VMware AirWatch Mobile Device Management Guide V9 1
User Manual: Pdf
Open the PDF directly: View PDF .
Page Count: 217 [warning: Documents this large are best viewed by clicking the View PDF Link!]
- Chapter 1: Overview
- Chapter 2: Getting Started with AirWatch
- Chapter 3: Environment Setup
- Chapter 4: User and Admin Accounts
- Chapter 5: Role-Based Access
- Chapter 6: Groups
- Chapter 7: Device Enrollment
- Device Enrollment Overview
- Basic vs. Directory Services Enrollment
- Bring Your Own Device (BYOD) Enrollment
- Self-Enrollment vs Device Staging
- Device Registration
- Configure Enrollment Options
- Blacklisting and Whitelisting Device Registration
- Additional Enrollment Restrictions
- AirWatch Autodiscovery Enrollment
- Chapter 8: Shared Devices
- Chapter 9: Device Assignments
- Chapter 10: Profiles & Resources
- Chapter 11: Compliance Policies
- Chapter 12: Device Tags
- Chapter 13: Managing Devices
- Chapter 14: Certificate Management
- Chapter 15: Custom Attributes
- Chapter 16: Self-Service Portal
- Accessing Other Documents
VMware AirWatch Mobile Device
Management Guide
Managing your organization's mobile devices
AirWatch v9.1
Have documentation feedback?Submit a Documentation Feedback support ticket using the Support Wizard on
support.air-watch.com.
Copyright © 2017 VMware, Inc. All rights reserved. This product is protected by copyright and intellectual property laws in the United States and other countries as well as by
international treaties. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their
respective companies.
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
1
Table of Contents
Chapter 1: Overview 6
What's New 7
Introduction to Mobile Device Management (MDM) 8
Chapter 2: Getting Started with AirWatch 10
AirWatch Console Overview 11
Getting Started Wizard 17
Chapter 3: Environment Setup 19
Environment Setup Overview 20
Log In to the AirWatch Console 20
APNs Certificates 20
Privacy and Data Collection 21
Terms of Use 26
Console Branding 29
Restricted Console Actions 29
Other Enterprise Systems for Integration 32
Chapter 4: User and Admin Accounts 33
User and Admin Accounts Overview 34
User Authentication Types 34
Basic User Accounts 40
Directory-Based User Accounts 42
User Accounts List View Overview 46
Batch Import Feature 47
Admin Accounts 50
Chapter 5: Role-Based Access 53
Role-Based Access Overview 54
Default and Custom Roles 54
User Roles 56
Admin Roles 57
2
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Chapter 6: Groups 64
Assignment Groups Overview 65
Organization Groups Overview 67
Smart Groups Overview 71
User Groups Overview 76
Admin Groups Overview 83
View Assignments 86
Chapter 7: Device Enrollment 88
Device Enrollment Overview 89
Basic vs. Directory Services Enrollment 93
Bring Your Own Device (BYOD) Enrollment 96
Self-Enrollment vs Device Staging 99
Device Registration 103
Configure Enrollment Options 111
Blacklisting and Whitelisting Device Registration 115
Additional Enrollment Restrictions 116
AirWatch Autodiscovery Enrollment 120
Chapter 8: Shared Devices 122
Shared Devices Overview 123
Define the Shared Device Hierarchy 124
Chapter 9: Device Assignments 125
Device Assignments Overview 126
Enable Device Assignments 126
Define Device Assignment Rule or NetworkRange 127
Chapter 10: Profiles &Resources 129
Device Profiles Overview 130
Add General Profile Settings 130
Device Profiles List View 132
Device Profile Editing 136
Resources Overview 137
3
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
View Device Assignment 155
Compliance Profiles Overview 156
Geofences 157
Time Schedules 159
Chapter 11: Compliance Policies 161
Compliance Policies Overview 162
Compliance Policies List View 162
Compliance Policy Rules by Platform 165
Add a Compliance Policy 168
Chapter 12: Device Tags 172
Device Tags Overview 173
Filter Devices by Tag 173
Create a New Tag 173
Add Tags 174
Manage Tags 175
Chapter 13: Managing Devices 176
Managing Devices Overview 177
Device Dashboard 177
Device List View 178
Device Details 184
Device Actions by Platform 187
Enrollment Status 192
Wipe Protection 195
AirWatch Hub 197
Reports &Analytics 200
Chapter 14: Certificate Management 201
Certificate Management Overview 202
Digital Certificates List View 202
Certificate Integration Resources 203
Chapter 15: Custom Attributes 205
4
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Custom Attributes Overview 206
Create Custom Attributes 206
Custom Attributes Importing 207
Assign Organization Groups Using Custom Attributes 208
Chapter 16: Self-Service Portal 210
Self-Service Portal Overview 211
Configure the Default Login Page for the SSP 211
My Devices Page of the SSP 211
Remote Actions in the SSP 213
Self-Service Portal Actions Matrix 215
VMware Content Locker Options 216
Accessing Other Documents 217
5
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
What's New
The Mobile Device ManagementGuide has been updated with the latest features and functionality from the most recent
releaseAirWatch v9.1. This list includes new features and the sections and pages on which they appear.
lYou can now disable the captcha authentication safeguard mechanism at the login prompt. Be aware that disabling
captcha may weaken the overall security. For more information, see Security PIN on page 11.
lThe Self-Service Portal login page has been redesigned and the ability to customize the background image of the SSP
login page is now possible. For more information, see Self-Service Portal Overview on page 211.
lFour admin console notifications have been added, which help you stay in touch with and react swiftly to changes in
your device fleet. For more information, see AirWatch Console Notifications on page 15 and Configure Notifications
Settings on page 16.
oApp Removal Protection – If apps you've identified as critical keep getting removed from your devices, you can
be notified when the number of these removals exceeds the threshold that you define.
oList View Export – Depending on the number of users and devices in your list, the exportation of the Device List
View and User List View to a comma-separated values file can take time to produce. This notification tells you
when it's complete and ready for examination.
oUser Group Merge Pending – If you have the Auto Merge Changes setting disabled on your User Group, then
you must supply admin approval each time database changes are initiated. This notification lets you know when
AirWatch is ready to begin the merge process.
oVPP App Auto Update – High priority alerts that notify you when an app installed with Apple Volume Purchase
Program has an updated version you can install.
lLicense information has been made more accurate by basing its status on the active/inactive flag instead of
expiration date. The license model is also now accurately reflected which can be user-based or device based. For
more information, see Admin Panel Dashboard on page 199.
Chapter 1: Overview
7
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Introduction to Mobile Device Management (MDM)
Mobile devices are valuable enterprise tools. They allow employees to have immediate access to your internal content
and resources. However, the diversity of mobile platforms, operating systems and versions can make managing a set of
devices difficult. VMware AirWatch® Mobile Device Management™ (MDM) solves this problem by enabling you to
configure, secure, monitor, and manage all types of mobile devices in the enterprise.
Benefits of Mobile Device Management
Mobile device management provides an elegant solution to security concerns and accessibility inherent to enterprise
mobility.
lManage large-scale deployments of mobile devices from a single console.
lEnroll devices in your enterprise environment quickly and easily.
lConfigure and update device settings over the air.
lEnforce security and compliance policies.
lSecure mobile access to corporate resources.
lRemotely lock and wipe managed devices.
You can tailor your MDM environment to gain immediate access to device locations, current users, and content. You can
also automate your MDM deployment to enforce security and compliance settings with rules and warnings that are
unique to each user or organization group. Finally, you can restrict or enable content and features based on the
geographic location of a device.
This guide outlines how to create, configure, and maintain your MDM deployment.
Supported Browsers
The AirWatch Console supports the latest stable builds of the following browsers:
lChrome
lFirefox
lSafari
lInternet Explorer 11
lMicrosoft Edge
Note: If you use IE to access the Console, navigate to Control Panel > Settings > Internet Options > Security and
ensure you have a security level or custom security level that includes the Font Download option being set to
Enabled.
If you are using a browser older than those listed above, upgrade your browser to the latest available version to get the
best performance from the AirWatch console. Comprehensive platform testing has been performed to ensure
functionality using these browsers. The AirWatch Console may experience minor issues if you choose to run it in a non-
certified browser.
Chapter 1: Overview
8
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Supported Platforms
AirWatch supports the following devices and operating systems.
lAndroid 4.0+ lTizen 2.3+
lApple iOS 7.0+ lWindows Desktop (8/8.1/RT/10)
lApple macOS 10.9+ lWindows 7 (Windows 7 or higher)
lChrome OS (latest) lWindows Phone (Windows Phone 8/ 8.1, Windows 10 Mobile)
lQNX 6.5+ lWindows Rugged (Mobile 5/6 and Windows CE 4/5/6)
Limited support may be available for other devices or operating systems. Refer to each platform-specific User Guide,
available on Accessing Other Documents on page 217, or contact AirWatch Support for more information.
Chapter 1: Overview
9
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
AirWatch Console Overview
The AirWatch Console allows you to view and manage every aspect of your Mobile Device Management (MDM)
deployment. With this single, web-based resource, you can quickly and easily add new devices and users to your fleet,
manage profiles, and configure system settings.
Acquaint yourself with security settings and interface features such as the Getting Started Wizard, menu icons, and global
search.
Security PIN
Establish security for the AirWatch Console by creating a security PIN. The PIN acts as a safeguard against accidentally
wiping a device or deleting important aspects of your environment, such as users and organization groups. The Security
PIN also works as a second layer of security. It presents an added point of authentication by blocking actions made by
unapproved users.
Establish Your Security PIN
When you first log in to the AirWatch Console, you are prompted to establish a Security PIN.
Enter and confirm your four-digit Security PIN on the Security Settings page and save this PIN for future use. You may not
bypass this page, or proceed to any area within the AirWatch Console, before creating this PIN.
If you enter the wrong password more than the maximum allowed login attempts, you are presented with a "Captcha"
authentication prompt, which you can customize. You can also disable the Captcha login prompt.
Reset Your Security PIN
Reset your security PIN every so often to minimize security risks.
1. Select the Account icon in the top-right corner of the AirWatch Console.
2. Select Manage Account Settings. The Account Settings page displays.
3. Select the Security tab and then reset your PIN by selecting the Reset button.
4. Log out of the console and complete the PIN creation prompt upon logging back in.
Chapter 2: Getting Started with AirWatch
11
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Header Menu
The Header Menu appears at the top of nearly every page of the AirWatch Console, enabling you to access to the
following functions and features.
lOrganization Group – Select the Organization Group (the tab labeled Global) to which you want to apply changes.
lAdd – Quickly create an admin, device, user, policy, content, profile, internal application, or public application.
lGlobal Search – ( ) Search all aspects of your deployment within the AirWatch Console, including devices, users,
content, applications, configuration settings, admins, pages, and more.
lNotifications – ( ) Stay informed about important console events with Notifications. The number badge on the
Notifications bell icon indicates the number of alerts that require your attention.
lSaved – ( ) Access your favorite and most-utilized pages within the AirWatch Console.
lHelp – ( ) Browse or search the available guides and console documentation.
lAccount – View your account information. Change the Account Role that you are assigned to within the current
environment. Customize settings for contact information, language, Notifications, view history of Logins, and
Security settings including PIN reset. You can also Log out of the AirWatch Console and return to the Login screen.
lRefresh – ( ) See updated stats and info without leaving the current view by refreshing the screen.
lAvailable Sections – ( ) Customize the view of the Hub Overview by selecting only the sections you want to see.
Available only on the Hub Overview.
lExport – ( ) Produces a full listing of profiles, apps, books, channels, or policies to a comma-separated values (CSV)
file that you can view and analyze with Excel.
lHome – ( ) Use this icon to assign any screen in the AirWatch Console as your home page. The next time you open
the AirWatch Console, your selected screen displays as your home page.
lSave – ( ) Add the current page to the Saved page list for quick access to your favorite console pages.
For more information, see the following topics.
Organization Groups Overview on page 67.
Role-Based Access Overview on page 54.
AirWatch Console Notifications on page 15.
AirWatch Console Overview on page 11.
AirWatch Hub on page 197.
Chapter 2: Getting Started with AirWatch
12
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Main Menu
The Main Menu allows you to navigate to all the features available to your role and Mobile Device Management (MDM)
deployment.
Ensure that all aspects of a basic successful deployment are established. Getting Started is organized to
reflect only those modules within an AirWatch Console deployment that you are interested in. Getting
Started produces an on-boarding experience that is more tailored to your actual configuration.
View and manage MDM information that drives decisions you must make and access a quick overview of
your device fleet. View information such as the most blacklisted apps that violate compliance. Track module
licenses with the Admin Panel Dashboard and monitor all devices that are currently out of compliance.
Select and run Industry Templates to streamline the onboarding process with industry-specific apps and
policies for your iOS devices.
Access an overview of common aspects of devices in your fleet, including compliance status, ownership
type breakdown, last seen, platform type, and enrollment type. Swap views according to your own
preferences including full Dashboard, list view, and detail view. Access additional tabs, including all current
profiles, enrollment status, Notification, Wipe Protection settings, compliance policies, certificates, product
provisioning, and printer management.
Survey and manage users and administrators involved with your MDM deployment. Access and manage
user groups, roles, batch status, and settings associated with your users. Also, access and manage admin
groups, roles, system activity, and settings associated with your administrators.
Access and manage the app catalog, book catalog, and Volume Purchase Program (VPP) orders. Also view
application analytics and logs with application settings, including app categories, smart groups, app groups,
featured apps, Geofencing, and profiles associated with apps.
Access detailed overview of content use including storage history trends, user and content status,
engagement, and user breakdown. Manage and upload content available to users and devices. Also, access
batch import status, content categories, content repositories, user storage, VMware Content Locker
homescreen configuration, and all other content-specific settings.
Access detailed overview of email information related to your deployment. Such information includes email
management status, managed devices, email policy violations, deployment type, and time last seen.
Access detailed overview of telecom-enabled devices including use history, plan use, and roaming data.
View and manage telecom use and track roaming, including call, Short Message Service (SMS), and content
settings.
Manage structures, types and statuses related to organization groups, smart groups, app groups, user
groups, and Admin Groups. Configure entire system settings or access settings related to all Main Menu
options.
Chapter 2: Getting Started with AirWatch
13
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Collapse and Expand the Submenu
You can collapse the submenu by selecting the arrow at the bottom of the console. This action creates more space for
device information. To expand or reopen the submenu, select the modified arrow.
Global Search
Using a modular design with a tabbed interface, Global Search runs searches across your entire deployment. Global
Search applies your search parameter to a single tab at a time, which produces faster results. Apply the same parameters
to another area of the AirWatch Console by selecting another tab.
After running a global search, select the following tabs to view the results.
lDevices – Returns matches to Device friendly name and Device Profile name searches.
lAccounts – Returns matches to user name and administrator name searches.
lApplications – Returns matches to internal, public, purchased, and Web application searches.
lContent – Returns matches to any content that appears on devices.
lSettings – Returns matches to individual field-level settings and console main page searches.
Chapter 2: Getting Started with AirWatch
14
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
You can also perform a search for an organization group by selecting the organization group drop-down menu. The
Search bar displays above the list.
AirWatch Console Notifications
Notifications are a communication tool designed to keep you informed about console events that may be impactful to
your operation. The Notifications button is located next to the Global Search button.
There are many different kinds of notifications.
lAPNs Expiration and APNs Expired – You are notified 30 days before APNs for MDM certificates expire, which is a
Critical Priority alert. After the APNs certificate expires, the Critical Priority alert is reduced to a High Priority alert. This
notification helps you avoid the hassles involved with expired certificates and keeps your devices in contact with
AirWatch.
lApp Removal Protection – This High Priority alert displays when the ApplicationRemoval threshold is crossed. You
can act by selecting the Review App Removal link on the Notifications pop-up.
lList View Export – This notification appears when the Device or User list view export you requested has been
completed and is ready for examination. This notification is an Info Priority level.
lUser Group Merge Pending – This notification lets you know that the user group merge process is pending and in
need of admin approval. Such notification happens in two scenarios:
oYou have the Auto Merge Changes setting disabled on your Directory-based User Group, which means all
changes need approval.
oYou have the Auto Merge Changes enabled and the number of changes exceed the Maximum Allowable Changes
threshold. The portion of changes above the threshold need admin approval.
lVPP App Auto Update – High priority alerts that notify you when an app installed with Apple Volume Purchase
Program has an updated version you can install.
For information about Device Lifecycle Notifications, see Configure Lifecycle Notifications on page 113.
Manage Console Notifications
When there are active notifications that require your attention, a numeral badge appears on the alert icon indicating the
number of active alerts. Display the Notifications pop-up by selecting the bell-shaped Notifications icon.
Chapter 2: Getting Started with AirWatch
15
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
You can manage the notifications you receive. This management includes viewing the list of active alerts, Renewing your
APNs, Dismissing expired alerts, viewing the list of dismissed alerts, and Configuring Notification Settings.
Each alert displays the organization group under which the APNs for an MDMcertificate is located. The alert also shows
the expiration date of the certificate and a link to Renew your APNs.
lView Active Alerts – The default view displays the list of active alerts.
lRenew your APNs – Displays the Change Organization Group (OG) screen. This screen appears when the OG that
manages the device with the impending license expiration is different than the OG you are currently in. Renew this
APNs license by selecting Yes to change your OG automatically.
Renew the license and keep the device in contact with AirWatch by following the instructions on the APNs For MDM
settings page.
lDismiss Alert – Close the expired alert and send it to the Dismissed alert listing by selecting the Xbutton. You cannot
close critical priority notifications.
lView Dismissed Alerts – View the listing of dismissed alerts by selecting the Dismissed tab at the top of the
Notifications pop-up.
Configure Notifications Settings
Use the Notifications settings page to enable or disable APNs Expiration alerts, choose how to receive alerts, and change
the email to which it sends alerts.
To configure notification settings, take the following steps.
1. Select the Account button, which is accessible from almost every page on the console, then select Manage Account
Settings and select the Notifications tab.
You can also access the notification settings page by selecting the gear icon located in the lower-right corner of the
Notifications pop up screen.
Chapter 2: Getting Started with AirWatch
16
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
2. Complete the notification settings.
Setting Description
APNs
Expiration
You can trigger an alert when APNs licenses expire or are in jeopardy of expiring.
Notification Select the notification delivery method. Choose from Console, Email, or Both.
Send email to Enter the email address for when Email or Both is selected in Notification. Separate multiple email
addresses with a comma.
List View
Export
You can trigger an alert when the exportation of a User List View or Device List View is complete.
Notification Select the notification delivery method. Choose from Console, Email, or Both. For List View
Exports, the email used is the address on record in the User tab of Account Settings for the
currently logged in administrator.
User Group
Merge
You can trigger an alert when the Active Directory database changes sync with AirWatch and you
have Auto Merge Changes disabled.
Notification Select the notification delivery method. Choose from Console, Email, or Both.
Send email to Enter the email address for when Email or Both is selected in Notification. Separate multiple email
addresses with a comma.
VPP App
Auto Update
You can trigger an alert when an app installed with Apple Volume Purchase Program has an
updated version you can install.
Notification Select the notification delivery method. Choose from Console, Email, or Both.
Send email to Enter the email address for when Email or Both is selected in Notification. Separate multiple email
addresses with a comma.
3. Save or Cancel your changes.
Getting Started Wizard
The Getting Started Wizard serves as a checklist that walks you through the AirWatch Console settings step by step. It
presents only those modules within your specific deployment which produces an on-boarding experience tailored to
your configuration.
The Getting Started page is split into four sections: Workspace ONE, Mobile Device Management, Mobile Content
Management, and Mobile Application Management. Each section has its own set of steps. Steps that are shared among
all sections are tracked automatically so you never have to complete the same step twice.
lWorkspace ONE – Manage, monitor, and support all desktops, BYOD, and corporate-owned devices in a single,
secure catalog of apps.
lMobile Device Management (MDM) – Establish the level of control you want to have over your devices, add users,
and enroll devices into the AirWatch system.
lMobile Content Management (MCM) – Identify and secure personal content, add users, and configure content
management specifications.
Chapter 2: Getting Started with AirWatch
17
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
lMobile Application Management (MAM) – Determine how users install suggested apps and identify and install
public apps to enrolled devices.
Navigate the Getting Started Wizard
The Getting Started Wizard is run in a way that is most convenient to you. It not only tracks how far along you are, it can
be started, paused, restarted later, and rewound to review prior responses.
lSelect Start Wizard to initiate the first step in a module. Here, you answer questions and access the exact pages
within the AirWatch Console to configure settings for each feature. As you answer each question, the percentage
counter progresses and displays how far along you are in completing the module.
lIf you stop a module before completing it, select Continue to return to where you left off.
lYou can opt out of any module by selecting Skip Section, which temporarily disables the Continue button and
inserts a Resume Section link. Enable the Continue button once more by selecting this link.
lYou can review your responses to any module at any time by selecting Review Section from each completed
module.
lAs each substep in the module is completed, a small check mark is placed in the header for that substep. The green
status bar at the top representing the whole module, progresses further.
lSelect the Back button at any time to return to the previous question or screen.
Enable the Getting Started Wizard
For a new AirWatch implementation, access the Getting Started page from the main menu, located above the Hub icon in
the left panel. However, you can manually enable the Getting Started Wizard at any time. Manually enabling the Getting
Started Wizard restarts the walk-through.
To enable the Getting Started Wizard manually
1. Select any Organization Group other than the top-level group.
2. Navigate to Groups &Settings > Groups > Organization Groups > Organization Group Details. Ensure that you are
currently at a customer-level organization group and Save your changes.
3. Navigate to Groups &Settings > All Settings > System > Getting Started.
4. Select Enable for each of the settings on this page:
a. Getting Started Device Status
b. Getting Started Content Status
c. Getting Started Application Status
5. Save changes to the page.
For more information, see Organization Groups Overview on page 67.
Chapter 2: Getting Started with AirWatch
18
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Chapter 3:
Environment Setup
Environment Setup Overview 20
Log In to the AirWatch Console 20
APNs Certificates 20
Privacy and Data Collection 21
Terms of Use 26
Console Branding 29
Restricted Console Actions 29
Other Enterprise Systems for Integration 32
19
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Environment Setup Overview
You can determine the environment URL and login credentials, generate certificates for managing platforms, configure
telecom, privacy settings, customize the console, and more.
Log In to the AirWatch Console
Before you can log in to the AirWatch Console, you must have the Environment URL and log in credentials. How you
obtain this information depends on your type of deployment.
lSaaS Deployment – Your Account Manager provides your Environment URL and user name/password. The URL is
not customizable, and generally follows the format of awmdm.com.
lOn-premises – The on-premises URL is customizable and follows the format awmdm.<MyCompany>.com.
Your Account Manager provides the initial setup credentials for your environment. Administrators who create more
accounts to delegate management responsibility may also create and distribute credentials for their environment. See
Create an Admin Account for details.
Once your browser has successfully loaded the AirWatch Console Environment URL, you can log in using the user name
and Password provided by your AirWatch Administrator.
APNs Certificates
To manage iOS devices, you must first obtain an Apple Push Notification Service (APNs) certificate. An APNs certificate
allows AirWatch to communicate securely to Apple devices and report information back to AirWatch.
Per Apple's Enterprise Developer Program, an APNs certificate is valid for one year and then must be renewed.
TheAirWatch Console sends reminders through Notifications as the expiration date nears. Your current certificate is
revoked when you renew from the Apple Development Portal, which prevents device management until you upload the
new one. Plan to upload your certificate immediately after it is renewed. Consider using a different certificate for each
environment if you use separate production and test environments.
For more information, please see the Generating and Renewing an APNs Certificate for AirWatch
KBarticle:https://support.air-watch.com/articles/115001662728.
Chapter 3: Environment Setup
20
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
APNs Certificate Expiration
The Notifications button in the header bar of the Console alerts you when your APNs for MDM certificates are close to
expiring. This notice allows you to act.
For more information, see AirWatch Console Notifications on page 15.
Generate an APNs Certificate
You must generate and occasionally renew APNs Certificates to enable and maintain secure communications between
your iOS devices and AirWatch. To generate an APNs certificate, you must choose between two methods.
1. Follow the steps outlined in the Getting Started Wizard on page 17.
OR
2. Generate APNs certificates manually by taking the following steps.
a. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs for MDM.
b. If the Valid To date has passed, select the Renew button and follow the on-screen instructions. There is an
instructions link that shows you how to use the Apple Push Certificates Portal to upload a certificate request.
Provided on this page is a convenient Go To Apple button that opens the Apple Push Certificates Portal in a new
tab of your browser. You need two items to continue.
i. AirWatch Certificate Request, which is a file in the PLIST format that you can save to your device.
ii. The Apple ID that you originally used to create the certificate.
c. Click Next to advance to the next page where you must enter your Apple ID and upload the Apple-issued
AirWatch MDMcertificate (PEM file).
d. Select Save.
Privacy and Data Collection
It is important that you inform your end users about how their data is collected and stored when they enroll into
AirWatch. The AirWatch Console allows you to create a customized privacy notification to inform users about what data
your company collects from enrolled devices.
Work with your legal department to determine what message about the collection of data you communicate to your end
users.
Privacy Notices for BYODEnd Users
A privacy notice informs your end users about what data you collect from their devices based on their device type,
deployment type, and ownership type.
Chapter 3: Environment Setup
21
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Privacy Notice Configuration
Privacy notices are automatically delivered based on the organization group and device ownership of the device
connecting. You may choose to display a privacy notice for each ownership type: Employee Owned,Corporate -
Dedicated,Corporate - Shared, and Unknown.
You must create a privacy notice before you assign ownership types to receive the notice. For more information, See
Create a Privacy Notice in the VMware AirWatch BYOD &Privacy Guide, available through AirWatch Resources.
Privacy Notice Deployment
When you assign an ownership type to receive privacy notices, all users in the selected ownership type receive the
privacy notification immediately as a Web clip. If you inserted the privacy notice lookup value
PrivacyNotificationUrl in your message template, then the message includes a URL where the user can read
the privacy notice.
Users receive the privacy notice automatically if:
lThey enroll a new device and they are of an ownership type for which the privacy notice is enabled.
lThey currently use an enrolled device and their ownership is changed post-enrollment to a type that is assigned the
Web clip.
To learn how to deploy a privacy notice as part of a device activation, see Register an Individual Device.
Create a Privacy Notice for BYODUsers
Inform your users about what data your company collects from their enrolled devices with a customized privacy
notification. Work with your legal department to determine what message about data collection you communicate to
your end users.
1. Navigate to Groups and Settings > All Settings > Devices and Users > General > Message Templates.
2. Select Add to create a template. If you have already created a privacy notification template, select it from the list of
available templates to use or edit it.
3. Complete the Add/Edit Message Template settings.
Setting Description
Name Enter a name for the notification template.
Description Enter a description of the template you are creating.
Category Select Enrollment.
Type Select MDM Device Activation.
Select
Language
Select the default language for your template. Use the Add button to add more default languages for
a multi-language delivery.
Default Select this check box to make this template the default message template.
Message
Type
Select one or more message types: Email,SMS, or Push message.
4. Create the notification content. The message types that you selected in the Message Type selection determine which
Chapter 3: Environment Setup
22
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
messages appear for you to configure.
Element Description
Email
Email
Content
Formatting
Choose whether your email notification is delivered as Plain Text or HTML.
Subject Enter the subject line for your email notification.
Message
Body
Compose the email message to send to your users. The editing and formatting tools that appear in
this text box depend on which format you chose in the Email Content Formatting selection.
If you have enabled the Visual Privacy Notice, include the lookup value
PrivacyNotificationUrl in the message body.
SMS
Message
Body
Compose the SMS message to send to your users.
If you have enabled the Visual Privacy Notice, include the lookup value
PrivacyNotificationUrl in your message body.
Push
Message
Body
Compose the Push notification to send to your users.
If you have enabled the Visual Privacy Notice, include the lookup value
PrivacyNotificationUrl in your message body.
5. Select Save.
Privacy Settings
Privacy settings enable you to define how device and user information are handled in the AirWatch Console. This
information is useful in Bring Your Own Device (BYOD) deployments.
lReview and adjust privacy policies according to device ownership, which lets you align with data privacy laws in other
countries or legally defined restrictions.
lEnsure that certain IT checks and balances are in place, preventing overload of servers and systems.
Important: Each jurisdiction has its own regulations governing what data can be collected from end users. Research
these regulations thoroughly before Configure Privacy Settings on page 23.
Configure Privacy Settings
End-user privacy is a major concern for you and your users. AirWatch provides granular control over what data is
collected from users and what collected data is viewable by admins.
Configure the privacy settings to serve both your users and your business needs.
1. Navigate to Devices > Device Settings > Devices & Users > General > Privacy.
2. Select the appropriate setting for GPS,Telecom,Applications,Profiles, and Network data collection.
Chapter 3: Environment Setup
23
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Collect and Display – User data is collected and displayed in the AirWatch Console.
Collect Do Not Display – User data is collected for use in reports but is not displayed it in the AirWatch
Console.
Do Not Collect – User data is not collected and therefore it is not displayed.
3. Select the appropriate setting for the Commands that can be performed on devices.
Allow – The command is made on devices without permission from the user.
Allow With User Permission – The command is made on devices but only with the permission of the user.
Prevent – The command does not run on devices.
Consider disabling all remote commands for employee-owned devices, especially full wipe. This disablement
prevents inadvertent deletion or wiping of an end user's personal content.
Note: If you disable the wipe function for select iOS ownership types, users do not see the "Erase all content and
settings" permission during enrollment.
If you are going to allow remote control, file manager, or registry manager access for Android/Windows Rugged
devices, consider using the Allow With User Permission option. This option requires the end user to consent to
admin access on their device through a message prompt before the action is performed. If you opt to allow use of
any commands, explicitly mention these commands in your terms of use agreement.
4. For User Information, select Display or Do Not Display in the Console for the First Name,Last Name,Phone
Number,Email Accounts, and user name data.
If an option other than user name is set to Do Not Display, that data displays as "Private" wherever it appears in the
AirWatch Console. Options you set to Do Not Display are not searchable in the console. When a user name is set to
Do Not Display, the user name displays as "Private" only on the Device List View and Device Details pages. All other
pages in the AirWatch Console show the user name of the enrolled user.
You can encrypt personally identifiable information, including first name, last name, email address, and telephone
number. Navigate to Groups &Settings > All Settings > System > Security > Data Security from the Global or
Customer-level organization group you want to configure encryption for. Enabling encryption, selecting which user
data to encrypt, and selecting Save encrypts user data. Doing so limits some features in the AirWatch Console, such
as search, sort, and filter.
5. Select whether to Enable or Disable the Do Not Disturb Mode on the device. This setting lets user devices ignore
MDM commands for a specified period. When Enabled, you can select a grace period or activation time in minutes,
hours, or days, after which the Do Not Disturb Mode expires.
For more information about using Do Not Disturb Mode, see the following VMware AirWatch Knowledge
Base article:https://support.air-watch.com/articles/115001662448.
6. Select to Enable or Disable the User-Friendly Privacy Notice on the device.
Chapter 3: Environment Setup
24
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
lWhen Enabled, you may choose Yes (display a privacy notice) or No (do not display a privacy notice) for each
ownership level: Employee Owned,Corporate - Dedicated,Corporate - Shared, and Unknown.
7. Click Save. You must enter your PIN to save the changes. Click Save.
For more information about applying a Bring Your Own Device solution, see the VMware AirWatch BYOD and Privacy
Guide, available on Accessing Other Documents on page 217.
Privacy Best Practices
Striking a balance between your business needs and the privacy concerns of your employees can be challenging. There
are a few simple practices that can manage Privacy Settings to strike the best balance.
Important: Every deployment is different. Tailor these settings and policies that fit your organization in the best way
by consulting with your own legal, human resource, and management teams.
User Information for Privacy Best Practices
In general, you display user information such as the first name, last name, phone number, and email address for both
employee-owned and corporate-owned devices.
Application Information for Privacy Best Practices
In general, it is appropriate to set the collection of application information to either do not collect or collect and do not
display for employee-owned devices. This setting is important because public apps installed on a device, if viewed, can be
considered personally identifiable information. For corporate-owned devices, AirWatch records all installed applications
on the device.
If Do Not Collect is selected, only personal application information is not collected. AirWatch collects all managed
applications, whether public, internal, or purchased.
Remote Commands for Privacy Best Practices
Consider disabling all remote commands for employee-owned devices. However, if you allow remote actions or
commands, explicitly mention these remote actions and commands in your terms of use agreement.
GPS Coordinates for Privacy Best Practices
In general, it is not appropriate to collect GPS data for employee-owned devices. The following notes apply to corporate-
owned devices.
lGPS Data – Information collected includes location data and a time-stamp indicating when this information was sent
to AirWatch.
oFor iOS devices, GPS data is reported automatically. GPSdata is reported by opening any AirWatch application or
internal application with an AirWatch Software Development Kit (SDK) set to capture GPS data.
When GPS data is reported, AirWatch defines a 1-kilometer region around this location. It then reports location
information whenever the device moves outside the region or whenever the user opens an AirWatch or internal
application. No new GPS data is reported unless one of these actions occurs.
oLocation Services must be enabled on the iOS device. AirWatch cannot force this setting.
Chapter 3: Environment Setup
25
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
lWhile GPS is typically used for lost or stolen devices, it is also used for any situation where knowing the location of a
device is useful.
Telecom Data for Privacy Best Practices
It is only appropriate to collect telecom data for employee-owned devices if they are a part of a stipend where cellphone
expenses are subsidized. In this case, or for corporate-owned devices, consider the following about data you can collect.
lCarrier/Country Code – Carrier and Country Code are recorded and can be used for telecom tracking purposes.
Telecom plans can be set up and devices can be assigned to the appropriate plan based on their carrier and country.
This information can also be used to track devices by home carrier and home country or by current country and
current carrier.
lRoaming Status – This status can be used to track which devices are in a 'Roaming' or 'Not Roaming' state.
Compliance policies can be set up to disable voice and data use while the device is roaming or you can also apply
other compliance actions. Also, if the device is assigned to a telecom plan, AirWatch can track data use while
roaming. Collecting and monitoring roaming status can be helpful in preventing large carrier charges due to roaming.
lCellular Data Use – The data use in terms of total bytes sent and received. This data can be collected for each cellular
device. If the device is assigned to a telecom plan, you can monitor data use based on a percentage of total data
amount per billing cycle. This feature allows you to create compliance policies based on the percentage of data used
and is helpful in preventing large carrier overage charges.
lCell Use – The voice minutes that can be collected for each cellular device. Similar to data, if the device is assigned to
a telecom plan, you can monitor use based on a percentage of minutes per billing cycle. This method allows you to
create compliance policies based on the percentage of minutes used and can be helpful in preventing large carrier
overage charges.
lSMS Use – The short message service (SMS) data that can be collected for each cellular device. Similar to data, if the
device is assigned to a telecom plan, you can monitor SMS use based on a percentage of messages per billing cycle.
This method allows you to create compliance policies based on the percentage of messages used. Monitoring SMS
use is helpful in preventing large carrier overage charges.
Terms of Use
Ensure that all users with managed devices agree to the policy by defining and enforce terms of use (TOU). If necessary,
users must accept the TOU before proceeding with enrollment, installing apps, or accessing the AirWatch Console. The
AirWatch Console allows you to customize fully and assign a unique TOU to each organization group and child
organization group.
The terms of use displays during each device enrollment. Get access the following functions.
lSet version numbers.
lSet platforms to receive the terms of use.
lNotify users by email with the terms of use updates.
lCreate language-specific copies of the terms of use.
lCreate multiple terms of use agreements and assign them to organization groups based on platform or the type of
Chapter 3: Environment Setup
26
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
ownership.
lMeet the liability requirements of specific groups by customizing terms of use.
Create Enrollment Terms of Use
You can create an agreement about terms of use (TOU) specific to enrollment purposes. You can also limit devices
allowed for enrollment by device platform, ownership type, and enrollment type.
1. Ensure that your current active organization group is correct for the TOU you are creating.
2. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and select the Terms of Use tab.
3. Select Add New Enrollment Terms of Use.
4. Enter a unique Name of the new TOU. The Type of TOU is pre-populated as Enrollment.
5. Choose Any for the settings Platforms,Device Ownership, and Enrollment Type if your TOU applies to any kind of
device for that category.
6. If you prefer to specify a device type, you can select one or more of these categories and define the limitations
specific to your TOU.
lIf you select Selected Platform option, then choose your desired platforms from the list that appears. Your TOU
applies to the device platforms you select, excluding all others.
lIf you select Selected Ownership Types option, then you must choose your desired ownership from the list that
appears. Your TOU applies to the ownership types you select, excluding all others.
lIf you select Selected Enrollment Types option, then you must choose your desired enrollment from the list that
appears. Your TOU applies to the types of enrollment you select, excluding all others.
7. Send an email to users whenever the TOU is updated by selecting the Notification check box.
a. Optionally, for localization purposes, you may enter a TOU agreement for each language applicable to your
needs by making a choice in the Select Language drop-down.
8. In the text box provided, enter your customized TOU.
The editor provides a basic text entry tool to create a TOU or paste in an existing TOU. To paste text from an external
source, right-click the text box and choose Paste as plain text to prevent any HTML or formatting errors.
9. Select Save.
You can enforce MDM terms of use acceptance by creating a compliance policy for MDM Terms of Use Acceptance. This
enforcement does not apply to devices using AirWatch Container.
Create Application or Console Terms of Use
You can also create application-based terms of use (TOU) to notify end users when a specific application collects data or
when it imposes restrictions.
When users run these applications from your enterprise app catalog, they must accept the agreement to access the
application. You can set TOU for app versions, make language-specific TOU, and remove apps if the TOU is not accepted.
Console TOU display when an administrator logs in to the AirWatch Console for the first time. For the AirWatch Console,
you can set TOU version numbers and create language-specific copies of the TOU.
Chapter 3: Environment Setup
27
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
For Applications, assign the TOU when adding or editing an application using the Terms of Use tab.
1. Navigate to Groups &Settings > All Settings > System > Terms of Use.
2. Select Add Terms of Use.
3. Enter a Name for the terms of use and select the Type, which can be Console or Application.
4. Configure settings such as a Version number and a Grace Period, depending on the Type you selected.
5. Enter your TOU in the text box provided. The editor provides a basic text entry tool to create a TOU or paste in an
existing TOU. If you are pasting text from an external source, right-click the text box and choose Paste as plain text
to prevent any HTML or formatting errors.
6. Select Save.
View Terms of Use Acceptance
While compliance policies can be configured to help enforce terms of use acceptance, you can also see who has and who
has not accepted the agreement. Then, if necessary, you can contact those individuals directly.
1. Navigate to Groups & Settings > All Settings > System > Terms of Use.
2. Use the Type drop-down menu to filter based on the agreement type, for example, Enrollment. The Users / Devices
column displays devices that have accepted/not accepted/been assigned the terms of use.
3. Select the appropriate number in the Devices column for the terms of use row to see device information pertaining
to that agreement. Optionally, access the drop-down menu for the row and select one of the following.
lView Devices or Users – Display a complete list of devices and their acceptance statuses. You can filter by
organization group.
lView Previous Versions – View previous iterations of the agreement.
lView Terms of Use – View the terms of use agreement.
Track Terms of Use Acceptance With Reports
You can track user acceptance for terms of use, enabling you to take possible action.
View details regarding specific organization groups, console acceptances, and device enrollment acceptances. View the
acceptances directly in the AirWatch Console or export the report in either PDF, CSV, or Excel formats.
1. Navigate to Hub > Reports & Analytics > Reports > List View.
2. Search for and generate the Terms of Use Acceptance Detail report by selecting the report title.
3. Select the OrganizationGroups.
4. Select the Terms of Use Type.
5. Select the Report Format.
6. Select Download to save the report in the selected format.
7. You can also Preview as PDF.
Chapter 3: Environment Setup
28
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Important: AirWatch does not provide legally binding sample text and any text examples provided must be reviewed
by your own company or legal team.
Console Branding
The AirWatch Console allows extensive customization options. These options allow you to brand aspects of your
AirWatch tools and resources according to the color scheme, logo, and overall aesthetic of your organization.
Branding can be configured in support of multi-tenancy, so different divisions of your enterprise can have their unique
look and feel at their organization group level.
For more information, see Organization Groups Overview on page 67.
Configure Console Branding
You can align with the color scheme, logo, and overall aesthetic of your organization by customizing the console.
1. Select the organization group you want to brand and then navigate to Groups & Settings > All Settings > System >
Branding.
2. Configure the settings on the Branding tab:
lUpload a Company Logo by uploading a file saved on your computer. The suggested resolution of the uploaded
image is 800x300.
lUpload a background for the login page by uploading a file saved on your computer. The suggested resolution of
the uploaded image is 1024x768.
lUpload a background for the Self-Service Portal login page by uploading a file saved on your computer. The
suggested resolution of the uploaded image is 1024x768.
3. Configure customizations to the Colors section in the Branding tab.
4. Configure the settings on the Custom CSS tab.
lEnter customized CSS code for advanced branding.
5. Select Save.
Restricted Console Actions
In a scenario where the AirWatch Console is left unattended, AirWatch provides an extra safeguard against malicious
actions that are potentially destructive. You can place those actions out of reach of unauthorized users. Navigate to
Groups &Settings > AllSettings > System > Security > Restricted Actions.
Enable Send Message to All
Enable this setting to allow a system administrator to send a message to all devices in your deployment from the Device
List View.
Chapter 3: Environment Setup
29
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
For more information, see Device List View on page 178.
Select Password Protect Actions
Restricted Console Actions provides an added layer of protection against malicious actions that are potentially
destructive. Configure settings for restricted actions by navigating to Groups & Settings > All Settings > System >
Security > Restricted Actions.
You can require that certain actions require admins to enter a PIN. For each action you choose to protect, select the
appropriate Password Protect Actions button for Enabled or Disabled as appropriate. This provides you with granular
control over which actions you want to make more secure.
Note: Some actions always require a PIN and thus cannot be disabled. Denoted by * below.
You can set the maximum number of failed attempts the system accepts before automatically logging out the session. If
you reach the set number of attempts, you need to re-login into the AirWatch Console and set a new security PIN.
Setting Description
Admin Account Delete Prevents the deletion of an admin user account in Accounts > Administrators > List View.
*Regenerate VMware
Enterprise Systems
ConnectorCertificate
Prevents the regeneration of the VMware Enterprise Systems Connectorcertificate in
Groups &Settings >All Settings >System >Enterprise Integration >VMware Enterprise
Systems Connector.
*APNs Certificate
Change
Prevents the disabling of APNs for MDM in Groups & Settings > All Settings > Devices &
Users > Apple > APNs For MDM.
Application
Delete/Deactivate/Retire
Prevents the deletion, deactivation, or retirement of an application in Apps & Books >
Applications > List View.
Content
Delete/Deactivate
Prevents the deletion or deactivation of a content file in Content > List View.
*Data Encryption Toggle Prevents the Encryption of user information setting in Groups & Settings > All Settings >
System > Security > Data Security.
Device Delete Prevents the deletion of a device in Devices > List View. Admin security PIN is still required
for bulk actions even when this setting is disabled.
*Device Wipe Prevents any attempt to perform a device wipe from the Device List View or Device Details
screens.
Chapter 3: Environment Setup
30
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Setting Description
Enterprise Reset Prevents any attempt to perform an enterprise reset on a device from the Devices Details
page of a Windows Rugged, Rugged Android, or QNX device.
Enterprise Wipe Prevents any attempt to perform an enterprise wipe on a device from the Devices Details
page of a device.
Enterprise Wipe (Based
on User Group
Membership Toggle)
Prevents any attempt to perform an enterprise wipe on a device when it is removed from a
user group. This is an optional setting that you can configure under Groups & Settings > All
Settings > Devices &Users > General > Enrollment on the Restrictions tab. If you Restrict
Enrollment to Configured Groups on this tab, you then have the added option of
performing an enterprise wipe a device when it is removed from a group. For more
information, see the Configure Enrollment Restriction Settings on page 116.
*Organization Group
Delete
Prevents any attempt to delete the current organization group from Groups & Settings >
Groups > Organization Groups > Organization Group Details.
Profile
Delete/Deactivate
Prevents any attempt to delete or deactivate a profile from Devices > Profiles & Resources
> Profiles.
Provisioning Product
Delete
Prevents any attempt to delete a provisioning product from Devices > Staging
&Provisioning > Products List View.
Revoke Certificate Prevents any attempt to revoke a certificate from Devices > Certificates > List View.
*Secure Channel
Certificate Clear
Protects from any attempt to clear an existing secure channel certificate from Groups &
Settings > All Settings > System > Advanced > Secure Channel Certificate.
User Account Delete Prevents any attempt to delete a user account from Accounts > Users > List View.
Delete Telecom Plan Prevents the deletion of a telecom plan in Telecom > PlanList.
Override Job Log Level Prevents attempts to override the currently-selected job log level from Groups &Settings >
Admin > Diagnostics > Logging. Overriding the Job Log Level is useful when a device or
group of devices is having an issue. In this case, the admin can override those device
settings by forcing an elevated log level to Verbose, which logs the maximum level of
console activity, making it ideal for troubleshooting.
*App Scan Vendor
Reset/Toggle
Prevents the resetting (and subsequent wiping) of your app scan integration settings. This
action is performed in Groups &Settings > All Settings > Apps > App Scan.
Maximum invalid PIN
attempts
Defines the maximum number of invalid attempts at entering a PIN before the console locks
down. This setting must be between 1 and 5.
Configure Required Notes for Action
You can also require admins to enter notes using the Require Notes check box and explain their reasoning when
performing these actions. Navigate to Groups &Settings > AllSettings > System > Security > Restricted Actions.
Setting Description
Lock Device Require a note for any attempt to lock a device from the Device List View or Device Details pages.
Chapter 3: Environment Setup
31
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Setting Description
Lock SSO Require a note for any attempt to lock an SSOsession from the Device List View or Device Details
screens.
Device Wipe Require a note for any attempt to perform a device wipe from the Device List View or Device Details
screens.
Enterprise
Reset
Require a note for any attempt to enterprise reset a device from the Devices Details page of a
Windows Rugged or Rugged Android device.
Enterprise Wipe Require a note for any attempt to perform an enterprise wipe from the Devices Details page of a
device.
Override Job
Log Level
Require a note prior to attempts to override the default job log level from Groups &Settings >
Admin > Diagnostics > Logging.
Other Enterprise Systems for Integration
Take advantage of advanced MDM functionality by integrating your AirWatch environment with existing enterprise
infrastructures including email management with SMTP, directory services, and content management repositories.
AirWatch can integrate with the following internal components.
lEmail Relay (SMTP) – Provide security, visibility, and control for mobile email.
lDirectory Services (LDAP/AD) – Take advantage of existing corporate groups to manage users and devices.
lMicrosoft Certificate Services – Use existing Microsoft certificate infrastructure for an AirWatch deployment.
lSimple Certificate Enrollment Protocol (SCEP PKI) – Configure certificates for Wi-Fi, VPN, Microsoft EAS and more.
lEmail Management Exchange 2010 (PowerShell) – Securely connect AirWatch to enforce policies with corporate
email servers.
lBlackBerry Enterprise Server (BES) – Integrate with BES for streamlined BlackBerry management.
lThird-party Certificate Services – Import certificate management systems to be managed within the Console.
lLotus Domino Web Service (HTTPS) – Access Lotus Domino content and features through your AW deployment.
lContent Repositories – Integrate with SharePoint, Google Drive, SkyDrive, file servers, and network shares.
lSyslog (Event log data) – Export event log data to be viewed across all integrated servers and systems.
lCorporate Networks – Configure Wi-Fi and VPN settings, provision device profiles with user credentials for access.
lSystem Information and Event Management (SIEM) – Record and compile device and console data to ensure
security and compliance with regulations and corporate policies.
For more information on how to integrate AirWatch with these infrastructures, seeVMware Enterprise Systems
Connector Guide, available at https://www.vmware.com/support/pubs/workspaceone-pubs.html. See also VMware
Tunnel Admin Guide and the 'Syslog' section of the Reports & Analytics Guide, available on Accessing Other Documents
on page 217.
Chapter 3: Environment Setup
32
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Chapter 4:
User and Admin Accounts
User and Admin Accounts Overview 34
User Authentication Types 34
Basic User Accounts 40
Directory-Based User Accounts 42
User Accounts List View Overview 46
Batch Import Feature 47
Admin Accounts 50
33
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
User and Admin Accounts Overview
You must create and integrate user accounts for devices to enroll into AirWatch. Likewise, Administrator accounts must
be created and assigned so Admins can easily manage users and devices.
The AirWatch Console allows you to establish a complete user and admin infrastructure. It provides configuration
options for authentication, enterprise integration, and ongoing maintenance.
User Authentication Types
Before any devices can be enrolled, each device user must have an authentic user account recognized by AirWatch. The
type of user authentication you choose depends upon the needs of your organization.
Basic User Authentication
You can use Basic Authentication to identify users in the AirWatch architecture but this method offers no integration to
existing corporate user accounts.
Pros
lCan be used for any deployment method.
lRequires no technical integration.
lRequires no enterprise infrastructure.
Cons
lCredentials only exist in AirWatch and do not necessarily match existing corporate credentials.
lOffers no federated security or single sign-on.
lAirWatch stores all user name and passwords.
1. Console user logs in to AirWatch SaaS using local AirWatch account for authentication (Basic Authentication)
lCredentials are encrypted during transport
l(for example, user name:jdoe@air-watch.com, password: abcd)
Chapter 4: User and Admin Accounts
34
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
2. Device user enrolls device using local AirWatch account (Basic Authentication)credentials
lCredentials are encrypted during transport
l(for example, user name:jdoe2, password 2557)
Active Directory / LDAP Authentication
Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) authentication is used to integrate user and admin
accounts of AirWatch with existing corporate accounts.
Pros
lEnd users now authenticate with existing corporate credentials.
lSecure method of integrating with LDAP / AD.
lStandard integration practice.
Cons
lRequires an AD or other LDAP server.
1. Device connects to AirWatch MDMto enroll device. User enters their directory services user name and password.
lUser name and password are encrypted during transport.
lAirWatch does not store the user's directory services password.
2. AirWatch queries the client's directory services through a secureLDAP protocol over the Internet using a service
account for authentication.
3. The user's credentials are validated against the corporate directory service.
4. If the user credentials are valid, the AirWatch server allows the device to complete a device enrollment.
Chapter 4: User and Admin Accounts
35
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Active Directory / LDAP Authentication with VMware Enterprise Systems Connector
The Active Directory / LDAP authentication with VMware Enterprise Systems Connector provides the same functionality
as traditional AD/LDAP authentication. This model functions across the cloud for Software as a Service (SaaS)
deployments.
Pros
lEnd users authenticate with existing corporate credentials.
lRequires no firewall changes, as communication is initiated from the VMware Enterprise Systems Connector within
your network.
lTransmission of credentials is encrypted and secure.
lOffers secure configuration to other infrastructure such as BES, Microsoft ADCS, SCEP, and SMTP servers.
Cons
lRequires VMware Enterprise Systems Connector to be installed behind the firewall or in a DMZ.
lRequires extra configuration.
SaaS Deployment model
On-premises Deployment model
For information about how to integrate your AirWatch environment with these infrastructures, seeVMware Enterprise
Systems Connector Guide, available at https://www.vmware.com/support/pubs/workspaceone-pubs.html.
Chapter 4: User and Admin Accounts
36
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Authentication Proxy
The authentication proxy delivers directory services integration across the cloud or across hardened internal networks. In
this model, the AirWatch MDM server communicates with a publicly facing Web server or an Exchange ActiveSync Server.
This arrangement authenticates users against the domain controller.
Pros
lOffers a secure method to proxy integration with AD/LDAP across the cloud.
lEnd users can authenticate with existing corporate credentials.
lLightweight module that requires minimal configuration.
Cons
lRequires a public facing Web server or an Exchange ActiveSync server which ties into an AD/LDAP server.
lOnly feasible for specific architecture layouts.
lMuch less robust solution than VMware Enterprise Systems Connector.
1. Device connects to AirWatch to enroll device. User enters their directory services user name and password.
lUser name and password are encrypted during transport.
lAirWatch does not store the user's directory services password.
2. AirWatch relays the user name and password to a configured Authentication Proxy endpoint that requires
authentication (for example, Basic Authentication).
3. The user's credentials are validated against the corporate directory services.
4. If the user credentials are valid, the AirWatch server allows the device to complete a device enrollment.
Chapter 4: User and Admin Accounts
37
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
SAML 2.0 Authentication
The Security Assertion Markup Language (SAML) 2.0 Authentication offers single sign-on support and federated
authentication. AirWatch never receives any corporate credentials. If an organization has a SAML Identity Provider
server, use SAML 2.0 integration.
Pros
lOffers single sign-on capabilities.
lAuthentication with existing corporate credentials.
lAirWatch never receives corporate credentials in plain-text.
Cons
lRequires corporate SAML Identity Provider infrastructure.
1. Device connects to AirWatch for enrollment. AirWatch server redirects the device to the client specified identity
provider.
2. Device securely connects through HTTPS to client provided identity provider and user enters credentials.
lCredentials are encrypted during transport directly between the device and SAML endpoint.
3. Credentials are validated against directory services.
4. The identity provider returns a signed SAML response with the authenticated user name.
5. The device responds back to the AirWatch server and presents the signed SAML message. The user is authenticated.
For more information, see the VMware AirWatch SAML Integration Guide, on Accessing Other Documents on page 217.
Chapter 4: User and Admin Accounts
38
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Token-Based Authentication
The Token-based authentication offers the easiest way for a user to enroll their device. With this enrollment setting,
AirWatch generates a token, which is placed within the enrollment URL.
For single-token authentication, the user accesses the link from the device to complete an enrollment and the AirWatch
server references the token provided to the user.
For added security, set an expiration time (in hours) for each token. Setting an expiration minimizes the potential for
another user to gain access to any information and features available to that device.
You may also decide to implement two factor authentication to take end-user identity verification a step further. With
this authentication setting, the user must enter their user name and password upon accessing the enrollment link with
the provided token.
Pros
lMinimal work for an end user to enroll and authenticate their device.
lSecure token use by setting expiration.
lUser does not need credentials for single-token authentication.
Cons
lRequires either Simple Mail Transfer Protocol (SMTP) or Short Message Service (SMS) integration to send tokens to
device.
1. Administrator authorizes user device registration.
2. Single use token generated and sent to user from AirWatch.
3. User receives a token and navigates to enrollment URL. User is prompted for token and optionally two-factor
authentication.
4. Device enrollment process.
5. AirWatch marks token as expired.
Note: SMTP is included with SaaS deployments.
Chapter 4: User and Admin Accounts
39
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Enable Security Types for Enrollment
Once AirWatch is integrated with a selected user security type and before enrollment, enable each authentication mode
you plan to allow.
Navigate to Devices > Device Settings > Devices & Users > General > Enrollment in the Authentication tab and select
the appropriate check boxes for the Authentication Mode setting.
Basic User Accounts
Create basic user accounts in AirWatch for your end users if you are not integrating with a directory service. Basic user
accounts are also useful for testing purposes: they can be created quickly and disposed of afterward. For more
information, see Basic vs. Directory Services Enrollment on page 93.
Pros
lCan be used for any deployment method.
lRequires no technical integration.
lRequires no enterprise infrastructure.
Cons
lCredentials only exist in AirWatch and do not necessarily match existing corporate credentials.
lOffers no federated security.
lSingle sign on not supported.
lAirWatch stores all usernames and passwords.
Create Basic User Accounts
You can create basic user accounts for each user to authenticate and log in to the AirWatch system. You can then send
basic users a notification with instructions on activating their account including a password reset link that expires in 24
hours. For more information, see Create Basic User Accounts on page 40.
Create Basic User Accounts
You can create basic user accounts which each user requires to authenticate and log in to the AirWatch system. This topic
details creating user accounts one at a time.
1. Navigate to Accounts > Users > List View, select Add then Add User. The Add / Edit User page displays.
2. In the General tab, complete the following settings to add a basic user.
Setting Description
Security Type Choose Basic to add a basic user.
User name Enter a user name with which the new user is identified.
Password Enter a password that the user can use to log in.
Chapter 4: User and Admin Accounts
40
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Setting Description
Confirm
Password
Confirm the password.
Full Name Complete the First Name,Middle Name, and Last Name of the user.
Display Name Represent the user in the AirWatch Console by entering a name.
Email Address Enter or edit the user's email address.
Email user name Enter or edit the user's email user name.
Domain Select the email domain from the drop-down setting.
Phone Number Enter the user's phone number including plus sign, country code, and area code. This option is
required if you intend to use SMS to send notifications.
Enrollment
Enrollment
Organization
Group
Choose the organization group the user enrolls in.
Allow the user to
enroll into
additional
Organization
Groups
You can allow the user to enroll into more than one organization group. If you select Enabled,
then complete the Additional Organization Groups drop-down setting.
User Role Select the role for the user you are adding from this drop-down setting.
Notification
Message Type Choose the type of message you may send to the user, Email,SMS, or None. Selecting SMS
requires a valid entry in the Phone Number option.
Message
Template
The basic user activates their account with this notification. For security reasons, this
notification does not include the user's password. Instead, a password reset link is included in
the notification. The basic user selects this link to define another password. This password
reset link expires in 24 hours automatically.
Choose the template for email or SMS messages by selecting one from this drop-down setting.
Optionally, select Message Preview to preview the template and select the Configure Message
Template to create a template.
Chapter 4: User and Admin Accounts
41
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
3. You may optionally select the Advanced tab and complete the following settings.
Setting Description
Advanced Info Section
Email
Password
Enter the email password of the user you are adding.
Confirm
Email
Password
Confirm the email password of the user you are adding.
User
Principal
Name
Enter the principal name of the basic user. This setting is optional.
Category Choose the User Category for the user being added.
Department Enter the user's department for administrative purposes.
Employee
ID
Enter the user's employee ID for administrative purposes.
Cost Center Enter the user's cost center for administrative purposes.
Certificates Section
Use
S/MIME
Enable or Disable Secure Multipurpose Internet Mail Extensions (S/MIME).
If enabled, you must have an S/MIME-enabled profile and you must upload an S/MIME certificate by
selecting Upload.
Separate
Encryption
Certificate
Enable or Disable encryption certificate.
If enabled, you must upload an encryption certificate using Upload. Generally, the same S/MIME
certificate is used for signing and encryption, unless a different certificate is expressly being used.
Old
Encryption
Certificate
Enable or disable a legacy version encryption certificate.
If enabled, you must Upload an encryption certificate.
Staging Section
Enable
Device
Staging
Enable or disable the staging of devices.
If enabled, you must choose between Single User Devices and Multi User Devices. If Single User
Devices, you must select between Standard, where users themselves log in and Advanced, where a
device is enrolled on behalf of another user. See Self-Enrollment vs Device Staging on page 99 for
more information.
4. Select Save to save only the new user or select Save and Add Device to save the new user and proceed to the Add
Device page.
Directory-Based User Accounts
Integrating with an existing directory service enables you to pull in users automatically. It eliminates the need of having
to add users manually to the AirWatch Console. For more information, see Basic vs. Directory Services Enrollment on
Chapter 4: User and Admin Accounts
42
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
page 93.
Every directory user you want to manage through AirWatch Mobile Device Management (MDM) must have a
corresponding user account in the AirWatch Console.
You can directly add your existing directory services users to AirWatch using one of the following methods.
lBatch upload a file containing all your directory services users. The act of batch importing automatically creates a
user account.
lCreate an AirWatch user accounts one at a time by entering the directory user name and selecting Check User to
auto-populate remaining details.
lDo not import in bulk nor manually create user accounts and instead allow all directory users to self-enroll at
enrollment time.
Pros
lEnd users authenticate with existing corporate credentials.
lCan automatically detect and sync changes from the directory system into AirWatch.
lSecure method of integrating with your existing directory service.
lStandard integration practice.
lSaaS deployments using the VMware Enterprise Systems Connector require no firewall changes and offers a secure
configuration to other infrastructures, such as Microsoft ADCS, SCEP, and SMTP servers.
Cons
lRequires an existing directory service infrastructure.
lSaaS deployments require additional configuration due to the VMware Enterprise Systems Connector being installed
behind the firewall or in a DMZ.
Create a Directory-Based User Account
You must create accounts for each user in the AirWatch system and directory users authenticate using your existing
corporate credentials. For more information, see Create a Directory-Based User Account on page 43.
Create a Directory-Based User Account
You must create accounts for each user in the AirWatch system and directory users authenticate using your existing
corporate credentials. This topic details creating user accounts one at a time.
1. Navigate to Accounts > Users > List View and select Add and then Add User. The Add / Edit User page displays.
2. In the General tab, complete the following settings to add a directory user.
Setting Description
Security Type Add an Active Directory user by choosing Directory as the Security Type.
Directory Name This pre-populated setting identifies the Active Directory name.
Domain Choose the domain name from the drop-down menu.
Chapter 4: User and Admin Accounts
43
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Setting Description
User name Enter the user's directory user name and select Check User. If the system finds a match, the
user's information is automatically populated. The remaining settings in this section are only
available after you have successfully located an active directory user with the Check User
button.
Full Name Use Edit Attributes to allow any option that syncs a blank value from the directory to be
edited. Edit Attributes also enables you to populate matching user's information
automatically.
If a setting syncs an actual value from the directory, then that setting must be edited in the
directory itself. The change takes effect on the next directory sync. Complete any blank
option returned from the directory in Full Name and select Edit Attributes to save the
addition.
Display Name Enter the name that displays in the admin console.
Email Address Enter or edit the user's email address.
Email user name Enter or edit the user's email user name.
Domain (email) Select the email domain from the drop-down menu.
Phone Number Enter the user's phone number including plus sign, country code, and area code. If you
intend to use SMS to send notifications, the phone number is required.
Enrollment
Enrollment
Organization
Group
Select the organization group into which the user enrolls.
Allow the user to
enroll into
additional
Organization
Groups
Choose whether or not to allow the user to enroll into more than one organization group. If
you select Enabled, then complete the Additional Organization Groups.
User Role Select the role for the user you are adding from this drop-down menu.
Notification
Message Type Choose the type of message you may send to the user, Email,SMS, or None. Selecting SMS
requires a valid entry in the Phone Number text box.
Message Template Choose the template for email or SMS messages from this drop-down setting. Optionally,
select the Message Preview to preview the template and select the Configure Message
Templates link to create a template.
3. You may optionally select the Advanced tab and complete the following settings.
Chapter 4: User and Admin Accounts
44
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
Setting Description
Advanced Info Section
Email Password Enter the email password of the user you are adding.
Confirm Email
Password
Confirm the email password of the user you are adding.
Distinguished
Name
For directory users recognized by VMware AirWatch, this text box is pre-populated with the
distinguished name of the user. Distinguished Name is a string representing the user name and
all authorization codes associated with an Active Directory user.
Manager
Distinguished
Name
Enter the distinguished name of the user's manager. This text box is optional.
Category Choose the user category for the user being added.
Department Enter the user's department for your company's administrative purposes.
Employee ID Enter the user's employee ID for your company's administrative purposes.
Cost Center Enter the user's cost center for your company's administrative purposes.
Custom
Attribute 1–5
(for Directory
users only)
Enter your previously configured custom attributes, where applicable. You may define these
custom attributes by navigating to Groups &Settings > All Settings > Devices &Users >
Advanced > Custom Attributes.
Note: Custom attributes can be configured only at Customer organization groups.
Certificates Section
Use S/MIME Enable or disable the use of Secure/Multipurpose Internet Mail Extensions (S/MIME). If
enabled, you must have an S/MIME-enabled profile and you must upload an S/MIME certificate
by selecting Upload.
Separate
Encryption
Certificate
Enable or disable the use of a separate encryption certificate. If enabled, you must upload an
encryption certificate using Upload. Generally, the same S/MIME certificate is used for signing
and encryption, unless a different certificate is expressly being used.
Old Encryption
Certificate
Enable or disable a legacy version encryption certificate. If enabled, you must Upload an
encryption certificate.
Staging Section
Enable Device
Staging
Enable or disable the staging of devices.
If enabled, you must choose between Single User Devices and Multi User Devices.
If Single User Devices, you must select between Standard, where users themselves log in and
Advanced, where a device is enrolled on behalf of another user.
4. Select Save to save only the new user or select Save and Add Device to save the new user and proceed to the Add
Device page.
For more information about adding directory users to AirWatch, refer to the VMware AirWatch Directory Services
Guide, available on Accessing Other Documents on page 217.
Chapter 4: User and Admin Accounts
45
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyright © 2017 VMware, Inc. All rights reserved.
User Accounts List View Overview
The List View page, which you can find by navigating to Accounts > Users > List View, provides useful tools for common
user account maintenance and upkeep.
Customize List View
You can use the User Accounts List View to create customized lists of users immediately. You can also customize the
screen layout based on criteria that is most important to you. You can export this customized list for later analysis and
add new users individually or in bulk.
Action Description
Filters View only the desired users by using the following filters.
lSecurity Type lUser Group
lEnrollment Organization Group lUser Role
lEnrollment Status
Add lAdd User – Perform a one-off addition of a basic user account. Add an employee or a newly promoted
employee that needs access to MDM capabilities. For more information, see Add Users to User Groups on
page 83.
lBatch Import – Add multiple users into AirWatch by importing a comma-separated values (CSV) file. Enter
a unique name and description to group and organize multiple users at a time. For more information, see
Batch Import Users or Devices on page 47.
Layout Enables you to customize the column layout.
lSummary – View the List View with the default columns and view settings.
lCustom – Select only the columns in the List View you want to see. You can also apply selected columns
to all administrators at or below the current organization group.
Chapter 4: User and Admin Accounts
46
VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017
Copyr