eXtended Reality (XR) Device Management: VMware Workspace ONE UEM

Overview

In the enterprise, eXtended Reality (XR) is being leveraged as a powerful tool to enhance the productivity of employees, keep frontline workers safe, train our colleagues, visualize our products, and inspire our customers.

XR is an umbrella term that covers assisted reality, augmented reality (AR), virtual reality (VR), and mixed reality (MR) technologies.

XR devices are now being used alongside mobile devices, and across a variety of verticals and use cases, to dramatically increase productivity, efficiency, and employee experience.

The VMware Workspace ONE Unified Endpoint Management (UEM) platform enables organizations to securely manage any device – from laptops and smartphones to rugged devices and XR devices – from a single console. Enrollment is the first step.

For XR devices, enrollment can be challenging. While Android is the operating system of choice for most devices, they typically are running the customizable Android Open Source Project (AOSP) version, and the out-of-the-box experience varies widely. The Workspace ONE UEM team is leveraging its expertise in device management and partnering with the full spectrum of hardware manufacturers to ensure the best possible enterprise device management experience for these devices.

Workspace ONE Intelligent Hub (Intelligent Hub) supports Android-based devices and Workspace ONE UEM provides enterprise device management capabilities for all eXtended Reality device types.

Purpose of This Guide

The purpose of this guide is to help you configure your Workspace ONE UEM instance to simplify the onboarding of XR devices, as well as to navigate the device-specific nuances of Workspace ONE UEM-supported devices. From the navigation bar to the left, you can select from the variety of enrollment options covered, for which more are being added periodically:

VR devices:

  • HTC VIVE
  • Meta Quest
  • PICO

Non-VR devices:

  • Magic Leap
  • RealWear
  • Vuzix

Note: This guide contains two types of useful links. External links take you to other resources on the web, and internal links take you to other sections within this guide. After you click an internal link and read its content, you can return to your original location by clicking the Back button of your browser.

Audience

This guide is intended for IT professionals who plan to take advantage of the growing market of XR technologies and use VMware Workspace ONE UEM to deliver scalable management and app delivery for Android XR devices. Familiarity with VMware Workspace ONE UEM, directory services, and supporting technologies is assumed.

Initial Workspace ONE UEM Setup

VMware Workspace ONE Unified Endpoint Management (UEM) enables you to securely manage your XR devices from a single console, with an easy onboarding process.

Regardless of the type of XR devices you are enrolling, this process begins with the initial UEM setup. The UEM setup includes verifying prerequisites, and configuring enrollment settings, restrictions, and messaging.

Verifying Prerequisites

Before starting the enrollment process, make sure you meet the prerequisites for your devices. All devices require a supported version of VMware Workspace ONE UEM (https://kb.vmware.com/s/article/2960922), along with the following device-specific items.

All Devices:

The current supported version of the VMware Workspace ONE Intelligent Hub (AirwatchAgent) client from https://packages.vmware.com/wsone/androidhub/airwatchagent23.06.apk

HTC VIVE Devices:

  • HTC VIVE XR Elite running the latest firmware
  • HTC VIVE Focus 3 running firmware 3.0.999.456 or newer
  • HTC VIVE Focus Plus running firmware 4.14.623.1 or newer
  • HTC VIVE Focus running firmware 3.13.623.1 or newer

PICO Devices:

  • PICO 4 Enterprise running PUI 5.0 or newer
  • PICO Neo 3 running PUI 4.3.34 or newer
  • PICO Neo 2 running PUI 3.13.1 or newer
  • PICO G2 4K running PUI 3.11.3 or newer

Note: Passcode policy is not supported on PICO Neo 2, 3 or 4.

Meta Quest Devices (Quest for Business):

  • Intelligent Hub must be enrolled with the setting EnableAllFileAccessPermission set to True
  • Meta Quest Pro running firmware version 53 or newer
  • Meta Quest 2 running firmware version 53 or newer

Meta Quest Devices (Standard):

  • VMware Workspace ONE ConQuest (https://via.vmware.com/conquest)
  • Intelligent Hub must be enrolled with the setting EnableAllFileAccessPermission set to True
  • Meta Quest companion mobile app installed on an Android or iOS mobile device, or Meta Quest Developer Hub desktop app installed on a computer
  • Meta Quest Pro running firmware version 50 or newer
  • Meta Quest 2 running firmware version 50 or newer

Magic Leap:

  • Magic Leap 2 with OS version 2208.18 or later

RealWear:

  • HMT-1 or HMT-1Z1 running v11 firmware or newer
  • Navigator 500 or 520 running the latest firmware

Vuzix:

  • M300/400 Series running v2.0.1 firmware or newer
  • M4000, Shield running the latest firmware
  • Vuzix Blade 2 running the latest firmware

Configuring Workspace ONE UEM for XR Devices

Note: All devices covered by this guide run the Android Open Source Project (AOSP) version of Android.

  • Android EMM registration is needed to activate Android management capabilities within UEM, although AOSP devices do not use the Google Accounts and Google Mobile Services (GMS). Android enrollment-related settings are included in this section, regardless of Google status.
  • Due to the Work Profile option not being available within AOSP, Work Managed is the only mode of management supported, and certain features need to be turned off as a result.
  • If Android EMM registration has not already been configured for your UEM environment, see the Registering Android with Workspace ONE UEM section in the Workspace ONE UEM documentation. This is only done once per tenant to activate Android device management.

Configuring Enrollment Settings

The first step of the configuration process is to override the default Android EMM settings and configure device enrollment settings for the Organizational Groups (OG) used for XR devices. We recommend creating a model-specific Child Level Organizational Group for these settings.

  1. In your Workspace ONE UEM Console, navigate to Groups & Settings > Configurations > Android EMM Registration, and select the Enrollment Settings tab.
  2. In the Enrollment Settings tab, select the Override radio button to change the default settings.
  3. Select WORK MANAGED device, select AOSP / CLOSED NETWORK, and then click Save.
    Graphical user interface, text, application Description automatically generated
     

Configuring Enrollment Restrictions

After configuring Enrollment Settings, the next step of the configuration process is to set up device enrollment restrictions for this Organizational Group.

  1. In your Workspace ONE UEM Console, navigate to Groups & Settings > Configurations > Android EMM Registration, and select the Enrollment Restrictions tab.
  2. In the Enrollment Restrictions tab, select the Override radio button to change the default settings.
  3. From the Define the enrollment method for this organization group dropdown menu, select Always use Android.
  4. For Allow Work Profile Enrollment, select Disable, as this mode is not supported on AOSP devices. Click Save and close the Settings window.

     

Configuring Intelligent Hub Settings

After configuring Enrollment Restrictions, the next step of the configuration process is to set up Workspace ONE Intelligent Hub Settings for this Organizational Group.

  1. In your Workspace ONE UEM Console, navigate to Groups & Settings > All Settings > Devices & Users > Android > Intelligent Hub Settings.
  2. Select the Override radio button to change the default settings.
  3. For Require Google Account, select the DISABLED button.
    Graphical user interface, application Description automatically generated 
  4. Scroll down, then select the ENABLED button, for AirWatch Cloud Messaging.
    Graphical user interface, application, Teams Description automatically generated 
  5. Click Save.

Creating a Basic User Account (optional)

After configuring Intelligent Hub Settings, the final step of the initial process is to create a Basic User Account.

Note: Workspace ONE UEM manages devices by keeping track of the users of each device. Therefore, it is necessary to create and implement user accounts for devices to enroll into Workspace ONE UEM. See Workspace ONE UEM documentation for detailed information on advanced topics, such as integrating Workspace ONE UEM with Directory Services Accounts.

  1. From the Customer Level Organization Group (OG), navigate to Accounts > Users > List View, select Add, then Add User.
  2. On the General tab of the Add / Edit User window, complete the following settings to add a Basic User:
  • Security Type - Select Basic to add a basic user.
  • Username - Enter a username with which the new user is identified. For testing purposes, we recommend using lower case, alpha, and no special characters.
  • Password - Enter a password that the user can use to log in. This will be included in the QR Bar Code setup. A user will not need to enter this in manually.
  • Confirm Password - Confirm the password.
  • Full Name - Complete the First Name, Middle Name, and Last Name of the user.
  • Display Name (Optional) - Represent the user in the UEM console by entering a name.
  • Email Address - Enter or edit the user's email address.
  • Email username (Optional) - Enter or edit the user's email username.
  • Domain (Optional) - Select the email domain from the drop-down setting.
  • Phone Number (Optional) - Enter the user's phone number including plus sign, country code, and area code. This option is required if you intend to use SMS to send notifications.
  1. In the Enrollment section, complete the following settings to add a Basic User:
  • Enrollment Organization Group - Select the organization group into which the user enrolls. Default settings are recommended.
  • Allow the user to enroll into additional Organization Groups - You can allow the user to enroll into more than one organization group. If you Enable this option, but leave Additional Organization Groups blank, then any child OG created under the Enrollment Organization Group can be used as a point of enrollment. The Enabled setting is recommended.
  • Additional Organization Groups - This setting only appears when the option to allow the user to enroll into additional OGs is Enabled. This setting allows you to add additional organization groups from which your basic user can enroll.
  • User Role - Select the role for the user you are adding from this drop-down setting. Default settings are recommended.
  1. In the Notification tab, complete the following settings to add a Basic User, and then click Save:
  • Message Type - Select the type of message you want to send to the user: Email, SMS, or None. Selecting SMS requires a valid entry in the Phone Number option.
  • Message Template - The basic user activates their account with this notification. For security reasons, this notification does not include the user's password. Instead, a password reset link is included in the notification. The basic user selects this link to define another password. This password reset link expires in 24 hours automatically. Select the template for email or SMS messages by selecting one from this drop-down setting. Optionally, select Message Preview to preview the template and select the Configure Message Template to create a template.

The following profile settings are recommended for Android-based VR devices. Other settings should be configured based on individual customer’s requirements. You must also have a smart group defined to include the VR headsets.

Best practice is to create individual profiles for each payload type. For testing purposes, a single profile may contain the multiple payloads seen below.

  1. While logged into Workspace ONE UEM, change to the Organization Group (OG) that manages your headsets.
  2. Navigate to Resources > Profiles & Baselines > Profiles, select Add, and then Add Profile.
  3. Select Android.
  4. Name your profile: For example, Headset Config, and Add Description (optional).
  5. Include a Permissions payload.
    1. Scroll down and locate the Permissions payload.
    2. Select ADD (to the right). The Summary panel on the right side of the screen displays the added payload. You are now able to make changes to the Permissions payload.
    3. Under the Permissions drop down menu, for Permission Policy, select Grant All Permissions.
  6. Include a Restrictions payload.
  1. Scroll down and locate the Restrictions payload.
  2. Select ADD to include the Restriction payload to the summary.
  3. Under the Restrictions drop down menu, unselect (deactivate) the following two options.
    1. Allow All Keyguard Features
    2. Allow Keyguard
  1. Include an Application Control payload.
  1. Scroll down and locate the Application Control payload.
  2. Select ADD to include the Application Control payload to the summary.
  3. Under the Application Control drop down menu, leave all check boxes in their default positions. For the payload to be configured with the default options, deselect, and then immediately select one of the checkboxes.
  1. Select the Next button.
  2. Under Assignment, select an appropriate smart group to apply the profile rules.
  3. Under Deployment, make the following selections.
  1. Assignment Type – Auto
  2. Allow Removal – Always (for testing only, select Never or With Authorization for Production)
  3. Managed By – select the organization group you specified in a previous step.
    Result: The Preview screen to the right displays, showing a preview of the devices included in the smart group you selected above. If this screen displays Total Assigned Devices 0, you can add devices to the smart group later. The profile you just made is assigned to this smart group whether it contains devices or not.
  1. Select the Save & Publish button.

(Optional) Installing ADB for Device Enrollment

Certain devices require the use of the Android Debug Bridge (ADB) to install software or configure the device from a connected computer. ADB download location: https://developer.android.com/studio/releases/platform-tools

Install ADB on your computer and make sure that the adb command is accessible from the command line.

Note: ADB is not required for Meta Quest 2 device enrollment, since Workspace ONE ConQuest includes ADB.

Note: ADB is not required for device enrollment when using QR Code.

Next Step: Specific Device Enrollment

After you have completed the initial Workspace UEM setup in the console, select one of the following specific devices to finish enrollment from the navigation bar on the left:

  • HTC VIVE Enrollment
  • HTC VIVE Enrollment for Focus & Focus Plus
  • Meta Quest Standard Enrollment
  • Meta Quest for Business Enrollment
  • PICO Enrollment
  • Magic Leap 2 Enrollment
  • RealWear Enrollment
  • Vuzix Enrollment

 

HTC VIVE Device Enrollment

After completing the initial Workspace UEM setup in the console, you are ready to enroll your VIVE XR Elite and VIVE Focus 3 Headset devices.

The HTC VIVE XR Elite and HTC VIVE Focus 3 devices use a different installation and enrollment flow than their predecessors.

A picture containing headphones, accessory, headset, goggles Description automatically generated

For VIVE XR Elite devices the recommended enrollment method is QR Code.  QR Code method is NOT recommended for the VIVE Focus 3, as its cameras may not be able to read a QR code reliably; the current recommended method for VIVE Focus 3 is using the simple Sideload Staging Enrollment tool for VIVE Focus 3 located at https://resources.workspaceone.com/view/yvvxz4hlx6snykszmxgr/

QR Code Installation and Enrollment with Camera

To install and enroll your VIVE XR Elite or VIVE Focus 3 Headset into Workspace ONE UEM:

  1. Generate a QR Code by following the instructions in Setting up a VMware AirWatch agent and enrolling VIVE Focus 3 using a QR code.

Important: To use XR Hub, the URL field in the JSON file must use the following value:
URL: https://packages.vmware.com/wsone/androidhub/airwatchagent23.06.apk.

  1. Unbox and power on the HTC VIVE device. When the device is powered on, a welcome screen is displayed.
  2. When the welcome screen appears, press the Headset button three times to enable passthrough.
  3. Use the onscreen QR code scanner to scan the QR code displayed on your computer screen.
  4. The MDM Setup window appears. The Workspace ONE Intelligent Hub (AirWatch) agent then automatically enrolls the headset. When enrollment is complete, follow the onscreen instructions to finish setting up the headset.
  • Click through one privacy statement and wait until the device runs through enrollment and displays the enrolled user, email address, and additional information.
  1. From the Customer or Child OG within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Sideload Staging Enrollment

Configure the Sideload Staging Enrollment Tool

Alternatively, you can use the simple Sideload Staging Enrollment tool to run provided scripts for enrolling HTC VIVE Focus 3 devices.

  1. Download and unzip the Sideload Staging Enrollment tool for HTC VIVE Focus 3 devices from: https://resources.workspaceone.com/view/yvvxz4hlx6snykszmxgr/
  2. Add a Workspace ONE UEM credentials.bin file (from a Staging Package) to the credentials folder in the Sideload Staging Enrollment tool (see Stage Devices With a Manually Created Staging Package to extract the credentials.bin file from the zip file created when generating a side load staging package).

Enroll with the Sideload Staging Enrollment Tool

After you have downloaded the Sideload Staging Enrollment tool, you can continue to enroll the headset.

To install the Workspace ONE Intelligent Hub (AirWatch) agent and enroll your headset into Workspace ONE UEM:

  1. On a Windows/Mac device, navigate to your unzipped Sideload Staging Enrollment tool folder.
  2. Unbox and power on the HTC VIVE device.
  3. Plug the device into your computer with a USB-C cable.
  4. When the device is powered on, connect to a Wi-Fi network, and follow the steps in the headset to get to the HTC main screen.
  5. Ensure your system is updated to the latest firmware: version 3.0.999.456 or later.
  6. If device is not in a fresh state, initiate a Factory Reset by navigating to Settings > Advanced > Reset device > Reset.
  7. From the Staging Enrollment Tools folder run (or double-click) the validation script “1-display_settings.bat” to ensure the script successfully runs.  “List of devices attached” should show the device plugged into the USB cable.
  8. From the Staging Enrollment Tools folder run (or double-click) the install and enrollment script “2-install-and-enroll.bat” to install and enroll the device.
  9. The device automatically launches the Intelligent Hub client on startup and conducts device enrollment using the credentials provided in the batch configuration.

    Note: If the enrollment process gets interrupted, or does not start due to an interruption, such as internet connectivity issues, you can run (or double-click) the enroll only script “3-enroll-again-if-necessary” to enroll the device.
  10. From the Customer or Child OG within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Managing Device PIN Code

Note the following limitations:

  • If you want the user to set a passcode, ensure the passcode policy is set prior to device enrollment.
  • If a passcode policy is set after enrollment, the user will not be notified via Intelligent Hub client and the user will not be forced to set a device passcode.

Managing Kiosk Mode

Kiosk mode for the VIVE XR Elite and VIVE Focus 3 requires pushing an XML configuration file to the device and running an Intent to trigger it.

  1. In the Workspace ONE UEM console, move to the organization group (OG) that manages your headsets.
  2. Navigate to Devices > Provisioning > Components > Files/Actions.
  1. Use the ADD FILES/ACTIONS button at the top of the page, and select Android.
  2. Configure the General tab:
  • Name: HTC Kiosk Mode XML
  • Description: You can choose to add an optional description.
  • Managed By: Leave this field prepopulated with the correct OG.
  1. Configure the Files tab and select ADD FILES:
  • Select Choose Files and upload a copy of the mns.xml file (see Kiosk mode XML file – mns.xml below).
  • Select Save to save the file.
  • Specify the download path as $internal$/VMware and select Save to save the configuration.
  1. Configure the Manifest tab:
  • Select ADD ACTION under the Installation Manifest section.
  • In the Action(s) To Perform drop-down, select Run Intent.
  • For Command Line and Arguments to run, enter:
    mode=explicit,broadcast=false,action=com.htc.vr.launcher.SCENE,package=com.htc.vrs.launcher,class=com.htc.vr.unity.WVRUnityVRActivity,extraString=LaunchScene=UpdateKioskMode
  • Select Save to save the Files/Action.
  1. Navigate to Devices > Provisioning > Product List View.
  1. Select Add Product and select Android.
  2. Configure the General tab:
  • Name: HTC Kiosk Mode Config
  • Description: You can choose to add an optional description.
  • Managed By: Leave this field prepopulated with the correct OG.
  • Smart Groups: Enter the Smart Group(s) that the product is applied to.
  1. Configure the Manifest tab, select the +Add button, and configure the following:
  • Actions(s) to Perform: Select the File/ActionInstall option.
  • Files/Actions: Select the File/Action created above, called "Download HTC Kiosk Mode XML.”
  1. Select the Save button to save the product.
  2. If ready to activate Kiosk Mode, select the Activate button to give the product an active status.

If you want to activate the product later, navigate to the Product List View page, locate the "HTC Kiosk Mode Config" product from the listing, select the grey indicator next to the red traffic light for the product. The grey indicator turns green, and the red indicator turns grey to indicate that the product is now active.

Kiosk mode XML file – mns.xml 

<?xml version="1.0" encoding="UTF-8"?>
<customization_form>
  <category name="application">
    <module name="vive_kiosk_enabler">
      <function name="enable_kiosk_mode">
        <set name="single">
  <!--
       1:enable kiosk mode.
       0: disable kiosk mode
  -->
          <item name="enabled" type="bool">1</item>
        </set>
      </function>
      <function name="kiosk_mode_key">
        <set name="single">
  <!-- [TO DO] Enter a passcode to leave kiosk mode. Needs to be a four digit number. Empty means no passcode to leave Kiosk mode -->
          <item name="key" type="int">0000</item>
        </set>
      </function>
   <!-- allow Bluetooth connection or not -->
      <function name="allow_bt_connection">
        <set name="single">
          <item name="enabled" type="bool">1</item>
        </set>
      </function>
   <!-- allow headset screen casting not -->
      <function name="enable_screen_casting">
        <set name="single">
          <item name="enabled" type="bool">1</item>
        </set>
      </function>
   <!-- allow screen capture or not -->
      <function name="kiosk_screen_captured_enable">
        <set name="single">
          <item name="enabled" type="bool">1</item>
        </set>
      </function>
   <!-- allow USB file transfer or not -->
      <function name="allow_usb_transfer">
        <set name="single">
          <item name="enabled" type="bool">1</item>
        </set>
      </function>
   <!-- setup application in kiosk mode -->
      <function name="kiosk_mode_apps">
        <set name="plenty">
          <item name="app_name">XR Hub</item>
          <item name="app_package_name"> com.vmware.xr.xrhub.wavevr</item>
        </set>
      </function>
   <!-- kiosk mode type
        "1" for Single app
           "2" for Multiple app
      -->
      <function name="kiosk_mode_type">
        <set name="single">
          <item name="enabled" type="int">1</item>
        </set>
      </function>
   <!-- Network permission under kiosk mode
   "1" for Offline
   "2" for Pre-defined Wi-Fi
   "3" for Allow to any Wi-Fi
      -->
      <function name="allow_network_permission">
        <set name="single">
          <item name="mode" type="int">3</item>
        </set>
      </function>
   <!-- require sign in mandatory when entering kiosk mode -->
      <function name="enable_kiosk_mode_signin">
        <set name="single">
          <item name="enabled" type="bool">0</item>
        </set>
      </function>
   <!-- Interaction method
   "1" for hand only
   "2" for controller only
   "3" for controller & hand
      -->
      <function name="kiosk_InteractionMode">
        <set name="single">
          <item name="mode" type="int">3</item>
        </set>
      </function>
   <!-- play tutorial when re-start kiosk mode -->
      <function name="kiosk_auto_play_tutorial">
        <set name="single">
          <item name="mode" type="bool">0</item>
        </set>
      </function>
   <!-- play opening video when re-start kiosk mode -->
      <function name="kiosk_cinematic_playback">
        <set name="single">
          <item name="mode" type="bool">0</item>
        </set>
      </function>
   <!-- play wearing guide when re-start kiosk mode -->
      <function name="kiosk_auto_play_wearing_guide">
        <set name="single">
          <item name="mode" type="bool">0</item>
        </set>
      </function>
    </module>
  </category>
</customization_form>
 

Conclusion

You have now completed enrolling your HTC VIVE XR Elite or HTC VIVE Focus 3 Headset into Workspace ONE UEM. For enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

HTC VIVE Focus & Focus Plus Device Enrollment

This section describes how to conduct an HTC VIVE Focus / HTC VIVE Focus Plus headset enrollment into Workspace ONE UEM.

VIVE Focus Plus

After completing the initial Workspace UEM setup, you are ready to enroll your HTC VIVE Focus and HTC VIVE Focus Plus headset devices. The following instructions should be followed to register a shared device with a Workspace ONE UEM environment.

Note: Workspace ONE UEM currently supports HTC VIVE Focus Plus headsets running firmware version of 4.14.623.1 or newer, as well as HTC VIVE Focus headsets running version 3.13.623.1 or newer.

Installing and Enrolling

To install and enroll your VIVE Focus and VIVE Focus Plus headset into Workspace ONE UEM:

  1. Download the Workspace ONE Intelligent Hub client APK (AirWatch agent) and have it on your computer: https://packages.vmware.com/wsone/androidhub/airwatchagent23.06.apk
  2. If you are not starting from a new device, do a factory reset of the HTC device by clicking Settings > More Settings > Personal | Reset > Factory Data Reset.
  3. Once the device is powered on, connect to a Wi-Fi network, and follow the steps in the headset to get to the HTC main screen.
  4. Critical: Launch the browser and verify that you can connect to your Workspace ONE URL. For example, https://ds135.awmdm.com (a successful connection means you will be re-directed, and you should see a Workspace ONE login screen). If you cannot connect to this site, you must switch to a Wi-Fi network that can connect before you continue.
  5. Ensure your system is updated to the latest firmware by launching the System Update (in Settings) app and updating. Again, your VIVE Focus Plus must be running version 4.14.623.1 or newer, while your VIVE Focus must be running version 3.13.623.1 or newer.
  6. Plug the headset into your setup machine (where you downloaded the agent) via the USB cable provided and begin an adb session.
  7. Type adb devices and press Enter. This should result in showing your connected device authorized for access.
    If this shows no devices connected, enable developer mode by clicking Settings > More Settings > System | Developer Options > Turn On.
  8. Install the APK you downloaded earlier onto the HTC using the adb install command. This should result in a success message.
  9. Run the following adb command to set up the Intelligent Hub client (AirWatchAgent.apk) as the device owner:
    adb shell dpm set-device-owner com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver
  10. Place the headset on, and continue registration from within the device as follows:
  11. Launch the Intelligent Hub app that you installed earlier.
  12. Enter the following in the next few screens to enroll the device:
    • Server: Device Services Server address (for example: ds135.awmdm.com)
    • Group ID: Organization Group ID
    • Enrollment User/Password: Enrollment User and password
    • Click through one privacy statement and wait until the device runs through enrollment and displays the enrolled user, email address, and some informational items.
  13. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Conclusion

You have now completed enrolling your HTC VIVE VR Headset into Workspace ONE UEM. For information about enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Meta Quest for Business Enrollment

VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your Meta Quest devices with streamlined enrollment via Meta Quest for Business.

After an easy Workspace ONE UEM enrollment flow via Quest for Business, you can directly manage Quest devices from the same console you use for your more traditional devices. This section describes how to set up Quest for Business with Workspace ONE and enroll a Quest device.

A pair of white headphones Description automatically generated with medium confidence

Setting up Meta Quest for Business to enroll Quest devices into Workspace ONE UEM

After verifying prerequisites and completing the initial Workspace UEM setup, you are now ready to set up Meta Quest for Business and enroll your Quest devices into Workspace ONE.

Quest for Business enables out-of-the-box enrollment to Workspace ONE for Quest devices. Sign up to Quest for Business via their website at Getting started with Meta Quest for Business beta.

After you have signed up to Quest for Business, access the Admin Center to configure Workspace ONE UEM as an MDM Integration:

  1. Click the Configurations icon, and then click Add Configuration.
    1. Configuration Name - Workspace ONE
  2. Click Make this the default configuration.
  3. Click the Device Management dropdown and select Third Party.
    1. Component Name - com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver
    2. Package Download - https://packages.vmware.com/wsone/androidhub/airwatchagent23.06.apk
    3. Hash - 6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=
  4. The Extras Bundle enables UEM administrators to add the following key value pairs:
  • serverurl – the FQDN of the Workspace ONE UEM server
    (recommended; required for zero touch staging enrollment)
  • gid – the Group ID for the organizational group devices should be enrolled into
    (recommended; required for zero touch staging enrollment)
  • un – username for the enrollment user (usually used for single/multi-user staging)
    (optional, but required for zero touch staging enrollment)
  • pw –password for the enrollment user
    (optional, but required for zero touch staging enrollment)
  • EnableAllFileAccessPermission – True
    (required to push files to the device; prompts the user to accept the permission during enrollment)
  • useUEMAuthentication – True
    (required for accounts using basic authentication in Workspace ONE UEM)
  • aospEnrollment – True
    (required)
  • promptPrivacy – True (default)
    (optional; controls displaying privacy screens if desired)
  1. Click Save to complete the Quest for Business setup.

Enrolling devices into Workspace ONE UEM

Turn on the Quest device:

  1. Do NOT pair the device to a phone with the Meta Quest app or the Meta Quest Developer Hub
  2. During device setup, the user is prompted to pair the device OR Set up Quest for Business.
  3. The user should click Set up Meta Quest for Business.
  4. Follow the instructions to connect the device to the user’s Meta Work account.
  5. Follow the onscreen steps to enroll into MDM and Workspace ONE UEM.
    1. Meta Quest device downloads the UEM agent, installs it, and starts the enrollment process.
    2. If not using a staging account and password, the user is required to enter their enrollment credentials for Workspace ONE UEM.
    3. Once hub enrollment is completed, the user is returned to the Quest device setup process.
      1. If not, the user may need to reboot the device to complete setup.
  1. Follow the instructions to link the device to the user’s Meta account.
  2. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see the device enrolled in the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Managing Kiosk Mode

Note the following limitation:

  • Workspace ONE UEM LockTaskMode and Workspace ONE Launcher are not supported on Quest for Business devices.
  • Quest devices do not offer an official kiosk mode feature
  • Workspace ONE XR Hub offers a kiosk mode experience on Quest devices (Tech Preview). See Workspace ONE XR Hub documentation for more information.

Conclusion

You have now completed enrollment of your Meta Quest device into Workspace ONE UEM using Meta Quest for Business. For information about enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Meta Quest Standard Enrollment

VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your Meta Quest devices from the same console you use for your more traditional devices. This section describes how to conduct a Meta Quest standard device enrollment into Workspace ONE UEM.

A pair of white headphones Description automatically generated with medium confidence

After verifying prerequisites and completing the initial Workspace UEM setup, you must do one additional configuration in UEM before enrolling your Quest devices into Workspace ONE.

Configure All File Access

As of v51, Quest devices use Android 12, and therefore have additional security controls preventing access to certain filesystems. Before enrolling Quest devices into UEM, the All File Access permission must be granted to the Workspace ONE Intelligent Hub client.

  1. Navigate to the Workspace ONE UEM Administration Console and select the Organizational Groups where you are enrolling devices.
  2. Select Resources > Profiles & Baselines > Profiles.
  3. Click Add.
  4. Select Android.
  5. Enter a name for the profile.
  6. Select Custom Settings, and press Add.
  7. Enter the following code in the text field:
    <characteristic type="com.airwatch.android.agent.settings" uuid="568bc89d-1df8-4ce9-a041-e5a24acdb7de">
    <parm name="EnableAllFileAccessPermission" value="True"/>
    </characteristic>
  8. Click Next.
  9. Assign the profile to your Quest devices.

Initial Device Setup

Before enrolling the device into Workspace ONE UEM, the Quest device must be connected to the Meta Quest mobile app or Meta Quest Developer Hub desktop app.

To connect the Quest device to the Meta Quest mobile app:

  • Ideally, the device should not have been previously set up. If it was, factory reset the device using the Meta Quest mobile app.
  • Set up a required Facebook, Meta, or Oculus Test account (https://developer.oculus.com/resources/test-users/) before using the device, apps, or the app store. A Meta account is recommended.
  • Your user must be registered as a developer to enroll devices using ConQuest. You can register as a developer by joining an existing organization or creating a new one.

To join an existing organization:

  1. Request access from the admin to the existing organization.
  2. You will receive an email invite. Accept the invite to become a member of the organization.

To create a new organization:

  1. Go to https://developer.oculus.com/manage/organizations/create/ and fill in the appropriate information.
  2. Download and install the Meta Quest mobile app to your iOS or Android device.
  3. Log in with your Facebook, Meta, or Oculus Test Account credentials.

Installation and Enrollment

To set up your device for Workspace ONE UEM enrollment:

  1. Download Workspace ONE ConQuest App from https://via.vmware.com/conquest.
  2. Extract and run the ConQuest.exe.
  3. Configure the ConQuest app to use the credentials, credentials.xml, or credentials.bin.
  4. Connect the Quest device to the PC using a USB Cable (you might need to use a phone USB-C cable).
  5. Power on your device and press the Oculus button on both controllers to wake them.
  6. Follow instructions in the Meta Quest mobile app or Meta Quest Developer Hub to pair your headset with the Mobile app.
  7. In the Mobile App, ensure your headset is displayed.
  8. Configure an optional Wi-Fi connection using the Meta Quest mobile app or Meta Quest Developer Hub.
  9. Under Headset Settings, select Developer Mode and toggle it on.
  10. Put on the headset and select Allow Connections to PC (in the Quest headset).
    Note: Make sure to authorize USB debugging in the headset when prompted (you may be asked to do this several times).
  11. Monitor the progress in the connected headset.
    Note: Wearing the headset keeps it from timing out and interrupting the enrollment process.
    1. ConQuest should quickly go through a process to configure the headset, launch the Intelligent Hub client, and auto-enroll the device using the credentials supplied.
    2. You may be asked to remove accounts. If so, click Remove Accounts and remove any existing accounts listed. If the process is stuck at this step, cancel and rerun ConQuest.
  12. During enrollment, Hub should prompt the user to click Settings and enable All File Access. This is critical if you wish to push files to the device.
  13. When the privacy statement appears, click the agreement, and wait as the device setup completes.
  14. When the Workspace ONE ConQuest is complete, open the Workspace ONE UEM Console, and from the Customer or Child OG, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Managing Kiosk Mode

Note the following limitation:

  • Quest devices do not offer an official kiosk mode feature.
  • Quest devices do not support LockTaskMode and Workspace ONE Launcher.
  • Workspace ONE XR Hub can provide a kiosk mode experience (Tech Preview). See Workspace ONE XR Hub documentation for more information.

Managing the In-Headset Experience

Workspace ONE UEM can control what users have access to when using the device. This may be necessary to prevent users from accessing consumer-focused or inappropriate content and apps. For example, you can:

  • Restrict access to the Meta Store
  • Restrict access to the Explore application
  • Restrict access to Meta Events
  • Stop users from adding user accounts
  • Use Workspace ONE XR Hub as a kiosk mode experience (Tech Preview). See Workspace ONE XR Hub documentation for more information.

Restricting Access to Apps

Use the following process to restrict user access to certain applications:

  1. In the Workspace ONE UEM Console, select the appropriate organizational group for your Quest devices.
  2. Select Groups & Settings from the left side navigation menu.
  3. Select Groups > App Groups from the middle navigation menu.
  4. Select Add Group, select the Type dropdown, and select Denylist.
  5. Select the Platform dropdown, and select Android.
  6. Select the Name field, and type in a suitable name for your group.
  7. Click Add Application, and enter the name of the application you wish to block.
  8. Enter the application ID (for example: com.oculus.store).
     
  9. Click Add Application to add other applications (such as com.oculus.explore, com.oculus.browser, and so on), and then click Next.
  10. Click the Organizational Group to assign the deny list to, and then click Finish.

Preventing the Addition of More Users

Use the following process to stop users from adding additional users to the device:

  1. Access the Workspace ONE UEM Console, and select the appropriate organizational group for your Quest devices.
  2. Select Resources from the left side navigation menu.
  3. Select Profiles & Baselines from the middle navigation menu.
  4. Select Profiles.
  5. Click Add, and then select Android.
  6. Add a Name to your profile.
  7. Find the Application Control payload from the list, and click Add.
  8. Enable Disable Access to Denied Apps.
  9. Find the Restrictions payload from the list, and click Add.
  10. Disable Allow adding Goggle Accounts.
  11. Disable Allow adding/deleting accounts, and then click Next.
  12. Select the smart group to assign the profile to, and then click Save & Publish.

Conclusion

You have now completed enrollment of your Meta Quest device into Workspace ONE UEM. For information about enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

PICO Enrollment

VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your PICO headset devices from the same console you use for your more traditional devices, after an easy onboarding process. This section describes how to conduct a PICO Headset enrollment into Workspace ONE UEM.

A picture containing headphones Description automatically generated

After completing the initial Workspace UEM setup, you are now ready to enroll your PICO Headset devices.

There are three options for installation and enrollment of PICO devices:

  • QR Code enrollment via camera
  • Pre-installed or USB key-based QR Code and user enrollment during device setup (PICO Neo 3 / 4E only)
  • Manual / scripted enrollment by IT (requires connecting device to a PC or laptop with ADB)

Installing and Enrolling with QR Code File (PICO Neo 3 / 4 only)

PICO devices support a QR Code-based enrollment during device setup. This requires that a QR Code generated by Workspace ONE UEM be converted to a PNG format file, and either placed on the root of the device or on the root of a USB key plugged into the device during boot.

For ordering at volume from PICO, you can request that a QR Code be placed on the root of the device. Contact PICO for more information. Alternatively, a QR Code can be placed on the root of a FAT32 formatted USB-C key to be inserted into the device at boot.

To generate a QR Code, follow the instructions in Enroll Work Managed Device Using a QR Code.

Important: To use XR Hub, the URL field in the JSON file must use the following value
android.app.extra.PROVISIONING_DEVICE_ADMIN_PACKAGE_DOWNLOAD_LOCATION: https://packages.vmware.com/wsone/androidhub/airwatchagent23.06.apk.

Download the QR Code PDF file, open the file, and screenshot or image capture the QR Code. Save the QR Code image as QRCode.PNG.

Send your QRCode.PNG file to PICO or save it to the root of a FAT32 formatted USB-C key.

For users or administrators who power on the device for the first time:

  1. Take the device out of the box, and make sure that the device and the controllers are charged.
  2. If necessary, plug in the USB-C Key with the QR Code into the headset.
  3. Power on the PICO device.
  4. Follow the in-headset instructions to complete the initial setup of the device.
  5. If you have specified Wi-Fi configuration in the QR Code, the user can skip Wi-Fi configuration.
  6. The user will be prompted to select Quick Setup, as in the following screenshot:
    Graphical user interface Description automatically generated 
  7. Wait as this launches a process that configures Wi-Fi (if specified in the QR Code), then download and install the Workspace ONE UEM agent and enroll the device.
    Note: Do not press any buttons on the controller at this point, only follow the onscreen instructions.
  8. If you did not provide credentials in the QR Code, the user will be prompted to enter the enrollment username and password.
  9. When the device is enrolled, the user is asked to accept the privacy statement for the Workspace ONE UEM agent.
  10. Once enrolled, the device downloads the appropriate profiles, applications, and content from Workspace ONE UEM.
    Note: If you see a blank white screen with the UEM logo, Hub is waiting to download applications. Wait until this screen disappears (apps have been downloaded). You may need to force install applications using the UEM console if the device is stuck with Hub showing a white screen.
  11. You should be now presented with the Hub application showing that the device is enrolled.
  12. Reboot the device and continue the PICO setup.
    Note: Do not select enterprise setup.
  13. Within the Workspace ONE UEM Console, from the Customer or Child OG, navigate to Devices > List View. You should see the device enrolled into the Workspace ONE UEM Console. You should be able to manage these devices using Android Enterprise-based profiles.

Installing and Enrolling – Manual

To register a shared device with a Workspace ONE UEM environment, start with the installation and enrollment process.

  1. Download the Workspace ONE Intelligent Hub client APK (AirWatch agent) and have it on your computer: https://packages.vmware.com/wsone/androidhub/airwatchagent23.06.apk
  2. If you are not starting with a new device, do a factory reset of the PICO headset through the settings menu on the device.
  3. After the device is powered on, connect to a Wi-Fi network, and follow the steps in the headset to get to the PICO main screen.
  4. Critical: Launch the browser and verify that you can connect to your Workspace ONE URL. For example, https://ds135.awmdm.com (a successful connection means you will be re-directed, and you should see a Workspace ONE login screen). If you cannot connect to this site, you must switch to a Wi-Fi network that can before you continue.
  5. Make sure that your system is updated to the latest firmware by launching the System Update (in Settings) app and updating.
  6. Plug the headset into your setup machine (where you downloaded the agent) by using the USB cable provided and begin an ADB session.
  7. Type adb devices and press Enter. This should result in showing your connected device authorized for access.
  8. If this shows no devices connected, enable developer mode by clicking Settings > More Settings > System > Developer Options > Turn On.
  9. Install the APK you downloaded earlier onto the PICO using the adb install command. This should result in a success message.
  10. Run the following adb command to set up the AirWatch agent as the device owner:
    adb shell dpm set-device-owner com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver
  11. Place the headset on, and continue registration from within the device, starting with launching the Hub app that you installed above.
  12. Enter the following in the next few screens to enroll the device:
    • Server: Device Services Server address (for example: ds135.awmdm.com)
    • Group ID: Organization Group ID
    • Enrollment User/Password: Enrollment User and password
  13. Click through one privacy statement and wait until the device runs through enrollment and displays the enrolled user, email address, and some informational items.
  14. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise based profiles.

Setting Up Certificate Management

If you need to install private certificates (certs with a password), setting a device pin is required to enable the Android keystore. To support a device pin, you need to ensure your devices are running the following firmware: G2 4K (PUI 3.11.3) and Neo 2 (PUI 3.13.1). Contact your PICO representatives to request this firmware.

Passcode policy does not work in the latest versions of PICO UI (PUI). Contact PICO to access a custom ROM to address this issue.

Managing Device PIN Code

Note the following limitations:

  • Setting a passcode on PICO Neo 2, 3, and 4E devices is not supported. PICO Neo 2 and 3 no longer correctly render the PIN setting UI. Contact PICO for a custom ROM to address this issue
  • Setting a passcode on PICO Neo 3 and 4E causes Workspace ONE UEM to prevent users from using the device. Do not set Passcode policy on the PICO Neo 3. Setting a PIN Code on the PICO Neo 3 is not supported. Contact PICO for a custom ROM to address this issue.

Managing Kiosk Mode

Note the following limitations:

  • We recommend using the PICO method for setting kiosk mode. For more information, see PicoVR Kiosk Mode.
  • Workspace ONE LockTaskMode and Workspace ONE Launcher are not supported on PICO devices.

Setting Up Controller Binding (G2 4K)

If you are using the device in kiosk mode, you should bind the controller to the HMD. For more information, see Operation Guide.

Conclusion

You have now completed enrollment of your PICO Headset into Workspace ONE UEM. For information about enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Magic Leap 2 Enrollment & Management

This section describes how to enroll Magic Leap 2 device into Workspace ONE UEM. VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your Magic Leap 2 device from a single console, after an easy onboarding process.

A pair of sunglasses Description automatically generated with medium confidence

After completing the initial Workspace UEM setup, you are now ready to enroll your Magic Leap 2.

Creating an Enrollment QR Code

The QR code enrollment method sets up and configures Magic Leap 2 through simply scanning a QR code. The QR code contains a payload of JSON values with all the information needed for the device to connect to a Wi-Fi network, download the WS1 Intelligent Hub and be enrolled all with one quick scan. Although this can also be set up manually with a third party QR Code generator and a manual JSON payload, Workspace ONE UEM provides an easy wizard for creating a QR Code that can be used to enroll Magic Leap 2 devices.

  1. From the Customer Level OG, navigate to Devices > Lifecycle > Staging > List View > Configure Enrollment.
  2. In the Enrollment Configuration Wizard window, select the Android panel.
  3. Select the QR Code panel and click the Configure button.
    Graphical user interface, application Description automatically generated 
  4. Select the Wi-Fi Security Level of the encrypted Wi-Fi Network to be used for automatic configuration, when scanning the QR Code. This could be a temporary Wi-Fi Network used for Staging only. (This does not support EAP-TLS Cert based Wi-Fi Networks.) Once the device is enrolled, a Production Wi-Fi Profile can be pushed to the device from the Workspace ONE UEM Console.
    Graphical user interface, text, application Description automatically generated 
  5. Complete the form by providing the SSID and Password, and click Next.
  6. Select the download location for the Workspace ONE Intelligent Hub, and click Next. Use the default value unless you intend to host the server from which the Workspace ONE Intelligent Hub can be downloaded.
    Graphical user interface, text, application, email Description automatically generated 
  7. Configure the Organization Group (OG). This determines the OG to which the device will be enrolled. Select the Enabled button, then select the OG from the dropdown box.
  8. Configure the Login Credentials. This is the Basic User that you created earlier. Select the Enabled button, then click in the Username field, and choose the user from the dropdown list. Next, provide the correct associated password for that user.
  9. Keep the System Apps Enabled, and Force AOSP/Closed Network Enrollment Disabled. Click Next.
    Graphical user interface, application Description automatically generated 
  10. To save a .PDF document to your hard drive, select the Download File option. To scan the Enrollment QR Code directly from your PC Screen, select the View PDF option.
  11. Alternatively, when adding users to Workspace ONE UEM, a message can be sent via email that includes their enrollment QR Code. See Device and User Message Templates Settings for more information.

Finishing Magic Leap 2 QR Code Enrollment

After creating an enrollment QR Code, the final step is to complete the enrollment process on the Magic Leap 2 device.

  1. Power on the ML2 device, and go through the OOBE Steps using device:
    • Pair the controller.

      Note: It might be necessary to plug the controller into the Magic Leap 2 device using the USB-C cable.
    • Select the language.
    • Complete or skip the prescription insert instructions.
    • Accept the EULA.
    • Choose Enrollment to enroll your device into Workspace ONE UEM.
  2. Select Start Scan with the Magic Leap 2 controller to scan the QR Code:
     
  3. Position the Magic Leap 2 device so that the QR Code is inside the target rectangle. Note that it might take a few seconds to scan the QR Code.
    • If you have issues scanning the QR Code:
    1. Zoom in on the QR code in the PDF document so that it is at least 8” x 8” in size when viewed on the screen or a PC monitor.
    2. Maximize the window on the monitor. QR Code image should be at least 8” x  8” in size.
    3. View it at a large magnification (such as full screen) on a large monitor that has a 3 : 4 aspect ratio. (Higher aspect ratios will negate the largeness of the monitor.)
    4. The monitor needs to have a matte or anti-reflective finish (or be situated with special background lighting).
    5. The ambient lighting for the area around the monitor should be bright to avoid head-pose loss as the QR code detection is currently head pose sensitive.
    6. The monitor settings might need to be tweaked for contrast, brightness, and sharpness (a midway setting for each of them is recommended).
    7. Some amount of movement (for position and viewing angle) of the headset (or the monitor) might be required to help with the capture.
    8. Scan the QR Code with a Viewing distance between 12” to 36”.
  4. If scanned successfully, you will be presented with the following:
     
  5. Click Accept & Continue using the Magic Leap 2 controller, and then click Next.
    A picture containing graphical user interface Description automatically generated 
  6. Device enrollment begins with:
     
  7. Shortly, the device becomes enrolled, and the Workspace ONE Intelligent Hub app shows the current user.
  8. Press the Home button on the Magic Leap 2 controller to get back to the Magic Leap home application.
  9. From the Customer or Child OG in the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Updating Firmware with Over the Air (OTA) Updates

Workspace ONE UEM can push firmware updates to the Magic Leap 2 device.

Note: OTA updates require VMware Workspace ONE UEM version 2206 or later.

To perform an OS upgrade:

  1. Download the latest Magic Leap 2 OS OTA Update file (available as and when Magic Leap publish OTA updates).
  2. In Workspace ONE UEM, create a Provisioning > Component > File/Action.
    • Upload the Magic Leap 2 OS OTA ZIP file.
      • Use the path $osupdate$/
    • Add an OS Upgrade action to the Manifest.
      • Select the uploaded ZIP file for the OS File.
  3. In Workspace ONE UEM, go to Provisioning > Product List View.
    • Select Add a Product, and then select Android.
    • Add details to the product and select a smart group to assign the OS update to.
    • Add a File/Action – Install action to the Manifest.
      • Select the OS Upgrade File/Action component you created.
    • Add any conditions or deployment schedule to the product.
    • Click Activate to start the OS upgrade process.

For more information on OS updates for Work Managed devices, see Android OS Update for Work Managed Device.

Accessing Device Logs

Workspace ONE UEM can collect logs using two primary mechanisms:

  1. Request Device Log from Workspace ONE UEM Console.
    1. To collect Hub, System, or Security logs, see Request Device Log.

      Note: For device system logs, users will need to access Intelligent Hub on the Magic Leap 2 devices. Use the controller to click the top bar of the application and click Share on the Bug Report notification.
  1. Pull device logs using Workspace ONE Assist:
    1. To collect system logs using remote ADB commands, see Command-Line Interface, Android.

Managing Applications

Applications can be silently installed remotely to the Magic Leap 2 device using Workspace ONE UEM. In summary:

  • Application APKs and supporting files must be either uploaded to Workspace ONE UEM or placed on a web/file server that is accessible by the device.
  • Applications and any supporting files are installed by Workspace ONE UEM to all assigned devices.

For more information on managing applications, see Deploying Internal Application on Android Devices.

Magic Leap Resources

For more information on the Magic Leap 2 devices, the following articles from Magic Leap can be useful:

 You can also contact Magic Leap support at care@magicleap.com.

Conclusion

You have now completed enrolling your Magic Leap 2 device into Workspace ONE UEM. For information about how to enroll other types of XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

RealWear Enrollment

This section describes how to conduct a RealWear HMT-1 (Non-Intrinsically Safe), HMT-1Z1 (Intrinsically Safe), and RealWear Navigator device enrollment in Workspace ONE UEM. RealWear devices are designed for hands-free use in hazardous environments. VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your RealWear devices from a single console, with an easy onboarding process.

After completing the initial Workspace UEM setup, you are ready to enroll your RealWear HMT-1 (Non-Intrinsically Safe), HMT-1Z1 (Intrinsically Safe), or RealWear Navigator devices.

Creating an Enrollment QR Code

The first step in the device enrollment process is to create Enrollment QR codes.

  1. From the Customer Level OG, navigate to Devices > Lifecycle > Staging > List View > Configure Enrollment.
  2. In the Enrollment Configuration Wizard window, select the Android panel.
  3. Select the QR Code panel and click the Configure button.
    Graphical user interface, application Description automatically generated 
  4. Select the Wi-Fi Security Level of the encrypted Wi-Fi Network to be used for automatic configuration, when scanning the QR Code. This could be a temporary Wi-Fi Network used for Staging only. (This does not support EAP-TLS Cert based Wi-Fi Networks). Once the device is enrolled, a Production Wi-Fi Profile can be pushed to the device from the Workspace ONE UEM Console.
    Graphical user interface, text, application Description automatically generated 
  5. Complete the form by providing the SSID and Password, and click Next.
  6. Select the download location for the Workspace ONE Intelligent Hub, and click Next. Use the default value unless you intend to host the server from which the Workspace ONE Intelligent Hub can be downloaded.
    Graphical user interface, text, application, email Description automatically generated 
  7. Configure the Organization Group (OG). This will determine the OG to which the device will be enrolled. Select the Enabled button, then select the OG from the dropdown box.
  8. Configure the Login Credentials. This is the Basic User that you created earlier (this only supports basic users). Select the Enabled button, then click in the Username field, and choose the user from the dropdown list. Next, provide the correct, associated password for that user.
  9. Keep the System Apps Enabled, and Force AOSP/Closed Network Enrollment Disabled. Click Next.
    Graphical user interface, application Description automatically generated 
  10. To save a .PDF document to your hard drive, select the Download File option. To scan the Enrollment QR Code directly from your PC Screen, select the View PDF option.

Checking Firmware Version

After creating an enrollment QR Code, the next step in the device enrollment process is to conduct a firmware version check.

Note: The RealWear HMT-1 needs to be running the latest version of firmware that supports Android Enterprise (AOSP) enrollment. The minimum version is Android 8.1 (Build Number greater than v11).

  1. Power on your RealWear HMT-1 device (for device operations, see the instruction manual provided by RealWear).
  2. Check the display to make sure that the battery level is greater than 30%, as a Software update cannot be performed if the battery is not at 30% or higher.
  3. Speak the Show Help command to show the list of available commands on the screen.
    Graphical user interface, application Description automatically generated 
  4. Speak the My Programs command.
  5. Speak the About Device command to determine the version of firmware running on the device.
    Graphical user interface, application Description automatically generated 
  6. If the version of firmware is lower than the one shown here, you will need to upgrade the firmware to complete the QR Code enrollment process. Skip the Firmware Update Section below, if your firmware is already updated to this version or higher.

Updating Firmware

After conducting a firmware version check, the next step in the device enrollment process is to conduct a firmware update.

Note: The RealWear HMT-1 needs to be running the latest version of firmware that supports Android Enterprise (AOSP) enrollment. The minimum version is Android 8.1 (Build Number greater than v11). If the version of your firmware is lower, upgrade the firmware before proceeding. If your firmware is already updated to this version or higher, skip this Firmware Update section, and proceed to Finish Enrollment.

  1. Power on your RealWear HMT-1 device. For device operations, see the instruction manual provided by RealWear.
  2. Check the display to make sure that the battery level is greater than 30%, as a Software update cannot be performed if the battery is not at 30% or higher.
  3. Speak the Navigate Home command to return to the home screen.
  4. Speak the My Programs command to view the My Programs screen.
  5. Speak the Configuration command to scan a QR Bar Code that will establish Wi-Fi Settings for the device to download the latest version of firmware.
  6. On your PC or MAC, navigate to https://realwear.setupmyhmt.com, and click the Configuration button.
    Diagram Description automatically generated 
  7. Click the First Time Setup button.
    Table Description automatically generated with medium confidence 
  8. Select your preferred language, then select NEXT.
    Graphical user interface, application Description automatically generated 
  9.  Set your time and date, then select NEXT.
    Graphical user interface, text, application Description automatically generated 
  10. Provide your preferred Wi-Fi Settings for the device and select NEXT.
    Graphical user interface, text, application Description automatically generated 
  11.  Scan the QR Code with the HMT-1 Camera to configure your device.
    Qr code Description automatically generated 
  12. The Wi-Fi should be configured at this point. Speak the Wireless Update command. If available, follow the commands on the screen to complete the Wireless Update.

Finishing the RealWear HMT-1 QR Code Enrollment

After updating firmware, the final step is to complete the RealWear HMT-1/Workspace ONE enrollment.

Note: The RealWear HMT-1 needs to be running the latest version of firmware that supports Android Enterprise (AOSP) enrollment. The minimum version is Android 8.1 (Build Number greater than v11).

  1. After a firmware update, the HMT-1 should have performed a factory reset. Within a few minutes, this will automatically present the Configuration screen through the HMT-1 viewer, allowing for a QR Code scan.
  2. Aim your HMT-1 Camera at the QR Code that you created in the Enrollment QR Code Creation section.
    Graphical user interface, application Description automatically generated 
  3. The camera will automatically capture the QR Code, and the enrollment process will begin. The Downloading Status screen will appear as the WS1 Hub is downloaded from the cloud, followed by an Installing… notification.
  4. When the Accept & Continue Screen appears, speak the command Accept & Continue. Enrollment will begin.
  5. Wait until the device becomes enrolled, and the Workspace ONE Intelligent Hub app shows the current user. Speak the command Navigate Home. The Hub Icon should be present in your My Programs screen.
    A screen shot of a cell phone Description automatically generated with medium confidence 
  6. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Conclusion

You have now completed a RealWear HMT-1 or HMT 1Z1 enrollment into Workspace ONE UEM. For information about how to enroll other types of XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Vuzix M400 & M4000 Enrollment

This section describes how to enroll Vuzix M400 or M4000 smart glasses into Workspace ONE UEM. VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your Vuzix smart glasses from a single console, after an easy onboarding process.

After completing the initial Workspace UEM setup, you are now ready to enroll your Vuzix smart glasses.

Creating an Enrollment QR Code

The QR code enrollment method sets up and configures Vuzix glasses through simply scanning a QR code. The QR code contains a payload of JSON values with all the information needed for the device to connect to a Wi-Fi network, download the Workspace ONE Intelligent Hub, and be enrolled all with one quick scan. Although this can also be set up manually with a third party QR Code generator and a manual JSON payload, Workspace ONE UEM provides an easy wizard for creating a QR Code that can be used to enroll Google Glasses.

  1. From the Customer Level OG, navigate to Devices > Lifecycle > Staging > List View > Configure Enrollment.
  2. In the Enrollment Configuration Wizard window, select the Android panel.
  3. Select the QR Code panel and click the Configure button.
    Graphical user interface, application, Teams Description automatically generated 
  4. Select the Wi-Fi Security Level of the encrypted Wi-Fi Network to be used for automatic configuration, when scanning the QR Code. This could be a temporary Wi-Fi Network used for Staging only. (This does not support EAP-TLS Cert based Wi-Fi Networks.) After the device is enrolled, a Production Wi-Fi Profile can be pushed to the device from the Workspace ONE UEM Console.
    Graphical user interface, text, application Description automatically generated 
  5. Complete the form by providing the SSID and Password, and click Next.
  6. Select the download location for the Workspace ONE Intelligent Hub, and click Next. Use the default value unless you intend to host the server from which the Workspace ONE Intelligent Hub can be downloaded.
    Graphical user interface, text, application Description automatically generated 
  7. Configure the Organization Group (OG). This determines the OG to which the device will be enrolled. Select the Enabled button, then select the OG from the dropdown box.
  8. Configure the Login Credentials. This is the Basic User that you created earlier. Select the Enabled button, then click in the Username field, and choose the user from the dropdown list. Next, provide the correct, associated password for that user.
  9. Keep the System Apps Enabled, and Force AOSP/Closed Network Enrollment Disabled. Click Next.
    Graphical user interface, application Description automatically generated 
  10. To save a .PDF document to your hard drive, select the Download File option. To scan the QR Code directly from your PC Screen, select the View PDF option.

Finishing Vuzix QR Code Enrollment

After creating an enrollment QR code, the final step is to complete the enrollment process on the smart glasses. Out of the box, the Vuzix glasses can follow the procedure below.

Note: If the device has been configured previously, it will require a factory reset to take advantage of this provisioning method (Settings > System > Reset options > Erase all data).

  1. On the screen below, press and hold the front-most button on the glasses for 3 to 4 seconds until the Provisioning App launches.
    A picture containing text Description automatically generated 
  2. This immediately launches the camera. Aim the Vuzix camera at the QR Code that you created in the Enrollment QR Code Creation section.
    Graphical user interface, application Description automatically generated 
  3. The camera automatically captures the QR Code, and the enrollment process begins. The Downloading Status screen appears as the Workspace ONE Intelligent Hub is downloaded from the cloud, followed by an Installing… notification.
  4. If the Accept & Continue Screen appears, press the rear-most button to continue.
  5. Just before the process finishes, you will be presented with the Vuzix End User License Agreement, which you need to read and accept. You can accept and continue the process by again pushing the rear-most button on the glasses.
    Text Description automatically generated 
  6. Wait until the device becomes enrolled, and the Workspace ONE Intelligent Hub app shows the current user.
  7. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android (Enterprise) based profiles.

Conclusion

You have now completed enrolling your Vuzix smart glasses into Workspace ONE UEM. For information about how to enroll other types of XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Registering Android EMM with Google Play Account

NOTE: Follow this procedure only if Android EMM has not already been registered for the UEM tenant.

The initial step in the managing Android-based process is to register Android EMM with a Google Play account. This is required to enable Android-based device management within UEM. Even though Google Play Store or Google Message Services is not used by Android Open Source Project (AOSP) device, to manage Android devices in Workspace ONE UEM, this must be enabled.

  1. Log in to your Workspace ONE UEM Console using your Administrator Account. Note that certain functions might require advanced roles, such as account creation. Check with your Workspace ONE UEM Console Administrator for proper role assignments.
  2. From the Customer Level Organization Group (OG), navigate to Getting Started > Workspace ONE > Android EMM Registration.

    Graphical user interface, text Description automatically generated
    Note: If you prefer not to use the wizard for Android EMM Registration, or if the wizard is not available in your environment, you can navigate to Groups & Settings > All Settings > Devices & Users > Android > Android EMM Registration.
  3. Make sure that you are signed into Google with your preferred (corporate account specific to your environment) Google account credentials, and select Configure.
  4. In the Android EMM Registration window, click Register with Google. If you are already signed in with your Google credentials, you are redirected back to the Workspace ONE console.
    Graphical user interface Description automatically generated with low confidence 
  5. On the Bring Android to Work window, select Sign In, if you are not already signed in, enter your Google credentials, and then select Get Started.
    Graphical user interface, application, Teams Description automatically generated 
  6. Enter your Organization Name. The Enterprise Mobility Manager (EMM) provider field populates automatically as VMware Workspace ONE UEM.
  7. Select Next. The Data Protection Officer and EU Representative information is optional. Make sure to confirm that you have read and agreed to the Managed Google Play agreement.
  8. Select Confirm > Complete Registration.
  9. When you are redirected to the Workspace ONE Console, verify that your Google Service Account credentials are automatically populated, and select Save > Test Connection to verify that the service account is set up and connected successfully.
  10. Your Android EMM Registration status should show as Complete.

Summary and Additional Resources

Immersive technologies are becoming ever more popular and interest is growing rapidly – particularly in augmented reality (AR), mixed reality (MR), and virtual reality (VR) headsets, sometimes called head-mounted displays (HMDs). To address this growing market and its resulting challenges, VMware has partnered with leading vendors to deliver scalable management and app delivery for Android and Windows 10-based devices. This guide walks you through the steps toward Workspace ONE UEM enrollment for HTC VIVE, Magic Leap, Meta Quest, PICO, RealWear, and Vuzix devices.

Additional Resources

For more information about delivering and managing XR devices through VMware Workspace ONE UEM, explore the following resources:

Changelog

The following updates were made to this guide.

Date

Description of Changes

2023/05/17

Updated device types and enrollment instructions:

  • Updated title (due to the evolution of the naming and XR as an overall category of devices)
  • Removed Oculus and Google Glass sections (devices are End of Life by their manufacturer, and Oculus has change to Meta Quest as a brand)
  • Added Meta Quest Business Enrollment (Tech Preview) section
  • Added Registering Android EMM with Google Play Account section

2023/03/20

Updated enrollment processes and instructions

2023/02/22

Added Meta Quest for Business (Beta) information

2022/09/30

Added new section about enrolling and managing Magic Leap 2 devices with Workspace ONE UEM, and updated the guide throughout

2022/06/28

Updated enrollment processes for Meta Quest 2 and HTC VIVE Focus 3, which now supports QR Code enrollment

2022/06/16

Added new section about controlling in-headset experience with Meta Quest 2 (Consumer) and updated throughout

2022/05/24

Updated PICO enrollment options and new QR Code option

2022/03/22

Added HTC VIVE Focus 3, Meta Quest 2 Consumer, Oculus for Business, and PICO Neo 3 device enrollment procedures

2021/01/20

Added Vuzix M400 & M4000 enrollment procedures

2020/11/19

Added HTC VIVE Focus & Focus Plus Headset enrollment procedures

2020/10/01

Initial publication of RealWear, PICO, and Goggle Glass enrollment procedures

Authors and Contributors

The following authors, contributors, and subject-matter-expert reviewers collaborated to create this guide.

Authors

  • Drew Evangelista, Senior Product Line Manager, End-User-Computing Product Management, VMware
  • Matt Coppinger, Director, End-User-Computing Product Management, VMware

Contributors

  • David Dwyer, Sr. Solution Engineer, End-User-Computing Technical Marketing, VMware
  • Jon Duncan, Group Product Line Manager, UEM IoT, Mobile PM, EMM VMware
  • Christina Minihan, Senior Staff End-User-Computing (EUC) Architect, End-User-Computing Technical Marketing, VMware

Feedback

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.


Filter Tags

Workspace ONE Workspace ONE UEM Document Fundamental Intermediate Deploy Manage