By Product Business Continuity Featured VMware Workspace ONE

3 Things You Need to Know About Workspace ONE Intelligent Hub & Employee Privacy

Privacy is one of the hottest topics in the tech world and a concern for most digital users. While digital tools aim to make our lives easier, how those digital tools use the information we share and the level of privacy and transparency have become one of the defining factors for adoption. 

This is no different in the workplace. Employees who access work tools and information on their personal or “BYO” devices have historically held a level of distrust with IT and have raised concerns over what IT departments can and cannot see and collect from their devices. 

When shopping for digital solutions, organizations must take into account their employee’s privacy experience to establish trust with users and ensure the adoption of investments. Over the years, our Workspace ONE product teams have carefully built privacy into the core of our platform, making it easy for IT and business teams to craft a great employee experience centered around privacy and transparency. Let’s take a look at three key things you need to know about the Workspace ONE platform and employee privacy. 

1. Encouraging mobile transparency: A built-in tool for employees

Employees need improved transparency, access, and choice when it comes to enrolling their mobile devices. With the release of Workspace ONE Privacy Guard, we give the end user a consistent privacy experience across the Workspace ONE secure productivity apps that shows employees exactly what IT departments are collecting from a smartphone and/or tablet in terms that are easy to understand.

When you initially open Intelligent Hub or any of our other Workspace ONE secure productivity apps, you will be presented with a privacy notice. The notice is broken into the following parts: 

  1. Device Management (only in Intelligent Hub). Gives an overview of the information collected from the device, helping employees understand what information the device administrators can and cannot see or collect. This gives employees clarity around things like text messages, photos, personal email, and more that are not collected by admins.  
  2. App Data Collected. Displays data collected by the application. This includes user, device and app information, diagnostics, and more.
  3. Device Permissions. Displays the operating system level requirements for the application to work properly. This includes items like calendar access, push notifications and more.
  4. Privacy Policy. Displays the organization’s privacy policy.

Mobile workers can check this privacy information at any given time within the app, typically within “Settings.” A privacy notification will also be shown any time a change is initiated that impacts an employee’s privacy. This includes changes in enrollment status or any changes made by IT in the console across both MDM policies and app container policies. 

[Related: Announcing New Workspace ONE Privacy Guard]

An in-depth look at the user privacy experience as part of Workspace ONE Privacy Guard–built into every Workspace ONE secure, productivity app. 

2. What information Workspace ONE Intelligent Hub can and cannot collect

One of the most common employee misconceptions we hear from customers is that Workspace ONE Intelligent Hub can collect personal information from their personal devices. This can include personal text messages, photos, applications, and more. The reality is that Intelligent Hub cannot collect metadata on any of these items. 

Privacy on OEM devices 

Apple has taken a much more aggressive approach to user privacy over the years with the latest iOS releases. This started with removing APIs to allow developers to collect the unique identifier associated with each iOS device in 2011. The iOS 9 release gave end users more granular control over location-based services. Per Apple: “An app can use your data only if you have given it your permission.”  

Android has also taken an aggressive approach to user privacy over the years. For employee-owned and corporate-owned personally enabled (COPE) devices, Android Enterprise by default separates the data into “work” and “personal,” meaning IT has no way of accessing personal data. This feature is baked in at the operating system level. As it states on their site, “Privacy comes first on Android. That’s why we created the work profile, so employees can work on their personal phones without sharing their personal stuff. Between work and personal profiles, every app stays separate — emails, calendars, docs, photos. The two versions never share data. And the IT team can never touch anything personal.” Google continues to show a commitment to privacy with each Android release. 

[Related: What’s New with Workspace ONE UEM for Android OS]

One of the most common privacy settings that employees are most concerned about is the ability to track the location of the mobile device. As a consumer, the ability to find a lost or misplaced device is revolutionary and, every once in a while, very useful. There are many different reasons why IT may need to track the device. The device could be used to help a field service technician or be used as a self-service resource that provides assistance to customers in a retail environment. In both instances, the location of the device may be very important to the enterprise. It may be important to wipe the device if it leaves the store or to provide location information if a service technician leaves it at a worksite. By default, Workspace ONE does not track GPS data.

Situations may change that might require the enablement of some privacy settings. If users notice one of these privacy pop-ups during the course of work, they should work with their IT department to understand why they are asking for the information. 

3. Introducing Workspace ONE Privacy Guard for Admins 

As part of Workspace ONE Privacy Guard, there’s an important administrative role: the “Privacy Officer.” The Privacy Officer role has access to view devices and system settings that affect users and has full editing rights around privacy. 

IT can assign an individual or small group the exclusive privilege to manage privacy settings across the Workspace ONE platform. This role is important, as it allows for an additional layer of segregation on the administrative side. Separating the privacy settings by policy within IT allows for better checks and balances and helps provide an additional layer of end-user protection.

Protecting privacy should be the focus of every mobile experience. After all, user adoption is key to any successful business mobility initiative, and earning user trust is the foundation of successful user adoption. That’s why the Workspace ONE digital workspace platform delivers what we call “privacy by design” through Workspace ONE Privacy Guard. 

Workspace ONE Privacy Guard has even more to offer than what is covered in this blog. To get those details, read the blog: Announcing New Workspace ONE Privacy Guard. To learn more about Workspace ONE and privacy, visit our privacy webpage. To see Privacy Guard from an admin perspective, watch this video.

Originally published February 20, 2020. Updated August 22, 2022.