Configuring Mobile Flows: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.3 and later
VMware Identity Manager 3.1 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. Workspace ONE simplifies access to cloud, mobile, and enterprise applications from supported devices. As an IT professional, you can use Workspace ONE to deploy, manage, and secure applications. At the same time, you can offer a flexible, bring-your-own-device (BYOD) initiative to your end users from a central location.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM (unified endpoint management), powered by AirWatch, is also helpful.

Configuring Mobile Flows

Introduction

Mobile Flows helps users perform business-critical tasks from a single app — streamlining the user experience.

The components responsible for interacting with business systems are known as Mobile Flows Connectors. Use these connectors out-of-the-box for quick adoption, or customize them to address specific use cases. These connectors surface context-based information from, or quick interactions with, the business systems. For example, the Workspace ONE Connector presents Mobile Flows Cards inviting users to install apps that are missing from the user's device. The Mobile Flows Client Framework is in the VMware Workspace ONE® Boxer app and is responsible for parsing the e-mail body for keywords. When one of the keywords matches, the Workspace ONE Connector requests the application from the Workspace ONE Catalog using a Mobile Flows Card within that particular e-mail. This connector uses application keywords, device UDID, and device platform to request the correct app from the Catalog.

Workspace ONE offers out-of-the-box connectors targeting top use cases with the most popular business systems. The source code for these connectors is open source, so anyone can modify the existing connectors or build their own custom connector using our API spec and sample connectors. Custom connectors can be built in around 250 lines of code or less and can be written in your preferred programming language. Custom connectors allow you to match the data model of your business system and to create business logic that meets the needs of your end users.

The Mobile Flows Client Framework embedded in Workspace ONE Boxer is responsible for parsing the email body for keywords and initiating the Mobile Flows Card within the app. After that, the Mobile Flows Server performs Connector discovery and authentication using the configuration in the Workspace ONE UEM Console.

  1. The VMware Identity Manager instance registers with the Mobile Flows Server.
  2. The application fetches a JSON Web Token (JWT) for authentication.
  3. The application sends a request to the Mobile Flows Server to query details to populate a Mobile Flows Card.
  4. The Mobile Flows Server discovers the Connector and requests content.
  5. The Connector fetches and consolidates business system data for the Mobile Flows Card.
  6. Data is returned to the Mobile Flows Server.
  7. Data is delivered to the app.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and the VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured:

  • Workspace ONE UEM Console 9.3 and later
  • VMware Workspace ONE Boxer 4.12 and later
  • VMware Identity Manager 3.1 and later
  • Workspace ONE Enterprise bundle or mobile flows add-on
  • Enrolled iOS device
  • Access to Microsoft Exchange mailbox

This exercise requires specific account details. Gather the required information, and record it in the following table. The account information provided in the table is based on a test environment. Your account details will differ.

Workspace ONE Enrollment User Account    Example Account Information
User Name                                testuser
Password                                 VMware1!

Exchange Active Sync Account
Email Address                            yourid1234@hol.airwlab.com
Email Password                           VMware1!
Account Name                             HOL Email
Domain                                   hol
EAS Host                                 https://sme.airwlab.com
sAMAccountName                           yourid

Configuring the Remote App Access Template

In this section, watch a video that walks through setting up and configuring the Remote App Access Template in VMware Identity Manager. This template enables applications to request the JSON Web Token (JWT) used to authenticate Mobile Flows traffic.

Note: The video contains no spoken instructions. Refer to the subtitles for instructions about the installation process.

Building a Mobile Flows Connector

Workspace ONE offers open-source Mobile Flows Connectors to interact with the most commonly used back-end systems and popular use cases. They can be used out of the box or as a reference for building custom connectors that enhance features and functionality.

For more information about Workspace ONE Mobile Flows Connectors, see Sample Connectors for VMware Workspace ONE Mobile Flows on GitHub.

In this section, watch a video that walks through setting up and configuring a Mobile Flows Connector. These components fetch data from integrated backend business systems and perform the actions requested by the client application.

Note: The video contains no spoken instructions. Refer to the subtitles for instructions about the installation process.

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate to the Workspace ONE UEM Console

  1. Enter your Username, for example, administrator.
  2. Click Next. After you click Next, the Password text box is displayed.
  3. Enter your Password, for example, VMware1!
  4. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

Integrating Workspace ONE UEM with VMware Identity Manager

VMware Identity Manager can be used to authenticate the information transfer when using connectors for client applications.

Use the Getting Started Wizard to integrate Workspace ONE UEM with VMware Identity Manager.

In the Workspace ONE UEM Console:

  1. Select GETTING STARTED.
  2. Select Workspace ONE.
  3. In the IDENTITY AND ACCESS MANAGEMENT section, find Connect to VMware Identity Manager.
  4. Click Configure.

Follow the steps in the Getting Started Wizard to complete the integration of Workspace ONE UEM and VMware Identity Manager.

Configuring Mobile Flows Connectors

In this section, watch a video that shows how to configure a Mobile Flows Connector in the Workspace ONE UEM Console. This configuration enables connector discovery for the Mobile Flows server and client application interactions with backend systems.

Note: The video contains no spoken instructions. Refer to the subtitles for instructions about the installation process.

Publishing VMware Workspace ONE Boxer for Mobile Flows

The previous sections have shown how to configure the Workspace ONE Mobile Flows Connector for App Discovery in a series of videos. This section helps you to configure Workspace ONE Boxer to leverage Mobile Flows in the Workspace ONE UEM Console.

1. Add a Public Application

  1. Click Add.
  2. Click Public Application.

2. Define Search Parameters

  1. Select Apple iOS from the Platform drop-down.
  2. Enter Workspace ONE Boxer in the Name text box.
  3. Click Next.

3. Select VMware Workspace ONE Boxer

Click Select next to the Workspace ONE Boxer application.

4. Save and Assign

Click Save & Assign.

5. Add Assignment

Click + Add Assignment.

6. Configure Assignment Settings

  1. Click in the Selected Assignment Groups field. From the list of Assignment Groups that appear, select the appropriate group. For example, select All Devices(your@email.shown.here).
  2. Select Auto for the App Delivery Method.

7. Configure Email Settings

  1. Scroll to the Email Settings section.
  2. Enter the Account Name, for example, HOL Email.
  3. Enter the Exchange ActiveSync Host, for example, https://sme.airwlab.com.
  4. Enter the Domain, for example, hol.
  5. Enter the lookup value {UserPrincipalName} for the User.
  6. Enter the lookup value {EmailAddress} for the Email Address.

8. Configure Application Policies

  1. Scroll down to the Policies section.
  2. Select Enabled for Device must be MDM Managed to install this App.
  3. Select Enabled for Remove on Unenroll.
  4. Select Enabled for Prevent Application Backup.

9. Enter Application Configurations

  1. Scroll down to Application Configuration (Optional).
  2. Use the values in the table to enter the Configuration Key, select the Value Type, and enter Configuration Value.
  3. Click Add to add the next row.
  4. Add all of the values in the table:
Configuration Key                     Value Type   Configuration Value
AppMobileFlowsEnabled                 Boolean      True
AppMobileFlowsHost                    String       https://prod.hero.vmwservices.com
AppMobileFlowsvIDM                    String       https://hol-cn1193-intelligence.vidmpreview.com
AppMobileFlowsSyncTimeHours           Integer      1
AppMobileFlowsAutoEnableConnectors    Boolean      True
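
A lint for the Application Configuration rows above, as an added example that is not VMware's code: it checks key spelling, value type, and that the two URL values (the Mobile Flows host and the VMware Identity Manager tenant) use HTTPS and point at an expected host. The function name, the (key, typed value) row format, and the host allowlist are assumptions; the sample rows are constructed with deliberate mistakes.

```python
from urllib.parse import urlsplit

# Keys and value types from the tutorial's Application Configuration table.
EXPECTED = {
    "AppMobileFlowsEnabled": bool,
    "AppMobileFlowsHost": str,
    "AppMobileFlowsvIDM": str,
    "AppMobileFlowsSyncTimeHours": int,
    "AppMobileFlowsAutoEnableConnectors": bool,
}
URL_KEYS = {"AppMobileFlowsHost", "AppMobileFlowsvIDM"}

# Constructed sample: the tutorial's rows with three deliberate mistakes.
SAMPLE_ROWS = [
    (" AppMobileFlowsEnabled ", True),                           # stray spaces
    ("AppMobileFlowsHost", "http://prod.hero.vmwservices.com"),  # not HTTPS
    ("AppMobileFlowsVIDM", "https://hol-cn1193-intelligence.vidmpreview.com"),  # wrong case
    ("AppMobileFlowsSyncTimeHours", 1),
    ("AppMobileFlowsAutoEnableConnectors", True),
]
# Assumed allowlist: the two lab hosts shown in the tutorial's table.
ALLOWED_HOSTS = {"prod.hero.vmwservices.com", "hol-cn1193-intelligence.vidmpreview.com"}

def lint_boxer_config(rows, allowed_hosts):
    """Return sorted findings for (key, typed value) rows; empty list means clean."""
    findings, seen = [], set()
    for raw_key, value in rows:
        key = raw_key.strip()
        if key != raw_key:
            findings.append(f"{key}: key has leading/trailing whitespace")
        if key not in EXPECTED:
            # Hint at the expected spelling when only the letter case differs.
            match = next((k for k in EXPECTED if k.lower() == key.lower()), None)
            hint = f" (did you mean {match}?)" if match else ""
            findings.append(f"{key}: unknown key{hint}")
            continue
        seen.add(key)
        # bool is a subclass of int in Python, so compare exact types.
        if type(value) is not EXPECTED[key]:
            findings.append(f"{key}: expected {EXPECTED[key].__name__}, got {type(value).__name__}")
            continue
        if key in URL_KEYS:
            url = urlsplit(value)
            if url.scheme != "https":
                findings.append(f"{key}: must use https, got {url.scheme or 'no scheme'}")
            if (url.hostname or "") not in allowed_hosts:
                findings.append(f"{key}: host {url.hostname!r} is not in the allowlist")
    findings += [f"{k}: missing" for k in EXPECTED if k not in seen]
    return sorted(findings)
```

Calling lint_boxer_config(SAMPLE_ROWS, ALLOWED_HOSTS) returns four findings: the padded key, the http:// host, the wrong-case key, and the AppMobileFlowsvIDM row that is therefore missing.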

10. Add the Assignment

Click Add.

11. Review Assignment and Save

  1. Confirm that the configured assignment displays.
  2. Click Save & Publish.

12. Review and Publish

Click Publish.

Publishing Coupa On-Demand

In this section, add Coupa as a public, iOS application that publishes on-demand. This exercise enables a Mobile Flows card to display for Coupa in Workspace ONE Boxer.

1. Add a Public Application

  1. Click Add.
  2. Select Public Application.

2. Define Search Parameters

  1. Select Apple iOS from the Platform drop-down menu.
  2. Enter Coupa in the Name field.
  3. Click Next.

3. Select Coupa

Click Select next to the Coupa application.

4. Save and Assign

Click Save & Assign.

5. Add Assignment

Click + Add Assignment.

6. Configure Assignment Settings

  1. Click in the Selected Assignment Groups field. From the list of Assignment Groups that appear, select the appropriate group. For example, select All Devices(your@email.shown.here).
  2. Select On-Demand for the App Delivery Method.

7. Add the Assignment

Review the default configurations in the Policies section, and click Add.

8. Review Assignment & Save

  1. Confirm that the configured assignment displays.
  2. Click Save & Publish.

9. Review and Publish

Click Publish.

Validating Coupa Assignment

In order for a Coupa Hero Card to populate in Workspace ONE Web, Coupa must be assigned to the device in the on-demand deployment mode. In this section, log in to the Workspace ONE Intelligent Hub app, and verify that Coupa appears in the Catalog.

1. Launch Intelligent Hub App

Tap the icon to launch the Intelligent Hub app.

2. Validate the Coupa App Assignment

  1. Depending on your setup, the Coupa app appears as the newly added app.
  2. Alternatively, navigate to Mobile Apps and validate that the Coupa app is assigned.

Enabling Mobile Flows in VMware Workspace ONE Boxer

This section helps you to enable mobile flows in Workspace ONE Boxer.

1. Launch Workspace ONE Boxer

From the iOS device spring board, tap the Boxer icon.

2. Accept the Privacy Prompt

Tap I understand to accept.

3. Agree to Data Sharing

Tap I agree to accept data sharing.

4. Authenticate

  1. Confirm your email address.
  2. Enter the password, for example, VMware1!.
  3. Click Login.

5. Accept Workspace ONE Boxer Prompts

If you see prompts for Contacts and Push Notifications, tap OK to accept.

6. Open Settings

After Workspace ONE Boxer opens, tap the Settings option on the bottom menu.

7. Open Advanced Settings

  1. Scroll down to the section labeled MORE.
  2. Tap Advanced.

8. Open Mobile Flows Settings

Under ENABLED FEATURES, tap Mobile Flows.

9. Enable Mobile Flows

Use the slider to Enable Mobile Flows.

10. Select the Domain

  1. Select the domain, for example, hol.
  2. Tap Next.

11. Enter Credentials

  1. Enter your sAMAccountName.
  2. Enter the password, for example, VMware1!.
  3. Tap Sign in.

12. Validate that Mobile Flows and Connector are enabled

Validate that Mobile Flows and Workspace ONE App Discovery connector are enabled.

Experiencing Mobile Flows

In this section, compose an email in Workspace ONE Boxer that contains a keyword. Then, observe how Workspace ONE Boxer detects the keyword, and triggers the Workspace ONE App Discovery Connector.

1. Open Mail

In Workspace ONE Boxer, on the bottom toolbar, tap Mail.

2. Open a New Email

In the upper-left corner, tap the Edit icon to compose a new email.

3. Compose Email

Compose a simple email that contains the keyword for the Coupa app:

  1. Enter your email address.
  2. Enter Travel as the Subject.
  3. Enter Travel as the Body.
  4. Tap the Send icon.

4. Validate the Hero Card

  1. After about 10 seconds, verify that a Hero Card to install the Coupa application appears.
  2. Tap Install to proceed with the installation.

5. Accept Application Installation

Tap Install to proceed with the Coupa app installation.

6. Validate the Application Installed

Press the Home button on the iOS device, and verify the Coupa application appears on the device Spring Board.

You can define the set of keywords that populate the Mobile Flows Card in the managed-apps.yml file of the connector.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to configure mobile flows in a Workspace ONE environment. 

Procedures included:

  • Configuring a remote app access template
  • Building and configuring a mobile flows connector
  • Integrating Workspace ONE UEM with VMware Identity Manager
  • Publishing Workspace ONE Boxer and on-demand Coupa for mobile flows
  • Enabling and testing mobile flows with Workspace ONE Boxer

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

About the Author

This tutorial was written by:

  • Shardul Navare, Senior Technical Marketing Architect, End-User Computing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.