Workspace ONE UEM Configuration

This chapter is one of a series that make up the Omnissa Workspace ONE and Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of Omnissa Workspace ONE and Omnissa Horizon solutions. This chapter provides information about common configuration and deployment tasks for Workspace ONE UEM.

Using Intelligent Hub and Workspace ONE Apps on Devices That Are Not Fully Managed

Omnissa Workspace ONE UEM administrators can enable the use of Omnissa Workspace ONE Intelligent Hub and Workspace ONE apps on Android and iOS devices without also requiring full mobile device management (MDM). The method used in the Workspace ONE UEM console to set the management mode for the Intelligent Hub differs from that for Workspace ONE apps. This section includes procedures for both.

MDM Enrollment vs. Registered Mode vs. Adaptive Management

For most corporate-owned mobile devices, organizations require full device management, or MDM enrollment, before granting access to corporate apps and resources. But for employee-owned devices, UEM administrators can allow users to log in to the Intelligent Hub or Workspace ONE apps without requiring MDM enrollment. For example, the user can access the catalog of corporate applications without installing the iOS MDM profile on their device. This option is called registered mode: the user’s device is registered but not fully managed.

However, if an iOS user attempts to access a restricted corporate application in the catalog that requires MDM enrollment, the user will be prompted to install the iOS MDM profile. This is referred to as adaptive management, or step-up enrollment, and is supported only on iOS devices. The Android platform does not support adaptive management.

To learn how to enable adaptive management for restricted corporate applications that require MDM enrollment for access, see the Enabling Adaptive Management for iOS section of Workspace ONE UEM Architecture.

Enable Intelligent Hub Without Requiring Full Management

Most of the functionality within the Workspace ONE app, such as the user’s Favorites application list, is also included in the Intelligent Hub app, along with additional capabilities available only in the Intelligent Hub. Therefore, to access corporate applications from mobile devices, many organizations prefer using the Intelligent Hub over using the Workspace ONE mobile app.

The procedure that follows describes how to enable access to Intelligent Hub without requiring MDM enrollment or installing the iOS MDM profile on the device. The relevant settings for the Intelligent Hub app are located on the Management Mode tab of Enrollment settings in the Workspace ONE UEM console. 

Important: This procedure is about enabling access to the Intelligent Hub itself, but for end users to access the embedded app catalog within the Intelligent Hub, an administrator must also activate Hub Services and enable the Hub Catalog.

  1. From the desired organization group within the Workspace ONE UEM console, browse to Groups & Settings > All Settings > Devices & Users > General > Enrollment, select the Management Mode tab, and for Current Setting, select Override if Inherit is selected.

These settings will impact only the Workspace ONE Intelligent Hub app.

  1. Configure the management mode to use for employee-owned devices.
    In this exercise, you will configure the following modes: full management, registered mode for a particular organization group, and registered mode for a smart group.
    1. Full management, requiring MDM enrollment ‑ Under the Management Mode tab, set iOS and Android to DISABLED to require MDM enrollment for all devices accessing the Workspace ONE Intelligent Hub app. This is the default.

  1. Registered mode for an organization group ‑ Enable all devices in the current organization group to access Intelligent Hub without requiring MDM enrollment, as follows:
    1. Set iOS and Android to ENABLED.
    2. Set All iOS devices in this Organization Group to ENABLED.
    3. Set All Android devices in this Organization Group to ENABLED.

  1. Registered mode for a Smart Group ‑ Require MDM enrollment for some devices, and enable a subset of devices to access Intelligent Hub without MDM enrollment:
    1. Set iOS to ENABLED.
    2. Set All iOS devices in this Organization Group to DISABLED.
    3. Start typing the name of the Smart Group in the iOS Smart Groups field or select from the list that appears. Only this Smart Group will be enabled to access Intelligent Hub without MDM enrollment.

  1. Set Prompt for Device Ownership Type to ENABLED under the Optional Prompt tab within Enrollment settings.

In order to successfully log in to the Intelligent Hub mobile app without MDM enrollment, the device must be enrolled as employee-owned. Corporate-owned devices default to requiring MDM enrollment.

Enable the Workspace ONE App Without Requiring Full Management

If your users utilize the Workspace ONE app to access corporate applications, administrators can use the following procedure to enable access to this app without requiring MDM enrollment or installing the iOS MDM profile. The relevant settings for the Workspace ONE app are located on the Restrictions tab of Enrollment settings in the Workspace ONE UEM console. 

Note: Most of the functionality within the Workspace ONE app, such as the user’s Favorites application list, is also included in the Intelligent Hub app, along with additional capabilities available only in the Intelligent Hub.  Therefore, many organizations prefer using the Intelligent Hub over the Workspace ONE mobile app.

  1. From the desired organization group within the Workspace ONE UEM console, browse to Groups & Settings > All Settings > Devices & Users > General > Enrollment, select the Restrictions tab, and for Current Setting, select Override if Inherit is selected.

  1. Scroll down to the Management Requirements for Workspace ONE section.

These settings will impact only the Workspace ONE app.

  1. Configure the management mode to use for employee-owned devices.
    In this exercise, you will configure the following modes: full management, registered mode for all devices, and full management for one user group.
    1. Full management, requiring MDM enrollment ‑ Require MDM enrollment for all devices accessing the Workspace ONE app, as follows:
      1. Set Require MDM for Workspace ONE to ENABLED.
      2. Set Assigned User Group to All Users.
      3. Set iOS and Android to ENABLED.

  1. Registered mode for all devices ‑ To enable all devices to access the Workspace ONE app without requiring MDM enrollment or installing the iOS MDM profile, set Require MDM for Workspace ONE to DISABLED.

  1. Full management for a particular user group ‑ Require MDM enrollment for a subset of devices, as follows:
    1. Set Require MDM for Workspace ONE to ENABLED.
    2. From the Assigned User Group drop-down list, select the user group that will be required to enroll to log in to the Workspace ONE app.
    3. Set iOS and Android to ENABLED.

In this example, all devices in the Dark Side user group will be required to install the MDM profile to access the Workspace ONE mobile app. However, all other users can log in to the Workspace ONE app without MDM enrollment.

Note: If you hover your mouse over the tooltip next to the Require MDM for Workspace ONE setting, you will see the following text:

“When enabled, devices that fit the assigned criteria are prompted to enroll immediately upon log in to Workspace ONE. Those devices that do not fit the assigned criteria are allowed to log in with an unmanaged state.”

This portion of the tooltip describes the ability to require MDM enrollment (that is, require the MDM profile) for some users, and other users are allowed to log in to the Workspace ONE app without MDM enrollment (that is, they can use registered mode).

The portion of the tooltip that says, “They may come under management later using Adaptive Management,” indicates that if an iOS user attempts to launch a corporate application that requires MDM enrollment, the user will be prompted to install the iOS MDM profile.

  1. Set Prompt for Device Ownership Type to ENABLED under the Optional Prompt tab within Enrollment settings.

In order to successfully log in to the Workspace ONE app without MDM enrollment, the device must be enrolled as employee-owned. Corporate-owned devices default to requiring MDM enrollment.

Summary and Additional Resources

   Now that you have come to the end of this configuration chapter on Omnissa Workspace ONE UEM, you can return to the reference architecture landing page and use the tabs, search, or scroll to select further chapter in one of the following sections:

  • Overview chapters provide understanding of business drivers, use cases, and service definitions.
  • Architecture chapters give design guidance on the Omnissa products you are interested in including in your deployment, including Workspace ONE UEM, Access, Intelligence, Workspace ONE Assist, Horizon Cloud Service, Horizon 8, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
  • Integration chapters cover the integration of products, components, and services you need to create the environment capable of delivering the services that you want to deliver to your users.
  • Configuration chapters provide reference for specific tasks as you deploy your environment, such as installation, deployment, and configuration processes for Omnissa Workspace ONE, Horizon Cloud Service, Horizon 8, App Volumes, Dynamic Environment Management, and more.

Additional Resources

For more information about Workspace ONE UEM, you can explore the following resources:

Changelog

The following updates were made to this guide:

Date

Description of Changes

2024-10-07

  • Updated graphics and diagrams.

2024-05-31

  • Updated for Omnissa docs, KB, and Tech Zone links.

2023-01-09

  • Removed section about on-premises deployment to align with general end of availability of new on-premises deployments.

2023-07-25

  • Added this Summary and Additional Resources section to list changelog, authors, and contributors within each design chapter.

2020-07-01

  • Added new section, Using Intelligent Hub and Workspace ONE Apps on Devices that are not fully managed.

Author and Contributors

This chapter was written by:

Feedback

Your feedback is valuable. To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com


Associated Content

home-carousel-icon From the action bar MORE button.

Filter Tags

Workspace ONE Workspace ONE UEM Document Reference Architecture Advanced Deploy Modern Management