
[Deep Dive] App Access & Management in VMware AirWatch 9.2

VMware AirWatch unified endpoint management (UEM) empowers the digital workspace to meet business needs. By unifying endpoint management into a single point of reference, the solution delivers a premium user experience that doesn’t compromise enterprise security. Today’s post covers the new app access & management features in AirWatch 9.2.

New! App Access & Management Features

Check out these videos to see the newest features in action. Expand the drop-down menus for more details about each new feature.

AirWatch UEM technology powers the integrated VMware Workspace ONE platform.

Unified Workspace ONE Console for App Access & Management

[learn_more caption=”More Details”]

VMware Workspace ONE Unified Console Requirements

AirWatch Deployment: Working instance of a Software-as-a-Service (SaaS) or on-premises AirWatch deployment.
Identity Manager: Working instance of a SaaS or on-premises VMware Identity Manager (vIDM).
Configuration: Integrate AirWatch with Identity Manager.
Roles: Domain account with an admin role in both the AirWatch customer organization group and Identity Manager. Note: A global admin role does not work.
Organization Group: Configure settings in the AirWatch console at a customer-level organization group. To check your organization group level, navigate to Groups & Settings > Groups > Organization Groups > Organization Group Details.
Outbound Traffic:
  • Source: AirWatch Console Server
    Destination: AirWatch REST API endpoint (https://asXXX.awmdm.com or https://asXXX.airwatchportals.com)
    Protocol: HTTP or HTTPS
    Port: 80 or 443
    Verification: Use wget to https://APIServerUrl/API/help and verify a “401 – not authorized” response.
  • Source: AirWatch Console Server
    Destination: vIDM API endpoint
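The outbound-traffic check above treats a 401 from /API/help as the success condition: it proves the name resolves, the port is open, TLS negotiates and the API is enforcing authentication. The following script is an added example, not VMware tooling, that performs that probe and classifies the result; it uses Python's standard library in place of wget. The function names (probe_api_help, classify_status) are this example's own, and the host asXXX.awmdm.com is the placeholder the page uses.

```python
"""Verify outbound reachability of the AirWatch REST API endpoint from the console
server, using the page's criterion: an unauthenticated GET to /API/help must answer
401. Added example; names and behaviour are assumptions, not VMware's own tooling."""
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 3xx to a login portal must be reported, not hidden
    behind a final 200."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # makes urllib raise HTTPError with the 3xx code


def classify_status(status):
    """Map the HTTP status of the /API/help probe to (ok, message)."""
    if status == 401:
        return True, "ok: endpoint reachable, authentication enforced"
    if status == 200:
        # /API/help answering without credentials is not the expected behaviour.
        return False, "warn: endpoint answered without authentication; review API auth settings"
    if status is None:
        return False, "fail: no HTTP response (DNS, firewall, proxy or TLS problem)"
    if 300 <= status < 400:
        return False, f"fail: redirect ({status}); URL may be a portal, not the API host"
    return False, f"fail: unexpected status {status}"


def probe_api_help(api_server_url, timeout=15):
    """GET https://<API server>/API/help with no credentials and classify the result.

    urllib raises HTTPError for 3xx (with our handler) and 4xx/5xx, so the expected
    401 arrives as an exception; URLError covers DNS, connect and TLS failures.
    """
    url = api_server_url.rstrip("/") + "/API/help"
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:
        status = e.code
    except urllib.error.URLError:
        status = None
    return classify_status(status)


if __name__ == "__main__":
    # Placeholder tenant host from the page; substitute your own API server URL.
    ok, message = probe_api_help("https://asXXX.awmdm.com")
    print(message)
```

Run it from the console server itself, since that is the source the requirement names; a pass from an administrator's workstation says nothing about the server's egress path.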

[/learn_more]

SaaS Application Management

Manage SaaS applications (aka web applications in Identity Manager) in the same AirWatch console as native applications and web links. Use the unified console to add new SaaS applications, and to pull existing web apps from Identity Manager. Any applications added in the unified view automatically sync with Identity Manager.

[learn_more caption=”More Details”]

Add or Edit SaaS Applications in Console v9.2

  1. Using an account with appropriate permissions, log into the AirWatch console at a customer-level organization.
  2. Navigate to Apps & Books > Applications > Web > SaaS.
  3. Configure the authentication method for application access from the Workspace ONE portal.

For more information, see “SaaS Applications in AirWatch.” [/learn_more]

Access Policy Management

Access policies map IP addresses to network ranges to determine user access, securing SaaS applications.

[learn_more caption=”More Details”]

Add or Edit Access Policies in Console v9.2

  1. Navigate to Apps & Books > Applications > Access Policies.
  2. Use the default policy or create an application-specific access policy.
    • Default Access Policy: This policy allows access to all network ranges, from all device types, for all users.
    • Application-Specific Access Policies: These policies include IP addresses, authentication methods and session time allowed for access to specified SaaS applications. Use custom policies to allow lenient access or to enforce strict access control.
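The two policy kinds above differ only in how narrowly their rules match: the default policy admits every network range, device type and user, while an application-specific policy keys on source IP (through named network ranges), device type and authentication method, with a session limit. The model below is an added example, not Identity Manager's code, that evaluates such a policy set with first-match semantics; the class and function names (NetworkRange, Rule, AccessPolicy, evaluate), the sample CIDRs and the policy contents are all constructed for illustration.

```python
"""Model of access-policy evaluation: first matching rule wins; a rule with no
network ranges or no device types matches all of them. Added example with
constructed data; not VMware Identity Manager's implementation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class NetworkRange:
    name: str
    cidrs: list  # constructed sample CIDRs

    def contains(self, client_ip):
        ip = ip_address(client_ip)
        return any(ip in ip_network(c) for c in self.cidrs)


@dataclass
class Rule:
    ranges: list         # NetworkRange names; empty list = ALL RANGES
    device_types: list   # e.g. ["iOS", "Android", "Web Browser"]; empty = all
    auth_methods: list   # tried in order; the first one the client supports wins
    session_minutes: int


@dataclass
class AccessPolicy:
    name: str
    rules: list = field(default_factory=list)


def evaluate(policy, ranges, client_ip, device_type, supported_auth):
    """Return (auth_method, session_minutes) from the first rule that matches the
    client's network and device type, or None (access denied) if no rule matches or
    the matching rule lists no authentication method the client can satisfy."""
    for rule in policy.rules:
        if rule.ranges and not any(ranges[r].contains(client_ip) for r in rule.ranges):
            continue
        if rule.device_types and device_type not in rule.device_types:
            continue
        for method in rule.auth_methods:
            if method in supported_auth:
                return method, rule.session_minutes
        return None  # matched on network/device, but cannot authenticate as required
    return None


# Constructed sample data.
RANGES = {"CORPORATE": NetworkRange("CORPORATE", ["10.0.0.0/8", "192.168.0.0/16"])}

DEFAULT_POLICY = AccessPolicy("default_access_policy_set", [
    Rule(ranges=[], device_types=[], auth_methods=["password"], session_minutes=480),
])

STRICT_SAAS_POLICY = AccessPolicy("payroll_app_policy", [
    # On the corporate network: password suffices, 8-hour session.
    Rule(ranges=["CORPORATE"], device_types=[], auth_methods=["password"], session_minutes=480),
    # Elsewhere, only managed mobile devices via mobile SSO, 1-hour session.
    Rule(ranges=[], device_types=["iOS", "Android"], auth_methods=["mobile_sso"], session_minutes=60),
    # Anything else (an unmanaged browser on the internet, say) falls through: denied.
])

if __name__ == "__main__":
    print(evaluate(STRICT_SAAS_POLICY, RANGES, "10.1.2.3", "Web Browser", {"password"}))
    print(evaluate(STRICT_SAAS_POLICY, RANGES, "203.0.113.7", "iOS", {"mobile_sso"}))
    print(evaluate(STRICT_SAAS_POLICY, RANGES, "203.0.113.7", "Web Browser", {"password"}))
```

The point the model makes is that rule order is part of the policy: the broad internal-network rule sits first, the narrower mobile rule second, and the absence of a catch-all is what produces the deny.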

For more information, see “Use Access Policies with SaaS Applications.”[/learn_more]

Workspace ONE Getting Started Wizard

The wizard serves as a step-by-step checklist for configuring the Workspace ONE catalog, its applications and the required components. In AirWatch v9.2, the wizard facilitates the entire configuration chain for Workspace ONE, mobile single sign-on and Microsoft Office 365 configurations.

[learn_more caption=”More Details”]

Access the Workspace ONE Getting Started Wizard

The primary purpose of the Workspace ONE wizard is automating initial setup. For this reason, new installations display the enhanced wizard at the top of the main menu by default. However, the enhanced wizard also provides value for existing customers.

For existing deployments, customers can use the wizard to evaluate their current setup or to add Workspace ONE, powered by AirWatch unified endpoint management technology. In either case, these customers must manually enable the Workspace ONE getting started wizard to access the configurations. In this post, access instructions for both customer types are included inline.

Workspace ONE Getting Started Wizard Configurations

The Workspace ONE getting started wizard displays a list of features that can be configured or ignored, according to the needs of the organization. Required configurations are marked by a red star (*).

Setup
  • Apple Push Notification Service (APNs)*: Download an APNs certificate request to enable Workspace ONE communication with Apple iOS and macOS devices.
  • Enterprise Connector & Directory*: Install the VMware Enterprise Systems Connector* server to secure communication between the console servers and corporate resources. Then, use this secure connection to import users and groups from Active Directory (AD).
  • Auto Discovery: Enable end users to log into the appropriate domain with their email addresses.
  • NEW! Mobile Single Sign-On: Auto-configure mobile single sign-on, simplifying employee access to select mobile apps.

Apps
  • Workspace ONE Catalog*: Add and assign apps to the Workspace ONE app catalog. The catalog provides employees a single touchpoint for app access.
  • NEW! Office 365 Apps: Select and configure the Office 365 apps for Android and iOS devices.
  • Intro to Public Apps: Configure public app assignment for groups or individuals.
  • Add VMware Boxer: Configure an all-in-one email, calendar and contacts app.

Productivity
  • Secure Email: Deploy a single mobile app that integrates email, calendar and contacts, regardless of device type or platform.
  • Secure Content: Sync corporate repositories to mobile devices, providing employees anytime, anywhere access to corporate content.
  • Secure Browsing: Connect employees to corporate web apps and intranet sites without requiring a manual VPN connection or password challenges.

*Note: SaaS customers must install the VMware Enterprise Systems Connector. For on-premises customers, this requirement depends on network architecture. Consult the VMware AirWatch Reference Architecture guide for recommendations and more information.

Use the Workspace ONE Getting Started Wizard

The getting started wizard serves as an additional, guided configuration option. It does not replace the ability to configure or edit any individual setting. Therefore, any settings configured in the wizard are also individually available.

During configuration, the wizard checks the AirWatch console and Identity Manager for existing, potentially conflicting configurations. If the wizard discovers any discrepancies, it sends a notification that interrupts configuration.

You may see any of the following options while using the wizard:

  • Configure: Define settings for a feature.
  • Incomplete: Unconfigured features display an empty check box.
  • Complete: Configured features display a green check box.
  • Edit: Review or change settings of a complete feature.
  • Percentage Completed: View on a progress bar.
  • Video: Where available, watch a short feature demo. The option displays next to the Configure or Edit button.
  • Skip This Step: Where available, select to remove the feature from your list.
  • Reactivate: Select to display a skipped feature once again.
  • Continue: Return to where you left off, if you stopped the wizard before completing it.

[/learn_more]

Mobile Single Sign-On

Workspace ONE offers universal single sign-on to mobile applications. Mobile single sign-on allows users to sign in to enterprise apps securely, without the need for a password.

[learn_more caption=”More Details”]

Mobile Single Sign-On Requirements

Organization Group: Configure settings in the AirWatch console at a customer-level organization group. To check your organization group level, navigate to Groups & Settings > Groups > Organization Groups > Organization Group Details.
Components: Install Enterprise Connector and Identity Manager.
Configurations: Integrate Active Directory.
iOS:
  • Add any published applications to the iOS SSO profile.
  • Check the Realm value in the iOS SSO profile (defaults to VMWAREIDENTITY.COM).
  • No additional on-premises infrastructure is required. Do not use on-premises KDC authentication unless dictated by IT security or network policy.*
Android:
  • Android 4.4+
  • Add the VPN profile to published applications and add them to Networking Rules.
  • Check the proxy URL in the Network Rules page.
  • Applications must support SAML or another supported federation standard.
Note: Mobile SSO does NOT require VMware Tunnel installation.
*Note: Mobile SSO for iOS transports certificates using the PKINIT Kerberos protocol. The identity management service provides a built-in Kerberos adapter to handle iOS authentication. This adapter removes the need for devices to communicate with the internal domain controller. Additionally, AirWatch can distribute identity certificates to devices, eliminating the requirement to maintain an on-premises CA.

Configure Workspace ONE Mobile SSO with the Wizard

  1. Log in to the AirWatch console at a customer-level organization group.
  2. Navigate to Getting Started > Workspace ONE > Setup > Mobile Single-Sign On. [box] If the Getting Started option does not display in the navigation menu, follow these instructions instead:
    • Navigate to Groups & Settings > All Settings > System > Getting Started.
    • Set the Getting Started Workspace ONE Status to Enabled and Save.
    • Navigate to Getting Started > Workspace ONE > Setup > Mobile Single-Sign On. [/box]
  3. Click Configure.
  4. Wait for the configurations to complete. Do not refresh the page during this time.

[/learn_more]

Configure Office 365 Apps Using the Workspace ONE Wizard

Configure Office 365 mobile app(s) in the AirWatch console, and unify endpoint management for Android and iOS devices.

[learn_more caption=”More Details”]

Office 365 Application Wizard Requirements

Organization Group: Configure settings in the AirWatch console at a customer-level organization group. To check your organization group level, navigate to Groups & Settings > Groups > Organization Groups > Organization Group Details.
Operating System: Android and iOS

Configure Office 365 with the Getting Started Wizard

  1. Log in to the AirWatch console at a customer-level organization group.
  2. Navigate to Getting Started > Workspace ONE > Apps > Office 365 Apps. [box] If the Getting Started option does not display in the navigation menu, follow these instructions instead:
    • Navigate to Groups & Settings > All Settings > System > Getting Started.
    • Set the Getting Started Workspace ONE Status to Enabled and Save.
    • Navigate to Getting Started > Workspace ONE > Apps > Office 365 Apps. [/box]
  3. Follow the wizard’s instructions and configure the settings, as prompted.

[/learn_more]

Azure Token Revocation Compliance Policy

The compliance engine in AirWatch console v9.2 can now revoke the Azure refresh token. This policy disables any Microsoft apps that use the Azure token, including Microsoft Outlook, Microsoft OneDrive and Office 365.

[learn_more caption=”More Details”]

Azure Token Revocation Requirements

Organization Group: Configure settings in the AirWatch console at a customer-level organization group. To check your organization group level, navigate to Groups & Settings > Groups > Organization Groups > Organization Group Details.
Configurations: Integrate AirWatch with Azure Active Directory.
UPN: The AirWatch UPN must match the Azure UPN.
Operating System: Android and iOS

Configure Azure Token Revocation

Add compliance policies that work with app groups to add a layer of security to the mobile network. Policy configurations enable the AirWatch compliance engine to take set actions on non-compliant devices.

To make the revocation of the Azure token part of your compliance policy:

  1. Log in to the AirWatch console at a customer-level organization group.
  2. Navigate to Devices > Compliance Policies > List View > Add.
  3. Select the platform, Android or Apple iOS.
  4. Configure the Rules tab. Open the Application List and select the options that reflect your desired compliance.
    • Contains: Monitor devices for a specific application identifier. If detected, the engine performs the actions configured in the rule.
    • Does Not Contain: Monitor devices for a specific application identifier. If NOT detected, the engine performs the actions configured in the rule.
    • Contains Blacklisted Apps: Monitor devices for blacklisted apps. If detected, the engine performs the actions configured in the rule.
    • Contains Vendor Blacklisted Apps: In most cases, do not configure this advanced application management feature.
    • Contains Non-Whitelisted Apps: Monitor devices for non-whitelisted apps. If detected, the engine performs the actions configured in the rule.
    • Does Not Contain Required Apps: Monitor devices for apps from required app groups. If NOT detected, the engine performs the actions configured in the rule.
    • Does Not Contain Version: Monitor devices for a specific version of an application identifier. If NOT detected, the engine performs the actions configured in the rule.
  5. Provide the Application Identifier. Get the Application Identifier from the app store or the AirWatch console record. [box] To view the AirWatch console record:
    • Navigate to Apps & Books > Applications > List View > Internal or Public.
    • Select View from the application’s actions menu.
    • Copy the Application ID. [/box]
  6. Click the Actions tab and configure escalating actions for out-of-compliance devices. The first action you select applies immediately. Select Add Escalations to augment or replace the immediate action with further delayed actions. [box] To configure Azure token revocation as one of the actions in the escalation chain:
    • Select the Command action from the first drop-down menu.
    • Select Revoke Azure Tokens from the second menu. [/box]
  7. Click the Assignment tab. Then, assign the compliance rule to smart groups.
    • Managed By: View or edit the organization group that manages and enforces the rule.
    • Assigned Groups: Type to add smart groups to which the rule applies.
    • Exclusions: Select Yes to exclude groups from the rule.
    • View Device Assignment: Select to view the devices affected by the rule.
  8. Open the Summary tab. Then, name the rule and give it a brief description.
  9. Select Finish and Activate to enforce the newly created rule.
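To make the rule semantics in step 4 and the escalation chain in step 6 concrete, here is a small model, added as an example and not the AirWatch compliance engine, that evaluates each Application List rule type against a device's installed-app inventory and then reports which escalation actions are due after a given number of hours out of compliance. The rule labels are the console's; the class names (AppRule, Escalation), the app identifiers, the inventory and the notify-type actions are constructed for this example, and the only action name taken from the page is Revoke Azure Tokens. Contains Vendor Blacklisted Apps is deliberately not modelled, per the table's advice.

```python
"""Model of Application List compliance rules and an escalating action chain.
Added example with constructed data; not AirWatch's compliance engine."""
from dataclasses import dataclass


@dataclass
class AppRule:
    kind: str         # one of the console's Application List options
    app_id: str = ""  # for Contains / Does Not Contain / Does Not Contain Version
    version: str = ""  # for Does Not Contain Version


@dataclass
class Escalation:
    delay_hours: int  # 0 = the immediate action
    action: str       # e.g. "Command: Revoke Azure Tokens"


def rule_violated(rule, installed, app_groups):
    """installed: {app_id: version}; app_groups: {"blacklisted", "whitelisted",
    "required"} -> set of app ids. True means the rule's condition is met, i.e.
    the device is out of compliance under that rule."""
    ids = set(installed)
    if rule.kind == "Contains":
        return rule.app_id in ids
    if rule.kind == "Does Not Contain":
        return rule.app_id not in ids
    if rule.kind == "Contains Blacklisted Apps":
        return bool(ids & app_groups["blacklisted"])
    if rule.kind == "Contains Non-Whitelisted Apps":
        return bool(ids - app_groups["whitelisted"])
    if rule.kind == "Does Not Contain Required Apps":
        return bool(app_groups["required"] - ids)
    if rule.kind == "Does Not Contain Version":
        return installed.get(rule.app_id) != rule.version
    raise ValueError(f"unsupported rule type: {rule.kind}")


def evaluate_device(rules, installed, app_groups):
    """Return the kinds of all violated rules (empty list = compliant)."""
    return [r.kind for r in rules if rule_violated(r, installed, app_groups)]


def actions_due(escalations, hours_noncompliant):
    """Actions whose delay has elapsed, in chain order: the delay-0 action applies at
    once, later ones as their delays pass."""
    return [e.action for e in sorted(escalations, key=lambda e: e.delay_hours)
            if e.delay_hours <= hours_noncompliant]


# Constructed sample: one Android device's inventory and the tenant's app groups.
INSTALLED = {"com.example.corp.mail": "3.2.0", "com.example.games.slots": "1.0"}
APP_GROUPS = {
    "blacklisted": {"com.example.games.slots"},
    "whitelisted": {"com.example.corp.mail", "com.example.corp.docs"},
    "required": {"com.example.corp.mail", "com.example.corp.docs"},
}
RULES = [
    AppRule("Contains Blacklisted Apps"),
    AppRule("Does Not Contain Required Apps"),
    AppRule("Does Not Contain Version", app_id="com.example.corp.mail", version="3.2.0"),
]
ESCALATIONS = [
    Escalation(0, "Notify: compliance email to the user"),
    Escalation(24, "Command: Revoke Azure Tokens"),
    Escalation(72, "Notify: compliance email to the administrator"),
]

if __name__ == "__main__":
    print("violated:", evaluate_device(RULES, INSTALLED, APP_GROUPS))
    print("due after 24h:", actions_due(ESCALATIONS, 24))
```

Two things the model makes visible: Does Not Contain Version only passes when the exact configured version is installed (an absent app also fails it), and an escalation with a delay is what turns token revocation into a second-stage response rather than the immediate one.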

For information on compliance policies and app groups, see “Application Groups and Compliance.” [/learn_more]


Co-Authors & Reviewers:

Video content authored by Roger Deane | VMware | EUC Mobile Marketing | Sr. Technical Marketing Manager

Post reviewed by:

  • Josh Pelkey | VMware | EMM Mobile PM | Group Product Line Manager
  • Ben Siler | VMware | EUC Mobile Marketing | Product Marketing Manager
  • Rob Sterry | VMware | EMM Mobile PM | Product Line Manager