To troubleshoot issues on end-user devices or help users perform device tasks, Workspace ONE Assist admins must be assigned custom roles with specific permissions set for the role.

Role-Based Access to Workspace ONE Assist

You can make customized roles based on Assist functionality and assign those roles to your admins, giving them varying levels of access to Workspace ONE Assist's main features, including Remote View and Share Screen.

Roles specific to Workspace ONE Assist work the same as roles in Workspace ONE UEM. Roles are made of one or more resources (or permissions). Permissions specific to Workspace ONE Assist are included in the same pool of Workspace ONE UEM permissions.

Remote View Session Elevation

A role with the right combination of permissions can give your admins the ability to elevate the current Assist session, allowing them to go from using one client tool to using another in the middle of a session.

For example, if you make a role with the Remote View and Remote Control permissions, and assign that role to an admin, then that admin can start a Remote View session, provided the host device supports such functionality, and elevate that session to a remote control session simply by using the Share Screen.

Such elevation reflects the natural progression of many Remote View sessions, where the admin completes an initial troubleshooting phase only to discover they require the full range of abilities afforded to them by the Share Screen client tool.

Assign Role Permissions for Workspace ONE Assist Client Tools

You can add resources, or permissions, to the roles you assign to admins with the Workspace ONE UEM console so they can use Workspace ONE Assist to help users of supported devices.

  1. In the Workspace ONE UEM console, navigate to Accounts > Administrators > Roles. You must select between creating a new role and modifying an existing role.
    1. Create a New Role – Select the Add Role button. The Create Role screen displays. Complete the Name and Description options and proceed directly to step 2.
    2. Modify an Existing Role – From the roles listing, locate the role you want to edit, and select the edit (pencil) icon that appears to the left of the listing. The Edit Role screen displays.
  2. Select the Assist category, located in the left pane labeled Categories. All six Assist-related resources, or permissions, display in the right pane.
  3. Enable the Allow check box for the specific permission you want to apply to the role.
    • Session Collaboration - Enables a console user to invite additional participants into a Remote Assist session.
      Note:
      • The Unattended Access permission is enabled by default for the AirWatch Administrator and Console Administrator roles.
      • The Session Collaboration resource should be enabled by default for System Administrator, AirWatch Administrator, and Console Administrator roles.
  4. Save the role.
  5. Next, you must assign the role to your administrator. Navigate to Accounts > Administrators > List View and locate the Administrator you want to assign the role to.
  6. Select the Edit (pencil) icon to the left of the administrator user name. The Add/Edit Admin screen displays.
  7. Select the Roles tab.
  8. Select the Add Role button. Two empty text boxes display, labeled Select Organization Group and Select Role.
  9. Fill the Select Organization Group text box with the organization group (OG) in your org structure to which you want this role assignment to apply.

    If your admin is in this OG or downline of this OG, then they gain the abilities of this role. If your admin moves above this OG, or upline of this OG, then they lose the abilities of this role. The higher the OG you select here, the more OGs in which your admin can apply the abilities of this role.

  10. Fill the Select Role text box with the name of the role from step 1.

    You can repeat Steps 8 through 10 to assign as many roles to an admin as you want.

  11. Save the role assignment.
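
The downline rule in step 9 decides how far a permission such as Unattended Access actually extends, so it is worth checking before saving an assignment at a high OG. The following is an added example, not VMware code and not a Workspace ONE UEM API: the OG names, admin names, and role names are constructed, and the model assumes only what step 9 states (a role assigned at an OG applies to that OG and every OG downline of it).

```python
# Constructed sample data: OG names, admins and role names are hypothetical.
PARENT = {            # child OG -> parent OG (None marks the top-level OG)
    "Global": None,
    "Retail": "Global",
    "Retail-Kiosks": "Retail",
    "Office-BYOD": "Global",
}
ROLES = {             # role name -> permissions with Allow enabled
    "Assist Viewer": {"Remote View"},
    "Assist Kiosk Support": {"Remote View", "Remote Control", "Unattended Access"},
}
ASSIGNMENTS = [       # (admin, OG chosen in Select Organization Group, role)
    ("alice", "Retail-Kiosks", "Assist Kiosk Support"),
    ("bob", "Global", "Assist Kiosk Support"),
    ("carol", "Office-BYOD", "Assist Viewer"),
]

def covered_ogs(og):
    """Return the OG itself plus every OG downline of it."""
    covered = {og}
    changed = True
    while changed:                      # repeat until no new child OG is found
        changed = False
        for child, parent in PARENT.items():
            if parent in covered and child not in covered:
                covered.add(child)
                changed = True
    return covered

def reach(permission):
    """Map each admin to the set of OGs where they hold `permission`."""
    result = {}
    for admin, og, role in ASSIGNMENTS:
        if permission in ROLES[role]:
            result.setdefault(admin, set()).update(covered_ogs(og))
    return result

def over_scoped(permission, intended_ogs):
    """Admins whose `permission` extends to OGs outside `intended_ogs`."""
    return {admin: sorted(ogs - intended_ogs)
            for admin, ogs in reach(permission).items()
            if ogs - intended_ogs}

if __name__ == "__main__":
    # Unattended Access is meant for the kiosk OG only in this sample.
    print(over_scoped("Unattended Access", {"Retail-Kiosks"}))
```

In this sample, the assignment made at the top-level OG carries Unattended Access into the BYOD OG as well, which is the outcome the OG selection in step 9 is meant to prevent.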

Agent Modes

You can connect to devices remotely using two distinct modes of the Workspace ONE Assist agent: Attended Mode and Unattended Mode. Given the enterprise use cases, ownership models, and privacy requirements, understanding the difference between these modes is the foundation of a best practice.

IT and Help Desk staff can use Workspace ONE Assist to support devices in myriad enterprise use cases. These cases include devices of Knowledge Worker employees (Corporate-Owned Personally Enabled (COPE) or Bring Your Own Device (BYOD)) and devices used for business-critical tasks (for example, inventory scanning, logistics) by shift-working employees. Contractors with rugged devices and devices used by customers in kiosks are among other use cases.

It is important that Workspace ONE UEM be configured to deploy the correct Workspace ONE Assist client to each device based on these use cases and the privacy requirements and expectations for each device.

Attended Mode

Attended mode is intended for devices that can contain personal or sensitive information and where the Remote User can have an expectation or a legal requirement of privacy. Customers generally deploy Attended Mode for BYOD and COPE devices, providing additional privacy protection. In Attended Mode, the user is more actively prompted to authorize access to the device and its information.
  • Attended mode is available on Android, iOS, macOS, and Windows Desktop devices.
  • Windows Desktop BYOD devices always default to attended mode connection.
  • Android BYOD devices and Windows desktop devices not connected to the Active Directory only support attended mode connection.
  • Attended mode is not available on Windows Mobile/CE and Linux devices.

Unattended Mode

Unattended mode is intended for devices that do not contain personal information and might require maintenance or support by IT when there is no Remote User physically using the device (for example, when charging on a cradle between shifts, when in the depot because it was returned as defective, as a customer-facing kiosk). Customers generally deploy Unattended Mode for corporate owned Rugged/Business Critical and Kiosk devices.

No device notifications are displayed while a Workspace ONE Assist session is active in unattended mode. You are solely responsible for notifying device end users of the active remote management session.

Workspace ONE Assist uses device ownership information received during enrollment to recognize devices as corporate or personally owned. The unattended mode is not available to devices identified as personally owned or devices in a non-supervised configuration.

The unattended mode is available on Android, Windows desktops, Windows Mobile/CE, macOS, and Linux devices.

Note: On Samsung devices, the user must accept a Knox permission when the application is first launched, even for devices in unattended mode.

Configure Unattended Access for Windows Desktop

Administrators must have the Unattended Access permission as part of their assigned role. For more information, see Assign Role Permissions for Workspace ONE Assist Client Tools.

Assist supports unattended access on the following modes of Windows desktop devices.
  • Kiosk mode devices
  • LTSC devices
  • Domain Joined devices
  • Azure AD Joined devices

Kiosk Mode and Long-Term Servicing Channel (LTSC) – With Assist 21.09, both attended and unattended modes for Windows desktop devices are supported on Kiosk Mode and LTSC. The admin can choose the mode of operation for Assist. If the admin chooses unattended access, the admin has full control of the device.

When you are logged into the Admin profile in the attended mode, all Assist Client Tools become functional. While in Kiosk Profile, however, the following features are unsupported.
  • Whiteboard
  • Halo (On-Screen notifications and controls)
  • Shortcuts (except Ctrl-Alt-Del)

Shared Terminals – Assist supports unattended access on Windows desktop devices that meet the following criteria:

  • Domain joined

  • Azure AD device joined

When you connect to a Windows desktop device that meets the above listed criteria, you can select the connection mode during an Assist session.

To start a session, search for the Windows desktop device from the Device List View in the Workspace ONE UEM console and pull up the Device Details. Select the Remote Assist button and choose the Screen Share tool. When the connection initiates, you can select between Attended Mode and Unattended Mode.

  • If Attended Mode is selected, the connection proceeds to the PIN screen, and the end user is prompted to enter that PIN per the normal procedure.
  • If Unattended Mode is selected, Workspace ONE Assist determines the state of the remote device.
    • If the device is being actively used, then the end user is prompted to accept the remote session. The end user can allow or deny the session. If the end user does not respond for more than 30 seconds, Assist locks the end user out, saving any information they may have been working on. You are then presented with the Log In screen.
    • If the device is not in use, a connection is established, and you are presented with the Log In screen.
Note:
  • On Screen notifications and Screen controls (Halo) are displayed on Windows desktop devices in Unattended Mode.
  • A session that is initiated by choosing the File Manager or the Remote Shell tool defaults to Attended Mode.

Configure Unattended Access for macOS Devices

Administrators must have the Unattended Access permission as part of their assigned role. For more information on assigning role permissions, see Assign Role Permissions for Workspace ONE Assist Client Tools.

Workspace ONE Assist uses device ownership information received during enrollment to recognize devices as corporate or personally owned. Unattended mode is unavailable on macOS devices identified as personally owned or devices in a non-supervised configuration. Unattended mode is available on macOS devices that are Corporate Owned (Dedicated or Shared).

When you connect to a macOS device that meets the criteria, you can select the connection mode during an Assist session.

To start an Assist session:
  1. From the Device List View page in the Workspace ONE UEM console, search for the macOS device and access the device details.
  2. Select the Remote Assist button and then select the Screen Share tool. When the connection initiates, you can decide between Attended Mode and Unattended Mode.
    • If you select Attended Mode, the connection proceeds to the PIN screen, and the end user is prompted to enter that PIN per the normal procedure.
    • If you select Unattended Mode, Workspace ONE Assist determines the state of the remote device.
      • If the device is being actively used, then the end user is prompted to accept the remote session. The end user can allow or deny the session. If the end user does not respond for more than 30 seconds, Assist locks the end user out, saving any information they may have been working on. You are then presented with the Log In screen.
      • If the device is not in use, a connection is established, and you are presented with the Log In screen.
      Note: On-Screen notifications and Screen controls (Halo) are displayed on macOS devices in Unattended Mode when the user is logged in.