AW - WS1DM - Lab Manual Days 1 - 2
AW - WS1DM - Lab Manual Days 1 - 2
AW - WS1DM - Lab Manual Days 1 - 2
www.vmware.com/education
CONTENTS
Lab 1 Welcome to VMware Labs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Lab 2 Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Lab 3 VMware AirWatch Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Lab 4 Mobile Device Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Lab 5 Mobile Email Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Lab 6 Mobile Content Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
i
ii Contents
Lab 1 Welcome to VMware Labs
Exercise Introduction
Thank you for your interest in learning more about VMware solutions. We have developed a series
of lab exercises for you to learn more about the Workspace ONE platform. These labs are designed
to lead you through the various components of the AirWatch products in a hands-on format. Please
refer to the training decks, my.air-watch.com and the on-line help in the console for additional
assistance.
If you have any questions or feedback, please send them to Eduoperations@vmware.com.
Sincerely,
VMware Education Services
1
2 Lab 1 Welcome to VMware Labs
Lab 2 Before You Begin
Lab Preparation
Please be sure that you have the following tools ready and available for the lab.
1. Laptop: either PC or Mac, used for accessing the AirWatch training environment.
2. Mobile Device: iOS or Android device used for lab exercises. This device should be running
the most up-to-date version of its operating system; This is considered a best practice.
3. App Store Login: based on the platform of your mobile device, either an Apple ID or Google
account, used for downloading public applications.
4. Browser: modern browser used throughout the duration of the training. We recommend the use
of a modern browser such as Google Chrome, Firefox or Safari.
5. Academic Success Kit: contains the Course_Materials folder, which includes assets used
for lab activities. Please ensure the Academic Success Kit is staged on your desktop for easy
access.
3
4 Lab 2 Before You Begin
Lab 3 VMware AirWatch Basics
5
5. Input the following user credentials:
• User: user
• Password: AirWatch
AirWatch authenticates end users by enrolling them into virtual containers known as
Organization Groups.
6. Accept the Terms of Use policy.
7. Click the option prompted to continue to with the enrollment process, such as Redirect &
Enable for iOS.
8. Depending on the platform, you should install, activate and/or accept all prompts and Click
Done to complete the enrollment.
• iOS: Install a Digital Workspace (Enrollment Profile) and trust Remote Management.
• Android: Some platforms require the user to enable AirWatch as a Device Administrator
or to install and activate additional Manufacturer Service Applications.
9. Accept any prompts to install the following applications:
• AirWatch Inbox
• Content Locker
NOTE
student1/student1 may be used an alternate if access is blocked for maintenance.
3. Browse email, calendar and contacts.
• iOS: email, calendar and contacts are containerized in one application.
LEARN MORE!
During the MEM training module, you will learn more how AirWatch can protect your email
infrastructure. This is accomplished by either deploying the AirWatch Secure Email Gateway to act
as a proxy for email requests or with direct integration leveraging PowerShell Cmdlets or Google
Apps for Business API.
If a URL is presented upon login, verify the following details and Click OK:
• URL: <Instructor Provided>
• Group ID: intro
If prompted for credentials, enter the following:
• User: user
• Password: AirWatch
The AirWatch Admin can determine what content is pushed for automatic download or in an
on-demand capacity. Additional settings, such as enabling downloads only when devices are
connected to Wi-Fi or configuring an expiration date for content availability, can additionally be
defined.
4. Click Back or “X” out of the document and select the file cabinet to go back to the main
Repositories screen.
5. Click AirWatch Content and navigate to AirWatch Education.
6. Attempt to email the Introduction to AirWatch document. The steps below are for iOS; similar
series of actions would be carried out on other platforms:
• Click the Checkmark button from the top left of the navigation panel.
Application-level DLP settings allow control over content access to be flexibly organized
throughout different levels of the organization group structure.
7. Tap on the document and review the available options.
8. Assign a document as a favorite by selecting the star button.
LEARN MORE!
During the MCM training module, you will learn about the differences between corporate and user
content, how to create categories associated with content loaded into AirWatch, configuring content
repositories (such as Google Drive or SharePoint) and enforcing application-level DLP settings.
If VMware Browser requires installation, open the App Catalog, select the option to install the
VMware Browser. A prompt to install the application will appear, either in the middle of the
screen or in the notification bar. For iOS, Click Install and enter your Apple ID credentials, if
prompted. For Android, the prompt will take you into the AirWatch Agent. Tap on VMware
Browser, which will then direct you to the Google Play store for installation.
Single sign-on has been enabled and leverages the AirWatch Software Development Kit (SDK),
which is coded into the application. Credentials are not required, since the AirWatch Agent is
used to authenticate the session.
2. Navigate to google.com.
Users can access pre-approved sites that were deemed acceptable for work use.
3. Attempt to navigate to twitter.com.
LEARN MORE!
If you are interested in learning more about the VMware Browser, refer to supporting
documentation in the Resources section of the myAirWatch portal.
For iOS and Android, the AirWatch Catalog is a shortcut to an AirWatch website. This site
enables users to install, interact with and deploy approved applications. iOS refers to this
shortcut as web clip, while Android refers to this shortcut as a bookmark.
No credentials are required for access. This setting could be enabled on your environment by an
AirWatch Administrator.
3. Select an application by tapping on the icon, scroll down to the bottom of the navigation pane
on the right, provide an internal rating on an app, and then Click Save.
Administrators can promote selected applications to increase application adoption.
4. From the menu, filter by All Apps.
5. Select Wikipedia and then click Install to start the installation process for the application.
Though Wikipedia is a public application, it can be removed from your device remotely by the
AirWatch Administrator.
LEARN MORE!
During the MAM training module, you will learn about how to enable and configure the AirWatch
Catalog, how to push, load and assign public and internal applications, and how to enforce app
compliance. If you are interested in learning more about AirWatch app development tools, refer to
supporting documentation in the Resources section of the myAirWatch portal.
AirWatch Fundamentals
19
5. Read through and verify that you accept the AirWatch Terms of Use agreement.
Button Description
Ensure that all aspects of a basic successful
deployment are established. Getting Started is
organized to reflect only those modules within
an AirWatch Admin Console deployment that
you are interested in. This produces an on-
boarding experience that is more tailored to
your actual configuration.
4. From the top, locate the Organization Group menu. The information displayed on each page
will be relevant for the Organization Group (OG) level displayed.
In a later lab activity, you will create a hierarchy under Company. This may include further
defining your deployment with distinct categories, including geographies, divisions and
business units.
In the training environment, your OG is a child of several parent OGs. These parent OGs are
not visible to you since they are above your Company OG. As an AirWatch Administrator at
your Company OG, your role-based permissions define what you can configure and manage
within the AirWatch Admin Console. The AirWatch Administrator at the parent OG above
yours has full governance over all settings, since they created your AirWatch Administrator
account and defined your role-based permissions. As the AirWatch Administrator at your
Company OG, you can similarly decide and define what access levels to grant to AirWatch
The search provides results based on the Organization Group level for all aspects of your
AirWatch deployment, including devices, users, content, applications, configuration settings,
admins, pages and more.
6. Click Add and review the options.
The Add button makes it easy to quickly add an admin, device, user, compliance policy, piece
of content, profile, internal or public application, rather than forcing you to navigate to a
specific page to add a new configuration via the Main Menu. The Add button will add the
object or configuration to whichever Organization Group is currently being accessed.
7. Click Saved. No saved menu pages appear. To tag a page as a favorite, Click the Star icon.
8. Click the House icon. This option will set the current menu page as the homepage; this page
appears to the AirWatch Administrator as the first page when they log in to the AirWatch
Admin Console.
10. Click Manage Account Settings to review the options for changing admin user metadata such
as login history and other security settings.
11. Click Help and select Open Help Page.
Click
Help will launch the online help portal, where you can browse and search available guides and
feature documentation. The Help menu displays information based on where you are in the
console (such as Apps & Books), but launches in a separate tab so that you can navigate back to
the console without being forced to log out and back in.
There is another option under the Help icon that will create a Temporary Administrator. This
option allows you to create a basic administrator account that is intended to be used for
troubleshooting. This account will become inactive after a defined time threshold of 6 hours to
1 week.
NOTE
The APNs certificate can also be created using the Getting Started Wizard. Since there is
already a APNs certificate loaded at a higher-level OG than you have permissions to modify,
you must override the parent settings in the AirWatch Admin Console settings.
2. If a APNs certificate was not loaded, this is where you would go through the process of loading
a new one. This is also the location where you would update an existing APNs certificate once
your existing certificate expires. If you intend to use Apple devices within your deployment,
you will need to ensure that this certificate is kept up-to-date. If it expires, all Apple devices
will become unenrolled.
The “Collect and Display” setting gathers user data and displays it in the AirWatch Admin
Console. The “Collect Do Not Display” setting collects user data for use in reports and
compliance, but is not displayed within the AirWatch Admin Console. The “Do Not Collect”
setting prevents collection of user data from being shown in both the AirWatch Admin Console
and in generated reports.
4. Review all remaining privacy settings, including whether the AirWatch Administrator can
remotely erase a device (factory wipe), remote control a device based on ownership, display
user information and more.
NOTE
English is the default language. Use the Select Language list to change the default language.
7. Enter your Terms of Use in the text field provided and Click Save.
The editor provides an HTML entry tool to create a new Terms of Use or, alternately, copy and
paste an existing Terms of Use. If you choose to use paste copied from external content, right-
click the text box and choose Paste as plain text. This will prevent any HTML or formatting
errors. For localized versions, previously-translated text must be entered.
Setting Description
Company Logo The logo that appears in the upper left corner
of the AirWatch Console.
Login Background Page The image that displays on the login splash
page. You can upload multiple images that
will function as rotating slides.
Company Website URL The URL that a user will be directed to after
clicking the Primary Logo image.
Login Page Slide Delay (seconds) The delay between image rotation on the login
splash page.
In our environment, the current parent OG has disabled the settings available in the Branding
tab.
2. Click Override.
3. Modify the colors assigned to the interface and Click Save.
All AirWatch websites will be branded with color assignments, including the AirWatch Admin
Console, AirWatch Catalog, and AirWatch Self-Service Portal.
NOTE
For training purposes, define a Group ID which is easy to remember for future device
enrollment. The Group ID is not case sensitive, but cannot contain spaces or special symbols.
While the Group ID may be the same as your OG name, it may fail to save because another
student within the training environment may have already defined this value. If this occurs,
define a different Group ID.
NOTE
Changing OG Type, Country, Locale and Time Zone settings will only affect reporting metrics.
8. Click Save. Refresh your browser to view the updated OG name.
9. Select Add Child Organization Group.
10. Using the sample OG topology hierarchy, enter North America in the Name field, which is the
first geographic region OG hierarchy.
11. Define a unique Group ID and accept the default Type.
12. Adjust Country, Locale and Time Zone settings based on your region.
13. Click Save. Refresh your browser to view the updated OG name.
14. Select your Company OG, and select Add Child Organization Group and follow the same
procedures to build an OG for EMEA and APAC.
NOTE
Remember to navigate back to your Company OG to create each child OG for different
geographical locations. The disclosure arrow to the left will expand or contract your OGs for
each navigation.
NOTE
The “Root” pictured here should be your email address. “World Wide Enterprises” represents
the unique Organization Group you created in step 5.
16. At each geographic OG, create two child OGs called Sales and ITops.
17. Define a unique Group ID and accept the default Type.
If your OG structure does not mirror the displayed OG structure, and has a unique Group ID
defined, select the incorrect OG and fix the issue or delete it. When you delete the OG, enter the
Security PIN that you defined when you first logged in to the AirWatch Admin Console. Once
this is complete, navigate back to your Company OG and create the correct child OGs.
NOTE
In some cases, there may be some decencies that will not allow for deletion, where other
associate settings must be deleted first, such as Assignment Groups with configurations tied to
enrolled devices.
19. Navigate to any geographic OG and attempt to delete that OG. You will not be able to perform
this action because all geographic OGs have child OGs. If you need to delete an OG with
children, then you must delete all the children OGs prior to deleting the partner OG.
When an OG is deleted, all configurations and settings associated with it are erased as well.
There is no option to restore this information; this is one reason why a Security PIN is required.
Additionally, there are no options for moving or inserting OGs. For example, you could not
A User Acceptance Testing (UAT) OG allows you to configure settings and enroll devices into
a sandboxed OG, which is not affected by settings configured in your production Company OG.
The UAT OG will not have a disclosure arrow next to it, since it has no child OGs.
22. Define a unique Group ID and accept the default Type.
23. Adjust Country, Locale and Time Zone settings based on your region.
24. Click Save. Refresh your browser to view the updated OG name.
2. From the Main Menu, navigate to Accounts > Users > List View > Add > Add User.
Create the user in the OG where you have a defined Group ID. Avoid creating the user in an OG
where there is no Group ID defined.
There is also an option to perform a batch import of user data. If you wished to leverage this
option, you could either perform a batch import or download the template for batch upload by
selecting the i button.
Notice that the Enrollment > Enrollment Organization Group is defined as your Company
OG. This means the user can enroll their device into any OG within your hierarchy, so long as
they know the Group ID. If you change this setting to point to a lower Group ID, this will
define into which OG(s) users are allowed to enroll.
For those using AirWatch Autodiscovery by with registered email domains, the Enrollment
Organization Group field can funnel devices into a specific OG.
4. Select Enrollment > User Role and note the built-in roles that are available. Leave the setting
as Full Access. This role defines access permission in the AirWatch Self Service Portal, where
users can manage their own devices. As an AirWatch Administrator, you can define what type
of access users will have within their role. Custom roles can also be created to meet complex
requirements.
5. Click Save and verify you receive the user activation email, which includes enrollment
instructions.
LEARN MORE!
For training purposes, a directory user or user group will not be imported. If you are interested in
learning more about directory services integration, view a recorded session, sign up for a live
webinar or refer to supporting documentation in the Resources section of the myAirWatch portal.
NOTE
The user is only visible at the OG where it was created/imported. This ensures AirWatch
Administrators who are defined at lower OGs cannot alter user records defined at parent OGs.
2. Navigate back up to Company OG and select the check box next to your user to access common
user functions.
NOTE
The Add Device button will associate a pending device record with the selected user; the pencil
will allow for editing user fields; the unlock button is used to unlock an account which has
failed to authenticate too many times.
3. Select More to review the menu options, which can be used to perform the following actions:
• Add and remove user to/from User Group
• Change Organization Group
• Temporarily Activate/Deactivate user
If you deactivate a user, they will not be able to enroll a device. Selecting Change
Organization Group allows you to move a Basic user to another OG you are able to manage.
You cannot delete a user if that user has a device enrolled. Should you wish to delete a user with
an enrolled device, you would first have to deactivate the user account, which unenrolls the
device. Once unenrolled, you may delete the account. Additional actions will be offered in the
dropdown menu for users with enrolled devices, including the ability to view associated devices
and verify their acceptance of any applicable Terms of Use policies.
4. Select the user to display the user record.
If you selected Override as Current Setting, authentication modes and device enrollment
methods could be modified here.
Regarding “Open Enrollment”: Users are able to enroll their devices, as long as they know their
user credentials. This includes directory-based users who have not been imported into
AirWatch. If you wish to limit enrollment to only import directory users and user groups, refer
to the Restrictions tab on this page for details. If Registered Devices Only is selected, then the
setting for token-based enrollment can be configured. There are also options to enforce
enrollment using the AirWatch Agent rather than the native browser for iOS and Mac OS X.
Managing Administrators
If required, settings for each permission can be toggled on or off for both read and edit
functions.
8. Click Save. Note that the role is listed for your Company OG.
6. Click Save.
NOTE
If saving the admin fails, ensure none of the checkboxes next the roles are selected, and the
password is at least six charters in length and is a mixture of letters and numbers.
Passwords cannot be changed within AirWatch for directory-based accounts. Work with your
directory administrator to manage passwords for these accounts.
Task 16: Logging in with a New Admin User and Test Role
Permissions
1. Select your username from the Header Menu.
Note that the AirWatch Administrator account, with which you are currently logged in, has an
AirWatch Administrator role at the Root OG.
3. Click Logout.
4. Log back in with the “new” AirWatch Administrator account you built.
The password is case sensitive.
5. Click Login.
6. Read and verify that you accept the AirWatch Terms of Use agreement.
7. Define a four-digit Security PIN.
8. Close the AirWatch Console Highlight page.
The Account Role now displays two options. These are based on the roles that you defined for
this AirWatch Administrator account.
10. Toggle to the other role and note the differences between the roles you defined. For example,
email access for managed devices (where email is being routed through an AirWatch-monitored
email solution) is not visible in the Main Menu when the Device Manager role is enabled. The
OG will also change based on assignment.
As an AirWatch Administrator, you have full control over the AirWatch Administrator accounts
you build in AirWatch or import from directory services, as well as for their role-based
permissions.
11. Click Logout, then log in again using the AirWatch Administrator account that was previously
assigned to you.
NOTE
You are logging in again with the AirWatch Administrator account that was previously assigned
to you. This is because it has access to your Root OG with full role-based access.
Enrolling Devices
Enrollment cannot be completed using your email address, since the email domain was not
registered with AirWatch Autodiscovery in the training environment.
2. Enter the Server, which is the URL of the AirWatch Admin Console, and the Group ID, which
you defined for business unit under your geographic region, such as Sales or ITops.
NOTE
View the Group ID by placing your cursor over the OG hierarchy to display the OG name and
Group ID. This feature may not be supported for all browsers.
3. Click Next to proceed with the enrollment process.
4. Input the user credentials you defined for the user.
NOTE
If the user will not authenticate, navigate to the user within the AirWatch Admin Console and
change the password before trying again. Verify that the user is at an OG at the same level as
the Group ID you defined or higher. In a previous lab, you were instructed to add the user at the
Company OG. The user will be unable to be authenticated if it is in the OG below the Group ID
that you defined. Verify the Enrollment OG is set as the Company OG so that the user can
enroll into any OG within your hierarchy. If failure still occurs, exit and close the AirWatch
Agent and restart the enrollment process. You should still verify that the Group ID supplied
here is one that you defined.
7. Depending on the platform, you should install, activate, and accept all prompts. Click Done to
complete the enrollment.
• iOS requires the user to install an Enrollment Profile and accept Remote Management.
• Some Android platforms require the user to allow AirWatch as a Device Administrator and
to install and activate additional Manufacturer Service Applications.
8. Accept any prompts to install any other AirWatch applications for subsequent lab activities.
NOTE
Agent app can be downloaded from Windows store as well by searching “AirWatch Agent”
in the Store.
3. Download and Install the AirWatch Agent app
4. Launch the Agent and Click the Server Details method
NOTE
You defined the User Credentials in the lab. If you cannot remember the password, you can edit
the user to change it. The password is case-sensitive.
7. Click Next
8. Accept the Terms of Use
9. Click Done
NOTE
Only use the Windows 10 VM when explicitly directed to do so in the manual.
NOTE
If your device does not appear, verify you are at the Company OG. If the device is still does not
appear, refer to the previous steps to unenroll and reenroll the device. Ensure the correct Server
and Group ID have been entered.
NOTE
If Select Devices or Users was selected, the Smart Group could be assigned to specific users
and/or devices for a very granular deployment.
6. Expand and review the criteria options shown on the left side. Filtering may be configured with
specs for minimum OS, device models, ownership, tags, organization groups and more.
7. Verify your device appears in the Devices in Smart Group window. If not, verify you are at the
Company OG and no filtered options are selected.
8. Click Save.
NOTE
Some options may require additional configuration, such as Allowing Removal, Device
Exclusions or enabling a Geofencing zone/Time Schedule. Options may be different across
If a payload option requires a minimum OS version, it is only available for select device types
and/or requires special configuration. The specific requirements appear on the right side of the
payload.
8. Click Save & Publish.
Your device appears in the Smart Group.
9. Click Publish to push the configuration to your device.
NOTE
If other devices were part of this Smart Group assignment, they would also receive the
configuration. If you Click Cancel, then you could add or remove Smart Groups to adjust you
deployment plan.
10. Go to your enrolled device and verify the camera has been removed. For supported Android
devices, the Camera icon may still appear, but the functionality will be disabled.
NOTE
If you made the profile removable in General settings, then the user would be able to remove
the profile from the device.
NOTE
You will need access to all the security information pertaining to the network in order to complete
this task.
1. At the Company OG, navigate to Devices > Profiles & Resources > Profiles > Add > Add
Profile.
2. Select the platform you have enrolled.
3. Define the following General properties:
• Name: TBD by Network
• Assigned Groups: All Devices (Company)
4. From the left sidebar, select the Wi-Fi payload, Click Configure.
5. Define the following:
• Service Set Identifier: TBD by Network
• Security Type: TBD by Network
6. Click Save & Publish and verify you device appears in the View Device Assignment window.
7. Click Publish to push the configuration to your device.
8. Go to your enrolled device and verify that Wi-Fi configuration is available for connection
without the password. If you are already connected to the same Wi-Fi network, the password
will be removed when the device is unenrolled.
NOTE
Upload the Help_Desk.jpg from the Academic Success Kit. For Android, perform similar
configurations, but ensure that Add to Home screen is enabled. This will push the bookmark to
your device’s home screen. If there is not room on the home screen of your device, then the
bookmark will not be installed.
7. Click Save & Publish and verify you device appears in the View Device Assignment window.
8. Click Publish to push the configuration to your device.
9. Go to your enrolled device and verify the web clip or bookmark was successfully pushed down
to the device.
10. Verify the web clip or bookmark displays https://my.air-watch.com.
NOTE
Any profile created should include a single individual payload. For example, a Wi-Fi and Email
configuration should not be paired together in the same profile, since removal of this profile
will remove both configurations from the device. If they are created as separate profiles, then
the Wi-Fi and Email configurations can be individually removed and troubleshot as needed.
2. Select the number under Installed and then Assigned to view the different options. You should
see your device listed with the option to remove or reinstall the profile. If zero is shown, this
means that the profile is not yet installed or has a pending status.
3. Review the options in the buttons to the right, such as editing, copying, and viewing the devices
which are being pushed the profile.
4. Click the down arrow to expand the menu and view the XML code for the profile, change your
Smart Group assignments, or delete the profile.
NOTE
During the time the device is either reporting its location to AirWatch or is within the defined
time schedule, access to the camera will remain disabled. Multiple factors, however, impact the
pulling of device location data. This can range from not allowing the device to share location to
the AirWatch Agent to the AirWatch Agent settings not being configured to pull location data
and more. Geofencing profile functionality is currently only supported for iOS and Android
devices; Time Scheduling is supported for most platforms.
NOTE
In this example we will block the Xbox application (.appx).
CAUTION
Failure to follow the steps as outlined will cause the VM to fail.
9. Check Configured under Package app Rules; Enforce rules option is default, if you want to
test the rules before applying them, then you could run them in Audit Mode first.
10. Click Apply
NOTE
All the package's information is pre-populated. You can block the Xbox app based on the
specific version, package name, or by the publisher. We want to block any version of the Xbox
application.
24. Raise the lever from Package version to Package name
NOTE
Now that you have exported the policy, we want to remove it from the test device (in this case
the Windows 10 VM).
34. Right-click AppLocker
35. Click Clear Policy
36. Click Yes to delete the policy
37. Click OK to acknowledge the removal of policy
38. Close the group policy editor window
39. RETURN TO THE AIRWATCH CONSOLE
40. Ensure you are at company OG
41. Click ADD button at the top right corner of the console
42. Select Profile > Windows > Windows Desktop
43. In general tab, Enter "Block Xbox" into the Name field
44. Select your "All Devices" smart group for the Assigned Groups or the smart group/OG your
device belongs to.
45. Select Application Control on the left-hand side panel
46. Click Configure
47. Check the Import Sample Device Configuration box
48. Click Upload
49. Click Browse and find the XML file created in the Downloads folder
NOTE
You should see the following error message:
NOTE
Using the Any setting, any rule that is violated within the list of rules that you create will
trigger a compliance action. If All is selected, all conditions within the list of defined rules must
be satisfied to trigger the compliance action.
5. Select the drop-down arrow next to the MDM Terms of Use Acceptance rule and review the
available options.
NOTE
Based on these settings, if a device reports a missing passcode, jailbroken or rooted status, or is
not encrypted, then the first rule will be trigged. Some data access may require the AirWatch
Agent, such as Compromised Status.
10. Accept the default for sending an email to the user as the first action. Note that someone can be
copied (CC) on the email and that the Default Template can be replaced with one that is created
by the AirWatch Administrator.
11. On the far right side, Click the + button to add another action. Click Send Push Notification to
Device.
NOTE
This action will be trigged simultaneously with the email generation. The AirWatch Agent must
be installed in order for push notifications to be received by the device.
12. Click Add Escalation and accept the default for 1 Day.
NOTE
This action will remove all applications managed by AirWatch and will not remove personal
applications from the device. Specific managed applications could also be removed by entering
the Application Identifier. The Application Identifier can be found for enrolled devices in the
application section of the Device Dashboard.
16. Click the + button to add another action. Change Notify to Email and change the action to
Block Email.
NOTE
If AirWatch is monitoring your email deployment, this compliance policy will tell the
integration to block email. The email profile itself, though, will not be removed from the device
configuration.
NOTE
An enterprise wipe will remove all AirWatch functionality provisioned to the device. It will not,
however, remove the AirWatch Agent, since you installed the AirWatch Agent prior to
enrollment. Other commands will be offered depending on the type of device selected. The Full
Wipe option is not offered; a Full Wipe can only be performed by an AirWatch Administrator.
The Compliance Engine is built to automate policy management, and it would be foolhardy to
entrust any automated system with the ability to wipe personal data without explicit
administrator permission. In some cases, you may not want to enterprise wipe a device as the
last action, and rather remove all the AirWatch functionality, so the device is still managed and
email the administrator to follow-up.
19. For Assignment, define the following:
• Managed By: Company OG
• Assigned Groups: All Devices @ Company
NOTE
Additional Smart Groups or Exclusions could be defined. Use View Device Assignment to view
impacted devices and accordingly adjust assigned Smart Groups.
20. Click Next to review the summary.
21. Under General, change the Name and Description to match the scope of the compliance policy.
22. Refer to the Device Summary to see how your device will be impacted by your compliance
rule.
NOTE
Since the compliance engine runs every 5 minutes against the database, the data shown may
take up to 5 minutes to update.
3. All devices enrolled at this OG and below will be shown. Review the device details, such as
security, ownership, last seen, platform and enrollment.
NOTE
Each option is hyperlinked to applicable devices, which are linked to the filtered view. If your
device is compromised, has no passcode and/or is not encrypted, the device will only show as
noncompliant if you have a compliance policy set to take action when any noncompliant status
is detected.
4. From the Main Menu, navigate to Devices > List View.
5. Toggle the Filters button to adjust which devices are shown.
8. Click the Radio Button next to the device to show bulk management options, including
querying the device to check in, sending a message, locking the device and more. These actions
can be executed on multiple devices at the same time by selecting all devices and then
performing the necessary actions.
The edit button, represented by a pencil underneath the radio button, next to the device allows
for editing device details.
10. Select the Friendly Name, such as jdoe iPad iOS 9.3.2 DNQR. The Device detail page
appears.
11. Select each tab and view the respective device details, such as a Summary, Compliance,
Profiles, Apps, and Content.
Some tabs will allow for both the removal and re-pushing of configurations and functionality,
such as profiles and applications.
NOTE
Multiple factors can impact whether the location appears in the console. Refer to the Profiles
section within the console, where a geofencing zone was defined, for more details.
13. Select the More tab for additional options, such as Network, Notes, Terms of Use acceptance,
Troubleshooting, Targeted Logging and attachments.
14. From the top right corner, review the device commands that can be performed.
15. Use Recent List to toggle back and forth to next device viewable at this OG.
NOTE
The push notification message will be sent to the device through the supported messaging
network (such as, APNs for iOS devices). If the AirWatch Agent is not configured to allow
notifications, then no message will be received.
19. Click More and review the options. The following options are available:
• Query the device to check in with updates to requested data.
• Clear the Device Passcode.
• Erase the device using an enterprise wipe (business data wipe) or full wipe (factory wipe).
• Find a missing device using a chime/tone.
• Sync the device to sync out of date profiles or apps that failed to install upon first push.
• Change the Organization Group to a different OG within your hierarchy.
• Tag to enable advanced filters within searches.
NOTE
The Full Wipe option may be hidden from your view since it is being restricted in the privacy
settings. If you decide to enable this function, then you are liable should you perform this action
on your device. Other options may additionally be available based on the platform.
NOTE
The AirWatch Hub is your central portal for fast access to critical information. Each option is
hyperlinked to respective devices, which are linked to the filtered view. Some actions may
allow for a message to be sent to filtered devices.
NOTE
Replace “#” with the number of your training environment
3. Log in using the same credentials (Group ID, Username and Password) used to enroll your
device into AirWatch.
NOTE
For Make Noise, the ringer will ring so long as the volume is not muted. In the AirWatch
Admin Console, this is referred to as “Find Device.” The sound can be halted by opening the
AirWatch Agent to disable it. When sending a message, choose to send out an email, as you can
verify receipt in your email inbox. SMS is an available option, provided that you have
5. Click Go to Details to see if your device is missing any required items, such as profiles,
applications, or content.
NOTE
S/MIME requires additional steps for full configuration. For Apps, there is an option to create a
unique token to access VMware Content Locker. This is an optional method for login, and is an
alternative to using your enrollment credentials for access.
7. Exit the Account window.
8. The Add Device option is used in the same capacity as in the AirWatch Admin Console, where
a pending device record could be created to send the user a token for enrollment.
9. Underneath My Devices, there is an option for My Content. This option is covered fully in the
Mobile Content Management training. This option is only available for customers who have
purchased the editing and collaboration module for content management.
10. Use the Logout button to exit the SSP.
Prerequisites
The Mobile Email Management (MEM) lab requires the core configurations you performed during
the completion of previous lab activities. Required configurations include setting up an OG
hierarchy with a defined Group ID, a sample user and an enrolled device.
91
4. Select Test Connection to verify communication between AirWatch and the MEM solution.
The settings can be exported, as an XML file, at the OG where the MEM solution is configured.
NOTE
Within the training environment, the AirWatch Secure Email Gateway is deployed at a higher
OG. Once a MEM solution is configured, no other MEM solution can be defined at a child OG.
For the purposes of this lab, an MEM solution will not be configured; it has already been
deployed at a higher OG to enable other lab exercises.
5. Select Save.
NOTE
student1@training.saas/student1 may be used an alternate if access is blocked for maintenance.
5. Configure the following fields to deploy the Native Mail Client to your device. Accept defaults,
if not defined.
• Mail Client: Native Mail Client
• Account Name: Corporate Exchange
• Exchange ActiveSync Host: <Instructor Provided>
• Password: AirWatch
NOTE
If you previously configured the user account with student1 @training.saas/student1, the
password is AirWatch.
• Past Days of Mail to Sync: 1 Month
NOTE
For Android, the default email configuration is for the AirWatch Mail Client (AirWatch Inbox).
If your device is not supported, configure the same settings for the AirWatch Mail Client,
though the AirWatch Inbox will require installation on the device to utilize the associated email
account.
6. Select Save & Publish. Based on your defined Smart Group, your device appears.
7. Select Publish to push the configuration to your device.
8. Open your device’s native Mail, Contacts and Calendar applications and verify they have
synced successfully. Sample content that should have seeded to the device includes one month
of sample email and selected individual contacts and events.
If the AirWatch Email Client profile was configured, be sure to install the AirWatch Inbox from
the appropriate app store. The AirWatch Inbox can also be required and pushed down to devices
as a managed application from the AirWatch Admin Console. To push the application, refer to
the Mobile Application Management module. Email passwords cannot be pushed within this
configuration; enter “student” when prompted for authentication.
NOTE
If the AirWatch Inbox profile was configured, be sure to install the AirWatch Inbox from the
appropriate app store. The AirWatch Inbox can also be required and pushed down to devices as
a managed application from the AirWatch Admin Console. To push the application, refer to the
Mobile Application Management module. Email passwords cannot be pushed within this
configuration; enter “student” when prompted for authentication. If you previously configured
the user account with s1@training.saas/student1, the password is student1.
5. Toggle the Mail Client to a different option and review the options. If necessary, exit the
creation of the profile and create another one, to view all supported mail client options.
NOTE
The Email Settings payload is used for configuring IMAP/POP3 accounts and does not use
ActiveSync.
LEARN MORE!
If you are interested in learning more about email compliance, view a recorded session, sign up for a
live webinar or refer to supporting documentation in the Resources section of the myAirWatch
portal.
4. Select the radio button next to your device, select Override, choose Blacklist, and enter the
provided code to blacklist the device.
6. Go back to the AirWatch Admin Console, select the radio button next to your device, select
Override, choose Default, and enter the code to set the device back into its default state.
7. On the device, attempt to sync mail and observe that the sync is restored and an email can be
sent.
8. Select the radio button next to your device and select Administration. The following options
are available:
• Enable/disable additional logging.
Requirements
The Mobile Content Management (MCM) lab requires the core configurations you performed
during the completion of previous lab activities. Required configurations include a custom OG
hierarchy with a defined Group ID, a test user and an enrolled device.
105
5. Review the Info options and associate the content with the Education / Associate.
6. Select the Details tab, and review the Author, Notes, Subject, and Keyword fields.
7. Select the Security tab, select Allow Open in Third Party Apps.
11. Change Download Type option from On Demand to Automatic, and then select Save.
NOTE
Content tied to corporate file servers can be viewed by selecting the Corporate File Servers
tab.
4. Scroll down and find the content you uploaded.
Change the view by selecting the filter option in the top right corner, next to the house and star
icons.
5. Review each column, including the version, expiration and installation/assignment status.
6. Select the install/assignment status hyperlink, to review options to install or delete the content
from VMware Content Locker.
NOTE
Like other settings, content that you have uploaded to the console includes a hyperlink to ease
access for management. Role-based access may prevent you from seeing this link for content
which you did not upload. As with applications, newly-updated content may have been
downloaded to a device and will not show an update on the dashboard until the device has
checked in with the console.
7. Select the radio button next to the piece of content and review the following options:
• View Devices: View which devices are associated with the content.
• Add Version: Update your uploaded content with a new version.
• Download: Download content to your computer for auditing purposes.
• Featured Content: Add content to Feature Content section in VMware Content Locker.
Selecting the pencil icon or the name of the document allows you to change settings.
6. Hover over the i button to review the option to lock a supervised iOS device into only showing
required content for onboarding purposes.
7. Select Enable and review additional configuration options.
8. Do not save the configuration.
3. Select Add.
5. Select Continue.
6. Accept the default options for Security and Assignment tabs.
All configuration tabs provide the same options for uploading content.
7. For the Deployment tab, verify Download Type is set to On Demand.
It is not recommended to set a content repository to automatically download all content, since
there could be a considerable amount of content loaded.
The content in the repository may be viewed by the AirWatch Administrator in Content > List
View > Corporate File Server tab so long as authentication credentials were defined during
the initial association with the content repository.
NOTE
If VMware Content Locker requires installation, open the World Wide Apps shortcut in the
AirWatch Catalog. Select the option to install the VMware Content Locker. A prompt to install
the application will appear, either in the middle of the screen or in the notification bar. For iOS,
select Install and, if prompted, enter your Apple ID credentials. For Android, the prompt will
take you into the AirWatch Agent. Once in the AirWatch Agent, select the VMware Content
Locker. This will take you to the Google Play store for installation.
Single sign-on access has been enabled to leverage the AirWatch Software Development Kit
(SDK), which has functionality coded directly into the application. As a result, the credentials
are not required since the AirWatch Agent is used to authenticate the session.
If a URL is presented upon login, verify the following details and select okay:
• URL: <Same URL as AirWatch Admin Console, such as mdm.server.com>
• Group ID: <Group ID you defined for enrollment during MDM lab>
If prompted for credentials, enter the following:
• User: <username you defined during MDM lab>
If you forgot the Group ID, username or password, you can refer to these settings within the
AirWatch Admin Console. If required, refer to the MDM lab exercise to locate and changes
these settings.
2. Accept any pop-up notifications and swipe through the tutorial screens and select Got it,
Thanks. to view the Repositories page.
6. Navigate back to Repositories, and select the Google Drive or OneDrive repository.
7. When prompted, enter your credentials, select Allow for Content Locker to connect to your
account and view your cloud content.
8. Navigate back to Repositories, and note the Download transfer status. Alerts and search are
available from the home screen.
4. Select the Content tab and view the content status for your device.
The date the content was viewed is available once the device syncs with the AirWatch Admin
Console. Additional content details may be viewed via the Content dashboard.
End