Quick-Start Tutorial for Cloud-Based VMware Workspace ONE

Workspace ONE Overview

Introduction

The Quick-Start Tutorial for Cloud-Based VMware Workspace ONE provides a comprehensive technical overview of VMware Workspace™ ONE™. Workspace ONE simplifies access to cloud, mobile, and enterprise applications from supported devices. IT administrators can deploy, manage, and secure applications and, at the same time, offer a flexible, bring-your-own-device (BYOD) option for users.

Purpose

The Quick-Start Tutorial for Cloud-Based VMware Workspace ONE helps you evaluate Workspace ONE by offering practical exercises. This overview is first in the Reviewer’s Guide series. It introduces Workspace ONE and its benefits, features, architecture, and components. Other articles in the tutorial offer hands-on exercises to set up your own proof-of-concept environment.

Important: This tutorial is designed for evaluation purposes only, based on using the minimum required resources for a basic deployment, and does not explore all possible features. This evaluation environment should not be used as a template for deploying a production environment. To deploy a production environment, see the VMware Workspace ONE Documentation.

Audience

This tutorial is for prospective IT administrators of Workspace ONE and anyone who uses the product. Familiarity with networking and storage in a virtual environment, Active Directory, identity management, and directory services is assumed. Knowledge of VMware AirWatch® and VMware Identity Manager™ is also helpful.

Technical Introduction to Workspace ONE and its Features

Introduction

Following are descriptions of the core features and capabilities of Workspace ONE, plus new features. In subsequent articles of this Quick-Start Tutorial, you will walk through some of these features.

Packaging and Licensing

All Workspace ONE editions are licensed on a per-named-user basis and available as an annual cloud subscription or a perpetual on-premises license.

For more information, see VMware Workspace ONE in the VMware Workspace ONE and VMware Horizon Packaging and Licensing guide.

Features

Enrollment

Device enrollment establishes the initial communication with VMware AirWatch to enable Enterprise Mobility Management (EMM).

Work Access Enrollment

Work Access is the native MDM enrollment method for Windows 10 devices. Enrolling through Work Access and using Windows Auto Discovery provides a quick and easy enrollment flow for end users.

All Windows Desktop enrollments use the native enterprise management app to complete the enrollment process. Windows Auto-Discovery is an optional method of enrolling devices that requires only the end-user's email address to begin enrollment.

Enrollment can also include the AirWatch Protection Agent. This agent adds endpoint security to Windows Desktop devices to ensure data and devices remain secure. The AirWatch Protection Agent for Windows Desktop co-opts native Windows Desktop functionality, such as BitLocker encryption, Windows Firewall, and Windows Automatic Updates, to keep devices secure and up to date.

For more information, see the VMware AirWatch Documentation.

Device Profiles

Device Profiles allow you to modify behavior of enrolled devices. Device profiles, combined with compliance policies, help you to enforce corporate rules and procedures.

For more information, see the VMware AirWatch Documentation.

Getting Started Wizard

The Getting Started Wizard serves as a checklist that walks through key configurations in the AirWatch Console, step by step. The wizard is divided into four modules: Workspace ONE, Device, Content, and Application. Each module contains steps to accomplish specific end goals. As some modules share steps, the wizard tracks progress across all four modules to ensure the same step never has to be completed twice.

For more information, see the VMware Workspace ONE Quick Configuration Guide.

Native Mobile Workspace ONE Application

Users can install the Workspace ONE application on a mobile device and, using corporate credentials, get SSO access to corporate, cloud, and mobile applications.

The Workspace ONE application uses native OS capabilities to protect application access, such as biometric fingerprint readers on Android, Touch ID on iOS, and Windows Hello on Windows 10.

For more information, see the VMware Workspace ONE Documentation.

Integrated Application Store

Workspace ONE provides users access to cloud, mobile, and Windows applications using a unified application store. The application store contains applications published to VMware Identity Manager and VMware AirWatch. Supported application types include internal web, SaaS, native mobile, internally developed mobile, legacy and modern Windows, VMware Horizon® 7, VMware Horizon Cloud Service™, Citrix published, and VMware ThinApp®. The application store also contains virtualized desktops.

Using the Workspace ONE application, you access VMware Identity Manager applications from the Launcher tab and all published applications from the Catalog tab. The Workspace ONE application provides more functionality than accessing the application store from a browser, where only VMware Identity Manager applications are available.

The latest Workspace ONE release supports Spotlight Search in iOS devices. Users can search their home screen and Workspace ONE catalog at the same time.

For more information, see the VMware Workspace ONE Documentation.

Mobile SSO

Workspace ONE provides Mobile SSO, a one-touch login implementation to mobile applications using the patent-pending, secure-application token system (SATS) that establishes trust between the user, device, application, and enterprise. You can secure applications by locking a known, registered device through a PIN or biometric service. After users have provided credentials, they can touch an application to open it until the authentication window expires. Mobile SSO is available for Android, iOS, and Windows 10 devices.

For more information, see the Your Problem’s Solved: Enable Secure Native Mobile App SSO on Any Device blog post and VMware Workspace ONE Documentation.

Productivity Tools

Workspace ONE includes productivity tools, such as VMware AirWatch Inbox™, VMware AirWatch Content Locker™, VMware AirWatch Browser™, and VMware Boxer™. These tools maximize user productivity while securing corporate data.

For more information, see the VMware AirWatch Documentation.

Conditional Access with Device Compliance

Workspace ONE allows you to configure network, platform, and application-specific criteria for authentication. A device must prove compliance with security rules before it is authorized to access an application. Compliance rules protect against rooted or jailbroken devices, and you can use them to whitelist and blacklist applications.

For more information, see the VMware Workspace ONE Documentation.

Multifactor Authentication

Workspace ONE, integrated with the mobile application VMware Verify™, provides strong, multifactor authentication that simplifies access across devices. When a user attempts to access the Workspace ONE application store, or any application requiring strong authentication, VMware Verify sends a notification to the user’s mobile phone. To verify attempted access to Workspace ONE and launch the application, the user must swipe Accept.

For more information, see the VMware Workspace ONE Documentation.

Windows 10 Management

Workspace ONE takes full advantage of Windows 10 management capabilities and simplifies the application and device life cycle.

Using Workspace ONE with VMware AirWatch eliminates the need for laptop imaging. IT can remotely configure, manage, and monitor devices in any location. Management configurations are based on dynamic smart groups, which consider device information and user attributes, and are automatically updated as that information changes.

You can use VMware AirWatch to automatically install, update, and remove software packages. It also provides scripting and file management tools. You can configure packages to install based on conditions, including network status or defined schedules, deploy software updates automatically, and notify users when updates occur.

For more information, see the VMware Workspace ONE Documentation.

Adaptive Management

For applications that require only a basic level of security, users are not required to enroll their device into VMware AirWatch Mobile Device Management™. Users can download the Workspace ONE mobile application and select the applications they want to install. For applications that require a higher level of security, users can enroll their device into VMware AirWatch directly from the Workspace ONE mobile application instead of through VMware AirWatch Agent™.

All entitled applications are listed in the catalog. Applications that require enrollment are indicated with a lock icon. When the user tries to download an application with a lock icon, the enrollment process is triggered. For example, users can download a conferencing application, such as WebEx, without enrollment. But they are prompted to enroll when they try to download an enterprise application, such as Salesforce.

For more information, see the VMware Workspace ONE Documentation.

Components and Architecture of Workspace ONE

Introduction

This section provides a description of each component of Workspace ONE, as well as an overview of the architecture so you can see how the components relate to each other.

How Workspace ONE Works

IT can deploy Workspace ONE in many different configurations. Options include on-premises deployments of VMware Identity Manager and VMware AirWatch, cloud-based deployments of VMware Identity Manager and VMware AirWatch, and hybrid deployments with different components available either on-premises or in the cloud.

Whichever deployment you choose, you can configure Workspace ONE to use an existing directory infrastructure, such as Active Directory or other LDAP-based directory, for user synchronization, authentication, and application access.

Administrators choose which applications to deploy and make them available from the VMware Identity Manager and VMware AirWatch Console.

Administrators create a unified catalog by configuring VMware Identity Manager with the VMware AirWatch instance. Configuring Workspace ONE involves creating a trusted relationship between the VMware Identity Manager and the VMware AirWatch implementations through their respective consoles. Each console is used to configure the relevant platform capabilities.

Workspace ONE supports one-touch login that can be used by Android, iOS 9 and later, and Windows 10 devices. One-touch login establishes trust between the user, device, and enterprise for one-touch authentication. For more sensitive applications, IT can enable biometric or other multifactor authentication methods.

In a traditional IT environment, you can prevent data leakage in a number of ways. Examples of data leakage include saving work documents to public storage, such as Dropbox, or receiving work emails in an unmanaged email client. You can encrypt email attachments and restrict how the files are edited and shared. You can require using corporate-approved applications instead of native applications. For secure browsing, you can enable access to intranet sites to ensure that the sites are opened only in approved browsers. However, these precautions might be insufficient for your security needs.

For increased security, you can enforce granular control of devices with Workspace ONE compliance checking, which combines VMware AirWatch device-based rules and VMware Identity Manager user-based identity rules. A user cannot access applications with a device unless the device adheres to the security rules applied. For example, you can deny application access based on the operating system (OS) or patch level of the device, if the device has been jailbroken, or if the device is in a foreign country.

IT can use mobile OS management interfaces to preconfigure laptops, smartphones, and tablets. VMware AirWatch device management uses enterprise mobile management APIs to provision, configure, and secure applications and devices. For example, you can configure supported devices to receive patches directly from the OS vendor. This level of control allows IT to adopt a flexible BYOD program by giving users device choice while securing data.

Windows 10 management capabilities allow desktop administrators to automate application delivery and updates. For example, IT can streamline how updates are managed and delivered by letting users control OS updates or enforcing them with Windows Update or Windows Update for Business. IT can also get users operational quickly by bulk-enrolling devices and delivering complete Windows provisioning packages for users to install with one click.

Administrators create VMware AirWatch device profiles based on criteria such as users, groups, platforms, and OS, and assign profiles to smart groups.

Using adaptive-management technologies, users can install the Workspace ONE mobile application from the application store for their platform and log in with their corporate credentials, giving them access to their authorized applications in the catalog. If users need access to more privileged applications, they can be prompted to enroll their device into full VMware AirWatch management. Based on the device profile assigned, the VMware Identity Manager catalog displays all entitled applications, including mobile applications, SaaS applications, and Horizon 7-based virtual applications and desktops. The applications that require enrollment have a badge indicating higher security.

A Workspace ONE implementation can interoperate with other identity providers, like Ping, Okta, and Microsoft Azure, through integration with VMware Identity Manager and still present a common catalog interface for all applications.

Components of Workspace ONE

Workspace ONE consists of a number of key components and integrations that work together to provide the key capabilities of the product.

VMware Identity Manager

VMware Identity Manager is an identity-as-a-service (IDaaS) offering, providing application provisioning, an application store, conditional access controls, and SSO for SaaS, web, cloud, and native mobile applications.

For more information, see the VMware Identity Manager Documentation.

VMware AirWatch

VMware AirWatch is a comprehensive enterprise mobility platform that delivers simplified access to enterprise applications, secures corporate data, and enables mobile productivity. The VMware AirWatch family includes individual VMware AirWatch products.

For more information, see the VMware AirWatch Documentation.

VMware Horizon 7

Horizon 7 allows you to deliver virtual and hosted desktops and applications through a single platform.

For more information, see the VMware Horizon 7 Documentation.

Workspace ONE Native Application

You can install the Workspace ONE native application on Android, iOS, and Windows 10 devices. It allows users to access their digital workspace from any supported location.

For more information, see the VMware Workspace ONE Documentation.

VMware Enterprise Systems Connector

In VMware AirWatch 9.1, the VMware AirWatch Cloud Connector™ and VMware Identity Manager connector are included as components in a new Windows installer called the VMware Enterprise Systems Connector™. During the installation process, you can choose which components to install. It is recommended to install both components if you are upgrading to Workspace ONE and for full functionality of the Enterprise Systems Connector.

The VMware Identity Manager connector allows Active Directory (or other directory services) users and groups to synchronize with VMware Identity Manager and provide up-to-date authentication. The VMware Identity Manager connector supports integration with Horizon 7 and Citrix, RSA SecurID, Windows authentication, and complex multi-domain and multi-forest Active Directory.

AirWatch Cloud Connector allows you to integrate VMware AirWatch with your back-end enterprise systems. AirWatch Cloud Connector runs in the internal network, acting as a proxy that securely transmits requests from VMware AirWatch to your organization’s critical enterprise infrastructure components. AirWatch Cloud Connector leverages the benefits of AirWatch Enterprise Mobility Management, installed on-premises or in the cloud, together with Active Directory (or other directory services), certificate authorities, email servers, and other internal systems.

For more information, see the VMware Workspace ONE Documentation.

VMware Identity Manager Administration Console

The VMware Identity Manager administration console is a web-based application for managing your cloud instance, or tenant.

For more information, see the VMware Identity Manager Documentation.

VMware Unified Access Gateway

VMware Unified Access Gateway secures external access to internal content. Users can remotely access data from corporate network shares or internal content repositories. Updates to your existing content are dynamic. Changes are immediately reflected in AirWatch Content Locker. Users can access only the files and folders that have been assigned to them through access control lists. 

VMware Tunnel™ is deployed using the Unified Access Gateway appliance and provides a secure and effective method for individual applications to access corporate resources. VMware Tunnel authenticates and encrypts traffic from individual applications on supported devices to the back-end system. Built using native operating system APIs, VMware Tunnel provides enhanced network security (including micro-segmentation), consistent enterprise network access for end users, and simplified management for IT.

For more information, see the VMware Unified Access Gateway Documentation.

VMware AirWatch Secure Email Gateway

VMware AirWatch Secure Email Gateway™ is a proxy server that is configured with AirWatch Mobile Email Management features to protect your email infrastructure. When AirWatch Secure Email Gateway is installed alongside your existing email server, it proxies all email traffic to enrolled devices. Based on settings defined in AirWatch Console, AirWatch Secure Email Gateway allows or blocks requests from every mobile device it manages. It filters all communication requests and relays traffic from approved devices, thereby protecting corporate email servers. Users can open email attachments only through AirWatch Content Locker and access hyperlinks contained in email messages only through AirWatch Browser, thus securing sensitive information.

For more information, see the VMware AirWatch Documentation.

VMware AirWatch Console

VMware AirWatch Console is a web-based application that allows you to monitor and manage enrolled devices.

For more information, see the VMware AirWatch Documentation.

VMware AirWatch Inbox

AirWatch Inbox is a containerized email client protected with 256-bit AES encryption. (In this context, containerized means that content in the email application is isolated from content in other applications on the device.) It is configured with data-loss-prevention capabilities to secure corporate data and allows for quick access to corporate email, calendars, and contacts.

For more information, see the VMware AirWatch Documentation.

VMware AirWatch Content Locker

AirWatch Content Locker protects your sensitive content in a corporate container and provides users with a central application to securely access, store, update, and distribute the latest documents from their mobile devices.

For more information, see the VMware AirWatch Documentation.

VMware AirWatch Browser

AirWatch Browser provides a secure alternative to the native browsers on mobile operating systems. You can secure all Internet browsing and limit browsing to certain websites.

For more information, see the VMware AirWatch Documentation.

VMware Boxer

VMware Boxer is an integrated mail, calendar, and contacts application for VMware AirWatch and Workspace ONE mobile users. It allows IT to configure and manage security policies at a granular level. Some features include the ability to select multiple email messages and perform a single task, such as delete, archive, or flag, compose an email message, and send available calendar times in just a few taps.

For more information, see the VMware AirWatch Documentation.

AirWatch Content Gateway

The AirWatch Content Gateway, together with VMware Content Locker, allows end users to securely access content from an internal repository. As files are added or updated within your existing content repository, the changes are immediately updated in VMware Content Locker. Users are granted access only to their approved files and folders based on the existing access control lists defined in your internal repository.

For more information, see the VMware AirWatch Documentation.

VMware AirWatch Email Notification Service

The Email Notification Service adds Apple Push Notification support to Microsoft Exchange. On iOS, this means the VMware Boxer and VMware AirWatch Inbox email apps can get notifications using Apple technologies such as background app refresh or Apple Push Notification Service (APNs). Email Notification Service adds APNs support to your deployment to allow quick and consistent notifications about new items in your end users' email inboxes.

For more information, see the VMware AirWatch Email Notification Service v2.0 Installation and Configuration Guide.

Android Apache Server

The Apache server allows VMware AirWatch to integrate with the Google Play Store, and is available only for on-premises AirWatch deployments. It serves as a connection between the AirWatch MDM and the Google Play Store. The server needs to be configured before an administrator can use the Search App Store feature for Android apps.

Certificate Authority

Certificate authority (CA) integration allows VMware AirWatch to manage the complete life cycle of provisioned certificates. VMware AirWatch integrates with many different third-party CAs. 

For more information, see the VMware AirWatch Documentation.

Memcached Caching Solution

For large environments scaling over 5,000 devices, a caching solution is recommended. Caching solutions help to reduce load on the database server caused by the volume of calls made to the database. After caching is configured, the AirWatch components contact the caching solution to obtain the required database information. If the information is not available on the cache server, the component contacts the database and then stores the value on the cache server for future use.

For more information, see the VMware AirWatch Memcached Integration Guide in VMware AirWatch Documentation.

VPN Server

If you have a VPN server, you can use a VPN profile in VMware AirWatch. Configure device VPN settings so that end users can remotely and securely access the internal network. VMware AirWatch supports specific VPN connection types for various third-party VPN providers. 

For more information, see the VMware AirWatch Documentation.

Architecture of Workspace ONE

The previous components work together to provide the functionality of Workspace ONE.

Figure 2: Major Components of a Workspace ONE Deployment with Network Ports

A basic Workspace ONE configuration consists of VMware Identity Manager and VMware AirWatch. VMware Enterprise Systems Connector securely transmits requests from VMware AirWatch to the back-end infrastructure. Administrators define user groups, policy settings, and device configurations. Users access Workspace ONE and their applications based on the defined settings and configurations.

Network Considerations

VMware AirWatch leverages the existing enterprise network infrastructure to provide its own high availability, redundancy, and scalability for the applications and desktops that it provides to end users. Local load balancing is incorporated on the front end of the SaaS environment. Core network security infrastructure includes redundant Ethernet switches, LAN segregation, firewalls, intrusion detection, and monitoring.

Redundant, high-volume firewalls are located between the Internet and the VMware AirWatch environment. An intrusion detection system (IDS) monitors all internal network traffic, logs suspicious activity, and issues alerts when suspicious network activity is detected.

Security Considerations

VMware AirWatch takes a multilayered approach to data center security. Primary data centers are maintained with onsite backups for quick recovery and replicated offsite backups for disaster recovery.

Production systems are hosted at two primary data centers, with cross replication of nightly backups to support performance, growth, and security challenges.

VMware AirWatch implements security by:

  • Isolating all VMware AirWatch web servers using a demilitarized zone (DMZ)
  • Using antivirus clients to protect all servers
  • Providing spam filtering and spam reporting for email

Administrators control VMware AirWatch from an HTML5 web-based management console. VMware AirWatch encrypts all data transmitted between the web console and mobile devices.

Cloud-based Workspace ONE components are automatically upgraded and patched, ensuring that your environment meets the latest security standards.

Installation and Setup

Introduction

This exercise helps you set up a cloud-based Workspace ONE environment. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Prerequisites

Before you can perform the procedures in this exercise, you must have the following components installed and configured:

  • On-premises Active Directory with users available to add to the VMware AirWatch tenant
  • Windows Server machine to access Workspace ONE from a web browser

Sign Up for a Free Trial of Cloud-Based Workspace ONE

Complete the following steps to begin a 30-day trial version of Workspace ONE, which includes a cloud-based deployment of VMware AirWatch and VMware Identity Manager.

1. Access Free Trial

  1. Navigate to http://www.air-watch.com and click 30 DAY FREE TRIAL.
  2. Enter the required information and click Start Your Free Trial.
  3. Allow 24 hours for your request to process.

2. Record Environment Details

Check your email for two activation email messages that contain environment details and access credentials. Note this information in the following tables.

VMware Identity Manager Account Information

  • User name:
  • Password:
  • VMware Identity Manager server host name:

VMware AirWatch Account Information

  • User name:
  • Password:
  • VMware AirWatch server host name:

Now that you have signed up for a cloud-based Workspace ONE trial and noted your environment details, you are ready to log in to the AirWatch Console and launch the Getting Started Wizard.

Log In to the AirWatch Console and Launch the Getting Started Wizard

The AirWatch Console allows you to view and manage every aspect of your Mobile Device Management (MDM) deployment. With this single, web-based resource, you can quickly and easily add new devices and users, manage profiles, and configure system settings.

This exercise helps you to log in to the AirWatch Console and launch the Getting Started Wizard.

1. Log In to AirWatch Console

Navigate to the VMware AirWatch cloud tenant and enter your AirWatch Admin Account information to authenticate.

  1. In the browser of your choice, navigate to the VMware AirWatch cloud tenant. For example, navigate to https://<AirWatchHostname> where AirWatchHostname is the host name of the VMware AirWatch tenant.
  2. For User name – Enter the name provided in the activation email.
  3. For Password – Enter the password provided in the activation email.
  4. Click the Login button.

2. Accept License Agreement

Review the End User License Agreement, and click Accept. 

3. Configure Security Settings

Configure the settings for the Password Recovery Question:

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Password Recovery Question – Keep the default question selected.
  3. Password Recovery Answer – Enter VMware1!
  4. Confirm Password Recovery Answer – Enter VMware1!

Configure the Security PIN, which protects certain administrative functions in the AirWatch Console.

  1. Security PIN – Enter 1234.
  2. Confirm Security PIN – Enter 1234. 
  3. Click Save.

4. Launch Getting Started Wizard

On the dialog box that appears, click Begin Setup to launch the Getting Started Wizard.

Now that you have successfully logged in to the AirWatch Console and launched the Getting Started Wizard, you are ready to Navigate the Getting Started Wizard.

Navigate the Getting Started Wizard

Split into four modules, the Getting Started Wizard facilitates the initial configuration of Workspace ONE. For ease of use, it tracks progress and can be started, paused, and restarted later. You can also review and change previous settings.

This exercise helps you to navigate the Getting Started Wizard.

1. Explore the Getting Started Wizard

Open the Workspace ONE module and note the following buttons and icons:

  1. Incomplete – Displays next to steps that have not been configured.
  2. Configure – Click to begin defining settings.
  3. Complete – Displays next to a completed step.
  4. Edit – Click to review or change a completed step’s settings.
  5. Scroll down and open the remaining modules to review their sections and steps.
  6. Use the percentage counter in the upper-right corner to track your configuration progress.

Now that you have navigated the Getting Started Wizard, you are ready to Generate the Apple Push Notification Certificate.

Generate the Apple Push Notification Service Certificate

Apple Push Notification service (APNs) is the messaging protocol created by Apple to manage mobile devices. To manage iOS devices, AirWatch requires a valid APNs certificate.

To watch a video demonstrating this procedure, click Creating an Apple APNs Certificate.

1. Configure Apple Push Notification Service (APNs)

In AirWatch Console, navigate to the Workspace ONE Getting Started Wizard.

  1. Select Getting Started.
  2. Select Workspace ONE.
  3. Navigate to SETUP > Apple Push Notification Service (APNs).
  4. Click Configure.

2. Download Certificate Request

  1. Under Download Certificate Request, click MDM_APNsRequest.plist.
  2. Click Continue.

3. Enter Corporate Apple ID

Enter the Corporate Apple ID email address that you will use to manage all Apple devices for your organization.
If you do not have a Corporate Apple ID, create an account with Apple.

4. Create Certificate

Navigate to the Apple Push Certificates Portal and use your Corporate Apple ID credentials to authenticate.

Complete the following steps to create the APNs certificate.

  1. Enter your corporate Apple ID.
  2. Enter your Apple ID password.
  3. Click Sign In.
  4. Click Create a Certificate.

5. Upload Certificate Signing Request

  1. Click Choose File and select the MDM_APNsRequest.plist file you previously downloaded.
  2. Click Upload.

6. Download Certificate


Click Download.

7. Complete Certificate Generation

Return to the Getting Started Wizard in the AirWatch Console, and click Next.

7.1. Upload PEM Certificate


Click Upload.

7.2. Select the PEM Certificate

  1. Click Choose File and select the previously downloaded .pem file.
  2. Click Save.

7.3. Complete Request

  1. Enter your Apple ID.
  2. Click Save.

Now that you have generated the Apple Push Notification Certificate, you are ready to Configure Android EMM Registration.

Complete Android Enterprise Mobility Management (EMM) Registration

Enabling Android for Work on devices separates personal data from the work data at the operating system level. Android for Work creates a clear separation between work and personal apps.

To use Android for Work inside the AirWatch Admin Console, you need to register your enterprise with Google. This creates your Android for Work admin account, which connects with AirWatch to manage your enterprise devices. Users cannot use Android for Work features from their devices until registered with VMware AirWatch. The Android for Work setup wizard simplifies the process.

In AirWatch Console, navigate to the Workspace ONE Getting Started Wizard.

  1. Select Getting Started.
  2. Select Workspace ONE.
  3. Navigate to SETUP > Android EMM Registration.
  4. Click Configure.

2. Register Google Admin Account

Click Register with Google.

3. Provide Google Admin Account

  1. Confirm that you are logged in to the Google Admin Account that you want to associate with your Android for Work configuration.

    Note: After you register a Google Admin Account to Android for Work, you cannot disassociate your Google Admin Account from that Organization. Ensure the Google Admin Account shown is the account you want to associate with your Organization.

  2. Click Get Started.

4. Provide your Organization Details

  1. Enter your Organization name.
  2. Select the Google Play agreement check box.
  3. Click Confirm.

5. Complete Registration


Click Complete Registration to return to the AirWatch Android for Work configuration.

6. Confirm Android for Work Integration

  1. On the Android for Work Settings page, scroll down until you see the Google Admin Console Settings and Google API Settings sections.
  2. Under Google Admin Console Settings, note that the account information you provided during the Android for Work configuration step is displayed here.
  3. Confirm that Android for Work Registration Status is shown as Successful.

Note that the Client ID and Google Service Account Email Address have been created and configured for you automatically. No additional configurations with Android for Work or the Google Developers Console are required.

Your Organization Group is now successfully configured with Android for Work.

For more information about Android EMM, see the blog posts:

Download Employee Email Template

Download an email template to introduce employees to Workspace ONE and how to get started.

1. Download Email Template

In AirWatch Console, navigate to the Workspace ONE Getting Started Wizard.

  1. Select Getting Started.
  2. Select Workspace ONE.
  3. Navigate to SETUP > Employee Email Template.
  4. Click Download.

2. Copy Email Template


Copy the email template provided in the PDF document.


Now that you have downloaded the email template, the Installation and Setup section is complete.

Initial Configuration

Introduction

This exercise helps you to install and configure the VMware Enterprise Systems Connector. You can choose which components to install during the installation process. For this exercise, you install only the VMware AirWatch Cloud Connector component.

The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Prerequisites

Before you can perform the procedures in this exercise, you must satisfy the following requirements.

  1. Check whether you have the following components installed and configured.
    • Cloud-based VMware Identity Manager tenant
    • Cloud-based VMware AirWatch tenant
    • On-premises Active Directory with users available to add to the VMware AirWatch tenant
    • Domain administrator in AirWatch Console – You must log in to AirWatch Console using a domain administrator user account to add Active Directory user groups and web applications.
    • Windows Server machine to access Workspace ONE from a web browser
    • Windows Server machine to install VMware Enterprise Systems Connector – Ensure that this machine can reach the AirWatch Cloud Messaging (AWCM) server by browsing to https://awcmXXX.awmdm.com/awcm/status. Replace XXX with the number used in your environment URL, for example, 100 for cn100. If the AWCM status page shows SSL errors, resolve the errors before continuing. Otherwise, the connector does not function properly.
    • iOS device of your choice

For more information, see the VMware Identity Manager Documentation and VMware AirWatch Documentation.

  2. Verify that your environment meets the networking requirements.

Source Component | Destination Component | Port
End-user device | Workspace ONE portal (*.vmwareidentity.<region>), where region is .com, .eu, or .asia | 443 (HTTPS)
End-user device | Device Services | 443 (HTTPS)
End-user device (Android) | AirWatch Cloud Messaging (AWCM) Server | 443 (HTTPS)
Administrative console users | *.awmdm.com | 443 (HTTPS)
Administrative console users | *.vmwareidentity.<region>, where region is .com, .eu, or .asia | 443 (HTTPS)
Enterprise Systems Connector | VMware AirWatch | 443 (HTTPS)
Enterprise Systems Connector | Active Directory | 389, 636 (SLDAP), 3268 or 3269 (SLDAP)

  3. Verify that your environment meets the operating system and software requirements.

Workspace ONE Requirements | Details
Active Directory | Windows Server 2008 or 2008 R2; Windows Server 2012 or 2012 R2
Web browser to access VMware Identity Manager and AirWatch Console | Internet Explorer 11 for Windows; Google Chrome 42.0 or later for Windows and macOS; Mozilla Firefox 40 or later for Windows and macOS; Safari 6.2.8 or later for macOS
Enterprise Systems Connector server | Windows Server 2008 R2; Windows Server 2012 or 2012 R2; .NET framework 4.6.2
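
The reachability checks in these prerequisites (the AWCM status URL and the TLS ports in the networking table) can be scripted on the connector host so that a certificate problem is told apart from a blocked port. This is an added example, not part of the VMware tutorial; the cnNNN.awmdm.com console host form, the function names, and dc01.corp.example.test are assumptions.

```python
"""Pre-install reachability check for the connector host (added example)."""
import re
import socket
import ssl
from urllib.parse import urlsplit


def awcm_status_url(console_host: str) -> str:
    """Map a console host such as cn100.awmdm.com to its AWCM status URL.

    The cnNNN.awmdm.com host form is an assumption based on the
    tutorial's "100 for cn100" hint.
    """
    match = re.fullmatch(r"cn(\d+)\.awmdm\.com", console_host.strip().lower())
    if match is None:
        raise ValueError(f"unexpected console host: {console_host!r}")
    return f"https://awcm{match.group(1)}.awmdm.com/awcm/status"


def classify_failure(exc: BaseException) -> str:
    """Name the kind of failure so the right team gets the ticket.

    Order matters: SSLCertVerificationError is a subclass of SSLError,
    and every class tested here is a subclass of OSError.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate"  # untrusted chain, expired cert, name mismatch
    if isinstance(exc, ssl.SSLError):
        return "tls"          # handshake failed for another reason
    if isinstance(exc, socket.gaierror):
        return "dns"          # host name did not resolve
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"      # typically a firewall silently dropping packets
    if isinstance(exc, OSError):
        return "network"      # refused, unreachable, reset
    return "other"


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS session and report the outcome.

    The default context validates the chain against the system trust
    store and checks the host name, so an intercepting proxy with an
    untrusted CA is reported as "certificate" rather than passing.
    """
    context = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "category": "ok", "detail": tls.version()}
    except OSError as exc:
        return {"ok": False, "category": classify_failure(exc), "detail": str(exc)}


if __name__ == "__main__":
    # Hypothetical values: replace with your tenant and domain controller.
    # Port 389 is plain LDAP and is not probed here; 636 and 3269 start in TLS.
    targets = [
        (urlsplit(awcm_status_url("cn100.awmdm.com")).hostname, 443),
        ("dc01.corp.example.test", 636),
    ]
    for host, port in targets:
        result = probe_tls(host, port)
        print(f"{host}:{port} -> {result['category']} ({result['detail']})")
```

A "certificate" result corresponds to the SSL errors that the prerequisite says must be resolved before installing the connector.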

Download VMware Enterprise Systems Connector

The Getting Started Wizard guides you through the Connector configuration. Complete the steps to download the Enterprise Systems Connector.

1. Configure Enterprise Connector & Directory

  1. In AirWatch Console, select Getting Started.
  2. Select Workspace ONE.
  3. Navigate to SETUP > Enterprise Connector & Directory.
  4. Click Configure.

2. Complete Enterprise Systems Connector Details

  1. For Password, enter VMware1!.
  2. For Confirm Password, enter VMware1!.

3. Download Enterprise Systems Connector


Click Download VMware Enterprise Systems Connector Installer. Save the downloaded .exe file in an accessible location.


After the Enterprise Systems Connector begins downloading, click Continue.

Install VMware Enterprise Systems Connector

Install the AirWatch Cloud Connector component to integrate VMware AirWatch with back-end enterprise systems.

[Optional:] To watch a video demonstrating this procedure, click VESC Install Demo, or click the video itself.

Note: The video contains no sound. Use the subtitles for installation details.

1. Launch the VMware Enterprise Systems Connector Installer

Ensure you are logged in to the machine where you will install the VMware Enterprise Systems Connector.

1.1. Run the VMware Enterprise Systems Connector Installer


Locate the .exe file downloaded in the previous exercise and double-click to run the installer.


Click Run when prompted to run this software.

1.2. Install Microsoft .NET Framework


If prompted to install Microsoft .NET Framework 4.6.2, click Install.

1.3. Reboot if Required


After Microsoft .NET Framework 4.6.2 completes its download, click Yes to reboot and continue the connector installation.

2. Begin the VMware Enterprise Systems Connector Installer


Click Next.

2.1. Accept the License Agreement Terms

  1. Select I accept the terms in the license agreement.
  2. Click Next.

2.2. Choose the Program Features to Install

  1. Ensure that the AirWatch Cloud Connector is set to install and that the VMware Identity Manager Connector is not set to install.
  2. Click Next.

2.3. Accept the Default Destination Folder


Click Next to accept the default destination folder.

2.4. Enter the Certificate Password

  1. Enter VMware1! for the Certificate Password.
  2. Click Next.

2.5. Disable Outbound Proxy


Ensure Outbound Proxy is not selected and click Next.

3. Begin the Installation Process


Click Install.

4. Close the VMware Enterprise Systems Connector Installer


Click Finish.

Test the Connection

After the Enterprise Systems Connector installs, return to the Getting Started wizard in the AirWatch Console to test the connection.

1. Return to Getting Started Wizard

  1. If the Workspace ONE Getting Started wizard closed, navigate to Getting Started > Workspace ONE to open it.
  2. In the SETUP section, next to Enterprise Connector & Directory, click Configure.

2. Continue Enterprise Connector Setup Wizard


In the Run the VMware Enterprise Systems Connector Installer section, scroll down and click Continue.

3. Confirm Test Connection Successful

  1. Click Test Connection, and confirm that you see the message VMware Enterprise Systems Connector is active.
  2. Click Continue.

Now that you have completed the VMware Enterprise Systems Connector installation, you are ready to begin the VMware Enterprise Systems Connector configuration.

Configure Active Directory Details

The next step in Enterprise Connector & Directory is to integrate the connector with Active Directory. The values used in this section are based on a test environment. Your configuration values will differ.

1. Provide Active Directory Details


Enter the following Active Directory information.

  1. Directory Type – Select Active Directory from the drop-down menu.
  2. Server – Enter the FQDN of the Active Directory server.
  3. Encryption Type – Select the encryption type for your environment. This example uses SSL.
  4. Port – Keep the default value.
  5. Protocol Version – Keep the default value.
  6. Bind Authentication Type – Select GSS-NEGOTIATE.
  7. Bind Username – Enter the user name that has permission to access the domain controller.
  8. Bind Password – Enter the password.
  9. Click Save.

2. Confirm Test Connection is Successful

  1. Click Test Connection. If successful, you see the message Connection successful with the given server name, bind username and password.
  2. Click Continue.

For more information, see the VMware AirWatch Directory Services Guide in VMware AirWatch Documentation.

Integrate VMware Identity Manager with VMware AirWatch

After Directory Setup is complete, you are ready to integrate VMware Identity Manager with VMware AirWatch.

1. Enter VMware Identity Manager Details

Enter the following information for VMware Identity Manager.

  1. Tenant URL – The tenant URL for VMware Identity Manager
  2. Username – The user name for the VMware Identity Manager tenant
  3. Password – The password for the VMware Identity Manager tenant
  4. Click Test Connection. If successful, you see the message Test connection successful!
  5. Click Continue.

2. Use AirWatch to Authenticate Users

  1. For Do you want to use AirWatch to authenticate users, select Yes.
  2. Click Save. It can take a few minutes for the Save process to complete. The Finish button is available when the process completes.
  3. Click Finish.

Add Active Directory User Groups to VMware AirWatch

After Active Directory has been integrated with VMware AirWatch, you can enroll any Active Directory user or group into VMware AirWatch. You add or import the Active Directory users and groups who you want to access VMware AirWatch. For this exercise, you add a user group. Ensure that you are logged in to the AirWatch Console as a domain administrator. The values used in this section are based on a test environment. Your configuration values will differ.

1. Navigate to User Groups

  1. In AirWatch Console, select Accounts.
  2. Select User Groups > List View.

2. Add User Group

  1. Click Add.
  2. Click Add User Group.

3. Find User Group


Configure the user group information. Keep the default values unless otherwise specified.

  1. Search Text – Enter the user group name, for example, user.
  2. Click Search.
  3. Select the user group from the Group Name list.

4. Configure User Group Details

  1. User Group Settings – Select Custom.
  2. Maximum Allowable Changes – Enter 100.
  3. Add Group Members Automatically – Select Enabled.
  4. Click Save.

Sync Active Directory User Group in VMware AirWatch

After you have created an Active Directory user group, sync this group in VMware AirWatch to import the users immediately.

1. Sync User Group

  1. Select the check box next to the user group added in the previous exercise.
  2. Click Sync.

2. Confirm Synced Users


In the dialog box, click OK to confirm.

Check that the synced users appear in the Users column.

Log In to the VMware Identity Manager Console

This exercise helps you to log in to your VMware Identity Manager tenant.

1. Launch Google Chrome (If Needed)


If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

3. Log In to Your VMware Identity Manager Tenant
  1. Enter the administrator user name.
  2. Enter the administrator password.
  3. Click Sign In.

Verify That VMware AirWatch Users Appear in VMware Identity Manager

After you have authorized an Active Directory user group to access VMware AirWatch, the user group also appears in VMware Identity Manager.

1. Confirm the AirWatch User Group is Available

  1. Click the Users & Groups tab.
  2. Click Groups.
  3. Verify that the VMware AirWatch user group is listed.

2. Force Sync If Required

If the users do not appear in VMware Identity Manager, you can force a sync from the AirWatch Console.

  1. In AirWatch Console, select Groups & Settings.
  2. Select All Settings.

  1. Select System.
  2. Select Enterprise Integration.
  3. Select VMware Identity Manager.
  4. Select Configuration.

2.3. Sync Users


Scroll down and click Sync Now.

After you verify that VMware AirWatch users appear in VMware Identity Manager, you are ready to configure Mobile Single Sign-On.

Configure Mobile Single Sign-On

The Getting Started wizard guides you through configuring mobile SSO.

1. Navigate to Mobile Single Sign-On

  1. Select Getting Started.
  2. Select Workspace ONE.
  3. Navigate to SETUP > Mobile Single Sign-On.
  4. Click Configure.

2. Configure Mobile Single Sign-On


Click Get Started.


Click Continue.

3. Auto-Configure Mobile Single Sign-On Settings

Click Start Configuration.

4. Complete Mobile Single Sign-On Configuration

When the auto-configure checklist completes, click Finish.


Click Close.

After you configure Mobile Single Sign-On, the Initial Configuration section is complete.

Salesforce Mobile Single Sign-On

Introduction

Although we use an iOS device to test the mobile SSO feature, the wizard also configures mobile SSO for Android and Windows 10 devices.

This exercise helps you to configure the Salesforce application with the identity provider metadata and integrate VMware Identity Manager to a trial Salesforce account.

The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Prerequisites

Before you can perform the procedures in this exercise, you must complete the following tutorials:

In addition, you need to create a trial Salesforce developer account. To register, you need a valid email address to receive your Salesforce password.

This exercise requires a user to enroll their device in AirWatch. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information
User name | testuser
Password | VMware1!
Email | testuser@company.com

AirWatch Console Login

To perform most of the steps in this exercise, you must first log in to the AirWatch Console.

1. Launch Chrome Browser


On your desktop, double-click the Google Chrome icon.

3. Authenticate into the AirWatch Console

  1. Enter your Username. This is the name provided in the activation email.
  2. Enter your Password. This is the password provided in the activation email.
  3. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Configure the iOS Device Profile

A device profile allows you to manage devices with specific settings and rules. You can enforce corporate rules and procedures when device profiles are combined with compliance policies.

The mobile SSO feature creates default device profiles. You must update the iOS device profile to include the Salesforce application identifier. 

1. Select iOS Device Profile

  1. Select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.
  4. Click the iOS device profile.

2. Edit Device Profile Settings

  1. Select Single Sign-On.
  2. Click Add Version.

3. Add Salesforce Application Identifier

  1. Click Add.
  2. In the Applications section, enter com.salesforce.chatter.
  3. Click Save & Publish.
  4. Click Publish.

Assign a VMware AirWatch Device Profile

After a device profile has been created and configured, you can assign the profile to a smart group.

This exercise helps you to assign a VMware AirWatch device profile to a smart group.

1. Select iOS Device Profile

  1. In AirWatch Console, select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.
  4. Click the iOS device profile.

2. Select Create Assignment Group
  1. Select the General tab.
  2. Click the Assigned Groups text box to open the drop-down menu.
  3. Select Create Assignment Group.

3. Provide Smart Group Details

  1. Name – Enter a name of your choice for the smart group. This exercise uses iOS Smart Group.
  2. Platform and Operating System – From the drop-down menus, select the following options: Apple iOS, Greater Than or Equal To, iOS 10.2.0.
  3. Click Save.
  4. Click Save & Publish.
  5. Click Publish.

Now that you have completed assigning a VMware AirWatch device profile to the iOS smart group, you are ready to Configure the SAML Metadata Settings.

Configure SAML Metadata Settings

Security Assertion Markup Language (SAML) is an open standard for SSO across multiple services. Using SAML authentication, a user logs in to an environment only once per web browser session to access all systems.

This exercise helps you configure the SAML metadata settings. 

1. Export and Save Metadata File in VMware AirWatch

Export the identity provider SAML metadata from VMware AirWatch. The metadata is used to configure the Salesforce application.

Navigate to SaaS Applications
  1. In AirWatch Console, select Apps & Books.
  2. Select Applications.
  3. Select Web.
  4. Select SaaS.

1.2. Save Metadata File


Click Settings.

  1. Select SAML Metadata.
  2. Select Download SAML Metadata.
  3. Right-click Identity Provider (IdP) metadata, and select Save Link As.
  4. Save the metadata file in an accessible location.

2. Import the Metadata File to Salesforce

2.1. Log in to Salesforce

  1. In a web browser, navigate to https://login.salesforce.com.
  2. Enter your Salesforce user name.
  3. Enter your Salesforce password.
  4. Click Login.

2.2. Locate Single Sign-On Settings


  1. In the search panel on the left, enter single to locate SSO settings.
  2. Click Single Sign-On Settings.

2.3. Edit Single Sign-On Settings


Click Edit.

2.4. Enable SAML

  1. Select SAML Enabled to enable SSO using SAML.
  2. Click Save.

2.5. Populate SAML Single Sign-On Settings

  1. Click New from Metadata File.
  2. Click Choose File, and select the metadata file saved in the previous exercise.
  3. Click Create to populate the SAML SSO settings.

3. Update the SAML Settings in Salesforce

Specify how the identity provider identifies the Salesforce user, and complete the metadata download.

  1. Select Assertion contains the Federation ID from the User object.
  2. Click Save.
  3. Click Download Metadata.

Register Your Domain in Salesforce

After you have downloaded the SAML metadata file, you need to register your domain in Salesforce.

1. Select My Domain in Salesforce

  1. In the search box on the left, enter my domain.
  2. Click My Domain.

2. Register Your Domain Name

  1. Under Choose Your Domain Name, enter a domain name in the text box.
  2. To confirm that your domain name is not being used, click Check Availability.
  3. Click Register Domain.

It can take a few minutes for Salesforce to complete the process. When the domain is registered, you receive an email. After you receive the email, you can edit the authentication configuration in My Domain.

3. Edit Authentication Configuration


Next to Authentication Configuration, click Edit.

4. Enable Authentication Service

  1. To enable the authentication service, select your Identity Manager user name in the Authentication Service section.
  2. Click Save.

Update the Federation ID

The federation ID in Salesforce is a unique user name that can be shared across multiple applications. The federation ID allows administrators to choose a user name format to pass to Salesforce from their user directory for SSO. The user name format is often an attribute, such as the user’s email address.

1. Select Users in Salesforce

  1. In the search box on the left, enter users.
  2. Click Users.

2. Edit User Settings


Next to the user name used for the trial account, select the check box and click Edit.

3. Enter Federation ID

  1. In the Single Sign-On Information section, enter the federation ID as the UPN of the AD user account. For example, testuser@company.com.
  2. Click Save.

Configure the Salesforce Application for SSO

You now add the Salesforce application to the VMware AirWatch catalog and configure the application for SSO. To add a web application to AirWatch Console, you must be logged in as a domain administrator.

1. Create New SaaS Application

  1. In AirWatch Console, select Apps & Books.
  2. Select Applications.
  3. Select Web.
  4. Select SaaS.
  5. Click New.

2. Select the Salesforce Application

  1. In the Search text box, enter Salesforce.
  2. Select Salesforce from the list. The remaining options are auto-filled.
  3. Click Next.

3. Configure Salesforce Application Settings

Select URL/XML.

Open the previously saved metadata file (see Update the SAML Settings in Salesforce) using Notepad or TextEdit.

  1. Copy the data, and paste it into the URL/XML text box.
  2. Click Next.

4. Select Default Access Policy Set

Click Next.

5. Confirm Salesforce Configuration and Save

Click Save.

The Salesforce application has been added to the AirWatch catalog and configured for SSO.

Log In to the VMware Identity Manager Console

This exercise helps you to log in to your VMware Identity Manager tenant.

1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

3. Log In to Your VMware Identity Manager Tenant

  1. Enter the administrator user name.
  2. Enter the administrator password.
  3. Click Sign In.

Add User Assignment in VMware Identity Manager

You are now ready to assign users to the Salesforce application.

1. Select Salesforce from the Catalog

  1. In the VMware Identity Manager administration console, click the Catalog tab.
  2. Click the Salesforce icon from the application list.

2. Assign Salesforce to a User

Click Assign.

3. Select User Account

  1. Enter a user name in the search field.
  2. Select the user name.

4. Specify User Assignment Details

  1. Select Automatic from the drop-down menu.
  2. Click Save to complete the assignment process.

Test the Salesforce SSO Configuration in a Web Browser

You can confirm that SSO is correctly configured by logging in to a web browser and accessing the Salesforce application from the VMware Identity Manager portal.

1. Launch Google Chrome (If Needed)

From a desktop computer, launch Google Chrome by double-clicking the icon.

3. Log In to VMware Identity Manager Portal

Enter the credentials for a user entitled to the Salesforce application.

  1. Enter the user name.
  2. Enter the password.
  3. Click Sign In.

4. Launch Salesforce Application

Click Open to launch the Salesforce application. If SSO is configured correctly, the Salesforce application starts without prompting for a user name and password.

iOS Device Enrollment

You enroll your iOS device in VMware AirWatch by installing AirWatch Agent.

1. Install AirWatch Agent

  1. On your iOS device, in the web browser, navigate to http://awagent.com.
  2. Tap Go to Apple AppStore.

Tap the cloud icon to install AirWatch Agent.

2. Launch the AirWatch MDM Agent

To start the agent, tap the Agent icon.

3. Choose the Enrollment Method

Tap Server Details.

4. Find your Group ID from AirWatch Console

  1. In AirWatch Console, hover your mouse over the Organization Group tab at the top of the screen.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

Note: The Group ID is required when enrolling your device in the following steps.

5. Enter Server Details

After the Agent launches, you can enroll the device.

  1. Server – Enter the VMware AirWatch tenant name.
  2. Group ID – Enter your organization group ID. Your Group ID was noted in the previous exercise.
  3. Tap Next.

6. Authenticate the AirWatch MDM Agent

On this screen, enter the user credentials for a basic user account.

  1. Username – Enter the user name.
  2. Password – Enter the password.
  3. Tap Next.

7. Redirect to Safari and Enable MDM Enrollment in Settings

The AirWatch Agent redirects you to Safari and starts the process of enabling MDM in the device settings.

Tap Redirect & Enable.

8. Allow Website to Open Settings (If Required)

If prompted to allow the website to open Settings to show you a configuration profile, tap Allow.

Note: If you do not see this prompt, ignore this and continue to the next step. This prompt appears only for iOS devices on iOS 10.3.3 or later.

9. Enter Device PIN (If Required)

If a PIN is requested, enter your device PIN.

10. Install the MDM Profile


Tap Install in the upper-right corner of the Install Profile dialog box.

11. Install and Verify the AirWatch MDM Profile


Tap Install when prompted at the Install Profile dialog box.

12. iOS MDM Profile Warning


You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

13. Trust the Remote Management Profile

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

14. iOS Profile Installation Complete

You should now see the iOS Profile successfully installed.

Tap Done in the upper-right corner of the prompt.

15. AirWatch Enrollment Success

Your enrollment is now complete. Tap Open to navigate to the AirWatch Agent.

16. Accept the Authentication Complete Prompt

Tap Done to continue.

17. Accept Notification Prompt (If Required)

Tap Allow if you get a prompt for Notifications.

18. Accept the App Installation (If Required)

You may be prompted to install a series of applications. If prompted, tap Install to accept the application installation.

Test the SSO Configuration of Salesforce on Your Mobile Device

When you install a Workspace Services profile, VMware AirWatch pushes Salesforce to your iOS device. In this exercise, you log in to your enrolled iOS device and start Salesforce. If SSO is configured correctly, the Salesforce application starts without prompting for a user name and password.

1. Launch Salesforce on iOS Device

On your iOS device, tap the Salesforce application.

2. Confirm Redirection to Workspace ONE

Confirm redirection to Workspace ONE.

3. Validate SSO

Validate SSO. Authentication completes, and the application starts without requiring a user name and password.

Now that you have tested the Salesforce SSO configuration on your mobile device, the Salesforce Mobile Single Sign-On section is complete.

Adaptive Management Configuration for iOS

Introduction

This exercise helps you enable and test adaptive management. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

You can deploy internal and public applications as either managed or unmanaged when using VMware AirWatch for native application delivery. This adaptive management approach protects data inside applications without requiring devices to be managed.

Adaptive management is applied on a per-application basis in AirWatch Console. With an application profile, an administrator can require device management prior to allowing the device to use an application.

Prerequisites

Before you can perform the procedures in this exercise, you must complete the following tutorials:

This exercise requires a user to enroll their device in AirWatch. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information
User name | testuser
Password | VMware1!
Email | testuser@company.com

AirWatch Console Login

To perform most of the steps in this exercise, you must first log in to the AirWatch Console.

1. Launch Chrome Browser


On your desktop, double-click the Google Chrome icon.

3. Authenticate into the AirWatch Console

  1. Enter your Username. This is the name provided in the activation email.
  2. Enter your Password. This is the password provided in the activation email.
  3. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Enable Adaptive Management

Add the Socialcast® by VMware application to the VMware AirWatch catalog, and enable adaptive management.

1. Navigate to Add Application

  1. In AirWatch Console, select Apps & Books.
  2. Select Applications.
  3. Select Native.
  4. Select the Public tab.
  5. Click Add Application.

2. Add VMware Socialcast Application

2.1. Search for VMware Socialcast

  1. Platform – Select Apple iOS.
  2. Name – Enter Socialcast.
  3. Click Next.

2.2. Select VMware Socialcast

Click Select to select the Socialcast application.

2.3. Save VMware Socialcast

Click Save & Assign.

3. Add Assignment

Click Add Assignment.

4. Provide Assignment Details

  1. Selected Assignment Groups  – Select the iOS smart group that you created in Assign a VMware Device Profile.
  2. App Delivery Method  – Select On Demand.
  3. Managed Access  – Select Enabled.
  4. Click Add.

5. Publish Application

  1. Click Save & Publish.
  2. Click Publish.

Test Adaptive Management

To test the adaptive management feature, you need an unmanaged iOS device—a device that does not have AirWatch Agent installed.

1. Navigate to App Store

On your iOS device, tap the App Store icon.

2. Search for VMware Workspace ONE App

  1. Enter vmware workspace one in the search field.
  2. Tap the cloud icon to install the Workspace ONE application.

3. Launch VMware Workspace ONE

Tap Open to launch VMware Workspace ONE application.

4. Enter Workspace ONE Credentials

Enter the VMware Identity Manager tenant address.

  1. Enter the user name for Workspace ONE.
  2. Enter the password.
  3. Tap Sign in.

5. Load Workspace

If prompted, tap Enter to load your workspace.

6. Allow Notifications

If prompted, tap Allow to confirm notifications.

7. Install Socialcast from Workspace ONE Catalog

  1. Tap the Catalog tab.
  2. To install the Socialcast application, tap Install.

8. Enable Workspace Services

Tap Enable Workspace Services.

9. Install the MDM Profile

Tap Install in the upper-right corner of the Install Profile dialog box.

10. Enter Device PIN (If Required)

If a PIN is requested, enter your device PIN.

11. Install and Verify the AirWatch MDM Profile

Tap Install when prompted at the Install Profile dialog box.

12. iOS MDM Profile Warning

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

13. Trust the Remote Management Profile.

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

14. iOS Profile Installation Complete

You should now see the iOS Profile successfully installed.

Tap Done in the upper right corner of the prompt.

Tap Open to open this page in Workspace ONE.

15. Confirm App Installation

Tap Install.

16. Accept App Installation

Tap Install.

17. Confirm Socialcast Installation

After the Socialcast installation completes, the application is available on your device. Tap the application to launch it.

You have successfully completed Adaptive Management Configuration for iOS.

Windows 10 Management

Introduction to Windows 10 Management

This exercise introduces you to managing Windows 10 devices in Workspace ONE. Windows 10 Management helps you to create a restrictions profile, create and distribute an application to your Windows 10 device, and then enroll your device to test the results. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

 

Prerequisites for Windows 10 Management

Before you can perform the procedures in this exercise, you must complete the following tutorials:

This exercise requires a user to enroll their device into AirWatch. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information  
User name testuser
Password VMware1!
Email testuser@company.com

You must also satisfy the following requirements:

  • Workspace ONE Advanced Edition installed.
  • A virtual machine or spare Windows device running Windows 10 with the latest updates installed.
    Note: Although it is possible to use Home edition, it is not recommended as some advanced capabilities such as BitLocker encryption, software distribution, and scripting are not supported.
  • Administrative rights to the virtual machine or spare Windows device.
  • A Windows 10 Desktop app (*.msi, *.exe, or *.zip), such as 7-Zip. To follow these instructions, download a 7-Zip installation file, and save it in your Documents folder.

Important: Do not access the AirWatch Console from the same machine you are managing.

AirWatch Console Login

To perform most of the steps in this exercise, you must first log in to the AirWatch Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate into the AirWatch Console

Authenticate to the AirWatch Administration Console
  1. Enter your Username. This is the name provided in the activation email.
  2. Enter your Password. This is the password provided in the activation email.
  3. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Windows 10 Restriction Profile

Profiles allow you to modify how enrolled devices behave. This section walks you through configuring and deploying a restriction profile. Later in the module, you verify that the profile has been applied to the device.

Continue to the next step.

1. Create a Restriction Profile

Add a Restriction Profile

In the top-right corner of the AirWatch Console:

  1. Click Add.
  2. Click Profile.

1.1. Add a Windows Profile

Click on the Windows icon.

NOTE - Make sure that you are selecting Windows and NOT Windows Rugged.

1.2. Add a Windows Desktop Profile

Click on Windows Desktop

1.3. Select Context - Device Profile

Click on Device Profile.

1.4. Define the General Settings

  1. Click on General if it is not already selected.
  2. Give the profile a name, such as "Windows Restrictions", by entering it in the Name field.
  3. Copy the profile name into the Description field.
  4. Click in the Assigned Groups field. This displays the list of created Assignment Groups. Click the All Devices Assignment Group.
    NOTE - You may need to scroll down to view the Assigned Groups field.

NOTE - You do not need to click SAVE AND PUBLISH at this point. This interface allows you to move around to different payload configuration screens before saving.

Continue to the next step to finish configuring the profile.

1.5. Select the Restrictions Payload

NOTE - When initially setting a payload, a "Configure" button will show to reduce the risk of accidentally setting a payload configuration.

  1. Click on the Restrictions payload in the Payload section on the left.
  2. Click the Configure button to continue setting the Restrictions payload.

1.6. Adding a Restriction - Disable Cortana

  1. Using the scroll bar on the right, scroll down to the Device Functionality section.
  2. Click Don't Allow for Cortana.
  3. Notice the 10 on the right side of the Restrictions window. These are all the restrictions that AirWatch is able to apply to a Windows 10 computer.
  4. Click Save & Publish.

1.7. Publish the Restrictions Profile

Click Publish.

1.9. Verify the Restriction Profile Now Exists

You should now see your Restrictions Profile within the List View of the Devices Profiles window.

NOTE - If you need to edit the Restrictions Profile, return to this list view. To edit the profile, click the profile name, select "Add Version", make your changes, and click "Save & Publish" to push the new settings to the assigned devices. Feel free to explore the available options, and continue to the next step when you are ready to end the module.

Windows 10 App Delivery

You can also distribute applications to Windows 10 devices, allowing for a seamless user experience.  Continue to explore the process of creating and distributing an application to your Windows 10 device.

1. Create an Internal Application Profile

This exercise requires the 7-Zip installation program, which is already downloaded and stored for you in the Documents folder.

1.1. Add Internal Application

In the top-right corner of the AirWatch Console,

  1. Click Add.
  2. Click Internal Application.

1.2. Upload Application

Click on Upload.

1.3. Find the Application MSI

Click on the Choose File button

1.4. Upload the MSI File

The installation file for Google Chrome has already been downloaded to the server and placed in the Documents folder.

  1. Click on Documents.
  2. Expand HOL.
  3. Click the Windows 10 folder.
  4. Select 7z1604-x64.exe.
  5. Click Open.

1.5. Saving the MSI File

Click Save.

1.6. Continue to the App Settings

  1. Click No for Is this a dependency file.
  2. Click Continue.

1.7. Configure App Details

  1. Enter "7-Zip" for the Name.
  2. Enter "16.04" for the Actual File Version.
  3. Select 64-bit for the Supported Processor Architecture.

1.8. Configure Application Files

  1. Click the Files tab.
  2. Scroll down to find the App Uninstall Process section.
  3. Select Input for the Custom Script Type.
  4. Enter the following for Uninstall Command:
7z1604-x64.exe /Uninstall

NOTE - Refer to the Lab Guidance section at the beginning for how to copy text from the manual for use in VLP.

1.9. Click on Deployment Options

  1. Click on Deployment Options
  2. Scroll down until you see the option for Install Command
  3. Type Install Command as:
7z1604-x64.exe /S

1.10. Add Identify Application Condition

  1. Scroll down to find the When To Call Install Complete section.
  2. Select Defining Criteria for the Identify Application By field.
  3. Click Add.

1.11. Configure the Install Complete Defining Criteria

  1. Select File Exists for the Criteria Type.
  2. Enter "C:\Program Files\7-Zip\7zFM.exe" for the Path.
  3. Click Add.

1.12. Save and Assign the Application

Click Save & Assign.

1.13. Add an Assignment

Click Add Assignment.

1.14. Add Assignment Group and Push Mode

  1. Click the Select Assignment Groups search box and select All Devices (your@email.shown.here).
  2. Select Auto for the App Delivery Method.
  3. Click Add.

1.15. Save and Publish the Application

Click Save & Publish

1.16. Preview the Assigned Devices

Click Publish

Windows 10 Work Access Enrollment

In this exercise, enroll your Windows 10 device through work access enrollment.

The following instructions use a virtual machine, accessible from the desktop.

1. Launch the Dedicated Windows 10 Machine

Launch Windows 10 VM

From your desktop, launch the Windows 10 virtual machine.

2. Launch Settings

  1. On your Windows 10 machine, open the Start menu.  
  2. Click Settings.

3. Access Accounts

Select the Accounts icon.

4. Access Work or School

  1. Select Access work or school.
  2. Select Enroll only in device management.

5. Enter Corporate Email

Connecting to Windows Auto Discovery Service
  1. Enter your corporate email address to begin registering with the AirWatch tenant.
  2. Click Next. This will fail and return an error.

6. Enter the Server URL

  1. Enter https://<AirWatchHostname> where AirWatchHostname is the host name of the VMware AirWatch tenant.
  2. Click Next.

7. Authenticate

  1. In the Username field, enter your username.
  2. In the Password field, enter your password.
  3. Click Next.

8. Remember Sign-in Info

Review the Remember Sign-In dialog, and select Yes to simplify future log-ins.

9. Complete Enrollment

Click Finished.

10. Close Settings

To close the Settings page, click X in the upper-right corner.

11. Allow the App to Make Changes

If prompted, click Yes to allow the app to make changes to the PC.

Mobile Device Management (MDM) Enrollment Confirmation

After work access enrollment completes, the restriction profile installs on the device.  Verify that the restrictions are applied on your device to confirm enrollment was successful and that the profile installed correctly.

1. Confirm Cortana is Disabled

1.1. Open Cortana

  1. On the enrolled Windows 10 machine, open the Start menu.
  2. From the apps list, select Cortana.

1.2. Confirm Cortana Settings are Disabled

Note: The following screenshots show a before and after view of Cortana settings. Your screen should look like the one on the right (After: Cortana Disabled).

Cortana Disabled
  1. Confirm Cortana no longer displays a greeting.
  2. Confirm the device provides only basic search capabilities.

2. Confirm the Application File Installed

2.1. Open File Explorer

From the bottom toolbar, open File Explorer.

2.2. Open 7-Zip

  1. Select Local Disk (C:).
  2. Select Program Files.
  3. Select 7-Zip.
  4. Double-click 7zFM.exe to launch the 7-Zip File Manager.

Note: If you do not see the 7-Zip folder, your application may still be downloading. This can take several minutes to finish.
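
The same confirmation can be scripted on the enrolled machine. The PowerShell below is an added example, not part of the original tutorial or of VMware's tooling. It assumes the Cortana restriction is delivered as the Windows Policy CSP setting Experience/AllowCortana and that enrollment records sit under the Windows Enrollments registry key; the function names are illustrative.

```powershell
# Added example: scripted version of the manual enrollment confirmation above.
# Run in an elevated PowerShell session on the enrolled Windows 10 machine.

# Values taken from the tutorial steps.
$AppPath    = 'C:\Program Files\7-Zip\7zFM.exe'  # path used in the File Exists criteria
$AppVersion = '16.04'                            # Actual File Version entered in the console

# Assumption: the console's "Don't Allow" Cortana restriction is delivered as the
# Windows Policy CSP setting Experience/AllowCortana, which Windows records here.
$CortanaKey   = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Experience'
$CortanaValue = 'AllowCortana'

function Get-MdmEnrollment {
    # Windows keeps one GUID-named subkey per enrollment. Real MDM enrollments
    # carry a ProviderID value; helper subkeys (Status, Context, ...) do not.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path -Path $root)) { return }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['ProviderID'] -and $props.ProviderID) {
            [pscustomobject]@{
                EnrollmentId = $key.PSChildName
                ProviderID   = $props.ProviderID
            }
        }
    }
}

function Get-CortanaPolicyState {
    # 0 = Cortana not allowed, 1 = allowed; a missing value means no MDM policy is set.
    $item = Get-ItemProperty -Path $CortanaKey -Name $CortanaValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$CortanaValue -eq 0) { return 'Disallowed' }
    return 'Allowed'
}

function Get-AppInstallState {
    if (-not (Test-Path -LiteralPath $AppPath -PathType Leaf)) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Sha256 = $null }
    }
    $file = Get-Item -LiteralPath $AppPath
    [pscustomobject]@{
        Installed = $true
        Version   = $file.VersionInfo.ProductVersion
        # File Exists only proves that something sits at this path. Record the
        # hash so it can be compared with a known-good installation.
        Sha256    = (Get-FileHash -LiteralPath $AppPath -Algorithm SHA256).Hash
    }
}

$enrollments = @(Get-MdmEnrollment)
$cortana     = Get-CortanaPolicyState
$app         = Get-AppInstallState

$report = @(
    [pscustomobject]@{
        Check  = 'MDM enrollment record present'
        Pass   = ($enrollments.Count -gt 0)
        Detail = (($enrollments | ForEach-Object { $_.ProviderID }) -join ', ')
    }
    [pscustomobject]@{
        Check  = 'Cortana disallowed by policy'
        Pass   = ($cortana -eq 'Disallowed')
        Detail = $cortana
    }
    [pscustomobject]@{
        Check  = '7-Zip File Manager installed'
        Pass   = $app.Installed
        Detail = $AppPath
    }
    [pscustomobject]@{
        Check  = "Installed version starts with $AppVersion"
        Pass   = ($app.Installed -and ("$($app.Version)" -like "$AppVersion*"))
        Detail = "$($app.Version)"
    }
)

$report | Format-Table -AutoSize -Wrap
$app | Format-List Installed, Version, Sha256

if ($report.Pass -contains $false) {
    Write-Warning 'One or more checks failed. The profile or app may still be downloading; re-run in a few minutes.'
}
```

A result of NotConfigured for the Cortana check means that no MDM policy value was found at the assumed location, which is different from the policy being set to allow Cortana.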

Now that you have confirmed enrollment, the Windows 10 Management section is complete.

Android Management

Introduction to Android Management

This exercise focuses on configurations for Work Managed Device mode. Also called Device Owner, this mode allows AirWatch to control the entire device. Work Managed Device mode is ideal for corporate-owned devices, and requires a parent staging process. Although there are several ways to enroll work managed devices, this exercise uses the AirWatch Identifier enrollment flow. For an overview of the available enrollment flows, see Work Managed Device Enrollment.

Prerequisites for Android Management

Before you can perform the procedures in this exercise, you must complete the following tutorials:

This exercise requires a user to enroll their device into AirWatch. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information  
User name testuser
Password VMware1!
Email testuser@company.com

You must also satisfy the following requirements:

  • Google Admin Account bound to AirWatch
  • Android device 5.0 or higher
  • Factory-reset device in out-of-the-box mode

Caution: Do not factory reset your personal device to complete these exercises. 

AirWatch Console Login

To perform most of the steps in this exercise, you must first log in to the AirWatch Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate into the AirWatch Console

Authenticate to the AirWatch Administration Console
  1. Enter your Username. This is the name provided in the activation email.
  2. Enter your Password. This is the password provided in the activation email.
  3. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Group ID Retrieval

Before enrolling your device, retrieve your Group ID from the AirWatch Console.

1. Point to the Organization Group

Finding your Group ID

Select the email address you used to log in to the AirWatch Console.

2. Copy the Group ID

Finding your Group ID

Copy the Group ID from the Organization Group tab.

Android Work Managed Enrollment Using AirWatch Identifier

In this section, use AirWatch Identifier Enrollment to set up your device in Work Managed Device mode.

Note: Screenshots may differ due to differences in device models and operating system versions.

1. Out of Box Enrollment

Turn on your device from a factory reset state and tap Start.

1.1. Connect to Wi-Fi

  1. Tap to connect to the appropriate Wi-Fi network based on your location.
  2. After connecting to Wi-Fi, tap Next.

1.2. Review the Terms and Conditions

Tap Next.

1.3. Accept the Terms and Conditions

Tap Agree.

1.4. Enter the AirWatch Identifier

  1. Enter afw#airwatch into the Email or phone field to download the AirWatch Agent.
  2. Tap Next.

1.5. Review and Configure Google Services

  1. Review and configure the Google Services, then scroll down to the bottom.
  2. Tap Next.

1.6. Install the AirWatch Agent

Tap Install.

1.7. Confirm AirWatch Agent Special Access and Install

Confirm the special access required by the AirWatch Agent and tap Install.

2. Enter AirWatch Server Details for Enrollment

Select AirWatch MDM Agent Authentication Method

After the Agent has launched, you can enroll the device. Select the AirWatch authentication method.

Tap Server Details.

2.1. Authenticate

Attach the AirWatch MDM Agent to the HOL Sandbox
  1. In the server field, enter <AirWatchHostname>.com where AirWatchHostname is the host name of the VMware AirWatch tenant.
  2. Enter the Group ID you retrieved from the AirWatch Console for the Group ID field.
  3. Tap Continue.

2.2. Allow Agent to Manage Phone Calls (IF NEEDED)

If prompted, tap Allow when the Agent requests permission to make and manage phone calls.  Otherwise, continue to the next step.

2.3. Authenticate the AirWatch MDM Agent

  1. Enter the user name.
  2. Enter the password.
  3. Tap Continue.

3. Encrypt Device

Tap Encrypt.

3.1. Review Encryption Requirements

Tap Encrypt Device.

3.2. Confirm and Begin Encryption

  1. When prompted, enable Fast Encryption to reduce the time required to encrypt the device.
  2. Tap Encrypt Device. The device encrypts and restarts.

4. Complete Enrollment

After the device restarts, review the Terms and Conditions for Android for Work, and tap Agree.

4.1. Set Up Android for work

Tap NEXT.

Note: This may take some time. Be patient while the setup process completes.

4.2. Administrator Rights

  1. Tap I consent to agree to the administrator rights terms.
  2. Tap OK to confirm the Privacy Policy.

Note: Enrollment time may vary depending on your network connectivity. Typically, it takes around 1 minute to complete. Be patient while this process completes.

Important: During the enrollment process, you will see several processing screens. Note that you do not need to interact with the device further until you see the AirWatch Agent app confirming your enrollment.

4.3. Wait for Device Connectivity (IF NEEDED)

It may take several minutes to establish a connection to Google Cloud Messaging. Wait until you see the Connectivity Issue notification change to Connectivity Normal before continuing.

4.4. Confirm Device Enrollment

You have now completed the AirWatch MDM Agent configuration wizard.  After the enrollment process completes, the AirWatch Agent will display the notification Congratulations! You have successfully enrolled your device.

You can now Exit the AirWatch Agent.

Bring-Your-Own-Device (BYOD) Management with Android

Introduction to BYOD with Android

This exercise focuses on Android Work Profile configurations which are ideal for BYOD scenarios. Work Profile mode separates the personal space and the corporate space in a device. This allows organizations to manage business data and applications without accessing the user's personal data and apps. To help distinguish personal and corporate apps, a red briefcase displays with corporate apps.

Prerequisites for Android BYOD Management

Before you can perform the procedures in this exercise, you must complete the following tutorials:

This exercise requires a user to enroll their device into AirWatch. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information  
User name testuser
Password VMware1!
Email testuser@company.com

You must also satisfy the following requirements:

  • Android device running version 5.0 or later

AirWatch Console Login

To perform most of the steps in this exercise, you must first log in to the AirWatch Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate into the AirWatch Console

Authenticate to the AirWatch Administration Console
  1. Enter your Username. This is the name provided in the activation email.
  2. Enter your Password. This is the password provided in the activation email.
  3. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Group ID Retrieval

Before enrolling your device, retrieve your Group ID from the AirWatch Console.

1. Point to the Organization Group

Finding your Group ID

Select the email address you used to log in to the AirWatch Console.

2. Copy the Group ID

Finding your Group ID

Copy the Group ID from the Organization Group tab.

Android Work Profile Enrollment for BYOD

In this section, enroll your device in AirWatch and set it up in Work Profile mode.

Note: Screenshots may differ due to differences in device models and operating system versions.

1. Download the AirWatch Agent

Navigate to https://www.awagent.com to download the latest version of the AirWatch Agent.

2. Launch the AirWatch MDM Agent

Launch the AirWatch Agent app on the device.  

3. Select the Authentication Method

Select AirWatch MDM Agent Authentication Method

Tap Server Details.

4. Authenticate

Attach the AirWatch MDM Agent to the HOL Sandbox
  1. In the server field, enter <AirWatchHostname>.com where AirWatchHostname is the host name of the VMware AirWatch tenant.
  2. Enter the Group ID you retrieved from the AirWatch Console for the Group ID field.
  3. Tap Continue.

5. Authenticate the AirWatch MDM Agent

  1. Enter the user name.
  2. Enter the password.
  3. Tap Continue.

6. Accept the Terms and Conditions

EULA

Tap Agree.

7. Set Up Android for work

Tap NEXT.

Note: This may take some time. Be patient while the setup process completes.

8. Device Encryption

Tap Encrypt.

Important: Encrypting your devices can take some time depending on the amount of data on your device.

9. Administrator Rights

Tap OK to confirm the Privacy Policy.

Note: Enrollment time may vary depending on your network connectivity. Typically, it takes around 1 minute to complete. Be patient while this process completes.

Important: During the enrollment process, you will see several processing screens. Note that you do not need to interact with the device further until you see the AirWatch Agent app confirming your enrollment.

10. Wait for Device Connectivity (IF NEEDED)

If you see a Connectivity Issue notification, the device may be taking several minutes to establish a connection to Google Cloud Messaging. Wait until you see the Connectivity Issue notification change to Connectivity Normal before continuing.

Note: If you do not see any Connectivity Issue notifications, continue to the next step.

11. Confirm Device Enrollment

You have now completed the AirWatch MDM Agent configuration wizard.  After the enrollment process completes, the AirWatch Agent will display the notification Congratulations! You have successfully enrolled your device.

You can now Exit the AirWatch Agent.

12. Badged Apps

On your Android device, you should now see the new Work applications. Android for Work apps are marked with an orange briefcase icon and are also referred to as Badged Apps.

In the Applications view, your Work apps and Personal apps are shown in a unified launcher.  For example, your device will show both a personal icon for Google Chrome and a separate icon for Work Chrome denoted by the badge. The AirWatch Agent is badged and exists only within the Work Profile data space.

Important: There is no control over personal apps, and the Agent has no access to personal information. A handful of system apps come with the Work Profile by default, such as Work Chrome, Google Play, Google settings, Contacts, and Camera.

13. Work Container

On some devices, you may also notice the Work container on your device depending on the OS version.  This Work container can be used for quick access to your Work (Badged) Apps.

Android Enterprise Profiles

This exercise helps you to create Android for Work profiles to ensure proper usage of devices and protection of sensitive data. Profiles allow you to enforce corporate rules and procedures, and to customize Android for Work-capable devices.

Important: If your device is enrolled with Android for Work, only Android for Work profiles take effect on the device; Android device profiles do not take effect.

1. Verify Restrictions

Restrictions profiles provide a second layer of device data protection by allowing you to specify and control how, when, and where your employees use their devices. The Restrictions profiles lock down native functionality of Android for Work devices and vary based on device enrollment.

1.1. Create a New Profile

In the AirWatch Console:

  1. Click Add.
  2. Click Profile.

1.2. Select the Android Platform

Select Android.

1.3. Select the Android for Work Configuration Type

Select Android for Work.

Note: In this example, we select the Android for Work configuration because we want to modify the Android for Work functionality, apps, and restrictions on the enrolled device. To modify the unbadged apps or base Android functionality, select Device.

1.4. Configure the General Settings

  1. Ensure the General payload is selected.
  2. Enter AfW Restrictions in the Name field.
  3. Click Assigned Groups to display the list of available assignments.
  4. Select All Devices.

1.5. Configure Restrictions

  1. Select the Restrictions payload.
  2. Click Configure.

1.6. Configure Screen Capture Restrictions

Deselect the Allow Screen Capture check box.

1.7. Configure Camera Restrictions

  1. Scroll down to find the Applications section.
  2. Deselect the Allow Camera check box.
  3. Click Save & Publish.

1.8. Publish the Profile

Click Publish.

1.9. Verify the Android For Work Camera Restrictions

On your device, notice that after the profile is pushed, the badged camera application is no longer available, but the camera on your personal (unbadged) side is still available. This demonstrates the camera restriction applied through the AirWatch profile.

1.10. Screenshot in a Non-Badged App

  1. Open your non-badged Contacts app.
  2. Take a screenshot (press the Power button and Volume Down, or the Power button and Home button, at the same time for 2 seconds).

Note: The shortcut for taking a screenshot may vary depending on your device model.

Notice that the screenshot was successful.

1.11. Verify the Android for Work Screenshot Restriction

  1. Open the badged Contacts app.
  2. Attempt to take a screenshot within the app. Note that you cannot take the screenshot, and a message may appear depending on the device model and OS version.

This demonstrates the screenshot restriction applied through the AirWatch profile.

Approving Applications

This section is designed to walk you through the process of approving applications for integration between AirWatch and Android for Work. Applications that you push through the integration of AirWatch and Android for Work have the same functionality as their counterparts from the Google Play Store. However, you can use AirWatch features to add functionality and security to these applications.

  • To add convenience of use, configure the Send Application Configuration option. Application configurations allow you to pre-configure supported key-value pairs and to push them down to devices along with the application. Examples of supported values may include usernames, passwords, and VPN settings. Supported values depend on the application.
  • To add secure features, use AirWatch profiles for Android for Work. Profiles let you set passcodes, apply restrictions, and use certificates for authentication.

1. Add Public Application

In the AirWatch Console:

  1. Select Add.
  2. Select Public Application.

1.1. Search for Public Application

  1. Select Android from the Platform drop-down menu.
  2. Select Search App Store for the Source.
  3. Enter VMware Browser in the Name text box.

1.2. Select the VMware Browser App

Click the VMware Browser app.

1.3. Approve VMware Browser (IF NEEDED)

Click Approve if not approved already.

1.4. Confirm Approval for VMware Browser (IF NEEDED)

  1. You may need to scroll down to view the Approve button.
  2. Click Approve.

Click Approve again in the Application pop-up window.

Note: Scroll down if you do not see the pop-up window.

1.5. Click Save (IF NEEDED)

  1. You may need to scroll down to view the Approval Settings button.
  2. Select Keep approved when app requests new permission.
  3. Click Save.

1.6. Select the Approved App (IF NEEDED)

If the application was already approved, click SELECT.  If you had to approve the application in the previous step, skip to the next step.

2. Publish Public App

Click Save & Assign.

2.1. Add Assignment

Click Add Assignment.

2.2. Configure Assignment

  1. Click in the Selected Assignment Groups search box. This displays the list of created Assignment Groups. Enter All Devices and select the All Devices (your@email.shown.here) Group.
  2. Select Auto for the App Delivery Method.
  3. Click Add.

2.3. Save and Publish VMware Browser

Click Save & Publish.

2.4. Preview Assigned Devices and Publish

Click Publish.

Verify Work Apps

In the previous exercise, we learned how to approve and push an Android application from the AirWatch Console. This exercise helps you to verify that Work apps installed correctly on the enrolled Android device.

Note: Screenshots may differ depending on device model and OS.

1. Confirm the Published VMware Browser Application Downloaded

Return to your testing Android device and confirm that the VMware Browser application has downloaded and displays as a Work app.

Using this process, you can rapidly approve new applications and deploy them to your users.

2. Open the Badged Android for Work Play Store App

Open your Work Play Store application on your Android device.

3. Accept Google Play Terms of Service (IF NEEDED)

If you are prompted with the Google Play Terms of Service, tap Accept. Otherwise, continue to the next step.

4. Open Play Store Menu

Tap the Menu button in the upper-left corner.

5. View Play Store Work Apps

Tap My Work Apps from the menu.

6. Verify VMware Browser Is Available As A Work App

  1. Tap INSTALLED.
  2. Confirm that the VMware Browser application is in your list of Work applications.  You may need to scroll down to find the application.

The VMware Browser app is listed as a Work app because it was approved as a Work app through the AirWatch Console while adding and assigning the application to your users.  This streamlines and rapidly improves the process of approving and deploying Work apps to your Android devices.

macOS Management

Introduction to macOS Management

This section covers basic macOS administration using AirWatch.  This exercise helps you to enroll a macOS device, create profiles, deploy an application, lock the device, and use Custom Attributes.  

Prerequisites for macOS Management

Before you can perform the procedures in this exercise, you must complete the following tutorials:

Account Requirements

Record the required account information in the following tables.

Note: The details provided in the tables are based on a test environment. Your user account details will differ.

  • This exercise requires an administrator to log into the device.

    Administrator Account Information | Example
    User name | administrator
    Password | VMware1!

  • This exercise requires a user to enroll their device into AirWatch.

    User Account Information | Example
    User name | testuser
    Password | VMware1!
    Email | testuser@company.com

Device Requirements

You must also satisfy the following requirements:

  • Apple device running macOS version 10.12.6 (Sierra) or later.
  • A macOS app, such as feedly. To follow the instructions in this exercise, download a feedly installation file and save it in the Documents folder.

AirWatch Console Login

To perform most of the steps in this exercise, you must first log in to the AirWatch Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate into the AirWatch Console

  1. Enter your Username. This is the name provided in the activation email.
  2. Enter your Password. This is the password provided in the activation email.
  3. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Group ID Retrieval

Before enrolling your device, retrieve your Group ID from the AirWatch Console.

1. Point to the Organization Group

Select the email address you used to log in to the AirWatch Console.

2. Copy the Group ID

Copy the Group ID from the Organization Group tab.

macOS Enrollment

In this exercise, use basic enrollment to bring a macOS device under AirWatch Unified Endpoint Management.

Note: The following instructions use a virtual machine, accessible from the desktop.

1. Download the AirWatch Agent

1.1. Log in to the MacBook

  1. Enter the administrator user name, for example, administrator.
  2. Enter the administrator password, for example, VMware1!.

1.2. Open the Safari Browser on the MacBook

From the menu at the bottom of the screen, select the Safari icon (blue compass).

1.3. Download the AirWatch Agent

  1. Navigate to https://awagent.com in the URL field.
  2. Click Download. The MDM Agent begins to download, and saves to the downloads folder by default.

2. Install the AirWatch Agent

Install the AirWatch Agent on the device.

2.1. Launch the AirWatch Agent Installer

  1. Click the Downloads folder.
  2. Click the AirWatchAgent.dmg file to begin the installer.

2.2. Launch the AirWatch Agent Installer Package

Double-click the VMware AirWatch Agent.pkg file to start the install.

2.3. Continue and Agree to Terms

  1. In the Installer, click Continue > Continue.
  2. Click Agree.

2.4. Provide Credentials for the Installer

  1. Click Install.  
  2. Enter the administrator Name, for example, administrator.
  3. Enter the administrator password, for example, VMware1!.
  4. Click Install Software.

2.5. Close and Move to Trash

  1. Click Close when the installer finishes.
  2. Click Move to Trash.

3. Enroll the macOS Device

These next steps enroll the macOS device, bringing it under control and management by AirWatch.

3.1. Select Authentication Method

The Enrollment Wizard should start automatically. From within the Enrollment Wizard window, click Server Detail.

Note: The Enrollment Wizard may take several minutes to launch. If you do not see the Enrollment Wizard immediately, wait for it to appear.

3.2. Enter Enrollment Server Details

  1. Enter the AirWatch tenant URL, for example, hol.awmdm.com.
  2. Enter the Group ID you previously recorded.
  3. Click Continue

3.3. Enter Enrollment Credentials

  1. Enter the staging enrollment Username, for example, testuser.
  2. Enter the enrollment user Password, for example, VMware1!.
  3. Click Continue

3.4. Enable Device Management

Click Enable.

3.5. Enter Administrative Credentials for Profile Install

  1. Enter your administrator Password, for example, VMware1!
  2. Click OK.

3.6. Quit the Enrollment Wizard

Click Quit when the installation completes.

4. Enable Location Services

These steps enable location services on macOS, enabling the device to report its location to AirWatch.

4.1. Open Location Services

If the location services are not already enabled (under System Preferences > Security & Privacy), the AirWatch Agent sends a prompt  to enable them.

When prompted, click OK.

4.2. Enable Location Services

  1. Click the lock icon to unlock the preference pane.
  2. Enter the password for the administrator account, for example, VMware1!.
  3. Click Unlock.
  4. Select the Enable Location Services check box.
  5. Select the airwatchd check box to grant the AirWatch Agent access to Location Services.
  6. Click the red Close button.

5. Validate Mac Enrollment

The following steps verify that the Mac enrolled successfully.

  1. In the upper-left menu bar, click the Shield icon.
  2. In the menu that displays, note the device displays as Enrolled.
  3. To review the options available in the Agent, select Preferences.

macOS Device and Application Management (MDM and MAM)

This exercise explores the basics of modifying macOS device behavior by using Profiles and how to easily distribute applications.

1. Configure macOS Profiles

Profiles are the mechanism by which AirWatch manages settings on a macOS device. macOS profile management is done in two ways: at the device level and at the enrollment-user level. Device-level profiles let you set restrictions and apply settings regardless of the logged-on user. User-level profiles apply settings specific to the logged-on user on the device.

1.1. Close System Preferences if Opened

In this section, we create a device profile that changes some system preferences on your Mac. To see those changes, you must first close System Preferences if it is already open.

If System Preferences are opened, click X to close.

1.2. Add a macOS Device Profile

In the AirWatch Console:

  1. Select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.
  4. Select Add.
  5. Select Add Profile.

1.3. Select Profile Platform

Select the macOS icon.

1.4. Select the Profile Context

Select Device Profile.

1.5. macOS Profiles

After you select the macOS icon, you are presented with the Add a New Apple macOS Profile screen. All profiles are broken down into two basic sections: the General section and the Payload section.

The General section contains Profile information such as the Profile name and some filters on which device the profile is assigned to.

The Payload sections define actions to be taken on the device.

Every Profile must have all required fields in the General section properly filled out and at least one payload configured.

Note: It is recommended that a Profile only contains one payload.

1.6. Profile General Settings

Device Profiles are typically used to control settings that apply system-wide. Device profiles can include items such as VPN and Wi-Fi configurations, Global HTTP Proxy, Disk Encryption, and/or Directory (LDAP) integration. In this case, we create a profile that modifies the dock for all users on the machine.

Configure the profile as follows:

  1. Select General if it is not already selected.
  2. Enter a profile name, such as macOS Device Dock Settings.
  3. Copy the profile name into the Description field.
  4. Click in the Assigned Groups search box. This will pop up the list of created Assignment Groups. Enter All Devices and select the All Devices (your@email.shown.here) Assignment Group.
    Note: You may need to scroll down to view the Assigned Groups field.

Note: You do not need to click Save or Save & Publish at this point.  This interface allows you to move around to different payload configuration screens before saving.

1.7. Select the Dock Payload

Note: When initially setting most payloads, a Configure button is displayed to reduce the risk of accidentally setting a payload configuration.

  1. Select Dock.
  2. Click Configure.

1.8. Configure the Dock Payload

  1. Reduce the dock size.
  2. Change the position to Left.
  3. Click Save & Publish.

1.9. Publish the Device Profile

Click Publish.

1.10. Verify the Device Profile Now Exists

You should now see your Device Profile within the Profiles list.

1.11. Add a macOS User Profile

  1. Select Add.
  2. Select Add Profile.

1.12. Select Profile Platform

Select the macOS icon.

1.13. Select the Profile Context

Select the User Profile icon.

1.14. Profile General Settings

User Profiles are typically used to control settings that apply to the enrolled user.  User profiles can include items such as Email configurations, web clips (URL shortcuts), credentials (certificates), and content filtering settings.  In this exercise, we create restrictions for system preferences panes for the enrolled user on this machine.

Configure the profile as follows:

  1. Select General.
  2. Enter a profile name, for example, macOS User Restrictions.
  3. Copy the profile name into the Description field.
  4. Click in the Assigned Groups field. This will pop up the list of created Assignment Groups. Enter All Devices and select the All Devices (your@email.shown.here) Group.

Note: You do not need to click Save or Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

1.15. Select the Restrictions Payload

  1. Select Restrictions.
  2. Select Configure.

1.16. Configure the Restrictions Profile

  1. Select the Preferences tab.
  2. Select the Restrict System Preferences Panes check box.
  3. Select Disable selected items
  4. Select the Bluetooth check box.
  5. Scroll down to see more restrictions.

1.17. Finish Configuring the Restrictions Profile

  1. Select iCloud.
  2. Click Save & Publish.

1.18. Publish the User Profile

Click Publish.

1.19. Verify the User Profile

You should now see your User Profile within the list of the Profiles window.

1.20. Validate Applied Profiles

  1. On your device, note that the dock has changed position and is now on the left side of the screen.
  2. Select the Apple icon in the upper-left corner, then select System Preferences
  3. If System Preferences shows you a specific subpanel, such as Time Machine, click the back button.
  4. Note that you cannot modify the settings for Bluetooth and iCloud as those icons are grayed-out.

1.21. Key Takeaways

  • You can use a combination of Device-level and User-level profiles for flexibility when configuring your macOS devices.
  • Profiles can be targeted against Assignment Groups for granular control.

2. Configure App Catalog and Publish Internal Apps

The application catalog is a website in your AirWatch instance that provides a user and device specific list of managed applications available for installation. The catalog is a self-service method for end-users to select the software and applications they want deployed to their device.

AirWatch provides multiple methods to manage applications on a macOS device. You can deliver  applications as self-contained *.app files, also known as internal applications.  AirWatch can also deliver applications as detailed manifests which allow step-by-step execution of multiple scripts and/or software packages. This second method, which AirWatch refers to as product provisioning, is outside the scope of this exercise.  

In this exercise, you enable the application catalog and deploy an internal application to your device.

2.1. View All Settings

In the AirWatch Console:

  1. Select Apps & Books.
  2. Select All Apps & Books Settings.

2.2. Enable the Application Catalog

  1. Select Apps.
  2. Expand Workspace ONE.
  3. Expand AirWatch Catalog.
  4. Select General
  5. Select the Publishing tab.
  6. Select Override.
  7. Enter a Catalog title, for example, App Catalog.

2.3. Select Platform as macOS and Save

  1. Scroll down until you see the platform macOS.
  2. Select Enabled for macOS.
  3. Click Save.
  4. Scroll to the top and click X to exit the pop-up window.

2.4. Add an Internal Application

  1. Select Apps & Books.
  2. Expand Applications and select Native
  3. Select the Internal tab.
  4. Click Add Application

2.5. Select to Upload the Application

Click Upload.

2.6. Choose the File to Upload

  1. Ensure Local File is selected.
  2. Click Choose File.

2.7. Selecting the App File

Navigate to your application. In this example, feedly.zip is located in the Documents folder. 

  1. Select Documents.
  2. Select HOL.
  3. Select Mac OS X.
  4. Select the feedly.zip file.
  5. Click Open.

2.8. Saving the App File

Click Save.

2.9. Finish the Internal Application Installation

Click Continue.

2.10. Accept Discovered Application Descriptor Information

Click Save & Assign to begin the assignment of the app.

2.11. Add Application Assignment

Click Add Assignment.

2.12. Set Assignment Options

  1. If you do not have the All Devices group assigned then click in the Select Assignment Groups field. This will pop up a list of created Assignment Groups. Select the All Devices Group.
  2. Ensure the App Delivery Method is set to On Demand.  
  3. Ensure Remove On Unenroll is set to Enabled.  
  4. Click Add

2.13. Save the Assignment Rules

Review the Assignment rules and click Save & Publish.  

2.14. Publish the Internal Application

Click Publish to publish the internal application.

2.15. View the Published Application in the Application Catalog

  1. On your macOS test device, select the App Catalog web clip that was added to the Dock when you enrolled. 
  2. Note that the Feedly app is listed as an internal app.
  3. Click the Install button for Feedly. 

2.16. Confirm Feedly Installation Request

Click Install to confirm installation. Notice the AirWatch icon flashing in the menu bar. This indicates that the application is being downloaded and installed.

2.17. Open macOS Applications Folder

  1. Select Finder (Smiley Face) from the Dock.
  2. Select Go from the menu bar.
  3. Select Applications

2.18. Validate Feedly Application Installation

There may be a slight delay while the AirWatch agent downloads and installs Feedly, but you can confirm the installation is complete when the Feedly icon appears in the Applications folder.

2.19. Key Takeaways

  • AirWatch provides an application catalog to allow user and device specific self-service requests for application installation.
  • macOS applications can be deployed as a single item (Internal Application) or a detailed manifest of scripts and packages (Products).

3. Configure Device Lock

Device lock for macOS devices causes the machine to reboot into a firmware-lock screen.  This lock screen occurs at the firmware level prior to OS boot.

3.1. View macOS Device

  1. Select Devices.
  2. Select List View.
  3. Select your enrolled macOS device.

Note: This example uses a MacBook. Ensure that you select your enrolled macOS device.

3.2. Lock Device

Click Lock in the upper-right corner of your device details view.

3.3. Enter Device Lock Code

  1. Enter 111111 as the firmware lock code.
  2. Click Lock Device.

3.4. Device Reboot

The Device will reboot after a short delay and the firmware will be locked.

3.5. Unlock The Device

  1. At the System Lock screen, enter the unlock code (111111).
  2. Click the Arrow (-->) to boot the device.

3.6. Key Takeaways

  • AirWatch supports a firmware-based device lock for macOS
  • The device cannot be booted until the device lock code has been entered

Intro to Custom Attributes

Custom attributes enable administrators to extract particular values from a managed device and return them to the AirWatch Admin Console. This can be particularly useful for device configuration auditing and Product sequencing.

1. Custom Attributes

Custom Attributes are key-value pairs. These key-value pairs are generated by scripts or commands that execute on the device, and their values are returned to the console via the AirWatch Agent. The scripts or commands are delivered to the device via a Custom Attributes payload in a profile. The profile also allows the script or command to recur on a schedule or based on an event. Additionally, Custom Attribute payloads execute in the root context on the device, which allows you to gather information about the device without requiring the enrolled user to have Administrative permissions.

2. Custom Attribute Profiles

Previously, Custom Attributes were sent to the console by creating a shell script to write values to a specific Plist file monitored by the AirWatch Agent.  With AirWatch 8.2 and above, this functionality is now included as a profile and adds additional features such as scheduling.

2.1. Create Custom Attribute Profile

  1. Click Devices
  2. Expand Profiles & Resources
  3. Click Profiles
  4. Click Add
  5. Click Add Profile

2.2. Select a Platform

Click macOS.

2.3. Select Profile Context

Click Device Profile.

2.4. Configure General Profile Settings

  1. Click on General if it is not already selected.
  2. Give the profile a name such as macOS Device Custom Attributes by entering the string in the Name field.
  3. Copy the profile name into the Description field.
  4. Ensure the Assignment Type is set to Auto.
  5. Click in the Assigned Groups field. This will pop up the list of created Assignment Groups. Start typing All Devices and select the All Devices (your@email.shown.here) Smart Group.
    Note: You may need to scroll down to find the Assigned Groups field.

Note: You do not need to click Save or Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

2.5. Configure Custom Attributes Payload

  1. Scroll down the list of Payload Types on the left side
  2. Click Custom Attributes
  3. Click Configure

2.6. Enter Local Host Name Custom Attribute Command

  1. Enter LocalHostName as the Attribute Name
  2. Enter the command shown below.  Be sure to use the correct slash, two hyphens, and proper capitalization.
  3. Select 1 Hour as the Reporting
  4. Click Save & Publish.

Note: Refer to the Lab Guidance section at the beginning for how to copy text from the manual to use in VLP.

Custom Attribute Command:

/usr/sbin/scutil --get LocalHostName

2.7. Publish to Device Assignment

Click Publish.

3. Locating Custom Attributes

Once AirWatch delivers a Custom Attributes profile/payload to a device, the Agent will report the initial value of the Custom Attribute back to AirWatch and begin the Schedule or Event monitoring.  Custom Attribute values that have been reported back to the console can be viewed in the device details.

3.1. Access Device List View

  1. Click on Devices
  2. Click on List View

3.2. Select Your Device

Click on your device.

3.3. Access Custom Attributes

  1. Click on More.
  2. Click on Custom Attributes.

3.4. Review Custom Attributes

  1. Notice that the Source of the Attributes is Device Sourced, meaning it was gathered at the device and sent to AirWatch.
  2. Note the list of Attributes.  
  3. Note the value of each Attribute.  These values were generated by the output of your command/script in the Custom Attributes payload.
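
Because Custom Attribute commands run in the root context and their output becomes the value stored in the console, it helps to wrap each command so that it always reports one clean, bounded line. The following is an added example, not part of the original tutorial or of AirWatch; the emit_attr helper, the UNKNOWN sentinel, and the 128-character cap are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the tutorial: a wrapper for Custom Attribute commands.
# Assumption: the attribute value is whatever the command writes to stdout.

# The payload runs as root, so pin PATH instead of inheriting one.
PATH=/usr/bin:/bin:/usr/sbin:/sbin
export PATH

MAX_LEN=128          # assumed cap on the reported value, in characters
FALLBACK="UNKNOWN"   # assumed sentinel reported when no clean value exists

# emit_attr CMD [ARGS...]
# Runs CMD and prints exactly one sanitized line suitable for an attribute value.
emit_attr() {
    # Refuse relative names: a root-context command must not depend on PATH lookup.
    case "$1" in
        /*) ;;
        *) printf '%s\n' "$FALLBACK"; return 0 ;;
    esac
    # Missing or non-executable tool (for example, on a different OS version).
    [ -x "$1" ] || { printf '%s\n' "$FALLBACK"; return 0; }

    # Discard stderr so error text is never stored as the attribute value,
    # and report the sentinel when the command exits non-zero.
    out=$("$@" 2>/dev/null) || { printf '%s\n' "$FALLBACK"; return 0; }

    # Keep the first line, cap its length, then drop control characters.
    val=$(printf '%s\n' "$out" | head -n 1 | LC_ALL=C cut -c "1-$MAX_LEN" \
          | LC_ALL=C tr -d '\000-\037\177')
    [ -n "$val" ] || val=$FALLBACK
    printf '%s\n' "$val"
}

# The tutorial's LocalHostName attribute, routed through the wrapper.
emit_attr /usr/sbin/scutil --get LocalHostName
```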

Workspace ONE Intelligence

Introduction

Workspace ONE Intelligence provides insights into your digital workspace. It enables enterprise mobility management (EMM) planning and offers automation. The following components help to optimize resources, strengthen security and compliance, and improve the user experience across your entire environment.

Connections in the Cloud

Workspace ONE Intelligence uses deployment data to offer Custom Reports and My Dashboard. This feature enables access to streaming data from your Workspace ONE deployment.

Custom Reports

Custom reports capture data tailored to specific business cases. Workspace ONE custom reporting gathers an initial snapshot of your deployment and continues to capture ongoing changes.

To create customized reports, you can modify a starter template or create a new report from scratch. The data collection focuses on three categories: Apps, Devices, and OS Updates.

After the reports are created, the specified data gets captured and pushed to the cloud for reporting.

Custom Report Templates

Use the Custom Reports Wizard to modify an existing template, or create a report from scratch. Custom report templates enable you to create your own reports with the metrics and data you want to see.

The report templates have customizable filters to gather data from apps and devices based on key attributes. You can include as many filters as necessary to narrow the results of the report. Each filter added uses the AND operator. You then select the operator and the value for each attribute.

For more information, see Run the Custom Reports Wizard in the VMware Workspace ONE Intelligence with Custom Reports and My Dashboard Technical Preview guide.

Custom Reports Management

After creating a custom report, manage your reports from the Custom Reports List View.

From this screen, you can generate a report on demand by manually running its template. Additionally, you can attach the report templates to a schedule to generate reports on a recurring basis or at a single specified moment.

For more information, see Custom Reports Management in the VMware Workspace ONE Intelligence with Custom Reports and My Dashboard Technical Preview guide.

My Dashboard Technical Preview

Use My Dashboard, currently available as a technical preview, to view the data streamed by Workspace ONE Intelligence. The analytics that display provide a current picture of the state of your Workspace ONE deployment.

Important: A technical preview is a free, time-limited release primarily aimed at gathering feedback.

Although the release is stable, Tech Preview builds are exclusively for testing purposes.

My Dashboard Widgets

Use My Dashboard Widgets to convert environment data into an easy-to-read graphic display. You can move, resize, and delete widgets as necessary to define the layout of My Dashboard.

Metric | Widget
Asset tracking | Platform and OS Breakdown
Security | Compromised Status by OS Version
Application deployment | Top 10 Popular Apps
Windows patches | Security Patch Status

For more information, see My Dashboard Technical Preview in the VMware Workspace ONE Intelligence with Custom Reports and My Dashboard Technical Preview guide.

To provide feedback for this technical preview, navigate to the AirWatch Community Forums and select Data Driven from the menu.

Prerequisites

Before you can perform the procedures in this exercise, you must complete the following tutorials:

You must also satisfy the following requirements:

  • AirWatch Console v9.2 and later.
  • Customer-level Organization Group. 
  • For shared and dedicated SaaS, contact your support representative to set up Custom Reports and Workspace ONE Intelligence.
  • Internal network access to the AirWatch Database. The port used is based on your AirWatch deployment.
  • Admin role with Custom Reports and Intelligence permissions. For information about admin roles and how to access, create, and compare them, see Admin Roles in the VMware AirWatch Mobile Device Management (MDM) Guide.

For a full list of requirements see Custom Reports Requirements and Preview: Requirements for My Dashboard in the Custom Reports and My Dashboard Powered by Workspace ONE Intelligence Guide.

 

Access My Dashboard Technical Preview

After meeting the requirements in the AirWatch Console, navigate to My Dashboard to begin the Workspace ONE Intelligence experience.

  1. In the AirWatch Console, select Hub.
  2. Select Intelligence.
  3. Click Next.

Opt-in to Use Intelligence

  1. Select the Opt-in check box.
  2. Click Save.

After you initially opt-in to use Intelligence, the next time you want to access the Workspace ONE Intelligence user interface (UI), you can click the Launch button.

Accept the Terms of Service

  1. Enter your details.
  2. Click Accept.

 

Launch Workspace ONE Intelligence

Click Get Started.

When the user interface (UI) changes to the Intelligence UI, select My Dashboard.

Configure Widgets for My Dashboard Technical Preview

Configure the data widgets display with filters, charts and diagrams, and parameters. Change widget configurations at any time to view data differently.

From My Dashboard, select Add Widget.

Templates

  1. Select the template type: Apps, Devices, or OS Updates.
  2. Select the template.
  3. Click Next.

Filters

Select Filters to define the baseline data sets for the widget. Use the Add Filter option and other parameters to define the data you want to see on your dashboard.

Data Visualization

 

  1. Select the Chart Type in the Data Visualization area. To preview visualizations, scroll down the user interface.
    • Horizontal and vertical bar charts compare the number of events that have occurred, such as the type of error that occurs the most in your system.
    • Doughnut or Pie charts compare the percentage of events that have occurred.
    • Metrics display one key value, such as the results of a query that returns only a single value and make that value stand out.
    • Tables show multiple data values in rows and columns for a comparison of report data.
  2. View or edit the titles of the widget in the Chart Title.
  3. Select and enter further parameters in the Measure, Key, Group, and Number of Groups fields to define how Workspace ONE Intelligence displays the data in My Dashboard.
    • Measure
      • Use the Count for the number of rows in a particular data set. The count is the simplest function for verifying results.
      • Use Min/Max to return the lowest and highest values in a particular data set. This option only works with numerical columns.
      • Use Average to calculate the average of a selected group of values. This option only works with numerical columns.
    • Key - Use this option to represent the data set you want aggregated by the Measure parameter. Device GUID is the default option because it best represents data when the Measure is equal to the Count.
    • by Group - Use this option to separate data into groups. My Dashboard allows two groupings per data set.
    • Accumulate - Enable this option to grow data from the initial visualization.
    • Cardinality - Use this option to reduce the results displayed. For example, use a value of 10 to show data for a top 10 list of the most installed applications.
    • Date Range - Use this option to define the range over which the system collects data to create the visualization.
  4. Save your widget.

If My Dashboard does not have information to display, it notifies you. However, you can change configurations to see if a different parameter, such as Measure or Chart Type, enables the dashboard to display your widget.

Run the Custom Reports Wizard

The Custom Reports wizard guides you through creating a customized report on your AirWatch environment. The wizard uses starter templates or enables you to create a report from scratch.

  1. Select the report category: Apps, Devices, or OS Updates.
  2. Select a template and choose Next.

Add Report

To run the Custom Reports wizard, take the following steps.

  1. From the Intelligence UI, select Reporting.
  2. Select Reports.
  3. Select Add Report.

Select Report Category

The template settings for each category are listed in the following tables.

Apps Template Setting | Apps Template Description
Blank Report | Select to create a custom report from a blank template.
Managed App | Select to create a report that shows a list of all managed apps on your devices.
All Apps | Select to create a report that lists all apps, managed or unmanaged, on your devices.
AirWatch iOS and Android Agents | Select to create a report that lists all AirWatch Agent app details on your iOS and Android devices.

Device Template Setting | Device Template Description
Blank Report | Select to create a custom report from a blank template.
Enrolled devices | Select to create a report that lists all enrolled devices and their details.
Non-Compliant Devices | Select to create a report that lists all devices that violate your compliance policies.

OS Updates Template Settings | OS Updates Template Description
Blank Report | Select to create a custom report based on a blank template.
All Windows OS Updates | Create a custom report on all (or filtered) updates to the Windows OS.
Critical Update Status | Create a custom report containing all (or filtered) critical updates to the OS.
Security Update Status | Create a custom report focused on security updates to the OS.
Service Pack Update Status | Create a custom report about service pack updates to the OS.

Customize Report with Filters

On the Customize screen, select the Add Filter icon to add filters to your blank template or customize a starter template further. Each filter requires the following settings.

  • Filter - Select an attribute that corresponds to the data you are trying to gather. For example, the Enrolled Devices starter template uses the Device Enrollment Status and Device Location Group Name attributes to narrow results.
  • Selectors - Select an operator to apply to the value of the attribute. For example, if you are using the Device Organization Group Name attribute, select the Include selector to include all devices in the OG that match the value.
  • Value - Enter the value you want to receive data on. Some selectors let you select the value from a drop-down menu, while others require an explicit entry. For example, if you are using the Device Enrollment Status attribute and the Include selector, select Enrolled to receive a report on all enrolled devices. Conversely, if you are filtering devices by the Country attribute and the Include selector, you must type in the name of the country you wish to include in the report. You must select Add Filter for each country you wish to filter.

Report Preview

Under Report Preview, select Edit Columns.

Edit Report Data

  1. Find the column that corresponds to the filter you have chosen to see a preview of the report.
  2. Select Save to return to the Add Report screen.

Select Next.

Save Report

  1. Enter a Report Name and Report Description.
  2. Select Run your report now if you want to run the report after saving the customized report.
  3. Click Save to save the report.

Return to the AirWatch Console

To return to the AirWatch Console, follow these steps.

  1. Select the square menu for VMware Services in the upper-right corner of the UI.
  2. Select Workspace ONE UEM Console from the VMware Services menu.

You are now back in the AirWatch Console.

For more information about Workspace ONE Intelligence, see the Custom Reports and My Dashboard Powered by Workspace ONE Intelligence Guide.

Advanced Configurations

Introduction

This section contains a list of Hands-on Labs you can use to test advanced configurations in Workspace ONE.

VMware Hands-on Labs is a free online portal which provides access to the latest products in a tested and documented cloud-based virtual lab environment.

Unified Endpoint Management for Windows 10

To dive deeper into the aspects of managing, securing, and configuring Windows 10 devices, take the VMware AirWatch - Unified Endpoint Management for Windows 10 lab. This lab is organized into multiple modules that take approximately 2 hours to complete.

Available Modules

The Unified Endpoint Management for Windows 10 lab contains the following modules:

Workspace ONE Productivity App Configurations

To learn how to deliver enterprise-secure productivity apps, take the Workspace ONE Productivity Apps lab. This lab is organized into multiple modules that take approximately 2 hours to complete.

Available Modules

The Workspace ONE Productivity Apps lab contains the following modules:

  • Module 1 - VMware Boxer (30 minutes)
    Configure and explore VMware Boxer integration with AirWatch on an iOS device.
     
  • Module 2 - VMware AirWatch School Manager (45 minutes)
    AirWatch School Manager allows organizations to use the Apple Classroom application in organizations that are not eligible for Apple School Manager.
     
  • Module 3 - VMware Browser (45 minutes)
    Configure and explore VMware Browser for iOS and learn how to use the features to meet your business requirements.

Advanced Mobile Application Management

To enhance enterprise applications with AirWatch REST APIs, AirWatch Tunnel Per-App VPN, AirWatch Android SDK, and Jenkins integration, take the VMware AirWatch - Mobile Application Management and Developer Tools hands-on lab. Approximate time to complete the modules is 4 hours.

Available Modules

The Application Management hands-on lab includes the following modules:

Directory and Certificate Authority Integration

To learn how to establish certificate-based authentication, take the Workspace ONE UEM - Directory and Certificate Authority Integration hands-on lab. The module takes approximately 1 hour to complete.

Available Modules

Module 1 - Advanced Workspace ONE UEM Configuration, AD Integration/Certificates (60 minutes)
Configure AirWatch to seamlessly integrate with a certificate authority to distribute certificates for authentication.

Summary and Next Steps

Introduction

This Quick-Start Tutorial introduced you to cloud-based VMware Workspace ONE and enabled you to set up a proof-of-concept environment through practical exercises.

After you have deployed your proof-of-concept implementation, you can explore the product further or plan your production environment by examining Additional Resources.

Terminology Used in This Tutorial

The following terms are used in this guide.

  • application store - A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
  • catalog - A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
  • cloud - A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
  • device enrollment - The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
  • identity provider (IdP) - A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
  • mobile device management (MDM) agent - Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
  • one-touch login - A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
  • service provider (SP) - A host that offers resources, tools, and applications to users and devices.
  • virtual desktop - The user interface of a virtual machine that is made available to an end user.
  • virtual machine - A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

About the Authors and Contributors

The Quick-Start Tutorial for Cloud-Based VMware Workspace ONE was written and updated by:

  • Gina Daly, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware 
  • Hannah Jernigan, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Appreciation and acknowledgment for considerable contributions from the following subject matter experts:

  • Karim Chelouati, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
  • Camilo Lotero, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
  • Josue Negron, Senior Solutions Architect, End-User-Computing Technical Marketing, VMware
  • Justin Sheets, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Contributors to the original document include

  • Kevin Sheehan, Senior Product Manager, Windows 10 Unified Endpoint Management, VMware
  • Andrew Hornsby, Product Manager, Mobile Identity, VMware
  • Vikas Jain, Director, Product Management, VMware Workspace ONE, VMware
  • Ben Siler, Product Marketing Manager, VMware Workspace ONE, VMware
  • Oliver Forder, Lead End-User-Computing Specialist, EMEA End-User-Computing Practice, VMware
  • Neil Tarbit, Director, Systems Engineering, End-User Computing, VMware
  • Roger Deane, Senior Manager, End-User-Computing Technical Marketing, VMware

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.