You can connect to devices remotely using two distinct modes of the Workspace ONE Assist agent: Attended Mode and Unattended Mode. Given the enterprise use cases, ownership models, and privacy requirements, understanding the difference between these modes is the foundation of a best practice.

IT and Help Desk staff can use Workspace ONE Assist to support devices in myriad enterprise use cases. These cases include Knowledge Worker employees (Corporate-Owned Personally Enabled (COPE) or Bring Your Own Device (BYOD)), used for business-critical tasks (for example, inventory scanning, logistics) by shift working employees. Contractors with rugged devices and devices used by customers in kiosks are among other use cases.

It is important that Workspace ONE UEM be configured to deploy the correct Workspace ONE Assist client to each device based on these use cases and the privacy requirements and expectations for each device.

Attended Mode

Attended Mode is intended for devices where the Remote User can contain personal or sensitive information and the Remote User can have an expectation or a legal requirement of privacy. Customers generally deploy Attended Mode for BYOD and COPE devices, providing additional privacy protection. In Attended Mode, the user is more actively prompted to authorize access to the device and its information.
  • Attended mode is available on Android, iOS, macOS, and Windows 10 devices.
  • Windows 10 BYOD devices always default to attended mode connection.
  • Android BYOD devices and Windows 10 devices not connected to the Active Directory only support attended mode connection.
  • Attended mode is not available on Windows Mobile/CE devices.

Unattended Mode

Unattended Mode is intended for devices that do not contain personal information and might require maintenance or support by IT when there is no Remote User physically using the device (for example, when charging on a cradle between shifts, when in the depot because it was returned as defective, as a customer-facing kiosk). Customers generally deploy Unattended Mode for corporate owned Rugged/Business Critical and Kiosk devices.

There are no device notifications when using Workspace ONE Assist in unattended mode when a session is active. You are solely responsible for notifying device end users of the active remote management session.

Workspace ONE Assist uses device ownership information received during enrollment to recognize devices as corporate or personally owned. Unattended mode is not available to devices identified as personally owned or devices in a non-supervised configuration.
  • Unattended mode is available on Android, Windows 10, and Windows Mobile/CE devices.
  • Unattended mode is not currently available on macOS devices.
Note: On Samsung devices, a Knox permission must be accepted by the user when the application is first launched, even for devices in unattended mode.

Configure Unattended Access for Windows 10 Devices

Administrators must have the Unattended Access permission as part of their assigned role. For more information, see Assign Role Permissions for Workspace ONE Assist Client Tools.

  • Kiosk Mode and Long-Term Servicing Channel (LTSC) – All Assist sessions default to Unattended mode. Once connected, you have full control and are presented with the Log In screen. When you are logged into the Admin profile, all Assist Client Tools become functional. While in Kiosk Profile, however, the following features are unsupported.
    • Whiteboard
    • Halo (On-Screen notifications and controls)
    • Shortcuts (except Ctrl-Alt-Del)
  • Shared Terminals – Assist supports unattended access on Windows 10 devices that meet the following criteria:
    • Domain joined
    • Azure AD device joined

    When you connect to a Windows 10 device that meets the above listed criteria, you can select the connection mode during an Assist session.

    To start a session, search for the Windows 10 device from the Device List View in the Workspace ONE UEM console and pull up the Device Details. Select the Remote Assist button and choose the Screen Share tool. When the connection initiates, you can select between Attended Mode and Unattended Mode.

    • If Attended Mode is selected, the connection proceeds to the PIN screen, and the end user is prompted to enter that PIN per the normal procedure.
    • If Unattended Mode is selected, Workspace ONE Assist determines the state of the remote device.
      • If the device is being actively used, then end user is prompted to accept the remote session. The end user can allow or deny the session. If the end user does not respond for more than 30 seconds, Assist locks the end user out, saving any information they may have been working on. You are then presented with the Log In screen.
      • If the device is not in use, a connection is established, and you are presented with the Log In screen.
    Note:
    • On Screen notifications and Screen controls (Halo) are displayed on Windows 10 devices in Unattended Mode.
    • A session that is initiated by choosing the File Manager or the Remote Shell tool, defaults to Attended mode.