You can configure how public and internal applications are deployed based on the device management status. Any device can access applications that are configured as open access. Only devices that are granted permission, either by being enabled through the Workspace Services or through Agent Enrollment, can access applications that are configured for managed access.

The table outlines capabilities for both managed and unmanaged scenarios.

Access Type: Open Access (unmanaged)

Features:

  • Self-service app catalog for Web, Horizon, and Citrix resources
  • Launch web/virtual with single sign-on (SSO)
  • Touch ID / PIN application protection
  • Device jailbreak detection
  • Support for VMware Identity Manager conditional access, including authentication policies and blocking devices.
  • Native application access.
  • Internal App and SDK app distribution.

Description:

Users access resources on their device without granting admins permission to access their device.

The applications with open access are available to devices no matter their managed status. Admins cannot systematically remove native applications when they are set to Open Access.

Suggested Uses:

  • Provide application access to end-users immediately upon login, without elevated security permissions.
  • Recommend the use of an application without requiring that the application be installed. Users can install the application on their device when they want.
  • Applications do not contain sensitive corporate data and do not access protected corporate resources.
  • To distribute applications to auxiliary personnel without the AirWatch MDM profile.

Access Type: Managed Access

Features:

  • Self-service app catalog for Web, Horizon, and Citrix resources
  • Launch web/virtual with single sign-on (SSO)
  • Touch ID / PIN application protection
  • Device jailbreak detection
  • Support for VMware Identity Manager conditional access, including authentication policies and blocking devices.
  • Managed and direct installation of Native Apps
  • Internal App and SDK app management.
  • Support for app configuration
  • Per-app VPN
  • One Touch SSO for SAML enabled native apps
  • Device profiles
  • AirWatch compliance engine

Description:

Users install a management profile on their device to grant admins permission to access their device.

Applications with managed access are available to devices that AirWatch manages.

If AirWatch does not manage the device, Workspace ONE prompts the user on the device to enroll with AirWatch. If the device is enrolled, the user can use the device to access the application through Workspace ONE.

Suggested Uses:

  • To remove sensitive corporate data from devices when users leave the organization or lose their device.
  • Require app tunneling to authenticate and securely communicate with internal back-end resources when applications access the intranet.
  • Enable single sign-on for applications.
  • Track user adoption and installation status for applications.
  • Deploy the application automatically upon enrollment.

For information on where to configure managed access options for internal applications or how to add public applications for deployment through Workspace ONE, see the AirWatch Mobile Application Management Guide.

Supported Platforms for Open and Managed Access

Configure the access type for internal and public applications based on the platform.

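| Application Type      | Platform           | Managed Access | Open Access |
|-----------------------|--------------------|----------------|-------------|
| INTERNAL APPLICATIONS | Android            | X              | X           |
| INTERNAL APPLICATIONS | iOS                | X              | X           |
| INTERNAL APPLICATIONS | Windows 10 Desktop | X              | -           |
| INTERNAL APPLICATIONS | Windows 10 Phone   | X              | -           |
| PUBLIC APPLICATIONS   | Android            | X              | X           |
| PUBLIC APPLICATIONS   | iOS                | X              | X           |
| PUBLIC APPLICATIONS   | Windows 10 Desktop | -              | X           |
| PUBLIC APPLICATIONS   | Windows 10 Phone   | -              | X           |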