Logging In to the Console

Before you can do anything in Workspace ONE UEM, you must first log in to the console.

Before you can log in to the Workspace ONE UEM console, you must have the Environment URL and log in credentials. How you obtain this information depends on your type of deployment.

SaaS Deployment – Your Account Manager provides your Environment URL and user name/password. The URL is not customizable, and generally follows the format of awmdm.com.
On-premises – The on-premises URL is customizable and follows the format awmdm.<YourCompany>.com.

Your Account Manager provides the initial setup credentials for your environment. Administrators who create more accounts to delegate management responsibility can also create and distribute credentials for their environment.

After your browser has successfully loaded the console Environment URL, you can log in using the User Name and Password provided by your Workspace ONE UEM administrator.

VMware Workspace ONE Login Screen

Enter your User Name.
- The Workspace ONE UEM console saves the user name and the type of user (SAML or non-SAML) in the browser cache.
  - If SAML user, admin is directed to SAML login.
  - If non-SAML user, admin must enter a password.
- If the Remember check box is enabled, then the User Name text box is pre-populated with the last logged-in user the next time you visit your Environment URL.
Enter your Password.
- If you are logging in for the first time, you are prompted for the login password. Enter it to proceed.
- If you have logged in before and you are allowing your default browser to remember user names and passwords, then the Password text box auto-completes with the password saved in the browser cache.
Select the Log In button.
- Your default home screen (which is customizable) opens upon login. Learn how to customize your home screen by visiting the section titled Header Menu in the Admin Console.

Password Expiration

Basic administrators are notified by email 5 days before their password expires with another email notification the day before. On-premises administrators can change this default 5-day period by navigating to Groups & Settings > All Settings > Admin > Console Security > Passwords while in the Global organization group. Dedicated SaaS administrators must contact support to make changes to this setting.

You can make a custom password expiration notification for your admins by navigating to Groups & Settings > All Settings > Devices & Users > General > Message Template and select ‘Administrator’ as the Category and ‘Admin Password Expiry Notification’ as the Type.

For information about Enrollment User Password Settings, which are managed separately from Admin Console Passwords, see the system settings page by navigating to Groups & Settings > All Settings > Devices & Users > General > Passwords.

Session Timeouts and Logouts

The Workspace ONE UEM console logs you out in two basic scenarios.

Explicit Logout (including closing the browser).
- If you have configured your default browser to remember your user name and password, then upon the next log in, the browser pre-populates the user name text box with the last user to log in successfully.
- If you have configured your browser to forget user names and passwords, then the user name and type of user (SAML / non-SAML) are wiped from the browser cache.
Session Timeout resulting from a session being inactive for a time period in excess of the number of minutes configured in the Forced Session Timeout limit or the Idle Session Timeout option, both in Session Management Settings (this amount of time includes load balancer issues).
- Non-SAML users log back in using a saved user name and selecting the Log In button.
- SAML users can log back into the console without any clicks.

Advanced troubleshooting often means having multiple sessions open under the same administrator account, either multiple tabs in the same browser or logins on multiple devices. This scenario means enabling the Allow Multiple Sessions option in Session Management Settings. In order to foster such troubleshooting sessions, while at the same time maintain a minimum level of security, the following rules apply.

All active admin sessions, whether in multiple browser tabs or mulitple devices, are extended so long as one of those sessions is actively maintained.
All sessions can remain active, however, if an amount of time elapses in excess of the number of minutes configured in the Idle Session Timeout option in Session Management Settings for all admin sessions, then all sessions associated with that admin account are terminated.

If you engage in this type of advanced troubleshooting that require multiple active sessions, consider configuring the Restricted Actions Settings.

Login Lockouts

System Administrators and AirWatch Administrators can configure the Maximum invalid login attempts before admins are locked out of the console by navigating to Groups & Settings > All Settings > Admin > Console Security > Passwords.

You are locked out from the UEM console in two scenarios: 1) when you make failed login attempts greater than the maximum number of invalid login attempts and 2) when you answer your password recovery question incorrectly three times while trying to reset your password.

When this happens, you must either reset your password using the troubleshooting link on the login page or you must get assistance from an admin to unlock your account using the Admin List View. You receive an email notification when your account is locked and again when it becomes unlocked.

Research Account Lockout Console Events

When Basic Administrator accounts are locked out or unlocked in Workspace ONE UEM, a console event is generated. Both events generate a logging level 5 (warning) event. In addition to reviewing the basic login history directly from Account Settings, you can research Admin account lockouts or unlock console events by taking the following steps.

Navigate to Monitor > Reports and Analytics > Events > Console Events.
Select “Warning and above” from the Severity drop-down filter at the top of the Console Event listing.
Select “Login” from the Category drop-down filter.
Select “Administration” from the Module drop-down filter.
Apply more filters as you might require including Date Range.

Manage Account Settings

VMware Workspace ONE UEM Manage Account Settings from the account drop down menu.

Administrators of Workspace ONE UEM have console specific account settings allowing you to configure user contact information, notification preferences, login history, and security configuration including password recovery.

Manage Account Settings: User

Ensure you can be reached by entering your personal information in the User tab including email, up to four different phone numbers, time zone, and locale.

Manage Account Settings: Notifications

Use the Notifications settings on the Account Settings page to enable or deactivate APNs Expiration alerts, select how to receive alerts, and change the email to which it sends alerts. For more information, see the section titled Configure Notifications Settings in Console Notifications.

Manage Account Settings: Logins

Review your entire login history including login date and time, the source IP address, login type, source applications, browser make and version, OS platform, and login status including successful logins and failed logins.

Manage Account Settings: Security

You can reset your login password, reset the password recovery questions, and reset your four-digit security PIN.

Manage Account Settings: Password

The Password accompanies your account user name when you log into the UEM console.

You can Reset this password at any time. When you reset your Workspace ONE UEM password, the session used to reset the password continues but you are logged out automatically from any other active session you might have running. When you reset another administrator’s password, the admin with the reset password is logged out of all active sessions, preventing unauthorized access to the system. This feature applies only to basic administrator accounts; third party authentication, such as AD credentials or IDP credentials, is not currently supported. For more information about password minimums and maximums, see Password Settings.

Manage Account Settings: Password Recovery Questions

The Password Recovery Questions are the method by which you reset your password. You must define this question together with its answer when you log in to the UEM console for the first time. You can select a new password recovery question by selecting the Reset button. This action logs out the user automatically. Upon logging back in, they are presented with the Security Settings screen where they are required to select from the list of Password Recovery Questions and supply the answer.

Admins who never selected a password recovery question and do not have a Reset button for Password Recovery Questions must have their accounts deleted and re-created. Upon logging in for the first time after their account is re-created, they are required to define a password recovery question and answer.

You are locked out from the login page when you answer a Password Recovery Question incorrectly more than three times. When this happens, you must reset your password using the troubleshooting link on the login page. Alternatively, you can get assistance from an admin to unlock your account using the Admin List View. You receive an email notification when your account is locked and again when it becomes unlocked.

Manage Account Settings: Security PIN

Establish security for the UEM console by creating a Security PIN. The PIN acts as a safeguard against accidentally wiping a device or deleting important aspects of your environment, such as users and organization groups. The Security PIN also works as a second layer of security. It presents an added point of authentication by blocking actions made by unapproved users.

When you first log in to the UEM console, you are required to establish a Security PIN.

Reset your security PIN every so often to minimize security risks.

Cookie Usage (viewable by VMware Cloud Services administrators only)

This partial screenshot shows the Username Account drop down menu when you are logged in to your VMware Cloud Services account, revealing a Cookie Usage selection, allowing you to configure them.

You can participate in the process of improving our services including support, recommendations, and user experience by enabling access to browser cookie-based product guides and analytics. You can opt-out by selecting Cookie Usage and deactivate the sliders for Enable Analytics and Enable Product Guides under the Pendo info card.

Pendo Tracking of UEM Admin Accounts (applicable to VMware Cloud Services administrators only)

As an administrator of VMware Cloud Services, you can track admin account activity only in customer type organization groups in Workspace ONE UEM. This tracking allows you to gain a broader understanding of product use.

Track all local UEM admins along with CSP admins.
Enable or disable tracking at a visitor level. Tracking is enabled by default.
Track data at customer type OG and visitor level.
No tracking at OGs above customer type OG.
One visitor can access multiple customer OGs, all of which are tracked.

Restrict UEM Console Actions

In a scenario when the console for Workspace ONE UEM console is left unlocked and unattended, an extra safeguard is provided against malicious actions that are potentially destructive. You can place those actions out of reach of unauthorized users in such a scenario.

Navigate to Groups & Settings > All Settings > System > Security > Restricted Actions.
Configure the Send Message to All setting. Enable this setting to allow a system administrator to send a message to all devices in your deployment from the Device List View. It can also be used to send a message to a specific group.

You can require that certain UEM console actions require admins to enter a PIN. Configure the Password Protect Actions by enabling or disabling the following actions.

Note: Denoted by * below, some actions always require a PIN and as a result cannot be deactivated.

Setting	Description
Admin Account Delete	Prevents the deletion of an admin user account in Accounts > Administrators > List View.
*Regenerate VMware Enterprise Systems Connector Certificate	Prevents the regeneration of the VMware Enterprise Systems Connector certificate in Groups & Settings > All Settings > System > Enterprise Integration > VMware Enterprise Systems Connector.
*APNs Certificate Change	Prevents the disabling of APNs for MDM in Groups & Settings > All Settings > Devices & Users > Apple > APNs For MDM.
Application Delete/Deactivate/Retire	Prevents the deletion, deactivation, or retirement of an application in Apps & Books > Applications > List View.
Content Delete/Deactivate	Prevents the deletion or deactivation of a content file in Content > List View.
*Data Encryption Toggle	Prevents the Encryption of user information setting in Groups & Settings > All Settings > System > Security > Data Security.
Device Delete	Prevents the deletion of a device in Devices > List View. Admin security PIN is still required for bulk actions even when this setting is deactivated.
*Device Wipe	Prevents any attempt to perform a device wipe from the Device List View or Device Details screens.
Enterprise Reset	Prevents any attempt to perform an enterprise reset on a device from the Devices Details page of a Windows Rugged, Rugged Android, or QNX device.
Enterprise Wipe	Prevents any attempt to perform an enterprise wipe on a device from the Devices Details page of a device.
Enterprise Wipe (Based on User Group Membership Toggle)	Prevents any attempt to perform an enterprise wipe on a device when it is removed from a user group. This setting is an optional setting that you can configure under Groups & Settings > All Settings > Devices & Users > General > Enrollment on the Restrictions tab. If you Restrict Enrollment to Configured Groups on this tab, you then have the added option of performing an enterprise wipe a device when it is removed from a group.
*Organization Group Delete	Prevents any attempt to delete the current organization group from Groups & Settings > Groups > Organization Groups > Organization Group Details.
Profile Delete/Deactivate	Prevents any attempt to delete or deactivate a profile from Devices > Profiles & Resources > Profiles.
Provisioning Product Delete	Prevents any attempt to delete a provisioning product from Devices > Provisioning > Products List View.
Revoke Certificate	Prevents any attempt to revoke a certificate from Devices > Certificates > List View.
*Secure Channel Certificate Clear	Protects from any attempt to clear an existing secure channel certificate from Groups & Settings > All Settings > System > Advanced > Secure Channel Certificate.
User Account Delete	Prevents any attempt to delete a user account from Accounts > Users > List View.
Change in Privacy Settings	Prevents any attempt to alter the privacy settings in Groups & Settings > All Settings > Devices & Users > General > Privacy.
Delete Telecom Plan	Prevents the deletion of a telecom plan in Telecom > Plan List.
Override Job Log Level	Prevents attempts to override the currently selected job log level from Groups & Settings > Admin > Diagnostics > Logging. Overriding the Job Log Level is useful when a device or group of devices is having an issue. In this case, the admin can override those device settings by forcing an elevated log level to Verbose, which logs the maximum level of console activity, making it ideal for troubleshooting.
*App Scan Vendor Reset/Toggle	Prevents the resetting (and subsequent wiping) of your app scan integration settings. This action is performed in Groups & Settings > All Settings > Apps > App Scan.
Shut Down	Prevents any attempt to shut down the device in Devices > List View > Device Details.
Maximum invalid PIN attempts	Defines the maximum number of invalid attempts at entering a PIN before the console locks down. This setting must be between 1 and 5.

Select Password Protect Actions

Restricted Console Actions provide an added layer of protection against malicious actions that are potentially destructive to your Workspace ONE UEM console.

Configure settings for restricted actions by navigating to Groups & Settings > All Settings > System > Security > Restricted Actions.
For each action you protect by requiring admins to enter a PIN, select the appropriate Password Protect Actions button for Enabled or Deactivated as appropriate.

This requirement provides you with granular control over which actions you want to make more secure.

Note: Some actions always require a PIN and as a result cannot be deactivated. Denoted by * following.

Set the maximum number of failed attempts the system accepts before automatically logging out the session. If you reach the set number of attempts, you must log into the Workspace ONE UEM console and set a new security PIN.

Setting	Description
Admin Account Delete	Prevents the deletion of an admin user account in Accounts > Administrators > List View.
Regenerate VMware Enterprise Systems Connector Certificate	Prevents the regeneration of the VMware Enterprise Systems Connector certificate in Groups & Settings > All Settings > System > Enterprise Integration > VMware Enterprise Systems Connector.
*APNs Certificate Change	Prevents the disabling of APNs for MDM in Groups & Settings > All Settings > Devices & Users > Apple > APNs For MDM.
Application Delete/Deactivate/Retire	Prevents the deletion, deactivation, or retirement of an application in Apps & Books > Applications > List View.
Content Delete/Deactivate	Prevents the deletion or deactivation of a content file in Content > List View.
*Data Encryption Toggle	Prevents the Encryption of user information setting in Groups & Settings > All Settings > System > Security > Data Security.
Device Delete	Prevents the deletion of a device in Devices > List View. Admin security PIN is still required for bulk actions even when this setting is deactivated.
*Device Wipe	Prevents any attempt to perform a device wipe from the Device List View or Device Details screens.
Enterprise Reset	Prevents any attempt to perform an enterprise reset on a device from the Devices Details page of a Windows Rugged, Rugged Android, or QNX device.
>Enterprise Wipe	Prevents any attempt to perform an enterprise wipe on a device from the Devices Details page of a device.
Enterprise Wipe (Based on User Group Membership Toggle)	Prevents any attempt to perform an enterprise wipe on a device when it is removed from a user group. This setting is an optional setting that you can configure under Groups & Settings > All Settings > Devices & Users > General > Enrollment on the Restrictions tab. If you Restrict Enrollment to Configured Groups on this tab, you then have the added option of performing an enterprise wipe a device when it is removed from a group.
*Organization Group Delete	Prevents any attempt to delete the current organization group from Groups & Settings > Groups > Organization Groups > Organization Group Details.
Profile Delete/Deactivate	Prevents any attempt to delete or deactivate a profile from Devices > Profiles & Resources > Profiles.
Provisioning Product Delete	Prevents any attempt to delete a provisioning product from Devices > Provisioning > Products List View.
Revoke Certificate	Prevents any attempt to revoke a certificate from Devices > Certificates > List View.
*Secure Channel Certificate Clear	Protects from any attempt to clear an existing secure channel certificate from Groups & Settings > All Settings > System > Advanced > Secure Channel Certificate.
User Account Delete	Prevents any attempt to delete a user account from Accounts > Users > List View.
Change in Privacy Settings	Prevents any attempt to alter the privacy settings in Groups & Settings > All Settings > Devices & Users > General > Privacy.
Delete Telecom Plan	Prevents the deletion of a telecom plan in Telecom > Plan List.
Override Job Log Level	Prevents attempts to override the currently selected job log level from Groups & Settings > Admin > Diagnostics > Logging. Overriding the Job Log Level is useful when a device or group of devices is having an issue. In this case, the admin can override those device settings by forcing an elevated log level to Verbose, which logs the maximum level of console activity, making it ideal for troubleshooting.
*App Scan Vendor Reset/Toggle	Prevents the resetting (and subsequent wiping) of your app scan integration settings. This action is performed in Groups & Settings > All Settings > Apps > App Scan.
Shut Down	Prevents any attempt to shut down the device in Devices > List View > Device Details.
Maximum invalid PIN attempts	Defines the maximum number of invalid attempts at entering a PIN before the console locks down. This setting must be between 1 and 5.

Configure Required Notes for Action

You can require administrators to enter notes using the Require Notes check box and explain their reasoning when performing certain Workspace ONE UEM console actions.

Navigate to Groups & Settings > All Settings > System > Security > Restricted Actions.

If you require that your admins enter a note before taking any of these actions, make sure that you modify the role with the Add Note resource (permission).

For more information, see the section titled Create Administrator Role in Role Based Access.

Setting	Description
Lock Device	Require a note for any attempt to lock a device from Device List View or Device Details.
Lock SSO	Require a note for any attempt to lock an SSO session from Device List View or Device Details.
Device Wipe	Require a note for any attempt to perform a device wipe from Device List View or Device Details.
Enterprise Reset	Require a note for any attempt to enterprise reset a device from the Device Details page of a Windows Rugged or Rugged Android device.
Enterprise Wipe	Require a note for any attempt to perform an enterprise wipe from Device Details.
Override Job Log Level	Require a note before attempts to override the default job log level from Groups & Settings > Admin > Diagnostics > Logging.
Reboot Device	Require a note before a reboot attempt from Devices > List View > Device Details.
Shut Down	Require a note before a shut down attempt from Devices > List View > Device Details.