VMware Workspace ONE Content

The Content Management solution provides you the VMware Workspace ONE Content app to enable the end users to access the managed content. The Workspace ONE Content app is deployed to end-user devices and the managed content is accessed in the app within the configured parameters.

Features

  • Content settings to set unique app behaviors.
  • Use default SDK settings when configured as part of the Workspace ONE UEM app suite.
  • Content Management Dashboard and list views to manage the content deployment from the UEM console.
  • Workspace ONE Content supports the multitasking feature of iPadOS. To enhance your productivity, you can use the content app in split mode while working on the another app inline.

Security

  • SSL encryption for secure data transit.
  • AES 256-bit encryption to protect the deployed content.
  • VMware Workspace ONE Content v2.2 and later for iOS uses the NSFileProtectionComplete class to store the content.

VMware Workspace ONE Content Capabilities by Platform

The following matrix applies to the platform version of VMware Workspace ONE Content available in the app store.

Features iOS Android
Security
Authentication      
Basic
AD/LDAP
Token
Second Factor Passcode
Encryption
SSL Encryption in Transit
AES 256-Bit Encryption at Rest
In Memory Encryption  
FIPS 140-2
Certificate Pinning  
IT Policies      
Compromised Detection
Automatic offline revocation when device is compromised
Require Enrollment
Automatic offline revocation when document expires
Maximum number of offline logins
Wipe content at Maximum number of failed login attempts
Prevent deleting mandatory content
DLP    
Prevent Copy/Paste
Enable/Disable Print  
Enable/Disable Open in Third Party Application(s)
Enable/Disable Sharing via Email  
Enable/Disable Document Level Encryption
Enable/Disable Document Watermarking*
The watermark feature is available for only admin repositories, user repositories, and Workspace ONE UEM managed content. It is not available for email attachments opened in Workspace ONE Content
✓* ✓*  
Enable/Disable Screen Capture
** For Workspace ONE Content, Enable Screen Capture must be set to Yes to allow users to take screenshot of the documents and media content. It also enables the Screen Mirroring feature using third party apps like Vysor. If Enable Screen Capture is set to No, users can only take screenshot of the Workspace ONE Content home screen and folders. Screen Mirroring is also disabled.
  ✓**
Data Collection      
Install Content
Open/Close Content
Uninstall/Delete Content
Session Status
Mobile Experience
Access
Keep Me Signed In
Authenticate with back-end credentials (Active Directory)
Integrate with Workspace ONE UEM Single-Sign-On  
Workspace ONE UEM Single-Sign-On with Hub as Broker App  
Allow Offline Access
Standalone MCM
Customize Terms of Use
Content Views      
Featured Content (Folder, File, Category)
All Content (All/Installed/Uninstalled)
Recent Activity (Recently Updated and Viewed)
New Content
Favorite Content
Tile and List Views of content  
Full-screen mode for images/PDFs
View Required Content  
Swipe through all images in a folder/view    
Grid view of all images    
File Management      
Sort Content (alphabetically, chronologically, importance)
Filter Content (File Type, download status)
Delete On-Demand documents
Import and Upload new documents/new versions
2-way sync for WebDav, network shares
2- way sync for Google Drive, One Drive  
Check-In/Check-Out to SharePoint  
Add comments to files at SharePoint Check-in    
User Generated Content- Capture Pictures or Video in VMware Workspace ONE Content  
Add, Copy, Multi-Select files or folders
User Generated Content - Add Audio Files    
User Generated Content - Add Office Files
User Generated Content - Add Text Files  
Queue Multiple Document Downloads Simultaneously
Manage Downloads (Pause/Resume/Cancel/Re-order)  
Manage Uploads (Pause/Resume/Cancel/Re-order)    
Usability      
Search Strings within Documents (PDF Only)
Thumbnail navigation/scrub bar  
View Table of Contents
Multi-Tab Document Viewing(File type restrictions apply)  
Bookmarking (PDF Only)
Edit Bookmarks  
Night-Mode (PDF)  
Presentation Mode (native pointer for presenting content)    
Support for Links in PDFs
View Updates
Search Documents Based on Keywords
Highlight search results
View Last Successful Sync (Sync Status)
User Managed Content (Local Storage)
File Management  
Add/Remove Files(s)
Add new version
Move File(s)/Folder(s)
Add/Remove Folder(s)
Removed files goes to Trash
Automatically Upload document upon opening in VMware Workspace ONE Content  
Collaboration      
Add and Save PDF Annotations
Flatten PDF Annotations
Edit and Save Office Documents (Word, Excel, PPT)  
View shared folders with Files (Co-Owner, Editor, Reader)
Display Collaborators & Roles by each Shared Folder
Add Comments to File Versions    
View Activity Feed of Comments & Revision History per Document    
Save Drafts locally    
Notify User when update is available for document
Customization and Integration
External File Repository Integration      
Share Point 2007
Share Point 2010
Share Point 2013
Share Point 2019
Share Point Online (Office 365)
Network File Share
WebDAV  
FileServer (HTTP)  
Google Drive
OneDrive
CMIS  
User Added Repository Support
One Drive for Business  
Box
External File Repository Folder Actions      
Allow sharing of Google Drive folders through email    
Allow sharing of OneDrive folders through email    
Allow marking a folder as favorite    
Google Drive and OneDrive folders cannot be deleted as the delete permissions are not provided to these repositories      
Localization      
Arabic
Chinese - Simplified
Chinese - Traditional
Czech
Danish
Dutch
English
French
Hebrew
German
Italian
Japanese
Korean
Polish
Portugese - Brazil
Russian
Spanish
Swedish
Turkish
Email Attachment and Integration      
Allow Viewing of Attachments and saving to VMware Workspace ONE Content
Allow Viewing, Extracting and Saving of zipped attachments to VMware Workspace ONE Content
Allow Editing of Email Attachments  
Allow Reshare of Email Attachments  
Multi-Select Content and Send as Email Attachments (Individual Attachments)    
Select Folders and Send as Email Attachments (Zipped Folder)    
VMware Browser Integration      
Allow Viewing and Saving of VMware Browser Downloads  
*File type supported for editing.      

Matrix of Supported File Type by Platform

The file types supported by the Workspace ONE Content app on different platforms are listed in the matrix.

The matrix applies to the version of VMware Workspace ONE Content available in the app store.

Supported File Types iOS Android Notes
View Edit View Edit
AD/Azure RMS
AAC(.acc) audio/aac Content app supports adding .m4a file using Record Audio option.
ALAC (.m4a) audio/m4a Content app supports adding .m4a file using Record Audio option. 
Bitmap (.bmp) image/bmp  
CSV (.csv) txt/csv
ePub (.epub) application/epub+zip      
GIF (.gif) image/gif  
HTML (.html) text/html
iWorks - Keynote (.key) application/vnd.apple.keynote      
iWorks - Numbers (.numbers) application/vnd.apple.numbers    
iWorks - Pages (.pages) application/vnd.apple.pages      
JPG (.jpg) image/jpeg
MP3 (audio/mpeg) Content app supports adding .m4a file using Record Audio option. 
MOV (video/quicktime) Android devices do not support MOV files by default.
MP4 (.mp4) video/mp4       
M4V (.m4v) videos/m4v
MSG (.MSG) application/vnd.ms-outlook Content app supports multiple attachments.   
MS Office - Documents with pivot tables  
MS Office - Word (.doc/.docx/.docm) application/msword Editing is supported for .docx only. Password protected supported. 
MS Office - Excel (.xls/.xlsx/.xlsm) application/vnd.ms-excel Editing is supported for .docx only. Password protected supported.
MS Office - PowerPoint (.ppt/.pptx/pptm) application/vnd.ms-powerpoint Editing is supported for .docx only. Password protected supported.
PDF (.pdf) application/pdf  
PNG (.png) image/png
RAR (.rar) application/rar   Password protected not supported
Text (.txt) text/plain
TIF (.tif, .tiff) image/tiff  
WAV (.wav) audio/wav Content app supports adding .m4a file using Record Audio option.  
XML (.xml) application/xml ✓   
Zip (.zip) application/zip Password protected supported
7Zip (.7z) application/zip Password protected not supported

Configure VMware Workspace ONE Content

Provide end users with device side access to the corporate content using the Workspace ONE Content app. The configurations set in the UEM console determine the level of freedom provided to end users accessing corporate content from their devices.

  1. Navigate to Groups & Settings > All Settings > Content > Applications > Workspace ONE Content app.
  2. Configure the Settings and Policies settings.

    Settings Description
    Application Profile Set to define the security policies and settings used by this application.
    Leave as Default and configure the Recommended Default SDK settings to define app behavior using Workspace ONE UEM recommendations.
    Alternatively, select Custom application settings to override the default SDK settings and configure a unique set off behaviors for the app.
    iOS Profile Select a custom-created SDK profile from the drop-down list.
    Android Profile Select a custom-created SDK profile from the drop-down list.
  3. Configure the General settings.

    Settings Description
    Numbers of Days to Keep Content New Select the number of days recently added documents will be labeled as new in the Workspace ONE Content.
    File Upload Limit Set the maximum number of files that your users can upload in the content app. You can allow users to upload up to 40 files at once.
    Block Enrollment via Content, Boxer, and Web Enable to prevent enrollment through Workspace ONE Content, VMware Workspace ONE Boxer, and VMware Workspace ONE Web. If Workspace ONE Content uses the VMware Workspace ONE SDK for iOS in Objective-C, then MDM enrollment is required for the single-sign on SDK setting to function correctly.
    Change Repository Name for Managed Content Enable to change the repository name in the Root Repository Name field that appears.
    Root Repository Name Enter the new repository name you want to use.
    Allow Hyperlinks Enable to allow end users to open hyperlinks located in documents in the Open Internet Links with field that appears.
    Open Internet Links with Select the application in which to open hyperlinks.
    Local Storage Enable to provide a storage alternative for user content.
    Upload on Wi-Fi Only Enable to restrict uploads from Workspace ONE Content to Wi-Fi connections only.
    Document Acknowledgement Enable this option to allow users to view required content in the “Your files to review section” of the app’s For You screen.
    Acknowledgement Button Text Add the text you want to appear on the acknowledgement button.
    Time to Acknowledgement (from 5 to 999 seconds) Add time to acknowledge.
  4. Implement the Terms of Use agreement for your app.

  5. Assign Notifications to Workspace ONE Content applications for the specified platform.

    Setting Description
    Application Type Indicate as System or Internal.
    Application Name Assign to the application.
    Bundle ID Assign to the application.
    Badge Count Set to Required, Updates Only or None.
    Required: Badge Count represents the number of required documents that the User has not opened through the Workspace ONE Content.
    Updates Only (For Downloaded Content): Badge Count represents the number of downloaded documents that have updates or new versions available.
    None: Badge Counts are disabled for Workspace ONE Content.
  6. Select Save.

Configure Document Extensions

Document extensions enable end users to interact with the VMware Workspace ONE Content files on iOS devices from within third-party applications. This functionality requires specific configurations within the UEM console and special consideration for certain types of corporate file servers.

Ensure that document extension functionality appears on devices with Workspace ONE Content v3.1 and later by completing the required configurations in the UEM console.

  • Disable Authentication Type

    Applications with the authentication type enabled restrict the users from uploading files from Workspace ONE Content app using document extensions. To allow the user to upload files into the third-party applications, the authentication type must be disabled.

    1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.
    2. Select Disabled from the Authentication Type drop-down menu and then select Save.
  • Disable Application Allowlisting

    Allowlisting of applications must be disabled to permit users to open documents from third-party apps into Workspace ONE Content.

    1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.
    2. Set Limit Documents to Open Only in Approved Apps to No.
    3. Select Save.
  • Enable Allow Open In Third Party Apps

    Allow Open In Third Party Apps option must be enabled for the end users to use the export functionality within third-party apps.

    1. Navigate to Content > Repositories > Admin Repositories.
    2. Select the Editicon next to the Corporate File Server that syncs to end-user devices.
    3. On the Security tab, select Allow Open In Third Party Apps and then Save.

Enable Storage Access

End users can access the files and storage from third-party applications only when the file and storage access is enabled for the Workspace ONE Content on Android devices.

To enable the storage access, complete the required configurations on the console.

  • Enable Storage Access from Third-Party Apps using Android SDK Default Settings

    Add a configuration key in the default SDK profile to enable the content file and storage access from third-party applications.

    1. Navigate to Apps > Settings and Policies > Settings > Custom Settings.
    2. Select Enable Custom Settings and paste {“PolicyEnableFileProvider”: “true”}.
    3. Select Save.
  • Enable Storage Access from Third-Party Apps using Android SDK Custom Profile

    Add a configuration key in the custom SDK profile for Workspace ONE Content to enable the content file and storage access from third-party applications.

    1. If you have an existing custom profile, navigate to Apps > Settings > Profiles > Custom Profile > Custom Settings Payload.
    2. If you want to add a custom profile, navigate to Apps > Settings > Profiles > Add Profile > SDK Profile > Android > Custom Settings > Custom Settings Payload.
    3. Paste {“PolicyEnableFileProvider”: “true”} and select Save.

      If you have multiple custom settings, append the PolicyEnableFileProvider key after your existing custom key within { }. For example, {
      “CustomSetting Default”: "true”, “PolicyEnableFileProvider”: “true” }.

  • You must also enable the Allow Open In Third Party Apps setting to allow end users to access the files from third-party apps. See Enable Allow Open In Third Party Apps.

Limitation of Storage Access from Third-Party Apps (Android Only)

The following list describes the limitations of storage access from third-party apps.

  • Allow Open in third-party apps flag is considered to allow or deny access to third-party apps. ‘Allow Email’ permission flag is not considered for a file since it cannot be determined (based on application ID) whether the third-party app is an email app or not.
  • Support for Android framework to provide the Content file and storage access from third-party apps is disabled by default to manage app containers and the data shared between them.
  • Local Storage files are not accessible since Open In functionality for third-party apps is disabled by default.
  • When Workspace ONE Content authentication is enabled, you must have Workspace ONE Content unlocked to access it through a third-party app (displays message).
  • If your admin has configured an app allowlist and the third-party app is not in the allowlist, then you cannot open or create files through Workspace ONE Content.
  • For the Managed content, all the content is available while browsing through a third-party app. For other repositories, content is available (for one level) only for those folders that are synced in Workspace ONE Content.

QR Code Scan to access Custom URLs (Android Only)

Use custom URLs to provide end users the direct access to the files in the Workspace ONE Content application. Upon scanning, the QR code, which contains the custom URLs allow the end user to search or view the file if the file is downloaded.

You must use either a search query or a specific content ID as the custom URL. The content IDs are automatically generated for every file that you upload to the Workspace ONE UEM console. When you point to the filename, the file path displays the Content IDs.

The custom URLs are:

  • awscl://search/?query=text
  • awscl://search?query=text
  • awscl://search/?query=“text”
  • awscl://search?query=“text”
  • awscl://contentid={content ID}
  • awscl://contentid=“{content ID}”

The search query searches for the specified text string and the specific Content ID directly opens the specified document.

Document Acknowledgment

The Content app users can acknowledge the documents and media files that you assign to them as required content. The users can view the files that require their acknowledgment in the All files to review section of the app’s For You screen.

As an administrator, you can allow users to acknowledge the required document from Your files to review section in For You tab. You can mark the documents as Required in the console. When documents are acknowledged, they are moved to the See recently reviewed page, allowing you to keep track of the document’s Read status.

On the Workspace ONE UEM console, you can view these acknowledgments in the Content List View and the Device Details pages.

On selecting View under the Installed Status column of the Content List View page, a pop-up box appears to show the exact number of users who have viewed and acknowledged the content.

You must first ensure the following steps to activate Document Acknowledgement:

  1. Enable Document Acknowledgement by navigating to Groups & Settings > All Settings > Content > Applications > Workspace ONE Content app.
    • The acknowledgment button text is configurable
    • The timer to show the Acknowledgement button is also configurable
  2. Enable Required flag for file or repository by navigating to Content > List View > Edit File > Deployment

The following list describes the supported document acknowledgment features:

  • Users are not prompted to acknowledge a document that has been already acknowledged.

  • Users are prompted to acknowledge again a new version of the already acknowledged document.

  • The Device Details page shows the acknowledged status and the date on which the document was acknowledged.

  • Content Details by Device report contains the acknowledged status on a per device basis.

  • You can track the Acknowledgement data from console an can send Acknowledgement data to console.

Enable Staged Content Mode for Multi-User Devices

To prevent the loss of staged content on multi-user devices during the device check-in and check-out sessions, you must enable the staged content mode for the Content app on the Workspace ONE UEM console. On enabling the staged content mode, any managed content staged on the device is retained, thus helping the user avoid redownloading the content on the next login.

The content is available to a new user who checks out the device only if the new user is assigned the content. The content is cleared if the content is not assigned to the new user.

To enable the staging content mode, add the following configuration key on the Workspace ONE UEM console.

Configuration Key Value Type Supported Types Description
{ “RetainContentBetweenCheckoutSessions”: true } Boolean True = Enabled
False (default) = Disabled
When set to true, the downloaded content is retained and not cleared during the device check-in and checkout sessions.
When set to false, the downloaded content is cleared and not retained during the device check-in and checkout sessions.

Enable Staged Content Support Using Default SDK Profile

Add the configuration key in the default SDK profile to enable the staged mode for the managed content downloaded on the Content app.

  1. Navigate to Groups & Settings > All Settings > Apps > Settings & Policies > Settings.
  2. Select Enable Custom Settings and enter the configuration keys as per your requirement.
{
    "CustomAppSettings": {
        "com_vmware_folio": {
            "SharedDeviceSettings": {
                "RetainContentBetweenCheckoutSessions": true
            }
        }
    }
}
  1. Select Save.

Enable Staged Content Support Using a Custom SDK Profile

Add the configuration key in the custom SDK profile to enable the staged mode for the managed content on the Content app.

  1. Navigate to Groups & Settings > All Settings.
  2. If you have an existing custom profile, navigate to Apps > Settings & Policies > Profiles > Custom Profile > Custom Settings.
  3. If you want to add a custom profile, navigate to Apps > Settings & Policies > Profiles > Add Profile > SDK Profile > iOS > Custom Settings.
  4. From Custom Settings, select Configure and enter the configuration key as per your requirement.
{
    "CustomAppSettings": {
        "com_vmware_folio": {
            "SharedDeviceSettings": {
                "RetainContentBetweenCheckoutSessions": true
            }
        }
    }
}
  1. Select Save.

Supported and Unsupported Use Cases for Staged Content Mode

Listed are the use cases that are supported and not supported with the staged content mode.

Supported

  • New Content app installations that support Staged Content mode.
  • Authentication type in the SDK settings is ‘None.’
  • Retention of only managed Content.

Unsupported

  • Upgrade from an old Content app version to the version supporting the staged content mode.
  • Switching between users in different organization groups, thus having different content retention settings.
  • Switching between parent organization groups where content retention settings are enabled.
  • Editing and saving a PDF/Office document as a draft. If the user has edited a file that is shared between other users, the file retains the edits when the user switch takes place.
  • Repositories other than managed content repositories are not supported.

Digitally sign the PDF Documents using the PIV-D Manager

Workspace ONE Content enables users to securely sign the PDF documents using the PIV-D Manager. While activating the PIV-D Manager, users must enroll it and create a Keystore PIN. For more information on the activation process, see the PIV-D app documentation.

To setup PIV-D Manager app, see Workspace ONE PIV-D Manager.

To securely sign PDF documents in the content app:

  1. Tap on the Digital signature field and a popup message appears.
  2. Tap the Certificate field and enter the Keystore PIN. This is the PIN that users generate at the end of the PIV-D credential activation process.
  3. Select the certificate that the PIV-D Manager creates. You may add your signature if you want.

The PDF document is signed.

Digitally sign the PDF Documents using the PIV-D Manager with Non-repudiation changes

To digitally sign PDF documents using the PIV-D Manager with Non-repudiation changes:

  1. Login to the Workspace ONE UEM Console and navigate to Settings> Apps> Settings and Policies> Profiles.
  2. Add the SDK profile for the Content App and PIV-D Non-repudiation certificate.
  3. Select Content Profile and set the KVP { “AllowNonRepudiation”: True } in the Custom settings.
  4. Go to Apps & Books > Native and select PIV-D Manager app.
  5. Navigate to the SDK page and select the SDK profile for repudiation changes.
  6. Go to Apps & Books > Native and select Workspace ONE Content app.
  7. Navigate to the SDK page and set the SDK profile for which you have set the KVP.
  8. Click Save.

To securely sign PDF documents in the content app:

  1. Tap on the Digital signature field and a popup message appears.
  2. Tap the Certificate field and enter the Keystore PIN. This is the PIN that users generate at the end of the PIV-D credential activation process.
  3. Select the certificate that the PIV-D Manager creates. You may add your signature if you want.

The PDF document is signed.

Targeted Logging

Enabling the Targeted Logging option in the app allows users to automatically record and send logs for any incident that occurs during a specific flow or duration. The feature generates and shares two sets of log files - start and stop logs. One file contains logs prior to enabling targeted logging, and other file contains logs between enabling and disabling targeted logging.

Set Advance DLP Restrictions on Workspace ONE Content

Using the Workspace ONE UEM console, you can secure the Content app’s data by setting the following advanced Data Loss Preventions (DLPs).

  • Limit uploading files to the content app - You can set the maximum number of files that your users can upload to the content app at once. Navigate to Group & Settings > All Settings > Content > Application > Workspace ONE Content App > File Upload Limit and set the number of files that your users can upload. You can allow users to upload up to 40 files at once.

  • Restrict users to upload images only from their device’s camera - You can restrict the source of the photos from where the enterprise users can upload the image in the content app. Navigate to Content > Repositories > Admin Repositories and add or edit the repository on which you want to impose restrictions. Then, on the Edit Content Repository page, select Allow Upload from Camera Only.

Note: To avail the advance DLP restrictions, you must use Workspace ONE UEM 2209 and later versions.

Restricting Unmanaged Application Access

You can enable adaptive management to set Workspace ONE UEM to manage the device so that the device can access the application. Only the devices that are enrolled in EMM can install the app and receive app policies when you enable this setting. To do so, in the Restrictions page, you must enable the Managed Access option. For more information, see Mobile Application Management guide.

Add Custom Fonts Capability to MS Office Files

You can add custom font to the document for MS office files. You can add custom fonts usng the following ways.

  • Workspace ONE UEM Console: As an admin, you can add font files to the UEM console and push the fonts to the enrolled device as MDM profile. To do so, you must:
    1. Log in to the Workspace ONE UEM console.
    2. Navigate to Settings > Device & Users > Apple > Install Fonts.
    3. Drag and drop the font files. Allowed file types are .ttf or .otf.
    4. Click Save to publish Font files to the devices.
  • Third-party Apps: You can insatll custom fonts using any third-party apps. These Fonts are added to the device and the Content app can fetch them and pass them to the MS Office files.
  • Apple Configurator: You can create a profil with fonts using Apple Configurator such as iFonts, Fonts - Install Font on Mac and push it to the device after connecting it. To do so, navigate to your device’s Settings > General > Fonts and download apps that install fonts from the App store. For more information, see MS office viewer capability.

Set File Download Priority on UEM

Workspace ONE UEM lets you set file download priority for end users. Users can access the Activity page in the Content app, where Automatic Download type files are queued based on the priority set in UEM. The file with the Download Priority set to High is downloaded first, followed by Normal and Low.

check-circle-line exclamation-circle-line close-line
Scroll to top icon