Workspace ONE Assist provides end users visibility and transparency during remote control sessions by displaying privacy notices, on screen prompts, notifications, and an on screen toolbar giving the end user power over the remote session.
Privacy Notices
When the end user launches Workspace ONE Assist for the first time, whether in Attended or Unattended mode, they see a Privacy Notice that informs them of the data accessed by the Assist application. Attended sessions always present the end user with a PIN prompt.
However, if the application is launched for the first time through a connection process, the privacy notice is displayed only on the Attended mode agent. The Unattended mode agent does not display a privacy notice during the connection process.
PIN Prompt at the Beginning of a Session
When you start a session in Workspace ONE Assist, a four-digit PIN displays as a pop-up message to you, the admin. You must provide this PIN to the host device end user so they can enter it into the PIN prompt on their device. Communicate this PIN by telephone, text message, or email. This exchange represents the host device end user's acknowledgment of the privacy notice. The end-user grants access (by entering the PIN you provide) or denies access (by not entering the PIN you provide).
The Halo
When you use any client tool (Remote View, Remote Control, File Manager, or Remote Shell), a blue outline is drawn around the outer edge of the host device end user's screen called a "halo". This halo serves as a persistent notification that a Workspace ONE Assist session is active.
There is a toolbar that appears with the halo. This toolbar gives the host device end user the power to pause a session, revoke remote control privileges demoting the session back to Remote View only, and the power to disconnect the session entirely. The toolbar also indicates when the screen is being recorded.
- Note: The halo effect, and other notifications, are disabled on corporate owned, fully managed Android devices using the Unattended Agent ONLY.
Permission Prompts
When you start any other client tool during a Screen Share session, the end user is again asked permission for access.
For example, an end user enters the PIN provided by the Admin resulting from initiating a Screen Share session. This action grants the Admin view only access to the end user's Windows 10 device to troubleshoot a problem. During this Screen Share session, the Admin starts the Manage Files client tool. Before the Admin gets to see and manage the end user's files remotely, the end user of the host device must select Deny or Allow from the Manage Files prompt that appears. The Screen Share session is not impacted by either choice. However, the Manage Files session cannot proceed until after the end-user grants access.
Android 11 and Manage Files Client Tool
Beginning with Android 11, Google is enforcing scoped storage on all applications targeting API level 30. The enforcement of scoped storage means an app is limited to only accessing its own file sandbox and specific types of media files that the app has created.
To provide access to other file locations on the device, VMware has partnered with many of the top Android device manufacturers to create a newer version of the OEM-specific service application (v2.5). Download and install the latest version of the Assist service application to access all files on the remote device.
On devices where an OEM-specific service application is not available (for example, Samsung and Sony devices) the end user on the remote device must explicitly grant additional permissions to the application when requested. Workspace ONE Assist prompts the Android 11 device end user to 'Allow access to manage all files'. This permission must be granted to the Assist application one-time at the beginning of the first Manage Files session.
- In Attended mode, this permission must be granted or denied by the end user of the device.
- In Unattended mode, you must grant this permission through the Share Screen client tool.
Once permission is granted, all files on the remote device can be accessed during the Manage Files session. In the absence of this permission, you can only access Media and Downloads folder.
Agent Modes
The PIN prompt and User Consent prompts are displayed only during an Attended mode of connection. When using Workspace ONE Assist in Unattended mode, no device notifications are provided when a remote management session is active. You are solely responsible for notifying device end users of Assist sessions in unattended mode.
- Note: On Samsung devices, the end user must accept a Knox permission when the application is first launched, even for devices in Unattended mode.
For more information, see Agent Modes.
Notifications Sent Per Video Recording and Screenshot
For Android, macOS, and Windows 10 devices only, the first time you initiate a video recording or request a screenshot in a session, the host device end user is prompted to grant permission. After the end-user grants permission, each subsequent video recording or screenshot made in the same session results in a "pop-up" on-screen notification instead of a permission request.
These notifications, together with the PIN prompts and the other permissions, are designed to foster transparency during any Workspace ONE Assist session.
For more information about VMware's stance on privacy, see the VMware Privacy Notice.
Session Collaboration Notifications and Prompts
Device end users receive a popup notification for each participant that joins the active session collaboration. The only exception is for Android devices in Unattended mode.