Integrating the Horizon Universal Console with Workspace ONE
Part 1 - Completing Workspace ONE Integration Prerequisites
- Part 1 contains 11 sections
- We will build an integrated Workspace ONE platform and then we will integrate Horizon Cloud services with this platform
- All of these sections have to be completed to complete further labs
- On your ControlCenter server
- Open your Workspace ONE Access, Admin console URL
- Under Username
- enter Administrator
- Under Password
- enter VMware1!
- Select Sign In
- In the Web Intelligent Hub Console
- To the right,
- select TA
- From the dropdown
- select Workspace ONE Access Console
- In the Workspace ONE Access Console
- Select Integrations
- Under Integrations
- Select Connectors
- In the Connectors area
- Select NEW
- In the Connector Usage Confirmation window
- Select the radio button, next to :-
- Latest Workspace ONE Access Connector
- Select OK
- In the Confirm the latest Workspace ONE Connector window
- Select CONFIRM
- In the Add New Connector window
- Downloader Installer area
- Select NEXT
- In the Add New Connector window
- Download Configuration File area
- Next to Password: enter VMware1!VMware1!
- Next to Reenter Password: enter VMware1!VMware1!
- Select DOWNLOAD CONFIGURATION FILE
- note an es-config.json file gets downloaded
- Select NEXT
- In the Add New Connector window
- Summary window
- Select CLOSE
- On your ControlCenter server browser
- Next to the es-config.json
- Select the Dropdown
- Select Show in folder
- In the File Explorer window
- Select and right-click the es-config.json file
- Select Copy
- In the left pane
- Select Desktop
- In the File Explorer window
- Desktop area
- Select the Software shortcut
- In the Software folder
- Open the ACCESS folder
- In the File Explorer window
- ACCESS folder
- Paste your es-config.json file
- Close your File Explorer window
- On your ControlCenter server
- On the Desktop.
- Open the Remote Desktops\Site1 folder
- Select and launch the WS1-Connector.RDP shortcut
- On your WS1-Connector server
- Open the Software Folder
- Select the ACCESS Folder
- Select and Launch
- Workspace-ONE-Access-Connector-Installer-22.09.0.0.exe
- On the Open File - Security Warning window
- Select Run
- On the Workspace ONE Access Connector - InstallShield Wizard
- In the Welcome to the Installation Wizard for Workspace ONE Access Connector 22.09.0.0
- Select Next
- On the Workspace ONE Access Connector - InstallShield Wizard
- Licence Agreement window
- Select the radio button next to:-
- I accept the terms in the license agreement
- Select Next
- On the Workspace ONE Access Connector - InstallShield Wizard
- Service Selection window
- Select Next
- On the Workspace ONE Access Connector - InstallShield Wizard
- Specify Configuration File window
- In the box in front of Browse...
- type \\horizon-01a\software\ACCESS\es-config.json
- Next to Password: type VMware1!VMware1!
- Select Next
- In the Workspace ONE Access Connector - InstallShield Wizard
- Select Default or Custom Installation window
- Select the radio button next to Custom
- Select Next
- In the Workspace ONE Access Connector - InstallShield Wizard
- Specify Proxy Server Information window
- Select Next
- In the Workspace ONE Access Connector - InstallShield Wizard
- Specify Syslog Server Information window
- Select Next
- In the Workspace ONE Access Connector - InstallShield Wizard
- Citrix configuration
- (leave default)
- Select Next
- In the Workspace ONE Access Connector - InstallShield Wizard
- Install Trusted Root Certificates window
- Select Next
- In the No certificates page
- Select Yes
- In the Workspace ONE Access Connector - InstallShield Wizard
- Specify Ports window
- Select Next
- In the Workspace ONE Access Connector - InstallShield Wizard
- Install SSL Certificate for Kerberos Auth Service window
- Next to: Would you like to use your own SSL certificate?
- Select the Checkbox
- Under Click Browse and select the certificate file
- Select Browse
- In the InstallShield window
- Browse to: \\horizon-01a\software\certificates
- Select Wildcard2022
- Select Open
- In the Workspace ONE Access Connector - InstallShield Wizard
- Install SSL Certificate for Kerberos Auth Service window
- Next to: Certificate Password:
- Enter: VMware1!
- Select Next
- In the Workspace ONE Access Connector - InstallShield Wizard
- Specify Service Account window
- Under User name: type
- euc-livefire.com\administrator
- Under Password:
- type VMware1!
- Select Next
- In the Workspace ONE Access Connector - InstallShield Wizard
- Ready to Install window
- Select Install
The Installation of the Workspace ONE Access Connector will take about 10 minutes to complete
- In the Workspace ONE Access Connector - InstallShield Wizard
- Installation Wizard Completed window
- Select Finish
First we will configure the user attributes. Note: every organisation needs to research its own requirements when deciding whether or not to set attributes to required. For the specific applications where this matters, authentication might fail if the associated user object does not have the attribute.
- In the Workspace ONE Access Admin console
- Select Settings
- Select User Attributes
- In the User Attributes console
- In the right area under Custom Attributes
- Select ⊕ ADD ROW 4 times
- In the User Attributes console
- Under Name
- Add the following additional attributes
- note this is case sensitive :
- objectGuid
- managerDN
- sid
- netBios
- In the User Attributes console
- Under User Attributes
- Select SAVE
- In the Workspace ONE Access admin console.
- Select Integrations,
- Select Directories
- In the Directories area
- To the right
- Select Add Directory
- In the Add Directory dropdown
- Select Active Directory
- In the Add Directory Page,
- Configure the following: next to
- Directory Name: type EUC-Livefire
- Ensure the Active Directory over LDAP radio button is selected
- Scroll down to Bind User Details
- In the Bind User Details area
- Enter the following Next to :
- Base DN: dc=EUC-Livefire,dc=com
- Bind DN: cn=administrator,ou=corp,dc=EUC-Livefire,dc=com
- Bind DN Password: VMware1!
- Select Save & Configure
- In the Select the Domains page,
- euc-livefire.com (EUC-LIVEFIRE)
- Select Next.
- On the Map User Attribute page
- Map the following attributes : next to:-
- (what you enter here is case sensitive)
- managerDN: select custom input and type manager
- netbios: select custom input and type msDS-PrincipalName
- On the Map User Attribute page
- Map the following attributes :
- Scroll down next to:-
- objectGuid: select objectGUID
- sid: select custom input type objectSid
- On the Map User Attribute page
- Map the following attributes :
- Scroll down next to:-
- title: from the dropdown
- select title
- Validate that userPrincipalName maps to userPrincipalName
- Select Next
- On the Select the Groups you want to sync page,
- select the green plus (+) to the right of the page,
- Under Specify the group DNs
- enter dc=euc-livefire,dc=com
- Select the Select All text
- You will notice the check box now becomes available
- Under Select All
- Select the check box
- Select Next.
- In the Select Users you would like to sync window
- Under Specify the user DNs
- edit the existing syntax so that it reads
- ou=corp,dc=EUC-Livefire,dc=com
- Select Next
- On the Sync Frequency window
- Select Sync Directory
- On the Directories window
- Refresh your browser window
- Note the Synced Groups and Synced Users
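Before marking any of the mapped attributes as required, it helps to confirm that every user in the sync scope actually has a value for each Active Directory source attribute. The PowerShell below is an added example, not part of the original lab; it assumes the ActiveDirectory (RSAT) module on a domain-joined machine and uses the lab's ou=corp search base and the attribute names from the mapping steps above.

```powershell
# Added example (not from the lab guide): audit the AD source attributes that the
# Workspace ONE Access directory mapping reads, for every user in the sync scope.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# Search base taken from the "Specify the user DNs" step of the lab.
$SearchBase = 'ou=corp,dc=EUC-Livefire,dc=com'

# Workspace ONE Access attribute -> AD source attribute, as mapped in the lab.
$Mapping = [ordered]@{
    managerDN         = 'manager'
    netBios           = 'msDS-PrincipalName'
    objectGuid        = 'objectGUID'
    sid               = 'objectSid'
    title             = 'title'
    userPrincipalName = 'userPrincipalName'
}
$adAttributes = [string[]]@($Mapping.Values)

# Pull every user object under the search base with only the attributes we audit.
$users = @(Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope Subtree -Properties $adAttributes)

# Build one report row per user that lacks a value for at least one attribute.
$report = @(
    foreach ($u in $users) {
        $missing = foreach ($entry in $Mapping.GetEnumerator()) {
            $value = $u.($entry.Value)
            if ($null -eq $value -or [string]::IsNullOrWhiteSpace([string]$value)) {
                '{0} ({1})' -f $entry.Key, $entry.Value
            }
        }
        if ($missing) {
            [pscustomobject]@{
                SamAccountName    = $u.SamAccountName
                DistinguishedName = $u.DistinguishedName
                MissingAttributes = $missing -join ', '
            }
        }
    }
)

# Per-attribute totals show which mappings are safe to mark as required.
$totals = foreach ($entry in $Mapping.GetEnumerator()) {
    $label = '{0} ({1})' -f $entry.Key, $entry.Value
    [pscustomobject]@{
        Attribute    = $label
        UsersMissing = @($report | Where-Object { ($_.MissingAttributes -split ', ') -contains $label }).Count
    }
}

'Users in scope: {0}' -f $users.Count
'Users missing at least one mapped attribute: {0}' -f $report.Count
$totals | Format-Table -AutoSize
$report | Sort-Object SamAccountName | Format-Table -AutoSize -Wrap
```

An attribute with a non-zero UsersMissing count is one to leave optional, or to populate in Active Directory first, for the users who must authenticate.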
- In your Workspace ONE Access admin console
- Select Settings
- Select Login Preferences
- Under Login Preferences
- Select EDIT
- In the Login Preferences area
- In line with: Sync Group Members to the Directory When Adding Group
- select the Checkbox
- In the Login Preferences area
- In the bottom right
- select SAVE
- In the Workspace ONE Access console
- select Integrations
- select Directories
- In the Directories area
- select EUC-Livefire
- In the EUC-Livefire directory area
- In the right corner
- Next to Sync
- select the dropdown
- select Sync without Safeguards
- On your ControlCenter server
- On the Desktop
- Open the Remote Desktops\Site1 folder
- Launch WS1-Connector.RDP
- On the WS1-Connector desktop
- Open your chrome browser
- In the address bar, enter dw-livefire.awmdm.com,
- Login using your registered course email (
- password VMware1!
If you are unclear what your registered course email is, go back to the lab document you configured and filled in on Day 1, in the introduction.
If you have not completed this, then please do.
- In the UEM Admin Console
- Navigate to Groups & Settings > All Settings
- Under Settings select System > Enterprise Integration
- Under Enterprise Integration
- select Cloud Connector
- In the Cloud Connector area
- Select the Override radio button
- Scroll down, select Save at the bottom of the page
- In the Cloud Connector area
- Scroll down
- Select the Download AirWatch Cloud Connector Installer
- On the Download AirWatch Cloud Connector (ACC-installer.exe)
- Type VMware1! in the Password and Confirm Password boxes.
- Select DOWNLOAD
- On the Ws1-Connector machine,
- Select the Airwatch Cloud Connector.exe
- Select open
- Select More Info
- Select Run Anyway
- Select Next
- Select the licensing to accept terms... radio button, select Next
- Select Next
- In the ACC Certificate Password window
- type the password VMware1!
- select Next
- Select Next
- Select Install
- Select OK
- Select Finish
- Select Yes
- Wait for the WS1-Connector server to reboot
- RDP to the server and re-login
- On your ControlCenter server
- Open a new tab on your Chrome browser
- Enter dw-livefire.awmdm.com in your address bar
- Login with your custom email username
- Enter your custom Password
- Select Log In
- In the UEM Admin Console
- Go to Groups & Settings > All Settings
- Under System, select Enterprise Integration
- Under Enterprise Integration, select Cloud Connector
- In the Cloud Connector window
- Scroll down
- Select TEST CONNECTION
Note the screenshot
Your environment should also reflect that the Cloud Connector has been reached
- In the Cloud Connector window
- Select the X to the right to close the window
- In the Workspace ONE UEM admin console
- Select Groups & Settings > All Settings > System > Enterprise Integration
- Under Enterprise Integration
- Select Directory Services
- In the Directory Services window
- Select the Override radio button
- Select Skip wizard and configure manually
- From the Directory Services Interface,
- Under the Server Tab, enable the following.
- Directory Type*: LDAP-Active Directory
- DNS SRV: Disabled (default)
- Server : ControlCenter.euc-livefire.com
- Bind User Name: administrator
- Bind Password: VMware1!
- Domain: euc-livefire.com
- Under the User Tab,
- Validate the following configuration is configured
- Under Base DN,
- ensure that DC=euc-livefire,DC=com has automatically populated.
- If not, click on the + icon
- add DC=euc-livefire,DC=com
- Next to User Object Class,
- ensure person is the property
- Next to User Search Filter,
- ensure (&(objectCategory=person)(sAMAccountName={EnrollmentUser})) is the string
- From the Directory Services Interface,
- Repeat these steps for the third tab Group
- Under Base DN,
- validate that DC=euc-livefire,DC=com is entered.
- Scroll to the bottom of the page
- select Save
- Select TEST CONNECTION
- You should have a Test Connection window launch saying Connection successful....
- Select CANCEL to close the window
- Let's ensure users can enroll their devices using Active Directory credentials.
- Under Settings ,
- select Devices & Users
- Select > General
- Select > Enrollment
- Under the Enrollment area
- Select the Override radio button
- Scroll down.
- In line with Authentication Mode(s)
- ensure the Directory check box is selected
- In line with Source of Authentication for Intelligent Hub,
- select Workspace ONE ACCESS
- Scroll down
- Select SAVE
- Close the Settings window,
- by selecting the X on the right of the window
- In your Workspace ONE UEM Admin console
- Navigate to Groups and Settings > All Settings > System > Enterprise Integration> Workspace ONE Access > Configuration
- Under the Server area,
- Select CONFIGURE
- On the Connect to Workspace ONE Access window,
- Select CONTINUE
- On the Connect to Workspace ONE Access window enter the following:
- Tenant URL: Your Tenant eg. https://aw-livefirehorizonrn.vidmpreview.com/
- User Name: Your Tenant Admin account
- Password: Your Tenant Password
- Select TEST CONNECTION to ensure Tenant configuration has been entered successfully.
- Select SAVE and close the settings window
- In the Workspace ONE UEM admin console
- Select GROUPS & SETTINGS
- Select Configurations
- In the Group & Settings > Configurations window
- Select GO TO CONFIGURATIONS
- Under Configurations
- In the Enter a name or category area
- Type Int
- Under Configuration Name
- Select Intelligent Hub
- Under Hub Services
- Select GET STARTED
- In the Activate Hub Services
- Select YES
- On your ControlCenter server
- Open a new tab on your Browser
- Paste your custom Workspace ONE Access URL in the address bar
- Launch your custom Workspace ONE Access URL
- In the Select Your Domain window
- Ensure System Domain is selected
- Select Next
- In the Workspace ONE Access login
- Under Username
- Enter your custom SysAdmin username
- Under Password
- Enter VMware1! (hopefully that is what you have changed it to)
- Select Sign in
- In the Web version of Intelligent Hub
- In the top right - corner
- Select and right-click your Sysadmin Initial Icon
- Select Workspace ONE Access Console
- In the Workspace ONE Access admin console
- Select Integrations
- Select Hub Configuration
- In the Hub Configuration window
- Under Hub Services
- Select LAUNCH
- In the Optimize the Intelligent Hub Experience window
- Select BEGIN
- In the Welcome to Hub Services
- Review the associated options.
- In Section 8: We will configure Hub Services
- In Workspace ONE Hub Services
- Select the Branding section
- Find Logos > Organization Logo , to the right select UPLOAD
- In the left pane,
- Under Quick access, select Desktop
- Select Software
- Select and open Logo
- Select vmware livefire.png
- Select Open
- Scroll down
- and select SAVE
- In the Workspace ONE Hub Services page
- In the left pane, select People
- Under People area,
- next to Enable People,
- move the toggle to the right
- Select SAVE
- In the Workspace ONE Hub Services page
- From the left menu,
- Select the Custom Tab.
- Next to Enable Custom Tab,
- move the toggle right.
- Next to Web
- move the toggle right.
- Next to Title
- enter: EUCLF (Best practice is not to use a label longer than 6 characters).
- Next to URL:
- enter https://www.Livefire.solutions
- Next to Position,
- enable the First radio button.
- Select SAVE
- To the top right of the Workspace ONE Hub Services page
- Select LOG OUT OF HUB SERVICES
- In the Workspace ONE Access Console
- Under Integrations
- Select People Search
- In the People Search area
- Next to Directory,
- from the dropdown
- Select the EUC-Livefire
- Select NEXT
- In the People Search page
- Step 2 Select User attributes
- note the attributes
- Scroll down
- In the bottom left
- Select NEXT
- In the People Search page
- Step 3 Select users and sync to directory
- review the User DNs
- It should read
- ou=corp,DC=euc-livefire,DC=com
- Select SAVE & SYNC
- Under People Search
- Select SYNC DIRECTORY
Step 1 : Enrolling W10Client-01a on Site 1 with the Active Directory Domain User Mark
Steps 1 - 4 can all be done in parallel, so whilst waiting for enrollment to complete on one virtual machine, feel free to move on to the next step.
- On your ControlCenter server
- On the Desktop open the Remote Desktop folder.
- Open the Site1 folder
- Select the W10Client-01a RDP client and
- Sign-in with
- username: [email protected]
- Password: VMware1!
- To the right of the Start button
- in the search area,
- start typing intel
- Select the Workspace ONE Intelligent Hub
- Please Note! If the Workspace ONE Intelligent Hub does not load,
- From the RUN > Services.msc > Start the Airwatch service
- Attempt to re-launch the hub
- Under Email or Server Address,
- Enter https://dw-livefire.awmdm.com
- Select Next
- Under Group ID, enter your unique Workspace ONE UEM tenant Group ID
- To get your unique Workspace ONE UEM Group ID, revert back to your Workspace ONE UEM tenant and look for the following next to the Workspace ONE UEM logo, select your Organization Group and note your Group ID
- Select NEXT
- In the Workspace ONE Intelligent Hub
- Under Select Your Domain
- Select euc-livefire.com
- Select Next
- Under the Username area
- Enter Mark
- Under the Password area
- Enter VMware1!
- Select Sign in
- In the Workspace ONE Intelligent Hub
- Select I Agree
- On the Congratulations window,
- Select Done
- Re-open the Intelligent Hub
- Select Get Started
Step 2 : Enrolling W10Ext-01a on Site 1 with the Active Directory Domain User Jill
- On your ControlCenter server
- On the Desktop open the Remote Desktop folder.
- Open the Site1 folder
- Select the W10EXT-01a.RDP client and
- Sign-in with
- username [email protected]
- Password VMware1!
- To the right of the Start button in the search area, start typing intel
- Select the Workspace ONE Intelligent Hub
- Please Note! If the Workspace ONE Intelligent Hub does not load,
- From the RUN > Services.msc > Start the Airwatch service
- Attempt to re-launch the hub
- Under Email or Server Address,
- Enter https://DW-livefire.awmdm.com
- Select Next
- Under Group ID, enter your unique Workspace ONE UEM tenant Group ID
- To get your unique Workspace ONE UEM Group ID, revert back to your Workspace ONE UEM tenant and look for the following next to the Workspace ONE UEM logo, select your Organization Group and note your Group ID
- Select NEXT
- In the Workspace ONE Intelligent Hub
- Under Select Your Domain
- Select euc-livefire.com
- Select Next
- Under the Username area
- Enter Jill
- Under the Password area
- Enter VMware1!
- Select Sign in
- In the Workspace ONE Intelligent Hub
- Select I Agree
- On the Congratulations window,
- Select Done
- Re-open the Intelligent Hub
- Select Get Started
Step 3 : Enrolling W10Client-02a on Site 2 with the Active Directory Domain User Fernando
- On your ControlCenter server
- On the Desktop open the Remote Desktop folder.
- Open the Site2 folder
- Select the W10Client-02a RDP client and
- Sign-in with
- username [email protected]
- Password VMware1!
- Select OK
- To the right of the Start button in the search area, start typing intel
- Select the Workspace ONE Intelligent Hub
- Please Note! If the Workspace ONE Intelligent Hub does not load,
- From the RUN > Services.msc > Start the Airwatch service
- Attempt to re-launch the hub
- Under Email or Server Address,
- Enter https://dw-livefire.awmdm.com
- Select Next
- Under Group ID, enter your unique Workspace ONE UEM tenant Group ID
- To get your unique Workspace ONE UEM Group ID, revert back to your Workspace ONE UEM tenant and look for the following next to the Workspace ONE UEM logo, select your Organization Group and note your Group ID
- Select NEXT
- In the Workspace ONE Intelligent Hub
- Under Select Your Domain
- Select euc-livefire.com
- Select Next
- Under the Username area
- Enter Fernando
- Under the Password area
- Enter VMware1!
- Select Sign in
- In the Workspace ONE Intelligent Hub
- Select I Agree
- On the Congratulations window,
- Select Done
- Re-open the Intelligent Hub
- Select Get Started
Step 4: Enrolling W10Ext-02a on Site 2 with the Active Directory Domain User Tom
- On your ControlCenter server
- On the Desktop open the Remote Desktop folder.
- Open the Site1 folder
- Select the W10EXT-02a.RDP client and
- Sign-in with
- username [email protected]
- Password VMware1!
- To the right of the Start button in the search area, start typing intel
- Select the Workspace ONE Intelligent Hub
- Please Note! If the Workspace ONE Intelligent Hub does not load,
- From the RUN > Services.msc > Start the Airwatch service
- Attempt to re-launch the hub
- Under Email or Server Address,
- Enter https://dw-livefire.awmdm.com
- Select Next
- Under Group ID, enter your unique Workspace ONE UEM tenant Group ID
- To get your unique Workspace ONE UEM Group ID, revert back to your Workspace ONE UEM tenant and look for the following next to the Workspace ONE UEM logo, select your Organization Group and note your Group ID
- Select NEXT
- In the Workspace ONE Intelligent Hub
- Under Select Your Domain
- Select euc-livefire.com
- Select Next
- Under the Username area
- Enter tom
- Under the Password area
- Enter VMware1!
- Select Sign in
- In the Workspace ONE Intelligent Hub
- Select I Agree
- On the Congratulations window,
- Select Done
- Re-open the Intelligent Hub
- Select Get Started
Part 2. Integrating Workspace ONE Access with Horizon Cloud services
In Part 2, we will work through the requirements for setting up a federation between Horizon Cloud Services and Workspace ONE Access.
The approach to federating Horizon Cloud Services with Workspace ONE Access differs from the approach we follow with on-premises Horizon Pods.
- In the Workspace ONE Access Console
- Select Settings
- Under Settings
- Select OAuth 2.0 Management
- In the OAuth 2.0 Management window
- Select ADD CLIENT
- In the Add Client interface
- Configure the following information next to:-
- Access Type*,
- select Service Client Token
- Client ID*,
- type HZNXXINTCorp
- (xx is your POD ID)
- Select SAVE
- In the OAuth 2.0 Management window
- COPY the Client ID
- COPY the Shared Secret
- Save to Notepad++ on the ControlCenter server
Don't move from this page until you have saved the Client ID and Shared Secret
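A quick way to confirm that the recorded Client ID and Shared Secret work before entering them in the Horizon Universal Console is to request a token with the OAuth 2.0 client credentials grant. The PowerShell below is an added example, not part of the original lab; the tenant FQDN is a placeholder, the client ID follows the lab's HZNXXINTCorp pattern, and the /SAAS/auth/oauthtoken token endpoint path is an assumption to check against your tenant's Workspace ONE Access API documentation.

```powershell
# Added example (not from the lab guide): check that the Service Client Token
# client created above can obtain a token with the client credentials grant.
# Assumptions: $TenantFqdn is a placeholder for your assigned Access tenant and
# the token endpoint path is /SAAS/auth/oauthtoken.
$TenantFqdn = 'your-access-tenant.example.com'   # placeholder
$ClientId   = 'HZNXXINTCorp'                     # XX = your POD ID

# Prompt for the shared secret so it does not end up in shell history or a script.
$secure = Read-Host -Prompt 'Shared Secret' -AsSecureString
$secret = [System.Net.NetworkCredential]::new('', $secure).Password

# HTTP Basic credentials for the token endpoint: base64(client_id:shared_secret).
$basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("${ClientId}:${secret}"))

try {
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://$TenantFqdn/SAAS/auth/oauthtoken" `
        -Headers @{ Authorization = "Basic $basic" } `
        -Body @{ grant_type = 'client_credentials' } `
        -ContentType 'application/x-www-form-urlencoded'

    if ([string]::IsNullOrEmpty($resp.access_token)) {
        Write-Warning 'The endpoint answered but returned no access_token.'
    }
    else {
        # Report metadata only; never echo the token itself to the console.
        [pscustomobject]@{
            ClientId     = $ClientId
            TokenType    = $resp.token_type
            ExpiresInSec = $resp.expires_in
            Scope        = $resp.scope
            TokenLength  = $resp.access_token.Length
        } | Format-List
    }
}
catch {
    # A 401 here means the Client ID or Shared Secret was recorded incorrectly.
    $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $null }
    switch ($status) {
        401     { Write-Warning 'HTTP 401: client ID or shared secret rejected.' }
        $null   { Write-Warning "No HTTP response: $($_.Exception.Message)" }
        default { Write-Warning "HTTP ${status}: $($_.Exception.Message)" }
    }
}
finally {
    # Drop the plaintext secret and the derived header value from the session.
    Remove-Variable -Name secret, basic -ErrorAction SilentlyContinue
}
```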
- On your Site 1 profile - Chrome browser
- On the Favourites bar
- Select HZN Cloud
- On the Welcome to VMware Horizon® page
- Under My VMware Credentials, enter the following
- In the Username area,
- type your assigned Horizon Cloud email
- In the Password area,
- type VMware1!
- Select LOGIN
- On the Welcome to VMware Horizon® page
- Under Active Directory Credentials, enter the following
- In the Username area,
- type Administrator
- In the Password area,
- type VMware1!
- Select LOGIN
- In the What's New in Horizon Cloud window
- Turn off the toggle next to :-
- Continue to show this Notification
- Select CLOSE
- In the Horizon Universal Console
- Expand Settings
- Under Settings,
- Select Broker
- In the Broker area
- Select the Identity & Access tab
- In the Workspace ONE Access and Intelligent Hub window
- Provide Workspace ONE Access Cloud Tenant section
- Enter the following next to:
- Workspace ONE Access Cloud Tenant*
- select Add existing cloud tenant.
- Under Add existing cloud tenant
- enter your assigned Access tenant FQDN
- Next to : -
- OAuth Client ID * : enter your recorded Client ID
- Shared Secret * : enter Your Shared Secret
- Select the check box, next to :-
- I have read and agree to the Terms of Service.
- Select NEXT
- In the Workspace ONE Access and Intelligent Hub window
- In the following sections:-
- Complete Workspace ONE Access and Horizon Prerequisites section
- Note the following requirements before you carry on:
- Expand the Provide Workspace ONE Access Cloud area above step 2:
- Note your tenant information
- Select NEXT
- In the Workspace ONE Access and Intelligent Hub window
- In the following section:-
- Activate Intelligent Hub
- Select ACTIVATE
- In the Workspace ONE Access and Intelligent Hub window
- Under the Workspace ONE Access Cloud Tenant area
- select the checkbox next to
- I have verified that end-users can access virtual desktops and apps in Intelligent Hub.
- Select CONFIRM
- In the Broker window
- Notice you now have an Authentication tab next to Identity & Access
- Select the Authentication Tab
- In the Broker window
- Under the Authentication tab
- Next to Workspace ONE Intelligent Hub Enforcement
- select the Pencil Icon
- In the Edit Intelligent Hub Enforcement window
- Next to Enforce Intelligent Hub
- Select the toggle and move it to the right
- In the Edit Intelligent Hub Enforcement window
- Select SAVE
Part 3 : Testing client integration with the Universal Broker platform
In this part we will test our configuration and see how it works.
This part also serves as an introduction to Part 4 as to why we need VMware Horizon TRUESSO
- On your ControlCenter server
- Open your Remote Desktops folder
- Open the Site 1 folder
- Launch w10Client-01a.RDP
- In the Windows Security window
- Under [email protected]
- enter VMware1! as the password
- Select OK
- On the W10client-01a desktop
- Launch your Chrome browser
- In the Chrome browser address bar
- enter your Assigned Workspace ONE ACCESS Url
- e.g. https://aw-livefirernpod25.vidmpreview.com/
- On your keyboard
- select ENTER
- In the Workspace ONE auth page
- Under Select Your Domain
- From the dropdown
- Select euc-livefire.com
- Select Next
- In the Workspace ONE auth page
- Under username
- type Mark
- Under password
- type VMware1!
- Select Sign In
- In the Intelligent Hub console
- Note that now you have your Desktop Entitlement and Published Application assignments
- Launch your CorpXX-HZN
- XX is representative of your assigned POD ID
- In the Horizon Client window
- Select Launch
- In the Password Request window
- Note that you have not received a Single Sign-On experience
- For Password-based authentication we can solve this
- With any other authentication method, only the use of VMware Horizon TRUESSO will solve this
- Select Cancel
- On your ControlCenter server
- Revert back to your Workspace ONE Access Admin Console
- Select the Settings tab
- Under Settings
- Select Login Preferences
- Under Login Preferences
- Select EDIT
- Under Login Preferences
- Scroll down
- Next to Cache passwords
- Select the Checkbox
- In the bottom right corner of this window
- Select SAVE
- On the Controlcenter server
- Revert back to your W10Client-01a.rdp session
- Sign out of your existing Intelligent Hub session
- Close your browser
- On the W10client-01a desktop
- If necessary
- Close your Chrome browser
- Re-Launch your Chrome browser
- In the Chrome browser address bar
- enter your Assigned Pod broker ID
- e.g. brokerXX.euc-livefire.com
- XX represents your assigned POD ID
- On your keyboard
- select ENTER
- In the Workspace ONE auth page
- Under Select Your Domain
- From the dropdown
- Select euc-livefire.com
- Select Next
- In the Workspace ONE auth page
- Under username
- type Mark
- Under password
- type VMware1!
- Select Sign In
- In the Web version of the Intelligent Hub
- Under Apps
- Launch your Desktop Assignment
- In the Open VMware Horizon Client?
- Next to Always allow YOURSERVER.vidmpreview.com to open links of this type in the associated app
- select the Checkbox
- Select Open VMware Horizon Client
-
When prompted by the VMware Horizon Client for Drive Sharing
- Select Allow
- Next to Always allow YOURSERVER.vidmpreview.com to open links of this type in the associated app
- In your Horizon Client Session
- Note that you were not prompted a second time for a password
- This will only work provided you authenticate with a password on Workspace ONE Access and Password caching remains enabled.
- Password Caching was disabled in Workspace ONE Access as a default configuration for security reasons.
- We will now look at Part 4 and the implementation of VMware Horizon TRUESSO to allow for a single sign-on experience, irrespective of the authentication method, even when the Password Caching feature is disabled.
Part 4: Integrating VMware Horizon TRUESSO with Horizon Cloud services
When using Horizon with Workspace ONE Access and a 3rd party authentication method, the only way to get a good user experience with Single Sign-On is to deploy Enrollment Services, also known as TRUESSO.
We will not be deploying Horizon Enrollment services but integrating it with Horizon Cloud and seeing how it works with Workspace ONE Access.
- On your ControlCenter server
- Switch to your custom UEM Saas Tenant
- If necessary, authenticate using your Saas Admin credentials
- In the Workspace ONE UEM Admin Console
- Navigate to Groups & Settings > All Settings
- In the Settings window
- Select System
- Select Enterprise Integration >
- Select Workspace ONE Access >
- Select Configuration
- In the Workspace ONE Access area
- Below Certificate
- Next to Certificate Provisioning
- Select ENABLE
- In the Workspace ONE Access window
- Scroll down to the Certificate area
- Select EXPORT
- At the bottom of your browser
- select Keep
- Note this will download :-
- VidmAirWatchRootCertificate.cer
- To close the Settings window
- Select X
- From the UEM Console
- Navigate to Devices > Profiles & Resources > Profiles
- Select ADD > Add Profile
- In the Add Profile window
- Select Windows > Windows Desktop > User Profile
- Next to Name* enter: W10 - SCEP - SSO
- In the General tab,
- Scroll down to Smart Groups
- Select All Devices(YOUR SAAS Tenant)
- In the Add Profile window
- In the left inventory menu
- Navigate down to the SCEP tab
- Select SCEP
- In the SCEP area
- Select CONFIGURE
- In the SCEP window
- Change the following:
- Next to Key Location: from the dropdown
- select Software
- At the bottom right of the window
- Select SAVE AND PUBLISH
- In the View Device Assignment page
- Confirm your devices are showing
- In the bottom right corner
- Select PUBLISH
- On your ControlCenter
- Switch to your custom Saas Workspace ONE Access tenant
- In the Workspace ONE Login
- Under Select Your Domain
- Select System Domain,
- Select Next
- Under Username
- type administrator
- Under Password
- type VMware1!
- Select Sign in
- In the Intelligent Hub Console
- Top right corner
- Select the TA icon
- Select Workspace ONE Access Console
- In the Workspace ONE Access admin console
- Navigate to the Integrations tab
- In the Integrations area, validate you are in Authentication Methods
- Next to Certificate (Cloud Deployment)
- Select the pencil icon
- In the Certificate (Cloud Deployment) page
- Below Enable Certificate Adapter
- Below Root and Intermediate CA Certificates
- select SELECT FILE...
- In the File Explorer window
- In the Quick Access Menu
- Select Downloads
- Select the VidmAirWatchRootCertificate.cer certificate
- Select Open
- In the Update Authentication Adapter window
- select YES
- In the Certificate (cloud deployment) window
- In the bottom right corner
- select SAVE
- In the Workspace ONE Access Console
- Under Integrations
- Select Identity Providers
- In the Identity Providers area
- Select Built-in
- In the Built-In Identity Providers window
- NOTE: In the Authentication Methods area, the checkbox next to Certificate (cloud deployment) is already enabled
- In the Built-In window
- In the Users area
- Next to EUC-Livefire
- select the checkbox
- In the Network area
- Next to ALLRANGES
- select the checkbox
- At the bottom of the page
- Select Save
- In the Workspace ONE Access Admin console
- Select the Resources tab
- In the Resources area
- Select Policies
- Under the Policies area
- Next to default_access_policy_set
- Select the radio button
- Select EDIT
- In the Edit Policy window,
- In the left column
- Select Configuration
- To the left of Web Browser,
- Select All Ranges
- In the Edit Policy Rule window
- Next to then the user may authenticate using *
- select Certificate (cloud deployment)
- Next to if preceding method fails or is not applicable, then *
- select Password (cloud deployment)
- Select ADD FALLBACK METHOD
- Next to if preceding method fails or is not applicable, then *
- select Password (Local Directory)
- Select SAVE at the bottom of the window
- Select + ADD POLICY RULE
- In the Edit Policy Rule window
- Next to and user accessing content from*
- select Windows 10
- Next to then the user may authenticate using*
- select Certificate (cloud Deployment)
- Next to if the preceding method fails or is not applicable, then
- select Password (cloud deployment)
- Select + ADD FALLBACK METHOD
- Next to if the preceding method fails or is not applicable, then
- Select Password (Local Directory)
- At the bottom right hand side of the page
- Select SAVE
- In the Edit Policy window
- Next to ALL RANGES for Windows 10
- Select the 6 DOTS and drag to the top
- Select NEXT on the Edit Policy Page
- On the Edit Policy Page
- Summary tab
- Select SAVE
You have now enabled Certificate (Cloud Deployment) as an authentication method on the default access policy. Our next step is to ensure this implementation is working.
- On the ControlCenter server Desktop,
- Open the Remote Desktops folder,
- Select the W10Client-01a.RDP shortcut
- Log in as [email protected],
- enter the password VMware1!,
- Select OK
If any existing Horizon Desktop sessions or Workspace ONE Access logins are still open, log out and close all sessions and browsers.
- On W10Client-01a desktop
- Select Start > Run,
- Next to Open, type mmc,
- Select OK
- In the Console, select Add/Remove Snap-in
- In the Add or Remove Snap-ins window
- Select Certificates,
- Select Add
- Select OK
- Expand Certificates - Current User
- Expand Personal
- Select Certificates
- Note you have an enrolled certificate. If you don't have a certificate,
- Follow steps 6 - 8.
- If you have an enrolled certificate
- Carry on from step 9
- On your W10Client-01a desktop
- In the right bottom corner of your Taskbar
- To the left of the Network icon
- Select the UP arrow
- On your W10Client-01a desktop
- Select and right-click the Intelligent Hub icon
- Select Sync
- In the Certificates snap-in
- Under Personal
- Select Certificates
- In the Toolbar
- Select Refresh
- On your W10Client-01a Desktop
- Open a browser on your Windows 10 desktop
- In the address bar enter the URL of your Saas Access Tenant
- In the Select a certificate window
- Select OK
- On the Workspace ONE console,
- In the Apps tab
- Select Calculator
- In the Intelligent Hub
- Notice we are getting a Password request.
- We used a 3rd party Auth method to log in to Workspace ONE Access (in our session, a Certificate-based Auth method was used). Workspace ONE Access therefore did not have the UPN it would have received from a password Auth method to pass on to the Horizon Agent.
- We will now move forward with Configuring HORIZON TRUESSO
- Select Cancel to close the Password Request window.
- Log out and close all windows on W10Client-01a
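The Certificates snap-in check from Part 4 can also be scripted. The PowerShell below is an added example, not part of the original lab: it lists the certificates in the Current User Personal store and reports whether each has a private key, is within its validity period, permits Client Authentication, and chains to the exported root. It assumes VidmAirWatchRootCertificate.cer has been copied to the Downloads folder on W10Client-01a and that the SCEP-enrolled certificate is issued under that root.

```powershell
# Added example (not from the lab guide). Run on W10Client-01a as the signed-in user.
# Assumption: the exported root certificate has been copied to the path below.
$RootCertPath  = Join-Path $env:USERPROFILE 'Downloads\VidmAirWatchRootCertificate.cer'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

if (-not (Test-Path $RootCertPath)) {
    throw "Root certificate not found at $RootCertPath"
}
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCertPath

$results = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    # Build the chain offline, offering the exported root as a candidate issuer.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.ChainPolicy.ExtraStore.Add($root)
    [void]$chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        # An empty EKU list means the certificate is not restricted to specific usages.
        ClientAuth    = ($ekus.Count -eq 0 -or $ekus -contains $ClientAuthOid)
        ChainsToRoot  = ($top.Thumbprint -eq $root.Thumbprint)
    }
}

$usable = @($results | Where-Object {
    $_.HasPrivateKey -and $_.InValidity -and $_.ClientAuth -and $_.ChainsToRoot
})
$results | Format-Table Subject, NotAfter, HasPrivateKey, ClientAuth, ChainsToRoot -AutoSize
if ($usable.Count -eq 0) {
    Write-Warning 'No usable certificate found. Run Sync from the Intelligent Hub icon, then re-run.'
} else {
    "Usable certificate(s): $($usable.Thumbprint -join ', ')"
}
```

If no usable certificate is reported, the Sync and Refresh steps from Part 4 apply before retrying the browser login.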
Part 5. Integrating Horizon TRUESSO with the Horizon Universal Console
- On your ControlCenter server
- On your Site 1 Browser
- Open a new Tab
- Select Horizon Site 1
- On VMware Horizon login
- In the Username area
- type Administrator
- In the Password area
- type VMware1!
- Select Sign In
- In the Horizon Admin console
- In the Dashboard area
- Select VIEW
- In the Components window
- Select TrueSSO
- In the TrueSSO area of Components
- Note that Enrollment and Sub-ordinate CA servers have been deployed and configured
- To Close the Components window
- Select OK
- On your ControlCenter server
- On your Site 2 Browser
- Open a new Tab
- Select Horizon Site 2
- On VMware Horizon login
- In the Username area
- type Administrator
- In the Password area
- type VMware1!
- Select Sign In
- In the Horizon Admin console
- In the Dashboard area
- Select VIEW
- In the Components window
- Select TrueSSO
- In the TrueSSO area of Components
- Note that Enrollment and Sub-ordinate CA servers have been deployed and configured
- To Close the Components window
- Select OK
- On your ControlCenter server
- Revert to your Site 1 browser
- Open a new tab
- Select the HZN Cloud shortcut
- On the Welcome to VMware Horizon® page
- Under My VMware Credentials, enter the following
- In the Username area, type your assigned Horizon Cloud email
- In the Password area, type VMware1!
- Select LOGIN
- On the Welcome to VMware Horizon® page
- Under Active Directory Credentials, enter the following
- In the Username area, type Administrator
- In the Password area, type VMware1!
- Select LOGIN
- In the Horizon Universal Console
- Expand Settings
- Select Active Directory
- In the Active Directory area
- In the True SSO Configuration area
- Next to Horizon pods on VMware SDDC
- Select SYNC
- On your ControlCenter server,
- Switch to your Remote Desktops session to W10Client-01a.RDP session.
- If necessary, login again with
- Username : [email protected]
- Password: VMware1!
- Sign out of any existing sessions,
- close all windows
- On your W10Client-01a desktop,
- Open your browser
- Enter your custom Workspace ONE Access URL
- On the Select a certificate window,
- Select OK
- In the Intelligent Hub
- Under Apps
- Select CorpXX-HZN
- where XX is your assignment
- On the W10Client-01a
- Note that you have now observed a Single sign-on session
- Possibly launch a RDSH session from your Workspace ONE Access console
- This concludes this lab
In initial testing with this Horizon Cloud Connector and Horizon version 2209, it took up to 10 minutes after initiating the TRUESSO SYNC for the sync to take effect. Keep trying until it works.