eXtended Reality (XR) Device Management: VMware Workspace ONE UEM

Overview

In the enterprise, eXtended Reality (XR) is being leveraged as a powerful tool to enhance the productivity of employees, keep frontline workers safe, train our colleagues, visualize our products, and inspire our customers.

XR is an umbrella term that covers assisted, augmented reality (AR), virtual reality (VR), and mixed reality (MR) technologies.

XR devices are now being used alongside mobile devices, and across a variety of verticals and use cases, to dramatically increase productivity, efficiency, and employee experience.

The VMware Workspace ONE Unified Endpoint Management (UEM) platform enables organizations to securely manage any device – from laptops and smartphones to rugged devices and XR devices – from a single console. Enrollment is the first step.

For XR devices, enrollment can be challenging. While Android is the operating system of choice for most devices, they typically are running Android Open Source Project (AOSP), and the out-of-the-box experience varies widely. The Workspace ONE UEM team is leveraging its expertise in device management and partnering with the full spectrum of hardware manufacturers to ensure the best possible enterprise device management experience for these devices.

Workspace ONE Intelligent Hub (Intelligent Hub) supports Android-based devices and Microsoft HoloLens devices and provides enterprise device management capabilities for all eXtended Reality device types.

Purpose of This Guide

The purpose of this guide is to help you configure your Workspace ONE UEM instance to simplify the onboarding of XR devices, as well as to navigate the device-specific nuances of Workspace ONE UEM-supported devices. From the navigation bar to the left, you can select from the variety of enrollment options covered, for which more are being added periodically:

VR devices: HTC VIVE Meta Quest PICO

Non-VR devices: Magic Leap RealWear Vuzix

Note: This guide contains two types of useful links. External links take you to other resources on the web, and internal links take you to other sections within this guide. After you click an internal link and read its content, you can return to your original location by clicking the Back button of your browser.

Audience

This guide is intended for IT professionals who plan to take advantage of the growing market of XR technologies and use VMware Workspace ONE UEM to deliver scalable management and app delivery for Android XR devices. Familiarity with VMware Workspace ONE UEM, directory services, and supporting technologies is assumed.

Initial Workspace ONE UEM Setup

VMware Workspace ONE Unified Endpoint Management (UEM) enables you to securely manage your XR devices from a single console, with an easy onboarding process.

Regardless of the type of XR devices you are enrolling, this process begins with the initial UEM setup. The UEM setup includes verifying prerequisites, and configuring enrollment settings, restrictions, and messaging.

Verifying Prerequisites

Before starting the enrollment process, make sure you meet the prerequisites for your devices. All devices require a supported version of VMware Workspace ONE UEM (https://kb.vmware.com/s/article/2960922), along with the following device-specific items.

All Devices:

• The current version of the VMware Workspace ONE Intelligent Hub (Intelligent Hub) client from https://getwsone.com/mobileenrollment/airwatchagent.apk

HTC VIVE Devices:

• HTC VIVE XR Elite running the latest firmware
• HTC VIVE Focus 3 running firmware 3.0.999.456 or newer
• HTC VIVE Focus Plus running firmware 4.14.623.1 or newer
• HTC VIVE Focus running firmware 3.13.623.1 or newer

PICO Devices:

• PICO 4 Enterprise running PUI 5.0 or newer
• PICO Neo 3 running PUI 4.3.34 or newer
• PICO Neo 2 running PUI 3.13.1 or newer
• PICO G2 4K running PUI 3.11.3 or newer

Note: Passcode policy is not supported on PICO Neo 2, 3 or 4.

Meta Quest Devices (Quest for Business):

Note: Quest for Business enrollment is in Tech Preview as it is currently in Beta by Meta

• Intelligent Hub must be enrolled with the setting EnableAllFileAccessPermission set to True
• Meta Quest Pro running firmware version 53 or newer
• Meta Quest 2 running firmware version 53 or newer

Meta Quest Devices (Standard):

• VMware Workspace ONE ConQuest (https://flings.vmware.com/workspace-one-conquest)
• Intelligent Hub must be enrolled with the setting EnableAllFileAccessPermission set to True
• Meta Quest companion mobile app installed on an Android or iOS mobile device
• Meta Quest Pro running firmware version 50 or newer
• Meta Quest 2 running firmware version 50 or newer

Magic Leap:

• Magic Leap 2 with OS version 2208.18 or later

RealWear:

• HMT-1 or HMT-1Z1 running v11 firmware or newer
• Navigator 500 or 520 running the latest firmware

Vuzix:

• M300/400 Series running v2.0.1 firmware or newer
• M4000, Shield running the latest firmware
• Vuzix Blade 2 running the latest firmware

Configuring Workspace ONE UEM for XR Devices

Note: All devices covered by this guide run the Android Open Source Project (AOSP) version of Android.

• Android EMM registration is needed to activate Android management capabilities within UEM, although AOSP devices do not use the Google Accounts and Google Mobile Services (GMS).
• Due to the Work Profile option not being available within AOSP, Work Managed is the only mode of management supported, and certain features need to be turned off as a result.
• If Android EMM registration has not already been configured for your UEM environment, see the Configuring Enrollment Settings section below. This is only done once per tenant to activate Android device management.

Configuring Enrollment Settings

The first step of the configuration process is to set up device enrollment settings. We recommend creating a model-specific Child Level Organizational Group (OG) for these settings.

1. In your Workspace ONE UEM Console, navigate to Groups & Settings > Configurations > Android EMM Registration, and select the Enrollment Settings tab.
2. In the Enrollment Settings tab, select the Override radio button to change the default settings.
3. Select WORK MANAGED device, select AOSP / CLOSED NETWORK, and then click Save.
   
    

Configuring Enrollment Restrictions

After configuring Enrollment Settings, the next step of the configuration process is to set up device enrollment restrictions for this Organizational Group.

1. In your Workspace ONE UEM Console, navigate to Groups & Settings > Configurations > Android EMM Registration, and select the Enrollment Restrictions tab.
2. In the Enrollment Restrictions tab, select the Override radio button to change the default settings.
3. From the Define the enrollment method for this organization group dropdown menu, select Always use Android.
4. For Allow Work Profile Enrollment, select Disable, as this mode is not supported on AOSP devices. Click Save and close the Settings window.
   
    

Configuring Intelligent Hub Settings

After configuring Enrollment Restrictions, the next step of the configuration process is to set up Workspace ONE Intelligent Hub Settings for this Organizational Group.

1. In your Workspace ONE UEM Console, navigate to Groups & Settings > All Settings > Devices & Users > Android > Intelligent Hub Settings.
2. Select the Override radio button to change the default settings.
3. For Require Google Account, select the DISABLED button.
    
4. Scroll down, then select the ENABLED button, for AirWatch Cloud Messaging.
    
5. Click Save.

Creating a Basic User Account (optional)

After configuring Intelligent Hub Settings, the final step of the initial process is to create a Basic User Account.

Note: Workspace ONE UEM manages devices by keeping track of the users of each device. Therefore, it is necessary to create and implement user accounts for devices to enroll into Workspace ONE UEM. See Workspace ONE UEM documentation for detailed information on advanced topics, such as integrating Workspace ONE UEM with Directory Services Accounts.

1. From the Customer Level Organization Group (OG), navigate to Accounts > Users > List View, select Add, then Add User.
2. On the General tab of the Add / Edit User window, complete the following settings to add a Basic User:

• Security Type - Select Basic to add a basic user.
• Username - Enter a username with which the new user is identified. For testing purposes, we recommend using lower case, alpha, and no special characters.
• Password - Enter a password that the user can use to log in. This will be included in the QR Bar Code setup. A user will not need to enter this in manually.
• Confirm Password - Confirm the password.
• Full Name - Complete the First Name, Middle Name, and Last Name of the user.
• Display Name (Optional) - Represent the user in the UEM console by entering a name.
• Email Address - Enter or edit the user's email address.
• Email username (Optional) - Enter or edit the user's email username.
• Domain (Optional) - Select the email domain from the drop-down setting.
• Phone Number (Optional) - Enter the user's phone number including plus sign, country code, and area code. This option is required if you intend to use SMS to send notifications.

3. In the Enrollment section, complete the following settings to add a Basic User:

• Enrollment Organization Group - Select the organization group into which the user enrolls. Default settings are recommended.
• Allow the user to enroll into additional Organization Groups - You can allow the user to enroll into more than one organization group. If you Enable this option, but leave Additional Organization Groups blank, then any child OG created under the Enrollment Organization Group can be used as a point of enrollment. The Enabled setting is recommended.
• Additional Organization Groups - This setting only appears when the option to allow the user to enroll into additional OGs is Enabled. This setting allows you to add additional organization groups from which your basic user can enroll.
• User Role - Select the role for the user you are adding from this drop-down setting. Default settings are recommended.

4. In the Notification tab, complete the following settings to add a Basic User, and then click Save:

• Message Type - Select the type of message you want to send to the user: Email, SMS, or None. Selecting SMS requires a valid entry in the Phone Number option.
• Message Template - The basic user activates their account with this notification. For security reasons, this notification does not include the user's password. Instead, a password reset link is included in the notification. The basic user selects this link to define another password. This password reset link expires in 24 hours automatically. Select the template for email or SMS messages by selecting one from this drop-down setting. Optionally, select Message Preview to preview the template and select the Configure Message Template to create a template.

Recommended Profile Settings for VR Devices

The following profile settings are recommended for Android-based VR devices. Other settings should be configured based on individual customer’s requirements. You must also have a smart group defined to include the VR headsets.

Best practice is to create individual profiles for each payload type. For testing purposes, a single profile may contain the multiple payloads seen below.

1. While logged into Workspace ONE UEM, change to the Organization Group (OG) that manages your headsets.
2. Navigate to Resources > Profiles & Baselines > Profiles, select Add, and then Add Profile.
3. Select Android.
4. Name your profile: For example, Headset Config, and Add Description (optional).
5. Include a Permissions payload.
   1. Scroll down and locate the Permissions payload.
   2. Select ADD (to the right). The Summary panel on the right side of the screen displays the added payload. You are now able to make changes to the Permissions payload.
   3. Under the Permissions drop down menu, for Permission Policy, select Grant All Permissions.
6. Include a Restrictions payload.

1. Scroll down and locate the Restrictions payload.
2. Select ADD to include the Restriction payload to the summary.
3. Under the Restrictions drop down menu, unselect (deactivate) the following two options.
   1. Allow All Keyguard Features
   2. Allow Keyguard

7. Include an Application Control payload.

1. Scroll down and locate the Application Control payload.
2. Select ADD to include the Application Control payload to the summary.
3. Under the Application Control drop down menu, leave all check boxes in their default positions. For the payload to be configured with the default options, deselect, and then immediately select one of the checkboxes.

8. Select the Next button.
9. Under Assignment, select an appropriate smart group to apply the profile rules.
10. Under Deployment, make the following selections.

1. Assignment Type – Auto
2. Allow Removal – Always (for testing only, select Never or With Authorization for Production)
3. Managed By – select the organization group you specified in a previous step.
   Result: The Preview screen to the right displays, showing a preview of the devices included in the smart group you selected above. If this screen displays Total Assigned Devices 0, you can add devices to the smart group later. The profile you just made is assigned to this smart group whether it contains devices or not.

11. Select the Save & Publish button.

(Optional) Installing ADB for Device Enrollment

Certain devices require the use of the Android Debug Bridge (ADB) to install software or configure the device from a connected computer. ADB download location: https://developer.android.com/studio/releases/platform-tools

Install ADB on your computer and make sure that the adb command is accessible from the command line.

Note: ADB is not required for Meta Quest 2 device enrollment, since Workspace ONE ConQuest includes ADB.

Note: ADB is not required for PICO Neo 3 enrollment when using QR Code.

Next Step: Specific Device Enrollment

After you have completed the initial Workspace UEM setup, select one of the following specific devices to finish enrollment from the navigation bar on the left:

• HTC VIVE Enrollment
• HTC VIVE Enrollment for Focus & Focus Plus
• Meta Quest Standard Enrollment
• Meta Quest for Business Enrollment (Tech Preview)
• PICO Enrollment
• Magic Leap 2 Enrollment
• RealWear Enrollment
• Vuzix Enrollment

 

HTC VIVE Device Enrollment

The HTC VIVE XR Elite and HTC VIVE Focus 3 devices use a different installation and enrollment flow than their predecessors, the HTC VIVE Focus and HTC VIVE Focus Plus. The VIVE XR Elite and VIVE Focus 3 can be automatically enrolled into Workspace ONE from boot via QR Code enrollment.

After completing the initial Workspace UEM setup, you are ready to enroll your VIVE XR Elite and VIVE Focus 3 Headset devices.

QR Code Installation and Enrollment

To install and enroll your VIVE XR Elite or VIVE Focus 3 Headset into Workspace ONE UEM:

1. Generate a QR Code by following the instructions in Setting up a VMware AirWatch agent and enrolling VIVE Focus 3 using a QR code.
2. Unbox and power on the HTC VIVE device. When the device is powered on, a welcome screen is displayed.
3. When the welcome screen appears, press the Headset button three times to enable passthrough.
4. Use the onscreen QR code scanner to scan the QR code displayed on your computer screen.
5. The MDM Setup window appears. The VMware AirWatch agent then automatically enrolls the headset. When enrollment is complete, follow the onscreen instructions to finish setting up the headset.

• Click through one privacy statement and wait until the device runs through enrollment and displays the enrolled user, email address, and additional information.

6. From the Customer or Child OG within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Batch Configuration Installation and Enrollment

Alternatively, you can set up your headset using the process described in Enabling Mobile Device Management (MDM) through batch configuration.

1. Add the Workspace One Intelligent Hub client (AirWatchAgent.apk) file to your batch configuration setup.
2. Add a Workspace ONE UEM credentials.bin file (from a Staging Package) to your configuration setup  (see Generate a Sideload Staging Package with the Configuration Wizard).
3. Add the following text to a file named enroll_script, and add it to the batch configuration setup:
   am start -a android.intent.action.MAIN -n com.airwatch.androidagent/com.airwatch.agent.ui.activity.SplashActivity -e hideui true --user 0
sleep 5
#pm grant com.airwatch.androidagent android.permission.READ_EXTERNAL_STORAGE
am broadcast -a com.airwatch.agent.action.IMPORT_CREDENTIAL_XML -e file /sdcard/credentials.bin --user 0
sleep 5
am broadcast -a com.airwatch.agent.action.AUTO_ENROLL --user 0
sleep 5
am broadcast -a com.airwatch.agent.action.AUTO_ENROLL --user 0
ls -la /data
ls -la /sdcard
rm -rf /sdcard/Download
rm -rf /data/sys_log

After you have created your batch configuration file, you can continue to enroll the headset.

To install and enroll your VIVE XR Elite or VIVE Focus 3 Headset into Workspace ONE UEM:

1. On a Windows/Mac device, unzip your Batch Configuration zip file (created using the Batch Configuration process above), then copy RichuImage.zip and key to the SD card.
2. Unbox and power on the HTC VIVE device.
3. When the device is powered on, connect to a Wi-Fi network, and follow the steps in the headset to get to the HTC main screen.
4. Ensure your system is updated to the latest firmware: version 3.0.999.456 or later.
5. Insert the SD card with the batch configuration package into the XR Elite or Focus 3 (behind the magnetic facial interface).
6. Initiate a Factory Reset by navigating to Settings > Advanced > Reset device > Reset.
7. Reboot and the device should complete batch configuration, displaying a success dialog in the VR environment.
8. The device automatically launches the Intelligent Hub client and conducts device enrollment using the credentials provided in the batch configuration.
9. From the Customer or Child OG within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Managing Device PIN Code

Note the following limitations:

• If you want the user to set a passcode, ensure the passcode policy is set prior to device enrollment.
• If a passcode policy is set after enrollment, the user will not be notified via Intelligent Hub client and the user will not be forced to set a device passcode.

Managing Kiosk Mode

Kiosk mode for the VIVE XR Elite and VIVE Focus 3 requires pushing an XML configuration file to the device and running an Intent to trigger it.

1. In the Workspace ONE UEM console, move to the organization group (OG) that manages your headsets.
2. Navigate to Devices > Provisioning > Components > Files/Actions.

1. Use the ADD FILES/ACTIONS button at the top of the page, and select Android.
2. Configure the General tab:

• Name: HTC Kiosk Mode XML
• Description: You can choose to add an optional description.
• Managed By: Leave this field prepopulated with the correct OG.

3. Configure the Files tab and select ADD FILES:

• Select Choose Files and upload a copy of the mns.xml file (see Kiosk mode XML file – mns.xml below).
• Select Save to save the file.
• Specify the download path as $internal$/VMware and select Save to save the configuration.

4. Configure the Manifest tab:

• Select ADD ACTION under the Installation Manifest section.
• In the Action(s) To Perform drop-down, select Run Intent.
• For Command Line and Arguments to run, enter:
  mode=explicit,broadcast=false,action=com.htc.vr.launcher.SCENE,package=com.htc.vrs.launcher,class=com.htc.vr.unity.WVRUnityVRActivity,extraString=LaunchScene=UpdateKioskMode
• Select Save to save the Files/Action.

3. Navigate to Devices > Provisioning > Product List View.

1. Select Add Product and select Android.
2. Configure the General tab:

• Name: HTC Kiosk Mode Config
• Description: You can choose to add an optional description.
• Managed By: Leave this field prepopulated with the correct OG.
• Smart Groups: Enter the Smart Group(s) that the product is applied to.

3. Configure the Manifest tab, select the +Add button, and configure the following:

• Actions(s) to Perform: Select the File/Action – Install option.
• Files/Actions: Select the File/Action created above, called "Download HTC Kiosk Mode XML.”

4. Select the Save button to save the product.
5. If ready to activate Kiosk Mode, select the Activate button to give the product an active status.

If you want to activate the product later, navigate to the Product List View page, locate the "HTC Kiosk Mode Config" product from the listing, select the grey indicator next to the red traffic light for the product. The grey indicator turns green, and the red indicator turns grey to indicate that the product is now active.

Kiosk mode XML file – mns.xml

<?xml version="1.0" encoding="UTF-8"?>

<customization_form>

  <category name="application">

    <module name="vive_kiosk_enabler">

      <function name="enable_kiosk_mode">

        <set name="single">

  <!--

       1:enable kiosk mode.

       0: disable kiosk mode

  -->

          <item name="enabled" type="bool">1</item>

        </set>

      </function>

      <function name="kiosk_mode_key">

        <set name="single">

  <!-- [TO DO] Enter a passcode to leave kiosk mode. Needs to be a four digit number. Empty means no passcode to leave Kiosk mode -->

          <item name="key" type="int">0000</item>

        </set>

      </function>

   <!-- allow Bluetooth connection or not -->

      <function name="allow_bt_connection">

        <set name="single">

          <item name="enabled" type="bool">1</item>

        </set>

      </function>

   <!-- allow headset screen casting not -->

      <function name="enable_screen_casting">

        <set name="single">

          <item name="enabled" type="bool">1</item>

        </set>

      </function>

   <!-- allow screen capture or not -->

      <function name="kiosk_screen_captured_enable">

        <set name="single">

          <item name="enabled" type="bool">1</item>

        </set>

      </function>

   <!-- allow USB file transfer or not -->

      <function name="allow_usb_transfer">

        <set name="single">

          <item name="enabled" type="bool">1</item>

        </set>

      </function>

   <!-- setup application in kiosk mode -->

      <function name="kiosk_mode_apps">

        <set name="plenty">

          <item name="app_name">XR Hub</item>

          <item name="app_package_name"> com.vmware.xr.xrhub.wavevr</item>

        </set>

      </function>

   <!-- kiosk mode type

        "1" for Single app

           "2" for Multiple app

      -->

      <function name="kiosk_mode_type">

        <set name="single">

          <item name="enabled" type="int">1</item>

        </set>

      </function>

   <!-- Network permission under kiosk mode

   "1" for Offline

   "2" for Pre-defined Wi-Fi

   "3" for Allow to any Wi-Fi

      -->

      <function name="allow_network_permission">

        <set name="single">

          <item name="mode" type="int">3</item>

        </set>

      </function>

   <!-- require sign in mandatory when entering kiosk mode -->

      <function name="enable_kiosk_mode_signin">

        <set name="single">

          <item name="enabled" type="bool">0</item>

        </set>

      </function>

   <!-- Interaction method

   "1" for hand only

   "2" for controller only

   "3" for controller & hand

      -->

      <function name="kiosk_InteractionMode">

        <set name="single">

          <item name="mode" type="int">3</item>

        </set>

      </function>

   <!-- play tutorial when re-start kiosk mode -->

      <function name="kiosk_auto_play_tutorial">

        <set name="single">

          <item name="mode" type="bool">0</item>

        </set>

      </function>

   <!-- play opening video when re-start kiosk mode -->

      <function name="kiosk_cinematic_playback">

        <set name="single">

          <item name="mode" type="bool">0</item>

        </set>

      </function>

   <!-- play wearing guide when re-start kiosk mode -->

      <function name="kiosk_auto_play_wearing_guide">

        <set name="single">

          <item name="mode" type="bool">0</item>

        </set>

      </function>

    </module>

  </category>

</customization_form>

Conclusion

You have now completed enrolling your HTC VIVE XR Elite or HTC VIVE Focus 3 Headset into Workspace ONE UEM. For enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

HTC VIVE Focus & Focus Plus Device Enrollment

This section describes how to conduct an HTC VIVE Focus / HTC VIVE Focus Plus headset enrollment into Workspace ONE UEM.

After completing the initial Workspace UEM setup, you are ready to enroll your HTC VIVE Focus and HTC VIVE Focus Plus headset devices. The following instructions should be followed to register a shared device with a Workspace ONE UEM environment.

Note: Workspace ONE UEM currently supports HTC VIVE Focus Plus headsets running firmware version of 4.14.623.1 or newer, as well as HTC VIVE Focus headsets running version 3.13.623.1 or newer.

Installing and Enrolling

To install and enroll your VIVE Focus and VIVE Focus Plus headset into Workspace ONE UEM:

1. Download the Workspace ONE Intelligent Hub client APK (AirWatch agent) and have it on your computer: https://getwsone.com/mobileenrollment/airwatchagent.apk
2. If you are not starting from a new device, do a factory reset of the HTC device by clicking Settings > More Settings > Personal | Reset > Factory Data Reset.
3. Once the device is powered on, connect to a Wi-Fi network, and follow the steps in the headset to get to the HTC main screen.
4. Critical: Launch the browser and verify that you can connect to your Workspace ONE URL. For example, https://ds135.awmdm.com (a successful connection means you will be re-directed, and you should see a Workspace ONE login screen). If you cannot connect to this site, you must switch to a Wi-Fi network that can connect before you continue.
5. Ensure your system is updated to the latest firmware by launching the System Update (in Settings) app and updating. Again, your VIVE Focus Plus must be running version 4.14.623.1 or newer, while your VIVE Focus must be running version 3.13.623.1 or newer.
6. Plug the headset into your setup machine (where you downloaded the agent) via the USB cable provided and begin an adb session.
7. Type adb devices and press Enter. This should result in showing your connected device authorized for access.
   If this shows no devices connected, enable developer mode by clicking Settings > More Settings > System | Developer Options > Turn On.
8. Install the APK you downloaded earlier onto the HTC using the adb install command. This should result in a success message.
9. Run the following adb command to set up the Intelligent Hub client (AirWatchAgent.apk) as the device owner:
   adb shell dpm set-device-owner com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver
10. Place the headset on, and continue registration from within the device as follows:
11. Launch the Intelligent Hub app that you installed earlier.
12. Enter the following in the next few screens to enroll the device:
    • Server: Device Services Server address (for example: ds135.awmdm.com)
    • Group ID: Organization Group ID
    • Enrollment User/Password: Enrollment User and password
    • Click through one privacy statement and wait until the device runs through enrollment and displays the enrolled user, email address, and some informational items.
13. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Conclusion

You have now completed enrolling your HTC VIVE VR Headset into Workspace ONE UEM. For information about enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Meta Quest for Business Enrollment (Tech Preview)

VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your Meta Quest devices with streamlined enrollment via Meta Quest for Business (Tech Preview).

After an easy Workspace ONE UEM enrollment flow via Quest for Business, you can directly manage Quest devices from the same console you use for your more traditional devices. This section describes how to set up Quest for Business with Workspace ONE and enroll a Quest device.

Setting up Meta Quest for Business to enroll Quest devices into Workspace ONE UEM

After verifying prerequisites and completing the initial Workspace UEM setup, you are now ready to set up Meta Quest for Business and enroll your Quest devices into Workspace ONE.

Quest for Business enables out-of-the-box enrollment to Workspace ONE for Quest devices. Sign up to Quest for Business via their website at Getting started with Meta Quest for Business beta.

After you have signed up to Quest for Business, access the Admin Center to configure Workspace ONE UEM as an MDM Integration:

1. Click the Configurations icon, and then click Add Configuration.
   1. Configuration Name - Workspace ONE
2. Click Make this the default configuration.
3. Click the Device Management dropdown and select Third Party.
   1. Component Name - com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver
   2. Package Download - https://getwsone.com/mobileenrollment/airwatchagent.apk
   3. Hash - 6kyqxDOjgS30jvQuzh4uvHPk-0bmAD-1QU7vtW7i_o8=
4. The Extras Bundle enables UEM administrators to add the following key value pairs:

• serverurl – the FQDN of the Workspace ONE UEM server
• gid – the Group ID for the organizational group devices should be enrolled into
• un – (optional) username to use for enrollment (usually used for single/multi-user staging)
• pw – (optional) password for the enrollment user
• EnableAllFileAccessPermission – True
  (required for pushing files to the device; prompts the user to accept the permission during enrollment)
• useUEMAuthentication - True
• aospEnrollment - True

5. Click Save to complete the Quest for Business setup.

Enrolling devices into Workspace ONE UEM

Turn on the Quest device:

1. Do NOT pair the device to a phone with the Meta Quest app.
2. During device setup, the user is prompted to pair the device OR Set up Quest for Business.
3. The user should click Set up Meta Quest for Business.
4. Follow the instructions to connect the device to the user’s Meta Work account.
5. Follow the onscreen steps to enroll into MDM and Workspace ONE UEM.
   1. Meta Quest device downloads the UEM agent, installs it, and starts the enrollment process.
   2. If not using a staging account and password, the user is required to enter their enrollment credentials for Workspace ONE UEM.
   3. Once hub enrollment is completed, the user is returned to the Quest device setup process.
      1. If not, the user may need to reboot the device to complete setup.

6. Follow the instructions to link the device to the user’s Meta account.
7. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see the device enrolled in the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Managing Kiosk Mode

Note the following limitation:

• Workspace ONE UEM LockTaskMode and Workspace ONE Launcher are not supported on Quest for Business devices.
• Quest devices do not offer an official kiosk mode feature
• Workspace ONE XR Hub offers a kiosk mode experience on Quest devices (Tech Preview). See Workspace ONE XR Hub documentation for more information.

Conclusion

You have now completed enrollment of your Meta Quest device into Workspace ONE UEM using Meta Quest for Business. For information about enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Meta Quest Standard Enrollment

VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your Meta Quest devices from the same console you use for your more traditional devices. This section describes how to conduct a Meta Quest standard device enrollment into Workspace ONE UEM.

After verifying prerequisites and completing the initial Workspace UEM setup, you must do one additional configuration in UEM before enrolling your Quest devices into Workspace ONE.

Configure All File Access

As of v51, Quest devices use Android 12, and therefore have additional security controls preventing access to certain filesystems. Before enrolling Quest devices into UEM, the All File Access permission must be granted to the Workspace ONE Intelligent Hub client.

1. Navigate to the Workspace ONE UEM Administration Console and select the Organizational Groups where you are enrolling devices.
2. Select Resources > Profiles & Baselines > Profiles.
3. Click Add.
4. Select Android.
5. Enter a name for the profile.
6. Select Custom Settings, and press Add.
7. Enter the following code in the text field:
   <characteristic type="com.airwatch.android.agent.settings" uuid="568bc89d-1df8-4ce9-a041-e5a24acdb7de">
   <parm name="EnableAllFileAccessPermission" value="True"/>
   </characteristic>
8. Click Next.
9. Assign the profile to your Quest devices.

Initial Device Setup

Before enrolling the device into Workspace ONE UEM, the Quest device must be connected to the Meta Quest mobile app.

To connect the Quest device to the Meta Quest mobile app:

• Ideally, the device should not have been previously set up. If it was, factory reset the device using the Meta Quest mobile app.
• Set up a required Facebook, Meta, or Oculus Test account (https://developer.oculus.com/resources/test-users/) before using the device, apps, or the app store. A Meta account is recommended.
• Your user must be registered as a developer to enroll devices using ConQuest. You can register as a developer by joining an existing organization or creating a new one.

To join an existing organization:

1. Request access from the admin to the existing organization.
2. You will receive an email invite. Accept the invite to become a member of the organization.

To create a new organization:

1. Go to https://developer.oculus.com/manage/organizations/create/ and fill in the appropriate information.
2. Download and install the Meta Quest mobile app to your iOS or Android device.
3. Log in with your Facebook, Meta, or Oculus Test Account credentials.

Installation and Enrollment

To set up your device for Workspace ONE UEM enrollment:

1. Download Workspace ONE ConQuest App from https://flings.vmware.com/workspace-one-conquest.
2. Select ConQuestApp.zip from the dropdown menu for downloading.
3. Extract and run the ConQuestApp.exe.
4. Configure the ConQuest app to use the credentials, credentials.xml, credentials.bin, or staging package zip.
5. Choose whether or not you want ConQuest to run after a device is connected to USB (Autostart USB).
6. Connect the Quest device to the PC using a USB Cable (you might need to use a phone USB-C cable).
7. Power on your device and press the Oculus button on both controllers to wake them.
8. Follow instructions in the Meta Quest mobile app to pair your headset with the Mobile app.
9. In the Mobile App, select Menu > Devices, and select your headset from the dropdown menu.
10. Configure a Wi-Fi connection using the Meta Quest mobile app.
11. Under Headset Settings, select Developer Mode and toggle it on.
12. Put on the headset and select Allow Connections to PC (in the Oculus headset).
    Note: Make sure to authorize USB debugging in the headset when prompted (you may be asked to do this several times).
13. Monitor the progress in the connected headset.
    Note: Wearing the headset keeps it from timing out and interrupting the enrollment process.
    1. ConQuest should quickly go through a process to configure the headset, launch the Intelligent Hub client, and auto-enroll the device using the credentials supplied.
    2. You may be asked to remove accounts. If so, click Remove Accounts and remove any existing accounts listed. If the process is stuck at this step, cancel and rerun ConQuest.
14. During enrollment, Hub should prompt the user to click Settings and enable All File Access. This is critical if you wish to push files to the device.
15. When the privacy statement appears, click the agreement, and wait as the device setup completes.
16. When the Workspace ONE ConQuest is complete, open the Workspace ONE UEM Console, and from the Customer or Child OG, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Managing Kiosk Mode

Note the following limitation:

• Quest devices do not offer an official kiosk mode feature.
• Quest 2 consumer devices do not support LockTaskMode and Workspace ONE Launcher.
• Workspace ONE XR Hub can provide a kiosk mode experience (Tech Preview). See Workspace ONE XR Hub documentation for more information.

Managing the In-Headset Experience

Workspace ONE UEM can control what users have access to when using the device. This may be necessary to prevent users from accessing consumer-focused or inappropriate content and apps. For example, you can:

• Restrict access to the Meta Store
• Restrict access to the Explore application
• Restrict access to Meta Events
• Stop users from adding user accounts
• Use Workspace ONE XR Hub as a kiosk mode experience (Tech Preview). See Workspace ONE XR Hub documentation for more information.

Restricting Access to Apps

Use the following process to restrict user access to certain applications:

1. In the Workspace ONE UEM Console, select the appropriate organizational group for your Quest devices.
2. Select Groups & Settings from the left side navigation menu.
3. Select Groups > App Groups from the middle navigation menu.
4. Select Add Group, select the Type dropdown, and select Denylist.
5. Select the Platform dropdown, and select Android.
6. Select the Name field, and type in a suitable name for your group.
7. Click Add Application, and enter the name of the application you wish to block.
8. Enter the application ID (for example: com.oculus.store).
    
9. Click Add Application to add other applications (such as com.oculus.explore, com.oculus.browser, and so on), and then click Next.
10. Click the Organizational Group to assign the deny list to, and then click Finish.

Preventing the Addition of More Users

Use the following process to stop users from adding additional users to the device:

1. Access the Workspace ONE UEM Console, and select the appropriate organizational group for your Quest devices.
2. Select Resources from the left side navigation menu.
3. Select Profiles & Baselines from the middle navigation menu.
4. Select Profiles.
5. Click Add, and then select Android.
6. Add a Name to your profile.
7. Find the Application Control payload from the list, and click Add.
8. Enable Disable Access to Denied Apps.
9. Find the Restrictions payload from the list, and click Add.
10. Disable Allow adding Goggle Accounts.
11. Disable Allow adding/deleting accounts, and then click Next.
12. Select the smart group to assign the profile to, and then click Save & Publish.

Conclusion

You have now completed enrollment of your Meta Quest device into Workspace ONE UEM. For information about enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

PICO Enrollment

VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your PICO headset devices from the same console you use for your more traditional devices, after an easy onboarding process. This section describes how to conduct a PICO Headset enrollment into Workspace ONE UEM.

After completing the initial Workspace UEM setup, you are now ready to enroll your PICO Headset devices.

There are two options for installation and enrollment of PICO devices:

• Pre-installed or USB key-based QR Code and user enrollment during device setup (PICO Neo 3 / 4E only)
• Manual / scripted enrollment by IT (requires connecting device to a PC or laptop with ADB)

Installing and Enrolling – QR Code (PICO Neo 3 / 4 only)

PICO devices support a QR Code-based enrollment during device setup. This requires that a QR Code generated by Workspace ONE UEM be converted to a PNG format file, and either placed on the root of the device or on the root of a USB key plugged into the device during boot.

For ordering at volume from PICO, you can request that a QR Code be placed on the root of the device. Contact PICO for more information. Alternatively, a QR Code can be placed on the root of a FAT32 formatted USB-C key to be inserted into the device at boot.

To generate a QR Code, follow the instructions in Enroll Work Managed Device Using a QR Code.

Note: We recommend the URL for AndroidAgent.APK is set to https://getwsone.com/mobileenrollment/airwatchagent.apk

Download the QR Code PDF file, open the file, and screenshot or image capture the QR Code. Save the QR Code image as QRCode.PNG.

Send your QRCode.PNG file to PICO or save it to the root of a FAT32 formatted USB-C key.

For users or administrators who power on the device for the first time:

1. Take the device out of the box, and make sure that the device and the controllers are charged.
2. If necessary, plug in the USB-C Key with the QR Code into the headset.
3. Power on the PICO device.
4. Follow the in-headset instructions to complete the initial setup of the device.
5. If you have specified Wi-Fi configuration in the QR Code, the user can skip Wi-Fi configuration.
6. The user will be prompted to select Quick Setup, as in the following screenshot:
    
7. Wait as this launches a process that configures Wi-Fi (if specified in the QR Code), then download and install the Workspace ONE UEM agent and enroll the device.
   Note: Do not press any buttons on the controller at this point, only follow the onscreen instructions.
8. If you did not provide credentials in the QR Code, the user will be prompted to enter the enrollment username and password.
9. When the device is enrolled, the user is asked to accept the privacy statement for the Workspace ONE UEM agent.
10. Once enrolled, the device downloads the appropriate profiles, applications, and content from Workspace ONE UEM.
    Note: If you see a blank white screen with the UEM logo, Hub is waiting to download applications. Wait until this screen disappears (apps have been downloaded). You may need to force install applications using the UEM console if the device is stuck with Hub showing a white screen.
11. You should be now presented with the Hub application showing that the device is enrolled.
12. Reboot the device and continue the PICO setup.
    Note: Do not select enterprise setup.
13. Within the Workspace ONE UEM Console, from the Customer or Child OG, navigate to Devices > List View. You should see the device enrolled into the Workspace ONE UEM Console. You should be able to manage these devices using Android Enterprise-based profiles.

Installing and Enrolling – Manual

To register a shared device with a Workspace ONE UEM environment, start with the installation and enrollment process.

1. Download the Workspace ONE Intelligent Hub client APK (AirWatch agent) and have it on your computer: https://getwsone.com/mobileenrollment/airwatchagent.apk
2. If you are not starting with a new device, do a factory reset of the PICO headset through the settings menu on the device.
3. After the device is powered on, connect to a Wi-Fi network, and follow the steps in the headset to get to the PICO main screen.
4. Critical: Launch the browser and verify that you can connect to your Workspace ONE URL. For example, https://ds135.awmdm.com (a successful connection means you will be re-directed, and you should see a Workspace ONE login screen). If you cannot connect to this site, you must switch to a Wi-Fi network that can before you continue.
5. Make sure that your system is updated to the latest firmware by launching the System Update (in Settings) app and updating.
6. Plug the headset into your setup machine (where you downloaded the agent) by using the USB cable provided and begin an ADB session.
7. Type adb devices and press Enter. This should result in showing your connected device authorized for access.
8. If this shows no devices connected, enable developer mode by clicking Settings > More Settings > System > Developer Options > Turn On.
9. Install the APK you downloaded earlier onto the PICO using the adb install command. This should result in a success message.
10. Run the following adb command to set up the AirWatch agent as the device owner:
    adb shell dpm set-device-owner com.airwatch.androidagent/com.airwatch.agent.DeviceAdministratorReceiver
11. Place the headset on, and continue registration from within the device, starting with launching the Hub app that you installed above.
12. Enter the following in the next few screens to enroll the device:
    • Server: Device Services Server address (for example: ds135.awmdm.com)
    • Group ID: Organization Group ID
    • Enrollment User/Password: Enrollment User and password
13. Click through one privacy statement and wait until the device runs through enrollment and displays the enrolled user, email address, and some informational items.
14. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise based profiles.

Setting Up Certificate Management

If you need to install private certificates (certs with a password), setting a device pin is required to enable the Android keystore. To support a device pin, you need to ensure your devices are running the following firmware: G2 4K (PUI 3.11.3) and Neo 2 (PUI 3.13.1). Contact your PICO representatives to request this firmware.

Passcode policy does not work in the latest versions of PICO UI (PUI). Contact PICO to access a custom ROM to address this issue.

Managing Device PIN Code

Note the following limitations:

• Setting a passcode on PICO Neo 2, 3, and 4E devices is not supported. PICO Neo 2 and 3 no longer correctly render the PIN setting UI. Contact PICO for a custom ROM to address this issue
• Setting a passcode on PICO Neo 3 and 4E causes Workspace ONE UEM to prevent users from using the device. Do not set Passcode policy on the PICO Neo 3. Setting a PIN Code on the PICO Neo 3 is not supported. Contact PICO for a custom ROM to address this issue.

Managing Kiosk Mode

Note the following limitations:

• We recommend using the PICO method for setting kiosk mode. For more information, see PicoVR Kiosk Mode.
• Workspace ONE LockTaskMode and Workspace ONE Launcher are not supported on PICO devices.

Setting Up Controller Binding (G2 4K)

If you are using the device in kiosk mode, you should bind the controller to the HMD. For more information, see Operation Guide.

Conclusion

You have now completed enrollment of your PICO Headset into Workspace ONE UEM. For information about enrolling other XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Magic Leap 2 Enrollment & Management

This section describes how to enroll Magic Leap 2 device into Workspace ONE UEM. VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your Magic Leap 2 device from a single console, after an easy onboarding process.

After completing the initial Workspace UEM setup, you are now ready to enroll your Magic Leap 2.

Creating an Enrollment QR Code

The QR code enrollment method sets up and configures Magic Leap 2 through simply scanning a QR code. The QR code contains a payload of JSON values with all the information needed for the device to connect to a Wi-Fi network, download the WS1 Intelligent Hub and be enrolled all with one quick scan. Although this can also be set up manually with a third party QR Code generator and a manual JSON payload, Workspace ONE UEM provides an easy wizard for creating a QR Code that can be used to enroll Magic Leap 2 devices.

1. From the Customer Level OG, navigate to Devices > Lifecycle > Staging > List View > Configure Enrollment.
2. In the Enrollment Configuration Wizard window, select the Android panel.
3. Select the QR Code panel and click the Configure button.
    
4. Select the Wi-Fi Security Level of the encrypted Wi-Fi Network to be used for automatic configuration, when scanning the QR Code. This could be a temporary Wi-Fi Network used for Staging only. (This does not support EAP-TLS Cert based Wi-Fi Networks.) Once the device is enrolled, a Production Wi-Fi Profile can be pushed to the device from the Workspace ONE UEM Console.
    
5. Complete the form by providing the SSID and Password, and click Next.
6. Select the download location for the Workspace ONE Intelligent Hub, and click Next. Use the default value unless you intend to host the server from which the Workspace ONE Intelligent Hub can be downloaded.
    
7. Configure the Organization Group (OG). This determines the OG to which the device will be enrolled. Select the Enabled button, then select the OG from the dropdown box.
8. Configure the Login Credentials. This is the Basic User that you created earlier. Select the Enabled button, then click in the Username field, and choose the user from the dropdown list. Next, provide the correct associated password for that user.
9. Keep the System Apps Enabled, and Force AOSP/Closed Network Enrollment Disabled. Click Next.
    
10. To save a .PDF document to your hard drive, select the Download File option. To scan the Enrollment QR Code directly from your PC Screen, select the View PDF option.
11. Alternatively, when adding users to Workspace ONE UEM, a message can be sent via email that includes their enrollment QR Code. See Device and User Message Templates Settings for more information.

Finishing Magic Leap 2 QR Code Enrollment

After creating an enrollment QR Code, the final step is to complete the enrollment process on the Magic Leap 2 device.

1. Power on the ML2 device, and go through the OOBE Steps using device:
   • Pair the controller.
     
     Note: It might be necessary to plug the controller into the Magic Leap 2 device using the USB-C cable.
   • Select the language.
   • Complete or skip the prescription insert instructions.
   • Accept the EULA.
   • Choose Enrollment to enroll your device into Workspace ONE UEM.
2. Select Start Scan with the Magic Leap 2 controller to scan the QR Code:
    
3. Position the Magic Leap 2 device so that the QR Code is inside the target rectangle. Note that it might take a few seconds to scan the QR Code.
   • If you have issues scanning the QR Code:
   1. Zoom in on the QR code in the PDF document so that it is at least 8” x 8” in size when viewed on the screen or a PC monitor.
   2. Maximize the window on the monitor. QR Code image should be at least 8” x  8” in size.
   3. View it at a large magnification (such as full screen) on a large monitor that has a 3 : 4 aspect ratio. (Higher aspect ratios will negate the largeness of the monitor.)
   4. The monitor needs to have a matte or anti-reflective finish (or be situated with special background lighting).
   5. The ambient lighting for the area around the monitor should be bright to avoid head-pose loss as the QR code detection is currently head pose sensitive.
   6. The monitor settings might need to be tweaked for contrast, brightness, and sharpness (a midway setting for each of them is recommended).
   7. Some amount of movement (for position and viewing angle) of the headset (or the monitor) might be required to help with the capture.
   8. Scan the QR Code with a Viewing distance between 12” to 36”.
4. If scanned successfully, you will be presented with the following:
    
5. Click Accept & Continue using the Magic Leap 2 controller, and then click Next.
    
6. Device enrollment begins with:
    
7. Shortly, the device becomes enrolled, and the Workspace ONE Intelligent Hub app shows the current user.
8. Press the Home button on the Magic Leap 2 controller to get back to the Magic Leap home application.
9. From the Customer or Child OG in the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Updating Firmware with Over the Air (OTA) Updates

Workspace ONE UEM can push firmware updates to the Magic Leap 2 device.

Note: OTA updates require VMware Workspace ONE UEM version 2206 or later.

To perform an OS upgrade:

1. Download the latest Magic Leap 2 OS OTA Update file (available as and when Magic Leap publish OTA updates).
2. In Workspace ONE UEM, create a Provisioning > Component > File/Action.
   • Upload the Magic Leap 2 OS OTA ZIP file.
     • Use the path $osupdate$/
   • Add an OS Upgrade action to the Manifest.
     • Select the uploaded ZIP file for the OS File.
3. In Workspace ONE UEM, go to Provisioning > Product List View.
   • Select Add a Product, and then select Android.
   • Add details to the product and select a smart group to assign the OS update to.
   • Add a File/Action – Install action to the Manifest.
     • Select the OS Upgrade File/Action component you created.
   • Add any conditions or deployment schedule to the product.
   • Click Activate to start the OS upgrade process.

For more information on OS updates for Work Managed devices, see Android OS Update for Work Managed Device.

Accessing Device Logs

Workspace ONE UEM can collect logs using two primary mechanisms:

1. Request Device Log from Workspace ONE UEM Console.
   1. To collect Hub, System, or Security logs, see Request Device Log.
      
      Note: For device system logs, users will need to access Intelligent Hub on the Magic Leap 2 devices. Use the controller to click the top bar of the application and click Share on the Bug Report notification.

2. Pull device logs using Workspace ONE Assist:
   1. To collect system logs using remote ADB commands, see Command-Line Interface, Android.

Managing Applications

Applications can be silently installed remotely to the Magic Leap 2 device using Workspace ONE UEM. In summary:

• Application APKs and supporting files must be either uploaded to Workspace ONE UEM or placed on a web/file server that is accessible by the device.
• Applications and any supporting files are installed by Workspace ONE UEM to all assigned devices.

For more information on managing applications, see Deploying Internal Application on Android Devices.

Magic Leap Resources

For more information on the Magic Leap 2 devices, the following articles from Magic Leap can be useful:

• ML2 User Guide
• Update OS using The Magic Leap Hub
• Generate bug report using ADB
• Hard reboot/reset
• Factory reset

 You can also contact Magic Leap support at care@magicleap.com.

Conclusion

You have now completed enrolling your Magic Leap 2 device into Workspace ONE UEM. For information about how to enroll other types of XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

RealWear Enrollment

This section describes how to conduct a RealWear HMT-1 (Non-Intrinsically Safe), HMT-1Z1 (Intrinsically Safe), and RealWear Navigator device enrollment in Workspace ONE UEM. RealWear devices are designed for hands-free use in hazardous environments. VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your RealWear devices from a single console, with an easy onboarding process.

After completing the initial Workspace UEM setup, you are ready to enroll your RealWear HMT-1 (Non-Intrinsically Safe), HMT-1Z1 (Intrinsically Safe), or RealWear Navigator devices.

Creating an Enrollment QR Code

The first step in the device enrollment process is to create Enrollment QR codes.

1. From the Customer Level OG, navigate to Devices > Lifecycle > Staging > List View > Configure Enrollment.
2. In the Enrollment Configuration Wizard window, select the Android panel.
3. Select the QR Code panel and click the Configure button.
    
4. Select the Wi-Fi Security Level of the encrypted Wi-Fi Network to be used for automatic configuration, when scanning the QR Code. This could be a temporary Wi-Fi Network used for Staging only. (This does not support EAP-TLS Cert based Wi-Fi Networks). Once the device is enrolled, a Production Wi-Fi Profile can be pushed to the device from the Workspace ONE UEM Console.
    
5. Complete the form by providing the SSID and Password, and click Next.
6. Select the download location for the Workspace ONE Intelligent Hub, and click Next. Use the default value unless you intend to host the server from which the Workspace ONE Intelligent Hub can be downloaded.
    
7. Configure the Organization Group (OG). This will determine the OG to which the device will be enrolled. Select the Enabled button, then select the OG from the dropdown box.
8. Configure the Login Credentials. This is the Basic User that you created earlier (this only supports basic users). Select the Enabled button, then click in the Username field, and choose the user from the dropdown list. Next, provide the correct, associated password for that user.
9. Keep the System Apps Enabled, and Force AOSP/Closed Network Enrollment Disabled. Click Next.
    
10. To save a .PDF document to your hard drive, select the Download File option. To scan the Enrollment QR Code directly from your PC Screen, select the View PDF option.

Checking Firmware Version

After creating an enrollment QR Code, the next step in the device enrollment process is to conduct a firmware version check.

Note: The RealWear HMT-1 needs to be running the latest version of firmware that supports Android Enterprise (AOSP) enrollment. The minimum version is Android 8.1 (Build Number greater than v11).

1. Power on your RealWear HMT-1 device (for device operations, see the instruction manual provided by RealWear).
2. Check the display to make sure that the battery level is greater than 30%, as a Software update cannot be performed if the battery is not at 30% or higher.
3. Speak the Show Help command to show the list of available commands on the screen.
    
4. Speak the My Programs command.
5. Speak the About Device command to determine the version of firmware running on the device.
    
6. If the version of firmware is lower than the one shown here, you will need to upgrade the firmware to complete the QR Code enrollment process. Skip the Firmware Update Section below, if your firmware is already updated to this version or higher.

Updating Firmware

After conducting a firmware version check, the next step in the device enrollment process is to conduct a firmware update.

Note: The RealWear HMT-1 needs to be running the latest version of firmware that supports Android Enterprise (AOSP) enrollment. The minimum version is Android 8.1 (Build Number greater than v11). If the version of your firmware is lower, upgrade the firmware before proceeding. If your firmware is already updated to this version or higher, skip this Firmware Update section, and proceed to Finish Enrollment.

1. Power on your RealWear HMT-1 device. For device operations, see the instruction manual provided by RealWear.
2. Check the display to make sure that the battery level is greater than 30%, as a Software update cannot be performed if the battery is not at 30% or higher.
3. Speak the Navigate Home command to return to the home screen.
4. Speak the My Programs command to view the My Programs screen.
5. Speak the Configuration command to scan a QR Bar Code that will establish Wi-Fi Settings for the device to download the latest version of firmware.
6. On your PC or MAC, navigate to https://realwear.setupmyhmt.com, and click the Configuration button.
    
7. Click the First Time Setup button.
    
8. Select your preferred language, then select NEXT.
    
9.  Set your time and date, then select NEXT.
    
10. Provide your preferred Wi-Fi Settings for the device and select NEXT.
     
11.  Scan the QR Code with the HMT-1 Camera to configure your device.
     
12. The Wi-Fi should be configured at this point. Speak the Wireless Update command. If available, follow the commands on the screen to complete the Wireless Update.

Finishing the RealWear HMT-1 QR Code Enrollment

After updating firmware, the final step is to complete the RealWear HMT-1/Workspace ONE enrollment.

Note: The RealWear HMT-1 needs to be running the latest version of firmware that supports Android Enterprise (AOSP) enrollment. The minimum version is Android 8.1 (Build Number greater than v11).

1. After a firmware update, the HMT-1 should have performed a factory reset. Within a few minutes, this will automatically present the Configuration screen through the HMT-1 viewer, allowing for a QR Code scan.
2. Aim your HMT-1 Camera at the QR Code that you created in the Enrollment QR Code Creation section.
    
3. The camera will automatically capture the QR Code, and the enrollment process will begin. The Downloading Status screen will appear as the WS1 Hub is downloaded from the cloud, followed by an Installing… notification.
4. When the Accept & Continue Screen appears, speak the command Accept & Continue. Enrollment will begin.
5. Wait until the device becomes enrolled, and the Workspace ONE Intelligent Hub app shows the current user. Speak the command Navigate Home. The Hub Icon should be present in your My Programs screen.
    
6. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android Enterprise-based profiles.

Conclusion

You have now completed a RealWear HMT-1 or HMT 1Z1 enrollment into Workspace ONE UEM. For information about how to enroll other types of XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Vuzix M400 & M4000 Enrollment

This section describes how to enroll Vuzix M400 or M4000 smart glasses into Workspace ONE UEM. VMware Workspace ONE Unified Endpoint Management (UEM) platform enables you to securely manage your Vuzix smart glasses from a single console, after an easy onboarding process.

After completing the initial Workspace UEM setup, you are now ready to enroll your Vuzix smart glasses.

Creating an Enrollment QR Code

The QR code enrollment method sets up and configures Vuzix glasses through simply scanning a QR code. The QR code contains a payload of JSON values with all the information needed for the device to connect to a Wi-Fi network, download the Workspace ONE Intelligent Hub, and be enrolled all with one quick scan. Although this can also be set up manually with a third party QR Code generator and a manual JSON payload, Workspace ONE UEM provides an easy wizard for creating a QR Code that can be used to enroll Google Glasses.

1. From the Customer Level OG, navigate to Devices > Lifecycle > Staging > List View > Configure Enrollment.
2. In the Enrollment Configuration Wizard window, select the Android panel.
3. Select the QR Code panel and click the Configure button.
    
4. Select the Wi-Fi Security Level of the encrypted Wi-Fi Network to be used for automatic configuration, when scanning the QR Code. This could be a temporary Wi-Fi Network used for Staging only. (This does not support EAP-TLS Cert based Wi-Fi Networks.) After the device is enrolled, a Production Wi-Fi Profile can be pushed to the device from the Workspace ONE UEM Console.
    
5. Complete the form by providing the SSID and Password, and click Next.
6. Select the download location for the Workspace ONE Intelligent Hub, and click Next. Use the default value unless you intend to host the server from which the Workspace ONE Intelligent Hub can be downloaded.
    
7. Configure the Organization Group (OG). This determines the OG to which the device will be enrolled. Select the Enabled button, then select the OG from the dropdown box.
8. Configure the Login Credentials. This is the Basic User that you created earlier. Select the Enabled button, then click in the Username field, and choose the user from the dropdown list. Next, provide the correct, associated password for that user.
9. Keep the System Apps Enabled, and Force AOSP/Closed Network Enrollment Disabled. Click Next.
    
10. To save a .PDF document to your hard drive, select the Download File option. To scan the QR Code directly from your PC Screen, select the View PDF option.

Finishing Vuzix QR Code Enrollment

After creating an enrollment QR code, the final step is to complete the enrollment process on the smart glasses. Out of the box, the Vuzix glasses can follow the procedure below.

Note: If the device has been configured previously, it will require a factory reset to take advantage of this provisioning method (Settings > System > Reset options > Erase all data).

1. On the screen below, press and hold the front-most button on the glasses for 3 to 4 seconds until the Provisioning App launches.
    
2. This immediately launches the camera. Aim the Vuzix camera at the QR Code that you created in the Enrollment QR Code Creation section.
    
3. The camera automatically captures the QR Code, and the enrollment process begins. The Downloading Status screen appears as the Workspace ONE Intelligent Hub is downloaded from the cloud, followed by an Installing… notification.
4. If the Accept & Continue Screen appears, press the rear-most button to continue.
5. Just before the process finishes, you will be presented with the Vuzix End User License Agreement, which you need to read and accept. You can accept and continue the process by again pushing the rear-most button on the glasses.
    
6. Wait until the device becomes enrolled, and the Workspace ONE Intelligent Hub app shows the current user.
7. From the Customer or Child OG, within the Workspace ONE UEM Console, navigate to Devices > List View. You should see your device enrolled into the Workspace ONE UEM Console. You should now be able to manage these devices using Android (Enterprise) based profiles.

Conclusion

You have now completed enrolling your Vuzix smart glasses into Workspace ONE UEM. For information about how to enroll other types of XR devices with Workspace ONE UEM, select from the other sections of this guide on the navigation bar to the left.

Registering Android EMM with Google Play Account

NOTE: Follow this procedure only if Android EMM has not already been registered for the UEM tenant.

The initial step in the managing Android-based process is to register Android EMM with a Google Play account. This is required to enable Android-based device management within UEM. Even though Google Play Store or Google Message Services is not used by Android Open Source Project (AOSP) device, to manage Android devices in Workspace ONE UEM, this must be enabled.

1. Log in to your Workspace ONE UEM Console using your Administrator Account. Note that certain functions might require advanced roles, such as account creation. Check with your Workspace ONE UEM Console Administrator for proper role assignments.
2. From the Customer Level Organization Group (OG), navigate to Getting Started > Workspace ONE > Android EMM Registration.
   
   
   Note: If you prefer not to use the wizard for Android EMM Registration, or if the wizard is not available in your environment, you can navigate to Groups & Settings > All Settings > Devices & Users > Android > Android EMM Registration.
3. Make sure that you are signed into Google with your preferred (corporate account specific to your environment) Google account credentials, and select Configure.
4. In the Android EMM Registration window, click Register with Google. If you are already signed in with your Google credentials, you are redirected back to the Workspace ONE console.
    
5. On the Bring Android to Work window, select Sign In, if you are not already signed in, enter your Google credentials, and then select Get Started.
    
6. Enter your Organization Name. The Enterprise Mobility Manager (EMM) provider field populates automatically as VMware Workspace ONE UEM.
7. Select Next. The Data Protection Officer and EU Representative information is optional. Make sure to confirm that you have read and agreed to the Managed Google Play agreement.
8. Select Confirm > Complete Registration.
9. When you are redirected to the Workspace ONE Console, verify that your Google Service Account credentials are automatically populated, and select Save > Test Connection to verify that the service account is set up and connected successfully.
10. Your Android EMM Registration status should show as Complete.

Summary and Additional Resources

Immersive technologies are becoming ever more popular and interest is growing rapidly – particularly in augmented reality (AR), mixed reality (MR), and virtual reality (VR) headsets, sometimes called head-mounted displays (HMDs). To address this growing market and its resulting challenges, VMware has partnered with leading vendors to deliver scalable management and app delivery for Android and Windows 10-based devices. This guide walks you through the steps toward Workspace ONE UEM enrollment for HTC VIVE, Magic Leap, Meta Quest, PICO, RealWear, and Vuzix devices.

Additional Resources

For more information about delivering and managing XR devices through VMware Workspace ONE UEM, explore the following resources:

• Workspace ONE UEM – XR Device Interoperability Matrix
• XR Devices and UEM (Cloud)
• XR Devices and UEM (Installed)
• Workspace ONE XR Hub
• XR Hub Documentation
• VMware Workspace ONE XR Hub Release Notes
• Workspace ONE XR Hub
• Workspace ONE UEM for Enterprise Wearables Datasheet
• Workspace ONE UEM Documentation
• Workspace IoT Endpoint Management

Changelog

The following updates were made to this guide.

Date	Description of Changes
2023/05/17	Updated device types and enrollment instructions: Updated title (due to the evolution of the naming and XR as an overall category of devices) Removed Oculus and Google Glass sections (devices are End of Life by their manufacturer, and Oculus has change to Meta Quest as a brand) Added Meta Quest Business Enrollment (Tech Preview) section Added Registering Android EMM with Google Play Account section
2023/03/20	Updated enrollment processes and instructions
2023/02/22	Added Meta Quest for Business (Beta) information
2022/09/30	Added new section about enrolling and managing Magic Leap 2 devices with Workspace ONE UEM, and updated the guide throughout
2022/06/28	Updated enrollment processes for Meta Quest 2 and HTC VIVE Focus 3, which now supports QR Code enrollment
2022/06/16	Added new section about controlling in-headset experience with Meta Quest 2 (Consumer) and updated throughout
2022/05/24	Updated PICO enrollment options and new QR Code option
2022/03/22	Added HTC VIVE Focus 3, Meta Quest 2 Consumer, Oculus for Business, and PICO Neo 3 device enrollment procedures
2021/01/20	Added Vuzix M400 & M4000 enrollment procedures
2020/11/19	Added HTC VIVE Focus & Focus Plus Headset enrollment procedures
2020/10/01	Initial publication of RealWear, PICO, and Goggle Glass enrollment procedures

Authors and Contributors

The following authors, contributors, and subject-matter-expert reviewers collaborated to create this guide.

Authors

• Drew Evangelista, Senior Product Line Manager, End-User-Computing Product Management, VMware
• Matt Coppinger, Director, End-User-Computing Product Management, VMware

Contributors

• David Dwyer, Sr. Solution Engineer, End-User-Computing Technical Marketing, VMware
• Jon Duncan, Group Product Line Manager, UEM IoT, Mobile PM, EMM VMware
• Christina Minihan, Senior Staff End-User-Computing (EUC) Architect, End-User-Computing Technical Marketing, VMware

Feedback

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.