Empower Frontline Workers Solution: Manage
After the process of Staging, you are now ready to Manage your device fleet. The Empower Frontline Workers Solution contains several technologies to support a successful deployment. Within the Workspace ONE UEM console, you can choose the best method to manage your mission-critical devices, regardless of use case.
Scope of This Document
There are three main components of VMware’s Empower Frontline Workers Solution: Stage, Manage, and Support. Each component provides technologies to simplify operations for IT teams responsible for mission-critical devices.
Figure 1: Components of the Empower Frontline Workers Solution
This deployment considerations document provides an overview of the Manage component of the Empower Frontline Workers Solution and is the second document in a three-part series.
Due to the prevalence of the Android operating system in Frontline Workers use cases, this document primarily addresses these types of devices.
This document is intended for prospective and current IT administrators of Workspace ONE and anyone who uses the Workspace ONE platform. Familiarity with mobile device management, security, networking, Active Directory, identity management, and directory services is assumed. Knowledge of (Unified Endpoint Management), , and is also helpful.
Android Enterprise Management
The most common platform for frontline worker deployments is Android Enterprise. Android Enterprise offers many management modes depending on the use case. Refer to the document for an overview of the onboarding methods for mission-critical devices.
For Android devices, the admin will have the most options and control when the device is Work Managed, sometimes referred to as Device Owner Mode. This is a fully managed, locked-down device where employees will only have access to corporate apps and no access to personal apps through the Google Play Store. This management mode is typically only used for corporate-owned devices because the device must be factory reset. Work Managed gives the admin full control of the device, including configuration of the user accounts, password policies, and control over the software and hardware options.
Adding a Work Profile creates a dedicated container, or OS partition, for business applications and content. Although this mode enables you to manage the business data and applications in the container, you cannot manage the user's personal data and apps. To easily differentiate between the work and personal side of the device, the work applications will be badged with a briefcase icon.
COPE (Corporate Owned Personally Enabled)
COPE combines Work Managed and Work Profile management options so that the admin has full device-level control, but the device is also provisioned with a work profile to allow visual separation of the work and personal apps. Admins still have control over major features on the device including Wi-Fi settings, app allow/block list, and all restrictions offered within the Workspace ONE UEM console.
Android Application Management
Due to the wide variety of applications used within frontline worker use cases, it can be challenging to efficiently manage all apps in the field and ensure productivity of employees. Workspace ONE UEM offers a variety of tools to help manage essential work applications in the field while keeping data secure.
The administrator can publish and manage public applications directly from the Workspace ONE UEM console. Built into the admin console is an iFrame that directly accesses the Google Play Store account associated with the Android Enterprise account configured in device settings.
Internal applications are a common tool used by organizations today to customize frontline worker workflows and processes. Pushing internal applications to devices is made easy by the ability to upload internal applications to the Google Play Store. After the app is published to the Google Play Store, it is added as a public application in the Workspace ONE UEM console. Even though the app will be managed as a public app and available for assigned users to access, internal apps will not be searchable in the public app store. Alternatively, internal apps can be uploaded into the UEM console and managed separately from the public app store.
Workspace ONE Launcher
Frontline Workers have a wide array of roles and responsibilities, and in some industries, it is cost-prohibitive to assign each employee a dedicated device. Depending on the task or shift, different applications and different types of employees may be required. For this reason, organizations often share a pool of devices within a group of employees. But the challenge is reconfiguring the device for each shift, or each time the device changes hands. Workspace ONE Launcher helps reduce operational costs and increases the efficiency of frontline workers by providing a method to automate the process of checking a device in and out and configuring the correct applications for the role or task.
There are two primary modes for Workspace ONE Launcher: Single App Mode and Multi-App Mode.
Single App Mode
Single App Mode for Workspace ONE Launcher allows the admin to lock down the device to only one app to reduce confusion and help desk tickets. The application can be from the public Google Play Store or an internal app and can be categorized based on the use case. The layout is also customizable to create a unique experience for each user or role, if required.
Multi-App Mode is the most common Workspace ONE Launcher configuration. From the Workspace ONE UEM console, the admin can restrict the device to a limited set of applications that are required for the employee’s role or task to maximize productivity and reduce confusion. Multi-App Mode also allows you to customize the device screen layout and branding.
CICO (Check In/Check Out)
The administrator can create profiles within the Workspace ONE UEM console depending on the frontline worker’s role and use the Check in/Check out (CICO) feature within Launcher to automate the configuration of the device. After the device is checked out, it is automatically configured with the applications and settings based on the user’s login credentials. When the user is finished with the device and checks it back in, the device is automatically wiped of all the apps and settings associated with that user. The device is now ready to be checked back out, and depending on the role associated with a user, will receive the relevant applications and settings needed for the job. This reduces operational costs and increases efficiency within the organization.
Review the Workspace ONE Launcher Operational Tutorial on Tech Zone to learn more.
Mission-critical device deployments often have hundreds, if not thousands, of devices deployed in the field that are geographically spread out, which creates a significant challenge when device configurations, security patches, or app updates are required. Workspace ONE UEM enables the admin to create and deliver products, which contain device profiles, applications, and platform-specific installation instructions and conditions. These products follow a set of rules, schedules, and dependencies to ensure devices are up to date with the content they need.
If updates or applications are deployed to thousands of devices at the same time, delays and errors can occur, especially if these updates rely on the WAN. Product provisioning supports the use of relay servers to significantly reduce WAN bandwidth usage. Relay servers are FTP(S), SFTP, or HTTPS servers that serve as a distribution hub in a local branch, office, or store. The Workspace ONE UEM console can distribute device configurations and applications to a few relay servers, then devices can retrieve these updates from the relay server, versus all devices reaching out to the Workspace ONE UEM server for updates.
Figure 2: Example architecture using Relay Server and hosted Workspace ONE UEM
Relay Servers can be configured in a pull or push model. Or as an alternate to the traditional push or pull relay service, Workspace ONE UEM supports a Relay Server Cloud Connection, a hybrid solution that pulls updates from a content service endpoint and distributes them to the relay servers.
Review these resources to learn more about product provisioning and relay servers:
Workspace ONE UEM exposes admin console functionality via REST APIs so that administrators can automate workflows and simplify mission-critical device operations. The following examples describe how existing Workspace ONE customers are customizing and automating frontline worker deployments.
- Automate the creation of new organization groups (OGs) and product provisioning packages when new retail locations or device types come online.
- Automate device lifecycle management to onboard and retire devices.
- Develop a custom device dashboard.
- Develop CI/CD pipeline for mobile application deployment and lifecycle management and integrate with existing change control processes.
- Automate migration of devices, configurations, and applications between organization groups and Workspace ONE UEM tenants.
- Feed environment data and device metrics to external analytics engines and cloud providers.
- Monitor device network settings and automatically perform a device wipe if an IP address changes or a device connects to a new endpoint.
Summary and Additional Resources
This deployment considerations guide provided an overview of the tools and technologies available within the Empower Frontline Workers Solution to manage mission-critical device deployments.
Visit the for more technical resources.
The following updates were made to this guide:
Description of Changes
About the Author and Contributors
This document was written by:
- Karim Chelouati, Sr. Technical Marketing Manager, End User Computing, VMware
- Christina Minihan, Staff Architect, End User Computing Technical Marketing, VMware
Your feedback is valuable.