Check Out with Workspace ONE

Created: Modified: Checkout

Like GroundControl, VMware Workspace ONE (aka “AirWatch”) includes features for shared device checkout. This article explains how to link GroundControl with Workspace ONE, so that the checkout features are synchronized between the two systems.

Once linked, a checkout in GroundControl — via a proximity badge tap, for example — will assign the device to the user in your MDM. This will trigger any user-assigned apps or policies for the device.

For example, imagine Alice checks out an iPhone. Here are some things that may then happen:

  • MDM will list the iPhone with “Alice” as the device user
  • The MDM can send an email configuration personalized for Alice
  • The MDM can use SCEP to create an identity certificate for Alice, and send that to the iPhone
  • SSO-aware apps on the iPhone, such as Voalte One or Box, can use Alice’s identity certificate to automatically sign in, without prompting for a username or password
Enroll to a Multi-User Staging User

The device must be initially enrolled into Workspace ONE UEM (aka “AirWatch”) with the Staging Mode set to “Multi-user device.” This enables GroundControl to manage the AirWatch checkout/in features.

This may be set in your DEP profile.

Assign the user during Check Out

Add the action “Perform MDM Command” to your “Check Out” workflow. Set this to assign the staged device to user “[Device User]”. That’s the attribute that contains the username of the person checking out the device.

Reset the user during Check In

Add the action “Perform MDM Command” to your “Check In” workflow. Set this to assign the staged device to the staging user’s user ID. Note: this is not needed if you erase devices on check-in.

Once you get this far, test a check out. If it is working properly, you will be able to look at the device listing in AirWatch and see the user’s name as the device owner. Once the device is checked in, the device owner should revert to the staging user.

Configure Workspace ONE Identity Manager

Next you need to configure your MDM to fetch and deploy identity certificates, and to configure your identity management software to accept those certificates for authentication. Those steps are beyond the scope of this documentation. Please refer to the VMware documentation.