VMware Workspace ONE Content

The Content Management solution provides you the VMware Workspace ONE Content app to enable the end users to access the managed content. The Workspace ONE Content app is deployed to end-user devices and the managed content is accessed in the app within the configured parameters.


  • Content settings to set unique app behaviors.
  • Use default SDK settings when configured as part of the Workspace ONE UEM app suite.
  • Content Management Dashboard and list views to manage the content deployment from the UEM console.
  • Workspace ONE Content supports the multitasking feature of iPadOS. To enhance your productivity, you can use the content app in split mode while working on the another app inline.


  • SSL encryption for secure data transit.
  • AES 256-bit encryption to protect the deployed content.
  • VMware Workspace ONE Content v2.2 and later for iOS uses the NSFileProtectionComplete class to store the content.

VMware Workspace ONE Content Capabilities by Platform

The following matrix applies to the platform version of VMware Workspace ONE Content available in the app store.

Features iOS Android
Second Factor Passcode
SSL Encryption in Transit
AES 256-Bit Encryption at Rest
In Memory Encryption  
FIPS 140-2
Certificate Pinning  
IT Policies      
Compromised Detection
Automatic offline revocation when device is compromised
Require Enrollment
Automatic offline revocation when document expires
Maximum number of offline logins
Wipe content at Maximum number of failed login attempts
Prevent deleting mandatory content
Prevent Copy/Paste
Enable/Disable Print  
Enable/Disable Open in Third Party Application(s)
Enable/Disable Sharing via Email  
Enable/Disable Document Level Encryption
Enable/Disable Document Watermarking*
The watermark feature is available for only admin repositories, user repositories, and Workspace ONE UEM managed content. It is not available for email attachments opened in Workspace ONE Content
✓* ✓*  
Enable/Disable Screen Capture
** For Workspace ONE Content, Enable Screen Capture must be set to Yes to allow users to take screenshot of the documents and media content. It also enables the Screen Mirroring feature using third party apps like Vysor. If Enable Screen Capture is set to No, users can only take screenshot of the Workspace ONE Content home screen and folders. Screen Mirroring is also disabled.
Data Collection      
Install Content
Open/Close Content
Uninstall/Delete Content
Session Status
Mobile Experience
Keep Me Signed In
Authenticate with back-end credentials (Active Directory)
Integrate with Workspace ONE UEM Single-Sign-On  
Workspace ONE UEM Single-Sign-On with Hub as Broker App  
Allow Offline Access
Standalone MCM
Customize Terms of Use
Content Views      
Featured Content (Folder, File, Category)
All Content (All/Installed/Uninstalled)
Recent Activity (Recently Updated and Viewed)
New Content
Favorite Content
Tile and List Views of content  
Full-screen mode for images/PDFs
View Required Content  
Swipe through all images in a folder/view    
Grid view of all images    
File Management      
Sort Content (alphabetically, chronologically, importance)
Filter Content (File Type, download status)
Delete On-Demand documents
Import and Upload new documents/new versions
2-way sync for WebDav, network shares
2- way sync for Google Drive, One Drive  
Check-In/Check-Out to SharePoint  
Add comments to files at SharePoint Check-in    
User Generated Content- Capture Pictures or Video in VMware Workspace ONE Content  
Add, Copy, Multi-Select files or folders
User Generated Content - Add Audio Files    
User Generated Content - Add Office Files
User Generated Content - Add Text Files  
Queue Multiple Document Downloads Simultaneously
Manage Downloads (Pause/Resume/Cancel/Re-order)  
Manage Uploads (Pause/Resume/Cancel/Re-order)    
Search Strings within Documents (PDF Only)
Thumbnail navigation/scrub bar  
View Table of Contents
Multi-Tab Document Viewing(File type restrictions apply)  
Bookmarking (PDF Only)
Edit Bookmarks  
Night-Mode (PDF)  
Presentation Mode (native pointer for presenting content)    
Support for Links in PDFs
View Updates
Search Documents Based on Keywords
Highlight search results
View Last Successful Sync (Sync Status)
User Managed Content (Local Storage)
File Management  
Add/Remove Files(s)
Add new version
Move File(s)/Folder(s)
Add/Remove Folder(s)
Removed files goes to Trash
Automatically Upload document upon opening in VMware Workspace ONE Content  
Add and Save PDF Annotations
Flatten PDF Annotations
Edit and Save Office Documents (Word, Excel, PPT)  
View shared folders with Files (Co-Owner, Editor, Reader)
Display Collaborators & Roles by each Shared Folder
Add Comments to File Versions    
View Activity Feed of Comments & Revision History per Document    
Save Drafts locally    
Notify User when update is available for document
Customization and Integration
External File Repository Integration      
Share Point 2007
Share Point 2010
Share Point 2013
Share Point Online (Office 365)
Network File Share
FileServer (HTTP)  
Google Drive
User Added Repository Support
One Drive for Business  
External File Repository Folder Actions      
Allow sharing of Google Drive folders through email    
Allow sharing of OneDrive folders through email    
Allow marking a folder as favorite    
Google Drive and OneDrive folders cannot be deleted as the delete permissions are not provided to these repositories      
Chinese - Simplified
Chinese - Traditional
Portugese - Brazil
Email Attachment and Integration      
Allow Viewing of Attachments and saving to VMware Workspace ONE Content
Allow Viewing, Extracting and Saving of zipped attachments to VMware Workspace ONE Content
Allow Editing of Email Attachments  
Allow Reshare of Email Attachments  
Multi-Select Content and Send as Email Attachments (Individual Attachments)    
Select Folders and Send as Email Attachments (Zipped Folder)    
VMware Browser Integration      
Allow Viewing and Saving of VMware Browser Downloads  
*File type supported for editing.      

Matrix of Supported File Type by Platform

The file types supported by the Workspace ONE Content app on different platforms are listed in the matrix.

The matrix applies to the version of VMware Workspace ONE Content available in the app store.

Supported File Types iOS Android Notes
Edit View Edit View
AD/Azure RMS
Content app v3.5+

Content app
AAC (audio/aac)     You cannot edit the audio and the video files. You can only add the files from the Content iOS and Android app. Among the audio files, you can add only the .m4a files.
ALAC (audio/m4a)      
WAV (audio/wav)       
MP3 (audio/mpeg)      
MOV (video/quicktime)     Android devices do not support MOV files by default; however, few OEMs do provide support. Samsung devices do not support MOV files.
MP4 (video/mp4)       
M4B, M4R,        
CSV (.csv)      
ePub (.epub)        
iWorks - Keynote (.key) application/vnd.apple.keynote        
iWorks - Numbers (.numbers) application/vnd.apple.numbers      
iWorks - Pages (.pages) application/vnd.apple.pages        
MS Office - Excel (.xls/.xlsx) application/vnd.ms-excel    
MS Office - PowerPoint (.ppt/.pptx) application/vnd.ms-powerpoint    
MS Office - Word (.docx) application/msword Editing is not supported for .doc files
MS Office - Password Protected (.docx, .pptx, .xlsx MS Office 2007 or later) Editing is not supported for .doc files
MS Office - Documents with pivot tables      
HTML (.html) text/html     HTML viewer does not support JavaScript
PDF (.pdf) application/pdf  
Rich Text Format (.rtf) application/rtf      
Rich Text Format Directory (.rtfd) application/octet-stream      
XML (.xml) application/xml      
PNG (.png) image/png      You can add the images but cannot edit the files.
JPG (.jpg) image/jpeg    
TIF (.tif, .tiff) image/tif      
Bitmap (.bmp) image/bmp    
GIF (.gif) image/gif    
Zip (.zip) application/zip  
Password Protected Zip  
RAR (.rar) application/rar      
Password Protected RAR          
GZIP (.gzip) application/zip          
BZIP (.bzip) application/zip          
BZIP2 (.bzip2) application/zip        
TAR (.tar) application/zip            
7Zip (.7z) application/zip    

Configure VMware Workspace ONE Content

Provide end users with device side access to the corporate content using the Workspace ONE Content app. The configurations set in the UEM console determine the level of freedom provided to end users accessing corporate content from their devices.

  1. Navigate to Groups & Settings > All Settings > Content > Applications > Workspace ONE Content app.
  2. Configure the Settings and Policies settings.

    Settings Description
    Application Profile Set to define the security policies and settings used by this application.
    Leave as Default and configure the Recommended Default SDK settings to define app behavior using Workspace ONE UEM recommendations.
    Alternatively, select Custom application settings to override the default SDK settings and configure a unique set off behaviors for the app.
    iOS Profile Select a custom-created SDK profile from the drop-down list.
    Android Profile Select a custom-created SDK profile from the drop-down list.
  3. Configure the General settings.

    Settings Description
    Numbers of Days to Keep Content New Select the number of days recently added documents will be labeled as new in the Workspace ONE Content.
    File Upload Limit Set the maximum number of files that your users can upload in the content app. You can allow users to upload up to 40 files at once.
    Block Enrollment via Content, Boxer, and Web Enable to prevent enrollment through Workspace ONE Content, VMware Workspace ONE Boxer, and VMware Workspace ONE Web. If Workspace ONE Content uses the VMware Workspace ONE SDK for iOS in Objective-C, then MDM enrollment is required for the single-sign on SDK setting to function correctly.
    Change Repository Name for Managed Content Enable to change the repository name in the Root Repository Name field that appears.
    Root Repository Name Enter the new repository name you want to use.
    Allow Hyperlinks Enable to allow end users to open hyperlinks located in documents in the Open Internet Links with field that appears.
    Open Internet Links with Select the application in which to open hyperlinks.
    Local Storage Enable to provide a storage alternative for user content.
    Upload on Wi-Fi Only Enable to restrict uploads from Workspace ONE Content to Wi-Fi connections only.
  4. Implement the Terms of Use agreement for your app.

  5. Assign Notifications to Workspace ONE Content applications for the specified platform.

    Setting Description
    Application Type Indicate as System or Internal.
    Application Name Assign to the application.
    Bundle ID Assign to the application.
    Badge Count Set to Required, Updates Only or None.
    Required: Badge Count represents the number of required documents that the User has not opened through the Workspace ONE Content.
    Updates Only (For Downloaded Content): Badge Count represents the number of downloaded documents that have updates or new versions available.
    None: Badge Counts are disabled for Workspace ONE Content.
  6. Select Save.

Overview for Onboarding VMware Workspace ONE Content

Onboarding requires end users to review and acknowledge training materials and videos before gaining full access to VMware Workspace ONE Content on their devices.

Maximize onboarding functionality, by configuring required content and pushing a single app mode profile to end-users devices. Once Onboarding completes, remove the profile to allow end users to access full device functionality.

Alternatively, configure Onboarding without single app mode to provide a more flexible experience for end users. In this set up end users cannot access the Workspace ONE Content until they view the required content, but they can still use their device.

App With Single App Mode Without Single App Mode
VMware Workspace ONE Content Locked in the Required Content View Locked in the Required Content View
Other Device Apps Inaccessible. The device remains locked in the Required Content View. Accessible. End users can still use their devices.

Before you enforce content viewing, consider how these choices affect the end-user experience. For example, pushing required content to a device out in the field might confuse end users, resulting in help desk tickets. In general, on-boarding, or in a similar guided scenario, provides an appropriate level of context for the limited device behavior, reducing the likelihood of end-user confusion.

Also, consider the impact of deploying Workspace ONE Content in single app mode, as it restricts device functionality to a single app, in this case, Workspace ONE Content. If planning to remove the single app mode restriction at a set time, ensure that the end users does not access other apps. Also, ensure that the end users perform work related tasks on their devices while their devices are restricted.

Enable Onboarding for VMware Workspace ONE Content

Onboarding provides a deployment option for Workspace ONE Content that locks the app into a view that only displays the required content until that content is viewed.

  1. Meet minimum OS and app requirements.
  2. Determine and configure enrollment flow.
  3. Navigate to Content > Settings > Advanced > Onboarding.
  4. Set Onboardingto Enabled and configure the settings that appear.

    Setting Description
    Administrative Unlock Code Set this code to override the supervised mode as an admin.
    Entrance Message Provide a message to end users explaining that they must view the required content before they can use their device.
    Exit Message Provide a message to end users explaining they viewed all the require content and are now free to use their device.

Configure Document Extensions

Document extensions enable end users to interact with the VMware Workspace ONE Content files on iOS devices from within third-party applications. This functionality requires specific configurations within the UEM console and special consideration for certain types of corporate file servers.

Ensure that document extension functionality appears on devices with Workspace ONE Content v3.1 and later by completing the required configurations in the UEM console.

  • Disable Authentication Type

    Applications with the authentication type enabled restrict the users from uploading files from Workspace ONE Content app using document extensions. To allow the user to upload files into the third-party applications, the authentication type must be disabled.

    1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.
    2. Select Disabled from the Authentication Type drop-down menu and then select Save.
  • Disable Application Allowlisting

    Allowlisting of applications must be disabled to permit users to open documents from third-party apps into Workspace ONE Content.

    1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.
    2. Set Limit Documents to Open Only in Approved Apps to No.
    3. Select Save.
  • Enable Allow Open In Third Party Apps

    Allow Open In Third Party Apps option must be enabled for the end users to use the export functionality within third-party apps.

    1. Navigate to Content > Repositories > Admin Repositories.
    2. Select the Editicon next to the Corporate File Server that syncs to end-user devices.
    3. On the Security tab, select Allow Open In Third Party Apps and then Save.

Enable Storage Access

End users can access the files and storage from third-party applications only when the file and storage access is enabled for the Workspace ONE Content on Android devices.

To enable the storage access, complete the required configurations on the console.

  • Enable Storage Access from Third-Party Apps using Android SDK Default Settings

    Add a configuration key in the default SDK profile to enable the content file and storage access from third-party applications.

    1. Navigate to Apps > Settings and Policies > Settings > Custom Settings.
    2. Select Enable Custom Settings and paste {“PolicyEnableFileProvider”: “true”}.
    3. Select Save.
  • Enable Storage Access from Third-Party Apps using Android SDK Custom Profile

    Add a configuration key in the custom SDK profile for Workspace ONE Content to enable the content file and storage access from third-party applications.

    1. If you have an existing custom profile, navigate to Apps > Settings > Profiles > Custom Profile > Custom Settings Payload.
    2. If you want to add a custom profile, navigate to Apps > Settings > Profiles > Add Profile > SDK Profile > Android > Custom Settings > Custom Settings Payload.
    3. Paste {“PolicyEnableFileProvider”: “true”} and select Save.

      If you have multiple custom settings, append the PolicyEnableFileProvider key after your existing custom key within { }. For example, {
      “CustomSetting Default”: "true”, “PolicyEnableFileProvider”: “true” }.

  • You must also enable the Allow Open In Third Party Apps setting to allow end users to access the files from third-party apps. See Enable Allow Open In Third Party Apps.

Limitation of Storage Access from Third-Party Apps (Android Only)

The following list describes the limitations of storage access from third-party apps.

  • Allow Open in third-party apps flag is considered to allow or deny access to third-party apps. ‘Allow Email’ permission flag is not considered for a file since it cannot be determined (based on application ID) whether the third-party app is an email app or not.
  • Support for Android framework to provide the Content file and storage access from third-party apps is disabled by default to manage app containers and the data shared between them.
  • Local Storage files are not accessible since Open In functionality for third-party apps is disabled by default.
  • When Workspace ONE Content authentication is enabled, you must have Workspace ONE Content unlocked to access it through a third-party app (displays message).
  • If your admin has configured an app allowlist and the third-party app is not in the allowlist, then you cannot open or create files through Workspace ONE Content.
  • For the Managed content, all the content is available while browsing through a third-party app. For other repositories, content is available (for one level) only for those folders that are synced in Workspace ONE Content.

QR Code Scan to access Custom URLs (Android Only)

Use custom URLs to provide end users the direct access to the files in the Workspace ONE Content application. Upon scanning, the QR code, which contains the custom URLs allow the end user to search or view the file if the file is downloaded.

You must use either a search query or a specific content ID as the custom URL. The content IDs are automatically generated for every file that you upload to the Workspace ONE UEM console. When you point to the filename, the file path displays the Content IDs.

The custom URLs are:

  • awscl://search/?query=text
  • awscl://search?query=text
  • awscl://search/?query=“text”
  • awscl://search?query=“text”
  • awscl://contentid={content ID}
  • awscl://contentid=“{content ID}”

The search query searches for the specified text string and the specific Content ID directly opens the specified document.

Behavior Changes for Content on iOS using Swift SDK

Workspace ONE Content 5.0 for iOS is the first version of Content to use the Workspace ONE Swift SDK. Previous versions of Content used the Objective C version of the Workspace ONE SDK. With this architectural change comes few changes that might impact the Content app behavior that end users are accustomed to.

The following list describes the behavioral changes:

  • Workspace ONE SDK does not support the logout function in standalone mode.

    Note: Users must use the Intelligent Hub in registered mode on their devices. Users must not try logging in to the Content app in Standalone mode with devices that are not MDM managed or does not have Workspace ONE Intelligent Hub.

  • Work offline option on the username/password screen is no longer supported. The user can work offline by navigating to App Settings and enabling Work Offline. Network calls can still be made, and offline work is honored by Content specific interactions only.

  • SDK authentication screens are updated to a new user experience.
  • If the SDK fails to fetch the Content settings after launch, the user is presented with a failure message.
  • Experience update for user change without Check-in Check Out (CICO) during the forgot passcode scenario.

    For more information about Content app behavioral changes, see the knowledge base article, Behavior changes coming in Workspace ONE Content 5.0.

Document Acknowledgment in Workspace ONE Content

The Content app users can now acknowledge the documents that you assign to them as required content. The users can view the files that require their acknowledgment in the Your files to review section of the app’s For You screen.

On the Workspace ONE UEM console, you can view these acknowledgments in the Content List View and the Device Details pages.

On selecting View under the Installed Status column of the Content List View page, a pop-up box appears to show the exact number of users who have viewed and acknowledged the content.

The following list describes the supported document acknowledgment features:

  • To enable acknowledgement for the required content, apply the custom setting EnableDocumentAcknowledgement: true on the UEM console.
  • The user is not prompted to acknowledge a document which has been already acknowledged.

  • User is prompted to acknowledge again for a new version of the already acknowledged document.

  • The Device Details page shows the acknowledged status and the date on which the document was acknowledged.

  • Content Details by Device report contains the acknowledged status on a per device basis.

Enable Staged Content Mode for Multi-User Devices

To prevent the loss of staged content on multi-user devices during the device check-in and check-out sessions, you must enable the staged content mode for the Content app on the Workspace ONE UEM console. On enabling the staged content mode, any managed content staged on the device is retained, thus helping the user avoid redownloading the content on the next login.

The content is available to a new user who checks out the device only if the new user is assigned the content. The content is cleared if the content is not assigned to the new user.

To enable the staging content mode, add the following configuration key on the Workspace ONE UEM console.

Configuration Key Value Type Supported Types Description
{ “RetainContentBetweenCheckoutSessions”: true } Boolean True = Enabled
False (default) = Disabled
When set to true, the downloaded content is retained and not cleared during the device check-in and checkout sessions.
When set to false, the downloaded content is cleared and not retained during the device check-in and checkout sessions.

Enable Staged Content Support Using Default SDK Profile

Add the configuration key in the default SDK profile to enable the staged mode for the managed content downloaded on the Content app.

  1. Navigate to Groups & Settings > All Settings > Apps > Settings & Policies > Settings.
  2. Select Enable Custom Settings and enter the configuration keys as per your requirement.
    "CustomAppSettings": {
        "com_vmware_folio": {
            "SharedDeviceSettings": {
                "RetainContentBetweenCheckoutSessions": true
  1. Select Save.

Enable Staged Content Support Using a Custom SDK Profile

Add the configuration key in the custom SDK profile to enable the staged mode for the managed content on the Content app.

  1. Navigate to Groups & Settings > All Settings.
  2. If you have an existing custom profile, navigate to Apps > Settings & Policies > Profiles > Custom Profile > Custom Settings.
  3. If you want to add a custom profile, navigate to Apps > Settings & Policies > Profiles > Add Profile > SDK Profile > iOS > Custom Settings.
  4. From Custom Settings, select Configure and enter the configuration key as per your requirement.
    "CustomAppSettings": {
        "com_vmware_folio": {
            "SharedDeviceSettings": {
                "RetainContentBetweenCheckoutSessions": true
  1. Select Save.

Supported and Unsupported Use Cases for Staged Content Mode

Listed are the use cases that are supported and not supported with the staged content mode.


  • New Content app installations that support Staged Content mode.
  • Authentication type in the SDK settings is ‘None.’
  • Retention of only managed Content.


  • Upgrade from an old Content app version to the version supporting the staged content mode.
  • Switching between users in different organization groups, thus having different content retention settings.
  • Switching between parent organization groups where content retention settings are enabled.
  • Editing and saving a PDF/Office document as a draft. If the user has edited a file that is shared between other users, the file retains the edits when the user switch takes place.
  • Repositories other than managed content repositories are not supported.

Digitally sign the PDF Documents using the PIV-D application

Workspace ONE Content enables users to securely sign the PDF documents using the PIV-D signing application. While activating the PIV-D application, users must enroll it and create a Keystore PIN. For more information on the activation process, see the PIV-D app documentation. Users can follow the following steps to securely sign PDF documents in the content app:

  1. Tap on the Digital signature field and a popup message appears.
  2. Tap the Certificate field and enter the Keystore PIN. This is the PIN that users generate at the end of the PIV-D credential activation process.
  3. Select the certificate that the PIV-D creates. You may add your signature if you want.
  4. The PDF document is signed.

Targeted Logging

Enabling the Targeted Logging option in the app allows users to automatically record and send logs for any incident that occurs during a specific flow or duration. The feature generates and shares two sets of log files - start and stop logs. One file contains logs prior to enabling targeted logging, and other file contains logs between enabling and disabling targeted logging.

Set Advance DLP Restrictions on Workspace ONE Content

Using the Workspace ONE UEM console, you can secure the Content app’s data by setting the following advanced Data Loss Preventions (DLPs).

  • Limit uploading files to the content app - You can set the maximum number of files that your users can upload to the content app at once. Navigate to Group & Settings < All Settings > Content > Application > Workspace ONE Content App > File Upload Limit and set the number of files that your users can upload. You can allow users to upload up to 40 files at once.

  • Restrict users to upload images only from their device’s camera - You can restrict the source of the photos from where the enterprise users can upload the image in the content app. Navigate to Content > Repositories > Admin Repositories and add or edit the repository on which you want to impose restrictions. Then, on the Edit Content Repository page, select Allow Upload from Camera Only.

Restricting Unmanaged Application Access

You can enable adaptive management to set Workspace ONE UEM to manage the device so that the device can access the application. Only the devices that are enrolled in EMM can install the app and receive app policies when you enable this setting. To do so, in the Restrictions page, you must enable the Managed Access option.

check-circle-line exclamation-circle-line close-line
Scroll to top icon