Workspace One UEM Console enables the administrators with Unified Endpoint Management (UEM) allowing Mobile Device Management(MDM) and Mobile Application Management(MAM) capabilities to manage and secure endpoint devices.
Table of Contents
Employees are using personal devices to perform corporate tasks more often as the Bring Your Own Device(BYOD) policy is becoming increasingly popular further fueled with cloud technology allowing users to access corporate servers remotely and greater abilities in personal devices. A variety of endpoint vulnerabilities that can compromise enterprise security are presented by these personal unsecured devices which use local networks to access corporate servers.
To counter modern problems led to the development of modern solutions called Enterprise Mobility Management Solutions. All the endpoint devices can be centrally and remotely secured and managed on a single platform. The devices and applications are continuously monitored for suspicious activity and security configurations can be remotely deployed in case of a breach.
What is Workspace One UEM Console
Workspace One is an Enterprise Mobility Management(EMM) solution in which all the endpoint devices are enrolled, secured, and managed on a single platform with Unified Endpoint Management(UEM) allowing Mobile Device Management(MDM) and Mobile Application Management(MAM) capabilities.
Among other features, the admin can view the device statistics in detail, control user access, deploy applications, send messages and notifications to end-users, and get analytical reports on endpoint devices. Content repositories that store all enterprise data and documents and access to the company intranet can be controlled as well. An immediate alert is prompted in case of a security breach or non-compliance of any device and the admin can take action on the rogue device remotely.
Workspace One Console can be accessed through a web-based portal and the most recent version of Firefox or Chrome for management is recommended. An own custom URL can be created or for the SaaS environment, a URL is received from Workspace One with a dedicated on-premise or SaaS deployment. To log in to the console, enter the username, password, and PIN.
Features of the Workspace One UEM Console
On the main dashboard for the organization within the Workspace ONE UEM environment, a high-level summary of the entire device fleet at a glance is available including types of ownership for those devices, enrolled devices, and activity on when those devices last checked in. For the World Wide Enterprises role in the Device Administrator settings, some of the features of the Workspace ONE UEM Console are:
To quickly review the device fleet, preconfigured dashboards are available on the Workspace ONE UEM console to easily drill down to sets of devices, apps, and more with these dashboards. For instance, Within the Device dashboard click on “Devices seen in last 8 hours”. The admin is redirected to a list view showing all the devices that have recently been checked in the last 8 hours.
The main dashboard is located by navigating to the Hub and selecting Overview and corresponding section dashboards are located under that section. For instance: A variety of dashboards are available under Devices and Content.
With robust filters including platform, OS version, compliance status as well as using custom layouts and more customize device list view to allow administrators to easily narrow down the devices they are searching for. By selecting the device dive into the specific menus and available options to manage the device. On the first page for the device, the overall summary of information regarding the device can be viewed, which is the summary tab. For instance, at a glance view the Serial number and compliance status of the device.
The admin can view all the policies and configurations, under the profiles tab, that have been deployed to the device. Select the profile name to further load detailed information on a specific profile. For the different applications, various options are available depending on the device ownership.
A feature called the multi-tenant architecture under the Workspace ONE UEM console allows the admin to match the organization’s structure, organization groups and be able to customize the environment. For instance, An enterprise may be split into multiple divisions. By clicking the company name at the top, below the top group multiple organization groups are available. The admin can set settings and policies at each of these levels to override or inherit settings from above making this structure completely customizable.
Roles based Access
Under the Workspace ONE UEM console, at different organization groups, assign default or custom roles to administrators with Roles-based Access. A help desk employee can be assigned to a locked-down role limited to the region they work in by the admin while top admins have full access to all levels. Change the selected role to toggle between them by navigating to the top right corner and selecting the admin account.
Profiles are Configurations and policies that can be remotely and centrally deployed to the device. The admin role can be configured to always have a working testing environment. The profiles have a view-only option and cannot be edited or deleted under this setting. Go to Devices, navigate to Profiles & Resources, and select Profiles. The profile configurations can also be viewed.
Administrators are provided with complete control and authorization over data stored in a specific location called the UEM Managed Content repository. If the content is labeled as UEM Managed, the end-users can access the added content, but cannot edit the content from the repository using the VMware Workspace ONE Content app.
Features provided under Content Repositories are:
- Upload files manually
- Permissions and configure options for individual files can be customized.
- With the Sync option on end-user devices, Content accessed can be controlled.
- With the list view Advanced file management options are provided.
Security features provided under content repositories are to protect the content synced from the repository to end-user devices and stored content:
- With SSL encryption between the UEM console and end-user devices, the data in transit is secured.
- Roles with the security pin allow controlled access to the content
Navigate the Workspace One UEM Console
Every aspect of the Mobile Device Management (MDM) deployment can be viewed and seen allowing admin to manage profiles, configure system settings, and add new devices and users to the fleet with the Workspace One UEM Console.
Create a security PIN Security to establish security for the Workspace One Console by safeguarding against deleting important aspects of the environment, such as users and organization groups and accidentally wiping a device with the security PIN. An added point of authentication and the second layer of security is provided by the security PIN blocks actions made by unapproved users.
Establishing a Security PIN
A prompt is shown to create a security PIN when the admin first logs into the Workspace One Console. On the Security Settings page, the four-digit Security PIN is entered and confirmed, and the PIN is saved for future use. The admin may not bypass this page or proceed to any area within the Workspace One Console without creating this PIN. If the password entered is wrong more than the maximum allowed login attempts the admin is presented with a “Captcha” authentication prompt which can be customized or disabled by the admin.
Reset the Security PIN
Reset the security PIN frequently to minimize security risks. The following steps should be followed to do the same:
- Navigate to the top-right corner of the Workspace One Console, and click on the Account icon.
- Go to and click on Manage Account Settings. The page for Account Settings is shown.
- By clicking on the Reset button under the Security tab, reset the PIN.
- Log out of the console. On signing back in again the PIN creation prompt has to be completed.
The admin can access the following functions and features at top of nearly every page with the Header Menu.
- Organization Group: The Organization Group (the tab labeled Global) can be selected and the changes made are applied to the selected group.
- Add: Create a device or public application, user, policy, content, admin, a profile, and an internal application
- Global search: All aspects of deployment can be searched for under Workspace One UEM Console including admins, pages, applications, configuration settings, devices, users, content, and more.
- Notifications: Stay updated about important console events with Notifications. the number badge on the Notifications bell icon is used to indicate the number of alerts that require admin attention.
- Saved: Most-utilized and favorite pages can be accessed within the Workspace One Console.
- Help: Search or browse for console documentation and the available guides.
- Account: Change the account role that the admin is assigned to within the current environment to view the Account Information. The settings can be specifically customized for viewing the history of Logins, language, Notifications, contact information, and Security settings including PIN reset. After logging out of Workspace One the admin can also return to the Login screen.
- Refresh: Updated stats and info can be viewed, by refreshing the screen, without leaving the current view.
- Available Sections: Customize the view of the Hub Overview by selecting only the sections the admin wants to see.
- Export: The admin can view and analyze a comma-separated values(CSV) file, which is exported, with Excel producing a full listing of books, channels, profiles, apps, or policies.
- Home: Use this icon in the Workspace One Console to assign any screen as a home page. The next time Workspace One Console is opened, the selected screen displays as the home page.
- Save: The current page can be added to the Saved page list, for quick access to the favorite console pages.
As specified for the role, navigate to all the features available, and Mobile Device Management (MDM) deployment with the Main Menu:
- Getting Started: Reflect only modules of interest and make sure that all aspects of a basic successful deployment are fulfilled within a Workspace One Console deployment. An onboarding experience that is more tailored to the actual process is produced by Getting Started.
- Hub: A quick overview of the device fleet is provided and view and manage MDM information that drives urgent decisions the admin must make. View and track module licenses with the Admin Panel Dashboard, most black-listed apps that violate compliance, and monitor all devices that are currently out of compliance. Streamline the onboarding process with industry-specific apps and policies for iOS devices by selecting and running Industry Templates. Some of the aspects that can be accessed for devices in the fleet are compliance status, platform type, Ownership type, breakdown, last seen, and enrollment type. Available options that can be swapped as per preference are Full Dashboard, list view, and detail view. Wipe Protection settings, current profiles, enrollment status, Compliance policies, certificates, product provisioning, Notification, and printer management are some additional tabs available that can be configured.
- Accounts: Survey and manage users and administrators, batch status, user groups, roles, and settings associated with the users alongside admin roles, groups, system activity, and settings associated with the administrators.
- Apps & Books: Access, view and manage Book catalog, App catalog, Volume Purchase Program (VPP) orders, App groups featured apps, Geofencing, app categories, smart groups, and profiles associated with the app along with logs with application settings and application analytics.
- Content: A detailed view of content is available including engagement, storage history trends, user and content status, and user breakdown. Manage and upload content authorized to users and devices. Content categories, content repositories, batch import status, User storage, VMware Content Locker home screen configuration, and all other content-specific settings can be configured.
- Email: A detailed summary of Email information related to the deployment is provided. Some of the information displayed are email management status, managed devices, email policy violations, deployment type, and time last seen.
- Telecom: A detailed overview of telecom-enabled devices is provided including roaming data, plan use and use history. The telecom use can be viewed and managed including Short Message Service(SMS), track roaming, call, and content settings.
- Groups & Settings: Manage structures, types, and statuses that are related to organization groups including app groups, user groups, smart groups, and Admin Groups. Configure entire system settings or settings related to all Main Menu options.
Collapse and Expand the Submenu
Collapse the submenu by clicking on the arrow at the bottom of the console creating more space for device information. Expand or reopen the submenu with the modified arrow.
To run searches across the entire deployment with the Global Search option a modular design with a tabbed interface is used. Faster search results are produced by running a single tab applied by Search parameter under the Global Search option. Apply the same parameters to another area of the Workspace One Console by selecting another tab. After a global search has been run, select the following tabs to view the results.
- Devices: Matches to Device friendly names and Profile name searches are shown.
- Accounts: Matches to user names and Administrator name searches are shown.
- Applications: Public, purchased, internal and Web application searches are shown.
- Content: Matches to any content that appears on devices are displayed.
- Settings: Matches to individual field-level settings and Matches to console main page searches are displayed.
Perform a search for an organized group by selecting the organization group drop-down menu displaying the list in the search bar above.
Workspace One Console Notifications
A special communication tool is designed called notifications to convey the admin information about console events that impact the operation and is located next to the Global Search button. The different types of notifications are:
- APNs Expiration and APNs Expired: For MDM certificates that are set to expire for APNs a Critical Priority alert is generated and the admin is notified 30 days in advance. The Critical Priority alert is reduced to a High Priority alert after the APNs certificate expires. The admin is assisted with this notification in avoiding the hassles involved with expired certificates by keeping the devices connected with Workspace One UEM Console.
- App Removal Protection: When the Application Removal threshold is exceeded, This High Priority alert prompt is shown. Act by clicking the Review App Removal link on the Notifications pop-up.
- List View Export: When the User or Device list view export the admin requested has been finished and is ready for examination an info priority level alert notification is displayed.
- User Group Merge Pending: This notification pops up when the user group merge process is pending and admin approval is needed. Scenarios for this notification are:
All changes require admin approval if the Auto Merge Changes setting is disabled on the Directory-based User Group.
If the Auto Merge Change is enabled and the number of changes is greater than the Maximum Allowable Changes threshold, admin approval is needed for a portion of changes above the threshold.
- VPP App Auto Update: High priority alerts that notify are generated when an app is installed with Apple Volume Purchase Program.
Managing Console Notifications
When there are active notifications that require attention indicated by the number of active alerts, a numeral badge appears on the alert icon. To view the Notifications pop-up, click on the bell-shaped Notifications icon. The received notifications can be managed including viewing the list of active alerts, renewing the APNs, viewing the list of dismissed alerts, Dismissing expired alerts, and Configuring Notification Settings. In the organization groups, the APNs for an MDM certificate are located, displaying each alert. A link to Renew APNs and the expiration date of the certificate is displayed by each alert.
- View Active Alerts: With the default view, the list of active alerts is displayed.
- Renew APN’s: This screen is displayed When the OG admin is currently indifferent from the OG that manages the device with the impending license expiration and the Change Organization Group (OG) is displayed on the screen. To renew this APN’s license, click on Yes to change the OG automatically. By following the instructions on the APNs for the MDM settings page and maintaining the device connection with Workspace One the license can be renewed.
- Dismiss Alert: By clicking on the X button, the expired alert closes and is sent to the Dismissed alert listing. Admin cannot close the critical priority notifications.
- View Dismissed Alerts: Navigate to the Dismissed tab, at the top of the Notifications pop-up to see the listing of dismissed alerts.
Configure Notifications Settings
By using the Notifications settings page, choose how to receive alerts, change the email to which it sends alerts, expiration alerts and enable or disable APNs. To configure notification settings, these steps must be followed:
1. From every page on the console, the Account button can be accessed and is selected. Click on the Notifications tab under Manage Account Settings. Alternatively, the notification settings page can be opened by clicking on the gear icon available in the lower-right corner of the Notifications pop-up screen.
2. Complete the following notification settings:
- APN’s Expiration: The following alert can be generated when the APNs licenses are about to expire or have expired.
- Notification: Choose the notification delivery method from Console, Email, or Both.
- Send Email to: The email address has to be entered when Email or both is selected in Notification and Commas are used to separate different email IDs.
- List View Export: An alert is generated when the exportation of a device list view or user list view is completed.
- Notification: Choose the notification delivery method from Console, Email, or Both. In the user tab of Account Settings, this email used is the address on record, for list view exports, for the currently logged-in administrator.
- User group Merges : When Workspace One and Auto Merge Changes are disabled, along with the Active Directory database changes sync, this alert is generated.
- VPP App Auto Update: When Apple Volume Purchase Program is used to install an app and an updated version is available that can be installed, an alert is triggered.
3. Save the changes made.