Workspace ONE UEM Configuration

This chapter is one of a series that make up the VMware Workspace ONE and VMware Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of Workspace ONE and Horizon solutions. This chapter provides information about common configuration and deployment tasks for VMware Workspace ONE UEM. Included are how to create SQL Server clustered instances that can fail over between sites, how to set up a highly available database for your Workspace ONE UEM instance, and how to set the management mode for the Intelligent Hub and for Workspace ONE apps.

Multi-site Deployment

Use the procedures detailed here to create SQL Server clustered instances that can fail over between sites and to set up a highly available database for VMware Workspace ONE® UEM. The following diagram shows the architecture.

Figure 1: On-Premises Multi-site VMware Workspace ONE UEM Architecture

The tasks you need to complete are grouped into the following procedures:

  1. Create a Windows Server Failover Cluster
  2. Configure Cluster Quorum Settings and Possible Owners for Each Cluster Instance
  3. Install the SQL Server on each server in the Windows Server Failover Cluster
  4. Create the Workspace ONE UEM Database
  5. Create the Workspace ONE UEM SQL Service Account and Assign Database Owner Roles
  6. Sync the Workspace ONE UEM Database Account Across SQL Server Availability Group Replicas
  7. Create an Always On Availability Group for the Workspace ONE UEM Database
  8. Set Advanced Always On Availability Group Listener Parameters for Multi-site or Multi-subnet Failover

For steps 1, 2, and 3, which involve creating a Windows Server Failover Cluster with Microsoft SQL Server, follow the procedures detailed in the Multi-site Deployment section of Workspace ONE Access Configuration.

The rest of this section details the procedures that begin with step 4 in the preceding list.

Create the Workspace ONE UEM Database

After you finish creating the Windows Server Failover Cluster (WSFC), you are ready to create the database and configure an Always On availability group for Workspace ONE UEM.

  1. Open SQL Server Management Studio and connect to your SQL Server database instance in Site 1.
  2. Log in as the sysadmin or as a user account with sysadmin privileges.
  3. Click Connect.
  4. Right-click Databases and select New Database.
  5. Enter wsouemDB as the database name.
  6. Scroll to the right side of the Database files section, select the ellipsis (…) for the DATABASE file in the Autogrowth column, and in the dialog box:
    1. Change File Growth to In Megabytes.
    2. Set the size to 128.
    3. Click OK.
  7. Select Options in the left pane, set Collation to SQL_Latin1_General_CS_AS, and let the other options use the defaults.
  8. Select OK to create the database.
  9. Expand Databases and verify that the database is created.
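The same database settings applied and then read back with the dbatools PowerShell module instead of the SSMS dialogs. This is an added example, not part of the reference architecture; the instance name is an assumption.

```powershell
# Added example (not from the reference architecture): creates wsouemDB with the
# settings from the procedure above using dbatools, then reads the settings back
# so they can be checked. The instance name is an assumption.
Import-Module dbatools

$Instance = 'SQL1-SITE1'     # assumed name of the Site 1 SQL Server instance
$DbName   = 'wsouemDB'

# CREATE DATABASE with the case-sensitive collation the procedure requires and a
# fixed 128 MB growth increment for the data file (no percentage growth).
$createSql = @"
IF DB_ID(N'$DbName') IS NULL
BEGIN
    CREATE DATABASE [$DbName]
    COLLATE SQL_Latin1_General_CS_AS;
    ALTER DATABASE [$DbName]
    MODIFY FILE (NAME = N'$DbName', FILEGROWTH = 128MB);
END
"@
Invoke-DbaQuery -SqlInstance $Instance -Database master -Query $createSql

# Read back the collation and the data-file growth setting. growth is in 8 KB
# pages when is_percent_growth = 0, so 128 MB corresponds to 16384 pages.
$checkSql = @"
SELECT d.name, d.collation_name, f.type_desc,
       f.growth, f.is_percent_growth,
       growth_mb = CASE WHEN f.is_percent_growth = 0
                        THEN f.growth * 8 / 1024 END
FROM sys.databases AS d
JOIN sys.master_files AS f ON f.database_id = d.database_id
WHERE d.name = N'$DbName'
"@
$rows = Invoke-DbaQuery -SqlInstance $Instance -Database master -Query $checkSql
$rows | Format-Table -AutoSize

# Fail loudly if the collation or growth increment does not match the procedure;
# UEM expects the case-sensitive collation and a fixed growth increment.
$data = $rows | Where-Object type_desc -eq 'ROWS'
if ($data.collation_name -ne 'SQL_Latin1_General_CS_AS' -or
    $data.is_percent_growth -or $data.growth_mb -ne 128) {
    throw "$DbName does not match the required collation or autogrowth settings."
}
```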

Create the Workspace ONE UEM SQL Service Account and Assign Database Owner Roles

After you create the Workspace ONE UEM database, you must configure the SQL service account that will be used to connect to the Workspace ONE UEM database.

  1. Open SQL Server Management Studio.
  2. Log in to the database server that contains the Workspace ONE UEM database.
  3. Navigate to Security > Login, right-click Login, and select New Login to give the account a login name.
  4. Select whether to use your Windows account or the local SQL Server account for authentication.
  5. If you select SQL Server authentication, enter the password to be used.
  6. Select wsouemDB as the default database.
  7. Navigate to the Server Roles page and select public as the server role.
  8. Navigate to the User Mapping page and make the following selections:
    1. In the Users mapped to this login list, select wsouemDB, and in the Database role membership list, select the db_owner role.
      Important: The db_owner role must be selected for the SQL Server user account that you plan to use for running the Workspace ONE UEM database script.
    2. In the Users mapped to this login list, select the msdb database, and in the Database role membership list, select the SQLAgentUserRole and db_datareader roles.
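An added example (not from the reference architecture) that performs the login creation and role mapping above with dbatools and T-SQL, then checks that the account holds exactly the intended roles and no server-level role beyond public. The instance name and the login name wsouem_svc are assumptions.

```powershell
# Added example (not from the reference architecture): creates the Workspace ONE
# UEM SQL login, maps it with the role memberships from the procedure above, then
# verifies that it holds db_owner on wsouemDB only and is not a sysadmin.
Import-Module dbatools

$Instance = 'SQL1-SITE1'        # assumed Site 1 instance that hosts wsouemDB
$Login    = 'wsouem_svc'        # assumed login name for the UEM service account
$DbName   = 'wsouemDB'

# SQL Server authentication: prompt for the password instead of hard-coding it.
$secret = Read-Host -Prompt "Password for $Login" -AsSecureString
New-DbaLogin -SqlInstance $Instance -Login $Login -SecurePassword $secret `
             -DefaultDatabase $DbName | Out-Null

# db_owner on the UEM database (required to run the UEM database script).
$uemSql = @"
IF DATABASE_PRINCIPAL_ID(N'$Login') IS NULL CREATE USER [$Login] FOR LOGIN [$Login];
ALTER ROLE db_owner ADD MEMBER [$Login];
"@
Invoke-DbaQuery -SqlInstance $Instance -Database $DbName -Query $uemSql

# SQLAgentUserRole and db_datareader in msdb, and nothing more.
$msdbSql = @"
IF DATABASE_PRINCIPAL_ID(N'$Login') IS NULL CREATE USER [$Login] FOR LOGIN [$Login];
ALTER ROLE SQLAgentUserRole ADD MEMBER [$Login];
ALTER ROLE db_datareader ADD MEMBER [$Login];
"@
Invoke-DbaQuery -SqlInstance $Instance -Database msdb -Query $msdbSql

# Verification: list the database roles actually granted in each database.
$roleSql = @"
SELECT DB_NAME() AS db, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$Login'
"@
$roles = foreach ($db in $DbName, 'msdb') {
    Invoke-DbaQuery -SqlInstance $Instance -Database $db -Query $roleSql
}
$roles | Format-Table db, role_name -AutoSize

# The service account needs public at server level only; refuse to continue if
# someone has put it in sysadmin, which would defeat the per-database scoping.
$isSysadmin = Invoke-DbaQuery -SqlInstance $Instance -Database master `
    -Query "SELECT IS_SRVROLEMEMBER('sysadmin', N'$Login') AS is_sysadmin"
if ($isSysadmin.is_sysadmin -eq 1) {
    throw "$Login is a member of sysadmin; the procedure calls for public only."
}
```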

Sync the Workspace ONE UEM Database Account Across SQL Server Availability Group Replicas

In this reference architecture, we used the Copy-DbaLogin and Sync-DbaLoginPermission commands to ensure that the login is consistent across all SQL Server instances. These commands are part of the dbatools PowerShell module, which is available on GitHub.

  1. Use the Copy-DbaLogin PowerShell command to sync the SQL wsouemDB account across all Always On instances.
    1. Syntax: Copy-DbaLogin -Source <SQL_server> -Destination <SQL_server>
    2. Where the source server is the SQL Server instance where the Workspace ONE UEM SQL Server account was created, and the destination server is the additional SQL Server Always On replica server that will be used in the Always On availability group.
  2. Use the Sync-DbaLoginPermission PowerShell command to sync account permissions across all Always On instances.
    1. Syntax: Sync-DbaLoginPermission -Source <SQL_server> -Destination <SQL_server>
    2. Where the source server is the SQL Server instance where the Workspace ONE UEM SQL Server account was created, and the destination server is the additional SQL Server Always On replica server that will be used in the Always On availability group.
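The two dbatools steps above as one script, as an added example that is not part of the reference architecture; the instance and login names are assumptions. It also verifies that the copied login carries the same SID on every replica, which is what keeps the database user mapped after a failover.

```powershell
# Added example (not from the reference architecture): copies the UEM login from
# the Site 1 primary to every other Always On replica with dbatools, syncs its
# permissions, then checks that the login's SID is identical on all instances.
# Instance and login names are assumptions.
Import-Module dbatools

$Source       = 'SQL1-SITE1'                               # where the login was created
$Destinations = 'SQL2-SITE1', 'SQL1-SITE2', 'SQL2-SITE2'   # the other AG replicas
$Login        = 'wsouem_svc'

# Copy-DbaLogin recreates the login with the same SID and password hash, so the
# database user inside wsouemDB still maps to it after a failover to any replica.
Copy-DbaLogin -Source $Source -Destination $Destinations -Login $Login

# Sync-DbaLoginPermission copies the server roles, server permissions and msdb
# role memberships for that login. The wsouemDB user itself travels with the
# database when the availability group seeds it and maps to the login by SID.
Sync-DbaLoginPermission -Source $Source -Destination $Destinations -Login $Login

# Verification: a login that exists with a different SID on a replica would
# become an orphaned user after failover, so compare SIDs across all instances.
$sids = foreach ($instance in @($Source) + $Destinations) {
    $l = Get-DbaLogin -SqlInstance $instance -Login $Login
    [pscustomobject]@{
        Instance = $instance
        Sid      = if ($l) { [System.BitConverter]::ToString($l.Sid) } else { '<missing>' }
    }
}
$sids | Format-Table -AutoSize

$distinct = $sids.Sid | Sort-Object -Unique
if (@($distinct).Count -ne 1 -or $distinct -eq '<missing>') {
    throw "$Login is missing or has mismatched SIDs across the replicas."
}
```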

Create an Always On Availability Group for the Workspace ONE UEM Database

  1. Open SQL Server Management Studio and connect to the server where the wsouemDB database was created.
  2. Navigate to Always On High Availability, right-click, and select New Availability Group Wizard.
  3. Give the availability group for the wsouemDB database a name; for example, wsouem-AG.
  4. Select the wsouemDB database for the availability group.
    If you have not already done so, make a full backup of the database before you proceed.
  5. Click Add Replica and enter the credentials of the additional SQL Server instance to join the availability group.
  6. Configure synchronous replication with automatic failover for the primary and secondary replicas within Site 1, and configure asynchronous replication for the replicas in Site 2.
  7. On the Listener tab, select Create an availability group listener, enter the Listener DNS Name and Port, and click Add to add the listener IP addresses.
    Note: There are two subnets, one for each site. Enter one unused IP address from each subnet. SQL Server creates the DNS record for the availability group listener.
  8. On the Select Initial Data Synchronization page, select Automatic Seeding.
    Important: Automatic seeding requires that data and log file paths be consistent across both availability replica SQL Server instances. If your configuration uses different data and log file paths, choose another data synchronization method.
  9. Click Next. The Validation page, the Summary page, and the Results page take you through the process of creating the availability group and the listener and adding the replicas.

When the process is complete, you can view the new availability group in SQL Server Management Studio.

  10. Expand the availability group in SQL Server Management Studio and verify the settings.
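An added example (not from the reference architecture) covering the automatic-seeding prerequisite and the final verification above: it compares the default data and log paths across the replicas before seeding is chosen, and afterwards reads back the replica modes and listener IP addresses. The instance names and the availability group name wsouem-AG are assumptions.

```powershell
# Added example (not from the reference architecture): before choosing Automatic
# Seeding, confirms the default data and log paths match on every replica; after
# the wizard finishes, reads back the replica modes and listener IPs of wsouem-AG.
# Instance and availability group names are assumptions.
Import-Module dbatools

$Replicas = 'SQL1-SITE1', 'SQL2-SITE1', 'SQL1-SITE2', 'SQL2-SITE2'
$AgName   = 'wsouem-AG'

# Automatic seeding creates the database files on each secondary in that
# instance's default paths, so those paths must be identical across replicas.
$paths = foreach ($r in $Replicas) {
    Invoke-DbaQuery -SqlInstance $r -Database master -Query @"
SELECT @@SERVERNAME AS instance,
       CAST(SERVERPROPERTY('InstanceDefaultDataPath') AS nvarchar(260)) AS data_path,
       CAST(SERVERPROPERTY('InstanceDefaultLogPath')  AS nvarchar(260)) AS log_path
"@
}
$paths | Format-Table -AutoSize
$dataPaths = $paths.data_path | Sort-Object -Unique
$logPaths  = $paths.log_path  | Sort-Object -Unique
if (@($dataPaths).Count -ne 1 -or @($logPaths).Count -ne 1) {
    throw 'Data or log paths differ between replicas; automatic seeding will fail.'
}

# After creation: Site 1 replicas should be synchronous with automatic failover,
# Site 2 replicas asynchronous with manual failover, and the listener should
# hold one IP address per subnet.
$agSql = @"
SELECT ar.replica_server_name, ar.availability_mode_desc, ar.failover_mode_desc,
       ar.seeding_mode_desc, rs.role_desc, rs.synchronization_health_desc
FROM sys.availability_groups AS ag
JOIN sys.availability_replicas AS ar ON ar.group_id = ag.group_id
LEFT JOIN sys.dm_hadr_availability_replica_states AS rs ON rs.replica_id = ar.replica_id
WHERE ag.name = N'$AgName'
"@
Invoke-DbaQuery -SqlInstance $Replicas[0] -Database master -Query $agSql |
    Format-Table -AutoSize

$listenerSql = @"
SELECT l.dns_name, l.port, ip.ip_address, ip.ip_subnet_mask, ip.state_desc
FROM sys.availability_group_listeners AS l
JOIN sys.availability_group_listener_ip_addresses AS ip
  ON ip.listener_id = l.listener_id
JOIN sys.availability_groups AS ag ON ag.group_id = l.group_id
WHERE ag.name = N'$AgName'
"@
Invoke-DbaQuery -SqlInstance $Replicas[0] -Database master -Query $listenerSql |
    Format-Table -AutoSize
```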


Set Advanced Always On Availability Group Listener Parameters for Multi-site or Multi-subnet Failover

  1. Open a PowerShell prompt and use the Get-ClusterResource and Get-ClusterParameter cmdlets to determine the name of the listener resource (wsouem-ag_wsouem-agl) and its current settings.
  2. Change the HostRecordTTL to a lower value than the default using the following command:

Get-ClusterResource wsouem-ag_wsouem-agl | Set-ClusterParameter HostRecordTTL 120

A generally recommended value is 120 seconds, or 2 minutes, rather than the default of 20 minutes. Changing this setting reduces the time it takes legacy clients that cannot use the MultiSubnetFailover connection parameter to connect to the correct IP address after a failover.

  3. Use the following command to change RegisterAllProvidersIP to false in multi-site deployments:

Get-ClusterResource wsouem-ag_wsouem-agl | Set-ClusterParameter RegisterAllProvidersIP 0

With this setting, only the active IP address of the Client Access Point in the WSFC cluster is registered in DNS, reducing connection latency for legacy clients.

For instructions on how to configure these settings, see RegisterAllProvidersIP Setting and HostRecordTTL Setting. For sample scripts to configure the recommended settings, see Sample PowerShell Script to Disable RegisterAllProvidersIP and Reduce TTL.

  4. Stop and restart the wsouem-ag_wsouem-agl resource so that the new settings take effect. Enter the following commands:

Stop-ClusterResource wsouem-ag_wsouem-agl
Start-ClusterResource wsouem-ag_wsouem-agl
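The listener changes above as one script, as an added example that is not part of the reference architecture: it records the current values, applies the new ones, restarts the resource, and then checks what DNS actually publishes. The listener DNS name wsouem-agl is an assumption derived from the resource name.

```powershell
# Added example (not from the reference architecture): reads the listener
# resource's current multi-subnet settings, applies HostRecordTTL = 120 and
# RegisterAllProvidersIP = 0, restarts the resource, and checks the DNS record.
# The listener DNS name is an assumption; the resource name follows the text.
Import-Module FailoverClusters

$ResourceName = 'wsouem-ag_wsouem-agl'   # the listener (network name) cluster resource
$ListenerDns  = 'wsouem-agl'             # assumed listener DNS name

$res = Get-ClusterResource -Name $ResourceName

# Show the current values (defaults: HostRecordTTL 1200 s, RegisterAllProvidersIP 1).
$res | Get-ClusterParameter -Name HostRecordTTL, RegisterAllProvidersIP |
    Format-Table Name, Value -AutoSize

# Apply the recommended multi-site values.
$res | Set-ClusterParameter -Name HostRecordTTL -Value 120
$res | Set-ClusterParameter -Name RegisterAllProvidersIP -Value 0

# The new values apply only after the listener resource is restarted. Taking the
# network name offline also takes down resources that depend on it (the AG
# resource), so bring the whole role back online afterwards.
Stop-ClusterResource -Name $ResourceName | Out-Null
Start-ClusterResource -Name $ResourceName | Out-Null
$res.OwnerGroup | Start-ClusterGroup | Out-Null

# Verify: the parameters are stored, and DNS now publishes a single A record with
# the 120 s TTL, which is what legacy clients without MultiSubnetFailover rely on.
$params = $res | Get-ClusterParameter -Name HostRecordTTL, RegisterAllProvidersIP
if (($params | Where-Object Name -eq HostRecordTTL).Value -ne 120 -or
    ($params | Where-Object Name -eq RegisterAllProvidersIP).Value -ne 0) {
    throw "Listener parameters on $ResourceName were not applied."
}
$records = Resolve-DnsName -Name $ListenerDns -Type A -DnsOnly
$records | Format-Table Name, IPAddress, TTL -AutoSize
if (@($records).Count -ne 1) {
    Write-Warning 'More than one A record is still registered; wait for the old record to age out.'
}
```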

Now that the database is set up and the SQL Server Always On availability group is configured, you can deploy and configure VMware Workspace ONE UEM components to point to the Always On availability group for the database.


Using Intelligent Hub and Workspace ONE Apps on Devices That Are Not Fully Managed

Workspace ONE UEM administrators can enable the use of Workspace ONE Intelligent Hub and Workspace ONE apps on Android and iOS devices without also requiring full mobile device management (MDM). The method used in the Workspace ONE UEM console to set the management mode for the Intelligent Hub differs from that for Workspace ONE apps. This section includes procedures for both.

MDM Enrollment vs. Registered Mode vs. Adaptive Management

For most corporate-owned mobile devices, organizations require full device management, or MDM enrollment, before granting access to corporate apps and resources. But for employee-owned devices, UEM administrators can allow users to log in to the Intelligent Hub or Workspace ONE apps without requiring MDM enrollment. For example, the user can access the catalog of corporate applications without installing the iOS MDM profile on their device. This option is called registered mode: the user’s device is registered but not fully managed.

However, if an iOS user attempts to access a restricted corporate application in the catalog that requires MDM enrollment, the user will be prompted to install the iOS MDM profile. This is referred to as adaptive management, or step-up enrollment, and is supported only on iOS devices. The Android platform does not support adaptive management.

To learn how to enable adaptive management for restricted corporate applications that require MDM enrollment for access, see the Enabling Adaptive Management for iOS section of Workspace ONE UEM Architecture.

Enable Intelligent Hub Without Requiring Full Management

Most of the functionality within the Workspace ONE app, such as the user’s Favorites application list, is also included in the Intelligent Hub app, along with additional capabilities available only in the Intelligent Hub. Therefore, to access corporate applications from mobile devices, many organizations prefer using the Intelligent Hub over using the Workspace ONE mobile app.

Figure 2: The VMware Intelligent Hub App for iOS

The procedure that follows describes how to enable access to Intelligent Hub without requiring MDM enrollment or installing the iOS MDM profile on the device. The relevant settings for the Intelligent Hub app are located on the Management Mode tab of Enrollment settings in the Workspace ONE UEM console. 

Important: This procedure is about enabling access to the Intelligent Hub itself, but for end users to access the embedded app catalog within the Intelligent Hub, an administrator must also activate Hub Services and enable the Hub Catalog. See Enable Hub Catalog for Workspace ONE Customers Updating to Hub Services.

  1. From the desired organization group within the Workspace ONE UEM console, browse to Groups & Settings > All Settings > Devices & Users > General > Enrollment, select the Management Mode tab, and for Current Setting, select Override if Inherit is selected.

These settings affect only the Workspace ONE Intelligent Hub app, formerly called the AirWatch Agent.

  2. Configure the management mode to use for employee-owned devices.
    In this exercise, you will configure the following modes: full management, registered mode for a particular organization group, and registered mode for a smart group.
    1. Full management, requiring MDM enrollment - Under the Management Mode tab, set iOS and Android to DISABLED to require MDM enrollment for all devices accessing the Workspace ONE Intelligent Hub app. This is the default.
    2. Registered mode for an organization group - Enable all devices in the current organization group to access Intelligent Hub without requiring MDM enrollment, as follows:
      1. Set iOS and Android to ENABLED.
      2. Set All iOS devices in this Organization Group to ENABLED.
      3. Set All Android devices in this Organization Group to ENABLED.
    3. Registered mode for a Smart Group - Require MDM enrollment for some devices, and enable a subset of devices to access Intelligent Hub without MDM enrollment:
      1. Set iOS to ENABLED.
      2. Set All iOS devices in this Organization Group to DISABLED.
      3. Start typing the name of the Smart Group in the iOS Smart Groups field, or select it from the list that appears. Only this Smart Group is enabled to access Intelligent Hub without MDM enrollment.
  3. Set Prompt for Device Ownership Type to ENABLED under the Optional Prompt tab within Enrollment settings.

In order to successfully log in to the Intelligent Hub mobile app without MDM enrollment, the device must be enrolled as employee-owned. Corporate-owned devices default to requiring MDM enrollment.

Enable the Workspace ONE App Without Requiring Full Management

If your users utilize the Workspace ONE app to access corporate applications, administrators can use the following procedure to enable access to this app without requiring MDM enrollment or installing the iOS MDM profile. The relevant settings for the Workspace ONE app are located on the Restrictions tab of Enrollment settings in the Workspace ONE UEM console. 

Figure 3: The VMware Workspace ONE App for iOS

Note: Most of the functionality within the Workspace ONE app, such as the user’s Favorites application list, is also included in the Intelligent Hub app, along with additional capabilities available only in the Intelligent Hub. Therefore, many organizations prefer using the Intelligent Hub over the Workspace ONE mobile app.

  1. From the desired organization group within the Workspace ONE UEM console, browse to Groups & Settings > All Settings > Devices & Users > General > Enrollment, select the Restrictions tab, and for Current Setting, select Override if Inherit is selected.
  2. Scroll down to the Management Requirements for Workspace ONE section.

These settings affect only the VMware Workspace ONE app.

  3. Configure the management mode to use for employee-owned devices.
    In this exercise, you will configure the following modes: full management, registered mode for all devices, and full management for one user group.
    1. Full management, requiring MDM enrollment - Require MDM enrollment for all devices accessing the Workspace ONE app, as follows:
      1. Set Require MDM for Workspace ONE to ENABLED.
      2. Set Assigned User Group to All Users.
      3. Set iOS and Android to ENABLED.
    2. Registered mode for all devices - To enable all devices to access the Workspace ONE app without requiring MDM enrollment or installing the iOS MDM profile, set Require MDM for Workspace ONE to DISABLED.
    3. Full management for a particular user group - Require MDM enrollment for a subset of devices, as follows:
      1. Set Require MDM for Workspace ONE to ENABLED.
      2. From the Assigned User Group drop-down list, select the user group that will be required to enroll to log in to the Workspace ONE app.
      3. Set iOS and Android to ENABLED.

In this example, all devices in the Dark Side user group will be required to install the MDM profile to access the Workspace ONE mobile app. However, all other users can log in to the Workspace ONE app without MDM enrollment.

Note: If you hover your mouse over the tooltip next to the Require MDM for Workspace ONE setting, you will see the following text:

“When enabled, devices that fit the assigned criteria are prompted to enroll immediately upon log in to Workspace ONE. Those devices that do not fit the assigned criteria are allowed to log in with an unmanaged state.”

This portion of the tooltip describes the ability to require MDM enrollment (that is, require the MDM profile) for some users, while other users are allowed to log in to the Workspace ONE app without MDM enrollment (that is, they can use registered mode).

The portion of the tooltip that says, “They may come under management later using Adaptive Management,” indicates that if an iOS user attempts to launch a corporate application that requires MDM enrollment, the user will be prompted to install the iOS MDM profile.

  4. Set Prompt for Device Ownership Type to ENABLED under the Optional Prompt tab within Enrollment settings.

In order to successfully log in to the Workspace ONE app without MDM enrollment, the device must be enrolled as employee-owned. Corporate-owned devices default to requiring MDM enrollment.


What's Next?

Now that you have come to the end of this chapter, you can return to the landing page and search or scroll to select your next chapter in one of the following sections:

  • Overview chapters provide understanding of business drivers, use cases, and service definitions.
  • Architecture chapters explore the products you are interested in including in your platform, including Workspace ONE UEM, Workspace ONE Access, Workspace ONE Assist, Workspace ONE Intelligence, Horizon, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
  • Integration chapters cover the integration of components and services you need to create the platform capable of delivering what you want.
  • Configuration chapters provide reference for specific tasks as you build your platform, such as installation, deployment, and configuration processes for Horizon, App Volumes, Dynamic Environment Management, and more.
