Introduce device end users to the Self-Service Portal (SSP) and empower them to perform basic device management tasks, investigate issues, and fix problems, thus reducing the number of support issues. So while administrators have access to Workspace ONE UEM, device end users have the SSP.
Configure the Default Login Page for the SSP
You can set the default authentication method displayed on the Self-Service Portal of Workspace ONE UEM depending on the needs of your organization and the needs of your users.
Configure this setting by navigating to and set the SSP Authentication Type to:
- Email – Prompts users for their email address if you have set up auto discovery.
- Legacy – Prompts users for their Group ID and credentials (username/password).
- Dedicated – Prompts users for only their credentials (username/password). This option defaults a single Group ID for single-customer environments.
Log Into the SSP
Log in using the same credentials (Group ID, username, and password) used to enroll in Workspace ONE UEM.
Select a Language for the SSP
The Self-Service Portal automatically matches the browser default language. However, you can override this default setting by choosing from the Select Language drop-down on the login screen.
Change Your Password for the SSP
Change your password by selecting the Account button located at the top right of the Self Service Portal screen. Select the Change button next to the Current Password field on the User Account page.
If a device end user logs into the SSP to change a shared device passcode before it expires, this new passcode adopts the expiration time from the OG associated with the shared device, not the OG the end user is managed from.
For example, assume you have an OG structure with 'Parent' at the top and 'Child' underneath. Assume that the end user account is managed from 'Parent' with a passcode expiration of 90 days. Assume also that the shared device is managed by 'Child' with a passcode expiration of 30 days. In this scenario, when the end user logs into the Self Service Portal and changes the shared device passcode before it expires, the new passcode expiration goes from 90 days (Parent) to 30 days (Child).
The workaround is to ensure that you configure the shared device passcode on the OG the users are managed from.
As the admin, if you change the end user's shared device passcode in the Add/Edit User screen from the Workspace ONE UEM console, it correctly adopts the expiration time of the OG the end user is managed from.
Access the Self Service Portal on Devices
You can access the Self-Service Portal (SSP) from your workstations or devices by navigating to . If you have a device that supports Web Clips or Bookmarks, your administrator can supply these shortcuts enabling you to access the SSP directly.
Self Service Portal (SSP) Customizations
You can alter the default login page background by configuring Branding settings.
Navigate to and select the Upload button in the Self-Service Portal Login Page Background setting. Select a custom background image with a suggested size of 1024x768 pixels.
Self-Service Portal Actions Matrix
Each of the major device platforms supports various basic and advanced SSP actions in Workspace ONE UEM.
| Action | Android | iOS | macOS | Win Mobile | Win 7 | Win Desktop |
|---|---|---|---|---|---|---|
| Basic Actions | ||||||
| Change Passcode. | ✓ | |||||
| Clear (SSO) Passcode. | ✓ | ✓ | ✓ | |||
| Delete Device. | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Delete Registration. | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Device Query | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Device Wipe | ✓ | ✓ | ✓ | ✓ | ||
| Download Hub. | ✓ | ✓ | ||||
| Enterprise Wipe | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Locate Device. | ✓ | ✓ | ✓ | ✓ | ||
| Lock Device/Screen. | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Lock SSO. | ✓ | |||||
| Make Noise. | ✓ | ✓ | ||||
| Resend Enrollment Message. | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Send Message. | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Set Roaming. | ✓ | |||||
| Sync Device. | ✓ | ✓ | ||||
| View Enrollment Message.* | ✓ | ✓ | ✓ | ✓ | ✓ | |
| Advanced Actions | ||||||
| Generate App Token. | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Manage Email. | ✓ | ✓ | ✓ | |||
| Review Terms of Use. | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Revoke Token. | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Upload S/MIME Certificate. | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
* As a security feature, this action is not available for accounts that enrolled with a token.
Remote Actions in the SSP
End users can perform remote actions over-the-air to the selected device from within the Self Service Portal. Your administrator determines the action permissions and available actions in the SSP, which vary based on device platform. Allowed actions are split between Basic Actions and Advanced Actions on the main access page.
Administrators have several remote actions and options for managed devices available to them. However, when devices are employee-owned, those employees might want to access similar management tools for their own use. The Self Service Portal (SSP) provides a means for employees to use some key MDM tools without any IT involvement. If you enable it, end users can run the SSP in a web browser and access key MDM support tools. You can also enable or deactivate the displays of information and the ability to perform remote actions from the SSP.
The administrator determines action permissions, therefore device users might have limited actions available. See the applicable platform guide, available on docs.vmware.com. You can also search the online help for platform-specific options.
Basic Remote Actions
Basic remote actions appear on the Basic Actions subtab of the selected device in the self-service portal. The actions available depend upon enrollment status, device platform, and action permissions.
| Action | Description |
|---|---|
| Change Passcode | Set a new passcode for the selected device. If a device end user logs into the SSP to change a shared device passcode before it expires, this new passcode adopts the expiration time from the OG associated with the shared device, not the OG the end user is managed from. For example, assume you have an OG structure with 'Parent' at the top and 'Child' underneath. Assume that the end user account is managed from 'Parent' with a passcode expiration of 90 days. Assume also that the shared device is managed by 'Child' with a passcode expiration of 30 days. In this scenario, when the end user logs into the Self Service Portal and changes the shared device passcode before it expires, the new passcode expiration goes from 90 days (Parent) to 30 days (Child). The workaround is to ensure that you configure the shared device passcode on the OG the users are managed from. As the admin, if you change the end user's shared device passcode in the Add/Edit User screen from the Workspace ONE UEM console, it correctly adopts the expiration time of the OG the end user is managed from. |
| Clear Passcode | Clear the passcode on the selected device and prompt for a new passcode. This action is useful if users forget their device passcode and become locked out of their device. |
| Delete Device | Remove the device from the Self Service Portal. |
| Delete Registration | Delete any pending enrollment record from the Self Service Portal. |
| Device Query | Request the device to send a comprehensive set of MDM information to the Workspace ONE UEM Server. |
| Device Wipe | Wipe all data from the selected device, including all data, email, profiles, and MDM capabilities and returns the device to factory default settings. |
| Download Hub | Download and install the Workspace ONE Intelligent Hub to the device from which you are viewing the SSP. |
| Enterprise Wipe | Wipe all corporate data from the selected device and removes the device from Workspace ONE UEM. All the enterprise data contained on the device is removed, including MDM profiles, policies, and internal applications. The device returns to the state it was in before the installation of Workspace ONE UEM. |
| Locate Device | Activate the GPS feature to locate a lost or stolen device. This action is hidden when privacy settings are restrictive. |
| Lock Device/Screen | Locks the selected device so that an unauthorized user cannot access it, which is useful if the device is lost or stolen. End users can also use the GPS feature to locate the device. |
| Lock SSO | Lock the single sign-on passcode for apps on this device. The next SSO app opened prompts for a passcode. |
| Make Noise | Rind a device by remotely causing it to ring. |
| Resend Enrollment Message | Send another copy of the initial enrollment email, SMS, or QR code to the device intended to register. As a security feature, the email address that appears in the resend enrollment message form is read-only for accounts that enrolled with a token. |
| Send Message | Send a message using email, phone notification or SMS to the device. |
| Set Roaming | Set whether roaming is enabled for this device. |
| Sync Device | Outfit devices with the latest company policies, content, and apps. |
| View Enrollment Message | See the actual email, SMS, or QR code that comprised the initial enrollment message. As a security feature, this action is not available for accounts that enrolled with a token. |
Advanced Remote Actions
Advanced remote actions appear on the Advanced Actions subtab of the selected device in the self-service portal. The actions available depend upon enrollment status, device platform, and action permissions.
| Action | Description |
|---|---|
| Generate App Token | Generate a token that the device can use to access secure applications. |
| Manage Email | Manage devices connected to an email account. |
| Review Terms of Use | Review past terms of use for this account. |
| Revoke Token | Revokes the token for a selected application. |
| Upload S/MIME Certificate | Upload an S/MIME Certificate for a corporate email account. |
Select a Device in the SSP
After logging in to the SSP, the My Devices page displays all the devices associated with the account. Each enrolled device appears in its own tab across the top of the Self Service Portal page. Select the tab representing the device you want to view and manage.
The device status displays under the name of the device on the tab. Those statuses include Discovered, Enrolled, Pending Enrollment, Unenrolled, and Enterprise Wipe Pending.
Add a Device in the SSP
You can add a device directly from the self-service portal.
- Select Add Device on the My Devices page.
- Complete the required text boxes: Friendly Name, Platform, Device Ownership, and Message Type as applicable.
- Select Save to add the new device to the SSP account.
Note: The status of a newly added device sets to "Pending Enrollment" until enrollment concludes.
Device Information in the SSP
When a user logs in to the SSP, their primary device appears in the main viewer. The main view page displays basic information such as Enrollment Date, the Last Seen date, and the device Status.
The Go to Details button displays tabs containing information about the selected device under the selected user account.
- Summary – Displays summarized information for Compliance, Profiles, Apps, Content, Friendly Name, Asset Number, UDID number, and Wi-Fi MAC Address.
- A device friendly name can be edited directly from the Summary tab view by selecting the edit icon to the right of the Friendly Name text box.
Note: The Device Summary User role resource controls the visibility of the Summary tab in the SSP. If specific pieces of information are restricted from a user role's view by way of a deactivated resource such as Device Apps, Device Compliance, or Device Profiles, then corresponding information normally appearing on the Summary tab is also hidden. For detailed instructions on limiting resources for user and admin roles, see Create a New User Role and Create Administrator Role. - Compliance – Shows the compliance status of the device, including the name and level of all compliance policies that apply to the device.
- Profiles – Shows all the MDM profiles (including automatic profiles) sent to the devices enrolled under your user account. This tab also shows the status of each profile.
- Apps – Displays all applications installed on the selected device and provides basic app information.
- Security – Shows general security information about a particular device enrolled under your user account.
Token-Based Security Measures
As a security feature, the following changes apply to accounts that enroll with a token.
- Email Address and Phone Number on both the Add Device screen and Account screen are read-only.
- The View Enrollment Message action is unavailable.
Product Improvement Program Setting
The Self Service Portal includes the VMware Product Improvement Program, allowing you to impact the quality and effectiveness of our products. When enabled, this program tests only on usability data, which is essential to ensuring our customers’ real-world needs are being met.
You can opt in or opt out of the Product Improvement Program at any time by navigating to .
To learn more about this program, see https://resources.workspaceone.com/view/9yfkbk6r2pzldhjlhrz9.
