Workspace ONE Cards

VMware Workspace ONE UEM Workspace ONE Cards

You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

© Copyright 2020 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents

1 VMware Workspace ONE Cards Admin Guide
2 Configuring Workspace ONE Cards
3 Application Configurations for Workspace ONE Cards
4 Deploying Workspace ONE Cards

1 VMware Workspace ONE Cards Admin Guide

Welcome to the VMware Workspace ONE Cards admin guide. Workspace ONE Cards is a mobile application that reads a physical business card and saves it as a contact in your Exchange account through Exchange Web Services (EWS). You can scan business cards using your smartphone camera and convert them to contacts.

Workspace ONE Cards for iOS and Android helps you scan and manage all your business cards quickly and accurately. It improves mobile productivity by reducing the time spent entering contact details, and it focuses on enterprise content security.

Capabilities of Workspace ONE Cards

With Workspace ONE Cards, you can save all the details of a business card without manually entering the information on your mobile device. After you scan a card, the contact details are synchronized with your contact database in Microsoft Exchange, so you can manage the data in the same way you manage any other Exchange contact.

Workspace ONE Cards for iOS and Android provides you with the following capabilities:
- Take a photo of a business card and convert it into an Exchange contact.
- Scan business cards from 17 different languages.
- Edit details or add custom details when previewing a contact before saving.
- Rescan the business cards.
- Set up the Exchange sync from within the Cards application.
- View the scanned contact history with the Exchange sync status.

Requirements to Deploy Workspace ONE Cards

To deploy and use Workspace ONE Cards, you must meet the requirements related to the UEM console version, operating system, and software.

You must use the Workspace ONE UEM console 1902 or later versions to deploy Workspace ONE Cards.

Application Requirements - VMware Workspace ONE Intelligent Hub

Software Requirements - Workspace ONE Cards supports Exchange Server 2010 and later versions including Office 365.

Supported Mobile Operating Systems:
- iOS 11 and later
- Android 5.1 and later

Access and Authentication Requirements:
- Workspace ONE Cards requires access to the EWS endpoint. Workspace ONE Cards must access the EWS URL either directly or through the Secure Email Gateway or VMware Tunnel Per-App VPN. It also requires the HTTPS protocol and port 443 to access EWS.
- Workspace ONE Cards supports Basic, NTLM, Certificate, and Modern authentications.

2 Configuring Workspace ONE Cards

Workspace ONE Cards fetches configurations through the SDK profile from the Workspace ONE UEM console. These configurations include Exchange Server settings and other security policies. Workspace ONE Cards connects with the Exchange Server based on the authentication method configured in the UEM console, and uploads contacts to the Exchange Server after scanning on the device.

You can configure the SDK profile to apply either general or application-specific settings for Workspace ONE Cards. For app-specific settings, configure the Custom Settings payload of the SDK profile. You can set these app-specific settings either as a part of a configured default profile, or as a part of a custom SDK profile that you have explicitly assigned to Workspace ONE Cards.

You can assign only one SDK profile to an application, so you must select either the default or the custom SDK profile for Workspace ONE Cards. The default profile is the same for both iOS and Android, whereas custom profiles are platform-dependent. A custom SDK profile can have additional details as per your organization's requirements.

For more information about default versus custom SDK profile, see App Suite SDK Configurations from the Mobile Content Management Guide.

Configure a Default SDK Profile for Workspace ONE Cards

You can select and configure a default SDK profile to define the behavior that applies to Workspace ONE Cards.

The default SDK profile shares settings across all applications configured for a specific Organization Group (OG) and its subgroups. If you have deployed other Workspace ONE applications, such as Workspace ONE Intelligent Hub, Workspace ONE Boxer, Workspace ONE Web, or Workspace ONE Content, you do not have to configure the default SDK profile explicitly for Cards.

1 In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies.

2 Configure Security Policies.

Options and their descriptions:

Authentication Type
- Passcode: Prompt end users to authenticate with a user-generated passcode when the app starts for the first time, and after an app session timeout.
- Username and Password: Prompt end users to authenticate by reentering their enrollment credentials when the app starts for the first time, and after an app session timeout.
- Disabled: Allow the user to open apps without entering credentials.

SSO
- Enabled: Establish a single app session across all Workspace ONE UEM and Workspace ONE UEM wrapped apps.
- Disabled: Establish app sessions for each app.

Offline Access
- Enabled: Allow end users to open and use Workspace ONE UEM and wrapped apps when disconnected from Wi-Fi. When the device is offline, the Workspace ONE UEM applications cannot perform downloads. For a successful download, users must connect their device to the Internet. Configure the Maximum Period Allowed Offline to set limits on the offline access.
- Disabled: Remove access to Workspace ONE UEM and wrapped apps on offline devices.

Compromised Protection
- Enabled: If enabled, this option overrides the MDM protection. App level Compromised Protection blocks the compromised devices from enrolling, and enterprise wipes enrolled devices that report a compromised status.
- Disabled: Rely only on the MDM compliance engine for the compromised device protection.

Data Loss Prevention
- Enabled: Access and configure settings intended to reduce data leaks.
  - Enable Copy And Paste: Allows an application to copy and paste when set to Yes.
  - Enable Printing: Allows an application to print from devices when set to Yes.
  - Enable Camera: Allows application to access the device camera when set to Yes.
  - Enable Composing Email: Allows application to access the device camera when set to Yes.
  - Enable Data Backup: Allows wrapped applications to sync data with a storage service such as iCloud when set to Yes.
  - Enable Location Services: Allows wrapped applications to receive the latitude and longitude of the device when set to Yes.
  - Enable Bluetooth: Allows applications to access Bluetooth functionality on devices when set to Yes.
  - Enable Screenshot: Allows applications to access screenshot functionality on devices when set to Yes.
  - Enable Watermark: Displays text entered in Overlay Text as a watermark in documents in the VMware Workspace ONE Content when set to Yes. Note: You cannot change the design of a watermark from the Workspace ONE UEM console.
  - Limit Documents to Open Only in Approved Apps: Select this option to control the applications used to open resources on devices. For iOS devices, you can use the UEM configuration values to restrict users from importing from third-party applications into Workspace ONE Cards. For more information, see Configure Import Restriction in Workspace ONE Content Guide.
  - Allowed Applications List: Enter the applications that are allowed to open documents.
- Disabled: Allow user to access all device functions.

3 Select Save.

4 Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Settings.

5 Configure Settings. You must enter specific application settings.

Actions and their descriptions:

Branding
- Enabled: Apply the organization-specific logo and colors wherever applicable to the app suite.
- Disabled: Maintain the Workspace ONE UEM brand throughout the app suite.

Logging
- Enabled: Access and configure settings related to collecting logs.
  - Logging Level: Select a logging level for Workspace ONE Cards:
    - Error - Records only errors. An error indicates a failure in processes such as a failure to look up UIDs or an unsupported URL.
    - Warning - Records errors and warnings. A warning displays a possible issue with processes such as bad response codes and invalid token authentications.
    - Information - Records a significant amount of data for informational purposes. An information logging level displays general processes and warning and error messages.
    - Debug - Records all data to help with troubleshooting. This option is not available for all functions.
  - Send logs over Wi-Fi only: Select to prevent data from being transferred when roaming and to limit data charges.
- Disabled: When disabled, the application does not collect any logs.

Analytics
- Enabled: Collect and view the useful statistics about apps in the SDK suite.
- Disabled: When disabled, the application does not collect useful statistics.

6 Click Save.

Configure a Custom App SDK Profile for Workspace ONE Cards

If Workspace ONE Cards has Data Loss Prevention (DLP) or authentication requirements that differ from other Workspace ONE applications, you must select and configure a custom SDK profile to deploy Workspace ONE Cards.

1 In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Profiles > Add Profiles.

2 Select SDK Profile.

3 Select a platform.

4 Configure General Settings.

5 Configure Custom Settings with configuration keys listed in Application Configurations for Workspace ONE Cards.

6 Select Save.

Configure Workspace ONE Cards Using Certificate-Based Authentication (CBA) with Exchange

To authenticate users, you can configure Workspace ONE Cards using the Certificate-Based Authentication (CBA) with Exchange in Workspace ONE UEM.

1 If you are using a default SDK profile, select the Integrated Authentication check box.

2 If you are using a custom SDK profile, perform the following steps:

a Select Certificate Authority and Template.

b List the Exchange URL in the allowlist URL text box.

3 Add KVPs such as AccountUseCBA and AccountUseDualAuth under Custom Settings in the Workspace ONE UEM console. For more information about the Keys, see Application Configurations for Workspace ONE Cards.

3 Application Configurations for Workspace ONE Cards

As an admin, you must ensure that the policies are added to the Workspace ONE UEM console to apply settings to Workspace ONE Cards.

The configurations that are required for Workspace ONE Cards are set as a part of the SDK profile. If you are using the default SDK profile, set the application configuration keys by navigating to Groups & Settings > All Settings > Apps > Settings and Policies > Settings.

If you are using a custom SDK profile, navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Profiles and select the profile that you have created for iOS and Android Cards.

Account and Key Settings

| Configuration Key | Value Type | Configuration Value | Description |
|---|---|---|---|
| {"exchangeURL"} | String | Enter the EWS URL. Use this format: https://server.domain.com/EWS/Exchange.asmx. | This key enables synchronization with the Exchange Server. |
| {"userEmail"} | String | Provide a valid user email. | This configuration key is required. It supports the {EmailAddress} lookup value. |
| {"userName"} | String | Domain/Username | Domain/Username as {EmailDomain}\{EmailUserName} OR {EmailAddress}. Note: For NTLM authentication, it is in the Domain/Username format. |
| {"PolicyAllowLogging":true} | Boolean | True - enabled; False - disabled | This key is configured to collect the crash reporting data. It controls the application reporting diagnostic data, to troubleshoot a failure and provide support. If set to true, the privacy manager allows the user to disable reporting. |
| {"PolicyAllowMetrics":true} | Boolean | True - enabled; False - disabled | Set to True to enable the data collection for Workspace ONE Cards. This data is used to improve user experience. |
| {"DisplayPrivacyDialog": 1} | Integer | 1 - enabled (default); 0 - disabled | When set to 1 (enabled), Workspace ONE Cards displays a privacy notice to users about the data collected and the permissions that are required on the device for the application to function. If you do not set this configuration key, by default the privacy dialog box is shown. |
| {"PrivacyPolicyLink"} | String | Example: https://www.acme.com | Enter the URL to the privacy policy that you want your users to view when your company's privacy policy is selected from the privacy notice. |

Sample SDK configuration:

    {
      "allowExchange": true,
      "exchangeURL": "https://outlook.office365.com/ews/exchange.asmx",
      "userName": "{EmailDomain}\\{EmailUserName}",
      "userEmail": "{EmailAddress}",
      "AccountUseOauth": true
    }

OAuth-based Authentication

To enable the OAuth-based authentication with Exchange Server, add the following key:

| Configuration Key | Value Type | Configuration Value | Description |
|---|---|---|---|
| {"AccountUseOauth":False} | Boolean | False - disabled (default); True - enabled | Set the value to true to enable the OAuth-based authentication support with the Exchange Server. |

Configure Certificate-Based Authentication with Exchange

To enable CBA with Exchange Server, add the following keys:

| Configuration Key | Value Type | Configuration Value | Description |
|---|---|---|---|
| {"AccountUseCBA":False} | Boolean | False - disabled (default); True - enabled | Set this value to true to enable the certificate-based authentication. |
| {"AccountUseDualAuth":False} | Boolean | False - disabled (default); True - enabled | Set this value to true to enable dual authentication (CBA and Basic). |

Kerberos Authentication

To enable the Kerberos authentication, add the following key:

| Configuration Key | Value Type | Configuration Value | Description |
|---|---|---|---|
| {"enableKerberos":False} | Boolean | False - disabled (default); True - enabled | Set this value to true to enable the Kerberos authentication. |
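
A lint pass over a Custom Settings payload before it is saved, using the key names, value types and EWS requirements (HTTPS, port 443, the /EWS/Exchange.asmx path) stated in this guide. This is an added example, not VMware code; the function names, finding strings and sample input are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Expected JSON type per key, from this guide's tables (allowExchange: sample only).
KEY_TYPES = {
    "allowExchange": bool, "exchangeURL": str, "userEmail": str,
    "userName": str, "PrivacyPolicyLink": str, "PolicyAllowLogging": bool,
    "PolicyAllowMetrics": bool, "DisplayPrivacyDialog": int, "enableKerberos": bool,
    "AccountUseOauth": bool, "AccountUseCBA": bool, "AccountUseDualAuth": bool,
}

def lint_ews_url(url):
    """Check exchangeURL against the guide: HTTPS, port 443, EWS path."""
    parts, out = urlsplit(url), []
    if parts.scheme != "https":
        out.append("exchangeURL: EWS must be reached over HTTPS")
    try:
        port = parts.port
    except ValueError:          # non-numeric or out-of-range port
        port = -1
    if port not in (None, 443):
        out.append("exchangeURL: EWS is expected on port 443")
    if not parts.path.lower().endswith("/ews/exchange.asmx"):
        out.append("exchangeURL: path should end in /EWS/Exchange.asmx")
    return out

def lint_cards_settings(text):
    """Return a list of findings for a Custom Settings JSON string."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Curly quotes or a missing comma pasted from a document land here.
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    findings = []
    for key, value in cfg.items():
        expected = KEY_TYPES.get(key)
        # bool is a subclass of int in Python, so test for the exact type.
        if expected is None:
            findings.append(f"{key}: not a key listed in this guide")
        elif type(value) is not expected:
            findings.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
        elif key == "DisplayPrivacyDialog" and value not in (0, 1):
            findings.append("DisplayPrivacyDialog: must be 0 or 1")
        elif key == "exchangeURL":
            findings.extend(lint_ews_url(value))
    if not cfg.get("userEmail"):
        findings.append("userEmail: required key is missing or empty")
    return findings

# Constructed sample input: plain HTTP, a string where a Boolean belongs, no userEmail.
SAMPLE = '{"exchangeURL": "http://mail.example.com/EWS/Exchange.asmx", "AccountUseCBA": "true"}'
print("\n".join(lint_cards_settings(SAMPLE)))
```

An empty list means the payload parses and matches the documented types; the console itself remains the authority on which keys a given Cards version accepts.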

4 Deploying Workspace ONE Cards

Deploy Workspace ONE Cards with security configurations on your users' mobile devices using the Workspace ONE UEM console.

You must use the Workspace ONE UEM console 9.3 or later versions. For more information about requirements, see Requirements for Workspace ONE Cards.

Add Workspace ONE Cards to Workspace ONE UEM

Add Workspace ONE Cards as a public application to the Workspace ONE UEM console.

1 In the Workspace ONE UEM console, navigate to Apps & Books > Applications > Native > List View > Public.

2 Select Add Application, and enter the required information.

| Option | Description |
|---|---|
| Managed By | Select the organization group. |
| Platform | Select an appropriate platform. |
| Name | Enter Workspace ONE Cards. |
| Search App Store (iOS only) | Select to make the application available in the App Store. |
| Enter URL | Enter the URL of the application. |
| Import from Play (Android only) | Select to make the application available in the Play Store. To search the Google Play Store in an on-premises deployment, you must integrate a Google Account with the Workspace ONE UEM MDM environment. |

3 Select the Workspace ONE Cards application.

4 If you plan to use a custom SDK profile, select the profile on the SDK tab.

5 Select Save and Assign.

6 On the updated assignment page, select Add Assignment, and enter the name of the assignment group in the Select Assignment Groups text box.

7 Select Add.

8 Click Save and Publish.

Users must install Workspace ONE Cards on a mobile device that is registered or enrolled using Workspace ONE Intelligent Hub. To synchronize with the Exchange content, users must enter their Exchange credentials after they start Workspace ONE Cards.

Configure Workspace ONE Cards with Derived Credentials (PIV-D)

Create and configure an SDK profile with the derived credentials and assign the profile to Workspace ONE Cards. The SDK profile helps Cards to fetch the derived credential certificates from Workspace ONE PIV-D Manager. These certificates are used by devices to access resources securely.

A derived credential is a client certificate that is generated or issued on a mobile device after users prove their identity using their existing smart card (CAC or PIV) during the enrollment process.

When you set the Credential Source as Derived Credential on the Credential payload, Cards imports the authentication, signing, and encryption certificates from the PIV-D application. The PIV-D certificate is then used to authenticate users against the Exchange Server through CBA and dual authentication in Cards. For more information on the PIV-D application, see Workspace ONE PIV-D Manager Admin Guide.

1 Configure the SDK profile.

a In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Profiles and select Add Profiles.

b Select SDK Profile.

c Select a platform.

d Configure the profile's General Settings.

e Select the Credentials payload and select Configure.

f Set the Credential Source to Derived Credentials.

g Select the Key Usage based on how the certificate is used. Select Authentication, Signing, or Encryption. To add additional certificates, use the plus sign at the bottom of the profile screen.

h Select Save and Publish.

2 Assign the SDK Profile to Cards.

a Navigate to Apps & Books > Native > Public > Add Application and add Workspace ONE Cards. If the Cards application has already been added, you can skip the preceding step.

b Select Edit.

c On the SDK tab, set the SDK profile to the one configured with the derived credential source and key usage.

d Select Save and Assign.
