Deploy Workspace ONE Notebook with security configurations to your end users from the Workspace ONE UEM console.

You can also configure Workspace ONE Notebook with Secure Email Gateway (SEG). To know how to configure SEG, see the Secure Email Gateway admin guide.
Note: To enable SEG support when you are configuring Notebook version 1.4 using the Workspace ONE UEM console version 2003 and below, you must add the EasDeviceIdentifier key to the Notebook application configuration.

You can add the Workspace ONE Notebook app as a public application to the Workspace ONE UEM console.

Use this simplified deployment workflow to push the Workspace ONE Notebook app to the end users.

  1. In the Workspace ONE UEM console navigate to Apps & Books >Applications > Native > List View >Public.
  2. Select Add Application.
  3. Configure Add Application.
    Setting Description
    Managed By Select the organization group.
    Platform Select an appropriate platform.
    Name Enter Workspace ONE Notebook.
    Search App Store (iOS only) Search App Store Select to make the application available in the App Store.
    Enter URL Enter the URL of the app.
    Import from Play Select to make the application available in the Play Store. It is applicable for the Android platform. To search the Google Play Store in an on-premises deployment, you must integrate a Google Account with the Workspace ONE UEM MDM environment.
  4. Select the Workspace ONE Notebook application.
  5. (Optional) Assign the custom SDK profile to Workspace ONE Notebook. Only complete this step if you have selected to use a custom SDK profile instead of the default SDK profile.
  6. Navigate to the SDK tab. It is the custom SDK profile.
  7. Select the SDK profile you created during the Notebook configuration steps.
  8. Select Save and Assign.
  9. Select Add Assignment from the updated assignment page and enter the name of assignment group in the Select Assignment Groups text box.
  10. Select Add.
  11. Select Save and Publish.

Install Workspace ONE Notebook on a mobile device that is registered or enrolled using Workspace ONE Intelligent Hub or Workspace ONE app. Users must enter their Exchange credentials after the initial run to synchronize the Exchange content.

Configure Workspace ONE Notebook with Derived Credentials (PIV-D)

Create and configure an SDK profile with Derived Credential and assign the profile to the Notebook application. The SDK profile enables Notebook to fetch the Derived Credential certificates from the Workspace ONE PIV-D Manager application so that the device can use the certificates to access resources securely.

A Derived Credential is a client certificate that is generated (or issued) on a mobile device after end users prove their identity using their existing smart card (CAC or PIV) during the enrollment process.

When you set the Credential Source as Derived Credential on the Credential payload, Notebook imports the authentication, signing, and encryption certificates from the PIV-D application. The PIV-D certificate is then used to authenticate users against the Exchange Server through CBA and dual authentication in Notebook.

For more information on the PIV-D application, see Workspace ONE PIV-D Manager Admin Guide.

  1. Configure the SDK Profile:
    1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Profiles select Add Profiles.
    2. Select SDK Profile.
    3. Select the desired platform.
    4. Configure the profile's General Settings.
    5. Select the Credentials payload and select Configure.
    6. Set the Credential Source to Derived Credentials.
    7. Select the Key Usage based on how the certificate is used. Select Authentication, Signing, or Encryption.
    8. To add additional certificates, use the plus sign at the bottom of the profile window.
    9. Select Save and Publish.
  2. Assign the SDK Profile to Notebook:
    1. Navigate to Apps & Books > Native > Public > Add Application and add Workspace ONE Notebook.
    2. If the Notebook application has already been added, you can skip the preceding step.
    3. Select Edit.
    4. Navigate to the SDK tab and set the SDK profile to the one configured with the derived credential source and key usage.
    5. Select Save and Assign.

Assign and Configure Workspace ONE Notebook Using the App Assignment

Configure Workspace ONE Notebook using the App Policies.

The steps provided in this page are applicable to assign the Notebook application for versions 1.4 and higher using the console versions of 2004 and higher. For older versions of assigning Notebook, see Application Configurations for Workspace ONE Notebook.

These configurations are set as a part of the SDK profile that you are planning to use for Notebook. If you are using the default SDK profile, set the application configurations by navigating to Groups & Settings > All Settings > Apps > Settings and Policies > Settings.

You can upload Notebook as a public or an internal application to Workspace ONE UEM console.
  1. Navigate to Apps & Books > Applications > Native > List View > Public.
  2. Select the Assign link under the Install Status column for the Notebook application. Alternatively, you can also select the edit icon and then select Save & Assign.
  3. On the Assignment page, select Add Assignment and complete the options.
    1. In the Distribution tab, enter the following information:
      Settings Description
      Name Enter the assignment name.
      Description Enter the description for the assignment.
      Assignment Groups Enter the smart group name to which you want to assign the application.

      As you enter the smart group name, options are displayed and you can select the appropriate smart group from the list.

      If necessary, you can add more assignment groups.
      App Delivery Method
      • On Demand – Deploys content to a catalog or other deployment agent. The device user can decide if and when to install the content.

        This option is the best choice for content that is not critical to the organization. Allowing users to download the content when they want helps conserve bandwidth and limits unnecessary traffic.

      • Automatic – Deploys content to a catalog or other deployment Hub on a device upon enrollment. After the device enrolls, the system prompts users to install the content on their devices.

      This option is the best choice for content that is critical to your organization and its mobile users.
  4. In the Restrictions tab, enter the following information:
    Settings Description
    Remove on Unenroll Set the application to be removed from a device when the device unenrolls from Workspace ONE UEM. Workspace ONE UEM enables this setting by default.

    If you enable this setting, supervised devices are restricted from silent app installation. This is because the device is locked and the provisioning profile installation is in the command queue which requires a device to be unlocked to complete the installation.

    If you deactivate this setting, provisioning profiles are not pushed with the installed application. That is, if the provisioning profile is updated, the new provisioning profile is not automatically deployed to devices. In such cases, a new version of the application with the new provisioning profile is required.
    Prevent Application Backup Disallow backing up the application data to iCloud. However, the application can still back up to iCloud.
    Make App MDM Managed if User Installed

    Assume management of applications previously installed by users on their devices, whether applications are supervised or unsupervised.

    Enable this feature so that users do not have to delete the application version installed on the device. Workspace ONE UEM manages the application without having to install the AirWatch Catalog version on the device.
  5. In the Tunnel & Other Attributes tab, enter the following information:
    Per App VPN Profile Select a VPN profile that you want to use for the application. Users access the application using a VPN, which helps ensure that application access and use is trusted and secure.
    Other Attributes App attributes provide device-specific details for applications to use. For example, when you want to set a list of domains that are associated to a distinct organization.
  6. In the Application Configuration tab, enter the following information:
    Settings Description
    UPLOAD XML You can upload an XML file that contains the key value pairs supported by the application for the app configuration.
  7. Select Add Assignment, to add more assignments for your publication.
  8. In the Exchange Settings, enter the following information:
    Table 1.
    Settings Descriptions
    Exchange URL Enter the Exchange URL.
    Note: If you are using SEG then insert the SEG URL here.
    Exchange User Name Enter the Exchange user name.
    User Email Enter the user's email address.
    Authentication Type Select the type of authentication.
    Note: For certificate authentication, configure and upload certificate in SDK profile.
  9. In the App Policies, enter the following information:
    Table 2.
    Settings Descriptions
    Allow Gallery Enables or deactivate access and use of the device image gallery.
    Allow Voice Recordings Enables or deactivate the use of audio recording.
    Allow Document Scanner (iOS Only) Enables or deactivate the document scanning feature.
    Allow Hyperlinks (iOS Only) Allow users to enter hyperlinks.
    Allow Annotation (iOS Only) Allows the use of handwriting and highlighter tools.
    Allow Attachments Enables or deactivate note attachments feature. When deactivate, no attachment types are allowed.
  10. Select Create.