Quick-Start Tutorial Series for Cloud-Based VMware Workspace ONE

VMware Workspace ONE UEM 9.3 and later; VMware Identity Manager 3.2

Cloud-Based VMware Workspace ONE Overview

Introduction

VMware Workspace ONE® simplifies access to cloud, mobile, and enterprise applications from supported devices. IT administrators can deploy, manage, and secure applications and, at the same time, offer a flexible, bring-your-own-device (BYOD) option for users.

Purpose

The Quick-Start Tutorial for Cloud-Based VMware Workspace ONE helps you evaluate Workspace ONE by offering practical exercises. This Quick-Start tutorial introduces Workspace ONE and its benefits, features, architecture, and components. Other articles in the tutorial offer hands-on exercises to set up your own proof-of-concept environment.

Important: This tutorial is designed for evaluation purposes only, based on using the minimum required resources for a basic deployment, and does not explore all possible features. This evaluation environment should not be used as a template for deploying a production environment. To deploy a production environment, see the VMware Workspace ONE Documentation.

Audience

This tutorial is for prospective IT administrators of Workspace ONE and anyone who uses the product. Familiarity with networking and storage in a virtual environment, Active Directory, identity management, and directory services is assumed. Knowledge of VMware Workspace ONE® UEM (unified endpoint management), formerly VMware AirWatch, VMware Identity Manager™, and VMware Horizon® 7 is also helpful.

Packaging and Licensing

All Workspace ONE editions are licensed on a per-named-user basis and available as an annual cloud subscription or a perpetual on-premises license.

For more information, see VMware Workspace ONE in the VMware Workspace ONE and VMware Horizon Packaging and Licensing guide.

Features

This section provides a description of the core features and capabilities of Workspace ONE. In subsequent articles of this Quick-Start Tutorial, you will walk through some of these features.

About Unified Endpoint Management

IT can use mobile OS management interfaces to preconfigure laptops, smartphones, and tablets. Workspace ONE UEM device management uses enterprise mobile management APIs to provision, configure, and secure applications and devices. This level of control allows IT to adopt a flexible BYOD program by giving users device choice while securing data.

Enrollment

Device enrollment establishes the initial communication with Workspace ONE UEM to enable Enterprise Mobility Management (EMM).

Device Profiles

Device Profiles allow you to modify behavior of enrolled devices. Device profiles, combined with compliance policies, help you to enforce corporate rules and procedures.

Create Workspace ONE UEM device profiles based on criteria such as users, groups, platforms, and OS, and assign profiles to smart groups.

Data Loss Prevention

You can prevent data leakage in a number of ways. Examples of data leakage include saving work documents to public storage, such as Dropbox, or receiving work emails in an unmanaged email client. You can encrypt email attachments and restrict how the files are edited and shared. You can require using corporate-approved applications instead of native applications. For secure browsing, you can enable access to intranet sites to ensure that the sites are opened only in approved browsers. However, these precautions might be insufficient for your security needs.

Directory Integration

Configure Workspace ONE to use an existing directory infrastructure, such as Active Directory or other LDAP-based directory, for user synchronization, authentication, and application access.

Software Distribution

Workspace ONE also enables you to automatically install, update, and remove software packages, simplifying software distribution. Use Workspace ONE to configure packages that install based on conditions (such as network status or defined schedules), deploy software updates automatically, and notify users when updates occur.

Getting Started Wizard

The Getting Started Wizard serves as a checklist that walks through key configurations in the Workspace ONE UEM Console, step by step. The wizard is divided into four modules: Workspace ONE, Device, Content, and Application. Each module contains steps to accomplish specific end goals. As some modules share steps, the wizard tracks progress across all four modules to ensure the same step never has to be completed twice.

About Application Management

Workspace ONE provides users access to cloud, mobile, and Windows applications using a unified application catalog. The application catalog contains applications published to VMware Identity Manager and Workspace ONE UEM. Supported application types include internal web, SaaS, native mobile, internally developed mobile, legacy and modern Windows, VMware Horizon® 7, VMware Horizon Cloud Service™, Citrix published, and VMware ThinApp®. The catalog also supports virtualized desktops.

Native Workspace ONE Catalog

Users install the Workspace ONE application on a mobile device and, using corporate credentials, get SSO access to corporate, cloud, and mobile applications. The Workspace ONE application uses native OS capabilities to protect application access, such as biometric fingerprint readers on Android, Touch ID on iOS, and Windows Hello on Windows 10.

Mobile SSO

Mobile SSO with Workspace ONE establishes trust between the user, device, application, and enterprise, enabling one-touch login to mobile applications. To protect more sensitive applications, you can enable biometric or other multifactor authentication methods. Mobile SSO is available for Android, iOS, and Windows 10 devices.

VMware Verify

Workspace ONE, integrated with the mobile application VMware Verify™, provides strong, multifactor authentication that simplifies access across devices. When a user attempts to access the Workspace ONE application store, or any application requiring strong authentication, VMware Verify sends a notification to the user’s mobile phone.

Conditional Access with Device Compliance

Workspace ONE allows you to configure network, platform, and application-specific criteria for authentication. A device must prove compliance with security rules prior to authorizing access to an application. Compliance rules protect against rooted or jailbroken devices, and you can use them to whitelist and blacklist applications.

Adaptive Management

With adaptive management, users are not required to enroll their device into Workspace ONE UEM to access applications that require only a basic level of security. Instead, users download the Workspace ONE mobile application from the appropriate app store, and log in with their corporate credentials. From here, they can access their authorized applications. However, to access applications that require a higher level of security, you can require users to enroll their devices.

Based on the device profile assigned, the Catalog displays all entitled applications, including mobile applications, SaaS applications, and Horizon 7-based virtual applications and desktops. Applications that require enrollment are indicated with a lock icon. When the user tries to download an application with a lock icon, the enrollment process is triggered. For example, users can download a conferencing application, such as WebEx, without enrollment. But they are prompted to enroll when they try to download an enterprise application, such as Salesforce.

Product Interoperability

A Workspace ONE implementation can interoperate with other identity providers, like Ping, Okta, and Microsoft Azure, through integration with VMware Identity Manager and still present a common catalog interface for all applications.

For more information, see the VMware Workspace ONE Documentation.

Components and Architecture

This section provides a description of each component of Workspace ONE, as well as an overview of the architecture so you can see how the components relate to each other.

Services

Workspace ONE services are built on the integration of VMware Workspace ONE UEM, VMware Identity Manager, and VMware Horizon.

You can deploy Workspace ONE in many different configurations including:

  • On-premises deployments of VMware Identity Manager and Workspace ONE UEM
  • Cloud-based deployments of VMware Identity Manager and Workspace ONE UEM
  • Hybrid deployments with different components available either on-premises or in the cloud

This guide describes how to build a proof-of-concept for a cloud-based deployment of VMware Identity Manager and Workspace ONE UEM.

Components

Workspace ONE consists of a number of key components that work together to provide the product's capabilities.

Component – Function

  • VMware Workspace ONE® UEM – Enterprise mobility management
  • VMware Identity Manager – Identity platform
  • VMware Workspace ONE® Intelligence™ – Integrated insights, app analytics, and automation
  • Workspace ONE app – End-user access to apps
  • VMware Horizon – Virtual desktops and Remote Desktop Services (RDS) published applications delivered either through Horizon Cloud or VMware Horizon® 7
  • VMware Workspace ONE® Boxer – Secure email client
  • VMware Workspace ONE® Browser – Secure web browser
  • VMware Workspace ONE® Content – Mobile content repository
  • VMware Workspace ONE® Tunnel – Secure method for individual applications to access corporate resources
  • VMware AirWatch Cloud Connector – Directory sync with enterprise directories
  • VMware Identity Manager Connector – Directory sync with enterprise directories; sync to Horizon resources
  • VMware Unified Access Gateway – Gateway that provides secure edge services
  • VMware Workspace ONE® Secure Email Gateway – Email proxy server
  • Certificate Authority Integration – Lifecycle management of provisioned certificates
  • VMware Email Notification Service – Email notifications for Workspace ONE Boxer on iOS

Architecture

The preceding components work together to provide the functionality of Workspace ONE. A basic Workspace ONE configuration consists of VMware Identity Manager and Workspace ONE UEM (formerly VMware AirWatch). VMware AirWatch Cloud Connector securely transmits requests from Workspace ONE UEM to the back-end infrastructure. Administrators define user groups, policy settings, and device configurations. Users access Workspace ONE and their applications based on the defined settings and configurations.

Figure: Major Components of a Workspace ONE Deployment with Network Ports

Network Considerations

Workspace ONE UEM leverages the existing enterprise network infrastructure to provide its own high availability, redundancy, and scalability for the applications and desktops that it provides to end users. Local load balancing is incorporated on the front end of the SaaS environment. Core network security infrastructure includes redundant Ethernet switches, LAN segregation, firewalls, intrusion detection, and monitoring.

Redundant, high-volume firewalls are located between the Internet and the VMware AirWatch environment. An intrusion detection system (IDS) monitors all internal network traffic, logs suspicious activity, and issues alerts when suspicious network activity is detected.

Security Considerations

Workspace ONE UEM takes a multilayered approach to data center security. Primary data centers are maintained with onsite backups for quick recovery and replicated offsite backups for disaster recovery.

Production systems are hosted at two primary data centers, with cross replication of nightly backups to support performance, growth, and security challenges.

Workspace ONE UEM implements security by

  • Isolating all Workspace ONE UEM web servers using a demilitarized zone (DMZ)
  • Using antivirus clients to protect all servers
  • Providing spam filtering and spam reporting for email

Administrators control Workspace ONE UEM from an HTML5 web-based management console. Workspace ONE UEM encrypts all data transmitted between the web console and mobile devices.

Cloud-based Workspace ONE components are automatically upgraded and patched, ensuring that your environment meets the latest security standards.

Setting Up Workspace ONE UEM

Introduction

This exercise helps you set up a cloud-based Workspace ONE environment. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Prerequisites

Before you can perform the procedures in this exercise, you must have the following components installed and configured:

  • On-premises Active Directory with users available to add to the Workspace ONE UEM tenant
  • Windows Server machine to access Workspace ONE from a web browser

Signing Up for a Free Trial

Complete the following steps to begin a 30-day trial version of Workspace ONE that includes a cloud-based deployment of Workspace ONE UEM and VMware Identity Manager.

1. Access Free Trial

  1. Navigate to http://www.air-watch.com and click 30 Day Free Trial.
  2. Enter the required information and click Start Your Free Trial.
  3. Allow 24 hours for your request to process.

2. Record Environment Details

Check your email for two activation email messages that contain environment details and access credentials. Note this information in the following tables.

VMware Identity Manager Account Information

  • User name:
  • Password:
  • VMware Identity Manager server host name:

VMware Workspace ONE UEM Information

  • User name:
  • Password:
  • VMware Workspace ONE UEM server host name:

Now that you have signed up for a cloud-based Workspace ONE trial and noted your environment details, you are ready to log in to the Workspace ONE UEM Console and launch the Getting Started wizard.

Launching the Workspace ONE UEM Console

The Workspace ONE UEM Console allows you to view and manage every aspect of your Mobile Device Management (MDM) deployment. With this single, web-based resource, you can quickly and easily add new devices and users, manage profiles, and configure system settings.

This activity helps you to log in to the Workspace ONE UEM Console and launch the Getting Started Wizard. Use the credentials received in the activation email to log in.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate to the Workspace ONE UEM Console

  1. Enter your Username. For example, administrator.
  2. Click Next. After you click Next, the Password text box is displayed.
  3. Enter your Password. For example, VMware1!
  4. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

4. Accept the License Agreement

Accept the End User License Agreement

Review the End User License Agreement, and click Accept. 

5. Configure Security Settings

Address the Initial Security Settings

Configure the settings for the Password Recovery Question:

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. For Password Recovery Question, keep the default question selected.
  3. Enter the Password Recovery Answer. For example, VMware1!
  4. Reenter the password for Confirm Password Recovery Answer. For example, VMware1!

Configure the Security PIN, which protects certain administrative functions in the Workspace ONE UEM Console.

  1. Enter the Security PIN. For example, 1234.
  2. Reenter the PIN for Confirm Security PIN. For example, 1234.
  3. Click Save.

6. Close the Welcome Message

After completing the Security Settings, you are presented with the Workspace ONE UEM Console Highlights pop-up box.

  1. Select the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

Running the Workspace ONE Getting Started Wizard

Introduction

This exercise helps you to navigate through the Getting Started wizard and complete initial configurations for a cloud-based Workspace ONE environment. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Prerequisites

Before you can perform the procedures in this exercise, you must have the following components installed and configured:

  • On-premises Active Directory with users available to add to the Workspace ONE UEM tenant
  • Windows Server machine to access Workspace ONE from a web browser
  • Google admin account

Navigating the Getting Started Wizard

Split into four modules, the Getting Started wizard facilitates the initial configuration of Workspace ONE. For ease of use, it tracks progress and can be started, paused, and restarted later. You can also review and change previous settings.

This activity helps you to navigate the Getting Started wizard.

2. Explore the Getting Started Wizard

Note the following buttons and icons:

  1. Incomplete – Displays next to steps that have not been configured.
  2. Configure – Click to begin defining settings.
  3. Complete – Displays next to a completed step.
  4. Edit – Click to review or change a completed step’s settings.
  5. Scroll down and open the remaining modules to review their sections and steps.
  6. Use the percentage counter in the upper-right corner to track your configuration progress.

Generating the Apple Push Notification Service Certificate

Apple Push Notification service (APNs) is the messaging protocol created by Apple to manage mobile devices. To manage iOS devices, Workspace ONE UEM requires a valid APNs certificate. This activity helps you to generate the APNs certificate.

1. Configure Apple Push Notification Service (APNs)

In Workspace ONE UEM Console, navigate to the Workspace ONE Getting Started wizard.

  1. Click Getting Started.
  2. Click Workspace ONE.
  3. Navigate to Apple Push Notification Service (APNs).
  4. Click Configure.

2. Download Certificate Request

  1. Under Download Certificate Request, click MDM_APNsRequest.plist.
  2. Click Continue.

3. Enter Corporate Apple ID

Enter your Corporate Apple ID email address that you will use to manage all Apple devices for your organization.
If you do not have a Corporate Apple ID, Create an Account with Apple.

4. Create Certificate

Navigate to the Apple Push Certificates Portal and use your Corporate Apple ID credentials to authenticate.

Complete the following steps to create the APNs certificate.

  1. Enter your corporate Apple ID.
  2. Enter your Apple ID password.
  3. Click Sign In.
  4. Click Create a Certificate.

5. Upload Certificate Signing Request

  1. Click Choose File and select the MDM_APNsRequest.plist file you previously downloaded.
  2. Click Upload.

6. Download Certificate

Click Download.

7. Complete Certificate Generation

Return to the Getting Started wizard in the Workspace ONE UEM Console, and click Next.

7.1. Upload PEM Certificate

Click Upload.

7.2. Select the PEM Certificate

  1. Click Choose File and select the previously downloaded .pem file.
  2. Click Save.

7.3. Complete Request

  1. Enter your Apple ID. For example, appleid@vmware.com.
  2. Click Save.
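Before uploading the .pem file, it is worth reading its subject and validity period, because the push certificate has a fixed expiry and iOS management stops working once it lapses. The following PowerShell script is an added example, not part of the tutorial or of the Workspace ONE product; it assumes the certificate was saved under the placeholder path $PemPath and uses only the .NET X509Certificate2 class that ships with Windows.

```powershell
# Added example (not from the tutorial): inspect the APNs certificate (.pem)
# downloaded from the Apple Push Certificates Portal and record its expiry.
# The file path is a placeholder; point it at your downloaded certificate.
$PemPath = 'C:\Temp\MDM_Example_Certificate.pem'   # placeholder path

function Get-ApnsCertificateInfo {
    param(
        [string]$Path,
        [int]$WarnDays = 30   # flag certificates that expire within this many days
    )
    # X509Certificate2 reads both DER and Base64 (PEM) encoded certificate files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Subject    = $cert.Subject      # Apple places the push topic (UID=com.apple.mgmt...) here
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint   # handy for matching the certificate shown in the console
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        RenewSoon  = ($daysLeft -le $WarnDays)
    }
}

Get-ApnsCertificateInfo -Path $PemPath | Format-List
```

Record the NotAfter date together with the Apple ID used in the wizard: the certificate can only be renewed from the same Apple ID that created it, and renewing rather than creating a new one keeps enrolled devices from having to re-enroll.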

Registering Android Enterprise Mobility Management

Android enterprise mobility management (EMM) separates personal data from work data at the operating system level—creating a clear separation between work and personal apps.

In this activity, use the setup wizard in the Workspace ONE UEM console to register your enterprise with Google. This creates an admin account that connects Google with Workspace ONE UEM for enterprise device management.

After your enterprise is registered, Android users cannot access their device's work features until they register with Workspace ONE UEM.

2. Begin Google Registration

Click Register with Google.

3. Provide a Google Admin Account

  1. Confirm you are logged into your Google Admin Account that you want to associate with your Android for Work configuration.

    Note: After you register a Google Admin Account to Android for Work, you cannot disassociate your Google Admin Account from that Organization. Ensure the Google Admin Account shown is the account you want to associate with your Organization.

  2. Click Get Started.

4. Provide Organization Details

  1. Enter your Organization name.
  2. Select the Google Play agreement check box.
  3. Click Confirm.

5. Complete Registration

Click Complete Registration to return to the Android for Work configuration.

6. Confirm Integration in the Workspace ONE UEM Console

  1. On the Android for Work Settings page, scroll down until you see the Google Admin Console Settings and Google API Settings sections.
  2. Under Google Admin Console Settings, note that the account information you provided during the Android for Work configuration step is displayed here.
  3. Confirm that Android for Work Registration Status is shown as Successful.

Note that the Client ID and Google Service Account Email Address have been created and configured for you automatically. No additional configurations with Android for Work or the Google Developers Console are required.

Downloading the Employee Email Template

In this activity, download an email template to introduce employees to Workspace ONE and how to get started.

1. Download Email Template

In Workspace ONE UEM Console, navigate to the Workspace ONE Getting Started wizard.

  1. Click Getting Started.
  2. Click Workspace ONE.
  3. Navigate to Employee Email Template.
  4. Click Download.

2. Select Email Template

  1. Select a category from the drop-down menu. For example, Enrollment.
  2. Select a message template. For example, User Activation.
  3. Click View to see the email template.

3. Edit and Copy Email Template

You can edit the email template and Save for later use, or copy the email template.

4. Confirm Email Template Download

When you are finished, the Employee Email Template section should be marked as Complete.

Retrieving the Group ID from Workspace ONE UEM Console

In this activity, retrieve your Group ID from the Workspace ONE UEM Console. The Group ID is required when enrolling your device.

In the Workspace ONE UEM Console:

  1. To find the Group ID, point your mouse over the Organization Group tab at the top of the screen.
  2. Your Group ID is displayed at the bottom of the Organization Group pop-up.

Integrating VMware Identity Manager with Workspace ONE UEM

Introduction

This exercise helps you to integrate VMware Identity Manager with Workspace ONE UEM using the Getting Started wizard. This integration allows Workspace ONE UEM to communicate with VMware Identity Manager to deploy identity-driven features such as a unified catalog, Mobile SSO, and device trust.

The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Prerequisites

Before you can perform the procedures in this exercise, you must satisfy the following requirements.

  1. Check whether you have the following components installed and configured.
    • Cloud-based VMware Identity Manager tenant
    • Cloud-based VMware Workspace ONE UEM tenant
    • On-premises Active Directory with users available to add to the Workspace ONE UEM tenant
    • Workspace ONE UEM Administrator account – You must log in to the Workspace ONE UEM Console using an administrator user account to configure AirWatch Cloud Connector (ACC), configure Directory Services, and add Active Directory user groups and web applications.
    • Domain Administrator account – You must provide a domain administrator with privileges to manage your Active Directory as part of the Directory Services setup in the Workspace ONE UEM console.
    • Windows Server machine to access Workspace ONE from a web browser
    • Windows Server machine to install the AirWatch Cloud Connector – Ensure that this machine can reach the AirWatch Cloud Messaging (AWCM) server by browsing to https://awcmXXX.awmdm.com/awcm/status. Replace XXX with the number used in your environment URL, for example, 100 for cn100. If the status page of the AWCM shows SSL errors, resolve the errors before continuing. Otherwise, the connector does not function properly.

For more information, see the VMware Workspace ONE UEM Documentation.

2. Make sure you have gathered the devices that you need.

  • Android device of your choice
  • iOS device of your choice
  • macOS device of your choice
  • Windows 10 device of your choice

3. Verify that your environment meets the networking requirements.

Source Component – Destination Component – Port

  • End-user device – Workspace ONE user portal (*.vmwareidentity.<region>, where region is .com, .eu, or .asia) – 443 (HTTPS)
  • End-user device – Device Services – 443 (HTTPS)
  • End-user device (Android) – AirWatch Cloud Messaging (AWCM) Server – 443 (HTTPS)
  • Administrative console users – *.awmdm.com – 443 (HTTPS)
  • Administrative console users – *.vmwareidentity.<region>, where region is .com, .eu, or .asia – 443 (HTTPS)
  • AirWatch Cloud Connector – Workspace ONE UEM – 443 (HTTPS)
  • AirWatch Cloud Connector – Active Directory – 389 (LDAP) or 636 (LDAPS); 3268 (Global Catalog LDAP) or 3269 (Global Catalog LDAPS)

4. Verify that your environment meets the operating system and software requirements.

Workspace ONE Requirements – Details

Active Directory:
  • Windows Server 2008 R2
  • Windows Server 2012 or 2012 R2
  • Windows Server 2016

Web browser to access VMware Identity Manager and Workspace ONE UEM Console – latest versions of the following web browsers:
  • Internet Explorer for Windows
  • Google Chrome for Windows and macOS
  • Mozilla Firefox for Windows and macOS
  • Safari for macOS

AirWatch Cloud Connector server:
  • Windows Server 2008 R2
  • Windows Server 2012 or 2012 R2
  • .NET Framework 4.6.2
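The networking requirements above are easiest to confirm from the Windows Server that will host the AirWatch Cloud Connector, before the installer is run. The following PowerShell script is an added example and not part of the tutorial or of the product: it walks the rows of the table that are testable from that machine (the end-user device rows are not), and repeats the AWCM status-page check from the prerequisites, relying on the fact that Invoke-WebRequest validates the server certificate by default so that an SSL error is reported rather than silently tolerated. It assumes Windows Server 2012 R2 or later (Test-NetConnection is not available on 2008 R2); all host names are placeholders to replace with your own environment's values.

```powershell
# Added example (not from the tutorial): verify the networking requirements
# table from the ACC server. Host names are placeholders for your environment.
$UemConsole = 'cn100.awmdm.com'            # Workspace ONE UEM; cnXXX from your environment URL
$AwcmHost   = 'awcm100.awmdm.com'          # AirWatch Cloud Messaging, same XXX as above
$IdmTenant  = 'tenant.vmwareidentity.com'  # VMware Identity Manager tenant (placeholder)
$AdServer   = 'dc01.corp.local'            # Active Directory domain controller FQDN (placeholder)

# One entry per table row that can be exercised from the ACC / admin machine.
$Checks = @(
    @{ Source = 'AirWatch Cloud Connector'; Destination = $UemConsole; Port = 443;  Service = 'HTTPS' },
    @{ Source = 'AirWatch Cloud Connector'; Destination = $AwcmHost;   Port = 443;  Service = 'HTTPS' },
    @{ Source = 'Administrative console';   Destination = $IdmTenant;  Port = 443;  Service = 'HTTPS' },
    @{ Source = 'AirWatch Cloud Connector'; Destination = $AdServer;   Port = 389;  Service = 'LDAP' },
    @{ Source = 'AirWatch Cloud Connector'; Destination = $AdServer;   Port = 636;  Service = 'LDAPS' },
    @{ Source = 'AirWatch Cloud Connector'; Destination = $AdServer;   Port = 3268; Service = 'GC LDAP' },
    @{ Source = 'AirWatch Cloud Connector'; Destination = $AdServer;   Port = 3269; Service = 'GC LDAPS' }
)

function Test-WorkspaceOnePorts {
    param([array]$Rows)
    foreach ($row in $Rows) {
        # -InformationLevel Quiet returns a plain $true/$false for the TCP handshake.
        $ok = Test-NetConnection -ComputerName $row.Destination -Port $row.Port `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Source      = $row.Source
            Destination = $row.Destination
            Port        = $row.Port
            Service     = $row.Service
            Reachable   = $ok
        }
    }
}

function Test-AwcmStatus {
    param([string]$AwcmHostName)
    # The prerequisites check: the AWCM status page must load without SSL errors.
    # Invoke-WebRequest validates the certificate chain and host name by default,
    # so a certificate problem shows up here as an exception.
    $uri = "https://$AwcmHostName/awcm/status"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Uri = $uri; HttpStatus = $resp.StatusCode; Error = $null }
    } catch {
        [pscustomobject]@{ Uri = $uri; HttpStatus = $null; Error = $_.Exception.Message }
    }
}

Test-WorkspaceOnePorts -Rows $Checks | Format-Table -AutoSize
Test-AwcmStatus -AwcmHostName $AwcmHost | Format-List
```

A domain controller only listens on 636 and 3269 when it has a server certificate installed, so those two rows failing means the LDAPS option is unavailable to the connector, not that the network is blocked; 389 and 3268 must succeed for the Directory Services setup later in this tutorial, and an Error value from Test-AwcmStatus that mentions the certificate is exactly the SSL condition the prerequisites say to resolve before installing the connector.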

Configuring VMware Identity Manager Integration

In this activity, you integrate VMware Identity Manager with Workspace ONE UEM.

1. Configure VMware Identity Manager

  1. Click Getting Started.
  2. Click Workspace ONE.
  3. Navigate to Connect to VMware Identity Manager.
  4. Click Configure.

2. Enter VMware Identity Manager Details

Provide the VMware Identity Manager details.

  1. Enter the Tenant URL for VMware Identity Manager.
  2. Enter the Username for the VMware Identity Manager tenant.
  3. Enter the Password.
  4. Click Test Connection. If successful, you see the message Test connection successful!
  5. Click Save.

3. Confirm VMware Identity Manager Connection is Complete

After you have finished, the Connect to VMware Identity Manager section should be marked as Complete.

Configuring AirWatch Cloud Connector (ACC) and Directory

Introduction

This exercise helps you to configure the AirWatch Cloud Connector (ACC) and Directory Services using the Getting Started wizard. The AirWatch Cloud Connector (ACC) provides secure access to your resources and to Active Directory so you can import users and groups from your existing directory.

The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Prerequisites

The prerequisites for this exercise are the same as those listed under Integrating VMware Identity Manager with Workspace ONE UEM: the cloud-based VMware Identity Manager and Workspace ONE UEM tenants, on-premises Active Directory with users available to add to the tenant, the Workspace ONE UEM administrator and domain administrator accounts, the Windows Server machines for browser access and for the AirWatch Cloud Connector (with the AWCM status page reachable without SSL errors), the Android, iOS, macOS, and Windows 10 test devices, and the networking, operating system, and software requirements given in that section.

Downloading AirWatch Cloud Connector Installer

After you have successfully connected to VMware Identity Manager, you can configure the AirWatch Cloud Connector and Directory Services. In this activity, download the ACC installer to an accessible location.

1. Configure AirWatch Cloud Connector and Directory

  1. Click Getting Started.
  2. Click Workspace ONE.
  3. Navigate to AirWatch Cloud Connector (ACC) and Directory.
  4. Click Configure.

2. Read the Overview

Read the details in the Overview section, then click Continue.

3. Download the ACC Installer

  1. Enter a password for the ACC certificate. For example, VMware1!.
  2. Re-enter the password.
  3. Click Download ACC-Installer.exe and save the file in an accessible location.

4. Continue to the Run ACC Installer Instructions

Click Continue after downloading the AirWatch Cloud Connector (ACC) Installer to proceed.

Installing AirWatch Cloud Connector

In this activity, install the AirWatch Cloud Connector component to integrate Workspace ONE UEM with back-end enterprise systems and then test the connection.

1. Install the AirWatch Cloud Connector

Follow the steps listed to install the AirWatch Cloud Connector. Click the right arrow to complete the steps.

2. Complete the ACC Connector Installation

After you have installed the AirWatch Cloud Connector, click Continue.

3. Test the Connection

Click Test Connection. You should see the message AirWatch Cloud Connector is active.

4. Continue to Configure Active Directory Details

Click Continue to configure Active Directory details.

Configuring Active Directory Details

The next step in AirWatch Cloud Connector and Directory is to integrate the connector with Active Directory. The values used in this section are based on a test environment. Your configuration values will differ.

1. Provide Active Directory Details

Enter the following Active Directory information.

  1. For Directory Type, select Active Directory from the drop-down menu.
  2. For Server, enter the FQDN of the Active Directory server.
  3. For Encryption Type, select the encryption type for your environment. This example uses None.
  4. For Port, keep the default value.
  5. For Protocol Version, keep the default value.
  6. For Bind Authentication Type, select Gss-Negotiate.
  7. For Bind Username, enter the user name that has permission to access the domain controller.
  8. For Bind Password, enter the password.
  9. Click Save.

2. Confirm Test Connection is Successful

  1. Click Test Connection. If successful, you see the message Connection successful with the given server name, bind username and password.
  2. Click Continue.

3. Optional - Install vIDM Connector

You have the option to install the VMware Identity Manager connector. However, this is outside the scope of this quick-start tutorial.

Click Continue to return to the Getting Started wizard.

Adding Active Directory User Groups to Workspace ONE UEM

In this activity, you add an Active Directory User Group to import domain users to Workspace ONE UEM. Ensure that you are logged in to the Workspace ONE UEM Console as a domain administrator. The values used in this section are based on a test environment. Your values will differ.

1. Navigate to User Groups

  1. In Workspace ONE UEM Console, select Accounts.
  2. Select User Groups > List View.

2. Add User Group

  1. Click Add.
  2. Click Add User Group.

3. Search for the Users Organizational Group

  1. Select Directory for the Type.
  2. Select Organizational Unit for the External type.
  3. Enter the group name. For example, Users.
  4. Click Search.

4. Confirm Group Name

  1. Select the Group Name. For example, Users.
  2. Confirm that the Distinguished Name is correct. For example, CN=Users,DC=corp,DC=local.

5. Modify and Save the User Group Settings

To ensure the Sync operation will complete based on your selected Group, modify the User Group settings.

  1. Select Custom for User Group Settings.
  2. Select Enabled for Auto Merge Changes.
  3. Enter a Maximum Allowable Changes, such as 100. This limits the number of changes that can occur on each sync.
  4. Select Enabled for Add Group Members Automatically to import users into the Workspace ONE UEM Console.
  5. Click Save.

6. Perform a User Group Sync

  1. Select the User Group you created. In this case, Users.
  2. Click Sync.
  3. Click OK when prompted if you wish to continue.
  4. After the sync completes, confirm that the Users column updates to show the number of synced users from your group.

Enabling Active Directory Basic

In this activity, you enable Active Directory Basic from the VMware Identity Manager configuration page. This allows you to sync a single directory to VMware Identity Manager without requiring the VMware Identity Manager Connector.

2. Enable Active Directory Basic

  1. Click System.
  2. Click Enterprise Integration.
  3. Click VMware Identity Manager.
  4. Click Configuration.
  5. Select Enabled for Active Directory Basic.

3. Provide Credentials for Directory Configuration

  1. Enter the Admin User Name. For example, Administrator.
  2. Enter the Admin Password. For example, VMware1!.
  3. Click Test Connection and confirm that the Connection successful with the given URL, Username and Password prompt displays.
  4. Click Next.

4. Configure the Directory and Attributes

  1. Enter the Directory name. For example, corp.local.
  2. Click Save.

No custom attribute mappings are required for this setup. If you require custom mappings, you would configure the settings here.

5. Confirm the Directory Sync Completed

  1. Confirm that the Directory Sync started and shows User Sync Succeeded.
  2. Click Close (X) to exit the VMware Identity Manager Configuration settings.

Logging In to the VMware Identity Manager Console

This exercise helps you to log in to your VMware Identity Manager tenant.

1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

3. Login to Your VMware Identity Manager Tenant

  1. Enter the administrator user name.
  2. Enter the administrator password.
  3. Click Sign In.

Verifying Workspace ONE UEM Users Appear in VMware Identity Manager

After you have authorized an Active Directory user group to access Workspace ONE UEM, the user group also appears in VMware Identity Manager.

1. Confirm the Workspace ONE UEM User Group is Available

  1. Click the Users & Groups tab.
  2. Click Groups.
  3. Verify that the Workspace ONE UEM user group is listed and that it has synced the users.

2. Force Sync If Required

If the users do not appear in VMware Identity Manager, you can force a sync from the Workspace ONE UEM Console.

2.3. Sync Users

Scroll down and click Sync Now.

After you verify that Workspace ONE UEM users appear in VMware Identity Manager, you are ready to configure Mobile Single Sign-On.

Configuring Mobile Single Sign-On for iOS

Introduction

Although we use an iOS device to test the mobile SSO feature, the wizard also configures mobile SSO for Android and Windows 10 devices.

This exercise helps you to configure Mobile SSO using the Getting Started wizard. Then, you configure the Salesforce application with the identity provider metadata and integrate VMware Identity Manager to a trial Salesforce account.

The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

Prerequisites

Before you can perform the procedures in this exercise, you must complete the following tutorials:

In addition, you need to create a trial Salesforce developer account. To register, you need a valid email address to receive your Salesforce password.

This exercise requires a user to enroll their device into Workspace ONE UEM. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information

  User name   testuser
  Password    VMware1!
  Email       testuser@company.com
  Group ID    ginad
  Server      hol.awmdm.com

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Log In to the Workspace ONE UEM Console

  1. Enter your Username. This is the name provided in the activation email.
  2. Click Next. After you click Next, the Password text box is displayed.
  3. Enter your Password. This is the password provided in the activation email.
  4. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Configuring Mobile Single Sign-On

In this activity, use the Getting Started wizard to configure mobile SSO.

1. Navigate to Mobile Single Sign-On

  1. Select Getting Started.
  2. Select Workspace ONE.
  3. Navigate to Mobile Single Sign-On.
  4. Click Configure.

2. Configure Mobile Single Sign-On

Click Get Started.

Click Continue.

3. Auto-Configure Mobile Single Sign-On Settings

Click Start Configuration.

4. Complete Mobile Single Sign-On Configuration

When the auto-configure checklist completes, click Finish.

Click Close.

Configuring the iOS Profile

A device profile allows you to manage devices with specific settings and rules. You can enforce corporate rules and procedures when device profiles are combined with compliance policies.

The mobile SSO feature creates default device profiles. You must update the iOS device profile to include the Salesforce application identifier. 

1. Select iOS Device Profile

  1. Select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.
  4. Click the iOS device profile.

2. Edit Device Profile Settings

  1. Select Single Sign-On.
  2. Click Add Version.

3. Add Salesforce Application Identifier

  1. In the Applications section, click Add.
  2. Enter com.salesforce.chatter.
  3. Click Save & Publish.
  4. Click Publish.

Assigning the iOS Profile

After a device profile has been created and configured, you can assign the profile to a smart group.

This exercise helps you to assign a Workspace ONE UEM device profile to a smart group.

1. Select iOS Device Profile

  1. In Workspace ONE UEM Console, select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.
  4. Click the iOS device profile.

2. Select Create Assignment Group

  1. Select the General tab.
  2. Click the Smart Groups text box to open the drop-down menu.
  3. Select Create Smart Group.

3. Provide Smart Group Details

  1. Enter a Name for the smart group. This exercise uses iOS Smart Group.
  2. For Platform and Operating System, select the following options from the drop-down menus: Apple iOS, Greater Than or Equal To, iOS 11.0.0.
  3. Click Save.
  4. Click Save & Publish.
  5. Click Publish.

Export SAML Metadata from Workspace ONE UEM

Security Assertion Markup Language (SAML) is an open standard for SSO across multiple services. Using SAML authentication, a user logs in to an environment only once per web browser session to access all systems.

In this activity, export the identity provider SAML metadata from Workspace ONE UEM. The metadata is used to configure the Salesforce application.

2. Save Metadata File

Click Settings.

  1. Select SAML Metadata.
  2. Select Download SAML Metadata.
  3. Right-click Identity Provider (IdP) metadata, and select Save Link As.
  4. Save the metadata file in an accessible location.

Import SAML Metadata to Salesforce

In this activity, you log in to Salesforce and import the SAML metadata. Then, you specify how the identity provider identifies the Salesforce user and complete the metadata download.

1. Log in to Salesforce

  1. In a web browser, navigate to https://login.salesforce.com.
  2. Enter your Salesforce user name.
  3. Enter your Salesforce password.
  4. Click Login.

2. Locate Single Sign-On Settings

  1. In the search panel on the left, enter single to locate SSO settings.
  2. Click Single Sign-On Settings.

3. Edit Single Sign-On Settings

Click Edit.

4. Enable SAML

  1. Select SAML Enabled to enable SSO using SAML.
  2. Click Save.

5. Populate SAML Single Sign-On Settings

  1. Click New from Metadata File.
  2. Click Choose File, and select the metadata file saved in the previous exercise.
  3. Click Create to populate the SAML SSO settings.

6. Update SAML SSO Settings

  1. Select Assertion contains the Federation ID from the User object.
  2. Click Save.
  3. Click Download Metadata.

Registering Your Domain in Salesforce

After you have downloaded the SAML metadata file, you need to register your domain in Salesforce.

1. Select My Domain in Salesforce

  1. In the search box on the left, enter my domain.
  2. Click My Domain.

2. Register Your Domain Name

  1. Under Choose Your Domain Name, enter a domain name in the text box.
  2. To confirm that your domain name is not being used, click Check Availability.
  3. Click Register Domain.

It can take a few minutes for Salesforce to complete the process. When the domain is registered, you receive an email. After you receive the email, you can edit the authentication configuration in My Domain.

3. Edit Authentication Configuration

Next to Authentication Configuration, click Edit.

4. Enable Authentication Service

  1. To enable the authentication service, select your Identity Manager user name in the Authentication Service section.
  2. Click Save.

Updating the Federation ID

The federation ID in Salesforce is a unique user name that can be shared across multiple applications. The federation ID allows administrators to choose a user name format to pass to Salesforce from their user directory for SSO. The user name format is often an attribute, such as the user’s email address.

1. Select Users in Salesforce

  1. In the search box on the left, enter users.
  2. Click Users.

2. Edit User Settings

Next to the user name used for the trial account, select the check box and click Edit.

3. Enter Federation ID

  1. In the Single Sign-On Information section, enter the federation ID as the UPN of the AD user account. For example, testuser@company.com.
  2. Click Save.

Configuring the Salesforce Application for SSO

You now add the Salesforce application to the Catalog and configure the application for SSO. To add a web application to Workspace ONE UEM Console, you must be logged in as a domain administrator.

1. Create New SaaS Application

  1. In Workspace ONE UEM Console, select Apps & Books.
  2. Select Applications.
  3. Select Web.
  4. Select SaaS.
  5. Click New.

2. Select the Salesforce Application

  1. In the Search text box, enter Salesforce.
  2. Select Salesforce from the list. The remaining options are auto-filled.
  3. Click Next.

3. Configure Salesforce Application Settings

Select URL/XML.

Open the previously saved metadata file (the one downloaded in Update SAML SSO Settings under Import SAML Metadata to Salesforce) using Notepad or TextEdit.

  1. Copy the data, and paste it into the URL/XML text box.
  2. Click Next.

4. Select Default Access Policy Set

Click Next.

5. Confirm Salesforce Configuration and Save

Click Save.

The Salesforce application has been added to the Catalog and configured for SSO.

Logging In to the VMware Identity Manager Console

This exercise helps you to log in to your VMware Identity Manager tenant.

1. Launch Google Chrome (If Needed)

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

3. Login to Your VMware Identity Manager Tenant

  1. Enter the administrator user name.
  2. Enter the administrator password.
  3. Click Sign In.

Adding User Assignment in VMware Identity Manager

You are now ready to assign users to the Salesforce application.

1. Select Salesforce from the Catalog

  1. In the VMware Identity Manager administration console, click the Catalog tab.
  2. Click the Salesforce icon from the application list.

2. Assign Salesforce to a User

Click Assign.

3. Select User Account

  1. Enter a user name in the search field.
  2. Select the user name.

4. Specify User Assignment Details

  1. Select Automatic from the drop-down menu.
  2. Click Save to complete the assignment process.

Launching the Workspace ONE User Portal

In this section, log in to a web browser and launch the Workspace ONE user portal.

1. Open a Web Browser

From your device, launch Google Chrome by double-clicking the icon.

3. Log In to the Workspace ONE User Portal

Enter the credentials for a user entitled to the Salesforce application.

  1. Enter the user name, for example testuser.
  2. Enter the password, for example VMware1!.
  3. Click Sign In.

Testing the Salesforce SSO Configuration

In this section, access the Salesforce application from the Workspace ONE user portal to confirm that SSO is correctly configured.

In the Workspace ONE user portal, find the Salesforce application and click Open.

If SSO is configured correctly, the Salesforce application starts without prompting for a user name and password.

Enrolling an iOS Device

In this section, enroll your iOS device in Workspace ONE UEM by installing the Workspace ONE Intelligent Hub (formerly the AirWatch Agent). A Group ID is required to complete enrollment. See Retrieving Your Group ID from Workspace ONE UEM Console.

1. Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

NOTE: Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does not have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

2. Launch the Workspace ONE Intelligent Hub

Launch the Hub app on the device.

NOTE: If you have your own iOS device and would like to test, you must download the Workspace ONE Intelligent Hub app first.

3. Enter the Server URL

  1. Enter the Server URL for your Workspace ONE UEM environment.
  2. Click Next.

Click the Server Details button.

4. Enter the Group ID for Workspace ONE Intelligent Hub

Return to the Workspace ONE Intelligent Hub application on your iOS device.

  1. Enter your Group ID for your Organization Group for the Group ID field.
  2. Tap the Next button.

NOTE: If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Next button.

5. Enter User Credentials

You now provide user credentials to authenticate to Workspace ONE UEM.

  1. Enter testuser in the Username field.
  2. Enter VMware1! in the Password field.
  3. Tap the Next button.

6. Redirect to Safari and Enable MDM Enrollment in Settings

The Workspace ONE Intelligent Hub prompts you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

7. Allow Website to Open Settings (IF NEEDED)

If you are prompted to allow the website to open Settings, tap Allow.

NOTE: If you do not see this prompt, ignore this and continue to the next step. This prompt occurs only for iOS devices on iOS 10.3.3 or later.

8. Install the Workspace ONE MDM Profile

Tap Install in the upper-right corner of the Install Profile dialog box.

9. Install and Verify the Workspace ONE MDM Profile

Tap Install when prompted on the Install Profile dialog.

10. iOS MDM Profile Warning

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

11. Trust the Remote Management Profile

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

12. iOS Profile Installation Complete

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper-right corner of the prompt.

13. Workspace ONE UEM Enrollment Success

Your enrollment is now complete. Tap Open to navigate to the Workspace ONE Intelligent Hub.

14. Accept the Workspace ONE Intelligent Hub Notice

Tap Done to confirm the notice and continue.

15. Accept Notifications for Hub (IF NEEDED)

Tap Allow if you get a prompt to allow notifications for the Hub app.

16. Accept the App Installation (IF NEEDED)

You may be prompted to install a series of applications. If prompted, tap Install to accept the application installation.

17. Confirm the Privacy Policy

Tap I Understand when shown the Privacy policy.

18. Accept the Data Sharing Policy

Tap I Agree for the Data Sharing policy.

19. Confirm the Device Enrollment in the Hub App

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM. Continue to the next step.

Testing Salesforce SSO on iOS

When you install a Workspace Services profile, Workspace ONE UEM pushes Salesforce to your iOS device. In this exercise, you log in to your enrolled iOS device and start Salesforce. If SSO is configured correctly, the Salesforce application starts without prompting for a user name and password.

1. Launch Salesforce on iOS Device

On your iOS device, tap the Salesforce application.

2. Confirm Redirection to Workspace ONE

Confirm redirection to Workspace ONE.

3. Validate SSO

Validate SSO. Authentication completes, and the application starts without requiring a user name and password.

Now that you have tested the Salesforce SSO configuration on your mobile device, the Salesforce Mobile Single Sign-On section is complete.

Configuring Adaptive Management for iOS

Introduction

This exercise helps you enable and test adaptive management. The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.

You can deploy internal and public applications as either managed or unmanaged when using Workspace ONE UEM for native application delivery. This adaptive management approach protects data inside applications without requiring devices to be managed.

Adaptive management is applied on a per-application basis in Workspace ONE UEM Console. With an application profile, an administrator can require device management prior to allowing the device to use an application.

Prerequisites

Before you can perform the procedures in this exercise, you must complete the following tutorials:

This exercise requires a user to enroll their device into Workspace ONE UEM. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information

  User name   testuser
  Password    VMware1!
  Email       testuser@company.com

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Log In to the Workspace ONE UEM Console

  1. Enter your Username. This is the name provided in the activation email.
  2. Click Next. After you click Next, the Password text box is displayed.
  3. Enter your Password. This is the password provided in the activation email.
  4. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Configuring Adaptive Management

Adaptive management allows you to control which apps require enrollment (Protected Access) and which apps are always accessible to users (Open Access). Users can install open access apps on an unmanaged device. If they request a native app that requires management, they are prompted to install a Mobile Device Management (MDM) profile to manage and secure that native app. 

In this activity, use the Getting Started wizard to enable adaptive management and add Slack as a native app to the catalog.

1. Navigate to Apps

  1. In Workspace ONE UEM Console, click Getting Started.
  2. Click Workspace ONE.
  3. Navigate to Apps > Introduction to Adaptive Management.
  4. Click Configure.

2. Add Public Apps

Click Add Public Apps.

3. Add a New Application

Click Add Application.

4. Search for Slack

  1. For Platform, select Apple iOS.
  2. For Name, enter Slack.
  3. Click Next.

5. Select Slack

Click Select next to Slack.

6. Save Slack

Click Save & Assign.

7. Add Assignment

Click Add Assignment.

8. Provide Assignment Details

  1. For Selected Assignment Groups, select the iOS smart group that you created in Assign a VMware Device Profile. For example, iOS Smart Group.
  2. For App Delivery Method, select On Demand.
  3. For Managed Access, select Enabled.
  4. Click Add.

9. Publish Application

  1. Click Save & Publish.
  2. Click Publish.

Testing Adaptive Management

To test the adaptive management feature, you need an unmanaged iOS device—a device that is not enrolled in Workspace ONE UEM. In this activity, you download the VMware Workspace ONE app and log in to your Workspace. When you attempt to install the Slack app, you are first prompted to enable Workspace Services (install an MDM profile) before Slack can be installed.

1. Navigate to App Store

On your iOS device, tap the App Store icon.

2. Search for VMware Workspace ONE App

  1. Enter workspace one in the search field.
  2. Tap the cloud icon to install the Workspace ONE application.

3. Launch VMware Workspace ONE

Tap Open to launch VMware Workspace ONE application.

4. Enter VMware Identity Manager Credentials

Enter the VMware Identity Manager tenant address.

5. Select Your Domain

  1. Select the domain you synced to VMware Identity Manager from Workspace ONE UEM.
  2. Tap Next.

6. Enter Credentials

  1. Enter the username. (This user is part of the domain that you synced VMware Identity Manager from Workspace ONE UEM.)
  2. Enter the password.
  3. Tap Sign in.

7. Accept Privacy Notifications / Data Sharing

Tap I Understand.

Tap I agree.

8. Load Workspace

Tap Enter to load your workspace.

9. Install Slack from Workspace ONE Catalog

Note the star icon on the Slack app. Starred apps require device enrollment.

To install Slack, tap Install.

10. Enable Workspace Services

Tap Enable Workspace Services.

11. Install the MDM Profile

Tap Install in the upper-right corner of the Install Profile dialog box.

12. Enter Device PIN (If Required)

If a PIN is requested, enter your device PIN.

13. Install and Verify the Workspace ONE UEM MDM Profile

Tap Install when prompted at the Install Profile dialog box.

14. iOS MDM Profile Warning

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

15. Trust the Remote Management Profile

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

16. iOS Profile Installation Complete

You should now see the iOS Profile successfully installed.

Tap Done in the upper-right corner of the prompt.

17. Confirm App Installation

Tap Install.

18. Accept App Installation

Tap Install.

19. Confirm Slack Installation

After the Slack installation completes, the application is available on your device. Tap the application to launch it.

You have successfully completed Adaptive Management Configuration for iOS.

Managing Windows 10 Devices

Introduction

This exercise introduces you to managing Windows 10 devices in Workspace ONE. Windows 10 Management helps you to create a restrictions profile, create and distribute an application to your Windows 10 device, and then enroll your device to test the results. 

The procedures are sequential and build upon one another, so make sure that you complete each procedure in this section before going to the next procedure.


Prerequisites

Before you can perform the procedures in this exercise, you must complete the following tutorials:

This exercise requires a user to enroll their device into Workspace ONE UEM. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information

  User name   testuser
  Password    VMware1!
  Email       testuser@company.com

You must also satisfy the following requirements:

  • Workspace ONE Advanced Edition installed.
    Note: Although it is possible to use Standard edition, standard only allows deploying MSI apps. Advanced is required for deploying MSI/MST/MSP/EXE/ZIP apps.
  • A virtual machine or spare Windows device running Windows 10 with the latest updates installed.
    Note: Although it is possible to use Home edition, it is not recommended as some advanced capabilities such as BitLocker encryption, software distribution, and scripting are not supported.
  • Administrative rights to the virtual machine or spare Windows device.
  • A Windows 10 Desktop app (*.msi, *.exe, or *.zip), such as 7-Zip. To follow these instructions, download a 7-zip installation file, and save it in your Documents folder.

Important: Do not access the Workspace ONE UEM Console from the same machine you are managing.

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Log In to the Workspace ONE UEM Console

  1. Enter your Username. This is the name provided in the activation email.
  2. Click Next. After you click Next, the Password text box is displayed.
  3. Enter your Password. This is the password provided in the activation email.
  4. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Configuring a Device Profile for Windows 10

Profiles allow you to modify how the enrolled devices behave. This activity helps you to configure and deploy a restrictions profile that we can verify has applied to the device later in the section.

1. Add a Profile

In the upper-right corner of Workspace ONE UEM Console:

  1. Select Add.
  2. Select Profile.

2. Add a Windows Profile

Select the Windows icon.

Note: Make sure that you select Windows and not Windows Rugged.

3. Add a Windows Desktop Profile

Select Windows Desktop.

4. Select Context - Device Profile

Select Device Profile.

5. Define the General Settings

  1. Select General if it is not already selected.
  2. Enter a profile name such as Windows Restrictions in the Name text box.
  3. Copy the profile name into the Description field.
  4. Click in the Assigned Groups field. This opens the list of existing assignment groups. Select the All Devices Assignment Group.
    Note: You may need to scroll down to view the Assigned Groups field.

Note: You do not need to click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

6. Select the Restrictions Payload

Note: When initially setting a payload, a Configure button will show to reduce the risk of accidentally setting a payload configuration.

  1. Select the Restrictions payload in the Payload section on the left.
  2. Click the Configure button to continue setting the Restrictions payload.

7. Add a Restriction - Disable Cortana

  1. Using the scroll bar on the right, scroll down to the Device Functionality section.
  2. Select Don't Allow for Cortana.
  3. Notice the 10 on the right side of the Restrictions window. These are all the restrictions that Workspace ONE UEM can apply to a Windows 10 computer.
  4. Click Save & Publish.

8. Publish the Restrictions Profile

Click Publish.

10. Verify the Restrictions Profile Now Exists

You should now see your Restrictions Profile within the List View of the Devices Profiles window.

Note: If you need to edit the Restrictions Profile, this is where you would do so. To edit the profile, click the profile name, then select Add Version. Update the profile and click Save & Publish to push the new settings to the assigned devices.

Delivering Apps on Windows 10

You can distribute applications to Windows 10 devices, allowing for a seamless user experience. This exercise helps you to create and distribute an application to your Windows 10 device.

This activity uses the 7-Zip installation program downloaded and stored in the Documents folder.

1. Add Internal Application

In the upper-right corner of Workspace ONE UEM Console:

  1. Select Add.
  2. Select Internal Application.

2. Upload Application

Click Upload.

3. Find the Application MSI

Click the Browse... button.

4. Upload the EXE File

Navigate to your installation file. The 7-zip installation file has been downloaded to the server and placed in the Documents folder.

  1. Select Documents.
  2. Expand HOL.
  3. Select the Windows 10 folder.
  4. Select your installation file, for example, 7z1604-x64.exe.
  5. Click Open.

5. Save the EXE File

Click Save.

6. Continue to the App Settings

  1. Select No for Is this a dependency app?
  2. Click Continue.

7. Configure App Details

  1. Enter a name for your application, for example, 7-Zip.
  2. Select 64-bit for the Supported Processor Architecture.

8. Configure Application Files

  1. Select the Files tab.
  2. Scroll down to find the App Uninstall Process section.
  3. Select Input for the Custom Script Type.
  4. Enter the following for Uninstall Command:
7z1604-x64.exe /Uninstall

Note: For information about copying text from the manual, see the Guidance section.

9. Select Deployment Options

  1. Select Deployment Options.
  2. Scroll down until you see the option for Install Command.
  3. Enter Install Command as:
7z1604-x64.exe /S

Note: For information about copying text from the manual, see the Guidance section.

10. Add an Identify Application Condition

  1. Scroll down to find the When To Call Install Complete section.
  2. Select Defining Criteria for Identify Application By.
  3. Click Add.

11. Configure the Install Complete Defining Criteria

  1. Select File Exists for the Criteria Type.
  2. Enter C:\Program Files\7-Zip\7zFM.exe for the Path.
  3. Click Add.

Note: For information about copying text from the manual, see the Guidance section.

12. Save and Assign the Application

Click Save & Assign.

13. Add an Assignment

Click Add Assignment.

14. Add Assignment Group and Push Mode

  1. Click the Select Assignment Groups search box and select All Devices (your.email@shown.here).
  2. Select Auto for the App Delivery Method.
  3. Select Show for Display in App Catalog.
  4. Select Enabled for Make App MDM Managed if User Installed.
  5. Click Add.

15. Save and Publish the Application

Click Save & Publish.

16. Preview the Assigned Devices

Click Publish.
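
The install command, uninstall command and File Exists criterion entered in steps 8 through 11 are easy to get wrong, and the console gives no feedback until devices start reporting failures. The PowerShell script below is an added example (not part of the VMware tutorial) that exercises those three values on a disposable test VM before you publish: it checks the installer's SHA-256 against a value you supply, runs the install command exactly as the console will, tests the detection path, then runs the uninstall command and checks that the file is gone. The installer path, the hash placeholder and the switches are assumptions taken from the exercise; replace them with your own values, and run the script from an elevated session because the installer writes to C:\Program Files.

```powershell
# Added example, not part of the VMware tutorial: pre-flight check of the
# install command, detection criterion and uninstall command from steps 8-11,
# run on a disposable test VM before the app is published from the console.
# Assumptions: the installer path mirrors the exercise; $ExpectedSha256 is a
# placeholder, not a real hash, and must come from the vendor's published
# checksum; run from an elevated PowerShell session.
param(
    [string]$Installer      = "$env:USERPROFILE\Documents\HOL\Windows 10\7z1604-x64.exe",
    [string]$ExpectedSha256 = 'REPLACE-WITH-VENDOR-PUBLISHED-SHA256',   # placeholder
    [string]$DetectionPath  = 'C:\Program Files\7-Zip\7zFM.exe',        # step 11 criterion
    [string]$InstallArgs    = '/S',                                      # step 9 install command
    [string]$UninstallArgs  = '/Uninstall'                               # step 8 uninstall command
)

function Test-InstallerHash {
    param([string]$Path, [string]$Expected)
    # Refuse to stage a binary whose hash does not match the published value:
    # UEM runs whatever is uploaded, typically in the device (SYSTEM) context,
    # on every assigned device.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return [pscustomobject]@{ Actual = $actual; Matches = ($actual -ieq $Expected) }
}

function Invoke-InstallerCommand {
    param([string]$Path, [string]$Arguments)
    # Run exactly what the console will run; -Wait/-PassThru expose the exit
    # code, which UEM evaluates before it checks the install-complete criteria.
    $proc = Start-Process -FilePath $Path -ArgumentList $Arguments -Wait -PassThru
    return $proc.ExitCode
}

function Test-DetectionCriterion {
    param([string]$Path)
    # Mirrors the "File Exists" criterion from step 11.
    return (Test-Path -LiteralPath $Path -PathType Leaf)
}

if (-not (Test-Path -LiteralPath $Installer)) { throw "Installer not found: $Installer" }

$hash = Test-InstallerHash -Path $Installer -Expected $ExpectedSha256
if (-not $hash.Matches) {
    throw "SHA-256 mismatch for $Installer (got $($hash.Actual)); do not upload this file."
}

$installExit = Invoke-InstallerCommand -Path $Installer -Arguments $InstallArgs
$detected    = Test-DetectionCriterion -Path $DetectionPath
Write-Host "Install exit code: $installExit; detection file present: $detected"
if ($installExit -ne 0 -or -not $detected) {
    throw "Install command or detection path is wrong; fix it in the console before publishing."
}

# Prove the uninstall command really removes the app. If the detection file is
# still there afterwards, the switch is wrong for this installer and removing
# the assignment in UEM would leave the software behind on devices.
$uninstallExit = Invoke-InstallerCommand -Path $Installer -Arguments $UninstallArgs
$stillThere    = Test-DetectionCriterion -Path $DetectionPath
Write-Host "Uninstall exit code: $uninstallExit; detection file present: $stillThere"
if ($stillThere) {
    Write-Warning "Uninstall command did not remove $DetectionPath; verify the switch for this installer."
}
```

Save the script as Test-AppPackage.ps1 and run it once per package revision; a non-zero install exit code or a detection file that survives the uninstall means the values in the console need correcting before Save & Publish.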

Enrolling Your Windows 10 Device with a Basic Account

Next, enroll your Windows 10 device in Workspace ONE UEM. First, download the Workspace ONE Intelligent Hub. You also need a Group ID to complete enrollment. See Retrieving the Group ID from Workspace ONE UEM Console.

1. Download the Workspace ONE Intelligent Hub on the Windows 10 Device

From a new tab in the browser,

  1. Enter https://www.getwsone.com in the navigation bar and press Enter.
  2. Click Download Hub for Windows 10.
    NOTE: Wait until the Workspace ONE Intelligent Hub installer finishes downloading.  
  3. Click Keep when warned about the AirWatchAgent.msi download.

NOTE: If you do not see the warning about the AirWatchAgent.msi file, continue to the next step.

2. Launch the Workspace ONE Intelligent Hub Installer

Click the AirWatchAgent.msi file in your download bar.

NOTE: The installer may take a few seconds to launch, be patient after clicking the AirWatchAgent.msi file.

3. Click Run

Click Run to proceed with the installation.

3.1. Accept the Default Install Location

Leave the default install location and click Next.

NOTE: The Next button may take several seconds to enable while the required additional features are installed.

3.2. Accept the License Agreement

  1. Select I accept the terms of the license agreement.
  2. Click Next.

3.3. Start the Workspace ONE Intelligent Hub Install

Click Install to start the installer.

3.4. Allow the Workspace ONE Intelligent Hub Installer to Run (IF NEEDED)

If prompted to allow the app to make changes on your device, click Yes.

3.5. Complete the Workspace ONE Intelligent Hub Installer

Click Finish to complete the Workspace ONE Intelligent Hub installer.

NOTE: After you click Finish, the native enrollment application launches to guide you through enrolling in Workspace ONE UEM. It takes around 45-60 seconds to launch the agent.

4. Enroll Your Windows 10 Device Using the Workspace ONE Intelligent Hub

Click Server Detail.

4.1. Enter the Server Details

  1. Enter the Server Name, for example, labs.awmdm.com.
  2. Enter Your Group ID for the Group ID field.

4.2. Enter Your User Credentials

  1. Enter your Username, for example, testuser.
  2. Enter the Password, for example, VMware1!.
  3. Click Next.

NOTE: Wait while the server checks your enrollment details.

4.3. Workspace ONE Application Launch

If your Workspace ONE UEM and VMware Identity Manager environments are linked, the Workspace ONE Application automatically opens after enrollment is complete. Click Close.

4.4. Finish the Workspace ONE UEM Enrollment Process

Click Finish to end the enrollment process. Your Windows 10 device is now enrolled in Workspace ONE UEM.

Validating Windows 10 Device Enrollment

After your Windows device is enrolled, the restriction profile installs on the device. Verify that the restrictions are applied on your device to confirm enrollment was successful and that the profile installed correctly.

1. Open Cortana

  1. On the enrolled Windows 10 machine, open the Start menu.
  2. From the apps list, select Cortana.

2. Confirm Cortana Settings are Disabled

Note: The screenshots for this step show Cortana's settings before and after the profile is applied. Your screen should match the After (Cortana Disabled) view.

  1. Confirm that Cortana no longer displays a greeting.
  2. Confirm that the device provides only basic search capabilities.

3. Open File Explorer

From the bottom toolbar, open File Explorer.

4. Open 7-Zip

  1. Select Local Disk (C:).
  2. Select Program Files.
  3. Confirm that the 7-Zip folder exists. Select 7-Zip.
  4. Double-click 7zFM.exe to launch the 7-Zip File Manager.

Note: If you do not see the 7-Zip folder, your application may still be downloading. This can take several minutes to finish.
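
Opening Cortana and the 7-Zip folder confirms the outcome by eye. The PowerShell script below is an added example, not part of the tutorial, that checks the same things from the device side in a form you can rerun or script across many machines: the MDM enrollment that Windows recorded, the Intelligent Hub service, the Cortana policy value, and the 7-Zip detection file. The service name AirWatchService, the mapping of the Cortana restriction to the Windows Policy CSP setting Experience/AllowCortana, and the registry locations used are assumptions not stated on the page; adjust them if your environment reports them differently.

```powershell
# Added example, not part of the VMware tutorial: device-side checks that
# enrollment finished and that the restriction profile and the app arrived.
# Assumptions (not stated on the page): Intelligent Hub's Windows service is
# named AirWatchService; the Cortana restriction maps to the Policy CSP
# setting Experience/AllowCortana, which Windows records under
# HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\Experience and, for the
# classic policy, under HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search.
function Get-MdmEnrollment {
    # Real MDM enrollments are the GUID subkeys under Enrollments that carry a
    # ProviderID; the other subkeys are bookkeeping and are skipped.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.PSObject.Properties['ProviderID']) {
            [pscustomobject]@{
                EnrollmentId = $_.PSChildName
                ProviderID   = $p.ProviderID
                UPN          = $p.UPN
                ServerUrl    = $p.DiscoveryServiceFullURL
            }
        }
    }
}

function Get-CortanaPolicyValue {
    # Returns 0 when Cortana is blocked, 1 when allowed, $null when no policy
    # has been written yet (profile not delivered or device not yet synced).
    foreach ($key in @(
        'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Experience',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search')) {
        $v = (Get-ItemProperty -Path $key -Name AllowCortana -ErrorAction SilentlyContinue).AllowCortana
        if ($null -ne $v) { return [int]$v }
    }
    return $null
}

$enrollments = @(Get-MdmEnrollment)
$hubService  = Get-Service -Name AirWatchService -ErrorAction SilentlyContinue
$cortana     = Get-CortanaPolicyValue
$sevenZip    = Test-Path -LiteralPath 'C:\Program Files\7-Zip\7zFM.exe' -PathType Leaf

[pscustomobject]@{
    Enrolled          = ($enrollments.Count -gt 0)
    EnrollmentServer  = ($enrollments | Select-Object -First 1).ServerUrl
    HubServiceRunning = ($null -ne $hubService -and $hubService.Status -eq 'Running')
    CortanaBlocked    = ($cortana -eq 0)
    SevenZipInstalled = $sevenZip
} | Format-List

if ($enrollments.Count -eq 0) {
    Write-Warning 'No MDM enrollment found; enrollment did not complete.'
}
if ($cortana -ne 0) {
    Write-Warning 'Cortana restriction not applied yet; query the device from the console or wait for the next check-in.'
}
if (-not $sevenZip) {
    Write-Warning '7-Zip detection file missing; the app may still be downloading.'
}
```

EnrollmentServer should name the server you entered in step 4.1; if Enrolled is true but CortanaBlocked is false, the profile has not reached the device yet, which is a delivery problem rather than an enrollment problem.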

Now that you have confirmed enrollment, the Windows 10 Management section is complete.

Summary and Next Steps

Conclusion

This Quick-Start Tutorial introduced you to cloud-based VMware Workspace ONE and enabled you to set up a proof-of-concept environment through practical exercises.

After you have deployed your proof-of-concept implementation, you can explore the product further or plan your production environment by examining Additional Resources.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store A user interface (UI) framework that provides access to a self-service catalog; public examples include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment A mechanism that simplifies enrollment by automatically enrolling registered devices after the Out-of-Box Experience (OOBE).
catalog A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources can be launched upon selection.
cloud A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private, public, or hybrid (both private and public).
device enrollment The process of installing the mobile device management agent on an authorized device. Enrollment allows access to VMware products that provide application stores, such as VMware Identity Manager.
identity provider (IdP) The component of a single sign-on (SSO) framework that authenticates a user and asserts that identity to other resources, so that the user is given access based on an authentication performed elsewhere.
mobile device management (MDM) agent Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP) A host that offers resources, tools, and applications to users and devices.
virtual desktop The user interface of a virtual machine that is made available to an end user.
virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

About the Authors and Contributors

The Quick-Start Tutorial Series for Cloud-Based VMware Workspace ONE was written and updated by

  • Gina Daly, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware 
  • Hannah Jernigan, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Appreciation and acknowledgment for considerable contributions from the following subject matter experts:

  • Josue Negron, Senior Solutions Architect, End-User-Computing Technical Marketing, VMware
  • Justin Sheets, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware
  • Camilo Lotero, Senior Solutions Engineer, End-User-Computing Field Engineering, VMware
  • Mike Nelson, Senior Solutions Engineer, End-User-Computing Field Engineering, VMware

Contributors to the original document include

  • Roger Deane, Senior Manager, End-User-Computing Technical Marketing, VMware
  • Kevin Sheehan, Senior Product Manager, Windows 10 Unified Endpoint Management, VMware
  • Andrew Hornsby, Product Manager, Mobile Identity, VMware
  • Vikas Jain, VMware alumnus
  • Ben Siler, VMware alumnus
  • Oliver Forder, Lead End-User-Computing Specialist, EMEA End-User-Computing Practice, VMware
  • Neil Tarbit, Director, Systems Engineering, End-User Computing, VMware

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.