
[Deep Dive] New Features in AirWatch 9.3 & Identity Manager 3.2

Today’s post covers the new features for VMware Workspace ONE provided in the VMware AirWatch 9.3 and VMware Identity Manager 3.2 releases.

VMware Workspace ONE

Workspace ONE combines Identity Manager (access control and application management) with AirWatch unified endpoint management (UEM) in a single platform. Available as a cloud service or for on-premises deployment, Workspace ONE lets IT deliver and manage any app on any device.

What’s New in Unified Endpoint Management

AirWatch unified endpoint management (UEM) technology powers the integrated Workspace ONE platform, empowering the digital workspace to meet business mobility needs. By unifying endpoint management into a single point of reference, the solution delivers a premium user experience that doesn’t compromise enterprise security.

New! Windows 10 Features

[tabs slidertype=”simple”] [tab]

Improved Onboarding Flow for Staged Provisioning

[/tab] [tab]

Domain User Auto-Reassignment

The 9.3 AirWatch Agent includes built-in logic (AssignToLoggedInUser) that automatically reassigns a device enrolled under a staging account to the domain user who is already logged in.

In this workflow, AirWatch holds the user reassignment until the next login, then matches the logged-in user by UPN. If the automatic match fails, the AirWatch Agent prompts for a username and password as a fallback.

 

[/tab] [tab]

Benefits

Auto-reassignment removes the need to:

  • Pre-register domain account serial numbers
  • Log off and then log on to reassign devices

These improvements allow you to migrate from SCCM without pre-registering devices!

 

[/tab] [tab]

Command Line Enrollment

Here’s what the logic looks like during command-line enrollment:

[box]
msiexec /i AirWatchAgent.msi /quiet ENROLL=Y IMAGE=N SERVER=ds##.awmdm.com LGName={GroupID} USERNAME={StagingUN} PASSWORD={StagingPW} ASSIGNTOLOGGEDINUSER=Y

[/box]
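The one-liner above is what an imaging task sequence or SCCM package actually has to run, and it has two practical problems: msiexec returns before enrollment has finished, and the staging credential is exposed on the command line. The following PowerShell wrapper is an added example (not code from the original post or from VMware): it runs the documented enrollment parameters, checks the msiexec exit code, then waits for the agent to report enrollment complete. The registry location it polls (HKLM:\SOFTWARE\AIRWATCH\EnrollmentStatus, value Status) and the ds##.awmdm.com server name are assumptions to verify against your environment.

```powershell
# Added example: staged provisioning enrollment with exit-code and status checks.
# Parameter values are placeholders; SERVER is the ds##.awmdm.com host shown in your console.
param(
    [Parameter(Mandatory)] [string] $Server,          # e.g. ds##.awmdm.com (assumed input)
    [Parameter(Mandatory)] [string] $GroupId,         # AirWatch Organization Group ID (LGName)
    [Parameter(Mandatory)] [string] $StagingUser,     # staging account with enrollment-only rights
    [Parameter(Mandatory)] [string] $StagingPassword, # exposed on the msiexec command line, see below
    [string] $MsiPath = "$PSScriptRoot\AirWatchAgent.msi"
)

# Caveat: the staging credential is visible in the process list and in Security
# event 4688 when command-line auditing is enabled. Use a dedicated staging
# account with no rights beyond device enrollment, rotate it, and never reuse a
# real user's password here.
$logPath = Join-Path $env:TEMP 'AirWatchAgent-install.log'
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    '/quiet', '/norestart',
    'ENROLL=Y', 'IMAGE=N',
    "SERVER=$Server",
    "LGName=$GroupId",
    "USERNAME=$StagingUser",
    "PASSWORD=$StagingPassword",
    'ASSIGNTOLOGGEDINUSER=Y',   # 9.3: reassign to the logged-in domain user by UPN at next logon
    '/l*v', "`"$logPath`""
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# msiexec exit codes: 0 = success, 3010 = success but reboot required, 1641 = reboot initiated.
if ($proc.ExitCode -notin 0, 1641, 3010) {
    throw "AirWatch Agent install failed with exit code $($proc.ExitCode); see $logPath"
}

# Enrollment finishes asynchronously after the MSI returns. The agent writes its
# state to this key (location assumed from field experience, not from the post).
$statusKey = 'HKLM:\SOFTWARE\AIRWATCH\EnrollmentStatus'
$deadline  = (Get-Date).AddMinutes(10)
$status    = $null
do {
    $status = (Get-ItemProperty -Path $statusKey -Name Status -ErrorAction SilentlyContinue).Status
    if ($status -eq 'Completed') { break }
    Start-Sleep -Seconds 15
} while ((Get-Date) -lt $deadline)

if ($status -ne 'Completed') {
    throw "Enrollment did not complete within 10 minutes (last status: '$status'); check $logPath"
}
Write-Output "Enrolled to $Server in group $GroupId under the staging account; the device moves to the logged-in domain user at next logon."
```

Run it from the task sequence after the image is laid down, before the first domain user logs on; a non-zero exit or a timeout fails the step instead of leaving a half-enrolled device that looks finished in the console.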

 

[/tab] [/tabs] [tabs slidertype=”simple”] [tab]

BitLocker Enhancements for Standard Users

Standard Windows users no longer see a credentials prompt when the BitLocker profile is applied. For more details, check out this reference article from Microsoft.[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

Windows Updates Improvements

The Windows Update profile has been enhanced with new features.

AirWatch now supports Microsoft’s update branches.

Other enhancements include more control over delivery optimization network, memory, and disk space settings, dual scan settings for deferred updates, and automatic restart settings.

[/tab] [tab]

Deployment Rings

To leverage deployment rings in AirWatch, create a smart group for each deployment ring. Next, map the smart group to the target users and groups. Then, create a Windows Update profile to match the deployment ring update rhythm. Finally, assign the profile to your smart groups.

[/tab] [tab]

Branching and Deferral

The following options were added to the Update Branch setting:

  • Windows Insider Build – Applies to a few machines to evaluate early builds before they reach the Semi-Annual Channel
  • Semi-Annual Channel (Targeted) – Applies to select devices across various teams to evaluate the major release before broad deployment
  • Semi-Annual Channel – Broadly deployed to most of the organization and monitored for feedback; pause updates if there are critical issues

[box type=”info”] Deferral periods are available only for the Semi-Annual Channel branch.[/box]


[/tab] [tab]

Update Installation Behavior

New update installation behavior settings include the following:

  • Active Hours Max Range in Hours – Max number of hours from the start time
  • Auto Restart Deadline Period in Days – Deadline for mandatory reboot for updates
  • Auto Restart Notification Schedule in Minutes – Time period for auto-restart reminders
  • Auto Restart Required for Notification Dismissal – Dismissal method for the auto-restart required notification
  • Engaged Restart Deadline in Days – Deadline for executing a pending restart
  • Engaged Restart Snooze Schedule in Days – Number of days users can snooze restart notifications
  • Schedule Restart Warning in Hours – The period for auto-restart notifications
  • Schedule Imminent Restart Warning in Minutes – The period for auto-restart imminent notifications

For more details, check out Microsoft’s article, Policy CSP – Update.

[/tab] [tab]

Update Policies

The following update policies were added:

  • Update Scan Frequency in Hours – Sets how often the device scans for updates, from every 1 to every 22 hours
  • Dual Scan for Deferral Policies – Prevents update deferral policies from triggering scans against Windows Update. Without this policy, configuring deferral policies on a device that takes its updates from WSUS causes the client to unexpectedly scan Windows Update as well (a "dual scan"). With the policy enabled, those scans are prevented and deferral policies can be configured freely.
  • Mobile Operator App Download Limit – Specifies whether to ignore the mobile operator (MO) download limit (allow unlimited downloading) over a cellular network for apps and their updates.
  • Mobile Operator Update Download Limit – Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates.
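The deployment-ring, branch, deferral, restart and scan settings above all land on the device as Policy CSP Update nodes. To confirm that a device is in the ring you assigned it to (and that the profile applied at all), read them back. The script below is an added example, not part of the original post or of AirWatch: it reads the MDM-applied Update policy from the PolicyManager registry hive and flags two conditions a practitioner cares about, an expired feature-update pause and a WSUS client that has not disabled dual scan. The value names are the Policy CSP node names from the Microsoft "Policy CSP - Update" reference cited above; the registry path is where MDM-delivered policy is stored on Windows 10.

```powershell
# Added example: report the effective Windows Update ring applied by MDM.
# Policy CSP nodes arrive under this key; GPO-delivered settings live elsewhere.
$updateKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$p = Get-ItemProperty -Path $updateKey -ErrorAction SilentlyContinue
if (-not $p) { throw "No MDM Update policy present at $updateKey; the Windows Update profile has not applied." }

# Update/BranchReadinessLevel encodes the Update Branch selected in the profile.
$branch = switch ($p.BranchReadinessLevel) {
    2       { 'Windows Insider build - Fast' }
    4       { 'Windows Insider build - Slow' }
    8       { 'Release Preview (Insider)' }
    16      { 'Semi-Annual Channel (Targeted)' }
    32      { 'Semi-Annual Channel' }
    default { 'not set (OS default: Semi-Annual Channel (Targeted))' }
}

$report = [ordered]@{
    Branch                     = $branch
    FeatureUpdateDeferralDays  = $p.DeferFeatureUpdatesPeriodInDays   # 0-365
    QualityUpdateDeferralDays  = $p.DeferQualityUpdatesPeriodInDays   # 0-30
    FeatureUpdatesPaused       = [bool]$p.PauseFeatureUpdates
    QualityUpdatesPaused       = [bool]$p.PauseQualityUpdates
    ActiveHours                = "$($p.ActiveHoursStart):00-$($p.ActiveHoursEnd):00"
    ActiveHoursMaxRangeHours   = $p.ActiveHoursMaxRange                # "Active Hours Max Range in Hours"
    AutoRestartDeadlineDays    = $p.AutoRestartDeadlinePeriodInDays    # "Auto Restart Deadline Period in Days"
    EngagedRestartDeadlineDays = $p.EngagedRestartDeadline             # "Engaged Restart Deadline in Days"
    ScanFrequencyHours         = $p.DetectionFrequency                 # "Update Scan Frequency in Hours", 1-22
    DualScanDisabled           = [bool]$p.DisableDualScan              # "Dual Scan for Deferral Policies"
}

$findings = @()

# A pause lasts 35 days from its start date; a stale pause means the ring silently resumed.
if ($report.FeatureUpdatesPaused -and $p.PauseFeatureUpdatesStartTime) {
    $pausedOn = [datetime]::Parse($p.PauseFeatureUpdatesStartTime)
    if ((Get-Date) -gt $pausedOn.AddDays(35)) {
        $findings += "Feature-update pause set on $($pausedOn.ToShortDateString()) has expired; updates are flowing again."
    }
}

# Dual scan: a WSUS-managed client with deferral policies but no DisableDualScan
# will start scanning Windows Update directly, bypassing WSUS approvals.
$wsus = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -Name WUServer -ErrorAction SilentlyContinue
if ($wsus -and -not $report.DualScanDisabled -and
    ($report.FeatureUpdateDeferralDays -or $report.QualityUpdateDeferralDays)) {
    $findings += "WSUS server $($wsus.WUServer) is configured and deferral policies are set, but dual scan is not disabled."
}

[pscustomobject]$report | Format-List
$findings | ForEach-Object { Write-Warning $_ }
```

Run it on one pilot device per smart group after the profile pushes; if Branch or the deferral days differ from the ring you mapped that smart group to, the profile assignment (not the CSP) is where to look.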

[/tab] [tab]

Delivery Optimization

The new delivery optimization settings include:

  • Allowed Peer-to-Peer Method: Simple download mode – Specifies that Delivery Optimization (DO) downloads Windows Updates, Apps and App updates using HTTP only, and does not attempt to contact the DO cloud services.
  • Allowed Peer-to-Peer Method: Bypass Mode – Functions the same way as Simple Download Mode, but uses BITS instead of DO.
  • VPN Peer Caching – Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network.
  • Minimum Battery Required For Peer Uploads (%) – Specifies percentage to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level.

[/tab] [tab]

Memory

The new memory settings include:

  • Maximum Allowed Cache Size – Specifies the maximum size in GB of DO cache.
  • Minimum Disk Size For Device To Use Peer Caching – Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means “not-limited” which means the cloud service set default value will be used.
  • Minimum RAM For Device To Use Peer Caching – Specifies the minimum RAM size in GB required to use Peer Caching.
  • Minimum Content File Size That Can Use Peer Caching – Specifies the minimum content file size in MB enabled to use Peer Caching.
  • Drive Location used for Peer Cache – Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.

[/tab] [tab]

Network

The following delivery optimization network policies were added:

  • Maximum Download Bandwidth – Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
  • Minimum QoS For Background Downloads – Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads.
  • Monthly Upload Data Cap (GB) – Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
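The Delivery Optimization settings in the last three tabs decide where a device fetches update content from and, just as importantly, whom it serves content to. Download mode 3 (Internet peers) and VPN peer caching are the two with egress implications. The script below is an added example, not code from the original post or from AirWatch: it reads the MDM-applied DeliveryOptimization policy, decodes the download mode, warns on the risky combinations, and shows what the client has actually transferred under that policy using the Windows 10 DeliveryOptimization cmdlets. Value names are the DeliveryOptimization Policy CSP nodes; the mode numbers are Microsoft's.

```powershell
# Added example: audit Delivery Optimization policy and observed traffic.
$doKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization'
$p = Get-ItemProperty -Path $doKey -ErrorAction SilentlyContinue

# DODownloadMode is what the profile's "Allowed Peer-to-Peer Method" sets.
$mode = switch ($p.DODownloadMode) {
    0       { 'HTTP only (Simple download mode): no peers, DO cloud service not contacted' }
    1       { 'LAN: peers behind the same public IP only' }
    2       { 'Group: peers in the same AD site or DOGroupId' }
    3       { 'Internet: peers anywhere on the Internet' }
    99      { 'Bypass: BITS is used instead of DO' }
    default { 'not set (OS default is LAN)' }
}

$report = [ordered]@{
    DownloadMode           = $mode
    VpnPeerCaching         = [bool]$p.DOAllowVPNPeerCaching                # "VPN Peer Caching"
    MinBatteryPctForUpload = $p.DOMinBatteryPercentageAllowedToUpload      # "Minimum Battery Required For Peer Uploads"
    MaxCacheSizeGB         = $p.DOAbsoluteMaxCacheSize                     # "Maximum Allowed Cache Size"
    MinDiskSizeGB          = $p.DOMinDiskSizeAllowedToPeer                 # "Minimum Disk Size ... Peer Caching"
    MinRamGB               = $p.DOMinRAMAllowedToPeer                      # "Minimum RAM ... Peer Caching"
    MinFileSizeMB          = $p.DOMinFileSizeToCache                       # "Minimum Content File Size ..."
    CacheDrive             = $p.DOModifyCacheDrive                         # "Drive Location used for Peer Cache"
    MaxDownloadKBps        = $p.DOMaxDownloadBandwidth                     # "Maximum Download Bandwidth"
    MinBackgroundQoSKBps   = $p.DOMinBackgroundQos                         # "Minimum QoS For Background Downloads"
    MonthlyUploadCapGB     = $p.DOMonthlyUploadDataCap                     # "Monthly Upload Data Cap"
}
[pscustomobject]$report | Format-List

# Egress checks a practitioner would want before approving the profile.
if ($p.DODownloadMode -eq 3) {
    Write-Warning 'Internet peering enabled: this device uploads update content to arbitrary Internet peers. Prefer LAN (1) or Group (2) with a monthly upload cap.'
}
if ($report.VpnPeerCaching) {
    Write-Warning 'Peer caching over VPN enabled: peer traffic traverses the tunnel; confirm this is intended for your split-tunnel and bandwidth policy.'
}
if ($p.DOModifyCacheDrive -and $p.DOModifyCacheDrive -notmatch '^%SystemDrive%|^[A-Za-z]:\\') {
    Write-Warning "Cache drive '$($p.DOModifyCacheDrive)' is not a fixed local path; a removable drive would carry cached content off the device."
}

# What the client has actually done under this policy (cmdlets exist on Windows 10 1703 and later).
if (Get-Command Get-DeliveryOptimizationPerfSnap -ErrorAction SilentlyContinue) {
    Get-DeliveryOptimizationPerfSnap |
        Select-Object FilesDownloaded, DownloadHttpBytes, DownloadLanBytes, DownloadInternetBytes,
                      UploadLanBytes, UploadInternetBytes |
        Format-List
}
```

Non-zero DownloadInternetBytes or UploadInternetBytes on a device whose policy says LAN or Group means the policy has not applied yet, or a GPO is overriding it; the PolicyManager key only reflects what MDM delivered.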

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

Dell Command | Monitor Enhancements

[/tab] [tab]

Dell Command | Update Integration

Dell Command | Update is part of the Dell Client Command Suite and delivers the latest drivers, firmware, and BIOS updates for Latitude, OptiPlex, and Precision systems.


[/tab] [tab]

Helpful Resources

 

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

BIOS Profile Enhancements

The BIOS profile configures certain BIOS settings – such as hardware virtualization and BIOS security – on select Dell enterprise devices. In AirWatch Console 9.3, the BIOS profile includes additional Custom settings as well as a new Configuration Package section.

[box type=”info”] The BIOS profile requires Dell Command | Monitor Integration.[/box]

[/tab] [tab]

Custom Settings

  • System Properties – Provide a DCIM class and the corresponding system property to pull those values into AirWatch. The values are displayed under the BIOS tab on the Device Details page. Both fields support auto-complete.
  • BIOS Attributes – Provide a BIOS attribute using auto-complete, then set the corresponding value, which also supports auto-complete. If no value is supplied, the BIOS attribute is only read, not set.
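Both custom settings are backed by the Dell Command | Monitor WMI provider: a DCIM class and property for System Properties, and the DCIM_BIOSEnumeration class for BIOS Attributes. Before committing values in a BIOS profile it is worth reading what the fleet currently has, which is exactly what the "no value supplied" mode does. The script below is an added example, not code from the original post, from AirWatch or from Dell: it queries the same WMI namespace, maps each attribute's current value to its human-readable description, diffs it against a security baseline, and checks that a BIOS setup password is set so a local administrator cannot simply undo the profile. The namespace and class names are Dell Command | Monitor's; the attribute names in the baseline vary by model and are illustrative.

```powershell
# Added example: audit Dell BIOS attributes through Dell Command | Monitor (root\dcim\sysman).
$ns = 'root\dcim\sysman'

# Desired state. Attribute names are examples and differ by model; list them on a
# reference machine with:  Get-CimInstance -Namespace $ns -ClassName DCIM_BIOSEnumeration
$baseline = @{
    'Secure Boot'               = 'Enabled'
    'TPM Security'              = 'Enabled'
    'Virtualization'            = 'Enabled'
    'VT for Direct I/O'         = 'Enabled'
    'Chassis Intrusion'         = 'Enabled'
    'Admin Setup Lockout'       = 'Enabled'
    'Enable Legacy Option ROMs' = 'Disabled'
}

$attrs = Get-CimInstance -Namespace $ns -ClassName DCIM_BIOSEnumeration -ErrorAction Stop

$drift = foreach ($attr in $attrs) {
    if (-not $baseline.ContainsKey($attr.AttributeName)) { continue }

    # CurrentValue holds codes that index into PossibleValues; translate them to
    # the matching PossibleValuesDescription text ("Enabled", "Disabled", ...).
    $current = @($attr.CurrentValue | ForEach-Object {
        $i = [array]::IndexOf($attr.PossibleValues, $_)
        if ($i -ge 0) { $attr.PossibleValuesDescription[$i] } else { $_ }
    }) -join ','

    if ($current -ne $baseline[$attr.AttributeName]) {
        [pscustomobject]@{
            Attribute = $attr.AttributeName
            Current   = $current
            Expected  = $baseline[$attr.AttributeName]
            ReadOnly  = $attr.IsReadOnly     # read-only attributes cannot be fixed by the profile
        }
    }
}

# Without a BIOS admin (setup) password, anyone with local admin can revert these
# settings through the same WMI interface the profile uses. Property names from
# DCIM_BIOSPassword; verify on your Dell Command | Monitor version.
$adminPw = Get-CimInstance -Namespace $ns -ClassName DCIM_BIOSPassword |
           Where-Object { $_.AttributeName -eq 'AdminPwd' }
if ($adminPw -and $adminPw.IsSet -ne 1) {
    Write-Warning 'BIOS admin (setup) password is not set; BIOS profile settings are not protected from local tampering.'
}

if ($drift) { $drift | Format-Table -AutoSize } else { 'All baseline BIOS attributes match.' }
```

Attributes that show ReadOnly = True in the drift output will not change no matter what the BIOS profile pushes (typically because a dependent setting or the setup password blocks them), so resolve those before expecting the profile to report compliance.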

[/tab] [tab]

Configuration Packages

Use the Dell Command | Configure client in the BIOS payload to manage Configuration Package (.CCTK) files. If a conflict occurs, configuration package settings override custom attributes and predefined attributes.

 

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

OEM Updates Profile Enhancements

Use the OEM Updates payload to configure all Dell Command | Update settings from the console instead of editing policy.xml through the GUI, placing the file in the installation directory, or using the CLI.

[/tab] [tab]

Schedule

The Schedule section of the OEM Updates payload defines when to scan for updates and how to apply these updates.

 

[/tab] [tab]

Level

The Level section of the OEM Updates payload defines the level classification of updates to apply on the device. Any of the three levels can be enabled or disabled.

[/tab] [tab]

Update Type

The Update Type section of the OEM Updates payload defines the type of updates to apply on the device. Any of the six update types can be enabled or disabled.

[/tab] [tab]

Device Categories

The Device Categories section of the OEM Updates payload defines update categories to be applied on the system provided by the OEM.

[/tab] [/tabs]

New! macOS Features

[tabs slidertype=”simple”] [tab]

Support for the Personal Recovery Key Management Mechanism

Edit and republish the Disk Encryption profile so that the recovery key management settings are pushed to devices.

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

Staging Support for High-Touch Environments

Before AirWatch v9.3, macOS staging was supported only with domain join using network/mobile users. For organizations moving to a deployment model without domain join, AirWatch now also supports a single staging flow for a local user pre-registered in the AirWatch Console.

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

macOS Software Distribution

Before VMware AirWatch Console v9.3, most of the macOS applications or software were deployed through Product Provisioning. In v9.3, AirWatch also offers a flexible deployment through an integration with Munki, an open source tool. Now all macOS application file types (.dmg, .pkg, .mpkg) can be managed in the Internal Applications section on the AirWatch Console (Apps & Books > Applications > Native > Internal).

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

Enforce Software Delays

Delay the visibility of OS updates to end users for a specified number of days, from 1 to 90 (iOS 11.3+ supervised devices and macOS 10.13.4 or later only).

[/tab] [/tabs]

What’s New in App Access & Management

Identity Manager is an Identity as a Service (IDaaS) offering, providing application provisioning, self-service catalog, conditional access controls and Single Sign-On (SSO) for SaaS, web, cloud and native mobile applications.

New! VMware Identity Manager 3.2 Features

[tabs slidertype=”simple”] [tab]

Identity Manager 3.2 Feature Walk-Through

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

On-Demand Group Member Sync

Sync group members on demand from the Identity Manager Console without meeting entitlement, policy, or UserDN configuration requirements.

[/tab][tab]

How it Works

Sync one group on-demand at a time. Alternatively, use the Group / Users settings page to sync individual group members on-demand.

[/tab][tab]

What You See

Prior to on-demand sync, a limited set of data automatically syncs and displays:

  • Groups – Only group names sync to the service and are tagged as not synced
  • Group Members – Only application entitlement and group-based access policies sync

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

Reset Desktop for Horizon Cloud/View

Users can now reset a Horizon Cloud or Horizon 7 desktop through the Workspace ONE portal or app. Resetting a remote desktop is equivalent to pressing the reset button on a physical computer to force the computer to restart. Reset can be used when a desktop operating system is unresponsive.

[one_half]

Horizon Cloud[/one_half]
[one_half_last]

Horizon 7[/one_half_last]

[/tab] [tab]

General Requirements

Minimum requirements:

  • Latest vIDM and Connector builds (3.2 and onwards)
  • SaaS or on-premises deployment model

Horizon requirements:

  • Floating or dedicated desktops only
  • Horizon 7.x or above
  • Enable “Allow users to reset/restart their machines” for desktop pools in the admin portal

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

Role-Based Access Control

Role-based access control (RBAC) allows you to segment what type of access is granted to administrators in different functional roles.

It’s important to provide access to enough tools for an administrator to do their job, without granting the keys to the kingdom unnecessarily.

For example, you could create an administrator role that manages catalog resources, but cannot entitle users to resources, nor create access policies.

To learn more about RBAC, see the blog, Introducing Role-Based Access Control in VMware Identity Manager 3.2.

[/tab] [tab]

Getting Started

Pre-defined administrator roles are available by default, and cannot be modified or deleted. In addition to using pre-defined roles, you can now create custom administrator roles to provide a specific level of access in the admin console.
[one_half]

Pre-Defined Roles

Available pre-defined roles:

  • Super Administrator with full access and control
  • Read-only Administrator with read-only access to console information
  • Directory Administrator with the ability to manage users, groups, and directories

[/one_half][one_half_last]

Custom Roles

Create custom roles to target:

  • Specific services
    e.g. manage Web Apps
  • Specific resources within a service
    e.g. manage the Salesforce application

[/one_half_last]

[/tab] [tab]

Services – Part 1

Role-based access control can manage the following services in the administrator console:

  • Catalog – Repository of all the Workspace ONE resources that can be entitled to users. The Catalog service covers the following resource types:
    • Web applications
    • App sources
    • Third-party applications
    • Virtual Apps Collections, which include Horizon, Horizon Cloud, and Citrix-based applications
  • Users and Groups – Manage the following in your organization, either as a whole or for specific domains:
    • Groups
    • Users
    • Password resets for local users

[/tab] [tab]

Services – Part 2

  • Directory Management – Add, edit, and delete enterprise and local directories. Editing a directory includes managing directory settings, including sync settings. Including the Directory Management service in a role requires that the role also include the Identity & Access Management service.
  • Roles Administration – Add and remove users and groups in administrator roles. Creating a role with the Roles Administration service requires that the role also include the Users & Groups service with the Manage Users and Manage Groups actions selected.
  • Entitlements – Manage web and third-party entitlements for user-assigned applications. Configure the role to assign users and groups to all the resources in your organization or only to specific applications. You can also scope entitlements to users and groups within specific domains.
  • Identity and Access Management – Manage all the settings in the Identity & Access Management tab, such as authentication adapters, policies, identity providers, and other tenant-level settings.

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

UI Changes

Several user experience (UX) updates were delivered to the admin console in VMware Identity Manager 3.2. The bulk of these changes in the admin console can be categorized into two buckets:

  1. UX changes in the Catalog section
  2. UX changes in Policies

For a deep dive into these changes, check out UX Updates Coming to the VMware Identity Manager 3.2 Admin Console.

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

OIDC App in Catalog

Use OIDC as a protocol to SSO into applications. Assign users and access policies for OIDC applications the same way as for SAML applications.


[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

Admin Defined Bookmark Apps

Curate the first-time experience for users by providing a set of preferred apps out of the box on the Bookmarks page in the Workspace ONE portal or app.

[box type=”info”]

Applications that a user has previously un-bookmarked are not displayed even if they are marked as recommended and this feature is enabled.

[/box][/tab][tab]

Bookmark an Application

  1. Mark an application as a recommended app.
  2. Navigate to Catalog > Settings > User Portal Configuration.
  3. Select the option Show recommended apps in Bookmarks tab.

 

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

Hide the Catalog or Bookmarks tab in Workspace ONE

Hide either the Catalog or the Bookmarks tab in Workspace ONE to provide the experience that best suits end-user needs. When a tab is hidden, users do not see an option to bookmark apps.

To configure these settings navigate to Catalog > Settings > User Portal Configuration.

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

Improved Post-Login Experience

Upon first launch of Workspace ONE, if no applications have been bookmarked, the Catalog tab displays instead of an empty Bookmarks tab. However, after at least one application is bookmarked, users land on the Bookmarks tab when they launch Workspace ONE.

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

Promotion Banner for macOS Apps

A new banner provides a link to the Workspace ONE installer to promote the availability of the Workspace ONE client to macOS users.

 

[/tab] [tab]

Requirements

  • macOS 10.11.0 or greater
  • AirWatch Console 9.2.2 or greater

 

[/tab] [tab]

User Experience

  • Temporary Close – Click the close button in the top right-hand corner of the banner. When the user logs in to the portal again, the banner reappears.
  • Permanent Close – Select the Don’t show this again checkbox, then click the close button in the top right-hand corner of the banner. This permanently dismisses the promotion banner. Users can still download the app later from the Settings > About page.

[/tab] [/tabs]

[tabs slidertype=”simple”] [tab]

UX Improvements for Workspace ONE & VMware Tunnel Integration

Improved integration between Workspace ONE and Tunnel provides users with a clear visual indicator that denotes any Tunnel dependencies for any applications.

  • Tunnel is automatically installed for the user.
  • User is guided through the Tunnel initialization.

[/tab] [/tabs]