managing corporate owned personally-enabled android ......this exercise walks-through deploying an...

GUIDE – APRIL 2019

PRINTED 19 AUGUST 2019

MANAGING CORPORATEOWNED PERSONALLY-ENABLED ANDROIDDEVICES: VMWAREWORKSPACE ONEOPERATIONAL TUTORIALVMware Workspace ONE

MANAGING CORPORATE OWNED PERSONALLY-ENABLED ANDROID DEVICES: VMWARE WORKSPACE ONEOPERATIONAL TUTORIAL

GUIDE | 2

Table of Contents

Overview

– Introduction

– Audience

Getting Started with COPE Android Management

– Introduction

– Prerequisites

– Understanding Android Device Modes

– Logging In to the Workspace ONE UEM Console

– Registering for Android EMM

– Enabling Corporate Owned Personally-Enabled Mode

Enrolling Android COPE Devices

– Introduction

– Prerequisites

– Configuring the Enrollment QR Code

– Enrolling Using the QR Code (Video)

Configuring Android COPE Profiles

– Introduction

– Prerequisites

– Understanding Configuration Options for Android Profiles

– Configuring Restriction Profiles


GUIDE | 3

– Testing Android Restriction Settings

Deploying Applications to Android COPE Devices

– Introduction

– Prerequisites

– Deploying VMware Workspace ONE Web to an Android Device

– Verifying Workspace ONE Web on an Android Device

Summary and Additional Resources

– Conclusion

– Terminology Used in This Tutorial

– Additional Resources

– About the Authors

– Feedback


GUIDE | 4

Managing Android Corporate-Owned Personally-Enabled Devices: VMware Workspace ONEOperational Tutorial

OverviewIntroductionVMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you deploycorporate owned personally-enabled (COPE) Android devices. First, you register Android EMM (enterprise mobility management) andconfigure COPE devices. Then, you configure the enrollment QR code and enroll using the QR code. Finally, you configure camerarestrictions.

AudienceThis operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Bothcurrent and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment isassumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such asVMware Workspace ONE® Access™ (formerly VMware Identity Manager) and VMware Workspace ONE® UEM (unified endpointmanagement), powered by AirWatch, is also helpful.

Getting Started with COPE Android ManagementIntroductionThis exercise walks-through deploying an Android device in Corporate Owned Personally-Enabled (COPE) mode. Android COPEdevices give Workspace ONE UEM control of the entire device, but also dedicate a separate space for personal use.

PrerequisitesBefore you can perform this exercise, you must meet the following requirements.

Workspace ONE UEM version 1810 or later

This exercise requires specific account information. Gather the required account information, and record it in the following table. Theaccount information provided in the table is based on a test environment. Your account details will differ.

Workspace ONE UEM Account Information

Server URL https://<WorkspaceONEUEMHostname>

User name administrator

Password VMware1!

Google Admin Account Information

Email [email protected]

http://www.vmware.com/products/workspace-one.html

https://www.vmware.com/products/workspace-one/access.html

https://www.vmware.com/products/airwatch-enterprise-mobility-management.html


GUIDE | 5

Understanding Android Device ModesTo address a variety of device-ownership use cases, Workspace ONE UEM supports multiple management modes for Android. Theeasiest way to determine which device mode is the most appropriate for your organization is to evaluate your device-ownership usecase.

The following table pairs each device-ownership use case with its coordinating device mode. Review this table, and double-check thatthe tutorial you are reading will best address your use case.

Use Case Device Mode

BYOD Work Profile

Corporate-Owned Work Managed

Hybrid COPE

Each device mode offers a unique device-side user experience. After you have determined which device mode best addresses youruse case, it is important to understand the user experience that mode offers. To help you understand their key similarities anddifferences, the following table outlines some of the primary device-side capabilities of each mode.

Work Profile Work Managed COPE

Entire DeviceManagement

No Yes Yes

Badged Enterprise Apps Yes No Yes

Dedicated Personal Apps Yes No Yes

Logging In to the Workspace ONE UEM ConsoleTo perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

2. Navigate to the VMware Workspace ONE UEM ConsoleFor example, navigate to https://<WorkspaceONEUEMHostname> where WorkspaceONEUEMHostname is the host name of theWorkspace ONE UEM console.


GUIDE | 6

3. Authenticate In to the Workspace ONE UEM Console

Enter your Username, for example, administrator.1.Click Next. After you click Next, the Password text box is displayed.2.


GUIDE | 7

Enter your Password, for example, VMware1!1.Click Login.2.

Note: If you see a Captcha, be aware that it is case sensitive.

Registering for Android EMMAfter logging into the Workspace ONE UEM console, you register your enterprise with Google. This creates an admin account thatconnects Google with Workspace ONE UEM.

1. Navigate to Android EMM Registration Settings


GUIDE | 8

In the Workspace ONE UEM console, at the appropriate Organization Group level:

Click Groups & Settings.1.Click All Settings.2.

2. Begin Google Registration

Select Devices & Users.1.Expand Android.2.Select Android EMM Registration.3.Click Register with Google.4.

3. Provide a Google Admin Account


GUIDE | 9

Confirm you are logged into your Google Admin Account that you want to associate with your Android for Work configuration.1.For example, enter [email protected]. Note: After you register a Google Admin Account to Android forWork, you cannot disassociate your Google Admin Account from that Organization. Ensure the Google Admin Account shownis the account you want to associate with your Organization.Click Get Started.2.

4. Provide Organization Details


GUIDE | 10

Enter your Organization Name.1.Select the Google Play Agreement.2.Click Confirm.3.

5. Complete Registration

Click Complete Registration to return to the Workspace ONE UEM Android Enterprise configuration.

6. Confirm Integration in the Workspace ONE UEM Console


GUIDE | 11

Return to the Android EMM Registration page in the Workspace ONE UEM Console:

On the Configuration tab, scroll down to the Google Admin Console Settings section. Note that the account information you1.provided to Google displays here.Confirm the Android Enterprise Registration Status is shown as Successful.2.Note how the Client ID and Google Service Account Email Address have been automatically created and configured. 3.

Enabling Corporate Owned Personally-Enabled ModeAfter registering Android for enterprise mobility management with Workspace ONE UEM, you are ready to enable Corporate OwnedPersonally-Enabled devices.

1. Navigate to Android EMM Registration Settings


GUIDE | 12

In the Workspace ONE UEM console, at the appropriate Organization Group level:

Click Groups & Settings.1.Click All Settings.2.Navigate to Devices & Users > Android > Android EMM Registration.3.

2. Configure Enrollment Settings

On the Android EMM Registration page, click Enrollment Settings.1.Next to Fully-Managed Device Enrollments, select Corporate Owned Personally Enabled.2.Click Save.3.


GUIDE | 13

Enrolling Android COPE DevicesIntroductionDevice enrollment establishes communication with the Workspace ONE UEM console and allows devices to access internalresources. In this exercise, generate a QR code in the Workspace ONE UEM console, and use it to enroll your Android COPE device.

Although this exercise walks through QR code enrollment, there are several additional enrollment options for Android COPE devices:

AirWatch RelayUnique IdentifierZero Touch

PrerequisitesBefore you can perform the activities in this exercise, you must meet the following requirements:

Successfully complete directory integrationRetrieve the Group ID from Workspace ONE UEM ConsoleAndroid device 8.0 or laterFactory reset device in out of the box mode

Warning: Do not factory reset your personal device to complete these exercises.

This exercise requires a user to enroll their device into Workspace ONE UEM. A staging account is also required to setup enrollment.Gather the required account information, and record it in the following table. The account information used in this exercise is based ona test environment. Your account details will differ.

Staging User Account Information

User name staging

Password VMware1!

User Account Information

User name admin

Password VMware1!

Configuring the Enrollment QR CodeBefore you can enroll your device, you must generate the enrollment QR Code in the Workspace ONE UEM console.

1. Navigate to Enrollment Settings

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1811/VMware-Workspace-ONE-UEM-Android-Documentation/GUID-AWT-COPE-ENROLLMENT-OVERVIEW.html

https://techzone.vmware.com/quick-start-tutorial-series-cloud-based-vmware-workspace-one/installation-setup#1050741


GUIDE | 14

In the Workspace ONE UEM console, in the appropriate Organization Group:

Click Devices.1.Click Staging & Provisioning.2.Click Staging.3.Click Configure Enrollment.4.

2. Open the Enrollment Configuration Wizard


GUIDE | 15

On the Enrollment Configuration Wizard page that appears:

Under Platform, click Android.1.Under Enrollment, select QR Code.2.Click Configure.3.

3. Configure Wi-Fi Settings


GUIDE | 16

In the enrollment wizard, configure Wi-Fi settings for enrollment:

Set Connect device to Wi-Fi prior to enrollment to Enabled.1.Enter your Wi-Fi network name or SSID. For example, VMware Guest.2.Enter your Wi-Fi Password.3.Click Next.4.

4. Configure Hub Settings

From the Workspace ONE Intelligent Hub drop-down menu, select Use latest Workspace One intelligent Hub.1.Click Next.2.

5. Configure Enrollment Details


GUIDE | 17

Set Configure Organization Group to Enabled.1.Select your Organization Group.2.Set Login Credentials to Enabled.3.Enter a User Name. For example, staging.4.Enter your Password.5.Click Next.6.

6. Download the QR Code

On the Summary tab:

Click Download File and save your QR code to a secure, accessible location.1.Click Close.2.

Enrolling Using the QR Code (Video)The QR code you generated in the Workspace ONE UEM console contains a payload of key-value pairs with all the information thedevice needs to enroll. In this section, follow-along with the steps in the video to enroll your Android COPE device using the QR codeyou generated.


GUIDE | 18

Configuring Android COPE ProfilesIntroductionIn this exercise, set up and configure a restrictions profile in Workspace ONE UEM to explore how enterprise profile settings apply onan Android COPE device.

PrerequisitesBefore you can complete this exercise, you must successfully enroll an Android device in COPE mode.

Understanding Configuration Options for Android ProfilesProfiles are the mechanism by which Workspace ONE UEM manages settings on a device. All profiles are broken down into two basicsections; the General section and the Payload section.

The General section defines the profile's name and assignment settings.The Payload sections define actions to be taken on the device.

Every profile must have all required fields in the General section properly filled out and at least one payload configured.

To address multiple device ownership use cases, you can enable Android profile payload settings in Workspace ONE UEM at theWork Profile level and at the Work Managed device level.

Work Profile-level configurations only apply restrictions and settings to the device's badged enterprise apps, and do not affectthe users personal apps or settings.Work Managed device-level configurations apply restrictions and settings to the entire device.Corporate Owned Personally-Enabled devices use Work Profile-level and Work Managed device-level configurations

Configuring Restriction ProfilesIn this exercise, control camera settings by configuring a restrictions profile in the Workspace ONE UEM console.

1. Create a New Profile

In the Workspace ONE UEM Console:

Click Add.1.Click Profile.2.


GUIDE | 19

2. Select the Android Platform

Select Android.

3. Configure the General Settings


GUIDE | 20

Select General.1.Enter a name for the Android Profile. For example, Android Restriction.2.Click Assigned Groups to display the list of available assignments.3.Select All Devices.4.

4. Open the Restrictions Payload


GUIDE | 21

Select the Restrictions payload.1.Click Configure.2.

5. Configure Screen Capture Restrictions

Under Device Functionality:

In the Work Managed Device column, select the Allow Screen Capture check box.1.In the Work Profile column, deselect the Allow Screen Capture check box.2.

6. Configure Camera Restrictions


GUIDE | 22

Scroll down to the Application section.1.In the Work Managed Device column, select the Allow Camera check box.2.In the Work Profile column, deselect the Allow Camera check box.3.Click Save & Publish.4.

7. Publish the Profile

Click Publish.

Testing Android Restriction SettingsFor Android, the various device modes change the way profile settings apply to devices. After configuring a restriction profile, test theprofile settings to see how they applied on the Android device.

1. Verify Camera Restrictions

After the restrictions profile pushes to the device:

Notice that a badged enterprise version of the camera application is not available.1.Notice that the unbadged personal camera remains available.2.


GUIDE | 23

2. Test Screenshot Restrictions in Personal Contacts

Open your non-badged Contacts app, and try to take a screenshot within the app. Notice that the screen shot was successful.

3. Test Screenshot Restriction in Enterprise Contacts

Open the badged Contacts app, and try to take a screenshot within the app. Notice that the screenshot was unsuccessful. In certaindevice models and OS versions, a message may also appear.

Deploying Applications to Android COPE DevicesIntroductionIn this exercise, you deploy VMware Workspace ONE Web, a public application, to your Android device. Public applications pushedfrom the Workspace ONE UEM console have the same functionality as their Google Play Store counterparts. However, pushing appsfrom the Workspace ONE UEM console allows you to enable additional functionality and security features for these applications.

PrerequisitesBefore you can complete this exercise, you must successfully enroll an Android device in COPE mode.


GUIDE | 24

Deploying VMware Workspace ONE Web to an Android DeviceThe following steps walk through deploying VMware Workspace ONE Web, a public application, to an Android device.

1. Add Public Application

In the Workspace ONE UEM Console:

Select Add.1.Select Public Application.2.

2. Search for Workspace ONE Web

Select Android from the Platform drop-down menu.1.Select Search App Store for the Source.2.Enter Web in the Name text box.3.


GUIDE | 25

Click Next.4.

3. Select the Web - Workspace ONE App

Click the Web app.

4. Approve Web - Workspace ONE

If prompted, click Approve.

5. Confirm Approval for Web - Workspace ONE


GUIDE | 26

Click Approve again in the Application pop-up window.

Note: Scroll down if you do not see the pop-up window.

6. Save Approval Settings


GUIDE | 27

You may need to scroll down to view the Approval Settings button.

Select Keep approved when app requests new permission.1.Click Save.2.

7. Publish the App

Click Save & Assign.

8. Add Assignment


GUIDE | 28

Click Add Assignment.

9. Configure Assignment

Click in the Selected Assignment Groups search box. From the list of Assignment Groups that appear, select the appropriate1.group. For example, select All Devices ([email protected]).Select Auto for the App Delivery Method.2.Click Add.3.

10. Save and Publish Web - Workspace ONE App


GUIDE | 29

Click Save & Publish.

11. Preview Assigned Devices and Publish


GUIDE | 30

Click Publish.

Verifying Workspace ONE Web on an Android DeviceAfter using the Workspace ONE UEM console to push Workspace ONE Web to your Android device, verify the Work app installedcorrectly on your device.

Note: Screenshots may differ depending on device model and OS.

1. Confirm the Published Workspace ONE Web ApplicationDownloaded


GUIDE | 31

Return to your testing Android device and confirm that the Workspace ONE Web application has downloaded and displays as a Workapp.

Using this process, you can rapidly approve new applications and deploy them to your users.

2. Open the Badged Android for Work Play Store App


GUIDE | 32

Open your Work Play Store application on your Android device.

3. Accept Google Play Terms of Service (IF NEEDED)

If you are prompted with the Google Play Terms of Service, tap Accept. Otherwise, continue to the next step.

4. Open Play Store Menu


GUIDE | 33

Tap the Menu button in the upper-left corner.

5. View Play Store Work Apps

Tap My Work Apps from the menu.

6. Verify Workspace ONE Web Is Available As A Work App


GUIDE | 34

Tap Installed.1.Confirm that the Workspace ONE Web application is in your list of Work applications. You may need to scroll down to find the2.application.

The Workspace ONE Web app is listed as a Work app because it was approved as a Work app through the Workspace ONE UEMConsole while adding and assigning the application to your users. This streamlines and rapidly improves the process of approving anddeploying Work apps to your Android devices.


GUIDE | 35

Summary and Additional ResourcesConclusionThis operational tutorial provided steps to deploy corporate owned personally-enabled Android devices.

Procedures included:

Registering Android EMMConfiguring Corporate Owned Personally-Enabled DevicesConfiguring the Enrollment QR CodeEnrolling Using the QR CodeConfiguring Camera Restrictions

Terminology Used in This TutorialThe following terms are used in this tutorial:

application storeA user interface (UI) framework that provides access to a self-service catalog, publicexamples of which include the Apple App Store, the Google Play Store, and the MicrosoftStore.

auto-enrollmentAuto-enrollment simplifies the enrollment process by automatically enrolling registereddevices following the Out-of-Box-Experience.

catalogA user interface (UI) that displays a personalized set of virtual desktops and applications tousers and administrators. These resources are available to be launched upon selection.

cloudAsset of securely accessed, network-based services and applications. A cloud can also hostdata storage. Clouds can be private or public, as well as hybrid, which is both private andpublic.

device enrollmentThe process of installing the mobile device management agent on an authorized device.This allows access to VMware products with application stores, such as Workspace ONEAccess (formerly VMware Identity Manager).

identity provider (IdP)A mechanism used in a single-sign-on (SSO) framework to automatically give a user accessto a resource based on their authentication to a different resource.

mobile devicemanagement(MDM) agent

Software installed on an authorized device to monitor, manage, and secure end-user accessto enterprise resources.

one-touch loginA mechanism that provides single sign-on (SSO) from an authorized device to enterpriseresources.

service provider (SP) A host that offers resources, tools, and applications to users and devices.

virtual desktop The user interface of a virtual machine that is made available to an end user.

virtual machineA software-based computer, running an operating system or application environment, that islocated in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

https://www.vmware.com/support/pubs/


GUIDE | 36

Additional ResourcesFor more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curatedassets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides aframework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the AuthorsThis exercise was written by:

Karim Chelouati, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMwareHannah Jernigan, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

FeedbackThe purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at [email protected].

https://techzone.vmware.com/becoming-workspace-one-hero

https://techzone.vmware.com/resource/workspace-one-and-horizon-reference-architecture

https://techzone.vmware.com/users/karim-chelouati

https://techzone.vmware.com/users/hannah-jernigan

mailto:[email protected]

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001

www.vmware.com

Copyright © 2019 VMware, Inc. All rights reserved. This product is protected by U.S. and international

copyright and intellectual property laws. VMware products are covered by one or more patents listed at

http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in

the United States and/or other jurisdictions. All other marks and names mentioned herein may be

trademarks of their respective companies.

managing corporate owned personally-enabled android ......this exercise walks-through deploying an...

Documents