This section covers VMware’s unified endpoint management software, Workspace ONE UEM, including the related VMware mobile applications.
a. Overview of the Workspace ONE UEM
Workspace ONE UEM (“UEM”) enables Customers to protect the confidentiality, security and integrity of Customer systems and information that are accessed by Users from corporate-owned and User-owned devices. UEM provides the Customer with controls which enable them to manage the access and security of its User’s devices. UEM consists of a Customer-specific console, which enables the Customer to manage its Users’ devices (“Console”) and software that is installed on a User’s device, which (i) facilitates communication between the User’s device and the Console, as well as other third-party endpoints (e.g. Apple or Google API) depending on Customer’s configuration, and (ii) provides the User with various productivity applications (i.e. an email client, a web browser, etc.). The specific features available to a Customer or a Customer’s Users will depend on the specific version/bundle purchased, how the Customer configures UEM, and which devices/platforms (i.e., iOS, Android, Windows, etc.) and mobile applications are used by the Users. The Console may be hosted by the Customer in its own IT environment (“On-Prem”) or may be hosted by VMware (“Hosted Service”).
b. Console Controls
The Console provides Customers with controls to assist them in complying with their legal obligations and internal compliance programs and requirements. The specific features available to a Customer or a Customer’s Users will depend on the specific version/bundle purchased, how the Customer configures UEM, and which devices/platforms (i.e., iOS, Android, Windows, etc.) and mobile applications are used by the Users. For example, the Customer can set password complexity, password expiration, and the timing for screen lockouts through the Console for the User’s device. Customer can also choose to enable different settings for corporate-owned devices and User-owned devices. Some of the other options available to Customers are outlined below:
i. Infrastructure. The Customer chooses whether to host the Console On-Prem or whether to have the Console hosted by VMware through the Hosted Service. If a Customer wants to maintain greater control over the environment hosting the Console, including the security thereof, the Customer can choose to host the Console On-Prem rather than having the Console hosted by VMware. The collected data is available to the Customer via the Console. If the Customer has chosen the Hosted Service, then VMware will also have access to the data collected through the Console; however, VMware only uses that data as stated in VMware’s Terms of Service and Privacy Notice.
ii. Data Collection. Using the Console, the Customer has the ability to control the types of information they collect about Users’ devices. Additionally, the Console gives the Customer the ability to have different data collection practices for corporate-dedicated, corporate-shared, and User-owned devices. For example, through the Console, the Customer can enable or disable the collection of the following data:
- GPS Data
- Carrier/Country Code
- Roaming Status
- Cellular Usage Data
- Call Usage
- SMS Usage
- Device Phone Number
- Personal Applications
- Unmanaged Profiles
- Public IP Address
iii. Device Commands. Using the Console, the Customer can elect to allow/prevent certain commands and can decide whether the execution of a command requires the User’s permission:
- Device Wipe
- Clear Device Passcode/Lock Device
- File Manager Access
- Remote Control
- Registry Manager
- Request Device Log
- Command Line/Remote Shell Access
iv. Display of User Data. The Console also contains settings that enable the Customer to decide what User data should be visible to its IT administrators via the Console. For example, the Customer can decide whether the following User data is visible to its IT administrators in the Console:
- First Name
- Last Name
- Phone Number
- Email Accounts
- User name
c. Collection of User and Device Data Through the UEM
User data that may be collected by UEM varies depending on the specific version/bundle purchased by the Customer, how the Customer configures UEM, and which devices/platforms (i.e., iOS, Android, Windows, etc.) and mobile applications are used by the Users. Examples of the data that may be collected by UEM are provided below.
i. General User and Device Data Collected by UEM
In connection with its core enterprise mobility management functions, UEM collects user and device data such as the following:
Identity and Authentication Information
- Identity details (including name, email address, phone number, etc.)
- Login credentials and security authentication data (including certificates, domain information, login and logout dates and times, usernames, enrollment IDs, etc.)
Employment Information
- Employer, job title, work address, employee number
- Information maintained in the Customer’s Active Directory
Device Information
- Device type, name, make, model, manufacturer, and device identifiers such as universal unique identifier (“UUID”), International Mobile Station Equipment Identity (“IMEI”), mobile equipment identifier (“MEID”), serial number, International Mobile Subscriber Identity (“IMSI”) number, Internet Protocol (“IP”) address and Media Access Control (“MAC”) address
- Last seen information (i.e., when the device last connected to the Console), log data
- Information about the device’s operating system (including operating system build, version, firmware/kernel versions, etc.)
- Battery capacity and availability, memory capacity and availability, storage capacity and availability
- Installed profiles on the device, including configuration data of Users’ devices and compliance status concerning requirements defined by the Customer in its Console settings
- Information about the device’s file manager and registry manager (Android/Windows devices)
UEM also may collect user and device data in connection with the following:
Data about Customer-Managed Applications
“Customer-Managed Applications” are Customer approved applications that are either pushed to User devices by the Customer or made available for download through the Workspace ONE Intelligent Hub™ app (formerly the AirWatch Agent®), Workspace ONE App Catalog™, or Customer application catalogues. These mobile applications may be public applications or internally-created applications. Information collected in connection with Customer-Managed Applications may include:
- Names and details of Customer-Managed Applications installed on the device, such as application name, version number, file size, configuration settings, installation progress status, app failure error codes, etc.
- Technical data generated from the use of Customer-Managed Applications, such as launch activities, clickstream data, crash reports and log files, which may contain personal data about the User.
Data about Personal Applications: “Personal Applications” are the applications Users purchase or download from a public app store (e.g. the Apple App Store, the Google Play Store) to their devices. They are not automatically pushed to the User’s devices by Customer and are not managed via UEM. Depending on how the Customer has configured UEM, UEM may collect limited details about Personal Applications to assist the Customer in knowing/verifying that its Users do not download Personal Applications which may pose a security threat. UEM does not collect or have access to any data inside any Personal Applications. The information collected about Personal Applications may include:
- Name, version, identifier, and total size of Personal Applications installed on the device
File Manager Access: File manager access is functionality that allows read only access to a device’s internal and external storage. Certain mobile applications (such as Workspace ONE® Content, formerly known as VMware Content Locker) may request file manager access from a User so that data may be synced between the User’s device and the Customer’s systems, files could be attached to emails that the User wants to send, etc. When enabled, UEM may collect the contents of the device storage, including the SD card and locally stored files. Depending on how the Customer has configured UEM, certain applications like Workspace ONE Assist may have read and write access to the device file system based on the platform type and the permissions granted by the User.
Telecom and Network Information: UEM may collect certain telecom data, such as carrier information, roaming status, and networks being used. This information helps the Customer know how the device is connected, to communicate with the device, and to enforce any restrictions implemented by Customer in its use of UEM, such as preventing large applications from automatically being pushed to a device that is roaming. Depending on how the Customer has configured UEM, this telecom and network information may include the following:
- Carrier information (including carrier settings versions, phone number, signal strength, roaming status, current and subscriber mobile country code and country location, current and subscriber mobile network code, SIM Carrier Network information, etc.)
- Information about the device’s cellular technology (such as its Global System for Mobile Communications Standard (“GSM”) and Code Division Multiple Access (“CDMA”))
- SSID, Internet Protocol (“IP”) and Media Access Control (“MAC”) addresses for the Wi-Fi network being used
- Amount of data used by the network connections, cellular data usage, and aggregated information about Wi-Fi bandwidth consumption (excluding content)
Communication Data: The Customer may configure UEM to collect usage information, such as the number of calls and text messages sent or received. This information may assist the Customer in managing SMS limits on the Customer’s cellular plan. UEM does not collect or have access to the contents of text messages, phone calls, or personal email accounts. Depending on how the Customer has configured UEM, this communications data may include:
- The amount of data used, the number of SMS sent or received, phone call usage statistics (number of calls sent or received, duration of calls), broken down on an enrolled device phone number basis
- Name of sender, name of recipient, date, time
Geo-location Data: Depending on how the Customer has configured UEM, UEM may collect geo-location data. By default, it does not collect geo-location data. UEM enables the Customer to collect geo-location data as it may enable a Customer to locate lost devices or to distribute functionality and content based on certain geo-fenced locations. Depending on the operating system and platform of the device, the User may be presented with an operating system notice, asking for the User’s consent to collect geo-location data. The User can change their selection by going into their device settings and revoking the geo-location permission.
Data via Remote Access: The Customer can use UEM to establish remote control access, which allows a Customer’s IT administrators to assist in troubleshooting a User’s device issue by remotely taking control of the device. A remote-control application must be installed on the device and, depending on platform and configuration, remote control may need to be approved by the User at the time when remote control is to be taken. This functionality enables the Customer to remotely access or control the device, including the use of remote locks, screen capture, remote device reboots or remote restart (for the device or applications).
ii. Additional Data for Specialized VMware Mobile App Functionality
VMware provides various mobile applications in connection with UEM (“VMware Mobile Apps”). Some of these VMware Mobile Apps collect or share additional data in order to support their specialized functionality. For example, VMware Mobile Apps that provide VPN or internet browsing functionality (such as Boxer and Web) collect the URLs visited through those VMware Mobile Apps. The data collected and shared will vary depending on the functionality provided by the mobile application, as detailed further in the product documentation. Below are some examples of this additional data collected by specific VMware Mobile Apps:
- VMware Workspace ONE® Boxer. Workspace ONE Boxer provides access to enterprise email, calendar and contacts. Boxer does not host the email or calendar content; instead, Boxer provides direct communication between the Customer’s backend email system and the User’s device. To operate, Boxer collects certain email header information (such as sender/recipient name, date, time, subject line, etc.) If configured to do so, Boxer has access to User device calendars to overlay the User’s corporate calendar and access to User device contacts to display them in Boxer as well as to write corporate contacts to the device contact app for call identification purposes. Boxer may also be configured to collect header information and snippets of the email body in order to generate a contextual notification and send to a User’s mobile device to deliver updates of incoming messages. The User can enable/disable these features via the UEM Console and mobile device operating system settings.
- VMware Workspace ONE® Web. Workspace ONE Web provides Users with secure VPN access to internet and intranet sites. It may also provide single sign-on capabilities allowing Users with access to the Customer designated web sites and web apps without the need to enter credentials. Web enables direct communication between Web on the User’s device and Customer’s backend systems. To operate, Web collects certain additional information such as the browser information and browsing history on the User’s device. Web records the URLs of websites and web pages viewed using Web but Webdoes not give VMware access to the content viewed using Web. (For clarity, UEM may have access to that content to the extent the Customer maintains the content in VMware Hosted Services.)
- VMware Workspace ONE® Content. Workspace ONE Content allows Customer content to be uploaded, stored, edited, shared and accessed from a User’s device. The content is stored in a corporate container on the User’s device or in a managed server-side repository, which the Customer may host using UEM (either On-Prem or in the Hosted Service, depending on the Customer’s deployment) or which the Customer may maintain in third-party services. The Content mobile app allows the User to securely access, distribute and collaborate on content from their device. The Customer may configure Content to allow or limit access to certain content. If Content is used, UEM will have access to data such as the date and times when files are accessed and shared, file size, file names, a history of User actions inside the Content, and details regarding with whom the User interacts through Content. Content has a geo-fencing feature that allows the Customer’s IT administrators to place geo-fencing restrictions on access to content stored in Content. The geo-fencing feature does not transmit the User’s geo-location data to the Console; instead, the Content mobile application uses the geo-location data locally on the device to perform the geo-fencing.
- VMware Workspace ONE® Assist™. The Workspace ONE Assist application provides Customer’s IT and support personnel with the ability to remotely view and control the device screen and applications, managed files and run commands with the User’s permission. Assist also provides the ability to capture screenshots and record the device screen for troubleshooting and training purposes. The level of access is configurable by the Customer.
- OEM Supplements to Agent App. For certain Customers, VMware operates customized OEM (Original Equipment Manufacturer referring to the hardware or platform manufacturer) mobile applications that accompany its standard Workspace ONE Intelligent Hub, used for mobile device management. These OEM mobile applications may offer additional functionality and collect additional data points based on the Customer’s and/or device’s specifications. For example, this may include information about carrier codes, battery health, and other data related to the Customer’s device or product specifications.
iii. Software Development Kit (SDK). The Workspace ONE Software Development Kit (“Workspace ONE SDK”) is a code library that mobile app developers can use to build security, configurations and management capabilities into their own, non-VMware mobile applications. Apps that use the Workspace ONE SDK collect and transmit certain data back to VMware, such as identity and authentication information and device information as described above, as well as crash reporting data and analytics data as described below. When an app uses the Workspace ONE SDK to provide tunneling functionality, the app also transmits to VMware’s systems the URLs of the sites accessed using that tunneling functionality. Developers of third-party apps that use the Workspace ONE SDK also may configure the Workspace ONE SDK to collect other custom data points as they determine in their discretion. This Privacy Disclosure describes only VMware’s collection of user data from the Workspace ONE SDK; it does not address the practices of third-party developers that may incorporate the Workspace ONE SDK into their non-VMware mobile apps.
d. Device Wiping
UEM allows for two different types of device wiping:
- Enterprise Wipe – An Enterprise Wipe deletes all Customer-Managed Applications and any information stored in the Customer-Managed Applications. Enterprise Wipes will not remove Personal Applications or photos, videos, text messages, or personal email stored in Personal Applications.
- Full Device Wipe – A Full Device Wipe is a complete full factory reset. Full Device Wipes will remove all data and applications from the device.
The Customer’s IT administrator may select which device wiping feature is enabled and can perform these wipes from the Console, either manually or via an automated compliance action. The ability to perform a Full Device Wipe for a device cannot be turned on for a particular device after enrollment, meaning if the setting is off when the User enrolls the device, the Customer cannot perform a Full Device Wipe on a User’s device even if the Customer enables the Full Device Wipe setting in the Console. Depending on the Customer’s configuration, Users may be able to choose to perform an Enterprise Wipe on their devices from the self-service portal.