Configure Assist Admin User Access

To troubleshoot issues on end user devices or assist the users perform device tasks, the Workspace ONE Assist admins must be assigned custom roles with specific permissions set for the role.

Role-Based Access to Workspace ONE Assist

You can make customized roles based on Assist functionality and assign those roles to your admins, giving them varying level of access to Workspace ONE Assist's main features, including Remote View and Share Screen.

Roles specific to Workspace ONE Assist work the same as roles in Workspace ONE UEM. Roles are made of one or more resources (or permissions). Permissions specific to Workspace ONE Assist are included in the same pool of Workspace ONE UEM permissions.

Remote View Session Elevation

A role with the right combination of permissions can give your admins the ability to elevate the current Assist session, allowing them to go from using one client tool to using another in the middle of a session.

For example, if you make a role with the Remote View and Remote Control permissions, and assign that role to an admin, then that admin can start a Remote View session, provided the host device supports such functionality, and elevate that session to a remote control session simply by using the Share Screen.

Such elevation reflects the natural progression of many Remote View sessions, where the admin completes an initial troubleshooting phase only to discover they require the full range of abilities afforded to them by the Share Screen client tool.

Assign Role Permissions for Workspace ONE Assist Client Tools

You can add resources, or permissions, to the roles you assign to admins with the Workspace ONE UEM console so they can use Workspace ONE Assist to help users of supported devices.

In the Workspace ONE UEM console, navigate to Accounts > Administrators > Roles. You must select between creating a new role and modifying an existing role.
1. Create a New Role – Select the Add Role button. The Create Role screen displays. Complete the Name and Description options and proceed directly to step 2.
2. Modify an Existing Role – From the roles listing, locate the role you want to edit, and select the edit icon () that appears to the left of the listing. The Edit Role screen displays.
Select the Assist category, located in the left pane labeled Categories. All six Assist-related resources, or permissions, display in the right pane.
Enable the Allow check box for the specific permission you want to apply to the role.
- Remote View – "read only" view of the host device with the Remote View client tool.
- Remote Control – "edit" view or full access to the Share Screen client tool.
- File Manager – Full access to the Manage Files client tool.
- Registry Editor – Full access to the Registry Editor client tool.
- Remote Shell – Functionality includes both the Remote Shell client tool and the Command Line client tool.
- Unattended Access – Provides access to only Windows 10 devices in unattended mode. Unattended access for Android and Windows Mobile devices is handled using their respective dedicated agents.
- Session Collaboration - Enables a console user to invite additional participants into a Remote Assist session.
  Note:
  - The Unattended Access permission is enabled by default for the AirWatch Administrator and Console Administrator roles.
  - The Session Collaboration resource should be enabled by default for System Administrator, Airwatch Administrator, and Console Administrator roles.
Save the role.
Next, you must assign the role to your administrator. Navigate to Accounts > Administrators > List View and locate the Administrator you want to assign the role to.
Select the Edit icon () to the left of the administrator user name. The Add/Edit Admin screen displays.
Select the Roles tab.
Select the Add Role button. Two empty text boxes display, labeled Select Organization Group and Select Role.
Fill the Select Organization Group text box with the organization group (OG) in your org structure you want this role assignment to apply.
If your admin is in this OG or downline of this OG, then they gain the abilities of this role. If your admin moves above this OG, or upline of this OG, then they lose the abilities of this role. The higher the OG you select here, the more OGs your admin can apply the abilities of this role.
Fill the Select Role text box with the name of the role from step 1.
You can repeat Steps 8 through 10 to assign as many roles to an admin as you want.
Save the role assignment.

Agent Modes

You can connect to devices remotely using two distinct modes of the Workspace ONE Assist agent: Attended Mode and Unattended Mode. Given the enterprise use cases, ownership models, and privacy requirements, understanding the difference between these modes is the foundation of a best practice.

IT and Help Desk staff can use Workspace ONE Assist to support devices in myriad enterprise use cases. These cases include Knowledge Worker employees (Corporate-Owned Personally Enabled (COPE) or Bring Your Own Device (BYOD)), used for business-critical tasks (for example, inventory scanning, logistics) by shift working employees. Contractors with rugged devices and devices used by customers in kiosks are among other use cases.

It is important that Workspace ONE UEM be configured to deploy the correct Workspace ONE Assist client to each device based on these use cases and the privacy requirements and expectations for each device.

Attended Mode

Attended Mode is intended for devices where the Remote User can contain personal or sensitive information and the Remote User can have an expectation or a legal requirement of privacy. Customers generally deploy Attended Mode for BYOD and COPE devices, providing additional privacy protection. In Attended Mode, the user is more actively prompted to authorize access to the device and its information.

Attended mode is available on Android, iOS, macOS, and Windows 10 devices.
Windows 10 BYOD devices always default to attended mode connection.
Android BYOD devices and Windows 10 devices not connected to the Active Directory only support attended mode connection.
Attended mode is not available on Windows Mobile/CE and Linux devices.

Unattended Mode

Unattended Mode is intended for devices that do not contain personal information and might require maintenance or support by IT when there is no Remote User physically using the device (for example, when charging on a cradle between shifts, when in the depot because it was returned as defective, as a customer-facing kiosk). Customers generally deploy Unattended Mode for corporate owned Rugged/Business Critical and Kiosk devices.

There are no device notifications when using Workspace ONE Assist in unattended mode when a session is active. You are solely responsible for notifying device end users of the active remote management session.

Workspace ONE Assist uses device ownership information received during enrollment to recognize devices as corporate or personally owned. Unattended mode is not available to devices identified as personally owned or devices in a non-supervised configuration.

Unattended mode is available on Android, Windows 10, Windows Mobile/CE, and Linux devices.
Unattended mode is not currently available on macOS devices.

Note: On Samsung devices, a Knox permission must be accepted by the user when the application is first launched, even for devices in unattended mode.

Configure Unattended Access for Windows 10 Devices

Administrators must have the Unattended Access permission as part of their assigned role. For more information, see Assign Role Permissions for Workspace ONE Assist Client Tools.

Kiosk Mode and Long-Term Servicing Channel (LTSC) – With Assist 21.09, both attended and unattended modes for Windows 10 devices are supported on Kiosk Mode and LTSC. The admin can choose the mode of operation for assist. If the admin chooses unattended access, the admin has full control of the device.
When you are logged into the Admin profile in the attended mode, all Assist Client Tools become functional. While in Kiosk Profile, however, the following features are unsupported.
- Whiteboard
- Halo (On-Screen notifications and controls)
- Shortcuts (except Ctrl-Alt-Del)
Shared Terminals – Assist supports unattended access on Windows 10 devices that meet the following criteria:
- Domain joined
- Azure AD device joined
When you connect to a Windows 10 device that meets the above listed criteria, you can select the connection mode during an Assist session.
To start a session, search for the Windows 10 device from the Device List View in the Workspace ONE UEM console and pull up the Device Details. Select the Remote Assist button and choose the Screen Share tool. When the connection initiates, you can select between Attended Mode and Unattended Mode.
- If Attended Mode is selected, the connection proceeds to the PIN screen, and the end user is prompted to enter that PIN per the normal procedure.
- If Unattended Mode is selected, Workspace ONE Assist determines the state of the remote device.
  - If the device is being actively used, then end user is prompted to accept the remote session. The end user can allow or deny the session. If the end user does not respond for more than 30 seconds, Assist locks the end user out, saving any information they may have been working on. You are then presented with the Log In screen.
  - If the device is not in use, a connection is established, and you are presented with the Log In screen.
Note:
- On Screen notifications and Screen controls (Halo) are displayed on Windows 10 devices in Unattended Mode.
- A session that is initiated by choosing the File Manager or the Remote Shell tool, defaults to Attended mode.