Console Basics
VMware Workspace ONE UEM 2209
You can find the most up-to-date technical documentation on the VMware by Broadcom website at:
https://docs.vmware.com/
VMware by Broadcom
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2022 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, go to https://www.broadcom.com. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies. Copyright and trademark information.
Contents
1 Working in the UEM Console 5
2 Logging In to the Console 11
3 Using the Getting Started Wizard 21
4 Main Menu 24
5 APNs Certificates for Workspace ONE UEM 26
6 Assignment Groups 29
  Organization Groups 32
  Smart Groups 42
  User Groups 52
  Admin Groups 60
  View Assignments 63
7 Configurations 64
8 Console Monitor 66
9 Console Notifications 71
10 Event Logs 75
11 Freestyle Orchestrator 78
12 Other Enterprise Systems for Integration 79
13 Role-based Access 81
  How Do You Create a Restrictive Help Desk Admin and Add a Role Giving It Specific Functions 94
14 Self-Service Portal Into Workspace ONE UEM 98
15 Terms of Use 105
16 User and Admin Accounts 109
  User Authentication Types 111
  Basic User Accounts 119
  Directory-based User Accounts 122
  Batch Import Feature 125
  Admin Accounts 129
17 Using UEM Functionality With a REST API 134
1 Working in the UEM Console
You can view and manage every aspect of your mobile device deployment. With this single, web-
based resource, you can quickly and easily add new devices and users to your fleet, manage
profiles, and configure system settings.
Acquaint yourself with security settings and interface features such as the Getting Started
Wizard, menu icons, sending feedback, and global search.
For more information about how VMware handles information collected through Workspace
ONE UEM, such as analytics, see the VMware Privacy Policy at https://www.vmware.com/help/
privacy.html.
Supported Browsers
The Workspace ONE Unified Endpoint Management (UEM) console supports the latest stable builds of the following web browsers.
• Chrome
• Firefox
• Safari
• Microsoft Edge
Comprehensive platform testing has been performed to ensure functionality using these web browsers. If you run the UEM console in an older browser version or in a browser that is not certified, you might experience minor issues.
Note If you use Internet Explorer to access the UEM console, navigate to Control Panel > Settings > Internet Options > Security and make sure that the security level, or custom security level, you use has the Font Download option set to Enabled.
Table 1-1. Supported Platforms
• Android 5.0+
• Apple iOS 11.0+
• Apple macOS 10.9+
• Chrome OS (latest)
• QNX 6.5+
• Windows Desktop (8/8.1/RT/10)
• Windows Rugged (Mobile 5/6 and Windows CE 4/5/6)
Limited support might be available for other devices or operating systems. Workspace ONE
Direct Enrollment is supported on iOS and Android devices only. For more information, see
the topic Workspace ONE Direct Enrollment in the Workspace ONE UEM Managing Devices
documentation.
Refer to each platform-specific guide by searching the online help, visiting docs.vmware.com, or
contacting VMware Support for more information.
Header Menu
The Header Menu appears at the top of nearly every page of Workspace ONE UEM powered by AirWatch, giving you access to the following functions and features.
• Organization Group – Select the Organization Group (the tab labeled Global) to which you want to apply changes.
• Add – Quickly create an admin, device, user, policy, content, profile, internal application, or public application.
• Global Search – Search all aspects of your deployment within the UEM console, including devices, users, content, applications, configuration settings, admins, pages, and more.
• Notifications – Stay informed about important console events with Notifications. The number badge on the Notifications bell icon indicates the number of alerts that require your attention.
• Saved – Access your favorite and most-utilized pages within the UEM console.
• Help – Browse or search the available guides and UEM console documentation.
• My Services Selector – Use this menu button to select between all Workspace ONE services that are available to you.
• Account – View your account information. Change the Account Role that you are assigned to within the current environment. Customize settings for contact information, language, and Notifications, view your history of Logins, and manage Security settings including PIN reset. You can also Log out of the UEM console and return to the Login screen.
• Refresh – See updated stats and info without leaving the current view by refreshing the screen.
• Available Sections – Customize the view of the Monitor Overview by selecting only the sections you want to see. Available only on the Monitor screen.
• Export – Produces a full (or filtered, if filtering is used) listing of users, devices, profiles, apps, books, or policies to an XLSX or CSV (comma-separated values) file. You can view and analyze these files with MS Excel.
• Home – Use this icon to assign any screen in the UEM console as your home page. The next time you open the UEM console, your selected screen displays as your home page.
• Save – Add the current page to the Saved page list for quick access to your favorite UEM console pages.
Global Search
Using a modular design with a tabbed interface, Global Search runs searches across your entire deployment. Global Search applies your search string to a single tab at a time, which produces faster results. Apply the same string to another area of Workspace ONE UEM by selecting another tab.
After running a global search, select the following tabs to view the results.
• Devices – Returns matches to Device friendly name and Device Profile name searches. Search results include the organization group to provide context in large environments.
• Accounts – Returns matches to user name and administrator name searches.
• Applications – Returns matches to internal, public, purchased, and Web application searches.
• Content – Returns matches to any content that appears on devices.
You can use the asterisk * as a wildcard in your search parameters in the following ways.
• Entering *device returns ruggeddevice, appledevice, mobiledevice
• Entering m*e returns manufacture, Maine, merge
• Entering admin* returns administrator, administration, admins
• Without wildcards, Global Search returns only exact matches. To find a string that can appear anywhere in a name, use wildcards both before and after your search parameter.
• For example, entering *desktop* returns all devices that include the string "desktop" anywhere in their device list entry.
• An alternate way to find desktops is to use filters in the device list view. With filters you can produce a single list of not only Windows desktops but also macOS devices plus a large array of other variables. For more information, see Filtering Devices in List View.
• To include an asterisk as a literal character in your search parameter, enclose it in double quotes or precede it with a backslash.
• Entering micro"*" returns micro*
• Entering valueable\* returns valueable*
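The wildcard rules above, modeled as an added Python example that is not Workspace ONE UEM code. It turns a search term into a regular expression and runs it over a constructed list of names, so you can see which names an exact term, a prefix or suffix wildcard, a *term* substring search, and an escaped asterisk each return. The case-insensitive comparison and the treatment of a double-quoted run as literal text are assumptions made here, not documented console behaviour.

```python
import re

# Added example, not Workspace ONE UEM code: a matcher that models the Global
# Search wildcard rules from the documentation.
#   no wildcard             -> exact match only
#   *device / admin* / m*e  -> suffix, prefix, and prefix-plus-suffix match
#   *desktop*               -> substring anywhere in the name
#   micro"*" or valueable\* -> a literal asterisk
# Case-insensitive comparison and the treatment of a double-quoted run as
# literal text are assumptions made here, not documented console behaviour.


def search_term_to_regex(term):
    """Translate a Global Search term into a compiled regular expression."""
    parts = []
    i = 0
    while i < len(term):
        ch = term[i]
        if ch == "\\" and i + 1 < len(term):
            # Backslash escape: the next character is literal (valueable\*).
            parts.append(re.escape(term[i + 1]))
            i += 2
        elif ch == '"':
            # Double-quoted run: everything up to the closing quote is literal (micro"*").
            end = term.find('"', i + 1)
            if end == -1:
                end = len(term)
            parts.append(re.escape(term[i + 1:end]))
            i = end + 1
        elif ch == "*":
            parts.append(".*")  # wildcard: any run of characters, including none
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def global_search(term, candidates):
    """Return, in order, the candidates that match the term under the wildcard rules.

    fullmatch anchors the pattern at both ends, which is what makes a term
    without wildcards an exact match rather than a substring match.
    """
    pattern = search_term_to_regex(term)
    return [name for name in candidates if pattern.fullmatch(name)]


# Constructed sample names (made up for this example, not from a real tenant).
SAMPLE_NAMES = [
    "ruggeddevice",
    "appledevice",
    "mobiledevice",
    "manufacture",
    "Maine",
    "merge",
    "administrator",
    "administration",
    "admins",
    "micro*",
    "valueable*",
    "Sales-Desktop-01",
    "desktop",
    "admin",
]

if __name__ == "__main__":
    for term in ["*device", "m*e", "admin*", "admin", "desktop", "*desktop*", 'micro"*"', "valueable\\*"]:
        print(f"{term:14} -> {global_search(term, SAMPLE_NAMES)}")
```

Note that m*e also returns mobiledevice: a wildcard between two fragments matches any run of characters, so the documented examples are illustrative rather than exhaustive. The exact term desktop does not return Sales-Desktop-01; only *desktop* does.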
Search for an Organization Group
You can also search for an organization group by selecting the organization group drop-down menu. The Search bar displays above the list.
Search for Settings
You can search for settings by initiating a search from the Configurations page. Navigate to Groups & Settings > Configurations and enter your keyword in the search text box.
Collapse and Expand the Submenu
You can collapse the left panel submenu of Workspace ONE UEM to create more screen space for device information. You can also expand or reopen a collapsed submenu.
1 To collapse the submenu temporarily, select the arrow pointing left.
2 To expand or reopen the collapsed submenu, select the arrow pointing right at the bottom-left of the screen.
Customize the UI with Branding
Workspace ONE UEM allows extensive customization options. These options allow you to brand your tools and resources according to the color scheme, logo, and overall aesthetic of your organization.
Branding can be configured in support of multi-tenancy, so different divisions of your enterprise can have their own look and feel at their organization group level. For more information, see Organization Groups.
1 Select the organization group you want to brand and then navigate to Groups & Settings > All Settings > System > Branding.
2 Configure logo and background settings on the Branding tab.
3 Upload a Company Logo from a file saved on your computer. The suggested resolution of the uploaded image is 800x300.
4 Upload a background for the login page from a file saved on your computer. The suggested resolution of the uploaded image is 1024x768.
5 Upload a background for the Self-Service Portal (SSP) login page from a file saved on your computer. The suggested resolution of the uploaded image is 1024x768.
6 Configure customizations in the Colors section of the Branding tab.
7 Configure the settings on the Custom CSS tab. Enter customized CSS code for advanced branding.
8 Select Save.
Join or Leave the Customer Experience Improvement Program
The VMware Customer Experience Improvement Program (CEIP) provides information that VMware uses to improve its products and services, to fix problems, and to advise you on how best to deploy and use VMware products. This program is only available to on-premises deployments of Workspace ONE UEM.
Before you begin: Workspace ONE UEM participates in VMware's Customer Experience Improvement Program ("CEIP"). Details regarding the data collected through CEIP and the purposes for which it is used by VMware are set forth at the Trust & Assurance Center at http://www.vmware.com/trustvmware/ceip.html.
For more information about how VMware handles information collected through Workspace ONE UEM, such as analytics, see the VMware Privacy Policy at https://www.vmware.com/help/privacy.html.
About this task: The CEIP prompt appears when you install or upgrade Workspace ONE UEM. You must make a selection. You can change your selection at any time afterwards from the UEM console by taking the following steps.
1 Navigate to Groups & Settings > All Settings > Admin > Product Improvement Programs.
2 If you want to participate in the CEIP, enable the check box next to Join the VMware Customer Experience Improvement Program. If you do not want to participate in the CEIP, deactivate (clear) this check box.
3 Select the Save button.
2 Logging In to the Console
Before you can do anything in Workspace ONE UEM, you must first log in to the console.
Before you can log in to the Workspace ONE UEM console, you must have the Environment URL and login credentials. How you obtain this information depends on your type of deployment.
• SaaS Deployment – Your Account Manager provides your Environment URL and user name/password. The URL is not customizable, and generally follows the format of awmdm.com.
• On-premises – The on-premises URL is customizable and follows the format awmdm.<YourCompany>.com.
Your Account Manager provides the initial setup credentials for your environment. Administrators who create more accounts to delegate management responsibility can also create and distribute credentials for their environment.
After your browser has successfully loaded the console Environment URL, you can log in using the User Name and Password provided by your Workspace ONE UEM administrator.
1 Enter your User Name.
• The Workspace ONE UEM console saves the user name and the type of user (SAML or non-SAML) in the browser cache.
• If you are a SAML user, you are directed to the SAML login.
• If you are a non-SAML user, you must enter a password.
• If the Remember check box is enabled, then the User Name text box is pre-populated with the last logged-in user the next time you visit your Environment URL.
2 Enter your Password.
• If you are logging in for the first time, you are prompted for the login password. Enter it to proceed.
• If you have logged in before and you allow your default browser to remember user names and passwords, then the Password text box auto-completes with the password the browser saved.
3 Select the Log In button.
• Your default home screen (which is customizable) opens upon login. Learn how to customize your home screen by visiting Header Menu.
Password Expiration
Basic administrators are notified by email 5 days before their password expires with another
email notification the day before. On-premises administrators can change this default 5-day
period by navigating to Groups & Settings > All Settings > Admin > Console Security >
Passwords while in the Global organization group. Dedicated SaaS administrators must contact
support to make changes to this setting.
You can make a custom password expiration notification for your admins by navigating to Groups & Settings > All Settings > Devices & Users > General > Message Template and selecting 'Administrator' as the Category and 'Admin Password Expiry Notification' as the Type.
For information about Enrollment User Password Settings, which are managed separately from
Admin Console Passwords, see the system settings page by navigating to Groups & Settings >
All Settings > Devices & Users > General > Passwords.
Session Timeouts and Logouts
The Workspace ONE UEM console logs you out in two basic scenarios.
1 Explicit logout (including closing the browser and inactivity).
• If you have configured your default browser to remember your user name and password, then upon the next login, the browser pre-populates the user name text box with the last user to log in successfully.
• If you have configured your browser to forget user names and passwords, then the user name and type of user (SAML / non-SAML) are wiped from the browser cache.
2 Session invalidation (including load balancer issues and session timeouts due to an admin setting).
• Non-SAML users log back in using a saved user name and selecting the Log In button.
• SAML users can log back into the console without any clicks.
Login Lockouts
System Administrators and AirWatch Administrators can configure the Maximum invalid login attempts before admins are locked out of the console by navigating to Groups & Settings > All Settings > Admin > Console Security > Passwords.
You are locked out of the UEM console in two scenarios: 1) when your number of failed login attempts exceeds the configured maximum number of invalid login attempts, and 2) when you answer your password recovery question incorrectly three times while trying to reset your password.
When this happens, you must either reset your password using the troubleshooting link on the login page or get assistance from an admin to unlock your account using the Admin List View. You receive an email notification when your account is locked and again when it becomes unlocked.
Research Account Lockout Console Events
When Basic Administrator accounts are locked out or unlocked in Workspace ONE UEM, a
console event is generated. Both events generate a logging level 5 (warning) event. In addition
to reviewing the basic login history directly from Account Settings, you can research Admin
account lockouts or unlock console events by taking the following steps.
1 Navigate to Monitor > Reports and Analytics > Events > Console Events.
2 Select "Warning and above" from the Severity drop-down filter at the top of the Console
Event listing.
3 Select "Login" from the Category drop-down filter.
4 Select "Administration" from the Module drop-down filter.
5 Apply more filters as you might require including Date Range.
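The Console Events filter from the steps above, applied in an added Python example that is not Workspace ONE UEM code. It runs the same Severity, Category, Module, and date-range filters over constructed event records, then counts lockouts and unlocks per admin so accounts that are locked more often than they are unlocked stand out. The record layout, the sample events, and every severity number except 5 (warning), which the documentation states, are assumptions made for this illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Added example, not Workspace ONE UEM code: the Console Events filter from the
# steps above applied to constructed event records. The record layout, the
# sample events, and every severity number except 5 (warning), which the
# documentation states, are assumptions made for this illustration.

SEVERITY_LEVEL = {"Information": 3, "Notice": 4, "Warning": 5, "Error": 6, "Critical": 7}


@dataclass(frozen=True)
class ConsoleEvent:
    timestamp: datetime
    severity: str
    category: str
    module: str
    admin: str
    description: str


# Constructed sample events (not real console output).
SAMPLE_EVENTS = [
    ConsoleEvent(datetime(2022, 9, 1, 8, 0), "Information", "Login", "Administration", "jdoe", "Admin logged in"),
    ConsoleEvent(datetime(2022, 9, 1, 8, 5), "Warning", "Login", "Administration", "svc-helpdesk", "Admin account locked out"),
    ConsoleEvent(datetime(2022, 9, 1, 8, 30), "Warning", "Login", "Administration", "svc-helpdesk", "Admin account unlocked"),
    ConsoleEvent(datetime(2022, 9, 1, 9, 0), "Warning", "Device", "Devices", "jdoe", "Device wipe requested"),
    ConsoleEvent(datetime(2022, 9, 2, 23, 10), "Warning", "Login", "Administration", "svc-helpdesk", "Admin account locked out"),
    ConsoleEvent(datetime(2022, 9, 3, 2, 15), "Warning", "Login", "Administration", "mlee", "Admin account locked out"),
    ConsoleEvent(datetime(2022, 9, 4, 10, 0), "Notice", "Login", "Administration", "jdoe", "Admin password changed"),
]


def filter_console_events(events, min_severity="Warning", category="Login",
                          module="Administration", since=None, until=None):
    """Apply the console filters: Severity 'Warning and above', Category, Module, and an optional date range."""
    threshold = SEVERITY_LEVEL[min_severity]
    selected = []
    for event in events:
        if SEVERITY_LEVEL[event.severity] < threshold:
            continue
        if event.category != category or event.module != module:
            continue
        if since is not None and event.timestamp < since:
            continue
        if until is not None and event.timestamp > until:
            continue
        selected.append(event)
    return selected


def lockout_summary(events):
    """Per admin, count lockout and unlock events among the filtered events."""
    locked, unlocked = Counter(), Counter()
    for event in events:
        # "unlocked" is checked first because it also contains the substring "locked".
        if "unlocked" in event.description:
            unlocked[event.admin] += 1
        elif "locked out" in event.description:
            locked[event.admin] += 1
    return {admin: (locked[admin], unlocked[admin]) for admin in sorted(locked.keys() | unlocked.keys())}


def still_locked(summary):
    """Admins with more lockouts than unlocks in the window: probably still locked, and worth a look."""
    return [admin for admin, (locks, unlocks) in summary.items() if locks > unlocks]


if __name__ == "__main__":
    events = filter_console_events(SAMPLE_EVENTS)
    summary = lockout_summary(events)
    for admin, (locks, unlocks) in summary.items():
        print(f"{admin}: {locks} lockout(s), {unlocks} unlock(s)")
    print("still locked:", still_locked(summary))
```

The Severity filter is a threshold, so raising it to "Warning and above" drops the routine login and password-change events while keeping both lockout and unlock events, which the documentation says are logged at level 5.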
Manage Account Settings
Administrators of Workspace ONE UEM have console-specific account settings that let you configure user contact information, notification preferences, login history, and security configuration including password recovery.
Manage Account Settings: User
Ensure you can be reached by entering your personal information in the User tab, including email, up to four different phone numbers, time zone, and locale.
Manage Account Settings: Notifications
Use the Notifications settings on the Account Settings page to enable or deactivate APNs Expiration alerts, select how to receive alerts, and change the email address to which alerts are sent. For more information, see Configure Notifications Settings.
Manage Account Settings: Logins
Review your entire login history including login date and time, the source IP address, login type, source applications, browser make and version, OS platform, and login status.
Manage Account Settings: Security
You can reset your login password, reset the password recovery questions, and reset your
four-digit security PIN.
Manage Account Settings: Password
The Password accompanies your account user name when you log into the UEM console. You
can Reset this password at any time.
Manage Account Settings: Password Recovery Questions
The Password Recovery Questions are the method by which you reset your password. You
must define this question together with its answer when you log in to the UEM console for the
first time. You can select a new password recovery question by selecting the Reset button.
This action logs out the user automatically. Upon logging back in, they are presented with the
Security Settings screen where they are required to select from the list of Password Recovery
Questions and supply the answer.
Admins who never selected a password recovery question and do not have a Reset button for
Password Recovery Questions must have their accounts deleted and re-created. Upon logging
in for the first time after their account is re-created, they are required to define a password
recovery question and answer.
You are locked out from the login page when you answer a Password Recovery Question
incorrectly more than three times. When this happens, you must reset your password using
the troubleshooting link on the login page. Alternatively, you can get assistance from an admin
to unlock your account using the Admin List View. You receive an email notification when your
account is locked and again when it becomes unlocked.
Manage Account Settings: Security PIN
Establish security for the UEM console by creating a Security PIN. The PIN acts as a safeguard against accidentally wiping a device or deleting important aspects of your environment, such as users and organization groups. The Security PIN also works as a second layer of security. It presents an added point of authentication by blocking actions made by unapproved users.
When you first log in to the UEM console, you are required to establish a Security PIN.
Reset your security PIN periodically to minimize security risks.
Cookie Usage (viewable by VMware Cloud Services administrators only)
You can participate in the process of improving our services, including support, recommendations, and user experience, by enabling access to browser cookie-based product guides and analytics. You can opt out by selecting Cookie Usage and deactivating the sliders for Enable Analytics and Enable Product Guides under the Pendo info card.
Restrict UEM Console Actions
When the Workspace ONE UEM console is left unlocked and unattended, an extra safeguard is provided against malicious actions that are potentially destructive. You can place those actions out of reach of unauthorized users in such a scenario.
1 Navigate to Groups & Settings > All Settings > System > Security > Restricted Actions.
2 Configure the Send Message to All setting. Enable this setting to allow a system administrator to send a message to all devices in your deployment from the Device List View. It can also be used to send a message to a specific group.
3 You can require that certain UEM console actions require admins to enter a PIN. Configure the Password Protect Actions by enabling or disabling the following actions.
Note Some actions, marked with * below, always require a PIN and as a result cannot be deactivated.
Setting – Description
Admin Account Delete – Prevents the deletion of an admin user account in Accounts > Administrators > List View.
*Regenerate VMware Enterprise Systems Connector Certificate – Prevents the regeneration of the VMware Enterprise Systems Connector certificate in Groups & Settings > All Settings > System > Enterprise Integration > VMware Enterprise Systems Connector.
*APNs Certificate Change – Prevents the disabling of APNs for MDM in Groups & Settings > All Settings > Devices & Users > Apple > APNs For MDM.
Application Delete/Deactivate/Retire – Prevents the deletion, deactivation, or retirement of an application in Apps & Books > Applications > List View.
Content Delete/Deactivate – Prevents the deletion or deactivation of a content file in Content > List View.
*Data Encryption Toggle – Prevents changes to the Encryption of user information setting in Groups & Settings > All Settings > System > Security > Data Security.
Device Delete – Prevents the deletion of a device in Devices > List View. The admin security PIN is still required for bulk actions even when this setting is deactivated.
*Device Wipe – Prevents any attempt to perform a device wipe from the Device List View or Device Details screens.
Enterprise Reset – Prevents any attempt to perform an enterprise reset on a device from the Device Details page of a Windows Rugged, Rugged Android, or QNX device.
Enterprise Wipe – Prevents any attempt to perform an enterprise wipe on a device from the Device Details page of a device.
Enterprise Wipe (Based on User Group Membership Toggle) – Prevents any attempt to perform an enterprise wipe on a device when it is removed from a user group. This optional setting is configured under Groups & Settings > All Settings > Devices & Users > General > Enrollment on the Restrictions tab. If you Restrict Enrollment to Configured Groups on this tab, you have the added option of performing an enterprise wipe of a device when it is removed from a group.
*Organization Group Delete – Prevents any attempt to delete the current organization group from Groups & Settings > Groups > Organization Groups > Organization Group Details.
Profile Delete/Deactivate – Prevents any attempt to delete or deactivate a profile from Devices > Profiles & Resources > Profiles.
Provisioning Product Delete – Prevents any attempt to delete a provisioning product from Devices > Provisioning > Products List View.
Revoke Certificate – Prevents any attempt to revoke a certificate from Devices > Certificates > List View.
*Secure Channel Certificate Clear – Protects against any attempt to clear an existing secure channel certificate from Groups & Settings > All Settings > System > Advanced > Secure Channel Certificate.
User Account Delete – Prevents any attempt to delete a user account from Accounts > Users > List View.
Change in Privacy Settings – Prevents any attempt to alter the privacy settings in Groups & Settings > All Settings > Devices & Users > General > Privacy.
Delete Telecom Plan – Prevents the deletion of a telecom plan in Telecom > Plan List.
Override Job Log Level – Prevents attempts to override the currently selected job log level from Groups & Settings > Admin > Diagnostics > Logging. Overriding the Job Log Level is useful when a device or group of devices is having an issue. In this case, the admin can override those device settings by forcing an elevated log level to Verbose, which logs the maximum level of console activity, making it ideal for troubleshooting.
*App Scan Vendor Reset/Toggle – Prevents the resetting (and subsequent wiping) of your app scan integration settings. This action is performed in Groups & Settings > All Settings > Apps > App Scan.
Shut Down – Prevents any attempt to shut down the device in Devices > List View > Device Details.
Maximum invalid PIN attempts – Defines the maximum number of invalid attempts at entering a PIN before the console locks down. This setting must be between 1 and 5.
Select Password Protect Actions
Restricted Console Actions provide an added layer of protection against malicious actions that are potentially destructive to your Workspace ONE UEM console.
1 Configure settings for restricted actions by navigating to Groups & Settings > All Settings > System > Security > Restricted Actions.
2 For each action you want to protect by requiring admins to enter a PIN, select the appropriate Password Protect Actions button, Enabled or Deactivated. This requirement provides you with granular control over which actions you want to make more secure.
Note Some actions always require a PIN and as a result cannot be deactivated. They are marked with an asterisk (*).
3 Set the maximum number of failed PIN attempts the system accepts before automatically logging out the session. If you reach the set number of attempts, you must log in to the Workspace ONE UEM console and set a new security PIN.
The actions you can protect, their descriptions, and the actions that always require a PIN (marked with *) are the same as those listed in the table under Restrict UEM Console Actions.
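An added Python example, not Workspace ONE UEM code, that models the Password Protect Actions and Maximum invalid PIN attempts settings described above. It lets you audit a recorded Restricted Actions configuration for destructive actions an unattended console could still perform without a PIN, and it simulates the PIN lockout after the configured number of wrong entries. The action names and the always-protected (*) actions come from the table; the dictionary layout used to represent the settings, the sample configurations, and the lockout simulation are assumptions made here.

```python
import hmac

# Added example, not Workspace ONE UEM code. Action names come from the
# Restricted Actions table; the settings dictionary layout is an assumption.

# Actions marked * in the table: the PIN is always required and cannot be
# switched off.
ALWAYS_REQUIRE_PIN = frozenset({
    "Regenerate VMware Enterprise Systems Connector Certificate",
    "APNs Certificate Change",
    "Data Encryption Toggle",
    "Device Wipe",
    "Organization Group Delete",
    "Secure Channel Certificate Clear",
    "App Scan Vendor Reset/Toggle",
})

# Actions whose PIN requirement an admin can enable or deactivate.
CONFIGURABLE_ACTIONS = frozenset({
    "Admin Account Delete",
    "Application Delete/Deactivate/Retire",
    "Content Delete/Deactivate",
    "Device Delete",
    "Enterprise Reset",
    "Enterprise Wipe",
    "Enterprise Wipe (Based on User Group Membership Toggle)",
    "Profile Delete/Deactivate",
    "Provisioning Product Delete",
    "Revoke Certificate",
    "User Account Delete",
    "Change in Privacy Settings",
    "Delete Telecom Plan",
    "Override Job Log Level",
    "Shut Down",
})


def pin_required(action, settings, bulk=False):
    """True if the console prompts for the admin PIN before this action.

    settings maps a configurable action name to True (Enabled) or False
    (Deactivated). Bulk device deletion prompts even when Device Delete is
    deactivated, as the table notes.
    """
    if action in ALWAYS_REQUIRE_PIN:
        return True
    if action not in CONFIGURABLE_ACTIONS:
        raise ValueError(f"unknown restricted action: {action!r}")
    if action == "Device Delete" and bulk:
        return True
    return bool(settings.get(action, False))


def unprotected_actions(settings):
    """Configurable actions that the given settings leave without a PIN prompt."""
    return sorted(a for a in CONFIGURABLE_ACTIONS if not pin_required(a, settings))


def validate_max_invalid_pin_attempts(value):
    """The console accepts only 1 to 5 for Maximum invalid PIN attempts."""
    if not isinstance(value, int) or isinstance(value, bool) or not 1 <= value <= 5:
        raise ValueError("Maximum invalid PIN attempts must be between 1 and 5")
    return value


class PinGate:
    """Simulates PIN entry on a protected action (simulation, not console code).

    After the configured number of consecutive wrong PINs the session is
    locked and every further attempt fails until the admin logs in again.
    """

    def __init__(self, pin, max_invalid_attempts):
        self._pin = pin.encode()
        self.max_invalid_attempts = validate_max_invalid_pin_attempts(max_invalid_attempts)
        self.failures = 0
        self.locked_out = False

    def verify(self, entered):
        if self.locked_out:
            return False
        # Constant-time comparison so the check does not leak how many digits matched.
        if hmac.compare_digest(self._pin, entered.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_invalid_attempts:
            self.locked_out = True
        return False


# Constructed sample configurations (not exported from a real console).
WEAK_SETTINGS = {a: False for a in CONFIGURABLE_ACTIONS}
HARDENED_SETTINGS = {a: True for a in CONFIGURABLE_ACTIONS}

if __name__ == "__main__":
    print("Unprotected with weak settings:", unprotected_actions(WEAK_SETTINGS))
    print("Unprotected with hardened settings:", unprotected_actions(HARDENED_SETTINGS))
```

With every configurable action deactivated, an enterprise wipe, a profile delete, or a user account delete needs no PIN at all on an unattended console, while a device wipe still does because it is on the always-protected list.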
Configure Required Notes for Action
You can require administrators to enter notes using the Require Notes check box and explain their reasoning when performing certain Workspace ONE UEM console actions.
1 Navigate to Groups & Settings > All Settings > System > Security > Restricted Actions.
2 If you require that your admins enter a note before taking any of these actions, make sure that you modify their role to include the Add Note resource (permission). For more information, see Create Administrator Role.
Setting – Description
Lock Device – Require a note for any attempt to lock a device from Device List View or Device Details.
Lock SSO – Require a note for any attempt to lock an SSO session from Device List View or Device Details.
Device Wipe – Require a note for any attempt to perform a device wipe from Device List View or Device Details.
Enterprise Reset – Require a note for any attempt to enterprise reset a device from the Device Details page of a Windows Rugged or Rugged Android device.
Enterprise Wipe – Require a note for any attempt to perform an enterprise wipe from Device Details.
Override Job Log Level – Require a note before attempts to override the default job log level from Groups & Settings > Admin > Diagnostics > Logging.
Reboot Device – Require a note before a reboot attempt from Devices > List View > Device Details.
Shut Down – Require a note before a shut down attempt from Devices > List View > Device Details.
Using the Getting Started Wizard
3
The Getting Started Wizard serves as a checklist that walks you through the settings step by
step for Workspace ONE UEM powered by AirWatch. It presents only those modules within your
specific deployment, producing a configuration experience tailored to your environment.
Navigate the Getting Started Wizard
The Getting Started Wizard main menu operates in a way that is most convenient to you. It not
only tracks how far along you are in the configuration process, you can start, pause, restart later,
rewind, review, and even change prior responses.
- Initiate the first step in a submodule by selecting Start Wizard. Here, you configure settings
for each feature by answering questions and accessing the exact pages within the UEM
console. As you complete each submodule, the percentage counter in the upper-right corner
progresses and displays how far along you are in completing the submodule.
- If you stop a submodule before completing it, you can return to where you left off by
selecting Continue.
- You can opt out of any submodule by selecting Skip Section, which temporarily deactivates
the Continue button and inserts a Resume Section link. Enable the Continue button once
more by selecting the Resume Section link.
The Getting Started page is split into four submodules: Workspace ONE, Device, Content, and
Application. Each submodule has its own set of steps. The Getting Started Wizard tracks shared
steps among all submodules so you never have to complete the same step twice.
- Workspace ONE – Representing unimpeded access from any employee or corporate owned
device. Secure connectivity to enterprise productivity applications such as email, calendar,
contacts, documents, and more. Instant, Single Sign-On (SSO) access to mobile, cloud, and
Windows applications. Powerful data security that protects the enterprise and employees
against compromised devices.
For more information about Workspace ONE, see VMware Workspace ONE Documentation.
- Device – Perform actions on MDM enrolled devices such as lock, notify, or enterprise wipe.
You can configure email, restrictions, settings, and more by deploying device profiles. You
can ensure that you meet security policies for your device fleet by configuring compliance
policies. Manage your devices using the best information learned from the Dashboard and
Monitor.
- Content – Deploy content & access it within the Content Locker application. View & Manage
your content with Content Dashboards, Reports, and Logs. Share and collaborate with others
using personal content. Integrate with existing repositories and deploy your content to
mobile devices.
- Application – Deploy internally developed or publicly available free or purchased
applications. Users can search, download, and install applications when you deploy a custom
App Catalog. Integrate with compliance policies and application control profiles by making
allowlist and denylist of applications. Configure advanced application management options
like application scanning.
Navigate the Workspace ONE, Device, Content, and
Application Wizards
Each of the four submodules displays a list of sections representing features that you can
configure or ignore, according to the needs of your organization. Features not configured display
an empty Incomplete check box while configured features display a green Complete check mark.
- You can define settings for the feature you are interested in by selecting the Configure
button.
- Review or change settings of a complete feature by selecting the Edit button.
- The percentage completed progress bar progresses as you complete each feature.
- Most features have a Video button next to the Configure or Edit button. This video lets
you see the feature in action and aids your understanding of how it might be useful to your
organization.
- You can skip some features in the submodule without penalty toward the percentage
completed progress bar. Remove the feature from your list by selecting the Skip This Step
button where available. To display the feature once again, select the Reactivate button.
Some features and functions have prerequisites. For example, Mobile Single Sign-On requires
that you have already configured Enterprise Connector, Active Directory, and Workspace ONE
Access. Where possible, you can initiate the configuration of these required features by selecting
the provided button.
Enable the Getting Started Wizard Manually
For a new Workspace ONE UEM implementation, access the Getting Started page from the
main menu. However, you can manually enable the Getting Started Wizard at any time. Manually
enabling the Getting Started Wizard restarts the walk-through.
1 Select any organization group other than the top level group.
2 Navigate to Groups & Settings > Groups > Organization Groups > Organization Group
Details. Ensure that you are currently at a customer-level organization group and Save your
changes.
3 Navigate to Groups & Settings > All Settings > System > Getting Started.
4 You can activate each of the Getting Started sections that you want by selecting Enable.
- Getting Started Workspace ONE Status
- Getting Started Device Status
- Getting Started Content Status
- Getting Started Application Status
5 Save changes to the page.
For more information, see Organization Groups.
4 Main Menu
From the main menu you can navigate to all the role-enabled features and every part of the MDM
deployment within Workspace ONE UEM powered by AirWatch.
Getting Started – Ensure that all aspects of a basic successful deployment are established. Getting Started is organized to reflect only those modules within a Workspace ONE UEM console deployment that you are interested in. Getting Started produces an on-boarding experience that is more tailored to your actual configuration.
Monitor – View and manage MDM information that drives decisions you must make and access a quick overview of your device fleet. View information such as the most denylisted applications that violate compliance. Track module licenses with the Admin Panel Dashboard and monitor all devices that are currently out of compliance. Select and run Industry Templates to streamline the onboarding process with industry-specific applications and policies for your iOS devices.
Devices – Access an overview of common aspects of devices in your fleet, including compliance policies and status, ownership type breakdown, last seen, platform type, and enrollment type. Swap views according to your own preferences including full Dashboard, list view, and detail view. Access tabs, including all current profiles, enrollment status, Notification, Wipe Protection settings, compliance policies, certificates, product provisioning, and printer management.
Resources – Access and manage resource elements you install on devices, including applications & books, sensors, device profiles, device updates, scripts, and installation orders. Also view application analytics and logs with application settings, time schedules, and geofences.
Accounts – Survey and manage users and administrators involved with your MDM deployment. Access and manage user groups, roles, batch status, and settings associated with your users. Also, access and manage admin groups, roles, system activity, and settings associated with your administrators.
Content – Access a detailed overview of content use including storage history trends, user status, content status, engagement, and user breakdown. Manage and upload content available to users and devices. Also, access batch import status, content categories, content repositories, user storage, VMware Content Locker homescreen configuration, and all other content-specific settings.
Email – Access a detailed overview of email information related to your deployment. Such information includes email management status, managed devices, email policy violations, deployment type, and time last seen.
Telecom – Access a detailed overview of Telecom-enabled devices including use history, plan use, and roaming data. View and manage Telecom use, track roaming, including call, Short Message Service (SMS), and content settings.
Groups & Settings – Manage structures, types and statuses related to organization groups, smart groups, application groups, user groups, and Admin Groups. Access Configurations, which is a categorized and curated list of links that lead directly to the settings pages you need.
5 APNs Certificates for Workspace ONE UEM
To manage iOS devices, you must first obtain an Apple Push Notification Service (APNs)
certificate. Workspace ONE UEM communicates with Apple devices securely and reports
information back to the UEM console using APNs certificates.
Per the Apple Enterprise Developer Program, an APNs certificate is valid for one year and then
requires renewal. The UEM console sends reminders through Notifications as the expiration date
nears. Your current certificate is revoked when you renew it from the Apple Development Portal,
which prevents device management until you upload the new one, so upload the renewed
certificate immediately. It is a best practice to use one certificate for your production
environment and a separate certificate for your test environment.
APNs Certificate Expiration, Workspace ONE UEM
The Notifications button in the header bar of the console alerts you when your APNs for MDM
certificates are close to expiring, allowing you to act.
For more information, see Chapter 9 Console Notifications.
Generate a New APNs Certificate, Workspace ONE UEM
Before you can manage iOS devices with Workspace ONE UEM, you must first generate an APNs
Certificate to enable and maintain secure communications between your iOS devices and the
Workspace ONE UEM console.
You can follow the steps outlined in the Chapter 3 Using the Getting Started Wizard or generate
a new APNs certificate manually by taking the following steps.
1 Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs for MDM.
2 Select the Generate New Certificate button. Step 1 Sign Request displays.
3 Select the link 'MDM_APNsRequest.plist' and select a save location. You upload this file to
Apple in the following step.
4 You can learn how to upload a certificate from the Apple Push Certificates Portal by selecting
the instructions link. Provided on this page is a convenient Go To Apple button that opens
the Apple Push Certificates Portal in a new tab of your browser.
5 You need two items to continue:
- The Workspace ONE UEM Certificate Request, which is the PLIST file that you saved to
your device.
- A corporate Apple ID that is dedicated to MDM for your company. Select the link
provided ('Click here') to proceed with the creation of the Apple ID. Afterward, a new
tab opens in your browser.
6 Click Next to advance to the next page where you must enter your Apple ID and upload the
Apple-issued Workspace ONE UEM MDM certificate (PEM file).
7 Select Save.
Results: Your APNs certificate is generated.
What to do next: Check the connectivity of your APNs certificate over the HTTP/2 protocol. See
the section titled Review APNs Connectivity over HTTP/2.
Renew an Existing APNs Certificate in Workspace ONE UEM
To enable and maintain secure communications between your iOS devices and Workspace ONE
UEM, you must occasionally renew APNs Certificates.
You can follow the steps outlined in the Chapter 3 Using the Getting Started Wizard or renew
expired APNs certificates manually by taking the following steps.
1 Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs for MDM.
2 Select the Renew button and follow the instructions.
3 Select the link 'MDM_APNsRequest.plist' and select a save location. You must upload this file
to Apple in the next step.
4 You can learn how to upload a certificate from the Apple Push Certificates Portal by selecting
the instructions link. Provided on this page is a convenient Go To Apple button that opens
the Apple Push Certificates Portal in a new tab of your browser.
5 You need two items to continue:
- The Workspace ONE UEM Certificate Request, which is the PLIST file that you saved to
your device.
- The Apple ID that you originally used to create the certificate, which is displayed in item 2
of the Step 1 Sign Request. See the section titled Generate a New APNs Certificate.
6 Click Next to advance to the next page where you must enter your Apple ID and upload the
Apple-issued Workspace ONE UEM MDM certificate (PEM file).
7 Select Save.
Results: Your existing APNs certificate is renewed.
What to do next: Check the connectivity of your APNs certificate over the HTTP/2 protocol. See
the next section titled Review APNs Connectivity over HTTP/2.
Review APNs Connectivity over HTTP/2 in Workspace ONE
UEM
You can review the connectivity between Workspace ONE UEM and the Apple HTTP/2 API
endpoint, api.push.apple.com:443. This review allows you to ensure APNs functionality over an
HTTP/2 connection after generating a new certificate or following a certificate renewal.
This connectivity test is only for testing APNs over the default HTTP/2 connection. Any
connectivity failures from this test do not impact APNs functionality over a legacy connection.
1 Navigate to Groups & Settings > All Settings > Devices & Users > Apple > APNs for MDM.
2 Select the Test Connection button. The Workspace ONE UEM console conducts an internal
test to determine whether connectivity over the new HTTP/2 protocol is functional.
Results: Because this test only centers on the HTTP/2 protocol, test failures here do not affect
current APNs communication. If the HTTP/2 connectivity test fails, the steps you take depend
upon the cause of the failure.
1 Expired Certificate – The certificate you are using for the test has expired. Request a renewal
by following the Renew an Existing APNs Certificate instructions on this page.
2 Invalid Certificate – The certificate you are using for the test, while not expired, is invalid
for another reason. You can request a certificate renewal or wait a few minutes and test the
connection again.
3 Unknown Error – Typically occurs during a temporary loss of Internet access. Wait a few
minutes and test the connection again.
4 APNs Client Deactivated – While rare, this cause means that Apple has returned an internal
error or that the APNs service is unavailable. Wait a few minutes and test the connection
again.
6 Assignment Groups
Assignment Group is an umbrella term used to categorize certain management grouping
structures within Workspace ONE UEM powered by AirWatch. Organization Groups, Smart
Groups, and User Groups each have full feature sets and are distinct from each other.
One feature these groups have in common is assigning content to user devices easily. As an
administrator, you can manage these three grouping structures from a single location.
Navigate to Groups & Settings > Groups > Assignment Groups.
You can assign multiple organization groups, smart groups, and user groups to one or more
profiles, public applications, and policies all from the Assignment Groups list view.
Assignment Group List View
The Assignment Groups List View organizes three kinds of groups that have the function of
assigning content to devices: organization groups, smart groups, and user groups. You can
create a listing of only those groups you are interested in seeing.
Navigate to Groups & Settings > Groups > Assignment Groups and the Assignment Groups List
View displays. The only assignment groups listed for viewing are those managed by the OG that
the administrator is currently in.
Assignment Group List View: Sort by Columns
You can sort the listing of groups by individual columns by selecting the column header.
Assignment Group List View: Filter Groups
You can filter groups by Group Type (Smart Groups, Organization Groups, and User Groups). You
can also filter by how or whether they have been Assigned (Assignments, Exclusions, All, and
None).
Assignment Group List View: Select Links
Four columns in the Assignment Groups Listing page serve a specific function and require a
special mention.
- The Groups column features a link for each Smart Group. You can edit the smart group by
selecting this link.
- If you select non-zero values in the Assignments column, the View Assignments page
displays, even for assigned organization groups and user groups. You can view and confirm
assignments to profiles, public applications, and compliance policies. For more information,
see View Assignments.
- If you select non-zero values in the Exclusions column, the View Assignments page displays,
even for excluded organization groups and user groups. You can view and confirm exclusions
from profiles, public applications, and compliance policies.
- If you select the Devices column number, the Devices List View page displays. The Device
List View contains the listing of all devices in the selected organization group, smart group, or
user group.
Assign One or More Assignment Groups
You can assign groups to device profiles, public applications, and compliance policies. You can
also assign multiple groups of each individual type (organization, smart, or user) in a single sitting.
To assign public applications, you can configure different application policies for different groups
of users. For more information, see Use Flexible Deployment to Assign Applications in the
VMware Workspace ONE UEM Mobile Application Management Guide, which can be found on
docs.vmware.com.
1 Navigate to Groups & Settings > Groups > Assignment Groups.
2 Select one or more groups in the listing and select the Assign button.
3 The Assign page displays the Organization Groups, Smart Groups, and User Groups you
selected.
4 Assign them by searching for Profile, Public Application, and Compliance Policy. You can
select up to 10 profiles, up to 10 public applications, and a single compliance policy.
You can only select multiple entities of a single type per session. For example, you can assign
multiple groups to up to 10 different profiles in a single command. However, you cannot, in
a single command, assign multiple groups to 10 profiles, 10 applications, and a compliance
policy. If you have multiple entities of multiple types, you must make separate assignment
sessions for each type (profiles, applications, and policies).
5 Select Next to display the View Device Assignment page which you can use to confirm the
groups assignment.
6 Select Save & Publish to finalize the assignment.
How to Delete Groups
You can delete an assignment group, be it an organization group, smart group, user group, or
admin group, provided you first remove all of the assignments and empty the group. For more
information about deleting each type of group, see the following topics.
- Organization Group – Delete an Organization Group
- Smart Group – Unassign a Smart Group
- User Group – User Groups List View
- Admin Group – Admin Groups List View
Read the following topics next:
- Organization Groups
- Smart Groups
- User Groups
- Admin Groups
- View Assignments
Organization Groups
Think of organization groups as individual branches on a family tree, with each leaf as a device
user. Workspace ONE UEM powered by AirWatch identifies each leaf and establishes its standing
in the family tree using organization groups (OG). Most customers make OG trees look like their
corporate hierarchy: Executives, Management, Operations, Sales, and so forth.
You can also establish OGs based on Workspace ONE UEM features and content.
You can access organization groups by navigating to Groups & Settings > Groups > Organization
Groups > List View or through the organization group drop-down menu.
- Build groups for entities within your organization (Management, Salaried, Hourly, Sales, Retail,
HR, Exec, and so on).
- Customize hierarchies with parent and child levels (for example, 'Salaried' and 'Hourly' as
children under 'Management').
- Integrate with multiple internal infrastructures at the tier level.
- Delegate role-based access and management based on a multi-tenant structure.
Note: The Organization Groups List View defines "Active Devices" as only those devices that
have reported back to the Workspace ONE UEM console within the prior 8-hour period.
Characteristics of Organization Groups
Organization groups can accommodate functional, geographic, and organization entities and
enable a multi-tenancy solution.
- Scalability – Flexible support for exponential growth.
- Multi-tenancy – Create groups that function as independent environments.
- Inheritance – Streamline the setup process by setting child groups to inherit parent
configurations.
Using the example of the organization group drop-down menu, profiles, features, applications,
and other MDM settings can be set at the 'World Wide Enterprises' level.
Settings inherit down to child organization groups, such as AsiaPacific and EMEA or even
further down to grand-child AsiaPacific > Manufacturing or even great grand-child AsiaPacific
> Operations > Corporate.
Settings between sibling organization groups such as AsiaPacific and EMEA take advantage of
the multi-tenant nature of OGs, by keeping these settings separate from one another. However,
these two sibling OGs do inherit settings from their parent OG, World Wide Enterprises.
Alternatively, you can opt to override settings at a lower level and alter only the settings that you
want to change or keep. These settings can be altered or carried down at any level.
Considerations for Setting Up Organization Groups
Before setting up your organization group (OG) hierarchy in the Workspace ONE UEM console,
first decide on the group structure. The group structure allows you to make the best use of
settings, applications, and resources.
- Delegated Administration – You can delegate administration of subgroups to lower-level
administrators by restricting their visibility to a lower organization group.
  - Corporate administrators can access and view everything in the environment.
  - The LA manager has access to the LA OG and can manage only those devices.
  - The NY manager has access to the NY OG and can manage only those devices.
- System Settings – Settings are applied at different levels in the organization group tree and
inherited down. They can also be overridden at any level. Settings include device enrollment
options, authentication methods, privacy settings, and branding.
  - The overall company establishes enrollment against the company Active Directory server.
  - Driver devices override the parent authentication and allow a token-based enrollment.
  - Warehouse devices inherit the AD settings from the parent group.
- Device Use Case – A profile can be assigned to one or several organization groups.
Devices in those groups can then receive that profile. Refer to the Profiles section for more
information. Consider configuring devices using profile, application, and content settings
according to attributes such as device make, model, ownership type, or user groups before
creating organization groups.
  - Executive devices cannot install applications and have access to the Wi-Fi sales network.
  - Sales devices are allowed to install applications and have VPN access.
Changing Organization Groups
You can change organization groups by selecting the OG indicator at the top-right of the screen.
When selected, a drop-down menu displays your OG hierarchy, allowing you to change to
another organization group.
Compare Two Organization Groups
You can compare the settings of one organization group to another to mitigate version migration
issues. The Organization Group Compare feature is only available for on-premises customers.
You can perform the following tasks when you compare OG settings.
- Upload XML files containing the OG settings from different Workspace ONE UEM software
versions.
- Eliminate the possibility of a difference in configuration causing problems during version
migration.
- Filter the comparison results, allowing you to display only the settings you are interested in
comparing.
- Search for a single setting by name with the search function.
An example of a version migration scenario is when a User Acceptance Testing (UAT) server has
been upgraded, configured, and tested, you can compare the UAT settings to the production
settings directly.
1 Navigate to Groups & Settings > All Settings > Admin > Settings Management > Settings
Comparison.
2 Select an OG in your environment from the left drop-down menu (labeled with the numeral
1). Alternatively, upload the XML settings file by selecting the Upload button and selecting an
exported OG setting XML file.
3 Select the comparison OG on the right drop-down menu (labeled with the numeral 2).
4 Display a list of all settings for both selected organization groups by selecting the Update
button.
- Differences between the two sets of OG settings are highlighted.
- You can optionally enable the Show Differences Only check box. This check box displays
only those settings that apply to one OG but not the other.
- Individual settings that are empty (or not specified) display in the comparison listing as
'NULL'.
Create Organization Groups
You must create an organization group (OG) for each business entity where devices are
deployed. Understand that the OG you are currently in is the parent of the child OG you are
about to create.
1 Navigate to Groups & Settings > Groups > Organization Groups > Details.
2 Select the Add Child Organization Group tab and complete the following settings.
Setting – Description
Name – Enter a name for the child organization group (OG) to be displayed. Use alphanumeric characters only. Do not use odd characters.
Group ID – This required OG identifier is used by end users during device login and during the enrollment of group devices to the appropriate OG. Ensure that users sharing devices receive the Group ID as it might be required for the device to log in depending on your Shared Device configuration. If you are not in an on-premises environment, the Group ID identifies your organization group across the entire shared SaaS environment. For this reason, all Group IDs must be uniquely named.
Type – Select the preconfigured OG type that reflects the category for the child OG.
Country – Select the country where the OG is based.
Locale – Select the language classification for the selected country.
Customer Industry – This setting is only available when Type is Customer. Select from the list of Customer Industries.
Time Zone – Select the time zone for the OG's location.
3 Select Save.
Delete an Organization Group
You can delete an organization group (OG) provided it contains no OG children and no devices
anywhere in its downline.
1 Move to the OG you want to delete by selecting it from the OG drop-down menu.
2 Navigate to Groups & Settings > Groups > Organization Groups > Details.
3 At the bottom of the Details screen, review the counts for Devices in Organization Group
and Child Organization Groups. If either entry is not zero, then you cannot delete the OG and
the Delete button is unavailable.
You must move all devices from this OG into another OG. Any child OGs downline of the OG
you want to delete must also contain no devices before they can be deleted.
4 Once the counts for Devices in Organization Group and Child Organization Groups are both
zero, then you can proceed with deleting the OG.
5 Select the Delete button.
6 The Restricted Action - Organization Group Delete screen displays and provides warnings
about preparations you must take before deleting the OG.
7 Before you are allowed to proceed with the deletion, you must enter your four digit security
PIN, which you selected when you enrolled as a UEM admin. Reset this PIN by selecting the
Forgot Security PIN? link.
Identify the Group ID for Any Organization Group
You can identify the group ID for any organization group (OG) by taking the following steps.
1 Move to the OG you want to identify by selecting it from the OG drop-down menu.
2 Hover your pointer over the OG label. A popup displays the name and group ID for the
currently selected organization group.
Inheritance, Multi-Tenancy, and Authentication
The concept of overriding settings on a per-organization group basis, when combined with
organization group (OG) characteristics such as inheritance and multi-tenancy, can be further
combined with authentication. This combination provides for flexible configurations.
The following organization group model illustrates this flexibility.
In this model, Administrators, generally in possession of greater permissions and functionality,
are positioned at the top of this OG branch. These administrators log into their OG using SAML
that is specific to admins.
Corporate users are subservient to administrators so their OG is arranged as its child. Being
users and not administrators, their SAML login setting cannot inherit the administrator setting.
Therefore, the Corporate users' SAML setting is overridden.
BYOD users differ from Corporate users. Devices used by BYOD users belong to the users
themselves and likely contain more personal information. So these device profiles might require
slightly different settings. BYOD users might have a different terms of use agreement. BYOD
devices might need different enterprise wipe parameters. For all these reasons and more, it
might make sense for BYOD users to log into a separate OG.
And while not subservient to Corporate users in a corporate hierarchy sense, placing BYOD users
as a child of Corporate users has advantages. This arrangement means that BYOD users inherit
settings applicable to ALL corporate user devices by applying them to the Corporate users OG.
Inheritance also applies to SAML authentication settings. Since BYOD users is a child of Corporate
users, BYOD users inherit their SAML for users' authentication settings.
An alternate model is to make BYOD users a sibling of Corporate users.
Under this alternate model, the following is true.
- All device profiles meant to apply globally to ALL devices, including compliance policies and
other globally applicable device settings, are applied to two organization groups instead of
one. This duplication is needed because inheritance from Corporate users to BYOD users is
no longer a factor in this model. Corporate users and BYOD users are now peers, and
therefore there is no inheritance between them.
- Another SAML override must be applied to BYOD users. This override is necessary because
the system assumes it is inheriting SAML settings from its parent, Administrators. Such an
assumption is a mistake because BYOD users are not administrators and do not have the
same access and permissions.
- BYOD users continue to be handled separately from Corporate users. This alternate model
means that they continue to enjoy their own device profile settings.
What factor determines which model is the best? Compare the number of globally applicable
device settings with the number of group-specific device settings. Basically, if you want to treat
all devices in generally the same way, then consider making BYOD users a child of Corporate
users. If maintaining separate settings is more important, then consider making BYOD users a
sibling of Corporate users.
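The inheritance, override, and sibling-isolation behaviour this chapter describes (the World Wide Enterprises example, the Settings Comparison page's Show Differences Only and 'NULL' display, the delete precondition of an empty downline, and the two BYOD placement models) modelled in Python as an added example. This is not VMware code and does not reflect how the console stores settings; the OG names, setting keys, values and device counts are constructed for illustration.

```python
"""Model of organization group (OG) setting inheritance in Workspace ONE UEM.

Added example, not VMware code. OG names, setting keys, values and device
counts are constructed; only the inherit / override / compare / delete
behaviour described in the Organization Groups chapter is reproduced.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

NULL = "NULL"  # how the Settings Comparison page shows an unspecified setting


@dataclass(eq=False)
class OrganizationGroup:
    name: str
    parent: Optional[OrganizationGroup] = None
    # Settings explicitly set at this OG (overrides); anything else is inherited.
    overrides: Dict[str, str] = field(default_factory=dict)
    children: List[OrganizationGroup] = field(default_factory=list)
    device_count: int = 0  # devices enrolled directly in this OG

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def add_child(self, name: str, overrides: Optional[Dict[str, str]] = None,
                  devices: int = 0) -> OrganizationGroup:
        return OrganizationGroup(name, self, dict(overrides or {}), device_count=devices)


def effective_settings(og: OrganizationGroup) -> Dict[str, str]:
    """Settings an OG actually receives: apply overrides from the root down,
    so a nearer OG's value replaces a farther ancestor's (inheritance)."""
    chain: List[OrganizationGroup] = []
    node: Optional[OrganizationGroup] = og
    while node is not None:
        chain.append(node)
        node = node.parent
    settings: Dict[str, str] = {}
    for node in reversed(chain):
        settings.update(node.overrides)
    return settings


def setting_source(og: OrganizationGroup, key: str) -> Optional[str]:
    """Name of the OG whose override supplies `key` to `og`, or None if unset."""
    node: Optional[OrganizationGroup] = og
    while node is not None:
        if key in node.overrides:
            return node.name
        node = node.parent
    return None


def compare_settings(og_a: OrganizationGroup, og_b: OrganizationGroup,
                     differences_only: bool = False) -> List[Tuple[str, str, str]]:
    """Rows like the Settings Comparison page: (setting, value in OG 1, value in
    OG 2), 'NULL' where an OG has no value; differences_only drops equal rows."""
    a, b = effective_settings(og_a), effective_settings(og_b)
    rows: List[Tuple[str, str, str]] = []
    for key in sorted(set(a) | set(b)):
        va, vb = a.get(key, NULL), b.get(key, NULL)
        if differences_only and va == vb:
            continue
        rows.append((key, va, vb))
    return rows


def devices_in_downline(og: OrganizationGroup) -> int:
    return og.device_count + sum(devices_in_downline(c) for c in og.children)


def can_delete(og: OrganizationGroup) -> bool:
    """Delete precondition: no child OGs and no devices anywhere in the downline,
    which forces a tree to be emptied and deleted bottom-up."""
    return not og.children and devices_in_downline(og) == 0


def override_points(targets: List[OrganizationGroup]) -> List[OrganizationGroup]:
    """OGs where a setting must be placed so every target gets it without also
    applying it to an ancestor outside the set; a target whose parent is a
    target simply inherits. Child model -> 1 point, sibling model -> 2."""
    names = {t.name for t in targets}
    return [t for t in targets if t.parent is None or t.parent.name not in names]


def build_region_tree() -> Dict[str, OrganizationGroup]:
    """World Wide Enterprises > AsiaPacific > Manufacturing, EMEA as a sibling."""
    wwe = OrganizationGroup("World Wide Enterprises", overrides={
        "enrollment.authentication": "Active Directory",
        "privacy.collect_gps": "Disabled",
        "branding.logo": "wwe.png",
    })
    apac = wwe.add_child("AsiaPacific", {"privacy.collect_gps": "Enabled"}, devices=120)
    emea = wwe.add_child("EMEA", {"email.domain": "emea.example"}, devices=80)
    mfg = apac.add_child("Manufacturing", {"enrollment.authentication": "Token"}, devices=40)
    archive = emea.add_child("Archive")  # empty leaf: the only deletable OG here
    return {og.name: og for og in (wwe, apac, emea, mfg, archive)}


def build_auth_model(byod_as_child: bool) -> Dict[str, OrganizationGroup]:
    """Administrators > Corporate users, with BYOD users either a child of
    Corporate users (inherits the user SAML override) or its sibling (inherits
    the admin SAML setting from Administrators and needs its own override)."""
    admins = OrganizationGroup("Administrators", overrides={"auth.saml": "admin-saml"})
    corporate = admins.add_child("Corporate users", {"auth.saml": "user-saml"})
    byod_parent = corporate if byod_as_child else admins
    byod = byod_parent.add_child("BYOD users", {"terms_of_use": "BYOD agreement"})
    return {og.name: og for og in (admins, corporate, byod)}


if __name__ == "__main__":
    tree = build_region_tree()
    for row in compare_settings(tree["AsiaPacific"], tree["EMEA"], differences_only=True):
        print("%-26s %-14s %s" % row)
    for as_child in (True, False):
        byod = build_auth_model(as_child)["BYOD users"]
        print("BYOD as child" if as_child else "BYOD as sibling",
              "-> SAML setting comes from", setting_source(byod, "auth.saml"))
```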
Organization Group Restrictions
If you attempt to configure an organization group (OG)-limited setting, the settings pages under
Groups & Settings > All Settings notify you of the limitation.
The following restrictions apply to creating Customer-level organization groups.
- Whether you are in a software-as-a-service (SaaS) or on-premises environment, you cannot
create nested customer OGs.
Organization Group Type Functions and Customizations
The type of an organization group can have an impact on what settings an admin can configure.
- Global – The top-most organization group. Usually, this group is called Global and has type
Global.
  - For hosted SaaS environments, you cannot access this group.
  - On-premises customers can turn on Verbose logging at this level.
- Customer – The top-level organization group for each customer.
  - A customer organization group cannot have any child or parent organization groups that
are of the customer type.
  - Essential workflows can only occur within a customer type OG or within its hierarchy.
These workflows include adding a device, registering and enrolling a device, user group
mapping, smart group creation and mapping, changing the OG on a device (or moving
a device from one OG to another), and device check-out.
  - Some settings can only be configured at a Customer group. These settings filter down to
lower container type OGs.
    - Autodiscovery email domains
    - Device Enrollment Program settings (before AirWatch 8.0)
    - Personal content
    - Apple VPP (Volume Purchase Program), which must be enabled at the parent customer OG
before child container type OGs have working VPP functionality
    - Samsung Enterprise FOTA
    - Hub packages
    - Custom attributes
    - Relay server
    - Intelligence
    - Sensors
    - App Scan and App Removal Protection
    - CDN (Content Delivery Network) for app delivery
    - NFS storage for content management (will become configurable)
    - Workspace One hub services
    - Conditional Access
    - MAG (Mobile Access Gateway)
    - LBUS (Local Basic User Sync)
    - Dynamic Environment Manager
    - Mobile Flows
- Container – The default organization group type.
  - All organization groups beneath a customer organization group must be of the container
type. You can have containers between Partner and Customer groups.
- Partner – Top-level organization group for partners (third-party resellers of Workspace ONE
UEM).
- Prospect – Potential customers. Similar to a customer organization group and might have less
functionality than a true customer group.
There are additional Organization Group types such as Division, Region, and the ability to define
your own Organization Group type.
Add Organization Group Type
You can add custom organization group types. These types do not have any special
characteristics and function identically to the Container Organization Group type.
To create your own OG type...
1 Navigate to Groups & Settings > Groups > Organization Groups > Types and then select the
Add Organization Group Type button.
2 Enter the Name you want for the OG Type and its Description.
3 Select Save.
Reasons You Should Not Enroll Devices in Global
There are several reasons enrolling devices directly to the top-level organization group (OG),
commonly known as Global, is not a good idea. These reasons are multitenancy, inheritance, and
functionality.
Multitenancy
You can make as many child organization groups as you need and you configure each one
independently from the others. Settings you apply to a child OG do not impact other siblings.
Inheritance
Changes made to a parent level OG apply to the children. Conversely, changes made to a child
level OG do not apply to the parent or siblings.
Functionality
There are settings and functionality that are only configurable to Customer type organization
groups. These include wipe protection, Telecom, and personal content. Devices added directly to
the top-level Global OG are excluded from these settings and functionality.
The Global organization group (OG) is designed to house Customer and other types of OGs.
Given the way inheritance works, if you add devices to Global and configure Global with settings
intended to affect those devices, you are also affecting all the Customer OGs underneath. This
undermines the benefits of multitenancy and inheritance.
Override Versus Inherit Setting for Organization Groups
The hierarchy of the organization group (OG) structure you make determines which OGs are
children and which are parents. Child OGs inherit settings from their parent OGs but you can elect
to override this inheritance.
Each system settings page applies its settings according to two types of inheritance / override
options regarding organization group hierarchy: 1) Current Setting and 2) Child Permission. The
OG it applies settings to is the OG you are currently in.
In other words, if you are in the Employees\Warehouse OG, then changes you make to settings
apply to that OG and all OGs that are children of the Warehouse OG.
For example, the Branding settings page, found by navigating to Groups & Settings > All
Settings > System > Branding, controls all the custom background images, logos, and color
schemes for the OG visible in the organization group drop-down.
Applying our example earlier, you can import a new background image, new logo, a different
color scheme, all specific to the Employees\Warehouse OG. You can also configure the settings
to apply to the Warehouse OG only. This option is enabled by changing the inheritance of this
OG on the settings page.
Child Permission
Think of the Child Permission setting as the parent OG's attitude toward the child OG. There are
three different settings for Child Permission: Inherit or Override, Inherit Only, and Override Only.
The Inherit or Override setting simply means that the parent has no preference for the child's
permissions. When a parent's Child Permission setting is Inherit or Override, the Current Setting
of the child OG determines whether they override or inherit settings. Child Permissions are set to
Inherit or Override by default.
A Child Permission setting of Inherit Only on the parent forces inheritance on all children. This
setting means that all children have the same settings as the parent. A Child Permission setting of
Override Only removes the inheritance effect on all child OGs, requiring you to configure settings
specific to that child OG.
Child Permission settings affect only the children one level down. Such settings have no impact
on grandchildren or lower OGs.
Current Setting
If Child Permission is the attitude of the parent toward the child, then the Current Setting of
an OG is the attitude of the child toward the parent. A Current Setting can only be Inherit or
Override.
A Current Setting of Inherit means that the child OG accepts all the settings of the parent OG.
Select a Current Setting of Override, and the child rejects the parent and is on its own. The
override selection means you can make new settings for the child.
You can only change an OG's Current Setting provided the parent OG's Child Permission setting
is Inherit or Override.
Continuing the example from above, if you wanted to apply Branding settings to the Warehouse OG only, you can change the Current Setting for each child OG of Warehouse to Override, provided the Child Permission for Warehouse is the default Inherit or Override. You can then configure Branding settings for the children of Warehouse as you see fit, either different from Warehouse or the same.
Changing Permission Settings
You cannot change the Current Setting of a child if its parent's Child Permission setting does not
allow it. For example, if MomandDadOG's Child Permission setting is Override Only, you cannot
change the Current Setting of JuniorOG to Inherit. In short, the parent OG's Child Permission
settings take precedence over the child OG's Current Setting.
If you change the Current Setting of a child OG from Override to Inherit and then change the Child Permission setting of its parent to Inherit Only, the child OG's own Child Permission setting becomes locked. You are not able to change the child's Child Permission setting in this scenario. This behavior does not occur if the child OG's setting was never overridden.
The work-around for this behavior is to change the Child Permission setting on the parent OG back to Inherit or Override, which unlocks the Child Permission setting of the child OG.
The larger strategy is to plan ahead, configuring inheritance and override settings to the OG
levels that make sense given the hierarchy structure you want.
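The following Python snippet is an added example, not code from Workspace ONE UEM or its documentation. It models the Child Permission and Current Setting rules above as a small resolver, so you can check which values a settings page such as Branding would land on for each OG before you restructure a hierarchy. The OG names, the "logo" setting and the tree it builds are constructed for illustration; the locking quirk described under Changing Permission Settings is not modeled.

```python
# Added example (not Workspace ONE UEM code): resolve which settings an
# organization group (OG) actually gets under the Child Permission and
# Current Setting rules.  OG names, the "logo" setting and the hierarchy
# in build_example() are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional

# The three Child Permission values and two Current Setting values named
# in the documentation.
INHERIT_OR_OVERRIDE = "Inherit or Override"
INHERIT_ONLY = "Inherit Only"
OVERRIDE_ONLY = "Override Only"
INHERIT = "Inherit"
OVERRIDE = "Override"


@dataclass
class OrgGroup:
    name: str
    parent: Optional["OrgGroup"] = None
    child_permission: str = INHERIT_OR_OVERRIDE  # this OG's attitude toward its children
    current_setting: str = INHERIT               # this OG's attitude toward its parent
    local_settings: Dict[str, str] = field(default_factory=dict)  # values set on this OG itself


def effective_mode(og: OrgGroup) -> str:
    """Decide whether `og` inherits or overrides on a settings page.

    The parent's Child Permission takes precedence: Inherit Only forces
    inheritance, Override Only forces override, and only Inherit or Override
    lets the child's own Current Setting decide.  A top-level OG has nothing
    to inherit from, so its own values apply.
    """
    if og.parent is None:
        return OVERRIDE
    if og.parent.child_permission == INHERIT_ONLY:
        return INHERIT
    if og.parent.child_permission == OVERRIDE_ONLY:
        return OVERRIDE
    return og.current_setting


def can_change_current_setting(og: OrgGroup) -> bool:
    """Current Setting is editable only while the parent allows both
    choices, that is, its Child Permission is Inherit or Override."""
    return og.parent is not None and og.parent.child_permission == INHERIT_OR_OVERRIDE


def effective_settings(og: OrgGroup) -> Dict[str, str]:
    """Walk up the hierarchy until an OG that overrides is found.

    Child Permission reaches only one level down, so each step re-evaluates
    the mode against the immediate parent, never against a grandparent.
    """
    if effective_mode(og) == INHERIT:
        return effective_settings(og.parent)
    return dict(og.local_settings)


def build_example() -> Dict[str, OrgGroup]:
    """Constructed hierarchy: Global > Employees > Warehouse > {Shipping, Receiving > Dock}."""
    global_og = OrgGroup("Global", local_settings={"logo": "default.png"})
    employees = OrgGroup("Employees", global_og, current_setting=OVERRIDE,
                         local_settings={"logo": "acme.png"})
    warehouse = OrgGroup("Warehouse", employees, current_setting=OVERRIDE,
                         local_settings={"logo": "warehouse.png"})
    shipping = OrgGroup("Shipping", warehouse)  # Current Setting left at Inherit
    receiving = OrgGroup("Receiving", warehouse, current_setting=OVERRIDE,
                         local_settings={"logo": "receiving.png"})
    dock = OrgGroup("Dock", receiving, current_setting=OVERRIDE,
                    local_settings={"logo": "dock.png"})
    return {og.name: og for og in (global_og, employees, warehouse, shipping, receiving, dock)}


if __name__ == "__main__":
    tree = build_example()
    for name in ("Shipping", "Receiving", "Dock"):
        print(name, effective_mode(tree[name]), effective_settings(tree[name]))
    # Forcing Warehouse's children to Inherit Only overrides Receiving's own
    # choice, but Dock (a grandchild) is still governed by Receiving.
    tree["Warehouse"].child_permission = INHERIT_ONLY
    for name in ("Shipping", "Receiving", "Dock"):
        print(name, effective_mode(tree[name]), effective_settings(tree[name]),
              "editable" if can_change_current_setting(tree[name]) else "locked")
```

Running the script twice, once before and once after Warehouse is switched to Inherit Only, shows Receiving losing its own logo while Dock keeps its override, which is the one-level-down behaviour the text describes.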
Smart Groups
Smart groups are customizable groups within Workspace ONE UEM powered by AirWatch that
determine which platforms, devices, and users receive an assigned application, book, compliance
policy, device profile, or provision.
When you create organization groups, you typically base them on the internal corporate structure: geographical location, business unit, and department, for example, "Corporate Sales" or "Asia." With smart groups, you can deliver content and settings by device platform, model, operating system, device tag, or user group. You can even deliver content to individual users across multiple organization groups.
You can create smart groups when you upload content and define settings. However, you can
create them at any time and assign them later.
The main benefit of smart groups is their reusability. Making a new assignment each time you add
content or define a profile or policy might be intuitive, however, if you instead define assignees
to smart groups only once, you can include those smart groups in your definition of content.
Smart Group List View
View the entire list of smart groups by navigating to Groups & Settings > Groups > Assignment Groups. Admins can only see groups that they can manage based on their permissions settings.
You can view detailed information by selecting the links within the columns Groups, Assignments, Exclusions, and Devices.
- Selecting links in the Assignments or Exclusions columns displays the View Smart Group Assignments screen.
- Selecting a link in the Devices column displays the Devices > List View showing only those devices included in the smart group.
- You can Filter your collection of groups by Group Type (Smart, Organization, User, or all) or by Assigned status. Assigned status shows whether the group is assigned, is excluded, both, or neither.
- You can Assign a smart group directly from the listing.
Unassign a Smart Group
You can unassign a smart group from an application, book, policy, profile, or product. This action
removes the associated content from all devices in the smart group.
1 To unassign smart groups from applications, books, compliance policies, device profiles, or product provisions, follow the navigation paths shown.
- Native Apps – Navigate to Resources > Apps > Native and select the Internal, Public, or Purchased tab.
- Books – Navigate to Resources > Books > List View and select the Internal, Public, or Purchased tab.
- Compliance Policy – Navigate to Devices > Compliance Policies > List View.
- Device Profile – Navigate to Resources > Profiles & Baselines > Profiles.
- Product Provision – Navigate to Devices > Provisioning > Product List View.
- Scripts – Navigate to Resources > Scripts.
- Sensors – Navigate to Resources > Sensors.
- Time Windows – Navigate to Resources > Time Windows.
2 Locate the content or setting from the listing and select the Edit icon from the actions
menu. Alternatively, you might select a check box or radio button to the left of the listing.
3 Select the Assignment tab or locate the Smart Groups text box.
4 Select Delete (X) next to the smart group that you want to unassign. This action does not
delete the smart group. It simply removes the smart group assignment from the saved
setting.
5 Follow the required steps to Save your changes.
Delete a Smart Group
When you have no further use for a smart group, you can delete it. You can only delete one
smart group at a time. Selecting more than one smart group causes the Delete button to be
unavailable.
Before you can delete a smart group, it cannot be assigned to any device product. If you are
certain the smart group you want to delete is unassigned, then take the following steps.
1 Navigate to Groups & Settings > Groups > Assignment Groups and locate the smart group
you want to delete from the listing.
2 Select the check box to the left of the smart group you want to delete.
3 Select Delete from the actions menu that displays.
Results: The unassigned smart group has been removed.
Edit a Smart Group
You can edit an established smart group. Any edits that you apply to a smart group affect all policies and profiles to which that smart group is assigned.
Here is an example of a typical need to edit a smart group. Assume a smart group for executives
is assigned to a compliance policy, device profile, and two internal apps. If you want to exclude
some of the executives from one or more of the assigned content items, then simply edit the
smart group by specifying Exclusions. This action prevents not only the two internal apps from
being installed on the excluded executives' devices but also the compliance policy and device
profile.
1 Navigate to Groups & Settings > Groups > Assignment Groups.
2 Select the Edit icon located to the left of the listed smart group that you want to edit. You can also select the smart group name in the Group column. The Edit Smart Group page displays with its existing settings.
3 In the Edit Smart Group page, alter Criteria or Devices and Users (depending upon which type the smart group was saved with) and then select Next.
4 In the View Assignments page, you can review which profiles, apps, books, provisions, and policies can be added or removed from the devices as a result.
5 Select Publish to save your smart group edits. All profiles, apps, books, provisions, and
policies tied to this smart group update their device assignments based on this edit.
Results: The Console Event logger tracks changes made to smart groups, including the author of
changes, devices added, and devices removed.
Research Smart Group Events Using Console Event Logger
You can track the changes to smart groups, and when they are made and by whom, by using the
Console Event logger. Such tracking can be useful when troubleshooting devices.
1 Navigate to Monitor > Reports & Analytics > Events > Console Events.
2 Select Smart Groups from the Module drop-down filter at the top of the Console Event
listing.
3 Apply more filters as you might require including Date Range, Severity, and Category.
4 Where applicable, select the hypertext link in the Event Data column which contains extra
detail that can assist your research efforts.
Create a Smart Group
Before you can assign a smart group to an application, book, compliance policy, device profile, or
product provision, you must create a smart group.
Watch the video How to Make a Smart Group, Smartly for five best practice tips on making smart groups.
- You can follow along with the prescriptive task companion, How To Make A Smart Group Smartly, Companion Task to the Video, which you can review as you watch the video.
1 Select the applicable Organization Group (OG) to which your new smart group applies and
from which it can be managed. Selecting an OG is optional.
2 Navigate to Groups & Settings > Groups > Assignment Groups and then select Add Smart
Group.
3 Enter a Name for the smart group.
4 Optionally, you can enable the Device Preview to see which devices are included in the
smart group you have designed. This device preview is deactivated by default to improve
performance.
5 Configure the smart group type.
Choose from:
- Criteria – The Criteria option works best for groups with large numbers of devices (more than 500) that receive general updates. This method works best because the inherent details of these groups can reach all endpoints of your mobile fleet.
- Devices or Users – The Devices or Users option works best for groups with smaller numbers of devices (500 or fewer) that receive sporadic, although important, updates. This method works best because of the granular level at which you can select group members.
Note Switching between Criteria and Devices or Users erases any entries and selections you might have made.
1 In the Criteria type, select qualifying parameters to add in the smart group. If no selection is made in any setting, then that filtering is not applied toward the criteria.
- Organization Group – This criteria option filters devices by the organization groups selected. You can select more than one OG. You must select a Customer type OG or a child OG with a Customer type parent OG. Assigning the smart group to a non-customer type OG is not allowed. For more information, see Changing Organization Groups and Create Organization Groups.
- User Group – This criteria option filters devices by the user groups selected. You can select more than one user group.
- Ownership – This criteria option filters devices by the ownership type selected.
- Tags – This criteria option filters devices according to device tags. You can select more than one tag.
- Platform and Operating System – This criteria option filters devices by the platform and OS selected. You can select multiple combinations of each. While Platform is a criterion within a smart group, the platform configured in the device profile or compliance policy always takes precedence over the smart group's platform. For instance, if you make an iOS device profile and assign it to a smart group, the profile is only assigned to iOS devices even if the smart group includes Android devices.
- OEM & Model – This criteria option applies only to Android and Windows Desktop platform selections made in Platform and Operating System. You can select one or more original equipment manufacturers and multiple models per OEM. New Android OEMs and models get added to the drop-down menu when devices are enrolled or synced.
- Model (Legacy) – This criteria option filters non-Android and non-Windows Desktop devices by model. Individual models displayed are based on the selections made in Platform and Operating System. Select from the list of presented models to include in your smart group.
- Enterprise OEM Version – This criteria option filters devices by enterprise original equipment manufacturer version. You can select more than one Enterprise OEM version. An Enterprise OEM version is a software-based classification applicable to OEM device models. For example, an Enterprise OEM version can be supplementary software support for devices such as Motorola's Mobility Extensions (MX) or Samsung SAFE. An Enterprise OEM version can also be an OEM's particular flavor of the Android operating system such as those offered by Honeywell, LG, and Sony among others.
- Management Type – Filter devices according to the way the device is managed.
- Enrollment Category – Filter devices according to the way the device is enrolled.
- Additions – This criteria option adds individual devices and users that are not included in the filtering criteria. You can select more than one device and more than one user.
- Exclusions – This criteria option excludes individual devices, individual users, and user groups that are included in the filtering criteria. You can exclude more than one device, more than one user, and more than one user group.
2 Use the Devices or Users type to assign content and settings to special cases outside of the general enterprise mobility criteria. Enter the device friendly name in Devices and the user name (first name or last name) in Users. You must Add at least one device or user or you cannot save the smart group.
- Devices – Add a device to this smart group by entering the device friendly name. You can add more than one device using this method.
- Users – Add users to this smart group by entering the user name, first name, or last name. You can add more than one user using this method.
Create and Assign a Smart Group
You can create a smart group defined by platform, ownership, user group, OS version, model,
device tag, enterprise OEM, and even individual devices by friendly name.
For example, you can make a smart group containing all employee-owned iPhone Touch devices
with iOS version earlier than 9.0.2. Add to this same smart group all Android devices by HTC
version 2.0 with OS version 4.1 or greater. Out of this group, you can exclude devices in the user
group "full time." To this highly customized pool of *devices, you can assign 10 device profiles, 10
applications, or a compliance policy.
*Some restrictions might apply due to the multiplatform nature of this customized device pool.
For example, there might be apps you want to assign that do not offer an Android version.
You can assign a smart group two ways.
Assign Smart Group While Creating Device Product
You can assign a smart group when you add or create an application, book, compliance policy,
device profile, or product provision.
1 Complete the Assigned Groups drop-down menu.
2 Select a smart group from the drop-down menu. Smart groups available are managed only
within the organization group (OG) to which the resource is being added, or to a child OG
below it.
3 If no smart group matches the desired assignment criteria, then select the Create a Smart
Group option. You can assign more than one smart group per application, book, compliance
policy, device profile, or product provision.
4 Select Save to include the assignment.
Assign Smart Group While Managing the Smart Group
You can also assign a smart group during the process of managing the smart group itself.
1 View the entire list of smart groups by navigating to Groups & Settings > Groups >
Assignment Groups.
2 Select one or more smart groups you want to assign and select Assign. The Assign page
displays. Select the Groups link at the top of the Assign page to display the Groups page. On
this page, the organization groups that manage the smart groups are displayed. Return to the
Assign page by selecting the Close button.
3 On the Assign page, use the search box to view the list of eligible products and assign them to the selected smart groups.
4 Select Next to display the View Device Assignment page and confirm the assignment status.
5 Select Save & Publish.
Exclude Groups in Profiles and Policies
You can exclude groups from the assignment of device profiles and compliance policies with as
much ease as assigning groups to these device products.
You must have the groups defined before you initiate this task. At a minimum, you must be able
to make a smart group comprised of the users you want to exclude. This task allows you to make
a new smart group on the fly but if you prefer to exclude an organization group or user group,
then see Create Organization Groups and User Groups respectively.
1 While adding a device profile or compliance policy, select Yes next to the Exclusions setting
to display the Excluded Groups option.
2 In the Excluded Groups setting, select groups that you want to exclude from the assignment
of this profile or policy.
- You can enter the first few letters of the group by name and the auto-search function shows you all the groups whose name corresponds to the string you entered.
- You can select one or more organization groups, user groups, or smart groups.
- You can make a new smart group by selecting the Create Smart Group button.
3 Select Save and Publish (for device profiles) or Next (for compliance policies) and continue
the process for those tasks.
If you select the same group in both the Assigned Groups and Excluded Groups settings,
then the profile or policy fails to save.
Next Steps: Preview the affected devices by selecting View Device Assignment.
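The Python below is an added example, not code from Workspace ONE UEM, that works through three rules from the Create a Smart Group criteria table and the two assignment topics above against a constructed fleet: unselected criteria are not applied while Additions bring in devices that fail the criteria and Exclusions remove devices, users or user groups that match; the platform on a device profile or compliance policy wins over the smart group's platform; and a group named in both Assigned Groups and Excluded Groups is rejected. Two details the page does not state are assumptions here: a multi-value criterion matches when any selected value matches, and an Exclusion beats an Addition for the same device. Device names, user groups and the "Warehouse Floor" group are constructed.

```python
# Added example (not Workspace ONE UEM code): resolve a Criteria-type smart
# group over constructed device records, then apply the profile-platform
# precedence and Assigned/Excluded clash rules.  Assumptions not stated on
# the page: any-of matching for multi-value criteria, Exclusion beats Addition.
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Device:
    friendly_name: str
    user: str
    org_group: str
    user_groups: Set[str]
    ownership: str      # e.g. "Corporate - Dedicated" or "Employee Owned"
    tags: Set[str]
    platform: str       # e.g. "Apple iOS", "Android", "Apple macOS"


@dataclass
class Criteria:
    """One Criteria-type smart group. An empty set means the criterion was
    left unselected and is therefore not applied."""
    org_groups: Set[str] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)
    ownership: Set[str] = field(default_factory=set)
    tags: Set[str] = field(default_factory=set)
    platforms: Set[str] = field(default_factory=set)
    added_devices: Set[str] = field(default_factory=set)      # Additions
    added_users: Set[str] = field(default_factory=set)
    excluded_devices: Set[str] = field(default_factory=set)   # Exclusions
    excluded_users: Set[str] = field(default_factory=set)
    excluded_user_groups: Set[str] = field(default_factory=set)


def matches_criteria(d: Device, c: Criteria) -> bool:
    """Every selected criterion must match; assumption: any selected value matches."""
    checks = [
        (c.org_groups, d.org_group in c.org_groups),
        (c.user_groups, bool(d.user_groups & c.user_groups)),
        (c.ownership, d.ownership in c.ownership),
        (c.tags, bool(d.tags & c.tags)),
        (c.platforms, d.platform in c.platforms),
    ]
    return all(ok for selected, ok in checks if selected)


def is_added(d: Device, c: Criteria) -> bool:
    return d.friendly_name in c.added_devices or d.user in c.added_users


def is_excluded(d: Device, c: Criteria) -> bool:
    return (d.friendly_name in c.excluded_devices or d.user in c.excluded_users
            or bool(d.user_groups & c.excluded_user_groups))


def smart_group_members(devices: List[Device], c: Criteria) -> List[str]:
    """Friendly names the group resolves to (assumption: Exclusion beats Addition)."""
    return [d.friendly_name for d in devices
            if not is_excluded(d, c) and (matches_criteria(d, c) or is_added(d, c))]


def profile_targets(profile_platform: str, devices: List[Device], members: List[str]) -> List[str]:
    """The platform on a profile or policy takes precedence over the smart
    group's platform, so an iOS profile only reaches the group's iOS members."""
    wanted = set(members)
    return [d.friendly_name for d in devices
            if d.friendly_name in wanted and d.platform == profile_platform]


def validate_assignment(assigned: Set[str], excluded: Set[str]) -> None:
    """The console refuses to save a profile or policy that names the same
    group in Assigned Groups and Excluded Groups; surface the clash early."""
    clash = assigned & excluded
    if clash:
        raise ValueError(f"group(s) both assigned and excluded: {sorted(clash)}")


# Constructed sample fleet (not real inventory data).
SAMPLE_DEVICES = [
    Device("ip-001", "jdoe", "Warehouse", {"Warehouse Staff"}, "Corporate - Dedicated", {"forklift"}, "Apple iOS"),
    Device("ip-002", "asmith", "Warehouse", {"Warehouse Staff", "Managers"}, "Corporate - Dedicated", set(), "Apple iOS"),
    Device("an-003", "bkim", "Warehouse", {"Warehouse Staff"}, "Corporate - Dedicated", {"forklift"}, "Android"),
    Device("ip-004", "clee", "Sales", {"Sales"}, "Employee Owned", set(), "Apple iOS"),
    Device("mac-005", "dpark", "Warehouse", {"Managers"}, "Corporate - Dedicated", set(), "Apple macOS"),
]

# Corporate devices in the Warehouse OG, plus one Sales device added by hand,
# minus anyone in the Managers user group.
WAREHOUSE_FLOOR = Criteria(org_groups={"Warehouse"}, ownership={"Corporate - Dedicated"},
                           added_devices={"ip-004"}, excluded_user_groups={"Managers"})


def example_membership() -> List[str]:
    return smart_group_members(SAMPLE_DEVICES, WAREHOUSE_FLOOR)


if __name__ == "__main__":
    members = example_membership()
    print("smart group:", members)
    print("iOS profile reaches:", profile_targets("Apple iOS", SAMPLE_DEVICES, members))
    validate_assignment({"Warehouse Floor"}, {"Managers"})  # distinct groups: saves fine
```

The Sales device enters purely through Additions, the two Managers devices leave purely through Exclusions, and the Android device stays in the group but is skipped by an iOS profile, which is exactly why the Device Preview and View Device Assignment pages are worth checking before you publish.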
How To Make A Smart Group Smartly, Companion Task to the Video
This is a companion task to the video of the same name which appears toward the top of this
page. In one tab of your browser, you can have the video play, pausing as necessary, and in
another tab, scroll through this task which includes all the details left out of the video.
1. Move to the Organization Group You Want to Manage the Smart Group From
Content packages such as device profiles, compliance policies, apps, books, and so on, are
created from and managed by a specific organization group (OG), same as devices. You are able
to include these content packages in a smart group only if you create the smart group from the
same OG the content packages were created from.
Use the OG selector to move to the child OG that contains the content packages (apps, books,
device profiles, compliance policies, and so on) you want to include in the smart group. You can
identify the managed OG for any content package. Select the content package from its List View
and then review the selected Managed By option.
For example, if you want to assign a device profile to your smart group, navigate to Resources >
Profiles & Baselines > Profiles, locate the name of the device profile you want to assign to your
smart group from the listing and see the Managed By column for that profile. This is the OG you
move to before you make your smart group.
Note that you still have access to content created in all parent OGs above the OG you have
moved to. This means you can assign content to the smart group from the OG you are in and
also from all parent OGs above.
2. Create the Smart Group
Once you are in the organization group that contains your targeted content packages, proceed
with making the smart group.
1 Navigate to Groups & Settings > Groups > Assignment Groups.
2 Select the Add Smart Group button. The Create New Smart Group screen displays.
3 Name the smart group like a newspaper headline, a summary of its contents. Naming your smart group in a way that describes the devices themselves makes it possible to assign content to the same smart group any time in the future.
- Be warned that if you give a functional name to the smart group instead of a name that represents the devices themselves, you are more likely to create additional smart groups in the future representing the same set of devices for each new function. This is very wasteful and very taxing on the Workspace ONE UEM console.
- For example...
  - ...if you maintain a single smart group for "Non-Exempt Staff" containing 2500 devices, you can simply assign and unassign content packages as needed throughout your fleet's lifetime. Those 2500 devices can all be served from the same smart group indefinitely.
  - Compare this streamlined practice with having twelve functionally-named smart groups, each containing the same 2500 devices, each with different content assigned to it. The Workspace ONE UEM console must spend an excessive amount of CPU cycles in order to keep up with all those smart groups, slowing everything else down.
  - The time to create a new smart group is when you identify a subset of those 2500 devices that need to be treated differently than the others, for instance, different apps, different policies, different profiles. But even then, name that new smart group in a way that represents the devices themselves, not in a way that describes what you plan to do with them.
4 Select the right Type of Smart Group. Most of the time, the type you want is Criteria, which
offers the greatest flexibility and customization. Only in specific scenarios, such as the training
scenario cited in the video, does Devices and Users make more sense.
5 Select the best Criteria. Hover the mouse pointer over the info badge of each criteria
category and you can see a popup describing how the category filters your device fleet.
6 Select Additions and Exclusions. As stated in the video, these two criteria categories offer
the greatest freedom, even if the added or excluded device goes against every other
category you just defined.
- For example, if you want only Apple iPhones in your smart group, even specifying a version number for iOS, you can defy this rule in the Additions category by adding iPad users and even macOS devices, provided the content assigned is compatible with both iOS and macOS.
- As another example, if you make a smart group that contains devices for all your managers, assigning all manager-only profiles, policies, and apps, you have the freedom to include a device used by a management trainee, for example, preparing them for their new role. Conversely, you can make an Exclusion of a device in the manager pool, making the manager profiles, policies, and apps unavailable to that device. The possibilities are numerous.
3. Assign the Smart Group
There are two different scenarios for when to assign smart groups.
1 Assign the smart group directly after making it.
a Navigate to Groups & Settings > Groups > Assignment Groups
b Locate and select the smart group you just made by inserting a check in the check box to
the left of the listing.
c Select the Assign button. The Assign screen displays.
d Select profiles and policies from the available list, which is based on the organization
group you are currently in. The only device profiles and compliance policies available to
select are 1) those created in the organization group you are currently in and 2) those
created in the same OG as the smart group you selected.
2 Assign the smart group directly after making the content package. This includes not only
device profiles and compliance policies but also apps, books, products, scripts, sensors, and
time windows.
a Navigate to the list view for the content type to which you want to assign the smart
group.
- Native Apps – Navigate to Resources > Apps > Native and select the Public or Internal tab.
- Books – Navigate to Resources > Books > List View and select the Internal, Public, or Purchased tab.
- Compliance Policy – Navigate to Devices > Compliance Policies > List View.
- Device Profile – Navigate to Resources > Profiles & Baselines > Profiles.
- Product Provision – Navigate to Devices > Provisioning > Product List View.
- Scripts – Navigate to Resources > Scripts.
- Sensors – Navigate to Resources > Sensors.
- Time Windows – Navigate to Resources > Time Windows.
b Locate the content or setting from the listing and select the Edit icon from the actions
menu. Alternatively, you might select a check box or radio button to the left of the listing.
c Select the Assign button or Assignment tab, depending upon the design of the screen. Locate and click the Smart Groups text box, then select the smart group from the drop-down menu that displays.
User Groups
You can group sets of users into user groups which, like organization groups, act as filters for
assigning profiles and applications. When configuring your environment in Workspace ONE UEM,
align user groups with security groups and business roles within your organization.
You can assign profiles, compliance policies, content, and applications to users and devices with
user groups. You can add your existing directory service groups into Workspace ONE UEM or
create user groups from scratch.
As an alternative to user groups, you can also manage content by assigning devices according to a preconfigured range of network IP addresses or custom attributes.
User Groups List View
The User Groups List View page features useful tools for common user group maintenance and
upkeep, including viewing, merging, deleting user groups, adding missing users, and syncing user
groups.
You can use the User Groups List View to create lists of user groups immediately, based on the criteria that are most important to you. You can also add new user groups individually or in bulk.
Navigate to Accounts > User Groups > List View.
- Filters – Display only the desired user groups by using the following filters.
  - User Group Type.
  - Sync Status.
  - Merge Status.
- Add – Add User Group. Perform a one-off addition of either a Directory-Based User Group or a Custom User Group.
- Batch Import – Import new user groups in bulk by using a comma-separated values (CSV) file. You can organize multiple user groups at a time by entering a unique name and description.
- Sorting and Resizing Columns – Columns in the List View that are sortable are Group Name, Last Sync On, Users, and Merge Status. Columns that can be resized are Group Name and Last Sync On.
- Details View – View basic user group information in the Details View by selecting the link in the Group Name column. This information includes group name, group type, external type, manager, and number of users. Details View also includes a link to the group-mapping settings in All Settings > Devices & Users > General > Enrollment in the Grouping tab.
- Export – Save an XLSX or CSV (comma-separated values) file of the entire unfiltered or filtered List View. Both file formats can be viewed and analyzed with MS Excel.
The User Groups List View also features a selection check box and Edit icon to the left of the user group. Selecting the Edit icon enables you to make basic changes to the user group. You can make bulk actions on user groups by selecting one or more groups, which reveals the action buttons for the listing.
More Actions for User Groups
You can select more than one user group by selecting as many check boxes as you like. Doing
so modifies the available action buttons and also makes the available actions apply to multiple
groups and their respective users.
Action Description
Sync Copy recently added user group users to the temporary table, manually, ahead of the
scheduled, automated Active Directory sync by Workspace ONE UEM and Workspace ONE
Express.
Note The user attributes synchronization process continues even if a duplicate user is
encountered. When such a sync failure occurs, an entry is made to the console event log
for troubleshooting purposes, called DuplicateUserSyncFailure. Review this and other console
event log entries by navigating to Monitor > Reports and Analytics > Events > Console Events.
View Users Displays the User Group Members screen, enabling you to review the user names of all the
members in the selected user group.
More Actions
View and Merge View, Add, and Remove users recently added to the temporary user group table. User group
users that appear in this table await the automated user group sync in Workspace ONE UEM
and Workspace ONE Express.
Add Missing Users Combine the temporary user group table with the Active Directory table, making the addition
of these new users in the user group official.
Delete Delete a user group.
Add Users to User Groups
You can add users to user groups as the need arises. If you do not want to wait for the Active
Directory synchronization of user groups, which is a scheduled, automatic occurrence, then you
can manually sync user groups.
When you have a new user to add to one or more user groups, follow these steps.
1 Navigate to Accounts > Users > List View.
2 Select one or more users in the listing by inserting a check mark in the check box to the left.
3 Select the More Actions button and then select Add To User Group. The Add Selected Users
Into Custom User Group page displays.
4 You can add users to an Existing User Group or create a New User Group.
5 Select the Group Name.
6 Select Save.
7 Navigate to Accounts > User Groups > List View.
a The Active Directory (AD) synchronization (which is an automated, scheduled process)
copies these pending user group users to a temporary table. Then these user group users
are reviewed, added, or removed.
b If you do not want to wait for the automated AD sync, you can synchronize manually.
Start a manual synchronization by selecting the user group to which you added users,
then select the Sync button.
Note The user attributes synchronization process continues even if a duplicate user is
encountered. When such a sync failure occurs, an entry is made to the console event
log for troubleshooting purposes, called DuplicateUserSyncFailure. Review this and other
console event log entries by navigating to Monitor > Reports and Analytics > Events >
Console Events.
8 You can optionally select More > View and Merge to perform maintenance tasks such as
review, add, and remove pending user group users.
9 Combine the temporary table of pending user group users with the Active Directory user
group users by selecting More > Add Missing Users.
Add User Groups Without Directory Integration, Custom
Creating a user group outside of your existing Active Directory structure allows you to create
specialized groups of users at any time. Customize user groups according to your deployment by
specifically designing access to features and content, which might be preferred depending upon
the kind of user group you need.
For instance, you can create a temporary user group for a specific project requiring specialized
apps, device profiles, and compliance policies.
For more information about adding user groups in bulk, see Batch Import User Groups.
Custom user groups can only be added at a customer level organization group.
1 Navigate to Accounts > User Groups > List View and select Add and then Add User Group.
2 Change the user group Type option to Custom.
3 Enter the Group Name and Description used to identify the user group in the Workspace
ONE UEM console.
4 Confirm the organization group that manages the user group and select Save.
5 You can then add users to this new user group by navigating to Accounts > Users > List
View.
Add multiple users by selecting the check boxes to the far left of each listed user name. Next, select
the More Actions button above the column headings and select Add To User Group.
Add User Groups With Directory Integration
An alternative to custom user groups without Active Directory integration is user group
integration that applies your existing Active Directory structure, which provides many benefits.
Once you import existing directory service user groups as Workspace ONE UEM user groups,
you can perform the following.
n User Management – Reference your existing directory service groups (such as security
groups or distribution lists) and align user management in Workspace ONE UEM with the
existing organizational systems.
n Profiles and Policies – Assign profiles, applications, and policies across a Workspace ONE
UEM deployment to groups of users.
n Integrated Updates – Automatically update user group assignments based on group
membership changes.
n Management Permissions - Set management permissions to allow only approved
administrators to change policy and profile assignments for certain user groups.
n Enrollment – Allow users to enroll with existing credentials and automatically assign an
organization group.
The administrator must designate an existing organization group as the primary root location
from which the administrator manages devices and users. Directory services must be enabled at
this root organization group.
You can add your existing directory service groups into Workspace ONE UEM. While integration
does not immediately create user accounts for each of your directory service accounts, it
ensures that Workspace ONE UEM recognizes them as user groups. You can use this group
to restrict who can enroll.
For more information about adding directory user groups in bulk, see Batch Import User Groups.
Making user groups with directory integration fosters an aligned approach to device
management: device enrollment plus subsequent updates, administrative overview, and user
management are each in lockstep with your existing directory service structure.
Before you begin: Ensure that the user group Type is Directory.
1 Navigate to Accounts > User Groups > List View, select Add then Add User Group.
Setting Description
Type Select the type of User Group.
n Directory – Create a user group that is aligned with your existing Active Directory
structure.
n Custom – Create a user group outside of your organization's existing Active Directory
structure. A custom user group can contain both basic and directory users, so you can
tailor access to features and content to your deployment. Custom user groups can only be
added at a customer level organization group.
External Type Select the external type of group you are adding.
n Group – Refers to the group object class on which your user group is based. Customize
this class by navigating to Groups & Settings > All Settings > System > Enterprise
Integration > Directory Services > Group.
n Organizational Unit – Refers to the organizational unit object class on which your user
group is based. Customize this class by navigating to Groups & Settings > All Settings
> System > Enterprise Integration > Directory Services > Group.
n Custom Query – You can also create a user group containing users you locate by
running a custom query. Selecting this external type replaces the Search Text function
but displays the Custom Query section.
Search Text Identify the name of a user group in your directory by entering the search criteria and
selecting Search to search for it. If a directory group contains your search text, a list of
group names displays.
This option is unavailable when External Type is set to Custom Query.
Directory Name Read-only setting displaying the address of your directory services server.
Domain and Group Base DN This information automatically populates based on the directory services server
information you enter on the Directory Services page (Groups & Settings > All Settings >
System > Enterprise Integration > Directory Services).
Select the Fetch DN plus sign (+) next to the Group Base DN setting, which displays a list
of distinguished name elements from which you can select.
Custom Object Class Identifies the object class under which your query runs. The default object class is 'person'
but you can supply a custom object class to identify your users with greater accuracy.
This option is available only when Custom Query is selected as External Type.
Group Name Select a Group Name from your Search Text results list. Selecting a group name
automatically alters the value in the Distinguished Name setting.
This option is available only after you have completed a successful search with the Search
Text setting.
Distinguished Name This read-only setting displays the full distinguished name of the group you are creating.
This option is available only when Group or Organizational Unit is selected as External
Type.
Custom Base DN Identifies the base distinguished name which serves as the starting point of your query.
The default base distinguished name is 'AirWatch' and 'sso'. However, if you want to run
the query with a different starting point, you can supply a custom base distinguished
name.
This option is available only when Custom Query is selected as External Type.
Setting Description
Organization Group Assignment This optional setting enables you to assign the user group you are creating to a specific
organization group (OG).
n This option is available only when Group or Organizational Unit is selected as External
Type.
n You must select a "Customer" type OG. Assigning the user group to a non-customer
type OG is not allowed.
User Group Settings Select between Apply default settings and Use Custom settings for this user group. See
the Custom Settings section for additional setting descriptions. You can configure this
option from the permission settings after the group is created.
This option is available only when Group or Organizational Unit is selected as External
Type.
Custom Query - Query This setting displays the currently loaded query that runs when you select the Test Query
button and when you select the Continue button. Changes you make to the Custom Logic
setting or the Custom Object Class setting are reflected here.
Custom Logic Add your custom query logic here, such as a user name or admin name. For example,
"cn=jsmith". You can include as much or as little of the distinguished name as you like. The
Test Query button allows you to see whether the syntax of your query is correct before selecting
the Continue button.
Custom Settings - Management Permissions You can allow or disallow all administrators to manage the user group you are creating.
Default Role Select a default role for the user group from the drop-down menu.
Default Enrollment Policy Select a default enrollment policy from the drop-down menu.
Auto Sync with Directory This option enables the directory sync, which detects user membership from the directory
server and stores it in a temporary table. Administrators approve changes to the console
unless the Auto Merge option is selected.
If you want to prevent user groups from automatically syncing during a scheduled sync,
this setting must be deactivated.
Auto Merge Changes Enable this option to apply sync changes automatically from the database without
administrative approval.
Maximum Allowable Changes Use this setting to set a threshold for the number of automatic user group sync changes
that can occur before approval must be given.
Changes beyond the threshold need admin approval and a notification is sent to this
effect.
This option is available only when Auto Merge Changes is enabled.
Add Group Members Automatically Enable this setting to add users to the user group automatically.
If you want to prevent user groups from automatically syncing during a scheduled sync,
this setting must be deactivated.
Setting Description
Send Email to User when Adding Missing Users Enable to send an email to users when missing users are being added to the user group.
Adding missing users means combining the temporary user group table with the Active
Directory table.
Message Template This option is available only when Send Email to User when Adding Missing Users is
enabled.
Select a message template to be used for the email notification during the addition of
missing users to the user group.
When adding Active Directory users new to the Workspace ONE UEM console, the
message template availability depends upon the enrollment mode as configured in
Groups & Settings > All Settings > Devices & Users > General > Enrollment, selecting
Authentication, and making a choice in the Devices Enrollment Mode option.
When Open Enrollment is selected as the Devices Enrollment Mode, a User Activation
email template is available in the Message Template drop-down. This email message
enables the new AD user to enroll.
When Registered Devices Only is selected as the Devices Enrollment Mode, a Device
Activation email template is available in the Message Template drop-down. This email
message enables the new AD user to enroll their devices. If Require Registration Token is
enabled, the device can be registered with the token embedded in the message.
For more information on Distinguished Name, search for Microsoft's TechNet article entitled
"Object Naming" at https://technet.microsoft.com/.
2 Select Save.
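The staged sync described in this chapter (the temporary table, View and Merge, Add Missing Users, Auto Merge Changes with its Maximum Allowable Changes threshold, and the DuplicateUserSyncFailure event) applies to directory user groups and, under the same setting names, to admin groups. The following Python model is an added example written for this page; it is not Workspace ONE UEM code, and the console's sync engine and database are not published here. It assumes that a sync diffs the fetched directory membership against the current console membership, that a repeated entry in the fetched membership is what raises DuplicateUserSyncFailure, and that a Maximum Allowable Changes value of 0 means no cap; the membership lists are constructed. The point it makes concrete: with Auto Merge Changes enabled, the threshold is what keeps a large membership change in the directory, whether an admin mistake or a compromised group, from reaching every device assigned through the group without anyone looking at it.

```python
from dataclasses import dataclass, field


@dataclass
class GroupSettings:
    """The subset of directory group settings modelled here, using the console's names."""
    auto_sync: bool = True            # Auto Sync with Directory
    auto_merge: bool = False          # Auto Merge Changes
    max_allowable_changes: int = 0    # Maximum Allowable Changes; 0 means no cap (assumption)


@dataclass
class SyncResult:
    pending_adds: set                 # users waiting in the temporary table
    pending_removes: set
    merged: bool                      # True when the change set was applied without approval
    needs_approval: bool              # True when an admin must use View and Merge / Add Missing Users
    events: list = field(default_factory=list)   # console event log entries, names as on the page


def stage_changes(current_members: set, directory_members: list, settings: GroupSettings) -> SyncResult:
    """One sync run: diff the directory against console membership and stage the result."""
    events = []
    if not settings.auto_sync:
        events.append("SyncSkipped")
        return SyncResult(set(), set(), False, False, events)

    # A duplicate in the fetched membership is logged and skipped; the sync continues
    # (assumption about what triggers DuplicateUserSyncFailure).
    staged = set()
    for user in directory_members:
        if user in staged:
            events.append(f"DuplicateUserSyncFailure:{user}")
            continue
        staged.add(user)

    adds = staged - current_members
    removes = current_members - staged
    total = len(adds) + len(removes)
    if total == 0:
        return SyncResult(adds, removes, False, False, events)

    within_cap = settings.max_allowable_changes == 0 or total <= settings.max_allowable_changes
    if settings.auto_merge and within_cap:
        return SyncResult(adds, removes, True, False, events)
    if settings.auto_merge:
        # Over the threshold: hold the changes and notify an administrator.
        events.append(f"ApprovalRequired:{total}>{settings.max_allowable_changes}")
    return SyncResult(adds, removes, False, True, events)


def add_missing_users(current_members: set, result: SyncResult) -> set:
    """Add Missing Users: commit the temporary table to the group membership."""
    return (current_members - result.pending_removes) | result.pending_adds


def run_sync(current_members: set, directory_members: list, settings: GroupSettings):
    """Sync and, when Auto Merge permits it, merge. Returns (membership, SyncResult)."""
    result = stage_changes(current_members, directory_members, settings)
    if result.merged:
        return add_missing_users(current_members, result), result
    return set(current_members), result


if __name__ == "__main__":
    # Constructed sample data: "dave" appears twice in the fetched directory membership.
    console = {"alice", "bob", "carol"}
    directory = ["alice", "bob", "dave", "dave", "erin"]
    for settings in (GroupSettings(auto_merge=True, max_allowable_changes=5),
                     GroupSettings(auto_merge=True, max_allowable_changes=2),
                     GroupSettings(auto_merge=False)):
        members, result = run_sync(console, directory, settings)
        print(settings, sorted(members), result.merged, result.needs_approval, result.events)
```

With the threshold at 5 the three changes (two additions, one removal) merge on their own; at 2 they stay in the temporary table until an administrator reviews them with View and Merge and commits them with Add Missing Users, which is the path the manual procedure above walks through.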
Edit Your User Group Permissions
Fine-tuning user group permissions allows you to reconsider who inside your organization can
edit certain groups. For example, if your organization has a user group for company executives,
you might not want lower-level administrators to have management permissions for that user
group.
Use the Permissions page to control who can manage certain user groups and who can assign
profiles, compliance policies, and applications to user groups.
1 Navigate to Accounts > User Groups > List View.
2 Select the Edit icon of an existing user group row.
3 Select the Permissions tab, then select Add.
4 Select the Organization Group you want to define permissions for. You must select an
organization group (OG) that is within the root OG hierarchy of the user group. The OG you
select must also be of a "customer" type. For more information, see Organization Group Type
Functions and Customizations.
5 Select the Permissions you want to enable.
n Manage Group (Edit/Delete) – Activate the ability to edit and delete user groups.
n Manage Users Within Group and Allow Enrollment – Manage users within the user group
and to allow a device enrollment in the OG. This setting can only be enabled when
Manage Group (Edit/Delete) is also enabled. If Manage Group (Edit/Delete) is deactivated,
then this setting is also deactivated.
n Use Group For Assignment – Use the group to assign security policies and enterprise
resources to devices. This setting can only be changed if Manage Group (Edit/Delete) is
deactivated. If Manage Group (Edit/Delete) is enabled, then this setting becomes locked
and uneditable.
n This setting is deactivated when the user group is managed by a parent OG and you
want to assign the group from one of its children OGs.
6 Select the Scope of these permissions, that is, which groups of administrators are allowed to
manage or use this user group. Only one of the following options may be active.
n Administrator Only – The permissions affect only those administrators at the OG selected in step 4.
n All Administrators at or below this Organization Group – The permissions affect the
administrators in the OG and all administrators in all child OGs underneath.
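As an added example, not Workspace ONE UEM code, the following Python evaluates the permission rules in the procedure above for an administrator at a given organization group: the restriction to a Customer-type OG inside the user group's root OG hierarchy, the dependency of Manage Users Within Group on Manage Group (Edit/Delete), and the two Scope options. The OG tree, the OG type names and the permission entries are constructed for the example; the console's own hierarchy is not known to this page, the locking of Use Group For Assignment is not modelled, and combining several entries with OR is an assumption.

```python
from dataclasses import dataclass

# Constructed OG hierarchy: name -> (OG type, parent OG). Not a real tenant.
OG_TREE = {
    "Global": ("Global", None),
    "Acme": ("Customer", "Global"),
    "Sales": ("Container", "Acme"),
    "Sales-EMEA": ("Container", "Sales"),
    "Partner": ("Customer", "Global"),
}

# The two Scope options from step 6.
ADMIN_ONLY = "Administrator Only"
AT_OR_BELOW = "All Administrators at or below this Organization Group"


@dataclass(frozen=True)
class Permission:
    """One row on a user group's Permissions tab."""
    og: str                       # OG selected in step 4
    manage_group: bool            # Manage Group (Edit/Delete)
    manage_users: bool            # Manage Users Within Group and Allow Enrollment
    use_for_assignment: bool      # Use Group For Assignment
    scope: str                    # ADMIN_ONLY or AT_OR_BELOW


def is_at_or_below(og, ancestor, tree=OG_TREE):
    """True when og is ancestor itself or sits anywhere underneath it."""
    while og is not None:
        if og == ancestor:
            return True
        og = tree[og][1]
    return False


def validate(perm, group_root_og, tree=OG_TREE):
    """Enforce the constraints the procedure states; raise ValueError on a bad entry."""
    if perm.og not in tree:
        raise ValueError(f"unknown OG {perm.og!r}")
    if tree[perm.og][0] != "Customer":
        raise ValueError("the OG must be of Customer type")
    if not is_at_or_below(perm.og, group_root_og, tree):
        raise ValueError("the OG must be within the user group's root OG hierarchy")
    if perm.manage_users and not perm.manage_group:
        raise ValueError("Manage Users Within Group requires Manage Group (Edit/Delete)")
    if perm.scope not in (ADMIN_ONLY, AT_OR_BELOW):
        raise ValueError(f"unknown scope {perm.scope!r}")
    return perm


def entry_is_valid(perm, group_root_og, tree=OG_TREE):
    """Boolean form of validate() for callers that do not want the exception."""
    try:
        validate(perm, group_root_og, tree)
        return True
    except ValueError:
        return False


def admin_permissions(admin_og, perms, tree=OG_TREE):
    """Effective rights on the user group for an admin whose account sits at admin_og.

    Entries are combined with OR (assumption): any in-scope entry that grants a right grants it.
    """
    effective = {"manage_group": False, "manage_users": False, "use_for_assignment": False}
    for p in perms:
        if p.scope == ADMIN_ONLY:
            in_scope = admin_og == p.og
        else:
            in_scope = is_at_or_below(admin_og, p.og, tree)
        if not in_scope:
            continue
        effective["manage_group"] |= p.manage_group
        effective["manage_users"] |= p.manage_users
        effective["use_for_assignment"] |= p.use_for_assignment
    return effective


if __name__ == "__main__":
    # The executives example from the text: only admins at Acme itself may edit the
    # group, but admins anywhere under Acme may use it for assignments.
    execs = [
        validate(Permission("Acme", True, True, False, ADMIN_ONLY), "Acme"),
        validate(Permission("Acme", False, False, True, AT_OR_BELOW), "Acme"),
    ]
    for og in ("Acme", "Sales-EMEA", "Partner"):
        print(og, admin_permissions(og, execs))
```

The split between Manage Group and Use Group For Assignment is the least-privilege control here: a help desk administrator in a child OG can target the executives group with a profile without being able to add or remove its members.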
Access User Details
After your users and user groups are in place, you can view all user information regarding user
details, associated devices, and interactions.
Access user information from any location in the Workspace ONE UEM console where the user
name is displayed, including each of the following pages in the console.
n User Group Members (Accounts > User Groups > Details View > More > View Users)
n Users List View (Accounts > Users > List View)
n Administrators List View (Accounts > Administrators > List View).
The User Details page is a single-page view that includes the following.
n All associated user groups.
n All Devices associated with the user over time and a link to all enrolled devices.
n All devices a user has checked-out in a Shared Device Environment and a link to complete
check-in/check-out device history.
n All device- and user-specific event logs.
n All assigned, accepted, and declined Terms of Use.
Encrypt Personal Details
You can encrypt personally identifiable information including first name, last name, email address,
and phone number.
1 Navigate to Groups & Settings > All Settings > System > Security > Data Security from the
Global or Customer-level organization group for which you want to configure encryption.
2 Enable the Encrypt User Information setting, then select individual user data settings to
activate encryption. Doing so deactivates the search, sort, and filter functionality.
3 Click Save to encrypt user data so it is not accessible in the database. Doing so limits some
features in the Workspace ONE UEM console, such as search, sort, and filter.
Admin Groups
Admin groups enable you to assemble subsets of administrator accounts for assigning roles and
permissions beyond the permissions that come from having an admin account in Workspace
ONE UEM powered by AirWatch.
Admin groups can be used to assign roles and permissions granting access to the console that
is specific to a special project. You can add your existing directory service administrators into
admin groups or create admin groups from scratch using custom queries.
For example, if you have a new business directive, you might need to assign special admin
access to a group of training facilitators. You might create an admin group, run a custom query
for training facilitators, and assign a role that is specific to the new business effort. For more
information, see
Admin Accounts.
Admin Groups List View
The Admin Groups List View page features useful tools for common admin group maintenance
and upkeep, including adding, viewing, merging, and deleting admin groups and adding missing
users.
View this page by navigating to Accounts > Administrators > Admin Groups.
Display the Edit Admin Group page by selecting the hypertext name in the Group Name column
of the list view. Use this page to change the name of the admin group. You can also add and
remove roles that are applicable to group members. For more information, see Admin Roles.
Display the Admin Group Members listing by selecting the hypertext link number in the Admin
column. This listing shows you the names of all the administrators in the admin group.
You can also download an XLSX or CSV (comma-separated values) file of the Admin Groups List
View. You can then view and analyze this file with MS Excel. Select the Export button and choose
a download location.
Access the following actions and maintenance functions by selecting the radio button next to the
group name.
Action Description
Sync Copy recently added admin group users to the temporary table, manually, ahead of the
scheduled, automated Active Directory sync by Workspace ONE UEM.
More Actions
Action Description
View and Merge View, Add, and Remove users recently added to the temporary admin group table. Admin
group administrators that appear in this table await the automated Workspace ONE UEM
admin group sync.
Delete Delete an admin group.
Top, Up, Down, Bottom You can edit the ranking of each admin group as it appears in the listing. Moving the groups in
this way is useful for when you have more admin groups than a single page can display.
Add Missing Users Combine the temporary admin group table with the Active Directory table, making the
addition of these new admins in the group official.
Add Admin Groups
You can add admin groups in Workspace ONE UEM powered by AirWatch to assign additional
roles and permissions to your admins for special projects by taking the following steps.
1 Navigate to Accounts > Administrators > Admin Groups and select Add. Complete the
applicable settings.
Setting Description
External Type Select the external type of admin group you are adding.
n Group – Refers to the group object class on which your admin group is based.
Customize this class by navigating to Groups & Settings > All Settings > System >
Enterprise Integration > Directory Services > Group.
n Organizational Unit – Refers to the organizational unit object class on which your
admin group is based. Customize this object class by navigating to Groups & Settings >
All Settings > System > Enterprise Integration > Directory Services > Group.
n Custom Query – You can also create an admin group containing administrators you
locate by running a custom query. Selecting this external type replaces the Search Text
function but displays the Custom Query section.
Directory Name Read-only setting displaying the address of your directory services server.
Domain and Group Base DN This information automatically populates based on the directory services server
information you enter on the Directory Services page (Groups & Settings > All Settings >
System > Enterprise Integration > Directory Services).
Select the Fetch DN plus sign (+) next to the Group Base DN setting, which displays a list
of distinguished name elements from which you can select.
Search Text Enter the search criteria to identify the name of an admin group in your directory and
select Search to search for it. If a directory group contains your search text, a list of group
names displays.
Also, you can apply default roles to the admin group you are creating. After a successful
search is run, select the Roles tab and then select the Add button to add a new role. Or
edit an existing role by changing the Organization Group and Role selection.
This setting is available only when Group or Organizational Unit is selected as the External
Type.
Custom Object Class Identifies the object class under which your query runs. The default object class is 'person'
but you can supply a custom object class to identify your admins with greater accuracy.
This setting is available only when Custom Query is selected as External Type.
Setting Description
Custom Base DN Identifies the base distinguished name which serves as the starting point of your query.
The default is 'airwatch' and 'sso' but you can supply a custom base distinguished name if
you want to run the query from a different starting point.
This setting is available only when Custom Query is selected as External Type.
Group Name Select a Group Name from your Search Text results list. Selecting a group name
automatically alters the value in the Distinguished Name setting.
This setting is available only after you have completed a successful search with the Search
Text setting.
Distinguished Name Read-only setting that displays the full distinguished name of the admin group you are
creating.
This setting is available only after you have completed a successful search with the Search
Text setting.
Rank Read-only setting that displays the rank of the admin group once it is created. You can
change an admin group's rank by navigating to Groups & Settings > Groups > Admin
Groups and moving its relative position using the More action button to the right of the
admin group listing.
Auto Sync This option enables the directory sync, which detects user membership from the directory
server and stores it in a temporary table. An administrator approves all changes to the
console unless the Auto Merge option is enabled.
Auto Merge Enable this option to apply sync changes automatically from the database without
administrative approval.
Maximum Allowable Changes Use this setting to set a threshold for the number of automatic admin group sync changes
that can occur before approval must be given.
This option is available only when Auto Merge is enabled.
Add Group Members Automatically Enable this option to add administrators automatically to the admin group.
Time Zone Enter the time zone associated with the admin group. This required setting impacts when
the scheduled, automated Active Directory sync runs.
Locale Select the localization setting (language) associated with the admin group. This setting is
required.
Initial Landing Page Enter the initial landing page for administrators in the admin group. The default setting for
this required setting is the Device Dashboard but you can set it to any page of your choice.
Custom Query
Query This setting displays the currently loaded query that runs when you select the Test Query
button and when you select the Continue button. Changes you make to the Custom Logic
option or the Custom Object Class setting are reflected here.
Custom Logic Add your custom query logic here, such as an admin name. For example, "cn=jsmith". You
can include as much or as little of the distinguished name as you like. The Test Query
button allows you to see if the syntax of your query results in a successful search before
selecting the Continue button.
For more information on Distinguished Name, search for Microsoft's TechNet article entitled
"Object Naming" at https://technet.microsoft.com/.
2 Select Save.
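The Custom Query settings for directory user groups and admin groups (Custom Object Class, Custom Base DN and Custom Logic) combine into a single LDAP search. The following Python example is added for this page and is not Workspace ONE UEM code. It assumes the console searches the subtree under the Custom Base DN for entries matching (&(objectClass=<Custom Object Class>)(<Custom Logic>)), which is the natural reading of the read-only Query field but is not confirmed here. The directory entries are constructed so the example runs offline, and the parser covers only equality, presence, &, | and !. It also shows why a value pasted into Custom Logic from an untrusted source, such as a user name, must be escaped as in RFC 4515: an unescaped * turns a one-user query into one that matches every person under the base DN.

```python
import re

# Constructed sample directory. Attribute names are lower-cased, values are lists.
DIRECTORY = [
    {"dn": "cn=jsmith,ou=Staff,dc=example,dc=com", "objectclass": ["person"],
     "cn": ["jsmith"], "memberof": ["cn=Trainers,ou=Groups,dc=example,dc=com"]},
    {"dn": "cn=mjones,ou=Staff,dc=example,dc=com", "objectclass": ["person"],
     "cn": ["mjones"], "memberof": ["cn=Trainers,ou=Groups,dc=example,dc=com"]},
    {"dn": "cn=rlee,ou=Staff,dc=example,dc=com", "objectclass": ["person"],
     "cn": ["rlee"], "memberof": []},
    {"dn": "cn=Trainers,ou=Groups,dc=example,dc=com", "objectclass": ["group"],
     "cn": ["Trainers"]},
    {"dn": "cn=jsmith,dc=other,dc=com", "objectclass": ["person"], "cn": ["jsmith"]},
]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter assertion."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def custom_logic_for_user(username: str) -> str:
    """Custom Logic built from untrusted input: escape before pasting it into the field."""
    return f"cn={ldap_escape(username)}"


def build_query(object_class: str, custom_logic: str) -> str:
    """Mirror the Query field: object class AND custom logic (assumption about the console)."""
    logic = custom_logic if custom_logic.startswith("(") else f"({custom_logic})"
    return f"(&(objectClass={object_class}){logic})"


def _parse(filt: str, i: int = 0):
    """Recursive-descent parser for the filter subset used here; returns (node, next index)."""
    if i >= len(filt) or filt[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if filt[i] in "&|!":
        op, children, i = filt[i], [], i + 1
        while i < len(filt) and filt[i] == "(":
            node, i = _parse(filt, i)
            children.append(node)
        if i >= len(filt) or filt[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed filter")
        return (op, children), i + 1
    j = filt.index(")", i)           # a ')' inside a value is always hex-escaped
    attr, sep, val = filt[i:j].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad assertion {filt[i:j]!r}")
    return ("=", attr.lower(), val), j + 1


def _matches(node, entry) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, val = node
    values = entry.get(attr, [])
    if val == "*":                    # presence test; an escaped \2a is a literal asterisk
        return bool(values)
    wanted = _unescape(val).lower()
    return any(v.lower() == wanted for v in values)


def _in_subtree(dn: str, base_dn: str) -> bool:
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def run_query(base_dn: str, object_class: str, custom_logic: str, directory=DIRECTORY):
    """Return the DNs that the settings would load into the group."""
    query = build_query(object_class, custom_logic)
    tree, end = _parse(query)
    if end != len(query):
        raise ValueError("trailing characters in filter")
    return [e["dn"] for e in directory if _in_subtree(e["dn"], base_dn) and _matches(tree, e)]


if __name__ == "__main__":
    base = "dc=example,dc=com"
    print(run_query(base, "person", "memberOf=cn=Trainers,ou=Groups,dc=example,dc=com"))
    print(run_query(base, "person", "cn=*"))                    # every person under the base
    print(run_query(base, "person", custom_logic_for_user("*")))  # nobody: the * is escaped
```

The memberOf query is the training-facilitators case from the Admin Groups introduction: the Custom Object Class restricts the search to person objects, the Custom Base DN keeps the same cn from another tree out of the result, and the Test Query button is where you would confirm the filter parses before selecting Continue.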
View Assignments
As a convenience, you can preview and confirm the device profiles, apps, books, channels,
and compliance policies that are included in (and excluded from) the assigned groups within
Workspace ONE UEM powered by AirWatch.
Procedure
1 Navigate to the group listing in Groups & Settings > Groups > Assignment Groups and locate
a group that has been assigned to at least one entity.
2 In the Assignments column, select the hyperlinked number to open the View Assignments
page. This page displays only those categories that contain Assignments or Exclusions in the
group.
What to do next
Above the header row in the View Assignments screen, you can use the Refresh button, the
Export button, and the Search List text box to help you locate and confirm that the specific
profile, app, book, channel, and compliance policy has been assigned.
7 Configurations
Configurations are a curated list of settings pages that are categorized, searchable, and logically
organized. You can identify and jump directly to essential settings pages in Workspace ONE
UEM powered by AirWatch and Workspace ONE Express. Get started by navigating to Groups &
Settings > Configurations.
Each Configuration can be inspected by selecting the arrow (>) at the left of its row to expand the row
and reading the description. Once expanded, you can also read the official documentation on the
Configuration by selecting the Learn More button.
Searchable
You can search for Configurations and categories by making entries in the search bar located
above the listing.
Categorized
All the Configurations are categorized by attributes and use cases so you can quickly locate the
ones you need the most. Clicking on categories acts like a filter, eliminating Configurations from
view that are not part of the selected category. To clear out selected categories and reset the
view, click the 'x' next to the category name or select the Reset button above the search bar.
Portable Categories
You can share Configuration categories with other administrators that include category
combinations. For example, if you select Platform Setup, Apple, and Enrollment, you can share
this combination of categories by copying the URL in the address bar of your browser.
8 Console Monitor
The Console Monitor in Workspace ONE UEM is your central portal for fast access to critical
information. With its colorful bar and donut graphs, you can quickly identify important issues and
act from a single location.
Selecting any bar or donut graph on the page displays the Device List View. This list view
contains all the devices specific to the metric you selected. You can then perform actions such as
sending a message to those devices.
For example, select the Antivirus Status donut graph. Within seconds, the Device List View
displays with a list of devices whose lack of antivirus software has triggered a policy violation.
Select all the devices in this list by clicking the check box to the far left of each device. You can
also select the "select all" check box below the Add Device button. The action button cluster
displays above the listing. Select the Send button to send a message to the users of the selected
devices. You can select an Email, a push notification, or an SMS text message.
The Monitor > Overview page provides summary graphs and detailed views.
n Devices – View the exact number of devices.
n Status breakdown of all devices including registered, enrolled, enterprise wipe pending,
device wipe pending and unenrolled.
n Platform breakdown of devices enrolled in Workspace ONE UEM.
n Enrollment history over the past day, past week, and past month.
n Compliance – View which devices are violating compliance policies.
n All compliance policies currently violated by devices, including apps, security settings,
geolocation, and more.
n Top violated policies, covering all types of compliance policies established.
n Denylisted Apps, including all denylisted apps installed on devices, ranked by order of
instances of violation.
n Devices lacking the apps that you want to be installed and ready for your users.
n Profiles – View which profiles are out of date.
n Latest Profile Version, including devices with old versions of each profile.
n Apps – View which applications are associated with devices.
n Latest Application Version, including devices with old versions of each application.
n Most Installed Apps, ranked by devices that have the application currently installed.
For more information see, Tracking and Monitoring Your Application Deployment.
n Content – View devices with content that is out of date.
n Latest Content Version, including each file that is out of date ranked by order of instance.
n Email – View devices that are currently unable to receive email.
n Devices Blocked from email, including devices blocked by default, denylisted or
unenrolled.
n Certificates – View which certificates are set to expire.
n Certificates expiring within one month, one to three months, three to six months, six to 12
months and greater than 12 months. Also, view certificates that have already expired.
The set of devices shown varies depending on your current organization group, including all
devices in child organization groups. Switch to lower organization groups and automatically
update device results by using the organization group drop-down menu.
Toggle between views by selecting the List View icon and the Chart View icon. Select any
metric to open the Device List View for that specific set of devices. You can then perform actions
such as sending a message to those devices.
Customize the Monitor by selecting the Available Sections icon. Select or deselect check
boxes representing available sections (Devices, Compliance, Profiles, and so on) and select Save
to craft the Monitor Overview.
Intelligence
Note: You must have a Cloud Services account to access Workspace ONE Intelligence.
Custom reporting and advanced analytics from Workspace ONE Intelligence can provide you
with deeper insights about your device fleet. Such insights include enhanced visibility on
performance issues, highly effective planning tools, and faster deployment times.
Ensure that you are in a customer type organization group, then navigate to Monitor >
Intelligence, select the Next button to see how Intelligence works, and opt in to take advantage
of the service.
You can opt out of Intelligence custom reporting at any time.
For more information about Workspace ONE Intelligence, see the VMware Workspace ONE
Intelligence Products guide.
IMPORTANT: Limiting the number of administrators that can change the Workspace ONE
Intelligence opt-in setting prevents data collection oversights and sync errors. If you want to
prevent admins from changing the opt-in setting, then you must edit the role that is used by
those admins to allow "Read-Only" access to Intelligence.
Note that any changes you make to an admin role apply to all admins who are assigned that
role. If you want the access changes to affect only a subset of admins, then you must make a
copy of the original admin role, update the Intelligence permission to "Read-Only", and assign this
role copy to your targeted admins.
- These admins keep all the same access as before, just with read-only access to the
Intelligence Opt-in setting.
Take the following steps to change the role used by these admins.
1 Navigate to Accounts > Admin > Roles.
2 Locate the name of the role you want to change.
- If you are making a copy of this role, then enable the check box to the left of the role
name and select the Copy button that displays above the listing. The Copy Role screen
displays.
- If you are not making a copy, then select the edit icon. The Edit Role screen
displays.
3 In the Categories panel, scroll down and select Monitor, then select Intelligence, then select
the Read checkboxes and deselect the Edit checkboxes.
4 Select Save.
The new role assignments are not applied until the next time these admins log in.
Admin Panel Dashboard
The Admin Panel provides an overview of module license information and deployed Workspace
ONE UEM components condensed into two separate sections, Active Products and Deployed
Components.
Access the Admin Panel by navigating to Monitor > Admin Panel. The Admin Panel can only be
accessed from a Customer type organization group.
The Active Products section identifies active products and displays summarized license
information, including license model and license type.
The Deployed Components section features a panel for every enabled component at the
customer organization group, each reporting the connectivity status.
App and Profile Monitor
Track the deployment of an application or profile to end-user devices with the App and Profile
Monitor. This monitor provides at-a-glance information on the status of your deployments.
1 Navigate to Monitor > App and Profile Monitor.
2 In the search field, enter the name of the app or profile. You must select the Enter key on
your keyboard to start the search.
3 Select the app or profile from the drop-down menu and select the Add button.
The app or profile data displays on a card. You can only have five cards added at one time.
The App and Profile Monitor displays the current deployment status for devices during a
deployment. The status combines different app and profile installation statuses into Done,
Pending, or Incomplete.
Industry Templates for iOS
An Industry Template is a collection of mobile applications and device profiles that you can push
to your devices, greatly expediting the deployment process.
You can select templates in support of industries such as healthcare and retail and you can edit
these templates to fit your needs. For more information, see Apple Industry Templates.
Reports and Analytics
Workspace ONE UEM lets you access detailed information about the devices, users, and
applications in report form that you can analyze with Excel. For more information, see Reports
and Analytics.
9 Console Notifications
Notifications are a communication tool designed to keep you informed about events that can
impact your operation of Workspace ONE UEM. The Notifications button is next to the Global
Search magnifying glass icon.
There are many different kinds of notifications.
- Application APNs Certificate Expiration – You are notified 30 days before APNs for
Applications expire, which is a Critical Priority alert. This notification helps you avoid the
hassles involved with expired certificates and keeps the apps functional on your devices.
- App Removal Protection – This High Priority alert displays when the Application Removal
threshold is crossed. You can act by selecting the Review App Removal link on the
Notifications pop-up.
- Device App Log Storage Alert – This notification is a High Priority alert which displays
when your storage log exceeds 75% of its capacity. Purge your logs or increase the limit
by contacting your support representative. This alert can be dismissed.
- Enterprise App Repository Updates – This notification is an informational alert which displays
when there is an App Update Available from the curated catalog of enterprise apps that you
can apply to devices in your fleet.
- List View Export – This notification appears when the Device or User list view export you
requested completes and is ready for examination. This notification is an Info Priority level
and can be dismissed.
- Maintenance and Upgrade Notifications – These bell icon notifications are informational
alerts that let you know when an upgrade or maintenance patch is available. It includes
notifications for Workspace ONE UEM and Workspace ONE Assist.
Console banner notifications are informational alerts that let you know when an upgrade
patch is available or when a maintenance event is planned or unplanned. The console banner
notifications shown are visible to all SaaS admins and include the following subcategories.
  - Maintenance
  - Outages
  - SaaS Product Announcements
  - Upgrade
- MDM APNs Expiring – You are notified 30 days before APNs for MDM certificates expire,
which is a Critical Priority alert. After the APNs certificate expires, the Critical Priority alert is
reduced to a High Priority alert. This notification helps you avoid the hassles involved with
expired certificates and keeps your devices in contact with Workspace ONE UEM.
- Peer-to-Peer Server Update Required – You are notified when a new version of the
peer-to-peer server becomes available, so that you can upgrade your server to avoid service
disruptions.
- Provisioning Profile Expiration – You are notified when a provisioning profile containing
applications expires, requiring you to regenerate the provisioning profile and update it. This
notification is a Critical priority level and cannot be dismissed.
- Token (DEP) Errors – You are notified when DEP synchronization fails due to an expired DEP
token.
- Token (VPP and DEP) Expiration – You are notified when a token is due to expire, so you
can renew the token and avoid service disruption.
- User Group Merge Pending – This notification lets you know that the User Group Merge
process is pending and in need of admin approval. Such notification happens in two
scenarios:
  - You have the Auto Merge Changes setting deactivated on your Directory-based User
Group, which means all changes need approval.
  - You have Auto Merge Changes enabled and the number of changes exceeds the
Maximum Allowable Changes threshold. The portion of changed user group info beyond
the maximum requires admin approval.
- VPP App Auto Update – High priority alerts that notify you when an application installed with
Apple Volume Purchase Program has an updated version you can install.
Manage Console Notifications
When there are active notifications that require your attention, a numeral badge appears on
the Notifications icon indicating the number of active alerts. Display the Notifications pop-up by
selecting this bell-shaped icon.
You can manage the notifications you receive. This management includes viewing the list of
active alerts, Renewing your APNs, Dismissing expired alerts, viewing the list of dismissed alerts,
and Configuring Notification Settings.
Each alert displays the organization group under which the APNs for an MDM certificate is
located. The alert also shows the expiration date of the certificate and a link to Renew your
APNs.
- View Active Alerts – The default view displays the list of active alerts.
- Renew your APNs – Displays the Change Organization Group (OG) screen. This screen
appears when the OG that manages the device with the impending license expiration is
different from the OG you are currently in. Renew this APNs license by selecting Yes to
change your OG automatically.
Renew the license and keep the device in contact with Workspace ONE UEM by following the
instructions on the APNs For MDM settings page.
- Dismiss Alert – Close the expired alert and send it to the Dismissed alert listing by selecting
the X button. You cannot close critical priority notifications.
- Dismiss All – Close all active alerts and send them to the Dismissed alert listing.
- View Dismissed Alerts – View the listing of dismissed alerts by selecting the Dismissed tab at
the top of the Notifications pop-up.
Configure Notifications Settings
Use the Notifications settings on the Account Settings page to enable or deactivate APNs
Expiration alerts, select how to receive alerts, and change the email to which it sends alerts.
1 Select the Account drop-down, which is accessible from almost every page on the
Workspace ONE UEM console, then select Manage Account Settings and select the
Notifications tab.
You can also access the notification settings page by selecting the gear icon located in the
lower-right corner of the Notifications pop up screen.
2 Select your notification method when each of the following events occurs.
The available settings and their descriptions are as follows.
- MDM APNs Expiring – This notification helps you avoid the hassles involved with expired certificates and keeps your devices in contact with Workspace ONE UEM.
- List View Export – You can trigger an alert when the exportation of a User List View or Device List View is complete.
- User Group Merge – You can trigger an alert when the Active Directory database changes sync with Workspace ONE UEM and you have Auto Merge Changes deactivated.
- VPP App Auto Update – You can trigger an alert when an application installed with Apple Volume Purchase Program has an updated version you can install.
- Application APNs Certificate Expiration – This notification helps you avoid the hassles involved with expired certificates and keeps applications functional on your devices.
- Provisioning Profile Expiration – You are notified when a provisioning profile containing applications expires, requiring you to regenerate the provisioning profile and update it.
- Apple Business Manager Device Token Expiring – You are notified when a DEP token is due to expire and that you can renew to avoid disruption.
- Apple Business Manager Location Token Expiring – You are notified when a location token is due to expire and that you can renew to avoid disruption.
- Apple Business Manager Device Token Error – You are notified when DEP synchronization fails due to an expired DEP token.
- API Utilization – You are notified when the number of API (Application Programming Interface) calls reaches 50%, 75%, 90%, and 100% of the daily API limit.
- Enterprise App Repository Updates – You are notified when an application in your catalog of curated enterprise apps has an update that can be applied to devices.
3 For each event, select between None, Console, Email, and Console and Email, unless
specified otherwise.
Selections of Email and Console and Email require you to enter at least one email address in
the Send email(s) to: text box. You can enter multiple email addresses separated by commas.
4 Save or Cancel your changes.
10 Event Logs
Events are records of administrative and device actions that the Workspace ONE UEM console
stores in logs. Export event logs as CSV files. You can also configure the Workspace ONE UEM
console to send the event logs to your Security Information and Event Management tools or
Business Intelligence systems.
The event logs show both device events and Workspace ONE UEM console events. Device
events show the commands sent from the console to devices, device responses, and device
user actions. Console events show actions taken from the Workspace ONE UEM console
including login sessions, failed login attempts, admin actions, system settings changes, and user
preferences.
You can filter the date range, severity level, category, or module.
Severity levels include the following descriptions.
- Critical – Indicates a failure in a primary Workspace ONE UEM console system.
- Error – Indicates a failure in a non-primary Workspace ONE UEM console system.
- Warning – Indicates an issue in the future if action is not taken.
- Notice – Indicates unusual conditions.
- Information – Indicates normal operational data.
- Debug – Indicates useful information for troubleshooting.
Note: If your selected Date & Time option returns more than 10,000 events, then a banner
message displays recommending that you select a smaller date range. If you prefer a larger date
range, then run an event report for each of several child OGs rather than a single event report on a
single parent OG.
Console Events
Console events show MDM actions from the Workspace ONE UEM console that include the
following examples: Login sessions, Failed login attempts, Admin actions, System settings
changes, and User preferences.
1 Navigate to Monitor > Reports and Analytics > Events > Console Events.
2 Apply a filter to the list of console events.
Choose from:
- Date & Time (see Note above)
- Severity
- Category
- Module
3 View details of a specific console event by selecting the Event option.
Device Events
Device events are a listing of several different kinds of events logged by the system. It lists
Mobile Device Management (MDM) commands to devices, device responses, and device user
actions. You can filter the log by date range, the severity level, category, or module.
Severity levels for device events include the following descriptions.
- Emergency – Indicates a catastrophic MDM failure requiring immediate attention.
- Alert – Indicates a failure of a foundational MDM system requiring attention.
- Critical – Indicates a failure in a primary MDM system.
- Error – Indicates a failure in a non-primary MDM system.
- Warning – Indicates an issue in the future if action is not taken.
- Notice – Indicates unusual conditions.
- Information – Indicates normal operational data.
- Debug – Indicates useful information for troubleshooting.
Examine device event logs by taking the following steps.
1 Navigate to Monitor > Reports and Analytics > Events > Device Events.
2 Apply a filter to the list of device events.
Choose from:
- Date & Time (see Note above)
- Severity
- Category
- Module
3 View details of a specific device event by selecting the Event option.
4 View details of a specific device by selecting the Device Friendly Name option.
5 You can Add Device, Edit options, and Change Organization Group by selecting the
Enrollment UserName option.
Change Syslog Settings
You can make Syslog setting changes. Navigate to the settings page at Groups & Settings > All
Settings > System > Enterprise Integration > Syslog.
Alternatively, you can select the Syslog menu item at Monitor > Reports and Analytics > Events
> Syslog.
For more information, see Syslog Integration.
Change Event Settings
You can change the minimum logging level for events. Navigate to Groups & Settings > All
Settings > Admin > Events and select the Event Settings button.
Set the minimum log level for Device and Console events. Events that meet the selected levels
and above for both Device and Console are captured and stored by the Workspace ONE
UEM database and displayed in the Workspace ONE UEM console on the Monitor > Reports
& Analytics > Events > Device Events and Console Events pages.
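The event-log triage below is an added example, not VMware code: it reads a constructed console-event CSV export, applies a minimum severity level using the console severity ordering listed in this chapter, and flags bursts of failed login attempts. The column names (Timestamp, Severity, Category, Module, Event, User) are assumptions, not the documented export format.

```python
"""Triage a Workspace ONE UEM console-event export (added example)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Console-event severities in ascending order, as listed in this chapter.
CONSOLE_SEVERITIES = ["Debug", "Information", "Notice", "Warning", "Error", "Critical"]
# Device events add two levels above Critical.
DEVICE_SEVERITIES = CONSOLE_SEVERITIES + ["Alert", "Emergency"]

# Constructed sample export (not real data; column names are an assumption).
SAMPLE_CSV = """Timestamp,Severity,Category,Module,Event,User
2022-09-01T08:00:12Z,Information,Login,Console,LoginSuccess,alice
2022-09-01T08:03:40Z,Warning,Login,Console,LoginFailed,bob
2022-09-01T08:04:02Z,Warning,Login,Console,LoginFailed,bob
2022-09-01T08:04:30Z,Warning,Login,Console,LoginFailed,bob
2022-09-01T08:05:11Z,Information,Login,Console,LoginSuccess,bob
2022-09-01T09:15:00Z,Notice,SystemSettings,Console,SettingChanged,alice
2022-09-01T10:00:00Z,Debug,Sync,Console,DirectorySyncTick,system
2022-09-01T11:30:00Z,Error,Sync,Console,DirectorySyncFailed,system
"""


def parse_events(text):
    """Parse the CSV export into dicts with a real datetime in Timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Timestamp"] = datetime.strptime(row["Timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def at_or_above(events, minimum, scale=CONSOLE_SEVERITIES):
    """Keep events whose severity meets the minimum level, mirroring the
    Event Settings minimum log level described in this chapter."""
    floor = scale.index(minimum)
    return [e for e in events if scale.index(e["Severity"]) >= floor]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: count} for users with >= threshold LoginFailed events
    inside a sliding time window."""
    per_user = defaultdict(list)
    for e in events:
        if e["Event"] == "LoginFailed":
            per_user[e["User"]].append(e["Timestamp"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def count_by_severity(events):
    """Count events per severity, useful before deciding a minimum level."""
    counts = defaultdict(int)
    for e in events:
        counts[e["Severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    print(count_by_severity(evs))
    print(len(at_or_above(evs, "Warning")), "events at Warning or above")
    print(failed_login_bursts(evs))
```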
11 Freestyle Orchestrator
Fulfill a specific goal regarding your device by creating a customized workflow with the Freestyle
Orchestrator. You can install resources (like apps, scripts, and profiles) based on conditions that
you define.
Note: The Freestyle Orchestrator is currently available for macOS and Windows devices only.
Custom Workflows Made Easy
Freestyle Orchestrator is a no-code IT orchestration platform that gives you drag and drop ease
and flexibility to create workflows using the resources, condition, and group features.
Resources As Building Blocks
Resources can be installed on a device, like an app, device profile, or script (Windows PowerShell
or macOS Shell Script). Resources can also be a mechanism native to the device, like a sensor.
When you make a Freestyle Workflow, you gain the power to leverage all these resources to
accomplish a task that you define.
Navigate to Resources and configure apps, profiles, scripts, and sensors to use within a workflow
and apply them to devices based on granular criteria.
For more information, see the Freestyle Orchestrator Guide.
12 Other Enterprise Systems for Integration
Take advantage of advanced MDM functionality by integrating your environment for Workspace
ONE UEM powered by AirWatch with existing enterprise infrastructures including directory
services, email management with SMTP, and content management repositories.
- Email Relay (SMTP) – Provide security, visibility, and control for mobile email.
- Directory Services (LDAP/AD) – Take advantage of existing corporate groups to manage
users and devices.
- Microsoft Certificate Services – Use existing Microsoft certificate infrastructure for a
Workspace ONE UEM deployment.
- Simple Certificate Enrollment Protocol (SCEP PKI) – Configure certificates for Wi-Fi, VPN,
Microsoft EAS, and more.
- Email Management Exchange 2010 (PowerShell) – Securely connect Workspace ONE UEM
to enforce policies with corporate email servers.
- BlackBerry Enterprise Server (BES) – Integrate with BES for streamlined BlackBerry
management.
- Third-party Certificate Services – Import certificate management systems to be managed
within the Console.
- Lotus Domino Web Service (HTTPS) – Access Lotus Domino content and features through
your AirWatch deployment.
- Content Repositories – Integrate with SharePoint, Google Drive, SkyDrive, file servers, and
network shares.
- Syslog (Event log data) – Export event log data to be viewed across all integrated servers
and systems.
- Corporate Networks – Configure Wi-Fi and VPN settings, and provision device profiles with user
credentials for access.
- Security Information and Event Management (SIEM) – Record and compile device and
console data to ensure security and compliance with regulations and corporate policies.
For more information on how to integrate Workspace ONE UEM with these infrastructures, see
Workspace ONE Access Documentation. See also VMware Tunnel Admin Guide, the AirWatch
Logging Guide, and the AirWatch Installation Guide, each available on docs.vmware.com. You
can also search for these topics on docs.vmware.com.
13 Role-based Access
You can make roles that grant specific kinds of access to Workspace ONE UEM powered by
AirWatch. You define roles for individual users and groups based on the UEM console access levels
you find useful.
For example, help desk administrators within your enterprise might have limited access within the
console, while the IT Manager has a greater range of permissions. For details about this example,
see the use case How Do You Create a Restrictive Help Desk Admin and Add a Role Giving It
Specific Functions.
To enable role-based access control, you must first set up administrator and user roles within the
UEM console. Specific resources, also known as permissions, define these roles which enable and
deactivate access to various features within the UEM console. You can create user roles granting
access to the Self-Service Portal.
Since roles (and specifically resources or permissions) determine what users and admins can
and cannot do in the UEM console, grant the correct resources or permissions with care. For
example, if you require admins to enter a note before a device can be enterprise wiped, the role
must have not only the permission to enterprise wipe a device but also the permission to add a note.
Roles are important to maintaining the security of your device fleet. For example, creating
staging users is an elevated administrator privilege. Treat staging user credentials the
same as administrator credentials and do not disclose them.
Default and Custom Roles
There are several default roles already provided by Workspace ONE UEM powered by AirWatch
from which you can select. These default roles are available with every upgrade and help quickly
assign roles to new users. You can tailor the user privileges and permissions further if you require
more customization.
Unlike default roles, custom roles require manual updates with every Workspace ONE UEM
upgrade.
Each type of role includes inherent advantages and disadvantages. Default Roles save time in
configuring a brand new role from scratch, logically suit various administrative privileges, and
automatically update alongside new features and settings. However, Default Roles might not be a
precise fit for your organization or MDM deployment, which is why Custom Roles are available.
Default End-User Roles
Roles are available by default to device users in the Unified Endpoint Management Console.
- Full Access Role – Provides full access to the Self-Service Portal.
- Basic Access Role – Provides all permissions except MDM commands from the Self-Service
Portal.
Custom Roles allow you to customize as many unique roles as you require, and to tweak large
or small changes across different users and administrators. However, you must manually maintain
custom roles over time and update them with new features.
Edit a Default End-User Role to Create a Custom User Role
If none of the available default roles provide the proper fit for your organization, consider
modifying an existing user role and creating a custom user role.
Create a custom end-user role by editing a default role included with the UEM console.
1 Ensure that you are currently in the organization group you want the new role to be
associated with.
2 Navigate to Accounts > Users > Roles.
3 Determine which role from the list best fits the role you want to create. Then edit that role by
selecting the edit icon to the far right. The Add/Edit Role page displays.
4 Edit the Name, Description, and Initial Landing Page text boxes as necessary. Review
each of the check boxes, which represent the various permissions, and select or deselect
them as necessary.
5 Select Save.
Default Administrator Roles
The following roles are available by default to administrators in the Workspace ONE UEM
console.
Use the Admin Role Compare tool to compare the specific permissions of two admin roles. For
more information, see Create Administrator Role.
The default roles and their descriptions are as follows.
- System Administrator – The System Administrator role provides complete access to a Workspace ONE UEM environment. This role includes access to the Password and Security settings, Session Management, and UEM console audit information, located in the Administration tab under System Configuration. This role is limited to environment managers, for example, SaaS Operations teams for all SaaS environments hosted by VMware.
- AirWatch Administrator – The AirWatch Administrator role allows comprehensive access to the Workspace ONE UEM environment. However, this access excludes the Administration tab under System Configuration, because that tab manages top-level UEM console settings. This role is limited to VMware employees with access to environments for troubleshooting, installation, and configuration purposes.
- Console Administrator – The Console Administrator role is the default admin role for shared SaaS environments. The role features limited functionality surrounding compliance policy attributes, report authoring, and organization group selection.
- Device Manager – The Device Manager role grants users significant access to the UEM console. However, this role is not designed to configure most System Configurations. These configurations include Active Directory (AD)/Lightweight Directory Access Protocol (LDAP), Simple Mail Transfer Protocol (SMTP), Agents, and so on. For these tasks, use a top-tier role like the AirWatch Administrator or System Administrator.
- Report Viewer – The Report Viewer role allows viewing of the data captured through Mobile Device Management (MDM). This role limits its users to generating, viewing, exporting, and subscribing to reports from the UEM console.
- Content Management – The Content Management role only includes access to VMware Content Locker management. Use this role for specialized administrators responsible for uploading and managing device content.
- Application Management – The Application Management role allows admins with this access to deploy and manage the device fleet's internal and public apps. Use this role for an application management administrator.
- Help Desk – The Help Desk role provides the tools necessary for most Level 1 IT Help Desk functions. The primary tool available in this role is the ability to see and respond to device info with remote actions. However, this role also contains report viewing and device searching abilities.
- App Catalog Only Administrator – The App Catalog Only Admin role has much the same permissions as Application Management. Added to these permissions are abilities to add and maintain admin and user accounts, admin and user groups, device details, and tags.
- Read Only – The Read Only role provides access to most of the UEM console, but limits access to read-only status. Use this role to audit or record the settings in a Workspace ONE UEM environment. This role is not useful for system operators or administrators.
- Horizon Administrator – The Horizon Administrator role is a specially designed set of permissions for complementing a Workspace ONE UEM configuration integrated with VMware Horizon View.
- NSX Administrator – The NSX Administrator role is a specially designed set of permissions intended to complement VMware NSX integrated with Workspace ONE UEM. This role offers the full complement of system and certificate management permissions, allowing administrators to bridge endpoint security with data center security.
- Privacy Officer – The Privacy Officer role provides read access to Monitor Overview, Device List View, and View system settings, and full edit permissions for privacy settings.
Edit a Default Admin Role to Create a Custom Admin Role
If the available default roles provide no proper fit for admin resources in your organization,
consider modifying an existing default role into a custom admin role.
Create a custom administrator role by editing a default role included with the UEM console.
1 Ensure that you are currently in the organization group with which you want the new role to
be associated.
2 Navigate to Accounts > Administrators > Roles.
3 Determine which role from the list best fits the role you want to create. Select the check box
for that role.
4 Select Copy from the actions menu. The Copy Role page displays.
5 Edit specific settings of the copy in the resulting Copy Role page. Create a unique Name and
Description for the customized role.
6 Select Save.
What to do next: For more information, see Create Administrator Role.
Admin Roles
You can enable or deactivate permissions for every available setting and resource in Workspace
ONE UEM powered by AirWatch. These settings grant or restrict console abilities for each
member of your admin team, enabling you to craft a hierarchy of administrators specific to your
needs.
Creating multiple admin roles is a time saving measure. Making comprehensive configurations
across different organization groups means that you can change the permissions for a specific
administrator at any time.
Making Admin Role Changes Effective
If you edit a role that is in use by an administrator, it does not apply until the administrator logs
out and then logs back in.
Admin Roles List View
Navigate to Accounts > Administrators > Roles.
You can delete an unused role from your library of administrator roles. You cannot delete an
assigned role. Select an unassigned role and select the Delete button.
You can edit the name, description, and specific permissions of a role. Select the pencil icon to
the left of the role name from the listing and the Edit Role screen displays.
You can also download an XLSX or CSV (comma-separated values) file containing the entire
Administrators Roles List View. You can then view and analyze this file with MS Excel. Select the
Export button and choose a download location. For information about exporting roles and later
importing them, see the section on this page called Export Admin Roles.
Create Administrator Role
1 Navigate to Accounts > Administrators > Roles and select Add Role in the UEM console.
2 In the Create Role page, enter the Name and Description of the role.
3 Select from the list of Categories.
The Categories section organizes top-level categories such as Device Management under
which are located subcategories including Applications, Browser, and Bulk Management
among others. This category subdivision enables an easy and quick role creation process.
Each subcategory setting in the right panel has a Read and Edit check box.
When you select from the Categories section, its subcategorized contents (individual
settings) populate in the right panel. Each individual setting features its own Read and Edit
check box and a "select all" style Read and Edit check box in the column heading. This
arrangement allows for a flexible level of control and customization while creating roles.
Use the Search Resources text box to narrow down the number of resources from which you
can select. Resources are generally labeled the same way as they are referred to in the UEM
console itself. For example, if you want to limit an admin role to editing App Logs, then enter
"App Logs" in the Search Resources box and a listing of all resources that contain the string
"App Logs" displays.
4 Select the appropriate Read and Edit check box in the corresponding resource options. You
can also choose to clear any of the selected resources.
5 To make blanket category selections, select None, Read, or Edit directly from the Categories
section without ever populating the right panel. Select the circular icon to the right of the
Category label, which is a drop-down menu. Use this selection method when you are certain
you want to select none, read-only, or edit capabilities for the entire category setting.
6 Select Save to finish creating the Custom Role. You can now view the added role in the list on
the Roles page. From here, you can also edit the role details or delete the role.
What to do next: You must update the custom role after each Workspace ONE UEM version
update to account for the new permissions in the latest release.
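The following is an added example, not VMware code, that models the Read/Edit-per-resource structure of an admin role described above and exercises two tasks from this chapter: the blanket None/Read/Edit category selection, and copying a role so that one resource (the Intelligence setting under Monitor) becomes read-only, then comparing the copy against the original as the Admin Role Compare tool does. The category and resource names in the sample role are constructed for illustration.

```python
"""Least-privilege checks on UEM-style admin roles (added example)."""
from copy import deepcopy

# A role is {"name": str, "categories": {category: {resource: {"read": bool, "edit": bool}}}}.
BLANKET = {"None": (False, False), "Read": (True, False), "Edit": (True, True)}


def make_role(name, categories):
    """Build a role from a nested permission map (deep-copied so roles are independent)."""
    return {"name": name, "categories": deepcopy(categories)}


def set_category(role, category, level):
    """Blanket selection for a whole category: 'None', 'Read' or 'Edit'."""
    read, edit = BLANKET[level]
    for perms in role["categories"][category].values():
        perms["read"], perms["edit"] = read, edit


def copy_role_read_only(role, new_name, category, resource=None):
    """Copy a role and clear Edit (keeping Read) on one resource, or on every
    resource in the category when resource is None. The original is untouched."""
    new = make_role(new_name, role["categories"])
    targets = new["categories"][category]
    names = [resource] if resource is not None else list(targets)
    for res in names:
        targets[res]["edit"] = False
    return new


def compare_roles(a, b):
    """Return {'Category/Resource': (flags_in_a, flags_in_b)} for every
    resource whose Read/Edit flags differ; missing resources count as no access."""
    absent = {"read": False, "edit": False}
    diffs = {}
    for cat in sorted(set(a["categories"]) | set(b["categories"])):
        ra = a["categories"].get(cat, {})
        rb = b["categories"].get(cat, {})
        for res in sorted(set(ra) | set(rb)):
            pa, pb = ra.get(res, absent), rb.get(res, absent)
            if pa != pb:
                diffs[f"{cat}/{res}"] = (pa, pb)
    return diffs


def edit_resources(role):
    """Resources the role may change; the list to review for least privilege."""
    return sorted(
        f"{cat}/{res}"
        for cat, resources in role["categories"].items()
        for res, perms in resources.items()
        if perms["edit"]
    )


# Constructed sample role with help-desk-like permissions (illustrative names).
HELP_DESK = make_role("Help Desk", {
    "Device Management": {
        "Device List View": {"read": True, "edit": False},
        "Remote Actions": {"read": True, "edit": True},
    },
    "Monitor": {
        "Overview": {"read": True, "edit": False},
        "Intelligence": {"read": True, "edit": True},
    },
    "Accounts": {"Admin Roles": {"read": False, "edit": False}},
})


if __name__ == "__main__":
    restricted = copy_role_read_only(HELP_DESK, "Help Desk (Intelligence RO)",
                                     "Monitor", "Intelligence")
    print(compare_roles(HELP_DESK, restricted))
    print(edit_resources(restricted))
```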
Export Admin Roles
Administrator roles are a portable resource. This portability can save time if you manage more
than one Workspace ONE UEM environment. You can export settings from one environment
as an XML file, then import that XML file into another environment. Such activity can cause
versioning issues.
1 Navigate to Accounts > Administrators > Roles.
2 Export a role by selecting the check box next to the administrator role. If you select more
than one admin role, the Export action is not available.
3 Select the Export button and save the XML file to a location on your device.
Import Admin Roles
1 Navigate to Accounts > Administrators > Roles and select Import Role.
2 In the Import Role page, select Browse and locate the previously saved XML file. Upload the
admin role to the Category listing for validation by selecting Upload.
3 Workspace ONE UEM performs a series of validation checks including an XML file check,
importing role permission check, duplicate role name check, and blank name and description
check.
4 Check the resource settings and verify their imported role specifications by selecting specific
Categories in the left pane.
5 You can also edit the resources and the Name and Description of the imported role based on
your needs. If you want to keep both the existing role and the imported role, then rename the
existing admin role before importing the new role.
a If the role you are importing is named the same as an existing role in your environment,
then a message displays: "A role with this name exists in this environment. Would you
like to override the existing role?"
b If you select No, then the existing role in your environment remains untouched and the
role import is canceled.
c If you select Yes, then you are prompted for the security PIN, which if entered correctly,
replaces the existing role with the imported role.
6 Select Save to apply the imported role to the new environment.
Versioning Issues When Importing and Exporting Admin
Roles
There can be cases where an exported role is imported into an environment running an earlier
version of Workspace ONE UEM. This earlier version might not have the same resources and
permissions that comprise the imported role.
In these cases, Workspace ONE UEM notifies you with the following message.
There are some permissions in this environment that are not found in your imported file. Review
and correct the highlighted permissions before saving.
Use the category listing page to deselect the highlighted permissions. This action allows you to
save the role to the new environment.
Copy Role
You can save time by making a copy of an existing role. You can also change the permissions of
the copy and save it under a different name.
1 Select the check box next to the role you want to copy.
2 Select the Copy button. The Copy Role page displays.
3 Make your changes to the Categories, Name, and Description.
4 When finished, select Save.
Rename an Admin Role
If you are importing an admin role named the same as an existing admin role, you might find it
useful to rename the existing role first. Renaming a role enables you to keep both the old and the
new role in the same environment.
1 Navigate to Accounts > Administrators > Roles and select the Edit icon of the role you
want to rename. The Edit Role page displays.
2 Edit the Name of the role and optionally, the Description.
3 Select Save.
Read/Edit Indicator in Categories for Admin Roles
There is a visual indicator in the Categories section that reflects the current selection of read-
only, edit, or a combination of each. This indicator reports what the setting is without requiring
you to open and examine the individual subcategory settings.
The indicator features a circular icon located to the right side of the Category listing that reports
the following.
All options in this category have the edit capability (which by definition means that they also have
read-only capability).
Most category settings have the edit capability enabled, but edits are deactivated for at least one
subcategory.
All category settings have read-only enabled (edit deactivated).
Most category settings are read-only, but edits are enabled for at least one subcategory.
Assign a Role or Edit the Role Loadout of an Admin
You can assign roles which expands the capabilities of an Admin in the Workspace ONE UEM
console. You can also edit the existing role loadout, potentially limiting or expanding an admin's
capabilities.
If you edit a role loadout that is in use by an administrator, it does not take effect until the
administrator logs out and then logs back in.
1 Navigate to Accounts > Administrators > List View, locate the admin account whose role
loadout you want to change, and select the Edit icon to the left of the admin account
username. The Add/Edit Admin page displays.
2 Select the Roles tab and then choose from among the following, a, b, or a combination of
both:
a If you want to add a new role to the admin account, select the Add Role button, then
enter the Organization Group and Role details for each role that you add.
b If you want to delete an existing role from the admin account, select the role and click the
Delete button.
3 Select Save.
View the Resources of an Admin Role
You can view all the resources, or permissions, of any administrator role, including custom and
default roles. This view can help you determine what an admin can, and cannot, do in the UEM
console.
Roles are composed of hundreds of resources, also called permissions, which allow access (read
only or edit) to a specific function within the UEM console.
The View Role and Edit Role screens are the same except that the Edit Role screen allows you
to make and save changes with the Save button.
To view or edit the resources of an admin role, take the following steps.
1 Navigate to Accounts > Administrators > Roles.
2 Locate the admin role for which you want to see permissions. If you have a large library of
admin roles, use the Search List bar in the upper-right corner to narrow the listing.
3 Select from among the following choices, a or b:
a To view the role, select the name of the role, which is a link, and the View Role screen
displays containing all the permissions associated with the role. When finished auditing
administrator roles, select Close.
b To edit the role, select the Edit icon to the left of the role name, and the Edit Role
screen displays. Edit the role by adding or removing Read and Edit check marks. When
finished editing the role, select Save.
Some facts about the listing, whether you select View or Edit.
- Role Categories display in the left panel. Select the '>' indicator to expand the category and
view role subcategories.
- For more information about the orange-colored read/edit visual indicators seen on this
screen, see the section on this page entitled Read/Edit Indicator in Categories for Admin
Roles.
- Select a specific category in the left panel and the category, name, and description of each
resource displays on the right panel.
- The Details link to the far right reveals each specific read-only and edit function within the
UEM console.
- You can use the Search Resources text box to locate a specific function by name. This search
feature makes it easy to locate a specific tag-related function and assign it to a role.
- For example, if you want to make an admin role that can only add a tag to a device, enter
the word "tag" in the Search Resources text box and press the enter key. Every resource
that contains the string "tag" in the Category, Name, Description, or Description
Details appears in the right panel.
Note Keep in mind that "Staging", as in Staging Devices, also includes the "tag" string.
What to do next: You can apply these steps to making your own roles by visiting the section on
this page entitled Create Administrator Role.
Compare Two Roles
When creating an administrator role, it is often easier to modify an existing role than it is to
create one from scratch. The Compare Roles tool lets you compare the permissions settings
of any two administrator roles for the sake of accuracy or to confirm your deliberate settings
differences.
1 Navigate to Accounts > Administrators > Roles.
2 Locate any two listed roles, including roles that appear on different pages, and select those
roles.
3 Select Compare. The Compare Roles page displays featuring a list of categories. Selecting a
specific category on the left populates all the details of that category on the right.
- If you have fewer than two or more than two roles selected, the Compare button does
not display.
- Select the Details link to the far-right side to view role subcategories. Collapse the role
subcategory by selecting the Hide link.
- There is an All category in the left panel that, when selected, displays all the parent
categories on the Compare Roles page. When you enter a search parameter in the
Search Resources bar, the right panel only displays matching category and resources
(also known as permissions) listings.
- The search function is persistent. This persistence means that if you have a parameter
in the Search Resources bar, selecting the All category displays only the matching
categories and resources. The search function is persistent even after you select specific
resources and make Read and Edit selections.
- By default, only categories and subcategories whose settings are different display. You
can display all the permissions, including those settings that are identical across the two
selected roles, by enabling the Show All Permissions check box.
- If you select two roles that have identical permissions across the board, the console
displays this message at the top of the Compare Roles page:
"There are no differences in permissions between the two roles."
What to do next: You can optionally select Export to create an Excel-viewable XLSX or CSV file
(comma-separated values). The export file contains all settings for Role 1 and Role 2, enabling
you to analyze the differences between them.
User Roles
User roles in Workspace ONE UEM powered by AirWatch allow you to enable or deactivate
specific actions that users can perform. These actions include controlling access to a device wipe,
device query, and managing personal content. User Roles can also customize initial landing pages
and restrict access to the Self-Service portal.
Creating multiple user roles is a time saving measure. You can make comprehensive
configurations across different organization groups or change the user role for a specific user
at any time.
Create a New User Role
In addition to the preset Basic Access and Full Access roles, you can create customized
roles. Having multiple user roles available fosters flexibility and can potentially save time when
assigning roles to new users.
1 Navigate to Accounts > Users > Roles and select Add Role. The Add/Edit Role page
displays.
2 Enter a Name and Description, and select the Initial Landing Page of the SSP for users with
this new role.
For existing user roles, the default Initial Landing Page is the My Devices page.
3 Select from a list of options the level of access and control end users of this assigned role
have in the SSP.
- Click Select None to clear all check boxes on the page.
- Select all the check boxes on the page by selecting Select All.
4 Save the changes to the role. The added user role now appears in the list on the Roles page.
What to do next: From the Roles page, you can view, edit, or delete roles.
Configure a Default Role
A default role is the baseline role on which all user roles are based. Configuring a default role
enables you to set the permissions and privileges users automatically receive upon enrollment.
1 Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and select
the Grouping tab.
2 Configure a default level of access for end users in the Self-Service Portal (SSP) by selecting a
Default Role.
These role settings are customizable by organization group. Choose from the following.
- Full Access - Grants users access to higher SSP functions such as installing and removing
profiles and apps, resetting passcodes, sending device messages, and write access to content.
- Basic Access - Grants users low-impact access. They can register their own device,
view (but not install) profiles and apps, view their own account, and query and find
their own device.
- External Access - Users with External Access have all the abilities of basic access users,
but they also have read-only access to content on the SSP that is explicitly shared with
them.
3 Select Save.
Assign or Edit the Role of an Existing User
You can edit the role for a specific user, for example, to grant or restrict access to Workspace
ONE UEM functions.
If you edit a role that is in use by a user, the edit does not take effect until the user logs out and
then logs back in.
1 Select the appropriate organization group.
2 Navigate to Accounts > Users > List View.
3 Search for the specific user that you want to edit from the list. Once you have identified the
user, select the Edit icon under the check box. The Add/Edit User screen displays.
4 In the General tab, scroll to the Enrollment section and select a User Role from this drop-
down menu to change the role for this specific user.
5 Select Save.
Read the following topics next:
- How Do You Create a Restrictive Help Desk Admin and Add a Role Giving It Specific
Functions
How Do You Create a Restrictive Help Desk Admin and Add
a Role Giving It Specific Functions
You can make a custom role that allows a help desk admin to do only the things in Workspace
ONE UEM powered by AirWatch that you allow them to do. Learn how accounts, roles, and
programmable permissions all work together to get you where you need to go.
Use Case: You need dedicated help desk resources to shoulder the task of adding users and
devices without impacting your other administrators. These admins must also allowlist and
denylist devices. At the same time, limiting the points of access to higher console abilities is
crucial. You want to add a handful of admin accounts and give these accounts the ability to add
users and devices, allowlist and denylist devices, and nothing else.
The role being made in this use case is outfitted with just a handful of console functions: adding
users and devices, and allowlisting and denylisting devices. This role prohibits all other functions
in Workspace ONE UEM.
Prerequisites
You must have an existing administrator account. This use case makes a custom role based on
the "help desk" role, included with Workspace ONE UEM powered by AirWatch, and assigns it to
your admin account.
Procedure
1 Navigate to Accounts > Administrators > Roles.
The full listing of Administrator Roles displays.
2 Enter the keyword 'help' in the search text box in the upper-right corner of the screen.
All roles containing the text string 'help' display in the listing.
3 Select the Help Desk role by selecting the check box to the left of the role name.
A new button cluster appears under the main button cluster.
4 Select the Copy button.
The Copy Role screen displays.
5 Enter the Name and Description for your custom help desk role.
6 Select the orange pie chart to the right of the All category on the left side of the Copy Role
screen. Select None from the Choose Edit Mode popup that displays.
This action removes all permissions from this custom help desk role, giving you a clean slate.
So the only permissions these admins have are the ones you give them here.
7 Enable the following eight permissions. You can find the location of each permission check
box by following the category, subcategory, and permission name from the table.
Remember also that you can type the permission name in the Search Resources text box and
jump directly to its location.
Category > Subcategories: Permission Name (check box)
Accounts > Users > Accounts: User Accounts Add (Edit)
Accounts > Users > Accounts: User Accounts Edit (Edit)
Accounts > Users > Accounts: User Registration Edit (Edit)
Accounts > Users > Accounts: User Registration (Read)
Device Management > Devices List View: Device List View Access (Read)
Device Management > Devices List View: Devices (Read)
Settings > Devices & Users > General: Add Denylisted Device (Edit)
Settings > Devices & Users > General: Add Allowlisted Device (Edit)
Starting at the top of the table, here is a walk through of the first four permissions as an
example. The first permission name we need (called User Accounts Add) can be found in the
Copy Role screen by selecting the "Account" category from the left panel.
In the same left panel, select the "Users" subcategory and lastly, select "Accounts" which is
under Users. You can now see all the permissions in the right panel of the Copy Role screen.
In this "Accounts > Users > Accounts" subcategory, there are four check boxes we are
interested in.
1 & 2) Select the Details link in "Add/Edit" to reveal two permissions from the list. Enable
those check boxes as indicated in the table. "User Accounts Add" gets the Edit check box
and "User Accounts Edit" also gets the Edit check box.
3) Next, select the Details link for "Add Device" above. You should see the next permission in
our list: "User Registration Edit," which also gets the Edit check box.
4) One permission from this subcategory remains, called "User Registration" and it is found by
selecting the Details link for "View". It gets the Read check box.
Follow the same process for the remaining four permissions in the table, starting with "Device
List View Access".
8 Select Save to finalize the custom help desk role definition.
9 Assign this custom role to your existing administrator account by navigating to Accounts >
Administrators > List View and locate your administrator account from the listing.
10 Select the Edit icon to the left of your admin account.
The Add/Edit Admin screen displays.
11 Select the Roles tab.
12 Assign the custom help desk role to the administrator account.
This use case dictates that only nine UEM Console functions are assigned to your
administrator role. Despite this, you can add this custom help desk role and other roles to
your admin account, even if your admin account already has one or more roles assigned to it.
13 Select Save to finalize the role assignment.
Results
When administrators with only this custom help desk role log into your Workspace ONE UEM
environment, the only functions they have access to are the Add button, from which they can
only select from two choices, Device and User, and the Devices main menu button, which
includes List View and Lifecycle > Enrollment Status, where you add allowlisted and
denylisted devices.
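The three role-review tasks described on this page (the circular Read/Edit indicator per category, the Compare Roles view that lists only differing permissions unless Show All Permissions is set, and checking that the custom help desk role grants the eight listed permissions and nothing more) can be reproduced offline against a role you have written down from the console. This is an added example, not Workspace ONE UEM's own code, and it does not parse the console's XML or CSV exports: roles are constructed dictionaries keyed by a "Category > Subcategory > Permission" path, and the "majority" rule used for the mostly-edit and mostly-read indicator states is my assumption.

```python
"""Offline review of Workspace ONE UEM admin-role permission sets.

Added example (not VMware's code). A role is a dict mapping a constructed
"Category > Subcategory > Permission" path to "Read" or "Edit"; a permission
that is absent from the dict is not granted ("None"). Edit implies Read, as the
page states for the category indicator.
"""
from __future__ import annotations

LEVELS = {"None": 0, "Read": 1, "Edit": 2}

# The eight permissions from the help desk use case table on this page.
HELP_DESK_BASELINE: dict[str, str] = {
    "Accounts > Users > Accounts > User Accounts Add": "Edit",
    "Accounts > Users > Accounts > User Accounts Edit": "Edit",
    "Accounts > Users > Accounts > User Registration Edit": "Edit",
    "Accounts > Users > Accounts > User Registration": "Read",
    "Device Management > Devices List View > Device List View Access": "Read",
    "Device Management > Devices List View > Devices": "Read",
    "Settings > Devices & Users > General > Add Denylisted Device": "Edit",
    "Settings > Devices & Users > General > Add Allowlisted Device": "Edit",
}


def _category_of(permission: str) -> str:
    """Top-level category is the first segment of the path."""
    return permission.split(" > ")[0]


def category_indicator(role: dict[str, str], category: str) -> str:
    """Reproduce the circular Read/Edit indicator for one top-level category.

    Returns "all-edit", "mostly-edit", "all-read", "mostly-read" or "none".
    "Mostly" is taken as more than half of the granted settings (assumption);
    a tie is reported as "mostly-read", the more conservative reading.
    """
    granted = [LEVELS[lvl] for path, lvl in role.items()
               if _category_of(path) == category and LEVELS[lvl] > 0]
    if not granted:
        return "none"
    edits = sum(1 for lvl in granted if lvl == LEVELS["Edit"])
    if edits == len(granted):
        return "all-edit"
    if edits == 0:
        return "all-read"
    return "mostly-edit" if edits * 2 > len(granted) else "mostly-read"


def compare_roles(role_1: dict[str, str], role_2: dict[str, str],
                  show_all: bool = False) -> dict[str, tuple[str, str]]:
    """Mirror the Compare Roles page: list permissions whose settings differ,
    or every permission when show_all is set. Returns {path: (role1, role2)}."""
    result: dict[str, tuple[str, str]] = {}
    for path in sorted(set(role_1) | set(role_2)):
        a, b = role_1.get(path, "None"), role_2.get(path, "None")
        if show_all or a != b:
            result[path] = (a, b)
    return result


def least_privilege_check(role: dict[str, str],
                          baseline: dict[str, str]) -> dict[str, dict[str, str]]:
    """Flag where a role drifts from an expected permission set.

    "excess": grants the baseline does not allow (a permission not in the
    baseline, or Edit where only Read is expected). "missing": expected
    grants the role lacks or holds at a lower level.
    """
    excess = {p: lvl for p, lvl in role.items()
              if LEVELS[lvl] > LEVELS[baseline.get(p, "None")]}
    missing = {p: lvl for p, lvl in baseline.items()
               if LEVELS[role.get(p, "None")] < LEVELS[lvl]}
    return {"excess": excess, "missing": missing}


if __name__ == "__main__":
    # Constructed "drifted" copy of the help desk role: an admin raised User
    # Registration to Edit and added a Device Wipe permission (constructed
    # path, not taken from the page), and Add Allowlisted Device was dropped.
    drifted = dict(HELP_DESK_BASELINE)
    drifted["Accounts > Users > Accounts > User Registration"] = "Edit"
    drifted["Device Management > Devices > Device Wipe"] = "Edit"
    del drifted["Settings > Devices & Users > General > Add Allowlisted Device"]

    for cat in ("Accounts", "Device Management", "Settings"):
        print(f"{cat}: {category_indicator(HELP_DESK_BASELINE, cat)}")
    for path, (a, b) in compare_roles(HELP_DESK_BASELINE, drifted).items():
        print(f"DIFF {path}: baseline={a} drifted={b}")
    report = least_privilege_check(drifted, HELP_DESK_BASELINE)
    print("excess:", sorted(report["excess"]))
    print("missing:", sorted(report["missing"]))
```

Any entry under "excess" is a permission to remove before the role is assigned, exactly the review the Compare Roles page supports when you compare the copy against the role it was copied from.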
14 Self-Service Portal Into Workspace ONE UEM
Introduce device end users to the Self-Service Portal (SSP) and empower them to perform basic
device management tasks, investigate issues, and fix problems, thus reducing the number of
support issues. So while administrators have access to Workspace ONE UEM, device end users
have the SSP.
Configure the Default Login Page for the SSP
You can set the default authentication method displayed on the Self-Service Portal of Workspace
ONE UEM depending on the needs of your organization and the needs of your users.
Note This setting is only accessible at the Global level for on-premises customers.
Configure this setting by navigating to Groups & Settings > All Settings > Installation >
Advanced > Other and set the SSP Authentication Type to:
- Email – Prompts users for their email address if you have set up auto discovery.
- Legacy – Prompts users for their Group ID and credentials (username/password).
- Dedicated – Prompts users for only their credentials (username/password). This option
defaults a single Group ID for single-customer environments.
Log Into the SSP
Log in using the same credentials (Group ID, username, and password) used to enroll in
Workspace ONE UEM.
Select a Language for the SSP
The Self-Service Portal automatically matches the browser default language. However, you can
override this default setting by choosing from the Select Language drop-down on the login
screen.
Change Your Password for the SSP
Change your password by selecting the Account button located at the top right of the Self
Service Portal screen. Select the Change button next to the Current Password field on the User
Account page.
Note If a device end user logs into the SSP to change a shared device passcode before it
expires, this new passcode adopts the expiration time from the OG associated with the shared
device, not the OG the end user is managed from.
For example, assume you have an OG structure with 'Parent' at the top and 'Child' underneath.
Assume that the end user account is managed from 'Parent' with a passcode expiration of 90
days. Assume also that the shared device is managed by 'Child' with a passcode expiration of 30
days. In this scenario, when the end user logs into the Self Service Portal and changes the shared
device passcode before it expires, the new passcode expiration goes from 90 days (Parent) to
30 days (Child).
The workaround is to ensure that you configure the shared device passcode on the OG the users
are managed from.
As the admin, if you change the end user's shared device passcode in the Add/Edit User screen
from the Workspace ONE UEM console, it correctly adopts the expiration time of the OG the end
user is managed from.
Access the Self Service Portal on Devices
You can access the Self-Service Portal (SSP) from your workstations or devices by navigating
to https://<AirWatchEnvironment>/MyDevice. If you have a device that supports Web Clips
or Bookmarks, your administrator can supply these shortcuts enabling you to access the SSP
directly.
Self Service Portal (SSP) Customizations
You can alter the default login page background by configuring Branding settings.
Navigate to Groups & Settings > All Settings > System > Branding and select the Upload button
in the Self-Service Portal Login Page Background setting. Select a custom background image
with a suggested size of 1024x768 pixels.
Self-Service Portal Actions Matrix
Each of the major device platforms supports various basic and advanced SSP actions in
Workspace ONE UEM.
Platforms: Android, iOS, macOS, Win Mobile, Win 7, Win Desktop
Basic Actions:
- Change Passcode
- Clear (SSO) Passcode
- Delete Device
- Delete Registration
- Device Query
- Device Wipe
- Download Hub
- Enterprise Wipe
- Locate Device
- Lock Device/Screen
- Lock SSO
- Make Noise
- Resend Enrollment Message
- Send Message
- Set Roaming
- Sync Device
- View Enrollment Message*
Advanced Actions:
- Generate App Token
- Manage Email
- Review Terms of Use
- Revoke Token
- Upload S/MIME Certificate
* As a security feature, this action is not available for accounts that enrolled with a token.
Remote Actions in the SSP
End users can perform remote actions over-the-air to the selected device from within the Self
Service Portal. Your administrator determines the action permissions and available actions in the
SSP, which vary based on device platform. Allowed actions are split between Basic Actions and
Advanced Actions on the main access page.
Administrators have several remote actions and options for managed devices available to them.
However, when devices are employee-owned, those employees might want to access similar
management tools for their own use. The Self Service Portal (SSP) provides a means for
employees to use some key MDM tools without any IT involvement. If you enable it, end users
can run the SSP in a web browser and access key MDM support tools. You can also enable or
deactivate the displays of information and the ability to perform remote actions from the SSP.
The administrator determines action permissions, therefore device users might have limited
actions available. See the applicable platform guide, available on docs.vmware.com. You can also
search the online help for platform-specific options.
Basic Remote Actions
Basic remote actions appear on the Basic Actions subtab of the selected device in the self-
service portal. The actions available depend upon enrollment status, device platform, and action
permissions.
Action: Description
Change Passcode: Set a new passcode for the selected device.
If a device end user logs into the SSP to change a shared device passcode before it expires,
this new passcode adopts the expiration time from the OG associated with the shared device,
not the OG the end user is managed from.
For example, assume you have an OG structure with 'Parent' at the top and 'Child' underneath.
Assume that the end user account is managed from 'Parent' with a passcode expiration of 90
days. Assume also that the shared device is managed by 'Child' with a passcode expiration
of 30 days. In this scenario, when the end user logs into the Self Service Portal and changes
the shared device passcode before it expires, the new passcode expiration goes from 90 days
(Parent) to 30 days (Child).
The workaround is to ensure that you configure the shared device passcode on the OG the
users are managed from.
As the admin, if you change the end user's shared device passcode in the Add/Edit User
screen from the Workspace ONE UEM console, it correctly adopts the expiration time of the
OG the end user is managed from.
Clear Passcode: Clear the passcode on the selected device and prompt for a new passcode. This action is
useful if users forget their device passcode and become locked out of their device.
Delete Device: Remove the device from the Self Service Portal.
Delete Registration: Delete any pending enrollment record from the Self Service Portal.
Device Query: Request the device to send a comprehensive set of MDM information to the Workspace ONE
UEM Server.
Device Wipe: Wipe all data from the selected device, including email, profiles, and MDM capabilities,
and return the device to factory default settings.
Download Hub: Download and install the Workspace ONE Intelligent Hub to the device from which you are
viewing the SSP.
Enterprise Wipe: Wipe all corporate data from the selected device and remove the device from Workspace
ONE UEM. All the enterprise data contained on the device is removed, including MDM
profiles, policies, and internal applications. The device returns to the state it was in before
the installation of Workspace ONE UEM.
Locate Device: Activate the GPS feature to locate a lost or stolen device. This action is hidden when privacy
settings are restrictive.
Lock Device/Screen: Lock the selected device so that an unauthorized user cannot access it, which is useful if the
device is lost or stolen. End users can also use the GPS feature to locate the device.
Lock SSO: Lock the single sign-on passcode for apps on this device. The next SSO app opened prompts
for a passcode.
Make Noise: Find a device by remotely causing it to ring.
Resend Enrollment Message: Send another copy of the initial enrollment email, SMS, or QR code to the device intended to
register.
As a security feature, the email address that appears in the resend enrollment message form is
read-only for accounts that enrolled with a token.
Send Message: Send a message using email, phone notification, or SMS to the device.
Set Roaming: Set whether roaming is enabled for this device.
Sync Device: Outfit devices with the latest company policies, content, and apps.
View Enrollment Message: See the actual email, SMS, or QR code that comprised the initial enrollment message.
As a security feature, this action is not available for accounts that enrolled with a token.
Note Registration and Enrollment actions only display in the SSP when the enrollment of a
selected device is pending.
Advanced Remote Actions
Advanced remote actions appear on the Advanced Actions subtab of the selected device in the
self-service portal. The actions available depend upon enrollment status, device platform, and
action permissions.
Action: Description
Generate App Token: Generate a token that the device can use to access secure applications.
Manage Email: Manage devices connected to an email account.
Review Terms of Use: Review past terms of use for this account.
Revoke Token: Revoke the token for a selected application.
Upload S/MIME Certificate: Upload an S/MIME Certificate for a corporate email account.
Select a Device in the SSP
After logging in to the SSP, the My Devices page displays all the devices associated with the
account. Each enrolled device appears in its own tab across the top of the Self Service Portal
page. Select the tab representing the device you want to view and manage.
The device status displays under the name of the device on the tab. Those statuses include
Discovered, Enrolled, Pending Enrollment, Unenrolled, and Enterprise Wipe Pending.
Add a Device in the SSP
You can add a device directly from the self-service portal.
1 Select Add Device on the My Devices page.
2 Complete the required text boxes: Friendly Name, Platform, Device Ownership, and
Message Type as applicable.
3 Select Save to add the new device to the SSP account.
Note The status of a newly added device sets to "Pending Enrollment" until enrollment
concludes.
Device Information in the SSP
When a user logs in to the SSP, their primary device appears in the main viewer. The main view
page displays basic information such as Enrollment Date, the Last Seen date, and the device
Status.
The Go to Details button displays tabs containing information about the selected device under
the selected user account.
- Summary – Displays summarized information for Compliance, Profiles, Apps, Content,
Friendly Name, Asset Number, UDID number, and Wi-Fi MAC Address.
- A device friendly name can be edited directly from the Summary tab view by selecting
the edit icon to the right of the Friendly Name text box.
Note The Device Summary User role resource controls the visibility of the Summary tab
in the SSP. If specific pieces of information are restricted from a user role's view by way
of a deactivated resource such as Device Apps, Device Compliance, or Device Profiles,
then corresponding information normally appearing on the Summary tab is also hidden. For
detailed instructions on limiting resources for user and admin roles, see Create a New User
Role and Create Administrator Role.
- Compliance – Shows the compliance status of the device, including the name and level of all
compliance policies that apply to the device.
- Profiles – Shows all the MDM profiles (including automatic profiles) sent to the devices
enrolled under your user account. This tab also shows the status of each profile.
- Apps – Displays all applications installed on the selected device and provides basic app
information.
- Security – Shows general security information about a particular device enrolled under your
user account.
Token-Based Security Measures
As a security feature, the following changes apply to accounts that enroll with a token.
- Email Address and Phone Number on both the Add Device screen and Account screen are
read-only.
- The View Enrollment Message action is unavailable.
Product Improvement Program Setting
The Self Service Portal includes the VMware Product Improvement Program, allowing you to
impact the quality and effectiveness of our products. When enabled, this program collects only
usability data, which is essential to ensuring our customers' real-world needs are being met.
You can opt in or opt out of the Product Improvement Program at any time by navigating to
Groups & Settings > All Settings > Admin > Product Improvement Programs.
To learn more about this program, see https://resources.workspaceone.com/view/9yfkbk6r2pzldhjlhrz9.
15 Terms of Use
You can enforce terms of use (TOU) on all managed devices within Workspace ONE UEM
powered by AirWatch.
Ensure that all users with managed devices agree to the policy by defining and enforcing terms
of use (TOU). If necessary, users must accept the TOU before proceeding with enrollment, installing
apps, or accessing the UEM console. The UEM console allows you to fully customize and assign a
unique TOU to each organization group and child organization group.
The TOU displays during each device enrollment. You have access to the following functions.
n Set version numbers.
n Set platforms to receive the TOU.
n Notify users by email with the TOU updates.
n Create language-specific copies of the TOU.
n Create multiple TOU agreements and assign them to organization groups based on platform
or the type of ownership.
n Meet the liability requirements of specific groups by customizing TOU.
View Terms of Use Acceptance
You can enforce terms of use acceptance by making a compliance policy. You can also see
who has and who has not accepted the agreement. Then, if necessary, you can contact those
individuals directly.
1 Navigate to Groups & Settings > All Settings > System > Terms of Use.
2 Use the Type drop-down menu to filter based on the agreement type, for example,
Enrollment. The Users / Devices column displays devices that have accepted/not accepted/
been assigned the terms of use.
3 Select the appropriate number in the Devices column for the terms of use row to see device
information pertaining to that agreement. Optionally, access the drop-down menu for the row
and select one of the following.
View Devices or Users Display all devices and their acceptance statuses. You can filter by organization group.
View Previous Versions View previous iterations of the agreement.
View Terms of Use View the terms of use agreement.
Track Terms of Use Acceptance With Reports
You can track user acceptance for terms of use.
View details regarding specific organization groups, console acceptances, and device enrollment
acceptances. View the acceptances directly in the Workspace ONE UEM console or export the
report in XLSX or CSV format, both viewable with MS Excel.
1 Navigate to Monitor > Reports and Analytics > Reports > List View.
2 Search for and generate the Terms of Use Acceptance Detail report by selecting the report
title.
3 Select the Organization Groups.
4 Select the Terms of Use Type.
5 Select the Report Format.
6 Select Download to save the report.
VMware Workspace ONE UEM does not provide legally binding sample text. Your company
legal team must review any text examples provided.
Create Enrollment Terms of Use
You can create an agreement about terms of use (TOU) specific to enrollment purposes. You can
also limit the distribution of the TOU by device platform, ownership type, and enrollment type.
You can make TOU agreements specific to an organization group. Ensure that your current active
organization group is correct for the TOU you are creating.
1 Navigate to Devices > Device Settings > Devices & Users > General > Enrollment and select
the Terms of Use tab.
2 Select the Add New Enrollment Terms of Use button and complete the following options.
Setting Description
Name Enter a unique name for the new TOU.
Type This option is pre-populated as Enrollment.
Version This option is automatically tracked and populated accordingly.
Platforms, Device Ownership, and Enrollment Type If you do not want to make a TOU for any specific category of device, then keep the
default selection of Any for these options.
If you prefer to specify a platform, ownership, and enrollment, you can select one or more
of these categories and define the limitations specific to your TOU.
n If you select the Selected Platform option, then select your desired platforms from the list
that appears. Your TOU applies to the device platforms you select, excluding all others.
n If you select the Selected Ownership Types option, then you must choose your desired
ownership types from the list that appears. Your TOU applies to the ownership types you
select, excluding all others.
n If you select the Selected Enrollment Types option, then you must choose your desired
enrollment types from the list that appears. Your TOU applies to the types of enrollment you
select, excluding all others.
Notification Send an email to users whenever the TOU is updated by selecting this check box. The
notification email is sent when you select Save in step 5.
Select Language Optionally, for localization purposes, you can enter a TOU agreement for each language
applicable to your needs by making a choice in the Select Language drop-down.
3 In the text box provided, enter your customized TOU. The editor provides a basic text entry
tool to create a TOU or paste in an existing TOU. To paste text from an external source,
right-click the text box and select Paste as plain text to prevent any HTML or formatting
errors.
4 Select Save.
Results: You can enforce MDM terms of use acceptance by creating a compliance policy for
MDM Terms of Use Acceptance.
Create Application or Console Terms of Use
You can create application-based terms of use (TOU) to notify end users when a specific
application collects data or when it imposes restrictions.
When users run these applications from your enterprise app catalog, they must accept the
agreement to access the application. You can set TOU for app versions, make language-specific
TOU, and remove apps if the TOU is not accepted.
Console TOU displays when an administrator logs in to the Workspace ONE UEM console for the
first time. For the UEM console, you can set TOU version numbers and create language-specific
copies of the TOU. For applications, assign the TOU when adding or editing an application using
the Terms of Use tab.
1 Navigate to Groups & Settings > All Settings > System > Terms of Use.
2 Select Add Terms of Use.
3 Enter a Name for the terms of use and select the Type, which can be Console or Application.
4 Configure settings such as a Version number and a Grace Period, depending on the Type
you selected.
5 Enter your TOU in the text box provided. The editor provides a basic text entry tool to create
a TOU or paste in an existing TOU. If you are pasting text from an external source, right-click
the text box and choose Paste as plain text to prevent any HTML or formatting errors.
6 Select Save.
16 User and Admin Accounts
To enroll devices in Workspace ONE Express and Workspace ONE UEM, you must create and
integrate user accounts. Likewise, you must also create administrator accounts so admins can
easily manage users and devices.
User Account List View
The console allows you to establish a complete user and admin infrastructure. It provides
configuration options for authentication, enterprise integration, and ongoing maintenance.
The List View page, which you can find by navigating to Accounts > Users > List View, provides
useful tools for common user account maintenance and upkeep within Workspace ONE UEM.
Customize List View
You can use the User Accounts List View to create customized lists of users immediately. You
can also customize the screen layout based on criteria that is most important to you. You can
export this customized list for a later analysis and add new users individually or in bulk.
Action Description
Filters View only the desired users by using the following filters.
n Security Type
n Enrollment Organization Group
n Enrollment Status
n User Group
n User Role
n Status
Add button n Add User – Perform a one-off addition of a basic user account. Add an employee or a
newly promoted employee that needs access to MDM capabilities.
n Batch Import – Add multiple users into Workspace ONE by importing a comma-separated
values (CSV) file. Enter a unique name and description to group and organize multiple
users at a time. For more information, see Batch Import Users and Devices.
Layout button Enables you to customize the column layout.
n Summary – View the List View with the default columns and view settings.
n Custom – Select only the columns in the List View you want to see. You can also apply
selected columns to all administrators at or below the current organization group.
Sorting Most columns in the List View (in both Summary and Custom Layout) are sortable including
Devices, User Groups, and Enrollment Organization Group.
Export button You can save an XLSX or CSV (comma-separated values) file of the entire User List View, which
you can then view and analyze with MS Excel. If you have a filter applied to the User List View, the
exported listing reflects the filtered results.
Select the Export button, select the format (XLSX or CSV), then navigate to Monitor > Reports
& Analytics > Exports to view and download the resulting report.
Interact with User Accounts
The list view also features a check box to the left of each user account. View user details by
selecting the hypertext user name in the General Info column.
The Edit icon enables you to make basic changes to the user account. Selecting a single check
box causes three action buttons to appear, Send Message, Add Device, and More Actions.
You can select multiple user accounts using the check box, which, in turn, modifies the available
actions.
Action Description
Send Message. Provide immediate support to a single user or group of users. Send a User Activation (user
template) email to a user notifying them of their enrollment credentials.
Add Device. Add a device for the selected user. Only available for single user selections.
More Actions Display the following options.
Add to User Group. Add selected users to a new or existing user group for simplified user management. For more
information, see User Groups List View and Edit Your User Group Permissions.
Remove from User Group. Remove selected users from the existing user group.
Change Organization Group Manually move the user to a different organization group. Update the available content,
permissions, and restrictions of a user if they change positions, get a promotion, or change
office locations.
Delete If a member of your organization permanently ends employment, you can quickly delete a
user account. Deleting account information is the equivalent of the account never having
existed in the first place. A deleted account cannot be reactivated. If a deleted account owner
returns, a new account must be created for them.
Activate Activate a previously deactivated account if a user returns to an organization or must be
reinstated in the company.
Deactivate Deactivation is a security measure. Deactivate is used when a user is missing in action, their
device is out-of-compliance, or their device is lost or stolen. Workspace ONE UEM retains
all the information about a deactivated account such as name, email address, password,
enrollment organization group, and so forth.
A deactivated account means no one with deactivated account credentials can log in. Once
the security issue is resolved (user is located, device becomes compliant, the device is
recovered) then you can Activate the account.
Read the following topics next:
n User Authentication Types
n Basic User Accounts
n Directory-based User Accounts
n Batch Import Feature
n Admin Accounts
User Authentication Types
Before you enroll devices, each device user must have an authentic user account recognized by
Workspace ONE UEM. The type of user authentication you select depends upon the needs of
your organization.
Authentication Proxy
The authentication proxy delivers directory services integration across the cloud or across
hardened internal networks. In this model, the Workspace ONE UEM server communicates with
a publicly facing Web server or an Exchange ActiveSync Server. This arrangement authenticates
users against the domain controller.
PROS
n Secure method to proxy integration with AD/LDAP across the cloud.
n End users authenticate with existing corporate credentials.
n Lightweight module requires minimal configuration.
CONS
n Requires a public-facing web server or an Exchange ActiveSync server that ties into an AD/
LDAP server.
n Only feasible for specific architecture layouts.
n Less robust solution than VMware Enterprise Systems Connector.
n Cannot be used for Workspace ONE Direct Enrollment.
1 Device connects to Workspace ONE UEM to enroll device. User enters their directory
services user name and password.
n User name and password encrypted during transport.
n Workspace ONE UEM does not store the user's directory services password.
2 Workspace ONE UEM relays the user name and password to a configured Authentication
Proxy endpoint that requires authentication (for example, Basic Authentication).
3 The user's credentials validate against the corporate directory services.
4 If the user credentials are valid, the Workspace ONE UEM server enrolls the device.
Active Directory with LDAP Authentication and VMware Enterprise
Systems Connector
The Active Directory with LDAP authentication and VMware Enterprise Systems Connector
provides the same functionality as traditional AD & LDAP authentication. This model functions
across the cloud for Software as a Service (SaaS) deployments.
PROS
n End users authenticate with existing corporate credentials.
n Requires no firewall changes, as communication initiates from the VMware Enterprise
Systems Connector within your network.
n Credentials are encrypted in transit.
n Offers secure configuration to other infrastructure such as BES, Microsoft ADCS, SCEP, and
SMTP servers.
n Compatible with Workspace ONE Direct Enrollment.
CONS
n Requires VMware Enterprise Systems Connector to be installed behind the firewall or in a
DMZ.
n Requires extra configuration.
SaaS Deployment Model
On-premises Deployment Model
SAML 2.0 Authentication
The Security Assertion Markup Language (SAML) 2.0 Authentication offers single sign-on support
and federated authentication. Workspace ONE UEM never receives any corporate credentials.
If an organization has a SAML Identity Provider server, use SAML 2.0 integration. Ensure that the
Identity Provider returns the objectGUID attribute as part of the SAML response.
PROS
n Offers single sign-on capabilities.
n Authentication with existing corporate credentials.
n Workspace ONE UEM never receives corporate credentials in plain text.
n Compatible with Workspace ONE Direct Enrollment when paired with a SAML Directory User.
n Only Administrators can use multi-domain environments.
CONS
n Requires corporate SAML Identity Provider infrastructure.
n Incompatible with Workspace ONE Direct Enrollment when paired with a SAML Basic User.
n Configuring SAML with Workspace ONE Access as IDP with Local Basic User feature enabled
does not support the authentication of Basic Users.
a Device connects to Workspace ONE UEM for enrollment. The UEM server then redirects
the device to the client-specified identity provider.
b Device securely connects through HTTPS to the client-provided identity provider and the user
enters credentials.
n Credentials encrypted during transport directly between the device and the SAML
endpoint.
c Credentials validate against directory services.
d The identity provider returns a signed SAML response with the authenticated user name.
e The device responds back to the Workspace ONE UEM server and presents the signed
SAML message. The user authenticates.
For more information, see Set Up Directory Services Manually and scroll down to the SAML
section.
n SaaS apps are not available to SAML administrators who authenticate using Workspace ONE
Access.
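The SAML flow above ends with the device presenting a signed response that must carry the authenticated user name and the objectGUID attribute. The following added Python example (not Workspace ONE UEM or identity-provider code) is a structural pre-flight check over a constructed response: it confirms a Success status, a signature element, a NameID and a non-empty objectGUID, and reports what is missing. The issuer URL, user name and GUID value are constructed placeholders, and the check does not verify the XML signature itself.

```python
"""Structural pre-flight check of a SAML 2.0 response (added example).

This is not Workspace ONE UEM or identity-provider code. It checks only
what the text calls for: a Success status, a signature element, the
authenticated user name (NameID) and a non-empty objectGUID attribute.
It does NOT verify the XML signature; a production service provider must
do that with a SAML library before trusting any attribute.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def check_saml_response(xml_text):
    """Return (ok, findings); findings is empty when every check passes."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, [f"not well-formed XML: {exc}"]
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, ["root element is not samlp:Response"]
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        findings.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, findings + ["response carries no saml:Assertion"]
    # The IdP signs the response and/or the assertion; at least one must be present.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        findings.append("neither response nor assertion carries a ds:Signature")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("no NameID (authenticated user name) in the assertion")
    # Collect every attribute; the page requires objectGUID to be among them.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            (v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)
        ]
    if not any(attributes.get("objectGUID", [])):
        findings.append("objectGUID attribute missing or empty")
    return not findings, findings


def make_response(include_guid=True, signed=True):
    """Build a constructed SAML response; issuer, user and GUID are placeholders."""
    guid = (
        '<saml:Attribute Name="objectGUID">'
        "<saml:AttributeValue>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:AttributeValue>"
        "</saml:Attribute>"
        if include_guid else ""
    )
    signature = (
        "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
        if signed else ""
    )
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    {signature}
    <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
    <saml:AttributeStatement>{guid}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for ok, findings in (check_saml_response(make_response()),
                         check_saml_response(make_response(include_guid=False))):
        print("PASS" if ok else "FAIL", findings)
```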
SaaS App Functionality for SAML Admins
SaaS applications, as well as other Workspace ONE Access policies and functions, are
unavailable to you if you are a SAML administrator who authenticates using Workspace ONE
Access. You will see the following error message when you navigate to the SaaS Apps page.
Check that your administrator account exists in both UEM and IDM systems and that the
domain in Workspace ONE UEM exactly matches the same account’s domain in VMware Identity
Manager.
To restore SaaS app accessibility, you must log into Workspace ONE UEM using basic
authentication and you must also enable Workspace ONE Access at your organization group.
Token-based Authentication
Token-based authentication offers the easiest way for a user to enroll their device. With this
enrollment setting, Workspace ONE UEM generates a token, which it places within the enrollment
URL.
For single-token authentication, the user accesses the link from the device to complete an
enrollment and the Workspace ONE UEM server references the token provided to the user.
For added security, set an expiration time (in hours) for each token. Setting an expiration
minimizes the potential for another user to gain access to any information and features available
to that device.
You can also decide to implement two factor authentication to take end-user identity verification
a step further. With this authentication setting, the user must enter their user name and password
upon accessing the enrollment link with the provided token.
PROS
n Minimal work for an end user to enroll and authenticate their device.
n Secure token use by setting expiration.
n User does not need credentials for single-token authentication.
CONS
n Requires either Simple Mail Transfer Protocol (SMTP) or Short Message Service (SMS)
integration to send tokens to device.
1 Administrator authorizes user device registration.
2 Single use token generated and sent to user from Workspace ONE UEM.
3 User receives a token and navigates to enrollment URL. User receives prompts for token and
optionally two-factor authentication.
4 Device enrollment process.
5 Workspace ONE UEM marks token as expired.
Note SaaS deployments include SMTP.
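The five steps above describe a single-use token with an expiry and an optional second factor. The following added Python example, not Workspace ONE UEM code, models that flow: a token is issued inside an enrollment URL, only its hash is kept server-side, and enrollment is refused when the token is unknown, expired or already used, with the two-factor user name and password checked when required. The service class, the enrollment URL and the in-memory user store are assumptions made for illustration.

```python
"""Single-use, expiring enrollment token flow (added example, not UEM code).

The service, the URL shape and the in-memory user store are assumptions
made for illustration; a real deployment would verify credentials against
the configured user source rather than this constructed dictionary.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class TokenRecord:
    user: str
    expires_at: datetime
    used: bool = False


class EnrollmentTokenService:
    """Hypothetical issuer and validator of enrollment tokens."""

    def __init__(self, enrollment_url, users, expiry_hours):
        self._enrollment_url = enrollment_url
        self._users = users            # constructed: user name -> password
        self._expiry = timedelta(hours=expiry_hours)
        self._tokens = {}              # sha256(token) -> TokenRecord

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked token table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    def authorize(self, user, now):
        """Steps 1-2: the administrator authorizes the user; a single-use
        token is generated and returned inside the enrollment URL that is
        then sent by email (SMTP) or SMS."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = TokenRecord(user, now + self._expiry)
        return f"{self._enrollment_url}?{urlencode({'token': token})}"

    def enroll(self, url, now, username=None, password=None, two_factor=False):
        """Steps 3-5: the device opens the URL; the token must be known,
        unexpired and unused. With two-factor authentication the user must
        also supply a matching user name and password. On success the token
        is marked expired so it cannot be reused."""
        query = parse_qs(urlparse(url).query)
        token = query.get("token", [""])[0]
        record = self._tokens.get(self._digest(token))
        if record is None:
            return "rejected: unknown token"
        if record.used:
            return "rejected: token already used"
        if now >= record.expires_at:
            return "rejected: token expired"
        if two_factor:
            expected = self._users.get(record.user, "")
            # Constant-time comparison avoids leaking how much of the password matched.
            if username != record.user or not hmac.compare_digest(
                (password or "").encode(), expected.encode()
            ):
                return "rejected: two-factor credentials invalid"
        record.used = True
        return f"enrolled: {record.user}"


def run_scenario():
    """Walk the flow with constructed data; returns the outcome of each step."""
    now = datetime(2022, 9, 1, 9, 0, tzinfo=timezone.utc)
    svc = EnrollmentTokenService(
        "https://uem.example.test/enroll",          # constructed URL
        {"jdoe": "correct horse battery staple"},   # constructed user store
        expiry_hours=2,
    )
    url = svc.authorize("jdoe", now)
    outcomes = [
        svc.enroll(url, now + timedelta(minutes=30)),                        # first use
        svc.enroll(url, now + timedelta(minutes=31)),                        # replay
        svc.enroll(svc.authorize("jdoe", now), now + timedelta(hours=2)),    # expiry
        svc.enroll("https://uem.example.test/enroll?token=forged", now),     # unknown
    ]
    url = svc.authorize("jdoe", now)
    outcomes.append(svc.enroll(url, now, "jdoe", "wrong", two_factor=True))
    outcomes.append(svc.enroll(url, now, "jdoe", "correct horse battery staple", two_factor=True))
    return outcomes


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```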
Enable Security Types for Enrollment
After Workspace ONE UEM integrates with a selected user security type and before enrollment,
enable each authentication mode you allow.
1 Navigate to Devices > Device Settings > Devices & Users > General > Enrollment in the
Authentication tab.
2 Select the appropriate check boxes for the Authentication Mode setting.
Setting Description
Add Email Domain This button is used for setting up the Auto-Discovery Service to register email domains to
your environment.
Authentication Mode(s) Select the allowed authentication types, which include:
n Basic – Basic user accounts (ones you create manually in the UEM console) can enroll.
n Directory – Directory user accounts (ones that you have imported or allowed using
directory service integration) can enroll. Workspace ONE Direct Enrollment supports
Directory users with or without SAML.
n Authentication Proxy – Allows users to enroll using Authentication Proxy user
accounts. Users authenticate to a web endpoint.
n Enter Authentication Proxy URL, Authentication Proxy URL Backup, and
Authentication Method Type (choose between HTTP Basic and Exchange
ActiveSync).
Source of Authentication for Intelligent Hub Select the system the Intelligent Hub service uses as its source for users and authentication
policies.
n Workspace ONE UEM – Select this setting if you want Hub Services to use Workspace
ONE UEM as the source of users and auth policies.
When you configure the Hub Configuration page for Hub Services, enter the Hub
Services tenant URL.
n Workspace ONE Access – Select this setting if you want Hub Services to use
Workspace ONE Access as the source of users and auth policies.
When you configure the Hub Configuration page for Hub Services, enter the
Workspace ONE Access tenant URL.
Note If you enable Workspace ONE Access as the source of authentication for
Intelligent Hub, and you use a command line to enroll for staging purposes, then this
configuration is bypassed in favor of the credentials supplied in the command line.
For details about Workspace ONE Intelligent Hub, see the VMware Workspace ONE Hub
Services Documentation.
For details about Workspace ONE Access, see the VMware Workspace ONE Access
Documentation.
Devices Enrollment Mode Select the preferred device enrollment mode, which includes:
n Open Enrollment – Essentially allows anyone meeting the other enrollment criteria
(authentication mode, restrictions, and so on) to enroll. Workspace ONE Direct
Enrollment supports open enrollment.
n Registered Devices Only – Only allows users to enroll using devices you or they have
registered. Device registration is the process of adding corporate devices to the UEM
console before they are enrolled. Workspace ONE Direct Enrollment supports allowing
only registered devices to enroll, but only if registration tokens are not required.
Require Registration Token Visible only when Registered Devices Only is selected.
If you restrict enrollment to registered devices only, you also have the option of requiring
a registration token to be used for enrollment. This increases security by confirming that
a particular user is authorized to enroll. You can send an email or SMS message with the
enrollment token attached to users with Workspace ONE UEM accounts.
Require Intelligent Hub Enrollment for iOS Select this check box to require iOS device users to download and install the Workspace
ONE Intelligent Hub before they can enroll. If deactivated, Web Enrollment is available.
Require Intelligent Hub Enrollment for macOS Select this check box to require macOS device users to download and install the
Workspace ONE Intelligent Hub before they can enroll. If deactivated, Web Enrollment
is available.
3 Select Save.
Basic User Authentication
You can use Basic Authentication to identify users in the Workspace ONE UEM architecture but
this method offers no integration to existing corporate user accounts.
PROS
n Compatible with any deployment method.
n Requires no technical integration.
n Requires no enterprise infrastructure.
CONS
n Incompatible with Auto Discovery.
n Credentials only exist in Workspace ONE UEM and do not necessarily match existing
corporate credentials.
n Offers no federated security or single sign-on.
n Workspace ONE UEM stores all user names and passwords.
n Incompatible with Workspace ONE Direct Enrollment.
1 Console user logs in to Workspace ONE UEM SaaS using a local account for authentication
(Basic Authentication).
n Credentials are encrypted during transport.
n (for example, user name: [email protected], password: Abcd).
2 Device user enrolls device using local Workspace ONE UEM account (Basic Authentication)
credentials.
n Credentials are encrypted during transport.
n (for example, user name: jdoe2, password 2557).
Active Directory with LDAP Authentication
Active Directory (AD) with Lightweight Directory Access Protocol (LDAP) authentication is used
to integrate user and admin accounts of Workspace ONE UEM with existing corporate accounts.
PROS
n End users now authenticate with existing corporate credentials.
n Secure method of integrating with LDAP / AD.
n Standard integration practice.
n Compatible with Workspace ONE Direct Enrollment.
CONS
n AD or other LDAP server required.
1 Device connects to Workspace ONE UEM to enroll device. User enters their directory
services user name and password.
n User name and password are encrypted during transport.
n Workspace ONE UEM does not store the user's directory services password.
2 Workspace ONE UEM queries directory services through a secure LDAP protocol over the
Internet using a service account for authentication.
3 The user's credentials validate against the corporate directory service.
4 If the user credentials are valid, the Workspace ONE UEM server enrolls the device.
Basic User Accounts
Create basic user accounts for your end users if you are not integrating a directory service with
Workspace ONE UEM. You can create basic accounts quickly and dispose of them easily, making
them useful for testing purposes.
Pros
n Can be used for any deployment method.
n Requires no technical integration.
n Requires no enterprise infrastructure.
n Can enroll into potentially multiple organization groups.
Cons
n Credentials only exist in Workspace ONE UEM and do not necessarily match existing
corporate credentials.
n Offers no federated security.
n Single sign on not supported.
n Workspace ONE UEM stores all user names and passwords.
n Cannot be used for Workspace ONE Direct Enrollment.
Create Basic User Accounts
You can create basic user accounts for each user to authenticate and log in to the Workspace
ONE UEM system. You can then send basic users a notification with instructions on activating
their account including a password reset link that expires in 24 hours.
This topic details creating user accounts one at a time. To create user accounts in bulk, see Batch
Import Users and Devices.
1 Navigate to Accounts > Users > List View, select Add then Add User. The Add / Edit User
page displays.
2 In the General tab, complete the following settings to add a basic user.
Setting Description
Security Type Select Basic to add a basic user.
Username Enter a username which is used by the device end user to log in.
Password Enter a password that the user can use to log in.
Confirm Password Confirm the password.
Full Name Complete the First Name, Middle Name, and Last Name of the user.
Display Name Represent the user in the UEM console by entering a name.
Email Address Enter or edit the user's email address.
Email user name Enter or edit the user's email user name.
Domain Select the email domain from the drop-down setting.
Phone Number Enter the user's phone number including plus sign, country code, and area code. This
option is required if you intend to use SMS to send notifications.
Enrollment
Enrollment Organization Group Select the organization group into which the user enrolls.
Allow the user to enroll into additional Organization Groups You can allow the user to enroll into more than one organization group.
If you Enable this option but leave Additional Organization Groups blank, then any
child OG created under the Enrollment Organization Group can be used as a point of
enrollment.
Additional Organization Groups This setting only appears when the option to allow the user to enroll into additional OGs is
Enabled.
This setting allows you to add additional organization groups from which your basic user
can enroll.
User Role Select the role for the user you are adding from this drop-down setting.
Notification
Message Type Select the type of message you want to send to the user, Email, SMS, or None. Selecting
SMS requires a valid entry in the Phone Number option.
Message Template The basic user activates their account with this notification. For security reasons, this
notification does not include the user's password. Instead, the notification includes a
password reset link. This password reset link expires in 24 hours automatically.
Select the template for email or SMS messages by selecting one from this drop-down
setting. Optionally, select Message Preview to preview the template and select the
Configure Message Template to create a template.
3 You can optionally select the Advanced tab and complete the following settings.
Setting Description
Advanced Info Section
Email Password Enter the email password of the user you are adding.
Confirm Email Password Confirm the email password of the user you are adding.
User Principal Name Enter the principal name of the basic user. This setting is optional.
Category Select the User Category for the user being added.
Department Enter the user's department for administrative purposes.
Employee ID Enter the user's employee ID for administrative purposes.
Cost Center Enter the user's cost center for administrative purposes.
Certificates Section
Use S/MIME Enable or Deactivate Secure Multipurpose Internet Mail Extensions (S/MIME).
If enabled, you must have an S/MIME-enabled profile and you must upload an S/MIME
certificate by selecting Upload.
Separate Encryption Certificate Enable or deactivate a separate encryption certificate.
If enabled, you must upload an encryption certificate using Upload. Generally, the same
S/MIME certificate is used for signing and encryption, unless a different certificate is
expressly being used.
Old Encryption Certificate Enable or deactivate a legacy version encryption certificate.
If enabled, you must Upload an encryption certificate.
Staging Section
Enable Device Staging Enable or deactivate the staging of devices.
If enabled, you must select between Single User Devices and Multi User Devices. If Single
User Devices, you must select between Standard, where users themselves log in, and
Advanced, where a device is enrolled on behalf of another user.
See Device Staging for more information.
4 Select Save to save only the new user or select Save and Add Device to save the new user
and proceed to the Add Device page.
Directory-based User Accounts
You can enroll users automatically by integrating with an existing directory service. This eliminates
the need to add users manually to Workspace ONE UEM.
Every directory user you want to manage through Workspace ONE UEM must have a
corresponding user account in the UEM console.
You can directly add your existing directory services users to Workspace ONE UEM using one of
the following methods.
n Batch upload a file containing all your directory services users. The act of batch importing
automatically creates a user account.
n Create user accounts one at a time by entering the directory user name and selecting Check
User to auto-populate remaining details.
n Do not import in bulk nor manually create user accounts and instead allow all directory users
to self-enroll at enrollment time.
Pros
n End users authenticate with existing corporate credentials.
n Detects and syncs changes from the directory system into Workspace ONE UEM
automatically. For instance, when you deactivate users in AD, the corresponding user
account in Workspace ONE UEM console is marked inactive.
n Secure method of integrating with your existing directory service.
n Standard integration practice.
n Can be used for Workspace ONE Direct Enrollment.
n SaaS deployments using the AirWatch Cloud Connector require no firewall changes and
offer a secure configuration to other infrastructure, such as Microsoft ADCS, SCEP, and
SMTP servers.
For more information regarding syncing of account statuses, see the section documented on this
page entitled Directory User Status Syncing.
Cons
n Requires an existing directory service infrastructure.
n SaaS deployments require additional configuration due to the AirWatch Cloud Connector
being installed behind the firewall or in a DMZ.
Directory User Status Syncing
When you make users inactive in your directory service, the corresponding Workspace ONE UEM
and Workspace ONE Express accounts are affected in a similar way, but only if these prerequisite
conditions are met.
n Syncing of removed users works with Active Directory only.
n The user name you entered in the Bind User Name option must have Active Directory
administrator privileges.
n Check on this name by navigating to Groups & Settings > All Settings > System >
Enterprise Integration > Directory Services, and in the Server tab, look for the Bind User
Name text box.
n Workspace ONE Express customers can find the Bind User Name text box in the same
Server tab by navigating to Groups & Settings, then select Directory Services from the
Name column.
n You can allow non-administrators in Active Directory access to the deleted objects
container, provided you follow the steps outlined in the following Microsoft Support article:
https://support.microsoft.com/en-in/help/892806/how-to-let-non-administrators-view-the-active-directory-deleted-object.
n Furthermore, the recycle bin must be enabled using the Active Directory Administrative
Center but only if you are deleting users in AD.
a Open the Active Directory Administrative Center.
b Select the domain, then right-click the domain.
c Select Enable Recycle Bin. Once enabled, the recycle bin cannot be deactivated.
Create a Directory-Based User Account
Each user needs an account in the Workspace ONE UEM system; directory users then
authenticate using your existing corporate credentials.
This topic details creating user accounts one at a time. To create user accounts in bulk, see Batch
Import Users and Devices.
1 Navigate to Accounts > Users > List View and select Add and then Add User. The Add / Edit
User page displays.
2 In the General tab, complete the following settings to add a directory user.
Setting – Description
Security Type – Add an Active Directory user by choosing Directory as the Security Type.
Directory Name – This pre-populated setting identifies the Active Directory name.
Domain – Choose the domain name from the drop-down menu.
User name – Enter the user's directory user name and select Check User. If the system finds a match, the user's information is automatically populated. The remaining settings in this section are only available after you have successfully located an Active Directory user with the Check User button.
Full Name – Use Edit Attributes to allow any option that syncs a blank value from the directory to be edited. Edit Attributes also enables you to populate the matching user's information automatically. If a setting syncs an actual value from the directory, then that setting must be edited in the directory itself. The change takes effect on the next directory sync. Complete any blank option returned from the directory in Full Name and select Edit Attributes to save the addition.
Display Name – Enter the name that displays in the admin console.
Email Address – Enter or edit the user's email address.
Email user name – Enter or edit the user's email user name.
Domain (email) – Select the email domain from the drop-down menu.
Phone Number – Enter the user's phone number including plus sign, country code, and area code. If you intend to use SMS to send notifications, the phone number is required.
Enrollment Section
Enrollment Organization Group – Select the organization group into which the user enrolls.
Allow the user to enroll into additional Organization Groups – Choose whether or not to allow the user to enroll into more than one organization group. If you select Enabled, then complete the Additional Organization Groups.
User Role – Select the role for the user you are adding from this drop-down menu.
Notification Section
Message Type – Choose the type of message you can send to the user: Email, SMS, or None. Selecting SMS requires a valid entry in the Phone Number text box.
Message Template – Choose the template for email or SMS messages from this drop-down setting. Optionally, select the Message Preview to preview the template and select the Configure Message Templates link to create a template.
3 You can optionally select the Advanced tab and complete the following settings.
Setting – Description
Advanced Info Section
Email Password – Enter the email password of the user you are adding.
Confirm Email Password – Confirm the email password of the user you are adding.
Distinguished Name – For directory users recognized by Workspace ONE UEM, this text box is pre-populated with the distinguished name of the user. Distinguished Name is a string representing the user name and all authorization codes associated with an Active Directory user.
Manager Distinguished Name – Enter the distinguished name of the user's manager. This text box is optional.
Category – Choose the user category for the user being added.
Department – Enter the user's department for your company's administrative purposes.
Employee ID – Enter the user's employee ID for your company's administrative purposes.
Cost Center – Enter the user's cost center for your company's administrative purposes.
Custom Attribute 1–5 (for Directory users only) – Enter your previously configured custom attributes, where applicable. You can define these custom attributes by navigating to Groups & Settings > All Settings > Devices & Users > Advanced > Custom Attributes.
Note Custom attributes can be configured only at Customer organization groups.
Certificates Section
Use S/MIME – Enable or deactivate the use of Secure/Multipurpose Internet Mail Extensions (S/MIME). If enabled, you must have an S/MIME-enabled profile and you must upload an S/MIME certificate by selecting Upload.
Separate Encryption Certificate – Enable or deactivate the use of a separate encryption certificate. If enabled, you must upload an encryption certificate using Upload. Generally, the same S/MIME certificate is used for signing and encryption, unless a different certificate is expressly being used.
Old Encryption Certificate – Enable or deactivate a legacy version encryption certificate. If enabled, you must Upload an encryption certificate.
Staging Section
Enable Device Staging – Enable or deactivate the staging of devices. If enabled, you must choose between Single User Devices and Multi User Devices. If Single User Devices, you must select between Standard, where users themselves log in, and Advanced, where a device is enrolled on behalf of another user. See Device Staging for more information.
4 Select Save to save only the new user or select Save and Add Device to save the new user
and proceed to the Add Device page.
Batch Import Feature
You can batch-create users and user groups or batch import them from your directory service
into Workspace ONE UEM.
Making a batch import means taking a supplied template in a comma-separated values format,
then filling it out with your own data and uploading the completed template.
Note The downloadable template files are supplied from the Workspace ONE UEM console,
specific to and located within the type of batch import you want. Select from the links below
to see the specific navigation paths within the Workspace ONE UEM console you must take to
access these downloads.
Changes in External LDAP and AD User Directories
Once your user and user group batch lists are uploaded, changes to your external LDAP/AD user
directories are not updated in Workspace ONE UEM. You must update these changes manually
or upload them as a new batch.
Batch Import Users and Devices
You can batch import multiple users and devices into the console. You can also check on the
status of a batch job by navigating to Accounts > Users > Batch Status.
The Batch Status screen displays a list of all batch import jobs you have requested, including the
job status.
To begin the process of batch importing users or devices, take the following steps.
1 Navigate to Accounts > Users > Batch Status or Devices > Lifecycle > Enrollment Status >
Add and select Batch Import.
2 Enter the basic information including a Batch Name and Batch Description.
3 Select the applicable batch type from the Batch Type drop-down menu.
4 Select and download the template that best matches the kind of batch import you are
making. Choose from among the following.
n Denylisted Devices – Import a list of known, non-compliant devices by IMEI, Serial
Number, or UDID. Denylisted devices are not allowed to enroll. If a denylisted device
attempts to enroll, it is automatically blocked.
n Allowlisted Devices – Import pre-approved devices by IMEI, Serial Number, or UDID. Use
this template to import a list of known, trusted devices. The ownership and group ID
associated to this device is automatically applied during enrollment.
n User and/or Device – Select between a Simple and an Advanced CSV template. The
simple template features only the most often-used options, while the advanced template
features the full, unabridged complement of import options.
Note You can allow users to enroll into additional organization groups (OG) when using
the Advanced CSV template. Populate the Authorized GroupIDs column with the default
OG and any additional OGs you want, each separated by a single ampersand character
(&).
n Change Organization Group – Move users to a different organization group.
5 Open the CSV file. Confirm if users are part of the enrollment organization group (OG).
The CSV file features several columns corresponding to the options on the Add / Edit User
page. When you open the CSV template, notice that sample data exists in each column of
the template. The sample data is there to inform you what kind of data is required and what
format it must be in. Do not stray from the format presented by the sample data.
Note A CSV file (comma-separated values) is simply a text file whose extension is changed
from "TXT" to "CSV". It stores tabular data (text and numbers) in plain text. Each line of the
file is a data record. Each record consists of one or more fields, separated by commas. It can
be opened and edited with any text editor. It can also be opened and edited with Microsoft
Excel.
6 Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment and
select the Grouping tab.
For a directory-based enrollment, the Security Type for each user must be Directory.
Result: If the Group ID Assignment Mode is set to Default, your users are part of the
enrollment OG.
7 Enter data for your users, including device information (if applicable) and save the file.
8 Return to the Batch Import page and select Choose File to locate and upload the CSV file
that you had previously downloaded and filled out.
9 Select Save.
Batch Import User Groups
To save time, you can import multiple Lightweight Directory Access Protocol (LDAP)/Active
Directory (AD) user groups into the Workspace ONE UEM console. You can batch import user
groups in much the same way as individual users, by completing a supplied template and
uploading it.
1 Navigate to Accounts > User Groups > List View and select Add.
2 Select Batch Import.
3 Enter the basic information including Batch Name and Batch Description in the Workspace
ONE UEM console.
4 Under Batch File (.csv), select the Choose File button to locate and upload the completed
CSV file.
5 Alternately, select the link Download template for this batch type and save the
comma-separated values (CSV) file and use it to prepare a new importation file.
n Open the CSV file, which has several columns corresponding to the settings that display
on the Add User Group page. Columns with an asterisk are required and must be entered
with data. Save the file.
n The last column heading in the CSV file template is labeled "GroupID/Manage (Edit and
Delete)/Manage(Users and Enrollment)/UG assignment/Admin Inheritance." This column
heading corresponds to the settings and abides by the logic of the Permissions tab of the
Edit User Group page. For details, see Edit Your User Group Permissions.
6 Select Import.
7 If the Batch Import does not complete successfully, view and troubleshoot errors by selecting
Accounts > Batch Status. You can view specific batch import errors by clicking the Errors
hyperlink.
Editing Basic Users with Batch Import
The Batch Import feature lets you edit and move users in groups rather than one at a time.
The users must already exist in Workspace ONE UEM for this procedure to work. Edit the
following columns in the CSV file you upload as part of a batch import procedure and use
Batch Import to upload that file. Such column manipulation is only applicable to two kinds of
user authentication: basic user authentication and authentication proxy.
n Password (Basic only).
n First Name.
n Middle Name.
n Last Name.
n Email Address.
n Phone Number.
n Mobile Number.
n Department.
n Email user name.
n Email Password.
n Authorized organization groups (at and below the given Group ID only).
n Enrollment user category (this category is accessible to the user, otherwise,
defaulted to 0).
n Enrollment user role (this role is accessible to the user, otherwise, it
assumes the default role of the organization group).
Such basic user editing applies only to Basic User Authentication and Authentication Proxy.
Move Users Between Organization Groups with Batch Import
Batch import is used to move multiple users to a different organization group.
1 From the Batch Import screen, enter the basic information including a Batch Name and a
Batch Description in the Workspace ONE UEM console.
2 Choose Change Organization Group from the list of templates and save the CSV file
somewhere accessible.
3 Enter the applicable Group ID of the user's existing organization group, user name to be
moved, and Target Group ID of the user's new organization group.
4 Return to the Batch Import screen, select Choose File to locate and upload the saved CSV file
and select Open.
5 Select Save.
Admin Accounts
You can maintain settings, push, or revoke features and content, and much more with admin
accounts in Workspace ONE Express and Workspace ONE UEM.
Admin Account List View
You can implement key management functions for ongoing maintenance and upkeep of admin
accounts by navigating to Accounts > Administrators > List View.
Display the Add/Edit Admin page by selecting the hypertext link in the user name column.
This link lets you quickly update or change the roles assigned to an admin, so that their
privileges stay up to date as responsibilities change within your organization. You can also
alter general admin information and reset a password.
You can Filter the list of administrators to include all roles or limit the listing to only a specific
role you want to see. You can also export an XLSX or CSV (comma-separated values) file of the
filtered or unfiltered Administrators List View. You can then view and analyze this file with MS
Excel. Select the Export button and choose a download location.
Display the action buttons applicable to that admin by selecting the radio button next to the
administrator user name.
n View History – Track when admins log in and out of the Workspace ONE UEM console or
Workspace ONE Express.
n Deactivate – Change the status of an admin account from active to inactive. This feature
allows you to suspend the management functions and privileges temporarily. At the same
time, this feature enables you to keep the defined roles of the admin account for later use.
n Activate – Change the status of an admin account from inactive to active.
n Delete – Remove the admin account from the console. Such an action is useful for when an
administrator ends employment.
n Reset Password – Available to basic administrators only. Sends an email to the basic admin
email address on record. The email contains a link that expires in 48 hours. To reset the
password, the basic admin must select the link and answer the password recovery question.
This link enables the basic admin to change their own password.
Directory-based administrators must reset their passwords using the Active Directory system.
Temporary administrators cannot reset their password. Another admin must delete then
re-create the temporary admin account.
Create an Admin Account
You can add Admin Accounts from the Administrators List View page, providing access to
advanced features of the Workspace ONE UEM console and Workspace ONE Express. Each
admin that maintains and supervises the console must have an individual account.
1 Navigate to Accounts > Administrators > List View, select Add, then Add Admin. The Add/
Edit Admin page displays.
2 Under the Basic tab, for the User Type setting, select either Basic or Directory.
n If you select Basic, then fill in all required settings on the Basic tab, including user name,
password, First Name, and Last Name.
n You can enable Two-Factor Authentication where you select between Email and SMS as
a delivery method and the token expiration time in minutes.
n You can also select a Notification option, choosing between None, Email, and SMS. The
Admin receives an auto-generated response.
n If you select Directory, then enter the Domain and user name of the admin user.
3 Select the Details tab and enter additional information, if necessary.
4 Select the Roles tab and then select the Organization Group followed by the Role you want
to assign to the new admin. Add new roles by using Add Role.
5 Select the API tab and choose the Authentication type.
6 Select the Notes tab and enter additional Notes for the admin user.
7 Select Save to create the admin account with the assigned role.
Create a Temporary Admin Account
You can grant temporary administrative access to your environment for support, demonstrations,
and other time limited use cases.
1 Navigate to Accounts > Administrators > List View, select Add. Select the Add Temporary
Admin option.
Alternatively, you can select the Help button from the header bar that appears at the top-
right corner of almost every page of Workspace ONE UEM and Workspace ONE Express and
select Add Temporary Admin.
2 In the Basic tab, select to add a temporary admin account based on Email Address or user
name and complete the following settings.
Setting – Description
Email Address – Enter the email address on which the temporary admin account is based. Available only when the Email Address radio button is selected.
User name – Enter the user name on which the temporary admin account is based. Available only when the user name radio button is selected.
Password / Confirm Password – Enter and confirm the password that is associated with the Email Address or user name.
Expiration Period – Select an Expiration Period, which defaults to 6 hours. You can also set this drop-down menu to Inactive to create the account now and activate it later.
Ticket Number – Optionally, you can add the Ticket Number from ZenDesk, Bugzilla, Jira, or other help desk tool as a reference marker.
3 In the Roles tab, you can add, edit, and delete roles applicable to the temporary admin
account.
n Add a role by selecting the Add Role button and then select the organization group and
role for which the temporary admin account applies.
n Edit an existing role by selecting the edit icon ( ) and select a different organization
group and role.
n Delete a role by selecting the delete icon ( ).
Login History
Navigate to Accounts > Administrators > System Activity > Login History and you can view a
listing of all administrator logins including date & time, their IP address, browser, and platform.
Select a Username from the listing to see the entire login history of the selected admin.
Using UEM Functionality With a REST API
17
You can configure external applications to use the core product functionality of Workspace ONE
UEM by integrating REST APIs with the UEM infrastructure to facilitate connectivity. You can
also select an OAuth token URL closest to your data center to authenticate API calls.
Getting Started with REST APIs
Using simplified REST software architecture, Workspace ONE UEM REST APIs currently support
multiple functionalities, including organization group, console administration, mobile application,
mobile device, email, enrollment user, profile, smart group, and user group management.
Using REST-based APIs provides several benefits to enterprises, including eliminating the cost
and time spent developing applications in-house. Workspace ONE UEM REST APIs are fully able
and ready to integrate with enterprise servers, programs, and processes. Workspace ONE UEM
REST APIs are more efficient, can run smoothly, and can be easily branded by enterprises.
These APIs are for application developers. This guide provides an understanding of design
and architecture of the API library and facilitates custom development and integration with
Workspace ONE UEM.
Accessing API Documentation
Review detailed API documentation by navigating to the Workspace ONE UEM API Help page.
In the address bar of your browser, replace the "cn" in the URL with "as" and then append /api/
help after .com.
For example, API documentation for a SaaS environment URL of...
https://cn4855.awmdm.com
...is...
https://as4855.awmdm.com/api/help
Datacenter and Token URLs for OAuth 2.0 Support
Workspace ONE UEM supports the OAuth 2.0 industry standard protocol for secure
authentication and authorization for REST API calls.
Workspace ONE Token Service is the Token Issuer for OAuth authentication and is supported
only in SaaS environments. The Token URLs are region-specific.
Table 17-1. Region-specific Token URLs
Region – Workspace ONE UEM SaaS Data Center Location – Token URL
Ohio (United States) – All UAT environment – https://uat.uemauth.vmwservices.com/connect/token
Virginia (United States) – United States – https://na.uemauth.vmwservices.com/connect/token
Virginia (United States) – Canada – https://na.uemauth.vmwservices.com/connect/token
Frankfurt (Germany) – United Kingdom – https://emea.uemauth.vmwservices.com/connect/token
Frankfurt (Germany) – Germany – https://emea.uemauth.vmwservices.com/connect/token
Tokyo (Japan) – India – https://apac.uemauth.vmwservices.com/connect/token
Tokyo (Japan) – Japan – https://apac.uemauth.vmwservices.com/connect/token
Tokyo (Japan) – Singapore – https://apac.uemauth.vmwservices.com/connect/token
Tokyo (Japan) – Australia – https://apac.uemauth.vmwservices.com/connect/token
Tokyo (Japan) – Hong Kong – https://apac.uemauth.vmwservices.com/connect/token
Create an OAuth Client to Use for API Commands (SaaS)
You can create an OAuth client to use for API commands, supported in SaaS environments only.
Create an OAuth client for your SaaS environment by taking the following steps.
1 Navigate to Groups & Settings > Configurations.
2 Enter OAuth in the search text box labeled 'Enter a name or category'.
3 Select OAuth Client Management that appears in the results. The OAuth Client Management
screen displays.
4 Select the Add button.
5 Enter the Name, Description, Organization Group, and Role.
Note For more information about specific REST API permissions for the role you select, see
the section in this topic entitled Create a Role That Can Use REST APIs.
6 Ensure that the Status is Enabled.
7 Select Save.
8 IMPORTANT: Copy the Client ID and Client Secret to clipboard and save them before you
close this screen. Select the Copy icon ( ) to send the Client Secret to the clipboard.
You cannot return here to retrieve these pieces of information after you select Close.
9 Use the Client ID, Client Secret, and Token URL to generate the access token in the following
format:
API call: POST {Region-Specific Token URL from Table 17-1}
Key – Value
grant_type – client_credentials
client_id – {CLIENT ID generated on UEM console}
client_secret – {CLIENT SECRET generated on UEM console}
10 Use the access token returned to authorize future API requests to Workspace ONE UEM API
servers. You must format the access token in the request headers in the following way.
API call: {UEM API}
Key – Value
Authorization – {Access Token}
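Steps 9 and 10 as a small client, added here as an example and not VMware's own code: it maps a SaaS data center location to its Table 17-1 token URL, posts the client_credentials request, caches the access token until shortly before it expires, and builds the Authorization header for later calls. Assumed because the page does not state them: the token endpoint returns the standard RFC 6749 JSON body (access_token, token_type, expires_in) and the UEM API accepts the RFC 6750 Bearer scheme; the api_help_url helper implements the cn-to-as host rewrite from Accessing API Documentation.

```python
"""Added example (not VMware's code): Workspace ONE UEM OAuth 2.0 token client.
Assumed, not stated on the page: the token endpoint returns the RFC 6749 JSON
body (access_token, token_type, expires_in) and the UEM API takes the RFC 6750
"Bearer" scheme in the Authorization header."""
import json
import time
import urllib.parse
import urllib.request

# Region-specific token URLs from Table 17-1, keyed by SaaS data center location.
TOKEN_URLS = {
    "All UAT environment": "https://uat.uemauth.vmwservices.com/connect/token",
    "United States": "https://na.uemauth.vmwservices.com/connect/token",
    "Canada": "https://na.uemauth.vmwservices.com/connect/token",
    "United Kingdom": "https://emea.uemauth.vmwservices.com/connect/token",
    "Germany": "https://emea.uemauth.vmwservices.com/connect/token",
    "India": "https://apac.uemauth.vmwservices.com/connect/token",
    "Japan": "https://apac.uemauth.vmwservices.com/connect/token",
    "Singapore": "https://apac.uemauth.vmwservices.com/connect/token",
    "Australia": "https://apac.uemauth.vmwservices.com/connect/token",
    "Hong Kong": "https://apac.uemauth.vmwservices.com/connect/token",
}


def token_url_for(location):
    """Token URL for a SaaS data center location (Table 17-1); fail on unknown."""
    if location not in TOKEN_URLS:
        raise ValueError(f"no token URL known for data center location {location!r}")
    return TOKEN_URLS[location]


def api_help_url(console_url):
    """Console URL such as https://cn4855.awmdm.com -> its API Help URL:
    the 'cn' host prefix becomes 'as' and /api/help is appended."""
    parts = urllib.parse.urlsplit(console_url)
    if not parts.hostname or not parts.hostname.startswith("cn"):
        raise ValueError("expected a console host name starting with 'cn'")
    host = "as" + parts.hostname[2:]
    return urllib.parse.urlunsplit((parts.scheme, host, "/api/help", "", ""))


def build_token_request(client_id, client_secret):
    """Form-encoded POST body for step 9: grant_type, client_id, client_secret."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()


def parse_token_response(status, body):
    """Validate the token response; return (access_token, expires_in seconds)."""
    if status != 200:
        # Do not echo the body into logs: an error body can still carry secrets.
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise RuntimeError("unexpected token response shape")
    return data["access_token"], int(data.get("expires_in", 0))


def _urllib_post(url, body):
    """Default transport: POST form data, return (HTTP status, response text)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()


class TokenCache:
    """Holds one access token and re-requests it shortly before it expires.
    'post' and 'now' are injectable so the flow can be exercised offline."""
    REFRESH_MARGIN = 60  # seconds before expiry at which a new token is fetched

    def __init__(self, token_url, client_id, client_secret,
                 post=_urllib_post, now=time.time):
        if not token_url.startswith("https://"):
            raise ValueError("refusing to send the client secret over a non-TLS URL")
        self._url, self._id, self._secret = token_url, client_id, client_secret
        self._post, self._now = post, now
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        """Return a valid access token, fetching a fresh one only when needed."""
        if self._token is None or self._now() >= self._expires_at - self.REFRESH_MARGIN:
            status, body = self._post(self._url, build_token_request(self._id, self._secret))
            self._token, ttl = parse_token_response(status, body)
            self._expires_at = self._now() + ttl
        return self._token

    def auth_header(self):
        """Header for step 10; Bearer scheme assumed (RFC 6750)."""
        return {"Authorization": f"Bearer {self.access_token()}"}
```

Pair the client with a role that carries only the Table 17-2 permissions its calls need, and keep the Client Secret out of source control and logs.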
Create a Role That Can Use REST APIs
Each API call has a corresponding resource (or permission) that you must include in the role you
assign to the OAuth client, so the permissions in that role must line up with the kinds of API
calls you are making.
Use the information in the following table to help you select which permissions you must include
in the role you assign. Then visit Create Administrator Role for instructions on making that role.
Table 17-2. REST API Role Permissions
Category Name Description
R
e
a
d
O
n
l
y
/
E
d
i
t
REST > Admins REST API System Groups Access to organization group information E
d
i
t
REST API System Admin Access to admin info E
d
i
t
REST API System Users Access to User Info E
d
i
t
REST API Admins Write Enables access to all write/update APIs in Admin users
collection
E
d
i
t
REST API Admins Execute Enables access to all execute APIs in Admin users collection E
d
i
t
REST API Admins Delete Enables access to all Delete APIs in Admin users collection E
d
i
t
REST API Admins Read Enables access to all READ only APIs in Admin users
collection
R
e
a
d
O
n
l
y
REST > Apps REST API MAM Blob Upload download content E
d
i
t
Console Basics
VMware by Broadcom 137
Table 17-2. REST API Role Permissions (continued)
Category Name Description
R
e
a
d
O
n
l
y
/
E
d
i
t
REST API MAM Apps Access to managed apps E
d
i
t
REST API Apps Write Enables access to all write/update APIs in Apps collection E
d
i
t
REST API Apps Execute Enables access to all execute APIs in Apps collection E
d
i
t
REST API Apps Delete Enables access to all Delete APIs in Apps collection E
d
i
t
REST API Apps Read Enables access to all READ only APIs in Apps collection R
e
a
d
O
n
l
y
REST > Compliance
Policy
REST API Compliance Policy
Delete
Enables access to all Delete APIs in Compliance Policy
collection
E
d
i
t
REST API Compliance Policy
Execute
Enables access to all Execute APIs in Compliance Policy
collection
E
d
i
t
REST API Compliance Policy
Write
Enables access to all Write APIs in Compliance Policy
collection
E
d
i
t
Console Basics
VMware by Broadcom 138
Table 17-2. REST API Role Permissions (continued)
Category Name Description
R
e
a
d
O
n
l
y
/
E
d
i
t
REST API Compliance Policy
Read
Enables access to all READ only APIs Compliance Policy
collection
R
e
a
d
O
n
l
y
REST > Custom
Attributes
REST API Custom Attributes
Execute
Enables access to all execute APIs in Custom Attributes
collection
E
d
i
t
REST API Custom Attributes
Write
Enables access to all write APIs in Custom Attributes
collection
E
d
i
t
REST API Custom Attributes
Delete
Enables access to all Delete APIs in Custom Attributes
collection
E
d
i
t
REST API Custom Attributes
Read
Enables access to all READ only APIs in Custom Attributes
collection
R
e
a
d
O
n
l
y
REST > Devices REST API MDM Smart Groups Access to smart group info E
d
i
t
REST API MDM User Groups Access to User Groups E
d
i
t
Console Basics
VMware by Broadcom 139
Table 17-2. REST API Role Permissions (continued)
Category Name Description
R
e
a
d
O
n
l
y
/
E
d
i
t
REST API MDM Profiles Send Lock/Unlock Commands E
d
i
t
REST API MDM Devices Send lock/unlock commands E
d
i
t
REST API BLOBS Write Enables access to all write/update only APIs in BLOBS
collection
E
d
i
t
REST API BLOBS Execute Enables access to all execute only APIs in BLOBS collection E
d
i
t
REST API BLOBS Delete Enables access to all delete only APIs in BLOBS collection E
d
i
t
REST API Devices Write Enables access to all write/update APIs in Devices collection E
d
i
t
REST API Devices Execute Enables access to all execute APIs in Devices collection E
d
i
t
REST API Devices Delete Enables access to all Delete APIs in Devices collection E
d
i
t
REST API Devices Advanced Enables access to all Advanced APIs in Devices collection E
d
i
t
Console Basics
VMware by Broadcom 140
Table 17-2. REST API Role Permissions (continued)
Category Name Description
R
e
a
d
O
n
l
y
/
E
d
i
t
REST API BLOBS Read Enables access to all read only APIs in BLOBS collection R
e
a
d
O
n
l
y
REST API Devices Read Enables access to all READ only APIs in Devices collection R
e
a
d
O
n
l
y
REST >
REST Enterprise
Integration
REST API Enterprise
Integration Read
Enables access to all READ only APIs in Enterprise Integration R
e
a
d
O
n
l
y
REST > Groups REST API Groups Write Enables access to all write/update APIs in Organization Group
collection
E
d
i
t
REST API Groups Execute Enables access to all execute APIs in Organization Group
collection
E
d
i
t
REST API Groups Delete Enables access to all Delete APIs in Organization Group
collection
E
d
i
t
Console Basics
VMware by Broadcom 141
Table 17-2. REST API Role Permissions (continued)
Category Name Description
R
e
a
d
O
n
l
y
/
E
d
i
t
REST API Smart Groups Write Enables access to all write APIs in Smart Groups collection E
d
i
t
REST API Smart Groups
Execute
Enables access to all execute APIs in Smart Groups collections E
d
i
t
REST API Smart Groups
Delete
Enables access to all Delete APIs in Smart Groups collection E
d
i
t
REST API User Groups Write Enables access to all write/update APIs in User Groups E
d
i
t
REST API User Groups
Execute
Enables access to all execute APIs in User Groups E
d
i
t
REST API User Groups Delete Enables access to all Delete APIs in User Groups E
d
i
t
REST API Cart Write REST API to save and edit Cart data E
d
i
t
REST API Cart Delete REST API to delete Cart data E
d
i
t
REST API Apple School
Manager Write
REST API to initiate Apple School Manager sync E
d
i
t
Console Basics
VMware by Broadcom 142
Table 17-2. REST API Role Permissions (continued)
Category Name Description
R
e
a
d
O
n
l
y
/
E
d
i
t
REST API Apple School
Manager map
REST API to map an enrollment user to a member from Apple
School Manager
E
d
i
t
REST API Class Assignments
Save
REST API call to save class assignments E
d
i
t
REST API Class Write REST API to save and edit class data E
d
i
t
REST API Class Delete REST API to delete class data E
d
i
t
REST API Education settings
Write
REST API to save and edit Education settings E
d
i
t
REST API Education settings
Read
REST API to view Education settings E
d
i
t
REST API Groups Read Enables access to all READ only APIs in Organization Group
collection
R
e
a
d
O
n
l
y
Console Basics
VMware by Broadcom 143
| | REST API Smart Groups Read | Enables access to all READ only APIs in Smart Groups collection | Read Only |
| | REST API User Groups Read | Enables access to all READ only APIs in User Groups | Read Only |
| | REST API Apple School Manager Sync Read | REST API to check the Apple School Manager sync status | Read Only |
| | REST API Apps For Device Read | REST API to get a list of apps eligible for a device | Read Only |
| | REST API Class Read | REST API to view class data | Read Only |
| REST > Products | REST API Products Execute | Enables access to all execute APIs in Products collection | Edit |
| | REST API Products Write | Enables access to all write APIs in Products collection | Edit |
| | REST API Products Delete | Enables access to all Delete APIs in Products collection | Edit |
| | REST API Products Read | Enables access to all READ only APIs in Products collection | Read Only |
| REST > Profiles | Updates Policy Write access | Enables access to all WRITE APIs in Updates Policy collection | Edit |
| | Updates Policy Execute access | Enables access to all EXECUTE APIs in Updates Policy collection | Edit |
| | Updates Policy Delete access | Enables access to all DELETE APIs in Updates Policy collection | Edit |
| | REST API Profiles Write | Enables access to all write APIs in Profiles collection | Edit |
| | REST API Profiles Execute | Enables access to all execute APIs in Profiles collection | Edit |
| | REST API Profiles Delete | Enables access to all Delete APIs in Profiles collection | Edit |
| | Updates Policy Read access | Enables access to all READ only APIs in Updates Policy collection | Read Only |
| | REST API Profiles Read | Enables access to all READ only APIs in Profiles collection | Read Only |
| REST > Users | REST API Users Write | Enables access to all write/update APIs in Enrollment users collection | Edit |
| | REST API Users Execute | Enables access to all execute APIs in Enrollment users collection | Edit |
| | REST API Users Delete | Enables access to all Delete APIs in Enrollment users collection | Edit |
| | REST API User Tokens Read | Enables access to Enrollment user tokens for APIs in Enrollment User collection | Read Only |
| | REST API Users Read | Enables access to all READ only APIs for Enrollment users collection | Read Only |