Access Resources – UEM Authority
http://guides.uemauthority.com
Learn. Test. Deploy
Thu, 20 Jan 2022 16:27:02 +0000

Integrate Workspace ONE Access with On-Premises Active Directory
http://guides.uemauthority.com/knowledge-base/integrate-workspace-one-access-with-on-premises-active-directory/
Thu, 13 Jan 2022 15:10:16 +0000

Integrating with directory services eliminates the need to create basic user accounts in your organization. Such integration can also help simplify the enrolment process for end-users by applying the information they already know. Ongoing LDAP synchronization detects any changes within the system. This synchronization performs necessary updates across all devices for affected users.

We will use the Workspace ONE Access Connector and the Directory Sync Service, which work very well together with a UEM implementation. Workspace ONE Access synchronizes users using a read-only connection to Active Directory.

Steps:

  1. We will add the Connector, and download the config file:

· From the Workspace ONE Access Console, click Identity & Access Management.

· In the top right, click Setup.

· Click New.

· In the top right, click Add.

· Download the installer.

· Click Next.

· Enter the password and download the configuration file.

2. We will download Workspace ONE Access (formerly Identity Manager) Connector 21.08.0.0 and set it up on your Windows Server machine:

From the Windows Server machine:

· From the Workspace ONE Access Console, click Identity & Access Management.

· In the top right, click Setup.

· Click New.

· Click GO TO MYVMWARE.COM.

· Click DOWNLOAD NOW to download it.

· Once it is downloaded to your Windows Server machine, right-click it, click Run as administrator, then install it.

· Once the installation is complete, it will show under Identity & Access Management.

The VMware Workspace One Access Connector service installed successfully.


The Workspace ONE Access (formerly Identity Manager) Connector has been downloaded and set up successfully.

3. We will bind Active Directory to authenticate and authorize your users to access it:


· From Workspace ONE Access console, click Identity & Access Management.

· Click Add Directory, then click Add Active Directory.

· Type your Directory Name, which is your Domain FQDN (Fully Qualified Domain Name), then select the Sync Connector (the FQDN one which we installed), then select Directory Search Attribute to be sAMAccountName.

· At the bottom, enter your bind user details (the bind user who has permission to query users and groups for the required domains) and the password, then click Save & Next.

· After a couple of seconds, Workspace ONE Access retrieves the domain (or domains, if you have more than one configured in your environment). Click Next on each page, then click Sync Directory.

We have successfully synced Active Directory in the Workspace ONE Access console.

Integrate Workspace One with Google
http://guides.uemauthority.com/knowledge-base/integration-with-google/
Thu, 13 Jan 2022 15:09:35 +0000

We will register Workspace ONE UEM with Google using Google Account credentials.

Note: This step is required if you want to enroll Android devices.

Prerequisite:

You need a regular Google Account, or a G Suite account with administrative rights (use a corporate Google Account, not a personal one).

· From Workspace ONE UEM console, click GROUPS & SETTINGS, then click All Settings.

· Click Devices & Users, click Android, then click Android EMM registration, then click REGISTER WITH GOOGLE.

Note: if you are already signed in with your Google credentials, you are directed to the Google “Get Started” page.

· If you are not already signed in, select Sign In, enter your Google credentials, then select Get Started.

· Enter your Organization Name, then press Next One. Fill in all required fields, click To Confirm, then click Complete Registration.

· You are redirected to the Workspace ONE Console. Click TEST CONNECTION to check that everything is configured successfully, then click Save.

You have successfully integrated your Workspace ONE UEM with Google.

Enroll an Android Work Managed device using a unique identifier (afw#hub):

Prerequisites:

  • Android device running version 5.0 or later.
  • Factory reset device.
  • Retrieve the Group ID from Workspace ONE UEM Console as we mentioned before.

1. Begin Enrollment:

· Start your phone after the factory reset is done, then click the arrow shown on the screen.

· Accept the privacy policy, then click Next.

· Connect to Wi-Fi, then click Next.

· Enter afw#hub into the Email or phone text box to download the Workspace ONE Intelligent Hub.


· Install the Agent.

· Click Accept & Continue.

2. Configuring Workspace ONE UEM server details:

· Enter the Workspace ONE UEM server URL, then click Next.

· Enter your Group ID, then click Next.

· Enter your Active Directory credentials, then click Next.

· Click I UNDERSTAND.

· Click I AGREE, then it will set up your device.

3. Confirm Device Enrollment:

· After the device has completed enrollment, you can see the user account details. Tap This Device to view the device status.

You have successfully enrolled your Android Work Managed (Company Owned) device using a unique identifier.

Integrate Workspace One with Apple APNS
http://guides.uemauthority.com/knowledge-base/integration-with-apple/
Thu, 13 Jan 2022 15:09:24 +0000

We will configure Apple Push Notification Service (APNs) in the Workspace ONE UEM console, create a valid APNs certificate and download it from the Apple Push Certificate Portal (this requires an Apple ID), then upload it to the Workspace ONE UEM console to complete the certificate generation and integrate successfully with Apple.

Note: Apple Push Notification service (APNs) is the messaging protocol created by Apple to manage mobile devices.

Note: This step is required if you want to enroll iOS or macOS devices.

Prerequisite:

Corporate Apple ID account: To create an Apple ID for business, a company owner enrolls the business in the Apple Business Manager program. To sign up for Apple Business Manager, provide information such as your organization’s name, D-U-N-S Number, phone number, and website.

Configure Apple Push Notification Service (APNs):

· From Workspace ONE UEM console, click GROUPS & SETTINGS, then click All Settings.

· Click Devices & Users, then click Apple, then click APNs for MDM, then click Generate new certificate (this is a certificate for the Apple Push Notification service; any management tool that wants to manage macOS or iOS needs to send all of its management traffic through Apple's systems).

· Click MDM_APNsRequest.plist to download the plist file (the certificate request), which we will need later, then click Go to Apple.

To manage iOS devices, Workspace ONE UEM requires a valid APNs certificate, so we will create it:

Download the certificate:

· Sign in with your corporate Apple ID (do not use a personal Apple ID).

· Click Create Certificate.

· Click I have read and agree to these terms and conditions, then click Accept.

· Click Browse, choose the MDM_APNsRequest.plist file we downloaded before, then click Upload.

· Click Download.

We have successfully downloaded the certificate.

We will complete the certificate generation and upload it to the Workspace ONE UEM console:

· Go back to Workspace ONE UEM console, press Next.

· Click Upload.

· Click Choose File, choose the certificate we just downloaded, then click Save.

· Enter the Apple ID you used before to generate the Apple certificate, then press Save.

· Click TEST CONNECTION to check that everything is configured successfully.

You have successfully integrated your Workspace ONE UEM with Apple.

Enroll an iOS device with the Workspace ONE Intelligent Hub:

· Navigate to getwsone.com from the Safari browser. Workspace ONE UEM automatically prompts the end-user to go to the App Store and download the Workspace ONE Intelligent Hub application. Follow the download prompts. An Apple ID is required to download the Workspace ONE Intelligent Hub from the iTunes store.

· Select the Workspace ONE Intelligent Hub application and then select either one of the following authentication methods:

· Email Address – Select auto-discovery, which we configured before.

· Server Details – Select to enroll using the server URL.

· QR Code – Select and use the device to scan the QR code received through email or the Support tab.

· Enter your AD credentials (username and password).

· Select Next after reviewing privacy collection information.

· Once redirected to Safari WebView, you are prompted to download the MDM profile. The following message is displayed: This website is trying to download a configuration file. Do you want to allow this?

· Tap Allow and when the download is complete, tap Close.

· Select Allow downloading the MDM profile.

· Install the MDM profile. Accept any prompts for trust.

· Once the MDM profile is installed, navigate back to Hub.

· Select Done to complete enrollment. A success message is displayed. The enrollment into Workspace ONE UEM is now complete.

You have successfully enrolled an iOS device with the Workspace ONE Intelligent Hub.

Private article
http://guides.uemauthority.com/knowledge-base/windows-10-enrollment-example/
Thu, 13 Jan 2022 15:09:05 +0000

Enable Enrollment via E-mail Discovery
http://guides.uemauthority.com/knowledge-base/enable-enrollment-via-e-mail-discovery/
Thu, 13 Jan 2022 15:08:31 +0000

Note: Retrieving the Group ID from Workspace ONE UEM Console:

Retrieve your Group ID from the Workspace ONE UEM Console. The Group ID is required when enrolling your device.

  • From the Workspace ONE UEM console, select the Organization Group tab at the top of the screen.
  • Your Group ID is displayed at the bottom of the Organization Group pop-up.

Enable Enrollment via E-mail Discovery:

To enroll any device, you need the server URL and the Group ID of the environment it connects to. To spare your users from needing to know that information, you can set up email auto-discovery, which is required for Windows.

When we configure email-based enrollment, users enter their email address during enrollment and their correct environment is discovered automatically.

· From Workspace ONE UEM console, click GROUPS & SETTINGS, then click All Settings.

· Click General.

· Click Enrollment.

· Click the ADD EMAIL DOMAIN button.

· Enter an email address from the domain that you want to use. Note that you will need access to this email to confirm that you own the domain.

· Your status will now say “pending”. Go to your email account and verify the email.

· Once you click on the link, refresh the page or status and the status will change to Complete.

You have successfully enabled enrollment via e-mail discovery. You can now enter an email address to enroll into your environment.

Configure the Workspace ONE UEM console with Assist On-Premises
http://guides.uemauthority.com/knowledge-base/configure-the-workspace-one-uem-console-with-assist-on-premises/
Thu, 13 Jan 2022 15:06:11 +0000

After installing the Workspace ONE Assist server and all its components, configure the UEM console to communicate with the Workspace ONE Assist server.

· From Workspace ONE UEM console, go to GROUPS & SETTINGS.

· Click All settings.

· Click System.

· Click Advanced.

· Click Site URLs.

· Click Workspace ONE Assist.

· Enter your Console Connection Name, which is the Workspace ONE Assist server fully qualified domain name (FQDN) plus “/t10”.

· Enter your Device Connection Name, which is the Workspace ONE Assist server fully qualified domain name (FQDN).

· Click Save.

Workspace ONE Assist is now ready to remotely access any enrolled device through your portal.

Creating a New Certificate Template in Workspace ONE UEM
http://guides.uemauthority.com/knowledge-base/creating-a-new-certificate-template-in-workspace-one-uem/
Thu, 13 Jan 2022 15:05:12 +0000

· In the Workspace ONE UEM Administration Console, go to Devices.

· Click Certificates.

· Click Certificate Authorities.

· Click Add.

· Provide a Name for the Template.

· Select your Certificate Authority which you just created.

· Enter your Issuing Template in the following format: certificatetemplate:[ADCS-TEMPLATE]. In my lab, my issuing template would be “certificatetemplate:WS1Cert”.

· Select the Subject Name. Remember, the subject name is what the browser will present to the user. In Workspace ONE Access, we don’t have to use the subject to match the correct user.

· Select the correct private key length (per your CA settings).

· Select both Signing and Encryption.

· Under SAN, add the following:

Email Address -> {EmailAddress}

User Principal Name -> {UserPrincipalName}

DNS Name -> UDID={DeviceUid}

· Select Automatic Certificate Renewal.

· Select Name Certificate Revocation.

· Click Save.

You have successfully created a new certificate template in Workspace ONE UEM.

Workspace ONE Assist
http://guides.uemauthority.com/knowledge-base/workspace-one-assist/
Thu, 13 Jan 2022 14:21:47 +0000

Workspace ONE Assist is a remote management service that provides IT and Help Desk personnel with the ability to remotely troubleshoot, support, maintain, and provide training on mobile and desktop devices, without requiring physical access to the device. Assist offers tremendous value for our Knowledge Worker/Enterprise customers and the Rugged/Business critical market. Assist provides several tools to enable IT to troubleshoot and resolve various classes of device issues across the various platforms; Assist includes Remote View/Control, File Manager, Command Line/Shell, and Registry Editor. Assist eliminates end-user downtime, lost productivity, device returns, visits to Help Desks, and site visits by IT.

Workspace ONE Assist includes the following components:

Workspace ONE Assist Core Services: Services responsible for coordinating communication and providing service discovery for all other Workspace ONE Assist services. All database communication is handled through these services.

Workspace ONE Assist Portal Services: Services that host the Workspace ONE Assist administration portal that manages remote device sessions and registration.

Workspace ONE Assist Application Services: Services responsible for communicating with devices available for remote management that have already been enrolled. For device enrollment, see the basic guide: Deploy Workspace One 101 – For Beginners.

Workspace ONE Assist Connection Proctor: Proctor for managing device connections to the Workspace ONE Assist server. Simultaneously handles multiple requests for remote management sessions.

Database: Microsoft SQL Server database that stores the Workspace ONE Assist system and tenant configuration, operations, and logging, such as the accrual of historical data showing when a device was enrolled in remote management.

Install Workspace ONE Assist to an On-Premises Environment:

1. Generate the Workspace ONE Assist T10 API Certificate:

Download the Workspace ONE Assist installer package from VMware Workspace ONE Assist 5.3 Installer. You must generate the T10 API root and intermediate certificates used during an on-premises installation.

Note: The certificate generator is called RemoteManagementCertificateGenerator_9_2. This installer must be run on a machine with the same locale settings as the database server to ensure that the same date format is set in the SQL script. You must run this certificate generator as an administrator.

Run the Remote Management Certificate Generator, which is included in the installer package.

· From Workspace ONE UEM console, go to GROUPS & SETTINGS.

· Click All Settings.

· Click System.

· Click Advanced.

· Click Site URLs.

· Go to the Workspace ONE section, then copy the string in the Remote Management CN text box.

· Set the connection type to Remote Management.

· Set the deployment to On-Premises.

· Enter the Remote Management CN we copied before in the Certificate Common Name field.

· Click Generate Certificates.

· Set a password for the certificate. We will use it later.

· Go to the folder that contains the certificate and copy the p7b file to the c:\temp\certs folder on the Workspace ONE Assist Server.

The certificate has been generated successfully.

2. Install Site SSL Certificate, Assist On-Premises Only:

SSL certificates provide secure, encrypted communications between a website and an Internet browser. The SSL certificate secures the HTTPS binding for the management website on port 443 and allows a secure connection. This secure connection is between the admin and Web services. Also, the SSL certificate secures the connection to the Connection Proctor on port 8443 (or port 443 when the Connection Proctor (CP) Service runs on a separate server). The SSL certificate you provide must be a wildcard or SAN certificate.

· Run the Microsoft Management Console (MMC).

· Click File, then click Add/Remove Snap-in.

· Click Certificates, then click Add.

· Click Computer Account, then click Next.

· Click Local Computer, then click Finish.

· Click OK.

· Click Certificates (Local Computer), then click Personal.

· Click Certificates.

· In the Action menu of the MMC application, click All Tasks.

· Click Import.

· Click Next to begin the Wizard.

· Click Browse to locate the SSL certificate in the PFX file format which we generated before, then give it a name.

· Click Open to import it.

· Enter the Certificate password.

· Add checkmarks to the two boxes labeled Mark this key as exportable and Include all extended properties.

· Click Next.

· Select Place all certificates in the following store and set the Certificate store to ‘Personal’.

· Click Next.

· Confirm all the presented information is correct, then click Finish.

Your SSL certificate has been installed successfully.

We are installing Workspace ONE Assist for the first time, so you do not need to bind the SSL certificate to a website or renew the site thumbprint.

3. Standard (Basic) Installation of Workspace ONE Assist:

· Download the Workspace ONE Assist installer from https://my.workspaceone.com, then save it to the Workspace ONE Assist server.

· Right-click the installer file and select Run as administrator.

· Click Next.

· Choose a directory in which to install Workspace ONE Assist.

· Click Standard Installation (Basic) and then select Next.

· Click Connect to existing SQL Server, then enter all required data for it.

· Enter your Tenant FQDN (explained earlier).

· In the SSL Certificate text box, select the folder button, then select the SSL certificate which we generated before.

· Click OK.

· Uncheck Apply Default Settings.

· Select the folder icon to attach the T10 certificate.

· Browse for the T10 certificate which we downloaded before.

· Click Open.

· Click Save.

· Click Next.

· Click Install.

· Click Next after the installation is finished.

· Leave the Execute Resource pack check box selected, then click Finish.

You have successfully installed Workspace ONE Assist.

Managing Directory Settings in Workspace ONE Access
http://guides.uemauthority.com/knowledge-base/managing-directory-settings-in-workspace-one-access/
Thu, 13 Jan 2022 14:21:41 +0000

After you set up a directory in the Workspace ONE Access service, you can view and modify the directory configuration and sync settings. For the changes to take effect, you can trigger a manual sync or wait for the next scheduled sync run.

  1. Syncing a Directory manually in Workspace ONE Access:

When you want to sync updates from your Active Directory to your Workspace ONE Access directory immediately, you can start the sync process manually.

· Click Identity & Access Management, then click Manage.

· Click Directories.

· Click the directory you want to sync.

· Click Sync, then select Sync with Safeguards or Sync without Safeguards to sync it manually.

The sync safeguard thresholds that are set limit the number of changes that can be made to users and groups when the directory syncs.

· From the sync settings, click Safeguards, set the percentage of changes that triggers the sync to fail, then click Save.

You have successfully synced a directory manually in Workspace ONE Access.

2. Setting up a Directory Sync Schedule in Workspace ONE Access:

You can set up a sync schedule so that users and groups are synced automatically from your Active Directory or LDAP directory to the Workspace ONE Access service at regular intervals.

· Click Identity & Access Management, then click Manage.

· Click Directories.

· Click the directory you want to sync.

· Click Sync Settings.

· In the Sync Frequency tab, set how often the sync runs, then click Save.

You have successfully set up a directory sync schedule in Workspace ONE Access.

Sync On-Premise Active Directory in Workspace ONE Access
http://guides.uemauthority.com/knowledge-base/sync-on-premise-active-directory-in-workspace-one-access/
Thu, 13 Jan 2022 13:35:33 +0000

Integrating with directory services eliminates the need to create basic user accounts in your organization. Such integration can also help simplify the enrolment process for end-users by applying the information they already know. Ongoing LDAP synchronization detects any changes within the system. This synchronization performs necessary updates across all devices for affected users.

We will use the Workspace ONE Access Connector and the Directory Sync Service, which work very well together with a UEM implementation. Workspace ONE Access synchronizes users using a read-only connection to Active Directory.

Steps:

  1. We will add the Connector, and generate the Activation Code:

· From the Workspace ONE Access Console, click Identity & Access Management.

· In the top right, click Setup.

· Click Legacy Connector.

· In the top right, click Add.

· Name your Connector so you can identify it, then click Generate Activation Code. This creates a key that we will use later, so copy it and save it.

2. We will download Workspace ONE Access (formerly Identity Manager) Connector 20.01.0.1 and set it up on your Windows Server machine:

From the Windows Server machine:

· From the Workspace ONE Access Console, click Identity & Access Management.

· In the top right, click Setup.

· Click New.

· Click GO TO MYVMWARE.COM.

· Click DOWNLOAD NOW to download it.

· Once it is downloaded to your Windows Server machine, right-click it, click Run as administrator, then install it.

The VMware Identity Manager Connector service installed successfully. To configure VMware Identity Manager Connector, Select “Yes” to launch the browser or “No” to exit the installation.

The Workspace ONE Access (formerly Identity Manager) Connector has been downloaded and set up successfully.

3. Complete setup from the Workspace Identity Manager Connector side:

· Click Continue.

· After clicking Continue, you need to set passwords: enter your password, confirm it, then click Continue.

· You will see the Activate Connector page, where you paste the Activation Code generated earlier on the Workspace ONE Access admin page, then click Continue.

Congratulations! You have achieved the complete setup from the Workspace Identity Manager Connector side.

4. We will bind Active Directory to authenticate and authorize your users to access it:

· From Workspace ONE Access console, click Identity & Access Management.

· Click Add Directory, then click Add Active Directory over LDAP/IWA.

· Type your Directory Name, which is your Domain FQDN (Fully Qualified Domain Name), then select the Sync Connector (the FQDN one which we installed), then select Directory Search Attribute to be sAMAccountName.

· At the bottom, enter your bind user details (the bind user who has permission to query users and groups for the required domains) and the password, then click Save & Next.

· After a couple of seconds, Workspace ONE Access retrieves the domain (or domains, if you have more than one configured in your environment). Click Next on each page, then click Sync Directory.

We have successfully synced Active Directory in the Workspace ONE Access console.
