Evaluation Guide: Setting Up Cloud-Based VMware Workspace ONE

VMware Workspace ONE

Overview

This evaluation guide introduces you to cloud-based VMware Workspace ONE®. Workspace ONE integrates access control, application management, and multi-platform endpoint device management into a single platform. Workspace ONE is available as a cloud service or on-premises deployment. The exercises in this guide focus on setting up an environment using the cloud service.

Use Workspace ONE to manage mobile devices, desktops, rugged devices, and “things.” With Workspace ONE, end users can get password-less single sign-on to a catalog of mobile apps, web apps, cloud apps, and Windows apps.

Purpose of This Guide

The tutorials in this guide help you evaluate this product through a series of practical exercises. Each exercise includes a video that demonstrates how to perform the task. For your convenience, following the video are the written-out steps. This way, you can consume the information in the format that you prefer: video, text, or both.

This guide describes the process of setting up a cloud-based Workspace ONE environment. For day-2 operations, a section at the end of this guide points to other documents. Most of these other documents are called operational tutorials.

Important: The exercises in this guide are for evaluation purposes, based on minimum required resources for a basic deployment, and do not explore all possible features. The resulting environment should not be used as a template for deploying a production environment. To deploy a production environment, see the Workspace ONE Documentation.

Audience

This guide is intended for prospective IT administrators of Workspace ONE and anyone who uses the product. Familiarity with networking and storage in a virtual environment, Active Directory, identity management, and directory services is assumed. Knowledge of VMware Workspace ONE® UEM (unified endpoint management), VMware Workspace ONE® Access (formerly VMware Identity Manager), and VMware Horizon® is also helpful.

Note: Not all sections of this guide are necessarily applicable to your particular deployment. Optional sections are marked as such. If you have questions about the specifics of your order, reach out to your VMware sales representative.

Technical Introduction and Features

Workspace ONE is a digital platform that delivers and manages any app on any device by integrating access control, application management, and unified endpoint management. 

The main components of Workspace ONE are Workspace ONE® Unified Endpoint Management (UEM) powered by AirWatch and VMware Workspace ONE® Access (formerly known as VMware Identity Manager). Workspace ONE also integrates with VMware Horizon® to provide virtual desktops and apps.

Features and Benefits

Key features of Workspace ONE include:

  • Identity and access management: The Workspace ONE Access component of Workspace ONE uses certificates to establish trust. This way, end users can get password-less single sign-on to a catalog of mobile apps, web apps, cloud apps, and Windows apps. 

    To protect sensitive information, Workspace ONE enforces access decisions based on device compliance and identity context. If needed, administrators can apply conditional access policies on a per-application basis.
  • Unified endpoint management: With the Workspace ONE UEM component of Workspace ONE, the choice of endpoint device can be left up to employees. Administrators manage the full lifecycle of any endpoint—mobile (Android, iOS), desktop (Windows 10, macOS, Chrome OS), rugged, and even IoT. Device management types include bring-your-own, choose-your-own, corporate-owned, locked down, and so on.
  • Automated app management: Whether you are deploying Windows apps or mobile apps, with Workspace ONE, you can automate the application delivery process to allow better security and compliance. Administrators can create an automated workflow for software, applications, files, scripts, and commands to install on endpoint devices.
  • Windows application and desktop delivery: Users can access their VMware Horizon virtual apps and desktops from the Workspace ONE Intelligent Hub app, enabling the flexibility to be productive wherever they are.

For more information, see the video VMware Workspace ONE: Introductory Demo for IT Admins.

Components and Architecture

The core elements of cloud-based Workspace ONE that you must install or configure include:

  • Workspace ONE UEM tenant and console, for unified management of mobile devices, desktops, and BYOD endpoints
  • VMware AirWatch Cloud Connector, for transmitting information from your internal resources, such as Active Directory (AD) or LDAP, to the Workspace ONE UEM console without any firewall changes
  • Workspace ONE Access tenant and console, for secure, password-free single sign-on (SSO) to SaaS, mobile, Windows, virtual, and web apps on any device and OS
  • Workspace ONE Access Connector, for integrating with your on-premises infrastructure, such as AD, RSA SecurID, and VMware Horizon, to provide directory integration, user authentication, and virtual apps integration
  • VMware Tunnel, for authorizing both in-house and third-party apps to access resources on the corporate intranet using a secure network connection

This guide takes you through the process of setting up all of these components except the VMware Tunnel.

For a high-level overview of the architecture, see the What is the architecture of Workspace ONE? section of the What Is Workspace ONE? document.

For detailed descriptions of how the components work together, along with logical architecture diagrams, see the Workspace ONE UEM Architecture document and the Workspace ONE Access Architecture document.

Packaging and Licensing

Workspace ONE is licensed as a subscription, with various pricing packages.

Two licensing models are available: per user and per device. When licensing Workspace ONE in a device-license model, the SSO and access control technology is restricted to work only on licensed devices and from managed applications. Organizations looking to enable or allow access to enterprise applications from any web browser must license Workspace ONE in a per-user license model.

Acquiring a Cloud-Based Workspace ONE Environment

Most of the setup and administration tasks for Workspace ONE are accomplished by using the Workspace ONE UEM console. The exercises in this chapter walk you through signing up for a free trial and navigating through VMware Cloud Services to the Workspace ONE Cloud Admin Hub console, and then to the Workspace ONE UEM console and its Getting Started page.

Exercise: Sign Up for a Free Trial

To follow the exercises in this evaluation guide, you do not need to have purchased VMware Workspace ONE. You can sign up for a free trial. A trial Workspace ONE UEM environment can become production-ready. At any time, you can make your purchase and continue to use Workspace ONE beyond the trial period.

For your convenience, the following table lists (1) the information that you will need to supply when signing up for your free trial and (2), in the case of the tenant URLs, information that VMware will provide and that you can copy down for future reference.

Table 1: Information Associated with Your Free Trial of Workspace ONE

VMware Customer Connect user name
(If you do not have a VMware user account, you can create one by clicking CREATE YOUR VMWARE ACCOUNT on the VMware Cloud Services Welcome page.)

                                                                                                                 

VMware Customer Connect password

 

Tenant URL for Workspace ONE Access
(This URL will be generated as you work through the Welcome wizard. Record it here.)

 

Security PIN
(Choose a 4-digit PIN. You will be prompted for this PIN when configuring certain settings within Workspace ONE.)

 

Tenant URL for Workspace ONE UEM
(At the end of the procedure, you are taken to the Workspace ONE UEM console. You can copy the URL and record it here.)

 

Note: The following video, Starting a Free Trial of VMware Workspace ONE, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. Navigate to https://www.vmware.com/workspace-one/free-trial.html, complete the online form, accept the VMware Terms of Service, and click START YOUR FREE TRIAL.

    Note: Often a trial request is processed almost immediately, but it is possible that the request could take up to 24 hours to process.

    Important: When you complete the form, the company name you specify is used to create your cloud services organization in VMware Cloud.

  2. In your email app, open the Welcome to Workspace ONE email, which includes your unique service activation (Get Started) link.

    If you cannot find the email, check your Spam folder.

  3. Click the Get Started button in the email.

    This link directs you to the VMware Cloud console. Be sure to use this Get Started service activation link when you log in to the VMware Cloud console for the first time.

  4. Sign in to the VMware Cloud console using your VMware Customer Connect user name and password.

    If you do not have an account, click CREATE YOUR VMWARE ACCOUNT on the Welcome page and create an account.

  5. On the Organization Setup page, verify the organization name (which is the company name you specified when signing up for the trial), click the I agree to the VMware Cloud Services Terms of Service check box, and click CREATE ORGANIZATION AND COMPLETE SIGN-UP.
  6. Follow the prompts for the Welcome to Workspace ONE wizard, to supply information about your company and your interest in the free trial, and then click FINISH.
  7. On the Welcome to Onboarding page, when prompted to customize the URL for Workspace ONE Access, select I want to keep the tenant URL as is right now, and then copy the URL and record it for future reference. Click Continue.

    You are taken to the Workspace ONE Cloud Admin Hub console.
    Note: Because this is not a production environment, you do not need a customized URL. If you are interested in a customized URL, see the product documentation topic Change Your Workspace ONE Access URL.

  8. Scroll down to the Workspace ONE UEM tile and click MANAGE.

    If desired, note or bookmark the URL for the Workspace ONE UEM console so that you can go directly to the console in the future, rather than navigating to the VMware Cloud console (https://console.cloud.vmware.com) and finding the tile to click for Workspace ONE UEM.

  9. On the Security Settings page, enter a 4-digit PIN, which you will later need to use to confirm certain settings and actions within Workspace ONE.

If you were setting up a production environment rather than an evaluation, at this point you would add other accounts, assign roles, invite users, and federate user access to VMware Cloud, as described in the product documentation topic Account Creation, Inviting Other Admins, and Federation. But for the exercises in this guide, you can skip these tasks.

Exercise: Log In to and Explore the Workspace ONE UEM Console

The Workspace ONE UEM console allows you to quickly add new devices and users, manage profiles, and configure system settings. In this exercise, you navigate to the console by first logging in to VMware Cloud Services.

Note: The following video, Exploring the VMware Workspace ONE UEM Console, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. Log in to VMware Cloud, at http://console.cloud.vmware.com, by using your VMware account ID and password.
  2. On the Services page, on the Workspace ONE tile, click LAUNCH SERVICE.

    You are taken to the Workspace ONE Cloud Admin Hub, and you see a range of Workspace ONE services, which will be discussed in this evaluation guide. 

  3. Scroll down to the Workspace ONE UEM tile and click MANAGE.
  4. Close the Workspace ONE UEM Console Highlights pop-up window.

    You see the Workspace ONE UEM console. You can copy or bookmark the URL for this page so that you can come directly to the Workspace ONE UEM console in the future, without having to navigate from the VMware Cloud page.

  5. Click the various items in the header menu to get an understanding of what they do. These items are described in the video above, and also in the product documentation topic Working in the Workspace ONE UEM Console – Header Menu.
  6. Click the Support tab on the right edge of the window to explore the various support options, which include raising support requests, searching documentation topics, and asking a question in the community forum.
  7. Finally, click through the items in the panel on the left, and expand the sub-menus to see the extensive set of configuration settings and monitoring tools available.

    The user interface is designed to let you perform actions from multiple areas. For example, from the MONITOR > Overview section, you can see a list of devices, but you can also add a device, or you can add a device from the DEVICES > List View page, if that location is more convenient for you.

In the next exercise, you use the Getting Started page to begin configuring Workspace ONE.

Registering Workspace ONE with Apple and Google

The first step to managing mobile devices with Workspace ONE is to integrate with the device OS. To deploy a mobile device management (MDM) product, such as Workspace ONE, to an Apple device, a company must have an MDM certificate from Apple and use the Apple Push Notification service. Similarly, to use Workspace ONE on an Android device, a company must register Workspace ONE as the enterprise mobile management (EMM) provider with Google.

Note: The exercises in this chapter pertain to Apple and Android devices but not Google Chrome devices. For instructions on Chrome devices, see the Tech Zone document Managing Chrome OS Devices: Workspace ONE Operational Tutorial, and see the Workspace ONE UEM Integration with Chrome OS document, and the topic Setup Chrome OS Configuration Settings in that guide.

Exercise: Configure the Apple Push Notification Service

To set up communication between Workspace ONE and your users’ Apple devices, Workspace ONE uses the Apple Push Notification service (APNs). In this exercise, you generate an APNs certificate to establish a secure connection.

Note: The following video, Configuring Workspace ONE to Use the Apple Push Notification Service, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, navigate to the Getting Started > Workspace ONE page.
  2. In the Apple Push Notification Service row, click CONFIGURE.
  3. On the Link Your Apple Account page, click MDM_APNsRequest.plist to download the certificate request, and then click CONTINUE.
  4. Enter the Apple ID that you want to use and click the Apple Push Certificates Portal link.

    VMware recommends that you create a corporate Apple ID that will be dedicated to mobile device management for your company. But for an evaluation, you do not have to have a corporate Apple ID.

  5. In the new browser tab that opens, sign in with that same Apple ID you entered in the wizard, and when prompted, enter the verification code that Apple texts to you.
  6. On the Apple Push Certificates Portal page, click Create a Certificate.
  7. Scroll through the terms of use, click the check box to agree to the terms, and click Accept.
  8. On the Create a New Push Certificate page, click Browse, select and open the MDM_APNsRequest.plist file that you previously downloaded, and click Upload.
  9. On the Confirmation page, click Download to download the certificate file, in .pem format.
  10. Go back to the browser tab that has the Workspace ONE APNs wizard, scroll down, and click CONTINUE.
  11. Click UPLOAD, browse to the .pem file that you just downloaded, select it, and click SAVE.
  12. Click the FINISH button to complete the wizard.

    Back on the Getting Started page, there is now a check mark under Apple Push Notification and the item is marked as complete.

  13. To verify the connection, in the APNs row, click EDIT, and on the APNs for MDM page, scroll down and click TEST CONNECTION.

    A status message confirms that the connection was successful. You may now close the window to return to the Getting Started page.

Exercise: Register Workspace ONE UEM as the Android EMM Provider

To manage Android devices with Workspace ONE UEM, you must register Workspace ONE UEM as the enterprise mobility management (EMM) provider with Google. This quick process involves signing in with a Gmail account and providing Google with some information about your company.

For this exercise, you will use a managed Google account to configure Android, although it is also possible to use a managed Google domain instead, if your company uses G Suite. For more information, see the product documentation topic Registering Android with Workspace ONE UEM.

Important: If you have not signed in with the Gmail account you want to use, you might be prompted to verify your identity by opening the Gmail app on your phone and responding to an email there. For this exercise, because you are not setting up a production environment, you can use any Gmail account that you have access to.

Important: After registering a Google Admin account in Android for Work, you cannot disassociate that Google Admin account from that organization. If you are setting up a production environment, make sure the Google Admin account used is the account you want to associate with your organization.

Note: The following video, Registering Workspace ONE UEM as the Android EMM Provider, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, navigate to the Getting Started > Workspace ONE page.
  2. In the Android EMM Registration row, click CONFIGURE.
  3. In the Android EMM Registration window, click REGISTER WITH GOOGLE.

    A new browser tab opens on the Google Play – Bring Android to Work page.

  4. If the button under Bring Android to Work is a SIGN IN button, click the button and sign in. You might also be prompted to verify your identity by opening the Gmail app on your phone and responding to an email there.
  5. On the Google Play – Bring Android to Work page, click Get Started.
  6. On the Business Name page, enter your organization name and click Next. VMware Workspace ONE UEM is listed as the enterprise mobility manager (EMM) provider.
  7. Complete the Contact details form, select the check box to agree to the Managed Google Play agreement, and click Confirm.
  8. On the Set Up Complete page, click Complete Registration.

    You are returned to the Workspace ONE UEM console, to the Android EMM Registration page.

  9. Scroll down and click TEST CONNECTION. A status message confirms that the connection was successful.
  10. Click SAVE and close the window to return to the Getting Started page.

Back on the Getting Started page, there is now a check mark under Android EMM Registration and the item is marked as complete.

Integrating Workspace ONE UEM, Workspace ONE Access, and Active Directory

By completing the exercises in this chapter, you will connect the various Workspace ONE tenants to each other and integrate your company’s directory services with Workspace ONE. These exercises include:

  1. Verify or, if necessary, connect a Workspace ONE Access tenant to your Workspace ONE UEM tenant.
  2. Install and configure the AirWatch Cloud Connector so that communication is established between Workspace ONE UEM and your company’s Active Directory (AD) system.
  3. Add one or more user groups from AD and synchronize them with Workspace ONE UEM.
  4. Install and configure the Workspace ONE Access Connector so that communication is established between Workspace ONE Access and your company’s AD system.
  5. Add one or more user groups from AD and synchronize them with Workspace ONE Access.

Exercise: Connect to the Workspace ONE Access Tenant

When end users first log in, VMware Workspace ONE Access can check identification and note what permissions the user account has. The user then sees a personalized self-service catalog of applications and virtual desktops. Workspace ONE Access provides conditional access controls and single sign-on (SSO) for software as a service (SaaS), web, and cloud resources. Workspace ONE Access can act as an IDP (identity provider) or be integrated with authentication providers such as Active Directory, ADFS, Ping, and Okta.

When you start a free trial of Workspace ONE, a Workspace ONE Access tenant is automatically created and connected. If you go to the Getting Started page in the Workspace ONE UEM console and scroll down, you see that the Workspace ONE Access row is already marked complete.

That is, if you are using a free-trial version, you will not need to perform either of the following procedures. The procedures are provided in case you need to connect to an existing Workspace ONE Access tenant or create a new one.

Note: The following video, Connecting Workspace ONE UEM to a Workspace ONE Access Tenant, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

To connect to an existing Workspace ONE Access Tenant

  1. If you have an email from VMware that tells you what your Workspace ONE Access tenant URL is, go to the Getting Started wizard of Workspace ONE UEM, scroll down to the Connect to Workspace ONE Access row, and click CONFIGURE.
  2. In the Connect to Workspace ONE Access window, click CONTINUE.
  3. Enter the URL from your email and enter the credentials for the Workspace ONE Access tenant.
  4. Click TEST CONNECTION, and after you see a message that the connection was successful, click SAVE.

Back on the Getting Started page, there is now a check mark under Connect to Workspace ONE Access and the item is marked as complete.

To Acquire a Workspace ONE Access Tenant

  1. If you do not yet have a Workspace ONE Access tenant at all, in the panel on the left side of the Workspace ONE UEM console, click GROUPS & SETTINGS.
  2. On the Groups & Settings page, click Configurations.
  3. In the search bar, type in Intelligent Hub and select Intelligent Hub in the search results that are returned.

    Note: Intelligent Hub Services is co-located with Workspace ONE Access in the same cloud tenant.

  4. Click Intelligent Hub.
  5. On the Intelligent Hub configuration page, click GET STARTED.
  6. In the Activate Hub Services window, click REQUEST CLOUD TENANT.
  7. On the Administrator Details page, click NEXT.

    The administrator details match those that you are using for Workspace ONE UEM, including an email address.

  8. On the Select Data Center Location page, select the country where your data center is located and click NEXT.
  9. On the Tenant Name page, click SAVE.

    Now if you go back to the Getting Started page and scroll down, you see that there is now a check mark under Connect to Workspace ONE Access and the item is marked as complete.

  10. When you requested a cloud tenant, VMware sent an email to the email address listed in the wizard. Check that email and click the link in it to reset the password.

Exercise: Install AirWatch Cloud Connector and Connect to the Directory Server

With the VMware AirWatch Cloud Connector, organizations can enjoy the benefits of VMware Mobile Device Management (MDM), running in any configuration, and integrated with their back-end enterprise systems. The AirWatch Cloud Connector runs in the internal network, acting as a proxy that securely transmits requests from Workspace ONE UEM to the organization's existing LDAP, certificate authority, email, and other internal systems.

In this exercise, you download and install the AirWatch Cloud Connector (ACC) on Windows Server and then configure Directory Services. The AirWatch Cloud Connector (ACC) provides secure access to your resources and Active Directory so you can import users and groups from your existing directory.

Server host requirements: In the video demonstration, we used a Windows Server 2019 Desktop Experience virtual machine, with 2 CPU cores, 8 GB of RAM, and 100 GB of disk space because we will later use this same virtual machine to install the Workspace ONE Access connector. For complete system requirements, see the product documentation topic VMware AirWatch Cloud Connector System Requirements (On Premises and SaaS).

For your convenience, the following table lists the information that the wizard requires you to supply or create.

Table 2: Information for the ACC and Directory Wizard

Password for the ACC certificate
(You create the password using the wizard)

                                                                                   

Directory server fully qualified domain name
(Example: dc.acme.com)

 

Bind username
(for the ACC to the directory server)

 

Bind password

 

Domain name (name with “.com”)

 

Note: The following video, Installing AirWatch Cloud Connector and Binding It to the Directory Server, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. On the Windows Server machine that you want to use for hosting the ACC, open a browser and enter the following URL to find out whether the server you are using for the ACC can reach the AWCM (AirWatch Cloud Messaging) server:

    https://awcmXXX.awmdm.com/awcm/status (Replace XXX with the same number used in your environment URL, for example, 100 for cn100.)

    If the connection is successful, you will see OK in the upper-left corner of the window.

  2. On that same machine, log in to the Workspace ONE UEM console and navigate to the Getting Started > Workspace ONE page.
  3. In the AirWatch Cloud Connector (ACC) and Directory row, click CONFIGURE.
  4. On the AirWatch Cloud Connector (ACC) and Directory page, click CONTINUE.
  5. On the AirWatch Cloud Connector (ACC) Setup page, in the Download Installer section of the table, create a password and then click Download AirWatch Cloud Connector (ACC) Installer.
  6. After you see a message saying the installer was downloaded, click CONTINUE.

    The next page of the wizard provides instructions on running the installer.

  7. If you do not have the .NET Framework Runtime installed on the server, use a browser to search for “.NET Framework Downloads” and then download and install it.

    At the time of this writing, .NET 4.8 Framework is required.

  8. After verifying that the .NET Framework is installed, locate and run the AirWatch Cloud Connector installer.

    Note: You will be prompted to supply the certificate password you created earlier in this procedure.

  9. Back in the Workspace ONE UEM console, on the ACC wizard page where you left off, click CONTINUE.
  10. Click TEST CONNECTION, and if the connection is successful, click CONTINUE.
  11. Complete the Directory Setup page as described in the following list, and click SAVE:
      • Server – The fully qualified domain name of the Active Directory server (domain controller).
      • Bind Username and Bind Password – Credentials for binding to the directory server.
      • Domain – The fully qualified domain name; for example, acme.com.
      • Other fields on this page – Use the defaults.
  12. Click TEST CONNECTION, and if the connection is successful, click SAVE.
  13. In the Next Steps dialog box, click CANCEL. You will set up the Workspace ONE Access Connector in a later exercise.

Workspace ONE UEM now has the necessary connection to Active Directory so you can import users and groups from your existing directory.
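
The pre-installation checks from this exercise (AWCM reachability in step 1, the .NET Framework requirement in step 7, and the path to the directory server used in step 11) can also be run from PowerShell on the intended ACC host. This is an added example, not part of the original guide or of any VMware tooling. Assumptions: the function and parameter names are hypothetical, the console host below is a placeholder built around the guide's cn100 example, and port 389 is the standard LDAP port rather than a value taken from this guide.

```powershell
# Added example: pre-flight checks for the Windows Server that will host the ACC.
# All function and parameter names here are hypothetical.
param(
    [string]$UemConsoleHost  = 'cn100.example.test',  # placeholder; use your own console host
    [string]$DirectoryServer = 'dc.acme.com',         # the guide's example FQDN
    [int]$DirectoryPort      = 389                    # assumption: standard LDAP port
)

function Get-AwcmStatusUrl {
    param([Parameter(Mandatory)][string]$ConsoleHost)
    # The guide maps the number in the environment URL (cn100) to awcm100.
    $label = ($ConsoleHost -replace '^https?://', '').Split('.')[0]
    if ($label -notmatch '^cn(\d+)$') {
        throw "Cannot derive the AWCM number from '$ConsoleHost'; expected a cnXXX host."
    }
    "https://awcm$($Matches[1]).awmdm.com/awcm/status"
}

function Test-AwcmReachable {
    param([Parameter(Mandatory)][string]$StatusUrl)
    try {
        # Windows PowerShell 5.1 can default to older protocols; allow TLS 1.2 as well.
        [Net.ServicePointManager]::SecurityProtocol =
            [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
        # Certificate validation stays on: a failure here often points to a proxy
        # that intercepts TLS between this server and AWCM.
        $r = Invoke-WebRequest -Uri $StatusUrl -UseBasicParsing -TimeoutSec 15
        $body = if ($r.Content -is [byte[]]) {
            [Text.Encoding]::UTF8.GetString($r.Content)
        } else {
            [string]$r.Content
        }
        # The guide's success criterion is the text OK on the status page.
        return ($r.StatusCode -eq 200 -and $body -match '\bOK\b')
    } catch {
        Write-Warning "AWCM check failed: $($_.Exception.Message)"
        return $false
    }
}

function Test-DotNet48 {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    # 528040 is the lowest Release value Microsoft documents for .NET Framework 4.8.
    return ($null -ne $release -and $release -ge 528040)
}

function Test-DirectoryPort {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 389)
    # TCP reachability only; the bind itself is tested in the console with TEST CONNECTION.
    $t = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    return [bool]$t.TcpTestSucceeded
}

$url = Get-AwcmStatusUrl -ConsoleHost $UemConsoleHost
[pscustomobject]@{
    AwcmStatusUrl     = $url
    AwcmReachable     = Test-AwcmReachable -StatusUrl $url
    DotNet48OrLater   = Test-DotNet48
    DirectoryPortOpen = Test-DirectoryPort -Server $DirectoryServer -Port $DirectoryPort
}
```

A False in any column identifies which prerequisite to fix before running the ACC installer.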

Exercise: Integrate Your Enterprise Directory with Workspace ONE UEM

Now that you have installed and configured the AirWatch Cloud Connector so that it is connected to your enterprise directory, you can add user groups from your enterprise Active Directory to Workspace ONE UEM and then automatically sync the groups. This exercise leads you through the process.

Important: Before you start this exercise, you must have an Active Directory security group whose members include the user accounts you want to add to Workspace ONE UEM. If necessary, create the group in Active Directory Users & Groups and add the accounts as members.

Note: The following video, Adding and Syncing Active Directory User Groups in Workspace ONE UEM, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, enable custom attributes, as follows:
    1. Click GROUPS & SETTINGS in the left panel, and then click All Settings > System > Enterprise Integration > Directory Services.
    2. On the Directory Services page, click the User tab and click to expand the Advanced section.
    3. Scroll down to Enable Custom Attributes and click ENABLED.
    4. Scroll down and click SAVE.
  2. Configure the Cloud Connector so that the only enterprise service that is enabled is Directory Services, as follows:
    1. From the Settings list in the left panel, click Cloud Connector.
    2. On the Cloud Connector page, click the Advanced tab.
    3. In the Enterprise Services section, leave Directory Services set to ENABLED, and then click DISABLED to turn off all the other items in the section.

      Only Directory Services should be turned on at this point. You can activate one or more of the other services in the future, as required. For more information about these services, see the product documentation topic Cloud Connector Settings.

    4. Scroll down, click SAVE, and click the X in the upper-right corner to close this page.
  3. Back on the Getting Started page, add a user group from Active Directory, as follows:
    1. Click ACCOUNTS in the left panel, and then click User Groups > List View.
    2. On the List View page, click Add and select Add User Group.
    3. In the Add User Group window, in the Search Text box, enter part or all of the AD user group name that you want to add and click SEARCH.

      The group should appear in the Group Name box.

    4. Click Save.

      You are returned to the User Groups page.

  4. Configure a setting so that group members can be added to Workspace ONE UEM automatically, as follows:
    1. Click the group name in the list.
    2. On the Summary page for the group, click the EDIT button in the upper-right corner of the page.
    3. In the Edit User Group window, scroll down to the setting Add Group Members Automatically and click ENABLED.
    4. Click SAVE.
  5. Synchronize the AD group with the directory service group in Workspace ONE UEM, as follows:
    1. On the Summary page for the group, click the SYNC button in the upper-right corner of the page.
    2. Click OK in the confirmation box, and click OK in the dialog box notifying you that the sync was successful.

      You are returned to the User Groups page.

  6. Click ACCOUNTS in the left panel, which should by default take you to the Users > List View page, where you can see the list of users you just automatically added.


Exercise: Install the Workspace ONE Access Connector

The Workspace ONE Access Connector is required for identity-driven features such as mobile SSO, conditional access, people search, and the browser-based Hub portal, which provides a catalog of applications and virtual desktops.

In this exercise, you will perform a default installation, which installs the Directory Sync, User Auth, Kerberos Auth, and Virtual App services. For information about a custom installation, see the product documentation topic Installing the Workspace ONE Access Connector.

Server host requirements: In the video demonstration, we used a Windows Server 2019 Desktop Experience virtual machine, with 2 CPU cores, 8 GB of RAM, and 100 GB of disk space because we also used this same virtual machine to install the AirWatch Cloud Connector. For complete system requirements, see the product documentation topic Workspace ONE Access Connector 21.08 Systems Requirements.

Note: The .NET Framework Runtime must be installed on the Windows Server. If you are following the exercises in order, you installed .NET Framework as part of Exercise: Install AirWatch Cloud Connector and Connect to the Directory Server.

Table 3: Information for the Workspace ONE Access Connector

  • System domain admin credentials (This is the account you set up when you got your Workspace ONE Access tenant. In all likelihood, it is the user name and password for your VMware account.)
  • Password for the connector configuration file (You create the 14-character password using the wizard.)
  • Service account credentials (Use a domain account, probably your own, that can be used to run the Kerberos Auth and Virtual App services. The only special characters allowed in the password are: @!*)

Note: The following video, Installing VMware Workspace ONE Access Connector, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. On the Windows Server machine that you want to use for hosting the Workspace ONE Access Connector, log in to the Workspace ONE Access console, as follows:
    1. Open a browser and log in to the Workspace ONE UEM console.
    2. Click the app launcher icon in the upper-right corner of the screen and select Workspace ONE Access.
    3. Enter the credentials for System domain admin, which is the account you set up when you got your Workspace ONE Access tenant, and click Sign-in.

      You are taken to the Workspace ONE Access catalog portal.

    4. Click the user account button in the upper-right corner of the page, and select Workspace ONE Access Console.
  2. Click the Identity & Access Management tab, and then click the Setup button at the right end of the menu bar, and click Connectors in the menu bar.

    Important: The above instructions assume you are using the legacy navigation. If you are using the new navigation, click the Integrations tab and then click Connectors in the left pane.

  3. Click New.
  4. On the Select the Connector page, select Workspace ONE Access Connector 21.08 and click OK.

    Version 21.08 is the latest version at the time of this writing.

  5. In the confirmation dialog box, click PROCEED ANYWAY.
  6. On the Download Installer page, click GO TO MYVMWARE.

    You might be prompted to log in to your VMware account. The MyVMware page appears in a new tab.

  7. In the new tab, which displays the Download Product page, click DOWNLOAD NOW.
  8. After the installer is downloaded, go back to the Workspace ONE Access Console browser tab, and in the wizard, click NEXT.
  9. On the Download Configuration File page, create a 14-character password for the file, click DOWNLOAD CONFIGURATION FILE, and click NEXT.
  10. On the Summary page, click CLOSE.
  11. Locate and run the Workspace ONE Access Connector installer, using the following guidelines:
    • Use default settings and the default installation setup type.
    • Configuration file password – Supply the configuration file password you created earlier in this procedure.
    • Specify Service Account page – Use the Browse button to be sure you can select the domain and user. The only special characters that the password may contain are the at sign (@), exclamation point (!), and asterisk (*).
  12. Back in the Workspace ONE Access console, navigate back to the Identity & Access Management > Setup > Connectors page, and if necessary, refresh it, to verify that the newly added connector appears.

Workspace ONE Access now has the necessary connection to Active Directory so you can sync users and groups from your existing directory.

Exercise: Integrate Your Enterprise Directory with Workspace ONE Access

Now that you have installed the Directory Sync service, which is a component of the Workspace ONE Access Connector, you can create a directory in Workspace ONE Access and sync it to Active Directory users and groups in your enterprise. Although it is possible to use various types of directories, such as AD over LDAP and Oracle OpenLDAP, for this exercise, we will use Active Directory over Integrated Windows Authentication.

A limited number of user and group attributes, which you, the administrator, specify, are synced to the Workspace ONE Access service. User passwords and any attributes other than the ones specified by the administrator are not synced.

Important: Before you start this exercise, you must have an Active Directory security group whose members include the user accounts you want to add to Workspace ONE Access. Use the same AD user group you used in Exercise: Integrate Your Enterprise Directory with Workspace ONE UEM.

Table 4: Information for the Workspace ONE Access Connector

  • Bind user name and password that were used when installing the AirWatch Cloud Connector (ACC) (User name entered as sAMAccountName@domain; example: jdoe@acme.com)
  • User group that you used when syncing with Workspace ONE UEM (User group name expressed as, for example, CN=users,DC=example,DC=company,DC=com)

Note: The following video, Adding and Syncing Active Directory User Groups in Workspace ONE Access, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE Access console, verify that New Navigation is turned on.
  2. Click Directories in the left pane, and on the Directories page, click Add Directory and select Active Directory.
  3. On the Add Directory page, for Directory Name, enter the name you want to use and select Active Directory over Integrated Windows Authentication.
  4. Scroll down and complete the Bind User Details section. Enter the user name as sAMAccountName@domain, where domain is the fully qualified domain name; for example, jdoe@acme.com.

    Use the same bind user name and password for binding to the directory server that you used when configuring the AirWatch Cloud Connector, as described in Exercise: Install AirWatch Cloud Connector and Connect to the Directory Server.

  5. Click Save & Configure.
  6. On the Select the Domains page, click Next.
  7. On the Map User Attributes page, scroll down to see what all the attributes are, and click Next.

    For more information, see the product documentation topic Managing User Attributes in Workspace ONE Access.

  8. On the Select the Groups You Want to Sync page, select the same group you selected when syncing to Workspace ONE UEM, as follows:
    1. In the Specify the top-level group row, click + and specify the top-level group DN. For example, CN=users,DC=example,DC=company,DC=com.
    2. Click the Select Groups button.
    3. From the list of group names returned, select the check box for the desired group and click Save.
    4. Back on the Select the Groups You Want to Sync page, click Next.
  9. On the Select the Users You Would Like to Sync page, specify the user group or OU, as follows:
    1. In the Specify the user DNs row, click + and enter the user DNs. You can enter the same top-level group that you entered in the previous step if you want to sync all the users found in that group.
    2. Click Test.
  10. On the Sync Frequency page, use the defaults or select a different schedule, such as Once per day, and click Sync Directory.

    You are returned to the Directories page. The newly added directory is listed under the System Directory.
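
A pre-flight check for the values collected in Table 3 and Table 4, as an added example that is not part of the original guide or of VMware's tooling: it parses the bind user name and group DN in the formats the guide gives and flags service account password characters outside @!*. The function names are hypothetical, and treating whitespace and non-ASCII characters as special characters is an assumption.

```python
import re

# From the guide: the only special characters the service account password may contain.
ALLOWED_SPECIALS = set("@!*")
# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def disallowed_password_chars(password):
    """Characters that are neither ASCII letters/digits nor one of @ ! *.
    Assumption: whitespace and non-ASCII characters count as special characters."""
    return sorted({c for c in password
                   if not (c.isascii() and c.isalnum()) and c not in ALLOWED_SPECIALS})


def split_dn(dn):
    """Split a DN into (ATTRIBUTE, value) pairs, keeping backslash-escaped commas in the value."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped or ch != ",":
            current.append(ch)
            escaped = (ch == "\\") and not escaped
        else:
            rdns.append("".join(current))
            current = []
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed component {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def dn_domain(dn):
    """DNS domain implied by the DC= components: DC=acme,DC=com -> acme.com ('' if none)."""
    return ".".join(v for a, v in split_dn(dn) if a == "DC").lower()


def parse_bind_user(name):
    """Split sAMAccountName@domain; reject DOMAIN\\user and single-label (NetBIOS) domains."""
    if "\\" in name:
        raise ValueError("use sAMAccountName@domain, not DOMAIN\\user")
    sam, sep, domain = name.partition("@")
    if not sep or not sam or "@" in domain or any(c.isspace() for c in name):
        raise ValueError("expected exactly one '@' and no whitespace")
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"{domain!r} is not a fully qualified domain name")
    return sam, domain.lower()


def preflight(bind_user, group_dn, service_password):
    """Return findings for the worksheet values; an empty list means they look usable."""
    findings, user_domain = [], None
    try:
        _, user_domain = parse_bind_user(bind_user)
    except ValueError as err:
        findings.append(f"bind user: {err}")
    try:
        group_domain = dn_domain(group_dn)
        if not group_domain:
            findings.append("group DN: no DC= components")
        elif user_domain and user_domain != group_domain:
            # A hint only: in a multi-domain forest the two can legitimately differ.
            findings.append(f"note: bind user is in {user_domain}, group DN is in {group_domain}")
    except ValueError as err:
        findings.append(f"group DN: {err}")
    bad = disallowed_password_chars(service_password)
    if bad:  # report only the offending characters, never the password itself
        findings.append("service password: disallowed " + " ".join(repr(c) for c in bad))
    return findings


if __name__ == "__main__":
    # Constructed sample values; the first bind user and DN are the guide's own examples.
    for args in [("jdoe@acme.com", "CN=users,DC=example,DC=company,DC=com", "Abc@123!*xyz"),
                 ("ACME\\jdoe", "users", "Spring#2024!")]:
        print(args[0], "->", preflight(*args) or "ok")
```
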

Additional Identity and Access Management Tasks

The exercises in the previous chapters walked you through necessary procedures for getting Workspace ONE to work. These were one-time setup tasks. The exercises in this chapter introduce you to some of the powerful features of VMware unified endpoint management and access management. Now that the environment is working, you, as an administrator, will want to make use of the features shown in this chapter.

Exercise: Create Child Organization Groups

Organization groups constitute a very powerful feature in Workspace ONE UEM, supporting scalability, multi-tenancy, and inheritance. For example, you can create sibling organization groups, which keep settings separate from each other and have a multi-tenancy aspect.

Besides creating sibling organization groups, you can also create child organization groups, and allow some settings to be inherited from the parent, while other settings are overridden.

You can create an organization group (OG) hierarchy for:

  • Delegating administration of subgroups to lower-level administrators
  • Allowing settings such as authentication methods and privacy settings to be inherited or overridden
  • Creating different device profiles for different groups

For cloud-based Workspace ONE UEM, the top-level organization group is the customer-type organization group. All the organization groups you create are children of this one customer organization. Settings such as auto-discovery email domains, which you configure in the exercise following this one, should be configured for the customer organization group, and then the setting can filter down to lower organizations. For more information, see the product documentation topic Organization Groups.

In this exercise, you create an organization group hierarchy and see how to configure settings to be inherited or overridden by lower organization groups.

Note: The following video, Creating a Workspace ONE UEM Organization Group Hierarchy, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, click GROUPS & SETTINGS in the left pane, and navigate to Groups > Organization Groups > Details.

    Assuming no other organization groups have been created yet, you see the details of the top-level, or customer, organization group.

  2. Click Add Child Organization Group, which is beneath the Details heading on the page, and complete the page, as follows, before clicking SAVE:
    • Name – For the example in the video, we decided to use the name of a region we called Eastern US.
    • Group ID – For our example, the group ID is east-us.
    • Type – For our example, the type is Region, but you could also use Container.
    • Country, Locale, and Time Zone – Leave the defaults or modify them to fit your environment.
  3. Click the OG drop-down menu in the menu bar and select the top-level, customer organization group.
  4. On the Groups > Organization Groups > Details page, click Add Child Organization Group, and create another organization group, this time called Western US, with a group ID of west-us, and a group type of Container.

    You now have two sibling organization groups, and you are currently in the Western US organization group, on the Details page.

  5. Click Add Child Organization Group again and create a child organization group. For the example in the video, we used the name HR, the group ID hr, and a group type of Container.
  6. Click the OG drop-down menu in the menu bar and select the Eastern US organization group.
  7. On the Groups > Organization Groups > Details page, click Add Child Organization Group, and create a child organization group, this time called R&D, with a group ID of rd.

    For each sibling organization group, you now have a child organization group, completing the hierarchy.

  8. Click the OG drop-down menu in the menu bar, select the top-level, customer organization group, and navigate to the List View page.
  9. On the List View page for the top-level organization, click the expander arrow next to the group name to see the two regional child organization groups and their respective child organization groups.
  10. Use the OG drop-down menu to navigate to one of the child organization groups, such as the HR organization group.
  11. Click All Settings > System, and click one of the settings, such as Branding, to scroll through the settings and see which of the inherited settings you might override for this child organization.

Exercise: Configure Email Auto-Discovery for Enrolling Devices

You must enroll a device before you can manage it with Workspace ONE UEM. For this evaluation test environment, you will configure an email-based auto-discovery system to enroll devices. After you configure the Auto-Discovery service, end users will be able to enroll themselves by selecting the email address option for authentication, instead of having to enter an environment URL and group ID.

Note: To find the group ID, hover your pointer over the organization group name in the menu bar at the top of the window, next to the product name Workspace ONE UEM. If you have multiple organization groups, select the desired organization group in the menu bar and if the group ID is not listed, navigate to GROUPS & SETTINGS > Groups > Organization Groups > Details, and find the ID in the Group ID field.

Important: The server checks for email domain uniqueness, only allowing a domain to be registered at one organization group in one environment. Because of this server check, register your domain at your highest-level "customer" type organization group. The setting can then be inherited by child organization groups. For information about strategies for using customer organizational groups when enrolling devices in production environments, see the product documentation topic Device Enrollment.

Note: The following video, Configuring Email Auto-Discovery for Enrollment in Workspace ONE UEM, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, navigate to the Getting Started > Workspace ONE page.
  2. Scroll down to the Auto-Discovery row and click CONFIGURE.
  3. In the Auto-Discovery wizard, enter the fully qualified domain name (for example: acme.com) and the email address of the user account that you will use to click the link in the confirmation email.

    The email address must use the same domain name (for example: uem-admin@acme.com).

  4. Click CONTINUE.
  5. Go to the email account you just specified, open the email with the subject line “Workspace ONE UEM Email Registration,” and click the confirmation link.

    A new browser tab appears, confirming that the email domain was successfully registered.
    Important: All email addresses that use this domain will be enrolled in the same Workspace ONE UEM organization group.

  6. Go back to the Workspace ONE UEM console, to the Getting Started > Workspace ONE page.
  7. Scroll down to the Auto-Discovery row and click CONFIGURE again.
  8. Click in the Active Domains text box and select the domain you entered previously.
  9. Click CONTINUE.

Back on the Getting Started page, there is now a check mark under Auto-Discovery and the item is marked as complete.

Important: If you ever need to verify or delete this domain, click GROUPS & SETTINGS in the left pane, and navigate to All Settings > Devices & Users > General > Enrollment, and then scroll down to the Domain list.

Exercise: Configure Workspace ONE Intelligent Hub

Employees use the VMware Workspace ONE Intelligent Hub app, or the browser-based Hub portal, to access, discover, and connect with corporate resources, teams, and workflows within a company. 

The back-end services that administrators configure for the Intelligent Hub are provided by Workspace ONE Hub Services, which is co-located with Workspace ONE Access. Hub Services is activated automatically as part of the Workspace ONE instance provisioning process. Because of this automatic activation, when you scroll down the Workspace ONE Getting Started page, the Workspace ONE Intelligent Hub row is already marked as complete.

In this exercise, you will take a brief tour of the Hub Services UI to see what features you might want to configure for your employees. If you have followed the exercises in this guide, by this point you have fully integrated Workspace ONE Access and Workspace ONE UEM, so that all Hub Services functionality can be made available to users, including:

  • A unified Hub Catalog, which can include mobile apps, web or SaaS apps, and virtualized apps and desktops, essentially unifying the Workspace ONE UEM and Workspace ONE Access catalogs
  • Interactive notifications that integrate with backend business systems
  • People Search, so that employees can find colleagues and browse the employee directory
  • Employee self-service support resources and links
  • Mobile single sign-on, multi-factor authentication, and conditional access

Note: The following video, Configuring Workspace ONE Hub Services for the Intelligent Hub, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, configure the Intelligent Hub so that it uses Workspace ONE Access for authentication rather than Workspace ONE UEM, as follows:
    1. Click GROUPS & SETTINGS in the left panel, and then navigate to All Settings > Devices & Users > General > Enrollment.
    2. On the Authentication tab, scroll down to Source of Authentication for Intelligent Hub and click WORKSPACE ONE ACCESS.

      Using Workspace ONE Access for authentication allows the Workspace ONE Intelligent Hub to display SaaS applications and use associated SSO capabilities.

    3. Scroll down, click SAVE, and then close the window.
  2. In the Workspace ONE UEM console, navigate to the Getting Started > Workspace ONE page, scroll down to the Workspace ONE Intelligent Hub row, and click EDIT.
  3. On the Intelligent Hub page, click LAUNCH.

    At this point you are taken to the Hub Services console.

  4. On the Getting Started with Hub Services page, click BEGIN.

    You are taken to the Hub Services Home page, which contains a configuration checklist.

  5. Scroll through the checklist to see what sorts of services you can configure.
  6. On the App Catalog tile, click CONFIGURE, and note that near the top of the page, you can click the VERSION GLOBAL drop-down list to create a new version of these settings.
  7. Review all the settings, and click your browser’s Back button.
  8. Note that the checklist on the Home page no longer includes a tile for App Catalog. If you want to go back to that settings page, use the panel on the left side of the window.
  9. Continue to explore the various Hub Services and settings.

For detailed information, see the VMware Workspace ONE Hub Services Documentation. Also see the 20-minute video Configuring Hub Services - Feature Walk-through. For information about Hub Services templates, watch the video Creating Intelligent Hub Configuration Templates - Feature Walk-through.

Exercise: Create Templates for Email to Employees

To help manage communication with employees about all stages of their experience with the Workspace ONE platform, you can use any of about 50 message templates. In this exercise, you create an email template to let an employee know when their device has been successfully enrolled.

You can customize the emails that a user will receive across various categories, such as enrollment, applications, compliance, terms of use, content, device lifecycle, and administrator-specific information.

Note: The following video, Configuring Employee Email Templates in Workspace ONE UEM, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, navigate to the Getting Started > Workspace ONE page, scroll down to the Employee Email Template row, and click DOWNLOAD.
  2. In the Message Templates wizard, for Category, select Device Lifecycle, and in the list that appears, select the radio button for Device Enrolled Successfully, and click the COPY button.
  3. Give the copied template a unique name; for the example in the video, the words “ACME R&D Department” were appended to the default name.
  4. Scroll down and modify the message body, as appropriate.

    Notice that several variables are embedded in the text. To make the correct text appear in your employee’s email messages, you can either delete a variable and type in the text you want, or you can define the value you want to use by entering the information in the correct location in the settings. For example, to define the value to be used in the {EnrollmentSupportEmail} and {EnrollmentSupportPhone} variables, navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment, and click the Customization tab.

  5. Click SAVE.

    The newly created template appears in the list of message templates.

  6. In the left pane, click Notifications.

    The full navigation path is Groups & Settings > All Settings > Devices & Users > General > Notifications.

  7. Change Current Setting from Inherit to Override.
  8. In the Device Enrolled Successfully section, select USER, and from the Message Templates list, select the template you created earlier in this procedure.
  9. Scroll down, click SAVE, and close the settings window.

The email message you created will now be sent automatically to a user when their device is successfully enrolled. For more information about all the options available for message templates, see the product documentation topic Device and User Message Templates Settings.

 

Summary and Additional Resources

Now that you have completed the exercises in this guide, you should have a basic deployment of cloud-based Workspace ONE. First, you acquired a free-trial environment that includes a Workspace ONE UEM tenant and a Workspace ONE Access and Hub Services tenant.

Next, you connected the tenants to each other. You then installed and configured connectors for communication between your enterprise directory services and the Workspace ONE UEM and Workspace ONE Access tenants. Once these connections were made, you synchronized user groups. Finally, you explored some of the major components and features, such as Hub Services, organization groups, message templates, and auto-discovery for enrolling devices.

Although the basic environment you just set up is for evaluation purposes only, you can now explore further on your own as you evaluate this offering. When you are ready to deploy a production environment, see the Workspace ONE Documentation.

Next Steps

This guide addressed the one-time setup tasks required to deploy cloud-based Workspace ONE. For day-2, operational tasks, such as managing apps and devices, see the following documents and videos, available from VMware Digital Workspace Tech Zone:

Windows Devices:

Creating a Windows Virtual Machine to Test Workspace ONE

Planning Your Windows Deployment: Workspace ONE Operational Tutorial

Enrolling Windows Devices Using Azure AD: Workspace ONE UEM Operational Tutorial

Managing Updates for Windows Devices: Workspace ONE Operational Tutorial

Getting Started with Freestyle Orchestrator

Mac Devices:

Configuring Basic macOS Management: Workspace ONE Operational Tutorial

Managing Major macOS Updates: Workspace ONE Operational Tutorial

Getting Started with Freestyle Orchestrator

iOS Devices:

Managing iOS Updates: Workspace ONE Operational Tutorial

Managing iOS Custom Apps: Workspace ONE Operational Tutorial

How VMware IT Enrolls iOS Devices - VMware on VMware (video)

Android Devices:

Android Application Management: VMware Workspace ONE Operational Tutorial

Managing Android Devices: Workspace ONE Operational Tutorial

VMware Workspace ONE Intelligent Hub Android enrollment - Feature Walk-through (video)

Chrome Devices:

Managing Chrome OS Devices: Workspace ONE Operational Tutorial

VMware Workspace ONE: Chrome OS - Feature Walk-through (video)

4 reasons the Chromebook could be the ultimate enterprise client device (blog post)

All Devices:

Deploying VMware Unified Access Gateway: Workspace ONE Operational Tutorial

Deploying VMware Workspace ONE Tunnel: Workspace ONE Operational Tutorial

Automating Notifications: Workspace ONE Operational Tutorial

Workspace ONE Experience Workflows (video)

Product Documentation Resources

The following links go to the various product documentation websites associated with Workspace ONE:

VMware Workspace ONE Documentation, which has links to:

Workspace ONE Hub Services Documentation

Workspace ONE UEM Integration with Workspace ONE Access

Workspace ONE Cloud Admin Hub Documentation

VMware Workspace ONE UEM Documentation, which has links to release notes, as well as:

VMware Workspace ONE UEM Console Documentation

VMware Workspace ONE Productivity Apps Documentation and Release Notes

VMware Workspace ONE Access Documentation

Changelog

The following updates were made to this guide:

  • 2022/16/03 – Original publication date.

Authors and Contributors

The following authors, contributors, and subject-matter-expert reviewers collaborated to create this tutorial.

Authors

  • Caroline Arakelian, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
  • Darren Weatherly, Senior Technical Marketing Architect, End-User-Computing Technical Marketing, VMware
  • Darryl Miles, Staff Solution Engineer, End-User Computing, VMware

Contributors

  • Gina Daly, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
  • Christina Minihan, Senior Staff End-User-Computing (EUC) Architect, End-User-Computing Technical Marketing, VMware

Feedback

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

 

 


 
