In a recent article, we discussed the use cases related to shift-based frontline employees, as well as the solutions provided by Workspace ONE Web for these use cases. These include integrating SSO with check-in/check-out for shared devices, accessing internal web applications, and integrating authentication. We also talked about our plans for shift-based access control. Today, we will discuss frontline use cases around kiosks and limited web browsing.
Following are the different flavors of these use cases that we see in the field:
- Limited browsing – Organizations often want to limit the browsing activity to only certain URLs or web applications on frontline devices, as most of the frontline devices are limited-purpose devices. For example, the devices used by delivery drivers may need to provide access to only selected web applications.
- Locked-down Kiosk Mode – Some frontline jobs require the workers to be focussed only on certain tasks, and any kind of intended or unintended distraction needs to be removed. For such scenarios, organizations want to provide a customized locked-down experience on these devices to improve employee focus and productivity, and to prevent unauthorized actions. The point of sale devices used by retail store associates have a similar use case.
- Browsing with locked-down experience for only specific URLs – Some frontline use cases require workers to have web browsing through the device with a locked-down experience for only a certain set of URLs (which may be work-related or sensitive), so organizations do require this flexibility as well.
Following are the solutions provided by Workspace ONE Web browser for the above mentioned use cases.
Limited browsing support
Workspace ONE Web provides configurations to allow or deny a specific set of URL domains or URL domain patterns. These configurations can be used to restrict and secure the browsing experience provided through the Workspace ONE Web browser on frontline devices.
You can configure this through the Web configuration settings interface, by navigating to Groups and Settings –> All Settings –> Apps –> Workspace ONE Web on the Workspace ONE UEM admin console, as shown below.
Admins can use * as a wildcard to provide a URL domain pattern to allow or block in Workspace ONE Web. For example, in the above screenshot, the admin has allowed only the URL domains ending with either vmware.com or salesforce.com. All other domains are denied. You can find more details in the Configuring Workspace ONE Web admin guide.
The end user will see the following screen when trying to access a denied URL:
Admins can configure a locked-down browsing experience on the devices in two different ways.
One of the ways is by configuring Workspace ONE Web in single tab Kiosk Mode to provide a locked-down browsing experience. In single tab Kiosk Mode, Workspace ONE Web opens only pre-configured URL(s) and the end user cannot edit the URL bar or access the application menu, and thus cannot visit any other URLs apart from the admin-configured ones. You can also choose to hide URL address bar and/or bottom bar (navigation controls and home button) in this mode using admin configurations.
You can configure this in the Workspace ONE UEM console by navigating to Groups and Settings –> All Settings –> Apps –> Workspace ONE Web.
To lock the browsing experience to a single URL, you can provide the URL in the ‘Home Page URL’ field after selecting single tab Kiosk Mode (Kiosk Mode enabled, Multiple Tabs Support disabled). With this configuration, when the end user launches Workspace ONE Web, this URL will be loaded by default with no way for the user to browse any other URL (as shown below).
To lock the browsing experience to multiple URLs, instead of setting the ‘Home Page URL,’ you need to leave that field empty and configure all the URLs as managed bookmarks. In absence of the home page URL, Web shows a page with all the managed bookmarks. Users can tap on any of the bookmarks to visit that URL and tap back on the home icon to return to the bookmarks.
Another way to configure a locked down experience is using webclips and Workspace ONE Web’s full screen mode. For this, the webclips need to be configured to use awbf:// and awbfs:// as the URL prefix, which makes them open in full screen mode in Web. You can choose to provide a more secure and restricted experience for your end users when using webclips in full screen mode by not allowing the user to exit the full screen. Do this by setting the configuration key ‘EnableForcedFullScreenWithAwbfs’ to ‘true.’ In addition, you can configure the allowed list of URLs in Web to be just the webclip URLs, which will prevent the users from accessing any other URL in Web.
Browsing support with locked-down experience for only specific URLs
You can use webclips the same way as in the previous use case to provide locked down browsing experience for the webclip URLs. In addition, if you need to allow the users to browse the internet or allow access to another set of URLs (apart from the webclip URLs), you need to add all those URLs to the Web allowed list of URLs in addition to the webclip URLs.
Here is the end user experience of accessing locked down web applications through configured webclips:
Here is the end user experience for full browsing:
It is important to re-iterate that the nature of job for frontline workers is very different from office workers. When it comes to web browsing, they have unique set of use-cases and requirements. It is critical for the web browser used on the frontline devices to have very special set of capabilities to cater to the frontline use-cases so that there is no compromise on frontline worker productivity, experience, and security.
Workspace ONE Unified Endpoint Management (UEM) platform provides a leading industry solution to support complex mission-critical frontline device deployments at scale. And Workspace ONE Web provides specialized features and capabilities to serve the web browser related use-cases of frontline devices.