Embedded Files
It's important before purchasing any IT product to try it out. Workspace ONE offers a 30-day trial to test the product prior to buying. However due to its expansive nature, it's important to focus on the important pieces instead of trying to boil the ocean, so to speak. This guide aims to not only set some expectations, but also give some technical knowledge/guidance on accomplishing the beginning pieces of a Workspace ONE trial and set a flow of the trial (at least from an EUC SE perspective). Note this guide aims to only discuss the basic concepts to get up and running on a trial. For more in-depth content or advanced use cases, see the other pages on this site or contact your VMware representative for further support.
Walk Before you Run
Walk Before you Run
As I mentioned before, don't try to boil the ocean. Think about what is most important for you to test out about Workspace ONE. Is it management of MacOS or Windows devices? Is it pushing out public app store applications to iOS and Android devices? Is it pushing out Workspace ONE Launcher for frontline Android devices? As a rule of thumb, test the specific pieces that are core to your requirements first using the basics. Push off the more advanced configuration - Google Workspaces integration, single sign on, automatic/zero touch provisioning of devices, etc - until later on. Workspace ONE can certainly accomplish these things, but it is multitudes easier to accomplish these things having the basics down first. I'll structure this document using this methodology, as you'll see below.
The Methods of Trialing Workspace ONE
The Methods of Trialing Workspace ONE
There are two methods of trying Workspace ONE - either through TestDrive, or through a trial obtained from the Workspace ONE site. Below are some of their advantages/disadvantages, as the two are not the same -
Workspace ONE Trial
Workspace ONE Trial
Pros-
Can be moved into production environment, so you do not lose your work through the trial (not required though)
Fully featured provisioned environment and full license to try out all aspects of the product (UEM, Intelligence, etc)
Includes ability to test Workspace ONE Assist (remote into devices for end-user support)
Cons-
Expires after 30 days
Blank environment
TestDrive
TestDrive
Pros-
There are different environments you can access - sandbox or RTU (ready to use/demonstration) environment
Sandbox is for your testing of configurations, individual to you
RTU environment is shared amongst customers/partners/VMware employees, and is a read-only environment you can enroll your device into to see some of what is possible with Workspace ONE without configuring everything yourself
Easily obtained and able to be extended - both through contact of EUC Sales Representative
Cons-
Does not transition to a production environment
Cannot test Workspace ONE Assist in sandbox environment (remote into devices for end-user support)
Getting Started with TestDrive
Getting Started with TestDrive
Starting testing of Workspace ONE with TestDrive is fairly straight forward. Once you've been sent an invitation, you sign in and either login to the RTU environment (with your same TestDrive credentials) or you go to the "Sandbox Experiences" tab to spin up your sandbox UEM tenant. Note that it will provide you your administrator credentials. This are sync'd at time of provisioning of environment, but may change/expire down the road, and will not remain sync'd with the TD console indefinitely. You will still need to create an enrollment user account (UEM administrator accounts, and UEM enrollment/user accounts are fundamentally different and are not interchangeable), which I'll go into later down the page. Skip the below section on "Getting Started with a Trial".
Getting Started with a Workspace ONE Trial
Getting Started with a Workspace ONE Trial
Spinning up the trial for Workspace ONE is fairly straight forward, fill out a form, and receive an email to get started. I do want to give some words of caution, however, and provide some guidance on starting the trial to ensure no hiccups occur with provisioning. My first word of caution: time the start of the trial with your specified timeline. You'll have 30 days to test the product from the time you fill out the form (as this is when the environment is provisioned). I'd also consider reaching out to a VMware representative (and speaking to a VMware EUC Specialist) prior to starting the trial. I'm a very hands-on IT person, but it's good to have the support and resources available ahead of time in case you have any questions.
The first step to get started with the trial, you can simply fill out this form.
Next, you'll get two emails: one with your "SID" (this is the unique identifer for your trial, and you'll need it if you want to flip this trial into production) - while not important now, keep the email handy. The second email will have a blue "Get Started" button on it. Do not click this button yet. The button is tokenized (will only let you click it once), and as a best practice I'd encourage you to do the following steps below prior to using the "Get Started" button on the email.
I'd encourage you to do the following to onboard into VMware Cloud Services (which is what you will access the trial through) and to initialize your trial -
Open an incognito window (in Chrome/Firefox/browser of choice)
Go to https://my.vmware.com and make sure you (1) have an account and (2) can login successfully
Go back to the original email. Right click on the "Get Started" button and copy the URL
Open the tokenized URL in your incognito window. You may need to sign in again, but then you should get a screen like this to "create an organization" -
Finish the onboarding steps and then you should be pushed to a page that looks like this -
To access your UEM trial, under the "Unified Endpoint Management" tile on the right side, click "Manage". This will single-sign you into Workspace ONE UEM.
A couple other tips to mention while we are on the topic of VMware Cloud Services -
To access the trial again in the future, you can go to https://console.cloud.vmware.com and sign in. There will be a Workspace ONE tile where you can click "manage" to access the above page.
To add additional administrators (if you have colleagues who will be testing the solution as well), go to https://console.cloud.vmware.com/ and then follow the steps listed in this documentation link to add additional administrators.
Prerequisites for Management of Devices
Prerequisites for Management of Devices
To get started, there are a couple pre-requisites to manage all platforms. In addition, there may be requirements for specific platform management. For instance, we would need to enable Apple Push Notification Services for management of iOS/MacOS, Android Enterprise for management of Android. See the below topics for coverage of both general and platform-specific pre-requisites. You can skip the headers for the platforms that are not in scope for testing in the trial.
General Pre-Requisites
General Pre-Requisites
To get started, we need a few foundational things in place as part of enrollment - namely an enrollment account (username/password to enroll a device) and the server URL and group ID (where to enroll the device to). Note that this isn't going to be the process for a production environment - you can leverage email auto-discovery and Single-Sign On with an Identity Provider of choice. But again, we want to start small.
Server URL and Group ID
Server URL and Group ID
In the UEM console, we will need to notate the Server URL and Group ID. This can be found in the UEM console. The server URL is the first part of the URL you are seeing - usually cn1688.awmdm.com, cn1784.awmdm.com, cn1380.awmdm.com, and so on. The group ID can be found by hovering over your SID (or the text) in the white box next to the Workspace ONE UEM logo.
More information on identifying the Group ID of your Workspace ONE tenant can be found here.
Create an Enrollment User
Create an Enrollment User
Next, we will need to create a basic user account in Workspace ONE UEM. In the UEM console, go to Accounts - Users - List View. Then click Add and then Add User.
In the next window, enter the details for the user account. All you will need to remember from here is the username and password. Note, if the email address you input is valid, the email will receive a user activation email with information on how to enroll the device, and a link to reset the password from the default. When finished, click Save. (Note: you don't need to "Add Device" at this moment, devices will automatically come into the console when enrolled)
Now you should have all the information you need to enroll - server URL, group ID, and enrollment credentials. If you are planning to enroll MacOS, iOS, or Android, see the below headers. If you are planning on enrolling other platforms (Windows, Linux) then you can proceed to enrollment.
MacOS and iOS
MacOS and iOS
For MacOS and iOS, we need to setup Apple Push Notification Services. This will allow us to issue management commands against those platforms. This process is fairly straight forward to complete. The only thing to keep in mind is to use an Apple ID that is agnostic of the individual. That is, use an Apple ID that is shared across the IT organization so that if someone leaves the organization, you do not lose access to the Apple ID. This video from VMware EUC does a fantastic job of walking through the process. The document version of the video can be found here.
Android
Android
With Android, we need to register with Android EMM which will allow Workspace ONE access to the Android management API's. How this is implemented, however, can depend on two options and thus presents us a fork in the road: Managed Google Play Account, or Managed Google Domain. Generally speaking, the former is for non-Google Workspaces (formerly G-Suite) organizations, while the latter is for Google Workspaces organizations.
Managed Google Play Account:
Uses a singular account to tie the Workspace ONE tenant to Android management API's
Simply put - allows everything (app distribution through Google Play, management of Android phones, etc) to work
Easiest to setup and recommended for trials to get started
Managed Google Domain:
For Google Workspaces organizations
Requires creation of a service account in Google Cloud (only requires a Google Workspaces subscription to do so) to facilitate Android API communication between WS1 and Google
Can restrict enrollment of Android devices to just those in your Google Workspaces Organization
Requires configuration at the top-level of the Google Workspaces domain, changing the EMM provider to be Workspace ONE (which may not be ideal for a trial)
Takes an hour or two to configure
For the reasons above, in a trial, I would recommend the "Managed Google Play Account" method of EMM registration. VMware EUC has a good video on how this is setup here, and the document version here.
If you would like to try the Managed Google Domain registration method, see this VMware Docs page for information on setting this up.
Getting Started with Management of Devices
Getting Started with Management of Devices
Now that we have finished the above pre-requisites, we can get started with enrolling and pushing profiles/applications to devices.
Enrollment
Enrollment
Regardless of the device platform, on the endpoint, go to https://getwsone.com to download the Intelligent Hub agent. Install it, and it should prompt for the server URL, group ID, username and password we created earlier. Follow the process and your device should be enrolled into your UEM tenant and visible in Devices - List View. For mobile platforms, you can also simply download the Intelligent Hub application from the applicable app store.
Profiles
Profiles
Profiles are the method in which we push configuration to the device (whether it be a restriction to lock down the device or configuration to set up email/VPN access, for instance). The way we push profiles to the device is by going to Resources - Profiles and Baselines - Profiles, and clicking on Add - Add Profile
On the next screen, we can see all of the platforms that we can push a profile to
Once you select the platform, you may be asked whether you want to push a device or user profile. Generally, we will push a device profile (as the name implies, it affects the entire device as opposed to just a specific user) unless we have a specific need for a user profile (ex. SCEP profile for user identity certificate).
Next, to create a profile, we need to give it a name and assign it to a smart group (which is a dynamic grouping of devices). In this example, I selected all corporate dedicated devices. As more corporate devices enroll, they will automatically populate this group. The enrollment flow (default ownership, prompt for user to select ownership or input asset tag, etc) can be changed later. As a best practice, keep each profile to only one payload. So one profile for encryption, one profile for VPN, one profile for restrictions, so on. Select the payload on the left side to configure with your chosen settings. Once you're done with configuring a profile, click save and publish. Rinse and repeat for each profile/configuration desired for the applicable platforms.
Applications
Applications
Workspace ONE can push both internal apps (those that you upload - think pkg, dmg for MacOS; exe, zip, msi, appx, msix for Windows) and public apps (sourced from the app store). We can add applications by going to Resources - Apps - Native, and selecting the appropriate tab.
For native (uploaded) applications, you can click Add - From Application file to upload a file. Note that applications distributed via this means need to be able to be deployed silently.
For Windows, you will need to specify certain data about the app install (install command, how to call install complete, uninstall command, etc) depending on the uploaded app type. For MSI, you can just upload the application and (generally) continue without any modifications/additions to install data that would otherwise be needed for exe/zip files. For information on deploying Windows apps, please see this fantastic TechZone Article that goes into great detail.
For Windows you also have the option to do Add - From Enterprise App Repository. This is a VMware-maintained repository with common applications that help you get up and running with your environment. Running through the process, it will perform a "copy/paste" operation of the application from the repository into your environment. You can also select to be notified when new versions of applications are available so you can import the new version as well. Note: VMware will not automatically update the application in your catalog. For details on this, see this Techzone Article.
For MacOS, you can upload dmg or pkg files. You may need to utilize the Workspace ONE Admin Assistant tool to generate a metadata .plist file that will allow the application to be deployed. Details on this can be found in this TechZone Article.
For Public (App Store) apps, the apps themselves (and updating of those apps) come from their respective App Store. Deploying them out is super easy - click Add Application, type the name of the app and then select the app store, and add it to your app catalog.
When you add applications to the catalog (either after they are imported or by selecting the radio button next to the app and click on the "Assign" button), you'll see a window like the below to assign the app to devices. The idea here is you've added (or allowed) the application to be a part of your catalog, but now you need to actually assign it to devices. You'll need to give it a name and assign it to a smart group like we did earlier with profiles. There is then an option to assign the app to be auto or on-demand This will affect whether the app lands on the device automatically or whether it will be available via the Intelligent Hub app catalog for users to have installed on their device on-demand.
Next, check out the Restrictions page on the left. This can have the option to "Make App MDM Managed if User Installed" (for applicable platforms/enrollment models), so that even though the user may have 7-Zip installed (in this example), we will still take MDM control of it and remove the app if the device were to be unenrolled later on.
When finished, click save, and then click publish. The application should land on the device shortly. Rinse and repeat for all of the desired applications.
Like mentioned earlier, this guide's purpose is to help get started with Workspace ONE. If you're looking for additional information on integrations and in-depth configurations, please see some of the other pages of this site (or other sites that EUC SE's have published). I'd also always encourage reaching out to your VMware EUC Specialist for formal assistance in a proof of concept, or for answers to any questions.
Handy Resources
Handy Resources
Assignment groups (smart groups vs organizational groups)
See also nav bar on left side of page for additional information
Great starting point for learning about the platform and different facets of the product. See the tabs on the top of page to see additional resources as well.
Page updated
Google Sites
Report abuse