Lab Overview - HOL-1857-08-UEM - Workspace ONE UEM - Technology Partner Integration
The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.
AirWatch has native integration with many other technology vendors. This lab explores the configurations between F5 and AirWatch to deliver secure access to your applications.
Each Module can be taken independently or you can start at the beginning and work your way through each module in sequence. In most cases, a unique "sandbox" instance of AirWatch will be created just for you when you begin a Module. When the Module has ended, this sandbox will be deleted and the device that you are enrolling in the lab will be returned to the state that it was in prior to the lab. The approximate time it will take to go through all the modules is around 2.5 hours.
Lab Module List:
This lab manual can be downloaded from the Hands-on Labs Document site found here:
This lab may be available in other languages. To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:
During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.
You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.
You can also use the Online International Keyboard found in the Main Console.
When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.
One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.
Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark.
This cosmetic issue has no effect on your lab.
Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.
Module 1 - F5 Integration with Workspace ONE UEM (30 min)
With F5 BIG-IP APM, you may provide AirWatch mobile users unmatched secure remote access, performance, and availability. This module guides you through the configuration details required to integrate F5 BIG-IP APM with AirWatch. The steps are a series of recommended practices to follow in order to build an integrated solution. As with any system deployment, the steps are examples and the deployed environment may not exactly match these examples.
After completing this guide, you will be able to:
This section covers various requirements for implementing in your own environment. These include prerequisites, product licensing, software, and/or hardware requirements. All prerequisites will be provided for use during this module.
This solution utilizes the following ancillary infrastructure:
This section covers the steps to be performed within the BIG-IP web configuration utility. The BIG-IP you will be accessing for this lab has been pre-configured for the lab environment.
Double-click the Chrome Browser on the lab desktop.
This step will use the BIG-IP configuration utility wizard to assist you in creating a remote access configuration using Access Policy Manager (APM).
The Network Access Wizard created several components and we will now need to make a few changes to the default settings of those components to enable per-app VPN. Please note that the configuration we are setting up here is as basic as possible. Your organization can configure a more advanced security and access policy that suits your needs.
We've now completed configuration of the F5 BIG-IP. We have created a basic Network Access Policy that will allow us to connect our devices with the F5 Edge Client and securely access internal resources. Our next steps are to configure AirWatch to push all the necessary configurations and to allow specified applications to use the VPN connection, while ensuring other applications on the device are blocked from accessing your internal network.
To perform most of the lab you will need to login to the Workspace ONE UEM Management Console.
Double-click the Chrome Browser on the lab desktop.
The default home page for the browser is https://hol.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.
NOTE - If you see a Captcha, please be aware that it is case sensitive!
NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.
NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.
After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.
In this section, we are going to enroll an iOS device to complete the steps on the device side.
NOTE - Checked out devices will likely have the AirWatch MDM Agent already installed. You may skip this step if your device has the AirWatch MDM agent installed.
At this point, if using your own iOS device or if the device you are using does NOT have the AirWatch MDM Agent Application installed, then install the AirWatch Application.
To Install the AirWatch MDM Agent application from the App Store, open the App Store application and download the free AirWatch MDM Agent application.
Launch the AirWatch Agent app on the device.
NOTE - If you have your own iOS device and would like to test, you will need to download the agent first.
Click on the Server Details button.
NOTE - The Group ID is required when enrolling your device in the following steps.
Once the Agent has launched you can enroll the device. To do so, follow the below steps.
NOTE - If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Continue button.
On this screen, enter the Username and Password for the basic user account.
The AirWatch Agent will now redirect you to Safari and start the process of enabling MDM in the device settings.
Tap on Redirect & Enable at the bottom of the screen.
If you are prompted to allow the website to open Settings to show you a configuration profile, tap Allow.
NOTE - If you do not see this prompt, ignore this and continue to the next step. This prompt will only occur for iOS devices on iOS 10.3.3 or later.
Tap Install in the upper right corner of the Install Profile dialog box.
Tap Install when prompted at the Install Profile dialog.
NOTE - If a PIN is requested, it is the current device PIN. Provided VMware devices should not have a PIN.
You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.
Tap Install in the upper-right corner of the screen.
You should now see the iOS request to trust the source of the MDM profile.
Tap Trust when prompted at the Remote Management dialog.
You should now see the iOS Profile successfully installed.
Tap Done in the upper right corner of the prompt.
Your enrollment is now completed. Tap Open to navigate to the AirWatch Agent.
Click on Done to continue.
Tap Allow if you get a prompt for Notifications.
You may be prompted to install a series of applications depending on which Module you are taking. If prompted, tap Install to accept the application installation.
In this chapter, you will create a Per-App VPN profile and deploy an application configured to use the F5 Access app on iOS.
In this step, you will configure the iOS profile that will be delivered to the device. The profile configures the F5 Access app so that only designated applications can access content on internal servers.
In order to apply the VPN profile, the F5 Access app needs to be installed on your device. We can leverage AirWatch to deploy the F5 Access app to the device through MDM. This step will walk you through the process of adding an application from the Public App store.
In order to associate the VPN profile to specific apps, you need to add the application through MDM. This step will walk you through the process of adding an application from the Public App store that will be associated to the VPN profile you created.
Now that the device is enrolled and has received settings that we configured in the AirWatch Console, we are ready to begin testing the Per-App VPN functionality.
This step enables the newly installed VPN client to handle network traffic. The user only needs to do this the first time the application is installed.
Press the Home button on the iPad to return to the Launchpad. Swipe right if needed to see the downloaded applications. Select the F5 Access application to open it.
Press the Home button on the device to return to the Launchpad. Tap the VMware Browser icon to launch the application.
We will now show that although the VPN connection is active, other applications on the device will not be able to access the internal network resources.
The website is published to an internal web server that can only be accessed when the VPN connection is being used. Although the VPN connection may remain active (look for the VPN icon in the status bar), Safari is not designated as an application that is allowed to use the Per-App VPN connection. You may have multiple VPN configurations and multiple apps assigned for each VPN. Most public applications are compatible with per-app VPN on iOS. If desired, you can authorize the native browser on iOS to leverage the per-app VPN connection; we have chosen not to for the purposes of this lab.
You are now going to un-enroll the iOS device from AirWatch.
NOTE - The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.
It will NOT remove the AirWatch MDM Agent application from the device as this was downloaded manually before AirWatch had control of the device.
Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled. It will not affect anything that was on the device prior to enrollment.
To Enterprise Wipe your device you will first bring up the AirWatch Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and "VMware1!" as the password).
NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown in the image in this step.
After selecting Enterprise Wipe, you will be prompted to enter your Security PIN, which you set after you logged into the console ("1234").
NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:
NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.
Feel free to continue to the "Force the Wipe" step to manually uninstall the AirWatch services from the device if network connectivity is failing.
Press the Home button on the device to go back to the home screen. The applications pushed through AirWatch should have been removed from the device.
NOTE - The applications and settings pushed through AirWatch management should have been removed. The Agent will still be on the device because that was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse through the various networks out and back to your device. Continue on to the next step to force the wipe if needed.
If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.
Tap the Workspace Services profile that was pushed to the device.
After removing the Workspace Services profile, the device will be un-enrolled. Feel free to return to the "Verify the Un-Enrollment" step to confirm the successful un-enrollment of the device.
In addition to integrating with F5's Access Client and BIG-IP Edge Client, AirWatch can also integrate with a large number of other partners' VPN clients to provide per-app VPN functionality.
To learn more about AirWatch's own per-app VPN offering using AirWatch Tunnel, consider taking HOL-1857-05-UEM - Module 4 - Per-App VPN using AirWatch Tunnel.
This concludes the F5 Integration with AirWatch module.
Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.
Lab SKU: HOL-1857-08-UEM