Quick-Start Tutorial Series for Cloud-Based VMware Workspace ONE
VMware Workspace ONE UEM 9.3 and later
VMware Identity Manager 3.2
Cloud-Based VMware Workspace ONE Overview
Introduction
VMware Workspace ONE® simplifies access to cloud, mobile, and enterprise applications from supported devices. IT administrators can deploy, manage, and secure applications and, at the same time, offer a flexible, bring-your-own-device (BYOD) option for users.
Purpose
The Quick-Start Tutorial for Cloud-Based VMware Workspace ONE helps you evaluate Workspace ONE by offering practical exercises. This Quick-Start tutorial introduces Workspace ONE and its benefits, features, architecture, and components. Other articles in the tutorial offer hands-on exercises to set up your own proof-of-concept environment.
Important: This tutorial is designed for evaluation purposes only, based on using the minimum required resources for a basic deployment, and does not explore all possible features. This evaluation environment should not be used as a template for deploying a production environment. To deploy a production environment, see the VMware Workspace ONE Documentation.
Audience
This tutorial is for prospective IT administrators of Workspace ONE and anyone who uses the product. Familiarity with networking and storage in a virtual environment, Active Directory, identity management, and directory services is assumed. Knowledge of VMware Workspace ONE® UEM (unified endpoint management) powered by AirWatch, VMware Workspace ONE® Access (formerly VMware Identity Manager), and VMware Horizon® 7 is also helpful.
Packaging and Licensing
All Workspace ONE editions are licensed on a per-named-user basis and available as an annual cloud subscription or a perpetual on-premises license.
For more information, see VMware Workspace ONE in the VMware Workspace ONE and VMware Horizon Packaging and Licensing guide.
Features
This section provides a description of the core features and capabilities of Workspace ONE. In subsequent articles of this Quick-Start Tutorial, you will walk through some of these features.
About Unified Endpoint Management
IT can use mobile OS management interfaces to preconfigure laptops, smartphones, and tablets. Workspace ONE UEM device management uses enterprise mobile management APIs to provision, configure, and secure applications and devices. This level of control allows IT to adopt a flexible BYOD program by giving users device choice while securing data.
Enrollment
Device enrollment establishes the initial communication with Workspace ONE UEM to enable Enterprise Mobility Management (EMM).
Device Profiles
Device Profiles allow you to modify behavior of enrolled devices. Device profiles, combined with compliance policies, help you to enforce corporate rules and procedures.
Create Workspace ONE UEM device profiles based on criteria such as users, groups, platforms, and OS, and assign profiles to smart groups.
Data Loss Prevention
You can prevent data leakage in a number of ways. Examples of data leakage include saving work documents to public storage, such as Dropbox, or receiving work emails in an unmanaged email client. You can encrypt email attachments and restrict how the files are edited and shared. You can require using corporate-approved applications instead of native applications. For secure browsing, you can enable access to intranet sites to ensure that the sites are opened only in approved browsers. However, these precautions might be insufficient for your security needs.
Directory Integration
Configure Workspace ONE to use an existing directory infrastructure, such as Active Directory or other LDAP-based directory, for user synchronization, authentication, and application access.
Software Distribution
Workspace ONE also enables you to automatically install, update, and remove software packages, which simplifies software distribution. Use Workspace ONE to configure packages that install based on conditions (such as network status or defined schedules), deploy software updates automatically, and notify users when updates occur.
Getting Started Wizard
The Getting Started Wizard serves as a checklist that walks through key configurations in the Workspace ONE UEM Console, step by step. The wizard is divided into four modules: Workspace ONE, Device, Content, and Application. Each module contains steps to accomplish specific end goals. As some modules share steps, the wizard tracks progress across all four modules to ensure the same step never has to be completed twice.
About Application Management
Workspace ONE provides users access to cloud, mobile, and Windows applications using a unified application catalog. The application catalog contains applications published to Workspace ONE Access and Workspace ONE UEM. Supported application types include internal web, SaaS, native mobile, internally developed mobile, legacy and modern Windows, VMware Horizon® 7, VMware Horizon Cloud Service™, Citrix published, and VMware ThinApp®. The catalog also supports virtualized desktops.
Native Workspace ONE Catalog
Users install the Workspace ONE application on a mobile device and, using corporate credentials, get SSO access to corporate, cloud, and mobile applications. The Workspace ONE application uses native OS capabilities to protect application access, such as biometric fingerprint readers on Android, Touch ID on iOS, and Windows Hello on Windows 10.
Mobile SSO
Mobile SSO with Workspace ONE establishes trust between the user, device, application, and enterprise, enabling one-touch login to mobile applications. To protect more sensitive applications, you can enable biometric or other multifactor authentication methods. Mobile SSO is available for Android, iOS, and Windows 10 devices.
VMware Verify
Workspace ONE, integrated with the mobile application VMware Verify™, provides strong, multifactor authentication that simplifies access across devices. When a user attempts to access the Workspace ONE application store, or any application requiring strong authentication, VMware Verify sends a notification to the user’s mobile phone.
Conditional Access with Device Compliance
Workspace ONE allows you to configure network, platform, and application-specific criteria for authentication. A device must prove compliance with security rules prior to authorizing access to an application. Compliance rules protect against rooted or jailbroken devices, and you can use them to allowlist and denylist applications.
Adaptive Management
With adaptive management, users are not required to enroll their device into Workspace ONE UEM to access applications that require only a basic level of security. Instead, users download the Workspace ONE mobile application from the appropriate app store, and log in with their corporate credentials. From here, they can access their authorized applications. However, to access applications that require a higher level of security, you can require users to enroll their devices.
Based on the device profile assigned, the Catalog displays all entitled applications, including mobile applications, SaaS applications, and Horizon 7-based virtual applications and desktops. Applications that require enrollment are indicated with a lock icon. When the user tries to download an application with a lock icon, the enrollment process is triggered. For example, users can download a conferencing application, such as WebEx, without enrollment. But they are prompted to enroll when they try to download an enterprise application, such as Salesforce.
Product Interoperability
A Workspace ONE implementation can interoperate with other identity providers, like Ping, Okta, and Microsoft Azure, through integration with Workspace ONE Access and still present a common catalog interface for all applications.
For more information, see the VMware Workspace ONE Documentation.
Components and Architecture
This section provides a description of each component of Workspace ONE, as well as an overview of the architecture so you can see how the components relate to each other.
Services
Workspace ONE services are built on the integration of VMware Workspace ONE UEM, Workspace ONE Access, and VMware Horizon.
You can deploy Workspace ONE in many different configurations including:
- On-premises deployments of Workspace ONE Access and Workspace ONE UEM
- Cloud-based deployments of Workspace ONE Access and Workspace ONE UEM
- Hybrid deployments with different components available either on-premises or in the cloud
This guide describes how to build a proof-of-concept for a cloud-based deployment of Workspace ONE Access and Workspace ONE UEM.
Components
Workspace ONE consists of a number of key components that work together to provide the product's capabilities.
Component | Function |
---|---|
VMware Workspace ONE® UEM | Enterprise mobility management |
VMware Workspace ONE® Access™ | Identity platform |
VMware Workspace ONE® Intelligence™ | Integrated insights, app analytics, and automation |
Workspace ONE app | End-user access to apps |
VMware Horizon | Virtual desktops and Remote Desktop Services (RDS) published applications delivered either through Horizon Cloud or VMware Horizon® 7 |
VMware Workspace ONE® Boxer | Secure email client |
VMware Workspace ONE® Browser | Secure web browser |
VMware Workspace ONE® Content | Mobile content repository |
VMware Workspace ONE® Tunnel | Secure method for individual applications to access corporate resources |
VMware AirWatch Cloud Connector | Directory sync with enterprise directories |
VMware Identity Manager Connector | Directory sync with enterprise directories; sync to Horizon resources |
VMware Unified Access Gateway™ | Gateway that provides secure edge services |
VMware Workspace ONE® Secure Email Gateway | Email proxy server |
Certificate Authority Integration | Lifecycle management of provisioned certificates |
VMware Email Notification Service | Email notifications for Workspace ONE Boxer on iOS |
Architecture
The previous components work together to provide the functionality of Workspace ONE. A basic Workspace ONE configuration consists of Workspace ONE Access and Workspace ONE UEM (formerly VMware AirWatch). VMware AirWatch Cloud Connector securely transmits requests from Workspace ONE UEM to the back-end infrastructure. Administrators define user groups, policy settings, and device configurations. Users access Workspace ONE and their applications based on the defined settings and configurations.

Figure: Major Components of a Workspace ONE Deployment with Network Ports
Network Considerations
Workspace ONE UEM leverages the existing enterprise network infrastructure to provide its own high availability, redundancy, and scalability for the applications and desktops that it provides to end users. Local load balancing is incorporated on the front end of the SaaS environment. Core network security infrastructure includes redundant Ethernet switches, LAN separation, firewalls, intrusion detection, and monitoring.
Redundant, high-volume firewalls are located between the Internet and the VMware AirWatch environment. An intrusion detection system (IDS) monitors all internal network traffic, logs suspicious activity, and issues alerts when suspicious network activity is detected.
Security Considerations
Workspace ONE UEM takes a multilayered approach to data center security. Primary data centers are maintained with onsite backups for quick recovery and replicated offsite backups for disaster recovery.
Production systems are hosted at two primary data centers, with cross replication of nightly backups to support performance, growth, and security challenges.
Workspace ONE UEM implements security by:
- Isolating all Workspace ONE UEM web servers using a demilitarized zone (DMZ)
- Using antivirus clients to protect all servers
- Providing spam filtering and spam reporting for email
Administrators control Workspace ONE UEM from an HTML5 web-based management console. Workspace ONE UEM encrypts all data transmitted between the web console and mobile devices.
Cloud-based Workspace ONE components are automatically upgraded and patched, ensuring that your environment meets the latest security standards.
Setting Up Workspace ONE UEM
Introduction
This exercise helps you set up a cloud-based Workspace ONE environment. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.
Prerequisites
Before you can perform the procedures in this exercise, you must have the following components installed and configured:
- On-premises Active Directory with users available to add to the Workspace ONE UEM tenant
- Windows Server machine to access Workspace ONE from a web browser
Signing Up for a Free Trial
Complete the following steps to begin a 30-day trial version of Workspace ONE, which includes a cloud-based deployment of Workspace ONE UEM and Workspace ONE Access.
1. Access Free Trial

- Navigate to http://www.air-watch.com and click 30 Day Free Trial.
- Enter the required information and click Start Your Free Trial.
- Allow 24 hours for your request to process.
2. Record Environment Details
Check your email for two activation email messages that contain environment details and access credentials. Note this information in the following tables.
Workspace ONE Access Account Information | |
---|---|
User name | |
Password | |
Workspace ONE Access server host name | |
VMware Workspace ONE UEM Information | |
---|---|
User name | |
Password | |
VMware Workspace ONE UEM server host name | |
Now that you have signed up for a cloud-based Workspace ONE trial and noted your environment details, you are ready to log in to the Workspace ONE UEM Console and launch the Getting Started wizard.
Launching the Workspace ONE UEM Console
The Workspace ONE UEM Console allows you to view and manage every aspect of your Mobile Device Management (MDM) deployment. With this single, web-based resource, you can quickly and easily add new devices and users, manage profiles, and configure system settings.
This activity helps you to log in to the Workspace ONE UEM Console and launch the Getting Started Wizard. Use the credentials received in the activation email to log in.
1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.
3. Authenticate In to the Workspace ONE UEM Console

- Enter your Username. For example, administrator. Click Next. After you click Next, the Password text box is displayed.
- Enter your Password. For example, VMware1!
- Click Login.
Note: If you see a Captcha, be aware that it is case sensitive.
4. Accept the License Agreement
Review the End User License Agreement, and click Accept.
5. Configure Security Settings

Configure the settings for the Password Recovery Question:
- You may need to scroll down to see the Password Recovery Questions and Security PIN section.
- For Password Recovery Question, keep the default question selected.
- Enter the Password Recovery Answer. For example, VMware1!
- Reenter the password for Confirm Password Recovery Answer. For example, VMware1!
Configure the Security PIN, which protects certain administrative functions in the Workspace ONE UEM Console.
- Enter the Security PIN. For example, 1234.
- Reenter the PIN for Confirm Security PIN. For example, 1234.
- Click Save.
6. Close the Welcome Message

After completing the Security Settings, you are presented with the Workspace ONE UEM Console Highlights pop-up box.
- Select the Don't show this message on login check box.
- Close the pop-up by clicking on the X in the upper-right corner.
Running the Workspace ONE Getting Started Wizard
Introduction
This exercise helps you to navigate through the Getting Started wizard and complete initial configurations for a cloud-based Workspace ONE environment. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.
Prerequisites
Before you can perform the procedures in this exercise, you must have the following components installed and configured:
- On-premises Active Directory with users available to add to the Workspace ONE UEM tenant
- Windows Server machine to access Workspace ONE from a web browser
Navigating the Getting Started Wizard
Split into four modules, the Getting Started wizard facilitates the initial configuration of Workspace ONE. For ease of use, it tracks progress and can be started, paused, and restarted later. You can also review and change previous settings.
This activity helps you to navigate the Getting Started wizard.
2. Explore the Getting Started Wizard

Note the following buttons and icons:
- Incomplete – Displays next to steps that have not been configured.
- Configure – Click to begin defining settings.
- Complete – Displays next to a completed step.
- Edit – Click to review or change a completed step’s settings.
- Scroll down and open the remaining modules to review their sections and steps.
- Use the percentage counter in the upper-right corner to track your configuration progress.
Generating the Apple Push Notification Service Certificate
Apple Push Notification service (APNs) is the messaging protocol created by Apple to manage mobile devices. To manage iOS devices, Workspace ONE UEM requires a valid APNs certificate. This activity helps you to generate the APNs certificate.
1. Configure Apple Push Notification Service (APNs)


In Workspace ONE UEM Console, navigate to the Workspace ONE Getting Started wizard.
- Click Getting Started.
- Click Workspace ONE.
- Navigate to Apple Push Notification Service (APNs).
- Click Configure.
2. Download Certificate Request

- Under Download Certificate Request, click MDM_APNsRequest.plist.
- Click Continue.
3. Enter Corporate Apple ID

Enter your Corporate Apple ID email address that you will use to manage all Apple devices for your organization.
If you do not have a Corporate Apple ID, Create an Account with Apple.
4. Create Certificate


Navigate to the Apple Push Certificates Portal and use your Corporate Apple ID credentials to authenticate.
Complete the following steps to create the APNs certificate.
- Enter your corporate Apple ID.
- Enter your Apple ID password.
- Click Sign In.
- Click Create a Certificate.
5. Upload Certificate Signing Request


- Click Choose File and select the MDM_APNsRequest.plist file you previously downloaded.
- Click Upload.
6. Download Certificate

Click Download.
7. Complete Certificate Generation

Return to the Getting Started wizard in the Workspace ONE UEM Console, and click Next.
7.1. Upload PEM Certificate

Click Upload.
7.2. Select the PEM Certificate

- Click Choose File and select the previously downloaded .pem file.
- Click Save.
7.3. Complete Request

- Enter your Apple ID. For example, appleid@vmware.com.
- Click Save.
Downloading the Employee Email Template
In this activity, download an email template to introduce employees to Workspace ONE and how to get started.
1. Download Email Template


In Workspace ONE UEM Console, navigate to the Workspace ONE Getting Started wizard.
- Click Getting Started.
- Click Workspace ONE.
- Navigate to Employee Email Template.
- Click Download.
2. Select Email Template

- Select a category from the drop-down menu. For example, Enrollment.
- Select a message template. For example, User Activation.
- Click View to see the email template.
3. Edit and Copy Email Template

You can edit the email template and Save for later use, or copy the email template.
4. Confirm Email Template Download

When you are finished, the Employee Email Template section should be marked as Complete.
Retrieving the Group ID from Workspace ONE UEM Console
In this activity, retrieve your Group ID from the Workspace ONE UEM Console. The Group ID is required when enrolling your device.

In the Workspace ONE UEM Console:
- To find the Group ID, point your mouse over the Organization Group tab at the top of the screen.
- Your Group ID is displayed at the bottom of the Organization Group pop up.
Integrating Workspace ONE Access with Workspace ONE UEM
Introduction
This exercise helps you to integrate Workspace ONE Access with Workspace ONE UEM using the Getting Started wizard. This integration allows Workspace ONE UEM to communicate with Workspace ONE Access to deploy identity-driven features such as a unified catalog, Mobile SSO, and device trust.
The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.
Prerequisites
Before you can perform the procedures in this exercise, you must satisfy the following requirements.
1. Check whether you have the following components installed and configured.
- Cloud-based Workspace ONE Access tenant
- Cloud-based VMware Workspace ONE UEM tenant
- On-premises Active Directory with users available to add to the Workspace ONE UEM tenant
- Workspace ONE UEM Administrator account – You must log in to the Workspace ONE UEM Console using an administrator user account to configure AirWatch Cloud Connector (ACC), configure Directory Services, and add Active Directory user groups and web applications.
- Domain Administrator account – You must provide a domain administrator with privileges to manage your Active Directory as part of the Directory Services setup in the Workspace ONE UEM console.
- Windows Server machine to access Workspace ONE from a web browser
- Windows Server machine to install the AirWatch Cloud Connector – Ensure that this machine can reach the AirWatch Cloud Messaging (AWCM) server by browsing to https://awcmXXX.awmdm.com/awcm/status. Replace XXX with the number used in your environment URL, for example, 100 for cn100. If the status of the AWCM has SSL errors, resolve the errors before continuing. Otherwise, the connector does not function properly.
For more information, see the VMware Workspace ONE UEM Documentation.
2. Verify that your environment meets the networking requirements.
Source Component | Destination Component | Port |
---|---|---|
End-user device | Workspace ONE user portal (*.vmwareidentity.<region>), where region is .com, .eu, or .asia | 443 (HTTPS) |
End-user device | Device Services | 443 (HTTPS) |
End-user device (Android) | AirWatch Cloud Messaging (AWCM) Server | 443 (HTTPS) |
Administrative console users | *.awmdm.com | 443 (HTTPS) |
Administrative console users | *.vmwareidentity.<region>, where region is .com, .eu, or .asia | 443 (HTTPS) |
AirWatch Cloud Connector | Workspace ONE UEM | 443 (HTTPS) |
AirWatch Cloud Connector | Active Directory | 389, 636 (LDAPS) 3268 or 3269 (LDAPS) |
3. Verify that your environment meets the operating system and software requirements.
Workspace ONE Requirements | Details |
---|---|
Active Directory |
|
Web browser to access Workspace ONE Access and Workspace ONE UEM Console |
Latest versions of the following web browsers:
|
AirWatch Cloud Connector server |
|
Configuring Workspace ONE Access (VMware Identity Manager) Integration
In this activity, you integrate Workspace ONE Access with Workspace ONE UEM.
1. Configure Workspace ONE Access


- Click Getting Started.
- Click Workspace ONE.
- Navigate to Connect to VMware Identity Manager.
- Click Configure.
2. Enter Workspace ONE Access Details

Provide the Workspace ONE Access details.
- Enter the Tenant URL for Workspace ONE Access.
- Enter the Username for the Workspace ONE Access tenant.
- Enter the Password.
- Click Test Connection. If successful, you see the message "Test connection successful!"
- Click Save.
3. Confirm Workspace ONE Access Connection is Complete

After you have finished, the Connect to VMware Identity Manager section should be marked as Complete.
Configuring AirWatch Cloud Connector (ACC) and Directory
Introduction
This exercise helps you to configure the AirWatch Cloud Connector (ACC) and Directory Services using the Getting Started wizard. The AirWatch Cloud Connector (ACC) provides secure access to your resources and to Active Directory so you can import users and groups from your existing directory.
The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.
Prerequisites
Before you can perform the procedures in this exercise, you must satisfy the following requirements.
1. Check whether you have the following components installed and configured.
- Cloud-based Workspace ONE Access tenant
- Cloud-based VMware Workspace ONE UEM tenant
- On-premises Active Directory with users available to add to the Workspace ONE UEM tenant
- Workspace ONE UEM Administrator account – You must log in to the Workspace ONE UEM Console using an administrator user account to configure AirWatch Cloud Connector (ACC), configure Directory Services, and add Active Directory user groups and web applications.
- Domain Administrator account – You must provide a domain administrator with privileges to manage your Active Directory as part of the Directory Services setup in the Workspace ONE UEM console.
- Windows Server machine to access Workspace ONE from a web browser
- Windows Server machine to install the AirWatch Cloud Connector – Ensure that this machine can reach the AirWatch Cloud Messaging (AWCM) server by browsing to https://awcmXXX.awmdm.com/awcm/status. Replace XXX with the number used in your environment URL, for example, 100 for cn100. If the status of the AWCM has SSL errors, resolve the errors before continuing. Otherwise, the connector does not function properly.
For more information, see the VMware Workspace ONE UEM Documentation.
2. Verify that your environment meets the networking requirements.
Source Component | Destination Component | Port |
---|---|---|
End-user device | Workspace ONE user portal (*.vmwareidentity.<region>), where region is .com, .eu, or .asia | 443 (HTTPS) |
End-user device | Device Services | 443 (HTTPS) |
End-user device (Android) | AirWatch Cloud Messaging (AWCM) Server | 443 (HTTPS) |
Administrative console users | *.awmdm.com | 443 (HTTPS) |
Administrative console users | *.vmwareidentity.<region>, where region is .com, .eu, or .asia | 443 (HTTPS) |
AirWatch Cloud Connector | Workspace ONE UEM | 443 (HTTPS) |
AirWatch Cloud Connector | Active Directory | 389, 636 (LDAPS) 3268 or 3269 (LDAPS) |
3. Verify that your environment meets the operating system and software requirements.
Workspace ONE Requirements | Details |
---|---|
Active Directory |
|
Web browser to access Workspace ONE Access and Workspace ONE UEM Console |
Latest versions of the following web browsers:
|
AirWatch Cloud Connector server |
|
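The AirWatch Cloud Connector rows of the networking table, and the AWCM SSL check from the prerequisites, can be verified from the ACC server before the installer is run. The following PowerShell script is an added example, not VMware code; its function names and the default host names (cn100.awmdm.com, dc01.corp.local) are assumptions to replace with your own values.

```powershell
# Added example, not VMware code. Run on the Windows Server that will host ACC.
# ASSUMPTION: all three defaults are placeholders; pass your own values.
param(
    [string]$EnvNumber = '100',              # the XXX in awcmXXX (100 for cn100)
    [string]$UemHost   = 'cn100.awmdm.com',  # placeholder UEM host under *.awmdm.com
    [string]$DcHost    = 'dc01.corp.local'   # hypothetical domain controller FQDN
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    } catch {
        return $false   # refused, unresolvable name, or reset
    } finally {
        $client.Close()
    }
}

function Get-TlsStatus {
    param([string]$HostName, [int]$Port)
    $script:tlsErrors  = 'no certificate presented'
    $script:tlsSubject = $null
    $script:tlsExpires = $null
    # Record what validation found instead of aborting, so the report can name
    # the problem. The stream is closed right after the handshake; nothing is sent.
    $recorder = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($source, $certificate, $chain, $policyErrors)
        $script:tlsErrors = $policyErrors.ToString()
        if ($certificate) {
            $script:tlsSubject = $certificate.Subject
            $script:tlsExpires = $certificate.GetExpirationDateString()
        }
        return $true
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $recorder)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $ssl.Dispose()
    } catch {
        $script:tlsErrors = "handshake failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]@{
        Errors  = $script:tlsErrors
        Subject = $script:tlsSubject
        Expires = $script:tlsExpires
    }
}

# Destinations and ports from the AirWatch Cloud Connector rows of the table.
# Tls marks the ports where a certificate is expected (HTTPS and LDAPS).
$checks = @(
    @{ Target = "awcm${EnvNumber}.awmdm.com"; Port = 443;  Tls = $true  },
    @{ Target = $UemHost;                     Port = 443;  Tls = $true  },
    @{ Target = $DcHost;                      Port = 389;  Tls = $false },
    @{ Target = $DcHost;                      Port = 636;  Tls = $true  },
    @{ Target = $DcHost;                      Port = 3268; Tls = $false },
    @{ Target = $DcHost;                      Port = 3269; Tls = $true  }
)

$report = foreach ($check in $checks) {
    $open = Test-TcpPort -HostName $check.Target -Port $check.Port
    $tls  = if ($open -and $check.Tls) { Get-TlsStatus -HostName $check.Target -Port $check.Port }
    [pscustomobject]@{
        Destination = '{0}:{1}' -f $check.Target, $check.Port
        Reachable   = $open
        TlsErrors   = if ($tls) { $tls.Errors } else { 'n/a' }
        Subject     = if ($tls) { $tls.Subject }
        Expires     = if ($tls) { $tls.Expires }
    }
}
$report | Format-Table -AutoSize

# The two port 443 destinations are the ones the connector cannot work without.
# Any TlsErrors value other than 'None' is an SSL error to resolve first.
$blocking = $report | Select-Object -First 2 |
    Where-Object { -not $_.Reachable -or $_.TlsErrors -ne 'None' }
if ($blocking) {
    Write-Warning ('Fix before installing ACC: ' + ($blocking.Destination -join ', '))
}
```

The domain controller rows are informational: they show which of the listed LDAP ports answer and whether the LDAPS ports present a certificate the server trusts, which helps when choosing the Encryption Type in the directory settings.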
Downloading AirWatch Cloud Connector Installer
After you have successfully connected to Workspace ONE Access, you can configure the AirWatch Cloud Connector and Directory services. In this activity, download the ACC installer to an accessible location.
1. Configure AirWatch Cloud Connector and Directory


- Click Getting Started.
- Click Workspace ONE.
- Navigate to AirWatch Cloud Connector (ACC) and Directory.
- Click Configure.
2. Read the Overview

Read the details in the Overview section, then click Continue.
3. Download the ACC Installer
- Enter a password for the ACC certificate. For example, VMware1!
- Re-enter the password.
- Click Download ACC-Installer.exe and save the file in an accessible location.
4. Continue to the Run ACC Installer Instructions

Click Continue after downloading the AirWatch Cloud Connector (ACC) Installer to proceed.
Installing AirWatch Cloud Connector
In this activity, install the AirWatch Cloud Connector component to integrate Workspace ONE UEM with back-end enterprise systems and then test the connection.
1. Install the AirWatch Cloud Connector
Follow the steps listed to install the AirWatch Cloud Connector. Click the right arrow to complete the steps.
2. Complete the ACC Connector Installation

After you have installed the AirWatch Cloud Connector, click Continue.
3. Test the Connection
Click Test Connection. You should see the message "AirWatch Cloud Connector is active".
4. Continue to Configure Active Directory Details

Click Continue to configure Active Directory details.
Configuring Active Directory Details
The next step in AirWatch Cloud Connector and Directory is to integrate the connector with Active Directory. The values used in this section are based on a test environment. Your configuration values will differ.
1. Provide Active Directory Details


Enter the following Active Directory information.
- For Directory Type, select Active Directory from the drop-down menu.
- For Server, enter the FQDN of the Active Directory server.
- For Encryption Type, select the encryption type for your environment. This example uses None.
- For Port, keep the default value.
- For Protocol Version, keep the default value.
- For Bind Authentication Type, select Gss-Negotiate.
- For Bind Username, enter the user name that has permission to access the domain controller.
- For Bind Password, enter the password.
- Click Save.
2. Confirm Test Connection is Successful
- Click Test Connection. If successful, you see the message "Connection successful with the given server name, bind username and password".
- Click Continue.
3. Optional - Install vIDM Connector

You have the option to install the VMware Identity Manager connector. However, this is outside the scope of this quick-start tutorial.
Click Continue to return to the Getting Started wizard.
Adding Active Directory User Groups to Workspace ONE UEM
In this activity, you add an Active Directory User Group to import domain users to Workspace ONE UEM. Ensure that you are logged in to the Workspace ONE UEM Console as a domain administrator. The values used in this section are based on a test environment. Your values will differ.
1. Navigate to User Groups

- In Workspace ONE UEM Console, select Accounts.
- Select User Groups > List View.
2. Add User Group

- Click Add.
- Click Add User Group.
3. Search for the Users Organizational Group

- Select Directory for the Type.
- Select Organizational Unit for the External type.
- Enter the group name. For example, Users.
- Click Search.
4. Confirm Group Name

- Select the Group Name. For example, Users.
- Confirm that the Distinguished Name is correct. For example, CN=Users,DC=corp,DC=local.
5. Modify and Save the User Group Settings

To ensure the Sync operation will complete based on your selected Group, modify the User Group settings.
- Select Custom for User Group Settings.
- Select Enabled for Auto Merge Changes.
- Enter a value for Maximum Allowable Changes, such as 100. This limits the number of changes that can occur on each sync.
- Select Enabled for Add Group Members Automatically to import users into the Workspace ONE UEM Console.
- Click Save.
Enabling Active Directory Basic
In this activity, you enable Active Directory Basic from the Workspace ONE Access configuration page. This allows you to sync a single directory to Workspace ONE Access without requiring the VMware Identity Manager Connector.
2. Enable Active Directory Basic

- Click System.
- Click Enterprise Integration.
- Click VMware Identity Manager.
- Click Configuration.
- Select Enabled for Active Directory Basic.
3. Provide Credentials for Directory Configuration

- Enter the Admin User Name. For example, Administrator.
- Enter the Admin Password. For example, VMware1!
- Click Test Connection and confirm that the "Connection successful with the given URL, Username and Password" prompt displays.
- Click Next.
4. Configure the Directory and Attributes

- Enter the Directory name. For example, corp.local.
- Click Save.
No custom attribute mappings are required for this setup. If you require custom mappings, you would configure the settings here.
Logging In to the VMware Identity Manager Console
This exercise helps you to log in to your VMware Identity Manager tenant.
1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.
3. Log In to Your VMware Identity Manager Tenant

- Enter the administrator user name.
- Enter the administrator password.
- Click Sign In.
Verifying Workspace ONE UEM Users Appear in Workspace ONE Access
After you have authorized an Active Directory user group to access Workspace ONE UEM, the user group also appears in Workspace ONE Access.
1. Confirm the Workspace ONE UEM User Group is Available


- Click the Users & Groups tab.
- Click Groups.
- Verify that the Workspace ONE UEM user group is listed and that it has synced the users.
2. Force Sync If Required
If the users do not appear in Workspace ONE Access, you can force a sync from the Workspace ONE UEM Console.
2.2. Sync Users

Scroll down and click Sync Now.
After you verify that Workspace ONE UEM users appear in Workspace ONE Access, you are ready to configure Mobile Single Sign-On.
Configuring Mobile Single Sign-On for iOS
Introduction
Although we use an iOS device to test the mobile SSO feature, the wizard also configures mobile SSO for Android and Windows 10 devices.
This exercise helps you to configure Mobile SSO using the Getting Started wizard. Then, you configure the Salesforce application with the identity provider metadata and integrate Workspace ONE Access to a trial Salesforce account.
The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.
Prerequisites
Before you can perform the procedures in this exercise, you need to create a trial Salesforce developer account. To register, you need a valid email address to receive your Salesforce password.
This exercise requires a user to enroll their device into Workspace ONE UEM. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.
User Account Information | |
---|---|
User name | testuser |
Password | VMware1! |
 | testuser@company.com |
Group ID | ginad |
Server | hol.awmdm.com |
Logging In to the Workspace ONE UEM Console
To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.
1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.
3. Authenticate In to the Workspace ONE UEM Console

- Enter your Username. This is the name provided in the activation email.
- Click Next. After you click Next, the Password text box is displayed.

- Enter your Password. This is the password provided in the activation email.
- Click the Login button.
Note: If you see a Captcha, be aware that it is case sensitive.
Configuring Mobile Single Sign-On
In this activity, use the Getting Started wizard to configure mobile SSO.
1. Navigate to Mobile Single Sign-On


- Select Getting Started.
- Select Workspace ONE.
- Navigate to Mobile Single Sign-On.
- Click Configure.
2. Configure Mobile Single Sign-On

Click Get Started.

Click Continue.
3. Auto-Configure Mobile Single Sign-On Settings

Click Start Configuration.
4. Complete Mobile Single Sign-On Configuration


When the auto-configure checklist completes, click Finish.

Click Close.
Configuring the iOS Profile
A device profile allows you to manage devices with specific settings and rules. You can enforce corporate rules and procedures when device profiles are combined with compliance policies.
The mobile SSO feature creates default device profiles. You must update the iOS device profile to include the Salesforce application identifier.
1. Select iOS Device Profile

- Select Devices.
- Select Profiles & Resources.
- Select Profiles.
- Click the iOS device profile.
2. Edit Device Profile Settings


- Select Single Sign-On.
- Click Add Version.
3. Add Salesforce Application Identifier


- In the Applications section, click Add.
- Enter com.salesforce.chatter.
- Click Save & Publish.
- Click Publish.
Assigning the iOS Profile
After a device profile has been created and configured, you can assign the profile to a smart group.
This exercise helps you to assign a Workspace ONE UEM device profile to a smart group.
1. Select iOS Device Profile

- In Workspace ONE UEM Console, select Devices.
- Select Profiles & Resources.
- Select Profiles.
- Click the iOS device profile.
2. Select Create Assignment Group


- Select the General tab.
- Click the Smart Groups text box to open the drop-down menu.
- Select Create Smart Group.
3. Provide Smart Group Details




- Enter a Name for the smart group. This exercise uses iOS Smart Group.
- For Platform and Operating System, select the following options from the drop-down menus: Apple iOS, Greater Than or Equal To, iOS 11.0.0.
- Click Save.
- Click Save & Publish.
- Click Publish.
Export SAML Metadata from Workspace ONE UEM
Security Assertion Markup Language (SAML) is an open standard for SSO across multiple services. Using SAML authentication, a user logs in to an environment only once per web browser session to access all systems.
In this activity, export the identity provider SAML metadata from Workspace ONE UEM. The metadata is used to configure the Salesforce application.
2. Save Metadata File

Click Settings.


- Select SAML Metadata.
- Select Download SAML Metadata.
- Right-click Identity Provider (IdP) metadata, and select Save Link As.
- Save the metadata file in an accessible location.
Import SAML Metadata to Salesforce
In this activity, you log in to Salesforce and import the SAML metadata. Then, you specify how the identity provider identifies the Salesforce user and complete the metadata download.
1. Log in to Salesforce

- In a web browser, navigate to https://login.salesforce.com.
- Enter your Salesforce user name.
- Enter your Salesforce password.
- Click Login.
2. Locate Single Sign-On Settings

- In the search panel on the left, enter single to locate SSO settings.
- Click Single Sign-On Settings.
3. Edit Single Sign-On Settings

Click Edit.
4. Enable SAML

- Select SAML Enabled to enable SSO using SAML.
- Click Save.
5. Populate SAML Single Sign-On Settings


- Click New from Metadata File.
- Click Choose File, and select the metadata file saved in the previous exercise.
- Click Create to populate the SAML SSO settings.
6. Update SAML SSO Settings


- Select Assertion contains the Federation ID from the User object.
- Click Save.
- Click Download Metadata.
Registering Your Domain in Salesforce
After you have downloaded the SAML metadata file, you need to register your domain in Salesforce.
1. Select My Domain in Salesforce

- In the search box on the left, enter my domain.
- Click My Domain.
2. Register Your Domain Name

- Under Choose Your Domain Name, enter a domain name in the text box.
- To confirm that your domain name is not being used, click Check Availability.
- Click Register Domain.
It can take a few minutes for Salesforce to complete the process. When the domain is registered, you receive an email. After you receive the email, you can edit the authentication configuration in My Domain.
3. Edit Authentication Configuration

Next to Authentication Configuration, click Edit.
4. Enable Authentication Service

- To enable the authentication service, select your Workspace ONE Access user name in the Authentication Service section.
- Click Save.
Updating the Federation ID
The federation ID in Salesforce is a unique user name that can be shared across multiple applications. The federation ID allows administrators to choose a user name format to pass to Salesforce from their user directory for SSO. The user name format is often an attribute, such as the user’s email address.
1. Select Users in Salesforce

- In the search box on the left, enter users.
- Click Users.
2. Edit User Settings

Next to the user name used for the trial account, select the check box and click Edit.
3. Enter Federation ID


- In the Single Sign-On Information section, enter the federation ID as the UPN of the AD user account. For example, testuser@company.com.
- Click Save.
Configuring the Salesforce Application for SSO
You now add the Salesforce application to the Catalog and configure the application for SSO. To add a web application to Workspace ONE UEM Console, you must be logged in as a domain administrator.
1. Create New SaaS Application

- In Workspace ONE UEM Console, select Apps & Books.
- Select Applications.
- Select Web.
- Select SaaS.
- Click New.
2. Select the Salesforce Application
- In the Search text box, enter Salesforce.
- Select Salesforce from the list. The remaining options are auto-filled.
- Click Next.
3. Configure Salesforce Application Settings

Select URL/XML.

Open the previously saved metadata file (see Update the SAML Settings in Salesforce) using Notepad or TextEdit.

- Copy the data, and paste it into the URL/XML text box.
- Click Next.
4. Select Default Access Policy Set

Click Next.
5. Confirm Salesforce Configuration and Save

Click Save.

The Salesforce application has been added to the Catalog and configured for SSO.
Logging In to the VMware Identity Manager Console
This exercise helps you to log in to your VMware Identity Manager tenant.
1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.
3. Log In to Your VMware Identity Manager Tenant

- Enter the administrator user name.
- Enter the administrator password.
- Click Sign In.
Adding User Assignment in Workspace ONE Access
You are now ready to assign users to the Salesforce application.
1. Select Salesforce from the Catalog

- In the Workspace ONE Access administration console, click the Catalog tab.
- Click the Salesforce icon from the application list.
2. Assign Salesforce to a User

Click Assign.
3. Select User Account

- Enter a user name in the search field.
- Select the user name.
Launching the Workspace ONE User Portal
In this section, log in to a web browser and launch the Workspace ONE user portal.
1. Open a Web Browser

From your device, launch Google Chrome by double-clicking the icon.
3. Log In to the Workspace ONE User Portal

Enter the credentials for a user entitled to the Salesforce application.
- Enter the user name, for example testuser.
- Enter the password, for example VMware1!.
- Click Sign In.
Testing the Salesforce SSO Configuration
In this section, access the Salesforce application from the Workspace ONE user portal to confirm that SSO is correctly configured.

In the Workspace ONE user portal, find the Salesforce application and click Open.
If SSO is configured correctly, the Salesforce application starts without prompting for a user name and password.
Enrolling an iOS Device
In this section, enroll your iOS device in Workspace ONE UEM by installing the Workspace ONE Intelligent Hub (formerly the AirWatch Agent). A Group ID is required to complete enrollment. See Retrieving Your Group ID from the Workspace ONE UEM Console.
1. Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

Note: Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.
At this point, if you are using your own iOS device or if the device you are using does not have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.
To install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.
2. Launch the Workspace ONE Intelligent Hub

Launch the Hub app on the device.
3. Enter the Server URL

- Enter the Server URL for your Workspace ONE UEM environment.
- Click Next.
Click the Server Details button.
4. Enter the Group ID for Workspace ONE Intelligent Hub

Return to the Workspace ONE Intelligent Hub application on your iOS device.
- Enter the Group ID for your Organization Group in the Group ID field.
- Tap the Next button.
Note: On an iPhone, you may have to close the keyboard by clicking Done to click the Next button.
5. Enter User Credentials

You now provide user credentials to authenticate to Workspace ONE UEM.
- Enter the Username, for example, testuser.
- Enter the Password, for example, VMware1!.
- Tap Next.
6. Redirect to Safari and Enable MDM Enrollment in Settings

The Workspace ONE Intelligent Hub prompts you to enable Workspace Services to enroll your device into Workspace ONE UEM.
Tap Next to begin.
7. Allow Website to Open Settings (IF NEEDED)

If you are prompted to allow the website to open Settings, tap Allow.
Note: If you do not see this prompt, ignore this and continue to the next step. This prompt occurs only for iOS devices on iOS 10.3.3 or later.
8. Install the Workspace ONE MDM Profile

Tap Install in the upper-right corner of the Install Profile dialog box.
9. Install and Verify the Workspace ONE MDM Profile

Tap Install when prompted on the Install Profile dialog.
10. iOS MDM Profile Warning

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.
Tap Install in the upper-right corner of the screen.
11. Trust the Remote Management Profile.

You should now see the iOS request to trust the source of the MDM profile.
Tap Trust when prompted at the Remote Management dialog.
12. iOS Profile Installation Complete

You should now see that the iOS Profile was successfully installed.
Tap Done in the upper-right corner of the prompt.
13. Workspace ONE UEM Enrollment Success

Your enrollment is now complete. Tap Open to navigate to the Workspace ONE Intelligent Hub.
14. Accept the Workspace ONE Intelligent Hub Notice

Tap Done to confirm the notice and continue.
15. Accept Notifications for Hub (IF NEEDED)

Tap Allow if you get a prompt to allow notifications for the Hub app.
16. Accept the App Installation (IF NEEDED)

You may be prompted to install a series of applications. If prompted, tap Install to accept the application installation.
17. Confirm the Privacy Policy

Tap I Understand when shown the Privacy policy.
18. Accept the Data Sharing Policy

Tap I Agree for the Data Sharing policy.
19. Confirm the Device Enrollment in the Hub App

Confirm that the Hub app shows the user account that you enrolled with.
You have now successfully enrolled your iOS device with Workspace ONE UEM. Continue to the next step.
Testing Salesforce SSO on iOS
When you install a Workspace Services profile, Workspace ONE UEM pushes Salesforce to your iOS device. In this exercise, you log in to your enrolled iOS device and start Salesforce. If SSO is configured correctly, the Salesforce application starts without prompting for a user name and password.
1. Launch Salesforce on iOS Device

On your iOS device, tap the Salesforce application.
2. Confirm Redirection to Workspace ONE

Confirm redirection to Workspace ONE.
3. Validate SSO

Validate SSO. Authentication completes, and the application starts without requiring a user name and password.
Now that you have tested the Salesforce SSO configuration on your mobile device, the Salesforce Mobile Single Sign-On section is complete.
Configuring Adaptive Management for iOS
Introduction
This exercise helps you enable and test adaptive management. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.
You can deploy internal and public applications as either managed or unmanaged when using Workspace ONE UEM for native application delivery. This adaptive management approach protects data inside applications without requiring devices to be managed.
Adaptive management is applied on a per-application basis in Workspace ONE UEM Console. With an application profile, an administrator can require device management prior to allowing the device to use an application.
Prerequisites
This exercise requires a user to enroll their device into Workspace ONE UEM. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.
User Account Information | |
---|---|
User name | testuser |
Password | VMware1! |
 | testuser@company.com |
Logging In to the Workspace ONE UEM Console
To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.
1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.
3. Authenticate In to the Workspace ONE UEM Console

- Enter your Username. This is the name provided in the activation email.
- Click Next. After you click Next, the Password text box is displayed.

- Enter your Password. This is the password provided in the activation email.
- Click the Login button.
Note: If you see a Captcha, be aware that it is case sensitive.
Configuring Adaptive Management
Adaptive management allows you to control which apps require enrollment (Protected Access) and which apps are always accessible to users (Open Access). Users can install open access apps on an unmanaged device. If they request a native app that requires management, they are prompted to install a Mobile Device Management (MDM) profile to manage and secure that native app.
In this activity, use the Getting Started wizard to enable adaptive management and add Slack as a native app to the catalog.
1. Navigate to Apps


- In Workspace ONE UEM Console, click Getting Started.
- Click Workspace ONE.
- Navigate to Apps > Introduction to Adaptive Management.
- Click Configure.
2. Add Public Apps

Click Add Public Apps.
3. Add a New Application

Click Add Application.
4. Search for Slack


- For Platform, select Apple iOS.
- For Name, enter Slack.
- Click Next.
5. Select Slack


Click Select next to Slack.
6. Save Slack

Click Save & Assign.
7. Add Assignment


Click Add Assignment.
8. Provide Assignment Details


- For Selected Assignment Groups, select the iOS smart group that you created in Assign a VMware Device Profile. For example, iOS Smart Group.
- For App Delivery Method, select On Demand.
- For Managed Access, select Enabled.
- Click Add.
9. Publish Application


- Click Save & Publish.
- Click Publish.
Testing Adaptive Management
To test the adaptive management feature, you need an unmanaged iOS device—a device that is not enrolled in Workspace ONE UEM. In this activity, you download the VMware Workspace ONE app and log in to your Workspace. When you attempt to install the Slack app, you are first prompted to enable Workspace Services (install an MDM profile) before Slack can be installed.
1. Navigate to App Store

On your iOS device, tap the App Store icon.
2. Search for VMware Workspace ONE App

- Enter workspace one in the search field.
- Tap the cloud icon to install the Workspace ONE application.
3. Launch VMware Workspace ONE

Tap Open to launch VMware Workspace ONE application.
4. Enter Workspace ONE Access Credentials

Enter the Workspace ONE Access tenant address.
5. Select Your Domain

- Select the domain you synced to Workspace ONE Access from Workspace ONE UEM.
- Tap Next.
6. Enter Credentials

- Enter the username. (This user is part of the domain that you synced Workspace ONE Access from Workspace ONE UEM.)
- Enter the password.
- Tap Sign in.
7. Accept Privacy Notifications / Data Sharing

Tap I Understand.

Tap I agree.
8. Load Workspace

Tap Enter to load your workspace.
9. Install Slack from Workspace ONE Catalog

Note the star icon on the Slack app. Starred apps require device enrollment.
To install Slack, tap Install.
10. Enable Workspace Services

Tap Enable Workspace Services.
11. Install the MDM Profile

Tap Install in the upper-right corner of the Install Profile dialog box.
12. Enter Device PIN (If Required)

If a PIN is requested, enter your device PIN.
13. Install and Verify the Workspace ONE UEM MDM Profile

Tap Install when prompted at the Install Profile dialog box.
14. iOS MDM Profile Warning

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.
Tap Install in the upper-right corner of the screen.
15. Trust the Remote Management Profile.

You should now see the iOS request to trust the source of the MDM profile.
Tap Trust when prompted at the Remote Management dialog.
16. iOS Profile Installation Complete

You should now see the iOS Profile successfully installed.
Tap Done in the upper right corner of the prompt.
17. Confirm App Installation

Tap Install.
18. Accept App Installation

Tap Install.
19. Confirm Slack Installation

After the Slack installation completes, the application is available on your device. Tap the application to launch it.
You have successfully completed Adaptive Management Configuration for iOS.
Summary and Next Steps
Conclusion
This Quick-Start Tutorial introduced you to cloud-based VMware Workspace ONE and enabled you to set up a proof-of-concept environment through practical exercises.
After you have deployed your proof-of-concept implementation, you can explore the product further or plan your production environment by examining Additional Resources.
Additional Resources
For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.
For information about deployment, see Deploying Workspace ONE Intelligence and VMware Carbon Black Cloud: Workspace ONE Operational Tutorial.
Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.
For more information on Managing Windows 10 Devices with Workspace ONE, see the Understanding Windows 10 Management activity path. The content in this path helps you establish a basic understanding of Windows 10 management in the following categories:
About the Authors and Contributors
The Quick-Start Tutorial for Cloud-Based VMware Workspace ONE was written and updated by
- Gina Daly, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
- Hannah Jernigan, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
Appreciation and acknowledgment for considerable contributions from the following subject matter experts:
- Josue Negron, Senior Solutions Architect, End-User-Computing Technical Marketing, VMware
- Justin Sheets, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
- Camilo Lotero, Senior Solutions Engineer, End-User-Computing Field Engineering, VMware
- Mike Nelson, Senior Solutions Engineer, End-User-Computing Field Engineering, VMware
Contributors to the original document include
- Roger Deane, Senior Manager, End-User-Computing Technical Marketing, VMware
- Kevin Sheehan, Senior Product Manager, Windows 10 Unified Endpoint Management, VMware
- Andrew Hornsby, Product Manager, Mobile Identity, VMware
- Vikas Jain, VMware alumnus
- Ben Siler, VMware alumnus
- Oliver Forder, Lead End-User-Computing Specialist, EMEA End-User-Computing Practice, VMware
- Neil Tarbit, Director, Systems Engineering, End-User Computing, VMware
Feedback
Your feedback is valuable.
To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.