VMware Workspace ONE Community
Heath_MIS
Contributor

Workspace ONE UEM iPhone Enrollment options

We are evaluating Workspace One UEM for mobile devices and I am unclear about a few things.

First of all, our setup. Half are company owned iPhones and the rest are employee owned.

Our phones connect to an on-prem Exchange server using the native iOS mail app.

On other products, they have container apps dedicated for email and this is for company owned or BYOD. It seems like for Workspace One, the separation of work and personal is only for BYOD (separate volume on phone). Company owned can have restrictions on emails but not data separation because, I assume, the whole phone is for business. Is that correct? FYI...the only work being done on our phones is email and voice. Users can use the phone as they like besides that.

As for BYOD...how is that set up exactly? Sounds like you need to create accounts in Apple Business Manager for each user and enroll the device in a specific way. Then you can install managed apps with the Managed Apple ID created for each user in ABM. How can we tell that the native mail app is storing business data in a separate volume when the app itself isn't managed?

Also...I went through the process of creating a profile and adding a device using the Intelligent Hub, but what is the exact process for employee owned iPhones? I tried creating a user in Workspace One, a user in Apple Business Manager and logging into the iPhone using that Apple ID in the Settings -> Management section of the iPhone, but the login account wasn't recognized. Must be missing something.

ogushia
Hot Shot

Hi,
I think the Boxer app meets your requirements.
You can configure some DLP settings for Boxer (restrict copy and paste, restrict documents to open only in approved apps, etc.).
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/Boxer_Admin_Guide/GUID-BoxerIntroductio...

Afshin_Lak
Enthusiast

https://support.apple.com/en-gb/guide/apple-business-manager/axm6a88f692e/web

Step 3: Add your devices to Apple Business Manager

Devices purchased with your Apple Customer Number or Reseller Number appear automatically in Apple Business Manager. You can also manually add devices you own, using Apple Configurator. See Add devices from Apple Configurator.

nachogonzalez
Commander

Hi, how are you?

Answering your questions:

On other products, they have container apps dedicated for email and this is for company owned or BYOD.
It seems like for Workspace One, the separation of work and personal is only for BYOD (separate volume on phone). Company owned can have restrictions on emails but not data separation because, I assume, the whole phone is for business. Is that correct? FYI...the only work being done on our phones is email and voice. Users can use the phone as they like besides that.

Containers are only available on Android. In iOS you have a concept called managed apps; there is no separation of environments, and you can have your personal apps alongside the work apps. When you configure the restrictions, there are some settings that allow users not to move data and so on.
You can apply restrictions on BYOD iOS devices (for example, not allowing users to back up Managed App data into iCloud, blocking AirDrop, etc.) but the amount of restrictions you can enforce is way more if you have Corporate Owned devices.

As for BYOD...how is that set up exactly? Sounds like you need to create accounts in Apple Business Manager for each user and enroll the device in a specific way. Then you can install managed apps with the Managed Apple ID created for each user in ABM. How can we tell that the native mail app is storing business data in a separate volume when the app itself isn't managed?

ABM will only apply for Corporate Owned Devices. For BYOD devices, at the moment of enrolling the device, the user (or the person who is enrolling) should choose personal device.

Additionally, what I would do in this case is:
1. Create assignment groups both for BYOD and Corporate devices and one for all iOS devices.
2. When you assign an app to a BYOD, use the assignment group.
3. Create profiles such as passcode, restrictions, etc. for the BYOD that consider the privacy and restrictions required for a personal device.

Hope that works.


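The managed-app restrictions mentioned in the last reply map to keys in Apple's Restrictions payload (`com.apple.applicationaccess`). As an added example (not from the thread or from VMware), this script audits a configuration profile for the keys that keep managed-app data out of personal apps, iCloud and AirDrop; the sample profiles and their identifiers are constructed placeholders.

```python
import plistlib

# Keys from Apple's Restrictions payload that stop managed-app data moving to
# personal apps or services, paired with the protective value for each.
REQUIRED = {
    "allowOpenFromManagedToUnmanaged": False,  # managed docs stay in managed apps
    "allowOpenFromUnmanagedToManaged": False,  # personal docs stay out of managed apps
    "allowManagedAppsCloudSync": False,        # no iCloud sync of managed app data
    "forceAirDropUnmanaged": True,             # AirDrop treated as unmanaged destination
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"

def audit_profile(profile_bytes):
    """Return {key: reason} for each data-separation key that is missing or weak."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS_TYPE]
    findings = {}
    for key, wanted in REQUIRED.items():
        values = [p[key] for p in payloads if key in p]
        if not values:
            findings[key] = "not set (iOS default applies)"
        elif wanted not in values:
            # Assumption: with several payloads, the most restrictive value wins.
            findings[key] = f"set to {values[0]}, expected {wanted}"
    return findings

def make_sample(restrictions):
    """Build a constructed sample profile; identifiers and UUIDs are placeholders."""
    payload = {"PayloadType": RESTRICTIONS_TYPE,
               "PayloadIdentifier": "example.byod.restrictions",
               "PayloadUUID": "00000000-0000-0000-0000-000000000001",
               "PayloadVersion": 1, **restrictions}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadIdentifier": "example.byod",
                           "PayloadUUID": "00000000-0000-0000-0000-000000000000",
                           "PayloadVersion": 1,
                           "PayloadContent": [payload]})

# Constructed inputs: one profile with gaps, one with every key set.
WEAK_BYOD = make_sample({"allowOpenFromManagedToUnmanaged": False,
                         "allowManagedAppsCloudSync": True})
STRICT_BYOD = make_sample(dict(REQUIRED))

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_BYOD), ("strict", STRICT_BYOD)):
        print(name, audit_profile(blob) or "all data-separation keys set")
```

The script expects an unsigned plist profile; a signed `.mobileconfig` has to be unwrapped before it can be parsed this way.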