Empower Frontline Workers Solution: Manage



After the process of Staging, you are now ready to Manage your device fleet. The Empower Frontline Workers Solution contains several technologies to support a successful deployment. Within the Workspace ONE UEM console, you can choose the best method to manage your mission-critical devices, regardless of use case.

Scope of This Document

VMware’s Empower Frontline Workers Solution provides a comprehensive set of tools across the three primary pillars of mission-critical device management: Stage, Manage, and Support. Each pillar provides technologies to simplify operations for IT teams responsible for mission-critical devices. 

Graphical user interface, application

Description automatically generated

Figure 1: Three pillars of mission-critical device management: Stage, Manage and Support

This deployment considerations document provides an overview of the Manage component of the Empower Frontline Workers Solution and is the second document in a three-part series. 

Due to the prevalence of the Android operating system in frontline use cases, this document primarily addresses these types of devices. 


This document is intended for prospective and current IT administrators of Workspace ONE and anyone who uses the Workspace ONE platform. Familiarity with mobile device management, security, networking, Active Directory, identity management, and directory services is assumed. Knowledge of VMware Workspace ONE® UEM (Unified Endpoint Management), VMware Workspace ONE® Access, and VMware Horizon® is also helpful.

Android Enterprise Management


The most common platform for frontline worker deployments is Android Enterprise. Android Enterprise offers many management modes depending on the use case. Refer to the Empower Frontline Workers Solution: Staging documents for an overview of the onboarding methods for mission-critical devices. 

Work Managed

For Android devices, the administrator will have the most options and control when the device is Work Managed, sometimes referred to as Device Owner Mode. This is a fully managed, locked-down device where employees will only have access to corporate apps and no access to personal apps through the Google Play Store. This management mode is typically only used for corporate-owned devices because the device must be factory reset. Work Managed gives the administrator full control of the device, including configuration of the user accounts, password policies, and control over the software and hardware options.  

Work Profile

Adding a Work Profile creates a dedicated container, or OS partition, for business applications and content. Although this mode enables you to manage the business data and applications in the container, you cannot manage the user's personal data and apps. To easily differentiate between the work and personal side of the device, the work applications will be badged with a briefcase icon. 

Work Profile for Company-Owned Devices (WPCO)

Work profile for company-owned devices (WPCO), formerly known as corporate owned personally enabled (COPE), combines Work Managed and Work Profile management options so that the administrator has full device-level control, but the device is also provisioned with a work profile to allow visual separation of the work and personal apps. Admins still have control over major features on the device including Wi-Fi settings, app allow/block list, and all restrictions offered within the Workspace ONE UEM console. 

Review the Managing Android Devices Operational Tutorial on Tech Zone to learn more about managing Android devices.

Android Application Management


Due to the wide variety of applications used within frontline worker use cases, it can be challenging to efficiently manage all apps in the field and ensure productivity of employees. Workspace ONE UEM offers a variety of tools to help manage essential work applications in the field while keeping data secure.

Public Applications

The administrator can publish and manage public applications directly from the Workspace ONE UEM console. Built into the admin console is an iFrame that directly accesses the Google Play Store account associated with the Android Enterprise account configured in device settings.

Internal Applications

Internal applications are a common tool used by organizations today to customize frontline worker workflows and processes. Pushing internal applications to devices is made easy by the ability to upload internal applications to the Google Play Store. After the app is published to the Google Play Store, it is added as a public application in the Workspace ONE UEM console. Even though the app will be managed as a public app and available for assigned users to access, internal apps will not be searchable in the public app store.  Alternatively, internal apps can be uploaded into the UEM console and managed separately from the public app store.

Workspace ONE UEM consolidates all app management tools into one place. To learn more about Android application management, see the Android App Management Operational Tutorial on Tech Zone.

Workspace ONE Launcher

Frontline Workers have a wide array of roles and responsibilities, and in some industries, it is cost-prohibitive to assign each employee a dedicated device. Depending on the task or shift, different applications and different types of employees may be required. For this reason, organizations often share a pool of devices within a group of employees. But the challenge is reconfiguring the device for each shift, or each time the device changes hands. Workspace ONE Launcher helps reduce operational costs and increases the efficiency of frontline workers by providing a method to automate the process of checking a device in and out and configuring the correct applications for the role or task.

There are two primary modes for Workspace ONE Launcher: Single App Mode and Multi-App Mode. 

Single App Mode

Single App Mode for Workspace ONE Launcher allows the administrator to lock down the device to only one app to reduce confusion and help desk tickets. The application can be from the public Google Play Store or an internal app and can be categorized based on the use case. The layout is also customizable to create a unique experience for each user or role, if required.

Multi-App Mode

Multi-App Mode is the most common Workspace ONE Launcher configuration. From the Workspace ONE UEM console, the administrator can restrict the device to a limited set of applications that are required for the employee’s role or task to maximize productivity and reduce confusion. Multi-App Mode also allows you to customize the device screen layout and branding. 

CICO (Check In/Check Out)

The administrator can create profiles within the Workspace ONE UEM console depending on the frontline worker’s role and use the Check in/Check out (CICO) feature within Launcher to automate the configuration of the device. After the device is checked out, it is automatically configured with the applications and settings based on the user’s login credentials. When the user is finished with the device and checks it back in, the device is automatically wiped of all the apps and settings associated with that user. The device is now ready to be checked back out, and depending on the role associated with a user, will receive the relevant applications and settings needed for the job. This reduces operational costs and increases efficiency within the organization. 

Review the VMware Docs article Using Workspace ONE Launcher to learn more.

Product Provisioning

Mission-critical device deployments often have hundreds, if not thousands, of devices deployed in the field that are geographically dispersed, which creates a significant challenge when device configurations, security patches, or app updates are required. Workspace ONE UEM enables the administrator to create and deliver products, which contain device profiles, applications, and platform-specific installation instructions and conditions. These products follow a set of rules, schedules, and dependencies to ensure devices are up to date with the content they need.

Relay Servers

If updates or applications are deployed to thousands of devices at the same time, delays and errors can occur, especially if these updates rely on the WAN. Product provisioning supports the use of relay servers to significantly reduce WAN bandwidth usage. Relay servers are FTP(S), SFTP, or HTTPS servers that serve as a distribution hub in a local branch, office, or store. The Workspace ONE UEM console can distribute device configurations and applications to a few relay servers, then devices can retrieve these updates from the relay server, versus all devices reaching out to the Workspace ONE UEM server for updates.


Description automatically generated

Figure 2: Example architecture using Relay Server and hosted Workspace ONE UEM 

Relay Servers can be configured in a pull or push model. Or, as an alternative to the traditional push or pull relay service, Workspace ONE UEM supports a Relay Server Cloud Connection, a hybrid solution that pulls updates from a content service endpoint and distributes them to the relay servers.

Review these resources to learn more about product provisioning and relay servers:


Workspace ONE UEM exposes admin console functionality via REST APIs so that administrators can automate workflows and simplify mission-critical device operations. The following examples describe how existing Workspace ONE customers are customizing and automating frontline worker deployments.

Administrators can:

  • Automate the creation of new organization groups (OGs) and product provisioning packages when new retail locations or device types come online.
  • Automate device lifecycle management to onboard and retire devices.
  • Develop a custom device dashboard.
  • Develop CI/CD pipeline for mobile application deployment and lifecycle management and integrate with existing change control processes.
  • Automate migration of devices, configurations, and applications between organization groups and Workspace ONE UEM tenants.
  • Feed environment data and device metrics to external analytics engines and cloud providers.
  • Monitor device network settings and automatically perform a device wipe if an IP address changes or a device connects to a new endpoint.

VMware provides an API Explorer tool to facilitate the use of Workspace ONE REST APIs. See How to Use Workspace ONE API Explorer (KB) to learn more.

For additional REST API documentation, see UEM REST API Product Docs.

Summary and Additional Resources


This deployment considerations guide provided an overview of the tools and technologies available within the Empower Frontline Workers Solution to manage mission-critical device deployments.

Additional Resources

Visit the Empower Frontline Workers Solution Architecture page on Tech Zone for more technical resources.


The following updates were made to this guide:


Description of Changes


  • Updated Android management mode information and resource links.


  • Initial publication

About the Author and Contributors

This document was written by: 

  • Christina Minihan, Staff Architect, End User Computing Technical Marketing, VMware
  • Dave Dwyer, Staff Solution Engineer, End User Computing, VMware


Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Associated Content

home-carousel-icon From the action bar MORE button.

Filter Tags

Workspace ONE Workspace ONE UEM Document Deployment Considerations Overview Android Manage