Saturday, October 6, 2018

Configuring Mobile SSO For iOS In Workspace One UEM (AirWatch)

A prerequisite for leveraging AirWatch device compliance in vIDM is the configuration of Mobile SSO for iOS.  The Workspace One deployment guide states that the device compliance authentication method "works in an authentication chain with Mobile SSO for iOS."  Accordingly, the access policy rule combines the two methods, and looks like this:



Long story short, we need to get Mobile SSO for iOS set up and configured properly before we can take advantage of device compliance as an authentication method.   To achieve this, we're first going to enable the built-in certificate authority in AirWatch.   Then we'll enable and configure the Mobile SSO for iOS authentication method.  Next, we'll associate this authentication method with a new built-in identity provider (IDP) we're going to create.  Finally, we'll push the required identity provider settings out to the target devices using an iOS profile.

Enable AirWatch Certificate Authority


While there's the option to use a Microsoft Certificate Authority, the path of least resistance is to leverage the built-in certificate authority AirWatch can provide.   To enable it, navigate to Groups And Settings --> All Settings --> System --> Enterprise Integration --> VMware Identity --> Configuration.  Click the Enable button for Certificate Provisioning.


After enabling certificate provisioning, you'll see info about the issuer certificate populate on the screen.


Click the export button for the Issuer Certificate.  You'll need this certificate to configure the Mobile SSO for iOS authentication method in vIDM.

Configuring The Mobile SSO (for iOS) Authentication Method


In the vIDM admin console, navigate to Identity & Access Management --> Manage --> Authentication Methods.   Click the pencil for Mobile SSO (for iOS).



You want to check the box for, "Enable KDC Authentication."



The realm will be automatically populated.  Next, click on the Select File button to upload the issuer certificate we just exported from AirWatch.  


Navigate to the certificate. 


Click okay to confirm and upload the file.  


After a successful upload you'll see info about the certificate populate on the screen. 


Also, for a reason I can't explain, the device compliance authentication method wouldn't work for me until I unchecked the options for "Enable OCSP" and "Send OCSP Nonce."  Don't ask me why it was breaking things.  All I know is that while googling an error message and following the suggestion of disabling OCSP in the following post, I was up and running:

https://communities.vmware.com/thread/547237

Finally, click save.  You'll get a pop up message that the adapter has been updated. 


Create A Built-in IDP And Associate It With Mobile SSO For iOS


Navigate to Identity & Access Management --> Manage --> Identity Providers.   Click on Add Identity Provider and select the option for "Create Built-in IDP."


Give it a fun name and select the appropriate directories and network ranges.   


Under Authentication Methods check the options for Device Compliance (with AirWatch) and Mobile SSO (for iOS).   Finally, click Add.  


Now, when you navigate back to the newly created provider, there's an option to download the KDC certificate.  Download it.  This certificate will get pushed out to your iOS devices by means of a device profile.

Creating An Apple iOS Profile To Push Out Identity Provider Settings To Your Devices 


You'll create an iOS profile in AirWatch to push the vIDM settings out to your endpoint devices.  Navigate to Devices --> Profiles & Resources --> Profiles.  Click on Add Profile.


Select iOS as the profile type. 


Name the profile iOSKerberos.  


Scroll down to SCEP and click on configure. 


From the drop down menu select AirWatch Certificate Authority for both the credential source and certificate authority.   Select Single Sign-On for the certificate template. 


Scroll down to Credentials and select Configure.


Select the upload option and click on the upload button. 



Navigate to the KDC certificate you just exported from the identity provider. 


Info about the cert will get populated on the screen. 


Finally, scroll down to Single Sign-On.  Click on the configure button. 


For the account name, enter Kerberos.   For the Kerberos Principal Name, click + and select {EnrollmentUser}.    For the realm name, enter the realm of your tenant (most likely VMWAREIDENTITY.COM, the value that was auto-populated on the authentication method earlier).  Under Renewal Certificate, I went with SCEP #1.  For URL Prefixes, enter the full name of your tenant.


Scroll down a bit.  Then, for an application identifier, add com.apple.mobilesafari.  This restricts the Kerberos account to Safari; without an application identifier, any app on the device could use it.
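As an added example (not code from this post or from VMware), here is the native Apple configuration profile that corresponds to the iOSKerberos profile built in the steps above: the SCEP payload, the Credentials payload carrying the KDC certificate, and the Single Sign-On payload with the account name, principal, realm, URL prefix, renewal certificate and application identifier, generated as a standard .mobileconfig plist with plistlib. The Apple payload types and Kerberos keys are real; TENANT_HOST, SCEP_URL, the KDC certificate bytes and the user name "jdoe" are constructed placeholders, and AirWatch substitutes {EnrollmentUser} per device where this example takes the principal as an argument. The check_profile function flags the fields that are easy to get wrong before the profile is published.

```python
"""Native equivalent of the AirWatch iOSKerberos profile (added example).

Apple payload types and Kerberos keys are real; TENANT_HOST, SCEP_URL,
KDC_CERT_DER and the user name passed in are constructed placeholders.
"""
import plistlib
import uuid

TENANT_HOST = "tenant.vmwareidentity.com"              # placeholder: full name of your tenant
REALM = "VMWAREIDENTITY.COM"                            # realm shown on the vIDM auth method
SCEP_URL = "https://awmdm.example/scep/placeholder"     # placeholder: AirWatch CA SCEP endpoint
KDC_CERT_DER = b"\x30\x82PLACEHOLDER-DER-CERTIFICATE"   # placeholder: KDC cert downloaded from the IDP


def new_uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_kerberos_profile(principal, realm=REALM, tenant_host=TENANT_HOST,
                           scep_url=SCEP_URL, kdc_cert_der=KDC_CERT_DER,
                           app_ids=("com.apple.mobilesafari",)):
    """Return the profile as a plist dict. 'principal' is what {EnrollmentUser} expands to."""
    scep_uuid, cert_uuid = new_uuid(), new_uuid()
    # SCEP #1: the device enrolls for its Single Sign-On client certificate
    # from the AirWatch Certificate Authority.
    scep = {
        "PayloadType": "com.apple.security.scep", "PayloadVersion": 1,
        "PayloadIdentifier": f"{tenant_host}.scep", "PayloadUUID": scep_uuid,
        "PayloadDisplayName": "SCEP #1",
        "PayloadContent": {
            "URL": scep_url,
            "Name": "AirWatch Certificate Authority",
            "Subject": [[["CN", principal]]],
            "Key Type": "RSA", "Keysize": 2048,
            "Key Usage": 5,                                # 1 (signing) + 4 (encryption)
        },
    }
    # Credentials: the KDC certificate exported from the built-in identity
    # provider, so the device trusts the vIDM KDC it is about to talk to.
    kdc_cert = {
        "PayloadType": "com.apple.security.pkcs1", "PayloadVersion": 1,
        "PayloadIdentifier": f"{tenant_host}.kdc-cert", "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "vIDM KDC certificate",
        "PayloadContent": kdc_cert_der,
    }
    # Single Sign-On: the fields typed into the AirWatch UI.
    sso = {
        "PayloadType": "com.apple.sso", "PayloadVersion": 1,
        "PayloadIdentifier": f"{tenant_host}.sso", "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "Kerberos",
        "Name": "Kerberos",                                # account name
        "Kerberos": {
            "PrincipalName": principal,                    # {EnrollmentUser}
            "Realm": realm,
            "URLPrefixMatches": [f"https://{tenant_host}/"],
            "AppIdentifierMatches": list(app_ids),         # com.apple.mobilesafari
            "PayloadCertificateUUID": scep_uuid,           # renewal certificate: SCEP #1
        },
    }
    return {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": f"{tenant_host}.iOSKerberos", "PayloadUUID": new_uuid(),
        "PayloadDisplayName": "iOSKerberos",
        "PayloadContent": [scep, kdc_cert, sso],
    }


def check_profile(profile: dict) -> list:
    """Return the problems to fix before publishing (empty list means the checks passed)."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    known_uuids = {p["PayloadUUID"] for p in payloads}
    sso_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.sso"]
    if not sso_payloads:
        return ["no com.apple.sso payload in profile"]
    for sso in sso_payloads:
        krb = sso.get("Kerberos", {})
        realm = krb.get("Realm", "")
        if not realm or realm != realm.upper():
            problems.append(f"realm {realm!r}: Kerberos realms are case sensitive and upper case by convention")
        for prefix in krb.get("URLPrefixMatches", []):
            if not prefix.startswith("https://"):
                problems.append(f"{prefix}: only offer the Kerberos ticket over https")
            if not prefix.endswith("/"):
                problems.append(f"{prefix}: add a trailing slash so the prefix cannot match a longer host name")
        if not krb.get("AppIdentifierMatches"):
            problems.append("no AppIdentifierMatches: every app on the device could use the account")
        if krb.get("PayloadCertificateUUID") not in known_uuids:
            problems.append("PayloadCertificateUUID does not point at a payload in this profile")
    return problems


def to_mobileconfig(profile: dict) -> bytes:
    return plistlib.dumps(profile)          # XML plist; bytes become <data> (base64)


def from_mobileconfig(data: bytes) -> dict:
    return plistlib.loads(data)


if __name__ == "__main__":
    profile = build_kerberos_profile("jdoe")        # constructed enrollment user
    print(check_profile(profile) or "profile checks passed")
    print(to_mobileconfig(profile).decode())
```

The Single Sign-On payload references the SCEP payload by UUID, which is what "Renewal Certificate: SCEP #1" means in the AirWatch UI; the KDC certificate is a separate trusted-certificate payload rather than the identity the device authenticates with.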


Next, publish and assign this new profile to the target endpoints.   Once the profile is applied to the endpoint, you can confirm it by going to Settings --> General --> Device Management --> Device Manager.



Click on More Details.   You'll see, among other things, the Kerberos settings included in the profile.



Click on Kerberos and you can actually see some of the specific settings you just configured. 


At this point, the configuration of Mobile SSO for iOS is complete.  We can proceed to enable device compliance as an authentication method.  For guidance, check out this next post, Securing Access To Horizon Through AirWatch Based Device Compliance. 

Securing Access To Horizon Through AirWatch Based Device Compliance


With the steps detailed in my previous posts complete, we can begin to leverage AirWatch device compliance for conditional access.  Using this authentication method you can mandate device compliance in AirWatch as a prerequisite for access to an application.  In this post, access to a Horizon desktop pool is going to be restricted to devices that are not only AirWatch enrolled, but also compliant according to AirWatch compliance policies.   For guidance on the prerequisites for enabling this feature, see this previous post. Otherwise, follow the steps below to enable device compliance as an authentication method in vIDM.

Enabling Device Compliance 


Within the vIDM console, navigate to Identity & Access Management --> Setup -->  AirWatch.
Scroll down to Compliance Check.  Select enable and click save.



Next, to leverage device compliance as an authentication requirement within vIDM access policies it needs to be enabled as an authentication method within the Built-in identity provider.   To do so, navigate to Identity & Access Management --> Manage --> Identity Providers.   Click on the hyperlink for Built-in.  



From there, scroll down to authentication methods and check the box for, "Device Compliance (with AirWatch)."  Then scroll down further and hit save. 



At this point, "Device Compliance (with AirWatch)," will show up as an option under access policies. 

Mandate Device Compliance For Horizon Access


We can now make AirWatch device compliance a prerequisite for Horizon access through the creation of an access policy in vIDM.  Within the vIDM management console, navigate to Identity & Access Management --> Manage --> Policies.  



Click the Add Policy option.


Provide a descriptive name for the policy and select the relevant Horizon entitlement.



Next, under configuration, select, "Add Policy Rule." 

Pick a network range for this new rule as well as applicable device type.  For this test, I'm going to select ALL Network ranges and iOS.   Then, for authentication requirements I'm going to select both, "Mobile SSO (for iOS)," and,  "Device Compliance (with AirWatch)." 



This mandates that folks trying to access this Horizon desktop pool from an iOS device must have an AirWatch compliant device. 

Confirm the summary information and hit save. 




You'll see your new access policy show up under policies. 



With this policy in place, folks who try to launch the Remote Worker Horizon desktop pool from iOS devices won't be granted access unless their device is compliant according to the compliance policies defined in AirWatch.  If their endpoint isn't compliant, they'll get a message like this when trying to launch the virtual desktop.



Creating A Compliance Policy In AirWatch 


To test device compliance for Workspace One delivered applications we need to enable a test compliance policy within AirWatch.  From the AirWatch console, navigate to Devices --> Compliance Policies --> List View.  Click on the Add button. 



Since I'm testing against an iPad device I'm going to create a compliance policy for iOS. 



For the sake of testing, I'm going to create a policy that's sure to mark my iPad as noncompliant: one that flags devices below iOS 11.  (My iPad is on 9.3.5.)



For actions, I'm just going to go with Notify.  In real life, you'd probably get a little more involved than that.



Again, for testing, I'll just apply this policy to all devices. 



Finally, after reviewing the summary, click Finish & Activate. 



At this point the newly created policy shows up under the list view for Compliance Policies. 



Once this policy gets evaluated, its status shows up as red under my device's Compliance tab.



And the device is reported as having a compliance violation. 



At this point, if I try to access my Remote User Horizon desktop pool, I get the error: 




Not only do we get an explanation for why access is denied, but we also get the name of the violated policy and its description.  Theoretically, in the real world, a user would go on to upgrade the device in order to be compliant.  For testing, you can just remove the OS Version compliance policy from the endpoint and the device will go from noncompliant to compliant.   At that point, access to the virtual desktop will work as expected.
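To make the decision chain concrete, here is an added example (not vIDM's or AirWatch's code) that models the access policy rule created above (device type iOS, all network ranges, Mobile SSO for iOS AND Device Compliance with AirWatch) together with the OS Version compliance policy created in this section, and produces the kind of denial seen in the screenshot: the violated policy's name and description. The rule, policy, device and client address values are constructed for the example. It also shows why the iOS version comparison has to be numeric rather than string-based: "9.3.5" sorts above "11" as a string.

```python
"""Model of the conditional-access decision described in this post (added example).

Rule, compliance policy, device and client address values are constructed;
nothing here is vIDM's or AirWatch's own logic.
"""
from ipaddress import ip_address, ip_network

# Constructed to match the access policy rule created in vIDM above.
ACCESS_POLICY_RULES = [
    {
        "name": "Remote Worker pool, iOS",
        "device_types": {"iOS"},
        "network_ranges": ["0.0.0.0/0", "::/0"],           # "ALL Network ranges"
        "auth_methods": ["Mobile SSO (for iOS)", "Device Compliance (with AirWatch)"],
    },
]

# Constructed to match the AirWatch compliance policy created in this section.
COMPLIANCE_POLICIES = [
    {"name": "OS Version", "description": "iOS device below version 11",
     "platform": "iOS", "min_os_version": "11"},
]


def version_tuple(version: str) -> tuple:
    """'9.3.5' -> (9, 3, 5). Compare numerically: as strings '9.3.5' > '11' and '9.9' > '9.10'."""
    return tuple(int(part) for part in version.split("."))


def evaluate_compliance(device: dict, policies: list) -> list:
    """Return the compliance policies the device violates (empty means compliant)."""
    violations = []
    for policy in policies:
        if policy["platform"] != device["platform"]:
            continue
        if version_tuple(device["os_version"]) < version_tuple(policy["min_os_version"]):
            violations.append(policy)
    return violations


def matching_rule(rules: list, device: dict, client_ip: str):
    """First rule whose device type and network range cover this request, or None."""
    ip = ip_address(client_ip)
    for rule in rules:
        if device["platform"] not in rule["device_types"]:
            continue
        # An address of the other IP family is simply not contained in the network.
        if any(ip in ip_network(cidr) for cidr in rule["network_ranges"]):
            return rule
    return None


def evaluate_access(rules, policies, device, client_ip, completed_methods):
    """Decide access. completed_methods: auth methods the device already passed,
    e.g. {"Mobile SSO (for iOS)"} once the Kerberos profile produced a ticket."""
    rule = matching_rule(rules, device, client_ip)
    if rule is None:
        return False, "Access denied: no access policy rule matches this device type and network range"
    # Authentication chain: every method listed in the rule must succeed.
    for method in rule["auth_methods"]:
        if method == "Device Compliance (with AirWatch)":
            # Compliance is looked up for the device identified by Mobile SSO,
            # which is why this method chains after it rather than standing alone.
            violations = evaluate_compliance(device, policies)
            if violations:
                v = violations[0]
                return False, f"Access denied: device is not compliant. Violated policy: {v['name']} ({v['description']})"
        elif method not in completed_methods:
            return False, f"Access denied: {method} is required"
    return True, f"Access granted by rule {rule['name']!r}"


if __name__ == "__main__":
    old_ipad = {"platform": "iOS", "os_version": "9.3.5"}       # constructed, like the test iPad above
    new_ipad = {"platform": "iOS", "os_version": "11.4.1"}
    for dev in (old_ipad, new_ipad):
        print(dev["os_version"], evaluate_access(ACCESS_POLICY_RULES, COMPLIANCE_POLICIES,
                                                 dev, "203.0.113.7", {"Mobile SSO (for iOS)"}))
```

Removing the OS Version policy from COMPLIANCE_POLICIES, as the text suggests for testing, makes evaluate_compliance return an empty list and the same device is granted access.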





Integrating Cloud Instances Of Workspace One UEM (AirWatch) And VMware Identity Manager

The main integration between vIDM and AirWatch is accomplished by populating a single configuration page in vIDM with credentials gathered from AirWatch: two REST API keys and an administrator client certificate.  Gathering these credentials ahead of time is probably the trickiest part of the process.


Gathering REST API Keys From Workspace One UEM (AirWatch) 


The first step is to create REST API keys for the Admin and Enrollment User account types.   Go to Groups & Settings > All Settings > System > Advanced > API > REST API.   Click Add to create an API key for an account type of Admin, using a descriptive name.  Then click Add again and create an API key for an account type of Enrollment User.  For my environment, I created a service named AirWatchAPI4vIDM for the admin account type and a service called AirWatchEnrollmentUser for the enrollment user account type.  The API key itself is generated by AirWatch.  You'll need copies of both keys when you populate the AirWatch settings in vIDM a few steps from now; treat them as credentials and keep them out of notes and tickets.



Getting The AirWatch Administrator Root Certificate 


Next, you need an AirWatch administrator client certificate, which vIDM uses to authenticate to the AirWatch API.    Go to Accounts > Administrators > List View to create a new admin account.  Select the Add option, then Add Admin.



Create an admin account with a memorable or not so memorable name.



Populate all the required fields.



Next click on the roles tab.   Ensure that you've selected the correct Organization group and AirWatch Administrator role.



With the admin account created, click on the hyperlink for the new account in list view.  Navigate to the API tab, scroll down, enter a certificate password and then export the client certificate to an easily accessible location.  You'll need both the exported file and its password when configuring vIDM.







Putting Them Both Together 


With the REST API keys and certificate in hand, we can begin the integration of vIDM with AirWatch.  Log into vIDM as a tenant admin.   Then, from within the admin console, navigate to Identity And Access Management --> Setup --> AirWatch.  For the API URL, enter your console URL.   Upload the administrator client certificate you just exported and enter its password.   Enter the API keys you created earlier.   Finally, enter your group ID and hit Save.



Scroll down and select the option to integrate catalogs from AirWatch and vIDM.  



A Unified Self Service Console 


The immediate benefit of this initial integration between AirWatch and vIDM is a unified self-service catalog.   There's a single self-service portal for subscribing to native mobile apps from AirWatch as well as web and virtual apps from vIDM.  If you're logged into the Workspace One mobile app on a device you've enrolled, you'll see options both to install mobile apps and to bookmark your web and virtual apps for the Workspace One portal.  When logged into my older iPad, I can see the Horizon virtual desktop I'm entitled to through vIDM alongside the mobile apps I've been assigned through AirWatch.



Whether I'm on my laptop or mobile device, I follow the same basic process for entitling myself to apps that are relevant to my underlying form factor.

A next step in the integration between AirWatch and vIDM enables conditional access based on device compliance.   A prerequisite for enabling device compliance is to set up and configure the Mobile SSO for iOS authentication method, something I detail in this next post, Configuring Mobile SSO For iOS In Workspace One UEM (AirWatch).