BYOD End User Adoption
A question that comes up often is "how can I get my end users to adopt MDM management of their BYOD devices?" The answer is to give them an incentive to do so. To give an example, say my company uses Office 365 for email, document management and so on, and users can freely access those resources from their BYOD devices. We can incentivize users to adopt MDM management through a few different schools of thought.
Method 1: Require Management of Devices through SSO
One way is to restrict access to those resources to managed devices only, so users cannot get their work done unless their device is managed. This also allows you as the IT admin to ensure that the device complies with certain policies, such as minimum OS version, rooted/jailbroken detection and passcode presence, among others. After all, you want to make sure the devices that access corporate resources are secure. Workspace ONE handles BYOD device management alongside corporate-owned management really well, segmenting apps and policies depending on ownership, but that's a discussion for another day.
Technically speaking, we need to evaluate the device prior to sign-in to a SaaS application. We can do this through Workspace ONE Access, Okta, Ping, or Azure AD. I won't go into the details of each of these solutions in this article, but a high-level flow of how this works for Ping can be found below. Note that the evaluation of a certificate on the device is how we determine the device's enrollment in Workspace ONE UEM. If the device is enrolled, it receives a user identity certificate. If the certificate exists, certificate authentication proceeds through Workspace ONE Access and is passed back to Okta for authentication into the SaaS application. If the certificate isn't present, the user receives an access denied message. You can pair this with compliance policies in Workspace ONE UEM as well. For instance, if a device is running an OS that is too old, you can revoke the profile that pushes the user identity certificate, and the device can no longer authenticate into those protected SaaS applications.
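To make the decision flow concrete, here is an added example (my own code, not from the original post and not VMware's or any identity provider's implementation) that models the logic described above: an enrolled device holds a user identity certificate, compliance failures revoke that certificate, and the SaaS sign-in is allowed only when a valid certificate is still present. The device records, the CA name, the policy values and the dates are all constructed for the example.

```python
"""Model of a certificate-gated SaaS access decision (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class IdentityCert:
    subject: str        # user the certificate was issued to
    issuer: str         # issuing CA (constructed name for the example)
    not_after: date     # expiry date


@dataclass
class Device:
    udid: str
    os_version: str
    jailbroken: bool
    has_passcode: bool
    cert: Optional[IdentityCert] = None   # None = not enrolled (or cert revoked)


@dataclass
class CompliancePolicy:
    min_os: str
    trusted_issuer: str


def parse_version(v: str) -> tuple:
    """Turn '16.4.1' into (16, 4, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def compliance_failures(device: Device, policy: CompliancePolicy) -> list:
    """The three checks the post names: OS floor, jailbreak/root, passcode."""
    failures = []
    if parse_version(device.os_version) < parse_version(policy.min_os):
        failures.append("os_too_old")
    if device.jailbroken:
        failures.append("compromised")
    if not device.has_passcode:
        failures.append("no_passcode")
    return failures


def enforce_compliance(device: Device, policy: CompliancePolicy) -> list:
    """Mirror the revocation step: a non-compliant device loses its identity certificate."""
    failures = compliance_failures(device, policy)
    if failures:
        device.cert = None
    return failures


def cert_is_valid(cert: Optional[IdentityCert], policy: CompliancePolicy, today: date) -> bool:
    """Present, issued by the CA we trust, and not expired."""
    return cert is not None and cert.issuer == policy.trusted_issuer and cert.not_after >= today


def saas_access_decision(device: Device, policy: CompliancePolicy, today: date) -> str:
    """'allow' only if a valid certificate remains after compliance has been enforced."""
    enforce_compliance(device, policy)
    return "allow" if cert_is_valid(device.cert, policy, today) else "deny"


# Constructed policy and sample fleet for the walk-through
POLICY = CompliancePolicy(min_os="16.0", trusted_issuer="Example Corp User CA")
TODAY = date(2024, 1, 15)


def sample_fleet() -> list:
    good = IdentityCert("jdoe@example.com", "Example Corp User CA", date(2025, 1, 1))
    expired = IdentityCert("jdoe@example.com", "Example Corp User CA", date(2023, 6, 1))
    return [
        Device("UDID-A", "17.2", False, True, good),     # enrolled and compliant
        Device("UDID-B", "15.7", False, True, good),     # enrolled, OS below the floor
        Device("UDID-C", "17.2", True, True, good),      # jailbroken
        Device("UDID-D", "17.2", False, True, None),     # never enrolled: no certificate
        Device("UDID-E", "17.2", False, True, expired),  # certificate expired
    ]


def decide_all(devices: list, policy: CompliancePolicy = POLICY, today: date = TODAY) -> dict:
    return {d.udid: saas_access_decision(d, policy, today) for d in devices}


if __name__ == "__main__":
    for udid, decision in decide_all(sample_fleet()).items():
        print(udid, decision)
```

Note that the version comparison is done on integer tuples; comparing "15.7" and "16.0" as strings happens to work, but "9.3" versus "16.0" would not, which is exactly the kind of silent policy gap a compliance rule must avoid.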
Method 2: Comprehensive Digital Workspace and AppConfig for Work Applications
One of the biggest advantages of using Workspace ONE (and the idea of the digital workspace) is that when my device is enrolled, I receive all of the applications I need to do my job. I get a certificate on the device to automatically authenticate into SaaS apps (so I don't have to remember or type a username/password multiple times a day). The apps that I use, like Outlook or Boxer, are already configured with my email or server details, Zoom points to the correct subdomain for SSO, and so on. I get notifications from work through the Intelligent Hub application if the power is out in a building or if there is an IT outage. An often overlooked part of setting up the digital workspace (focusing primarily on mobile platforms, Android and iOS in this case) is adding applications to Workspace ONE and setting up AppConfig values, which is what points Outlook, Boxer, or Zoom to the correct account or server details in the example I just gave. This is what I will focus on in this section. There are other blog posts that cover certificate-based authentication ad nauseam.
AppConfig
The first part is to add applications to your UEM catalog (there is a prerequisite for Apple to enable APNS and for Android to enable Google Play Services, if not already done). Once accomplished, when doing the assignment for your applications, you can specify AppConfig values. Note that the AppConfig values supported are determined by the software developer. For example, these are the AppConfig values supported by Outlook. We can go to the app assignment for Outlook (find the app in the Apps - Public section of WS1 UEM, select the radio button next to it, and click the "Assign" button). In the assignment, go to "Application Configuration," and you can configure AppConfig key-value pairs (KVPs) there.
At this point, you can rinse and repeat this for all of your corporate applications (again, only those that support it; not all applications have AppConfig built in). A worthy call-out: we have to manually configure AppConfig KVPs for iOS. For Android, the Workspace ONE UEM console enumerates them automatically and presents them to you in the Application Configuration section.
Profiles
In addition to apps, you can push certain configurations to the device to make end users' lives easier. One example is a Wi-Fi configuration for the office. You can push a Wi-Fi profile (doc links for iOS and Android, respectively) so that when users come into the office, their phone just works with the Wi-Fi. No need for captive portals or for the end user to enter credentials for wireless. Other common profiles for BYOD devices are VPN (if not accomplished via an app as described above), SCEP for user certificates, and Exchange ActiveSync to configure the native mail app. Note that we are limited in what profiles we can push to BYOD for non-supervised devices (iOS) or work profile devices (Android). These are denoted in the console by a grey tag to the right of the configuration item.
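The AppConfig and profile sections above both come down to the MDM delivering a property list to the device. The following added example (my own code, not from the original post and not Workspace ONE's, Microsoft's or Apple's implementation) builds both artifacts for iOS: the managed app configuration for Outlook, with per-user values substituted into a template, and a Wi-Fi profile payload. The Outlook keys follow Microsoft's published AppConfig key names and the Wi-Fi keys follow Apple's profile reference as I know them; the `{EmailAddress}`/`{EmailUserName}` lookup-value syntax is assumed to match the style Workspace ONE UEM uses in the console, and the Outlook bundle id, the user, the SSID and the pre-shared key are constructed for the example.

```python
"""Build an iOS managed app configuration and a Wi-Fi profile (added example, constructed data)."""
import plistlib
import re
import uuid

OUTLOOK_BUNDLE_ID = "com.microsoft.Office.Outlook"   # assumed bundle id for the example

# Template as it would be entered in the "Application Configuration" assignment screen.
OUTLOOK_APPCONFIG_TEMPLATE = {
    "com.microsoft.outlook.EmailProfile.EmailAccountName": "{EmailUserName}",
    "com.microsoft.outlook.EmailProfile.EmailAddress": "{EmailAddress}",
    "com.microsoft.outlook.EmailProfile.EmailUPN": "{EmailAddress}",
    "com.microsoft.outlook.EmailProfile.AccountType": "ModernAuth",
}
ALLOWED_ACCOUNT_TYPES = {"ModernAuth", "BasicAuth"}
LOOKUP = re.compile(r"\{(\w+)\}")   # assumed {LookupValue} placeholder syntax


def resolve_lookups(template: dict, user: dict) -> dict:
    """Replace {LookupValue} placeholders with per-user values. An unknown lookup is an
    error rather than being pushed to every device as a literal '{...}' string."""
    def sub(match):
        key = match.group(1)
        if key not in user:
            raise KeyError(f"no lookup value for {{{key}}}")
        return user[key]
    return {k: LOOKUP.sub(sub, v) if isinstance(v, str) else v for k, v in template.items()}


def validate_outlook_config(cfg: dict) -> list:
    """Catch obvious mistakes before the KVPs are assigned."""
    problems = []
    if cfg.get("com.microsoft.outlook.EmailProfile.AccountType") not in ALLOWED_ACCOUNT_TYPES:
        problems.append("AccountType must be ModernAuth or BasicAuth")
    if "@" not in cfg.get("com.microsoft.outlook.EmailProfile.EmailAddress", ""):
        problems.append("EmailAddress is not an address")
    if any(LOOKUP.search(str(v)) for v in cfg.values()):
        problems.append("unresolved lookup value")
    return problems


def managed_app_config_command(bundle_id: str, cfg: dict) -> dict:
    """The MDM 'Settings' command body that carries ManagedApplicationConfiguration to the app."""
    return {
        "RequestType": "Settings",
        "Settings": [{"Item": "ApplicationConfiguration", "Identifier": bundle_id, "Configuration": cfg}],
    }


def wifi_profile(ssid: str, psk: str, org: str = "com.example") -> dict:
    """A .mobileconfig dictionary with one com.apple.wifi.managed payload; fresh UUIDs per call."""
    slug = ssid.replace(" ", "-")
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.wifi.{slug}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Office Wi-Fi ({ssid})",
        "PayloadContent": [{
            "PayloadType": "com.apple.wifi.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": f"{org}.wifi.{slug}.payload",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "Office Wi-Fi",
            "SSID_STR": ssid,
            "HIDDEN_NETWORK": False,
            "AutoJoin": True,           # the "it just works when you walk in" behaviour
            "EncryptionType": "WPA2",
            "Password": psk,
        }],
    }


def build_for_user(user: dict, ssid: str, psk: str) -> tuple:
    """Return (appconfig_plist_bytes, wifi_profile_plist_bytes) for one user."""
    cfg = resolve_lookups(OUTLOOK_APPCONFIG_TEMPLATE, user)
    problems = validate_outlook_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return (plistlib.dumps(managed_app_config_command(OUTLOOK_BUNDLE_ID, cfg)),
            plistlib.dumps(wifi_profile(ssid, psk)))


SAMPLE_USER = {"EmailUserName": "jdoe", "EmailAddress": "jdoe@example.com"}   # constructed

if __name__ == "__main__":
    appconfig_xml, wifi_xml = build_for_user(SAMPLE_USER, "Corp-Office", "example-psk-not-real")
    print(appconfig_xml.decode())
    print(wifi_xml.decode())
```

The validation step exists because an AppConfig assignment applies to every device in the smart group: a typo in a lookup value or an unsupported `AccountType` is pushed to all of them at once, so it is worth rejecting before assignment rather than after the help desk calls start.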
Notifications through Intelligent Hub
I also want to give a brief mention to notifications through Intelligent Hub, which I mentioned earlier. This is done through Hub Services (meaning it is only available if you have Workspace ONE Access configured and integrated with UEM; end users don't need to authenticate through Access, the two just need to be integrated). Either in Workspace ONE Cloud Services (https://console.cloud.vmware.com, then click "Manage" for the Workspace ONE service) or through the hamburger menu in the top right corner of WS1 UEM, navigate to Workspace ONE Hub Services. Click Notifications on the left side, and then click New. You can create a new notification, or a template to use for future messages.
Then you can specify how you will designate who receives the notification and its urgency (just in the Intelligent Hub app, or do you want it to pop up immediately on users' devices?). Then select whether it is an actionable or informational notification, what you want it to say, and schedule the notification to be delivered to devices. Once created, you can monitor the notification's progress in the Notifications section of Hub Services (the first screenshot above).
Conclusion
There are a myriad of reasons to give users for BYOD adoption, the above being just some of them. VMware also offers assets to aid in end user adoption, including messaging and instructions on how to enroll devices, found here. For users concerned with privacy and "IT looking over their shoulder," the Workspace ONE app will always inform the user upon enrollment as to what data is and isn't collected from their phone. Basic app metadata (what apps are managed and installed via WS1) may be collected, but personal information and text messages never are. There is also information on privacy with Workspace ONE available on the VMware site here and in the Workspace ONE documentation here.