After your devices are enrolled and configured, manage the devices using the Workspace ONE ™ UEM console. The management tools and functions enable you to keep an eye on your devices and remotely perform administrative functions.
You can manage all your devices from the UEM console. The Dashboard is a searchable, customizable view that you can use to filter and find specific devices. This feature makes it easier to perform administrative functions on a particular set of devices. The Device List View displays all the devices currently enrolled in your Workspace ONE UEM environment and their status. The Device Details page provides device-specific information such as profiles, apps, Workspace ONE Intelligent Hub version and which version of any applicable OEM service currently installed on the device. You can also perform remote actions on the device from the Device Details page that are platform-specific.
As devices are enrolled, you can manage them from the Device Dashboard in Workspace ONE UEM powered by AirWatch.
The Device Dashboard provides a high-level view of your entire fleet and allows you to act on individual devices quickly.
You can view graphical representations of relevant device information for your fleet, such as device ownership type, compliance statistics, and platform and OS breakdowns. You can access each set of devices in the presented categories by selecting any of the available data views from the Device Dashboard.
From the List View, you can take administrative action: send messages, lock devices, delete devices, and change groups associated with the device.
Security – View the top causes of security issues in your device fleet. Selecting any of the doughnut charts displays a filtered Device List view comprised of devices affected by the selected security issue. If supported by the platform, you can configure a compliance policy to act on these devices.
- Compromised – The number and percentage of compromised devices (jailbroken or rooted) in your deployment.
- No Passcode – The number and percentage of devices without a passcode configured for security.
- Not Encrypted – The number and percentage of devices that are not encrypted for security. This reported figure excludes Android SD Card encryption. Only those Android devices lacking disc encryption are reported in the donut graph. Ownership – View the total number of devices in each ownership category. Selecting any of the bar graph segments displays a filtered Device List view comprised of devices affected by the selected ownership type.
Last Seen Overview/Breakdown – View the number and percentage of devices that have recently communicated with the Workspace ONE UEM MDM server. For example, if several devices have not been seen in over 30 days, select the corresponding bar graph to display only those devices. You can then select all these filtered devices and send out a query command so that the devices can check in.
- Platforms – View the total number of devices in each device platform category. Selecting any of the graphs displays a filtered Device List view comprised of devices under the selected platform.
- Enrollment – View the total number of devices in each enrollment category. Selecting any of the graphs displays a filtered Device List view comprised of devices with the selected enrollment status.
- Operating System Breakdown – View devices in your fleet based on operating system. There are separate charts for each supported OS. Selecting any of the graphs displays a filtered Device List view comprised of devices running the selected OS version.
Device List View
Use the Device List View in Workspace ONE UEM powered by AirWatch to see a full listing of devices in the currently selected organization group.
Device List View,UEM,Workspace ONE,device list,friendly name,device status
The Last Seen column displays an indicator showing the number of minutes elapsed since the device has checked-in. The indicator is red or green, depending on how long the device is inactive. The default value is 480 minutes (8 hours) but you can customize this by navigating to Groups & Settings > All Settings > Devices & Users > General > Advanced and change the Device Inactivity Timeout (min) value.
Select a device-friendly name in the General Info column at any time to open the details page for that device. A Friendly Name is the label you assign to a device to help you differentiate devices of the same make and model.
Sort by columns and configure information filters to review activity based on specific information. For example, sort by the Compliance Status column to view only devices that are currently out-of-compliance and target only those devices. Search all devices for a friendly name or user name to isolate one device or user.
Customize Device List View Layout
Display the full listing of visible columns in the Device List view by selecting the Layout button and select the Custom option. This view enables you to display or hide Device List columns per your preferences.
There is also an option to apply your customized column view to all administrators at or below the current organization group (OG). For instance, you can hide 'Asset Number' from the Device List views of the current OG and of all the OGs underneath.
Once all your customizations are complete, select the Accept button to save your column preferences and apply this new column view. You can return to the Layout button settings at any time to tweak your column display preferences.
Some notable device list view custom layout columns include the following.
- Android Management
- SSID (Service Set Identifier or Wi-Fi network name)
- Wi-Fi MAC Address
- Wi-Fi IP Address
- Public IP Address
Exporting List View
Select the Export button to save an XLSX or CSV(comma-separated values) file of the entire Device List View that can be viewed and analyzed with MS Excel. If you have a filter applied to the Device List View, the exported listing reflects the filtered results.
Search in Device List View
You can search for a single device for quick access to its information and take remote action on the device.
To run a search, navigate to Devices > List View, select the Search List bar and enter a user name, device-friendly name, or other device-identifying element. This action initiates a search across all devices, using your search parameter, within the current organization group and all child groups.
Device List View Action Button Cluster
With one or more devices selected in the Device List View, you can perform common actions with the action button cluster including Query, Send [Message], Lock, and other actions accessed through the More Actions button.
Available Device Actions vary by platform, device manufacturer, model, enrollment status, and the specific configuration of your Workspace ONE UEM console.
You can start a Remote Assist session on a single qualifying device allowing you to remotely view the screen and control the device. This feature is ideal for troubleshooting and performing advanced configurations on devices in your fleet.
To use this feature, you must satisfy the following requirements.
- You must own a valid license for Workspace ONE Assist.
- You must be an administrator with a role assigned that includes the appropriate Assist permissions.
- The Assist app must be installed on the device.
- Supported device platforms:
- Windows 10
- Windows Mobile
Select the check box to the left of a qualifying device in the Device List View and the Remote Assist button displays. Select this button to initiate a Remote Assist session.
For more information, see the Workspace ONE Assist guide, available on docs.vmware.com.
Using the Device Details Page for iOS Devices
Use the Device Details page to track detailed device information and quickly access user and device management actions.
You can access the Device Details page by either selecting a device's Friendly Name from the List View page, from one of the available Dashboards or by using any of the available search tools within the UEM console.
View Device Information Use the Device Details menu tabs to access specific device information, including:
- Summary – View general statistics such as:
- Enrollment status
- Last seen
- Activation Lock
- Find My iPhone
- iCloud Backup (use the mouse to hover over iCloud Backup status to see Last Backup status)
- Data protection
- Contact information
- Organization group and smart group
- Phone number (for the devices such as iPhone XS, XR, or XS Max that supports multiple SIM cards including eSIM, displays the phone numbers of all the SIMs associated with the device)
- Serial number, UDID, and asset number
- Power status
- Storage capacity
- Available OS updates (iOS 11 and later devices)
- Physical memory and virtual memory and warranty information
If Apple's Global Service Exchange information is accessible, select the warranty link to see when the status was last updated. Then, use the Refresh button to get the latest information
- An enterprise or factory wipe queries an Activation Lock bypass code and then go into wipe pending mode on supervised devices.
If the Find my iPhone Activation Lock option is enabled for iOS 7+ devices, then a warning will appear when performing a device wipe command on an unsupervised device, notifying you that a device with Activation Lock enabled cannot be reactivated without the original Apple ID and password. This is true even if you perform a full device wipe. For more information, see Activation Lock Overview.
Compliance – Display the status, policy name, date of the previous and forthcoming compliance check and the actions already taken on the device.
- Profiles – View all MDM profiles currently installed on a device.
- Apps – View the app status, app name, type of the app (whether public or internal), app version and identifier, and the size of the app. For iOS 11.+ devices, the UEM console displays available app updates (whether the installed version is the latest version or if an update is available) and app source (whether the app is installed through the App Store, distributed as a Beta app, signed adhoc by an enterprise account, or managed using a device based VPP license).
Note: Due to the way application status is reported on iOS devices, an application achieves Installed status only after the installation process is fully completed. Which means when the Workspace ONE UEM console queries the device for its application list sample, and if the application is still downloading, then the application returns a status of Installing. On a successful application installation, the device returns the application status as Installed which is marked the same in the Workspace ONE UEM console.
- Updates – View the iOS updates available for the device including the OS version, product key, build version, last update, download percentage, and progress status.
- Content – View the status, type, name, priority, deployment, last update, and date and time of views, and provides a toolbar for administrative action (install or delete content).
- Location – View current location or location history of a device.
- User – Access details about the user of a device as well as the status of the other devices enrolled to this user.
The menu tabs below are accessed by selecting More from the main Device Details page:
- Network – View the current network (Cellular, Wi-Fi, Bluetooth) status of a device. For iOS 12.1 and later devices such as iPhone XS, XR, or XS Max that supports multiple SIMs and eSIM, you can view and track the network status of the SIMs on the UEM console.
- Security – View the current security status of a device based on security settings.
- Restrictions – View the types of restrictions that currently apply to the device.
- Telecom – View all amounts of calls, data and messages sent and received involving the device.Item
- Notes – View and add notes regarding the device. For example, note the shipping status or if the device is in repair and out of commission.
- Certificates – Identify device certificates by name and issuant. This tab also provides information about certificate expiration.
- Alerts – View all alerts associated with the device.
- Books – View all internal books on the device.
- Shared Device Log – View the history of the shared device including past check-ins and check-outs and status.
- Restrictions – View all restrictions currently applied to a device. This tab also shows specific restrictions by Device, Apps, Ratings, and Passcode.
- Status History – View history of device in relation to enrollment status.
- Targeted Logging – View the logs for the Console, Catalog, Device Services, Device Management, and Self Service Portal. You must enable Targeted Logging in settings and a link is provided for this purpose. You must then select the Create New Log button and select a length of time the log is collected.
Troubleshooting – View Event Log and Commands logging information. This page features export and search functions, enabling you to perform targets searches and analysis
- Event Log – View detailed debug information and server check-ins, including a Filter by Event Group Type, Date Range, Severity, Module, and Category.
In the Event Log listing, the Event Data column may display hypertext links that open a separate screen with even more detail surrounding the specific event. This information enables you to perform advanced troubleshooting such as determining why a profile fails to install.
- Commands – View detailed listing of pending, queued, and completed commands sent to the device. Includes a Filter enabling you to filter commands by Category, Status, and specific Command.
- Attachments – Use this storage space on the server for screenshots, documents, display Hub logs sent from the Intelligent Hub, and links for troubleshooting and other purposes without taking up space on the device its
Perform Remote Actions The More Actions drop-down on the Device Details page enables you to perform remote actions over-the-air to the selected device. See below for detailed information about each remote action. The actions listed below will vary depending on factors such as device platform, UEM console settings, and enrollment status.
- Query All – Send a query command to the device to return a list of installed applications (including Workspace ONE Intelligent Hub, where applicable), books, certificates, device information, profiles, and security measures.
- Device Information (Query) – Send an MDM query command to the device to return information on the device such as friendly name, platform, model, organization group, operating system version, and ownership status.
- Security (Query) – Send an MDM query command to the device to return the list of active security measures (device manager, encryption, passcode, certificates, and so on).
- Profiles (Query) – Send an MDM query command to the device to return a list of installed device profiles.
- Apps (Query) – Send an MDM query command to the device to return a list of installed applications.
- Certificates (Query) – Send an MDM query command to the device to return a list of installed certificates.
- Clear Passcode (Restrictions Setting) – Clear the passcode command clears the login passcode on the device. The device needs to be supervised.
- User Lists (Query) - Send a query command to the device to return a list of users who have logged into the device (for shared devices only).
- Lock Device – Send an MDM command to lock a selected device, rendering it unusable until it is unlocked.
- Lock SSO – Lock the device user out of Workspace ONE UEM Container and all participating applications.
- Enterprise Wipe – Enterprise Wipe a device to unenroll and remove all managed enterprise resources including applications and profiles. This action cannot be undone and re-enrollment is required before Workspace ONE UEM can manage this device again. This device action includes options to prevent future re-enrollment and a Note Description text box for you to add information about the action.
- Enterprise Wipe is not supported for cloud domain-joined devices.
- iOS updates - Select individual devices or devices in bulk to send updates to devices that are enrolled through Apple Business Manager.
- Managed Settings – Activate or deactivate voice roaming, data roaming, and personal hotspots.
- Device Wipe – Send an MDM command to wipe a device clear of all data and operating system. This puts the device in a state where recovery partition will be needed to reinstall the OS. This action cannot be undone. The recovery partition is only needed on Mac devices and not in iOS devices.
- iOS Device Wipe Considerations
- For iOS 11 and below devices, the device wipe command would also wipe the Apple SIM data associated with the devices.
- For iOS 11+ devices, you have the option to preserve the Apple SIM data plan (if existed on the devices). To do this, select the Preserve Data Plan checkbox on the Device Wipe page before sending the device wipe command.
- For iOS 11.3+ devices, you have an additional option to activate or deactivate to skip the Proximity Setup screen while sending down the device wipe command. When the option is enabled, the Proximity Setup screen will be skipped in the Setup Assistant and thus preventing the device user from seeing the Proximity Setup option
For more information about troubleshooting device wipes, related permissions, and when device wipe actions appear in the UEM console, refer to the following Workspace ONE UEM Knowledge Base article https://support.workspaceone.com/articles/115012396488.
- Schedule iOS Updates – Push an iOS update to a device that is not enrolled through DEP. For more information, see Configure iOS Updates.
- Refresh eSIM – Send a query to a carrier eSIM server URL to refresh the active eSIM cellular plan profiles on the device.
- Send Message – Send a message to the user of the selected device. Select between Email, Push Notification (through AirWatch Cloud Messaging), and SMS. Push notification requires Airwatch applications like Hub, Boxer etc which must have been launched at least once.
- Find Device – Send a text message to the applicable Workspace ONE UEM application together with an audible sound designed to help the user locate a misplaced device. The audible sound options include playing the sound a configurable number of times and the length of the gap, in seconds, between sounds.
- Request Device Check-In – Request the selected device to check-in itself in to the UEM console and updates the Last column status. This action also resets the device enrollment to the staging user.
- Sync Device – Synchronize the selected device with the UEM console, aligning its Last Seen status.
- Remote View – Enable an active stream of the device's output to a destination of your choice, allowing you to see what the user sees as they operate the device. The destination parameters include IP address, port, audio port, password, and scan time.
Change Organization Group – Change the device's home organization group to another existing OG. Includes an option to select a static or dynamic OG.
- If you want to change the organization group for multiple devices at a time, you must select devices for the bulk action using the Block selection method (using the shift-key) instead of the Global check box (next to the Last Seen column heading in the device list view).
Add Tag – Assign a customizable tag to a device, which can be used to identify a special device in your fleet.
- Edit Device – Edit device information such as Friendly Name, Asset Number, Device Ownership, Device Group Device Category.
- Delete Device – Delete and unenroll a device from the console. Sends the enterprise wipe command to the device that gets wiped on the next check-in and marks the device as Delete In Progress on the console. If the wipe protection is turned off on the device, the issued command immediately performs an enterprise wipe and removes the device representation in the console.
- Clear Activation Lock – Clear the Activation Lock on an iOS device. With the Activation Lock enabled, the user requires an Apple ID and password before taking the following actions: disabling Find My iPhone, factory wipe, and reactivate to use the device.
- Device Configured - Send this command if a device is stuck in an Awaiting Configuration state.
Enable/Disable Lost Mode – Use this device action to lock a device and send a message, phone number, or text to the lock screen. The device end user cannot deactivate Lost Mode. When an admin deactivates Lost Mode, the device returns to normal functionality. Users receive a message that tells them that the location of the device was shared. (iOS 9.3 + Supervised)
- Request Device Location – Query a device when in Lost Mode and then use the Location tab to find the device. (iOS 9.3 + Supervised)
- Log out user - Log out the current user of the device if needed.
Configure and Deploy a Custom Command to a Managed Device
Workspace ONE UEM enables administrators to deploy a custom XML command to managed Apple devices. Custom commands allow more granular control over your devices.
Use custom commands to support device actions that the UEM console does not currently support. Do not use custom commands to send commands that exist in the UEM console as Device Actions. Samples of XML code you can deploy as custom commands are available in the Workspace ONE UEM Knowledge Base at https://kb.vmware.com/s/article/2960669.
Important: Improperly formed or unsupported commands can impact the usability and performance of managed devices. Test the command on a single device before issuing custom commands in bulk
- In the UEM console, navigate to Devices > List View.
- Select one or more macOS or iOS devices using the check boxes in the left column.
- Select the More Actions drop-down and select Custom Commands. The Custom Commands dialogue box opens.
- Enter the XML code for the action you want to deploy and select Send to deploy the command to devices.
- Browse XML code for Custom Commands on the Workspace ONE UEM Knowledge Base at https://kb.vmware.com/s/article/2960669.
If the Custom Command does not run successfully, delete the command by navigating to Devices > List View. Select the device to which you assigned the custom command. In the Device Details View, select More > Troubleshooting > Commands. Select the Command you want to remove, and then select Delete. The Delete option is only available for Custom Commands with a Pending status.