How Do I Configure the Current and Child Permission Settings?

Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.

Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.

Windows Auto-Discovery

The Windows Auto-Discovery (WADS) settings page lets you set the type of WADS deployment you want to use and configure the related options. Windows Auto-Discovery is a service that allows users to enroll using only their email address and removes the need for end users to enter a server address and a group identifier.

Auto-Discovery Mode – Select whether to use an on-premises WADS solution or to use Workspace ONE UEM Cloud-Hosted WADS.

  • On-Premises - Download Windows Auto-Discovery Installer: Select to download the installer for creating an on-premises WADS solution.
  • Cloud-Hosted - Register Domain for Windows Auto-Discovery: Select to launch the domain registry wizard for configuring a cloud-hosted WADS solution.

Windows Rugged / Agent Application

The Windows Rugged Hub Application settings page lets you configure the options for downloading the specific Workspace ONE Intelligent Hub for Windows Rugged devices.

Use Default Cab – Enable to use the default Workspace ONE Intelligent Hub for Windows Rugged cab file available from the Workspace ONE UEM console. Disable this option to use custom cabs you upload.

  • Fully qualified path on local server to the Workspace ONE Intelligent Hub files for Windows Rugged devices – Enter the file path on the local server for the default cab if you enable the default cab.

Add Application – Select to upload a custom cab file to push to Windows Rugged devices.

  • Platform – Choose the cab file's specific OS. This option allows you to upload different cabs for different operating systems that your Windows Rugged devices use.

WM enrollment cab – Select the custom cab you want to push to devices running Windows Mobile.
CE enrollment cab – Select the custom cab you want to push to ARM-based devices running Windows CE.
x86 CE enrollment cab – Select the custom cab you want to push to x86-based devices running Windows CE.

Windows Rugged / Agent Settings

The Windows Rugged Hub Settings page lets you configure the options for the Workspace ONE Intelligent Hub for Windows Rugged devices.
  • General

    Device ID Algorithm – Set the unique device identification algorithm used on the device.

    • Device ID Algorithm 3 – Hub uses the OS-provided API to generate the UDID.
    • Device ID Algorithm 5 – Along with the OS-provided API, the Workspace ONE Intelligent Hub uses the MAC ID of the device to generate the UDID.
    • Device ID Algorithm 6 – Together with the OS-provided API and the MAC ID of the device, the Workspace ONE Intelligent Hub also uses the serial number of the device to generate the UDID.

    Heartbeat Interval (min) – Set the time (in minutes) the Workspace ONE Intelligent Hub waits before checking in with the Workspace ONE UEM console.
    Data Sample Interval (min) – Set the time (in minutes) the Workspace ONE Intelligent Hub waits to collect data from the device.
    Data Transmit Time Interval (min) – Set the time (in minutes) the Workspace ONE Intelligent Hub waits to send data collected from the device to the UEM console.
    Check-In on Condition (Event) – Enable to limit the Workspace ONE Intelligent Hub to checking in or beaconing to the UEM console only when certain conditions (Wi-Fi connection, AC Power, or NW Adapter) are met. This helps reduce bandwidth issues, because devices typically meet the condition when they are stored after hours.

  • Shared Devices (Check-in / Check-out)

    Enable Shared Device Mode - Select this check box to enable shared device functionality.

  • Notifications

    Enable Hub Installation Complete Notification - Select this check box to enable or disable notifications for Hub installation completion.

    Enable Product Install Status Notification - Select this check box to enable or disable notifications through the Workspace ONE Intelligent Hub for product installation completion.

  • Location

    Collect Location Data - Enable to allow the device location to be determined based on a device's Wi-Fi network. When available, the Workspace ONE Intelligent Hub will report the location to the Workspace ONE UEM console using the Data Transmit Interval.

  • Application List

    Applications Poll Interval (min) - Set the time interval (in minutes) at which the applications list for each device will refresh on the Workspace ONE UEM console.

  • Certification List

    Certificate Poll Interval (min) - Set the time interval at which the certificate list for each device will refresh on the Workspace ONE UEM console.

  • Proxy

    Proxy Configuration - Enable to allow the configuration of proxy settings.

  • Application Manager Package Scheduler (Only for AirWatch 3.3 Hub)

    These settings are for the legacy Workspace ONE Intelligent Hub v3.3.

    Use the APPLICATION MANAGER SCHEDULER to define a schedule for devices with the Workspace ONE Intelligent Hub v3.3+ to retrieve products provisioned on schedule.

    Add – Select to create schedules for provisioning products using Products (Legacy).
    Application Manager Scheduler – Select the hour the product begins to push to devices.
    Randomization Window (min) – Select the amount of time the product is pushed. The order of devices is randomized.

  • Remote Management

    Download Remote Control Cab – Select this link to download the cabinet (CAB) installer file for Workspace ONE UEM Remote Management.
    Seek Permission – Enable Seek Permission if you want to prompt the end user to accept or decline the remote management request from the admin.

    • Enter a Seek Permission Message that the end user sees when a remote request is sent.
    • Enter the Yes Caption message for the accept button the end user sees on the Seek Permission request.
    • Enter the No Caption message for the decline button the end user sees on the Seek Permission request.

  • Product Provisioning

    Job Log Level – Select the level of detail your job logs contain. You can choose between the following options.

    • Error – The log contains errors only. This setting produces the smallest amount of detail.
    • Warning – The log contains errors and all warnings.
    • Information – The log contains all errors, all warnings, and all supplemental information.
    • Verbose – The log contains all of the above plus the entire ledger of exchanges between the device and the server, no matter how trivial. Select this option for troubleshooting purposes. This option produces the largest log.

  • Wipe

    Retain Hub Executables After Enterprise Wipe - Enable to keep the Workspace ONE Intelligent Hub executable files after an enterprise wipe command is issued to the device.

Windows Rugged / Power on Password

With the Windows Rugged Power On Password settings, you can configure the options for requiring a password on device startup.

Force Password Expiration – Enable this setting to force the password to expire so that the user must change the password.
View Power On Password – Enable this setting to allow the user to see the password that they enter.

Windows Rugged / Metrics

The Windows Rugged Metrics settings page lets you configure the options for downloading the MotoDC metrics application as well as configure the metrics collected.

Download MotoDC - Select to download the MotoDC cab to collect device metrics. You can set which metrics to collect below the download link.

Windows 7 / Agent Application

The Windows 7 Hub Application settings page lets you configure the options for hosting the Workspace ONE Intelligent Hub for Windows 7 devices.

Fully qualified path on local server to the agent files for Windows PC - Enter the file path on the local server to the Workspace ONE Intelligent Hub files for the Workspace ONE Intelligent Hub for Windows 7 devices.

Windows 7 / Agent Settings

The Windows 7 Hub Settings page lets you configure the options for the Workspace ONE Intelligent Hub for Windows 7 devices.

Beacon Interval (min) – Enter the time interval (in minutes) at which the Workspace ONE Intelligent Hub will check in with the Workspace ONE UEM console.
Data Sample Interval (min) – Enter the time interval (in minutes) at which the Workspace ONE Intelligent Hub will collect a data sample from the device.
Data Transmit Interval (min) – Enter the time interval (in minutes) at which the Workspace ONE Intelligent Hub will transmit the collected data sample to the console. This setting also controls how often the Workspace ONE Intelligent Hub checks for a new automatic upgrade, if enabled.
Block Enrollment if Windows Genuine validation fails – Enable to block devices with non-genuine copies of Windows Operating Systems from enrolling into Workspace ONE UEM.

  • If a device is enrolled and the Workspace ONE Intelligent Hub detects the Windows copy is not genuine, the Workspace ONE Intelligent Hub will send an Enterprise Wipe command to the device.
  • If a device attempts to enroll and the copy of Windows is not genuine, a Non-Compliance message displays and the device is immediately unenrolled.

Enforce Passcode Profile – Enable to force the Workspace ONE Intelligent Hub to prompt end users for password changes when a passcode profile is installed or updated. This option does not apply to domain-joined devices.
Windows Agent Automatic Updates – Enable to automatically update the Workspace ONE Intelligent Hub when an update becomes available.
Remote Management

  • Seek Permission - Enable Seek Permission if you want to prompt the end user to accept or decline the remote management request from the admin.
    • Enter a Seek Permission Message that the end user sees when a remote request is sent.
    • Enter the Yes Caption message for the accept button the end user sees on the Seek Permission request.
    • Enter the No Caption message for the decline button the end user sees on the Seek Permission request.
  • Advanced - Enter configurations for the remote management that include the port, the log level, where the log folder resides, and information for sessions and frequency.

Windows Desktop / Intelligent Hub Application

The Windows Desktop Intelligent Hub Application page lets you configure the various options for the Unified Agent.

Publish Workspace ONE Intelligent Hub – Enable to use the Workspace ONE Intelligent Hub for Windows 10 devices to configure device security and protection settings. Enabling this setting allows you to initiate the Repair Hub and Request Device Log features from the UEM Console.
Device Ownership Type – Select the ownership types that you want to require to enroll with the Workspace ONE Intelligent Hub enrollment method.
Intelligent Hub Automatic Updates – Enable to automatically update the Workspace ONE Intelligent Hub when a new version is available.

Windows Desktop / Intelligent Hub Settings

The Windows Desktop Intelligent Hub Settings page lets you configure the various options for the Workspace ONE Intelligent Hub for Windows Desktop devices.
  • Data Sample Interval (min) - Defines the intervals at which the Workspace ONE Intelligent Hub takes a sample of data from the device.
  • MDM Channel Security - Enable app level security between the OMA-DM server and clients.
  • Show Privacy Screen - Display a standardized screen with information about privacy to hub users.
  • Collect Analytics - Decide to collect crash reports.

Windows Desktop / App Deployments

The Windows Desktop App Deployments page lets you configure software package deployment for Win32 applications.

Software Package Deployment - Select Enabled to enable the ability to deploy Win32 applications from the Apps & Books section so that you can use the application life cycle flow that exists for all internal applications.

Windows Desktop / Windows Sample Schedule

The Windows Desktop Sample Schedule settings page lets you configure the time intervals at which certain data samples are sent to the Workspace ONE UEM console server.

Device Details Sample – Enter the frequency by which device information is refreshed on the Workspace ONE UEM server.
Security Information Sample – Enter the frequency by which security information is refreshed on the Workspace ONE UEM server.
Application List Sample – Enter the frequency by which application information is refreshed on the Workspace ONE UEM server.
Certificate List Sample – Enter the frequency by which certificate information is refreshed on the Workspace ONE UEM server.
Health Attestation Sample – Enter the frequency by which health attestation information is refreshed on the Workspace ONE UEM server.
Update Sample – Enter the frequency by which Windows update information is refreshed on the Workspace ONE UEM server.
Location Information Sample – Enter the frequency by which location information is refreshed on the Workspace ONE UEM server.

Windows Desktop / Windows Health Attestation

The Health Attestation settings page allows you to configure the compromised status definitions for Windows Desktop devices.

Use Custom Server – Select to configure a custom server for Health Attestation. This option requires a server running Windows Server 2016 or newer. Enabling this option displays the Server URL field.

Secure Boot Disabled – Enable to flag compromised device status when Secure Boot is disabled on the device. Secure Boot forces the system to boot to a factory trusted state. When Secure Boot is enabled, the core components used to boot the machine must have the correct cryptographic signatures that the OEM trusts. The UEFI firmware verifies the trust before it allows the machine to start. Secure Boot prevents the startup if it detects any tampered files.

Attestation Identity Key (AIK) Not Present – Enable to flag compromised device status when the AIK is not present on the device. When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that does not have an EK certificate.

Data Execution Prevention (DEP) Policy Disabled – Enable to flag compromised device status when the DEP is disabled on the device. The Data Execution Prevention (DEP) Policy is a memory protection feature built into the system level of the OS. The policy prevents running code from data pages such as the default heap, stacks, and memory pools. DEP is enforced by both hardware and software.

BitLocker Disabled – Enable to flag compromised device status when BitLocker encryption is disabled on the device.

Code Integrity Check Disabled – Enable to flag compromised device status when the code integrity check is disabled on the device. Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity checks for unsigned drivers or system files before they load into the kernel. The check also scans for users with administrative privileges running system files modified by malicious software.

Early Launch Anti-Malware Disabled – Enable to flag compromised device status when the early launch anti-malware is disabled on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

Code Integrity Version Check – Enable to flag compromised device status when the code integrity version check fails.
Boot Manager Version Check – Enable to flag compromised device status when the boot manager version check fails.
Boot App Security Version Number Check – Enable to flag compromised device status when the boot app security version number does not meet the entered number.
Boot Manager Security Version Number Check – Enable to flag compromised device status when the boot manager security version number does not meet the entered number.
BIOS Verification – Requires a specific BIOS verification tool. This menu item does not work for all Windows Desktop devices.
Advanced Settings – Enable to configure advanced settings in the Software Version Identifiers section.
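
The compromised-status toggles above, sketched as an evaluation over one device report. This is an added example, not Workspace ONE UEM code. The report field names follow Microsoft's HealthAttestation CSP; their mapping to these settings, the "at least" reading of the version number checks, and treating a missing field as a failure are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AttestationPolicy:
    """Console toggles from the list above; True means the setting is enabled."""
    secure_boot_disabled: bool = False
    aik_not_present: bool = False
    dep_policy_disabled: bool = False
    bitlocker_disabled: bool = False
    code_integrity_disabled: bool = False
    elam_disabled: bool = False
    min_boot_app_svn: Optional[int] = None       # None = check not enabled
    min_boot_manager_svn: Optional[int] = None   # None = check not enabled


def svn_ok(value, minimum):
    """A security version number passes only if reported and >= the entered number."""
    return isinstance(value, int) and value >= minimum


def compromised_reasons(policy, report):
    """Return the names of the enabled settings that flag this report.

    Assumed report keys (HealthAttestation CSP naming). A key that is absent
    from the report counts as a failed check, so a stripped report cannot pass.
    """
    checks = {
        "Secure Boot Disabled": (policy.secure_boot_disabled, report.get("SecureBootEnabled") is True),
        "Attestation Identity Key (AIK) Not Present": (policy.aik_not_present, report.get("AIKPresent") is True),
        "Data Execution Prevention (DEP) Policy Disabled": (policy.dep_policy_disabled, report.get("DEPPolicy") == 1),
        "BitLocker Disabled": (policy.bitlocker_disabled, report.get("BitLockerStatus") == 1),
        "Code Integrity Check Disabled": (policy.code_integrity_disabled, report.get("CodeIntegrityEnabled") is True),
        "Early Launch Anti-Malware Disabled": (policy.elam_disabled, report.get("ELAMDriverLoaded") is True),
    }
    reasons = [name for name, (enabled, healthy) in checks.items() if enabled and not healthy]
    if policy.min_boot_app_svn is not None and not svn_ok(report.get("BootAppSVN"), policy.min_boot_app_svn):
        reasons.append("Boot App Security Version Number Check")
    if policy.min_boot_manager_svn is not None and not svn_ok(report.get("BootManagerSVN"), policy.min_boot_manager_svn):
        reasons.append("Boot Manager Security Version Number Check")
    return reasons


# Constructed sample values, not taken from a real device or from the page.
SAMPLE_POLICY = AttestationPolicy(secure_boot_disabled=True, dep_policy_disabled=True,
                                  bitlocker_disabled=True, min_boot_manager_svn=3)
SAMPLE_REPORT = {"SecureBootEnabled": True, "AIKPresent": False, "DEPPolicy": 1,
                 "BitLockerStatus": 0, "BootManagerSVN": 2}

if __name__ == "__main__":
    for reason in compromised_reasons(SAMPLE_POLICY, SAMPLE_REPORT):
        print("compromised:", reason)
```

The AIK field is false in the sample but is not reported as a reason, because that toggle is left disabled in the sample policy.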

Windows Desktop / Staging & Provisioning

The Staging & Provisioning page displays the information you need to create a provisioning pack for bulk staging of Windows 10 devices. The information displayed is used in the creation. When you visit the page for the first time, a staging user is created that the information applies to.

Windows Desktop / Auto Enrollment

The Auto Enrollment page displays settings that pertain to enrolling Windows Desktop devices with provisioning service.

Auto Enrollment – Select Enable to use Windows 10 Provisioning Service by VMware AirWatch.
Sync Interval – Select the amount of time between sync attempts between the Workspace ONE Intelligent Hub and the Workspace ONE UEM console.
Enforce Policies Before Log In – Select Enable to enforce the device policies before the user logs in to the device.
Maximum Time Before Log In – Select the maximum number of minutes that may pass before a user logs in after completing the Out-of-Box-Experience.