Airwatch Container

Airwatch Container is used on personal devices to segregate work and personal data, ensuring company security policy while maintaining user privacy by containing and controlling only enterprise data instead of the entire device.


With the development of cloud technology and personal devices capable of performing more enterprise tasks, more and more employees are switching to personal devices to manage their corporate work under a Bring Your Own Device (BYOD) policy. Especially in recent times of pandemic, remote work on personal devices connected to local networks is prevalent. This poses a security threat to the enterprise and its databases. If any of these unsecured endpoint devices is compromised, the entire organization database, including sensitive information, could be breached.

Airwatch Container helps create a secure work environment on a personal device by securing enterprise applications through a common SDK framework and container password. Personal devices can deploy applications from the app store, Workspace One UEM applications, and internal applications.

Airwatch Container

Airwatch Container is used on personal devices to separate personal and enterprise data and applications, providing control and security over corporate data without managing the entire device while maintaining user privacy guidelines. A common SDK framework with a container passcode and app tunnel VPN lets personal devices be used securely and seamlessly in a secure work environment. Personal data, GPS location, and messages remain private; the admin can access only enterprise apps and data, which are maintained in a separate compartment. Airwatch Container is a part of the entire Airwatch infrastructure and cannot function independently. The Airwatch admin console is required to configure Airwatch Container settings. Single Sign-On (SSO) enhances and simplifies the employee experience.

Advantages of Airwatch Container

The Airwatch Container increases employee flexibility, productivity, and connectivity while ensuring company data security and compliance on personal and corporate devices. Its main advantages are:


  • Saves the cost of purchasing multiple corporate devices. Employees can follow a Bring Your Own Device (BYOD) policy to perform work tasks on their own devices. These devices can be centrally, remotely, and securely managed through a UEM console.
  • Personal data is separated from corporate data. Admin can manage, secure or control enterprise data but cannot perform any of those functions on personal data in compliance with the user privacy policy.
  • An enhanced user experience with Single Sign-On, customized apps with unique company branding and seamless access to enterprise databases and applications.


Easy to manage

  • Hybrid deployment to integrate Workspace One container with enterprise deployment method and enrol devices with features of both the frameworks.
  • Manage and secure enterprise apps, mail, and collaboration tools at application level management without the need to secure the entire device.
  • Employees can use their devices for corporate and personal work with a Single Sign-On to secure workspace without worrying about MDM restrictions.
  • Easily and seamlessly switch between enterprise and personal apps.


Security and Encryption

  • Application-level management of only the enterprise apps contained in Airwatch Container, by setting complex passcodes and encryption locally without interfering with personal user data. iOS devices have FIPS 140-2 encryption and let users authenticate with touch identity features and eye sensors.
  • Sharing data outside applications is prohibited, as Workspace One UEM controls third-party integrated apps, wrapped apps, web clips, bookmarks, and Workspace One UEM apps.
  • Corporate mail can be securely accessed on personal devices through Airwatch Inbox or IBM Notes Traveller without the need for separate devices.
  • Containerize Airwatch apps, personal apps, and public apps separately.
  • Data Loss Prevention (DLP) settings for sensitive data.
  • Self-service portal to clear passcode, lock device, or wipe enterprise data.


Airwatch Container Enrollment

Enrolling devices is the first step before interacting with Workspace One UEM and accessing enterprise resources and networks. Devices can be enrolled with Basic, Directory, or Authentication Proxy. Autodiscovery and Security Assertion Markup Language (SAML) integration help simplify the onboarding process.


Enrolling Devices

  • Go to Device Settings under Devices
  • Select Device and Users, then select General and click on Enrollment. Then select Authentication.
  • Select one of three enrollment methods: Basic, Directory, or Authentication Proxy.
  • Autodiscovery can be used to onboard devices with an email domain.


Terms of Use

Terms of Use (TOU) is an end-user agreement to comply with company policy. The device owner must first accept the Terms of Use before onboarding, accessing the UEM console, and installing apps. TOU can be customized from the UEM console for specific individuals or organizations and child groups. The following functions can be accessed from the display screen during the enrollment process:

  • Version numbers can be set.
  • Platforms can be defined to receive TOU.
  • Updates on TOU can be communicated to users through the mail.
  • TOU can be created in different languages.
  • Multiple TOU agreements based on platform or ownership type can be created and assigned to organization groups.
  • TOU can be customized for specific groups to meet liability requirements.


Configure Profile Payloads

Specific restrictions or settings can be deployed to end-user devices through Profile Payload Configuration. Profile payload is enhanced with Mobile Device Management (MDM) capabilities and is a two-step process. First, general settings are defined. Then a specific payload is selected to impose a particular setting or restriction on an individual device or a group of devices. The payloads and settings that can be deployed differ between platforms.

The following steps can be used to enforce some general settings:

  • Select Profiles under Devices.
  • Click Add under ListView and then select Add platform.
  • Select platform for the profile.
  • Under general settings, define who receives payload, how it is received, and other overall settings.
  • Select payload from the following options available.

General: Customized profile for device deployment available on iOS and Android devices.

WiFi: A WiFi profile connects devices to corporate networks such as hidden, encrypted, or password-protected networks. Works on Android and iOS devices.

EAS via Airwatch Inbox: Creates an email profile for Airwatch Inbox. Works on Android and iOS devices.

EAS via IBM Notes: Creates an IBM Notes email profile. Works only on Android devices.

Web clips: Helps in publishing a profile of web clips to selected devices. Only available on iOS devices.

Bookmarks: Create and save a link on user devices for employees to easily access.


Managing Airwatch Container Devices from Device Dashboard

The enrolled devices are auto-detected and displayed on the UEM console dashboard once the Airwatch container is activated. Specific devices can be searched for in the Airwatch Container fleet. Specific Airwatch Control actions can be taken on them. Individual devices can be located either on the dashboard or by using the Global Search feature. Filters can be applied to view Airwatch container devices only. List view expands device information on the screen. Single or multiple devices can be selected to remotely manage from the UEM console. Some of these actions are:


Lock SSO

Current sessions can be ended, and users have to enter the passcode again to log in. For lost or stolen devices, or for employees who quit the enterprise, the device's current session can be ended remotely, and credentials have to be entered again to log in.


Clear SSO Passcode

The current passcodes to sign in to enterprise networks and apps are reset, and users are prompted to create a new passcode. This action is mostly used when users forget their password, in which case the old password is reset and a new one is created.


Data wipe

Devices can be unenrolled, which wipes application data from all internal applications that use the Airwatch SDK. The device wipe can be used for lost or stolen devices; its advantage is that, rather than just ending an SSO session, all enterprise data and features can be wiped out completely. During device unenrollment, all internal and public apps are still visible, but their data is deleted if the device uses the Airwatch SDK.


Push Email Profile

Airwatch Container allows the admin to send updated and newly configured profiles to enrolled devices. Employees use personal devices to access email on the go. The Push Email Profile feature sends a new email or updated credentials to users for access at all times.


Push notifications

Admin can push notifications and send important messages to Airwatch container on end-user devices, so employees stay updated at all times.


How to use an Airwatch container on a device

Airwatch Container works in conjunction with the VMware Airwatch infrastructure and is managed through configurable system settings within the admin console. The IT team first configures the Airwatch UEM console, and then devices are enrolled. Users have to first download the Airwatch Container app and then enter the credentials provided by the enterprise.

Airwatch Container for iOS

Airwatch Container for iOS helps separate personal and corporate data. The company admin has complete control over corporate data, which is secure and can be wiped in case of a security breach, but has no control over private data, GPS location, or private messages, in compliance with the user privacy policy. Users can access corporate data and resources with Single Sign-On and switch seamlessly between corporate and private apps. Data loss prevention (DLP) settings come with a self-service portal to remotely clear the passcode, lock the device, and wipe data. Airwatch Container is compatible with Airwatch 6.5+.

Instructions for activation of Airwatch Container on iOS:

  • Download and install the app from the iOS store.
  • Enter corporate credentials and enter a passcode.
  • At the enterprise end, the admin can use the central console to manage and secure devices.


Airwatch Container for Android

Airwatch separates personal and corporate data by containing internal, public, and Workspace One apps separately. Single Sign-On helps users switch between corporate and personal apps easily and seamlessly. The admin can remotely protect data with Data Prevention Settings (DPS) by providing a self-service portal to clear the passcode, lock devices, or wipe data completely. Airwatch 6.5+ is required for the Airwatch Container on Android. Steps for installing the Android container:

  • Download and install the Airwatch app through the Play Store.
  • Enter enterprise credentials and set a passcode.
  • Admin can log into the Airwatch UEM console to manage enrolled devices.


  • Barry Allen

    A Full Stack Developer with 10+ years of experience in different domain including SAP, Blockchain, AI and Web Development.
