Integrating the Horizon Universal Console with Workspace ONE

Part 1 - Completing Workspace ONE Integration Prerequisites

  • Part 1 contains 11 sections
    • We will build an integrated Workspace ONE platform and then we will integrate Horizon Cloud services with this platform
    • All of these sections have to be completed to complete further labs
Part 1:Section 1: Workspace ONE Access, Connector pairing pre-requisites
  1. On your ControlCenter server
    • Open your Workspace ONE Access, Admin console URL
      • Under Username
        • enter Administrator
      • Under Password
        • enter VMware1!
      • Select Sign In
  1. In the Web Intelligent Hub Console
    • To the right,
      • select TA
    • From the dropdown
      • select Workspace ONE Access Console
  1. In the Workspace ONE Access Console
    • Select Integrations
    • Under Integrations
      • Select Connectors
    • In the Connectors area
      • Select NEW
  1. In the Connector Usage Confirmation window
    • Select the radio button, next to :-
      • Latest Workspace ONE Access Connector
    • Select OK
  1. In the Confirm the latest Workspace ONE Connector window
    • Select CONFIRM
  1. In the Add New Connector window
    1. Downloader Installer area
      • Select NEXT
  1. In the Add New Connector window
    1. Download Configuration File area
      • Next to Password: enter VMware1!VMware1!
      • Next to Reenter Password: enter VMware1!VMware1!
      • Select DOWNLOAD CONFIGURATION FILE
        • note an es-config.json file gets downloaded
      • Select NEXT
  1. In the Add New Connector window
    1. Summary window
      • Select CLOSE
  1. On your ControlCenter server browser
    • Next to the es-config.json
      • Select the Dropdown
      • Select Show in folder
  1. In the File Explorer window
    • Select and right-click the es-config.json file
    • Select Copy
    • In the left pane
      • Select Desktop
  1. In the File Explorer window
    • Desktop area
      • Select the Software shortcut
      • In the Software folder
        • Open the ACCESS folder
  1. In the File Explorer window
    • ACCESS folder
      • Paste your es-config.json file
    • Close your File Explorer window
Part 1:Section 2: Installing and Configuring the Workspace ONE Access connector
  1. On your ControlCenter server
    • On the Desktop.
      • Open the Remote Desktops\Site1 folder
      • Select and launch the WS1-Connector.RDP shortcut
  1. On your WS1-Connector server
    • Open the Software Folder
    • Select the ACCESS Folder
    • Select and Launch
      • Workspace-ONE-Access-Connector-Installer-22.09.0.0.exe
  1. On your WS1-Connector server
    • On the Open File - Security Warning window
      • Select Run
  1. On the Workspace ONE Access Connector - InstallShield Wizard
    • In the Welcome to the Installation Wizard for Workspace ONE Access Connector 22.09.0.0
      • Select Next
  1. On the Workspace ONE Access Connector - InstallShield Wizard
    • Licence Agreement window
      • Select the radio button next to:-
        • I accept the terms in the license agreement
      • Select Next
  1. On the Workspace ONE Access Connector - InstallShield Wizard
    • Service Selection window
      • Select Next
  1. On the Workspace ONE Access Connector - InstallShield Wizard
    • Specify Configuration File window
      • In the box in front of Browse...
        • type \\horizon-01a\software\ACCESS\es-config.json
      • Next to Password: type VMware1!VMware1!
    • Select Next
  1. In the Workspace ONE Access Connector - InstallShield Wizard
    • Select Default or Custom Installation window
      • Select the radio button next to Custom
    • Select Next
  1. In the Workspace ONE Access Connector - InstallShield Wizard
    • Specify Proxy Server Information window
      • Select Next
  1. In the Workspace ONE Access Connector - InstallShield Wizard
    • Specify Syslog Server Information window
      • Select Next
  1. In the Workspace ONE Access Connector - InstallShield Wizard
    • Citrix configuration
      • (leave default)
    • Select Next
  1. In the Workspace ONE Access Connector - InstallShield Wizard
    • Install Trusted Root Certificates window
      • Select Next
    • In the No certificates page
      • Select Yes
  1. In the Workspace ONE Access Connector - InstallShield Wizard
    • Specify Ports window
      • Select Next
  1. In the Workspace ONE Access Connector - InstallShield Wizard
    • Install SSL Certificate for Kerberos Auth Service window
      • Next to: Would you like to use your own SSL certificate?
        • Select the Checkbox
      • Under Click Browse and select the certificate file
        • Select Browse
  1. In the InstallShield window
    • Browse to:
      • \\horizon-01a\software\certificates
        • Select Wildcard2022
      • Select Open
  1. In the Workspace ONE Access Connector - InstallShield Wizard
    • Install SSL Certificate for Kerberos Auth Service window
    • Next to: Certificate Password:
      • Enter : VMware1!
        • Select Next
  1. In the Workspace ONE Access Connector - InstallShield Wizard
    • Specify Service Account window
    • Under User name: type
      • euc-livefire.com\administrator
    • Under Password:
      • type VMware1!
    • Select Next
  1. In the Workspace ONE Access Connector - InstallShield Wizard
    • Ready to Install window
      • Select Install

The Installation of the Workspace ONE Access Connector will take about 10 minutes to complete

  1. In the Workspace ONE Access Connector - InstallShield Wizard
    • Installation Wizard Completed window
      • Select Finish
Part 1:Section 3: Configuring Directory Sync with  Workspace ONE Access connector

First we will configure the attributes. Note: every organisation needs to research its own requirements when deciding whether or not to set attributes to required. For applications where this needs to be considered, authentication might fail if the associated user object does not have the attribute.

  1. In the Workspace ONE Access Admin console
    • Select Settings 
      • Select User Attributes
  1. In the User Attributes console
    • In the right area under Custom Attributes
      • Select  ⊕ ADD ROW  4 times
  1. In the User Attributes console
    • Under Name
      • Add the following additional attributes
        • note this is case sensitive :
      • objectGuid
      • managerDN
      • sid
      • netBios
  1. In the User Attributes console
    • Under User Attributes
    • Select SAVE
  1. In the Workspace ONE Access admin console.
    • Select Integrations,
      • Select Directories
  1. In the Directories area
    • To the right
      • Select Add Directory
    • In the Add Directory dropdown
      • Select Active Directory
  1. In the Add Directory Page,
    • Configure the following: next to
      • Directory Name: type EUC-Livefire
      • Ensure the Active Directory over LDAP radio button is selected
    • Scroll down to Bind User Details
  1. In the Add Directory Page,
    • In the Bind User Details area
      • Enter the following Next to :
        • Base DN: dc=EUC-Livefire,dc=com
        • Bind DN: cn=administrator,ou=corp,dc=EUC-Livefire,dc=com
        • Bind DN Password: VMware1!
    • Select Save & Configure
  1. In the Select the Domains page,
    • euc-livefire.com (EUC-LIVEFIRE)
      • Select Next.
  1. On the Map User Attribute page
    • Map the following attributes : next to:-
      • (what you enter here is case sensitive)
        • managerDN: select custom input and type manager
        • netBios: select custom input and type msDS-PrincipalName
  1. On the Map User Attribute page
    • Map the following attributes :
      • Scroll down next to:-
        • objectGuid: select objectGUID
        • sid: select custom input and type objectSid
  1. On the Map User Attribute page
    • Map the following attributes :
      • Scroll down next to:-
      • title : from the dropdown
        • select title
      • Validate that userPrincipalName maps to userPrincipalName
    • Select Next
  1. On the Select the Groups you want to sync page,
    1. select the green plus (+) to the right of the page,
    2. Under Specify the group DNs  
      • enter dc=euc-livefire,dc=com
    3. Select the Select All text
      • You will notice the  check box now becomes available
  1. On the Select the Groups you want to sync page,
    • Under Select All
      • Select the check box
    • Select Next.
  1. In the Select Users you would like to sync window
    • Under Specify the user DNs
      • edit the existing syntax so that it reads
        • ou=corp,dc=EUC-Livefire,dc=com
      • Select Next
  1. On the Sync Frequency window
    • Select Sync Directory
  1. On the Directories window
    • Refresh your browser window
      • Note the Synced Groups and Synced Users
  1. In your Workspace ONE Access admin console
    • Select Settings
      • Select Login Preferences
      • Under Login Preferences
        • Select EDIT
  1. In the Login Preferences area
    • In line with:
      • Sync Group Members to the Directory When Adding Group
        • select the Checkbox
  1. In the Login Preferences area
    • In the bottom right
      • select SAVE
  1. In the Workspace ONE Access  console
    • select Integrations
      • select Directories
  1. In the Directories area
    • select EUC-Livefire
  1. In the EUC-Livefire directory area
    • In the right corner
      • Next  to Sync
        • select the dropdown
          • select Sync without Safeguards
  1. On your ControlCenter server
    • On the Desktop
      • Open the Remote Desktops\Site1 folder
      • Launch WS1-Connector.RDP
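
Added example (not part of the original lab guide): the DNs typed into the Add Directory wizard above decide what Workspace ONE Access binds as and what it syncs. This Python check parses those four DNs, compares them case-insensitively (the guide mixes EUC-Livefire and euc-livefire), and reports scope findings; the function names and finding codes are assumptions made for this example.

```python
# Added example: sanity-check the DNs used in the Add Directory wizard.
# Handles backslash-escaped commas (RFC 4514); multi-valued RDNs ("+") and
# hex-escaped equivalents are not normalised here.

# Values as typed in Section 3 of this guide.
LAB = {
    "base_dn": "dc=EUC-Livefire,dc=com",
    "bind_dn": "cn=administrator,ou=corp,dc=EUC-Livefire,dc=com",
    "group_dns": ["dc=euc-livefire,dc=com"],
    "user_dns": ["ou=corp,dc=EUC-Livefire,dc=com"],
}


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN strings, keeping escaped commas inside a value."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    if any(not p or "=" not in p for p in parts):
        raise ValueError(f"malformed DN: {dn!r}")
    return parts


def normalize(dn: str) -> tuple:
    """Lower-case attribute types and values so comparisons ignore case."""
    pairs = (p.split("=", 1) for p in split_dn(dn))
    return tuple((t.strip().lower(), v.strip().lower()) for t, v in pairs)


def is_within(dn: str, base: str) -> bool:
    """True when dn equals base or sits anywhere beneath it."""
    d, b = normalize(dn), normalize(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def audit(cfg: dict) -> list[tuple[str, str]]:
    """Return (code, dn) findings for a directory configuration."""
    findings = []
    base = cfg["base_dn"]
    if not is_within(cfg["bind_dn"], base):
        findings.append(("BIND_OUTSIDE_BASE", cfg["bind_dn"]))
    for kind in ("group_dns", "user_dns"):
        for dn in cfg[kind]:
            if not is_within(dn, base):
                # The search for this DN would return nothing under the base DN.
                findings.append(("SCOPE_OUTSIDE_BASE", dn))
            elif normalize(dn) == normalize(base):
                # The whole domain is in scope for this object type.
                findings.append(("SCOPE_IS_WHOLE_BASE", dn))
    for dn in cfg["user_dns"]:
        if is_within(cfg["bind_dn"], dn):
            # The bind account itself lives inside the synced user scope.
            findings.append(("BIND_ACCOUNT_IN_SYNC_SCOPE", dn))
    return findings


if __name__ == "__main__":
    for code, dn in audit(LAB):
        print(f"{code}: {dn}")
```

With the lab values, the group DN covers the whole domain and the bind account (the domain administrator) falls inside the ou=corp user sync scope; a production directory would normally use a dedicated, low-privilege bind account kept outside the synced OUs.
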
Part 1:Section 4: Configuring the AirWatch Cloud Connector
  1. On the WS1-Connector desktop
    • Open your Chrome browser
      • In the address bar, enter dw-livefire.awmdm.com
        • Login using your registered course email
          • password VMware1!

If you are unclear what your registered course email is, go back to the lab document you configured and filled in on Day 1, in the introduction.

If you have not completed this, then please do.

  1. In the UEM Admin Console
    • Navigate to Groups & Settings > All Settings
    • Under Settings select  System > Enterprise Integration  
    • Under Enterprise Integration  
      • select Cloud Connector
  1. In the Cloud Connector area
    • Select the Override radio button
      • Scroll down, select Save at the bottom of the page
  1. In the Cloud Connector area
    • Scroll down
    • Select the Download AirWatch Cloud Connector Installer
  1. On the Download AirWatch Cloud Connector (ACC-installer.exe)
    • Type VMware1! in the Password and Confirm Password boxes.
    • Select DOWNLOAD
  1. On the Ws1-Connector machine,
    • Select the Airwatch Cloud Connector.exe
      • Select open
      • Select More Info
      • Select Run Anyway
      • Select Next
      • Select the licensing to accept terms... radio button , select Next
      • Select Next
      • In the ACC Certificate Password window
        • type the password VMware1!
        • select Next
      • Select Next
      • Select Install
      • Select OK
      • Select Finish
      • Select Yes
    • Wait for the WS1-Connector server to reboot
      • RDP to the server and re-login
  1. On your ControlCenter server
    • Open a new tab on your Chrome browser
    • Enter dw-livefire.awmdm.com in your address bar
    • Login with your custom email username
    • Enter your custom Password
    • Select Log In
  1. In the UEM Admin Console
    • Go to Groups & Settings > All Settings
    • Under System, select Enterprise Integration
    • Under Enterprise Integration, select Cloud Connector
  1. In the Cloud Connector window
    • Scroll down
    • Select TEST CONNECTION

Note the screenshot

Your environment should also reflect that the Cloud Connector has been reached

  1. In the Cloud Connector window
    • Select the X to right to close the window
Part 1:Section 5: Workspace ONE UEM & Active Directory Integration
  1. In the Workspace ONE UEM admin console
    • Select Groups & Settings > All Settings > System > Enterprise Integration
    • Under Enterprise Integration
      • Select Directory Services
    • In the Directory Services window
      • Select the Override radio button
    • Select Skip wizard and configure manually
  1. From the Directory Services Interface,
    • Under the Server Tab, enable the following:
      • Directory Type*: LDAP-Active Directory
      • DNS SRV: Disabled (default)
      • Server : ControlCenter.euc-livefire.com
      • Bind User Name: administrator
      • Bind Password: VMware1!
      • Domain: euc-livefire.com
  1. From the Directory Services Interface,
    • Under the User Tab,
      • Validate that the following is configured
        • Under Base DN,
          • ensure that DC=euc-livefire,DC=com has automatically populated.
          • If not, click on the + icon
            • add DC=euc-livefire,DC=com
        • Next to User Object Class,
          • ensure person is the property
        • Next to User Search Filter,  
          • ensure (&(objectCategory=person)(sAMAccountName={EnrollmentUser})) is the string

 

  1. From the Directory Services Interface,
    • Repeat these steps for the third tab Group
      • Under Base DN,
        • validate that DC=euc-livefire,DC=com is entered.
      • Scroll to the bottom of the page
        • select Save
      • Scroll to the bottom of the page
        • Select TEST CONNECTION
  1. You should have a Test Connection window launch saying Connection successful....
    • Select CANCEL to close the window
  1. Let's ensure users can enroll their devices using Active Directory credentials.
    • Under Settings ,
      • select  Devices & Users
        • Select > General
          • Select > Enrollment
  1. Under the Enrollment area 
    • Select the Override radio button
    • Scroll down.
  1. Under the Enrollment area 
    • In line with Authentication Mode(s)
      • ensure the Directory check box is selected
    • In line with Source of Authentication for Intelligent Hub,
      • select Workspace ONE ACCESS
    • Scroll down
      • Select SAVE
    • Close the Settings window,
      • by selecting the X on the right of the window
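
Added example (not part of the original lab guide, and not Workspace ONE UEM's own code): how the {EnrollmentUser} placeholder in the User Search Filter above can be expanded and evaluated. It assumes the enrollment username is substituted after RFC 4515 escaping; the entries, their DNs and the function names are constructed for illustration.

```python
# Added example: expand the User Search Filter from the Directory Services
# User tab and evaluate it against constructed directory entries.
import re

# Filter string exactly as shown on the User tab in this guide.
USER_SEARCH_FILTER = "(&(objectCategory=person)(sAMAccountName={EnrollmentUser}))"

# RFC 4515 special characters and their escaped forms.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample entries (DNs are assumptions). objectCategory is shown in
# the short form that Active Directory accepts in search filters.
SAMPLE_ENTRIES = [
    {"dn": "CN=Mark,OU=corp,DC=euc-livefire,DC=com",
     "objectCategory": "person", "sAMAccountName": "Mark"},
    {"dn": "CN=Jill,OU=corp,DC=euc-livefire,DC=com",
     "objectCategory": "person", "sAMAccountName": "Jill"},
    {"dn": "CN=W10CLIENT-01A,CN=Computers,DC=euc-livefire,DC=com",
     "objectCategory": "computer", "sAMAccountName": "W10CLIENT-01A$"},
]


def escape_filter_value(value: str) -> str:
    """Escape a value so the directory matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template: str, enrollment_user: str) -> str:
    """Substitute the enrollment username into the filter template."""
    return template.replace("{EnrollmentUser}", escape_filter_value(enrollment_user))


def _unescape(value: str) -> str:
    """Turn \\XX hex escapes back into the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_and_filter(flt: str) -> list[tuple[str, str]]:
    """Parse the flat (&(attr=value)...) shape used on this page."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", flt)
    if not m:
        raise ValueError("only a flat AND of equality terms is handled here")
    terms = []
    for item in re.findall(r"\(([^()]*)\)", m.group(1)):
        attr, sep, value = item.partition("=")
        if not sep or "*" in value:
            # An unescaped * would be a wildcard, not an equality match.
            raise ValueError(f"unsupported term: ({item})")
        terms.append((attr.lower(), _unescape(value)))
    return terms


def search(entries: list[dict], flt: str) -> list[str]:
    """Return the DNs of entries that satisfy every term (case-insensitive)."""
    terms = parse_and_filter(flt)
    hits = []
    for entry in entries:
        attrs = {k.lower(): str(v).lower() for k, v in entry.items()}
        if all(attrs.get(a) == v.lower() for a, v in terms):
            hits.append(entry["dn"])
    return hits


if __name__ == "__main__":
    for user in ("mark", "W10CLIENT-01A$", "ma*"):
        flt = expand_filter(USER_SEARCH_FILTER, user)
        print(flt, "->", search(SAMPLE_ENTRIES, flt))
```

The objectCategory=person term keeps computer accounts out of the enrollment lookup, and escaping keeps a username containing * or parentheses from changing the shape of the filter.
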
Part 1:Section 6: Workspace ONE Access and Workspace ONE UEM  Integration
  1. In your  Workspace ONE UEM Admin console
    • Navigate to Groups and Settings > All Settings > System > Enterprise Integration> Workspace ONE Access > Configuration

 

  1. Under the Server area,
    • Select  CONFIGURE

 

  1. On the Connect to Workspace ONE Access window,
    • Select CONTINUE  

 

  1. On the Connect to Workspace ONE Access window enter the following:
    • Tenant URL: Your Tenant, e.g. https://aw-livefirehorizonrn.vidmpreview.com/
    • User Name: Your Tenant Admin account
    • Password: Your Tenant Password
    • Select TEST CONNECTION to ensure Tenant configuration has been entered successfully.
    • Select SAVE and close the settings window
  1. In the Workspace ONE UEM admin console
    1. Select GROUPS & SETTINGS
    2. Select Configurations
    3. In the Group & Settings > Configurations window
      • Select GO TO CONFIGURATIONS
  1. Under Configurations
    • In the Enter a name or category area
      • Type Int
    • Under Configuration Name
      • Select Intelligent Hub
  1. Under Hub Services
    • Select GET STARTED
  1. In the Activate Hub Services
    • Select YES
Part 1:Section 7: Workspace ONE Hub Services Integration with Workspace ONE Access
  1. On your ControlCenter server
    • Open a new tab on your Browser
    • Paste your custom Workspace ONE Access URL in the address bar
    • Launch your custom Workspace ONE Access URL
    • In the Select Your Domain window
      • Ensure System Domain is selected
      • Select Next
  1. In the Workspace ONE Access login
    • Under Username
      • Enter your custom SysAdmin username
    • Under Password
      • Enter VMware1! (hopefully that is what you have changed it to)
    • Select Sign in
  1. In the Web version of Intelligent Hub
    • In the top-right corner
      • Select and right-click your Sysadmin Initial Icon
      • Select Workspace ONE Access Console
  1. In the Workspace ONE Access admin console
    • Select Integrations
    • Select Hub Configuration
  1. In the Hub Configuration window
    • Under Hub Services
      • Select LAUNCH
  1. In the Optimize the Intelligent Hub Experience window
    • Select BEGIN
  1. In the Welcome to Hub Services
    • Review the associated options.
    • In Section 8, we will configure Hub Services
Part 1:Section 8: Configuring Workspace ONE Hub Services
  1. In Workspace ONE Hub Services
    • Select the Branding section
      • Find Logos > Organization Logo , to the right select UPLOAD
      • In the left pane,
        • Under Quick access, select Desktop
        • Select Software
        • Select and open Logo
        • Select vmware livefire.png
        • Select Open
        • Scroll down
          • and select SAVE
  1. In the Workspace ONE Hub Services page
    • In the left pane, select People
    • Under People area,
      • next to Enable People,
        • move the toggle to the right
    • Select SAVE
  1. In the Workspace ONE Hub Services page
    • From the left menu,
      • Select the Custom Tab.
        • Next to Enable Custom Tab,
          • move the toggle right.
        • Next to Web
          • move the toggle right.
        • Next to Title
          • enter: EUCLF (Best practice is not to use a label longer than 6 characters).
        • Next to URL:
          • enter https://www.Livefire.solutions
        • Next to Position,  
          • enable the First radio button.
        • Select SAVE
  1. To the top right of the Workspace ONE Hub Services page
    • Select LOG OUT OF HUB SERVICES  
  1. In the Workspace ONE Access Console
    • Under Integrations
      • Select People Search
  1. In the People Search area
    • Next to Directory,
      • from the dropdown
        • Select the EUC-Livefire
      • Select NEXT
  1. In the People Search page
    • Step 2 Select User attributes
      • note the attributes
    • Scroll down
    • In the bottom left
      • Select NEXT
  1. In the People Search page
    • Step 3 Select users and sync to directory
      • review the User DNs
        • It should read
          •  ou=corp,DC=euc-livefire,DC=com
        • Select SAVE & SYNC
  1. Under People Search
    • Select SYNC DIRECTORY
Part 1:Section 9: Enrolling Intelligent Hub on Microsoft Windows 10

Step 1 : Enrolling W10Client-01a on Site 1 with the Active Directory Domain User  Mark

Steps 1 - 4 could all be done in parallel, so whilst waiting for enrollment to complete on one virtual machine, feel free to move on to the next step.

  1. On your  ControlCenter server
    • On the Desktop open the Remote Desktop folder.
      • Open the Site1 folder
    • Select the W10Client-01a RDP client and
    • To the right of the Start button
      • in the search area,
        • start typing intel
    • Select the Workspace ONE Intelligent Hub
      • Please Note! If the Workspace ONE Intelligent Hub does not load,
        • From the RUN > Services.msc > Start the Airwatch service
        • Attempt to re-launch the hub
  1. Under Email or Server Address,
    • Enter https://dw-livefire.awmdm.com
    • Select Next
  1. Under Group ID, enter your unique Workspace ONE UEM tenant Group ID
    • To get your unique Workspace ONE UEM Group ID, return to your Workspace ONE UEM tenant. Next to the Workspace ONE UEM logo, select your Organization Group and note your Group ID
    • Select NEXT
  1. In the Workspace ONE Intelligent Hub
    • Under Select Your Domain
      • Select euc-livefire.com
        • Select Next
    • Under the Username area
      • Enter Mark
    • Under the Password area
      • Enter VMware1!
    • Select Sign in
  1. In the Workspace ONE Intelligent Hub
    • Select I Agree
  1. On the Congratulations window,
    • Select Done
    • Re-open the Intelligent Hub
    • Select Get Started

Step 2 : Enrolling W10Ext-01a on Site 1 with the Active Directory Domain User Jill

  1. On your  ControlCenter server
    • On the Desktop open the Remote Desktop folder.
      • Open the Site1 folder
    • Select the W10EXT-01a.RDP client and
    • To the right of the Start button in the search area, start typing intel
    • Select the Workspace ONE Intelligent Hub
      • Please Note! If the Workspace ONE Intelligent Hub does not load,
        • From the RUN > Services.msc > Start the Airwatch service
        • Attempt to re-launch the hub
  1. Under Email or Server Address,
    • Enter https://DW-livefire.awmdm.com
    • Select Next
  1. Under Group ID, enter your unique Workspace ONE UEM tenant Group ID
    • To get your unique Workspace ONE UEM Group ID, return to your Workspace ONE UEM tenant. Next to the Workspace ONE UEM logo, select your Organization Group and note your Group ID
    • Select NEXT
  1. In the Workspace ONE Intelligent Hub
    • Under Select Your Domain
      • Select euc-livefire.com
        • Select Next
    • Under the Username area
      • Enter Jill
    • Under the Password area
      • Enter VMware1!
    • Select Sign in
  1. In the Workspace ONE Intelligent Hub
    • Select I Agree
  1. On the Congratulations window,
    • Select Done
    • Re-open the Intelligent Hub
    • Select Get Started

Step 3 : Enrolling W10Client-02a on Site 2 with the Active Directory Domain User  Fernando

  1. On your  ControlCenter server
    • On the Desktop open the Remote Desktop folder.
      • Open the Site2 folder
    • Select the W10Client-02a RDP client and
    • To the right of the Start button in the search area, start typing intel
    • Select the Workspace ONE Intelligent Hub
      • Please Note! If the Workspace ONE Intelligent Hub does not load,
        • From the RUN > Services.msc > Start the Airwatch service
        • Attempt to re-launch the hub
  1. Under Email or Server Address,
    • Enter https://dw-livefire.awmdm.com
    • Select Next
  1. Under Group ID, enter your unique Workspace ONE UEM tenant Group ID
    • To get your unique Workspace ONE UEM Group ID, return to your Workspace ONE UEM tenant. Next to the Workspace ONE UEM logo, select your Organization Group and note your Group ID
    • Select NEXT
  1. In the Workspace ONE Intelligent Hub
    • Under Select Your Domain
      • Select euc-livefire.com
        • Select Next
    • Under the Username area
      • Enter Fernando
    • Under the Password area
      • Enter VMware1!
    • Select Sign in
  1. In the Workspace ONE Intelligent Hub
    • Select I Agree
  1. On the Congratulations window,
    • Select Done
    • Re-open the Intelligent Hub
    • Select Get Started

Step 4: Enrolling W10Ext-02a on Site 2 with the Active Directory Domain User Tom

  1. On your  ControlCenter server
    • On the Desktop open the Remote Desktop folder.
      • Open the Site1 folder
    • Select the W10EXT-02a.RDP client and
    • To the right of the Start button in the search area, start typing intel
    • Select the Workspace ONE Intelligent Hub
      • Please Note! If the Workspace ONE Intelligent Hub does not load,
        • From the RUN > Services.msc > Start the Airwatch service
        • Attempt to re-launch the hub
  1. Under Email or Server Address,
    • Enter https://dw-livefire.awmdm.com
    • Select Next
  1. Under Group ID, enter your unique Workspace ONE UEM tenant Group ID
    • To get your unique Workspace ONE UEM Group ID, return to your Workspace ONE UEM tenant. Next to the Workspace ONE UEM logo, select your Organization Group and note your Group ID
    • Select NEXT
  1. In the Workspace ONE Intelligent Hub
    • Under Select Your Domain
      • Select euc-livefire.com
        • Select Next
    • Under the Username area
      • Enter tom
    • Under the Password area
      • Enter VMware1!
    • Select Sign in
  1. In the Workspace ONE Intelligent Hub
    • Select I Agree
  1. On the Congratulations window,
    • Select Done
    • Re-open the Intelligent Hub
    • Select Get Started

Part 2. Integrating Workspace ONE Access with Horizon Cloud services

In Part 2, we will work through the requirement to set up a federation between Horizon Cloud Services and Workspace ONE Access.

The approach to federating Horizon Cloud Services with Workspace ONE Access differs from the approach we follow with on-premises Horizon pods.

Part 2: Integrating Workspace ONE Access with Horizon Cloud services
  1. In the Workspace ONE Access Console
    • Select Settings
      • Under Settings
        • Select OAuth 2.0 Management

 

  1. In the OAuth 2.0 Management window
    • Select ADD CLIENT
  1. In the Add Client interface
    • Configure the following information next to:-
      • Access Type*,
        • select Service Client Token
      • Client ID*,
        • type HZNXXINTCorp
          • (xx is your POD ID)
    • Select SAVE
  1. In the OAuth 2.0 Management window
    • COPY the Client ID
    • COPY the Shared Secret  
      • Save to Notepad++ on the ControlCenter server

Don't move from this page until you have saved the Client ID and Shared Secret

  1. On your Site 1 profile - Chrome browser
    • On the Favourites bar
      • Select HZN Cloud
  1. On the Welcome to VMware Horizon® page
    • Under My VMware Credentials, enter the following
      • In the Username area,
        • type your assigned Horizon Cloud email
      • In the Password area,
        • type VMware1!
    • Select LOGIN
  1. On the Welcome to VMware Horizon® page
    • Under Active Directory Credentials, enter the following
      • In the Username area,
        • type Administrator
      • In the Password area,
        • type VMware1!
    • Select LOGIN
  1. In the What's New in Horizon Cloud window
    • Turn off the toggle next to :-
      • Continue to show this Notification
    • Select CLOSE
  1. In the Horizon Universal Console
    • Expand Settings
      • Under Settings,
        • Select Broker

 

  1. In the Broker area
    • Select the Identity & Access tab
  1. In the Workspace ONE Access and Intelligent Hub window
    1. Provide Workspace ONE Access Cloud Tenant section
      • Enter the following next to:
        • Workspace ONE Access Cloud Tenant*
          • select Add existing cloud tenant.
        • Under Add existing cloud tenant,
          • enter your assigned Access tenant FQDN
        • Next to : -
          • OAuth Client ID * : enter your recorded Client ID
          • Shared Secret * : enter Your Shared Secret
        • Select the check box, next to :-
          • I have read and agree to the Terms of Service.
      • Select NEXT
  1. In the Workspace ONE Access and Intelligent Hub window
    • In the following sections:-
      1. Complete Workspace ONE Access and Horizon Prerequisites section
        • Note the following requirements before you carry on:
    • Expand the Provide Workspace ONE Access Cloud area above step 2:
      • Note your tenant information
    • Select NEXT
  1. In the Workspace ONE Access and Intelligent Hub window
    • In the following section:-
      1. Activate Intelligent Hub
        • Select ACTIVATE
  1. In the Workspace ONE Access and Intelligent Hub window
    • Under the Workspace ONE Access Cloud Tenant area
      • select the checkbox next to
        • I have verified that end-users can access virtual desktops and apps in Intelligent Hub.
      • Select CONFIRM
  1. In the Broker window
    • Notice you now have an Authentication tab next to Identity & Access
    • Select the Authentication Tab
  1. In the Broker window
    • Under the Authentication tab
      • Next to Workspace ONE Intelligent Hub Enforcement
        • select the Pencil Icon
  1. In the Edit Intelligent Hub Enforcement window
    • Next to Enforce Intelligent Hub
      • Select the toggle and move it to the right
  1. In the Edit Intelligent Hub Enforcement window
    • Select SAVE

Part 3 : Testing client integration with the Universal Broker platform

In this part we will test our configuration and view how this works

This part also serves as an introduction to Part 4 as to why we need VMware Horizon TRUESSO

Part 3: Testing client integration with the Universal Broker platform
  1. On your ControlCenter server
    • Open your Remote Desktops folder
      • Open the Site 1 folder
        • Launch w10Client-01a.RDP
  1. In the Windows Security window
  1. On the W10client-01a desktop
    • Launch your Chrome browser
    • In the Chrome browser address bar
      • enter your Assigned Workspace ONE ACCESS Url
        • e.g. https://aw-livefirernpod25.vidmpreview.com/
      • On your keyboard
        • select ENTER
  1. In the Workspace ONE auth page
    • Under Select Your Domain
      • From the dropdown
        • Select euc-livefire.com
      • Select Next
  1. In the Workspace ONE auth page
    • Under username
      • type Mark
    • Under password
      • type VMware1!
    • Select Sign In
  1. In the Intelligent Hub console
    • Note that now you have your Desktop Entitlement and Published Application assignments
    • Launch your CorpXX-HZN
      • XX is representative of your assigned POD ID
  1. In the Horizon Client window
    • Select Launch
  1. In the Password Request window
    • Note that you have not received a Single Sign-On experience
    • For Password-based authentication we can solve this
    • With any other authentication method, only the use of VMware Horizon TRUESSO will solve this
    • Select Cancel  
  1. On your ControlCenter server
    • Revert back to your Workspace ONE Access Admin Console
    • Select the Settings tab
    • Under Settings
      • Select Login Preferences
        • Under Login Preferences
          • Select EDIT
  1. Under Login Preferences
    • Scroll down
    • Next to Cache passwords
      • Select the Checkbox
  1. Under Login Preferences
    • In the bottom-right corner of this window
      • Select SAVE
  1. On the ControlCenter server
    • Revert back to your W10Client-01a.rdp session
      • Sign out of your existing Intelligent Hub session
      • Close your browser
  1. On the W10client-01a desktop
    • If necessary
      • Close your Chrome browser
      • Re-Launch your Chrome browser
    • In the Chrome browser address bar
      • enter your Assigned Pod broker ID
        • e.g. brokerXX.euc-livefire.com
          • XX represents your assigned POD ID
      • On your keyboard
        • select ENTER
  1. In the Workspace ONE auth page
    • Under Select Your Domain
      • From the dropdown
        • Select euc-livefire.com
      • Select Next
  1. In the Workspace ONE auth page
    • Under username
      • type Mark
    • Under password
      • type VMware1!
    • Select Sign In
  1. In the Web version of the Intelligent Hub
    • Under Apps
      • Launch your Desktop Assignment
  1. In the Open VMware Horizon Client?
    • Next to Always allow  YOURSERVER.vidmpreview.com to open links of this type in the associated app
      • select the Checkbox
    • Select Open VMware Horizon Client
    • When prompted by the VMware Horizon Client for Drive Sharing
      • Select Allow
  1. In your Horizon Client Session
    • Note that you were not prompted a second time for a password
    • This will only work provided you authenticate with a password on Workspace ONE Access and Password caching remains enabled.
    • Password Caching was disabled in Workspace ONE Access as a default configuration for security reasons.
    • We will now look at Part 4 and the implementation of VMware Horizon TRUESSO to allow for a single sign-on experience, irrespective of the authentication method, even when the Password Caching feature is disabled.

Part 4: Integrating VMware Horizon TRUESSO with Horizon Cloud services

When using Horizon with Workspace ONE Access and a 3rd Party Authentication method, the only way we can get a good user experience with Single Sign-On is to deploy Enrollment Services, also known as TRUESSO.

We will not be deploying Horizon Enrollment Services; instead we will integrate them with Horizon Cloud and see how this works with Workspace ONE Access.

Part 4 Section 1: Deploying a Workspace ONE UEM - Certificate Profile
  1. On your ControlCenter server
    • Switch to your custom UEM Saas Tenant
      • If necessary, authenticate using your Saas Admin credentials
  1. In the Workspace ONE UEM Admin Console
    • Navigate to Groups & Settings > All Settings >
    • In the Settings window under  
      • Select System
        • Select Enterprise Integration >
          • Select Workspace ONE Access >
            • Select Configuration
  1. In the Workspace ONE Access area
    • Below Certificate
      • Next to Certificate Provisioning
        • Select ENABLE
  1. In the Workspace ONE Access window
    • Scroll down to the Certificate area
      • Select  EXPORT
      • At the bottom of your browser
        • select Keep
          • Note this will download :-
            • VidmAirWatchRootCertificate.cer
    • To close the Settings window
      • Select X
  1. From the UEM Console
    • Navigate to Devices > Profiles & Resources > Profiles
    • Select > ADD > Add Profile
  1. In the Add Profile window  
    • Select Windows > Windows Desktop > User Profile
    • Next to Name* enter: W10 - SCEP - SSO .
  1. In the General tab,
    • Scroll down to Smart Groups
      • Select  All Devices(YOUR SAAS Tenant)
  1. In the Add Profile window  
    • In the left inventory menu
      • Navigate down to the SCEP tab
        • Select SCEP
    • In the SCEP area
      • Select CONFIGURE
  1. In the SCEP window
    • Change the following:
      • Next to Key Location:
        • from the dropdown
          • select Software
    • At the bottom right of the window
      • Select SAVE AND PUBLISH
  1. In the View Device Assignment page
    • Confirm your devices are showing
      • In the bottom right corner
        • Select PUBLISH
Part 4 Section 2: Configuring Workspace ONE Access for Certificate Authentication
  1. On your ControlCenter
    • Switch to your custom Saas Workspace ONE Access tenant
      • In the Workspace ONE Login
        • Under Select Your Domain
          • Select System Domain,
        • Select Next
          • Under Username
            • type administrator
          • Under Password
            • type VMware1!
          • Select Sign in
  1. In the Intelligent Hub Console
    • Top right corner
      • Select the TA icon
      • Select Workspace ONE Access Console
  1. In the Workspace ONE Access admin console
    • Navigate to the Integrations tab
      • In the Integrations area, validate you are in Authentication Methods
      • Next to Certificate (Cloud Deployment)
      • Select the pencil icon
  1. In the Certificate (Cloud Deployment) page
    • Below Enable Certificate Adapter
    • Below Root and Intermediate CA Certificates
      • select SELECT FILE...
  1. In the File Explorer window
    • In the Quick Access Menu
      • Select Downloads
        • Select the VIDMAirWatchRootCertificate.Cer certificate  
      • Select Open
      • In the Update Authentication Adapter window
        • select YES
  1. In the Certificate (cloud deployment) window
    • In the bottom right corner
      • select SAVE
  1. In the Workspace ONE Access Console
    • Under Integrations  
      • Select Identity Providers
        • In the Identity Providers area
          • Select Built-in
  1. In the Built-In Identity Providers window
    • NOTE :
      • In the Authentication Methods area
      • The checkbox next to Certificate (cloud deployment) is already enabled
  1. In the Built-In window
    • In the Users area
      • Next to EUC-Livefire
        • select the checkbox
    • In the Network area
      • Next to ALLRANGES
        • select the checkbox
    • At the bottom of the page.
      • Select Save
  1. In the Workspace ONE Access Admin console
    • Select the  Resources tab
      • In the Resources area
        • Select Policies
  1. In the Workspace ONE Access Admin console
    • Under  the Policies area
      • Next to default_access_policy_set
        • Select the radio button
        • Select EDIT
  1. In the Edit Policy window,
    • In the left column
      • Select Configuration
    • To the left of Web Browser,
      • Select All Ranges
  1. In the Edit Policy Rule window
    • Next to then the user may authenticate using *
      • select Certificate (cloud deployment)
    • Next to if preceding method fails or is not applicable,  then *
      • select Password (cloud deployment),
    • Select    ADD FALLBACK METHOD
      • Next to if preceding method fails or is not applicable,  then *
        • select Password (Local Directory)
    • Select SAVE at the bottom of the window
  1. In the Edit Policy Rule window
    • Select + ADD POLICY RULE
  1. In the Edit Policy Rule window
    • Next to: -
      • and user accessing content from*
        • select Windows 10  
      • then the user may authenticate using*
        • select Certificate (cloud Deployment)
      • if the preceding method fails or is not applicable, then
        • select Password (cloud deployment)
      • Select + ADD FALLBACK METHOD
        • if the preceding method fails or is not applicable, then
          • Select Password (Local Directory)
    • At the bottom right hand side of the page
      • Select SAVE
  1. In the Edit Policy window
    • Next to ALL RANGES for Windows 10
      • Select the 6 DOTS and drag to the top
    • Select NEXT on the Edit Policy Page
  1. On the Edit Policy Page.
    • Summary tab
      • Select SAVE

You have now enabled Certificate (Cloud Deployment) as an authentication method on the default access policy. Our next step is to ensure this implementation is working.

Part 4 Section 3: Log into a Windows 10 Desktop and demonstrate the limitation
  1. On the ControlCenter server Desktop,
    • Open the Remote Desktops folder,
    • Select the  W10Client-01a.RDP shortcut
    • Log in as [email protected],
      • enter the password VMware1!,
    • Select OK

If any existing Horizon Desktop sessions or Workspace ONE Access logins are still open, log out and close all sessions and browsers.

  1. On W10Client-01a desktop
    • Select Start > Run,
    • Next to Open, type mmc,
    • Select OK
    • In the Console, select Add/Remove Snap-in
  1. In the Add or Remove Snap-ins window
    • Select Certificates,
    • Select Add
    • Select OK
  1. Expand Certificates - Current User
    • Expand Personal
    • Select Certificates
      • Note you have an enrolled certificate. If you don't have a certificate,
        • Follow steps 6 - 8.
      • If you have an enrolled certificate
        • Carry on from step 9
  1. On your W10Client-01a desktop
    • In the right bottom corner of your Taskbar
      • To the left of the Network  icon
        • Select the UP arrow
  1. On your W10Client-01a desktop
    • Select and right-click the Intelligent Hub icon
    • Select Sync
  1. In the Certificates snap-in
    • Under Personal
      • Select Certificates
        • In the Toolbar
          • Select Refresh
  1. On your W10Client-01a Desktop
    • Open a browser on your windows 10 desktop
    • In the address bar enter the URL of your Saas Access Tenant
    • In the Select a certificate window
      • Select OK
  1. On the Workspace ONE console ,
    • In the Apps tab
      • Select Calculator
  1. In the Intelligent Hub
    • Notice we are getting a Password request.
      • We used a 3rd party Auth method to log in to Workspace ONE Access (in our session, a Certificate-based Auth method was used). Workspace ONE Access therefore did not have the UPN it would have received from a password Auth method to pass on to the Horizon Agent.
      • We will now move forward with configuring HORIZON TRUESSO
    • Select Cancel to close the Password Request window.
    • Logout and close all windows on W10Client-01a
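
The certificate check done in the Certificates snap-in above can also be run from PowerShell on W10Client-01a. This is an added example, not part of the original lab; the optional -RootCertPath parameter assumes you have copied the exported VidmAirWatchRootCertificate.cer to the client, and the IssuedByRoot column assumes the user certificate is issued directly by that root.

```powershell
# Added example: list certificates in the current user's Personal store and
# flag the properties certificate authentication depends on.
param(
    # Assumption: path to a local copy of the root certificate exported from UEM.
    [string]$RootCertPath
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

# Load the exported root (if supplied) so issuers can be compared against it.
$rootSubject = $null
if ($RootCertPath) {
    $rootFile = (Resolve-Path -Path $RootCertPath).Path
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $rootFile
    $rootSubject = $root.Subject
}

$report = Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # EnhancedKeyUsageList is supplied by the PowerShell certificate provider.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        # Without the private key the browser cannot offer the certificate.
        HasPrivateKey = $cert.HasPrivateKey
        # An empty EKU list means the certificate is not restricted by purpose.
        ClientAuth    = ($ekus.Count -eq 0) -or ($ekus -contains $clientAuthOid)
        InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        IssuedByRoot  = if ($rootSubject) { $cert.Issuer -eq $rootSubject } else { $null }
    }
}

if (-not $report) {
    Write-Warning 'No certificates in Cert:\CurrentUser\My. Sync the Intelligent Hub and check again.'
} else {
    $report | Format-Table -AutoSize -Wrap
}
```

A certificate that shows HasPrivateKey or InValidity as False will not be usable in the Select a certificate prompt, and the policy rule will fall through to the password methods.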

Part 5. Integrating Horizon TRUESSO with the Horizon Universal Console

Part 5 Section 1: Integrating Horizon TRUESSO with Horizon Universal Console
  1. On your ControlCenter server
    • On your Site 1 Browser
      • Open a new Tab
    • Select Horizon Site 1

 

  1. On VMware Horizon login
    • In the Username area
      • type Administrator
    • In the Password area
      • type VMware1!
    • Select Sign In
  1. In the Horizon Admin console
    • In the Dashboard area
      • Select VIEW
  1. In the Components window
    • Select TrueSSO
  1. In the  TrueSSO area of Components
    • Note that Enrollment and Sub-ordinate CA servers have been deployed and configured
    • To Close the Components window
      • Select OK
  1. On your ControlCenter server
    • On your Site 2 Browser
      • Open a new Tab
    • Select Horizon Site 2

 

  1. On VMware Horizon login
    • In the Username area
      • type Administrator
    • In the Password area
      • type VMware1!
    • Select Sign In
  1. In the Horizon Admin console
    • In the Dashboard area
      • Select VIEW
  1. In the Components window
    • Select TrueSSO
  1. In the  TrueSSO area of Components
    • Note that Enrollment and Sub-ordinate CA servers have been deployed and configured
    • To Close the Components window
      • Select OK
  1. On your ControlCenter server
    • Revert to your Site 1 browser
    • Open a new tab
    • Select the HZN Cloud shortcut
  1. On the Welcome to VMware Horizon® page
    • Under My VMware Credentials, enter the following
      • In the Username area, type your assigned Horizon Cloud email
      • In the Password area, type VMware1!
    • Select LOGIN
  1. On the Welcome to VMware Horizon® page
    • Under Active Directory Credentials, enter the following
      • In the Username area, type Administrator
      • In the Password area, type VMware1!
    • Select LOGIN
  1. In the Horizon Universal Console
    • Expand Settings
      • Select Active Directory
  1. In the Active Directory area
    • In the True SSO Configuration area
      • Next to Horizon pods on VMware SDDC
        • Select SYNC
Part 5 Section 2: Testing to see if TRUESSO works
  1. On your ControlCenter server,
    • Switch to your W10Client-01a.RDP Remote Desktop session.
      • If necessary, login again with
      • Sign out of any existing sessions,
        • close all windows
  1. On your W10Client-01a desktop,  
    • Open your browser
      • Enter your custom Workspace ONE Access URL
  1. On the Select a certificate window,
    • Select OK
  1. In the Intelligent Hub
    • Under Apps  
      • Select CorpXX-HZN
        • where XX is your assignment
  1. On the W10Client-01a
    • Note that you have now observed a Single sign-on session
    • Optionally, launch an RDSH session from your Workspace ONE Access console
    • This concludes this lab

During initial testing with this Horizon Cloud Connector and Horizon version 2209, it took up to 10 minutes after initiating the TRUESSO SYNC for the sync to take effect. Keep trying until it works.
