Android Device Management with Workspace ONE UEM

After your devices are enrolled and configured, manage the devices using the Workspace ONE UEM console. The management tools and functions enable you to keep an eye on your devices and remotely perform administrative functions.

You can manage all your devices from the UEM console. The Dashboard is a searchable, customizable view that you can use to filter and find specific devices. This feature makes it easier to perform administrative functions on a particular set of devices. The Device List View displays all the devices currently enrolled in your Workspace ONE UEM environment and their status. You can filter the list view specific to Android and see how devices are being managed in a a glance.

Using the Device Details Page

The Device Details page provides device-specific information such as profiles, apps, Workspace ONE Intelligent Hub version and which version of any applicable OEM service currently installed on the device. You can also perform remote actions on the device from the Device Details page that are platform-specific.

You can access the Device Details page by either selecting a device’s Friendly Name from the Device Search page, from one of the available Dashboards or by using any of the available search tools with the Workspace ONE UEM console.

Enrollment Status in Device Details

There are some cases when the Device Details page does not update the enrollment status due to actions performed locally on the device.

Here are some scenarios:

• When a user performs a factory reset from the Settings app on their device, the enrollment status is not updated in the UEM console.
• If a user removes the work profile from the Settings app on their device, the enrollment status is not updated in the UEM console.
• The enrollment status is not updated after the limit of failed work profile or device passcode is reached which triggers a work profile or device wipe depending on the enrollment mode:
  • On Work profile, the work profile is wiped.
  • On COPE and Fully Managed devices, the whole device is wiped.

If Devices are in Power Saving Mode

Android devices running Android M use power saving options for idle apps and devices. If a user unplugs a device and leaves it stationary, with its screen off, for a period of time, the device goes into Doze mode, where it attempts to keep the device in a sleep state. There will be no network activity during this time.

Additionally, App Standby mode allows the device to determine that an app is idle when the user is not actively using it. When devices are in either state, the Workspace ONE UEM console will not receive reports on device details. When the user plugs a device in to charge or opens an app, the device will resume normal operations and reporting from AirWatch apps installed on the device to the Workspace ONE UEM console resumes.

Direct Boot for Android Devices**

Direct Boot mode is when the device has been powered on but the user has not unlocked the device. When in this state, apps cannot run normally. Apps, such as Workspace ONE Intelligent Hub for Android, are not able to send samples to the UEM console or perform supported functionality when the device is in this state.

Direct Boot affects devices enrolled in Work Profile Mode differently. The Work Profile is still locked in Direct Boot mode until the Work Profile is unlocked by entering the Work Profile passcode, if one exists. In this way, apps outside the Work Profile may be able to function normally if the device is unlocked, but apps within the Work Profile may still be locked in Direct Boot mode until the Work Profile is unlocked by the user.

When a device is locked during Work Profile enrollment mode, the Work Profile lock screen supports the “Forgot my Password” button for Android 11 devices that have separate device and work profile passwords.

When a user selects “Forgot my Password”, they are prompted to contact their IT admin. Selecting “Forgot my Password” the button also starts the Work Profile in direct boot (locked) mode, allowing your DPC to complete the steps to perform a secure Work Profile passcode reset.

Supported Android Device Commands By Enrollment Mode

This matrix shows you the available device commands by enrollment mode.

Note: The Clear Passcode command while in direct boot is only supported with FCM (Firebase Cloud Messaging). AWCM is not supported.

Note: The Lock Command for COPE Android 11 or later devices only locks the Work Profile not the entire device.

The asterisk denotes which commands are supported while devices are in Direct boot.

Device Command	Work Managed Device Mode	Work Profile	COPE (Android 8.0-Android 10)	COPE Android 11+
Device Query	✓	✓	✓	✓
Send	✓	✓	✓	✓
Lock	✓	✓	✓	✓
Clear Passcode
Clear Device Passcode	✓*		✓
Clear Work Profile Passcode		✓	✓*	✓*
Generate App Token	✓	✓	✓	✓
Management
Change Device Passcode	✓		✓
Change Work Passcode		✓	✓	✓
Lock SSO	✓	✓	✓	✓
Reboot Device	✓
Enterprise Wipe		✓*		✓
Device Wipe	✓*		✓*	✓*
Support
Find Device	✓	✓	✓	✓
Sync Device	✓	✓	✓	✓
Admin
Change Organization Group	✓	✓	✓	✓
Manage Tags	✓	✓	✓	✓
Edit Device	✓	✓	✓	✓
Delete Device	✓*	✓	✓*	✓*
Request Device Log	✓	✓	✓	✓
Override Job Log Level	✓
Advanced
Start/Stop AWCM	✓	✓	✓	✓
Sync Device	✓	✓	✓	✓

Use the Device Details menu tabs to access specific device information, including:

• Summary – View general statistics such as enrollment status, compliance, last seen, platform/ model/OS, organization group, contact information, serial number, power status including battery health, storage capacity, physical memory and virtual memory. Zebra devices feature a panel displaying detailed battery information. You can also view the Workspace ONE Intelligent Hub and which version of any applicable OEM is currently installed on the device. Note: If Android devices report a Manufacturer and Model that is determined to be invalid according to Android standards, the Model/OS field of the summary for the devices displays in the Console as “Unknown”.
• Compliance – Display the status, policy name, date of the previous and forthcoming compliance check and the actions already taken on the device.
• Profiles – View all MDM profiles currently installed on a device.
• Apps – View all apps currently installed or pending installation on the device. For internal apps, we sample the install status of all Apps. For public apps, we sample only for apps that have a launchable icon on the device. Non-managed apps without a launchable icon are not sampled.
• Content – View status, type, name, priority, deployment, last update, and date and time of views, and provide a toolbar for administrative action (install or delete content). Android (Legacy) Platform VMware, Inc. 77
• Location – View current location or location history of a device. If your device is in power saving mode, the location data might not be updated during Doze Mode. You will need to use the Restrictions profile in the UEM console and add Allow Location Service Configuration to the allow list or use OEM Config to disable Doze mode entirely.
• User – Access details about the user of a device as well as the status of the other devices enrolled to this user. The menu tabs below are accessed by selecting More from the main Device Details tab.
• Network – View current network (Cellular, Wi-Fi, Bluetooth) status of a device. Note: If Location Services is not enabled on a device, it may not be possible to collect and report the active SSID. In these cases, SSID is reported as “Unknown SSID”
• Telecom – View all amounts of calls, data and messages sent and received involving the device.
• Notes – View and add notes regarding the device. For example, note the shipping status or if the device is in repair and out of commission.
• Certificates – Identify device certificates by name and issuant. This tab also provides information about certificate expiration.
• Products –View complete history and status of all packages provisioned to the device and any provisioning errors.
• Custom Attributes – Enable you to use advanced product provisioning functionality.
• Files/Actions – View the files and other actions associated with the device.
• Event Actions – Allows you to take action on a device when predetermined conditions are met
• Shared Device Log – View history of device in terms of Shared Device, including past checkins and check-outs and current status.
• Troubleshooting – View Event Log and Commands logging information. This page features export and search functions, enabling you to perform targets searches and analysis.
• Event Log – View detailed debug information and server check-ins, including a Filter by Event Group Type, Date Range, Severity, Module, and Category. In the Event Log listing, the Event Data column may display hypertext links that open a separate screen with even more detail surrounding the specific event. This information enables you to perform advanced troubleshooting such as determining why a profile fails to install.
• Commands – View detailed listing of pending, queued, and completed commands sent to the device. Includes a Filter enabling you to filter commands by Category, Status, and specific Command.
• Compromised Detection – View details about the compromised status of the device including the specific Reason for the status and how Severe the status is.
• Status History – View history of device in relation to enrollment status.
• Targeted Logging - View the logs for the Console, Catalog, Device Services, Device Management, and Self Service Portal. You must enable Targeted Logging in settings and a link is provided for this purpose. You must then select the Create New Log button and select a length of time the log is collected.
• Attachments – Use this storage space on the server for screenshots, documents, and links for troubleshooting and other purposes without taking up space on the device itself.

MAC Address Behavior for Android

On devices that run Android 10 or higher, the system transmits randomized MAC addresses by default. This is different from previous versions of Android.

The Android OS version and the enrollment type determines how we collect the Wi-Fi MAC address:

• Fully managed devices can collect the actual hardware WiFi MAC address on all OS versions.
• COPE devices can collect the actual hardware WiFi MAC address on all OS.
• Work Profile devices can collect the actual hardware Wi-Fi MAC address on Android 9 and below.
• Work Profile devices can collect the randomized WiFi MAC address for the active SSID on Android 10 or later.

You can find the MAC Address listed in the Network tab of Device Details.

Device Management Commands for Android Devices

The More drop-down on the Device Details page enables you to perform remote actions over-the-air to the selected device. The actions listed below vary depending on factors such as device platform, Workspace ONE UEM console settings, and enrollment status.

Clear Passcode

• Clear Passcode (Device) – Clear the device passcode. To be used in situations where the user has forgotten their device’s passcode.
• Generate App Token - Generate app token for users who forget their login information for Workspace ONE SDK-built applications.
• Clear Work Passcode - Clear the work or container passcode. To be used in situations where the user has forgotten their device’s passcode.

Management

• Change Device Passcode – Replace any existing device passcode used to access the selected device with a new passcode.
• Change Work Passcode - Select to remove the work security challenge on the device. For Android 8.0 or later.
• Lock SSO – Lock the device user out of Workspace ONE UEM Container and all participating applications.
• Reboot Device – Reboot a device remotely, reproducing the effect of powering it off and on again.
• Device Wipe – Send an MDM command to wipe a device clear of all data and operating system. This action cannot be undone.
• Lock SSO – Lock the device user out of Workspace ONE UEM Container and all participating applications.
• Enterprise Wipe – Removes enterprise data from the device without impacting any personal data. On COPE enrolled Android 11 + devices, Enterprise Wipe unenrolls the device, removes the work profile, and leaves the personal profile in tact.

Support

• Find Device – Send a text message to the applicable Workspace ONE UEM application together with an audible sound designed to help the user locate a misplaced device. The audible sound options include playing the sound a configurable number of times and the length of the gap, in seconds, between sounds.
• Sync Device – Synchronize the selected device with the UEM console, aligning its Last Seen status.

Admin

• Change Organization Group – Change the device’s home organization group to another existing OG. Includes an option to select a static or dynamic OG. If you want to change the organization group for multiple devices at a time, you must select devices for the bulk action using the Block selection method (using the shift-key) instead of the Global check box (next to the Last Seen column heading in the device list view).
• Manage Tags -
• Edit Device – Edit device information such as Friendly Name, Asset Number, Device Ownership, Device Group Device Category.
• Delete Device – Delete and unenroll a device from the console. Sends the enterprise wipe command to the device that gets wiped on the next check-in and marks the device as Delete In Progress on the console. If the wipe protection is turned off on the device, the issued command immediately performs an enterprise wipe and removes the device representation in the console.

• Request Device Log – Request the debug log for the selected device, after which you can view the log by selecting the More tab and selecting Attachments > Documents. You cannot view the log within the Workspace ONE UEM console. The log is delivered as a ZIP file that can be used to troubleshoot and provide support. When you request a log, you can select to receive the logs from the System or the Hub. System provides system-level logs. Hub provides logs from the multiple agents running on the device.

  Android Only: you can retrieve detailed logs from corporate-owned Android devices and view them in the console to resolve issues on the device quickly.

• Override Job Log Level – Override the currently specified level of job event logging on the selected device. This action sets the logging verbosity of Jobs pushed through Product Provisioning and overrides the current log level configured in Android Hub Settings. Job Log Level Override can be cleared by selecting the drop-down menu item Reset to Default on the action screen. You can also change the Job Log Level under the Product Provisioning category in Android Hub Settings.

Advanced

• Start/Stop AWCM – Start/Stop the Cloud Messaging service for the selected device. VMware AirWatch Cloud Messaging (AWCM) streamlines the delivery of messages and commands from the Admin Console. The AWCM eliminates the need for end users to access the public Internet or use consumer accounts such as Google IDs.
• Sync Device – Synchronize the selected device with the UEM console, aligning its Last Seen status.

Details Apps Tab

The Devices Details Apps Tab in the Workspace ONE UEM console contains options to control public applications by device. You can view apps that have been assigned in the UEM console and personal apps based on the enrollment type and privacy configurations.

Admins can view information about the application including the installation status, the application type, the application version, and the application identifier.

The Install option from the actions menu lets you select the assigned apps from the list view and directly push to the device. The Remove option from the actions menu to uninstall the application silently off the device.

Work Profile enrollments only display apps assigned by the admin and will not display personal applications installed by the user. Work Managed enrollments display all applications because Workspace ONE UEM has full control of the device, and there is no concept of personal applications. For a COPE enrollment, the device details apps tab display managed applications, which include internal applications that are install on the personal side by default.

The Workspace ONE UEM console will not show apps that cannot be launched by users. The UEM console reports the status of apps that have a Launcher icon that the user can click on and open. Therefore, background apps or service applications are not shown in device details.

The Request Device Log command allows you to retrieve Workspace ONE Intelligent Hub or detailed system logs from corporate-owned devices and view them in the console to quickly resolve any issues on the device. The Request Device Log dialog box allows you to customize your logging request for Android devices. See more details below.

Request Device Log

The Request Device Log command allows you to retrieve Workspace ONE Intelligent Hub or detailed system logs from corporate-owned devices and view them in the console to quickly resolve any issues on the device. The Request Device Log dialog box allows you to customize your logging request for Android devices.

1. Navigate to Groups & Settings > All Settings > Devices and Users > General > Privacy and enable Request Device Log in the privacy settings.

   Employee- owned devices are not allowed to be selected due to privacy concerns

2. Navigate to Devices > List View > Select device from list > More Actions > Request Device Log.

3. Customize the log settings:

   Setting	Description
   Source	Select Hub to collect logs generated by Workspace ONE Intelligent Hub.
   	Select System to include all applications and events on the device. System is available based on your privacy settings and is limited to device manufacturers with specific platform service applications. Note: Available on devices running Platform OEM Service v3.3+, MSI Service v1.3+, and Honewell Service v3.0+.
   	Select Network to record DNS requests and network connections from apps to a log file for the specified duration. Note: Available on Work Managed devices running Android 8 or higher. Note: Collect Public IP Address must be enabled in Privacy Settings.
   	Select Security to collect security logs that detail possible security breaches such as pre and post boot activities, authentication attempts, credential storage modification, attempted adb connections, and more. Note: Requires Work Managed Android 7.0 or later devices and Workspace ONE Intelligent Hub 21.05 for Android. The Security option is greyed out if devices do not meet these requirements.
   Type	Select Snapshot to retrieve the latest log records available from devices. Select Timed to collect a rolling log over a specified period. Multiple log files may be sent to UEM console.The ‘Level’ option will not be available when Network is selected
   Duration	Specify the duration of time for the device to collect and report logs to the console.
   Level	Determine the level of detail included in the log (Error, Warning, Info, Debug, Verbose).

4. Select Save.

5. To review the log files, navigate to Device Details > More > Attachments > Documents.

6. Cancel the device log request after the logs have been received and there is no further need for log collection. Navigate to Devices > List View > Select device from list > More Actions > Cancel Device Log to cancel the device log request.

SafetyNet Attestation

SafetyNet Attestation is a Google API used to validate the integrity of the device ensuring the device is not compromised.

SafetyNet validates software and hardware information on the device and creates a profile of that device. This attestation helps determine if a particular device has been tampered or modified. When the Workspace ONE UEM console runs the SafetyNet Attestation API and reports the device has been compromised, the UEM console Device Details page reports the device as compromised. If SafetyNet Attestation detects the device as compromised, the only way to revert a device compromised state is to re-enroll the affected device.

It is important to note that SafetyNet Attestation does not re-evaluate compromised status after it is initially reported.

SafetyNet Attestation is only supported with Workspace ONE Intelligent Hub.

Enable SafetyNet Attestation Enable the SafetyNet Attestation API in the UEM console to validate the integrity of a device and determine if a device has been compromised.

1. Navigate to Groups & Settings > All Settings > Apps > Settings & Policies > Settings > Custom Settings

2. Paste the following custom XML into the Custom Settings field: { “SafetyNetEnabled”:true }

3. Save the Custom XML.

4. Verify SafetyNet from the Summary tab in the Device Details page in the UEM console. If you do not see the status of the SafetyNet Attestation, you can send a remote command to restart the device.