VMware Hands-on Labs - HOL-1957-01-UEM


Lab Overview - HOL-1957-01-UEM - Workspace ONE UEM with App & Access Management

Lab Guidance


Note: It may take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Looking for the latest on the VMware Workspace ONE solution? Integrate Workspace ONE UEM and Workspace ONE Identity Manager to enable Single Sign-On from any device to any application, and deploy applications through Workspace ONE.  Learn how Workspace ONE provides a best-in-class user experience without sacrificing enterprise security.

Lab Module List:

 Lab Captains:

 

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved, so all your work must be done during the lab session, but you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides typing it in directly, there are two very helpful methods of entering data which make it easier to enter complex text.

 

 

Click and Drag Lab Manual Content Into Console Active Window

 
 

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@ key".

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check that your lab has finished all of its startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Workspace ONE Setup and Configuration

Introduction


Workspace ONE UEM integrated with VMware Identity Manager is the core of Workspace ONE, providing Single Sign-On access to applications by providing various authentication mechanisms to ensure secure access and improving user experience.  This module will detail how to configure VMware Identity Manager with Workspace ONE UEM and how to enable Single Sign-On access into the VMware Identity Manager console from the iOS device.

Although the focus of this module highlights the iOS implementation and functionality, you can provide Single Sign-On capabilities for other devices (like Android, macOS, and Windows 10) as well.


VMware Enterprise Systems Connector Setup


The VMware Enterprise Systems Connector allows organizations to integrate AirWatch with back-end enterprise systems without exposing or compromising the security of these systems.  The VMware Enterprise Systems Connector runs in the internal network and acts as a proxy that securely transmits requests from AirWatch to enterprise infrastructure components.

For the purposes of the lab, the VMware Enterprise Systems Connector is already set up and configured for you.  The following steps will review the architecture and show a demo video of how to install the VMware Enterprise Systems Connector.


 

Architecture Overview

 

The simple architecture diagram above demonstrates the following concepts:

Continue to the next step when you are ready.

 

 

Video Demo of Installation

NOTE: The video contains no spoken instructions.  Please refer to the subtitles for instructions about the installation process.

Please watch this short demonstration of how to install the VMware Enterprise Systems Connector before continuing to the next step.

NOTE: Do not attempt to make any of the configurations or changes shown in the demo video!  This demonstration is only to highlight the configuration and installation process for your knowledge.

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Login to the VMware Identity Manager Console


A temporary VMware Identity Manager tenant has been generated for you to use throughout this lab.  The VMware Identity Manager tenant URL and login details were uploaded to the Content section in the Workspace ONE UEM Console at the start of the lab.


 

Accessing Your Tenant Details in the Workspace ONE UEM Console

 

In the Workspace ONE UEM Console:

  1. Click Content.
  2. Expand Content Locker.
  3. Click List View.
  4. Find the text file named vIDM Tenant Details for your@email.shown.here.txt and click the toggle button beside it to select the file.
  5. Click Download.

 

 

Login to Your VMware Identity Manager Tenant

You will now log in to your VMware Identity Manager tenant for the following steps.

 

Configure Your VMware Identity Manager Tenant


Before configuring the Directory Services and the VMware Identity Manager settings in the AirWatch Console, you will need to make some configuration changes in your VMware Identity Manager tenant to ensure that the Active Directory users are imported and mapped properly based on this configuration.

Continue to the next step.


 

Edit User Attributes

 

  1. Click Identity & Access Management.
  2. Click Setup.
  3. Click User Attributes.
  4. Enable distinguishedName by clicking the checkbox next to the field.
  5. Enable userPrincipalName by clicking the checkbox next to the field.
    NOTE - You may need to scroll down to find the distinguishedName and userPrincipalName attributes.

 

 

Save User Attribute Changes

 

  1. Scroll down to the bottom of the page.
  2. Click Save.

 

Configure Directory Services and VMware Identity Manager User Sync


You will now use the Workspace ONE Getting Started Wizard to configure Directory Services and to sync a directory to VMware Identity Manager.

Continue to the next step.


 

Setup Directory Services

 

You will now configure Directory Services through the Workspace ONE Getting Started Wizard to sync AD users to the Identity Manager tenant.

Return to the Workspace ONE UEM Console,

  1. Click Getting Started.
  2. Expand Getting Started.
  3. Click Workspace ONE.
  4. If the Setup section is minimized, click the + button to expand it.
    NOTE - You may need to scroll to the right to see the + button on the Setup bar.
  5. Click Configure for the Enterprise Connector & Directory section under Setup.
    NOTE - You may need to scroll to the right to see the "Configure" button.

 

 

Set up the VMware Identity Manager Settings

 

With the Directory Services integration completed, return to the Workspace ONE Getting Started Wizard to integrate your VMware Identity Manager tenant.

  1. Click Getting Started.
  2. Expand Getting Started.
  3. Click Workspace ONE.
  4. If the Setup section is minimized, click the + button to expand it.
    NOTE - You may need to scroll to the right to see the + button on the Setup bar.
  5. Click Configure for the Enterprise Connector & Directory section under Setup.

 

 

Add A New User Group

 

Next, you will create a User Group from our AD users for use within our VMware Identity Manager tenant.

  1. Click Accounts.
  2. Expand User Groups.
  3. Click List View.
  4. Mouse over Add.
  5. Click Add User Group.

 

 

Confirm User Sync in VMware Identity Manager

 

Return to your VMware Identity Manager to confirm that the corp.local domain and users successfully synced.

  1. Click Identity & Access Management.
  2. Click Directories.
  3. Locate the Directory that was synced from Workspace ONE UEM.  The Workspace ONE Getting Started Wizard will generate a unique name, which will be Company_Directory_{GroupID}.  Ensure that you have 1 synced domain and 5 synced users.

 

Review Your Configuration in VMware Identity Manager


In one of the previous sections, we configured Workspace ONE Getting Started Wizard from the console. The Getting Started Wizard generates an AirWatch API admin key and an AirWatch API Enrollment User Key. These API keys are used by Identity Manager to communicate with Workspace ONE UEM and populate the related configurations within Identity Manager console.

Let's review our configuration in VMware Identity Manager to see where these changes are made.


 

Navigate to the VMware Identity Manager Tab

 

Click to navigate to VMware Identity Manager Admin Console in Google Chrome.

 

 

Validate the Configuration for AirWatch

 

In your VMware Identity Manager Tenant,

  1. Click on Identity & Access Management.
  2. Click on Setup.
  3. Click AirWatch to view the related configurations.
  4. Validate that the AirWatch API URL is shown as https://as1193.awmdm.com.
  5. Validate that an API Key is populated.
  6. Validate that the AirWatch Enrolled User API Key is also populated.

NOTE - API key and AirWatch Enrolled User API Key will be different for each lab session.

 

 

Confirm Group ID and Save

 

  1. Scroll down if needed.
  2. Ensure that your Group ID is populated.
    (NOTE - You can find your Group ID by hovering over your organization group name in the Workspace ONE UEM Console.)
  3. Click Save.

 

 

Enable App Catalog (IF NEEDED)

 

  1. Scroll down if needed until you see a section for Workspace ONE Catalog.
  2. Ensure the boxes for the options Fetch from IDM and Fetch from AirWatch are checked.  If they are not checked, click each box to select them.
  3. Click Save.

 

 

Validate Compliance Check and Password Authentication

 

  1. Scroll down if needed.
  2. Validate that Compliance Check is Enabled.
  3. Click Save.
  4. Validate that User Password Authentication through AirWatch is Enabled.
  5. Click Save.

 

 

Return to the Workspace ONE UEM Console

 

For the next steps, we will return to the Workspace ONE UEM Console and complete the Workspace ONE Getting Started wizard.

Click the Workspace ONE UEM tab, which should be the first tab, on your browser to return to the Workspace ONE UEM Console Login page.

NOTE - Your Workspace ONE UEM tab may not be at the Login page as shown in the picture depending on your previous steps.

 

Integrate Workspace ONE UEM and VMware Identity Manager using the Cloud Kerberos Key Distribution Center (KDC)


This section will review how to integrate the Cloud Kerberos Key Distribution Center (KDC) between Workspace ONE UEM and VMware Identity Manager.  Continue to review the necessary steps.


 

Configure VMware Identity Manager Settings in Workspace ONE UEM

 

The first step in configuring the Cloud Kerberos Key Distribution Center (KDC) is to set up the VMware Identity Manager Certificate in Workspace ONE UEM.

  1. Click Groups & Settings.
  2. Click All Settings.

 

 

Enable and Setup Cloud Kerberos Key Distribution Center (KDC)

With the Certificate exported from Workspace ONE UEM, return to your VMware Identity Manager tenant to continue the Cloud Kerberos Key Distribution Center (KDC) configuration.

 

 

Update the Access Policy

 

With the Identity Provider (IdP) configured, we now need to update the Policies to use our Identity Provider (IdP).

  1. Click Policies.
  2. Click Edit Default Policy.

 

 

Create Workspace ONE UEM Profiles for Single Sign-On

 

With our Access Policies and Identity Providers (IdP) configured, we now need to create a profile to enable our iOS device to Single Sign-on into our VMware Identity Manager tenant.

Click on the Workspace ONE UEM tab to return to the Workspace ONE UEM Console.

 

iOS Device Enrollment With Directory Account


In this section, we are going to enroll an iOS device. The upcoming steps will need to be completed from an iOS device.


 

Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

 

NOTE - Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does NOT have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

 

 

Launching the Workspace ONE Intelligent Hub

 

Launch the Hub app on the device.  

NOTE - If you have your own iOS device and would like to test with it, you will need to download the Workspace ONE Intelligent Hub app first.

 

 

Enter the Server URL

 

  1. Enter labs.awmdm.com for the Server URL.
  2. Click Next.

Click on the Server Details button.

 

 

Find Your Group ID From the Workspace ONE UEM Console

 

Return to the Workspace ONE UEM Console,

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

NOTE - The Group ID is required when enrolling your device in the following steps.

 

 

Attach the Workspace ONE Intelligent Hub to the HOL Sandbox

 

Return to the Workspace ONE Intelligent Hub application on your iOS Device,

  1. Enter your Group ID for your Organization Group for the Group ID field.  Your Group ID was noted previously in the Finding your Group ID step.
  2. Tap the Next button.

NOTE - If on an iPhone, you may have to close the keyboard by tapping Done in order to tap the Next button.

 

 

Enter User Credentials

 

You will now provide user credentials to authenticate to Workspace ONE UEM.

  1. Enter aduser in the Username field.
  2. Enter VMware1! in the Password field.
  3. Tap the Next button.

 

 

Redirect to Safari and Enable MDM Enrollment in Settings

 

The Workspace ONE Intelligent Hub will prompt you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

 

 

Allow Website to Open Settings (IF NEEDED)

 

If you are prompted to allow the website to open Settings to show you a configuration profile, tap Allow.

NOTE - If you do not see this prompt, ignore this and continue to the next step.  This prompt will only occur for iOS devices on iOS 10.3.3 or later.

 

 

Install the Workspace ONE MDM Profile

 

Tap Install in the upper right corner of the Install Profile dialog box.

 

 

Enter Device Passcode (IF NEEDED)

 

If prompted, enter your device passcode to continue.

If you do NOT receive this prompt, continue to the next step.

 

 

Install and Verify the Workspace ONE MDM Profile

 

Tap Install when prompted at the Install Profile dialog.

 

 

iOS MDM Profile Warning

 

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

 

 

Trust the Remote Management Profile

 

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

 

 

iOS Profile Installation Complete

 

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper right corner of the prompt.

 

 

Workspace ONE UEM Enrollment Success

 

Your enrollment is now completed! Tap Open to navigate to the Workspace ONE Intelligent Hub.

 

 

Accept the Workspace ONE Intelligent Hub Notice

 

Tap Done to confirm the notice and continue.

 

 

Accept Notifications for Hub (IF NEEDED)

 

Tap Allow if you get a prompt to allow notifications for the Hub app.

 

 

Accept the App Installation (IF NEEDED)

 

You may be prompted to install a series of applications depending on which Module you are taking. If prompted, tap Install to accept the application installation.

 

 

Confirm the Privacy Policy

 

Tap I Understand when shown the Privacy policy.

 

 

Accept the Data Sharing Policy

 

Tap I Agree for the Data Sharing policy.

 

 

Confirm the Device Enrollment in the Hub App

 

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM!  Continue to the next step.

 

SSO Validation


In this section, we will validate that the SSO configuration is working on our iOS device.


 

Open Settings

 

Tap Settings on the iOS device.

 

 

Navigate to General Settings, Digital Workspace

 

  1. Tap General.
  2. Scroll down to find the Device Management option.
  3. Tap Device Management.

 

 

Open the Digital Workspace profile

 

Tap the Device Manager profile.

 

 

View More Details

 

Tap More Details.

 

 

Open the Single Sign-On Account

 

You should see the Single Sign On Account that you added in the Profile created in the previous section.

Tap testsso.

 

 

Verify Settings

 

Verify that the following Single Sign-On settings are correct:

  1. Principal Name is set to aduser.
  2. Realm is set to VIDMPREVIEW.COM.
  3. URL Prefix Matches is set to https://{tenantName}.vidmpreview.com/.  This URL will be your VMware Identity Manager Tenant URL.
  4. Eligible App IDs includes com.apple.mobilesafari.

NOTE - If any of these settings are incorrect, return to the AirWatch Console and inspect your iOS Identity KDC Cert Profile that was previously created.
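Added example, not from the lab or from VMware: it builds the Single Sign-On Account payload that carries the four settings checked above, using the Kerberos payload keys from Apple's Configuration Profile Reference, and shows which request URLs and apps the payload actually applies to. The tenant name example-tenant, the PayloadIdentifier and the sample URL path are constructed placeholders.

```python
import plistlib
import uuid

# Values from the lab's Verify Settings step. The tenant name is a constructed
# placeholder standing in for {tenantName}; the real value is the lab tenant's.
TENANT_NAME = "example-tenant"
SSO_ACCOUNT = {
    "name": "testsso",
    "principal": "aduser",
    "realm": "VIDMPREVIEW.COM",
    "url_prefixes": [f"https://{TENANT_NAME}.vidmpreview.com/"],
    "app_ids": ["com.apple.mobilesafari"],
}


def normalize_prefix(prefix: str) -> str:
    """Apply the rules iOS uses for URLPrefixMatches entries.

    Entries must start with http:// or https://, and an entry without a
    trailing slash is treated as if one were appended. Matching is a plain
    string-prefix comparison, so the trailing slash is what stops
    https://tenant.vidmpreview.com/ from also matching a longer host name.
    """
    if not prefix.startswith(("http://", "https://")):
        raise ValueError(f"URL prefix must start with http:// or https://: {prefix}")
    return prefix if prefix.endswith("/") else prefix + "/"


def build_sso_payload(account: dict) -> dict:
    """Build the Single Sign-On Account payload (PayloadType com.apple.sso)."""
    return {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.sso.kerberos",  # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": account["name"],
        "Name": account["name"],  # the account label shown in Settings (testsso)
        "Kerberos": {
            "PrincipalName": account["principal"],
            "Realm": account["realm"],
            "URLPrefixMatches": [normalize_prefix(p) for p in account["url_prefixes"]],
            "AppIdentifierMatches": list(account["app_ids"]),
        },
    }


def to_plist_bytes(payload: dict) -> bytes:
    """Serialize the payload as an XML plist, the form it takes inside a .mobileconfig."""
    return plistlib.dumps(payload)


def app_matches(pattern: str, app_id: str) -> bool:
    """AppIdentifierMatches entries are exact bundle IDs; a trailing * is a prefix wildcard."""
    if pattern.endswith("*"):
        return app_id.startswith(pattern[:-1])
    return pattern == app_id


def sso_applies(payload: dict, url: str, app_id: str) -> bool:
    """Would this payload let app_id use the Kerberos identity for url?

    Both conditions must hold: the request URL starts with one of the
    URLPrefixMatches entries, and the requesting app is an eligible app ID
    (an absent or empty AppIdentifierMatches list means every app qualifies).
    """
    kerberos = payload["Kerberos"]
    url_ok = any(url.startswith(prefix) for prefix in kerberos["URLPrefixMatches"])
    eligible = kerberos.get("AppIdentifierMatches") or []
    app_ok = not eligible or any(app_matches(p, app_id) for p in eligible)
    return url_ok and app_ok


def verify_sso_settings(payload: dict, expected: dict) -> list:
    """Re-run the lab's Verify Settings checklist against a payload; returns mismatches."""
    kerberos = payload["Kerberos"]
    checks = {
        "Principal Name": (kerberos.get("PrincipalName"), expected["principal"]),
        "Realm": (kerberos.get("Realm"), expected["realm"]),
        "URL Prefix Matches": (
            kerberos.get("URLPrefixMatches"),
            [normalize_prefix(p) for p in expected["url_prefixes"]],
        ),
        "Eligible App IDs": (kerberos.get("AppIdentifierMatches"), list(expected["app_ids"])),
    }
    return [f"{name}: expected {want!r}, found {got!r}"
            for name, (got, want) in checks.items() if got != want]


if __name__ == "__main__":
    payload = build_sso_payload(SSO_ACCOUNT)
    print(to_plist_bytes(payload).decode())
    print("mismatches:", verify_sso_settings(payload, SSO_ACCOUNT))
    tenant_login = f"https://{TENANT_NAME}.vidmpreview.com/SAAS/auth/login"  # sample path
    print("Safari at tenant:", sso_applies(payload, tenant_login, "com.apple.mobilesafari"))
    lookalike = f"https://{TENANT_NAME}.vidmpreview.com.other.example/"
    print("Safari at look-alike host:", sso_applies(payload, lookalike, "com.apple.mobilesafari"))
```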

 

 

Clear the Safari Cache

 

Navigate back to the main Settings page.

  1. Scroll down to find the Safari settings.
  2. Tap Safari.
  3. Scroll down to find Clear History and Website Data.
  4. Tap Clear History and Website Data.

 

 

Confirm the Clear History and Data Prompt

 

Click Clear.

 

 

Launch Safari on the iOS Device

 

Tap the Safari icon; it should be on the bottom tray.

 

 

Navigate to Identity Manager in Safari

 

  1. Enter the URL of your Identity Manager tenant in the URL bar.
  2. Click Go.

 

 

Workspace ONE Single Sign-On

 

Notice that Identity Manager is signing you in without requiring any authentication.

 

 

Identity Manager Application Catalog

 

You are now signed into Workspace ONE using Single Sign On automatically without having to enter any credentials!

There are no applications visible because they haven't been added in VMware Identity Manager or Workspace ONE UEM.

 

Un-enrolling Your Device


You are now going to un-enroll the iOS device from Workspace ONE UEM.

NOTE - The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch Agent application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.


 

Enterprise Wipe (un-enroll) your iOS device

 

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device you will first bring up the Workspace ONE UEM Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and VMware1! as the password).

  1. Click Devices on the left column.
  2. Click List View.
  3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different from what is shown. It will, however, be in the same location as shown in the image for this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click More Actions. NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
  2. Click Enterprise Wipe under Management.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter the Security PIN which you set after you logged into the console (1234).

  1. Scroll down until you see the option for entering Security PIN
  2. Enter 1234 for the Security PIN. You will not need to press enter or continue, the console will confirm your PIN showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.  

    NOTE - If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console.  Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not occur immediately, follow the steps below to force a device sync:

  1. On your device, open the AirWatch Agent application.
  2. Tap the Device section (under Status) in the middle of the screen.
  3. Tap Send Data near the top of the screen.  If this does not make the device check in and immediately un-enroll, continue to Step #4.
  4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
  5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

Feel free to continue to the "Force the Wipe" step to manually uninstall the Workspace ONE UEM services from the device if network connectivity is failing.

 

 

Verify the Un-Enrollment

 

Press the Home button on the device to go back to the home screen. The applications pushed through Workspace ONE UEM should have been removed from the device.

NOTE - The applications and settings pushed through Workspace ONE UEM should have been removed. The Agent will still be on the device because that was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse through the various networks out and back to your device. Continue on to the next step to force the wipe if needed.

 

 

Force the Wipe - IF NECESSARY

 

If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.

  1. Tap General in the left column.
  2. Scroll down to view the Device Management option.
  3. Tap Device Manager at the bottom of the list of General settings.

 

 

Force the Wipe - IF NECESSARY

 

Tap the Device Manager profile that was pushed to the device.

 

 

Force the Wipe - IF NECESSARY

 

  1. Tap Remove Management on the Device Manager profile.  
    NOTE - If prompted for a device PIN, enter it to continue.  VMware provisioned devices should not have a device PIN enabled.
  2. Tap Remove on the Remove Management prompt.

After removing the Device Manager profile, the device will be un-enrolled.  Feel free to return to the Verify the Un-Enrollment step to confirm the successful un-enrollment of the device.

 

Conclusion


Workspace ONE enables users to access their applications from any device at any time, providing a rich user experience while ensuring corporate resources and apps are accessed securely and by the appropriate users.  Integrating VMware Identity Manager with Workspace ONE UEM allows administrators to control what authentication methods are available to users to access and download apps while providing Single Sign-On for secure and quick access.  

This concludes this module.


Module 2 - Workspace ONE UEM Configuration, AD Integration/Certificates

Introduction


Workspace ONE UEM can integrate with your Certificate Authority to provide certificates to your enrolled devices.  This enables your users to use certificates for authentication and other purposes, increasing security and providing a better user experience by eliminating the need to authenticate with credentials.

This lab module will explore how to integrate a Certificate Authority with Workspace ONE UEM, configure the templates, and distribute a certificate to a device by using a Profile.


VMware Enterprise Systems Connector Setup


The VMware Enterprise Systems Connector allows organizations to integrate AirWatch with back-end enterprise systems without exposing or compromising the security of these systems.  The VMware Enterprise Systems Connector runs in the internal network and acts as a proxy that securely transmits requests from AirWatch to enterprise infrastructure components.

For the purposes of the lab, the VMware Enterprise Systems Connector is already set up and configured for you.  The following steps will review the architecture and show a demo video of how to install the VMware Enterprise Systems Connector.


 

Architecture Overview

 

The simple architecture diagram above demonstrates the following concepts:

Continue to the next step when you are ready.

 

 

Video Demo of Installation

NOTE: The video contains no spoken instructions.  Please refer to the subtitles for instructions about the installation process.

Please watch this short demonstration of how to install the VMware Enterprise Systems Connector before continuing to the next step.

NOTE: Do not attempt to make any of the configurations or changes shown in the demo video!  This demonstration is only to highlight the configuration and installation process for your knowledge.

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Directory Services Integration


In this chapter, you will set up Active Directory Services to work with Workspace ONE UEM.  This will allow Workspace ONE UEM to import your Active Directory Users and Groups.

If you haven't yet opened the console, please do so now by following the instructions in Login to the Workspace ONE UEM Console.


 

Open All Settings

 

  1. Click the Groups & Settings button on the left menu.
  2. Click the All Settings button from the middle menu.

 

 

Selecting Directory Services

 

  1. Click the System section to expand the section.
  2. Click the Enterprise Integration dropdown section.
  3. Click the Directory Services button.
  4. Click the Skip wizard and configure manually link.

 

 

Server Setup

 

Configure the Server section of Directory Services as follows:

  1. Confirm that the Server tab is selected.
  2. Enter controlcenter.corp.local for the Server.
  3. Confirm that the Encryption Type is set to None.
  4. Enter 389 for the Port.
  5. Enter 3 for the Protocol Version.

 

 

Server Setup (continued)

 

  1. Set Disabled for Use Service Account Credentials.
  2. Select GSS-NEGOTIATE for the Bind Authentication Type.
  3. Enter corp\administrator for the Bind Username field.
  4. Enter VMware1! for the Bind Password field.
  5. Enter corp.local in the Domain field.

 

 

User Setup

 

Configure the User section of Directory Services as follows:

  1. Scroll back to the top of the menu where the Server, User, and Group tabs are.
  2. Click the User tab.
  3. Enter dc=corp,dc=local for the Base DN box.

 

 

Group Setup

 

Configure the Group section of Directory Services as follows:

  1. Click the Group tab.
  2. Enter dc=corp,dc=local for the Base DN field.

 

 

Save Directory Services Configuration

 

  1. Scroll down to find the Save button if it is not visible on your screen.
  2. Click Test Connection.
  3. Ensure the Connection successful with the given server name, bind user name, and password success message is displayed.
  4. Click Save.

 

 

Confirm Directory Services Saved Successfully

 

  1. After the Saving loading wheel finishes, you should see the Saved Successfully confirmation appear.
  2. Click the Close (X) button in the top-right corner.
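The Server, User and Group values entered above are exactly the kind of settings worth checking before clicking Save: the lab uses Encryption Type None on port 389, base DNs of dc=corp,dc=local and a GSS-NEGOTIATE bind. The following Go program is an added example, not part of the lab or of Workspace ONE UEM: it models those settings, parses the base DNs, derives the domain from their dc= components, and reports the findings a reviewer would raise (unencrypted LDAP, a Basic bind over clear text, an SSL/port mismatch, a base DN that does not belong to the stated domain). The struct, the encryption-type labels and the hardened LDAPS-on-636 variant are this example's assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DirectoryConfig mirrors the fields filled in on the Directory Services
// Server, User and Group tabs. The struct and field names are this
// example's own, not a Workspace ONE UEM API; label strings are assumed.
type DirectoryConfig struct {
	Server          string
	EncryptionType  string // "None", "SSL" or "StartTLS" (assumed labels)
	Port            int
	ProtocolVersion int
	BindAuthType    string // e.g. "Basic" or "GSS-NEGOTIATE"
	Domain          string
	UserBaseDN      string
	GroupBaseDN     string
}

// ParseDN splits a distinguished name such as "dc=corp,dc=local" into
// attribute/value pairs. It handles "\," escapes only (RFC 4514 basics).
func ParseDN(dn string) ([][2]string, error) {
	var rdns [][2]string
	var cur strings.Builder
	flush := func() error {
		part := strings.TrimSpace(cur.String())
		cur.Reset()
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 || strings.TrimSpace(kv[0]) == "" || kv[1] == "" {
			return fmt.Errorf("malformed RDN %q", part)
		}
		rdns = append(rdns, [2]string{strings.ToLower(strings.TrimSpace(kv[0])), kv[1]})
		return nil
	}
	for i := 0; i < len(dn); i++ {
		c := dn[i]
		switch {
		case c == '\\' && i+1 < len(dn): // escaped character: keep it literally
			cur.WriteByte(dn[i+1])
			i++
		case c == ',': // end of one RDN
			if err := flush(); err != nil {
				return nil, err
			}
		default:
			cur.WriteByte(c)
		}
	}
	if err := flush(); err != nil {
		return nil, err
	}
	return rdns, nil
}

// DomainFromDN rebuilds "corp.local" from the dc= components of a base DN.
func DomainFromDN(dn string) (string, error) {
	rdns, err := ParseDN(dn)
	if err != nil {
		return "", err
	}
	var labels []string
	for _, rdn := range rdns {
		if rdn[0] == "dc" {
			labels = append(labels, rdn[1])
		}
	}
	if len(labels) == 0 {
		return "", errors.New("no dc= components in base DN")
	}
	return strings.Join(labels, "."), nil
}

// Check returns the findings a reviewer would raise before clicking Save.
func Check(c DirectoryConfig) []string {
	var findings []string
	if c.ProtocolVersion != 3 {
		findings = append(findings, "protocol version should be 3 (LDAPv3)")
	}
	plaintext := strings.EqualFold(c.EncryptionType, "None")
	switch {
	case plaintext:
		findings = append(findings, "Encryption Type None: directory traffic is unencrypted; use SSL (port 636) or StartTLS outside the lab")
	case strings.EqualFold(c.EncryptionType, "SSL") && c.Port != 636:
		findings = append(findings, fmt.Sprintf("SSL selected on port %d; LDAPS normally listens on 636", c.Port))
	}
	if plaintext && strings.EqualFold(c.BindAuthType, "Basic") {
		findings = append(findings, "Basic bind without encryption sends the bind password in clear text")
	}
	for _, dn := range []string{c.UserBaseDN, c.GroupBaseDN} {
		domain, err := DomainFromDN(dn)
		if err != nil {
			findings = append(findings, fmt.Sprintf("base DN %q: %v", dn, err))
		} else if !strings.EqualFold(domain, c.Domain) {
			findings = append(findings, fmt.Sprintf("base DN %q does not match domain %q", dn, c.Domain))
		}
	}
	return findings
}

// LabConfig is the configuration entered in this module (constructed input).
func LabConfig() DirectoryConfig {
	return DirectoryConfig{
		Server: "controlcenter.corp.local", EncryptionType: "None", Port: 389,
		ProtocolVersion: 3, BindAuthType: "GSS-NEGOTIATE", Domain: "corp.local",
		UserBaseDN: "dc=corp,dc=local", GroupBaseDN: "dc=corp,dc=local",
	}
}

// HardenedConfig is the same directory reached over LDAPS (assumed production setting).
func HardenedConfig() DirectoryConfig {
	c := LabConfig()
	c.EncryptionType, c.Port = "SSL", 636
	return c
}

func main() {
	for _, name := range []string{"lab", "hardened"} {
		c := map[string]DirectoryConfig{"lab": LabConfig(), "hardened": HardenedConfig()}[name]
		findings := Check(c)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run as-is, the lab configuration yields one finding (the unencrypted connection) and the hardened variant none; the Test Connection button only proves the bind works, which is why a check like this sits beside it rather than replacing it.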

 

Configuring an Enterprise Certificate Authority


This module will walk through the configuration of a newly installed Enterprise Certificate Authority for use with Workspace ONE UEM as well as how to integrate the Certificate Authority on your domain with Workspace ONE UEM SaaS services using the VMware Enterprise Systems Connector.


 

Configure the Certificate Authority

The first step in this process is to prepare your Certificate Authority, create a template for use with Workspace ONE UEM and assign security permissions to allow a service account to make requests to the CA. If you already have a PKI in your enterprise, Workspace ONE UEM can seamlessly connect with your current infrastructure.

For this lab, the Certificate Authority has already been configured for you.  To better learn and understand the configurations made to integrate the Certificate Authority with Workspace ONE UEM, you can choose between watching a demo video on how to configure the Certificate Authority, or you can practice the steps hands-on using a local Certificate Authority.  

 

 

Watch a Certificate Authority Configuration Demo

NOTE - You may need to scroll to the right to view the full screen button on the video above.
NOTE - The video contains no sound.  Please refer to the subtitles for details of the installation process.

The embedded video will showcase the configurations to the Certificate Authority used for this lab to integrate with Workspace ONE UEM.  After finishing the video, click here to continue.

 

 

Configure an Example Certificate Authority

In this section, you will utilize a local Certificate Authority provided to better learn how to configure the Certificate Authority to interact with Workspace ONE UEM.

NOTE - The Certificate Authority that this lab accesses to issue certificates has already been configured; you are only editing a local Certificate Authority, which will not impact the ability to issue certificates for this lab.

 

Login to the Workspace ONE UEM Console (IF NEEDED)


To perform most of the lab you will need to login to the Workspace ONE UEM Management Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Administration Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

Add the Certificate Authority in Workspace ONE UEM


Now that the configuration of the Certificate Authority itself is done, you will now be configuring the Certificate Authority within Workspace ONE UEM.

In order for Workspace ONE UEM to retrieve a certificate from a Certificate Authority (CA), you must configure the Workspace ONE UEM console to communicate with the CA. There are two steps to this process:

Return to the Workspace ONE UEM Console in your browser tab.


 

Add the Certificate Authority in Workspace ONE UEM

 

  1. Click Groups & Setting.
  2. Click All Settings.

 

 

Conclusion and Wrap Up

This concludes the configuration of Microsoft Active Directory, Microsoft Certificate Authority, and Workspace ONE UEM with the VMware Enterprise Systems Connector.

Proceed to the next chapter to define a Workspace ONE UEM profile and configure your device for use with this enterprise certificate.

 

Create an iOS Profile with a Credential Payload


We will now walk through the creation of an iOS Profile for a Credential Payload which will deliver a unique enterprise certificate to the device. Please be sure you are logged into the AirWatch web console before continuing.


 

Navigate to the Devices Profile List View

 

  1. Click Devices.
  2. Expand Profiles & Resources.
  3. Click on the Profiles option under Profiles & Resources.
  4. Click on the Add dropdown.
  5. Click Add Profile.

 

 

Add an iOS Profile

 

You will now be presented with the Add Profile screen. Here you would select the operating system type of your device.

For this lab, select Apple iOS.

 

 

Configure the iOS Restriction Profile

 

After clicking on the iOS icon, you will be presented with the Add a New Apple iOS Profile screen. All profiles are broken down into two basic sections, the General section and the Payload section.

The General section has information about the Profile, its name and granular filters to determine which devices will receive the configurations in the profile.

The Payload sections define actions to be taken on the device.

Every Profile must have all required fields in the General section properly filled out and at least one payload configured.

NOTE - In most cases, it is recommended a Profile contain only one Payload.

 

 

Define the General Settings for the Profile

 

Configure the profile as follows:

  1. Click General.
  2. Enter iOS Certificate for the Name.
  3. Click in the Assigned Smart Groups field to view a list of available groups.
  4. Click All Devices (your@email.shown.here) from the list.

NOTE - You do not need to click SAVE or SAVE AND PUBLISH at this point.  This interface allows you to move around to different payload configuration screens before saving.

Continue to the next step in the lab manual to continue configuring this profile.

 

 

Select the Credentials Payload

 

NOTE - When initially setting a payload, a Configure button will show to reduce the risk of accidentally setting a payload configuration.

  1. Click on the Credentials payload.
  2. Click the Configure button to continue setting the Credentials payload.

 

 

Configure the Credentials Payload

 

  1. Select Defined Certificate Authority for the Credential Source.
  2. Select CONTROLCENTER-CA for the Certificate Authority.
  3. Select the Certificate Template named after your VLP email address.
  4. Click Save & Publish

 

 

Publish the Profile

 

After clicking on Save & Publish you will be presented with the Device Assignment screen. Click Publish.

Typically, you would see the devices that your profile would be assigned to here. This allows you to verify the filters you applied on the general tab are applied correctly before pushing the profile to devices. If you haven't enrolled a device, you won't see any devices here.

 

 

Verify the Certificate Profile Now Exists

 

  1. You should now see your Credentials Profile, named iOS Certificate, within the List View of the Devices Profiles window.
  2. If you do not see the Credentials Profile, click the Refresh button.

NOTE - If you want to make changes to the profile, this is where you would do so. To edit a profile, click on the profile name and select Add Version, make your changes and then select Save & Publish.

 

iOS Device Enrollment With Directory Account


In this section, we are going to enroll an iOS device. The upcoming steps will need to be completed from an iOS device.


 

Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

 

NOTE - Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does NOT have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To Install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

 

 

Launching the Workspace ONE Intelligent Hub

 

Launch the Hub app on the device.  

NOTE - If you have your own iOS device and would like to test you will need to download the Workspace ONE Intelligent Hub app first.

 

 

Enter the Server URL

 

  1. Enter labs.awmdm.com for the Server URL.
  2. Click Next.

Click on the Server Details button.

 

 

Find Your Group ID From the Workspace ONE UEM Console

 

Return to the Workspace ONE UEM Console.

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

NOTE - The Group ID is required when enrolling your device in the following steps.

 

 

Attach the Workspace ONE Intelligent Hub to the HOL Sandbox

 

Return to the Workspace ONE Intelligent Hub application on your iOS Device.

  1. Enter your Group ID for your Organization Group for the Group ID field.  Your Group ID was noted previously in the Finding your Group ID step.
  2. Tap the Next button.

NOTE - If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Next button.

 

 

Enter User Credentials

 

You will now provide user credentials to authenticate to Workspace ONE UEM.

  1. Enter aduser in the Username field.
  2. Enter VMware1! in the Password field.
  3. Tap the Next button.

 

 

Redirect to Safari and Enable MDM Enrollment in Settings

 

The Workspace ONE Intelligent Hub will prompt you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

 

 

Allow Website to Open Settings (IF NEEDED)

 

If you are prompted to allow the website to open Settings to show you a configuration profile, tap Allow.

NOTE - If you do not see this prompt, ignore this and continue to the next step.  This prompt will only occur for iOS devices on iOS 10.3.3 or later.

 

 

Install the Workspace ONE MDM Profile

 

Tap Install in the upper right corner of the Install Profile dialog box.

 

 

Enter Device Passcode (IF NEEDED)

 

If prompted, enter your device passcode to continue.

If you do NOT receive this prompt, continue to the next step.

 

 

Install and Verify the Workspace ONE MDM Profile

 

Tap Install when prompted at the Install Profile dialog.

 

 

iOS MDM Profile Warning

 

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

 

 

Trust the Remote Management Profile

 

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

 

 

iOS Profile Installation Complete

 

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper right corner of the prompt.

 

 

Workspace ONE UEM Enrollment Success

 

Your enrollment is now completed! Tap Open to navigate to the Workspace ONE Intelligent Hub.

 

 

Accept the Workspace ONE Intelligent Hub Notice

 

Tap Done to confirm the notice and continue.

 

 

Accept Notifications for Hub (IF NEEDED)

 

Tap Allow if you get a prompt to allow notifications for the Hub app.

 

 

Accept the App Installation (IF NEEDED)

 

You may be prompted to install a series of applications depending on which Module you are taking. If prompted, tap Install to accept the application installation.

 

 

Confirm the Privacy Policy

 

Tap I Understand when shown the Privacy policy.

 

 

Accept the Data Sharing Policy

 

Tap I Agree for the Data Sharing policy.

 

 

Confirm the Device Enrollment in the Hub App

 

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM!  Continue to the next step.

 

View the Certificate on the Device


You can now confirm the certificate was issued and installed on the device. When you enrolled your device, the profile containing a certificate from the CONTROLCENTER-CA was pushed down to your device. The speed at which the profile is installed on the device is dependent on many variables outside of the control of Workspace ONE UEM. The profile with the certificate may arrive in a few seconds or it may take a few minutes. We will now look in the device settings for the certificate.


 

Navigate to Settings on the iOS device

 

On the iOS device, return to the launchpad by pressing the home button then select the Settings icon to open the menu.

 

 

Validate the Certificate is Pushed to the Device

 

  1. Tap to select General settings in the left column.
  2. Scroll to the bottom of the general menu and tap Device Management - Device Manager in the right side of the window. Here you will see details of the configuration information which has been pushed to the device.

 

 

Select Workspace Services

 

Select Device Manager

 

 

Select More Details

 

Select More Details to view additional configuration.

 

 

Select the MDM Profile

 

Look for the Certificates section in this menu. What is seen on your screen may differ from the image above depending on your lab configuration. You should see a certificate issued to your AD user named aduser that has been issued from the CONTROLCENTER-CA that we previously integrated into Workspace ONE UEM. This certificate can be used in conjunction with Email, Wi-Fi or VPN profiles. Certificates can also be used to authenticate to web resources or content repositories. You may select the certificate to view more details. When you are ready, continue to the next step.
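What the device now holds, and what a Wi-Fi, VPN or mail server does with it, can be modelled in a few dozen lines. The following Go program is an added example, not part of the lab or of Workspace ONE UEM: a locally generated CA standing in for CONTROLCENTER-CA issues a client-authentication certificate for the directory user aduser, and a relying party verifies it by building a chain to the CA it trusts, then shows the same certificate failing against an unrelated CA. The CA itself, the P-256 keys, the validity periods and the email SAN used in place of an Active Directory UPN are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssuingCA stands in for CONTROLCENTER-CA. It is generated locally by this
// example; nothing here contacts the lab's real CA or Workspace ONE UEM.
type IssuingCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewCA creates a self-signed root limited to signing certificates and CRLs.
func NewCA(commonName string) (*IssuingCA, error) {
	key, err := newKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &IssuingCA{Cert: cert, Key: key}, nil
}

// IssueUserCert models what the Credentials payload delivers to the device:
// a certificate for one directory user, shaped like a client-authentication
// template (digitalSignature key usage, clientAuth EKU, one-year validity,
// random 128-bit serial). The UPN is carried as an email SAN here, a
// simplification of the otherName UPN an Active Directory template would use.
func (ca *IssuingCA) IssueUserCert(username, domain string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   serial,
		Subject:        pkix.Name{CommonName: username},
		EmailAddresses: []string{username + "@" + domain},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().AddDate(1, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// VerifyClientCert does what a Wi-Fi, VPN or mail relying party does with the
// device certificate: chain it to the CA it trusts and require clientAuth.
func VerifyClientCert(cert, trustedCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	ca, err := NewCA("CONTROLCENTER-CA")
	if err != nil {
		panic(err)
	}
	cert, _, err := ca.IssueUserCert("aduser", "corp.local")
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued CN=%s by CN=%s; trusted-CA check: %v\n",
		cert.Subject.CommonName, cert.Issuer.CommonName, VerifyClientCert(cert, ca.Cert))
	rogue, _ := NewCA("ROGUE-CA")
	fmt.Println("unrelated-CA check:", VerifyClientCert(cert, rogue.Cert))
}
```

The private key never leaves the device in the real flow either; what the relying party sees is only the certificate, which is why the chain check and the clientAuth EKU, not the subject name alone, decide whether the device is accepted.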

 

 

Wrap Up

This concludes configuring Workspace ONE UEM for use with an enterprise Active Directory and an enterprise Certificate Authority. Together they provide a single point of authentication and apply your internal enterprise security settings, so that corporate data security is maintained even on end users' personal devices. Please continue with the next steps to complete the module.

 

Un-enrolling Your Device


You are now going to un-enroll the iOS device from Workspace ONE UEM.

NOTE - The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch Agent application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.


 

Enterprise Wipe (un-enroll) your iOS device

 

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device you will first bring up the Workspace ONE UEM Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and VMware1! as the password).

  1. Click Devices on the left column.
  2. Click List View.
  3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown in the image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click More Actions. NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
  2. Click Enterprise Wipe under Management.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter the Security PIN which you set after you logged into the console (1234).

  1. Scroll down until you see the option for entering the Security PIN.
  2. Enter 1234 for the Security PIN. You will not need to press enter or continue, the console will confirm your PIN showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.  

    NOTE - If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console.  Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

  1. On your device, open the AirWatch Agent application.
  2. Tap the Device section (under Status) in the middle of the screen.
  3. Tap Send Data near the top of the screen.  If this does not make the device check in and immediately un-enroll, continue to Step #4.
  4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
  5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

Feel free to continue to the "Force the Wipe" step to manually uninstall the Workspace ONE UEM services from the device if network connectivity is failing.

 

 

Verify the Un-Enrollment

 

Press the Home button on the device to go back to the home screen. The applications pushed through Workspace ONE UEM should have been removed from the device.

NOTE - The applications and settings pushed through Workspace ONE UEM should have been removed. The Agent will still be on the device because it was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse the various networks out and back to your device. Continue on to the next step to force the wipe if needed.

 

 

Force the Wipe - IF NECESSARY

 

If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.

  1. Tap General in the left column.
  2. Scroll down to view the Device Management option.
  3. Tap Device Manager at the bottom of the list of General settings.

 

 

Force the Wipe - IF NECESSARY

 

Tap the Device Manager profile that was pushed to the device.

 

 

Force the Wipe - IF NECESSARY

 

  1. Tap Remove Management on the Device Manager profile.  
    NOTE - If prompted for a device PIN, enter it to continue.  VMware provisioned devices should not have a device PIN enabled.
  2. Tap Remove on the Remove Management prompt.

After removing the Device Manager profile, the device will be un-enrolled.  Feel free to return to the Verify the Un-Enrollment step to confirm the successful un-enrollment of the device.

 

Conclusion


This lab module reviewed how to integrate a Certificate Authority with Workspace ONE UEM to provision certificates to your enrolled devices.  We were able to generate and deploy a certificate to our iOS device and confirm that the certificate was successfully downloaded.

This concludes this lab module.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1957-01-UEM

Version: 20190109-165014