Monday, October 14, 2019

Adding iOS Applications to Workspace ONE UEM

There are three main ways to get an application installed onto an iOS device. The most common way will be to install applications on devices directly from the iOS App Store, or if your organisation has developed their own application in-house or through a developer you can deploy this as an internal application.

Once the application is added to the Workspace ONE UEM Console it is will be available to install by end users. All pretty straight forward however there is more ways can we make this process even easier.


Tuesday, October 8, 2019

The nuances of enrolling Android Devices in Workspace ONE

So Android is Android right? Well not exactly. There are technically four modes where you can utilise Android on a managed device, but one doesn't really count anymore because its been deprecated by Google.

Android has come along way in the last few years and has some very interesting and unique features. Some of these features are only available in the different modes, where those modes can only enabled on a device during enrollment.

This may be a little confusing to start with but I'll explain a bit more in the rest of this article.

Wednesday, October 2, 2019

Introduction to Organisation Groups and Smart Groups



Workspace ONE UEM right back to the early days when it was Airwatch is inherently multi-tenanted. We achieve this through Organisation Groups.

Our Shared SaaS tenants are the same codebase as what you'd get to deploy On-Premises so even we rely on Org Groups to achieve the required separation.

With this in mind, there are many reasons why you as a customer may need to rely on this capability. Read on to find out more.


Tuesday, October 1, 2019

How to build your Workspace ONE Sandbox

Workspace ONE is incredibly powerful. But with so many features and functions, its no wonder people can get lost when working out where to start on configuring it to test with your scenarios in your environment.

As part of VMware Testdrive, other than getting access to a pre-configured testing environment and walkthroughs you also get a full fledged trial environment we refer to as a Sandbox.


This has all the capabilities of Workspace ONE where you can integrate it with all services to test it in your environment with real users and real devices.

So, this is where this guide comes in. Even I struggle to explain or give a place for my customers to go for all they need to get started. I'll add to the below information over time but this will be enough to get you started with Workspace ONE as part of a pilot or proof of concept.

Configuring Mobile SSO for iOS Devices in Workspace ONE



One of big differentiators we have with Workspace ONE is ability to use MobileSSO to drastically improve security and the user experience.

MobileSSO with Workspace ONE leverages certificates deployed to devices to seamlessly sign the user into the Workspace ONE Intelligent Hub and any federated SaaS services.

This solution requires both Workspace ONE UEM (to deploy and manage the lifecycle of the certificates) and Workspace ONE Access (to challenge the device for the certificate and authenticate the user). On iOS MobileSSO technically uses Kerberos by validating the certificate on the device and generating a Kerberos token the device can then present back for authentication.

In this post I'll discuss how to configure Workspace ONE Access for iOS MobileSSO and how to create a profile in Workspace ONE UEM to deploy the required certificate and approve the domains and applications that can use it.


Basics of Device Profiles in Workspace ONE UEM



Profiles are configurations that are sent to our devices in Workspace ONE UEM to configure our devices.

They're very small in size usually, and contain information that the device Operating System can understand to effect changes.

The important part to note here is that we are typically bound by what the vendor makes available via their APIs as to what we can configure. To put it more simply, the capability to make changes to settings needs to be made available by the vendor - then we can push a profile to configure it.

Seeing our environment is configured to enroll iOS devices, Android Enterprise Devices, and Windows 10 devices I'll cover some basics of profiles that are relevant to all.


Configuring Workspace ONE UEM for Windows 10 enrollment



There are a few configuration and settings changes that we need to do to make our environment able to support Windows 10 device management.

Given we've already set up our email domain for email based enrollment on iOS and Android, we now need to configure Windows Auto-Discovery Services (WADS) which allows us to use email addresses for Windows Enrollment.

Typically you will want to use the Cloud-Hosted version of WADS and this is what we'll cover in this post.


Setting up email based autodiscovery enrollment in Workspace ONE UEM

What is something that all users know? OK, what's something they should know.

Yes, it's their email address.

When we configure email based enrollment, it allows users to enter their email address during enrollment and it will autodiscover their correct environment.

It's pretty straightforward, but I wanted to make sure it was documented because its actually required for Windows enrollment.


How to configure Workspace ONE UEM to enable Android Enterprise device management

Setting up Android Enterprise device enrollment got a lot easier about a year ago. Previously you needed to create a full blown GSuite deployment, do a heap of DNS stuff and certificates.

Now its as simple as creating a Gmail account, entering it into the Workspace ONE Console and approving some applications.

 That's not to say that the Gsuite method shouldn't be used - there are definite scenarios where this is preferred - but for testing and POC purposes (any many others) using the Gmail method is perfectly fine.

Generating an Apple Push Notifications Certificate to enroll and manage Apple Devices

Most of the time it seems like magic that Apple devices 'just work'. However, there is one fundamental service that makes this happen - the Apple Push Notification Service. This is a set of services that Apple use (and that Apple devices leverage) to communicate with MDM, App Store, Email infrastructure etc.

The part that Mobility Administrators need to do to utilise this in Workspace ONE is generate their own Apple Push Notification Services certificate to secure traffic and communicate with Apple.

It essentially allows the entire mobility infrastructure to communicate freely in a "push" fashion rather than on-demand or schedule.

Now the important part here is that this certificate needs to be renewed every 12 months. I say important because if you don't renew it and let it expire, you have to reenroll every Apple device (manually) for them to function properly again.

Enough chit-chat, lets generate an APNs certificate and upload it to the Workspace ONE UEM Console.


Monday, September 30, 2019

Enabling Password (Cloud Deployment) Auth Method in Workspace ONE Access

In our current configuration, when we try to authenticate as a user in Workspace ONE Access it will probably fail. This is because we don't have an authentication method available to users that is able to authentication successfully.

The simplest way to do this is to enable Password (cloud deployment) so that our users are able to authenticate with their Active Directory credentials using the Identity Manager Connector we installed and configured. What's great about this method is that its outbound meaning that a user authentication request never comes inbound so there's no inbound firewall rules.

Let's look at how to configure this authentication method and set up our default access policy to use it.

Integrating Workspace ONE UEM and Workspace ONE Access

So you've got your Airwatch Cloud Connector installed and configured and you have your Identity Manager Connector installed and configured, but right now Workspace ONE UEM and Workspace ONE Access are not talking to each other.

We need to configure this integration so that we can start enrolling devices, using Workspace ONE Intelligent Hub, Unified App Catalog and Mobile SSO.

Luckily, this process is pretty straight foward. The wizard that does this integration works well and does all the heavy lifting.

Lets check out the process.

Installing Airwatch Cloud Connector and Configuring Directory Services in Workspace ONE UEM

Welcome to the first installment to my end-to-end lab and Testdrive Sandbox configuration series.

In this post we'll look at installing the Airwatch Cloud Connector (ACC) and integrating with your On-Premises Active Directory.

I do get asked this a bit as to why you would use the ACC and Active Directory if you're using SAML authentication with either Identity Manager/AzureAD/Okta etc. Although in this article I won't cover SAML integration I'll point out why we still recommend full directory integration.

Firstly, it allows users to authenticate securely with their directory credentials. It also pre-populates all the required user metadata in the console (email address, UPN, immutableID, phone number etc.). Using SAML without directory integration would mean the user gets created in Workspace ONE UEM using SAML JIT therefore it won't bring in the rest of those attributes. The other main reason we recommend using this is so that Administrators can use Active Directory groups for Assignment Groups in Workspace ONE UEM. As an example, you could assign a policy or application to your HR Department if that group exists in AD. If you don't have these groups, you would need to manually go into the Workspace ONE Console and assign the configurations to those users one by one.

The ACC also facilitates integration with On-Premises Certificate Authorities, Syslog servers and SMTP services (amongst other things)

So, back to the actual configuration.

Using Google Cloud Identity Secure LDAP with Workspace ONE

Most of my posts on my blog here have been about how to integrate other Identity Solutions with Workspace ONE.  However, the thing that all of these typically had in common was that they were synchronised with an On-Premises Active Directory.

This works well, but what happens when a customer has no On-Premises AD or is trying to get away from using one?

About a year ago, Google Announced their Cloud Identity Premium product which included a preview of LDAP connectivity. I played around with it then and it was good but for our purposes I could never get it to work - it requires the client service to use certificates to authenticate which is something that Workspace ONE doesn't support.

Recently a few customers have been asking whether there was ways to use Google Directories within Workspace ONE other than Just-In-Time provisioning and seeing that Secure LDAP from Google was now Generally Available globally it thought I'd give it another look.

Turns out I was able to get it to work! Read on to work out how, with some help from my colleagues, I was able to get it all integrated.

Thursday, September 26, 2019

Installing Identity Manager Connector and Configuring Directory Services in Workspace ONE Access


In this article we're going to talk about installing the VMware Identity Manager Connector in your environment to allow you connect to your On-Premises Active Directory. This connector also has a few other purposes like additional inbound authentication methods and the ability to synchronise Horizon Applications and Desktops.

We're just going to talk go through installation and configuring synchronisation with Active Directory in this article. I'll cover the rest in a later post.


Wednesday, June 26, 2019

Replacing CRTs with iPads for Patient Entertainment Systems in Healthcare

Back in my day our TVs were big square boxes. The one my family owned had a wood look vinyl covering and I think a "remote" control that had a cable. I didn't even know how to program the VCR.

I'm not that old yet my (grey) beard suggests otherwise - but I still see oldschool TVs in hospitals. You know why? Its because Patient Entertainment Systems cost a FORTUNE when they are first implemented. And if you still do it the same way, it will cost a fortune again. They are hard to repair or replace, and the content is old and static.

This post is an extension to my post from yesterday around using GroundControl with Workspace ONE. Using iPads for a Patient Entertainment System (hereby referred to as PES) was actually the first use case that introduced me to GroundControl. There is a great case study out of the US for Pheonix Children's Hospital where they are doing exactly this.

I won't get into as much detail as my last post around how GroundControl works, but read on and you'll find out exactly why Hospitals are moving toward iPads with Workspace ONE and GroundControl.

Monday, June 24, 2019

Secure, Automated and Passwordless Mobile Clinical Device Provisioning

If you've ever been in a hospital, I'm sure you would have seen clinical staff (literally at times) running between rooms, back to nursing stations or if they're lucky into the hall to enter notes or lookup information on a WOW (Workstation on Wheels). Apart from the time it takes to get back to any of these places, they have to leave the patient bedside and remember what they need to capture in the medical records. Typically, to try and gain some time back computers are logged in as generic accounts (shudder) and there is no user personalisation or account auditing on these devices. To me, this just sounds like a recipe for disaster.

In recent years, we've seen the uptake of VDI (year of the desktop anyone?) and that brought some improvements around session portability between devices but there is no true mobility use case like a mobile tablet or phone that the clinician or doctor can take with them and complete their tasks at the bedside.

True, a device for every employee would be expensive. And they could just use their own devices to take notes or photos, but from a regulatory and compliance perspective this is really not a good idea.

This is where GroundControl and VMware Workspace ONE come in to save the day.

Imagine being a nurse, doctor or any healthcare employee for that matter. You now walk up to a pool of iOS devices, tap your RFID Employee badge onto the proximity card reader and in seconds a device is allocated to you which is completely personalised with your authentication credentials, your relevant applications and is ready to use without having to enter and passwords or further configuration. When you're done, just dock it back where you got it and it is securely erased to factory defaults ready for the next user.

Sound too good to be true?

Nope. Read to find out how and see this is action.


Friday, June 21, 2019

Velocloud Dynamic Multi-Pathing and Identity Manager

I was lucky enough a few weeks ago to get a Velocloud SD-WAN by VMware router for my homelab. This post won't be about all the features and capabilities of Velocloud, but there is one particular capability that, although useful, causes a few challenges with Horizon and Identity Manager.

I'm talking about Dynamic Multi Path Optimisation. Being an End User Computing specialist, I'm not going to pretend I am a networking expert but I will try to explain it as best as I can. On my Veloloud Edge Router in my lab, traffic is dynamically routed through the Velocloud Edge Gateway hosted by VMware on the megaclouds like AWS. Read the document linked above, but what it allows is Velocloud to optimise and improve internet and network traffic when routed through one of these Gateways.

However, after setting one of these bad boys in my homelab I noticed that things weren't quite working quite as expected for Horizon and Identity Manager.

Monday, May 13, 2019

Managing Augmented Reality with VMware

Image result for deal with it glassesSeriously, it took me more time to think of a title for this post than it actually took to enrol and manage the Hololens. And this is what I came up with. Anyway, I digress.

A couple of weeks ago I was lucky to get my hands on a Microsoft Hololens Developer Kit device from our campus in Palo Alto. In case you weren't aware, VMware has an amazing and incredibly talented team in our Research and Development area working on many emerging technologies with Augmented Reality being one of them. Using my contacts within the CTO Ambassador Program I had the opportunity to meet many of them in person and see what they're working on, and as a result I was able to present our capabilities locally here in Australia at a Technology in Healthcare roadshow.

At this event I presented on how Blockchain, Machine Learning and Artificial Intelligence, Internet of Things, Virtual and Augmented Reality and Digital Twins will shape the future of Healthcare. After the presentation the VMware stand was inundated with clinicians and nurses right through to training coordinators trying out the Hololens and discussing how we can enable these kinds of devices now into organisations.

It doesn't seem to be that well known or understood how VMware can do this, so I thought I'd do a write up and give a bit of an example of what we're able to do.


Friday, April 12, 2019

Federating Multiple Identity Managers for VMware Services

For those who may have wondered, yes I am still alive.

Image result for twoIt's been a massive few months with overseas travel, new certifications and being admitted as a VMware CTO Ambassador. I'll make sure I write about all of this another time.

For background there has been a decision made by VMware recently where a lot of our Non-EUC solutions include a VMware Identity Manager licensing entitlement. What this is meant to allow is something like VMware Log Insight to be able to authenticate with Identity Manager allowing simplified SSO for administrators. This entitlement to Identity Manager is for the On-Premises version only.

So now, let's go into this scenario posed to me recently. What if that customer already has an entitlement to a SaaS Identity Manager tenant? Do they need both? Without opening a can of worms and entering the realms of licensing, the answer is "probably" and it's actually not a bad thing. Their situation was that they had some users who needed access to Log Insight that had an entitlement to a Workspace ONE SaaS license but not all of them. This meant we had to leave Log Insight federated with the On-Premises Identity Manager. If there is where we stopped everything would have worked, but the user experience would be pretty ordinary as they'd need to authenticate to both Identity Managers.

That's not how we roll at VMware! Lets make it simple!

Monday, January 7, 2019

Delivering complex Windows 10 app install routines in Workspace ONE UEM

With Windows being around for 30 years, it is no surprise that the software and configuration baggage its brings along with it to enterprise is extensive.

Unlike the truly modern mobile world, Apps for Windows 10 are typically not just a single file that lands on the device and runs with configuration being sent over APIs along with the install. Microsoft in some way have tried to transition to this with its Universal Windows Platform (UWP) Apps from the Microsoft Store and Microsoft Store for Business, but in my experience I have yet to see any organisation deliver (or develop) and truly enterprise level application using this platform.

This is why we are still nearly completely reliant on traditional Win32 Apps and needing to find a way to manage those "legacy" formats and processes in a modern management framework. VMware Workspace ONE UEM has made massive investment in development and enhancement in these capabilities and our customers are continuing to see our leadership in this space. We've talked a lot about how we can simply and robustly deliver .MSI and .EXE files and at scale, however its most often used when deploying a single installer with maybe a transform file and some checks to see if there's enough disk space.

But what if your install routine is more complex?