Lab Overview - HOL-1857-06-UEM - Workspace ONE UEM Configuration, AD Integration/Certificates
The Advanced AirWatch lab targets some of the more advanced features, such as Active Directory integration and Certificate Authority integration. AD integration allows admins and end users to use their corporate AD credentials without having to create local accounts in the AirWatch console. Certificate-based authentication is not only one of the more secure forms of authentication; it also gives end users a better experience on their mobile devices.
Each Module can be taken independently, or you can start at the beginning and work your way through each module in sequence. In most cases, a unique "sandbox" instance of AirWatch will be created just for you when you begin a Module. When the Module has ended, this sandbox will be deleted and the device that you are enrolling in the lab will be returned to the state it was in prior to the lab. The approximate time it will take to go through all the modules is around 1 hour.
During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.
You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.
You can also use the Online International Keyboard found in the Main Console.
When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.
One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.
Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark.
This cosmetic issue has no effect on your lab.
Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.
Module 1 - Advanced Workspace ONE UEM Configuration, AD Integration/Certificates (60 minutes)
AirWatch can integrate with your Certificate Authority to provide certificates to your enrolled devices. This enables your users to utilize certificates for authentication and other purposes, increasing security and providing a better user experience by eliminating the need to authenticate with credentials.
This lab module will explore how to integrate a Certificate Authority with AirWatch, configure the templates, and distribute a certificate to a device by using a Profile.
The VMware Enterprise Systems Connector allows organizations to integrate AirWatch with back-end enterprise systems without exposing or compromising the security of these systems. The VMware Enterprise Systems Connector runs in the internal network and acts as a proxy that securely transmits requests from AirWatch to enterprise infrastructure components.
For the purposes of the lab, the VMware Enterprise Systems Connector is already set up and configured for you. The following steps will review the architecture and show a demo video of how to install the VMware Enterprise Systems Connector.
The simple architecture diagram above demonstrates the following concepts:
Continue to the next step when you are ready.
NOTE - You may need to scroll to the right to view the full screen button on the video above.
NOTE - The video contains no sound. Please refer to the subtitles for details of the installation process.
Please watch this short demonstration of how to install the VMware Enterprise Systems Connector before continuing to the next step.
NOTE - Do not attempt to make any of the configurations or changes shown in the demo video! This demonstration is only to highlight the configuration and installation process for your knowledge.
To perform most of the lab you will need to log in to the AirWatch Management Console.
Double-click the Chrome Browser on the lab desktop.
The default home page for the browser is https://hol.awmdm.com. Enter your AirWatch Admin Account information and click the Login button.
NOTE - If you see a Captcha, please be aware that it is case sensitive!
NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the AirWatch Hands On Labs server.
NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.
After completing the Security Settings, you will be presented with the AirWatch Console Welcome pop-up.
In this chapter, you will set up Active Directory Services to work with AirWatch MDM. If you haven't yet opened the console, please do so now by following the instructions in "Login to the AirWatch Console".
Configure the Server section of Directory Services as follows:
Configure the User section of Directory Services as follows:
Configure the Group section of Directory Services as follows:
After the Saving spinner finishes, you should see the Saved Successfully confirmation appear.
Click the Close (X) button in the top-right corner.
This module will walk through the configuration of a newly installed Enterprise Certificate Authority for use with AirWatch as well as how to integrate the Certificate Authority on your domain with AirWatch SaaS services using the VMware Enterprise Systems Connector.
The first step in this process is to prepare your Certificate Authority, create a template for use with AirWatch and assign security permissions to allow a service account to make requests to the CA. If you already have a PKI in your enterprise, AirWatch can seamlessly connect with your current infrastructure.
For this lab, the Certificate Authority has already been configured for you. To better learn and understand the configurations made to integrate the Certificate Authority with AirWatch, you can choose between watching a demo video on how to configure the Certificate Authority, or you can practice the steps hands-on using a local Certificate Authority.
Now that the configuration of the Certificate Authority itself is done, you will configure the Certificate Authority within AirWatch.
In order for AirWatch to retrieve a certificate from a Certificate Authority (CA), you must configure the AirWatch console to communicate with the CA. There are two steps to this process:
Return to the AirWatch Console in your browser tab.
This concludes the configuration of Microsoft Active Directory, Microsoft Certificate Authority, and AirWatch with the VMware Enterprise Systems Connector.
Proceed to the next chapter to define an AirWatch profile and configure your device for use with this enterprise certificate.
We will now walk through the creation of an iOS Profile for a Credential Payload which will deliver a unique enterprise certificate to the device. Please be sure you are logged into the AirWatch web console before continuing.
You will now be presented with the Add Profile screen. Here you would select the operating system type of your device.
For this lab, select Apple iOS.
After clicking on the iOS icon, you will be presented with the Add a New Apple iOS Profile screen. All profiles are broken down into two basic sections, the General section and the Payload section.
The General section has information about the Profile, its name and granular filters to determine which devices will receive the configurations in the profile.
The Payload sections define actions to be taken on the device.
Every Profile must have all required fields in the General section properly filled out and at least one payload configured.
NOTE - In most cases, it is recommended a Profile contain only one Payload.
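The General/Payload split described above is the structure of the configuration profile iOS receives (Apple's .mobileconfig plist format: top-level keys for the General section, a PayloadContent array for the payloads). The following is an added example, not code from the lab or from Workspace ONE UEM: it builds a constructed profile with a credential payload and checks the rules the lab states (required General fields present, at least one payload, and a warning when a profile carries more than one). The identifiers, UUIDs and placeholder PKCS#12 bytes are made up for the example.

```python
"""Structural check of an iOS configuration profile (.mobileconfig).

Added example mirroring the General section / Payload section split the lab
describes. The profile data is constructed here and is not a profile exported
from Workspace ONE UEM; identifiers and placeholder bytes are made up.
"""
import plistlib

# Keys every profile's General section must carry (Apple's top-level keys).
REQUIRED_GENERAL_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier",
                         "PayloadUUID", "PayloadDisplayName")
# Keys every individual payload must carry.
REQUIRED_PAYLOAD_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier",
                         "PayloadUUID")


def credential_payload(identifier, payload_uuid):
    """A constructed PKCS#12 credential payload (placeholder content bytes)."""
    return {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": payload_uuid,
        "PayloadDisplayName": "iOS Certificate",
        "PayloadContent": b"placeholder-pkcs12-bytes",  # a real payload carries the .p12 blob
        "Password": "placeholder-p12-password",         # placeholder, not a real secret
    }


def build_profile(payloads):
    """Wrap payloads in a General section, as the console's profile editor does."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.hol.ios-certificate",   # constructed
        "PayloadUUID": "11111111-2222-3333-4444-555555555555",    # constructed
        "PayloadDisplayName": "iOS Certificate",
        "PayloadOrganization": "Example Org (constructed)",
        "PayloadContent": list(payloads),
    }


def check_profile(profile):
    """Return (errors, warnings) for the profile rules the lab describes."""
    errors, warnings = [], []
    # General section: every required field must be filled in.
    for key in REQUIRED_GENERAL_KEYS:
        if not profile.get(key):
            errors.append(f"General section missing {key}")
    if profile.get("PayloadType") not in (None, "Configuration"):
        errors.append("Top-level PayloadType must be 'Configuration'")
    # Payload section: at least one payload is mandatory.
    payloads = profile.get("PayloadContent")
    if not isinstance(payloads, list) or not payloads:
        errors.append("Profile must contain at least one payload")
        return errors, warnings
    if len(payloads) > 1:
        warnings.append(f"{len(payloads)} payloads in one profile; "
                        "one payload per profile is recommended")
    seen_uuids = {profile.get("PayloadUUID")}
    for idx, payload in enumerate(payloads):
        for key in REQUIRED_PAYLOAD_KEYS:
            if not payload.get(key):
                errors.append(f"Payload {idx} missing {key}")
        payload_uuid = payload.get("PayloadUUID")
        if payload_uuid and payload_uuid in seen_uuids:
            errors.append(f"Payload {idx} reuses PayloadUUID {payload_uuid}")
        seen_uuids.add(payload_uuid)
        # A PKCS#12 credential payload must carry binary (<data>) content.
        if payload.get("PayloadType") == "com.apple.security.pkcs12":
            if not isinstance(payload.get("PayloadContent"), bytes):
                errors.append(f"Payload {idx}: PKCS#12 payload needs binary PayloadContent")
    return errors, warnings


def roundtrip(profile):
    """Serialize to the XML plist form iOS consumes and parse it back."""
    return plistlib.loads(plistlib.dumps(profile))


if __name__ == "__main__":
    sample = build_profile([credential_payload("com.example.hol.cred",
                                               "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")])
    print(plistlib.dumps(sample).decode())
    print(check_profile(roundtrip(sample)))
```

Running the block prints the constructed profile as the XML plist iOS would receive, followed by an empty error and warning list. The check is purely structural: it says nothing about whether the certificate inside the payload is valid or trusted, which the device decides against the CA at install time.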
Configure the profile as follows:
NOTE - You do not need to click SAVE or SAVE AND PUBLISH at this point. This interface allows you to move around to different payload configuration screens before saving.
Continue to the next step in the lab manual to continue configuring this profile.
NOTE - When initially setting a payload, a Configure button will show to reduce the risk of accidentally setting a payload configuration.
After clicking on Save & Publish you will be presented with the Device Assignment screen. Click Publish.
Typically you would see the devices that your profile would be assigned to here. This allows you to verify the filters you applied on the general tab are applied correctly before pushing the profile to devices. If you haven't enrolled a device, you won't see any devices here.
You should now see your Restrictions Profile, named "iOS Certificate", within the List View of the Devices Profiles window.
NOTE - If you want to make changes to the profile, this is where you would do so. To edit a profile, click on the profile name and select Add Version, make your changes and then select Save & Publish.
You will now enroll your iOS device by using a directory account for use with this module.
NOTE - Checked out devices will likely have the AirWatch MDM Agent already installed. You may skip this step if your device has the AirWatch MDM agent installed.
At this point, if using your own iOS device or if the device you are using does NOT have the AirWatch MDM Agent Application installed, then install the AirWatch Application.
To Install the AirWatch MDM Agent application from the App Store, open the App Store application and download the free AirWatch MDM Agent application.
Launch the AirWatch Agent app on the device.
NOTE - If you have your own iOS device and would like to test, you will need to download the agent first.
Click on the Server Details button.
The first step is to make sure you know what your Organization Group ID is.
NOTE - The Group ID is required when enrolling your device in the following steps.
Once the Agent has launched you can enroll the device. To do so, follow the below steps.
NOTE - If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Continue button.
On this screen, enter the Username and Password for the basic user account.
If you are prompted to allow the website to open Settings to show you a configuration profile, tap Allow.
NOTE - If you do not see this prompt, ignore this and continue to the next step. This prompt will only occur on devices running iOS 10.3.3 or later.
The AirWatch Agent will now redirect you to Safari and start the process of enabling MDM in the device settings.
Tap on Redirect & Enable at the bottom of the screen.
Tap Install in the upper right corner of the Install Profile dialog box.
Tap Install when prompted at the Install Profile dialog.
NOTE - If a PIN is requested, it is the current device PIN. Provided VMware devices should not have a PIN.
You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.
Tap Install in the upper-right corner of the screen.
You should now see the iOS request to trust the source of the MDM profile.
Tap Trust when prompted at the Remote Management dialog.
You should now see the iOS Profile successfully installed.
Tap Done in the upper right corner of the prompt.
Your enrollment is now completed. Tap Open to navigate to the AirWatch Agent.
Click on Done to continue.
Tap Allow if you get a prompt for Notifications.
You may be prompted to install a series of applications depending on which Module you are taking. If prompted, tap Install to accept the application installation.
You can now confirm the certificate was issued and installed on the device. When you enrolled your device, the profile containing a certificate from the CONTROLCENTER-CA was pushed down to your device. The speed at which the profile is installed on the device depends on many variables outside the control of AirWatch. The profile with the certificate may arrive in a few seconds or it may take a few minutes. We will now look in Settings for the certificate.
On the iOS device, return to the launchpad by pressing the home button then select the Settings icon to open the menu.
Select More Details to view additional configuration.
Look for the Certificates section in this menu. What is seen on your screen may differ from the image above depending on your lab configuration. You should see a certificate issued to your AD user named imauser that has been issued from the CONTROLCENTER-CA that we previously integrated into AirWatch. This certificate can be used in conjunction with Email, Wi-Fi or VPN profiles. Certificates can also be used to authenticate to web resources or content repositories. You may select the certificate to view more details. When you are ready, continue to the next step.
This concludes configuring AirWatch to be used with an Enterprise Active Directory and Enterprise Certificate Authority. Together they provide a single point of authentication, using internal Enterprise security settings to ensure corporate data security is maintained even on end users' personal devices. Please continue with the next steps to complete the module.
You are now going to un-enroll the iOS device from AirWatch.
NOTE - The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.
It will NOT remove the AirWatch MDM Agent application from the device as this was downloaded manually before AirWatch had control of the device.
Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled. It will not affect anything that was on the device prior to enrollment.
To Enterprise Wipe your device you will first bring up the AirWatch Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and "VMware1!" as the password).
NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown on image in this step.
After selecting Enterprise Wipe, you will be prompted to enter your Security PIN, which you set after you logged into the console ("1234").
NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:
NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.
Feel free to continue to the "Force the Wipe" step to manually uninstall the AirWatch services from the device if network connectivity is failing.
Press the Home button on the device to go back to the home screen. The applications pushed through AirWatch should have been removed from the device.
NOTE - The applications and settings pushed through AirWatch management should have been removed. The Agent will still be on the device because it was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse the various networks out and back to your device. Continue on to the next step to force the wipe if needed.
If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.
Tap the Workspace Services profile that was pushed to the device.
After removing the Workspace Services profile, the device will be un-enrolled. Feel free to return to the "Verify the Un-Enrollment" step to confirm the successful un-enrollment of the device.
This lab module reviewed how to integrate a Certificate Authority with AirWatch to provision certificates to your enrolled devices. We were able to generate and deploy a certificate to our iOS device and confirm that the certificate was successfully downloaded.
This concludes this lab module.
Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.
Lab SKU: HOL-1857-06-UEM