000AirWatch BYOD Guide v8 - 0 PDF

AirWatch Bring Your Own Device (BYOD)
Guide
Supporting Bring Your Own Device deployments
AirWatch v8.0
2015 VMware, Inc. All rights reserved.

This document, as well as the software described in it, is furnished under license. The information in this manual may only be used in accordance with the terms of the license. This
document should not be reproduced, stored or transmitted in any form, except as permitted by the license or by the express permission of AirWatch, LLC.
All other marks and names mentioned herein may be trademarks or trade names of their respective companies.
AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

Copyright 2015 VMware, Inc. All rights reserved. Proprietary & Confidential.
Table of Contents
Disclaimer
Introduction to BYOD
Overview
In This Guide
Before You Begin
Overview
In This Section
Supported Platforms
Recommended Reading
Getting Started
BYODPrivacy Settings
Overview
In This Section
Configuring Privacy Settings
Privacy Best Practices
12
Terms of Use
15
Overview
15
Creating your Terms of Use
15
Disseminating the Terms of Use
15
In This Section
16
Configuring Terms of Use
16
BYOD Enrollment
19
Overview
19
Enrollment Considerations
19
In This Section
19
Workspace vs. Agent-based Enrollment
19
Configuring Device Ownership
20
Configuring Enrollment Restrictions
21
BYODDevices (Using the Workspace)
24
Overview
24
In This Section
24
Automatic Features
24
Configurable Features
26
BYOD Devices (Using the Agent)

Overview
28
28
Page 2
In This Section
28
Creating Restrictions for BYOD
28
Defining Compliance Policies for BYOD
29
Managing Access to Corporate Resources
29
Reclaiming Corporate Data upon Employee Departure
31
Self-Service Portal (SSP) Permissions
33
Overview
33
In This Section
33
Performing Remote Actions
33
Viewing Tabs
34
Defining User Roles
34
Finding Additional Documentation
36

Page 3
Disclaimer
Disclaimer
While AirWatch strives to provide some level of direction for customers in terms of initially implementing a Bring Your
Own Device (BYOD) program, it is up to your organizations legal, human resources and management teams to create a
device management program that is right for your organization. The scenarios and issues in this document are provided
as examples and are not meant to act as official guidance or recommendations regarding device management or liability.
References in this document to any specific service provider, manufacturer, company, product, service, setting, or
software do not constitute an endorsement or recommendation by AirWatch. Under no circumstances shall AirWatch be
liable to you or any other person for any damages, including without limitation, any direct, indirect, incidental, special or
consequential damages, expenses, costs, profits, lost savings or earnings, lost or corrupted data or other liability arising
out of or related in any way to information, guidance or suggestions provided in this document.

Page 4
Overview
Your organization can use AirWatch to secure employee-owned devices that have access to corporate resources as part
of a Bring Your Own Device (BYOD) program. While BYOD programs offer benefits such as maximized employee
productivity, reduced overhead costs, management flexibility and a simplified ITinfrastructure, they also pose
challenges. For example, you will need to balance the need for maximum security against an end user's privacy
expectations. You also must ensure end users completely understand your MDM Terms of Use agreement and what data
you will and won't collect. AirWatch MDMprovides your organization's employees the privacy they need while
maintaining the level of protection your corporate assets require. By asking employees to bring their own device and
enabling those devices with corporate content, your organization gains the following valuable resources:
l
Management flexibility Eliminate the need to select and manage a provider and plan.
Higher level of confidence Allow employees to use one device for both business and personal purposes.
Maximized employee performance Allow employees to work with the device with which they are most
comfortable.
Cost savings Reduce overhead costs in managing a corporate plan.
Simplified ITinfrastructure Reduce the strain on IThelp desks to support additional devices.
In This Guide
l
Before You Begin This section covers topics and prerequisites you should familiarize yourself with so you can get
the most out of using this guide.
BYODPrivacy Settings Privacy is one of the biggest concerns for both administrators and end users when it comes
to implementing a BYOD program. This section outlines how to configure the types of data AirWatch collects and
displays.
Terms of Use Ensuring end users understand the extent of your BYODprogram is important, and this section
outlines creating and enforcing your own BYODterms of use agreements.
BYODEnrollment BYODdevices can be enrolled multiple ways, which can have an affect on how they're managed.
This section covers how to enroll BYODdevices.
BYODDevices (Using the Workspace) If your BYODusers will be using only the AirWatch Workspace application,
then how you manage them will differ from if they were to also use the AirWatch Agent. This section explains what is
supported within the AirWatch Workspace.
BYODDevices (Using the Agent) If your BYODusers will be downloading the AirWatch Agent onto their devices you
will have more management capabilities you can perform. This section outlines some of the more important
considerations.

Page 5
Self-Service Portal Permissions The Self-Service Portal (SSP) empowers BYODusers to troubleshoot their own issues
and take matters into their own hands. Configuring SSPsettings lets you define roles and decide what actions users
can perform.

Page 6
Before You Begin
Before You Begin

Overview
This section covers topics and prerequisites you should familiarize yourself with so you can get the most out of using this
guide.
In This Section
l
Supported Platforms See a list of supported devices that can be enrolled into BYODwith AirWatch.
Recommended Reading See a list of guides you can reference to better your understanding of how to manage
BYODwith AirWatch.
Getting Started See additional considerations you should know before you begin.
Supported Platforms
AirWatch supports the following platforms as part of a BYODprogram:
l
Android versions 2.3+
Windows Mobile 5/6 and Windows CE 4/5/6
BlackBerry versions 5+
Windows Phone 7 and 7.5 Mango
BlackBerry 10
Windows Phone 8
iOS versions 4.0+
Windows 8/8.1/RT
Mac OS X 10.7+
Win32
Symbian OS ^3 and S60
However, at this time the AirWatch Workspace application is only available for Android Gingerbread 2.3+ and iOS 5.0+.
Recommended Reading
l
Mobile Device Management Guide Provides a general overview of the AirWatch solution.
AirWatch Workspace Guide Explains how to set up and use the AirWatch Workspace application.
Mobile Application Management Guide Gives details about how to deploy applications to your device fleet,
including employee-owned devices.
Mobile Content Management Guide Tells you how to add and deploy content to end users.

Page 7
Before You Begin
Getting Started
Before reading this guide it is beneficial if you are aware of the AirWatch Workspace and its capabilities. AirWatch
Workspace enables you to provide specific corporate resources to segments of BYODusers. For example, some users
may only want access to corporate email, while others may only require access to a single enterprise app. With AirWatch
Workspace, your BYOD users can enroll in AirWatch and securely access containerized business applications and
resources without receiving the same AirWatch MDMprofile corporate-owned devices receive. AirWatch Workspace
addresses privacy concerns users have about MDM by only giving administrators the ability to control managed
enterprise apps instead of the entire device. See the BYODEnrollment section for more information about the differences
between Workspace-based and Agent-based enrollment.
Note:For more information about configuring the AirWatch Workspace, refer to the AirWatch Workspace Guide,
available via AirWatch Resources.

Page 8
Overview
One of the biggest concerns for many BYOD end users is the privacy of the personal content on their devices. Your
organization must be able to assure employees their personal data cannot be threatened by any management actions
and is not subject to corporate oversight. With AirWatch MDM,you can help ensure the privacy of personal data by
creating privacy policies that do not collect personal data and customizing them based on device ownership type. In
addition, you can define granular privacy settings to disable the collection of the personally identifiable information and
disallow certain remote actions for employee-owned devices to ensure employee privacy.
Note:Certain jurisdictions and countries have their own rules, laws, and regulations of what can be collected from
end users. These should be thoroughly researched before configuring your BYOD privacy policies.
In This Section
l
Configuring Privacy Settings Covers the various privacy options available in the AirWatch Admin Console.
Configuring Privacy Settings

Configure Privacy Settings to define how device and user information are handled in the AirWatch Admin Console. This is
particularly useful in bring your own device (BYOD) deployments.
The AirWatch Admin Console enables you to:
l
Review and adjust privacy policies according to device ownership, which lets you easily adhere to data privacy laws in
other countries or legally-defined restrictions.
Ensure certain IT checks and balances are in place, preventing overload of servers and systems.
See Privacy Best Practices for tips about configuring data collection for GPS, Telecom and application usage.
To set up privacy settings:
1. Navigate to Devices Device Settings Devices & Users General Privacy.
2. Select one of the following options for the various settings for GPS, Telecom and Applications:
Collect and Display Collect user data and display it in the AirWatch Admin Console.
Collect Do Not Display Collect user data for use in reports but do not display it in the AirWatch Admin
Console.
Do Not Collect Do not collect user data.

Page 9
1. For more information on privacy within AirWatch, see recommended best practices.
2. Select the Commands that can be performed on devices.
Consider disabling all remote commands for employee-owned devices especially full wipe. This prevents
inadvertent deletion or wiping of an end user's personal content.
If you are going to allow remote control, file manager, or registry manager access for Android/Windows Mobile
devices, you should consider using the Allow With User Permission option. This requires the end user to consent to
admin access on their device via message prompt before the action is performed. If you opt to allow use of any
commands, explicitly mention these in your Terms of Use agreement.

Page 10
3. Select the Commands that can be performed on devices.

Consider disabling all remote commands for employee-owned devices especially full wipe. This prevents
inadvertent deletion or wiping of an end user's personal content.
Note for iOSdevices:If you disable full wipe as a command for select ownership types, then users who enroll
under that ownership type will not see the "Erase all content and settings"permission displayed during
MDMprofile installation when enrolling with the AirWatch Agent.
If you are going to allow remote control, file manager, or registry manager access for Android/Windows Mobile
devices, you should consider using the Allow With User Permission option. This requires the end user to consent to
admin access on their device via message prompt before the action is performed. If you opt to allow use of any
commands, explicitly mention these in your Terms of Use agreement.
4. For User Information, select whether to Display or Do Not Display in the AirWatch Admin Console information for
First Name, Last Name, Phone Number, and Email Accounts.

Page 11
If a field is set to Do Not Display, then it displays as "Private" wherever it appears in the AirWatch Admin Console.
This means you are not be able to search for fields you set to Do Not Display.
Note: If desired, you can encrypt personally identifiable information, including first name, last name, email
address and telephone number. Navigate to Groups &Settings All Settings System Security Data
Security from the Global or Customer-level Organization Group you want to configure encryption for. Enabling
encryption, selecting which user data fields to encrypt, and clicking Save encrypts user data. Doing so limits some
features in the AirWatch Admin Console, such as search, sort and filter.
5. Click Save when finished.
For more information about leveraging bring your own device, please see the .AirWatch BYOD Guide document,
available via AirWatch Resources.
Privacy Best Practices

AirWatch recommends a few simple best practices for managing Privacy Settings. Note, however, that every deployment
is different and you should consult with your own legal, human resource and management teams to tailor these settings
to best suit your organization.
GPS Coordinates
In general, it is not appropriate to collect GPS data for employee-owned devices. The following notes apply to corporateowned devices:
l
GPS Data Information collected includes location data and a time-stamp indicating when this information was sent
to AirWatch.
o
For iOS devices, GPS data is reported automatically by opening any AirWatch application or internal applications
with an AirWatch software development kit (SDK) set to capture GPS data.
When this happens, AirWatch defines a 1 kilometer region around this location and reports location information
whenever the device moves outside this 1 kilometer region or whenever the user opens an AirWatch or internal

Page 12
application. No new GPS data is reported unless one of these actions occurs.
o
Location Services must be enabled on the iOS device. AirWatch cannot force this setting.
While GPS data is typically used for lost or stolen devices, it can also be used for any situation where knowing a
devices location is useful.
User Information
In general, you will display user information such as first name and last name for both employee-owned and corporateowned devices, since you need to know who you are managing. This information includes First Name, Last Name, Phone
Number and Email Address.
Telecom Data
In general, it is only appropriate to collect telecom data for employee-owned devices that are a part of a stipend program
where you subsidize an end user's cellphone plan. In this case, or for corporate-owned devices, the following notes
apply:
l
Carrier/Country Code Carrier and Country Code are recorded and can be used for telecom tracking purposes.
Telecom plans can be set up and devices can be assigned to the appropriate plan based on their carrier and country.
This information can also be used to track devices by home carrier and home country or by current country and
current carrier if the device is traveling.
Roaming Status Roaming Status is either Roaming or Not Roaming in AirWatch. This can be used to track which
devices are in a roaming state. Compliance policies can be set up to disable voice and data usage while the device is
roaming or perform other compliance actions. Additionally, if the device is assigned to a telecom plan, AirWatch can
track data usage while roaming. Collecting and monitoring roaming status can be helpful in preventing large carrier
charges due to roaming.
Cellular Data Usage Cellular Data Usage refers to data usage in terms of total bytes sent and received. This data can
be collected for each cellular device. If the device is assigned to a telecom plan within AirWatch, you can monitor data
usage based on a percentage of a total amount of data for a billing cycle. This allows you to create compliance
policies based on the percentage of data used. This can be helpful in preventing large carrier overage charges.
Cell Usage Cell Usage refers to the voice minutes that can be collected for each cellular device. Similar to Data
Usage, if the device is assigned to a telecom plan within AirWatch, you can monitor voice usage based on a
percentage of a total amount of minutes for a billing cycle. This allows you to create compliance policies based on the
percentage of minutes used. This can be helpful in preventing large carrier overage charges.
SMS Usage SMS Usage refers to the short message service data that can be collected for each cellular device.
Similar to Data Usage, if the device is assigned to a telecom plan within AirWatch, you can monitor SMS usage based
on a percentage of a total amount of messages for a billing cycle. This allows you to create compliance policies based
on the percentage of messages used. This can be helpful in preventing large carrier overage charges.
Application Information
In general, it is appropriate to set the collection of application information to either do not collect or collect and do not
display for employee-owned devices. This is because public apps installed on a device, if viewed, can be considered
personally identifiable information. For corporate-owned devices, all installed applications on the device will be reported
to AirWatch.

Page 13
If Do Not Collect is selected, only personal application information will not be collected. All managed applications,
whether public, internal or purchased will still be collected by AirWatch.
Remote Commands
Consider disabling all remote commands for employee-owned devices. However, if you are going to allow remote actions
or commands, you will want to explicitly mention these in your Terms of Use agreement.

Page 14
Terms of Use
Terms of Use
Overview
For legal and liability reasons it is important to inform employees who use their own devices about the data that is
captured and the actions that are allowed on them when enrolled in AirWatch MDM. You can do this by creating Terms
of Use agreements in the AirWatch Admin Console, which users are prompted to read and accept before enabling
MDMon their personal devices. By assigning Terms of Use agreements based on ownership type, you can create and
distribute different agreements for corporate and BYOD users.
Creating your Terms of Use

Your organization's legal team should carefully consider how to tailor your Terms of Use for personal devices. A common
practice is to reference a more extensive document hosted elsewhere, which details your legal agreements at length.
However, a few items you might want to include in the Terms of Use agreement are:
l
Highlight key MDMallowances (such as administrator permissions).
Address user obligations in the event of a lost or stolen device.
List the devices (platforms, operating systems, versions)you will allow to have access to corporate resources.
Define the corporate resources (email and calendars, for example) that users can access via their personal devices.
Acknowledge that the device will be enabled with proprietary corporate data and is subject to enterprise security
policies regarding sensitive information. For example, you may want to include details such as a passcode profile you
create that sets a maximum number of failed passcode attempts before a device is wiped.
Detail any inappropriate behaviors that will not be tolerated per your normal business standards, such as using the
device to harass others.
Outline the reimbursement policies for telecom and other costs. For example, whether you have a stipend program
for telecom usage, the cost of apps (personal vs. work-related), and roaming charges.
Note:One option is to take any Terms of Use employees sign for computer usage/access and tailor that to BYOD by
mentioning specifically what information is collected.
Disseminating the Terms of Use

After your organization has written its Terms of Use agreement, consider giving it to end users in a one to two-page
whitepaper form that omits legalese. This will not be the official Terms of Use end users agree to, but instead serve as a
document they can read to better understand what using their own devices means. Ideally, end users should not be
seeing the Terms of Use for employee-owned devices for the first time when they enroll their device. Consider being
upfront about what end-user information you will collect and how your BYODprogram will affect them.

Page 15
Terms of Use
In This Section
l
Configuring Terms of Use Details how to customize Terms of Use presented to users upon enrolling their device,
logging into the AirWatch Admin Console and using applications.
Configuring Terms of Use

Define and enforce Terms of Use to ensure all users with managed devices agree to the policy. If required, users must
accept the Terms of Use before proceeding with enrollment, installing apps, or accessing the AirWatch Admin Console.
The AirWatch Admin Console allows you to fully customize and assign a unique Terms of Use to each Organization Group
and Child Organization Group.
Creating Enrollment Terms of Use

The Terms of Use displays during each device's enrollment. Set version numbers, set platforms to receive the Terms of
Use, set to notify users by email if the Terms of Use is updated and create language-specific copies of the Terms of Use.
You can create multiple Terms of Use agreements and assign them to Organization Groups based on ownership type or
platform. This lets you tailor each agreement to meet the legal and liability requirements of specific groups, including
users enrolled in your BYOD program.
1. Ensure your current active Organization Group is the correct one for the terms of use you are creating.
2. Navigate to Devices Device Settings Devices & Users General Enrollment and select the Terms of Use tab.
3. Select Add New Enrollment Terms of Use.
4. Set the Terms of Use to trigger depending on platform type by toggling the Platforms option from Any to Selected
Platform and checking each desired platform.
5. Set the Terms of Use to trigger depending on ownership type by toggling the Device Ownership option from Any to
Selected Ownership Types and checking each desired type of ownership.
6. Set the Terms of Use to trigger depending on enrollment type by toggling the Enrollment Type option from Any to
Selected Enrollment Types and checking the desired type of enrollment.
7. Enter your Terms of Use in the text field provided.
This is where you may want to mention any specific privacy settings and any applicable restrictions or compliance
policies. The editor provides a basic text entry tool to create a new Terms of Use or paste in an existing Terms of Use.
If pasting in text from external content, right-click the text box and choose Paste as plain text to prevent any HTML
or formatting errors.
8. Select Save.
Note: You can enforce MDM Terms of Use acceptance by creating a compliance policy for MDM Terms of Use
Acceptance.

Page 16
Terms of Use
Creating Application or Console Terms of Use

You can also create application-based Terms of Use to notify end users when a specific application collects data or when it
imposes restrictions. When users launch these applications from your enterprise App Catalog, they must accept the
agreement to access the application. For applications, you can set Terms of Use version numbers, create languagespecific copies of the Terms of Use, and set a grace period to remove associated apps if the Terms of Use isn't accepted.
Console Terms of Use display when an administrator logs in to the AirWatch Admin Console for the first time. For the
AirWatch Admin Console, you can set Terms of Use version numbers and create language-specific copies of the Terms of
Use.
1. Navigate to Groups &Settings All Settings System Terms of Use.
2. Select Add Terms of Use.
3. Enter a Name for the Terms of Use and select the Type, which can be Console, Enrollment or Application.
4. Configure settings such as Version number and Grace Period, depending on the Type you selected.
5. Enter your Terms of Use in the text field provided. The editor provides a basic text entry tool to create a new Terms of
Use or paste in an existing Terms of Use. If pasting in text from external content, right-click the text box and choose
Paste as plain text to prevent any HTML or formatting errors.
6. Select Save.
For Applications, assign the Terms of Use when adding or editing an application using the Terms of Use tab. For more
information, please see the Mobile Application Management Guide document, available via AirWatch Resources.
View Terms of Use Acceptance

While compliance policies can be set up to help enforce Terms of Use acceptance, you can also view a summary page of
exactly who has and has not accepted the agreement. Then, if necessary, you can contact those individuals directly.
1. Navigate to Groups & Settings All Settings System Terms of Use. A list of Terms of Use agreements displays.
2. Use the Type drop-down list to filter based on agreement type, for example, Enrollment. The Users / Devices column
displays devices that have accepted/not accepted/been assigned the Terms of Use.
3. Select the appropriate number in the Devices column for the applicable Terms of Use row to see device information
pertaining to that agreement. Optionally, access the drop-down menu for the row and click one of the following:
View Devices or Users Display a complete list of devices and their acceptance statuses. You can filter by
Organization Group.

Page 17
Terms of Use
View Previous Versions View previous iterations of the agreement.
View Terms of Use View the Terms of Use agreement.
Tracking Terms of Use Acceptance via Reports

Track user acceptance for each Terms of Use by accessing the Hub Reports & Analytics Reports List View page and
generating the Terms of Use Acceptance Detail report. View details regarding specific Organization Groups and drill
down to view AirWatch Admin Console acceptances or Device Enrollment acceptances. View the acceptances directly in
the Admin Console or export the report in either PDF, CSV and Excel formats.
Note: AirWatch does not provide legally binding sample text and any text examples provided must be reviewed by
your own company/legal team.

Page 18
BYOD Enrollment
BYOD Enrollment
Overview
A major challenge in managing employees' personal devices is recognizing and distinguishing employee-owned devices
and limiting enrollment to only approved devices. AirWatch helps address end-user concerns about privacy and
administrator concerns about security by providing two types of enrollment for BYOD users, which are outlined below.
Enrollment Considerations
AirWatch enables you to configure a variety of options that customize the end-user experience of enrolling a personal
device. Before you begin, however, you need to consider how you plan to manage employee-owned devices. For
example, are you:
l
Allowing employee-owned devices to enroll through the AirWatch Workspace app or requiring them to enroll
through the AirWatch Agent?
Allowing employees who enroll their own devices to select their Group ID and/or ownership type? Or will you
manually add corporate-owned whitelisted devices, then automatically setting all other devices that enroll to
employee-owned?
Allowing or blocking certain platforms or operating systems based on your organization's security requirements?
The following sections detail these considerations and will help you determine the best enrollment configuration for your
environment.
In This Section
l
Workspace vs. Agent-based Enrollment Compare the differences between Workspace vs. Agent-based enrollment.
Configuring Device Ownership Ensure that employee-owned devices receive the proper Ownership Type in the
AirWatch Admin Console.
Configuring Enrollment Restrictions Restrict enrollment to specific devices based on various parameters.
Workspace vs. Agent-based Enrollment

BYOD users can enroll their devices via either the AirWatch Workspace app or the AirWatch Agent app, both of which can
be downloaded from the iOS or Android app stores. The differences between the two are outlined below:
l
Workspace-based enrollment takes place when an end user enrolls through the AirWatch Workspace app, which
means they do not receive an MDMprofile on their device.You can think of this as a containerized approach, as
opposed to true MDM. Those with supported platforms will still have access to email, content, and apps, but certain
other settings, such as Wi-Fi and VPN profiles, and remote actions, such as full device wipes, are not supported with
this method. For more information about what security features and functionality are supported, see the
Configuring BYODDevices (Workspace) section and the AirWatch Workspace Guide.

Page 19
BYOD Enrollment
Agent-based enrollment follows the same enrollment process corporate-owned devices use with the AirWatch Agent
and lets you deploy corporate accounts, profiles, apps, and content based on the ownership type identified during
enrollment. You can think of this as true MDM, since it installs an MDMprofile on the device and allows you to
perform more device management functions.
For deployments where you might want to fully manage some BYODusers while selectively managing others, these two
enrollment methods can be combined to form a hybrid approach. Using a hybrid approach, you can manage some BYOD
users under MDM (using the AirWatch Agent), which gives full access to internal resources, and others under the
containerized method (using the AirWatch Workspace), which selectively gives access to content, apps, email, etc. on an
individual basis.
Note:While you can install the AirWatch Workspace and AirWatch Agent together on the same device, the apps are
mutually exclusive. The user will be prompted to unenroll from the one before enrolling into the other.
Enrollment Flow
With Workspace-based enrollment, the end user:
l
Will download the AirWatchWorkspace app and launch it to perform enrollment using either their work email
address (for auto discovery)or their credentials, server URL, and Group ID.
Will access AirWatch apps, wrapped apps, and other internal apps, from the AirWatch Workspace application.
With Agent-based enrollment, the end user:

l
Will download the AirWatch Agent app (or navigate to awmdm.com for simplified enrollment)and launch it to
perform enrollment using either a work email address (for auto discovery)or credentials, server URL, and Group ID.
Will access AirWatch apps, deployed internal apps, etc. from the native device launch screens.
Configuring Device Ownership

Every device enrolled into AirWatch MDM, either via the Agent or the Workspace app, has an assigned device ownership
type: corporate dedicated, corporate shared or employee-owned. Employees' personal devices fall under the employeeowned type and are subject to the specific privacy settings and restrictions you configure for that type.
For both Workspace-based and Agent-based enrollment, you have the following options:
l
Upload a list of corporate devices and configure AirWatch to apply a default ownership type during enrollment.
(Recommended)
Allow users to choose the appropriate ownership type themselves.
Upload a List of Corporate Devices and Specify Default Device Ownership

You can identify a set list of your organization's corporate devices, which is useful if you have a mix of corporate-owned
devices that you give to certain employees and employee-owned devices that employees are allowed to enroll
themselves. As devices are enrolled, those you identified as corporate-owned as part of a pre-approved list will
automatically have their ownership type configured based on the ownership type you selected for the list (either
Corporate Owned or Corporate Shared). Then you can configure all other devices, which would only be end-user
personal devices, to automatically have their ownership type set as Employee Owned.

Page 20
BYOD Enrollment
1. Navigate to Devices Lifecycle Enrollment Status and select Add, then Batch Import.
Alternatively, you can select Whitelisted Devices to enter up to 30 whitelisted devices at a time by IMEI, UDID or
Serial Number. Additionally, select either Corporate Owned or Corporate Shared as the Ownership Type.
2. Enter a Batch Name and Batch Description, then select Add Whitelisted Device as the Batch Type.
3. Click Choose File to upload a file or select the Information icon to download a sample template. If saving a template,
proceed to fill out the necessary information.
4. Click Save.
From here, you can either set the Default Device Ownership type to Employee Owned, or you can create a restriction
that only allows Employee Owned as the ownership type during open enrollment. This ensures any device enrolling into
this applicable Organization Group will be Employee Owned by default. However, this does not mean corporate devices
will then display as Employee Owned, since those devices will be updated post-enrollment to reflect their Corporate
Owned ownership type status.
To set the default ownership type as Employee Owned:
1. Navigate to Devices Device Settings Devices &Users General Enrollment. Click the Grouping tab.
2. Select Employee Owned as the Default Device Ownership.
3. Select the Default Role assigned to enrolled users, which will determine the level of access the user has to the SelfService Portal.
4. Select the Default Action for Inactive Users, which determines what to do if the user is marked as inactive.
5. ClickSave.
Prompt Users to Identify Ownership Type

If your organization has Organization Groups with multiple ownership types, such as a mix of corporate and employeeowned, you can prompt users to identify their ownership type during enrollment. You can always update the ownership
type later, if necessary.
1. Navigate to Devices Device Settings Devices &Users General Enrollment. Click the Optional Prompt tab.
2. Select Prompt for Device Ownership Type. During enrollment, users will be prompted to select their ownership
type.
3. ClickSave.
While simple, this approach assumes every user will select the appropriate ownership type that applies to their device. If
a user with a personal device chooses the Corporate-Owned ownership type, their device will be subject to a number of
policies and profiles that normally would not affect an employee-owned device. This can have serious legal implications
regarding user privacy. While you can always update the ownership type later, if necessary, it is safer and more secure to
instead identify a list of corporate devices and then set the default ownership type to Employee Owned.
Configuring Enrollment Restrictions

You can set up additional enrollment restrictions to further control who can enroll and which device types are allowed.
For example, you could create a restriction to only allow Android OS 4.0+ to enroll, which would be useful if you wanted

Page 21
BYOD Enrollment
to ensure email containerization for all Android devices with the AirWatch Email Container, which requires Android 4.0
and higher.
After your organization evaluates the number and kinds of devices your employees own and determines which ones
make sense to use in your work environment, you can configure the following settings.
Enrollment Restrictions
When integrating AirWatch with directory services, you can choose whether or not to restrict enrollment to only known
users or configured groups. Known users refers to users that already exist in the AirWatch Admin Console, while
configured groups refers to users associated to directory service groups if you chose to integrate with user groups. These
options are available by navigating to Groups &Settings All Settings Devices &Users General Enrollment and
choosing the Restrictions tab.
l
Restrict Enrollment to Known Users Enable this option to restrict enrollment only to users that already exist in the
AirWatch AdminConsole. This applies to directory users you manually have added to the AirWatch Admin Console
one by one or via batch import. It can also be used to lock down enrollment after an initial deployment that allowed
anyone to enroll. This lets you to selectively allow only certain users to enroll.
Leave this option unchecked to allow all directory users to create new AirWatch user accounts during enrollment.
Since they do not already have an active AirWatch user account, they will use their directory service credentials to
enroll.
Restrict Enrollment to Configured Groups Enable this option to restrict enrollment and only allow users belonging
to All Groups or Selected Groups (if you have integrated with user groups) to enroll devices. You should not select
this option if you have not integrated with your directory service user groups. Leave this option unchecked to allow
all directory users to create new AirWatch user accounts during enrollment. In addition, you can select the Enterprise
Wipe devices of users not belonging to configured groups option to automatically enterprise wipe any devices not
belonging to any user group (if AllGroups is selected)or a particular user group (if Selected Groups is selected).
Note:One option for integrating with user groups is to create an "MDM Approved" directoryservice group, import it
to AirWatch, then add existing directory service user groups to the "MDM Approved" group as they become eligible
for AirWatch MDM.
Note:For information about integrating your directoryservice groups with AirWatch, refer to the AirWatch
DirectoryServices Guide document, available via AirWatch Resources.

Page 22
BYOD Enrollment
Policy Settings
Save your enrollment restrictions as a policy by taking the following steps:
1. Navigate to Devices Device Settings Devices &Users General Enrollment and choose the Restrictions tab,
then Add Policy located in the Policy Settings section. The Add / Edit Enrollment Restriction Policy screen will
display.
2. Enter an Enrollment Restriction Policy Name for your policy and select the OrganizationGroup it should apply to.
3. Select the Policy Type, which can be either Organization Group Default to apply to the selected Organization Group,
or User Group Policy to apply to specific User Groups via Group Assignment Settings on the Restrictions tab.
4. Identify the Allowed Ownership Types, which indicates whether you will permit or prevent bring your own device
(BYOD).
5. Identify the Allowed Enrollment Types, which indicates whether you will permit or prevent enrollment through
either the AirWatch Agent or AirWatch Workspace (for iOS/Android)apps.
6. Select the Unlimited check box for Device Limit to allow users to enroll as many devices as they want. Leave this box
unchecked to enter values for the Maximum Devices Per User total or maximum devices per ownership type.
7. Select the Limit enrollment to specific platforms, models or operating systems option to add additional device
restrictions based on device platform, device model, operating system version and, if applicable, enterprise version.
You can also set a device limit. Choose one of two Device Level RestrictionModes:
l
Only allow listed device types (Whitelist) Select this option to explicitly allow only devices matching the
parameters you enter and to block everything else.
Block listed device types (Blacklist) Select this option to explicitly block devices matching the parameters you
enter and to allow everything else.
Note:You can also block specific devices based on their IMEI, Serial Number or UDID by navigating to Devices
Lifecycle Enrollment Status and selecting Add. This is an effective way to block a single device and
prevent it from re-enrolling without affecting other users' devices. Preventing re-enrollment is also available
as an option when performing an Enterprise Wipe.
8. Select Save and the Add / Edit Enrollment Restriction Policy screen will save your changes and close, taking you
back to the Devices &Users / General / Enrollment screen.
9. Use the Group Assignment Settings section (scroll past the Policy Settings section) to assign customized policies to
user groups. Set the rank of precedence and select a policy for each user group. This can be particularly useful if you
are integrating with directory services.
10. SelectSave.

Page 23

Overview
This section details configuring BYOD devices that are enrolled through the AirWatch Workspace. As described in BYOD
Enrollment, Workspace-based enrollment does not install an MDMprofile on the device and therefore limits the overall
level of management you have. These settings and features are split into two types: automatic and configurable.
Automatic items are enabled at all times and streamline the tracking and access features of the AirWatch Workspace.
Configurable items provide specific options to custom-tailor your AirWatch Workspace deployment according to your
organizations needs.
For more information on the features listed below please refer to the AirWatch Workspace Guide, available via AirWatch
Resources.
In This Section
l
Automatic Features See a list of features that require no prior setup or configuration.
Configurable Features See a list of features you can customize to meet your organization's needs.
Automatic Features
Automatic features require no additional setup or configuration and work as soon as you download and start using the
AirWatch Workspace app.
Feature
Description
Security
Encryption
Full device encryption or SDcard encryption cannot be enforced.

Encryption is supported at the individual application level only for wrapped apps, SDK-enabled
apps and AirWatch apps. These apps do not allow enterprise data to be exported outside of the
Workspace.
On iOS devices (only), all corporate data within the Workspace is secured with FIPS 140-2
encryption.
Apps
App Tracking
AirWatch Workspace only tracks enterprise apps that are installed.
App Security
Application security and compliance is enforced for Workspace-enabled apps.
Content
AirWatch Content Content management is supported using the AirWatch Content Locker.
Locker
Asset Tracking
Asset Tracking
Only device platform, model and OS are tracked.

Page 24
Feature
Description
Location
Location data is not tracked.
Support
Notifications
Notifications are supported. Push messages from the AirWatch Admin Console to the Workspace.

Page 25
Configurable Features
Configurable features can be controlled from Settings and Policies in the AirWatch Admin Console.
Feature
Description
Security
Passcode Policy
Containerized AirWatch and wrapped apps within AirWatch Workspace leverage single sign on
(SSO)to share the same SSOPasscode across applications. Configure SSOPasscode complexity in
the AirWatch Admin Console. This SSO Passcodeis set when the user initially enrolls using their
username and password.
Compromised
Detection
Compromised device detection is supported to control access to enterprise apps. A compromised

device check occurs when an AirWatch app or wrapped app is launched. If the app detects that a
device is compromised, the app wipes its data and blocks access.
Clear SSO
Passcode
Clear the current passcode used to sign in to apps and prompt the user to enter a new one.
SSOPasscode
Lock
Sign the user out of all active Workspace-enabled apps and require the use of an SSO Passcode
when any of the apps are opened again.
Enterprise Wipe
Perform an enterprise wipe on a Workspace-enabled device, which clears all enterprise data within
AirWatch Workspace, AirWatch apps and wrapped apps and revokes all access the next time a
user opens an enterprise app.
Configure
Terms of Use
(TOU)
Generate a fully customizable and enforceable Terms of Use policy.

Page 26
Feature
Description
Email
Set up email configuration through AirWatch Workspace using AirWatch Inbox or Lotus Notes for
Android.
Workspace integration is currently only available for the Android and iOS platforms.
Wi-Fi
Use Wi-Fi to connect devices to corporate networks, even if they are hidden, encrypted or
password protected. Available on Android (7.1 HF6+). Available on iOS as an unmanaged profile.
Apps
Deploying
Apps/App Catalog
Internal, public/purchased, and web apps can all be deployed to the AirWatch Workspace. Certain
limitations may apply for apps that are not app wrapped or integrated with the AirWatch SDK.
Branding
Format AirWatch Workspace menu options, backgrounds, and fonts to match your organization's
brand and aesthetic.
Single Sign On
(SSO)
Single sign on allows a user to access all Workspace-enabled and wrapped applications with a
single SSO Passcode without having to enter login credentials for each app. SSO may also allow
access to SharePoint and external file shares.
App Tunnel
Create a secure tunnel, such as the AirWatch Mobile Access Gateway, from Workspace-enabled
apps and wrapped apps to your internal systems.
Note: Any of the profiles detailed above may be overridden at the app-level. For example, set a Passcode profile that
affects all Workspace-related applications. Then, configure a AirWatch Content Locker-specific passcode on the
AirWatch Content Locker app configuration page (Content Applications Content Locker) by switching the
Application Profile from Default to Custom and selecting the alternate profile.

Page 27

Overview
This section details configuring BYOD devices that are enrolled through the AirWatch Agent. As described in BYOD
Enrollment, Agent-based enrollment installs an MDMprofile on the device and lets you manage employee-owned
devices with the same level of MDMfunctionality you use for corporate ones.
Comprehensive security is an integral part of MDM, and AirWatch lets you maintain a high level of security for both
employee-owned and corporate devices. In addition to providing full administrative visibility over the security status of a
device, AirWatch also continuously works in the background and proactively alerts you to any potential issues. With
flexible management options, you can deploy one set of security policies and restrictions to employee-owned devices
while simultaneously provisioning a greater level of restrictions to corporate-dedicated devices.
In This Section
l
Creating Restrictions for BYOD Deploy restrictions profiles meant specifically for employee-owned devices.
Defining Compliance Policies for BYOD Create compliance policies that will apply to BYOD users.
Managing Access to Corporate Resources Ensure BYODusers can access the applications and content necessary to
perform work.
Reclaiming Corporate Data upon Employee Departure Remove traces of corporate content from the device when
an employee leaves your organization.
Creating Restrictions for BYOD

AirWatch offers a number of restriction profiles through over-the-air profile provisioning and a range of related custom
settings. This enables you to set very tight restrictions for corporate-dedicated devices while applying looser restrictions
to employee-owned devices. For example, while some restrictions prohibit the use of certain features on the device, such
as the iTunes store or YouTube, these restrictions are not typically deployed to employee-owned devices. Instead, you
can create security profiles and restrictions that increase the level of device security without having a negative impact on
functionality. AirWatch includes the following options, which are excellent examples of restriction policies for BYOD
devices:
l
Encrypted backups Protect all backups with data encryption for BYOD devices with access to corporate content.
Force fraud warning in supported browsers Require users to acknowledge all warnings issued by the browser
when it detects a suspicious site.
Disable moving emails Prohibit the exposure of sensitive corporate data by disabling the ability to forward a
corporate email to a personal account or open it in third party applications.
Platform-specific restrictions Each platform, most notably Android and iOS, have their own list of restrictions you
can enforce. You should evaluate these individually to determine whether or not they would be appropriate to your
organization's deployment. For example, evaluating specific end user's job functions and their level of access to

Page 28
sensitive information. Some, like iOSrestrictions limited to supervised devices, do not apply, since employee-owned
devices will not be enrolled with Apple Configurator.
You can create security profiles and restrictions by navigating to Devices Profiles List View and selecting Add, then
the appropriate platform. If you create profiles for employee-owned devices specifically, be sure to select it as the
Ownership type on the General tab. For more information about creating security profiles and restrictions, refer to the
specific platform guides and the AirWatch Mobile Device Management Guide, available via AirWatch Resources.
Defining Compliance Policies for BYOD

In addition to provisioning device restrictions, you can use compliance policies to monitor the security status of all
devices in your fleet and respond to any policy violations. AirWatch contains a robust and highly customizable
compliance policy engine to help you create and enforce custom policies for employee-owned devices. For example, you
can define specific rules for employee-owned devices and then configure escalating actions that occur over time, such as
restricting access to corporate content, if they do not comply. For additional information on creating compliance policies,
refer to the AirWatch Mobile Device Management Guide, available via AirWatch Resources.
The following options are prime examples of compliance policies for employee-owned devices:
l
Encryption Enforcement Require full device and SD card encryption.

Passcode Policies Require that a passcode should be present and enforced. For example, you could apply a
passcode policy for any devices that have access to corporate content. This provides hardware-level encryption and
protects information in the event of a lost or stolen device. Note that if you decide to set a maximum number of
failed attempts before a device is wiped, then you may want to explicitly inform the user of this in your Terms of Use
agreement.
Compromised Detection Detect devices that have been modified to remove security limitations imposed by
manufacturers. Such devices are known as jailbroken or rooted devices and are deemed compromised by
AirWatch. Because of the security vulnerabilities these devices can be exposed to, it is recommended they not be
granted access to corporate content. As soon as devices are detected as compromised, AirWatch can automatically
remove access to all corporate content enabled through MDM.
MDMTerms of Use Acceptance Ensure users accept your Terms of Use agreement by performing escalating
actions that increasingly restrict access to corporate content the longer users go without accepting.
You can create compliance policies by navigating to Devices Compliance Policies List View and selecting Add. If you
create policies for employee-owned devices specifically, be sure to select it as the Ownership type on the Assignment
tab. For more information about creating compliance policies, refer to the specific platform guides and the AirWatch
Mobile Device Management Guide, available via AirWatch Resources.
Managing Access to Corporate Resources

Ensuring employee-owned devices are secure should not come at the cost of convenience to employees. With AirWatch
MDM you can provide convenient access to email, VPN, Wi-Fi, apps and content.
Provide Access to Email, VPN and Wi-Fi

By creating configuration profiles you can configure employee-owned devices to access and automatically authenticate
email, VPN and Wi-Fi settings while they are enrolled in AirWatch MDM. Since these are managed profiles on the devices,

Page 29
you can remove access to these resources at any time. To add configuration profiles, navigate to Devices Profiles List
View and select Add, then the platform. Configure a single payload, such as email, VPNor Wi-Fi per profile. Ensure
Ownership is set to Employee Owned under the General tab if this profile should only apply to employee-owned
devices.
For more information about creating configuration profiles, refer to the specific platform guides and the AirWatch
Mobile Device Management Guide, available via AirWatch Resources.
Email Containerization
For employee-owned devices, you can utilize the NitroDesk TouchDown email client for iOS and Android or the AirWatch
Inbox to further secure access to corporate email. These containerized solutions allow you to require a passcode to
access email while not forcing end users to have a passcode to access their devices. It also provides additional separation
between their personal and work-related content. Refer to the specific platform guides, the AirWatch Inbox Guide and
the AirWatch Mobile Email Management Guide, available via AirWatch Resources.
Enable Secure Access to Internal Apps

In addition to deploying your organization's internal apps to your device fleet, AirWatch can filter which device types
receive certain apps. For example, your organization may have certain proprietary apps that do not belong on personal
devices. By leveraging device ownership types in AirWatch, you can protect sensitive applications from employee-owned
devices. To modify application assignments, navigate to Apps &Books Applications List View, select the Internal
tab, then select an application from the list. Click the Assignment tab and select or create a Smart Group. When creating
or editing Smart Groups, you can modify the Ownership to include or exclude Employee Owned devices.
For more information about Smart Groups and managing application access, refer to the AirWatch Mobile Application
Management Guide.
Ensure Secure Access to Content

The AirWatch Content Locker enables your employees to securely access organization resources on-the-go from their
mobile devices. Similar to managing the deployment of applications, you can configure which device ownership types
have access to sensitive documents. To maximize content security as part of your BYOD program, you can enforce the
following criteria:
l
Require the device to be enrolled in MDM order to access content. This ensures employee-owned devices are subject
to the security profiles and compliance policies you define before having access to sensitive content.
o
Prevent content access if the device is compromised. This maximizes security by preventing potentially vulnerable
devices from accessing content.
o
Navigate to Groups &Settings All Settings Content Applications Content Locker and select Require
MDMEnrollment.
Navigate to Groups &Settings All Settings Content Applications Content Locker to determine if you are
using a Default or Custom Application Profile. If using a Default application profile, you can configure this setting
at Groups &Settings All Settings Apps Settings and Policies Security Policies by enabling
Compromised Detection. If using a Custom profile, the Prevent Compromised Devices setting will be an option
you can enable from this page.
Allow access to content only while online. This ensures the device is compliant with your AirWatch policies, which
may not be true if the device is offline and cannot report in.

Page 30
Navigate to Content List View and select a content entry from the list. Click the Security tab and set the Access
Control for allowing offline viewing.
Edit the Assignment criteria for specific content, for example, if certain content should not be made available to
employee-owned devices.
o
Navigate to Content List View and select a content entry from the list. Click the Assignment tab and set the
Device Ownership type or Organization Group that applies.
For more information about securing access to sensitive content, refer to the AirWatch Mobile Content Management
Guide, available via AirWatch Resources.
Reclaiming Corporate Data upon Employee Departure

An essential aspect of your BYODprogram is removing corporate content when an employee leaves or when a device is
lost or stolen. With AirWatch you can easily perform an Enterprise Wipe on devices to remove all corporate content and
access while leaving personal files and settings untouched. This command also un-enrolls the device from AirWatch and
strips it of all content enabled through MDM. This includes email accounts, VPNsettings, Wi-Fi profiles, secure content
and enterprise apps. Consider the following when an employee-owned device should no longer be a part of your BYOD
program:
l
To perform an Enterprise Wipe to ensure a device is fully unenrolled and no longer has access to content and settings
enabled through MDM:
1. Select the appropriate Organization Group, then navigate to Devices List View and search for and select a
device from the list. The device details view displays, with a list of actions you can perform under the More dropdown in the top right.
2. Select Enterprise Wipe . A confirmation screen displays asking you to confirm the action. Select Prevent ReEnrollment if you wish to prevent this device from enrolling again. Enter a Security PIN if applicable and then
select Enterprise Wipe to complete the action.
AirWatch lets you decide how an Enterprise Wipe applies to public and purchased VPP applications that sit in a gray
area between corporate and employee-owned devices. To require that an application be removed:
1. Navigate to Apps &Books Applications List View, select whether to view Public, Internal, or Purchased
apps, and click the app name from the list. The application screen displays. Click Edit.
2. For public apps, select the Deployment tab, if it displays. Check the Remove on Unenroll check box.
For purchased VPPapps, check the Remove on Unenroll check box under the Deployment section.
Note:Even if you opt to remove an app purchased through Apple's Volume Purchase Program, you cannot
reclaim any redeemed licenses for that app if you used redemption codes for iOS6 and earlier devices. This is
because when installed, the app is associated to the user's App Store account. On the other hand, license
codes used for iOS7 and later devices can be redeemed. Refer to the AirWatch Mobile Application
Management Guide for more details.
While Enterprise Wipes may be appropriate for employee-owned devices, you may want to eliminate the chance of
issuing a full device wipe on personal devices. To disable this command as an option for employee-owned devices:

Page 31
1. Navigate to Devices Device Settings Devices &Users General Privacy.

2. Scroll down to the Commands section and under the Employee Owned column set Full Wipe to Prevent.
ClickSave.

Page 32

Overview
The AirWatch Self-Service Portal (SSP)is a useful online tool used to remotely monitor and manage smart devices and
can help reduce the overall "hidden cost"of managing a device fleet. By empowering and educating device users on how
to perform basic device management tasks, investigate issues and fix problems, your organization may be able to reduce
the number of help desk tickets and support issues.
In This Section
l
Performing Remote Actions See the various remote actions you can perform on managed devices as an
administrator.
Viewing Tabs See the various tabs users can utilize to view information about their devices.
Defining User Roles See how to define the user roles that determine who has access to the Self-Service Portal.
Performing Remote Actions

AirWatch gives you as an administrator several remote actions and options to perform on managed devices. However,
when devices are employee-owned, those employees may want to access similar management tools for their own use.
The AirWatch SSP provides a means for employees to utilize some key MDM tools without any IT involvement. If you
enable it, end users can launch the SSP in a web browser and access key MDMsupport tools. You can also enable or
disable the displays of information and the ability to perform remote actions from the SSP.
Note:For information on deploying, accessing and using the SSP, refer to the appropriate platform guides, available
via AirWatch Resources.
Here are some examples of information you can let end users view and actions you can allow them to perform:
The Remote Actions menu, if enabled, allows users to perform the following remote actions over-the-air to their selected
devices:
l
Device Query Manually requests the device to send a comprehensive set of MDM information to the AirWatch
Server.
Lock Device Locks the selected device so that an unauthorized user cannot access it. This feature is useful if the
device is lost or stolen. If using AirWatch Workspace, it signs the end user out of Workspace-enabled apps and
requires them to enter their PIN the next time they access them.
Clear Passcode Clears the passcode on the selected device and will prompt for a new passcode. This is useful if you
forget your device passcode and are locked out of your device. If using AirWatch Workspace, it clears the PINused to
sign in to Workspace-enabled apps.

Page 33
Device Wipe Wipes all data from the selected device, including all data, Email, profiles and MDM capabilities and
returns the device to factory default settings. If using AirWatch Workspace, this remote command is not available.
Enterprise Wipe Wipes all corporate data from the selected device and removes the device from AirWatch MDM.
All of the enterprise data contained on the device is removed, including MDM profiles, policies and internal
applications. The device will return to the state it was in prior to the installation of AirWatch MDM.
Send Message Sends a message via email, phone notification or SMS to the device.
Find Device Plays an audible tone on the device in the event it is nearby but hard to locate.
Viewing Tabs
The Self Service Portal automatically matches the browser's default language, however, you may opt to override this
default setting by choosing from the Select Language drop-down field directly from the login screen.
Upon logging in to the SSP, by default, the first device appears in the main viewer displaying basic information such as
Enrollment Date, the Last Seen date and the device's Status.
The Go to Details button, when selected, displays the following tabs containing information about the selected device
under the selected user account:
l
Security This tab shows the following general security information about a particular device enrolled under your
user account.
Compliance This tab shows the compliance status of the device, including the name and level of all compliance
policies that apply to the device. It is important for end users to take note of these policies to ensure devices remain
compliant and operate as intended.
Profiles This tab shows all of the MDM profiles that have been sent to the devices enrolled under your user
account and the status of each profile.
Apps This tab displays all applications that have been installed on the selected device and provides basic
application information.
Location This tab displays the coordinates of the selected device.
Event Log This tab contains a comprehensive log of all interactions between the AirWatch Admin Console and the
device.
Support This tab contains detailed device information and contact information for your organization's support
representatives.
Defining User Roles

By defining user roles on the Add/Edit Role page you can set who has access to the Self Service Portal (SSP), what the
initial SSP landing page will be and what actions logged-in users can perform. Creating multiple user roles is a time saving
measure; making comprehensive configurations across different Organization Groups or changing the user role for a
specific user at any time.

Page 34
Define a User Role

In addition to the preset Basic Access and Full Access roles, you can also create customizable roles.
1. Navigate to Accounts Users Roles and click Add. Enter a Name, Description and select the Initial Landing Page
of the SSP for users with this new role.
Note: For existing User Roles, the default InitialLanding Page is the MyDevices page.
2. Select from a list of options the level of access and control end users of this assigned role should have in the SSP.
3. Select Save when you are finished.
Configure a Default Role

A default role is the baseline role from which all user roles begin. Configuring a default role enables you to set the
permissions and privileges users will automatically receive upon enrollment.
1. Navigate to Devices Device Settings Devices & Users General Enrollment and select the Grouping tab.
2. Select a Default Role to configure a default level of access end users should have in the SSP. These role settings are
customizable by Organization Group.
3. Select Save.
Set a Role for a Specific User

You can also edit the role for a specific user, for example, to grant or restrict access.
1. Select the appropriate Organization Group, navigate to Accounts Users List View and search for and select a
user from the list. The Edit User screen displays.
2. Select Edit. Scroll down and select a User Role to set a role for this specific user.
3. Select Save.

Page 35

While reading through this documentation you may encounter topics that reference other documents that are not
included here. You may also be looking for separate documentation that is not a part of this resource. You can access this
additional documentation through the AirWatch Resources page (https://resources.air-watch.com) on myAirWatch.
Note: It is always recommended you pull the document from AirWatch Resources each time you need to reference it.
To search for and access additional documentation via the AirWatch Resources page, perform the following step-by-step
instructions:
1. Navigate to http://my.air-watch.com and log in using your AirWatch ID credentials.
2. Select AirWatch Resources from the navigation bar or home screen. The AirWatchResources page displays with a list
of recent documentation and a list of Resources Categories on the left.
3. Select your AirWatch Version from the drop-down list in the search parameters to filter a displayed list of documents.
Once selected, you will only see documentation that pertains to your particular version of AirWatch.
4. Access documentation using the following methods:

l
Select a resource category on the left to view all documents belonging to that category. For example, selecting
Documentation filters your search to include the entire technical documentation set. Selecting Platform filters
your search to only include platform guides.
Search for a particular resource using the search box in the top-right by entering keywords or document names.
Add a document to your favorites and it will be added to My Resources. Access documents you have favorited
by selecting myAirWatch from the navigation bar and then selected My Resources from the toolbar.

Page 36
Download a PDF of a document by selecting the button. Note, however, that documentation is frequently
updated with the latest bug fixes and feature enhancements. Therefore, it is always recommended you pull the
document from AirWatch Resources each time you need to reference it.
Having trouble finding a document?Make sure a specific AirWatch Version is selected. All Versions will typically
return many results. Make sure you select Documentation from the category list, at a minimum. If you know which
category you want to search (e.g., Platform, Install &Architecture, EmailManagement) then selecting that will also
further narrow your search and provide better results. Filtering by PDFas a File Type will also narrow your search
even further to only include technical documentation manuals.

Page 37

000AirWatch BYOD Guide v8 - 0 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

000AirWatch BYOD Guide v8 - 0 PDF

Uploaded by

Copyright:

Available Formats

AirWatch Bring Your Own Device (BYOD)

2015 VMware, Inc. All rights reserved.

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

Before You Begin

Configuring Privacy Settings

Privacy Best Practices

Creating your Terms of Use

Disseminating the Terms of Use

Configuring Terms of Use

Workspace vs. Agent-based Enrollment

Configuring Device Ownership

Configuring Enrollment Restrictions

BYODDevices (Using the Workspace)

BYOD Devices (Using the Agent)

Creating Restrictions for BYOD

Defining Compliance Policies for BYOD

Managing Access to Corporate Resources

Reclaiming Corporate Data upon Employee Departure

Self-Service Portal (SSP) Permissions

Performing Remote Actions

Defining User Roles

Finding Additional Documentation

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

Cost savings Reduce overhead costs in managing a corporate plan.

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

Before You Begin

Before You Begin

Android versions 2.3+

Windows Mobile 5/6 and Windows CE 4/5/6

Windows Phone 7 and 7.5 Mango

iOS versions 4.0+

Symbian OS ^3 and S60

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

Before You Begin

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

Configuring Privacy Settings

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

3. Select the Commands that can be performed on devices.

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

Privacy Best Practices

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

Creating your Terms of Use

Highlight key MDMallowances (such as administrator permissions).

Address user obligations in the event of a lost or stolen device.

Disseminating the Terms of Use

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

Configuring Terms of Use

Creating Enrollment Terms of Use

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

Creating Application or Console Terms of Use

View Terms of Use Acceptance

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

View Previous Versions View previous iterations of the agreement.

View Terms of Use View the Terms of Use agreement.

Tracking Terms of Use Acceptance via Reports

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015

Workspace vs. Agent-based Enrollment

AirWatch Bring Your Own Device (BYOD)Guide | v.2015.02 | February 2015