English (US)
Log in
GETTING STARTED
Get your whole company connected in as little as 5 weeks.
Choosing Workplace
Let's get into all the reasons that Workplace is the right choice for your business.
Solutions
From leveling-up company communication to building a better culture, we’re here to solve your toughest challenges.
Customer Stories
Find out how organizations like yours are using Workplace to solve their most important business challenges.
Why Workplace
Why Workplace? Because it's familiar, mobile, secure, integrated and connects everyone. Why else?
Diversity & Inclusion
We’re doing our bit for a better world by making sure every employee feels seen, heard and valued.
How can Workplace help you?
From leveling-up company communication to building a better culture, we’re here to solve your toughest challenges.
Business Communication
Our easy-to-use tools will make your most important messages unmissable, and your intranet inspirational.
Employee Engagement
Ditch the email for more engaging company-wide conversations that give every employee a voice.
Strengthen Culture
Show people you’re committed to culture by empowering everybody to be the best version of themselves.
Getting Connected
Bring your entire organization together on Workplace, even if they don't have an email address.
Frontline Workers
61% of frontline managers say there’s a disconnect in communication with head office. We help close the gap.
Remote Working
37% of US employees will be working remotely by 2022. We help people stay connected even when they're apart.
Hybrid Working
Whether your employees are in the office or working from home, Workplace keeps people informed, productive and connected to your company's culture.
HR
Attract, train and keep the best talent
Comms
Share information and engage employees
IT
Securely connect everyone, everywhere
Enterprise
Make your large company feel smaller
Browse All
Organizations of all shapes and sizes are gaining a competitive edge with Workplace. Find your favorite story.
Podcasts
Check out this selection of Pioneer Podcasts to hear some of our favorite success stories straight from the horse's mouth.
TECHNICAL RESOURCES CENTER
Need help with setting up Workplace, managing domains or other technical info? Look no further.
Customer Resource Center
Just launched Workplace and not sure what to do next? We've got everything you need right here.
Technical Resources
You don't have to be an IT genius to launch Workplace, but if you are then these technical resources are for you.
In-depth hubs
Our resource hubs will help you master some of Workplace's most popular features and embrace new ways of working.
Help Center
Find step-by-step instructions and answers to frequently asked questions.
Start using Workplace
From step-by-step tutorials to in-depth launch guides and toolkits, you’ll find all the resources you need right here so you can hit the ground running.
Business Communication
From launching your Knowledge Library, to sharing company news, updates and more - we’ve got all the training you need to help you strengthen your business communications on Workplace.
Employee Engagement
Create a real connection between your teams, their work, and the rest of your organization with some of these tips and tricks.
Strengthen Culture
Strengthen your organization’s culture by celebrating the people behind the work, and build a real community on Workplace.
Set up Guides
From adding a domain to inviting users, follow this step-by-step guide to set up your Workplace.
Domain Management
Find out why domain management matters - and how to do it properly.
Workplace Integrations
Discover how to bring all your tools together. Something missing? Learn how to build your own integrations.
Account Management
Keep your Workplace up to date by creating, maintaining or deactivating user accounts.
Authentication
Make sure you only give access to the right people by integrating with your current identity solutions.
IT Configuration
Learn how to keep Workplace running smoothly with info on networks, email whitelisting and domains.
Account Lifecycle
Understand the process of inviting members of your organization to claim their accounts.
Security and Governance
Get the lowdown on how we keep your people and information safe on Workplace with added technical terminology.
Workplace API
Learn how you can automate and integrate your custom solutions with Workplace using our API.
Live Video resources
Looking to use Live Video to transform your Town Halls? This is the place to get tips, guides and practical insights.
Knowledge Library resources
Wish your intranet was a little more inspiring? Use these Knowledge Library resources to get started.
Working from Home with Workplace
So you've embraced remote work - now what? Stay on top of your game with these guides, videos and customer stories.
New rules of engagement
Turn hybrid teams into high-performing teams by learning more about the new rules of employee engagement.
Getting started
From launching Workplace to paying for it, learn more about those crucial first steps.
Using Workplace
This is where we reveal the hidden depths Workplace has to offer with tips and info on key features.
Managing Workplace
Got a specific question about managing content, data or employees? This is the place to ask it.
IT and Developer Support
Looking for answers to more technical questions about security, integration and the like? Start here.
Integrations
    Security
      Interactive Demo
        Customer Stories
        Workplace for Good
          Pricing Plans
            ROI Calculator
              Events & Webinars
                Ebooks & Guides
                  Newsroom
                    Workplace One Partner Program
                      Service & Reseller Partners
                        Workplace Academy
                          Support
                            Customer Communities
                              What's New in Workplace
                                English (US)

                                Security and Governance

                                Understand how your organization can control and protect your accounts.

                                Overview

                                Overview

                                Workplace's iOS and Android applications include security capabilities that give your organisation the option apply additional security checks as well as placing limits on copying or removing information from the apps. These restrictions can provide additonal guardrails that help keep sensitive company content isolated, especially when Workplace is accessed from a personal rather than a corporate device.

                                You can read more about Workplace's Mobile Security capabilties in general and the different modes of deployment in the Mobile Security deployment approaches.

                                Workplace and EMM

                                Workplace and EMM

                                This section discusses the activation of Workplace Mobile Security restrictions using the application configuration capabilities of Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) platforms. The documentation below applies only to either corporate or personal (BYOD) devices which are enrolled in these platforms. For further details on the enrollment requirements and provider specific information see integrating with your EMM Solution.

                                The Workplace-specific app configuration is described in the App Supported Configuration section, and the device-specific configuration is described in the OS Supported Configuration section.

                                Integrate with your EMM Solution

                                Integrate with your EMM Solution

                                Corporate devices must be registered and enrolled in an EMM solution. For Android devices, this means that they must have a work profile.

                                Once the device is enrolled, you have to follow these steps to configure and deploy Workplace Apps:

                                1
                                Register Workplace applications on EMM
                                In the apps section of the EMM solution, add Workplace and Workplace Chat as managed apps. Two applications per platform – iOS and Android – should be added.

                                2
                                Manage the access to the apps
                                Pick which users should have access to the Workplace applications.

                                3
                                Create a Configuration policy
                                In the app configuration section of the EMM solution, create a new Key Value (KV) pair configuration set following AppConfig guidelines.
                                See the section on OS Supported Configurations and App Supported Configurations for configuration values.

                                4
                                Assign the configuration policy
                                Assign the configuration policy created in the previous step to the Workplace apps and apply the policy to all the users of the Workplace apps.

                                5
                                Push the app to a device and test

                                For specific instructions, refer to the documentation of your own EMM:

                                VMWare
                                SAP
                                MobileIron
                                IBM
                                SOTI
                                JAMF
                                Blackberry
                                Microsoft Intune
                                App Supported Configuration

                                App Supported Configuration

                                The app supported configuration that can be set on Workplace via EMM adheres to the specifications defined by the AppConfig Community, which is a standards body formed by many of the leading EMM vendors and application providers. AppConfig members include VMWare, SAP, MobileIron, IBM, SOTI, JAMF and Blackberry. The Workplace apps are configurable by any of these solutions.

                                If your EMM solution is not a member of AppConfig, see the section on Support for non-AppConfig vendors.

                                Following the AppConfig standards, the Workplace apps support the ability to be pre-configured with Key Value Pairs (KVPs).

                                ?
                                Some keys should be mapped to a dynamic variable within the EMM solution representing the required value.

                                The KVPs (Key Value Pairs) that Workplace supports are listed below.

                                Key

                                Expected Value

                                Platform

                                Description

                                emailAddress

                                {wp_account_email_address}

                                iOS, Android

                                Represents the Workplace username of the device’s assigned user.

                                enableExternalBrowserSupport

                                YES

                                iOS, Android

                                Defines whether the links on the Workplace apps should be opened with a predefined browser app or with the default in-app browser. Requires externalBrowserURLScheme to be set.

                                externalBrowserURLScheme

                                {external_browser_app_http-url_scheme} or {android_app_id}

                                iOS, Android

                                Defines which browser app should be used to open urls on the Workplace apps. Requires enableExternalBrowserSupport to be set to YES.

                                enableAppLock

                                True/False

                                iOS, Android

                                Defines whether the user will be challenged to use fingerprint or face recognition when opening or returning to the Workplace applications. Enabling this feature ensures encryption (device-level) of Workplace contents.

                                timeBeforeShowingAppLock

                                0/1/15/60

                                iOS, Android

                                Time (in minutes) after which the reauthentication challenge will be required. A value of 0 means a challenge ever time.

                                disableCopyPaste

                                True/False

                                iOS, Android

                                Restricts people from directly pasting text copied within Workplace apps into other applications.

                                disableDownload

                                True/False

                                iOS, Android

                                Restricts people from downloading files or images from Workplace apps.

                                disableScreenshot

                                True/False

                                iOS, Android

                                Restricts people from taking screenshots and/or recording content in Workplace apps.

                                Email Address

                                i
                                Key: emailAddress

                                This configuration allows Workplace customers to pre-populate the Workplace account’s email that is going to be used in a given device.

                                If a customer knows that a corporate device belongs to a user, they can set this KV pair so the user doesn’t have to input their email address when login into the Workplace apps.

                                The field expects a string with the email of the user , i.e. john.doe@futureofwork.com.

                                Enable External Browser Support

                                i
                                Key: enableExternalBrowserSupport

                                By default, urls and links on Workplace apps are opened on an in-app browser. This configuration allows Workplace customers to define if the urls shared on Workplace should be opened with a different browser app, i.e. secure browser.

                                Managed/Secure browsers will frequently have different configuration and connection policies including per-app VPN, and that is why some customers may want to choose all Workplace linked traffic going to the corporate browser.

                                The field expects a string with YES in uppercase. It requires externalBrowserURLScheme KVP to be set.

                                External Browser URL Scheme

                                i
                                Key: externalBrowserURLScheme

                                This configuration allows Workplace customers to define which browser app should be used to open any url or link shared on Workplace.

                                For iOS, the field expects a string with the http-url scheme used by the external browser app in lowercase.

                                For Android, the field expects a string with the application ID used by the external browser app in lowercase.

                                It requires enableExternalBrowserSupport KVP to be set.

                                Below we offer a list of http-url schemes and Android application IDs for some of the most used browser apps. Check with browser vendors for further indications.

                                Browser

                                iOS http-url scheme

                                Android application ID

                                Apple Safari

                                safari-http

                                -

                                Google Chrome

                                googlechrome

                                com.android.chrome

                                Mozilla Firefox

                                firefox://open-url?url=

                                org.mozilla.firefox

                                Opera

                                opera-http

                                com.opera.browser

                                Microsoft Edge

                                microsoft-edge-http

                                com.microsoft.emmx

                                Microsoft Intune Managed Browser

                                http-intunemam

                                com.microsoft.intune.mam.managedbrowser

                                IBM MaaS360 Secure Mobile Browser

                                maas360browser

                                com.fiberlink.maas360.android.securebrowser

                                VMWare Airwatch Workspace ONE

                                awb

                                com.airwatch.browser

                                Citrix Secure Browser

                                ctxmobilebrowser

                                com.citrix.browser.droid

                                Blackberry Access

                                access://open?url=

                                com.good.gdgma

                                MobileIron Web@Work

                                mibrowser

                                -

                                Require reauthentication

                                i
                                Key: enableAppLock

                                This configuration allows Workplace customers to prompt people opening or returning to the Workplace applications with a biometric challenge. Enabling this setting will ensure encryption (device-level) is enforced.

                                On Android, devices without face and fingerprint login will not be able to log in to Workplace.

                                On iOS, people without Touch ID or Face ID will need to enter the passcode for their device.

                                The field expects a boolean with True or False.

                                Time before requiring reauthentication

                                i
                                Key: timeBeforeShowingAppLock

                                This configuration allows Workplace customers to set the time (in minutes) after which people will receive the biometric challenge to reauthenticate.

                                It requires enableAppLock KVP to be set.

                                The field expects an integer with 0, 1, 15 or 60. If not set or set to an unrecognized value, the time will default to 1. A value of 0 will force a challenge every time the app is opened or returned to.

                                Turn off copy/paste

                                i
                                Key: disableCopyPaste

                                This configuration allows Workplace customers to restrict people from directly pasting text copied within Workplace apps into other applications

                                The field expects a boolean with True or False.

                                Turn off screenshots and screen recordings

                                i
                                Key: disableScreenshot

                                This configuration allows Workplace customers to restrict people from taking screenshots and/or recording content in Workplace apps.

                                On iOS, you can only prevent people from recording content.

                                The field expects a boolean with True or False.

                                Turn off downloads

                                i
                                Key: disableDownload

                                This configuration allows Workplace customers to restrict people from downloading files or images from Workplace apps.

                                The field expects a boolean with True or False.

                                OS Supported Configuration

                                OS Supported Configuration

                                In addition to providing many device security features, most EMM solutions provide application security capabilities that are natively supported by the mobile OS and that can be applied to Workplace. These include:

                                • Remote wipe of the app.
                                • Encryption of app data.
                                • Restrict file export to managed apps.
                                • Prevent backup of app data.
                                • Route all app traffic through VPN (Per-App VPN).
                                • Block jailbroken/rooted devices.
                                • Block screenshots (only Android).
                                • Restrict copy-paste to managed apps (only Android).
                                • Biometric/Pin Reauthentication (only Android).

                                In some cases, customers may require that Workplace access be restricted to managed devices only. In these situations, there are two approaches that can be taken:

                                • Certificate Based Authentication: Distribute a user certificate to the device through EMM and enable 2-factor authentication on the identity provider with the certificate as a required authentication factor.
                                • IP Based Restriction: Configure the Workplace apps to use VPN through EMM and enable a policy on the identity provider limiting access based upon source IP address.
                                Support for non-appconfig.org vendors

                                Support for non-appconfig.org vendors

                                If your EMM solution is not a member of appconfig.org it may still support the use of app configurations, follow these steps:

                                1
                                Check with your EMM vendor on support for iOS managed app configurations.

                                2
                                Verify that the EMM vendor supports the use of a dynamic variable for user email address.

                                3
                                Create an iOS .plist file as shown below and replace the string variable with the email variable from your EMM solution.
                                <plist version="1.0">
                                <dict>
                                <key> emailAddress </key>
                                <string> {EMM_Email_Variable} </string>
                                </dict>
                                </plist>

                                4
                                Upload the .plist file to the EMM solution and associate with the Workplace apps.

                                5
                                Push the app to a device and test.