VMware Hands-on Labs - VMware AirWatch: Technology Partner Integration


Lab Overview - HOL-1857-08-UEM - Workspace ONE UEM - Technology Partner Integration

Lab Guidance


The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

AirWatch has native integration with many other technology vendors.  This lab explores the configurations between F5 and AirWatch to deliver secure access to your applications.

Each Module can be taken independently or you can start at the beginning and work your way through each module in sequence. In most cases, a unique "sandbox" instance of AirWatch will be created just for you when you begin a Module. When the Module has ended, this sandbox will be deleted and the device that you are enrolling in the lab will be returned to the state that it was in prior to the lab. The approximate time it will take to go through all the modules is around 2.5 hours.

Lab Module List:

 Lab Captains:

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved, so all your work must be done during the lab session.  You can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - F5 Integration with Workspace ONE UEM (30 min)

Introduction


With F5 BIG-IP APM, you may provide AirWatch mobile users unmatched secure remote access, performance, and availability. This module guides you through the configuration details required to integrate F5 BIG-IP APM with AirWatch. The steps are a series of recommended practices to follow in order to build an integrated solution. As with any system deployment, the steps are examples and the deployed environment may not exactly match these examples.


 

What to Expect

After completing this guide, you will be able to:

 

 

Requirements

This section covers various requirements for implementing in your own environment. These include prerequisites, product licensing, software, and/or hardware requirements. All prerequisites will be provided for use during this module.

Prerequisites:

This solution utilizes the following ancillary infrastructure:

AirWatch

F5 BIG-IP

 

F5 BigIP Configuration


This section covers the steps required to be performed within the BigIP web configuration utility. The BigIP you will be accessing for this lab has been pre-configured for the lab environment.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Open F5 Web Admin Console

 

  1. Select the "BIG-IP" shortcut from the bookmarks bar or navigate to "https://bigip-01.corp.local".
  2. Enter "admin" for the Username field.
  3. Enter "VMware1!" for the Password field.
  4. Click Login.

 

 

Create A Network Access Policy

This step will use the BIG-IP configuration utility wizard to assist you in creating a remote access configuration using Access Policy Manager (APM).

 

 

Adjust the Access Policy to Authenticate Client Certificates for Access

 

The Network Access Wizard created several components and we will now need to make a few changes to the default settings of those components to enable per-app VPN. Please note that the configuration we are setting up here is as basic as possible. Your organization can configure a more advanced security and access policy that suits your needs.

  1. Click Access Policy.
  2. Click Access Profiles.
  3. Click Edit... on the f5_airwatch_policy Access Policy.

 

 

Configure Advanced Settings of the Virtual Server

 

  1. Click Local Traffic.
  2. Click Virtual Servers.
  3. Click f5_airwatch_policy_vs.

 

 

F5 Configuration Wrap-Up

We've now completed configuration of the F5 Big IP. We have created a basic Network Access Policy that will allow us to connect our devices with the F5 Edge Client and securely access internal resources. Our next steps are to configure AirWatch to push all the necessary configurations and activate specified applications to leverage the VPN connection while ensuring other device applications are blocked from accessing your internal network.

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Management Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Administration Console

 

The default home page for the browser is https://hol.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is the email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter "VMware1!" for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter "VMware1!" in the Password Recovery Answer field.
  4. Enter "VMware1!" in the Confirm Password Recovery Answer field.
  5. Enter "1234" in the Security PIN field.
  6. Enter "1234" in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

iOS Device Enrollment


In this section, we are going to enroll an iOS device to complete the steps on the device side.


 

Download/Install AirWatch MDM Agent Application from App Store - IF NEEDED

 

NOTE - Checked out devices will likely have the AirWatch MDM Agent already installed. You may skip this step if your device has the AirWatch MDM agent installed.

At this point, if using your own iOS device or if the device you are using does NOT have the AirWatch MDM Agent Application installed, then install the AirWatch Application.

To Install the AirWatch MDM Agent application from the App Store, open the App Store application and download the free AirWatch MDM Agent application.

 

 

Launching the AirWatch MDM Agent

 

Launch the AirWatch Agent app on the device.  

NOTE - If you have your own iOS device and would like to test, you will need to download the agent first.

 

 

Choose the Enrollment Method

 

Click on the Server Details button.

 

 

Find your Group ID from AirWatch Console

 

 

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

NOTE - The Group ID is required when enrolling your device in the following steps.

 

 

Attach the AirWatch MDM Agent to the HOL Sandbox

 

Once the Agent has launched you can enroll the device.  To do so, follow the below steps.

  1. Enter "hol.awmdm.com" for the Server field.
  2. Enter your Group ID for your Organization Group for the Group ID field.  Your Group ID was noted previously in the Finding your Group ID step.
  3. Tap the Go button.

NOTE - If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Continue button.

 

 

Authenticate the AirWatch MDM Agent

 

On this screen, enter the Username and Password for the basic user account.

  1. Enter "testuser" in the Username field.
  2. Enter "VMware1!" in the Password field.
  3. Tap the Go button.

 

 

Redirect to Safari and Enable MDM Enrollment in Settings

 

The AirWatch Agent will now redirect you to Safari and start the process of enabling MDM in the device settings.

Tap on Redirect & Enable at the bottom of the screen.

 

 

Allow Website to Open Settings (IF NEEDED)

 

If you are prompted to allow the website to open Settings to show you a configuration profile, tap Allow.

NOTE - If you do not see this prompt, ignore this and continue to the next step.  This prompt will only occur for iOS Devices on iOS 10.3.3 or later.

 

 

Install the MDM Profile

 

Tap Install in the upper right corner of the Install Profile dialog box.

 

 

Install and Verify the AirWatch MDM Profile

 

Tap Install when prompted at the Install Profile dialog.

NOTE - If a PIN is requested, it is the current device PIN. Provided VMware devices should not have a PIN.

 

 

iOS MDM Profile Warning

 

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

 

 

Trust the Remote Management Profile.

 

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

 

 

iOS Profile Installation Complete

 

You should now see the iOS Profile successfully installed.

Tap Done in the upper right corner of the prompt.

 

 

AirWatch Enrollment Success

 

Your enrollment is now completed. Tap Open to navigate to the AirWatch Agent.

 

 

Accept the Authentication Complete Prompt

 

Click on Done to continue.

 

 

Accept Notification Prompt (IF NEEDED)

 

Tap Allow if you get a prompt for Notifications.

 

 

Accept the App Installation (IF NEEDED)

 

You may be prompted to install a series of applications depending on which Module you are taking. If prompted, tap Install to accept the application installation.

 

AirWatch Console Configuration


In this chapter you create a Per-App VPN profile and deploy an Application configured to use the F5 Access app on iOS.


 

Create an iOS VPN Profile

In this step you will configure the iOS profile that will be delivered to the device to configure the F5 Access app on the device to allow only designated applications to access content on internal servers.

 

 

Add the F5 Access App as a Public Application

In order to apply the VPN profile, the F5 Access app needs to be installed on your device. We can leverage AirWatch to deploy the F5 Access app to the device through MDM. This step will walk you through the process of adding an application from the Public App store.

 

 

Add VMware Browser as a Public Application

In order to associate the VPN profile to specific apps, you need to add the application through MDM. This step will walk you through the process of adding an application from the Public App store that will be associated to the VPN profile you created.

 

Testing Per App VPN


Now that the device is enrolled and has received settings that we configured in the AirWatch Console, we are ready to begin testing the Per-App VPN functionality.


 

Launch & Enable the F5 Access Application

 

This step enables the newly installed VPN client to handle network traffic. The user only needs to do this the first time the application is installed.

Press the Home button on the iPad to return to the Launchpad. Swipe right if needed to see the downloaded applications. Select the F5 Access application to open it.

 

 

Launch VMware Browser

 

Press the Home button on the device to return to the Launchpad.  Tap the VMware Browser icon to launch the application.

 

 

Attempt to Access the Website From Safari

We will now show that although the VPN connection is active, other applications on the device will not be able to access the internal network resources.

 

 

Wrap-Up

The website is published to an internal web server that can only be accessed when the VPN connection is being used. Although the VPN connection may remain active (look for the VPN icon in the status bar), Safari is not designated as an application that is allowed to use the Per-App VPN connection. You may have multiple VPN configurations and multiple apps assigned for each VPN. Most Public applications are compatible with per-app VPN on iOS. If desired, you can authorize the native browser on iOS to leverage the per-app VPN connection; we have chosen not to for the purposes of this lab.
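The designation described above can be checked offline. The following Python is an added example, not part of the lab manual or of any VMware or F5 code: it audits an exported configuration profile against the MDM's app-to-VPN assignments. It assumes Apple's Per-App VPN payload type (`com.apple.vpn.managed.applayer`) and its `VPNUUID` and `SafariDomains` keys; the profile, UUIDs, bundle IDs and assignment map are constructed placeholders.

```python
import plistlib

PER_APP_VPN_TYPE = "com.apple.vpn.managed.applayer"  # Apple's Per-App VPN payload type

# Constructed sample: a minimal profile with one Per-App VPN payload.
# The UUID and display name are placeholders, not values from the lab.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
      <key>UserDefinedName</key><string>Example Per-App VPN</string>
      <key>VPNUUID</key><string>00000000-0000-0000-0000-000000000001</string>
      <key>OnDemandMatchAppEnabled</key><true/>
    </dict>
  </array>
</dict></plist>"""

# Constructed sample: managed app bundle ID -> VPNUUID the MDM attached at install time.
SAMPLE_ASSIGNMENTS = {
    "com.example.managedbrowser": "00000000-0000-0000-0000-000000000001",
    "com.example.stale": "00000000-0000-0000-0000-0000000000ff",
}


def audit_per_app_vpn(profile_bytes, assignments):
    """Report which managed apps each Per-App VPN payload will tunnel."""
    profile = plistlib.loads(profile_bytes)
    vpns = {
        p["VPNUUID"]: p
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == PER_APP_VPN_TYPE and "VPNUUID" in p
    }
    report = {"tunnelled": {}, "dangling": [], "safari_domains": {}}
    for uuid, payload in vpns.items():
        report["tunnelled"][uuid] = sorted(
            app for app, assigned in assignments.items() if assigned == uuid
        )
        # A non-empty SafariDomains list means the native browser may use the tunnel.
        if payload.get("SafariDomains"):
            report["safari_domains"][uuid] = list(payload["SafariDomains"])
    # Apps pointing at a VPNUUID that the profile does not deliver get no tunnel.
    report["dangling"] = sorted(
        app for app, assigned in assignments.items() if assigned not in vpns
    )
    return report


def uses_tunnel(report, bundle_id):
    """True if the bundle ID is designated for any Per-App VPN in the report."""
    return any(bundle_id in apps for apps in report["tunnelled"].values())


if __name__ == "__main__":
    print(audit_per_app_vpn(SAMPLE_PROFILE, SAMPLE_ASSIGNMENTS))
```

An empty `safari_domains` entry corresponds to the lab's choice not to authorize the native browser, and any app listed under `dangling` is worth reviewing because it references a VPN that the device never receives.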

 

Un-enrolling Your Device


You are now going to un-enroll the iOS device from AirWatch.

NOTE - The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch MDM Agent application from the device as this was downloaded manually before AirWatch had control of the device.


 

Enterprise Wipe (un-enroll) your iOS device

 

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device you will first bring up the AirWatch Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and "VMware1!" as the password).

  1. Click Devices on the left column.
  2. Click List View.
  3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown in the image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click More Actions. NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
  2. Click Enterprise Wipe under Management.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter the Security PIN that you set after you logged in to the console ("1234").

  1. Enter "1234" for the Security PIN. You will not need to press Enter or Continue; the console will confirm your PIN by showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.  NOTE: If "1234" does not work, then you provided a different Security PIN when you first logged into the AirWatch Console.  Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

  1. On your device, open the AirWatch Agent application.
  2. Tap the Device section (under Status) in the middle of the screen.
  3. Tap Send Data near the top of the screen.  If this does not make the device check in and immediately un-enroll, continue to Step #4.
  4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
  5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

Feel free to continue to the "Force the Wipe" step to manually uninstall the AirWatch services from the device if network connectivity is failing.

 

 

Verify the Un-Enrollment

 

Press the Home button on the device to go back to the home screen. The applications pushed through AirWatch should have been removed from the device.

NOTE - The applications and settings pushed through AirWatch management should have been removed. The Agent will still be on the device because that was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse through the various networks out and back to your device. Continue on to the next step to force the wipe if needed.

 

 

Force the Wipe - IF NECESSARY

 

If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.

  1. Tap General in the left column.
  2. Scroll down to view the Device Management option.
  3. Tap Device Management at the bottom of the list of General settings.

 

 

Force the Wipe - IF NECESSARY

 

Tap the Workspace Services profile that was pushed to the device.

 

 

Force the Wipe - IF NECESSARY

 

  1. Tap Remove Management on the Workspace Services profile.  
    NOTE - If prompted for a device PIN, enter it to continue.  VMware provisioned devices should not have a device PIN enabled.
  2. Tap Remove on the Remove Management prompt.

After removing the Workspace Services profile, the device will be un-enrolled.  Feel free to return to the "Verify the Un-Enrollment" step to confirm the successful un-enrollment of the device.

 

Conclusion


In addition to integrating with F5's Access Client and Big-IP Edge Client, AirWatch can also integrate with a large number of other partners' VPN clients to provide per-app VPN functionality.

To learn more about AirWatch's own per-app VPN offering using AirWatch Tunnel, consider taking HOL-1857-05-UEM - Module 4 - Per-App VPN using AirWatch Tunnel.

This concludes the F5 Integration with AirWatch module.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1857-08-UEM

Version: 20180604-184151