Create a Blueprint

You can create Workspace ONE Express blueprints quickly and easily by following the step-by-step blueprint wizard. You can opt out of the blueprint creation process at any time. The wizard saves your progress, allowing you to pick up where you left off.

1. From the main menu, navigate to Blueprints > List View and select the Add Blueprint button.
   • Select between Mobile (iOS/Android) and Window. Express+ Only.
2. Complete the Name text box, which is the label that appears in the Blueprint listing.

Add Applications

After you name the blueprint, include apps so your users have access to the apps they need.

This step is optional and you can skip ahead by selecting Continue to Resources. You can select the discard apps selection at any time to return to Create a Blueprint. You can also close the entire blueprint creation session by selecting the X. Your progress is saved automatically.

1. Select Add App.
2. Select the Type of App to add: Add Public App, Add Web App, and Configure Office 365 (Express+ Only).
   • Add Public App

     Add an app available in any of the major app stores to your blueprint. Select among Android, Apple, and Windows Desktop.

   • Add Web App

     Add an app that links to a specific website, such as email, wiki, or online auction house.

     • You must supply the URL, Name, and App Delivery method, described in step 4.
     • When adding an application using a Google Play Store URL, additional information such as name and application icons cannot be retrieved.
     • Optionally, you can Upload Icon representing the Web app manually. Express+ users are limited to uploading icons for Android and iOS Web Apps only.
     • Android Enterprise devices must be running Android 8.0 (Oreo) or later to use Web Apps.
   • Configure Office 365 (Express+ Only)

     You must upload the XML file that contains the Office 365 configuration settings for your Windows devices (Express+ Only). You can visit config.office.com to generate an XML file that configures Office 365 to your needs.

3. Select the Platforms and Country in which the app is used.

   This selection determines where Workspace ONE Express searches for the app.

4. Search the applicable app stores for the apps you want to add. For Android apps from the Google Play Store, you must copy and paste the URL into the App URL field.
   • Apps from the Google Play Store for Android Enterprise must be approved before you can add them to a Blueprint.
   1. Select the green Approve button in the app listing of the Google Play Store.

      Result: A separate popup window displays containing a list of elements the app has access to.

   2. Review this access list and select Approve again to proceed and add the app to the Blueprint. Alternatively, select Cancel to deny the app from your Blueprint.
   3. If you approved the app for your Blueprint, another popup window displays containing Approval Settings and Notifications. Select the settings and notification options you want to enable and select Save to apply these settings to the app.
5. Once you have located and approved the app, you must select how you want the app to be delivered.
   • On Demand: users download

     The user must download the app to the device. This option reduces the time it takes to push the blueprint to devices. However, it also means that the user can opt out of installing the app.

   • Automatic: system push

     The app installs when the blueprint gets pushed to devices. This option increases the time it takes to push the blueprint to devices but it means that the app installs automatically.

     Only Android and Apple offer these options. Users must download apps from the Windows Store.

6. Select Continue to save your settings and proceed to the next step.

   You can alternatively go back and add another app type from step 2.

Add Resources

After you have added applications, you can include email and Wi-Fi configuration settings in your Workspace ONE Express blueprints, enabling users to receive email and connect to network resources. This step is optional. Select Continue to skip this section.

1. Select Configure to complete the Email settings.

   Setting	Description
   Account Name	Enter the unique name of the email account, for example, Secure Corporate Email.
   Exchange ActiveSync Host	Enter the domain name of the Exchange ActiveSync Host that your devices connect with to send and receive email.
   Use SSL	Select to enable Secure Socket Layer for your email configuration.
   Domain	Enter the login domain by which Workspace ONE Express recognizes the user email. The default is the {EmailDomain}, entered as a lookup value. A lookup value is a variable that represents the user or the device. In this case, the domain the blueprint uses to log the user in is the email domain. The advantage to using a lookup value over entering a static text domain is that users do not necessarily all have the same email domain. No matter what email domain each user uses to retrieve their email, the lookup value represents that user (or device) accurately.
   User name	Enter the login user name. The default is {EmailUserName} lookup value.
   Email Address	Enter the login email address. The default is {EmailAddress} lookup value.

2. Select Configure to complete the Wi-Fi settings.

   Setting	Description
   Service Set Identifier (SSID)	Enter a unique identifier for the wireless access point.
   Hidden Network	Select whether you want the network access point to be visible in the Wi-Fi listing.
   Auto-join	Select whether you want authenticated devices to be automatically joined upon return to the Wi-Fi hot spot.
   Security Type	Select the type of wireless network encryption: None, WEP (unsupported in Express+), WPA, and WPA2.
   Password	Enter the wireless network password. Select the Show Characters check box to replace the redacted password entry and view the password as entered. This setting is only available when you make a Security Type selection.

3. When finished configuring the settings, select Continue to save your settings and move to the next step, Policies.

Add Policies (Available in Express+ but for Mobile Blueprints only): Device Feature

• Allow use of camera.
• Allow use of Bluetooth.
• Allow use of AirDrop/Near Field Communication (NFC).
• Allow use of Siri or Cortana.
• Allow Device Wipe.
• Allow use of Google/iCloud Backup.

Add Policies (Available in Express+ but for Mobile Blueprints only): Application

• Allow access to the App store.
• Allow use of YouTube – Grant access to YouTube. For Apple devices, applicable only to iOS 5.0 and earlier.
• Allow use of Game Center – Grant your users to access Apple's social gaming network.
• Allow untrusted applications – Enable your users to install apps from a non-official repository of apps such as App Store, Microsoft Store, and Google Play.
• Allow Native Browser.

Add Policies (Available in Express+ but for Mobile Blueprints only): Data Loss Prevention

• Allow screen capture.
• Allow copy/paste between applications.
• Allow SD Card.
• Allow unmanaged use of managed document – Managed documents refers to corporate assets. Enable this setting to allow your users to open and edit corporate content with unmanaged apps. For example, opening a Word Document using Google Docs instead of MS Word).
• Do Not require device encryption – Remove the requirement for device encryption, a secure data storage methodology.

Add Policies (Available in Express+ but for Mobile Blueprints only): Passcode

After you have added resources to the blueprint, you can define how the device is used while being managed. This definition includes a passcode requirement, length, and complexity of the passcode. This step is optional.

1. Complete each of the policy settings that reflect your security concerns and operating norms.

   Not all options are applicable to all platforms. Consult the charts on this page in the section entitled Android Policy Support.

2. Insert check marks to enable each applicable policy setting.

   Setting	Description
   Require Passcode	Select whether to require a passcode for the device.
   Minimum Passcode Length	Select the minimum passcode length from 4 to 16 characters.
   Auto-Lock (in min)	Select the time in minutes that the device automatically locks.
   Maximum Number of Failed Attempts	Select the number of times the user can fail to authenticate before locking the device.
   Password Complexity	Select the complexity of the password, between Simple and Alphanumeric characters.
   Maximum Password Age (days)	Select the number of days before the user must change their password.

3. After completing each of the sections, select Continue to proceed to the next step, adding users and user groups.

Add Policies (Available in Express+ but for Mobile Blueprints only): Android Support

Given the divergent nature of the Android platform, Workspace ONE Express support for resources and policies sometimes depends upon a device-specific application programming interface (API). The original equipment manufacturer (OEM) authors this API.

Add Configurations (Express+ Only): Personalization

This section of the Blueprint configuration enables you to customize the background and lock screen image and personalizing the start layout.

1. Select the Configure button under Personalization.
2. Configure the Images settings.

   Setting	Description
   Desktop Image	Select Upload to add an image to use as the desktop background.
   Lock Screen Image	Select Upload to add an image to use as the lock screen background.

3. Configure the Start Layout settings.

   Upload a start layout XML. This XML file overrides the default start menu layout and prevents users from changing the layout. You can configure the layout of tiles, the number of groups, and the apps in each group. You must create this XML yourself. For more information on creating a start layout XML, see https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout.

Add Configurations (Express+ Only): Windows Update

This section of the Blueprint configuration enables you to direct how your Windows device updates itself.

1. Select the Configure button under Windows Updates.
2. Configure the Branching and Deferral settings.

   Setting	Description
   Update Branch	Select the update branch to follow for updates. Windows Insider Branch - Slow Windows Insider Branch - Fast Release Windows Insider Build Semi-Annual Channel (Targeted) Device receives all applicable feature updates immediately after the release of a new Windows version. Consider using this channel for your testing process. Semi-Annual Channel This channel is the phase following targeted deployment. Consider using this channel after your testing process provides successful findings.
   Defer Feature Updates Period in Days	Select the number of days to delay feature updates before installing the updates on the device. The maximum number of days you can defer an update changed in Windows version 1703. Devices running a version before 1703 can only defer for 180 days. Devices running a version after 1703 can defer up to 365 days. If you defer an update for longer than 180 days and push the profile to a device running a version of Windows before the 1703 update, the profile fails to install on the device.
   Pause Feature Updates	Enable to pause all feature updates for 60 days or until deactivated. This setting overrides the Defer Feature Updates Period in Days setting. Use this option to delay an update that causes issues that can normally install following your deferral settings.
   Defer Quality Updates Period In Days	Select the number of days to delay quality updates before installing the updates on the device.
   Pause Quality Updates	Enable to pause all quality updates for 60 days or until deactivated. This setting overrides the Defer Quality Updates Period in Days setting. Use this option to delay an update that causes issues that can normally install following your deferral settings.

3. Configure the Update Installation Behavior settings.

   Setting	Description
   Automatic Updates	Set how updates from the selected Update Branch are handled. Install Updates Automatically. Install Updates but Let User Schedule the Computer. Install Updates Automatically and Restart at Specified Time. Install Updates Automatically and Prevent User from Modifying Control Panel Settings. Check for Updates but Let User Choose Whether to Download and Install Them. Never Check for Updates.
   Active Hours Start Time	Active Hours is the time when the system is prevented from rebooting the device. Enter the start time for active hours.
   Active Hours End Time	Enter the end time for active hours.
   Schedule Restart Warning in Hours	Allows the IT administrator to schedule the number of hours the user has before their device is automatically restarted due to an update.
   Schedule Imminent Restart Warning in Minutes	Allows the IT administrator to select the number of minutes the user has to prepare for an imminent device restart.

4. Configure the Update Policies settings.

   Setting	Description
   Dual Scan	Dual Scan is a setting designed for environments that prefer Windows Update (WU) to be the primary update source while Windows Server Update Services (WSUS) provides all other content. It avoids the 'two masters' problem of having more than one official update source by categorizing updates. Enabling this setting causes the client to only accept WSUS updates that are unrelated to the "Windows" family of products, relying solely on WU for this type of update.
   Mobile Operator App Download Limit	Specifies whether to ignore the Mobile Operator download limit over a cellular network for apps and their updates.
   Mobile Operator Update Download Limit	Specifies whether to ignore the Mobile Operator download limit over a cellular network for OS updates.

Add Security (Express+ Only): Password

This section of the Blueprint configuration enables you to customize password settings including complexity, minimum length, among many others.

Add Security (Express+ Only): Restrictions

Select from options including allowing (or disallowing) devices to unenroll, location service use, diagnostic and telemetry data use, sign-in options, VPN, bluetooth, camera, Cortana, USB storage, application use settings, and network settings.

1. Configure the Administration settings.

   Settings	Description
   Allow MDM Unenrollment	Allow the end user to unenroll from Workspace ONE Express manually through the Workplace/Work Access enrollment. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.

2. Configure the Security & Privacy settings.

   Settings	Description
   Location	Select how location services run on the device. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.
   Send Diagnostic and Usage Telemetry Data	Select the level of telemetry data to send to Microsoft. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.

3. Configure the general Settings.

   Settings	Description
   Allow User to Change Sign-In Options	Allow the user to change the Sign-In Options. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.
   VPN	Allow the user to change the VPN settings. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.
   Allow User to Change Workplace Settings	Allow the user to change Workplace settings and change how MDM functions on the device. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.
   Allow the User to Change Account Settings	Allow the user to change Account settings. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.

4. Configure the Bluetooth settings.

   Settings	Description
   Bluetooth	Allow the use of Bluetooth on the device. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.

5. Configure the Device Functionality settings.

   Settings	Description
   Camera	Allow access the camera function of the device. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.
   Cortana	Allow access to the Cortana application. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.
   Smart Screen	Enable to allow the end user to use the Microsoft SmartScreen feature, which is a form of security requesting the end user to draw shapes on an image to unlock the device. This option also allows end users to use PINs as their passcode. Note: After you deactivate this function, you cannot re-enable it through Workspace ONE UEM MDM. To re-enable it, you must factory reset the device. The restriction does not apply to Windows Home edition devices.
   USB Storage	Enable to allow the connection of USB storage devices.

6. Configure the Applications settings.

   Settings	Description
   Allow Non-Windows Store Applications	Allows the downloading and installation of applications not trusted by the Microsoft Store. This restriction applies to all Windows devices.
   Allow App Store Auto Updates	Enable to allow apps downloaded from the Microsoft Store to update automatically when new versions are available. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.
   Allow Developer Unlock	Allows the use of the Developer Unlock setting for sideloading applications onto devices. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.
   Allow DVR & Game Broadcasting	Enable to allow the recording and broadcasting of games on the device. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.

7. Configure the Network settings.

   Setting	Description
   Allow Auto Connect to Wi-Fi Hotspots	Enable to allow the device to connect to Wi-Fi hotspots automatically using the Wi-Fi Sense functionality. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.
   Allow Cellular Data On Roaming	Enable to allow cellular data use while roaming. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.
   Allow Internet Sharing	Enable to allow Internet sharing between devices. This restriction applies to Windows devices only and is not supported for Windows Home edition devices.

Add Security (Express+ Only): Encryption

Select from several encryption options such as whether to encrypt the entire hard disk or the system partition, encryption method (default or multiple 128-bit and 256-bit options), and BitLocker Authentication settings.

1. Complete the Configure Encryption settings.

   Settings	Descriptions
   Encrypted Volume	Use the drop-down menu to select the type of encryption as follows. Complete Hard Disk – Encrypts the entire hard disk on the device, including the System Partition where the OS is installed. System Partition – Encrypts a partition or drive in the same location Windows is installed and from which it starts.
   Encryption Method	Select the encryption method for the device. These settings are only supported on Windows 1511 and later.
   Only Encrypt Used Space During Initial Encryption	Enable to limit the BitLocker encryption to only the used space on the drive at the time of encryption.
   Force Encryption	Enable to force encryption on the device. This enforcement means that the device immediately re-encrypts if BitLocker is manually deactivated. Consider disabling this setting to prevent issues during upgrades or Enterprise Wipes.

2. Configure the BitLocker Authentication Settings.

   Authentication Mode	Select the method for authenticating access to a BitLocker encrypted device. TPM – Uses the devices Trusted Platform Module. Requires a TPM on the device. Password – Uses a password to authenticate.
   Enforce Encryption PIN on Login	Select the check box to require users to enter a PIN to unlock the device. This option locks out the OS startup and auto-resumes from suspend or hibernate until the user enters the correct PIN. To remove an existing pre-authorization PIN from an enrolled device, the end user must decrypt their device and re-encrypt with the updated encryption profile.
   Use Password if TPM Not present	Select the check box to use a password as a fallback to decrypt the device if the TPM is unavailable. If this setting is not enabled, any devices without a TPM do not encrypt.

Add Security (Express+ Only): Firewall

Configure how the firewall behaves when connected to Domain, Private, and Public networks.

Add Security (Express+ Only): Defender

You can make Windows Defender a part of your Blueprint by enabling and configuring its use on Windows device. Options include threat default actions, selecting how much CPU to devote to a scan, enabling full scans and quick scans, and how long to wait before quarantined files are discarded.

1. Configure the Real-Time Monitoring settings.

   Setting	Description
   Real-time Monitoring	Enable to activate the real-time monitoring component of Defender.

2. Configure the Exclusions settings.

   Setting	Description
   Exclusions	Select the Add New button to exclude a Path, a file Extension, or a Process from Defender scans.

3. Configure the Threat Default Action settings to determine the default action when Defender encounters various levels of threat: Low, Moderate, High, and Severe.
   • Not Configured
   • Clean – Select to clean the issues with the threat.
   • Quarantine – Select to separate the threat into a quarantine folder.
   • Remove – Select to remove the threat from the device.
   • Allow – Select to allow the threat to stay.
   • User Defined – Select to allow the user decide how the threat is handled.
   • Block – Select to block the threat from accessing the device.
4. Configure the Advanced settings.

   Setting	Description
   Scan Avg CPU Load Factor (%)	Allows you to set the average CPU load factor as a percentage, limiting the CPU load Defender is allowed to use during scans. The larger this number, the faster Defender can complete scans, but at the same time, the fewer CPU cycles are available for other tasks.
   Catchup Full Scan	Enable to allow the running of a full scan that was interrupted or missed previously. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the device was turned off at the scheduled time.
   Catchup Quick Scan	Enable to allow the running of a quick scan that was interrupted or missed previously.
   Remove Quarantined Files After	Set how long files are kept in quarantine before being deleted permanently.

Add Security (Express+ Only): BIOS

If you are a Dell customer, you can incorporate BIOS updates into the Blueprints for your Windows devices from Dell.

1. Configure the Security settings.

   Setting	Description
   BIOS Password	Enter the password used to unlock the BIOS of the device. This text box is required.
   TPM Chip	Select Enable and enable the device Trusted Platform Module chip.

2. Configure the Boot settings.

   Setting	Description
   Boot Mode (drop-down menu)	Select whether the device starts in BIOS or UEFI mode.
   Boot Mode Protection (check box)	Safeguards the start settings of a device when Boot Mode is changed. Disabling Boot Mode Protection can prevent the currently installed operating system from booting if Boot Mode is changed.
   Secure Boot	Select Enable and use Secure Boot settings on the device. You cannot deactivate Secure Boot with DCM. If your devices already use Secure Boot, you must manually deactivate the settings on the device. Secure Boot requires Boot Mode to be set to UEFI and Legacy Option ROMS to be set to Deactivate.
   Legacy Option ROMS	Select Enable and allow the use of legacy option ROMS during the boot process.

3. Configure the Virtualization settings.

   Setting	Description
   CPU Virtualization	Select Enable and allow hardware virtualization support.
   Virtualization IO	Select Enable and allow input/output virtualization.
   Trusted Execution	Select Enable and allow the device to use the TPM chip, CPU Virtualization, and Virtualization IO for trust decisions. Trust Execution requires the TPM Chip, CPU Virtualization, and Virtualization IO settings to be set to Enabled.

Add Groups to a Blueprint

Use the Add Group button to search for existing directory-based user groups to assign Workspace ONE Express blueprints to users and their devices.

1. Complete the group settings.

   Setting	Description
   Directory Name	Read-only option displaying the address of your directory services server.
   Domain	The domain automatically populates based on the directory services server information you enter on the Directory Services page (System > Enterprise Integration > Directory Services).
   Group Base DN	The group base distinguished name is used as a starting point for the user group search. Information in this setting populates automatically based on the Domain setting.
   Group Name	Identify the name of a user group in your active directory and select Search to search for it. If a directory group contains your search text, a list of group names displays. Select a Group Name from your Search Results list.

2. Select Add Group to add the user group to the list of users and user groups to be added to the blueprint.
3. Once your list of users and user groups is complete, select Continue to save your settings and apply your users to the blueprint.
4. Select Publish to finalize and push the blueprint out to user devices. You can return to the Blueprints listing to edit your blueprint configurations at any time.

Add New Users to a Blueprint

When users enroll their devices, they receive all the applications, resources, and policies from the blueprint.

You can add Workspace ONE Express users to a blueprint as Basic users or Directory users.

1. Select Add User.

   You must choose between adding Basic users and adding Directory users.

   1. For Basic users, fill out the user information, making sure to select 'Basic' as the Security Type.
   2. For Directory users, fill out the user information, making sure to select 'Directory' as the Security Type.
2. After all the settings have been selected, add the Basic or Directory user to the blueprint by selecting Add User at the bottom of the page.

   You can assign multiple blueprints to users.

   Applications and resources that are unique to the assigned blueprint are installed on the user device. Applications and resources that are duplicated across multiple blueprints do not get duplicated on the device.

Add Existing Users to a Blueprint

How Do You Migrate Blueprints for Android Enterprise

You can migrate any Workspace ONE Express Blueprint you published before configuring Android EMM Registration to ensure that the Blueprint is pushed to your enrolled Android Enterprise devices.

1. Navigate to Blueprints > List View and locate the Blueprint you want to migrate.
2. Select the App tile and begin migrating applications.

   Applications for Android Enterprise require an approval process. Therefore, any applications you added to Android Blueprints before registering with Android Enterprise must be searched for in the Google Play Store, downloaded again, and readded to the migrated Blueprint.

   1. Select the Add App button.
   2. Select the Add button under Public App. Web applications do not need to be migrated.
   3. Select the check mark for Android and deselect the check marks for Apple and Windows Desktop.
   4. Enter the name of the application to be readded in the text box and select Search.

      Results: Search results display from the Google Play Store.

   5. Select the specific application you want to add to the Blueprint and select the green Approve button.

      Results:A separate popup window displays containing a list of elements the application has access to.

   6. Review this access list and select Approve again to proceed and add the application to the Blueprint.
   7. Another popup window displays containing Approval Settings and Notifications. Select the settings and notification options you want to enable and select Save to add the application to your Blueprint.
   8. Set App Delivery by selecting On Demand or Automatic.
   9. Select Done, select View Applications, then select Done again.

      This process consolidates the old application and the new, readded application into one, single application which is then pushed to both Android Enterprise and legacy Android devices.

3. Select the Resources panel and begin migrating Email and Wi-Fi resources.
   1. Select Edit and change the existing Email configuration.

      Results:The Configure Microsoft Exchange ActiveSync Email screen appears. You are not required to change any of the options to migrate it. You only have to load it and immediately save it.

   2. Select Save Changes.
   3. Do the same thing for Wi-Fi resources. Select Edit and immediately select Save Changes.
4. Select the Policies panel and begin migrating the policy configuration.
   1. Just like before, you must only select Edit Policies and immediately select Save Changes.

Results:You have successfully migrated a Blueprint you made for devices enrolled as Android (Legacy) and applied it to devices enrolled as Android Enterprise.