Wednesday, November 21, 2018

Sorting Through All The Hubbub Around Workspace One Intelligent Hub

Workspace One Intelligent Hub has been generally available since late October 2018.  It's essentially an updated and rebranded version of the AirWatch agent, with the major added capability of providing an app catalog.  Before it's release, if you wanted the full blown Workspace One experience on your devices you needed to install both the AirWatch agent and Workspace One App.  Now all that functionality can be delivered through this single new app, the Intelligent Hub.

Intelligent Hub has full feature parity with the former AirWatch agent.   For pure Workspace One UEM (AirWatch) deployments there's no real difference aside from the name changing and rebranding.   However, the new catalog functionality it offers introduces dependencies not previously required by the Workspace One App it's intended to replace.   To provide catalog services from Intelligent Hub you need to configure Hub Services ahead of time.  These Hub Services are co-located in VMware Identity Manager cloud-hosted environment and are an absolute requirement if you want to provide an app catalog directly from the Intelligent Hub app. 

Relax, It's Not That Bad A Situation For Workspace One Admins

As a cranky techie that hates change, initially I was a bit put off by this new app.   The prospect of a migration from the Workspace One app to Intelligent Hub was intimidating, especially given the new dependencies.   However, there's a couple pieces of good news that really mitigated my concerns. First, the configuration of Hub services isn't exactly rocket science.  Configuring Hub Services within my Workspace One lab environment, one that already had vIDM and Workspace One UEM fully integrated, was for the most part straight forward and uneventful.  Second, the Intelligent Hub app, even with it's Hub Catalog enabled, can run side by side with the Workspace One App on the same device.   So you can configure and enable Hub Catalog on endpoint devices, but can postpone an actual migration from the Workspace One App till a more convenient and opportune time for you users.  

Given these 2 pieces of good news, and the promise of a better more interactive service that Hub Catalog can offer, there's only a few reasons why you wouldn't proceed with the configuration of Hub Services and publishing of the Hub Catalog:

  • You have an on premise instance of vIDM
  • You're using a Workspace One UEM version below 1810
  • You're attached to the Workspace One App for sentimental reasons 
  • The possible future deprecation of the Workspace One App is a reflection of your own mortality and you don't have time for an existential crisis

Unfortunately, Hub Catalog isn't currently supported for on premise implementations of vIDM and only works with vIDM cloud-hosted.   So customers using on premise vIDM for a Workspace One deployment should continue using the Workspace One App for catalog services.  The same goes for folks using a 9.x version of Workspace One UEM (AirWatch).   They can continue to use the Workspace One App app as well.  Otherwise, for folks who'd like to take the Hub Catalog for a test spin, here's the steps I followed to enable the Hub Catalog in my own lab environment. 

Enabling Hub App Catalog

Both the Workspace One UEM and vIDM include links to Hub Configuration.  Within the Workspace One UEM console, it can be access from Groups & Settings --> Hub Configuration.  On this initial Hub Configuration page, I entered in my vIDM tenant URL and then clicked Launch.  

At the customization page, I accepted the defaults.

Then I clicked save. 

Next, I accepted the defaults for branding and clicked save. 

Phhhhheeeeeeeeewwwwww!!!!!! Tired yet?  Well dig deep and push just a little harder.  We still have a few buttons to push. 

Setting The Source Authentication For Intelligent Hub To Identity Manager 

The official guidance indicates that when fully integrating Hub Services with vIDM, you need to select Identity Manager as the source of authentication for Intelligent Hub.  Accordingly, I navigated to Devices > Devices Settings > Devices & Users > General > Enrollment, then selected Identity Manager authentication manager as the source of authentication for Hub and clicked save.

Publishing The Hub Catalog 

Finally, I had to publish the Hub Catalog for iOS.    To do that, I navigated to Groups & Settings > All settings > Apps > Workspace ONE > AirWatch Catalog > General.  

Then I clicked override, enabled Hub Catalog (iOS) and clicked save. 

After performing the steps above, Hub Catalog was displayed after loading up the Intelligent Hub from the home screen.   On the first screen, I could seen, among my favorites my virtual desktop entitlement: 

I also found the self service catalog for the provisioning of mobile apps I'd been entitled to.  

Running Both Catalogs Side By Side 

As I previously mentioned, configuring Hub Services wasn't exactly rocket science, which takes the edge off making this transition.  Further, there's the fact that both catalogs can theoretically exist side side on the same device, which means you can enable the Hub Catalog on users devices without having to force an immediate transition away from the Workspace One app.  Here's a video demonstration of the Hub Catalog and Workspace One App catalog functioning from the same device:

Sunday, November 4, 2018

Integrating An On Premises RADIUS Solution With Cloud Hosted vIDM

With a VMware Identity Manger Cloud deployment you can use the vIDM Connector to integrate with a RADIUS instance located in your trusted network.  At that point, with the connector acting as a proxy between your RAIDUS server and vIDM Cloud instance, you can begin to mandate RADIUS authentication for endpoints connecting from anywhere, either for access to specific apps or general access to your Workspace One portal.  Further, leveraging vIDM conditional access policies, you can judiciously enforce or bypass 2FA requirements based on the users context or device posture.  For this post, I'm going to add 2FA as a requirement for access to Horizon when a user connects from a browser on an untrusted device.   

This recipe uses the 2018 September release of VMware Identity Manager Cloud, windows based vIDM Connector 2018.8.1 and a RADIUS server built with Ubuntu 16.04, FreeRADIUS and Google Authenticator.  For guidance on getting vIDM Connector setup, check out this previous post.   If you already have access to your own RADIUS solution, I'd go ahead and stick with that, otherwise, here's a recipe for standing up a free RADIUS solution using Google Authenticator.  Once you have your vIDM Connector stood up and RADIUS server configured to allow this Connector as a RADIUS client,  here are the steps you'd follow to integrate your on premises RADIUS solution through your vIDM Connector.   

Configuring The RADIUS Authentication Adapter

First, go to Identity & Access Management --> Setup -->  Connectors. Click on the Worker link within the Worker column for the vIDM connector you're looking to leverage for the integration. 

Next, click on the Auth Adapters option.  

From here, click on the hyperlink for RadiusAuthAdapter.  

At that point you'll get redirected to your vIDM Connector, so make sure you have network access to the vIDM Connector when performing this step.   

Populate the authentication adapter with info relevant to your RADIUS implementation, like the RADIUS server address, timeout, authentication port, authentication type and shared secret.   Then click save.  At this point, RadiusAuthAdapter will show up as enabled under Auth Adapters.  

Next, we want to enable this authentication method on our Built-in adapter.  Navigate to Identity and Access Management --> Setup --> and Identity Providers.   Click on the hyperlink for your Built-in provider. 

Scroll down to the Connector Authentication methods for your Connector and enable the option for RADIUS (cloud deployment).  

Then click save to make the new settings stick.

Mandate RADIUS Authentication Through An Access Policy

At this point, we can use access policies to mandate RADIUS authentication for either general Workspace One portal access or for individual applications.   For example, to pick on Mac users, I've edited the default policy to require RADIUS authentication for Mac users in order to login into the Workspace One.   After navigating to Identity & Access Management --> Manage --> Policies, I clicked on the option to, "Edit Default Policy."  

From there, I added a new access rule for Mac users.  Here's what it looks like:

Now, when I try to authenticate to vIDM from my Macbook pro, I'm initially prompted to provide my RADIUS passcode, rather than the default of AD credentials. 

Another option is to mandate RADIUS authentication for an individual application, rather than for general access to the portal.   For example, I can mandate RADIUS authentication for access to a Horizon environment.   So, initially, the user can access their portal with AD credentials, but then will be prompted for a RADIUS passcode when they try to launch their desktop.  Accordingly, on access policy defined for a specific Horizon desktop pool, I've added the following access rule: 

Now, my users logs into Workspace One using AD credentials and sees the virtual desktop their entitled to.  

However, when they double click on the entitlement, they're redirected to a prompt for their RADIUS passcode. 

After a valid RADIUS passcode is provided access is granted to the virtual desktop.