Configuring the Content Gateway Edge Service: Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.5 and later
VMware Unified Access Gateway 3.3 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This tutorial walks through configuring the Content Gateway edge service on VMware Unified Access Gateway™.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.

Knowledge of additional technologies such as network, VPN configuration,  VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Configuring Content Gateway Edge Services on Unified Access Gateway

Introduction

The Content Gateway provides a secure and effective method for end users to access internal repositories. Using Content Gateway with VMware Workspace ONE® Content (formerly Content Locker) provides levels of access to your corporate content. End users can remotely access their documentation, financial documents, board books, and more, directly from content repositories or internal file shares. As files are added or updated within your existing content repository, the changes immediately display in Workspace ONE Content. Users are granted access to their approved files and folders based on the existing access control lists defined in your internal repository.

Workspace ONE Content not only provides access to on-premises content repositories, but also enables users to have access to multiple cloud repositories.

This section helps you to configure the Content Gateway edge service on Unified Access Gateway.

Procedures include:

  • Enrolling an iOS device
  • Enabling Content Gateway settings in Workspace ONE UEM
  • Deploying Unified Access Gateway and enabling Content Gateway edge service using PowerShell
  • Deploying Workspace ONE Content application
  • Validating access to internal files with Workspace ONE Content

 The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Content Gateway Edge Service on Unified Access Gateway

Before deploying the Unified Access Gateway with Content Gateway, it is important to understand the Content Gateway architecture and deployment models available to provide secure internal access to file repositories from your device fleet.

The Content Gateway works as a edge service on the Unified Access Gateway appliance, and can be configured automatically during deployment of the appliance using PowerShell or after deployment, using the Unified Access Gateway administration console.

The Unified Access Gateway appliance OVF template product, contains several edge services, beyond  Content Gateway. The template includes VMware Tunnel, Web Reverse Proxy, and Horizon. This appliance runs from a VMware standard hardened image.

Content Gateway Deployment Model on Unified Access Gateway

Content Gateway Single and Multi-tier SaaS Model (Content Locker, airwatch, airwatch content locker, vmware content locker)

The Content Gateway can be deployed in one of two configurations:

  • Basic Mode consists of a single Unified Access Gateway appliance, typically situated in the DMZ, where devices can connect to the appropriate port for each feature, authenticate with a certificate issued from the Workspace ONE UEM Console, and connect to internal sites.
  • The Cascade Mode option allows devices to authenticate to the front-end Content Gateway on the Unified Access Gateway appliance located in the DMZ, then connect to the back-end Content Gateway enabled on another Unified Access Gateway appliance over a single port and then access internal resources.

1. Basic Model

Content Gateway Single-tier Model (Content Locker, airwatch, airwatch content locker, vmware content locker)

The Basic deployment model includes a single Unified Access Gateway appliance, as you can enable VMware Tunnel on port 443 as well, VMware Tunnel and Content Gateway require distinct host names on the Unified Access Gateway appliance.

The default port for Content Gateway is 443 as TLS Port Sharing is enabled by default on Unified Access Gateway. When TLS Port Sharing is disabled, Content Gateway listens on port 10443.

These ports are secured with a public third-party SSL certificate, which includes the subject name of the server host name.

 

2. Cascade Model

Content Gateway Multi-tier Model (Content Locker, airwatch, airwatch content locker, vmware content locker)

The Cascade deployment model architecture includes two instances of Unified Access Gateway with  Content Gateway enabled on each. In cascade mode, the front-end server resides in the DMZ and communicates to the back-end server in your internal network.

The flow is as follows:

  1. The Content Gateway requests originate from port 443 when TLS Port Sharing is enabled on the front-end Unified Access Gateway, and forward the traffic to the Content Gateway service on local port 10443.
  2. Content Gateway authenticates the device and forward the request to the back-end Content Gateway based on the port and hostname configured on Workspace ONE UEM, and not based on 10443, which is just a local port used by Content Gateway service on the appliance
  3. As the back-end appliance receives the incoming traffic and use 443, it will perform the same local redirect mentioned on item #1 and then access the internal resource request by the device/users.

Architecture

The architectural diagram below shows an example environment which emulates a typical environment, including DMZ and internal networks.

In this example, external requests to the vApp are sent to the vPod Router, which directs those requests to the appropriate resource based on the incoming port. Ports 4000-6500 are reserved for the environment components so all traffic coming in on these ports is forwarded to your Unified Access Gateway appliance's appropriate edge service. In addition, ports 443 and 9443 are forwarded to the Unified Access Gateway appliance over the respective ports.

The vApp Networks (internal, DMZ, and transit) are created within the vApp.  The internal and transit networks are NATed to the SE-UCS-Network for outbound internet connectivity while the DMZ network routes through the vPodRouter for inbound and outbound access. Note that the vPodRouter does not have a NIC on the Internal network and therefore cannot route external traffic to resources on the internal network.

vPod Router | ESXi01 6.5.0 U1 | Control Center | vCenter Server 6.5 U1 deployed in the ESXi01

1. Architecture Overview Diagram

The following architectural diagram shows an example of two major networks that you can deploy your servers into. For this set of exercises, you deploy the Unified Access Gateway appliance on a DMZ and assign the respective NICs.

HOL Architecture Overview (Content Locker, airwatch, airwatch content locker, vmware content locker)

At the top of the diagram is vCenter Networking. At the bottom of the diagram is the vApp network required to support the environment. For these exercises, the focus is on the network hosted on the ESXi, and represented by the following three networks:

  • VM Network & Management: Represents the dedicated network to access the Management Console
  • Internal Network: Represents the internal network on 172.16.0.x range. The Control Center, ESXI, and vCenter are part of the internal network.
  • DMZ Network: Represents the DMZ network on 192.168.110.x which is where the Unified Access Gateway appliance is to be deployed. The Unified Access Gateway Internet-facing NIC is associated to this network.

High-level Overview of Traffic Routing

The architectural diagram is based on two ports and two host names that route through the F5 load balancer. In this example, non-standard ports are used for these services in the 6000 - 6500 port range, due to F5 configuration for an internal network.

The next steps detail how the traffic is routed:

  1. The host names ( pool##.airwlab.com) are CNAMEs that point to the external IP of the F5.  When these host names are resolved, they are routed to the F5 to be inspected and forwarded to the internal networks.
  2. If the request includes only the host name ( pool##.airwlab.com), the F5 uses the Hostname iRule. This Hostname iRule inspects inbound traffic to the F5 over port 443 (HTTPS). The traffic is decrypted using the *.airwlab.com SSL certificate and chain. The Hostname iRule then inspects the traffic, re-encrypts the traffic using the SSL certificate and chain, and then routes the inbound request to the appropriate destination server based on the host name of the request. This process is known as SSL Bridging, which is not supported by Per-App Tunnel.
  3. If the request includes the host name and port ( pool##:airwlab.com:6000), the F5 uses the Port iRule. This Port iRule inspects inbound traffic to the F5 over non-443 ports. Unlike the Hostname iRule, the Port iRule parses the request for the port number and then routes the inbound request to the appropriate destination server based on the port of the request. This process does not involve decrypting or re-encrypting the traffic; it forwards the request to the desired destination. This process uses SSL Passthrough.
  4. From the F5 Hostname or Port iRules, the traffic is forwarded to the configured IP address.
  5. The vPodRouter is configured to forward Unified Access Gateway traffic to the 192.168.110.20 IP address over the DMZ Network.
  6. The Nested DMZ Network (192.168.110.0 on vmnic2) is provided by NIC 2 on the ESXi-01 Host (192.168.110.160).
  7. The request reaches the nested Unified Access Gateway appliance deployed on 192.168.110.20.

Avoid SSL Bridging

In this example, non-443 ports are used for VMware Tunnel and Content Gateway to avoid decrypting and re-encrypting the traffic because this is not supported with Per-App Tunnel. In other scenarios, you would use the standard ports where possible. This exercise demonstrates that the ports for both services can be configured to work within the architecture.

2. Network Interfaces

Unified Access Gateway supports deployments with one, two, or three NICs. This means that the server can be partitioned to receive traffic on a single interface or to route traffic to different interfaces, based on the source of the request. Most often, if you need to implement multiple NICs, you already follow this standard with other web applications in your organization.

You must determine what is appropriate for your environment when selecting the number of NICs during installation. It is important for you to understand the expected behavior when two or three NICs are enabled.

To explore these options, see Deploying VMware Unified Access Gateway: VMware Workspace ONE Operational Tutorial.

3. General Considerations

In the exercises for deploying the Unified Access Gateway server through vSphere, the vCenter setup is hosted in a nested template. This is not usually the case when working with users in a live environment.

User environments can include multiple networks and can optionally have a Network Protocol Profiles (NPP) that corresponds to the networks to connect to the Unified Access Gateway. Prior to version 3.3, NPP was a requirement. Since version 3.3, NPP is no longer required.

Note: Keep in mind that the Unified Access Gateway requires a netmask, default gateway, and subnet to be defined for each network enabled during deployment.

Prerequisites

Before you can perform the steps in this exercise, you must install and configure the following components:

  • VMware AirWatch 8.4 and later or VMware Workspace ONE UEM 9.5 and later
  • VMware vSphere ESX host with a vCenter Server (vSphere 6® and later)
  • vSphere data store and network to use
  • PowerShell script running on Windows 8.1 or later machines, or Windows Server 2008 R2 or later
  • Windows machine running the PowerShell script with VMware OVF Tool command installed (see OVR Tool Software Download to install OVF Tool 4.3 or later)
  • Unified Access Gateway PowerShell script, such as  uagdeploy-VERSION.ZIP, available at my.vmware.com, after download extract the files into a folder on your Windows machine)
  • iPhone, iPad, and iPod Touch devices running iOS 9.0 and later

Ensure the following settings are enabled in the Workspace ONE UEM Console:

  • Organization Group created and set as Customer Type 
  • Device Root Certificate issued
  • REST API Key generated at the Organization Group where VMware Tunnel will be enabled

Logging In to the vSphere Web Client

To perform most of this exercise, you need to log in to the vSphere Web Client.

1. Launch Chrome Browser

Launch Chrome Browser (Content Locker, airwatch, airwatch content locker, vmware content locker)

Double-click the Google Chrome browser icon on the desktop.

2. Authenticate to the vSphere Web Client

Authenticate to the vCenter vSphere Web Client (Content Locker, airwatch, airwatch content locker, vmware content locker)
  1. Launch the Chrome browser from your desktop and click the bookmark for vSphere.
  2. Enter the username, such as administrator@vsphere.local.
  3. Enter the password, such as VMware1!.
  4. Click Login.

After completing the login, you are presented with the vSphere Web Client.

Logging In to the Workspace ONE UEM Console

To deploy a 3rd party macOS app, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

Launch Chrome Browser (mobile connector, coupa tutorial)

On your desktop, double-click the Google Chrome icon.

3. Authenticate In to the Workspace ONE UEM Console

Workspace ONE UEM login screen for Android enterprise enrollment
  1. Enter your Username, for example, administrator.
  2. Click Next. After you click Next, the Password text box is displayed.
Workspace 1 login (mobile connector, coupa tutorial)
  1. Enter your Password, for example, VMware1!
  2. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

Retrieving the Group ID from the Workspace ONE UEM Console

In this activity, retrieve your Group ID from the Workspace ONE UEM Console. The Group ID is required when enrolling your device.

In the Workspace ONE UEM Console:

  1. To find the Group ID, point your mouse over the Organization Group tab at the top of the screen.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

Enrolling an iOS Device

In this section, enroll your iOS device in Workspace ONE UEM by installing the Workspace ONE Intelligent Hub (formerly the AirWatch Agent). A Group ID is required to complete enrollment. See Retrieving Your Group ID from the Workspace ONE UEM Console.

1. Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

Download/Install AirWatch MDM Agent Application from App Store - IF NEEDED

Note: Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does not have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

2. Launch the Workspace ONE Intelligent Hub

Launching the AirWatch MDM Agent

Launch the Hub app on the device.  

3. Enter the Server URL

  1. Enter the Server URL for your Workspace ONE UEM environment.
  2. Click Next.

Click the Server Details button.

4. Enter the Group ID for Workspace ONE Intelligent Hub

Return to the Workspace ONE Intelligent Hub application on your iOS Device,

  1. Enter your Group ID for your Organization Group for the Group ID field.
  2. Tap the Next button.

Note: On an iPhone, you may have to close the keyboard by clicking Done to click the Next button.

5. Enter User Credentials

Authenticate the AirWatch MDM Agent

You now provide user credentials to authenticate to Workspace ONE UEM.

  1. Enter the Username, for example, testuser.
  2. Enter the Password, for exmaple, VMware1!.
  3. Tap Next.

6. Redirect to Safari and Enable MDM Enrollment in Settings

The Workspace ONE Intelligent Hub prompts you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

7. Allow Website to Open Settings (IF NEEDED)

If you are prompted to allow the website to open Settings, tap Allow.

Note: If you do not see this prompt, ignore this and continue to the next step. This prompt occurs only for iOS devices on iOS 10.3.3 or later.

8. Install the Workspace ONE MDM Profile

Install the MDM Profile

Tap Install in the upper-right corner of the Install Profile dialog box.

9. Install and Verify the Workspace ONE MDM Profile

Install and Verify the AirWatch MDM Profile

Tap Install when prompted on the Install Profile dialog.

10. iOS MDM Profile Warning

iOS MDM Profile Warning

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

11. Trust the Remote Management Profile.

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

12. iOS Profile Installation Complete

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper-right corner of the prompt.

13. Workspace ONE UEM Enrollment Success

AirWatch Enrollment Success

Your enrollment is now complete. Tap Open to navigate to the Workspace ONE Intelligent Hub.

14. Accept the Workspace ONE Intelligent Hub Notice

Tap Done to confirm the notice and continue.

15. Accept Notifications for Hub (IF NEEDED)

Tap Allow if you get a prompt to allow notifications for the Hub app.

16. Accept the App Installation (IF NEEDED)

Accept the App Installation (IF NEEDED)

You may be prompted to install a series of applications. If prompted, tap Install to accept the application installation.

17. Confirm the Privacy Policy

Tap I Understand when shown the Privacy policy.

18. Accept the Data Sharing Policy

Tap I Agree for the Data Sharing policy.

19. Confirm the Device Enrollment in the Hub App

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM. Continue to the next step.

Enabling Content Gateway Settings on Workspace ONE UEM Console

When the Content Gateway edge service is enabled on the Unified Access Gateway appliance, it retrieves the Content Gateway configuration from Workspace ONE UEM. Therefore, the Content Gateway must be configured first in the Workspace ONE UEM Console, prior to deployment of the Unified Access Gateway appliance.

This section helps you to configure Content Gateway in Workspace ONE UEM Console.

1. Open All Settings

Open All Settings
  1. Select Groups & Settings.
  2. Select All Settings.

 

2. Enable Content Gateway

Enabling Content Gateway
  1. Select System.
  2. Select Enterprise Integration.
  3. Select Content Gateway.
  4. Change the setting to Override.
  5. Select Enabled for Content Gateway.
  6. Click Save.
  7. Click Add.

3. Add Configuration

Configuration Type
  1. Select UAG for Installation Type.
  2. Select Basic (Single-Tier) for Choose Configuration Type.
  3. Enter a Name, for example, Content Gateway on UAG.
  4. Enter the Content Gateway server host name (for example, https://contentgateway.vmware.com) for Content Gateway Endpoint Address.
  5. Enter a port number for Content Gateway Endpoint Port.
  6. Click Upload and select your certificate.
  7. Click Save.

4. Obtain Content Gateway Configuration GUID

Content Gateway Configuration added
  1. Select the Content Gateway configuration that you just added.
  2. Select More Actions and select Download Unified Access Gateway, which redirects to the Workspace ONE Resources portal where the Unified Access Gateway virtual appliance OVF package is hosted.
  3. Copy the Content Gateway Configuration GUID—this is required to enable the Content Gateway edge service on Unified Acces Gateway.

Extract the ZIP file on the Windows machine where you will install Unified Access Gateway.

The next section helps you to deploy the Unified Access Gateway appliance OVF through PowerShell and configure the Content Gateway edge service based on the settings configured in Workspace ONE UEM.

Preparing Content Gateway INI Settings for Deployment

This section covers the required INI settings to enable the Content Gateway edge service during the Unified Access Gateway appliance deployment. Ensure you are logged in to the machine where you will install Unified Access Gateway. Extract the contents of the Unified Access Gateway ZIP file on this machine.

1. Configure the General Deployment Settings

The INI file contains all the configuration settings required to deploy the Unified Access Gateway appliance.

This exercise uses the uag-CG.ini file and is configured for a Unified Access Gateway appliance called UAG-CG, that has two NICs—NIC one is set to internet facing and NIC two for back end and management.

The INI file is located in the Unified Access Gateway installer ZIP package downloaded in the previous exercise.

2. Edit the INI File

Editing UAG-2NIC.ini

Navigate to your Unified Access Gateway INI file. In this example, the INI file is located in UAG Resources.

  1. Click the File Explorer icon from the task bar.
  2. Select Desktop.
  3. Select UAG Resources.
  4. Right-click the INI file, for example, uag-CG.ini.
  5. Select Edit with Notepad++.

3. General and Network Settings

INI File

In this example, the settings are already filled out. The General section includes details such as deployment location and network configuration for the Unified Access Gateway appliance.

The SSLCert and SSLCertAdmin sections contain SSL certificate location for the administrator and Internet interfaces.

4. Configure Content Gateway Settings

AirWatch settings

The AirWatchContentGateway section contains the required parameters to enable Content Gateway edge service on your Unified Access Gateway appliance.

  1. Paste the Content Gateway configuration GUID for cgConfigId. You copied this value in the previous exercise.
  2. Enter the apiServerUsername, for example, apiuser.
  3. Enter the apiServerUrl, for example, https://v9.airwlab.com.
  4. Enter the apiServerPassword, for example, VMware1!.
  5. Enter the airwatchServerHostname, for example, https://pool###.airwlab.com.

If you do not provide the apiServerPassword as part of the INI settings, the administrator must enter the password in the Unified Access Gateway administration console.

Deploying Unified Access Gateway Appliance

After you have configured the INI file for your Unified Access Gateway deployment, the next step is to run the PowerShell script passing the INI as a parameter.

1. Open PowerShell

Open PowerShell

Click the PowerShell icon.

2. Deploy Unified Access Gateway Using PowerShell

Running the script

After you run the script, it prompts for input.

  1. Navigate to the folder containing your INI file. For example, enter cd '.\Desktop\UAG Resources' then press Enter.
  2. Enter the following command line, replace the INI filename with the one you have used.
.\uagdeploy.ps1 .\uag-cg.ini 
           -rootPwd VMware1! 
           -adminPwd VMware1!
           -disableVerification false
           -noSSLVerify false
           -ceipEnabled yes
           -awContentGatewayAPIServerPwd <password>
  • -rootPwd - set the root password for the Unified Access Gateway appliance.
  • -adminPwd - set the admin password for the REST API management access.
  • -disableVerification - perform validation of signature and certificate.
  • -noSSLVerify - perform SSL verification for the vSphere connection.
  • -ceipEnabled - Join the VMware Customer Experience Improvement Program ("CEIP") program.
  • -awAPIServerPwd - API password for the respective configured API user under AirWatch section of the INI file.

Note: 3. You might get prompted to enter the password related to the certificates defined on the SSLcert and SSLcertAdmin settings. Certificates can be passed in PEM format using the pemCerts and pemPrivKey settings for the SSLCert and SSLCertAdmin sections of the INI file.

If the -awContentGatewayAPIServerPwd is incorrect, you will get prompted to enter the correct password for the UEM API account.

The deployment starts and you can follow the progress on the same window or on your vSphere Web Client, which you opened at the beginning of this tutorial.

3. Confirm the PowerShell Script Deployment Completes

Deployment finished
  1. Confirm the deployment has been completed successfully. The Completed successfully text is shown in the output.
  2. Click Close.

After a successful deployment, the script automatically powers on the VM UAG-2NIC-CG.

The Received IP address presented by the script log is a temporary IP; the final IPs for NIC one and NIC two are assigned to the Unified Access Gateway appliance during the first start. Return to the vSphere Web Client and validate the IP address in the next step.

4. Validate Unified Access Gateway Deployment

Validating UAG Appliance status
  1. Click VM and Templates.
  2. Click UAG-2NIC.
  3. Click View all 2 IP addresses.

Important: If the Unified Access Gateway appliance does not finalize the configuration during the first startup, you receive an error message from vSphere Web Client. If that happens, wait for the appliance to finalize, and refresh the entire Google Chrome browser.

Validating Content Gateway Settings on the Unified Access Gateway Appliance

The Content Gateway is now enabled and running based on the INI settings that you provided during the Unified Access Gateway deployment.

As an alternative to deploying the Content Gateway using PowerShell, you can use the Unified Access Gateway administration console, which allows you to enable or change the current Content Gateway settings.

This section helps you to validate the Content Gateway settings using the Unified Access Gateway administration console.

1. Log In to Unified Access Gateway Administration Console

UAG Admin UI Login
  1. Click the New Tab button to open a new tab.
  2. Navigate to the Unified Access Gateway administration console URL, for example,  https://uagmgt-int.airwlab.com:9443/admin.
  3. Enter the username, for example, admin .
  4. Enter the password, for example, VMware1!.
  5. Click Login.

2. Validate Configuration Settings

Select Configuration Settings

A successful login redirects you to the following screen. Keep this window open as you will return to the administration console later.

Click Select to configure settings manually.

3. Access the Content Gateway Settings

General Settings
  1. Click SHOW, after you click SHOW, it changes to HIDE.
  2. Click the gear icon next to Content Gateway Settings. The circle should be green, which means the Unified Access Gateway appliance and Workspace ONE UEM Console can communicate.

4. Validate the Content Gateway Settings on Unified Access Gateway

Content Gateway Settings

The Content Gateway edge service is enabled based on the configuration defined in the INI file.

You can change the configuration any time, or choose not to configure settings in the INI file and later enable the settings through the Unified Access Gateway administration console.

Each time you change the configuration and Save, the changes are applied to the configuration files and the Content Gateway edge service restarts automatically. Devices cannot communicate with the service during the restart.

Click Cancel.

Setting Up a Content Repository

To grant end-users access to corporate file servers from their devices and keep those files synchronized, IT administrators must configure an Admin repository, an Automatic user-added repository, or a Manual user-added repository. 

Workspace ONE UEM supports integration with various corporate file servers. The syncing method support and requirement of the Content Gateway component vary by repository type.

The following are available syncing methods for repositories:

  • Admin — A repository that is fully configured and synced by an administrator in the Workspace ONE UEM console.
  • Automatic — A repository that is configured by an administrator in the Workspace ONE UEM console, but is synced by end users on their devices.
  • Manual — A repository that gets configured in the UEM console, but relies on the end user to add the link manually and sync the repository on their device.

This exercise helps you to add a network file share as an Admin Repository and make that available to end users through the Workspace ONE Content application. In this example, the network file share is Corp Files. The folder and files names in your environment will differ.

1. Add Content Repository

Add Profile
  1. Select Content.
  2. Select Repositories.
  3. Select Admin Repositories.
  4. Click Add.

2. Define Content Repository Details

Profile Platform
  1. Enter a Name, for example, Corp Files.
  2. Select Network Share for Type.
  3. Enter the Link, for example, \\intranet.corp.local\Corp Files.
  4. Enter the Organization Group, for example, Exercise 02.
  5. Select USER for Authentication Type.
  6. Enter the User name, for example, corp\administrator.
  7. Enter the Password, for example, VMware1!.
  8. Select your Content Gateway, for example, Content Gateway on UAG. Access to this internal repository goes through the Content Gateway that you set up in the previous exercise.
  9. Click Continue.

3. Save Content Repository

Save Configuration

Click Save.

5. Edit Corporate Folder Properties

Edit properties

Although you configured the security configurations on the network file share, Workspace ONE UEM allows you to set up a new layer of security for the content on mobile devices.

  1. Navigate back to the Corp Files folder.
  2. Click Edit for one of your folders.

6. Configure Security Proprierties for Corporate Folder

Allow printing

There are a number of configurations that you can apply to increase security of the asset on the mobile devices. In this example, you edit security for the IT folder, however, you can override the security properties on multiple levels, such as navigating to a specific file.

In this example, you allow the end-user to print any content under the IT Folder from a managed mobile device using Workspace ONE Content.

  1. Select Override.
  2. Select the Allow Printing check box.
  3. Click Save.

Deploying the Workspace ONE Content Application

This exercise helps you to deploy the Workspace ONE Content (formerly Content Locker) application on a managed device from the Workspace ONE UEM Console.

1. Add Application

Add App
  1. Select Apps & Books.
  2. Select Applications.
  3. Select Native.
  4. Select Public.
  5. Click Add Application.

2. Search for Application

Search App
  1. Select Apple iOS for Platform.
  2. Enter Content Locker for Name.
  3. Click Next.

3. Select Application

Select Tunnel

Click Select.

4. Save Application

Saving

Click Save & Assign.

5. Add Assignment

Add Assignment

Click Add Assignment.

6. Configure Assignment

Config Assignment
  1. Enter your assignment group, for example, Exercise 02.
  2. Select AUTO for App Delivery Method.
  3. Select Enabled for Managed Access.
  4. Click Add.

7. Publish Application to Assigned Group

Publish App

Click Save & Publish and then click Publish.

After you click Publish, you should receive a prompt on your device requesting confirmation to install the Workspace ONE Content application. Confirm and launch the application after the installation completes.

 

Validating Access to Internal Files with Workspace ONE Content

After enrollment is complete, ensure that the Workspace ONE Content application is installed on your device. This section helps you to validate access to internal files using Workspace ONE Content.

1. Launch Workspace ONE Content Application

Launch &amp; Enable the AirWatch Tunnel Client

Tap Content to open Workspace ONE Content.

2. Select Corporate Repository

Open Corp Files
  1. Tap the Repositories icon.
  2. Tap Corp Files.

3. Provide User Credentials

Provide user credentials
  1. Enter a User ID, for example, CORP\jdoe.
  2. Enter the Password, for example, VMware1!.

4. Navigate Through Corporate Folders

Launch the AirWatch Browser

Repeat the following steps for each folder you see under Corp Files. You can see the available files in each folder.

Tap the IT folder.

 

5. Open a File in the IT Folder

File under IT Folder

Tap a file to open it.

6. Validate Printing Permission for IT Content

Print
  1. Tap the Share icon. The Print option is available based on the security properties previously defined for the IT folder.
  2. Tap < to return to Corp Files.

7. Open a File in the Finance Folder

File under Finance Folder
  1. Tap another folder in Corp Files, for example, Finance.
  2. Tap a file to open it.

The file is downloaded to your device and opened.

8. Validate Printing Permission for Finance Content

Finance File
  1. Tap the Share icon. The Print option is not available for this file.
  2. Tap < to return to Corp Files.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to configure the Content Gateway edge service for Unified Access Gateway in a Workspace ONE UEM environment. 

The following procedures were included:

  • Configure VMware Content Gateway in the Workspace ONE UEM Console
  • Deploy Unified Access Gateway enabling Content Gateway edge services through PowerShell
  • Add network file share as a content repository in Workspace ONE UEM
  • Define security policies for mobile devices when accessing corporate files in specific folders
  • Use Workspace ONE Content application to access internal files

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

About the Author

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Filter Tags

Workspace ONE Unified Access Gateway Workspace ONE UEM Document Operational Tutorial Advanced Deploy Secure Remote Access