Getting Started - Workspace (6.5)


AirWatch Workspace enables you to provide specific corporate resources to segments of BYOD users. For example, some groups of users may only require access to corporate email, while others may only require access to a specific enterprise app. With AirWatch Workspace, your BYOD users can enroll in AirWatch and securely access containerized business applications and resources without receiving the same AirWatch MDM profile corporate-owned devices receive.


AirWatch Workspace addresses privacy concerns users have about MDM by giving the administrators only the ability to control managed enterprise apps instead of the entire device.


With AirWatch Workspace, all corporate applications are bundled into a single, customizable view and capable of leveraging single sign-on (SSO) access, which minimizes the burden of logging into each application. This SSO ability extends to back-end systems and file shares, including SharePoint and other content integration systems. With SSO enabled, users who log into the AirWatch Workspace are automatically authenticated into apps without having to log in each time. Additionally, AirWatch Workspace runs background security checks to prevent unwanted activity.


AirWatch Workspace requires AirWatch version 6.5 and is currently available for Android Gingerbread 2.3+ and iOS 5.0+. You can download the AirWatch Workspace app from the Google Play Store and Apple's App Store.

This guide covers the steps required to establish a successful AirWatch Workspace deployment, including:

  • Configuring AirWatch Workspace and application settings
  • Enrolling users into AirWatch Workspace

Configuring AirWatch Workspace

Configure AirWatch Workspace settings for SSO, security, branding and more to tailor the experience to your users and your organization's requirements. Automatically set SSO sessions to lock AirWatch Workspace after a determined period of inactivity. Disable copy and paste, screenshot, print, and more when using Workspace-enabled and wrapped applications. Additionally, customize the look and feel of your AirWatch Workspace according to your organization's brand and aesthetic.

Enabling Single Sign-On

Configure single sign-on to apply a single passcode to authenticate into all AirWatch applications and wrapped applications.

  • Navigate to Configuration ► System Configuration ► Apps ► Settings and Policies ► Security Policies.


  • Select Enabled for Single Sign-On to apply the use of a single passcode to access all AirWatch applications and maintain a persistent login.
  • Select Enabled for Integrated Authentication to allow the credentials used for applications to be passed on and used for authenticating into websites, such as content repositories (SharePoint) or wikis. Currently this setting only applies to the AirWatch Browser. Once enabled, you must define a list of allowed sites, which are the only sites that will support Integrated Authentication. In addition, for this feature to work:
    • SSO must be enabled and the user must successfully authenticate within an SSO session.
    • The URL of the requested website must match an entry in your list of allowed sites.
    • The website must use NTLM or basic authentication and return a 401 status code requesting authentication.
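
The three conditions above act as a gate that must pass before stored credentials are sent to a website; the sketch below is an added example (not AirWatch code) that evaluates them in order and matches on the parsed hostname, so a lookalike host that merely contains an allowed name is refused. The allowed-site entries, the wildcard syntax and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample allow list; entry and wildcard syntax are assumptions.
ALLOWED_SITES = ["sharepoint.corp.example", "*.wiki.corp.example"]
SUPPORTED_SCHEMES = {"ntlm", "basic"}  # the two schemes the guide names


def host_allowed(url, allowed=ALLOWED_SITES):
    """Match the parsed hostname, never a substring of the raw URL."""
    host = (urlsplit(url).hostname or "").lower()
    for entry in (e.lower() for e in allowed):
        if entry.startswith("*."):
            if host.endswith(entry[1:]):  # ".wiki.corp.example" suffix
                return True
        elif host == entry:
            return True
    return False


def challenge_schemes(www_authenticate_values):
    """Return the auth schemes offered, one challenge per header value."""
    schemes = set()
    for value in www_authenticate_values:
        parts = value.strip().split(None, 1)
        if parts:
            schemes.add(parts[0].lower())
    return schemes


def should_forward_credentials(sso_active, url, status, www_authenticate_values):
    """Apply the guide's three conditions; return (decision, reason)."""
    if not sso_active:
        return (False, "no authenticated SSO session")
    if not host_allowed(url):
        return (False, "host not in allowed sites")
    if status != 401:
        return (False, "no 401 challenge")
    if not challenge_schemes(www_authenticate_values) & SUPPORTED_SCHEMES:
        return (False, "unsupported auth scheme")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed requests: a listed host, then a lookalike host.
    for u in ("https://sharepoint.corp.example/sites/hr",
              "https://sharepoint.corp.example.evil.test/"):
        print(u, should_forward_credentials(True, u, 401, ["NTLM"]))
```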

Setting Application Security Policies

Configure Security Policies to set options for accessing and using AirWatch applications or internal applications wrapped with AirWatch SDK features. With SSO, users can jump from app to app without entering login information at each instance. Define the grace period before requiring passcode re-entry and set the complexity of passcodes to maximize security.


  • Navigate to Configuration ► System Configuration ► Apps ► Settings and Policies ► Security Policies.


  • Select Passcode Mode and set the passcode to be Numeric or Alphanumeric. This option sets the passcode for the SSO feature. Complete other passcode options:
    • Passcode Timeout – Sets the period of inactive time before automatic logout of SSO.
    • Allow Simple Value – Sets the passcode to allow simple strings.
    • Minimum Passcode Length – Sets the minimum number of characters for the passcode.
    • Minimum Number Complex Characters – Sets the minimum number of complex characters for the passcode.
    • Maximum Passcode Age (Days) – Sets the time frame for using the passcode.
    • Passcode History – Sets the number of passcodes the AirWatch Admin Console stores so users cannot reuse passcodes for a specified time frame.
    • Maximum Failed Attempts – Sets the maximum number of failed passcode attempts allowed before an action is taken in response.
  • Set Offline Access to Enabled to set the duration of time to allow access to applications when the device is offline and to continue applying App Configuration settings. Also select the action to take on the device: block managed apps or perform an automatic enterprise wipe.
  • Set Compromised Protection to Enabled to select the action that the AirWatch Admin Console will perform in case the device is compromised, for example, if a user roots a device.
  • Set App Tunnel to Enabled to allow the application to travel through a proxy such as the Mobile Access Gateway (MAG).
  • Set Geofencing to Enabled to restrict access to Workspace applications depending on geofencing settings in the AirWatch Admin Console. Set geofencing areas in Profiles & Policies ► Profiles ► Configuration ► Geofencing.
  • Set Data Loss Prevention to Enabled to protect sensitive data in applications. This setting controls copying and pasting, taking pictures and screen captures, using the microphone, printing, and the use of unmanaged applications.
  • Set Network Access to Enabled to allow applications to access the mobile network. The following options are available:
    • Allow Cellular Connection – Set to Always allow, Allow when not roaming, or Never allow.
    • Allow Wi-Fi Connection – Set to Always allow, Allow but limit by SSID, or Never allow. If you choose to allow but limit by SSID, then enter the SSID details in the Allowed SSIDs textbox.

Configuring Application Settings

Configure Settings to set options for behaviors and customization of applications.

  • Navigate to Configuration ► System Configuration ► Apps ► Settings and Policies ► Settings.


  • Set Branding to Enabled to access a number of fields that you can set to apply branding to applications.
  • Set Logging to Enabled and specify a Logging Level and whether to Send Logs Over Wifi. This will record log files concerning application processes.
  • Set Analytics to Enabled to capture application data for use in business intelligence systems and data marts.
  • Set Custom Settings to Enabled to add text, such as XML code, for custom processes and apply them to applications.

Configuring Applications

Now that you've enabled AirWatch Workspace and configured the security, customization and single sign-on settings, you can distribute additional applications to AirWatch Workspace users. Distributing apps uses the same process as for other users – either automatically once an app is activated in the AirWatch Admin Console, or on-demand through an App Catalog. The following notes apply for different types of apps you can publish:

  • AirWatch applications
  • Internal applications
  • Public/Purchased applications
  • Web applications

Note: For more information on managing apps with the App Catalog, please see the AirWatch Mobile Application Management Guide.

Configuring AirWatch Email Client for AirWatch Workspace Email Access

Configure the AirWatch Email Client (AWEC) to sync Email, Calendar, and Contacts for email accounts via the AirWatch Workspace.

Deploying the AirWatch Email Client enables key benefits, including:

  • Configuration
    • Over-the-air configuration of EAS, sync, and general settings through profile
    • Automatic configuration when device enrolls and checks in with AirWatch server
  • Security
    • Prevent copy/paste of text
    • Prevent attachments
    • Set maximum attachment size
    • Email debug logs directly to AirWatch

For more information on configuring the AirWatch Email Client, please see the AirWatch Email Client Guide.


Enrolling Devices in AirWatch Workspace

Enroll devices into AirWatch Workspace by obtaining the AirWatch Workspace application from the respective app store and providing information used to assign your device to corporate apps and content.

  • Confirm that the AirWatch Agent is not loaded on the device you are attempting to enroll.
  • Download the AirWatch Workspace application and launch the downloaded application from the app menu.
  • Enter the corporate email address. If auto-discovery is not configured, enter the server and Group ID that will be associated.


  • Enter the username and password.


  • Create and confirm a unique PIN that will be used to facilitate single sign-on to all apps connected via AirWatch Workspace.

The device is now enrolled and authenticated in AirWatch Workspace. From the moment the user confirms their unique PIN, the containers are secured and the device begins checking with AirWatch which applications are available to the device or already present on the device.


