VMware Hands-on Labs - HOL-1957-03-UEM


Lab Overview - HOL-1957-03-UEM - Workspace ONE UEM - Intelligence

Lab Guidance


Note: It may take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Discover the latest features of Workspace ONE Intelligence, which provides rich analytics from your deployments and applications while reducing the cumbersome administrative workload by automating tasks, OS updates and patches. Learn how you can interact with different business systems without ever leaving VMware Boxer to maximize the productivity of your users.

Lab Module List:

Lab Captains:

Subject Matter Experts:

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved.  All your work must be done during the lab session.  However, you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

 
 

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@" key.

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Introduction to Dashboards, Automation, and Reports

Introduction


With so much data available to IT admins managing modern, mobile work styles and no single tool to make sense of it, IT is faced with a huge challenge to manage the digital workspace. The lack of unified visibility across devices, applications and users makes it particularly hard to make data-driven decisions. As a result, manual processes become the norm, and IT is cornered into being reactive to employee demands and external events instead of being proactive.

Deep insights empower IT admins to better plan and optimize their app and policy deployments based on network performance, resource entitlement and deployment risk. And with the ability to automate processes, IT admins can proactively increase their level of security hygiene and meet compliance requirements, while improving user experiences.

With the new rules engine at the heart of Workspace ONE Intelligence, IT admins can automate processes across their environments by defining rules that take actions based on a rich set of parameters. This allows IT to create contextual workflows that take automated remediation actions based on security threats, and meet compliance requirements through automated access control. And because Workspace ONE Intelligence provides extensibility with an API layer for third parties, IT admins can build workflows that leverage their unique environment to meet their needs.

With automation, Workspace ONE Intelligence helps IT meet compliance requirements and increase security through automated remediation.


Change the Screen Resolution


Before proceeding to the Workspace ONE Intelligence Console, you will increase the screen resolution of the virtual machine for a better experience.

NOTE: The Intelligence Opt-In form will NOT be visible later in the lab unless the resolution is increased!


 

Open the Screen Resolution Settings

 

Return to the Desktop, then right-click and select Screen Resolution.

 

 

Increase the Screen Resolution

 

  1. Click the Resolution dropdown.
  2. Increase the Resolution to 1280x800.
  3. Click Apply.

 

 

Keep Display Settings

 

Click Keep Changes when prompted after changing your resolution.

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Intelligence Opt-in Process


The first step to start using Workspace ONE Intelligence is to authorize the data synchronization between Workspace ONE UEM and the Intelligence Cloud Service. This is done through the Opt-in Process, which needs to be performed by someone with administrator privileges in Workspace ONE UEM.


 

Access to Intelligence

 

In the Workspace ONE UEM Console,

  1. Click HUB.
  2. Click Intelligence.

 

 

Getting Started

 

Click GET STARTED to initiate the Opt-in process

 

 

Authorizing Intelligence to collect and replicate the data (Opt-In)

 

  1. You may need to scroll down to find the Opt In button.
  2. Enable the Opt In checkbox.
  3. Click Next.

 

 

Complete the Terms of Service

 

This is the final step of the Opt-in Process, where you provide your information and accept the VMware Cloud Services TERMS OF SERVICE.

  1. Enter your Name
  2. Enter your Email Address
  3. Enter your Title
  4. Enter your Company Name
  5. Enter your Company Address
  6. Click Accept

After accepting, you will be redirected to the Workspace ONE Intelligence Console.

 

 

Start the 30 Day Trial

 

Click Start 30 Day Trial in the bottom-right corner.

 

 

Enter the details for 30 Day trial

 

  1. Enter your Name.
  2. Enter your Email Address.
  3. Enter your Job Title.
  4. Enter your Company Name.
  5. Enter your Phone Number.
  6. Click Accept.

 

 

Returning to Workspace ONE UEM Console

In order to execute this lab properly, you need to set up the Workspace ONE UEM Automation Connector between Workspace ONE UEM and Intelligence.

Let's return to the Workspace ONE UEM Console where the first setup needs to be made.

 

  1. Click on the Square menu
  2. Click on Workspace ONE UEM Console

 

Connect to Windows 10 VM


We have provided you a Windows 10 VM to complete the necessary steps for this lab. Let's connect to it to complete the steps in the following section.


 

Connect to the Windows 10 VM

 

Double-click the Win10-01a.rdp shortcut on the lab desktop.

If prompted, the login credentials for the Windows 10 VM are:

 

Enrolling Your Windows 10 Device with a Basic Account


We will now enroll our Windows 10 device in Workspace ONE UEM.  First, we will need to download the Workspace ONE Intelligent Hub.


 

Download the Workspace ONE Intelligent Hub on the Windows 10 VM

 

From a new tab in the browser, if not opened already,

  1. Enter https://www.getwsone.com in the navigation bar and press Enter.
  2. Click Download Hub for Windows 10.
    NOTE: Please wait while the Workspace ONE Intelligent Hub installer finishes downloading.  
  3. Click Keep when warned about the AirWatchAgent.msi download.

NOTE - If you do not see the warning about the AirWatchAgent.msi file, skip this and continue to the next step.

 

 

Launch the Workspace ONE Intelligent Hub Installer

 

Click the AirWatchAgent.msi file in your download bar.

NOTE - The installer may take a few seconds to launch, please be patient after clicking the AirWatchAgent.msi file.

 

 

Click Run

 

Click Run to proceed with the installation.

 

 

Enroll Your Windows 10 Device Using the Workspace ONE Intelligent Hub

 

Click Server Detail.

 

Data Visualization through Dashboards


Dashboards are a powerful tool in Workspace ONE Intelligence that allows IT Administrators to build rich visualizations of the available data. Most of the time, reports are the primary source of data representation and provide helpful information. However, using charts or graphs to visualize large amounts of complex data is easier than poring over spreadsheets or reports.

Data Visualization can also:

  1. Identify areas that need attention or improvement.
  2. Clarify which factors influence employee adoption of specific applications.
  3. Help you understand how secure your environment is, based on the OS updates applied to the machines and the new patches available.
  4. Predict hardware failures.
  5. Etc.

Workspace ONE Intelligence includes an out-of-the-box dashboard with nine widgets, which you can customize as you want.

In this chapter you will add a new widget based on historical information that shows enrollment over the last 14 days. This differs from the current widget on the standard dashboard, which only shows the number of enrollments today and the total over time.


 

Launch Intelligence Console

 

  1. Click HUB
  2. Click Intelligence
  3. Click Launch

 

 

Add Widget

 

  1. Click on My Dashboard
  2. Click on Add Widget

 

 

Selecting Category

When adding widgets, the first step is to select the category from which you want to obtain data. The data can be a snapshot of the most recent data, or historical, which lets you look at the data over time and represent it in charts.

Each category comes with a set of templates that can be customized as you create the widget, or you can start from scratch using the Starter/blank template.

 

  1. Click Devices
  2. Select Total Enrollments template
  3. Select Next

 

 

Using Total Enrollments Template

 

The default template shows the number of devices enrolled today.

Based on that template, you will learn how to make changes that show enrollment over time by looking at the historical data.

 

 

Creating Total Enrollments Over time Widget

 

  1. Scroll down until you see the option for Data Visualization
  2. Enter Total Enrollments Over time for Chart Title
  3. Click Historical
  4. Click Line for Chart Type
  5. Enter Platform for by Group
  6. Set Last 14 Days to Date Range
  7. Click Save

Note: The above chart is an example based on a certain amount of data. Your chart will reflect the current number of devices, so your results will differ.

 

 

Setting Widget location and sizing on the Dashboard

 

The Widget has been added to the bottom of your dashboard.

  1. You can move the widget around by clicking and holding on the Chart tile.
  2. You can also resize the widget by selecting the edges and dragging.

 

Getting Insights through Reports


Reports are a powerful tool in Workspace ONE Intelligence that gives IT Administrators easy access to and visibility into device, application and OS update data. Reporting is scalable and won't impact the performance of the entire solution when you have a lot of data or are running many reports daily.

All the data synced by the Workspace ONE Intelligence Connector (ETL service) is available through reports. After opt-in to Intelligence, the ETL service pushes all the data available in the AirWatch database, and after that just the delta. The delta is based on device samples sent to Workspace ONE UEM.

In this chapter you will learn how to create reports that can drive business decisions, help to mitigate issues and automatically share information with other departments.


 

Creating Device Report

 

  1. Click Reports
  2. Click Add Report

 

 

Selecting Report Category

When creating reports, the first step is to select the category from which you want to obtain data. The columns to display and the filters that can be used in the report rely on that selection.

The categories available today are:

Each category comes with a set of templates that can be customized as you create the report, or you can start from scratch using the Starter/blank template.

 

Feel free to click on each category and check the templates available for each. In this module we will create two reports, one based on the Device category and the other based on OS Updates.

  1. Click Devices
  2. Select Enrolled Devices
  3. Click Next

 

 

Customizing Report Filter

The Enrolled Devices template creates a report with pre-defined columns, filtered to only enrolled devices. Right after that, you can see a preview of the report based on live data.

 

  1. Click + to add a new filter
  2. Enter Platform for the field
  3. Select Includes for the filter type
  4. Enter WinRT, Android and Apple for the value field

The Report Preview will show the number of Windows devices enrolled at this point.

Note: The report preview is an example based on a certain amount of data. Your report will reflect the current number of devices, so your results will differ.

 

 

Customizing Report Columns

 

You can easily add or remove columns from the report, to start:

  1. Scroll down until you see the option Report Preview
  2. Click Edit Columns

 

 

Selecting Columns

 

  1. Select the following columns: Available Capacity, Available Physical Memory, BIOS Version and Battery Percent
  2. Click ADD

 

 

Changing Columns Order

 

  1. Select the four columns you just added, clicking on each one
  2. Click Down button four times
  3. Click Save

 

 

Preview with new columns

 

  1. New columns have been added to the report and are available in the Report Preview.
  2. Click Next

 

 

Saving the Report

 

  1. Enter Windows, Android and Apple Enrolled Devices for the Report name
  2. Enter All enrolled Windows, Android and Apple devices with details for the Description
  3. Check Run Report now - that will generate a CSV file and make it available for download - we will review that later in this chapter
  4. Click Save

 

 

Report Preview

 

Click Overview

A preview of the report will show up based on the conditions previously defined. This report is now part of the list of available reports. The EDIT option allows you to make changes to the report.

 

 

Downloading Report

 

  1. Click Downloads
  2. Click on the Refresh Icon
  3. Validate that the status is now Completed
  4. Click Download link to download the report in CSV format
  5. Validate that report gets downloaded in the CSV format.

 

 

Adding Schedule Report

Requests for reports are quite common in every organization. Most of the time, marketing, purchasing, HR and other departments request some type of report regarding their Digital Workspace, to be sent weekly, monthly or at some other interval. Workspace ONE Intelligence allows reports to be scheduled, which runs the report and sends it via e-mail to a list of people or a distribution list defined by the IT Administrator.

 

  1. Click Schedules
  2. Click ADD

 

 

Configuring Report Schedule

 

  1. Enter Windows, Android and Apple Enrolled Devices for Schedule Name
  2. Select Monthly for Recurrence
  3. Select 1 for Day of the Month
  4. Enter 08:00 AM for Starts At
  5. Set 12/31/2018 as the End date
  6. Enter your company e-mail and press ENTER
  7. Enter Windows, Android and Apple Enrolled Devices for Subject
  8. Enter Monthly report containing the list of Windows Desktop, Android and Apple devices managed by Workspace ONE UEM for Message
  9. Click SCHEDULE

 

 

Confirming Report Schedule

 

  1. Click on Schedules
  2. Confirm that your schedule has been added based on the parameters previously defined.

 

Integrating Automation and Workspace ONE UEM API



 

Returning to Workspace ONE UEM Console

 

  1. Click on the Square menu
  2. Click on Workspace ONE UEM Console

 

 

Access All Settings

 

  1. Click Groups & Settings
  2. Click All Settings

 

 

Enable Workspace ONE UEM API

In this step you will obtain the API Key for your tenant, which you will use later in the Workspace ONE Intelligence Console. To keep that information, we recommend that you open Notepad on your Windows Desktop and copy/paste the API Key there. You can also just copy it using CTRL+C, but remember that you will be using the API Key value right after this step. The steps to obtain the API Key are below.

 

 

Navigate to REST API

 

  1. Click on System
  2. Click on Advanced
  3. Click on API
  4. Click on REST API
  5. Click Override. This generates a new API Key and is required to override the Customer OG when integrating with Workspace ONE Intelligence.
  6. Select the API Key for the AirWatchAPI Service, right-click and select Copy, then switch to Notepad and right-click to paste the API Key.
  7. Click Save
  8. Click X to close the pop-up window

 

 

Save API Key

 

  1. Click the Windows button.
  2. Type Notepad to search.
  3. Click Notepad from the list of results.

 

 

Return to Workspace ONE Intelligence Console

 

  1. Click HUB
  2. Click Intelligence
  3. Click Launch

 

 

Navigate to Automation Connections

 

  1. Under Reporting, click on Settings
  2. For the option Automation Connection, select VIEW

 

 

Setup Workspace ONE UEM Connector

 

Click Authorize for Workspace ONE UEM API

 

 

Provide Credentials for Workspace ONE UEM Connector

 

  1. Click Provide Credentials
  2. Enter https://labs.awmdm.com for Base URL
  3. Enter YOUR VLP E-MAIL for API User Name
  4. Enter VMware1! for API User Password
  5. Enter the API Key that you just saved in Notepad for Workspace ONE UEM Tenant Code API Key
  6. Click Connect

 

 

Validate Successful Authorization

 

You should see DEAUTHORIZE on the Workspace ONE UEM Card, which confirms that the integration was done successfully.

 

Predicting Windows 10 Dell Battery Failures and Automate Replacement


Employees are using Windows devices that no longer last a full work day without charging. This disrupts their workday, reduces mobility and increases dissatisfaction, and employees either seek remediation via the helpdesk or do nothing and end up keeping their laptops plugged in at all times.

How Workspace ONE Intelligence can help:

Key benefits: Reduce costs linked to user-generated support tickets or calls, increase employee experience and productivity. Increase lifespan of devices.


 

Creating Automation

 

Click Add Automation

 

 

Select Automation Template

 

  1. Click on Create a custom automation
  2. Click Next

 

 

Defining the conditions to Trigger the automation

 

  1. Under Filter, Enter Dell Battery Replacement for Name
  2. Enter Dell Battery Health for the filter field
  3. Enter Less Than for the Condition
  4. Enter 25 for the field value

 

 

Adding Workspace ONE UEM Action

 

  1. Scroll down until you see the section Add Action
  2. Click on + sign to expand the options
  3. Click on Workspace ONE UEM API
  4. Click on Add Tag to Device

 

 

Configuring Action

 

  1. Enter 257 for Tag ID - that will tag the device on Workspace ONE UEM Console as Needs battery replacement
  2. Turn ON for Enable this automation after saving
  3. Click Save

 

 

Saving and Enabling Automation

 

  1. Click Save & Enable

 

 

Access to Automation Logs

 

The automation, which will always be looking for Dell devices that need battery replacement, has been created. View Logs shows the logs for each time this automation is triggered.

 

 

Viewing Automation Logs

 

For this lab the log will be empty, as we enrolled a Windows VM and not a physical Windows 10 Dell device.

The above image shows a log example of multiple actions taken on different services.

For the example that you just created, in the real world you could also set up a ServiceNow integration and create a helpdesk ticket that includes the user and device information, requesting that a new battery be shipped to the user's home.
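
The rule configured above (Dell Battery Health Less Than 25, then Add Tag to Device with Tag ID 257) can be dry-run against exported device data before it is enabled, which also shows why the log stays empty for a VM that reports no battery health. This is an added example, not code from the lab or from VMware; the export field names, the sample records, the uem.example.com host, the credentials, and the tag endpoint path and request body are assumptions to check against your tenant's API documentation.

```python
"""Dry run of the 'Dell Battery Replacement' automation (added example)."""
import base64
import operator

# Conditions a filter row can use; the lab's rule uses "Less Than".
OPERATORS = {
    "Less Than": operator.lt,
    "Greater Than": operator.gt,
    "Equals": operator.eq,
}

# The rule as entered in the lab steps.
RULE = {
    "name": "Dell Battery Replacement",
    "field": "dell_battery_health",  # assumed export column name
    "condition": "Less Than",
    "value": 25,
    "tag_id": 257,                   # Tag ID from the lab steps
}

# Constructed sample records, not real device data.
DEVICES = [
    {"device_id": 101, "friendly_name": "dell-latitude-01", "dell_battery_health": "18"},
    {"device_id": 102, "friendly_name": "dell-latitude-02", "dell_battery_health": "25"},
    {"device_id": 103, "friendly_name": "dell-xps-03", "dell_battery_health": "92"},
    {"device_id": 104, "friendly_name": "win10-01a-vm", "dell_battery_health": ""},
    {"device_id": 105, "friendly_name": "android-05"},
    {"device_id": 106, "friendly_name": "dell-latitude-06", "dell_battery_health": "n/a"},
]


def parse_metric(raw):
    """Return the value as a float, or None when the device reported nothing usable."""
    if raw is None:
        return None
    try:
        return float(str(raw).strip())
    except ValueError:
        return None


def evaluate(rule, devices):
    """Return (matched, skipped): devices that trigger the rule, and devices
    that cannot be evaluated because the attribute is missing or not numeric."""
    compare = OPERATORS[rule["condition"]]
    matched, skipped = [], []
    for device in devices:
        value = parse_metric(device.get(rule["field"]))
        if value is None:
            skipped.append(device)   # e.g. a VM or a non-Dell device
        elif compare(value, rule["value"]):
            matched.append(device)
    return matched, skipped


def build_tag_request(rule, matched, base_url, api_user, api_password, tenant_code):
    """Describe the tagging call without sending it; None when nothing matched.
    Endpoint path and body shape are assumptions, not taken from the lab."""
    if not matched:
        return None
    token = base64.b64encode(f"{api_user}:{api_password}".encode()).decode()
    return {
        "method": "POST",
        "url": f"{base_url.rstrip('/')}/api/mdm/tags/{rule['tag_id']}/adddevices",
        "headers": {
            "Authorization": f"Basic {token}",
            "aw-tenant-code": tenant_code,  # the API Key copied from the REST API page
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        "body": {"BulkValues": {"Value": [d["device_id"] for d in matched]}},
    }


def redact(request):
    """Copy of the request that is safe to write to a log or a change ticket."""
    safe = dict(request)
    safe["headers"] = dict(request["headers"])
    safe["headers"]["Authorization"] = "Basic <redacted>"
    safe["headers"]["aw-tenant-code"] = "<redacted>"
    return safe


if __name__ == "__main__":
    matched, skipped = evaluate(RULE, DEVICES)
    print("would tag:", [d["friendly_name"] for d in matched])
    print("not evaluated:", [d["friendly_name"] for d in skipped])
    request = build_tag_request(RULE, matched, "https://uem.example.com/",
                                "admin@example.com", "example-password",
                                "EXAMPLE-TENANT-CODE")
    print(redact(request))
```

Reviewing the matched and skipped lists before turning on Enable this automation after saving shows how many devices the rule would touch and how many it cannot evaluate at all.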

 

Un-enrolling your Windows 10 Device


In this section, we are going to un-enroll our Windows 10 VM so that we can use it for other lab modules. We will delete the device record from the console, which will also un-enroll the device and remove all the apps and profiles that are pushed from Workspace ONE UEM console, also known as managed content.


 

Delete Device from Workspace ONE UEM Console

 

From the Workspace ONE UEM Console,

  1. Click on Devices
  2. Click on List View
  3. Select the check box next to your device friendly name.
  4. Click on More Actions
  5. Click on Delete Device

 

 

Enter Reason and Delete

 

  1. Enter the reason as lab completed.
  2. Click on Delete

 

 

Validate DELETE IN PROGRESS...

 

  1. You may see device friendly name changing to DELETE IN PROGRESS...
  2. Click on the Refresh Icon to validate if the device deletion is successful.

 

 

Ensure that device record is deleted

 

  1. Use the Refresh Button if needed.
  2. Ensure that the device record is now deleted from the Workspace ONE UEM console and you see the message No Records Found.

 

 

 

Navigate to Windows 10 Settings

 

  1. Click on the Windows Icon
  2. Click on the gear icon to access Windows 10 Settings

 

 

 

Access Accounts Settings

 

From the Settings Menu, access Accounts

 

 

Validate That No Management Account Exists

 

 

  1. Click on Access work or school
  2. Validate that you DO NOT see any account connected to AirWatchMDM.

NOTE - The CORP AD domain is the local domain in this lab and is not controlled by AirWatch Enrollment, so you will see this connection if your device is enrolled or unenrolled.

 

Conclusion


In this module, you've learned:

For additional information on Workspace ONE Intelligence, be sure to check out the VMware Workspace ONE Intelligence page at https://www.vmware.com/products/workspace-one/intelligence.html


Module 2 - Mobile Flows

Introduction


Workspace ONE Mobile Flows is the latest addition to the VMware Workspace ONE platform. Mobile Flows helps device users perform tasks across multiple business backend systems within any application that has been integrated with Mobile Flows. This eliminates the need to visit multiple websites to perform different business tasks. You can use the Mobile Flows either by leveraging different preconfigured connectors or by building custom developed services.


Change the Screen Resolution


Before proceeding to the Workspace ONE Intelligence Console, you will increase the screen resolution of the virtual machine for a better experience.

NOTE: The Intelligence Opt-In form will NOT be visible later in the lab unless the resolution is increased!


 

Open the Screen Resolution Settings

 

Return to the Desktop, then right-click and select Screen Resolution.

 

 

Increase the Screen Resolution

 

  1. Click the Resolution dropdown.
  2. Increase the Resolution to 1280x800.
  3. Click Apply.

 

 

Keep Display Settings

 

Click Keep Changes when prompted after changing your resolution.

 

Mobile Flows Logical Overview


In this section, we are going to see the different components and sub-systems involved with Mobile Flows and how they interact with each other.

 

 

  1. The VMware Identity Manager instance is registered with the Mobile Flows Server.
  2. Application fetches a JSON Web Token (JWT) for Authentication.
  3. Application sends request to Mobile Flows Server to query details to form a Mobile Flow Card.
  4. Mobile Flows Server discovers Connector and requests content.
  5. Connector fetches and consolidates business system data for the Mobile Flow Card.
  6. Data is returned to the Mobile Flows Server.
  7. Data is delivered to the app.

High Level Configuration Walkthrough


In order to limit the scope of the lab, you will be working with a pre-configured setup. The high level steps of setting up Mobile Flows are as follows:

  1. Integrate Workspace ONE UEM with VMware Identity Manager.
  2. Configure Remote App Access template in VMware Identity Manager.
  3. Build a custom Mobile Flows Connector or use the Out of the Box Connector.
  4. Install Mobile Flows Connector on a server with a public URL.
  5. Configure Mobile Flows Connectors in Workspace ONE UEM Console.
  6. Configure VMware Boxer to leverage Mobile Flows using App Config.
  7. Install VMware Boxer on a  managed device.
  8. Enable Mobile Flows in VMware Boxer App.

Integrate Workspace ONE with VMware Identity Manager


VMware Identity Manager (vIDM) can be used to authenticate the information transfer when using connectors for client applications. If your environment includes VMware Identity Manager, you can create a VMware Identity Manager template to fetch user specific JSON Web Token (JWT) for connector authentication.

We have already integrated Workspace ONE and VMware Identity Manager for this lab. However, if you want to learn more about how this integration and configuration can be performed, please refer to the following HOL from the Workspace ONE HOL Catalog - HOL-1957-01-UEM / Module 1 - Workspace ONE Setup and Configuration. That lab will also walk through the AD integration using VMware Enterprise Systems Connector so that we can leverage AD accounts as administrators.


Configure Remote App Access Template in VMware Identity Manager


This section will walk you through how to create a template within VMware Identity Manager (vIDM) to request the JSON Web Token (JWT) used to authenticate Mobile Flows traffic. This template is already set up for you for this lab. Let's go through the following video to see how the template was configured.


 

Remote App Access Template in VMware Identity Manager

This video will walk you through how to set up and configure the Remote App Access Template in VMware Identity Manager.

NOTE - The video contains no spoken instructions.  Please refer to the subtitles for instructions about the installation process. Do not attempt to make any of the configurations or changes shown in the demo video!  This demonstration is only to highlight the configuration and installation process for your knowledge.

 

Build Mobile Flows Connector


Mobile Flows Connectors are the components responsible for interacting with the backend business systems that you integrate with. They are responsible for data fetching and also for performing the actions as requested by the client application.

Workspace ONE offers out-of-the-box connectors targeting top use cases with the most popular business systems. All the source code for these connectors is open source, so anyone can modify the existing connectors or build their own custom connector using our API spec and sample connectors.  Custom connectors can be built in around 250 lines of code or less and are flexible to be built using your preferred programming language. Custom Connectors allow you to match the data model of your business system and to create business logic that will meet the needs of your end users.


 

Workspace ONE Mobile Flows Connector

Workspace ONE administrators deploy a lot of applications to their end users targeting different use cases. Sometimes your end users don't know that they have certain applications available to download On-Demand. At other times, they are aware that a certain application is available in their Workspace ONE catalog but they don't know what it is used for.

The Workspace ONE Connector presents Mobile Flows Cards inviting users to install apps that are missing from the user's device. The Mobile Flows Client Framework is in the VMware Boxer app and is responsible for parsing the e-mail body for keywords. Once one of the keywords matches, the Workspace ONE Connector is responsible for requesting the application from the Workspace ONE Catalog via a Mobile Flows Card within that particular e-mail itself. This connector uses application keywords, device UDID and device platform to request the correct app from the Workspace ONE Catalog.

 

 

Setup and Configuration Video

This video will walk you through how to set up and configure the Workspace ONE Connector.

NOTE - The video contains no spoken instructions.  Please refer to the subtitles for instructions about the installation process. Do not attempt to make any of the configurations or changes shown in the demo video!  This demonstration is only to highlight the configuration and installation process for your knowledge.

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Configure Connectors in Workspace ONE UEM Console


Once we have successfully deployed the Mobile Flows Connector on a public-facing URL, the next step is to add the connection information in the Workspace ONE Console. These details will be used by the Mobile Flows server for Connector discovery and by the client applications to interact with the backend systems.

For this lab, the Workspace ONE App Discovery Connector is already hosted for you. The following video will walk you through the process.

 


 

Configure Connector in Console

This video will walk you through how to configure Mobile Flows Connector in Workspace ONE UEM Console.

NOTE - The video contains no spoken instructions.  Please refer to the subtitles for instructions about the installation process. Do not attempt to make any of the configurations or changes shown in the demo video!  This demonstration is only to highlight the configuration and installation process for your knowledge.

 

Configuration File for mapping of keywords to Apps


For this lab, we are going to validate the scenario where the email body is parsed for the keyword travel and it should populate a Mobile Flows Card to install the Coupa app.


 

Application Configuration File for mapping of keywords to Apps (FOLLOW ALONG)

 

The Mobile Flows Connector gets the mapping of keywords to apps from the file located at /etc/opt/vmware/connectors/airwatch/managed-apps.yaml.

For this lab, the file is configured as follows:

  1. Populate the hero card pointing to the app with bundle ID com.coupa.push
  2. For the keyword travel

NOTE - For the flow to work the application should already be assigned to the device with the deployment type as On Demand. Mobile Flows Cards will not appear if the app is already installed on the device.

NOTE - You do not need to complete any configurations on this step, it is only used to highlight the changes already setup for you.
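
The decision described above, as an added sketch that is not part of the lab or the connector's own source: a keyword found in the e-mail body maps to a bundle ID, and a card is offered only when that app is assigned On Demand and is not already installed. The mapping layout, device records, UDID values and whole-word matching rule are all assumptions constructed for illustration; the real managed-apps.yaml schema is not shown on this page, and the sketch folds the Boxer-side keyword parsing and the connector-side lookup into one script.

```python
import re

# Constructed stand-in for the keyword-to-app mapping, keyed by platform.
# The real managed-apps.yaml layout is not shown in the lab manual.
KEYWORD_MAP = {
    "ios": {"travel": "com.coupa.push"},
}

# Constructed device records keyed by UDID (hypothetical values):
# platform, apps assigned On Demand, and apps already installed.
DEVICES = {
    "UDID-EXAMPLE-0001": {"platform": "ios",
                          "on_demand": {"com.coupa.push"}, "installed": set()},
    "UDID-EXAMPLE-0002": {"platform": "ios",
                          "on_demand": {"com.coupa.push"},
                          "installed": {"com.coupa.push"}},
    "UDID-EXAMPLE-0003": {"platform": "ios",
                          "on_demand": set(), "installed": set()},
}


def match_keywords(body, keywords):
    """Return the keywords present in the body as whole words.

    Matching is case-insensitive. Whole-word matching is an assumption
    made here so that "traveller" does not trigger the "travel" card.
    """
    found = []
    for kw in keywords:
        if re.search(r"\b" + re.escape(kw) + r"\b", body, re.IGNORECASE):
            found.append(kw)
    return sorted(found)


def cards_for_email(body, udid):
    """Return install cards for one e-mail body and one device."""
    device = DEVICES.get(udid)
    if device is None:
        return []  # unknown device: offer nothing
    mapping = KEYWORD_MAP.get(device["platform"], {})
    cards = []
    for kw in match_keywords(body, mapping):
        bundle_id = mapping[kw]
        if bundle_id not in device["on_demand"]:
            continue  # the app must already be assigned as On Demand
        if bundle_id in device["installed"]:
            continue  # no card when the app is already on the device
        cards.append({"keyword": kw, "bundle_id": bundle_id,
                      "action": "install"})
    return cards


if __name__ == "__main__":
    print(cards_for_email("Please book travel for next week",
                          "UDID-EXAMPLE-0001"))
```

Because the card can only offer apps the administrator has already assigned to that device, the text of an e-mail selects among permitted apps and cannot introduce a new one.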

 

Retrieve Your Exchange Account Details


A temporary Exchange mailbox has been generated for you to use throughout this lab.  The account credentials are uploaded to the Content section of the Workspace ONE UEM Console.


 

Locate Your Exchange Account Details

 

In the Workspace ONE UEM Console,

  1. Click Content
  2. Expand Content Locker.
  3. Click List View.
  4. Find the text file named Mailbox Details for your@email.shown.here.txt and click the toggle button beside it to select the file.
  5. Click Download.

 

 

Open the Downloaded Text File

 

After the file downloads, click the Mailbox Details for your@email.shown.here.txt file from the download bar to open it.

 

 

Note the Email Address

 

You will use this Email Address and sAMAccountName in an upcoming exercise to enroll your iOS Device and to send an email with VMware Boxer. Leave this Notepad file open while you complete the lab to refer to the details when instructed.

 

Switch Account Role to the Mobile Flows Organization Group


Before making any configurations within the Workspace ONE UEM console, you will need to change your Account Role to the Mobile Flows organization group that has been created for you as part of this lab. This separate organization group in Workspace ONE UEM contains the preconfigured components you have been reviewing so far. Your additional console configurations must be made at this organization group in order to function properly once you enroll your device.


 

Switch to Your mflows Organization Group

 

In the Workspace ONE UEM Console,

  1. Click the User dropdown in the top-right corner.  The text will be your VLP Email Address.
  2. Click the Account Role dropdown.
  3. Click the AirWatch Administrator at mflows_your@email.shown.here role.

 

 

Confirm the mflows Organization Group is Active

 

  1. The Organization Group tab at the top of the Workspace ONE Console should now show mflows_your@email.shown.here.
  2. Make note of your Group ID. This Group ID is separate from your original Organization Group ID and will be used when you enroll a device in an upcoming exercise.

 

Configure VMware Boxer to leverage Mobile Flows


We have seen how to configure the Workspace ONE Mobile Flows Connector for App Discovery. The Mobile Flows Client Framework embedded into VMware Boxer is responsible for parsing the email body for keywords and initiating the Mobile Flows card within the app. After that, the Mobile Flows server does Connector discovery and authentication using the configuration in the Workspace ONE UEM Console.

In this section, we are going to see how we can use Application Configuration to enable VMware Boxer to leverage Mobile Flows.


 

Add the VMware Boxer Client as an iOS Public Application

 

  1. Click Add.
  2. Click Public Application.

 

 

Add the Assignment

 

Click the Add button at the bottom of the page.

 

iOS Device Enrollment for Mobile Flows


Before enrolling, you will need to locate a few details from the Workspace ONE UEM Console and the Mailbox Details text file you downloaded previously in order to enroll your device.  Follow the next steps to retrieve the needed details and make note of their values, as you will use them in the upcoming steps.


 

Locate your Exchange Account Credentials

 

  1. Click the Mailbox Details for your@email.shown.here text file from the task bar that you opened in the previous steps.
  2. Note your Email Address.  This will be the username you provide during iOS enrollment.
  3. Note the Email Password.  This will be the password you provide during iOS enrollment.
  4. Note the sAMAccountName.  This will be the username you provide when signing into the Workspace ONE App on the iOS device.

Leave this Notepad file open while you advance through the rest of the exercise, as you will need to refer back to these values in upcoming steps.

 

 

Enroll Your iOS Device

In this section, we are going to enroll an iOS device to complete the steps on the device side.

 

Validate that the Coupa App is assigned


The pre-requisite for the Hero Card to populate is that the app needs to be assigned to the device with the deployment mode as On Demand.


 

Launch Workspace ONE App

 

Tap on the icon to launch the Workspace ONE App.

 

 

Select the HOL domain

 

  1. Select hol for the domain.
  2. Tap Next

 

 

Enter Credentials

 

  1. Enter Your sAMAccountName from the Mailbox Details text file you downloaded when retrieving your Exchange Account Details.
  2. Enter VMware1! for the password.
  3. Tap Sign in.

 

 

Enter the App Catalog

 

You will see a series of screens updating the progress on building your workspace.  When the process is complete, tap Enter.

 

 

Accept Push Notifications from Workspace ONE

 

Tap Allow when prompted to accept push notifications from Workspace ONE.

 

 

Validate that Coupa app is assigned

 

Validate that you see Coupa - Expenses & Approvals in the Workspace ONE Catalog. Do NOT install the application from Workspace ONE, as the application will need to be uninstalled for the upcoming Mobile Flows Hero Card demonstration to work.

In the next section, we will see how a Hero Card is populated to prompt the install of the Coupa App.

 

 

Return to the iOS device Spring Board

Click the home button of your iOS device to return to the Spring Board.

 

Experience Mobile Flows in action


In this section, we are going to see how Mobile Flows enhances the functionality of VMware Boxer. We have already deployed the app with Application Configuration to enable Mobile Flows. The client framework is responsible for parsing the email body for the keyword, and it will trigger the Workspace ONE App Discovery Connector.


 

Launch VMware Boxer

 

Tap on the icon to launch VMware Boxer.

 

 

Accept the Privacy Prompt

 

Tap I understand to accept the Privacy prompt.

 

 

Enter the password for the email account

 

  1. Enter VMware1! for the password.
  2. Click Get Started.

 

 

Accept the Boxer Prompts

 

You might see several prompts for permissions and push notifications for Boxer.  Click OK or Allow as necessary.

 

 

Enable Mobile Flows in Settings

 

From the bottom right corner, tap on the option Settings

 

 

Tap on Mail

 

From the bottom toolbar, tap on option Mail to return to the Inbox

 

 

Compose a new email

 

Tap the icon to compose a new email.

 

 

Validate the Hero Card

 

  1. If the email does not display, you may need to swipe down to refresh your inbox.
  2. Tap the email you sent to yourself, if it is not already selected.
  3. After about 10 seconds, validate that the Hero Card pops up to prompt to install the Coupa app.
  4. Tap Install to proceed with the installation.

 

 

Accept the prompt for Application Installation

Click Install to proceed with the installation of the Coupa app.

 

 

Validate the App Installation

 

Press the home button of the iOS Device to return to the Spring Board. Validate that the Coupa application is installed as initiated from the Hero Card within the Boxer email.

 

Un-enrolling Your Device


You are now going to un-enroll the iOS device from Workspace ONE UEM.

NOTE - The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch Agent application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.


 

Enterprise Wipe (un-enroll) your iOS device

 

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device you will first bring up the Workspace ONE UEM Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and VMware1! as the password).

  1. Click Devices on the left column.
  2. Click List View.
  3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown in the image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click More Actions. NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
  2. Click Enterprise Wipe under Management.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter the Security PIN which you set after you logged in to the console (1234).

  1. Scroll down until you see the option for entering Security PIN
  2. Enter 1234 for the Security PIN. You will not need to press enter or continue, the console will confirm your PIN showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.  

    NOTE - If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console.  Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

  1. On your device, open the AirWatch Agent application.
  2. Tap the Device section (under Status) in the middle of the screen.
  3. Tap Send Data near the top of the screen.  If this does not make the device check in and immediately un-enroll, continue to Step #4.
  4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
  5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

Feel free to continue to the "Force the Wipe" step to manually uninstall the Workspace ONE UEM services from the device if network connectivity is failing.

 

 

Verify the Un-Enrollment

 

Press the Home button on the device to go back to the home screen. The applications pushed through Workspace ONE UEM should have been removed from the device.

NOTE - The applications and settings pushed through Workspace ONE UEM should have been removed. The Agent will still be on the device because that was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse through the various networks out and back to your device. Continue on to the next step to force the wipe if needed.

 

 

Force the Wipe - IF NECESSARY

 

If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.

  1. Tap General in the left column.
  2. Scroll down to view the Device Management option.
  3. Tap Device Manager at the bottom of the list of General settings.

 

 

Force the Wipe - IF NECESSARY

 

Tap the Device Manager profile that was pushed to the device.

 

 

Force the Wipe - IF NECESSARY

 

  1. Tap Remove Management on the Device Manager profile.  
    NOTE - If prompted for a device PIN, enter it to continue.  VMware provisioned devices should not have a device PIN enabled.
  2. Tap Remove on the Remove Management prompt.

After removing the Device Manager profile, the device will be un-enrolled.  Feel free to return to the Verify the Un-Enrollment step to confirm the successful un-enrollment of the device.

 

Conclusion


Mobile Flows helps users perform the majority of business-critical tasks from a single app, which significantly reduces the overhead of switching among different apps and the related configurations. Mobile Flows Connectors are the components responsible for interacting with the business systems. They are offered out-of-the-box for quick adoption and are also open sourced so that they can be customized for various use cases.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1957-03-UEM

Version: 20181104-163018