The Security Policies page lets you configure options that affect Workspace ONE UEM apps, Workspace ONE SDK-built apps, and wrapped apps.

Security Policies profiles offer security controls for SDK-built apps. Control security with authentication methods, tunneling app traffic, and restricting access to features with data loss prevention.

· From the Workspace ONE UEM Console, Go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Profiles.

· Click Add Profile.

· Click SDK Profile.

· iOS and Android both need to be added for iOS Enterprise Apps and Android Enterprise Apps.

· Under Restrictions configure Enable Data Loss Prevention.

· Click Save.

Workspace ONE Assist includes the following components:

Workspace ONE Assist Core Services: Services responsible for coordinating communication and providing service discovery for all other Workspace ONE Assist services. All database communication is handled through these services.

Workspace ONE Assist Portal Services: Services that host the Workspace ONE Assist administration portal that manages remote device sessions and registration.

Workspace ONE Assist Application Services: Services responsible for communicating with devices available for remote management which already been enrolled before, please check devices enrollment from the basic guide: Deploy Workspace One 101 – For Beginners.

Workspace ONE Assist Connection Proctor: Proctor for managing device connections to the Workspace ONE Assist server. Simultaneously handles multiple requests for remote management sessions.

Database: Microsoft SQL Server database that stores the Workspace ONE Assist system and tenant configuration, operations, and logging, such as the accrual of historical data showing when a device was enrolled in remote management.

Install Workspace ONE Assist to an On-Premises Environment:

1. we will Generate the Workspace ONE Assist T10 API Certificate:

Download the installer package, Workspace ONE Assist installer from VMware Workspace ONE Assist 5.3 Installer (You must generate the T10 API root and intermediate certificates used during an on-premises installation).

Note: The certificate generator is called RemoteManagementCertificateGenerator_9_2. This installer must be run on a machine with the same locale settings as the database server to ensure that the same date format is set in the SQL script. You must run this certificate generator as an administrator.

Run the Remote Management Certificate Generator which is included in the installer package.

 From Workspace ONE UEM console, go to GROUPS & SETTINGS.

 Click All Settings.

 Click System.

Click Advanced.

 Click Site URLs.

Go to Workspace ONE section, then copy the string in the Remote Management CN text box.

Set the connection type to be Remote Management.

Set the deployment to be On-Premises.

Put the Remote Management CN which we copied before at the Certificate Common Name.

Click Generate Certificates.

Set a password for the certificate, we will use it later.

Go to the folder that contains the certificate, Copy the p7b file to c:\temp\certs folder on the Workspace ONE Assist Server.

The certificate has been generated successfully.

2. Install Site SSL Certificate, Assist On-Premises Only:

SSL certificates provide secure, encrypted communications between a website and an Internet browser. The SSL certificate secures HTTPS binding for the management website for port 443 and allows a secure connection. This secure connection is between the admin and Web services. Also, the SSL certificate secures the connection to the Connection Proctor on port 8443 (or port 443 when the Connection Proctor (CP) Service runs on a separate server). You must provide the SSL certificate is a wildcard or SAN certificate.

Run the Microsoft Management Console (MMC).

Click file then click Add/Remove Snap-in.

 Click Certificates, then click Add.

Click Computer Account, then click Next.

Click Local Computer, then click Finish.

 Click Ok.

 Click Certificates (Local Computer), then click Personal.

 Click Certificates.

 In the Action menu of the MMC application, click All Tasks.

 Click Import.

 Click Next to begin the Wizard.

 Click Browse to locate the SSL certificate in the PFX file format which we generated before, then give it a name.

 Click Open to import it.

 Enter the Certificate password.

 Add checkmarks to the two boxes labeled Mark this key as exportable and Include all extended properties.

 Click Next.

 Select Place all certificates in the following store and set the Certificate store to ‘Personal’.

 Click Next.

 Confirm all the presented information is correct, then click Finish.

Your SSL certificate has been installed successfully.

We are installing Workspace ONE Assist for the first time, so you do not need to bind the SSL certificate to a website or renew the site thumbprint.

3. Standard (Basic) Installation of Workspace ONE Assist:

Download Workspace ONE Assist installer from https://my.workspaceone.com, then save it to the Workspace ONE Assist server.

 Right-click the installer file and select Run as administrator.

 Click Next.

 Choose any directory to install Workspace ONE Assist on it.

 Click Standard Installation (Basic) and then select Next.

 Click Connect to existing SQL Server, then enter all required data for it.

 Enter your Tenant FQDN (we explained it before, please click here).

 In the SSL Certificate text box, select the folder button, then select the SSL certificate which we generated before.

 click OK.

 Uncheck Apply Default Settings.

 Select the folder icon to attach the T10 certificate.

 Browse for the T10 certificate which we downloaded before.

 Click Open.

 Click Save.

 Click Next.

 Click Install.

 Click Next after the installation is finished.

 Leave the Execute Resource pack check box selected, then click Finish.

You have successfully installed the Workspace ONE Assist.

A faster, smarter mobile inbox that can be configured to the unique way you work. Boxer is the most efficient way to manage your email.

You can use it as your organization’s email client.

Configuring the Workspace ONE Boxer application involves adding it as a public application and assigning it with set email configurations to end-users.

· From the Workspace ONE UEM console, click APPS & BOOKS.

· Click Applications.

· Click Native.

· Click List View.

· Click Public.

· Click Add Application.

· Enter the following data:

1. Managed By: View the organization group where the application is uploaded.

2. Platform: Choose the appropriate platform. Only iOS and Android devices are supported currently.

3. Source: Select to search for the application in the app store or play store.

4. Name: Enter “Workspace ONE Boxer”.

· Locate and select the Workspace ONE Boxer app in the search results screen.

· Click Select.

· Click SAVE & ASSIGN.

· Click Distribution:

· Enter a name for your assignment.

· Add your assignment groups.

· Click Email Settings, then complete the settings on it:

· Account Name: Enter a description of the mail account.

· Exchange ActiveSync Host: Enter your EAS server URL.

· Domain, User, Email Address: By default, the login information includes {EmailDomain}, {EmailUserName} and {EmailAddress} that are defined as lookup values in your directory service. If you need to override these values, you can use custom lookup values.

· Click App policies:

· Click App Passcode: Setting an app-level passcode for Workspace ONE Boxer also encrypts the application. Device users set their passcode on the device at the application level when they first access the application.

· Click Data Loss Prevention: Determine how your end users can access emails, email attachments, and hyperlinks by configuring the following settings:

· Copy Paste: If restricted: End users cannot copy and paste content from Workspace ONE Boxer to other applications.

· Screenshots (Android Only): If restricted, Android end users cannot take screenshots of the Workspace ONE Boxer application.

· Allow Email Widget (Android Only): If enabled, Android end users can add the Workspace ONE Boxer Email widget to their home screens.

· Allow Calendar Widget (Android Only): If enabled, Android end users can add the Workspace ONE Boxer Calendar widget to their home screens.

· Click Browser: Hyperlinks If restricted, end users can only open hyperlinks in Workspace ONE Web.

· Click Save.

You have successfully deployed Workspace ONE Boxer.

Supported Capabilities for Workspace ONE Boxer:

Information Rights Management: Workspace ONE Boxer supports information rights management for both iOS and Android platforms.

Google G Suite Support: Workspace ONE Boxer supports G Suite for both iOS and Android. For more information about the limitations of Workspace ONE Boxer when used with G Suite,

Workspace ONE Boxer supports both IRM and Email Classification when composing a message.

Phishing Report: Workspace ONE Boxer supports the ability to select and report any emails as phishing. The reported email is forwarded to the email address specified in the KVP set in the console. After reporting, the original email reported as phishing is permanently deleted.

Spam Reporting: Workspace ONE Boxer supports the ability to report any emails as spam. When the user marks an email as spam, the marked email is forwarded to the KVP specified email address. An extra KVP can be used to delete the email upon forwarding.