Evaluation Guide: Managing Apps and Devices with Cloud-Based VMware Workspace ONE

VMware Workspace ONE

Overview

This evaluation guide introduces you to cloud-based VMware Workspace ONE®. Workspace ONE integrates access control, application management, and multi-platform endpoint device management into a single platform. Workspace ONE is available as a cloud service or on-premises deployment. The exercises in this guide focus on managing mobile and desktop devices using the cloud service.

Use Workspace ONE to manage mobile devices, desktops, rugged devices, and “things.” With Workspace ONE, end users can get password-less single sign-on to a catalog of mobile apps, web apps, cloud apps, and Windows apps.

Purpose of This Guide

The tutorials in this guide help you evaluate this product through a series of practical exercises. Each exercise includes a video that demonstrates how to perform the task. For your convenience, following the video are the written-out steps. This way, you can consume the information in the format that you prefer: video, text, or both.

This guide describes how to perform the most common day-2 operations, such as deploying apps to devices, configuring single sign-on for end users, and configuring compliance policies. In order to perform the exercises in this guide, you need to have already set up a cloud-based Workspace ONE environment, as described in Evaluation Guide, Part 1: Setting Up Cloud-Based VMware Workspace ONE.

Important: The exercises in this guide are for evaluation purposes, based on minimum required resources for a basic deployment, and do not explore all possible features. The resulting environment should not be used as a template for deploying a production environment. To deploy a production environment, see the Workspace ONE Documentation.

Audience

This guide is intended for prospective IT administrators of Workspace ONE and anyone who uses the product. Familiarity with networking and storage in a virtual environment, Active Directory, identity management, and directory services is assumed. Knowledge of VMware Workspace ONE® UEM (unified endpoint management), VMware Workspace ONE® Access (formerly VMware Identity Manager), and VMware Horizon® is helpful but not required.

Note: Not all sections of this guide are necessarily applicable to your particular deployment. Optional sections are marked as such. If you have questions about the specifics of your order, reach out to your VMware sales representative.

Technical Introduction and Features

Workspace ONE is a digital platform that delivers and manages any app on any device by integrating access control, application management, and unified endpoint management. 

The main components of Workspace ONE are Workspace ONE Unified Endpoint Management (UEM) powered by AirWatch and VMware Workspace ONE Access (formerly known as VMware Identity Manager). Workspace ONE also integrates with VMware Horizon to provide virtual desktops and apps.

Features and Benefits

Key features of Workspace ONE include:

  • Identity and access management: The Workspace ONE Access component of Workspace ONE uses certificates to establish trust. This way, end users can get password-less single sign-on to a catalog of mobile apps, web apps, cloud apps, and Windows apps. 

    To protect sensitive information, Workspace ONE enforces access decisions based on device compliance and identity context. If needed, administrators can apply conditional access policies on a per-application basis.
  • Unified endpoint management: With the Workspace ONE UEM component of Workspace ONE, the choice of endpoint device can be left up to employees. Administrators manage the full lifecycle of any endpoint—mobile (Android, iOS), desktop (Windows 10, macOS, Chrome OS), rugged, and even IoT. Device management types include bring-your-own, choose-your-own, corporate-owned, locked down, and so on.
  • Automated app management: Whether you are deploying Windows apps or mobile apps, with Workspace ONE, you can automate the application delivery process to allow better security and compliance. Administrators can create an automated workflow for software, applications, files, scripts, and commands to install on endpoint devices.

For more information, see the video VMware Workspace ONE: Introductory Demo for IT Admins.

Components and Architecture

The core elements of cloud-based Workspace ONE that you will be working with in this guide are:

  • Workspace ONE UEM tenant and console, for unified management of mobile devices, desktops, and BYOD endpoints
  • Workspace ONE Access tenant and console, for secure, password-free single sign-on (SSO) to SaaS, mobile, Windows, virtual, and web apps on any device and OS

Other components that you must install and configure for the initial setup of cloud-based Workspace ONE are described in Evaluation Guide, Part 1: Setting Up Cloud-Based VMware Workspace ONE.

For a high-level overview of the Workspace ONE architecture, see the What is the architecture of Workspace ONE? section of the What Is Workspace ONE? document.

For detailed descriptions of how the components work together, along with logical architecture diagrams, see the Workspace ONE UEM Architecture document and the Workspace ONE Access Architecture document.

Packaging and Licensing

Workspace ONE is licensed as a subscription, with various pricing packages.

Two licensing models are available: per user and per device. When licensing Workspace ONE in a device-license model, the SSO and access control technology is restricted to work only on licensed devices and from managed applications. Organizations looking to enable or allow access to enterprise applications from any web browser must license Workspace ONE in a per-user license model.

Federating Single Sign-On Access to Web Apps

You use the Workspace ONE Access component to add Web apps to the Workspace ONE unified app catalog and configure those apps to trust Workspace ONE for performing authentication. The exercises in this chapter walk you through performing both of those tasks.

Exercise: Configure Salesforce to Trust Workspace ONE Access as Its Identity Provider

In this exercise, you create a Salesforce developer account and configure Workspace ONE Access as a third-party identity provider in Salesforce. This is the first step to providing users with single sign-on access from the VMware Workspace ONE® Intelligent Hub app or web portal. In the next exercise, you will complete the process by adding Salesforce as a web app to the unified app catalog.

Important: To perform this exercise, you must already have a Workspace ONE Access tenant with Administrator access, and you must have the Workspace ONE Access connector installed and synced with your directory service. If you have not satisfied one or more of these prerequisites, see the following sections of the evaluation guide for Workspace ONE setup:

Note: The following video, Configuring a Web App (Salesforce) to Trust Workspace ONE Access as an Identity Provider (IdP), demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. Log in to the Workspace ONE Access console, as follows:
    1. Open a browser and go to the URL for your Workspace ONE Access tenant.
    2. Enter the credentials for System domain admin, which is the account you set up when you got your Workspace ONE Access tenant, and then click Sign-in.

      You are taken to the Workspace ONE Access catalog portal.
    3. Click the user account button in the upper-right corner of the page, and select Workspace ONE Access Console.
  2. Using the new navigation, click the Resources tab, select Web Apps, and click the Settings button.
  3. In the Settings dialog box, select SAML Metadata, and under SAML Metadata, right-click Identity Provider (IdP) metadata and select Save Link As to save the metadata as an XML file.

    Note: You can also use this window to download a signing certificate or an encryption certificate. Because the identity provider metadata includes the signing certificate information, you do not need to separately download the certificate for Salesforce.
  4. Open a new browser tab to go to https://developer.salesforce.com/signup and fill out the form to get a free Salesforce account.

    Note: If you already have a Salesforce environment and want to use that instead, you can skip this part and just log in to Salesforce.

    Important: The username needs to match the tenant administrator user account in Workspace ONE Access if you want to have single sign-on access with this account.
  5. After you click Sign Me Up at the bottom of the Salesforce form, open the email from Salesforce, click Verify Account, and change your password.

    This email also gives you the URL for logging in to your new Salesforce environment.
  6. In Salesforce, using the Quick Find box, enter Single Sign-On to get to the single sign-on settings.
  7. In the Single Sign-On Settings section, click Edit, select the SAML Enabled check box, and click Save.
  8. In the SAML Single Sign-On Settings section, click New from Metadata File, and in the Federated Single Sign-on section, click Choose File to select and open the file that you just downloaded from Workspace ONE Access.
  9. Click Create, and in the form that appears, make sure that the following fields are set correctly before clicking Save:
    • SAML Identity Type is set to Assertion contains the User’s Salesforce username. This means that Workspace ONE Access is going to send over the user’s Salesforce username, which must be an email address.
    • SAML Identity Location is set to Identity is in the NameIdentifier element of the Subject statement.
    • Identity Provider Single Logout URL is set, which is just like the login URL, except that after the “auth/” part, it says logout.
    • Set Single Logout Request Binding to HTTP POST.
  10. Scroll down and click Download Metadata, which will download another XML file.

    You will use this file as directed in the next exercise, which is about adding the Salesforce web app to the unified app catalog.
  11. If you are using a new Salesforce developer account, add a test user, as follows:
    1. Using the Quick Find box, enter Users, to go to Users > Users.
    2. Click New User, and fill out the first and last name fields, and the alias.

      This user needs to match a user that you have in Workspace ONE Access so that the user can be mapped from that Access system to this Salesforce system. If you already have a Salesforce environment and it is connected to the same directory service and directories as your Workspace ONE Access system, you do not need to do this part.
    3. Enter the email address for the user, which must match the email used in Workspace ONE Access.

      The username is populated automatically from the email address. The nickname is also populated automatically, but you can change it if you like.
    4. Leave the role as None Specified, but be sure to change the User License to Force.com – Free, which automatically adds the correct corresponding profile.
    5. Scroll down and click Save.

      The Salesforce system is going to generate a password, but that does not matter because Workspace ONE Access is going to do the authentication.
  12. Add the Workspace ONE Access authentication service to the Salesforce login page, as follows:
    1. Using the Quick Find box, enter My Domain to go to My Domain.
    2. Scroll down to the Authentication Configuration section and click Edit.
    3. Under Authentication Service, select the check box next to the name of your single sign-on service, and click Save.

      For this exercise, you can leave the Login Form check box selected also.
    4. To test this configuration, open a new incognito window and go to the Salesforce login page.
    5. Verify that you can see both the regular login form and, below it, the link for logging in using Workspace ONE Access.

You can now proceed to the next exercise, to complete the two-part process of federating access to Web apps.

Exercise: Add the Salesforce Web App to the Workspace ONE App Catalog

In this exercise, you will use Workspace ONE Access to add Salesforce as a web app to the unified app catalog. This is the second part of the two-part process for providing users with single sign-on access from the Intelligent Hub app or web portal. In the preceding exercise, you did the first part, creating a Salesforce test environment and configuring Workspace ONE Access as a third-party identity provider in Salesforce.

Important: Before you can perform this exercise, you must first have completed the preceding exercise, Exercise: Configure Salesforce to Trust Workspace ONE Access as Its Identity Provider. This includes having downloaded an XML file from Salesforce that includes the Salesforce single sign-on SAML metadata.

Note: The following video, Adding Salesforce as a Web App to the VMware Workspace ONE App Catalog, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. Open a browser and log in to your Workspace ONE Access tenant as a user with Administrator privileges.
  2. Add the Salesforce app, as follows:
    1. Using the new navigation, click the Resources tab, select Web Apps, and click the New button.
    2. In the New SaaS Application wizard, click in the Search field, enter Salesforce and select Salesforce from the drop-down list, and then scroll down and click NEXT.

      The fields on the form are automatically populated because Salesforce is one of the many enterprise Web applications included in the cloud application catalog.
    3. On the Single Sign-On Configuration page, under Configuration, click URL/XML.
    4. Using a text editor, open the metadata XML file that you downloaded from Salesforce, and then select and copy all the text in the file.
    5. Back in the Workspace ONE Access wizard, paste the text into the URL/XML text box, scroll down, and click NEXT.
    6. On the Access Policies page, you can leave the default access policy selected, click NEXT, and then on the Summary page, click SAVE & ASSIGN.
  3. Assign the app, as follows:
    1. On the Assign page, in the search box, enter all users, and select ALL USERS.
    2. For the deployment type, select Automatic, and click SAVE.

      If you were to leave the deployment type set to User-Activated, users would have to go through an approval process before they can use the application.
  4. Change the Username Value for Salesforce to use an email address, as follows:
    1. Back on the Resources > Web Apps page, select the Salesforce application and click Edit.
    2. Click NEXT to go to the Configuration page of the Edit SaaS Application wizard.
    3. Scroll down to the Username Value field, and because Salesforce is going to be looking for an email address, change this setting to ${user.email}, and click NEXT.
    4. On the Access Policies page, click NEXT.
    5. On the Summary page, click SAVE.
  5. To test the configuration, open a new incognito window and log in to Workspace ONE Access as the test user that you configured in Salesforce, as described in Exercise: Configure Salesforce to Trust Workspace ONE Access as Its Identity Provider.
    1. Select the test user’s domain and click NEXT.
    2. Enter the test user’s username—just the username because the domain is already selected—and the password, and click Sign-in.
  6. In the app catalog that appears, click the Salesforce icon.

    If the configuration is correct, the Salesforce application appears, without prompting for login credentials again.
  7. To explore the types of access policies you can create:
    1. Log in to Workspace ONE Access as an administrator and navigate to Resources > Policies.
    2. Select the default policy and click EDIT.

      The policy applies to one application right now, and that is Salesforce.
    3. On the Definition page, click NEXT.

      On the Configuration page, the table lists the rules that are currently defined. It has one rule for the device type called Web Browser and another rule for the Workspace ONE App or Hub App. And all network ranges are allowed.
    4. Click ADD POLICY RULE to see what all the possible rule settings are.
    5. Click the drop-down lists to see all the possible options for each setting.

      For example, there are many possible device types. Note that for the authentication method, you can click the + (plus sign) to add a second method, as would be used for two-factor authentication. You can also add a fallback method.
    6. Click CANCEL.
  8. To see the list of all possible authentication methods you can configure, navigate to Integrations > Authentication Methods, and then select the radio button for a method and click CONFIGURE.

Deploying Native Apps to Devices

Mobile application management with Workspace ONE lets organizations deploy and control certain apps on end users’ devices. Security is ensured through the use of compliance policies. In this exercise, you will use Workspace ONE UEM to add and assign a public iOS app and an internal Windows app. In the exercises that follow, you will configure authentication methods to be used when users attempt to access the app, including:

  • Single sign-on by using Mobile SSO for iOS or user certificate authentication for Windows desktops
  • Conditional access by conducting a compliance check

Note: The exercises in this guide use examples of deploying apps and configuring SSO on iOS and Windows devices. For information about accomplishing these tasks on Android devices, see the product documentation guides Implementing Mobile Single Sign-On Authentication for Workspace ONE UEM Managed Android Devices and Integrating Workspace ONE UEM with Android.

Exercise: Deploy a Public iOS App and an Internal Windows App

Workspace ONE supports managing native (internal, public, purchased) and web applications:

  • Internal apps are either internally developed apps that are uploaded directly to the Workspace ONE UEM console or apps that are imported from an external app repository, such as the Enterprise App Repository for Windows.

    Important: In October 2022, the Microsoft Office 365 application was added to the Workspace ONE Enterprise Application Repository. See New Windows Baselines and Microsoft Office 365 app now available in Workspace ONE UEM.

  • Public apps are available on various app stores, such as the Apple App Store, the Google Play app store, Microsoft Store for Business, and so on.

    Important: To deploy a public app that is imported from Microsoft Store for Business, you must configure Azure Active Directory services in Workspace ONE UEM to enable the communication between the systems. You must also have a Microsoft Store for Business Admin Account with Global Permissions. This task is beyond the scope of this evaluation guide, but instructions are provided in the product documentation guide App Management for Windows in Workspace ONE UEM. Also see the Tech Zone guide Integrating Microsoft Store for Business: VMware Workspace ONE Operational Tutorial.

  • Purchased apps, available for macOS and iOS devices, are categorized as VPP (Volume Purchased Program) and Custom B2B apps. The VPP allows organizations to purchase, distribute, and manage their apps and books in bulk. Custom B2B apps for iOS are developed by third parties and are then distributed through the VPP store.

For this exercise, you will create a native public app in Workspace ONE UEM, and that app will be the iOS version of Salesforce. You will also create a native internal app, using the Enterprise App Repository, and that app will be the Windows version of Notepad++.

Important: This exercise shows you how to add a single native internal app and a single native public app, each with no dependencies. If you have apps that you want to install that have dependencies, you should look at Freestyle Orchestrator. For example, Freestyle Orchestrator is designed for use cases such as installing Outlook and Zoom and having the Zoom plugin installed in Outlook. The best way to try out Freestyle Orchestrator is to use a VMware Hands On Lab. See “Module 1 – Introductions to Freestyle Orchestrator,” in Workspace ONE UEM Getting Started Hands-On Lab.

Note: The following video, Adding and Assigning a Public App and an Internal App in Workspace ONE, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, click RESOURCES in the left panel, and then navigate to Applications > Native.
  2. Create a public iOS application for Salesforce, as follows:
    1. Click the Public tab on the page, and click ADD APPLICATION.
    2. In the Add Application wizard, for Platform, select Apple iOS.
    3. With SEARCH APP STORE selected, in the Name field, enter Salesforce, and click NEXT.
    4. From the search results, click the SELECT button next to Salesforce.
    5. Scroll down to see the other options and information about the application on the Details tab, and also click the Terms of Use tab and the SDK tab, to see those options, and finally click SAVE & ASSIGN.

      For more information about each field, place your cursor over the tooltip icon, or see the table in the product documentation topic Deploy Public Applications on Your Devices. For information about SDK profiles, see the product documentation guide App Management with VMware Workspace ONE SDK Settings.

  3. In the Salesforce Assignment wizard, create an assignment for the iOS app, as follows:
    1. On the Distribution page that appears, enter a name for the assignment, such as Salesforce – Staff.
    2. Click in the Assignment Groups box, and from the list that appears, select All Devices.

      The list displays the smart groups you can choose from.

    3. For App Delivery Method, select Auto.
    4. Click Restrictions in the left pane and scroll through the Restrictions options, and make sure Managed Access is turned on, and turn on Make App MDM Managed If User Installed.
    5. Click Application Configuration in the left panel, turn on Send Configuration, scroll down to the configuration table and enter the following values:
      • In the Configuration Key column, enter AppServiceHosts.
      • In the Value Type column, select String.
      • In the Configuration Value column, enter the server name portion of the Salesforce URL that your users will connect to. For example, myserver-a1-dev-ed-my.salesforce.com, without the HTTPS://. Be sure to use the server name for the instance that you have created. For iOS Salesforce apps, you must omit the HTTPS://, whereas for Android Salesforce apps, you must include the HTTPS://. For more information, see the “Automatic Custom Host Provisioning” section of the Salesforce Public Mobile App Security Guide.
    6. Click CREATE.

      Your assignment is now listed on the Salesforce Assignment Details page.

    7. Click SAVE on the Details page, and on the Salesforce – Preview Assigned Devices page, click PUBLISH.

      No devices are listed on this page yet because you have not yet enrolled any devices.

      After the application is published, you are taken to the Salesforce application page, on the Assignment tab.

    8. Click the Summary tab, and scroll down to see the tiles that will give you status information once you enroll devices and the application is automatically installed.
  4. To create an internal application for Windows:
    1. Click RESOURCES in the left panel, and then navigate to Applications > Native, and click the Internal tab.
    2. Click ADD and select From Enterprise App Repository.
    3. In the Add Application window, click in the Search bar and search for Notepad.
    4. In the search results, select Notepad++ (x64) and click NEXT.
    5. On the Details page, review the settings, changing the name, if desired, and set Update Notifications to Notify, if you want to get email and console notifications when a new version is added to the repository. Click NEXT.
    6. Review the Summary page and click SAVE.

      Note: In reviewing the settings and options, you can see that almost a dozen options are automatically configured. If you add an application file manually, rather than using the Enterprise App Repository, you must configure most of these options yourself.

      The app is uploaded and then added to the list of internal apps on the List View page.

  5. Create an assignment for the Windows app, as follows:
    1. From the list of the internal apps, use the Search List box, if necessary, to find the Notepad++ app you just added.
    2. Select the radio button next to the app name and click the ASSIGN button that appears.
    3. On the Distribution page that appears, enter a name for the assignment, such as Notepad++ – Staff.
    4. Click in the Assignment Groups box, and from the list that appears, select All Devices.

      The list displays the smart groups you can choose from.

    5. For App Delivery Method, select Auto.
    6. Click Restrictions in the left pane and turn on Make App MDM Managed If User Installed.
    7. Click CREATE.

      Your assignment is now listed on the Notepad++ Assignment Details page.

    8. Click SAVE on the Details page, and on the Notepad++ – Preview Assigned Devices page, click PUBLISH.

      No devices are listed on this page yet because you have not yet enrolled any devices.

      After the application is published, you are taken to the Notepad++ application page, on the Assignment tab.

Exercise: Configure SSO Authentication and Compliance Policies for iOS and Windows Devices

With SSO (single sign-on) authentication, after users log in to Workspace ONE on their devices, they will not need to log in again when they access apps that require authentication. Workspace ONE can also perform device compliance checks to verify that the device is compliant with security requirements before it lets the user access applications.

Important: Before you can perform this exercise, you must have already set up integration between Workspace ONE UEM and Workspace ONE Access, as described in the Evaluation Guide: Setting Up Cloud-Based VMware Workspace ONE. You must also have integrated Salesforce with Workspace ONE Access, as described in the earlier exercises in this guide:

Note: The following video, Workspace ONE: Configuring Mobile SSO Authentication for iOS and Windows, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. Export the root certificate for integration between Workspace ONE UEM and Workspace ONE Access, as follows:
    1. In the Workspace ONE UEM console, navigate to the Getting Started > Workspace ONE page.
    2. Scroll down to the Connect to Workspace ONE Access row, and click EDIT.
    3. Scroll down to the Certificate section and next to Issuer Certificate, click the EXPORT button.

      Tip: If, instead of seeing the certificate information in the Certificate section, you see an ENABLE button, you will need to click that button before you can export the certificate.

      The name of the certificate file is VidmAirWatchRootCertificate.cer. You will now switch to the Workspace ONE Access console to perform the rest of the steps.
  2. Use Workspace ONE Access to configure various authentication methods, the first of which is the compliance check, as follows:
    1. In the Workspace ONE Access console, click the Integrations tab, and click UEM Integration in the left panel.
    2. Scroll down to the Compliance Check section, select Enable, and click Save.
    3. Click Authentication Methods at the top of the list in the left panel, and verify that for Device Compliance (with Workspace ONE UEM), the status is Enabled.
  3. While still on the Integrations > Authentication Methods page, configure Mobile SSO for iOS, as follows:
    1. Scroll down the Authentication Methods page, select Mobile SSO (for iOS), and then scroll back up and click CONFIGURE.
    2. Set Enable KDC Authentication to Yes.
    3. Click SELECT FILE, navigate to the VidmAirWatchRootCertificate.cer file that you downloaded earlier in this procedure, and click Open.
    4. Click Yes in the confirmation box that appears, and then scroll down and click SAVE.

      To learn more about any of the options in the Mobile SSO wizard, click the tooltip next to the option.
  4. Configure SSO for Windows, as follows:
    1. To create a rule for Windows, in the Authentication Methods page, select Certificate (Cloud Deployment) and click CONFIGURE.
    2. Set Enable Certificate Adapter to Yes.
    3. Click SELECT FILE, navigate to the VidmAirWatchRootCertificate.cer file that you downloaded earlier in this procedure, and click Open.
    4. Click Yes in the confirmation box that appears.
    5. Set Use CRL from Certificates to No.

      You do not need this option for this evaluation setup.
    6. Scroll down and click SAVE.
  5. Configure the built-in identity provider, as follows:
    1. Click Identity Providers in the left pane of the Workspace ONE Access console, and in the list of identity providers, click Built-in.
    2. Scroll down to the Users section and select the user group that you used when you added and synced an AD user group in Workspace ONE Access.

      Tip: The procedure for adding this group is shown in the video Adding and Syncing Active Directory User Groups in Workspace ONE Access.
    3. Scroll down to the Authentication Methods section, verify that all the methods that you configured are selected, and also select Password, which you will configure as a fallback method in a later step.
    4. In the Network section, select ALL RANGES.
    5. In the KDC Certificate Export section, click Download Certificate.

      You will use this certificate when creating an iOS profile for SSO.
    6. Scroll down and click Save.
  6. Create an SSO and compliance policy, as follows:
    1. Click the Resources tab and select Policies in the left panel.
    2. Click ADD POLICY and name the policy, for example, Mobile SSO and Compliance Policy.
    3. For the description, enter, for example, For iOS and Windows.
    4. Under Applies to, click in Select applications from, and select Salesforce.

      Salesforce appears in the list if you completed the earlier exercises from the chapter Federating Single Sign-On Access to Web Apps.
    5. Click NEXT, and on the Configuration page.
    6. Click ADD POLICY RULE, to create a rule for iOS devices, and complete the Add Policy Rule page:
      • For network range, leave the setting as ALL RANGES.
      • For device type, select iOS.
      • For user groups, leave the setting empty so that it applies to all users.
      • For the action, leave it set to Authenticate using….
      • For the authentication method, select Mobile SSO (for iOS).
      • Click the + sign next to that field to add a second authentication method.
      • Next to and, select Device Compliance (with Workspace ONE UEM).
      • Click ADD FALLBACK METHOD and select Password (cloud deployment).
    7. Click SAVE.
    8. Click ADD POLICY RULE, to create a rule for Windows devices, and complete the Add Policy Rule page:

      Important: Unless you have configured the Salesforce app to be imported from the Microsoft Store for Business, the rule that you are about to create will not come into play. The steps are included here so that you can see what they are. To import the Salesforce app from the Microsoft Store, you must configure Azure Active Directory services in Workspace ONE UEM, and you must have a Microsoft Store for Business Admin Account with Global Permissions, as described in the product documentation guide App Management for Windows in Workspace ONE UEM.
      • For network range, leave the setting as ALL RANGES.
      • For device type, select Windows 10.
      • For user groups, leave the setting empty so that it applies to all users.
      • For the action, leave it set to Authenticate using….
      • For the authentication method, select Certificate (cloud deployment).
      • Click the + sign next to that field to add a second authentication method.
      • Next to and, select Device Compliance (with Workspace ONE UEM).
      • Click ADD FALLBACK METHOD and select Password (cloud deployment).
    9. Click SAVE.
    10. Click ADD POLICY RULE, to create a rule for web browsers, and complete the Add Policy Rule page:
      • For network range, leave the setting as ALL RANGES.
      • For user groups, leave the setting empty so that it applies to all users.
      • For the action, leave it set to Authenticate using….
      • For the authentication method, select Password (cloud deployment).
    11. Click SAVE.
    12. Click NEXT, and on the Summary page, click SAVE.

Exercise: Configure SSO Profiles for iOS and Windows

Profiles are used to manage and configure devices. When creating a profile, you first define the general settings and then define the type of restriction or setting to apply by using payloads. The next section covers profiles and payloads in more detail. The recommendation is to use one payload per profile. However, for the iOS SSO profile, you will configure several payloads.

Important: Before you can perform this exercise, you must have already completed the preceding exercise, Exercise: Configuring SSO Authentication and Compliance Policies for iOS and Windows Devices. This includes having downloaded the KDC certificate.

Note: The following video, Workspace ONE: Configuring SSO Profiles for iOS and Windows, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, click Resources in the left panel, and then navigate to Profiles & Baselines > Profiles.
  2. On the Profiles page, click ADD and select Add Profile.
  3. In the Add Profile wizard, select iOS and select Device Profile.
  4. Complete the General settings page, as follows:
    1. For Name, enter iOS Passcode Profile.
    2. For Smart Groups, click in the box, to display a list, and select All Devices.
    3. For the rest of the options on this page, leave the defaults.
  5. From the list of payloads on the left, click Credentials and click CONFIGURE.
  6. On the Credentials page, click UPLOAD, browse to KDC-root-cert.cer, select and open the file and click Save.
  7. From the list of payloads, click SCEP and click CONFIGURE.
  8. Complete the SCEP page, as follows:
    1. For Credential Source, select AirWatch Certificate Authority.
    2. The other fields are auto-populated when you select the AirWatch option. Keep these settings.
  9. From the list of payloads, click Single Sign-On and click CONFIGURE.
  10. Complete the Single Sign-On page, as follows:
    1. For Account Name, enter Kerberos.
    2. For Kerberos Principal Name, select {EnrollmentUser}.
    3. For Realm, enter VIDMPREVIEW.COM.

      Important: This text must be entered in uppercase letters.
      Although the convention is to make the realm name the same as the Workspace ONE Access tenant domain name, the realm and domain are independent and can sometimes differ.

      Refer to the Knowledge Base article Workspace ONE Access and Hub Services and SaaS IP address change (87063) which lists realm details.
    4. For Renewal Certificate, select SCEP #1.
    5. In the URL Prefixes section, for URLs, enter your Workspace ONE Access tenant URL.
    6. In the Applications section, for Application Bundle ID, select com.salesforce.chatter.
    7. Click Add and enter com.apple.mobilesafari.
  11. Click SAVE AND PUBLISH, and then on the View Device Assignment page, click PUBLISH.
    No devices are listed on this page because you have not yet enrolled any devices.
  12. Click ADD > Add Profile and select Windows > Windows Desktop > User Profile.
  13. Complete the General settings page, as follows:
    1. For Name, enter Windows User Cert.
    2. For Smart Groups, click in the box, to display a list, and select All Devices.
    3. For the rest of the fields on this page, leave the defaults.
  14. From the list of payloads on the left, click SCEP and click CONFIGURE.
  15. Complete the SCEP page, as follows:
    1. For Credential Source, select AirWatch Certificate Authority.
    2. For Certificate Template, select Certificate (Cloud Deployment).
    3. For Key Location, select TPM If Present.
  16. Click SAVE AND PUBLISH and then on the View Device Assignment page, click PUBLISH.

Managing Devices Using Workspace ONE UEM Profiles and Compliance Policies

Device profiles and compliance policies work in the following ways:

  • Device profiles are installed on the device, and they control security-related settings that can include passcode complexity, geofencing, time schedules, device hardware functionality, Wi-Fi, VPN, email, certificates, and many more.
  • Compliance policies are security-related rules that devices must follow to be deemed compliant. For example, an administrator might create a compliance policy that has several rules, including that the device must have a passcode set, must be within a certain network range, and must have a minimum OS version. If any of these rules is broken, the device is marked as not compliant and is not allowed to access any managed apps, or the device could even be locked.

Device profiles and compliance policies can work together when administrators define, for example, a compliance profile that gets installed automatically by a compliance policy if a user fails to make their device compliant within a certain amount of time. Defining this type of escalation is part of creating compliance policies.

Exercise: Configure Passcode/Password Profiles for iOS and Windows Devices

Most device management capabilities in Workspace ONE are carried out by using Workspace ONE UEM profiles. User and device profiles can be very granular, including settings for just about anything you can think of. The simplest way to create and organize profiles is to create a separate profile for each payload, or type of setting. One example of a payload is passcode. Within the passcode payload for iOS, you can configure ten different options, including such things as passcode length and maximum number of failed attempts.

Tip: For information about all the payloads available for iOS devices, see the product documentation topic iOS Device Profiles. For Windows Desktop, see the documentation topic Workspace ONE UEM Profiles for Windows. For information about profiles for other operating systems, see the device management guides on the main VMware Workspace ONE UEM Console Documentation page.

In the previous exercise, you created SSO profiles, which included multiple payloads. For this exercise, you will create a more traditional type of profile, which will include just one payload per profile, after you fill out the general settings.

Note: The following video, Workspace ONE: Configuring Passcode/Password Profiles for iOS and Windows Devices, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, click RESOURCES in the left panel, and then navigate to Profiles & Baselines > Profiles.
  2. On the Profiles page, click ADD and select Add Profile.
  3. In the Add Profile wizard, select iOS and select Device Profile.
  4. Complete the General settings page, as follows:
    1. For Name, enter iOS Passcode Profile.
    2. For Smart Groups, click in the box, to display a list, and select All Devices.
    3. For the rest of the options on this page, leave the defaults.

    Note: Deployment Type is set to Managed. For this evaluation, use Managed so that you can explore the full set of device management features.
  5. From the list of payloads on the left, click Passcode and click CONFIGURE.
  6. Complete the Passcode settings page, as follows:
  • Select Require passcode on device. The rest of the settings are displayed.
  • Set Minimum passcode length to the desired number.
  • For this exercise, leave the rest of the default settings. For example, leave Maximum number of failed attempts set to None, to avoid getting locked out of the system while you are trying to evaluate the product!

    Tip: Use the tooltips to learn more about a setting.
  7. Click SAVE AND PUBLISH.

    The View Device Assignment page is displayed. Nothing appears on this page yet because you have not yet enrolled any devices.
  8. Click PUBLISH. The new device profile appears in the list on the Profiles page.
  9. Click ADD > Add Profile, and select Windows > Windows Desktop > Device Profile.
  10. Complete the General settings page, as follows:
    1. For Name, enter Windows Password Profile.
    2. For Smart Groups, click in the box, to display a list, and select All Devices.
    3. For the rest of the fields on this page, leave the defaults.
  11. From the list of payloads on the left, click Password and click CONFIGURE.
  12. Review the various settings on the Password page, but you can use the default settings.

    Note: On the right side of the page, you might see Workspace ONE Intelligent Hub or 10. These labels mean that in order to enforce the setting, the device must have the Intelligent Hub installed, must use the Windows 10 or higher operating system, or both.
  13. Click SAVE AND PUBLISH, and then on the View Device Assignment page, click PUBLISH.

Exercise: Create Compliance Policies in Workspace ONE UEM

If you completed the steps in the earlier section Exercise: Configure SSO Authentication and Compliance Policies for iOS and Windows Devices, you created a compliance policy in Workspace ONE Access. That policy basically said that you want a compliance check to be performed on the specified devices. But what exactly is involved in the compliance check? You define the aspects of the compliance check by creating a compliance policy in Workspace ONE UEM.

Examples of requirements you might define as part of a compliance policy include:

  • A passcode of a certain length must already be set on the device, or a password of a certain strength.
  • The device must have the minimum required version of a particular operating system.
  • The device must have checked in within a specified time interval.
  • The antivirus status must be good, the system drive must be encrypted, updates must be checked for, and so on.

You can configure the policy so that if the device is found to be out of compliance, any number of actions and escalations are taken, including such things as:

  • Blocking or removing certain or all managed apps
  • Running a command to wipe the device or have the device check in
  • Notifying the user, an administrator, or someone else by email, SMS, or push notification, using predefined or custom templates
  • Installing or blocking installation of a particular device profile

Note: The following video, Creating Compliance Policies in Workspace ONE UEM, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, click DEVICES in the left panel, and then navigate to Compliance Policies > List View.
  2. On the List View page, click ADD.
  3. In the Add Policy wizard, select Apple iOS.

    The Compliance Policy page appears. The next steps tell you which options to select for this exercise. If you would like to read descriptions of all the options, see the product documentation topic Compliance Policies Rules and Actions.
  4. Complete the Rules tab of the iOS Compliance Policy page, as follows:
    1. In the first drop-down list for the first rule, select Passcode.
    2. Leave the second drop-down list set to Is Not Present, meaning that if a passcode has not been set, the device is out of compliance.
    3. For this exercise, you can leave Default Template selected, but in practice you would deselect that check box and either select the template you want to use, or click the link that appears and go to the Message Template page to create the message you want to send.
    4. Click NEXT.

      Tip: For this exercise, we will have only one rule. In practice, you could click Add Rule to define as many rules as you like. You can use the Match drop-down list to specify whether all the rules must be met or just any one of the rules must be met to mark the device as noncompliant.
  5. Complete the Actions tab of the iOS Compliance Policy page, as follows:
    1. Leave the check mark next to Mark as Not Compliant.

      In practice, you might choose to remove the check mark and then add an escalation to specify that if a certain action is not taken within a certain amount of time, then mark the device as not compliant.
    2. Leave the first drop-down list set to Notify.
    3. In the second drop-down list, select Send SMS to Device.
    4. Click NEXT.

      Tip: For this exercise, we will not click Add Escalation, to add any escalations. In practice, you might do so to specify that after a certain number of hours or days, you want a certain action to be taken. You can even add multiple escalations.
  6. On the Assignments tab of the iOS Compliance Policy page, click in the box next to Smart Groups and select All Devices, and click NEXT.
  7. On the Summary page, click FINISH & ACTIVATE. The new policy is added on the List View page.

    Important: For this exercise, we are not changing the default name of the policy, but if you want to change the name or description, you do that on the Summary page, rather than on the first page of the wizard.
  8. Click ADD on the List View page and select Windows Desktop, to create a policy for Windows devices.
  9. On the Rules tab, select OS Version from the first list, and select the very first Windows 10 version from the last drop-down list, to specify a very early, and therefore less secure version of the OS. Click NEXT.

    You are creating a rule that says if the Windows 10 version is that out of date, you want to mark the device as noncompliant.
  10. On the Actions tab, select Application from the first drop-down list, leave the second drop-down list set to Block/Remove All Managed Apps, and click NEXT.
  11. On the Assignments tab, click in the box next to Smart Groups and select All Devices, and click NEXT.
  12. On the Summary page, click FINISH & ACTIVATE.

    The new policy is added to the List View page. Now, if a Windows device uses this older version of Windows 10, no managed apps will be installed.

Tip: You can also define the compliance policy so that if the user does not make their device compliant within a certain time period, the policy will install a device compliance profile that restricts the settings in question. For more information, see the product documentation topic Compliance Profiles.
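
The following added example, which is not part of the original guide and is not VMware code, models how the rules, Match setting, actions, and escalations described in this exercise combine into a compliance decision for a device. The device records, the OS version floor and its at-or-below comparison, the check-in rule, and the 48-hour escalation are constructed assumptions for illustration.

```python
"""Toy model of a UEM-style compliance check (illustration only, not product code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Tuple


@dataclass
class Device:                        # constructed record, not a product schema
    name: str
    platform: str                    # "Apple iOS" or "Windows Desktop"
    passcode_present: bool
    os_version: Tuple[int, ...]
    last_seen: datetime


@dataclass
class Rule:
    label: str
    violated: Callable[[Device, datetime], bool]   # True when the rule is broken


@dataclass
class Action:
    label: str
    after: timedelta = timedelta(0)  # zero = immediate action, otherwise an escalation


@dataclass
class Policy:
    name: str
    platform: str                    # platform chosen in the Add Policy wizard
    match: str                       # "any" or "all", as in the Match drop-down list
    rules: List[Rule]
    actions: List[Action]


def passcode_not_present() -> Rule:
    return Rule("Passcode Is Not Present", lambda d, now: not d.passcode_present)


def os_version_at_or_below(floor: Tuple[int, ...]) -> Rule:
    # Assumption: the guide does not name the comparison operator it selects.
    return Rule("OS Version at or below " + ".".join(map(str, floor)),
                lambda d, now: d.os_version <= floor)


def not_seen_within(interval: timedelta) -> Rule:
    return Rule(f"No check-in within {interval}",
                lambda d, now: now - d.last_seen > interval)


def evaluate(policy, device, now, noncompliant_since=None) -> dict:
    """Return the compliance decision and the actions that are due right now."""
    if device.platform != policy.platform:
        return {"in_scope": False, "compliant": True, "violations": [], "actions": []}
    hits = [r.label for r in policy.rules if r.violated(device, now)]
    if policy.match == "all":
        noncompliant = bool(policy.rules) and len(hits) == len(policy.rules)
    else:
        noncompliant = bool(hits)
    if not noncompliant:
        return {"in_scope": True, "compliant": True, "violations": hits, "actions": []}
    # Escalations fire only once the device has stayed noncompliant long enough.
    elapsed = now - (noncompliant_since or now)
    due = [a.label for a in policy.actions if a.after <= elapsed]
    return {"in_scope": True, "compliant": False, "violations": hits, "actions": due}


NOW = datetime(2024, 1, 10, 12, 0)   # constructed evaluation time

IOS_POLICY = Policy("iOS passcode", "Apple iOS", "any", [passcode_not_present()],
                    [Action("Notify: Send SMS to Device"),
                     Action("Install compliance profile", timedelta(hours=48))])
WINDOWS_POLICY = Policy("Windows OS floor", "Windows Desktop", "any",
                        [os_version_at_or_below((10, 0, 10240))],
                        [Action("Application: Block/Remove All Managed Apps")])
STRICT_POLICY = Policy("iOS stale and unlocked", "Apple iOS", "all",
                       [passcode_not_present(), not_seen_within(timedelta(days=7))],
                       [Action("Notify: Send SMS to Device")])

FLEET = [  # constructed sample devices
    Device("ipad-01", "Apple iOS", False, (17, 2), NOW - timedelta(hours=1)),
    Device("iphone-02", "Apple iOS", True, (17, 2), NOW - timedelta(days=9)),
    Device("win-vm-01", "Windows Desktop", True, (10, 0, 10240), NOW),
    Device("win-vm-02", "Windows Desktop", True, (10, 0, 19045), NOW),
]


def audit(fleet, policies, now, since=None):
    """List (device, policy, violations, actions) for noncompliant in-scope devices."""
    since = since or {}
    findings = []
    for device in fleet:
        for policy in policies:
            result = evaluate(policy, device, now, since.get(device.name))
            if result["in_scope"] and not result["compliant"]:
                findings.append((device.name, policy.name,
                                 result["violations"], result["actions"]))
    return findings


if __name__ == "__main__":
    for row in audit(FLEET, [IOS_POLICY, WINDOWS_POLICY, STRICT_POLICY], NOW,
                     {"ipad-01": NOW - timedelta(hours=49)}):
        print(row)
```

With Match set to "all", ipad-01 and iphone-02 each break only one of the two rules in the third policy, so neither is marked noncompliant by it; the same rules under "any" would flag both.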

Enrolling Devices

Exploring the absolute multitude of enrollment mechanisms for devices is beyond the scope of this evaluation guide. The exercises in this guide will use the Workspace ONE Intelligent Hub to enroll iOS and Windows devices. After going to https://getwsone.com/ and downloading and installing the Intelligent Hub app, you will sign in to complete the process of enrolling the device in Workspace ONE.

Important: Besides being used for enrollment, the Intelligent Hub app is the app employees use for all Workspace ONE services, including single sign-on capabilities, a unified app catalog, People Search, remote troubleshooting assistance, and more. For more information, see the Tech Zone article What Is Workspace ONE Intelligent Hub?

Other options for enrolling devices include:

  • Browser-based enrollment – For example, on iOS devices, users who do not have an Apple ID can use this method.
  • Bulk enrollment – Examples on iOS include using the Apple Configurator 2 and the Apple Business Manager's Device Enrollment Program (DEP). Examples on Windows include using Azure AD integration, such as Out of Box Experience enrollment or Office 365 enrollment, or using native MDM enrollment or Windows Desktop device staging.
  • User enrollment – Available on iOS and allows administrators to effectively manage settings, applications, and corporate data while protecting user privacy and personal data.
  • Registered mode – With this type of management mode, users can use a subset of Workspace ONE services without full MDM (mobile device management), including Workspace ONE Assist, VMware Workspace ONE Tunnel, Digital Experience Employee Management (DEEM), and Workspace ONE Hub Services. For more information, see the video Enabling Windows 10 Registered Mode in Workspace ONE UEM and DEEM in Workspace ONE Intelligence.

For information on all these enrollment options, see the platform-specific product documentation topics.

Exercise: Enroll an iOS Device Using the Intelligent Hub

The Workspace ONE Intelligent Hub makes enrolling a device very easy. You can either go to https://getwsone.com/ and be redirected to the app in the Apple App Store, or you can just go to the App Store and search for Intelligent Hub.

Important: Before you can perform this exercise:

Note: The following video, Enrolling iOS Devices in Workspace ONE Using the Intelligent Hub, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. On the iOS device, go to the App Store, search for and install the Intelligent Hub app.
  2. Open the Intelligent Hub app and sign in:
  • If Email Auto-Discovery is set up, you can enter an email address.
  • If Email Auto-Discovery is not set up, enter the fully qualified domain name of the Workspace ONE UEM server instance; for example: uem.acme.com, tap Next, and enter the org group ID. You will also need to select a domain, since you did not enter an email address, which includes the domain.
  3. Enter the user name and password for a user you configured for enrollment, and when finished, tap Done and then tap Sign In.

    Note: Adding user groups to Workspace ONE is described in the video Adding and Syncing Active Directory User Groups in Workspace ONE UEM.

    Important: Occasionally, a second login box might appear. If it does, enter the domain name as part of the user name, since there is no domain list; for example, acme\user1, and click Submit.
  4. Follow the prompts to:
  • Learn about the Workspace ONE privacy policies.
  • Download the MDM profile.
  • Go to the Settings app to install the profile.
  • Trust the profile’s source to enroll in remote management.
  5. After enrollment is finished and you tap Done in the Profile Installed box, tap Workspace Services, and tap More Details to drill down into the profile.
  6. Tap Kerberos to look at the single sign-on profile and see the apps for single sign-on.
  7. If, during the process, you are prompted to install Salesforce, tap Install, and follow the prompts to install the app.

    If you have been following the exercises in this guide, you configured Salesforce to download automatically, as described in Exercise: Deploy a Public iOS App and an Internal Windows App.

    Note: At this point, you are in the Settings app.
  8. When prompted, tap Take me to Hub.
  9. In the Intelligent Hub, follow prompts to:
  • Create a passcode.
  • Skip the intro.
  • Verify that you understand the privacy policy.
  • Agree to the data-sharing policy.
  10. Tap the Apps tab at the bottom of the window, and tap All Apps, to see the apps in your catalog.

    If you have completed the exercises for configuring single sign-on to the Salesforce web app and the Salesforce native app, you should see two Salesforce apps in the catalog.
  11. For the Salesforce web app, tap Open. You are logged in to the Salesforce web app without being prompted for credentials.
  12. Back on your Home Screen, tap the natively installed Salesforce app and accept the license agreement.
    1. If it looks like you are being prompted for credentials, scroll down to the section where it says, Or log in using <instance name>, and tap the link. You should be logged in without having to provide credentials.
    2. Tap Allow to allow access, and select a notification preference.
  13. To verify enrollment from the administrator’s point of view, go to the Workspace ONE UEM console, click DEVICES in the left pane, and click Dashboard.
  14. Click List View, click the device you just enrolled, and click the various tabs to see all the details for that device.

Tip: If you need to troubleshoot issues with enrollment, see the VMware Knowledge Base articles Device enrollment issues with Workspace ONE (2960930) and Workspace ONE (WS1) Enrollment Error Catalog (81557).

For more information about the Intelligent Hub for iOS specifically, see the product documentation topic Workspace ONE Intelligent Hub for iOS.

Exercise: Enroll a Windows VM Using the Intelligent Hub

The process for enrolling a Windows device by using the Intelligent Hub is generally very similar to that of enrolling an iOS device. One big difference, though, is that for Windows, it is recommended to use a virtual machine rather than a physical machine if you are doing an evaluation or proof of concept. For instructions, see the Tech Zone tutorial Creating a Windows Virtual Machine to Test Workspace ONE.

Tip: If you do use a physical machine, do not use the same Windows machine that you use for logging in to Workspace ONE UEM and managing the machine. Your machine should not be both the chicken and the egg. Another reason to create a VM, preferably using VMware Workstation or VMware Fusion, is that you can take a VM snapshot before you enroll the machine and then, if you want to later, you can revert back to that snapshot.

Important: Before you can perform this exercise:

  • You need to have credentials to log in to the Windows OS as a local administrator, so that you will be able to run the installer.
  • It is recommended that the method you set up for enrollment is Email Auto-Discovery, so that employees need enter only their email address and password to log in to Intelligent Hub. That setup is described in the video Configuring Email Auto-Discovery for Enrollment in Workspace ONE UEM. 

    If you do not set up Email Auto-Discovery, you will need to obtain the organization group ID and the server name of the Workspace ONE UEM instance.
  • To see the full enrollment process as it is meant to appear for this evaluation guide, you need to have completed the setup exercises from Evaluation Guide, Part 1: Setting Up Cloud-Based VMware Workspace ONE, and you need to have completed the exercises for deploying the Salesforce app and setting up single sign-on, as described in all the preceding exercises in this guide.

Note: The following video, Enrolling Windows Devices in Workspace ONE Using the Intelligent Hub, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. Log in to the Windows device using an account with local admin privileges.
  2. Open a browser and go to https://getwsone.com/ and download the Intelligent Hub app.
  3. Open the installer file and follow the prompts to run the installer.
  4. When the installation is finished, click the Windows Start menu and select the Intelligent Hub app, which appears in the Recently Added section.
  5. When the Intelligent Hub app opens, sign in:
  • If Email Auto-Discovery is set up, you can enter an email address.
  • If Email Auto-Discovery is not set up, enter the fully qualified domain name of the Workspace ONE UEM server instance; for example: uem.acme.com, click Next, and enter the org group ID. You will also need to select a domain, since you did not enter an email address, which includes the domain.
  6. Enter the user name and password for a user you configured for enrollment, and when finished, click Sign In.

    Note: Adding user groups to Workspace ONE is described in the video Adding and Syncing Active Directory User Groups in Workspace ONE UEM.

    Important: Occasionally, a second login box might appear. If it does, enter the domain name as part of the user name, since there is no domain list; for example, acme\user1, and click Submit.
  7. When prompted about letting the app collect information about your usage, select Not Now.
  8. In the Congratulations window, click Done.
  9. On the Hello and Welcome page, click Get Started.
  10. In the Intelligent Hub app, click Apps, and scroll down to the All Apps section. You should see the Salesforce web app and perhaps an app that you configured from the Enterprise App Repository.
  11. Click the Salesforce web app and confirm that you can log in without being prompted for credentials.
  12. Go back to the Intelligent Hub app and click the Support tab, to examine what got installed.
    1. Scroll down to see the compliance status and the profiles.
    2. Click the user name (profile icon) in the lower-left corner, click Hub Status under Support at the top of the window, and scroll down to review all the information, including location of the logs.
  13. To verify the enrollment as an administrator, go to the Workspace ONE UEM console, click DEVICES in the left pane, and click Dashboard.
  14. Click List View, click the device you just enrolled, and click the various tabs to see all the details for that device.

Tip: If you need to troubleshoot issues with enrollment, see the VMware Knowledge Base articles Device enrollment issues with Workspace ONE (2960930) and Workspace ONE (WS1) Enrollment Error Catalog (81557). Also see the Troubleshooting Windows 10 Enrollment chapter of the Tech Zone guide Troubleshooting Windows Devices: Workspace ONE Operational Tutorial.

Exercise: Unenroll Devices from Workspace ONE

Now that you have enrolled devices in Workspace ONE for evaluation purposes, you will unenroll them using the Enterprise Wipe command. Enterprise wipe unenrolls the device and removes all managed enterprise resources, including managed applications and profiles. Enterprise wipe does not remove any of the end user’s personal data.

Here are a few more considerations for using enterprise wipe:

  • After you enterprise-wipe a device, if you want Workspace ONE to manage the device again, you need to re-enroll the device.
  • If you wanted to wipe everything off the device, you would need to use the Device Wipe command, rather than the Enterprise Wipe command, in the Workspace ONE UEM console.
  • You can configure the system to automatically enterprise-wipe devices when users are removed from user groups, as described in the product documentation topic Perform Automatic Enterprise Wipe for Users That Do Not Belong to a User Group.
  • To guard against having too many automated wipes occur at the same time, or to guard against an accidental wipe initiated by an administrator, you can configure wipe protection, as described in the product documentation topic Wipe Protection.

Note: The following video, Unenrolling Devices from Workspace ONE, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, click DEVICES in the left panel, and then click List View.

    If you have been performing all the exercises in this guide, the list view should now show two devices, a Windows device and an iOS device.
  2. Select the check box next to the Windows device.
  3. From the MORE ACTIONS drop-down list, select Enterprise Wipe.
  4. In the Restricted Action – Enterprise Wipe dialog box, scroll down and enter the PIN number you configured when you set up Workspace ONE UEM.

    Note: For this exercise, leave the Keep Apps on Device check box unchecked.
  5. On the List View page, after about one minute, click the Refresh icon and scroll to the right to verify that the Enrollment column says that the device is now unenrolled.
  6. Repeat the procedure for the iOS device.
  7. To verify unenrollment on the Windows device, log in to the Windows device, click the Start menu and select Settings.
  8. In the Settings window, click Accounts, and select Access Work or School in the left pane, and verify that the work account for Workspace ONE is now missing.
  9. Open the Intelligent Hub app on the Windows device and click the Support tab.

    Notice that the My Devices section now says Add a device because the device is no longer enrolled.
  10. To verify unenrollment on the iOS device, go to Settings > General > VPN & Device Management and verify that Workspace Services is no longer listed.
  11. Open the Intelligent Hub app on the iOS device and verify that you are prompted to sign in, which means the device is no longer enrolled and you are being prompted to enroll again.

Monitoring, Reporting, and Analyzing

Workspace ONE UEM includes a Console Monitor that helps administrators quickly identify important issues with regard to compliance and enrollment. Click any bar or donut graph on the MONITOR > Overview page to display a list of all the devices specific to the metric you selected. You can then select a device and send a message, lock or wipe the device, or perform any number of other actions.

From the MONITOR > Reports > List View page, you can select from a long list of report templates and then specify criteria to run reports. Save your favorite reports to a My Reports area. Then download the report in CSV format to use with your favorite reporting tools. For more information about the monitoring features of Workspace ONE UEM, see the product documentation topic Console Monitor.

To go beyond the status information provided by the Console Monitor in Workspace ONE UEM, you can use VMware Workspace ONE® Intelligence™ to:

  • Aggregate data from a variety of sources
  • Correlate the data for risk-based analysis
  • Automate proactive resolutions, based on insights gained from rich visualization capabilities

Exercise: Enable Workspace ONE Intelligence

In this exercise, we review some of the monitoring features you can use without Workspace ONE Intelligence, and then we use the Workspace ONE UEM console to enable Workspace ONE Intelligence. This is really just the first step to setting up Intelligence dashboards and automation.

Workspace ONE Intelligence is the core data platform for the anywhere workspace, and as such, it has its own console, sensors, connectors, and so on. Delving into the features of this platform is beyond the scope of this evaluation guide.

For an easy introduction, see the Tech Zone article What Is VMware Workspace ONE Intelligence? and try out the Workspace ONE UEM Getting Started Hands-On Lab, “Module 7: Workspace ONE Intelligence – Introduction to Dashboards, Automation, and Reports.”

Note: The following video, Enabling Workspace ONE Intelligence, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, click MONITOR in the left panel, and then click Overview.

    If you have been performing all the exercises in this guide, you should have two devices enrolled at this point, and these devices should be included in the Status Breakdown graph.
  2. Click one of the bars in the Status Breakdown graph to drill down and see the list of devices included in that graph.
  3. Go back to the MONITOR > Overview page and scroll down to examine all the types of critical information that can be displayed in graphs. At this point, because your devices most likely do not have any violations, you will not be able to see many graphs.

    Tip: If your Overview page is rather empty due to a lack of compliance violations, be sure to watch the video above, which shows examples of the bar and donut graphs.
  4. Go to the MONITOR > Reports and Analytics > Reports > List View page, and scroll through the list of report templates.
  5. Click a report name to run the report. In the Export List dialog box that appears after you run the report, click the Exports link to go to the Exports page, where you can download the report in CSV format.
  6. To enable Workspace ONE Intelligence, go to the MONITOR > Intelligence page and click GET STARTED.
  7. Scroll down the page and select the Opt in check box to opt in to use the Workspace ONE Intelligence service, and click NEXT.
  8. Scroll down the Terms of Service page, enter your name and company details, and click ACCEPT.

    An Intelligence tenant is automatically created for you, and the Workspace ONE Intelligence console appears.
  9. In the Services section of the Workspace ONE Intelligence console, scroll to the Workspace ONE Intelligence tile and click START > Dashboards.

    At this point, you could click Get Started and ADD DASHBOARD to create your first dashboard. Unfortunately, creating Intelligence dashboards is beyond the scope of this tutorial. See Getting Started with Workspace ONE Intelligence Reports and Dashboards: Workspace ONE Operational Tutorial.
  10. To see a list of the sources you can use in order to aggregate data and perform risk analysis, click the Integrations tab at the top of the screen and scroll down the tiles.

    The page displays both VMware data sources and possible third-party data sources you can set up for your trust network.

Summary and Additional Resources

Now that you have completed the exercises in this guide, you should have:

  1. Configured single sign-on for both the Salesforce web app and the Salesforce iOS app
  2. Deployed a native internal app (for iOS) and a native public app (for Windows)
  3. Configured SSO policies and profiles
  4. Configured a compliance policy and passcode profiles
  5. Enrolled a mobile (iOS) device and a desktop (Windows) device, and unenrolled both
  6. Monitored devices using dashboard graphs and reports
  7. Enabled Workspace ONE Intelligence

Although the basic environment you just set up is for evaluation purposes only, you can now explore further on your own as you evaluate this offering. When you are ready to deploy a production environment, see Product Documentation Resources.

Freestyle Orchestrator and Workspace ONE Assist


In addition to Workspace ONE Intelligence, two other important components of Workspace ONE deserve consideration but are beyond the scope of this evaluation guide: Freestyle Orchestrator and Workspace ONE Assist.

Workspace ONE Assist

With VMware Workspace ONE® Assist, administrators can remotely connect to any enrolled device, across any OS platform, and view and control its screen in real-time, directly from the Workspace ONE console. Sessions can be recorded for training or escalation purposes, and items can be highlighted to guide employees through tasks.

Session collaboration and chat features are available, as well as privacy features, such as allowing device owners to reject certain access requests and pause or end a remote session.

Freestyle Orchestrator

The three major use cases for Freestyle Orchestrator are:

  • Deploying complex workflows for onboarding any type of device
  • Orchestrating the sequence of app installations and configuration; for example, installing Zoom, then Outlook, then the Zoom plugin for Outlook
  • Bringing endpoints to a desired state; for example, making sure a specific application version is installed or matching explicit Sensor values

For more information, go to the Tech Zone Freestyle Orchestrator focus page, which includes links to a getting-started guide, videos, and an interactive demo.

To try out Freestyle Orchestrator, see “Module 1 – Introductions to Freestyle Orchestrator,” in the Workspace ONE UEM Getting Started Hands-On Lab.

Also see What is Freestyle Orchestrator? (product documentation guide).

Device-Specific Tech Zone Resources

This guide addressed the most basic day-2 operational tasks, such as managing apps and devices on iOS and Windows devices. Be sure to also check out the following documents and videos, available from VMware Digital Workspace Tech Zone:

Windows Devices:

Windows 10 & 11 Endpoint Management (VMware TestDrive walk-through)

Experience Workspace ONE on Windows 10 (VMware TestDrive walk-through)

Creating a Windows Virtual Machine to Test Workspace ONE

Planning Your Windows Deployment: Workspace ONE Operational Tutorial

Enrolling Windows Devices Using Azure AD: Workspace ONE UEM Operational Tutorial

Managing Updates for Windows Devices: Workspace ONE Operational Tutorial

Getting Started with Freestyle Orchestrator

Mac Devices:

Configuring Basic macOS Management: Workspace ONE Operational Tutorial

Managing Major macOS Updates: Workspace ONE Operational Tutorial

Getting Started with Freestyle Orchestrator on macOS Devices

iOS Devices:

Experience Workspace ONE on iOS (VMware TestDrive walk-through)

Managing iOS Updates: Workspace ONE Operational Tutorial

Managing iOS Custom Apps: Workspace ONE Operational Tutorial

How VMware IT Enrolls iOS Devices - VMware on VMware (video)

Android Devices:

Android Application Management: VMware Workspace ONE Operational Tutorial

Managing Android Devices: Workspace ONE Operational Tutorial

VMware Workspace ONE Intelligent Hub Android enrollment - Feature Walk-through (video)

Chrome Devices:

Managing Chrome OS Devices: Workspace ONE Operational Tutorial

VMware Workspace ONE: Chrome OS - Feature Walk-through (video)

4 reasons the Chromebook could be the ultimate enterprise client device (blog post)

All Devices:

Deploying VMware Unified Access Gateway: Workspace ONE Operational Tutorial

Deploying VMware Workspace ONE Tunnel: Workspace ONE Operational Tutorial

Automating Notifications: Workspace ONE Operational Tutorial

Workspace ONE Experience Workflows (video)

Product Documentation Resources

The following links go to the various product documentation websites associated with Workspace ONE:

VMware Workspace ONE Documentation, which has links to:

Workspace ONE Hub Services Documentation

Workspace ONE UEM Integration with Workspace ONE Access

Workspace ONE Cloud Admin Hub Documentation

VMware Workspace ONE UEM Documentation, which has links to release notes, as well as:

VMware Workspace ONE UEM Console Documentation

VMware Workspace ONE Productivity Apps Documentation and Release Notes

VMware Workspace ONE Access Documentation

VMware Workspace ONE Intelligence Products documentation landing page

Changelog

The following updates were made to this guide:

Date | Description of Changes
2022/10/20 | Original publication date.

Authors and Contributors

The following authors, contributors, and subject-matter-expert reviewers collaborated to create this tutorial.

Authors

  • Caroline Arakelian, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
  • Gina Daly, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
  • Darren Weatherly, Senior Technical Marketing Architect, End-User-Computing Technical Marketing, VMware
  • Darryl Miles, Staff Solution Engineer, End-User Computing, VMware

Contributors

  • Christina Minihan, Senior Staff End-User-Computing (EUC) Architect, End-User-Computing Technical Marketing, VMware

Feedback

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

