Monday, October 14, 2019

Adding iOS Applications to Workspace ONE UEM

There are three main ways to get an application installed onto an iOS device. The most common way will be to install applications on devices directly from the iOS App Store, or, if your organisation has developed its own application in-house or through a developer, you can deploy this as an internal application.

Once the application is added to the Workspace ONE UEM Console, it will be available for end users to install. All pretty straightforward; however, there are more ways we can make this process even easier.

Tuesday, October 8, 2019

The nuances of enrolling Android Devices in Workspace ONE

So Android is Android, right? Well, not exactly. There are technically four modes where you can utilise Android on a managed device, but one doesn't really count anymore because it's been deprecated by Google.

Android has come a long way in the last few years and has some very interesting and unique features. Some of these features are only available in certain modes, and those modes can only be enabled on a device during enrollment.

This may be a little confusing to start with but I'll explain a bit more in the rest of this article.

Wednesday, October 2, 2019

Introduction to Organisation Groups and Smart Groups

Workspace ONE UEM, right back to the early days when it was AirWatch, is inherently multi-tenanted. We achieve this through Organisation Groups.

Our Shared SaaS tenants run the same codebase as what you'd get to deploy On-Premises, so even we rely on Org Groups to achieve the required separation.

With this in mind, there are many reasons why you as a customer may need to rely on this capability. Read on to find out more.

Tuesday, October 1, 2019

How to build your Workspace ONE Sandbox

Workspace ONE is incredibly powerful. But with so many features and functions, it's no wonder people can get lost when working out where to start on configuring it to test with their own scenarios in their own environment.

As part of VMware Testdrive, besides getting access to a pre-configured testing environment and walkthroughs, you also get a fully fledged trial environment we refer to as a Sandbox.

This has all the capabilities of Workspace ONE, and you can integrate it with all services to test it in your environment with real users and real devices.

So, this is where this guide comes in. Even I struggle to explain or give a place for my customers to go for all they need to get started. I'll add to the below information over time but this will be enough to get you started with Workspace ONE as part of a pilot or proof of concept.

Configuring Mobile SSO for iOS Devices in Workspace ONE

One of the big differentiators we have with Workspace ONE is the ability to use MobileSSO to drastically improve security and the user experience.

MobileSSO with Workspace ONE leverages certificates deployed to devices to seamlessly sign the user into the Workspace ONE Intelligent Hub and any federated SaaS services.

This solution requires both Workspace ONE UEM (to deploy and manage the lifecycle of the certificates) and Workspace ONE Access (to challenge the device for the certificate and authenticate the user). On iOS, MobileSSO technically uses Kerberos by validating the certificate on the device and generating a Kerberos token the device can then present back for authentication.

In this post I'll discuss how to configure Workspace ONE Access for iOS MobileSSO and how to create a profile in Workspace ONE UEM to deploy the required certificate and approve the domains and applications that can use it.

Basics of Device Profiles in Workspace ONE UEM

Profiles are configurations that Workspace ONE UEM sends to our devices to configure them.

They're usually very small in size, and contain information that the device Operating System can understand to effect changes.

The important part to note here is that we are typically bound by what the vendor makes available via their APIs as to what we can configure. To put it more simply, the capability to make changes to settings needs to be made available by the vendor - then we can push a profile to configure it.

Seeing as our environment is configured to enroll iOS devices, Android Enterprise Devices, and Windows 10 devices, I'll cover some basics of profiles that are relevant to all.

Configuring Workspace ONE UEM for Windows 10 enrollment

There are a few configuration and settings changes that we need to make so that our environment can support Windows 10 device management.

Given we've already set up our email domain for email-based enrollment on iOS and Android, we now need to configure Windows Auto-Discovery Services (WADS), which allows us to use email addresses for Windows Enrollment.

Typically, you will want to use the Cloud-Hosted version of WADS, and this is what we'll cover in this post.