Modern Workplace and Management with the efficiency of pure Cloud – Part 6 (User provisioning Workspace ONE UEM)

If you also want to use Enterprise Mobility Management or Modern Management for your devices, and keep the configuration described earlier in which users authenticate against Okta before they can log in to the Workspace ONE platform, you can integrate Workspace ONE UEM as well.

In the best case, users can use their Okta account in Workspace ONE UEM too, for every device they use now or will use in the future. For example, a user has a Windows 10 laptop for working in the office (described later) or from home, and additionally has a smartphone, an iPhone for instance. That user wants to log in to every device with the same account and one single password.

Therefore, we configure user provisioning from Workspace ONE Access to Workspace ONE UEM via the AirWatch provisioning application. As a result, the user is created in Okta, then provisioned to Workspace ONE Access, and after that to Workspace ONE UEM. Is that cool?!

Another use case: the customer has an HR platform in place, Workday for instance. Okta can integrate with Workday through its standard API and import users and groups from it. In that case you don't need to create users in Okta; they are imported directly from Workday. That is out of scope for this guide, but it serves as an example of further use cases and capabilities.

Configuration of the AirWatch provisioning application for user provisioning

As the next step, we have to integrate the AirWatch provisioning app into the Workspace ONE Access catalog to provision users from Workspace ONE Access (who in turn come from Okta) to Workspace ONE UEM.

  • Log in to the Workspace ONE Access admin console
  • Catalog
  • Web Apps
  • New
  • In the search box type AirWatch
  • Choose the AirWatch provisioning application
  • Next
  • In Configuration leave Single Sign-On URL and Receipt URL at default
    • Alternatively, you can use the option URL / XML instead of Manual. The web application is then configured by auto-discovery using metadata

Note: the configuration of the Single Sign-On URL and Receipt URL depends on your company's setup and requirements.

  • Next
  • Next
  • Save
  • Choose the created AirWatch provisioning app
  • Edit
  • Check that Show Provisioning Options is enabled (Yes)
  • Check that Show in User Portal is disabled
  • Next
  • Next at Access Policy
  • In the provisioning step enter the necessary information
    • Workspace ONE UEM host (example: https://asxxx.awmdm.com)
      • Workspace ONE UEM console – Groups & Settings – All Settings – System – Advanced – Site URLs
    • Admin Username
    • Admin Password
      • Be aware that the Workspace ONE UEM console requires the password for the admin account to be changed every 30 days. Update the account in the AirWatch provisioning app as well to prevent issues. Best practice: use a service account whose password doesn't expire; otherwise you have to change the password and update this configuration every 30 days
      • The role of that account in the Workspace ONE UEM console has to be, or should be, Console Administrator
    • Workspace ONE UEM API Key
      • You created this in a previous step (UEMAccessAPI). If you don't have one, go to Workspace ONE UEM console – Groups & Settings – All Settings – System – Advanced – API – REST API
        • Create a Service Name (for instance UEMAccessAPI) and choose Admin as the Account Type
    • Workspace ONE UEM Group ID (Top Level OG Group ID)

Caution: Please double check the Group ID

  • Check that Provisioning is enabled
  • Test Connection
  • Next
  • In the User Provisioning step
    • Verify that all attributes with which to provision users in Workspace ONE UEM are listed
    • Attributes with an asterisk are required for provisioning
  • Next
  • In the Group Provisioning step, you can add groups if you want to provision any
  • If a group was provisioned before, you can deprovision it

Caution: This makes sure that the group created in Okta is provisioned to Workspace ONE Access. In Workspace ONE Access, you additionally have to assign the AirWatch provisioning application to the synchronized group; otherwise the members will not be provisioned with the group!

Additionally, assign the AirWatch application to the group, which makes sure that all new users in the group automatically get the Workspace ONE UEM Self-Service Portal (AirWatch SSP) enabled.

  • Next
  • Save

As before, you now have to assign the AirWatch provisioning application to the group you want to provision to Workspace ONE UEM.

  • Choose the AirWatch Provisioning application from the Catalog Web Apps
  • Assign
  • Search for the user or group to which you want to assign it

How to check if provisioning of users and groups works

Once everything is set, you can check the configuration as follows:

  • Click the AirWatch Provisioning application again
  • Assign
  • Check the provisioning status

Another option:

  • In the Workspace ONE Access administrator console, click Dashboard
  • Reports
  • Select Provisioning Status
  • For the application, choose AirWatch provisioning
  • Click Show

You should see a result like this. You can also export it as CSV if you want.
