After your devices are enrolled and configured, manage the devices using the Workspace ONE UEM console. The management tools and functions enable you to keep an eye on your devices and remotely perform administrative functions.

You can manage all your devices from the UEM console. The Dashboard is a searchable, customizable view that you can use to filter and find specific devices. This feature makes it easier to perform administrative functions on a particular set of devices. The Device List View displays all the devices currently enrolled in your Workspace ONE UEM environment and their status. You can filter the list view specific to Android and see how devices are being managed in a a glance.

The Device Details page provides device-specific information such as profiles, apps, Workspace ONE Intelligent Hub version and which version of any applicable OEM service currently installed on the device. You can also perform remote actions on the device from the Device Details page that are platform-specific.

Using the Device Details Page

The Device Details page allows you to track detailed device information and quickly access user and device management actions.

You can access the Device Details page by either selecting a device's Friendly Name from the Device Search page, from one of the available Dashboards or by using any of the available search tools with the Workspace ONE UEM console.

If Devices are in Power Saving Mode

Android devices running Android M use power saving options for idle apps and devices. If a user unplugs a device and leaves it stationary, with its screen off, for a period of time, the device goes into Doze mode, where it attempts to keep the device in a sleep state. There will be no network activity during this time.

Additionally, App Standby mode allows the device to determine that an app is idle when the user is not actively using it. When devices are in either state, the Workspace ONE UEM console will not receive reports on device details. When the user plugs a device in to charge or opens an app, the device will resume normal operations and reporting from AirWatch apps installed on the device to the Workspace ONE UEM console resumes.

Use the Device Details menu tabs to access specific device information, including:

  • Summary – View general statistics such as enrollment status, compliance, last seen, platform/ model/OS, organization group, contact information, serial number, power status including battery health, storage capacity, physical memory and virtual memory. Zebra devices feature a panel displaying detailed battery information. You can also view the Workspace ONE Intelligent Hub and which version of any applicable OEM is currently installed on the device.
  • Compliance – Display the status, policy name, date of the previous and forthcoming compliance check and the actions already taken on the device.
  • Profiles – View all MDM profiles currently installed on a device.
  • Apps – View all apps currently installed or pending installation on the device.
  • Content – View status, type, name, priority, deployment, last update, and date and time of views, and provide a toolbar for administrative action (install or delete content). Android (Legacy) Platform VMware, Inc. 77
  • Location – View current location or location history of a device. If your device is in power saving mode, the location data might not be updated during Doze Mode. You will need to use the Restrictions profile in the UEM console and add Allow Location Service Configuration to the allow list or use OEM Config to disable Doze mode entirely.
  • User – Access details about the user of a device as well as the status of the other devices enrolled to this user. The menu tabs below are accessed by selecting More from the main Device Details tab.
  • Network – View current network (Cellular, Wi-Fi, Bluetooth) status of a device.
  • Telecom – View all amounts of calls, data and messages sent and received involving the device.
  • Notes – View and add notes regarding the device. For example, note the shipping status or if the device is in repair and out of commission.
  • Certificates – Identify device certificates by name and issuant. This tab also provides information about certificate expiration.
  • Products –View complete history and status of all packages provisioned to the device and any provisioning errors.
  • Custom Attributes – Enable you to use advanced product provisioning functionality.
  • Files/Actions – View the files and other actions associated with the device.
  • Event Actions – Allows you to take action on a device when predetermined conditions are met
  • Shared Device Log – View history of device in terms of Shared Device, including past checkins and check-outs and current status.
  • Troubleshooting – View Event Log and Commands logging information. This page features export and search functions, enabling you to perform targets searches and analysis.
  • Event Log – View detailed debug information and server check-ins, including a Filter by Event Group Type, Date Range, Severity, Module, and Category. In the Event Log listing, the Event Data column may display hypertext links that open a separate screen with even more detail surrounding the specific event. This information enables you to perform advanced troubleshooting such as determining why a profile fails to install.
  • Commands – View detailed listing of pending, queued, and completed commands sent to the device. Includes a Filter enabling you to filter commands by Category, Status, and specific Command.
  • Compromised Detection – View details about the compromised status of the device including the specific Reason for the status and how Severe the status is.
  • Status History – View history of device in relation to enrollment status.
  • Targeted Logging - View the logs for the Console, Catalog, Device Services, Device Management, and Self Service Portal. You must enable Targeted Logging in settings and a link is provided for this purpose. You must then select the Create New Log button and select a length of time the log is collected.
  • Attachments – Use this storage space on the server for screenshots, documents, and links for troubleshooting and other purposes without taking up space on the device itself.

Device Management Commands for Android Devices

The More drop-down on the Device Details page enables you to perform remote actions over-the-air to the selected device. The actions listed below vary depending on factors such as device platform, Workspace ONE UEM console settings, and enrollment status.

Clear Passcode

  • Clear Passcode (Device) – Clear the device passcode. To be used in situations where the user has forgotten their device's passcode.
  • Generate App Token - Generate app token for users who forget their login information for Workspace ONE SDK-built applications.
  • Clear Work Passcode - Clear the work or container passcode. To be used in situations where the user has forgotten their device's passcode.

Management

  • Change Device Passcode – Replace any existing device passcode used to access the selected device with a new passcode.
  • Change Work Passcode - Select to remove the work security challenge on the device. For Android 8.0 or later.
  • Lock SSO – Lock the device user out of Workspace ONE UEM Container and all participating applications.
  • Reboot Device – Reboot a device remotely, reproducing the effect of powering it off and on again.
  • Device Wipe – Send an MDM command to wipe a device clear of all data and operating system. This action cannot be undone.
  • Lock SSO – Lock the device user out of Workspace ONE UEM Container and all participating applications.
  • Enterprise Wipe – Enterprise Reset a device to factory settings, keeping only the Workspace ONE UEM enrollment.

Support

  • Find Device – Send a text message to the applicable Workspace ONE UEM application together with an audible sound designed to help the user locate a misplaced device. The audible sound options include playing the sound a configurable number of times and the length of the gap, in seconds, between sounds.
  • Sync Device – Synchronize the selected device with the UEM console, aligning its Last Seen status.

Admin

  • Change Organization Group – Change the device's home organization group to another existing OG. Includes an option to select a static or dynamic OG. If you want to change the organization group for multiple devices at a time, you must select devices for the bulk action using the Block selection method (using the shift-key) instead of the Global check box (next to the Last Seen column heading in the device list view).
  • Manage Tags -
  • Edit Device – Edit device information such as Friendly Name, Asset Number, Device Ownership, Device Group Device Category.
  • Delete Device – Delete and unenroll a device from the console. Sends the enterprise wipe command to the device that gets wiped on the next check-in and marks the device as Delete In Progress on the console. If the wipe protection is turned off on the device, the issued command immediately performs an enterprise wipe and removes the device representation in the console.
  • Request Device Log – Request the debug log for the selected device, after which you can view the log by selecting the More tab and selecting Attachments > Documents. You cannot view the log within the Workspace ONE UEM console. The log is delivered as a ZIP file that can be used to troubleshoot and provide support. When you request a log, you can select to receive the logs from the System or the Hub. System provides system-level logs. Hub provides logs from the multiple agents running on the device.

    Android Only: you can retrieve detailed logs from corporate-owned Android devices and view them in the console to resolve issues on the device quickly.

  • Override Job Log Level – Override the currently specified level of job event logging on the selected device. This action sets the logging verbosity of Jobs pushed through Product Provisioning and overrides the current log level configured in Android Hub Settings. Job Log Level Override can be cleared by selecting the drop-down menu item Reset to Default on the action screen. You can also change the Job Log Level under the Product Provisioning category in Android Hub Settings.

Advanced

  • Start/Stop AWCM – Start/Stop the Cloud Messaging service for the selected device. VMware AirWatch Cloud Messaging (AWCM) streamlines the delivery of messages and commands from the Admin Console. The AWCM eliminates the need for end users to access the public Internet or use consumer accounts such as Google IDs.
  • Sync Device – Synchronize the selected device with the UEM console, aligning its Last Seen status.

Details Apps Tab

The Devices Details Apps Tab in the Workspace ONE UEM console contains options to control public applications by device. You can view apps that have been assigned in the UEM console and personal apps based on the enrollment type and privacy configurations.

Admins can view information about the application including the installation status, the application type, the application version, and the application identifier.

The Install option from the actions menu lets you select the assigned apps from the list view and directly push to the device. The Remove option from the actions menu to uninstall the application silently off the device.

Work Profile enrollments only display apps assigned by the admin and will not display personal applications installed by the user. Work Managed enrollments display all applications because Workspace ONE UEM has full control of the device, and there is no concept of personal applications. For a COPE enrollment, the device details apps tab display managed applications, which include internal applications that are install on the personal side by default.

The Workspace ONE UEM console will not show apps that cannot be launched by users. The UEM console reports the status of apps that have a Launcher icon that the user can click on and open. Therefore, background apps or service applications are not shown in device details.

The Request Device Log command allows you to retrieve Workspace ONE Intelligent Hub or detailed system logs from corporate-owned devices and view them in the console to quickly resolve any issues on the device. The Request Device Log dialog box allows you to customize your logging request for Android devices. See more details below.

Request Device Log

The Request Device Log command allows you to retrieve Workspace ONE Intelligent Hub or detailed system logs from corporate-owned devices and view them in the console to quickly resolve any issues on the device. The Request Device Log dialog box allows you to customize your logging request for Android devices.

  1. Navigate to Groups & Settings > All Settings > Devices and Users > General > Privacy and enable Request Device Log in the privacy settings.

    Employee- owned devices are not allowed to be selected due to privacy concerns

  2. Navigate to Devices > List View > Select device from list > More Actions > Request Device Log.

  3. Customize the log settings:

    Setting Description
    Source Select Hub to collect logs generated by Workspace ONE Intelligent Hub.

    Select System to include all applications and events on the device. System is available based on your privacy settings and is limited to device manufacturers with specific platform service applications.

    Note: Available on devices running Platform OEM Service v3.3+, MSI Service v1.3+, and Honewell Service v3.0+.

    Select Network to record DNS requests and network connections from apps to a log file for the specified duration.

    Note: Available on Work Managed devices running Android 8 or higher.

    Note: Collect Public IP Address must be enabled in Privacy Settings.

    Setting Description
    Type Select Snapshot to retrieve the latest log records available from devices. Select Timed to collect a rolling log over a specified period. Multiple log files may be sent to UEM console.The 'Level' option will not be available when Network is selected
    Duration Specify the duration of time for the device to collect and report logs to the console.
    Level Determine the level of detail included in the log (Error, Warning, Info, Debug, Verbose).
  4. Select Save.

  5. To review the log files, navigate to Device Details > More > Attachments > Documents.

  6. Cancel the device log request after the logs have been received and there is no further need for log collection. Navigate to Devices > List View > Select device from list > More Actions > Cancel Device Log to cancel the device log request.

SafetyNet Attestation

SafetyNet Attestation is a Google API used to validate the integrity of the device ensuring the device is not compromised.

SafetyNet validates software and hardware information on the device and creates a profile of that device. This attestation helps determine if a particular device has been tampered or modified. When the Workspace ONE UEM console runs the SafetyNet Attestation API and reports the device has been compromised, the UEM console Device Details page reports the device as compromised. If SafetyNet Attestation detects the device as compromised, the only way to revert a device compromised state is to re-enroll the affected device.

It is important to note that SafetyNet Attestation does not re-evaluate compromised status after it is initially reported.

SafetyNet Attestation is only supported with Workspace ONE Intelligent Hub.

Enable SafetyNet Attestation Enable the SafetyNet Attestation API in the UEM console to validate the integrity of a device and determine if a device has been compromised.

  1. Navigate to Groups & Settings > All Settings > Apps > Settings & Policies > Settings > Custom Settings

  2. Paste the following custom XML into the Custom Settings field: { "SafetyNetEnabled":true }

  3. Save the Custom XML.

  4. Verify SafetyNet from the Summary tab in the Device Details page in the UEM console. If you do not see the status of the SafetyNet Attestation, you can send a remote command to restart the device.

check-circle-line exclamation-circle-line close-line
Scroll to top icon