Authentication Method - Android SSO

Configure Single-Sign-on for an Android Device from the Workspace ONE UEM Admin Console

Pre-requisites to this lab

  • For this lab you will need an Android device that you are willing to enroll into this lab environment.
  • If you do not have an Android test device, complete the Android emulator setup from the Day 1 lab before proceeding.

Part 1: Configuring Workspace ONE Access for Android Mobile SSO

  1. In this section we will download a certificate from Workspace ONE UEM and use it to configure Android Mobile SSO in Workspace ONE Access. After that we will complete the remaining Workspace ONE Access configuration.
    • Log in to your SaaS Workspace ONE UEM console with your custom credentials
      • Select GROUPS & SETTINGS > All Settings
      • Under System, select Enterprise Integration
      • Under Enterprise Integration, select VMware Tunnel
  1. On the Tunnel Configuration page, enter the following:
    • Next to Hostname: EUClivefire
      • Note: this is a dummy value, as we only leverage the Device Traffic Rules to send the authentication request to a cert proxy service; no Tunnel Server is physically deployed.
    • Port: 444 (choose any dummy port number)
    • At the top of the page, select SAVE
  1. In the Tunnel Configuration window
    • Expand Client Authentication
    • Below Thumbprint, select EXPORT
    • Note that the name of the certificate is TunnelDeviceRootCertificate.cer
    • If you get a security prompt, click Keep
  1. Switch to your SaaS instance of Workspace ONE Access, logging in if necessary
    • Select the Identity & Access Management tab
    • Select Manage
    • Select Authentication Methods
    • Under Authentication methods for Built-in Identity Providers
      • Select the Pencil icon next to Mobile SSO (for Android)
    • On the Mobile SSO (for Android) window, select the following next to:
      • Enable Certificate Adapter: select the checkbox
      • Root and Intermediate CA certificates: click the Select File button, choose the TunnelDeviceRootCertificate.cer file you downloaded earlier and select Open.
        • On the Update Auth adapter window, select OK
      • Use CRL from Certificates: uncheck the checkbox
      • Use CRL in case of OCSP failure: uncheck the checkbox
      • At the bottom of the page, select Save


  1. In the Workspace ONE Access Admin Console
    • Select the Identity & Access Management tab > Manage, select Identity Providers
    • On the Identity Providers window, select Built-in
      • In the Built-in Interface
        • In the Users area
          • Next to LivefireSync, select the Checkbox
        • In the Network area
          • Next to ALL RANGES, select the Checkbox
            • Notice that Mobile SSO (for Android) checkbox is already selected
    • Scroll down
    • Select Save
  1. In the Workspace ONE Access Admin Console
    • On the Identity & Access Management tab > Manage, select Policies
    • Select ADD POLICY.
    • In the 1. Definition area
      • Enter a policy name: App_SSO Policy
      • Under the Applies to section, select BambooHR
      • Select NEXT
    • In the 2. Configuration area
      • Select +ADD POLICY RULE
        • On the Add Policy Rule page, add the following next to:
          • and user accessing content from*: Android
          • then the user may authenticate using*: Mobile SSO (for Android)
          • if the preceding method fails or is not applicable, then*: Password (cloud deployment)
          • Select SAVE


  1. In the Workspace ONE Access Admin Console, Edit Policy window
    • In the 2. Configuration area
      • Select +ADD POLICY RULE
        • On the Add Policy Rule page, add the following next to:
          • and user accessing content from*: Web Browser
          • then the user may authenticate using*: Mobile SSO (for Android)
          • if the preceding method fails or is not applicable, then*: Password (cloud deployment)
          • Select SAVE
      • Select NEXT
    • On the 3. Summary area, select SAVE

Part 2: Configuring Single-Sign-on for Android: Android VPN Profile

Introduction: We have just configured the Workspace ONE Access Android SSO auth adapter. We will now configure the Android VPN profile and add a version to the profile in Workspace ONE UEM.

  1. Switch to your SaaS Workspace ONE UEM Admin Console, logging in if necessary
    • Select Devices > Profiles & Resources
    • Under Profiles & Resources, select Profiles > ADD dropdown, then select Add Profile
    • On the Add Profile window, select Android.
  1. Configuring Single-Sign-on for Android
    • In the Name Your Profile area
      • Type Android_Mobile_SSO
      • Next to Profile Scope, leave the default option Production
  2. In the Search area type VPN
    • To the right of VPN select ADD
  1. In the Android_Mobile_SSO window, configure the following
    • In the VPN window, configure the following next to:
      • Connection Type: WorkspaceONE Tunnel
      • Connection Name: Android_SSO
      • Server: (leave default)
      • Device Traffic Rules  (leave default)
      • Per-App VPN Rules: checkbox enabled (default)
    • In the bottom right corner
      • Select NEXT
  1. In the Assignment window
    • Next to Smart Group, select All Devices("your org name")
    • In the bottom right corner
      • Select SAVE & PUBLISH

Part 3: Configuring Android Public applications for a Per App VPN Profile in WorkspaceONE UEM for SSO

This section is dedicated to configuring Workspace ONE UEM to deliver native applications to your Android device.

  1. In the Workspace ONE UEM Admin Console
    • Select APPS & BOOKS > Applications > Native > Public tab
      1. Select +ADD APPLICATION
        • In the Add Application window, select the following next to:
          • Platform*: Android
          • Name*: Workspace ONE Tunnel
          • Select NEXT
      2. In the Add Application window select Tunnel-Workspace ONE
      3. In the Tunnel - Workspace ONE section, click the Select button
        • Select SAVE & ASSIGN
      4. On the Tunnel - Workspace ONE -  Assignment window, enter the following:
        • In the Distribution area next to
          • Name: type Workspace ONE Tunnel Assignment
          • Assignment Groups*: select All Devices (your org)
          • App Delivery Method*: select the Auto radio button
        • Select Application Configuration
          • Select the following: next to
            • DisplayPrivacyDialog : Disable
            • PolicyAllowFeatureAnalytics : Disable
            • PolicyAllowCrashReporting : Disable
            • DisplayWelcomeScreen: Disable
      5. At the bottom select CREATE
      6. On the Tunnel - Workspace ONE - Assignment window
        • Select SAVE
      7. On the Tunnel - Workspace ONE - Preview Assigned Devices window
        • Select PUBLISH
  1. Configuring BAMBOOHR for native Android Single Sign-On
    1. In the WorkspaceONE UEM console, select APPS & BOOKS > Applications > Native
      • Select the  Public tab
        • Select +ADD APPLICATION
    2. In the Add Application window, select the following next to:
      • Platform*: Android
      • Name*: BAMBOOHR
      • Select NEXT
    3. In the Add Application window under Apps select BambooHR
    4. In the Add Application window under BambooHR click Select
    5. On the Edit Application - BambooHR window, select SAVE & ASSIGN
    6. On the BambooHR -  Assignment window, enter the following:
      1. In the Distribution area next to
        • Name: type BambooHR Assignment
        • Assignment Groups*: select All Devices (your org)
        • App Delivery Method*: select the Auto radio button
      2. In the Tunnel area next to
        • Android : Android_Mobile_SSO @ your org
      3. In the  Application Configuration area
        • Select the Send Configuration, radio button
          • Select the ADD option
            • Under Configuration Key,
              • Type AppServiceHosts
            • Under Value Type
              • Select String dropdown
            • Under Configuration Value
              • Type in your custom BambooHR domain
                • e.g. https://SLGB55.bamboohr.com
    7. At the bottom select CREATE
    8. On the BambooHR - Assignment window select SAVE
    9. On the BambooHR - Preview Assigned Devices window select PUBLISH
  1. Configuring your Chrome Browser for Single-Sign-on
    • Certain applications like BambooHR integrate with your browser, so you will have to configure your browser for Single-Sign-on as well.
      1. In the APPS & BOOKS > Applications > Native > Public tab (continued)
      2. Select +ADD APPLICATION
      3. In the Add Application window, select the following next to:
        • Platform* : Android
        • Name*: Chrome
        • Select NEXT
      4. In the top of the  Add Application window select Google Chrome
      5. In the Chrome : Fast & Secure, click on Select
      6. In the Edit Application - Google Chrome, select SAVE & ASSIGN


  1. On the Google Chrome: Fast & Secure -  Assignment window, enter the following:
    1. In the Distribution area next to
      • Name: type Chrome Assignment
      • Assignment Groups*: select All Devices (your org)
      • App Delivery Method*: select the Auto radio button
    2. In the Tunnel area next to
      • Android : Android_Mobile_SSO @ your org
    3. Select the  Application Configuration area
      • Select the Send Configuration, radio button
        • Next to Configure the home page URL, enter www.livefire.solutions
  2. Select CREATE
  3. Select SAVE
  4. Select PUBLISH


Part 4: Configuring VMware Tunnel Component

Configure single sign-on for Android devices to allow users to sign in securely to enterprise apps, without entering their password.

About this task

To configure single-sign-on for Android devices you do not need to deploy the VMware Tunnel, but you configure single sign-on using many of the same fields.

  1. Configuring Single-Sign-on for Android
    • On your ControlCenter Server desktop
      • Launch your browser to enter https://dw-livefire.awmdm.com
        • Log into your Workspace ONE UEM admin console with your Admin credentials.
      • In the Workspace ONE UEM admin console,
        • Select GROUPS & SETTINGS
        • Select All Settings


  1. Configuring VMware Tunnel Component
    • Under System, select Enterprise Integration
    • Select VMware Tunnel.
  1. In the Tunnel Configuration Page
    • In the Device Traffic Rules section
      1. Select EDIT
      2. In the Manage Traffic Assignments window
        • Select Default
          • In the Device Traffic Rules window, configure the following:
            • Select ADD RULE
            • Next to Rank # 1, under Application in the dropdown
              • Select BambooHR, Chrome and Android Workspace
  1. In Device Traffic Rules
    • Under Action, from the dropdown
      • Select PROXY
    • Under Web Proxy
      • Type certproxy.vidmpreview.com:5262
    • Under Destination
      • Type *.vidmpreview.com
    • Next to Rank # 2, leave (all other Apps) under Application; under Action
      • Select BYPASS
    • Select SAVE
    • On the Are you sure you want to continue? window
      • Select OK
    • Under Manage Traffic Assignments
      • Select CLOSE
  1. Switch to your enrolled Android Emulator or physical Android device
    • Wait until all your apps have been deployed on your device, that being BambooHR and Chrome.
    • Select your WORK Profile
    • Select your Tunnel application
    • In the Tunnel application, select CONTINUE
    • In the Privacy window, select I UNDERSTAND
    • In Data Sharing window, select I AGREE
    • On the Connection request window, select OK

Wait until all your apps have been deployed on your device, that being Workspace ONE Tunnel, BambooHR and Chrome.

  • On your Android device,
    • Expect to be prompted with the following message
      • Connection request. Tunnel wants to set up a VPN connection...
        • Select OK

Part 5: Testing Mobile SSO for Android

  1. Testing Mobile SSO for BambooHR
    • On your Android Device select your BambooHR application
      1. In the BambooHR window, type your custom domain in the yourdomain.bamboohr.com field
        • e.g. globalrn.bamboohr.com
        • select Continue
      2. Select the LOG IN button
      3. On the Welcome to Chrome window select Accept & Continue
      4. On the Sign in to Chrome select No thanks
      5. On the Workspace ONE console enter your username and select Next.
      6. Notice that you were logged in without needing to provide a password. This means Mobile Single Sign-on was successful.


Proceed to the next lab.

About the Author

Reinhart Nel

https://www.livefire.solutions/meet-the-team/reinhartnel/

For any questions please email Reinhart at [email protected]
