[Deep Dive] The Latest VMware Workspace ONE Features

Feb 15, 2018
Hannah Jernigan


Hannah is a technical writer for the VMware End-User Computing technical marketing team.

Share This Post On

Today’s post covers the newest VMware Workspace ONE features based on the releases of VMware AirWatch 9.2.2 and 9.2.3 and VMware Identity Manager 3.1.

VMware Workspace ONE

Workspace ONE unifies Identity Manager access control and application management and AirWatch unified endpoint management (UEM) technology into a single platform. Available as a cloud service or for on-premises deployments, the Workspace ONE platform enables IT to deliver and manage any app on any device.

What’s New in Unified Endpoint Management

AirWatch unified endpoint management (UEM) technology powers the integrated Workspace ONE platform, empowering the digital workspace to meet business mobility needs. By unifying endpoint management into a single point of reference, the solution delivers a premium user experience that doesn’t compromise enterprise security.

New! macOS Management Features

[AirWatch 9.2.2] macOS Kernel Extension Policy Profiles

In macOS 10.13.2, Apple introduced User-Approved Kernel Extension Loading. This means that third-party kernel extensions (KEXTs) now require user approval before these can run on a system.

While an upgrade to macOS 10.13.2 whitelists current KEXTs, any new KEXTs require user approval. Adding user approval to the workflow could potentially disrupt the distribution of software that includes kernel extensions.

The Kernel Extension Policy profile, available in AirWatch 9.2.2, creates a way around user approval. You can whitelist allowed KEXTs by specifying the bundle ID or team ID in the profile.

[Related: macOS High Sierra User-Approved Kernel Extension Loading]

Configure a Kernel Extension Policy Profile

  1. Allow applications and installers that use kernel extensions to load on devices running macOS 10.13.2 and later.
  2. Navigate to Devices > Profiles & Resources > Profiles > Add > Apple macOS > Device Profile.
  3. Configure the profile General settings to determine how the profile deploys and who receives it.
  4. Select the Kernel Extension Policy payload and choose to Allow User Overrides, or configure the Extension Policy Settings:
    • Allow User Overrides: Select the check box to allow the User to approve additional kernel extensions not explicitly allowed by configuration profiles. If you select this option, the extension policy settings below provide a baseline of allowed team and bundle identifiers, but the user is allowed to add additional team identifiers to the allow list.Override User Approval for Extension Pkg
    • Extension Policy Settings: Pre-configure the Kernel Extensions allowed on the device.
      Setting Description
      Whitelist Team Identifiers List the team identifiers for which all validly signed kernel extensions are allowed to load.Click the Add button to create additional identifiers.
      Whitelist Kernel Extensions List the signed kernel extensions allowed to load on the machine, and provide a Team Identifier and a Bundle ID for each. When entering unsigned legacy kernel extensions, use an empty key as the team identifier. Click the Add button to create additional extensions.
  5. Click the Add button to create additional extensions.

[AirWatch 9.2.3] View Enrollment Status for User Approved MDM

The release of macOS High Sierra 10.13.2 introduces User Approved Mobile Device Management (MDM) enrollment. This enrollment flow requires the end-user to approve device enrollment before an administrator can manage its security-sensitive settings.

[Related: User Approved Kernel Extension Loading in macOS High Sierra]

In macOS 10.13.2 (High Sierra), the SecurityInfo response contains a ManagementStatus dictionary with two keys:

  • EnrolledViaDEP – TRUE if the device was DEP-enrolled
  • UserApprovedEnrollment – TRUE if the user approved the Enrollment. This means the device is fully capable of applying security-sensitive payloads such as Kernel Extensions.

View Enrollment Status for User Approved MDM

  • Devices > Device Details > Summary Tab > Security
  • Devices > Device Details > Security Tab

In the database, this saves as the EnrolledViaDEP flag and is viewable via the device info API.

New! iOS Management Features

[AirWatch 9.2.3] DEP Anchor Certificates

Anchor certificates enable the delivery of Root/Intermediate Certificates with the DEP profile. This allows the device to trust the MDM server certificate even if the chain is not in the iOS Trust Store.

Configure DEP Anchor Certificates

  1. Configure a new DEP profile.
  2. Under MDM Features, set the Anchor Certificate to Enabled.DEP-Anchor-Certs
  3. Upload a DER-encoded Root (and Intermediate) certificate to be used as the Anchor Certificate.
  4. Click Save.

[AirWatch 9.2.3] DEP API Enhancements

Supply a DEP profile ID and return all the serial numbers currently assigned to that profile using a new API. This API also returns the enrollment status displayed in the AirWatch console on the Lifecycle > Enrollment page.

Find the Feature

The new API is an HTTP GET to /dep/profiles/{profileUuid}/devices

New! Windows Management Features

[AirWatch 9.2.2] Prevent AirWatch Service Disablement

Prevent end users from changing the AirWatch service properties on their devices with a Windows Desktop Custom Settings Profile. For devices that already have local changes, the profile resets the device to the default values and locks those settings from further changes.

Push a Custom Settings profile with XML Code

  1. Navigate to Add > Profile > Windows > Desktop > Device Profile.
  2. Add General Profile Settings to determine how the profile deploys and who receives it.
  3. Select the Custom Settings payload and click Configure.
  4. From the Target dropdown menu, select AirWatch Protection Agent.
  5. Paste the following XML into the text box:
    <wap-provisioningdoc id="c14e8e45-792c-4ec3-88e1-be121d8c33dc" name="customprofile"> <characteristic type="com.airwatch.winrt.awservicelockdown" uuid="7957d046-7765-4422-9e39-6fd5eef38174"> <parm name="LockDownAwService" value="True"/> </characteristic> </wap-provisioningdoc>
  6. Select Save & Publish.
    Since the code is now custom, only devices running the latest version implement this custom code. Test the profile devices with older versions to verify expected behavior. You can work on a copy of your profile, saved under a “test” organization group, to avoid affecting other users before you are ready to Save and Publish.
  7. To remove the restriction from end users devices, push a separate profile using the following code:
    <wap-provisioningdoc id="c14e8e45-792c-4ec3-88e1-be121d8c33dc" name="customprofile"> <characteristic type="com.airwatch.winrt.awservicelockdown" uuid="7957d046-7765-4422-9e39-6fd5eef38174"> <parm name="LockDownAwService" value="False"/> </characteristic> </wap-provisioningdoc>

[AirWatch 9.2.3] PAN Global Protect VPN

Configure a Windows Desktop VPN profile with a Palo Alto Network Global Protect Connection Type.
This profile supports the Universal Windows Platform (UWP), as well as the Microsoft Store version of the Global Protect client.

Deploy PAN Global Protect VPN

Deploy the Global Protect client one of two ways:

  • Integrate with the Microsoft Store for Business. The store version has the Package Family Name (PFN)PaloAltoNetworks.GlobalProtect_rn9aeerfb38dg.
  • Deploy the profile and have the end user download the client. To deploy the VPN profile and have end users download the GlobalProtect client:
    1. Open the AirWatch console.
    2. Navigate to Add > Profile > Windows > Desktop > Device > VPN. Configure the required settings.
    3. Then, for the Connection Type, select GlobalProtect.

[AirWatch 9.2.3] Assume Management of User-Installed Apps

Gain administrative ownership of user-installed apps. Previously, when AirWatch detected apps as installed by user, it barred admins from uninstalling or managing them. Now, configure devices to allow management of these user-installed apps. However, this process does not work for BYOD devices.

Assume Management of User-Installed Apps

  1. Navigate to Apps & Books > Add Application.
  2. Follow the process to add an app.
  3. On the Add Assignment page, set Make App MDM Managed if User Installed to Enabled.Manage-User-Installed-Apps

New! Android Management Features

[AirWatch 9.2.2] Detailed Device Logging

Request AirWatch Agent or detailed system logs from corporate-owned Android devices using the command. Then, access the logs in the AirWatch console using the collected information to diagnose issues and detect malicious activity.

To mitigate privacy concerns, AirWatch pushes a privacy web clip to every enrolled device. The clip explains what AirWatch collects and why in an accessible, user-friendly language. To further protect end user privacy, AirWatch does not allow logging on employee-owned devices.

Use Detailed Device Logging

  1. In the AirWatch console, select Request Device Log
  2. After accessing the logs and reaching a resolution, navigate to: Devices > List View > Select device from list > More Actions. 
  3. Then, select Cancel Device Log from the dropdown menu.AirWatch Device Logs

[AirWatch 9.2.3] Cisco AnyConnect VPN

The Connection Type field of the VPN profile for Android now includes Cisco AnyConnect.

Find the Feature

  1. In the AirWatch console, navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android > Android for Work > VPN.
  2. From the Connection Type field, select Cisco AnyConnect and configure applicable settings.

New! Chrome OS Management Features

[AirWatch 9.2.2] Device Sync Scheduler for Chrome OS

Use a scheduler to retrieve newly enrolled Chrome OS devices, and automatically sync devices every 60 minutes. Previously, only a manually-initiated sync could connect new Chrome OS devices with AirWatch. Additionally, the manual sync is still available on the Chrome Configuration page.

View Last Chrome OS Sync

  1. In the AirWatch console, navigate to Groups & Settings > Admin > Scheduler.
  2. Locate the setting labeled Chrome OS Device Sync.
  3. View the Last Sync timestamp to see when the last AirWatch console sync occurred.

[AirWatch 9.2.3]Certificate-Based Wi-Fi for Chrome OS

Use the Network profile for Chrome OS to configure WPA/WPA2 certificate-based Wi-Fi.

Configure Certificate-Based Wi-Fi for Chrome OS

  1. In the AirWatch console, navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Chrome OS.
  2. Select the type of profile to configure:
    • Select Device to deploy settings to the device profile.
    • Select User to deploy settings to the user profile.
  3. Add General Profile Settings to determine how the profile deploys and who receives it.
  4. Select the Network payload and click Configure.
  5. Select Save & Publish.

Check out this highlight reel of the new features in AirWatch 9.2.3!

What’s New in App Access & Management

New! Workspace ONE App Features

[Identity Manager 3.1] SAML Authentication Support for iOS DEP

Stage iOS devices using DEP and switch device assignment to the authenticated user using Workspace ONE’s SAML authentication. Then, the authenticated user receives any assigned apps, profiles or resources on their device. Please note: this feature requires v3.2 of the Workspace ONE application.

[Identity Manager 3.1] Improved Searching in Workspace ONE Catalog

Search for keywords within the application’s description, name or category. Then, view the search terms highlighted in the results.

[Identity Manager 3.1] New People Search App

Deploy the VMware People Search app to employees to help them find important contacts and organizational charts.

Getting Started with the People Search App

First, enable People Search in the Identity Manager console. Then, download the People Search app from the Apple App Store.


People Search requires the OAuth2 template, which impacts customers using versions available prior to Identity Manager 3.1. For these customers, re-enable the people search attribute to generate the appropriate template.

Configure People Search in the Identity Manager Console
  1. Log into the Identity Manager console.
  2. Open the Catalog tab and navigate to Settings > People Search.
  3. Click Enable People Search.
  4. Click Next.
  5. Select the directory to configure for People Search.
  6. Review the attribute list and select which ones display in the app.
  7. Map the selected attributes to Active Directory and initiate the sync.
Enable People Search in the AirWatch Admin Console
  1. Configure the People Search Application Profile in the AirWatch console.
    • Branding configurations are applicable on the app log-in screens only.
    • Configure Custom Settings to set app behavior and defaults. For example: { "allowAddToContacts": true, "emailUsing": "Boxer", "openUrlUsing": “AWBrowser”, "policyAllowCrashReporting": true, "policyAllowMetrics": true, "tenantHost": "ps.hwslabs.com” }
  2. Assign People Search to End Users.

[Identity Manager 3.1] Categorize Applications as Recommended

Use the Recommended tag, a predefined category in the Workspace ONE catalog, to advise users which apps to use. End users can then access these recommendations using the Recommended filter in the Workspace ONE Catalog.

[AirWatch 9.2.2] Assignment Exclusions for Applications

Use application-level exclusions to exclude smart groups, user groups and organization groups from native application assignments in AirWatch 9.2.2. Exclusions apply to all native applications, except for those purchased using redemption codes or assigned via APIs.

Configure Exclusions for Application Assignments

To use the exclusions option for a flexible deployment:

  1. Open the AirWatch console and navigate to Apps & Books > Native > Internal or Public > Application > Assign > Exclusions.
  2. Use the Assignment Type filter to find unassigned devices.
  3. In the AirWatch console, navigate to Apps & Books > Native > Internal or Public > Application > Devices > Filters > Assignment Type > Excluded.

[AirWatch 9.2.2] Direct Enrollment for Workspace ONE

Strike the balance between usability and security with Workspace ONE Direct Enrollment. Direct enrollment seamlessly onboards corporate-owned, personally enabled (COPE) devices by:

  • Requiring MDM immediately upon logging into the Workspace ONE app
  • Providing an alternative to the device registration + adaptive management enrollment flow

Configure Workspace ONE Direct Enrollment

  • AirWatch 9.2 FP2
  • Identity Manager v3.2
  • Workspace ONE App V3.2 for iOS or Android
Enable Workspace ONE Direct Enrollment

By default, Workspace ONE Direct Enrollment is disabled. To enable:

  1. Open the AirWatch console and navigate to All Settings > Devices & Users > General > Enrollment.
  2. Then, configure the appropriate settings for each tab.
  3. To enable Direct Enrollment, select the Restrictions tab and configure the Management Requirements for Workspace ONE.

For more information, see the online help topic: Supported Enrollment Options in Workspace ONE.

I already have 10k devices enrolled via Agent. What now?

For existing devices, save some work and don’t fix something that isn’t broken:

  • Let previously enrolled devices continue to function as-is.
  • Push Workspace ONE as a managed app and let it serve as an App Catalog.

For new devices – “The grass IS greener on the other side!”

  • Every new device can start with Workspace ONE, whether their device falls into the MAM only bucket or MDM.
  • Enrolling with Workspace ONE as the starting point is a much better user experience
  • Simpler message to convey to ALL users
  • One less app to take up space on an end user’s device (where feasible).

[AirWatch 9.2.2] Skip Real-Time User Group Sync

During authentication, Workspace ONE makes a real-time call to the configured LDAP server, creating a device record. Since this call can impact performance, disable the real-time sync to maximize performance. This setting applies to both Workspace ONE managed and registered (MAM only) devices!

EXCEPTIONS: While disabling this setting benefits most customers, certain use cases require real-time sync for user groups. Therefore, enable the setting when leveraging user groups for user mapping or app/profile/policy assignment if:

  • Users do not exist in AirWatch at the time of enrollment.
  • Users exist in AirWatch at the time of enrollment, but user group assignments change frequently.

[AirWatch 9.2.2] Refresh Token Expiration UX Improvements

Help users understand the need to re-authenticate, and prevent accidental enterprise wipes with the improved user experience.

[AirWatch 9.2.3] VMware Tunnel UX Improvements

Auto-detect if the VMware Tunnel App is a dependency, and prompt end users to complete the necessary steps to ensure connectivity.

[AirWatch 9.2.3] Bookmarks & Catalog UX Improvements

Add recommended apps to the Bookmarks view in the Workspace ONE Catalog, and configure the show/hide setting to prevent end users from landing on a blank tab.

Automatically Add Recommended Apps to Bookmarks

  1. Open the Identity Manager console.
  2. Navigate to Catalog > Settings > User Portal Configurations.
  3. Enable the feature by selecting the setting Show recommended apps in Bookmarks tab.

Hide Bookmarks or Catalog Tab

  1. Open the Identity Manager console.
  2. Navigate to Catalog > Settings > User Portal Configurations.
  3. Enable the feature by selecting the setting Hide Catalog tab or Hide Bookmarks tab.

New! Conditional Access & Unified Catalog Features

[Identity Manager 3.1] Improved Manageability for Horizon and Citrix Application Integration

Virtual Apps Collection is a new feature that improves manageability of your Horizon and Citrix integrations. Benefits include:

  • Resources sync across multiple connectors instead of relying on a single connector.
  • Automatic failover to a secondary connector for synchronization if the primary connector is down.
  • Resources sync present on multiple domains without a trust relationship.
  • Migration wizard for current Horizon & Citrix resources sync. Post-migration to Virtual Apps Collection for Citrix resources and configure the SSO Integration Broker with HTTPS before editing the XenApp profile.

In the Identity Manager console, navigate to Catalog > Virtual Apps Collection.

Start Using Virtual Apps Collection

To start using Virtual Apps Collection, upgrade connector and service to version 3.1.

  1. In the Identity Manager console, navigate to Catalog > Virtual Apps Collection > Add Virtual Apps.
  2. Click Getting Started.
  3. Use the migration wizard to migrate all the resources at the same time. Select the connector worker used for each resource type in the legacy installation.
    Keep in mind:

    • Once the Migration wizard runs, it is no longer available.
    • Only previously configured resources display in the dropdown list. Since the wizard is designed for one-time use, make a selection for all the existing configurations.
    • If multiple connectors were set up for high availability, select the connector with an automatic sync schedule set.
  4. Post-migration, the Manage Desktop Applications menu on the Catalog tab disappears from view. Instead, integrations get managed from the Virtual Apps Collection page.

[Identity Manager 3.1] Citrix XenApp App & Desktop Visibility

Include visibility restrictions while syncing entitlements from Citrix into Identity Manager. These restrictions determine which applications or desktops within a Delivery Group are accessible through Workspace ONE. For apps, this is done through a published app’s limit visibility page and Application Groups. For desktops, it is done on Desktops page under Delivery Group.

New! Enterprise Connector Features

[Identity Manager 3.1] Connector sync performance improvements

To improve performance, when Active Directory groups are added to Identity Manager, their members are not immediately added to the Identity Manager. When resources are entitled to a group, their members are added to Identity Manager.

New! Identity Manager Service Features

[Identity Manager 3.1] Improved Flexibility in Deploying Certificate Authentication in the DMZ.

Certificate authentication is no longer defaulted to port 443 in the Identity Manager installers. Default is now port 7443, with the ability to install an additional SSL cert for use with certificate authentication. There’s also the ability to customize certificate authentication port. This allows for the use of load balancers, which inspect or terminate SSL.

What’s New in Workspace ONE Intelligence

Using a cloud-based service to gather data and deliver analytics, custom reporting with VMware Workspace ONE Intelligence streamlines access to your AirWatch deployment’s critical data.

New! Custom Reports Features

[AirWatch 9.2.2] Custom Reports Dashboard

Use the Custom Reports dashboard, available in AirWatch 9.2.2, to visually identify and analyze business critical data.

[Related: EUC Analytics: Custom Reports in VMware AirWatch]

Use the Custom Reports Dashboard


View a comprehensive list of requirements in the blog post: EUC Analytics: Custom Reports in VMware AirWatch.

  • AirWatch 9.2+: Supported for Software-as-a-Service (SaaS), dedicated SaaS and on-premises environments. SaaS Customers (Shared or Dedicated): contact support or your SAM to find out if your environment has Custom Reports currently set up. On-Premise Customers: download and install the Workspace ONE Intelligence Cloud Connector
  • AirWatch Tenant: Customer type only
Find the Feature

In the AirWatch console, navigate to Hub > Reports & Analytics > Custom Reports > List View Page.

[AirWatch 9.2.2] Customizable Report Widgets

Edit or copy an existing widget, as well as define widgets from scratch for:

  • Apps
  • Devices
  • OS Updates

Co-Authors & Reviewers

Josue Negron, senior technical marketing manager for VMware EUC mobile marketing, contributed Windows 10 content.

Justin Grimsley, product marketing manager for VMware EUC mobile marketing, reviewed Windows 10 content.

Karim Chelouati, senior technical marketing manager for VMware EUC mobile marketing, contributed Chrome OS and Android content.

Kristen Foss, product marketing manager for VMware EUC mobile marketing, reviewed Chrome OS and Android content.

Bhavesh Kumar, product manager for VMware EUC mobile product management, reviewed Chrome OS and Android content.

Dan Quintas, product director for VMware EUC mobile product management, reviewed Chrome OS and Android content.

Robert Terakedis, senior technical marketing manager for VMware EUC mobile marketing, contributed iOS and macOS content.


468 ad