Saturday, October 6, 2018

Integrating Cloud Instances Of Workspace One UEM (AirWatch) And VMware Identity Manager

The main integration between vIDM and AirWatch is accomplished by populating a single configuration page in vIDM with special credentials from AirWatch. Gathering these credentials ahead of time is probably the trickiest part of the process.


Gathering REST API Keys From Workspace One UEM (AirWatch) 


The first step is to create the REST API keys for the Admin and Enrollment User account types. Go to Groups & Settings > All Settings > System > Advanced > API > Rest API. Click on the Add button to create an API Key for an account type of Admin. Use a descriptive name. Then click Add again and create an API Key for an account type of Enrollment User. For my environment, I created a service named AirWatchAPI4vIDM for the admin account type. Then I created a service called AirWatchEnrollmentUser for the enrollment user account type. The API key was automatically generated by AirWatch. You'll need copies of both of these API keys when you populate the AirWatch settings into vIDM a few steps from now.



Getting The AirWatch Administrator Root Certificate 


Next, you need to get your hands on an AirWatch administrator root certificate. Go to Accounts > Administrators > List View to create a new admin account. Select the Add option, then Add Admin.



Create an admin account with a memorable or not so memorable name.



Populate all the required fields.



Next, click on the Roles tab. Ensure that you've selected the correct Organization Group and the AirWatch Administrator role.



With the admin account created, from List View, click on the hyperlink for the newly created account. Navigate to the API tab, scroll down, enter a certificate password, and then export the client certificate to an easily accessible location.



Export the client certificate and keep it somewhere easily accessible.




Putting Them Both Together 


With the REST API keys and certificate in hand, we can begin the integration of vIDM with AirWatch. Log into vIDM as a tenant admin. Then, from within the admin console, navigate to Identity And Access Management --> Setup --> AirWatch. For the API URL, enter your console URL. Upload the certificate you just downloaded. Enter the API keys you created earlier. Finally, enter your Group ID and hit Save.



Scroll down and select the option to integrate the catalogs from AirWatch and vIDM.



A Unified Self-Service Console


The immediate benefit of this initial integration between AirWatch and vIDM is a unified self-service catalog. There's a single self-service portal for subscribing to both native mobile apps from AirWatch and web and virtual apps from vIDM. If you're logged into the Workspace One mobile app on a device you've enrolled, you'll see options both to install mobile apps and to bookmark your web and virtual apps for the Workspace One portal. When logged into my older iPad, I can see both the Horizon virtual desktop I'm entitled to through vIDM alongside the mobile apps I've been assigned through AirWatch.



Whether I'm on my laptop or mobile device, I follow the same basic process for entitling myself to apps that are relevant to my underlying form factor.

A next step in the integration between AirWatch and vIDM enables conditional access based on device compliance. A prerequisite for enabling device compliance is to set up and configure the Mobile SSO for iOS authentication method, something I detail in this next post, Configuring Mobile SSO For iOS In Workspace One UEM (AirWatch).
