After you install and configure the servers, you must install the platform-specific agents on the devices so that they can be remotely managed with Workspace ONE Assist. You may also have to enable the device to accept remote control.

Install the Assist App for Windows and macOS

  1. Visit the https://my.workspaceone.com/products page that lists all the available device agents.
  2. Identify and download platform-specific Workspace ONE Assist agents that are applicable to your deployment.
    Note:

    With regard to the permission prompts for the Remote View and Remote Control functions on macOS devices, be aware of the following.

    • macOS devices running version 10.14 (Mojave) allow the Share Screen feature by default. No additional permissions are required to share the screen; therefore, no prompt is displayed at the beginning of a Share Screen session.
    • For macOS devices running version 10.15 (Catalina), the Share Screen and Remote View features both require that you grant the Screen Recording permission to Workspace ONE Assist in the Privacy tab of Security & Privacy preferences, located in System Preferences. The first time you initiate a Share Screen session with a qualifying macOS device, and only that time, an access request popup displays with a convenience link to this privacy setting in System Preferences.
    • Similarly, macOS devices running version 11 (Big Sur) or later must enable Screen Recording permission to Workspace ONE Assist for both Remote View and Share Screen features. This permission is configured in a slightly different way for version 11:

      Enable Screen Recording by navigating to System Preferences > Security & Privacy > Privacy tab > Screen Recording, then select the Lock icon to unlock the Privacy settings and enter the Administrator password. This is a one-time activation by the end user.

    • For Unattended mode on macOS, the Screen Share tool has two possible flows to auto-grant the Screen Recording permission.
      1. If a user is logged into the device, the Screen Recording permission is granted automatically before the start of each Screen Share session by pushing a TCC profile from the UEM console. Before each Screen Share session, the Assist agent checks whether the permission is already granted. If the permission is granted, the connection goes through. If the permission is not granted, the Assist agent grants the permission while the Screen Share connection is in progress. This approach is safe because the end user can revoke the permission at any time. The TCC profile is bundled with the Assist 23.02 agent package and can be downloaded from the My Workspace ONE ™ portal.
      2. If there is no user logged into the device, the Screen Recording permission cannot be granted automatically. In this situation, the admin has to log in to any user account for the automatic Screen Recording permission to take effect. This can be done by passing the username and password with the following commands through the Remote Shell tool. These steps simply enter the username and password on the remote Mac.

        To do this, connect to the Remote Shell tool and log in to the user account by entering the listed commands.

        • osascript -e 'tell application "System Events" to keystroke "<user name>"'
        • osascript -e 'tell application "System Events" to keystroke return'
        • osascript -e 'tell application "System Events" to keystroke "<password>"'
        • osascript -e 'tell application "System Events" to keystroke return'

        Once these commands are executed, the admin console might show a brief interruption of the remote session while the user is logged in, and it eventually reconnects. Once the user is logged in, the Screen Recording permission is granted automatically and the admin can view the screen right after that. This is a one-time procedure and need not be performed in subsequent sessions as long as the permission is not revoked by the user. If the Screen Recording permission is already granted before the start of the connection, the connection goes through and there is no need to connect to the Remote Shell tool.

        Regardless, if the connection uses only Remote Shell and/or File Manager, the limitations above do not apply, and the Unattended connection goes through without any additional permission other than the configured TCC profile.

Install the Assist App for iOS

iOS devices do not require a separate Assist application. The Assist libraries are built into the Intelligent Hub. To prepare your iOS devices to use the Remote View feature, see How Do You Enable Remote View for iOS Devices.

On Workspace ONE UEM version 2101 or later, a privacy flag is introduced to activate or deactivate Remote View on iOS devices at an Organization Group (OG) level.

To configure this flag:
  1. Navigate to Groups & Settings > All Settings > Devices & Users > General > Privacy.
  2. On the Privacy screen, turn on or off the Remote Control flag for each ownership type.
On existing Customer Organization Groups, this flag keeps the value that was set before the 2101 upgrade. On new Customer Organization Groups, this flag is deactivated by default. To enable Remote View, turn the flag on for the necessary ownership types.

Install the Assist App for Android

  1. Visit the https://my.workspaceone.com/products page that lists all the available device agents.
  2. Download and install the platform-specific Workspace ONE Assist agent.
  3. To provide full remote control support on Android devices, VMware has partnered with many of the top Android device manufacturers to make OEM-specific service applications. Download and install the OEM specific service application on the device.
    • Starting with Android 13, Assist supports remote control using OEM configurations available through the 'Moto OEMConfig' application. For more information, see OEM configurations from Moto OEMConfig Application.
    • Starting with Android 11, the Assist Android agent uses Zebra-provided remote management APIs to support the remote control functionality. Hence, Android 11 and later devices do not require a separate service download. For information about the minimum requirements, see Remote management APIs from Zebra.
  4. If the launcher mode is enabled on Samsung devices, you must allowlist the following activities in order for you to be able to respond to the prompts during the installation of the Assist agent. For devices with launcher version 4.9, the launcher automatically displays the prompts.

    com.samsung.klmsagent.activities.ConfirmDialog

    com.android.packageinstaller.permission.ui.GrantPermissionsActivity

    Note:
    • Android devices by Samsung and Sony do not require this OEM-specific service application, as they include support for Assist out of the box. Zebra devices with Android 11 or later also support Workspace ONE Assist out of the box. This support means customers do not need to deploy the Zebra-specific service application APK file on their Zebra devices running Android 11 or later.
    • With Assist 21.09, Android devices running Android 7.1 and later no longer require an OEM-specific service application to be installed to support full remote control. For full remote control, end users must provide additional permissions such as:
      • Enable screen share for every session on Android 10 and later.
      • Enable accessibility service for each remote control session.

      Accessibility service cannot be enabled within a Work Profile, hence, remote control using Accessibility service cannot be leveraged on COPE and BYOD devices.

    • To leverage KNOX Remote Control APIs on Samsung devices, the end user must accept a KNOX End User License Agreement on the remote device. This permission is required on Unattended mode of connection as well. From Assist 22.04, this permission is requested on the Unattended mode agent at the time of application installation. On Assist Attended mode, this permission is requested during the first remote control session.
    • For Android Enterprise Enrolled BYOD Devices, see How Do You Enable Remote Control for Android Enterprise Enrolled BYOD Devices.
    • For Android Enterprise Enrolled COPE Devices, see How Do You Enable Remote Control for Android Enterprise Enrolled COPE Devices.

OEM configurations from Moto OEMConfig Application

Starting with Android 13, Assist supports remote control using OEM configurations available through the 'Moto OEMConfig' application.

Minimum requirements:
  • OS 14
  • Moto OEMConfig v13.03.0320 or later
  • Assist Agent 23.10 or later

Configurations for the Moto OEMConfig application:

  • Activate 'Managed Access' in the application configuration.
  • Activate 'Display over the other app settings' and add the package name 'com.airwatch.rm.agent' (UEM resource portal) or 'com.airwatch.rm.agent.cloud' (playstore version), based on your use case.
  • Configure 'Grant Access' for 'Remote Control' as listed in Table 1.
Table 1.

  com.airwatch.rm.agent
    • Grant Access: True
    • Package Name: 'com.airwatch.rm.agent' (UEM resource portal)
    • App Certificate: 54:BF:43:56:6C:CE:2A:53:3A:F0:85:E1:FB:B7:92:61:9D:B9:3E:D0:C2:DB:0C:A6:FA:D8:90:87:3F:9A:C2:90

  com.airwatch.rm.agent.cloud
    • Grant Access: True
    • Package Name: 'com.airwatch.rm.agent.cloud' (Playstore version)
    • App Certificate: D2:4E:43:63:C4:1F:A7:08:55:1B:EA:4E:F4:27:4C:DF:FA:F3:80:01:D4:C1:0A:89:30:BA:4B:AA:2F:4F:47:35
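
Because Table 1 grants 'Remote Control' to a specific package and certificate pair, it is worth confirming that the APK you deploy is signed with the certificate you enter. The check below is an added example, not part of the original documentation or of VMware's tooling. It assumes the App Certificate values are SHA-256 fingerprints of the APK signing certificate and compares them with the digest lines printed by `apksigner verify --print-certs`; the function names and the sample output are constructed for illustration.

```python
import re

# Package name -> App Certificate, copied from Table 1 on this page.
PINNED = {
    "com.airwatch.rm.agent":
        "54:BF:43:56:6C:CE:2A:53:3A:F0:85:E1:FB:B7:92:61:"
        "9D:B9:3E:D0:C2:DB:0C:A6:FA:D8:90:87:3F:9A:C2:90",
    "com.airwatch.rm.agent.cloud":
        "D2:4E:43:63:C4:1F:A7:08:55:1B:EA:4E:F4:27:4C:DF:"
        "FA:F3:80:01:D4:C1:0A:89:30:BA:4B:AA:2F:4F:47:35",
}

# Line printed by `apksigner verify --print-certs` for each signer.
# Exactly 64 hex characters are required, so a truncated digest never matches.
SIGNER_RE = re.compile(
    r"^Signer #\d+ certificate SHA-256 digest:\s*([0-9A-Fa-f]{64})\s*$",
    re.MULTILINE,
)


def normalize(fingerprint):
    """Return 64 lowercase hex chars; reject anything that is not SHA-256."""
    hexed = re.sub(r"[:\s]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError("not a SHA-256 fingerprint: %r" % fingerprint)
    return hexed


def signer_digests(apksigner_output):
    """Extract every signer's SHA-256 certificate digest from the output."""
    return [m.group(1).lower() for m in SIGNER_RE.finditer(apksigner_output)]


def check_apk(package, apksigner_output):
    """Return (ok, reason) for an APK about to be granted 'Remote Control'."""
    if package not in PINNED:
        return False, "package is not listed in Table 1"
    digests = signer_digests(apksigner_output)
    if not digests:
        return False, "no SHA-256 signer digest in apksigner output"
    expected = normalize(PINNED[package])
    # Policy choice in this example: every signer must be the pinned one.
    for digest in digests:
        if digest != expected:
            owner = [p for p, fp in PINNED.items() if normalize(fp) == digest]
            if owner:
                # Typical mix-up: portal build paired with the Play Store cert.
                return False, "certificate is the one pinned for " + owner[0]
            return False, "certificate does not match Table 1"
    return True, "certificate matches Table 1"


def sample_output(package):
    """Constructed apksigner-style output carrying the pinned digest."""
    return (
        "Signer #1 certificate DN: CN=constructed-sample\n"
        "Signer #1 certificate SHA-256 digest: %s\n" % normalize(PINNED[package])
    )


if __name__ == "__main__":
    cloud = sample_output("com.airwatch.rm.agent.cloud")
    print(check_apk("com.airwatch.rm.agent.cloud", cloud))
    print(check_apk("com.airwatch.rm.agent", cloud))
```

In practice, replace the constructed sample with the real output of `apksigner verify --print-certs` for the downloaded agent APK.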

Remote management APIs from Zebra

Starting with Android 11, the Assist Android agent uses Zebra-provided remote management APIs to support the remote control functionality.

Listed are the minimum requirements:

  • MXMF version 10 or later (This is usually pre-loaded with the firmware.)
  • Zebra MX Service 5.2 or later
  • Assist Agent 22.03 or later
  • Intelligent Hub 21.09 or later

Install Assist app for Linux

To remotely manage a Linux or Linux-based IoT device, you must install the Workspace ONE Assist application on a Linux device already enrolled in UEM. Once the Assist application is installed on the Linux device, you must register it to the Workspace ONE Assist server. You can verify the status of the registration by navigating to the Device detailed view > More > Troubleshooting > Event Logs.

Workspace ONE Assist is compatible with all distributions of Linux running on either x64, ARM5, or ARM7 architectures.

You can install the Assist application on the Linux device either:
  • Manually on the device

    OR

  • Using a Workspace ONE custom configuration profile

Install Assist Manually

If you have physical access to the Linux device, install the Assist agent manually using this method.
  1. On the Linux device, open a browser and navigate to the VMware Workspace ONE Resource Portal.
  2. Download the Workspace ONE Assist agent directly on the Linux device. You can also use an alternative method for copying the agent to the Linux device.
  3. Extract the package.
  4. Change the directory using the command.
    $ cd ws1-assist_21.09.00.69_release_linux-<arch>
  5. Install the package using the command.
    $ sudo ./install.sh

Install using Custom Configuration Profile

Install the Workspace ONE Assist agent on the remote Linux device using a Workspace ONE custom configuration profile, which uses Puppet manifests.
  1. Navigate to Resources > Profiles & Baselines > Profiles on the Workspace ONE UEM console. Depending on your UEM version, the Profiles tab is available either under Devices or Resources.
  2. Create a Linux profile or update an existing one to add a new custom configuration for Workspace ONE Assist.
  3. On the Custom Configuration page, enter a name and create a puppet manifest to install the Assist application on your Linux devices. You can access the sample manifest file at https://resources.workspaceone.com/view/v9dm3bwbr9lvjhvdxlsm/en and modify it as per your need.
  4. Once the custom configuration is added, select Save and Publish to publish the Linux profile to your Linux devices.

How Do You Enable Remote Control with Samsung Knox Service Plugin

You can enable Samsung Knox devices to be remotely controlled with Workspace ONE Assist by installing the Knox Service Plugin.

The Samsung Knox Service Plugin is only available on Android 9.0 (Pie) and later. The only deployment modes supported are Profile Owner (PO) and Device Owner (DO). For detailed compatibility information, see Which Profile/Ownerships Work with Samsung Knox.

With the introduction of Knox version 3.4.1, Samsung has enabled remote control on non premium Work Profiles by default. This is available on Samsung devices running Android 10.0 and later.
  1. Log in to the Workspace ONE UEM Console.
  2. Navigate to Apps and Books > Applications > Native, select the Public tab, and then select Add Application.
  3. Select Android as the platform and enter "Knox Service Plugin" for the Name option.
  4. Select the Knox Service Plugin from the list of applications.
  5. Click the Select button.

  6. Add additional details as needed. Select Save and Assign to continue.
  7. Select Add Assignment.

  8. Select your applicable assignment groups.
  9. Select the desired application delivery method: Auto to automatically apply the application assignment and On Demand to allow the device user to opt-out of the app assignment.

  10. Select CONFIGURE next to Application Configuration.
  11. Enter the KNOX Premium License Key.

    The Knox premium license key is mandatory to enable remote control within the work profile on Android 9.x.

  12. Select CONFIGURE next to Work profile policies (Profile Owner).
  13. Select the Enable drop-down next to Enable Work Profile Policies. Then enable the two options under Advanced restrictions in work profile and Allow remote control. Then select the ADD button.

  14. Select Add again to save the assignment.
  15. Finally, select Save and Publish to publish the Knox Service Plugin with the configured policies.

    Once the Knox Service Plugin is installed on the device and the policies are applied successfully, remote control is available within the work profile.

    Samsung Knox devices can now be remotely controlled using Workspace ONE Assist.

    Note: On Samsung BYOD devices, only applications in the Work Profile can be viewed and controlled. If you navigate to the Work profile home screen or personal side of a Samsung BYOD device during a Workspace ONE Assist session, it only displays a blank screen.

How Do You Enable Remote View For iOS Devices

The steps for enabling the Remote View feature for your iOS devices vary based on the Intelligent Hub version installed on the devices. Follow the steps for the appropriate Intelligent Hub version on your device.

For devices with Intelligent Hub 20.11 or later

  1. Ensure Workspace ONE Intelligent Hub 20.11 or later is installed.
    Note: The iOS version used must be 13 or later.
  2. Request the iOS device user to open the Hub notification received or launch the Workspace ONE Intelligent Hub.
  3. Select Start Sharing and then select Start Broadcast.

    The end user can pause or disconnect the connection anytime during the remote view session.

  4. If the session is interrupted, the end user must start the screen broadcast from the Control Center using the following procedure:
    1. Open Control Center using the screen gesture appropriate for your iOS model.
    2. Press and hold down the grey Screen Recording icon.
    3. Enable Hub Broadcast.
    4. Select Start Broadcast.

For devices with Intelligent Hub 20.11 or earlier
  1. Ensure Workspace ONE Intelligent Hub 20.11 or earlier is installed.
  2. Request the iOS device end user to perform the following one time setup.
    1. Navigate to Settings > Control Center > Customize Controls and add Screen Recording to the Control Center by selecting its green plus sign.

  3. Request the iOS device end user to perform the following procedure before each Remote View session.
    1. Open Control Center using the screen gesture appropriate for your iOS model.
    2. Press and hold down the grey Screen Recording icon.
    3. Enable Hub Broadcast.
    4. Select Start Broadcast.

      This iOS device can now be remotely viewed using Workspace ONE Assist.

How Do You Enable Remote Control for Android Enterprise Enrolled BYOD Devices

You must enable your Android Enterprise enrolled BYOD devices to work with Workspace ONE Assist before they can be remotely controlled.

The Assist Agent and OEM-specific Assist Service package can be auto installed from Workspace ONE UEM or made available for the end user to install when needed.

The Workspace ONE Assist Agent is available at https://my.workspaceone.com/products.

  • On BYOD Enrolled devices, the Assist agent always behaves as an Attended agent. Even if the Unattended agent is pushed to the device, the Assist agent continues to behave as an Attended agent due to the presence of the Work Profile.

CHOOSE ONE PATH ONLY

YOU MUST SELECT BETWEEN TWO CHOICES.

YOU CAN EITHER PUSH CONTENT USING UEM OR LEAVE IT TO THE END USER. Do not perform both.

PUSH CONTENT USING UEM
  1. From the Workspace ONE UEM console, use Apps and Books or Product Provisioning to add the Workspace ONE Assist agent as a managed PlayStore application. For more information, see Mobile Application Management.
  2. From the Workspace ONE UEM console, use Apps and Books or Product Provisioning to add the OEM-specific Assist Service as a managed PlayStore application. This step is required to enable remote control on all supported OEMs except Samsung and Sony. For more information, see Product Provisioning.
  3. Create a smart group that includes these Android Enterprise enrolled BYOD devices.
  4. Assign the agent and OEM-specific Assist Service to the smart group you created and automatically push the application to all managed devices in the smart group. For more information, see Smart Groups.
  5. Proceed directly to the What to do next section.

LEAVE IT TO THE END USER
  1. Make the Workspace ONE Assist agent and OEM-specific service application available as Public applications through the Play Store.
  2. Direct your Android BYOD end users to navigate to the Work Profile.
  3. The end user must open the Play Store from within the Work Profile.
  4. The end user must download and install the Workspace ONE Assist Agent.
  5. If applicable, the end user must download and install the OEM-specific service application. This step is required to enable remote control on all supported OEMs except Samsung and Sony.
  6. Proceed directly to the What to do next section.
Note: On Samsung BYOD devices, only applications in the Work Profile can be viewed and controlled. If you navigate to the Work profile home screen or personal side of a Samsung BYOD device during a Workspace ONE Assist session, it only displays a blank screen.
Note: On Samsung BYOD devices, remote control is deactivated by default within All Work Profiles under Android 9.0 (with Knox versions earlier than 3.4.1) and Premium Work Profiles under Android 10.0 or later (with Knox 3.4.1 or later). You can enable remote control on these work profiles by installing the KNOX Service Plug-in together with the appropriate OEM Config policy. For more information, see How Do You Enable Remote Control with Samsung Knox Service Plugin and Full Remote Control Support by Original Equipment Manufacturer (OEM) and Model, Android.

With the introduction of Knox version 3.4.1, Samsung has enabled remote control on non premium Work Profiles by default. This is available on Samsung devices under Android 10.0 and later.

A Knox Premium License is necessary to enable remote control on Work Profiles with Knox versions earlier than 3.4.1.

How Do You Enable Remote Control for Android Enterprise Enrolled COPE Devices

You must enable your Android Enterprise enrolled COPE (Corporate-Owned, Personally-Enabled) devices to work with Workspace ONE Assist before they can be remotely controlled.

The Workspace ONE Assist Agent is available at https://my.workspaceone.com/products.

  1. From the Workspace ONE UEM console, use Apps and Books or Product Provisioning to add the Workspace ONE Assist agent.
    • Android 8, 9, and 10 devices must add the Workspace ONE Assist agent as a managed internal application.
    • Android 11 devices must add the Workspace ONE Assist agent as a managed PlayStore application.

      For more information, see Mobile Application Management documentation.

  2. From the Workspace ONE UEM console, use Apps and Books or Product Provisioning to add the OEM-specific Assist Service. This step is required to enable remote control on all supported OEMs except Samsung and Sony.
    • Android 8, 9, and 10 devices must add the OEM-specific Assist Service as a managed internal application.
    • Android 11 devices must add the OEM-specific Assist Service as a managed PlayStore application.

      For more information, see Product Provisioning.

  3. Create a smart group that includes these Android Enterprise enrolled COPE devices.
  4. Assign the agent and OEM-specific Assist Service to the smart group you created and push it to managed devices. For more information, see Smart Groups.
  5. Direct the device End User to uninstall the Workspace ONE Assist application if it was previously installed on the personal side of the device in Android 8, 9, or 10.
    • For Android 8, 9, and 10 devices, the end user must uninstall Workspace ONE Assist from the personal side of the device.
    • For Android 11 devices, the end user must uninstall Workspace ONE Assist from the work profile on the device.

      On Samsung COPE devices, the Personal profile and Work profile can be remote controlled.

Important information to note:

  • On COPE Enrolled devices, the Assist agent always behaves as an Attended agent. Even if the Unattended agent is pushed to the device, the Assist agent continues to behave as an Attended agent due to the presence of the Work Profile.
  • On devices running Android 8 (Oreo), 9 (Pie), and 10, the Workspace ONE Assist application operates on the personal side of the device to provide remote control functionality to the entire device. As a result, the Workspace ONE Assist app must be installed as an internal application.
  • On devices running Android 11, the Workspace ONE Assist app can no longer run on the personal side of a COPE device. The Assist application can operate only within the Work profile on COPE devices. As a result, once a device is upgraded to Android 11, the Assist application must be uninstalled from the personal side and reinstalled on the Work profile as a managed Play Store application.
  • On Samsung COPE devices, prior to Assist 22.04, due to Knox restrictions, Remote View and Control was only supported within the work profile applications. Because the home screen and the application launcher screen within the work profile tab are both considered personal, Assist could only provide Remote View and Control capabilities when the end user manually launched the application to foreground. On the work profile on Samsung devices, starting with Assist 22.04, the entire device, including the home screen, settings, and all other screens, can be remotely viewed.
  • On Samsung COPE devices, remote control is deactivated by default within All Work Profiles under Android 9.0 (with Knox versions earlier than 3.4.1) and Premium Work Profiles under Android 10.0 or later (with Knox 3.4.1 or later). You can enable remote control on these work profiles by installing the KNOX Service Plug-in together with the appropriate OEM Config policy. For more information, see How Do You Enable Remote Control with Samsung Knox Service Plugin and Full Remote Control Support by Original Equipment Manufacturer (OEM) and Model, Android.

    With the introduction of Knox version 3.4.1, Samsung has enabled remote control on non premium Work Profiles by default. This is available on Samsung devices under Android 10.0 and later.

    A Knox Premium License is necessary to enable remote control on Work Profiles with Knox versions earlier than 3.4.1.

How to view and control external monitors connected to Zebra devices using the Workstation Connect Cradle or Connect Hub

Zebra devices that are connected to external monitors through the Workstation Connect Cradle or Connect Hub can now be viewed and controlled through the remote session.

The Multi-Monitor button appears in the admin console when the Zebra device has an external monitor connected. It allows the admin to switch between the displays they want to view or control. Please note that only one monitor may be viewed or controlled at any given time.

Listed are the prerequisites to use this feature.
  • The Zebra device must be connected through the docking station. The docking station must be connected to the monitor through an HDMI cable.
  • The Force Desktop Mode option must be enabled under Settings > Developer Options.
  • The Zebra Workstation Connect application must be installed and the Display Over Apps/Appear on Top permission must be enabled.
  • For non-tablet devices, you must enable the DisplayDesktopOEM [com.displaylink.desktop.oem] application through profiles. By default, UEM may disable all system apps.
  • Restart the device after you configure the required settings.
Note:
  • Supported Firmware version is 11-31-27.00-RG-U00-STD-HEL-04 or later.
  • Supported Device models are EC50, EC55, ET51, ET56, L10A, TC21, TC21 HC, TC26, TC26 HC, TC52, TC52 HC, TC57, TC72, TC77.