Activate the Require Device Passcode (RDP) feature in Workspace ONE UEM with the Use Device Pin for Authentication menu item to manage access to Workspace ONE SDK-built apps and Workspace ONE productivity apps using the Workspace ONE SDK.

What are the advantages of RDP?

The Require Device Passcode (RDP) feature offers a way to control how users access apps on their devices without imposing mobile device management (MDM). After you activate RDP, the user uses their device passcode to unlock the Workspace ONE SDK-built app or Workspace ONE productivity app.

  • Without RDP, you have the following options to ensure your users set a passcode.
    • Use MDM to force a device passcode to be set so that HSM (hardware security module) protection is effective.
    • Use the Workspace ONE SDK authentication feature, with passcode or user name and password, so that the user sets an app passcode.
  • RDP offers these benefits.
    • It offers HSM protection without using MDM.
    • The user does not have to remember another secret.

Requirements

Users must set a device passcode on their devices to use RDP.

What are the limitations of RDP?

Consider the limitations of the current RDP feature before using it.
  • The Workspace ONE Intelligent Hub for Android does not support it currently.
  • RDP is a Workspace ONE SDK profile setting. This profile is not directly compatible with Workspace ONE UEM Smart Groups.

How do you configure RDP in the Workspace ONE UEM console?

To use RDP on your devices, set the following settings in the Workspace ONE UEM console. You can set this option in either a default or custom Workspace ONE SDK profile.
  1. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.
  2. Go to the Authentication Type section and select Passcode or Username and Password. RDP is not available if you use Disabled.
  3. Activate Use Device Pin for Authentication.

What uses do RDP and the Workspace ONE SDK support?

Whether you use RDP or not, you can control access to your SDK-built apps and Workspace ONE SDK productivity apps with Workspace ONE UEM or other SDK profile settings.

Table 1. Workspace ONE SDK actions with and without Use Device Pin for Authentication

Is Use Device Pin for Authentication activated? Yes
Is the device Workspace ONE UEM managed? Yes
The Workspace ONE SDK supports these uses:
SDK uses are the same for managed and unmanaged devices.
  • Setting the app UI to lock after a period of inactivity until the device passcode is entered.
  • If the user removes the device passcode after enrollment, blocking access to the app UI and data until the user re-authenticates.

Is Use Device Pin for Authentication activated? Yes
Is the device Workspace ONE UEM managed? No
The Workspace ONE SDK supports these uses:
SDK uses are the same for managed and unmanaged devices.
  • Setting the app UI to lock after a period of inactivity until the device passcode is entered.
  • If the user removes the device passcode after enrollment, blocking access to the app UI and data until the user re-authenticates.

Is Use Device Pin for Authentication activated? No
Is the device Workspace ONE UEM managed? Yes
The Workspace ONE SDK supports these uses:
  • Forcing the user to set a device passcode so that an HSM key adds protection.
  • Setting the device UI to lock after a period of inactivity, until the device passcode is entered.

Is Use Device Pin for Authentication activated? No
Is the device Workspace ONE UEM managed? No
The Workspace ONE SDK supports these uses:
  • Forcing the user to set an app passcode to unlock their SDK apps.
  • Forcing the user to enter their domain user name and passcode to unlock their SDK apps.
  • Protecting data at rest with a PBE key derived from the app passcode.
  • Setting the app UI to lock after a period of inactivity until the app passcode, or user name and password, is entered.
  • Recovering enterprise data after forgetting the app passcode.

Additional documentation

If you want further details concerning RDP, access the Workspace ONE SDK brief (a PDF) called Require Device Passcode that is published on the VMware Developer site.