Table of Contents - VMwaredocs.hol.vmware.com/HOL-2017/hol-1757-mbl-3_pdf_en.pdf · Lab Overview -...

Table of Contents

Lab Overview - HOL-1757-MBL-3 - VMware AirWatch: Workspace ONE, Single Sign-on and VMware Identity Manager
    Lab Guidance
Module 1 - Workspace ONE Setup and Configuration (60 minutes)
    VMware Enterprise Systems Connector Setup
    Login to the AirWatch Console
    Directory Services Integration and Identity Manager User Sync
    Integrate AirWatch and VMware Identity Manager using the Cloud KDC
    iOS Device Enrollment With Directory Account
    SSO Validation
    Un-enrolling Your Device

Lab Overview - HOL-1757-MBL-3 - VMware AirWatch: Workspace ONE, Single Sign-on and VMware Identity Manager

Lab Guidance

Explore Workspace ONE configuration and how it simplifies authentication by leveraging Single Sign-On. Set up the Cloud Connector and AD integration, and provide ease of use by leveraging the Cloud KDC for signing in automatically. The approximate time required to finish this lab is 1 hour.

Lab Module List:

• Workspace ONE Setup and Configuration (60 minutes) (Advanced) Set up ACC and AD integration and complete the Identity Manager configuration. The goal of this lab is to perform the setup which will offer automatic signing in. Validate the setup on an iOS device by performing Single Sign-On.

Lab Captains:

• All modules: Roger Deane, Shardul Navare, Justin Sheets.

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages. To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf

Location of the Main Console

1. The area in the RED box contains the Main Console. The Lab Manual is on the tab to the right of the Main Console.
2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your work must be done during the lab session. But you can click EXTEND to increase your time. If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes. Each click gives you an additional 15 minutes. Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.

Accessing the Online International Keyboard

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

Click once in active console window

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.
2. Click on the Shift key.

Click on the @ key

1. Click on the "@" key.

Notice the @ sign entered in the active console window.

Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.

Look at the lower right portion of the screen

Please check to see that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

Module 1 - Workspace ONE Setup and Configuration (60 minutes)

VMware Enterprise Systems Connector Setup

This chapter will walk through the setup of the VMware Enterprise Systems Connector and connection to Active Directory for use as a single point of authentication.

Access the AirWatch Console from the ACC Server

You will now install the VMware Enterprise Systems Connector onto the ACC Server in the lab. The VMware Enterprise Systems Connector allows users and administrators to authenticate to AirWatch using their Active Directory accounts. The VMware Enterprise Systems Connector will also allow us to connect to your internal Certificate Authority and retrieve certificates to issue to your mobile devices for use with authentication. Certificate authentication allows your users to authenticate to services without the need to remember user names and passwords.

Connect to the ACC Server

On the Lab desktop, double click on the ACC Server remote desktop icon.

NOTE - If you are prompted for a password for the “corp\administrator” user, enter the password “VMware1!” and click the OK button.

Launch Internet Explorer

Now that you are remotely connected, open Internet Explorer on the ACC Server from the toolbar.

Authenticate to the AirWatch Administration Console from the ACC Server

1. Navigate to "https://hol.awmdm.com" which will display the login page shown above.

2. Enter your Username. This is your email address that is associated with your VMware Learning Platform (VLP) account.
3. Enter "VMware1!" for the Password field.
4. Click Login.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the AirWatch Hands On Labs server.

Accept the End User License Agreement

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the AirWatch Terms of Use. Click the Accept button.

Address the Initial Security Settings

After accepting the Terms of Use, you will be presented with a Security Settings pop-up. The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.

1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
3. Enter "VMware1!" in the Password Recovery Answer field.
4. Enter "VMware1!" in the Confirm Password Recovery Answer field.
5. Enter "1234" in the Security PIN field.
6. Enter "1234" in the Confirm Security PIN field.
7. Click the Save button when finished.

Close the Welcome Message

After completing the Security Settings, you will be presented with the AirWatch Console Welcome pop-up.

1. Click on the Don't show this message again check box.
2. Close the pop-up by clicking on the X in the upper-right corner.

Enabling and Downloading the VMware Enterprise Systems Connector

You will now enable and download the VMware Enterprise Systems Connector (VESC).

Accessing the Settings

Once you are authenticated, you now need to navigate to the Settings window.

1. Click on Groups & Settings in the left menu.
2. Click on All Settings in the middle menu.

Overriding the Enterprise Integration Services

You will now be presented with the Settings pop-up screen.

Because you will be using VMware Enterprise Systems Connector (VESC), Enterprise Integration Services must be overridden at the Organization Group level and disabled.

1. Click on System in the top of the left-hand menu to expand it.
2. Click on Enterprise Integration under System in the left-hand menu to expand it.

3. Click on Enterprise Integration Services to select it.
4. Ensure Current Setting is set to Override.
5. Click on the Save button.

NOTE - Do not click on the “Enable Enterprise Integration Service” check box.

Enabling and Saving VESC Settings

1. Click on VMware Enterprise Systems Connector under System > Enterprise Integration in the left-hand menu.
2. You may need to scroll down to view all configuration options.
3. Click to ensure the Override radio button setting is selected for Current Setting.
4. Check the Enable VMware Enterprise Systems Connector check box.
5. You will now see the Enable Auto Update check box; ensure it is also selected.
6. Click the Save button.

Confirm VESC Settings Saved

After clicking the Save button you should see a message stating the save was successful. Click on the OK button.

Downloading VMware Enterprise Systems Connector Installer

1. Scroll down until you see the Download VMware Enterprise Systems Connector Installer link.
2. Click on the Download VMware Enterprise Systems Connector Installer link to download the installation program onto the ACC server.

Setting the VESC Certificate Password

In order to download the VESC Installer, you need to enter a password for the VESC Certificate.

1. Type "VMware1!" in the Certificate Password box.
2. Type "VMware1!" again in the Confirm Password box.
3. Click the Download button.

NOTE - This password can be anything you want. Please note you will need to enter it again during the installation of the application.

Running the Cloud Connector Installer

After clicking the Download button in the previous link, you will be prompted by Internet Explorer to either Run, Save, or Cancel.

1. Click on the Save button.
2. Click Run when Internet Explorer prompts you about running a program from an unknown publisher.

NOTE - The VMware Enterprise Systems Connector may take several minutes to download; please be patient while the download completes!

Installing the VMware Enterprise Systems Connector

When the Welcome screen appears, click the Next button. The installer will verify prerequisites and may take some time to load.

Accept the EULA and the location path for installation.

1. Click the Accept radio button for the license agreement.
2. Click the Next button.

Select the Program Features to Install

1. Ensure that the AirWatch Cloud Connector is set to install and that the VMware Identity Manager Connector is not set to install.

2. Click Next.

Accept the Default Installation Path

Click the Next button.

Enter the VESC Certificate password

1. Enter the password "VMware1!" that was set when the installer was downloaded from the console.

2. Click the Next button.

Proxy Information

Click the Next button.

Start the VESC installation

Click the Install button.

Complete the VMware Enterprise Systems Connector Installation

When the installation is complete, a dialog box will be displayed.

1. Leave the Show the Windows Installer log box unchecked.
2. Click the Finish button.

Testing the VMware Enterprise Systems Connector

Verify that the VMware Enterprise Systems Connector was installed correctly by returning to the console and clicking on the Test Connection button at the bottom.

You should see the message VMware Enterprise Systems Connector is active to the right of the Test Connection button.

Wrap Up the VMware Enterprise Systems Connector Installation

You may now exit the RDP session on the ACC Server.

1. Click the Windows Start button.
2. Click the Log off button.

Login to the AirWatch Console

To perform most of the lab you will need to log in to the AirWatch Management Console.

Launch Firefox Browser

Double-click the Firefox Browser on the lab desktop.

Authenticate to the AirWatch Administration Console

The default home page for the browser is https://hol.awmdm.com. Enter your AirWatch Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
2. Enter "VMware1!" for the Password field.
3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the AirWatch Hands On Labs server.

Directory Services Integration and Identity Manager User Sync

In this chapter, you will set up Active Directory Services to work with AirWatch MDM. You should have closed the RDP connection and returned to the main console desktop. From here you will pull up the AirWatch console which you should have authenticated to on this server prior to installing the VMware Enterprise Systems Connector. If you haven't yet opened the console, please do so now by following the instructions in Login to the AirWatch Console.

Open All Settings

1. Click the Groups & Settings button on the left menu.
2. Click the All Settings button from the middle menu.

Selecting Directory Services

1. Click the System section to expand the section.
2. Click the Enterprise Integration dropdown section.
3. Click the Directory Services button.
4. Click the Skip wizard and configure manually link.

Server Setup

Configure the Server section of Directory Services as follows:

1. Confirm that the Server tab is selected.
2. Enter "controlcenter.corp.local" in the Server box.
3. Confirm that the Encryption Type is set to None.
4. Scroll down to continue configuring the Server section.

Server Setup (continued)

1. Enter "389" for the Port field.
2. Enter "3" for the Protocol Version field.
3. Select GSS-NEGOTIATE for the Bind Authentication Type. NOTE - You may need to scroll to the right to see this option.
4. Enter "corp\administrator" for the Bind Username field.
5. Enter "VMware1!" for the Bind Password field.
6. Enter "corp.local" in the Domain field.

User Setup

Configure the User section of Directory Services as follows:

1. If necessary, scroll back to the top of the menu where the Server, User, and Group tabs are.
2. Click the User tab.
3. Enter "dc=corp,dc=local" for the Base DN box.

Group Setup

Configure the Group section of Directory Services as follows:

1. Click the Group tab.
2. Enter "dc=corp,dc=local" for the Base DN field.
3. Enter "container" for the Organizational Unit Object Class field.
4. Expand the Advanced section by clicking the > Advanced button.
5. Scroll down to the bottom.

Group Setup (continued)

1. Click the Pencil button beside the Organizational Unit field to edit the entry.
2. Enter "cn" for the Organizational Unit field.
3. Click Save.

Confirm Directory Services Saved Successfully

After the Saving loading wheel finishes, you should see the Saved Successfully confirmation appear.

Test Directory Services Connection

1. Scroll down to the bottom of the Group section again.
2. Click the Test Connection button.

3. Confirm that the Connection successful with the given Servername, Bind Username and Password message is displayed.
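
A pre-flight check for the Directory Services values entered in the Server, User and Group tabs above, added here as an example and not part of the VMware lab manual or of AirWatch. It verifies that the base DNs fall under the stated domain and that port and encryption agree, and it flags unencrypted transport and a built-in Administrator bind account. The dictionary keys, finding codes, the `SSL` / `START TLS` / `BASIC` labels and the second sample configuration are assumptions.

```python
"""Added example: consistency checks for the lab's Directory Services values."""

# Standard LDAP ports: 389 for plain LDAP and StartTLS, 636 for LDAP over TLS.
# "SSL", "START TLS" and "BASIC" are assumed label spellings; the lab page
# itself only shows Encryption Type "None" and bind type "GSS-NEGOTIATE".
EXPECTED_PORT = {"NONE": 389, "START TLS": 389, "SSL": 636}
BUILTIN_ADMIN = "administrator"


def domain_to_dn(domain):
    """Turn a DNS domain into its root DN: corp.local -> dc=corp,dc=local."""
    return ",".join("dc=" + label for label in domain.strip().lower().split("."))


def normalize_dn(dn):
    """Lower-case a DN and trim each RDN (escaped commas are not handled)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def split_bind_username(name):
    """Return (domain_part, user) for DOMAIN\\user or user@domain."""
    if "\\" in name:
        dom, user = name.split("\\", 1)
        return dom.lower(), user.lower()
    if "@" in name:
        user, dom = name.rsplit("@", 1)
        return dom.lower(), user.lower()
    return None, name.lower()


def audit_directory_settings(cfg):
    """Return a list of (code, field, message) findings for one configuration."""
    findings = []

    def flag(code, field, message):
        findings.append((code, field, message))

    enc = cfg["encryption"].strip().upper()
    if enc not in EXPECTED_PORT:
        flag("UNKNOWN_ENCRYPTION", "encryption",
             "unrecognised value %r" % cfg["encryption"])
    else:
        if enc == "NONE":
            flag("NO_TLS", "encryption",
                 "LDAP session is not wrapped in TLS")
            if cfg["bind_auth"].strip().upper() == "BASIC":
                flag("CLEARTEXT_BIND", "bind_auth",
                     "simple bind without TLS sends the bind password in clear")
        if int(cfg["port"]) != EXPECTED_PORT[enc]:
            flag("PORT_MISMATCH", "port",
                 "port %s does not match encryption %s (expected %d)"
                 % (cfg["port"], enc, EXPECTED_PORT[enc]))

    _, user = split_bind_username(cfg["bind_username"])
    if user == BUILTIN_ADMIN:
        flag("PRIVILEGED_BIND_ACCOUNT", "bind_username",
             "bind account is the built-in Administrator; a read-only "
             "service account is enough for directory lookups")

    root = domain_to_dn(cfg["domain"])
    for field in ("user_base_dn", "group_base_dn"):
        base = normalize_dn(cfg[field])
        if base == root:
            flag("BASE_DN_IS_DOMAIN_ROOT", field,
                 "searches and sync cover the whole domain tree")
        elif not base.endswith("," + root):
            flag("BASE_DN_OUTSIDE_DOMAIN", field,
                 "%s is not under %s" % (base, root))
    return findings


def codes(findings):
    """Collapse findings to a sorted list of (code, field) pairs."""
    return sorted({(code, field) for code, field, _ in findings})


# Values exactly as entered in the lab steps above.
LAB_SETTINGS = {
    "server": "controlcenter.corp.local", "encryption": "None", "port": 389,
    "bind_auth": "GSS-NEGOTIATE", "bind_username": r"corp\administrator",
    "domain": "corp.local",
    "user_base_dn": "dc=corp,dc=local", "group_base_dn": "dc=corp,dc=local",
}

# Constructed comparison values (account name and OUs are hypothetical).
SCOPED_SETTINGS = dict(
    LAB_SETTINGS, encryption="SSL", port=636,
    bind_username="svc-dirsync@corp.local",
    user_base_dn="ou=Staff,dc=corp,dc=local",
    group_base_dn="ou=Groups,dc=corp,dc=local",
)

if __name__ == "__main__":
    for name, cfg in (("lab", LAB_SETTINGS), ("scoped", SCOPED_SETTINGS)):
        print(name)
        for code, field, message in audit_directory_settings(cfg):
            print("  %-24s %-14s %s" % (code, field, message))
```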

vIDM Tenant information e-mail

You should have received an email titled HOL-1757-MBL-3 with steps to set up your vIDM tenant. This email is sent to the account you use to sign into VLP. In the e-mail, notice your:

1. Tenant: This should be in the format https://{FirstNameLastName4digits}.vmwareidentity.com. You will use this URL to access your vIDM tenant admin console.
2. Admin Username: This should be in the format {FirstNameLastName4digits}. You will use this admin account to log into your vIDM tenant admin console.
3. Admin Password setup: You will use this link to reset your vIDM admin password in the next step.

Click the Admin Password Setup link provided to set a new password for your tenant.

Setting up VMware Identity admin password

NOTE - You must complete this step on a device outside of the lab environment as you won't be able to access your email from the server. You can use your smart phone or laptop computer.

1. Enter "VMware1!" for the New Password field.
2. Enter "VMware1!" for the Confirm Password field.
3. Click the Change Password button.

Now you should return to your lab environment.

Confirm Password was Changed

You should see a confirmation that the password was successfully changed. Click the Go to Sign In Page button.

Login to your VMware Identity Manager Tenant

Back in the main console of the lab, navigate to your tenant URL if not done already.

1. Enter the Admin Username you received in the email for the Username field. NOTE - This will also be the same name as your tenant. If you check the URL, you should see https://[tenantName].vmwareidentity.com. The text within [tenantName] is your Admin username as well.
2. Enter "VMware1!" for the Password field.
3. Click the Sign In button.

Accept the Terms and Conditions

Click the Accept button.

Switch to the Administration Console (If Needed)

NOTE - You will only need to complete this step if you see the User Portal view that says "No apps are currently available." If you do not see this message, you can skip these steps!

1. If you see the "No apps are currently available" message, you are currently in the User Portal section of the Identity Manager console and will need to switch to the Administration Console before continuing.
2. Click the Tenant Admin menu in the top-right.
3. Click Administration Console. This will open the Administration Console in a separate tab.

Navigate to Identity & Access Management Setup

1. Click the Identity & Access Management button.
2. Click the Setup button.

Ignore the warning message

You might see a warning message specifying that a Connector has not been configured. Ignore this message for now, as we will be covering this step in a later section. Click on X to get rid of the warning message, if needed.

Edit User Attributes

1. Click the User Attributes button.
2. Scroll down to find the distinguishedName and userPrincipalName fields.
3. Enable the Checkbox for the distinguishedName field.
4. Enable the Checkbox for the userPrincipalName field.

Save User Attribute Changes

Switch to the AirWatch Console

In the browser, click the AirWatch tab to return to the AirWatch Console.

Navigate to All Settings

1. Click Groups & Settings.
2. Click All Settings.

Navigate to the VMware Identity Manager Settings

1. Click System.
2. Click Enterprise Integration.
3. Click VMware Identity Manager.
4. Click the Configure button under the Server section.

Configure the Server Settings

To configure the settings on this page, you will need to enter your Tenant URL and the Tenant Admin Username that you used in previous steps. If you've forgotten your information, refer to the email you received (entitled "HOL-1757-MBL-3"). The contents of this email will be formatted as below:

------------------------

Hello,

You have been generated a vIDM tenant with the following details:

Tenant: https://{FirstNameLastName####}.vmwareidentity.com

Admin UserName: {FirstNameLastName####}

Admin Password setup: {Password Reset Link}


Please follow the link to setup your password for your Admin user ([adminUsername]) for your vIDM tenant: [resetURL].

Please note that you will not be able to log into your vIDM tenant using the above Admin user until you setup your password using the above link!

------------------------

1. Enter the Tenant URL from the email in the URL field.
2. Enter the Tenant Admin Username from the email in the Admin Username field.
3. Enter "VMware1!" for the Admin Password field.
4. Click Test Connection. You should receive a "Connection successful with the given URL, Username and Password" message.
5. Click Next.


Directory Configuration

1. Enter "corp.local" in the Directory field.
2. Click the Save button.

Switch to VMware Identity Manager Console

Click on the VMware Workspace One tab.


Navigate to Directories

1. Click Identity & Access Management.
2. Click Directories.
3. Confirm that the corp.local Directory has been added as the Other Directory.

Switch to the AirWatch Console

In the browser, click on the AirWatch tab.


Navigate to User Groups

1. Click Accounts.
2. Click User Groups.
3. Click List View.
4. Hover the mouse over Add.
5. Click Add User Group.


Search for a User Group

1. Select Organizational Unit in the External type dropdown.
2. Type "Users" in the Search Text field.
3. Click Search.


Select the "Users" User Group

1. Select Users from the list that is returned.
2. Click Save.

Edit the new User Group

Click the Pencil icon for the new Users user group.


Add Group Members Automatically

1. Scroll down if necessary to see the Maximum Allowable Changes and Add Group Members Automatically fields.
2. Enter "100" for the Maximum Allowable Changes field.
3. Enable the Add Group Members Automatically check box.
4. Click Save.


Sync AD Users

1. Click the check box next to the Users user group to select it.
2. Click on the Sync button. This will add all the users in AD to AirWatch.

Acknowledge Sync

Click OK.


Confirm Sync

1. To view the number of Users synced to the Users user group, you may need to scroll your screen to the right.
2. Confirm that you see 24 Users synced for the group.


Integrate AirWatch and VMware Identity Manager using the Cloud KDC

Navigate to All Settings

1. Click Groups & Settings.
2. Click All Settings.

Enable the Certificate

1. Click System.
2. Click Enterprise Integration.
3. Click VMware Identity Manager.
4. Scroll down to the Certificate section.
5. Click Enable.


Export the Certificate

1. Scroll back down to the Certificate section again.
2. Click the Export button.


Save the Certificate

1. In the Save Dialog prompt, select Save File.
2. Click OK.

The Certificate (VidmAirWatchRootCertificate.cer) will be saved in the Downloads folder. You will need this certificate in an upcoming step.

Switch to VMware Identity Manager Console

Click on the VMware Workspace One tab.


Navigate to Directories Settings

1. Click the Identity & Access Management tab.
2. Confirm that the corp.local Directory and Users have been synced.

Navigate to the Identity Providers page

1. Click Identity Providers.
2. Click Built-in.


Navigate to the Built-in Kerberos Configuration Page

1. Click on the Authentication Methods section.
2. Ensure that you are changing the settings for Authentication Methods for Built-in Identity Providers.
3. Click on the Edit icon for Mobile SSO (for iOS).

NOTE - If for any reason you cannot see authentication methods, please follow the next steps as a work-around.


Configure Mobile SSO (for iOS)

1. Enable the Enable KDC Authentication check box.
2. Click the Select File button.


Upload the Root Certificate

1. Select the Downloads folder.
2. Select the VidmAirWatchRootCertificate.cer file that was downloaded previously.
3. Click Open.

Confirm the Authentication Adapter Update

Click OK in the confirmation dialog box.


Save the Kerberos Auth Settings

1. Confirm the Certificate was uploaded.
2. Click Save.

Navigate to the Identity Providers page

1. Click Identity Providers.
2. Click Built-in.

Configure the Identity Provider Settings

1. Check the box in the Users section for corp.local.
2. Check the box in the Network section for ALL RANGES.

Save the Identity Provider Settings

1. Scroll down to the bottom of the page to find the Save button.
2. Click Save.


Navigate to the Built-in Identity Providers settings page

Click Built-in again to return to the Identity Provider settings page.

Download the KDC Server Root certificate

1. Scroll down to the bottom of the page to find the KDC Certificate Export section.
2. Click the Download Certificate link.


Save the KDC Server Root Certificate

1. In the Save Dialog prompt, select Save File.
2. Click OK to save the KDC-root-cert.cer in the Downloads folder.

Navigate to the Policies page

1. Click Identity & Access Management.
2. Click Policies.
3. Click the default_access_policy_set link.


Create a new Policy Rule

1. Scroll down to the bottom to view the Policy Rules section.
2. Click the + button to add a new Policy Rule.


Configure the new Policy Rule

1. Select ALL RANGES in the Network Range dropdown.
2. Select iOS in the Device Type dropdown.
3. Select Mobile SSO (for iOS) from the Authentication Method dropdown.
4. Confirm that the Re-authenticate after time is 8 hours.
5. Click OK.


Update the Policy Rules order and Save

1. Click and drag the Mobile SSO (for iOS) handle to the top of the list. This causes our Mobile SSO (for iOS) Policy to be processed first.
2. Click Save.

Switch to the AirWatch Console

Click on the AirWatch tab in Firefox to return to the AirWatch Console.

Close the Settings Page

If necessary, close the Settings page that was left open on a previous step by clicking on the X.


Create a Credentials Profile

1. Click Devices.
2. Click Profiles & Resources.
3. Click Profiles.
4. Hover the mouse over Add.
5. Click Add Profile.

Select Apple iOS platform

Click Apple iOS.


Profile General Settings

1. Click General.
2. Enter "iOS Identity KDC Cert" in the Name field.
3. Scroll down if needed.
4. Click in the Assigned Groups field and a list of groups will appear.
5. Click All Devices ([email protected]).


Configure the Credentials Payload

1. Click the Credentials payload.
2. Click Configure.


Upload the KDC Certificate

1. Ensure Upload is selected for the Credential Source field.
2. Click Upload.

Browse for the KDC Certificate to Upload

Click Browse in the Add popup.


Select the KDC Certificate to Upload

1. Click the Downloads folder.
2. Select the KDC-root-cert.cer file by clicking on it.
3. Click Open.


Save the KDC Certificate

Click Save.


Configure the SCEP Payload

1. Scroll down to find the <--> SCEP payload.
2. Click <--> SCEP.
3. Click Configure.


Confirm SCEP Settings

1. Select AirWatch Certificate Authority for the Credential Source dropdown.
2. Select AirWatch Certificate Authority for the Certificate Authority dropdown.
3. Select Single Sign On for the Certificate Template dropdown.


Create the Single Sign-On Payload

1. Scroll down to view the Single Sign-On payload.
2. Click Single Sign-On.
3. Click Configure.


Configure the Single Sign-On Payload

1. Enter a friendly name like "testsso" in the Account Name field.
2. Enter the "{EnrollmentUser}" lookup value in the Kerberos Principal Name field.
3. Enter "VMWAREIDENTITY.COM" in the Realm field.
4. Select "SCEP #1" from the Renewal Certificate dropdown.


Configure the Single Sign-On Payload (continued)

1. Scroll down until you see the URL Prefixes and Applications sections.
2. Enter your VMware Identity Manager URL (https://{firstnamelastname####}.vmwareidentity.com) in the URLs field.
3. Enter "com.apple.mobilesafari" for the Application Bundle ID field.
4. Click Save & Publish.


Publish the Profile

Click Publish.


iOS Device Enrollment With Directory Account

Enroll Your iOS Device

You are now going to enroll your iOS device for use with this module.


Download/Install AirWatch MDM Agent Application from App Store - IF NEEDED

NOTE - Checked out devices will likely have the AirWatch MDM Agent already installed. You may skip this step if your device has the AirWatch MDM agent installed.

At this point, if using your own iOS device or if the device you are using does NOT have the AirWatch MDM Agent Application installed, then install the AirWatch Application.

To install the AirWatch MDM Agent application from the App Store, open the App Store application and download the free AirWatch MDM Agent application.

Finding your Group ID

The first step is to make sure you know what your Organization Group ID is.


1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
2. Your Group ID is displayed at the bottom of the Organization Group pop up. The Group ID is required when enrolling your device in the following steps.

Launching the AirWatch MDM Agent

Launch the AirWatch Agent app on the device.

NOTE - If you have your own iOS device and would like to test, you will need to download the agent first.


Choose the Enrollment Method

Click on the Server Details button.

Attach the AirWatch MDM Agent to the HOL Sandbox

Once the Agent has launched you can enroll the device. To do so, follow the below steps.

1. Enter "hol.awmdm.com" for the Server field.
2. Enter your Group ID for your Organization Group for the Group ID field. Your Group ID was noted previously in the Finding your Group ID step.
3. Tap the Go button.


NOTE - If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Continue button.


Authenticate the AirWatch MDM Agent

1. Enter "imauser" in the Username field.
2. Enter "VMware1!" in the Password field.
3. Tap the Go button.


Redirect to Safari and Enable MDM Enrollment in Settings

The AirWatch Agent will now redirect you to Safari and start the process of enabling MDM in the device settings.

Tap on Redirect & Enable at the bottom of the screen.


Install the MDM Profile

Tap Install in the upper right corner of the Install Profile dialog box.


Install and Verify the AirWatch MDM Profile

You will now be taken to the Profile installation screen. If a PIN is requested, it is the current device PIN. Provided VMware devices should not have a PIN.

Tap Install when prompted at the Install Profile dialog.


iOS MDM Profile Warning

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.


Trust the Remote Management Profile.

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.


iOS Profile Installation Complete

You should now see the iOS Profile successfully installed.

Tap Done in the upper right corner of the prompt.


AirWatch Enrollment Success

Your enrollment is now completed. Tap Open to navigate to the AirWatch Agent.

Accept the App Installation (IF NEEDED)

You may be prompted to install a series of applications depending on which Module you are taking. If prompted, tap Install to accept the application installation.


SSO Validation

In this section, we will validate that the SSO configuration is working on our iOS device.

Open Settings

Tap Settings.


Navigate to General Settings, Digital Workspace

1. Tap General.
2. Scroll down to find the Device Management option.
3. Tap Device Management.

Open the Digital Workspace profile

Tap the Workspace Services profile.


View More Details

Tap More Details.


Open the Single Sign On Account

You should see the Single Sign On Account that you added in the Profile created in the previous section.

Tap testsso.

Verify Settings

Verify that the following SingleSignOn settings are correct:

1. Principal Name is set to "imauser".
2. Realm is set to VMWAREIDENTITY.COM.
3. URL Prefix Matches is set to "https://{firstNameLastName####}.vmwareidentity.com/". This URL will be your VMware Identity Manager Tenant URL.
4. Eligible App IDs includes "com.apple.mobilesafari".


NOTE - If any of these settings are incorrect, return to the AirWatch Console and inspect your iOS Identity KDC Cert Profile that was previously created.
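
The same four settings can be checked against the profile file rather than by eye. The following Python script is an added example, not part of the VMware lab: it audits the Single Sign-On payload of an unsigned .mobileconfig plist and also confirms that the renewal certificate points at a SCEP payload in the same profile. The payload key names are those of Apple's configuration profile format rather than anything shown in this guide, and the tenant URL, UUIDs and sample profiles are constructed placeholders.

```python
import plistlib

# Expected values from the lab's "Verify Settings" step. TENANT_URL is a
# constructed placeholder for https://{firstNameLastName####}.vmwareidentity.com/.
TENANT_URL = "https://examplelabuser0000.vmwareidentity.com/"
EXPECTED = {
    "PrincipalName": "imauser",
    "Realm": "VMWAREIDENTITY.COM",
    "URLPrefix": TENANT_URL,
    "AppId": "com.apple.mobilesafari",
}


def build_sample_profile(realm, url_prefix, cert_uuid):
    """Return constructed, unsigned .mobileconfig bytes (SCEP + SSO payloads)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "iOS Identity KDC Cert",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.scep",
             "PayloadUUID": "SCEP-0001-CONSTRUCTED"},
            {"PayloadType": "com.apple.sso",
             "PayloadUUID": "SSO-0001-CONSTRUCTED",
             "Name": "testsso",
             "Kerberos": {
                 "PrincipalName": "imauser",
                 "Realm": realm,
                 "URLPrefixMatches": [url_prefix],
                 "AppIdentifierMatches": ["com.apple.mobilesafari"],
                 "PayloadCertificateUUID": cert_uuid,
             }},
        ],
    }
    return plistlib.dumps(profile)


def audit_sso_profile(raw, expected=EXPECTED):
    """Parse an unsigned profile plist; return a list of findings (empty = OK).

    A CMS-signed profile must have its signature wrapper removed first;
    plistlib only reads plain XML or binary plists.
    """
    profile = plistlib.loads(raw)
    payloads = profile.get("PayloadContent", [])
    scep_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == "com.apple.security.scep"}
    sso_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.sso"]
    if not sso_payloads:
        return ["no com.apple.sso payload in profile"]

    findings = []
    for payload in sso_payloads:
        name = payload.get("Name", "<unnamed>")
        krb = payload.get("Kerberos")
        if not isinstance(krb, dict):
            findings.append(f"{name}: missing Kerberos dictionary")
            continue
        if krb.get("PrincipalName") != expected["PrincipalName"]:
            findings.append(f"{name}: PrincipalName is {krb.get('PrincipalName')!r}")
        realm = krb.get("Realm", "")
        if realm != expected["Realm"]:
            hint = " (case differs only)" if realm.upper() == expected["Realm"] else ""
            findings.append(f"{name}: Realm is {realm!r}{hint}")
        prefixes = krb.get("URLPrefixMatches", [])
        # The lab enters the URL without a trailing slash and the device shows
        # it with one, so compare with the slash stripped.
        wanted = expected["URLPrefix"].rstrip("/")
        if wanted not in [u.rstrip("/") for u in prefixes]:
            findings.append(f"{name}: tenant URL not in URLPrefixMatches {prefixes!r}")
        for url in prefixes:
            if not url.lower().startswith("https://"):
                findings.append(f"{name}: non-HTTPS URL prefix {url!r}")
        if expected["AppId"] not in krb.get("AppIdentifierMatches", []):
            findings.append(f"{name}: {expected['AppId']} not in AppIdentifierMatches")
        cert = krb.get("PayloadCertificateUUID")
        if not cert or cert not in scep_uuids:
            findings.append(f"{name}: renewal certificate does not reference "
                            "a SCEP payload in this profile")
    return findings


if __name__ == "__main__":
    good = build_sample_profile("VMWAREIDENTITY.COM", TENANT_URL,
                                "SCEP-0001-CONSTRUCTED")
    bad = build_sample_profile("vmwareidentity.com",
                               "http://examplelabuser0000.vmwareidentity.com/",
                               "MISSING")
    for label, raw in (("good", good), ("bad", bad)):
        print(label, audit_sso_profile(raw) or "OK")
```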


Clear the Safari Cache

Navigate back to the main Settings page.

1. Tap Safari.
2. Scroll down to find Clear History and Website Data.
3. Tap Clear History and Website Data.


Launch Safari on the iOS Device

Tap the Safari icon; it should be on the bottom tray.


Navigate to Identity Manager in Safari

1. Enter the URL of your Identity Manager tenant in the URL bar.
2. Click Go.


Workspace One Single Sign-On

Notice that Identity Manager is signing you in without requiring any authentication.


Identity Manager Application Catalog

You are now signed into Workspace One using Single Sign On automatically without having to enter any credentials!

There are no applications visible because they haven't been added in Identity Manager or AirWatch.


Un-enrolling Your Device

You are now going to un-enroll the iOS device from AirWatch.

NOTE: The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch MDM Agent application from the device as this was downloaded manually before AirWatch had control of the device.

Enterprise Wipe (un-enroll) your iOS device

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled. It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device, first bring up the AirWatch Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and "VMware1!" as the password).

1. Click Devices on the left column.
2. Click List View.
3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown in the image in this step.


Find the Enterprise Wipe Option

1. Click More Actions. NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
2. Click Enterprise Wipe under Management.

Enter your security PIN.

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN, which you set after you logged into the console ("1234").

1. Enter "1234" for the Security PIN. You will not need to press Enter or Continue; the console will confirm your PIN by showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested. NOTE: If "1234" does not work, then you provided a different Security PIN when you first logged into the AirWatch Console. Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

1. On your device, open the AirWatch Agent application.
2. Tap the Device section (under Status) in the middle of the screen.
3. Tap Send Data near the top of the screen. If this does not make the device check in and immediately un-enroll, continue to Step #4.
4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

Feel free to continue to the "Force the Wipe" step to manually uninstall the AirWatch services from the device if network connectivity is failing.

Verify the Un-Enrollment

Press the Home button on the device to go back to the home screen. The applications pushed through AirWatch should have been removed from the device.

NOTE - The applications and settings pushed through AirWatch management should have been removed. The Agent will still be on the device because that was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse through the various networks out and back to your device. Continue on to the next step to force the wipe if needed.


Force the Wipe - IF NECESSARY

If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.

1. Tap General in the left column.
2. Scroll down to view the Device Management option.
3. Tap Device Management at the bottom of the list of General settings.


Force the Wipe - IF NECESSARY

Tap the Workspace Services profile that was pushed to the device.

Force the Wipe - IF NECESSARY

1. Tap Remove Management on the Workspace Services profile. NOTE - If prompted for a device PIN, enter it to continue. VMware provisioned devices should not have a device PIN enabled.
2. Tap Remove on the Remove Management prompt.

After removing the Workspace Services profile, the device will be un-enrolled. Feel free to return to the "Verify the Un-Enrollment" step to confirm the successful un-enrollment of the device.


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1757-MBL-3

Version: 20170616-002629
