Copyright © 2017 VMware, Inc. All rights reserved. This manual and its accompanying materials
are protected by U.S. and international copyright and intellectual property laws. VMware products
are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a
registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions.
All other marks and names mentioned herein may be trademarks of their respective companies.
The training material is provided “as is,” and all express or implied conditions, representations,
and warranties, including any implied warranty of merchantability, fitness for a particular purpose
or noninfringement, are disclaimed, even if VMware, Inc., has been advised of the possibility of
such claims. This training material is designed to support an instructor-led training course and is
intended to be used for reference purposes in conjunction with the instructor-led training course.
The training material is not a standalone training tool. Use of the training material for self-study
without class attendance is not recommended.
These materials and the computer programs to which it relates are the property of, and embody
trade secrets and confidential information proprietary to, VMware, Inc., and may not be
reproduced, copied, disclosed, transferred, adapted or modified without the express written
approval of VMware, Inc.
www.vmware.com/education
CONTENTS
Lab 1 Workspace ONE Communication (SaaS)
Lab 2 VMware Enterprise Systems Connector
Lab 3 AirWatch Directory Services Integration
Lab 4 Integrate AirWatch with VMware Identity Manager
Lab 5 Configure User Authentication with VMware Identity Manager
Lab 6 Unified Catalog
Lab 7 Implementing iOS Mobile SSO
Lab 8 Mobile Application Management
Lab 1 Workspace ONE Communication (SaaS)
Network Diagram
There are four main components to this activity:
1. VMware Enterprise Systems Connector (ESC)
2. On-premises Domain Controller
3. AirWatch SaaS
4. Identity Manager SaaS
The following diagram illustrates the architecture used in this lab.
NOTE
For Mac OS X, the VMware client software is not required. Also, “Copy and Paste” is not
supported within the VM. Either type in the value or enable the Windows on-screen keyboard,
when required.
NOTE
The ACC is a component of the ESC.
4. Close your browser, navigate to the downloads folder, and install the
VMware-ClientIntegrationPlugin-5.X.X.exe. Accept all default prompts for installation.
NOTE
If extensions are being used for Chrome, open the run prompt and execute the following
command:
taskkill /F /IM chrome.exe or taskkill /F /IM Chrome.exe
This kills all Chrome or Chrome browser processes to allow for the plug-in to install properly.
5. Re-open https://lab.air-watch.com/cloud/org/education/login.jsp in either
Chrome or Firefox.
7. If prompted for login credentials, re-enter the credentials to log into the VMware vCloud portal.
8. On the left side, click Open to change the view to the vApp Diagram, which provides access to
each server.
6. Verify that the Current Setting is set to Override. If it is not, click Override and then click Save.
7. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > VMware
Enterprise Systems Connector.
8. Click Override and then select Enable VMware Enterprise Systems Connector.
NOTE
Enable Auto Update is a best practice in your production environment.
10. Click Save and wait for the certificate to be populated. This may take several minutes. When
the certificate is created, close the message box by clicking OK.
11. Click the General tab and then click Download VMware Enterprise Systems Connector
Installer.
13. Once downloaded, click the drop-down menu next to the filename and select Show in folder.
14. Right-click the executable in the Downloads folder, and select Run as administrator; the
VMware Enterprise Systems Connector installation wizard appears.
NOTE
The installation wizard may be branded “Cloud Connector” depending on your environment.
15. Perform the following process:
a. Click Next and accept the EULA. Click Next.
NOTE
If prompted, install Java.
f. Click Next and input the IDM Connector port number: 443
g. Deselect the Would you like to use your own SSL Certificate? box.
i. Select the Would you like to activate the IDM Connector now? check box.
NOTE
You must now move to your browser and complete Step 16 before proceeding with the
installation wizard.
c. Name your connector and click Generate Activation Code. Right-click to copy the code.
17. Return to your installer, paste the Activation Code and enter your VMware Identity Manager
administrator passcode. Click Next.
NOTE
At this step, perform the following checks:
a. Return to the ESC VM.
• Open the Services (click on Windows icon and search for services) and ensure that
Computer Browser service is running.
c. Hover over the network connection icon in the bottom right-hand corner of the screen and
confirm it reads as follows: vidm.local. If it does not, disable and re-enable the network
adapter.
18. Associate the VMware Connector Service Account. Use Browse to locate the VIDM domain
and then use it to locate the Administrator account.
19. Use AirWatch for the password. Click Next and then click Install.
20. When the installer completes, click Finish.
21. Open Server Manager (the icon to the right of Start on the server).
These services may take up to 10 seconds to start. Once you have confirmed the service has
been started, close the Services window.
24. If the services do not start, open the log file (C:\VMware\Logs\CloudConnector) and check
for errors.
The Active Directory Users and Computers window appears.
NOTE
If you have not created a Salesforce Developer Account, these steps are reviewed in a later
chapter:
a. Enter First name.
NOTE
Paste your Active Directory First Name, Last Name and Username into your worksheet
document, and save the file for future reference.
d. Click Next.
7. Click Finish.
Your user appears in the right pane.
8. Assign an email address to your user.
a. Right-click your user from the Active Directory Users and Computers window, and select
Properties.
b. In the Email text box, enter an email address and click OK.
NOTE
This does not need to be a valid email address; however, it does need to be a unique entry.
9. Repeat steps 4-8 to create a second directory user.
NOTE
This directory user will function as an administrator in AirWatch and VMware Identity
Manager. You enter this Username in Lab 5-Task 3-Step 2 & Lab 6-Task 5-Step 5
Field | Description
Directory Type | Select the type of directory service your organization uses. For this lab, select Active Directory.
Enable DNS SRV | Select Disabled. With this feature disabled you must explicitly define where the server is located on the network.
Encryption Type | Select the type of encryption to use for directory services communication. For this lab, select None.
Protocol Version | Select the version of the LDAP protocol that is in use. Active Directory uses LDAP versions 2 or 3. If you are unsure of which Protocol Version to use, try the commonly used value of 3. For this lab, enter 3 in the Protocol Version text box.
Use Service Account Credentials | Select the check box to use the credentials from the App pool of the server on which EIS is installed for authenticating with the domain controller. Enabling this option hides the Bind Username and Bind Password fields. Accept the Disabled default setting.
Bind Authentication Type | Select the type of bind authentication that is used to enable the AirWatch server to communicate with the domain controller. If you are unsure of which Bind Authentication Type to use, try the commonly used value of GSS-NEGOTIATE. For this lab, select GSS-NEGOTIATE.
Domain | Enter the default domain for any directory-based user accounts. If only one domain is used for all directory user accounts, fill in the field with the domain so that users are authenticated without explicitly stating their domain. For this lab, enter vidm.local in the Domain field.
Verify vidm.local appears in Domain text box and
vidmdc.vidm.local appears in Server text box.
If another value appears in the Domain text box, replace it with value
above.
b. Click the + (Fetch DB) below Base DN. A window appears with the available Base DNs.
Select DC=vidm,DC=local and click Save. Repeat the same process for the Group tab.
9. Click Save and then click Test Connection to verify connectivity once again. Alert the
instructor if an error occurs. Close the screen using the icon at the top right of the popup box.
5. From the Group Name drop-down menu, select Users and then click Save. The Add User
Group page closes.
6. Select the check box for the Users row.
7. From the More Actions drop-down menu select Add Missing Users.
NOTE
Alert the instructor if you are unable to pull the user group or users into the console.
4. Click Save.
AirWatch provides enterprise mobility management for devices and VMware Identity Manager
provides single sign-on (SSO) and identity management for users.
When AirWatch and VMware Identity Manager are integrated, users from AirWatch enrolled
devices can log in to their enabled apps securely without entering multiple passwords.
When AirWatch is integrated with VMware Identity Manager, you can configure the following
integrations with AirWatch:
• An AirWatch directory that syncs AirWatch users and groups to a directory in the VMware
Identity Manager service, with password authentication then set up through the Enterprise
Systems Connector.
• SSO to a unified catalog containing entitled apps from both AirWatch and VMware Identity
Manager.
• SSO using Kerberos authentication to iOS 9+ devices.
• Access policy rules to check that AirWatch-managed iOS 9+ devices are compliant.
• A REST API admin key for communication with the VMware Identity Manager service and a
REST enrolled user API key for VMware Enterprise Systems Connector password
authentication are created at the same OG where VMware Identity Manager is configured.
• API Admin account settings and the admin authentication certificate from AirWatch added to
the AirWatch settings in the VMware Identity Manager Admin Console.
• Active Directory user accounts set up at the same OG where VMware Identity Manager is
configured.
• If end users are placed into a child OG from where VMware Identity Manager is configured
after registration and enrollment, User Group mapping in the AirWatch enrollment
configuration must be used to filter users and their respective devices to the appropriate OG.
The following are set up in the AirWatch admin console:
• REST admin API key for communication with the VMware Identity Manager service
• API Admin account for VMware Identity Manager and the admin authentication certificate that
is exported from AirWatch and added to the AirWatch settings in VMware Identity Manager
• REST enrolled user API key used for VMware Enterprise Systems Connector password
authentication
NOTE
The OG type must be Customer.
NOTE
To view the group type, navigate to Groups & Settings > Groups > Organization Groups >
Organization Group Details.
IMPORTANT
Ensure the OG shown in the form is the same one where you created the REST API key and
that it is the Top-Level OG based on the previous configurations you used during the Mobile
Device Management labs.
6. Select the API tab and in the Authentication field, select Certificates.
7. Enter the certificate password AirWatch1. The password is the same password entered for the
admin on the Basic tab. Write down this password. You will need it later.
NOTE
Click Show to verify the password entered is correct.
8. Click Save. The new admin account and the client certificate are created.
9. On the Accounts > Administrators > List View page, click on the username of your new
admin.
10. Click the API tab and click Certificates.
11. Enter the password (AirWatch1) you set in the Certificate Password text box, click Export
Client Certificate and save the file to your Lab Files Folder. Click Save.
What to do next
Configure your AirWatch URL settings in the VMware Identity Manager Admin Console. (See
Setting up an AirWatch Instance in VMware Identity Manager)
NOTE
While logged in with this user, this is referred to as the System Domain. If vidm.local is
displayed select System Domain from the dropdown menu. Click the arrow next to Tenant
Admin and select Administrative Console from the drop-down menu.
Field | Description
AirWatch API URL | Enter the AirWatch API URL for the AirWatch Training server where you obtained the AirWatch API; refer to your worksheet. CAUTION: The AirWatch Console does not provide the correct URL that the vIDM Console wants populated in this field. AirWatch Console provides: https://train#.awmdm.com/API. VMware Identity Manager Console wants: https://train#.awmdm.com. IMPORTANT: Remove “/API” from the URL when entering it into the VMware Identity Manager Console.
AirWatch API Certificate | Upload the certificate file used to make API calls. Upload the .p12 file you downloaded from the AirWatch Admin Console.
AirWatch Admin API Key | Enter the AirWatch API Key value; refer to your worksheet.
AirWatch Enrolled User API Key | Enter the Identity Manager API Key for an enrolled user value; refer to your worksheet.
AirWatch Group ID | Enter the AirWatch Group ID for the customer type OG where the API key and Admin Account were created; Top-Level OG. For our lab, this will be idm<student#>.
What to do next
• Enable the feature option Unified Catalog to merge apps set up in the AirWatch catalog to the
unified catalog.
• Enable Compliance check to verify that AirWatch managed devices adhere to AirWatch
compliance policies. We will not perform this action in our lab. For more information, see
“Enable Compliance Checking for AirWatch Managed Devices” in the VMware Identity
Manager Administration Guide.
3. Click Save.
4. Follow the same procedure to complete the tasks for Compliance Check and User Password
Authentication through AirWatch.
5. Navigate back to the Identity & Access Management tab and click Manage.
6. Click on the Authentication Methods tab and ensure the following are enabled:
a. Password (AirWatch connector)
b. Device Compliance (with AirWatch)
8. Click the Identity Providers tab under Identity & Access Management
9. Select Built-in
10. In the Authentication Methods section, verify the following are enabled:
then the user must authenticate using the following method… | Password (AirWatch Connector)
5. Leave the remaining fields set to their defaults and click OK.
6. Repeat for the Workspace ONE App policy by adding Password (AirWatch Connector)
authentication.
7. Click the top Green + icon to create another new rule.
then the user must authenticate using the following method… | Password (AirWatch Connector)
9. Leave the remaining fields set to their defaults and click OK.
10. Using the vertical arrow icons next to the Network Range heading, rearrange your rules so
they appear in the following order and click Save:
a. Workspace ONE
b. iOS
c. Web Browser
NOTE
VMware Enterprise Systems Connector must be configured on AirWatch version 8.4 and later for
authentication with VMware Identity Manager.
• Valid license for VMware Identity Manager.
• VMware Identity Manager local admin name and password.
• Identify custom directory attributes used between AirWatch and the directory service to map
with this configuration. See “Managing User Attributes Mapping.”
1. Go back into the AirWatch Admin Console where you have your device enrolled, expand the
OG hierarchy and select your Top-Level OG.
2. In the AirWatch admin console, navigate to Groups & Settings > All Settings > Enterprise
Integration > VMware Identity Manager.
3. Under the Server section, select Configure.
Option | Description
URL | Enter your VMware tenant URL.
Admin Username | Enter the VMware Identity Manager local admin user name. This is the Identity Manager tenant username you were assigned for class.
Admin Password | Enter the VMware Identity Manager local admin user’s password. This is the Identity Manager tenant admin password for the username above.
9. Scroll to bottom of page and click Sync Now to manually sync all users and groups to the
VMware Identity Manager service.
NOTE
The Sync Now command creates an AirWatch directory in the VMware Identity Manager
service, syncing all users and groups.
What to do next
• Review the Users and Groups tab in the VMware Identity Manager Admin Console to verify
the user and group names are synced.
• Review the Directories page in the VMware Identity Manager Admin Console to verify the user
and group names are synced.
NOTE
Alert the instructor if you either do not see the vidm.local directory or if the vidm.local
directory has 0 groups and 0 users.
NOTE
You created two directory users in Lab 3, Task 1. Select one of those users.
3. Select Administrator from the Role drop-down menu.
4. Click Save.
3. Select vidm.local for the Select your domain drop-down list and then click Next.
5. Click Sign In. Once Active Directory authenticates the user, Workspace ONE shows the
Unified Catalog for the user, but nothing has been configured for the user at this point.
NOTE
Do not use your corporate email address. However, you must use a valid email address as the
account requires activation. The username does NOT have to be an active or a valid email
address. However, it must be in the form of an email address, that is, name@company.com.
3. Accept the Terms of Use by selecting the check box and click the Sign me up button at the
bottom of the form.
4. Check your email inbox for the confirmation email.
5. If you have not done so already, please record your email address and username on your
worksheet.
NOTE
Be sure not to confuse your account username (in email format) with your email address (needs
to be valid for verification)
6. Click Verify Account in the verification email from Salesforce
7. Change/Create a password and click Change Password at the bottom of the page
• Your account is now created
8. Record your password on your Worksheet
9. Click on your profile icon on the right side of the page.
10. Click Switch to Salesforce Classic.
11. The first portion of the Salesforce Developer exercise is now complete. The classic view is
more familiar for most users, and subsequent directions in the workbook reference the classic
user interface.
NOTE
You will return to your Salesforce Developer account at various points throughout the
remainder of this lab. Be sure to follow the directions carefully. If there are any mistakes in the
Salesforce configuration, you cannot authenticate to the Salesforce application through the
Workspace ONE portal.
12. Click Setup. Navigate to Administer > Domain Management > My Domain. The My
Domain page appears.
13. Input a custom domain name and click Check Availability. If available, click Register
Domain to complete registration.
NOTE
You need to register a custom domain in Salesforce to direct the Salesforce application to
redirect to the correct URL (like autodiscovery in AirWatch). Registration can take several
minutes.
NOTE
You will receive an email that confirms the domain registration.
14. Click on the link provided in the confirmation email.
15. Log in to Salesforce with the username and password that you previously set up, and
navigate to Administer > Domain Management > My Domain.
16. Click Deploy to Users.
NOTE
This is a critical step. If this is missed, it will be very difficult to troubleshoot this error.
17. Accept the warning that comes up by clicking OK
NOTE
Once you click OK, the page will refresh and the Redirect Policy under My Domain Settings
will be updated.
NOTE
If the tab does not appear, click the SAML Metadata tab on the left side of the interface.
NOTE
This saved filename looks like the following: IdP.xml
3. Click on the Download button for the Signing certificate file under the certificate box to
download the .cer file.
• Make sure these files are easily accessible for future reference.
NOTE
To confirm you are in classic mode for Salesforce, click on your account picture on top right to
“View Profile” and select Switch to Salesforce Classic. If there is no picture in the top right
corner, you are already in classic mode.
2. At the top right of the browser window, click Setup.
3. Navigate to Administer > Security Controls > Single Sign-On Settings.
4. Select New from Metadata File. The SAML Sign-On Settings page appears.
NOTE
The SAML Single Sign-On Settings are populated.
7. Navigate to the Identity Provider Certificate.
8. Select Browse.
9. Upload the signingCertificate.cer file you downloaded in the previous exercise.
10. Navigate to SAML Identity Type.
11. Click the following radio button: Assertion contains the Federation ID from the User object.
12. Click Save.
13. Click on your SSO connector name and then select Download Metadata.
14. Save the metadata xml file to an accessible location.
• File type Example: SAMLSP-##@#@#######@@@@
15. Click the Single Sign-On Settings link on the left-hand side of the screen again. The Single
Sign-On Settings page appears.
16. At the top of the page, click Edit.
17. Select SAML Enabled and click Save
• The Single Sign-On Setting page appears with the SAML Enabled option selected.
18. Navigate to Domain Management and click on My Domain.
19. Navigate to Authentication Configuration > Edit.
a. In the Authentication Service field, check your SAML Single Sign-On Settings name.
EXAMPLE: awedu-student-###
IMPORTANT
Leave Login Page checked.
20. Click Save.
NOTE
Creating and activating the domain is complete.
IMPORTANT
The Active Directory Email Address will be populated as the Username. Because this is
searched globally within Salesforce to find any association, it must be unique for this lab.
5. Define the following:
• Role: CEO
• User License: Salesforce Platform
• Profile: Standard Platform User
6. Scroll down to Single Sign On Information section.
7. In the Federation ID text box, enter the user email address.
• This is the same email used in the General Information section. This is the same as your
AD user email address.
8. Click Save.
NOTE
The username must be prefixed with vidm.local\
(Example: vidm.local\myAdmin)
NOTE
It returns to the original add app screen, and the icon and name of the app are auto-populated.
Ensure there is not an extra line before or after the text. Backspace to delete the carriage
return (if applicable).
NOTE
Do not click Manual. If Manual is active, click URL/XML to open a text box to paste the
metadata.
10. Click Next.
11. Review the summary page.
12. Click Save and Assign.
• This pops up the Assign dialog box
13. Search for the Active Directory user you created and used to test the identity provider and
access policy.
14. Select the Active Directory user from the search box and change the deployment type to
Automatic from User-Activated.
15. Click Save in the dialog box.
NOTE
This pops a message that the assignment has been added.
16. Navigate to Apps and Books > Applications > Web > SaaS
17. Select the Salesforce application.
18. Click Edit.
19. Click Configuration.
20. Change the username value to ${user.email}.
21. Click Next.
22. Click Save.
NOTE
If you have been logged out, be sure to select the vidm.local domain and use the same AD
credentials to log back in as the user.
2. Click Catalog.
3. Click Open under the Salesforce icon.
NOTE
You are signed in to Salesforce as the end user.
NOTE
If Salesforce is installed on your device, uninstall it.
5. Click Next and select the Salesforce application from the provided search results.
If you are unable to locate the app you seek, either scroll through the results or alter your search
terms. You can also verify that you are searching the correct app store by checking that you are
searching in the correct country.
1. Review the Details tab options, including adding comments, reimbursement information,
ratings, categories and Terms of Use.
2. Click Save & Assign.
3. Click Add Assignment.
4. In the Select Assignment Groups field, choose All Devices (Company).
5. Change App Delivery Method to On Demand.
6. Click Add.
7. Click Save & Publish to push the configuration to your device.
8. Click Publish.
Task 2: Edit and Deploy the Salesforce and Workspace ONE apps to Integrate with VMware Identity Manager
In Task 2, you’ll continue with AppConfig settings before downloading the application from the
Unified Catalog.
1. In the AirWatch Admin Console, expand the OG hierarchy and select your Company OG.
NOTE
This is the OG where you deployed the Salesforce application earlier.
IMPORTANT
If you do not have an iOS device, making these changes to the application does not enable the
functionality since this flow is specific to iOS.
2. If you did not deploy the Salesforce app for your iOS device, refer to the MAM section of
this workbook to deploy the app, and alter the Assignment settings as directed below.
IMPORTANT
Do NOT enter https://
NOTE
Salesforce is now ready for your device, which enrolls with the Active Directory user you
created.
IMPORTANT
If you do not have an iOS device, following these settings deploys the Workspace ONE app,
but the SSO integration for the native app will not work, since the lab focuses on the iOS
SSO integration.
1. Expand the OG hierarchy and select your Company OG.
2. Navigate to Apps & Books > Applications > Native.
3. Click the Public tab.
4. Click Add Application.
5. Change Platform to Apple iOS and type Workspace ONE into the Name text box.
6. Click Next.
7. Find the app called VMware Workspace ONE (com.air-watch.appcenter), and click Select.
NOTE
Click + Insert Lookup Value to create two application configuration entries.
13. Click Add, and then Save & Publish.
14. Click Publish.
NOTE
VMware Workspace ONE now appears as a Public application in the List view.
Field | Description
Enable KDC | Select this check box to enable users to sign in using iOS devices that support Kerberos authentication.
Realm | VIDMPREVIEW.COM
Root and Intermediate CA Certificate | Upload the certificate authority issuer certificate file. Example: VidmAirWatchRootCertificate.cer
Uploaded CA Certificate Subject DNs | The contents of the uploaded certificate file are displayed here. More than one file can be uploaded and whatever certificates that are included are added to the list.
Cancel Message | Create a custom message that displays when the Kerberos authentication is taking too long. If you do not create a custom message, the default message is Attempting to authenticate your credentials.
NOTE
Password (AirWatch Connector) and Device Compliance (With AirWatch) were enabled in a
previous chapter.
9. Click Save.
10. Navigate to Identity & Access Management > Identity Providers > Built-in to the KDC
Certificate Export and click Download Certificate to save this file to your Working Folder. It
is named KDC-root-cert.cer.
and the user is trying to access content from… | Workspace ONE App/ iOS/ Web Browser
then the user may authenticate using the following method… | Mobile SSO (for iOS) – Make sure this method comes first.
4. Leave the remaining fields set to their defaults and click OK.
6. Click Save.
9. In the left navigation pane, select Single Sign-On and click Configure.
NOTE
Case sensitive.
NOTE
You defined the user credentials when you went through the Active Directory lab exercise. The
password is case-sensitive and can only be changed on the Domain Controller server.
5. Select the option prompted to continue with the enrollment process, such as Redirect & Enable
for iOS.
IMPORTANT
Navigate to the Catalog Tab to locate the Salesforce App
4. Click Open below the Salesforce website icon.
Because Safari was specified for use via the SSO profile, you are signed into the web version of
Salesforce.
5. Click the home button on your iOS device to exit the app.
NOTE
Accept any prompt to complete installation.
3. Click the Salesforce app to launch and Accept the Salesforce EULA.
4. Since we didn’t completely disable the Salesforce login screen in Salesforce, you will see two
options:
• Authenticate using a Salesforce username / password
• Your SSO Configuration Defined in Salesforce
5. Click Your SSO Configuration Defined in Salesforce
NOTE
Observe that you are signed into the Salesforce app.
The Mobile Application Management (MAM) lab requires the core configurations you performed
during the completion of previous lab work. Required configurations include an OG hierarchy set up
with a defined Group ID, a test user, and an enrolled device.
4. Scroll down and find the app you recommended. Note that personal feedback about the app is
shown under the OG where the app is managed.
5. Under the Install Status column, verify whether your app is installed or not installed. It should
show assigned. Select the hyperlink options to install the app, remove it from the device, or
notify the user about the availability of the app in the AirWatch Catalog.
NOTE
Applications may require a check-in (query) to show an updated status, if the application is
installed on the device, but does not show an updated status dashboard.
6. Review the available options to the far right:
• Manage Devices: Install/remove the application and notify end users about app availability
on their devices.
• Deactivate: Remove all versions of the application from all managed devices.
• User Ratings: View app ratings and user-provided feedback.
• View Events: Display events for apps and export activity as a .CSV.
• Delete: Remove the app from the admin console.
NOTE
A similar flow could be done for other platforms if you have a signed application that has been
internally developed by your organization, such as an .ipa for iOS. If you do not have an
Android device enrolled, you are able to load the app by completing this lab module, but it will
not push down to your device since the app was built for Android platform.
5. Click the Details tab, update the Name of the app to MDM Info, and review the additional
fields.
NOTE
Depending on the app developer this information could be coded into the app, so it
automatically populates.
6. Click the Files tab and review the options. For other platforms, different options may be
available.
7. Click the Images tab and review the options, such as loading application images to represent
the apps in the AirWatch Catalog.
NOTE
Developer files may be required. A SDK and App Wrapping profile would be selected to turn
on SDK functionality.
10. Click Save & Assign, and then click Add Assignment.
11. Click the Smart Group tab and choose the All Devices @ Company Smart Group you defined
during the MDM lab exercise.
12. Click Auto for Push Mode and click Add.
NOTE
If the app was pushed in an On Demand capacity, the application would be installed either
through the AirWatch Catalog or the Workspace ONE application.
NOTE
Applications may require a check-in (query) to show an up-to-date status. This is necessary if
the application is installed on the device, but is not reflected as such on the status dashboard.
NOTE
If the icon and application are not shown, change the view by selecting the filter option in the
top right corner, next to the house and star icons.
5. Click on the pencil to the far-left side of the app to make changes to the deployment.
6. Click on the name of the app, MDM Info, to review the following options in the upper right
hand corner:
• Edit
• Assign
• Add Version: Update your internal application with a new version.
• Retire: Retire a version of the app, push an older app version out to the device, and
update the AirWatch Catalog.
• Deactivate: Deactivate all versions of the app and remove the app from the device and
AirWatch Catalog.
• User Ratings: View and delete user ratings and comments about applications.
• Events: Show device and console events for apps and export events as a .csv file.
NOTE
Once integrated, this is where purchased applications are found.
3. Navigate to Apps & Books > All Apps & Books Settings > Catalog and click the VPP
Managed Distribution tab.
4. Review the setting to integrate directly with Apple by uploading an Apple VPP token to
manage VPP license codes in bulk.
IMPORTANT
If you have an active VPP token for your company, do not upload it into the training
environment.
5. Navigate to Apps & Books > Applications Settings > Default Policy. The Security Policies
page appears.
6. Review the defined SDK settings for the OG.
7. Navigate to Settings and review additional SDK settings for the OG.
8. Navigate to Profiles, and review the options to create unique SDK profiles, which could be
enabled for individual iOS and Android internal applications.
NOTE
If you have an Android device, there must be an open space on your device’s home screen to
accommodate the AirWatch Catalog. The AirWatch Catalog may also be opened from the
AirWatch Agent. There may also be the MDM Info app you deployed earlier, if it’s supported
for your device.
8. Browse the AirWatch Catalog on your device and perform the following:
9. Change filter options.
10. Select an application, view its description, and provide internal feedback.
11. Install or re-install any missing applications.
NOTE
The Workspace ONE app combines all the apps that are integrated with the App Catalog. When
Workspace ONE is fully integrated and deployed, you could disable the App Catalog and use
the Workspace ONE unified catalog.
For the purposes of this course, DISABLE the App Catalog.
NOTE
An Application Group for whitelisted and/or required apps may also be configured separately.
5. Select the type as Blacklisted Apps.
6. Click Add Application and search and select the following applications:
• Pandora Radio
• Facebook
• Dropbox
8. Click Next, review the options under the Assignment tab, and click Finish.
At this point, you have identified Pandora Radio, Facebook, and Dropbox as blacklisted apps.
You have not yet defined what actions are taken if any of these applications are installed. If you
do not pull Personal Application data, you are unable to monitor which applications are
installed onto devices within your deployment. Refer to Privacy settings in the AirWatch Admin
Console to determine if Personal Application data is pulled based on device ownership.
NOTE
Additional Smart Groups or Exclusions could be defined. Click View Device Assignment to
view impacted devices to adjust the assigned Smart Groups.
10. Click Next to review the summary.
11. Under the General tab, change the Name and Description to match the scope for the
compliance policy.
12. Refer to the Device Summary information to see how your device will be impacted by the
compliance rule.
If your device is compliant, no actions will be triggered. If your device is noncompliant, the
first compliance action would trigger within 5 minutes of detection.
NOTE
Select platforms, such as variants of Android, Windows Phone 8.1/10, Windows Desktop (10),
iOS 9.3+ with supervision, support similar application control for 8.3FP2/3+ by deploying
Restrictions and the Application Control profile payloads. The “Carrot and Stick” method of
setting up an application compliance rule may be used in conjunction with Restricted Mode
for Public iOS Applications to enforce compliance for other devices and non-supervised iOS
devices.
4. Click the Apps tab and view the application status for your device.
5. Review the options to remove or re-push “managed” applications.