
VMware Workspace ONE: Deploy and Manage (Days 3 & 4)


Lab Manual

VMware® Education Services


VMware, Inc.
www.vmware.com/education
VMware Workspace ONE: Deploy and Manage
VMware Workspace ONE & AirWatch
Part Number AW-EDU-WS1DM
Lab Manual

Copyright © 2017 VMware, Inc. All rights reserved. This manual and its accompanying materials
are protected by U.S. and international copyright and intellectual property laws. VMware products
are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a
registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions.
All other marks and names mentioned herein may be trademarks of their respective companies.
The training material is provided “as is,” and all express or implied conditions, representations,
and warranties, including any implied warranty of merchantability, fitness for a particular purpose
or noninfringement, are disclaimed, even if VMware, Inc., has been advised of the possibility of
such claims. This training material is designed to support an instructor-led training course and is
intended to be used for reference purposes in conjunction with the instructor-led training course.
The training material is not a standalone training tool. Use of the training material for self-study
without class attendance is not recommended.
These materials and the computer programs to which it relates are the property of, and embody
trade secrets and confidential information proprietary to, VMware, Inc., and may not be
reproduced, copied, disclosed, transferred, adapted or modified without the express written
approval of VMware, Inc.

CONTENTS
Lab 1 Workspace ONE Communication (SaaS), page 1
Lab 2 VMware Enterprise Systems Connector, page 5
Lab 3 AirWatch Directory Services Integration, page 19
Lab 4 Integrate AirWatch with VMware Identity Manager, page 35
Lab 5 Configure User Authentication with VMware Identity Manager, page 55
Lab 6 Unified Catalog, page 65
Lab 7 Implementing iOS Mobile SSO, page 75
Lab 8 Mobile Application Management, page 99

Lab 1 Workspace ONE Communication (SaaS)

Network Diagram
There are four main components to this activity:
1. VMware Enterprise Systems Connector (ESC)
2. On-premises Domain Controller
3. AirWatch SaaS
4. Identity Manager SaaS

The following diagram illustrates the architecture used in this lab.

Task 1: Logging in to Training Servers


1. If possible, turn off all VPN and proxy software. Using Chrome or Firefox browser on your
computer, open https://lab.air-watch.com/cloud/org/education/login.jsp to
log in to the AirWatch VMware vCloud portal to access the assigned servers. Ensure all other
browsers are closed. Internet Explorer cannot be used to access the servers.
2. Enter your credentials to log into the VMware vCloud portal: (replace “###” with the student
number)
• Student Username: Student###
• Student Password: <Instructor Provided>
3. On the left side, click Open for the ILT-IDM-### vApp. Verify “###” matches the student
number. This takes you to the vApp Diagram, which provides access to each VM server (VM =
Virtual Machine).



NOTE
Skip to Chapter 2 if you are not prompted for a plugin: Click the ACC Blue Screen server
icon and accept the download of the VMware client software by clicking OK.

NOTE
For Mac OS X, the VMware client software is not required. Also, “Copy and Paste” is not
supported within the VM. Either type in the value or enable the Windows on-screen keyboard,
when required.

NOTE
The ACC is a component of the ESC.
4. Close your browser, navigate to the downloads folder, and install
VMware-ClientIntegrationPlugin-5.X.X.exe. Accept all default prompts for installation.

NOTE
If extensions are being used for Chrome, open the run prompt and execute the following
command:
taskkill /F /IM chrome.exe or taskkill /F /IM Chrome.exe
This kills all Chrome browser processes so that the plug-in can install properly.
5. Re-open https://lab.air-watch.com/cloud/org/education/login.jsp in either
Chrome or Firefox.



6. If prompted, click Allow and then set the VMware Remote Console plug-in to Allow and
Remember. The activation of the plug-in may be different for other browsers. You may need to
additionally clean the browser cache prior to continuing for full functionality.

7. If prompted for login credentials, re-enter the credentials to log into the VMware vCloud portal.
8. On the left side, click Open to change the view to the vApp Diagram, which provides access to
each server.



Lab 2 VMware Enterprise Systems Connector

Task 1: Installing and Configuring the VMware Enterprise Systems Connector

In this exercise, you install the VMware Enterprise Systems Connector on the ESC server. The
connector consists of two components and connects to the AirWatch environment where your device
is currently enrolled. Refer to the Logging in to the Training Servers section at the start of the
workbook to access the sandboxed VMware vCloud Director instance using a Chrome or Firefox
browser from your laptop.
1. To log in to the ESC server, double-click the blue ESC VM icon, click the Ctrl+Alt+Del
icon in the top right of the pop-up window, enter the Admin password AirWatch, and
select the Chrome icon from the taskbar at lower left. Enter the AirWatch Console URL if
your device is currently enrolled. If your device is not currently enrolled, refer to the worksheet
provided by the instructor. If prompted, select Chrome as the default browser.
2. Log in to the AirWatch Admin Console with the credentials provided by the instructor. This
should be documented on your worksheet (found in the Academic Success Kit).
3. Accept the End User License Agreement (EULA), and create a Security PIN.
4. Hover over your Top Level Organization Group title and document your Group ID in your
worksheet.
5. Navigate to Groups & Settings > All Settings > System > Enterprise Integration >
Enterprise Integration Services.

6. Verify that the Current Setting is in Override, if it is not, click Override and then click Save.

7. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware
Enterprise Systems Connector.
8. Click Override and then select Enable VMware Enterprise Systems Connector.

NOTE
Enable Auto Update is a best practice in your production environment.



9. Select the Advanced tab and ensure Use External AWCM URL is highlighted.

10. Click Save and wait for the certificate to be populated. This may take several minutes. When
the certificate is created, close the message box by clicking OK.
11. Click the General tab and then click Download VMware Enterprise Systems Connector
Installer.



NOTE
If the vApp window freezes or becomes non-responsive please close and re-open the window
from vCloud director.
12. When prompted, create a six-digit certificate password and click Download. This password is
used when you install the certificate on the ESC server.

13. Once downloaded, click the drop-down menu next to the filename and select Show in folder.

14. Right-click the executable in the Downloads folder, and select Run as administrator; the
VMware Enterprise Systems Connector installation wizard appears.

NOTE
The installation wizard may be branded “Cloud Connector” depending on your environment.
15. Perform the following process:
a. Click Next and accept the EULA. Click Next.



b. Choose the AirWatch Cloud Connector and VMware Identity Manager Connector as
the feature to install by selecting “This feature, and all sub-features will be installed on
the local hard drive.”

c. Click Next and choose the default destination folder.

NOTE
If prompted, install Java.



d. Click Next and enter the certificate password you created in Step 12; the Proxy Information
dialog box appears.

e. Click Next. There is no outbound proxy for these labs.

f. Click Next and input the IDM Connector port number: 443
g. Deselect the Would you like to use your own SSL Certificate? box.



NOTE
We will not be using a certificate or proxy.
h. Click Next.

i. Select the Would you like to activate the IDM Connector now? check box.

NOTE
You must now move to your browser and complete Step 16 before proceeding with the
installation wizard.



16. Open another tab in Chrome on the ESC VM.
a. Type your instructor provided VMware Identity Manager URL, enter your VMware
Identity Manager credentials, and accept the EULA.
b. Navigate to Identity & Access Management > Setup > Connectors > Add Connector.

c. Name your connector and click Generate Activation Code. Right-click to copy the code.



NOTE
At this step, utilize the on-screen keyboard to paste (Ctrl+V) the activation code. The
on-screen keyboard is located by selecting the Windows icon in the lower left corner. Scroll or
search to find the application.

17. Return to your installer, paste the Activation Code and enter your VMware Identity Manager
administrator passcode. Click Next.

NOTE
At this step, perform the following checks:
a. Return to the ESC VM.
• Open the Services (click on Windows icon and search for services) and ensure that
Computer Browser service is running.



b. Check the current time on your local system and make sure it matches on the ESC and
Domain Controller.

c. Hover over the network connection icon in the bottom right-hand corner of the screen and
confirm it reads as follows: vidm.local. If it does not, disable and re-enable the network
adapter.
18. Associate the VMware Connector Service Account. Use Browse to locate the VIDM domain
and then use it to locate the Administrator account.
19. Use AirWatch for the password. Click Next and then click Install.
20. When the installer is completed click Finish.



The following is an example of an ACC installer log file.

21. Open Server Manager (the icon to the right of Start on the server).



22. Navigate to Tools > Services.



23. Verify the AirWatch Cloud Connector and VMware Identity Manager Connector services
are running.

These services may take up to 10 seconds to start. Once you have confirmed the service has
been started, close the Services window.
24. If the services do not start, open the log file (C:\VMware\Logs\CloudConnector) and check
for errors.



25. Return to the Enterprise System Connector page in the AirWatch Admin Console, close the
download window and click Test Connection to verify connectivity. Alert the instructor if an
error occurs.



Lab 3 AirWatch Directory Services Integration

Task 1: Create a Directory User in Active Directory


In this exercise, you create an Active Directory user to be enrolled into AirWatch, which is itself
integrated with VMware Identity Manager. The Active Directory user is created on the Domain
Controller server. Using Chrome or Firefox, refer to the Logging in to the Training Servers section
at the start of the workbook to access the sandboxed VMware vCloud Director instance.
1. After logging into the Domain Controller server, select Active Directory Users and
Computers from the Taskbar.

The Active Directory Users and Computers window appears.

2. In the left pane, expand vidm.local.


3. Click on Users.



4. Right-click on white space in the right details pane, and select New > User.

The New Object – User dialog box appears.


5. Create a unique user that is not tied to one you created in the AirWatch Admin Console or your
Salesforce Developer Account:

NOTE
If you have not created a Salesforce Developer Account, these steps are reviewed in a later
chapter.
a. Enter First name.



b. Enter Last name.
c. Enter User logon name (Username).

NOTE
Paste your Active Directory First Name, Last Name and Username into your worksheet
document, and save the file for future reference.
d. Click Next.

6. Perform the following:


a. Enter AirWatch as the Password
b. Re-enter AirWatch as the password in the Confirm password field.
c. Deselect User must change password at next logon option.
d. Select Password never expires option.



e. Click Next.

7. Click Finish.
Your user appears in the right pane.
8. Assign an email address to your user.
a. Right-click your user from the Active Directory Users and Computers window, and select
Properties.
b. In the Email text box, enter an email address and click OK.

NOTE
This does not need to be a valid email address, however, it does need to be a unique entry.
9. Repeat steps 4-8 to create a second directory user.

NOTE
This directory user will function as an administrator in AirWatch and VMware Identity
Manager. You enter this Username in Lab 5-Task 3-Step 2 and Lab 6-Task 5-Step 5.



Task 2: Configuring Directory Services
This task and all others can be performed from your local web browser outside the vApp server.
To begin, you integrate your AirWatch environment with your directory service. Use the Directory
Services page to configure the settings that let you integrate your AirWatch server with your
organization's domain controller (the server hosting your directory services system). SAML settings
can also be configured on this page. After entering the server settings, you can filter searches to
identify users and user groups, set options to auto merge and sync changes between your AirWatch
configured groups and directory service groups, and map attribute values between AirWatch user
attributes and your directory attributes.
1. Go back into the AirWatch Admin Console where you have your device enrolled, expand the
OG hierarchy and select your Top-Level OG.



NOTE
Since IDM integration can only be setup as a Customer Type OG, and we need AD integration
to be enabled at the same level, we need to ensure AD is setup at the Top-Level OG. (If you are
in the two-day course, you will setup AD at the Company OG)
2. Navigate to Groups & Settings > All Settings > System > Enterprise Integration >
Directory Services.
3. Click Skip wizard and configure manually.

4. Enter your server information in the following fields (assume defaults if not specified below):

Directory Type: Select the type of directory service your organization uses. For this lab, select
Active Directory.

Server: Enter the address of your domain controller. For this lab, enter vidmdc.vidm.local in
the Server text box.

Enable DNS SRV: Select Disabled. With this feature disabled you must explicitly define where
the server is located on the network.

Encryption Type: Select the type of encryption to use for directory services communication. For
this lab, select None. Note that with None, the bind credentials and all directory traffic cross the
network unencrypted; this is acceptable only inside the sandboxed lab network.

Port: Enter the TCP port used to communicate with the domain controller. The default for
unencrypted directory service communication is 389. Only SaaS environments allow SSL encrypted
traffic using port 636 (AirWatch SaaS IP range: 205.139.50.0/23). For this lab, enter 389 in the
Port text box.

Protocol Version: Select the version of the LDAP protocol that is in use. Active Directory uses
LDAP versions 2 or 3. If you are unsure of which Protocol Version to use, try the commonly used
value of 3. For this lab, enter 3 in the Protocol Version text box.

Use Service Account Credentials: Select the check box to use the credentials from the App pool
of the server on which EIS is installed for authenticating with the domain controller. Enabling this
option hides the Bind Username and Bind Password fields. Accept the Disabled default setting.

Bind Authentication Type: Select the type of bind authentication that is used to enable the
AirWatch server to communicate with the domain controller. If you are unsure of which Bind
Authentication Type to use, try the commonly used value of GSS-NEGOTIATE. For this lab,
select GSS-NEGOTIATE.

Bind Username and Bind Password: Enter the credentials used to authenticate with the domain
controller. This account allows read-access permission on your directory server and binds the
connection when authenticating the users. Select the Clear Bind Password check box to clear the
bind password from the database and then uncheck it to reveal the Bind Password. For this lab,
enter the following:
• Bind Username: vidm\dcsrv
• Bind Password: AirWatch

Domain: Enter the default domain for any directory-based user accounts. If only one domain is
used for all directory user accounts, fill in the field with the domain so that users are authenticated
without explicitly stating their domain. For this lab, enter vidm.local in the Domain field. Verify
vidm.local appears in the Domain text box and vidmdc.vidm.local appears in the Server text box.
If another value appears in the Domain text box, replace it with the value above.

5. Do not enable Advanced Settings or Azure AD / SAML.


6. Click Test Connection to verify connectivity. Click Save.
7. Enter User Information:



a. Select the User tab on the Directory Services page.

b. Click the + (Fetch DB) below Base DN. A window appears with the Available Base DN’s.
Select DC=vidm,DC=local and click Save. Repeat the same process for the Group tab.



c. Change Organizational Unit Object Class to container.

d. Click Advanced to display additional settings.


e. Scroll down to the Attribute / Mapping Value region.
These columns show the mapping between AirWatch user attributes (left) and your
directory service attributes (right). By default, these attributes are the values most
commonly used in AD. You should update these mapping values to reflect the values used
for your own integration.



8. To change the value, click the pencil icon next to the current mapping value and then enter the
new mapping value. Modify the mapping value for Organizational Unit to cn.

9. Click Save and then click Test Connection to verify connectivity once again. Alert the
instructor if an error occurs. Close the screen using the icon at the top right of the popup box.
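Before clicking Test Connection in step 9, a practitioner would want an offline sanity check of the values entered in step 4 and of the Base DN fetched in step 7b. The following Python is an added example, not code from this lab manual or from VMware: DirectorySettings, check_settings and live_test_connection are names chosen here, the live check assumes the third-party ldap3 package, and NTLM is substituted for the console's GSS-NEGOTIATE bind.

```python
"""Pre-flight check for the AirWatch Directory Services settings used in Lab 3, Task 2.

Added example for this lab manual; it is not VMware code and not the console's own
Test Connection. The live check assumes the third-party ldap3 package and uses NTLM
in place of the console's GSS-NEGOTIATE bind (ldap3's GSSAPI path needs extra libraries).
"""
from dataclasses import dataclass


@dataclass
class DirectorySettings:
    """The fields from the Directory Services page, in the lab's order."""
    server: str            # domain controller, e.g. vidmdc.vidm.local
    port: int              # 389 for unencrypted LDAP, 636 for LDAPS
    encryption: str        # "None" or "SSL", as labelled in the console
    protocol_version: int  # LDAP v2 or v3
    bind_auth_type: str    # e.g. GSS-NEGOTIATE
    bind_username: str     # DOMAIN\user form, e.g. vidm\dcsrv
    bind_password: str
    domain: str            # default domain, e.g. vidm.local


def base_dn_from_domain(domain: str) -> str:
    """vidm.local -> DC=vidm,DC=local, the Base DN that Fetch DB returns in step 7b."""
    labels = [part for part in domain.strip().strip(".").split(".") if part]
    if not labels:
        raise ValueError("domain must contain at least one DNS label")
    return ",".join(f"DC={label}" for label in labels)


def check_settings(s: DirectorySettings) -> list[str]:
    """Return findings to resolve before clicking Test Connection.

    'ERROR:' findings will make the bind fail or misbehave; 'WARN:' findings
    are risks the lab accepts but a production deployment should not.
    """
    findings: list[str] = []
    if s.protocol_version not in (2, 3):
        findings.append(f"ERROR: Active Directory speaks LDAP v2 or v3, not v{s.protocol_version}")
    enc = s.encryption.strip().lower()
    if enc == "none" and s.port == 636:
        findings.append("ERROR: port 636 is LDAPS; pair it with Encryption Type SSL, not None")
    if enc == "ssl" and s.port == 389:
        findings.append("ERROR: port 389 is plain LDAP; pair it with Encryption Type None or use 636")
    if enc == "none":
        findings.append("WARN: Encryption Type None sends the bind credentials and directory data in cleartext")
    netbios = s.domain.split(".")[0].lower()
    user_domain, sep, _ = s.bind_username.partition("\\")
    if not sep:
        findings.append("WARN: bind username has no DOMAIN\\ prefix; GSS-NEGOTIATE binds expect one")
    elif user_domain.lower() != netbios:
        findings.append(f"WARN: bind username domain '{user_domain}' does not match domain '{s.domain}'")
    if not s.server.lower().endswith("." + s.domain.lower()):
        findings.append(f"WARN: server {s.server} is not a host in {s.domain}")
    return findings


def live_test_connection(s: DirectorySettings, timeout: int = 5) -> dict:
    """Equivalent of the console's Test Connection plus the step 7b/8 checks.

    Requires network reach to the domain controller and `pip install ldap3`.
    Returns the Base DN, the DN of the Users container (if found), and the user count.
    """
    import ldap3  # third-party; imported here so the offline checks above need no install

    base_dn = base_dn_from_domain(s.domain)
    server = ldap3.Server(s.server, port=s.port, use_ssl=s.encryption.lower() == "ssl",
                          connect_timeout=timeout)
    # Assumption: NTLM stands in for GSS-NEGOTIATE; both take DOMAIN\user credentials.
    conn = ldap3.Connection(server, user=s.bind_username, password=s.bind_password,
                            authentication=ldap3.NTLM, auto_bind=True)
    # Steps 7c and 8 mapped Organizational Unit to objectClass container and attribute cn,
    # so the group imported in Task 3 is the 'Users' container, not an OU.
    conn.search(base_dn, "(&(objectClass=container)(cn=Users))", attributes=["cn"])
    users_container = conn.entries[0].entry_dn if conn.entries else None
    user_count = 0
    if users_container:
        conn.search(users_container, "(&(objectCategory=person)(objectClass=user))",
                    search_scope=ldap3.LEVEL, attributes=["sAMAccountName"])
        user_count = len(conn.entries)
    conn.unbind()
    return {"base_dn": base_dn, "users_container": users_container, "user_count": user_count}


# Constructed from the lab's values; the password is the lab's, not a real secret.
LAB_SETTINGS = DirectorySettings(
    server="vidmdc.vidm.local", port=389, encryption="None", protocol_version=3,
    bind_auth_type="GSS-NEGOTIATE", bind_username="vidm\\dcsrv",
    bind_password="AirWatch", domain="vidm.local",
)

if __name__ == "__main__":
    print(base_dn_from_domain(LAB_SETTINGS.domain))
    for finding in check_settings(LAB_SETTINGS):
        print(finding)
```

Run inside the lab vApp against the domain controller, live_test_connection should report the eleven users that Task 3 step 9 expects; outside it, only the offline checks apply.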

Task 3: Importing a User Group


Using this method, you add your existing directory service groups into AirWatch. While this does
not immediately create AirWatch user accounts for each of your directory service accounts, it does
ensure AirWatch recognizes them as belonging to a configured group, which you can then use as a
means of restricting who can enroll. User groups in AirWatch can be synced – automatically if
configured with a scheduler – with your directory service groups to merge changes or add missing
users.
1. Expand the OG hierarchy and select your Top-Level OG.



2. Navigate to Accounts > Users Groups > List View > Add > Add User Group.
3. In the External type drop-down menu, change the type to Organizational Unit.
4. Enter Users in the Search Text text box and click Search. The page refreshes and displays
additional fields.

5. From the Group Name drop-down menu, select Users and then click Save. The Add User
Group page closes.
6. Select the check box for the Users row.

7. From the More Actions drop-down menu select Add Missing Users.



A message box appears.
8. Click OK to process the request.
9. Click the refresh icon and verify eleven (11) users show up under the Users column.

NOTE
Alert the instructor if you are unable to pull the user group or users into the console.



10. Click the pencil icon next to the group name Users. The Edit User Group Users page appears.
Select the Add Group Members Automatically check box.

11. Click Save. The page closes.


You have successfully pulled the Active Directory users into the AirWatch Admin Console.

Task 4: Enabling Directory Authentication Enrollment


Use the Enrollment settings page to configure several options related to device and user enrollment.
1. Expand the OG hierarchy and select your Top-Level OG.
2. Navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment >
Authentication and select Override.
3. For the Authentication Mode(s) check boxes, select Basic and Directory.



• Basic – Basic user account (ones you create manually in the AirWatch Console) can enroll.
• Directory – Directory user accounts (ones that you have imported or allowed using
directory services integration) can enroll.

4. Click Save.



Lab 4 Integrate AirWatch with VMware Identity Manager

AirWatch provides enterprise mobility management for devices and VMware Identity Manager
provides single sign-on (SSO) and identity management for users.
When AirWatch and VMware Identity Manager are integrated, users from AirWatch enrolled
devices can log in to their enabled apps securely without entering multiple passwords.
When AirWatch is integrated with VMware Identity Manager, you can configure the following
integrations with AirWatch:
• An AirWatch directory that syncs AirWatch users and groups to a directory in VMware Identity
Manager service and then set up password authentication through the Enterprise Systems
Connector.
• SSO to a unified catalog containing entitled apps from both AirWatch and VMware Identity
Manager.
• SSO using Kerberos authentication to iOS 9+ devices.
• Access policy rules to check that AirWatch-managed iOS 9+ devices are compliant.

Setting up AirWatch for Integration with VMware Identity Manager


You configure settings in the AirWatch admin console to communicate with VMware Identity
Manager before you configure AirWatch settings in the VMware Identity Manager Admin Console.
To integrate AirWatch and VMware Identity Manager, the following are required:
• The OG in AirWatch for which you are configuring VMware Identity Manager is Customer
Type.

• A REST API admin key for communication with the VMware Identity Manager service and a
REST enrolled user API key for VMware Enterprise Systems Connector password
authentication are created at the same OG where VMware Identity Manager is configured.
• API Admin account settings and the admin authentication certificate from AirWatch added to
the AirWatch settings in the VMware Identity Manager Admin Console.
• Active Directory user accounts set up at the same OG where VMware Identity Manager is
configured.
• If end users are placed into a child OG from where VMware Identity Manager is configured
after registration and enrollment, User Group mapping in the AirWatch enrollment
configuration must be used to filter users and their respective devices to the appropriate OG.
The following are set up in the AirWatch admin console:
• REST admin API key for communication with the VMware Identity Manager service
• API Admin account for VMware Identity Manager and the admin authentication certificate that
is exported from AirWatch and added to the AirWatch settings in VMware Identity Manager
• REST enrolled user API key used for VMware Enterprise Systems Connector password
authentication

Task 1: Creating REST API Keys in AirWatch


REST Admin API access and enrolled users access must be enabled in the AirWatch admin console
to integrate VMware Identity Manager with AirWatch. When you enable API access, an API key is
generated.
This allows users to authenticate to Workspace ONE with their vidm.local credentials.
1. Expand the OG hierarchy and select your Top-Level OG.

NOTE
The OG type must be Customer.

NOTE
To view the group type, navigate to Groups & Settings > Groups > Organization Groups >
Organization Group Details.



2. Navigate to Groups & Settings > All Settings > System > Advanced > API > REST API and
select Override.



3. Copy the existing API Key for the AirWatchAPI service, paste it into worksheet document,
and save the file for future reference.

4. Click Add, and provide the following information:


• Service: Enter Identity Manager in the text box
• Account Type: Select Enrollment User from the drop-down menu
5. Click Save.



6. Copy the new API key for the Identity Manager Service, paste it into the worksheet document,
and save the file for future reference.

Task 2: Creating Admin Account and Certificate in AirWatch


After the admin API key is created, you add an admin account and set up certificate authentication
in the AirWatch admin console.
For REST API certificate-based authentication, a user level certificate is generated from the
AirWatch admin console. The certificate used is a self-signed AirWatch certificate generated from
the AirWatch admin root cert.
Prerequisite: The AirWatch REST admin API key is created.
1. Expand the OG hierarchy and select your Top-Level OG.
2. Navigate to Accounts > Administrators > List View.
3. Select Add > Add Admin.
The Add/Edit Admin page appears.
4. In the Basic tab, enter the certificate admin user name and password in the required text boxes.
• Username: idmadmin###
• Password: AirWatch1
• Confirm Password: AirWatch1
• First Name: Enter your first name
• Last name: Enter your last name



• Email Address: Enter your email address

IMPORTANT
Ensure the OG shown in the form is the same one where you created the REST API key and
that it is the Top-Level OG based on the previous configurations you used during the Mobile
Device Management labs.

5. Select the Roles tab.


a. Click in the Organization Group search box and select the Top-Level OG.



b. Click in the Role search box and select AirWatch Administrator.

6. Select the API tab and in the Authentication field, select Certificates.
7. Enter the certificate password AirWatch1. The password is the same password entered for the
admin on the Basic tab. Write down this password. You will need it later.

NOTE
Click Show to verify the password entered is correct.
8. Click Save. The new admin account and the client certificate are created.
9. On the Accounts > Administrators > List View page, click on the username of your new
admin.
10. Click the API tab and click Certificates.
11. Enter the password (AirWatch1) you set in the Certificate Password text box, click Export
Client Certificate and save the file to your Lab Files Folder. Click Save.



NOTE
The client certificate is saved as a .p12 file type. It will have this format:
CN=<locationGroupId>-<newAdminName>.p12.

What to do next
Configure your AirWatch URL settings in the VMware Identity Manager Admin Console. (See
Setting up an AirWatch Instance in VMware Identity Manager)

Task 3: Add AirWatch Settings to VMware Identity Manager


Configure AirWatch settings in VMware Identity Manager to integrate AirWatch with VMware
Identity Manager and enable the AirWatch feature integration options. The AirWatch API key and
the certificate are added for VMware Identity Manager authorization with AirWatch.
Prerequisites:
• AirWatch server URL that the admin uses to log in to the AirWatch admin console.
• AirWatch admin API key that is used to make API requests from VMware Identity Manager to
the AirWatch server to setup integration.



• AirWatch certificate file used to make API calls and the certificate password. The certificate file
must be in the .p12 file format.
• AirWatch enrolled user API key.
• AirWatch group ID for your tenant, which is the tenant identifier in AirWatch.
1. Open a new tab, and navigate to VMware Identity Manager Admin Console (your assigned
Identity Provider (IDM) URL) and log in using your IDM credentials. The instructor will
provide the URL and credentials, which should be saved in your worksheet.

NOTE
While logged in with this user, this is referred to as the System Domain. If vidm.local is
displayed select System Domain from the dropdown menu. Click the arrow next to Tenant
Admin and select Administrative Console from the drop-down menu.



2. Navigate to Identity & Access Management.

3. Select Setup on the right-hand side of the screen.



4. Click User Attributes. Select Required next to userPrincipalName and distinguishedName,
and click Save.



5. While still in the Setup section of Identity & Access Management, click the AirWatch tab.
The AirWatch page appears.



6. Enter the AirWatch integration settings in the following text boxes and upload the certificate
file used to make API calls.

AirWatch API URL: Enter the AirWatch API URL for the AirWatch Training server where you
obtained the AirWatch API; refer to your worksheet.

CAUTION
The AirWatch Console does not provide the correct URL that the vIDM Console wants populated
in this field.
AirWatch Console provides: https://train#.awmdm.com/API
VMware Identity Manager Console wants: https://train#.awmdm.com

IMPORTANT
REMOVE “/API” from the URL when entering it into the VMware Identity Manager Console.

AirWatch API Certificate: Upload the certificate file used to make API calls. Upload the .p12
file you downloaded from the AirWatch Admin Console.

Certificate Password: Enter the certificate password. Enter AirWatch1, which is the certificate
password of the .p12 file you downloaded from AirWatch.

AirWatch Admin API Key: Enter the AirWatch API Key value; refer to your worksheet.

AirWatch Enrolled User API Key: Enter the Identity Manager API Key for an enrolled user
value; refer to your worksheet.

AirWatch Group ID: Enter the AirWatch Group ID for the customer type OG where the API key
and Admin Account were created; Top-Level OG. For our lab, this will be idm<student#>.



CAUTION

DO NOT check: Map Domains to Multiple Organization Groups


7. Click Save.

What to do next
• Enable the feature option Unified Catalog to merge apps set up in the AirWatch catalog to the
unified catalog.
• Enable Compliance check to verify that AirWatch managed devices adhere to AirWatch
compliance policies. We will not perform this action in our lab. For more information, see
“Enable Compliance Checking for AirWatch Managed Devices” in the VMware Identity
Manager Administration Guide.

Task 4: Enable Unified Catalog
When you configure VMware Identity Manager with your AirWatch instance, you can enable the
unified catalog which allows end users to view all apps that they are entitled to from both VMware
Identity Manager and AirWatch.
When AirWatch is not integrated with the unified catalog, end users see only the apps that they are
entitled to from the VMware Identity Manager service.
Prerequisite: AirWatch configured in VMware Identity Manager.
1. In the VMware Identity Manager Admin Console, click the Identity & Access Management
tab, select Setup > AirWatch.
2. In the Unified Catalog section, click Enable.

3. Click Save.
4. Follow the same procedure to complete the tasks for Compliance Check and User Password
Authentication through AirWatch.
5. Navigate back to the Identity & Access Management tab and click Manage.
6. Click on the Authentication Methods tab and ensure the following are enabled:
a. Password (AirWatch connector)
b. Device Compliance (with AirWatch)

7. Click the pencil icon to edit the Password (AirWatch Connector) and verify the settings are
copied from the AirWatch section you configured earlier to integrate AirWatch with
Workspace ONE. Select the box for JIT Enabled.

8. Click the Identity Providers tab under Identity & Access Management.
9. Select Built-in.

10. In the Authentication Methods section, verify the following are enabled:

• Password (AirWatch Connector)
• Device Compliance (with AirWatch)

Task 5: Configuring Access Policy Settings


The Policies page lists the default access policy and any other Web application access policies you
created. Policies are a set of rules that specify criteria that must be met for users to access their Apps
portal or to launch Web applications that are enabled for them. You can edit the default policy and if
Web applications are added to the catalog, you can add new policies to manage access to these Web
applications.
1. Click Policies under Identity & Access Management tab.
2. Click the default_access_policy_set policy.
3. Click the blue link text next to Web Browser to edit the rule.

4. The following fields should use these values:

Field                                              Select Option
If a user's Network Range is…                      ALL RANGES
and the user is trying to access content from…     Web Browser
then the user must authenticate using the          Password (AirWatch Connector)
following method…
If the preceding Authentication Method fails       Password (Local Directory)
or is not applicable, then:

5. Leave the remaining fields set to their defaults and click OK.
6. Repeat for the Workspace ONE App policy by adding Password (AirWatch Connector)
authentication.
7. Click the top Green + icon to create another new rule.

8. Populate the following fields:

Field                                              Select Option
If a user's Network Range is…                      ALL RANGES
and the user is trying to access content from…     iOS
then the user must authenticate using the          Password (AirWatch Connector)
following method…

9. Leave the remaining fields set to their defaults and click OK.
10. Using the vertical arrow icons next to the Network Range heading, rearrange your rules so
they appear in the following order and click Save:
a. Workspace ONE
b. iOS
c. Web Browser

Lab 5 Configure User Authentication with
VMware Identity Manager

Implementing Authentication with VMware Identity Manager Connector
You can integrate your VMware ESC with the VMware Identity Manager service for user password
authentication. You can configure the ACC service to sync users from the AirWatch directory.
To implement authentication through the VMware Enterprise Systems Connector or through
AirWatch you can enable the given authentication in the built-in identity provider page in the
VMware Identity Manager Admin Console.

NOTE
VMware Enterprise Systems Connector must be configured on AirWatch version 8.4 and later for
authentication with VMware Identity Manager.

Task 1: Sync Users and Groups from AirWatch Directory to VMware Identity Directory
You can configure the VMware Identity Manager settings in the AirWatch admin console to
establish a connection between your organization group's instance of the AirWatch Directory and
VMware Identity Manager to sync users and groups to a directory created in the VMware Identity
Manager service. This directory can be used with VMware ESC for password authentication.
Users and groups can initially be synced to the VMware Identity Manager directory manually.
Periodic synchronization then follows the configured AirWatch sync schedule. When a user or a
group is added or deleted on the AirWatch server, the change is reflected in the VMware Identity
Manager service immediately.
Prerequisites:
• VMware Identity Manager tenant URL.

• Valid license for VMware Identity Manager.
• VMware Identity Manager local admin name and password.
• Identify custom directory attributes used between AirWatch and the directory service to map
with this configuration. See “Managing User Attributes Mapping.”
1. Go back into the AirWatch Admin Console where you have your device enrolled, expand the
OG hierarchy and select your Top-Level OG.
2. In the AirWatch admin console, navigate to Groups & Settings > All Settings > Enterprise
Integration > VMware Identity Manager.
3. Under the Server section, select Configure.

4. Enter the VMware Identity Manager settings.

Option           Description
URL              Enter your VMware tenant URL.
Admin Username   Enter the VMware Identity Manager local admin user name. This is the
                 Identity Manager tenant username you were assigned for class.
Admin Password   Enter the VMware Identity Manager local admin user’s password. This is the
                 Identity Manager tenant admin password for the username above.

5.

6. Click Test Connection to verify that the settings are correct.


7. Click Next.

8. Enter vidm.local for Directory and click Save. You do not need to do any kind of custom
mapping here. The page closes and the VMware Identity Manager page displays.

9. Scroll to the bottom of the page and click Sync Now to manually sync all users and groups to
the VMware Identity Manager service.

NOTE
The Sync Now command creates an AirWatch directory in the VMware Identity Manager
service, syncing all users and groups.

What to do next
• Review the Users and Groups tab in the VMware Identity Manager Admin Console to verify
the user and group names are synced.
• Review the Directories page in the VMware Identity Manager Admin Console to verify the user
and group names are synced.

Task 2: Verifying User Synchronization
1. Open the VMware Identity Manager Admin Console.
2. Navigate to Identity & Access Management > Directories.
The Directories page lists directories that you created. You create one or more directories and
then sync those directories with your Active Directory deployment. On this page, you can see
the number of groups and users that are synced to the directory and the last sync time.
3. Confirm that vidm.local appears as a directory and that the number of Synced Groups and
Synced Users is greater than 0.

NOTE
Alert the instructor if you either do not see the vidm.local directory or if the vidm.local
directory has 0 groups and 0 users.

Task 3: Change the Role of One Directory User to Administrator


This task must be completed to be able to add Web Apps to the Unified Catalog from the AirWatch
Console.
1. In the VMware Identity Manager Admin Console, navigate to Users & Groups.
2. Click on the vidm.local user you wish to make an administrator.

NOTE
You created two directory users in Lab 3, Task 1. Select one of those users.
3. Select Administrator from the Role drop-down menu.
4. Click Save.

Task 4: Configuring the Built-in Identity Provider for Authentication


In the VMware Identity Manager Admin Console, configure the Built-in identity provider to service
authentication methods from the VMware Identity Manager service.

Prerequisites:
• Users and groups located in an enterprise directory must be synced to the VMware Identity
Manager directory.
• List of the network ranges that you want to direct to the built-in identity provider instance for
authentication.
1. Navigate to Identity & Access Management > Identity Providers.
2. Select Built-in. The Built-in identity provider page appears.
3. Perform the following:
a. Select vidm.local option under Users (DO NOT select System Directory).
b. Select the ALL RANGES option under Network.
c. Click Save.
The page closes and the Identity Providers page displays.

Task 5: Logging in to Workspace ONE


1. Open a new incognito window and navigate to your VMware Identity Manager tenant.

2. Instead of just prompting for a username and password, you are now asked to select a directory.

3. Select vidm.local from the Select your domain drop-down list and then click Next.

4. Enter the username and password for the Active Directory user you created earlier; refer to your
worksheet.

5. Click Sign In. Once Active Directory authenticates the user, Workspace ONE shows the
Unified Catalog for the user, but nothing has been configured for the user at this point.

6. Minimize this incognito window. You will return to it in Lesson 6, Task 7.

Lab 6 Unified Catalog

Task 1: Create a Salesforce Developer Account


NOTE
If you have already created this account, skip this task.
1. Go to: https://developer.salesforce.com/signup
2. Complete the form; make sure you record your email address and username on your worksheet.

NOTE
Do not use your corporate email address. However, you must use a valid email address as the
account requires activation. The username does NOT have to be an active or a valid email
address. However, it must be in the form of an email address, that is, name@company.com.
3. Accept the Terms of Use by selecting the check box and click the Sign me up button at the
bottom of the form.
4. Check your email inbox for the confirmation email.
5. If you have not done so already, record your email address and username on your
worksheet.

NOTE
Be sure not to confuse your account username (in email format) with your email address (which
must be valid for verification).
6. Click Verify Account in the verification email from Salesforce.
7. Change or create a password and click Change Password at the bottom of the page.
• Your account is now created.
8. Record your password on your worksheet.

9. Click on your profile icon on the right side of the page.
10. Click Switch to Salesforce Classic.
11. The first portion of the Salesforce Developer exercise is now complete. The classic view is more
familiar for most users, and subsequent directions in the workbook reference the classic user
interface.

NOTE
You will return to your Salesforce Developer account at various points throughout the
remainder of this lab. Be sure to follow the directions carefully. If there are any mistakes in the
Salesforce configuration, you cannot authenticate to the Salesforce application through the
Workspace ONE portal.
12. Click Setup. Navigate to Administer > Domain Management > My Domain. The My
Domain page appears.
13. Input a custom domain name and click Check Availability. If available, click Register
Domain to complete registration.

NOTE
You need to register a custom domain in Salesforce to direct the Salesforce application to
redirect to the correct URL (like autodiscovery in AirWatch). Registration can take several
minutes.

NOTE
You will receive an email that confirms the domain registration.
14. Click on the link provided in the confirmation email.
15. Log in to Salesforce with the username and password that you previously set up, and navigate
to Administer > Domain Management > My Domain.
16. Click Deploy to Users.

NOTE
This is a critical step. If it is missed, the resulting error is very difficult to troubleshoot.
17. Accept the warning that comes up by clicking OK.

NOTE
Once you click OK, the page will refresh and the Redirect Policy under My Domain Settings
will be updated.

Managing Catalog Settings
When you configure Web applications, you must copy your organization's SAML signing certificate
and send it to the relying applications so that they can accept user logins from the service. The
SAML certificate is used to authenticate user logins from the service to relying applications, such
as WebEx or Google Apps.
You copy the SAML signing certificate and the SAML service provider metadata from the service
and edit the SAML assertion in the third-party identity provider to map VMware Identity Manager
users.

Task 2: Downloading SAML Certificates


1. In the Identity Manager Console, navigate to Catalog > Settings.

The SAML Metadata tab appears.

NOTE
If the tab does not appear, click the SAML Metadata tab on the left side of the interface.

2. Right-click the Identity Provider (IdP) metadata link and select Save Link As… to save it as
a file for future use.

NOTE
This saved filename looks like the following: IdP.xml
3. Click on the Download button for the Signing certificate file under the certificate box to
download the .cer file.
• Make sure these files are easily accessible for future reference.

Task 3: Configuring Salesforce Single Sign-on Settings


1. Open another tab, and sign in to your Developer Salesforce Account using your Salesforce
Custom Domain URL. You must have the Custom Domain URL to proceed.

NOTE
To confirm you are in classic mode for Salesforce, click on your account picture on top right to
“View Profile” and select Switch to Salesforce Classic. If there is no picture in the top right
corner, you are already in classic mode.
2. At the top right of the browser window, click Setup.
3. Navigate to Administer > Security Controls > Single Sign-On Settings.
4. Select New from Metadata File. The SAML Sign-On Settings page appears.

5. Select Browse.
6. Upload the idp.xml file you downloaded in the previous exercise. Click Create.

NOTE
The SAML Single Sign-ON Settings are populated.
7. Navigate to the Identity Provider Certificate.
8. Select Browse.
9. Upload the signingCertificate.cer file you downloaded in the previous exercise.
10. Navigate to SAML Identity Type.
11. Click the following radio button: Assertion contains the Federation ID from the User object.
12. Click Save.
13. Click on your SSO connector name and then select Download Metadata.
14. Save the metadata xml file to an accessible location.
• File type Example: SAMLSP-##@#@#######@@@@
15. Click the Single Sign-On Settings link on the left-hand side of the screen again. The Single
Sign-On Settings page appears.
16. At the top of the page, click Edit.
17. Select SAML Enabled and click Save
• The Single Sign-On Setting page appears with the SAML Enabled option selected.
18. Navigate to Domain Management and click on My Domain.
19. Navigate to Authentication Configuration > Edit.
a. In the Authentication Service field, check your SAML Single Sign-On Settings name.
EXAMPLE: awedu-student-###

IMPORTANT
Leave Login Page checked.
20. Click Save.

NOTE
Creating and activating the domain is complete.
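Tasks 2 and 3 exchange two metadata files: the IdP.xml and signing certificate downloaded from the Identity Manager console, and the SP metadata file downloaded from Salesforce. The following script is an added example (not part of this lab manual, VMware Identity Manager or Salesforce) showing what each file carries and the checks worth running before uploading them: that the right kind of file is in hand, that the endpoints are HTTPS, and a fingerprint of the IdP signing certificate that can be compared against what Salesforce shows after the upload. The two XML documents are constructed stand-ins; tenant names, URLs, the Salesforce org id and the certificate bytes are placeholders.

```python
"""Inspect the two SAML metadata files exchanged in Tasks 2 and 3.

Added example; not part of the lab manual, VMware Identity Manager or
Salesforce. The XML below is constructed to have the shape of a vIDM
IdP.xml and of a Salesforce SP metadata file; every URL, entity ID and
the certificate value is a placeholder.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the IdP.xml saved from Catalog > Settings (Task 2).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://awedu-student-000.vidmpreview.com/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>AAAAAAAAAAAAAAAAAAAAAAAA</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://awedu-student-000.vidmpreview.com/SAAS/auth/federation/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://awedu-student-000.vidmpreview.com/SAAS/auth/federation/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed stand-in for the SAMLSP-... file downloaded from Salesforce (Task 3, step 13).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example-dev-ed.my.salesforce.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-dev-ed.my.salesforce.com?so=00D000000000000"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the entityID, SSO endpoints keyed by binding, and the signing cert fingerprint."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    cert_b64 = idp.findtext(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
        namespaces=NS)
    if not cert_b64:
        raise ValueError("IdP metadata carries no signing certificate")
    der = base64.b64decode("".join(cert_b64.split()))  # strip line wrapping first
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_cert_der_len": len(der),
            "signing_cert_sha256": hashlib.sha256(der).hexdigest()}


def parse_sp_metadata(xml_text):
    """Return the entityID, the HTTP-POST ACS URL and the NameID format the SP asks for."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor element")
    acs = next((e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)
                if e.get("Binding", "").endswith("HTTP-POST")), None)
    if acs is None:
        raise ValueError("SP metadata has no HTTP-POST AssertionConsumerService")
    return {"entity_id": root.get("entityID"), "acs_url": acs,
            "name_id_format": sp.findtext("md:NameIDFormat", namespaces=NS)}


def is_sp_metadata(xml_text):
    """True only for a file that parses as service-provider metadata (catches a swapped upload)."""
    try:
        parse_sp_metadata(xml_text)
        return True
    except ValueError:
        return False


def check_pairing(idp, sp):
    """Checks worth making before pasting either file into a console; empty list means OK."""
    problems = []
    if not idp["sso"].get("HTTP-POST", "").startswith("https://"):
        problems.append("IdP HTTP-POST SSO endpoint must be an https URL")
    if not sp["acs_url"].startswith("https://"):
        problems.append("SP AssertionConsumerService URL must be an https URL")
    if idp["entity_id"] == sp["entity_id"]:
        problems.append("IdP and SP entity IDs are identical; the wrong file was probably used")
    return problems


if __name__ == "__main__":
    idp, sp = parse_idp_metadata(IDP_METADATA), parse_sp_metadata(SP_METADATA)
    print("IdP signing cert SHA-256:", idp["signing_cert_sha256"])
    print("SP ACS URL:", sp["acs_url"])
    print("problems:", check_pairing(idp, sp) or "none")
```

Run it against the real IdP.xml and the Salesforce SP file by reading them from disk in place of the constructed strings; the fingerprint printed for the signing certificate is what the Identity Provider Certificate uploaded in Task 3, step 9 should match.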

Task 4: Creating a Salesforce User
In Lab 3, Task 1 you created a directory user in the Active Directory. For this exercise, you create
the same user in Salesforce. When you have completed the VMware Identity Manager and AirWatch
integration, this user is able to access Salesforce through Workspace ONE.
1. Log in to your Salesforce custom domain; refer to your worksheet for the URL and
credentials.
2. In Salesforce, navigate to Administer > Manage Users > Users.
3. Select New User.
4. From your worksheet, paste the Active Directory First Name, Last Name, and Email
Address to the appropriate fields.

IMPORTANT
The Active Directory email address is populated as the Username. Because Salesforce searches
usernames globally to find any association, the username must be unique for this lab.
5. Define the following:
• Role: CEO
• User License: Salesforce Platform
• Profile: Standard Platform User
6. Scroll down to Single Sign On Information section.
7. In the Federation ID text box, enter the user email address.
• This is the same email used in the General Information section. This is the same as your
AD user email address.
8. Click Save.

Task 5: Adding a Directory Administrator in AirWatch


This task must be completed to be able to add Web Apps to the Unified Catalog from the AirWatch
Console. The first part of this was completed in Lab 5, Task 3. You are essentially replicating the
administrator in AirWatch.
1. Log in to the AirWatch Console.
2. From the Top-Level OG, navigate to Accounts > Administrators > List View.
3. Click Add > Add Admin.
4. Change user type basic to Directory.

5. In the username field, input the username of the second directory user created in Lab 3, Task
1, Step 9.

6. Click Check User.


7. After the User Details populates, click the Roles tab.
a. In the Select Organization Group drop-down menu, select your Top-Level OG.
b. In the Role drop-down menu, select AirWatch Administrator.
8. Click Save.
9. Log out of the AirWatch Console.
10. Log in with the Directory Administrator created in steps 1-8.

NOTE
The username must be prefixed with vidm.local\
(Example: vidm.local\myAdmin)

Task 6: Adding Salesforce to Your Catalog


Many Web applications use SAML 1 or SAML 2 to exchange authentication and authorization data
as verification that a user can legitimately access an app.
When you add a Web application, you are creating an entry that points indirectly to the Web
application. The entry is defined by the application record, which is a form that includes a URL to
the Web application.
1. Log in to the AirWatch console.
2. Navigate to Apps & Books > Applications > Web > SaaS.
3. Click New.
• The New SaaS Application dialog box pops up.
4. Under the search bar, click Browse from Catalog.
5. In the Filter box at the top, type Salesforce.
6. In the filter results, click the + next to the Salesforce app to add it to your catalog.

NOTE
The console returns to the original add app screen, and the icon and name of the app are
auto-populated. Ensure there is no extra line before or after the text; press Backspace to delete
the carriage return (if applicable).

NOTE
This is the SAMLSP-##@#@#####@@@@ file.
7. Click Next to go to the configuration screen.
8. Click URL/XML.
9. Open your Salesforce metadata XML file, do a select all (CTRL/CMD+A), copy (CTRL/
CMD+C) to capture the contents of the file and paste (CTRL/CMD+V) content into the URL/
XML field.

NOTE
Do not click Manual. If Manual is active, click URL/XML to open a text box in which to paste the
metadata.
10. Click Next.
11. Review the summary page.
12. Click Save and Assign.
• This pops up the Assign dialog box
13. Search for the Active Directory user you created and used to test the identity provider and
access policy.
14. Select the Active Directory user from the search box and change the deployment type to
Automatic from User-Activated.
15. Click Save in the dialog box.

NOTE
This pops a message that the assignment has been added.
16. Navigate to Apps and Books > Applications > Web > SaaS
17. Select the Salesforce application.
18. Click Edit.
19. Click Configuration.
20. Change the username value to ${user.email}.
21. Click Next.
22. Click Save.
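Task 4 typed the user's email address into the Salesforce Federation ID, Task 3 told Salesforce that the assertion carries the Federation ID, and step 20 above sets the username that Identity Manager sends to ${user.email}. The following is an added example (not from the lab manual or from VMware or Salesforce code) that models why those three settings have to agree: it expands the lookup value against a directory record, places the result in the Subject NameID of a minimal assertion, and resolves the user the way Salesforce's Federation ID matching does. The user records and the assertion are constructed, and the assertion is unsigned and stripped down to the elements the lookup needs.

```python
"""Federation ID matching between a vIDM assertion and a Salesforce user record.

Added example; not part of the lab manual or of VMware/Salesforce software.
It shows why the value Identity Manager puts in the SAML Subject NameID
(${user.email} in Task 6) must equal the Federation ID typed into the
Salesforce user record in Task 4. All records and XML are constructed.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed directory record as it would be synced into the vidm.local directory.
VIDM_USER = {"userName": "jdoe", "email": "jdoe@example.com",
             "firstName": "Jane", "lastName": "Doe"}

# Constructed Salesforce users. The first follows Task 4 (Federation ID = e-mail);
# the second was created with a directory login name in Federation ID instead.
SALESFORCE_USERS = [
    {"Username": "jdoe@example.com", "FederationIdentifier": "jdoe@example.com"},
    {"Username": "bob@example.com", "FederationIdentifier": "bsmith"},
]


def render_name_id(template, user):
    """Expand ${user.<attribute>} lookup values (the syntax used in step 20) against a record."""
    def substitute(match):
        attr = match.group(1)
        if attr not in user:
            raise KeyError(f"user record has no attribute {attr!r}")
        return user[attr]
    return re.sub(r"\$\{user\.(\w+)\}", substitute, template)


def build_assertion(name_id, audience):
    """Minimal unsigned assertion carrying the Subject NameID and audience (constructed shape)."""
    return (f'<saml:Assertion xmlns:saml="{SAML_ASSERTION_NS}">'
            f'<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
            f'{escape(name_id)}</saml:NameID></saml:Subject>'
            f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{escape(audience)}'
            f'</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion>')


def extract_name_id(assertion_xml):
    """Pull the Subject NameID out of an assertion."""
    root = ET.fromstring(assertion_xml)
    return root.findtext("saml:Subject/saml:NameID", namespaces={"saml": SAML_ASSERTION_NS})


def resolve_salesforce_user(assertion_xml, users=SALESFORCE_USERS):
    """Mimic 'Assertion contains the Federation ID from the User object': Username or None."""
    name_id = extract_name_id(assertion_xml)
    for user in users:
        if user["FederationIdentifier"] and user["FederationIdentifier"] == name_id:
            return user["Username"]
    return None


if __name__ == "__main__":
    audience = "https://example-dev-ed.my.salesforce.com"  # placeholder custom domain
    good = build_assertion(render_name_id("${user.email}", VIDM_USER), audience)
    print("jdoe resolves to:", resolve_salesforce_user(good))
    bad = build_assertion("bob@example.com", audience)
    print("bob resolves to:", resolve_salesforce_user(bad))  # None: Federation ID mismatch
```

The second case is the failure a mistyped Federation ID produces: the assertion is valid and Identity Manager has done its part, but Salesforce finds no user whose Federation ID equals the NameID and rejects the login.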

Task 7: Signing in to Salesforce from Workspace ONE
1. Open the window in which you logged in to Workspace ONE as an end user, and verify that
Salesforce is now assigned to you.

NOTE
If you have been logged out, be sure to select the vidm.local domain and use the same AD
credentials to log back in as the user.

2. Click Catalog.
3. Click Open under the Salesforce icon.

NOTE
You are signed in to Salesforce as the end user.

Lab 7 Implementing iOS Mobile SSO

Managing Public Applications – Salesforce

Task 1: Adding the Salesforce App


1. Go back into the AirWatch Admin Console where you have your device enrolled, expand the
OG hierarchy and select your Top-Level OG.
2. Navigate to Apps & Books > Applications > Native and click the Public tab.
3. Click Add Application.
4. In the Platform field, select Apple iOS. Select Search App Store as the Source option, and enter
Salesforce as the name of the application to search for.

NOTE
If Salesforce is installed on your device, uninstall it.

5. Click Next and select the Salesforce application from the provided search results.

If you are unable to locate the app you seek, either scroll through the results or alter your search
terms. You can also verify that you are searching the correct app store by checking that you are
searching in the correct country.

1. Review the Details tab options, including adding comments, reimbursement information,
ratings, categories and Terms of Use.
2. Click Save & Assign.
3. Click Add Assignment.
4. In the Select Assignment Groups field, choose All Devices (Company).
5. Change App Delivery Method to On Demand.
6. Click Add.
7. Click Save &Publish to push the configuration to your device.
8. Click Publish.

Task 2: Edit and Deploy the Salesforce and Workspace ONE apps to
Integrate with VMware Identity Manager
In Task 2, you’ll continue with AppConfig settings before downloading the application from the
Unified Catalog.
1. In the AirWatch Admin Console, expand the OG hierarchy and select your Company OG.

NOTE
This is the OG where you deployed the Salesforce application earlier.

IMPORTANT
If you do not have an iOS device, making these changes to the application does not enable the
functionality since this flow is specific to iOS.
2. If you did not deploy the Salesforce app for your iOS device, refer to the MAM section of this
workbook to deploy the app and alter the Assignment settings as directed below.

3. Navigate to Apps & Books > Applications > Native.
4. Select the Public tab and click the pencil next to the Salesforce app.

5. Click on Save & Assign.


a. Select the radio button next to All Devices.
b. Click Edit.
c. Enable Application Configuration, Managed Access and Remove on Unenroll.
d. Input the following application configuration:

Configuration Key   Value Type   Configuration Value
AppServiceHosts     String       Enter your Salesforce Custom Domain URL from your worksheet,
                                 minus the https://
                                 Example: <user-defined-domain>-dev-ed.my.salesforce.com

IMPORTANT
Do NOT enter https://

6. Click Add.
7. Click Save & Publish.
8. Click Publish.

NOTE
Salesforce is now ready for your device, which enrolls with the Active Directory user you
created.

Task 3: Adding Workspace ONE


To make the Workspace ONE application available to your enrolled users as a replacement for the
AirWatch catalog, push it using AirWatch application management. Workspace ONE is available
through the web browser of any device and as a mobile application on select platforms.

IMPORTANT
If you do not have an iOS device, following these steps still deploys the Workspace ONE app, but
the SSO integration for the native app will not work, because the lab focuses on the iOS SSO
integration.
1. Expand the OG hierarchy and select your Company OG.
2. Navigate to Apps & Books > Applications > Native.
3. Click the Public tab.
4. Click Add Application.
5. Change Platform to Apple iOS and type Workspace ONE into the Name text box.
6. Click Next.
7. Find the app called VMware Workspace ONE (com.air-watch.appcenter), and click Select.

Workspace ONE appears in the Add Application page.

8. Click Save and Assign. Click Add Assignment.


9. Click All Devices (Company) for Select Assignment Group.
10. Click Auto for App Delivery Method.
11. Enable Application Configuration, Managed Access, and Remove on Unenroll.

12. Input the following application configurations:

Configuration Key   Value Type   Configuration Value
AppServiceHost      String       https://{tenant}.vidmpreview.com, where {tenant} is your
                                 company identifier for VMware Identity Manager. This URL is
                                 also how you access the Workspace ONE catalog from a browser.
                                 Example: https://awedu-student-###.vidmpreview.com
deviceUDID          String       {DeviceUid}

NOTE
Click + Insert Lookup Value to create the two application configuration entries.
13. Click Add, and then Save & Publish.
14. Click Publish.

NOTE
VMware Workspace ONE now appears as a Public application in the List view.

Configure Mobile SSO for iOS Authentication in the Built-in Identity Provider
Use the VMware Identity Manager Admin Console to enable and configure the Mobile SSO for iOS
authentication method in the built-in identity provider. This provides SSO to the users’ app portal
and resources from AirWatch managed devices.

The built-in identity provider manages the KDC service. When users sign in from their iOS devices,
the Mobile SSO for iOS authentication method in the built-in identity provider is used to
authenticate users.
Prerequisites:
• Certificate authority .pem or .der file to issue certificates to users in the AirWatch tenant.
• For revocation checking, the OCSP responder's signing certificate.

Task 4: Enable and Export the AirWatch Certificate Authority


When VMware Identity Manager is enabled in AirWatch, you can generate the AirWatch issuer root
certificate and export the certificate for use with the Mobile SSO for iOS authentication on managed
iOS 9 mobile devices.
1. Expand the OG hierarchy and select your Top-Level OG.
2. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware
Identity Manager.
3. In the Certificate section at the bottom of the page, click Enable. The page displays the issuer
root certificate details.
4. Click Export and save this file to your local Working Folder. It is called
VidmAirWatchRootCertificate.cer

Task 5: Configuring KDC
1. In the VMware Identity Manager Admin Console, navigate to Identity & Access Management
> Authentication Methods.
2. Click the pencil next to Mobile SSO (for iOS).
3. In the Authentication Methods section, click the Mobile SSO (for iOS) gear/pencil icon.

4. In the KdcKerberosAuthAdapter page, configure the Kerberos authentication method.

Field                                   Description
Enable KDC                              Select this check box to enable users to sign in using iOS
                                        devices that support Kerberos authentication.
Realm                                   VIDMPREVIEW.COM
Root and Intermediate CA Certificate    Upload the certificate authority issuer certificate file.
                                        Example: VidmAirWatchRootCertificate.cer
Uploaded CA Certificate Subject DNs     The contents of the uploaded certificate file are displayed
                                        here. More than one file can be uploaded, and the
                                        certificates each file includes are added to the list.
Enable OCSP                             DO NOT CHECK
Send OCSP Nonce                         DO NOT CHECK
OCSP Responder’s Signing Certificate    DO NOT TAKE ANY ACTION
OCSP Responder’s Signing Certificate    N/A
Subject DN
Enable Cancel Link                      When authentication is taking too long, give the user the
                                        ability to click Cancel to stop the authentication attempt
                                        and cancel the sign-in. When the Cancel link is enabled,
                                        Cancel appears at the end of the authentication error
                                        message that displays.
Cancel Message                          Create a custom message that displays when the Kerberos
                                        authentication is taking too long. If you do not create a
                                        custom message, the default message is Attempting to
                                        authenticate your credentials.

NOTE
Enable OCSP and Send OCSP Nonce should NOT BE CHECKED.
5. Click Save.
6. Click the Identity Providers tab under Identity & Access Management.
7. Select Built-in.
8. In the Authentication Methods section, select Mobile SSO (for iOS).

NOTE
Password (AirWatch Connector) and Device Compliance (With AirWatch) were enabled in a
previous chapter.
9. Click Save.
10. Navigate to Identity & Access Management > Identity Providers > Built-in, scroll to KDC
Certificate Export, and click Download Certificate to save this file to your Working Folder. It
is named KDC-root-cert.cer.

11. Click Save.
You will upload this certificate when you configure the iOS device profile in AirWatch.

Task 6: Updating the Access Policy in Identity Manager


A policy contains one or more access rules. Each rule consists of settings that you can configure to
manage user access to their apps portal or to specified Web applications.
You can edit the default access policy, which is a pre-existing policy that controls user access to the
service.
You can remove an entire Web-application-specific access policy at any time. The default access
policy is permanent. You can edit it, but you cannot remove it.
1. In the Identity Manager Console, navigate to Identity & Access Management > Policies.
2. Click on default_access_policy_set and then add Mobile SSO (for iOS) to each device type:
Workspace ONE App, iOS, Web Browser.
3. Click on each Authentication Method and populate the following fields:

Field                                              Select Option
If a user's Network Range is…                      ALL RANGES
and the user is trying to access content from…     Workspace ONE App / iOS / Web Browser
then the user may authenticate using the           Mobile SSO (for iOS) – Make sure this
following method…                                  method comes first.
If preceding Authentication Method fails or        Password (AirWatch Connector) – This
is not applicable, then…                           authentication method will be for non-iOS
                                                   devices.

NOTE
Leave Password (Local Directory) as a fallback method for the Web Browser.

4. Leave the remaining fields set to their defaults and click OK.

5. Using the vertical arrow icons next to the Network Range heading, rearrange your rules so
they appear in the order displayed in the image below:

6. Click Save.
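This task and Lab 4, Task 5 both end by ordering the rules and by chaining a fallback method behind the primary one. The following is an added example (not VMware code) that models that evaluation so the effect of rule order and fallback can be checked offline: rules are tried top to bottom and the first one whose network range and device type match the request applies, after which that rule's methods are tried in order until one succeeds. The way a request is mapped onto device types here, in particular that a request from the Workspace ONE app on an iPhone satisfies both "Workspace ONE App" and "iOS", is an assumption made for illustration, as are the request records.

```python
"""Model of ordered access-policy rules with fallback authentication methods.

Added example; not VMware Identity Manager code. Assumptions, made for
illustration: rules are evaluated top to bottom and the first match wins;
the methods of the chosen rule are tried in order; a request may satisfy
several device types (a Workspace ONE app on an iPhone counts as both
"Workspace ONE App" and "iOS").
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    network_range: str   # "ALL RANGES" or the name of a configured range
    device_type: str     # "Workspace ONE App", "iOS", "Web Browser", ...
    methods: list        # primary method first, fallbacks in order


@dataclass
class Request:
    device_types: list                              # every device type the request satisfies
    network: str                                    # range the client address falls into
    methods_ok: set = field(default_factory=set)    # methods that would succeed for this client


# Rule order and method chains as the lab asks for them after Lab 7, Task 6.
LAB_POLICY = [
    Rule("ALL RANGES", "Workspace ONE App",
         ["Mobile SSO (for iOS)", "Password (AirWatch Connector)"]),
    Rule("ALL RANGES", "iOS",
         ["Mobile SSO (for iOS)", "Password (AirWatch Connector)"]),
    Rule("ALL RANGES", "Web Browser",
         ["Mobile SSO (for iOS)", "Password (AirWatch Connector)", "Password (Local Directory)"]),
]


def select_rule(policy, req):
    """First rule, in list order, whose network range and device type match the request."""
    for rule in policy:
        if rule.network_range not in ("ALL RANGES", req.network):
            continue
        if rule.device_type in req.device_types:
            return rule
    return None


def evaluate(policy, req):
    """Return (rule index, method that authenticated); method is None when the rule denies."""
    rule = select_rule(policy, req)
    if rule is None:
        return None, None                      # no rule matches: access denied
    for method in rule.methods:
        if method in req.methods_ok:           # first applicable method wins
            return policy.index(rule), method
    return policy.index(rule), None            # every method failed or was not applicable


if __name__ == "__main__":
    # Constructed requests: an iPhone with the KDC certificate, a laptop browser,
    # and a browser user who only exists in the local directory.
    iphone = Request(["Workspace ONE App", "iOS"], "corp",
                     {"Mobile SSO (for iOS)", "Password (AirWatch Connector)"})
    laptop = Request(["Web Browser"], "corp", {"Password (AirWatch Connector)"})
    local = Request(["Web Browser"], "corp", {"Password (Local Directory)"})
    for name, req in (("iphone", iphone), ("laptop", laptop), ("local", local)):
        print(name, evaluate(LAB_POLICY, req))
    print("iphone, rules reversed:", evaluate(list(reversed(LAB_POLICY)), iphone))
```

With the lab's order the Workspace ONE app on an iPhone hits the Workspace ONE rule; with the order reversed it is caught by the iOS rule and the Workspace ONE-specific rule never applies, which is the reason the lab has you rearrange the rules before saving. The laptop shows the fallback behaviour: Mobile SSO is not applicable, so Password (AirWatch Connector) is used.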

Task 7: Configuring SSO Profile in AirWatch


Create and deploy the Apple iOS device profile in AirWatch to push the Identity Provider settings to
the device. This profile contains the information necessary for the device to connect to the VMware
Identity Provider and the certificate that the device uses to authenticate. Enable single sign-on to
allow seamless access without requiring authentication into each app.
1. From the AirWatch Admin Console, expand the OG hierarchy and select your Company OG.
2. Navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile.
3. Select Apple iOS when prompted for a platform.

4. Populate the following fields in the General payload:

Field             Select Option
Name              Identity Manager Credentials and SSO
Assigned Groups   All Devices (Company)

5. In the left navigation pane, select Credentials, and click Configure.


6. Populate Credentials payload as follows:
a. Select Upload from the Credential Source drop-down menu.
b. Click Upload button.



c. Navigate to your Working Folder, select the KDC-root-cert.cer file, and click Save.

7. In the left navigation pane, select SCEP and click Configure.



8. Enter the SCEP information.

Field                    Select Option
Credential Source        AirWatch Certificate Authority
Certificate Authority    AirWatch Certificate Authority
Certificate Template     Single Sign On

9. In the left navigation pane, select Single Sign-On and click Configure.



10. Enter the connection information.

Field                      Select Option or Enter
Account Name               Enter a unique friendly name, such as idmtest
Kerberos Principal Name    Click + and select {EnrollmentUser}.
Realm                      Enter VIDMPREVIEW.COM
                           NOTE: Case sensitive.
Renewal Certificate        Select SCEP #1.
URL Prefixes               Enter your vIDM tenant URL, for example:
                           https://awedu-student-###.vidmpreview.com
                           Leave off anything after “.com”.
Applications               Enter the following application bundle IDs:
                           • com.apple.mobilesafari
                           • com.salesforce.chatter
                           • com.air-watch.appcenter



11. Click Save & Publish and then Publish.



The profile appears in the console.
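To show what the Single Sign-On payload above actually carries once AirWatch renders it for the device, here is an added example (not part of the lab or of AirWatch) that builds the Apple com.apple.sso payload from the table's values and enforces its two caveats: the realm is case-sensitive, and the URL prefix must stop at the host. The tenant name, principal, payload identifier and certificate UUID are constructed placeholders.

```python
import plistlib
import uuid
from urllib.parse import urlsplit

# Realm and bundle IDs are the values from the lab's Single Sign-On payload table.
REALM = "VIDMPREVIEW.COM"
APP_BUNDLE_IDS = [
    "com.apple.mobilesafari",   # Safari, so the web login in Task 9 gets SSO
    "com.salesforce.chatter",   # Salesforce app used in Task 10
    "com.air-watch.appcenter",  # Workspace ONE app
]


def normalize_url_prefix(url: str) -> str:
    """Reduce a tenant URL to https://host, i.e. 'leave off anything after .com'.
    The device matches URLPrefixMatches by string prefix, so a path or query
    left in would limit SSO to requests that start with that exact string."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"tenant URL must be an https:// host: {url!r}")
    return f"https://{parts.netloc}"


def build_sso_payload(account_name: str, principal: str, tenant_url: str,
                      scep_cert_uuid: str, realm: str = REALM) -> dict:
    """Return the com.apple.sso payload as a dict. 'principal' is the enrolled
    user's name (what AirWatch substitutes for {EnrollmentUser}); scep_cert_uuid
    points at the SCEP #1 certificate payload chosen as Renewal Certificate."""
    if realm != realm.upper():
        raise ValueError("Kerberos realm is case-sensitive; use upper case")
    return {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.sso.{account_name}",  # constructed
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Identity Manager Credentials and SSO",
        "Name": account_name,
        "Kerberos": {
            "Realm": realm,
            "PrincipalName": principal,
            "URLPrefixMatches": [normalize_url_prefix(tenant_url)],
            "AppIdentifierMatches": list(APP_BUNDLE_IDS),
            "PayloadCertificateUUID": scep_cert_uuid,
        },
    }


def render_profile(payload: dict) -> bytes:
    """Serialize the payload as the XML plist a device would receive."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    # Constructed tenant; the lab's own placeholder is awedu-student-###.
    p = build_sso_payload("idmtest", "jdoe",
                          "https://awedu-student-example.vidmpreview.com/SAAS/auth",
                          "11111111-2222-3333-4444-555555555555")
    print(render_profile(p).decode())
```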

Task 8: Enrolling a Device and Testing SSO

Enroll Your Device


1. Open the AirWatch Agent and select Server Details.
2. In the text boxes, enter the Server, which is the URL of the AirWatch Admin Console, and the
Group ID, which you defined for business unit under your geographic region, such as Sales or
ITops.
3. Click Next to proceed with the enrollment process.
4. Input the user credentials for the Active Directory username and password by referring to your
worksheet.

NOTE
You defined the user credentials when you went through the Active Directory lab exercise. The
password is case-sensitive and can only be changed on the Domain Controller server.
5. Select the option prompted to continue with the enrollment process, such as Redirect & Enable
for iOS.



NOTE
iOS requires the user to install an Enrollment Profile and accept Remote Management.
6. Accept any prompts to install the apps pushed by AirWatch. Specifically, Salesforce
(“Salesforce”) and Workspace One (“Workspace”) are pushed to your device; accept the
prompts to install them.

Task 9: Testing from Workspace One


1. Open Workspace One app on your iOS device.
• Observe that your tenant URL was pushed to the app.



2. Click Next.



3. Once it loads, you are prompted to click Enter.

IMPORTANT
Navigate to the Catalog tab to locate the Salesforce app.
4. Click Open below the Salesforce website icon.
Because Safari was specified for use via the SSO profile, you are signed into the web version of
Salesforce.
5. Click the home button on your iOS device to exit the app.

Task 10: Testing from Salesforce


1. Navigate to the Unified Catalog on your mobile device.
2. Click Install under the Salesforce App on your iOS device.

NOTE
Accept any prompt to complete installation.
3. Click the Salesforce app to launch and Accept the Salesforce EULA.
4. Since we didn’t completely disable the Salesforce login screen in Salesforce, you will see two
options:
• Authenticate using a Salesforce username / password
• Your SSO Configuration Defined in Salesforce
5. Click Your SSO Configuration Defined in Salesforce.

NOTE
Observe that you are signed into the Salesforce app.

Lab 8 Mobile Application Management

The Mobile Application Management (MAM) lab requires the core configurations you performed
during the completion of previous lab work. Required configurations include an OG hierarchy set up
with a defined Group ID, a test user, and an enrolled device.

Managing Public Applications

Task 1: Managing Public Applications


1. Expand the OG hierarchy and select your Company OG.
2. From the Main Menu, navigate to Apps & Books > Applications > List View > Public tab.
3. View all the managed apps on the Applications page.

4. Scroll down and find the app you recommended. Note that personal feedback about the app is
shown under the OG where the app is managed.
5. Under the Install Status column, verify whether your app is installed or not installed. It should
show assigned. Select the hyperlink options to install the app, remove it from the device, or
notify the user about the availability of the app in the AirWatch Catalog.

NOTE
Applications may require a check-in (query) to show an updated status. This is necessary if the
application is installed on the device but the status dashboard does not yet reflect it.
6. Review the available options to the far right:

• Manage Devices: Install/remove the application and notify end users about app availability
on their devices.
• Deactivate: Remove all versions of the application from all managed devices.
• User Ratings: View app ratings and user-provided feedback.
• View Events: Display events for apps and export activity as a .CSV.
• Delete: Remove the app from the admin console.

Managing Enterprise Applications

Task 2: Adding an Internal Application


1. Expand the OG hierarchy and select your Company OG.
2. From the Main Menu, navigate to Apps & Books > Applications > List View > Internal tab.
3. Click Add Application, select Upload, and browse and click the Android_MDM_Info.apk
from the Academic Success Kit.

NOTE
A similar flow could be done for other platforms if you have a signed application that has been
internally developed by your organization, such as an .ipa for iOS. If you do not have an
Android device enrolled, you are able to load the app by completing this lab module, but it will
not push down to your device since the app was built for Android platform.



4. Click Continue when the upload is complete.

5. Click the Details tab, update the Name of the app to MDM Info, and review the additional
fields.

NOTE
Depending on the app developer this information could be coded into the app, so it
automatically populates.

6. Click the Files tab and review the options. For other platforms, different options may be
available.
7. Click the Images tab and review the options, such as loading application images to represent
the apps in the AirWatch Catalog.



8. Click the Terms of Use tab to add an Application terms of use. If one has not been created, the
Manage Terms option could be selected to create one.
9. Click the More tab to review the SDK and App Wrapping options, which either enable SDK
capabilities in the app or wrap the app with a defined SDK profile.

NOTE
Developer files may be required. An SDK and App Wrapping profile would be selected to turn
on SDK functionality.
10. Click Save & Assign, and then click Add Assignment.
11. Click the Smart Group tab and choose the All Devices @ Company Smart Group you defined
during the MDM lab exercise.
12. Click Auto for Push Mode and click Add.

13. Click Save & Publish.


14. Your device is shown based on its defined Smart Group. Click Publish to push the configuration
to your device.
15. On your Android device, verify the application is installed. For most vendors, this happens
silently with no prompt. If you provided an application file for another platform, the flow for
installation may be different. For example, with iOS it will prompt to install, but no Apple ID is
required since it’s not tied to the Apple Store.

NOTE
If the app was pushed in an On Demand capacity, the application would be installed either
through the AirWatch Catalog or the Workspace ONE application.



Task 3: Managing Internal Applications
1. Expand the OG hierarchy and select your Company OG.
2. From the Main Menu, navigate to Apps & Books > Applications > List View and click the
Internal tab.
3. View all the managed apps on the Applications page.
4. Under the Install Status column, verify if your app is installed by clicking the View option. It
should show assigned. Select the hyperlink options to install, remove from the device, or notify
the user about the availability of the app from the AirWatch Catalog.

NOTE
Applications may require a check-in (query) to show an up-to-date status. This is necessary if
the application is installed on the device, but is not reflected as such on the status dashboard.

NOTE
If the icon and application are not shown, change the view by selecting the filter option in the top
right corner, next to the house and star icons.

5. Click on the pencil to the far-left side of the app to make changes to the deployment.
6. Click on the name of the app, MDM Info, to review the following options in the upper right
hand corner:
• Edit
• Assign
• Add Version: Update your internal application with a new version.
• Retire: Retires a version of the app, pushes an older app version out to the device, and
updates the AirWatch Catalog.
• Deactivate: Deactivates all versions of the app, removes the app from the device and
AirWatch Catalog.
• User Ratings: View and delete user ratings and comments about applications.
• Events: Show device and console events for apps and export events as a .csv file.



• Other Versions: Show previous versions added to the admin console.

Task 4: Reviewing VPP and AirWatch SDK Settings


1. Expand the OG hierarchy and select your Company OG.
2. Navigate to Apps & Books > Applications > List View and click the Purchased tab.

NOTE
Once integrated, this is where purchased applications are found.
3. Navigate to Apps & Books > All Apps & Books Settings > Catalog and click the VPP
Managed Distribution tab.
4. Review the setting to integrate directly with Apple by uploading an Apple VPP token to
manage VPP license codes in bulk.

IMPORTANT
If you have an active VPP token for your company, do not upload it into the training
environment.
5. Navigate to Apps & Books > Applications Settings > Default Policy. The Security Policies
page appears.
6. Review the defined SDK settings for the OG.
7. Navigate to Settings and review additional SDK settings for the OG.
8. Navigate to Profiles, and review the options to create unique SDK profiles, which could be
enabled for individual iOS and Android internal applications.



Building the AirWatch Catalog

Task 5: Configuring and Launching the AirWatch Catalog


1. Expand the OG hierarchy and select your Company OG.
2. Navigate to Apps & Books > All Apps & Books Settings > Workspace ONE > AirWatch
Catalog > General.
3. Review the Authentication options for AirWatch Catalog authentication, which are disabled by
default.
4. Click the Publishing tab and define the following settings:
• Catalog Title: World Wide Apps
• Platforms: Enable all and Full Screen mode for iOS



NOTE
A default icon for the AirWatch Catalog is loaded in the database, but a custom one could be
loaded.
5. Click Save.
6. Click the Customization tab and review the options, such as branding logo, default filter,
sorting and pinned categories.
7. Verify the AirWatch Catalog is pushed to your device.

NOTE
If you have an Android device, there must be an open space on your device’s home screen to
accommodate the AirWatch Catalog. The AirWatch Catalog may also be opened from the
AirWatch Agent. There may also be the MDM Info app you deployed earlier, if it’s supported
for your device.

8. Browse the AirWatch Catalog on your device and perform the following:
9. Change filter options.
10. Select an application, view its description, and provide internal feedback.
11. Install or re-install any missing applications.

NOTE
The Workspace ONE app combines all the apps that are integrated with the App Catalog. When
Workspace ONE is fully integrated and deployed, you could disable the App Catalog and use
the Workspace ONE unified catalog.
For the purposes of this course, DISABLE the App Catalog.

Enforcing Application Security

Task 6: Adding an Application Group


1. Expand the OG hierarchy and select your Company OG.
2. Navigate to Groups & Settings > Groups > App Groups.
3. Click Add Group.
4. Click Blacklist and choose the platform you have enrolled.

NOTE
An Application Group for whitelisted and/or required apps may also be configured separately.
5. Select the type as Blacklisted Apps.
6. Click Add Application and search and select the following applications:
• Pandora Radio
• Facebook
• Dropbox



7. Use the magnifying glass icon to search and select the application to blacklist.

8. Click Next and review the options, under the Assignment tab and click Finish.

At this point, you have identified Pandora Radio, Facebook, and Dropbox as blacklisted apps.
You have not yet defined what actions are taken if any of these applications are installed. If you
do not pull Personal Application data, you are unable to monitor which applications are
installed onto devices within your deployment. Refer to Privacy settings in the AirWatch Admin
Console to determine if Personal Application data is pulled based on device ownership.



9. Review the options to sort and search Apps Groups based on platform or type. You can also
edit, delete, or deactivate the App Group.

Task 7: Adding an Application Compliance Policy


1. Expand the OG hierarchy and select your Company OG.
2. Navigate to Devices > Compliance Policies > List View > Add.
3. Select the platform you have enrolled.
4. Change the MDM Terms of Use Acceptance rule to Application List.
5. Change Contains to Contains Blacklisted App(s).

6. Click Next to define the actions.


7. Change Send Email to User to Send Push Notification to Device.



NOTE
Additional actions and escalation may be defined. An email is not sent for this lab, since
you changed your email address during the MEM lab.
8. Click Next to define the assignment.
9. For Assignment, define the following:
• Managed By: Company OG
• Assigned Groups: All Devices @ (OG)

NOTE
Additional Smart Groups or Exclusions could be defined. Click View Device Assignment to
view impacted devices to adjust the assigned Smart Groups.
10. Click Next to review the summary.
11. Under the General tab, change the Name and Description to match the scope for the
compliance policy.

12. Refer to the Device Summary information to see how your device will be impacted by the
compliance rule.
If your device is compliant, no actions will be triggered. If your device is noncompliant, the
first compliance action would trigger within 5 minutes of detection.



13. Click Finish and Activate.
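The rule you just built, and the Task 6 caveat that blacklisted apps can only be seen where personal application data is collected, can be modelled in a few lines. This is an added example, not AirWatch code; the device records, the app names used as inventory entries and the Privacy setting by ownership type are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Blacklist App Group from Task 6, created per platform. Inventory entries use
# the app names as the lab lists them (constructed, not real package IDs).
BLACKLIST: Dict[str, Set[str]] = {
    "iOS": {"Pandora Radio", "Facebook", "Dropbox"},
    "Android": {"Pandora Radio", "Facebook", "Dropbox"},
}

# Constructed Privacy setting: is personal application data collected for
# this ownership type? (The lab points to Privacy settings for the real value.)
PRIVACY_COLLECT_PERSONAL_APPS = {"Corporate": True, "Employee Owned": False}


@dataclass
class Device:
    friendly_name: str
    platform: str
    ownership: str
    managed_apps: Set[str]             # installed by AirWatch, always visible
    personal_apps: Optional[Set[str]]  # None when the agent reports nothing


def evaluate(device: Device,
             privacy=PRIVACY_COLLECT_PERSONAL_APPS) -> Tuple[str, Optional[str]]:
    """Apply the 'Application List contains blacklisted app(s)' rule.

    Returns (status, action). The action mirrors Task 7: the first action is
    Send Push Notification to Device, due within 5 minutes of detection.
    """
    blacklist = BLACKLIST.get(device.platform)
    if blacklist is None:
        return "NotAssigned", None  # the compliance policy is per platform
    inventory = set(device.managed_apps)
    personal_visible = (privacy.get(device.ownership, False)
                        and device.personal_apps is not None)
    if personal_visible:
        inventory |= device.personal_apps
    hits = sorted(inventory & blacklist)
    if hits:
        return ("NonCompliant",
                f"Send Push Notification to Device: remove {', '.join(hits)}"
                " (first action within 5 minutes)")
    if not personal_visible:
        # Task 6 blind spot: without personal app data a blacklisted personal
        # app cannot be detected, so compliance cannot actually be confirmed.
        return "NotEvaluable", "Personal application data not collected"
    return "Compliant", None


if __name__ == "__main__":
    for d in (Device("ipad-corp", "iOS", "Corporate", {"Salesforce"}, {"Dropbox"}),
              Device("phone-byod", "iOS", "Employee Owned", {"Salesforce"}, None)):
        print(d.friendly_name, evaluate(d))
```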

Task 8: Reviewing Platform-Specific Application Restrictions


1. Expand the OG hierarchy and select your Company OG.
2. Navigate to Apps & Books > All Apps & Books Settings > Catalog > App Restrictions.
3. Hover over the i to review how the “Restricted Mode for Public iOS Applications” may be
used. If deployed, the iOS App Store will be removed. The App Store can be triggered to open,
however, when a public application listed within the AirWatch Catalog is selected for
installation.
4. At the Company OG, navigate to Devices > Profiles & Resources > Profiles > Add Profile.
5. Click Android.
6. Define the following General properties:
• Name: Blacklisted Applications



• Assigned Groups: All Devices @ Company

7. From the left pane, select the Application Control payload.


8. Click Configure and review the Prevent Installation of Blacklisted Apps option.
Only supported Android devices can disable or block the removal of applications you defined in
the app group.

9. Review the options for Required and Whitelisted apps.



10. Exit the profile configuration.

NOTE
Select platforms, such as variants of Android, Windows Phone 8.1/10, Windows Desktop (10), and
iOS 9.3+ with supervision, support similar application control in 8.3 FP2/3+ by deploying the
Restrictions and Application Control profile payloads. The “Carrot and Stick” method of
setting up an application compliance rule may be used in conjunction with Restricted Mode
for Public iOS Applications to enforce compliance for other devices and non-supervised iOS
devices.

Task 9: Managing Applications


1. Expand the OG hierarchy and select your Company OG.
2. Navigate to Devices > List View.
3. Select the Friendly Name to view specific device details in the record.

4. Click the Apps tab and view the application status for your device.
5. Review the options to remove or re-push “managed” applications.



NOTE
If personal applications are not shown, then Privacy settings are configured to suppress this
information. The AirWatch Agent cannot be removed or re-pushed since it was installed before
enrollment; this is an example of a behavior that can only be performed on “managed” apps.

You have completed all lab activities.
