Below is a wonderful graphic depicting the Workspace One deployment model detailed in this blog series. SaaS instances of vIDM and AirWatch integrate with a customer's environment through special connectors deployed on premise. System requirements for these connectors are negligible, and more importantly, their network requirements are incredibly simple. To communicate with the SaaS instances of AirWatch and vIDM, the connectors only need outbound TCP 443 access to them, so they can typically reach these cloud environments without any firewall changes. For display protocol connectivity to the Horizon environment, Unified Access Gateway (UAG) is used to proxy connections from the outside world to the internal instance of Horizon.
Getting It Done
I've created 6 separate posts that detail the process for integrating traditional on premise Horizon deployments with SaaS instances of AirWatch and vIDM. With the SaaS instances already provisioned and prerequisites lined up properly, you could get these procedures completed in an afternoon. Here are the different procedures in the order I would recommend their execution:
Integrating A Cloud Instance Of Workspace One UEM (AirWatch) With Active Directory
Integrating A Cloud Instance Of VMware Identity Manager With Active Directory
Integrating A Cloud Instance Of VMware Identity Manager With On Premise Horizon
Integrating Cloud Instances Of Workspace One UEM (AirWatch) And VMware Identity Manager
Configuring Mobile SSO For iOS In Workspace One UEM (AirWatch)
Securing Access To Horizon Through AirWatch Based Device Compliance
Below is a brief overview of what the process involves.
The deployment detailed in these posts uses Horizon 7.5, the May 2018 release of VMware Identity Manager Cloud and Workspace One UEM 9.7. By far, the star of this deployment is the Enterprise Systems Connector, version 9.7. Through the use of this single installer we're able to integrate both the Workspace One UEM (AirWatch) and vIDM SaaS instances with an on premise Active Directory environment. Most notably, the Enterprise Systems Connector can achieve this without any changes to an organization's typical firewall rules. All that's needed is outbound 443 connectivity from the Windows server running the Enterprise Systems Connector to the SaaS instances of Workspace One UEM and vIDM.
The Enterprise Systems Connector consists of two components, the AirWatch Cloud Connector (ACC) and the VMware Identity Manager Connector. Both components provide integration into AD for their respective solutions. They also offer additional on premise integrations relevant to each solution's historical use cases. For this deployment, we're going to use ACC to handle AD integration for AirWatch, and the vIDM Connector to handle both AD integration and on premise Horizon integration. After completing the deployment and configuration of the two connectors, we'll integrate the vIDM and AirWatch environments by populating vIDM with API keys and certificates for the AirWatch tenant. Then we'll enable features like the unified app catalog and device compliance. To get started, proceed with the first recipe, Integrating A Cloud Instance Of Workspace One UEM (AirWatch) With Active Directory.
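Since the whole model rests on the connector server having nothing more than outbound 443 to the two SaaS tenants, it is worth proving that before running either installer. The PowerShell pre-flight below is an added example, not code from this post or from VMware; the two tenant hostnames are placeholders you replace with your own, and it assumes a Windows host with the Test-NetConnection cmdlet (Windows 8 / Server 2012 or later).

```powershell
# Added pre-flight check for the connector host (not from the original post or VMware).
# Verifies outbound TCP 443 to each SaaS tenant and that a TLS handshake completes,
# then reports the certificate subject so a TLS-intercepting proxy or a wrong
# hostname is obvious before the connectors are installed.
$SaasEndpoints = @(
    'vidm-tenant.example.com',   # placeholder: your VMware Identity Manager Cloud tenant
    'uem-tenant.example.com'     # placeholder: your Workspace One UEM (AirWatch) tenant
)

function Test-ConnectorEgress {
    param([string[]]$Hosts, [int]$Port = 443)
    foreach ($h in $Hosts) {
        $tcp = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
        $result = [ordered]@{
            Host = $h; TcpOpen = $tcp.TcpTestSucceeded; TlsOk = $false
            Subject = $null; NotAfter = $null; Error = $null
        }
        if ($tcp.TcpTestSucceeded) {
            try {
                $client = New-Object System.Net.Sockets.TcpClient($h, $Port)
                # Default .NET validation rejects untrusted chains, so an interception
                # proxy or a missing root CA on this host surfaces as an error here.
                $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
                $ssl.AuthenticateAsClient($h)
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
                $result.TlsOk    = $true
                $result.Subject  = $cert.Subject
                $result.NotAfter = $cert.NotAfter
                $ssl.Dispose(); $client.Dispose()
            } catch {
                $result.Error = $_.Exception.Message
            }
        }
        [pscustomobject]$result
    }
}

Test-ConnectorEgress -Hosts $SaasEndpoints | Format-Table -AutoSize
```

Run it on the server that will host the connectors, not from an admin workstation, since egress rules usually differ per subnet; any row with TcpOpen false or TlsOk false is a firewall or proxy conversation to have before the installs.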
It appears as though, to spite me, with the September 2018 release of vIDM Cloud and the 3.3 release of vIDM on premise, the Windows-based vIDM Connector is delivered through a new dedicated Windows installer that is separate from the AirWatch Cloud Connector. No more Enterprise Systems Connector. I believe the setup process is largely the same though, and that most of the guidance in this blog series will continue to hold true. Over the next couple of weeks I'll review this new installer and update my blog accordingly. Till then, replace the image above with this one:
It's the same scenario where we have two different connector components, one for AirWatch and one for vIDM. It's just that now they have their own dedicated Windows installers instead of being bundled together. For more info, you can check out the release notes for the September 2018 release of vIDM Cloud: https://docs.vmware.com/en/VMware-Identity-Manager/services/rn/vIDM-Cloud-Release-Notes-0918.html
Here are links to the official VMware documentation that has guided these blog posts. The procedures in this series were cobbled together from bits and pieces of all these guides, along with some expert Google queries.
VMware Enterprise Systems Connector Installation and Configuration
VMware Identity Manager Cloud Deployment
Setting Up Resources In VMware Identity Manager (SaaS)
Guide To Deploying VMware Workspace One