VMware AirWatch Mobile Device Management Guide V9 1

User Manual: Pdf

Open the PDF directly: View PDF .
Page Count: 217 [warning: Documents this large are best viewed by clicking the View PDF Link!]

Chapter 1: Overview
- What's New
- Introduction to Mobile Device Management (MDM)
Chapter 2: Getting Started with AirWatch
- AirWatch Console Overview
- Getting Started Wizard
Chapter 3: Environment Setup
Chapter 4: User and Admin Accounts
Chapter 5: Role-Based Access
Chapter 6: Groups
Chapter 7: Device Enrollment
Chapter 8: Shared Devices
- Shared Devices Overview
- Define the Shared Device Hierarchy
Chapter 9: Device Assignments
Chapter 10: Profiles & Resources
Chapter 11: Compliance Policies
Chapter 12: Device Tags
Chapter 13: Managing Devices
Chapter 14: Certificate Management
Chapter 15: Custom Attributes
Chapter 16: Self-Service Portal
Accessing Other Documents

VMware AirWatch Mobile Device

Management Guide

Managing your organization's mobile devices

AirWatch v9.1

Have documentation feedback?Submit a Documentation Feedback support ticket using the Support Wizard on

support.air-watch.com.

international treaties. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their

respective companies.

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Table of Contents

Chapter 1: Overview 6

What's New 7

Introduction to Mobile Device Management (MDM) 8

Chapter 2: Getting Started with AirWatch 10

AirWatch Console Overview 11

Getting Started Wizard 17

Chapter 3: Environment Setup 19

Environment Setup Overview 20

APNs Certificates 20

Privacy and Data Collection 21

Console Branding 29

Restricted Console Actions 29

Other Enterprise Systems for Integration 32

Chapter 4: User and Admin Accounts 33

User and Admin Accounts Overview 34

User Authentication Types 34

Basic User Accounts 40

Directory-Based User Accounts 42

User Accounts List View Overview 46

Batch Import Feature 47

Admin Accounts 50

Chapter 5: Role-Based Access 53

Role-Based Access Overview 54

Default and Custom Roles 54

User Roles 56

Admin Roles 57

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Chapter 6: Groups 64

Assignment Groups Overview 65

Organization Groups Overview 67

Smart Groups Overview 71

User Groups Overview 76

Admin Groups Overview 83

View Assignments 86

Chapter 7: Device Enrollment 88

Device Enrollment Overview 89

Basic vs. Directory Services Enrollment 93

Bring Your Own Device (BYOD) Enrollment 96

Self-Enrollment vs Device Staging 99

Device Registration 103

Configure Enrollment Options 111

Blacklisting and Whitelisting Device Registration 115

Additional Enrollment Restrictions 116

AirWatch Autodiscovery Enrollment 120

Chapter 8: Shared Devices 122

Shared Devices Overview 123

Define the Shared Device Hierarchy 124

Chapter 9: Device Assignments 125

Device Assignments Overview 126

Enable Device Assignments 126

Define Device Assignment Rule or NetworkRange 127

Chapter 10: Profiles &Resources 129

Device Profiles Overview 130

Add General Profile Settings 130

Device Profiles List View 132

Device Profile Editing 136

Resources Overview 137

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

View Device Assignment 155

Compliance Profiles Overview 156

Geofences 157

Time Schedules 159

Chapter 11: Compliance Policies 161

Compliance Policies Overview 162

Compliance Policies List View 162

Compliance Policy Rules by Platform 165

Add a Compliance Policy 168

Chapter 12: Device Tags 172

Device Tags Overview 173

Filter Devices by Tag 173

Create a New Tag 173

Add Tags 174

Manage Tags 175

Chapter 13: Managing Devices 176

Managing Devices Overview 177

Device Dashboard 177

Device List View 178

Device Details 184

Device Actions by Platform 187

Enrollment Status 192

Wipe Protection 195

AirWatch Hub 197

Reports &Analytics 200

Chapter 14: Certificate Management 201

Certificate Management Overview 202

Digital Certificates List View 202

Certificate Integration Resources 203

Chapter 15: Custom Attributes 205

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Custom Attributes Overview 206

Create Custom Attributes 206

Custom Attributes Importing 207

Assign Organization Groups Using Custom Attributes 208

Chapter 16: Self-Service Portal 210

Self-Service Portal Overview 211

Configure the Default Login Page for the SSP 211

My Devices Page of the SSP 211

Remote Actions in the SSP 213

Self-Service Portal Actions Matrix 215

VMware Content Locker Options 216

Accessing Other Documents 217

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Chapter 1:

Overview

What's New 7

Introduction to Mobile Device Management (MDM) 8

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

What's New

The Mobile Device ManagementGuide has been updated with the latest features and functionality from the most recent

releaseAirWatch v9.1. This list includes new features and the sections and pages on which they appear.

lYou can now disable the captcha authentication safeguard mechanism at the login prompt. Be aware that disabling

captcha may weaken the overall security. For more information, see Security PIN on page 11.

lThe Self-Service Portal login page has been redesigned and the ability to customize the background image of the SSP

lFour admin console notifications have been added, which help you stay in touch with and react swiftly to changes in

your device fleet. For more information, see AirWatch Console Notifications on page 15 and Configure Notifications

Settings on page 16.

oApp Removal Protection – If apps you've identified as critical keep getting removed from your devices, you can

be notified when the number of these removals exceeds the threshold that you define.

oList View Export – Depending on the number of users and devices in your list, the exportation of the Device List

View and User List View to a comma-separated values file can take time to produce. This notification tells you

when it's complete and ready for examination.

oUser Group Merge Pending – If you have the Auto Merge Changes setting disabled on your User Group, then

you must supply admin approval each time database changes are initiated. This notification lets you know when

AirWatch is ready to begin the merge process.

oVPP App Auto Update – High priority alerts that notify you when an app installed with Apple Volume Purchase

Program has an updated version you can install.

lLicense information has been made more accurate by basing its status on the active/inactive flag instead of

expiration date. The license model is also now accurately reflected which can be user-based or device based. For

more information, see Admin Panel Dashboard on page 199.

Chapter 1: Overview

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Introduction to Mobile Device Management (MDM)

Mobile devices are valuable enterprise tools. They allow employees to have immediate access to your internal content

and resources. However, the diversity of mobile platforms, operating systems and versions can make managing a set of

devices difficult. VMware AirWatch® Mobile Device Management™ (MDM) solves this problem by enabling you to

configure, secure, monitor, and manage all types of mobile devices in the enterprise.

Benefits of Mobile Device Management

Mobile device management provides an elegant solution to security concerns and accessibility inherent to enterprise

mobility.

lManage large-scale deployments of mobile devices from a single console.

lEnroll devices in your enterprise environment quickly and easily.

lConfigure and update device settings over the air.

lEnforce security and compliance policies.

lSecure mobile access to corporate resources.

lRemotely lock and wipe managed devices.

You can tailor your MDM environment to gain immediate access to device locations, current users, and content. You can

also automate your MDM deployment to enforce security and compliance settings with rules and warnings that are

unique to each user or organization group. Finally, you can restrict or enable content and features based on the

geographic location of a device.

This guide outlines how to create, configure, and maintain your MDM deployment.

Supported Browsers

The AirWatch Console supports the latest stable builds of the following browsers:

lChrome

lFirefox

lSafari

lInternet Explorer 11

lMicrosoft Edge

Note: If you use IE to access the Console, navigate to Control Panel > Settings > Internet Options > Security and

ensure you have a security level or custom security level that includes the Font Download option being set to

Enabled.

If you are using a browser older than those listed above, upgrade your browser to the latest available version to get the

best performance from the AirWatch console. Comprehensive platform testing has been performed to ensure

functionality using these browsers. The AirWatch Console may experience minor issues if you choose to run it in a non-

certified browser.

Chapter 1: Overview

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Supported Platforms

AirWatch supports the following devices and operating systems.

lAndroid 4.0+ lTizen 2.3+

lApple iOS 7.0+ lWindows Desktop (8/8.1/RT/10)

lApple macOS 10.9+ lWindows 7 (Windows 7 or higher)

lChrome OS (latest) lWindows Phone (Windows Phone 8/ 8.1, Windows 10 Mobile)

lQNX 6.5+ lWindows Rugged (Mobile 5/6 and Windows CE 4/5/6)

Limited support may be available for other devices or operating systems. Refer to each platform-specific User Guide,

available on Accessing Other Documents on page 217, or contact AirWatch Support for more information.

Chapter 1: Overview

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Chapter 2:

Getting Started with AirWatch

AirWatch Console Overview 11

Getting Started Wizard 17

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

AirWatch Console Overview

The AirWatch Console allows you to view and manage every aspect of your Mobile Device Management (MDM)

deployment. With this single, web-based resource, you can quickly and easily add new devices and users to your fleet,

manage profiles, and configure system settings.

Acquaint yourself with security settings and interface features such as the Getting Started Wizard, menu icons, and global

search.

Security PIN

Establish security for the AirWatch Console by creating a security PIN. The PIN acts as a safeguard against accidentally

wiping a device or deleting important aspects of your environment, such as users and organization groups. The Security

PIN also works as a second layer of security. It presents an added point of authentication by blocking actions made by

unapproved users.

Establish Your Security PIN

When you first log in to the AirWatch Console, you are prompted to establish a Security PIN.

Enter and confirm your four-digit Security PIN on the Security Settings page and save this PIN for future use. You may not

bypass this page, or proceed to any area within the AirWatch Console, before creating this PIN.

If you enter the wrong password more than the maximum allowed login attempts, you are presented with a "Captcha"

authentication prompt, which you can customize. You can also disable the Captcha login prompt.

Reset Your Security PIN

Reset your security PIN every so often to minimize security risks.

1. Select the Account icon in the top-right corner of the AirWatch Console.

2. Select Manage Account Settings. The Account Settings page displays.

3. Select the Security tab and then reset your PIN by selecting the Reset button.

4. Log out of the console and complete the PIN creation prompt upon logging back in.

Chapter 2: Getting Started with AirWatch

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Header Menu

The Header Menu appears at the top of nearly every page of the AirWatch Console, enabling you to access to the

following functions and features.

lOrganization Group – Select the Organization Group (the tab labeled Global) to which you want to apply changes.

lAdd – Quickly create an admin, device, user, policy, content, profile, internal application, or public application.

lGlobal Search – ( ) Search all aspects of your deployment within the AirWatch Console, including devices, users,

content, applications, configuration settings, admins, pages, and more.

lNotifications – ( ) Stay informed about important console events with Notifications. The number badge on the

Notifications bell icon indicates the number of alerts that require your attention.

lSaved – ( ) Access your favorite and most-utilized pages within the AirWatch Console.

lHelp – ( ) Browse or search the available guides and console documentation.

lAccount – View your account information. Change the Account Role that you are assigned to within the current

environment. Customize settings for contact information, language, Notifications, view history of Logins, and

Security settings including PIN reset. You can also Log out of the AirWatch Console and return to the Login screen.

lRefresh – ( ) See updated stats and info without leaving the current view by refreshing the screen.

lAvailable Sections – ( ) Customize the view of the Hub Overview by selecting only the sections you want to see.

Available only on the Hub Overview.

lExport – ( ) Produces a full listing of profiles, apps, books, channels, or policies to a comma-separated values (CSV)

file that you can view and analyze with Excel.

lHome – ( ) Use this icon to assign any screen in the AirWatch Console as your home page. The next time you open

the AirWatch Console, your selected screen displays as your home page.

lSave – ( ) Add the current page to the Saved page list for quick access to your favorite console pages.

For more information, see the following topics.

Organization Groups Overview on page 67.

Role-Based Access Overview on page 54.

AirWatch Console Notifications on page 15.

AirWatch Console Overview on page 11.

AirWatch Hub on page 197.

Chapter 2: Getting Started with AirWatch

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Main Menu

The Main Menu allows you to navigate to all the features available to your role and Mobile Device Management (MDM)

deployment.

Ensure that all aspects of a basic successful deployment are established. Getting Started is organized to

reflect only those modules within an AirWatch Console deployment that you are interested in. Getting

Started produces an on-boarding experience that is more tailored to your actual configuration.

View and manage MDM information that drives decisions you must make and access a quick overview of

your device fleet. View information such as the most blacklisted apps that violate compliance. Track module

licenses with the Admin Panel Dashboard and monitor all devices that are currently out of compliance.

Select and run Industry Templates to streamline the onboarding process with industry-specific apps and

policies for your iOS devices.

Access an overview of common aspects of devices in your fleet, including compliance status, ownership

type breakdown, last seen, platform type, and enrollment type. Swap views according to your own

preferences including full Dashboard, list view, and detail view. Access additional tabs, including all current

profiles, enrollment status, Notification, Wipe Protection settings, compliance policies, certificates, product

provisioning, and printer management.

Survey and manage users and administrators involved with your MDM deployment. Access and manage

user groups, roles, batch status, and settings associated with your users. Also, access and manage admin

groups, roles, system activity, and settings associated with your administrators.

Access and manage the app catalog, book catalog, and Volume Purchase Program (VPP) orders. Also view

application analytics and logs with application settings, including app categories, smart groups, app groups,

featured apps, Geofencing, and profiles associated with apps.

Access detailed overview of content use including storage history trends, user and content status,

engagement, and user breakdown. Manage and upload content available to users and devices. Also, access

batch import status, content categories, content repositories, user storage, VMware Content Locker

homescreen configuration, and all other content-specific settings.

Access detailed overview of email information related to your deployment. Such information includes email

management status, managed devices, email policy violations, deployment type, and time last seen.

Access detailed overview of telecom-enabled devices including use history, plan use, and roaming data.

View and manage telecom use and track roaming, including call, Short Message Service (SMS), and content

settings.

Manage structures, types and statuses related to organization groups, smart groups, app groups, user

groups, and Admin Groups. Configure entire system settings or access settings related to all Main Menu

options.

Chapter 2: Getting Started with AirWatch

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Collapse and Expand the Submenu

You can collapse the submenu by selecting the arrow at the bottom of the console. This action creates more space for

device information. To expand or reopen the submenu, select the modified arrow.

Global Search

Using a modular design with a tabbed interface, Global Search runs searches across your entire deployment. Global

Search applies your search parameter to a single tab at a time, which produces faster results. Apply the same parameters

to another area of the AirWatch Console by selecting another tab.

After running a global search, select the following tabs to view the results.

lDevices – Returns matches to Device friendly name and Device Profile name searches.

lAccounts – Returns matches to user name and administrator name searches.

lApplications – Returns matches to internal, public, purchased, and Web application searches.

lContent – Returns matches to any content that appears on devices.

lSettings – Returns matches to individual field-level settings and console main page searches.

Chapter 2: Getting Started with AirWatch

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

You can also perform a search for an organization group by selecting the organization group drop-down menu. The

Search bar displays above the list.

AirWatch Console Notifications

Notifications are a communication tool designed to keep you informed about console events that may be impactful to

your operation. The Notifications button is located next to the Global Search button.

There are many different kinds of notifications.

lAPNs Expiration and APNs Expired – You are notified 30 days before APNs for MDM certificates expire, which is a

Critical Priority alert. After the APNs certificate expires, the Critical Priority alert is reduced to a High Priority alert. This

notification helps you avoid the hassles involved with expired certificates and keeps your devices in contact with

AirWatch.

lApp Removal Protection – This High Priority alert displays when the ApplicationRemoval threshold is crossed. You

can act by selecting the Review App Removal link on the Notifications pop-up.

lList View Export – This notification appears when the Device or User list view export you requested has been

completed and is ready for examination. This notification is an Info Priority level.

lUser Group Merge Pending – This notification lets you know that the user group merge process is pending and in

need of admin approval. Such notification happens in two scenarios:

oYou have the Auto Merge Changes setting disabled on your Directory-based User Group, which means all

changes need approval.

oYou have the Auto Merge Changes enabled and the number of changes exceed the Maximum Allowable Changes

threshold. The portion of changes above the threshold need admin approval.

lVPP App Auto Update – High priority alerts that notify you when an app installed with Apple Volume Purchase

Program has an updated version you can install.

For information about Device Lifecycle Notifications, see Configure Lifecycle Notifications on page 113.

Manage Console Notifications

When there are active notifications that require your attention, a numeral badge appears on the alert icon indicating the

number of active alerts. Display the Notifications pop-up by selecting the bell-shaped Notifications icon.

Chapter 2: Getting Started with AirWatch

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

You can manage the notifications you receive. This management includes viewing the list of active alerts, Renewing your

APNs, Dismissing expired alerts, viewing the list of dismissed alerts, and Configuring Notification Settings.

Each alert displays the organization group under which the APNs for an MDMcertificate is located. The alert also shows

the expiration date of the certificate and a link to Renew your APNs.

lView Active Alerts – The default view displays the list of active alerts.

lRenew your APNs – Displays the Change Organization Group (OG) screen. This screen appears when the OG that

manages the device with the impending license expiration is different than the OG you are currently in. Renew this

APNs license by selecting Yes to change your OG automatically.

Renew the license and keep the device in contact with AirWatch by following the instructions on the APNs For MDM

settings page.

lDismiss Alert – Close the expired alert and send it to the Dismissed alert listing by selecting the Xbutton. You cannot

close critical priority notifications.

lView Dismissed Alerts – View the listing of dismissed alerts by selecting the Dismissed tab at the top of the

Notifications pop-up.

Configure Notifications Settings

Use the Notifications settings page to enable or disable APNs Expiration alerts, choose how to receive alerts, and change

the email to which it sends alerts.

To configure notification settings, take the following steps.

1. Select the Account button, which is accessible from almost every page on the console, then select Manage Account

Settings and select the Notifications tab.

You can also access the notification settings page by selecting the gear icon located in the lower-right corner of the

Notifications pop up screen.

Chapter 2: Getting Started with AirWatch

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

2. Complete the notification settings.

Setting Description

APNs

Expiration

You can trigger an alert when APNs licenses expire or are in jeopardy of expiring.

Notification Select the notification delivery method. Choose from Console, Email, or Both.

Send email to Enter the email address for when Email or Both is selected in Notification. Separate multiple email

addresses with a comma.

List View

Export

You can trigger an alert when the exportation of a User List View or Device List View is complete.

Notification Select the notification delivery method. Choose from Console, Email, or Both. For List View

Exports, the email used is the address on record in the User tab of Account Settings for the

currently logged in administrator.

User Group

Merge

You can trigger an alert when the Active Directory database changes sync with AirWatch and you

have Auto Merge Changes disabled.

Notification Select the notification delivery method. Choose from Console, Email, or Both.

Send email to Enter the email address for when Email or Both is selected in Notification. Separate multiple email

addresses with a comma.

VPP App

Auto Update

You can trigger an alert when an app installed with Apple Volume Purchase Program has an

updated version you can install.

Notification Select the notification delivery method. Choose from Console, Email, or Both.

Send email to Enter the email address for when Email or Both is selected in Notification. Separate multiple email

addresses with a comma.

3. Save or Cancel your changes.

Getting Started Wizard

The Getting Started Wizard serves as a checklist that walks you through the AirWatch Console settings step by step. It

presents only those modules within your specific deployment which produces an on-boarding experience tailored to

your configuration.

The Getting Started page is split into four sections: Workspace ONE, Mobile Device Management, Mobile Content

Management, and Mobile Application Management. Each section has its own set of steps. Steps that are shared among

all sections are tracked automatically so you never have to complete the same step twice.

lWorkspace ONE – Manage, monitor, and support all desktops, BYOD, and corporate-owned devices in a single,

secure catalog of apps.

lMobile Device Management (MDM) – Establish the level of control you want to have over your devices, add users,

and enroll devices into the AirWatch system.

lMobile Content Management (MCM) – Identify and secure personal content, add users, and configure content

management specifications.

Chapter 2: Getting Started with AirWatch

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

lMobile Application Management (MAM) – Determine how users install suggested apps and identify and install

public apps to enrolled devices.

Navigate the Getting Started Wizard

The Getting Started Wizard is run in a way that is most convenient to you. It not only tracks how far along you are, it can

be started, paused, restarted later, and rewound to review prior responses.

lSelect Start Wizard to initiate the first step in a module. Here, you answer questions and access the exact pages

within the AirWatch Console to configure settings for each feature. As you answer each question, the percentage

counter progresses and displays how far along you are in completing the module.

lIf you stop a module before completing it, select Continue to return to where you left off.

lYou can opt out of any module by selecting Skip Section, which temporarily disables the Continue button and

inserts a Resume Section link. Enable the Continue button once more by selecting this link.

lYou can review your responses to any module at any time by selecting Review Section from each completed

module.

lAs each substep in the module is completed, a small check mark is placed in the header for that substep. The green

status bar at the top representing the whole module, progresses further.

lSelect the Back button at any time to return to the previous question or screen.

Enable the Getting Started Wizard

For a new AirWatch implementation, access the Getting Started page from the main menu, located above the Hub icon in

the left panel. However, you can manually enable the Getting Started Wizard at any time. Manually enabling the Getting

Started Wizard restarts the walk-through.

To enable the Getting Started Wizard manually

1. Select any Organization Group other than the top-level group.

2. Navigate to Groups &Settings > Groups > Organization Groups > Organization Group Details. Ensure that you are

currently at a customer-level organization group and Save your changes.

3. Navigate to Groups &Settings > All Settings > System > Getting Started.

4. Select Enable for each of the settings on this page:

a. Getting Started Device Status

b. Getting Started Content Status

c. Getting Started Application Status

5. Save changes to the page.

For more information, see Organization Groups Overview on page 67.

Chapter 2: Getting Started with AirWatch

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Chapter 3:

Environment Setup

Environment Setup Overview 20

APNs Certificates 20

Privacy and Data Collection 21

Console Branding 29

Restricted Console Actions 29

Other Enterprise Systems for Integration 32

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Environment Setup Overview

You can determine the environment URL and login credentials, generate certificates for managing platforms, configure

telecom, privacy settings, customize the console, and more.

Before you can log in to the AirWatch Console, you must have the Environment URL and log in credentials. How you

obtain this information depends on your type of deployment.

lSaaS Deployment – Your Account Manager provides your Environment URL and user name/password. The URL is

not customizable, and generally follows the format of awmdm.com.

lOn-premises – The on-premises URL is customizable and follows the format awmdm.<MyCompany>.com.

Your Account Manager provides the initial setup credentials for your environment. Administrators who create more

accounts to delegate management responsibility may also create and distribute credentials for their environment. See

Create an Admin Account for details.

Once your browser has successfully loaded the AirWatch Console Environment URL, you can log in using the user name

and Password provided by your AirWatch Administrator.

APNs Certificates

To manage iOS devices, you must first obtain an Apple Push Notification Service (APNs) certificate. An APNs certificate

allows AirWatch to communicate securely to Apple devices and report information back to AirWatch.

Per Apple's Enterprise Developer Program, an APNs certificate is valid for one year and then must be renewed.

TheAirWatch Console sends reminders through Notifications as the expiration date nears. Your current certificate is

revoked when you renew from the Apple Development Portal, which prevents device management until you upload the

new one. Plan to upload your certificate immediately after it is renewed. Consider using a different certificate for each

environment if you use separate production and test environments.

For more information, please see the Generating and Renewing an APNs Certificate for AirWatch

KBarticle:https://support.air-watch.com/articles/115001662728.

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

APNs Certificate Expiration

The Notifications button in the header bar of the Console alerts you when your APNs for MDM certificates are close to

expiring. This notice allows you to act.

For more information, see AirWatch Console Notifications on page 15.

Generate an APNs Certificate

You must generate and occasionally renew APNs Certificates to enable and maintain secure communications between

your iOS devices and AirWatch. To generate an APNs certificate, you must choose between two methods.

1. Follow the steps outlined in the Getting Started Wizard on page 17.

2. Generate APNs certificates manually by taking the following steps.

a. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs for MDM.

b. If the Valid To date has passed, select the Renew button and follow the on-screen instructions. There is an

instructions link that shows you how to use the Apple Push Certificates Portal to upload a certificate request.

Provided on this page is a convenient Go To Apple button that opens the Apple Push Certificates Portal in a new

tab of your browser. You need two items to continue.

i. AirWatch Certificate Request, which is a file in the PLIST format that you can save to your device.

ii. The Apple ID that you originally used to create the certificate.

c. Click Next to advance to the next page where you must enter your Apple ID and upload the Apple-issued

AirWatch MDMcertificate (PEM file).

d. Select Save.

Privacy and Data Collection

It is important that you inform your end users about how their data is collected and stored when they enroll into

AirWatch. The AirWatch Console allows you to create a customized privacy notification to inform users about what data

your company collects from enrolled devices.

Work with your legal department to determine what message about the collection of data you communicate to your end

users.

Privacy Notices for BYODEnd Users

A privacy notice informs your end users about what data you collect from their devices based on their device type,

deployment type, and ownership type.

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Privacy Notice Configuration

Privacy notices are automatically delivered based on the organization group and device ownership of the device

connecting. You may choose to display a privacy notice for each ownership type: Employee Owned,Corporate -

Dedicated,Corporate - Shared, and Unknown.

You must create a privacy notice before you assign ownership types to receive the notice. For more information, See

Create a Privacy Notice in the VMware AirWatch BYOD &Privacy Guide, available through AirWatch Resources.

Privacy Notice Deployment

When you assign an ownership type to receive privacy notices, all users in the selected ownership type receive the

privacy notification immediately as a Web clip. If you inserted the privacy notice lookup value

PrivacyNotificationUrl in your message template, then the message includes a URL where the user can read

the privacy notice.

Users receive the privacy notice automatically if:

lThey enroll a new device and they are of an ownership type for which the privacy notice is enabled.

lThey currently use an enrolled device and their ownership is changed post-enrollment to a type that is assigned the

Web clip.

To learn how to deploy a privacy notice as part of a device activation, see Register an Individual Device.

Create a Privacy Notice for BYODUsers

Inform your users about what data your company collects from their enrolled devices with a customized privacy

notification. Work with your legal department to determine what message about data collection you communicate to

your end users.

1. Navigate to Groups and Settings > All Settings > Devices and Users > General > Message Templates.

2. Select Add to create a template. If you have already created a privacy notification template, select it from the list of

available templates to use or edit it.

3. Complete the Add/Edit Message Template settings.

Setting Description

Name Enter a name for the notification template.

Description Enter a description of the template you are creating.

Category Select Enrollment.

Type Select MDM Device Activation.

Select

Language

Select the default language for your template. Use the Add button to add more default languages for

a multi-language delivery.

Default Select this check box to make this template the default message template.

Message

Type

Select one or more message types: Email,SMS, or Push message.

4. Create the notification content. The message types that you selected in the Message Type selection determine which

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

messages appear for you to configure.

Element Description

Content

Formatting

Choose whether your email notification is delivered as Plain Text or HTML.

Subject Enter the subject line for your email notification.

Message

Body

Compose the email message to send to your users. The editing and formatting tools that appear in

this text box depend on which format you chose in the Email Content Formatting selection.

If you have enabled the Visual Privacy Notice, include the lookup value

PrivacyNotificationUrl in the message body.

SMS

Message

Body

Compose the SMS message to send to your users.

If you have enabled the Visual Privacy Notice, include the lookup value

PrivacyNotificationUrl in your message body.

Push

Message

Body

Compose the Push notification to send to your users.

If you have enabled the Visual Privacy Notice, include the lookup value

PrivacyNotificationUrl in your message body.

5. Select Save.

Privacy Settings

Privacy settings enable you to define how device and user information are handled in the AirWatch Console. This

information is useful in Bring Your Own Device (BYOD) deployments.

lReview and adjust privacy policies according to device ownership, which lets you align with data privacy laws in other

countries or legally defined restrictions.

lEnsure that certain IT checks and balances are in place, preventing overload of servers and systems.

Important: Each jurisdiction has its own regulations governing what data can be collected from end users. Research

these regulations thoroughly before Configure Privacy Settings on page 23.

Configure Privacy Settings

End-user privacy is a major concern for you and your users. AirWatch provides granular control over what data is

collected from users and what collected data is viewable by admins.

Configure the privacy settings to serve both your users and your business needs.

1. Navigate to Devices > Device Settings > Devices & Users > General > Privacy.

2. Select the appropriate setting for GPS,Telecom,Applications,Profiles, and Network data collection.

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Collect and Display – User data is collected and displayed in the AirWatch Console.

Collect Do Not Display – User data is collected for use in reports but is not displayed it in the AirWatch

Console.

Do Not Collect – User data is not collected and therefore it is not displayed.

3. Select the appropriate setting for the Commands that can be performed on devices.

Allow – The command is made on devices without permission from the user.

Allow With User Permission – The command is made on devices but only with the permission of the user.

Prevent – The command does not run on devices.

Consider disabling all remote commands for employee-owned devices, especially full wipe. This disablement

prevents inadvertent deletion or wiping of an end user's personal content.

Note: If you disable the wipe function for select iOS ownership types, users do not see the "Erase all content and

settings" permission during enrollment.

If you are going to allow remote control, file manager, or registry manager access for Android/Windows Rugged

devices, consider using the Allow With User Permission option. This option requires the end user to consent to

admin access on their device through a message prompt before the action is performed. If you opt to allow use of

any commands, explicitly mention these commands in your terms of use agreement.

4. For User Information, select Display or Do Not Display in the Console for the First Name,Last Name,Phone

Number,Email Accounts, and user name data.

If an option other than user name is set to Do Not Display, that data displays as "Private" wherever it appears in the

AirWatch Console. Options you set to Do Not Display are not searchable in the console. When a user name is set to

Do Not Display, the user name displays as "Private" only on the Device List View and Device Details pages. All other

pages in the AirWatch Console show the user name of the enrolled user.

You can encrypt personally identifiable information, including first name, last name, email address, and telephone

number. Navigate to Groups &Settings > All Settings > System > Security > Data Security from the Global or

Customer-level organization group you want to configure encryption for. Enabling encryption, selecting which user

data to encrypt, and selecting Save encrypts user data. Doing so limits some features in the AirWatch Console, such

as search, sort, and filter.

5. Select whether to Enable or Disable the Do Not Disturb Mode on the device. This setting lets user devices ignore

MDM commands for a specified period. When Enabled, you can select a grace period or activation time in minutes,

hours, or days, after which the Do Not Disturb Mode expires.

For more information about using Do Not Disturb Mode, see the following VMware AirWatch Knowledge

Base article:https://support.air-watch.com/articles/115001662448.

6. Select to Enable or Disable the User-Friendly Privacy Notice on the device.

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

lWhen Enabled, you may choose Yes (display a privacy notice) or No (do not display a privacy notice) for each

ownership level: Employee Owned,Corporate - Dedicated,Corporate - Shared, and Unknown.

7. Click Save. You must enter your PIN to save the changes. Click Save.

For more information about applying a Bring Your Own Device solution, see the VMware AirWatch BYOD and Privacy

Guide, available on Accessing Other Documents on page 217.

Privacy Best Practices

Striking a balance between your business needs and the privacy concerns of your employees can be challenging. There

are a few simple practices that can manage Privacy Settings to strike the best balance.

Important: Every deployment is different. Tailor these settings and policies that fit your organization in the best way

by consulting with your own legal, human resource, and management teams.

User Information for Privacy Best Practices

In general, you display user information such as the first name, last name, phone number, and email address for both

employee-owned and corporate-owned devices.

Application Information for Privacy Best Practices

In general, it is appropriate to set the collection of application information to either do not collect or collect and do not

display for employee-owned devices. This setting is important because public apps installed on a device, if viewed, can be

considered personally identifiable information. For corporate-owned devices, AirWatch records all installed applications

on the device.

If Do Not Collect is selected, only personal application information is not collected. AirWatch collects all managed

applications, whether public, internal, or purchased.

Remote Commands for Privacy Best Practices

Consider disabling all remote commands for employee-owned devices. However, if you allow remote actions or

commands, explicitly mention these remote actions and commands in your terms of use agreement.

GPS Coordinates for Privacy Best Practices

In general, it is not appropriate to collect GPS data for employee-owned devices. The following notes apply to corporate-

owned devices.

lGPS Data – Information collected includes location data and a time-stamp indicating when this information was sent

to AirWatch.

oFor iOS devices, GPS data is reported automatically. GPSdata is reported by opening any AirWatch application or

internal application with an AirWatch Software Development Kit (SDK) set to capture GPS data.

When GPS data is reported, AirWatch defines a 1-kilometer region around this location. It then reports location

information whenever the device moves outside the region or whenever the user opens an AirWatch or internal

application. No new GPS data is reported unless one of these actions occurs.

oLocation Services must be enabled on the iOS device. AirWatch cannot force this setting.

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

lWhile GPS is typically used for lost or stolen devices, it is also used for any situation where knowing the location of a

device is useful.

Telecom Data for Privacy Best Practices

It is only appropriate to collect telecom data for employee-owned devices if they are a part of a stipend where cellphone

expenses are subsidized. In this case, or for corporate-owned devices, consider the following about data you can collect.

lCarrier/Country Code – Carrier and Country Code are recorded and can be used for telecom tracking purposes.

Telecom plans can be set up and devices can be assigned to the appropriate plan based on their carrier and country.

This information can also be used to track devices by home carrier and home country or by current country and

current carrier.

lRoaming Status – This status can be used to track which devices are in a 'Roaming' or 'Not Roaming' state.

Compliance policies can be set up to disable voice and data use while the device is roaming or you can also apply

other compliance actions. Also, if the device is assigned to a telecom plan, AirWatch can track data use while

roaming. Collecting and monitoring roaming status can be helpful in preventing large carrier charges due to roaming.

lCellular Data Use – The data use in terms of total bytes sent and received. This data can be collected for each cellular

device. If the device is assigned to a telecom plan, you can monitor data use based on a percentage of total data

amount per billing cycle. This feature allows you to create compliance policies based on the percentage of data used

and is helpful in preventing large carrier overage charges.

lCell Use – The voice minutes that can be collected for each cellular device. Similar to data, if the device is assigned to

a telecom plan, you can monitor use based on a percentage of minutes per billing cycle. This method allows you to

create compliance policies based on the percentage of minutes used and can be helpful in preventing large carrier

overage charges.

lSMS Use – The short message service (SMS) data that can be collected for each cellular device. Similar to data, if the

device is assigned to a telecom plan, you can monitor SMS use based on a percentage of messages per billing cycle.

This method allows you to create compliance policies based on the percentage of messages used. Monitoring SMS

use is helpful in preventing large carrier overage charges.

Ensure that all users with managed devices agree to the policy by defining and enforce terms of use (TOU). If necessary,

users must accept the TOU before proceeding with enrollment, installing apps, or accessing the AirWatch Console. The

AirWatch Console allows you to customize fully and assign a unique TOU to each organization group and child

organization group.

The terms of use displays during each device enrollment. Get access the following functions.

lSet version numbers.

lSet platforms to receive the terms of use.

lNotify users by email with the terms of use updates.

lCreate language-specific copies of the terms of use.

lCreate multiple terms of use agreements and assign them to organization groups based on platform or the type of

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

ownership.

lMeet the liability requirements of specific groups by customizing terms of use.

Create Enrollment Terms of Use

You can create an agreement about terms of use (TOU) specific to enrollment purposes. You can also limit devices

allowed for enrollment by device platform, ownership type, and enrollment type.

1. Ensure that your current active organization group is correct for the TOU you are creating.

2. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and select the Terms of Use tab.

3. Select Add New Enrollment Terms of Use.

4. Enter a unique Name of the new TOU. The Type of TOU is pre-populated as Enrollment.

5. Choose Any for the settings Platforms,Device Ownership, and Enrollment Type if your TOU applies to any kind of

device for that category.

6. If you prefer to specify a device type, you can select one or more of these categories and define the limitations

specific to your TOU.

lIf you select Selected Platform option, then choose your desired platforms from the list that appears. Your TOU

applies to the device platforms you select, excluding all others.

lIf you select Selected Ownership Types option, then you must choose your desired ownership from the list that

appears. Your TOU applies to the ownership types you select, excluding all others.

lIf you select Selected Enrollment Types option, then you must choose your desired enrollment from the list that

appears. Your TOU applies to the types of enrollment you select, excluding all others.

7. Send an email to users whenever the TOU is updated by selecting the Notification check box.

a. Optionally, for localization purposes, you may enter a TOU agreement for each language applicable to your

needs by making a choice in the Select Language drop-down.

8. In the text box provided, enter your customized TOU.

The editor provides a basic text entry tool to create a TOU or paste in an existing TOU. To paste text from an external

source, right-click the text box and choose Paste as plain text to prevent any HTML or formatting errors.

9. Select Save.

You can enforce MDM terms of use acceptance by creating a compliance policy for MDM Terms of Use Acceptance. This

enforcement does not apply to devices using AirWatch Container.

Create Application or Console Terms of Use

You can also create application-based terms of use (TOU) to notify end users when a specific application collects data or

when it imposes restrictions.

When users run these applications from your enterprise app catalog, they must accept the agreement to access the

application. You can set TOU for app versions, make language-specific TOU, and remove apps if the TOU is not accepted.

Console TOU display when an administrator logs in to the AirWatch Console for the first time. For the AirWatch Console,

you can set TOU version numbers and create language-specific copies of the TOU.

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

For Applications, assign the TOU when adding or editing an application using the Terms of Use tab.

1. Navigate to Groups &Settings > All Settings > System > Terms of Use.

2. Select Add Terms of Use.

3. Enter a Name for the terms of use and select the Type, which can be Console or Application.

4. Configure settings such as a Version number and a Grace Period, depending on the Type you selected.

5. Enter your TOU in the text box provided. The editor provides a basic text entry tool to create a TOU or paste in an

existing TOU. If you are pasting text from an external source, right-click the text box and choose Paste as plain text

to prevent any HTML or formatting errors.

6. Select Save.

View Terms of Use Acceptance

While compliance policies can be configured to help enforce terms of use acceptance, you can also see who has and who

has not accepted the agreement. Then, if necessary, you can contact those individuals directly.

1. Navigate to Groups & Settings > All Settings > System > Terms of Use.

2. Use the Type drop-down menu to filter based on the agreement type, for example, Enrollment. The Users / Devices

column displays devices that have accepted/not accepted/been assigned the terms of use.

3. Select the appropriate number in the Devices column for the terms of use row to see device information pertaining

to that agreement. Optionally, access the drop-down menu for the row and select one of the following.

lView Devices or Users – Display a complete list of devices and their acceptance statuses. You can filter by

organization group.

lView Previous Versions – View previous iterations of the agreement.

lView Terms of Use – View the terms of use agreement.

Track Terms of Use Acceptance With Reports

You can track user acceptance for terms of use, enabling you to take possible action.

View details regarding specific organization groups, console acceptances, and device enrollment acceptances. View the

acceptances directly in the AirWatch Console or export the report in either PDF, CSV, or Excel formats.

1. Navigate to Hub > Reports & Analytics > Reports > List View.

2. Search for and generate the Terms of Use Acceptance Detail report by selecting the report title.

3. Select the OrganizationGroups.

4. Select the Terms of Use Type.

5. Select the Report Format.

6. Select Download to save the report in the selected format.

7. You can also Preview as PDF.

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Important: AirWatch does not provide legally binding sample text and any text examples provided must be reviewed

by your own company or legal team.

Console Branding

The AirWatch Console allows extensive customization options. These options allow you to brand aspects of your

AirWatch tools and resources according to the color scheme, logo, and overall aesthetic of your organization.

Branding can be configured in support of multi-tenancy, so different divisions of your enterprise can have their unique

look and feel at their organization group level.

For more information, see Organization Groups Overview on page 67.

Configure Console Branding

You can align with the color scheme, logo, and overall aesthetic of your organization by customizing the console.

1. Select the organization group you want to brand and then navigate to Groups & Settings > All Settings > System >

Branding.

2. Configure the settings on the Branding tab:

lUpload a Company Logo by uploading a file saved on your computer. The suggested resolution of the uploaded

image is 800x300.

lUpload a background for the login page by uploading a file saved on your computer. The suggested resolution of

the uploaded image is 1024x768.

lUpload a background for the Self-Service Portal login page by uploading a file saved on your computer. The

suggested resolution of the uploaded image is 1024x768.

3. Configure customizations to the Colors section in the Branding tab.

4. Configure the settings on the Custom CSS tab.

lEnter customized CSS code for advanced branding.

5. Select Save.

Restricted Console Actions

In a scenario where the AirWatch Console is left unattended, AirWatch provides an extra safeguard against malicious

actions that are potentially destructive. You can place those actions out of reach of unauthorized users. Navigate to

Groups &Settings > AllSettings > System > Security > Restricted Actions.

Enable Send Message to All

Enable this setting to allow a system administrator to send a message to all devices in your deployment from the Device

List View.

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

For more information, see Device List View on page 178.

Select Password Protect Actions

Restricted Console Actions provides an added layer of protection against malicious actions that are potentially

destructive. Configure settings for restricted actions by navigating to Groups & Settings > All Settings > System >

Security > Restricted Actions.

You can require that certain actions require admins to enter a PIN. For each action you choose to protect, select the

appropriate Password Protect Actions button for Enabled or Disabled as appropriate. This provides you with granular

control over which actions you want to make more secure.

Note: Some actions always require a PIN and thus cannot be disabled. Denoted by * below.

You can set the maximum number of failed attempts the system accepts before automatically logging out the session. If

you reach the set number of attempts, you need to re-login into the AirWatch Console and set a new security PIN.

Setting Description

Admin Account Delete Prevents the deletion of an admin user account in Accounts > Administrators > List View.

*Regenerate VMware

Enterprise Systems

ConnectorCertificate

Prevents the regeneration of the VMware Enterprise Systems Connectorcertificate in

Groups &Settings >All Settings >System >Enterprise Integration >VMware Enterprise

Systems Connector.

*APNs Certificate

Change

Prevents the disabling of APNs for MDM in Groups & Settings > All Settings > Devices &

Users > Apple > APNs For MDM.

Application

Delete/Deactivate/Retire

Prevents the deletion, deactivation, or retirement of an application in Apps & Books >

Applications > List View.

Content

Delete/Deactivate

Prevents the deletion or deactivation of a content file in Content > List View.

*Data Encryption Toggle Prevents the Encryption of user information setting in Groups & Settings > All Settings >

System > Security > Data Security.

Device Delete Prevents the deletion of a device in Devices > List View. Admin security PIN is still required

for bulk actions even when this setting is disabled.

*Device Wipe Prevents any attempt to perform a device wipe from the Device List View or Device Details

screens.

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Setting Description

Enterprise Reset Prevents any attempt to perform an enterprise reset on a device from the Devices Details

page of a Windows Rugged, Rugged Android, or QNX device.

Enterprise Wipe Prevents any attempt to perform an enterprise wipe on a device from the Devices Details

page of a device.

Enterprise Wipe (Based

on User Group

Membership Toggle)

Prevents any attempt to perform an enterprise wipe on a device when it is removed from a

user group. This is an optional setting that you can configure under Groups & Settings > All

Settings > Devices &Users > General > Enrollment on the Restrictions tab. If you Restrict

Enrollment to Configured Groups on this tab, you then have the added option of

performing an enterprise wipe a device when it is removed from a group. For more

information, see the Configure Enrollment Restriction Settings on page 116.

*Organization Group

Delete

Prevents any attempt to delete the current organization group from Groups & Settings >

Groups > Organization Groups > Organization Group Details.

Profile

Delete/Deactivate

Prevents any attempt to delete or deactivate a profile from Devices > Profiles & Resources

> Profiles.

Provisioning Product

Delete

Prevents any attempt to delete a provisioning product from Devices > Staging

&Provisioning > Products List View.

Revoke Certificate Prevents any attempt to revoke a certificate from Devices > Certificates > List View.

*Secure Channel

Certificate Clear

Protects from any attempt to clear an existing secure channel certificate from Groups &

Settings > All Settings > System > Advanced > Secure Channel Certificate.

User Account Delete Prevents any attempt to delete a user account from Accounts > Users > List View.

Delete Telecom Plan Prevents the deletion of a telecom plan in Telecom > PlanList.

Override Job Log Level Prevents attempts to override the currently-selected job log level from Groups &Settings >

Admin > Diagnostics > Logging. Overriding the Job Log Level is useful when a device or

group of devices is having an issue. In this case, the admin can override those device

settings by forcing an elevated log level to Verbose, which logs the maximum level of

console activity, making it ideal for troubleshooting.

*App Scan Vendor

Reset/Toggle

Prevents the resetting (and subsequent wiping) of your app scan integration settings. This

action is performed in Groups &Settings > All Settings > Apps > App Scan.

Maximum invalid PIN

attempts

Defines the maximum number of invalid attempts at entering a PIN before the console locks

down. This setting must be between 1 and 5.

Configure Required Notes for Action

You can also require admins to enter notes using the Require Notes check box and explain their reasoning when

performing these actions. Navigate to Groups &Settings > AllSettings > System > Security > Restricted Actions.

Setting Description

Lock Device Require a note for any attempt to lock a device from the Device List View or Device Details pages.

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Setting Description

Lock SSO Require a note for any attempt to lock an SSOsession from the Device List View or Device Details

screens.

Device Wipe Require a note for any attempt to perform a device wipe from the Device List View or Device Details

screens.

Enterprise

Reset

Require a note for any attempt to enterprise reset a device from the Devices Details page of a

Windows Rugged or Rugged Android device.

Enterprise Wipe Require a note for any attempt to perform an enterprise wipe from the Devices Details page of a

device.

Override Job

Log Level

Require a note prior to attempts to override the default job log level from Groups &Settings >

Admin > Diagnostics > Logging.

Other Enterprise Systems for Integration

Take advantage of advanced MDM functionality by integrating your AirWatch environment with existing enterprise

infrastructures including email management with SMTP, directory services, and content management repositories.

AirWatch can integrate with the following internal components.

lEmail Relay (SMTP) – Provide security, visibility, and control for mobile email.

lDirectory Services (LDAP/AD) – Take advantage of existing corporate groups to manage users and devices.

lMicrosoft Certificate Services – Use existing Microsoft certificate infrastructure for an AirWatch deployment.

lSimple Certificate Enrollment Protocol (SCEP PKI) – Configure certificates for Wi-Fi, VPN, Microsoft EAS and more.

lEmail Management Exchange 2010 (PowerShell) – Securely connect AirWatch to enforce policies with corporate

email servers.

lBlackBerry Enterprise Server (BES) – Integrate with BES for streamlined BlackBerry management.

lThird-party Certificate Services – Import certificate management systems to be managed within the Console.

lLotus Domino Web Service (HTTPS) – Access Lotus Domino content and features through your AW deployment.

lContent Repositories – Integrate with SharePoint, Google Drive, SkyDrive, file servers, and network shares.

lSyslog (Event log data) – Export event log data to be viewed across all integrated servers and systems.

lCorporate Networks – Configure Wi-Fi and VPN settings, provision device profiles with user credentials for access.

lSystem Information and Event Management (SIEM) – Record and compile device and console data to ensure

security and compliance with regulations and corporate policies.

For more information on how to integrate AirWatch with these infrastructures, seeVMware Enterprise Systems

Connector Guide, available at https://www.vmware.com/support/pubs/workspaceone-pubs.html. See also VMware

Tunnel Admin Guide and the 'Syslog' section of the Reports & Analytics Guide, available on Accessing Other Documents

on page 217.

Chapter 3: Environment Setup

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Chapter 4:

User and Admin Accounts

User and Admin Accounts Overview 34

User Authentication Types 34

Basic User Accounts 40

Directory-Based User Accounts 42

User Accounts List View Overview 46

Batch Import Feature 47

Admin Accounts 50

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

User and Admin Accounts Overview

You must create and integrate user accounts for devices to enroll into AirWatch. Likewise, Administrator accounts must

be created and assigned so Admins can easily manage users and devices.

The AirWatch Console allows you to establish a complete user and admin infrastructure. It provides configuration

options for authentication, enterprise integration, and ongoing maintenance.

User Authentication Types

Before any devices can be enrolled, each device user must have an authentic user account recognized by AirWatch. The

type of user authentication you choose depends upon the needs of your organization.

Basic User Authentication

You can use Basic Authentication to identify users in the AirWatch architecture but this method offers no integration to

existing corporate user accounts.

Pros

lCan be used for any deployment method.

lRequires no technical integration.

lRequires no enterprise infrastructure.

Cons

lCredentials only exist in AirWatch and do not necessarily match existing corporate credentials.

lOffers no federated security or single sign-on.

lAirWatch stores all user name and passwords.

1. Console user logs in to AirWatch SaaS using local AirWatch account for authentication (Basic Authentication)

lCredentials are encrypted during transport

l(for example, user name:jdoe@air-watch.com, password: abcd)

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

2. Device user enrolls device using local AirWatch account (Basic Authentication)credentials

lCredentials are encrypted during transport

l(for example, user name:jdoe2, password 2557)

Active Directory / LDAP Authentication

Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) authentication is used to integrate user and admin

accounts of AirWatch with existing corporate accounts.

Pros

lEnd users now authenticate with existing corporate credentials.

lSecure method of integrating with LDAP / AD.

lStandard integration practice.

Cons

lRequires an AD or other LDAP server.

1. Device connects to AirWatch MDMto enroll device. User enters their directory services user name and password.

lUser name and password are encrypted during transport.

lAirWatch does not store the user's directory services password.

2. AirWatch queries the client's directory services through a secureLDAP protocol over the Internet using a service

account for authentication.

3. The user's credentials are validated against the corporate directory service.

4. If the user credentials are valid, the AirWatch server allows the device to complete a device enrollment.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Active Directory / LDAP Authentication with VMware Enterprise Systems Connector

The Active Directory / LDAP authentication with VMware Enterprise Systems Connector provides the same functionality

as traditional AD/LDAP authentication. This model functions across the cloud for Software as a Service (SaaS)

deployments.

Pros

lEnd users authenticate with existing corporate credentials.

lRequires no firewall changes, as communication is initiated from the VMware Enterprise Systems Connector within

your network.

lTransmission of credentials is encrypted and secure.

lOffers secure configuration to other infrastructure such as BES, Microsoft ADCS, SCEP, and SMTP servers.

Cons

lRequires VMware Enterprise Systems Connector to be installed behind the firewall or in a DMZ.

lRequires extra configuration.

SaaS Deployment model

On-premises Deployment model

For information about how to integrate your AirWatch environment with these infrastructures, seeVMware Enterprise

Systems Connector Guide, available at https://www.vmware.com/support/pubs/workspaceone-pubs.html.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Authentication Proxy

The authentication proxy delivers directory services integration across the cloud or across hardened internal networks. In

this model, the AirWatch MDM server communicates with a publicly facing Web server or an Exchange ActiveSync Server.

This arrangement authenticates users against the domain controller.

Pros

lOffers a secure method to proxy integration with AD/LDAP across the cloud.

lEnd users can authenticate with existing corporate credentials.

lLightweight module that requires minimal configuration.

Cons

lRequires a public facing Web server or an Exchange ActiveSync server which ties into an AD/LDAP server.

lOnly feasible for specific architecture layouts.

lMuch less robust solution than VMware Enterprise Systems Connector.

1. Device connects to AirWatch to enroll device. User enters their directory services user name and password.

lUser name and password are encrypted during transport.

lAirWatch does not store the user's directory services password.

2. AirWatch relays the user name and password to a configured Authentication Proxy endpoint that requires

authentication (for example, Basic Authentication).

3. The user's credentials are validated against the corporate directory services.

4. If the user credentials are valid, the AirWatch server allows the device to complete a device enrollment.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

SAML 2.0 Authentication

The Security Assertion Markup Language (SAML) 2.0 Authentication offers single sign-on support and federated

authentication. AirWatch never receives any corporate credentials. If an organization has a SAML Identity Provider

server, use SAML 2.0 integration.

Pros

lOffers single sign-on capabilities.

lAuthentication with existing corporate credentials.

lAirWatch never receives corporate credentials in plain-text.

Cons

lRequires corporate SAML Identity Provider infrastructure.

1. Device connects to AirWatch for enrollment. AirWatch server redirects the device to the client specified identity

provider.

2. Device securely connects through HTTPS to client provided identity provider and user enters credentials.

lCredentials are encrypted during transport directly between the device and SAML endpoint.

3. Credentials are validated against directory services.

4. The identity provider returns a signed SAML response with the authenticated user name.

5. The device responds back to the AirWatch server and presents the signed SAML message. The user is authenticated.

For more information, see the VMware AirWatch SAML Integration Guide, on Accessing Other Documents on page 217.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Token-Based Authentication

The Token-based authentication offers the easiest way for a user to enroll their device. With this enrollment setting,

AirWatch generates a token, which is placed within the enrollment URL.

For single-token authentication, the user accesses the link from the device to complete an enrollment and the AirWatch

server references the token provided to the user.

For added security, set an expiration time (in hours) for each token. Setting an expiration minimizes the potential for

another user to gain access to any information and features available to that device.

You may also decide to implement two factor authentication to take end-user identity verification a step further. With

this authentication setting, the user must enter their user name and password upon accessing the enrollment link with

the provided token.

Pros

lMinimal work for an end user to enroll and authenticate their device.

lSecure token use by setting expiration.

lUser does not need credentials for single-token authentication.

Cons

lRequires either Simple Mail Transfer Protocol (SMTP) or Short Message Service (SMS) integration to send tokens to

device.

1. Administrator authorizes user device registration.

2. Single use token generated and sent to user from AirWatch.

3. User receives a token and navigates to enrollment URL. User is prompted for token and optionally two-factor

authentication.

4. Device enrollment process.

5. AirWatch marks token as expired.

Note: SMTP is included with SaaS deployments.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Enable Security Types for Enrollment

Once AirWatch is integrated with a selected user security type and before enrollment, enable each authentication mode

you plan to allow.

Navigate to Devices > Device Settings > Devices & Users > General > Enrollment in the Authentication tab and select

the appropriate check boxes for the Authentication Mode setting.

Basic User Accounts

Create basic user accounts in AirWatch for your end users if you are not integrating with a directory service. Basic user

accounts are also useful for testing purposes: they can be created quickly and disposed of afterward. For more

information, see Basic vs. Directory Services Enrollment on page 93.

Pros

lCan be used for any deployment method.

lRequires no technical integration.

lRequires no enterprise infrastructure.

Cons

lCredentials only exist in AirWatch and do not necessarily match existing corporate credentials.

lOffers no federated security.

lSingle sign on not supported.

lAirWatch stores all usernames and passwords.

Create Basic User Accounts

You can create basic user accounts for each user to authenticate and log in to the AirWatch system. You can then send

basic users a notification with instructions on activating their account including a password reset link that expires in 24

hours. For more information, see Create Basic User Accounts on page 40.

Create Basic User Accounts

You can create basic user accounts which each user requires to authenticate and log in to the AirWatch system. This topic

details creating user accounts one at a time.

1. Navigate to Accounts > Users > List View, select Add then Add User. The Add / Edit User page displays.

2. In the General tab, complete the following settings to add a basic user.

Setting Description

Security Type Choose Basic to add a basic user.

User name Enter a user name with which the new user is identified.

Password Enter a password that the user can use to log in.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Setting Description

Confirm

Password

Confirm the password.

Full Name Complete the First Name,Middle Name, and Last Name of the user.

Display Name Represent the user in the AirWatch Console by entering a name.

Email Address Enter or edit the user's email address.

Email user name Enter or edit the user's email user name.

Domain Select the email domain from the drop-down setting.

Phone Number Enter the user's phone number including plus sign, country code, and area code. This option is

required if you intend to use SMS to send notifications.

Enrollment

Organization

Group

Choose the organization group the user enrolls in.

Allow the user to

enroll into

additional

Organization

Groups

You can allow the user to enroll into more than one organization group. If you select Enabled,

then complete the Additional Organization Groups drop-down setting.

User Role Select the role for the user you are adding from this drop-down setting.

Notification

Message Type Choose the type of message you may send to the user, Email,SMS, or None. Selecting SMS

requires a valid entry in the Phone Number option.

Message

Template

The basic user activates their account with this notification. For security reasons, this

notification does not include the user's password. Instead, a password reset link is included in

the notification. The basic user selects this link to define another password. This password

reset link expires in 24 hours automatically.

Choose the template for email or SMS messages by selecting one from this drop-down setting.

Optionally, select Message Preview to preview the template and select the Configure Message

Template to create a template.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

3. You may optionally select the Advanced tab and complete the following settings.

Setting Description

Advanced Info Section

Password

Enter the email password of the user you are adding.

Confirm

Password

Confirm the email password of the user you are adding.

User

Principal

Name

Enter the principal name of the basic user. This setting is optional.

Category Choose the User Category for the user being added.

Department Enter the user's department for administrative purposes.

Employee

Enter the user's employee ID for administrative purposes.

Cost Center Enter the user's cost center for administrative purposes.

Certificates Section

Use

S/MIME

Enable or Disable Secure Multipurpose Internet Mail Extensions (S/MIME).

If enabled, you must have an S/MIME-enabled profile and you must upload an S/MIME certificate by

selecting Upload.

Separate

Encryption

Certificate

Enable or Disable encryption certificate.

If enabled, you must upload an encryption certificate using Upload. Generally, the same S/MIME

certificate is used for signing and encryption, unless a different certificate is expressly being used.

Old

Encryption

Certificate

Enable or disable a legacy version encryption certificate.

If enabled, you must Upload an encryption certificate.

Staging Section

Enable

Device

Staging

Enable or disable the staging of devices.

If enabled, you must choose between Single User Devices and Multi User Devices. If Single User

Devices, you must select between Standard, where users themselves log in and Advanced, where a

device is enrolled on behalf of another user. See Self-Enrollment vs Device Staging on page 99 for

more information.

4. Select Save to save only the new user or select Save and Add Device to save the new user and proceed to the Add

Device page.

Directory-Based User Accounts

Integrating with an existing directory service enables you to pull in users automatically. It eliminates the need of having

to add users manually to the AirWatch Console. For more information, see Basic vs. Directory Services Enrollment on

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

page 93.

Every directory user you want to manage through AirWatch Mobile Device Management (MDM) must have a

corresponding user account in the AirWatch Console.

You can directly add your existing directory services users to AirWatch using one of the following methods.

lBatch upload a file containing all your directory services users. The act of batch importing automatically creates a

user account.

lCreate an AirWatch user accounts one at a time by entering the directory user name and selecting Check User to

auto-populate remaining details.

lDo not import in bulk nor manually create user accounts and instead allow all directory users to self-enroll at

enrollment time.

Pros

lEnd users authenticate with existing corporate credentials.

lCan automatically detect and sync changes from the directory system into AirWatch.

lSecure method of integrating with your existing directory service.

lStandard integration practice.

lSaaS deployments using the VMware Enterprise Systems Connector require no firewall changes and offers a secure

configuration to other infrastructures, such as Microsoft ADCS, SCEP, and SMTP servers.

Cons

lRequires an existing directory service infrastructure.

lSaaS deployments require additional configuration due to the VMware Enterprise Systems Connector being installed

behind the firewall or in a DMZ.

Create a Directory-Based User Account

You must create accounts for each user in the AirWatch system and directory users authenticate using your existing

corporate credentials. For more information, see Create a Directory-Based User Account on page 43.

Create a Directory-Based User Account

You must create accounts for each user in the AirWatch system and directory users authenticate using your existing

corporate credentials. This topic details creating user accounts one at a time.

1. Navigate to Accounts > Users > List View and select Add and then Add User. The Add / Edit User page displays.

2. In the General tab, complete the following settings to add a directory user.

Setting Description

Security Type Add an Active Directory user by choosing Directory as the Security Type.

Directory Name This pre-populated setting identifies the Active Directory name.

Domain Choose the domain name from the drop-down menu.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Setting Description

User name Enter the user's directory user name and select Check User. If the system finds a match, the

user's information is automatically populated. The remaining settings in this section are only

available after you have successfully located an active directory user with the Check User

button.

Full Name Use Edit Attributes to allow any option that syncs a blank value from the directory to be

edited. Edit Attributes also enables you to populate matching user's information

automatically.

If a setting syncs an actual value from the directory, then that setting must be edited in the

directory itself. The change takes effect on the next directory sync. Complete any blank

option returned from the directory in Full Name and select Edit Attributes to save the

addition.

Display Name Enter the name that displays in the admin console.

Email Address Enter or edit the user's email address.

Email user name Enter or edit the user's email user name.

Domain (email) Select the email domain from the drop-down menu.

Phone Number Enter the user's phone number including plus sign, country code, and area code. If you

intend to use SMS to send notifications, the phone number is required.

Enrollment

Organization

Group

Select the organization group into which the user enrolls.

Allow the user to

enroll into

additional

Organization

Groups

Choose whether or not to allow the user to enroll into more than one organization group. If

you select Enabled, then complete the Additional Organization Groups.

User Role Select the role for the user you are adding from this drop-down menu.

Notification

Message Type Choose the type of message you may send to the user, Email,SMS, or None. Selecting SMS

requires a valid entry in the Phone Number text box.

Message Template Choose the template for email or SMS messages from this drop-down setting. Optionally,

select the Message Preview to preview the template and select the Configure Message

Templates link to create a template.

3. You may optionally select the Advanced tab and complete the following settings.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Setting Description

Advanced Info Section

Email Password Enter the email password of the user you are adding.

Confirm Email

Password

Confirm the email password of the user you are adding.

Distinguished

Name

For directory users recognized by VMware AirWatch, this text box is pre-populated with the

distinguished name of the user. Distinguished Name is a string representing the user name and

all authorization codes associated with an Active Directory user.

Manager

Distinguished

Name

Enter the distinguished name of the user's manager. This text box is optional.

Category Choose the user category for the user being added.

Department Enter the user's department for your company's administrative purposes.

Employee ID Enter the user's employee ID for your company's administrative purposes.

Cost Center Enter the user's cost center for your company's administrative purposes.

Custom

Attribute 1–5

(for Directory

users only)

Enter your previously configured custom attributes, where applicable. You may define these

custom attributes by navigating to Groups &Settings > All Settings > Devices &Users >

Advanced > Custom Attributes.

Note: Custom attributes can be configured only at Customer organization groups.

Certificates Section

Use S/MIME Enable or disable the use of Secure/Multipurpose Internet Mail Extensions (S/MIME). If

enabled, you must have an S/MIME-enabled profile and you must upload an S/MIME certificate

by selecting Upload.

Separate

Encryption

Certificate

Enable or disable the use of a separate encryption certificate. If enabled, you must upload an

encryption certificate using Upload. Generally, the same S/MIME certificate is used for signing

and encryption, unless a different certificate is expressly being used.

Old Encryption

Certificate

Enable or disable a legacy version encryption certificate. If enabled, you must Upload an

encryption certificate.

Staging Section

Enable Device

Staging

Enable or disable the staging of devices.

If enabled, you must choose between Single User Devices and Multi User Devices.

If Single User Devices, you must select between Standard, where users themselves log in and

Advanced, where a device is enrolled on behalf of another user.

4. Select Save to save only the new user or select Save and Add Device to save the new user and proceed to the Add

Device page.

For more information about adding directory users to AirWatch, refer to the VMware AirWatch Directory Services

Guide, available on Accessing Other Documents on page 217.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

User Accounts List View Overview

The List View page, which you can find by navigating to Accounts > Users > List View, provides useful tools for common

user account maintenance and upkeep.

Customize List View

You can use the User Accounts List View to create customized lists of users immediately. You can also customize the

screen layout based on criteria that is most important to you. You can export this customized list for later analysis and

add new users individually or in bulk.

Action Description

Filters View only the desired users by using the following filters.

lSecurity Type lUser Group

lEnrollment Organization Group lUser Role

lEnrollment Status

Add lAdd User – Perform a one-off addition of a basic user account. Add an employee or a newly promoted

employee that needs access to MDM capabilities. For more information, see Add Users to User Groups on

page 83.

lBatch Import – Add multiple users into AirWatch by importing a comma-separated values (CSV) file. Enter

a unique name and description to group and organize multiple users at a time. For more information, see

Batch Import Users or Devices on page 47.

Layout Enables you to customize the column layout.

lSummary – View the List View with the default columns and view settings.

lCustom – Select only the columns in the List View you want to see. You can also apply selected columns

to all administrators at or below the current organization group.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Action Description

Sorting Most columns in the List View (in both Summary and Custom Layout) are sortable including Devices,User

Groups, and Enrollment Organization Group.

Export Save a comma-separated values (CSV) file of the entire List View that can be viewed and analyzed in Excel.

Interact With User Accounts

The list view also features a check box to the left of each user account. View user details by selecting the hypertext user

name in the General Info column. For more information, see Access User Details on page 81.

The Edit icon enables you to make basic changes to the user account. Selecting a single check box causes three action

buttons to appear, Send Message,Add Device, and More Actions.

You can select multiple user accounts using the check box, which, in turn, modifies the available actions.

Action Description

Send

Message

Provide immediate support to a single user or group of users. Send a User Activation (user template)

email to a user notifying them of their enrollment credentials.

Add Device Add a device for the selected user. Only available for single user selections.

More Actions Display the following options.

Add to User

Group

Add selected users to new or existing user group for simplified user management. For more information, see User Groups

List View on page 81 and Edit User Group Permissions on page 80.

Remove from

User Group

Remove selected users from the existing user group.

Change

Organization

Group

Manually move the user to a different organization group. Update the available content, permissions, and restrictions of a

user if they change positions, get a promotion, or change office locations.

Delete If a member of your organization resigns or is fired, you can quickly and completely delete a user account.

Activate Activate the account if a user returns to an organization or must be reinstated in the company.

Deactivate Deactivate a user if a user is missing in action, out-of-compliance, or if their device is lost or stolen.

Batch Import Feature

If you have several dozen or more users to add to AirWatch, you can batch-create users and user groups or batch-import

them from your directory service.

Making a batch import means taking an AirWatch supplied template in a comma-separated values format. Then filling it

out with your own data and uploading the completed template.

Changes in External LDAP/AD User Directories

Once your user and user group batch list is uploaded, changes to your external LDAP/AD user directories are not updated

in AirWatch. These user and user group changes must be updated manually, or uploaded again as a new batch.

Batch Import Users or Devices

To save time, you can batch import multiple Lightweight Directory Access Protocol (LDAP)/Active Directory (AD) users and

devices into the AirWatch Console.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

1. Navigate to Accounts > Users > Batch Status or Devices > Lifecycle > Enrollment Status > Add and select Batch

Import.

2. Enter the basic information including a Batch Name and Batch Description in the AirWatch Console.

3. Select the applicable batch type from the BatchType drop-down menu.

4. Select and download the template that best matches the kind of batch import you are making.

Blacklisted Devices – Import a list of known, non-compliant devices by IMEI, Serial Number, or UDID. Blacklisted

devices are not allowed to enroll. If a blacklisted device attempts to enroll, it is automatically blocked.

Whitelisted Devices – Import pre-approved devices by IMEI, Serial Number, or UDID. Use this import a list of known,

trusted devices. The ownership and group ID associated to this device is automatically applied to the device during

enrollment.

User / Device – Choose between a Simple and an Advanced CSV template. The simple template features only the

most often-used options and the Advanced template features the full, unabridged compliment of options.

5. Open the CSV file, which consists of a CSV (comma-separated values) file that is populated with a single row

completed with a sample device data. The CSV file features several columns corresponding to the setting that display

on the Add / Edit User page. The GroupIDcolumn corresponds to the Enrollment Organization Group setting on the

Add / Edit User page.

You can confirm whether or not users are part of the enrollment organization group (OG).

a. Navigate to Groups &Settings > All Settings > Devices &Users > General > Enrollment and check the

Grouping tab.

b. If the Group ID Assignment Mode is set to Default, then your users are part of the enrollment OG.

c. For a directory-based enrollment, the Security Type for each user must be Directory.

6. Enter data for your organization's users, including device information (if applicable) and save the file.

7. Return to the Batch Import page and select Choose File to locate and upload the CSV file that you had previously

downloaded and filled out.

8. Select Save.

Batch Import User Groups

To save time, you can import multiple Lightweight Directory Access Protocol (LDAP)/Active Directory (AD) user groups

into the AirWatch Console.

1. Navigate to Accounts > User Groups >List View and select Add.

2. Select Batch Import.

3. Enter the basic information including Batch Name and Batch Description in the AirWatch Console.

4. Under Batch File (.csv), select the Choose File button to locate and upload the completed CSV file, now ready for

importing.

5. Alternately, select the link Download template for this batch type and save the comma-separated values (CSV) file

and use it to prepare a new importation file.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

lOpen the CSV file, which has several columns corresponding to the settings that display on the Add User Group

page. Columns with an asterisk are required and must be entered with data. Save the file.

lThe last column heading in the CSV file template is labeled "GroupID/Manage(Edit and Delete)/Manage(Users

and Enrollment)/UG assignment/Admin Inheritance." This column heading corresponds to the settings and

abides by the logic of the Permissions tab of the Edit User Group page.

6. Select Import.

7. If the Batch Import does not complete successfully, view and troubleshoot errors by selecting Accounts > Batch

Status. You can view specific batch import errors by clicking the Errors hyperlink.

Editing Basic Users with Batch Import

The Batch Import feature lets you edit and move users in groups rather than one at a time. The users must exist in

AirWatch for such a procedure to work. Edit the following settings in the CSV file and use Batch Import to upload this file.

lPassword (Basic only).

lFirst Name.

lMiddle Name.

lLast Name.

lEmail Address.

lPhone Number.

lMobile Number.

lDepartment.

lEmail user name.

lEmail Password.

lAuthorized organization groups (at and below the given Group ID only).

lEnrollment user category (this category is accessible to the user, otherwise, defaulted to 0).

lEnrollment user role (this role is accessible to the user, otherwise, it assumes the default role of the organization

group).

Such basic user editing applies to Basic User Authentication on page 34 and Authentication Proxy on page 37 only.

Move Users With Batch Import

You may also use the Batch Import feature to move sets of users to a different organization group.

1. From the Batch Import screen, enter the basic information including a Batch Name and a Batch Description in the

AirWatch Console.

2. Choose Change Organization Group from the list of templates and save the CSV file somewhere accessible.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

3. Enter the applicable Group ID of the user's existing organization group, user name to be moved, and Target Group

ID of the user's new organization group.

4. Return to the Batch Import screen in the AirWatch Console, select Choose File to locate and upload the saved CSV

file and select Open.

5. Select Save.

Admin Accounts

Administrator Accounts enable you to maintain Mobile Device Management (MDM) settings, push, or revoke features

and content, and much more from the centralized AirWatch Console.

Also, a Temporary Admin Account enables a remote assistance feature within the AirWatch Console. These Temporary

Admin Accounts, which have a configurable expiration, can be used to access areas normally reserved for permanent

admin account-holders.

Create an Admin Account

You can add Admin Accounts from the Administrators List View page, providing access to advanced features of the

AirWatch Console. Each admin that maintains and supervises the console must have an individual account.

1. Navigate to Accounts > Administrators > List View, select Add, and then Add Admin. The Add/Edit Admin page

displays.

2. Under the Basic tab, for the User Type setting, select either Basic or Directory.

lIf you select Basic, then fill in all required settings on the Basic tab, including user name, password, FirstName,

and Last Name.

lYou can enable Two-Factor Authentication where you select between Email and SMS as a delivery method and

the token expiration time in minutes.

lYou can also select a Notification option, choosing between None, Email, and SMS. The Admin receives an auto-

generated response.

lIf you select Directory, then enter the Domain and user name of the admin user.

3. Select the Details tab and enter additional information, if necessary.

4. Select the Roles tab and then select the Organization Group followed by the Role you want to assign to the new

admin. Add new roles by using Add Role.

5. Select the APItab and choose the Authentication type.

6. Select the Notes tab and enter additional Notes for the admin user.

7. Select Save to create the adminaccount with the assigned role.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Create a Temporary Admin Account

You may grant temporary administrative access to your environment for support, demonstrations, and other time

limited use cases.

1. Navigate to Accounts > Administrators > List View, select Add. Select the Add Temporary Admin option.

Select the Help button and choose Add Temporary Admin.

2. In the Basic tab, choose to add a temporary admin account based on Email Address or user name and complete the

following settings.

Setting Description

Email Address Enter the email address on which the temporary admin account is based. Available only when

Email Address radio button is selected.

User name Enter the user name on which the temporary admin account is based. Available only when the

user name radio button is selected.

Password /

ConfirmPassword

Enter and confirm the password that is associated with the Email Address or user name.

Expiration Period Select anExpirationPeriod which defaults to 6 hours. You may also set this drop-down menu

to Inactive to create the account now and activate it later.

Ticket Number Optionally, you can add the Ask Ticket Number from ZenDesk as a reference marker.

3. In the Roles tab, you can add and delete roles applicable to the temporary admin account.

a. Add a role by selecting the Add Role button and then select the organization group and role for which the

temporary admin account applies.

b. Edit an existing role by selecting the edit icon ( ) and choose a different organization group and role.

c. Delete a role by selecting the delete icon ( ).

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

4. Select Save.

Managing Admin Accounts

You can implement key management functions for ongoing maintenance and upkeep of admin accounts by navigating to

Accounts > Administrators > List View.

Display the Add/Edit Admin page by selecting the hypertext link in the user name column. This link enables you to

update current roles assigned quickly or change roles within your organization quickly to keep their privileges up-to-date.

You can also alter general admin information and change a password.

You can Filter the list of administrators to include all roles or limit the listing to only a specific role you want to see.

Display the action buttons applicable to that admin by selecting the radio button next to the administrator user name.

lView History – Track when admins log in and out of the AirWatch Console.

lDeactivate – Change the status of an admin account from active to inactive. This feature allows you to suspend the

management functions and privileges temporarily. At the same time, this feature enables you to keep the defined

roles of the admin account for later use.

lActivate – Change the status of an admin account from inactive to active.

lDelete – Ensure that only the right users are accessing the AirWatch Console. Immediately cancel and eliminate a

user account and revoke privileges if someone quits or is fired from their position.

lChange Password – Edit the password belonging to a basic or temporary admin account.

Chapter 4: User and Admin Accounts

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Chapter 5:

Role-Based Access

Role-Based Access Overview 54

Default and Custom Roles 54

User Roles 56

Admin Roles 57

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Role-Based Access Overview

The AirWatch Console allows you to define access levels for individual users or groups based on the roles you created

during the user enrollment process.

For example, help desk administrators within your enterprise may have limited access within the console, while the IT

Manager has a greater range of permissions.

To enable role-based access control, you must first set up the administrator and user roles within the AirWatch Console.

Specific resources, also known as permissions, define these roles which enable and disable access to various features

within the AirWatch Console. Roles can also be created for end users who need access to the Self-Service Portal.

Default and Custom Roles

There are several default roles already provided by AirWatch from which you may select. These default roles are available

with every AirWatch upgrade and help quickly assign roles to new users. If you require further customization, you may

create custom roles to tailor the user privileges and permissions further. Unlike default roles, custom roles require

manual updates with every AirWatch upgrade.

Each type of role includes inherent advantages and disadvantages. Default Roles save time in configuring a brand new

role from scratch, logically suit various administrative privileges, and automatically update alongside new AirWatch

features and settings. However, Default Roles may not be a precise fit for your organization or MDM deployment, which

is why Custom Roles were created.

Default End-User Roles

Roles are available by default to end users in the AirWatch Console.

lFull Access Role – Provides full permission to perform all the tasks on the Self-Service Portal.

lBasic Access Role – Provides all permissions except MDM commands from the Self-Service Portal.

Custom Roles allow you to customize as many unique roles as you require, and to tweak large or small changes across

different users and administrators. However, Custom Roles must be manually maintained over time and updated with

new features.

Edit a Default End-User Role to Create a Custom User Role

If none of the available default roles provide the proper fit for your organization, consider modifying an existing user role

and creating a custom user role.

1. Ensure that you are currently in the organization group you want the new role to be associated with.

2. Navigate to Accounts > Users > Roles.

3. Determine which role from the list best fits the role you want to create. Then edit that role by selecting the edit

icon ( ) to the far right. The Add/Edit Role page displays.

4. Edit the Name,Description, and Initial Landing Page text boxes as necessary. Review each of the check boxes. These

options represent the various permissions, selecting and deselecting those options as necessary.

5. Select Save to save your changes, overwriting the prior settings of the role in favor of the new settings.

Chapter 5: Role-Based Access

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Default Administrator Roles

The following roles are available by default to administrators in the AirWatch Console. Use the Admin Role Compare tool

to compare the specific permissions of two admin roles. For more information, see Compare Admin Roles on page 63.

Role Description

System

Administrator

The System Administrator role provides complete access to an AirWatch environment. This role

includes access to the Password and Security settings, Session Management, and AirWatch Console

audit information. This information is located the Administration tab under System Configuration.

This role is not available for Software as a Service (SaaS) customers.

Device

Manager

The Device Manager role grants users significant access to the AirWatch Console. However, this role is

not designed to configure most System Configurations. These configurations include Active Directory

(AD)/Lightweight Directory Access Protocol (LDAP), Simple Mail Transfer Protocol (SMTP), Agents, and

so on. For these tasks, use a top-tier role like the AirWatch Administrator or System Administrator.

Report

Viewer

The Report Viewer role allows viewing of the data captured through Mobile Device Management

(MDM). This role limits its users to generating, viewing, exporting, and subscribing to reports from the

AirWatch Console.

AirWatch

Administrator

The AirWatch Administrator role allows comprehensive access to the AirWatch environment. However,

this access excludes the Administration tab under System Configuration, because that tab manages

top-level AirWatch Console settings.

Read Only The Read Only role provides access to most of the AirWatch Console, but limits access to read-only

status. Use this role to audit or record the settings in an AirWatch environment. This role is not useful

for system operators or administrators.

Content

Management

The Content Management role only includes access to VMware Content Locker management. Use this

role for specialized administrators responsible for uploading and managing a device content.

Application

Management

The Application Management role allows admins with this access to deploy and manage the device

fleet's internal and public apps. Use this role for an application management administrator.

Help Desk The Help Desk role provides the tools necessary for most Level 1 IT Help Desk functions. The primary

tool available in this role is the ability to see and respond to device info with remote actions. However,

this role also contains report viewing and device searching abilities.

App Catalog

Only

Administrator

The App Catalog Only Admin role has much the same permissions as Application Management. Added

to these permissions are abilities to add and maintain admin and user accounts, admin and user

groups, device details, and tags.

Horizon

Administrator

The Horizon Administrator role is a specially designed set of permissions for complementing an

AirWatch configuration integrated with VMware Horizon View.

NSX

Administrator

The NSX Administrator role is a specially designed set of permissions intended to complement VMware

NSX integrated with AirWatch. This role offers the full complement of system and certificate

management permissions, allowing administrators to bridge endpoint security with data center

security.

Privacy

Officer

The Privacy Officer role provides read access to Hub Overview, Device List View, View system settings,

and full edit permissions for privacy settings.

Chapter 5: Role-Based Access

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Edit a Default Admin Role to Create a Custom Admin Role

If the available default roles provide no proper fit for admin resources in your organization, consider modifying an

existing default role into a custom admin role.

1. Ensure that you are currently in the organization group with which you want the new role to be associated.

2. Navigate to Accounts > Administrators > Roles.

3. Determine which role from the list best fits the role you want to create. Select the check box for that role.

4. Select Copy from the actions menu above the listing. The Copy Role page displays.

5. Edit specific settings of the copy in the resulting Copy Role page. Create a unique Name and Description for the

customized role.

6. Select Save.

For more information, see Create Administrator Role on page 58.

User Roles

User roles allow you to enable or disable specific actions that logged-in users can perform. These actions include

controlling access to a device wipe, device query, and managing personal content. You can also customize initial landing

pages and restrict access to the Self-Service portal.

Creating multiple user roles is a time saving measure. You can make comprehensive configurations across different

organization groups or change the user role for a specific user at any time.

Create a New User Role

In addition to the preset Basic Access and Full Access roles, you can create customized roles. Having multiple user roles

available fosters flexibility and can potentially save time when assigning roles to new users.

To create a user role:

1. Navigate to Accounts > Users > Roles and select Add. The Add/Edit Role page displays.

2. Enter a Nameand Description, and select the Initial Landing Page of the SSP for users with this new role.

For existing user roles, the default InitialLanding Page is the My Devices page.

3. Select from a list of options the level of access and control end users of this assigned role have in the SSP.

lClick Select None to clear all check boxes on the page.

lSelect all the check boxes on the page by selecting Select All.

4. Save the changes to the role. The added user role now appears in the list on the Roles page.

From the Roles page, you can view, edit, or delete roles.

Configure a Default Role

A default role is the baseline role from which all user roles are based. Configuring a default role enables you to set the

permissions and privileges users automatically receive upon enrollment.

Chapter 5: Role-Based Access

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

1. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and select the Grouping tab.

2. Configure a default level of access for end users in the Self-Service Portal (SSP) by selecting a Default Role. These role

settings are customizable by organization group.

3. Select Save.

Assign or Edit the Role of an Existing User

You can edit the role for a specific user, for example, to grant or restrict access to AirWatch functions.

1. Select the appropriate organization group.

2. Navigate to Accounts > Users > List View

3. Search for the specific user that you want to edit from the list. Once you have identified the user, select the Edit icon

under the check box. The Add/Edit User screen displays.

4. In the General tab, scroll to the Enrollment section and select a User Role from this drop-down menu to change the

role for this specific user.

5. Select Save.

Admin Roles

Admin roles allow you to enable or disable permissions for every available setting and resource in the AirWatch Console.

These settings grant or restrict console abilities for each member of your admin team, enabling you to craft a hierarchy of

administrators specific to your needs.

Creating multiple admin roles is a time saving measure. Making comprehensive configurations across different

organization groups or changing the permissions for a specific administrator at any time.

Administrator Roles List View

The administrator roles list view enables you to add, edit, compare, and maintain your library of roles for your entire

admin base.

Add Role

Make a new admin role from scratch by selecting the Add Role button. For more information, see Create Administrator

Role on page 58.

Import Role

You can import a role exported from another environment. For more information, see the following topics.

lImport Admin Roles on page 60

lExport Admin Roles on page 60,

lVersioning Issues When Importing and Exporting Admin Roles on page 61.

Copy Role

Chapter 5: Role-Based Access

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

You can save time by making a copy of an existing role. You can also change the permissions of the copy and save it

under a different name.

1. Select the check box next to the role you want to copy.

2. Select the Copy button. The Copy Role page displays.

3. Make your changes to the Categories,Name, and Description.

4. When finished, select Save.

View Users

The View Users button enables you to see the Administrators List View, displaying a listing of all admins. Select a role

name and then select the View Users button.

Delete Role

You can delete an unused role from your library of administrator roles. You cannot delete a role that is assigned to an

admin. Select an unassigned role you want to delete and select the Delete button.

Export Role

You can export a role saved as an XML file to a location on your device, suitable to be imported later. Select the role you

want to export and select the Export button. For more information, see the following topics.

lExport Admin Roles on page 60,

lImport Admin Roles on page 60,

lVersioning Issues When Importing and Exporting Admin Roles on page 61.

Rename a Role

If you are importing an admin role named the same as an existing admin role, you can rename the existing role first. For

more information, see Rename an Admin Role on page 61.

Edit Role

You can edit an existing role's name, description, and specific permissions. Select the hypertext role name from the listing

and the View Role screen displays, enabling you to make changes.

Compare Two Roles

You can also compare the individual permissions settings between two roles. For more information, see Compare Admin

Roles on page 63.

Create Administrator Role

You can create administrator roles which define specific tasks that can be performed in AirWatch. You then assign these

roles to individual admins. To create an administrator role, follow these steps.

Chapter 5: Role-Based Access

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

1. Navigate to Accounts > Administrators > Roles and select Add Role in the AirWatch Console.

2. In the Create Role, enter the Name and Description of the role.

3. Make a selection from the list of Categories.

The Categories section organizes top-level categories such as Device Management under which are located

subcategories including Applications,Browser, and Bulk Management among others. This category subdivision

enables an easy and quick role creation process. Each subcategory setting in the right panel has a Read and Edit

check box.

When you make a selection from the Categories section, its subcategorized contents (individual settings) populate in

the right panel. Each individual setting features its own Read and Edit check box and a "select all" style Read and Edit

check box in the column heading. This arrangement allows for a flexible level of control and customization while

creating roles.

4. Select the appropriate Read and Edit check box in the corresponding resource options. You may also choose to clear

any of the selected resources.

Chapter 5: Role-Based Access

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

5. To make blanket category selections, select None,Read, or Edit directly from the Categories section without ever

populating the right panel. Select the circular icon to the right of the Category label, which is a drop-down menu. Use

this selection method when you are certain you want to select none, read-only, or edit capabilities for the entire

category setting.

6. Select Save to finish creating the Custom Role. You can now view the added role in the list on the Roles page. From

here, you can also edit the role details or delete the role.

You must update the custom role after each AirWatch version update to account for the new permissions in the latest

release.

Import Admin Roles

You can import administrator roles saved from another environment as an XML file, making admin roles a portable

resource, which can save time.

To import a role into a separate AirWatch environment.

1. Navigate to Accounts > Administrators > Roles and select Import Role.

2. In the Import Role page, select Browse and locate the previously saved XML file. Select Upload to upload the admin

role to the Category listing for validation.

3. AirWatch performs a series of validation checks including an XML file check, importing role permission check,

duplicate role name check, and blank name and description check.

4. Check the resource settings and verify their imported role specifications by selecting specific Categories in the left

pane.

5. You may also edit the resources and the Name and Description of the imported role based on your needs. If you

want to keep both the existing role and the imported role, then rename the existing admin role before importing the

new role.

a. If the role you are importing is named the same as an existing role in your environment, then a message

displays. "A role with this name exists in this environment. Would you Like to override the existing role?"

b. If you select No, then the existing role in your environment remains untouched and the role import is canceled.

c. If you select Yes, then you are prompted for the security PIN, which if entered correctly, replaces the existing role

with the imported role.

6. Select Save to apply the imported role to the new environment.

Export Admin Roles

You can export administrator roles as an XML file and import those files into another environment, making admin roles a

portable resource which can save time.

To initiate this process, take the following steps.

Chapter 5: Role-Based Access

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

1. Navigate to Accounts > Administrators > Roles.

2. Select the check box next to the administrator role that you want to export. Doing so displays actions buttons above

the role listing.

3. Select Export and save the XML file to a location on your device.

If you select more than one admin role, the Export action is not available.

Rename an Admin Role

If you are importing an admin role named the same as an existing admin role, you may find it useful to rename the

existing role first. Renaming a role allows you to keep both the old and the new role in the same environment.

1. Navigate to Accounts > Administrators > Roles and select the Edit icon ( ) of the role you want to rename. The Edit

Role page displays.

2. Edit the Name of the role and optionally, the Description.

3. Select Save.

Versioning Issues When Importing and Exporting Admin Roles

There may be cases where an exported role is imported into an environment running an earlier version of AirWatch. This

earlier version may not have the same resources and permissions that comprise the imported role.

In these cases, AirWatch notifies you with the following message.

There are some permissions in this environment that are not found in your imported file. Review and correct the highlighted

permissions before saving.

Use the category listing page to deselect the highlighted permissions. This action allows you to save the role to the new

environment.

Read/Edit Indicator in Categories for Admin Roles

There is a visual indicator in the Categories section that reflects the current selection of read-only, edit, or a combination

of each. This indicator reports what the setting is without requiring you to open and examine the individual subcategory

settings.

The indicator features a circular icon located to the right side of the Category listing that reports the following.

All options in this category have the edit capability (which by definition means that they also have read-only

capability).

Most category settings have the edit capability enabled, but edits are disabled for at least one subcategory.

Chapter 5: Role-Based Access

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

All category settings have read-only enabled (edit disabled).

Most category settings are read-only, but edits are enabled for at least one subcategory.

Assign or Edit the Role of an Admin

You can assign roles to an admin which expand the capabilities of an Admin in the AirWatch console. You can also edit

existing roles, potentially limiting or changing their capabilities.

1. Navigate to Accounts > Administrators > List View, locate the admin account, and select the Edit icon in the Action

button cluster. The Add/Edit Admin page displays.

2. Select the Roles tab. Then select Add Role.

3. Enter the Organization Group and Role details for each role that is added.

4. Select Save.

Admin Roles Compare Tool

When creating an administrator role, it is often easier to modify an existing role than it is to create an admin role from

scratch. The Compare Roles tool makes this process easy.

If you have fewer than two or more than two roles selected, the Compare button does not display.

lBy default, only those categories and subcategories whose settings are different are displayed. You can display all the

permissions including those settings that are identical across the two selected roles by enabling Show All

Permissions.

lIf you choose two roles that have identical permissions across the board, the console displays this message at the

top of the Compare Roles page.

Chapter 5: Role-Based Access

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

"There are no differences in permissions between the two roles."

lYou may also select Export to create an Excel-viewable CSV file (comma-separated values). This CSV file contains the

complete list of settings for Role 1 and Role 2, enabling you to analyze the differences between them.

Compare Admin Roles

You can compare the permissions settings of any two Administrator roles for the sake of accuracy or to confirm your

deliberate settings differences. Compare two Admin Roles with the Compare Roles tool.

1. Navigate to Accounts > Administrators > Roles.

2. Locate any two listed roles, including roles that appear on different pages, and select those roles.

3. Select Compare. The Compare Roles page displays featuring a list of categories. Selecting a specific category on the

left populates all the details of that category on the right.

lRole subcategories can be viewed in the right panel by selecting the Details link to the far-right side. Collapse the

role subcategory by selecting the Hide link.

lThere is an All category in the left panel that, when selected, displays all the parent categories on the Compare

Roles page. When you enter a search parameter in the Search Resources bar, the right panel only displays

matching category and resources listings.

lThe search function is persistent. This persistence means that if you have a parameter in the SearchResources

bar, selecting the All category displays only the matching categories and resources. The search function is

persistent even after you select specific resources and make Read and Edit selections.

Chapter 5: Role-Based Access

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Chapter 6:

Groups

Assignment Groups Overview 65

Organization Groups Overview 67

Smart Groups Overview 71

User Groups Overview 76

Admin Groups Overview 83

View Assignments 86

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Assignment Groups Overview

Assignment Groups is an umbrella term used to categorize certain management grouping structures within AirWatch.

Organization Groups, Smart Groups, and User Groups each have full feature sets and properties and are distinct from

each other. One element they have in common is the way they can be used to assign content to user devices easily.

Assignment Groups enables an administrator to manage these three grouping structures from a single location.

You can use the list view to assign multiple organization groups, smart groups, and user groups to one or more profiles,

public applications, and policies.

Navigate to Groups &Settings > Groups >Assignment Groups.

Create Custom Assignment Group List

The Assignment Groups List View organizes three kinds of groups that have the function of assigning content to devices:

organization groups, smart groups, and user groups. You can create a listing of only those groups you are interested in

seeing.

Sort by Columns

You can sort the listing of groups by individual columns by selecting the column header.

Filter Groups

You can filter groups by Group Type (Smart Groups, OrganizationGroups, and User Groups). You can also filter by how or

whether they have been Assigned (Assignments, Exclusions, All, and None).

Select Links in the Assignment Groups Listing

Four columns in the Assignment Groups Listing page serve a specific function and require a special mention.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

lThe Groups column features a link for each Smart Group. You can select this link to edit the smart group.

lIf you select non-zero values in the Assignments column, the View Assignments page displays, even for assigned

organization groups and user groups. This function allows you to view and confirm assignments to profiles, public

applications, and compliance policies.

lIf you select non-zero values in the Exclusions column, the View Assignments page displays, even for excluded

organization groups and user groups. The View Assignments page allows you to view and confirm exclusions from

profiles, public applications, and compliance policies.

lIf you select the Devices column number, the Devices List View page displays. The Device List View contains the listing

of all devices in the selected organization group, smart group, or user group.

For more information, see the following topics.

View Assignments on page 86

Device List View on page 178

Assign One or More Assignment Groups

You can assign groups to device profiles, public applications, compliance policies. You can also assign multiple groups of

each type (organization, smart, and user) at one time.

1. Navigate to Groups &Settings >Groups > Assignment Groups.

2. Select one or more groups in the listing and select Assign above the column header.

3. The Assign page displays the Organization Groups,Smart Groups, and User Groups you selected.

4. Assign them by initiating a search for a Profile, a Public Application, and Compliance Policy. You may choose up to

10 profiles, up to 10 public applications, and a single compliance policy.

You can only choose multiple entities of a single type per session. For example, you may assign multiple groups to up

to 10 different profiles in a single command. However, you may not, in a single command, assign multiple groups to

10 profiles, 10 apps, and a compliance policy. If you have multiple entities of multiple types, you must undertake

separate assignment sessions for each type (profiles, apps, policies).

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

5. Select Next to display the View Device Assignment page which you can use to confirm the groups assignment.

6. Select Save &Publish to finalize the assignment.

Organization Groups Overview

AirWatch identifies users and establishes permissions using organization groups. While any organization method delivers

content to devices, use organization groups (OG) to establish an MDM hierarchy identical to your organizational

hierarchy. You may also establish OGs based on AirWatch features and content.

You can access organization groups by navigating to Groups & Settings > Groups > Organization Groups > List View or

through the organization group drop-down menu.

lBuild groups for entities within your organization.

lCustomize hierarchies with parent and child levels.

lIntegrate with multiple internal infrastructures at the tier level.

lDelegate role-based access and management based on a multi-tenant structure.

Characteristics of Organization Groups

Organization groups can accommodate functional, geographic, and organization entities and enable a multi-tenancy

solution.

lScalability – Flexible support for exponential growth.

lMulti-tenancy – Create groups that function as independent environments.

lInheritance – Streamline the setup process by setting child groups to inherit parent configurations.

Using the example of the organization group drop-down menu, profiles, features, applications, and other MDM

settings can be set at the 'World Wide Enterprises' level.

Settings are inherited down to child organization groups, such as Asia/Pacific and EMEA or even further down to

grand-child Australia > Manufacturing Division or even great grand-child Australia > Operations Division >

Corporate.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Settings between sibling organization groups such as Asia/Pacific and EMEA take advantage of the multi-tenant

nature of OGs, by keeping these settings separate from one another. However, these two sibling OGs do inherit

settings from their parent OG, World Wide Enterprises.

Alternatively, you may choose to override settings at a lower level and alter only the settings that you want to change

or keep. These settings can be altered or carried down at any level.

Considerations for Setting Up Organization Groups

Before setting up your organization group (OG) hierarchy in the AirWatch Console, first decide on the group structure.

The group structure allows you to make the best use of settings, applications, and resources.

lDelegated Administration – You can delegate administration of subgroups to lower-level administrators by

restricting their visibility to a lower organization group.

lCorporate administrators can access and view everything in the

environment.

lLA manager has access to the LA OG and can manage only those

devices.

lNY manager has access to the NY OG and can manage only those

devices.

lSystem Settings – Settings can be applied at different levels in the organization group tree and inherited down. They

can also be overridden at any level. Settings include device enrollment options, authentication methods, privacy

setting, and branding.

lOverall company establishes an enrollment against the company

Active Directory server.

lDriver devices override the parent authentication and allow a

token-based enrollment.

lWarehouse devices inherit the AD settings from the parent group.

lDevice Use Case – A profile can be assigned to one or several organization groups. Devices in those groups can then

receive that profile. Refer to the Profiles section for more information. Consider configuring devices using profile,

application, and content settings according to attributes such as device make, model, ownership type, or user

groups before creating organization groups.

lExecutive devices cannot install applications and have access to the Wi-Fi

sales network.

lSales devices are allowed to install applications and have VPN access.

Override Versus Inherit Setting for Organization Groups

The hierarchy of your structure determines which organization groups are children and which are parents. However, only

with the addition of repositories and applications can you elect to override this native inheritance.

You can add repositories and applications to child groups that inherit parent group settings. Alternatively, if you choose,

you may override inheritance at each group level.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

For more information, see the VMware AirWatch Mobile Content Management (MCM) Guide and the VMware

AirWatch Mobile Application Management (MAM) Guide. Each document is available on Accessing Other Documents

on page 217.

Create Organization Groups

You must create an organization group (OG) for each business entity where devices are deployed. Understand that the

OG you are currently in is the parent of the child OG you are about to create.

1. Navigate to Groups & Settings > Groups > Organization Groups > Organization Group Details.

2. Select the Add Child Organization Group tab and complete the following settings.

Setting Description

Name Enter a name for the child organization group (OG) to be displayed. Use alphanumeric characters

only. Do not use odd characters.

Group ID Enter an identifier for the OG for the end users to use during the device login. Group IDs are used

during the enrollment of group devices to the appropriate OG.

Ensure that users sharing devices receive the Group ID as it may be required for the device to log in

depending on your SharedDevice configuration.

Type Select the preconfigured OG type that reflects the category for the child OG.

Country Select the country where the OG is based.

Locale Select the language classification for the selected country.

Customer

Industry

This setting is only available when Type is Customer. Select from the list of Customer Industries.

3. Select Save.

Organization Group Type Functions

The type of an organization group can have an impact on what settings an admin can configure. Certain system settings,

such as Wipe Protection and certain features, such as Personal Content, Telecom, and so on, can only be configured at

Customer level organization groups. In addition, Global is only available for certain deployments. Other than Customer,

Partner, and Global, the types are simply for metadata purposes and do not serve a specific purpose.

For more information about the different types of Organization Groups (e.g. Global, Partner, Customer,

Container, etc.), refer to the following VMware AirWatch Knowledge Base article:https://support.air-

watch.com/articles/115001662908.

Adding Devices at Global

The Global organization group (OG) is designed to house Customer and other types of OGs. Given the way inheritance

works, if you add devices to Global and configure Global with settings intended to affect those devices, you are also

affecting all the Customer OGs underneath. This undermines the benefits of multitenancy and inheritance.

For more information, see Reasons You Should Not Enroll Devices in Global on page 119.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Organization Group Restrictions

If you attempt to configure an organization group (OG)-limited setting, the settings pages under Groups &Settings >All

Settings notify you of the limitation.

The following restrictions apply to creating Customer-level organization groups.

lIn a software-as-a-service (SaaS) environment, you cannot create nested customer OGs.

lIn an on-premises environment, you can create nested customer OGs, but only if your administrator role is System

Administrator.

Organization Groups Settings Comparison

As an Administrator, you may find it useful to compare the settings of one organization group (OG) to another. The

following are available when you compare OG settings.

lUpload XML files containing the OG settings from different AirWatch software versions.

lEliminate the possibility of a difference in configuration causing problems during version migration.

lFilter the comparison results, allowing you to display only the settings you are interested in comparing.

lSearch for a single setting by name with the search function.

The Organization Group Compare feature is only available for on-premises customers.

Compare Two Organization Groups

You can compare the settings of one organization group to another to mitigate version migration issues.

For instance, once a User Acceptance Testing (UAT) server has been upgraded, configured, and tested, you can compare

the UAT settings to the production settings directly.

1. Navigate to Groups & Settings > All Settings > Admin > Settings Management > Settings Comparison.

2. Select an OG in your environment from the left drop-down menu (labeled with the numeral 1). Alternatively, upload

the XML settings file by selecting the Upload button and choosing an exported OG setting XML file.

3. Select the comparison OG on the right drop-down menu (labeled with the numeral 2).

4. Display a list of all settings for both selected organization groups by selecting the Update button.

lDifferences between the two sets of OG settings are automatically highlighted.

lYou may optionally enable the Show Differences Only check box. This check box displays only those settings

that apply to one OG but not the other.

lIndividual settings that are empty (or not specified) display in the comparison listing as 'NULL'.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Smart Groups Overview

Smart groups are customizable groups that determine which platforms, devices, and users receive an assigned

application, book, compliance policy, device profile, or provision.

When you create organization groups, you typically base them on the internal corporate structure: geographical

location, business unit, and department. For example, "North Sales," "South HR." Smart groups, however, offer the

flexibility to deliver content and settings by device platform, model, operating system, device tag, or user group. You can

even deliver content to individual users across multiple organization groups.

You can create smart groups when you upload content and define settings. However, their modular nature means you

can also create them at any time, so they are available to be assigned later.

The main benefit of smart groups is their reusability. It may be intuitive to make a new assignment every time you add

content or define a profile or policy. Instead, if you define assignees to smart groups only once, you can simply include

those smart groups in your definition of content.

Create a Smart Group

Before you can assign a smart group to an application, book, compliance policy, device profile, video channel, or product

provision, you must first create one.

1. Choose the applicable Organization Group to which your new smart group applies and from which it can be

managed.

2. Navigate to Groups & Settings > Groups > Assignment Groups and then select Add Smart Group.

3. Enter a Name for the smart group.

4. Configure the smart group type. Choose between Select Criteria and Select Devices or Users.

lThe Select Criteria option works best for groups with large numbers (more than 500 devices) that receive general

updates. This method works best because the inherent details of these groups can reach all endpoints of your

mobile fleet.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

oIn the Select Criteria type, select qualifying parameters to add in the smart group. Parameters include

Organization Group,User Group,Ownership,Tags,Platform and Operating System,Model, and

Enterprise OEM (Original Equipment Manufacturer) Version. You can also add and exclude specific devices

and users in the Additions and Exclusions sections.

While Platform is a criterion within a smart group, the platform configured in the device profile or

compliance policy always takes precedence over the smart group's platform. For instance, if a device profile

is created for the iOS platform, the profile is only assigned to iOS devices even if the smart group includes

Android devices.

lThe Select Devices or Users option works best for groups with smaller numbers (500 or less devices) that receive

sporadic, although important, updates. This method works best because of the granular level at which you can

select group members.

Switching between Select Criteria and Select Devices or Users erases any entries and selections you may have

made.

oUse the Select Devices or Users type to assign content and settings to special cases outside of the general

enterprise mobility criteria. Enter the device friendly name in Devices and user name (first name or last

name) in Users. You must Add at least one device or user or you cannot save the smart group.

There is a limit to the number of rules (500) that a smart group may be programmed with. This 500 rule limit is

unrelated to the 500 device threshold determining whether your smart group is Select Criteria or Select Devices

or Users-based.

5. Select Save when complete.

Assign a Smart Group

Once you have created the smart group and before it can take effect, you must assign it. You can assign it to an

application, book, compliance policy, device profile, video channel, or product provision. There are two methods to

assign a smart group.

Assign Smart Group While Creating Device Product

You can assign a smart group when you add or create an application, book, compliance policy, device profile, video

channel, or product provision.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

1. Complete the Assigned Groups drop-down menu.

2. Select a smart group from the drop-down menu. Smart groups available are managed only within the organization

group (OG) to which the resource is being added, or to a child OG below it.

3. If no smart group matches the desired assignment criteria, then select the Create a Smart Group option. You can

assign more than one smart group per application, book, compliance policy, device profile, video channel, or

product provision.

4. Select Save to include the assignment.

Assign Smart Group While Managing the Smart Group

You can also assign a smart group during the process of managing the smart group itself.

1. View the entire list of smart groups by navigating to Groups & Settings > Groups > Assignment Groups.

2. Select one or more smart groups you want to assign and select Assign. The Assign page displays.

Select the Groups link at the top of the Assign page to display the Groups page. On this page, the organization

groups that manage the smart groups are displayed. Return to the Assign page by selecting the Close button.

3. On the Assign page, use the search box to view the list of eligible products and assign it to the selected smart groups.

4. Select Next to display the View Device Assignment page and confirm the assignment status.

5. Select Save &Publish.

For more information, see View Device Assignment on page 155.

Exclude Smart Groups in Profiles and Policies

In addition to apps, books, video channels, and products, smart groups apply to device profiles and compliance policies.

This flexibility lets you exclude selected smart groups from profiles and policies.

For example, if you want a compliance policy for all users in the company except executives, then take the following

steps. Make two smart groups, one consisting of all users and another containing executives. Create the Compliance

Policy and assign it to the "all users" smart group then specify the "executives" smart group in the Exclusions option.

1. While adding a device profile or compliance policy, select Yes next to the Exclusions setting to display the

ExcludedGroups option.

2. In the Excluded Groups setting, select those groups that you want to exclude from the assignment of this profile or

policy. You can alternatively make a new group by selecting the Create Assignment Group button.

If you select the same group in both the Assigned Groups and Excluded Groups settings, then the profile or policy

fails to save.

3. Preview the affected devices by selecting View Device Assignment.

Smart Group List View

Manage your smart groups by editing, assigning, unassigning, excluding, and deleting them with the AirWatch Console.

View the entire list of smart groups by navigating to Groups & Settings > Groups > Assignment Groups. Admins can only

see groups which they can manage based on their permissions settings.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

The columns Groups,Assignments,Exclusions, and Devices each feature links which you can select to view detailed

information.

lSelecting links in the Assignments or Exclusions columns display the View Smart Group Assignments screen.

lSelecting a link in the Devices column displays the Devices > List View showing only those devices included in the

smart group.

lYou can Filter your collection of groups by Group Type (Smart, Organization, User, or all) or by Assigned status.

Assigned status shows whether the group is assigned, is excluded, both, or neither.

lYou can Assign a smart group directly from the listing.

Edit, Delete, and Unassign a Smart Group

Any edits that you apply to a smart group affects all policies and profiles to which that smart group is assigned.

For example, a smart group for executives is assigned to a compliance policy, device profile, and two internal apps. If you

want to exclude some of the executives, then simply edit the smart group by specifying Exclusions. This action removes

not only the two internal apps but also the compliance policy and device profile from those excluded devices.

1. Navigate to Groups & Settings > Groups > Assignment Groups.

2. Select the Edit icon ( ) located to the left of the listed smart group that you want to edit. You can also select the

smart group name in the Group column. The Edit Smart Group page displays with its existing settings.

3. In the Edit Smart Group page, alter Criteria or Devices and Users (depending upon which type the smart group was

saved with) and then select Next.

4. In the View Assignments page, you can review which profiles, apps, books, provisions, and policies may be added or

removed from the devices as a result.

5. Select Publish to save your smart group edits. All profiles, apps, books, provisions, and policies tied to this smart

group update their device assignments based on this edit.

The Console Event logger track changes made to smart groups, including the author of changes, devices added, and

devices removed.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Delete a Smart Group

When you have no further use for a smart group, you can delete it. You can only delete one smart group at a time.

Selecting more than one smart group causes the Delete button to be unavailable. If a smart group is assigned, you are

not permitted to delete it.

1. Navigate to Groups & Settings > Groups > Assignment Groups and locate the smart group you want to delete from

the listing.

2. Select the check box to the left of the smart group name and select Delete from the actions menu that displays.

Unassign a Smart Group

You can unassign a smart group from an application, book, channel, policy, profile, or product. This action removes the

associated content from all devices in the smart group.

1. Unassign smart groups from applications, books, compliance policies, device profiles, or product provisions. Follow

the navigation paths shown.

lApplications – Navigate to Apps & Books > Applications > List View and select the Public, or Internal tab.

lBooks – Navigate to Apps & Books > Books > List View and select the Public,Internal, or Web tab.

lChannels – Navigate to Content > Video > Channels.

lCompliance Policy – Navigate to Devices > Compliance Policies > List View.

lDevice Profile – Navigate to Devices > Profiles & Resources > Profiles.

lProduct Provision – Navigate to Devices > Staging &Provisioning > Products > List View.

2. Locate the content or setting from the listing and select the Edit icon from the actions menu.

3. Select the Assignment tab or locate the Assigned Smart Groups text box.

4. Select Delete (X) next to the smart group that you want to unassign. This action does not delete the smart group. It

simply removes the smart group assignment from the saved setting.

5. Follow the required steps to Save your changes.

Research Smart Group Events Using Console Event Logger

You can track the changes to smart groups, and when they were made and by whom, by using the Console Event logger.

Such tracking can be useful when troubleshooting devices.

1. Navigate to Hub > Reports &Analytics > Events > Console Events.

2. Select Smart Groups from the Module drop-down filter at the top of the Console Event listing.

3. Apply more filters as you may require including Date Range,Severity, and Category.

4. Where applicable, select the hypertext link in the Event Data column which contains extra detail that may assist your

research efforts.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

User Groups Overview

You can group sets of users into user groups which, like organization groups, act as filters for assigning profiles and

applications. When configuring your MDM environment, align user groups with security groups and business roles

within your organization.

You can assign profiles, compliance policies, content, and applications to users and devices with user groups. You can

add your existing directory service groups into AirWatch or create user groups from scratch.

As an alternative to user groups, you can also manage content by assigning devices according to a preconfigured range of

network IP address or custom attributes. For more information, see Device Assignments Overview on page 126.

User Groups Without Directory Integration (Custom)

Creating a user group outside of your existing Active Directory structure allows you to create specialized groups of users

at any time. Customize user groups according to your deployment by specifically designing access to features and

content. For instance, you can create a temporary user group for a specific project requiring specialized apps, device

profiles, and compliance policies.

For more information about adding user groups in bulk, see Batch Import User Groups on page 48.

Add User Groups Without Directory Integration (Custom)

You can establish a custom user group outside of your corporate structure, which may be preferred depending upon the

kind of user group you need. Custom user groups can only be added at a customer level organization group.

1. Navigate to Accounts >User Groups >List View and select Add and then Add User Group.

2. Change the user group Type option to Custom.

3. Enter the Group Name and Description used to identify the user group in theAirWatch Console.

4. Confirm the organization group that manages the user group and select Save.

5. You can then add users to this new user group by navigating to Accounts > Users > List View.

Add multiple users by selecting check boxes to the far-left of each listed user name. Next, select the Management

button above the column headings and choose Add to User Group.

User Groups With Directory Integration

An alternative to custom user groups without active directory integration is through user group integration that applies

your existing active directory structure, providing many benefits.

Once you import existing directory service user groups as AirWatch user groups, you can perform the following.

lUser Management – Reference your existing directory service groups (such as security groups or distribution lists)

and align user management in AirWatch with the existing organizational systems.

lProfiles and Policies – Assign profiles, applications, and policies across an AirWatch deployment to groups of users.

lIntegrated Updates – Automatically update user group assignments based on group membership changes.

lManagement Permissions – Set management permissions to allow only approved administrators to change policy

and profile assignments for certain user groups.

lEnrollment – Allow users to enroll with existing credentials and automatically assign an organization group.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

The administrator must designate an existing organization group as the primary root location from which the

administrator manages devices and users. Directory services must be enabled at this root organization group.

You can add your existing directory service groups into AirWatch. While integration does not immediately create

AirWatch user accounts for each of your directory service accounts, it ensures that AirWatch recognizes them as user

groups. You can use this group to restrict who can enroll.

For more information about adding directory user groups in bulk, see Batch Import User Groups on page 48.

Add User Groups With Directory Integration

Making user groups with directory integration fosters an aligned approach to device management: device enrollment

plus subsequent updates, administrative overview, and user management are each in lockstep with your existing

directory service structure.

Before proceeding, ensure that the user group Type is Directory.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

1. Navigate to Accounts > User Groups > List View, select Add then Add User Group.

Setting Description

Type Select the type of User Group.

lDirectory – Create a user group that is aligned with your existing active directory structure.

lCustom – Create a user group outside of your organization's existing Active Directory

structure. This user group type grants access to features and content for basic and directory

users to customize user groups according to your deployment. Custom user groups can only

be added at a customer level organization group.

External Type Select the external type of group you are adding.

lGroup – Refers to the group object class on which your user group is based. Customize this

class by navigating to Groups &Settings > All Settings > System > Enterprise Integration >

Directory Services > Group.

lOrganizational Unit – Refers to the organizational unit object class on which your user group

is based. Customize this class by navigating to Groups &Settings > All Settings > System >

Enterprise Integration > Directory Services > Group.

lCustom Query – You can also create a user group containing users you locate by running a

custom query. Selecting this external type replaces the Search Text function but displays the

Custom Query section.

Search Text Identify the name of a user group in your directory by entering the search criteria and selecting

Search to search for it. If a directory group contains your search text, a list of group names

displays.

This option is unavailable when External Type is set to Custom Query.

Directory

Name

Read-only setting displaying the address of your directory services server.

Domain and

Group Base

This information automatically populates based on the directory services server information you

enter on the Directory Services page (Accounts > User Groups > Settings > Directory Services).

Select the Fetch DN plus sign (+) next to the Group Base DN setting, which displays a list of Base

Domain Names from which you can select.

Search Text Enter the search criteria to identify the name of an admin group in your directory and select Search

to search for it. If a directory group contains your search text, a list of group names displays.

Also, you can apply default roles to the admin group you are creating. After a successful search is

run, select the Roles tab and then select the Add button to add a new role. Or edit an existing role

by changing the Organization Group and Role selection.

This setting is available only when Group or Organizational Unit is selected as the External Type.

Custom

Object Class

Identifies the object class under which your query runs. The default object class is 'person' but you

can supply a custom object class to identify your admins with greater success and accuracy.

This setting is available only when Custom Query is selected as External Type.

Custom Base

Identifies the base distinguished name which serves as the starting point of your query. The

default is 'airwatch' and 'sso' but you can supply a custom base distinguished name if you want to

run the query from a different starting point.

This setting is available only when Custom Query is selected as External Type.

Group Name Select a Group Name from your Search Text results list. Selecting a group name automatically

alters the value in the Distinguished Name setting.

This setting is available only after you have completed a successful search with the SearchText

setting.

Distinguished

Name

Read-only setting that displays the full distinguished name of the admin group you are creating.

This setting is available only after you have completed a successful search with the SearchText

setting.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Setting Description

Rank Read-only setting that displays the rank of the admin group once it is created. You can change an

admin group's rank by navigating to Groups &Settings > Groups > Admin Groups and moving its

relative position using the More action button to the right of the admin group listing.

Auto Sync This option enables the directory sync, which detects user membership from the directory server

and stores it in a temporary table. An administrator approves all changes to the console unless the

Auto Merge option is enabled.

Auto Merge Enable this option to apply sync changes automatically from the database without administrative

approval.

Maximum

Allowable

Changes

Use this setting to set a threshold for the number of automatic admin group sync changes that are

allowed to occur before approval must be given.

This option is available only when Auto Merge is enabled.

Add Group

Members

Automatically

Enable this option to add administrators automatically to the admin group.

Time Zone Enter the time zone associated with the admin group. This required setting impacts when the

scheduled, automated Active Directory sync runs.

Locale Select the localization setting (language) associated with the admin group. This setting is required.

Initial

Landing Page

Enter the initial landing page for administrators in the admin group. The default setting for this

required setting is the Device Dashboard but you can set it to any page of your choosing.

Custom Query

Query This setting displays the currently loaded query that runs when you select the Test Query button

and when you select the Continue button. Changes you make to the Custom Logic option or the

Custom Object Class setting are reflected here.

Custom Logic Add your custom query logic here, such as an admin name. For example, "cn=jsmith". You can

include as much or as little of the distinguished name as you like. The Test Query button allows

you to see if the syntax of your query results in a successful search before selecting the Continue

button.

For more information on Distinguished Name, search for Microsoft's TechNet article entitled "Object Naming"

at https://technet.microsoft.com.

2. Select Save.

View Assignments

As a convenience, you can confirm the profiles, apps, books, channels, and compliance policies that are included in (and

excluded from) the assigned group.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

1. Navigate to the group listing in Groups & Settings > Groups > Assignment Groups and locate a group that has been

assigned to at least one entity.

2. In the Assignments column, select the hyperlinked number to open the View Assignments page. This page displays

only those categories that contain Assignments or Exclusions in the group.

Above the header row in the View Assignments screen, are three new tools to help you confirm the specific profile, app,

book, channel, and compliance policy.

Chapter 6: Groups

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Chapter 7:

Device Enrollment

Device Enrollment Overview 89

Basic vs. Directory Services Enrollment 93

Bring Your Own Device (BYOD) Enrollment 96

Self-Enrollment vs Device Staging 99

Device Registration 103

Configure Enrollment Options 111

Blacklisting and Whitelisting Device Registration 115

Additional Enrollment Restrictions 116

AirWatch Autodiscovery Enrollment 120

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Device Enrollment Overview

AirWatch provides multiple options for enrolling a device which is required before they can be managed.

This non-linear questionnaire outlines some of these combinations and serves as a guide to choosing an appropriate

enrollment path that best suits your organization's needs. It is not intended to be comprehensive or inclusive of every

enrollment option, rather to help you think about which options you may want to consider.

Chapter 7: Device Enrollment

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Chapter 7: Device Enrollment

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Prerequisites to the Enrollment Process

The enrollment process may differ slightly depending on the device platform. You can find platform-specific instructions

for enrolling each type of a device in the applicable Platform Guides.

To enroll a device, you need the following information.

lEnrollment URL – This enrollment URL is AWAgent.com for all users, organizations, and devices enrolling into

AirWatch.

lUser Credentials – This user name and password confirm the identity of a user to allow log in, authentication, and

enrollment.

oCredentials may be the same as network directory services, for use in a directory-service based enrollment.

oCredentials may be AirWatch-specific, for use in a basic user enrollment.

lGroup ID – The Group ID determines what Mobile Device Management (MDM) resources and features the end user

has access to upon enrollment. If necessary, provide end users with this Group ID.

Enrolling Devices at Global

The Global organization group (OG) is designed to house Customer and other types of OGs. Given the way inheritance

works, if you add devices to Global and configure Global with settings intended to affect those devices, you are also

affecting all the Customer OGs underneath. This undermines the benefits of multitenancy and inheritance.

For more information, see Reasons You Should Not Enroll Devices in Global on page 119.

Enroll a Device With AirWatch Agent

Enrolling a device with the AirWatch Agent is the main option for Android, iOS, and Windows devices.

1. Navigate to AWAgent.com from the native browser on the device that you are enrolling.

AirWatch auto-detects if the AirWatch Agent is already installed and redirects to the appropriate mobile app store to

download the Agent if needed.

Downloading the Agent from public application stores requires either an Apple ID or a Google Account.

2. Run the Agent upon the completion of the download or return to your browser session.

Important: To ensure a successful installation and running of the AirWatch Agent on your Android device, it must

have a minimum of 60 MB of space available. CPU and Run Time Memory are allocated per app on the Android

platform. If an app uses more than allocated, Android devices optimize themselves by killing the app.

3. Enter your email address. AirWatch checks if your address has been previously added to the environment. In which

case, you are already configured as an end user and your organization group is already assigned.

If AirWatch cannot identify you as an end user based on your email address, you are prompted to enter your

Environment URL,Group ID, and Credentials. If your environment URL and Group ID are needed, your AirWatch

Administrator can provide it.

4. Finalize the enrollment by following all remaining prompts.

Chapter 7: Device Enrollment

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Additional Enrollment Workflows

In some unique cases, the enrollment process must be adjusted for specific organizations and deployments. For each of

the additional enrollment options, end users need the credentials detailed in the Required Information section of this

guide.

lNotification-Prompt Enrollment – The end user receives a notification (email and SMS) with the Enrollment URL, and

enters their Group ID and login credentials. When the end user accepts the Terms of Use (TOU), the device

automatically enrolls and outfits with all MDM features and content. This acceptance includes selected apps and

features from the AirWatch server.

lSingle-Click Enrollment – In this workflow, which applies to web-based enrollments, an administrator sends an

AirWatch-generated token to the user with an enrollment link URL. The user merely selects the provided link to

authenticate and enroll the device, making it the easiest and fastest enrollment process for the end user. This

method can also be secured by setting expiration times.

oWeb Enrollment – There is an optional welcome screen that an administrator can invoke for Web enrollments by

appending "/enroll/welcome" to the active environment. For example, by supplying the URL

https://<custenvironment>/enroll/welcome to users participating in Web Enrollment, they see a Welcome to

AirWatch screen. This screen includes options to enroll with an Email Address or Group ID. The Web Enrollment

option is applicable for AirWatch version 8.0 and above.

lDual-Factor Authentication – In this workflow, an administrator sends the same enrollment token generated by

AirWatch, but the user must also enter their login credentials. This method is just as easy to run as the Single-Click

Enrollment but adds one additional level of security. The additional security measure is requiring the user to enter

their unique credentials.

lEnd-User Registration – The user logs in to the Self-Service Portal (SSP) and registers their own device. Once

registration is complete, the system sends an email to the end user that includes the enrollment URL and login

credentials. This workflow assumes that administrators have not already performed device registration for a

corporate device fleet. It also assumes that you require corporate devices to be registered so administrators can

track enrollment status. Also, end-user registration means that corporate devices can be used together with user-

purchased devices.

lSingle-User Device Staging – The administrator enrolls devices on behalf of an end user. This method is useful for

administrators who set up multiple devices for an entire team or single members of a team. Such a method saves the

end users the time and effort of enrolling their own devices. The admin can also configure and enroll a device and

mail it directly to a user who is off-site.

lMulti-User Device Staging – The administrator enrolls devices that are used by multiple users. Each device is

enrolled and provisioned with a specific set of features that users access only after they log in with unique

credentials.

For more information, see the following topics.

Enable Registration Tokens and Create a Default Message on page 109.

End-User Device Registration on page 108.

Device Registration on page 103.

Stage a Single-User Device on page 102.

Stage a Multi-User Device on page 103.

Chapter 7: Device Enrollment

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Basic vs. Directory Services Enrollment

If you have a directory services infrastructure such as Active Directory (AD), Lotus Domino, and Novell e-Directory, you

can apply existing users and groups in AirWatch.

If you do not have an existing directory services infrastructure or you choose not to integrate with it, you must perform

Basic Enrollment. Basic enrollment means manually creating AirWatch user accounts.

Note: While AirWatch supports a mix of both Basic and Directory-based users, you typically use one or the other for

the initial enrollment of users and devices.

Pros and Cons

Pros Cons

Basic Enrollment lCan be used for any deployment

method.

lRequires no technical integration.

lRequires no enterprise infrastructure.

lCredentials only exist in AirWatch and do not

necessarily match existing corporate

credentials.

lOffers no federated security.

lSingle sign on not supported.

lAirWatch stores all usernames and passwords.

Directory Service

Enrollment

lEnd users authenticate with existing

corporate credentials.

lCan automatically detect and sync

changes from the directory system into

AirWatch.

lSecure method of integrating with your

existing directory service.

lStandard integration practice.

lSaaS deployments using the VMware

Enterprise Systems Connector require

no firewall changes and offers a secure

configuration to other infrastructures,

such as Microsoft ADCS, SCEP, and

SMTP servers.

lRequires an existing directory service

infrastructure.

lSaaS deployments require additional

configuration due to the VMware Enterprise

Systems Connector being installed behind the

firewall or in a DMZ.

Enrollment Considerations, Basic v Directory

When considering end-user enrollment, in addition to the existing pros and cons of Basic vs Directory users, consider also

the following questions.

For the pros & cons of basic users vs directory users, see Basic vs. Directory Services Enrollment on page 93.

Chapter 7: Device Enrollment

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Consideration #1: Who Can Enroll?

In answering this question, consider the following.

lIs the intent of your MDM deployment to manage devices for all of your organization's users at or below the base

DN you configured? If so, the easiest way to achieve this arrangement is to allow all users to enroll by ensuring the

Restrict Enrollment check boxes are deselected.

You can allow all users to enroll during the initial deployment rollout and then afterward, restrict the enrollment to

prevent unknown users from enrolling. As your organization adds new employees or members to existing user

groups, these changes are synced and merged.

lAre there certain users or groups who are not to be included in MDM? If so, you must either add users one at a time

or batch import a CSV (comma-separated value) file of only eligible users.

If you want to restrict certain users and groups, see Configure Enrollment Restriction Settings on page 116.

Consideration #2: Where Will Users Be Assigned?

Another consideration to make when integrating your AirWatch environment with directory services is how you assign

directory users to organization groups during an enrollment. In answering this question, consider the following.

lHave you created an organization group structure that logically maps to your directory service groups? You must

complete this task before you can edit user group assignments.

lIf your users are enrolling their own devices, the option to select a Group ID from a list is simple. Human error is a

factor in this simplicity and can lead to incorrect group assignments.

You can automatically select a Group ID based on a user group or allow users to select a Group ID from a list. These

Group ID Assignment Mode options are available by navigating to Devices > Device Settings > Devices & Users >

General > Enrollment and selecting the Grouping tab.

If you want to configure Group ID options, see Configure Enrollment Options on Grouping Tab on page 111.

Enabling Basic Enrollment

Basic Enrollment refers to the process of manually creating user accounts and user groups for each of your organization's

users. If your organization is not integrating AirWatch with a directory service, basic enrollment is how you create user

accounts.

If you have a very small number of basic accounts to create, then create them one at a time by visiting Create Basic User

Accounts on page 40.

For basic enrollments involving larger end-user numbers, you can save time by filling out and uploading CSV (comma-

separated values) template files. These files contain all user information through the batch import feature. For more

information, see Batch Import Users or Devices on page 47.

Would you like to start the device enrollment questionnaire over again? Visit Device Enrollment Overview on page 89.

Enabling Directory Service-Based Enrollment

Directory service enrollment refers to the process of integrating AirWatch with your organization's directory service

infrastructure. Integrating your directory service with AirWatch means you can import users automatically and,

optionally, user groups such as security groups and distribution lists.

When integrating with a directory service such as Active Directory (AD), you have options for how you import users.

Chapter 7: Device Enrollment

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

lAllow all directory users to enroll – You can allow all your directory service users to enroll. Also, you can set up your

environment to auto discover users based on their email. Then create an AirWatch user account for them when they

perform an enrollment.

lAdd users one by one – After integrating with a directory service, you can add users individually in the same manner

as creating basic AirWatch user accounts. The only difference is you must enter their user name and select Check

User to auto populate remaining information from your directory service.

lBatch upload a CSV file – Using this option, you can import a list of directory services accounts in a CSV (comma-

separated values) template file. This file has specific columns, some of which cannot be left blank.

lIntegrate with user groups (Optional) – With this method, you can use your existing user group memberships to

assign profiles, apps, compliance policies, and so on.

Note: For information about how to integrate your AirWatch environment with your directory service, refer to the

VMware AirWatch Directory Services Guide. If you are considering integrating AirWatch with a SAML provider, refer

to the VMware AirWatch SAML Integration Guide, both available on Accessing Other Documents on page 217.

Chapter 7: Device Enrollment

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Bring Your Own Device (BYOD) Enrollment

A major challenge in managing users' personal devices is recognizing and distinguishing between employee-owned and

corporate-owned devices and then limiting enrollment to only approved devices.

AirWatch enables you to configure many options that customize the end-user experience of enrolling a personal device.

Before you begin, you must consider how you plan to identify employee-owned devices in your deployment and

whether to enforce enrollment restrictions for employee-owned devices.

Enrollment Considerations, BYOD

Assuming you are allowing employees to enroll their personal devices in your AirWatch environment, there are many

considerations you must make before you proceed.

Consideration #1: Will BYOD Users Enroll With VMware Workspace ONE, AirWatch Container App, or the AirWatch

Agent?

VMware Workspace ONE is a secure enterprise platform that delivers and manages any app on any device. It begins with

self-service, single-sign on access to cloud, mobile, and Windows apps and includes powerfully integrated email,

calendar, file, and collaboration tools.

With Workspace ONE, users do not need to enroll their personal devices to get access to services. The Workspace ONE

app itself may be downloaded from the Apple App Store, Google Play, or Microsoft Store and installed. A user then logs

in and gains access to applications based on the established policies. The Workspace ONE app configures an MDM

management profile during its installation that enrolls the device automatically.

AirWatch Container enables you to provide specific resources to segments of BYOD users. For example, some users may

only want access to corporate email, while others may only require access to a single enterprise app.

With AirWatch Container, your BYOD users can enroll in AirWatch and securely access business applications and

resources without receiving the same AirWatch profile corporate-owned devices receive.

AirWatch Container addresses privacy concerns users have about MDM by only giving administrators the ability to

control managed enterprise apps instead of the entire device.

Consideration #2: How Will You Specify Ownership Type?

Every device enrolled into AirWatch has an assigned device ownership type: Corporate Dedicated, Corporate Shared, or

Employee Owned. Employees' personal devices are categorized as an Employee Owned type and subject to the specific

privacy settings and restrictions you configure for that type.

In answering the question of specifying an ownership type, consider the following.

lDo you have access to a master list of corporate devices that you can bulk upload into the AirWatch Console? If so,

you may consider uploading this list and setting the default ownership type to Employee Owned.

lHave you considered the legal implications of allowing users to select an ownership type from a list? For example, if a

user enrolls a personal device but incorrectly selects corporate owned as the ownership type. What are the

ramifications when that user violates a policy and has their personal device fully wiped?

For your BYOD program, you can configure AirWatch to apply a default ownership type during enrollment or allow users

to choose the appropriate ownership type themselves.

Consideration #3: Will You Apply Additional Enrollment Restrictions for Employee-Owned Devices?

When answering this question, consider the following.

Chapter 7: Device Enrollment

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

lDoes your MDM deployment only support certain device platforms? If so, you can specify these platforms and only

allow devices running on them to enroll.

lAre you limiting the number of personal devices an employee is allowed to enroll? If so, you can specify the

maximum number of devices a user is allowed to enroll.

You can set up additional enrollment restrictions to further control who can enroll and which device types are allowed.

For example, you may choose to support only those Android devices that feature built-in enterprise management

functionality. After your organization evaluates and determines which kinds of employee-owned devices they want to

use in your work environment, you can configure these settings.

For more information, see Additional Enrollment Restrictions on page 116.

Identify Corporate Devices and Specify Default Device Ownership

Preparing a list of devices can be useful if you have a mix of corporate-owned devices and employee-owned devices

which employees enroll themselves.

As enrollment commences, devices you identified as Corporate-Owned have their ownership type configured

automatically based on what you selected. Then you can configure all employee-owned devices – which are not in the

list– to enroll with an ownership type as Employee-Owned.

The following procedure explains how to import a list of pre-approved corporate devices. You can apply the Corporate-

Owned ownership type after enrollment automatically, even if you have a restriction that automatically applies the

Employee-Owned ownership type.

Restrictions for an open enrollment, by contrast, explicitly allow or block the enrollment for devices matching parameters

you identify including platform, model, and operating system.

1. Navigate to Devices > Lifecycle > Enrollment Status and select Add, then Batch Import.

You can also select Whitelisted Devices to enter up to 30 whitelisted devices at a time by IMEI, UDID, or Serial

Number. You can also select either Corporate Owned or Corporate Shared as the Ownership Type.

2. Enter a Batch Name and Batch Description, then select Add Whitelisted Device as the Batch Type.

3. Select Choose File to upload a file or select the information icon to download a sample template. If saving a

template, proceed to fill out the necessary information.

4. Select Save.

Now, set the Default Device Ownership type to Employee Owned for all open enrollment.

1. Navigate to Devices > Devices Settings > Devices & Users > General > Enrollment and choose the Grouping tab.

2. Select Employee Owned as the Default Device Ownership.

3. Select the Default Role assigned to the user, which determines the level of access the user has to the Self-Service

Portal (SSP).

4. Select the Default Action for Inactive Users, which determines what to do if the user is marked as inactive.

5. Select Save.

Chapter 7: Device Enrollment

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Prompt Users to Identify Ownership Type

If your deployment has organization groups with multiple ownership types, you can prompt users to identify their

ownership type during enrollment.

1. Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and choose the Optional Prompt

tab.

2. Select Prompt for Device Ownership Type. During enrollment, users are prompted to select their ownership type.

3. Select Save.

Risks

While simple, this approach assumes that every user correctly selects the appropriate ownership type applicable to their

device.

If a personal device user chooses the Corporate-Owned type, their device is now subject to policies and profiles that

normally do not apply. This erroneous selection can have serious legal implications regarding user privacy.

While you can always update the ownership type later, it is safer and more secure to make a list of corporate devices.

Then enroll the corporate-owned devices separately and later, set the default ownership type to Employee Owned.

For more information, see VMware AirWatch BYOD Guide, available on Accessing Other Documents on page 217.

Chapter 7: Device Enrollment

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

Self-Enrollment vs Device Staging

AirWatch supports two methods for enrolling corporate devices. You can let users enroll their own devices or

administrators can enroll devices on users' behalf in a process called device staging.

In device staging, an administrator enrolls devices before assigning them and distributing them to end users. This

method is useful for administrators who must set up devices shared by multiple users across an organization.

Also, device staging works well for newly provisioned devices, since it happens before an employee receives the device. If

your end users already have corporate devices, then allowing them to self-enroll makes the most sense. Letting users

enroll their own devices is also beneficial when the total number of devices makes it impractical for administrators to

perform device staging.

Device staging can be performed for Android, Windows Phone, iOS, and macOS devices.

Note: Windows Phone currently only supports single user device staging.

Enrollment Considerations, Self-Enrollment

If you want to save time by allowing your end users to self enroll, consider the following questions.

Consideration #1: Device Ownership

lDo your end users already have assigned corporate devices? In this case, it may not be practical to collect each

device and have it staged and instead have users enroll themselves.

lAre your end users sharing devices or do they have their own dedicated devices? If end users are not sharing devices,

then you can make it the responsibility of that device's single owner to enroll themself.

Consideration #2: Auto discovery

Are you associating your organization's email domain with your AirWatch environment? This process, known as an auto

discovery, means that end users need only enter email address and credentials. The enrollment URL and Group ID are

automatically entered.

See also Configure Autodiscovery Enrollment From a Child Organization Group on page 121 and Configure Autodiscovery

Enrollment From a Parent Organization Group on page 120.

Self-Enrollment Process

Self-enrollment may require that end users know their appropriate Group ID and login credentials. If you have integrated

with directory services, these credentials are the same as the user's directoryservice credentials.

You can also associate your organization's email domain with your AirWatch environment in a process known as auto

discovery. With auto discovery enabled, devices of supported platforms prompt end users to enter their email address.

These devices automatically complete enrollment if their email domain (the text after @) matches – without the need to

enter a Group ID or enrollment URL.

Note: AirWatch Container users download the AirWatch Container app from the app store.

1. End users navigate to AWAgent.com, which automatically detects whether the AirWatch Agent is installed. If it is not,

the Website redirects to the appropriate mobile app store.

Chapter 7: Device Enrollment

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

2. After launching the Agent, users enter their credentials – in addition to either an email address or URL/Group ID –

and proceed with enrollment.

Enrollment Considerations, Device Staging

Administrators can enroll devices on behalf of users in a process called device staging. Staging devices serves to

streamline the process of registration and to enroll iOS devices shared by multiple users. You can also stage devices to

provision an entire device fleet quickly with Apple Configurator.

Consideration #1: Use of Device Staging

Unless you are using Apple Configurator, administrators must stage devices one-by-one. For large deployments, consider

the time and staffing this effort requires.

Whereas administrators can stage new devices easily, employees already using corporate-owned devices must ship

devices in or collect them on-site to have devices staged.

If you have thousands of devices to pre-enroll, device staging can take time. Therefore it works best when you have a

new batch of devices being provisioned, since you can gain access to the devices before employees receive them.

Device staging can be performed for Android, Windows Phone, and iOS devices in following ways.

lSingle User (Standard) – Used when you are staging a device which any user can enroll.

lSingle User (Advanced) – Used when you are staging and enrolling a device for a particular user.

lMulti User – Used when you are staging a device to be shared among multiple users.

Note: Windows Phone currently only supports single user device staging.

Consideration #2: Are You Participating in Apple's Device Enrollment Program?

To maximize the benefits of Apple devices enrolled in Mobile Device Management (MDM), Apple has introduced the

Device Enrollment Program (DEP). With DEP, you can perform the following.

lInstall a non-removable MDMprofile on a device, preventing end users from being able to delete it.

lProvision devices in Supervised mode (iOSonly). Devices in Supervised mode can access additional security and

configuration settings.

lEnforce an enrollment for all end users.

lMeet your organization's needs by customizing and streamline the enrollment process.

lPrevent iCloud back up by disabling users from signing in with their Apple ID when generating a DEPprofile.

lForce OS updates for all end users.

Consideration #3: Use of Apple Configurator

Apple Configurator enables IT administrators to deploy and manage Apple iOS devices effectively. Organizations such as

retail stores, classrooms, and hospitals find it especially useful to pre-enroll devices for multiple end users to share.

Using Configurator to enroll pre-registered devices meant for a single user is supported by adding serial number/IMEI

information to a user's registered device in the Console. A major benefit of Apple Configurator is that you can use a USB

hub or iOSdevice cart to provision multiple devices in minutes.

Chapter 7: Device Enrollment

100

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

For more information about Apple Configurator, refer to the VMware AirWatch Integration with an Apple Configurator

document, available on Accessing Other Documents on page 217.

Supervised Mode

Administrators have the option of enabling Supervised Mode for devices enrolled through Apple Configurator, which

enables additional enhanced security features. However, this mode does introduce several limitations on the device.

Benefits

Once a device is supervised and enrolled in AirWatch, the administrator has the following enhanced features available for

configuration when compared to normal devices.

lElevated Restrictions over MDM

oPrevent User from Removing Applications. Removing applications can also be restricted locally on the device

using restrictions under System Configuration.

oPrevent AirDrop.

oPrevent users from modifying iCloud and Mail account settings which prevents account modification.

oDisable iMessage.

oSet iBookstore Content rating restrictions.

oDisable Game Center and iBookstore.

lEnhanced Security

oPrevent end users from visiting websites with adult content in Safari.

oRestrict which devices can connect to specified AirPlay destinations, such as Apple TVs.

oPrevent the installation of certificates or unmanaged configuration profiles.

oForce all device network traffic through a global HTTP proxy.

lKiosk Mode

oLock down devices to one app with single app mode and disable the home button.

lCustomize Wallpaper and Text on Device

lEnable or Clear ActivationLock

Limitations

lUSB Access to supervised devices is restricted to the supervising Mac.

lCannot copy data to and from the supervised device using iTunes unless the Apple Configurator supervision identity

certificate is installed on the device.

oMedia such as photos and videos cannot be copied from the device to a PC or Mac. To transfer this type of data,

use the VMware Content Locker to sync the content with the user’s Personal Documents section. Alternatively, a

file sharing application can be used to transfer the data over WLAN/WWAN to a server.

Chapter 7: Device Enrollment

101

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

lSupervised mode prevents access to device-side logs using the iPhone Configuration Utility (IPCU).

oThis mode makes it harder to troubleshoot any application or device issues. The reason for this difficulty is the

logs from the device can only be obtained if the device is connected to the supervising Mac. To remediate some

of the challenges, use the AirWatch SDK to send logs and logistics from the applications to the AirWatch Console.

lDevices cannot be reset with factory settings easily.

oOnce a device is factory reset, it must be brought back to the supervising Mac to restore it back to supervised

mode. This procedure may be problematic if the Mac is not near the device.

In deciding whether or not to enable Supervised Mode, consider the following. While it enables additional features that

enhance security on the device, the USB limitations must be considered.

The proximity of the device to the supervising Mac plays an important role in the decisions. Since the USB limitation

prevents access to device-side logs, a device experiencing issues must be shipped back to a depot and restaged to restore

functionality.

Deciding on supervision in advance is important because the process to supervise or “unsupervise” requires the shipping

of the device to an IT location or depot.

Stage a Single-User Device

Single-User Device Staging on the AirWatch Admin Console allows a single administrator to outfit devices for other users

on their behalf, which can be particularly useful for IT administrators provisioning a fleet of devices.

1. Navigate to Accounts > Users > List View and select Edit for the user account for which you want to enable device

staging.

2. In the Add / Edit User page, select the Advanced tab.

a. Scroll down to the Staging section.

b. Select Enable Device Staging.

c. Select the staging settings that will apply to this staging user.

3. Single User Devices stages devices for a single user. Toggle the type of single user device staging mode to either

Standard or Advanced. Standard staging requires an end user to enter login information after staging, while

Advanced means the staging user can enroll the device on behalf of another user.

4. Ensure Multi User Devices is set to Disabled.

5. Enroll the device using one of the two following methods.

lEnroll using the AirWatch Agent by entering a server URLand Group ID.

lOpen the device's Internet browser, navigate to the enrollment URL, and enter the proper Group ID.

6. Enter your staging user's credentials during enrollment. If necessary, specify that you are staging for Single User

Devices. You will only have to do this if multi-user device staging is also enabled for the staging user.

7. Complete enrollment for either Advanced or Standard staging.

lIf you are performing Advanced staging, you are prompted to enter the username of the end-user device owner

who is going to use the device. Proceed with enrollment by installing the Mobile Device Management

Chapter 7: Device Enrollment

102

VMware AirWatch Mobile Device Management Guide | v.2017.10 | October 2017

(MDM)profile and accepting all prompts and messages.

lIf you are performing Standard staging, then when the end user completes the enrollment, they will be

prompted to enter their own credentials in the login window.

The device is now staged and ready for use by the new user.

Stage a Multi-User Device

Multi-user device/shared device staging allows an ITadministrator to provision devices intended to be used by more

than one user. Multi-User staging allows the device to dynamically change its assigned user as the different network

users log into that device.

1. Navigate to Accounts > Users > List View and select Edit for the user account for which you want to enable device

staging.

2. In the Add / Edit User page, select the Advanced tab.

a. Scroll down to the Staging section.

b. Select Enable Device Staging.

c. Select the staging settings that will apply to this staging user.

3. Single User Devices stages devices for a single user. Toggle the type of single user device staging mode to either

Standard or Advanced. Standard staging requires an end user to enter login information after staging, while

Advanced means the staging user can enroll the device on behalf of another user.

4. Ensure Multi User Devices is set to Enabled.