iOS Device Management
VMware Workspace ONE UEM services
You can find the most up-to-date technical documentation on the VMware by Broadcom website at:
https://docs.vmware.com/
VMware by Broadcom
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its
subsidiaries. For more information, go to https://www.broadcom.com. All trademarks, trade names, service
marks, and logos referenced herein belong to their respective companies. Copyright and trademark
information.
iOS Device Management
VMware by Broadcom
2
Contents
Introduction to Managing iOS Devices 8
Supported iOS Devices 8
iOS Admin Task Prerequisites 8
Enroll iOS Devices 9
Enrollment Requirements 9
Single Device Enrollment 9
Hub-Based Enrollment 9
Browser-Based Enrollment 9
Bulk Device Enrollment 10
iOS Device Enrollment Requirements 10
Capabilities Based on Enrollment Type for iOS Devices 11
Enroll an iOS Device with the Workspace ONE Intelligent Hub 12
Enroll an iOS Device with the Safari Browser 14
Bulk Enrollment of iOS Devices Using Apple Configurator 15
Device Enrollment with the Apple Business Manager’s Device Enrollment Program 16
User Enrollment 16
Enroll an iOS Device Using Traditional User Enrollment 17
Enroll an iOS Device Using Account Driven User Enrollment 18
App Management on User Enrolled Devices 18
iOS Device Profiles 19
Configure an iOS Profile 19
AirPlay Profile for iOS 20
AirPrint Profile for iOS 21
CalDAV or CardDAV Profile for iOS 22
Cellular Profile for iOS 23
Custom Settings Profile for iOS 24
Device Passcode Profile for iOS 26
Configure a Device Passcode Profile for iOS 27
Email Account Profile for iOS 28
Exchange ActiveSync (EAS) Mail for iOS Devices 30
Create a Generic EAS Profile for Multiple Users 30
Configure an EAS Mail Profile for the Native Mail Client 31
Forcepoint Content Filter for iOS 34
Google Account Profile for iOS 35
Global HTTP Proxy Profile for iOS 35
Home Screen Layout Profile (iOS Supervised) 36
LDAP Profile for iOS 37
Lock Screen Message Profile for iOS 38
macOS Server Account Profile for iOS 39
Managed Domains Profile for iOS 39
Network Usage Rules for iOS 40
Notifications Profile for iOS 41
Per-App VPN Profile for iOS 42
Configure Public Apps to Use Per App Profile 42
Configure Internal Apps to Use Per App Profile 43
Restrictions Profile for iOS 43
Configure a Restrictions Profile 44
Specific Restrictions for iOS 45
SCEP/Credentials Profile for iOS 49
Single App Mode Profile for iOS 50
Single Sign-On Profile for iOS 53
Skip Setup Assistant Profile for iOS 55
SSO Extension Profile for iOS 57
Subscribed Calendar Profile for iOS 59
Virtual Private Network (VPN) Profile for iOS 59
VPN On Demand Profile for iOS 62
Web Clips Profile for iOS 64
Web Content Filter Profile for iOS 65
Wi-Fi Profile for iOS 67
Compliance Policies for iOS Devices 71
Apps for iOS Devices 72
Workspace ONE Intelligent Hub for iOS 72
Understanding the Certificate Exchange 72
Securing the Data in Transit 73
APIs and Application Functionality 73
Configure Workspace ONE Intelligent Hub Settings for iOS Devices 74
VMware Workspace ONE Content 76
VMware Workspace ONE Web 76
VMware Workspace ONE Boxer 76
AirWatch Container for iOS 77
Enforcing Application-Level Single Sign On Passcodes 77
Apple Configurator Overview 78
Configure iOS Devices 80
Apple Industry Templates 80
Working with Profiles and Compliance Policies for Industry Templates 81
Create an Apple Industry Template 82
Edit Application Lists in Apple Industry Templates 83
Delete an Apple Industry Template 84
Apple iBeacon Overview 85
Requirements for iBeacon 85
iBeacon Operations Details 85
Enable iBeacon for iOS Devices 85
Assign iBeacon Groups to Device Profiles 86
Add Compliance Policies for iBeacon Groups 87
Activation Lock Overview 89
Activation Lock for Unsupervised vs. Supervised Devices 89
Enable Activation Lock for iOS Devices 89
Viewing Activation Lock Status 90
Clear Activation Lock on iOS Devices 90
Use the Clear Activation Lock Command 91
Enter an Activation Lock Bypass Code 91
Perform a Device Wipe Command 92
Activation Lock - Wipe Command Workflow Matrix 92
Remote View 94
Prerequisites to initiate a Remote View 94
Remote View Device Requirements 94
Configure the UEM Console with Remote View 94
Configure End-User Devices 95
Initiate a Remote View Session 95
Request AirPlay for an iOS Device 96
Configure Managed Settings for iOS Devices 98
Configure Organization Settings 98
Set Required App 99
Override Default Roaming Settings (iOS) 100
Set a Default Wallpaper 100
Set Default Organization Information 100
Install Fonts on iOS Devices 101
Cisco QOS Marking for iOS Applications 101
Apple Push Notification Service (APNs) 102
Apple Push Notification Service (APNs) Certificate 102
Apple Push Notification Service Workflow 102
Device Management 104
Device Dashboard 104
Device List View 105
Customize Device List View Layout 106
Exporting List View 106
Search in Device List View 106
Device List View Action Button Cluster 106
Remote Assist 107
Using the Device Details Page for iOS Devices 107
Configure and Deploy a Custom Command to a Managed Device 112
OS Update Management 114
iOS Update Management Features 114
iOS Update Management Prerequisites 114
Supported Devices 114
Network Requirements 114
View the Available iOS Updates 115
Assign and Publish iOS Updates 116
Pause and Unpause iOS Updates 117
Monitor iOS Update Assignments 117
Manage iOS Updates for Individual Devices 118
Delay iOS Updates 119
Set the Device Name for a Supervised iOS Device 119
AppleCare GSX 121
Create a GSX Account 121
Obtain an Apple Certificate to Integrate AppleCare GSX 121
Configure AppleCare in the UEM console 121
Obtain an Apple Certificate to Integrate AppleCare GSX 121
Configure AppleCare GSX in the UEM Console 122
Shared Devices 124
Define the Shared Device Hierarchy 125
Configure Shared Devices 126
Log In and Log Out of Shared iOS Devices 130
iOS Functionality Matrix: Supervised vs. Unsupervised 131
Introduction to Managing iOS Devices
Workspace ONE UEM provides you with a robust set of mobility management solutions to enroll,
secure, configure, and manage the iOS devices in your deployment.
Through the Workspace ONE UEM console you can:
Manage the entire lifecycle of corporate and employee-owned devices.
Enable end users to perform tasks themselves, including enrollment, by using the Self-Service Portal (SSP).
Ensure that devices are compliant and secure by assigning profiles to specific groups and individuals in your organization.
Integrate any of your existing enterprise apps with the Workspace ONE UEM Software Development Kit (SDK) to enhance their functionality.
Use reporting tools and a searchable, customizable dashboard to perform ongoing maintenance and management of your device fleet.
Supported iOS Devices
Workspace ONE UEM supports iPhone, iPad, and iPod Touch devices running iOS 11.0 and higher.
Certain Workspace ONE UEM and iOS features require later versions of the software. These
additional requirements are noted in the documentation where applicable. For more information on
supported versions, see KB article here.
iOS Admin Task Prerequisites
You need the following information to perform many of the tasks. Compile this information before
proceeding.
UEM console – Access to the UEM console with administrator permissions, which allows you
to create profiles, policies, and manage devices within the Workspace ONE UEM
environment.
Credentials – This user name and password allow you to access your UEM console
environment. These credentials may be the same as your network directory services or may
be uniquely defined in the UEM console.
Apple Push Notification service (APNs) Certificate – This certificate is issued to your
organization to authorize the use of Apple’s cloud messaging services.
Enroll iOS Devices
Each device in your organization’s deployment must be enrolled in your organization’s environment
before it can communicate with Workspace ONE UEM and access internal content and features
using Mobile Device Management (MDM). iOS devices enroll using MDM functionality built into the
native OS.
Enrollment Requirements
To enroll an iOS device, you or your end users must gather specific information. The information the
users need depends on whether you associated an email domain to their environment as part of
auto-discovery.
Associating an email domain with your environment requires end users to enter an email address
and credentials (and sometimes select a Group ID from a list) to complete enrollment. This choice
simplifies enrollment because end users likely already know this information.
Alternatively, if you do not set up an email domain for enrollment, users are additionally prompted
for the Enrollment URL and Group ID, which admins must provide to them.
For more information on enrollment requirements, see iOS Device Enrollment Requirements.
Single Device Enrollment
The device management capabilities available for enrolled devices depend on the type of enrollment
you choose. Workspace ONE UEM provides a matrix comparing supported features for Hub-based
and agentless enrollment types. Use this matrix to determine what type of enrollment meets your
organization’s needs.
For more information on the comparison matrix between Hub-based and browser-based enrollments, see Capabilities Based on Enrollment Type for iOS Devices.
Hub-Based Enrollment
The Hub-based enrollment process secures a connection between iOS devices and your Workspace ONE UEM environment through the Workspace ONE Intelligent Hub app. The Workspace ONE Intelligent Hub application facilitates the enrollment, and then allows for real-time management and access to device information. Hub-based enrollment is best suited for deployments where users have an available Apple ID, which they need in order to download the Workspace ONE Intelligent Hub from the App Store.
For more information on Hub-based enrollment, see Workspace ONE Intelligent Hub for iOS and Enroll an iOS Device with Workspace ONE Intelligent Hub in Apps for iOS.
Browser-Based Enrollment
You can also enroll devices using a web-based enrollment process through the iOS device’s built-in
Safari browser. This approach is best suited for deployments where users do not have an available
Apple ID to download the Workspace ONE Intelligent Hub.
For more information on browser-based enrollment, see Enroll an iOS Device with the Safari Browser.
Bulk Device Enrollment
Depending on your deployment type and device ownership model, you may want to enroll devices
in bulk. Workspace ONE UEM provides bulk enrollment capabilities using the Apple Configurator 2
and the Apple Business Manager’s Device Enrollment Program (DEP).
Bulk Enrollment with Apple Configurator 2
Workspace ONE UEM helps businesses take advantage of the unique setup capabilities offered by
Apple Configurator 2, such as iOS versioning enforcement and complete backup prevention. You
can bulk-enroll devices using Apple Configurator 2 on a macOS computer through a
USB connection.
For more information on using Apple Configurator for bulk enrollment, see Bulk Enrollment of iOS Devices Using Apple Configurator.
Bulk Enrollment with Apple Device Enrollment Program
Deploying a bulk enrollment through the Apple Device Enrollment Program (DEP) allows you to install a non-removable MDM profile on a device, which prevents end users from removing the profile from their device. You can also provision devices in Supervised mode to access additional security and configuration settings.
For more information on enrollment with the Apple Business Manager, see Device Enrollment with the Apple Business Manager’s Device Enrollment Program.
iOS Device Enrollment Requirements
To enroll an iOS device, you or your end users need information that depends on whether you associate an email domain with their environment as part of auto-discovery. If an email domain is associated with their environment, users need:
Email address – The email address associated with your organization. For example, [email protected].
QR Code – Users can scan a QR code generated from the UEM console and received through email.
Apple ID – This Apple ID is needed for each user performing Hub-based enrollment.
If an email domain is not associated with your environment, end users are prompted to enter an email address. Since auto-discovery is not enabled, end users are also prompted for the following information:
Enrollment URL – This URL is unique to your organization’s enrollment environment and takes the user directly to the enrollment screen. For example, https:// .com/enroll.
Group ID – This Group ID associates a user’s device with their corporate role and is defined in the UEM console for a given organization group. Point to the organization group drop-down menu to see the Group ID of the current group.
Apple ID – This Apple ID is needed for each user performing Hub-based enrollment.
Capabilities Based on Enrollment Type for iOS Devices
Feature                                                         Hub-Based   Agentless
Enrollment
  Requires Apple ID                                             Required    Optional
  Force EULA/Terms of Use Acceptance                            Yes         Yes
  Active Directory/LDAP/SAML Integration                        Yes         Yes
  Two Factor Authentication                                     Yes         Yes
  BYOD Support                                                  Yes         Yes
  Device Staging Support                                        Yes         Yes
  Branding                                                      Partial     Yes
Configuration Profile Management
  View and Manage Profiles                                      Yes         Yes
  Security Settings (Data Encryption, Password Policy, etc.)    Yes         Yes
  Device Restrictions                                           Yes         Yes
  Certificate Management                                        Yes         Yes
  Email and Exchange ActiveSync Management                      Yes         Yes
Device Information
  Device Information (model, serial number, IMEI number, etc.)  Yes         Yes
  GPS Tracking                                                  Yes         No
  Phone Number                                                  Yes         Yes
  Memory Information                                            Yes         Yes
  Battery Information                                           Yes         Yes
  UDID                                                          Yes         Yes
  Compromised/Jailbreak Detection                               Yes         Yes
  Activation Lock Status                                        Yes         Yes
  Find My iPhone Status                                         Yes         Yes
  iCloud Backup Status                                          Yes         Yes
  Last Backup Time                                              Yes         Yes
Network Information
  Cellular Information (MCC/MNC, SIM card info, etc.)           Yes         Yes
  Telecom Roaming Information                                   Yes         Yes
  Telecom Usage Information                                     Yes         Yes
  IP Address                                                    Yes         Yes
  Bluetooth MAC Address                                         Yes         Yes
  Wi-Fi MAC Address                                             Yes         Yes
Management Commands
  Full Device Wipe                                              Yes         Yes
  Enterprise Wipe                                               Yes         Yes
  Lock Device                                                   Yes         Yes
  Clear Passcode                                                Yes         Yes
  Email Messaging                                               Yes         Yes
  SMS Messaging                                                 Yes         Yes
  APNs Push Messaging                                           Yes         Yes
  Remote View                                                   Yes         No
  Set Device Name                                               Yes         Yes
  Clear Restrictions Passcode                                   Yes         Yes
Application Management
  View and Manage Applications                                  Yes         Yes
  Volume Purchase Program (VPP)                                 Yes         Yes
  Application List                                              Yes         Yes
  Number Badging for App Updates                                Yes         Yes
Content Management
  Content Management                                            Yes*        Yes*
Requires end user to transfer purchases when syncing for the first time.
Requires a Workspace ONE UEM SDK-embedded application to be present on the device.
* Requires the VMware Content Locker app from iTunes.
Enroll an iOS Device with the Workspace ONE Intelligent Hub
The Hub-based enrollment process secures a connection between an iOS device and your
Workspace ONE UEM environment. The Workspace ONE Intelligent Hub application facilitates
enrollment and allows for real-time management and access to device information.
If you want to take full advantage of the Workspace ONE Intelligent Hub capabilities while also allowing the Web enrollment process, you can allow users to enroll through the Workspace ONE Intelligent Hub. This setting prevents end users from enrolling if they have not downloaded the Workspace ONE Intelligent Hub.
Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment > Authentication, and select Require Hub Enrollment for iOS.
To enroll an iOS device with the Workspace ONE Intelligent Hub perform the following steps:
1. Navigate to getwsone.com from the Safari browser. Workspace ONE UEM automatically
prompts the end user to go to the App Store and download the Workspace ONE Intelligent
Hub application. Follow the download prompts. An Apple ID is required to download the
Workspace ONE Intelligent Hub from the iTunes store.
2. Select the Workspace ONE Intelligent Hub application and then select one of the following authentication methods:
a. Email Address – Select auto-discovery, if it is configured in your environment. In addition,
you might be prompted to select a group from a drop-down menu.
b. Server Details – Select to enroll using the server URL. The server URL is the network
location of your organization’s Workspace ONE UEM instance and the Group ID of the group
associated with your device.
c. QR Code – Select and use the device to scan the QR code received through email or
Support tab.
3. Enter credentials, which can include either a Username and Password, or a Token, or a
combination of both to authenticate the device.
a. If you enter the credentials incorrectly, a Captcha code appears. Enter the displayed
Captcha code to complete the authentication.
4. Complete the following process flow as determined by the administrator. Select Next after
you complete each page.
a. Select your Device Ownership type, if applicable.
b. Accept your organization’s Terms of Use, if applicable.
c. Enter the device Asset Number, if applicable.
5. Select Next after reviewing privacy collection information.
6. Once redirected to Safari webview, you are prompted to download the MDM profile. The
following message is displayed:
This website is trying to download a configuration file. Do you want to allow this?
7. Tap Allow and when the download is complete, tap Close.
a. For iOS devices 12.2 and later, tap Continue and open Hub to follow the instructional
screens to install the MDM profile and accept the MDM warning message by selecting Install.
b. For devices below iOS 12.2, install the MDM profile when prompted and accept the MDM
warning message by selecting Install.
8. Select Allow to download the MDM profile.
9. Install the MDM profile. Accept any prompts for trust, if applicable.
10. Once MDM profile is installed, navigate back to Hub.
11. Select Done to complete enrollment. A success message is displayed. The enrollment into
Workspace ONE UEM is now complete.
a. If prompted, set up a passcode or enter more credentials for shared devices. To set up a
passcode, log in to the Self-Service Portal and follow the instructions.
b. Optionally, select Open to see the Workspace ONE Intelligent Hub details.
Enroll an iOS Device with the Safari Browser
You can enroll devices using a web-based enrollment process through the iOS device’s built-in Safari browser. This approach is best suited for deployments where users do not have an available Apple ID to download the Workspace ONE Intelligent Hub.
To enroll an iOS device using a web-based enrollment process perform the following steps:
1. Open the Safari browser on the iOS device.
2. Navigate to https://<Environment_URL>.com/enroll.
3. Select Group ID or your Email Address (if auto-discovery is set up for your environment) to
enroll your iOS device. Select Next.
4. Enter the credentials, which can include either a Username and Password, or a Token, or a
combination of both to authenticate the device.
a. If you enter the credentials incorrectly, a Captcha code appears. Enter the displayed
Captcha code to complete the authentication.
5. Complete the following process flow as determined by the administrator. Select Next after
you complete each page.
a. Select your Device Ownership type, if applicable.
b. Enter the device Asset Number, if applicable.
c. Accept the Terms of Use of your organization, if applicable.
6. When prompted, download the MDM profile. The following message is displayed:
This website is trying to download a configuration file. Do you want to allow?
7. Tap Allow and when the download is complete, tap Close.
You have successfully installed the profile. You can view the profile in Settings and continue with installation.
8. Download and install the MDM profile. Accept any prompts for trust, if applicable.
For devices below iOS 12.2, install the MDM profile when prompted and accept the MDM warning message by selecting Install.
For devices running iOS 12.2 and later, follow the instructional screens to install the MDM profile and accept the MDM warning message by selecting Install.
Note: You can also perform an agentless enrollment without using the Workspace ONE Intelligent Hub for web-based enrollment. To perform an agentless enrollment, navigate to Groups & Settings > All Settings > Devices & Users > General and ensure that the Require Hub Enrollment for iOS check box is not selected.
Bulk Enrollment of iOS Devices Using Apple Configurator
You can bulk enroll devices using Apple Configurator on a macOS computer to configure and
deploy iOS devices. By using Apple Configurator with Workspace ONE UEM, you can benefit from
maintained management visibility of devices, complete backup prevention, and continued life-cycle
management beyond the initial configuration.
With Apple Configurator, you can:
Prepare a single, central backup image to consistently mass-configure devices.
Install the Workspace ONE UEM MDM profile as part of the configuration to enroll and manage devices.
Assign devices to specific users by adding registered device details such as serial number or IMEI to a user’s registered device in the UEM console before enrolling with Configurator.
Configure and update corporate device settings and apps over-the-air in Workspace ONE UEM.
For steps to use Apple Configurator with Workspace ONE UEM or for more information, refer to the
VMware Workspace ONE UEM Integration with Apple Configurator document.
Device Enrollment with the Apple Business Manager’s Device
Enrollment Program
Device Enrollment Program (DEP) maximizes the benefits of Apple devices enrolled in Mobile
Device Management (MDM).
With DEP, you can perform the following:
Install a non-removable MDM profile on a device, preventing end users from deleting it.
Provision devices in Supervised mode (iOS only). Devices in Supervised mode can access additional security and configuration settings.
Enforce an enrollment for all end users.
Meet your organization’s needs by customizing and streamlining the enrollment process.
Prevent iCloud backup by disabling users from signing in with their Apple ID when generating a DEP profile.
Force iOS updates for all end users.
For more information, see the following topics:
Apple Business Manager - Device Enrollment Program in Introduction to Apple Business Manager.
The Apple Business Support Portal.
The Apple Device Enrollment Program Guide, or contact your Apple representative.
User Enrollment
User Enrollment is a new enrollment method for iOS 13 and later devices that allows you to effectively manage settings, applications, and corporate data while protecting user privacy and personal data.
With User Enrollment, you are permitted to install applications, configure profiles, and issue
commands only to a managed user container on the device rather than the entire device.
User Enrollment is achieved through MDM providing a user context called a Managed Apple ID in
the MDM profile installed on the device during enrollment. The user context instructs the device to
prompt the user for their Managed Apple ID credentials to install the MDM profile. After enrollment,
a specific Apple File System (APFS) volume is created for the managed data. Data in the personal
volume cannot be accessed from the managed volume, keeping user data private.
Due to the creation of the new managed volume of data, several existing management capabilities are not possible for privacy purposes. For example, if an app is manually installed by the user from the App Store, that app is considered personal and cannot be managed by MDM. Such user-installed apps must first be uninstalled and then reinstalled by Workspace ONE UEM to be managed.
For this reason, Workspace ONE does not permit User Enrollment using the Intelligent Hub app. If the Intelligent Hub is already installed by the user, uninstall and reinstall the Hub through MDM so that the app’s data can be accessed by other Workspace ONE SDK-enabled apps.
User Enrollment Settings
Enable the User Enrollment option for iOS devices by accessing the Enrollment settings page on the Workspace ONE UEM console (Groups & Settings > All Settings > Devices & Users > General > Enrollment). Enabling the option allows supported iOS 13 and later devices to enroll in the Organization Group using Apple’s User Enrollment method. User Enrollment uses the users’ Managed Apple IDs rather than the enrollment user name to indicate which user is enrolling the device. The Managed Apple ID should correspond to a user’s email address in Workspace ONE UEM.
Enroll an iOS Device Using Traditional User Enrollment
Enroll an iOS 13 and later device using Managed Apple IDs in Apple Business Manager federated to Azure AD. A User Enrolled device provides an enhanced privacy focus for users by separating managed data from personal data while still providing core management capabilities such as installing apps, configuring Wi-Fi, and requiring a passcode.
Ensure that you have the following prerequisites before User Enrollment:
Apple Business Manager with federation to Azure AD
Azure AD
An unsupervised iOS 13 and later device
Exactly one enrollment user with an email address that matches a Managed Apple ID in Apple Business Manager.
To enroll an iOS device:
1. Open the Safari browser on the iOS 13 or later device and navigate to your environment’s
User Enrollment URL. The URL is your device services hostname appended with the
/enroll/user path.
For example:
Complete URL/enroll/user/
2. Enter the enrollment user’s email address matching a Managed Apple ID.
Optionally, enter the Group ID of an Organization Group at or below the Organization Group
of the enrollment user. Otherwise, the user’s enrollment Organization Group is used.
3. Confirm the download of the User Enrollment MDM profile.
4. Navigate to Settings in the app and tap Enroll in {Your Company}.
5. Tap through the prompts to redirect to Azure AD for authentication and conditional access prompts.
Azure AD configuration, user type, device, or organization determines the type and number of prompts.
User Enrollment is now complete. The device starts receiving commands from the UEM console.
Enroll an iOS Device Using Account Driven User Enrollment
Enroll an iOS 15 and later device using Managed Apple IDs. You can directly sign in using Settings in
the iOS device.
Ensure that you have the following prerequisites before User Enrollment:
An unsupervised iOS 15 and later device.
Exactly one enrollment user with an email address that matches a Managed Apple ID in Apple Business Manager.
A configured Discovery Service for account driven user enrollment.
To enroll an iOS device:
1. Open Settings > General > VPN & Device Management > Sign In to Work or School
Account.
2. Enter the enrollment user’s email address corresponding to their Managed Apple ID and tap
Continue.
Note: User Enrollment does not currently support the custom Managed Apple ID feature
possible for Shared iPads.
3. Continue through any authentication screens or prompts. This step will vary depending on
your organization’s Apple Business Manager setup.
4. Tap Allow Remote Management and wait for the MDM profile to get installed on your iOS
device.
User Enrollment is now complete.
App Management on User Enrolled Devices
Applications installed by Workspace ONE UEM on User Enrolled devices are managed and associated with the Managed Apple ID that is used to enroll the device. Any application installed by the user through the App Store is associated with the user’s personal Apple ID and cannot be managed.
Since User Enrollment must associate the managed application to a Managed Apple ID, only
managed distribution with User-Based Licenses purchased in Apple Business Manager is supported.
For example, applications assigned through the Public tab under the Resources > Apps page on the
UEM console are not supported on User Enrolled devices. There are no differences between
managing User-Based Licenses on User Enrollment compared to Device Enrollment. When the
application is assigned to a User Enrolled device, a VPP license is assigned to the Managed Apple ID
associated with the device and the app is installed.
For more information, refer to the Managed Distribution by Apple IDs section in the Integration with Apple Business Manager guide.
iOS Device Profiles
Profiles are the primary means to manage devices. Configure profiles so your iOS devices remain
secure and configured to your preferred settings. You can think of profiles as the settings and rules
that, when combined with compliance policies, help you enforce corporate rules and procedures.
They contain the settings, configurations, and restrictions that you want to enforce on devices.
A profile consists of the general profile settings and a specific payload. Profiles work best when they
contain only a single payload.
iOS profiles apply to a device at either the user level or the device level. When creating iOS profiles,
you select the level the profile applies to. Some profiles can only be applied to the user level or
device level.
Supervised Mode Requirement for Profiles
You can deploy some or all your iOS devices in Supervised mode. Supervised mode is a device-
level setting that provides administrators with advanced management capabilities and restrictions.
Certain profile settings are available only to supervised devices. A supervised setting is tagged using
an icon displayed to the right, which indicates the minimum iOS requirement needed for
enforcement.
For example, to prevent end users from using AirDrop to share files with other macOS computers and iOS devices, deselect the check box next to Allow AirDrop. The iOS 7 + Supervised icon means that only devices running iOS 7 and set up in Supervised mode using Apple Configurator are affected by this restriction. For more information, see Integration with Apple Configurator or the Apple Business Manager. To see a complete list of the iOS system requirements and supervision options, see iOS Functionality Matrix: Supervised vs. Unsupervised.
Configure an iOS Profile
Using the following basic steps you can configure any iOS profile in the Workspace ONE UEM.
Explore the available settings for each profile in the following sections.
1. Navigate to Resources > Profiles & Baselines > Profiles and select Add > Apple iOS > Device Profile.
2. Configure the profile’s General settings.
3. Select the payload from the list.
4. Configure the profile settings.
5. Select Save and Publish.
AirPlay Profile for iOS
Configuring the AirPlay payload lets you allow a specific set of devices to receive broadcast
privileges according to device ID. Also, if the display access to your Apple TV is password-protected,
you can pre-enter the password to create a successful connection without revealing the PIN to
unauthorized parties.
This payload works even if you do not enroll your Apple TVs with Workspace ONE UEM. For more
information about tvOS capabilities, see tvOS Management guide.
Note: AirPlay allowlist currently only pertains to supervised iOS 7 and iOS 8 devices.
1. Configure Passwords settings for iOS 7 devices and Allow Lists for iOS 7 + Supervised
devices.
2. Configure the settings including:
Setting – Description
Device Name – Enter the device name for the AirPlay destination.
Password – Enter the password for the AirPlay destination. Select Add to include additional allowed devices.
Display Name – Enter the name of the destination display. The name must match the tvOS device name and is case-sensitive. The device name can be found in the tvOS device settings. (iOS 7 + Supervised)
Device ID – Enter the device ID (the MAC address or Ethernet address formatted as XX:XX:XX:XX:XX:XX) for the destination display. Select Add to include additional allowed devices. (iOS 7 + Supervised)
3. Now that the AirPlay destination allowlist is established for iOS 7 + Supervised devices, use
the Device Control Panel to activate or deactivate AirPlay manually:
a. Navigate to Devices > List View, locate the device that will use AirPlay, and select the
device’s Friendly Name.
b. Select Support and select Start AirPlay from the list of support options.
c. Choose the Destination created in the AirPlay profile, enter the Password if necessary
and select the Scan Time. Optionally, select Custom from the Destination list to create a
custom destination for this particular device.
d. Select Save and accept the prompt to enable AirPlay.
4. To deactivate AirPlay manually on the device, return to the device’s Control Panel, select
Support and select Stop AirPlay.
AirPrint Profile for iOS
Configure an AirPrint payload for an Apple device so that the device automatically detects an
AirPrint printer even when the device is on a different subnet than the printer.
Configure the AirPrint profile settings including:
Setting – Description
IP address – Enter the IP address (XXX.XXX.XXX.XXX).
Resource Path – Enter the Resource Path associated with the AirPrint printer (ipp/printer or printers/Canon_MG5300_series). To find the Resource Path and IP address of a printer, see the Retrieve AirPrint Printer Information section.
Retrieve AirPrint Printer Information
To find an AirPrint printer’s IP address and resource path, perform the steps
in this section.
1. Connect an iOS device to the local network (subnet) where the AirPrint printers are located.
2. Open the Terminal window (located in /Applications/Utilities/), enter the following command
and then press Return.
ippfind
Note: Make a note of the printer information that is fetched through the command. The first
part is the name of your printer and the last part is the resource path.
ipp://myprinter.local.:XXX/ipp/portX
3. To get the IP address, enter the following command followed by the name of your printer.
ping myprinter.local.
Note: Make a note of the IP address information that is fetched through the command.
PING myprinter.local (XX.XX.XX.XX)
4. Enter the IP address (XX.XX.XX.XX) and resource path (/ipp/portX) obtained from the steps
2 and 3 into the AirPrint payload settings.
CalDAV or CardDAV Profile for iOS
Deploy a CalDAV or CardDAV profile to allow end users to sync corporate calendar items and
contacts, respectively.
Configure the CalDAV profile settings including:
Setting – Description
Account Description – Enter a brief description of the account.
Account Hostname – Enter/view the name of the server for CalDAV use.
Port – Enter the number of the port assigned for communication with the CalDAV server.
Principal URL – Enter the Web location of the CalDAV server.
Account Username – Enter the user name for the Active Directory account.
Account Password – Enter the password for the Active Directory account.
Use SSL – Select to enable Secure Socket Layer use.
Cellular Profile for iOS
Configure a cellular payload to set the cellular network settings on devices and determine how
a device accesses the carrier’s cellular data network.
Push this payload to use an APN other than the default. If your APN settings are incorrect
you may lose functionality, so obtain the correct APN settings from your carrier. For more
information on cellular settings, see Apple’s knowledge base article.
Configure the Cellular profile settings including:
Setting – Description
Access Point Name (APN) – Enter the APN provided by your carrier (for example: come.moto.cellular).
Authentication Type – Select the authentication protocol.
Access Point Username – Enter the user name used for authentication.
Access Point Password – Enter the APN password used for authentication.
Access Point Name – Enter the APN provided by your carrier (for example: come.moto.cellular).
Access Point Username – Enter the user name used for authentication.
Authentication Type – Select the authentication protocol.
Password – Enter the APN password used for authentication.
Proxy Server – Enter the proxy server details.
Proxy Server Port – Enter the proxy server port for all traffic. Select Add to continue this process.
Custom Settings Profile for iOS
The Custom Settings payload can be used when Apple releases new iOS functionality or features
that Workspace ONE UEM does not currently support through its native payloads. If you do not want
to wait for the newest release of Workspace ONE UEM to control these settings, you can use the
Custom Settings payload and XML code to enable or deactivate certain settings manually.
You might want to copy your profile and save it under a “test” organization group to avoid affecting
users before you are ready to Save and Publish.
Do not assign the profile to any smart group, because the XML view might then show an encrypted
value instead of the payload.
1. Navigate to Resources > Profiles & Baselines > Profiles > Add > Add Profile > iOS.
2. Configure the profile’s General settings.
3. Configure the appropriate payload (for example, Restrictions or Passcode).
4. Select Save and Publish.
Note: Ensure that the profile created in Steps 1–4 is not assigned to any smart group.
Otherwise, the data might be encrypted when viewing the XML.
5. Navigate back to the Profiles page and select a profile using the radio button next to the
profile name. Menu options appear above the list.
6. Select </> XML from the menu choices. A View Profile XML window appears.
7. Look for the PayloadContent key and copy the single dictionary nested inside. Copy the
entire dictionary content from <dict>…</dict>. See below for sample XML for the Restrictions
payload.
<plist version="1.0">
  <dict>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>safariAcceptCookies</key>
        <real>2</real>
        <key>safariAllowAutoFill</key>
        <true />
        <key>PayloadDisplayName</key>
        <string>Restrictions</string>
        <key>PayloadDescription</key>
        <string>RestrictionSettings</string>
        <key>PayloadIdentifier</key>
        <string>745714ad-e006-463d-8bc1-495fc99809d5.Restrictions</string>
        <key>PayloadOrganization</key>
        <string></string>
        <key>PayloadType</key>
        <string>com.apple.applicationaccess</string>
        <key>PayloadUUID</key>
        <string>9dd56416-dc94-4904-b60a-5518ae05ccde</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
      </dict>
    </array>
    <key>PayloadDescription</key>
    <string></string>
    <key>PayloadDisplayName</key>
    <string>Block Camera/V_1</string>
    <key>PayloadIdentifier</key>
    <string>745714ad-e006-463d-8bc1-495fc99809d5</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <false />
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>86a02489-58ff-44ff-8cd0-faad7942f64a</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
  </dict>
</plist>
For more examples and information on the XML code, refer to the KB article here.
8. If you see encrypted text between dict tags in the XML window, you can generate the
decrypted text by modifying the settings in the profiles page. To do this:
a. Navigate to Groups & Settings > All Settings > Devices > Users > Apple > Profiles.
b. Override the custom settings option.
c. Deactivate Encrypt Profiles option and then Save.
9. Navigate back to Custom Settings profile and paste the XML you copied in the text box. The
XML code you paste should contain the complete block of code, from <dict> to </dict>.
10. Remove the original payload you configured by selecting the base payload section (for
example, Restrictions or Passcode) and selecting the minus [-] button. You can now enhance
the profile by adding custom XML code for the new functionality.
11. Select Save and Publish.
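The copy-and-paste in steps 7 to 9 can be automated and checked before anything is pasted into the Custom Settings text box. The following script is an added example, not VMware code: given the XML from the View Profile XML window, it returns the single <dict>…</dict> block under PayloadContent and confirms that the PayloadType, PayloadIdentifier, PayloadUUID and PayloadVersion keys are present. The two embedded profiles are constructed samples: a trimmed copy of the Restrictions export above, and one that models an export taken while Encrypt Profiles is on as an opaque string where the dictionary should be (an assumption about the console output, not something the page states).

```python
"""Extract the PayloadContent dictionary from a Workspace ONE UEM profile XML export.
Added example, not VMware code. The samples below are constructed: a trimmed copy of
the Restrictions export shown above, and an assumed shape for an encrypted export."""
import plistlib
import xml.etree.ElementTree as ET
from typing import Optional

# Keys every payload dictionary needs before it is pasted into a Custom Settings payload.
REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")

# Constructed sample: trimmed copy of the Restrictions profile export above.
SAMPLE_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>safariAcceptCookies</key>
      <real>2</real>
      <key>safariAllowAutoFill</key>
      <true/>
      <key>PayloadDisplayName</key>
      <string>Restrictions</string>
      <key>PayloadIdentifier</key>
      <string>745714ad-e006-463d-8bc1-495fc99809d5.Restrictions</string>
      <key>PayloadType</key>
      <string>com.apple.applicationaccess</string>
      <key>PayloadUUID</key>
      <string>9dd56416-dc94-4904-b60a-5518ae05ccde</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Block Camera/V_1</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>86a02489-58ff-44ff-8cd0-faad7942f64a</string>
</dict>
</plist>
"""

# Constructed sample of an export taken while Encrypt Profiles is on: the payload
# content is an opaque string rather than a dictionary (an assumption, see lead-in).
ENCRYPTED_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array><string>PLACEHOLDER-ENCRYPTED-BLOB</string></array>
  <key>PayloadType</key>
  <string>Configuration</string>
</dict>
</plist>
"""


def _value_after_key(dict_elem: ET.Element, key: str) -> Optional[ET.Element]:
    """A plist <dict> is a flat run of <key>/<value> siblings; return the value
    element that follows the given key, or None when the key is absent."""
    children = list(dict_elem)
    for i, child in enumerate(children[:-1]):
        if child.tag == "key" and child.text == key:
            return children[i + 1]
    return None


def extract_payload(profile_xml: bytes) -> tuple:
    """Return (dict_xml_fragment, parsed_payload) for the single payload dictionary
    under PayloadContent. Raises ValueError when the export cannot be used."""
    root = ET.fromstring(profile_xml)
    top = root.find("dict")
    if root.tag != "plist" or top is None:
        raise ValueError("not a plist with a top-level <dict>")
    content = _value_after_key(top, "PayloadContent")
    if content is None or content.tag != "array":
        raise ValueError("PayloadContent array not found")
    dicts = [child for child in content if child.tag == "dict"]
    if not dicts:
        # Step 8 above: an encrypted export shows no usable dictionary.
        raise ValueError("PayloadContent holds no <dict>; deactivate the Encrypt Profiles "
                         "option and open the XML view again")
    if len(dicts) != 1:
        raise ValueError(f"expected one payload dictionary, found {len(dicts)}")
    parsed = plistlib.loads(profile_xml)["PayloadContent"][0]
    missing = [k for k in REQUIRED_KEYS if k not in parsed]
    if missing:
        raise ValueError(f"payload dictionary is missing {missing}")
    fragment = dicts[0]
    fragment.tail = None  # drop trailing whitespace so only <dict>...</dict> is returned
    return ET.tostring(fragment, encoding="unicode"), parsed
```

The returned fragment is exactly the block step 9 asks for, from <dict> to </dict>, without the surrounding Configuration plist.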
Device Passcode Profile for iOS
Device passcode profiles secure iOS devices and their content. Configure the level of security based
on your users’ needs.
Choose strict options for high-profile employees or more flexible options for other devices or for
employees who are part of a BYOD program. In addition, when a passcode is set on an iOS device, it
enables hardware encryption for the device and adds the device indicator Data Protection is
Enabled to the Security tab of the Device Details page.
Create a passcode and configure:
Complexity – Use simple values for quick access or alphanumeric passcodes for enhanced
security. You can also require a minimum number of complex characters (@, #, &, !, ?) in
the passcode. For example, require users with access to sensitive content to use more
stringent passcodes.
Maximum Number of Failed Attempts – Prevent unauthorized access by wiping or locking
the device after a set number of attempts. This option works well for corporate-owned
devices, but not for employee-owned devices in a BYOD program. For example, if a device
is restricted to five passcode attempts and a user enters a passcode incorrectly five times
in a row, the device automatically performs a full device wipe. If simply locking the
device is preferable, set this option to None, which allows passcode retries indefinitely.
Maximum Passcode Age – Enforce renewal of passcodes at selected intervals. Passcodes
that are changed more frequently may be less vulnerable to exposure to unauthorized
parties.
Auto-Lock (min) – The maximum number of minutes the device can be idle
without the user unlocking it before the system locks it. When this limit is reached, the
system locks the device and the passcode is required to unlock it. The user can edit this
setting, but the value cannot exceed the configured setting.
Configure a Device Passcode Profile for iOS
Device passcode profiles secure iOS devices and their content. Configure several settings as part of
a passcode payload to enforce device passcodes based on your users’ needs.
Configure the Device Passcode profile settings including:
Setting – Description
Require passcode on device – Enable mandatory passcode protection.
Allow simple value – Allow the end user to apply a simple numeric passcode.
Require Alphanumeric Value – Restrict the end user from using spaces or non-alphanumeric characters in their passcode.
Minimum Passcode Length – Select the minimum number of characters required in the passcode.
Minimum number of complex characters – Select the minimum number of complex characters (#, $, !, @) that a passcode requires.
Maximum Passcode Age (days) – Select the maximum number of days the passcode can be active.
Auto-lock (min) – The maximum number of minutes the device can be idle without the user unlocking it before the system locks it. When this limit is reached, the system locks the device and the passcode is required to unlock it. The user can edit this setting, but the value cannot exceed the configured setting.
Passcode History – Select the number of passcodes to store in history that an end user cannot repeat.
Grace period for the device lock (min) – Select the amount of time in minutes that a device can be idle before it is locked by the system and the end user must re-enter their passcode.
Maximum Number of Failed Attempts – Select the number of attempts allowed. If the end user enters an incorrect passcode that many times, the device performs a factory reset.
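As an added example (not Workspace ONE UEM or Apple code), the following Python script simulates how the settings in this table combine when a user picks a new passcode, so that a strict or a BYOD-style policy can be sanity-checked before it is published. It assumes two definitions the page does not spell out: a simple value is one repeated character or an ascending or descending run such as 1234 (Apple’s definition), and Require Alphanumeric Value means the passcode must contain both letters and digits; the complex character set is the one listed in the table.

```python
"""Simulate the Device Passcode profile rules from the table above.
Added example, not Workspace ONE UEM or Apple code; see the lead-in for the
assumptions behind the simple-value and alphanumeric checks."""
from dataclasses import dataclass

# Complex characters as listed in the profile table on this page.
COMPLEX_CHARS = frozenset("#$!@")


@dataclass(frozen=True)
class PasscodePolicy:
    """Subset of the Device Passcode settings that decide whether a new passcode is accepted."""
    require_passcode: bool = True
    allow_simple_value: bool = True
    require_alphanumeric: bool = False
    minimum_length: int = 4
    minimum_complex_chars: int = 0
    passcode_history: int = 0   # previous passcodes the user may not reuse (0 = no history)


def is_simple_value(passcode: str) -> bool:
    """Assumed definition of a simple value: one repeated character (1111, aaaa)
    or a run whose consecutive characters step by exactly +1 or -1 (1234, dcba)."""
    if len(passcode) < 2:
        return True
    codes = [ord(c) for c in passcode]
    steps = {b - a for a, b in zip(codes, codes[1:])}
    return steps in ({0}, {1}, {-1})


def check_passcode(policy: PasscodePolicy, passcode: str,
                   previous: tuple = ()) -> list:
    """Return the rules a candidate passcode violates (empty list = accepted).
    `previous` holds earlier passcodes, most recent first."""
    if not policy.require_passcode:
        return []   # nothing is enforced unless Require passcode on device is set
    violations = []
    if len(passcode) < policy.minimum_length:
        violations.append(f"shorter than the minimum length of {policy.minimum_length}")
    if not policy.allow_simple_value and is_simple_value(passcode):
        violations.append("simple value (repeated or sequential characters)")
    if policy.require_alphanumeric and not (
            any(c.isalpha() for c in passcode) and any(c.isdigit() for c in passcode)):
        violations.append("must contain both letters and digits")
    complex_count = sum(1 for c in passcode if c in COMPLEX_CHARS)
    if complex_count < policy.minimum_complex_chars:
        violations.append(f"needs {policy.minimum_complex_chars} complex character(s), "
                          f"has {complex_count}")
    # Passcode History: only the most recent N entries are compared.
    if policy.passcode_history and passcode in previous[:policy.passcode_history]:
        violations.append(f"matches one of the last {policy.passcode_history} passcodes")
    return violations


# Constructed policies mirroring the prose above: flexible for BYOD devices,
# strict for users with access to sensitive content.
BYOD_POLICY = PasscodePolicy(minimum_length=6)
STRICT_POLICY = PasscodePolicy(allow_simple_value=False, require_alphanumeric=True,
                               minimum_length=8, minimum_complex_chars=1,
                               passcode_history=4)

if __name__ == "__main__":
    for candidate in ("123456", "abcdefgh", "Tr0ub4dor", "Tr0ub4dor!"):
        for name, policy in (("BYOD", BYOD_POLICY), ("strict", STRICT_POLICY)):
            result = check_passcode(policy, candidate)
            print(f"{name:6} {candidate!r}: {'accepted' if not result else result}")
```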
Email Account Profile for iOS
Configure an email profile to set up email account settings on iOS devices.
Configure the settings including:
Settings – Descriptions
Account Description – Enter a brief description of the email account.
Account Type – Use the drop-down menu to select either IMAP or POP.
Path Prefix – Enter the name of the root folder for the email account (IMAP only).
User Display Name – Enter the name of the end user.
Email Address – Enter the address for the email account.
Prevent Moving Messages – Select to block the user from forwarding email or opening it in third-party apps.
Prevent Recent Address Syncing – Select to restrict the user from syncing email contacts to their personal device.
Prevent Use in Third Party Apps – Select to prevent users from moving corporate email into other email clients.
Prevent Mail Drop – Select to prevent users from using Apple’s Mail Drop feature.
Use S/MIME – Select to use more encryption certificates.
Host Name – Enter the name of the email server.
Port – Enter the number of the port assigned to incoming mail traffic.
Username – Enter the user name for the email account.
Authentication Type – Use the drop-down menu to select how the email account holder is authenticated.
Password – Enter the password required to authenticate the end user.
Use SSL – Select to enable Secure Socket Layer use for incoming email traffic.
Host Name – Enter the name of the email server.
Port – Enter the number of the port assigned to outgoing mail traffic.
Username – Enter the user name for the email account.
Authentication Type – Use the drop-down menu to select how the email account holder is authenticated.
Outgoing Password Same As Incoming – Select to auto-populate the password text box.
Password – Enter the password required to authenticate the end user.
Use SSL – Select to enable Secure Socket Layer use for outgoing email traffic.
Exchange ActiveSync (EAS) Mail for iOS Devices
The industry-standard protocol designed for email synchronization on mobile devices is called
Exchange ActiveSync (EAS). Through EAS profiles, you can remotely configure devices to check
into your mail server to sync email, calendars, and contacts.
The EAS profile uses information from each user, such as user name, email address, and password.
If you integrate Workspace ONE UEM with Active Directory services, then this user information is
automatically populated for the user and can be specified in the EAS profile by using look-up values.
Create a Generic EAS Profile for Multiple Users
Before you create an EAS profile that automatically enables devices to pull data from your mail
server, you must first ensure that users have the appropriate information in their user account
records. For Directory Users, or those users that enrolled with their directory credentials, such as
Active Directory, this information is automatically populated during enrollment. However, for Basic
Users this information is not automatically known and must be populated in one of two ways:
You can edit each user record and populate the Email Address and Email Username text
boxes.
You can prompt users to enter this information during enrollment by navigating to Devices >
Device Settings > General > Enrollment and under the Optional Prompt tab, checking the
Enable Enrollment Email Prompt box.
Configure an EAS Mail Profile for the Native Mail Client
Create an email configuration profile for the native mail client on iOS devices.
1. Navigate to Resources > Profiles & Baselines > Profiles > Add. Select Apple iOS.
2. Configure the profile’s General settings.
3. Select the Exchange ActiveSync payload.
4. Select Native Mail Client for the Mail Client. Fill in the Account Name text box with a
description of this mail account. Fill in the Exchange ActiveSync Host with the external
URL of your company’s ActiveSync server.
The ActiveSync server can be any mail server that implements the ActiveSync protocol, such
as Lotus Notes Traveler, Novell Data Synchronizer, and Microsoft Exchange. In the case of
Secure Email Gateway (SEG) deployments, use the SEG URL and not the email server URL.
5. Select the Use SSL check box to enable Secure Socket Layer use for incoming email traffic.
6. Select the S/MIME check box to use more encryption certificates. Before enabling this
option, ensure you have uploaded the necessary certificates under the Credentials profile settings.
a. Select the S/MIME Certificate to sign email messages.
b. Select the S/MIME Encryption Certificate to both sign and encrypt email messages.
c. Select the Per Message Switch check box to allow end users to choose which individual
email messages to sign and encrypt using the native iOS mail client (iOS 8+ supervised only).
7. Select the Use OAuth check box to enable OAuth for authentication. OAuth is required for
modern authentication-enabled accounts.
a. OAuth Sign In URL - Enter the OAuth Sign In URL.
b. OAuth Token URL - Enter the OAuth Token URL.
8. Fill in the Login Information including Domain Name, Username and Email Address using
look-up values. Look-up values pull directly from the user account record. To use the
{EmailDomain}, {EmailUserName}, and {EmailAddress} look-up values, ensure your Workspace
ONE UEM user accounts have an email address and email user name defined.
9. Leave the Password field empty to prompt the user to enter a password.
10. Select the Payload Certificate to define a certificate for cert-based authentication after the
certificate is added to the Credentials payload.
11. Configure the following Settings and Security optional settings, as necessary:
a. Past Days of Mail to Sync – Downloads the defined amount of mail. Note that longer time
periods will result in larger data consumption while the device downloads mail.
b. Prevent Moving Messages – Disallows moving mail from an Exchange mailbox to another
mailbox on the device.
c. Prevent Use in 3rd Party Apps – Disallows other apps from using the Exchange mailbox
to send messages.
d. Prevent Recent Address Syncing – Deactivates suggestions for contacts when sending
mail in Exchange.
e. Prevent Mail Drop – Deactivates use of Apple’s Mail Drop feature.
f. (iOS 13) Enable Mail – Enables the configuration of a separate Mail app for the Exchange
account.
g. (iOS 13) Allow Mail toggle – If deactivated, prevents the user from toggling Mail on or off.
h. (iOS 13) Enable Contacts – Enables the configuration of a separate Contacts app for the
Exchange account.
i. (iOS 13) Allow Contacts toggle – If deactivated, prevents the user from toggling Contacts on or
off.
j. (iOS 13) Enable Calendars – Enables the configuration of a separate Calendar app for the
Exchange account.
k. (iOS 13) Allow Calendars toggle – If deactivated, prevents the user from toggling Calendars on
or off.
l. Enable Notes – Enables the configuration of a separate Notes app for the Exchange
account.
m. (iOS 13) Allow Notes toggle – If deactivated, prevents the user from toggling Notes on or off.
n. (iOS 13) Enable Reminders – Enables the configuration of a separate Reminders app for
the Exchange account.
o. (iOS 13) Allow Reminders toggle – If deactivated, prevents the user from toggling Reminders
on or off.
12. Assign a Default Audio Call App that your Native EAS account will use to make calls when
you select a phone number in an email message.
13. Select Save and Publish to push the profile to available devices.
Forcepoint Content Filter for iOS
With the Workspace ONE UEM integration with Forcepoint, you can use your existing content
filtering categories in Forcepoint and apply them to devices you manage within the UEM console.
Allow or block access to websites according to the websites you configure in Forcepoint and then
deploy a VPN payload to force devices to comply with those rules. Directory users enrolled in
Workspace ONE UEM are validated against Forcepoint to determine which content filtering rules to
apply based on the specific end user.
You can enforce content filtering with Forcepoint in one of the following two ways.
a. Use the VPN profile as described in this topic. Enforcing content filtering using the VPN profile
applies to all Web traffic using browsers other than the VMware Browser.
b. Configure the Settings and Policies page, which applies to all Web traffic using browsers other
than the VMware Browser. For instructions on configuring Settings and Policies, refer to the
VMware Browser Guide.
Procedure
1. After you select the payload, select Websense (Forcepoint) as the Connection Type.
2. Configure Connection Info including:
Settings – Description
Connection Name – Enter the name of the connection to be displayed.
Username – Enter the user name to connect to the proxy server.
Password – Enter the password for the connection.
3. Optionally, select Test Connection.
4. Configure Vendor Configurations settings.
Setting – Description
Vendor Keys – Create custom keys and add them to the vendor config dictionary.
Key – Enter the specific key provided by the vendor.
Value – Enter the VPN value for each key.
5. Select Save & Publish. Directory-based end users can now access permitted sites based on
your Forcepoint categories.
Google Account Profile for iOS
Enable an end user to use their Google account on their iOS device Native Mail application. Add a
Google Account directly from the UEM console.
Configure the Google account profile settings including:
Setting – Description
Account Name – The full user name for the Google account. This is the user name that appears when you send a mail message.
Account Description – A description of the Google account, which appears in Mail and Settings.
Email Address – The full Google email address for the account.
Default Audio Call App – Search for and select the application that will be the default app for any calls made from the configured Google account.
Global HTTP Proxy Profile for iOS
Configure a global HTTP proxy to direct all HTTP traffic from Supervised iOS 7 and higher devices
through a designated proxy server. For example, a school can set a global proxy to ensure that all
web browsing is routed through its Web content filter.
Configure Global HTTP Proxy settings including:
Setting – Description
Proxy Type – Choose Auto or Manual for the proxy configuration.
Proxy Server – Enter the URL of the proxy server. This text box displays when the Proxy Type is set to Manual.
Proxy Server Port – Enter the port used to communicate with the proxy. This text box displays when the Proxy Type is set to Manual.
Proxy Username/Password – If the proxy requires credentials, you can use look-up values to define the authentication method. This text box displays when the Proxy Type is set to Manual.
Allow bypassing proxy to access captive networks – Select this check box to allow the device to bypass proxy settings to access a known network. This text box displays when the Proxy Type is set to Manual.
Proxy PAC File URL – Enter the URL of the Proxy PAC File to apply its settings automatically. This text box displays when the Proxy Type is set to Auto.
Allow direct connection if PAC is unreachable – Select this option to have iOS devices bypass the proxy server if the PAC file is unreachable. This text box displays when the Proxy Type is set to Auto.
Allow bypassing proxy to access captive networks – Select this check box to allow the device to bypass proxy settings to access a known network. This text box displays when the Proxy Type is set to Auto.
Home Screen Layout Profile (iOS Supervised)
Use this payload to define the layout of apps, folders, and web clips for the home screen. Deploying
this payload allows you to group applications and web clips in ways that meet your organization’s
needs.
When the payload is deployed to the device, the home screen layout is locked and cannot be
modified by the users. This payload is allowed on iOS 9.3+ Supervised devices.
Configure the Home Screen Layout profile settings including:
Setting – Description
Dock – Choose which applications and web clips you want to appear in the dock.
Page – Choose the applications and web clips you want to add to the device. You can also add more pages for more groups of applications and web clips.
Add Folder – Configure a new folder to add to the device screen on the selected page. Use the pencil icon in the gray bar to create or edit the name of the folder.
Select Add Page to add more pages to the device if needed and select Save & Publish to push this
profile to devices.
LDAP Profile for iOS
Configure an LDAP profile to allow end users to access and integrate with your corporate LDAPv3
directory information.
Configure the LDAP profile settings including:
Setting – Description
Account Description – Enter a brief description of the LDAP account.
Account Hostname – Enter/view the name of the server for Active Directory use.
Account Username – Enter the user name for the Active Directory account.
Account Password – Enter the password for the Active Directory account.
Use SSL – Select this check box to enable Secure Socket Layer use.
Search Settings – Enter settings for Active Directory searches run from the device.
Lock Screen Message Profile for iOS
Customize the Lock Screen of your end users’ devices with information that may help you retrieve
devices that are lost.
Configure the Lock Screen Message profile settings including:
Setting – Description
“If lost return to” Message – Display a name or organization to whom a found device should be returned. This field supports lookup values.
Asset Tag Information – Display the device asset tag information on the device lock screen. This asset tag may duplicate or replace a physical asset tag attached to the device. This field supports lookup values.
macOS Server Account Profile for iOS
Add a macOS server account directly from the UEM console to help manage your MDM framework.
Use it to provide the credentials that allow end users to access File Sharing on macOS.
Configure the macOS server profile settings including:
Setting – Description
Account Description – Enter the display name for the account.
Hostname – Enter the server address.
User Name – Enter the user’s login name.
Password – Enter the user’s password.
Port – Designates the port number to use when contacting the server.
Managed Domains Profile for iOS
Managed domains are another way Workspace ONE UEM enhances Apple’s “open in” security
feature on iOS 8 devices. Using the “open in” feature with managed domains, you can protect
corporate data by controlling what apps can open documents downloaded from enterprise domains
using Safari.
Specify URLs or subdomains to manage how documents, attachments, and downloads from the
browser are opened. Also, in managed email domains, a color-coded warning indicator can be
displayed in email messages that are sent to unmanaged domains. These tools help end users
quickly determine what documents can be opened with corporate apps and what documents are
personal and may be opened in personal applications.
Configure the Managed Domains profile settings including:
Setting – Description
Managed Email Domains – Enter domains to specify which email addresses are corporate domains. For example: exchange.acme.com. Emails sent to addresses not specified here are highlighted in the email app to indicate that the address is not part of the corporate domain.
Managed Web Domains – Enter domains to choose specific URLs or subdomains that can be considered managed. For example: sharepoint.acme.com. Any documents or attachments coming from those domains are considered managed.
Safari Password Domains – Enter the domains for which Safari is allowed to save passwords. This option is applicable only for supervised devices.
Network Usage Rules for iOS
Configure network usage rules to control which applications and SIM cards can access data based on
the network connection type or when the device is roaming. This feature allows administrators to
help manage data charges when employees are using devices for work. Use granular controls to
apply different rules to different apps and SIMs as needed.
1. Under the App Usage Rules, enter the Application Identifier of any public, internal, or
purchased applications.
2. Enable Allow Cellular Data and Data Usage on Roaming. Both options are selected by
default.
3. Under the SIM Usage Rules, provide the ICCIDs of SIM cards (physical and eSIM cards) and
specify the type of Wi-Fi Assist capability, either Default or Unlimited Cellular Data.
4. Select Save & Publish.
Notifications Profile for iOS
Use this profile to allow notifications for specific apps to appear on the home screen when it is
locked.
Control when and how the notifications appear. This profile applies to iOS 9.3 + Supervised devices.
1. Choose Select App. A new window appears.
2. Configure the settings.
Setting – Description
Select App – Choose the app that you want to configure.
Allow Notifications – Select whether to allow any notifications.
Show in Notification Center – Select whether to allow notifications to appear in the Notification Center.
Show in Lock Screen – Select whether to allow notifications to appear on the lock screen.
Allow Sound – Select whether to allow a sound to play with the notification.
Allow Badging – Select whether to allow badges to appear on the application icon.
Alert Style when Unlocked – Choose the style for the notification when unlocked:
Banner - A banner appears across the home screen alerting the user.
Modal Alert - A window appears across the home screen. The user must interact with the window before proceeding.
3. Select Save to push the payload to the device.
Per-App VPN Profile for iOS
For iOS 7 and higher devices, you can force selected applications to connect through your corporate
VPN. Your VPN provider must support this feature, and you must publish the apps as managed
applications.
1. Configure your base VPN profile accordingly.
2. Select Per-App VPN to generate a VPN UUID for the current VPN profile settings. The
VPN UUID is a unique identifier for this specific VPN configuration.
3. Select Connect Automatically to display text boxes for the Safari Domains, which are
internal sites that trigger an automatic VPN connection.
4. Choose a Provider Type to determine how to tunnel traffic, either through an application
layer or IP layer.
5. Select Save & Publish.
If saving was done as an update to an existing VPN profile, then any existing
devices/applications that currently use the profile are updated. Any devices/applications that
were not using any VPN UUID are also updated to use the VPN profile.
Configure Public Apps to Use Per App Profile
After you create a per app tunnel profile, you can assign it to specific apps in the application
configuration screen. This tells the application to use the defined VPN profile when establishing
connections.
1. Navigate to Resources > Apps > Native.
2. Select the Public tab.
3. Select Add Application to add an app or Edit an existing app.
4. On the Deployment tab, select Use VPN and then select the profile you created.
5. Select Save and publish your changes.
For more information on adding or editing apps, see the Mobile Application Management guide.
Configure Internal Apps to Use Per App Profile
After you create a per app tunnel profile, you can assign it to specific apps in the application
configuration screen. This tells the application to use the defined VPN profile when establishing
connections.
1. Navigate to Resources > Apps > Native.
2. Select the Internal tab.
3. Select Add Application and add an app.
4. Select Save & Assign to move to the Assignment page.
5. Select Add Assignment and select Per-App VPN Profile in the Advanced section.
6. Save & Publish the app.
For more information on adding or editing apps, see the Mobile Application Management guide in
the VMware AirWatch documentation.
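What the two assignment procedures above produce on the device is a VPN payload that carries a VPN UUID and, for each managed app, an install command that names that UUID. The following is an added example (not Workspace ONE UEM code) that builds both with Apple's configuration-profile and MDM command keys, and checks the bindings the way a reviewer would before publishing: an app bound to a VPN UUID that no published Per-App VPN profile carries is not tunnelled, and a Per-App VPN profile with no app bound to it carries no traffic. The server name, bundle ids, store ids and the VPNUUID value are constructed placeholders.

```python
"""Per-App VPN as delivered to the device: a VPN payload carrying a VPNUUID and
the app install commands that bind managed apps to it.

Added example, not Workspace ONE UEM code. Apple's configuration-profile keys
are used; server, bundle ids and the VPNUUID value are constructed placeholders.
"""
import plistlib
import uuid

# Provider Type choices from the profile: application-layer or IP-layer tunnel.
VALID_PROVIDER_TYPES = {"app-proxy", "packet-tunnel"}


def per_app_vpn_payload(name, server, provider_bundle_id, provider_type,
                        safari_domains=(), vpn_uuid=None):
    """com.apple.vpn.managed payload flagged for Per-App VPN."""
    if provider_type not in VALID_PROVIDER_TYPES:
        raise ValueError(f"ProviderType must be one of {sorted(VALID_PROVIDER_TYPES)}")
    vpn_uuid = (vpn_uuid or str(uuid.uuid4())).upper()
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.vpn.{vpn_uuid.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNType": "VPN",                        # third-party VPN app (NetworkExtension)
        "VPNSubType": provider_bundle_id,
        "ProviderBundleIdentifier": provider_bundle_id,
        "ProviderType": provider_type,
        "VPNUUID": vpn_uuid,                     # identifier the apps are bound to
        "OnDemandMatchAppEnabled": True,         # marks this payload as Per-App VPN
        "SafariDomains": list(safari_domains),   # sites that trigger the tunnel from Safari
        "VPN": {"RemoteAddress": server, "AuthenticationMethod": "Certificate"},
    }


def install_app_command(bundle_id, itunes_store_id, vpn_uuid):
    """MDM InstallApplication command whose Attributes.VPNUUID routes the app's
    traffic through that VPN (the 'Use VPN' / 'Per-App VPN Profile' setting)."""
    return {
        "RequestType": "InstallApplication",
        "Identifier": bundle_id,
        "iTunesStoreID": itunes_store_id,
        "ManagementFlags": 1,                    # remove the app with the MDM profile
        "Attributes": {"VPNUUID": vpn_uuid.upper()},
    }


def check_bindings(vpn_payloads, commands):
    """List binding problems before publishing: an app that names a VPNUUID no
    published Per-App VPN payload carries, or a Per-App VPN with no app bound."""
    published = {p["VPNUUID"]: p["UserDefinedName"]
                 for p in vpn_payloads if p.get("OnDemandMatchAppEnabled")}
    bound = set()
    problems = []
    for cmd in commands:
        vpn_uuid = cmd.get("Attributes", {}).get("VPNUUID")
        if not vpn_uuid:
            continue                             # app deliberately not tunnelled
        bound.add(vpn_uuid)
        if vpn_uuid not in published:
            problems.append(f"{cmd['Identifier']}: VPNUUID {vpn_uuid} has no published profile")
    for vpn_uuid, name in published.items():
        if vpn_uuid not in bound:
            problems.append(f"{name}: no managed app is bound to VPNUUID {vpn_uuid}")
    return problems


def to_mobileconfig(payloads, display_name):
    """Wrap payloads in a top-level Configuration profile and serialise as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.per-app-vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    corp = per_app_vpn_payload("Corp Tunnel", "vpn.example.com",
                               "com.example.tunnelprovider", "packet-tunnel",
                               safari_domains=["intranet.example.com"],
                               vpn_uuid="0b7c4e1a-2f7d-4c2b-9d6a-1b2c3d4e5f60")
    apps = [install_app_command("com.example.mail", "1000000001", corp["VPNUUID"]),
            install_app_command("com.example.notes", "1000000002",
                                "ffffffff-0000-0000-0000-000000000000")]
    print(check_bindings([corp], apps))
    print(to_mobileconfig([corp], "Per-App VPN").decode()[:200])
```

Running the sample reports the second app's dangling VPNUUID; the profile itself is only flagged as unused if nothing at all is bound to it, which is how an accidentally unassigned tunnel shows up.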
Restrictions Profile for iOS
Restrictions profiles limit how employees can use their iOS devices, give administrators the ability
to lock down the native functionality of iOS devices, and enforce data-loss prevention.
Certain restriction options on the Restrictions profile page have an icon displayed to the right, which
indicates the minimum iOS version required to enforce that restriction. For example, the iOS 7
+ Supervised icon next to the Allow AirDrop check box means only devices running iOS 7 that are
also set to run in Supervised mode using Apple Configurator or Apple’s Device Enrollment
Program are affected by this restriction.
The step-by-step instructions here cover a few functional examples of settings you can restrict. For
a complete list of iOS version and supervision requirements, see iOS Functionality Matrix:
Supervised vs. Unsupervised.
Configure a Restrictions Profile
You can configure device restrictions, application-level restrictions, iCloud restrictions, and more on
your iOS devices.
Configure the restrictions profile settings, including:
Settings – Descriptions
Device Functionality – Device-level restrictions can deactivate core device functionality such as the camera, FaceTime, Siri,
and in-app purchases to help improve productivity and security.
Applications – Application-level restrictions deactivate certain applications such as YouTube, iTunes, and Safari, or
some of their features, to enforce corporate use policies.
iCloud – Workspace ONE UEM provides restrictions for iOS 7 and later devices that can deactivate iCloud or
iCloud functionality if needed.
Security & Privacy – Security and privacy-based restrictions prohibit end users from performing certain actions that might
violate corporate policy or otherwise compromise their device.
Data Loss Prevention – Data loss prevention restrictions prevent end users from using AirDrop to share files with other macOS
computers and iOS devices, prevent managed apps from writing contacts to unmanaged contacts accounts, and so on.
Media Content – Ratings-based restrictions prevent access to certain content based on its rating, which is managed by
region.
Education – Restrictions for students that force unprompted screen observation for managed classes.
OS Updates – OS-level software delay restrictions that allow you to hide iOS updates from end users for a specified
number of days.
Specific Restrictions for iOS
Functionality Supported Devices Supervised
Device Functionality Restrictions
Allow use of camera iOS 4, iOS 13 +
Allow FaceTime iOS 4, iOS 13 +
Allow screen capture
Allow Screen Observation iOS 9.3 +
Allow passcode modification iOS 9 +
Allow Biometric ID to unlock device iOS 7
Allow Biometric ID modification iOS 8.3 +
Allow use of iMessage iOS 6 +
Allow app installation iOS 4, iOS 13 +
Allow app installation from alternative marketplaces iOS 17.4
Allow App Store icon on Home screen iOS 9 +
Allow app removal iOS 6 +
Allow in-app purchase
Allow automatic app downloads iOS 9 +
Allow changes to cellular data usage for apps iOS 7 +
Force limited ad tracking iOS 7
Allow Handoff iOS 8
Allow automatic sync while roaming
Allow voice dialing
Allow internet results in Spotlight iOS 8 +
Allow Siri iOS 5
Allow Siri while device locked iOS 5.1
Enable Siri Profanity Filter iOS 11 +
Show user-generated content in Siri iOS 7 +
Allow manual profile installation iOS 6 +
Allow configuring Restrictions iOS 8 +
Allow Erase All Contents and Settings iOS 8 +
Allow device name modification iOS 9 +
Allow wallpaper modification iOS 9 +
Allow account modification iOS 7 +
Require passcode on first AirPlay pairing iOS 7.1
Allow Wallet notifications in Lock screen iOS 6
Show Control Center in Lock screen iOS 7
Show Notifications Center in Lock screen iOS 7
Show Today view in Lock screen iOS 7
Enforce AirDrop as an unmanaged drop destination iOS 9
Allow Apple Watch pairing iOS 9 +
Enforce Wrist Detection on Apple Watch iOS 8.3
Allow keyboard shortcuts iOS 9 +
Allow predictive keyboard iOS 8.1.3 +
Allow auto correction for keyboard iOS 8.1.3 +
Allow spell check for keyboard iOS 8.1.3 +
Allow definition lookup for keyboard iOS 8.1.3 +
Allow Bluetooth Settings Modification iOS 10 +
Allow Dictation iOS 10.3 +
Allow system app removal iOS 11 +
Allow manual VPN creation iOS 11 +
Allow new device proximity setup iOS 11 +
Allow password proximity requests iOS 12 +
Force Date & Time to be Set Automatically iOS 12 +
Allow auto filling of passwords iOS 12 +
Allow sharing of Wi-Fi passwords iOS 12 +
Force authentication before autofilling passwords iOS 11 +
Allow cellular plan modification iOS 11 +
Allow eSIM modification iOS 12.1 +
Allow personal hotspot modification iOS 12.2 +
Allow Siri server logging iOS 12.2
Allow toggling Wi-Fi on/off iOS 13 +
Allow QuickPath keyboard iOS 13 +
Allow USB drive access iOS 13 +
Force on Wi-Fi iOS 13.1 +
Allow network drive access iOS 13.1 +
Allow deprecated TLS versions iOS 13.4
Allow Shared device temporary session iOS 13.4
Allow App Clips iOS 14 +
Allow automatic unlock iOS 14.5
Allow iCloud Private Relay iOS 15 +
Applications Restrictions
Allow use of YouTube iOS 5 and below
Allow use of iTunes Music Store iOS 4, iOS 13 +
Allow use of iBookstore iOS 6 +
Allow Game Center iOS 6 +
Allow multiplayer gaming iOS 4.1, iOS 13 +
Allow adding Game Center friends iOS 4.2.1, iOS 13 +
Allow changes to Find My Friends iOS 7 +
Allow use of Safari iOS 4, iOS 13 +
Allow News iOS 9 +
Allow Radio Service iOS 9.3 +
Allow Music Service iOS 9 +
Allow Podcasts iOS 8 + S
Enable autofill iOS 4, iOS 13 +
Force fraud warning
Enable JavaScript
Block pop-ups
Accept Cookies
Show Apps iOS 9.3 +
Hide Apps iOS 9.3 +
Allow Find My Device iOS 13 +
Allow Find My Friends iOS 13 +
iCloud Restrictions
Allow backup iOS 5, iOS 13 +
Allow document sync iOS 5, iOS 13 +
Allow keychain sync iOS 7, iOS 13 +
Allow managed apps to store data iOS 8
Allow backing up Enterprise Books iOS 8
Allow synchronizing Enterprise Books notes and highlights iOS 8
Allow Photo Stream iOS 5
Allow Shared Photo Stream iOS 6
Allow iCloud photo library iOS 9
Security & Privacy restrictions
Allow USB Restricted Mode iOS 11.4.1 +
Allow recovery mode with unpaired device iOS 14.5 +
Allow user to trust unmanaged enterprise apps iOS 9
Force iTunes Store password entry iOS 5
Allow diagnostic data to be sent to Apple iOS 5
Force on-device dictation iOS 14.5
Force on-device translation iOS 15
Allow user to accept untrusted TLS certificates iOS 5
Allow over the air PKI updates iOS 7
Force encrypted backups
Allow pairing with non-Configurator hosts iOS 7 +
Require Managed Wi-Fi iOS 10.3 +
Allow AirPrint credentials storage in keychain iOS 11 +
Force AirPrint to use a trusted TLS certificate iOS 11 +
Allow AirPrint iBeacon discovery iOS 11 +
Allow personalized advertising iOS 14 +
Allow Mail Privacy Protection iOS 15.2 +
Data Loss Prevention Restrictions
Allow documents from managed sources in unmanaged destinations iOS 7
Allow documents from unmanaged sources in managed destinations iOS 7
Allow AirDrop iOS 7 +
Allow AirPrint iOS 11 +
Allow NFC iOS 14.2 +
Allow managed apps to write contacts to unmanaged contacts accounts iOS 12
Allow unmanaged apps to read contacts from managed contacts accounts iOS 12
Require managed paste board iOS 15.0
Media Content Restrictions
Ratings region
Movies
TV Shows
Apps
iBooks iOS 6
Allow explicit music and podcasts iOS 4, iOS 13 +
Education Restrictions
Force unprompted screen observation for managed classes iOS 10.3 +
Allow unprompted app and device lock in unmanaged classes iOS 11 +
Allow automatic joining of unmanaged classes iOS 11 +
Force students to request permission to leave unmanaged classes iOS 11.3 +
OS updates Restrictions
Delay OS Updates (Days) iOS 11.3 +
Allow Rapid Security Response Installation iOS 16.0 +
Allow Rapid Security Response Removal iOS 16.0 +
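The version and Supervised markers in the tables above decide whether a device enforces a restriction at all: a device below the minimum iOS version, or an unsupervised device where supervision is required, silently ignores it, which matters most for the data-loss-prevention rows. The following is an added example (not Workspace ONE UEM code) that runs that check across a device inventory before a Restrictions profile is relied on. The requirements table is a constructed sample: the versions come from the tables above and the AirDrop supervision requirement is stated above, but the other supervision flags and the `com.apple.applicationaccess` key names are assumptions for this example; the device rows are constructed.

```python
"""Fleet check: which restrictions will each device actually enforce?

Added example, not Workspace ONE UEM code. Each restriction has a minimum iOS
version and some need a supervised device; a device that does not meet both
silently ignores the restriction. REQUIREMENTS is a constructed sample: the
versions come from the restrictions tables, the AirDrop supervision flag is
stated in the guide, the remaining supervision flags are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    key: str            # Apple com.apple.applicationaccess key
    min_version: str    # minimum iOS version from the restrictions table
    supervised: bool    # True if only supervised devices enforce it


REQUIREMENTS = {
    "allowAirDrop": Requirement("allowAirDrop", "7", True),
    "allowCamera": Requirement("allowCamera", "4", False),
    "allowUSBRestrictedMode": Requirement("allowUSBRestrictedMode", "11.4.1", True),
    "requireManagedPasteboard": Requirement("requireManagedPasteboard", "15.0", False),
    "forceDelayedSoftwareUpdates": Requirement("forceDelayedSoftwareUpdates", "11.3", True),
}


def parse_version(text):
    """'iOS 11.4.1', '11.4.1' or '13' -> tuple of ints."""
    return tuple(int(part) for part in text.lower().replace("ios", "").strip().split("."))


def version_at_least(device_version, minimum):
    """Compare dotted versions; missing components count as 0 (13 == 13.0.0)."""
    have, need = parse_version(device_version), parse_version(minimum)
    width = max(len(have), len(need))
    return have + (0,) * (width - len(have)) >= need + (0,) * (width - len(need))


def enforcement_gaps(device_version, supervised, keys, requirements=REQUIREMENTS):
    """Map each requested restriction key to the reason the device will not
    enforce it; keys that will be enforced are absent from the result."""
    gaps = {}
    for key in keys:
        req = requirements[key]
        if not version_at_least(device_version, req.min_version):
            gaps[key] = f"needs iOS {req.min_version}+, device runs {device_version}"
        elif req.supervised and not supervised:
            gaps[key] = "needs a supervised device"
    return gaps


def fleet_report(devices, keys, requirements=REQUIREMENTS):
    """devices: iterable of (udid, os_version, supervised). Returns {udid: gaps}."""
    return {udid: enforcement_gaps(os_version, supervised, keys, requirements)
            for udid, os_version, supervised in devices}


if __name__ == "__main__":
    # Constructed sample inventory: (udid, iOS version, supervised)
    fleet = [("DEV-A", "16.2", True), ("DEV-B", "12.0", False), ("DEV-C", "16.1", False)]
    policy = ["allowAirDrop", "allowUSBRestrictedMode", "requireManagedPasteboard"]
    for udid, gaps in fleet_report(fleet, policy).items():
        print(udid, gaps or "all restrictions enforced")
```

In the sample, only the supervised, current device enforces the whole policy; the unsupervised devices keep the managed-pasteboard rule (where the version allows) but not the AirDrop or USB Restricted Mode rules, so the console's green check on the profile says nothing about those devices.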
SCEP/Credentials Profile for iOS
Even if you protect your corporate email, Wi-Fi and VPN with strong passcodes and other
restrictions, your infrastructure may remain vulnerable to brute force and dictionary attacks, in
addition to employee error. For greater security, you can implement digital certificates to protect
corporate assets.
To assign certificates, you must first define a certificate authority. Then, configure a Credentials
payload alongside your Exchange ActiveSync (EAS), Wi-Fi, or VPN payload. Each of these
payloads has settings for associating the certificate authority defined in the Credentials payload.
To push down certificates to devices, you must configure a Credentials or SCEP payload as part of
the profiles you created for EAS, Wi-Fi, and VPN settings. Use the following instructions to create a
certificate-enabled profile:
1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select iOS from the
platform list.
2. Configure the profile’s General settings.
3. Select either the EAS, Wi-Fi, or VPN payload to configure. Fill out the necessary
information, depending on the payload you selected.
4. Select the Credentials (or SCEP) payload.
5. Choose one option from the Credentials Source menu:
a. Choose to Upload a certificate and enter the Certificate Name.
b. Choose Defined Certificate Authority and select the appropriate Certificate Authority
and Certificate Template.
c. Choose User Certificate and the use for the S/MIME certificate.
d. Choose Derived Credentials and select the appropriate Key Usage based on how the
certificate is used. Key Usage options are Authentication, Signing, and Encryption.
6. Navigate back to the previous payload for EAS, Wi-Fi, or VPN.
7. Specify the Identity Certificate in the payload:
a. EAS – Select the Payload Certificate under Login Information.
b. Wi-Fi – Select a compatible Security Type (WEP Enterprise, WPA/WPA2 Enterprise, or
Any (Enterprise)) and select the Identity Certificate under Authentication.
c. VPN – Select a compatible Connection Type (for example, CISCO AnyConnect, F5 SSL)
and select Certificate from the User Authentication drop-down. Select the Identity
Certificate.
8. Navigate back to the Credentials (or SCEP) payload.
9. Select Save & Publish after configuring any remaining settings.
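In the profile that reaches the device, steps 4 to 8 above become a certificate payload and a PayloadCertificateUUID reference to it from the EAS, Wi-Fi or VPN payload. The following is an added example (not Workspace ONE UEM code) that builds a SCEP payload and a WPA2 Enterprise Wi-Fi payload using it as the identity, then finds identity references that do not resolve to a certificate payload in the same profile, the mistake that leaves a Wi-Fi or VPN payload unable to authenticate. The SCEP URL, CA name, SSID, challenge and CA certificate bytes are constructed placeholders; mapping the console's Signing and Encryption options to the SCEP Key Usage flags 1 and 4 follows Apple's SCEP payload, while mapping Authentication to both flags (5) is an assumption.

```python
"""A certificate-enabled profile: SCEP identity referenced by a Wi-Fi payload.

Added example, not Workspace ONE UEM code. SCEP URL, CA name, SSID, challenge
and CA certificate bytes are constructed placeholders; the Key Usage mapping
for 'Authentication' (5 = signing and encryption) is an assumption.
"""
import hashlib
import plistlib
import uuid

KEY_USAGE = {"Signing": 1, "Encryption": 4, "Authentication": 5}
CERTIFICATE_PAYLOAD_TYPES = {"com.apple.security.scep", "com.apple.security.pkcs12",
                             "com.apple.security.root", "com.apple.security.pem"}


def _base(payload_type, identifier, display_name):
    return {"PayloadType": payload_type, "PayloadVersion": 1,
            "PayloadIdentifier": identifier, "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": display_name}


def scep_payload(url, ca_name, subject_cn, challenge, ca_cert_der, key_usage="Signing"):
    """com.apple.security.scep: the device generates the key pair and enrolls at
    the SCEP URL; CAFingerprint pins the issuing CA so enrollment cannot be
    redirected to a different CA."""
    payload = _base("com.apple.security.scep", "com.example.scep", "SCEP identity")
    payload["PayloadContent"] = {
        "URL": url,
        "Name": ca_name,
        "Subject": [[["CN", subject_cn]], [["O", "Example Corp"]]],
        "Challenge": challenge,           # sensitive: prefer per-device dynamic challenges
        "Keysize": 2048,
        "Key Type": "RSA",
        "Key Usage": KEY_USAGE[key_usage],
        "Retries": 3,
        "RetryDelay": 10,
        "CAFingerprint": hashlib.sha1(ca_cert_der).digest(),
    }
    return payload


def wifi_eap_tls_payload(ssid, identity_payload_uuid):
    """com.apple.wifi.managed, WPA2 Enterprise with EAP-TLS (type 13), using the
    certificate payload named by identity_payload_uuid as the client identity."""
    payload = _base("com.apple.wifi.managed", "com.example.wifi", f"Wi-Fi {ssid}")
    payload.update({
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {"AcceptEAPTypes": [13]},
        "PayloadCertificateUUID": identity_payload_uuid,
    })
    return payload


def profile(payloads, display_name):
    top = _base("Configuration", "com.example.profile.wifi-scep", display_name)
    top["PayloadContent"] = list(payloads)
    return top


def dangling_certificate_refs(prof):
    """Return (payload identifier, referenced UUID) pairs whose Identity
    Certificate reference has no certificate payload in the same profile."""
    available = {p["PayloadUUID"] for p in prof["PayloadContent"]
                 if p["PayloadType"] in CERTIFICATE_PAYLOAD_TYPES}
    dangling = []
    for p in prof["PayloadContent"]:
        refs = [p.get("PayloadCertificateUUID"),                 # Wi-Fi, EAS
                p.get("VPN", {}).get("PayloadCertificateUUID")]  # VPN payload
        for ref in refs:
            if ref and ref not in available:
                dangling.append((p["PayloadIdentifier"], ref))
    return dangling


def to_mobileconfig(prof):
    return plistlib.dumps(prof)


if __name__ == "__main__":
    ca_der = b"constructed-placeholder-ca-certificate-bytes"
    scep = scep_payload("https://scep.example.com/scep", "CorpCA", "device-0001",
                        "constructed-challenge", ca_der, key_usage="Authentication")
    wifi = wifi_eap_tls_payload("CorpWiFi", scep["PayloadUUID"])
    prof = profile([scep, wifi], "Corporate Wi-Fi with SCEP identity")
    print(dangling_certificate_refs(prof))      # [] when the reference resolves
    print(to_mobileconfig(prof).decode()[:120])
```

The same check applies to a VPN payload, whose identity reference sits inside its VPN dictionary, and to an EAS payload, which carries it at the top level like Wi-Fi.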
Single App Mode Profile for iOS
Use Single App Mode to provision devices so they can only access a single app of choice. Single
App Mode deactivates the home button and forces the device to boot directly into the designated
app if the user attempts a manual restart.
This feature ensures that the device is not used for anything outside of the desired application and
has no way of accessing other apps, device settings, or an Internet browser. This feature is useful
for restaurants and retail stores. In education, students can use devices that are locked to a single
game, eBook, or exercise.
This profile requires an iOS 7 or higher device configured in Supervised mode. (iOS 7 and higher is
required for the extra options and for autonomous single app mode.)
Configure Single App mode settings including:
Setting – Description
Filter Type – Choose a filter, either Lock device into a single app or Permitted apps for autonomous single app mode:
Lock device into a single app – Lock devices into a single public, internal, purchased, or native application
until the profile with this payload is removed. The home button is deactivated, and the device always
returns to the specified application from a sleep state or reboot.
Permitted apps for autonomous single app mode – Enable allowed applications to trigger Single App
Mode based on an event that controls when to turn on and off Single App Mode on the device. This action
happens within the app itself as determined by the app developer.
Application Bundle ID – Enter the bundle ID or select one from the drop-down menu. The bundle ID appears in the drop-down
menu after the application has been uploaded to the UEM console. For example: com.air-watch.secure.browser.
Optional Settings – Choose optional settings for Supervised iOS 7 and higher devices.
Once you save the profile, each device provisioned with this profile enters Single App Mode.
Restart a Device Operating in Single App Mode
The hard reset procedure is used to restart a device operating in Single App Mode.
1. Press and hold the Home button and the Sleep/Wake button simultaneously.
2. Continue holding both buttons until the device shuts off and begins to restart.
3. Let go when you see the silver Apple logo. It may take a while for the device to load from
the Apple logo to the main screen.
Exit Single App Mode on iOS Devices
End users cannot exit the app when Single App Mode is enabled. Workspace ONE UEM provides
two options for exiting single app mode, depending on which Single App Mode you enable.
You can deactivate Single App Mode temporarily if you need to update the specified app to a new
version or release. Deactivate Single App Mode using the instructions below, install the new app
version, and enable Single App Mode again.
Procedure
1. Navigate to Resources > Profiles & Baselines > Profiles. In the row for the Single App
Mode profile, select the View Devices icon.
2. Select Remove Profile for the device from which you want to remove the setting.
3. Update the application to the desired version.
4. Re-install the profile using the steps under Configure Single App Mode.
Allow Device Admin to Exit Single App Mode from the Device
You can allow an admin to exit Single App Mode with a passcode on the device itself. This option is
only available if you enable autonomous single app mode as the Filter Type for the Single App Mode
profile.
Procedure
1. Navigate to Resources > Profiles & Baselines > Profiles > Add. Select Apple iOS.
2. Configure the profile’s General settings.
3. Select the Single App Mode payload.
4. With Permitted apps for autonomous single app mode selected, enter the bundle ID of an
application that supports autonomous single app mode under Permitted Applications.
5. Select Save & Publish to push this profile to the assigned devices.
6. Navigate to Resources > Apps > Native > Public for public apps, or Resources > Apps >
Native > Purchased for apps managed through VPP.
7. Locate the autonomous single app mode supported application and select the Edit
Assignment icon. The Edit Application window displays.
8. Select the Assignment tab and expand the Policies section.
9. Select Enabled for Send Application Configuration, enter AdminPasscode as the
Configuration Key, and set the Value Type to String.
10. Enter the passcode admins use to exit Single App Mode as the Configuration Value. The
value can be numeric or alphanumeric. Select Add.
11. Select Save and Publish to push the application configuration.
Single Sign-On Profile for iOS
Enable single sign-on for corporate apps to allow seamless access without requiring authentication
into each app. Push this profile to authenticate end users through Kerberos authentication instead of
storing passwords on devices. For more information on single sign-on settings, refer to the VMware
Workspace ONE UEM Mobile Application Management Guide.
1. Enter Connection Info:
Setting – Description
Account Name – Enter the name that appears on the device.
Kerberos Principal Name – Enter the Kerberos principal name.
Realm – Enter the Kerberos domain realm. This parameter must be fully capitalized.
Renewal Certificate – On iOS 8+ devices, select the certificate used to reauthenticate the user automatically without
any need for user interaction when the user’s single sign-on session expires. Configure a renewal
certificate (for example: .pfx) using a credentials or SCEP payload.
2. Enter the URL Prefixes that must be matched to use this account for Kerberos authentication
over HTTP. For example: http://sharepoint.acme.com. If left empty, the account is eligible
to match all HTTP and HTTPS URLs.
3. Enter the Application Bundle ID or select one from the drop-down menu. The bundle ID
appears in this drop-down menu after the application has been uploaded to the UEM
console. For example: com.air-watch.secure.browser. The applications specified must
support Kerberos authentication.
4. Select Save & Publish.
In the example of a Web browser, when end users navigate to a Web site specified in the payload,
they are prompted to enter the password of their domain account. Afterward, they do not have to
enter credentials again to access any of the Web sites specified in the payload.
Note:
To use Kerberos authentication, devices must be connected to the corporate network (either
using corporate Wi-Fi or VPN).
The DNS server must have a record of the Kerberos services (KDC server).
Both the application on the mobile device and the Web site must support
Kerberos/Negotiate authentication.
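The following is an added example (not Workspace ONE UEM code) of the payload that the Connection Info, URL Prefixes and Application Bundle ID settings above produce, together with the matching rule stated above: a request uses the account only when its URL starts with one of the listed prefixes, an empty prefix list makes the account eligible for every HTTP and HTTPS URL, and when bundle ids are listed only those apps qualify (treated here as exact matches, a simplification). It also enforces the capitalised-realm rule. The realm, principal and host names are constructed placeholders; the prefix and bundle id reuse the examples given above.

```python
"""Kerberos single sign-on payload and its URL-prefix matching.

Added example, not Workspace ONE UEM code. Realm, principal and host names are
constructed placeholders; app matching is exact (a simplification).
"""
import uuid
from urllib.parse import urlsplit


def kerberos_sso_payload(account_name, principal, realm, url_prefixes=(),
                         app_bundle_ids=(), renewal_certificate_uuid=None):
    """com.apple.sso payload with a Kerberos dictionary."""
    if realm != realm.upper():
        raise ValueError("Kerberos realm must be fully capitalized")
    for prefix in url_prefixes:
        if not prefix.startswith(("http://", "https://")):
            raise ValueError(f"URL prefix must start with http:// or https://: {prefix}")
    kerberos = {
        "PrincipalName": principal,
        "Realm": realm,
        "URLPrefixMatches": list(url_prefixes),       # empty: all HTTP/HTTPS URLs
        "AppIdentifierMatches": list(app_bundle_ids),  # empty: any app
    }
    if renewal_certificate_uuid:
        # Certificate from a Credentials/SCEP payload used to renew the session silently.
        kerberos["PayloadCertificateUUID"] = renewal_certificate_uuid
    return {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.kerberos",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": account_name,
        "Name": account_name,
        "Kerberos": kerberos,
    }


def account_applies(payload, url, app_bundle_id):
    """True if a request from app_bundle_id to url may use this SSO account."""
    kerberos = payload["Kerberos"]
    apps = kerberos.get("AppIdentifierMatches") or []
    if apps and app_bundle_id not in apps:
        return False
    prefixes = kerberos.get("URLPrefixMatches") or []
    if not prefixes:
        return urlsplit(url).scheme.lower() in ("http", "https")
    return any(url.startswith(prefix) for prefix in prefixes)


if __name__ == "__main__":
    sso = kerberos_sso_payload("Corp SSO", "jdoe@ACME.COM", "ACME.COM",
                               url_prefixes=["http://sharepoint.acme.com"],
                               app_bundle_ids=["com.air-watch.secure.browser"])
    for url in ["http://sharepoint.acme.com/sites/hr", "https://mail.acme.com/"]:
        print(url, account_applies(sso, url, "com.air-watch.secure.browser"))
```

Leaving the prefix list empty is convenient but widens where the Kerberos credential may be presented; listing the internal prefixes keeps it to the sites you intend.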
Skip Setup Assistant Profile for iOS
Use the Skip Setup Assistant profile to skip Setup Assistant screens on the device after an OS update. This
profile is applicable only to iOS 14, iPadOS 14, and later.
Configure the Skip Setup Assistant profile settings, including:
Settings – Description
Setup Assistant – Select either to skip all Setup Assistant screens after an OS update or to skip selected screens from the
list below.
Note: By default, the Skip all screens option is selected. When users select the option to Skip some
screens, the rest of the text boxes become editable.
Move from Android – If the Restore pane is not skipped, skips the Move from Android option in the Restore pane on
iOS.
Choose Your Look – Skips the Choose Your Look screen.
Apple ID Setup – Skips Apple ID setup.
App Store – Skips the App Store page during the Setup.
Emergency SOS – Skips the Emergency SOS page during the Setup.
Biometric ID – Skips biometric setup.
Device To Device Migration – Skips the Device to Device Migration pane.
Diagnostics – Skips the App Analytics pane.
Display Tone – Skips DisplayTone setup.
Home Button – Skips the Meet the New Home Button screen on iPhone 7, iPhone 7 Plus, iPhone 8, iPhone 8
Plus, and iPhone SE.
iMessage and FaceTime – Skips the iMessage and FaceTime screen in iOS.
Location Services – Skips Location Services.
Passcode – Skips the passcode pane.
Payment – Skips Apple Pay setup.
Privacy – Skips the privacy pane.
Restore – Deactivates restoring from a backup.
Restore Completed – Skips the Restore Completed pane.
Screen Time – Skips the Screen Time pane.
Add Cellular Plan – Skips the add cellular plan pane.
Siri – Skips Siri.
Software Update – Skips the mandatory software update screen in iOS.
Terms and Conditions – Skips Terms and Conditions.
Terms of Address – Skips Terms of Address during the Setup Wizard.
Update Completed – Skips the Software Update Complete pane.
Watch Migration – Skips the screen for watch migration.
Welcome – Skips the Get Started pane.
Zoom – Skips zoom setup.
SSO Extension Profile for iOS
To configure an application on device to perform single sign-on (SSO) with the Kerberos extension,
configure the SSO Extension profile. With the SSO Extension profile, users do not have to provide
their user name and password to access specific URLs. This profile is applicable only to iOS 13 and
later devices.
Configure the SSO Extension settings, including:
Setting – Description
Extension Type – Select the type of the SSO extension for the application. If Generic is selected, provide the Bundle ID
of the application extension that performs SSO for the specified URLs in the Extension Identifier field.
If Kerberos is selected, provide the Active Directory Realm and Domains.
Type – Select either Credential or Redirect as the extension type. A Credential extension is used for
challenge/response authentication. A Redirect extension can use OpenID Connect, OAuth, and SAML
authentication.
Team Identifier – Enter the Team Identifier of the application extension that performs SSO for the specified URLs.
URLs – Enter one or more URL prefixes of identity providers where the application extension performs SSO.
Additional Settings – Enter additional settings for the profile as XML, which is added to the ExtensionData node.
Active Directory Realm – This option appears only if Kerberos is selected as the Extension Type. Enter the name of the Kerberos
Realm.
Domains – Enter the host names or the domain names that can be authenticated through the application
extension.
Use Site Auto-Discovery – Enable the option to make the Kerberos extension automatically use LDAP and DNS to determine
the Active Directory site name.
Allow Automatic Login – Enable the option to allow passwords to be saved to the keychain.
Require User Touch ID or Password – Enable the option to allow the user to provide Touch ID, Face ID, or a passcode to access the keychain
entry.
Certificate – Select the certificate to push down to the device; it must be in the same MDM profile.
Allowed Bundle IDs – Enter a list of application bundle IDs that are allowed access to the Kerberos Ticket Granting Ticket (TGT).
Subscribed Calendar Profile for iOS
Push calendar subscriptions using the native Calendar app in macOS to your iOS devices by
configuring this payload.
Configure the calendar settings, including:
Setting Description
Description Enter a brief description of the subscribed calendars.
URL Enter the URL of the calendar to which you are subscribing.
Username Enter the user name of the end user for authentication purposes.
Password Enter the password of the end user for authentication purposes.
Use SSL Check to send all traffic using SSL.
Virtual Private Network (VPN) Profile for iOS
Virtual private networks (VPNs) provide devices with a secure and encrypted tunnel to access
internal resources. VPN profiles enable each device to function as if it were connected through an
on-site network. Configuring a VPN profile ensures that end users have seamless access to
email, files, and content.
The settings that you see may vary depending on the Connection Type you choose. For more
information on using Forcepoint content filtering, see Creating a Forcepoint Content Filter
Profile.
Configure the VPN profile settings, including:
Settings Description
Connection
Name
Enter the name of the connection to be displayed on the device.
Connection
Type
Use the drop-down menu to select the network connection method.
Server Enter the hostname or IP address of the server for connection.
Account Enter the name of the VPN account.
Send All
Traffic
Force all traffic through the specified network.
Disconnect
on Idle
Allow the VPN to auto-disconnect after a specific amount of time. Support for this value depends on
the VPN provider.
iOS Device Management
VMware by Broadcom
60
Settings Description
Connect
Automatical
ly
Select to allow the VPN to connect automatically to the following domains. This option appears when
Per App VPN Rules is selected.
Safari Domains
Mail Domains
Contacts Domains
Calendar Domains
Provider
Type
Select the type of the VPN service. If the VPN service type is an App proxy, the VPN service tunnels
the traffic at the application level. If it is a Packet tunnel, the VPN service tunnels the traffic at the IP
layer.
Per App
VPN Rules
Enables the Per App VPN for devices. For more information, see
Configuring Per-App VPN for
iOS Devices
in this guide
Authenticati
on
Select the method to authenticate to end users. Follow the related prompts to upload an Identity
Certificate, or enter a Password information, or the Shared Secret key to be provided to authorize end
users for VPN access.
Enable
VPN On
Demand
Enable VPN On Demand to use certificates to establish VPN connections automatically using the
Configuring VPN On Demand for iOS Devices
section in this guide.
Proxy Select either Manual or Auto as the proxy type to configure with this VPN connection.
Server Enter the URL of the proxy server.
Port Enter the port used to communicate with the proxy.
Username Enter the user name to connect to the proxy server.
Password Enter the password for authentication.
Vendor
Keys
Select to create custom keys to go into the vendor config dictionary.
Key Enter the specific key provided by the vendor.
Value Enter the VPN value for each key.
Exclude
Local
Networks
Enable the option to include all networks to route the network traffic outside the VPN.
Include All
Networks
Enable the option to include all networks to route the network traffic through the VPN.
Enforce
routes
Enable this option for all VPN non-default routes to take precedence over locally defined rules.If you
have enabled Include all networks, this setting is ignored.
Maxium
Transmissio
n Unit
This specifies the maximum size in bytes of each packet that will be sent over the IKEv2 VPN interface.
SMB
Domains
An array of SMB domains that is accessible through this VPN connection.
iOS Device Management
VMware by Broadcom
61
Settings Description
Prevent on
demand
override
Enable this option to prevent users from toggling VPN On Demand in Settings.
Note: If you have chosen IKEv2 as the type, you can enter the minimum and the maximum TLS
version for the VPN connection, provided that you enable the Enable EAP check box before you
enter the TLS version.
After saving the profile, end users have access to permitted sites.
VPN On Demand Profile for iOS
VPN On Demand is the process of automatically establishing a VPN connection for specific domains.
For increased security and ease of use, VPN On Demand uses certificates for authentication instead
of simple passcodes.
Ensure your certificate authority and certificate templates in Workspace ONE UEM are properly
configured for certificate distribution. Make your third-party VPN application of choice available to
end users by pushing it to devices or recommending it in your enterprise App Catalog.
1. Configure your base VPN profile accordingly.
2. Select Certificate from the User Authentication drop-down menu. Navigate to the
Credentials payload.
a. From the Credential Source drop-down menu, select Defined Certificate Authority.
b. Select the Certificate Authority and Certificate Template from the respective drop-down
menus.
c. Navigate back to the VPN payload.
3. Select the Identity Certificate as specified through the Credentials payload if you are
applying certificate authentication to the VPN profile.
4. Select the Enable VPN On Demand box.
5. Configure Use the New On Demand Keys (iOS 7) to enable a VPN connection when end
users access any of the domains specified:
Setting – Description
Use new On Demand Keys (iOS 7 and higher) – Select to use the new syntax that allows for specifying more granular VPN rules.
On Demand Rule/Action – Choose an Action to define the VPN behavior to apply to the VPN connection based on the
defined criteria. If the criterion is true, then the specified action takes place.
Evaluate Connection: Automatically establish the VPN tunnel connection based on the
network settings and on the characteristics of each connection. The evaluation happens every
time the VPN connects to a Web site.
Connect: Automatically establish the VPN tunnel connection on the next network attempt if
the network criteria are met.
Disconnect: Automatically deactivate the VPN tunnel connection and do not reconnect on
demand if the network criteria are met.
Ignore: Leave the existing VPN connection, but do not reconnect on demand if the network
criteria are met.
Action Parameter – Configure Action Parameters for specified domains to trigger a VPN connection attempt if
domain name resolution fails, such as when the DNS server indicates that it cannot resolve the
domain, responds with a redirection to a different server, or fails to respond (timeout).
If choosing Evaluate Connection, these options appear:
Choose Connect If Needed/Never Connect and enter additional information:
Domains – Enter the domains for which this evaluation applies.
URL Probe – Enter an HTTP or HTTPS (preferred) URL to probe, using a GET request. If the
URL’s hostname cannot be resolved, if the server is unreachable, or if the server does not
respond with a 200 HTTP status code, a VPN connection is established in response.
DNS Servers – Enter an array of DNS server IP addresses to be used for resolving the specified
domains. These servers need not be part of the device’s current network configuration. If these
DNS servers are not reachable, a VPN connection is established in response. These DNS
servers must be either internal DNS servers or trusted external DNS servers. (optional)
Criteria/Value for Parameter – Configure one or more of the following criteria:
Interface Match – Select the type of connection that matches the device’s current network
adapter. Values available are any, Wifi, Ethernet, and Cellular.
URL Probe – Enter the specified URL for the criteria to be met. When the criteria are met, a 200 HTTP
status code is returned. This format includes the protocol (https).
SSID Match – Enter the device’s current network ID. For the criteria to be met, it must match at
least one of the values in the array. Use the + icon to enter multiple SSIDs as needed.
DNS Domain Match – Enter the device’s current network search domain. A wildcard is
supported (*.example.com).
DNS Address Match – Enter the DNS address that matches the device’s current DNS server’s
IP address. For the criteria to be met, all the device’s listed IP addresses must be entered. Matching
with a single wildcard is supported (17.*).
6. Alternatively, choose legacy VPN On Demand:
Setting – Description
Match Domain or Host
On Demand Action –
Establish if Needed or Always Establish – Initiates a VPN connection only if the specified
page cannot be reached directly.
Never Establish – Does not establish a VPN connection for addresses that match the
specified domain. However, if the VPN is already active, it can be used.
7. Use the + icon to add more Rules and Action Parameters as desired.
8. Choose a Proxy type:
Setting Description
Proxy Select either Manual or Auto proxy type to configure with this VPN connection.
Server Enter the URL of the proxy server.
Port Enter the port used to communicate with the proxy.
Username Enter the user name to connect to the proxy server.
Password Enter the password for authentication.
9. Complete Vendor Configurations. These values are unique to every VPN provider.
Setting Description
Vendor Keys Select to create custom keys to add to the vendor config dictionary.
Key Enter the specific key provided by the vendor.
Value Enter the VPN value for each key.
10. Click Save and Publish. Once the profile installs on a user’s device, a VPN connection
prompt automatically displays whenever the user navigates to a site that requires it, such as
SharePoint.
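The On Demand Rule/Action, Action Parameter and Criteria settings in step 5 above, and the Enable VPN On Demand setting in the VPN profile table before it, describe a rule list that the device walks in order, taking the first rule whose criteria all hold. The following is an added example (not Workspace ONE UEM code) that evaluates such a rule list against a device's network state using Apple's OnDemandRules key names (InterfaceTypeMatch, SSIDMatch, DNSDomainMatch, DNSServerAddressMatch, URLStringProbe, Action, ActionParameters), including the wildcard forms and the rule that every device DNS server must be covered. Outcomes are Connect, Disconnect, Ignore, or Direct (no tunnel for this request). Treating a domain in ActionParameters as covering its subdomains is an assumption; all SSIDs, servers, host names and probe results are constructed.

```python
"""Evaluate VPN On Demand rules against a device's network state.

Added example, not Workspace ONE UEM code. Rules use Apple's OnDemandRules key
names; they are tried in order and the first rule whose criteria all hold
decides. Suffix matching of ActionParameters domains is an assumption; all
SSIDs, servers, host names and probe results are constructed.
"""
from fnmatch import fnmatchcase


def _any_glob(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)


def _domain_matches(host, domain):
    # Assumption: 'example.com' covers example.com and every host under it.
    return host == domain or host.endswith("." + domain)


def rule_matches(rule, state):
    """Every criterion present in the rule must hold for the current network."""
    iface = rule.get("InterfaceTypeMatch")
    if iface and iface != "Any" and iface != state.get("interface"):
        return False
    ssids = rule.get("SSIDMatch")
    if ssids and state.get("ssid") not in ssids:
        return False
    domains = rule.get("DNSDomainMatch")           # wildcard form: *.example.com
    if domains and not any(_any_glob(domains, d) for d in state.get("search_domains", [])):
        return False
    servers = rule.get("DNSServerAddressMatch")    # wildcard form: 17.*
    if servers:
        device_dns = state.get("dns_servers", [])
        # Every DNS server the device uses must be covered by the list.
        if not device_dns or not all(_any_glob(servers, s) for s in device_dns):
            return False
    probe = rule.get("URLStringProbe")
    if probe and state.get("probe_status", {}).get(probe) != 200:
        return False
    return True


def _connect_if_needed(params, state, host):
    """Bring the tunnel up only when the name does not resolve, a required DNS
    server is unreachable, or the URL probe does not answer 200."""
    if host not in state.get("resolvable", ()):
        return "Connect"
    if any(s not in state.get("reachable_dns", ()) for s in params.get("RequiredDNSServers", [])):
        return "Connect"
    probe = params.get("RequiredURLStringProbe")
    if probe and state.get("probe_status", {}).get(probe) != 200:
        return "Connect"
    return "Direct"


def evaluate(rules, state, host=None):
    """Return (outcome, index of the rule that decided) or ('Direct', None)."""
    for index, rule in enumerate(rules):
        if not rule_matches(rule, state):
            continue
        action = rule["Action"]
        if action != "EvaluateConnection":
            return action, index
        for params in rule.get("ActionParameters", []):
            if host and any(_domain_matches(host, d) for d in params["Domains"]):
                if params["DomainAction"] == "NeverConnect":
                    return "Direct", index
                return _connect_if_needed(params, state, host), index
        return "Direct", index                  # host not listed: never triggers
    return "Direct", None


# Constructed sample rule set: no tunnel on the corporate Wi-Fi (SSID and DNS
# servers both checked), always on cellular, and elsewhere only for the
# intranet name when it cannot be reached directly.
SAMPLE_RULES = [
    {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi", "SSIDMatch": ["CorpWiFi"],
     "DNSServerAddressMatch": ["10.0.*"]},
    {"Action": "Connect", "InterfaceTypeMatch": "Cellular"},
    {"Action": "EvaluateConnection", "ActionParameters": [
        {"Domains": ["intranet.example.com"], "DomainAction": "ConnectIfNeeded",
         "RequiredURLStringProbe": "https://probe.example.com/ok"},
        {"Domains": ["public.example.com"], "DomainAction": "NeverConnect"}]},
]

if __name__ == "__main__":
    home = {"interface": "WiFi", "ssid": "HomeNet", "dns_servers": ["192.168.1.1"],
            "resolvable": {"public.example.com"}, "probe_status": {}}
    print(evaluate(SAMPLE_RULES, home, "wiki.intranet.example.com"))   # ('Connect', 2)
```

Pairing SSIDMatch with DNSServerAddressMatch in the Disconnect rule is the reason to keep both criteria: a network that merely reuses the corporate SSID but hands out other DNS servers fails the rule and falls through to the on-demand evaluation instead of dropping the tunnel.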
Web Clips Profile for iOS
Web Clips are Web bookmarks that you can push to devices that display as icons on the device
springboard or in your app catalog.
Configure Web Clip settings, including:
Setting Description
Label Enter the text displayed beneath the Web Clip icon on an end user’s device. For example: “AirWatch Self-Service Portal.”
URL Enter the URL of the Web Clip that displays. Here are some examples for Workspace ONE UEM pages:
For the SSP, use: https://{Airwatch Environment}/mydevice/
For the app catalog, use: https://{Environment}/Catalog/ViewCatalog/{SecureDeviceUdid}/{DevicePlatform}
For the book catalog, use: https://{Environment}/Catalog/BookCatalog?uid={DeviceUUID}
Removable Enable device users to use the long press feature to remove the Web Clip from their devices.
Icon Upload a custom icon for the Web Clip in .gif, .jpg, or .png format. For best results, provide a square image no larger than 400 pixels on each side and less than 1 MB when uncompressed. The graphic is automatically scaled and cropped to fit and converted to .png format, if necessary. Web Clip icons are 104 x 104 pixels for devices with a Retina display or 57 x 57 pixels for all other devices.
Precomposed Icon Select this option to display the icon without any visual effects.
Full Screen Select this option to run the Web page in full screen mode.
Web Content Filter Profile for iOS
You can allow or prevent end users from accessing specific URLs using a Web browser by configuring a Web content filter payload that is applied to devices. All URLs must begin with http:// or https://. The filter treats the HTTP and HTTPS versions of a URL as separate entries, so create both where necessary; a denylist entry for one scheme alone does not block the other. The Web content filter payload requires iOS 7+ supervised devices.
Configure the web content filter settings, including:
Select Filter Type drop-down menu:
1. Built-in: Allow Web sites
2. Built-in: Deny Web sites
3. Plug-in
Built-in: Allow Web Sites
Configure an allowlist of URLs so that end users can access only the specific Web sites on the list and are prevented from accessing any other Web sites.
1. Select Built-in: Allow Web sites in the Filter Type drop-down menu.
2. Select Add and configure the list of allowed Web sites:
Setting Description
Allowed URLs The URL of an allowed site.
Title The bookmark title.
Bookmark Path The folder into which the bookmark is added in Safari.
Built-in: Deny Web Sites
Configure a denylist of URLs to prevent users from accessing the specified Web sites. All other Web sites remain available to end users. In addition, Web sites with adult content are automatically filtered unless an exception is permitted.
Select Built-in: Deny Web sites in the Filter Type drop-down menu and configure denied Web sites:
Setting Description
Denied URLs Enter denied URLs separated by new lines, spaces, or commas.
Automatically filter inappropriate Web sites Select to filter adult Web sites.
Bookmark Path Enter the folder path into which the bookmark is added in Safari.
Permitted URLs Enter any Web sites that may be allowed as exceptions to the automatic filter.
Plug-ins
This payload allows you to integrate with a third-party Web content filtering plug-in with Safari.
If you want to integrate specifically with Forcepoint or Blue Coat content filters, see the appropriate
sections in this guide.
1. Select Plug-in in the Filter Type drop-down menu to route traffic through a third-party filtering plug-in. You must enable Filter WebKit Traffic, Filter Socket Traffic, or both for the payload to take effect.
Setting Description
Filter Name Enter the name of the filter that displays on the device.
Identifier Enter the bundle ID of the plug-in that provides the filtering service.
Service Address Enter the hostname, IP address, or URL of the filtering service.
Organization Enter the organization string that is passed to the third-party plug-in.
Filter WebKit Traffic Select to filter WebKit traffic (Safari and WebKit-based web views).
Filter Socket Traffic Select to filter socket traffic from other apps.
2. Configure the Authentication information including:
Setting Description
Username Use look-up values to pull the user name directly from the user account record. Ensure your Workspace ONE UEM user accounts have an email address and email user name defined.
Password Enter the password for this account.
Payload Certificate Choose the authentication certificate.
3. Add Custom Data, which includes keys required by the third-party filtering service. This information goes into the vendor config dictionary.
4. Select Save & Publish.
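Because the built-in filter matches the HTTP and HTTPS variants of a URL separately, a deny list is worth checking for missing twins before it is published. The following is an added example, not Workspace ONE UEM or Apple code, that builds the Built-in allow and deny payloads with Python's plistlib and reports such gaps. The payload key names (FilterType, AutoFilterEnabled, BlacklistedURLs, PermittedURLs, WhitelistedBookmarks) are Apple's as I know them and should be confirmed against Apple's current profile reference; the PayloadIdentifier values and URL lists are constructed.

```python
"""Build a Built-in web content filter payload and check the URL lists.

Added example for this section; it is not Workspace ONE UEM or Apple code.
Payload keys (FilterType, AutoFilterEnabled, BlacklistedURLs, PermittedURLs,
WhitelistedBookmarks) follow Apple's com.apple.webcontent-filter payload as
I know it; confirm them against Apple's current profile reference. The
PayloadIdentifier values and the URL lists are constructed sample data.
"""
import plistlib
import uuid
from urllib.parse import urlsplit


def validate_url(url: str) -> str:
    """Enforce the filter's rule that every entry begins with http:// or https://."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"filter URLs must begin with http:// or https://: {url!r}")
    return url


def scheme_gaps(urls) -> list:
    """Return the http/https twins missing from a list.

    The filter treats http://host and https://host as distinct entries, so a
    deny list naming only one scheme is bypassed by switching to the other.
    """
    seen = {validate_url(u).rstrip("/") for u in urls}
    missing = set()
    for entry in seen:
        parts = urlsplit(entry)
        other = "https" if parts.scheme == "http" else "http"
        twin = f"{other}://{parts.netloc}{parts.path}"
        if twin not in seen:
            missing.add(twin)
    return sorted(missing)


def _base(identifier: str) -> dict:
    return {
        "PayloadType": "com.apple.webcontent-filter",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # constructed; use your own reverse-DNS name
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Web Content Filter",
        "FilterType": "BuiltIn",
    }


def deny_payload(denied, permitted=(), auto_filter=True) -> dict:
    """Built-in: Deny Web sites, with the automatic adult-content filter and its exceptions."""
    payload = _base("com.example.webfilter.deny")
    payload.update({
        "AutoFilterEnabled": auto_filter,
        "BlacklistedURLs": [validate_url(u) for u in denied],
        "PermittedURLs": [validate_url(u) for u in permitted],
    })
    return payload


def allow_payload(bookmarks) -> dict:
    """Built-in: Allow Web sites; each entry becomes a Safari bookmark and the only reachable sites."""
    payload = _base("com.example.webfilter.allow")
    payload["AutoFilterEnabled"] = False
    payload["WhitelistedBookmarks"] = [
        {"URL": validate_url(b["url"]), "Title": b["title"], "BookmarkPath": b.get("path", "/")}
        for b in bookmarks
    ]
    return payload


def to_plist(payload: dict) -> bytes:
    """Serialize to the XML plist form a configuration profile carries."""
    return plistlib.dumps(payload)


def parse_plist(data: bytes) -> dict:
    return plistlib.loads(data)


# Constructed deny list: the tracking host is listed for HTTPS only.
DENIED = ["http://gambling.example/", "https://gambling.example", "https://ads.example/track"]

if __name__ == "__main__":
    print("missing scheme twins:", scheme_gaps(DENIED))
    print(to_plist(deny_payload(DENIED, permitted=["https://intranet.example.com"])).decode())
```

Run scheme_gaps over a deny list before publishing and add every URL it reports; a list that names only https://ads.example/track still lets the device reach the plain-HTTP version.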
Wi-Fi Profile for iOS
Configuring a Wi-Fi profile allows devices to connect to corporate networks, even if they are hidden,
encrypted, or password protected. This payload is useful to end users who travel and use their own
unique wireless network or to end users in an office setting where they are able to automatically
connect their devices to a wireless network on-site.
1. Configure the Wi-Fi settings including:
Setting Description
Service Set Identifier Enter the name (SSID) of the network that the device connects to.
Hidden network Select this option if the network does not broadcast its SSID.
Auto-Join Determine whether the device automatically connects to the network when starting the device. The device keeps an active connection until the device is restarted or a different connection is chosen manually.
Enable IPv6 Deselect this option to disable IPv6.
Security Type Select the type of access protocol to be used. Enter the Password or select the Protocols that apply to your Wi-Fi network.
Protocols Choose protocols for network access. This option appears when the Security Type is any of the Enterprise choices. This option also appears when Ethernet is selected.
Wi-Fi Hotspot 2.0 Enable Wi-Fi Hotspot 2.0 functionality. This option is available only for iOS 7 and higher devices. Hotspot 2.0 is a type of public-access Wi-Fi that allows devices to identify and connect seamlessly to the best matching access point. Carrier plans must support Hotspot 2.0 for it to function correctly.
HESSID Enter the HESSID used for Wi-Fi Hotspot 2.0 negotiation.
Domain Name Enter the domain name of the Passpoint service provider.
Allow connecting to roaming partner Passpoint networks Enable roaming to partner Passpoint networks.
Displayed Operator Name Enter the name of the Wi-Fi hotspot service provider.
Roaming Consortium Organization ID Enter the roaming consortium organization identifiers.
Network Access ID Enter the Network Access ID realm names.
MCC/MNC Enter the Mobile Country Code/Mobile Network Code formatted as a 6-digit number.
Authentication Configure Authentication settings that vary by protocol.
User name Enter the username for the account.
User Per-Connection Password Request the password during the connection and send it with authentication.
Password Enter the password for the connection.
Identity Certificate Select the certificate for authentication.
Outer Identity Enter the outer identity presented in the clear during TTLS, PEAP, or EAP-FAST before the TLS tunnel is established. Use an anonymous value so that the real user name is only sent inside the tunnel.
TLS Certificate Required Enable to allow two-factor authentication for EAP-TTLS, PEAP, or EAP-FAST. Disable to allow zero-factor authentication for EAP-TLS.
TLS Minimum Version Select the minimum TLS version: 1.0, 1.1, or 1.2. If no value is selected, the minimum TLS version defaults to 1.0. Set 1.2 unless your RADIUS server cannot negotiate it, because the default allows deprecated protocol versions.
Note: Minimum and Maximum TLS versions can be configured only for TLS, TTLS, EAP-FAST, and PEAP protocol types.
TLS Maximum Version Select the maximum TLS version: 1.0, 1.1, or 1.2. If no value is selected, the maximum TLS version defaults to 1.2.
Trusted Certificates These are the trusted server certificates for your Wi-Fi network.
Trusted Server Certificate Names Enter the trusted server certificate names. Only RADIUS servers whose certificate names match one of these entries are accepted.
Allow Trust Exceptions Allow end users to make trust decisions. When this option is enabled, a user can accept an unknown server certificate, so disable it once Trusted Certificates and Trusted Server Certificate Names are configured.
2. Configure Proxy settings for either Manual or Auto proxy types.
3. If you use a Cisco infrastructure, configure the QoS Marking Policy (iOS v11 and higher).
Setting Description
Fastlane QoS Marking Select the marking setup that you require.
Enable QoS Marking Select this option to choose apps for prioritized data allocations.
Allow Apple Calling Select Allow Apple Calling to add Apple Wi-Fi Calling to your QoS allowlist.
Allow Apps for QoS Marking Search for and add apps to allocate prioritized data.
4. Configure Captive Portal settings to bypass the portal.
5. Select Save & Publish when you are finished to push the profile to devices.
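The Wi-Fi settings that decide whether a device can tell the real RADIUS server from an evil-twin access point are Trusted Certificates, Trusted Server Certificate Names, Allow Trust Exceptions, and TLS Minimum Version. The following is an added example, not Workspace ONE UEM or Apple code, that builds the equivalent Apple Wi-Fi payload in Python and audits it for the weak settings a reviewer would flag before publishing. The key names (SSID_STR, EAPClientConfiguration, AcceptEAPTypes, TLSMinimumVersion, TLSTrustedServerNames, TLSAllowTrustExceptions, PayloadCertificateAnchorUUID) are Apple's as I know them; the SSID, RADIUS name, anchor UUID and PayloadIdentifier are constructed.

```python
"""Build a Wi-Fi (802.1X) payload and audit its server-trust and TLS settings.

Added example for this section; it is not Workspace ONE UEM or Apple code.
Keys follow Apple's com.apple.wifi.managed payload and its
EAPClientConfiguration dictionary as I know them (AcceptEAPTypes,
TLSMinimumVersion, TLSTrustedServerNames, TLSAllowTrustExceptions,
PayloadCertificateAnchorUUID); the SSID, RADIUS name, anchor UUID and
PayloadIdentifier are constructed sample values.
"""
import plistlib
import uuid

# EAP method numbers as used in AcceptEAPTypes.
EAP_TYPES = {"TLS": 13, "TTLS": 21, "PEAP": 25, "EAP-FAST": 43}
TUNNELED = {EAP_TYPES["TTLS"], EAP_TYPES["PEAP"], EAP_TYPES["EAP-FAST"]}


def wifi_payload(ssid, eap_types, trusted_server_names=(), anchor_uuids=(),
                 tls_min="1.0", tls_max="1.2", allow_trust_exceptions=True,
                 outer_identity="anonymous", hidden=False) -> dict:
    """Mirror the console fields above. The defaults deliberately reproduce the
    weak console defaults (TLS minimum 1.0, trust exceptions allowed) so that
    the audit below has something to find."""
    eap = {
        "AcceptEAPTypes": [EAP_TYPES[t] for t in eap_types],
        "OuterIdentity": outer_identity,
        "TLSMinimumVersion": tls_min,
        "TLSMaximumVersion": tls_max,
        "TLSAllowTrustExceptions": allow_trust_exceptions,
        "TLSTrustedServerNames": list(trusted_server_names),
        "PayloadCertificateAnchorUUID": list(anchor_uuids),
    }
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.wifi.{ssid}",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": eap,
    }


def audit_wifi(payload: dict) -> list:
    """Findings a reviewer would raise before publishing the profile.

    With a tunneled method (TTLS, PEAP, EAP-FAST) the inner credential is only
    as safe as the device's ability to tell the real RADIUS server from an
    evil-twin access point, so every check is about server trust or TLS version.
    """
    eap = payload.get("EAPClientConfiguration")
    if not eap:
        return ["no EAPClientConfiguration: not an enterprise (802.1X) network"]
    findings = []
    if eap.get("TLSAllowTrustExceptions", True):
        findings.append("TLSAllowTrustExceptions on: a user can accept an unknown RADIUS certificate")
    if not eap.get("PayloadCertificateAnchorUUID"):
        findings.append("no Trusted Certificates anchor: server validated only against the system trust store")
    if not eap.get("TLSTrustedServerNames"):
        findings.append("no Trusted Server Certificate Names: any name on the certificate is accepted")
    if eap.get("TLSMinimumVersion", "1.0") in ("1.0", "1.1"):
        findings.append(f"TLSMinimumVersion {eap.get('TLSMinimumVersion', '1.0')}: raise to 1.2")
    if TUNNELED & set(eap.get("AcceptEAPTypes", [])) and not eap.get("OuterIdentity"):
        findings.append("no OuterIdentity: the real user name is sent in the clear before the tunnel")
    return findings


def to_plist(payload: dict) -> bytes:
    return plistlib.dumps(payload)


def parse_plist(data: bytes) -> dict:
    return plistlib.loads(data)


# Constructed: console defaults versus a hardened PEAP profile pinned to one RADIUS server.
WEAK = wifi_payload("CorpWiFi", ["PEAP"])
HARDENED = wifi_payload(
    "CorpWiFi", ["PEAP"],
    trusted_server_names=["radius.corp.example.com"],
    anchor_uuids=["B0E5B4F4-6E0A-4C3B-9D7E-1F2A3B4C5D6E"],  # UUID of the CA payload in the same profile
    tls_min="1.2", allow_trust_exceptions=False,
)

if __name__ == "__main__":
    for label, p in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_wifi(p) or ["OK"])
```

The anchor UUID must reference a certificate payload delivered in the same profile (the Trusted Certificates field in the console); without it the device falls back to the system trust store, and without Trusted Server Certificate Names any certificate chaining to that store passes.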
Compliance Policies for iOS Devices
The compliance engine is an automated tool by Workspace ONE UEM that ensures all devices abide
by your policies. These policies can include basic security settings such as requiring a passcode and
having a minimum device lock period.
For certain platforms, you can also set and enforce additional precautions. These precautions include setting password strength, denylisting certain apps, and requiring device check-in intervals to ensure that devices are safe and in contact with Workspace ONE UEM. Once a device is determined to be out of compliance, the compliance engine warns the user to address the compliance errors before escalating actions are applied to the device. For example, the compliance engine can trigger a message to notify the user that their device is out of compliance.
In addition, devices not in compliance cannot have device profiles assigned to them and cannot have apps installed. If corrections are not made in the amount of time specified, the device loses access to certain content and functions that you define. The available compliance policies and actions vary by platform.
For more information about compliance policies, including which policies and actions are supported
for a particular platform, see the Managing Devices documentation on docs.vmware.com.
Apps for iOS Devices
Combine Workspace ONE UEM MDM features with Workspace ONE UEM apps to even further
enhance security and functionality. Easily manage Workspace ONE UEM apps throughout the entire
lifecycle across employee-owned, corporate-owned, and shared devices from the UEM console.
Workspace ONE UEM applications allow you and your end users to:
Explore the VMware Workspace ONE Content to sync a personal content folder.
Configure VMware Workspace ONE Web to secure Internet searches.
Enable VMware Workspace ONE Boxer to configure email.
Use the AirWatch Container as an alternative to MDM by providing separation of corporate
and personal data on device, while maintaining employee privacy.
For more information about managing applications, see Mobile Application Management.
Workspace ONE Intelligent Hub for iOS
The Workspace ONE Intelligent Hub for iOS collects and delivers managed device information to the
UEM console. Because this information may contain sensitive data, Workspace ONE UEM takes
extensive measures to ensure that the information is encrypted and that it originates from a trusted
source.
Workspace ONE UEM uses a unique certificate pair to sign and encrypt all communication between
Workspace ONE Intelligent Hub for iOS and the server. These certificates also allow the server to
verify the identity and authenticity of each device enrolled in Workspace ONE UEM. This overview
details the benefits and necessities of both security enhancements.
Understanding the Certificate Exchange
Before any data is transferred, the Workspace ONE Intelligent Hub application and the server trade
personalized certificates. This relationship is established when Workspace ONE Intelligent Hub for
iOS checks into the Workspace ONE UEM server for the first time during enrollment.
1. Workspace ONE Intelligent Hub for iOS communicates with the Workspace ONE UEM
server to obtain the server’s certificate public key. Both Workspace ONE Intelligent Hub for
iOS and the Workspace ONE UEM server trust the public key of the Workspace ONE UEM
Root certificate, which verifies the authenticity of all certificates involved in the enrollment
exchange.
2. Workspace ONE Intelligent Hub for iOS validates the server’s certificate against the
Workspace ONE UEM Root CA certificate.
3. Workspace ONE Intelligent Hub for iOS sends the public key of its own unique certificate to the Workspace ONE UEM server.
4. The Workspace ONE UEM server associates the Workspace ONE Intelligent Hub’s certificate with that device in the database.
Securing the Data in Transit
After the initial exchange of certificates, all data sent to the UEM console is encrypted from that point forward. The following table shows the two certificates involved and their responsibility in the transaction: the Hub signs with its own private key and encrypts with the server’s public key, and the server verifies the signature with the Hub’s public key and decrypts with its own private key.
Role Hub Certificate Server Certificate
Workspace ONE Intelligent Hub Sign the Data Encrypt the Data
Workspace ONE UEM Server Verify the Data Origin Decrypt the Data
APIs and Application Functionality
There are two categories of APIs that Workspace ONE UEM uses with iOS devices for management
and tracking capabilities:
Over-the-Air (OTA) MDM APIs are activated through the enrollment process, regardless of whether Workspace ONE Intelligent Hub for iOS is used.
Native iOS SDK APIs are available to any third-party application, including Workspace ONE Intelligent Hub applications and any other application using the Workspace ONE UEM Software Development Kit (SDK).
The Workspace ONE Intelligent Hub for iOS acts as the broker application that integrates with the Native iOS SDK API layer of management. When using Workspace ONE Intelligent Hub for iOS combined with the Workspace ONE UEM SDK for iOS, administrators can take advantage of more MDM features for applications than what is offered in the Over-the-Air (OTA) MDM API layer.
Configure Workspace ONE Intelligent Hub Settings for iOS Devices
You can customize the Workspace ONE Intelligent Hub settings in the UEM console. For example,
specify an SDK Profile to use with the Workspace ONE Intelligent Hub to harness Workspace ONE
UEM functionality.
Procedure
1. Navigate to Devices > Device Settings > Apple > Apple iOS > Hub Settings.
2. Configure the following settings for the Workspace ONE Intelligent Hub:
Setting Description
Disable Un-Enroll in Hub This setting deactivates the user’s ability to unenroll from Workspace ONE UEM MDM using the Workspace ONE Intelligent Hub. This setting is only available in the Workspace ONE Intelligent Hub v4.9.2 and higher.
Background App Refresh This setting tells the Workspace ONE Intelligent Hub the maximum allowed time interval to refresh app content. Some applications run for a brief period before reaching a suspended state.
Background App Refresh is a feature in iOS where the application itself wakes from this suspended state. During this refresh, the Workspace ONE Intelligent Hub reports information, such as compromised detection, hardware details, GPS, iBeacon, and telecom, to the UEM console. The frequency at which the Workspace ONE Intelligent Hub refreshes is controlled by the OS and only completed at efficient times, such as when the device is plugged into a power source or connected to Wi-Fi, and according to how often the app is used.
To take advantage of the Background App Refresh feature, this setting must be enabled in the UEM console, the Workspace ONE Intelligent Hub must not be force-quit on the device, and Background App Refresh must be enabled on the device for the Workspace ONE Intelligent Hub under Settings > General > Background App Refresh.
Minimum Refresh Interval Select the minimum amount of time that must pass before the device attempts to refresh app content.
Transmit on Wi-Fi only Enable background refresh to occur over Wi-Fi connections only.
3. For extra Workspace ONE Intelligent Hub configurations, use the Settings and Policies page in the UEM console; Single Sign On is described later in this guide.
What to do next
For information about offline access, branding, and other Settings and Policies, refer to the VMware AirWatch Mobile Application Management Guide.
Workspace ONE Intelligent Hub Mobile Application for iOS
After enrolling the Workspace ONE Intelligent Hub, the application defaults to a My Device screen.
Here you can view real-time information about your device, sync the device, re-enroll the device,
and read messages that have been sent from the UEM console.
The Self Service Enabled check box must be selected in the Hub Settings in the UEM console to
see all the status information.
Note: If the Disable Un-enroll Hub option is not checked in Hub Settings, select Un-enroll Device
before re-enrolling with the Workspace ONE Intelligent Hub v4.9.2.
My Device Functionality
Tap the Status menu to view various statuses and self-service diagnostic options:
Sync Device – Tap this action to send a request to resync the device with the UEM
console.
Current Status – Use the menus to find information about enrollment, re-enroll the
device, view accounts, and compliance.
Diagnostics – Use these menus to test connectivity, view Internet access,
connectivity issues, server information, and view and send Hub and Device logs.
Tap the Device Details menu to view various status options:
Network – View network adapters and IP addresses.
Advanced – Use these menus to find information about the device’s battery,
memory, and disk space.
Location – View GPS coordinates for your device for the current and previous time periods.
iBeacon – View the name of the iBeacon region. If iBeacon is configured but location
data is not configured, then the device displays only the iBeacon area. If iBeacon and
location data are enabled, then the device displays the iBeacon region and the map
with the location on the device.
Use the dock at the bottom of the screen to find additional information including:
Messages – Read notifications from the UEM console. For example, you may receive
notifications in the message center to complete a required compliance check to
ensure that your device can be successfully monitored.
About – Find information about the Workspace ONE Intelligent Hub application and
legal information.
VMware Workspace ONE Content
VMware Workspace ONE Content is an application that enables your end users to access important
content on their devices while ensuring file safety for your organization.
From the Workspace ONE Content, end users can access content you upload in the UEM console,
content from synced corporate repositories, or their own personal content.
Use the UEM console to add content, sync repositories and configure the actions that end users can
take on content opened within the application. These configurations prevent content from being
copied, shared, or saved without approval.
For more information about Mobile Content Management (MCM) and configuring VMware Workspace ONE Content, see the VMware Workspace ONE UEM Mobile Content Management Guide.
VMware Workspace ONE Web
VMware Workspace ONE Web is an application that provides a manageable and secure alternative
to native Web browsers. You can secure the browsing experience on an application, tunnel, and
Web site level.
You can configure the Workspace ONE Web to meet unique business needs by restricting Web
access to Web sites and providing a secure Internet portal for mobile point-of-sale devices. Provide
users with a standard browsing experience, including support of multi-tabbed browsing and
JavaScript dialog box. For maximum security on your Android and iOS devices, consider deploying
the Workspace ONE Web with a Restrictions profile blocking the native browser.
For additional information about preparing and configuring the Workspace ONE Web for
deployment, see the VMware Workspace ONE Web Admin Guide.
VMware Workspace ONE Boxer
VMware Workspace ONE Boxer is an email application that offers a consumer-centric focus on mobile productivity with enterprise-grade security in the form of AES 256-bit encryption. This app containerizes business data from personal data, providing frictionless access to enterprise email, calendar, and contacts across corporate-owned and employee-owned devices.
Workspace ONE Boxer allows users to personalize the app to meet their needs with features like
custom swipe gestures, contact avatars, custom smart folders, and account color preferences. The
all-in-one email, calendar, and contacts app provides an intuitive user experience following native
design paradigms on devices.
For more information on VMware Workspace ONE Boxer, see the VMware Workspace ONE Boxer
Admin Guide.
AirWatch Container for iOS
AirWatch Container offers a flexible approach to Bring Your Own Device (BYOD) management by
pushing a secure work space to a personal device. Businesses can distribute Workspace ONE UEM
applications and internal applications to the AirWatch Container for employees to use on their mobile
devices.
Applications are visible inside and outside the AirWatch Container, but the enterprise applications
are secure through a common SDK framework and a container passcode. These apps can interact
seamlessly using single sign on authentication and can connect securely to the Internet through an
app tunnel VPN.
For more information about the AirWatch Container, refer to the VMware AirWatch Container
Admin Guide.
Enforcing Application-Level Single Sign On Passcodes
Single sign on (SSO) allows end users to access Workspace ONE UEM apps, wrapped apps, and
SDK-enabled apps without entering credentials for each application. Using the Workspace ONE
Intelligent Hub or the AirWatch Container as a “broker application,” end users authenticate once per
session using their normal credentials or an SSO Passcode.
Enable SSO as part of the Security Policies that you configure to apply to all Workspace ONE UEM
apps, wrapped apps, and SDK-enabled apps using a Default SDK Profile.
1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security
Policies.
2. Set Single Sign On to Enabled to allow end users to access all Workspace ONE UEM applications and maintain a persistent login.
3. Set Authentication Type to Passcode and set the Passcode Mode to either Numeric or Alphanumeric to require an SSO Passcode on the device. If you enable SSO but do not set an Authentication Type, end users use their normal credentials (either directory service or Workspace ONE UEM account) to authenticate, and an SSO Passcode does not exist.
Once an end user authenticates with an application participating in SSO, a session is established. The session remains active until the Authentication Timeout defined in the SDK profile is reached or the user manually locks the application.
Apple Configurator Overview
Workspace ONE UEM integrates with Apple Configurator to enable you to supervise and manage
scaled deployments of Apple iOS devices. Administrators can create configuration profiles, import
existing profiles from the iPhone Configuration Utility, install specific operating system versions and
enforce iOS device security policies.
Install and run Apple Configurator 2 from a macOS laptop to integrate with the Workspace ONE UEM
console to supervise and configure one or many devices at the same time.
Install the Workspace ONE UEM MDM profile as part of the configuration to enroll devices
silently.
Supervise dedicated line-of-business devices that are shared among different users.
Create configuration profiles to change device settings for Wi-Fi networks, preconfigure mail and Microsoft Exchange settings, and more.
Distribute public apps without entering an Apple ID on the device using Configurator.
Create blueprints to automate device management. Use blueprints as templates to configure profiles and applications and push them quickly to devices.
Add Supervision to devices and take advantage of even more management capabilities, including showing or hiding applications, modifying the device name, wallpaper, passcodes, keyboard shortcuts, and more.
Back up user settings and app data, including new user-created data, using Configurator.
Apple Configurator 2 also works with Apple’s Device Enrollment Program (DEP) to automate Mobile Device Management (MDM) enrollment and with the Volume Purchase Program (VPP) by assigning managed app licenses to devices.
For a complete list of features and functionality available to supervised and unsupervised devices, refer to the iOS Functionality appendix.
For information on enrolling iOS devices with Apple Configurator, see Enrolling iOS Devices in Bulk using Apple Configurator and the Integration with Apple Configurator guide.
Upload a Signed Apple Configurator Profile to the UEM console
You can export a signed profile from Apple Configurator (or IPCU) directly to the UEM console.
1. Configure supervision and management settings in Apple Configurator (or IPCU).
2. Export and save the newly created profile to somewhere easily accessible on your computer.
3. Navigate to Resources > Profiles & Baselines > Profiles within the UEM console and select
Upload.
4. Enter the Managed By group and select Upload to locate and upload the profile exported
from Apple Configurator (or IPCU). Click Continue.
5. Enter the general profile description, including name, description, and assigned organization
groups.
6. Click Save & Publish to send the profile down to assigned devices.
Configure iOS Devices
Workspace ONE UEM helps you configure key elements to manage your end users’ device
experience to meet your enterprise objectives. The functionality detailed in this section provides
granular detail of the interface and experience of your managed devices.
Many of these configurations are available only with certain types of deployments, such as Apple
DEP deployments or Apple School Manager deployments.
Apple Industry Templates
Choose industry templates to expedite your deployment process.
Apple Industry templates automatically bundle recommended mobile apps, profiles, and compliance
policies so that they can be pushed simultaneously to the required organization group.
Industry templates available on the UEM console v8.2.2 include Healthcare and Retail.
Industry templates available on the UEM console v8.3+ include Healthcare, Retail, Education,
Hospitality, and Field Services.
Types of Templates
Use the following table to determine what kind of template and initiative best describes the type of mobile configuration you need. Each template includes recommended applications and security policies based on expert research, industry standards, and best practices.
Industry Initiative Description
Healthcare Clinical Collaboration Deliver timely communication to medical staff and patients to ensure the best care without sacrificing security. (UEM console v8.2.2+)
Healthcare Mobile Clinician Workflows Allow physicians, nurses, pharmacists, and others to use real-time communication to deliver care to patients whether they are at home or located in another medical facility. (UEM console v8.2.2+)
Healthcare Patient Care Improve medical outcomes and patient satisfaction by using iPads and mobile applications to enhance the patient experience. (UEM console v8.2.2+)
Education Digital Classroom Use iPads and mobile applications to communicate with teachers, students, and parents about assignments, student behavior, and more. (UEM console v8.3+)
Education Making Learning Fun Keep students engaged and focused through digital learning and collaboration. (UEM console v8.3+)
Education Mobile Cash Register Authorize employees to become points of sale from any location, such as a bookstore or an administrative office. (UEM console v8.3+)
Hospitality Guest Experience Create memorable guest experiences to foster loyalty and ensure guests return by allowing them to schedule their own services, look for attractions, or redeem loyalty bonuses. (UEM console v8.3+)
Hospitality Hotel Management Manage bookings and reservations and track staff schedules, shift responsibilities, and special requests in real time. (UEM console v8.3+)
Hospitality Mobile Payment Integrate mobile payment solutions into POS systems so guests may take advantage of fast payment options, or authorize employees to become points of sale wherever needed. (UEM console v8.3+)
Retail Mobile In Store Experience Serve customers from anywhere in the store by browsing products, providing product information, performing a price check, or making a sale. (UEM console v8.3+)
Retail Mobile Cash Register Create mobile points of sale and free up floor space for merchandise. (UEM console v8.2.2+)
Retail Store Managers Give managers the freedom to work on reports, employee schedules, and payroll from anywhere in the store. (UEM console v8.2.2+)
Field Services Field Employee Increase efficiency for sales reps, service technicians, and others to deliver improved paperless services and real-time data to customers. (UEM console v8.3+)
Field Services Field Manager Provide dynamic scheduling and real-time reporting capabilities to managers to communicate with employees, identify locations, edit schedules, and assign tasks. (UEM console v8.3+)
Working with Profiles and Compliance Policies for Industry Templates
Profiles - The ability to add or edit profiles is supported in the UEM console from the List View page only. Any changes made on the List View page are not reflected in the industry template UI under Monitor.
Compliance Policies - The only compliance policy that is seeded and available for viewing within industry templates is Compromised Status in the UEM console 8.2.2+. Similar to profiles, the ability to add or edit compliance policies is supported from the List View page only. Any changes made on the List View page are not reflected in the industry template UI under Monitor.
For more information on setting up profiles and compliance policies, refer to the VMware Workspace ONE UEM Mobile Device Management Guide, available on Workspace ONE UEM Resources.
Create an Apple Industry Template
Configure initiative-specific settings using a template. For example, you can create a Patient Care template to push to devices used by patients, or a Clinical Collaboration template to push to a user group of doctors and a user group of nurses.
Prerequisites
Consider creating your User Groups before you begin this process.
Procedure
1. Navigate to Monitor > Industry Templates > List View > Add Template. An Add Template
window appears.
2. Select the appropriate Industry category. A Getting Started with Industry Templates
window appears.
a. If you want to select another industry and pick different initiatives, select Choose Another
Industry at the bottom of the window to override the current industry if needed.
3. Choose the business initiative to configure and select Setup.
4. Select Next after reviewing the template overview. A new window appears where you can
customize the template.
5. Set the Friendly Name that appears in the UEM console.
6. Choose what Applications to push to your users by selecting and deselecting apps. All the
seeded apps are recommended and pre-selected by default. Alternatively, select Add App
to search the app store for public applications or to upload internal applications.
a. Choose More Options to push the application in Auto mode or On-Demand and create a
custom Application Configuration to enter the key value pairs.
If you choose the Mobile In Store Experience template and select VMware Browser in single
app mode, configure the URL before pushing the template to devices by navigating to
Groups & Settings > All Settings > Apps > Browser > Mode > Home Page URL. These
devices must be configured in supervised mode.
7. Review Policies that apply to the selected template.
8. Assign Users or user groups for deployment, or create users. Directory services must already
be configured to add directory users. If a new user or group is created, it appears on the
Accounts > List View page in UEM console, even if the industry template is not yet
deployed.
9. Select Next after confirming your selections.
10. Select Publish. The new template creates a smart group to which all apps, profiles, policies,
users, and user groups are assigned. The new template now appears in the Industry
Templates > List View.
Consider assigning one template to one group of devices, so that only one business initiative
is assigned to each device. However, if you assign more than one template to the same
group, then all the apps from both templates install and the most restrictive policies are sent
to the device.
Edit Application Lists in Apple Industry Templates
You can customize the industry templates you create with specific app deployment configurations.
1. Quickly remove a public application and push the updated application list to users
immediately.
a. Navigate to Monitor > Industry Templates > List View.
b. Select the pencil button or template name to edit the template.
c. Deselect the application. The check mark in the corner disappears.
d. Select Next > Publish to save and republish the template.
2. Upload a new application version of an internal app after deleting the old version.
a. Select the pencil button or template link to edit the template.
b. Select More Options. A trash can icon appears on the internal application.
c. Select Remove and follow the prompt to delete the application from the list.
d. Select Add App to upload the updated application.
e. Select Next > Publish to save and republish the template with the new application version.
Consider editing applications only within the industry template. Applications can also be
edited from Resources > Apps > Native in the UEM console, but any changes made to
applications from the Native List View page are not reflected in the industry template UI.
Delete an Apple Industry Template
You can edit and delete templates at the current or parent Organization Group level only. You
cannot edit or delete templates that were created at a higher Organization Group; you can only view
them.
1. Navigate to Monitor > Industry Templates > List View.
2. Select the radio button. A Delete button appears at the top of list.
3. Select Delete and follow the prompt to delete the template. Deleting a template also deletes
the corresponding applications and policies from assigned devices.
Deleting a template does not remove the application from Applications > Native or remove
the smart group from Groups > List View.
Apple iBeacon Overview
Apple iBeacon with Workspace ONE Intelligent Hub v5.1+ helps manage location awareness for
devices. Using Bluetooth Low Energy (BLE), iBeacons provide a more efficient way to track devices
than using geofencing.
Bluetooth Low Energy does not drain the battery life of a device, and you can establish iBeacons to
observe multiple regions simultaneously, providing more precise monitoring. This functionality also
allows more privacy for end users because devices are only tracked when the device enters or exits
specific locations, instead of being constantly monitored.
After setting up a third-party iBeacon, configure the iBeacon in the UEM console. Next, create
iBeacon regions to monitor. Last, push device profiles with iBeacon functionality to manage iBeacons
within the configured regions using the Workspace ONE Intelligent Hub. Detect when the device
enters these regions and use device event logs to find changes in iBeacon ranges.
Requirements for iBeacon
Workspace ONE UEM console v8.1+
iBeacons from a third-party vendor
Workspace ONE Intelligent Hub v5.1+ for iOS
Location services on the device must be enabled
Bluetooth must be enabled
iPhone 4S+, iPad mini+, iPad 3rd Generation+, iPod touch 5th Generation+
iBeacon Operations Details
A maximum of 20 regions, including geofencing and iBeacon groups, may be assigned to the
device. This is the maximum that Apple allows. A high number of iBeacon groups
assigned to the device increases battery consumption on the device.
The Workspace ONE Intelligent Hub monitors iBeacons only. It does not use the ranging
technique that determines the proximity of the device to the iBeacon transmitter.
If the Workspace ONE Intelligent Hub is stopped before a device exits the iBeacon group,
the device is not detected until the Workspace ONE Intelligent Hub is launched again.
Enable iBeacon for iOS Devices
To configure iBeacon, first enable the Workspace ONE Intelligent Hub to detect iBeacon groups that
receive broadcasts. Then, add a set of iBeacon groups for the device to monitor.
1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > Apple iOS >
Hub Settings.
2. Scroll to Area and select Detect iBeacon Area to enable an iBeacon for the organization
group.
3. Select Save.
4. Navigate to Resources > Profile & Baselines > Settings > Areas.
5. Select Add > iBeacon Group. Choose Add > Add Profile or Edit an existing profile using
the pencil button on the left-side of the profile. A General profile window appears.
6. Configure the iBeacon Group settings.
Group Name - Enter the name for the specific iBeacon group.
iBeacon Name - Enter the name of the iBeacon.
UUID - Enter the unique identifier shared by the iBeacon deployment.
Major Value - Enter an identifier to subdivide the area of the iBeacon.
Minor Value - Enter an extra identifier to further subdivide the area of the iBeacon.
7. Select Save. Return to Area and edit and delete iBeacon groups as needed using the menu
buttons on the left.
Assign iBeacon Groups to Device Profiles
Once the iBeacon group is established, you can assign the group to a device profile. This profile is
then installed on the device when it enters the iBeacon group and is removed when it exits the
group.
1. Navigate to Resources > Profiles & Baselines > Profiles. Choose Add> Add Profile or Edit
an existing profile using the pencil button on the left-side of the profile. A General profile
window appears.
2. Scroll to Additional Assignment Criteria on the General profile.
3. Select Install only on devices inside selected areas and select the iBeacon from Assigned
Geofence Areas.
4. Continue to configure the payload as needed.
5. Select Save & Publish. You can now manage devices in the iBeacon group with the
Workspace ONE Intelligent Hub.
Add Compliance Policies for iBeacon Groups
Once the iBeacon group is established, add compliance policies to enforce actions on the device
when it enters or exits the iBeacon group.
1. Navigate to Devices > Compliance Policies > List View, and select Add and then Apple
iOS.
2. Choose Any or All of the rules to match.
3. Select iBeacon Area and choose within/not within for a specific iBeacon group and select
Next.
4. Choose the Actions tab and select actions that can occur in the iBeacon group. For detailed
information on the applicable actions on Apple iOS, see the Compliance Policies Actions by
Platform section of the Managing Devices documentation.
5. Select Finish and Activate when you have completed the compliance policy configuration.
Verify that the policy is available on the Device Details page in the UEM console.
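The following is an added example, not Workspace ONE UEM code, that models the behaviour described in the iBeacon sections above: a group is matched against the beacons the OS sees, an area-scoped profile is installed on entry and removed on exit, a "within" compliance rule is evaluated, and the 20-region budget (geofences plus iBeacon groups) is checked. Assumptions of mine: matching follows the iBeacon convention (UUID must match, Major and Minor only when configured), and a stopped Hub misses enter/exit events; the UUID and device identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_REGIONS = 20  # Apple's limit quoted in the guide: geofences and iBeacon groups count together


@dataclass(frozen=True)
class IBeaconGroup:
    """One iBeacon Group as configured under Settings > Areas."""
    group_name: str
    uuid: str
    major: Optional[int] = None  # None matches any major under the UUID
    minor: Optional[int] = None  # None matches any minor under the major

    def matches(self, uuid: str, major: int, minor: int) -> bool:
        """Assumed iBeacon rule: UUID must match; Major/Minor only if configured."""
        if uuid.lower() != self.uuid.lower():
            return False
        if self.major is not None and self.major != major:
            return False
        if self.minor is not None and self.minor != minor:
            return False
        return True


@dataclass
class Profile:
    """A device profile; install_only_in names an area, or None for no area rule."""
    name: str
    install_only_in: Optional[str] = None


@dataclass
class Device:
    udid: str
    groups: list                  # assigned IBeaconGroup objects
    geofence_count: int = 0       # geofence areas also assigned to the device
    hub_running: bool = True      # monitoring happens inside the Intelligent Hub
    inside: set = field(default_factory=set)     # group names currently entered
    installed: set = field(default_factory=set)  # profile names on the device
    event_log: list = field(default_factory=list)

    def region_budget_ok(self) -> bool:
        return len(self.groups) + self.geofence_count <= MAX_REGIONS


def observe(device, profiles, beacons):
    """One monitoring pass. `beacons` lists the (uuid, major, minor) advertisements
    the OS currently sees. Returns (entered, exited) sets of group names."""
    if not device.hub_running:
        return set(), set()  # Hub stopped: enter/exit events go unnoticed
    now_inside = {g.group_name for g in device.groups
                  if any(g.matches(*b) for b in beacons)}
    entered = now_inside - device.inside
    exited = device.inside - now_inside
    device.inside = now_inside
    for name in sorted(entered):
        device.event_log.append(f"enter {name}")
    for name in sorted(exited):
        device.event_log.append(f"exit {name}")
    # Area-scoped profiles install on enter and are removed on exit.
    for p in profiles:
        if p.install_only_in in entered:
            device.installed.add(p.name)
            device.event_log.append(f"install {p.name}")
        elif p.install_only_in in exited:
            device.installed.discard(p.name)
            device.event_log.append(f"remove {p.name}")
    return entered, exited


def within(device, group_name):
    """Compliance rule 'iBeacon Area within <group>' evaluated for one device."""
    return group_name in device.inside


def demo():
    # Constructed sample data; the UUID is a placeholder, not a real deployment.
    uuid = "00000000-0000-0000-0000-00000000aaaa"
    ward = IBeaconGroup("Ward A", uuid, major=1)
    profiles = [Profile("Clinical Wi-Fi", install_only_in="Ward A"), Profile("Passcode")]
    dev = Device("UDID-EXAMPLE-1", groups=[ward], geofence_count=3)
    observe(dev, profiles, [(uuid, 2, 7)])  # major 2 is another area: no match
    observe(dev, profiles, [(uuid, 1, 7)])  # major 1 matches Ward A: profile installs
    observe(dev, profiles, [])              # device leaves the ward: profile removed
    return dev


if __name__ == "__main__":
    print(demo().event_log)
```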
Activation Lock Overview
Activation Lock is a security feature for devices running iOS 7 and higher that uses Apple’s Find My
iPhone functionality. This feature makes it difficult for unauthorized persons to use a lost or stolen
device.
When Activation Lock is enabled, an end user’s Apple ID and password are required to unlock a
device even if the device is wiped or factory reset, including through DFU mode. For more
information about Activation Lock as an iOS feature, read the Apple Support article Find My iPhone
Activation Lock.
Prerequisites
To use the Activation Lock feature, devices must have the following:
A valid Apple ID and password assigned
Find My iPhone enabled
Activation Lock for Unsupervised vs. Supervised Devices
The extent to which you can manage devices with Activation Lock depends on whether the devices
are supervised or unsupervised. The following table outlines the differences:
Unsupervised
- End user must enable the Find My iPhone setting.
- Administrator can view whether Activation Lock is enabled on a particular device.
- Administrator must accept a notification when performing a device wipe command, which warns
that a device with Activation Lock enabled cannot be reactivated without the original Apple ID and
password*.
Supervised
- Administrator can enable Activation Lock. This automatically activates the Find My iPhone setting.
- Administrator can view whether Activation Lock is enabled on a particular device.
- Administrator can clear the Activation Lock using one of three methods.
* To learn how to remove a previous owner’s Apple ID in order to reactivate a device, read the
Apple Support article Find My iPhone Activation Lock.
Enable Activation Lock for iOS Devices
For supervised devices running iOS 7 and higher, you can configure Activation Lock and force it to
be enabled.
Procedure
1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > Apple iOS >
Managed Settings.
2. Select the Activation Lock setting.
3. Select Save.
Viewing Activation Lock Status
For both unsupervised and supervised devices running iOS 7 and higher, you can view whether
Activation Lock is enabled on the device.
Procedure
1. Navigate to Devices > List View.
2. Select an iOS device.
Under the Security section, you can see whether Activation Lock is activated or deactivated.
Clear Activation Lock on iOS Devices
For supervised devices running iOS 7 and later, you can clear the Activation Lock using one of three
methods.
Procedure
1. Use the Clear Activation Lock command.
2. Enter an Activation Lock Bypass Code directly onto the device.
3. Perform a Device Wipe Command and select an option to clear the Activation Lock.
Use the Clear Activation Lock Command
Using the Clear Activation Lock command you can clear the Activation Lock on a device without
performing a device wipe. This command is useful if you know the whereabouts of the device and
do not want to wipe its contents completely to clear the lock.
This command also works if the device is unenrolled from Workspace ONE UEM MDM.
1. Navigate to Devices > List View.
2. Select an iOS device.
3. The Device Details page displays. Select the More drop-down to see a list of available remote
commands.
4. Select Clear Activation Lock.
5. Select Deactivate.
Enter an Activation Lock Bypass Code
Entering an Activation Lock Bypass Code can be useful if the device has been unenrolled from
Workspace ONE UEM MDM and you have no means by which to perform a Clear Activation Lock
command or device wipe.
1. Navigate to Devices > List View.
2. Select an iOS device. The Device Details page displays.
3. Select the More drop-down to see a list of available remote commands.
4. Select Clear Activation Lock. The Activation Lock Bypass Code displays on the screen.
After the device is factory wiped using MDM, reactivate it. When you reach the Activate iPhone pane
in the Setup Assistant, enter the bypass code as the Activation Lock password and leave the Apple ID
text box empty.
Perform a Device Wipe Command
When performing a device wipe command, you also have the option of clearing the Activation Lock
on a device.
1. Navigate to Devices > List View.
2. Select an iOS device. The Device Details page displays.
3. Select the More drop-down to see a list of available remote commands.
4. Select Device Wipe. The Device Wipe page displays.
5. Select Clear Activation Lock. Enter your Security PIN, and the device is wiped.
Activation Lock - Wipe Command Workflow Matrix
The following matrix shows the workflow to check the activation lock bypass code before issuing the
wipe command from the UEM console to the device. The bypass code check can be initiated from
the Device List View page or the Device Details page.
Device Wipe
- Device List View: Not applicable.
- Device Details page:
  1. The UEM console sends a query to the device to fetch the activation lock bypass code.
  2. The device is marked as Device Wipe Initiated in the UEM console.
  3. If wipe protection is turned off on the device, the device responds with the bypass code to the
  UEM console.
  4. The UEM console sends the device wipe command to the device.
  5. The device responds with the successful wipe message to the UEM console.
  6. The device is marked as Unenrolled in the UEM console.
Enterprise Wipe
- Device List View and Device Details page (the workflow is the same from both):
  1. The UEM console sends a query to the device to fetch the activation lock bypass code.
  2. The device is marked as Enterprise Wipe Initiated in the UEM console.
  3. If wipe protection is turned off on the device, the device responds with the bypass code to the
  UEM console.
  4. The UEM console sends the enterprise wipe command to the device.
  5. The device responds with the successful wipe message to the UEM console.
  6. The device is marked as Unenrolled in the UEM console.
Remote View
With the Remote View feature, administrators can easily assist with troubleshooting by viewing an
MDM managed end user’s device from the UEM console that is integrated with the partner system.
Integration of the partner system with the UEM console offers a complete remote management suite
with Remote View capabilities.
For more information on configuring and integrating Remote Management services using the
partner system with the UEM console, refer to the VMware AirWatch Advanced Remote Management
Guide found on docs.vmware.com.
Prerequisites to initiate a Remote View
UEM console provisioned with proper partner hostname and all required certificates.
End User devices registered with partner by the Workspace ONE Intelligent Hub.
Remote View Device Requirements
Devices must have the Workspace ONE Intelligent Hub v5.8 or higher installed and in the
foreground when you attempt to initiate remote view.
iOS 11 and higher devices are required to run the Start Remote View command.
iOS 11 and higher Supervised devices are required for administrators to run the Stop Remote
View command. This command appears on the partner console.
Configure the UEM Console with Remote View
For On-premises deployments, provision the site URLs with proper hostname for the partner system
at the Global organization group in the Site URLs page.
1. Navigate to Groups & Settings > All Settings > System > Advanced > Site > Site URLs.
2. In the Workspace ONE Assist section, configure the Remote Management settings.
Console Connection Hostname - Enter the Remote Management server fully qualified domain name
(FQDN) plus “/t10”. For example: https://rmstage01.awmdm.com/t10
Device Connection Hostname - Enter the ARM server fully qualified domain name (FQDN). For
example: https://rmstage01.awmdm.com
The Device Hostname is the only URL used for device registration and gets delivered to all the
devices in the organization group when the partner is provisioned.
3. Select Save.
Configure End-User Devices
Now that the console is configured, you must install the iOS-specific Hub on the devices so that they
can be remotely managed.
1. Visit the my Workspace ONE page that lists all the device agents.
https://my.workspaceone.com/products/AirWatch-Agent.
2. Download Workspace ONE Intelligent Hub from the iOS App store for your deployment.
For more information about App Management, see the Mobile Application Management guide
in the VMware AirWatch documentation.
3. Customize control center for initiating screen broadcasting:
a. Navigate to Settings > Control Center > Customize Controls.
b. Add Screen Recording.
Initiate a Remote View Session
Use a Remote View session to assist with troubleshooting by viewing an end user’s device from
the UEM console.
1. Navigate to Devices > List View > Select Device > More Actions > Support > Start Remote
View.
The Remote Support window appears. The UEM console verifies the device’s capabilities before
initiating the broadcast. Simultaneously, a push notification is sent to the end user device
through Workspace ONE Intelligent Hub to start the broadcast. The user must open the
device Control Center and force touch Screen Recording, then select Hub Broadcast >
Start Broadcast to begin broadcasting the device’s screen. The device begins capturing the
UI and shares it with the Workspace ONE Intelligent Hub, which in turn is linked to the
Advanced Remote Management server.
2. In the Remote Support window, select Launch Session to initiate the remote view session.
Once the connection is made, the remote management client opens on the console and
the mirrored device screen is displayed.
Note: The UEM console displays a four-digit PIN which you must direct the customer to
enter into their device. This action provides customer authorization to manage their device
remotely.
3. Select Cancel, if required to end the session.
Request AirPlay for an iOS Device
Using the AirPlay command, administrators can easily mirror screens from a macOS computer to a
tvOS device on the same subnet as an end user’s iOS 7+ device.
If an end user needs assistance, simply send an AirPlay request from the UEM console to the device
to share your screen on an end user’s device.
1. Navigate to Devices > List View > Select Device > Support > More > Start AirPlay. An
AirPlay window appears.
2. Select Add a Destination to start adding destinations to view. An Add New AirPlay
Destination window appears.
3. Enter the Destination Name, which is the friendly name for the device.
4. Enter the Destination Address, which is the MAC address of the device to view.
5. Enter the Password for the destination.
6. Determine the Scan Time, which is the length of time that the device searches for the
destination. The default value is 30 seconds.
7. Select the Set as Default check box to make the current destination the default destination.
The next time AirPlay is used, the default destination appears as the Destination Name. It
does not have to be entered again.
8. Select Save and Start to send the AirPlay request to the device.
a. This destination is saved for the next request in the Destination Name drop-down menu.
9. To Stop AirPlay on iOS 7+ supervised devices, navigate back to the UEM console. Go to
Devices > List View > Select Device > Support > More > Stop AirPlay.
10. To edit an AirPlay destination:
a. Navigate to Devices > List View > Select Device > Support > More > AirPlay. An AirPlay
window appears.
b. Choose the Device Destination to edit from the drop-down menu.
c. Select Edit to start editing the destination settings. An Edit AirPlay Destination window
appears.
d. Select Save and Start to send the AirPlay request to the device.
Configure Managed Settings for iOS Devices
The Managed Settings page in the UEM console lets you configure a few extra settings related to the
Workspace ONE Intelligent Hub and managing iOS devices.
1. Navigate to Devices > Device Settings > Devices & Users > Apple > Apple iOS > Managed
Settings > Default Managed Settings.
2. Configure which devices the settings affect according to ownership type, including Corporate
- Dedicated, Corporate - Shared, Employee Owned, and Unknown.
3. Activate or deactivate:
a. Voice Roaming (iOS 5+)
b. Data Roaming (iOS 5+)
c. Personal Hotspot (iOS 7)
d. Activation Lock (iOS 7 and Supervised)
e. (iOS 11.3+ Supervised)
4. Select Save to save the settings to devices in the current organization group.
Configure Organization Settings
The Managed Settings Requested page in the UEM console lets you configure settings related to
branding in Workspace ONE Intelligent Hub and managing iOS devices. Change the settings
including default wallpaper, home screen image, organizational settings and so on.
1. Navigate to Devices > Settings > Devices & Users > Apple > Apple iOS > Managed
Settings.
2. Navigate to Organization Information > Organization Name. Enter the Organization name.
3. Click Save.
4. The organization name that you have entered is included in the installation screen.
Set Required App
The Required App forces installation of a single App Store application with no user prompt on any
device running iOS 15.1 or later. The required app is set on new device enrollments only, because
the iTunes Store ID of the App Store application is part of the MDM profile.
Required App requires:
User Enrolled iOS 15.1 and iPadOS 15.1 devices. For more information on User Enrollment,
see User Enrollment.
Searching for or manually adding the iTunes Store ID for Public and Purchased Apple App Store
apps.
To set the Required App:
1. Navigate to Devices > Settings > Devices & Users > Apple > Apple iOS > Managed
Settings.
2. Navigate to Organization Information > Required App. Search for one of your iOS apps or
manually add the iTunes Store ID. The app must already be added to the current Organization
Group or below to appear in search results.
Note: Admins can find the iTunes Store ID in the URL of the app on the App Store, for example
when the app page is opened in a browser.
Override Default Roaming Settings (iOS)
Override default settings in order to modify roaming permissions for an individual iOS device.
Modify settings to manage roaming status that does not require a permanent restriction.
1. Navigate to Devices > List View. Filter by Platform to locate your desired device. Select its
Friendly Name to launch the Device Control Panel.
2. Select More > Managed Settings.
3. Select the Enable or Disable radio button to override current Voice Roaming Allowed, Data
Roaming Allowed, and Personal Hotspot Allowed settings. Click Save.
Set a Default Wallpaper
Set a default Lock Screen image or Home Screen image for iOS 7+ Supervised devices to match
your corporate branding policies.
1. Navigate to Devices > Device Settings > Devices & Users > Apple > Apple iOS > Managed
Settings. Scroll down to the Default Wallpaper section.
2. Upload a Lock Screen Image or Home Screen Image.
3. Select Save.
Set Default Organization Information
Set up custom organization information for MDM prompts for iOS 7+ devices.
1. Navigate to Devices > Device Settings > Apple > Apple iOS > Managed Settings and scroll
down to the Default Organization Information section.
2. Enter your organization information, including name, phone number, and email.
3. Select Save.
Install Fonts on iOS Devices
Available to macOS Yosemite and devices running iOS 7 and higher, the UEM console provides a
means to upload fonts and install them onto devices. Installing specific fonts allows users to view and
read text that is not supported by standard means.
Compatible font file types are .ttf and .otf. There is no limit to the number of fonts you can
install on devices, and you can remove a font at any time.
Procedure
To install and deploy fonts:
1. Navigate to Devices > Device Settings > Apple > Install Fonts.
2. Drag and drop a supported font file type (.ttf or .otf) onto the screen.
3. Locate the font file and select Save to send the font to all devices enrolled in the current
organization group.
Cisco QOS Marking for iOS Applications
Apple and Cisco have partnered to deliver a better app and voice experience for iOS devices on
corporate networks through Cisco’s QOS fast lane network. Workspace ONE UEM allows you to
select audio and video applications to receive prioritized data allocations.
With Workspace ONE UEM MDM, customers with the Cisco infrastructure can:
Activate or Deactivate use of Cisco QoS fast lane network
Allowlist Applications to benefit from L2 and L3 marking
Enable Audio and Video traffic for built-in services such as FaceTime and Wi-Fi calling for L2
and L3 marking for traffic sent to Wi-Fi network
To configure Cisco QOS Marking for applications, see Create a Wifi Profile in this guide.
Apple Push Notification Service (APNs)
Apple Push Notification service (APNs) is the MDM protocol created by Apple to manage their
devices. It requires the MDM provider to have a valid APNs certificate configured and routes all
commands through Apple’s central cloud messaging servers.
Initiating an APNs command leads to the following:
When an iOS device is enrolled, an APNs token is generated that is connected to a specific
device. The generated token is known to both Workspace ONE UEM console and the APNs
servers.
Once enrolled, a device always (connectivity permitting) exhibits an active connection to
Apple’s APNs servers.
When a command is initiated in the UEM console (such as a profile push or a device lock
command), the following steps occur:
An entry is stored in the Device Command Queue in the UEM database. The entry
contains a specific ID attached to the type of command initiated.
The UEM server (either console or device services depending on where the
command initiated), reaches out to the APNs servers with the APNs token tied to that
specific device.
The APNs server validates the token and informs the device to connect to the MDM server to
receive a command.
The device connects to the device services server. Upon establishing this connection, the
device receives all pending commands from the Device Command Queue.
Apple Push Notification Service (APNs) Certificate
To manage iOS devices, you must first obtain an Apple Push Notification Service (APNs) certificate.
An APNs certificate allows the UEM console to communicate securely to Apple devices and report
information back to the UEM console.
Per Apple’s Enterprise Developer Program, an APNs certificate is valid for one year and then must
be renewed. The UEM console sends reminders through Notifications as the expiration date nears.
Your current certificate is revoked when you renew from the Apple Development Portal, which
prevents device management until you upload the new one. Plan to upload your certificate
immediately after it is renewed. Consider using a different certificate for each environment if you use
separate production and test environments.
Apple Push Notification Service Workflow
Understand the backend workflow of the Apple Push Notification Service before initiating MDM
management on Apple devices.
1. A system administrator remotely performs MDM actions such as lock device, clear device
passcode, device wipe, and break MDM from the UEM console.
A notification is queued in the FastLaneAPNsOutBound queue, which is picked up by the
Workspace ONE Messaging Service and sent to the APNs server. The command itself is queued
in the AWEventLog queue and then picked up by the EntityChangeQueueMonitor service, which
queues the command in the Workspace ONE database server.
2. The device always has an active connection to APNs. All communication with APNs is initiated
by the device, which constantly checks with APNs. The APNs servers let the device know when
an MDM command is waiting for it.
3. Once the device receives the push notification, it checks in to the Workspace ONE device
services server.
4. Device services server checks whether any command is queued for that particular device
(based on DeviceID) in the Workspace ONE database server.
5. Device services server pulls the command which is already queued for that device from the
Workspace ONE database server.
6. Device services generates an XML message and sends it to the device. The native MDM agent
(the MDM profile installed on the device) then performs the required action on the device.
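The APNs command flow described in the two sections above, as an added example that is not Workspace ONE UEM code: the push carries no command, it only wakes the device, which then checks in with device services and drains its Device Command Queue; a device that is offline keeps its commands queued until it reconnects. Assumptions of mine: an in-memory dict stands in for the UEM database, the command XML is a property list shaped like Apple's MDM command format, and the request type names (DeviceLock, ClearPasscode, DeviceInformation) follow Apple's MDM protocol; the device identifier is a constructed placeholder.

```python
import plistlib
import secrets
from collections import deque


class APNsServer:
    """Stand-in for Apple's push servers: validates tokens and forwards wake-ups only."""

    def __init__(self):
        self.tokens = {}  # APNs token -> Device

    def register(self, device) -> str:
        token = secrets.token_hex(16)  # token generated at enrollment
        self.tokens[token] = device
        return token

    def push(self, token: str) -> bool:
        device = self.tokens.get(token)
        if device is None:
            return False  # unknown token: the push is rejected
        if device.online:
            device.wake()  # connectivity permitting, the device checks in now
        return True  # otherwise it checks in when it reconnects


class UEMServer:
    """Console plus device services: stores commands and serves them at check-in."""

    def __init__(self, apns):
        self.apns = apns
        self.tokens = {}         # udid -> APNs token
        self.command_queue = {}  # udid -> deque of pending commands (the database)
        self.acknowledged = []   # (udid, CommandUUID, Status) reported by devices

    def enroll(self, device) -> None:
        self.tokens[device.udid] = self.apns.register(device)
        self.command_queue[device.udid] = deque()
        device.server = self

    def issue(self, udid: str, request_type: str, **params) -> str:
        """Admin action in the console: queue the command, then poke APNs."""
        command_uuid = secrets.token_hex(8)
        self.command_queue[udid].append({
            "CommandUUID": command_uuid,
            "Command": {"RequestType": request_type, **params},
        })
        self.apns.push(self.tokens[udid])  # the push itself carries no command
        return command_uuid

    def next_command(self, udid: str):
        """Device services: hand the oldest pending command to the device as XML."""
        queue = self.command_queue[udid]
        return plistlib.dumps(queue.popleft()) if queue else None

    def acknowledge(self, udid: str, command_uuid: str, status: str) -> None:
        self.acknowledged.append((udid, command_uuid, status))

    def pending(self, udid: str) -> int:
        return len(self.command_queue[udid])


class Device:
    """Enrolled iOS device: the MDM profile acts on commands fetched at check-in."""

    def __init__(self, udid: str, online: bool = True):
        self.udid = udid
        self.online = online
        self.server = None
        self.executed = []  # RequestTypes acted on, in order

    def wake(self) -> None:
        self.check_in()

    def check_in(self) -> int:
        """Connect to device services and drain every queued command."""
        handled = 0
        while True:
            xml = self.server.next_command(self.udid)
            if xml is None:
                return handled
            cmd = plistlib.loads(xml)
            self.executed.append(cmd["Command"]["RequestType"])
            self.server.acknowledge(self.udid, cmd["CommandUUID"], "Acknowledged")
            handled += 1


def demo():
    apns = APNsServer()
    uem = UEMServer(apns)
    dev = Device("UDID-EXAMPLE")  # constructed sample device
    uem.enroll(dev)
    uem.issue(dev.udid, "DeviceLock")      # online: executes on the spot
    dev.online = False                     # device loses connectivity
    uem.issue(dev.udid, "ClearPasscode")   # waits in the Device Command Queue
    uem.issue(dev.udid, "DeviceInformation")
    dev.online = True
    dev.check_in()                         # reconnect: both queued commands drain
    return uem, dev
```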
Device Management
After your devices are enrolled and configured, manage the devices using the Workspace ONE
UEM console. The management tools and functions enable you to keep an eye on your devices and
remotely perform administrative functions.
You can manage all your devices from the UEM console. The Dashboard is a searchable,
customizable view that you can use to filter and find specific devices. This feature makes it easier to
perform administrative functions on a particular set of devices. The Device List View displays all the
devices currently enrolled in your Workspace ONE UEM environment and their status. The Device
Details page provides device-specific information such as profiles, apps, Workspace ONE Intelligent
Hub version, and the version of any applicable OEM service currently installed on the device. You
can also perform platform-specific remote actions on the device from the Device Details page.
Device Dashboard
As devices are enrolled, you can manage them from the Device Dashboard in Workspace ONE
UEM.
The Device Dashboard provides a high-level view of your entire fleet and allows you to act on
individual devices quickly.
You can view graphical representations of relevant device information for your fleet, such as device
ownership type, compliance statistics, and platform and OS breakdowns. You can access each set of
devices in the presented categories by selecting any of the available data views from the Device
Dashboard.
From the List View, you can take administrative action: send messages, lock devices, delete
devices, and change groups associated with the device.
Security – View the top causes of security issues in your device fleet. Selecting any of the
doughnut charts displays a filtered Device List view comprised of devices affected by the
selected security issue. If supported by the platform, you can configure a compliance policy
to act on these devices.
Compromised – The number and percentage of compromised devices (jailbroken or
rooted) in your deployment.
No Passcode – The number and percentage of devices without a passcode
configured for security.
Not Encrypted – The number and percentage of devices that are not encrypted for
security. This reported figure excludes Android SD Card encryption. Only those
Android devices lacking disk encryption are reported in the donut graph.
Ownership – View the total number of devices in each ownership category. Selecting any of the
bar graph segments displays a filtered Device List view comprised of devices
affected by the selected ownership type.
Last Seen Overview/Breakdown – View the number and percentage of devices that have
recently communicated with the Workspace ONE UEM MDM server. For example, if several
devices have not been seen in over 30 days, select the corresponding bar graph to display
only those devices. You can then select all these filtered devices and send out a query
command so that the devices can check in.
Platforms – View the total number of devices in each device platform category. Selecting
any of the graphs displays a filtered Device List view comprised of devices under the
selected platform.
Enrollment – View the total number of devices in each enrollment category. Selecting any of
the graphs displays a filtered Device List view comprised of devices with the selected
enrollment status.
Operating System Breakdown – View devices in your fleet based on operating system.
There are separate charts for each supported OS. Selecting any of the graphs displays a
filtered Device List view comprised of devices running the selected OS version.
Device List View
Use the Device List View in Workspace ONE UEM to see a full listing of devices in the currently
selected organization group.
The Last Seen column displays an indicator showing the number of minutes elapsed since the
device last checked in. The indicator is red or green, depending on how long the device has been
inactive. The default threshold is 480 minutes (8 hours), but you can customize it by navigating to
Groups & Settings > All Settings > Devices & Users > General > Advanced and changing the Device
Inactivity Timeout (min) value.
Select a device-friendly name in the General Info column at any time to open the details page for
that device. A Friendly Name is the label you assign to a device to help you differentiate devices of
the same make and model.
Sort by columns and configure information filters to review activity based on specific information. For
example, sort by the Compliance Status column to view only devices that are currently out-of-
compliance and target only those devices. Search all devices for a friendly name or user name to
isolate one device or user.
Customize Device List View Layout
Display the full listing of visible columns in the Device List view by selecting the Layout button and
then selecting the Custom option. This view enables you to display or hide Device List columns per
your preferences.
There is also an option to apply your customized column view to all administrators at or below the
current organization group (OG). For instance, you can hide ‘Asset Number’ from the Device List
views of the current OG and of all the OGs underneath.
Once all your customizations are complete, select the Accept button to save your column
preferences and apply this new column view. You can return to the Layout button settings at any
time to tweak your column display preferences.
Some notable device list view custom layout columns include the following.
Android Management
SSID (Service Set Identifier or Wi-Fi network name)
Wi-Fi MAC Address
Wi-Fi IP Address
Public IP Address
Exporting List View
Select the Export button to save an XLSX or CSV (comma-separated values) file of the entire Device
List View that can be viewed and analyzed in a spreadsheet application such as MS Excel. If a filter
is applied to the Device List View, the exported listing reflects the filtered results.
Search in Device List View
You can search for a single device for quick access to its information and take remote action on the
device.
To run a search, navigate to Devices > List View, select the Search List bar and enter a user name,
device-friendly name, or other device-identifying element. This action initiates a search across all
devices, using your search parameter, within the current organization group and all child groups.
Device List View Action Button Cluster
With one or more devices selected in the Device List View, you can perform common actions with
the action button cluster including Query, Send [Message], Lock, and other actions accessed
through the More Actions button.
Available Device Actions vary by platform, device manufacturer, model, enrollment status, and the
specific configuration of your Workspace ONE UEM console.
Remote Assist
You can start a Remote Assist session on a single qualifying device allowing you to remotely view
the screen and control the device. This feature is ideal for troubleshooting and performing advanced
configurations on devices in your fleet.
To use this feature, you must satisfy the following requirements.
You must own a valid license for Workspace ONE Assist.
You must be an administrator with a role assigned that includes the appropriate Assist
permissions.
The Assist app must be installed on the device.
Supported device platforms:
Android
iOS
macOS
Windows 10
Windows Mobile
Select the check box to the left of a qualifying device in the Device List View and the Remote
Assist button displays. Select this button to initiate a Remote Assist session.
For more information, see the Workspace ONE Assist guide, available on docs.vmware.com.
Using the Device Details Page for iOS Devices
Use the Device Details page to track detailed device information and quickly access user and device
management actions.
You can access the Device Details page by either selecting a device’s Friendly Name from the List
View page, from one of the available Dashboards or by using any of the available search tools within
the UEM console.
View Device Information
Use the Device Details menu tabs to access specific device information, including:
Summary – View general statistics such as:
Compliance
Enrollment status
Last seen
Platform/model/OS
Management
Supervision
Activation Lock
Find My iPhone
iCloud Backup (use the mouse to hover over iCloud Backup status to see Last
Backup status)
Data protection
Encryption
Contact information
Organization group and smart group
Phone number (for devices that support multiple SIM cards including eSIM, such as the
iPhone XS, XR, or XS Max, the page displays the phone numbers of all SIMs associated
with the device)
Serial number, UDID, and asset number
Power status
Storage capacity
Available OS updates (iOS 11 and later devices)
Physical memory and virtual memory and warranty information
If Apple’s Global Service Exchange information is accessible, select the warranty link to see when
the status was last updated. Then, use the Refresh button to get the latest information.
An enterprise or factory wipe queries an Activation Lock bypass code and then goes into wipe
pending mode on supervised devices.
If the Find my iPhone Activation Lock option is enabled for iOS 7+ devices, then a warning
will appear when performing a device wipe command on an unsupervised device, notifying
you that a device with Activation Lock enabled cannot be reactivated without the original
Apple ID and password. This is true even if you perform a full device wipe. For more
information, see Activation Lock Overview.
Compliance – Display the status, policy name, date of the previous and forthcoming
compliance check and the actions already taken on the device.
Profiles – View all MDM profiles currently installed on a device.
Apps – View the app status, app name, type of the app (whether public or internal), app
version and identifier, and the size of the app. For iOS 11 and later devices, the UEM console
displays available app updates (whether the installed version is the latest version or an update is
available) and the app source (whether the app is installed through the App Store, distributed as
a Beta app, signed ad hoc by an enterprise account, or managed using a device-based VPP
license).
Note: Because of the way application status is reported on iOS devices, an application reaches
Installed status only after the installation process has fully completed. If the Workspace ONE UEM
console queries the device for its application list while the application is still downloading, the
device reports a status of Installing. After a successful installation, the device reports the application
status as Installed, and the Workspace ONE UEM console marks it the same.
Updates – View the iOS updates available for the device including the OS version, product
key, build version, last update, download percentage, and progress status.
Content – View the status, type, name, priority, deployment, last update, and date and time
of views, and provides a toolbar for administrative action (install or delete content).
Location – View current location or location history of a device.
User – Access details about the user of a device as well as the status of the other devices
enrolled to this user.
The menu tabs below are accessed by selecting More from the main Device Details page:
Network – View the current network (Cellular, Wi-Fi, Bluetooth) status of a device. For iOS
12.1 and later devices that support multiple SIMs and eSIM, such as the iPhone XS, XR, or XS
Max, you can view and track the network status of each SIM in the UEM console.
Security – View the current security status of a device based on security settings.
Restrictions – View the types of restrictions that currently apply to the device.
Telecom – View the total amounts of calls, data, and messages sent and received by the
device.
Notes – View and add notes regarding the device. For example, note the shipping
status or if the device is in repair and out of commission.
Certificates – Identify device certificates by name and issuant. This tab also provides
information about certificate expiration.
Terms of Use – View a list of End User License Agreements (EULAs) which have
been accepted during device enrollment.
Alerts – View all alerts associated with the device.
Books – View all internal books on the device.
Shared Device Log – View the history of the shared device including past check-ins and
check-outs and status.
Restrictions – View all restrictions currently applied to a device. This tab also shows specific
restrictions by Device, Apps, Ratings, and Passcode.
Status History – View history of device in relation to enrollment status.
Targeted Logging – View the logs for the Console, Catalog, Device Services, Device
Management, and Self Service Portal. You must enable Targeted Logging in settings and a
link is provided for this purpose. You must then select the Create New Log button and select
a length of time the log is collected.
Troubleshooting – View Event Log and Commands logging information. This page features
export and search functions, enabling you to perform targeted searches and analysis.
Event Log – View detailed debug information and server check-ins, including a Filter
by Event Group Type, Date Range, Severity, Module, and Category.
In the Event Log listing, the Event Data column may display hypertext links that open a
separate screen with even more detail surrounding the specific event. This information
enables you to perform advanced troubleshooting such as determining why a profile fails to
install.
Commands – View detailed listing of pending, queued, and completed commands
sent to the device. Includes a Filter enabling you to filter commands by Category,
Status, and specific Command.
Attachments – Use this storage space on the server for screenshots, documents,
Hub logs sent from the Intelligent Hub, and links for troubleshooting and
other purposes, without taking up space on the device itself.
Perform Remote Actions
The More Actions drop-down on the Device Details page enables you to perform remote actions
over-the-air on the selected device. See below for detailed information about each remote action.
The actions listed below vary depending on factors such as device platform, UEM console settings,
and enrollment status.
Query All – Send a query command to the device to return a list of installed applications
(including Workspace ONE Intelligent Hub, where applicable), books, certificates, device
information, profiles, and security measures.
Device Information (Query) – Send an MDM query command to the device to return
information on the device such as friendly name, platform, model, organization group,
operating system version, and ownership status.
Security (Query) – Send an MDM query command to the device to return the list of active
security measures (device manager, encryption, passcode, certificates, and so on).
Profiles (Query) – Send an MDM query command to the device to return a list of installed
device profiles.
Apps (Query) – Send an MDM query command to the device to return a list of installed
applications.
Certificates (Query) – Send an MDM query command to the device to return a list of
installed certificates.
Clear Passcode (Restrictions Setting) – Clears the login passcode on the device. The device
must be supervised.
User Lists (Query) - Send a query command to the device to return a list of users who have
logged into the device (for shared devices only).
Lock Device – Send an MDM command to lock a selected device, rendering it unusable until
it is unlocked.
Lock SSO – Lock the device user out of Workspace ONE UEM Container and all participating
applications.
Enterprise Wipe – Enterprise Wipe a device to unenroll and remove all managed enterprise
resources including applications and profiles. This action cannot be undone and re-
enrollment is required before Workspace ONE UEM can manage this device again. This
device action includes options to prevent future re-enrollment and a Note Description text
box for you to add information about the action.
Enterprise Wipe is not supported for cloud domain-joined devices.
iOS updates - Select individual devices or devices in bulk to send updates to devices that
are enrolled through Apple Business Manager.
Managed Settings – Activate or deactivate voice roaming, data roaming, and personal
hotspots.
Device Wipe – Send an MDM command to wipe a device clear of all data and operating
system. This action cannot be undone. On Mac devices, the wipe leaves the device in a state
where the recovery partition is needed to reinstall the OS; the recovery partition is not
needed on iOS devices.
iOS Device Wipe Considerations
For devices on iOS 11 and earlier, the device wipe command also wipes the
Apple SIM data associated with the device.
For iOS 11 and later devices, you have the option to preserve the Apple SIM data plan
(if one exists on the device). To do this, select the Preserve Data Plan
check box on the Device Wipe page before sending the device wipe
command.
For iOS 11.3 and later devices, you have an additional option to skip the Proximity
Setup screen when sending the device wipe command. When the option is enabled,
the Proximity Setup screen is skipped in the Setup Assistant, so the device user
does not see the Proximity Setup option.
For more information about troubleshooting device wipes, related permissions, and when device
wipe actions appear in the UEM console, refer to the following Workspace ONE UEM Knowledge
Base article https://support.workspaceone.com/articles/115012396488.
Schedule iOS Updates – Push an iOS update to a device that is not enrolled through DEP.
For more information, see Configure iOS Updates.
Refresh eSIM – Send a query to a carrier eSIM server URL to refresh the active eSIM cellular
plan profiles on the device.
Send Message – Send a message to the user of the selected device. Select between Email,
Push Notification (through AirWatch Cloud Messaging), and SMS. Push notification requires
an AirWatch application such as Hub or Boxer that has been launched at least once.
Find Device – Send a text message to the applicable Workspace ONE UEM application
together with an audible sound designed to help the user locate a misplaced device. The
audible sound options include playing the sound a configurable number of times and the
length of the gap, in seconds, between sounds.
Request Device Check-In – Request that the selected device check in to the UEM
console, which updates the Last Seen column status. This action also resets the device
enrollment to the staging user.
Sync Device – Synchronize the selected device with the UEM console, aligning its Last Seen
status.
Remote View – Enable an active stream of the device’s output to a destination of your
choice, allowing you to see what the user sees as they operate the device. The destination
parameters include IP address, port, audio port, password, and scan time.
Change Organization Group – Change the device’s home organization group to another
existing OG. Includes an option to select a static or dynamic OG.
If you want to change the organization group for multiple devices at a time, you must
select devices for the bulk action using the Block selection method (using the shift
key) instead of the Global check box (next to the Last Seen column heading in the
device list view).
Add Tag – Assign a customizable tag to a device, which can be used to identify a special
device in your fleet.
Edit Device – Edit device information such as Friendly Name, Asset Number, Device
Ownership, Device Group, and Device Category.
Delete Device – Delete and unenroll a device from the console. Sends the enterprise wipe
command to the device that gets wiped on the next check-in and marks the device as Delete
In Progress on the console. If the wipe protection is turned off on the device, the issued
command immediately performs an enterprise wipe and removes the device representation
in the console.
Clear Activation Lock – Clear the Activation Lock on an iOS device. With Activation
Lock enabled, the user needs the Apple ID and password before taking the following
actions: disabling Find My iPhone, performing a factory wipe, and reactivating the device.
Device Configured - Send this command if a device is stuck in an Awaiting Configuration
state.
Enable/Disable Lost Mode – Use this device action to lock a device and send a message,
phone number, or text to the lock screen. The device end user cannot deactivate Lost
Mode. When an admin deactivates Lost Mode, the device returns to normal functionality.
Users receive a message that tells them that the location of the device was shared. (iOS 9.3 +
Supervised)
Request Device Location – Query a device when in Lost Mode and then use the
Location tab to find the device. (iOS 9.3 + Supervised)
Log out user - Log out the current user of the device if needed.
Configure and Deploy a Custom Command to a Managed
Device
Workspace ONE UEM enables administrators to deploy a custom XML command to managed Apple
devices. Custom commands allow more granular control over your devices.
Use custom commands to support device actions that the UEM console does not currently support.
Do not use custom commands to send commands that exist in the UEM console as Device Actions.
Samples of XML code that you can deploy as custom commands are available at
https://github.com/vmware-samples/euc-samples/tree/master/UEM-Samples.
Important: Improperly formed or unsupported commands can impact the usability and performance
of managed devices. Test the command on a single device before issuing custom commands in bulk.
Procedure
1. In the UEM console, navigate to Devices > List View.
2. Select one or more macOS or iOS devices using the check boxes in the left column.
3. Select the More Actions drop-down and select Custom Commands. The Custom Commands
dialogue box opens.
4. Enter the XML code for the action you want to deploy and select Send to deploy the
command to devices.
5. Browse sample XML code for Custom Commands at
https://github.com/vmware-samples/euc-samples/tree/master/UEM-Samples.
If the Custom Command does not run successfully, delete the command by navigating to Devices >
List View. Select the device to which you assigned the custom command. In the Device Details
View, select More > Troubleshooting > Commands. Select the Command you want to remove, and
then select Delete. The Delete option is only available for Custom Commands with a Pending status.
OS Update Management
With the OS update management system, admins can block and require iOS updates on their
supervised iOS devices to keep all devices on a common iOS version for a consistent management
experience. Maintaining the OS ensures that the device security issues are addressed with minor iOS
updates and the devices are always up to date.
OS update management offers an ideal solution for admins to:
Block end-user devices from detecting new iOS updates released by Apple. For more
information on configuring the restriction profile to block end users, refer to Restriction
Profile Configurations in Device Profiles.
Get information on current available patches/updates available for devices.
Publish iOS updates to end-user devices.
iOS Update Management Features
The major features available are:
Block Update – Configure the device not to detect an update for up to 90 days from the
date Apple releases the update. For more information on configuring the restriction
profile to block the updates, refer to Restriction Profile Configurations.
List available updates – Lists all the available updates from Apple and lists out the devices
that are eligible for the respective updates.
OS Update Action – Define the OS update action; download only, install only, or download
and install immediately.
Monitor – Display the status of an OS update on assigned devices.
iOS Update Management Prerequisites
Ensure that the minimum requirements explained in this section are met before initiating OS update
management on managed devices from the UEM console.
Supported Devices
Supervised iOS 11.3 and later
Device must have at least 50 percent battery charge
Device must have enough storage space available to download the update
Device must have a network connection to Apple’s update servers
Network Requirements
For information on network architecture and its requirements, refer to the Recommended
Architecture guide.
View the Available iOS Updates
View the snapshot of the list of latest or active iOS updates available from Apple for all your managed
and eligible devices.
Navigate to the Resources > Device Updates > iOS tab to view the available OS updates and other
related details, including:
Update – Name of the update.
Version – Version of the update.
Release Date – Date when the update is released.
Expiration Date – Date when the update expires.
Update Status – Status of the iOS update if available or not available from Apple.
Assignments – Number of assignments applied to an update.
Assignment Status – Status of the assignments applied to the update such as Assigned, Not
Assigned, or Paused.
The list of iOS update details is pulled from Apple by the Sync Device Updates scheduler job,
which runs at an interval of 6 to 24 hours.
Note: Update Status reports as not available any OS version that no longer appears in
https://gdmf.apple.com/v2/pmv. Whenever the Expiry Date changes, the sync job inserts new
records or updates existing records accordingly. An update becomes unavailable only after its
Expiry Date has passed, so for updates missing from Apple’s list the job sets the Expiry Date to
one day before the job run, which lets UEM display them as not available.
Select an OS Update from the Device Updates > iOS tab to view additional information. The Details
section shows the details of the OS update (such as version details, supported devices and so on).
The graphs beneath the Details section show:
Device Readiness – Provides information related to the update and the devices enrolled at
the organization group and below. This includes devices that are eligible to receive the
update, devices that are not eligible to receive the update (e.g. unsupervised, incompatible
hardware, etc.), devices that are on higher version, or devices already on the selected
version.
Device Status – Provides information on the status of the iOS update on the assigned,
eligible devices. This includes the devices that downloaded the update, installed the update,
or failed with a specified error code.
Devices – The table shows the status of the iOS updates on eligible and non-eligible devices
that are triggered from an assignment.
Updates to the devices are assigned using Smart Groups with preferred deployment parameters by
selecting Manage Assignments. For more information on assignment, refer to Assign OS Updates.
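As an added example (not Workspace ONE code), the Python below reproduces the classification behind the Update Status and Expiration Date columns, the Device Readiness split between eligible and ineligible devices, and the sync behaviour the note describes for versions that drop out of Apple’s list. It assumes the feed at https://gdmf.apple.com/v2/pmv is JSON whose PublicAssetSets.iOS entries carry ProductVersion, PostingDate, ExpirationDate and SupportedDevices; SAMPLE_PMV is a constructed stand-in for that download, and the record and function names are the example’s own.

```python
"""Classify iOS updates the way the Update Status and Expiration Date columns do.

Added example, not Workspace ONE code. Assumed, not stated on the page: the feed
at https://gdmf.apple.com/v2/pmv is JSON whose PublicAssetSets.iOS entries carry
ProductVersion, PostingDate, ExpirationDate and SupportedDevices. SAMPLE_PMV is a
constructed stand-in for that download, not real data.
"""
import json
from datetime import date, timedelta

SAMPLE_PMV = json.dumps({"PublicAssetSets": {"iOS": [
    {"ProductVersion": "17.4", "PostingDate": "2024-03-05",
     "ExpirationDate": "2024-06-03", "SupportedDevices": ["iPhone12,1", "iPad13,1"]},
    {"ProductVersion": "17.4.1", "PostingDate": "2024-03-21",
     "ExpirationDate": "2024-06-19", "SupportedDevices": ["iPhone12,1", "iPad13,1"]},
    {"ProductVersion": "16.7.7", "PostingDate": "2024-03-21",
     "ExpirationDate": "2024-06-19", "SupportedDevices": ["iPhone10,1"]},
]}})


def make_record(version, released, expires, devices):
    """One row of the Device Updates > iOS list; dates are ISO strings."""
    return {"version": version, "released": date.fromisoformat(released),
            "expires": date.fromisoformat(expires), "devices": set(devices)}


def parse_updates(feed_json):
    """Turn the (assumed) feed layout into list rows."""
    data = json.loads(feed_json)
    return [make_record(e["ProductVersion"], e["PostingDate"], e["ExpirationDate"],
                        e.get("SupportedDevices", []))
            for e in data.get("PublicAssetSets", {}).get("iOS", [])]


def version_key(version):
    """'17.4.1' -> (17, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def update_status(record, today):
    """Available while the Expiry Date has not passed; Not Available afterwards."""
    return "Available" if date.fromisoformat(today) <= record["expires"] else "Not Available"


def reconcile(records, feed, run_date):
    """Mimic one Sync Device Updates run: upsert every feed entry, then date any stored
    version Apple no longer lists to the day before this run so it shows as Not Available
    instead of lingering with a stale future Expiry Date."""
    run = date.fromisoformat(run_date)
    merged = dict(records)
    for rec in feed:
        merged[rec["version"]] = rec
    listed = {rec["version"] for rec in feed}
    for version, rec in list(merged.items()):
        if version not in listed and rec["expires"] >= run:
            merged[version] = {**rec, "expires": run - timedelta(days=1)}
    return merged


def eligible_versions(records, model, current_version, today):
    """Versions a device could move to: still Available, built for its hardware model,
    and newer than what it runs (the eligible side of the Device Readiness graph)."""
    current = version_key(current_version)
    return sorted(
        (r["version"] for r in records
         if update_status(r, today) == "Available"
         and model in r["devices"] and version_key(r["version"]) > current),
        key=version_key)


if __name__ == "__main__":
    rows = parse_updates(SAMPLE_PMV)
    for r in rows:
        print(r["version"], r["released"], r["expires"], update_status(r, "2024-04-01"))
    print("iPhone12,1 on 17.4 can take:", eligible_versions(rows, "iPhone12,1", "17.4", "2024-04-01"))
```

The reconcile step is the part worth keeping in mind operationally: a version that simply vanishes from Apple’s list would otherwise keep a future Expiration Date and still read as Available in the console.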
Assign and Publish iOS Updates
To deploy an OS Update, assign one or more smart groups to an iOS update and publish to the
device.
To assign smart groups and deploy the iOS updates:
1. Navigate to the Resources > Device Updates > iOS tab.
2. Select an iOS Update by selecting the corresponding radio button. The Manage
Assignments option appears on top of the page.
3. Select Manage Assignments for the assignment page to display.
4. Select New Assignment under the Assignment section. The Add Assignment page appears.
5. In the Definition tab, enter the assignment name and select one or more smart groups.
Select Next.
6. In the Deployment tab, enter the date and time for the deployment to begin and select one
deployment method. The available deployment methods are:
Download and Install – The iOS update is downloaded and installed on the device.
Download Only – The iOS update is downloaded but not installed on the device.
Install Only – The iOS update is installed on the device only if it has already been downloaded
through MDM or manually.
7. In the Notification tab, activate or deactivate the notification for the successful download or
install status and enter the notification text in the Push Notification field.
8. Select Save to publish the iOS update.
When the assignment is saved for the selected iOS update in the UEM console, any eligible,
assigned devices receive the update command on their next check-in. Keep in mind that a device
may not check in immediately, depending on your console’s settings. After saving, the status of the
iOS update changes to Assigned, and the status for assigned devices can be monitored in the
Update Details page.
Note: These settings can be changed at any time after the update has been published.
If devices have multiple iOS update assignments, the deployment settings and iOS version will be
evaluated in the following priority:
1. Newest iOS version (e.g. iOS 13.3 is prioritized over iOS 13.1).
2. Closest assignment at or above the Organization Group where the device is enrolled (e.g. if a
device is enrolled at a child Organization Group, the device will take the assignment at the
child Organization Group rather than any at a parent level. This assumes the assignments are
for the same iOS version).
3. Highest priority within the assignment selected based on the first two criteria with an
ascending priority (e.g. priority of 1 is higher than a priority of 2).
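The evaluation order above, as an added Python example (not Workspace ONE code): the data shape, Organization Group names and assignments are constructed for illustration, and the example also drops assignments whose version the device already meets, following the later note that assignments keep publishing only until a device is on or above the assigned version.

```python
"""Pick the iOS update assignment a device takes when several could apply.

Added example, not Workspace ONE code. It implements the order the guide lists:
newest iOS version, then the nearest assignment at or above the device's OG,
then the lowest priority number. The Assignment shape, OG names and sample
assignments are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Assignment:
    name: str
    ios_version: str   # version the assignment publishes, e.g. "13.3"
    org_group: str     # OG the assignment was created at
    priority: int      # 1 ranks above 2
    method: str        # Download and Install, Download Only, or Install Only


def version_key(version: str) -> tuple:
    """'13.3.1' -> (13, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def og_distance(assignment_og: str, device_og_path: List[str]) -> Optional[int]:
    """Hops from the device's own OG up to the assignment's OG.

    device_og_path lists OGs from the device's OG up to the root. An assignment
    created below the device or in an unrelated branch is not inherited: None.
    """
    if assignment_og not in device_og_path:
        return None
    return device_og_path.index(assignment_og)


def resolve_assignment(assignments: List[Assignment], device_og_path: List[str],
                       current_version: str) -> Optional[Assignment]:
    # Keep only inherited assignments whose version is above what the device runs.
    applicable = []
    for a in assignments:
        distance = og_distance(a.org_group, device_og_path)
        if distance is not None and version_key(a.ios_version) > version_key(current_version):
            applicable.append((a, distance))
    if not applicable:
        return None  # device is already at or above every assigned version
    # 1. the newest iOS version wins outright
    newest = max(version_key(a.ios_version) for a, _ in applicable)
    same_version = [(a, d) for a, d in applicable if version_key(a.ios_version) == newest]
    # 2. nearest OG at or above the device, then 3. lowest priority number
    return min(same_version, key=lambda pair: (pair[1], pair[0].priority))[0]


# Constructed data: a device enrolled at Retail/Store-12, under Retail, under ACME.
DEVICE_OG_PATH = ["Retail/Store-12", "Retail", "ACME"]
ASSIGNMENTS = [
    Assignment("GlobalRollout", "13.3", "ACME", 1, "Download and Install"),
    Assignment("StorePilot", "13.3", "Retail/Store-12", 2, "Download Only"),
    Assignment("OldPatch", "13.1", "Retail/Store-12", 1, "Download and Install"),
    Assignment("FinanceOnly", "13.3", "Finance", 1, "Download and Install"),
]

if __name__ == "__main__":
    chosen = resolve_assignment(ASSIGNMENTS, DEVICE_OG_PATH, "13.0")
    print(chosen.name if chosen else "no assignment applies")
```

In the constructed data, StorePilot wins for the Store-12 device even though GlobalRollout has the better priority number: both publish 13.3, and the assignment at the device’s own OG is closer than the one at the root, so priority is only consulted after version and OG distance tie.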
Pause and Unpause iOS Updates
As an admin, you can even pause any updates that have been assigned. This holds any updates that
have not been sent to iOS devices until the update is unpaused.
To pause an iOS update:
1. Navigate to the Resources > Device Updates > iOS tab.
2. Select an assigned iOS update.
3. Select the PAUSE option at the top of the page.
Note: Pausing does not stop the updates that have already been processed on the device
such as already downloading the update. Pause only stops the assigned future downloads of
the update.
Monitor iOS Update Assignments
After assigning and publishing iOS updates to devices, the next step is to monitor their deployment.
To see the status of a deployment, select an iOS update from the Resources > Device Updates >
iOS tab to view additional information. The Details section shows the details of the iOS update (such
as version details, supported devices and so on). The graphs beneath the Details section are for
monitoring and taking action on the assigned devices. Those graphs show:
Device Readiness – Provides information related to the update and the devices enrolled at
the organization group and below. This includes devices that are eligible to receive the
update, devices that are not eligible to receive the update (e.g. unsupervised, incompatible
hardware, etc.), devices that are on higher version, or devices already on the selected
version.
Device Status – Provides information on the status of the iOS Update on the assigned,
eligible devices. This includes the devices that downloaded the update, installed the update,
or failed with a specified error code.
Devices – The table shows the status of the iOS update on eligible and non-eligible devices
that are triggered from an assignment. The values of this table are:
Last Seen – The last time the device communicated back to Workspace ONE UEM.
Device Name – The friendly name of the device.
User – The first and last name of the enrollment user assigned to the device.
Status – The most recent status received for this iOS version’s update.
Reason – Additional context for the status of an update if it was a failure.
Next Retry – An estimate of when the system retries sending the update to the device after a
failure. Retries can be more frequent than the time listed.
The table is also used to take action on devices for the selected update. The actions include:
Query – Request latest information for the device related to the iOS update.
Override – Trigger a Download and/or Install command for the device. It ignores any
assignments made for the device previously.
Manage iOS Updates for Individual Devices
Managing iOS Updates can be achieved at an individual device level for a more direct approach to
ensure that the latest updates and their functionalities are applied across a managed device. These
updates can be deployed and monitored for an individual device by navigating to Devices > List
View > Select Device > Updates.
Publish iOS Updates for a Device
To publish a specific update to a selected device:
1. Select Updates tab to view the snapshot of the available OS Updates details.
2. Select an OS Update name and then select Publish. The Update page appears.
3. Select the preferred Device Installation Method.
Note: Download/Install option for Update Assignments performs either download or install
actions based on the status of the OS update on the device.
If the OS update has already been downloaded, then the command installs the OS update.
However, if the OS update is not downloaded yet, then the command triggers a download
instead. Send the command again after the download is completed to trigger the install.
4. Select Send to publish the OS Update to the device.
5. Select Query Update Progress to request the latest status on the update.
Note: This does not impact any iOS updates assigned to the device. Any assignments will continue to
be published to devices until they are on or above the assigned iOS version.
Track the Status for iOS Updates
The status for iOS updates is not shown until you schedule an update from the UEM console,
whether by manually publishing it or by assigning an update to the device. If an update is
downloaded manually on an iOS device, the status of that update does not appear in the Updates
list view. Once an admin schedules the update, the status on the console is updated. If an update
is installed manually, this is reflected in the Device Details Summary.
Troubleshooting
All commands and responses can be seen in the event data by navigating to Device Details > More >
Troubleshooting.
Delay iOS Updates
Admins can delay iOS updates for up to 90 days from the date Apple releases the update by using a
configuration profile.
To delay an iOS update:
1. Navigate to Resources > Profiles & Baselines > Profiles > Add.
2. Select Apple > iOS and configure the Restrictions settings.
3. Select Delay Updates (Days) from the OS Updates Restrictions subsection.
4. Restrict Delay Updates and specify the number of days to delay the software update.
The number of days ranges from 1 to 90. The number of days dictates the length of time after the
release of the software update, not after the time of installation of the profile.
Note: Any managed OS update command bypasses the delay OS updates restriction, even if the OS
version is within the restriction window of 90 or fewer days. However, if an update is downloaded
while a restriction window is active, the update may still not be visible to the user. Once the
restriction window expires, the update becomes visible to users.
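The console generates the profile for you, but it helps to see what the resulting restriction looks like and to check the two rules stated above (1 to 90 days, counted from Apple's release date). The following Python example is added here for illustration and is not Workspace ONE UEM code: it builds the Apple Restrictions payload (PayloadType com.apple.applicationaccess with the keys forceDelayedSoftwareUpdates and enforcedSoftwareUpdateDelay, which are Apple's documented keys for this restriction), reads the delay back out of a profile, and computes the first day an update can become visible. The payload identifier "com.example.delay-updates" is an assumed placeholder.

```python
"""Build and inspect an iOS Restrictions profile that delays OS updates.

Added example: not part of the Workspace ONE UEM documentation or product code.
Only the Python standard library is used, so it runs offline.
"""
import plistlib
import uuid
from datetime import date, timedelta
from typing import Optional

MIN_DELAY_DAYS = 1
MAX_DELAY_DAYS = 90
RESTRICTIONS_PAYLOAD_TYPE = "com.apple.applicationaccess"


def build_delay_updates_profile(delay_days: int,
                                identifier: str = "com.example.delay-updates") -> bytes:
    """Return an XML plist (.mobileconfig) carrying a single Restrictions payload.

    The delay must be 1 to 90 days, the same range the console enforces.
    'identifier' is an assumed placeholder; use your own reverse-DNS prefix.
    """
    if not MIN_DELAY_DAYS <= delay_days <= MAX_DELAY_DAYS:
        raise ValueError(
            f"delay must be {MIN_DELAY_DAYS}..{MAX_DELAY_DAYS} days, got {delay_days}")
    restrictions = {
        "PayloadType": RESTRICTIONS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.restrictions",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Delay OS updates",
        # Apple Restrictions keys: enable the delay and set its length in days.
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateDelay": delay_days,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Delay iOS Updates",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def read_delay_days(profile_bytes: bytes) -> Optional[int]:
    """Return the enforced delay found in a profile, or None if no delay is enforced.

    Raises ValueError when a profile carries an out-of-range delay, which is the
    check an admin would want before trusting a profile from another source.
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_PAYLOAD_TYPE:
            continue
        if not payload.get("forceDelayedSoftwareUpdates", False):
            continue
        # Apple applies a 30-day delay when the key is absent but the delay is forced.
        delay = int(payload.get("enforcedSoftwareUpdateDelay", 30))
        if not MIN_DELAY_DAYS <= delay <= MAX_DELAY_DAYS:
            raise ValueError(f"profile carries an invalid delay of {delay} days")
        return delay
    return None


def update_visible_on(release_date_iso: str, delay_days: int) -> str:
    """First day an update released on 'release_date_iso' can appear on the device.

    The delay counts from Apple's release date, not from when the profile was
    installed, so installing the profile late does not extend the window.
    """
    release = date.fromisoformat(release_date_iso)
    return (release + timedelta(days=delay_days)).isoformat()


if __name__ == "__main__":
    blob = build_delay_updates_profile(45)
    print(blob.decode())
    print("delay:", read_delay_days(blob), "days")
    print("visible from:", update_visible_on("2024-03-05", 45))
```

Keep in mind the note above: a managed OS update command sent from the console still bypasses this restriction, so the profile governs what the user sees in Settings, not what an admin can push.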
Set the Device Name for a Supervised iOS Device
Automatically or manually set an iOS 8+ supervised device name to match the Friendly Name in the
UEM console. This feature is helpful when performing asset tracking from the device itself. The
device name appears when the device is connected to iTunes and it can be edited in iTunes too.
1. Navigate to Groups & Settings > All Settings > General > Devices & Users > Friendly Name.
2. Select Enable Custom Smartphone Friendly Name to set the device name as the friendly name.
3. Enter the Smartphone Friendly Name Format by entering the enrollment user, the device model,
and device operating system information.
4. Select the Set Device Name to Friendly Name setting to set the Device Name to match the
Friendly Name.
5. Select Save to update the name.
AppleCare GSX
Apple Global Service Exchange (GSX) allows administrators to look up device details related to the
display model name, the device purchase and warranty status directly from the UEM console.
If any devices in an organization group are missing a display model name, then a time scheduler
runs periodically to search and update these names using the GSX information that was configured
for the devices at that organization group level.
Only authorized Apple employees or organizations that have registered with Apple’s Self-Servicing
Account Program can access GSX information.
Create a GSX Account
Before you can integrate your deployment, you must create an Apple GSX account. To apply for a
GSX account, you must have a service contract with Apple. Contact your Apple Account Executive
to learn more about GSX.
To apply for a GSX account, visit http://www.apple.com/support/programs/ssa/.
Obtain an Apple Certificate to Integrate AppleCare GSX
To integrate AppleCare GSX with your Workspace ONE UEM deployment, you must first obtain
Apple certificates and convert them to .p12 format.
For more information, see Obtain an Apple Certificate to Integrate AppleCare GSX.
Configure AppleCare in the UEM console
Once you have obtained and configured an Apple Certificate, you must upload the certificate to the
UEM console and configure your AppleCare instance.
For more information, see Configure AppleCare GSX in the UEM console.
Obtain an Apple Certificate to Integrate AppleCare GSX
To integrate AppleCare GSX with your Workspace ONE UEM deployment, you must first obtain
Apple certificates and convert them to .p12 format.
1. Generate a certificate signing request (CSR) using OpenSSL or Java Keytool.
2. Send the CSR and the following GSX account information to Apple to receive Apple
certificates (.pem files).
GSX Sold-To account number
Primary IT contact name
Primary IT contact email
Primary IT contact phone number
Outgoing static IP address of the server that sends requests to GSX Production. If your
environment is hosted on the AW SaaS, refer to
https://support.air-watch.com/articles/115001662168 for the IP address. If the IP range for
your environment is not listed, please open a support ticket to have our Network Operations
team facilitate it.
Apple generates the Apple certificate (.pem) and returns a signed certificate and a chain
certificate. For ease of use, rename the files “cert.pem” and “chain.pem” for use in subsequent
steps. You may also receive a file labeled “issuer” that is not needed for this process.
3. Convert the Apple certificates to .p12 format.
a. Create a .p12 file using the private key and Apple certificates by executing the following
command:
sudo openssl pkcs12 -export -inkey privatekey.pem -in cert.pem -certfile chain.pem -out GSX_Cert.p12
b. The certificate saves as a .p12 file in the location you specified. If you do not specify a
path before the file name when running the conversion command, the file saves to your
working directory.
Configure AppleCare GSX in the UEM Console
Once you have obtained and configured an Apple Certificate, you must upload the certificate to the
UEM console and configure your AppleCare instance.
Procedure
1. Navigate to Groups & Settings > All Settings > Devices & Users > Apple > AppleCare.
To configure a GSX connection with the UEM console, you must have a GSX account with
manager-level access, access to web services, and access to coverage and warranty
information.
2. Enter GSX settings including:
Setting: Action
GSX User ID: Enter the account user ID.
GSX Password: Enter the account password.
Sold-to Account Number: Enter the 10-digit service account number. This account number can be
found in the GSX portal at the bottom of the web page.
Time Zone: Use the drop-down menu to select the appropriate time zone.
Language: Use the drop-down menu to choose a language.
3. Select Save to complete the integration with AppleCare.
4. Navigate to the List View, select a device, and use the More menu to find AppleCare
information in the UEM console.
5. Navigate to Accounts > Administrators and pull the information from the Details section.
6. In the Add/Edit Admin page, add the GSX User ID and click SAVE.
You can now make GSX API calls.
Shared Devices
Shared Device/Multi-User Device functionality in Workspace ONE UEM ensures that security and
authentication are in place for every unique end user. Shared devices can also allow only specific
end users to access sensitive information.
Issuing a device to every employee in certain organizations can be expensive. Workspace ONE UEM
lets you share a mobile device among end users in two ways: using a single fixed configuration for all
end users, or using a unique configuration setting for individual end users.
When administering shared devices, you must first provision the devices with applicable settings and
restrictions before deploying them to end users. Once deployed, Workspace ONE UEM uses a
simple login or log-out process for shared devices in which end users simply enter their directory
services or dedicated credentials to log in. The end-user role determines their level of access to
corporate resources such as content, features, and applications. This role ensures the automatic
configuration of features and resources that are available after the user logs in.
The login or log-out functions are self-contained within the Workspace ONE Intelligent Hub. Self-
containment ensures that the enrollment status is never affected, and that the device is managed
whether it is in use or not.
Shared Device capabilities are also available natively on Apple iPads integrated with Apple Business
Manager. This functionality, called Shared iPads for Business, uses the user’s Managed Apple ID
for login, and login and logout do not take place in the Workspace ONE Intelligent Hub. To learn
more about configuring Shared iPads for Business with Apple Business Manager and the steps to
achieve this functionality, see Shared iPads for Business in the Introduction to Apple Business
Manager Guide, available on docs.vmware.com.
Shared Devices Capabilities
There are basic capabilities surrounding the functionality and security of devices that are shared
across multiple users. These capabilities offer compelling reasons to consider shared devices as a
cost-effective solution to making the most of enterprise mobility.
Functionality
Personalize each end-user experience without losing corporate settings.
Logging in a device configures it with corporate access and specific settings, applications,
and content based on the end-user role and organization group (OG).
Allow for a log in/log out process that is self-contained in the Workspace ONE Intelligent
Hub or Workspace ONE Access.
After the end user logs out of the device, the configuration settings of that session are wiped.
The device is then ready for login by another end user.
Security
Provision devices with the shared device settings before providing devices to end users.
Log in and log out devices without affecting an enrollment in Workspace ONE UEM.
Authenticate end users during a login with directory services or dedicated Workspace ONE
UEM credentials.
Authenticate end users using Workspace ONE Access.
Manage devices even when a device is not logged in.
Platforms That Support Shared Devices
The following devices support shared device/multi-user device functionality.
Android 4.3 or later
iOS devices with Workspace ONE Intelligent Hub 4.2 or later. For details about logging in and out
of shared iOS devices, see the topic Log In and Log Out of Shared iOS Devices in the iOS Platform
Guide, available on docs.vmware.com.
macOS devices with Workspace ONE Intelligent Hub 2.1 or later.
Define the Shared Device Hierarchy
While strictly optional, making an organization group (OG) specific to shared devices offers many
benefits due to multi-tenancy and inherited device settings.
If you have a large number of shared devices in your fleet and you want to manage them apart from
single user devices, you can make a shared device-specific OG. Making a shared device hierarchy in
your OG structure is optional. Features like smart groups and user groups mean you do not have to
rely strictly on OG hierarchy design to simplify device management.
However, having a shared device OG (or nested OGs) simplifies device management by enabling
you to standardize device functionality through profiles, policies, and device inheritance without the
processing overhead required by a smart group or a user group.
1. Navigate to Groups & Settings > Groups > Organization Groups > Organization Group
Details.
Here, you can see an OG representing your company.
2. Ensure the Organization Group Details displayed are accurate, and then use the available
settings to make modifications, if necessary. If you make changes, select Save.
3. Select Add Child Organization Group.
4. Enter the following information for the first OG underneath the top-level OG.
Setting: Description
Name: Enter a name for the child organization group (OG) to be displayed. Use alphanumeric
characters only. Do not use odd characters.
Group ID: Enter an identifier for the OG for the end users to use during the device login. Group IDs
are used during the enrollment of group devices to the appropriate OG. Ensure that users sharing
devices receive the Group ID, as it might be required for the device to log in depending on your
Shared Device configuration. If you are not in an on-premises environment, the Group ID identifies
your organization group across the entire shared SaaS environment. For this reason, all Group IDs
must be uniquely named.
Type: Select the preconfigured OG type that reflects the category for the child OG.
Country: Select the country where the OG is based.
Locale: Select the language classification for the selected country.
Customer Industry: This setting is only available when Type is Customer. Select from the list of
Customer Industries.
Time Zone: Select the time zone for the OG’s location.
5. Build out your corporate hierarchical structure by creating more groups and subgroups in the
same manner.
a. If you are configuring a Fixed Organization Group, then ensure that you create the single
organization group for end users to log in or log out.
b. If you configure Prompt Users for Organization Group, then ensure that you have
created the multiple OGs for end-user roles for logging in or logging out. For more
information, see Configure Shared Devices.
6. Select Save.
Configure Shared Devices
Similar to single-user device staging, multi-user staging (a “shared device”) allows an IT administrator
to provision devices to be used by more than one user.
1. Navigate to Groups & Settings > All Settings > Devices & Users > General > Shared
Device.
2. Select Override and complete the Grouping section.
Setting: Description
Group Assignment Mode: Configure devices in one of three ways:
Select Prompt User for Organization Group to have the end user enter a Group ID for an
organization group upon login. With this method, you have the flexibility to provide access to the
settings, applications, and content of the organization group entered. Using this approach, an end
user is not restricted to accessing only the settings, applications, and content for the organization
group to which they are enrolled.
Select Fixed Organization Group to limit your managed devices to settings and content applicable
to a single organization group. Each end user who logs in to a device has access to the same
settings, applications, and content. This method can be beneficial in a retail use case where
employees use shared devices for similar purposes such as checking inventory.
Select User Group Organization Group to enable features based on both user groups and
organization groups across your hierarchy. When an end user logs in to a device, they have access
to specific settings, applications, and content based on their assigned role within the hierarchy. For
example, an end user is a member of the ‘Sales’ user group, and that user group is mapped to the
‘Standard Access’ organization group. When that end user logs in to the device, the device is
configured with the settings, applications, and content available to the ‘Standard Access’
organization group. You can map user groups to organization groups on the UEM console.
Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment. Select the
Grouping tab and fill in the required details.
Always Prompt for Terms of Use: Prompts the end users to accept your Terms of Use agreement
before they log in to a device.
3. Complete the Security section, as applicable.
Setting: Description
Require Shared Device Passcode: (For iOS devices only) Require users to create a Shared Device
passcode in the Self-Service Portal to check out devices. This passcode is different from a Single
Sign On passcode or a device-level passcode.
Require Special Characters: Require special characters in the shared device passcode, which
includes characters such as @, %, &, and so forth.
Shared Device Passcode Minimum Length: Set the minimum character length of the shared
passcode.
Shared Device Passcode Expiration Time (days): Set the length of time (in days) after which the
shared passcode expires.
Keep Shared Device Passcode for minimum time (days): Set the minimum amount of time (in
days) the shared device passcode must be kept before it can be changed.
Prompt users to change their Shared Device Passcode x (days) before expiration: (For iOS
devices only) Set the number of days before expiration at which the user is reminded to change
their shared device passcode. For best results, set a value less than the difference between the
Expiration Time and the minimum time you can keep the Shared Device Passcode.
Passcode History: Set the number of passcodes that are remembered by the system, providing a
more secure environment by preventing the user from reusing old passcodes.
Auto Logout: Configure an automatic log out after a specific time period.
Auto Logout After: Set the length of time that must elapse before the Auto Logout function
activates, in Minutes, Hours, or Days.
iOS Single App Mode: Select this check box to configure Single App Mode, which locks the device
into a single application when an end user logs in to the device. To check out an iOS device in
Single App Mode, end users log in using their credentials. When the device is checked in again, it
returns to Single App Mode. Enabling Single App Mode also deactivates the Home button on the
device.
Note: Single App Mode applies only to Supervised iOS devices.
4. Configure the Logout Settings, as applicable.
Setting: Description
Clear Android App Data: Clear the app data when the user logs out of a shared device (checks it
in).
Reinstall Android Apps: Use the drop-down to select whether to Always reinstall apps between
users or Never reinstall apps between users. For Android (Legacy) deployments, you can opt to
reinstall apps if the Hub cannot clear app data between users.
Clear Android Device Passcode: This setting controls whether the current Android device
passcode is cleared when the user logs out (checks in) a multi-user shared device.
Allow PIN at Startup: Activate or deactivate Android Secure Startup, which requires an initial PIN
entry to boot up the device. If deactivated, users cannot enable Secure Startup during passcode
setup. If Secure Startup is already deactivated on the device, the device must be factory reset to
enable it. This feature applies only to Android devices that do not have file-based encryption.
Clear iOS Device Passcode: This setting controls whether the current iOS device passcode is
cleared when the user logs out (checks in) a multi-user shared device.
5. Select Save.
For specific information about provisioning devices for single-user and multi-user device staging, see
the topics Stage a Single-User Device and Stage a Multi-User Device in Self-Enrollment Versus
Device Staging.
Log In and Log Out of Shared iOS Devices
You can log in to and out of an iOS device that is shared across multiple users.
1. Run the Workspace ONE Intelligent Hub on the device.
2. Enter the end-user credentials.
If the device is already logged in to Workspace ONE Intelligent Hub, then users are
prompted to enter an SSO Passcode. If the device is not logged in, then users are prompted
to enter a user name and password. The profiles assigned to each user are pushed down
based on the smart group and user group association.
Note: If Prompt User for Organization Group is enabled, then end users are required to
enter a Group ID to log in to a device.
3. Select Login and accept the Terms of Use.
Note: If prompted for a passcode, users can create one in the Self-Service Portal. These
passcodes are subject to an expiration period. As the expiration period nears, the Workspace
ONE Intelligent Hub prompts users to change the passcode on the device. If users do not
change their passcode before it expires, they must return to the Self-Service Portal to create
another passcode.
To log out of an iOS device, run the Workspace ONE Intelligent Hub and select Log Out at the
bottom.
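The Security section of Configure Shared Devices and the passcode note in the login procedure above describe one policy from two sides: what a shared device passcode must look like (special characters, minimum length, history) and how it ages (minimum keep time, reminder window, expiration, return to the Self-Service Portal). The following Python example is added here to make that lifecycle concrete; it is not Workspace ONE UEM code, and the default policy values, the field names and the set of "special" characters are assumptions chosen for illustration. It also implements the guide's advice that the reminder should fire only after the minimum keep time has passed.

```python
"""Check a shared-device passcode against a Workspace ONE-style policy.

Added example, not product code. Policy field names and defaults are assumed.
"""
from dataclasses import dataclass
from typing import List

# Assumed definition of "special characters"; the guide lists @, %, & "and so forth".
SPECIAL_CHARS = set("@%&!#$^*()-_=+[]{};:,.<>?/\\|~`'\"")


@dataclass
class SharedPasscodePolicy:
    """Mirrors the console's Security settings for shared devices (names assumed)."""
    require_special_characters: bool = True
    minimum_length: int = 6        # Shared Device Passcode Minimum Length
    expiration_days: int = 90      # Shared Device Passcode Expiration Time (days)
    minimum_age_days: int = 1      # Keep Shared Device Passcode for minimum time (days)
    reminder_days: int = 7         # Prompt users to change ... x (days) before expiration
    history_count: int = 5         # Passcode History


def reminder_window_is_sane(policy: SharedPasscodePolicy) -> bool:
    """The guide recommends reminder_days < expiration_days - minimum_age_days.

    Otherwise the Hub could nag the user to change a passcode that the minimum
    keep time still forbids them from changing.
    """
    return 0 <= policy.reminder_days < policy.expiration_days - policy.minimum_age_days


def check_candidate(candidate: str, policy: SharedPasscodePolicy,
                    history: List[str]) -> List[str]:
    """Return the list of policy violations for a proposed passcode (empty if OK).

    'history' holds the user's previous passcodes, most recent last. A real
    store would keep salted hashes rather than the plaintext used here.
    """
    problems: List[str] = []
    if len(candidate) < policy.minimum_length:
        problems.append(f"shorter than minimum length {policy.minimum_length}")
    if policy.require_special_characters and not any(c in SPECIAL_CHARS for c in candidate):
        problems.append("no special character (for example @, % or &)")
    # Only the last N passcodes are remembered, as the Passcode History setting says.
    if policy.history_count > 0 and candidate in history[-policy.history_count:]:
        problems.append(f"reused one of the last {policy.history_count} passcodes")
    return problems


def lifecycle(age_days: int, policy: SharedPasscodePolicy) -> str:
    """Classify a passcode that is 'age_days' old.

    'expired': user must create a new passcode in the Self-Service Portal.
    'remind':  the Hub prompts the user to change the passcode on the device.
    'locked':  minimum keep time not yet reached, cannot be changed.
    'ok':      valid and changeable.
    """
    if age_days >= policy.expiration_days:
        return "expired"
    if age_days >= policy.expiration_days - policy.reminder_days:
        return "remind"
    if age_days < policy.minimum_age_days:
        return "locked"
    return "ok"


if __name__ == "__main__":
    policy = SharedPasscodePolicy()
    print("reminder window sane:", reminder_window_is_sane(policy))
    # Constructed sample history for a single user.
    previous = ["Old@pass1", "Old@pass2"]
    for attempt in ["Zebra@2024", "abcdefgh", "Old@pass2"]:
        print(attempt, "->", check_candidate(attempt, policy, previous) or "accepted")
    for age in (0, 30, 85, 90):
        print(f"day {age}: {lifecycle(age, policy)}")
```

With the defaults above the reminder starts on day 83 and the passcode expires on day 90, matching the sequence the login note describes; if an admin sets a reminder window larger than expiration minus minimum keep time, reminder_window_is_sane returns False, which is the misconfiguration the guide warns about.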
iOS Functionality Matrix: Supervised vs. Unsupervised
The following table shows all the available iOS profile functionality that you can control using the
UEM console and the minimum iOS version that applies.
Features and Functionality / Does Not Require Supervision / Requires Supervision / OS Notes
Passcode
Passcode settings -
Wi-Fi
Wi-Fi settings -
Auto-Join iOS 7
Wi-Fi Hotspot 2.0 settings iOS 7
Proxy settings iOS 7
QOS Marking Policy iOS 10
VPN
VPN settings -
Per-App VPN iOS 7
Connect automatically iOS 7
Email
Email settings -
Prevent Moving Messages iOS 7
Disable recent contact sync iOS 7
Prevent Use In 3rd Party Apps iOS 7
Use S/MIME iOS 7
Exchange ActiveSync
EAS settings -
Use S/MIME iOS 7
Per-Message S/MIME iOS 8
Prevent Moving Messages iOS 7
Prevent Use In 3rd Party Apps iOS 7
Disable recent contact sync iOS 7
Prevent Mail Drop iOS 9
Default Calling App iOS 10
LDAP
LDAP settings -
CalDAV
CalDAV settings -
Subscribed Calendars
Subscribed Calendar settings -
CardDAV
CardDAV settings -
Web Clips
Web Clip settings -
Credentials
Credentials certificate settings -
SCEP
SCEP settings for certificate authority -
Global HTTP Proxy
Global HTTP Proxy settings iOS 7
Single App Mode
Single App Mode – Lock device into a single app iOS 7
Optional settings for “Lock device into a single app” iOS 7
Autonomous single app mode iOS 7
Web Content Filter
Web Content Filter settings (Allowlist, Denylist, Permitted URLs) iOS 7
Web Content Filtering with 3rd Party Provider iOS 8
Managed Domains
Managed Email Domains iOS 8
Managed Web Domains iOS 8
Managed Safari Password Domains iOS 9.3
Network Usage Rules
Network Usage Rules iOS 9
macOS Server Accounts
macOS Server Accounts iOS 9
Single Sign On
Single Sign On settings with Kerberos authentication iOS 7
Single Sign On settings with Renewal certificates iOS 8
AirPrint
AirPrint destination settings iOS 7
AirPlay Mirroring
AirPlay Destination settings (Allowlist) iOS 7
AirPlay Passwords
Access Point
Advanced Access Point settings
App Installation Settings
Silent App Installation +VPP
Control Cellular Settings
Voice Roaming iOS 7
Data Roaming iOS 7
Personal Hotspot iOS 7
Wallpaper Settings
Set Lock Screen Image iOS 7
Set Lock Screen Message iOS 9.3+
Set Home Screen Image iOS 7
Set Home Screen Layout iOS 9.3+
Notifications
Notification settings iOS 9.3+
Queries and Commands
Supervised status iOS 7
Personal Hotspot status iOS 7
Clear Activation Lock iOS 7
Clear Restrictions Passcode iOS 8
Configure iOS Updates iOS 9 (Prior to iOS 10.3, DEP is also required)
Delay iOS Updates iOS 11.3+
Custom Fonts and Messaging
Custom Font Installation iOS 7
Custom Enrollment Messages iOS 7
Custom MDM Prompts iOS 7
Activation Lock Warning iOS 7