Combine Workspace ONE UEM MDM features with Workspace ONE UEM apps to further enhance security and functionality. Easily manage Workspace ONE UEM apps throughout the entire lifecycle across employee-owned, corporate-owned, and shared devices from the UEM console.
Workspace ONE UEM applications allow you and your end users to:
For more information about managing applications, see Mobile Application Management.
The Workspace ONE Intelligent Hub for iOS collects and delivers managed device information to the UEM console. Because this information may contain sensitive data, Workspace ONE UEM takes extensive measures to ensure that the information is encrypted and that it originates from a trusted source.
Workspace ONE UEM uses a unique certificate pair to sign and encrypt all communication between Workspace ONE Intelligent Hub for iOS and the server. These certificates also allow the server to verify the identity and authenticity of each device enrolled in Workspace ONE UEM. This overview details the benefits and necessities of both security enhancements.
Before any data is transferred, the Workspace ONE Intelligent Hub application and the server trade personalized certificates. This relationship is established when Workspace ONE Intelligent Hub for iOS checks into the Workspace ONE UEM server for the first time during enrollment.
After the initial exchange of certificates, all data sent to the UEM console is encrypted from that point forward. The following table shows the two certificates involved and their responsibility in the transaction.
|Component||Hub Certificate||Server Certificate|
|Workspace ONE Intelligent Hub||Sign the Data||Encrypt the Data|
|Workspace ONE UEM Server||Verify the Data Origin||Decrypt the Data|
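The division of roles in the table above can be modeled as sign-then-encrypt with two key pairs. The following is an added illustration, not VMware code and not the actual Workspace ONE wire format; the RSA/AES-GCM construction, the function names, and the sample report are all assumptions made for the example.

```javascript
// Added illustration: models the certificate roles in the table above.
// It is not the Workspace ONE wire format; all keys and data are constructed.
const nodeCrypto = require('node:crypto');
const SIG_LEN = 256; // an RSA-2048 signature is always 256 bytes

const newPair = () => nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const hub = newPair(), server = newPair(), rogue = newPair();

// Hub: sign with the Hub private key, then encrypt to the server public key.
function hubSend(report, hubPrivateKey, serverPublicKey) {
  const data = Buffer.from(JSON.stringify(report));
  const signature = nodeCrypto.sign('sha256', data, hubPrivateKey);
  const key = nodeCrypto.randomBytes(32), iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(signature), cipher.update(data), cipher.final()]);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: serverPublicKey, oaepHash: 'sha256' }, key);
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

// Server: decrypt with the server private key, then verify the origin against
// the Hub public key recorded at enrollment. Throws on any failure.
function serverReceive(msg, serverPrivateKey, enrolledHubPublicKey) {
  const key = nodeCrypto.privateDecrypt({ key: serverPrivateKey, oaepHash: 'sha256' }, msg.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  const plain = Buffer.concat([decipher.update(msg.body), decipher.final()]);
  const signature = plain.subarray(0, SIG_LEN), data = plain.subarray(SIG_LEN);
  if (!nodeCrypto.verify('sha256', data, enrolledHubPublicKey, signature)) {
    throw new Error('signature does not match the enrolled Hub certificate');
  }
  return JSON.parse(data.toString());
}

// Returns the parsed report, or the rejection reason as a string.
function outcome(msg, serverPrivateKey, enrolledHubPublicKey) {
  try { return serverReceive(msg, serverPrivateKey, enrolledHubPublicKey); }
  catch (err) { return `rejected: ${err.message}`; }
}

const report = { udid: 'CONSTRUCTED-0001', compromised: false }; // constructed sample
const good = hubSend(report, hub.privateKey, server.publicKey);
const forged = hubSend(report, rogue.privateKey, server.publicKey); // unenrolled signer
const tampered = { ...good, body: Buffer.from(good.body) };
tampered.body[SIG_LEN] ^= 0x01; // flip one ciphertext bit

console.log(outcome(good, server.privateKey, hub.publicKey));
console.log(outcome(forged, server.privateKey, hub.publicKey));
console.log(outcome(tampered, server.privateKey, hub.publicKey));
```

The first message is accepted; the one signed by a key that was never enrolled and the one altered in transit are both rejected before any report data reaches the caller.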
There are two categories of APIs that Workspace ONE UEM uses with iOS devices for management and tracking capabilities:
The Workspace ONE Intelligent Hub for iOS acts as the broker application that integrates with the Native iOS SDK API layer of management. When using Workspace ONE Intelligent Hub for iOS combined with the Workspace ONE UEM SDK for iOS, administrators can take advantage of more MDM features for applications, more so than what is offered in the Over-the-Air (OTA) MDM API layer.
You can customize the Workspace ONE Intelligent Hub settings in the UEM console. For example, specify an SDK Profile to use with the Workspace ONE Intelligent Hub to harness Workspace ONE UEM functionality.
|Disable Un-Enroll in Hub||This setting deactivates the user's ability to unenroll from Workspace ONE UEM MDM using the Workspace ONE Intelligent Hub. This setting is only available in the Workspace ONE Intelligent Hub v4.9.2 and higher.|
|Background App Refresh||This setting tells the Workspace ONE Intelligent Hub the maximum allowed time interval to refresh app content. Some applications run for a brief period before reaching a suspended state. Background App Refresh is a feature in iOS where the application itself wakes from this suspended state. During this refresh, the Workspace ONE Intelligent Hub reports information, such as compromised detection, hardware details, GPS, iBeacon, and telecom, to the UEM console. The OS controls how often the Workspace ONE Intelligent Hub refreshes and performs the refresh only at efficient times, based on factors such as whether the device is plugged into a power source, how frequently it is used, or whether it is connected to Wi-Fi. To take advantage of the Background App Refresh feature, this setting must be enabled in the UEM console, the Workspace ONE Intelligent Hub cannot be stopped on the device, and Background App Refresh must be enabled on the device for the Workspace ONE Intelligent Hub under Settings > General > Background App Refresh.|
|Minimum Refresh Interval||Select the minimum amount of time that must pass before the device attempts to refresh app content.|
|Transmit on Wi-Fi only||Enable background refresh to occur over Wi-Fi connections only.|
What to do next
For information about offline access, branding, and other Settings and Policies, refer to the VMware AirWatch Mobile Application Management Guide.
Workspace ONE Intelligent Hub Mobile Application for iOS
After enrolling the Workspace ONE Intelligent Hub, the application defaults to a My Device screen. Here you can view real-time information about your device, sync the device, re-enroll the device, and read messages that have been sent from the UEM console.
The Self Service Enabled check box must be selected in the Hub Settings in the UEM console to see all the status information.
Note: If the Disable Un-enroll Hub option is not checked in Hub Settings, select Un-enroll Device before re-enrolling with the Workspace ONE Intelligent Hub v4.9.2.
My Device Functionality
Sync Device – Tap this action to send a request to resync the device with the UEM console.
Current Status – Use the menus to find information about enrollment, re-enroll the device, view accounts, and compliance.
Diagnostics – Use these menus to test connectivity, view Internet access, connectivity issues, server information, and view and send Hub and Device logs.
VMware Workspace ONE Content is an application that enables your end users to access important content on their devices while ensuring file safety for your organization.
From the Workspace ONE Content, end users can access content you upload in the UEM console, content from synced corporate repositories, or their own personal content.
Use the UEM console to add content, sync repositories and configure the actions that end users can take on content opened within the application. These configurations prevent content from being copied, shared, or saved without approval.
For more information about MCM and configuring the VMware Workspace ONE Content, see the VMware Workspace ONE UEM Mobile Content Management Guide.
VMware Workspace ONE Web is an application that provides a manageable and secure alternative to native Web browsers. You can secure the browsing experience on an application, tunnel, and Web site level.
For additional information about preparing and configuring the Workspace ONE Web for deployment, see the VMware Workspace ONE Web Admin Guide.
VMware Workspace ONE Boxer is an email application that offers a consumer-centric focus on mobile productivity with enterprise-grade security in the form of AES 256-bit encryption. This app containerizes business data from personal data, providing frictionless access to enterprise email, calendar, and contacts across corporate-owned and employee-owned devices.
Workspace ONE Boxer allows users to personalize the app to meet their needs with features like custom swipe gestures, contact avatars, custom smart folders, and account color preferences. The all-in-one email, calendar, and contacts app provides an intuitive user experience following native design paradigms on devices.
For more information on VMware Workspace ONE Boxer, see the VMware Workspace ONE Boxer Admin Guide.
AirWatch Container offers a flexible approach to Bring Your Own Device (BYOD) management by pushing a secure work space to a personal device. Businesses can distribute Workspace ONE UEM applications and internal applications to the AirWatch Container for employees to use on their mobile devices.
Applications are visible inside and outside the AirWatch Container, but the enterprise applications are secure through a common SDK framework and a container passcode. These apps can interact seamlessly using single sign on authentication and can connect securely to the Internet through an app tunnel VPN.
For more information about the AirWatch Container, refer to the VMware AirWatch Container Admin Guide.
Single sign on (SSO) allows end users to access Workspace ONE UEM apps, wrapped apps, and SDK-enabled apps without entering credentials for each application. Using the Workspace ONE Intelligent Hub or the AirWatch Container as a "broker application," end users authenticate once per session using their normal credentials or an SSO Passcode.
Enable SSO as part of the Security Policies that you configure to apply to all Workspace ONE UEM apps, wrapped apps, and SDK-enabled apps using a Default SDK Profile.
Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.
Set Single Sign On to Enabled to allow end users to access all Workspace ONE UEM applications and maintain a persistent login.
Set Authentication Type to Passcode and set the Passcode Mode to either Numeric or Alphanumeric to require an SSO Passcode on the device. If you enable SSO but do not enable an Authentication Type, end users use their normal credentials (either directory service or Workspace ONE UEM account) to authenticate, and an SSO Passcode does not exist.
Once an end user authenticates with an application participating in SSO, a session is established. The session stays active until the Authentication Timeout defined in the SDK profile is reached or the user manually locks the application.
Workspace ONE UEM integrates with Apple Configurator to enable you to supervise and manage scaled deployments of Apple iOS devices. Administrators can create configuration profiles, import existing profiles from the iPhone Configuration Utility, install specific operating system versions and enforce iOS device security policies.
Install and run Apple Configurator 2 from a macOS laptop to integrate with the Workspace ONE UEM console to supervise and configure one or many devices at the same time.
Apple Configurator 2 also works with Apple's Device Enrollment Program (DEP) to automate Mobile Device Management (MDM) enrollment and with the Volume Purchase Program (VPP) by assigning managed license apps to devices.
For a complete list of features and functionality available to supervised and unsupervised devices, refer to the iOS Functionality appendix.
For information on enrolling iOS devices with Apple Configurator, see Enrolling iOS Devices in Bulk using Apple Configurator and the Integration with Apple Configurator guide.
Upload a Signed Apple Configurator Profile to the UEM console
You can export a signed profile from Apple Configurator (or IPCU) directly to the UEM console.
Configure supervision and management settings in Apple Configurator (or IPCU).
Export and save the newly created profile to somewhere easily accessible on your computer.
Navigate to Resources > Profiles & Baselines > Profiles within the UEM console and select Upload.
Enter the Managed By group and select Upload to locate and upload the profile exported from Apple Configurator (or IPCU). Click Continue.
Enter the general profile description, including name, description, and assigned organization groups.
Click Save & Publish to send the profile down to assigned devices.