
Saturday, October 6, 2018

Integrating A Cloud Instance Of Workspace One UEM (AirWatch) With Active Directory

You can easily integrate an Active Directory environment with cloud-hosted AirWatch using the AirWatch Cloud Connector. The AirWatch Cloud Connector can sync users and groups from the on-premises AD environment to your AirWatch environment. It can also handle AD authentication into that environment from AirWatch endpoints. Further, there's even the option to share this AD information with your vIDM instance as well as handle AD authentication into vIDM. This allows users to both enroll AirWatch on their devices and log into Workspace One using their AD credentials. Here's a wonderful illustration of what the AirWatch Cloud Connector (ACC) is capable of:

While the ACC can handle AD integration for both vIDM and AirWatch, because we're looking to integrate with Horizon, we have to manage vIDM's integration with AD through the vIDM Connector, not the ACC. So, for the ACC deployment in this post we're just going to focus on getting AirWatch integrated with AD. In the next post I'll cover getting vIDM integrated with AD using the vIDM Connector. Fortunately, for both processes we can leverage the Enterprise Systems Connector installer.

Deploying VMware Enterprise Systems Connector

The system requirements for VMware Enterprise Systems Connector in this deployment are pretty straightforward and basic. For my lab, I used a 2012 R2 VM with 2 vCPUs and 4 gigs of RAM. According to the official guidance, for a smaller deployment you'd need Windows Server 2008 R2 or above, 4 vCPU, 10 gigs of RAM, and 100 gigs of storage. You'll need PowerShell and .NET Framework 4.6.2 on the server. Additional specifics are available here: https://docs.vmware.com/en/VMware-Identity-Manager/3.2/com.vmware.aw-enterpriseSystemsConn/GUID-D74BA464-BA40-4FD8-9308-976493538E64.html
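Before running the installer, it's worth checking the server against the sizing guidance above from a PowerShell prompt rather than by eye. The script below is an added example, not part of the original post or of VMware's installer: it reads the OS version, CPU, RAM, free disk space and the .NET Framework 4.x release number from the registry, compares them with the numbers quoted above, and confirms the server can reach the UEM console over 443 (the connector only makes outbound connections). The console hostname is a placeholder you replace with your own tenant's; the .NET release values 394802/394806 are Microsoft's documented minimums for 4.6.2.

```powershell
# Added example: pre-flight check for a VMware Enterprise Systems Connector host.
# Thresholds below are the guidance figures quoted in the post.
$MinVcpu    = 4
$MinRamGB   = 10
$MinDiskGB  = 100
$MinDotNet  = 394802            # lowest NDP\v4\Full "Release" value that means .NET 4.6.2
$UemConsole = 'your-uem-console.example.com'   # PLACEHOLDER: your Workspace One UEM console host

$os   = Get-CimInstance Win32_OperatingSystem
$cs   = Get-CimInstance Win32_ComputerSystem
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
$ndp  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue

# ProductType 1 = workstation, 2 = domain controller, 3 = member server.
# Server 2008 R2 is NT version 6.1.
$isServer = ($os.ProductType -ne 1) -and ([version]$os.Version -ge [version]'6.1')

$checks = @(
    [pscustomobject]@{ Check = 'Windows Server 2008 R2 or later'
                       Value = $os.Caption
                       Pass  = $isServer }
    [pscustomobject]@{ Check = "At least $MinVcpu vCPUs"
                       Value = $cs.NumberOfLogicalProcessors
                       Pass  = $cs.NumberOfLogicalProcessors -ge $MinVcpu }
    [pscustomobject]@{ Check = "At least $MinRamGB GB RAM"
                       Value = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
                       Pass  = ($cs.TotalPhysicalMemory / 1GB) -ge $MinRamGB }
    [pscustomobject]@{ Check = "At least $MinDiskGB GB free on $($env:SystemDrive)"
                       Value = [math]::Round($disk.FreeSpace / 1GB, 1)
                       Pass  = ($disk.FreeSpace / 1GB) -ge $MinDiskGB }
    [pscustomobject]@{ Check = '.NET Framework 4.6.2 or later'
                       Value = $ndp.Release
                       Pass  = ($null -ne $ndp) -and ($ndp.Release -ge $MinDotNet) }
    [pscustomobject]@{ Check = 'PowerShell present'
                       Value = $PSVersionTable.PSVersion.ToString()
                       Pass  = $true }
)

# The connector initiates the HTTPS session to the tenant, so test outbound 443.
$tcp = Test-NetConnection -ComputerName $UemConsole -Port 443 -WarningAction SilentlyContinue
$checks += [pscustomobject]@{ Check = "Outbound 443 to $UemConsole"
                              Value = $tcp.RemoteAddress
                              Pass  = [bool]$tcp.TcpTestSucceeded }

$checks | Format-Table -AutoSize

$failed = @($checks | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) prerequisite check(s) failed."
    exit 1
}
'All prerequisite checks passed.'
```

Run it as an administrator on the intended connector server; a non-zero exit code means at least one row in the table shows Pass = False. A lab box like the 2 vCPU / 4 GB one in the post will fail the sizing rows but still install, which is exactly the distinction the script makes visible.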

To get the deployment started, navigate to your Workspace One UEM console directly from the Windows server. Once logged in, go to Groups And Settings --> All Settings --> System --> Enterprise Integration --> VMware Enterprise Systems Connector. From there, select Override, then select "Enabled" for "Enable VMware Enterprise Systems Connector."

Next, click on the download link for the VMware Enterprise Systems Connector. You'll get prompted for a certificate password. Enter an easy-to-remember password of 6 characters or longer.

Then click on the download button. The installer is less than 400 MB, so it shouldn't take long to download. Once it's downloaded locally to your Windows server, go ahead and start the install.

You'll see the welcome screen.  Click next.

For now, just go with the AirWatch Cloud Connector. (We'll come back here in the next post to set up the vIDM Connector.)

Go ahead and accept the default directory. Leave the outbound proxy option unchecked (unless you have a proxy).

Finally, we can test connectivity between the AirWatch environment and the connector. In the VMware Enterprise Systems Connector section under Enterprise Integration, beneath the download link is a Test button. If all goes well after clicking the button, you'll get the message, "VMware Enterprise Systems Connector is active."

Now, with the Enterprise Systems Connector in place, we can start to integrate the Workspace One UEM environment with the local Active Directory environment.

Binding To The Local AD Environment

Navigate to Groups And Settings --> All Settings --> System --> Enterprise Integration --> Directory Services. Select the directory type, then enter the name of a domain controller and the port number.

After scrolling down, enter the bind user credentials and domain name.

Navigate to the User tab. Enter a base DN for your users.

Navigate to the Group tab. Enter a base DN for your groups.

Finally, you can test the directory integration by clicking on the Test Connection button. If all goes well, you'll get the message, "Connection successful with the given server name, bind user name and password."
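When Test Connection fails, the console message doesn't tell you whether the problem is the domain controller, the port, the bind account, or a mistyped base DN. The script below is an added example (not from the original post and not VMware's tooling) that reproduces the same test from the connector server itself with the same inputs the Directory Services page asks for: domain controller, port, bind user, and the user and group base DNs. It binds with System.DirectoryServices.Protocols and then does a base-scope search on each DN so a bad base DN shows up as its own failure. All hostnames, account names and DNs are placeholders; the choice of 636 (LDAPS) is an assumption on my part, since the post only says "port number", and it's the setting that keeps the bind password off the wire.

```powershell
# Added example: reproduce the UEM "Test Connection" directory check from the connector host.
param(
    [string]$Server    = 'dc01.corp.example.com',                 # PLACEHOLDER domain controller
    [int]   $Port      = 636,                                      # assumption: LDAPS; 389 for plain LDAP
    [string]$BindUser  = 'CORP\svc-uem-bind',                      # PLACEHOLDER read-only bind account
    [string]$UserBase  = 'OU=Users,DC=corp,DC=example,DC=com',     # PLACEHOLDER user base DN
    [string]$GroupBase = 'OU=Groups,DC=corp,DC=example,DC=com'     # PLACEHOLDER group base DN
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Prompt for the bind password instead of embedding it in the script.
$cred = Get-Credential -UserName $BindUser -Message 'Password for the directory bind account'

$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Credential = $cred.GetNetworkCredential()
$conn.SessionOptions.ProtocolVersion    = 3
$conn.SessionOptions.SecureSocketLayer  = ($Port -eq 636)
$conn.Timeout = [TimeSpan]::FromSeconds(15)

# Step 1: the bind itself. A failure here is server/port/credential, not the base DNs.
try {
    $conn.Bind()
    "Bind OK: ${Server}:${Port} as $BindUser"
}
catch {
    Write-Warning "Bind FAILED to ${Server}:${Port} as ${BindUser}: $($_.Exception.Message)"
    exit 1
}

# Step 2: confirm each base DN exists and is readable by the bind account.
function Test-BaseDn {
    param([string]$Label, [string]$Dn)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $Dn, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        [string[]]@('distinguishedName'))
    try {
        $resp = $conn.SendRequest($req)
        if ($resp.Entries.Count -eq 1) { "$Label base DN OK: $Dn"; return $true }
        Write-Warning "$Label base DN returned no entry: $Dn"
        return $false
    }
    catch {
        # NoSuchObject here almost always means a typo in the DN.
        Write-Warning "$Label base DN FAILED: $Dn ($($_.Exception.Message))"
        return $false
    }
}

$ok = (Test-BaseDn -Label 'User'  -Dn $UserBase) -and (Test-BaseDn -Label 'Group' -Dn $GroupBase)
$conn.Dispose()
if (-not $ok) { exit 2 }
'Directory check passed; the same values should succeed in the UEM console.'
```

Use a dedicated bind account with read-only rights to the user and group OUs, since this is the identity the cloud tenant will be using against your directory from now on; the script only needs the same rights the console needs. Exit code 1 means the bind failed, exit code 2 means the bind worked but one of the base DNs is wrong or not readable.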

Now, with the local directory added, you can go to Accounts --> List View, then click Add. You'll be able to add an AD account from your local AD directory.

After clicking Add User, select Directory as the user type. Enter the username of the AD account you'd like to add.

After clicking Check Name, a bunch of AD attributes from that account will be auto-populated.

Click Save. The imported AD account will now show up under Users in List View.

You can further test out the integration by enrolling a device using the domain user's credentials. Here's a screenshot from the enrollment process on my iPad.

After providing my AirWatch server and group ID, I'm prompted for credentials.

After entering the AD credentials, there's a prompt to install the MDM profile on the device.

Now you should be able to see the device in the Workspace One UEM console.

At this point, the integration of the Workspace One UEM tenant with the local Active Directory environment is complete. Next, we can integrate vIDM as detailed in the next post, Integrating A Cloud Instance Of VMware Identity Manager With Active Directory.
