Combine Workspace ONE UEM MDM features with Workspace ONE UEM apps to even further enhance security and functionality. Easily manage Workspace ONE UEM apps throughout the entire lifecycle across employee-owned, corporate-owned, and shared devices from the UEM console.

Workspace ONE UEM applications allow you and your end users to:

  • Explore the VMware Workspace ONE Content to sync a personal content folder.
  • Configure VMware Workspace ONE Web to secure Internet searches.
  • Enable VMware Workspace ONE Boxer to configure email.
  • Use the AirWatch Container as an alternative to MDM by separating corporate and personal data on the device while maintaining employee privacy.

For more information about managing applications, see Mobile Application Management.

Workspace ONE Intelligent Hub for iOS

The Workspace ONE Intelligent Hub for iOS collects and delivers managed device information to the UEM console. Because this information may contain sensitive data, Workspace ONE UEM takes extensive measures to ensure that the information is encrypted and that it originates from a trusted source.

Workspace ONE UEM uses a unique certificate pair to sign and encrypt all communication between Workspace ONE Intelligent Hub for iOS and the server. These certificates also allow the server to verify the identity and authenticity of each device enrolled in Workspace ONE UEM. This overview describes the purpose and benefits of both security measures.

Understanding the Certificate Exchange

Before any data is transferred, the Workspace ONE Intelligent Hub application and the server trade personalized certificates. This relationship is established when Workspace ONE Intelligent Hub for iOS checks into the Workspace ONE UEM server for the first time during enrollment.

  1. Workspace ONE Intelligent Hub for iOS communicates with the Workspace ONE UEM server to obtain the server’s certificate public key. Both Workspace ONE Intelligent Hub for iOS and the Workspace ONE UEM server trust the public key of the Workspace ONE UEM Root certificate, which verifies the authenticity of all certificates involved in the enrollment exchange.
  2. Workspace ONE Intelligent Hub for iOS validates the server’s certificate against the Workspace ONE UEM Root CA certificate.
  3. Workspace ONE Intelligent Hub for iOS sends a unique certificate public key to the Workspace ONE UEM server.
  4. The Workspace ONE UEM server associates the Workspace ONE Intelligent Hub’s certificate with that device in the database.

Securing the Data in Transit

After the initial exchange of certificates, all data sent to the UEM console is encrypted from that point forward. The following table shows the two certificates involved and their responsibility in the transaction.

                               Hub Certificate          Server Certificate
Workspace ONE Intelligent Hub  Sign the Data            Encrypt the Data
Workspace ONE UEM Server       Verify the Data Origin   Decrypt the Data
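As an added example (not VMware's code), the following Go program models the exchange described in the two sections above: a self-signed Root CA trusted by both sides, a server certificate that the Hub validates against it (step 2), and a device report that the Hub signs with its own key and encrypts to the server's key, which the server decrypts and then verifies against the Hub key it stored at enrollment. The certificate names, the choice of RSA-PSS for signing and RSA-OAEP for encryption, and the use of one helper to mint every key pair (including the Hub's) are assumptions; the page does not name the product's actual algorithms.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue creates an RSA key pair and a certificate for it, signed by parent; a nil parent yields a self-signed root.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA}
	tmpl.BasicConstraintsValid, tmpl.NotBefore, tmpl.NotAfter = true, time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign
	if parent == nil { // self-signed: the root is its own issuer
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// hubValidatesServer is step 2 of the exchange: the Hub accepts the server certificate only if it chains to the trusted Root CA.
func hubValidatesServer(root, server *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool})
	return err
}
// hubSend models the Hub side of data in transit: sign with the Hub key (origin) and encrypt to the server key (confidentiality).
func hubSend(hubKey *rsa.PrivateKey, serverPub *rsa.PublicKey, msg []byte) (ct, sig []byte, err error) {
	h := sha256.Sum256(msg)
	if sig, err = rsa.SignPSS(rand.Reader, hubKey, crypto.SHA256, h[:], nil); err == nil {
		ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, msg, nil)
	}
	return ct, sig, err
}
// serverReceive models the server side: decrypt with the server key, then verify origin against the Hub key stored at enrollment.
func serverReceive(serverKey *rsa.PrivateKey, enrolledHubPub *rsa.PublicKey, ct, sig []byte) (msg []byte, err error) {
	if msg, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, serverKey, ct, nil); err == nil {
		h := sha256.Sum256(msg)
		err = rsa.VerifyPSS(enrolledHubPub, crypto.SHA256, h[:], sig, nil)
	}
	if err != nil {
		msg = nil // undecryptable or not signed by the enrolled Hub key: discard the report
	}
	return msg, err
}
```

A server certificate from any other CA fails step 2, and a report signed by a key the server never associated with the device is discarded even though it decrypts.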

APIs and Application Functionality

There are two categories of APIs that Workspace ONE UEM uses with iOS devices for management and tracking capabilities:

  • Over-the-Air (OTA) MDM APIs are activated through the enrollment process regardless of whether Workspace ONE Intelligent Hub for iOS is used.
  • Native iOS SDK APIs are available to any third-party application, including Workspace ONE Intelligent Hub applications and any other application using the Workspace ONE UEM Software Development Kit (SDK).

The Workspace ONE Intelligent Hub for iOS acts as the broker application that integrates with the Native iOS SDK API layer of management. Using Workspace ONE Intelligent Hub for iOS together with the Workspace ONE UEM SDK for iOS gives administrators more MDM features for applications than the Over-the-Air (OTA) MDM API layer alone offers.

  • Configure Workspace ONE Intelligent Hub Settings for iOS Devices
    You can customize the Workspace ONE Intelligent Hub settings in the UEM console. For example, specify an SDK Profile to use with the Workspace ONE Intelligent Hub to harness Workspace ONE UEM functionality.
  • Workspace ONE Intelligent Hub Mobile Application for iOS
    After enrolling the Workspace ONE Intelligent Hub, the application defaults to a My Device screen. Here you can view real-time information about your device, sync the device, re-enroll the device, and read messages that have been sent from the UEM console.

Configure Workspace ONE Intelligent Hub Settings for iOS Devices

You can customize the Workspace ONE Intelligent Hub settings in the UEM console. For example, specify an SDK Profile to use with the Workspace ONE Intelligent Hub to harness Workspace ONE UEM functionality.

Procedure

  1. Navigate to Devices > Device Settings > Apple > Apple iOS > Hub Settings.
  2. Configure the following settings for the Workspace ONE Intelligent Hub:
     • Disable Un-Enroll in Hub – Deactivates the user's ability to unenroll from Workspace ONE UEM MDM using the Workspace ONE Intelligent Hub. This setting is only available in the Workspace ONE Intelligent Hub v4.9.2 and higher.
     • Background App Refresh – Tells the Workspace ONE Intelligent Hub the maximum allowed time interval for refreshing app content. Some applications run for a brief period before reaching a suspended state.
       Background App Refresh is an iOS feature in which the application itself wakes from this suspended state. During this refresh, the Workspace ONE Intelligent Hub reports information such as compromised detection, hardware details, GPS, iBeacon, and telecom to the UEM console. iOS controls how often the Workspace ONE Intelligent Hub refreshes and schedules refreshes only at efficient times, based on factors such as whether the device is plugged into a power source or connected to Wi-Fi and how frequently the app is used.
       To take advantage of the Background App Refresh feature, this setting must be enabled in the UEM console, the Workspace ONE Intelligent Hub must not be stopped on the device, and Background App Refresh must be enabled on the device for the Workspace ONE Intelligent Hub under Settings > General > Background App Refresh.
     • Minimum Refresh Interval – Select the minimum amount of time that must pass before the device attempts to refresh app content.
     • Transmit on Wi-Fi only – Enable background refresh to occur over Wi-Fi connections only.
  3. Customize extra configurations for the Workspace ONE Intelligent Hub, such as Single Sign On, from the Settings and Policies page in the UEM console. See Enforcing Application-Level Single Sign On Passcodes in this guide.

What to do next

For information about offline access, branding, and other Settings and Policies, refer to the VMware AirWatch Mobile Application Management Guide.

Workspace ONE Intelligent Hub Mobile Application for iOS

After enrolling the Workspace ONE Intelligent Hub, the application defaults to a My Device screen. Here you can view real-time information about your device, sync the device, re-enroll the device, and read messages that have been sent from the UEM console.

The Self Service Enabled check box must be selected in the Hub Settings in the UEM console to see all the status information.

Note: If the Disable Un-Enroll in Hub option is not checked in Hub Settings, select Un-enroll Device before re-enrolling with the Workspace ONE Intelligent Hub v4.9.2.

My Device Functionality

  • Tap the Status menu to view various statuses and self-service diagnostic options:
    • Sync Device – Tap this action to send a request to resync the device with the UEM console.
    • Current Status – Use these menus to view enrollment, account, and compliance information, and to re-enroll the device.
    • Diagnostics – Use these menus to test connectivity, view Internet access and connectivity issues, view server information, and view and send Hub and device logs.
  • Tap the Device Details menu to view various status options:
    • Network – View network adapters and IP addresses.
    • Advanced – Use these menus to find information about the device's battery, memory, and disk space.
    • Location – View GPS coordinates for your device for the current and previous time periods.
    • iBeacon – View the name of the iBeacon region. If iBeacon is configured but location data is not configured, then the device displays only the iBeacon area. If iBeacon and location data are enabled, then the device displays the iBeacon region and the map with the location on the device.
  • Use the dock at the bottom of the screen to find additional information including:
    • Messages – Read notifications from the UEM console. For example, you may receive notifications in the message center to complete a required compliance check to ensure that your device can be successfully monitored.
    • About – Find information about the Workspace ONE Intelligent Hub application and legal information.

VMware Workspace ONE Content

VMware Workspace ONE Content is an application that enables your end users to access important content on their devices while ensuring file safety for your organization.

From the Workspace ONE Content, end users can access content you upload in the UEM console, content from synced corporate repositories, or their own personal content.

Use the UEM console to add content, sync repositories and configure the actions that end users can take on content opened within the application. These configurations prevent content from being copied, shared, or saved without approval.

For more information about MCM and configuring the VMware Workspace ONE Content, see the VMware Workspace ONE UEM Mobile Content Management Guide.

VMware Workspace ONE Web

VMware Workspace ONE Web is an application that provides a manageable and secure alternative to native Web browsers. You can secure the browsing experience on an application, tunnel, and Web site level.

You can configure the Workspace ONE Web to meet unique business needs by restricting Web access to approved Web sites and providing a secure Internet portal for mobile point-of-sale devices. Provide users with a standard browsing experience, including support for multi-tabbed browsing and JavaScript dialog boxes. For maximum security on your Android and iOS devices, consider deploying the Workspace ONE Web with a Restrictions profile that blocks the native browser.

For additional information about preparing and configuring the Workspace ONE Web for deployment, see the VMware Workspace ONE Web Admin Guide.

VMware Workspace ONE Boxer

VMware Workspace ONE Boxer is an email application that offers a consumer-centric focus on mobile productivity with enterprise-grade security in the form of AES 256-bit encryption. This app containerizes business data from personal data, providing frictionless access to enterprise email, calendar, and contacts across corporate-owned and employee-owned devices.

Workspace ONE Boxer allows users to personalize the app to meet their needs with features like custom swipe gestures, contact avatars, custom smart folders, and account color preferences. The all-in-one email, calendar, and contacts app provides an intuitive user experience following native design paradigms on devices.

For more information on VMware Workspace ONE Boxer, see the VMware Workspace ONE Boxer Admin Guide.

AirWatch Container for iOS

AirWatch Container offers a flexible approach to Bring Your Own Device (BYOD) management by pushing a secure workspace to a personal device. Businesses can distribute Workspace ONE UEM applications and internal applications to the AirWatch Container for employees to use on their mobile devices.

Applications are visible inside and outside the AirWatch Container, but the enterprise applications are secure through a common SDK framework and a container passcode. These apps can interact seamlessly using single sign on authentication and can connect securely to the Internet through an app tunnel VPN.

For more information about the AirWatch Container, refer to the VMware AirWatch Container Admin Guide.

Enforcing Application-Level Single Sign On Passcodes

Single sign on (SSO) allows end users to access Workspace ONE UEM apps, wrapped apps, and SDK-enabled apps without entering credentials for each application. Using the Workspace ONE Intelligent Hub or the AirWatch Container as a "broker application," end users authenticate once per session using their normal credentials or an SSO Passcode.

Enable SSO as part of the Security Policies that you configure to apply to all Workspace ONE UEM apps, wrapped apps, and SDK-enabled apps using a Default SDK Profile.

  1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.

  2. Set Single Sign On to Enabled to allow end users to access all Workspace ONE UEM applications and maintain a persistent login.

  3. Set Authentication Type to Passcode and set the Passcode Mode to either Numeric or Alphanumeric to require an SSO Passcode on the device. If you enable SSO but do not set an Authentication Type, end users use their normal credentials (either directory service or Workspace ONE UEM account) to authenticate, and no SSO Passcode exists.

Once an end user authenticates with an application participating in SSO, a session is established. The session remains active until the Authentication Timeout defined in the SDK profile is reached or the user manually locks the application.

Apple Configurator Overview

Workspace ONE UEM integrates with Apple Configurator to enable you to supervise and manage scaled deployments of Apple iOS devices. Administrators can create configuration profiles, import existing profiles from the iPhone Configuration Utility, install specific operating system versions and enforce iOS device security policies.

Install and run Apple Configurator 2 from a macOS laptop to integrate with the Workspace ONE UEM console to supervise and configure one or many devices at the same time.

  • Install the Workspace ONE UEM MDM profile as part of the configuration to enroll devices silently.
  • Supervise dedicated line-of-business devices that are shared among different users.
  • Create configuration profiles to change device settings for Wi-Fi networks, preconfigure mail and Microsoft Exchange settings, and more.
  • Distribute public apps without entering an Apple ID on the device using Configurator.
  • Create blueprints to automate device management. Use blueprints as templates to configure profiles and applications and push them quickly to devices.
  • Add Supervision to devices and take advantage of even more management capabilities, including showing or hiding applications and modifying the device name, wallpaper, passcodes, keyboard shortcuts, and more.
  • Back up user settings and app data, including new user-created data using Configurator.

Apple Configurator 2 also works with Apple's Device Enrollment Program (DEP) to automate Mobile Device Management (MDM) enrollment and with the Volume Purchase Program (VPP) by assigning managed app licenses to devices.

For a complete list of features and functionality available to supervised and unsupervised devices, refer to the iOS Functionality appendix.

For information on enrolling iOS devices with Apple Configurator, see Enrolling iOS Devices in Bulk using Apple Configurator and the Integration with Apple Configurator guide.

Upload a Signed Apple Configurator Profile to the UEM console

You can export a signed profile from Apple Configurator (or IPCU) directly to the UEM console.

  1. Configure supervision and management settings in Apple Configurator (or IPCU).

  2. Export and save the newly created profile to somewhere easily accessible on your computer.

  3. Navigate to Resources > Profiles & Baselines > Profiles within the UEM console and select Upload.

  4. Enter the Managed By group and select Upload to locate and upload the profile exported from Apple Configurator (or IPCU). Click Continue.

  5. Enter the general profile description, including name, description, and assigned organization groups.

  6. Click Save & Publish to send the profile down to assigned devices.
