
Modern Workplace and Management with the efficiency of pure Cloud – Part 1 (Workspace ONE configuration)

How to configure Workspace ONE

If we want to use Unified Endpoint Management together with Identity and Access Management, we first have to configure the connection between the two parts of Workspace ONE: Workspace ONE UEM and Workspace ONE Access.

Configuration of Workspace ONE UEM

The first step is to integrate Workspace ONE UEM into Workspace ONE Access for Enterprise Mobility Management and related tasks, such as provisioning users and groups from Workspace ONE Access to Workspace ONE UEM for the user devices and the accounts they use. That part is described later in the document.

First of all, we have to integrate Workspace ONE UEM with Workspace ONE Access.

Go to: All Settings – System – Advanced – API – REST API

  • In the General tab, click Add to generate the API key that will be used in the Workspace ONE Access Console. The account type is Admin.
  • Enter a unique service name in the Service column (for instance UEMAPI).
  • In the Description column, enter a clear description such as UEM API for WS1Access.
  • To generate the enrollment user API key, click Add again.
  • Enter a unique service name in the Service column (for instance UserAPI).
  • In the Description column, enter a clear description such as User API for WS1Access.
  • Copy both API keys and save them to a text file for later use.
    • They are needed when integrating Workspace ONE UEM in the Workspace ONE Access console.

It should look as in the picture below.

After that, you have to create an admin account in the Workspace ONE UEM console for certificate-based authentication. Use an Active Directory admin user whose password does not expire. A basic user password can expire, so that account type is not recommended: if the password expires, the user sync with the Workspace ONE Access directory fails.

To create the user account go to:

Accounts – Administrators – List View and create the admin account.

In the Basic tab, enter the username and password of an Active Directory admin user (check in Active Directory that the "password never expires" option is set for this account).

In the Roles tab select the current organization group and set the AirWatch Administrator role.

Select the API tab and, in the Authentication box, select Certificates. Type in the certificate password; it is the same password you set for the admin in the Basic tab.

Save.

The new admin account and client certificate are created.

In the List View, select the newly created admin account and open the API tab.

Enter the certificate password you set during account creation (Certificate Password text box) and click Export Client Certificate. Save the file.

The client certificate is saved as a .p12 (PKCS#12) file containing the certificate and its private key, protected by the certificate password.

Now we log in to the Workspace ONE UEM console. Under Groups & Settings – All Settings – System – Enterprise Integration – Workspace ONE Access – Configuration, click Configure under Server to enter your Workspace ONE Access information.

Tenant URL: https://xxxx.vmwareidentity.com

Username: your admin user account

Password: your password

Test Connection is always a good first try 😉

Now it should look like this:

The configuration for the Workspace ONE Access integration is done so far in Workspace ONE UEM.
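Before moving on to the Workspace ONE Access side, it is worth verifying the two things above that silently break the integration later: the admin account's password must never expire, and the exported .p12 must open with its password and not be close to expiry. The following PowerShell pre-flight check is an added example, not code from the original post; it assumes a domain-joined machine with the RSAT ActiveDirectory module, and the account name, file path and password are placeholders.

```powershell
# Added pre-flight check for the Workspace ONE UEM admin account and its
# exported client certificate. All names and paths below are placeholders.
function Test-WS1IntegrationAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $P12Path,
        [Parameter(Mandatory)] [string] $P12Password,
        [int] $MinDaysValid = 30
    )
    $problems = @()

    # 1. AD account: must be enabled and must have a non-expiring password,
    #    otherwise the Workspace ONE Access directory sync fails on expiry.
    Import-Module ActiveDirectory
    $user = Get-ADUser -Identity $SamAccountName `
        -Properties Enabled, PasswordNeverExpires, PasswordExpired, LockedOut
    if (-not $user.Enabled)              { $problems += 'AD account is disabled' }
    if (-not $user.PasswordNeverExpires) { $problems += 'PasswordNeverExpires is not set' }
    if ($user.PasswordExpired)           { $problems += 'password has already expired' }
    if ($user.LockedOut)                 { $problems += 'account is locked out' }

    # 2. Exported .p12: exists, opens with the certificate password,
    #    carries a private key and is valid for at least $MinDaysValid days.
    if (-not (Test-Path -LiteralPath $P12Path)) {
        $problems += "certificate file not found: $P12Path"
    } else {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($P12Path, $P12Password)
            if (-not $cert.HasPrivateKey) { $problems += 'PKCS#12 contains no private key' }
            $daysLeft = ($cert.NotAfter - (Get-Date)).Days
            if ($daysLeft -lt $MinDaysValid) {
                $problems += "client certificate expires in $daysLeft days ($($cert.NotAfter))"
            }
        } catch {
            $problems += "could not open PKCS#12 (wrong password or corrupt file): $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Account     = $SamAccountName
        Certificate = $P12Path
        Ready       = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Example call with placeholder values; replace them with your own.
Test-WS1IntegrationAccount -SamAccountName 'svc-ws1access' `
    -P12Path 'C:\temp\ws1-admin.p12' -P12Password 'CertPassword'
```

If Ready is $false, fix the listed problems before entering the account and certificate in Workspace ONE Access, since the sync will otherwise stop without a clear error once the password or certificate expires.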

Configuration of Workspace ONE Access

Log in to the Workspace ONE Access administration console. Click the Setup tab, then the VMware Workspace ONE UEM tab.

Enter the information below exactly as you configured it in the Workspace ONE UEM console under REST API.

Caution: The Workspace ONE UEM Group ID field is case sensitive and causes problems if you do not type it exactly as it appears in the UEM console.

Keep it enabled (default).
