eXtended Reality (XR) Device Management: Augmented, Virtual, and Mixed Reality with VMware Workspace ONE UEM

Overview

In the enterprise, eXtended Reality (XR) is being leveraged as a powerful tool to enhance the productivity of employees, keep frontline workers safe, train our colleagues, visualize our products, and inspire our customers.

XR is an umbrella term that covers assisted reality (aR), augmented reality (AR), virtual reality (VR), and mixed reality (MR) technologies.

XR devices are now being used alongside mobile devices, and across a variety of verticals and use cases, to dramatically increase productivity, efficiency, and employee experience.

The VMware Workspace ONE Unified Endpoint Management (UEM) platform enables organizations to securely manage any device – from laptops and smartphones to rugged devices and XR devices – from a single console. Enrollment is the first step.

For XR devices, enrollment can be challenging. While Android is the operating system of choice for most devices, they typically are running the customizable Android Open Source Project (AOSP) version, and the out-of-the-box experience varies widely. The Workspace ONE UEM team is leveraging its expertise in device management and partnering with the full spectrum of hardware manufacturers to ensure the best possible enterprise device management experience for these devices.

Workspace ONE Intelligent Hub (Intelligent Hub) supports Android-based XR devices and Workspace ONE UEM provides enterprise device management capabilities for all eXtended Reality device types.

Purpose of This Guide

The purpose of this guide is to help you configure your Workspace ONE UEM instance to simplify the onboarding of XR devices, as well as to navigate the device-specific nuances of Workspace ONE UEM-supported devices. From the navigation bar to the left, you can select from the variety of enrollment options covered, for which more are being added periodically:

VR devices: HTC VIVE Meta Quest PICO Lenovo VRX

Non-VR devices: Magic Leap RealWear Vuzix

Note: This guide contains two types of useful links. External links take you to other resources on the web, and internal links take you to other sections within this guide. After you click an internal link and read its content, you can return to your original location by clicking the Back button of your browser.

Audience

This guide is intended for IT professionals who plan to take advantage of the growing market of XR technologies and use VMware Workspace ONE UEM to deliver scalable management and app delivery for Android XR devices. Familiarity with VMware Workspace ONE UEM, directory services, and supporting technologies is assumed.

Initial Workspace ONE UEM Setup

VMware Workspace ONE Unified Endpoint Management (UEM) enables you to securely manage your XR devices from a single console, with an easy onboarding process.

Regardless of the type of XR devices you are enrolling, this process begins with the initial UEM setup. The UEM setup includes verifying prerequisites and configuring enrollment settings, restrictions, and messaging.

Verifying Prerequisites

Before starting the enrollment process, make sure you meet the prerequisites for your devices. All devices require a supported version of VMware Workspace ONE UEM (https://kb.vmware.com/s/article/2960922), along with the following device-specific items.

All Devices:

The current supported version of the VMware Workspace ONE Intelligent Hub (AirwatchAgent) client from https://packages.vmware.com/wsone/androidhub/airwatchagent.apk (latest version).

Note: Intelligent Hub 23.06 or 23.10+ are recommended. 23.07 and 23.08 are not recommended to be used with XR devices due to a known issue.

HTC VIVE Devices:

• HTC VIVE XR Elite running the latest firmware
• HTC VIVE Focus 3 running firmware 3.0.999.456 or later
• HTC VIVE Focus Plus running firmware 4.14.623.1 or later
• HTC VIVE Focus running firmware 3.13.623.1 or later

Lenovo VR Devices:

• Lenovo VRX running the latest firmware

Meta Quest Devices (Quest for Business):

• Intelligent Hub must be enrolled with the setting EnableAllFileAccessPermission set to True
• Meta Quest 3 running firmware version 59 or later
• Meta Quest Pro running firmware version 53 or later
• Meta Quest 2 running firmware version 53 or later

PICO Devices:

• PICO 4 Enterprise running PUI 5.0 or later
• PICO Neo 3 running PUI 4.3.34 or later
• PICO Neo 2 running PUI 3.13.1 or later
• PICO G2 4K running PUI 3.11.3 or later

Note: Passcode policy is not supported on PICO Neo 2, 3, or 4.

Magic Leap:

• Magic Leap 2 with OS version 2208.18 or later

RealWear:

• HMT-1 or HMT-1Z1 running v11 firmware or later
• Navigator 500 or 520 running the latest firmware

Vuzix:

• M300/400 Series running v2.0.1 firmware or later
• M4000, Shield running the latest firmware
• Vuzix Blade 2 running the latest firmware

Configuring Workspace ONE UEM for XR Devices

Note: All devices covered by this guide run the Android Open Source Project (AOSP) version of Android.

• Android EMM registration is needed to activate Android management capabilities within UEM, although AOSP devices do not use Google Accounts and Google Mobile Services (GMS). Android enrollment-related settings are included in this section, regardless of Google status.
• Due to the Work Profile option not being available within AOSP, Work Managed is the only mode of management supported, and certain features need to be turned off as a result.
• If Android EMM registration has not already been configured for your UEM environment, see the section below. This is only done once per tenant to activate Android device management.

Registering Android EMM with Google Play Account

Note: Follow this procedure only if Android EMM has not already been registered for the UEM tenant. This is done on a per-tenant basis.

The initial step in the managing Android-based process is to register Android EMM with a Google Play account. This is required to enable Android-based device management within UEM. Even though Google Play Store or Google Message Services is not used by Android Open Source Project (AOSP) devices, to manage Android devices in Workspace ONE UEM, this must be enabled.

1. Log in to your Workspace ONE UEM Console using your Administrator Account. Note that certain functions might require advanced roles, such as account creation. Check with your Workspace ONE UEM Console Administrator for proper role assignments.
2. From the Customer Level Organization Group (OG), navigate to Getting Started > Workspace ONE > Android EMM Registration.

   
   Note: If you prefer not to use the wizard for Android EMM Registration, or if the wizard is not available in your environment, you can navigate to Groups & Settings > All Settings > Devices & Users > Android > Android EMM Registration.

3. Make sure that you are signed into Google with your preferred (corporate account specific to your environment) Google account credentials, and select Configure.
4. In the Android EMM Registration window, click Register with Google. If you are already signed in with your Google credentials, you are redirected back to the Workspace ONE console.
    
5. On the Bring Android to Work window, select Sign In, if you are not already signed in, enter your Google credentials, and then select Get Started.
    
6. Enter your Organization Name. The Enterprise Mobility Manager (EMM) provider field populates automatically as VMware Workspace ONE UEM.
7. Select Next. The Data Protection Officer and EU Representative information is optional. Make sure to confirm that you have read and agreed to the Managed Google Play agreement.
8. Select Confirm > Complete Registration.
9. When you are redirected to the Workspace ONE Console, verify that your Google Service Account credentials are automatically populated, and select Save > Test Connection to verify that the service account is set up and connected successfully.
10. Your Android EMM Registration status should show as Complete.

Creating Organizational Group(s) for XR Devices

We recommend creating an organizational group for XR devices. This ensures that XR devices can be managed separately from other devices. If you are deploying different types of devices, we recommend establishing organizational groups for each device type, for example, groups for Meta Quest, HTC VIVE, Pico, etc. under the XR Devices group.

To create an organizational group, follow these steps:

1. In your Workspace ONE UEM Console, navigate to Groups & Settings > Groups > Organization Groups > Details, and select the Add Child Organization Group tab.
2. Type XR Devices in the Name field.
3. Type XR in the Group ID field.
4. Set Type to Container.
5. Set the rest of the fields as appropriate.
6. Click SAVE.

Now create another organizational group for the first device type you are deploying, for example, Pico or HTC.

You can apply profiles and settings for all XR devices at the top-level organizational group and then device type specific settings and resources at the device specific group level.

Configuring Enrollment Settings

The first step of the configuration process is to override the default Android EMM settings and configure device enrollment settings for the Organizational Groups (OG) used for XR devices. We recommend creating a model-specific Child Level Organizational Group for these settings.

1. In your Workspace ONE UEM Console, navigate to Groups & Settings > Configurations > Android EMM Registration, and select the Enrollment Settings tab.
2. In the Enrollment Settings tab, select the Override radio button to change the default settings.
3. Select WORK MANAGED device, select AOSP / CLOSED NETWORK, and then click Save.
   
    

Configuring Enrollment Restrictions

After configuring Enrollment Settings, the next step of the configuration process is to set up device enrollment restrictions for this Organizational Group.

1. In your Workspace ONE UEM Console, navigate to Groups & Settings > Configurations > Android EMM Registration, and select the Enrollment Restrictions tab.
2. In the Enrollment Restrictions tab, select the Override radio button to change the default settings.
3. From the Define the enrollment method for this organization group dropdown menu, select Always use Android.
4. For Allow Work Profile Enrollment, select Disable, as this mode is not supported on AOSP devices. Click Save and close the Settings window.

    

Configuring Intelligent Hub Settings

After configuring Enrollment Restrictions, the next step of the configuration process is to set up Workspace ONE Intelligent Hub Settings for this Organizational Group.

1. In your Workspace ONE UEM Console, navigate to Groups & Settings > All Settings > Devices & Users > Android > Intelligent Hub Settings.
2. Select the Override radio button to change the default settings.
3. For Require Google Account, select the DISABLED button.
    
4. Scroll down, then select the ENABLED button, for AirWatch Cloud Messaging.
    
5. Click Save.

Creating a Basic User Account (optional)

After configuring Intelligent Hub Settings, the final step of the initial process is to create a Basic User Account.

Note: Workspace ONE UEM manages devices by keeping track of the users of each device. Therefore, it is necessary to create and implement user accounts for devices to enroll into Workspace ONE UEM. See Workspace ONE UEM documentation for detailed information on advanced topics, such as integrating Workspace ONE UEM with Directory Services Accounts.

1. From the Customer Level Organization Group (OG), navigate to Accounts > Users > List View, select Add, then Add User.
2. On the General tab of the Add / Edit User window, complete the following settings to add a Basic User:

• Security Type - Select Basic to add a basic user.
• Username - Enter a username with which the new user is identified. For testing purposes, we recommend using lowercase, alpha, and no special characters.
• Password - Enter a password that the user can use to log in. This will be included in the QR Bar Code setup. A user will not need to enter this manually.
• Confirm Password - Confirm the password.
• Full Name - Complete the First Name, Middle Name, and Last Name of the user.
• Display Name (Optional) - Represent the user in the UEM console by entering a name.
• Email Address - Enter or edit the user's email address.
• Email username (Optional) - Enter or edit the user's email username.
• Domain (Optional) - Select the email domain from the drop-down setting.
• Phone Number (Optional) - Enter the user's phone number including plus sign, country code, and area code. This option is required if you intend to use SMS to send notifications.

3. In the Enrollment section, complete the following settings to add a Basic User:

• Enrollment Organization Group - Select the organization group into which the user enrolls. Default settings are recommended.
• Allow the user to enroll into additional Organization Groups - You can allow the user to enroll into more than one organization group. If you Enable this option, but leave Additional Organization Groups blank, then any child OG created under the Enrollment Organization Group can be used as a point of enrollment. The Enabled setting is recommended.
• Additional Organization Groups - This setting only appears when the option to allow the user to enroll into additional OGs is Enabled. This setting allows you to add additional organization groups from which your basic user can enroll.
• User Role - Select the role for the user you are adding from this drop-down setting. Default settings are recommended.

4. In the Notification tab, complete the following settings to add a Basic User, and then click Save:

• Message Type - Select the type of message you want to send to the user: Email, SMS, or None. Selecting SMS requires a valid entry in the Phone Number option.
• Message Template - The basic user activates their account with this notification. For security reasons, this notification does not include the user's password. Instead, a password reset link is included in the notification. The basic user selects this link to define another password. This password reset link expires in 24 hours automatically. Select the template for email or SMS messages by selecting one from this drop-down setting. Optionally, select Message Preview to preview the template and select the Configure Message Template to create a template.

Recommended Profile Settings for VR Devices

The following profile settings are recommended for Android-based VR devices. Other settings should be configured based on individual customer’s requirements. You must also have a smart group defined to include the VR headsets.

Best practice is to create individual profiles for each payload type. For testing purposes, a single profile may contain the multiple payloads seen below.

1. While logged into Workspace ONE UEM, change to the Organization Group (OG) that manages your headsets.
2. Navigate to Resources > Profiles & Baselines > Profiles, select Add, and then Add Profile.
3. Select Android.
4. Name your profile: For example, Headset Config, and Add Description (optional).
5. Include a Permissions payload.
   
   1. Scroll down and locate the Permissions payload.
   2. Select ADD (to the right). The Summary panel on the right side of the screen displays the added payload. You are now able to make changes to the Permissions payload.
   3. Under the Permissions drop-down menu, for Permission Policy, select Grant All Permissions.
6. Include a Restrictions payload.

1. Scroll down and locate the Restrictions payload.
2. Select ADD to include the Restriction payload in the summary.
3. Under the Restrictions drop-down menu, unselect (deactivate) the following two options.
   
   1. Allow All Keyguard Features
   2. Allow Keyguard

7. Include an Application Control payload.

1. Scroll down and locate the Application Control payload.
2. Select ADD to include the Application Control payload in the summary.
3. Under the Application Control drop-down menu, leave all checkboxes in their default positions. For the payload to be configured with the default options, deselect, and then immediately select one of the checkboxes.

8. Select the Next button.
9. Under Assignment, select an appropriate smart group to apply the profile rules.
10. Under Deployment, make the following selections.

1. Assignment Type – Auto
2. Allow Removal – Always (for testing only, select Never or With Authorization for Production)
3. Managed By – select the organization group you specified in a previous step.
   Result: The Preview screen to the right displays, showing a preview of the devices included in the smart group you selected above. If this screen displays Total Assigned Devices 0, you can add devices to the smart group later. The profile you just made is assigned to this smart group whether it contains devices or not.

11. Select the Save & Publish button.

Intelligent Hub Permissions for Deploying OBB Files

XR devices using Android 11 or later (Meta Quest, Lenovo VRX) block device management solutions from writing to certain protected folders. This can prevent the installation of OBB (extension files) for applications.

Intelligent Hub must be configured with the “Install Unknown Sources” permission for it to deploy OBB files. Intelligent Hub is currently configured to do this using a Remote Intent.

To deploy a Remote Intent, use the following steps in the Workspace ONE UEM console:

1. Click Devices > Provisioning > Components.
2. Click Files/Actions and ADD FILES/ACTIONS.
3. Click Android
4. Type Install Unknown Sources Intent into the Name field.
5. Click Manifest and click Add Action.
6. From the drop-down menu, select Run Intent.
7. Copy and paste the following into the Command Line field:
   
   1. mode=implicit,broadcast=false,action=android.settings.MANAGE_UNKNOWN_APP_SOURCES,data=package:com.airwatch.androidagent
8. Click SAVE and click SAVE again.
9. Click Product List View and click ADD PRODUCT.
10. Click Android.
11. Type Install Unknown Sources Intent into the Name field.
12. Select a Smart Group for your XR devices.
13. Click Manifest and click ADD.
14. Select File/Action – Install from the Action(s) To Perform drop-down menu.
15. In the Files/Actions field, enter Install Unknown Sources Intent and select the provisioning component you previously set up.
16. Click SAVE.
17. Click ACTIVATE and click ACTIVATE again.

When devices within the specified smart group are enrolled, users will be prompted to accept the Install Unknown Sources permission. Users must accept this permission for Intelligent Hub to push OBB files to devices.

Next Step: Specific Device Enrollment

After you have completed the initial Workspace UEM setup in the console, select one of the following specific devices to finish enrollment from the navigation bar on the left:

• HTC VIVE Enrollment
• Lenovo VRX Enrollment
• Meta Quest for Business Enrollment
• PICO Enrollment
• Magic Leap 2 Enrollment
• RealWear Enrollment
• Vuzix Enrollment

Streamlined Enrollment of XR Devices

Workspace ONE UEM supports three different methods for enrolling XR devices into Workspace ONE UEM. Once a device is enrolled, it can be managed remotely from the Workspace ONE UEM console.

1. Zero Touch Enrollment – either via QR Code scanning or Out Of the Box Experience (OOBE).
2. SimpleXR – a simple setup tool that can enroll devices over USB.
3. Sideload Staging Wizard – a package created using Workspace ONE UEM that can set up devices over USB.

For XR devices we recommend using Zero Touch or SimpleXR for device enrollment.

Zero Touch Enrollment

Zero touch enrollment means that IT do not have to touch a device to set it up. The enrollment flow is designed to be as simple as possible and conducted by a user.

QR Code Enrollment

The simplest zero touch enrollment flow is QR code enrollment. When a device is powered on, a user is given the option to scan a QR code and then the device is automatically enrolled and setup. We support QR code scanning with the following devices:

1. Pico 4 Enterprise – scan a UEM generated QR code ( See Enroll Work Managed Device Using a QR Code for more details).
2. HTC XR Elite – scan an HTC VIVE specific QR code ( See Enrolling and setting up VIVE Focus 3 in VMware AirWatch via a QR code for more details).
3. Magic Leap – scan a UEM generated QR code (See Enroll Work Managed Device Using a QR Code for more details).
4. Vuzix - scan a UEM generated QR code (See Enroll Work Managed Device Using a QR Code for more details).
5. RealWear - scan a UEM generated QR code (See Enroll Work Managed Device Using a QR Code for more details).

Steps to create a Workspace ONE UEM QR code can also be found in SimpleXR Installation and Enrollment.

Out Of the Box Experience (OOBE)

OOBE enrollment is a flow where users can opt to enroll their devices into Workspace ONE UEM during device setup. An OEM vendor has specifically integrated MDM enrollment into their initial device setup flow. We support OOBE enrollment with the following devices:

• Meta Quest 2 – requires Quest for Business
• Meta Quest 3 – requires Quest for Business
• Meta Quest Pro – requires Quest for Business

SimpleXR Enrollment

For devices that do not support zero touch enrollment, or for when IT wants to set up devices, a setup tool called SimpleXR can be used. SimpleXR is a GUI application that runs on a Windows laptop or desktop and requires that an XR device is connected via USB. SimpleXR will automatically enroll a device into Workspace ONE UEM.

In general, any XR device can be enrolled using SimpleXR including devices that support zero-touch enrollment.

However, the following devices should be enrolled with SimpleXR as they do not support zero-touch enrollment.

• Pico Neo 3, Pico G3, Pico Neo 2, Pico G2 4K
• HTC VIVE Focus 3, HTC VIVE Focus Plus, HTC VIVE Focus
• Lenovo VRX
• Any other XR device

SimpleXR is available as a download from here  https://via.vmw.com/SimpleXR.

For more information on SimpleXR, see SimpleXR Installation and Enrollment.

HTC VIVE Device Enrollment

After completing the initial Workspace UEM setup in the console, you are ready to enroll your VIVE XR Elite or VIVE Focus Headset devices.

The HTC VIVE XR Elite and HTC VIVE Focus 3 devices can scan a QR code for zero touch enrollment. The HTC VIVE Focus Plus device does not support QR Codes.

For VIVE XR Elite devices the recommended enrollment method is QR Code.  QR Code method is NOT recommended for the VIVE Focus 3, as its cameras may not be able to read a QR code reliably; the current recommended method for VIVE Focus 3 and HTC VIVE Focus Plus devices is to use the SimpleXR tool.

QR Code Installation and Enrollment (XR Elite)

To install and enroll your VIVE XR Elite Headset into Workspace ONE UEM:

1. Generate a QR Code by following the instructions in Setting up a VMware AirWatch agent and enrolling VIVE Focus 3 using a QR code. 
2. Unbox and power on the HTC VIVE device. When the device is powered on, a welcome screen is displayed.
3. When the welcome screen appears, press the Headset button three times to enable passthrough.
4. Use the onscreen QR code scanner to scan the QR code displayed on your computer screen.
5. The MDM Setup window appears. The Workspace ONE Intelligent Hub (AirWatch) agent then automatically enrolls the headset. When enrollment is complete, follow the onscreen instructions to finish setting up the headset.

• Click through one privacy statement and wait until the device runs through enrollment and displays the enrolled user, email address, and additional information.

6. From the Customer or Child OG within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

SimpleXR Installation and Enrollment (VIVE Focus devices)

For devices that do not support QR code enrollment, SimpleXR tool can be used to enroll devices.

To register a device with a Workspace ONE UEM environment using SimpleXR use the following steps:

1. If you are not starting with a new device, do a factory reset of the HTC headset through the settings menu on the device.
2. After the device is powered on, connect to a Wi-Fi network, and follow the steps in the headset to get to the HTC main screen.
3. Make sure that your system is updated to the latest firmware by launching the System Update (in Settings) app and updating it.
4. Plug the headset into your setup machine (where you downloaded SimpleXR) by using the USB cable provided and begin an ADB session.
5. Follow the SimpleXR instructions to enroll your device.
6. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console and be able to manage them remotely.

Managing Device PIN Code

Note the following limitations:

• If you want the user to set a passcode, ensure the passcode policy is set prior to device enrollment.
• If a passcode policy is set after enrollment, the user will not be notified via Intelligent Hub client and the user will not be forced to set a device passcode.

Managing Kiosk Mode

Kiosk mode for the VIVE XR Elite and VIVE Focus 3 requires pushing an XML configuration file to the device and running an Intent to trigger it.

1. In the Workspace ONE UEM console, move to the organization group (OG) that manages your headsets.
2. Navigate to Devices > Provisioning > Components > Files/Actions.

1. Use the ADD FILES/ACTIONS button at the top of the page and select Android.
2. Configure the General tab:

• Name: HTC Kiosk Mode XML
• Description: You can choose to add an optional description.
• Managed By: Leave this field prepopulated with the correct OG.

3. Configure the Files tab and select ADD FILES:

• Select Choose Files and upload a copy of the mns.xml file (see Kiosk mode XML file – mns.xml below).
• Select Save to save the file.
• Specify the download path as $internal$/VMware and select Save to save the configuration.

4. Configure the Manifest tab:

• Select ADD ACTION under the Installation Manifest section.
• In the Action(s) To Perform drop-down, select Run Intent.
• For Command Line and Arguments to run, enter:
  mode=explicit,broadcast=false,action=com.htc.vr.launcher.SCENE,package=com.htc.vrs.launcher,class=com.htc.vr.unity.WVRUnityVRActivity,extraString=LaunchScene=UpdateKioskMode
• Select Save to save the Files/Action.

3. Navigate to Devices > Provisioning > Product List View.

1. Select Add Product and select Android.
2. Configure the General tab:

• Name: HTC Kiosk Mode Config
• Description: You can choose to add an optional description.
• Managed By: Leave this field prepopulated with the correct OG.
• Smart Groups: Enter the Smart Group(s) that the product is applied to.

3. Configure the Manifest tab, select the +Add button, and configure the following:

• Actions(s) to Perform: Select the File/Action – Install option.
• Files/Actions: Select the File/Action created above, called "Download HTC Kiosk Mode XML.”

4. Select the Save button to save the product.
5. If ready to activate Kiosk Mode, select the Activate button to give the product an active status.

If you want to activate the product later, navigate to the Product List View page, locate the "HTC Kiosk Mode Config" product from the listing, and select the grey indicator next to the red traffic light for the product. The grey indicator turns green, and the red indicator turns grey to indicate that the product is now active.

 Kiosk mode XML file – mns.xml

<?xml version="1.0" encoding="UTF-8"?>
<customization_form>
  <category name="application">
    <module name="vive_kiosk_enabler">
      <function name="enable_kiosk_mode">
        <set name="single">
  <!--
       1:enable kiosk mode.
       0: disable kiosk mode
  -->
          <item name="enabled" type="bool">1</item>
        </set>
      </function>
      <function name="kiosk_mode_key">
        <set name="single">
  <!-- [TO DO] Enter a passcode to leave kiosk mode. Needs to be a four digit number. Empty means no passcode to leave Kiosk mode -->
          <item name="key" type="int">0000</item>
        </set>
      </function>
   <!-- allow Bluetooth connection or not -->
      <function name="allow_bt_connection">
        <set name="single">
          <item name="enabled" type="bool">1</item>
        </set>
      </function>
   <!-- allow headset screen casting not -->
      <function name="enable_screen_casting">
        <set name="single">
          <item name="enabled" type="bool">1</item>
        </set>
      </function>
   <!-- allow screen capture or not -->
      <function name="kiosk_screen_captured_enable">
        <set name="single">
          <item name="enabled" type="bool">1</item>
        </set>
      </function>
   <!-- allow USB file transfer or not -->
      <function name="allow_usb_transfer">
        <set name="single">
          <item name="enabled" type="bool">1</item>
        </set>
      </function>
   <!-- setup application in kiosk mode -->
      <function name="kiosk_mode_apps">
        <set name="plenty">
          <item name="app_name">XR Hub</item>
          <item name="app_package_name"> com.vmware.xr.xrhub.wavevr</item>
        </set>
      </function>
   <!-- kiosk mode type
        "1" for Single app
           "2" for Multiple app
      -->
      <function name="kiosk_mode_type">
        <set name="single">
          <item name="enabled" type="int">1</item>
        </set>
      </function>
   <!-- Network permission under kiosk mode
   "1" for Offline
   "2" for Pre-defined Wi-Fi
   "3" for Allow to any Wi-Fi
      -->
      <function name="allow_network_permission">
        <set name="single">
          <item name="mode" type="int">3</item>
        </set>
      </function>
   <!-- require sign in mandatory when entering kiosk mode -->
      <function name="enable_kiosk_mode_signin">
        <set name="single">
          <item name="enabled" type="bool">0</item>
        </set>
      </function>
   <!-- Interaction method
   "1" for hand only
   "2" for controller only
   "3" for controller & hand
      -->
      <function name="kiosk_InteractionMode">
        <set name="single">
          <item name="mode" type="int">3</item>
        </set>
      </function>
   <!-- play tutorial when re-start kiosk mode -->
      <function name="kiosk_auto_play_tutorial">
        <set name="single">
          <item name="mode" type="bool">0</item>
        </set>
      </function>
   <!-- play opening video when re-start kiosk mode -->
      <function name="kiosk_cinematic_playback">
        <set name="single">
          <item name="mode" type="bool">0</item>
        </set>
      </function>
   <!-- play wearing guide when re-start kiosk mode -->
      <function name="kiosk_auto_play_wearing_guide">
        <set name="single">
          <item name="mode" type="bool">0</item>
        </set>
      </function>
    </module>
  </category>
</customization_form>
 

Accessing Device Logs

Request Device Log from Workspace ONE UEM Console.

• To collect Hub, System, or Security logs, see Request Device Log.

  Note: For device system logs, users will need to access Intelligent Hub on the XR devices. Use the controller to click the top bar of the application and click Share on the Bug Report notification.

Managing Applications

Applications can be silently installed remotely to the XR device using Workspace ONE UEM. In summary:

• Application APKs and supporting files must be either uploaded to Workspace ONE UEM or placed on a web/file server that is accessible by the device.
• Applications and any supporting files are installed by Workspace ONE UEM on all assigned devices.

For more information on managing applications, see Deploying Internal Application on Android Devices.

Conclusion

You have now completed enrolling your HTC VIVE XR Elite or HTC VIVE Focus headset into Workspace ONE UEM. For enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Lenovo VRX Enrollment

After completing the initial Workspace UEM setup in the console, you are ready to enroll your Lenovo VRX devices.

The Lenovo VRX device can be enrolled using SimpleXR, or by following Lenovo’s own process documented in Device enrollment to VMware Workspace ONE – ThinkReality VRX headset.

SimpleXR Installation and Enrollment

To register a device with a Workspace ONE UEM environment using SimpleXR use the following steps:

1. If you are not starting with a new device, perform a factory reset of the VRX headset through the settings menu on the device.
2. After the device is powered on, connect to a Wi-Fi network, and follow the steps in the headset to get to the VRX main screen.
3. Make sure that your system is updated to the latest firmware by launching the Settings app and clicking About. Any firmware updates will be indicated under System Information
4. Put the device into developer mode by clicking the Settings > About > System Information > Software Version text 8 times.
5. Scroll down in the About section, click Developer Mode, and check that USB debugging is toggled on.
6. Plug the headset into your setup machine (where you downloaded SimpleXR) by using the USB cable provided.
7. Follow the SimpleXR instructions to enroll your device.
8. In the event Intelligent Hub is not auto-launched by SimpleXR, you will need to manually launch Hub from within the headset to complete enrollment. While SimpleXR is processing the final step (“Enroll into Workspace ONE UEM”), you will need to manually launch Hub from within the headset to complete enrollment. Simply launch the Hub on the device and wait for enrollment to conclude. If SimpleXR times out before you can launch the Hub on the device, click back on Simple XR and run the plan again.
9. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console and be able to manage them remotely.

Managing Device PIN Code

Note the following limitations:

• Device PIN is not supported on the VRX

Accessing Device Logs

Request Device Log from Workspace ONE UEM Console.

• To collect Hub, System, or Security logs, see Request Device Log.

  Note: For device system logs, users will need to access Intelligent Hub on the XR devices. Use the controller to click the top bar of the application and click Share on the Bug Report notification.

Managing Applications

Applications can be silently installed remotely to the XR device using Workspace ONE UEM. In summary:

• Application APKs and supporting files must be either uploaded to Workspace ONE UEM or placed on a web/file server that is accessible by the device.
• Applications and any supporting files are installed by Workspace ONE UEM on all assigned devices.

For more information on managing applications, see Deploying Internal Application on Android Devices.

Conclusion

You have now completed enrolling your Lenovo VRX headset into Workspace ONE UEM. For enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Meta Quest for Business Enrollment

VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your Meta Quest devices with streamlined enrollment via Meta Quest for Business.

After an easy Workspace ONE UEM enrollment flow via Quest for Business, you can directly manage Quest devices from the same console you use for your more traditional devices. This section describes how to set up Quest for Business with Workspace ONE and enroll a Quest device.

Setting up Meta Quest for Business to enroll Quest devices into Workspace ONE UEM

After verifying prerequisites and completing the initial Workspace UEM setup, you are now ready to set up Meta Quest for Business and enroll your Quest devices into Workspace ONE.

Quest for Business enables out-of-the-box enrollment to Workspace ONE for Quest devices. Sign up to Quest for Business via Meta’s website at Getting started with Meta Quest for Business beta.

After you have signed up to Quest for Business, access the Admin Center to configure Workspace ONE UEM as an MDM Integration:

1. Click Devices.
2. Click the Device Profiles icon, and then click New device profile.
   
   1. From the drop-down menu, select VMware Workspace ONE UEM.
3. Enter a suitable name in the Name field.
4. Click Set as default configuration.
5. Click Continue.
6. Update the device profile with the appropriate recommended settings:
   
   1. Package Download - https://packages.vmware.com/wsone/airwatchagent.apk
7. Update the Extras Bundle, and add a Bundle for each key pair value required:

• promptPrivacy – True (default)
  (optional; controls displaying privacy screens if desired)
• EnableAllFileAccessPermission – True
  (required to push files to the device; prompts the user to accept the permission during enrollment)
• serverurl – the FQDN of the Workspace ONE UEM server
  (recommended; required for zero touch staging enrollment)
• gid – the Group ID for the organizational group devices should be enrolled into
  (recommended; required for zero touch staging enrollment)
• un – username for the enrollment user (usually used for single/multi-user staging)
  (optional, but required for zero touch staging enrollment)
• pw –password for the enrollment user
  (optional, but required for zero touch staging enrollment)
• useUEMAuthentication – True
  (required for accounts using basic authentication in Workspace ONE UEM)
• aospEnrollment – True
  (recommended)

8. Click Create to complete the Quest for Business setup.

Enrolling devices into Workspace ONE UEM

Turn on the Quest device:

1. Do NOT pair the device to a phone with the Meta Quest app or the Meta Quest Developer Hub.
2. During device setup, the user is prompted to pair the device OR Set up Quest for Business OR Connect this device to your organization.
3. The user should click Set up Meta Quest for Business OR Connect this device to your organization.
4. Follow the instructions to connect the device to the user’s Meta Work account.
5. Follow the onscreen steps to enroll into MDM and Workspace ONE UEM.
   
   1. Meta Quest device downloads the UEM agent, installs it, and starts the enrollment process.
   2. If not using a staging account and password, the user is required to enter their enrollment credentials for Workspace ONE UEM.
   3. Once hub enrollment is completed, the user is returned to the Quest device setup process.
      
      1. If not, the user may need to reboot the device to complete setup.

9. Follow the instructions to link the device to the user’s Meta account.
10. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see the device enrolled in the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Managing Device PIN Code

Note the following recommendations:

• If you want the user to set a passcode, ensure the passcode policy is set prior to device enrollment.
• If a passcode policy is set after enrollment, the user will only be notified if they are within Meta Quest Home environment.
• Only a 4-digit numeric passcode is supported on Quest devices.

Managing OS Updates

Workspace ONE UEM can be used to manage Meta Quest OS Updates. Meta Quest OS updates can be configured to be installed automatically, postponed for a number of days or installed during a timed window.

To configure OS update policy, create an Android policy using these steps, then follow these steps to configure System Updates.

An example can be seen here:

Managing Kiosk Mode

Note the following limitation:

• Workspace ONE UEM LockTaskMode and Workspace ONE Launcher are not supported on Quest for Business devices.
• Quest devices do not offer an official kiosk mode feature
• Workspace ONE XR Hub offers a kiosk mode experience on Quest devices (Tech Preview). See Workspace ONE XR Hub documentation for more information.

Managing the In-Headset Experience

Workspace ONE UEM can control what users have access to when using the device. This may be necessary to prevent users from accessing consumer-focused or inappropriate content and apps. For example, you can:

• Restrict access to the Meta Store
• Restrict access to the Explore application
• Restrict access to Meta Events
• Stop users from adding user accounts
• Use Workspace ONE XR Hub as a kiosk mode experience (Tech Preview). See Workspace ONE XR Hub documentation for more information.

Restricting Access to Apps

Use the following process to restrict user access to certain applications:

1. In the Workspace ONE UEM Console, select the appropriate organizational group for your Quest devices.
2. Select Groups & Settings from the left-side navigation menu.
3. Select Groups > App Groups from the middle navigation menu.
4. Select Add Group, select the Type dropdown, and select Denylist.
5. Select the Platform drop-down menu and select Android.
6. Select the Name field, and type in a suitable name for your group.
7. Click Add Application and enter the name of the application you wish to block.
8. Enter the application ID (for example, com.oculus.store).
    
9. Click Add Application to add other applications (such as com.oculus.explore, com.oculus.browser, and so on), and then click Next.
10. Click the Organizational Group to assign the deny list to, and then click Finish.

Preventing the Addition of More Users

Use the following process to stop users from adding additional users to the device:

1. Access the Workspace ONE UEM Console, and select the appropriate organizational group for your Quest devices.
2. Select Resources from the left-side navigation menu.
3. Select Profiles & Baselines from the middle navigation menu.
4. Select Profiles.
5. Click Add, and then select Android.
6. Add a Name to your profile.
7. Find the Application Control payload from the list, and click Add.
8. Enable Disable Access to Denied Apps.
9. Find the Restrictions payload from the list, and click Add.
10. Disable Allow adding Google Accounts.
11. Disable Allow adding/deleting accounts and then click Next.
12. Select the smart group to assign the profile to, and then click Save & Publish.

Accessing Device Logs

Request Device Log from Workspace ONE UEM Console.

1. To collect Hub, System, or Security logs, see Request Device Log.

   Note: For device system logs, users will need to access Intelligent Hub on the XR devices. Use the controller to click the top bar of the application and click Share on the Bug Report notification.

Managing Applications

Applications can be silently installed remotely to the XR device using Workspace ONE UEM. In summary:

• Application APKs and supporting files must be either uploaded to Workspace ONE UEM or placed on a web/file server that is accessible by the device.
• Applications and any supporting files are installed by Workspace ONE UEM on all assigned devices.

For more information on managing applications, see Deploying Internal Application on Android Devices.

Conclusion

You have now completed enrollment of your Meta Quest device into Workspace ONE UEM using Meta Quest for Business. For information about enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

PICO Enrollment

VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your PICO headset devices from the same console you use for your more traditional devices, after an easy onboarding process. This section describes how to conduct a PICO Headset enrollment into Workspace ONE UEM.

After completing the initial Workspace UEM setup, you are now ready to enroll your PICO Headset devices.

There are three options for installation and enrollment of PICO devices:

• QR Code enrollment via camera (Pico 4 E)
• Pre-installed or USB key-based QR Code and user enrollment during device setup (PICO Neo 3 / 4E, G3)
• SimpleXR (Pico G2 4K, Pico Neo 2, G3)

Installing and Enrolling with QR Code Scan (PICO 4 Enterprise)

To generate a QR Code, follow the instructions in Enroll Work Managed Device Using a QR Code.

For users or administrators who power on the device for the first time:

1. Take the device out of the box, and make sure that the device and the controllers are charged.
2. Power on the PICO device.
3. Follow the in-headset instructions to complete the initial setup of the device.
4. If you have specified Wi-Fi configuration in the QR Code, the user can skip Wi-Fi configuration.
5. The user will be prompted to select Quick Setup, as in the following screenshot:
    
6. Wait as this launches a process that configures Wi-Fi (if specified in the QR Code), then download and install the Workspace ONE UEM agent and enroll the device.
   Note: Do not press any buttons on the controller at this point, only follow the onscreen instructions.
7. If you did not provide credentials in the QR Code, the user will be prompted to enter the enrollment username and password.
8. When the device is enrolled, the user is asked to accept the privacy statement for the Workspace ONE UEM agent.
9. Once enrolled, the device downloads the appropriate profiles, applications, and content from Workspace ONE UEM.
   Note: If you see a blank white screen with the UEM logo, Hub is waiting to download applications. Wait until this screen disappears (apps have been downloaded). You may need to force install applications using the UEM console if the device is stuck with Hub showing a white screen.
10. You should be now presented with the Hub application showing that the device is enrolled.
11. Reboot the device and continue the PICO setup.
    Note: Do not select enterprise setup.
12. Within the Workspace ONE UEM Console, from the Customer or Child OG, navigate to Devices > List View. You should see the device enrolled into the Workspace ONE UEM Console. You should be able to manage these devices using Android Enterprise-based profiles.

Installing and Enrolling with QR Code File (Pico Neo 3, G3)

PICO devices also support a QR Code-based enrollment during device setup where the QR code is already on the device. This requires that a QR Code generated by Workspace ONE UEM be converted to a PNG format file, and either placed on the root of the device or on the root of a USB key plugged into the device during boot.

For ordering at volume from PICO, you can request that a QR Code be placed on the root of the device. Contact PICO for more information. Alternatively, a QR Code can be placed on the root of a FAT32 formatted USB-C key to be inserted into the device at boot.

To generate a QR Code, follow the instructions in Enroll Work Managed Device Using a QR Code.

Download the QR Code PDF file, open the file, and screenshot or image capture the QR Code. Save the QR Code image as QRCode.PNG.

Send your QRCode.PNG file to PICO or save it to the root of a FAT32 formatted USB-C key.

For users or administrators who power on the device for the first time:

13. Take the device out of the box, and make sure that the device and the controllers are charged.
14. If necessary, plug in the USB-C Key with the QR Code into the headset.
15. Power on the PICO device.
16. Follow the in-headset instructions to complete the initial setup of the device.
17. If you have specified Wi-Fi configuration in the QR Code, the user can skip Wi-Fi configuration.
18. The user will be prompted to select Quick Setup, as in the following screenshot:
     
19. Wait as this launches a process that configures Wi-Fi (if specified in the QR Code), then download and install the Workspace ONE UEM agent and enroll the device.
    Note: Do not press any buttons on the controller at this point, only follow the onscreen instructions.
20. If you did not provide credentials in the QR Code, the user will be prompted to enter the enrollment username and password.
21. When the device is enrolled, the user is asked to accept the privacy statement for the Workspace ONE UEM agent.
22. Once enrolled, the device downloads the appropriate profiles, applications, and content from Workspace ONE UEM.
    Note: If you see a blank white screen with the UEM logo, Hub is waiting to download applications. Wait until this screen disappears (apps have been downloaded). You may need to force install applications using the UEM console if the device is stuck with Hub showing a white screen.
23. You should be now presented with the Hub application showing that the device is enrolled.
24. Reboot the device and continue the PICO setup.
    Note: Do not select enterprise setup.
25. Within the Workspace ONE UEM Console, from the Customer or Child OG, navigate to Devices > List View. You should see the device enrolled into the Workspace ONE UEM Console. You should be able to manage these devices using Android Enterprise-based profiles.

Installing and Enrolling with SimpleXR (Any Pico device)

For devices that do not support QR code enrollment, SimpleXR tool can be used to enroll devices.

To register a device with a Workspace ONE UEM environment follow these steps:

1. If you are not starting with a new device, do a factory reset of the PICO headset through the settings menu on the device.
2. After the device is powered on, connect to a Wi-Fi network, and follow the steps in the headset to get to the PICO main screen.
3. Make sure that your system is updated to the latest firmware by launching the System Update (in Settings) app and updating it.
4. Plug the headset into your setup machine (where you downloaded SimpleXR) by using the USB cable provided and begin an ADB session.
5. Follow the SimpleXR instructions to enroll your device.
6. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console and be able to manage them remotely.

Managing Device PIN Code

Note the following limitations:

• Setting a passcode on PICO Neo 2, 3, and 4E devices is not supported.
• Setting a passcode on PICO Neo 3 and 4E causes Workspace ONE UEM to prevent users from using the device. Do not set Passcode policy on the PICO Neo 3 or 4E.                                                                                                                                                                                                                                                                                         

Managing Kiosk Mode

Note the following limitations:

• We recommend using the PICO method for setting kiosk mode. For more information, see PicoVR Kiosk Mode.
• Workspace ONE LockTaskMode and Workspace ONE Launcher are not supported on PICO devices.
• Workspace ONE XR Hub offers a kiosk mode experience on PICO devices. See Workspace ONE XR Hub documentation for more information.

Setting Up Controller Binding (G2 4K)

If you are using the device in kiosk mode, you should bind the controller to the HMD. For more information, see Operation Guide.

Accessing Device Logs

Request Device Log from Workspace ONE UEM Console.

1. To collect Hub, System, or Security logs, see Request Device Log.

   Note: For device system logs, users will need to access Intelligent Hub on the XR devices. Use the controller to click the top bar of the application and click Share on the Bug Report notification.

Managing Applications

Applications can be silently installed remotely to the XR device using Workspace ONE UEM. In summary:

• Application APKs and supporting files must be either uploaded to Workspace ONE UEM or placed on a web/file server that is accessible by the device.
• Applications and any supporting files are installed by Workspace ONE UEM on all assigned devices.

For more information on managing applications, see Deploying Internal Application on Android Devices.

Conclusion

You have now completed enrollment of your PICO Headset into Workspace ONE UEM. For information about enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Magic Leap 2 Enrollment & Management

This section describes how to enroll Magic Leap 2 devices into Workspace ONE UEM. VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your Magic Leap 2 device from a single console, after an easy onboarding process.

After completing the initial Workspace UEM setup, you are now ready to enroll your Magic Leap 2.

The QR code enrollment method sets up and configures Magic Leap 2 by simply scanning a QR code.

To generate a QR Code, follow the instructions in Enroll Work Managed Device Using a QR Code.

Magic Leap 2 QR Code Enrollment

After creating an enrollment QR Code, the final step is to complete the enrollment process on the Magic Leap 2 device.

1. Power on the ML2 device, and go through the OOBE Steps using the device:
   
   • Pair the controller.

     Note: It might be necessary to plug the controller into the Magic Leap 2 device using the USB-C cable.

   • Select the language.
   • Complete or skip the prescription insert instructions.
   • Accept the EULA.
   • Choose Enrollment to enroll your device into Workspace ONE UEM.
2. Select Start Scan with the Magic Leap 2 controller to scan the QR Code:
    
3. Position the Magic Leap 2 device so that the QR Code is inside the target rectangle. Note that it might take a few seconds to scan the QR Code.
   
   • If you have issues scanning the QR Code:
   1. Zoom in on the QR code in the PDF document so that it is at least 8” x 8” in size when viewed on the screen or a PC monitor.
   2. Maximize the window on the monitor. QR Code image should be at least 8” x  8” in size.
   3. View it at a large magnification (such as full screen) on a large monitor that has a 3:4 aspect ratio. (Higher aspect ratios will negate the largeness of the monitor.)
   4. The monitor needs to have a matte or anti-reflective finish (or be situated with special background lighting).
   5. The ambient lighting for the area around the monitor should be bright to avoid head-pose loss as the QR code detection is currently head-pose sensitive.
   6. The monitor settings might need to be tweaked for contrast, brightness, and sharpness (a midway setting for each of them is recommended).
   7. Some amount of movement (for position and viewing angle) of the headset (or the monitor) might be required to help with the capture.
   8. Scan the QR Code with a Viewing distance between 12” to 36”.
4. If scanned successfully, you will be presented with the following:
    
5. Click Accept & Continue using the Magic Leap 2 controller, and then click Next.
    
6. Device enrollment begins with:
    
7. Shortly, the device becomes enrolled, and the Workspace ONE Intelligent Hub app shows the current user.
8. Press the Home button on the Magic Leap 2 controller to get back to the Magic Leap home application.
9. From the Customer or Child OG in the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Updating Firmware with Over the Air (OTA) Updates

Workspace ONE UEM can push firmware updates to the Magic Leap 2 device.

Note: OTA updates require VMware Workspace ONE UEM version 2206 or later.

To perform an OS upgrade:

1. Download the latest Magic Leap 2 OS OTA Update file (available as and when Magic Leap publishes OTA updates).
2. In Workspace ONE UEM, create a Provisioning > Component > File/Action.
   
   • Upload the Magic Leap 2 OS OTA ZIP file.
     
     • Use the path $osupdate$/
   • Add an OS Upgrade action to the Manifest.
     
     • Select the uploaded ZIP file for the OS File.
3. In Workspace ONE UEM, go to Provisioning > Product List View.
   
   • Select Add a Product, and then select Android.
   • Add details to the product and select a smart group to assign the OS update to.
   • Add a File/Action – Install action to the Manifest.
     
     • Select the OS Upgrade File/Action component you created.
   • Add any conditions or deployment schedule to the product.
   • Click Activate to start the OS upgrade process.

For more information on OS updates for Work Managed devices, see Android OS Update for Work Managed Device.

Accessing Device Logs

Request Device Log from Workspace ONE UEM Console.

1. To collect Hub, System, or Security logs, see Request Device Log.

   Note: For device system logs, users will need to access Intelligent Hub on the XR devices. Use the controller to click the top bar of the application and click Share on the Bug Report notification.

Managing Applications

Applications can be silently installed remotely to the Magic Leap 2 device using Workspace ONE UEM. In summary:

• Application APKs and supporting files must be either uploaded to Workspace ONE UEM or placed on a web/file server that is accessible by the device.
• Applications and any supporting files are installed by Workspace ONE UEM on all assigned devices.

For more information on managing applications, see Deploying Internal Application on Android Devices.

Magic Leap Resources

For more information on the Magic Leap 2 devices, the following articles from Magic Leap can be useful:

• ML2 User Guide
• Update OS using The Magic Leap Hub
• Generate bug report using ADB
• Hard reboot/reset
• Factory reset

 You can also contact Magic Leap support at care@magicleap.com.

Conclusion

You have now completed enrolling your Magic Leap 2 device into Workspace ONE UEM. For information about how to enroll other types of XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

RealWear Enrollment

This section describes how to conduct a RealWear HMT-1 (Non-Intrinsically Safe), HMT-1Z1 (Intrinsically Safe), and RealWear Navigator device enrollment in Workspace ONE UEM. RealWear devices are designed for hands-free use in hazardous environments. VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your RealWear devices from a single console, with an easy onboarding process.

After completing the initial Workspace UEM setup, you are ready to enroll your RealWear HMT-1 (Non-Intrinsically Safe), HMT-1Z1 (Intrinsically Safe), or RealWear Navigator devices.

RealWear devices are enrolled using a QR code.

To generate a QR Code, follow the instructions in Enroll Work Managed Device Using a QR Code

Checking Firmware Version

After creating an enrollment QR Code, the next step in the device enrollment process is to conduct a firmware version check.

Note: The RealWear HMT-1 needs to be running the latest version of firmware that supports Android Enterprise (AOSP) enrollment. The minimum version is Android 8.1 (Build Number greater than v11).

1. Power on your RealWear HMT-1 device (for device operations, see the instruction manual provided by RealWear).
2. Check the display to make sure that the battery level is greater than 30%, as a Software update cannot be performed if the battery is not at 30% or higher.
3. Speak the Show Help command to show the list of available commands on the screen.
    
4. Speak the My Programs command.
5. Speak the About Device command to determine the version of firmware running on the device.
    
6. If the version of firmware is earlier than the one shown here, you will need to upgrade the firmware to complete the QR Code enrollment process. Skip the Firmware Update Section below, if your firmware is already updated to this version or later.

Updating Firmware

After conducting a firmware version check, the next step in the device enrollment process is to conduct a firmware update.

Note: The RealWear HMT-1 needs to be running the latest version of firmware that supports Android Enterprise (AOSP) enrollment. The minimum version is Android 8.1 (Build Number greater than v11). If the version of your firmware is lower, upgrade the firmware before proceeding. If your firmware is already updated to this version or higher, skip this Firmware Update section, and proceed to Finish Enrollment.

1. Power on your RealWear HMT-1 device. For device operations, see the instruction manual provided by RealWear.
2. Check the display to make sure that the battery level is greater than 30%, as a Software update cannot be performed if the battery is not at 30% or higher.
3. Speak the Navigate Home command to return to the home screen.
4. Speak the My Programs command to view the My Programs screen.
5. Speak the Configuration command to scan a QR Bar Code that will establish Wi-Fi Settings for the device to download the latest version of firmware.
6. On your PC or MAC, navigate to https://realwear.setupmyhmt.com, and click the Configuration button.
    
7. Click the First Time Setup button.
    
8. Select your preferred language, then select NEXT.
    
9.  Set your time and date, then select NEXT.
    
10. Provide your preferred Wi-Fi Settings for the device and select NEXT.
     
11.  Scan the QR Code with the HMT-1 Camera to configure your device.
     
12. The Wi-Fi should be configured at this point. Speak the Wireless Update command. If available, follow the commands on the screen to complete the Wireless Update.

Finishing the RealWear HMT-1 QR Code Enrollment

After updating firmware, the final step is to complete the RealWear HMT-1/Workspace ONE enrollment.

Note: The RealWear HMT-1 needs to be running the latest version of firmware that supports Android Enterprise (AOSP) enrollment. The minimum version is Android 8.1 (Build Number greater than v11).

1. After a firmware update, the HMT-1 should have performed a factory reset. Within a few minutes, this will automatically present the Configuration screen through the HMT-1 viewer, allowing for a QR Code scan.
2. Aim your HMT-1 Camera at the QR Code that you created in the Enrollment QR Code Creation section.
    
3. The camera will automatically capture the QR Code, and the enrollment process will begin. The Downloading Status screen will appear as the WS1 Hub is downloaded from the cloud, followed by an Installing… notification.
4. When the Accept & Continue Screen appears, speak the command Accept & Continue. Enrollment will begin.
5. Wait until the device becomes enrolled, and the Workspace ONE Intelligent Hub app shows the current user. Speak the command Navigate Home. The Hub Icon should be present in your My Programs screen.
    
6. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Conclusion

You have now completed a RealWear HMT-1 or HMT 1Z1 enrollment into Workspace ONE UEM. For information about how to enroll other types of XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Vuzix M400 & M4000 Enrollment

This section describes how to enroll Vuzix M400 or M4000 smart glasses into Workspace ONE UEM. VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your Vuzix smart glasses from a single console, after an easy onboarding process.

After completing the initial Workspace UEM setup, you are now ready to enroll your Vuzix smart glasses.

Vuzix devices are enrolled using a QR code.

To generate a QR Code, follow the instructions in Enroll Work Managed Device Using a QR Code

Vuzix QR Code Enrollment

After creating an enrollment QR code, the final step is to complete the enrollment process on the smart glasses. Out of the box, the Vuzix glasses can follow the procedure below.

Note: If the device has been configured previously, it will require a factory reset to take advantage of this provisioning method (Settings > System > Reset options > Erase all data).

1. On the screen below, press and hold the front-most button on the glasses for 3 to 4 seconds until the Provisioning App launches.
    
2. This immediately launches the camera. Aim the Vuzix camera at the QR Code that you created in the Enrollment QR Code Creation section.
    
3. The camera automatically captures the QR Code, and the enrollment process begins. The Downloading Status screen appears as the Workspace ONE Intelligent Hub is downloaded from the cloud, followed by an Installing… notification.
4. If the Accept & Continue Screen appears, press the rear-most button to continue.
5. Just before the process finishes, you will be presented with the Vuzix End User License Agreement, which you need to read and accept. You can accept and continue the process by again pushing the rear-most button on the glasses.
    
6. Wait until the device becomes enrolled, and the Workspace ONE Intelligent Hub app shows the current user.
7. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android (Enterprise) based profiles.

Conclusion

You have now completed enrolling your Vuzix smart glasses into Workspace ONE UEM. For information about how to enroll other types of XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left. 

SimpleXR Installation and Enrollment

SimpleXR is a tool that can simplify device enrollment if a device does not support zero touch enrollment.

You can download SimpleXR from  https://via.vmw.com/SimpleXR.

To set up your device for Workspace ONE UEM enrollment:

1. Make sure your device has been factory reset and that developer mode is enabled.
2. Connect the device to a PC using a USB Cable (you might need to use a phone USB-C cable).
3. Download Workspace ONE SimpleXR App from https://via.vmware.com/SimpleXR.
4. Extract and run the _SimpleXR.exe.
5. Click Next.
6. Configure the SimpleXR app with enrollment credentials or use a credentials.xml or credentials.bin.file
7. Click Next.
8. Click Check Device to make sure SimpleXR can see your connected device.
9. Click Next.
10. Click Run.
11. Monitor the progress in the connected headset.
    
    1. SimpleXR should quickly go through a process to configure the headset, launch the Intelligent Hub client, and auto-enroll the device using the credentials supplied.
    2. On certain devices, you may be asked to remove accounts. If so, quickly click any existing accounts listed. If the process is stuck at this step (Authorize Device Administrator Privileges), cancel and rerun SimpleXR.
12. When the Workspace ONE SimpleXR is complete, open the Workspace ONE UEM Console, and from the Customer or Child OG, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console.
13. You may wish to check in the headset to confirm Intelligent Hub has completed all necessary enrollment steps. Intelligent Hub may ask users to confirm the privacy statement or accept certain permissions configured on the device.

Summary and Additional Resources

Immersive technologies are becoming ever more popular, and interest is growing rapidly – particularly in augmented reality (AR), mixed reality (MR), and virtual reality (VR) headsets, sometimes called head-mounted displays (HMDs). To address this growing market and its resulting challenges, VMware has partnered with leading vendors to deliver scalable management and app delivery for Android and Windows 10-based devices. This guide walks you through the steps toward Workspace ONE UEM enrollment for HTC VIVE, Magic Leap, Meta Quest, PICO, RealWear, and Vuzix devices.

Additional Resources

For more information about delivering and managing XR devices through VMware Workspace ONE UEM, explore the following resources:

• Workspace ONE UEM – XR Device Interoperability Matrix
• XR Devices and UEM (Cloud)
• XR Devices and UEM (Installed)
• Workspace ONE XR Hub
• XR Hub Documentation
• XR Hub Release Notes
• XR Hub Datasheet
•  Workspace ONE UEM for Enterprise Wearables Datasheet
• Workspace ONE UEM Documentation
• Workspace IoT Endpoint Management

Changelog

The following updates were made to this guide.

Date	Description of Changes
2023/12/15	Updated enrollment instructions for several devices: Meta Quest for Business enrollment updated Removed ConQuest enrollment for consumer devices Added SimpleXR enrollment for HTC, PICO, and Lenovo devices Removed separate sections for HTC devices Added Lenovo VRX
2023/05/17	Updated device types and enrollment instructions: Updated title (due to the evolution of the naming and XR as an overall category of devices) Removed Oculus and Google Glass sections (devices are End of Life by their manufacturer, and Oculus has changed to Meta Quest as a brand) Added Meta Quest Business Enrollment (Tech Preview) section Added Registering Android EMM with Google Play Account section
2023/03/20	Updated enrollment processes and instructions
2023/02/22	Added Meta Quest for Business (Beta) information
2022/09/30	Added new section about enrolling and managing Magic Leap 2 devices with Workspace ONE UEM, and updated the guide throughout
2022/06/28	Updated enrollment processes for Meta Quest 2 and HTC VIVE Focus 3, which now supports QR Code enrollment
2022/06/16	Added new section about controlling in-headset experience with Meta Quest 2 (Consumer) and updated throughout
2022/05/24	Updated PICO enrollment options and new QR Code option
2022/03/22	Added HTC VIVE Focus 3, Meta Quest 2 Consumer, Oculus for Business, and PICO Neo 3 device enrollment procedures
2021/01/20	Added Vuzix M400 & M4000 enrollment procedures
2020/11/19	Added HTC VIVE Focus & Focus Plus Headset enrollment procedures
2020/10/01	Initial publication of RealWear, PICO, and Google Glass enrollment procedures

Authors and Contributors

The following authors, contributors, and subject-matter-expert reviewers collaborated to create this guide.

Authors

• Drew Evangelista, Senior Product Line Manager, End-User-Computing Product Management, VMware
• Matt Coppinger, Director, End-User-Computing Product Management, VMware

Contributors

• David Dwyer, Sr. Solution Engineer, End-User-Computing Technical Marketing, VMware
• Jon Duncan, Group Product Line Manager, UEM IoT, Mobile PM, EMM VMware
• Christina Minihan, Senior Staff End-User-Computing (EUC) Architect, End-User-Computing Technical Marketing, VMware

Feedback

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.