Friday, November 23, 2018

Transitioning to Workspace ONE Intelligent Hub in Workspace ONE UEM

If you missed all of our announcements around this in the last few weeks, VMware Workspace ONE Intelligent Hub is the replacement of the VMware AirWatch Agent. The first phase of the rollout is to be an in-place upgrade for iOS and Android devices that are already enrolled into Workspace ONE UEM. By default, the changeover to Intelligent Hub on iOS and Android brought a new icon and branding change and didn't require any re-enrollment of devices and functioned with the same capabilities as the Agent. We also flowed the look and feel changes through to macOS and Windows 10 device Agents too.

However, for the last 18 months or so we've had the Workspace ONE App. This App includes a heap of capabilities that the Agent didn't have. It was the entry point and enrolment method for Adaptive Management and Unified Catalog, and was a key part of our Conditional Access strategy, allowing different levels of access to resources based on Ownership Type, Network Location, Management Status etc.

In the Release Announcements VMware also mentioned unifying the capabilities of the AirWatch Agent and the Workspace ONE App into a single unified Intelligent Hub. If you go back to the first paragraph you would notice I said by default it only replaced the capabilities of the Agent. At VMworld Las Vegas we showed off the full Intelligent Hub capabilities, and with the Workspace ONE UEM Console 1810 Release the full Workspace ONE Intelligent Hub capabilities are now GA on iOS and Android to all, with Windows 10 and macOS to be released at a later date.

I hadn't set this up in my lab yet as I was on leave during the whole release period, and being a tinkerer I wanted to make sure I had the latest capabilities for some upcoming customer demos. The configuration wasn't exactly straightforward (in all honesty I hadn't read any documentation and hadn't completed the training on what the current capabilities were, but shhh...), so I thought I'd just quickly write up the steps to bring all the Workspace ONE App capabilities into the Workspace ONE Intelligent Hub to unify the capabilities of all agents.

Wednesday, November 21, 2018

Using Azure AD B2B Guest Accounts in VMware Identity Manager

Creating and managing the lifecycle of user accounts for users outside your organisation is painful. Whether they are for contractors or external vendors, the time spent creating them, resetting passwords and then deprovisioning them is very time consuming - let alone the security implications if the accounts aren't removed.

A little while ago I was introduced to Azure AD Guest Accounts by a colleague. Guest Accounts are part of the Azure Active Directory Business to Business (B2B) capability where you can invite users from another Organisation's Azure Active Directory to have access to resources in yours. This means that if you have a Cloud Application federated with your Azure Tenant, you can simply invite their account and once they accept they can log in with their existing credentials and gain access.

This sounded great. But what I realised was that we were able to leverage this for using Guest Accounts in VMware Identity Manager. When using Azure Active Directory as a 3rd Party IDP in Identity Manager, you can invite a user to your Directory and they can log into Identity Manager and access the portal and any SaaS Applications you assign. You don't need to manage their account - if they forget their password, it's done at their Company's end, and you can even enforce additional Multifactor Authentication.

The requirements for Guest Accounts in Identity Manager are:

  • Your ‘Organisation’ must be using Azure Active Directory (doesn’t require Premium).
  • The ‘Guest’ account you are inviting must be an Azure AD account from another directory or be a Microsoft Account.
  • The ‘Service’ you’re entitling the Guest User to must have an account with a valid SAML attribute/NameID format. You can also use JIT to provision accounts into this service as well.
  • You need to have configured Azure Active Directory as a 3rd Party IDP in Identity Manager.

Let's go through how this all fits together.

Wednesday, November 14, 2018

Using JIT to Provision User Accounts into Workspace ONE UEM

A few days ago I mentioned in an article the shocking news that not everyone has Active Directory for their user accounts. I talked about Just-In-Time Provisioning into Identity Manager using Google Cloud Identity as the IDP. Now, this is great for getting user accounts into VMware Identity Manager, but without an AD/LDAP directory for the Enterprise Systems Connector to sync from, Workspace ONE UEM doesn't have a way to get user accounts automatically.

Well that's not technically true.

A while ago a colleague and I had this exact scenario - a customer only used Google Cloud Directory and needed to get accounts into Identity Manager and Workspace ONE UEM. What we discovered was that we were able to also JIT user accounts into Workspace ONE UEM during enrollment. This meant we didn't have to manually create accounts in Identity Manager or Workspace ONE UEM, which mattered because we couldn't use the Enterprise Systems Connector without an LDAP source.

Here's how we did it.

Tuesday, November 13, 2018

Google Cloud Directory as a 3rd Party IDP in VMware Identity Manager

Believe it or not, not everyone uses Microsoft Active Directory for their User Directory. Even more shocking is that many customers are using GSuite - not Office365 - for their Productivity Apps, Google Pixelbooks as their devices, and if they're smart Google Pixel devices for their mobile devices. Obviously all managed by VMware Workspace ONE UEM.

All jokes and shameless plugs aside, I am starting to see a few customers now who live only in the Google ecosystem and don't need or want to keep other services. They only use GSuite and as a result they don't have Active Directory to sync to Identity Manager and I'm being asked by colleagues around the region on how to use all the benefits of Workspace ONE UEM while still being able to leverage their Google investment.

Below, I am going to start off by showing you how to configure Google as a 3rd Party IDP in Identity Manager. There will be a follow-up article to this in the coming days which will talk about how to also use this configuration with the Workspace ONE UEM (AirWatch) components to round out the full set of capabilities.

This article will show you all the steps to add Google as a 3rd Party IDP in vIDM, add users via Just-In-Time Provisioning and sign into Identity Manager.

Let's dig in.

What is Just-In-Time Provisioning?

Managing user accounts and identities is a pretty tedious task. One of the biggest benefits we talk about with Single Sign On and SAML authentication is the ability to federate services to Identity Manager, but in order for a user to be able to sign into those services (Salesforce, AirWatch Workspace ONE UEM etc.) a user account needs to exist in that service for the user to sign in to.

With any Identity Provider - Identity Manager, Azure AD, Google IDP etc. - typically those user accounts are synchronised with an on-premises directory. If you're not synchronising them from another directory using some form of sync tool, you are creating them manually, either via bulk upload or, even worse, by typing them in.

The same requirement exists when you're using a cloud service. A user cannot log in without an account. Something somewhere is the source of truth for all users' identities, but having multiple sync tools out there syncing user accounts is not great. Wouldn't it be great if there was an easier way?

This is where Just-In-Time (JIT) provisioning comes in.

Friday, November 9, 2018

Microsoft Autopilot with VMware Workspace ONE UEM

One of the biggest misconceptions I seem to come across is that Windows Autopilot is only available to devices being managed by Microsoft Intune.

For those who aren't aware, Autopilot is a capability from Microsoft that allows pre-configuration of Windows 10 devices in conjunction with the Out-Of-Box-Enrollment (OOBE) experience. One of its biggest capabilities is that you can ship a Windows 10 device directly to an end-user and, as soon as it is powered on, it will show the user a customised login screen during OOBE requesting the user to enter their credentials. Once successfully authenticated, the result is that the device will be joined to Azure AD, automatically enrolled into Workspace ONE, and all the user's apps and configurations are automatically installed.

There are a few steps to getting this configured, and my obvious assumption here is that you have integrated Microsoft Azure AD with VMware Workspace ONE. I won't be going into detail about how to integrate Workspace ONE UEM and Azure AD to enable the general OOBE capabilities as this is already well documented; however, below I will cover off the steps and requirements to configure Autopilot and how to assign the Autopilot profiles out to a device to get the best outcome for your end users.

Let's have a look at how it all fits together.

Monday, November 5, 2018

Azure Active Directory as a 3rd Party IDP in VMware Identity Manager

For my very first (technical) post I wanted to start with a bang.

As I mentioned in my introduction, I am a Subject Matter Expert (herein and forever referred to as SME to save on typing) in VMware Identity Manager (vIDM) and all the things that come along with it. Because of this, along with my enjoyment of tinkering, integrating and playing with things, I talk about Identity and Authentication a lot with my customers, and the one thing that keeps coming up is how they can integrate vIDM with Azure Active Directory. Whether customers are actually using AAD or not is a different story, but it seems that everyone is at least looking at it.

I'm not going to get on my soapbox about how Azure Active Directory is not a replacement for Microsoft Active Directory Domain Services (yet), but I will outline the steps required below to integrate vIDM and Azure AD and allow users to authenticate with their AAD credentials.

Why do they want to do this? There could be a few reasons:

  • They want to use Microsoft Risk Based/Conditional Access Policies.
  • Their SaaS Applications are federated with Azure AD and they don't want to change this to vIDM.
  • Because they can (just like I wanted to prove).

VMware Identity Manager is a great product and can do all kinds of things that Azure AD doesn't, but I think it's important to point out how we can use the best available for the customer's requirements.

Anyway, enough justification; in the steps below I'll show you how to do it.

Adding Azure AD as a Third-Party IDP in Identity Manager

This is a straightforward process. In your Azure Portal you need to create an 'Enterprise Application' (your Identity Manager Tenant) and then add Azure AD as a third-party IDP in Identity Manager.

1. Log in to your Azure Portal and select Azure Active Directory.

2. Find 'Enterprise Applications' in the list under Manage and then select 'New Application'.

@echo `hello world`

So, it has finally happened.

A couple of weeks ago I presented again at my 3rd VMware vForum in Sydney on Horizon on VMware Cloud on AWS and also on VMware Identity Manager. After my presentations I stayed around for some Q&A and kept being asked "Where can I learn more about this!? Do you have a blog or something?", to which I gave the same response that I have had for a couple of years, "it's coming". And here we are - I decided to just get on with it - I've finally made the leap.

Before we get too far, I should give some background on who I am. My name is Pete Lindley, I am a Senior End-User Computing Specialist System Engineer at VMware based in Brisbane, Queensland, Australia. I started at VMware in January 2015 where I was originally an AirWatch SE; however, over the years I have progressed to now looking after the entire VMware End-User Computing Product Portfolio. Although covering the whole gamut, I am a Subject Matter Expert in macOS, Windows 10 Modern Management, and Pulse IoT, but am probably better known for my specialisation in VMware Identity Manager and Identity and Access Management in the APJ region.

The whole idea behind this blog is to have a place where I can share useful information about any new technologies or product updates and releases, but not just from VMware. It is a big world out there and, although I am an employee of VMware, I want to talk about integrations from all vendors where they give the best outcome for users.

Anyway, enough for now. I'm off to start adding some more content. Please feel free to make comments and I'll respond where I can.