The wizard serves as a step-by-step checklist for configuring the Workspace ONE catalog, its applications and the required components. In AirWatch v9.2, the wizard facilitates the entire configuration chain for Workspace ONE, mobile single sign-on and Microsoft Office 365 configurations. [learn_more caption=”More Details”] Access the Workspace ONE Getting Started Wizard The primary purpose of the Workspace ONE wizard is automating initial setup. For this reason, new installations display the enhanced wizard at the top of the main menu by default. However, the enhanced wizard also provides value for existing customers. For existing deployments, customers can use the wizard to evaluate their current setup or to add Workspace ONE, powered by AirWatch unified endpoint management technology. In either case, these customers must manually enable the Workspace ONE getting started wizard to access the configurations. In this post, access instructions for both customer types are included inline. Workspace ONE Getting Started Wizard Configurations The Workspace ONE getting started wizard displays a list of features that can be configured or ignored, according to the needs of the organization. Required configurations are marked by a red star (*). | Setup | | Apple Push Notification Service (APNs)* | Download an APNs certificate request to enable Workspace ONE communication with Apple iOS and macOS devices. | | Enterprise Connector & Directory* | Install the VMware Enterprise Systems Connector* server to secure communication between the console servers and corporate resources. Then, use this secure connection to import users and groups from Active Directory (AD). | | Auto Discovery | Enable end users to log into the appropriate domain with their email addresses. | | NEW! Mobile Single Sign-On | Auto-configure mobile single sign-on, simplifying employee access to select mobile apps. | | Apps | | Workspace ONE Catalog* | Add and assign apps to the Workspace ONE app catalog. The catalog provides employees a single touchpoint for app access. | | NEW! Office 365 Apps | Select and configure the Office 365 apps for Android and iOS devices. | | Intro to Public Apps | Configure public app assignment for groups or individuals. | | Add VMware Boxer | Configure an all-in-one email, calendar and contacts app. | | Productivity | | Secure Email | Deploy a single mobile app that integrates email, calendar and contacts, regardless of device type or platform. | | Secure Content | Sync corporate repositories to mobile devices, providing employees anytime, anywhere access to corporate content. | | Secure Browsing | Connect employees to corporate web apps and intranet sites without requiring a manual VPN connection, or password challenges. | | *Note: SaaS customers must install the VMware Enterprise System Connector. For on-premises customers, this requirement depends on network architecture. Consult the VMware AirWatch Reference Architecture guide for recommendations and more information. | Use the Workspace ONE Getting Started Wizard The getting started wizard serves as an additional, guided configuration option. It does not replace the ability to configure or edit any individual setting. Therefore, any settings configured in the wizard are also individually available. During configuration, the wizard checks the AirWatch console and Identity Manager for existing, potentially conflicting configurations. If the wizard discovers any discrepancies, it sends a notification that interrupts configuration. You may see any of the following options while using the wizard: | Setting | Description | | Configure | Define settings for a feature. | | Incomplete | Unconfigured features display an empty check box. | | Complete | Configured features display a green check box. | | Edit | Review or change settings of a complete feature. | | Percentage Completed | View on a progress bar. | | Video | Where available, watch a short feature demo. Option displays next to the Configure or Edit button. | | Skip This Step | Where available, select to remove the feature from your list. | | Reactivate | Select to display a skipped feature once again. | | Continue | Return to where you left, if you stopped the wizard before completing it. | [/learn_more] Mobile Single Sign-On Workspace ONE offers universal single sign-on to mobile applications. Mobile single sign-on allows users to sign in to enterprise apps securely, without the need for a password.[learn_more caption=”More Details”] | Mobile Single-Sign On Requirements | | Organization Group | Configure settings in the AirWatch console at a customer-level organization group. To check your organization group level, navigate to Groups & Settings > Groups > Organization Groups > Organization Group Details. | | Components | Install Enterprise Connector and Identity Manager. | | Configurations | Integrate Active Directory. | | iOS | Add any published applications to iOS SSO Profile.
Check Realm value in iOS SSO Profile (defaults to VMWAREIDENTITY.COM ).
No additional on-premises infrastructure required. Do not use on-premises KDC authentication unless dictated by IT security or network policy.* | | Android | Android 4.4+
Add VPN profile to published applications and add them to Networking Rules
Check proxy URL in Network Rules page
Applications must support SAML or another supported federation standard
Note: Mobile SSO does NOT require VMware Tunnel Installation. | | *Note: Mobile SSO for iOS transports certificates using the PKINIT Kerberos protocol. The identity management service provides a built-in Kerberos adapter to handle iOS authentication. This adapter removes the need for devices to communicate with the internal domain controller. Additionally, AirWatch can distribute identity certificates to devices, eliminating the requirement to maintain an on-premises CA. | Configure Workspace ONE Mobile SSO with the Wizard - Log in to the AirWatch console at a customer-level organization group.
- Navigate to Getting Started > Workspace ONE > Setup > Mobile Single-Sign On. [box] If the Getting Started option does not display in the navigation menu, follow these instructions instead:
- Navigate to Groups & Settings > All Settings > System > Getting Started.
- Set the Getting Started Workspace ONE Status to Enabled and Save.
- Navigate to Getting Started > Workspace ONE > Setup > Mobile Single-Sign On. [/box]
- Click Configure.
- Wait for the configurations to complete. Do not refresh the page during this time.
[/learn_more] Configure Office 365 Apps Using the Workspace ONE Wizard Configure Office 365 mobile app(s) in the AirWatch console, and unify endpoint management for Android and iOS devices. [learn_more caption=”More Details”] | Office 365 Application Wizard Requirements | | Organization Group | Configure settings in the AirWatch console at a customer-level organization group. To check your organization group level, navigate to Groups & Settings > Groups > Organization Groups > Organization Group Details. | | Operating System | Android and iOS | Configure Office365 with the Getting Started Wizard - Log in to the AirWatch console at a customer-level organization group.
- Navigate to Getting Started > Workspace ONE > Apps > Office 365 Apps.[box] If the Getting Started option does not display in the navigation menu, follow these instructions instead:
- Navigate to Groups & Settings > All Settings > System > Getting Started.
- Set the Getting Started Workspace ONE Status to Enabled and Save.
- Navigate to Getting Started >Workspace ONE > Apps > Office 365 Apps.[/box]
- Follow the wizard’s instructions and configure the settings, as prompted.
[/learn_more]
Azure Token Revocation Compliance Policy | The compliance engine in AirWatch console v9.2 can now revoke the Azure refresh token. This policy disables any Microsoft apps that use the Azure token including Microsoft Outlook, Microsoft OneDrive and Office 365.
[learn_more caption=”More Details”] | Azure Token Revocation Requirements | | Organization Group | Configure settings in the AirWatch console at a customer-level organization group. To check your organization group level, navigate to Groups & Settings > Groups > Organization Groups > Organization Group Details. | | Configurations | Integrate AirWatch with Azure Active Directory. | | UPN | AirWatch UPN must match Azure UPN. | | Operating System | Android and iOS | Configure Azure Token Revocation Add compliance policies that work with app groups to add a layer of security to the mobile network. Policy configurations enable the AirWatch compliance engine to take set actions on non-compliant devices. To make the revocation of the Azure token part of your compliance policy: - Log in to the AirWatch console at a customer-level organization group.
- Navigate to Devices > Compliance Policies > List View > Add.
- Select the platform, Android or Apple iOS.
- Configure the Rules tab. Open the Application List and select the options that reflect your desired compliance.
Setting | Description | | Contains | Monitor devices for a specific application identifier. If detected, the engine performs the actions configured in the rule. | | Does Not Contain | Monitor devices for a specific application identifier. If NOT detected, the engine performs the actions configured in the rule. | | Contains Blacklisted Apps | Monitor devices for blacklisted apps. If detected, the engine performs the actions configured in the rule. | | Contains Vendor Blacklisted Apps | In most cases, do not configure this advanced application management feature. | | Contains Non-Whitelisted Apps | Monitor devices for non-whitelisted apps. If detected, the engine performs the actions configured in the rule. | | Does Not Contain Required Apps | Monitor devices for apps from required app groups. If NOT detected, the engine performs the actions configured in the rule. | | Does Not Contain Version | Monitor devices for a specific version of an application identifier. If NOT detected, the engine performs the actions configured in the rule. | - Provide the Application Identifier. Get the Application Identifier from the app store or the AirWatch console record.[box]To view the AirWatch console record:
- Navigate to Apps & Books > Applications > List View > Internal or Public.
- Select View from the application’s actions menu.
- Copy the Application ID. [/box]
- Click the Actions tab and configure escalating actions for out-of-compliance devices. The first action you select applies immediately. Select Add Escalations to augment or replace the immediate action with further delayed actions.[box]To configure Azure token revocation as one of the actions in the escalation chain:
- Select the Command action from the first drop-down menu.
- Select Revoke Azure Tokens from the second menu. [/box]
- Click the Assignment tab. Then, assign the compliance rule to smart groups.
Setting | Description | | Managed By | View or edit the organization group that manages and enforces the rule. | | Assigned Groups | Type to add smart groups to which the rule applies. | | Exclusions | Select Yes to exclude groups from the rule. | | View Device Assignment | Select to view the devices affected by the rule. | - Open the Summary tab. Then, name the rule and give it a brief description.
- Select Finish and Activate to enforce the newly created rule.
For information on compliance policies and app groups, see “Application Groups and Compliance.” [/learn_more] | |
