Workspace App Ios



Combine Workspace ONE UEM MDM features with Workspace ONE UEM apps to even further enhance security and functionality. Easily manage Workspace ONE UEM apps throughout the entire lifecycle across employee-owned, corporate-owned, and shared devices from the UEM console.

Workspace ONE UEM applications allow you and your end users to:

  • Explore the VMware Workspace ONE Content to sync a personal content folder.
  • Configure VMware Workspace ONE Web to secure Internet searches.
  • Enable VMware Workspace ONE Boxer to configure email.
  • Use the AirWatch Container as an alternative to MDM by providing separation of corporate and personal data on device, while maintaining employee privacy.

For more information about managing applications, see Mobile Application Management.

  1. Jan 27, 2021 Citrix Workspace app for iOS is client software available for download from the App Store. It enables you to access and run virtual desktops and hosted applications delivered by Citrix Virtual Apps and Desktops. IOS is the operating system for Apple mobile devices such as iPads and iPhones.
  2. What are the most common capabilities for iOS in Workspace ONE UEM? 1) Automated, out-of-the-box device activation and configuration with User Enrollment to keep the user’s personal data completely separate from work data. 2) Unified app catalog enables self-service for users as well as admin-controlled app download and management.
  3. Add a workspace. To get a list of managed resources you can access on your iOS, add a workspace by subscribing to the feed provided by your admin. To add a workspace: On the Connection Center screen, tap +, and then tap Add workspace. In the Feed URL field, enter the URL for the feed you want to add. This URL can be either a URL or an email.

Workspace ONE Intelligent Hub for iOS

(Citrix Workspace app for iOS uses platform (iOS) crypto for connections between Citrix. Citrix Workspace app for iOS.

The Workspace ONE Intelligent Hub for iOS collects and delivers managed device information to the UEM console. Because this information may contain sensitive data, Workspace ONE UEM takes extensive measures to ensure that the information is encrypted and that it originates from a trusted source.

Workspace ONE UEM uses a unique certificate pair to sign and encrypt all communication between Workspace ONE Intelligent Hub for iOS and the server. These certificates also allow the server to verify the identity and authenticity of each device enrolled in Workspace ONE UEM. This overview details the benefits and necessities of both security enhancements.

Understanding the Certificate Exchange

Before any data is transferred, the Workspace ONE Intelligent Hub application and the server trade personalized certificates. This relationship is established when Workspace ONE Intelligent Hub for iOS checks into the Workspace ONE UEM server for the first time during enrollment.

  1. Workspace ONE Intelligent Hub for iOS communicates with the Workspace ONE UEM server to obtain the server’s certificate public key. Both Workspace ONE Intelligent Hub for iOS and the Workspace ONE UEM server trust the public key of the Workspace ONE UEM Root certificate, which verifies the authenticity of all certificates involved in the enrollment exchange.
  2. Workspace ONE Intelligent Hub for iOS validates the server’s certificate against the Workspace ONE UEM Root CA certificate.
  3. Workspace ONE Intelligent Hub for iOS sends a unique certificate public key to the Workspace ONE UEM server.
  4. The Workspace ONE UEM server associates the Workspace ONE Intelligent Hub’s certificate with that device in the database.

Securing the Data in Transit

After the initial exchange of certificates, all data sent to the UEM console is encrypted from that point forward. The following table shows the two certificates involved and their responsibility in the transaction.

Hub CertificateServer Certificate
Workspace ONE Intelligent HubSign the DataEncrypt the Data
Workspace ONE UEM ServerVerify the Data OriginDecrypt the Data

APIs and Application Functionality

There are two categories of APIs that Workspace ONE UEM uses with iOS devices for management and tracking capabilities:

  • Over-the-Air (OTA) MDM APIs are activated through the enrollment process regardless if Workspace ONE Intelligent Hub for iOS is used or not.
  • Native iOS SDK APIs are available to any third-party application, including Workspace ONE Intelligent Hub applications and any other application using the Workspace ONE UEM Software Development Kit (SDK).

The Workspace ONE Intelligent Hub for iOS acts as the broker application that integrates with the Native iOS SDK API layer of management. When using Workspace ONE Intelligent Hub for iOS combined with the Workspace ONE UEM SDK for iOS, administrators can take advantage of more MDM features for applications, more so than what is offered in the Over-the-Air (OTA) MDM API layer.

  • Configure Workspace ONE Intelligent Hub Settings for iOS Devices
    You can customize the Workspace ONE Intelligent Hub settings in the UEM console. For example, specify an SDK Profile to use with the Workspace ONE Intelligent Hub to harness Workspace ONE UEM functionality.
  • Workspace ONE Intelligent Hub Mobile Application for iOS
    After enrolling the Workspace ONE Intelligent Hub, the application defaults to a My Device screen. Here you can view real-time information about your device, sync the device, re-enroll the device, and read messages that have been sent from the UEM console.

Configure Workspace ONE Intelligent Hub Settings for iOS Devices**

You can customize the Workspace ONE Intelligent Hub settings in the UEM console. For example, specify an SDK Profile to use with the Workspace ONE Intelligent Hub to harness Workspace ONE UEM functionality.

Procedure

  1. Navigate to Devices > Device Settings > Apple > Apple iOS > Hub Settings.
  2. Configure the following settings for the Workspace ONE Intelligent Hub:
SettingDescription
Disable Un-Enroll in HubThis setting deactivates the user's ability to unenroll from Workspace ONE UEM MDM using the Workspace ONE Intelligent Hub. This setting is only available in the Workspace ONE Intelligent Hub v4.9.2 and higher.
Background App RefreshThis setting tells the Workspace ONE Intelligent Hub the maximum allowed time interval to refresh app content. Some applications run for a brief period before reaching a suspended state.
Background App Refresh is a feature in iOS where the application itself wakes from this suspended state. During this refresh, the Workspace ONE Intelligent Hub reports information, such as compromised detection, hardware details, GPS, iBeacon, and telecom, to the UEM console. The frequency at which the Workspace ONE Intelligent Hub refreshes is controlled by the OS and only completed during efficient times, such as when the device is plugged into a power source, frequency of use, or connected to Wi-Fi.
To take advantage of the Background App Refresh feature, this setting must be enabled in the UEM console, the Workspace ONE Intelligent Hub cannot be stopped on the device, and Background App Refresh must be enabled on the device for the Workspace ONE Intelligent Hub under Settings > General > Background App Refresh.
Minimum Refresh IntervalSelect the minimum amount of time that must pass before the device attempts to refresh app content.
Transmit on Wi-Fi onlyEnable background refresh to occur over Wi-Fi connections only.
  1. Customize the following extra configurations for the Workspace ONE Intelligent Hub from the Settings and Policies page in the UEM console for Single Sign On in this guide.

What to do next

For information about offline access, branding, and other Settings and Polices, refer to the VMWare AirWatch Mobile Application Management Guide.

Workspace ONE Intelligent Hub Mobile Application for iOS

After enrolling the Workspace ONE Intelligent Hub, the application defaults to a My Device screen. Here you can view real-time information about your device, sync the device, re-enroll the device, and read messages that have been sent from the UEM console.

The Self Service Enabled check box must be selected in the Hub Settings in the UEM console to see all the status information.

Note: If the Disable Un-enroll Hub option is not checked in Hub Settings, select Un-enroll Device before re-enrolling with the Workspace ONE Intelligent Hub v4.9.2.

My Device Functionality

  • Tap the Status menu to view various statuses and self-service diagnostic options:

    • Sync Device – Tap this action to send a request to resync the device with the UEM console.

    • Current Status – Use the menus to find information about enrollment, re-enroll the device, view accounts, and compliance.

    • Diagnostics – Use these menus to test connectivity, view Internet access, connectivity issues, server information, and view and send Hub and Device logs.

  • Tap the Device Details menu to view various status options:
    • Network – View network adapters and IP addresses.
    • Advanced – Use these menus to find information about the device's battery, memory, and disk space.
    • Location– View GPS coordinates for your device for the current and previous time periods
    • iBeacon – View the name of the iBeacon region. If iBeacon is configured but location data is not configured, then the device displays only the iBeacon area. If iBeacon and location data are enabled, then the device displays the iBeacon region and the map with the location on the device.
  • Use the dock at the bottom of the screen to find additional information including:
    • Messages– Read notifications from the UEM console. For example, you may receive notifications in the message center to complete a required compliance check to ensure that your device can be successfully monitored.
    • About – Find information about the Workspace ONE Intelligent Hub application and legal information.

VMware Workspace ONE Content

VMware Workspace ONE Content is an application that enables your end users to access important content on their devices while ensuring file safety for your organization.

From the Workspace ONE Content, end users can access content you upload in the UEM console, content from synced corporate repositories, or their own personal content.

Use the UEM console to add content, sync repositories and configure the actions that end users can take on content opened within the application. These configurations prevent content from being copied, shared, or saved without approval.

For more information about MCM and configuring the VMware Workspace ONE Content, see the VMware Workspace ONE UEM Mobile Content Management Guide.

VMware Workspace ONE Web

VMware Workspace ONE Web is an application that provides a manageable and secure alternative to native Web browsers. You can secure the browsing experience on an application, tunnel, and Web site level.

You can configure the Workspace ONE Web to meet unique business needs by restricting Web access to Web sites and providing a secure Internet portal for mobile point-of-sale devices. Provide users with a standard browsing experience, including support of multi-tabbed browsing and JavaScript dialog box. For maximum security on your Android and iOS devices, consider deploying the Workspace ONE Web with a Restrictions profile blocking the native browser.

For additional information about preparing and configuring the Workspace ONE Web for deployment, see the VMware Workspace ONE Web Admin Guide.

VMware Workspace ONE Boxer

VMware Workspace ONE Boxer is an email application that offers a consumer-centric focus on mobile productivity with enterprise-grade security in the form of AES 256-bit encryption. This app containerizes business data from personal data, providing frictionless access to enterprise email, calendar, and contacts across corporate-owned and employee owned.

Workspace ONE Boxer allows users to personalize the app to meet their needs with features like custom swipe gestures, contact avatars, custom smart folders, and account color preferences. The all-in-one email, calendar, and contacts app provides an intuitive user experience following native design paradigms on devices.

For more information on VMware Workspace ONE Boxer, see the VMware Workspace ONE Boxer Admin Guide.

AirWatch Container for iOS

AirWatch Container offers a flexible approach to Bring Your Own Device (BYOD) management by pushing a secure work space to a personal device. Businesses can distribute Workspace ONE UEM applications and internal applications to the AirWatch Container for employees to use on their mobile devices.

Applications are visible inside and outside the AirWatch Container, but the enterprise applications are secure through a common SDK framework and a container passcode. These apps can interact seamlessly using single sign on authentication and can connect securely to the Internet through an app tunnel VPN.

For more information about the AirWatch Container, refer to the VMware AirWatch Container Admin Guide.

Enforcing Application-Level Single Sign On Passcodes

Single sign on (SSO) allows end users to access Workspace ONE UEM apps, wrapped apps, and SDK-enabled apps without entering credentials for each application. Using the Workspace ONE Intelligent Hub or the AirWatch Container as a 'broker application,' end users authenticate once per session using their normal credentials or an SSO Passcode.

Enable SSO as part of the Security Policies that you configure to apply to all Workspace ONE UEM apps, wrapped apps, and SDK-enabled apps using a Default SDK Profile.

  1. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.

  2. Set Single Sign On to Enabled to allow end users to access all Workspace ONE UEM applications and maintain a persistent login.

  3. Authentication Type to Passcode and set the Passcode Mode to either Numeric or Alphanumeric to require an SSO Passcode on the device. If you enable SSO but do not enable an Authentication Type, end users use their normal credentials (either directory service or Workspace ONE UEM account) to authenticate, and an SSO Passcode does not exist.

Once an end user authenticates with an application participating in SSO, a session establishes. The session is active until the Authentication Timeout defined in the SDK profile is reachedor if the user manually locks the application.

Apple Configurator Overview

Workspace ONE UEM integrates with Apple Configurator to enable you to supervise and manage scaled deployments of Apple iOS devices. Administrators can create configuration profiles, import existing profiles from the iPhone Configuration Utility, install specific operating system versions and enforce iOS device security policies.

Install and run Apple Configurator 2 from a macOS laptop to integrate with the Workspace ONE UEM console to supervise and configure one or many devices at the same time.

  • Install the Workspace ONE UEM MDM profile as part of the configuration to enroll devices silently.
  • Supervise dedicated line-of-business devices that are shared among different users.
  • Create configuration profiles to change device settings for Wi-Fi networks, preconfigure mail and Microsoft Exchange settings, and more.
  • Distribute public apps without entering an Apple ID on the device using Configurator.
  • Create blueprints to automate device management. Use blueprints as templates to configure profiles and application and push them quickly to devices
  • Add Supervision to devices and take advantage of even more management capabilities including showing or hiding applications, modifying the device name, wall paper, passcodes, keyboard short cuts and more.
  • Back up user settings and app data, including new user-created data using Configurator.

Apple Configurator 2 also works with Apple's Device Enrollment Program (DEP) to automate Mobile Device Management (MDM) enrollment and the Volume Purchase Program (VPP) by assigning managed licenses apps to devices.

For a complete list of features and functionality available to supervised and unsupervised devices, refer to the iOS Functionality appendix.

For information on enrolling iOS devices with Apple Configurator, see Enrolling iOS Devices in Bulk using Apple Configurator and the Integration with Apple Configurator guide.

Upload a Signed Apple Configurator Profile to the UEM console

You can export a signed profile from Apple Configurator (or IPCU) directly to the UEM console.

  1. Configure supervision and management settings in Apple Configurator (or IPCU).

  2. Export and save the newly created profile to somewhere easily accessible on your computer.

  3. Navigate to Resources > Profiles & Baselines > Profiles within the UEM console and select Upload.

  4. Enter the Managed By group and select Upload to locate and upload the profile exported from Apple Configurator (or IPCU). Click Continue.

  5. Enter the general profile description, including name, description, and assigned organization groups.

  6. Click Save & Publish to send the profile down to assigned devices.

-->

Applies to: Windows 10, Windows 8.1, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2

You can use the Remote Desktop client for iOS to work with Windows apps, resources, and desktops from your iOS device (iPhones and iPads).

Use the following information to get started. Be sure to check out the FAQ if you have any questions.

Note

  • Curious about the new releases for the iOS client? Check out What's new for Remote Desktop on iOS?.
  • The iOS client supports devices running iOS 6.x and newer.

Get the Remote Desktop client and start using it

This section will tell you how to download and set up the Remote Desktop client for iOS.

Download the Remote Desktop client from the iOS store

First you'll need to download the client and configure your PC to connect to remote resources.

To download the client:

  1. Download the Microsoft Remote Desktop client from the iOS App Store or iTunes.
  2. Set up your PC to accept remote connections.

Add a PC

After you've downloaded the client and configured your PC to accept remote connections, it's time to actually add a PC.

To add a PC:

  1. In the Connection Center, tap +, then tap Add PC.
  2. Enter the following information:
    • PC name – the name of the computer. The PC name can be a Windows computer name, an Internet domain name, or an IP address. You can also append port information to the PC name (for example, MyDesktop:3389 or 10.0.0.1:3389).
    • User name – The user name you'll use to access the remote PC. You can use the following formats: user_name, domainuser_name, or user_name@domain.com. You can also select Ask when required to be prompted for a user name and password when necessary.
  3. You can also set the following additional options:
    • Friendly name (optional) – An easy-to-remember name for the PC you're connecting to. You can use any string, but if you don't specify a friendly name, the PC name is displayed instead.
    • Gateway (optional) – The Remote Desktop gateway that you want to use to connect to virtual desktops, RemoteApp programs, and session-based desktops on an internal corporate network. Get the information about the gateway from your system administrator.
    • Sound – Select the device to use for audio during your remote session. You can choose to play sound on the local devices, the remote device, or not at all.
    • Swap mouse buttons – Whenever a mouse gesture would send a command with the left mouse button, it sends the same command with the right mouse button instead. Swapping mouse buttons is necessary if the remote PC is configured for left-handed mouse mode.
    • Admin Mode - Connect to an administration session on a server running Windows Server 2003 or later.
    • Clipboard - Choose whether to redirect text and images in your clipboard to your PC.
    • Storage - Choose whether to redirect storage to your PC.
  4. Tap Save.

Need to edit these settings? Press and hold the desktop you want to edit, then tap the settings icon.

Add a workspace

To get a list of managed resources you can access on your iOS, add a workspace by subscribing to the feed provided by your admin.

To add a workspace:

  1. On the Connection Center screen, tap +, and then tap Add workspace.
  2. In the Feed URL field, enter the URL for the feed you want to add. This URL can be either a URL or an email address.
    • If you use a URL, use the one your admin gave you.
      • This URL is usually a Windows Virtual Desktop URL. Which one you use depends on which version of Windows Virtual Desktop you're using.
        • For Windows Virtual Desktop (classic), use https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx.
        • For Windows Virtual Desktop, use https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery.
    • If you use an email address, enter your email address. Entering your email address tells the client ot search for a URL associated with your email address if your admin configured the server that way.
  3. Tap Next.
  4. Provide your credentials when prompted.
    • For User name, give the user name of an account with permission to access resources.
    • For Password, give the password for the account.
    • You may also be prompted to give additional information depending on the settings your admin configured authentication with.
  5. Tap Save.

After you've finished, the Connection Center should display the remote resources.

Once subscribed to a feed, the feed content will update automatically on a regular basis. Resources may be added, changed, or removed based on changes made by your administrator.

Manage your user accounts

When you connect to a PC or workspace, you can save the user accounts to select from again.

To create a new user account:

  1. In the Connection Center, tap Settings, and then tap User Accounts.
  2. Tap Add User Account.
  3. Enter the following information:
    • User Name - The name of the user to save for use with a remote connection. You can enter the user name in any of the following formats: user_name, domainuser_name, or user_name@domain.com.
    • Password - The password for the user you specified.
  4. Tap Save.

To delete a user account:

  1. In the Connection Center, tap Settings, and then tap User Accounts.
  2. Select the account you would like to delete.
  3. Tap Delete.

Connect to an RD Gateway to access internal assets

A Remote Desktop Gateway (RD Gateway) lets you connect to a remote computer on a corporate network from anywhere on the Internet. You can create and manage your gateways using the Remote Desktop client.

To set up a new gateway:

  1. In the Connection Center, tap Settings > Gateways.
  2. Tap Add gateway.
  3. Enter the following information:
    • Gateway name – The name of the computer you want to use as a gateway. The gateway name can be a Windows computer name, an Internet domain name, or an IP address. You can also add port information to the server name (for example, RDGateway:443 or 10.0.0.1:443).
    • User name - The user name and password to be used for the Remote Desktop gateway you're connecting to. You can also select Use connection credentials to use the same user name and password that you used for the remote desktop connection.

Navigate the Remote Desktop session

This section describes tools you can use to help navigate your Remote Desktop session.

Start a Remote Desktop connection

  1. Tap the remote desktop connection to start the remote desktop session.
  2. If you're asked to verify the certificate for the remote desktop, tap Accept. To accept by default, set Don't ask me again for connections to this computer to On.

Connection bar

The connection bar gives you access to additional navigation controls.

Workspace App Ios 7

  • Pan Control: The pan control enables the screen to be enlarged and moved around. Pan control is only available using direct touch.
    • To enable or disable the pan control, tap the pan icon in the connection bar to display the pan control. The screen will zoom in while the pan control is active. the pan icon in the connection bar again to hide the control and return the screen to its original resolution.
    • To use the pan control, tap and hold the pan control. While holding, drag your fingers in the direction you want to move the screen.
    • To move the pan control, double-tap and hold the pan control to move the control on the screen.
  • Connection name: The current connection name is displayed. Tap the connection name to display the session selection bar.
  • Keyboard: Tap the keyboard icon to display or hide the keyboard. The pan control is displayed automatically when the keyboard is displayed.
  • Move the connection bar: Tap and hold the connection bar. While holding the bar, drag it over to its new location. Let go of the bar to place it at the new location.

Session selection

You can have multiple connections open to different PCs at the same time. Tap the connection bar to display the session selection bar on the left-hand side of the screen. The session selection bar enables you to view your open connections and switch between them.

Workspace app download

Here's what you can do with the session selection bar:

  • To switch between apps in an open remote resource session, tap the expander menu and choose an app from the list.
  • Tap Start New to start a new session, then choose a session from the list of available sessions.
  • Tap the X icon on the left side of the session tile to disconnect from your session.

Command bar

The command bar replaced the Utility bar starting in version 8.0.1. You can use the command bar to switch between mouse modes and return to the connection center.

Use touch gestures and mouse modes in a remote session

The client uses standard touch gestures. You can also use touch gestures to replicate mouse actions on the remote desktop. The mouse modes available are defined in the table below.

Note

In Windows 8 or later, the native touch gestures are supported in Direct Touch mode. For more information on Windows 8 gestures, see Touch: Swipe, tap, and beyond.

Mouse modeMouse operationGesture
Direct touchLeft-clickTap with one finger
Direct touchRight-clickTap and hold with one finger
Mouse pointerLeft-clickTap with one finger
Mouse pointerLeft-click and dragTap and hold with one finger, then drag
Mouse pointerRight-clickTap with two fingers
Mouse pointerRight-click and dragDouble-tap and hold with two fingers, then drag
Mouse pointerMouse wheelDouble-tap and hold with two fingers, then drag up or down
Mouse pointerZoomWith two fingers, pinch to zoom out and spread fingers apart to zoom in

Supported input devices

The client has Bluetooth mouse support for iOS 13 and iPadOS as an accessibility feature. You can use Swiftpoint GT or ProPoint mice for deeper mouse integration. The client also supports external keyboards that are compatible with iOS and iPadOS.

For more information about device support, see What's new in the iOS client and the iOS App Store.

Tip

Workspace App For Ios

Swiftpoint is offering an exclusive discount on the ProPoint mouse for iOS client users.

Use a keyboard in a remote session

You can use either an on-screen keyboard or physical keyboard in your remote session.

For on-screen keyboards, use the button on the right edge of the bar above the keyboard to switch between the standard and additional keyboard.

Workspace App Download

If Bluetooth is enabled on your iOS device, the client automatically detects the Bluetooth keyboard.

While certain key combinations might not work as expected in a remote session, many of the common Windows key combinations, such as CTRL+C, CTRL+V, and ALT+TAB will work.

Tip

Workspace App Ios 11

Questions and comments are always welcome. However, if you post support requests or product feedback in this article's comments section, we won't be able to respond to your feedback. If you need help or want to troubleshoot your client, we highly recommend you go to the Remote Desktop client forum and start a new thread. If you have a feature suggestion, you can tell us using the Client UserVoice forum.