Managing iOS Devices for Frontline Workers with Workspace ONE UEM
Unlike knowledge workers, who often spend their day at a desk, frontline workers are always on the move. Whether they are providing essential services or delivering goods to customers, frontline workers are a highly mobile workforce with unique requirements and challenges, spanning a variety of industries, from retail to healthcare, manufacturing, and supply chain logistics. Ensuring that frontline workers have access to properly managed and configured mission-critical devices is crucial to their productivity and a company’s customer satisfaction.
Workspace ONE UEM makes it easier than ever for IT admins to manage shared iOS devices used by frontline workers. From controlling the icons displayed on the device home screen to configuring Single App Mode, there are plenty of options that IT admins can use to ensure that frontline workers receive the best device experience possible while also having access to all the resources they require to do their daily job.
Check-in and Check-out with Intelligent Hub
Devices used by frontline workers are often shared among multiple users working varying shifts. A user may “check-out” a device at the beginning of their shift, and then check it back into the device pool at the end of their shift, allowing another user to use the device during their own shift. Intelligent Hub can be configured for multi-user mode, allowing any employee to authenticate within Intelligent Hub on a shared iOS device. During user login, Workspace ONE UEM will apply the appropriate policies and applications for that user to the device.
To use Check-in / Check-out with Intelligent Hub, you need to create a Multi-staging User account in Workspace ONE UEM, which is used for device enrollment. If you plan to enroll devices through Apple Business Manager, you will also need to configure an Automated Device Enrollment profile with the Staging Mode set to Multi User device and configure the profile with your Multi-staging User account.
If you do not wish to use Apple Business Manager for enrollment, it is also possible to use Hub enrollment on the device using the Multi-staging User account.
You’ll also want to configure Intelligent Hub to be deployed silently to the device using Device Based Licensing. This will eliminate the need for an Apple ID on the device. You’ll need to import Intelligent Hub into your Workspace ONE UEM environment through Apple’s Volume Purchase Program, and then enable Device Assignment on the app. Then, assign the app to the assignment group in which your device resides.
Finally, make sure that you configure the Shared Device settings in Workspace ONE UEM. Specifically, you want to set the Group Assignment Mode. Unless you want your end users to be prompted for an Organization Group every time they log in, it is best to select User Group Organization Group. In the case where your end users might work in different locations, you can use Prompt User For Organization Group. For example, if your organization is structured by location, the end user could enter the respective location they are in for that day.
One thing to note about Check-in / Check-out with Intelligent Hub: applications that require the user to log in, such as Microsoft Outlook or Slack, will not be logged out automatically when the user checks the shared device back in at the end of their shift. This could leave a previous user’s data exposed to the next user who checks the device out. It is critical that end users log out of all their apps prior to returning the device at the end of their shift.
It is possible to use the Hub authentication session to authenticate users into their apps. This does require Workspace ONE UEM integration with an identity provider (IdP), and the apps would need to support Apple’s SSO extension. Not all apps currently support this framework. I won’t be discussing this option in this post.
Configuring the User Experience for Shared iOS Devices
To ensure that frontline workers are productive and have the best user experience, it is important to provide a consistent user interface on shared devices, such as application and home screen configuration. You can manage the user experience in Workspace ONE UEM with iOS device profiles.
For example, if you want to ensure that your frontline workers see the three apps they use the most in the dock, you can create a new iOS profile, add the Home Screen Layout payload, and configure the app icons that you want on the dock. In this example, we’ve configured Microsoft Outlook, the barcode scanner, and Intelligent Hub on the dock.
Using this same payload, you can also configure pages on the home screen, and the placement of app icons on each of those pages. You can configure multiple pages for the device and even configure folders and the app icons that go in them. This profile keeps your frontline workers’ resources at their fingertips and provides a consistent shared device user experience.
Using Single App Mode with Frontline Workers
In some cases, your frontline workers may only require access to a single application to do their job, such as Workspace ONE Web or a third-party point-of-sale app. IT admins can restrict iOS devices to launching that single app, making it even more convenient for frontline workers. Your workers need only turn on the device, and their app is immediately available for them.
A Single App Mode profile offers the versatility of locking a device to a single app, meaning that the device will return to a specified app automatically upon wake or reboot. With this profile, the home button is automatically deactivated, and IT admins have the additional ability to configure device features, such as disabling the volume and ringer buttons, and enabling accessibility features like VoiceOver, AssistiveTouch, and Voice Control.
Additionally, the iOS device can be configured for autonomous single app mode, which allows you to configure a list of permitted apps in the profile. Autonomous single app mode, however, does not allow for the configuration of other device features like those mentioned above.
Configuring Device Security for Frontline Workers
Securing shared iOS devices used by frontline workers is crucial to an organization’s overall security posture. Since frontline workers may have access to patient or customer data and could be making payment transactions, it is critical to ensure that those devices are properly secured. This often includes restricting device functionality and configuring device physical security, like passcodes. Both can be controlled using Passcode and Restrictions profiles in Workspace ONE UEM.
Let’s start with the Passcode profile. A passcode is the first line of defense for protecting personal and corporate data that might be on an iOS device. If a dubious individual gets their hands on an unattended frontline worker device, they will need to know the passcode before gaining access to any sensitive data. The Passcode payload gives IT admins control over the passcode configuration on iOS devices, allowing them to enforce specific passcode requirements. You can configure options like minimum passcode length, maximum passcode age, how long before the device auto-locks, and other options.
Apple iOS devices offer many features that make life easier and more convenient for end users, such as Siri, AirDrop for sharing across devices, iCloud syncing, FaceTime, and many others. For an individual’s personal device and even in certain corporate owned device use cases, these features can be handy for end users. However, these, and other features, could be a security risk for frontline devices that access sensitive data or process financial transactions.
The Restrictions payload in Workspace ONE UEM gives IT admins a plethora of opportunities for restricting device functionality and is a powerful tool for securing an iOS device. A Restrictions profile can be used to deactivate device functionality, such as FaceTime, use of the camera, iMessage, app installations from the Apple App Store, Siri, AirDrop, and much more.
It can also be used for managing the built-in apps on iOS devices by disabling iTunes Music Store, Find My, the Apple News app, Game Center, and even disallowing cookies, just to name a few. You can manage iCloud account settings, as well as configuring security and privacy settings, like TLS certificate management, device backup encryption, managed Wi-Fi, and others.
The Restrictions payload can manage data loss prevention features, access to media content, such as books, movies, and TV shows, and control educational features like screen observation for managed classes. Finally, IT admins can also manage the behavior of the built-in Software Updates utility to have more granular control over device OS updates.
The Restrictions payload provides a vast set of configuration possibilities that IT admins can use for securing their frontline worker devices.
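One way to verify that a Passcode and Restrictions profile actually enforces the settings described above is to audit the profile file itself. The following is an added example, not code from Workspace ONE UEM or from this post: it assumes the profile is available as an unsigned Apple configuration profile plist, uses Apple's payload type and key names, and the thresholds and sample profile are constructed for illustration.

```python
import plistlib

# Apple payload types for the Passcode and Restrictions payloads.
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"
RESTRICTIONS_TYPE = "com.apple.applicationaccess"
MUST_BE_FALSE = {  # Restrictions keys for features the article names
    "allowVideoConferencing": "FaceTime", "allowCamera": "Camera",
    "allowChat": "iMessage", "allowAppInstallation": "App Store installs",
    "allowAssistant": "Siri", "allowAirDrop": "AirDrop",
}

def audit_profile(raw: bytes, min_length=6, max_age_days=90, max_idle_min=5):
    """Return findings for an unsigned .mobileconfig; thresholds are assumptions."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    by_type = {p.get("PayloadType"): p for p in payloads}  # last one wins
    findings = []
    pc = by_type.get(PASSCODE_TYPE)
    if pc is None:
        findings.append("no Passcode payload")
    else:
        if not pc.get("forcePIN", False):
            findings.append("passcode not required (forcePIN)")
        if pc.get("minLength", 0) < min_length:
            findings.append(f"minLength below {min_length}")
        # A missing age or idle value means "never", so treat it as a failure.
        age = pc.get("maxPINAgeInDays")
        if age is None or age > max_age_days:
            findings.append(f"maxPINAgeInDays missing or above {max_age_days}")
        idle = pc.get("maxInactivity")  # minutes before auto-lock
        if idle is None or idle > max_idle_min:
            findings.append(f"maxInactivity missing or above {max_idle_min} min")
    rs = by_type.get(RESTRICTIONS_TYPE)
    if rs is None:
        findings.append("no Restrictions payload")
    else:
        # iOS treats an absent allow* key as allowed, so default to True.
        for key, feature in MUST_BE_FALSE.items():
            if rs.get(key, True):
                findings.append(f"{feature} still allowed ({key})")
    return findings

# Constructed sample profile (not exported from a real console).
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": PASSCODE_TYPE, "forcePIN": True, "minLength": 4, "maxInactivity": 5},
    {"PayloadType": RESTRICTIONS_TYPE, "allowCamera": False, "allowAirDrop": False,
     "allowAssistant": False, "allowVideoConferencing": False, "allowChat": False},
]})
```

Running `audit_profile(SAMPLE)` flags the short passcode, the missing passcode age, and App Store installs, which the sample leaves at the iOS default of allowed.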
Summary
Ensuring that frontline workers have fast and reliable access to the resources they require on iOS devices is critical to an organization’s success. Configuring shared devices with consistent app access and security can help your frontline employees work more efficiently. Workspace ONE UEM offers the tools required by IT admins for creating and managing an effective shared frontline worker device strategy.
For more information on managing iOS devices with Workspace ONE UEM, check out the following resources on Tech Zone.