You can configure to deploy public and internal applications based on the device management status. Any device can access applications that are configured as open access apps. Only devices that are granted permission through the Workspace ONE Intelligent Hub app can access applications that are configured for managed access.

The table outlines capabilities for both managed and unmanaged scenarios.

Access Type Features Description Suggested Uses
Open Access (unmanaged)
  • Self-service app catalog for Web, Horizon, and Citrix resources.
  • Launch web/virtual with single sign-on (SSO).
  • Touch ID / PIN application protection.
  • Device jailbreak detection.
  • Support for Workspace ONE Access conditional access, including authentication policies and blocking devices.
  • Native application access.
  • Internal App and SDK app distribution.
Users access resources on their device without granting admins permission to access their device.

The applications with open access are available to devices no matter their managed status. Admins cannot systematically remove native applications when they are set to Open Access.

  • Provide application access to end-users immediately upon login, without elevated security permissions.
  • Recommend the use of an application without requiring that the application is installed. Users can install the application on their device when they want.
  • Applications do not contain sensitive corporate data and do not access protected corporate resources.
  • To distribute applications to auxiliary personnel without the Workspace ONE UEM MDM profile.
Managed Access
  • Self-service app catalog for Web, Horizon, and Citrix resources.
  • Launch web/virtual with single sign-on (SSO).
  • Touch ID / PIN application protection.
  • Device jailbreak detection.
  • Support for Workspace ONE Access conditional access, including authentication policies and blocking devices.
  • Managed and direct installation of Native Apps.
  • Internal App and SDK app management.
  • Support for app configuration.
  • Per-app VPN
  • One-Touch SSO for SAML enabled native apps.
  • Device profiles.
  • Workspace ONE UEM compliance engine.
Users install a management profile on their device to grant admins permission to access their device.

Applications with managed access are available to devices that Workspace ONE UEM manages.

If Workspace ONE UEM does not manage the device, Workspace ONE prompts the user on the device to enroll with Workspace ONE UEM. If the device is enrolled, the user can use the device to access the application through Workspace ONE.

  • To remove sensitive corporate data from devices when users leave the organization or lose their device.
  • Require app tunneling to authenticate and securely communicate with internal back-end resources when applications access the intranet.
  • Enable single sign-on for applications.
  • Track user adoption and installation status for applications.
  • Deploy the application automatically upon enrollment.

For information on where to configure managed access options for internal applications or how to add public application for deployment through Workspace ONE, see the Workspace ONE UEM Mobile Application Management Guide.