This Privacy Disclosure covers VMware's unified endpoint management software, Workspace ONE® Unified Endpoint Management™ (UEM) powered by AirWatch®, including the related VMware mobile applications (collectively, the "Software"). The purpose of this Privacy Disclosure is to inform customers who purchase the Software to perform unified endpoint management ("Customers") and those individuals whose devices are being managed by the Software ("Users") regarding the types of information collected by the Software about Users and their devices.
Users should be aware that the data collected by the Software depends on how the Customer configures the Software. Users should review the Customer's privacy policies or notice. Additionally, VMware and its service providers may collect data when the Software is used, as well as Customer relationship data. VMware uses this data in accordance with VMware's Privacy Notice and VMware's Terms of Service. The Customer is responsible for providing any necessary notices to its Users, and obtaining any legally required authorizations or consents from Users regarding use of the Software.
This Privacy Disclosure may be updated from time to time as new features and functionality are added. We encourage Customers and Users to periodically review this page.
The Software enables Customers to protect the confidentiality, security and integrity of Customer systems and information that are accessed by Users from corporate-owned and User-owned devices. The Software provides the Customer with controls which enable the Customer to manage the access and security of its User's devices. The Software consists of a Customer-specific console, which enables the Customer to manage its Users' devices ("Console") and software that is installed on a User's device, which (i) facilitates communication between the User's device and the Console, and (ii) provides the User with various productivity applications (i.e. an email client, a web browser, etc.). The specific features available to a Customer or a Customer's Users will depend on the specific version/bundle purchased, how the Customer configures the Software, and which devices/platforms (i.e., iOS, Android, Windows, etc.) and mobile applications are used by the Users. The Console may be hosted by the Customer in its own IT environment ("On-Prem") or may be hosted by VMware ("Hosted Service").
The Console provides Customers with controls to assist them in complying with their legal obligations and internal compliance programs and requirements. The specific features available to a Customer or a Customer's Users will depend on the specific version/bundle purchased, how the Customer configures the Software, and which devices/platforms (i.e., iOS, Android, Windows, etc.) and mobile applications are used by the Users. For example, the Customer can set password complexity, password expiration, and the timing for screen lockouts through the Console for the User's device. Customer can also choose to enable different settings for corporate-owned devices and User-owned devices. Some of the other options available to Customers are outlined below:
VMware is constantly updating and improving the Software to include new features and functionality. It is the responsibility of the Customer to ensure it uses the Software in accordance with its internal policies and legal requirements, including providing any required notice to Users and obtaining any required consents.
User data that may be collected by the Software varies depending on the specific version/bundle purchased by the Customer, how the Customer configures the Software, and which devices/platforms (i.e., iOS, Android, Windows, etc.) and mobile applications are used by the Users. Examples of the data that may be collected by the Software are provided below.
In connection with its core enterprise mobility management functions, the Software collects user and device data such as the following:
Identity and Authentication Information
Employment Information
Device Information
The Software also may collect user and device data in connection with the following:
Data about Customer-Managed Applications: "Customer-Managed Applications" are Customer approved applications that are either pushed to User devices by the Customer or made available for download through the AirWatch Agent®, Workspace ONE App Catalog™, Workspace ONE Intelligent Hub™, or Customer application catalogues. These mobile applications may be public applications or internally-created applications. Information collected in connection with Customer-Managed Applications may include:
Data about Personal Applications: "Personal Applications" are the applications Users purchase or download from a public app store (e.g. the Apple App Store, the Google Play Store) to their devices. They are not automatically pushed to the User's devices by Customer and are not managed via the Software. Depending on how the Customer has configured the Software, the Software may collect limited details about Personal Applications to assist the Customer in knowing/verifying that its Users do not download Personal Applications which may pose a security threat. The Software does not collect or have access to any data inside any Personal Applications. The information collected about Personal Applications may include:
File Manager Access: File manager access is functionality that allows read only access to a device's internal and external storage. Certain mobile applications (such as Workspace ONE Content™, formerly known as Content Locker) may request file manager access from a User so that data may be synced between the User's device and the Customer's systems, files could be attached to emails that the User wants to send, etc. When enabled, the Software may collect the contents of the device storage, including the SD card and locally stored files.
Telecom and Network Information: The Software may collect certain telecom data, such as carrier information, roaming status, and networks being used. This information helps the Customer know how the device is connected, to communicate with the device, and to enforce any restrictions implemented by Customer in its use of the Software, such as preventing large applications from automatically being pushed to a device that is roaming. Depending on how the Customer has configured the Software, this telecom and network information may include the following:
Communication Data: The Customer may configure the Software to collect usage information, such as the number of calls and text messages sent or received. This information may assist the Customer in managing SMS limits on the Customer's cellular plan. The Software does not collect or have access to the contents of text messages, phone calls, or personal email accounts. Depending on how the Customer has configured the Software, this communications data may include:
Geo-location Data: Depending on how the Customer has configured the Software, the Software may collect geo-location data. By default, the Software does not collect geo-location data. The Software enables the Customer to collect geo-location data as it may enable a Customer to locate lost devices or to distribute functionality and content based on certain geo-fenced locations. Depending on the operating system and platform of the device, the User may be presented with an operating system notice, asking for the User's consent to collect geo-location data. The User can change their selection by going into their device settings and revoking the geo-location permission.
Data via Remote Access: The Customer can use the Software to establish remote control access, which allows a Customer's IT administrators to assist in troubleshooting a User's device issue by remotely taking control of the device. A remote-control application must be installed on the device and, depending on platform and configuration, remote control may need to be approved by the User at the time when remote control is to be taken. This functionality enables the Customer to remotely access or control the device, including the use of remote locks, screen capture, remote device reboots or remote restart (for the device or applications).
The Software allows for two different types of device wiping:
The Customer's IT administrator may select which device wiping feature is enabled and can perform these wipes from the Console, either manually or via an automated compliance action. The ability to perform a Full Device Wipe for a device cannot be turned on for a particular device after enrollment, meaning if the setting is off when the User enrolls the device, the Customer cannot perform a Full Device Wipe on a User's device even if the Customer enables the Full Device Wipe setting in the Console. Depending on the Customer's configuration, Users may be able to choose to perform an Enterprise Wipe on their devices from the self-service portal.
As part of the device enrollment process, the Software pushes a privacy dialog to the User's mobile device, which enables the User to review a summary of the settings enabled for the Software on their device. In some cases, the User may also have the ability to control the enablement of certain features of the Software, via the self-service portal and/or their device settings. Most VMware Mobile Apps made available by VMware have a privacy dialog that includes (i) an overview of the data collected by the mobile application, (ii) the permissions that the mobile application will request, and (iii) an option to send analytics data to VMware (unless the Customer has disabled the sending of analytics data for all Users). The Software also provides functionality that Customers can use through the Console to provide Users with a link to their privacy notice via the privacy dialog.
The portions of the Software that allow devices to be monitored by the Console run in the background of the devices, and may not provide additional notice when these functions are occurring in real time.
VMware has no direct relationship with the Users whose data it processes in connection with providing the Software and any related services. A User who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to the Customer. If the Customer requests VMware to modify or remove the data, we will respond to the Customer’s request in accordance with our agreement with the applicable Customer or as may otherwise be required by applicable law.
If you have any questions or concerns regarding this Privacy Disclosure, you may write to us at privacy@vmware.com or by mail to: Office of the General Counsel of VMware, Inc., 3401 Hillview Ave, Palo Alto, California, 94304, USA.