
AirWatch Recommended

Configuration Guide
Effective: March 1st, 2016

AirWatch Recommended Configuration Guide | v.2016.03 | March 2016


Copyright 2016 VMware, Inc. All rights reserved. Proprietary and Confidential.

Page 1
Contents

1. Introduction ............................................................................................................... 4

2. AirWatch Foundational Elements .............................................................................. 5


2.1 Defining Organization Groups ...................................................................................................... 5
2.2 User Groups/Smart Groups ......................................................................................................... 6
2.3 Managing Administrators and Role-Based Access ...................................................................... 7
2.4 Enabling the Self Service Portal .................................................................................................. 7
2.5 Managing User Roles .................................................................................................................. 8
2.6 Device Lifecycle Notifications ...................................................................................................... 8

3. Identity and Access Management ............................................................................. 9


3.1 VMware Identity Manager ............................................................................................................ 9
3.2 MDM vs. Container Enrollment .................................................................................................... 9
3.3 Enrollment Authentication .......................................................................................................... 11
3.4 Apple Device Enrollment Program (DEP) .................................................................................. 11
3.5 Android for Work ........................................................................................................................ 12
3.6 AutoDiscovery ............................................................................................................................ 12
3.7 Terms of Use Policy ................................................................................................................... 13
3.8 Enrollment Restrictions .............................................................................................................. 14

4. MDM Setup and Policies ......................................................................................... 15


4.1 AirWatch Profiles ....................................................................................................................... 15
4.2 Passcode Profiles ...................................................................................................................... 15
4.3 Restriction Profiles ..................................................................................................................... 16
4.4 Enforcing Device Compliance .................................................................................................... 16
4.5 Privacy Policy ............................................................................................................................ 18
4.6 Privacy First ............................................................................................................................... 18

5. MAM Setup and Policies ......................................................................................... 19


5.1 Deploying and Managing Applications ....................................................................................... 19
5.2 Deploying the Enterprise App Catalog ....................................................................................... 20
5.3 Deploying Applications using Apple Volume Purchase Program (VPP)..................................... 20

6. AirWatch Application Security Settings and Policies ............................................... 22


6.1 Authentication ............................................................................................................................ 22
6.2 Single Sign On ........................................................................................................................... 22
6.3 Integrated Authentication ........................................................................................................... 23
6.4 Offline Access ............................................................................................................................ 23
6.5 Compromised Protection ........................................................................................................... 23
6.6 AirWatch App Tunnel ................................................................................................................. 23
6.7 Data Loss Prevention................................................................................................................. 24
6.8 Network Access Control............................................................................................................. 24

7. MEM Setup and Policies ......................................................................................... 25


7.1 Deploying Corporate Email ........................................................................................................ 25
7.2 Email Notification Service .......................................................................................................... 26
7.3 Protecting Your Email Infrastructure .......................................................................................... 26
7.4 Enforcing Email Access Control ................................................................................................. 28
7.5 Protecting Email Attachments & Hyperlinks ............................................................................... 28

8. MCM Setup and Policies ......................................................................................... 30


8.1 AirWatch Content Locker ........................................................................................................... 30
8.2 Integrating with Content Repositories ........................................................................................ 30
8.3 Configuring AirWatch Browser Settings ..................................................................................... 31
8.4 Content Locker Collaborate ....................................................................................................... 31
8.5 Personal Content ....................................................................................................................... 31

9. Device Specific Recommendations ......................................................................... 33


9.1 iOS Recommendations .............................................................................................................. 33
9.2 Android Recommendations ........................................................................................................ 33
9.3 Mac OS X Recommendations .................................................................................................... 33

Appendix 1: Corporate Sample Terms of Use ............................................................. 35

1. Introduction
The AirWatch Admin Console provides a centralized solution to view and manage every aspect of your MDM
deployment. Quickly and easily add new devices and users to your fleet, manage profiles and configure
system settings all within a single, web-based resource. The configuration guide for Bundled Customers
provides a walkthrough and worksheet for completing the core functionality that should be considered prior to
deploying your devices. This guide will cover the following areas:
AirWatch Console Setup
Enrollment Options and Settings
Security Setup
MDM Settings and Policies
MEM Setup and Policies
MAM Setup and Policies
MCM Setup and Policies
Additional Setup Options

All recommendations in this guide are given for a typical corporate deployment. If you do not fall into this
category or have concerns about a specific setup option, please first consult with your Deployments Engineer.

2. AirWatch Foundational Elements
2.1 Defining Organization Groups
AirWatch identifies users and establishes permissions using Organization Groups. With Organization Groups,
you can establish an MDM hierarchy identical to your organization's internal hierarchy. Alternatively, you may
choose to establish Organization Groups depending on features and content that will be accessed from sets of
devices.

Organization groups allow you to:


Build groups for entities within your organization.
Customize hierarchies with parent and child levels.
Integrate with multiple internal infrastructures at the tier level.
Delegate role-based access and management based on multi-tenant structure.

Recommendations:

AirWatch recommends that customers make their organization group structure as flat as possible to minimize
unneeded manual administrative tasks when making changes to your deployment. If Administrators for your
environment will need access to only specific groups or levels, Organization Groups are the easiest way to
achieve this segmentation. Additionally we recommend configuring Organization groups for your Production
environment and for Testing purposes. Speak with your consultant for more information on setting this up.
Many customers choose to structure their Organization Groups to mirror their existing Active Directory/LDAP
Organizational Unit structure, creating a one-to-one relationship between each AD Organizational Unit and an
AirWatch Organization Group. During enrollment, AirWatch then automatically places devices into the
corresponding OG based on the user's Organizational Unit. Although this structure works, it is typically more
granular than most customers need in their environment.
When enrolling both Corporate and BYOD devices, specific consideration is required so that each device is
managed appropriately, preserving user privacy on personal devices while still applying the correct
configuration. One of the following approaches is typically selected to automate this:
1. Enable a setting in the AirWatch Console to prompt the user during the enrollment process to select
which type of device they are enrolling (Corporate Dedicated or Employee Owned).
2. Set your default ownership type to Employee Owned and pre-register all Corporate Owned devices,
setting their ownership type to Corporate Owned.
If you opt to separate your Organization Groups by device ownership type, please be aware of the following
drawbacks:
It can be difficult to move devices and users between Organization Groups

Your entire structure (including profiles, policies and settings) may need to be duplicated

*For non-typical corporate deployment (Education, Retail, etc.), further considerations will need to be made.
Please discuss these with your Deployments Engineer.

2.2 User Groups/Smart Groups


AirWatch allows you to group sets of users into User Groups, allowing you to further streamline MDM
management by leveraging existing LDAP/AD groups. User groups act as filters (in addition to Organization
Groups) for assigning MDM Profiles and applications. When configuring your MDM environment, it is a best
practice that User Groups be used to define Security Groups and/or Business Roles within your organization. It
is also recommended that User Groups/Smart Groups be used to assign Profiles, Compliance Policies,
Content, and Applications to users and devices.

Recommendations:

AirWatch recommends the following best practices for User Groups:

Enable your AD/LDAP to sync automatically with AirWatch to regularly update user and group
information
Unless you plan on restricting enrollment to only pre-approved users, it is unnecessary to bulk
import/sync user groups from your LDAP prior to enrollment
o Users will be created in AirWatch as they enroll
Map User Groups to desired Organization Groups so users are automatically enrolled into the desired
OG
Assign apps, profiles and compliance policies to different User Groups with the use of Assignment
Groups (User Groups, Smart Groups and Organization Groups)
Assign content to different users with the use of User Groups
*AirWatch recommends against manually selecting more than 500 devices when setting up smart
groups.

2.3 Managing Administrators and Role-Based Access
Similar to how AirWatch has user accounts to keep track of users with devices, AirWatch administrator
accounts keep track of who has access to the AirWatch Admin Console. As an administrator, you can maintain
MDM settings, push or revoke features and content and much more from the centralized AirWatch Admin
Console.
Although many organizations have multiple administrators of their managed device fleet, each administrator
may require different levels of access depending on their specific corporate role. Admin Account roles provide
the proper level of access for different administrators. The AirWatch Admin Console allows a quick way to
change roles by simply selecting a new role from the Account Role dropdown box within the Account menu in
the top-right corner of the Console.
For ease of use, there are numerous Default Roles already provided by AirWatch from which you may select.
These default roles are available with every AirWatch upgrade and help quickly assign roles to new users. If
you require further customization, you have the option to create Custom Roles to further tailor the admin
privileges and permissions. Unlike default roles, custom roles require manual updates with every AirWatch
upgrade.

Recommendations:

AirWatch recommends setting up a separate Admin account for each person who will be logging in to the
Console. We also recommend the use of Default Roles over Custom Roles to avoid manual updates after
upgrades.
For On-Premise customers, AirWatch recommends that you maintain a basic administrator account at the
Global Organization Group level with System Administrator privileges. Additional basic or directory admin
accounts can be configured as needed.

2.4 Enabling the Self Service Portal


The AirWatch Self-Service Portal (SSP) is a useful online tool used to remotely monitor and manage devices. It
can help reduce the overall "hidden cost" of managing a device fleet. By empowering and educating device
users on how to perform basic device management tasks, investigate issues and fix problems, your
organization may be able to reduce the number of help desk tickets and support issues.

Recommendations:

AirWatch recommends the use of the Self Service Portal for most deployments in order to capitalize on the
benefits listed above.

2.5 Managing User Roles
By defining user roles within the AirWatch Admin Console, you can set who has access to the Self Service
Portal (SSP) and what actions logged-in users can perform. Full Access and Basic Access user roles have
been added by default, but additional roles can be added for BYOD users.

Recommendations:
When defining custom user roles, AirWatch strongly recommends duplicating the Full Access role and renaming
it to [COMPANY] Full Access. The Administrator can then adjust end-user access for this custom role based on
the company's policies and goals. This custom role should then be set as the default end-user role in the
Admin Console.

2.6 Device Lifecycle Notifications


Within the AirWatch console, Administrators have the ability to control notifications that are sent when a device
successfully enrolls, is un-enrolled, or is blocked by an enrollment restriction. Admins are encouraged to set up
these notifications based on their specific needs.

Recommendations:
For the deployment of corporate owned devices, AirWatch recommends enabling a notification to email the
Administrator if a corporate device is unenrolled or a device is blocked by an enrollment restriction.

3. Identity and Access Management

3.1 VMware Identity Manager


VMware Identity Manager is a service that extends your on premises directory infrastructure to provide a
seamless Single Sign-On (SSO) experience to Web, Mobile, SaaS and Legacy applications that may be
consumed as a SaaS service or downloaded and installed on premises. Identity Manager integrates with
AirWatch Enterprise Mobility Management to enable industry-first seamless SSO to Native Mobile Apps and
comes complete with an Enterprise App Store, SAML identity provider (IDP), application usage analytics,
Conditional access policy engine and more.

3.2 MDM vs. Container Enrollment


AirWatch offers two distinct approaches to managing and securing devices. Identify the right model for your
organization using the comparison below. The two approaches are not mutually exclusive: different groups of
users and different devices can be managed in either way.

MDM (Device-Level Management)
Full device security, flexible monitoring, management, and enforcement over the entire lifecycle of a device.

Benefits
Provides full protection & visibility of all data on the device
Ease of access directly into both personal and corporate apps
Extensive management capabilities including install/remove profiles and apps over-the-air
Flexible privacy policy enforcement to restrict IT from intrusive data and capabilities from the console
Provides integration with Samsung KNOX
Offers integration into native email client & device passcodes
Still provides all containerization capabilities of Container

Considerations
Security policies might enforce policies which affect the personal space on the device (e.g. device passcode, restrictions)
Data being managed must be on a device that is not managed by another solution (e.g. only one MDM can exist)
End user perception of privacy concerns

Ideal For
Line-of-business & corporate dedicated devices
Executives / Board of Directors with sensitive data
BYOD deployments
Organizations wanting the devices to connect and join the corporate network

Container Enrollment
Management visibility and enforcement only over the corporate apps and data on the device. Complete
containerization of corporate apps and data from personal via the Container application.

Benefits
Provides protection & visibility over corporate data on the device without managing the device
Dual persona: personal and corporate apps and data are accessed separately on a device
Avoids OS enrollment prompts warning users of intrusive MDM capabilities and privacy concerns
Unique passcode and email client separating corporate from personal
Identical corporate experience across Android manufacturers & versions

Considerations
Cannot install/remove profiles and apps over-the-air automatically
Cannot utilize device compliance policies
Cannot integrate with native email clients and device passcodes
Does not protect the user's personal data
Lost devices cannot be fully wiped, even by the employee

Ideal For
BYOD deployments
Complex Android deployments with multiple device manufacturers
Users outside of your organization you are collaborating with

3.3 Enrollment Authentication
The type of user authentication you choose trades off the amount of back-end setup work required of the
administrator against the number of logins required of the end-user on the device at enrollment. If you want the
enrollment process to be as simple as possible for the end-user, the administrator must do more work to set up
the back-end infrastructure. Likewise, a lighter workload for the administrator typically means more
steps for the end-user.
Basic Authentication - Basic Authentication can be utilized by any AirWatch architecture, but offers no
integration to existing corporate user accounts.
Active Directory / LDAP Authentication - Active Directory / LDAP authentication is utilized to
integrate user and admin accounts of AirWatch with existing corporate accounts.
Authentication Proxy - Authentication Proxy is an AirWatch proprietary solution delivering directory
services integration across the cloud or across hardened internal networks. In this model, the AirWatch
MDM server communicates with a publicly-facing web server or an Exchange ActiveSync Server that is
able to authenticate users against the domain controller. This method can only be used when
organizations have a public-facing web server with hooks into the corporate domain controller.
VMware Identity Manager - Identity Manager is a SAML authentication solution that offers single sign-
on support and federated authentication; AirWatch never receives any corporate credentials. If an
organization already has another SAML Identity Provider, SAML 2.0 integration is recommended.
Token-based Authentication - AirWatch generates a token, which is placed within the enrollment
URL. For single-token authentication, the user accesses the link from the device to complete enrollment
and the AirWatch server references the token provided to the user.

Recommendations:
For a typical corporate deployment, AirWatch recommends using Basic or Active Directory enrollment with
Auto-Discovery enabled. (If Active Directory enrollment is being utilized in On Premise environments,
AirWatch recommends configuring this at the Company level, not the Global level.) If two-factor authentication
is required for security reasons, please speak with your consultant on how to best achieve this. AirWatch
always recommends utilizing agent based enrollment to ensure the greatest amount of functionality.

If you have additional questions on enrollment, please discuss these with your Deployments Consultant, or
reference the AirWatch Enrollment Process Guide.

3.4 Apple Device Enrollment Program (DEP)


The Device Enrollment Program from Apple is designed to help enterprises and educational institutions
simplify the MDM enrollment process for IT departments and end-users. The Device Enrollment Program
enables enterprises to automatically install MDM profiles onto devices during the initial device setup process
as well as supervise iOS devices over-the-air. Prior to the Device Enrollment Program, in order to supervise a
device, it had to be tethered via USB to a computer running Apple Configurator. Learn more about this
program with the AirWatch Guide for the Apple Device Enrollment Program (DEP).

Recommendations:
AirWatch recommends the use of the Device Enrollment Program if it is available to you. When using DEP
enrollment, we recommend pushing the AirWatch Agent as a managed app.

3.5 Android for Work


Google is making Android more secure for enterprises by providing data separation and security through a
program called Android for Work. Android for Work not only improves Bring Your Own Device
(BYOD) programs but also allows enterprises to deploy corporate owned devices that are enterprise ready.

Android for Work offers two modes depending on the ownership of the device being used within your
organization. Work Profile mode creates a dedicated space on the device for only work applications and
data; in this mode AirWatch does not control the entire device. For devices that are deployed to end users as
corporate owned, Work Managed Device mode allows AirWatch and the IT admin to control the entire
device.

The benefits of Android for Work include:


Removes the fragmentation of manageability on Android devices, which standardizes the core
components of Android on the same operating systems across all devices regardless of manufacturer.
Integrates the use of Google applications for business purposes to provide personal and work profiles
in a single, unified launcher.

Recommendations:
Customers should plan on migrating their device fleet to Android for Work enabled devices over the next 2-3
years in order to be able to utilize the greatest amount of functionality for their Android devices.

3.6 AutoDiscovery
AirWatch AutoDiscovery allows your end users to enroll their device using information they already know
(corporate email address), rather than having to enter the AirWatch Server URL and Group ID. Learn more
about AutoDiscovery enrollment with the Guide to Simplified Enrollment with AutoDiscovery.

Recommendations:
AirWatch recommends the use of AutoDiscovery for enrollment for standard corporate deployments if it is an
option.

3.7 Terms of Use Policy


Use built-in Terms of Use to ensure that all users with managed devices have agreed to the policy. The Terms
of Use displays during device enrollment and must be accepted by the user before proceeding with enrollment.
The AirWatch Admin Console allows you to fully customize each Terms of Use and assign a unique Terms of
Use to each Organization Group and Child Organization Group.

Recommendations:
AirWatch provides sample Terms of Use policies for Corporate deployments. This sample can be found in
Appendix 1.

**Please note that this Terms of Use is an example only and should not be considered a legally binding
contract. Always consult with your Legal team before publishing your corporate Terms of Use policy.**

3.8 Enrollment Restrictions
Enrollment Restrictions allow you to customize enrollment policies by Organization Group and User Group
roles, including the ability to:
Create and assign existing enrollment Restrictions policies using the Policy Settings.
Blacklist or whitelist devices by platform, operating system, UDID, IMEI, etc.
Using the bottom configuration checkboxes, you may also choose to restrict enrollment to only known
users or users that are a member of configured groups, and specify whether administrators in child
location groups are allowed to create, edit and assign restriction policies.

Recommendations:
AirWatch recommends making the following enrollment restrictions for typical deployments:
Require Apple devices to be on the latest version of each OS that you wish to support to prevent
potential security risks
Require Android devices to be on Android version 4.0 or higher; you may also enforce Android
requirements by certain device type or OEM
Restrict device ownership types you don't plan to support
Limit the number of devices that a user can enroll based on licenses purchased
Restrict any OS that you do not wish to support
Keep in mind that multiple enrollment restrictions can be put in place and assigned to user groups
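To make the restriction logic above concrete, here is an added example (not code from the AirWatch guide or the Console) that evaluates constructed enrollment attempts against a policy built from the recommendations: a per-platform OS minimum (Android 4.0 from the text; the iOS value of 9.2 is an assumption standing in for "latest version you support"), supported ownership types, a UDID blacklist and a per-user device cap (the limit of 2 is assumed). Field names, sample users and UDIDs are illustrative, not the Console's schema.

```python
"""
Added example, not part of the AirWatch guide: a small evaluator for the
enrollment restrictions recommended above, run against constructed
enrollment attempts. Policy fields, attribute names, the iOS minimum of
9.2, the two-device cap and the sample users/UDIDs are assumptions chosen
for illustration, not the Console's own schema or values.
"""
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple[int, ...]:
    """'4.0.4' -> (4, 0, 4). Comparing tuples keeps 4.10 newer than 4.9,
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class EnrollmentRestrictions:
    min_os: dict[str, str]        # lowest accepted version per platform; other platforms are refused
    allowed_ownership: set[str]   # ownership types this deployment supports
    max_devices_per_user: int     # cap tied to licences purchased
    blacklisted_udids: set[str] = field(default_factory=set)


@dataclass
class EnrollmentAttempt:
    user: str
    platform: str
    os_version: str
    ownership: str
    udid: str


def evaluate(attempt: EnrollmentAttempt, policy: EnrollmentRestrictions,
             enrolled_per_user: dict[str, int]) -> list[str]:
    """Return [] when enrollment may proceed, otherwise every reason it is blocked.
    All checks run so an admin notification (section 2.6) can carry the full picture."""
    reasons = []
    minimum = policy.min_os.get(attempt.platform)
    if minimum is None:
        reasons.append(f"platform {attempt.platform} is not supported")
    elif parse_version(attempt.os_version) < parse_version(minimum):
        reasons.append(f"{attempt.platform} {attempt.os_version} is below the required {minimum}")
    if attempt.ownership not in policy.allowed_ownership:
        reasons.append(f"ownership type {attempt.ownership!r} is not supported")
    if attempt.udid in policy.blacklisted_udids:
        reasons.append(f"UDID {attempt.udid} is blacklisted")
    if enrolled_per_user.get(attempt.user, 0) >= policy.max_devices_per_user:
        reasons.append(f"{attempt.user} already has {policy.max_devices_per_user} enrolled devices")
    return reasons


# Policy following the recommendations above (iOS minimum and device cap assumed).
POLICY = EnrollmentRestrictions(
    min_os={"iOS": "9.2", "Android": "4.0"},
    allowed_ownership={"Corporate Dedicated", "Employee Owned"},
    max_devices_per_user=2,
    blacklisted_udids={"LOST-0003"},
)

# Constructed enrollment attempts and current per-user device counts.
ATTEMPTS = [
    EnrollmentAttempt("alice", "iOS", "9.2.1", "Employee Owned", "UD-0001"),
    EnrollmentAttempt("bob", "Android", "4.0.4", "Corporate Dedicated", "UD-0002"),
    EnrollmentAttempt("carol", "Android", "2.3.6", "Employee Owned", "UD-0003"),
    EnrollmentAttempt("dave", "Windows Phone", "8.1", "Corporate Dedicated", "UD-0004"),
    EnrollmentAttempt("erin", "iOS", "9.3", "Shared", "LOST-0003"),
]
ENROLLED = {"erin": 2}


def run_sample() -> dict[str, list[str]]:
    """Map each attempt's UDID to its block reasons (empty list = allowed)."""
    return {a.udid: evaluate(a, POLICY, ENROLLED) for a in ATTEMPTS}


if __name__ == "__main__":
    for udid, reasons in run_sample().items():
        print(udid, "ALLOWED" if not reasons else "BLOCKED: " + "; ".join(reasons))
```

The version comparison is the part worth copying: a minimum of "4.0" compared as a string would wrongly reject "4.10", which is exactly the kind of silent gap that lets an outdated OS through once a platform's minor versions pass 9. Collecting every reason rather than stopping at the first makes the blocked-enrollment notification from section 2.6 actionable for the administrator.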

4. MDM Setup and Policies
4.1 AirWatch Profiles
Profiles are the primary means by which you can manage devices. You can think of profiles as the settings and
rules that, when combined with compliance policies, help you enforce corporate rules and procedures. They
contain the settings, configurations, and restrictions that you want to enforce on devices. Create profiles for
each platform type, and configure a payload, which are the individual settings you configure, such as those for
passcodes, Wi-Fi, restrictions, or VPN, for each one.

Recommendations:
AirWatch recommends setting up only one payload per profile. This allows you to make changes and updates to
a specific payload more easily without adversely impacting end users. Passcode and Restrictions profiles
(or other required settings) should have Allow Removal set to Never so the end user cannot get around
the policy. AirWatch also recommends using the following naming convention when creating profiles:
Payload Type - Assignment Group

Please refer to the device platform guides for more information on device specific profiles and settings.

4.2 Passcode Profiles


End users access sensitive corporate information from their devices, making device security a major enterprise
concern. Setting a passcode policy requires your end users to enter a passcode, providing a first layer of
defense for sensitive data on devices.
When configuring a Passcode profile, consider:
Complexity - simple passcodes for quick access or alphanumeric passcodes for security
Auto-Lock - secure idle devices with a short lock time
Maximum Passcode Age - enforce renewal of passcodes at a selected interval
Maximum Failed Attempts - prevent unauthorized access by fully wiping the device after a set number of failed
attempts

Recommendations:
AirWatch guidelines on passcode complexity are as follows:

1 - Minimal Complexity
Recommended Policy
Allow Simple Value: Yes
Require Alphanumeric: No
Min Number of Complex Characters: 0
Min Passcode Length: 4
Max Age: None
History: None
Auto Lock Timeout: 15 minutes
Max Failed Attempts: 10
Ideal For: BYOD; devices without sensitive apps, content, or data

2 - Moderate Complexity
Recommended Policy
Allow Simple Value: No
Require Alphanumeric: No
Min Number of Complex Characters: 0
Min Passcode Length: 6
Max Age: 90 days
History: 3
Auto Lock Timeout: 10 minutes
Max Failed Attempts: 8
Ideal For: Most organizations requiring strong security without compromising user experience

3 - High Complexity
Recommended Policy
Allow Simple Value: No
Require Alphanumeric: Yes
Min Number of Complex Characters: 2
Min Passcode Length: 8
Max Age: 30 days
History: 5
Auto Lock Timeout: 3 minutes
Max Failed Attempts: 5
Ideal For: Devices with highly sensitive data; Executives / Board of Directors; Finance / Government Customers
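As an added example (not code from the guide or from AirWatch), the following Python checks a candidate passcode against the three tiers above at creation time, which is useful for testing which tier a proposed corporate standard actually satisfies before publishing it. It assumes the usual meaning of each setting: a "simple value" is a passcode made of repeated characters or an ascending/descending run (1111, 1234, dcba), "alphanumeric" means at least one letter and one digit, and a "complex character" is anything other than a letter or digit. The age, history, auto-lock and failed-attempt settings are enforced by the device over time and are left out.

```python
"""
Added example (not from the AirWatch guide): a checker that tests a candidate
passcode against the three complexity tiers in the table above. The meaning
of each setting is an assumption: "simple value" = repeated characters or an
ascending/descending run (1111, 1234, dcba); "alphanumeric" = at least one
letter and one digit; "complex character" = anything that is not a letter
or digit.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    allow_simple: bool
    require_alphanumeric: bool
    min_complex_chars: int
    min_length: int


# The three tiers from the table, limited to the settings that can be checked
# when the passcode is set; age, history, lock and wipe are enforced on-device.
TIERS = {
    1: PasscodePolicy("Minimal", True, False, 0, 4),
    2: PasscodePolicy("Moderate", False, False, 0, 6),
    3: PasscodePolicy("High", False, True, 2, 8),
}


def is_simple(passcode: str) -> bool:
    """True for repeated characters or a monotonic run such as 1234 or dcba."""
    if len(set(passcode)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({1}, {-1})


def check_passcode(passcode: str, policy: PasscodePolicy) -> list[str]:
    """Return the list of policy violations (an empty list means compliant)."""
    problems = []
    if len(passcode) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not policy.allow_simple and is_simple(passcode):
        problems.append("simple value (repeated or sequential characters)")
    has_letter = any(c.isalpha() for c in passcode)
    has_digit = any(c.isdigit() for c in passcode)
    if policy.require_alphanumeric and not (has_letter and has_digit):
        problems.append("must contain both letters and digits")
    complex_count = sum(1 for c in passcode if not c.isalnum())
    if complex_count < policy.min_complex_chars:
        problems.append(
            f"needs {policy.min_complex_chars} complex (non-alphanumeric) "
            f"characters, has {complex_count}"
        )
    return problems


def highest_tier_satisfied(passcode: str) -> int:
    """Highest tier (1-3) the passcode meets, or 0 if it fails even Minimal."""
    best = 0
    for tier in sorted(TIERS):
        if not check_passcode(passcode, TIERS[tier]):
            best = tier
    return best


if __name__ == "__main__":
    # Constructed sample passcodes, one per outcome.
    for candidate in ["1234", "2580", "735912", "Blue!Sky#42"]:
        print(f"{candidate!r}: tier {highest_tier_satisfied(candidate)}")
```

Note that a six-digit PIN such as 735912 clears the Moderate tier but not High, while 1234 is accepted only where simple values are allowed; the sequential check is what separates the two tiers in practice, since most users' first choice of PIN is a keypad run.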

4.3 Restriction Profiles


Restrictions profiles provide a second layer of device data protection by allowing you to specify and control
how, when and where your employees use their devices. They are typically used to prevent an end user from
performing a specific action on their device. When configuring a Restrictions profile, consider:
Platform - options vary based on OEM and OS
Device Functionality - disable specific device functions to align with the device's purpose
Applications - remove access to non-productive native apps
Data Loss Prevention - force encryption and disable SD card access, USB and cloud backups

Recommendations:
All device restrictions are to be set by the prerogative of the client.

4.4 Enforcing Device Compliance


Another aspect of securing the managed devices in your fleet is the Compliance Engine, AirWatch's automated
tool for ensuring that all devices adhere to your policies. Your policies may include basic security settings such as
requiring a passcode and a minimum device lock period. You may also decide to set password strength, blacklist
certain apps and require device check-in intervals to ensure devices are safe and in contact with the AirWatch
servers.

Once configuration is complete and a device falls out of compliance, the Compliance Engine begins to warn the
user to fix the compliance errors in order to prevent disciplinary action on the device. For example, if a user loads
blacklisted games or social media apps onto their device, the Compliance Engine sends a message to notify
the user that their device is out of compliance. If the errors aren't corrected in the amount of time specified, the
device loses access to certain content and applications. You may even automate the escalation process if
corrections aren't made: lock the device down and notify the user to contact you to unlock the device. These
escalation steps, disciplinary actions, grace periods and messages are all completely customizable in the
AirWatch Admin Console. Enforcing mobile security policies is as easy as:
• Building your policies: customize your policy to cover everything from application list, compromised
status, encryption, model and OS version, passcode and roaming
• Defining escalation: configure time-based actions in minutes, hours or days and take a tiered
approach to those actions
• Specifying actions: send SMS, email or push notifications to the user's device or send an e-mail only
to an Administrator. Request device check-in, remove or block specific profiles, install compliance
profiles, remove or block apps and perform an enterprise wipe
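The three steps above, as an added example in Python that is not AirWatch code: each policy carries a single rule (the one-rule-per-policy practice the recommendations below advise) and a tiered, time-based escalation ladder, and the evaluator tracks how long a device has been non-compliant so grace periods can be measured. The device fields, app identifiers, rules and delays are constructed samples, not the Compliance Engine's own.

```python
"""Toy compliance evaluator: one rule per policy plus a time-based escalation
ladder. Added example, not AirWatch code; device fields, app identifiers,
rules and delays are constructed samples, not the Compliance Engine's own."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Device:
    udid: str
    installed_apps: Set[str]
    compromised: bool               # jailbroken / rooted
    encrypted: bool
    os_version: Tuple[int, int]
    # first time each policy saw the device non-compliant; drives grace periods
    violation_started: Dict[str, datetime] = field(default_factory=dict)


@dataclass(frozen=True)
class CompliancePolicy:
    name: str
    is_compliant: Callable[[Device], bool]
    # (grace period, action) tiers, in ascending order of delay
    escalation: List[Tuple[timedelta, str]]


# Constructed sample blacklist and OS floor (bundle ids are placeholders).
BLACKLIST = {"com.example.game", "com.example.social"}
MIN_OS = (9, 0)

POLICIES = [
    CompliancePolicy(
        "Application List",
        lambda d: not (d.installed_apps & BLACKLIST),
        [(timedelta(0), "notify user: remove blacklisted app"),
         (timedelta(hours=24), "email administrator"),
         (timedelta(days=3), "block corporate profiles and apps"),
         (timedelta(days=7), "enterprise wipe")]),
    CompliancePolicy(
        "Compromised Status",
        lambda d: not d.compromised,
        [(timedelta(0), "enterprise wipe")]),  # no grace period
    CompliancePolicy(
        "Encryption",
        lambda d: d.encrypted,
        [(timedelta(0), "notify user: enable encryption"),
         (timedelta(days=1), "block corporate profiles and apps")]),
    CompliancePolicy(
        "OS Version",
        lambda d: d.os_version >= MIN_OS,
        [(timedelta(0), "notify user: update OS"),
         (timedelta(days=14), "block corporate profiles and apps")]),
]


def actions_due(device: Device, policy: CompliancePolicy, now: datetime) -> List[str]:
    """Return the escalation actions reached for `policy` at time `now`.
    A compliant device clears its violation timer, so the ladder restarts
    from the first tier if it drifts out of compliance again."""
    if policy.is_compliant(device):
        device.violation_started.pop(policy.name, None)
        return []
    started = device.violation_started.setdefault(policy.name, now)
    elapsed = now - started
    return [action for delay, action in policy.escalation if elapsed >= delay]


def evaluate(device: Device, now: datetime) -> Dict[str, List[str]]:
    """Run every policy; the result maps policy name to the actions currently due."""
    result = {}
    for policy in POLICIES:
        actions = actions_due(device, policy, now)
        if actions:
            result[policy.name] = actions
    return result


def sample_timeline() -> List[Dict[str, List[str]]]:
    """Constructed walkthrough: a device installs a blacklisted game, ignores
    the warning for a week, then removes it."""
    device = Device("constructed-udid-0001", {"com.example.game"}, False, True, (9, 2))
    t0 = datetime(2016, 3, 1, 9, 0)
    results = [evaluate(device, t0),
               evaluate(device, t0 + timedelta(hours=25)),
               evaluate(device, t0 + timedelta(days=7))]
    device.installed_apps.discard("com.example.game")
    results.append(evaluate(device, t0 + timedelta(days=8)))
    return results


if __name__ == "__main__":
    for step in sample_timeline():
        print(step or "compliant")
```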

Recommendations:
As with profiles, AirWatch recommends only configuring one compliance rule per policy. We recommend
setting up specific policies based on the table below. All other policies are to be configured per the prerogative
of the client.
Compliance Policy Android iOS Windows 10 Windows 10 Mac OS X
Mobile
Passcode X* NA
Encryption X*

Compromised Status NA NA NA
Last Compromised Scan NA NA NA
Terms of Use Acceptance**
Antivirus Status NA NA NA NA
OS Version
Application List NA NA
*For iOS devices, AirWatch recommends NOT setting a compliance profile for Passcode or Encryption. These are automatically enforced
through the passcode/encryption profile as long as Allow Removal in the General settings is set to Never.
**Compliance policies for Terms of Use Acceptance will only be enforced when pushing out a new Terms of Use, not with the initial
acceptance that is required with enrollment.
When enabling passcode compliance on Windows Phone devices, we recommend ensuring a passcode exists on the phone prior to
setting up compliance.

4.5 Privacy Policy
Configuring privacy settings according to device ownership allows you to easily adhere to data privacy laws in
other countries or legally-defined restrictions and even ensure certain IT checks and balances are in place,
preventing overload of servers and systems.

Recommendations:
The default privacy settings in your console are set to AirWatch's best practice for all device ownership types.
Customers may adjust the settings as needed to comply with any country or industry standards.

4.6 Privacy First


The AirWatch Privacy First program is a new feature in version 8.3 that provides more transparent information
to end users on the information and settings being managed by AirWatch MDM. Privacy First is not a
replacement for the End User License Agreement or Terms of Use, but rather additional information that the
user always has access to regarding their privacy. This program aims to encourage BYOD adoption by
providing details on what AirWatch can and cannot do on users' phones.

Recommendations:
AirWatch recommends enabling Privacy First for all Employee Owned devices. Customers should always
review their privacy settings prior to enabling Privacy First. The default privacy settings in the AirWatch console
should be set to our recommendations to avoid any potential privacy violations. Please note that Privacy First
is not intended to replace an official Terms of Use.

5. MAM Setup and Policies
5.1 Deploying and Managing Applications
Distribute, secure and track mobile applications across your mobile fleet with AirWatch's Mobile Application
Management capabilities directly from the AirWatch Admin Console. These cover the following three types
of applications:

• Internal applications - Applications developed by your organization that you may not necessarily want
to be in a public app store. Since internal applications are company-specific applications, you can
obtain the application file from your developers and upload it to the AirWatch Admin Console. Once the
internal application is uploaded, you can manage the application's settings and deployment over-the-air
from the AirWatch Admin Console alongside publicly available applications or applications purchased in
bulk. Install, remove and update the application wirelessly and with minimal end-user interaction.
Additionally, take advantage of available AirWatch SDK and App Wrapping features to maximize your
internal application's potential.
• Public Applications - Many of the applications available within public app stores can be used to
enhance the business interactions that take place on your managed devices. Deploy and manage
some of these applications from the AirWatch Admin Console for the specific groups and users within
your organization.
• Purchased Applications - If you want to distribute a public or B2B application to hundreds or
thousands of iOS devices or users, you may consider using the Apple Volume Purchase Program
(VPP). The Apple VPP enables organizations to purchase publicly available applications or specifically
developed third-party applications in bulk for distribution.

Recommendations:
AirWatch makes the following recommendations in regards to deploying applications:
• Always create a required app list
  o This should include the AirWatch Agent and any other enterprise apps you want to enable your
users to access
• Create a blacklist:
  o Blacklist high risk or inappropriate apps
  o Blacklist apps that can facilitate data loss (e.g. cloud storage apps)
  o If devices are on a corporate data plan, blacklist video or music streaming apps
• If App Groups (blacklist, whitelist, etc.) are created, a compliance policy should be set up to enforce the
requirements
• Web Applications (in Apps & Books) should be used over Web Clip profiles whenever possible

5.2 Deploying the Enterprise App Catalog
After you configure your public applications, internal applications and purchased applications in the AirWatch
Admin Console, you can deploy an Enterprise App Catalog to your end-users, which will let them access those
applications. While the AirWatch Admin Console allows you to manage applications over-the-air in a
centralized location, the App Catalog serves as a one-stop shop for your end-users to access applications
based on the settings you established in the AirWatch Admin Console.

The AirWatch App Catalog is where users can do the following tasks:
• View and install recommended public, internal, purchased or web applications.
• Browse and filter applications by type and category.
• Receive notifications on application updates for both managed and unmanaged applications.
• Install application updates for managed applications.
• Add ratings and comments for public, internal or purchased applications.
• View the overall rating for an application based on ratings provided by other users, and view specific
comments provided by other users.
• View application status: whether an application is Not Installed, Installed, Needs Update or Blocked.

Recommendations:
AirWatch recommends the use of the app catalog for all deployments that are pushing applications to their
users. The app catalog should be pushed as a seeded app upon enrollment, rather than through a manual
profile.

5.3 Deploying Applications using Apple Volume Purchase Program (VPP)


If you want to distribute a public or B2B application to hundreds or thousands of iOS devices or users, you may
consider using the Apple Volume Purchase Program (VPP). The Apple VPP enables organizations to purchase
publicly available applications or specifically developed third-party applications in bulk for distribution. Any paid
application from the App Store is available for volume purchase at the existing App Store price. Custom B2B
applications can be free or purchased at a price set by the developer. If your organization uses free public iOS
apps collected through the Apple VPP, AirWatch can distribute these apps, as well.

Recommendations:
AirWatch recommends using the License-Based method of deploying apps over the Order-Based method.
With the License-Based method, apps can be assigned out, revoked, and reassigned without the loss of a
license. Once a license has been redeemed using the Order-Based method, it cannot be recycled. If you are
pushing public applications, we recommend pushing these as VPP applications.

With the release of iOS 9, Apple now provides support for both user based VPP and device based VPP.
Device based VPP is recommended in situations where Apple IDs may not be present on devices (education,
retail, etc.). User based VPP is recommended if Apple IDs will be on the devices and if users have multiple
devices that the application is needed on. If user based VPP is being utilized, a 1-to-1 mapping of users to Apple IDs is
recommended.
To ensure that all apps deployed using license-based VPP can be managed from the AirWatch console, it is
recommended that a unique Apple ID be used on each device.
The preferred way to revoke a license is through the User. Unenroll all devices from a user and then delete
the User from the AirWatch Console. You may then re-add the user into the console after they have been
removed. The AirWatch Console will revoke the license so that it is now available for reuse. If you will be
migrating a VPP token from one environment to another, please speak to an AirWatch agent prior to doing so.

6. AirWatch Application Security Settings and Policies
Through the AirWatch Admin Console, company administrators have the ability to change security settings for
AirWatch applications. The following sections give information and recommendations regarding editing the
Default SDK profile for these apps. These settings can also be configured in custom SDK profiles, but
AirWatch recommends against the use of custom SDK profiles unless you have a specific use case for an
application.

6.1 Authentication
Through the AirWatch Container, you can designate a requirement to access AirWatch applications or
wrapped applications. Configurable options are a passcode, username and password, or no authentication.
Please consider the following when determining authentication type:
• Passcode: Designates a local passcode requirement for AirWatch applications or wrapped
applications that have the default settings profile applied to them. Device users set their passcode on
the device at the application level when they first access the application.
• Username and Password: Requires a user to authenticate to AirWatch using their AirWatch
credentials. Set these credentials when you add users in the Accounts area of the AirWatch Admin
Console.
• Disabled: Requires no authentication to access the application

Recommendations:
For a Container deployment, AirWatch recommends the use of a passcode to secure Container applications. A
moderately complex passcode should be used to promote ease of use for end users while maintaining
corporate security. See Section 4.2 for more guidelines on password complexity.

6.2 Single Sign On


Single-Sign-On works in conjunction with Container authentication by allowing your end users to enter their
credentials only once during the SSO session in order to access Container applications. If SSO is disabled,
users must enter a separate passcode or credentials for each individual application.

Recommendations:
AirWatch recommends the use of Single-Sign-On with containerized applications. If a specific application
within Container has different requirements, a Custom SDK profile can be configured and require different
authentication for that app. Please speak with your Deployments engineer for more information on Custom
SDK profiles.

6.3 Integrated Authentication
Integrated Authentication allows user credentials to be passed on from enrollment to other allowed sites/apps
to provide more seamless use.

Recommendations:
AirWatch recommends the use of Integrated Authentication for ease of use unless you have strict security
policies that require a sign in for each application or site.

6.4 Offline Access


Enabling offline access gives your end users the ability to access corporate resources using the SSO identity
when the device is offline.

Recommendations:
Administrators should create a policy for offline access that weighs the benefit of this access against potential
loss of security. We recommend against always allowing offline access, but the time frame should be
determined by your company policy.

6.5 Compromised Protection


Compromised protection can be enabled to automatically perform an Enterprise Wipe if the device is detected
as compromised. An Enterprise Wipe will remove all corporate data from the device and unenroll the user.

Recommendations:
AirWatch recommends the use of Compromised Protection for BYOD deployments to reduce security risks.

6.6 AirWatch App Tunnel


The AirWatch App Tunnel allows an application to communicate through a VPN or reverse proxy to access
internal resources such as SharePoint or other intranet sites. The App Tunnel can integrate with the AirWatch
Mobile Access Gateway, an F5 proxy, or a Standard Proxy.

Recommendations:
AirWatch recommends the use of the Mobile Access Gateway with the AirWatch App Tunnel.

6.7 Data Loss Prevention
This feature allows administrators to protect sensitive data within applications by blocking end users from
performing certain actions. These actions include Copy and Paste, Printing, Camera, Composing Emails, Data
Backup, Location Services, Bluetooth, Watermark, and limiting documents to open only in approved apps.
Keep in mind that Data Loss Prevention is not specifically available for Container, but it is available for
applications contained in the Container.

Recommendations:
AirWatch recommends the use of Data Loss Prevention if you have sensitive information within the Container
applications that you are trying to protect. We do recommend setting Limit Documents to Only Open in
Approved Apps to only open in AirWatch applications (Content Locker, Browser, Inbox, or Wrapped/SDK-
enabled corporate apps).

6.8 Network Access Control


This feature allows the administrator to configure the type of network access an application is allowed to use. If
enabled, the admin can control when a device is allowed to use both a cellular connection and a Wi-Fi
connection.

Recommendations:
AirWatch recommends that Network Access Control is disabled unless you have a specific use case that
requires limitation to the network access of your Container or AirWatch applications.

7. MEM Setup and Policies
7.1 Deploying Corporate Email
AirWatch provides advanced Mobile Email Management (MEM) solutions through email access control and
data loss prevention capabilities which are not provided by the native mail infrastructure.
Corporate email is established on devices with an Exchange ActiveSync (EAS) payload. When configuring an
EAS payload, consider:
• SSL: Use SSL to encrypt mail traffic.
• Look-up Values: Leverage user account information to simplify authentication.
• Data-loss Prevention: Prevent access in third-party email clients and moving messages.
• Email Platform: Choose the email client for select Android devices and iOS devices.

AirWatch allows customers to push mail through the native application or through an email container,
depending on device type. The table below provides recommendations for when to deploy corporate email
through the native email client or through a separate email container. Clients have the option of using the
AirWatch Inbox, Touchdown, or Traveler clients if they opt for the containerized experience.

Native Experience
Access mail via the out-of-box mail application on your device.
Benefits:
• Intuitive native user experience
• One mail client contains all mail on the device
• Some platforms have built-in containerization (e.g. iOS 7)
• No cost or third-party application required; built-in support
Considerations:
• Corporate and personal mail located within the same application
• Some platforms don't support things like an additional PIN for email and copy/paste blocking
Ideal For:
• Businesses with moderate email security requirements
• Businesses valuing the native email experience on a device

Containerized Experience
Access mail via the AirWatch Inbox application.
Benefits:
• Separation of corporate and personal mail into different app containers
• Deliver email to a device not managed by MDM
• Advanced DLP features: disable copy & paste, inbox passcode, etc.
• Encrypt attachments without use of the SEG proxy
Considerations:
• Requires a third-party application
• Different mail clients for personal and corporate mail on the device
• Unique experience from the native mail application
Ideal For:
• Businesses utilizing AirWatch Container
• Regulated users with DLP requirements to block copy/paste on the device
• Android BYOD users for a consistent email experience across manufacturers

Recommendations:
We recommend the AirWatch Inbox for Android devices for cross OEM support and for iOS devices if email
containerization is required. Other considerations may need to be made if email attachment encryption is being
utilized.

7.2 Email Notification Service


Presently, the AirWatch Inbox on iOS devices syncs email from the Exchange server at a regular interval of
time. When a new email is available on the Exchange, Inbox fetches the message ID and displays a
notification to the device locally. This is only possible when the Inbox is running in the background and starts
polling with Exchange for some time duration. This time duration is decided by the operating system. Periodic
manual syncs from the Inbox may lead to battery drainage.

With AirWatch 8.2+, it is possible to receive real time email notifications on iOS devices with the AirWatch
Inbox installed. The AirWatch Email Notification Service (ENS) communicates with AirWatch and maintains the latest
set of enrolled iOS devices that have AirWatch Inbox installed. It then creates a persistent connection between
ENS and the Exchange server. On receiving a new message from Exchange, ENS pushes this message event to
the specific device user via the Cloud Notification Service (CNS) and the Apple Push Notification
Service (APNS).

Recommendations:

AirWatch recommends the use of ENS when looking for real time email notifications for iOS devices using the
AirWatch Inbox. Use of ENS can also reduce battery drain on these devices by removing the need to
manually sync mail.

7.3 Protecting Your Email Infrastructure


In order to take advantage of AirWatch's Mobile Email Management features and ultimately protect your mail
infrastructure, you must first configure one of AirWatch's MEM models:
• Visibility Only
• PowerShell Integration
• Gateway Approach

Models 2 and 3 below provide a very similar set of MEM capabilities and are, for the most part, selected solely
based on what type of email infrastructure you are utilizing. AirWatch recommends that you use the following
models based on your email infrastructure and security requirements:

1 Configuration Only
Features:
• View managed devices with email deployed
• Remotely push/revoke email
• No additional setup required
Considerations:
• Unmanaged devices may still connect directly to the email server
• No email access control to block devices from accessing mail when non-compliant
Ideal For:
• Businesses with moderate email security requirements

2 PowerShell Integration
Features:
• View devices connected to the email server
• Remotely push/revoke email
• Blacklist unmanaged devices from access
• Enable advanced troubleshooting
Considerations:
• Requires Exchange 2010/2013 or Office 365 architecture
• Additional setup required
• No real time details about unmanaged devices attempting to connect to Exchange
Ideal For:
• Businesses wanting email access control without proxying email

3 Gateway Approach
Features:
• View real time details about devices connected to the email server
• Remotely push/revoke email
• Blacklist unmanaged devices from access
• Enable advanced troubleshooting
• Content Transformation
Considerations:
• Requires Exchange 2003+, Lotus Notes, GroupWise, or other EAS based architecture
• Lightweight on-premise architecture required
Ideal For:
• Businesses with strict email security requirements with supported architecture

Recommendations:
AirWatch recommends using PowerShell with Office 365 and Microsoft Exchange 2010 and above
environments. If a large number of devices (greater than 50,000) will be enrolled into your environment,
additional considerations may need to be made. PowerShell is typically used with the AirWatch Cloud
Connector server. If you are integrating PowerShell with Office 365, the AirWatch Cloud Connector is not
required.
If PowerShell is being utilized, AirWatch recommends enabling PowerShell before you begin enrolling devices
to streamline the admin and end-user experience. Compliance policies or restricted access can be enabled
later if desired. AirWatch recommends syncing mailboxes to the Console during the initial configuration.
Additional syncs post integration can cause overhead on the system and unwanted notifications to end-users.
If installing the Secure Email Gateway, AirWatch recommends installing the component on its own server
when possible. It can be combined with other servers if cost is an issue, but we do not support it being installed
on an EAS server.

Regardless of the email management approach used, AirWatch recommends creating an EAS profile for all
platforms that could potentially be enrolled before any devices are enrolled. AirWatch also recommends
against the use of email on shared devices.

7.4 Enforcing Email Access Control


Now that email has been deployed, you can further protect your mobile mail with access control to only allow
secure, compliant devices to access your mail infrastructure. AirWatch recommends using mobile email access
control to restrict mail from:
• Inactive or unmanaged devices
• Compromised or non-encrypted devices
• Devices with an older make, model or OS

Recommendations:
AirWatch makes the following recommendations in regards to email compliance:
• Email compliance should not be used to enforce a policy that can be enforced through MDM
compliance
• All devices should be on the allowed list before you turn on compliance to block users
• Always block unmanaged devices
• Do not use mail client compliance, because of the frequent updates that are made to clients and the
potential of blocking mail from your users
• Block devices based on device inactivity in order to prevent unmanaged devices from accessing
corporate mail

7.5 Protecting Email Attachments & Hyperlinks


Opening email attachments on mobile devices often requires the use of external reader applications. However,
as attachments leave the corporate mailbox, they immediately become vulnerable to data loss. Even worse, these
attachments typically contain your most sensitive corporate information. Protect your corporate materials by
gaining control over mobile email attachments. Through the Secure Email Gateway, AirWatch can secure your
email attachments for both managed and unmanaged devices.

Recommendations:
Attachment encryption is to be used per the prerogative of the client. Basic security clients typically do not
require this level of security, but we do recommend it for high security clients. If you do choose to use email
attachment encryption, the following chart gives AirWatch's recommendations for whether to use a compliance
policy or the mail client's built-in attachment encryption.

Attachment Encryption

Platform          | Native                  | AW Inbox
iOS               | Email Profile Setting   | Mail Client
Android           | Compliance Policy + SEG | Mail Client
Windows 10 Mobile | Compliance Policy + SEG | Mail Client
Windows 10        | Compliance Policy + SEG | Mail Client

8. MCM Setup and Policies
The use of mobile devices in the enterprise makes accessing corporate content easier and more convenient
than ever before, as documents can be shared and read on-the-go via mobile devices. However, the benefits
of accessibility come with increased security concerns for protecting sensitive corporate information.
Some security concerns you face when deploying content are: allowing employees to securely access
corporate data from devices, providing easy access to information and updating content in bulk.

8.1 AirWatch Content Locker


The AirWatch Mobile Content Management solution helps your organization address the challenge of securely
deploying content to a wide variety of devices through the Content Locker. The Mobile Content Management
Guide explains how to deploy and manage content from the AirWatch Admin Console as well as configure the
Content Locker to utilize advanced content management solutions including:
• Ensuring data security
• Syncing with AirWatch Content Repositories
• Syncing with 3rd Party repositories hosted internally or in the cloud
• Uploading content to the AirWatch Admin Console
• Providing secure distribution
• Integrating personal content

8.2 Integrating with Content Repositories


Integrate into your existing corporate infrastructure to update and manage content in one system. After your
initial setup, AirWatch maintains a synchronous relationship with repositories of up to 200 folders. Once
integration is established, end-users can access up-to-date content from the Content Locker anywhere in the
world. You can administer two types of repositories from the AirWatch Admin Console:
• Admin Repositories: integrate with your existing repository structure to send software, files and other
content to devices.
• User Repositories: allow administrators to dynamically assign each end-user a custom repository link.
End-users may also have the option to manually create their own repositories from the Self Service
Portal.

8.3 Configuring AirWatch Browser Settings
The first step in setting up the AirWatch Browser is configuring its settings in the AirWatch Admin Console.
These basic settings allow you to specify the behavior of your browser, from the completely locked down Kiosk
Mode, to the more flexible, but equally secure, Restricted Mode. You may also create allowed or denied URL
lists to restrict the domains that users are able to browse to.
After configuring general settings, provide a list of bookmarks to make available as shortcuts for your end-
users. Bookmarks allow your end-users to maximize their efficiency, taking them directly to the sites they utilize
most frequently.

8.4 Content Locker Collaborate


Content Locker Collaborate allows end users to create or modify files stored in a network or SharePoint
directory. Repositories can be configured as Edit and/or Write enabled with advanced configurations allowing
the ability to enable/disable editing of specific files within a repository.
Users also have the option of creating new documents within the Content Locker, and saving locally or
uploading the file to a write-enabled repository.

8.5 Personal Content


Personal content is a stand-alone feature that can be used in conjunction with Admin or User repositories. This
feature allows users to easily sync their content between Content Locker on their devices, Content Locker
Sync on their Windows or Mac computer, and the SSP.
Following the reference sheet in the MCM Guide will set the allocation of storage and user permissions. We offer
the ability to control folder sharing, emailing, printing and opening of documents. For more flexible storage
sizing options, or to meet requirements to store content on-premise, the RFS allows SaaS customers to store
end-users' personal content at an endpoint of their choosing.

MCM Recommendations:

AirWatch recommends using the Default SDK settings for AirWatch applications unless you have a specific
requirement. For agent based OS, be sure to set your SDK profile V2 to the default settings.
AirWatch recommends enabling a time limit for offline access for users based on the company's security
concerns.
If you are using Personal Content, AirWatch recommends changing the default Self-Service-Portal login page
to content, rather than device management with the use of user roles.

To ensure data loss prevention, AirWatch recommends the following settings per document and per repository:
• Restrict copy and paste
• Restrict printing
• Restrict data backup
• Disable analytics and logging

9. Device-Specific Recommendations

AirWatch provides some recommendations that pertain only to certain device types or operating systems.
Please review the sections below for more information.

9.1 iOS Recommendations


Please consider the following items when using AirWatch with iOS devices:
• The Apple Device Enrollment Program should be utilized for corporate devices whenever possible
• Device supervision is recommended to ensure the greatest level of functionality
• Although it is not required for enrollment, the AirWatch Agent should always be pushed to devices as a
managed application for full MDM functionality

9.2 Android Recommendations


Please consider the following items when using AirWatch with Android devices:
• Android for Work or Knox Mobile Enrollment should be utilized whenever possible
• If your corporate devices are not currently eligible for Android for Work or Samsung Bulk Enrollment,
you should plan on migrating your device fleet to Android for Work or Knox Mobile Enrollment enabled
devices over the next 2 to 3 years.
    o Android for Work carrier and device manufacturer information can be found here.
    o More information on Samsung Bulk Enrollment can be found here.
• OEM-specific settings or the AirWatch Secure Launcher should be used in conjunction with Android for
Work (or in place of it if the device is not eligible) to add more device customization.
• Android for Work is recommended in conjunction with VMware Identity Manager
• AirWatch Service applications for Android should be set to Push Service App from Play Store to
maintain device security
    o Additional considerations may need to be made if internal applications are being published

9.3 Mac OS X Recommendations


Please consider the following items when using AirWatch with Mac OS X devices:
• The Apple Device Enrollment Program should be utilized for corporate devices whenever possible
• If enrolling domain-joined devices, AirWatch recommends:
    o Standard Single User Staging if the device will be assigned to only one user
    o Multi User Staging if the device will be shared between different users
• If enrolling non-domain-joined devices, AirWatch recommends:
    o Advanced Single User Staging to enroll on behalf of a user
    o Agent-based enrollment if the user will be enrolling their own device
• If device imaging is currently part of your IT process, enrollment through the Export method is
recommended
• For more information on any of these processes as well as additional enrollment options, please see
the AirWatch Mac OS X Platform Guide.
• The following considerations should be made when applying profiles to Mac OS X devices:
    o All system-level profiles should be set as a Device Profile
    o User profiles should be set when applied settings should change depending on the current user
    o We recommend the use of the Security and Privacy profile with the default options checked
    o If applying a Credentials payload, always leave "allow export from keychain" unchecked to
prevent users from exporting your private key from the keychain
    o AirWatch recommends preventing unapproved updates through a Software Updates profile in
order to ensure updates won't cause internal issues
        More information can be found here on requirements for this configuration
    o Only push restrictions to a User Profile when using shared devices
    o Use the Global HTTP Proxy payload to restrict websites
• Applications should be pushed to Mac OS X devices through one of the following methods (in preferred
order):
    o Volume Purchase Program
    o .APP files
    o Standard Product Provisioning
    o Multi-Step Product Provisioning

Appendix 1: Corporate Sample Terms of Use
By enrolling this device, employees agree to be bound by these Terms and Conditions and agree that they
are responsible for compliance with any applicable rules. Employees consent to the installation of a Mobile Device
Management application, including any restrictions it may enforce and any access it may give to ___________
support personnel.
Employees are required to read and become familiar with the usage policy provided by Company for the
Equipment.
1. Usage Terms
Equipment is intended for use at work. Users are expected to responsibly use the equipment for the intended
purpose. Use of equipment beyond what is deemed necessary may be restricted during work hours or permanently at
any time without prior notice.
2. Privacy
____________ understands the privacy concerns of the participants enrolling the devices. However,
____________ may require access to the device in order to review or retain copies of information on the
device to comply with legal requirements or in cases in which the company has a reasonable basis to believe
there has been an infringement of this policy such that Confidential Information may have been compromised.
The privacy and dignity of the user will be respected to the extent possible.
____________ may collect personal data including, but not limited to, GPS Data, Roaming Status, Cellular
Data Usage, Call Usage, SMS Usage, Personal Applications, File Manager Access and Registry Manager. Any
device may be remote controlled, un-enrolled or enterprise wiped at any time without prior notice. Any device
not owned by the employee may also be factory reset/fully wiped at any time if necessary.
3. Alteration
Employees are not permitted to remove or alter any Profiles that may be installed with the MDM enrollment. Any
alteration or removal of profiles without prior permission from the MDM administrator will result in the
appropriate action. Any attempt to violate or bypass the MDM implementation will result in immediate
disconnection from all resources, and there may be additional consequences in accordance with the
company's overarching security policy.
4. Equipment Issues and Support
Employees shall not remove profiles or un-enroll their devices upon facing issues and will be required to call
the company for any technical support relating to the MDM enrollment. If the company is not able to provide
the required assistance, it shall refer to AirWatch for support.
5. Loss and Damage
Employee shall take reasonable and prudent care to maintain the Equipment in good condition and protect it
from loss, theft, or damage. Employee shall bear the risk for lost, stolen, or damaged Equipment and
components from the date Employee receives delivery of the Equipment until the return of the Equipment to
___________.
Employee agrees to report all incidents of theft of or damage to the Equipment to their local law enforcement
within twenty-four hours of the Employee's knowledge of the loss. Company and Employee shall cooperate fully
with the appropriate local law enforcement agencies in completing all necessary reports.

Your device may allow for only the remote wipe of __________ data. This means your personal data is still
vulnerable, and thus it is recommended you also set a device password and take additional security
precautions.
Employee is ultimately responsible for any damage to or loss/theft of the Equipment while in his or her possession
and shall pay ___________ for any repair/replacement costs for damage to the Equipment and components.
7. Indemnity
Employee is solely responsible for the consequences of any misuse of the Equipment and the liability resulting
from misuse. Employee shall indemnify ___________ for any injuries, damages, or losses incurred due to the
intentional or negligent acts of the Employee. The Employee's obligation of indemnification to Company
survives the term of this Agreement.
___________ is not responsible for injuries, damages, penalties, or losses, including legal costs and expenses
incurred by the Employee or other person due to installation of software, transporting the Equipment, or any
other use of Equipment described herein.
___________ is not responsible for unauthorized use of its resources, and the security of data transmitted on
its information technology resources cannot be guaranteed.
8. Miscellaneous
Employee represents that he or she has the power to bind all of Employee's agents and representatives, all of
whom shall be bound by these terms. Employee cannot amend this Agreement unless accepted in writing by
an authorized representative of ___________. This Agreement shall constitute the entire agreement between
the parties with regard to the Equipment and any prior understanding or representation of any kind shall not be
binding on either party, except to the extent incorporated herein. The waiver of any right under this Agreement
by either party shall not be construed as a waiver of the same right at a future time or a waiver of any other
right under this Agreement. This Agreement shall be construed and enforced in accordance with the laws of
the __________. The parties acknowledge and expressly agree to waive any and all rights to a trial by jury of
any claim or dispute arising under this Agreement.
9. Terms of Use Modifications
____________ may revise these terms of use for its web site at any time without notice. By using this web site
you are agreeing to be bound by the then current version of these Terms and Conditions of Use.
By signing below, I acknowledge that I have read and understand the conditions stated above and in this
Agreement. I am aware of my responsibilities and the consequences of defaulting on this Agreement.
