iOS - Corporate Device Walkthrough (Direct Enrollment)

This TestDrive walkthrough will guide you through registering your iOS device to Workspace ONE and AirWatch similar to how an employee would with a corporate issued device. Once your device is setup, we'll call out the features delivered by Workspace ONE and AirWatch.

Walkthrough Summary

Walkthrough Preparation

Before you begin this walkthrough ensure you have the following: 

  • A valid account in the VMware TestDrive environment, sign up here if you do not yet have an account
  • Activated the AirWatch service from the My Services tab in the VMware Testdrive Demo Portal
  • Activated Blue Jeans, Salesforce, and Office 365 from the My Services tab in the VMware TestDrive Demo Portal (Blue Jeans is not yet available to partners) 

Section 1: Register your iOS Device

Ensure you're starting with an unenrolled iOS device. First, Navigate to the app store and download the VMware Workspace ONE app.

Once the app installs, launch the app and enter your TestDrive email address.

What's my TestDrive email address?

If you're unsure what your TestDrive email address is, you can verify this in the TestDrive portal by following the steps below:

  1. Login to portal.vmtestdrive.com with your username and password
  2. Click on My Services
  3. Click the "i" next to AirWatch
  4. Here you will find your TestDrive email address

Enter your TestDrive email address and click Next.

Next, enter your TestDrive username and password and click "Sign In".

Next, the Workspace ONE app will load your environments settings.

Next, we'll select the demo we would like to perform. In this guide we're enrolling as a corporate device so select "Enterprise - EMM Demo" from the dropdown.

Click "Proceed".

At this point your device has been identified as a corporate issued device. In this demo scenario, the admin has selected to require corporate owned devices to be registered and fully managed in order to access corporate resources. Alternatively, in our BYOD guide you'll see the admin has allowed access to some resources without being fully managed. This corporate issued enrollment is termed direct enrollment. Click next to proceed. 

Next, you'll be directed to install the Workspace Services profile. Click Allow in the browser to proceed.

Install the Workspace Services profile to your device. With this profile, additional restrictions and profiles including certificates are being installed on your device.

Click Open to return to the Workspace ONE app.

Now you're ready to open Workspace ONE. Click "Enter".

At this point Workspace ONE will suggest native apps to install onto your device. Select the native apps you would like to install and select "Install". If you choose not to install an app now, you can always return to Workspace ONE and install it on demand later.

Click Proceed to install the recommended apps.

Now you'll see prompts for the apps to install. Click install to install the apps. Note: if you're using Apple's Device Enrollment Program to supervise your devices, users will not get this prompt. 

Section 2: Corporate Device Features

Now that you're device is registered and has the Workspace Services profile installed, we're ready to walk through the features that have been pushed down to the device. First, launch Workspace ONE.

Within Workspace ONE you'll find a Bookmarks and Catalog tab. Workspace ONE aggregates all the apps your employees need whether its a virtual app, web app or native app. On top of this, Workspace ONE's identity solution is providing single sign on and access policy controls to these apps regardless of what device type, enrollment status or endpoint the user is attempting to access the app from. In this walkthrough we're using an enrolled iOS device, which the admin has allowed access to all the apps for using access policies, so throughout this walkthrough you'll be seeing the single sign on experience. Alternatively, if you were trying to sign into these apps from an unmanaged device you could see a different experience depending on what the admin has configured.

In our Bookmarks tab you'll see the web and virtual apps the user has bookmarked for frequent use. If you don't yet have any bookmarks, you can navigate to the catalog page to add some or search and bookmark an item from the search results. If we launch into any of these apps you'll see the single sign on experience.

Next, in the catalog tab you'll find the full list of apps available to the user. The user can add an app to their bookmarks, open the app, or install any native apps they have not yet installed. You'll notice all app types are aggregated into this single catalog. Since Boxer (Email) has not automatically been installed on our device, let click to download VMware Boxer from the list. We can download Boxer by finding it in the list or just search for it.

Search for Boxer. Click to install the app.

Now, you've downloaded a native app from Workspace ONE.

We'd also like to point out that if you use the native spotlight search on iOS, web and virtual apps that are within Workspace ONE will also be displayed in the results. This way, end users can easily find the apps they need without needing to open a separate catalog.

Here when I search for Socialcast, I see both the native app thats installed on my device and the web app thats available in Workspace ONE. If you're searching for an app thats only available as a virtual or web app (like a Windows 10 virtual app for example) it will appear in these same search results. 

Next, lets take a look at the Privacy app. Click to launch the privacy app.

The Privacy app reports the information which is being collected from the device by AirWatch and reported back to the Administrative Console. In this scenario the device is enrolled as a corporate device so the information being collected is typical of a corporate issued device. If a change is made to the privacy settings on the AirWatch console the changes will be immediately reflected in the privacy app, so the user always knows what can or cannot be collected from their device.

You will see for this corporate device text messages, photos, and personal email are NOT collected while other details such as GPS location, Telecom and more are collected.

Also, you'll notice that our corporate device has a few restrictions that have applied:

  • Camera app has been removed from the device
  • iMessage has been removed from the device (restriction only applies to supervised devices. See guide here to supervise your device to achieve this functionality)
  • User is unable to delete apps (restriction only applies to supervised devices. See guide here to supervise your device to achieve this functionality)
  • Unable to move documents from managed applications to unmanaged applications 
  • Unable to move documents from unmanaged applications to managed applications
  • Game Center and iTunes have been removed (Game Center is removed for supervised devices. See guide here to supervise your device to achieve this functionality)
  • Passcode is required; if device did not previously have passcode user will be prompted to create one

Next, lets walkthrough VMware Boxer. When we installed the Workspace Services profile, a certificate was installed on our device which allows us to single sign on into our email using Boxer. In the TestDrive environments we use Office 365 as our email provider. Make sure you have turned on Office 365 from your TestDrive Portal services before attempting to access it.

Launch Boxer.

Boxer is automatically configured with your email address and the user just clicks Get started to login (no need to enter your password thanks to certificate authentication!)

Now the user is signed into their Office 365 email. We've populated sample emails in your inbox for demo purposes.

Next, lets navigate back to the device home screen and launch some of the iOS applications which have been configured using App Config (ACE). App config is a community of app providers who have worked to allow EMM providers who are part of the community to push down configurations for these apps. As a result, using Workspace ONE and app config, the user no longer has to remember multiple passwords or environment parameters (such as URLs) - the experience is seamless. In TestDrive, we have configured Blue Jeans, Salesforce, and Dropbox using app config.

For more information on ACE please see the AppConfig Community page:  http://www.appconfig.org/

Lets take a look at this experience using Salesforce. Launch Salesforce.

You'll see the user is prompted to accept the EULA since this is their first time using the app.

After accepting the EULA Workspace ONE automatically signs the user in and App Config pushed down through AirWatch feeds in my Salesforce environment info so I'm directed to the correct instance.

All the user had to do was accept the terms and now I'm signed in as my identity in Salesforce using Workspace ONE and App Config.

Next, lets move onto the AirWatch Content Locker. If you don't yet have content locker installed on your device you can install it from the Workspace ONE catalog. Launch into Content Locker.

Next you will see an overlay highlighting the available icons. Click anywhere on the device to close the overlay.

The Repositories tab will contain all the user's content along with all shared corporate content. In the Corporate Content section you will see three network repositories for each region.  Content saved to these repositories are accessible from your Horizon VDI Desktop and Remote Applications that you launch in each region. We must do a first time log in to one of the repositories but then this information will be saved and will not have to be entered again.  

Click on “AMER-SCL” to connect to the repository. 

An authentication request login page will load, enter your testdrive credentials in the format of username and then password and click “Login” 

Upon successful login, the repository will populate and you will see all the available folders and files saved to this particular region. Click on the word "Repositories" at the top of the page or the "Filing Cabinet" icon on the left side bar to return to the main listing.

Click on “APAC-SCL” and ensure that the files and folders for this region populates. Repeat this step for the “EMEA-SCL” file share and ensure you are able to log in. 

Now you have completed setting up Content Locker and you may use it on your iOS device or access the same files from your Horizon Desktops and Applications. 

You can also select "AirWatch Content > World Wide Enterprises" to view the content shared from the AirWatch Admin Console and demonstrate the document configurations. First, select "Unrestricted Access - Sales Training Manual".

The document will open and the user is able to swipe left and right to navigate between pages, zoom in and out by pinching, and rotate the device, and search the document for key words or phrases. Additionally, the user is able to select the export button in the top right to perform actions permitted by the administrator such as open into, view info, or print. 

Now, lets switch back to to another document to demonstrate the different permissions granted to each document. 

Select "Back" in the top left to return to the World Wide Enterprises content and select "Restricted Access - Financial Forecasting Training". The document will open displaying the watermark with the user's name. The user is able to zoom into the document and the watermark adjusts with the zoom size. Also, when selecting the export button in the top right you will see the user is no longer able to print or open into as they were with the unrestricted document. 

Next we will launch the Air Watch Browser. Click on "Browser" to launch it. If you don't yet have AirWatch Browser, you can download it from Workspace ONE.

Now you will see your homepage for your internal resources as defined in the AirWatch Browser. Here you can see the different restrictions you may have when using the AirWatch Browser. You can setup access into an intranet website, you can set links to public webpages, and you can restrict access to certain websites by blacklisting them.  

Now you have successfully walked through the corporate device demo features. 

Section 3: Enterprise Wipe

The last step we will perform is to remove the corporate info from our device similar to how an organization could remove this info if the device was lost or stollen.

First, open a web browser and navigate to airwatch.vmtestdrive.com. Login with your TestDrive username and password.

Note: Make sure you are using the VMWDemo domain! Your username should be in the format "VMWdemo\Username"

Next, ensure you're using the "Device Administrator at World Wide Enterprises" role by checking your account settings in the top right.

Next, navigate to "Devices > List View" in the left column. You can search for your username in the right side of the screen to find your device in the list. Click the name of your device to open the device details.

Now Click "More Actions > Delete Device" to both delete your device record from the console and issue an enterprise wipe.

If we switch back to our device, you'll now see the corporate apps and profiles have been removed from the device. Any apps that remain on the device that the user may have logged into outside of management will be reset so the user can no longer access their corporate info (Example, Boxer).

Walkthrough Summary

  • Section 1: Register your iOS Device
    • Download Workspace ONE
    • Install Workspace Services on your device (Direct Enrollment)
  • Section 2: Corporate Device Features
    • Workspace ONE
    • Privacy App
    • Device policies and restrictions
    • VMware Boxer (Enterprise Email)
    • App Config apps (BlueJeans, Salesforce and Socialcast)
    • AirWatch Content Locker
    • AirWatch Browser
  • Section 3: Enterprise Wipe
    • Login to the AirWatch Console
    • Delete your device record
  • Check out the TestDrive Support KB for further walkthroughs, FAQs and information regarding the VMware TestDrive environments. 

    For support or to report issues with any of the TestDrive environments please send us an email.