EUCEUC: Advanced Integrations_PSO Session_2020 Day 1 Configuring the Workspace ONE Access and the AirWatch Cloud Connector

Configuring the Workspace ONE Access and the AirWatch Cloud Connector

Part 1. Configuring the Workspace ONE Access Connector

We have pre-installed the Workspace ONE Access Connector for you in the Lab environment. However since we have cloned the machine the connector is in an idle state and needs to be re-initiated.

  1. Log into your ControlCenter2 server with username [email protected] and password VMware1!
    1. On your ControlCenter2 server desktop select your Remote Desktops folder and select and launch your WS1-Connector.RDP shortcut.
    2. When prompted log in as username [email protected] with the password VMware1!
    3. On the WS1-Connector server open the File Explorer to the following path
      C:\VMware\VMwareidentityManager\Connector
  1. Right Click the install.bat file and click Run as Administrator
  1. This will launch a PowerShell window that will clear out the state of the connector. Wait till the Powershell Window closes which confirms it has run successfully.
  1. Open services.msc and start the VMware IDM Connector service
  1. Wait for a few minutes till all the services have launched and move on to the next part of the lab.
  1.  Our objective is to associate our on-premise connector instance with our SaaS instance of Workspace ONE Access.
    • On your Control Center2 server desktop, Open your Google Chrome browser.
      1. On your chrome select the WS1-connnector shortcut or type https://ws1-connector.euc-livefire.com:8443/cfg in the address bar
      2. On the Your Connection is not private page, select Advanced and select Proceed to ws1-connector.euc-livefire.comue.
      3. On the Get Started Window select Continue
      4. In the Set Passwords section next to Username type admin next to password  type VMware1! next to Confirm Password type VMware1! select Continue at the bottom of the page.
  1. On your browser, open up a second Tab, navigate to your unique Workspace ONE Access Tenant and if you have not done so login as Administrator with your unique password, that your received in your e-mail login
    • Navigate to Identity & Access Management > Setup > Legacy Connectors  
    • On the Virtual Apps Usage Confirmation window, Select the  radio button  next Use legacy connectors, if you want to use Virtual Apps Select OK
  1. In the Legacy Connectors area , select Add Connector
    • In the Add a Connector window. Next to Connector ID Name: type WS1-Connector. Next select Generate Activation Code . Next copy this code
  1. Revert back to your WS1-Connector Server setup:  On the activate connector page Paste this code into the Activation Code box of your Connector configuration setup, select Continue
    • You should get a setup is complete page inside the Workspace ONE Access Console.

Part 2 . Configuring Active Directory Sync

We will now configure and synchronise Active Directory to the Workspace ONE Access server using the external connector.

First we will configure the Attributes. Note!  Every organisation will need to research their requirements when deciding whether or not to set attributes to required. For specific applications where this needs to be considered,  if the associated user object does not have the attribute, authentication might fail.

  1. Navigate to Identity & Access Management > Setup > User Attributes
    Notice the attributes that are available and the option available to set these to Required. IMPORTANT NOTE: The attributes set to required cannot be changed after a directory sync has taken place.
  2. Set the attribute distinguishedName and userPrincipalName to Required 
  3. Under Attributes to the right select the Green Plus ( Add the following additional attributes (case sensitive) :
    • objectGUID 
    • title
    • managerDN
  4. Select Save
  1. Configure our AD-sync configuration with Workspace ONE Access.
    • To the right of the screen select Manage, select Directories
    • Select Add Directory > Add Active Directory over LDAP/IWA
  1. In the Add Directory Page, configure the following
    1. Directory Name: LivefireSync
    2. Ensure the Active Directory over LDAP radio button is selected
    3. The Sync Connector select the external connector ws1-connector.euc-livefire.com
    4. Directory Search Attribute: sAMAccountName
    5. Base DN: dc=EUC-Livefire,dc=com
    6. Bind DN: cn=administrator,ou=corp,dc=EUC-Livefire,dc=com
    7. Bind DN Password: VMware1!
    8. Select Test Connection. You will see Test connection successful.  
    9. Select Save & Next

 

  1. On the Select the Domains page, select Next. euc-livefire.com should be discovered.

 

  1. On the Map User Attribute page configure the following :
    • Scroll down to objectGuid and select the drop down arrow select objectGUID.
    • Since this is the attribute we setup earlier in User Attributes we will also need to map it to an AD attribute.
    • Next to managerDN select custom input and type manager in the dropdown
    • Next to title select title in the dropdown
    • Select Next  
  1. Configure our AD-sync configuration with Workspace ONE Access....continued
    • On the Select the Groups you want to sync page, select the green plus (+) to the right of the page,
    • Under Specify the group DNs type the following dc=euc-livefire,dc=com next to the distinguished name you added, select Find Groups then the Select All  check box
    • select Next.
  1. Configure our AD-sync configuration with Workspace ONE Access....continued
    1. On the Select the Users you would like to sync page, under specify the user DNs type ou=corp,dc=EUC-Livefire,dc=com
    2. Select Next, notice the objects to sync in the Review page.
      • There may be an error, "Missing required attributes email for imaservice" Disregard this error. The sync will stil work.
    3. Select Sync Directory

Part 3: Configuring the Built-in IDP in Workspace ONE Access

  1. Navigate to and select Identity & Access Management >  Manage, select Identity Providers.
    • Notice you now have an additional Identity Provider which is a Workspace IDP called WorkspaceIDP_xxxx which is associated with the LiveFireSync directory we just created above. This is an automatic process whereby when the built in connector is associated with Active Directory this Identity Provider gets created.
  1. We will now associate the Built-In iDP with  our LivefireSync Directory and the external connector to ensure Password (Cloud Deployment) can be used as an authentication method.
    1. Select Built-In.
    2. In the Built-in IDP windows select the following:
      • Select LivefireSync under Users
      • All Ranges under Network
      • Add the WS1-Connector.euc-livefire.com to the connector section
        • Click Add Connector to confirm
      • Select Password (Cloud Deployment) checkbox
      • Select Save at the bottom of the page.
  1. We need to ensure that our default access policy has Password (Cloud Deployment) set as the authentication method.
    • Navigate to Identity & Access Management > Manage > Policies .
    • Select the radio button next to default_access_policy_set and select EDIT
    • Select Configuration on the left navigation
  1. Select ALL RANGES next to  Workspace One App Policy
    • Next to then the user may authenticate using * and select Password (Cloud Deployment) as the first authentication form.
    • Next to If the preceding method fails or is not applicable, then  select Password (Local Directory)
    • Select SAVE at the bottom of the page.
  1. Select ALL RANGES next to Web Browser
    • Next to then the user may authenticate using * and select Password (Cloud Deployment) as the first authentication form.
    • Next to If the preceding method fails or is not applicable, then  select Password (Local Directory)
    • Select SAVE at the bottom of the page.
  1. On the Edit Policy window, select Next
    • Select SAVE

Part 4: AirWatch Cloud Connector -  Installation

  1. On the ControlCenter2 desktop open and locate the Remote Desktop Folder. Launch  WS1-Connector.euc-livefire.com RDP shortcut. 
    • Open your chrome browser and login to dw-livefire.awmdm.com, using your custom username and password  VMware1! (or your custom password if the default needed to be changed)
    • If you get prompted with Workspace ONE UEM highlightsClose the window.
  1. Navigate to Groups & Settings > All Settings > System > Enterprise Integration  > Cloud Connector
  1. Select the overide radio button and then select ENABLED on both toggle options.
    • Select Save at the bottom of the page
  1. Now click the Download AirWatch Cloud Connector Installer
  1. On the Download AirWatch Cloud Connector (ACC-installer.exe)
    • Type VMware1! in the Password and Confirm Pasword boxes.
    • Select DOWNLOAD
  1. On the Ws1-Connector machine, install the ACC using the installer that you have downloaded. This might require a reboot of the Server.
    1. Select Airwatch Cloud Connector.exe and select open
    2. Select Run
    3. if prompted, click Install on the microsoft .NET framework 4.8 window
    4. Select Next
    5. Select the licensing to accept terms... radio button , select Next
    6. Select Next
    7. In the ACC Certificate Password window type the password VMware1! and select Next
    8. Select Next
    9. Select Install
    10. Select OK in the Registry Key prompt
    11. Select Finish
    12. Click Yes to restart your Airwatch Cloud Connector
  1. Once the WS1-Connector VM restarts you can connect again with RDP and test the connection inside the UEM console.

You should see AirWatch Cloud Connector is active. Leave this window open.

  1. You will now see that there are two services in the Programs and Features that are considered "connectors" We have the AirWatch Cloud Connector and the VMware Identity Manager Connector

 

Part 5 Workspace ONE UEM & Active Directory Integration

  1.  From the left hand navigation pane select Directory Services under Enterprise Integration. 
  2. Select the radio button next to Override.
  3. Select Skip Wizard and Configure Manually 
  1. From the Directory Services Interface, Under the Server Tab ensure the following are selected
    • Directory Type: LDAP Active Directory
    • DNS SRV: Disabled
    • Server : ControlCenter2.euc-livefire.com
    • Encryption Type: None
    • Port: 389
    • Protocol Version: 3
    • User Service Account Credentials: Disabled
    • Bind Authentication Type: GSS-Negotiate
    • Bind User Name: administrator
    • Bind Password: VMware1!
    • Domain: euc-livefire.com
  1. Scroll back up to the User tab:
  • Under Base DN, ensure that DC=euc-livefire,DC=com has automatically populated. If not, click on the + icon and add DC=euc-livefire,DC=com you might have to fill this field manually
  • Next to User Object Class, ensure person is the property
  • Next to User Search Filter,  ensure (&(objectCategory=person)(sAMAccountName={EnrollmentUser})) is the string
  1. Repeat these steps for the third tab Group
    • Under Base DN, next to defaultUserDN select the + icon
    • Select the first option which is DC=euc-livefire,DC=com, you may be require to manually type this value.
    • Scroll to the bottom of the page and select Save
    • Select TEST CONNECTION
    • Close the Settings window
  1. You should have a Test Connection window launch saying Connection successful, click Cancel
  1. Let's ensure users can enroll their devices using Active Directory credentials.
    • Select Groups & Settings , > All Settings under Devices & User > General  > Enrollment
    •  Ensure the Override radio button is selected.
    • Next to Authentication Modes(s) select the  Directory check box
    • Select Save
    • Close the Settings window, by selecting the X on the right of the window.

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.