Guide to Deploying VMware Workspace ONE with Workspace ONE Access

DEC 2019
VMware Workspace ONE
VMware Workspace ONE Access


You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2017-2019 VMware, Inc. All rights reserved. Copyright and trademark information.


Contents

1 Introduction to Workspace ONE
    Workspace ONE Architecture Overview
    Workspace ONE Deployment Requirements
    Workspace ONE Feature Details

2 Integrating Workspace ONE UEM With Workspace ONE Access
    Getting Started with Workspace ONE
    Set Up Integration From Workspace ONE UEM Console
    Create REST API Keys in Workspace ONE UEM
    Export VMware Workspace ONE UEM Administrator Root Certificate
    Setting Up a Workspace ONE UEM Instance in Workspace ONE Access
    Add Workspace ONE UEM Settings to Workspace ONE Access
    Mapping Workspace ONE Access Domains to Multiple Organization Groups in Workspace ONE UEM
    Deployment Strategies for Setting Up Multiple Workspace ONE UEM Organization Groups
    Enable Workspace ONE Catalog for Workspace ONE UEM
    Enabling Compliance Checking for Workspace ONE UEM Managed Devices
    Configure Compliance Checking Rules
    Enable User Password Authentication through Workspace ONE UEM
    Updating Workspace ONE Access After Upgrading Workspace ONE UEM
    Implementing Authentication with AirWatch Cloud Connector
    Managing User Attributes Mapping
    Sync Users and Groups from Workspace ONE UEM Directory to Workspace ONE Access Directory
    Managing Configuration of Password Authentication to Workspace ONE UEM
    Configure Built-in Identity Providers in Workspace ONE Access

3 Implementing Mobile Single Sign-On Authentication for Workspace ONE UEM-Managed iOS Devices
    Using Workspace ONE UEM Certificate Authority for Kerberos Authentication
    Enable and Export the Workspace ONE UEM Certificate Authority
    Configure Active Directory Certificate Authority in Workspace ONE UEM
    Configuring Workspace ONE UEM to Use Active Directory Certificate Authority
    Add Certificate Template in Workspace ONE UEM
    Using a Key Distribution Center for Authentication from iOS Devices
    Using the Cloud Hosted KDC Service
    Configure Mobile SSO for iOS Authentication in Workspace ONE Access
    Configure the Built-In Identity Provider for Mobile SSO iOS Authentication
    Create a Conditional Access Policy Rule
    Configure Apple iOS Profile in Workspace ONE UEM Using Workspace ONE UEM Certificate Authority
    Configure Apple iOS Profile in Workspace ONE UEM Using Active Directory Certificate Authority and Certificate Template
    Assign a Workspace ONE UEM Device Profile to Smart Groups

4 Implementing Mobile Single Sign-On Authentication for Managed Android Devices
    Supported Android Device

5 Using the Workspace ONE Catalog
    Managing Resources in the Catalog
    Adding Web Applications to Your Organization's Catalog
    Grouping Apps into Categories

6 Custom Branding for Workspace ONE Access Services
    Customize Branding in Workspace ONE Access Service
    Customize Branding for the Workspace ONE User Portal

7 Accessing Other Documents


1 Introduction to Workspace ONE

VMware Workspace ONE® is a secure enterprise platform that delivers and manages applications on iOS, Android, macOS, and Windows 10 devices. Identity, access, application, and enterprise mobility management are integrated into the Workspace ONE platform. Workspace ONE can be installed on premises or delivered as a SaaS deployment.

VMware Workspace ONE Access delivers risk-based conditional access and single sign-on for VMware Workspace ONE. Workspace ONE Access combines the user's identity with factors such as information about their device and network to make intelligence-driven conditional access decisions.

Workspace ONE UEM services provide device enrollment, application distribution, and compliance checking tools to ensure that remote access devices meet corporate security standards. Users on Workspace ONE UEM-enrolled devices can log in to their enabled applications securely without entering multiple passwords.

Your Privacy

For information about how VMware handles information collected through this product, such as analytics, see the VMware Privacy Notices page.

This chapter includes the following topics:

• Workspace ONE Architecture Overview

• Workspace ONE Deployment Requirements

• Workspace ONE Feature Details

Workspace ONE Architecture Overview

Workspace ONE provides users secure access to cloud, mobile, and Windows applications managed from a unified catalog. For device access, the Workspace ONE native application is available for iOS, Android, macOS, and Windows 10 devices.

When Workspace ONE is deployed, the following Workspace ONE Access and Workspace ONE UEM services must be implemented.

• You can configure either the Workspace ONE Access Connector component or the AirWatch Cloud Connector (ACC) component.


• Integration of your company's Active Directory with Workspace ONE Access or with the Workspace ONE UEM Cloud Connector to sync users and groups from Active Directory to the Workspace ONE service.

• Configuration of Workspace ONE Access with the Workspace ONE UEM API keys and the administrator root certificate, and enabling of the Workspace ONE catalog, compliance check, and user password authentication through Workspace ONE UEM.

Figure 1-1. Workspace ONE Architecture Overview

Workspace ONE Deployment Requirements

To deploy Workspace ONE, the following must be set up.


Table 1-1. Workspace ONE System Requirements

Requirement: Active Directory
Details:
    Windows Server 2008 and 2008 R2
    Windows Server 2012 and 2012 R2
    Windows Server 2016

Requirement: Network access to a web browser to access the administration services consoles.
Details:
    Internet Explorer 11 for Windows
    Google Chrome 42.0 and later
    Mozilla Firefox latest version
    Safari 6.2.8 and later
    Microsoft Edge latest version

Requirement: Workspace ONE Access connector or AirWatch Cloud Connector installed.
Details:
    • The Workspace ONE Access connector is the on-premises component of the Workspace ONE Access service for tenants. The connector provides directory integration, user authentication, and integration with resources such as Horizon 7. On-premises customers might require this connector depending on their network architecture. You integrate your enterprise directory with Workspace ONE Access to sync users and groups to the directory. For the VMware Workspace ONE Access Connector installation guide, go to the Workspace ONE Access Documentation Center.
    • The AirWatch Cloud Connector is a simple but feature-limited implementation. You set up a connection to Active Directory to sync users and groups to the Workspace ONE UEM directory. For the AirWatch Cloud Connector installation guide, go to the Workspace ONE UEM Documentation Center.
    Connector server requirements:
    Windows Server 2008 R2
    Windows Server 2012 or 2012 R2
    .NET Framework 4.6.2

Workspace ONE Feature Details

The major features in Workspace ONE are described below.

Native Mobile Workspace ONE Applications

Users can install the Workspace ONE application on a mobile device and use corporate credentials for single sign-on (SSO) access to corporate, cloud, and mobile applications.

Self-Service App Catalog for Web, Horizon, and Citrix Resources

Workspace ONE provides users access to cloud, mobile, and Windows applications using a unified catalog. The catalog contains applications published to Workspace ONE Access and Workspace ONE UEM. Supported application types include internal web, SaaS, native mobile, internally developed mobile, legacy and modern Windows, Horizon 7, VMware Horizon Cloud Service™, Citrix published, and ThinApp packages. The application store also contains virtualized desktops.


Launch Web and Virtual Apps with Single Sign-on

Workspace ONE provides mobile single sign-on (SSO), a one-touch login implementation for mobile applications. Mobile SSO is available for Android and iOS devices. Kerberos authentication is available for Windows 10 and macOS devices.

Conditional Access with Device Compliance

With Workspace ONE, you can enforce conditional access based on network range, platform, and application-specific criteria for authentication. A device must prove compliant with security rules before access to an application is authorized. Workspace ONE Access includes an access policy option that can be configured to check the Workspace ONE UEM server for device compliance status when users sign in from the device.

Multi-Factor Authentication

Workspace ONE provides multi-factor authentication through the VMware Workspace ONE Verify application. When a user attempts to access the Workspace ONE catalog or any application requiring strong authentication, Workspace ONE Verify sends a notification to the user's phone. To verify the attempted access to Workspace ONE, the user must swipe Accept to access the application.

Adaptive Management

For applications that require only a basic level of security, users are not required to enroll their device into Workspace ONE UEM Mobile Device Management™. Users can download the Workspace ONE mobile application and select the applications they want to install. For applications that require a higher level of security, users can enroll their device into Workspace ONE UEM directly from the Workspace ONE mobile application.


2 Integrating Workspace ONE UEM With Workspace ONE Access

To set up Workspace ONE UEM mobile management services for devices with Workspace ONE Access services for single sign-on and identity management for users, you must integrate the services.

When Workspace ONE UEM and Workspace ONE Access are integrated, users from Workspace ONE UEM enrolled devices can log in to their Workspace ONE app to access their enabled applications securely without entering multiple passwords.

The Workspace ONE Getting Started wizard can guide you through many of the configuration steps to integrate Workspace ONE UEM and Workspace ONE Access.

This chapter includes the following topics:

• Getting Started with Workspace ONE

• Set Up Integration From Workspace ONE UEM Console

• Setting Up a Workspace ONE UEM Instance in Workspace ONE Access

• Enable Workspace ONE Catalog for Workspace ONE UEM

• Enabling Compliance Checking for Workspace ONE UEM Managed Devices

• Configure Compliance Checking Rules

• Enable User Password Authentication through Workspace ONE UEM

• Updating Workspace ONE Access After Upgrading Workspace ONE UEM

• Implementing Authentication with AirWatch Cloud Connector

Getting Started with Workspace ONE

In the Workspace ONE UEM console, you can use the Workspace ONE Getting Started tools to guide you through many of the configuration steps to integrate the Workspace ONE UEM and Workspace ONE Access services and create the Workspace ONE environment.

The Getting Started tools do not replace the ability to configure or edit any individual setting, but they significantly automate the initial setup for most customers.


The Workspace ONE Identity and Access Management getting started tools can be used to set up the following.

• Connect to the Workspace ONE Access service. You are sent to the Systems > Enterprise > Workspace ONE Access page to enter your Workspace ONE Access tenant URL, admin user name, and admin password.

• AirWatch Cloud Connector (ACC) and Directory. The wizard walks you through the steps to set up the AirWatch Cloud Connector and configure the Active Directory connection from the Workspace ONE UEM cloud connector to import users and groups from your company's directory.

• Auto Discovery. Register your email domain in the auto discovery service to make it easier for end users to access their apps portal through the Workspace ONE application. End users then enter their email address instead of the organization's URL.

• Workspace ONE Intelligent Hub. You are sent to the Workspace ONE UEM Intelligent Hub Configuration page to configure your tenant to use Hub Services.

Note The Workspace ONE Intelligent Hub app with Hub Services is not available for on-premises and dedicated SaaS deployments.

• Employee Email template

The Getting Started wizard alerts you if existing potentially conflicting configurations are already enabled in Workspace ONE UEM or the Workspace ONE Access services. If this occurs, or the getting started wizard only partially completes the steps, features can be configured manually. Use this guide to configure the Workspace ONE UEM and Workspace ONE Access services manually for Workspace ONE.

Set Up Integration From Workspace ONE UEM Console

To integrate with Workspace ONE Access services, configure these settings in the Workspace ONE UEM console.

• REST API admin key for communication with the Workspace ONE Access service.

• REST enrolled user API key for AirWatch Cloud Connector password authentication, created in the same organization group where Workspace ONE Access is configured.

• API admin account for Workspace ONE Access and the admin authentication certificate that is exported from Workspace ONE UEM and added to the AirWatch settings in the Workspace ONE Access console.

Create REST API Keys in Workspace ONE UEM

REST Admin API access and enrolled user access must be enabled in the Workspace ONE UEM console to integrate Workspace ONE Access with Workspace ONE UEM. When you enable API access, an API key is generated.

Procedure

1 In the Workspace ONE UEM console, select the Global > Customer-level organization group and navigate to Groups & Settings > All Settings > System > Advanced > API > REST API.


2 In the General tab, click Add to generate the API key to use in the Workspace ONE Access service. The account type should be Admin.

Provide a unique service name. Add a description, such as UEMAPI for WS1Access.

3 To generate the enrollment user API key, click Add again.

4 In the Account Type drop-down menu, select Enrollment User.

Provide a unique service name. Add a description such as UserAPI for WS1Access.

5 Copy the two API keys and save the keys to a file.

You add these keys when you set up Workspace ONE UEM in the Workspace ONE Access console.

6 Click Save.

Export VMware Workspace ONE UEM Administrator Root Certificate

After the admin API key is created, you add an admin account and set up certificate authentication in the Workspace ONE UEM console.

For REST API certificate-based authentication, a user-level certificate is generated from the Workspace ONE UEM console. The certificate is a self-signed Workspace ONE UEM certificate issued from the Workspace ONE UEM admin root certificate.

When you configure an admin for the certificate, select an admin user from Active Directory whose password does not expire. Because a basic user password can expire, configuring a basic user name and password for the certificate is not recommended: if the password expires, user sync with the Workspace ONE Access directory fails. Treat this account as a service account. It holds the AirWatch Administrator role, and the exported client certificate together with its password grants that role's API access to anyone who holds them, so store the .p12 file and its password as secrets and remove local copies once they have been uploaded to the Workspace ONE Access console.

Prerequisites

The Workspace ONE UEM REST admin API key is created.


Procedure

1 In the Workspace ONE UEM console, select the Global > Customer-level organization group and navigate to Accounts > Administrators > List View.

2 Click Add > Add Admin.

3 On the Add Admin page, select Basic and enter the user name and password of the admin user from Active Directory. Make sure the admin user's password does not expire.

4 Select the Roles tab and select the current organization group followed by the Role as AirWatch Administrator.

5 Select the API tab and in the Authentication text box, select Certificates.

6 Enter the certificate password. The password is the same password entered for the admin on the Basic tab.

7 Click Save.

The new admin account and the client certificate are created.

8 In the List View page, select the admin you created and open the API tab again.

The certificates page displays information about the certificate.

9 Enter the password you set in the Certificate Password text box, click Export Client Certificate and save the file.

The client certificate is saved as a .p12 file type.

What to do next

Configure your Workspace ONE UEM URL settings in the Workspace ONE Access console.

Setting Up a Workspace ONE UEM Instance in Workspace ONE Access

After you configure the settings in the Workspace ONE UEM console, in the Workspace ONE Access console Identity & Access Management page, you enter the Workspace ONE UEM URL, the API key values, and the certificate. After the Workspace ONE UEM settings are configured, you can enable the feature options available for Workspace ONE.

Add Workspace ONE UEM Settings to Workspace ONE Access

Configure Workspace ONE UEM settings in Workspace ONE Access to integrate Workspace ONE UEM with Workspace ONE Access and enable the Workspace ONE UEM feature integration options. The Workspace ONE UEM API key and the certificate are added for Workspace ONE Access authorization with Workspace ONE UEM.

Prerequisites

• Workspace ONE UEM server URL that the admin uses to log in to the Workspace ONE UEM console.

• Workspace ONE UEM admin API key that is used to make API requests from Workspace ONE Access to the Workspace ONE UEM server to set up integration.

• Workspace ONE UEM certificate file used to make API calls, and the certificate password. The certificate file must be in the .p12 file format.

• Workspace ONE UEM enrolled user API key.

• Workspace ONE UEM group ID for your tenant, which is the tenant identifier in Workspace ONE UEM.

Procedure

1 In the Workspace ONE Access console, Identity & Access Management tab, click Setup > AirWatch.

2 Enter the Workspace ONE UEM integration settings in the following fields.

Field: Workspace ONE UEM API URL
Description: Enter the Workspace ONE UEM URL. For example, https://myco.ws1uem.com

Field: Workspace ONE UEM REST API Certificate
Description: Upload the AirWatch .p12 certificate file used to make REST API calls.

Field: Certificate Password
Description: Enter the certificate password.

Field: Workspace ONE UEM Admin API Key
Description: Enter the admin API key value. Example of an API key value: FPseqCSataGcnJf8/Rvahzn/4jwkZENGkZzyc+jveeYs=

Field: Workspace ONE UEM Enrolled User API Key
Description: Enter the enrolled user API key value.

Field: Workspace ONE UEM Group ID
Description: Enter the Workspace ONE UEM group ID for the organization group that the API key and admin account were created in.


3 (Optional) Enable Map Domains to Multiple Organization Groups when you have multiple directories configured with the same email domain.

When the Map Domains to Multiple Organization Groups option is enabled, domains configured in Workspace ONE Access can be mapped to the Workspace ONE UEM organization group IDs. The admin REST API key is also required. See Mapping Workspace ONE Access Domains to Multiple Organization Groups in Workspace ONE UEM.

4 Click Save.

What to do next

• Enable the feature option Workspace ONE Catalog to merge apps set up in the Workspace ONE UEM catalog into the Workspace ONE catalog. See Enable Workspace ONE Catalog for Workspace ONE UEM.

• Enable Compliance Check to verify that Workspace ONE UEM-managed devices adhere to Workspace ONE UEM compliance policies. See Enabling Compliance Checking for Workspace ONE UEM Managed Devices.
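The procedures above (Create REST API Keys, Export the Administrator Root Certificate, Add Workspace ONE UEM Settings) produce an admin API key and a password-protected .p12 client certificate that are first exercised only when the Workspace ONE Access console calls Workspace ONE UEM. The following is an added example, not VMware code and not part of this guide: an offline preflight that opens the exported .p12 with its password and reports the certificate's subject and remaining validity, and that builds the GET /api/system/info request an admin can send to the Workspace ONE UEM API URL with the admin API key in the aw-tenant-code header and the admin account's Basic credentials. It assumes the third-party `cryptography` package; the host myco.ws1uem.com, the account ws1admin, and the key and password values are placeholders, and make_test_p12 fabricates a self-signed certificate that stands in for the console export so the block runs without a tenant.

```python
"""Offline preflight for the Workspace ONE UEM REST API credentials that the
procedures above have you create. Added example, not VMware code.
Assumes the third-party `cryptography` package."""
import base64
import datetime as dt
import urllib.request
from typing import Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def inspect_client_cert(p12_bytes: bytes, password: bytes,
                        now: Optional[dt.datetime] = None) -> dict:
    """Open the exported admin client certificate (.p12) with its password and
    report who it identifies and how long it stays valid. A wrong password makes
    load_key_and_certificates raise ValueError, which is the failure you want to
    see here rather than later in the Workspace ONE Access console."""
    key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, password)
    if key is None or cert is None:
        raise ValueError("PKCS#12 file must contain both a private key and a certificate")
    now = now or dt.datetime.now(dt.timezone.utc)
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:  # cryptography < 42 exposes a naive UTC datetime
        not_after = cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "days_left": (not_after - now).days,
        "expired": now >= not_after,
    }


def build_probe_request(api_url: str, admin_api_key: str,
                        username: str, password: str) -> urllib.request.Request:
    """Build GET /api/system/info (a read-only UEM endpoint) carrying the admin
    API key in the aw-tenant-code header plus the admin account's Basic
    credentials. Send it with urllib.request.urlopen: HTTP 200 means the key
    and the account work; 401/403 means one of them is wrong or lacks the role."""
    url = api_url.rstrip("/") + "/api/system/info"
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, method="GET", headers={
        "aw-tenant-code": admin_api_key,
        "Accept": "application/json",
        "Authorization": "Basic " + basic,
    })


def make_test_p12(password: bytes, days_valid: int = 365) -> bytes:
    """Constructed stand-in for the .p12 the UEM console exports: a throwaway
    self-signed certificate so the inspection above can be exercised offline."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ws1access-api-admin")])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(minutes=5))
        .not_valid_after(now + dt.timedelta(days=days_valid))
        .sign(key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        b"ws1access", key, cert, None,
        serialization.BestAvailableEncryption(password),
    )


if __name__ == "__main__":
    blob = make_test_p12(b"changeit")                       # placeholder password
    print(inspect_client_cert(blob, b"changeit"))
    req = build_probe_request("https://myco.ws1uem.com",     # placeholder tenant
                              "FPseq...", "ws1admin", "secret")
    print(req.full_url, req.get_header("Aw-tenant-code"))
```

Against a real export, replace the fabricated blob with the contents of the saved .p12 file and send the request with urllib.request.urlopen, expecting HTTP 200 and a JSON body. The probe authenticates with the admin account's Basic credentials; the .p12 is what Workspace ONE Access uses for its certificate-based API calls and is only inspected here, not used for signing.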


Mapping Workspace ONE Access Domains to Multiple Organization Groups in Workspace ONE UEM

When setting up users and devices in Workspace ONE UEM, Workspace ONE UEM uses organization groups (OG) to organize and group users and to establish permissions. When Workspace ONE UEM is integrated with Workspace ONE Access, the admin and enrollment user REST API keys can only be configured at the Workspace ONE UEM organization group of type Customer.

In Workspace ONE UEM environments configured for multi-tenancy, many organization groups are created for users and devices. Devices become registered or enrolled into an organization group. Organization groups can be set up in unique configurations in a multi-tenancy environment. For example, organization groups by separate geographies, departments, or use cases.

You can link domains configured in Workspace ONE Access to specific organization groups in Workspace ONE UEM to manage device registration through Intelligent Hub. When users log in to the Intelligent Hub app, a device registration event is triggered within Workspace ONE Access. During the device registration, a request is sent to Workspace ONE UEM to pull any applications that the user and device combination is entitled to.

The device organization groups must be identified when Workspace ONE UEM is integrated with Workspace ONE Access so that identity manager can locate the user and successfully register the device into the appropriate organization group.

When you configure the Workspace ONE UEM settings in the Workspace ONE Access service, you can enter device organization group IDs and the API keys to map multiple OG to a domain. When users sign into Intelligent Hub from their devices, the user records are verified and the device is registered to the appropriate organization group in Workspace ONE UEM.

To learn more about how to configure multiple organization groups, see Deployment Strategies for Setting Up Multiple Workspace ONE UEM Organization Groups.

Note When Workspace ONE UEM is integrated with Workspace ONE Access and multiple Workspace ONE UEM organization groups are configured, the Active Directory Global Catalog option cannot be configured for use with the Workspace ONE Access service.

Deployment Strategies for Setting Up Multiple Workspace ONE UEM Organization Groups

Workspace ONE UEM uses organization groups (OG) to identify users and establish permissions. When Workspace ONE UEM is integrated with Workspace ONE Access, the admin and enrollment user REST API keys are configured at the Workspace ONE UEM organization group type called Customer.

When users sign in to the Intelligent Hub app from a device, a device registration event is triggered within Workspace ONE Access. A request is sent to Workspace ONE UEM to pull any applications that the user and device combination is entitled to. The request is sent using the REST API to locate the user within Workspace ONE UEM and to place the device in the appropriate organization group.

To manage organization groups, two options can be configured in Workspace ONE Access.

• Enable Workspace ONE UEM auto discovery.


• Map Workspace ONE UEM organization groups to domains in the Workspace ONE Access service.

If neither of these two options is configured, Intelligent Hub attempts to locate the user at the organization group where the REST API key was created, that is, the Customer group.

Using Workspace ONE UEM Auto Discovery

Set up Auto Discovery when a single directory is configured at a child group of the Customer organization group, or when multiple directories with unique email domains are configured below the Customer group.

Figure 2-1. Example 1

In example 1, the email domain of the organization is registered for auto discovery. Users enter only their email address in the Intelligent Hub sign-in page.

In this example, when users in the NorthAmerica domain sign in to the Intelligent Hub app, they enter the complete email address as [email protected]. The application looks for the domain and verifies that the user exists or can be created with a directory call in the NorthAmerica organization group. The device can be registered.

Using Workspace ONE UEM Organization Group Mapping to Workspace ONE Access Domains

Configure the Workspace ONE Access service to Workspace ONE UEM organization group mapping when multiple directories are configured with the same email domain. You enable Map Domains to Multiple Organization Groups in the AirWatch configuration page in the Workspace ONE Access console.

When the Map Domains to Multiple Organization Groups option is enabled, domains configured in Workspace ONE Access can be mapped to the Workspace ONE UEM organization group IDs. The admin REST API key is also required.

In example 2, two domains are mapped to different organization groups. An admin REST API key is required. The same admin REST API key is used for both organization group IDs.

Figure 2-2. Example 2


In the AirWatch configuration page in the Workspace ONE Access console, configure a specific Workspace ONE UEM organization group ID for each domain.

Figure 2-3. Example 2 Organization Group Configuration

With this configuration, when users log in to the Intelligent Hub app from their device, the device registration request attempts to locate users from Domain3 in the organization group Europe and users from Domain4 in the organization group AsiaPacific.

In example 3, one domain is mapped to multiple Workspace ONE UEM organization groups. Both directories share the email domain. The domain points to the same Workspace ONE UEM organization group.

Figure 2-4. Example 3

In this configuration, when users sign in to the Intelligent Hub app, the application prompts the users to select which group they want to register into. In this example, users can select either Engineering or Accounting.


Figure 2-5. Organization Groups Where Directories Share the Same Domain

Placing Devices in the Correct Organization Group

When a user record is successfully located, the device is added to the appropriate organization group. The Workspace ONE UEM enrollment setting Group ID Assignment Mode determines the organization group in which to place the device. This setting is on the System Settings > Device & Users > General > Enrollment > Grouping page in the Workspace ONE UEM console.

Figure 2-6. Workspace ONE UEM Group Enrollment for Devices

In example 4, all users are at the Corporate organization group level.

Figure 2-7. Example 4

Device placement depends on the selected configuration for the Group ID Assignment Mode at the Corporate organization group.

• If Default is selected, the device is placed into the same group where the user is located. In example 4, the device is placed into the Corporate group.


• If Prompt User to Select Group ID is selected, users are prompted to select which group to register their device into. In example 4, users see a drop-down menu within the Intelligent Hub app with Engineering and Accounting as options.

• If Automatically Selected Based on User Group is selected, devices are placed into either Engineering or Accounting based on their user group assignment and the corresponding mapping in the Workspace ONE UEM console.

Understanding the Concept of a Hidden GroupIn example 4, when users are prompted to select an organization group from which to register, users also can enter a group ID value that is not in the list presented from the Intelligent Hub app. This is the concept of a hidden group.

In example 5, in the Corporate organization group structure, North America and Beta are configured as groups under Corporate.

Figure 2-8. Example 5

In example 5, users enter their email address into the Intelligent Hub app. After authentication, users are shown a list that displays Engineering and Accounting from which to select. Beta is not an option that is displayed. If users know the organization group ID, they can manually enter Beta into the group selection text box and successfully register their device into Beta.
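The placement rules above, as an added example that is not part of the VMware guide or product: a small audit that replays the three Group ID Assignment Mode outcomes against a list of enrollments and reports devices that ended up in an organization group the user would not have been offered, such as a hidden group typed in by hand. The organization-group tree, the user-group mapping, the prompted-group list and the enrollment records are all constructed for the example.

```python
"""Audit Workspace ONE UEM device placement against the expected organization group.

Added example, not VMware code. It models the three Group ID Assignment Mode
outcomes described in the guide and flags devices that landed in an organization
group the user would not have been offered, for instance a hidden group such as
"Beta" entered manually. All names and records below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed organization-group tree: parent -> children (example 4/5 layout).
OG_TREE = {
    "Corporate": ["Engineering", "Accounting", "Beta"],
}

# Constructed mapping used by "Automatically Selected Based on User Group".
USER_GROUP_TO_OG = {
    "eng-staff": "Engineering",
    "finance-staff": "Accounting",
}

# Groups shown in the Intelligent Hub drop-down when users are prompted;
# anything else a user typed in is a hidden group (constructed list).
PROMPTED_OGS = {"Engineering", "Accounting"}


@dataclass(frozen=True)
class Enrollment:
    user: str
    user_group: str
    user_og: str      # organization group where the user record lives
    device_og: str    # organization group the device was placed into


def expected_og(rec: Enrollment, mode: str) -> set[str]:
    """Return the organization groups that are acceptable for rec under the given mode."""
    if mode == "Default":
        return {rec.user_og}
    if mode == "Prompt User to Select Group ID":
        return set(PROMPTED_OGS)
    if mode == "Automatically Selected Based on User Group":
        mapped = USER_GROUP_TO_OG.get(rec.user_group)
        return {mapped} if mapped else set()
    raise ValueError(f"unknown assignment mode: {mode}")


def audit_placement(records: list[Enrollment], mode: str) -> list[dict]:
    """Return one finding per device that sits outside its acceptable organization groups.

    kind is "hidden-group" when the device is in a group the Hub never lists
    (worth a manual review) and "misplaced" when it is in a listed but wrong group.
    """
    findings = []
    for rec in records:
        allowed = expected_og(rec, mode)
        if rec.device_og in allowed:
            continue
        kind = "hidden-group" if rec.device_og not in PROMPTED_OGS else "misplaced"
        findings.append({
            "user": rec.user,
            "device_og": rec.device_og,
            "allowed": sorted(allowed),
            "kind": kind,
        })
    return findings


# Constructed sample enrollments.
SAMPLE = [
    Enrollment("alice", "eng-staff", "Corporate", "Engineering"),
    Enrollment("bob", "finance-staff", "Corporate", "Beta"),           # typed the hidden group
    Enrollment("carol", "finance-staff", "Corporate", "Engineering"),  # wrong prompted group
]

if __name__ == "__main__":
    for finding in audit_placement(SAMPLE, "Automatically Selected Based on User Group"):
        print(finding)
```

Run it against an export of enrolled devices (user, user group, user's organization group, device's organization group) with the mode your Corporate group actually uses; in Prompt mode a hidden-group finding is expected behaviour, but it still tells you which devices reached a group that the drop-down never advertised.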

Enable Workspace ONE Catalog for Workspace ONE UEM

When you configure Workspace ONE Access with your Workspace ONE UEM instance, you can enable the Workspace ONE catalog to include the apps from the Workspace ONE UEM Catalog. End users see all applications that they are entitled to from their Workspace ONE portal.

Procedure

1 In the Workspace ONE Access console, Identity & Access Management tab, click Setup > AirWatch and navigate to the Workspace ONE Catalog section.

2 To include apps from the Workspace ONE UEM catalog with apps in the identity manager catalog, enable both Fetch from IDM and Fetch from Workspace ONE UEM.

When using Workspace ONE catalog on mobile devices without the Workspace ONE Access service configured, select only Fetch from Workspace ONE UEM.

By default, Fetch from Workspace ONE Access (IDM) is enabled.


3 Click Save.

What to do next

Notify Workspace ONE UEM end users about how to access the catalog and view their Workspace ONE portal.

Enabling Compliance Checking for Workspace ONE UEM Managed Devices

When users enroll their devices, samples containing data used to evaluate compliance are sent on a scheduled basis. The evaluation of this sample data ensures that the device meets the compliance rules set by the administrator in the Workspace ONE UEM console. If the device goes out of compliance, corresponding actions configured in the UEM console are taken.

The Workspace ONE Access service includes an access policy option that can be configured to check the Workspace ONE UEM server for device compliance status when users sign in from the device. The compliance check ensures that users are blocked from signing in to an application or using single sign-on to the Workspace ONE portal if the device goes out of compliance. When the device is compliant again, the ability to sign in is restored.

The Workspace ONE application automatically signs out and blocks access to the applications if the device is compromised. If the device was enrolled through adaptive management, an enterprise wipe command issued through the UEM console unenrolls the device and removes the managed applications from the device. Unmanaged applications are not removed.

For more information about Workspace ONE UEM compliance policies, see the VMware Workspace ONE UEM Mobile Device Management Guide, in the VMware Workspace ONE UEM Documentation pages.

Configure Compliance Checking Rules

When Compliance Check is enabled, you create an access policy rule that requires authentication and device compliance verification for devices managed by Workspace ONE UEM.

The compliance checking policy rule works in an authentication chain with Mobile SSO for iOS, Mobile SSO for Android, and Certificate cloud deployment. When configuring the rule, select the device authentication method to use before selecting Device Compliance in the rule.

Prerequisites

Authentication methods configured and associated to a built-in identity provider.

Compliance checking enabled in the Workspace ONE Access Workspace ONE UEM page.

Procedure

1 In the Workspace ONE Access console Identity & Access Management tab, select Manage > Policies.

2 Click Edit Default Policy.


3 Click Next.

4 Click Add Policy Rule to add a rule, or select a rule to edit.

Option: Description

If a user's network range is: Verify that the network range is correct. If adding a new rule, select the network range.

and user accessing content from: Select the mobile device type.

and user belongs to groups: If this access rule is going to apply to specific groups, search for the groups in the search box. If no group is selected, the access policy applies to all users.

Then perform this action: Select Authenticate using....

then the user may authenticate using: Select the mobile device authentication method to apply. Click + and in the drop-down menu select Device Compliance (with Workspace ONE UEM).

If the preceding method fails or is not applicable, then: Configure the fallback authentication method, if necessary.

Re-authenticate after: Select the length of the session, after which users must authenticate again.

5 Click Save.


Enable User Password Authentication through Workspace ONE UEM

To implement authentication with the AirWatch Cloud Connector, you must enable the Password Authentication through Workspace ONE UEM feature.

Prerequisites

- Workspace ONE UEM configured in Workspace ONE Access.

- AirWatch Cloud Connector installed and activated.

- Workspace ONE UEM directory services integrated with Active Directory.

Procedure

1 In the Workspace ONE Access console, Identity & Access Management tab, click Setup > Workspace ONE UEM.

2 In the User Password Authentication through AirWatch section, select Enable.

3 Click Save.

What to do next

See Implementing Authentication with AirWatch Cloud Connector to use AirWatch Cloud Connector authentication.

Updating Workspace ONE Access After Upgrading Workspace ONE UEM

When you upgrade Workspace ONE UEM to a new version, you must update the Workspace ONE Catalog and User Password Authentication options on the Workspace ONE UEM configuration page in the Workspace ONE Access console.

When you upgrade to a new version of Workspace ONE UEM, the Workspace ONE UEM settings in the Workspace ONE Access service must be updated.

Procedure

1 After you upgrade Workspace ONE UEM, sign in to the Workspace ONE Access console.

2 In the Identity & Access Management tab, click Setup > Workspace ONE UEM.

3 Scroll down the page to the Workspace ONE Catalog section and click Save.

4 Scroll down to the User Password Authentication through Workspace ONE UEM section and click Save.

The Workspace ONE UEM configuration is updated with the new version in the Workspace ONE Access service.


Implementing Authentication with AirWatch Cloud Connector

The AirWatch Cloud Connector (ACC) is integrated with Workspace ONE Access for user password authentication in Workspace ONE.

Note You install ACC and configure the ACC component in Workspace ONE UEM. After the ACC is installed and configured, you integrate the Workspace ONE UEM directory services with Active Directory. See the VMware Workspace ONE UEM Directory Services Guide for information about enabling the directory services.

To implement AirWatch Cloud Connector authentication for Workspace ONE, the Password (for Workspace ONE UEM) authentication method is associated with a built-in identity provider in the Workspace ONE Access console.

You can enable just-in-time support in Workspace ONE UEM to add new users to the Workspace ONE Access directory when users sign in for the first time. When just-in-time support is enabled, users do not need to wait for the next scheduled sync from the Workspace ONE UEM server to access Workspace ONE. Instead, new users sign in to their Workspace ONE portal, either from their devices or from their desktop computer and enter their Active Directory user name and password. The Workspace ONE Access service authenticates the Active Directory credentials through the AirWatch Cloud Connector and adds the user profile to the directory.

After you associate the authentication methods in the built-in identity provider, you create access policies to apply to this authentication method.

Note User name and password authentication are integrated into the AirWatch Cloud Connector deployment. To authenticate users using other Workspace ONE Access-supported authentication methods, the Workspace ONE Access connector must be configured.

Managing User Attributes Mapping

You can configure the user attribute mapping between the Workspace ONE UEM directory and the Workspace ONE Access directory.

The User Attributes page in the Workspace ONE Access Identity & Access Management tab lists the default directory attributes that are mapped to Workspace ONE UEM Directory attributes. Attributes that are required are marked with an asterisk. Users missing a required attribute in their profile are not synced to the Workspace ONE Access service.

Table 2-1. Default Workspace ONE UEM Directory Attributes Mapping

Workspace ONE Access User Attribute Name -> Default Mapping to Workspace ONE UEM User Attribute

userPrincipalName -> userPrincipalName

distinguishedName -> distinguishedName

employeeID -> employeeID

domain -> Domain


disabled (external user disabled) -> disabled

phone -> telephoneNumber

lastName -> lastname*

firstName -> firstname*

email -> Email*

userName -> username*
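The Table 2-1 mapping and the rule that users missing a required attribute are not synced, as an added example that is not part of the VMware guide or product: a preflight that applies the default mapping to exported Workspace ONE UEM user records and lists which users the directory sync would skip and why, so gaps in the source directory can be fixed before the first manual sync. The sample user records are constructed; the attribute names come from the table above.

```python
"""Preflight check of Workspace ONE UEM user records against the default attribute mapping.

Added example, not part of the VMware guide or product. It applies the Table 2-1
mapping and reports which users would be skipped by the directory sync because a
required attribute (marked * in the table) is missing. Sample users are constructed.
"""
from __future__ import annotations

# Workspace ONE Access attribute -> Workspace ONE UEM attribute (Table 2-1).
DEFAULT_MAPPING = {
    "userPrincipalName": "userPrincipalName",
    "distinguishedName": "distinguishedName",
    "employeeID": "employeeID",
    "domain": "Domain",
    "disabled": "disabled",
    "phone": "telephoneNumber",
    "lastName": "lastname",
    "firstName": "firstname",
    "email": "Email",
    "userName": "username",
}

# Attributes the guide marks with an asterisk; users lacking any of them are not synced.
REQUIRED = ("lastName", "firstName", "email", "userName")


def map_user(uem_user: dict, mapping: dict = DEFAULT_MAPPING) -> tuple[dict | None, list[str]]:
    """Translate one UEM record into Access attribute names.

    Returns (access_record, missing_required). access_record is None when the user
    would be skipped, mirroring the sync behaviour described in the guide. Empty
    strings count as missing, since a blank value carries no usable attribute.
    """
    access = {}
    for access_attr, uem_attr in mapping.items():
        value = uem_user.get(uem_attr)
        if value not in (None, ""):
            access[access_attr] = value
    missing = [attr for attr in REQUIRED if attr not in access]
    return (None if missing else access), missing


def preflight(uem_users: list[dict]) -> dict:
    """Summarise which users will sync and why the rest would be skipped."""
    report: dict = {"synced": [], "skipped": {}}
    for user in uem_users:
        record, missing = map_user(user)
        key = user.get("username") or user.get("userPrincipalName") or "<no identifier>"
        if record is None:
            report["skipped"][key] = missing
        else:
            report["synced"].append(key)
    return report


# Constructed sample export: "svc-printer" has no Email and "jdoe2" has a blank lastname.
SAMPLE_USERS = [
    {"username": "jdoe", "firstname": "Jane", "lastname": "Doe", "Email": "jdoe@example.test",
     "userPrincipalName": "jdoe@example.test", "Domain": "EXAMPLE", "telephoneNumber": "555-0100"},
    {"username": "svc-printer", "firstname": "Print", "lastname": "Service", "Domain": "EXAMPLE"},
    {"username": "jdoe2", "firstname": "John", "lastname": "", "Email": "jdoe2@example.test"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(preflight(SAMPLE_USERS), indent=2))
```

If you enable custom mapping in the Workspace ONE UEM console (step 5 of the sync procedure below), pass your own mapping dictionary to map_user so the preflight checks the attributes you actually sync rather than the defaults.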

Sync Users and Groups from Workspace ONE UEM Directory to Workspace ONE Access Directory

You configure the Workspace ONE Access settings in the Workspace ONE UEM console to establish a connection between your organization group instance of the Workspace ONE UEM Directory and Workspace ONE Access. This connection is used to sync users and groups to a directory created in the Workspace ONE Access service.

Users and groups initially sync to the Workspace ONE Access directory manually. The Workspace ONE UEM sync schedule determines when users and groups sync with the Workspace ONE Access directory.

When a user or a group is added or deleted on the Workspace ONE UEM server, the change is reflected on the Workspace ONE Access service immediately.

Prerequisites

- Workspace ONE Access local admin name and password.

- Identify attribute values to map from the Workspace ONE UEM directory. See Managing User Attributes Mapping.

Procedure

1 In the Workspace ONE UEM console, Groups & Settings, All Settings page, select the Global > Customer-level organization group and navigate to System > Enterprise Integration > Workspace ONE Access.

2 In the Server section, click Configure.

Note The configuration button is only available when the Directory Service is also configured for the same organization group. If the Configure button is not visible, you are not in the correct organization group. You can change the organization group in the Global drop-down menu.


3 Enter the Workspace ONE Access settings.

Option: Description

URL: Enter your tenant URL. For example, https://myco.identitymanager.com.

Admin Username: Enter the Workspace ONE Access local admin user name.

Admin Password: Enter the Workspace ONE Access local admin user's password.

4 Click Next.

5 Enable custom mapping to configure the user attributes mapping from Workspace ONE UEM to the Workspace ONE Access service.

6 Click Test Connection to verify that the settings are correct.

7 Click Sync Now to manually sync all users and groups to Workspace ONE Access service.

Note To control the system load, manual sync can only be performed four hours after a previous sync.

A Workspace ONE UEM directory is created in the Workspace ONE Access service and the users and groups are synced to a directory in Workspace ONE Access.

What to do next

Review the Users and Groups tab in the Workspace ONE Access console to verify that the user and group names are synced.

Managing Configuration of Password Authentication to Workspace ONE UEM

You can review and manage the Password (for Workspace ONE UEM) configuration that was set up when you installed Workspace ONE UEM and added the Workspace ONE Access service.

The Password (for Workspace ONE UEM) authentication method is managed from the Identity & Access Management > Authentication Methods page and is associated to the built-in identity provider in the Identity Providers page.

Important When the AirWatch Cloud Connector software is upgraded, make sure that you update the Workspace ONE UEM configuration in the Workspace ONE Access console AirWatch page.

Procedure

1 In the Workspace ONE Access console Identity & Access Management tab, select Authentication Methods.

2 In the Password (for Workspace ONE UEM) Configure column, click the pencil icon.


3 Review the configuration.

Option: Description

Enable Workspace ONE UEM Password Authentication: This check box enables Workspace ONE UEM password authentication.

Workspace ONE UEM Admin Console URL: Pre-populated with the Workspace ONE UEM URL.

Workspace ONE UEM API Key: Pre-populated with the Workspace ONE UEM Admin API key.

Certificate Used for Authentication: Pre-populated with the AirWatch Cloud Connector certificate.

Password for Certificate: Pre-populated with the password for the AirWatch Cloud Connector certificate.

Workspace ONE UEM Group ID: Pre-populated with the organization group ID.

Number of authentication attempts allowed: The maximum number of failed login attempts when using the Workspace ONE UEM password for authentication. No more login attempts are allowed after the failed logins reach this number. The Workspace ONE Access service tries to use the fallback authentication method if it is configured. The default is five attempts.

JIT Enabled: If JIT is not enabled, select this check box to enable just-in-time provisioning of users in the Workspace ONE Access service dynamically when they log in the first time.

4 Click Save.

Configure Built-in Identity Providers in Workspace ONE Access

You can configure multiple built-in identity providers and associate authentication methods that have been configured in the Identity & Access Management > Auth Methods page.

Procedure

1 In the Workspace ONE Access console Identity & Access Management tab, go to Manage > Identity Providers.

2 Click Add Identity Provider, and select Create Built-in IDP.

Option: Description

Identity Provider Name: Enter the name for this built-in identity provider instance.

Users: Select which users to authenticate. The configured directories are listed.

Network: The existing network ranges configured in the service are listed. Select the network ranges for the users based on the IP addresses that you want to direct to this identity provider instance for authentication.

Authentication Methods: The authentication methods that are configured on the service are displayed. Select the check box for the authentication methods to associate to this built-in identity provider. For Device Compliance (with Workspace ONE UEM) and Password (for Workspace ONE UEM), make sure that the option is enabled in the Workspace ONE configuration page.

3 Click Add.


What to do next

Configure the default access policy rule to add the authentication policy to the rule. See Configure Compliance Checking Rules.


3 Implementing Mobile Single Sign-On Authentication for Workspace ONE UEM-Managed iOS Devices

The Mobile SSO for iOS authentication method is used for single sign-on authentication in Workspace ONE UEM-managed iOS devices. For iOS device authentication, Workspace ONE Access uses an identity provider that is built into the service to provide access to mobile SSO authentication. Mobile SSO (for iOS) authentication uses a Key Distribution Center (KDC) that is part of the Workspace ONE Access service.

iOS mobile SSO authentication makes use of a certificate that is deployed in a device profile to authenticate the user with Workspace ONE UEM. The iOS Mobile SSO certificate authentication relies on Kerberos to collect the certificate.

The following is configured for Mobile SSO for iOS authentication.

- Download the issuer certificate to configure Mobile SSO for iOS.

- If you are using Workspace ONE UEM Certificate Authority, in the Workspace ONE UEM console, enable Certificates in the Enterprise Integrations > Workspace ONE Access page. Download the issuer certificate to configure Mobile SSO for iOS.

- If you are using Active Directory Certificate Services, configure a certificate authority template for Kerberos certificate distribution in the Active Directory Certificate Services. Then configure Workspace ONE UEM to use Active Directory Certificate Authority. Add the Certificate template in the Workspace ONE UEM console. Download the issuer certificate to configure Mobile SSO for iOS.

- Establish the Key Distribution Center (KDC) to use in the Workspace ONE UEM console. Download the KDC certificate from the Workspace ONE Access console.

- Configure the iOS device profile and enable single sign-in from the Workspace ONE UEM console.

- Configure the Mobile SSO (iOS) authentication method.

- Configure the built-in identity provider and associate the Mobile SSO for iOS authentication method in the Workspace ONE Access console.

In addition to configuring mobile SSO for iOS, you configure mobile device management for iOS devices in the Workspace ONE UEM console. See iOS Device Management documentation.


Supported Apple iOS Devices

iOS 9 or later is supported.

This chapter includes the following topics:

- Using Workspace ONE UEM Certificate Authority for Kerberos Authentication

- Configure Active Directory Certificate Authority in Workspace ONE UEM

- Using a Key Distribution Center for Authentication from iOS Devices

- Configure Mobile SSO for iOS Authentication in Workspace ONE Access

- Configure the Built-In Identity Provider for Mobile SSO iOS Authentication

- Create a Conditional Access Policy Rule

- Configure Apple iOS Profile in Workspace ONE UEM Using Workspace ONE UEM Certificate Authority

- Configure Apple iOS Profile in Workspace ONE UEM Using Active Directory Certificate Authority and Certificate Template

- Assign a Workspace ONE UEM Device Profile to Smart Groups

Using Workspace ONE UEM Certificate Authority for Kerberos Authentication

You can use the Workspace ONE UEM Certificate Authority to set up single sign-on with built-in Kerberos authentication to Workspace ONE UEM managed iOS mobile devices. You enable Workspace ONE UEM Certificate Authority in the Workspace ONE UEM console and export the CA issuer certificate for use in the Workspace ONE Access service.

The Workspace ONE UEM Certificate Authority follows Simple Certificate Enrollment Protocol (SCEP) and works with Workspace ONE UEM managed devices that support SCEP.

Workspace ONE Access integration with Workspace ONE UEM uses the Workspace ONE UEM Certificate Authority to issue certificates to iOS mobile devices as part of the profile.

The Workspace ONE UEM Certificate Authority issuer root certificate is also the OCSP signing certificate.

Enable and Export the Workspace ONE UEM Certificate Authority

When Workspace ONE Access is enabled in Workspace ONE UEM, you can generate the Workspace ONE UEM issuer root certificate and export the certificate for use with the Mobile SSO for iOS authentication method.


Procedure

1 In the Workspace ONE UEM console, navigate to System > Enterprise Integration > Workspace ONE Access.

To enable Workspace ONE UEM Certificate Authority, the organization group type must be Customer.

Tip To view or change the group type, navigate to Groups & Settings, Groups > Organization Groups > Organization Group Details.

2 Click Configuration.

3 In the CERTIFICATE section, click Enable.

The page displays the issuer root certificate details.

4 Click Export and save the file.

What to do next

In the Workspace ONE Access console, configure Kerberos Authentication in the built-in identity provider and add the certificate authority issuer certificate.

Configure Active Directory Certificate Authority in Workspace ONE UEM

When you use Active Directory to set up single sign-on authentication for Workspace ONE UEM managed iOS mobile devices, you set up a trust relationship between Active Directory and Workspace ONE UEM. After that, you enable the Mobile SSO for iOS authentication method in Workspace ONE Access.

After you configure the certificate authority and certificate template for Kerberos certificate distribution in the Active Directory Certificate Services, you enable Workspace ONE UEM to request the certificate used for authentication and add the certificate authority to the Workspace ONE UEM console.

Procedure

1 In the Workspace ONE UEM console main menu, navigate to Devices > Certificates > Certificate Authorities.

2 Click Add.

3 Configure the following in the Certificate Authority page.

Note Make sure that Microsoft AD CS is selected as the Authority Type before you start to complete this form.

Option: Description

Name: Enter a name for the new Certificate Authority.

Authority Type: Make sure that Microsoft ADCS is selected.


Protocol: Select ADCS as the protocol.

Server Hostname: Enter the URL of the server. Enter the host name in this format https://{servername.com}/certsrv.adcs/. The site can be http or https depending on how the site is set up. The URL must include the trailing /.

Note If the connection fails when you test the URL, remove the http:// or https:// from the address and test the connection again.

Authority Name: Enter the name of the certificate authority that the ADCS end point is connected to. This name can be found by launching the Certification Authority application on the certificate authority server.

Authentication: Make sure that Service Account is selected.

Username and Password: Enter the user name and password of the AD CS admin account with sufficient access to allow Workspace ONE UEM to request and issue certificates.

4 Click Save.

What to do next

Configure the Certificate Template in Workspace ONE UEM.

Configuring Workspace ONE UEM to Use Active Directory Certificate Authority

Your certificate authority template must be properly configured for Kerberos certificate distribution. In the Active Directory Certificate Services (AD CS), you can duplicate the existing Kerberos Authentication template to configure a new certificate authority template for the iOS Kerberos authentication.

When you duplicate the Kerberos Authentication template from AD CS, you must configure the following information in the Properties of New Template dialog box.

Figure 3-1. Active Directory Certificate Services Properties of New Template Dialog Box

- General tab. Enter the Template display name and the Template name. For example, iOSKerberos. This is the display name that is shown in the Certificate Templates snap-in, Certificates snap-in, and Certification Authority snap-in.

- Request Handling tab. Enable Allow private key to be exported.


- Subject Name tab. Select the Supply in the request radio button. Workspace ONE UEM supplies the subject name when the certificate is requested.

- Extensions tab. Define the application policies.

  - Select Application Policies and click Edit to add a new application policy. Name this policy Kerberos Client Authentication.

  - Add the object identifier (OID) as follows: 1.3.6.1.5.2.3.4. Do not change.

  - In the Description of Application Policies list, delete all policies listed except for the Kerberos Client Authentication policy and the Smart Card Authentication policy.

- Security tab. Add the Workspace ONE UEM account to the list of users that can use the certificate. Set the permissions for the account. Set Full Control to allow the security principal to modify all attributes of a certificate template, including the permissions for the certificate template. Otherwise, set the permissions according to your organization's requirements.

Save the changes. Add the template to the list of templates used by the Active Directory Certificate Authority.

In Workspace ONE UEM configure the Certificate Authority and add the Certificate Template.

Add Certificate Template in Workspace ONE UEM

You add the certificate template that associates the certificate authority used to generate the user's certificate.

Prerequisites

Configure the Certificate Authority in Workspace ONE UEM.

Procedure

1 In the Workspace ONE UEM console, navigate to System > Enterprise Integration > Certificate Authorities.

2 Select the Request Template tab and click Add.

3 Configure the following in the certificate template page.

Option: Description

Name: Enter the name for the new request template in Workspace ONE UEM.

Certificate Authority: In the drop-down menu, select the certificate authority that was created.

Issuing Template: Enter the Microsoft CA certificate template name exactly as you created it in AD CS. For example, iOSKerberos.


Subject Name: Enter the Subject name for the template. You can click + to select a lookup value from the list. Make sure that the value is entered after CN= in the text box. If you select the lookup type DeviceUid, enter a colon (:) after the value and select the lookup value from the list. For example, CN={DeviceUid}:{lookupvalue}, where the {} text box is the Workspace ONE UEM lookup value. Make sure to include the colon (:). The text entered in this text box is the Subject of the certificate, which can be used to determine who or what device received the certificate.

Private Key Length: This private key length matches the setting on the certificate template that is being used by AD CS. It is usually 2048.

Private Key Type: Select the check boxes for Signing and Encryption.

SAN Type: Click +Add. For the Subject Alternate Name, select User Principal Name. The value must be {EnrollmentUser}. When device compliance check is configured with Kerberos authentication, if you did not configure the DeviceUid as the Subject Name lookup value, add a second SAN type to include the device unique identifier (UDID). Select the SAN type DNS Name. The value must be UDID={DeviceUid}.

Automatic Certificate Renewal: Select the check box to have certificates that use this template automatically renewed before their expiration date.

Auto Renewal Period (days): Specify the auto renewal in days.

Enable Certificate Revocation: Select the check box to have certificates automatically revoked when applicable devices are unenrolled or deleted, or if the applicable profile is removed.

Publish Private Key: Select this check box to publish the private key.

Private Key Destination: Either Directory Service or Custom Web Service.


4 Click Save.

What to do next

In the Workspace ONE Access console, configure the built-in identity provider with the Mobile SSO for iOS authentication method.
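The AD CS template settings and the Workspace ONE UEM request template fields described in the two procedures above, as an added example that is not VMware or Microsoft code: a lint that takes a dictionary describing the template (subject name, SAN entries, key settings, application policy OIDs, whether compliance checking is on) and reports every rule from the guide that the configuration breaks, plus a small renderer that expands {Lookup} tokens the way the subject is filled in at request time. The field names of the dictionary, the sample configurations and the lookup values are constructed; the Kerberos Client Authentication OID comes from the procedure above, and the Smart Card Logon and Server Authentication OIDs are the standard EKU identifiers.

```python
"""Lint a Workspace ONE UEM request template and its AD CS template settings.

Added example, not VMware or Microsoft code. It encodes the rules from the
guide's procedures (CN= subject with a colon after {DeviceUid}, UPN SAN set to
{EnrollmentUser}, a DNS SAN carrying UDID={DeviceUid} when compliance checking
is on and the subject lacks the device id, 2048-bit keys, Signing + Encryption,
and only the Kerberos Client Authentication and Smart Card application policies)
and reports every violation. Field names and sample configurations are constructed.
"""
from __future__ import annotations
import re

KERBEROS_CLIENT_AUTH_OID = "1.3.6.1.5.2.3.4"      # from the AD CS template step above
SMART_CARD_LOGON_OID = "1.3.6.1.4.1.311.20.2.2"     # standard Microsoft Smart Card Logon EKU
ALLOWED_POLICY_OIDS = {KERBEROS_CLIENT_AUTH_OID, SMART_CARD_LOGON_OID}


def lint_template(cfg: dict) -> list[str]:
    """Return human-readable findings; an empty list means the configuration passes."""
    findings: list[str] = []
    subject: str = cfg.get("subject_name", "")
    sans: list[tuple[str, str]] = list(cfg.get("san", []))
    if not subject.startswith("CN="):
        findings.append("subject_name must begin with CN=")
    has_device_uid = "{DeviceUid}" in subject
    if has_device_uid and "{DeviceUid}:" not in subject:
        findings.append("a colon (:) must follow {DeviceUid} in subject_name")
    if ("User Principal Name", "{EnrollmentUser}") not in sans:
        findings.append("SAN User Principal Name must be {EnrollmentUser}")
    if cfg.get("compliance_check") and not has_device_uid \
            and ("DNS Name", "UDID={DeviceUid}") not in sans:
        findings.append("compliance check needs a DNS Name SAN of UDID={DeviceUid} "
                        "when the subject does not carry {DeviceUid}")
    if cfg.get("private_key_length", 0) < 2048:
        findings.append("private_key_length should be 2048 to match the AD CS template")
    if {"Signing", "Encryption"} - set(cfg.get("private_key_type", ())):
        findings.append("private_key_type must include both Signing and Encryption")
    oids = set(cfg.get("application_policy_oids", ()))
    if KERBEROS_CLIENT_AUTH_OID not in oids:
        findings.append(f"application policies must include {KERBEROS_CLIENT_AUTH_OID}")
    extra = oids - ALLOWED_POLICY_OIDS
    if extra:
        findings.append(f"remove application policies not needed for Kerberos logon: {sorted(extra)}")
    return findings


_LOOKUP = re.compile(r"\{(\w+)\}")


def render_subject(template: str, lookups: dict[str, str]) -> str:
    """Expand {Lookup} tokens with constructed values, as UEM does at request time.

    Raises KeyError for a token with no value, so an unresolvable subject is
    caught before a certificate request with a dangling placeholder goes out.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in lookups:
            raise KeyError(f"no lookup value for {match.group(0)}")
        return lookups[name]
    return _LOOKUP.sub(substitute, template)


# Constructed configurations: one that follows the guide and one with common slips.
GOOD_TEMPLATE = {
    "subject_name": "CN={DeviceUid}:{EnrollmentUser}",
    "san": [("User Principal Name", "{EnrollmentUser}")],
    "compliance_check": True,
    "private_key_length": 2048,
    "private_key_type": ["Signing", "Encryption"],
    "application_policy_oids": [KERBEROS_CLIENT_AUTH_OID, SMART_CARD_LOGON_OID],
}

WEAK_TEMPLATE = {
    "subject_name": "CN={EnrollmentUser}",                  # no device id in the subject...
    "san": [("User Principal Name", "{EnrollmentUser}")],   # ...and no UDID SAN either
    "compliance_check": True,
    "private_key_length": 1024,
    "private_key_type": ["Signing"],
    "application_policy_oids": [KERBEROS_CLIENT_AUTH_OID, "1.3.6.1.5.5.7.3.1"],  # Server Auth left in
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_TEMPLATE), ("weak", WEAK_TEMPLATE)):
        print(name, lint_template(cfg) or "OK")
    print(render_subject(GOOD_TEMPLATE["subject_name"],
                         {"DeviceUid": "0123ABCD", "EnrollmentUser": "jdoe"}))
```

The UDID rule is the one most often missed: without the device identifier in either the subject or a DNS SAN, the compliance check has nothing to tie the Kerberos certificate to a specific enrolled device, which is why the lint treats it as a finding only when compliance checking is enabled.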

Using a Key Distribution Center for Authentication from iOS Devices

For iOS device authentication, you integrate the service with Kerberos. Kerberos authentication provides users, who are successfully signed in to their domain, access to their application portal without additional credential prompts. The iOS device authentication method uses a Key Distribution Center (KDC) without the use of a connector or a third-party system.

Workspace ONE Access Cloud tenants do not need to manage or configure the KDC.

For on-premises deployments, two KDC service options are available.

- Built-in KDC. The built-in KDC requires initializing KDC on the appliance and creating public DNS entries to allow the Kerberos clients to find the KDC. For more information about enabling the built-in KDC, see the Workspace ONE Access Administration guide.


- KDC as a Workspace ONE Access cloud hosted service. Using KDC in the cloud requires selecting the appropriate realm name in the iOS authentication adapter page.

Using the Cloud Hosted KDC Service

To support using Kerberos authentication for mobile SSO for iOS, Workspace ONE Access provides a cloud hosted KDC service.

To use the KDC managed in the Workspace ONE Access appliance, see the Preparing to Use Kerberos Authentication on iOS devices in the Workspace ONE Access Installation and Configuration Guide.

When you configure Mobile SSO for iOS authentication, you configure the realm name for the cloud hosted KDC service. The realm is the name of the administrative entity that maintains authentication data. When you click Save, the Workspace ONE Access service is registered with the cloud hosted KDC service. The data that is stored in the KDC service is based on your configuration of the Mobile SSO for iOS authentication method. The data that is stored includes the CA certificate, the OCSP signing certificate, and the OCSP request configuration details.

The logging records are stored in the cloud service. The Personally Identifiable Information (PII) in the logging records includes the Kerberos principal name from the user's profile, the subject DN, UPN and email SAN values, the device ID from the user's certificate, and the FQDN of the IDM service that the user is accessing.

To use the cloud hosted KDC service, Workspace ONE Access must be configured as follows.

- The FQDN of the Workspace ONE Access service must be reachable from the Internet. The SSL/TLS certificate used by Workspace ONE Access must be publicly signed.

- An outbound request/response port 88 (UDP) and port 443 (HTTPS/TCP) must be accessible from the Workspace ONE Access service.

- If you enable OCSP, the OCSP responder must be reachable from the Internet.

- Verify that you added the correct whitelist IP addresses to your external firewall. See Adding Whitelist IP Addresses to Your External Firewall.

Configure Mobile SSO for iOS Authentication in Workspace ONE Access

You configure the Mobile SSO for iOS authentication method from the Authentication Methods page in the Workspace ONE Access console. Select the Mobile SSO (for iOS) authentication method in the built-in identity provider.

Prerequisites

- Certificate authority PEM or DER file used to issue certificates to users in the Workspace ONE UEM tenant.

- For revocation checking, the OCSP responder's signing certificate.


- For the KDC service, select the realm name of the KDC service. If using the built-in KDC service, the KDC must be initialized. See the Installing and Configuring Workspace ONE Access guide for the built-in KDC details.

Procedure

1 In the Workspace ONE Access console, select Identity & Access Management and with the Manage page selected, click Authentication Methods.

2 In the Configure column for Mobile SSO (for iOS), click the pencil icon.

3 Configure the Kerberos authentication method.

Option Description

Enable KDC Authentication: To enable users to sign in using iOS devices that support Kerberos authentication, select this check box.

Realm: For tenant deployments in the cloud, the realm value is read-only. The realm name displayed is the identity manager realm name for your tenant.

For on-premises deployments, if you are using the cloud hosted KDC, enter the pre-defined supported realm name that is supplied to you. The text in this parameter must be entered in all caps. For example, OP.VMWAREIDENTITY.COM. If you are using the built-in KDC, the realm name that you configured when you initialized the KDC displays.

Root and Intermediate CA Certificate: Upload the certificate authority issuer certificate file. The file format can be either PEM or DER.

Uploaded CA Certificate Subject DNs: The content of the uploaded certificate file is displayed here. More than one file can be uploaded, and whatever certificates are included are added to the list.

Enable OCSP: To use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate, select the check box.

Send OCSP Nonce: If you want the unique identifier of the OCSP request to be sent in the response, select this check box.

OCSP Responder’s Signing Certificate: Upload the OCSP certificate for the responder.

When you are using the Workspace ONE UEM Certificate Authority, the issuer certificate is used as the OCSP certificate. Upload the Workspace ONE UEM certificate here as well.

OCSP Responder’s Signing Certificate Subject DN: The uploaded OCSP certificate file is listed here.

Cancel Message: Create a custom sign-in message that displays when authentication is taking too long. If you do not create a custom message, the default message is Attempting to authenticate your credentials.

Enable Cancel Link: When authentication is taking too long, give users the ability to click Cancel to stop the authentication attempt and cancel the sign-in.

When the Cancel link is enabled, the word Cancel appears at the end of the authentication error message that displays.

Enterprise Device Management Server URL: Enter the Mobile Device Management (MDM) server URL to redirect users when access is denied because the device is not enrolled into Workspace ONE UEM for MDM management. This URL displays in the authentication failure error message. If you do not enter a URL here, the generic Access Denied message displays.


4 Click Save.

What to do next

- Associate the Mobile SSO (for iOS) authentication method in the built-in identity provider.

Configure the Built-In Identity Provider for Mobile SSO iOS Authentication

You configure the built-in identity provider and associate the provider with the Mobile SSO for iOS authentication method that has been configured in the Workspace ONE Access console.

Prerequisites

Mobile SSO for iOS authentication configured in Workspace ONE Access on the Authentication Methods page.

Procedure

1 In the Workspace ONE Access console, select Identity & Access Management and with the Manage page selected, click Identity Providers.

2 Click Add Identity Provider, and select Create Built-in IDP.

Option Description

Identity Provider Name: Enter the name for this built-in identity provider instance.

Users: Select which users to authenticate. The configured directories are listed.

Network: The existing network ranges configured in the service are listed. Select the network ranges for the users based on the IP addresses that you want to direct to this identity provider instance for authentication.

Authentication Methods: The authentication methods that are configured on the service are displayed. Select the check box for the iOS authentication method to associate to this built-in identity provider. Add any other authentication methods.

For Device Compliance (with Workspace ONE UEM) and Password (for Workspace ONE UEM Connector), make sure that the option is enabled in the Workspace ONE UEM configuration page.

3 In the KDC Certificate Export section, click Download Certificate. Save this certificate to a file that can be accessed from the Workspace ONE UEM console.

You upload this certificate when you configure the iOS device profile in Workspace ONE UEM.

4 Click Add.

What to do next

- Configure the default access policy rule for Kerberos authentication for iOS devices. Make sure that this authentication method is the first method set up in the rule.


- Go to the Workspace ONE UEM console, configure the iOS device profile in Workspace ONE UEM, and add the KDC server issuer certificate from Workspace ONE Access.

Create a Conditional Access Policy Rule

You must edit the Workspace ONE Access default access policy to add the iOS Mobile SSO authentication method that you configured to the rules.

When users attempt to sign in from their iOS devices, Workspace ONE Access service evaluates the default access policy rules to select the rule that applies to iOS Mobile SSO authentication. The authentication policy you create determines which authentication method Workspace ONE Access implements, based on the network range, device type, and user group.

Procedure

1 In the Workspace ONE Access console Identity & Access Management tab, select Manage > Policies.

2 Click Edit Default Policy and then click Next.

3 To add a new policy rule, click Add Policy Rule.

Option Description

If a user's network range is: Select the network range for this policy rule.

and user accessing content from: Select iOS.

and user belongs to groups: If this access rule is going to apply to specific groups, search for the groups in the search box.

If you do not select a group, the access policy applies to all users.

Then perform this action: Select Authenticate using....

then the user may authenticate using: Select Mobile SSO (for iOS).

If the preceding method fails or is not applicable, then: Configure additional fallback authentication methods.

You can add Device Compliance to check the Workspace ONE UEM server for device compliance status when users sign in from their devices. See Configure Compliance Checking Rules.

Re-authenticate after: Select the length of the session, after which users must authenticate again.

4 (Optional) In Advanced Properties, create a custom access denied error message that displays when user authentication fails. You can use up to 4000 characters, which are about 650 words. If you want to send users to another page, in the Custom Error Link URL text box, enter the URL link address. In the Custom Error Link text text box, enter the text to describe the custom error link. This text is the link. If you leave this text box blank, the word Continue displays as the link.

5 Click Save.

6 Drag and drop this rule before the Web Browser rule in the list of default access policy rules.

7 Click Next to review the rules and then click Save.
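As an added illustration, not VMware's code, the following Python model shows why step 6 matters: each rule carries the conditions from the Add Policy Rule form and an ordered method list, rules are tried in the order shown in the policy editor, and the first rule whose conditions all match decides the authentication chain. The first-match assumption, the treatment of Safari on an iPhone as both an iOS and a Web Browser client, and all rule names, network ranges, groups and addresses are assumptions and constructed sample data.

```python
"""Ordered access-policy evaluation for the iOS Mobile SSO rule (constructed model)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

ALL_RANGES = "ALL RANGES"  # constructed stand-in for the catch-all network range


@dataclass
class PolicyRule:
    name: str
    network_ranges: List[str]                              # CIDR strings or ALL_RANGES
    device_type: str                                       # "iOS", "Web Browser", ...
    groups: List[str] = field(default_factory=list)        # empty = applies to all users
    auth_methods: List[str] = field(default_factory=list)  # primary first, then fallbacks
    reauth_hours: int = 8                                  # "Re-authenticate after"

    def matches(self, client_ip: str, client_types: Set[str], user_groups: Set[str]) -> bool:
        """All three conditions of the rule must hold for the request."""
        ip = ipaddress.ip_address(client_ip)
        in_range = any(
            r == ALL_RANGES or ip in ipaddress.ip_network(r, strict=False)
            for r in self.network_ranges
        )
        # Assumption: Safari on an enrolled iPhone is both an "iOS" client and a
        # "Web Browser" client, so a Web Browser rule placed first captures it.
        device_ok = self.device_type == "All Device Types" or self.device_type in client_types
        group_ok = not self.groups or bool(set(self.groups) & user_groups)
        return in_range and device_ok and group_ok


def select_rule(rules: List[PolicyRule], client_ip: str, client_types: Set[str],
                user_groups: Set[str]) -> Optional[PolicyRule]:
    """First-match evaluation in list order (assumption: the order in the policy editor)."""
    for rule in rules:
        if rule.matches(client_ip, client_types, user_groups):
            return rule
    return None


def authentication_chain(rules: List[PolicyRule], client_ip: str, client_types: Set[str],
                         user_groups: Set[str]) -> List[str]:
    """Primary method followed by its fallbacks, or [] when no rule applies (access denied)."""
    rule = select_rule(rules, client_ip, client_types, user_groups)
    return list(rule.auth_methods) if rule else []


# Constructed rules. The iOS rule uses Mobile SSO (for iOS) first and Device
# Compliance as its fallback, as the procedure describes.
IOS_SSO_RULE = PolicyRule(
    name="iOS Mobile SSO",
    network_ranges=[ALL_RANGES],
    device_type="iOS",
    auth_methods=["Mobile SSO (for iOS)", "Device Compliance (with Workspace ONE UEM)"],
)
CONTRACTOR_IOS_RULE = PolicyRule(
    name="iOS Mobile SSO for contractors on the office network",
    network_ranges=["10.20.0.0/16"],          # constructed office range
    device_type="iOS",
    groups=["Contractors"],
    auth_methods=["Mobile SSO (for iOS)"],
    reauth_hours=1,
)
WEB_BROWSER_RULE = PolicyRule(
    name="Web Browser",
    network_ranges=[ALL_RANGES],
    device_type="Web Browser",
    auth_methods=["Password"],
)

# Order after step 6 (iOS rules dragged before Web Browser) versus the order
# you get if the new rule is left at the end of the list.
CORRECT_ORDER = [CONTRACTOR_IOS_RULE, IOS_SSO_RULE, WEB_BROWSER_RULE]
WRONG_ORDER = [WEB_BROWSER_RULE, CONTRACTOR_IOS_RULE, IOS_SSO_RULE]
IOS_SAFARI = {"iOS", "Web Browser"}  # constructed client tags for Safari on an iPhone


if __name__ == "__main__":
    for label, rules in (("iOS rule before Web Browser", CORRECT_ORDER),
                         ("iOS rule after Web Browser", WRONG_ORDER)):
        chain = authentication_chain(rules, "203.0.113.10", IOS_SAFARI, {"Sales"})
        print(f"{label}: {chain}")
```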


What to do next

Go to the Workspace ONE UEM console, configure the iOS device profile, and add the KDC server issuer certificate from Workspace ONE Access. See Configure Apple iOS Profile in Workspace ONE UEM Using Workspace ONE UEM Certificate Authority.

Configure Apple iOS Profile in Workspace ONE UEM Using Workspace ONE UEM Certificate Authority

To push the identity provider settings to the device, create and deploy the Apple iOS device profile in Workspace ONE UEM. This profile setting includes the information necessary for the device to connect to the Workspace ONE Access service and the certificate that the device uses to authenticate.

To allow iOS devices to connect to the Workspace ONE Access identity provider, first use Workspace ONE UEM to create and deploy the Apple iOS device profile, then assign the profile to a smart group.

Prerequisites

- Built-in Kerberos configured in Workspace ONE Access.

- A mobile iOS authentication rule configured in the Workspace ONE Access default access policy.

- Workspace ONE Access KDC server root certificate file saved to a computer that can be accessed from the Workspace ONE UEM console.

- Certificate enabled and downloaded from the Workspace ONE UEM console System > Enterprise Integration > Workspace ONE Access page.

- List of URLs and application bundle IDs that use Built-in Kerberos authentication on iOS devices.

Procedure

1 In the Workspace ONE UEM console, navigate to Devices > Profiles & Resources > Profile > Add Profile and select Apple iOS.

2 Configure the profile’s General settings and enter the name of the device as iOSKerberos.

3 In the left navigation pane, select SCEP > Configure to configure the credential.

Option Description

Credential Source: Select AirWatch Certificate Authority from the drop-down menu.

Certificate Authority: Select the AirWatch Certificate Authority from the drop-down menu.

Certificate Template: Select Single Sign On to set the type of certificate that is issued by the AirWatch Certificate Authority.

4 Click Credentials > Configure and create a second credential.

5 In the Credential Source drop-down menu, select Upload.

6 Enter the iOS Kerberos credential name.


7 Click Upload to upload the Workspace ONE Access KDC server root certificate that is downloaded from the Identity & Access Management > Manage > Identity Providers > Built-in Identity provider page.

8 In the left navigation pane, select Single Sign-On.

9 Enter the connection information.

Option Description

Account Name: Enter Kerberos.

Kerberos Principal Name: Click + and select {EnrollmentUser}.

Realm: For tenant deployments in the cloud, enter the Workspace ONE Access realm name for your tenant. The text in this parameter must be capitalized. For example, VMWAREIDENTITY.COM.

For on-premises deployments, enter the realm name you used when you initialized KDC in the Workspace ONE Access machine. For example, EXAMPLE.COM.

Renewal Certificate: On iOS 8 and later devices, select the certificate used to reauthenticate the user automatically without any need for user interaction when the user's single sign-on session expires.

URL Prefixes: Enter the URL prefixes that must match to use this account for Kerberos authentication over HTTP.

For tenant deployments in the cloud, enter the Workspace ONE Access server URL as https://<tenant>.vmwareidentity.<region>.

For on-premises deployments, enter the Workspace ONE Access server URL as https://myco.example.com.

Applications: Enter the list of application identities that are allowed to use this sign-in. To perform single sign-on using the iOS built-in Safari browser, enter the first application bundle ID as com.apple.mobilesafari. Continue to enter application bundle IDs. The applications listed must support SAML authentication.

10 Click Save & Publish.

When the iOS profile is successfully pushed to users' devices, users can sign in to Workspace ONE Access using the Built-in Kerberos authentication method without entering their credentials.

What to do next

Assign the device profile to a smart group. Smart groups are customizable groups that determine which platforms, devices, and users receive an assigned application, book, compliance policy, device profile, or provision. See Assign a Workspace ONE UEM Device Profile to Smart Groups.


Configure Apple iOS Profile in Workspace ONE UEM Using Active Directory Certificate Authority and Certificate Template

Create and deploy the Apple iOS device profile in Workspace ONE UEM to push the Identity Provider settings to the device. This profile contains the information necessary for the device to connect to the Workspace ONE Access Identity Provider and the certificate that the device uses to authenticate. Enable single sign-on to allow seamless access without requiring authentication into each app.

Prerequisites

- Mobile SSO for iOS is configured in Workspace ONE Access.

- Mobile iOS authentication configured in the Workspace ONE Access default access policy.

- iOS Kerberos certificate authority file saved to a computer that can be accessed from the Workspace ONE UEM admin console.

- Your Certificate Authority and Certificate Template are properly configured in Workspace ONE UEM.

- List of URLs and application bundle IDs that use Mobile SSO for iOS authentication on iOS devices.

Procedure

1 In the Workspace ONE UEM console, navigate to Devices > Profiles & Resources > Profiles.

2 Select Add > Add Profile and select Apple iOS.

3 Enter the name as iOSKerberos and configure the General settings.

4 In the left navigation pane, select Credentials > Configure to configure the credential.

Option Description

Credential Source: Select Defined Certificate Authority from the drop-down menu.

Certificate Authority: Select the certificate authority from the list in the drop-down menu.

Certificate Template: Select the request template that references the certificate authority from the drop-down menu. This is the certificate template created in Adding the Certificate Template in Workspace ONE UEM.

5 Click + in the lower right corner of the page again and create a second credential.

6 In the Credential Source drop-down menu, select Upload.

7 Enter a credential name.

8 Click Upload to upload the KDC server root certificate that was downloaded from the Identity & Access Management > Manage > Identity Providers > Built-in Identity Provider page.

9 In the left navigation pane, select Single Sign-On and click Configure.


10 Enter the connection information.

Option Description

Account Name: Enter Kerberos.

Kerberos Principal Name: Click + and select {EnrollmentUser}.

Realm: For tenant deployments in the cloud, enter the Identity Manager realm name for your tenant. The text in this parameter must be capitalized. For example, VMWAREIDENTITY.COM.

For on-premises deployments, enter the realm name you used when you initialized KDC in the Workspace ONE Access appliance. For example, EXAMPLE.COM.

Renewal Certificate: Select Certificate #1 from the drop-down menu. This is the Active Directory CA cert that was configured first under credentials.

URL Prefixes: Enter the URL prefixes that must match to use this account for Kerberos authentication over HTTP.

For tenant deployments in the cloud, enter the Workspace ONE Access server URL as https://<tenant>.vmwareidentity.<region>.

For on-premises deployments, enter the Workspace ONE Access server URL as https://myco.example.com.

Applications: Enter the list of application identities that are allowed to use this sign-on. To perform single sign-on using the iOS built-in Safari browser, enter the first application bundle ID as com.apple.mobilesafari. Continue to enter application bundle IDs. The applications listed must support SAML authentication.

11 Click Save & Publish.
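The following added example (not VMware or Workspace ONE UEM code) checks the Single Sign-On settings entered in step 9 of the previous procedure and step 10 of this one against the rules those steps state, and models the URL-prefix decision the device makes for each request. The trailing-slash normalization of prefixes, the case-insensitive host comparison, and every hostname and bundle ID other than com.apple.mobilesafari are assumptions and constructed sample values.

```python
"""Consistency checks for the Single Sign-On section of the iOSKerberos profile (constructed example)."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

SAFARI_BUNDLE_ID = "com.apple.mobilesafari"
ENROLLMENT_USER = "{EnrollmentUser}"                    # UEM lookup value for the principal
REALM_PATTERN = re.compile(r"[A-Z0-9][A-Z0-9.-]*")      # realm must be capitalized, e.g. EXAMPLE.COM
BUNDLE_ID_PATTERN = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


@dataclass
class KerberosSsoSettings:
    account_name: str
    principal_name: str
    realm: str
    url_prefixes: List[str]
    applications: List[str]
    renewal_certificate: str = "Certificate #1"   # the CA-issued credential configured first


def validate(settings: KerberosSsoSettings) -> List[str]:
    """Return the list of problems found; an empty list means the section is consistent."""
    problems = []
    if settings.account_name != "Kerberos":
        problems.append("Account Name must be Kerberos")
    if settings.principal_name != ENROLLMENT_USER:
        problems.append(f"Kerberos Principal Name must be the {ENROLLMENT_USER} lookup value")
    if not REALM_PATTERN.fullmatch(settings.realm):
        problems.append(f"Realm {settings.realm!r} must be entered in capitals, for example EXAMPLE.COM")
    for prefix in settings.url_prefixes:
        parts = urlsplit(prefix)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"URL prefix {prefix!r} must be the https:// URL of the Workspace ONE Access service")
    if not settings.applications:
        problems.append("Applications must list at least one bundle ID")
    elif settings.applications[0] != SAFARI_BUNDLE_ID:
        problems.append(f"the first application bundle ID must be {SAFARI_BUNDLE_ID}")
    for bundle_id in settings.applications:
        if not BUNDLE_ID_PATTERN.fullmatch(bundle_id):
            problems.append(f"{bundle_id!r} is not a valid application bundle ID")
    return problems


def _normalize(url: str) -> str:
    """Lower-case scheme and host and give a bare host a "/" path (assumption), so that a
    prefix such as https://myco.example.com matches only that host, not a longer
    look-alike hostname that merely starts with the same characters."""
    parts = urlsplit(url)
    return parts._replace(scheme=parts.scheme.lower(), netloc=parts.netloc.lower(),
                          path=parts.path or "/").geturl()


def url_uses_kerberos_account(url: str, settings: KerberosSsoSettings) -> bool:
    """Model of the device decision: the request URL must start with a configured prefix."""
    candidate = _normalize(url)
    return any(candidate.startswith(_normalize(prefix)) for prefix in settings.url_prefixes)


if __name__ == "__main__":
    # Constructed settings for an on-premises deployment.
    settings = KerberosSsoSettings(
        account_name="Kerberos",
        principal_name=ENROLLMENT_USER,
        realm="EXAMPLE.COM",
        url_prefixes=["https://myco.example.com"],
        applications=[SAFARI_BUNDLE_ID, "com.example.salesapp"],   # constructed second app
    )
    print("problems:", validate(settings))
    for url in ("https://myco.example.com/SAAS/auth/login",
                "https://myco.example.com.lookalike.test/SAAS/auth/login"):
        print(url, "->", url_uses_kerberos_account(url, settings))
```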

What to do next

Assign the device profile to a smart group. Smart groups are customizable groups that determine which platforms, devices, and users receive an assigned application, book, compliance policy, device profile, or provision. See Assign a Workspace ONE UEM Device Profile to Smart Groups.

Assign a Workspace ONE UEM Device Profile to Smart Groups

After you create a device profile in Workspace ONE UEM, you assign the profile to a smart group.

Smart groups are customizable groups that determine which platforms, devices, and users receive an assigned application, compliance policy, device profile, or provision. See the Workspace ONE UEM Mobile Device Management Guide.

Procedure

1 In the Workspace ONE UEM console, navigate to Devices > Profiles & Resources > Profiles.

2 Select the device profile that you want to assign to the smart group.

3 In the General tab, click the Assigned Groups text box and select Create Assignment Group.

4 In the Create New Smart Group page, enter the name for the smart group.


5 Select Platform and Operating System and select the correct operating system and version from the drop-down menus.

6 Click Save & Publish.

After you assign a smart group to the device option, users can sign in to Workspace ONE and access applications from the catalog.


4 Implementing Mobile Single Sign-On Authentication for Managed Android Devices

Mobile single sign-on (SSO) for Android is an implementation of the certificate authentication method for Workspace ONE UEM managed Android devices. Mobile SSO allows users to sign in to their device and securely access their Workspace ONE apps without reentering a password.

The Workspace ONE Tunnel® mobile app is installed on the Android device to add certificate and device ID information into authentication flows. The Tunnel settings are configured in the Workspace ONE UEM console to access the Workspace ONE Access service for authentication, and the service retrieves the certificate from the device for authentication.

In the Workspace ONE UEM console, you also configure the following settings.

- Android VPN profile. This profile is used to enable the per app tunneling capabilities for Android.

- Enable VPN for each app that uses the app tunnel functionality from the Workspace ONE UEM console.

- Create network traffic rules with a list of all the apps that are configured for Per App VPN, the proxy server details, and the Workspace ONE Access URL.

When implementing mobile SSO for Android with the Workspace ONE Access service on premises, you configure the cert proxy service on the Workspace ONE Access appliance. After the cert proxy service is configured, you can configure certificate authentication in the Workspace ONE Access built-in identity provider from the Workspace ONE Access console.

When implementing mobile SSO for Android with the Workspace ONE Access service in the cloud, you can configure certificate authentication in the Workspace ONE Access built-in identity provider from the Workspace ONE Access console. The cert proxy service is managed for you.

See the Android Mobile Single Sign-on to VMware Workspace One publication in the Workspace ONE Documentation Center for detailed information about setting up Android Mobile SSO.

This chapter includes the following topics:

- Supported Android Device

Supported Android Device

Android 5.1 or later is supported.


Applications accessed from an Android device must support SAML or another supported federation standard for single sign-on.


5 Using the Workspace ONE Catalog

When Workspace ONE UEM and Workspace ONE Access are integrated, the Workspace ONE catalog is the repository of all the resources that you entitle to users. Users access enterprise applications that you manage in the Workspace ONE catalog based on the settings you establish for the application.

Cloud, Mobile, and Windows applications are accessed from the catalog. Native applications that are internally developed or publicly available in app stores are made available to your end users from the Workspace ONE portal.

In the Workspace ONE Catalog pages, you perform the following tasks.

- Add new resources to your catalog.

- View the resources to which you can currently entitle users.

- Access information about each resource in your catalog.

Some web applications are added to your catalog directly from the Catalog pages. Other resource types require you to take action outside the administration console. See the Workspace ONE Access Setting Up Resources guide for information about setting up resources.

This chapter includes the following topics:

- Managing Resources in the Catalog

Managing Resources in the Catalog

Before you can entitle a particular resource to your users, you must populate your catalog with that resource. The method you use to populate your catalog with a resource depends on what type of resource it is.

The types of resources that you can define in your catalog for entitlement and distribution to users are Web applications, Windows applications captured as VMware ThinApp packages, Horizon Client desktop pools and Horizon virtual applications, or Citrix-based applications.

To integrate and enable Horizon Client desktop and application pools, Citrix-published resources, or ThinApp packaged applications, you use the Virtual Apps Collection feature available in the Catalog tab drop-down menu.


For information, requirements, installation, and configuration of these resources, see Setting Up Resources in Workspace ONE Access.

Adding Web Applications to Your Organization's Catalog

You can add Web applications to your catalog by either selecting them from the cloud application catalog or creating new ones.

The cloud application catalog contains commonly used enterprise Web applications. These applications are partially configured and you must provide additional information to complete the application record. You might also need to work with your Web application account representatives to complete other required setup.

Many of the applications in the cloud application catalog use SAML 2.0 or 1.1 to exchange authentication and authorization data to enable single sign-on from Workspace ONE to the Web application.

When you create an application, you need to enter all the configuration information for the application. The configuration varies based on the type of application you are adding. For applications with no federation protocol, you only require a Target URL.

While adding an application, you also select an access policy to control user access to the application. A default access policy is available and you can also create new policies from the Identity & Access Management > Manage > Policies page. See Workspace ONE Access Administration guide for more information about access policies.

Grouping Apps into Categories

You can organize apps into logical categories to make it easier for users to locate the apps they need in their user portal.

When you create categories consider the structure of your organization, the job function of the apps, and type of app resource. You can assign more than one category to an app. For example, you might create a category called Sales Associate and another category called Staff Sales Resources. Assign Sales Associate to all the sales apps in your catalog. Also assign Staff Sales Resources to specific sales apps that are shared with only the staff associates.

After you create a category, you can apply that category to any of the apps in the catalog. You can apply multiple categories to the same app.

When users sign in to their user portal, they see the categories that you enabled for their view.

See the Workspace ONE Access Administration guide, Managing the Catalog.


6 Custom Branding for Workspace ONE Access Services

You can customize the logos, fonts, and background that appear in the Workspace ONE Access console, the user and administrator sign-in screens, the Web view of the Workspace ONE portal, and the Workspace ONE app page viewed on mobile devices.

You can use the customization tool to match the look and feel of your company's colors, logos, and design.

This chapter includes the following topics:

- Customize Branding in Workspace ONE Access Service

- Customize Branding for the Workspace ONE User Portal

Customize Branding in Workspace ONE Access Service

You can add your company name, product name, and favicon to the address bar for the administration console and the user portal. You can also customize the sign-in page to set background colors to match your company's colors and logo design.

Procedure

1 In the Workspace ONE Access console Identity & Access Management tab, select Setup > Custom Branding.

2 Edit the following settings in the form as appropriate.

Form Field Description

Names and Logos Tab

Company Name: Company Name applies to both desktops and mobile devices. You can add your company's name as the title that appears in the browser tab.

Enter a new company name over the existing one to change the name.

Product Name: Product Name applies to both desktops and mobile devices. The product name displays after the company name in the browser tab.


Favicon: A favicon is an icon associated with a URL that is displayed in the browser address bar.

The maximum size of the favicon image is 16 x 16 px. The format can be JPEG, PNG, GIF, or ICO.

Click Upload to upload a new image to replace the current favicon. You are prompted to confirm the change. The change occurs immediately.

Sign-In Screen Tab

Logo: Click Upload to upload a new logo to replace the current logo on the sign-in screens. When you click Confirm, the change occurs immediately.

The minimum image size recommended to upload is 350 x 100 px. If you upload images that are larger than 350 x 100 px, the image is scaled to fit the 350 x 100 px size. The format can be JPEG, PNG, or GIF.

Background Color: The color that displays for the background of the sign-in screen.

Enter the six-digit hexadecimal color code over the existing one to change the background color.

Box Background Color: The sign-in screen box color can be customized.

Enter the six-digit hexadecimal color code over the existing code.

Login Button Background Color: The color of the login button can be customized.

Enter the six-digit hexadecimal color code over the existing one.

Login Button Text Color: The color of the text that displays on the login button can be customized.

Enter the six-digit hexadecimal color code over the existing one.

When you customize the sign-in screen, you can see your changes in the Preview pane before you save your changes.

3 Click Save.

Custom branding updates to the Workspace ONE Access console and the sign-in pages are applied within five minutes after you click Save.

What to do next

Check the appearance of the branding changes in the various interfaces.

Update the appearance of the end-user Workspace ONE portal, mobile, and tablet views. See Customize Branding for the Workspace ONE User Portal.

Customize Branding for the Workspace ONE User Portal

You can add a logo, change the background colors, and add images to customize the Workspace ONE portal.

Procedure

1 In the Workspace ONE Access console Catalogs tab, select Settings > User Portal Branding.


2 Edit the settings in the form as appropriate.

Form Item Description

Logo Add a masthead logo to be the banner at the top of the Workspace ONE Access console and Workspace ONE portal Web pages.

The maximum size of the image is 220 x 40 px. The format can be JPEG, PNG or GIF.

Portal Masthead Background Color

Enter a six-digit hexadecimal color code over the existing one to change the background color of the masthead. The background color changes in the application portal preview screen when you type in a new color code.

Masthead Text Color Enter a six-digit hexadecimal color code over the existing one to change the color of the text that displays in the masthead.

Background Color The color that displays for the background of the Web portal screen.

Enter a new six-digit hexadecimal color code over the existing one to change the background color. The background color changes in the application portal preview screen when you type in a new color code.

Select Background Highlight to accent the background color. If Background Highlight is enabled, browsers that support multiple background images show the overlay in the launcher and catalog pages.

Select Background Pattern to set the predesigned triangle pattern in the background color.

Icon Background Color Enter a six-digit hexadecimal color code to change the background color box surrounding application icons.

Icon Background Opacity To set a transparency, move the slider on the bar.

Name and Icon Color You can select the text color for names listed under the icons on the app portal pages.

Enter a hexadecimal color code over the existing one to change the font color.

Lettering effect Select the type of lettering to use for the text on the Workspace ONE portal screens.

Background Highlight If enabled, browsers that support multiple background images show the background overlay on the bookmark and catalog pages.

Background Pattern If enabled, browsers that support multiple background images show the predesigned triangle pattern over the background color on the bookmark and catalog pages.

Image (Optional) To add an image to the background on the app portal screen instead of a color, upload an image.

3 Click Save.

Custom branding updates for the user portal are cached and refreshed every 24 hours. To push the changes sooner, while signed in to the console as an administrator, open a new browser tab and request the following URL, substituting your Workspace ONE Access host name for myco.example.com: https://myco.example.com/catalog-portal/services/api/branding?refreshCache=true
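As an added example, not part of this guide or of VMware's software, the following Python script pre-checks a favicon or masthead logo file against the limits stated in the branding forms above before you upload it. It identifies the format from the file's magic bytes rather than its extension, so a renamed file cannot slip past the check, and reads the dimensions from the header. The LIMITS table restates the guide's numbers; the sample headers are constructed for the example; the sign-in logo is left out because the guide gives only a recommended minimum for it.

```python
"""Pre-flight check of branding image assets against the size and format
limits this guide states for the favicon and the masthead logo.
Added example, not VMware code. The format is identified from the file's
magic bytes, not its extension, and the dimensions are read from the header."""
import struct

# Limits as stated in the branding forms: (max width, max height, allowed formats).
# The sign-in logo has only a recommended minimum (350 x 100), so it is not listed.
LIMITS = {
    "favicon": (16, 16, {"JPEG", "PNG", "GIF", "ICO"}),
    "masthead_logo": (220, 40, {"JPEG", "PNG", "GIF"}),
}


def sniff_image(data: bytes):
    """Return (format, width, height) parsed from the header, or raise ValueError."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        # First chunk must be IHDR: length(4) "IHDR"(4) width(4) height(4), big-endian.
        if data[12:16] != b"IHDR":
            raise ValueError("PNG: first chunk is not IHDR")
        width, height = struct.unpack(">II", data[16:24])
        return "PNG", width, height
    if data[:6] in (b"GIF87a", b"GIF89a"):
        # Logical screen width/height follow the signature, little-endian.
        width, height = struct.unpack("<HH", data[6:10])
        return "GIF", width, height
    if data[:4] == b"\x00\x00\x01\x00":
        # ICO: reserved(2) type(2)=1 count(2), then 16-byte directory entries;
        # entry width/height are one byte each and 0 encodes 256.
        (count,) = struct.unpack("<H", data[4:6])
        if count < 1 or len(data) < 22:
            raise ValueError("ICO: no directory entry")
        return "ICO", data[6] or 256, data[7] or 256
    if data[:2] == b"\xff\xd8":
        # JPEG: walk marker segments until a SOF (start of frame) carries the size.
        i = 2
        while i + 9 <= len(data):
            if data[i] != 0xFF:
                raise ValueError("JPEG: corrupt marker segment")
            marker = data[i + 1]
            if marker in (0xC0, 0xC1, 0xC2):
                # SOF layout: length(2) precision(1) height(2) width(2) ...
                height, width = struct.unpack(">HH", data[i + 5 : i + 9])
                return "JPEG", width, height
            (seg_len,) = struct.unpack(">H", data[i + 2 : i + 4])
            i += 2 + seg_len
        raise ValueError("JPEG: no SOF segment found")
    raise ValueError("unrecognized image format")


def check_asset(kind: str, data: bytes):
    """Return (format, width, height, problems); an empty problems list means OK."""
    max_w, max_h, allowed = LIMITS[kind]
    fmt, width, height = sniff_image(data)
    problems = []
    if fmt not in allowed:
        problems.append(f"{fmt} is not an accepted format for {kind}")
    if width > max_w or height > max_h:
        problems.append(f"{width} x {height} px exceeds the {max_w} x {max_h} px limit")
    return fmt, width, height, problems


# Constructed minimal headers standing in for real files (only the header bytes matter).
def png_header(w, h):
    return (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", w, h) + b"\x08\x06\x00\x00\x00")


def gif_header(w, h):
    return b"GIF89a" + struct.pack("<HH", w, h)


def ico_header(w, h):
    return b"\x00\x00\x01\x00" + struct.pack("<H", 1) + bytes([w % 256, h % 256]) + b"\x00" * 14


def jpeg_header(w, h):
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
    sof0 = b"\xff\xc0" + struct.pack(">H", 11) + b"\x08" + struct.pack(">HH", h, w) + b"\x01\x01\x11\x00"
    return b"\xff\xd8" + app0 + sof0


if __name__ == "__main__":
    for kind, data in [("favicon", ico_header(16, 16)),
                       ("masthead_logo", png_header(220, 40)),
                       ("masthead_logo", jpeg_header(300, 40)),
                       ("masthead_logo", ico_header(16, 16))]:
        print(kind, check_asset(kind, data))
```

To check a real asset, pass the file's bytes (open(path, "rb").read()) to check_asset. The favicon limit is exactly 16 x 16 px, so any larger image is reported as a problem; a file whose extension says .png but whose bytes say otherwise is reported under its real format.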

What to do next

Review the appearance of the branding changes in the various interfaces.


7 Accessing Other Documents

As you configure Workspace ONE integration, you might need to access additional documentation from these documentation centers.

VMware Workspace ONE Document Center
- Workspace ONE Integrations, Installing and Configuring the Connector
- Deploying VMware Workspace ONE Intelligent Hub
- Workspace ONE Integrations, Android Mobile Single Sign-On to VMware Workspace ONE

VMware Workspace ONE UEM Document Center
- AirWatch Cloud Connector
- VMware Workspace ONE UEM Mobile Device Management documentation
- VMware Workspace ONE UEM Mobile Application Management documentation
- iOS Device Management documentation
- Android Platform documentation

VMware Workspace ONE Access Documentation Center
- Workspace ONE Access Administration Guide
- Setting Up Resources in Workspace ONE Access
