Workspace ONE Assist provides end users visibility and transparency during remote control sessions by displaying privacy notices, on screen prompts, notifications, and an on screen toolbar giving the end user power over the remote session.
When the end user launches Workspace ONE Assist for the first time, whether in Attended or Unattended mode, they see a Privacy Notice that informs them of the data accessed by the Assist application. Attended sessions always present the end user with a PIN prompt.
However, if the application is launched for the first time through a connection process, the privacy notice is displayed only on the Attended mode agent. The Unattended mode agent does not display a privacy notice during the connection process.
PIN Prompt at the Beginning of a Session
When you start a session in Workspace ONE Assist, a four-digit PIN displays as a pop-up message to you, the admin. You must provide this PIN to the host device end user so they can enter it into the PIN prompt on their device. Communicate this PIN by telephone, text message, or email. This exchange represents the host device end user's acknowledgment of the privacy notice. The end-user grants access (by entering the PIN you provide) or denies access (by not entering the PIN you provide).
When you use any client tool (Remote View, Remote Control, File Manager, or Remote Shell), a blue outline is drawn around the outer edge of the host device end user's screen called a "halo". This halo serves as a persistent notification that a Workspace ONE Assist session is active.
There is a toolbar that appears with the halo. This toolbar gives the host device end user the power to pause a session, revoke remote control privileges demoting the session back to Remote View only, and the power to disconnect the session entirely. The toolbar also indicates when the screen is being recorded.
- Note: The halo effect, and other notifications, are disabled on corporate owned, fully managed Android devices using the Unattended Agent ONLY.
When you start any other client tool during a Screen Share session, the end user is again asked permission for access.
For example, an end user enters the PIN provided by the Admin resulting from initiating a Screen Share session. This action grants the Admin view only access to the end user's Windows 10 device to troubleshoot a problem. During this Screen Share session, the Admin starts the Manage Files client tool. Before the Admin gets to see and manage the end user's files remotely, the end user of the host device must select Deny or Allow from the Manage Files prompt that appears. The Screen Share session is not impacted by either choice. However, the Manage Files session cannot proceed until after the end-user grants access.
The PIN prompt and User Consent prompts are displayed only during an Attended mode of connection. When using Workspace ONE Assist in Unattended mode, no device notifications are provided when a remote management session is active. You are solely responsible for notifying device end users of Assist sessions in unattended mode.
- Note: On Samsung devices, the end user must accept a Knox permission when the application is first launched, even for devices in Unattended mode.
For more information, see Agent Modes.
Notifications Sent Per Video Recording and Screenshot
For Android, macOS, and Windows 10 devices only, the first time you initiate a video recording or request a screenshot in a session, the host device end user is prompted to grant permission. After the end-user grants permission, each subsequent video recording or screenshot made in the same session results in a "pop-up" on-screen notification instead of a permission request.
These notifications, together with the PIN prompts and the other permissions, are designed to foster transparency during any Workspace ONE Assist session.
For more information about VMware's stance on privacy, see the VMware Privacy Notice.