A Primer On Unified Access Gateway For Citrix Admins Migrating To VMware Horizon
Even Gooder blog, published 2023-07-05, updated 2023-10-17
<p><span style="color: #9fc5e8; font-size: medium;">Folks considering a migration from Citrix to Horizon naturally ask, "what's the Horizon equivalent of NetScaler?" Though Unified Access Gateway (UAG) is the closest comparison, it's not a like-for-like equivalent to NetScaler. NetScaler is a multi-purpose application delivery controller, traditionally sold in pairs of physical appliances, with a history of solving complex problems far beyond the scope of Citrix remoting. In contrast, Horizon's UAG is a purpose-built, exclusively software-based technology dedicated to VMware EUC workloads and little else. So, while both solutions are used to proxy display protocol traffic for their respective suites, they're very different in scope and approach. That said, to compete with the broader set of NetScaler capabilities, UAG combines with components across the entire VMware portfolio to provide a modular, elastic, and cost-effective alternative.</span></p><span style="color: #9fc5e8; font-size: medium;">To be clear, NetScaler is very impressive tech with a broad set of capabilities extending far beyond app and Windows remoting: load balancing, GSLB, web security, TCP offloading, etc. The common refrain is, "NetScaler does everything." The problem is NetScaler does everything and is priced accordingly, despite the fact that most Citrix customers need it simply to proxy ICA sessions. Usually these organizations have some other load balancing or ADC solution in place, and quite often you hear of NetScalers sitting in the same racks as F5 appliances. 
Unfortunately, NetScalers dedicated exclusively to proxying ICA sessions are an extremely common scenario, overkill most Citrix customers find themselves forced into as soon as remote access is required. A colleague of mine jokes it's like having a Ferrari to drive 35mph for three blocks to a local market once a week. In stark contrast stands Unified Access Gateway, a standard component of all VMware EUC suites, deployed at no additional cost, save the modest vSphere capacity used to run it. While it had already proven itself by 2019, its stellar performance during the pandemic cemented its status as a hardened and mature solution.</span><div><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_rrU5sZjUEbMPtvmLn2-YxEoWWmuVcPkvYJkDpJoqy0dD8KxPs126x-BwQFt-EdmWgs1CqiPslEnBX4PZvvAjk54Jmp7gcj1W8b_2jvjTcz2NZHNSNQnKgAGIM4d-5idLoFu29f4Bzy6zgoXXdoB-D1W0P3VHxbSixGPBZbaUnXwCvvLTnuPrT_bXEQ6g/s1970/Screenshot%202023-06-28%20at%202.55.11%20PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1020" data-original-width="1970" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_rrU5sZjUEbMPtvmLn2-YxEoWWmuVcPkvYJkDpJoqy0dD8KxPs126x-BwQFt-EdmWgs1CqiPslEnBX4PZvvAjk54Jmp7gcj1W8b_2jvjTcz2NZHNSNQnKgAGIM4d-5idLoFu29f4Bzy6zgoXXdoB-D1W0P3VHxbSixGPBZbaUnXwCvvLTnuPrT_bXEQ6g/w640-h332/Screenshot%202023-06-28%20at%202.55.11%20PM.png" width="640" /></a></div><div class="separator" style="clear: both;"><span style="color: #9fc5e8; font-size: medium;">Most Horizon customers have met their remote access requirements using UAG alone or UAG coupled with Workspace ONE Access, VMware's identity-as-a-service offering. However, some organizations looking to sever ties with Citrix entirely may have a broader set of NetScaler capabilities to consider, beyond Windows/app remoting or the EUC space entirely. 
To reiterate, the Horizon suite doesn't include a single product that competes directly with NetScaler. However, the foundational functionality of UAG combined with the rest of the VMware portfolio overlaps a great deal with what most Citrix customers are doing with NetScaler today. Though this combined offering doesn't cover absolutely everything NetScaler does, it certainly covers what's most common and germane, while introducing modern software and SaaS based alternatives. Moreover, for a refreshing change, Citrix customers migrating to Horizon can freely and without coercion pick and choose amongst à la carte alternatives according to their specific needs.</span> </div><div class="separator" style="clear: both;"><span style="text-align: left;"><br /></span></div><div class="separator" style="clear: both;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOxN1IIMVFo-Ev6GETavhRfEAUgVSn7PKexbS1u0KmwpaEy_0YFZZ2KbtPVsdr-pP06ZaEJ40rJZsQp-v4HMpUANCLAtEaKcNyaIYiYxvgfuziIZaln1nZDdpipuXKskMRalkIhxitCrT6X5QVwpThcbzAhZ4cIAmzQp7lLxh5-vZahhVqkY71XUXrNX6H/s1186/Screenshot%202023-10-17%20at%208.19.34%20AM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1088" data-original-width="1186" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOxN1IIMVFo-Ev6GETavhRfEAUgVSn7PKexbS1u0KmwpaEy_0YFZZ2KbtPVsdr-pP06ZaEJ40rJZsQp-v4HMpUANCLAtEaKcNyaIYiYxvgfuziIZaln1nZDdpipuXKskMRalkIhxitCrT6X5QVwpThcbzAhZ4cIAmzQp7lLxh5-vZahhVqkY71XUXrNX6H/w400-h368/Screenshot%202023-10-17%20at%208.19.34%20AM.png" width="400" /></a></div><br /><div class="separator" style="clear: both;"><span style="color: #9fc5e8; font-size: medium;">Customers using NetScaler simply to proxy published applications and VDI can likely meet their Horizon remote access requirements using UAG and whatever load balancing solutions they already have deployed. 
If they're leveraging the advanced authentication capabilities of NetScaler for Citrix sessions, for Horizon they can leverage UAG's built-in support for stronger forms of auth or tap into the capabilities of Workspace ONE Access. In the case of Citrix customers using NetScaler for load balancing enterprise wide, VMware's NSX Advanced Load Balancer (Avi) is a compelling software-based alternative to consider. For those leveraging the VPN capabilities of NetScaler, UAG and Workspace ONE UEM combine to deliver a Per-App VPN alternative. Heck, for certain NetScaler use cases some customers might find VMware's SD-WAN offering, based on VeloCloud, a better fit. The bottom line is that money spent on NetScaler could purchase an awful lot of different VMware products à la carte. Further, if there isn't commitment to a one-throat-to-choke model, shoot, VMware has plenty of partners to choose from. Big picture, it's a question of what you can get done with the included capabilities of the Horizon suite plus whatever solutions you could procure with resources previously dedicated to NetScalers. That's a lot to think about.</span></div></div><div class="separator" style="clear: both;"><div class="separator" style="clear: both;"><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div class="separator" style="clear: both;"><span style="color: #9fc5e8; font-size: medium;">Regardless of what NetScaler functionality might need replacing, UAG is definitely in the future of any Citrix admin migrating to Horizon, so this post begins with a concise primer on UAG that calls out key differences between UAG and NetScaler. It then details load balancing requirements for UAG. From there, stronger forms of authentication will be reviewed, both UAG's built-in capabilities and those gained from Workspace ONE Access, a SaaS solution included with Horizon Universal licensing. 
Both NSX Advanced Load Balancer and WS1 Access are excellent examples of VMware's ability to replace NetScaler functionality with modular and elastic solutions. Reviewing their potential adoption will shore up the reader's understanding of UAG while providing context for other migration options from NetScaler to VMware solutions and services. In a final twist, I'll call out a very reasonable path forward, using NetScaler and UAG together. If not a permanent architecture, leveraging NetScaler + UAG is a very viable and, in some cases, ideal solution, allowing folks to realize value in their NetScaler investments while they focus on the migration of app publishing and VDI to Horizon. </span></div></div><p><br /></p><p><span style="color: #cfe2f3; font-size: x-large;">Infrastructure As Code </span></p><p><span style="color: #9fc5e8; font-size: medium;">UAG was first released <a href="https://blogs.vmware.com/euc/2015/09/what-is-vmware-unified-access-gateway-secure-remote-access.html" target="_blank">8 years ago</a> as an alternative to the Windows-based Horizon proxy solution called Horizon Security Server. As opposed to its predecessor, UAG is a <a href="https://docs.vmware.com/en/Unified-Access-Gateway/2207/vmware-uag-security-guide.pdf" target="_blank">hardened Linux virtual appliance currently based on Photon OS 3.0</a>. It's typically deployed on top of vSphere, though it's also deployed natively to clouds like AWS, Azure and GCP. Over the years its role has expanded to accommodate Workspace ONE UEM solutions like Per-App VPN and SEG. Throughout the course of its development, security and stability have been a top priority, a fact quickly evident to anyone who's worked with the product. Quite frankly, these things don't really break. 
Most of the troubleshooting happens during initial setup, and easily 95% of the time problems are with external environmental factors like misconfigured firewalls or <a href="https://www.evengooder.com/2018/01/troubleshooting-port-connectivity-for.html" target="_blank">general networking challenges</a>. Once UAGs are set up properly they just work and don't require much in the way of care, feeding, or maintenance. With the release of Horizon 8 in 2020, UAG became the primary mechanism for supporting remote Horizon access as Security Server was deprecated. By then, there were already tens of thousands of successfully deployed UAG instances, along with a rich set of documentation and <a href="https://www.youtube.com/watch?v=QcL0inoMkm8" target="_blank">codified best practices</a>. In short, UAG is boring, reliable, proven and predictable plumbing used by VMware's EUC solutions to provide secure access to on-premises resources. </span></p><p><span style="color: #9fc5e8; font-size: medium;">While security and reliability were top developmental objectives for UAG, ease of deployment was certainly lower down on the list of priorities. Typically, mature environments entail the deployment of UAGs through PowerShell scripts run against vSphere. This can be initially off-putting for folks, given network infrastructure specialists normally don't get their hands dirty with scripting. However, while you're running a pre-canned PowerShell script provided by VMware, you're not actually writing or tweaking PowerShell. Your focus is on <a href="https://communities.vmware.com/t5/Horizon-Documents/Using-PowerShell-to-Deploy-VMware-Unified-Access-Gateway/ta-p/2782995" target="_blank">tweaking an ini config file</a> that the PowerShell script is run against, populating the ini file with info about your UAG instance like IP addresses, gateway and Horizon configurations. 
Once you get a working config you end up with an easily repeatable and tweakable deployment process that typically takes about 3 minutes to stand up a new, completely functional UAG instance. It's very much in the spirit of infrastructure as code, providing complete transparency. We're not talking about standing up a physical device, giving it an adorable name, and marveling at its mysterious and obscure workings. We know how these UAG instances work. It's spelled out clearly in an ini file that's reliably leveraged throughout various instantiations and upgrades.</span> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit0G-vlfcIem8EP_daIE3yiWzYxPF93GmJ5BLgQ4-JC9yr7alHsVxzt_JRa1Rm_lYsqechXb0_6h90hIGVflzBL-GlfQ1VVauYHaYQ29qXVRfJPBovyy6nogtfvupNK0p_WY1Wp5qKlzgBhDUkZa9qpLGJohroaPfbEuLMPNdvjbz7c4r1ic54DlRJJrOC/s1184/Screenshot%202023-06-24%20at%2011.22.42%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="588" data-original-width="1184" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit0G-vlfcIem8EP_daIE3yiWzYxPF93GmJ5BLgQ4-JC9yr7alHsVxzt_JRa1Rm_lYsqechXb0_6h90hIGVflzBL-GlfQ1VVauYHaYQ29qXVRfJPBovyy6nogtfvupNK0p_WY1Wp5qKlzgBhDUkZa9qpLGJohroaPfbEuLMPNdvjbz7c4r1ic54DlRJJrOC/w640-h318/Screenshot%202023-06-24%20at%2011.22.42%20AM.png" width="640" /></a></div><br /><p><span style="color: #9fc5e8; font-size: medium;">The first step for most customers is to initially deploy a UAG appliance using an OVF wizard through vSphere, then fine-tune the appliance configuration through its web interface. 
Once they have a working instance set up, they export the configuration settings from the web interface, and voilà, a working, reusable ini-based config is available for redeployments, updates and scaling. Backups of a specific UAG instance amount to one of these ini files, certificates, and the standard downloaded .ova for the specific appliance version. Line these three resources up on a command line, and you're good to go with a redeploy in 3 minutes. Tweak the name of the appliance and the IP address, and you've got your 2nd, 3rd, 4th, or 5th UAG in the works. With each UAG handling up to 2K sessions, logically your entire UAG deployment adds up to a handful of ini's, certificates and downloaded .ova files. Upgrades amount to downloading a new .ova, tweaking the .ova path in your ini's and redeploying through PowerShell. New UAG instances are spun up behind the load balancer, while older versions are placed in a special <a href="https://docs.vmware.com/en/Unified-Access-Gateway/2303/uag-deploy-config/GUID-F165ECDA-2FD7-4C5A-BA76-2FFB3EFF6921.html#:~:text=When%20the%20Quiesce%20Mode%20toggle,is%20behind%20the%20load%20balancer." target="_blank">Quiesce Mode</a> as they're slowly drained of sessions and eventually decommissioned. 
All of this can occur with zero downtime.</span> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://media.giphy.com/media/v1.Y2lkPTc5MGI3NjExYWRiOTV0M3dqN21qMjltbjV6cXZ1MWdrMnd4NGozOWhlY3l1ZnU4ciZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/8wiP67jfoOy7BlFCcX/giphy.gif" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="278" data-original-width="480" src="https://media.giphy.com/media/v1.Y2lkPTc5MGI3NjExYWRiOTV0M3dqN21qMjltbjV6cXZ1MWdrMnd4NGozOWhlY3l1ZnU4ciZlcD12MV9pbnRlcm5hbF9naWZfYnlfaWQmY3Q9Zw/8wiP67jfoOy7BlFCcX/giphy.gif" /></a></div><p><span style="color: #9fc5e8; font-size: medium;">When you get a process like this in place you get machine-like reliability that rarely falters outside of environmental disruptions from dependencies like load balancers, SSL certs or the network. In a nutshell, the supporting infrastructure typically wears out before the UAGs do. If there is a challenge suspected with the UAG instance itself, one of the first troubleshooting steps is to redeploy. With UAG deployments being repeatable and largely uneventful affairs, redeploys are commonly leveraged both for migrations to newer versions and for troubleshooting. This shift to a fluid, infrastructure-as-code model is daunting at first, but with some planning and elbow grease yields a reliable and transparent remote access solution that leverages and benefits from vSphere infrastructure. Backups are a piece of cake, upgrades are non-events and replicating deployments for new environments is straightforward. Generally speaking, if something breaks, it's usually because someone has done something stupid with a dependency. (Can you tell I love this solution? I do. Don't even get me talking about it when I'm drunk. I'll call it folksy and blue collar, sexy and a little bit edgy.) 
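</span></p><p><span style="color: #9fc5e8; font-size: medium;">The deploy-once, export, redeploy-per-instance workflow described above, as an added example that is not code from this post or from VMware: one base ini is turned into per-appliance ini files by changing only the name, IP and .ova path, and each file is pre-flight checked before uagdeploy.ps1 is run against it. Section and key names follow the uagdeploy.ps1 ini format; every host name, path, address, version string and the thumbprint is a constructed placeholder, and the assumption that uagdeploy.ps1 prompts for its passwords when none are passed is called out in the code.</span></p>

```powershell
# Added example, not from the post or from VMware. Section and key names follow
# the ini format read by VMware's uagdeploy.ps1; every value is a constructed
# placeholder for an imaginary lab, not a real environment.

# One base config shared by the whole UAG pool. External URLs point at the
# load balancer VIP; the VMware load balancing guidance covers when to use
# per-appliance addresses instead.
$BaseIni = @'
[General]
name=uag-01
source=C:\uag\euc-unified-access-gateway-22.07.0.0.ova
target=vi://vc-deploy@vcenter.lab.example/LabDC/host/DMZ-Cluster
ds=dmz-datastore01
diskMode=thin
deploymentOption=onenic
netInternet=dmz-portgroup
ip0=203.0.113.11
netmask0=255.255.255.0
defaultGateway=203.0.113.1
dns=203.0.113.53

[SSLCert]
pfxCerts=C:\uag\certs\uag.lab.example.pfx

[Horizon]
proxyDestinationUrl=https://cs.lab.example
proxyDestinationUrlThumbprints=sha1=REPLACE_WITH_CONNECTION_SERVER_THUMBPRINT
blastExternalUrl=https://uag.lab.example:443
pcoipExternalUrl=203.0.113.10:4172
tunnelExternalUrl=https://uag.lab.example:443
'@

function New-UagIniSet {
    # Writes one ini per appliance; only name, ip0 and source differ from the
    # base. Pointing -OvaPath at a newer .ova is the whole upgrade change.
    param(
        [Parameter(Mandatory)][string]$BaseIni,
        [Parameter(Mandatory)][hashtable[]]$Instances,   # @{ Name=..; Ip0=.. }
        [Parameter(Mandatory)][string]$OvaPath,
        [Parameter(Mandatory)][string]$OutDir
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($inst in $Instances) {
        $ini = $BaseIni `
            -replace '(?m)^name=[^\r\n]*',   "name=$($inst.Name)" `
            -replace '(?m)^ip0=[^\r\n]*',    "ip0=$($inst.Ip0)" `
            -replace '(?m)^source=[^\r\n]*', ('source=' + $OvaPath)
        $path = Join-Path $OutDir "$($inst.Name).ini"
        Set-Content -Path $path -Value $ini -Encoding ASCII
        $path   # emitted to the pipeline, so the caller gets the list of files
    }
}

function Test-UagIni {
    # Pre-flight checks for the mistakes that otherwise surface only as a
    # failed deployment or an appliance that proxies nothing. Returns the list
    # of problems found; an empty list means the file is ready to deploy.
    param([Parameter(Mandatory)][string]$Path)
    $kv = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*([^=\[;#]+?)\s*=\s*(.*)$') { $kv[$matches[1]] = $matches[2] }
    }
    $problems = @()
    foreach ($key in 'source', 'pfxCerts') {
        if (-not $kv[$key] -or -not (Test-Path -Path $kv[$key])) {
            $problems += "$key does not exist on disk: $($kv[$key])"
        }
    }
    if ($kv['proxyDestinationUrl'] -notmatch '^https://') {
        $problems += 'proxyDestinationUrl must be an https:// URL'
    }
    if ($kv['proxyDestinationUrlThumbprints'] -match 'REPLACE_WITH') {
        $problems += 'Connection Server certificate thumbprint is still the placeholder'
    }
    if ($kv['ip0'] -notmatch '^(\d{1,3}\.){3}\d{1,3}$') {
        $problems += "ip0 is not an IPv4 address: $($kv['ip0'])"
    }
    return ,$problems
}

# Three appliances from one base config; the newer .ova version is how a
# rolling upgrade starts (new instances behind the LB, old ones into Quiesce Mode).
$iniFiles = New-UagIniSet -BaseIni $BaseIni -OutDir 'C:\uag\ini' `
    -OvaPath 'C:\uag\euc-unified-access-gateway-23.03.0.0.ova' `
    -Instances @(
        @{ Name = 'uag-01'; Ip0 = '203.0.113.11' },
        @{ Name = 'uag-02'; Ip0 = '203.0.113.12' },
        @{ Name = 'uag-03'; Ip0 = '203.0.113.13' }
    )

foreach ($ini in $iniFiles) {
    $issues = Test-UagIni -Path $ini
    if ($issues.Count -gt 0) {
        Write-Warning ("Skipping $ini`n  " + ($issues -join "`n  "))
        continue
    }
    # Assumption: uagdeploy.ps1 from VMware's PowerShell deployment package is
    # in the current directory and prompts for the root and admin passwords,
    # so no secret is stored in the ini files and they can be versioned as-is.
    & .\uagdeploy.ps1 $ini
}
```

<p><span style="color: #9fc5e8; font-size: medium;">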
</span></p><p><br /></p><div><p><span style="color: #cfe2f3; font-size: x-large;">Meeting Load Balancing Requirements For UAG </span></p><p><span style="color: #9fc5e8; font-size: medium;">In typical deployments UAGs are placed within a DMZ between firewalls and 3rd party load balancers. Along with enabling redundancy, load balancers are key to the zero-downtime upgrades described in the previous section. When comparing UAGs to NetScaler, this requirement for external load balancing is one of the most common feature gaps called out. Fortunately, you can use one of the gazillion load balancers in existence to address this challenge. Most customers I've interacted with have enterprise-grade load balancers in place long before Horizon enters the picture. Better still, load balancing requirements for UAG are straightforward and, to date, I've never come across a situation where an enterprise-grade solution wasn't able to accommodate UAG. The requirements are clearly spelled out in the article, <a href="https://techzone.vmware.com/resource/load-balancing-unified-access-gateway-horizon" target="_blank">Load Balancing Unified Access Gateway For Horizon</a>. Further, many vendors have their own processes specifically documented, such as this <a href="https://www.f5.com/pdf/partners/f5-load-balancing-vmware-unified-access-gateway-servers.pdf" target="_blank">article from F5</a>. There's even solid guidance on leveraging NetScaler's load balancing capabilities for UAG, such as <a href="https://www.carlstalhood.com/vmware-horizon-unified-access-gateway-load-balancing-citrix-adc/" target="_blank">this article from the venerable Carl Stalhood</a>. 
</span></p><p><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiNzE9PV5b0UODCGV9tF3YeIgtLSt_RHdPkSFMB52IzQ2oJGDNHRdi6haJQ08qmqAWVZNx5l0KRz41q4AT9rAAVNpxiu1ML2p25Ez62egtOjBICnL1eQUUvYTBwqBukcur4B3v9AKB3hQ1myaHSyx70hg7mY--UFT9tcE-Vqp_qC6CmTgAQDWSEfRsCTA" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img alt="" data-original-height="828" data-original-width="1124" height="472" src="https://blogger.googleusercontent.com/img/a/AVvXsEiNzE9PV5b0UODCGV9tF3YeIgtLSt_RHdPkSFMB52IzQ2oJGDNHRdi6haJQ08qmqAWVZNx5l0KRz41q4AT9rAAVNpxiu1ML2p25Ez62egtOjBICnL1eQUUvYTBwqBukcur4B3v9AKB3hQ1myaHSyx70hg7mY--UFT9tcE-Vqp_qC6CmTgAQDWSEfRsCTA=w640-h472" width="640" /></a></p><p><span style="color: #9fc5e8; font-size: medium;">All that said, if you're looking for a new load balancing solution, VMware is more than happy to sell you a software-defined load balancing solution called NSX Advanced Load Balancer, formerly Avi Vantage. It enables elastic scaling and provisioning of load balancing functionality through service engines that are spun up and down across vSphere and native hyperscaler environments, with a software-based Avi Controller centralizing control and management. When it comes to standard load balancing or global load balancing, it's competitive with any other load balancing solution you might run across, including NetScaler. Most notably, it's incredibly cost-effective, enabling agile right-sizing of load balancing capacity across vSphere and cloud environments, mirroring the agility offered through UAG. 
It's a compelling alternative to traditional hardware-based load balancing solutions, so much so that NetScaler felt threatened enough to try and <a href="https://www.crn.com/news/cloud/citrix-and-vmware-settle-avi-networks-dispute" target="_blank">sue Avi out of existence back in 2017</a>, a lawsuit that was eventually settled. For a more in-depth primer on NSX Advanced Load Balancer, check out this <a href="https://www.evengooder.com/2020/03/primer-avi-vantage-for-Horizon-and-WS1.html" target="_blank">article I wrote in 2020</a>. Further, as with many other load balancing vendors, there's UAG-specific load balancing guidance provided in the article, <a href="https://avinetworks.com/docs/22.1/deploy-avi-for-load-balancing-uag-servers/" target="_blank">NSX Advanced Load Balancer for Load Balancing UAG Servers</a>. </span><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjrFyYJbooWt1I_CxK_5sDUJGcubJNwqFY8QSWYf_OQYZCkhgi9D3dWj2N2nNgzNHw9HNq1KR7DRtzCmmH4-PBljkLWE2AGHj_p18vN4AUviry-IKRbB2hNUv0yApvCi_ld1MrNgfRKdhr8IP8oHFW9u3hpR1wIWSy7UQM2CHahn-QY53UldmpEvdsVQ/s1880/Screenshot%202023-06-03%20at%2011.39.34%20AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjrFyYJbooWt1I_CxK_5sDUJGcubJNwqFY8QSWYf_OQYZCkhgi9D3dWj2N2nNgzNHw9HNq1KR7DRtzCmmH4-PBljkLWE2AGHj_p18vN4AUviry-IKRbB2hNUv0yApvCi_ld1MrNgfRKdhr8IP8oHFW9u3hpR1wIWSy7UQM2CHahn-QY53UldmpEvdsVQ/w640-h414/Screenshot%202023-06-03%20at%2011.39.34%20AM.png" /></a><br /><br /><span style="color: #9fc5e8; font-size: medium;">Finally, while NSX Advanced Load Balancer and many other 3rd party solutions provide global server load balancing (GSLB), if your GSLB requirements are limited to Horizon there's a purpose-built SaaS solution called Universal Broker. It works by leveraging the cloud-based Horizon Control Plane for authentication and intelligent routing of sessions across separate Horizon pods. 
Horizon protocol traffic is bifurcated, with the primary protocol working against a cloud-based URL and display protocol traffic traversing UAG appliances. Universal Broker is part of a larger initiative to enhance Horizon environments with cloud-based services. While it isn't for everyone, it's a beautiful example of VMware offering a SaaS-based alternative for functionality traditionally delivered on-premises. For more information, check out this primer on Universal Broker, <a href="https://www.evengooder.com/2022/11/universal-broker-4-horizon.html" target="_blank">The Innovation And Current Limitations Of VMware's Universal Broker For Horizon</a>. </span></p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLF6PONaU51fvSg6VNH3znKyRZHVpfslsyNx3e-LK42_2qIk68KITDbQzjzXyEcUFOkr8E2GuKTS4JYhddmOybDZpMIjFhUoPSYkUEabeu5t5yHbgkiV8ntCo2d0uX-RJonSqo85Pne8BKPoyHlVXQFS8gbyokTpGxxpXTujouwwTmZvgXRrAApp24SvS0/s1098/universal_broker.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLF6PONaU51fvSg6VNH3znKyRZHVpfslsyNx3e-LK42_2qIk68KITDbQzjzXyEcUFOkr8E2GuKTS4JYhddmOybDZpMIjFhUoPSYkUEabeu5t5yHbgkiV8ntCo2d0uX-RJonSqo85Pne8BKPoyHlVXQFS8gbyokTpGxxpXTujouwwTmZvgXRrAApp24SvS0/w640-h486/universal_broker.png" /></a><br /><br /><span style="color: #9fc5e8; font-size: medium;">Honestly, I don't hold much allegiance to any load balancing solution when it comes to designing Horizon environments. Quite frankly, for Horizon deployments I conceive of load balancers as a commodity, with the selection of vendor preordained by whatever solution customers already have in place. Though it's critical to get load balancing set up properly, there's not a lot of room for creativity or differentiation in terms of Horizon outcomes. It's more science than art. 
</span></p><p><br /></p><p><span style="color: #cfe2f3; font-size: x-large;">Stronger Forms Of Authentication For Horizon Remote Access</span></p><p><span style="color: #9fc5e8; font-size: medium;">Passthrough is the default authentication method for UAG deployments. Via the primary Horizon protocol, prior to the display protocol connection, AD credentials are passed through the UAG appliance on to the Horizon Connection Servers, then validated against the AD environment the Connection Server is joined to. While this is the default behavior, most organizations augment this security one way or another. For additional authentication from within the DMZ there are options for smart cards, certificates, RADIUS-based solutions and RSA. There's also built-in support for <a href="https://docs.opswat.com/macloud-sdp/integrations/vmware-unified-access-gateway" target="_blank">OPSWAT endpoint compliance checks</a>. Historically, RADIUS-based integrations with 3rd party MFA solutions have been very popular, allowing for simple integrations with solutions like Duo or Symantec VIP. However, over the last few years direct SAML-based integrations with solutions like Okta, Ping and Azure have become more popular, with support for such integrations starting around 2019. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI0FU4aeCwuHrrs5j_oSM7k_o28c4qIOm0vXpKkTe1uRYkT5d3cMt3g0XQQvoIPNzm5zH9AX6yDYsjtjlia27BWQ9eF3AadO81LHFkk1UH7o0dmC6lU6MvoSLozuDjA5Yr_1qXy0Izmjm3qNOR34UVFwUl2Gk6JtMQUdB4KBRB8FqB86In06_86xeOzA/s1666/auth_methods.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="738" data-original-width="1666" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI0FU4aeCwuHrrs5j_oSM7k_o28c4qIOm0vXpKkTe1uRYkT5d3cMt3g0XQQvoIPNzm5zH9AX6yDYsjtjlia27BWQ9eF3AadO81LHFkk1UH7o0dmC6lU6MvoSLozuDjA5Yr_1qXy0Izmjm3qNOR34UVFwUl2Gk6JtMQUdB4KBRB8FqB86In06_86xeOzA/w640-h284/auth_methods.png" width="640" /></a></div><br /><p><span style="color: #9fc5e8; font-size: medium;">While direct integrations between UAG and 3rd party solutions are apt to get the job done, a more ideal method for accommodating stronger forms of authentication is through Workspace ONE Access. WS1 Access is like StoreFront in that it provides a catalog, a simple grid of icons in a browser for folks to consume. However, WS1 Access also acts as an IdP and policy engine, enabling federation with popular SaaS solutions like ServiceNow or Office 365, while also supporting integration with 3rd party MFA solutions. Its policy engine is leveraged to enforce contextual authentication requirements for Horizon, integrated Citrix environments, and any federated SaaS solutions. It's an ideal mechanism for wrapping modern authentication around Horizon environments enterprise wide, enforcing security policies whether Horizon is consumed from the WS1 catalog or directly accessed through the Horizon client. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0Rsz__0HMxy0PtLTcKh7iyN0Yniu5KSVdpBIHO4iNqySMSCjNSRnp6dThzCiF_5CLOfXgv55n1IpanB7VrUXEia-iT46KE8wh7_Z7QdsdNHBmTKW38VbemglnQ1U9qc1703bZl1RG3F24qkekOuG4Rf6oYtrBB7VAEq6Jviryqj-mHFPFrIJyRhqRIrFJ/s2522/Screenshot%202023-07-05%20at%2011.42.09%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1336" data-original-width="2522" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0Rsz__0HMxy0PtLTcKh7iyN0Yniu5KSVdpBIHO4iNqySMSCjNSRnp6dThzCiF_5CLOfXgv55n1IpanB7VrUXEia-iT46KE8wh7_Z7QdsdNHBmTKW38VbemglnQ1U9qc1703bZl1RG3F24qkekOuG4Rf6oYtrBB7VAEq6Jviryqj-mHFPFrIJyRhqRIrFJ/w640-h340/Screenshot%202023-07-05%20at%2011.42.09%20AM.png" width="640" /></a></div><br /><p><span style="color: #9fc5e8; font-size: medium;">My favorite way to describe WS1 Access is that it acts as a sort of integration goo, allowing folks to leverage authentication solutions they already have in place. Through the WS1 Access Connector deployed on-premises, AD environments are easily integrated. Further, the connector has built-in support for RSA and Duo, while allowing integrations with other 3rd party MFA solutions through RADIUS. The cloud-based WS1 Access tenant itself can easily integrate with more modern MFA solutions provided by vendors like Okta, Ping and Azure through SAML federation, a very popular path forward nowadays. Most notably, for existing WS1 UEM customers, WS1 Access provides a built-in integration allowing customers to extend WS1 UEM-based security to Horizon access. 
This includes certificate-based auth methods for Win10, macOS, iOS and Android, with an option to calibrate authentication requirements based on signals from underlying devices leveraging WS1 UEM's device compliance policies. In addition, WS1 UEM integration introduces an option to leverage VMware's own MFA solution, <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-Access/services/ws1_access_authentication_cloud/GUID-531B7205-2A51-40EA-BD4C-8E084AD1BC93.html" target="_blank">Verify (Intelligent Hub)</a>. Finally, WS1 Access can drive its contextual authentication policies based on analytics from WS1 Intelligence like <a href="https://mobile-jon.com/2023/01/16/workspace-one-login-risk-score-the-real-starting-point-of-zero-trust/" target="_blank">Login Risk</a> scores or device risk scores. Big picture, as a policy engine, WS1 Access allows us to enforce different authentication methods based on the context of the user, enabling admins to calibrate and right-size security based on user and device context. For more background on WS1 Access check out these <a href="https://www.youtube.com/watch?v=u-BplQf-V88" target="_blank">intro</a> and <a href="https://www.youtube.com/watch?v=TpOjeeJffZo&t=459s" target="_blank">deep dive</a> videos on YouTube put out by VMware's healthcare-focused EUC team. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlJTPzv3rUz30i48YWPw0pgQBYannnx1VYAuFuNheiBrR_MvLvfbig2WVBtNgcGAJa73_MNyjVamq-EERU0Xea72SMfGQlfEznh2F-mYFUUt0ARO4RB_Ph60Rpf5MgJI31PcQLUcyWJR-n4uavFoIODwvc3EI9a4-ghtk2sR4CQ11VCjY9IucNO261Bw/s1168/access_core.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="628" data-original-width="1168" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlJTPzv3rUz30i48YWPw0pgQBYannnx1VYAuFuNheiBrR_MvLvfbig2WVBtNgcGAJa73_MNyjVamq-EERU0Xea72SMfGQlfEznh2F-mYFUUt0ARO4RB_Ph60Rpf5MgJI31PcQLUcyWJR-n4uavFoIODwvc3EI9a4-ghtk2sR4CQ11VCjY9IucNO261Bw/w640-h344/access_core.png" width="640" /></a></div><br /><p><span style="color: #9fc5e8; font-size: medium;">Through these policy-based controls WS1 Access enables us to wrap Zero Trust security around legacy Windows workloads. Access to full desktops or individual published applications is firmly controlled and tracked through contextual access policies. To further this Zero Trust adoption, we can inform these controls with device posture information and analytics from both WS1 UEM and Intelligence. With such a deployment, Horizon is combined with Access, UEM, and Intelligence to create a superb remote access solution <a href="https://www.evengooder.com/2023/05/HorizonAndZeroTrust.html" target="_blank">uncannily aligned with NIST Zero Trust guidance</a>. 
This ideal model is easily achieved by layering SaaS-based instances of Workspace ONE services on top of Horizon environments, starting with the SaaS-based version of WS1 Access included with Horizon Universal licenses.</span> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhN5RKQe5Us_zWr7lZoh0-FAnqJvL4YiXrB1MkDZttIn9MvxzlDYSu5WmTqJpDG0dG6IF9nd96lYG2coxfVWlT5C2Aevfmu8WSeOttDaUlt2vDOwjv190ccIENdILWuvucv3e9Nojxg-YitwIMhr4MkDpUj7nNL36TfAcJo7PLulYX9cSqY5Iwc28wytnq/s1224/ws1_for_zero.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="752" data-original-width="1224" height="394" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhN5RKQe5Us_zWr7lZoh0-FAnqJvL4YiXrB1MkDZttIn9MvxzlDYSu5WmTqJpDG0dG6IF9nd96lYG2coxfVWlT5C2Aevfmu8WSeOttDaUlt2vDOwjv190ccIENdILWuvucv3e9Nojxg-YitwIMhr4MkDpUj7nNL36TfAcJo7PLulYX9cSqY5Iwc28wytnq/w640-h394/ws1_for_zero.png" width="640" /></a></div><br /><p><span style="color: #cfe2f3; font-size: x-large;">(NetScaler + UAG) In The Meantime Or Indefinitely</span></p><p><span style="color: #9fc5e8; font-size: medium;">As mentioned earlier in this post, it's perfectly feasible to load balance UAG appliances with NetScaler. In fact, for many existing NetScaler customers it's an ideal and natural path forward. Quite often I hear the objection, "but I've already paid for these NetScalers and they're on a different renewal cycle than Citrix itself." Well, that's my kind of problem! 
The option to continue leveraging NetScaler appliances while migrating from Citrix to Horizon helps limit the scope of change during a major migration. Admins can focus on migrating the Citrix functionality itself without having to rip out load balancers or replace other NetScaler functionality at the same time, breaking down the overall transition into smaller bite size pieces. In the short term, continue leveraging NetScaler while adding load balancing support for UAG appliances. Chip away at your Citrix to Horizon migration first, then circle back later to replacing the NetScaler appliances if that's your eventual goal. </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMYmgEdIzpC3Yj2YlpOrH3Wdyze_6hCivUWZxo0tf52KSnmCF7G_pRx0-wCcasHF8i2mRXHxHAM_OSdySKinIKzYvWUBhJ4uOBAxDMD3AyhJTuqlo1dKgL5qry11tLDYDiScX8ZLDf0Lv-qhsqr4OXgVH71J6Ch_RNjjAqcqZ_LhvV_lxOoViBJs0EpGsa/s1898/Screenshot%202023-06-27%20at%2011.38.30%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="994" data-original-width="1898" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMYmgEdIzpC3Yj2YlpOrH3Wdyze_6hCivUWZxo0tf52KSnmCF7G_pRx0-wCcasHF8i2mRXHxHAM_OSdySKinIKzYvWUBhJ4uOBAxDMD3AyhJTuqlo1dKgL5qry11tLDYDiScX8ZLDf0Lv-qhsqr4OXgVH71J6Ch_RNjjAqcqZ_LhvV_lxOoViBJs0EpGsa/w640-h336/Screenshot%202023-06-27%20at%2011.38.30%20AM.png" width="640" /></a></div><br /><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /><span style="color: #9fc5e8; font-size: medium;">Or don't get rid of NetScaler at all. If you're happy with NetScaler and feel satisfied you're getting value out of it independently of proxying Citrix sessions, shoot, keep it. 
It's always possible your org truly needs a multi-purpose application delivery controller across the enterprise and NetScaler is fulfilling that function. Granted, that's usually not the case with my customers. Most of my customers are using NetScaler simply to proxy ICA sessions and maybe a little load balancing. Those organizations in particular should consider alternatives. However, if you are full-bore using advanced features of NetScaler across your entire enterprise and don't want to consider replacing this functionality AND you've made it this far through my article, heck, keep on keeping on. Treat Horizon and UAG as simply another solution to load balance and you're all good in the hood. In this situation, my best piece of advice would be to consider making the rest of the organization help foot the bill for the NetScaler functionality they're leveraging outside of Citrix remoting. </span></p><div class="separator" style="clear: both;"><br /></div><span style="color: #cfe2f3; font-size: x-large;">Credit Where Credit Is Due </span><div><br /></div><div><span style="color: #9fc5e8; font-size: medium;">In all the talk about Citrix superiority and success a key ingredient, the secret sauce, is left out: the Citrix admins. These are the folks who know the special registry keys, the idiosyncrasies of specific apps, and the weaknesses and strengths of the organization that have to be navigated to successfully deliver an app. Citrix admins are some of the most grizzled, experienced and knowledgeable folks in the enterprises they work for. In a cliche and cringy caricature of corporate sleaziness, their contributions, and those of their supporting shops, are attributed to Citrix, as if the solution stood itself up and flawlessly began accommodating the needs of the business without any input. 
The fact of the matter is that when you're marveling at a successful Citrix deployment, whether you realize it or not, you're marveling at the hard work, elbow grease and cumulative efforts of Citrix admins and their IT organizations. This reality is typically lost entirely in discussions about Citrix vs Horizon. So, as my contribution to this eternal debate, I'd like to call out that Citrix and Horizon are solutions sold business to business, while the IT shops themselves are what make their implementations successful. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">"You can't live without me," is the common refrain of psychopaths, wife beaters, and salesmen with coke habits and mistresses to feed. For quite some time now, but particularly in the year 2023, saying you can't run a business on Horizon instead of Citrix simply is not true. Personally, I deployed <a href="https://www.youtube.com/watch?v=HQk4zt-hmRE" target="_blank">Horizon to an emergency room in 2011</a>, so I have little tolerance for such hyperbole. Saying an organization with the capacity to support Citrix couldn't be successful with Horizon is frankly downright insulting. Yes, the migration will be quite involved. Yes, some processes will change. But can it be done? Hell yes, absolutely, 100%, especially if current Citrix admins are on board. Further, there are a lot of operational efficiencies and cost savings to be gained with technologies like Instant Clones, App Volumes, and Horizon Published Apps On Demand. Most notably, there's a real opportunity to modernize your remote access strategy using the standard functionality included in Horizon as well as solutions across the VMware portfolio. 
</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">UAG, or UAG combined with WS1 Access, meets the majority of Horizon remote access needs while introducing the benefits of SaaS and infrastructure as code. It stands in stark contrast to standing up another physical piece of hardware or complex appliance on-premises. In addition, it opens the door to a clear and <a href="https://www.evengooder.com/2023/05/HorizonAndZeroTrust.html" target="_blank">proven path towards Zero Trust adoption</a>, arguably a future requirement for all of us. Further, both UAG and WS1 Access come standard with Horizon Universal licensing at no additional cost. For organizations using advanced NetScaler capabilities there's some careful analysis of functionality and cost to explore. If you really are leveraging some of its more unique and compelling features to run your business you can continue to use NetScaler after migrating to Horizon. However, most customers stand a great deal to gain from exploring alternatives from VMware or VMware's partners.</span></div></div></div>EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com1tag:blogger.com,1999:blog-7411363718337372107.post-41912196570151718852023-05-03T14:49:00.006-07:002023-05-14T08:01:50.750-07:00VMware Horizon's Uncanny Alignment With NIST Zero Trust Guidance<p><span style="color: #9fc5e8; font-size: medium;">The foundational components of Zero Trust architectures, such as MFA, ICAM and endpoint security, are solutions widely deployed today. While most organizations already have these building blocks in place, achieving Zero Trust objectives with their aggregate capabilities requires a level of orchestration and synchronicity that is far less common. 
In that regard, the integration and orchestration of a broad set of security components through a single platform, the Anywhere Workspace, is something VMware has been perfecting for over a decade now. To modernize legacy Windows experiences Horizon is combined with Access, UEM, and Intelligence to create a superb remote access solution uncannily aligned with NIST Zero Trust guidance. Such a deployment meets the immediate need to optimize support for a hybrid workforce while establishing a beachhead for further Zero Trust adoption.</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfSgYejy3xORkeX79hJhNBbg8y_4dei3l5OzOED6o93hjrpSQ5Be6Utnsut8Aj6X_lBju7hUIlRgVxk-TYW4xuFlK9TdOPsw8uXwxG5XWloA1PsTB5L7D-p5_VU17Cky3SMYYyt5gUp7JVTOZBxZZwMwFWZAvY8ugGGsRoHaJ3QZ5p8a89lLmu8vzEvA/s1890/Screenshot%202023-03-19%20at%202.10.10%20PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1178" data-original-width="1890" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfSgYejy3xORkeX79hJhNBbg8y_4dei3l5OzOED6o93hjrpSQ5Be6Utnsut8Aj6X_lBju7hUIlRgVxk-TYW4xuFlK9TdOPsw8uXwxG5XWloA1PsTB5L7D-p5_VU17Cky3SMYYyt5gUp7JVTOZBxZZwMwFWZAvY8ugGGsRoHaJ3QZ5p8a89lLmu8vzEvA/w640-h398/Screenshot%202023-03-19%20at%202.10.10%20PM.png" width="640" /></a></div><br /><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><span style="color: #9fc5e8; font-size: medium;">This post maps Anywhere Workspace Zero Trust capabilities to guidance provided by NIST and its subsequent work with the <a href="https://www.nccoe.nist.gov/sites/default/files/legacy-files/nccoe-fact-sheet.pdf" target="_blank">National Cybersecurity Center Of Excellence (NCCoE)</a>. 
The intent is to elevate the discussion about Horizon and Zero Trust by referencing a source respected and followed across the public and private sectors. With federal agencies like CISA, DoD and the NSA paying deference to NIST guidance, along with its reference by <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/" target="_blank">executive order 14028</a>, treating NIST as authoritative on the topic of Zero Trust is hardly controversial and can help ground a discussion. Accordingly, this post provides a primer on NIST guidance with a focus on the notional Zero Trust architecture first introduced in <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf" target="_blank">(SP) 800-207</a>, then practically demonstrated in <a href="https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture" target="_blank">Implementing A Zero Trust Architecture</a>. It then compares the logical components of this conceptual model to a Horizon architecture leveraging the full breadth of Anywhere Workspace Zero Trust capabilities. This should be of interest to anyone looking to enhance Windows desktops or applications with Zero Trust security, and, if nothing else, will enable Horizon admins to articulate the advancements toward Zero Trust already achieved with their deployments.</span></p><p><br /></p><p><span style="color: #cfe2f3; font-size: x-large;">A Primer On NIST Zero Trust Guidance </span></p><p><span style="color: #9fc5e8; font-size: medium;">Most descriptions of Zero Trust start by declaring a need to shift from perimeter-based network security to a model where hostile actors are always presumed present and within reach. Accordingly, instead of protecting networks the focus is on controlling access to the critical resources themselves through policy-based controls that continually evaluate users and their requests. 
As the abstract for <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf" target="_blank">NIST (SP) 800-207</a> states, “Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” While this article focuses on guidelines put forth by NIST and NCCoE, I'd like to call out the <a href="https://mobile-jon.com/2021/05/18/mobile-jons-guide-to-zero-trust-security/" target="_blank">folksier description of Zero Trust laid out by MobileJon</a>. For most organizations Zero Trust adoption entails a recognition that firewalls and the Kerberos-based security provided by Active Directory no longer cut the mustard given what we know about today's threats.</span></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz03fomEgGBgazOPQRX1Ub3iQVgThCFjoS35juslKJddUVvsi5iEt9hrIEkaMu5PMquaelQSBOc5gNrdJjuc_nYwwMRARXyPQdnwpDiCWiq-p3_5c9aI7ASsx_pIkek013tUSaZBjX1Q68VWuFcqpjXr9W0LXGo5Or5DCcLZHkx2EEQ1a1hntW6TBy5A/s1106/mobile_jon.png" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz03fomEgGBgazOPQRX1Ub3iQVgThCFjoS35juslKJddUVvsi5iEt9hrIEkaMu5PMquaelQSBOc5gNrdJjuc_nYwwMRARXyPQdnwpDiCWiq-p3_5c9aI7ASsx_pIkek013tUSaZBjX1Q68VWuFcqpjXr9W0LXGo5Or5DCcLZHkx2EEQ1a1hntW6TBy5A/w640-h286/mobile_jon.png" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Mobile Jon's Guide To Zero Trust Security</td></tr></tbody></table><div class="separator" style="clear: both;"><br /><span style="color: #9fc5e8; font-size: medium;">To replace perimeter-based network security (SP) 800-207 introduces a notional architecture detailing the logical components required to achieve Zero Trust objectives. 
In the more recent NIST/NCCoE publication, <a href="https://www.nccoe.nist.gov/projects/implementing-zero-trust-architecture" target="_blank">Implementing A Zero Trust Architecture</a>, example deployments illustrate how commercially available solutions are used to achieve these ZTA objectives. The guides in this series "demonstrate several example ZTA solutions—applied to a conventional, general-purpose enterprise IT infrastructure—that are designed and deployed according to the concepts and tenets documented in NIST Special Publication (SP) 800-207, Zero Trust Architecture." The core functionality driving these ZTA demonstrations is illustrated below: </span></div><div class="separator" style="clear: both;"><span style="text-align: left;"><br /></span></div><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOxl8Q-_8NspultD75Qh-WpZd6MXiGqut44QkbyxrCBDVb2lTVasH31_f-w_BoN7EUsPKpUCHRHzIeH1UChDb3Q9ZU2REu_VWLeW-3ycA0VRF4-w38sxzbOmM7N7RFFYumubK6py6tRWzS1vzDa1rg1JU7S-5KO0QTleQhTrO_q2cc8T4RyY-iob7xuQ/s1188/Screenshot%202023-04-01%20at%207.22.26%20PM.png" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="654" data-original-width="1188" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOxl8Q-_8NspultD75Qh-WpZd6MXiGqut44QkbyxrCBDVb2lTVasH31_f-w_BoN7EUsPKpUCHRHzIeH1UChDb3Q9ZU2REu_VWLeW-3ycA0VRF4-w38sxzbOmM7N7RFFYumubK6py6tRWzS1vzDa1rg1JU7S-5KO0QTleQhTrO_q2cc8T4RyY-iob7xuQ/w640-h352/Screenshot%202023-04-01%20at%207.22.26%20PM.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Zero Trust Architecture, NIST SP 800-207</td></tr></tbody></table><div class="separator" style="clear: both;"><span style="color: #9fc5e8; font-size: medium; text-align: left;">At the top of 
this model there's the brains of the entire operation, the Policy Decision Point (PDP), made up of a Policy Engine (PE) and a Policy Administrator (PA). The Policy Engine determines whether or not a subject is granted access to a given resource. It works in tandem with the Policy Administrator, which is responsible for executing its decisions. To this end the PA helps establish the communication path between subject and resource, going on to, "generate any session-specific authentication and authentication token or credential used by a client to access an enterprise resource." Finally, there's the Policy Enforcement Point (PEP), working in conjunction with the Policy Administrator to allow or deny connections between the subject and resource. While there's certainly more detail, this is the high level model proposed by NIST for enabling Zero Trust security. </span></div><p><span style="color: #9fc5e8; font-size: medium;">To make informed decisions about access requests the Policy Engine processes input from various sources, referred to as Policy Information Points (PIP). Data from these sources is ingested into a trust algorithm that determines whether a specific request to a resource should be allowed. Examples of PIPs include endpoint antivirus, endpoint management and security analytics solutions. PIPs contribute to a more comprehensive, 360-degree, contextual model for continually assessing the trustworthiness of a subject. We're not just talking about defense in depth, but rather the coordination and orchestration of various security solutions into a comprehensive model. 
</span></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNnCS9i6m1Ja5zdzeb8Lj3F7AZWxCVcV4G5ArrHBCBuvRNJDIWI5LeM4R2rnXFx2JxN32E4_rKqIl5UfsqHrTomBoYgKQKK2g980uO0Lgu0onVl9H2a7ksUmW7_Lk7U4nEelvU6EnCIANeyLxI25G7Mhs_AAd3YgUFuByyZQkvNf7glTeCKAKXfprjLg/s952/with_PiP.png" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="540" data-original-width="952" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNnCS9i6m1Ja5zdzeb8Lj3F7AZWxCVcV4G5ArrHBCBuvRNJDIWI5LeM4R2rnXFx2JxN32E4_rKqIl5UfsqHrTomBoYgKQKK2g980uO0Lgu0onVl9H2a7ksUmW7_Lk7U4nEelvU6EnCIANeyLxI25G7Mhs_AAd3YgUFuByyZQkvNf7glTeCKAKXfprjLg/w640-h364/with_PiP.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Implementing A Zero Trust Architecture (Fact Sheet)</td></tr></tbody></table><div class="separator" style="clear: both;"><span style="color: #9fc5e8; font-size: medium;"><span style="text-align: left;">While (SP) 800-207 establishes a high level framework for Zero Trust, Implementing A Zero Trust Architecture gets into the nitty gritty of how these PIPs are pieced together with PAs, PEs and PEPs to deliver Zero Trust objectives. Currently there are five sample architectures in total, three of which are referred to as crawl phase architectures: E1B1, E2B1 and E3B1. These first three builds focus on enhanced identity governance (EIG), which is viewed as a "foundational component of ZTA." Then there are two more run phase architectures, E1B2 and E3B2, that build upon the crawl phase. 
Eventually the plan is to introduce additional advanced architectures with capabilities like micro-segmentation.</span> "After completing the EIG crawl phase builds, we enhanced these implementations by adding specialized PE and PA components, device discovery, and cloud-based resources in the EIG run phase. In future phases, we plan to introduce capabilities such as software-defined perimeter and micro-segmentation." Here's a graphical representation of crawl phase architecture E1B1, featuring Okta and Ivanti:</span></div><div class="separator" style="clear: both;"><span style="text-align: left;"><br /></span></div><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOeNWDqrw1SLRhNR2ZpDUgt-JUnt-v7AUyoPfFqI3G6cVyvR7CI9NHXZdhpmO0m1tWvb4bHjZBSUFcatH0XFZj8AvNmAegEF_X4OuVMuiX9D_r0ZNEuErrrpTorldec15NkqDpkEHnaamEcpVjpWmW2T2GVcVrC4X-FEealfLE_CFsfM4KENDBD6pezA/s1004/okta_example.png" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="630" data-original-width="1004" height="402" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOeNWDqrw1SLRhNR2ZpDUgt-JUnt-v7AUyoPfFqI3G6cVyvR7CI9NHXZdhpmO0m1tWvb4bHjZBSUFcatH0XFZj8AvNmAegEF_X4OuVMuiX9D_r0ZNEuErrrpTorldec15NkqDpkEHnaamEcpVjpWmW2T2GVcVrC4X-FEealfLE_CFsfM4KENDBD6pezA/w640-h402/okta_example.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Implementing A Zero Trust Architecture, Volume B: Approach, Architecture and Security Characteristics</td></tr></tbody></table><br /><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><span style="color: #9fc5e8; font-size: medium;">Again, while there are only five example architectures today, the publication is a work in progress 
and there are additional examples planned for the future. If I had the option I'd bet large sums of money that VMware products will eventually find their way into future architectures. More conspicuous than the absence of VMware products in the current publication are the listed contributions of VMware employees in <a href="https://www.nccoe.nist.gov/sites/default/files/2022-12/zta-nist-sp-1800-35b-preliminary-draft-2.pdf" target="_blank">1800-35B</a>. One of these five is Peter Bjork, a very high profile evangelist of VMware's Zero Trust capabilities. While something more exhaustive and definitive might come out in an update to the publication, as a blogger and long time fan of VMware EUC I'm going to take a swag at mapping Horizon and Workspace ONE components to the notional ZTA put forth by NIST. </span></p><p><br /></p><p><span style="color: #cfe2f3; font-size: x-large;"><span>Mapping VMware EUC Components To A Notional ZTA</span> </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoXhE-CEsUAhu9WOsGN-t-qfyJ36YsxnN3aIoU8OXociGLF7_t9-TQa89JAdh5B3b5gnXde8TBjZsfhJBCOsAI-SHSAYFKg4t_9YLuz68RGTRqYgAcdiBRK1QXntIEsvXVtRGbNUGDLbuL1tHtxliuAXx2XIHS0-Xj6SJi7gI0MzYTryyYHOGWj0ur2A/s616/yogi_bera.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="616" data-original-width="410" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoXhE-CEsUAhu9WOsGN-t-qfyJ36YsxnN3aIoU8OXociGLF7_t9-TQa89JAdh5B3b5gnXde8TBjZsfhJBCOsAI-SHSAYFKg4t_9YLuz68RGTRqYgAcdiBRK1QXntIEsvXVtRGbNUGDLbuL1tHtxliuAXx2XIHS0-Xj6SJi7gI0MzYTryyYHOGWj0ur2A/s320/yogi_bera.jpg" width="213" /></a></div><p><span style="color: #9fc5e8; font-size: medium;">To those familiar with VMware's EUC stack the notional ZTA put forth by NIST can come across like a fun adaptation or clever spin on architectures put out by VMware for about a decade. 
Personally, reading NIST documentation on ZTA felt like déjà vu (all over again). With its identity capabilities, federation options and conditional access policies, Workspace ONE Access clearly fits the bill as a policy decision point (PDP), acting both as policy engine (PE) and policy administrator (PA). These identity-based policies for controlling access to resources are further enhanced by solutions like WS1 UEM, WS1 Intelligence and Carbon Black. While these provide relevant security capabilities in their own right, as sources of data providing context for access policies they're clearly acting as policy information points (PIP). Finally, sitting between endpoint devices and virtual desktops on the data plane is Unified Access Gateway, acting as a policy enforcement point (PEP). </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAkopd2UdHHxckvfWtrfSk_ZefTfPsKFM9D2ogGicVmBiEPkHOvW2qsjJk6S1mj7XjfO-wjoEbW2itlB1JdZgy9yAcl_uXUWKbLLNI0QzIn6mnh-IGOOSEdoJGwoZpLW4JXpXPz3bwG_LLyE3u1n3pg_38KTPDSBtf94pStdVIFflmCLqPyz692FPztA/s1170/mappings.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="760" data-original-width="1170" height="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAkopd2UdHHxckvfWtrfSk_ZefTfPsKFM9D2ogGicVmBiEPkHOvW2qsjJk6S1mj7XjfO-wjoEbW2itlB1JdZgy9yAcl_uXUWKbLLNI0QzIn6mnh-IGOOSEdoJGwoZpLW4JXpXPz3bwG_LLyE3u1n3pg_38KTPDSBtf94pStdVIFflmCLqPyz692FPztA/w640-h416/mappings.png" width="640" /></a></div><div class="separator" style="clear: both;"><span style="color: #9fc5e8; font-size: medium; text-align: left;">For over a decade WS1 Access has offered admins a way to wrap modern authentication around Horizon. Its policy engine is driven by conditional access policies that enforce an adaptable set of authentication requirements based on user context. 
Some of these auth methods are built in, some arise from a combination of Access and UEM, and others are available through 3rd party solutions via RADIUS or SAML-based integrations. While Access supports several federation standards, SAML 2.0 is definitely the star of the show, key to its policy administration for solutions like Horizon. Once a subject has met the requirements of these conditional access policies they're issued a SAML assertion granting access to the Horizon environment. </span></div><div class="separator" style="clear: both;"><span style="text-align: left;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoSv3BSKWs-OK7ZX8ui8pPwkwsNaB8n4F-K0n2Lo7b1dgrS7cCyv1x29MiNdij0oGXhajf1NiD7d4kzmankCazKj5d5PdGE3Ln_vbvWwotwJK84FWTVUj9hw7lujRnpdtUMi0B4j8DWR-8cRIioeJicFacZTRnaiG7ijkN8DCTYU7rsvMP45uNeNA5ww/s1692/Screenshot%202023-03-20%20at%208.54.42%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="880" data-original-width="1692" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoSv3BSKWs-OK7ZX8ui8pPwkwsNaB8n4F-K0n2Lo7b1dgrS7cCyv1x29MiNdij0oGXhajf1NiD7d4kzmankCazKj5d5PdGE3Ln_vbvWwotwJK84FWTVUj9hw7lujRnpdtUMi0B4j8DWR-8cRIioeJicFacZTRnaiG7ijkN8DCTYU7rsvMP45uNeNA5ww/w640-h332/Screenshot%202023-03-20%20at%208.54.42%20AM.png" width="640" /></a></div><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><span style="color: #9fc5e8; font-size: medium;">The ability to drive adaptable authentication requirements through a policy engine has always been a major selling point for WS1 Access. Its conditional access policies for each application are initially defined based on a user's AD group membership, general device type, and the IP range a request comes from. 
This contextual insight is extended to device posture through a simple integration with WS1 UEM that incorporates device compliance status into conditional access policies. Historically referred to as "conditional access based on device compliance," this functionality is achieved through a combination of certificate auth and UEM's device compliance policies. It's an option VMware has offered for about a decade now, functionality foundational to Zero Trust that's mandated by pretty much all sources on ZTA. For example, in <a href="https://research.google/pubs/pub43231/" target="_blank">BeyondCorp: A New Approach to Enterprise Security</a>, a similar approach to incorporating device context is called out, with unique certificates on managed devices used as a conduit to device information. "While the certificate uniquely identifies the device, it does not single-handedly grant access privileges. Instead, it is used as a key to a set of information regarding the device." </span></p><p><span style="color: #9fc5e8; font-size: medium;">Access can also ingest data from Workspace ONE Intelligence regarding device and login risk, further extending the contextual insight of its policy engine. Both scores are the results of analytics run against data collected into the Intelligence data lake from Access or UEM. Device Risk Score is driven by factors like OS patching, anomalous configuration and detected threats on a device. Login Risk Score "<a href="https://blogs.vmware.com/euc/2021/02/new-risk-indicator-in-workspace-one-intelligence.html" target="_blank">uses machine learning models to analyze past user login patterns and determine if a login attempt is anomalous</a>." Collectively, these risk scores are additional policy information points by which our conditional access policies can be further calibrated. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDiebcvfXiP8F3_bB0f4Bf73YSaGMAhfkk9mmiqcNvrnPDyOL4KHe25kk9GVc8tQPT_qOm67fRVhMDJA8DhUt8WDjtKROYOJYZWUQTFrnLAmTljURz5jsWuLWzW8uBfK1pCWtcV4wMpZR_j5mcPEefj4Jg1xyzgjWNql0p1HOdC1embcv7RY-T0ZDawA/s2656/Screenshot%202023-03-29%20at%209.51.20%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1248" data-original-width="2656" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDiebcvfXiP8F3_bB0f4Bf73YSaGMAhfkk9mmiqcNvrnPDyOL4KHe25kk9GVc8tQPT_qOm67fRVhMDJA8DhUt8WDjtKROYOJYZWUQTFrnLAmTljURz5jsWuLWzW8uBfK1pCWtcV4wMpZR_j5mcPEefj4Jg1xyzgjWNql0p1HOdC1embcv7RY-T0ZDawA/w640-h300/Screenshot%202023-03-29%20at%209.51.20%20AM.png" width="640" /></a></div><br /><br /><br /><br /><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><span style="color: #9fc5e8; font-size: medium;">Finally, there's my favorite bouncer Unified Access Gateway (UAG). Like any good bouncer it's lean on brains but intimidatingly hardened and experienced. Working in coordination with Access and Horizon Connection Server it guarantees all proxied Horizon display protocol traffic is on behalf of subjects vetted by conditional access policies. In this capacity it acts as a policy enforcement point (PEP) for remote Horizon Connections. Below is an illustration of how it facilitates SAML based authentication between Access and an internal Horizon environment prior to proxying display protocol traffic to a virtual desktop or RDS host. 
</span></div><div><br /></div><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-cGLWBSHC6U74Qkc1kf821i_AXZu-utUcbxT3hy60rFCGI7k_G6Nk-Gi3YsADNZx4PPnS9Wt2JQfFd2cWhnrcFSXeR7pPQh-1gJsVHd5T3lQvxBofEa2AFRaaRt6ujI4_Fl32g1bUL7bG4Oy1PbTI1tjvCS45Y7ZzeeNWt6tD4-snqzV1wPc9UD2i1g/s1396/Screenshot%202023-04-05%20at%204.10.38%20PM.png" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1066" data-original-width="1396" height="488" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-cGLWBSHC6U74Qkc1kf821i_AXZu-utUcbxT3hy60rFCGI7k_G6Nk-Gi3YsADNZx4PPnS9Wt2JQfFd2cWhnrcFSXeR7pPQh-1gJsVHd5T3lQvxBofEa2AFRaaRt6ujI4_Fl32g1bUL7bG4Oy1PbTI1tjvCS45Y7ZzeeNWt6tD4-snqzV1wPc9UD2i1g/w640-h488/Screenshot%202023-04-05%20at%204.10.38%20PM.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Setting Up Resources In VMware Workspace ONE Access</td></tr></tbody></table><br /><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><span style="color: #9fc5e8; font-size: medium;">The specific model above has been alive and well for over 6 years now, having replaced a legacy Security Server based model that itself was about 5 years old. Again, an example of Zero Trust functionality Horizon customers have had in place for about a decade. 
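As an added example that is not part of the original post and not VMware's code, here is a small Python model of the roles the last few paragraphs map onto the EUC stack: a policy engine fed by policy information points (the AD group, device type, source IP range, UEM compliance state and Intelligence risk scores listed above), a policy administrator that issues a session credential only once the required auth methods are satisfied, and a UAG-style enforcement point that proxies nothing it cannot verify. The PIP values, subjects, group name and signing key are constructed for the demo, and the HMAC-signed token is my stand-in for the SAML assertion Access actually issues; it is not how Access, UAG and Connection Server exchange authentication state.

```python
"""Toy model of the NIST SP 800-207 roles the post maps onto VMware EUC:
policy engine + policy administrator (WS1 Access), policy information
points (UEM compliance, Intelligence risk) and a policy enforcement point
(UAG). Added example, not VMware code: the PIP data is constructed, and the
HMAC token stands in for the SAML assertion Access really issues."""
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from dataclasses import dataclass

# --- Policy Information Points (constructed sample data) -------------------
UEM_COMPLIANCE = {"dev-001": "Compliant", "dev-002": "NonCompliant"}  # from UEM
DEVICE_RISK = {"dev-001": "Low", "dev-002": "High"}                    # from Intelligence
LOGIN_RISK = {"alice": "Low", "bob": "High"}                           # from Intelligence
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]             # "on network" ranges
HORIZON_GROUPS = {"Horizon-Users"}                                     # AD groups entitled to Horizon
KEY = b"demo-signing-key-not-for-production"                          # PA/PEP shared secret (assumption)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    device_id: str
    device_type: str   # "Windows", "macOS", "iOS", ...
    source_ip: str
    resource: str      # e.g. "horizon"


def policy_engine(req):
    """Criteria-based trust algorithm: every criterion must pass, and the
    request context decides how strong the authentication has to be."""
    if not (req.groups & HORIZON_GROUPS):
        return {"decision": "deny", "reason": "not entitled to resource"}
    if UEM_COMPLIANCE.get(req.device_id) != "Compliant":
        # Unknown or non-compliant device: "conditional access based on device compliance"
        return {"decision": "deny", "reason": "device not compliant"}
    if LOGIN_RISK.get(req.user) == "High" or DEVICE_RISK.get(req.device_id) == "High":
        return {"decision": "deny", "reason": "risk score too high"}
    required = ["Password", "DeviceCertificate"]   # certificate proves the managed device
    on_net = any(ipaddress.ip_address(req.source_ip) in n for n in CORPORATE_NETWORKS)
    if not on_net:
        required.append("MFA")                     # off network: step up
    return {"decision": "allow", "required_auth": required}


def policy_administrator(req, verdict, completed_auth, key=KEY, now=None, ttl=300):
    """Issues the session credential only after the PE allowed the request and
    the subject completed every required auth method. Returns None otherwise."""
    if verdict["decision"] != "allow" or not set(verdict["required_auth"]) <= set(completed_auth):
        return None
    now = time.time() if now is None else now
    claims = {"sub": req.user, "dev": req.device_id, "res": req.resource, "exp": int(now + ttl)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def policy_enforcement_point(token, resource, key=KEY, now=None):
    """UAG-style PEP: no policy logic of its own, it only proxies a session
    for a credential whose signature, resource and expiry check out."""
    try:
        body, sig = token.split(".")
    except (AttributeError, ValueError):
        return False                                # missing or malformed credential
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False                                # tampered or forged credential
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    return claims["res"] == resource and claims["exp"] > now


# Constructed sample subjects
ALICE_ONSITE = AccessRequest("alice", frozenset({"Horizon-Users"}), "dev-001", "Windows", "10.1.2.3", "horizon")
ALICE_REMOTE = AccessRequest("alice", frozenset({"Horizon-Users"}), "dev-001", "Windows", "203.0.113.7", "horizon")
ALICE_UNMANAGED = AccessRequest("alice", frozenset({"Horizon-Users"}), "dev-002", "Windows", "10.1.2.3", "horizon")
BOB_ONSITE = AccessRequest("bob", frozenset({"Horizon-Users"}), "dev-001", "Windows", "10.1.2.3", "horizon")


def walk_through(now=1000):
    """Runs each sample subject through PE -> PA -> PEP and returns whether
    the PEP would proxy the Horizon session."""
    cases = [("alice_onsite", ALICE_ONSITE, ["Password", "DeviceCertificate"]),
             ("alice_remote_no_mfa", ALICE_REMOTE, ["Password", "DeviceCertificate"]),
             ("alice_remote_mfa", ALICE_REMOTE, ["Password", "DeviceCertificate", "MFA"]),
             ("alice_unmanaged", ALICE_UNMANAGED, ["Password", "DeviceCertificate", "MFA"]),
             ("bob_onsite", BOB_ONSITE, ["Password", "DeviceCertificate", "MFA"])]
    results = {}
    for name, req, done in cases:
        verdict = policy_engine(req)
        token = policy_administrator(req, verdict, done, now=now)
        results[name] = policy_enforcement_point(token, "horizon", now=now + 60)
    return results


if __name__ == "__main__":
    for name, admitted in walk_through().items():
        print(f"{name:22s} -> {'session proxied' if admitted else 'blocked'}")
```

The point to take from the split is that the PEP never re-evaluates policy: if the compliance or risk inputs change, it is the PDP that stops issuing credentials, and the PEP's only jobs are to verify what it is handed and to refuse anything expired, tampered with or bound to a different resource.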
</span></div><div><p><span style="color: #9fc5e8; font-size: medium;">By encapsulating the Windows experience into a portable and secure service, Horizon provides a catch-all solution for extending Zero Trust capabilities to legacy Windows apps. Any Windows desktop experience or Windows app delivered through Horizon can be wrapped in modern auth that's driven by a contextual policy engine. This is no small feat. We're talking legacy applications that rarely support modern auth butting heads with the Zero Trust requirement for extended identity governance. Horizon bridges this gap to meet a fundamental requirement for ZTA. In addition, </span><span style="color: #9fc5e8;"><span style="font-size: medium;">there are many features of the stand-alone Horizon solution, such as Instant Clones, that clearly advance the pursuit of Zero Trust. Non-persistent Horizon models isolate an endpoint device from Windows workloads and introduce critical containment that reduces the blast radius of any potential compromise in terms of both space and time. The inherent security awesomeness of Horizon itself and its contribution to Zero Trust outcomes is something I will detail in a future post. </span></span></p><p><br /></p><p><span style="color: #cfe2f3; font-size: x-large;">A Clear Path Forward For Existing Horizon Customers</span></p><p><span style="color: #9fc5e8; font-size: medium;">Existing Horizon customers can progress towards Zero Trust adoption by making incremental improvements to their remote access experience for Windows workloads. This fulfills the immediate and practical need to support a hybrid workforce while developing capabilities for Zero Trust adoption across the board. Customers who own Horizon Universal licensing already have the key ingredients for getting started on this journey: Horizon, UAG and WS1 Access. These solutions meet core ZTA requirements and can later be augmented with UEM, Intelligence and Carbon Black. 
This process of wrapping Zero Trust security around your Windows experience is easily adapted to secure SaaS solutions like Office, Salesforce, ServiceNow, Workday or Google Workspace. </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmVpOTdbSUjgvVhpyO33aalvfOzSoDG8Xm5wh0uHu5-pYnWy5mJduK4S0Od5gBoNrsNj8wCvCiR_M8QVBlwHjOU1fWPD0HFxMpRINv6tYYxK0PtKPbN_b7-6QFNcPenInsc7FxBPDKb1BkAxqX8yqVtJ53JzhG5ztDKTHdCK_WoM1jA3uEdBo4QxH_AQ/s2558/Screenshot%202023-03-20%20at%2012.28.57%20PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1438" data-original-width="2558" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmVpOTdbSUjgvVhpyO33aalvfOzSoDG8Xm5wh0uHu5-pYnWy5mJduK4S0Od5gBoNrsNj8wCvCiR_M8QVBlwHjOU1fWPD0HFxMpRINv6tYYxK0PtKPbN_b7-6QFNcPenInsc7FxBPDKb1BkAxqX8yqVtJ53JzhG5ztDKTHdCK_WoM1jA3uEdBo4QxH_AQ/w640-h360/Screenshot%202023-03-20%20at%2012.28.57%20PM.png" width="640" /></a></div><br /><span style="color: #9fc5e8; font-size: medium;">With this framework in place you can increase SaaS adoption while expanding your Horizon deployment and shrinking the trusted network. Further, the path forward includes incremental wins along the way that are tangible and hold value in and of themselves, allowing you to eat this elephant one bite at a time. No one complains about having a unified catalog, and providing SSO only makes friends. MFA is something we all know is necessary, and extending its reach while minimizing disruption amounts to rolling up your sleeves and taking care of business. Right-sizing your security based on context is just good manners. Mandating device enrollment for sensitive services is hardly controversial. 
These steps represent small but very tangible wins as you progress along your Zero Trust journey. Eventually, in a perfect world, you'd have a combination of Horizon, Access, UEM, Intelligence, Carbon Black and NSX protecting workloads from endpoints to the data center. </span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Vy0aq9exEkpcJr7fRQEeOS9sxqnzmIfPnHAcWtnnnSFi4My5UNi4IKV_c1mf_UwDjN6l_Z6_Mjtk93PyIgNG8-t655yAyBIuGz6DFDgPPLNeEXGoeA7cfgm-LBWCSkFGh9gBMnz6d4apu8FRT4aKMQsKPx9TMs4UWM7fR832lk8MOsR5mOfVythblw/s1162/Screenshot%202023-05-12%20at%209.48.22%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="702" data-original-width="1162" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0Vy0aq9exEkpcJr7fRQEeOS9sxqnzmIfPnHAcWtnnnSFi4My5UNi4IKV_c1mf_UwDjN6l_Z6_Mjtk93PyIgNG8-t655yAyBIuGz6DFDgPPLNeEXGoeA7cfgm-LBWCSkFGh9gBMnz6d4apu8FRT4aKMQsKPx9TMs4UWM7fR832lk8MOsR5mOfVythblw/w400-h241/Screenshot%202023-05-12%20at%209.48.22%20AM.png" width="400" /></a></div><br /></div><div><div><p><span style="color: #cfe2f3; font-size: x-large;">Some Excellent VMware Collateral On Zero Trust Adoption </span></p><p><span style="color: #9fc5e8; font-size: medium;">VMware provides some very impressive guidance on Zero Trust, particularly in Tech Zone. 
With respect to NIST SP 800-207, EO 14028, and their impact on the federal space, there's a great article by Andrew Osborn called <a href="https://techzone.vmware.com/blog/incorporating-vmware-zero-trust-presidential-executive-order" target="_blank">Incorporating VMware Zero-Trust For the Presidential Executive Order</a>. It offers a summary of cybersecurity mandates and models created to guide federal agencies in their adoption of Zero Trust. These include CISA's <a href="https://zerotrust.cyber.gov/cloud-security-technical-reference-architecture/" target="_blank">Cloud Security Technical Reference Model</a> and <a href="https://www.cisa.gov/zero-trust-maturity-model" target="_blank">Zero Trust Maturity Model</a>. At the end of the article Andrew states, "VMware will be augmenting our solution alignment and future whitepapers to incorporate the new CISA foundational pillars." </span></p><p></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgiSY_3_7s3AnNbRMYdgxtEwNxgZ_Wmm-j4fUwFunT_eGXH83jA5VZlOmJO48NHfTjYlNFRc1Ndy9iiFQVAaKRXhxWkqu_N2JHRvJF4IObqtmgdj_Pk3B8OhC2-KJWBFVJ_DSAbhgVoEeSeN0-ZdTsYJEBtMuR2yqsTNADdKbTcj_9HsxBvqXqwsmxGnQ" style="margin-left: auto; margin-right: auto;"><img alt="" data-original-height="744" data-original-width="1094" height="272" src="https://blogger.googleusercontent.com/img/a/AVvXsEgiSY_3_7s3AnNbRMYdgxtEwNxgZ_Wmm-j4fUwFunT_eGXH83jA5VZlOmJO48NHfTjYlNFRc1Ndy9iiFQVAaKRXhxWkqu_N2JHRvJF4IObqtmgdj_Pk3B8OhC2-KJWBFVJ_DSAbhgVoEeSeN0-ZdTsYJEBtMuR2yqsTNADdKbTcj_9HsxBvqXqwsmxGnQ=w400-h272" width="400" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Zero Trust Maturity Model 2.0</td></tr></tbody></table><p></p><p><span style="color: #9fc5e8; font-size: medium;">True to this promise is one of my favorite articles on Zero Trust and Horizon, <a 
href="https://techzone.vmware.com/resource/zero-trust-secure-access-traditional-applications-vmware" target="_blank">Zero Trust Secure Access to Traditional Applications with VMware</a>. It provides a very thorough and exhaustive account of how different capabilities across the Anywhere Workspace stack can contribute to a Zero Trust architecture for legacy Windows applications. It organizes these capabilities according to 5 pillars of trust. They might look familiar to you.</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjggujUMqkFMVoTXvElZ2KdnVNv7bIwubta1z2NV_z5wZ5a6E62aUi9gEbwDoPubdyBLH-mCJgXouPK2xisdO5Y2CNVfh0nRhZg24Wq76oq59Xr2N8d-ltW4f8W4PZBUd4wh9aki5lHTCMEbvY3OwGpfW-1Sh65J2Zx6R1qlFNGb5WS1n7wDt3IrU5MYw" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="268" data-original-width="1463" height="118" src="https://blogger.googleusercontent.com/img/a/AVvXsEjggujUMqkFMVoTXvElZ2KdnVNv7bIwubta1z2NV_z5wZ5a6E62aUi9gEbwDoPubdyBLH-mCJgXouPK2xisdO5Y2CNVfh0nRhZg24Wq76oq59Xr2N8d-ltW4f8W4PZBUd4wh9aki5lHTCMEbvY3OwGpfW-1Sh65J2Zx6R1qlFNGb5WS1n7wDt3IrU5MYw=w640-h118" width="640" /></a></div><br /></div><div><span style="color: #9fc5e8; font-size: medium;">Along the same vein there's an article on the use of VMware Tunnel for access to on-premises web applications called <a href="https://techzone.vmware.com/resource/zero-trust-secure-access-premises-web-applications-vmware" target="_blank">Zero Trust Secure Access to On-Premises Web Applications with VMware</a>. Similar to the Horizon focused article, it provides a detailed and exhaustive account of the Anywhere Workspace capabilities that enable Zero Trust security for on-premises web apps. 
Finally, anything put out by <a href="https://blogs.vmware.com/euc/author/peter_bjork" target="_blank">Peter Bjork</a> is likely to further your understanding of Zero Trust capabilities offered by VMware. With extended identity governance at the core of Zero Trust, his expertise in WS1 Access is highly relevant. </span><p></p><p><br /></p><p><span style="color: #cfe2f3; font-size: x-large;">Conclusion </span></p><br /></div><div><span style="color: #9fc5e8; font-size: medium;">To quote Chief Justice Earl Warren, “Everything I did in my life that was worthwhile, I caught hell for.” Implementing Zero Trust isn't going to be fun, will involve a lot of work and invariably is going to frustrate some people. It's an interdisciplinary undertaking transcending traditional IT silos filled with hyper-focused specialists who don't get paid to think or care about the big picture. Success will require grit and confidence while striking a balance between the status quo and the need to transform security. In a situation like this a mature platform integrating a broad set of capabilities really shines. With the Anywhere Workspace we gain a guaranteed level of interoperability amongst the separate components needed to realize a Zero Trust architecture. Instead of sweating details about interoperation, why not pass the work off to a single vendor with a solution that has aligned with NIST guidance for over a decade, long before SP 800-207 was even published? It's a path forward most existing Horizon customers can pursue with components already owned and in place. 
</span></div></div>EvenGooder http://www.blogger.com/profile/02063688673110659593 noreply@blogger.com 0 tag:blogger.com,1999:blog-7411363718337372107.post-2316844538942818987 2022-11-30T09:53:00.009-08:00 2022-11-30T14:55:42.704-08:00 The Innovation And Current Limitations Of VMware's Universal Broker For Horizon<p><span style="color: #9fc5e8; font-size: medium;">VMware's Universal Broker allows Horizon users access to multiple Pods through a single URL, routing sessions based on resource availability, entitlements and shortest network paths. Traditionally, multi-site Horizon deployments require a combination of Cloud Pod Architecture (CPA) and 3rd party global load balancers to provide fluid failover and fall back. Universal Broker, part of the Horizon Control Plane, replaces these requirements with a purpose-built SaaS based offering. The solution leverages the control plane's privileged insight into Horizon environments to deliver more efficient and error free placement of Horizon sessions across Pods. This addresses shortcomings of traditional CPA/GSLB deployments while laying the groundwork for integrating Horizon deployments across various cloud vendors. 
</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjQzWNXDi2AMwvR0euSn4khdFpA8qeF3HjWaZzeaH4OB6ulXTucfXD7QdxY7yONcFyBKhyI97RJZOIQ-eE0wpGKGGQszaPyubLY-oiXUwy_2RxxoT-cxbsLSg8jNvmXBmFbtZI5tlVIxAvebi7d_UtGpwAI_Ztb-OPq3KIei2uh5-HXPUYWRp2bY-4XOg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="1274" data-original-width="1844" height="442" src="https://blogger.googleusercontent.com/img/a/AVvXsEjQzWNXDi2AMwvR0euSn4khdFpA8qeF3HjWaZzeaH4OB6ulXTucfXD7QdxY7yONcFyBKhyI97RJZOIQ-eE0wpGKGGQszaPyubLY-oiXUwy_2RxxoT-cxbsLSg8jNvmXBmFbtZI5tlVIxAvebi7d_UtGpwAI_Ztb-OPq3KIei2uh5-HXPUYWRp2bY-4XOg=w640-h442" width="640" /></a></div><br /><p></p><div class="separator" style="clear: both;"><span style="color: #9fc5e8; font-size: medium;"><span style="text-align: left;">All that said, there are certainly caveats and limitations to the solution. In fact, you might say there's a conga line of caveats and limitations. However, while the technology is currently going through an awkward teenage phase of sorts, overall it's a clever and compelling solution with a promising trajectory. It's not just a one-for-one replacement for</span> CPA and 3rd party GSLB. Universal Broker is an elegant innovation, a purpose-built SaaS based solution for Horizon that parlays environmental information from the control plane into more efficient and error free placement of sessions. Key to its efficacy is an innovative bifurcation of the Horizon protocol, with the primary and secondary protocols following separate network paths. This shift helps avoid the need for east-west replication traffic between Horizon Pods, as is the case with CPA. Further, it solves a particularly acute affliction with east-west inter-pod traffic called Horizon protocol hair-pinning, a potential pitfall for the traditional combination of CPA and 3rd party GSLB. 
Overall, Universal Broker simplifies and improves on-premises multi-site deployments while enabling the effective adoption of Horizon 8 cloud based workloads. It's also integral to the new next-gen Horizon Control Plane, currently supported for Horizon on Azure. This post will provide a brief overview of Universal Broker, the hair-pinning challenge it addresses, its setup for Horizon 8 environments and some current limitations. </span></div><div class="separator" style="clear: both;"><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><p><span style="color: #cfe2f3; font-size: large;">The Innovation Of Universal Broker For Horizon</span></p><p><span style="color: #9fc5e8; font-size: medium;">Along with making it easier to deploy and support, the cloudiness of Universal Broker is key to more efficient routing and placement of Horizon sessions across Pods. As part of the Horizon Control Plane it has privileged information about home sites, resource availability, and established sessions, affording its global load balancing functionality a greater degree of integration with Horizon. Traditionally, 3rd party GSLBs and CPA can at best be well coordinated with Horizon, but nothing near the synchronization achieved through Universal Broker. A further departure from the traditional model is how Universal Broker bifurcates <a href="https://techzone.vmware.com/resource/understand-and-troubleshoot-horizon-connections" target="_blank">Horizon protocol traffic</a> into two separate network paths. The primary Horizon protocol traffic, which handles authentication, travels between the client endpoint device and Universal Broker in the cloud. The secondary Horizon protocol traffic, the display protocol, traverses a second path between the client and the actual Horizon environment. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEig6Pg1FezAIx1BfmPjCgSqBWw3FPVxDCAGZ9yoioEdkoFeMVclMfmAimnR6ycsoQohHqv0Jjl46r-igpswMj0Q22JyMNKTrxF3SvVl2y_SRr5nh0udH_e4YM2gzGTmd2QwRXuGTtxCf96PKIHx6z0g9zS0vC2YmF2Ozd9T2jHvUQyWinKeX0_bODIllA" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="684" data-original-width="898" height="488" src="https://blogger.googleusercontent.com/img/a/AVvXsEig6Pg1FezAIx1BfmPjCgSqBWw3FPVxDCAGZ9yoioEdkoFeMVclMfmAimnR6ycsoQohHqv0Jjl46r-igpswMj0Q22JyMNKTrxF3SvVl2y_SRr5nh0udH_e4YM2gzGTmd2QwRXuGTtxCf96PKIHx6z0g9zS0vC2YmF2Ozd9T2jHvUQyWinKeX0_bODIllA=w640-h488" width="640" /></a></div><br /><p><span style="color: #9fc5e8; font-size: medium;">For context, below is a representation of the flow of Horizon protocol traffic for a normal remote Horizon connection. Typically the primary protocol traffic is over TCP port 443 from the endpoint client through the Unified Access Gateway (UAG) appliance on to the Connection Server. If this authentication is successful the Horizon secondary protocol kicks into gear, establishing a display protocol connection between the endpoint client and the virtual desktop. Under normal circumstances, using the Blast display protocol, this would consist of UDP 8443 traffic to the UAG appliance and UDP 22443 traffic from the UAG appliance to the virtual desktop. 
</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgRbOBXiMODWlnrpVbnVsCnBVQPI1704Q5_35tNSdL17qZmVxnbBHZ5qo2Ex_avlmP7AjxxnH7-Nx230gV6SBGb9M83GpZ3DdRfthzYRjIMjKgsh6tafrFAYJNQuai_QDmu9xf84d8JY-z6G93Vkgg0du6cktYlzjUk8oSo4egp4UOxppzzT--TeDLVgg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="476" data-original-width="904" height="210" src="https://blogger.googleusercontent.com/img/a/AVvXsEgRbOBXiMODWlnrpVbnVsCnBVQPI1704Q5_35tNSdL17qZmVxnbBHZ5qo2Ex_avlmP7AjxxnH7-Nx230gV6SBGb9M83GpZ3DdRfthzYRjIMjKgsh6tafrFAYJNQuai_QDmu9xf84d8JY-z6G93Vkgg0du6cktYlzjUk8oSo4egp4UOxppzzT--TeDLVgg=w400-h210" width="400" /></a></div><br /><p></p><p><span style="color: #9fc5e8; font-size: medium;">With Universal Broker the Horizon protocol is bifurcated, traveling across two separate network paths. The primary Horizon protocol consists of a connection directly against Universal Broker for authentication over TCP 443. After successful authentication the secondary Horizon protocol traverses a connection between the endpoint device and the Horizon Pod itself. Again, under normal circumstances for Blast it would be UDP 8443 to the UAG appliance and UDP 22443 from the UAG appliance to the virtual desktop. Overall, we're talking about two very separate network paths: one from the endpoint device to the Universal Broker service in the Control Plane and a second from the endpoint device to the Horizon environment itself. 
</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhxofyTMSQrG8QhCwsdjJtGEMWNij5s_SnMolMf3dQ5q1Busfg5G5VaOvUmYyk_v1gQve3xbJ-dNmEcKxixOk_Gu2rqgBu8ecCkw4msb2n3SuAj0OGj0WwG4FAqb4p4DoKGcojRlp3RE9ghdH2gh2n5YLTT6nNc_-sKv1dXqRaYWw1eb4bcaR_ZVq1jaA" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="478" data-original-width="902" height="213" src="https://blogger.googleusercontent.com/img/a/AVvXsEhxofyTMSQrG8QhCwsdjJtGEMWNij5s_SnMolMf3dQ5q1Busfg5G5VaOvUmYyk_v1gQve3xbJ-dNmEcKxixOk_Gu2rqgBu8ecCkw4msb2n3SuAj0OGj0WwG4FAqb4p4DoKGcojRlp3RE9ghdH2gh2n5YLTT6nNc_-sKv1dXqRaYWw1eb4bcaR_ZVq1jaA=w400-h213" width="400" /></a></div><br /><p></p><p><span style="color: #9fc5e8; font-size: medium;">So, when Universal Broker is in the mix the entire primary Horizon protocol connection is shifted and offloaded to the cloud. Though, relatively speaking, the vast majority of Horizon protocol traffic is secondary protocol traffic, this shift of the primary protocol traffic is still significant, simplifying support of initial connectivity. If a user fails to authenticate to their Horizon environment through Universal Broker you don't need to investigate site-specific challenges with providing external access to Horizon services. No load balancers to troubleshoot, no questions about client network connectivity to your on-premises environment and, if you leverage a subdomain of vmwarehorizon.com, no concerns about DNS records or expired certificates. All these typical primary protocol concerns are offloaded to Universal Broker. If the user is failing to see their entitlements, most likely they're fat-fingering their password or simply don't have access to the internet. 
By shifting the primary protocol exchange to the cloud, much of the nitty-gritty troubleshooting for remote connectivity is circumvented or at least simplified. </span></p><p><span style="color: #9fc5e8; font-size: medium;">The Horizon secondary protocol, the display protocol, is most relevant and impactful when it comes to user experience. Fortunately, the network path traversed by this protocol is established post-authentication based on Universal Broker's assessment. An optimum Horizon Pod is judiciously selected based on "insider information" regarding the status and configuration of the Horizon environment and entitlements. This leads to global load balancing that's better informed by the Horizon solution, providing a tighter integration than normally achievable. It's easy to appreciate this improvement when you consider an esoteric pitfall of the older traditional GSLB/CPA model: Horizon protocol traffic hair-pinning. </span></p><p><br /></p><p><span style="color: #cfe2f3; font-size: large;">Horizon Protocol Traffic Hair-Pinning - Ouch!</span></p><p><span style="color: #9fc5e8; font-size: medium;">For over a decade now VMware has offered a fully redundant Horizon architecture for customers who need a bulletproof, highly available Horizon deployment. It used to be referred to as "AlwaysOn Point Of Care" in homage to the healthcare customers that were particularly fond of the solution. Nowadays, it's considered just plain redundancy, or a Horizon Multi-Site architecture. Prior to Universal Broker, an absolute requirement for this architecture was some combination of a 3rd party global load balancer and Cloud Pod Architecture (CPA). The GSLB solution provides a single namespace for multiple sites, while CPA replicates entitlements, resource status and current session information between the separate Horizon Pods, providing minimal integration between otherwise fully redundant and independent Horizon environments. 
This ensures fluid failover and fall back in response to disruptions and outages, while also ensuring folks get properly routed according to home site preferences or pre-existing sessions. </span> <br /><br /><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjpLPx4Rh6fZDtBzVwMO2fEQLiGzPjIdcxyi0PpqJ73gKCJENGGGF_Eu3NZnpg23W7Id80Nnp52J5A3Amle2QuYSV9rlnnk8XhQs5sxBorLgGm9GzwjIBnS0QAuP9YvsQkpCOJ9T6ABkzW5M7O8Tz_rQlKOjfdRbRsHjLYKsIuP_ugW2B4--l2SG_YVtA"><img src="https://blogger.googleusercontent.com/img/a/AVvXsEjpLPx4Rh6fZDtBzVwMO2fEQLiGzPjIdcxyi0PpqJ73gKCJENGGGF_Eu3NZnpg23W7Id80Nnp52J5A3Amle2QuYSV9rlnnk8XhQs5sxBorLgGm9GzwjIBnS0QAuP9YvsQkpCOJ9T6ABkzW5M7O8Tz_rQlKOjfdRbRsHjLYKsIuP_ugW2B4--l2SG_YVtA=w581-h640" /></a><br /><br /><span style="color: #9fc5e8; font-size: medium;">This model has been good enough to make it through the last decade, but it has a couple of caveats that are less than ideal for traditional on-premises deployments and complete deal breakers for certain types of cloud based deployments. First off, it's predicated on network connectivity and east-west traffic between Horizon Pods, a requirement for replicating entitlements, resource availability and session status across separate environments. This is a potential challenge when you consider these Pods could be very far away from each other or on different clouds. 
</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgVo2HJpvkDzTV13cZ2AsgoIHK1l4efvNqKXJdKz08QF7RArxDkWFgfLLdqTy5KkWmbyzmEbbLbywLlaa336Z2A4K4Y2EGR2g1SyB539BIgnJsUfJkPhp_d-bAJ8LmaToV1y7hlm8-wMu7klv_5kaLo9mbOs2e81qkQInQTaP50Vjz2nefKljHXQlZkTA" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="264" data-original-width="822" height="206" src="https://blogger.googleusercontent.com/img/a/AVvXsEgVo2HJpvkDzTV13cZ2AsgoIHK1l4efvNqKXJdKz08QF7RArxDkWFgfLLdqTy5KkWmbyzmEbbLbywLlaa336Z2A4K4Y2EGR2g1SyB539BIgnJsUfJkPhp_d-bAJ8LmaToV1y7hlm8-wMu7klv_5kaLo9mbOs2e81qkQInQTaP50Vjz2nefKljHXQlZkTA=w640-h206" width="640" /></a></div><br /><p></p><p><span style="color: #9fc5e8; font-size: medium;">While CPA traffic isn't too extensive and is typically manageable, the need for east-west traffic between sites can really spike when remote connections through UAG appliances are in the mix and global load balancing isn't executed flawlessly. This ties back to UAG and how it handles the Horizon protocol. Traditionally you must have both the primary and secondary Horizon protocol traffic go through the same UAG appliance. In fact, outside of Universal Broker deployments, it's an absolute requirement. UAG's prime directive is to ensure all display protocol traffic it passes is on behalf of a strongly authenticated user. To achieve this it only passes secondary protocol traffic for sessions it has handled primary protocol traffic for. There's no way for UAG to communicate the authenticity of a Horizon user to other UAGs. So, under normal circumstances, the same UAG that handles primary protocol traffic must handle the secondary protocol traffic or the session will otherwise break. This is by design. 
Now, this requirement for UAG can have some rough consequences in the context of a traditional Horizon multi-site architecture. If the 3rd party global load balancer doesn't do a flawless job getting folks routed to the proper Pod, there's potential for an inefficiency referred to as Horizon protocol traffic hair-pinning. </span></p><p><span style="color: #9fc5e8; font-size: medium;">For example, say an organization has two Pods, one in New York and one in Los Angeles. Then a jet-setting banker working for that organization connects to his virtual desktop from a Manhattan penthouse. Accordingly, the GSLB routes him to the Horizon Pod in New York. He disconnects from his virtual desktop, kisses his wife and kids good bye, then jumps on a private jet with his mistress for a weekend getaway to Grand Teton National Park in Wyoming. When he reaches the hotel room in Wyoming he remembers, "oh shoot, I forgot a quick thing for work," then connects to his Horizon environment. The global load balancer sees he's in Wyoming and routes him to the closer California Pod. He hits the Horizon Connection Server in California and, through CPA, the Connection Server is aware of the banker's currently open session in New York. It routes him back to that currently open session. Great, except, because he initially connected to the California Pod through a UAG appliance in California, he has to continue using that UAG appliance. So his traffic has to go from Wyoming to California, then back across the US from the UAG appliance in California to the Horizon Pod in New York. An extreme but perfect example of Horizon protocol hair-pinning. Not only could it make for a lousy user experience, but it could lead to an excessive amount of east-west traffic beyond what's been planned for. 
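The banker scenario above, played out in Python as an added example (not code from this post or from VMware): the two Pods, the longitudes standing in for network distance and the banker's locations are constructed, and the broker's decision logic follows only what the post describes, so the model shows why the GSLB/CPA path hair-pins while the Universal Broker path does not.

```python
"""Model of Horizon session placement: traditional GSLB + CPA versus Universal Broker.

Constructed for illustration; it is not VMware code. Ports are the ones the post
cites: TCP 443 for the primary protocol, Blast UDP 8443 client->UAG and
UDP 22443 UAG->desktop for the secondary (display) protocol.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed pod inventory: pod name -> approximate longitude of its data center.
PODS: Dict[str, float] = {"NY": -74.0, "LA": -118.2}


@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    proto: str
    port: int


@dataclass
class Placement:
    serving_pod: str      # pod hosting the desktop session the user lands on
    uag_pod: str          # pod whose UAG carries the secondary (display) protocol
    hops: List[Hop]
    hairpinned: bool      # True when uag_pod != serving_pod


def pod_of(node: str) -> Optional[str]:
    """Pod a node belongs to ('UAG-NY' -> 'NY'); None for the client or the broker."""
    if node.startswith(("UAG-", "CS-", "desktop-")):
        return node.rsplit("-", 1)[1]
    return None


def nearest_pod(client_lon: float) -> str:
    """Stand-in for a geo-aware GSLB decision: the pod closest in longitude."""
    return min(PODS, key=lambda name: abs(PODS[name] - client_lon))


def gslb_cpa_placement(user: str, client_lon: float, sessions: Dict[str, str]) -> Placement:
    """Traditional model: GSLB picks the entry pod, CPA redirects to an existing
    session, but the entry UAG must carry the display protocol because it is the
    appliance that authenticated the user."""
    entry = nearest_pod(client_lon)
    hops = [
        Hop("client", f"UAG-{entry}", "TCP", 443),               # primary protocol
        Hop(f"UAG-{entry}", f"CS-{entry}", "TCP", 443),          # on to Connection Server
    ]
    serving = sessions.get(user, entry)                          # CPA knows open sessions
    hops += [
        Hop("client", f"UAG-{entry}", "UDP", 8443),              # Blast to the same UAG
        Hop(f"UAG-{entry}", f"desktop-{serving}", "UDP", 22443), # may cross to another pod
    ]
    return Placement(serving, entry, hops, hairpinned=(entry != serving))


def universal_broker_placement(user: str, client_lon: float, sessions: Dict[str, str]) -> Placement:
    """Universal Broker model as the post describes it: authenticate against the
    cloud broker first, then send the display protocol straight to the UAG in
    front of the pod the broker chose."""
    hops = [Hop("client", "universal-broker", "TCP", 443)]       # no UAG touched yet
    serving = sessions.get(user, nearest_pod(client_lon))        # broker sees session state
    hops += [
        Hop("client", f"UAG-{serving}", "UDP", 8443),
        Hop(f"UAG-{serving}", f"desktop-{serving}", "UDP", 22443),
    ]
    return Placement(serving, serving, hops, hairpinned=False)


def east_west_hops(p: Placement) -> List[Hop]:
    """Hops whose two ends sit in different pods: the inter-pod traffic to plan for."""
    return [h for h in p.hops
            if pod_of(h.src) and pod_of(h.dst) and pod_of(h.src) != pod_of(h.dst)]


def flows_to_allow(p: Placement) -> List[Tuple[str, str, str, int]]:
    """Distinct (src role, dst role, proto, port) tuples, useful for firewall rule review."""
    def role(node: str) -> str:
        return node.split("-", 1)[0]
    return sorted({(role(h.src), role(h.dst), h.proto, h.port) for h in p.hops})


if __name__ == "__main__":
    sessions = {"banker": "NY"}   # constructed: open session left behind in New York
    wyoming = -110.5              # constructed longitude for the hotel in Wyoming
    for label, place in (("GSLB+CPA", gslb_cpa_placement),
                         ("Universal Broker", universal_broker_placement)):
        p = place("banker", wyoming, sessions)
        print(f"{label}: via UAG-{p.uag_pod} to desktop in {p.serving_pod}, "
              f"hairpinned={p.hairpinned}, east-west hops={len(east_west_hops(p))}")
```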
</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhPaizNgZP5ZYJc-_1Poaq0253fJsVf3LLq4mW5l0qjuNNwqict75jgkKfxXmaAkNQTkIpUrEireUvREkG3PY75hNlG4N8v2KJ2wfv-2d3Cu7jx6j9peO4qI55COzMem8PKbXkq--Idw-7xK15lxs40247Z7PMbFDjvwTIcxjkTxdJWjb41XoUse6RVoA" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="823" data-original-width="1603" height="328" src="https://blogger.googleusercontent.com/img/a/AVvXsEhPaizNgZP5ZYJc-_1Poaq0253fJsVf3LLq4mW5l0qjuNNwqict75jgkKfxXmaAkNQTkIpUrEireUvREkG3PY75hNlG4N8v2KJ2wfv-2d3Cu7jx6j9peO4qI55COzMem8PKbXkq--Idw-7xK15lxs40247Z7PMbFDjvwTIcxjkTxdJWjb41XoUse6RVoA=w640-h328" width="640" /></a></div><br /><p></p><p><span style="color: #9fc5e8; font-size: medium;">This example is extreme, but by no means outside the realm of possibility. There are certainly ways you could fine-tune the coordination of your 3rd party global load balancer and Horizon environments to mitigate this challenge. (For instance, I've heard F5 has an APM module that can more accurately route a user to a Pod where they already have an established session.) However, I don't think creating a GSLB/CPA solution that's bulletproof is a cakewalk, and that's why this challenge is called out in the Tech Zone article <a href="https://techzone.vmware.com/resource/providing-disaster-recovery-vmware-horizon" target="_blank">Providing Disaster Recovery for VMware Horizon</a>. If you don't get things just right the impact could be fairly brutal on your user experience and networks, possibly in the middle of an outage, when hair-pinning challenges are the last thing you need. Particularly acute challenges arise when considering cloud hosted desktops. 
Both the <a href="https://techzone.vmware.com/resource/horizon-on-vmware-cloud-on-aws-architecture#" target="_blank">AWS</a> and <a href="https://techzone.vmware.com/resource/horizon-on-google-cloud-vmware-engine-architecture#" target="_blank">GCVE</a> guides warn against this potential hair-pinning. In these scenarios, hair-pinning has the potential to saturate capacity on NSX gateways and kill session density. Further, it could lead to some expensive and senseless traffic flow between on-premises and cloud environments. Accordingly, it's recommended to leverage Universal Broker instead of CPA for these Horizon 8 based cloud deployments. </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh8r2aNErVIk-suNKPVIVtCNm-lLTRw591p4lTDPmR53kCxJlO30vOq8j-ziGfgFZILOQf-ROHa3UOS9YodsDG-dCXHhAgfN_d_IAUglzyWn4qjKsHDY-dTYlDtec611JjZkkTGTh43fsgxOnh_6UZON4vSFOvkxCVDPVxegdorsILIB-MTN85yF9m9lw" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="476" data-original-width="1018" height="300" src="https://blogger.googleusercontent.com/img/a/AVvXsEh8r2aNErVIk-suNKPVIVtCNm-lLTRw591p4lTDPmR53kCxJlO30vOq8j-ziGfgFZILOQf-ROHa3UOS9YodsDG-dCXHhAgfN_d_IAUglzyWn4qjKsHDY-dTYlDtec611JjZkkTGTh43fsgxOnh_6UZON4vSFOvkxCVDPVxegdorsILIB-MTN85yF9m9lw=w640-h300" width="640" /></a></div><br /><p><span style="color: #9fc5e8; font-size: medium;">Despite working with Unified Access Gateway for over half a decade now, I was completely blindsided by this esoteric gotcha. It took a while for this challenge to sink in, but when it did, oh boy, did it! Fortunately, we can completely sidestep this potential pitfall by adopting Universal Broker. 
With Universal Broker, no traffic hits a UAG appliance until after there's been a successful authentication against the cloud and an ideal path has been determined. So, with the adoption of Universal Broker we avoid this esoteric, but real, pitfall with on-premises Horizon environments while laying the groundwork for successful multi-site adoption with cloud hosted virtual desktops. Speaking of cloud hosted desktops, let's talk about Universal Broker and its role in the next-gen Horizon Control Plane for Horizon on Azure.</span> </p><p><br /></p><p><span style="color: #cfe2f3; font-size: large;">Universal Broker And The next-gen Horizon Control Plane (Titan)</span></p><p><span style="color: #9fc5e8; font-size: medium;">For the next-gen Horizon Control Plane, currently limited to Horizon on Azure, Universal Broker is an essential built-in component. It plays a critical role in the transformation to a Horizon thin edge, helping eliminate the need to deploy Horizon Connection Servers within Azure. Instead, there's a lightweight deployment of a thin Horizon Edge on top of native Azure, consisting of only UAG appliances and Horizon Edge Gateways. The rest of the traditional infrastructure used to manage the Horizon environment is shifted to the next-gen Horizon Control Plane. This reduces consumption of Azure capacity while simplifying the deployment and maintenance of Horizon. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTi3jEyWYJ1dfnIzY9uGYLOI3KAW8EInPh_fKr_IJ73Uo2IZ3hcrNixL0m8FCM3Q_szNMs1wb6LO8biMeq9nSQ7ZSbONpmVW4LfuPv_bZXJKSZopfaApqRP-wG5OR1fdmE1hXggXs68_DtyUD-zoR1AEnP1kyp7saA78O5MgH9KA10XBOOuz-M9sWSOA/s904/Picture1.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="430" data-original-width="904" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTi3jEyWYJ1dfnIzY9uGYLOI3KAW8EInPh_fKr_IJ73Uo2IZ3hcrNixL0m8FCM3Q_szNMs1wb6LO8biMeq9nSQ7ZSbONpmVW4LfuPv_bZXJKSZopfaApqRP-wG5OR1fdmE1hXggXs68_DtyUD-zoR1AEnP1kyp7saA78O5MgH9KA10XBOOuz-M9sWSOA/w640-h304/Picture1.png" width="640" /></a></div><p><span style="color: #9fc5e8; font-size: medium;">Again, with this next-gen architecture Universal Broker is an absolute requirement, an integral part of this new model. So much so, it doesn't even get specifically called out in the <a href="https://techzone.vmware.com/resource/horizon-cloud-service-next-gen-architecture" target="_blank">next-gen reference architecture</a> or <a href="https://docs.vmware.com/en/VMware-Horizon-Cloud-Service---next-gen/services/hzncloud-nextgen.pdf" target="_blank">official documentation</a>. Its functionality requires no extra configuration and is assumed available as entitlements are created. While this new, stealthier iteration of Universal Broker is certainly easier to deploy, it's only available with the next-gen Horizon Control Plane, so it's limited to Horizon on Azure for now. For those leveraging Horizon 8 deployments on-premises or on top of various SDDC public clouds - AVS, GCVE, AWS - v1 of Universal Broker is still relevant. 
At Explore Europe 2022 VMware announced <a href="https://blogs.vmware.com/euc/2022/11/whats-new-with-vmware-horizon-at-vmware-explore-2022-europe.html" target="_blank">intent on extending next-gen architecture to Horizon 8</a>, but it's limited in scope as of today and there's no committed timeline for extending its newer iteration of Universal Broker to Horizon 8. In the meantime there's the traditional Universal Broker deployment that's been available for some time now and, while it's not as easy to deploy as v2, it's not rocket science.</span> </p><p><br /></p><p><span style="color: #cfe2f3; font-size: large;">Setting Up Universal Broker With My On-premises Lab </span></p><p><span style="color: #9fc5e8; font-size: medium;">Since the setup of Universal Broker for Horizon 8 is well documented, I'm just going to provide a high-level overview, call out some specific challenges, and include links to relevant documentation for those who want to get into the nitty-gritty. The official documentation calls out four major steps for setting up Universal Broker for Horizon 8 environments. 
Assuming you already have a current version of Horizon Cloud Connector up and running, the next steps are:</span></p><p></p><ol style="text-align: left;"><li><span style="color: #9fc5e8; font-size: medium;">Installing the Universal Broker Plugin on all Connection Servers </span></li><li><span style="color: #9fc5e8; font-size: medium;">Configuring your UAG appliances with the required JWT settings </span></li><li><span style="color: #9fc5e8; font-size: medium;">Enabling Universal Broker in your Horizon Universal Console </span></li><li><span style="color: #9fc5e8; font-size: medium;">Configuring multi-cloud entitlements within the Universal Console </span></li></ol><p></p><p><span style="color: #9fc5e8; font-size: medium;">Again, these steps are well documented in both the <a href="https://docs.vmware.com/en/VMware-Horizon-Cloud-Service/services/hzncloudmsazure-15-admin.pdf" target="_blank">official documentation for Horizon Cloud Control Plane</a> and a really nifty Tech Zone article called, "<a href="https://techzone.vmware.com/resource/configuring-universal-broker-horizon" target="_blank">Configuring Universal Broker For Horizon</a>." Below is an excellent graphical representation of the architecture. 
</span> </p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj_i3RQLgFyciIw5DzDjvuOqXDaR3JX0-QFzThVeCLzzoBHOE2--ThpyZX9F-yYQBnR6URPdCOxT8I3KR3pSHsMmq7g8qZ9WVsX32UY-yG7Nglj2m3ZKBgiSXlFaTCDV4quiYJZa-ILnbew46DD0mOTeLKaca3ryYw-Rh4dt-fXNU12WT9_IwSKAv3krA" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><img alt="" data-original-height="836" data-original-width="1136" height="470" src="https://blogger.googleusercontent.com/img/a/AVvXsEj_i3RQLgFyciIw5DzDjvuOqXDaR3JX0-QFzThVeCLzzoBHOE2--ThpyZX9F-yYQBnR6URPdCOxT8I3KR3pSHsMmq7g8qZ9WVsX32UY-yG7Nglj2m3ZKBgiSXlFaTCDV4quiYJZa-ILnbew46DD0mOTeLKaca3ryYw-Rh4dt-fXNU12WT9_IwSKAv3krA=w640-h470" width="640" /></a></div><br /><br /><p></p><p><span style="color: #9fc5e8; font-size: medium;">While in hindsight the configuration of UAG was relatively straightforward, I personally struggled with it. The relevant settings are configurable through the web interface for the UAG appliance by navigating to Advanced Settings and clicking the gear box for JWT. All the settings to input are in regard to the supported Horizon Pod itself and are specifically detailed <a href="https://docs.vmware.com/en/VMware-Horizon-Cloud-Service/services/hzncloudmsazure.admin15/GUID-9CB1F1C6-CFA7-4BAD-A930-D0E0413FBBFA.html" target="_blank">here in the documentation</a>. First off there's the cluster name of the Horizon Pod. Unless you've been supporting CPA, you've probably never been aware of this property. It's case sensitive, so use caution. (I had challenges with this portion of the setup because CPA had been enabled for my Pod in the past, though it currently wasn't in use. That had the effect of changing the name of the cluster that was displayed versus what was needed for the UAG setting.) 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRVqe6uLvzhzEvZ7TrjPpr3XtCnp5zFylufVDhUOuVxaLiAtJ8xkPh_wqxLmmEYQ91l8SSS0Ov8dXs7p6VYu8SAa7HQCLqdhWvszzuIe3s6YzAuC9J5d0qT875qcOa1X8ZrJEg5pAsg_NsZaGn6CxUlAFcrEfOUj2ZYIbCCvORb579BFBnAIW9ZwVLYg/s1482/Screen%20Shot%202022-11-29%20at%201.24.55%20PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="402" data-original-width="1482" height="174" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRVqe6uLvzhzEvZ7TrjPpr3XtCnp5zFylufVDhUOuVxaLiAtJ8xkPh_wqxLmmEYQ91l8SSS0Ov8dXs7p6VYu8SAa7HQCLqdhWvszzuIe3s6YzAuC9J5d0qT875qcOa1X8ZrJEg5pAsg_NsZaGn6CxUlAFcrEfOUj2ZYIbCCvORb579BFBnAIW9ZwVLYg/w640-h174/Screen%20Shot%202022-11-29%20at%201.24.55%20PM.png" width="640" /></a></div><br /><p><span style="color: #9fc5e8; font-size: medium;">Another setting I initially struggled with was the Dynamic Public Key URL. This essentially amounts to appending "/broker/publicKey/protocolredirection" to the internal FQDN of your Horizon Pod. (I would think it's always going to be the same FQDN used for your "Connection Server URL" under Horizon Edge settings.) Likewise, the "Public key URL thumbprints" value is the certificate thumbprint used by the FQDN leveraged for the Dynamic Public Key URL. (Again, probably the same as your Connection Server URL Thumbprint under Horizon Edge settings.) So, overall, the values are fairly similar to values you're already using for your UAG's Horizon settings, but they have weird fancy names that can throw you off. 
For context, here's the settings I typically use for my Horizon Edge settings:</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjewTIn9WIMNNbDl8T6Nr9XudyYKbgrzaRY_7mc5nGILX-idiueUISQYG3llMa7ZP4YrsqkxzHBgnoJRTUE-XguvzRBFILgEn05-pUpV1MxE0f8SXkoa9RnksFG-7XrHAyZ2GtGKa4QtB7ZvJs_gFWeGatSmF51Ge0jSpTBulb-d-ackzTJ_OX_nG8Wsw" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><img alt="" data-original-height="438" data-original-width="1326" height="212" src="https://blogger.googleusercontent.com/img/a/AVvXsEjewTIn9WIMNNbDl8T6Nr9XudyYKbgrzaRY_7mc5nGILX-idiueUISQYG3llMa7ZP4YrsqkxzHBgnoJRTUE-XguvzRBFILgEn05-pUpV1MxE0f8SXkoa9RnksFG-7XrHAyZ2GtGKa4QtB7ZvJs_gFWeGatSmF51Ge0jSpTBulb-d-ackzTJ_OX_nG8Wsw=w640-h212" width="640" /></a></div><br /><br /><p></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><span style="color: #9fc5e8; font-size: medium;">And here's the JWT settings for Universal Broker: </span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgM-3WjvN5sM7EU8ZrxU4E5xQ7cZ08UiRDH9RQrXbSECIOD9I9Z2P2CDJoqo9yIfHVoCBIfGw_cz9m_JsUwXKfPXvnwctL3Q1o9qACdznL1psoLd_K4RmHe_E0YGMedS0ySNPcEApu28EI22VAPyhesKO3r5ft_3IJFnVWttco-RTuoT-RPswJcn6fIig" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><img alt="" data-original-height="558" data-original-width="1322" height="270" src="https://blogger.googleusercontent.com/img/a/AVvXsEgM-3WjvN5sM7EU8ZrxU4E5xQ7cZ08UiRDH9RQrXbSECIOD9I9Z2P2CDJoqo9yIfHVoCBIfGw_cz9m_JsUwXKfPXvnwctL3Q1o9qACdznL1psoLd_K4RmHe_E0YGMedS0ySNPcEApu28EI22VAPyhesKO3r5ft_3IJFnVWttco-RTuoT-RPswJcn6fIig=w640-h270" width="640" /></a></div><br /><br /><p></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><span style="color: #9fc5e8; font-size: medium;">In hindsight it all makes sense enough 
but in the context of setting up a new solution it was a bit confusing at first. Another gotcha I bumped into was the need to define your desktop pools as "Cloud Managed" when initially creating them, prior to creating your multi-cloud assignments within the Universal Console. Fortunately, once you know to do this, the procedure is simple enough. As you're walking through the desktop pool creation wizard, check the box for "Cloud Managed" and you're good to go.</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj_QCRH4_4nCVYHFtTgYXCEheBBUmZ5RudyDg_5_K_pElp10tp2NdQz_d0yUwIQX9TR8pGrSA83FLojRGko89cUs7sgL4gRRnNIdVLh8gckXZxm_VRQJXhcbXxla-MN582e40f2UIeNJjCqbIm8SIaB-jUr7T_BWKWEFWYlN9KZ4prdBOTf8bS4JcPF3g" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><img alt="" data-original-height="540" data-original-width="970" height="357" src="https://blogger.googleusercontent.com/img/a/AVvXsEj_QCRH4_4nCVYHFtTgYXCEheBBUmZ5RudyDg_5_K_pElp10tp2NdQz_d0yUwIQX9TR8pGrSA83FLojRGko89cUs7sgL4gRRnNIdVLh8gckXZxm_VRQJXhcbXxla-MN582e40f2UIeNJjCqbIm8SIaB-jUr7T_BWKWEFWYlN9KZ4prdBOTf8bS4JcPF3g=w640-h357" width="640" /></a></div><br /><br /><p></p><p><span style="color: #9fc5e8; font-size: medium;">Again, there's a great article in Tech Zone that covers the setup of Universal Broker called, "<a href="https://techzone.vmware.com/resource/configuring-universal-broker-horizon" target="_blank">Configuring Universal Broker For Horizon</a>." I'm sorry to say I didn't learn about this article's existence until I was almost completely done with the setup. 
Instead, I slogged through the entire setup using the official documentation, "<a href="https://docs.vmware.com/en/VMware-Horizon-Cloud-Service/services/hzncloudmsazure-15-admin.pdf" target="_blank">Administration of Your Horizon Cloud Tenant Environment and Your Fleet of Onboarded PODs</a>." It was doable, just not the smooth and enjoyable guidance of a well put together Tech Zone article. </span></p><p><span style="color: #9fc5e8; font-size: medium;">Other portions of the setup were fairly straightforward. For instance, installing the Universal Broker Plugin was just a matter of locating the <a href="https://docs.vmware.com/en/VMware-Horizon-Cloud-Service/services/hzncloudmsazure.admin15/GUID-97F058B0-4E17-439E-8358-04CB5CB5D6F9.html#GUID-97F058B0-4E17-439E-8358-04CB5CB5D6F9" target="_blank">right version</a> for my Connection Servers, accepting defaults, and going next-next-finish. Configuring the Broker service in the Universal Console was easy and straightforward as well, particularly because I chose to go with a subdomain of vmwarehorizon.com rather than a customer provided FQDN. This avoids the need to generate any SSL certs or create any external DNS records, which I found to be a lovely convenience. (Otherwise, you can go with the customer provided option, then enter your own FQDN and provide a cert.) 
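Since the JWT settings described above (the Dynamic Public Key URL and the Public key URL thumbprints) are just a URL derived from your Connection Server FQDN plus a certificate pin, it pays to check them before typing them into the UAG admin UI; a thumbprint that doesn't match what the Connection Server actually presents fails quietly. The script below is an added example of mine, not code from this post, from VMware or from the UAG appliance. It assumes the public-key URL is the Connection Server URL with "/broker/publicKey/protocolredirection" appended (as described above), assumes UAG thumbprints are written as "sha1=" or "sha256=" followed by hex pairs separated by colons or spaces (an assumption about the input format, not taken from the documentation), and uses a constructed hostname and a constructed byte string as a stand-in certificate for the offline demonstration.

```python
"""Pre-flight check for the UAG JWT settings used by Universal Broker.

Added example; not VMware or UAG code. Assumptions (not from the post or
VMware docs): the Dynamic Public Key URL is the Connection Server URL with
"/broker/publicKey/protocolredirection" appended, and a UAG thumbprint is
"sha1=" or "sha256=" followed by hex digits separated by colons or spaces.
"""
import hashlib
import re
import ssl
from urllib.parse import urlsplit

PUBLIC_KEY_PATH = "/broker/publicKey/protocolredirection"
DIGEST_HEX_LEN = {"sha1": 40, "sha256": 64}


def dynamic_public_key_url(connection_server_url):
    """Derive the Dynamic Public Key URL from the Connection Server URL
    already used in the UAG Horizon Edge settings."""
    if "://" not in connection_server_url:
        connection_server_url = "https://" + connection_server_url
    parts = urlsplit(connection_server_url)
    # Keep only scheme and host[:port]; any path on the Edge URL is dropped.
    return f"{parts.scheme}://{parts.netloc}{PUBLIC_KEY_PATH}"


def thumbprint(der_cert, algo="sha1"):
    """Hash a DER-encoded certificate into the colon-separated thumbprint
    form that is entered in the UAG admin UI (format is an assumption)."""
    if algo not in DIGEST_HEX_LEN:
        raise ValueError("UAG thumbprints use sha1 or sha256")
    digest = hashlib.new(algo, der_cert).hexdigest()
    return f"{algo}=" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value):
    """Accept 'sha1=AB:CD..', 'SHA256=ab cd ..' or bare hex and return
    (algo, lowercase hex). Raises ValueError on malformed input so a typo in
    the UI field is caught instead of silently never matching."""
    text = value.strip().lower()
    algo, sep, hexpart = text.partition("=")
    if not sep:                      # no "algo=" prefix given
        algo, hexpart = None, text
    hexpart = re.sub(r"[^0-9a-f]", "", hexpart)
    if algo is None:                 # infer the algorithm from the digest length
        algo = next((a for a, n in DIGEST_HEX_LEN.items() if n == len(hexpart)), None)
    if algo not in DIGEST_HEX_LEN or len(hexpart) != DIGEST_HEX_LEN[algo]:
        raise ValueError(f"malformed thumbprint: {value!r}")
    return algo, hexpart


def thumbprint_matches(configured, der_cert):
    """True if the thumbprint typed into UAG pins the certificate actually
    presented at the Connection Server URL."""
    algo, expected_hex = normalize_thumbprint(configured)
    _, observed_hex = normalize_thumbprint(thumbprint(der_cert, algo))
    return expected_hex == observed_hex


def fetch_der_cert(host, port=443):
    """Fetch the leaf certificate the Connection Server presents. Chain
    validation is skipped on purpose: the thumbprint pin is the check here."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_jwt_settings(connection_server_url, configured_thumbprint):
    """Live check: derive the public-key URL and confirm the pinned thumbprint
    matches what the server really serves. Returns (url, ok)."""
    url = dynamic_public_key_url(connection_server_url)
    host, _, port = urlsplit(url).netloc.partition(":")
    der = fetch_der_cert(host, int(port) if port else 443)
    return url, thumbprint_matches(configured_thumbprint, der)


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; not a real certificate.
    fake_der = b"abc"
    print(dynamic_public_key_url("https://cs01.lab.example"))  # constructed hostname
    print(thumbprint(fake_der))
    print(thumbprint_matches("SHA1=A9 99 3E 36 47 06 81 6A BA 3E 25 71 78 50 C2 6C 9C D0 D8 9D", fake_der))
```

Against a real Pod you would call check_jwt_settings() with the Connection Server URL from your Horizon Edge settings and the thumbprint you intend to paste into the JWT settings; the offline functions are what the post's two confusing field names boil down to, and the normalizer is there because a stray space, upper-case hex, or a missing "sha1=" prefix is the usual reason a pin looks right but never matches.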
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBO8GbPH5nbJ64fBDvEQsFo6FKg_lc-4Cfum4t23w8iVe9FmFt_IGOVFSnzTVXyR_egxltUTFQ8AMbYxxPOWEP-clcOuoWS-udAYU-_x9En0RMjIDGqtl-MonS-MINVj6EBAuRtbQLeTdVwInu06U2B4z_2P7uPWYpqzloGf9338E4s6_wlEGTSUD37A/s1740/Screen%20Shot%202022-11-07%20at%2010.37.21%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="672" data-original-width="1740" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBO8GbPH5nbJ64fBDvEQsFo6FKg_lc-4Cfum4t23w8iVe9FmFt_IGOVFSnzTVXyR_egxltUTFQ8AMbYxxPOWEP-clcOuoWS-udAYU-_x9En0RMjIDGqtl-MonS-MINVj6EBAuRtbQLeTdVwInu06U2B4z_2P7uPWYpqzloGf9338E4s6_wlEGTSUD37A/w640-h248/Screen%20Shot%202022-11-07%20at%2010.37.21%20AM.png" width="640" /></a></div><br /><p><span style="color: #9fc5e8; font-size: medium;">With the plug-ins installed on your Connection Servers, UAGs properly configured and Broker enabled, you're ready to start creating your multi-cloud entitlements from the Universal Console. 
It's a relatively straightforward process, so I'll leave that to the official documentation.</span> </p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj_CbKOiV9YJHVSyqcYtjL3nP-_j2hDtqIqwkv67MPNYGtRPyggbFcfC3xCuQnl7EQ6gpyt-j-uz7eqLS3Xpfn9w73kDo8BBuQaS7mesEK-QiF-kCZ0ez1mZBv9CjYgS3yibSHovu0DEoW3rzN6-qQN98owRSL3j3Vkb5xor9o8qiwBKxpdU1-ThtTQOQ" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="1058" data-original-width="1430" height="296" src="https://blogger.googleusercontent.com/img/a/AVvXsEj_CbKOiV9YJHVSyqcYtjL3nP-_j2hDtqIqwkv67MPNYGtRPyggbFcfC3xCuQnl7EQ6gpyt-j-uz7eqLS3Xpfn9w73kDo8BBuQaS7mesEK-QiF-kCZ0ez1mZBv9CjYgS3yibSHovu0DEoW3rzN6-qQN98owRSL3j3Vkb5xor9o8qiwBKxpdU1-ThtTQOQ=w400-h296" width="400" /></a></div><br /><span style="color: #9fc5e8; font-size: medium;">One final thing I'd like to point out is that you can configure UAGs to support Universal Broker without disrupting their use for traditional UAG access to Horizon environments. So folks can continue to hit these UAG devices directly for access to traditional Horizon pools while, in parallel, they support access through Universal Broker. Further, while the local pools used for Universal Broker multi-cloud entitlements are configured from Universal Cloud, the entitlements made from the cloud trickle down to the local pools, so these local pools are also accessible through direct UAG connections. </span><p></p><p><br /></p><p><span style="font-size: large;"><span style="color: #cfe2f3;">Current Limitations Of Universal Broker</span> </span></p><p><span style="color: #9fc5e8; font-size: medium;"><span>While Universal Broker presents some interesting innovation and a compelling future, there are definitely some limitations. Most notably, Universal Broker v1 doesn't support application pools across multiple Pods. 
You can deliver a single Pod based application pool, but you're not going to get load balancing for application pools across multiple Pods. So, as far as v1 of Universal Broker is concerned, there isn't parity between application pools and virtual desktop pools. </span>Another limitation as of today is <a href="https://docs.vmware.com/en/VMware-Horizon-Cloud-Service/services/hzncloudmsazure.admin15/GUID-26FA255F-D0A3-48B4-8B4B-C8B9F9852A05.html" target="_blank">no support for mixing Horizon 8 based Pods and Horizon Cloud based Pods</a> (Horizon on Azure). So, for example, you can't have a multi-cloud entitlement that spans an on-premises Horizon 8 Pod and a Horizon on Azure environment. However, you could have a multi-cloud assignment that spans an on-premises Horizon 8 Pod and a Horizon 8 Pod running on top of AWS, GCVE or AVS. It comes down to whether your deployments use traditional Horizon 8 Connection Servers or not. If they do, they can share multi-cloud entitlements with one another. (Assuming they're not application pools.)</span></p><p><span style="color: #9fc5e8; font-size: medium;"><span>There are also challenges regarding support for stronger forms of authentication. Leveraging the built-in capabilities of UAG, there's support for RADIUS and RSA. However, there's no support for smart cards or certificate auth. Further, there isn't support for direct SAML integrations between UAGs and 3rd party IDPs, one of the fastest growing methods for strong authentication within the DMZ through UAG. So there's no support for direct integrations with IDPs like Okta, Ping or Azure. </span> That said, there is support for Workspace ONE Access, which in turn can be integrated with these 3rd party solutions. So Workspace ONE Access can be configured as a trusted IDP for Universal Broker, which in turn can leverage 3rd party solutions that have been configured as trusted IDPs for WS1 Access. 
(Kind of like the good old days before UAG started supporting direct integrations.) </span></p><p><span style="color: #9fc5e8; font-size: medium;">The integration of Universal Broker with WS1 Access makes for interesting discussion because there's a lot of confusion about whether the two solutions can replace each other. While there are some slightly overlapping capabilities in the two products, by and large they are complementary solutions with very different competencies. Sure, Workspace ONE Access is a way to provide users with a single URL for access to multiple Horizon PODs, but the solution is squarely focused on identity and wrapping modern authentication around Horizon access. It's by no means a global load balancing solution. Conversely, while Universal Broker can support strong authentication through RADIUS and RSA, its core competency is providing global load balancing based on shortest network path, assignments and current Horizon environment status. So, when you focus on the core competencies of each of these solutions, what they're really good at, combining the technologies is a possibility worthy of consideration. For a great overview of this integration, check out the section, "Workspace ONE Access And Horizon Integration," in the Tech Zone article, <a href="https://techzone.vmware.com/resource/platform-integration" target="_blank">Platform Integration</a>. Below is a great diagram of the integration. 
</span> </p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEj1aZ2u2_h8hEUsDU7yLZLS95yPUgell1Mr8FcABZnywPam_CXtSp6nLuK3kYsMK8GAyQlvfXX6la5ud1Gy-lacglC2M_GUen8I21hgxodpgaWZJhB4zLQ-scdYDWmftmeu90JTpOyQQDIxN63A4aUGNjpJjBVny9lkymHkY-CldkMtVXG4ES6AvWH1AA" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><img alt="" data-original-height="830" data-original-width="1042" height="510" src="https://blogger.googleusercontent.com/img/a/AVvXsEj1aZ2u2_h8hEUsDU7yLZLS95yPUgell1Mr8FcABZnywPam_CXtSp6nLuK3kYsMK8GAyQlvfXX6la5ud1Gy-lacglC2M_GUen8I21hgxodpgaWZJhB4zLQ-scdYDWmftmeu90JTpOyQQDIxN63A4aUGNjpJjBVny9lkymHkY-CldkMtVXG4ES6AvWH1AA=w640-h510" width="640" /></a></div><br /><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><span style="color: #9fc5e8; font-size: medium;">However, there's an important caveat to be aware of. With this WS1 Access integration, as it stands today, there isn't an option to configure unique WS1 Access policies for the multi-cloud entitlements supported by Universal Broker. Buried in the documentation, under a section called, "<a href="https://docs.vmware.com/en/VMware-Horizon-Cloud-Service/services/hzncloudmsazure.getstarted15/GUID-5F79C52F-4AE6-479C-8FCE-DEA251E78023.html" target="_blank">Horizon Cloud - Known Limitations</a>," it states, "access policies set in Workspace ONE Access do not apply to applications and desktops from a Horizon Cloud environment that has Universal Broker enabled." Instead, all the Universal Broker entitlements are protected by the default access policy of WS1 Access. Depending on your deployment this may or may not be a deal breaker. 
If you're using WS1 primarily for your Horizon deployment, and all your entitlements have the same access policy requirements, then having them all share the same default access policy could be feasible. However, if you need granularity in terms of your WS1 Access policies for these multi-pod assignments, say stricter requirements for some specific pools than others, this could be a problem. Or if you have a fairly mature WS1 Access deployment and want looser requirements for initial portal access it could be a challenge. For more granular WS1 Access policies to use for your desktop you need to fall back to Virtual App Collections which, unfortunately, are <a href="https://docs.vmware.com/en/VMware-Horizon-Cloud-Service/services/hzncloudmsazure.admin15/GUID-31C7340C-3021-444A-A231-F91995E41261.html" target="_blank">incompatible with Universal Broker</a>. </span></p><p><br /></p><p><span style="color: #cfe2f3; font-size: large;">The Trajectory Of Universal Broker And next-gen Horizon Control Plane</span></p><p><span style="color: #9fc5e8; font-size: medium;">As called out earlier in this post, VMware recently announced plans to extend the next-gen Horizon Control Plane to Horizon 8 environments for better support of hybrid deployments across on-prem and Azure. Given Universal Broker is transparent and built into the next-gen Control Plane, extending this new control plane architecture to Horizon 8 shows a lot of promise for addressing the limitations of Universal Broker v1 as of today. Right off the bat, the next-gen Horizon Control Plane supports application pool entitlements across multiple Pods, addressing a long standing limitation. Further, extending support to Horizon 8 certainly implies that challenges with multi-cloud entitlements across Horizon and Horizon Cloud PODs will be addressed. Finally, there certainly appears to be commitment to ironing out challenges combining Universal Broker functionality with Workspace ONE Access. 
With this next-gen architecture, use of an IDP is not only supported, but is <a href="https://docs.vmware.com/en/VMware-Horizon-Cloud-Service---next-gen/services/hzncloud.nextgen/GUID-3A04B401-6574-48F3-BD94-19B7C40E1C9B.html" target="_blank">an absolute requirement</a>. As of today there's a choice between WS1 Access or Azure. </span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjRdtWaTMzo7brr8Qcgf2M61ZaCaqpqpFkFt3frygB1UJz-JcPxGthqbJkdBUAwkt5HFmSELN4LgOOvbH826SVhG24-NUOoYYk8RqkuawGDh7N0t4uQo1-ehOnzv3-2pcmpuj3dbSgpk2SSZC6asbaBrHIz9FlMbH6ou9FUjX9TsndKXl1Pt0Upul6ivQ" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><img alt="" data-original-height="584" data-original-width="1224" height="306" src="https://blogger.googleusercontent.com/img/a/AVvXsEjRdtWaTMzo7brr8Qcgf2M61ZaCaqpqpFkFt3frygB1UJz-JcPxGthqbJkdBUAwkt5HFmSELN4LgOOvbH826SVhG24-NUOoYYk8RqkuawGDh7N0t4uQo1-ehOnzv3-2pcmpuj3dbSgpk2SSZC6asbaBrHIz9FlMbH6ou9FUjX9TsndKXl1Pt0Upul6ivQ=w640-h306" width="640" /></a></div><br /><br /><p></p><p><span style="color: #9fc5e8; font-size: medium;">Though there are no fixed promises made by VMware as of today, with this next-gen Horizon Control Plane and Universal Broker there's a clear trajectory towards addressing a lot of today's challenges. </span> </p><p><br /></p><p><span style="color: #cfe2f3; font-size: large;">Conclusion </span></p><p><span style="color: #9fc5e8; font-size: medium;">While there's work to be done and gaps to bridge, I'm still incredibly excited about the Universal Broker technology and think every Horizon admin should at least be familiar with it. 
In some ways it reminds me of Instant Clones circa 2016 or <a href="https://blogs.vmware.com/euc/2015/09/what-is-vmware-unified-access-gateway-secure-remote-access.html" target="_blank">UAG in 2015</a>, back when it was called "Access Point." Both these solutions seemed a little crackpot or science project-ish at the time. They weren't quite ready yet, not done baking till... they just were. Though we definitely had our reasons for being suspect or dubious upon their initial release, these solutions eventually rounded the corner and established themselves as standard technologies, core to the Horizon stack. I think the case will be the same for Universal Broker simply because it has a lot going for it. First and foremost, it's not a solution looking for a problem, but rather a purpose-built solution for addressing a Horizon-specific requirement. More notably, the way it solves this challenge from the cloud makes it both clever and easy to deploy, while lending Horizon admins a greater degree of autonomy. Eventually, its adoption will become the path of least resistance. I wouldn't necessarily implore admins to rip out their current working implementations of CPA/GSLBs and slam this technology in. However, as new multi-site implementations get stood up, I think the customer base will slowly migrate over to this new solution. By the time it becomes a new standard we probably won't even call it Universal Broker anymore. It will just be multi-cloud assignments through the Horizon Control Plane, something we take for granted. 
</span></p>EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com0tag:blogger.com,1999:blog-7411363718337372107.post-32488190533065652122022-08-03T07:34:00.028-07:002022-08-15T10:31:58.155-07:00If You Can't Bring Your Virtual Desktop To The Cloud, Bring Cloud To Your Virtual Desktop<p><span style="color: #9fc5e8; font-size: medium;">In late June of this year I had the honor of pre-recording a VMware Explore session with Todd Dayton and Cris Lau. The session, <a href="https://event.vmware.com/flow/vmware/explore2022us/content/page/catalog?src=so_6268770a5c653&cid=7012H000001KawBQAS&tab.contentcatalogtabs=1627421929827001vRXW&search=EUSB2079USD" target="_blank">"Can't Take Your Virtual Desktop To The Cloud? Bring Cloud To It</a>," focuses on ways to enhance on-premises Horizon environments with VMware hosted services. It stems from a recognition that shifting VDI capacity to the cloud is not quite feasible for many customers, at least not yet. As Todd puts it, "VDI really isn’t an application workload itself. It’s a support system for Windows applications that typically can’t or wouldn’t be modernized….These Windows applications aren’t always a great cloud candidate." So, sure, you can stuff any application in a cloud based desktop, but if it's too resource hungry, too latency sensitive, or generates too much ingress/egress traffic there could be problems. Performance or cost savings, or both, can take a serious hit. For this and other reasons lots of customers have decided to keep virtual desktop workloads on-premises. However, all is not lost. There's still plenty to gain from slathering cloud services on top of existing on-premises Horizon environments, shifting management, monitoring, and security to VMware's SaaS offerings. 
</span> </p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG-WJhWaG1V7qFeUYdJO8X_i_7KzBoIZHvAbDe0OgA81C-fT2XaIqVuLCnwx93S69pHi0w6QlUG8AVHFLGnXWih34Rt5KxO7cIR1ia0tb9FGZxxnozdjuVPOC7WG70odT6yB6RVZIipRKvfRP8JrElHTUAc-YxuEacd1Czo0NH1f3yTm9Mj2aGXysJFw/s1904/Screen%20Shot%202022-07-09%20at%209.00.48%20AM.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="1072" data-original-width="1904" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG-WJhWaG1V7qFeUYdJO8X_i_7KzBoIZHvAbDe0OgA81C-fT2XaIqVuLCnwx93S69pHi0w6QlUG8AVHFLGnXWih34Rt5KxO7cIR1ia0tb9FGZxxnozdjuVPOC7WG70odT6yB6RVZIipRKvfRP8JrElHTUAc-YxuEacd1Czo0NH1f3yTm9Mj2aGXysJFw/w640-h360/Screen%20Shot%202022-07-09%20at%209.00.48%20AM.png" width="640" /></a></p><p><span style="color: #9fc5e8; font-size: medium;">These VMware hosted services ease the burden of on-premises Horizon management while wrapping modern capabilities around traditional Windows workloads. For day 2 operations the Horizon Control Plane, with features like the Universal Horizon Console, Help Desk Tool, and Assist for Horizon, enables effective support from anywhere in the world. Further, a subset of the Horizon Control Plane called the Cloud Monitoring Service (CMS) offers high level monitoring and reporting against Horizon from the cloud, capabilities recently improved upon through Workspace ONE Intelligence for Horizon. Along with SaaS based support and monitoring there's the ability to <a href="https://www.evengooder.com/2021/10/Securing-Horizon-From-The-Cloud.html" target="_blank">enhance remote Horizon access with cloud based Workspace ONE and Carbon Black</a>. These services allow customers to wrap modern capabilities around Horizon sessions while facilitating adoption of 3rd party SaaS like Office 365, Okta, and ServiceNow. 
The end result is a comprehensive remote access solution, an on-premises Horizon environment augmented with cloud based services to deliver a digital workspace for remote and hybrid workers. </span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #cfe2f3; font-size: large;"><b>COVID-19 Brings Horizon Remote Access To The Foreground</b></span></p><p><span style="color: #9fc5e8; font-size: medium;">Horizon is more relevant than ever given the spike in remote and hybrid work driven by the pandemic. For nearly 15 years Horizon had been a relatively niche solution, adopted primarily by segments sensitive to security and regulations. Despite this narrow vertical adoption, over the years Horizon progressively improved at remoting Windows through updates to its clients, agents and the Blast display protocol. This finely tuned capability was an absolute godsend as customers scrambled to accommodate remote access in the early days of the pandemic.</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoE_FXUCWZbAc4eTOGv6V2mnIGt0b5rA1AHMZbXZ1alUzTT40ITyvmLaI6lvX7kpvJq5b_L5IEwQA58j_T4sPA6F2yPfSglOyPhz0eF4pByXH66xSk2-Emlta0osZdUxU6kgr1G1eOyc3LlC2SElffLWgX_s_zqxn1tKl7icZNYbYnD5IlFWtYAN0b6w/s1664/Screen%20Shot%202022-07-25%20at%2011.27.35%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="872" data-original-width="1664" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoE_FXUCWZbAc4eTOGv6V2mnIGt0b5rA1AHMZbXZ1alUzTT40ITyvmLaI6lvX7kpvJq5b_L5IEwQA58j_T4sPA6F2yPfSglOyPhz0eF4pByXH66xSk2-Emlta0osZdUxU6kgr1G1eOyc3LlC2SElffLWgX_s_zqxn1tKl7icZNYbYnD5IlFWtYAN0b6w/w640-h336/Screen%20Shot%202022-07-25%20at%2011.27.35%20AM.png" width="640" /></a></div><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><div class="separator" style="clear: 
both;"><span style="color: #9fc5e8; font-size: medium;"><span>While Citrix and Horizon are very similar solutions, a clear distinction emerges as one explores innovations for remote access. For Citrix, remote access centers around hardware based versions of Citrix ADC, the artist formerly known as NetScaler. You place these multipurpose network appliances in your DMZ and, as they are packed with impressive but for most customers largely extraneous features, they cost a small fortune. In contrast, remote access for Horizon is handled by a free and flexible software based solution, a virtual appliance called Unified Access Gateway (UAG). It's a <a href="https://www.youtube.com/watch?v=QcL0inoMkm8&t=2165s" target="_blank">mature bespoke technology for securing remote Horizon access</a> with a proven track record integrating with 3rd party solutions to beef up security. That said, it shines brightest when we combine it with the Workspace ONE suite to wrap functionality like identity and modern management around remote Horizon sessions. This approach enhances remote access from the cloud while allowing customers to purchase germane technology a la carte. </span></span></div><div class="separator" style="clear: both;"><span><br /></span></div><p><span style="color: #cfe2f3; font-size: large;"><b>VMware Hosted Services Wrap Comprehensive Security And Management Around Remote Horizon Access</b></span></p><p><span style="color: #9fc5e8; font-size: medium;">Over half a decade ago Workspace ONE UEM (AirWatch) was already shifting towards predominantly SaaS based adoption. There are certainly exceptions, but generally speaking Workspace ONE UEM is a cloud first solution. The same goes for Workspace ONE Access nowadays, as customers are entitled to a SaaS based tenant through their Horizon Universal subscriptions. 
Offering a unique integration of identity and endpoint management capabilities, WS1 UEM and Access combined offer amazing enhancements to remote Horizon access like contextual authentication, endpoint management, and SSO. This ideal model for remote and hybrid workers is further enhanced through Workspace ONE Intelligence. Intelligence, along with providing advanced reporting capabilities, enables <a href="https://www.evengooder.com/2021/06/Ruthless-Automation-With-WS1-Intelligence.html" target="_blank">ruthless automation</a> against WS1 UEM environments as well as any 3rd party solutions supporting REST APIs. Finally, Carbon Black, a VMware acquisition from 2019, provides cloud based next-gen antivirus for Windows 10 and macOS. When these VMware hosted services are combined with Horizon you get a solution ideally suited for remote and hybrid workers, a superb remote access Horizon experience augmented with mature cloud based security and management. </span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLYiL2XJgpjuj9J8PtTeS6fOuL5SMtfKrzT8Fl-0tAqiApX6yeKOHOn2LAirr6nENdUF_EWMuwmkN-0lBAlj4iVbC2WmqNNwqVgdUwZJ8-yFLHnsVTycEO33RqsnHhKI57cSRhcIWcFDndeRGyRy3uFnafLqnrZPkaTvOAf0LVFpHdeyA5O2YvuGjU_w/s2552/Screen%20Shot%202022-08-08%20at%207.47.57%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1080" data-original-width="2552" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLYiL2XJgpjuj9J8PtTeS6fOuL5SMtfKrzT8Fl-0tAqiApX6yeKOHOn2LAirr6nENdUF_EWMuwmkN-0lBAlj4iVbC2WmqNNwqVgdUwZJ8-yFLHnsVTycEO33RqsnHhKI57cSRhcIWcFDndeRGyRy3uFnafLqnrZPkaTvOAf0LVFpHdeyA5O2YvuGjU_w/w640-h270/Screen%20Shot%202022-08-08%20at%207.47.57%20AM.png" width="640" /></a></div><br /><span style="color: #9fc5e8; font-size: medium;"><br /></span><p></p><p><span style="color: #9fc5e8; font-size: medium;"><br 
/></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><br /><br /><br /></p><p><span style="font-size: medium;"><span style="color: #9fc5e8;">These</span><span style="color: #9fc5e8;"> SaaS offerings </span><a href="https://www.evengooder.com/2021/03/WS1-certificates-4-zero-trust.html" target="_blank">wrap remote Horizon sessions in modern capabilities like Zero Trust</a><span style="color: #9fc5e8;">, beefing up security for Windows applications that historically have been less than secure. Further, while these services are a natural fit for remote endpoints, we can also use them to manage virtual desktop images themselves. WS1 UEM can be used to manage persistent VDI and Carbon Black is supported on both Instant Clones and Full Clones. Likewise, WS1 Access can be used to secure SaaS adoption both inside and outside the virtual desktop.</span></span><span style="color: #9fc5e8; font-size: large;"> </span></p><div><br /></div><div><div><span style="color: #cfe2f3; font-size: large;"><b>Harnessing 3rd Party SaaS Based Solutions For An Enhanced Horizon Experience</b></span></div><div><br /></div><div><span style="color: #9fc5e8; font-size: medium;">When it comes to enhancing Horizon from the cloud it's not just about VMware hosted services, but also 3rd party SaaS like Office 365, Okta or ServiceNow. For over a decade <a href="https://www.youtube.com/watch?v=u-BplQf-V88&t=5s" target="_blank">WS1 Access</a> has made access to 3rd party SaaS easy and secure for Horizon users. Within the virtual desktop it offers incredibly convenient consumption of <a href="https://www.youtube.com/watch?v=SvppXbpv-5k" target="_blank">SAML</a> integrated applications through the WS1 portal or directly from any supporting Windows apps. 
</span><span><span style="color: #9fc5e8; font-size: medium;"> Outside the virtual desktop security can be fully addressed by WS1 Access and the rest of the Workspace ONE suite. As with Horizon, we can use the Workspace ONE suite to enhance and secure access to these SAML integrated solutions.</span> </span></div><div><span><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwxRr898Ga43lSZ3W4rdF_ISLzBrzoJUsHh8ZxH6VARtKN8pJZCP76HxKXu7BnKNIZdREO0FtLnGbp4gFloiGlWttKzgHVvUiby1lA6vQy1C_rikRvJ28Qab_umMTYudrRd1oCR2hRGDaIwADmFTP98X_EEWvXEhfhm5m6-fBpMpqHLsF7n_1FkXyZjA/s2610/Screen%20Shot%202022-08-07%20at%207.32.48%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1352" data-original-width="2610" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwxRr898Ga43lSZ3W4rdF_ISLzBrzoJUsHh8ZxH6VARtKN8pJZCP76HxKXu7BnKNIZdREO0FtLnGbp4gFloiGlWttKzgHVvUiby1lA6vQy1C_rikRvJ28Qab_umMTYudrRd1oCR2hRGDaIwADmFTP98X_EEWvXEhfhm5m6-fBpMpqHLsF7n_1FkXyZjA/w640-h332/Screen%20Shot%202022-08-07%20at%207.32.48%20AM.png" width="640" /></a></div><br /><span><br /></span></div><div><span><br /></span></div><div><span><br /></span></div><div><span><br /></span></div><div><span><br /></span></div><div><span><br /></span></div><div><span><br /></span></div><div><span><br /></span></div><div><span><br /></span></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><p><span style="color: #9fc5e8; font-size: medium;">In addition to enabling the adoption of cloud based service providers, there's the option to leverage solutions like Okta, Ping or Azure as identity providers. 
By configuring these services as trusted IDPs we can <a href="https://techzone.vmware.com/modernize-application-access?check_logged_in=1" target="_blank">leverage their authentication mechanisms for securing Horizon or any other Workspace ONE integrated application</a>. It's a way to beef up the already impressive set of Workspace ONE security capabilities, another way of bringing cloud to the desktop. </span></p><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEibNot6qJQUy0f5R03lxHGFPpRxcleHJ1NmYmP9fXBVTk7dmZQFjoNmTNl2XS1kFsoPYGOzChjqW0aHKVdDJ-wTVS9570lKbYGuTn1ZyGD3G2saZl61eJ-_v9rmsQ5QkJfuZDEbtw91qVNIKT8lVSHH45auNe7kepV6fP-1liMc9Cn61CzEK2FY5b-Jtw" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="1038" data-original-width="2506" height="266" src="https://blogger.googleusercontent.com/img/a/AVvXsEibNot6qJQUy0f5R03lxHGFPpRxcleHJ1NmYmP9fXBVTk7dmZQFjoNmTNl2XS1kFsoPYGOzChjqW0aHKVdDJ-wTVS9570lKbYGuTn1ZyGD3G2saZl61eJ-_v9rmsQ5QkJfuZDEbtw91qVNIKT8lVSHH45auNe7kepV6fP-1liMc9Cn61CzEK2FY5b-Jtw=w640-h266" width="640" /></a></div><br /><br /></div><br /><p><span style="font-size: large;"><span style="font-size: medium;"><br /></span></span></p><p><span style="font-size: large;"><span style="font-size: medium;"><br /></span></span></p><p><span style="font-size: large;"><span style="font-size: medium;"><br /></span></span></p><p><span style="font-size: large;"><span style="font-size: medium;"><br /></span></span></p><p><span style="font-size: large;"><span style="font-size: medium;"><br /></span></span></p><p><span style="font-size: large;"><span style="font-size: medium;"><br /></span></span></p><p><span style="color: #9fc5e8; font-size: medium;">Finally, there are two very interesting ways in which Workspace ONE Intelligence facilitates cloud adoption. 
First, through the Trust Network it can ingest threat events not only from Carbon Black, but also from other cloud based members of the Trust Network like Lookout. Second, events collected in the Intelligence data lake can trigger actions through automation connectors. Out of the box there are built-in connectors for WS1 UEM, Slack and ServiceNow; however, there's an option to create custom connectors for any solution that offers a REST API. </span></p><p><span></span></p><div class="separator" style="clear: both; text-align: center;"><span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWssVShq3U7W4e1ENrm2pyDxlbz61ri5MAScus4jMV-rWPUgKNv9Mgaufc_afl3Puo_Trlw0pMQC0KoAqiLFqOVid8foLiyvE6jwC9GN1NSRAmIkeVAicK1er33hD0Mt09Y_L_yBQlQ-6xewMB7RPSJrr-zYQADJ2r-Xb00iGje6jex-XiOs7FZeh9fw/s1432/REST%20API_calls.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="548" data-original-width="1432" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWssVShq3U7W4e1ENrm2pyDxlbz61ri5MAScus4jMV-rWPUgKNv9Mgaufc_afl3Puo_Trlw0pMQC0KoAqiLFqOVid8foLiyvE6jwC9GN1NSRAmIkeVAicK1er33hD0Mt09Y_L_yBQlQ-6xewMB7RPSJrr-zYQADJ2r-Xb00iGje6jex-XiOs7FZeh9fw/w640-h245/REST%20API_calls.png" width="640" /></a></span></div><p></p><p><span style="color: #9fc5e8; font-size: medium;"><span>These automation connectors represent an amazing opportunity to fine tune enhancement and support of Horizon environments from 3rd party cloud services. Horizon admins are usually grizzled veterans when it comes to scripting within the desktops. 
With Intelligence they can now turn their attention to scripting against SaaS, </span>automating REST API calls to 3rd party cloud solutions that are becoming increasingly relevant.</span></p><p><br /></p></div></div><p><span style="color: #cfe2f3; font-size: large;"><b>The Horizon Control Plane Services </b></span></p><p><span style="color: #9fc5e8;"><span style="font-size: medium;"><a href="https://techzone.vmware.com/resource/horizon-control-plane-services-architecture" target="_blank">Horizon Control Plane Services</a> enable day 2 support for on-premises Horizon environments from the cloud. Its Horizon Universal Console provides Horizon administration enterprise wide through a single web based URL while also providing global access to the Help Desk tool. So a support team, wherever they are in the world, without the need for direct network access to Horizon environments, can look up real time session details for any Horizon user. They'll also have the ability to troubleshoot through actions like killing processes or restarting VMs. If necessary there's even an option to remote into a virtual desktop using Workspace ONE Assist for Horizon. Finally, for more high level support and monitoring, "the big picture," there's the Cloud Monitoring Service (CMS). CMS provides health, capacity, and usage metrics for any cloud connected Horizon environment. (For example, if a certificate expires on a Horizon Connection server, this challenge will trickle up to the Horizon Universal Console through CMS.) The Universal Console, the Help Desk tool, Assist for Horizon and CMS all connect to on-premises environments through the Horizon Cloud Connector and clone Worker Node(s) that provide redundancy. 
</span><span style="font-size: medium;"> </span></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5bspcdsl6IpOK_KNtR3igP6ZkkPJ0GKG97oat0-WM3eXMYpKbPeHuAXzmIjbqB4Pc3lDbMjZ6LeZJcehKwhfyutQrej9w195gET3HZiw759ScnJRekL-VWxDRAXofNk_9wSyxsjUjwyyErRP8b2l1oBqesxasMMfsJKBA4EvQ7D3hzcGXPX6p65zVEw/s1156/Screen%20Shot%202022-07-21%20at%203.45.58%20PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1010" data-original-width="1156" height="350" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5bspcdsl6IpOK_KNtR3igP6ZkkPJ0GKG97oat0-WM3eXMYpKbPeHuAXzmIjbqB4Pc3lDbMjZ6LeZJcehKwhfyutQrej9w195gET3HZiw759ScnJRekL-VWxDRAXofNk_9wSyxsjUjwyyErRP8b2l1oBqesxasMMfsJKBA4EvQ7D3hzcGXPX6p65zVEw/w400-h350/Screen%20Shot%202022-07-21%20at%203.45.58%20PM.png" width="400" /></a></div><p><span style="color: #9fc5e8; font-size: medium;">While CMS provides high level insight, Workspace ONE Intelligence for Horizon provides additional detail, granularity and customization in terms of monitoring and tracking the health of your on-premises Horizon environments. This provides more in-depth support for day 2 operations while laying the groundwork for future Workspace ONE integration with Horizon.</span></p><p><br /></p><p><span style="color: #cfe2f3; font-size: large;"><b>Workspace ONE Intelligence For Horizon </b></span></p><br /><span style="color: #9fc5e8; font-size: medium;"><a href="https://techzone.vmware.com/blog/smarter-analytics-workspace-one-intelligence-horizon" target="_blank">Workspace ONE Intelligence For Horizon</a> was first announced during VMworld 2021 and as of July 28th, 2022 is <a href="https://blogs.vmware.com/euc/2022/06/workspace-one-intelligence-for-horizon-now-available.html" target="_blank">generally available</a>. This rounds out the overall strategy of porting information from all VMware EUC components into Intelligence. 
For someone that specializes in both Horizon and Workspace ONE this is welcome news. Intelligence has been offering advanced reporting and automation for WS1 UEM for years now and it's great to see VMware extend this functionality to Horizon. </span><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihky759IMkuupeaf7Pn-7dZONR8CgEiseKLz6imqO65pGBxHCEetSw34PQD3S4J-ScdeUosPOFQJJ7_vQ5jCStU0tfHX1-WqfY39hrg7LvanytEZpi1EgMZ_TDcafb7dMBVqU8yRkXAgx1qWWurNPaeFzaoxrdiZcDJCQSGp-wI5mUNsYXHG3N2BetpQ/s1948/Screen%20Shot%202022-07-27%20at%2011.44.58%20PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="972" data-original-width="1948" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihky759IMkuupeaf7Pn-7dZONR8CgEiseKLz6imqO65pGBxHCEetSw34PQD3S4J-ScdeUosPOFQJJ7_vQ5jCStU0tfHX1-WqfY39hrg7LvanytEZpi1EgMZ_TDcafb7dMBVqU8yRkXAgx1qWWurNPaeFzaoxrdiZcDJCQSGp-wI5mUNsYXHG3N2BetpQ/w640-h320/Screen%20Shot%202022-07-27%20at%2011.44.58%20PM.png" width="640" /></a></div><br /><div><br /></div><div><br /><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><br /></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">This first iteration provides built-in dashboards, custom reports, and custom dashboards, expanding beyond the canned reporting capabilities of CMS. We're talking boat loads of raw and relevant data regarding the health and performance of Horizon. 
Just to give you a taste of how vast this dataset is here are screenshots from Intelligence custom reports detailing visible attributes from Horizon PODs, Pools and VMs:</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS89Ybr4vN7bN0PMbYxgheFq_Ld-kokHXdbUEmRkyd5g2wqrGkiG1zP_RTdPQ7O7xOABetoRGATqbUwxEtUS1JBkCDWFlwTk4Y_UEisnoC-DZ5am2FoNqI2Rh6LJIPMXf_ZPTYPFwGAc4PPHJ5bhuVuhXzlb2JOuVzgw-CalMeGLxLNqF9iZwV9OWgLA/s2232/Screen%20Shot%202022-08-04%20at%204.54.39%20PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1128" data-original-width="2232" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS89Ybr4vN7bN0PMbYxgheFq_Ld-kokHXdbUEmRkyd5g2wqrGkiG1zP_RTdPQ7O7xOABetoRGATqbUwxEtUS1JBkCDWFlwTk4Y_UEisnoC-DZ5am2FoNqI2Rh6LJIPMXf_ZPTYPFwGAc4PPHJ5bhuVuhXzlb2JOuVzgw-CalMeGLxLNqF9iZwV9OWgLA/w640-h324/Screen%20Shot%202022-08-04%20at%204.54.39%20PM.png" width="640" /></a></div></div><div><br /><span style="color: #9fc5e8; font-size: medium;">Even more impressive and overwhelming are the available, "Session Snapshot," attributes:</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWAgKomm4yDdDrMXEMgouU0potyvDVK_aDRjT_x88emGrzGNibOSTHdyS_gdDEhKRtCoQu6EZqyE6ghtufhqR-Rgb3AaS5s9nweZh097rnKSYIt78pwS1Yhy81gYo66XnlZxGrOdVgkF-NLWPQAd7BQjLbeogmqGtsMrohDPm8HpQpWn72BBZf_ykQ2Q/s2574/Screen%20Shot%202022-08-04%20at%205.06.50%20PM.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1128" data-original-width="2574" height="280" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWAgKomm4yDdDrMXEMgouU0potyvDVK_aDRjT_x88emGrzGNibOSTHdyS_gdDEhKRtCoQu6EZqyE6ghtufhqR-Rgb3AaS5s9nweZh097rnKSYIt78pwS1Yhy81gYo66XnlZxGrOdVgkF-NLWPQAd7BQjLbeogmqGtsMrohDPm8HpQpWn72BBZf_ykQ2Q/w640-h280/Screen%20Shot%202022-08-04%20at%205.06.50%20PM.png" width="640" /></a></div><br /></div><div><span style="color: #9fc5e8; font-size: medium;">So yeah, there's a lot to work with here. While this info is relevant for Horizon health and performance monitoring across the board, it certainly rounds out the already impressive model of supporting remote Horizon access with cloud based services. When troubleshooting performance challenges with remote access it can provide critical network insight like display protocol packet loss and round trip latency, along with detailed information on virtual desktop resource usage. You also get invaluable context regarding general POD health and performance. Finally, you get the ability to slice and dice through this information with WS1 Intelligence customizable dashboards and widgets, allowing you to easily zero in on and visualize relevant data.</span></div><div><div><br /></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUYCRTcOb3Fm2e_z9uhSgiD8gj0uW902p3ze9BJ782vevxBcod9jTbrPmpq_1by9DjxmqIC6JsXHXPEmfdMM4S3KkxJ35Hzr4mA3641duUlTPgJWZlonOj_pVdtvNgtBIj38hruuXkZiaoayNVLoT3WnfGyICkE13ul5RqnVzXlBTFLs4q51RAeUTAhA/s1656/Screen%20Shot%202022-07-22%20at%205.39.07%20PM.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="1364" data-original-width="1656" height="528" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUYCRTcOb3Fm2e_z9uhSgiD8gj0uW902p3ze9BJ782vevxBcod9jTbrPmpq_1by9DjxmqIC6JsXHXPEmfdMM4S3KkxJ35Hzr4mA3641duUlTPgJWZlonOj_pVdtvNgtBIj38hruuXkZiaoayNVLoT3WnfGyICkE13ul5RqnVzXlBTFLs4q51RAeUTAhA/w640-h528/Screen%20Shot%202022-07-22%20at%205.39.07%20PM.png" width="640" 
/></a></div><div><br /></div><div><span style="color: #9fc5e8; font-size: medium;">The fact that we get this info enterprise wide from a cloud based service is quite compelling and affords Horizon customers an opportunity to really up their game in terms of monitoring Horizon performance. Further, as a cloud based service that leverages Horizon Cloud Connectors many customers already have in place, it's very accessible and easy to stand up. (It took me less than 15 minutes to get it working for my lab.) Finally, it comes standard with most of the new Horizon entitlements at no additional cost, so the price is right. </span></div><div><br /></div><div><br /></div><div><span style="color: #cfe2f3; font-size: large;"><b>A VMware Explore Session On Extending Cloud To The Virtual Desktop</b></span></div><div><p><span style="color: #9fc5e8; font-size: medium;">Though not everyone is ready to move their VDI workloads to the cloud, all existing Horizon customers stand to benefit from the adoption of VMware hosted services. These services, already available today, can be layered on top of existing Horizon environments non-disruptively and easily. These are the main takeaways of the Explore session, <a href="https://event.vmware.com/flow/vmware/explore2022us/content/page/catalog?src=so_6268770a5c653&cid=7012H000001KawBQAS&tab.contentcatalogtabs=1627421929827001vRXW&search=EUSB2079USD" target="_blank">"Can't Take Your Virtual Desktop To The Cloud? Bring Cloud To It</a>." It begins with an amazing introduction from Todd Dayton. He elaborates on the benefits of cloud adoption, challenges with Windows workload migrations to the cloud, and the ideal compromise of shifting Horizon management to the cloud. Then Cris Lau provides an impressive demo of the Horizon Universal Console, Help Desk tool, Assist for Horizon and Intelligence for Horizon. Finally, I wrap things up reviewing ways we can enhance remote Horizon access with cloud based Workspace ONE and Carbon Black. 
</span></p><p><a href="#"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh02u5w6rpzi1sZSttZNojSv0Q7Jknb6_Zlg4uMXenGHVpVWAyGC8SAruwBbgdH4yNZYU16TtdxSm4kJw8N8RlqWeN4vTMhOO1CfWPYg9od0cWcvoi9WpbB8jPX-aCBLFmTHo3Z4EyKYvgBBpYCD7gWfHjaeYoCqpVWwfF3PbkxGvMGNUhD39sN5E1xOw/w640-h360/Screen%20Shot%202022-07-10%20at%2010.05.01%20AM.png" /></a><br /><br /><span style="color: #9fc5e8; font-size: medium;">Also, one final anecdote. Todd pointed out that even if you're confident your virtual desktop workloads will eventually get migrated to the cloud, there's absolutely nothing lost if you start off with these cloud based enhancements to your on-premises environment today. It's not like you'd be burning any bridges or painting yourself into a corner. In fact, arguably you'd be stacking the deck in your favor for a successful workload migration by already having cloud based management services configured, adopted and in place. So there's really nothing to lose except the burden of managing on-premises resources. </span><br /></p></div></div></div>
EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com2tag:blogger.com,1999:blog-7411363718337372107.post-88847745632284164982022-05-03T20:14:00.020-07:002022-05-15T09:19:14.092-07:00Driving Horizon Automation With WS1 Intelligence, Postman, And The Horizon REST API
<p><span style="font-size: medium;"><span style="color: #9fc5e8;">Last year I published, "<a href="https://www.evengooder.com/2021/06/Ruthless-Automation-With-WS1-Intelligence.html" target="_blank">Ruthless Automation With Workspace ONE Intelligence</a>," an article highlighting the impressive automation capabilities of Intelligence. Well, in this post I'm going to detail adaptations to WS1 Intelligence that provide even ruthlesser automation! Huzzah! Using Postman webhooks and VMware's Unified Access Gateway you can amplify the sophistication and reach of Intelligence Custom Connectors. 
While any solution supporting a REST API may benefit from either enhancement, a Horizon on-premises environment benefits from both, making it an ideal use case to demonstrate. Traditionally Horizon has been out of reach from Intelligence automation but Postman webhooks and UAG's web reverse proxy capabilities combine to close the gap and enable the use of Custom Connectors for Horizon.</span></span></p><p><span style="font-size: medium;"></span></p><div class="separator" style="clear: both; text-align: center;"><span style="font-size: medium;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA10nbLOc7cLpFU5RBeIlH-TGaNebIyZBrTX4QWe_I0qQKxM3eaalUvG4iNbQD9jnY_GFNcviLZn7Ml9gMALCT9Wss6EfwLTcwKkUOlrjUBF0ZfqBYtQoi0ZA6i8AiEpSLR7pTB3jmq_CoVIowaZtpwVKXIWB3JqhhudeD-EcG8QwAd2cWbPcryPfj0g/s2678/Screen%20Shot%202022-05-13%20at%208.02.55%20PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1154" data-original-width="2678" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA10nbLOc7cLpFU5RBeIlH-TGaNebIyZBrTX4QWe_I0qQKxM3eaalUvG4iNbQD9jnY_GFNcviLZn7Ml9gMALCT9Wss6EfwLTcwKkUOlrjUBF0ZfqBYtQoi0ZA6i8AiEpSLR7pTB3jmq_CoVIowaZtpwVKXIWB3JqhhudeD-EcG8QwAd2cWbPcryPfj0g/w640-h276/Screen%20Shot%202022-05-13%20at%208.02.55%20PM.png" width="640" /></a></span></div><span style="font-size: medium;"><br /><span style="color: #9fc5e8;"><br /></span></span><p></p><p><span style="font-size: medium;"><span style="color: #9fc5e8;"><br /></span></span></p><p><span style="font-size: medium;"><span style="color: #9fc5e8;"><br /></span></span></p><p><span style="font-size: medium;"><span style="color: #9fc5e8;"><br /></span></span></p><p><span style="font-size: medium;"><span style="color: #9fc5e8;"><br /></span></span></p><p><span style="font-size: medium;"><span style="color: #9fc5e8;"><br /></span></span></p><p><span style="font-size: medium;"><span style="color: #9fc5e8;"><br 
/></span></span></p><p><br /><span style="font-size: medium;"><span style="color: #9fc5e8;"><span>In the illustrated solution </span></span><span style="color: #9fc5e8;">a REST API call is triggered by a defined event within the Intelligence data lake, as with any Custom Connector implementation. However, the call made from Intelligence is to a Postman webhook URL rather than directly to the Horizon environment. The webhook triggers an entire collection to run from the Postman cloud against the Horizon environment, an activity that's tracked and managed through a Postman Monitor. This allows Intelligence to trigger much more sophisticated REST API calls that are chained together and build upon each other, shifting complex logic to the Postman cloud where it's executed and tracked for fractions of a penny. Further, the reach of these calls from Intelligence is extended to an on-premises environment by using UAG as a web reverse proxy. This is critical for providing access to the Horizon REST API from the Postman cloud. The video below demonstrates both enhancements working in concert to integrate Intelligence and Horizon on-premises.</span><span> </span></span></p><div class="separator" style="clear: both; text-align: center;"><span style="font-size: medium;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/yoWMoD3R8g0" width="320" youtube-src-id="yoWMoD3R8g0"></iframe></span></div><div class="separator" style="clear: both; text-align: center;"><span style="font-size: medium;"><br /></span></div><span style="color: #9fc5e8; font-size: medium;">In the demo above, actions against the Horizon environment are triggered manually using a test feature of the Custom Connector built for Horizon. However, in the demo below, actions against Horizon are triggered by Carbon Black malware detection on an endpoint device, as dictated by a configured Intelligence automation workflow. 
</span><div><span style="font-size: medium;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><span style="font-size: medium;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/SdwPfKTpAUU" width="320" youtube-src-id="SdwPfKTpAUU"></iframe></span></div><div><span style="font-size: medium;"><br /></span></div><div><div><span style="color: #9fc5e8; font-size: medium;">Again, both Postman webhooks and UAG's web reverse proxy capabilities have the potential to enable or enhance integration between Intelligence and any other REST API, not just Horizon's. So a deeper understanding of these adaptations is useful beyond the Horizon use case and could be of interest to anyone looking to explore options for WS1 Intelligence Custom Connectors. </span></div><div><p></p><span style="color: #9fc5e8; font-size: medium;">This post reviews in depth an integration between Horizon and Intelligence, starting with the Postman client and Horizon REST API. It explains the logic behind API calls executed from Postman, followed by a discussion on how UAG, acting as a reverse proxy, enables communication between the Postman cloud and the on-premises Horizon environment. Further, it details the creation of webhooks in Postman as well as the configuration of Custom Connectors within Intelligence. Finally, it wraps up with a few security considerations and final thoughts. </span><p><span style="color: #9fc5e8;"><br class="Apple-interchange-newline" /><span style="font-size: x-large;">Getting Up To Speed On Postman</span></span></p><p><span style="color: #9fc5e8; font-size: medium;">Creating the Custom Connector detailed in this post definitely requires familiarity with Postman and REST APIs. Fortunately, the Postman website includes a <a href="https://learning.postman.com/docs/getting-started/introduction/" target="_blank">Learning Center</a> with incredibly helpful walk-throughs. 
Within minutes of reviewing this site I got my hands dirty with essentially the, "hello world," of Postman requests, postman-echo/get. This call leverages an open API server that doesn't require any kind of authentication, providing a very accessible introduction to REST API calls from the Postman client.</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIa_3Qxcl12oj-LSu7WPxw_N_yvAe70BQGSMyiL83tWWFRN0sFHMd3pfOCLvEqvO4isPwPdk5La23xSzCiX7w-eDDb6506bPraOoQHPqhgt9JSG3yETOVpFSnTJqGHAgtYY-Pec2PUHmgpbDBCtttkGOTObHi7Eecr8jQWcGDK8TknNpHy7ZB9eVnCPA/s1167/anatomy-of-a-request-v8.jpeg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="794" data-original-width="1167" height="435" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIa_3Qxcl12oj-LSu7WPxw_N_yvAe70BQGSMyiL83tWWFRN0sFHMd3pfOCLvEqvO4isPwPdk5La23xSzCiX7w-eDDb6506bPraOoQHPqhgt9JSG3yETOVpFSnTJqGHAgtYY-Pec2PUHmgpbDBCtttkGOTObHi7Eecr8jQWcGDK8TknNpHy7ZB9eVnCPA/w640-h435/anatomy-of-a-request-v8.jpeg" width="640" /></span></a></div><span style="font-size: medium;"><br /></span><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><br /></p><p><span style="color: #9fc5e8; font-size: medium;">Along with the Learning Center itself, there's enablement available from Valentin Despa on YouTube. 
He has a 3 part video series called, "<a href="https://www.youtube.com/watch?v=iFMLyMgCUTs&list=PLM-7VG-sgbtBBnWb2Jc5kufgtWYEmiMAw" target="_blank">Introduction To APIs</a>," providing an excellent overview of the how and the why of REST APIs and API clients like Postman. Then there's his 6 part, "<a href="https://www.youtube.com/playlist?list=PLM-7VG-sgbtAgGq_pef5y_ruIUBPpUgNJ" target="_blank">Intro To Postman</a>," series which I absolutely loved. After working through this series I found myself dangerous enough to start hacking together my desired solution.</span></p><div class="separator" style="clear: both; text-align: center;"><span style="font-size: medium;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/2oOSnxZ28fA" width="320" youtube-src-id="2oOSnxZ28fA"></iframe></span></div><p><span style="color: #9fc5e8; font-size: medium;">The series teaches that accessing a REST API from Postman can be as simple as executing a request against a single URL. However, for more complex operations you can chain multiple calls together in a collection. This allows you to take output from one call, then distill and leverage it during the execution of subsequent calls. Variables are passed from call to call, with JavaScript running within the Tests and Pre-request Scripts associated with each call. In a nutshell, your collection is a series of calls executed in a specific order, with chunks of JavaScript potentially performed before and after each call. Despa covers chaining in episode 5, "<a href="https://www.youtube.com/watch?v=4fULCou_7Wc&list=PLM-7VG-sgbtAgGq_pef5y_ruIUBPpUgNJ&index=5" target="_blank">Chain Requests</a>." </span></p><p><span style="color: #9fc5e8; font-size: medium;">Finally, since the Tests and Pre-request Script scripting is based on JavaScript, well, there's a whole internet out there to help you work through that. 
While I've executed Hello World in countless languages and have certainly gotten hot and heavy with VBScript and PowerShell, I had no prior experience with JavaScript. However, through Google-fu I was introduced to foreach loops and if statements, along with some variable management, and that was enough for me to get cooking with JavaScript. I think anyone with scripting experience could find themselves getting dangerous with Postman pretty quickly if they were motivated. </span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8; font-size: x-large;">The Horizon REST API </span></p><p><span style="color: #9fc5e8; font-size: medium;">Info on the Horizon REST API is available directly from the Horizon Connection Server by pointing your browser to https://<Your-Connection-Server-FQDN>/rest/swagger-ui.html. However, there's a must-see article available from VMware's Tech Zone, "<a href="https://techzone.vmware.com/resource/using-vmware-horizon-server-rest-api" target="_blank">Using The VMware Horizon Server REST API</a>," written by Chris Halstead. It provides an introduction to the Horizon REST API along with demonstrations on how to use its endpoints, "in combination to achieve your goals." Along with tons of useful information, it includes a link to sample collections that can be directly imported into your Postman workspace. The linked resource, available on VMware {code}, is called, "<a href="https://developer.vmware.com/samples/6432/postman-collection---horizon-7-rest-api" target="_blank">Postman Collection - Horizon REST API</a>." With Postman already open on my machine I clicked on the button, "Run In Postman," and voila, I had over 100 preconfigured calls to work with. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpnbAbJRy76qclilF5Q5nh-4CbtX-XtRWGidfu0Zu28LkKIwBRLh00gY7Lo5MhW4El0CuKkm1iYcKvFZA9dUcOTVeJnYUcXxoYuQCEh8DcUEgjBz4EsGSuIo1Lo61jLSY9hUbdRFZYWcrBtMnfROB-UaVFmCt3aM55j1tFMRU79cj_VjFbw4TNFk9HqA/s1452/Screen%20Shot%202022-04-23%20at%204.28.46%20PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="720" data-original-width="1452" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpnbAbJRy76qclilF5Q5nh-4CbtX-XtRWGidfu0Zu28LkKIwBRLh00gY7Lo5MhW4El0CuKkm1iYcKvFZA9dUcOTVeJnYUcXxoYuQCEh8DcUEgjBz4EsGSuIo1Lo61jLSY9hUbdRFZYWcrBtMnfROB-UaVFmCt3aM55j1tFMRU79cj_VjFbw4TNFk9HqA/w640-h318/Screen%20Shot%202022-04-23%20at%204.28.46%20PM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">Dang!!! Talk about making folks dangerous quick. With a free Postman account you can import these samples and begin making calls against your local Horizon environment in a matter of minutes. Just update a handful of collection level variables and you're off to the races. 
These variables are required to successfully execute a call to the login endpoint on the Connection Server. A successful call returns a token from the Horizon environment that is assigned to a global variable, which in turn is used by the rest of the sample calls for authorization. While some sample calls require additional information/parameters, many are immediately available once you've executed the login call successfully, such as all the Monitor samples. Other calls, arguably the more interesting ones, require additional info. For instance, the disconnect endpoint requires an active session ID from the Horizon environment to target its action. Chaining calls together to execute more complex actions like this is what we'll review next. </span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8; font-size: x-large;">The Basic Logic Behind My Collections</span></p><p><span style="color: #9fc5e8; font-size: medium;">All four collections associated with the Custom Connector detailed in this post follow the same basic logic, so we'll review just one of them in detail. The collection, "Disconnect Horizon Session," is made up of 5 different calls to the Horizon REST API, each of which was copied from Halstead's samples. The collection begins with a call to the <a href="https://developer.vmware.com/apis/1189/view-rest-api#/Auth/loginUser" target="_blank">login endpoint</a>; the token it returns is used to authorize the next 4 calls. Based on an AD username fed to the collection - more to come on that a bit later - the second call retrieves a list of AD accounts from the Horizon environment, finds the matching AD username, then passes the associated user_id to the next call via a global variable. This 3rd call retrieves a list of sessions from Horizon and finds the session associated with the targeted user_id. 
The matching session yields a session ID that's key to executing the final two calls to the <a href="https://developer.vmware.com/apis/1007#/Inventory/sendMessageToSessions" target="_blank">send-message</a> and <a href="https://developer.vmware.com/apis/1007#/Inventory/disconnectSessions" target="_blank">disconnect</a> endpoints. <br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEQr24HuRwp4l3j1iCmq_SQqMkInDAUUsxzGU8iYPfDEL1dqw5bgGxmJv8w8SVvGAr_wP0K54RlN_2gF_VwAfOfpPpNmXomCgh3QZiehmspfKmZR85Murvod9YSYRFdrH8opVb3CuuVs9RGoXb6dX7ADYBeBoRu5jftq0Wx7gQ2AFkTKPAWkplYP54NA/s1628/Screen%20Shot%202022-04-28%20at%208.07.56%20AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEQr24HuRwp4l3j1iCmq_SQqMkInDAUUsxzGU8iYPfDEL1dqw5bgGxmJv8w8SVvGAr_wP0K54RlN_2gF_VwAfOfpPpNmXomCgh3QZiehmspfKmZR85Murvod9YSYRFdrH8opVb3CuuVs9RGoXb6dX7ADYBeBoRu5jftq0Wx7gQ2AFkTKPAWkplYP54NA/w640-h398/Screen%20Shot%202022-04-28%20at%208.07.56%20AM.png" /></a><br /><br />The first 3 calls are the real workhorses of the collection, performing the critical task of locating the session ID to target. All the logic happens in either the Pre-request Script or the Tests associated with each call. 
For instance, here's the JavaScript used with the call to ad-users-or-groups: </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC_sfAny76gH0cR9rZSHmFZN_ACXXTuBZVwaDarzmzYFcfB3eIxEeJw7e0nVo0_ArRzMQ78OLvrgu2nGkkcXCA5SpvXLBMTBxvQGOf9bbLuVaiYA0CV99eh2iZDw6YprUNsk429WxU80mEI3sDaRsaZuy04I8qmCvbfTPzZhBfbwUUckSBevTo3UOGaQ/s1196/Screen%20Shot%202022-04-24%20at%2010.31.56%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="566" data-original-width="1196" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC_sfAny76gH0cR9rZSHmFZN_ACXXTuBZVwaDarzmzYFcfB3eIxEeJw7e0nVo0_ArRzMQ78OLvrgu2nGkkcXCA5SpvXLBMTBxvQGOf9bbLuVaiYA0CV99eh2iZDw6YprUNsk429WxU80mEI3sDaRsaZuy04I8qmCvbfTPzZhBfbwUUckSBevTo3UOGaQ/w640-h302/Screen%20Shot%202022-04-24%20at%2010.31.56%20AM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">In a nutshell, we're taking the response of our call to the ad-users-or-groups endpoint and saving it to jsonData. Then we're fetching the global variable "user" and storing its value in a local variable called targetUser. 
Finally, a forEach loop walks each object stored within jsonData, comparing its AD account name with the target username. If there's a match, the ID associated with that matching AD account is copied to a global variable called user_id. This user_id global variable is then consumed by the next call to the sessions endpoint. The sessions endpoint call uses pretty much identical JavaScript logic.</span></p><a href="#"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKV6Y-zlbtjKuku2qlPQYmmT6jKUR8tVXasvFLQFFr-UNza5nuuNP7TX16C-jextOHCkWyulHxSKGMHgmVp8caLV_ii0dzHgIwd_qQOCAhlm1Iwpn9YuUb84RZwc5fjr79NvurLbMEzAZMmDci2U0a_M4L3dEuRDOZMH-fxflmOgHnMwrEj5faYR-4PQ/w640-h352/Screen%20Shot%202022-04-24%20at%2010.45.23%20AM.png" /></a><br /><br /><span style="color: #9fc5e8; font-size: medium;">Looks familiar, right? The names have changed, but the logic is identical. The response to the sessions endpoint call is copied to jsonData. Then each object returned is searched for a matching user_id. When a match is found, that object's session ID is copied to the global variable SessionHunt. 
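</span></div><div><p><span style="color: #9fc5e8; font-size: medium;">As an added example (not the post's own Tests scripts), here is the lookup logic from both screenshots written as plain JavaScript functions that can be run and unit-tested outside Postman, with the pm.* glue for each request's Tests tab at the end. The Horizon response field names (login_name, group, user_id, session_state), the sample records, and the "prefer a CONNECTED session" rule are assumptions made for this example; confirm the fields against your Connection Server's swagger-ui.</span></p>

```javascript
// Added example, not the post's own Tests scripts: the lookup logic behind
// the ad-users-or-groups and sessions calls, written as plain functions so it
// can run outside Postman, plus the pm.* glue that would go in each Tests tab.
//
// ASSUMPTIONS (check them against /rest/swagger-ui.html on your Connection Server):
//   * ad-users-or-groups objects carry "id", "login_name" and a boolean "group"
//   * sessions objects carry "id", "user_id" and "session_state"

// Constructed sample response for the ad-users-or-groups call (not real data).
const SAMPLE_AD_USERS = [
  { id: "S-1-5-21-111-1001", login_name: "alice",     name: "Alice Example", group: false },
  { id: "S-1-5-21-111-1002", login_name: "bob",       name: "Bob Example",   group: false },
  { id: "S-1-5-21-111-2001", login_name: "vdi-users", name: "VDI Users",     group: true  },
];

// Constructed sample response for the sessions call (not real data).
const SAMPLE_SESSIONS = [
  { id: "session-aaa", user_id: "S-1-5-21-111-1002", session_state: "CONNECTED" },
  { id: "session-bbb", user_id: "S-1-5-21-111-1001", session_state: "DISCONNECTED" },
  { id: "session-ccc", user_id: "S-1-5-21-111-1001", session_state: "CONNECTED" },
];

// Tests-tab logic for ad-users-or-groups: walk jsonData with forEach and
// return the id of the AD *user* whose login name matches targetUser.
// The comparison is case-insensitive because AD login names are; groups are
// skipped because a group has no session to disconnect. Returns null when
// nothing matches rather than leaving a stale id behind.
function findUserId(jsonData, targetUser) {
  const wanted = String(targetUser || "").trim().toLowerCase();
  if (wanted === "") return null;
  let userId = null;
  jsonData.forEach((entry) => {
    if (entry.group) return;
    if (userId === null && String(entry.login_name).toLowerCase() === wanted) {
      userId = entry.id;
    }
  });
  return userId;
}

// Tests-tab logic for sessions: the same walk, keyed on user_id. A user can
// own more than one session object (a disconnected one and a live one, say);
// this prefers a CONNECTED session so the message actually reaches a screen.
function findSessionId(sessions, userId) {
  if (!userId) return null;
  const matches = [];
  sessions.forEach((s) => {
    if (s.user_id === userId) matches.push(s);
  });
  if (matches.length === 0) return null;
  const live = matches.find((s) => s.session_state === "CONNECTED");
  return (live || matches[0]).id;
}

// End-to-end resolution the collection performs across calls 2 and 3.
function resolveSession(adUsers, sessions, targetUser) {
  return findSessionId(sessions, findUserId(adUsers, targetUser));
}

// --- Postman glue. Paste the body of each function into that request's
// Tests tab; `pm` and `postman` exist only inside the Postman sandbox. ---
function adUsersTestsTab() {
  const userId = findUserId(pm.response.json(), pm.globals.get("user"));
  if (userId === null) {
    // Clear anything left by an earlier run and stop the collection run, so
    // send-message and disconnect never fire against a leftover SessionHunt.
    pm.globals.unset("user_id");
    pm.globals.unset("SessionHunt");
    postman.setNextRequest(null);
  } else {
    pm.globals.set("user_id", userId);
  }
}

function sessionsTestsTab() {
  const sessionId = findSessionId(pm.response.json(), pm.globals.get("user_id"));
  if (sessionId === null) {
    pm.globals.unset("SessionHunt");
    postman.setNextRequest(null);
  } else {
    pm.globals.set("SessionHunt", sessionId);
  }
}
```

<p><span style="color: #9fc5e8; font-size: medium;">Stopping the run on a miss matters more here than in a read-only collection: the two calls that follow act on whatever SessionHunt holds, so an unset variable is safer than a value carried over from the previous user.</span></p></div><div><span style="color: #9fc5e8; font-size: medium;">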
And then the fun begins, with the session ID getting fed to the next call to the endpoint session-message.</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span><a href="#"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7kp-2-1dw_ei60L35nDHnxpKoK3RM_BPBJDKlT9syZucOJOO5zSwKVrVMxt4jP_rg05uaUWfBWwoxRmHr9bi0974HEVRoWlk-mk4PQFGR3BI2IaHstiBrM0ESs9ddmcS_hZlV8tu9mKpmbCilzdLaeeoUoh_gB288RhKcbqP9QO_Qck-Ni8933ShPmA/w640-h288/Screen%20Shot%202022-04-24%20at%2010.52.26%20AM.png" /></a><br /><br /><span style="color: #9fc5e8; font-size: medium;">And boom, you've got a message getting sent to your user's session.</span></div><div> <br /><a href="#"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT_XSnwkW5RhjCuBTl4LN2uZ6i1emiwjJ1oJLlsHt-LuMM04EfJfnovzkImneJATYxxdQJ1U1BS9G2kAPMnM21yTIlBAIAhLOyh9x1rpA5ARk69o-3Ai0cMVsGNUCf-2qS1itXdxd0MZlpWFzU1sZs0tobMSMCf18AZWZ-ELFWCQDReqe1N002ze96yQ/w640-h456/Screen%20Shot%202022-04-24%20at%2011.58.19%20AM.png" /></a><br /><br /><span style="color: #9fc5e8; font-size: medium;">Finally, there's the actual disconnect. Similar to the send-message call, the SessionHunt global variable is used to target the action.</span></div><div> <br /><a href="#"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEichJ4NKJEZ-dqyIbGA_bnU2-vR58ISg94Ez88WeLc-3rCXL_l2SLfPQOyImAlX0cpm8UHLmqE_cVcI6gcZkORQ0h1QHSXFh3BuVCMHrfbyexe70uSv51yk9BtM90pt7-WZOA3P0ouhxA4QL1hDzeJEtayC0MOExERdKWYhMbyhmkgn9xiTj8HFOndchg/w640-h242/Screen%20Shot%202022-04-24%20at%2010.57.03%20AM.png" /></a><br /><br /><span style="color: #9fc5e8; font-size: medium;">And there you have it. <a href="https://www.youtube.com/watch?v=Z8uY79zQeak" target="_blank">Waka! Waka!</a> 5 REST API calls, 2 foreach loops, two if statements, a handful of variables later and you've got yourself a sweet little collection for automating the task of messaging and disconnecting a specific user. 
An entire collection like this can be executed in sequence by right-clicking on the collection and selecting the option, "Run Collection."</span><br /><br /><a href="#"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieteYCH3cEs0F2Lb0Zm4FBT_8TnAi4AdxktaE0WhgadaqGhPka5ACfC2tmOzn2JYuG-MOWornjxKKuBkFtYQiHLVAzwFtblj02ixnBEUJG1f1HK0S_cO_FcEMRDEljJqKMJi4_BdPdKDzGCW82zHVOVuSyb2cZTfEgLgiwawMYnm6qBi6metwvTFHzUQ/w400-h171/Screen%20Shot%202022-04-24%20at%2011.47.00%20AM.png" /></a><br /><br /><span style="color: #9fc5e8; font-size: medium;">Now, to make these actions accessible from Workspace ONE Intelligence, a first step is to make the Horizon REST API available to the outside world. While there are countless solutions for achieving this, I'm going to turn to one of my favorite and dearest pieces of technology, VMware's Unified Access Gateway. </span><br /><br /><p><span style="color: #9fc5e8; font-size: x-large;">Making Calls Remotely Against An On-Premises Horizon Environment Through UAG</span></p><p><span style="color: #9fc5e8; font-size: medium;">While not the most popular of use cases, Unified Access Gateway (UAG) can act as a web reverse proxy. It's been a feature for years now, originally developed to provide access to on-premises vIDM environments, but now available for any on-premises resource. For my lab, UAG plays the key role of making the Horizon REST API accessible to Postman, more specifically to Postman Monitors that live in the cloud and are triggered by webhooks. 
</span></p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6xO5VCybeu_Eg4T9rkixukeHb5Mw66Dtzhak7NxNfYkq6T_nqKptWHEIeSdWIsieLAS8a2vFRUOr6QscrDUuA3SqCRI547qmt4BPToK4u62G3kJki-4OzEZlbT2Dynehy6f1NCRh3JMVagXZZ-I1szBCz627SFy11g9r15Ir5pTzyktnLGPAuoBFkww/s400/Screen%20Shot%202022-04-25%20at%209.58.06%20AM.png" style="margin-left: 1em; margin-right: 1em; text-align: center;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="102" data-original-width="400" height="103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6xO5VCybeu_Eg4T9rkixukeHb5Mw66Dtzhak7NxNfYkq6T_nqKptWHEIeSdWIsieLAS8a2vFRUOr6QscrDUuA3SqCRI547qmt4BPToK4u62G3kJki-4OzEZlbT2Dynehy6f1NCRh3JMVagXZZ-I1szBCz627SFy11g9r15Ir5pTzyktnLGPAuoBFkww/w400-h103/Screen%20Shot%202022-04-25%20at%209.58.06%20AM.png" width="400" /></span></a></p><p><span style="color: #9fc5e8; font-size: medium;">Fortunately, the configuration as a reverse proxy is fairly straightforward. The trickiest part is configuring the <a href="https://docs.vmware.com/en/Unified-Access-Gateway/2106/uag-deploy-config/GUID-5AF13543-0547-40E6-BCF6-716AB2DD7694.html" target="_blank">proxy pattern</a>. 
To narrow down the reverse proxy functionality to only the REST API destination URL I went with this for a proxy pattern: (/rest(.*))</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG-9lkS-77A-bw-yeI5NFJgMq7rxfC_B_GZq25yLLVCscSNYg9blLlbzgGjaBL0oqm1-T3WH1FEOBI8veLIeffePeJUT8oIL8xkkW8OeDsu_hAsUbNEaifYMrD2vO9b6c-K-y8Q5S_v9Knk6de8HhdvK5wZGlf0l9u1PBeWRp1E-OHHY0rDodl97HyMQ/s1310/Screen%20Shot%202022-04-25%20at%2011.00.04%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="630" data-original-width="1310" height="309" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG-9lkS-77A-bw-yeI5NFJgMq7rxfC_B_GZq25yLLVCscSNYg9blLlbzgGjaBL0oqm1-T3WH1FEOBI8veLIeffePeJUT8oIL8xkkW8OeDsu_hAsUbNEaifYMrD2vO9b6c-K-y8Q5S_v9Knk6de8HhdvK5wZGlf0l9u1PBeWRp1E-OHHY0rDodl97HyMQ/w640-h309/Screen%20Shot%202022-04-25%20at%2011.00.04%20AM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">This prevents the reverse proxy from exposing the entirety of the Horizon Connection server to the outside world. Instead, only access to the REST API is possible when hitting the UAG appliance with a URI path that's matched to the destination url for the Horizon REST API. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSMMf9P_GEfLvUKdVeKAdPaJFORgD3JGJCTT0Rs_CaHtew4yowTb8Fuz4LTCUZ60RRbqH7_wiL3_WlAM09FEXORHVyx8RRJRskXV4EusdBH-M2sOwlT6RsB8YM_59CbsmgCWeHYqsMUaaV4vesRZ-O-3ncz65CKE_ptQJdKSREQLiOtMg5LubNZRyTkw/s1196/reverse_proxy.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="502" data-original-width="1196" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSMMf9P_GEfLvUKdVeKAdPaJFORgD3JGJCTT0Rs_CaHtew4yowTb8Fuz4LTCUZ60RRbqH7_wiL3_WlAM09FEXORHVyx8RRJRskXV4EusdBH-M2sOwlT6RsB8YM_59CbsmgCWeHYqsMUaaV4vesRZ-O-3ncz65CKE_ptQJdKSREQLiOtMg5LubNZRyTkw/w640-h268/reverse_proxy.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><span style="font-size: medium;"><br /></span></span></p><p><span style="color: #9fc5e8;"><span style="font-size: medium;">UAG's web reverse proxy capabilities give Postman Monitors access to the Horizon Connection Server's REST API, allowing us to run collections against the Horizon environment whenever they're triggered by Intelligence. With a collection configured in Postman and the reverse proxy in place, the next step is to create a webhook that triggers collection runs, which then reach Horizon through the UAG appliance. 
</span></span></p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipEj-rcsGWLyDREmBpxWO49VEyq-GXBsaXY9ubRXow92ZMeeALIpzreZwlmYvAE-mUCq-8yQkLjkL-HR3WZvoquc7dlRzxqngv19NP6-nistaX2yTq7kBKaqov995XLRYfeLJSPsTLZOlRq_Y9jkAL_6FXWHCvEzMwuYIaZqAIJJKxonjyGkvSeO-6lQ/s2506/Screen%20Shot%202022-04-28%20at%2011.35.44%20PM.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><span style="color: #9fc5e8;"><img border="0" data-original-height="1364" data-original-width="2506" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipEj-rcsGWLyDREmBpxWO49VEyq-GXBsaXY9ubRXow92ZMeeALIpzreZwlmYvAE-mUCq-8yQkLjkL-HR3WZvoquc7dlRzxqngv19NP6-nistaX2yTq7kBKaqov995XLRYfeLJSPsTLZOlRq_Y9jkAL_6FXWHCvEzMwuYIaZqAIJJKxonjyGkvSeO-6lQ/w640-h348/Screen%20Shot%202022-04-28%20at%2011.35.44%20PM.png" width="640" /></span></a></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8; font-size: x-large;"><span>Creating the Webhook To Your Postman Collection</span> </span></p><p><span style="color: #9fc5e8; font-size: medium;">While we can make calls directly to 3rd party REST APIs using a WS1 Intelligence Custom Connector, we can only make a single call at a time based on data already located within Intelligence. There's no option to probe these 3rd party REST APIs, collect some input, then process it in additional follow up calls. However, that's exactly what we need in order to do anything interesting with the Horizon REST API: chain multiple calls together. For instance, with the collection I walked through earlier, we're executing 5 different calls, passing variables from the first 3 calls to the final 2. To accommodate this challenge, we can leverage Postman webhooks to trigger a run of an entire collection stored in the Postman cloud. 
</span></p><p><span style="color: #9fc5e8; font-size: medium;">Creating a webhook generates a URL that can be called upon by a WS1 Custom Connector to trigger the collection associated with the webhook. Further, we can pass variables from the Intelligence data lake to the collection in the process of making a call to the webhook. In the case of the collection detailed earlier in this post, WS1 Intelligence passes an AD username to the collection through the webhook. While there's official documentation on webhooks in the Postman Learning Center, "<a href="https://learning.postman.com/docs/running-collections/collection-webhooks/" target="_blank">Triggering Runs With Webhooks</a>," I found this short and concise recorded presentation on YouTube, "<a href="https://www.youtube.com/watch?v=wdLvXKkXhLk" target="_blank">Postman Webhooks</a>," to be really helpful. (There's also a very interesting, though much longer, YouTube video on Postman webhooks called, "<a href="https://www.youtube.com/watch?v=O23L_ctTEzQ" target="_blank">Automate All The Things With Webhooks</a>.") </span></p><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/wdLvXKkXhLk" width="320" youtube-src-id="wdLvXKkXhLk"></iframe></span></div><p><span style="color: #9fc5e8;"><span style="font-size: medium;">As you can see in the video, a webhook is created using the Postman API and an endpoint called <a href="https://documenter.getpostman.com/view/12959542/UV5XjJV8?_ga=2.97775519.1089200199.1650733259-1380970461.1647446583#8bec7537-cc5d-4ed7-a995-c7753e55ed28" target="_blank">webhooks</a>. Making this call successfully requires a workspace ID, an API key for your Postman account, and the UID of the collection you want to trigger with the webhook. 
Locating your workspace ID is easy enough, as you can see in the guidance <a href="https://learning.postman.com/docs/collaborating-in-postman/using-workspaces/managing-workspaces/#getting-the-workspace-id" target="_blank">provided here</a>. Generating an API key is fairly straightforward and is one of the first things covered in the official <a href="https://learning.postman.com/docs/developer/intro-api/" target="_blank">documentation for the Postman API</a>. Once you have generated and copied this key, you can use it to obtain the required collection UID from the Postman API's <a href="https://documenter.getpostman.com/view/12959542/UV5XjJV8?_ga=2.97775519.1089200199.1650733259-1380970461.1647446583#c705956d-1005-4fbc-803c-b6b985242a85" target="_blank">collections</a> endpoint. To make a successful call against this endpoint you need to include the API key in the header, populating it as the value for the key, "x-api-key." </span><br /><br /><a href="#"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT9Gsdn2GPMjG9Qok4ENtzUviZ_X7_Fy72mIWE7oilK11nobu4dz7uTfFoxlio0qG3iGbvnUAvcedHB9yfKRyYuYby0Xzs48bEPG3X1JxBS7LDbTpNZVvQFwMBdkKoXnSjxZ8htHgGKUKriMA0cE5llAvPgapOgk2tPFU_9IWSOKVV9HNy90EHj0GIiw/w400-h149/Screen%20Shot%202022-04-26%20at%208.42.18%20AM.png" /></a><br /><br /><span style="font-size: medium;">With this header in place, the call returns a response with info about all your collections, including the UID for the specific collection you want to trigger with your webhook. With the collection UID and workspace ID in hand you can create your webhook, populating the body of your request with the UID and adding the workspace ID as a parameter. (As with the call to the collections endpoint, you'll need to include the API key in the header.) Successful execution will yield a webhook URL that can be called upon to trigger your collection. 
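</span></span></p><p><span style="color: #9fc5e8; font-size: medium;">The two Postman API calls just described (the collections lookup, then the webhook creation), as an added example that is not from the post: request builders and response parsers that can be checked offline against constructed responses, plus an optional live runner that reads the API key from the POSTMAN_API_KEY environment variable. The endpoint paths, the x-api-key header and the webhookUrl response field are those of the Postman API; every ID, name and URL in the samples is a constructed placeholder.</span></p>

```javascript
// Added example, not the post's own Postman calls: the collections lookup and
// webhook creation described above, as plain request builders and response
// parsers (offline-testable) plus an optional live runner (Node 18+ fetch).
// Endpoint paths and field names are the Postman API's (api.getpostman.com);
// the sample IDs, names and URLs below are constructed placeholders.

const POSTMAN_API = "https://api.getpostman.com";

// GET /collections, authenticating with the API key in the x-api-key header.
function buildCollectionsRequest(apiKey) {
  return {
    method: "GET",
    url: `${POSTMAN_API}/collections`,
    headers: { "x-api-key": apiKey },
  };
}

// Pick the UID (owner id + collection id) of the collection to trigger.
// Returns null rather than guessing when the name is absent or ambiguous.
function findCollectionUid(collectionsResponse, collectionName) {
  const hits = (collectionsResponse.collections || []).filter(
    (c) => c.name === collectionName
  );
  return hits.length === 1 ? hits[0].uid : null;
}

// POST /webhooks?workspace=<id> with the collection UID in the JSON body.
function buildWebhookRequest(apiKey, workspaceId, collectionUid, webhookName) {
  return {
    method: "POST",
    url: `${POSTMAN_API}/webhooks?workspace=${encodeURIComponent(workspaceId)}`,
    headers: { "x-api-key": apiKey, "Content-Type": "application/json" },
    body: JSON.stringify({ webhook: { name: webhookName, collection: collectionUid } }),
  };
}

// The trigger URL comes back as webhook.webhookUrl. Anyone holding this URL
// can run the collection, so treat it like a credential, not like a link.
function extractWebhookUrl(webhookResponse) {
  const url = webhookResponse && webhookResponse.webhook && webhookResponse.webhook.webhookUrl;
  return typeof url === "string" && url.startsWith("https://") ? url : null;
}

// Constructed sample responses (shapes only; all IDs are placeholders).
const SAMPLE_COLLECTIONS_RESPONSE = {
  collections: [
    { id: "11111111-aaaa-4bbb-8ccc-000000000001", name: "Disconnect Horizon Session",
      owner: "00000000", uid: "00000000-11111111-aaaa-4bbb-8ccc-000000000001" },
    { id: "11111111-aaaa-4bbb-8ccc-000000000002", name: "Horizon Monitor Samples",
      owner: "00000000", uid: "00000000-11111111-aaaa-4bbb-8ccc-000000000002" },
  ],
};

const SAMPLE_WEBHOOK_RESPONSE = {
  webhook: {
    id: "22222222-dddd-4eee-8fff-000000000003",
    name: "disconnect-horizon-session",
    collection: "00000000-11111111-aaaa-4bbb-8ccc-000000000001",
    webhookUrl: "https://newman-api.getpostman.com/run/00000000/22222222-dddd-4eee-8fff-000000000003",
  },
};

// Optional live run. The key is read from the environment so it never lands
// in an exported collection or a screenshot. Returns null when no key is set.
async function sendWebhookRequests(workspaceId, collectionName, webhookName) {
  const apiKey = process.env.POSTMAN_API_KEY;
  if (!apiKey) return null;
  const r1 = buildCollectionsRequest(apiKey);
  const cols = await (await fetch(r1.url, { method: r1.method, headers: r1.headers })).json();
  const uid = findCollectionUid(cols, collectionName);
  if (uid === null) throw new Error(`collection "${collectionName}" not found or ambiguous`);
  const r2 = buildWebhookRequest(apiKey, workspaceId, uid, webhookName);
  const hook = await (await fetch(r2.url, { method: r2.method, headers: r2.headers, body: r2.body })).json();
  return extractWebhookUrl(hook);
}
```
<p><span style="color: #9fc5e8;"><span style="font-size: medium;">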
In the example below, a webhook URL of https://newman-api.getpostman.com/run/13724510/69dbc0d3-0be9-4038-bf83-6c96da23dfe0 has been created and associated with the collection. </span></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiTjPkaqbBbL934hLD9M04zQgYEly1x2nkzviTNPuDoVrgBlfIYMxDihcRlA-Zbc419KNcmEuJp_mqYOwZg8JITCE1I8noWMbGwH1mWDrEZrSJzbH9WXhuIBIqFzUdtrdKPVPxTQhvvrpRkpJaeTDYZLuyllNU78m4dT1Ad8f3XfwqT1-jXRs1dFPuU3g" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="980" data-original-width="2322" height="270" src="https://blogger.googleusercontent.com/img/a/AVvXsEiTjPkaqbBbL934hLD9M04zQgYEly1x2nkzviTNPuDoVrgBlfIYMxDihcRlA-Zbc419KNcmEuJp_mqYOwZg8JITCE1I8noWMbGwH1mWDrEZrSJzbH9WXhuIBIqFzUdtrdKPVPxTQhvvrpRkpJaeTDYZLuyllNU78m4dT1Ad8f3XfwqT1-jXRs1dFPuU3g=w640-h270" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="font-size: medium;"><span style="color: #9fc5e8;">When making a call to this webhook, behind the scenes you're leveraging </span><a href="https://learning.postman.com/docs/monitoring-your-api/intro-monitors/" target="_blank">Postman Monitors</a><span style="color: #9fc5e8;">. These provide you the added bonus of a paper trail/tracking of collection execution. For each webhook you create there'll be a corresponding Monitor within your Postman workspace. 
</span></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc8en7AElutxe8owQ6BJ20uDxFDRGvmUBtbZjX11gbXy98NIb3YwgPsEspagWm3id5fUDlK5GfDsxmvCZdRKSsDFy-ND6LZtlQCmTBjvVglEmmysSsZyefBzJxY1ZJoQ7Gf4dPls6-q18WuSB-4vg13Apiyvf9eTr5DoaZ63AHQTmFAb1dnT1AFQMyDA/s2318/Screen%20Shot%202022-04-26%20at%202.58.04%20PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="1244" data-original-width="2318" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc8en7AElutxe8owQ6BJ20uDxFDRGvmUBtbZjX11gbXy98NIb3YwgPsEspagWm3id5fUDlK5GfDsxmvCZdRKSsDFy-ND6LZtlQCmTBjvVglEmmysSsZyefBzJxY1ZJoQ7Gf4dPls6-q18WuSB-4vg13Apiyvf9eTr5DoaZ63AHQTmFAb1dnT1AFQMyDA/w640-h344/Screen%20Shot%202022-04-26%20at%202.58.04%20PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /><br /><br /><br /><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">When trying to figure out what went wrong with collection execution, or, more optimistically, what went right, you can drill into the events detailed under each monitor to get play by play action. Below, you can see all the calls that were made as a result of the collection getting triggered by its associated webhook at 2:34pm. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR_69QHkvsvary4eA1uvcCZOGG7dyz8I96nKqt4F8cO68HYhaYN-F8zM3tvPsxYQyolBpnOiU9jmxBFxZC6bGBY9n3lpyIe7k6MFM6AsUyrMfepcjxApXpsJBN2472vSEaSZDWpsUW67YtJrCostvDeuXwNjzbnvTNv3IQVBwA34hwpgqHj_VSSDU9dA/s1642/Screen%20Shot%202022-04-26%20at%202.58.56%20PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="1286" data-original-width="1642" height="502" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiR_69QHkvsvary4eA1uvcCZOGG7dyz8I96nKqt4F8cO68HYhaYN-F8zM3tvPsxYQyolBpnOiU9jmxBFxZC6bGBY9n3lpyIe7k6MFM6AsUyrMfepcjxApXpsJBN2472vSEaSZDWpsUW67YtJrCostvDeuXwNjzbnvTNv3IQVBwA34hwpgqHj_VSSDU9dA/w640-h502/Screen%20Shot%202022-04-26%20at%202.58.56%20PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><span style="font-size: medium;">You can also get more in-depth, play by play insight, by clicking on console log. 
</span> </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkhEXJIgNO-S1VyLQvKCkoZMGCaoLc9Ca0UmtOUZE2DUmdX-aQA-VD-ZkGoBCaO4gHB_GYe8teANo9LOY6NGbwot6AksVlnoxDVUDBXT6SHvq7chwhcV0EbBhCnGD8eKa-lEVHFK9U2sNr876agkPyu0rXp2KVBJvYYVpr77oLfMj6BAgGHN9cAdYOhg/s1538/Screen%20Shot%202022-04-26%20at%202.59.47%20PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="1284" data-original-width="1538" height="534" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkhEXJIgNO-S1VyLQvKCkoZMGCaoLc9Ca0UmtOUZE2DUmdX-aQA-VD-ZkGoBCaO4gHB_GYe8teANo9LOY6NGbwot6AksVlnoxDVUDBXT6SHvq7chwhcV0EbBhCnGD8eKa-lEVHFK9U2sNr876agkPyu0rXp2KVBJvYYVpr77oLfMj6BAgGHN9cAdYOhg/w640-h534/Screen%20Shot%202022-04-26%20at%202.59.47%20PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">So, as if having the ability to trigger collections with a webhook Url wasn't enough, you also get the tracking and performance visibility normally afforded by Postman Monitors. 
Next, we'll create a Custom Connector that makes a call to our Postman webhook, completing a circuit between the WS1 Intelligence cloud and the on-premises Horizon environment. </span></p><p><span style="color: #9fc5e8;"><br /></span></p><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: x-large;">Creating A Custom Connector To The Webhook</span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8aD979We7UjembHJBRdf1eYGNiPx2IXufckM1pGI_EztRcnrfIXQ1DD5ttddeWL9qyCNtWRJe9OnT9_RnONixlqDoOL16id_thOuNjgmJDaC0D9_Hy6zK1c4ua1PDJMy188KZdSZADMQqd7rrC5YikcerVQFCtsUtFlTfJhGFL4XMPf_25MnltJqPCw/s1920/custom_connectoers.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="1012" data-original-width="1920" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8aD979We7UjembHJBRdf1eYGNiPx2IXufckM1pGI_EztRcnrfIXQ1DD5ttddeWL9qyCNtWRJe9OnT9_RnONixlqDoOL16id_thOuNjgmJDaC0D9_Hy6zK1c4ua1PDJMy188KZdSZADMQqd7rrC5YikcerVQFCtsUtFlTfJhGFL4XMPf_25MnltJqPCw/w640-h338/custom_connectoers.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8; font-size: large;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">While WS1 Intelligence provides out-of-the-box integrations with UEM, ServiceNow and Slack, for years 
now it's offered the option of using Custom Connectors to integrate with any solution that supports a REST API. A Custom Connector can be set up to make calls to a Postman webhook by following the same guidance that has always applied to Custom Connector creation. Useful guidance can be found in a post by Andreano Lanusse and Adam Hardy called,</span><span style="color: #9fc5e8; font-size: large;"> </span><span style="font-size: medium;"><span style="color: #9fc5e8;">"</span><a href="https://developer.vmware.com/samples/6524/workspace-one-intelligence-custom-connector-samples" target="_blank">Workspace ONE Custom Connector Samples</a><span style="color: #9fc5e8;">." Along with providing incredibly useful samples, the article lays out the steps for creating your own Custom Connectors. The basic process is to craft an API call in Postman, save a successful result of the call, export the call as a JSON collection, then import the exported JSON into Intelligence while creating a Custom Connector. 
Following that process, I went to Postman and created a new collection called, "Disconnect Horizon Desktop - Execute webhook," placing in it a single call to the webhook Url that triggers the, "Disconnect Horizon Session," collection detailed earlier.</span></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj-sA_X62oBX72xICrgyWzpiqaz8OOaJBdhu_GlUcJTCFnf7byFDXh42ZCZbGuOEKKuOR3KUAojc3jMgDY0j6X02ukmApPnzXAa7y8yVLgQbCMZVrG9zAtiI2S9nCuhb-yqSX0KEKWDzMeV-pHscwXKC8EUFl3KrKuCwG0HwNgq2Zf2sCrN1Thb7kFvg/s2212/Screen%20Shot%202022-04-27%20at%208.10.33%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="504" data-original-width="2212" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj-sA_X62oBX72xICrgyWzpiqaz8OOaJBdhu_GlUcJTCFnf7byFDXh42ZCZbGuOEKKuOR3KUAojc3jMgDY0j6X02ukmApPnzXAa7y8yVLgQbCMZVrG9zAtiI2S9nCuhb-yqSX0KEKWDzMeV-pHscwXKC8EUFl3KrKuCwG0HwNgq2Zf2sCrN1Thb7kFvg/w640-h146/Screen%20Shot%202022-04-27%20at%208.10.33%20AM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><span style="font-size: medium;">We can pass variables from WS1 Intelligence through a webhook. In this example we're passing an AD username from Intelligence as a value for, "username2." The triggered collection is designed to ingest this parameter and target its search accordingly. Before exporting this collection, you need to execute this call successfully, then save the result as a sample. 
</span> </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrNXlW_DErwQmKSet0DxdZ-YgBfyBZfoQkbEcPCxceOXgBG0KIY-8ItSCfrdX8AFHqlguI-7yM8X9gi_gdoJmd_G5_ORs62t_eDenhN92Y0qmQSv9b7k57-WNb2n9Cehk0VBVTZ8BLh26TgHWmzW-qaaUWOfewKrksn2NHIZtBkLWBN7VUGWyXc0pNcg/s1604/Screen%20Shot%202022-04-27%20at%208.17.26%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="662" data-original-width="1604" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrNXlW_DErwQmKSet0DxdZ-YgBfyBZfoQkbEcPCxceOXgBG0KIY-8ItSCfrdX8AFHqlguI-7yM8X9gi_gdoJmd_G5_ORs62t_eDenhN92Y0qmQSv9b7k57-WNb2n9Cehk0VBVTZ8BLh26TgHWmzW-qaaUWOfewKrksn2NHIZtBkLWBN7VUGWyXc0pNcg/w640-h264/Screen%20Shot%202022-04-27%20at%208.17.26%20AM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><div><br /></div><span style="color: #9fc5e8; font-size: medium;">At this point, you're ready to export the collection by navigating to the collection, clicking on the three dots representing, "View more actions," and selecting Export.</span></div><div> <div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_95GSzfiPPdEMbMi28ptzJfR8VUMXDlZ4PuvBeu1_S3hsiVd-VdndBNS8owhXoiHxlFFTSzOQSGRcWttubeNYDt9TE-q_5vZmuJhsth-Fbd9ubAtpXiuG8tvyzt-iJX3HKfXPwxdN-mP5-XOlmfpm-ChBfja88u1RIM7OJINXLHB_PU78pnYjJIojKQ/s1802/Screen%20Shot%202022-04-27%20at%208.24.46%20AM.png" style="clear: left; float: left; margin-bottom: 
1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="698" data-original-width="1802" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_95GSzfiPPdEMbMi28ptzJfR8VUMXDlZ4PuvBeu1_S3hsiVd-VdndBNS8owhXoiHxlFFTSzOQSGRcWttubeNYDt9TE-q_5vZmuJhsth-Fbd9ubAtpXiuG8tvyzt-iJX3HKfXPwxdN-mP5-XOlmfpm-ChBfja88u1RIM7OJINXLHB_PU78pnYjJIojKQ/w640-h248/Screen%20Shot%202022-04-27%20at%208.24.46%20AM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">Go with the, "Collection v2.1," option and the exported JSON will download. Next, go to the WS1 Intelligence console, navigate to Integrations --> Outbound Connectors, and select Add Custom Connector. For a base URL, you'll enter the base URL for your webhook, https://newman-api.getpostman.com. 
</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgONlNadcaJnodMMRUcsVkLXqveTF3yzPqwW8n42NhLD-cEm1ZYf9iAiT2ImHLyEj9UPVU9WBCyvyjatG_YO5BH5TqOb0Hrx2FE0TszDXo8gtIPqsQW_-nrhIreLuCHo04OHppN8cZ_zoUr1t0BIV9GuIhqEKga4wc7BZ18VKC7CxesU_6eKUTJ17HKtA" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="632" data-original-width="1152" height="352" src="https://blogger.googleusercontent.com/img/a/AVvXsEgONlNadcaJnodMMRUcsVkLXqveTF3yzPqwW8n42NhLD-cEm1ZYf9iAiT2ImHLyEj9UPVU9WBCyvyjatG_YO5BH5TqOb0Hrx2FE0TszDXo8gtIPqsQW_-nrhIreLuCHo04OHppN8cZ_zoUr1t0BIV9GuIhqEKga4wc7BZ18VKC7CxesU_6eKUTJ17HKtA=w640-h352" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span><p></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">Next, you're prompted to import your exported collection. Consistently I've run into challenges importing my own hand made custom connectors at this point with an error message of, "Invalid Postman JSON file: Content-Type header must be present." 
</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEghJGQyYAlHpeZzwPRZeS8tYavR-iIPHDhUO9UTZVvYDKaSe8l0lo2PfiY0PFCFjA4ZTqrXLm84kuyqh__v-jCpJuXeGoWJ_J11JB_tcs0Bz6nuKJXntCx0mKCscXbZb9MaroYyOuSAvAZDd_709EovZdcMCpUVTuq4FqT2kmgabvMYlGm9ksvDj_309g" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="1228" data-original-width="1608" height="489" src="https://blogger.googleusercontent.com/img/a/AVvXsEghJGQyYAlHpeZzwPRZeS8tYavR-iIPHDhUO9UTZVvYDKaSe8l0lo2PfiY0PFCFjA4ZTqrXLm84kuyqh__v-jCpJuXeGoWJ_J11JB_tcs0Bz6nuKJXntCx0mKCscXbZb9MaroYyOuSAvAZDd_709EovZdcMCpUVTuq4FqT2kmgabvMYlGm9ksvDj_309g=w640-h489" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span><p></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">This pitfall is referenced in the sample custom connector guidance article, which cautions, "Note: Consider adding headers as Content-Type: application/json. If you do not add headers as the content type JSON, the APIs can default to XML and XML does not work with custom connections." 
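</span></p><p><span style="color: #9fc5e8; font-size: medium;">One way to apply that note to every request in an exported Collection v2.1 file before importing it, as an added Python example that is not part of the original post: it walks the collection, folders included, adds the Content-Type: application/json header entry wherever a request lacks one, and leaves requests that already carry it alone. The embedded sample collection and its webhook URLs are constructed placeholders, not a real export.</span></p>

```python
"""Added example (not from the original post): add the Content-Type header
that the WS1 Intelligence Custom Connector import expects to every request
in an exported Postman Collection v2.1 file. Folders are recursed, requests
that already carry the header are left alone, saved responses are untouched."""
import copy
import json
import sys

# Header entry in exactly the shape Postman writes it (the form quoted above).
CONTENT_TYPE_HEADER = {
    "key": "Content-Type",
    "name": "Content-Type",
    "value": "application/json",
    "type": "text",
}

V21_SCHEMA = "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"

# Constructed sample of an exported collection; the webhook URLs are placeholders.
SAMPLE_COLLECTION = {
    "info": {"name": "Disconnect Horizon Desktop - Execute webhook", "schema": V21_SCHEMA},
    "item": [
        {"name": "Execute webhook",
         "request": {"method": "POST", "header": [],  # empty, as Postman exports it
                     "body": {"mode": "raw", "raw": "{\"username2\": \"PLACEHOLDER-USER\"}"},
                     "url": {"raw": "https://newman-api.getpostman.com/run/PLACEHOLDER-1"}},
         "response": []},
        {"name": "Folder",  # folders nest more requests under their own "item" list
         "item": [
             {"name": "Already has the header",
              "request": {"method": "POST", "header": [dict(CONTENT_TYPE_HEADER)],
                          "url": {"raw": "https://newman-api.getpostman.com/run/PLACEHOLDER-2"}}},
             {"name": "Has a different header only",
              "request": {"method": "POST",
                          "header": [{"key": "Accept", "value": "application/json", "type": "text"}],
                          "url": {"raw": "https://newman-api.getpostman.com/run/PLACEHOLDER-3"}}},
         ]},
    ],
}


def is_v21(collection):
    """True when the file was exported with the 'Collection v2.1' option."""
    return collection.get("info", {}).get("schema") == V21_SCHEMA


def _has_content_type(headers):
    # Header names are case-insensitive; a disabled entry does not count.
    return any(
        isinstance(h, dict)
        and str(h.get("key", "")).lower() == "content-type"
        and not h.get("disabled", False)
        for h in headers
    )


def _iter_requests(items):
    """Yield every request object, recursing into folders."""
    for item in items:
        if isinstance(item.get("item"), list):
            yield from _iter_requests(item["item"])
        elif isinstance(item.get("request"), dict):
            yield item["request"]


def ensure_content_type(collection):
    """Return (patched deep copy, number of requests that got the header added).

    A request whose "header" is the raw-string form the v2.1 schema also allows
    is skipped rather than guessed at; Postman exports normally use the list form.
    """
    patched = copy.deepcopy(collection)
    added = 0
    for request in _iter_requests(patched.get("item", [])):
        headers = request.setdefault("header", [])
        if isinstance(headers, list) and not _has_content_type(headers):
            headers.append(dict(CONTENT_TYPE_HEADER))
            added += 1
    return patched, added


def main(argv):
    # With a path argument, patch that export; otherwise patch the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            collection = json.load(fh)
    else:
        collection = SAMPLE_COLLECTION
    if not is_v21(collection):
        print("warning: not a Collection v2.1 export", file=sys.stderr)
    patched, added = ensure_content_type(collection)
    print(f"added Content-Type to {added} request(s)", file=sys.stderr)
    print(json.dumps(patched, indent=2))  # import this output into Intelligence


if __name__ == "__main__":
    main(sys.argv)
```

<p><span style="color: #9fc5e8; font-size: medium;">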
Accordingly, one way I've gotten around this challenge is by copying the header from the working samples and inserting them into my custom connectors. So it's all about replacing the default header on these exported collections from what's displayed here: </span></p><span><span><br /><span style="color: #ead1dc;"><span> "method": "POST",<br /> <span> </span>"header": [ <br /><br /> <span> </span><span> </span><span> </span><span> </span><span> </span><span> </span><span> </span>],<br /><span> </span>"body": {</span><br /></span></span><br /></span><p><span style="color: #9fc5e8; font-size: medium;">With this:</span></p><p class="p1" style="font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span><span style="color: #9fc5e8; font-family: Helvetica Neue;"> </span><br /> <span style="color: #ead1dc;"><span> </span>"method": "POST", </span></span></p><p class="p1" style="font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="color: #ead1dc;"><span> </span>"header": [ </span></p><p class="p1" style="font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="color: #ead1dc;"><span> </span>{ </span></p><p class="p1" style="font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="color: #ead1dc;"><span> </span><span> <span> </span> </span>"key": "Content-Type", </span></p><p class="p1" style="font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="color: #ead1dc;"><span> </span><span> <span> </span> </span>"name": "Content-Type",</span></p><p class="p1" style="font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="color: 
#ead1dc;"><span> </span><span> <span> </span></span>"value": "application/json",</span></p><p class="p1" style="font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="color: #ead1dc;"><span> </span><span> <span> </span> </span>"type": "text" }</span></p><p class="p1" style="font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="color: #ead1dc;"><span> </span>], </span></p><p class="p1" style="font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span><span style="color: #ead1dc;"><span> </span>"body": {</span><br /></span></p><span style="color: #9fc5e8;"><br /><span style="font-size: medium;">Once I made this edit to my exported collections the imports completed successfully. In the end, after following this entire process for each of the collections a webhook was created for, I had these actions available from my outbound connector within Intelligence: </span></span></div><div><span style="color: #9fc5e8;"><br /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ4hYsZcYyCcgiyAfKfo1SoeQBR_r3zilULDaTFSMcKjnqab-wcYxJxjG_MHynL33DlUTLkUfdJoG-ZalgvL-XOc0oQSmW1KxbRwu4VmA0R5ZECP874w9GtLWobBOXNCD8BGbfB28oVQIdaicrXK_oW5JOd8woacYidWVHT5krgvaNF1_FOqDFwRcFsA/s1676/Screen%20Shot%202022-04-27%20at%2010.46.06%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="908" data-original-width="1676" height="346" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZ4hYsZcYyCcgiyAfKfo1SoeQBR_r3zilULDaTFSMcKjnqab-wcYxJxjG_MHynL33DlUTLkUfdJoG-ZalgvL-XOc0oQSmW1KxbRwu4VmA0R5ZECP874w9GtLWobBOXNCD8BGbfB28oVQIdaicrXK_oW5JOd8woacYidWVHT5krgvaNF1_FOqDFwRcFsA/w640-h346/Screen%20Shot%202022-04-27%20at%2010.46.06%20AM.png" width="640" /></span></a></div><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">While each action leverages a different collection, all actions traverse the same basic path:</span></p><p><span style="color: #9fc5e8; font-size: medium;">Intelligence --> Postman webhook --> UAG --> Horizon REST API</span></p><p><span style="color: #9fc5e8; font-size: medium;">To summarize, you have Intelligence triggering the Postman webhook based on reporting and automation configured within Intelligence. The calls within the collection are executed from the Postman cloud, traversing the UAG web reverse proxy to the internal Horizon Connection Server. 
Information about the environment is ascertained through a handful of initial calls and then leveraged by subsequent calls to target the automations within the internal Horizon environment.</span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc2H7njYlMSW0i9gerAbj0MensJiyXZG0M_2a8Twa07jw3zuVvjks-vdsJLLXIEAR4PCWRUFIchT8dY8IlrkXsQ-5dly3Ve4MyvFsq0beXKawPNZlp0N7y9y9-GsQgCWBURsqF_tIVJnoajfT2uALsBN8jlvZnKVWrPrQtieyKm_NCXDInXfBHd-NTVw/s2654/Screen%20Shot%202022-05-14%20at%2010.32.49%20AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1342" data-original-width="2654" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc2H7njYlMSW0i9gerAbj0MensJiyXZG0M_2a8Twa07jw3zuVvjks-vdsJLLXIEAR4PCWRUFIchT8dY8IlrkXsQ-5dly3Ve4MyvFsq0beXKawPNZlp0N7y9y9-GsQgCWBURsqF_tIVJnoajfT2uALsBN8jlvZnKVWrPrQtieyKm_NCXDInXfBHd-NTVw/w640-h324/Screen%20Shot%202022-05-14%20at%2010.32.49%20AM.png" width="640" /></a></div><br /><span style="color: #9fc5e8; font-size: medium;"><br /></span><p></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><br /></p><p><span style="color: #9fc5e8; font-size: xx-large;">Security Considerations</span></p><span style="font-size: medium;"><span style="color: #9fc5e8;">Exploring an option like this is destined to bring up security concerns. Below are a few I've run across as well as some relevant considerations. 
</span><br /><br /><span style="color: #cfe2f3;"><b>Storing credentials in Postman:</b></span></span><span style="font-size: medium;"><span style="color: #9fc5e8;"> Yes, scary indeed, particularly given that Horizon REST API credentials require root access for Horizon administration. However, any credentials stored in a Postman variable in your collections will be, "</span><a href="https://www.postman.com/trust/security/" target="_blank">encrypted on the server-side before storage</a><span style="color: #9fc5e8;">." Further, Postman has recently </span><a href="https://support.postman.com/hc/en-us/articles/115003693585-How-to-enable-two-factor-authentication" target="_blank">introduced support for MFA when you register using a Google based account</a><span style="color: #9fc5e8;">. While both encryption and MFA take the edge off this concern, it should also be considered that the REST API credential account doesn't necessarily have any special AD rights. </span><br /><br /><span style="color: #cfe2f3;"><b>Accepting Horizon Admin Credentials Through Public URL:</b></span></span><span style="font-size: medium;"><span style="color: #9fc5e8;"> Having to open up an administrative REST API of your internal Connection Server to the external world is certainly a bit nerve-wracking. However, Professional and Enterprise Postman customers have the option to </span><a href="https://learning.postman.com/docs/monitoring-your-api/using-static-IPs-to-monitor" target="_blank">run their monitors with static IPs</a><span style="color: #9fc5e8;">. So, through firewall rules you can limit access to your UAG appliance to the public IPs used by Postman Monitors. That certainly reduces your risk. Also, while it hasn't been built yet, there are definitely Postman customers </span><a href="https://github.com/postmanlabs/postman-app-support/issues/3706" target="_blank">asking for the ability to leverage certificate auth for Postman Monitors</a><span style="color: #9fc5e8;">. 
(I have seen </span><a href="https://learning.postman.com/docs/sending-requests/certificates/" target="_blank">client certificate authentication</a><span style="color: #9fc5e8;"> work through UAG for Postman requests from laptops, but it's not supported from Monitors yet.) </span><br /><br /><span style="color: #cfe2f3;"><b>Triggering Administrative Actions Through Webhooks:</b></span></span><span style="font-size: medium;"><span style="color: #9fc5e8;"> I'll forgive anyone for being nervous about raining down ruthless automation from the sky based on calls to webhooks. However, my understanding is that webhooks are often known to rely on security by obscurity. The Postman webhook Urls are pretty long and ugly and I'm not sure how easily they're ascertained. I've had monitors running for over a month now and I haven't seen a single unsolicited request. Further, these webhooks aren't exposing folks to any credentials or direct access to Horizon. Bad guys can make calls to them for cheap thrills or random maliciousness, but the chances of them getting any meaningful access to anything don't strike me as high. They're simply calls to perform administrative tasks with impact that depends on what's been automated. In addition, all these calls are tracked through Postman Monitors, so you would have a paper trail. All that said, if push comes to shove, there definitely appear to be some do-it-yourself options for securing webhooks. </span><br /><br /><span style="color: #cfe2f3;"><b>I'm Still Freaked Out:</b></span></span><span style="color: #9fc5e8; font-size: medium;"> Yeah, I get it. I think if security is a real sticking point for your team you could always develop your own full-blown REST API. While developing your API would not be for the faint of heart, this post should provide a clear path forward to guide your development. <br /><br />I certainly respect that there are security considerations and concerns to address before implementing these adaptations. 
However, I think the subject is much more debatable than it seems at first blush, and for some folks the benefits could outweigh the risks. Is the juice worth the squeeze? Well, depending on your use case, the juice could be awfully sweet. (If everything about these Custom Connector adaptations sounds awesome to you, but security is a real gotcha, I'd love for you to leave some comments, particularly around what use cases you have in mind.) </span><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8; font-size: x-large;">Final Thoughts </span></p><p><span style="color: #9fc5e8; font-size: medium;">The integration between WS1 Intelligence and Horizon detailed in this article is complicated and a lot to take in. In a cantankerous mood you might go so far as to say, "it's a hot mess." But, you know what's often the case with hot messes? They hot, and this solution is absolutely, utterly, freaking gorgeous! Driving automation against a Horizon environment based on a data lake in the cloud? Hot!!! Further, there's potential for the adaptations leveraged to span far beyond the Horizon use case. UAG can extend the reach of Intelligence to any REST API within an on-premises environment. Postman webhooks can increase the sophistication of REST API calls made to any 3rd party solution. 
Combined, these adaptations significantly expand the reach and efficacy of Intelligence Custom Connectors.</span><br /><br /><a href="#"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqxZCTkBZNik8KJwofT44WxAHgMwUh5_titUeaEhlIkCRVLEtrPXH59xvVGIL-rWOg1SjLvAf6amTVXpEzaNpw8_41je2Qm9c8LQNbWex10Fn-AGryJe9_XKwGB-Btr6GX7czhhlnhRJgmXM64JWwnPa6jI77F8cKr-JWAL_k906Q6RUWqUt4Rey2Cmg/w640-h290/Screen%20Shot%202022-05-01%20at%203.08.08%20PM.png" /></a><br /><br /><span style="font-size: medium;"><span style="color: #9fc5e8;">Finally, as complex as the Horizon integration is, the overall objective is very much in line with the trajectory of VMware's EUC stack. "If you can't bring virtual desktop to cloud, bring cloud to the desktop," seems to be the battle cry for the entire Horizon suite, with more and more functionality getting shifted to the cloud even if workloads must remain on-premises. Past success with SaaS based EUC solutions like UEM, Access and Intelligence not only enhances Horizon security, but also represents a shift to cloud management VMware is striving to emulate for the Horizon stack. For that matter, all of VMware seems to be charging in that direction, </span><a href="https://blogs.vmware.com/vsphere/2021/10/how-innovations-in-vsphere-are-redefining-infrastructure-to-run-future-apps.html" target="_blank">including vSphere itself</a><span style="color: #9fc5e8;">. In that light, the solution detailed in this article seems more like acceleration toward a very probable destiny rather than some off-the-wall innovation. While this seemingly destined future isn't here today, in the meantime, if you've got the will for this functionality there's a way. 
</span></span></p><p><span style="font-size: medium;"></span></p><div class="separator" style="clear: both; text-align: center;"><span style="font-size: medium;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/PCsGRCf8T9Y" width="320" youtube-src-id="PCsGRCf8T9Y"></iframe></span></div><p></p></div></div>EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com0tag:blogger.com,1999:blog-7411363718337372107.post-92065401346476373762021-12-09T17:14:00.024-08:002021-12-23T13:39:01.858-08:00The Deprecation Of Basic Auth For Exchange And What It Means For VMware's Workspace ONE Customers<span style="color: #9fc5e8; font-size: medium;">After several delays due to Covid-19 Microsoft has finally fixed a date for prohibiting Basic Auth in Exchange Online. As of October 1st, 2022, Microsoft will begin disabling Basic Auth in all tenants, with short-term temporary disruptions for some customers beginning early 2022. This news is initially a bit unnerving given that historically a lot of AirWatch/Workspace ONE customers have leveraged Basic Auth within their ActiveSync profiles. However, it is limited to Exchange Online customers so on-premises Exchange customers, at least for now, need not worry. Further, for existing Exchange Online WS1 customers leveraging Basic Auth there's a clear path forward through the adoption of Modern Authentication or other OAuth based alternatives. This post begins with a quick overview of the ActiveSync Basic Auth deprecation and why it's relevant, then details the choice between Microsoft's Modern Auth or other OAuth based solutions for addressing the challenge. 
Of all these OAuth based alternatives Workspace ONE Access is certainly my favorite, so I'll detail the magic that happens when you federate Azure AD with Workspace ONE Access and then introduce certificate based authentication with VMware's proprietary Mobile SSO solution. </span><div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div><div><p><span style="color: #9fc5e8; font-size: large;"><b>A MEM Misnomer: Rumors Of ActiveSync's Death Are Greatly Exaggerated</b></span></p><br /><span style="color: #9fc5e8; font-size: medium;">About a year and a half ago I started hearing grumblings of impending doom for WS1 customers and Mobile Email Management (MEM) in general. The rumor went something like this: ActiveSync is getting deprecated, which will lead to chaos in MEM everywhere, possibly triggering World War 3. Making it somewhat believable was that ActiveSync hasn't been worked on for years now, with the latest version of <a href="https://docs.microsoft.com/en-us/archive/blogs/exchangedev/announcing-exchange-activesync-version-16-1" target="_blank">16.1 released in 2016.</a> Coupled with Microsoft's hyper-focus on Graph APIs, in a bad mood, with your eyes squinted, it seemed possible ActiveSync could be going away. However, the truth was more nuanced. In August of 2020 I reached out to Martin Kniffin for guidance and he didn't fail to impress, providing me and a handful of colleagues excellent context. First and foremost he pointed out that it's not ActiveSync that's getting deprecated, but Basic Auth within ActiveSync. (More specifically, it's Basic Auth that's being deprecated almost across the board, not just within ActiveSync.) 
When Basic Auth is used with Exchange Online you have the mail client storing a user's typed in credentials and then passing those credentials to Exchange, which in turn <a href="https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online" target="_blank">proxies those credentials to Azure AD</a>. These stored credentials on the endpoint device are constantly replayed against Exchange Online throughout the course of email access. </span></div><div><span style="color: #9fc5e8; font-size: medium;"> </span></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><img border="0" height="440" src="https://blogger.googleusercontent.com/img/a/AVvXsEgfUN3pOi_WUeXjcJPHazNRiXNB11zoFtHVRdb31pSlmJXGZ7wdOE4_HhC1TyztsCBNk4zixrUi8hvv02fjyg2LRbETkMU02m_UnFLqeEugyi9s7d8tL1XGtNvxJ25pJSjJdBnwxH1_6dy9Q3fh9oDa83_MNtSIUyG4xC7DHAeYx0dkNcGydFSmgCSrxA=w640-h440" style="margin-left: auto; margin-right: auto;" width="640" /></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="color: #9fc5e8;">Basic Authentication - Image taken from, <a href="https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online" target="_blank">"Disable Basic Authentication In Exchange Online"</a></span></td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><a href="https://www.blogger.com/#" style="margin-left: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"></span></a></div><div><span style="color: #9fc5e8; font-size: medium;">So it's not ActiveSync that's dying off but rather this very rudimentary Basic Auth model that's going away, initially only in Exchange Online environments, not on-premises. This deprecation has been in the works for awhile. 
Plans to disable Basic Auth in Exchange Online were <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/improving-security-together/ba-p/805892" target="_blank">first announced in Sept of 2019</a> with a target date of Oct 2020. However, in response to Covid-19 it was <a href="https://devblogs.microsoft.com/microsoft365dev/deferred-end-of-support-date-for-basic-authentication-in-exchange-online/" target="_blank">postponed till the second half of 2021</a>. Then in February of 2021 Microsoft indicated they would <a href="https://docs.microsoft.com/en-us/lifecycle/announcements/exchange-online-basic-auth-deprecated" target="_blank">postpone until further notice.</a> At the same time they announced plans to begin disabling Basic Auth for tenants not currently using it. Now, finally in late September of 2021, it was announced that Basic Auth would be <a href="https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210" target="_blank">disabled on all tenants starting October 2022</a>, with more <a href="https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online" target="_blank">formal guidance</a> coming out early November this year. So, this hasn't exactly been a meteor the size of Texas hurtling towards earth from out of nowhere. More like The Blob, a really, really, really slow-moving blob that, nonetheless, needs to be addressed. 
</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEidxeVKOy2huO6uR_cerR6roiHqlbC4el0ofpFxYR2nHCyalhX_9_gEzq2bUtETGDq2MmtNqWcaqRipDv2Pd8pK8_aJssQrVfLid5Qw4IeTKnOHRz9hkDb-SAj69mQypF4v4MUoOAXt2pGKFSFcy8FutrKLAShRVUyyzIfaWKBfE8xMVM9K56b_QgO7pg=s2048" style="margin-left: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="2048" data-original-width="1420" height="400" src="https://blogger.googleusercontent.com/img/a/AVvXsEidxeVKOy2huO6uR_cerR6roiHqlbC4el0ofpFxYR2nHCyalhX_9_gEzq2bUtETGDq2MmtNqWcaqRipDv2Pd8pK8_aJssQrVfLid5Qw4IeTKnOHRz9hkDb-SAj69mQypF4v4MUoOAXt2pGKFSFcy8FutrKLAShRVUyyzIfaWKBfE8xMVM9K56b_QgO7pg=w278-h400" width="278" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div><span style="color: #9fc5e8; font-size: medium;">While ActiveSync payloads with Basic Auth have been wildly popular amongst Workspace ONE customers there's a clear path forward: leverage the OAuth ActiveSync payload setting for use with Microsoft's Modern Auth or a 3rd party federated IDP. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span><p><span style="color: #9fc5e8; font-size: large;"><b>Leveraging Microsoft Modern Auth With The ActiveSync OAuth Payload Setting</b></span></p><p><span style="color: #9fc5e8; font-size: medium;">If your Office 365 tenant is purely leveraging Azure for identity, with no federation, both Basic Auth and Modern Auth are currently options for email access. 
Modern Authentication is a Microsoft solution, <a href="https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online" target="_blank">"based on the Active Directory Authentication Library (ADAL) and Oauth 2.0."</a> With Modern Auth users authenticate with their AD credentials to Azure and then are issued a token granting access to Office 365. So instead of having credentials stored within a mail client and proxied through Exchange Online, users are redirected to Azure at login.microsoftonline.com and upon successful authentication are issued a token that grants access to email, as well as the entire Office 365 suite. </span></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh_UEb4t4kRJBtpLHN1mZO6MV20f8UzFmucVIy3kY06QGy01b4MoipHyl6e-khztJih9CdNPEpNhSGOLI4PW0Sqk9VTdsrPI21tqgOKIOf-DT7T-JCW_q5NaphjYyw-HJQzRMexRDht0tzSG1ceBuDTZ1Yw3jez3dOsa_jFa4I-vq-VtwbWnY03Sk8CHg=s814" style="margin-left: auto; margin-right: auto;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="757" data-original-width="814" height="597" src="https://blogger.googleusercontent.com/img/a/AVvXsEh_UEb4t4kRJBtpLHN1mZO6MV20f8UzFmucVIy3kY06QGy01b4MoipHyl6e-khztJih9CdNPEpNhSGOLI4PW0Sqk9VTdsrPI21tqgOKIOf-DT7T-JCW_q5NaphjYyw-HJQzRMexRDht0tzSG1ceBuDTZ1Yw3jez3dOsa_jFa4I-vq-VtwbWnY03Sk8CHg=w640-h597" width="640" /></span></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><span style="color: #9fc5e8;">Modern Authentication Workflow - Image Borrowed From <a href="https://shehanperera.com/2020/04/22/block-basic-auth/" target="_blank">Shehan Perera's Tech Blog</a></span></td></tr></tbody></table><p><span style="color: #9fc5e8; font-size: medium;">In the diagram above you have a representation of Modern 
Auth in the context of a <a href="https://docs.microsoft.com/en-us/microsoft-365/enterprise/plan-for-directory-synchronization?view=o365-worldwide" target="_blank">hybrid identity model</a> that merges on-premises AD environments with an Azure tenant, allowing users to leverage their on-premises AD credentials when authenticating to Azure. It starts with an on-premises Azure AD Connect instance that syncs accounts from on-premises with Azure. Then, for authentication, there's what's referred to as managed authentication, with a choice between password hash synchronization (PHS) and pass-through authentication (PTA). With PHS, hashes of your AD passwords are synchronized from your on-premises AD environment to the cloud. </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjYf-odMAL7SpaGW0B3V2bbQNhXrROz5TX9EOn4UC0S-v4fJ2pBNO10nelEZ9LsKqKU6FziPUtle2puPqKRChtDUH_6F70KLtYeVJZmkyR_f_Ay8refGL7vVimLk5gD4Hp0gz_sVckYl3qgUXrX4AQAIXjW-xg_fmZ9tjmagPC1fp0E-TMB1IllXQMvJw=s1226" style="margin-left: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="808" data-original-width="1226" height="264" src="https://blogger.googleusercontent.com/img/a/AVvXsEjYf-odMAL7SpaGW0B3V2bbQNhXrROz5TX9EOn4UC0S-v4fJ2pBNO10nelEZ9LsKqKU6FziPUtle2puPqKRChtDUH_6F70KLtYeVJZmkyR_f_Ay8refGL7vVimLk5gD4Hp0gz_sVckYl3qgUXrX4AQAIXjW-xg_fmZ9tjmagPC1fp0E-TMB1IllXQMvJw=w400-h264" width="400" /></span></a></div><p><span style="color: #9fc5e8; font-size: medium;">With PTA, instead of having hashed passwords stored in the cloud, validation occurs directly against your on-premises AD environment via an on-premises agent. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEgkDy4kgrWvJqMZ5VRJJ4fabns4IpDqlBKm5CYpe_Uk5KJq4JJDD70mo2grB4YpCk-fjb1C3nvigjSFKDxnQ7FVThfLsKyvEWDSTec33LYwGVvyvHuqKfV7Sta4WrFewjRxdi3pfskpduJtZvQUZ8Sb0d2TTQTpz8urUvM0ZiaerYYtA-SimJw-m4Bf9w=s1230" style="margin-left: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="816" data-original-width="1230" height="265" src="https://blogger.googleusercontent.com/img/a/AVvXsEgkDy4kgrWvJqMZ5VRJJ4fabns4IpDqlBKm5CYpe_Uk5KJq4JJDD70mo2grB4YpCk-fjb1C3nvigjSFKDxnQ7FVThfLsKyvEWDSTec33LYwGVvyvHuqKfV7Sta4WrFewjRxdi3pfskpduJtZvQUZ8Sb0d2TTQTpz8urUvM0ZiaerYYtA-SimJw-m4Bf9w=w400-h265" width="400" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br />Either model is supported with Modern Auth and the ActiveSync "Use OAuth" payload setting. It's just a matter of personal taste for the organization. With both models you're extending your on-premises authentication to Azure, and either one can work with the OAuth payload. As far as the ActiveSync payload settings in WS1 go, all you have to do is check the box for "Use OAuth" and your email users will start getting prompted for Modern Auth. The "OAuth Sign In URL" and "OAuth Token URL" fields are not mandatory and can be left blank. 
When you leave these fields blank, an autodiscovery process kicks in, one that first redirects to login.microsoftonline.com.</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhotPtG5QYPJDWf5MjxFD9v4o7COzw-07aAFzbRlazZhTlvDEzgBzb20n7Kw23dCElbHUYuo_r7_2MCbv2WMc_eCE_PtFrU5zwBwxi9DB0Jevg-E2An-5_CYb9AgJCyqzVmyquyXIBSK6e8jy57rcz10jXkWG4C59lMBCmeOKBmuoP86BA_kkrFB9G77Q=s1586" style="margin-left: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="814" data-original-width="1586" height="328" src="https://blogger.googleusercontent.com/img/a/AVvXsEhotPtG5QYPJDWf5MjxFD9v4o7COzw-07aAFzbRlazZhTlvDEzgBzb20n7Kw23dCElbHUYuo_r7_2MCbv2WMc_eCE_PtFrU5zwBwxi9DB0Jevg-E2An-5_CYb9AgJCyqzVmyquyXIBSK6e8jy57rcz10jXkWG4C59lMBCmeOKBmuoP86BA_kkrFB9G77Q=w640-h328" width="640" /></span></a></div><p><span style="color: #9fc5e8; font-size: medium;">The redirect to login.microsoftonline.com creates a slightly different experience from the traditional Basic Auth workflow, but it's not insurmountable. Below is a recording that compares and contrasts the two experiences with the built-in iOS mail client. </span></p><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8; font-size: medium;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='526' height='437' src='https://www.blogger.com/video.g?token=AD6v5dzDjuDdVXzdhuOrX80cvZiVv8h4qcXIi4gRJN1KJ7XCoZA0P_dypyPmFpUTu5ELvKSF6U9WBQF0nfmKeRn6AA' class='b-hbp-video b-uploaded' frameborder='0'></iframe></span></div><p><span style="color: #9fc5e8; font-size: medium;">Also, there's certainly support for Modern Auth from most other mail clients as well, such as Boxer or Outlook. 
Here's what the process looks like for Boxer: </span></p><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8; font-size: medium;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='519' height='432' src='https://www.blogger.com/video.g?token=AD6v5dzDolbLAprMmn2lBO3Q97ShoYCSLmfS8GfU0LZAWfmPaVWTNzgMw1NFut-5Wo6jc_MOTga3lYsvTlQNY7VWTQ' class='b-hbp-video b-uploaded' frameborder='0'></iframe></span></div><p><span style="color: #9fc5e8; font-size: medium;"> </span></p><p><span style="color: #9fc5e8;"><span style="font-size: large;"><b>Leveraging Workspace ONE Access With The ActiveSync OAuth Payload Setting</b></span></span></p><p><span style="color: #9fc5e8; font-size: medium;">Along with Modern Auth, this "Use OAuth" feature supports authentication against Workspace ONE Access, as well as various other federated IDPs such as ADFS, Okta or Ping. When it's time to authenticate, the user first hits login.microsoftonline.com, then, based on their email address, gets redirected to a federated IDP. In this example, AD authentication occurs through an instance of WS1 Access that's been federated with Azure. It's very similar to Microsoft's Modern Auth model, except there's a redirection to a WS1 Access tenant where credentials are manually entered. 
Here's a demonstration: </span></p><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8; font-size: medium;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='524' height='435' src='https://www.blogger.com/video.g?token=AD6v5dwldy27U2PS6mN7bc1OWHfNXksojb34qKOcO1Ten_n9lJcjF4peIndVSumHgzk8t5AcPn6B2bAoQGRHKcA1kw' class='b-hbp-video b-uploaded' frameborder='0'></iframe></span></div><p><span style="color: #9fc5e8; font-size: medium;">For a more ideal experience, you can accommodate authentication with Mobile SSO for iOS, an incredibly compelling proprietary VMware solution that combines WS1 UEM with WS1 Access to provide SSO for mobile apps. </span></p><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8; font-size: medium;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='521' height='432' src='https://www.blogger.com/video.g?token=AD6v5dy72xWONeKAK05z5q4nGExCgKzFQTcxantBaBd4sVH1-EBMFgqTdUVuENw2s6HISTErmXTgL55yW58Ge-XmWg' class='b-hbp-video b-uploaded' frameborder='0'></iframe></span></div><p><span style="color: #9fc5e8; font-size: medium;">First and foremost, <a href="https://www.youtube.com/watch?v=F4-kZMd9Cls" target="_blank">VMware's Mobile SSO</a> solution provides an incredibly convenient certificate-based single sign-on experience. It also lays the groundwork for the adoption of device compliance policies that allow us to factor in device enrollment and device posture while providing contextual authentication through conditional access policies. Further, this solution extends device compliance security across the entire Office 365 suite, not just email access. 
Even more exciting, since Mobile SSO for iOS or Android works for pretty much any mobile app that supports SAML, adopting this solution for Office 365 puts into place a capability for securing mobile SaaS adoption across the board. Combine this with <a href="https://www.evengooder.com/2021/03/WS1-certificates-4-zero-trust.html" target="_blank">VMware's certificate-based authentication for modern management</a> and you have a complete solution for layering zero trust security on top of SaaS adoption across most conceivable device types. </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjGZKbzymmdlDtx12-vLSpOn5CZS3svKUiqZW4dDbGQ3F2qQUiwmmGx3ZosxlivGXCj5mOz3oQk36t2hGsKaDcqitpLz889Kl5H-WqfheGSYTC8l3QPo4PF2zqxITn-d80rk34fV3fdy1mDQPBoOhthWioCfnVWQBKAKYr0IJjdLgAFEtDpzzM7RFksMA=s1898" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="1082" data-original-width="1898" height="364" src="https://blogger.googleusercontent.com/img/a/AVvXsEjGZKbzymmdlDtx12-vLSpOn5CZS3svKUiqZW4dDbGQ3F2qQUiwmmGx3ZosxlivGXCj5mOz3oQk36t2hGsKaDcqitpLz889Kl5H-WqfheGSYTC8l3QPo4PF2zqxITn-d80rk34fV3fdy1mDQPBoOhthWioCfnVWQBKAKYr0IJjdLgAFEtDpzzM7RFksMA=w640-h364" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span 
style="color: #9fc5e8; font-size: large;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">One caveat to be aware of is that federation with an IDP like WS1 Access or another 3rd-party solution is an all-or-nothing commitment. You can't just have a subset of users handled by the federated IDP. All of them will get initially redirected to the 3rd-party IDP. So before actually federating with another IDP, you need to make sure that all your Office 365 users can be properly handled by it. Further, federation will break Basic Auth, so you'd need to prepare accordingly. </span></p><p><span style="color: #9fc5e8; font-size: large;"> </span></p><p><span style="color: #9fc5e8; font-size: large;"><b>SEG For Office 365 Access</b></span></p><p><span style="color: #9fc5e8; font-size: medium;">Many folks have quite a visceral response to the deployment model I'm about to mention. There are indeed some organizations that leverage SEG for Office 365 access. I know, I know. While I can't thoroughly explain or exhaustively defend the design decision, to my understanding there are some use cases where this is a valid and legitimate option. More customers than you'd imagine have needed it. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhhqgj_gmIO0A9qYA5BKAptPGafSyDujhRHU_u2ol6X6wxvsJt8lwasPW6hhh_yi22Jf8CxykzCObCIAkR1ssY1uck3JWSw88bSTZSJr4zmtm-Jz0HSMUWepstxHV0GCSiHphUvoR_Qiv8-ulsctO1m5v2hbiIo8cTNztJdIHS_rAkE_o2Grl1Lrnpy7w=s906" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="448" data-original-width="906" height="316" src="https://blogger.googleusercontent.com/img/a/AVvXsEhhqgj_gmIO0A9qYA5BKAptPGafSyDujhRHU_u2ol6X6wxvsJt8lwasPW6hhh_yi22Jf8CxykzCObCIAkR1ssY1uck3JWSw88bSTZSJr4zmtm-Jz0HSMUWepstxHV0GCSiHphUvoR_Qiv8-ulsctO1m5v2hbiIo8cTNztJdIHS_rAkE_o2Grl1Lrnpy7w=w640-h316" width="640" /></a></div><p><span style="color: #9fc5e8; font-size: medium;">I only bring it up here in the context of this ActiveSync discussion because with this model there is some authentication against Exchange Online, so it's possible a subset of folks with this type of deployment could be using Basic Auth. Fortunately, these users can migrate to OAuth access as well. 
Here's a sample from my own lab:</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEh1zzLVpOr5-u90lxJNU-7Z_Bp-p8biaVjjR4DFi8sULSBvcJUAHcLrjzPPPpmSGYRoeW-daCrAEuMkOyotJEQRyNSWUYFbGnaC0SNEOsa7mSw1SOv5ZFwHe2N_R3spZFZtiwt1IACy5AsBzXWzHljq2gqzeZsuUfLL9UiPiTtJo5qB99JtyHTsNOnD8g=s976" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="452" data-original-width="976" height="296" src="https://blogger.googleusercontent.com/img/a/AVvXsEh1zzLVpOr5-u90lxJNU-7Z_Bp-p8biaVjjR4DFi8sULSBvcJUAHcLrjzPPPpmSGYRoeW-daCrAEuMkOyotJEQRyNSWUYFbGnaC0SNEOsa7mSw1SOv5ZFwHe2N_R3spZFZtiwt1IACy5AsBzXWzHljq2gqzeZsuUfLL9UiPiTtJo5qB99JtyHTsNOnD8g=w640-h296" width="640" /></a></div><br /><p><br /></p><p><br /></p><p><br /></p><p><br /></p><p><br /></p><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><br /></div><div><br /></div><div><br /></div><p><span style="color: #9fc5e8; font-size: large;"><b>The Only Way Through Is Through - Tick Tock, Tick Tock</b></span></p><p><span style="color: #9fc5e8; font-size: medium;">In a nutshell, the deprecation of Basic Auth is forcing customers to fall back to Modern Auth/OAuth, or, more accurately, fall forward to Modern Auth/OAuth. As easy as it's been to just leverage Basic Auth, we really should have already been marching away from it anyway, regardless of deprecation plans. While I don't normally feel the need to defend a monster corporation like Microsoft, technically, it sounds like they're just forcing customers to do what they ought to do. 
Regardless, Workspace ONE/AirWatch has helped customers navigate their mobile email management needs for over 10 years and is well positioned to assist with this challenge. </span></p><p><span style="color: #9fc5e8; font-size: medium;">There's no doubt in my mind that some VMware customers may still have some planning to do. As of the time of this writing, early December 2021, customers have about 9 and a half months to act. Fortunately, Basic Auth is not dead yet, though the writing is certainly on the wall. </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://www.youtube.com/watch?v=QcbR1J_4ICg" style="margin-left: 1em; margin-right: 1em;" target="_blank"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="462" data-original-width="908" height="326" src="https://blogger.googleusercontent.com/img/a/AVvXsEhDxY52SJShJg7Y38Yg3x4w3bIAYActm78TX3tZ_zjxGeZRnAT9vq8M74K3GJp6UsRc6VVLX2Os41MUgGybcPS-n61aAxXnZKg-sMaOlGktJz-mxhrvqajimxpcIeRLzOUgLYY9oOqoLRwTm_1AYUYrwP9KFfw0OVZGhLswRFMwRMdwa1W266-0zi6D_w=w640-h326" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><p><br /><br /></p></div></div></div>EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com13tag:blogger.com,1999:blog-7411363718337372107.post-4097650711983136872021-10-10T14:02:00.021-07:002021-10-17T08:29:58.475-07:00Securing Horizon With Cloud Hosted Workspace ONE And Carbon Black<p><span style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: medium;"><b>For over a decade VMware's VDI solution has served up on-premises Windows desktops to remote Windows and Mac devices. While the original solution at its core has stayed relatively the same, the ability to secure Horizon sessions through a tightly integrated SaaS stack represents a dramatic shift. 
Using cloud instances of Workspace ONE Access, UEM, Intelligence and Carbon Black customers wrap comprehensive security around an already stellar remote Horizon user experience. The cloudiness of these offerings means this security is easily layered onto existing Horizon environments non-disruptively, with minimal on-premises footprint. </b></span></p><p></p><p></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4mdvdWSvBEDGWUOHN0Cu9F2zrWCYdkMOkCxzdtB4sJ3lwgrkpRhT8hnGIgtgfWJq4l75-mMPCtpZcaZ6rXvUE9LuVY2N3gAwTQ9nznzlFTCyA36IJNkKdRUon1zzHyJMm_G3SeWOiF_do/s2048/Screen+Shot+2021-10-09+at+10.32.25+PM.png" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="1156" data-original-width="2048" height="362" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4mdvdWSvBEDGWUOHN0Cu9F2zrWCYdkMOkCxzdtB4sJ3lwgrkpRhT8hnGIgtgfWJq4l75-mMPCtpZcaZ6rXvUE9LuVY2N3gAwTQ9nznzlFTCyA36IJNkKdRUon1zzHyJMm_G3SeWOiF_do/w640-h362/Screen+Shot+2021-10-09+at+10.32.25+PM.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Base Image Stolen From Andreano "The Moose With The Juice" Lanusse</td></tr></tbody></table><br /><span style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px;"><br /></span><p></p><p><span style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px;"><br /></span></p><p><span style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; 
line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; 
margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><b>This ideal remote access scenario begins with Horizon making virtual desktops and published applications available to the external world through Unified Access Gateway. Authentication for these Horizon sessions is brokered by a cloud instance of Workspace ONE Access that enforces contextual authentication requirements through conditional access policies. Workspace ONE UEM informs these policies with device posture insight, while also actively managing and securing these remote endpoint devices. Additionally, Carbon Black provides Next-Gen Antivirus protection not only for Win10 or macOS endpoint devices, but also for the virtual desktops or RDS hosts remotely accessed through Horizon. Finally, WS1 Intelligence pulls these solutions together, enhancing automation while further calibrating conditional access policies with information regarding anomalous or risky behavior. 
</b></span></span></p><p><span style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: medium;"></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><b><span class="s1" style="font-kerning: none;"><span style="font-size: medium;">This post is a primer on how cloud instances of Workspace ONE and Carbon Black are layered onto Horizon deployments to beef up security for remote access. It starts with a brief overview of Horizon remote access, then elaborates on the security enhancements provided by these cloud services. I'll essentially break down and explain the image above with, yet, more stolen images! Yes, for this post I've gathered some of the best images I've ever stolen, modified or otherwise used and abused in the name of love and technical clarity. </span></span><span style="font-size: medium;"><span style="font-family: "Helvetica Neue";">After using these images to illustrate the security enhancements enabled for Horizon from the cloud, I’ll move on to review VMware’s Secure Access, a key component of the Anywhere Workspace offering.</span><span class="Apple-converted-space" style="font-family: "Helvetica Neue";"> </span><span style="font-family: "Helvetica Neue";">VMware Secure Access offers an interesting alternative to Horizon, one that extends the benefits of SD-WAN and SASE to a less centralized remote access deployment. 
</span></span></b></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><span style="font-family: "Helvetica Neue";"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><b><span style="font-size: x-large;">Delivering Windows Desktops Or Published Applications Through Horizon</span></b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 14px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><b><br /></b></span></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijISZRLL2jGWhUyyhQD3Vwzil0e19uuw4XToVtQp4ETDF6pBuwHT3jtYHWLk3ftpEvXytwRd9sTlKOLzaHTo3CnYma0IqzPRg7xR1XkAnQ737LdIaHpe88BtTR5Zqqy_YtNKvGd6jo2bhW/s640/Screen+Shot+2021-09-18+at+12.11.15+PM.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="172" data-original-width="640" height="172" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijISZRLL2jGWhUyyhQD3Vwzil0e19uuw4XToVtQp4ETDF6pBuwHT3jtYHWLk3ftpEvXytwRd9sTlKOLzaHTo3CnYma0IqzPRg7xR1XkAnQ737LdIaHpe88BtTR5Zqqy_YtNKvGd6jo2bhW/w640-h172/Screen+Shot+2021-09-18+at+12.11.15+PM.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Stolen From Todd Dayton</td></tr></tbody></table><br /><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 14px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 14px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 14px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 14px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 14px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><b><br /></b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; 
margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><b>The above graphic presents a rudimentary but conceptually useful breakdown of VMware Horizon. To begin with, you have a desktop or RDSH image living within a VM, supported on the same vSphere technology used for traditional server workloads. A Horizon Connection Server, very much the brains of a Horizon deployment, has full admin access to this vSphere environment, using those rights for provisioning and inventory purposes. This Connection Server also acts as a broker for incoming connections, routing users to their assigned desktops or RDS hosts after they've been authenticated. 
Users eventually view and remotely control their desktops or published applications through display protocols like Blast or PCoIP. </b></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><b>So, to extend vSphere goodness to desktops we've had to bring the desktops to the vSphere infrastructure, with the desktop OS and supported apps shifting locality from the endpoint to the datacenter. From there, the Windows desktop is essentially converted into a service that can be consumed from pretty much any device that has network connectivity to the Horizon environment. The benefits of this model really start to pop when folks are mobile or shifting across various devices. While your device and network location may change, your virtual desktop stays the same, maintaining the Windows desktop session state. This leads to a consistent and reliable user experience often referred to as a "Follow-Me" desktop, a concept that's been breaking hearts and taking names in healthcare for over a decade. 
</b></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil9HJHC6lHRUi_WJj_T_9PAlcbJJZJla4aqzHyqn8Ps2k3WTIpclZvk6MD9b8LpneiluLIAtnN85oTMHHrSRx5durlPA9JT6YCCLce3bkRNE9t4kbKpLDqk-EDDSejR5lIT4glvkQMyeeI/s640/Screen+Shot+2021-08-30+at+8.14.44+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="302" data-original-width="640" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEil9HJHC6lHRUi_WJj_T_9PAlcbJJZJla4aqzHyqn8Ps2k3WTIpclZvk6MD9b8LpneiluLIAtnN85oTMHHrSRx5durlPA9JT6YCCLce3bkRNE9t4kbKpLDqk-EDDSejR5lIT4glvkQMyeeI/w640-h302/Screen+Shot+2021-08-30+at+8.14.44+PM.png" width="640" /></a></div><br /><p></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: 
none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 
13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none; font-size: medium;"><b>With doctors and nurses highly mobile within the walls of a hospital, this "Follow-Me" desktop experience really shines, especially when combined with a badge access solution like Imprivata. As a 13-year veteran from the mean streets of non-profit healthcare IT, I'd say this user experience is impossible to beat when supporting clinicians and is what drives a lot of VDI adoption in healthcare. 
Here's a quick demo: </b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"></p><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dwNBOoiHuBjxX88RcTrt5joNQeLBIoVmsQ49lvn8aigi4wb0VllTdKgVXHxg8fNk234cfuF7pjrs2amF9Td7g' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div><br /><span class="s1" style="font-kerning: none;"></span><p></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none; font-size: medium;"><b>High mobility, along with the need to share work areas, makes clinicians uniquely suited to benefit from this model. That said, if you're an office worker with a dedicated cubicle and a dedicated workstation tethered to it, and all your work is done within that cubicle, then the "Follow-Me" desktop lacks wow factor. However, as soon as you throw in any kind of mobility, even if it's just between cubicles, the question "Why bother with Horizon?" starts to melt away. Throw in remote access from home, possibly in a BYOD scenario, and the question is completely obliterated. In those scenarios, a "Follow-Me" desktop, one that follows you from work to home, then back, makes for the ideal Windows user experience. 
</b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioRkq3n5xuTRD1MhVF870sIZoWxCUvntu8D0L5I7e8x4JHb6Vh9K-9wBRG8HCR-F08Ij1_t6wryoT1k07EimDRqBuSZqhXTHTTQP_gfSPfmNiB7VR-k_643DQLGIAiE4Xmud_-gOjDw6lq/s638/from_home.png" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="266" data-original-width="638" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioRkq3n5xuTRD1MhVF870sIZoWxCUvntu8D0L5I7e8x4JHb6Vh9K-9wBRG8HCR-F08Ij1_t6wryoT1k07EimDRqBuSZqhXTHTTQP_gfSPfmNiB7VR-k_643DQLGIAiE4Xmud_-gOjDw6lq/w640-h266/from_home.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Original Image From: <a href="https://techzone.vmware.com/resource/using-horizon-access-physical-windows-machines#" target="_blank">Using Horizon To Access Physical Machines</a></td></tr></tbody></table><br /><span class="s1" style="font-kerning: none;"></span><p></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br 
/></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; 
font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; 
margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="font-size: medium;"><b>The path these remote Horizon sessions take from users' homes to your trusted network is provided and secured through Unified Access Gateway.</b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="font-size: large;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none; font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); 
color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none; font-size: x-large;"><b>Providing Remote Access To Your Horizon Service</b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none; font-size: medium;"><b><br /></b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none; font-size: medium;"></span></p><p class="p2" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none; font-size: medium;"><b>Remote Horizon access is enabled through Unified Access Gateway (UAG), a Linux virtual appliance that's typically deployed in a DMZ. It acts as a gateway for your external Horizon users, ensuring all traffic from the remote endpoint device to the virtual desktop or RDS host is on behalf of a strongly authenticated user. Below is a depiction of Blast, Horizon's display protocol of choice, as it traverses a UAG appliance after successful authentication. Encryption of this traffic is handled end to end for the entire session through the Blast protocol itself. 
</b></span></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLPsDvRSxyQazL7cWh-NMd5lIf0fjSzcsZ8K1K-Wc0GXRK1iijVTg3tlIJZSNP1AgCBvd-7d_BT1ohlGXid6qyqEWci8CtcchWWO0T8ZNbY9iWVu7Z-I1h7utHGhyphenhyphenY3z0bInW8QxEqIQTk/s638/Screen+Shot+2021-08-30+at+8.22.47+PM.png" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="252" data-original-width="638" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLPsDvRSxyQazL7cWh-NMd5lIf0fjSzcsZ8K1K-Wc0GXRK1iijVTg3tlIJZSNP1AgCBvd-7d_BT1ohlGXid6qyqEWci8CtcchWWO0T8ZNbY9iWVu7Z-I1h7utHGhyphenhyphenY3z0bInW8QxEqIQTk/w640-h252/Screen+Shot+2021-08-30+at+8.22.47+PM.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><br /></td></tr></tbody></table><br /><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); 
color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 
0px 0px 13px;"><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><b><span class="s1" style="font-kerning: none;">Now, as far as the initial authentication goes, there are various options with UAG. The default authentication method is passthrough, where the user types in an AD username and password that are validated against Horizon's local AD environment. However, when <a href="https://www.youtube.com/watch?v=YyKJxjZgZEI" target="_blank"><span class="s2" style="-webkit-text-stroke-color: rgb(253, 134, 8); color: #fd8608; font-kerning: none;">Workspace ONE mode</span></a> is enabled on Horizon Connection Servers, UAG passes SAML traffic for authentication instead, ensuring all Horizon Blast traffic passing through the UAG appliance is for users who have been authenticated according to conditional access policies defined in Access. 
Leveraging WS1 </span><span>Access in this fashion provides admins with the most flexibility and widest range of options when it comes to securing remote access to Horizon.</span></b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none; font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none; font-size: x-large;"><b>Brokering Authentication For Horizon Using Workspace ONE Access</b></span></p><p class="p2" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 13px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 15px;"><span class="s1" style="font-kerning: none;"></span><br /></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"></span></p><p class="p3" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none; font-size: medium;"><b>Conversations around Workspace ONE Access typically focus on the portal and SSO experience it provides for Horizon and 3rd party SaaS apps. 
What's often neglected is how WS1 Access acts as a broker for different authentication methods as someone initially logs into the portal or accesses a specific app. Through conditional access policies, admins enforce contextual authentication against the various security solutions WS1 Access has been integrated with. Auth requirements for any particular app are determined by the specifics of these policies and a user's current context. App access may be a simple SSO experience or as complex as MFA from a fully enrolled and compliant device. For a deeper dive on conditional access policies and SAML, check out this <a href="https://www.youtube.com/watch?v=TpOjeeJffZo&t=447s" target="_blank"><span class="s2" style="-webkit-text-stroke-color: rgb(253, 134, 8); color: #fd8608; font-kerning: none; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">overview on YouTube.</span></a> </b></span></p><p class="p3" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p3" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_HZ7Efg9lXYgaLrgwrK6QLPrPMZQPSVZCy-DWxV0bUcMwdn33UNp0UtHpeDlwkiZdPITs-pTNEWeUGpFxa5raVkH4NiHvLCBVvajKxisVCdpRyII5wf6QvezR9YeQYqUmIcnu-BpsYAd3/s640/Screen+Shot+2021-08-30+at+8.39.36+PM.png" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img 
border="0" data-original-height="340" data-original-width="640" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_HZ7Efg9lXYgaLrgwrK6QLPrPMZQPSVZCy-DWxV0bUcMwdn33UNp0UtHpeDlwkiZdPITs-pTNEWeUGpFxa5raVkH4NiHvLCBVvajKxisVCdpRyII5wf6QvezR9YeQYqUmIcnu-BpsYAd3/w640-h340/Screen+Shot+2021-08-30+at+8.39.36+PM.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Base Image Stolen From Peter Bjork</td></tr></tbody></table><br /><span class="s1" style="font-kerning: none;"></span><p></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: 
normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-kerning: none; font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="color: #8fb8e2; font-family: "Trebuchet MS"; font-kerning: none; font-size: medium;"><b>Several of the inbound authentication options detailed above are made possible through the deployment of a Workspace ONE Access connector in the customer's trusted network. This connector is key to integration with an AD environment, syncing AD users to Workspace ONE Access and providing the ability to authenticate against AD. It also enables your tenant's integration with on-premises resources such as your Horizon environments or <a href="https://www.evengooder.com/2018/11/integrate-vIDM-Cloud-with-radius.html" target="_blank"><span class="s2" style="-webkit-text-stroke-color: rgb(253, 134, 8); color: #fd8608; font-kerning: none;">security solutions that support RADIUS</span></a>. Depending on the specifics of your deployment, these WS1 Access Connectors may be the only additional on-premises resources required to secure Horizon from the cloud. 
</b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none; font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi167MAXa94nAkbCJa9kkWhsQ4NZ4-9L6TfKCoo2o9AbCe4xWnG-ekPn8f_Ks857MVXcna6sROhmsPryugntCgiZasPK2QxrBPtKZTZjKe1zNAAeRgVn1Gtbd82MGqLUG4hr1lkDrtUFY8S/s640/Screen+Shot+2021-09-07+at+9.06.30+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="493" data-original-width="640" height="494" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi167MAXa94nAkbCJa9kkWhsQ4NZ4-9L6TfKCoo2o9AbCe4xWnG-ekPn8f_Ks857MVXcna6sROhmsPryugntCgiZasPK2QxrBPtKZTZjKe1zNAAeRgVn1Gtbd82MGqLUG4hr1lkDrtUFY8S/w640-h494/Screen+Shot+2021-09-07+at+9.06.30+AM.png" width="640" /></span></a></div><span style="font-size: medium;"><br /></span><p></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: 
none; font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="font-size: medium;"><b><span>Now, when it comes to integrating WS1 Access with 3rd-party security solutions, SAML chaining allows integration with popular names like Okta, Ping and Azure, as well as any other solution that supports SAML. After configuring these 3rd-party solutions as trusted IDPs for WS1 Access, we can leverage their authentication mechanisms for applications managed through Access. Below is an example of this process for an Okta integration, something I'm seeing a lot of nowadays. With a fully documented process for configuring Okta as an IDP, "</span><a href="https://docs.vmware.com/en/VMware-Workspace-ONE/services/workspaceone_okta_integration.pdf" target="_blank"><span class="s2" style="-webkit-text-stroke-color: rgb(253, 134, 8); color: #fd8608; font-kerning: none;">Integrating VMware Workspace ONE With Okta</span></a><span>," it's a very accessible option for Workspace ONE customers who already leverage Okta for MFA. 
</span></b></span></p><p class="p2" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px;"><span style="font-size: medium;"><span class="s1" style="font-kerning: none;"></span><br /></span></p><p class="p3" style="-webkit-text-stroke-color: rgb(173, 173, 173); color: #adadad; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 15px; text-align: center;"><span style="font-size: medium;"><span class="s1" style="font-kerning: none;"></span><br /></span></p><div class="separator" style="clear: both; text-align: center;"><span style="font-size: medium;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dwkxdWrG4nPY3Mj3Gxinnii1-FJ7E1d7UcNkwGVPoRgZ-o-1Aj-KcedpDrEgRu36lKPtqeD14FgoGd3NgQ3NA' class='b-hbp-video b-uploaded' frameborder='0'></iframe></span></div><span style="font-size: medium;"><br /></span><p class="p4" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 14px; text-align: center;"><span style="font-size: medium;"><span class="s1" style="font-kerning: none;"></span><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none; font-size: medium;"></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); 
color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none; font-size: medium;"><b>WS1 Access is basically integration goo, allowing you to integrate Horizon, or any other SAML compliant apps, with whatever security solutions you already have in place. By linking up with these 3rd party solutions we enjoy a richer set of conditional access policies, as we pick and choose amongst various auth requirements for Horizon across different use cases and scenarios. This ability to integrate with the security solutions customers are already using to protect their environments makes WS1 Access truly compelling. You end up with something a bit motley and Frankenstein-ish, or <a href="https://www.adultswim.com/videos/rick-and-morty/its-pickle-rick" target="_blank"><span class="s2" style="-webkit-text-stroke-color: rgb(253, 134, 8); color: #fd8608; font-kerning: none;">pickle-Rick-ish</span></a> if you will, but arguably that's sort of unavoidable when you're stitching together disparate solutions from across your enterprise. 
</b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none; font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7zJfjaYysuZ7ANUEABG0csYEjvjrTq8HimWcchKV6pUc_xN0y2VBj6IEIsCF_2YGOYHo0v9jXVmDJbk-dE_zEWBMFao5zqTi1cEjas04QVxmdMXqStzMNynAgpINx4YW6UvGpuJ4bK0-q/s400/Screen+Shot+2021-09-30+at+8.30.52+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="398" data-original-width="400" height="398" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7zJfjaYysuZ7ANUEABG0csYEjvjrTq8HimWcchKV6pUc_xN0y2VBj6IEIsCF_2YGOYHo0v9jXVmDJbk-dE_zEWBMFao5zqTi1cEjas04QVxmdMXqStzMNynAgpINx4YW6UvGpuJ4bK0-q/w400-h398/Screen+Shot+2021-09-30+at+8.30.52+AM.png" width="400" /></span></a></div><span style="font-size: medium;"><br /><span class="s1" style="font-kerning: none;"></span></span><p></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: 
#8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="font-size: medium;"><b>A WS1 Access deployment is only as interesting as the solutions it's been integrated with. While support for SAML and RADIUS integrations with 3rd parties offers many alternatives, where things get really exciting is the built-in support for Workspace ONE UEM. Looking at the Inbound/Outbound graphic above, mechanisms like "Certificate," "Mobile SSO For Android," "Mobile SSO For iOS," and "Device Compliance" result from the integration between Workspace ONE Access and Workspace ONE UEM.</b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none; font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><b><span style="font-size: x-large;">Informing Conditional Access Policies With Device Status Insight From UEM</span></b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" 
style="font-kerning: none;"><b><span style="font-size: medium;"><br /></span></b></span></p><p class="p2" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><b>When Workspace ONE Access and UEM are integrated, Horizon access can be predicated on enrollment or even device compliance. This leads to a much more discerning, richer set of conditional access policies. Essentially, we're taking WS1 Access conditional access policies and juicing them with UEM insight, leading to more informed policies that drive contextual authentication.</b></span></span></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><img border="0" data-original-height="312" data-original-width="640" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdYAOR9zyj4w9naNxG7O5EK1Ebyn6VtgVyZ4IpPPwWKqlZZGvUr626QfC0OGjtMIU-TmFypdLacRmn1G33crpxPzUkpmKonaqN0pqGPzIXQ_mysrgIEJS6CJfzUjoA50ELFd2J2V83OLoz/w640-h312/Screen+Shot+2021-09-12+at+9.39.09+AM.png" style="margin-left: auto; margin-right: auto;" width="640" /></td></tr><tr><td class="tr-caption" style="text-align: 
Stolen">
center;">Stolen Image From Andreano Lanusse</td></tr></tbody></table><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><b><span style="font-size: medium;">This progression towards zero trust begins with the various certificate-based authentication options supported by the integration of UEM and WS1 Access. Going back to the Inbound/Outbound graphic of the previous section, the arrows for "Mobile SSO for iOS," "Mobile SSO for Android," and "Certificates" (for Win10 and macOS) are enabled through the integration of WS1 UEM and Access. While these methods are enforced through Access, the certificates are delivered through UEM, effectively mandating device enrollment in UEM for access to Horizon. Further, "Device Compliance" can only work in conjunction with one of these authentication methods. So, in the case of modern management, we're talking about a combination of certificate auth through WS1 Access, certs delivered through UEM, and UEM device compliance policies for Win10 and macOS.</span></b></p><div class="separator" style="clear: both; text-align: center;"><span style="clear: left; float: left; font-size: medium; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="456" data-original-width="639" height="456" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaTjBNVVsCFqwmxLulPbAYS48JQwhj3UNnm6kGuKAW33GPKrG1_Ih9cp2SSli85wmFjXBqYv_PvayS-EvFl3Yj9z9HBpCHHcQ8BhtG75MtpcbUMZeyfgn8WdsJyoCZAoYSk5tYZzukiLRP/w640-h456/Screen+Shot+2021-09-12+at+10.06.36+AM.png" width="640" /></span></div><span style="font-size: medium;"><br /></span><p></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: 
normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><b>While device compliance policies wonderfully highlight the ability to interrogate devices with UEM, WS1 UEM enrollment actually MAKES devices more secure. It's not just about interrogation, but also the ability to help the device course-correct and achieve a secure posture. The nitty-gritty, under-appreciated work that is nonetheless absolutely critical to security, like patching, firewall configuration, device encryption and general configuration management, falls right in the wheelhouse of WS1 UEM. So, along with vouching for the state of the device, it's also literally making it more secure. 
This management and control is further extended through an integrated deployment of Carbon Black, a Next-Gen Antivirus solution for Win10 and macOS.</b></span></span></p><p class="p2" style="-webkit-text-stroke-color: rgb(173, 173, 173); color: #adadad; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p3" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><b><span style="font-size: x-large;">Carbon Black</span></b></span></p><p class="p4" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px; min-height: 15px;"><span style="font-size: medium;"><span class="s1" style="font-kerning: none;"></span><br /></span></p><p class="p2" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><span class="s1" style="font-kerning: none;"></span></span></p><p class="p5" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><b>While UEM management addresses security concerns from the perspective of system configuration and maintenance, Carbon Black 
addresses security head-on when it comes to fighting off hackers, malware and ransomware. Core to the suite is cloud-based Next-Gen antivirus and behavioral EDR, with an option to fall back to more traditional signature protection. Carbon Black's NGAV and EDR entail the application of machine learning and AI against data aggregated from millions of customer endpoints. We're talking over 500 TB of endpoint data, over 1 trillion events a day, getting reported to and processed in the Carbon Black cloud. This insight is then brought to bear when controlling behavior on endpoint devices.</b></span></span></p><p class="p5" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p5" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbAXP6cQ5F4Hum3iRUa5y_sNo_kDB8pYzD72rjzB7EUlOg9V-IpsjzFnPbwZVaG_TB62ydMj5IALmrNHk8WnoPwD2RGrSxaIARqa1HjSA_DV_7Oodm_4SHicDvlLVjkYKJ0ggu9MspBylC/s640/Carbon_Black.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="274" data-original-width="640" height="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbAXP6cQ5F4Hum3iRUa5y_sNo_kDB8pYzD72rjzB7EUlOg9V-IpsjzFnPbwZVaG_TB62ydMj5IALmrNHk8WnoPwD2RGrSxaIARqa1HjSA_DV_7Oodm_4SHicDvlLVjkYKJ0ggu9MspBylC/w640-h274/Carbon_Black.png" width="640" /></span></a></div><span style="font-size: medium;"><br /><span class="s1" 
style="font-kerning: none;"><br /></span></span><p></p><p class="p5" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p5" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p5" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p5" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p5" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="font-size: medium;"><span class="s1" style="font-kerning: none;"></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" 
style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: large;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><b>While cloud is core to Carbon Black's security insight, it has the added benefit of making Carbon Black easier to deploy and manage. For a typical customer there's zero on-premises infrastructure to be concerned with. 
You have a cloud tenant to configure and an agent to deploy to your Win10 or macOS devices and that's the extent of your concern. For Horizon VDI environments you can simply add the agent to your gold images and you're off to the races. For endpoint devices Workspace ONE UEM itself can easily distribute the agent to managed endpoints. </b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><img border="0" data-original-height="326" data-original-width="640" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjfq4GKe-dt8jHCuGSEH3v57vB1it1hIGeNyPkGLociUEIw8TDRJtlx6OlfBTswTBDD1cnlrdkEMZx3mpcmLhMTiiF6JsXpi9KqRQa1u7J9OZ_y9ah0W6-RL5sCsodCKtxrlYZapIZkBkD/w640-h326/Carbon_Black_WS1.png" style="margin-left: auto; margin-right: auto;" width="640" /></td></tr><tr><td class="tr-caption"><a href="https://www.youtube.com/watch?v=bAZIxhkuJhU&t=58s" target="_blank">Workspace ONE Intelligence and VMware Carbon Black: Automating Device Quarantine Feature Walkthrough</a></td></tr></tbody></table><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><b>Even more exciting is the ability to trigger actions in Workspace ONE UEM based on threats detected by Carbon Black on managed endpoint devices. 
</b><b>So, for example, if a threat is detected on a device not only can Carbon Black respond, but additional measures can be automatically executed through WS1 UEM to remediate the endpoint. This is made possible by WS1 Intelligence and the ruthless automation it can enable for WS1 environments. </b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><br /></span></span></p><p class="p2" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><b><span style="font-size: x-large;">Workspace ONE Intelligence - Gelling It Together Even Further</span></b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><span class="s1" style="font-kerning: none;"></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><b>For this ideal remote access Horizon scenario, Workspace ONE Intelligence introduces <a href="https://www.evengooder.com/2021/06/Ruthless-Automation-With-WS1-Intelligence.html" target="_blank"><span class="s2" style="-webkit-text-stroke-color: rgb(253, 134, 8); color: #fd8608; 
rut">
font-kerning: none;">ruthless automation</span></a> while also informing conditional access policies with User Risk Scores and Login Risk Scores. As mentioned above, we can trigger automated workflows within Intelligence based on threats detected by Carbon Black. We can also trigger this automation based on device information gathered from WS1 UEM, which includes over 200 data points. Should you require data not collected by UEM out of the box, you can collect additional attributes using custom Sensors for your modern management scenarios. Sensors enable this extensibility using <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/Windows_Desktop_Device_Management/GUID-uemWindeskSensors.html" target="_blank"><span class="s2" style="-webkit-text-stroke-color: rgb(253, 134, 8); color: #fd8608; font-kerning: none;">PowerShell scripts on Win10</span></a> or <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/macOS_Platform/GUID-0CF2ED40-3BF9-4064-B352-F6CDDEC95E4B.html" target="_blank"><span class="s2" style="-webkit-text-stroke-color: rgb(253, 134, 8); color: #fd8608; font-kerning: none;">bash, python and Zsh scripts on macOS</span></a>. 
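rut">
</b></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><b>The custom Sensor mentioned above, as an added example that is not code from the original post or from VMware: a Windows 10 PowerShell sensor that reports the three posture points this post keeps coming back to (firewall, disk encryption and patch currency) as one string that an Intelligence workflow can filter on to trigger remediation. It assumes the sensor is created in the UEM console as a PowerShell script running in the System context with a String response type, and that UEM records whatever the script writes to standard output as the sensor value; the cmdlets are standard Windows ones, while the 30-day patch threshold and the value strings are constructed for this example.</b></span></span></p>

```powershell
# Added example (not from the original post or VMware): a Workspace ONE UEM
# custom Sensor for Windows 10 that reports device posture as a single string.
# Assumptions: created in the UEM console as script type PowerShell, execution
# context System, response data type String; UEM stores the script's standard
# output as the sensor value, so exactly one value is written at the end.

# 1. Windows Firewall: every profile (Domain, Private, Public) must be enabled.
#    Get-NetFirewallProfile with no arguments returns all three profiles.
$disabledProfiles = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
$allFirewallOn = ($disabledProfiles | Measure-Object).Count -eq 0

# 2. Disk encryption: BitLocker protection must be On for the OS volume.
#    Requires the BitLocker module (Windows 10 Pro/Enterprise); a missing
#    module or unmanaged volume is treated as "not encrypted".
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$encrypted = ($null -ne $osVolume) -and ($osVolume.ProtectionStatus -eq 'On')

# 3. Patch currency: days since the most recently installed hotfix.
#    Some Get-HotFix entries have no InstalledOn date, so those are skipped.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$daysSincePatch = if ($lastPatch) {
    (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
} else {
    9999   # constructed sentinel: no dated patch history at all
}

# Reduce the findings to one value. "compliant" means nothing was flagged;
# otherwise a semicolon-separated list of findings, which a workflow rule
# such as value -ne "compliant" or value -contains "unencrypted" can act on.
$findings = @()
if (-not $allFirewallOn)    { $findings += 'firewall-off' }
if (-not $encrypted)        { $findings += 'unencrypted' }
if ($daysSincePatch -gt 30) { $findings += "stale-patch:$daysSincePatch" }   # constructed threshold

if ($findings.Count -eq 0) {
    Write-Output 'compliant'
} else {
    Write-Output ($findings -join ';')
}
```

The sensor deliberately emits one compact string rather than three separate booleans so that a single Intelligence rule can key off it; if you prefer per-attribute dashboards, split each check into its own sensor with a Boolean or Integer response type, since UEM evaluates one value per sensor.

<p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="font-size: medium;"><b>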
</b></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpe3PFJmPkLCrCR-YsxbO0g1N0BopeUHbIUnAoKuzUm06gNE9Dz3qjQymZBvCWs2WZcpptD7NAwfC6YCzCgBvS2NKBoNw2Po2cBh0TZh4LmPK9bha4mkrA3rAUikkWGesXJfHJw5lP0upe/s640/Screen+Shot+2021-09-14+at+9.53.26+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="273" data-original-width="640" height="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpe3PFJmPkLCrCR-YsxbO0g1N0BopeUHbIUnAoKuzUm06gNE9Dz3qjQymZBvCWs2WZcpptD7NAwfC6YCzCgBvS2NKBoNw2Po2cBh0TZh4LmPK9bha4mkrA3rAUikkWGesXJfHJw5lP0upe/w640-h274/Screen+Shot+2021-09-14+at+9.53.26+AM.png" width="640" /></span></a></div><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: 
rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><br /></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); color: #8fb8e2; font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="font-size: medium;"><b><span class="s1" 
style="font-kerning: none;">The data collected within the Intelligence data lake drives ruthless automation that ensures Win10 and macOS devices are properly configured. This data is also leveraged to generate <a href="https://docs.vmware.com/en/VMware-Workspace-ONE/services/intelligence-documentation/GUID-14_intel_user_risk_dashboard.html" target="_blank"><span class="s2" style="-webkit-text-stroke-color: rgb(253, 134, 8); color: #fd8608; font-kerning: none;">User Risk Scores and Login Risk Scores</span></a> ingested by conditional access policies. In this manner, WS1 Intelligence Risk Analytics enable WS1 Access to calibrate contextual authentication with data regarding anomalous or risky behavior. </span><span class="s3" style="-webkit-text-stroke-color: rgb(173, 173, 173); color: #adadad; font-kerning: none;"> </span></b></span></p><p></p><p class="p2" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="color: #9fc5e8; font-size: medium;"><br /></span></span></p><p class="p3" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><b><span style="color: #9fc5e8; font-size: x-large;">VMware Anywhere Workspace </span></b></span></p><p class="p3" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><b><span style="color: #9fc5e8; font-size: medium;"><br /></span></b></span></p><p class="p3" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet 
MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><b><span style="color: #9fc5e8; font-size: medium;"><br /></span></b></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4bfRJJtaxGkh2xSwQqIL8EQB6PAJS2LLygmob4kPPUxfX9Is8edQ6xvlJO20repoVP6q_9veVl5aKAviCp7qJkYQPZJAxW42KXKS2cT3vXi1CgchYVuDGlrpgkjBoaM7DH9yKzwmDd5Vk/s1168/Screen+Shot+2021-10-05+at+8.20.00+AM.png" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="1062" data-original-width="1168" height="291" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4bfRJJtaxGkh2xSwQqIL8EQB6PAJS2LLygmob4kPPUxfX9Is8edQ6xvlJO20repoVP6q_9veVl5aKAviCp7qJkYQPZJAxW42KXKS2cT3vXi1CgchYVuDGlrpgkjBoaM7DH9yKzwmDd5Vk/w320-h291/Screen+Shot+2021-10-05+at+8.20.00+AM.png" width="320" /></span></a><span class="s1" style="font-kerning: none; font-size: medium;"></span></div><p class="p3" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="color: #9fc5e8; font-size: medium;"><b>Cloud instances of WS1 and Carbon Black offer existing Horizon customers a clear path forward for enhancing security. However, if Horizon isn't viable but you still have a remote use case you'd like to enhance with the security capabilities discussed so far, then you probably want to check out VMware's Anywhere Workspace. Workspace ONE and Carbon Black are core to the Anywhere Workspace solution and can enhance VMware Secure Access with some of the same benefits they lend to Horizon. 
Secure Access marries together Workspace ONE with VMware's SASE solution based on SD-WAN by VeloCloud, offering an alternative that overlaps with remote Horizon access but, more notably, enhances connectivity and security for remote endpoints from the cloud. </b></span></p><p class="p3" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p class="p3" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span style="color: #9fc5e8; font-size: medium;"><b>Where Secure Access first differs from Horizon is that instead of providing remote connectivity to a desktop or RDS host back in the datacenter, you're running applications locally on your modern managed Win10 or macOS devices. Workspace ONE UEM can provision these applications as well as provide them remote access back to your trusted network through Workspace ONE UEM's Per-App VPN. With this model a TLS session is automatically established back to your trusted network for specific applications based on device compliance policies. This is ideal for a traditional client/server application running locally on your endpoint or perhaps a browser hitting an internal site. Per-App VPN has always distinguished itself from traditional VPN solutions by limiting VPN connectivity to specific defined apps, rather than the whole device. Further, it simplifies access because there's no need for a user to manually launch a VPN client. 
Instead, a TLS session is automagically established on behalf of the user when an enabled app is launched.</b></span></p><p class="p2" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"></span></p><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLTaBmK1YuDlzChtIw8z_LQ09SPYI7OEiHPbt9AfB5cTeGESGdJOJVrTT5y7WP6rLruh3eZpYr2EbvCTzPsoU50jSk202grrtx_untaZp-RPyEN8EAD_JElFphyij4xJiT4PCbSsRhzO6r/s873/per-app_vpn_.png" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="330" data-original-width="873" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLTaBmK1YuDlzChtIw8z_LQ09SPYI7OEiHPbt9AfB5cTeGESGdJOJVrTT5y7WP6rLruh3eZpYr2EbvCTzPsoU50jSk202grrtx_untaZp-RPyEN8EAD_JElFphyij4xJiT4PCbSsRhzO6r/w640-h242/per-app_vpn_.png" width="640" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><a href="https://techzone.vmware.com/deploying-vmware-workspace-one-tunnel-workspace-one-operational-tutorial" target="_blank">Deploying VMware Workspace ONE Tunnel: Workspace ONE Operational Tutorial</a></td></tr></tbody></table><div class="separator" style="clear: both; text-align: center;"><span class="s1" style="font-kerning: none;"></span></div><p class="p2" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="color: #9fc5e8; font-size: medium;"><b>Per-App VPN has been part of the AirWatch portfolio for over half a decade, supporting modern management use cases for 
years. Secure Access innovates by delivering this Per-App VPN capability through VMware's SASE offering, merging WS1 with VMware's SD-WAN solution (VeloCloud). With this model, instead of supporting Per-App VPN through VMware Tunnel on a UAG appliance sitting in the customer's DMZ, the VMware Tunnel Service is hosted on behalf of the customer within SASE PoPs. In a nutshell, VMware Tunnel is hosted as a service, in containers, simultaneously across various SASE PoPs. Per-App connections are routed from the Tunnel app on endpoint devices to the closest SASE PoP, with most users able to find one within 10 milliseconds of latency. Once traffic hits this PoP, the benefits of VeloCloud SD-WAN are extended to this VPN access, with optimized connectivity to corporate data centers as well as SaaS and cloud service providers. </b></span><span style="color: #9fc5e8; font-size: large;"><b> </b> </span></p><p class="p2" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikutflYu0KctEYds9BrAVs94RKMQ3YVT1GifokDAO0RynN2-UEBF1xVdR1IXMyah2gu-p-ZonuflQh8FCBkKOINrWvd_Qs1K1b0gP2MJaGzH6g1uCuhbsMJZNsobAexJOYkjdGTv-NeSTh/s2572/Screen+Shot+2021-10-09+at+7.40.18+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="850" data-original-width="2572" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikutflYu0KctEYds9BrAVs94RKMQ3YVT1GifokDAO0RynN2-UEBF1xVdR1IXMyah2gu-p-ZonuflQh8FCBkKOINrWvd_Qs1K1b0gP2MJaGzH6g1uCuhbsMJZNsobAexJOYkjdGTv-NeSTh/w640-h212/Screen+Shot+2021-10-09+at+7.40.18+PM.png" width="640" /></a></div><br /><span style="color: #9fc5e8; font-size: medium;"><br /></span><p></p><div class="separator" 
style="clear: both; text-align: center;"><br /></div><p class="p2" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="color: #9fc5e8; font-size: medium;"><b>Along with enhancing network connectivity we're getting security enhancement from within the SASE PoP through Cloud Web Security. This new offering introduces features like SSL inspection, URL filtering and content filtering. So with the VMware Secure Access model you're not only farming out management of VPN concentrators or UAG instances, you're also moving traditional security security services from on-premises to the cloud. Running these services within the SASE PoPs circumvents the need for hair pinning internet traffic back through your on-premises network for inspection, certainly a boon for remote performance. </b></span></p><p class="p2" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="color: #9fc5e8; font-size: medium;"><b><span style="color: #9fc5e8; font-family: "Trebuchet MS";">Though there's overlap between Horizon and VMware Secure Access capabilities, they are very different solutions with different strengths and caveats. </span><span style="font-family: Trebuchet MS;">If you're looking to offer a highly curated Windows experience, particularly one that supports a traditional client/server app hosted internally, Horizon is compelling. </span></b><span style="color: #9fc5e8; font-family: Trebuchet MS;"><b>All that nitty gritty, unsexy, and persnickety Windows management, in particular customization of Windows applications, is centrally handled and managed by Horizon in a model that's over a decade old. 
Further, with Horizon itself supporting SAML, you get the full breadth of WS1 Access capabilities when protecting legacy Windows applications. That said, VMware Secure Access is certainly an intriguing proposition, offering optimized connectivity to corporate networks and the cloud while moving security services closer to remote users. Ideally, as a customer I'd want Horizon around for the more meticulous Windows requirements, while leveraging Secure Access for everything else.</b> </span></span></p><p class="p2" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="color: #9fc5e8; font-size: medium;"><span style="color: #9fc5e8; font-family: Trebuchet MS;"> </span></span></p><p class="p2" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px;"><span class="s1" style="font-kerning: none;"><b><span style="color: #9fc5e8; font-size: x-large;">Final Thoughts</span></b></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="color: #9fc5e8; font-size: medium;"><br /></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(143, 184, 226); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span style="color: #9fc5e8; font-size: medium;"><span class="s1" style="font-kerning: none;"></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; 
font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="color: #9fc5e8; font-size: medium;"><b>A couple of months ago I presented this best case scenario for remote Horizon access to a session full of jaded, cynical and curmudgeonly IT veterans. As we digested the current state of the entire VMware EUC stack regarding remote access, I think our collective experience was similar to a parent who has just realized, "holy cow, my baby has grown up and baby is bad!" While VDI over the last 5 years, at its core, has stayed largely the same, albeit with tons of polish and stability enhancements, the methods for securing its remote consumption have very much changed and evolved. A decade ago it was all about, "slap a Horizon client on whatever you want, no data will be at rest on that remote device, so, don't worry, be happy." Fast forward to 2021: we can now require that a device remotely accessing Horizon is managed, compliant with policy and reporting no known threats before it connects, while authenticating the user from that device according to a wide range of contextual authentication options. This is all achieved leveraging mature and proven solutions delivered from the cloud, services that not only radically improved remote Horizon security but are also the foundation of VMware's new Anywhere Workspace offering. 
</b></span></span></p><p class="p1" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"></span></p><div class="separator" style="clear: both; text-align: center;"><span class="s1" style="font-kerning: none;"><iframe allowfullscreen="" class="BLOG_video_class" height="266" src="https://www.youtube.com/embed/ruAi4VBoBSM" width="320" youtube-src-id="ruAi4VBoBSM"></iframe></span></div><span class="s1" style="font-kerning: none;"><br /></span><p class="p1" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="color: #9fc5e8; font-size: medium;"><br /></span></span></p><h3 style="font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px; text-align: left;"><span class="s1" style="font-kerning: none; font-size: x-large;"><span style="color: #9fc5e8;">VMworld 2021 Announcement</span><span style="color: #9fc5e8;">s </span></span></h3><p class="p1" style="-webkit-text-stroke-color: rgb(173, 173, 173); font-family: "Trebuchet MS"; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal; margin: 0px 0px 13px;"><span class="s1" style="font-kerning: none;"><span style="color: #9fc5e8; font-size: medium;"><b>Several VMworld 2021 announcements regarding futures certainly shore up the already impressive story covered in this post. Continuous authentication, enhanced conditional access policies and support for Horizon on SASE show a lot of promise and further reinforce overall confidence in the VMware remote access vision. 
Additionally, cloud driven enhancements for simplifying on-premises Horizon management further illustrate a general trend of, "if you can't bring desktops to the cloud, bring cloud services to the desktops." I only held off mentioning these announcements until now because, as a drearily sane engineer from healthcare IT, I can't take a technology seriously until it's at least 6 months old. Along those lines, everything covered in this post up till this section is grounded in the here and now of what is GA'd and available. Yes, there are some shiny improvements on the way, but there's plenty to be accomplished with the stack as it stands today. </b></span></span></p><br />EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com1tag:blogger.com,1999:blog-7411363718337372107.post-61962377326070168692021-06-17T17:28:00.021-07:002021-07-09T11:20:19.776-07:00Ruthless Automation With Workspace ONE Intelligence<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDfBgPE33oQiZ059aNmsH_XFM4pKZpEpSj6Zc-dp2j_akBzIg54waEto8MGSfIac_PvqNMtu357ltVTmHl3eZFYbFNqIdRWFsZQ2EuLedxjM9raxgUdFnkeQ3v0CEoSrhIMw0GD-ep-7-Q/s1506/Screen+Shot+2021-05-08+at+5.54.31+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="626" data-original-width="1506" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDfBgPE33oQiZ059aNmsH_XFM4pKZpEpSj6Zc-dp2j_akBzIg54waEto8MGSfIac_PvqNMtu357ltVTmHl3eZFYbFNqIdRWFsZQ2EuLedxjM9raxgUdFnkeQ3v0CEoSrhIMw0GD-ep-7-Q/w602-h250/Screen+Shot+2021-05-08+at+5.54.31+PM.png" width="602" /></a></div><span style="color: #9fc5e8;"><br /></span><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /><br 
/></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><br /></span></p><p><span style="color: #9fc5e8;"><span style="font-size: medium;">A common description of Workspace ONE Intelligence goes like this: it allows you to aggregate, correlate and automate. While this is accurate, I'd like to reverse the order, emphasizing that the solution allows you to automate, targeting this automation based on data aggregated in the Intelligence cloud. WS1 Intelligence enables ruthless automation and that truly distinguishes it as a solution. It provides the ability to trigger automated responses across iOS, Android, Win10 and macOS devices anywhere in the world. We can finely tune and customize these actions within a WS1 UEM environment and, further, potentially extend this automation to any 3rd party solution that supports a REST API. </span></span></p><p><span style="color: #9fc5e8; font-size: medium;">This post begins by exploring the built-in automation capabilities of WS1 Intelligence for WS1 UEM, Slack, and ServiceNow. Through Intelligence "Workflows," actions across these environments can be chained together to formulate a holistic response to targeted incidents or state changes. Next, this article will review how custom connectors not only allow us to finely tune these triggered responses, but also extend the reach of Intelligence automation to 3rd party SaaS apps that support a REST API. To that purpose I'll explore the use of Postman in the creation of these custom connectors, using ServiceNow as a model. Finally, I'll circle back to the data within Intelligence that triggers this glorious and ruthless automation. 
</span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">Built-In Automation For WS1 UEM</span></h3><span style="color: #9fc5e8; font-size: medium;"><br />Common tasks executed through the WS1 UEM console can be automated through WS1 Intelligence. Out of the box there are 28 built-in actions for UEM available within the Intelligence Workflows, anything from removing apps or profiles to enterprise and device wipes. Further, as a catch all, there's the option to TAG devices, which opens up the possibility to achieve anything normally accessible through policies and smart groups. Below is a partial screen shot of the UEM automations built-in to Intelligence. The official documentation enumerates these 28 options under the section, "<a href="https://docs.vmware.com/en/VMware-Workspace-ONE/services/intelligence-documentation/GUID-21_intel_automations.html" target="_blank">Automations For Workspace ONE Intelligence</a>." 
</span><div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6LraavGffrIvCXKBHdmkvHrkYFCGdG7QejzYFc5w5zXJe0xqypL2WzJw2Lq8tCxmnKSO_T0v0jm8BkP97MA_kI2E4RcOdy_-HfPHF2fudKi_d_P425WZKW-Fbf3y_ICfMDrEZCS8hLdPi/s1608/Screen+Shot+2021-06-10+at+12.07.09+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="876" data-original-width="1608" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6LraavGffrIvCXKBHdmkvHrkYFCGdG7QejzYFc5w5zXJe0xqypL2WzJw2Lq8tCxmnKSO_T0v0jm8BkP97MA_kI2E4RcOdy_-HfPHF2fudKi_d_P425WZKW-Fbf3y_ICfMDrEZCS8hLdPi/w640-h348/Screen+Shot+2021-06-10+at+12.07.09+PM.png" width="640" /></span></a></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span 
style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><br /></div><span style="color: #9fc5e8; font-size: medium;">For those familiar with Workspace ONE UEM, another way to think of Intelligence is as an advancement of device compliance policies. Through device compliance policies we've always had the ability to trigger a handful of actions based on a handful of device properties. A compliance engine drives the enforcement of, "closed-loop workflows where a user can have resources after becoming compliant again." While device compliance policies are great at enforcing compliance, again, they're narrowly focused on a handful of device properties and actions. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijY2SP0GbJAeRoWsl2M3RcM3Iq-u9p44VCQZYqEtZfdCRLSGNaKWH-GyrH2dFcDdHQVjp_KeWAwR2JfiH9iFQzpLjUA5vFyXdrwPH5m331FO5HEkGYr3lGZSQCy3E3h8lIJ7agAmpfauc7/s1058/Screen+Shot+2021-05-08+at+5.18.45+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="608" data-original-width="1058" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijY2SP0GbJAeRoWsl2M3RcM3Iq-u9p44VCQZYqEtZfdCRLSGNaKWH-GyrH2dFcDdHQVjp_KeWAwR2JfiH9iFQzpLjUA5vFyXdrwPH5m331FO5HEkGYr3lGZSQCy3E3h8lIJ7agAmpfauc7/s320/Screen+Shot+2021-05-08+at+5.18.45+PM.png" width="320" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: large;"><br /></span></p><p><span 
style="font-size: medium;"><span style="color: #9fc5e8;">Compliance policies are still relevant, however, in terms of pure range of actions, Intelligence takes automation to the next level, allowing folks to automate pretty much anything that can be done from the UEM console. Further, these actions can be triggered by an extensive range of attributes collected in the Intelligence cloud, with </span><a href="https://docs.vmware.com/en/VMware-Workspace-ONE/services/intelligence-documentation/GUID-28_intel_reporting.html" target="_blank">hundreds of UEM gathered device traits</a><span style="color: #9fc5e8;"> to choose from, let alone information gathered from Sensors or Trust Network partners. </span></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNxHzufrlQzXXB_dlQhnd85l1Hmwwu2wwSg7bB_l236C7c1WC_zIeFWTL4ssPlD1rWAYX7Z61EFSqOrfthg8VKiWm3wnja2ItGTI0zGkz1MdgaeeJatga0AQPmoaWPdx9-dX7UJJPHINhh/s744/Screen+Shot+2021-06-14+at+4.37.00+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="744" data-original-width="734" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNxHzufrlQzXXB_dlQhnd85l1Hmwwu2wwSg7bB_l236C7c1WC_zIeFWTL4ssPlD1rWAYX7Z61EFSqOrfthg8VKiWm3wnja2ItGTI0zGkz1MdgaeeJatga0AQPmoaWPdx9-dX7UJJPHINhh/w316-h320/Screen+Shot+2021-06-14+at+4.37.00+PM.png" width="316" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br 
/></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: large;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">So along with a wider range of actions we also gain the ability to drive this automation with information from the Intelligence data lake. Further, these actions can transcend the WS1 environment, extending to 3rd party apps that support REST APIs, starting with the built-in connectors for ServiceNow and Slack. </span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">Built-In Connectors For ServiceNow And Slack </span></h3><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisH-fYwRnYFbVMV1b_EFAWSrCQrZBBHm3xV_ch4fxwGb0jhFhVVAaSPqdoWDduGzGamCbrgWOfTDvmZe4wAn39Q0B7mnRIwkSHOdJzPE-ET0YeRgAFzU9EsltTx31Ow9x2_1p2ZooYQBGJ/s1495/Service_Now_Slack_connector.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="570" data-original-width="1495" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisH-fYwRnYFbVMV1b_EFAWSrCQrZBBHm3xV_ch4fxwGb0jhFhVVAaSPqdoWDduGzGamCbrgWOfTDvmZe4wAn39Q0B7mnRIwkSHOdJzPE-ET0YeRgAFzU9EsltTx31Ow9x2_1p2ZooYQBGJ/w789-h302/Service_Now_Slack_connector.png" width="789" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: 
medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">Along with WS1 UEM, there are built-in actions for ServiceNow and Slack. For ServiceNow there are options to create incidents and tickets, while for Slack you can send messages to channels and users. Enabling these integrations is simply a matter of adding base URLs and credentials to preconfigured connectors, so existing ServiceNow and Slack customers can quickly extend WS1 Intelligence goodness to these solutions. Those credentials are stored in Intelligence and exercised without a human in the loop, so use a dedicated integration account holding only the rights the workflows need, never an administrator's personal login. As you leverage these built-in automations within "Workflows," there are options to populate fields with relevant variables from WS1 Intelligence, as illustrated in the image below.</span><span style="color: #9fc5e8; font-size: large;"> </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ4D6PPX4xx6F1ozr3bbpuD6uCIpmMsaTYhTV54U7UsR8U7guY9fbZAqx0Is_ztHT3EGGp28GtqcI2U1bJHGMyXZI4XIrJdF6BKYOS_NgQQwa2hnOcIkH8ErqHZYxU4zh33E79rrWB99Rk/s1552/Screen+Shot+2021-06-17+at+10.00.26+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="734" data-original-width="1552" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQ4D6PPX4xx6F1ozr3bbpuD6uCIpmMsaTYhTV54U7UsR8U7guY9fbZAqx0Is_ztHT3EGGp28GtqcI2U1bJHGMyXZI4XIrJdF6BKYOS_NgQQwa2hnOcIkH8ErqHZYxU4zh33E79rrWB99Rk/w640-h302/Screen+Shot+2021-06-17+at+10.00.26+AM.png" width="640" /></span></a></div><div><span 
style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><span style="color: #9fc5e8;">For a wonderful overview of enabling these built-in connectors check out this video in Tech Zone, </span><a href="https://www.youtube.com/watch?v=yNx93rlnO2g" target="_blank">VMware Workspace ONE Intelligence: Connectors - Feature Walk Through</a><span style="color: #9fc5e8;">. 
It not only reviews the process of authorizing these connectors but also introduces WS1 Intelligence Workflows, the mechanism for defining automated responses to changes within your environment.</span></span></div><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">Chaining Automations Together With Workflows </span></h3><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">Through WS1 Intelligence Workflows, IT departments define automated responses to events within their Workspace ONE environments. These can include actions through UEM, ServiceNow, Slack and any 3rd party solution they've developed a custom connector for. Workflows not only streamline responses and resolutions but also enable proactive remediation before a user is impacted by a problem. For example, consider a situation where someone is running low on disk space. Instead of having the user slowly experience performance degradation, Intelligence can proactively trigger a series of actions. 
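The screenshot and walkthrough that follow show this low-disk-space Workflow in the Intelligence console. As an added illustration, not code from VMware or from this post, the Python below models what a Workflow does: evaluate a trigger condition over device records and dispatch an ordered chain of connector actions whose fields are filled from device attributes. The device records, the attribute names and the action identifiers are constructed stand-ins, not Intelligence's real schema or action catalogue. It also adds two guards I would want on any automation that can reach an enterprise wipe: run-once-per-device bookkeeping and a per-run cap on destructive actions, so a mistaken trigger cannot fan out across the fleet.

```python
"""Toy model of a WS1 Intelligence Workflow: a trigger condition evaluated over
device records drives an ordered chain of connector actions.

Added example, not Intelligence's own code. Device records, attribute names and
action identifiers are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Callable

GIB = 1024 ** 3

# Constructed device records, shaped loosely like UEM device attributes.
DEVICES = [
    {"udid": "A1", "user": "amy", "platform": "Windows", "free_bytes": 1 * GIB},
    {"udid": "B2", "user": "bo", "platform": "Windows", "free_bytes": 40 * GIB},
    {"udid": "C3", "user": "cy", "platform": "macOS", "free_bytes": GIB // 2},
]

# Actions that must never fan out across a fleet because of one bad trigger.
DESTRUCTIVE = {"uem.enterprise_wipe", "uem.device_wipe"}


@dataclass
class Workflow:
    name: str
    condition: Callable[[dict], bool]
    actions: list                      # ordered (action id, field template) pairs
    max_destructive: int = 0           # blast-radius cap per evaluation run
    dry_run: bool = True               # report what would run, dispatch nothing
    fired: set = field(default_factory=set)  # devices already handled (run once)

    def evaluate(self, devices):
        """Return (udid, action, payload) for every action dispatched or deferred."""
        out = []
        destructive_used = 0
        for dev in devices:
            if dev["udid"] in self.fired or not self.condition(dev):
                continue
            deferred = False
            for action, template in self.actions:
                if action in DESTRUCTIVE and destructive_used >= self.max_destructive:
                    out.append((dev["udid"], action, "deferred: blast-radius cap"))
                    deferred = True
                    continue
                if action in DESTRUCTIVE:
                    destructive_used += 1
                # Fill the connector's fields from device attributes, as the
                # variable pickers in the Workflow editor do.
                payload = {k: v.format(**dev) for k, v in template.items()}
                out.append((dev["udid"], action, payload))
            # Run once per device: remember it only after a complete, live run.
            if not self.dry_run and not deferred:
                self.fired.add(dev["udid"])
        return out


def low_disk_workflow(threshold_bytes=2 * GIB, dry_run=True):
    """The scenario from the post: below the threshold, notify the user, open a
    ServiceNow ticket and message the IT team."""
    return Workflow(
        name="Low disk space",
        condition=lambda d: d["free_bytes"] < threshold_bytes,
        actions=[
            ("uem.send_email", {"to": "{user}", "subject": "Low disk space on {udid}"}),
            ("servicenow.create_incident", {"short_description": "{udid} ({user}) below 2 GB free"}),
            ("teams.post_message", {"text": "{platform} device {udid} of {user} is low on disk"}),
        ],
        dry_run=dry_run,
    )


def wipe_workflow(max_destructive=1):
    """A destructive variant: the cap keeps one bad trigger from wiping the fleet."""
    return Workflow(
        name="Wipe on low disk (deliberately dangerous)",
        condition=lambda d: d["free_bytes"] < 2 * GIB,
        actions=[("uem.enterprise_wipe", {"udid": "{udid}"})],
        max_destructive=max_destructive,
        dry_run=False,
    )


if __name__ == "__main__":
    for row in low_disk_workflow().evaluate(DEVICES):
        print(row)
```

In the dry run the same devices are reported on every pass; a live run remembers the devices it handled, and a device whose destructive action was deferred by the cap is picked up again on the next pass rather than silently dropped.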
</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjngH-FhhceOpFuILmcuZfkDii6EBLL6qo35s2CJzUqPkfV0xZPf8VsO0i7PLcb1pkxkwn5RS16A2Okwayx8zUSeTVCjvHL6YIEX7-SaV6kO7Phht_vFbrWs9XroT_r4nSOoz5HUGxAyFp3/s1302/Screen+Shot+2021-05-23+at+10.00.28+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="1288" data-original-width="1302" height="493" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjngH-FhhceOpFuILmcuZfkDii6EBLL6qo35s2CJzUqPkfV0xZPf8VsO0i7PLcb1pkxkwn5RS16A2Okwayx8zUSeTVCjvHL6YIEX7-SaV6kO7Phht_vFbrWs9XroT_r4nSOoz5HUGxAyFp3/w497-h493/Screen+Shot+2021-05-23+at+10.00.28+AM.png" width="497" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><br /></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">In the example above, when a device has less than 2 gigabytes of free 
storage, the user is sent an email notification through WS1, a ticket is automatically created in ServiceNow, and a message is sent to the IT team through Microsoft Teams. This not only saves time for staff but also spares the user from performance degradation. The video below includes a demonstration of Workflows and also provides a general overview of integration options between Workspace ONE and ServiceNow.</span></p><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8; font-size: medium;"><iframe allowfullscreen="" class="BLOG_video_class" height="456" src="https://www.youtube.com/embed/9g24cVV1YXY" width="548" youtube-src-id="9g24cVV1YXY"></iframe></span></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><p><span style="color: #9fc5e8; font-size: medium;">The integration with Teams in the video above was made possible by a sample custom connector that interacts with a Microsoft REST API. It's a great example of the extensibility made possible by custom connectors. </span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p></div><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">Sample Custom Connectors</span></h3><p><span style="color: #9fc5e8; font-size: medium;">Similar to the built-in connectors for ServiceNow and Slack, you can create <a href="https://blogs.vmware.com/euc/2019/10/intelligence-automation-connector.html" target="_blank">custom connectors</a> for other 3rd party applications that support REST APIs. In a nutshell, if you can execute a task in a 3rd party app with a single request through Postman, there's potential to automate that process through WS1 Intelligence. Sample custom connectors are available from the VMware Sample Exchange, under the description, <a href="https://code.vmware.com/samples/6524/workspace-one-intelligence-custom-connector-samples" target="_blank">Workspace ONE Intelligence Custom Connector Samples</a>. 
These sample JSON files, collections exported from Postman, can be directly imported into WS1 Intelligence to integrate with solutions like Jira, Salesforce and Remedy. For instance, the messaging to Microsoft Teams shown in the demo video above is achieved through a direct import of one of these samples. </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRXvEiLJfKxkZhxH-oyv6teEZ8yYIvdfcRzHIfpMXNgoCNwLxQy7S0Ffxdx6WzL6VDgpXwBLi5JEFZ0MTPHUTiR7zNapHwuPho-KMk4exM81QutLt1tH4zoDUVE7mkIsEmcHm3tTvLuKNZ/s1220/Screen+Shot+2021-05-29+at+5.13.54+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="306" data-original-width="1220" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRXvEiLJfKxkZhxH-oyv6teEZ8yYIvdfcRzHIfpMXNgoCNwLxQy7S0Ffxdx6WzL6VDgpXwBLi5JEFZ0MTPHUTiR7zNapHwuPho-KMk4exM81QutLt1tH4zoDUVE7mkIsEmcHm3tTvLuKNZ/w640-h160/Screen+Shot+2021-05-29+at+5.13.54+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8;"><span style="font-size: medium;">While you can import these samples directly into WS1 Intelligence as is, you can also import them into Postman to take them for a test spin or tweak them according to your needs. 
</span></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZye1jyykSfa8E8Wm-0K6x5iOgVpKaYEph4uACNLR7scVcLbeKLoicA-GSNE4i_2Orf8fqBLGL7BU9NLVLi9RJBZ50hawgm_5iWlwlXzymwnH2NqDs-BNqOD76yPnkZ1m2B0Z1KrJPTawu/s1404/Screen+Shot+2021-06-10+at+8.54.24+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="526" data-original-width="1404" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZye1jyykSfa8E8Wm-0K6x5iOgVpKaYEph4uACNLR7scVcLbeKLoicA-GSNE4i_2Orf8fqBLGL7BU9NLVLi9RJBZ50hawgm_5iWlwlXzymwnH2NqDs-BNqOD76yPnkZ1m2B0Z1KrJPTawu/w640-h240/Screen+Shot+2021-06-10+at+8.54.24+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><span style="color: #9fc5e8; font-size: medium;"><br />Postman, a REST client for developing and testing API calls, is also the tool whose collection format Workspace ONE Intelligence understands: the actions a custom connector exposes are the requests defined in a Postman collection that you export and then import. Fortunately, the free version of Postman available at postman.com has all the features you need to create your own custom connectors. 
There's an excellent overview of the tool at https://learning.postman.com/, though I'm also quite fond of this short and concise <a href="https://community.servicenow.com/community?id=community_blog&sys_id=0f5de629dbd0dbc01dcaf3231f9619ca" target="_blank">ServiceNow oriented post in ServiceNow Communities</a>. Given the ubiquity of REST APIs throughout the Horizon and Workspace ONE stack it's a nifty tool to have lying around. </span><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">Creating Your Own Custom Connector </span></h3><p><span style="color: #9fc5e8; font-size: medium;">Creating your own custom connector begins with developing calls to the 3rd party solution's APIs through Postman. Once you have a request successfully tested you perform an export from Postman to a JSON file that's imported into Intelligence. After the import's complete you'll have access to the call within the Intelligence Workflows interface. Further details are provided in <a href="https://code.vmware.com/samples/6524/workspace-one-intelligence-custom-connector-samples" target="_blank">Workspace ONE Intelligence Custom Connector Samples</a> and within the official guide under the section, <a href="https://docs.vmware.com/en/VMware-Workspace-ONE/services/intelligence-documentation/GUID-27_intel_custom_connectors.html" target="_blank">Custom Connectors</a>. To illustrate the whole process from start to finish the following is an example customization for ServiceNow. </span></p><p><span style="color: #9fc5e8; font-size: medium;">Below is a request to ServiceNow that will create a new task under, "Service Catalog." 
It's based on ServiceNow's <a href="https://docs.servicenow.com/bundle/paris-application-development/page/integrate/inbound-rest/concept/c_TableAPI.html#c_TableAPI" target="_blank">Table API</a>, posting to the <a href="https://docs.servicenow.com/bundle/quebec-servicenow-platform/page/administer/flow-designer/reference/create-catalog-task-flow-designer.html" target="_blank">sc_task</a> table that holds catalog task records. Accordingly, within Postman I've entered the proper URL for this call along with parameters and authorization. </span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJAgeYAedyfxJAjRyzur4ewQ8TxT9b7QOfK32Xnxlbet04dvs8PYHMHAZK1Vn4rljMmJs9QKs1oUbMmUbaAacBRyJGnLCjT9fDOGjrZEQNH7gm70Ui4OxttHGY4WVWKG7pm01RHZSIvNMn/s1754/Screen+Shot+2021-06-07+at+3.44.42+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="522" data-original-width="1754" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJAgeYAedyfxJAjRyzur4ewQ8TxT9b7QOfK32Xnxlbet04dvs8PYHMHAZK1Vn4rljMmJs9QKs1oUbMmUbaAacBRyJGnLCjT9fDOGjrZEQNH7gm70Ui4OxttHGY4WVWKG7pm01RHZSIvNMn/w640-h190/Screen+Shot+2021-06-07+at+3.44.42+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: 
medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">When this request is successfully sent a new task is created within ServiceNow. With the logic validated and tested you can begin the export process by saving this successful response as an example.</span><span style="color: #9fc5e8; font-size: large;"> </span></div><div><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaOcMnTYdYInE0wN_zGn7nu3-LPjnhpge-LK0Kon6rWKmEGnJ4TelNgsQbChEZ4aWDPYTqXMxlqxEgGMtcJ5kbxMs6KOJQ2KTiGOz2wHZIfVr5vzADc_jzb5ZUr0irUssdeYl10vnRXgLF/s1858/Screen+Shot+2021-06-07+at+3.53.59+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="836" data-original-width="1858" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaOcMnTYdYInE0wN_zGn7nu3-LPjnhpge-LK0Kon6rWKmEGnJ4TelNgsQbChEZ4aWDPYTqXMxlqxEgGMtcJ5kbxMs6KOJQ2KTiGOz2wHZIfVr5vzADc_jzb5ZUr0irUssdeYl10vnRXgLF/w640-h288/Screen+Shot+2021-06-07+at+3.53.59+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">Also, be sure to add the header, Content-Type: application/json, or else the import process into WS1 Intelligence will fail. 
</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIHOsJu1HHgs24SAKS0xg_6boPTwvAglBP6AcHZOfd5NM6xkRkEgrq84y0t9DEKMHujpThVUoSgecpTar6ga0ETZ5VABuHm4O9tC8i94to9zpTPFI7cInufTEbH6wUaJq1ZwaRxVjJvEhE/s1266/Screen+Shot+2021-06-07+at+4.23.45+PM.png" style="clear: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="480" data-original-width="1266" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIHOsJu1HHgs24SAKS0xg_6boPTwvAglBP6AcHZOfd5NM6xkRkEgrq84y0t9DEKMHujpThVUoSgecpTar6ga0ETZ5VABuHm4O9tC8i94to9zpTPFI7cInufTEbH6wUaJq1ZwaRxVjJvEhE/w640-h242/Screen+Shot+2021-06-07+at+4.23.45+PM.png" width="640" /></span></a></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><span style="color: #9fc5e8; font-size: medium;">Finally, with the collection selected in the Postman interface choose export and go with Collection v2.1 as the export type. 
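The Postman side of the procedure above (one sc_task request, a saved example response, the Content-Type header, a Collection v2.1 export) as an added example that is not code from the original post: a Python script that builds such an export and lints it for the things the post says break the WS1 Intelligence import, plus one thing a practitioner should check before handing the file around, namely that no literal credentials ride along in it. The instance hostname, the Postman variable names and the sample response body are constructed placeholders.

```python
import json
from typing import Any, Dict, List

# Constructed placeholder values for the example; not a real instance.
SNOW_HOST = "example.service-now.com"
SC_TASK_PATH = ["api", "now", "table", "sc_task"]
V21_SCHEMA = "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"


def build_sc_task_collection(host: str, short_description: str) -> Dict[str, Any]:
    """Build a Collection v2.1 document holding the single POST that creates an
    sc_task record, plus a saved example response, mirroring the Postman steps."""
    request = {
        "method": "POST",
        # Without this header the WS1 Intelligence import fails.
        "header": [{"key": "Content-Type", "value": "application/json", "type": "text"}],
        "body": {
            "mode": "raw",
            "raw": json.dumps({"short_description": short_description}),
            "options": {"raw": {"language": "json"}},
        },
        "url": {
            "raw": f"https://{host}/{'/'.join(SC_TASK_PATH)}",
            "protocol": "https",
            "host": host.split("."),
            "path": SC_TASK_PATH,
        },
        # Credentials are referenced as Postman variables so the export carries no secrets.
        "auth": {
            "type": "basic",
            "basic": [
                {"key": "username", "value": "{{snow_user}}", "type": "string"},
                {"key": "password", "value": "{{snow_password}}", "type": "string"},
            ],
        },
    }
    example_response = {
        "name": "Create catalog task - 201 Created",
        "originalRequest": request,
        "status": "Created",
        "code": 201,
        "header": [{"key": "Content-Type", "value": "application/json"}],
        # Constructed sample body shaped like a Table API result; not a real record.
        "body": json.dumps({"result": {"sys_id": "PLACEHOLDER_SYS_ID",
                                       "number": "TASK0000000",
                                       "short_description": short_description}}),
    }
    return {
        "info": {"name": "ServiceNow sc_task", "schema": V21_SCHEMA},
        "item": [{"name": "Create catalog task",
                  "request": request,
                  "response": [example_response]}],
    }


def lint_collection(collection: Dict[str, Any]) -> List[str]:
    """Return the problems that would break or weaken the custom connector import."""
    problems: List[str] = []
    if collection.get("info", {}).get("schema") != V21_SCHEMA:
        problems.append("export is not Collection v2.1")
    items = collection.get("item", [])
    if len(items) != 1:
        problems.append(f"connector actions are single requests; found {len(items)} items")
    for item in items:
        name = item.get("name", "<unnamed>")
        req = item.get("request", {})
        headers = {h.get("key", "").lower(): h.get("value", "") for h in req.get("header", [])}
        if headers.get("content-type") != "application/json":
            problems.append(f"{name}: missing 'Content-Type: application/json' header")
        body = req.get("body", {})
        if body.get("mode") == "raw":
            try:
                json.loads(body.get("raw", ""))
            except ValueError:
                problems.append(f"{name}: raw body is not valid JSON")
        if not item.get("response"):
            problems.append(f"{name}: no saved example response")
        if not req.get("url", {}).get("raw", "").startswith("https://"):
            problems.append(f"{name}: URL is not https")
        # Exports get attached to tickets and checked into repos; flag literal secrets.
        auth = req.get("auth", {})
        for entry in auth.get(auth.get("type", ""), []):
            value = str(entry.get("value", ""))
            if not (value.startswith("{{") and value.endswith("}}")):
                problems.append(f"{name}: auth field '{entry.get('key')}' holds a literal value")
        if "authorization" in headers and not headers["authorization"].startswith("{{"):
            problems.append(f"{name}: Authorization header holds a literal value")
    return problems


if __name__ == "__main__":
    coll = build_sc_task_collection(SNOW_HOST, "Provision replacement laptop")
    issues = lint_collection(coll)
    print("\n".join(issues) if issues else "collection passes checks")
    with open("Collection_Export.json", "w", encoding="utf-8") as fh:
        json.dump(coll, fh, indent=2)
```

Run `lint_collection` over a collection exported from Postman itself before importing it; a non-empty result is cheaper to read than a failed import.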
</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_odDiVbD4PQ1n7D7fwQNhCt5jUNA7BsQgN_ozVPukh-nGMLxK-XB1o8_1yan4KqNtscNiSIvC4kssqu2um5bhtH2WgC_L-AOnF6kNz__biVNQKR_jL7N_El-CYYhotdjmEYmxSzHfPI3g/s930/Screen+Shot+2021-06-07+at+4.04.43+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="730" data-original-width="930" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_odDiVbD4PQ1n7D7fwQNhCt5jUNA7BsQgN_ozVPukh-nGMLxK-XB1o8_1yan4KqNtscNiSIvC4kssqu2um5bhtH2WgC_L-AOnF6kNz__biVNQKR_jL7N_El-CYYhotdjmEYmxSzHfPI3g/s320/Screen+Shot+2021-06-07+at+4.04.43+PM.png" width="320" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">Next, you want to take this JSON and import it into WS1 Intelligence. 
From within the Intelligence console navigate to Integrations --> Workflow Connectors. Click on the option, "Add Custom Connector." You'll be prompted for a custom connector name, as well as for a base URL and authorization for ServiceNow. Once you provide this information you'll have an option to import the JSON that's been exported from Postman. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUSDcvHk6agJI9enpApaB6zoB8kZ4nE1-M8dawqF_CaKkwZX-AmlPsWSNXoxlTB3-ZUCKhoLH1uU5eBkuqHpJhHCPHFP0W-DxXtUJsd3JL0N4FRzLS2R-65x-gg7FA2GtrnEJo3Nuc0SOL/s1730/Screen+Shot+2021-06-07+at+4.15.41+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="1216" data-original-width="1730" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUSDcvHk6agJI9enpApaB6zoB8kZ4nE1-M8dawqF_CaKkwZX-AmlPsWSNXoxlTB3-ZUCKhoLH1uU5eBkuqHpJhHCPHFP0W-DxXtUJsd3JL0N4FRzLS2R-65x-gg7FA2GtrnEJo3Nuc0SOL/w640-h450/Screen+Shot+2021-06-07+at+4.15.41+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /><br /><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br 
/></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">After a successful import you'll see the imported action. You can also test out the imported action as part of the import process. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpRyfXppRWEL9kqACc0Dcw_3gjTHGzTH_Q7gvADh3PtRSWncxzLm0sEuJYW-NzKQblHN_TA7DaQMLGTSK1tyYIrFtMwbz0Z3rFb_P1siVLqufigUq1nSLI94dw7ezFXVtV0y3-N5Mkpcw-/s1716/Screen+Shot+2021-06-07+at+4.25.30+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="688" data-original-width="1716" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpRyfXppRWEL9kqACc0Dcw_3gjTHGzTH_Q7gvADh3PtRSWncxzLm0sEuJYW-NzKQblHN_TA7DaQMLGTSK1tyYIrFtMwbz0Z3rFb_P1siVLqufigUq1nSLI94dw7ezFXVtV0y3-N5Mkpcw-/w640-h256/Screen+Shot+2021-06-07+at+4.25.30+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: 
#9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><br /></div><span style="color: #9fc5e8; font-size: medium;">Going forward you'll have this action to choose from when developing Workflows within WS1 Intelligence.</span><div><span style="color: #9fc5e8; font-size: medium;"> <br /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrxIvLtwBQUEN-BTW7tdIao9u63_DTZXewj_xwXL2b0F8HEu8f8dszaEaBacOw0WCyOE9CDIm_pkE1svv2hTMtGrhVSeNk2XoDZM90_6wX1vxtuFJRMKF3PSFAgi75_6-yQKXZaVUMTrE7/s1476/Screen+Shot+2021-06-07+at+4.41.15+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="844" data-original-width="1476" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrxIvLtwBQUEN-BTW7tdIao9u63_DTZXewj_xwXL2b0F8HEu8f8dszaEaBacOw0WCyOE9CDIm_pkE1svv2hTMtGrhVSeNk2XoDZM90_6wX1vxtuFJRMKF3PSFAgi75_6-yQKXZaVUMTrE7/w640-h366/Screen+Shot+2021-06-07+at+4.41.15+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: 
#9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><br /></div><span style="color: #9fc5e8; font-size: medium;">To recap, if you can automate a task in a 3rd party app with a single request through Postman, there's potential to automate that process within WS1 Intelligence. That's not to say you can do anything and everything available in the 3rd party app's REST APIs. You're restricted to a single request, a quick outbound call without any kind of back and forth or chaining of requests, so your mileage may vary. However, a good friend of mine pointed out that a lot of the time 3rd party applications offer customizations of their services that allow you to push this trickier logic over to them to handle. A great example of this is the set of options in ServiceNow for creating custom APIs. 
</span><div><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">ServiceNow Options </span></h3><p><span style="color: #9fc5e8; font-size: medium;">A few features of ServiceNow in particular make it well suited for integration with Workspace ONE Intelligence. To begin with there's the ability to create <a href="https://docs.servicenow.com/bundle/paris-application-development/page/integrate/custom-web-services/concept/c_CustomWebServices.html" target="_blank">custom REST APIs</a> and web services. Earlier I mentioned that WS1 Intelligence is limited to leveraging single calls from Postman, without the ability to chain multiple calls in a collection. Well, we can fill in the gap by creating custom services in ServiceNow, allowing for the handling of complex logic on the ServiceNow side of the equation. A wonderful example of this is detailed in the blog post, "<a href="https://blog.davidpacold.com/ws1-and-servicenow" target="_blank">WS1 And ServiceNow,</a>" by David Pacold. In this post David offers a recipe for populating ServiceNow with device asset information from WS1 by creating a system web service in ServiceNow that's fed asset information from a WS1 Intelligence connector. </span></p><p><span style="color: #9fc5e8; font-size: medium;">Another benefit to ServiceNow adoption is its REST API Explorer. This utility, built right into the ServiceNow console, facilitates the exploration and testing of REST API calls. It provides the ability to test calls in real time while providing guard rails, if you will, as you explore the API's functionality. For example, to explore the Table API demonstrated in the previous section, you can open REST API Explorer and select the API from an easy-to-use drop-down menu. Then, after choosing the REST operation type, it guides you through the different parameters that can be used by the API call. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfLjXwrtNlEsQB38ejIdoJBk9a1b_F6aX4DE1cqSu3EKin1TKtVXtwaL9k_r8KLgmuIg6yfSs0avXKyaaMhjtrhOg7SPshlXFmVSkjtLoTF2CtcHxUxdkLWU6UtAmzbbFSVGlD5Q_WicAy/s1606/Screen+Shot+2021-06-08+at+9.41.57+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="882" data-original-width="1606" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfLjXwrtNlEsQB38ejIdoJBk9a1b_F6aX4DE1cqSu3EKin1TKtVXtwaL9k_r8KLgmuIg6yfSs0avXKyaaMhjtrhOg7SPshlXFmVSkjtLoTF2CtcHxUxdkLWU6UtAmzbbFSVGlD5Q_WicAy/w640-h352/Screen+Shot+2021-06-08+at+9.41.57+AM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="color: #9fc5e8; font-size: medium;">Further, after selecting the parameters, you can test out the call directly from the utility with the results displayed at the bottom. If the results are desirable, you can copy the syntax of the command directly from explorer into the body of your request within Postman. 
</span></p><p><span style="color: #9fc5e8; font-size: medium;">Given the convenience the REST API Explorer offers, a clear path forward when working with ServiceNow is: </span></p><p><span style="color: #9fc5e8; font-size: medium;">REST API Explorer —> Postman —> Collection_Export.json —> Custom_Connector</span></p></div><div><span style="color: #9fc5e8; font-size: medium;">With a well documented REST API, a REST API Explorer, and various options for creating custom services, ServiceNow is an ideal candidate for WS1 Intelligence integration. Fortunately, while ServiceNow provides a stellar example of what's possible, other 3rd party solutions arguably offer similar advantages. The question of, "what can we automate in 3rd party solutions using WS1 Intelligence," boils down to, "well, what kind of REST APIs are available from these 3rd party solutions and what kinds of customizations do they support?" Further, there's the question of, "well, how comfortable and familiar are you with working with the REST APIs of these 3rd party vendors?" If the answer is, "very," well, there's a lot of potential for creating rich automations and integrations between Intelligence and that 3rd party app. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">Okay, Now Let’s Talk About Data</span></h3><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><span style="color: #9fc5e8; font-size: medium;">Now that it's clear what type of automation is possible and at stake, let's talk about driving this automation with data from Intelligence. If there's a single theme or thesis for this entire post, it's this: we leverage data from WS1 Intelligence to drive and trigger glorious and ruthless automation. Exploring widgets within dashboards makes this clear. 
</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-nr7wrWOkHWU7_rP0DNhsPARUiW_rFR-DSjpWUm0C5fI4rlymcNP57eTU9DNOGsIJl3qWrR1oh01IuwIa3F0u0q4rXTDYN47GsZJb4fIjPGW5Rv45Y8Ec4dtRNuJNnYG7S415EEkOaFBd/s1588/Screen+Shot+2021-06-16+at+9.35.21+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="698" data-original-width="1588" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-nr7wrWOkHWU7_rP0DNhsPARUiW_rFR-DSjpWUm0C5fI4rlymcNP57eTU9DNOGsIJl3qWrR1oh01IuwIa3F0u0q4rXTDYN47GsZJb4fIjPGW5Rv45Y8Ec4dtRNuJNnYG7S415EEkOaFBd/w640-h282/Screen+Shot+2021-06-16+at+9.35.21+AM.png" width="640" /></span></a></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">To illustrate, say 
you want to target an automation against a specific set of Windows 10 devices. You might start with a simple widget that filters devices in your environment by focusing on enrolled Windows 10 devices that have checked in within the last 28 days.</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUZ8X8lvDC-hzw8wHLFCWnDBi411Ur1AGFRhBPLndJr0Sne3FEAuBBm9AHrOKyORMrjAdWVqIPmVNx-Fra0Gmlv1gUlImd_jmraZk_ntKhEILcGkCk4LNdWIT0tY3qyrgBSd8gJHbB8jFL/s1554/Screen+Shot+2021-06-09+at+9.12.53+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="914" data-original-width="1554" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUZ8X8lvDC-hzw8wHLFCWnDBi411Ur1AGFRhBPLndJr0Sne3FEAuBBm9AHrOKyORMrjAdWVqIPmVNx-Fra0Gmlv1gUlImd_jmraZk_ntKhEILcGkCk4LNdWIT0tY3qyrgBSd8gJHbB8jFL/w640-h376/Screen+Shot+2021-06-09+at+9.12.53+AM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: 
medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">Now, you have a very simple widget that targets these active Windows 10 machines. If you wanted to target all these devices you could view the widget, click the automate button, then pick and choose from the automated actions. However, if you wanted to narrow the results down, you could leverage the group by function within the widget to subdivide the displayed results by a wide range of options. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2wT6BMq9h38TMGlIiEpZaBjHdTbQdFOPkQ7gl9XVtHb-v4DMd5lsDHK1r1wlvy6FMGskbZk5ObIK3vALwMQLJWiIXViHm2nWwwdacwkPiizVomTXDP2BhN-7Iu26aJns5aF47ko0ycoO2/s692/Screen+Shot+2021-06-16+at+10.01.34+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="536" data-original-width="692" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2wT6BMq9h38TMGlIiEpZaBjHdTbQdFOPkQ7gl9XVtHb-v4DMd5lsDHK1r1wlvy6FMGskbZk5ObIK3vALwMQLJWiIXViHm2nWwwdacwkPiizVomTXDP2BhN-7Iu26aJns5aF47ko0ycoO2/s320/Screen+Shot+2021-06-16+at+10.01.34+AM.png" width="320" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: 
medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">For instance, by choosing to group by encryption status, I have broken down the results into 2 sets of active Win10 machines, those encrypted and those that are not. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZeYO1TbR-xD-kETCxR9WRqV7gODsXV0dXzlD4OjNcGPDe4PkNbh1LkaugUoOU25xvcam1ap06aG-VF8aqzDgBD6YJ_2L_GJLtJv6d2-8WwJOKkJYMpYIdfoAmVeH708CpB_2mrQ6XKRjT/s1398/Screen+Shot+2021-06-09+at+9.19.22+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="908" data-original-width="1398" height="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZeYO1TbR-xD-kETCxR9WRqV7gODsXV0dXzlD4OjNcGPDe4PkNbh1LkaugUoOU25xvcam1ap06aG-VF8aqzDgBD6YJ_2L_GJLtJv6d2-8WwJOKkJYMpYIdfoAmVeH708CpB_2mrQ6XKRjT/w640-h416/Screen+Shot+2021-06-09+at+9.19.22+AM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div><span style="color: #9fc5e8; font-size: 
medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">As I click through this visualization, perhaps drilling down into the unencrypted devices, again, I have the option to associate automations with this subset of the original query.</span><span style="color: #9fc5e8; font-size: large;"> </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVqWcr4w3h7Eye9CqKAmx-heAeDfNRyVQffg6rBQxDGkEnlED9PCYX9NCzyUxeBvHQTbV0r_S777qauJTecOZAT7BdEGgW6I_ZV3QaMIfJ0kxOcXLwGKlhAJVFdP9w_0rz_ZC1O07gkWf5/s1266/Screen+Shot+2021-06-09+at+9.23.58+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="1068" data-original-width="1266" height="541" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVqWcr4w3h7Eye9CqKAmx-heAeDfNRyVQffg6rBQxDGkEnlED9PCYX9NCzyUxeBvHQTbV0r_S777qauJTecOZAT7BdEGgW6I_ZV3QaMIfJ0kxOcXLwGKlhAJVFdP9w_0rz_ZC1O07gkWf5/w640-h541/Screen+Shot+2021-06-09+at+9.23.58+AM.png" width="640" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span 
style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">So the widgets give us a useful way to absorb the data in a more visual way, shifting away from one-dimensional reporting. Further, as you crawl through the data you can add automations along the way. To my mind, this is a wonderful example of not only the data made available by Intelligence, but the ways in which the solution allows us to sift through the data and finely target automation. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">Sources Of Information For The WS1 Intelligence Data Lake</span></h3><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">With automation driven by information from the Intelligence data lake, a natural question to ask is, "well, just what information is in there?" Out of the box there's a boatload coming from several data sources, as detailed in the TechZone article, "<a href="https://techzone.vmware.com/resource/workspace-one-intelligence-architecture#data-sources" target="_blank">Workspace ONE Intelligence Architecture</a>." From WS1 UEM alone there are over 200 data points, last I counted. 
Then there's WS1 Access for any applications integrated with the Workspace ONE portal through SAML. For any internally developed apps that have the Workspace ONE Intelligence SDK embedded there's additional app analytics made available from the solution formerly known as Apteligent. Further, there's Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS) information pulled in on a daily basis about Windows 10 and macOS. Finally, there's the extensibility afforded through <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/Windows_Desktop_Device_Management/GUID-uemWindeskSensors.html" target="_blank">Sensors</a>, allowing you to pull custom information from Win10 and macOS using scripts. Once collected, this information then becomes viewable and actionable from the WS1 Intelligence console, complementing the already extensive device information provided by UEM. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisU5_b5cLUBEHCnZ8mZ0Ax1jIbHNgky89fxtzWHxcu-v5if6RxcBHY2qHSbRieVgAqehJbidDYdwwqoP1U0xxDhVEK7emWYvBkC1tqSJlV9Gez-JCn-cFKR0Ti7p_VrCEj4tMxmjdbbEw1/s2614/Screen+Shot+2021-06-08+at+2.30.34+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="1198" data-original-width="2614" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisU5_b5cLUBEHCnZ8mZ0Ax1jIbHNgky89fxtzWHxcu-v5if6RxcBHY2qHSbRieVgAqehJbidDYdwwqoP1U0xxDhVEK7emWYvBkC1tqSJlV9Gez-JCn-cFKR0Ti7p_VrCEj4tMxmjdbbEw1/w801-h368/Screen+Shot+2021-06-08+at+2.30.34+PM.png" width="801" /></span></a></div><span style="color: #9fc5e8; font-size: medium;"><br /></span><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; 
font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><span style="color: #9fc5e8;">Also, as depicted in the drawing above, we can populate Intelligence with threat information collected by security partners of the </span><a href="https://docs.vmware.com/en/VMware-Workspace-ONE/services/intelligence-documentation/GUID-12_intel_trust_network.html" target="_blank">Trust Network</a><span style="color: #9fc5e8;">. This Trust Network partnership currently includes about a dozen partners, though Carbon Black is arguably the crown jewel. Carbon Black can provide next-generation antivirus protection and insight across both Windows 10 and macOS. As with the rest of the data ingested by Intelligence, this threat data can be used to drive automation through Intelligence, starting with WS1 UEM itself but also extending to any other enabled connectors. 
</span></span></div><div><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipAvZbheGP5Z0_CY7LCgglcixy39bfhJM_81Mwk8LtmkxmR6jWfuHhfZHRj4j6VbCcJ4z1j11w-UecgbUYHNUVWhFZ72srkuH-Spr4FmbHfamy8MfPxfPM_9pU4xxTSeHbUyC6QXKT9LwN/s1168/Screen+Shot+2021-05-29+at+5.38.32+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="636" data-original-width="1168" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipAvZbheGP5Z0_CY7LCgglcixy39bfhJM_81Mwk8LtmkxmR6jWfuHhfZHRj4j6VbCcJ4z1j11w-UecgbUYHNUVWhFZ72srkuH-Spr4FmbHfamy8MfPxfPM_9pU4xxTSeHbUyC6QXKT9LwN/w640-h348/Screen+Shot+2021-05-29+at+5.38.32+PM.png" width="640" /></span></a></div><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><span style="color: #9fc5e8;">While I think WS1 Intelligence has potential to benefit most use cases, to my mind, modern management is where it shines brightest. As someone who got clobbered by one worm after another throughout the 2000s, the ability to trigger a coordinated response to threat detection alone is extremely compelling. 
The range of visibility across modern managed devices is impressive as well. When you take the normal visibility offered through UEM, then enhance it with Sensors and Carbon Black, you're getting an awful lot of insight and perspective. If security is top of mind for Win10 and macOS users, this stack is hard to beat. </span></span></p><p><span style="color: #9fc5e8; font-size: medium;"><br /></span></p><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">Conclusion</span><span style="color: #9fc5e8; font-size: medium;"> </span></h3><p><span style="font-size: medium;"><span style="color: #9fc5e8;">Over the last couple of years I've slowly been won over by WS1 Intelligence. I must admit, initially, I was a little bit cynical about the solution. The earlier marketing material sounded to me like the INXS song, </span><a href="https://www.youtube.com/watch?v=VFUEgFdP5zE" target="_blank">Mediate</a><span style="color: #9fc5e8;">. "It does everything that ends with 'ate'!" In my snarkier moments, I'd compare it to a Don King promotion. "You will aggregate, correlate, automate then absolutely fustigate your IT challenges!!! I don't care if your name is Kate or Nate! It will be the greatest data lake that no one can imitate! If you are into endpoint management it is your fate!!!"</span></span></p><p><span style="color: #9fc5e8; font-size: medium;">However, the acquisition of Carbon Black, the introduction of Sensors and the increased relevance of modern management have made WS1 Intelligence's advantages much more obvious. Increasing SaaS adoption and the introduction of custom connectors have also enhanced its overall appeal. The ability to automate ruthlessly across managed devices and the SaaS landscape is a downright intoxicating proposition that speaks to the souls of most techies I know. We live for this stuff. 
</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://www.youtube.com/watch?v=VFUEgFdP5zE" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;" target="_blank"><span style="color: #9fc5e8; font-size: medium;"><img border="0" data-original-height="575" data-original-width="979" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivQU-bCDUJwdMWHt9CZxKZqBPFLUiyfhyphenhyphenQekUSHm2Z2a0muWgI_5QPAZ3ucJAoANqDBPTMSXaykssihep1XGZai_11C_88kWGkPFMVNq4FLzfmyUAB5HCLmDp8sJdz09E_NG9pTOnBhjRO/w640-h376/inxs.jpeg" width="640" /></span></a></div><span style="font-size: medium;"><br /></span><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><br /></p></div></div>EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com5tag:blogger.com,1999:blog-7411363718337372107.post-70468031306401598872021-03-07T10:25:00.030-08:002022-08-03T08:03:32.307-07:00A Quick And Easy Win Along The Path To Zero Trust: Workspace ONE's Certificate Authentication For Windows 10 And macOS<div><span style="color: #9fc5e8; font-size: medium;">I was recently introduced to an elegant solution for enabling certificate authentication on Windows 10 and macOS devices through VMware's Workspace ONE. By leveraging WS1 UEM's built in certificate authority WS1 admins benefit from a self-contained, entirely cloud based, end to end solution for both certificate authentication and distribution. It provides an efficient and wieldy means for enforcing cert auth in modern management use cases, enabling a significant leap forward on the journey to Zero Trust. While the required steps are a bit advanced, with the right expertise and access requirements, they can be easily implemented in less than an hour. 
Once completed, Horizon desktops or apps, SAML federated apps, or the Workspace ONE portal itself can benefit from certificate authentication on Windows 10 or macOS. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dyzcJ0HW9DrU2OoMQmdscSDuMWHpg_yswcwEzu0UwsLsTEq0DotbIT288GY8Vy5Z0xfAGX_2XFX1I_GbbvIjg' class='b-hbp-video b-uploaded' frameborder='0'></iframe></span></div><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><span style="font-size: medium;">In and of itself, certificate-based authentication improves security while simplifying access for users. More notably, in the context of Workspace ONE modern management it lays the groundwork for leveraging WS1 UEM's device compliance policies. Conditional access based on device compliance ensures that apps integrated with WS1 are only accessed from devices that have earned our trust through WS1 enrollment and compliance, regardless of network location. Trust is earned and verified on an ongoing basis as device posture is regularly incorporated into conditional access policies applied to protected apps. As a result, clear progress along the path to Zero Trust is achieved, given that a guiding principle of Zero Trust adoption is the need for continuous authentication and authorization of endpoint devices. 
</span> </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkn9-4EUp-hXbu_TZZehNmZ-Tp4K6iwKBk_JtZ35HcFduX9N-Csm5KcRSfJn9TagpYrVNiYM8OLqOQbOkFP_x_U7Px-DjwGaemBdytBUmnp5nbEXBy7Y8VCLqsyMOdZx3yVaT2yBM6Prin/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="860" data-original-width="1793" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkn9-4EUp-hXbu_TZZehNmZ-Tp4K6iwKBk_JtZ35HcFduX9N-Csm5KcRSfJn9TagpYrVNiYM8OLqOQbOkFP_x_U7Px-DjwGaemBdytBUmnp5nbEXBy7Y8VCLqsyMOdZx3yVaT2yBM6Prin/w640-h306/Office_365_windows10.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">Very arguably, the proliferation of mobile devices has played a major role in forcing traditional IT shops to embrace Zero Trust principles and adoption. 
Fortunately, capabilities developed supporting these devices within the enterprise are easily extended to Windows 10 and macOS through WS1. Conditional access based on device compliance is a prime example of this. For nearly half a decade this feature has been wildly popular among AirWatch customers supporting iOS and Android devices. As a result, it's a very mature and proven capability that modern managed devices stand to benefit from. Just as with mobile devices, UEM admins can define proper security posture for Win10 devices and macOS devices, then control access to apps accordingly. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKV4vvhUKQI0ZDwi2G-rVVqYFCwyhFf1pbtJIcE55GiPLHUNzMM1MggDa5ifr56a0jTBibVpkvRxlNxSWB2PNirTvZL-dT3A9r_s4sVarknI0wOJvdzJVU_iXuuJO0Mq_FC54AKVqMuDwd/s1694/Screen+Shot+2021-03-05+at+5.06.04+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="1058" data-original-width="1694" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKV4vvhUKQI0ZDwi2G-rVVqYFCwyhFf1pbtJIcE55GiPLHUNzMM1MggDa5ifr56a0jTBibVpkvRxlNxSWB2PNirTvZL-dT3A9r_s4sVarknI0wOJvdzJVU_iXuuJO0Mq_FC54AKVqMuDwd/w640-h400/Screen+Shot+2021-03-05+at+5.06.04+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br 
/></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">When WS1 UEM device compliance policies are leveraged by WS1 Access policies, trust is constantly earned, as WS1 regularly monitors the posture of the underlying device. A device that is suitable for access today may be rejected tomorrow should it fail to maintain the security posture defined and enforced through WS1 UEM. For example, an enforced requirement could be for devices to be both enrolled and running anti-virus in order for them to gain access to Office 365. 
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dwVKhf6CvkpD5XqrQL3dBYAOz3SKooYtWXMJaI-mg1aoXm8sNwwfCagVsjZXeAgl6GlUJBEkslbKbZlXd88sQ' class='b-hbp-video b-uploaded' frameborder='0'></iframe></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">To further progress across the Zero Trust spectrum we can additionally inform conditional access policies with Risk Scores from Workspace ONE Intelligence. These Risk Scores not only factor in user behavior across enterprise devices, but can also incorporate insights from Carbon Black. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">Regardless of whether you own WS1 Intelligence or not, the path to Zero Trust through WS1 modern management can begin with a very accessible and easy to implement process for enforcing certificate authentication. Considering the required effort versus the impact of this solution, the juice is definitely worth the squeeze. It shifts Zero Trust away from a lofty theoretical concept to something well within reach using mature and proven Workspace ONE capabilities. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><h2 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">The Recipe </span></h2><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">I was introduced to this recipe while training on support of Zero Trust with Workspace ONE. 
Though I'd love to simply share that course curriculum directly in this post it would be morally dubious to say the least. Fortunately, I found publicly available guidance that's damn near identical to what I received in my training. This guidance is called, <a href="https://euc-labs.livefire.solutions/m/84508/l/1146562-windows-10-certificate-single-sign-on-using-an-airwatch-certificate-authority" target="_blank">"Windows 10 Certificate Single Sign On Using An AirWatch Certificate authority."</a> Further, while scouring the internet for additional information I happened upon this personal blog post, <a href="https://blog.eucse.com/workspace-one-windows-and-macos-cloud-certificate-sso/" target="_blank">"Workspace ONE - Windows And macOS Certificate."</a> It's a lovely post, completely in line with the training I received, while also providing guidance on macOS.</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">Since folks can already access these resources for step by step specifics, here I'm simply going to present an outline of the recipe while calling out some highlights. 
</span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">Implementing Certificate Auth On Workspace ONE:</span></div><ul style="text-align: left;"><li><span style="color: #9fc5e8; font-size: medium;">Export issuer certificate from UEM</span></li><li><span style="color: #9fc5e8; font-size: medium;">Enable Certificate Authentication on WS1</span></li><ul><li><span style="color: #9fc5e8; font-size: medium;">Upload issuer certificate from UEM</span></li><li><span style="color: #9fc5e8; font-size: medium;">Enable Cert Auth On Appropriate IDPs</span></li></ul><li><span style="color: #9fc5e8; font-size: medium;">Create SCEP User Based Profiles on UEM</span></li><li><span style="color: #9fc5e8; font-size: medium;">Create Conditional Access Policies</span></li><li><span style="color: #9fc5e8; font-size: medium;">Disable certificate prompts</span></li></ul><span style="color: #9fc5e8; font-size: medium;"><br />After following the above steps, you'll have the basic use of certificate authentication available across your modern management use cases for Windows 10 and macOS. You can mandate certificate authentication for access to your WS1 portal, or on a more granular level, make certificate authentication a requirement for specific applications using conditional access policies. </span><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">Major Steps</span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">What really helps simplify the whole strategy is leveraging the built-in CA of your Workspace ONE UEM tenant. Assuming your WS1 UEM tenant is already integrated with WS1 Access, navigate to Groups & Settings->All Settings->System->Enterprise Integration->Workspace ONE Access->Configuration. 
If Workspace ONE UEM certificate provisioning isn't already enabled, then enable it. Then export the issuer certificate. </span><div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir5chMYb7yxo-8zlpo6B9SEj1WCrsYF9cryfAnnA0-5NxH6FrX_SYFjoZl2uolue_ebwMAG16JtOoagF8F1IPouxjgox6hRITkJ-NGo8KETid-gCnUMmAiIbMnIuVZsZHDACIaWtfbyPVd/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="708" data-original-width="1937" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir5chMYb7yxo-8zlpo6B9SEj1WCrsYF9cryfAnnA0-5NxH6FrX_SYFjoZl2uolue_ebwMAG16JtOoagF8F1IPouxjgox6hRITkJ-NGo8KETid-gCnUMmAiIbMnIuVZsZHDACIaWtfbyPVd/w640-h234/issuer_cer.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">Next, you're going to scoot on over to your WS1 Access administrator console, navigating to, "Authentication Methods," under, "Identity And Access Management." 
Here you're going to enable the, "Certificate (cloud deployment)," method, uploading the issuer certificate just obtained from the WS1 UEM console. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg42L1tdrp64STGyO9hPT7GNxCzRSVjJSvYvxMaFLgjFhfD7cTM9IjS2_O3-1mXvX4ErNM2wAjcZNP9ZiTpoXIzqsk1GVUIAgMJeOMbr3Nr7bcN9jiPteTBe2rv3-1pov6Od8tPppxgACQS/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="540" data-original-width="1230" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg42L1tdrp64STGyO9hPT7GNxCzRSVjJSvYvxMaFLgjFhfD7cTM9IjS2_O3-1mXvX4ErNM2wAjcZNP9ZiTpoXIzqsk1GVUIAgMJeOMbr3Nr7bcN9jiPteTBe2rv3-1pov6Od8tPppxgACQS/w640-h280/Screen+Shot+2021-02-12+at+5.00.38+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">You'll need to ensure the Certificate (cloud deployment) authentication method is enabled for your Built-in 
identity provider or any other relevant IDP configured for your environment, the same you would for any other authentication method. After that you need to configure your SCEP payloads to distribute and manage certs on your endpoint devices. These are going to be user based profiles for Win10 and macOS devices. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqfmVaTGjh6o7ZNl82hvuMLDvki_MFEqhQ3eSWp89hQETxX-wDW-AywhbG0twX_9nBya1gfqj69ZsL2m7rMZm7dWFqPA92c1iWanSph3IGnqjHWTVJ73tVxUlniwnDSjyJZ-nklhzymjpk/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="831" data-original-width="1758" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqfmVaTGjh6o7ZNl82hvuMLDvki_MFEqhQ3eSWp89hQETxX-wDW-AywhbG0twX_9nBya1gfqj69ZsL2m7rMZm7dWFqPA92c1iWanSph3IGnqjHWTVJ73tVxUlniwnDSjyJZ-nklhzymjpk/w640-h302/SCEP.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: 
#9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><span style="font-size: medium;">With certificate authentication enabled and certs getting distributed through SCEP, a final step is configuring the enforcement of this authentication method through conditional access policies.</span> </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">Creating Your Conditional Access Policies </span></h3><div><div><span style="color: #9fc5e8;"><br /><span style="font-size: medium;">When it comes to configuring conditional access policies, a main consideration is whether you're going to combine certificate authentication with device compliance policies. If you just want any enrolled device to have access, regardless of device posture, you can simply select Certificate (cloud deployment) as the primary auth method, along with any fallbacks. Otherwise, if you want to predicate successful certificate auth on compliance with UEM device compliance policies, then choose to combine cert auth with device compliance. 
</span><br /><br /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdj64LGo9s04ddMJ5NsX6d0kynC7t_cCnWmulhMwzDZd-ZBgcA6VFjKexlGVeZrJ5HbLh6R6_p6gqmuczXEQGF7hjP9SV8qBYhSnDrckcBXes0CZ2qu7PHprY69YII10tITOPre6kZEKf7/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="964" data-original-width="2102" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdj64LGo9s04ddMJ5NsX6d0kynC7t_cCnWmulhMwzDZd-ZBgcA6VFjKexlGVeZrJ5HbLh6R6_p6gqmuczXEQGF7hjP9SV8qBYhSnDrckcBXes0CZ2qu7PHprY69YII10tITOPre6kZEKf7/w640-h294/Screen+Shot+2021-03-05+at+2.04.05+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span></div><span style="color: #9fc5e8;"><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">In the sample above, compliant devices will gain access to the application through certificate auth, while non-compliant devices will fall back to 2FA with VMware Verify. Devices not enrolled in WS1 UEM or not assigned the proper SCEP policy won't have access at all. 
It's an example of where you might go with things if you wanted tighter security. Along those lines, if you wanted to layer WS1 Intelligence on top of this model, you might go with something like this:</span></div><div><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixaCYjkzWMpzKibZjfx57RKpD70PzwpMibIzsi08Os4NT_15c7BlF6g9oudiqAq_eMDxH4gtq4Y5gX5tUzdrNX8zw22ZCWyLh2zjfoaFmvb6JuNX7XaMuKg9M6gdn75G4jHO9HJjUgX1cy/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="728" data-original-width="2006" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixaCYjkzWMpzKibZjfx57RKpD70PzwpMibIzsi08Os4NT_15c7BlF6g9oudiqAq_eMDxH4gtq4Y5gX5tUzdrNX8zw22ZCWyLh2zjfoaFmvb6JuNX7XaMuKg9M6gdn75G4jHO9HJjUgX1cy/w640-h232/Screen+Shot+2021-03-05+at+9.36.13+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">In the example above, Risk Scores are incorporated into your conditional access policies, allowing us to adjust authentication requirements with analysis from Workspace ONE Intelligence. 
If a device is compliant and the user has a healthy risk score, they'll have a smooth access experience logging in. However, if their device meets compliance requirements but the user has a poor risk score, they'll be forced to provide a 2nd factor of authentication with VMware Verify. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">For a nice overview of conditional access policies here's some enablement I recently collaborated with some colleagues on called, "<a href="https://www.youtube.com/watch?v=TpOjeeJffZo&t=13s" target="_blank">WS1 Access Series Episode 2 Office 365 Integrations And Conditional Access</a>." In the video I spend about 25 minutes reviewing conditional access policies and device compliance. Further, if you're interested in getting deeper on the subject, I highly recommend this comprehensive and fairly new post, "<a href="https://theidentityguy.ca/2021/02/25/workspace-one-access-best-practices-in-policy-management/" target="_blank">Workspace ONE Access: Best Practices In Policy Management</a>."</span></div><div><div><span style="color: #9fc5e8;"><br /><br /></span><h3 style="text-align: left;"><span style="color: #9fc5e8; font-size: large;">Removing The Certificate Prompt</span></h3></div></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><span style="color: #9fc5e8; font-size: medium;">While the visible certificate prompts at login are useful for initial setup and troubleshooting, long term it's more desirable to have cert selection automated. Fortunately, there are ways to achieve this on both Win10 and macOS devices across various browsers. 
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div style="text-align: left;"><span style="color: #cfe2f3; font-size: medium;">Windows 10 Certificate Prompts</span></div><div><span style="color: #9fc5e8;"><br /></span></div><span style="color: #9fc5e8;"><span style="font-size: medium;">On Windows 10 devices, when leveraging Chrome for WS1 Access it's all about the <a href="https://chromeenterprise.google/policies/#AutoSelectCertificateForUrls" target="_blank">AutoSelectCertificateForUrls</a> Chrome policy. To take this feature out for a quick test spin, you can make the registry edit manually by first adding the key:</span><br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AutoSelectCertificateForUrls</span><div><span style="color: #9fc5e8;"><br />Then, under that key, create a string value named 1 whose data is the catch-all syntax:<br /><br />{"pattern":"[*.]","filter":{}}</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNLXNXw8DIhCOq1Hm8gF3b9Q9eVuGjpE9EUjjLi2lZM4bIbtUfv1EgJmvtOWgOkFH1IsFSaPt_v16jsVIGp7axrTQHzuws80JshKsud-XXTlvJvy04ow-kVWRJrTGTzNEfse-Wf2qTa_gB/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="306" data-original-width="1438" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNLXNXw8DIhCOq1Hm8gF3b9Q9eVuGjpE9EUjjLi2lZM4bIbtUfv1EgJmvtOWgOkFH1IsFSaPt_v16jsVIGp7axrTQHzuws80JshKsud-XXTlvJvy04ow-kVWRJrTGTzNEfse-Wf2qTa_gB/w640-h136/Screen+Shot+2021-03-04+at+6.04.49+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br 
/></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div><div><span style="color: #9fc5e8;">You could fine tune this syntax with something a bit more specific, for example: </span></div><div><span style="color: #9fc5e8;"><br /></span></div><span style="color: #9fc5e8;">{"pattern":"https://cas-aws.vmwareidentity.com/","filter":{}}</span></div><div><br /><div><span style="color: #9fc5e8;"><span style="font-size: medium;">For the Microsoft Edge browser, not surprisingly, we have a very similar process for handling the certificate prompts. Essentially, we have the same pattern format for catching the cert, just under a different key. </span> </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\AutoSelectCertificateForUrls</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">For more specifics check out the official Microsoft documentation for <a href="https://docs.microsoft.com/en-us/deployedge/microsoft-edge-policies#autoselectcertificateforurls" target="_blank">AutoSelectCertificateForUrls</a>. Below is a screenshot from my own lab. 
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJbo4QmpiTZZzCllcxqFIu5czu7zCBjX9ESqPShJb4D2hg6tRJSqk72M40vpaaXcbx2hYc4-fcN6rMw0122wJ5ONDnobCCDONat7MfTZfT8Oci1mn2sNHNah2ag_cY2g8DXtvz163UtwGc/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="412" data-original-width="1444" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJbo4QmpiTZZzCllcxqFIu5czu7zCBjX9ESqPShJb4D2hg6tRJSqk72M40vpaaXcbx2hYc4-fcN6rMw0122wJ5ONDnobCCDONat7MfTZfT8Oci1mn2sNHNah2ag_cY2g8DXtvz163UtwGc/w640-h182/Screen+Shot+2021-03-04+at+5.56.33+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">Finally, when it comes to IE, there's an easy to use option from internet settings. You can navigate to Security Settings under Internet Options, then enable the policy, "Don't prompt for client certificate selection when only one certificate exists." 
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-3XxpzNtifYZULKdEt3E0LLDTd34SwJ65AkK16W4MCbilwAY00hjMmJ5anm03BppNbe2-L6AmsQA3V9aPM2LLSTMED6bnkts0mLdTZ3e8zbYSqw1JoMdZqNXASimJ6-PBG8I5wvDcVhRz/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="1182" data-original-width="1332" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-3XxpzNtifYZULKdEt3E0LLDTd34SwJ65AkK16W4MCbilwAY00hjMmJ5anm03BppNbe2-L6AmsQA3V9aPM2LLSTMED6bnkts0mLdTZ3e8zbYSqw1JoMdZqNXASimJ6-PBG8I5wvDcVhRz/w400-h356/Screen+Shot+2021-03-05+at+5.41.00+PM.png" width="400" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><h3 style="text-align: left;"><span 
style="color: #9fc5e8;"><span>Getting These Win 10 Settings Pushed Out Throug</span>h UEM</span></h3><span style="color: #9fc5e8;"><br /><span style="font-size: medium;">To get these registry settings automatically pushed out to your endpoint devices, if your Win10 endpoints are domain joined, you could always turn to AD GPO settings for <a href="https://docs.microsoft.com/en-us/deployedge/configure-microsoft-edge" target="_blank">Edge</a> and <a href="https://support.google.com/chrome/a/answer/7649838?hl=en" target="_blank">Google Chrome</a>. Here’s a screenshot from my lab:</span><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd3iLJ6cd5PqOn6RqYHV_V2wwl6mXKfiAFB4Rb7d0X-bnyZDLmwo1aIC-O2PJNWnudpmq5SqDqwo2ugg5MKbwVL-0Y3Ap55Jpa2cLQfAgu0IiHvXePhFAI7WwcW3yJyBWPPqJcu6oT8zgP/"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd3iLJ6cd5PqOn6RqYHV_V2wwl6mXKfiAFB4Rb7d0X-bnyZDLmwo1aIC-O2PJNWnudpmq5SqDqwo2ugg5MKbwVL-0Y3Ap55Jpa2cLQfAgu0IiHvXePhFAI7WwcW3yJyBWPPqJcu6oT8zgP/w640-h324/Screen+Shot+2021-03-10+at+11.29.07+AM.png" /></a><br /><br /><span style="font-size: medium;">While using AD GPO’s is certainly an option, it doesn’t feel very modern management-ish, does it? A lot of us turn to modern management to break away from dependency on AD domains, so finding an alternative for delivering these settings through UEM is more desirable. Fortunately, when it comes to migrating away from AD GPOs to WS1 UEM delivery, <a href="https://www.evengooder.com/2020/06/ws1-modern-management-for-gpo-settings.html" target="_blank">there’s like 17 ways to skin that cat</a>. One option is to leverage Workspace ONE Baselines to deliver the GPO settings through a Custom Baseline. In my own lab this started by exporting the GPO using the Group Policy Management tool. Then, after zipping up this backup, I uploaded it to a Custom Baseline. 
</span><br /><br /></span><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0OLHsK_Ob8R4RNRA_9DUfY2hfkdBfEPgfrrReyasNaFnOPjXHof2fDa8VBrkWRjZNxoC-E4jcpr09hmUr-kiatvfZsH85jsatXyvF066JJ3dc5SExIDo7KOTfJDLjruK_iMbL8cCqXQdj/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="998" data-original-width="1470" height="434" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0OLHsK_Ob8R4RNRA_9DUfY2hfkdBfEPgfrrReyasNaFnOPjXHof2fDa8VBrkWRjZNxoC-E4jcpr09hmUr-kiatvfZsH85jsatXyvF066JJ3dc5SExIDo7KOTfJDLjruK_iMbL8cCqXQdj/w640-h434/Screen+Shot+2021-03-10+at+12.59.35+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><span style="color: #9fc5e8;"><br /><span style="font-size: medium;">Then, for extra credit I went ahead and added the option for configuring cert selection on Internet Explorer. 
(The backed up GPO already included settings from Chrome and Edge.)</span></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4woFgY001MOHfu-02hY4y9Q2IWJ9PNPaDJerkO_0Ree97c1mKoZ9-rXkZi2FPGYnyPu0PEeFHWITdJJ9QUthXChYGSqqTRSfRegPI0paLuiJOxaY-Nin7fQv0IS0JCP3xQKWlUGmk6TVp/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="698" data-original-width="2258" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4woFgY001MOHfu-02hY4y9Q2IWJ9PNPaDJerkO_0Ree97c1mKoZ9-rXkZi2FPGYnyPu0PEeFHWITdJJ9QUthXChYGSqqTRSfRegPI0paLuiJOxaY-Nin7fQv0IS0JCP3xQKWlUGmk6TVp/w640-h198/Screen+Shot+2021-03-10+at+1.03.37+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">After pushing this Baseline out to my Win10 endpoints I was in business and had the desired behavior. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><span style="color: #9fc5e8;">Again, because we're talking about Windows 10 and WS1 UEM, there's a lot of ways to approach getting these settings pushed out. 
For instance, there's <a href="https://mikenelsonjr.com/blog/2020/03/19/registrykey-customsettings" target="_blank">this option for pushing out registry settings with a custom profile</a>. </span><span style="color: #9fc5e8;">Also, there's this post on pushing out these settings via a </span><a href="https://blog.eucse.com/windows-10-true-sso-using-chrome/" target="_blank">reg file and UEM's product provisioning capabilities</a><span style="color: #9fc5e8;">. Hell, you could even use AirLift to export your Google Chrome GPOs to a custom profile. </span><span style="color: #9fc5e8;"> Along those lines, using CSPs to configure Chrome settings is detailed in this older article, </span><a href="https://code.vmware.com/samples/3329/windows-10---chrome-admx" target="_blank">Windows 10 - Chrome ADMX</a><span style="color: #9fc5e8;">. </span></span></div><div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div style="text-align: left;"><span style="color: #cfe2f3; font-size: medium;">macOS Certificate Prompts</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div><span style="color: #9fc5e8; font-size: medium;">To rid yourself of certificate prompts on macOS for Safari, we can use the Identity Preference option in the SCEP profile. By entering the CAS URL, we can have the cert automatically selected when it comes time for cert authentication. 
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwjsU3ItfGH47W9zwAGD7PX6KdiPkQ-g-DJ1bZcjr2pD0DKPJHHa8cP07dEOF12Ox1gjLNzhppuuBv0m5ytS0XSnK60ygJD23IQHrvaS4Wgx4xbt0Q9dY1Iriw_9Ead623iPEcjiQJ2Mgr/" style="clear: left; margin-bottom: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="998" data-original-width="1718" height="372" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwjsU3ItfGH47W9zwAGD7PX6KdiPkQ-g-DJ1bZcjr2pD0DKPJHHa8cP07dEOF12Ox1gjLNzhppuuBv0m5ytS0XSnK60ygJD23IQHrvaS4Wgx4xbt0Q9dY1Iriw_9Ead623iPEcjiQJ2Mgr/w640-h372/Screen+Shot+2021-02-28+at+5.54.46+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">For more details on this Identity Preference setting check out the official <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/WS1_macOS_Platform_Doc.pdf" target="_blank">macOS Device Management Guide</a>. </span></div><div><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">When it comes to disabling certificate prompts for Google Chrome, once again, it's all about the <a href="https://www.chromium.org/administrators/policy-list-3#AutoSelectCertificateForUrls" target="_blank">AutoSelectCertificateForUrls</a> Chrome policy. For macOS, this can be configured through a custom payload. 
Below is an example from my own lab:</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsPX543n4sAwReETC-TGjiaGLkbhl-7YTbYnskZYME2EsYOrt9vtEiSJEeoCKMTekAY9WoZK8P0QKnYZuNNtWBYtd_abk1dt4-vNHic69ooRuHZ3D1UL8-iPCOtVGYJG-5ftf6jDtABllz/" style="clear: left; margin-bottom: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="876" data-original-width="1968" height="284" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsPX543n4sAwReETC-TGjiaGLkbhl-7YTbYnskZYME2EsYOrt9vtEiSJEeoCKMTekAY9WoZK8P0QKnYZuNNtWBYtd_abk1dt4-vNHic69ooRuHZ3D1UL8-iPCOtVGYJG-5ftf6jDtABllz/w640-h284/Screen+Shot+2021-03-04+at+10.15.42+AM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /><span style="font-size: medium;">For additional guidance on this macOS policy, see VMware's TechZone article, <a href="https://techzone.vmware.com/blog/managing-identity-preferences-streamline-single-sign-macos-revisited" target="_blank">Managing Identity Preferences To Streamline Single Sign-On For macOS</a>. </span></span></div></div><div><br /></div><h3 style="text-align: left;"><span style="color: #9fc5e8;">East Bound And Down!!!!!</span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">During my recent training it became clear that Zero Trust is a worthy goal and destination, though the march towards it probably won't be fun or glorious. For most organizations it's not going to be a straight path but rather a series of bursts and stalls, as immediate needs are balanced with long term security objectives. Further, most organizations will never quite be completely "there." That said, there are definitely examples of progress, with Workspace ONE certificate authentication being one of them. It's a clear win, a successful battle, in the long, drawn-out war that is Zero Trust adoption. 
Further, it's a quick win. To a dorcus malorkus such as myself, it feels swashbuckling, folksy, edgy and, most notably, wildly effective. When implementing the process for the first time I felt like <a href="https://www.youtube.com/watch?v=WJPM-M_Z65o" target="_blank">Jerry Reed in Smokey And The Bandit</a>, barreling across the Zero Trust spectrum with blinding efficiency.</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><a href="https://www.youtube.com/watch?v=IOgUaFkpS3Y" style="margin-left: 1em; margin-right: 1em; text-align: center;" target="_blank"><span style="color: #9fc5e8;"><img border="0" data-original-height="600" data-original-width="755" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOtpPM6-ik7A0e4IP4nLom53BMgmsgIhAAW52GTaxe0dNLsGcUGiFcFsnmC0kAPdccaXPPa3Vt-8HnIP2AN20vq1tKvqsMqUvDW4PXa0EpmDtY1HzNDWzLF5pJJifBzMZrCAu96_2talUa/s320/east_bound_and_down.jpg" width="320" /></span></a></div><div><span style="color: #9fc5e8;"> </span></div></div></div></div></div><div><span style="color: #9fc5e8;"><br /></span></div><div><h3><span style="color: #9fc5e8;">Adding A 3rd Party CA Later On </span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8; font-size: medium;">One of my favorite aspects of this recipe is that it leverages Workspace ONE's built-in CA. Overall, this makes the entire solution much more accessible and easy to wrap your head around. When you start talking about 3rd party CAs, a lot of times, folks' eyes begin to glaze over as hope drains away. Pulling off an integration between WS1 Access, WS1 UEM and your various endpoint devices is already daunting enough. Throw in a 3rd party CA that a WS1 admin probably doesn't have control of and things can get overwhelming. All that said, I've had brainier folks tell me there are scenarios where using a 3rd party CA is more flexible and appropriate for production. 
If that sounds like your situation, you can always start off with the basic recipe called out in this post, then move on to a 3rd party CA when you're ready. Steveidm details what the process could look like in the article, "<a href="https://theidentityguy.ca/2021/01/13/setting-up-a-3rd-party-ca-with-workspace-one-in-your-lab-environment/" target="_blank">Setting Up A 3rd Party CA With Workspace ONE In Your Lab Environment</a>." </span></div></div>EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com0tag:blogger.com,1999:blog-7411363718337372107.post-77872071968228645002020-12-30T17:57:00.056-08:002021-07-01T18:59:38.947-07:00Wrapping VMware's Workspace ONE Security Around G Suite Consumption<div><span style="color: #9fc5e8;">Recently I helped design an integration between G Suite (Google Workspace) and VMware's Workspace ONE. A key objective of the design is to secure G Suite on mobile devices by requiring UEM enrollment for access to services like Gmail or Google Drive. While phones in a BYOD scenario are a primary focus, the solution accommodates an entire enterprise and range of endpoints including tablets, desktops, and laptops. Overall, the challenge of securing G Suite across multiple domains and various device types is met through a combination of WS1 Access and UEM, with an option to layer on additional security and automation through WS1 Intelligence. 
</span></div><div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdcABfNisjfvGiY1V5WjLiCZu2Ek7fHtwX0bTFQI0Jta3fUR9rkQKGwkGLAf22VbknMjrgzRuTfC4FDtzGwR03jxmuF0j0QGM6vkHCVKUXd4OS7KgMHr4TKITAzup81zAXcSdh_gbJS5ox/s1980/Screen+Shot+2021-01-04+at+10.04.05+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1098" data-original-width="1980" height="354" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdcABfNisjfvGiY1V5WjLiCZu2Ek7fHtwX0bTFQI0Jta3fUR9rkQKGwkGLAf22VbknMjrgzRuTfC4FDtzGwR03jxmuF0j0QGM6vkHCVKUXd4OS7KgMHr4TKITAzup81zAXcSdh_gbJS5ox/w640-h354/Screen+Shot+2021-01-04+at+10.04.05+AM.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div><span style="color: #9fc5e8;">The solution traverses a well-traveled and documented path for WS1, essentially the same strategy we'd employ for securing any SAML compliant application with WS1. Look at the graphic above. Replace the images of G Suite with a logo for Office 365, Salesforce, ServiceNow, Workday, Slack or Zoom. The relevant steps, strategies and capabilities are generally the same: perform a SAML federation, leverage mobile SSO, and use conditional access policies to judiciously enforce relevant security. It's a standard WS1 formula for enabling traditional IT shops to securely embrace SaaS adoption. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><h3><span style="color: white;">An Overview Of The Solution</span></h3></div><div><span style="color: white;"><br /></span></div><div><span style="color: #9fc5e8;">When it comes to the more advanced security capabilities of Workspace ONE, SAML is the star of the show. 
Fortunately, most modern SaaS solutions, including G Suite, support SAML and so stand to gain tremendously from Workspace ONE. Typically, an integration occurs directly between WS1 Access and the SaaS solution, however, it can also happen through the intermediary of a 3rd party IDP such as Okta, Ping or ADFS. Regardless, from the user's perspective the end result is usually the same: they're able to leverage their on-premises AD identity and associated authentication methods for secure access to a SaaS based solution. This article will initially focus on a direct integration between WS1 and G Suite, then elaborate on options for 3rd party IDPs a bit later on. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxkCmnUQIDPjVQr58-ufKKDsh59u9yjHG1qgLn66IDaGvZ4uFgqo5sZjDEby31UIAg62WfIJbsYvRTXb94K7qLSmwIjOz-DvOk1vcwFI6S4h3z4G60O2etucGXpASK9pVOYbjVOZC0UoVw/s1258/AD_to_SaaS.png" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="640" data-original-width="1258" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxkCmnUQIDPjVQr58-ufKKDsh59u9yjHG1qgLn66IDaGvZ4uFgqo5sZjDEby31UIAg62WfIJbsYvRTXb94K7qLSmwIjOz-DvOk1vcwFI6S4h3z4G60O2etucGXpASK9pVOYbjVOZC0UoVw/w640-h326/AD_to_SaaS.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br 
/></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">The basic idea with SAML is to have a trust established between an identity provider (IDP) and a service provider (SP) through an exchange of metadata and a cert. Then, going forward, whenever anyone wants access to the service provider, they must first prove their identity to the IDP through whatever authentication methods it accepts and enforces. It could be as simple as basic AD authentication or as complex as Mobile SSO based on device compliance. Regardless, once the user's identity has been proven to the satisfaction of the identity provider, the IDP will issue the user agent, typically a browser, a SAML assertion that is then forwarded to the service provider in exchange for access to the service. An absolutely amazing overview of SAML by Peter Björk called <a href="https://www.youtube.com/watch?v=SvppXbpv-5k&feature=youtu.be" target="_blank">SAML 2.0: Technical Overview</a> is available on YouTube as well as VMware's TechZone. Below is one of my favorite graphics from this enablement. 
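To make the service-provider half of that exchange concrete, here is an added example (not from the post, and not VMware's or Google's code) of the checks an SP performs on a SAML Response once the XML signature has been verified against the IDP signing cert it imported: success status, trusted issuer, audience, recipient and validity window. The Response is constructed sample data; the entity IDs, ACS URL and user are placeholders, and the IDP entity ID only follows the shape of a WS1 Access metadata path as an assumption.

```powershell
# Added example, not from the original post. Validates a SAML Response the way
# a service provider does AFTER the XML signature has been verified (signature
# checking is out of scope here; in .NET it is done with
# System.Security.Cryptography.Xml.SignedXml and the IDP signing certificate).
# Entity IDs, URLs and the user below are placeholders (constructed sample data).

$trustedIssuer = 'https://ws1access.example.com/SAAS/API/1.0/GET/metadata/idp.xml'  # assumed IDP entity ID
$spAudience    = 'google.com/a/example.com'                                         # assumed SP entity ID
$spRecipient   = 'https://www.google.com/a/example.com/acs'                         # assumed ACS URL

$sampleResponse = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0" IssueInstant="2021-01-04T18:00:00Z"
                Destination="https://www.google.com/a/example.com/acs">
  <saml:Issuer>https://ws1access.example.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-01-04T18:00:00Z">
    <saml:Issuer>https://ws1access.example.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://www.google.com/a/example.com/acs"
                                      NotOnOrAfter="2021-01-04T18:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-01-04T17:59:00Z" NotOnOrAfter="2021-01-04T18:05:00Z">
      <saml:AudienceRestriction><saml:Audience>google.com/a/example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2021-01-04T18:00:00Z"/>
  </saml:Assertion>
</samlp:Response>
"@

function ConvertTo-UtcTime([string]$Value) {
    # SAML timestamps are ISO 8601 in UTC ("...Z").
    [datetime]::Parse($Value, [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

function Test-SamlResponse {
    param(
        [Parameter(Mandatory)][string]$ResponseXml,
        [Parameter(Mandatory)][string]$TrustedIssuer,
        [Parameter(Mandatory)][string]$Audience,
        [Parameter(Mandatory)][string]$Recipient,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $doc = [xml]$ResponseXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $problems = @()

    $status = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode', $ns).GetAttribute('Value')
    if ($status -ne 'urn:oasis:names:tc:SAML:2.0:status:Success') { $problems += "status is $status" }

    $assertion = $doc.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    if (-not $assertion) { return [pscustomobject]@{ Valid = $false; Problems = @('no Assertion element') } }

    # Issuer must be the IDP whose metadata and signing cert were imported.
    $issuer = $assertion.SelectSingleNode('saml:Issuer', $ns).InnerText.Trim()
    if ($issuer -ne $TrustedIssuer) { $problems += "untrusted issuer $issuer" }

    # Audience must name this SP, otherwise the assertion was minted for another service.
    $audiences = @($assertion.SelectNodes('saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns) |
        ForEach-Object { $_.InnerText.Trim() })
    if ($audiences -notcontains $Audience) { $problems += "audience mismatch: $($audiences -join ',')" }

    # Validity window from Conditions: reject anything stale or not yet valid.
    $cond = $assertion.SelectSingleNode('saml:Conditions', $ns)
    if ($Now -lt (ConvertTo-UtcTime $cond.GetAttribute('NotBefore')))    { $problems += 'assertion not yet valid' }
    if ($Now -ge (ConvertTo-UtcTime $cond.GetAttribute('NotOnOrAfter'))) { $problems += 'assertion expired' }

    # Bearer confirmation must be addressed to this SP's ACS endpoint and still be fresh.
    $scd = $assertion.SelectSingleNode('saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData', $ns)
    if ($scd.GetAttribute('Recipient') -ne $Recipient) { $problems += 'recipient mismatch' }
    if ($Now -ge (ConvertTo-UtcTime $scd.GetAttribute('NotOnOrAfter'))) { $problems += 'subject confirmation expired' }

    $nameId = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns).InnerText.Trim()
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Subject = $nameId; Problems = $problems }
}

$checkParams = @{ ResponseXml = $sampleResponse; TrustedIssuer = $trustedIssuer; Audience = $spAudience; Recipient = $spRecipient }
# Inside the window: accepted. Six minutes after issuance: rejected as expired.
Test-SamlResponse @checkParams -Now (ConvertTo-UtcTime '2021-01-04T18:01:00Z')
Test-SamlResponse @checkParams -Now (ConvertTo-UtcTime '2021-01-04T18:06:00Z')
```

The first call returns Valid = True for jane@example.com; the second returns Valid = False with both "expired" problems listed. The issuer and audience checks are what make the metadata and cert exchange matter: an assertion signed by some other IDP, or minted for some other SP, fails even if it is well formed.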
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzlAJWUxe3vXUIxLcrEdxK-BYK-nmu3gWuyF7in7ipAD2RFiyrNF-85-x8sw2Y8vZhW1E2MyqRdtlQ_xhRoFC0mZ4NPTJzyxNkL1yxRlvPx2eB3S4MsSBuoVUU6kmU3pzDbO1bx_CFJCNH/s929/SAML_overview.png" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="650" data-original-width="929" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzlAJWUxe3vXUIxLcrEdxK-BYK-nmu3gWuyF7in7ipAD2RFiyrNF-85-x8sw2Y8vZhW1E2MyqRdtlQ_xhRoFC0mZ4NPTJzyxNkL1yxRlvPx2eB3S4MsSBuoVUU6kmU3pzDbO1bx_CFJCNH/w400-h280/SAML_overview.png" width="400" /></span></a></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">In the G Suite integration detailed in this post WS1 Access is the identity provider while the G Suite tenant is the service provider. 
This SAML federation is the absolute backbone of the integration, first and foremost enabling users to access G Suite with their AD credentials. Further, it provides SSO and opens up G Suite to a wide range of authentication methods, most notably conditional access based on device posture and compliance. In a nutshell, most of the goodness discussed in this post is rooted in this SAML federation. The flow of this article is structured accordingly, starting with the G Suite SAML federation, then working through Mobile SSO, conditional access policies, device trust, and WS1 Intelligence. It will also review some of the finer points of the integration particular to G Suite. Here's the basic outline for this post: </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><ul style="text-align: left;"><li><span style="color: #9fc5e8;">SAML Integration Between G Suite (Google Workspace) And WS1 Access </span></li><li><span style="color: #9fc5e8;">Mobile SSO for iOS and Android</span></li><li><span style="color: #9fc5e8;">Conditional Access Policies </span></li><li><span style="color: #9fc5e8;">Device Trust And 3rd Party IDPs</span></li><li><span style="color: #9fc5e8;">WS1 Intelligence</span></li><li><span style="color: #9fc5e8;">G Suite Specific Considerations:</span></li><ul><li><span style="color: #9fc5e8;">Pushing Out Email Profiles To Mobile Devices</span></li><li><span style="color: #9fc5e8;">Token Revocation </span></li><li><span style="color: #9fc5e8;">DLP</span></li></ul></ul><div><span style="color: #9fc5e8;"><br /></span></div></div><div style="text-align: left;"><span style="color: #9fc5e8;">With that said, I'll start with a review of the initial federation between G Suite and WS1 Access. 
</span></div><div style="text-align: left;"><span style="color: #9fc5e8;"><br /></span></div><div style="text-align: left;"><span style="color: #9fc5e8;"><br /></span></div><h3 style="text-align: left;"><span style="color: white;">SAML Integration Between G Suite (Google Workspace) And WS1 Access</span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO_2T-j0Db2Oi9GHya2o0nF1c8IVBl_f9rrCYzXktF_YMPWOW70Ixi0wlJXhCbK_T_yKW-NRXZFv2Tlw1Lhyphenhyphen32hcoXC2xUW25NsSIbR4k8s2XpHOIkcGBntiCiI4MUncHDLGnvRxMxOqV2/s1289/SAML_Blog.png" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="889" data-original-width="1289" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO_2T-j0Db2Oi9GHya2o0nF1c8IVBl_f9rrCYzXktF_YMPWOW70Ixi0wlJXhCbK_T_yKW-NRXZFv2Tlw1Lhyphenhyphen32hcoXC2xUW25NsSIbR4k8s2XpHOIkcGBntiCiI4MUncHDLGnvRxMxOqV2/w400-h276/SAML_Blog.png" width="400" /></span></a></div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br 
/></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">For guidance on a direct SAML integration between G Suite and WS1 Access, I turned to the blog, "<a href="https://eucmasters.in/how-to-integrate-g-suite-with-workspace-one-access/" target="_blank">How To Integrate G Suite With Workspace ONE Access?</a>", by Aamir Khan. Following the steps detailed in this article was relatively straightforward, and having its guidance as a tailwind was extremely helpful. Lining up the prerequisites was significantly more work than the actual SAML integration. Steps like getting a test domain set up, deploying a WS1 Access Connector and signing up for a G Suite eval tenant took me an evening, while the actual SAML integration itself was less than a 20 minute affair. The article breaks down the SAML integration into these 3 major steps: </span></div><div><ol style="text-align: left;"><li><span style="color: #9fc5e8;">Configuring the Google App within WS1 Access</span></li><li><span style="color: #9fc5e8;">Downloading the Signing Certificate From WS1 Access</span></li><li><span style="color: #9fc5e8;">Configuring SSO In The Google Admin Console </span></li></ol></div><div><span style="color: #9fc5e8;">While these steps aren't exactly intuitive or for the faint of heart, the blog post lays things out quite nicely. Executing the recipe involved switching back and forth between Aamir's blog post, my WS1 tenant and my Google Admin console. Essentially it was all plug 'n chug, replacing variables with the specifics of my environment like the G Suite primary domain name and the WS1 Access tenant URL. For instance, here's a screenshot of me updating the preconfigured Google App template in WS1 Access with info about my G Suite tenant at BellflowerBlues.com. 
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMiDPzDEXwVlzByqkI8oqPuxbNIkJeFDsq6fVQeOyxLMI2rhkZl_f5FDg-hNUcB4hiVcO89L3ukGhIZQq1SrXp0a_yeyqzi9DvLiSFcTVyf7CHaiF8KjvBGoqC5MN2btj51ZVNI-gmlReE/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="647" data-original-width="800" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMiDPzDEXwVlzByqkI8oqPuxbNIkJeFDsq6fVQeOyxLMI2rhkZl_f5FDg-hNUcB4hiVcO89L3ukGhIZQq1SrXp0a_yeyqzi9DvLiSFcTVyf7CHaiF8KjvBGoqC5MN2btj51ZVNI-gmlReE/w400-h323/google_config.png" width="400" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">Plug and chug, plug and chug: </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTexi2BeQ19q6Sndpjwe9RjND5Fb_PYm0bTOfcolnaQ7u0wriRCIMxFpFQoU4SC9sjMVlG9n2IFn2laPNmc5v4Gq_XFncPRkeEpmR4GR6SRHIKPBN9bdRPNPaPLYqeT5jjlmh4pfLHgZbF/s2218/Screen+Shot+2020-12-21+at+9.38.08+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="794" data-original-width="2218" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTexi2BeQ19q6Sndpjwe9RjND5Fb_PYm0bTOfcolnaQ7u0wriRCIMxFpFQoU4SC9sjMVlG9n2IFn2laPNmc5v4Gq_XFncPRkeEpmR4GR6SRHIKPBN9bdRPNPaPLYqeT5jjlmh4pfLHgZbF/w640-h230/Screen+Shot+2020-12-21+at+9.38.08+AM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">Then, downloading the signing certificate was a matter of navigating to Catalog --> Web Apps --> Settings ---> SAML Metadata on my WS1 Access tenant. From there you can just hit the download button and you'll have the signing certificate. 
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFf0NRRH_Hpq1pY6UeJ48EaASB2avcdVbgytCl5moWoRCO-xOD-g8yv-L2quhPw6Qb73Q7wtVVRqJwlfXT-lnZ5PrsVac3HWo2z9JU8qOtu_eGpIpJg7fgqjj0B5G_aqJIKLUtzG7d7r0f/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img alt="" data-original-height="846" data-original-width="1556" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFf0NRRH_Hpq1pY6UeJ48EaASB2avcdVbgytCl5moWoRCO-xOD-g8yv-L2quhPw6Qb73Q7wtVVRqJwlfXT-lnZ5PrsVac3HWo2z9JU8qOtu_eGpIpJg7fgqjj0B5G_aqJIKLUtzG7d7r0f/w400-h217/Screen+Shot+2020-12-21+at+9.47.16+AM.png" width="400" /></span></a></div><span style="color: #9fc5e8;"><br /><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">Finally, there's the configuration of the WS1 Access tenant as an identity provider for G Suite. Again, just some plug 'n chug, updating the G Suite tenant with info about my WS1 Access tenant and uploading the signing certificate. 
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGhyphenhyphennIdxQ7s2fB3Zhmu9-_bb_rdn9Oxv_FY7auYyn5CI9V72QOv2Ne8gMCXANPqyN1z0cnt5LNCLQR1imEk4wZYin2Pm5RqEYcF-oLq5BDzA2xqKm_UV8DD9eUfkb_VvXoAjKiS_uNPWCM/s1930/Screen+Shot+2020-12-16+at+7.18.34+PM.png" style="clear: left; margin-bottom: 1em; margin-left: 1em; text-align: center;"><span style="color: #9fc5e8;"><img border="0" data-original-height="1432" data-original-width="1930" height="474" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGhyphenhyphennIdxQ7s2fB3Zhmu9-_bb_rdn9Oxv_FY7auYyn5CI9V72QOv2Ne8gMCXANPqyN1z0cnt5LNCLQR1imEk4wZYin2Pm5RqEYcF-oLq5BDzA2xqKm_UV8DD9eUfkb_VvXoAjKiS_uNPWCM/w640-h474/Screen+Shot+2020-12-16+at+7.18.34+PM.png" width="640" /></span></a></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">With the integration between WS1 Access and G Suite complete, I had the full breadth of the WS1 Access tenant's authentication methods and conditional access policies at my disposal. That's no small thing and something I'm going to elaborate on in a bit. However, I want to first zero in on the mobile use case and SSO for G Suite applications. At this point, without further configuration on the UEM side of the equation, mobile G Suite users are handed off to the WS1 Access tenant for authentication, similar to your normal desktop and laptop users. 
Here's a quick demo of what that looks like: </span></div><h3><div><div style="font-size: medium; font-weight: 400;"><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dxX0sW8VJdh7wCFLGm3NObfj-eunzPOQ79_yy-y3XqY3w0acvkOs5u8UvYdujSdmsjEDYK3KTk3nSOxVrUDNA' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div><div class="separator" style="clear: both; font-size: medium; font-weight: 400; text-align: center;"><br /></div><div style="text-align: left;"><span style="font-weight: normal;"><span style="color: #9fc5e8; font-size: small;">While this is fine and good, we can certainly enhance this mobile G Suite experience using Mobile SSO for iOS and Android. </span></span></div></div><div style="font-size: medium; font-weight: 400;"><span style="color: #9fc5e8;"><br /></span></div><div style="font-size: medium; font-weight: 400;"><span style="color: #9fc5e8;"><br /></span></div></h3><h3><span style="color: white;">Mobile SSO For iOS And Android </span></h3><h3><div style="font-size: medium; font-weight: 400;"></div><div style="font-size: medium; font-weight: 400;"><span style="color: #9fc5e8;"><br /></span></div><div style="font-weight: 400; text-align: left;"><span style="color: #9fc5e8; font-size: small;">Mobile SSO is a solution from VMware that offers SSO for mobile applications on iOS or Android. It enables the use of certificate authentication for mobile apps whose backends have been federated with WS1 Access through SAML. Through a combination of WS1 UEM and WS1 Access, the certificate is issued, managed and protected on the device on behalf of the mobile app rather than by the app itself. 
Peter Bjork offers a wonderful review of this feature 5 minutes into the video, "<a href="https://www.youtube.com/watch?v=LGQRUe2vKWs&feature=youtu.b" target="_blank">Workspace ONE. Access: Feature Walk Through</a>." Mobile SSO enables VMware customers to overcome traditional challenges with leveraging certificate authentication for mobile apps, "offering near 100% application support," for any mobile solutions that have been federated with WS1 Access. </span></div><div style="font-weight: 400;"><span style="color: #9fc5e8; font-size: medium;"><br /></span></div><div style="font-weight: 400;"><span style="color: #9fc5e8;"><img border="0" data-original-height="768" data-original-width="1177" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoExDVuyBUxFe-BMraFKPTWQcyhag9Gefqlr6y2kwLp9O5ae6yz19ap_NAaF3WuSgfWPLRX3-nFAX-qeVnqbiByZ9VqZ0qrbd9lnAsLV0qv35301clbWCoIYmmzzGBSE0-VDwbEktIJzbu/w400-h261/mobile_sso.png" style="font-size: medium;" width="400" /></span></div><div style="text-align: left;"><span style="color: #9fc5e8; font-weight: normal;"><br /></span><div style="text-align: left;"><span style="font-weight: normal;"><span style="color: #9fc5e8; font-size: small;">When it's implemented for a mobile app, at login time, once a username has been provided, Mobile SSO will kick in, completing the login process for the user. By enabling certificate use for mobile apps Mobile SSO arguably achieves the remarkable feat of both increasing usability and security. In the context of a G Suite deployment, particularly in regard to Gmail, it absolutely shines, enabling a simpler user experience accessing email through either the Gmail mobile app or native iOS mail client. 
Here's a demo of the login process:</span></span></div></div><div style="text-align: left;"><span style="color: #9fc5e8; font-size: small; font-weight: normal;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dwDxMLL9KHjvOMgTHZYoKnn67194iWo74SrTrQVFIE0tNvod24RR_12RUiHSyBy4Y4-BUMYeJYQd7XDFisfRw' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div style="font-weight: 400;"><span style="font-size: small;"><span style="color: #9fc5e8;">While Mobile SSO is a mature and proven solution, it can be a little intimidating to set up. For guidance on Mobile SSO for iOS, check out this post I published a couple of years ago, "</span><a href="https://www.evengooder.com/2018/10/configuring-mobile-sso-for-ios-in.html" target="_blank">Configuring Mobile SSO For iOS In Workspace ONE UEM</a><span style="color: #9fc5e8;">." There's also the official guidance from the Workspace ONE Access side of the house, </span><a href="https://docs.vmware.com/en/VMware-Workspace-ONE-Access/services/ws1_access_authentication_cloud/GUID-73DD7FBB-EF48-4E2A-9A0E-8D2D58B5DE51.html" target="_blank">Configuring Mobile SSO for iOS Authentication In Workspace ONE Access</a><span style="color: #9fc5e8;">. 
For Android, I found the article "</span><a href="https://mobile-jon.com/2019/03/31/breaking-down-workspace-ones-android-sso/" target="_blank">Breaking Down Workspace One's Android SSO</a><span style="color: #9fc5e8;">" at mobile-jon.com very interesting.</span></span></div><div style="font-weight: 400;"><span style="color: #9fc5e8; font-size: small;"><br /></span></div><div style="font-weight: 400;"><span style="color: #9fc5e8; font-size: small;">A final step for getting Mobile SSO enabled is the configuration of conditional access policies on WS1 Access. This involves simply assigning Mobile SSO as an authentication method or pairing it up with device compliance policies. Either way, conditional access policies are a very relevant topic and I'll be covering them next. </span></div><div style="font-weight: 400;"><span style="color: #9fc5e8; font-size: small;"><br /></span></div><div style="font-weight: 400;"><span style="color: #9fc5e8;"><br /></span></div></h3><h3 style="text-align: left;"><span style="color: white;">Conditional Access Policies</span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">Workspace ONE conditional access policies can be used to secure G Suite access once a WS1 Access tenant has been configured as an identity provider within the Google admin console. These policies define security requirements while taking into account a user's context and device posture. Circumstances like AD group membership, network range, device enrollment or posture drive the enforcement of authentication methods across different scenarios and use cases. The range of authentication methods to choose from can be quite broad in a mature WS1 deployment, drawing on both on-premises and cloud-based sources to enhance G Suite security. After a user has proven their identity to the satisfaction of these conditional access policies, they're granted a SAML assertion for access to G Suite services. 
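To make the evaluation order concrete, here is a small model I've added; it is not VMware code and not the lab policy in the screenshots. It reproduces the rule semantics of an access policy as described in this section: rules are ordered, the first rule whose network range, device type and group match is the one that applies, and that rule lists authentication methods in priority order so each later method is the fallback for the one before it. It also shows what chaining in the UEM device compliance check does to the outcome, and that a failed method inside a matched rule ends in a denial rather than falling through to the next rule. The rule set, group names, addresses and the way compliance is attached to a rule are constructed for illustration; the method names mirror what the WS1 Access console calls them.

```python
"""Model of how an ordered WS1 Access access policy is evaluated for an app like G Suite.

Added example, not VMware code. Captures first-match rule selection, the
fallback chain of authentication methods inside a rule, and the device
compliance gate fed by WS1 UEM. Rule set and names are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    network_ranges: list            # CIDRs; ["0.0.0.0/0"] plays the role of "ALL RANGES"
    device_types: set               # e.g. {"Windows 10", "iOS", "Android", "macOS"}
    auth_methods: list              # tried in order; each later entry is the fallback
    groups: set = field(default_factory=set)   # empty set means "all users"
    require_compliance: bool = False           # device compliance chained into the rule


@dataclass
class Request:
    source_ip: str
    device_type: str
    user_groups: set
    available_methods: set          # what this client can actually perform right now
    enrolled: bool = False          # known to WS1 UEM
    compliant: bool = False         # passes the UEM compliance policy


# Constructed policy in the spirit of the post: Kerberos for Windows on the corporate
# network with password fallback, Mobile SSO plus compliance for mobile, and a
# certificate or password + MFA for everything else.
LAB_POLICY = [
    Rule(["10.0.0.0/8"], {"Windows 10"}, ["Kerberos", "Password"]),
    Rule(["0.0.0.0/0"], {"iOS", "Android"}, ["Mobile SSO"], require_compliance=True),
    Rule(["0.0.0.0/0"], {"Windows 10", "macOS", "iOS", "Android", "Web Browser"},
         ["Certificate (Cloud Deployment)", "Password + VMware Verify"]),
]


def matches(rule, req):
    """A rule applies when network range, device type and (if set) group all match."""
    ip = ip_address(req.source_ip)
    in_range = any(ip in ip_network(cidr) for cidr in rule.network_ranges)
    in_group = not rule.groups or bool(rule.groups & req.user_groups)
    return in_range and req.device_type in rule.device_types and in_group


def evaluate(policy, req):
    """Return ("allow", method_used) or ("deny", reason)."""
    for rule in policy:
        if not matches(rule, req):
            continue
        # Walk the fallback chain: the first method the client can satisfy is used.
        # If none can, access is denied; evaluation does not continue to later rules.
        method = next((m for m in rule.auth_methods if m in req.available_methods), None)
        if method is None:
            return "deny", "no usable authentication method in the matching rule"
        if rule.require_compliance and not (req.enrolled and req.compliant):
            # Compliance is checked after authentication: an unenrolled or
            # non-compliant device is refused even though the user authenticated.
            return "deny", "device not compliant per UEM"
        return "allow", method
    # Nothing matched and this policy has no catch-all rule, so deny by default.
    return "deny", "no matching rule"


if __name__ == "__main__":
    samples = {
        "Win10 on LAN with Kerberos": Request("10.1.2.3", "Windows 10", {"Staff"}, {"Kerberos", "Password"}),
        "Win10 on LAN, Kerberos unavailable": Request("10.1.2.3", "Windows 10", {"Staff"}, {"Password"}),
        "iOS off-prem, compliant": Request("203.0.113.7", "iOS", {"Staff"}, {"Mobile SSO"}, True, True),
        "iOS off-prem, not compliant": Request("203.0.113.7", "iOS", {"Staff"}, {"Mobile SSO"}, True, False),
        "macOS off-prem with MFA": Request("203.0.113.7", "macOS", {"Staff"}, {"Password + VMware Verify"}),
        "Unknown platform": Request("203.0.113.7", "Linux", set(), {"Password"}),
    }
    for label, req in samples.items():
        print("%-38s -> %s" % (label, evaluate(LAB_POLICY, req)))
```

The two behaviours worth internalising from this model are that rule order is a security control (a broad rule placed above a stricter one silently wins) and that fallbacks only exist within a rule, so a mobile device that cannot perform Mobile SSO is denied rather than quietly dropped to a password prompt by a later rule.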
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgG7IuOrL0pK1_th6YcmtMtbSbY5Z80THfhv1R4rP_puXxpE2ygiD12ewsk6HxUiEhcLeqRToWPE2vFln-jUx17pDUwAH8gTuttuVklsit7KR89_mBFVNep3jH9gJpcTKNxKN1ICsEsOyg6/s1580/Screen+Shot+2020-12-20+at+11.01.11+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="816" data-original-width="1580" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgG7IuOrL0pK1_th6YcmtMtbSbY5Z80THfhv1R4rP_puXxpE2ygiD12ewsk6HxUiEhcLeqRToWPE2vFln-jUx17pDUwAH8gTuttuVklsit7KR89_mBFVNep3jH9gJpcTKNxKN1ICsEsOyg6/w640-h330/Screen+Shot+2020-12-20+at+11.01.11+AM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">In a nutshell, conditional 
access policies map out the authentication requirements and fallback methods required for G Suite access under various scenarios. For instance, you might spell out that Win10 users leverage Kerberos on-premises, while requiring AD credentials, certificates or 2FA for off-premises access. Further, you may have different priorities and mechanisms for iOS, Android or Macs and can configure policies accordingly. Below is a sample policy configured for a single app in my lab. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAEEKtKYbqzJISRMigNBLtguXwEjcoPJbZVxWP_T5Fqmd3s5un7DyNJG2OkJsIF0JxCIWXeJdx8JeCsTK9XCn0CMLY4LsCPUV8DFL0aH3iiMdG-jprsOPMIyWrrxDqnDv9UoZ3CvirbJXa/s1462/conitional.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="600" data-original-width="1462" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAEEKtKYbqzJISRMigNBLtguXwEjcoPJbZVxWP_T5Fqmd3s5un7DyNJG2OkJsIF0JxCIWXeJdx8JeCsTK9XCn0CMLY4LsCPUV8DFL0aH3iiMdG-jprsOPMIyWrrxDqnDv9UoZ3CvirbJXa/w640-h262/conitional.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><br /><span style="color: #9fc5e8;"><br /><br /><br />For a more 
extensive overview of conditional access policies, check out <a href="https://www.blogger.com/#" target="_blank">this tutorial</a>, part of a 3 part series on WS1 Access in healthcare.</span><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">While a G Suite deployment stands to gain from the entire range of WS1 authentication methods available, Mobile SSO is particularly relevant. Along with offering convenience for users it also provides a way of mandating device enrollment for G Suite access. We can further extend this functionality by leveraging device compliance policies to take into consideration the security posture of an underlying device someone is trying to consume G Suite from. In this manner, access is not only predicated on enrollment, but also device posture in regard to security concerns such as encryption status or OS version. </span></div><div><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8;"><br /></span></div></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnC8VdLeRapFjIqavmdgOvo12HJti_c1PX6gqVYHga5eJI8lA44dC8SI6XUz4J9hjI2hbdakk6QTv_q0naxXyftcJ97jnqRtXTZKOUWa-qTa-99c3681ES7KsG-tsgHm5qFYuhaWm9h5D2/s1284/Screen+Shot+2020-12-22+at+2.11.54+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="714" data-original-width="1284" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnC8VdLeRapFjIqavmdgOvo12HJti_c1PX6gqVYHga5eJI8lA44dC8SI6XUz4J9hjI2hbdakk6QTv_q0naxXyftcJ97jnqRtXTZKOUWa-qTa-99c3681ES7KsG-tsgHm5qFYuhaWm9h5D2/w400-h223/Screen+Shot+2020-12-22+at+2.11.54+PM.png" width="400" /></span></a></div><span style="color: #9fc5e8;"><br /></span><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span 
style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">We're essentially taking conditional access policies and juicing them with privileged information gained through device enrollment in WS1 UEM. What constitutes compliance or non-compliance is configured on the WS1 UEM side of the house through device compliance policies. The various attributes that inform these compliance policies vary from platform to platform. Below is an example of the options for iOS. 
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK1FMST9NpKyBvyaWJcA3x9p8jLQjWw_opDq2_K_tDBcuhpsJ-YQzERUp-SeV3tmckGJAKfRc-nzJN2bvIja7UYkBSZvmsGpmDRikYm4dtZqn3E9dU1dfInUC9-VLTXIsHnEe_6UhYEldt/s1752/Screen+Shot+2020-12-16+at+11.43.55+PM.png" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><span style="color: #9fc5e8;"><img border="0" data-original-height="704" data-original-width="1752" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjK1FMST9NpKyBvyaWJcA3x9p8jLQjWw_opDq2_K_tDBcuhpsJ-YQzERUp-SeV3tmckGJAKfRc-nzJN2bvIja7UYkBSZvmsGpmDRikYm4dtZqn3E9dU1dfInUC9-VLTXIsHnEe_6UhYEldt/w640-h258/Screen+Shot+2020-12-16+at+11.43.55+PM.png" width="640" /></span></a></td></tr><tr><td class="tr-caption" style="text-align: center;"></td></tr></tbody></table><span style="color: #9fc5e8;"><br /></span><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">This fusion of identity and MDM marks a high point of WS1, an innovation embraced 
and well received by most customers. Fortunately, we can extend this device insight into other 3rd party IDPs like Okta, ADFS and Ping, a feature that's often referred to as device trust. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><h3 style="text-align: left;"><span style="color: white;">Device Trust And 3rd Party IDPs</span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">Conditional access based on device compliance has been a marquee feature of the WS1 suite for some time now. Fortunately this capability can be extended to 3rd party IDPs by daisy-chaining them with WS1 Access tenants. The WS1 Access tenant, through its built-in integration with WS1 UEM, can lend device insight to your 3rd party IDP's policies, a capability usually referred to as "device trust." An excellent example is the integration offered for WS1 and Okta. After establishing WS1 Access as a trusted IDP for Okta, Okta's routing rules can be informed by device posture information known through WS1 UEM. The details of this integration can be found in the document entitled "<a href="https://docs.vmware.com/en/VMware-Workspace-ONE/services/workspaceone_okta_integration.pdf" target="_blank">Integrating VMware Workspace ONE With Okta</a>." 
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="clear: left; color: #9fc5e8; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="808" data-original-width="1793" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisSvilApTj1zJB8Q5wgAkz2dY1RdN9TwhegZJjCp16izlSuaa-_buF4v0Djpe9aaNqGj3bUCpqMLNZUypdUFmfVLB2JJErd6Tlrd5UNq71SeNbd3hAkVP1uyLoI3sfZ1Lyo4Ilb3QeqNtQ/w640-h288/Okta_integration.png" width="640" /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">While Okta in particular offers <a href="https://docs.vmware.com/en/VMware-Workspace-ONE/services/workspaceone_okta_integration/GUID-3CA49953-A8F6-491D-90DF-63588EFC3292.html" target="_blank">some compelling enhancements for WS1 integrations</a>, as far as basic functionality goes, this device trust capability is something offered to 3rd party IDPs across the board. 
For example, similar to the Okta integration, VMware offers guidance for an integration between ADFS and WS1 Access in a document entitled "<a href="https://docs.vmware.com/en/VMware-Workspace-ONE-Access/services/workspaceone_adfs_integration.pdf" target="_blank">Integrating VMware Workspace ONE Access With Active Directory Federation Services</a>." </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwQwmV2ojTMlVjlpvFMA0s5TzWOGt2x3SVuOYtuqFadLwk80P9upaIpWJZHHAbf_zWmzBljoxv8HUkFPVHGOBHtVcXAPKsiYKJFZhylRuJoLNX8O5winjfnGkV58Em0bB1JyPhXL8awFR8/s2234/Screen+Shot+2020-12-29+at+10.21.58+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="1080" data-original-width="2234" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwQwmV2ojTMlVjlpvFMA0s5TzWOGt2x3SVuOYtuqFadLwk80P9upaIpWJZHHAbf_zWmzBljoxv8HUkFPVHGOBHtVcXAPKsiYKJFZhylRuJoLNX8O5winjfnGkV58Em0bB1JyPhXL8awFR8/w640-h310/Screen+Shot+2020-12-29+at+10.21.58+AM.png" width="640" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">This device trust option, generally available for all 3rd party IDPs, provides VMware customers flexibility and an easier path forward for WS1 adoption. You don't have to rip and replace an IDP you may have already invested time, money and processes into. Instead you can simply enhance it with device trust, fortifying what you already have in place with minimal disruption. In the case of a G Suite deployment, you can continue to have desktops or laptops leverage ADFS or Okta, but then beef up security for mobile iOS and Android use cases. 
A next step could be extending device trust to Win10 and macOS through modern management. From there you could even begin a transition to a zero trust model. So, iOS and Android today, modern management use cases tomorrow, and then complete zero trust further years out. Along the way, you could eventually migrate away from your 3rd party IDP or continue down this federated path indefinitely. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><h3><span style="color: white;">WS1 Intelligence </span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">So far, the focus of this post has been on mature components of the WS1 suite. For a more innovative approach to securing G Suite we can introduce risk scores and advanced automation from WS1 Intelligence. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">Risk scores generated by WS1 Intelligence can further enhance conditional access policies. So far we've talked about using conditional access policies to adjust authentication requirements based on device and identity context. With WS1 Intelligence risk scores we can add a 3rd dimension to this model, informing conditional access policies with advanced analytics and machine learning from WS1 Intelligence. 
</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><span style="clear: left; color: #9fc5e8; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="722" data-original-width="1189" height="389" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn2Gkvza155_di0L3b2FsbECcbURnmPJm2_prnBlAVtmHN_5HOSvxQ3f8EXxCjl9zMq0w8eV5-hMINIdVkbM7YC4wVoGsyhgxuvWpWeqsZH3zdXUgxPjr2I0d5KAH8WpE68MStQeAs6IOo/w640-h389/Risk_Scores_And_Conditional_Access.png" width="640" /></span></div><span style="color: #9fc5e8;"><br /></span><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><br /></div><div><br /></div><div><span style="color: #9fc5e8;"><br /></span></div><div><br /></div><div><br /></div><div><br /></div><div><span style="color: #9fc5e8;">These risk scores are automatically generated by WS1 Intelligence based on user behavior. They take into consideration actions like delaying critical updates or disabling firewalls and antivirus. They're also impacted by Carbon Black events. 
</span><span style="color: #9fc5e8;">Regularly updated and maintained for each of your users, risk scores are leveraged by conditional access policies to judiciously right-size and enforce authentication requirements.</span></div><span style="color: #9fc5e8;"><img border="0" height="371" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9n1v0N8AMW5XWfYqHRV-8EBmADzS2DPiI5kYuekLFmXvAXxtwK9KAm-X5aIaIOYmuU4uKj0WeRRJxDOKT6zjZI8dxvn0FzvX09CgSdj9Tbx-ZPITrGQA4NXwQGVIwkvBS6FE-TD8guZSZ/w603-h371/risk_score_policy.png" width="603" /></span></div><div><span style="color: #9fc5e8;">Along with informing our conditional access policies, risk scores can be used to drive WS1 Intelligence's automation engine. For instance, based on risk scores we can automate actions like enterprise wipes or app removal through WS1 UEM. Or, on the less drastic side of things, we can automate remediation of devices through other WS1 UEM functionality like the assignment of profiles. </span></div><div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">However, automated responses can extend even further through WS1 Intelligence. Using custom connectors we can integrate with any 3rd party solution that supports REST APIs. In a nutshell, if you can make it happen with a single request within Postman, you can automate it in WS1 Intelligence. This opens up a whole world of opportunities. Not only can you execute actions within UEM, but you can create a ticket within ServiceNow or send a message through Teams or Slack. All this automation can be driven through risk scores or triggered by events detected through the advanced reporting capabilities of WS1 Intelligence. 
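As an added example of what that single Postman request looks like once it's packaged for import, here is a script that builds a Postman v2.1 collection for a hypothetical ticketing action and lints it for the things that most often go wrong. It's my example, not the VMware custom connector sample code. Assumptions: the custom connector is created from a Postman v2.1 collection in which each request carries a saved example response (Intelligence needs the response shape), the connector's own authorization is configured in the Intelligence console rather than inside the collection, and the ServiceNow-style /api/now/table/incident endpoint and the ${...} lookup tokens in the body are placeholders. The lint flags a literal credential in an Authorization or API-key header, since the collection file gets exported, shared and imported and is a poor place for a secret, and also flags a non-HTTPS URL and a missing saved response.

```python
"""Build and lint the Postman collection a WS1 Intelligence custom connector imports.

Added example, not VMware's sample code. Assumptions: import format is a Postman
v2.1 collection with a saved example response per request; connector auth is
configured in the Intelligence console, not in the collection; the ticketing
endpoint and the ${...} lookup tokens are placeholders.
"""
import json
import re

POSTMAN_SCHEMA = "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
SECRET_HEADERS = {"authorization", "x-api-key", "x-auth-token"}
POSTMAN_VARIABLE = re.compile(r"\{\{\w+\}\}")   # {{token}} style reference, not a literal


def build_collection(base_url):
    """One action: open an incident carrying the device and risk details that triggered it."""
    body = {
        "short_description": "WS1 Intelligence: high risk score on ${device_name}",
        "description": "User ${user_name}; risk level ${risk_level}; device ${device_uuid}",
        "urgency": "2",
    }
    return {
        "info": {"name": "Helpdesk tickets (custom connector)", "schema": POSTMAN_SCHEMA},
        "item": [{
            "name": "Create Incident",
            "request": {
                "method": "POST",
                "header": [{"key": "Content-Type", "value": "application/json"}],
                "url": {"raw": base_url + "/api/now/table/incident"},
                "body": {"mode": "raw", "raw": json.dumps(body)},
            },
            # Saved example response: the connector learns the response fields from it.
            "response": [{
                "name": "201 Created", "code": 201, "status": "Created",
                "header": [{"key": "Content-Type", "value": "application/json"}],
                "body": json.dumps({"result": {"number": "INC0010001", "sys_id": "abc123"}}),
            }],
        }],
    }


def lint_collection(collection):
    """Return the problems that would break the import or leak a credential (empty list = clean)."""
    findings = []
    if collection.get("info", {}).get("schema") != POSTMAN_SCHEMA:
        findings.append("collection is not Postman v2.1")
    for item in collection.get("item", []):
        name = item.get("name", "<unnamed>")
        req = item.get("request", {})
        if not item.get("response"):
            findings.append("%s: no saved example response" % name)
        if not req.get("url", {}).get("raw", "").startswith("https://"):
            findings.append("%s: request URL is not https" % name)
        for hdr in req.get("header", []):
            key, value = hdr.get("key", ""), hdr.get("value", "")
            if key.lower() in SECRET_HEADERS and not POSTMAN_VARIABLE.fullmatch(value):
                findings.append("%s: literal credential in %s header; configure auth on the connector instead" % (name, key))
    return findings


if __name__ == "__main__":
    collection = build_collection("https://helpdesk.example.com")   # constructed host
    problems = lint_collection(collection)
    print(json.dumps(collection, indent=2))
    print("lint:", problems or "clean")
```

Run it and import the printed JSON; the lint is the part worth keeping around, because the collection is usually assembled by hand in Postman with a working bearer token in the header, and that token travels with the export unless it is stripped before import.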
For more info on automation through REST APIs and WS1 Intelligence, check out the article "<a href="https://code.vmware.com/samples/6524/workspace-one-intelligence-custom-connector-samples" target="_blank">Workspace ONE Intelligence Custom Connector Samples</a>."</span></div></div><div><span style="color: #9fc5e8;"><br /></span></div><h3 style="text-align: left;"><span style="color: white;">G Suite Specific Considerations</span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">The last leg of this post will focus on the G Suite specific considerations of the design. While the WS1 capabilities discussed so far are applicable to a wide range of applications, there are definitely some G Suite specifics and challenges worth noting. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><h3 style="text-align: left;"><span style="color: white;">Pushing Out Email Profiles To Mobile Devices</span></h3><div><span style="color: #9fc5e8;"><br /></span></div><br /><span style="color: #9fc5e8;">Traditionally ActiveSync, or Google Sync for Gmail, has been the mechanism of choice for pushing out email configs through WS1 UEM. However, with a shift to modern auth, ActiveSync profiles are no longer an option. By default, when initially configuring email in a modern auth scenario, users will have to navigate wizards to get their email configured. This involves launching the email client, selecting an email service, entering an email address and providing authentication. Android and iOS offer different options to facilitate this process, each with its own caveats and varying degrees of success. For iOS, it's the relatively new "Google Account" payload. For Android there's a special EMM Registration option for WS1 UEM leveraging a managed Google domain. 
</span></div><div><br /></div><h3 style="text-align: left;"><span style="color: #9fc5e8;">Email Config For iOS</span></h3><div><span style="color: #9fc5e8;"><br />The Google Account iOS payload offers a way to simplify access to Gmail from the native iOS mail client. It provides a mechanism for pre-configuring a user’s G Suite account for use by the native client so that the user need only authenticate successfully to complete the configuration. </span><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1xSJAQwWK9E0I_PhDR9xDewS4aSQbFLhDDb1luhq3_A569GlisyPSJjIY79pOIOJNmg7Nklly2UOyV2Shx3vVQC_ohixoYb_3wTiYNVj4DcujNS5y6GVQdarivZc4p6LgH8Nr57pXm2w8/s1692/Screen+Shot+2020-12-23+at+4.30.11+PM.png" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="882" data-original-width="1692" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1xSJAQwWK9E0I_PhDR9xDewS4aSQbFLhDDb1luhq3_A569GlisyPSJjIY79pOIOJNmg7Nklly2UOyV2Shx3vVQC_ohixoYb_3wTiYNVj4DcujNS5y6GVQdarivZc4p6LgH8Nr57pXm2w8/w640-h334/Screen+Shot+2020-12-23+at+4.30.11+PM.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br />If a user is able to follow some basic instructions, the process is fairly convenient: they don't have to select an email service or punch in their email address. The main requirement is that upon the first launch of their native client, undeterred by an initial error message, they click on a "details" hyperlink and follow the prompts. If they do that, they can have their profile configured pretty easily, especially if Mobile SSO for iOS is in place to authenticate on behalf of the user. One caveat worth weighing: coaching users to click through an error prompt sits uneasily next to the "don't click past warnings" message in most security awareness training, so document the expected prompt precisely. Here's a demo of what the process looks like: </span></div><div><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dxHJ1UStUx_NcIQ4rtGexkUssQ3VppNpafSqq_9Yb6fXxJFiOv3hcYCf44o_uTPBBEsJRoC4Y4auti99r9Caw' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div><span style="color: #9fc5e8;">While this Google Account payload solution for email configuration isn’t completely on par with the convenience of an ActiveSync profile, it certainly offers a worthy alternative. ActiveSync, to say the least, is a bit long in the tooth. 
It was scheduled for deprecation in October of this year, along with Google Sync, though a temporary reprieve was issued by Microsoft and Google due to the challenges of Covid-19. That said, the writing's on the wall: the future is not with ActiveSync and folks need to get off of it. Using the Google Account payload with modern auth provides a path forward. </span></div><span style="color: #9fc5e8;"><br />Unfortunately, while the Google Account payload helps with the native iOS client, it doesn’t assist with the Gmail mobile app on iOS. When first running the Gmail mobile client on iOS the user will have to select an email service, then punch in their email address. They'll then get redirected to WS1 Access, at which point Mobile SSO for iOS can take the wheel. It's not a horrible experience, just not on par with the convenience of an ActiveSync configured profile. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><h3 style="text-align: left;"><span style="color: #9fc5e8;">Email Config For Android </span></h3><span style="color: #9fc5e8;"><br />While configuration for the Gmail mobile app on iOS is a challenge, on Android there's a very compelling option. If Workspace ONE is <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/Android_Platform/GUID-AWT-SETUP-CONCEPT.html" target="_blank">registered as the Android EMM with a managed Google domain</a>, access to Gmail on your Android device is automated and fluid. When a device is registered the user's G Suite credentials are associated with the Work Profile and access through Gmail is a snap. 
Here's a demo:</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dxLC1FE1G40aJZnauxFu9ofykoX62ha8nGPo0lv6RRLV84HduaJzB9Wgn6-nEUzgWGXFLZQQKIqECwtFvJxLA' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div><br /></div><div><span style="color: #9fc5e8;">There is one major caveat though. While this offers really simplified access to G Suite mobile apps, it bypasses WS1 Access entirely, preventing the use of conditional access policies for G Suite mobile apps on Android. So there's a trade-off: in exchange for simplified access you lose conditional access policies for G Suite mobile apps on Android. However, you're still meeting the bare requirement of UEM enrollment. This may or may not be an acceptable trade-off depending on your use cases and priorities. <br /></span><div><span style="color: #9fc5e8;"><br /></span></div><div><h3><span style="color: white;">Token Revocation </span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">A real-world G Suite challenge I recently observed has to do with token revocation on unenrolled devices. Again, we have a situation where iOS devices present a challenge not experienced on Android. On iOS, after an enterprise wipe the G Suite token is still active and will continue to allow access to email until it expires. For most folks, this contradicts the expected behavior of having G Suite access completely removed by an enterprise wipe. 
On Android the challenge is circumvented entirely by the default behavior of Work Profiles, but for iOS additional steps are required.</span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">Fortunately, there's a workaround available using the old <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/WS1_Gmail_Integration.pdf" target="_blank">Google Sync MEM configuration</a>. Essentially it involves going through the motions of a traditional Google Sync MEM configuration but never actually pushing out the ActiveSync profile. That way you keep the token revocation feature traditionally paired with Google Sync MEM management while avoiding the pitfalls of ActiveSync: a clever way of harvesting a desirable capability while progressing to modern auth. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQQuWWpq2kN02R7Y-Eiq5YpuRARt63SBQDAoojXUQLX5gj8qPTtxz1M1jKYJaCz1RB1_ZogIiJLyAJlhU2cXIJjjTLQxVJZlcK3vpHcWSdKuGMpidPAvnIe5dDlVYwxU7D30-MSoKlCmxe/s1314/Screen+Shot+2021-01-05+at+10.35.29+AM.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="904" data-original-width="1314" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQQuWWpq2kN02R7Y-Eiq5YpuRARt63SBQDAoojXUQLX5gj8qPTtxz1M1jKYJaCz1RB1_ZogIiJLyAJlhU2cXIJjjTLQxVJZlcK3vpHcWSdKuGMpidPAvnIe5dDlVYwxU7D30-MSoKlCmxe/w400-h275/Screen+Shot+2021-01-05+at+10.35.29+AM.png" width="400" /></a></div><br /><div><span style="color: #9fc5e8;">With token revocation enabled, when there's an enterprise wipe the user's token will be removed from all devices. To continue using G Suite the user will have to re-authenticate on a remaining device or re-enroll a device into WS1 UEM. Here's a demo of what happens to email access when a device is unenrolled and this token revocation feature is enabled. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dwYJt5Z-QvahkmIvFr1_4xcxbcg9jAf3pTjngteuvWeAs_wM5ShqW3bIgZ0EHxVF302draSCo-E7V8cKpEuIQ' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div><br /></div><div><span style="color: #9fc5e8;">Overall, I'd say it's a nifty, though non-intuitive, hack for security-conscious folks to tap into. 
It might not seem significant at first glance, but if you're knee-deep in a G Suite deployment with WS1, it's highly relevant.</span></div><div><span style="color: #9fc5e8;"><br /></span></div></div><div><span style="color: #9fc5e8;"><br /></span></div><h3 style="text-align: left;"><span style="color: white;">DLP Considerations</span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">With mobile applications like Google Drive in the mix, DLP is a pressing concern in a G Suite deployment. While G Suite offers some <a href="https://support.google.com/a/answer/9646351?hl=en" target="_blank">advanced DLP capabilities</a> through license enhancements, there are some DLP capabilities that WS1 UEM offers out of the box for any application it delivers. For iOS, there's the ability to prevent the exchange of data with non-managed apps on the device. While this might not be as granular as folks want, it is something, and at least it limits access to the data to other applications managed by UEM. 
</span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAjrdC6E7MmG-EKYxEJP2pHXsFV9Cb8cw-48cvCQDmYJXY7Hg0tVzjlOj0fy8hoT92RxRKhmXdmD7UvYww7j-qdFqGqMFN0NVnkPzPHHNcGz7cNyDKqNcZDViA5Rnf5YpJGl9m3uoAx_Bi/s966/iOs_dlp.png" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="927" data-original-width="966" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAjrdC6E7MmG-EKYxEJP2pHXsFV9Cb8cw-48cvCQDmYJXY7Hg0tVzjlOj0fy8hoT92RxRKhmXdmD7UvYww7j-qdFqGqMFN0NVnkPzPHHNcGz7cNyDKqNcZDViA5Rnf5YpJGl9m3uoAx_Bi/w400-h384/iOs_dlp.png" width="400" /></span></a></div><span style="color: #9fc5e8;"><br /></span><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span 
style="color: #9fc5e8;">With Android, once again, through Work Profiles, we have clearer cut delineation between work and personal worlds. You can fine tune the details of the delineation through the restrictions profile for Android. </span></div><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwa_zytqKrH7HuMV1I7_3xvOkJSL5HQlPdesdxAUPMfF7CDpqc5-BzF8-Ou4ZcsnHeHH8p06Ao9XgPuDccrGukPuKv0Th8FbIzDNPJueh6KX6fK6KwY1A5VOoSrZddjvXs-yRBGPHc2iIP/s1137/android_DLP.png" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="697" data-original-width="1137" height="392" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwa_zytqKrH7HuMV1I7_3xvOkJSL5HQlPdesdxAUPMfF7CDpqc5-BzF8-Ou4ZcsnHeHH8p06Ao9XgPuDccrGukPuKv0Th8FbIzDNPJueh6KX6fK6KwY1A5VOoSrZddjvXs-yRBGPHc2iIP/w640-h392/android_DLP.png" width="640" /></span></a></div><span style="color: #9fc5e8;"><br /></span><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span 
style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><br /></div><div><span style="color: #9fc5e8;">Again, G Suite does offer it's own DLP functionality with additional licensing. I've reviewed these built in capabilities of WS1 UEM just to add some context. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><h3 style="text-align: left;"><span style="color: white;">BeyondCorp Alliance</span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">An alternative solution that's currently baking will involve a direct integration option between G Suite and Workspace ONE UEM, without WS1 Access. This has been recently discussed in the blog post, "<a href="https://cloud.google.com/blog/products/identity-security/google-cloud-announces-new-partners-in-its-beyondcorp-alliance" target="_blank">Democratizing Zero Trust With An Expanded BeyondCorp Alliance</a>." I'm not fully aware of all the benefits this model will offer beyond the SAML integration covered in this post, but for those who are looking to exclusively protect G Suite it will offer an alternative. While I'm not certainly when this option will be available, I'm certainly looking forward to seeing what it has to offer. If nothing else, it could offer a simpler path forward for G Suite adoption when a customer doesn't have WS1 Access already in place. </span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><h3 style="text-align: left;"><span style="color: white;">Conclusion</span></h3><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;"><br /></span></div><div><span style="color: #9fc5e8;">It was an absolute blast helping design this solution for a customer. 
I haven't had a lot of exposure supporting G Suite, so watching its deployment secured by traditional WS1 capabilities was certainly a sight to behold. Again, these are processes and capabilities that WS1 can offer any SAML-based solution. It just so happens that, in this case, the SAML application was the incredibly impressive and feature-rich G Suite solution. Further, while this current deployment model satisfied a real and immediate need, it also laid the groundwork for the customer's future cloud adoption. Typically, as folks of the vSphere generation, when we visualize cloud adoption we think of sucking VMs up into the cloud. However, practically speaking, the path of least resistance is just purchasing services from SaaS vendors instead. Well, with WS1 infrastructure in place, securely pivoting to these services is a lot simpler. </span></div><div><br /></div></div></div>EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com2tag:blogger.com,1999:blog-7411363718337372107.post-73287483335603814462020-06-22T10:34:00.001-07:002020-07-20T08:32:35.596-07:00Workspace ONE UEM Alternatives To AD Group Policies: Get Yourself Free<span style="color: #9fc5e8;">Modern management promises the ability to administer desktops and laptops without requiring domain membership or even connectivity to a corporate network. A common techie response to this proposition is, "what about GPOs?" IT shops have managed desktops with AD-based GPOs for decades now, a process that's been pretty much boiled down to a science. However, when it comes to switching from AD-based GPOs to modern management the path forward is far less prescriptive or codified, with a wide range of options and room for creativity. At the risk of being crude I'd say there's <a href="https://www.youtube.com/watch?v=ABXtWqmArUU" target="_blank">50 Ways To Leave Your Lover</a> and over 10 ways to leave your AD GPOs while embracing modern management with Workspace ONE.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm3sWLa5i4C5TYULWXQ7-Ic97-IgZEjeP9fNRcPAr2OpUij837JPwDT720m_xAabfXN5tZtTjpqHn64R9IzlF4bdnh7vWS2QdCUgNoINkLJrnvw9yj3t-BjFdgUMFyxE4y7WlImmFvGSOW/s1600/Screen+Shot+2020-06-07+at+10.25.49+AM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgm3sWLa5i4C5TYULWXQ7-Ic97-IgZEjeP9fNRcPAr2OpUij837JPwDT720m_xAabfXN5tZtTjpqHn64R9IzlF4bdnh7vWS2QdCUgNoINkLJrnvw9yj3t-BjFdgUMFyxE4y7WlImmFvGSOW/s640/Screen+Shot+2020-06-07+at+10.25.49+AM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">There are 5 different Configuration Service Provider (CSP) based options alone, including WS1's native Win10 profiles, AirLift exports and Policy Builder. Then there's WS1 Baselines, which under the hood is an amalgamation of 3 different non-CSP based strategies. Finally, there's the GPO migration tool, customized scripts and various imaginable DIY permutations.</span><br />
<div class="p1" style="font-family: "Helvetica Neue"; font-size: 12px; font-stretch: normal; font-variant-east-asian: normal; font-variant-numeric: normal; line-height: normal;">
<br /></div>
<span style="color: #9fc5e8;">This post is a primer on transitioning from AD based GPOs to Workspace ONE's modern management alternatives. It will review and prioritize various guidance and strategies, with particular focus on the recently released tutorial, <a href="https://techzone.vmware.com/understanding-windows-10-group-policies-vmware-workspace-one-operation-tutorial" target="_blank">Understanding Windows 10 Group Policies: VMware Workspace ONE Operation Tutorial</a>. While providing brief descriptions of the different alternatives I want to zero in on a few key decision points along the path from traditional AD GPOs to modern management. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h3>
<span style="color: #9fc5e8;">
Do You Have An AD Legacy To Preserve?</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">With all the migration options available, overlapping capabilities, caveats and all, sorting out an optimal path forward is tough. While discussing this challenge a colleague of mine, Jason Walker, made an excellent point. "Well, if someones asking, 'which route should I take,' the first question to asks is, 'who are you and what's your normal role/technical back ground?'" So are you an MDM guy who's looking for some basic management or are you a grizzled AD administrator who's managed GPOs for decades? </span><span style="color: #9fc5e8;"> To further refine the question, “does your enterprise have a heavy investment and reliance on GPOs? Is there a GPO legacy you absolutely need to</span><span style="color: #9fc5e8;"> port over to modern management?" Getting this question answered elucidates a path forward. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For the traditional MDM guy or someone who doesn't have the luggage of an extensive AD GPO legacy, start with a careful investigation of WS1's native Win10 capabilities, then move on to WS1 UEM Baselines. On the other hand, if you have an AD legacy to preserve and extend to modern management, start with AirLift. The reporting capabilities of AirLift alone are worth the price of admission, providing key information for GPO rationalization. With this info in hand scan the built in Win10 profiles for overlapping functionality, then turn to WS1 Baselines or AirLift's export capabilities to fill in the gaps. Finally, in both scenarios, there's an option to fall back to various customized SyncXML alternatives or scripting strategies.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Whichever path you're on an investigation of WS1 UEM's built-in profiles is in your future, so I'm going to cover that next. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h3>
<span style="color: #9fc5e8;">WS1 Win 10 Management Out Of The Box</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Before diving into all the alternatives you should first investigate the <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2001/Windows_Desktop_Device_Management/GUID-AWT-PROFILE-OVERVIEWWD.html" target="_blank">built-in native Windows 10 payloads</a>. These payloads map to specific <a href="https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers" target="_blank">Configuration Service Providers (CSPs)</a>, essentially Microsoft's APIs for Windows 10 modern management. Out of the box there are 30 payload types that configure hundreds of settings. When you eyeball these payloads there's significant overlap with traditional AD GPOs. Examples include payloads for password settings, BitLocker, Defender, Windows updates and Windows Firewall.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4qbHdpXn5SU4fEgE6Iyd46xfsD585zNyClj-HHr6zRNEBGjbuwbB8Vc5hpwhG5SfppMMRVtW9fMqlkuh11Uv8hIrPiRBTulEblT4Iwa__ArNc1B4LcJO-GGtGTHcVxrSyMj5rhOwUM4Av/s1600/Screen+Shot+2020-06-17+at+9.44.05+AM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4qbHdpXn5SU4fEgE6Iyd46xfsD585zNyClj-HHr6zRNEBGjbuwbB8Vc5hpwhG5SfppMMRVtW9fMqlkuh11Uv8hIrPiRBTulEblT4Iwa__ArNc1B4LcJO-GGtGTHcVxrSyMj5rhOwUM4Av/s640/Screen+Shot+2020-06-17+at+9.44.05+AM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">These built-in WS1 Win10 payloads aren't a complete substitute for the thousands of GPO settings known to mankind. However, when you think tactically about what’s really essential for Win10 mobile management, what they do cover is formidable. </span><span style="color: #9fc5e8;">Given they are built-in capabilities, both easy to implement and maintain, it makes sense to exhaust them fully before exploring alternatives.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjubAGGicj7ckMttScRM9PCw1UWwb2H2tXJxiICP5tr9VWsxDES9KEpBQAlwjSMdQewdHfGuM_rVrv3Y7-O06ZyO1Dm4_MliANSYkd-lb7kwxwlh8KnKwtH1cGZyvisayiqvkzcKhJ8PWH8/s1600/Screen+Shot+2020-06-05+at+3.16.23+PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjubAGGicj7ckMttScRM9PCw1UWwb2H2tXJxiICP5tr9VWsxDES9KEpBQAlwjSMdQewdHfGuM_rVrv3Y7-O06ZyO1Dm4_MliANSYkd-lb7kwxwlh8KnKwtH1cGZyvisayiqvkzcKhJ8PWH8/s400/Screen+Shot+2020-06-05+at+3.16.23+PM.png" width="400" /></a><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8;">For a short but sweet description of WS1 Windows 10 modern management capabilities, check out this video by Chris Halstead, </span><a href="https://www.youtube.com/watch?v=VvMpROq3UG4&feature=youtu.be" target="_blank">VMware Workspace ONE: Windows 10 Modern Management - Technical Introduction</a><span style="color: #9fc5e8;">. For a very dense and comprehensive overview, check out this video by Pat Linsky: </span><a href="https://www.youtube.com/watch?v=6lImLjggIi8&feature=youtu.b" target="_blank">VMware Workspace ONE UEM: Windows 10 Modern Management - Technical Overview</a><span style="color: #9fc5e8;">.</span></span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt6GqZJyhADxC6aYTXjoCtNsifDnbqtY7-RXWai5C9lVQ5voL8hcdw2dD4Q4E5BaBaclF5UX7b7bRyDTkk3foPJf8nRRjSqdk1csZlNJjXbYQayzutKock8BxSYhekDnkiE8QCazR1m4xK/s1600/life_of_bryan.jpg" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt6GqZJyhADxC6aYTXjoCtNsifDnbqtY7-RXWai5C9lVQ5voL8hcdw2dD4Q4E5BaBaclF5UX7b7bRyDTkk3foPJf8nRRjSqdk1csZlNJjXbYQayzutKock8BxSYhekDnkiE8QCazR1m4xK/s400/life_of_bryan.jpg" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">The delta between WS1's built-in Win10 management capabilities and traditional AD GPO settings reminds me of a scene in Monty Python's Life Of Bryant. While the revolutionaries rant about, <a href="https://www.youtube.com/watch?v=Qc7HmhrgTuQ" target="_blank">"what have the romans ever done for us,"</a> they realize, oh yeah, they have done a lot, huh? Likewise, while WS1 out of the box doesn't have full parity with traditional AD based GPOs, a lot of relevant GPO functionality has been addressed. "Alright, but apart from Windows Updates, Anti-Virus, BitLocker, Firewall, certificates and settings associated with the other 23 built-in payloads, what has WS1 UEM ever done to replace traditional AD GPOs?" Well, there's plenty of alternatives to explore, with Workspace ONE Baselines shining brightest.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr0ylrWiDplbSEwMsdM1JPtpb-hF3WO_8k2PRhRK7eo2xn-yM6n1I9OWcJ9kw08Ms6pNHkDuV2ZEp2x0jPgDRKSf97oxuNp2zRxlKH87V2IO7FuhN4pVUcVWaglwGbftzwkfM_kCnPNOOT/s1600/platypus_thumb.ngsversion.1485376250110.adapt.1900.1.jpeg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><span style="color: #9fc5e8;"><img border="0" data-original-height="1600" data-original-width="1600" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhr0ylrWiDplbSEwMsdM1JPtpb-hF3WO_8k2PRhRK7eo2xn-yM6n1I9OWcJ9kw08Ms6pNHkDuV2ZEp2x0jPgDRKSf97oxuNp2zRxlKH87V2IO7FuhN4pVUcVWaglwGbftzwkfM_kCnPNOOT/s200/platypus_thumb.ngsversion.1485376250110.adapt.1900.1.jpeg" width="200" /></span></a></div>
<h3>
<span style="color: #9fc5e8;">
Bazooka Baselines - The Duck-Billed Platypus Of WS1 GPO Alternatives</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Workspace ONE Baselines, a component of WS1 Advanced edition, is, to say the least, one odd duck! Essentially, it's an offering of 3 very different methods for pushing out settings to Windows 10 devices: Baseline Templates, Custom Baselines and a service catalog of ADMX-backed settings. Through Baseline Templates you apply hundreds of settings at a time based on the Windows 10 Security Baseline or CIS Benchmarks. This is useful for situations where you really want to heavily lock down a Windows 10 device according to industry standards and best practices. It's ideal for a scenario where someone is looking to manage a Windows 10 device more like a purpose built mobile device. We're talking about a wad of settings here, 380+ for Windows 1809 for example, so there's certainly some commitment involved, with a lot of settings you may have to vet. At first glance it can seem a bit unwieldy, however you can disable or tweak values for these settings individually as needed.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeGhmoXnlAe1m_G0kdAQNOoO4a4MWluquCsvYsuvq3JAAotnn0VnR5b7hyphenhyphen1BUvO-mZsqF2greiXAkRa-r5NDBIVDM9PuUUo4U1kkIeAtjMWsYYhEKl_opukS9buyaC_VjAzJ2uglo0DL6o/s1600/Screen+Shot+2020-06-07+at+2.35.54+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeGhmoXnlAe1m_G0kdAQNOoO4a4MWluquCsvYsuvq3JAAotnn0VnR5b7hyphenhyphen1BUvO-mZsqF2greiXAkRa-r5NDBIVDM9PuUUo4U1kkIeAtjMWsYYhEKl_opukS9buyaC_VjAzJ2uglo0DL6o/s640/Screen+Shot+2020-06-07+at+2.35.54+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">This solution offers some very <a href="https://techzone.vmware.com/understanding-windows-10-group-policies-vmware-workspace-one-operational-tutorial#1235785" target="_blank">compelling compliance reporting</a>. Each device with a Baseline assigned to it will report back as Compliant, Intermediate Compliance or Non-Compliant. Compliant represents having 100% of the settings actively applied while Intermediate Compliance represents having 99% to 85% of the settings implemented. Anything less will report back as Non-Compliant. By default Compliance status is reported at intervals of every 6 hours, so you get a fairly up to date reflection of the actual state of the device. Even more impressive is the ability to zero in on a specific device and drill down into which particular settings are currently implemented versus settings that are non-compliant.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBBshnV9vH7Ti1bG0ednVr9YH1M2Z39_0aa-s3HYjrx1Xnq9KE8jdbW4D3rVst6aYve4Ti0x-DwEpEaydt2-WU47XO2TINsnuubIC6oEQEcIUhF9tbhZL5JVA2nAScL2eAENy1B1nkD_bi/s1600/Screen+Shot+2020-06-10+at+4.30.34+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="385" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBBshnV9vH7Ti1bG0ednVr9YH1M2Z39_0aa-s3HYjrx1Xnq9KE8jdbW4D3rVst6aYve4Ti0x-DwEpEaydt2-WU47XO2TINsnuubIC6oEQEcIUhF9tbhZL5JVA2nAScL2eAENy1B1nkD_bi/s640/Screen+Shot+2020-06-10+at+4.30.34+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">This granular reporting really sets the solution apart from other modern management alternatives. With other methods you can always test an individual device with tools like Policy Analyzer or RSoP, but with Baselines we're getting that functionality and insight built right into the UEM console. Further, there's an option to leverage a registry setting that will force the reapplication of Baselines at a defined interval, ensuring your desired settings remain enforced. This registry setting can get pushed out through a <a href="https://techzone.vmware.com/understanding-windows-10-group-policies-vmware-workspace-one-operational-tutorial#1235784" target="_blank">custom settings payload or manual registry edit, as specified in the latest guidance</a>.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">WS1 Baselines also offers a Custom Baseline option which involves pushing out an exported GPO rather than an industry standard template. You can use Group Policy Manager or <a href="https://docs.microsoft.com/en-us/archive/blogs/secguide/lgpo-exe-local-group-policy-object-utility-v1-0" target="_blank">LGPO.exe</a> to export a GPO from your current environment, then upload a zipped copy of that backup to the console. Baselines will then go on to import that GPO on a target device using a local instance of LGPO.exe. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdGifaTsL7pfRL1q3chrpy1vC31_09S9MYRdir18sBWSi0kARQH-KUNiO2t5Cx59vHWfQhiTDTUBRzfgkSnpySV7c6TxCtrIXJuax_XtWUo1DCpEJxePSRAxBsyeWQC5gR9-rV_k-xDO9S/s1600/Screen+Shot+2020-06-07+at+2.09.01+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdGifaTsL7pfRL1q3chrpy1vC31_09S9MYRdir18sBWSi0kARQH-KUNiO2t5Cx59vHWfQhiTDTUBRzfgkSnpySV7c6TxCtrIXJuax_XtWUo1DCpEJxePSRAxBsyeWQC5gR9-rV_k-xDO9S/s400/Screen+Shot+2020-06-07+at+2.09.01+PM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">Custom Baselines are a nice little option to have in your back pocket. If all else fails, do an export of your current AD GPOs and then just blast it out to your target devices. However, there are two caveats. One, you're not getting any kind of lifecycle management built into the UEM console. If you want to make a change to a GPO setting getting pushed out, you'd have to go back to your AD environment, edit the original GPO, do another export, then do another import to Baselines. Two, you don't get the benefit of compliance reporting like you do with Baseline Templates. The latest guidance addresses these shortcomings quite succinctly with the statement, "You will find that custom baselines lack the ability for full lifecycle management such as, reporting and making edits directly via the console." </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Finally, a third capability of this solution involves a built-in cloud based ADMX catalog. Whether you're going with Baseline Templates or a Custom Baseline, you have the option to add additional settings from this catalog. Honestly, in my mind, this corollary to Baseline Templates or Custom Baselines should be seen as its own separate solution and represents the closest thing to an "easy button" for configuring individual GPO settings with WS1. We're talking a very extensive catalog, with some 4300 group policy settings to choose from. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUMeaHfBTRUqKAw_lNJoQ-fOyHjGDga3QSv_3S963i9mn2DMwtnykGWFA204mczXTA52dP-vwoZtUDEKrXkds2W-yVXkSAYkypaWcR5nLu1XGTV9iL7-Mes06uUuFstOkrCDazVipdpcu_/s1600/Screen+Shot+2020-06-04+at+7.37.11+AM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUMeaHfBTRUqKAw_lNJoQ-fOyHjGDga3QSv_3S963i9mn2DMwtnykGWFA204mczXTA52dP-vwoZtUDEKrXkds2W-yVXkSAYkypaWcR5nLu1XGTV9iL7-Mes06uUuFstOkrCDazVipdpcu_/s640/Screen+Shot+2020-06-04+at+7.37.11+AM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">After you make your selection, the tool actually leverages functionality traditionally associated with Dynamic Environment Manager, what used to be called "User Environment Manager." It's really interesting to see how VMware has harnessed this traditional Horizon tool to round out WS1 Baselines. Fortunately, this subset of Dynamic Environment Manager's capabilities is built right into the WS1 agent and doesn't require any additional installs. Another piece of good news is that, like with Baseline Templates, you do get compliance reported back regarding these ADMX-backed settings, so that's pretty awesome too.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">To wrap things up, here are the three different mechanisms offered by WS1 Baselines:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0lzEFSF25Rv_-x3VDhJqv8fTOt887TlYhu3AeskDHKHcwIOw5zinChi1EAxAIJdmLfa9leL0WfWoLI4rSBHGLBxhX_RNnyf9BXCf5OdK-46v6M9iET9pnl-Kvd2d74FrR5JtSYsCom6UK/s1600/Screen+Shot+2020-06-07+at+6.36.57+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0lzEFSF25Rv_-x3VDhJqv8fTOt887TlYhu3AeskDHKHcwIOw5zinChi1EAxAIJdmLfa9leL0WfWoLI4rSBHGLBxhX_RNnyf9BXCf5OdK-46v6M9iET9pnl-Kvd2d74FrR5JtSYsCom6UK/s640/Screen+Shot+2020-06-07+at+6.36.57+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">I told you, this thing is weird, like Weird Al Yankovic weird. Like a street performer playing Crocodile Rock on 9 separate musical instruments kind of weird. That said, it sure does cast a wide net. It's hard to imagine a GPO setting you couldn't theoretically push out with this tool one way or another. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For a greenfield deployment or a situation without a GPO legacy to mind, WS1 Baselines are a dream come true. For that matter, it's still a very relevant and viable option for those looking to preserve a GPO legacy, with one major caveat. It doesn't really look backwards at your environment or offer any analysis of what you're currently doing with GPOs. So for an AD guy looking to preserve a legacy, even if you're determined to use Baselines, you'll still want to run AirLift for its reporting capabilities. I'm going to detail AirLift's Policies features next.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For additional info on Baselines, check out:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Official documentation: <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2001/Windows_Desktop_Device_Management/GUID-35F5B92C-9331-48B6-B9D1-69DB682368B3.html" target="_blank">Using Baselines</a></span><br />
<span style="color: #9fc5e8;">Fantastic video: <a href="https://techzone.vmware.com/vmware?share=video1600" target="_blank">VMware Workspace ONE UEM: Baselines - Feature Walk-through</a></span><br />
<span style="color: #9fc5e8;">Latest Tech Zone guidance: <a href="https://techzone.vmware.com/understanding-windows-10-group-policies-vmware-workspace-one-operational-tutorial#324195" target="_blank">Modernizing Group Policies Using Workspace ONE Baselines</a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h3>
<span style="color: #9fc5e8;">
AirLift - It's Not Just For SCCM Migrations</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">The release of AirLift 2.x in 2019 introduced assistance with GPO migrations, making it relevant to pretty much all WS1 customers, not just SCCM admins. Sure, it's primarily focused on migrating folks from SCCM to WS1 UEM. However, the subset of its functionality that addresses AD group policies, <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2001/AirLift_Configuration/GUID-622ADB09-1BE4-480F-9D59-3EA334C07C17.html" target="_blank">Workspace ONE AirLift Policies</a>, is applicable to any customer who has</span><span style="color: #9fc5e8;"> AD group policies they want to port over to modern management. Further, it's free, with very </span><a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2001/AirLift_Configuration/GUID-AWT-REQUIREMENTS-AIRLIFT.html" target="_blank">minimal requirements</a><span style="color: #9fc5e8;"> that are well worth the price of admission. After standing AirLift up and pointing it to your domain controllers you get an exhaustive report of all the GPOs within your domain, along with their associated settings. Useful information returned includes which OUs these GPOs are assigned to, so you know their current scope within your environment. Most notably, you get feedback on why such settings are or are not suitable for modern management, as well as whether AirLift can automate the export of these GPO settings to UEM profiles for you. This reporting functionality is invaluable for planning and GPO rationalization, something I'll come back to shortly.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEht-VnuSyHnDb0TgQsCehk-3c-02odWKdLQh9IXvmqMgXuxK9lktaatNMZpodty9suMDQGGn6DWOUVc1qxdcEaVGWSWzzaoWal6Mfbf_DVYMseQMMAkGp_RS49V789Blj6uusDgiEBr0q/s1600/Screen+Shot+2020-06-05+at+11.32.34+AM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" height="345" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEht-VnuSyHnDb0TgQsCehk-3c-02odWKdLQh9IXvmqMgXuxK9lktaatNMZpodty9suMDQGGn6DWOUVc1qxdcEaVGWSWzzaoWal6Mfbf_DVYMseQMMAkGp_RS49V789Blj6uusDgiEBr0q/s640/Screen+Shot+2020-06-05+at+11.32.34+AM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Again, AirLift also offers an option to export group policies directly from Active Directory to your WS1 UEM environment. This process is dependent on whether or not a specific GPO setting has a corresponding <a href="https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers" target="_blank">Configuration Service Provider (CSP)</a>. CSPs represent Microsoft's efforts to make Windows 10 a modern mobile operating system. They're essentially APIs for configuring GPO settings on Win 10 through XML, in a format called SyncML. The Configuration Service Provider reference states, "A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files." Rumor has it that Microsoft has an army of geeks seeking to create CSPs for all relevant GPOs, but with over <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines" target="_blank">3,000 group policy settings for Windows 10 and 1,800 IE settings</a>, there's plenty of work to be done.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUf5faKcHpO6-tHo6fvi4OCPm7HK3YXBAyWqe1JXXu5nerNkBQOwBMs4GMS1lhcoVJIE2O8VDBpEfp-C-k7zF1smVtOzwi_RyMNQ2yklDHSXe8RPk7qCeyreyZXG-V2sSgrajflsKhP5Cp/s1600/Screen+Shot+2020-06-05+at+3.01.42+PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="color: #9fc5e8;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUf5faKcHpO6-tHo6fvi4OCPm7HK3YXBAyWqe1JXXu5nerNkBQOwBMs4GMS1lhcoVJIE2O8VDBpEfp-C-k7zF1smVtOzwi_RyMNQ2yklDHSXe8RPk7qCeyreyZXG-V2sSgrajflsKhP5Cp/s640/Screen+Shot+2020-06-05+at+3.01.42+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;">In a nutshell, where it's possible, AirLift generates the custom SyncML required to set the GPO settings through supported CSPs. This SyncML in turn is configured as the payload in a custom Windows 10 UEM profile that can then be assigned to your target devices through Smart Groups. If you like, the utility offers the option to combine multiple exportable GPOs as a payload into a single custom profile. Further, it can also export some <a href="https://techzone.vmware.com/understanding-windows-10-group-policies-vmware-workspace-one-operational-tutorial#324197" target="_blank">3rd party ADMX policies</a> such as Google or Office.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Before charging ahead with AirLift's export capabilities, you should first leverage its reporting capabilities for some critical GPO rationalization. That's a topic I'm going to review next.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For additional info on AirLift, check out:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Official Documentation: <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2001/AirLift_Configuration/GUID-AWT-INTRO-AIRLIFT.html" target="_blank">Introduction to VMware Workspace ONE AirLift</a></span><br />
<span style="color: #9fc5e8;">Great Video: <a href="https://www.youtube.com/watch?v=hqmhgDUazW0" target="_blank">VMware Workspace ONE AirLift: Windows 10 Migration - Expert Panel</a></span><br />
<span style="color: #9fc5e8;">Latest Tech Zone Guidance: <a href="https://techzone.vmware.com/understanding-windows-10-group-policies-vmware-workspace-one-operational-tutorial#1235758" target="_blank">Using Workspace ONE AirLift to Analyze Group Policies</a></span><br />
<div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"></span><br />
<h3>
<span style="color: #9fc5e8;">GPO Rationalization </span></h3>
</div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<h3>
<img border="0" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmeIZyutY93s50KTX6FuvCyxmRn7Qn-HyiNh9tTHrjmtJsieAJu7wdPiKABZsxaBE8CgeHfVNmKFhrD4OubAOfgyENjWcs4zTC0GeRC-vOdihTv_vXr_g1TBZCLDAcbIRXR2Fjuc613U0b/s640/The+pic.png" width="640" /><br />
<span style="color: #9fc5e8;"><div>
<span style="font-size: x-small; font-weight: 400;">GPO Migration Strategy [Graphic]. (2018). Retrieved June 2020 from <a href="https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/vmw-developing-modern-management-adoption-process-with-workspace-one.pdf" target="_blank">Developing A Modern Management Adoption Process</a></span><br />
<span style="font-size: small; font-weight: 400;"><br /></span></div>
</span></h3>
<span style="color: #9fc5e8;">With AirLift reporting in hand you're well positioned to begin rationalizing your GPOs. As with moving house, it's best to throw away as much as you can rather than get caught up transporting stuff you really don't need. Perhaps a GPO setting is inherently dependent on domain membership. Maybe a GPO setting isn't applicable to the latest version of Windows 10 or to remote users, or is just a vestige that's no longer relevant to your enterprise. Whatever the reason, if it doesn't have a place in the world of mobile Windows 10 management you need to let it go. So, rather than trying to port everything over "just in case," it's best to start with some house cleaning.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">After zeroing in on the GPOs that matter to you, the next question to ask is, "which of these settings are accommodated by the native capabilities of WS1 UEM?" This essentially amounts to, "which of these settings are both supported by CSPs AND by WS1's built-in Win10 profiles?" WS1's built-in profiles are reliant on CSPs, so for anything AirLift reports as not being supported by a CSP, you can spare yourself the search. However, for any settings reported as exportable you'll want to search for a match in the UEM console or the <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/WS1_Windows_MDM.pdf" target="_blank">Windows Desktop Device Management</a> guide.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For functionality not covered by the built-in UEM profiles, there's a judgement call to be made between leveraging WS1 Baselines or AirLift's policy export option. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h3>
<span style="color: #9fc5e8;">Baselines or AirLift Exports? Another Key Decision Point</span></h3>
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">If a GPO setting isn't supported by a CSP, WS1 Baselines is probably your best bet. However, let's say there's a GPO setting that isn't accommodated by native WS1 UEM functionality, but does have support from a CSP. Let's take it a step further and say not only is it supported by a CSP, but it's also reported by AirLift as exportable. Should you proceed with the AirLift export option or should you investigate Baselines? The latest VMware guidance describes this dilemma as making a choice between <a href="https://techzone.vmware.com/understanding-windows-10-group-policies-vmware-workspace-one-operational-tutorial#1235758" target="_blank">"Modernize or Migrate."</a> </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">A lot of the decision hinges on what kind of administrative and lifecycle capabilities you'll need going forward. There's also a question of how much time and energy you have in the short term. If all of your settings are supported by the AirLift export option, you're just a few clicks away from a migration. With Baselines there's probably going to be more up front work, as you manually map out your GPO settings or vet excess settings associated with the templates, but you get a big fat GUI at your disposal from start to finish. In the future this GUI provides a straightforward process for pushing out updates or changes to your policy. Further, you get granular and up to date compliance reporting on all these settings, along with the ability to reinforce them. The case is very different if you choose to leverage AirLift's export functionality. While AirLift may provide a very fast and automated method for migrating your GPOs, it doesn't offer a mechanism for managing these settings going forward. Essentially, you get your GPO setting, or settings plural, combined into a big wad of SyncML that in turn is added as a payload to a custom profile.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0_2KmgOIaXMJyCM8TZRjrNXRidLUib2lbfYPqoOC_66FKXqDwvtOGZZtj-UuVcFdQ9cKY7J4Hecguu-Xvhp2tvFbO5mItOWlRG8M9lXtgHBGmSfR2HdQ_emNUCULrkWZqII8lEaOvmVOo/s1600/Screen+Shot+2020-06-18+at+12.21.59+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="245" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0_2KmgOIaXMJyCM8TZRjrNXRidLUib2lbfYPqoOC_66FKXqDwvtOGZZtj-UuVcFdQ9cKY7J4Hecguu-Xvhp2tvFbO5mItOWlRG8M9lXtgHBGmSfR2HdQ_emNUCULrkWZqII8lEaOvmVOo/s400/Screen+Shot+2020-06-18+at+12.21.59+PM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Now, should you want to tweak the settings pushed out by this profile you'll have two major options going forward. One, you can edit the SyncML manually or with the assistance of Policy Builder, both of which require some skill. It's doable, but not for the faint of heart. A second option would be to edit the original AD GPO, then attempt a new export with AirLift. That's a bit unsavory and hardly feels like freedom from AD GPOs. It feels more like a trial separation at best. Contrast this with making an update on an existing Baseline, where you make GUI-guided edits in the UEM console directly, push the new settings out, then later receive confirmation the settings have been implemented.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRJyYvh9mIqpQArE7hA0kqaOOWnScIgaNuCpr8rHWL1V7vUj6jkcc7C9_ZF8dd4YocGZxYlAyyjGWWyslYqea7X_4QWD5IucQxGzVnvRlxzrG62QHh_wccI2p3wsZQXUzemRCPQqhdHkkK/s1600/Screen+Shot+2020-06-18+at+12.15.41+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRJyYvh9mIqpQArE7hA0kqaOOWnScIgaNuCpr8rHWL1V7vUj6jkcc7C9_ZF8dd4YocGZxYlAyyjGWWyslYqea7X_4QWD5IucQxGzVnvRlxzrG62QHh_wccI2p3wsZQXUzemRCPQqhdHkkK/s400/Screen+Shot+2020-06-18+at+12.15.41+PM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">From the user's perspective there's no perceivable difference between a setting pushed out with a CSP versus Baselines. What's really at stake is administrative overhead and lifecycle capabilities going forward. With the AirLift export option you get something akin to an easy button for migrating your AD GPOs where CSPs support them, but limited manageability moving forward. With a transition to WS1 Baselines there might be more work up front, but there's simpler on-going manageability and a more promising shot at freedom from on-premises dependencies. Where possible, I would recommend aiming for Baselines adoption, assuming you have the WS1 Advanced licenses required for it. However, the ideal path forward for you is going to depend on your circumstances. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For a really interesting analysis on this decision point check out the section titled, <a href="https://techzone.vmware.com/understanding-windows-10-group-policies-vmware-workspace-one-operational-tutorial#1259702" target="_blank">Choosing The Correct Policy Delivery Model</a>, in the latest Tech Zone guidance.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h3>
<span style="color: #9fc5e8;">
Additional CSP Options</span></h3>
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">If AirLift isn't feasible or its export function needs customization or augmentation, VMware's documentation calls out 3 other CSP based options. All involve tweaking SyncML that's delivered through a Custom Settings profile. One option is to leverage sample SyncML from the <a href="https://code.vmware.com/samples" target="_blank">VMware Sample Exchange</a>. Another is to generate it using a Fling called <a href="https://labs.vmware.com/flings/policy-builder" target="_blank">Policy Builder</a>. Finally, a third option is to leverage the Microsoft <a href="https://code.vmware.com/samples/3963/windows-10---csp-development-suite" target="_blank">CSP Development Suite</a>. Of these 3 choices, I find Policy Builder the most accessible and promising. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">To get access to Policy Builder, navigate to <a href="https://vmwarepolicybuilder.com/" target="_blank">https://vmwarepolicybuilder.com/</a> and log in with your My VMware account. After selecting which version of Windows 10 you're focusing on, you'll be presented with the relevant CSPs. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjodRAegFFlndzsTUku1buSgh2cbqo-TVT2Ox0_u0Rn9mxd3QPKY5B33TWozC8GdCZWCmK-f_hsi-t1SwX9XqIsVTYn7T7X9G03wIy9i-8hJL5DIK7oI1t28MPuF1ApvZvDPhng-mQfT5ds/s1600/Screen+Shot+2020-06-06+at+9.24.23+AM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjodRAegFFlndzsTUku1buSgh2cbqo-TVT2Ox0_u0Rn9mxd3QPKY5B33TWozC8GdCZWCmK-f_hsi-t1SwX9XqIsVTYn7T7X9G03wIy9i-8hJL5DIK7oI1t28MPuF1ApvZvDPhng-mQfT5ds/s400/Screen+Shot+2020-06-06+at+9.24.23+AM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">There's a very wide range of depth and capabilities amongst these different CSPs. For example, the Accounts CSP has only two configuration options. On the other hand the Policy CSP has an absolutely mind blowing range of options. If you browse to Microsoft's Configuration Service Provider reference and select the <a href="https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider" target="_blank">Policy CSP</a>, you'll see that the settings go on for days. Go ahead. I dare you. See how many scrolls it takes to get through the entire list. It's a whole lot of configuration options at your fingertips.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8KfsUV1bjcLNM-ttqTRfxbr3Q_kng-_41zKOYz1o0bx-_FR9LhscNyfabf6No9OldhWQUvfjVjBVCWooIAHeC8z_8hREG9YwcyFB2J343SlUmYQIZKnlZxI6UDoM9OYcKktLAh6hSsONj/s1600/Screen+Shot+2020-06-18+at+11.56.20+PM.png" imageanchor="1"><span style="color: #9fc5e8;"></span></a>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6WpI1h-eLxM_6NJz0T2QoZsTanuOIm6Qec0wUKF-cj-1KY_0eaJV5KJy7XANxCoijECFNoNMeNLnPlvykXpWIM6zkbhbYxcokSLwKocEaLqBfsKut3SzEPkAhNy5z-ntxJrqN3peJtysQ/s1600/Screen+Shot+2020-07-01+at+2.28.24+PM.png" imageanchor="1"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6WpI1h-eLxM_6NJz0T2QoZsTanuOIm6Qec0wUKF-cj-1KY_0eaJV5KJy7XANxCoijECFNoNMeNLnPlvykXpWIM6zkbhbYxcokSLwKocEaLqBfsKut3SzEPkAhNy5z-ntxJrqN3peJtysQ/s400/Screen+Shot+2020-07-01+at+2.28.24+PM.png" width="400" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For this example, while configuring the Policy CSP within Policy Builder navigate to Device &gt; Config &gt; Start. Here you'll find a boat load of Start menu settings. Zero in on the options to hide the sign out and sleep options from the Start menu. By researching these specific settings within the Configuration Service Provider reference you'll discover that a value of 1 enables these settings. After punching in the number 1, SyncML is automatically generated on the right hand side of the page. Clicking the ADD button updates the SyncML to what's required for implementing this setting. The process is the same for the Hide Sleep option.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLMARrD53XJvK34kLJjzwcQf8ZwYdedn4GVjk5RmehF3JpT6p_a5e8cWge6PCRn-YWKBBKm1QTbdu1fmC4qnHZ9QpERPOC9vYW-GBYR4L6HuuZ1Coi8opZowBIr6ggWH_lwxr0fZYoH2Lp/s1600/Screen+Shot+2020-06-19+at+12.22.02+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLMARrD53XJvK34kLJjzwcQf8ZwYdedn4GVjk5RmehF3JpT6p_a5e8cWge6PCRn-YWKBBKm1QTbdu1fmC4qnHZ9QpERPOC9vYW-GBYR4L6HuuZ1Coi8opZowBIr6ggWH_lwxr0fZYoH2Lp/s640/Screen+Shot+2020-06-19+at+12.22.02+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Copy this generated SyncML into the Custom Settings payload of a new profile. For the Remove Settings section, simply go back to Policy Builder and click on the Delete button instead of Add. The SyncML will change on the right accordingly, replacing &lt;Add&gt; with &lt;Delete&gt;. Copy this SyncML into the Remove Settings section. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3J6tcaYF7tzeLB_Vh3ZwufG4OOmO75qN2kTdWkhY3h9fu5Q3W1ddjCznQ3-9JcRPzMh3Lk0QEUSfYFNp_FkWO26L2VD0I0SqRB1MlgAyVf6vQyTeWdPfAIVa4R8Ifwyf2Z4dhRt0kHCBv/s1600/Screen+Shot+2020-06-19+at+2.16.54+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3J6tcaYF7tzeLB_Vh3ZwufG4OOmO75qN2kTdWkhY3h9fu5Q3W1ddjCznQ3-9JcRPzMh3Lk0QEUSfYFNp_FkWO26L2VD0I0SqRB1MlgAyVf6vQyTeWdPfAIVa4R8Ifwyf2Z4dhRt0kHCBv/s400/Screen+Shot+2020-06-19+at+2.16.54+PM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">After assigning this profile to an endpoint you'll see the desired results. As expected, there's no sleep option under the power button and no sign out option under the user's start menu entry.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEhVbz7ghjA2kaiaUqbWYXtEwUXiLwkCT-y0ZhwFW4kMXwpPdTcP2TC7kaL6sxqcYSORt8KVYf5k-kkJyZUb8OmeqB3KvDJ_mijaCm4h-HfvpsgsxHF7zwT5Z25AecO8yqY-iGSCI0E97L/s1600/Screen+Shot+2020-06-19+at+2.47.09+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEhVbz7ghjA2kaiaUqbWYXtEwUXiLwkCT-y0ZhwFW4kMXwpPdTcP2TC7kaL6sxqcYSORt8KVYf5k-kkJyZUb8OmeqB3KvDJ_mijaCm4h-HfvpsgsxHF7zwT5Z25AecO8yqY-iGSCI0E97L/s400/Screen+Shot+2020-06-19+at+2.47.09+PM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Again, when you consider the vastness of something like the Policy CSP, this Policy Builder option is definitely worth more than an honorable mention. Yeah, it's not as nice as the completely supported processes offered by WS1 Baselines or AirLift. However, if you're someone who likes to tinker, oh boy! There's a lot to work with here.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For additional info on Policy Builder, check out:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Latest Tech Zone Guidance: <a href="https://techzone.vmware.com/understanding-windows-10-group-policies-vmware-workspace-one-operational-tutorial#1235773" target="_blank">Modernize Group Policies Using VMware Policy Builder</a></span><br />
<span style="color: #9fc5e8;">Excellent Overview: <a href="https://blogs.vmware.com/euc/2018/07/introducing-policy-builder.html" target="_blank">Introducing VMware Policy Builder: The Quick and Simple Way To Build Your Windows 10 Custom Settings</a></span><br />
<h3>
<span style="color: #9fc5e8;">
But wait, there's more! </span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">So if for some reason you just have to say no to AirLift, Baselines or CSPs, no worries, there's more options. One is the <a href="https://code.vmware.com/samples/3527/airwatch-gpo-migration-tool">GPO Migration tool</a>, an alternative that's been around for a couple years now. This tool is similar to the Custom Baseline option in that it leverages GPO backups that are then pushed out to target devices. While this isn't a fully supported tool, it's certainly an interesting fall back option. If nothing else, it's a wonderful example of what can be done if someone rolls up their sleeves and decides to get-er-done. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">With WS1 provisioning packages in our back pocket we essentially have an elevated command prompt available on any of our managed Win10 devices, and there's an awful lot that can be done with a command prompt and a script if you put your mind to it. That cuts both ways: anything pushed this way runs with full privileges on every targeted device, so the rights to create and assign those payloads deserve the same scrutiny as domain admin rights, and the scripts themselves belong in source control and under review like any other code. </span><span style="color: #9fc5e8;">Further, there's an option to push out registry changes directly from a Custom Settings profile in UEM. This option gets called out in the appendix of the latest guidance, which references the blog post, "</span><a href="https://mikenelsonjr.com/blog/2020/03/19/registrykey-customsettings" target="_blank">How To Set Registry Values Using The Custom Setting Profile In Workspace ONE UEM</a><span style="color: #9fc5e8;">." Given that the large majority of GPO settings map to registry settings, there's a lot of ground you could cover with this option alone. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h3>
<span style="color: #9fc5e8;">Additional Resources For Reporting On GPOs</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">If you can't run AirLift, need to augment AirLift reporting or just want a quick look at a specific policy with minimal overhead, there's Microsoft's own MDM Migration Analysis Tool, <a href="https://github.com/WindowsDeviceManagement/MMAT" target="_blank">MMAT</a>. Unlike AirLift, it won't give you an exhaustive enterprise view of all your GPOs and their modern management equivalents. However, on whatever target system you run it on, it will analyze the GPOs currently applied to that system and report back on the feasibility of migrating them to modern management. </span><span style="color: #9fc5e8;">Also, as previously mentioned, there's Microsoft's </span><a href="https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference" target="_blank">Configuration service provider reference</a><span style="color: #9fc5e8;"> that details the Windows 10 CSPs developed for modern management. If there's a specific setting you're interested in making customized SyncML for, it makes sense to dive into this reference.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h3>
<span style="color: #9fc5e8;">
And Get Yourself Free</span></h3>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">The subject of WS1's modern management alternatives for GPO settings sits at the intersection of two very different worlds. On one end of the spectrum you have an MDM admin who, though possibly a brilliant tech, has never touched a production domain controller in their life. At the other end of the spectrum you've got a grizzled AD veteran who's managed enterprise desktops with GPOs for decades. They're two very different kinds of people with different expectations and priorities when it comes to AD GPOs. That their needs for GPO settings overlap may very well be the only thing they have in common. Accordingly, they're likely to require different paths on the journey to modern management.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For the traditional MDM guy or someone who doesn't have an AD legacy to preserve, I'd say start with a careful investigation of all built-in WS1 capabilities, then move on to fill in any gaps through Baselines. On the other hand, if you're in an organization with significant investment in GPOs and need to port that legacy to modern management, the path ideally begins with AirLift. With that reporting you get your arms around what's going on in your environment, size up your challenges and rationalize your GPOs. Then thoroughly investigate the built-in capabilities of UEM. You may find a lot of what you need is already built into the tool. From there, investigate Baselines and then fall back to AirLift's export capabilities. If challenges remain, you can turn to the other CSP options, the GPO Migration Tool or the various other DIY alternatives imaginable. </span><br />
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<span style="color: #9fc5e8;"><iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/ABXtWqmArUU" width="560"></iframe><br /></span>
<h3><span style="color: #9fc5e8; font-size: large;">A Primer On NSX Advanced Load Balancer (Avi Vantage) For Horizon And Workspace ONE</span></h3>
<span style="color: #9fc5e8;">Posted by EvenGooder on 2020-03-26, updated 2020-04-01.</span><br />
<span style="color: #9fc5e8;">NSX Advanced Load Balancer, formerly called Avi Vantage, is a solution VMware secured through the acquisition of Avi Networks. A fully software defined load balancing solution and application delivery controller, Avi Vantage adds L4 - L7 server load balancing to NSX, rounding out an already impressive SDN solution. Overall, the Avi Vantage offering is a natural progression for VMware, a continuation of what the company has always been good at: replacing beefy, unwieldy hardware bound solutions with agile and efficient virtualization.</span><br />
<div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">While the acquisition has been cause for VMware network geeks to rejoice, it's also a particularly exciting development for VMware's end user computing products, Horizon and Workspace ONE. Traditionally these solutions have required the use of third party load balancers, which has been fine, though it does introduce a bit of complexity and another vendor to deal with. So, to start with, the Avi acquisition offers an opportunity to simplify the VMware EUC stack, along with the promise of a more tightly integrated load balancing solution. </span><span style="color: #9fc5e8;">In mid March the </span><a href="https://docs.vmware.com/en/Unified-Access-Gateway/3.9/rn/Release-Notes-for-VMware-Unified-Access-Gateway-39.html" target="_blank">release of UAG 3.9</a><span style="color: #9fc5e8;"> added, "Qualified support for the AVI Networks load balancer used in front-ending Unified Access Gateway for Horizon." Earlier in the year, a </span><a href="https://avinetworks.com/docs/18.2/avi-horizon-reference-architecture-guide/" target="_blank">Reference Architecture For Horizon</a><span style="color: #9fc5e8;"> leveraging Avi Networks was released. Further, there's this step by step configuration guide, </span><a href="https://avinetworks.com/docs/18.2/configure-avi-vantage-for-vmware-horizon/" target="_blank">Configure Avi Vantage For VMware Horizon</a><span style="color: #9fc5e8;">. While these documents are quite exhaustive, I put together this post as a primer on Avi Vantage for Horizon admins. The idea is to give folks a high level overview of how Avi Vantage plugs into the Horizon/WS1 stack and why it's relevant.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiryyBb1eTMkGiIVUzXqD11bhWpbZfhfzTHae1hg1KKJXt5jOfprp2rn2dRvl1iL8P-mOhuH_4skWNo2R1wmLfrKgtwO5cf04wFEle3KYsExrlIidaJGqi1X0jch99K34yDTHXJ4wpDCmKX/s1600/Screen+Shot+2020-03-17+at+5.18.27+PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1035" data-original-width="1600" height="412" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiryyBb1eTMkGiIVUzXqD11bhWpbZfhfzTHae1hg1KKJXt5jOfprp2rn2dRvl1iL8P-mOhuH_4skWNo2R1wmLfrKgtwO5cf04wFEle3KYsExrlIidaJGqi1X0jch99K34yDTHXJ4wpDCmKX/s640/Screen+Shot+2020-03-17+at+5.18.27+PM.png" width="640" /></a></div>
<br />
<h3>
<span style="color: #9fc5e8; font-size: large;">Why I'm So Giddy About Avi Vantage And Horizon</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">When it comes to VDI and app publishing it's essentially a two company game: VMware vs Citrix. The competition and rivalry is intense, to say the least. Large fortunes and entire careers fuel fierce debate, endless FUD, mud slinging, hyper bake-offs and neurotic Excel spreadsheets filled with feature-by-feature comparisons. Fear and loathing abounds, with otherwise genteel engineers staring out through dead shark eyes, broken half bottles in hand, ready to cut ya! At times it feels more akin to identity politics, fanatical sports rivalry or a downright Hatfields vs McCoys family feud. As someone in the middle of this conflict I've always had to admit that Netscaler sounded like a pretty solid product. For a while, the worst thing you heard about it was that it's too expensive and offers more functionality than Citrix customers actually need. However, <a href="https://www.forbes.com/sites/kateoflahertyuk/2020/01/14/new-citrix-security-alert-us-government-issues-test-tool-for-serious-flaw/#6f99a9b02865" target="_blank">with its latest serious vulnerability</a> Netscaler's stature as unquestionably awesome has come under scrutiny. Combined with the notoriously bad treatment and support customers receive from Citrix, folks are really starting to wonder if it's worth the trouble to rely on them for this critical functionality.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">More notably, both Citrix and VMware customers, being techies, are always looking for more innovative and smarter ways of handling things. In the field of load balancing there hasn't been a lot of innovation or change, so in that regard Avi Vantage really stands out. We're not talking about just P2V-ing a load balancer and patting ourselves on the back. With Avi Vantage we're talking about an elastic fabric that allows you to take advantage of the virtualization infrastructure you already have in place, whether it's across multiple data centers or even different cloud vendors. Accordingly, Avi Vantage is a real shot in the arm for VMware's EUC stack in a couple of major ways. First, by adding load balancing and application delivery controller capabilities to VMware's arsenal, it brings the EUC stack much closer to parity with what Netscaler and Citrix offer. Second, while Avi Vantage might not be at complete parity with Netscaler, it does a lot that Netscaler can't. In light of the current pandemic and its associated challenges this differentiator has some real teeth. When firing up a new data center in the middle of a crisis, do you want to wait on the purchase and shipment of new hardware? Do you want to limp along with a virtual appliance that's a sub par version of the load balancer you normally work with? Or would you prefer a few clicks on your Avi Controller, simply extending a fabric you already have in place?</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">No doubt, there will be plenty of debate over Netscaler + Citrix vs Avi Vantage + Horizon. If reason and cooler heads prevail it won't be a simple debate, but instead a thought provoking and interesting one.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h3>
<span style="color: #9fc5e8; font-size: large;">
Avi Vantage Overview</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">At a high level, Avi Vantage is a software defined load balancing solution and application delivery controller that functions across an entire enterprise, including separate cloud environments like AWS, Azure or Google Cloud. Most relevant for typical Horizon shops, it integrates quite impressively with traditional on-premises vSphere environments. It all begins with a software based Avi Controller, the brains of the operation where all load balancing policies are defined. The Controller, or controller cluster, essentially binds to your vSphere environment(s). In turn, the Avi Controller manages and controls the placement of the virtual machines that actually carry traffic, referred to as Avi Service Engines, across your vSphere infrastructure. Based on instructions received from the Avi Controller, the Service Engines "perform load balancing and all client- and server-facing network interactions." They also collect "real-time application telemetry from application traffic flows." The controller can automagically control the setup and distribution of these Service Engines across the ESXi hosts within your vSphere environment, ensuring proper redundancy, capacity and workload distribution.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3bXLewegIiQPLGi5h1KEG1Uxf7fryzmd4q_UtUW3ni2112WhSn7ODvZyccC5Srx_BZ2j99jZKKjFJ7JsQMsjXI5vzx6LJT9BSl2cr8GixbcWQP0RDN2D_q2-vfWcRtjt6m_Ydnji4cafO/s1600/Avi_vSphere.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1035" data-original-width="1489" height="443" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3bXLewegIiQPLGi5h1KEG1Uxf7fryzmd4q_UtUW3ni2112WhSn7ODvZyccC5Srx_BZ2j99jZKKjFJ7JsQMsjXI5vzx6LJT9BSl2cr8GixbcWQP0RDN2D_q2-vfWcRtjt6m_Ydnji4cafO/s640/Avi_vSphere.png" width="640" /></a></div>
<span style="color: #9fc5e8;">These different Service Engines laid out across the vSphere infrastructure are what endpoint clients actually connect to and interface with. They're associated with the VIPs and handle traffic based on the virtual services and pools defined on the Avi Controller. So essentially, you define the load balancing logic on the controller, then these Service Engines act as minions that execute the logic for incoming client connections.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdTyYprvSmWNOMFhg-CuXjt1eISntLSC_jcemUJTcf8PQeRyuJRxlqofXVvWtNwhacTF5QdR1F1M7ccFbVtw0ezUa5Ku7BkNgW4JrjQl35SOGuJ0-MBREGOvS0VG4C57pV9Xdard6qC-RM/s1600/service_engine.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="670" data-original-width="1012" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdTyYprvSmWNOMFhg-CuXjt1eISntLSC_jcemUJTcf8PQeRyuJRxlqofXVvWtNwhacTF5QdR1F1M7ccFbVtw0ezUa5Ku7BkNgW4JrjQl35SOGuJ0-MBREGOvS0VG4C57pV9Xdard6qC-RM/s400/service_engine.png" width="400" /></a></div>
<br />
<span style="color: #9fc5e8;">The end result is an elastic load balancing solution that avoids the efficiency challenges that plagued traditional hardware based load balancing solutions. The ability to automatically spin up Service Engines on the fly, scaling out VIPs horizontally as needed, allows for right sizing. Service Engines can be spun up or spun down in increments as small as 1 vCPU, 2 GB of RAM and 10 GB of storage. Contrast this with redundant pairs of active/standby hardware appliances and this benefit of Avi Vantage becomes pretty compelling.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For more info check out this <a href="https://avinetworks.com/docs/18.2/architectural-overview/" target="_blank">Architectural Overview</a> for Avi Vantage.</span><br />
<br />
<br />
<h3>
<span style="color: #9fc5e8; font-size: large;">
Avi Vantage For UAG Appliances</span></h3>
<div>
<br /></div>
<span style="color: #9fc5e8;">The Reference Architecture for Horizon reviews <a href="https://avinetworks.com/docs/18.2/avi-horizon-reference-architecture-guide/#load-balancing-for-uag" target="_blank">3 different methods</a> for load balancing external traffic to UAGs. Factors such as the need for HIPAA compliance or whether you’ll have multiple clients behind a single NAT, at a remote site, determine which method is most appropriate. For this post, I’m going to review the first option, <a href="https://avinetworks.com/docs/18.2/avi-horizon-reference-architecture-guide/#single-vip-with-two-virtual-services" target="_blank">Single VIP with two virtual services</a>.</span> <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYGS3kaRB61l-O5bEcItpp868lfWjbjS5UAaZtWOHqO_7mF5xKtNbPWDxyJ-Mib76AtXbI3DrdpEHhfDMgMwlOuwCsnGVJk8A6IQC9ETvDByUWEdZXUKhcIh4liG4ShohH8V511PDY73Pi/s1600/3-single-vip-two-vs.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="532" data-original-width="1140" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYGS3kaRB61l-O5bEcItpp868lfWjbjS5UAaZtWOHqO_7mF5xKtNbPWDxyJ-Mib76AtXbI3DrdpEHhfDMgMwlOuwCsnGVJk8A6IQC9ETvDByUWEdZXUKhcIh4liG4ShohH8V511PDY73Pi/s640/3-single-vip-two-vs.png" width="640" /></a></div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Regardless of which option you go with, it all begins with a Horizon client communicating with a virtual service supported on Avi Service Engines. Virtual services are comprised of IP and port combinations defined on the Avi Controllers. The client traffic is passed by these services to the optimal UAG appliance based on pools that have also been defined on the Avi Controller. Pools determine the ideal server to pass traffic to based off configurations like server lists, health monitoring, load balancing algorithms, etc... </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0dtAiPv0zSgj2J4ex59k13bKHaCC8nk_pv1IOm5peREn0v1Y5iOzfiEpPwK2Rj_eT8zCZ0_sHWfwXzHAcP8q0fklRDLP3WbhctnNwRuFBcITeL2wzcN9fk4bcAND-Lfh6vxhY-qSsSB9c/s1600/Screen+Shot+2020-03-17+at+10.07.41+AM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="882" data-original-width="1600" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0dtAiPv0zSgj2J4ex59k13bKHaCC8nk_pv1IOm5peREn0v1Y5iOzfiEpPwK2Rj_eT8zCZ0_sHWfwXzHAcP8q0fklRDLP3WbhctnNwRuFBcITeL2wzcN9fk4bcAND-Lfh6vxhY-qSsSB9c/s640/Screen+Shot+2020-03-17+at+10.07.41+AM.png" width="640" /></a></div>
<br />
<span style="color: #9fc5e8;">To illustrate, below is a graphic detailing the anatomy of a typical Horizon Blast session through a UAG appliance. Initially you have the primary Horizon protocol handling authentication through XML structured messages over port 443. Then you have the secondary Horizon protocol, Blast in this example, operating over 8443. (For an excellent primer on UAG load balancing and Horizon protocols check out <a href="https://communities.vmware.com/docs/DOC-32792" target="_blank">this amazing post by Mark Benson.</a>)</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSRZFPtwEI8AIV39T8mrDIg8t9KdWmoVCMVjf-gwQ98nOU3mmI050Uq2xgTadyFDWx_ALPGjAXO8ROetlq6580IVAEw7GsfFRdoB-owWCrID462qF9_1jmLwoUbm7hubFV5pDAH0EvTnt4/s1600/UAG_Flow.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="556" data-original-width="1486" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSRZFPtwEI8AIV39T8mrDIg8t9KdWmoVCMVjf-gwQ98nOU3mmI050Uq2xgTadyFDWx_ALPGjAXO8ROetlq6580IVAEw7GsfFRdoB-owWCrID462qF9_1jmLwoUbm7hubFV5pDAH0EvTnt4/s640/UAG_Flow.png" width="640" /></a></div>
<br />
<span style="color: #9fc5e8;">Accordingly, we have two virtual services to configure on Avi Vantage, one for the primary protocol and one for the secondary protocol. Below is a screenshot from my own lab. The virtual service Horizon_UAG_L7 is configured to accommodate the primary Horizon protocol operating over TCP 443, while Horizon_UAG_L4 is configured for the PCoIP and Blast Extreme secondary protocols, which operate over TCP/UDP 4172 and TCP/UDP 8443 respectively.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVd6GQawOP8oxZw0rl5AJdqdqjy6aholvIVL6SNWWIqIcughPflVD0vlMd0DAjuL0v_1boVJw3hlxwK8fclSX8ifJ2XGbCyYzujPGxsfgUB50OYUSVTTNkrodNsltnwubmDucTPPKuNe51/s1600/virtual_service.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="347" data-original-width="1135" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVd6GQawOP8oxZw0rl5AJdqdqjy6aholvIVL6SNWWIqIcughPflVD0vlMd0DAjuL0v_1boVJw3hlxwK8fclSX8ifJ2XGbCyYzujPGxsfgUB50OYUSVTTNkrodNsltnwubmDucTPPKuNe51/s640/virtual_service.png" width="640" /></a></div>
<br />
<span style="color: #9fc5e8;">These virtual services in turn are associated with a pool that determines server selection for incoming traffic based off configurations such as load balancing algorithms, health monitoring and persistence profiles. </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRr1nddBIx0OhGhtVeMSICOXSsy_JQMbo_8d_5k7Gyf7MzcYb2jU9JN1kGlIwwMp8I8lPZ1Fz1_TJn23d6AmJqWEDMWL9HkchKDF3T-B8z_WhQyisejYAPpNaMrqeK1DXLYzW6L_OkGffY/s1600/Screen+Shot+2020-03-22+at+11.10.01+AM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="1344" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRr1nddBIx0OhGhtVeMSICOXSsy_JQMbo_8d_5k7Gyf7MzcYb2jU9JN1kGlIwwMp8I8lPZ1Fz1_TJn23d6AmJqWEDMWL9HkchKDF3T-B8z_WhQyisejYAPpNaMrqeK1DXLYzW6L_OkGffY/s640/Screen+Shot+2020-03-22+at+11.10.01+AM.png" width="640" /></a></div>
<br />
<span style="color: #9fc5e8;">Finally, below is a screenshot of a custom Health Monitor that's created for Horizon. The Health Monitor is associated with a pool and helps, "validate whether servers are working correctly and are able to accommodate additional workloads."</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2gYqI3yguPQ8GsCeEzqnVL0uNzKtwC32zRLm46xVeCqrfeen6Vy3I0id4DFhCdX4HLchPcNlB5mPPk0GyHN8BkcdHbLSHGv36-oMWiSloUB5scLSkGMElSjsma3a3RHeJjCXYq2_wvUqo/s1600/47-hm.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="834" data-original-width="1600" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2gYqI3yguPQ8GsCeEzqnVL0uNzKtwC32zRLm46xVeCqrfeen6Vy3I0id4DFhCdX4HLchPcNlB5mPPk0GyHN8BkcdHbLSHGv36-oMWiSloUB5scLSkGMElSjsma3a3RHeJjCXYq2_wvUqo/s400/47-hm.png" width="400" /></a></div>
<br />
<span style="color: #9fc5e8;">One of the key requirements of this entire setup is ensuring that a user is routed to the same UAG appliance for both the primary and secondary protocols. In a nutshell, the UAG appliance that authenticates a user must also carry that user's display protocol traffic, since it is the appliance holding the session state used to authorize the secondary protocol connection. For a single Horizon connection you can't authenticate against one UAG appliance and then have the display traffic flow through a separate one. In practice this is what the persistence profile on the shared pool is for: the same client address has to land on the same appliance for 443, 8443 and 4172, which is also why the documentation treats many clients behind a single NAT as a case for one of the other methods.</span><br />
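<p><span style="color: #9fc5e8;">To make the stickiness requirement concrete, here is a small model of the virtual service, pool, persistence and health monitor pieces described above. It is an added example and not Avi Vantage or Horizon code: two UAG members are shared by an L7 (443, primary protocol) and an L4 (4172/8443, secondary protocol) virtual service, the pool keeps a client IP persistence table, and a health monitor marks members down on a non-2xx probe. The favicon probe, the member names, the round-robin choice and the way a UAG "remembers" only the sessions it authenticated are assumptions that approximate the reference architecture, not its implementation. The three scenarios show the secondary connection succeeding with shared persistence, failing when each connection is round-robined independently, and what happens to a pinned client when its UAG fails health checks.</span></p>

```python
"""Toy model of UAG session stickiness behind two Avi virtual services.

Added example, not Avi Vantage or Horizon code. A pool of UAG appliances is
shared by the L7 (TCP 443, primary protocol) and L4 (TCP/UDP 4172 and 8443,
secondary protocol) virtual services, with pool-level client IP persistence
and a health monitor. The favicon probe, member names and round-robin choice
are assumptions that approximate the reference architecture.
"""
from dataclasses import dataclass, field
from itertools import cycle
from typing import Callable, Dict, List, Tuple


@dataclass
class Uag:
    name: str
    up: bool = True
    # token -> client IP for sessions this appliance authenticated over 443.
    # Only these tokens are accepted on its secondary-protocol ports.
    sessions: Dict[str, str] = field(default_factory=dict)


class Pool:
    """UAG pool with optional client-IP persistence shared by every VS using it."""

    def __init__(self, members: List[Uag], probe: Callable[[Uag], int], persistence: bool = True):
        self.members = members
        self.probe = probe                  # HTTP status of GET /favicon.ico (assumed check)
        self.persistence = persistence
        self.persist: Dict[str, Uag] = {}   # client IP -> pinned member
        self._rr = cycle(members)

    def run_health_monitor(self) -> List[str]:
        """Mark members up only on a 2xx probe; return the healthy names."""
        for m in self.members:
            m.up = 200 <= self.probe(m) < 300
        return [m.name for m in self.members if m.up]

    def select(self, client_ip: str) -> Uag:
        pinned = self.persist.get(client_ip)
        if self.persistence and pinned is not None and pinned.up:
            return pinned
        for _ in range(len(self.members)):  # next healthy member, round robin
            cand = next(self._rr)
            if cand.up:
                if self.persistence:
                    self.persist[client_ip] = cand
                return cand
        raise RuntimeError("no healthy UAG in pool")


def primary_connect(pool: Pool, client_ip: str, token: str) -> str:
    """XML-API authentication over 443 (L7 VS); returns the UAG owning the session."""
    uag = pool.select(client_ip)
    uag.sessions[token] = client_ip
    return uag.name


def secondary_connect(pool: Pool, client_ip: str, token: str) -> bool:
    """Blast 8443 / PCoIP 4172 (L4 VS); succeeds only on the authenticating UAG."""
    uag = pool.select(client_ip)
    return uag.sessions.get(token) == client_ip


def simulate(persistence: bool, clients=("10.0.0.1", "10.0.0.2", "10.0.0.3")) -> Dict[str, Tuple[str, bool]]:
    """Three constructed clients each log in and then launch a desktop."""
    pool = Pool([Uag("uag1"), Uag("uag2")], probe=lambda u: 200, persistence=persistence)
    pool.run_health_monitor()
    results = {}
    for i, ip in enumerate(clients):
        token = f"session-{i}"
        auth_on = primary_connect(pool, ip, token)
        results[ip] = (auth_on, secondary_connect(pool, ip, token))
    return results


def failover_demo() -> Tuple[List[str], bool, bool]:
    """uag1 fails its probe after a login: the pinned client moves to uag2,
    the in-flight session is unknown there, and only a fresh login recovers."""
    status = {"uag1": 200, "uag2": 200}
    pool = Pool([Uag("uag1"), Uag("uag2")], probe=lambda u: status[u.name])
    pool.run_health_monitor()
    ip, token = "203.0.113.7", "session-x"        # constructed client
    primary_connect(pool, ip, token)               # lands on uag1
    status["uag1"] = 503
    healthy = pool.run_health_monitor()
    first_try = secondary_connect(pool, ip, token) # re-pinned to uag2: fails
    primary_connect(pool, ip, token)               # re-authenticate on uag2
    return healthy, first_try, secondary_connect(pool, ip, token)


if __name__ == "__main__":
    print("shared pool, client-IP persistence:", simulate(True))
    print("no persistence:", simulate(False))
    print("failover:", failover_demo())
```

<p><span style="color: #9fc5e8;">The failover case is the one to keep in mind when reviewing a design: the health monitor keeps new logins away from a dead appliance, but it cannot rescue sessions that appliance already authenticated, so an outage still means a reconnect for those users. That is expected behaviour, not a misconfiguration, and it is the reason the Connection Server session count is the thing to watch after a UAG goes down.</span></p>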
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">This has been a very basic high level overview of what's involved in load balancing UAG appliances through Avi Vantage. For more details and step-by-step guidance, check out the <a href="https://avinetworks.com/docs/18.2/avi-horizon-reference-architecture-guide/" target="_blank">Reference Architecture For Horizon</a> along with <a href="https://avinetworks.com/docs/18.2/configure-avi-vantage-for-vmware-horizon/" target="_blank">Configure Avi Vantage For VMware Horizon</a>. Again, three different methods to choose from, based off the specifics of your use case, are detailed in this documentation.</span><br />
<h3>
<span style="color: #9fc5e8; font-size: large;">
Horizon Connection Server </span></h3>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<span style="color: #9fc5e8;">Traditionally load balancers have always been a requirement for Horizon Connection Servers, with at least two Connection Servers needed to ensure redundancy for a production caliber deployment. So for a typical Horizon deployment with UAG appliances you'll need load balancing in front of both the UAG appliances and the Connection Servers. Below is a helpful image to illustrate:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkksCEdt5JiSh-b_6PYdM4XtxtvU3E9PvVhgX8o3o3aelqduzy9DH3DGbb_JAZEvgEOHrQp2Fir5Os2qwpsJdNzdtVkYMK_lhtnMw0I84Nx84U5reXkOjhElclFHpKdtUgjE3l6_mXEPME/s1600/load_balancing.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="500" data-original-width="1075" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkksCEdt5JiSh-b_6PYdM4XtxtvU3E9PvVhgX8o3o3aelqduzy9DH3DGbb_JAZEvgEOHrQp2Fir5Os2qwpsJdNzdtVkYMK_lhtnMw0I84Nx84U5reXkOjhElclFHpKdtUgjE3l6_mXEPME/s640/load_balancing.png" width="640" /></a></div>
<br />
<span style="color: #9fc5e8;">As you might imagine, accommodating this model is pretty much a slam dunk for Avi Vantage. Setting up load balancing for the Horizon Connection Servers is very similar to that for the UAG appliances. As with UAG appliances, you'll configure a virtual service(s), a pool and health monitor, then you're off to the races. For detailed step by step instructions on configuring Avi Vantage for Horizon Connection servers, check out <a href="https://avinetworks.com/docs/18.2/configure-avi-vantage-for-vmware-horizon/#connection" target="_blank">this section of the Reference Architecture For Horizon</a>.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For those familiar with UAG's built in load balancing-ish capability referred to as High Availability, note that HA for UAG doesn't include load balancing for the Horizon Connection servers, just rudimentary load balancing for the UAG appliances. This is a major advantage Avi Vantage offers over HA, though certainly not the only one.</span><br />
<br />
<br />
<h3>
<span style="color: #9fc5e8; font-size: large;">
Global Load Balancing For Always On Point Of Care Architecture</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/solutions/vmware-alwayson-poc-design-guide.pdf" target="_blank">Always On Point Of Care</a> is an architecture that's been around for about 9 years now. The basic idea is to provide a fully redundant, bullet-proof Horizon deployment. Essentially, you stand up two separate Horizon environments that share no interdependencies, so that theoretically you could lose an entire site but still have Horizon services available. Key to this model is a global load balancing solution that sits in front of the two sites, routing the client connections to the separate Horizon environments. Historically, this functionality has been handled by our load balancing partners. </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvaG9kOQ2cyvzJD3mrRrmggEJr9nJ-8FhH9TPy0V4uPhja_OEk5LLN58xkP7Lq9-LLiWZQFgdIwkL-A_n08eigvccdsRd77Gf1aXpUEvEEI5anLu1w5VBBi6qnmxM8K0bzP5IbxwPyEEd4/s1600/apoc.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="1125" data-original-width="1023" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvaG9kOQ2cyvzJD3mrRrmggEJr9nJ-8FhH9TPy0V4uPhja_OEk5LLN58xkP7Lq9-LLiWZQFgdIwkL-A_n08eigvccdsRd77Gf1aXpUEvEEI5anLu1w5VBBi6qnmxM8K0bzP5IbxwPyEEd4/s640/apoc.png" width="580" /></a></div>
<br />
<span style="color: #9fc5e8;">Nowadays, rather than leaning on a partner, we can leverage Avi Vantage for global load balancing. The documentation refers to this global load balancing feature as Avi GSLB. For more details on configuring Avi GSLB for Horizon, check out <a href="https://avinetworks.com/docs/18.2/gslb-for-horizon-in-avi-vantage/" target="_blank">GSLB In Avi Vantage For Horizon</a>. Here's an awesome looking graphic on this deployment model for APOC that I stole from the Avi Networks website:</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg69utrzbd7t1j4n720I8cgkhDegqkOh7neBSDLVrZN74oN9AHZDtneg1T_GjBN1gAXTgoJR41BjTUo_Y6D4RqbWcWwSQuoeORm3idB1JQzi99kveOL3xcGVMo1MIlb4UH8uzaFwv5LNtFj/s1600/vmware-horizon-load-balancing-for-vdi-deployments-diagram.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="427" data-original-width="830" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg69utrzbd7t1j4n720I8cgkhDegqkOh7neBSDLVrZN74oN9AHZDtneg1T_GjBN1gAXTgoJR41BjTUo_Y6D4RqbWcWwSQuoeORm3idB1JQzi99kveOL3xcGVMo1MIlb4UH8uzaFwv5LNtFj/s640/vmware-horizon-load-balancing-for-vdi-deployments-diagram.png" width="640" /></a></div>
<h3>
<span style="color: #9fc5e8; font-size: large;">
App Volumes</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Avi Vantage also supports the Always On Point Of Care model by providing load balancing for App Volumes. Load balancing has always been a requirement for App Volumes redundancy and scaling: you have multiple, essentially stateless App Volumes Managers that share a common database, with a load balancer in front of them. Load balancing for App Volumes is <a href="https://avinetworks.com/docs/18.2/avi-horizon-reference-architecture-guide/#app-volume-manager-load-balancing" target="_blank">briefly covered in the Avi Reference Architecture for Horizon</a>. For reference you can also check out the F5 guide, <a href="https://www.f5.com/pdf/solution-center/f5-big-ip-vmware-app-volumes-integration-guide.pdf" target="_blank">Load Balancing VMware App Volumes</a>.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZoMhJtnZrEX9Bg4T3CVUmCkJ0d0VOVjg2na7Em-dqyapI8gZmUG8WN8fssWwK2_wnYv-z6VKNB36zzbJach9FJ-Jpxi2axSg_1GHPYQaNHGXpyj5jje1CKcoD-ygnyCzrIECwVNaOGZnM/s1600/app_volumes_load_balancer.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="516" data-original-width="960" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZoMhJtnZrEX9Bg4T3CVUmCkJ0d0VOVjg2na7Em-dqyapI8gZmUG8WN8fssWwK2_wnYv-z6VKNB36zzbJach9FJ-Jpxi2axSg_1GHPYQaNHGXpyj5jje1CKcoD-ygnyCzrIECwVNaOGZnM/s640/app_volumes_load_balancer.png" width="640" /></a></div>
<h3>
<span style="color: #9fc5e8; font-size: large;">
Client Connection Breakdown </span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Depending on the deployment method you go with, Avi Vantage can offer a nifty little breakdown of the session health for individual connections. It can distinguish latency between the remote client and the Avi Service Engine from latency between the Service Engine and the back end server. It can also account for fast or slow app server response time. This promises to come in handy when trying to get to the bottom of latency encountered by your Blast connections through UAG.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_QZmGgFCKk-1UBnsKcE2GdDTefYpOltAVe-3UbuigcdTx264cHafUj7qMVSC8OEf0X9QMxkhLqyzPz3q4yBrt9q6sL6KCkkrT0_cRXjflbyClRXRM8OIOBmkRg3kiofgJ3JDSHqpfYZDh/s1600/network_breakdown.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="552" data-original-width="1372" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_QZmGgFCKk-1UBnsKcE2GdDTefYpOltAVe-3UbuigcdTx264cHafUj7qMVSC8OEf0X9QMxkhLqyzPz3q4yBrt9q6sL6KCkkrT0_cRXjflbyClRXRM8OIOBmkRg3kiofgJ3JDSHqpfYZDh/s640/network_breakdown.png" width="640" /></a></div>
<h3>
<span style="color: #9fc5e8; font-size: large;">WS1 Use Cases</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">With official support for Horizon access already in place, it seems like only a matter of time before there's official support for the WS1 UEM services on UAG, such as Secure Email Gateway (SEG), VMware Tunnel and Content Gateway. Further, the resources these services provide access to (email, intranet sites, SharePoint, etc.) are the more typical types of servers Avi Vantage has always been able to accommodate. So, just as for the Horizon use case, you'll have front-ending for the UAG appliances along with load balancing for on premises resources.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP949SwaDIw7QcEX9X-3i1EAjGqPJt1T-VbEMknZU2fXj_HFqqRbe36yJ0IyILJGtBCE9vSpVzO3o8FSfbSOcMJReLmPKK8HnAEYAQ5zgoYIGl37_KSm25RNi69MOFH5kRr21oW_WdUmdg/s1600/1UAG_ws1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="608" data-original-width="1436" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP949SwaDIw7QcEX9X-3i1EAjGqPJt1T-VbEMknZU2fXj_HFqqRbe36yJ0IyILJGtBCE9vSpVzO3o8FSfbSOcMJReLmPKK8HnAEYAQ5zgoYIGl37_KSm25RNi69MOFH5kRr21oW_WdUmdg/s640/1UAG_ws1.png" width="640" /></a></div>
<h3>
<span style="color: #9fc5e8; font-size: large;">
vIDM Connector </span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">While it's kind of a niche scenario, there are situations that require load balancing for the vIDM Connector, such as when it's used for Kerberos authentication. I'm not aware of any official support, but there's no reason to believe Avi Vantage can't provide load balancing for vIDM Connectors.</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3ijSF2GtL61wU3pgskqj_njIKxlnaWb8_b8jj7OR8v2MrkUqOhpCmct_3uPbQhcp8fh3GkW2NXfN_wRAXU8RiVEWOK4SjSDJcrf1u1hIJSDotlHAoR5u2364EozyrQFTjKahmAn9IOSYA/s1600/2vidm.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="826" data-original-width="1306" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3ijSF2GtL61wU3pgskqj_njIKxlnaWb8_b8jj7OR8v2MrkUqOhpCmct_3uPbQhcp8fh3GkW2NXfN_wRAXU8RiVEWOK4SjSDJcrf1u1hIJSDotlHAoR5u2364EozyrQFTjKahmAn9IOSYA/s400/2vidm.png" width="400" /></a></div>
<h3>
<span style="color: #9fc5e8; font-size: large;">
Conclusion</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">This is the most excited I've been about a VMware acquisition since AirWatch. Along with all the practical capabilities that Avi Vantage brings to the EUC stack in the here and now, there's all the speculation about what it might be built to do in the future. There's about 2 or 3 different scenarios that consistently pop up when I speculate with old timers over what VMware might do with Avi Vantage to further enhance the EUC experience. I'm not going to go into that here, but I'm confident I'll be writing about such enhancements in the future. </span><br />
<br /></div>
<h3>
<span style="color: #9fc5e8; font-size: large;">Using VMware's Horizon Performance Tracker For Rudimentary Blast Optimization</span></h3>
<span style="color: #9fc5e8;">Posted by EvenGooder, published 2019-12-24, updated 2021-06-28.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Recently updated for Horizon 7.10, the <a href="https://images.techzone.vmware.com/sites/default/files/VMware-Blast-Extreme-Optimization-Guide.pdf" target="_blank">VMware Blast Extreme Optimization Guide</a> focuses on, "two key configurable components: the transport protocol and display protocol codec." To gain real-time insight into the configuration of these components, and Blast performance in general, the Horizon Performance Tracker is a natural fit. Both free and built into the Horizon agent, it's a very accessible way to get started with rudimentary Blast optimization. This article details the general principles behind Blast optimization and illustrates how Horizon Performance Tracker can assist in the fine tuning of Blast protocol behavior. It aims to provide context and guidance for tuning Blast's transport protocol, then moves on to codec and bandwidth considerations. Along the way it will also review how the Horizon Help Desk Tool, also built into the Horizon solution, can further assist with Blast optimization.</span><br />
<br />
<div>
<h3>
<span style="color: #9fc5e8; font-size: large;">
The Basic Anatomy Of A Horizon Blast Session</span></h3>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<span style="color: #9fc5e8;">The blog post, </span><a href="https://communities.vmware.com/docs/DOC-32792" target="_blank">Load Balancing Across VMware Unified Access Gateway Appliances</a><span style="color: #9fc5e8;">, contains one of my favorite descriptions of Horizon sessions. Under the section titled, "Horizon Protocols," it details the distinction between a primary and a secondary Horizon protocol. The primary Horizon protocol is all about authenticating against the Horizon environment through XML over 443. The secondary protocol is the display protocol itself, what translates/transmits pixels from within a virtual desktop OS to the display of an endpoint device. This is what we're primarily concerned with when optimizing the Blast experience. If you go with the default port of 8443 for Blast traffic, here's what the traffic flow looks like when remoting into a Horizon environment through a UAG appliance: </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUzh4GZedrTrhoxeAG9i5YwQpHTeuUeR_ooVIxKOGDW_8KkUFoZjuCjdRftMN4Nl5z0HWxJuP4WD5nhGv5g89VAatQAk5FoJ4NiO2AzZ-pSuFpgC8rGVMEAn_jQKEyXNn3OHa3_JK9yVJc/s1600/Screen+Shot+2019-12-01+at+7.18.45+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUzh4GZedrTrhoxeAG9i5YwQpHTeuUeR_ooVIxKOGDW_8KkUFoZjuCjdRftMN4Nl5z0HWxJuP4WD5nhGv5g89VAatQAk5FoJ4NiO2AzZ-pSuFpgC8rGVMEAn_jQKEyXNn3OHa3_JK9yVJc/s640/Screen+Shot+2019-12-01+at+7.18.45+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Typically, the primary protocol is completely over 443 between the Horizon client and UAG appliance, as well as between the UAG appliance and Horizon Connection server. For the secondary protocol, Blast Extreme in this example, traffic flows over 8443 between the client and the UAG appliance. Then, from the UAG appliance to the virtual desktop or RDS host, traffic flows over 22443. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">In the context of optimizing Blast for your environment, one of the first questions to ask about your Blast traffic is whether UDP or TCP is used for the transport protocol. For most use cases UDP is preferable, and it's what the Blast protocol first attempts to use by default. Accordingly, confirming that UDP is actually in use in your environment is a first step towards achieving an optimal Blast experience.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiXDnU0P0B9og-vctnGYyEknwfkaxC04NWFdYPOBcZregRlZdRFE-Asz_kIYsaLVko1oqze-VSS8ltpXIwlhT-CBkowMmFp4SzN3UWK2nnXRYGv9-mwpoSGNrivPijRe4Sj_PU5bKJ9AxB/s1600/Naughty.jpg" imageanchor="1"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiXDnU0P0B9og-vctnGYyEknwfkaxC04NWFdYPOBcZregRlZdRFE-Asz_kIYsaLVko1oqze-VSS8ltpXIwlhT-CBkowMmFp4SzN3UWK2nnXRYGv9-mwpoSGNrivPijRe4Sj_PU5bKJ9AxB/s320/Naughty.jpg" width="183" /></a></span><br />
<br />
<h3>
<span style="color: #9fc5e8; font-size: large;">
Observing The Transport Protocol In Use </span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">While you can look at Blast logs to determine what transport type is in use, the Horizon Performance Tracker offers a really, really, really easy and convenient way to determine this info. While not installed by default, Horizon Performance Tracker is built right into the Horizon agent and is offered as an optional component during the agent install. (Here's more official guidance on installing <a href="https://docs.vmware.com/en/VMware-Horizon-7/7.10/horizon-administration/GUID-E90DA3B8-6ADF-4130-B4C7-89E93CFC9D24.html" target="_blank">Horizon Performance Tracker</a>.) Once installed, from within an active session launch Horizon Performance Tracker from your start menu. When it's launched you're presented with the "At a Glance" tab. While this initial screen is certainly interesting in its own right, things get particularly useful when you click on the icon with the grids in the right corner. (Underlined in red in the image below.)</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO8BZgu2wWb22gonEo-ky3rGScVedWVf7xHWaFkCSvckO00nmw1qUL1t8QXpr5JCrmN-0wMTItW0Owg5aSto5YIKzYDBWe_uMj4Pdey5eZWkfO7H290QYtMuMEnvz4smKhu5zV4TCHIjNX/s1600/Screen+Shot+2019-11-29+at+9.54.12+AM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO8BZgu2wWb22gonEo-ky3rGScVedWVf7xHWaFkCSvckO00nmw1qUL1t8QXpr5JCrmN-0wMTItW0Owg5aSto5YIKzYDBWe_uMj4Pdey5eZWkfO7H290QYtMuMEnvz4smKhu5zV4TCHIjNX/s400/Screen+Shot+2019-11-29+at+9.54.12+AM.png" width="310" /></span></a><br />
<br />
<span style="color: #9fc5e8;">In the screenshot below, under the transport section, there's confirmation that UDP is used for the transport protocol in both directions, the default behavior that Blast strives for. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifY_aihCSdmIu0g0ppZFFNjLW9s-FsHBhXfpKc7WMiWNTqCEQT1t4StfFSuDBnVuFBVhZDzs1CVADWKVZa8EdTdx33boWAgcDyKtXNuEWBns-RN7uTyOckugGgh4dY-uKYAQegHhf2FSYA/s1600/Screen+Shot+2019-11-29+at+10.08.56+AM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifY_aihCSdmIu0g0ppZFFNjLW9s-FsHBhXfpKc7WMiWNTqCEQT1t4StfFSuDBnVuFBVhZDzs1CVADWKVZa8EdTdx33boWAgcDyKtXNuEWBns-RN7uTyOckugGgh4dY-uKYAQegHhf2FSYA/s400/Screen+Shot+2019-11-29+at+10.08.56+AM.png" width="322" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">If UDP were being blocked for some reason, you'd see something like this:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSe4C19zHH23GyGAElos6xfHnzGzUTw70cLmHw7xvCrlCUyn2SEn8ej8yjYGpp7e1_HuEv4FvSTmcwOoat_8ZiWxTVPWEVRfLhZ8kzl_wSY1d1z5xlNpw1W7P_tbivZ7KNvGUAnIMXE2FC/s1600/Screen+Shot+2019-11-30+at+5.23.19+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSe4C19zHH23GyGAElos6xfHnzGzUTw70cLmHw7xvCrlCUyn2SEn8ej8yjYGpp7e1_HuEv4FvSTmcwOoat_8ZiWxTVPWEVRfLhZ8kzl_wSY1d1z5xlNpw1W7P_tbivZ7KNvGUAnIMXE2FC/s400/Screen+Shot+2019-11-30+at+5.23.19+PM.png" width="400" /></span></a><br />
<br />
<span style="color: #9fc5e8;">Again, for most use cases, UDP is the optimal transport, with the optimization guide stating that, with but two exceptions, "VMware recommends that you use UDP for the best user experience. And if Blast Extreme encounters problems making its initial connection over UDP, it will automatically switch and use TCP for the session instead." Accordingly, in most scenarios, if you see TCP in use as the transport protocol, something has gone wrong and tuning Blast involves making adjustments to ensure UDP is used instead. Your first step is to determine whether there are issues with UDP port connectivity for 8443 or 22443 along your Horizon session's network path. (I've provided guidance on this process in a previous post, <a href="https://www.evengooder.com/2018/01/troubleshooting-port-connectivity-for.html" target="_blank">Troubleshooting Port Connectivity For Horizon's Unified Access Gateway 3.2 Using Curl And Tcpdump</a>.) If you find that UDP traffic is getting blocked while traversing a foreign network outside of your control, you can try to stack the deck in your favor by using port 443 for external Blast traffic on your UAG appliance. </span></div>
<div>
<br /></div>
<div>
<h3>
<span style="color: #9fc5e8; font-size: large;">Shifting External Blast Traffic To Port 443 On UAG</span></h3>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<span style="color: #9fc5e8;">Configuring your UAG appliance to use 443 for external Blast traffic increases the likelihood that external networks will allow your Blast traffic to pass. 443 TCP access is pretty much a given everywhere, a slam dunk in most use cases. While 443 UDP connectivity isn't as certain as 443 TCP connectivity, it certainly has better odds than 8443 and is worth a shot. Further, as an added bonus, making this change will almost certainly increase your odds of TCP connectivity and of having at least some kind of successful Blast connection. Here's what the traffic flow will look like:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidSLDW1NjV3Ls-efu1Fn-Htp7yJfUfAn-oCsEbTnccEpKpHHnKFMDtE43iLiHk5WHrqiX5lba84K3aSIdsuhwV9zoo8s1SOt2CdbctkaEb5rG_jlZdoU0LmecwC74GucZ58lld0irUJHUY/s1600/Screen+Shot+2019-12-01+at+7.21.03+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidSLDW1NjV3Ls-efu1Fn-Htp7yJfUfAn-oCsEbTnccEpKpHHnKFMDtE43iLiHk5WHrqiX5lba84K3aSIdsuhwV9zoo8s1SOt2CdbctkaEb5rG_jlZdoU0LmecwC74GucZ58lld0irUJHUY/s640/Screen+Shot+2019-12-01+at+7.21.03+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">Shifting Blast traffic to 443 on your UAG appliance is a relatively simple process. First, navigate to Horizon Edge services on the UAG appliance. Here's what it looks like when the Blast External URL is configured for port 8443:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSxC3jB08EJWA_fGF0Xb_F5woyQ6bIsZc3Nc7UCt5vhDPePC12MRtGLTUJA52dYH1kn7cAVrwV-4ruPAgyAofn8jWvgzVrvrCxAAZ4YybSunycoHLs0ZMGTAKmaWbjULOifu5L9lE5PpMm/s1600/Screen+Shot+2019-12-01+at+5.10.44+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSxC3jB08EJWA_fGF0Xb_F5woyQ6bIsZc3Nc7UCt5vhDPePC12MRtGLTUJA52dYH1kn7cAVrwV-4ruPAgyAofn8jWvgzVrvrCxAAZ4YybSunycoHLs0ZMGTAKmaWbjULOifu5L9lE5PpMm/s640/Screen+Shot+2019-12-01+at+5.10.44+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">To change it to 443, simply append 443 instead of 8443 to the configured URL:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB4Dm349gBvZ-wRC-kYnCnUFBvGxv63EQPuyTYwFxiNr8O8hPN9ud2jEVKte2H28S2lzcV_6b9k2hobs-v9gbhgUC2GoreU06eA1MFag8gN_HC8BIb_rbtMoxMyJVrWI0ZgZ30b0pFBeLU/s1600/Screen+Shot+2019-12-01+at+5.10.28+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="58" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB4Dm349gBvZ-wRC-kYnCnUFBvGxv63EQPuyTYwFxiNr8O8hPN9ud2jEVKte2H28S2lzcV_6b9k2hobs-v9gbhgUC2GoreU06eA1MFag8gN_HC8BIb_rbtMoxMyJVrWI0ZgZ30b0pFBeLU/s640/Screen+Shot+2019-12-01+at+5.10.28+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">When configuring the Blast External URL, I like to imagine I'm sitting inside a Horizon endpoint client itself, looking for a path to forward Blast traffic to. Think in terms of what's externally resolvable and accessible from the perspective of the endpoint. Typically, it ends up being the VIP and associated DNS name on a load balancer.</span><br />
<br />
<h3>
<span style="color: #9fc5e8; font-size: large;">
When To Use TCP For Your Transport Protocol</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">The optimization guide indicates that UDP is usually the optimal transport to use, with two exceptions. First, you'd want to go with TCP if, "Traffic must pass through a UDP-hostile network service or device such as a TCP-based SSL VPN, which re-packages UDP in TCP packets." Since the days of PCoIP dominance, TCP-based SSL VPNs have always been a challenge for Horizon. The encapsulation of UDP traffic into TCP packets by such VPNs is a real downer, nullifying the performance benefits of UDP. For Blast traffic it's best to stick to TCP when using these types of devices or when other network challenges prevent UDP use. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">The second reason to go with TCP instead of UDP is when, "WAN circuits are experiencing very high latency (250 milliseconds and greater)." In regard to this second consideration, Horizon Performance Tracker can again be of assistance. Round trip latency is prominently displayed under the network section in real time.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivmjDxxYpLXwB1POJ1LiLRBW1Be19AU0Y5uIAm2penOAvaLgzGyNHuC18W8bX_0BLj0cz3LuBX8pWbe26hc3n1U3znIbKE_qLuEp1GodSEYceyXT7btiNqyguniaetX8jMXXS5P1orFzkG/s1600/Screen+Shot+2019-11-29+at+10.21.35+AM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivmjDxxYpLXwB1POJ1LiLRBW1Be19AU0Y5uIAm2penOAvaLgzGyNHuC18W8bX_0BLj0cz3LuBX8pWbe26hc3n1U3znIbKE_qLuEp1GodSEYceyXT7btiNqyguniaetX8jMXXS5P1orFzkG/s400/Screen+Shot+2019-11-29+at+10.21.35+AM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">In the above screenshot, with latency at 65 ms it would seem that all is right with the world in terms of the transport selection of UDP. However, if we were seeing latency above 250 ms, something like below, we'd want to consider forcing TCP usage. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4Y_tcFAIOVPd1QNdv36qllVVlIAgKVaNtOSud4ogTVjEYCksGDJ8MDXbUxb_9m1IvlojIPqhqQa954CiBYE17bsKuAXIveWaiigQA74mRulahyphenhyphenSKhFdkNeuS05EiuTp3YCyTKhvI98WaO/s1600/Screen+Shot+2019-12-21+at+11.15.48+PM.png" imageanchor="1"><img border="0" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4Y_tcFAIOVPd1QNdv36qllVVlIAgKVaNtOSud4ogTVjEYCksGDJ8MDXbUxb_9m1IvlojIPqhqQa954CiBYE17bsKuAXIveWaiigQA74mRulahyphenhyphenSKhFdkNeuS05EiuTp3YCyTKhvI98WaO/s400/Screen+Shot+2019-12-21+at+11.15.48+PM.png" width="400" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">With latency above 250 ms and low packet loss, the optimization guide is pretty clear in its guidance to use TCP for the transport protocol. However, if packet loss were also high, the decision wouldn't be as straightforward. Since Blast's UDP stack handles packet loss better than its TCP stack, you might still want to stick with UDP as the transport protocol in a high latency situation. Fortunately, the Horizon Help Desk Tool can provide insight into whether or not there's packet loss, so we can make an informed decision. </span><br />
<br />
<h3>
<span style="color: #9fc5e8; font-size: large;">Horizon Help Desk Tool </span></h3>
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">The <a href="https://docs.vmware.com/en/VMware-Horizon-7/7.10/horizon-console-administration/GUID-3BDDA228-84A9-4805-AD72-C15A42F91622.html" target="_blank">Horizon Help Desk Tool</a> offers an even more useful view of network latency for a particular Horizon session. It provides a breakdown of network latency for a specific session over a span of 15 minutes, giving you a better overall sense of what the latency is. Below is a graph cranked out by the tool for a particularly challenged Horizon session that spikes to latencies above 1200 ms, certainly not the most ideal of scenarios. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1VQcDAdtqAVz-JR5hHxq96-z-pjcyFZ57o9R7YzI0rTbw06IlO-YpekHDq80E6AB_YQjLkLPi9NRILUW-bGRodnjM9FyjHqHcL-kOENrftKaTWqGb0lRVd-yOCXcrQayGotRko4wrz1HU/s1600/Screen+Shot+2019-12-07+at+4.37.35+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1VQcDAdtqAVz-JR5hHxq96-z-pjcyFZ57o9R7YzI0rTbw06IlO-YpekHDq80E6AB_YQjLkLPi9NRILUW-bGRodnjM9FyjHqHcL-kOENrftKaTWqGb0lRVd-yOCXcrQayGotRko4wrz1HU/s640/Screen+Shot+2019-12-07+at+4.37.35+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">A further benefit of the tool is its ability to report on packet loss within a session which, as previously mentioned, is relevant in determining the optimal transport protocol. After looking up a user's session, from the details screen expand the user metrics section and under Blast counters you'll see the packet loss. For the session above, though there's high latency, there's no indication of packet loss. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKVgMzQ_l7XZGDMYS6NZ51oEEkIbIMxY_rRqHLcQlUPSa7KYq0h3qH2-z0Pg8C6RtM-Np17LETOd5Q5D0ju2VEdATndqxechFcFk25YUVpwv3X6XWgwIHyawkRjbTCN_9cipN2TtIl-s8s/s1600/Screen+Shot+2019-12-07+at+4.54.20+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKVgMzQ_l7XZGDMYS6NZ51oEEkIbIMxY_rRqHLcQlUPSa7KYq0h3qH2-z0Pg8C6RtM-Np17LETOd5Q5D0ju2VEdATndqxechFcFk25YUVpwv3X6XWgwIHyawkRjbTCN_9cipN2TtIl-s8s/s640/Screen+Shot+2019-12-07+at+4.54.20+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">With high latency and zero percent packet loss we have network conditions better accommodated by the TCP transport. However, had there been high packet loss, we'd have to make a choice between TCP's performance benefits in high latency environments and the UDP stack's ability to better handle packet loss. </span><span style="color: #9fc5e8;">To simulate such a situation in my lab I used a utility called </span><a href="https://jagt.github.io/clumsy/download.html" target="_blank">clumsy</a><span style="color: #9fc5e8;"> on my remote endpoint. After configuring the utility to create significant packet loss, the hit on network performance was clearly reflected through the Horizon Help Desk Tool.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6FokoYlvfrMVU5HsyFvfH6Lc8e8lOcqrWgpFMp6Sl72QKEOZmpXl1g2S6KaJaS8ibOW05_9zXaKh26dxQq8UOE1OvmsijKNySaTKq_qNESvVNYdTd5SqC5omvNOYLxfX3NaLxnAlaneKa/s1600/Screen+Shot+2019-12-21+at+8.42.18+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6FokoYlvfrMVU5HsyFvfH6Lc8e8lOcqrWgpFMp6Sl72QKEOZmpXl1g2S6KaJaS8ibOW05_9zXaKh26dxQq8UOE1OvmsijKNySaTKq_qNESvVNYdTd5SqC5omvNOYLxfX3NaLxnAlaneKa/s640/Screen+Shot+2019-12-21+at+8.42.18+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">In this situation, where packet loss is high, UDP might be the preferred transport to stick with, despite the high latency. Both the VMware Blast Extreme Optimization Guide and the <a href="https://techzone.vmware.com/resource/blast-extreme-display-protocol-vmware-horizon-7" target="_blank">Blast Extreme Display Protocol In VMware Horizon 7</a> white paper indicate that UDP is the optimal transport to stick with under high packet loss conditions. The white paper specifically states that, "UDP is better at handling packet loss than TCP. UDP can deliver a good user experience in conditions of up to 20 percent packet loss."</span><br />
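<span style="color: #9fc5e8;">To put the transport rules above in one place, here is an added example (not from this post, VMware, or the Horizon tools) that takes a window of latency and packet loss samples, shaped like the 15-minute Help Desk Tool graph, and returns the transport the guide's rules point to, then compares that against what Performance Tracker reports. The 2 percent "high loss" cut-off and all sample values are constructed assumptions; the 250 ms and 20 percent figures are the ones quoted above.</span><br />

```python
"""Pick a Blast transport from sampled session metrics.

Added example for this post; not code from the post, from VMware, or from the
Horizon tools. The rules are the ones the post quotes from the VMware Blast
Extreme Optimization Guide and the Blast Extreme white paper: prefer UDP, use
TCP behind a TCP-based SSL VPN or when WAN latency is 250 ms or greater, and
remember that UDP copes with packet loss (good up to 20 percent) better than
TCP. The "high loss" cut-off and all sample data are constructed.
"""
from dataclasses import dataclass
from statistics import mean, median
from typing import Iterable, List, Tuple

LATENCY_TCP_THRESHOLD_MS = 250.0  # guide: "250 milliseconds and greater"
UDP_LOSS_CEILING_PCT = 20.0       # white paper: UDP is good up to 20 percent loss
HIGH_LOSS_PCT = 2.0               # constructed cut-off for calling loss "high"


@dataclass(frozen=True)
class Sample:
    """One reading of round-trip latency and packet loss for a Blast session."""
    rtt_ms: float
    packet_loss_pct: float


def recommend_transport(samples: Iterable[Sample],
                        via_tcp_ssl_vpn: bool = False) -> Tuple[str, str]:
    """Return (transport, reason) for the observed network conditions.

    Median RTT is used rather than the peak so that a single spike inside a
    15-minute window does not on its own push a session onto TCP.
    """
    if via_tcp_ssl_vpn:
        # The VPN would re-package UDP in TCP anyway; use TCP directly.
        return "TCP", "TCP-based SSL VPN in the path re-packages UDP in TCP"
    data: List[Sample] = list(samples)
    if not data:
        raise ValueError("need at least one sample")
    rtt = median([s.rtt_ms for s in data])
    loss = mean([s.packet_loss_pct for s in data])
    if loss > UDP_LOSS_CEILING_PCT:
        return "UDP", f"loss {loss:.1f}% exceeds even UDP's tolerance; fix the path first"
    if rtt >= LATENCY_TCP_THRESHOLD_MS and loss <= HIGH_LOSS_PCT:
        return "TCP", f"median RTT {rtt:.0f} ms with low loss ({loss:.1f}%)"
    if rtt >= LATENCY_TCP_THRESHOLD_MS:
        return "UDP", f"median RTT {rtt:.0f} ms but loss {loss:.1f}% is high; UDP handles loss better"
    return "UDP", f"median RTT {rtt:.0f} ms, loss {loss:.1f}%; the default transport is fine"


def check_observed_transport(observed: str, samples: Iterable[Sample],
                             via_tcp_ssl_vpn: bool = False) -> str:
    """Compare the transport Performance Tracker shows with the recommendation.

    Returns "ok" or a short pointer at what to investigate. An unexpected TCP
    session usually means UDP on 8443/22443 is blocked somewhere on the path.
    """
    observed = observed.upper()
    if observed not in ("UDP", "TCP"):
        raise ValueError(f"unknown transport {observed!r}")
    expected, reason = recommend_transport(samples, via_tcp_ssl_vpn)
    if observed == expected:
        return "ok"
    if observed == "TCP":
        return (f"session fell back to TCP although UDP is expected ({reason}); "
                "check UDP 8443 and 22443 along the path")
    return f"session is on UDP but TCP is recommended ({reason}); consider forcing TCP"


# Constructed 15-minute windows, one sample per minute, shaped like the Help
# Desk Tool graph in the post. None of these numbers are measured values.
LOW_LATENCY = [Sample(65 + i % 5, 0.0) for i in range(15)]
HIGH_LATENCY_NO_LOSS = [Sample(r, 0.0) for r in (
    300, 420, 1200, 900, 650, 380, 310, 500, 700, 1100, 280, 340, 600, 450, 330)]
HIGH_LATENCY_HIGH_LOSS = [Sample(380 + 20 * (i % 3), 8.0) for i in range(15)]
SEVERE_LOSS = [Sample(120, 25.0) for _ in range(15)]

if __name__ == "__main__":
    for name, window in (("low latency", LOW_LATENCY),
                         ("high latency, no loss", HIGH_LATENCY_NO_LOSS),
                         ("high latency, high loss", HIGH_LATENCY_HIGH_LOSS),
                         ("severe loss", SEVERE_LOSS)):
        transport, why = recommend_transport(window)
        print(f"{name:26} -> {transport}: {why}")
    print("behind SSL VPN             ->", recommend_transport(LOW_LATENCY, True)[0])
    print("tracker shows TCP          ->", check_observed_transport("TCP", LOW_LATENCY))
```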
<br />
<h3>
<span style="color: #9fc5e8; font-size: large;">
Fun Facts About Codecs</span></h3>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_LfaRh9HLZnnpSFxr0rrumvBHvBOVwtMRX0SE46aix2ubFQ0Va0uOjnYieGQleFYNFDkWBbFrp1UgBC5cD_HoOiWMepnY5vPl9Ug7n1TfLqMBTCNF04r6yBPfORSDcBwxaXqx4ZWuEa3v/s1600/jannet_happy.jpg" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_LfaRh9HLZnnpSFxr0rrumvBHvBOVwtMRX0SE46aix2ubFQ0Va0uOjnYieGQleFYNFDkWBbFrp1UgBC5cD_HoOiWMepnY5vPl9Ug7n1TfLqMBTCNF04r6yBPfORSDcBwxaXqx4ZWuEa3v/s320/jannet_happy.jpg" width="320" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">The optimization guide states that, "A codec is a computer program that can encode or decode a digital data stream for transmission. The word codec is a blend of the words coder-decoder." As of today Blast offers a choice of three codecs, H.264, JPG/PNG and H.265, with H.264 being the default. </span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">One of the H.264 codec's claims to fame is its ability to handle rapidly changing content. Another is the ability to use the built-in H.264 decode hardware of endpoint devices, sparing the endpoint's CPU the work. This both improves performance and extends the battery life of those devices. When NVIDIA GRID cards are in the mix, things get even more exciting: encoding can be offloaded to the NVIDIA GPU, improving performance and taking the encoding work off the server's CPUs. That in turn improves user density and efficiency on the ESXi hosts. </span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">JPG/PNG, sometimes referred to as the adaptive encoder, is the original codec used by Blast and does software-based encoding and decoding. While H.264 is the default, Blast will fall back to JPG/PNG when H.264 isn't an option, such as when the HTML client is used from a non-Chrome browser. It's also desirable when you have, "Images that require lossless compression," such as quality still images, complex fonts or medical imaging. However, the optimization guide is pretty clear that it's not so great for rapidly moving content, something the H.264 codec excels at. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">H.265, also known as High Efficiency Video Coding (HEVC), is the bigger, badder successor to H.264. While it introduces bandwidth improvements, it absolutely requires NVIDIA GRID GPUs on your ESXi hosts for encoding. It also requires clients with H.265 decode support, which is common nowadays but not guaranteed.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Finally, a new feature called Encoder Switcher allows Blast, "to dynamically switch between the JPG/PNG and H.264 codecs, depending on screen content type."</span><br />
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<h3>
<span style="color: #9fc5e8; font-size: large;">
Using Horizon Performance Tracker To Observe Codec Usage</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Regardless of which codec is best suited for your use case, Horizon Performance Tracker can show you which one your session is actually using. To observe this in action we can steer the codec selection using the VMware Blast settings on the Horizon client. Here's a screenshot of the codec settings from the Horizon client:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizz4pwOJUOxRBtC9yylyuvRR-MNk5roZYmBgNwRDp-ynSYn6n3FDY3tmSjXfP_2Xk1MppWbLHt4THN2tmdZew5OimvX4sRHKhcqrrByouyMzc-8Ems1GusjEAykt6iU467aDhR5q8zfio5/s1600/Screen+Shot+2019-12-12+at+2.20.37+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizz4pwOJUOxRBtC9yylyuvRR-MNk5roZYmBgNwRDp-ynSYn6n3FDY3tmSjXfP_2Xk1MppWbLHt4THN2tmdZew5OimvX4sRHKhcqrrByouyMzc-8Ems1GusjEAykt6iU467aDhR5q8zfio5/s640/Screen+Shot+2019-12-12+at+2.20.37+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">If you uncheck the option, "Allow H.264 decoding," you'll fall back to JPG/PNG and Performance Tracker will report "adaptive" as the encoder. (Note: the Blast Extreme Display Protocol in VMware Horizon 7 white paper clarifies that, "JPG/PNG is referred to as the adaptive encoder.")</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9AyknI8V2QJ_VhnuRDwE5f-r27yqN-okHmQC_vd8nwTFypqafK3_kQmB1TwrA9LcpzyenXGl_7iG-aLENt68XhWpZpvKkR_X2VxcKzmxNPrZTnE4nOpxlVXuN7qZeAaMwkQc9JLxnZ-dZ/s1600/Screen+Shot+2019-12-21+at+10.29.39+AM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9AyknI8V2QJ_VhnuRDwE5f-r27yqN-okHmQC_vd8nwTFypqafK3_kQmB1TwrA9LcpzyenXGl_7iG-aLENt68XhWpZpvKkR_X2VxcKzmxNPrZTnE4nOpxlVXuN7qZeAaMwkQc9JLxnZ-dZ/s400/Screen+Shot+2019-12-21+at+10.29.39+AM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Whereas accepting the default of, "Allow H.264 decoding," under typical conditions, will cause Horizon Performance Tracker to report, "h264 4:2:0," as the encoder. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjknJ1OXi0bgKIBGMJH0Zj0WsMqllMyoZAdsseMkEEKVolf-w8unnSg6DxvPbzXTwQcgYE-LWfuOQDH1WpVzk3oHiJ-nTPmSbwQwR6w4pD0_glv-sVkM_nudSJa6TQI4eG5McY4LtG5QhFk/s1600/Screen+Shot+2019-11-30+at+10.00.25+AM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjknJ1OXi0bgKIBGMJH0Zj0WsMqllMyoZAdsseMkEEKVolf-w8unnSg6DxvPbzXTwQcgYE-LWfuOQDH1WpVzk3oHiJ-nTPmSbwQwR6w4pD0_glv-sVkM_nudSJa6TQI4eG5McY4LtG5QhFk/s400/Screen+Shot+2019-11-30+at+10.00.25+AM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">Should you select the option, "Allow high color accuracy," and H.264 is in use, the tool will report "h264 4:4:4" as the encoder name. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGWEaOE4aFsPpt9Rc-qBX541BD843rpvlsDWxOSVtzGKONVZo0rHBum7S7sQDQkx_tXLw2k7Pms_COFgvk_zK2UWc0mW2yvf9k-JWW5-Fm3FBPZCRUSwkbAsb-yz2rXcdZyhdjbMCWddCw/s1600/Screen+Shot+2019-11-30+at+5.18.51+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="95" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGWEaOE4aFsPpt9Rc-qBX541BD843rpvlsDWxOSVtzGKONVZo0rHBum7S7sQDQkx_tXLw2k7Pms_COFgvk_zK2UWc0mW2yvf9k-JWW5-Fm3FBPZCRUSwkbAsb-yz2rXcdZyhdjbMCWddCw/s400/Screen+Shot+2019-11-30+at+5.18.51+PM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Further, if H.264 is enabled and there's an NVIDIA GRID card enabled for your VM, the tool reports an encoder name of "NVIDIA NvEnc H264." Here's an example from a GPU-enabled VM in VMware's TestDrive environment: </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHu5XKlstPRHrHd5UGk9wsxbRmv1cMavV5WrCrMLtVoGnEWJhhFmpRtlT3kaxRZyWinAmDFfw9FBoRJh-bwN2EOyqIXsLHTKtn9aiiykGOZwOf7Hp3G45Mj_DqhRlmE0y7Qh8eQyc-g_rx/s1600/Screen+Shot+2019-12-07+at+6.12.23+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHu5XKlstPRHrHd5UGk9wsxbRmv1cMavV5WrCrMLtVoGnEWJhhFmpRtlT3kaxRZyWinAmDFfw9FBoRJh-bwN2EOyqIXsLHTKtn9aiiykGOZwOf7Hp3G45Mj_DqhRlmE0y7Qh8eQyc-g_rx/s400/Screen+Shot+2019-12-07+at+6.12.23+PM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">Finally, to allow for use of H.265 when connecting to the same virtual desktop as detailed above, on the Horizon client I checked the box for, "Allow High Efficiency Video Decoding (HEVC)." With my client supporting H.265, Horizon Performance Tracker reports "NVIDIA NvEnc HEV" as the encoder in use. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxh7PnrSExg-8Rm0UjG_zW6j_Or7MnN2ZbAtc1i_QoeyEY0h3EwJZIFGWmrYFbUDQB3ssSMhkPPELT5rZVy17l3cBY4c-bxEagxQSBpoJrlxajq3ZeeGsciGSvg5dm6QpTy7DIx_MGrFUP/s1600/Screen+Shot+2019-12-21+at+10.25.11+AM.png" imageanchor="1"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxh7PnrSExg-8Rm0UjG_zW6j_Or7MnN2ZbAtc1i_QoeyEY0h3EwJZIFGWmrYFbUDQB3ssSMhkPPELT5rZVy17l3cBY4c-bxEagxQSBpoJrlxajq3ZeeGsciGSvg5dm6QpTy7DIx_MGrFUP/s400/Screen+Shot+2019-12-21+at+10.25.11+AM.png" width="400" /></a></span><br />
<br />
<h3>
<span style="color: #9fc5e8; font-size: large;">
Observing Blast's Bandwidth Consumption In Real-Time</span></h3>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Roughly five and a half years ago I had the honor of meeting the great Cale Fogel, Breaker Of Chains, Knower Of Things And Talker Of Straight. During some chit-chat in the hallways of VMworld 2014 he summarized the situation with display protocols quite succinctly: "It's all about how much screen real estate you're dealing with, resolution, number of screens, versus the amount of changes on the screen. The more changes that occur and the higher the resolution, the more pixels that have to cross the wire and get reordered on the endpoint." So, if you have a single low-resolution monitor and a completely static screen, you'll have very few pixels to change and the protocol will gobble up very little in terms of compute resources and network bandwidth. On the other hand, if you have multiple monitors at high resolution displaying a lot of actively changing content, compute consumption will be high and bandwidth usage will be high. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">An easy way to see this first hand, in real time, is through Horizon Performance Tracker. Along with the nifty info we've discussed so far, it details how much bandwidth the display protocol is currently gobbling up: under the encoder section there's a field, "Bandwidth used." Reduce the screen resolution, do nothing within the VM, and you'll see the bandwidth usage plummet.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiQq5iWnY6-S5pEbvKdldYK211IMyPLpmxGkYVYibLYduB37TMD6k9Rwya1VIzVjzKAVw6OmI2sCy9WAMzAu887rIk7DuCosqidChyEJXbAP_s8JcHHUxj7SgmyM-28uyBQJRrfQmumU-O/s1600/Screen+Shot+2019-11-30+at+10.00.13+AM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiQq5iWnY6-S5pEbvKdldYK211IMyPLpmxGkYVYibLYduB37TMD6k9Rwya1VIzVjzKAVw6OmI2sCy9WAMzAu887rIk7DuCosqidChyEJXbAP_s8JcHHUxj7SgmyM-28uyBQJRrfQmumU-O/s400/Screen+Shot+2019-11-30+at+10.00.13+AM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Only 10k of traffic generated by the Blast protocol, woo-hoo! However, don't get too excited haole. Within the same session, move the Horizon Performance Tracker utility itself around on the desktop, shaking it hard and violently like a chimpanzee on meth. Bandwidth will temporarily spike.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjssPeTAL-FcGb5V_itq_qJLb23FX30D4RPwE-qs1gTlbGsOiM3QdvHMJtsYSnXzZQsorXnEJV2yjeHuk6J6Dmh48B7dVSaHgl5AUrdOpC9Yd-BxfT2VMGQKoIaK3v1Cf_Lt5eqvJA4ZkZZ/s1600/Screen+Shot+2019-11-30+at+10.00.25+AM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjssPeTAL-FcGb5V_itq_qJLb23FX30D4RPwE-qs1gTlbGsOiM3QdvHMJtsYSnXzZQsorXnEJV2yjeHuk6J6Dmh48B7dVSaHgl5AUrdOpC9Yd-BxfT2VMGQKoIaK3v1Cf_Lt5eqvJA4ZkZZ/s400/Screen+Shot+2019-11-30+at+10.00.25+AM.png" width="400" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Now, for some real fun, fire up YouTube, put on a Star Wars trailer, raise the YouTube resolution to high definition and then take a look at Performance Tracker.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeQsAYwS99JABnKi60nQkNx-rMxeTdxnDoqEltwEB-7ReJx8bqihhbmJsE0NBG6QiqUIMWOuzi5OQ_nxkkIq04woh6sOYYnh8I_g7yDDXnnXyh9Y1Ja9MzSZOMzxOgnC-0bbldV7G5dVEm/s1600/Screen+Shot+2019-11-30+at+10.09.06+AM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeQsAYwS99JABnKi60nQkNx-rMxeTdxnDoqEltwEB-7ReJx8bqihhbmJsE0NBG6QiqUIMWOuzi5OQ_nxkkIq04woh6sOYYnh8I_g7yDDXnnXyh9Y1Ja9MzSZOMzxOgnC-0bbldV7G5dVEm/s640/Screen+Shot+2019-11-30+at+10.09.06+AM.png" width="640" /></span></a><br />
<br />
<span style="color: #9fc5e8;">When it comes to Horizon's display protocols, I like to say, the only way through is through. Lots of changes on the desktop translate to lots of compute and bandwidth usage. Fundamentally, it's more of a math problem than anything else. </span><span style="color: #9fc5e8;"> In the optimization guide, this dynamic is well articulated with the statement, "It is extremely important to recognize that optimizing for higher quality nearly always results in more system resources being used, not less. Except under very unique conditions, it is not possible to increase quality while limiting system resources." It goes on to elaborate on the inverse relationship between quality experience and optimized resource usage, stating, "Except in unique situations, optimizing quality increases bandwidth utilization, whereas optimizations for WANs require limiting quality to function over poor network conditions." So, you're going to have to be honest with yourself and pick your poison.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h3>
<span style="color: #9fc5e8; font-size: large;">More Advanced Tuning Covered By The Optimization Guide</span></h3>
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">The optimization guide goes on to cover additional Blast tuning settings such as Max Session Bandwidth, Min Session Bandwidth and Frames Per Second. While Horizon Performance Tracker can assist with the configuration of these more advanced settings, before mucking around with them I'd turn your attention back to the VM, the OS and the underlying infrastructure. This isn't to say that advanced Blast tuning is a waste of time. It's just that, in the absence of other information about your use case, you're more likely to have user experience problems caused by the VM and underlying infrastructure than by Blast tuning. The optimization guide echoes this sentiment, recommending that, "Before tuning Blast Extreme, it is critical to properly size and optimize the virtual desktops, Microsoft RDSH servers, and supporting infrastructure." Remember, the key processes behind Blast, VMBlastS.exe, VMBlastW.exe and VMBlastP.exe, run WITHIN the OS of your virtual desktops. So if those VMs are under-specced or starved for resources, the Blast processes are starved too and Blast performance is going to suck. Further, if critical apps within your VM are starved for resources, no amount of tuning will make up for an app experience that's ruined before anything has even been remotely displayed. Along those lines, after confirming your VMs are properly specced, optimized and supported by your infrastructure, I'd recommend taking a hard second look at profile configuration, critical apps and the network paths those apps rely on. Often a poor user experience is the result of a deficiency outside the Horizon stack, with Horizon just being the messenger. And we all know what folks love to do to messengers. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">So, in summary, when it comes to Blast tuning, I'd begin by confirming you're getting the proper transport and codec selection. I'd also recommend being honest with yourself about the bandwidth requirements, use case requirements and network limitations. However, before doing a deep dive into the advanced tuning of Blast, I'd take a very long, hard second look at the rest of your environment.</span></div>
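<span style="color: #9fc5e8;">To turn "confirm you're getting the proper transport and codec selection" into a repeatable check, here is an added example (mine, not VMware's, and not part of the original post) that audits the Blast agent's policy values from a reg export of the agent's policy key. The key path and value names are the ones I recall from the Blast ADMX template (vdm_blast.admx) and are assumptions to verify against the template shipped with your Horizon version; the export itself is constructed for the example. It flags a policy that pins sessions to TCP, one that disables H.264, a minimum session bandwidth above the maximum, and a frame-rate cap above the 30 fps used here as the example's own threshold.</span><br />

```python
"""Audit VMware Blast agent policy values from a .reg export.

Added example, not VMware's code. Assumptions: the key path and value
names below come from the Blast ADMX template (vdm_blast.admx) as I
recall it; verify them against the template for your Horizon version.
"""
import re

# Where the Blast ADMX template writes its settings (assumption, see above).
BLAST_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware Blast\config"

# Constructed sample of what `reg export` produces for that key
# (real exports are UTF-16 with a BOM; decode them before parsing).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\VMware, Inc.\VMware Blast\config]
"UDPEnabled"=dword:00000000
"H264Enabled"=dword:00000001
"MaxBandwidthKbps"=dword:00001f40
"MinBandwidthKbps"=dword:00002710
"EncoderMaxFPS"=dword:0000003c
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{8}|"[^"]*")$')


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: int | str}}.

    Handles the two value types the Blast template uses (REG_DWORD and
    REG_SZ); anything else is ignored rather than guessed at.
    """
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current is not None:
            name, rhs = value_match.groups()
            if rhs.startswith("dword:"):
                keys[current][name] = int(rhs[len("dword:"):], 16)
            else:
                keys[current][name] = rhs.strip('"')
    return keys


def audit_blast_policy(values: dict, max_fps: int = 30) -> list:
    """Return human-readable findings for one Blast policy value set.

    `max_fps` is this example's threshold, not a VMware recommendation.
    """
    findings = []
    if values.get("UDPEnabled") == 0:
        findings.append("UDPEnabled=0: sessions are pinned to TCP, so the UDP "
                        "stack's packet-loss tolerance is never available")
    if values.get("H264Enabled") == 0:
        findings.append("H264Enabled=0: every session falls back to the "
                        "JPG/PNG ('adaptive') encoder")
    lo = values.get("MinBandwidthKbps")
    hi = values.get("MaxBandwidthKbps")
    if lo is not None and hi is not None and lo > hi:
        findings.append(f"MinBandwidthKbps={lo} exceeds MaxBandwidthKbps={hi}")
    fps = values.get("EncoderMaxFPS")
    if fps is not None and fps > max_fps:
        findings.append(f"EncoderMaxFPS={fps}: above {max_fps}, every extra "
                        "frame costs encode CPU and bandwidth")
    return findings


if __name__ == "__main__":
    policy = parse_reg(SAMPLE_REG).get(BLAST_POLICY_KEY, {})
    for finding in audit_blast_policy(policy):
        print("-", finding)
```

<span style="color: #9fc5e8;">Against a real agent, export the key with reg export and feed the decoded text to parse_reg; an empty findings list is what you want to see before you start fiddling with the advanced settings, and a non-empty one usually explains a "wrong" transport or codec in Performance Tracker faster than any packet capture.</span><br />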
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhamV-cVEZ0vwhfJ95SZ_yy_5Lqek75Ds-kdsr1NcUt37CcvOTLfdrwndCqZIOZ40Y25NQXF00qZcIaLwIkHq0ff1zB1B8xkqxyXScqp-_xzwraTp4gt18ww_ZzYYxrfn9nk8rMK8DxlXVt/s1600/Screen+Shot+2019-12-22+at+9.32.58+PM.png" imageanchor="1"><img border="0" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhamV-cVEZ0vwhfJ95SZ_yy_5Lqek75Ds-kdsr1NcUt37CcvOTLfdrwndCqZIOZ40Y25NQXF00qZcIaLwIkHq0ff1zB1B8xkqxyXScqp-_xzwraTp4gt18ww_ZzYYxrfn9nk8rMK8DxlXVt/s400/Screen+Shot+2019-12-22+at+9.32.58+PM.png" width="400" /></a></span></div>
EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com1tag:blogger.com,1999:blog-7411363718337372107.post-78654754646741177472019-09-22T10:45:00.001-07:002019-09-23T20:14:22.824-07:00Wrapping Workspace ONE Goodness Around Office 365 - A Primer<br />
<span style="color: #9fc5e8;">In my first desktop support role I’d hop from cubicle to cubicle, hurling my plastic Microsoft Office 2000 disc like a ninja star at beige Dell towers. I’d take a seat at a user’s desk, pop in my little silver friend, punch in a memorized CD key and then, 10 to 15 minutes later, I’d assure the user it was no problem at all and walk on to the next cubicle.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha0hENxQnuQ79cH0EHRKG46P_9uqU0VlXBHJajFerUOXRsoaAi9rNouRPdKOiP7h1MK1y-LJXXYsJz6skRKvBJURWu22XQl-pRe123IqyYNKssQqWkiYMiS2R1TvyiKU0yS8Wv09qklvMo/s1600/Microsoft_Office_2000_Professional_Microsoft_X03-80197_1999_Disc_1.jpeg"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEha0hENxQnuQ79cH0EHRKG46P_9uqU0VlXBHJajFerUOXRsoaAi9rNouRPdKOiP7h1MK1y-LJXXYsJz6skRKvBJURWu22XQl-pRe123IqyYNKssQqWkiYMiS2R1TvyiKU0yS8Wv09qklvMo/s200/Microsoft_Office_2000_Professional_Microsoft_X03-80197_1999_Disc_1.jpeg" width="197" /></a><br /><br />Well, it’s 2019 and everything’s more demanding and complex. With Office 365 deployments we're aiming to make Office available to users from anywhere, on pretty much any mobile device. To fulfill this desire for ubiquitous Office access, engineers must design for a balance between convenience and security. To think such a task will be easy or without challenges is about as reasonable as this: </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKEtK39vZ56p2l6xNQLFQ1bf1SGpQeNbvth38FRiZ1Tpzx_xw9_a8vwH5WY-_DhfPG5b1UncbwjXx1QeedZbIIO7w7fnJfTi2cqNR-F8s84jIxOWhJ24-wvxI-tKg2Mgln6_IZ9IpT_i3P/s1600/everything.jpg" imageanchor="1"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKEtK39vZ56p2l6xNQLFQ1bf1SGpQeNbvth38FRiZ1Tpzx_xw9_a8vwH5WY-_DhfPG5b1UncbwjXx1QeedZbIIO7w7fnJfTi2cqNR-F8s84jIxOWhJ24-wvxI-tKg2Mgln6_IZ9IpT_i3P/s400/everything.jpg" width="300" /></a></span><br />
<br />
<span style="color: #9fc5e8;">Once the challenge of securing Office 365 is truly appreciated, the Workspace ONE solution becomes an incredibly compelling proposition. Leveraging cloud-based instances of Workspace ONE Access and UEM, within hours we can wrap WS1 security and convenience around Office 365 access. </span><span style="color: #9fc5e8;">Not only does this address Office 365 deployment challenges, it also establishes a foundation for the delivery of other SaaS-based solutions within a digital workspace. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h3>
<span style="color: #9fc5e8;">Recipe Overview</span></h3>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<span style="color: #9fc5e8;">Key security benefits of Workspace ONE, such as SSO and conditional access based on device compliance, can be extended to Office 365 by federating an Azure tenant with Workspace ONE Access. (Workspace ONE Access is the artist formerly known as VMware Identity Manager, <a href="https://www.vmware.com/products/workspace-one/access.html">RIP</a>.) In another post, <a href="https://www.evengooder.com/2019/09/WS1-Goodness-Arround-Office365-Quick-n-Dirty.html" target="_blank">Wrapping Workspace ONE Goodness Around Office 365 Access - A Quick And Dirty Recipe</a>, I fully detail an integration between Office 365 and WS1. The recipe calls for a federation directly between Azure and WS1, without the complexity of ADFS. </span><span style="color: #9fc5e8;"> If you're interested in jumping right into this recipe, again, <a href="https://www.evengooder.com/2019/09/WS1-Goodness-Arround-Office365-Quick-n-Dirty.html" target="_blank">here's the link</a>. Otherwise, below is some overview of, and context on, Office 365 and Workspace ONE.</span><br />
<br />
<div>
<h3>
<span style="color: #9fc5e8;">The Standard Microsoft Options For Office 365 Access </span></h3>
<span style="color: #9fc5e8;"><br />If you want to use local AD accounts for Office 365 access, you start by standing up an instance of Azure AD Connect within your trusted network. This component syncs your local AD users to your Azure tenant, which in turn allows you to entitle them to Office 365 licenses. Once these users are synchronized and enabled for Office 365 access, the next question is, "how do you authenticate these users against the local AD environment?" For that you have three basic options: ADFS, PHS (Password Hash Synchronization), and PTA (Pass-through Authentication). </span><br />
<br />
<h3>
<span style="color: #9fc5e8;">Password Hash Synchronization</span></h3>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">Password hash synchronization is the default authentication method when Azure AD Connect is installed. One of the more notable features of this option is that you don't need to poke any holes in any firewalls or set up any internet-accessible infrastructure. Azure AD Connect reads each user's on-premises password hash, re-hashes it with a per-user salt, and stores that derived value in the Azure tenant so that AD users can authenticate to Office 365 with their normal credentials; the clear-text password never leaves your network, and neither does the raw NT hash. The caveat is that reading those hashes requires directory replication rights on the Azure AD Connect service account, so the server running it must be protected like a domain controller. </span></div>
<span style="color: #9fc5e8;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzOukHDLwqnxbQJiqN90FUFzhI1NuqPScIsx9PIAh44W5IlRyAcvCLALVmo91nl09mCbXoGbhcZMRAn1dJNcd9nM3eUUyRhIe8Suh34NAaV5x330qUMO4VaMSkilMWqm-gMl8Fs7vjlapA/s1600/Screen+Shot+2019-08-10+at+3.07.42+PM.png" imageanchor="1"><img border="0" height="420" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzOukHDLwqnxbQJiqN90FUFzhI1NuqPScIsx9PIAh44W5IlRyAcvCLALVmo91nl09mCbXoGbhcZMRAn1dJNcd9nM3eUUyRhIe8Suh34NAaV5x330qUMO4VaMSkilMWqm-gMl8Fs7vjlapA/s640/Screen+Shot+2019-08-10+at+3.07.42+PM.png" width="640" /></a><br /> </span><br />
<h3>
<span style="color: #9fc5e8;">Pass-through Authentication </span></h3>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">Similar to PHS, Pass-through Authentication (PTA) allows you to authenticate against your on-premises AD environment without having to poke holes through firewalls or set up any internet-accessible infrastructure. However, no AD password hashes are stored in your Azure environment. Instead, authentication against your local AD environment is handled by a special agent running on the Azure AD Connect server (and, for redundancy, on additional servers) within your trusted environment. This agent communicates with the Azure tenant over outbound TCP 443 only. </span></div>
<span style="color: #9fc5e8;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8Fk0JQ7nZm2pXImJ3EwaJ4hZb1n9DUatQZbaDF8HcHzlDhm7X3N3XychCI-Bsmq9hwLkbgsppROjt-HobKJBI9_ReDN8303t6YRI_UTGnt4bB7cXLrcTk5o63XggkSI2chelpk7TAQ0sG/s1600/PTA.png" imageanchor="1"><img border="0" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8Fk0JQ7nZm2pXImJ3EwaJ4hZb1n9DUatQZbaDF8HcHzlDhm7X3N3XychCI-Bsmq9hwLkbgsppROjt-HobKJBI9_ReDN8303t6YRI_UTGnt4bB7cXLrcTk5o63XggkSI2chelpk7TAQ0sG/s640/PTA.png" width="640" /></a></span><br />
<h3>
<span style="color: #9fc5e8;"><br /></span></h3>
<h3>
<span style="color: #9fc5e8;">Seamless Single Sign-On </span></h3>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">Regardless of whether you go with PHS or PTA, you can leverage Seamless Single Sign-On for your on-premises, domain-joined users. This capability makes PHS or PTA a very attractive option for replacing ADFS in situations where Office 365 is the only application you need to federate. </span></div>
<span style="color: #9fc5e8;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1EIi-7IabviAID2nfEzSOs7A5rV_k7TkdiFJmx0D3Oo7AY-lhZOujTRCs8n1EOi7raNAzTPrBWU2O50I8jHDsipDZ3QA9c2NFj8CVlQ_AAQHyX0FkNqOfKpYnVXdhpi7znhiYtfCsFaco/s1600/Screen+Shot+2019-08-10+at+3.13.46+PM.png" imageanchor="1"><img border="0" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1EIi-7IabviAID2nfEzSOs7A5rV_k7TkdiFJmx0D3Oo7AY-lhZOujTRCs8n1EOi7raNAzTPrBWU2O50I8jHDsipDZ3QA9c2NFj8CVlQ_AAQHyX0FkNqOfKpYnVXdhpi7znhiYtfCsFaco/s640/Screen+Shot+2019-08-10+at+3.13.46+PM.png" width="640" /></a></span><br />
<h3>
<span style="color: #9fc5e8;"><br /></span></h3>
<h3>
<span style="color: #9fc5e8;">ADFS </span></h3>
<div>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span></div>
<div>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">ADFS is the original Microsoft solution for authenticating on-premises AD users to Office 365. Unlike PHS or PTA, if you want users to have access to Office from the outside world, with the ADFS model you'll need to set up some internet-facing infrastructure (typically Web Application Proxy servers in a DMZ). In light of this requirement, PHS or PTA appear to be the path of least resistance. However, if you're looking to integrate other SaaS solutions beyond Office, without the assistance of any third-party IdP, ADFS is still relevant. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghP88tfqBdqk-czmu5G9fwX01wdwv0sb6ZwGzLnXS1rwwahITHh2PbviskzNQwCa0LblscmC2F4saHiVW0XawROhpd1-DwJ7NrIts4eEOnmNEhHSigW8XsQvwU6Y09eWZFkc3dnQYyF8zo/s1600/ADFS_Feature_Page-750x375.png" imageanchor="1"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghP88tfqBdqk-czmu5G9fwX01wdwv0sb6ZwGzLnXS1rwwahITHh2PbviskzNQwCa0LblscmC2F4saHiVW0XawROhpd1-DwJ7NrIts4eEOnmNEhHSigW8XsQvwU6Y09eWZFkc3dnQYyF8zo/s640/ADFS_Feature_Page-750x375.png" width="640" /></a></div>
<h3>
<span style="color: #9fc5e8;"><br /></span></h3>
<h3>
<span style="color: white; font-size: large;">Utilizing Workspace ONE Access For Office 365</span></h3>
<div>
<h3>
<span style="color: #9fc5e8;"><br /></span></h3>
<h3>
<span style="color: #9fc5e8;">Workspace ONE Access Federation With ADFS</span></h3>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">One option for integrating Workspace ONE with Office 365 involves federation with ADFS. ADFS is federated with Azure, and then in turn federated with Workspace ONE Access. This can involve setting up Workspace ONE Access as a third-party identity provider for ADFS or, vice versa, configuring ADFS as a third-party identity provider for Workspace ONE Access. </span><br />
<span style="color: #9fc5e8;"><br /></span></div>
<h3>
<span style="color: #9fc5e8;">Workspace ONE Federation With Another 3rd Party Identity Solution</span></h3>
<div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Another option is to have some kind of federation between your Office 365 environment and another identity provider like Ping or Okta. Then, in turn, you can federate the third-party IdP with Workspace ONE Access, allowing the third-party IdP to leverage the device awareness of Workspace ONE UEM. </span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpFvRNTntVleO8VrKaufxIMdyoqbKqkjavq46VvCdsnjY8YPywkCkA8yL77BN0QgGbzheUTcuQj0tqzf3M1CmgdbteNiGSCBuY6yh_foKnwiUme56ITWNCluCLC11WPlsIInlnhMJsw8Ij/s1600/Screen+Shot+2019-09-22+at+8.32.56+AM.png" imageanchor="1"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpFvRNTntVleO8VrKaufxIMdyoqbKqkjavq46VvCdsnjY8YPywkCkA8yL77BN0QgGbzheUTcuQj0tqzf3M1CmgdbteNiGSCBuY6yh_foKnwiUme56ITWNCluCLC11WPlsIInlnhMJsw8Ij/s640/Screen+Shot+2019-09-22+at+8.32.56+AM.png" width="640" /></a></span></div>
<h3>
<span style="color: #9fc5e8;"><br /></span></h3>
<h3>
<span style="color: #9fc5e8;">Direct Federation Between Azure And Workspace ONE Access</span></h3>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">The recipe detailed in my post, <a href="https://www.evengooder.com/2019/09/WS1-Goodness-Arround-Office365-Quick-n-Dirty.html" target="_blank">Wrapping Workspace ONE Goodness Around Office 365 - A Quick And Dirty Recipe</a>, is based on a direct federation between Workspace ONE Access and an Azure tenant. With this model, Workspace ONE Access becomes the primary identity provider for your Office 365 subscription. A key capability that allows for this is configuring an on-premises vIDM Connector in outbound mode. While Azure AD Connect continues to sync users to the Azure tenant, </span><span style="color: #9fc5e8;">actual authentication is handled by a vIDM Connector in a manner very similar to Microsoft's Pass-through Authentication model. </span></div>
<span style="color: #9fc5e8;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPoZ3aHogZWHY4QTk3EC-iCiTRQe_rXKatFK8xWyXwZBbIoyOKYKvVhCJQARKARL2PZWwlNAyYTuF8U1TOLBTuHjSAW1CLWwCn92-IasYWV_L5whFjiWilktK1KN5OvTRO7GPCKXvK8DOJ/s1600/vIDM_Connector.png" imageanchor="1"><img border="0" height="486" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPoZ3aHogZWHY4QTk3EC-iCiTRQe_rXKatFK8xWyXwZBbIoyOKYKvVhCJQARKARL2PZWwlNAyYTuF8U1TOLBTuHjSAW1CLWwCn92-IasYWV_L5whFjiWilktK1KN5OvTRO7GPCKXvK8DOJ/s640/vIDM_Connector.png" width="640" /></a><br /><br />The benefit of this deployment model is the simplicity of setting up PTA combined with the full breadth of Workspace ONE capabilities. Most notably, we get the benefits of an integration with Workspace ONE UEM (the artist formerly known as AirWatch). Leveraging the device compliance policies of WS1 UEM (AirWatch), we can factor in device posture when implementing our conditional access policies. <br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfEa8p9vidhqDMWVgbrSO_BVHzUM6D2RCuR49Ypdttu3NgZ11glQpF78FFnuxzNXKuPVr_wuXOkp_Cjq1i9vKfMltoCb_RdwKkSCTMYPdJCA3lCnabUt9ipIWOtA0lC1oA6iurL4OJNdhH/s1600/Office_for_ios.png" imageanchor="1"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfEa8p9vidhqDMWVgbrSO_BVHzUM6D2RCuR49Ypdttu3NgZ11glQpF78FFnuxzNXKuPVr_wuXOkp_Cjq1i9vKfMltoCb_RdwKkSCTMYPdJCA3lCnabUt9ipIWOtA0lC1oA6iurL4OJNdhH/s640/Office_for_ios.png" width="640" /></a></span><br />
<div>
<h3>
<span style="color: #9fc5e8;"><br /></span></h3>
<h3>
<span style="color: #9fc5e8;">Additional Resources</span></h3>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />Wrapping Workspace ONE Goodness Around Office 365 - A Quick And Dirty Recipe:<br />https://www.evengooder.com/2019/09/WS1-Goodness-Arround-Office365-Quick-n-Dirty.html<br /><br />Hybrid Identity And Directory Synchronization For Office 365:</span><br />
<span style="color: #9fc5e8;"><a href="https://docs.microsoft.com/en-us/office365/enterprise/plan-for-directory-synchronization">https://docs.microsoft.com/en-us/office365/enterprise/plan-for-directory-synchronization</a></span><br />
<span style="color: #9fc5e8;"><br /><span style="color: #9fc5e8;">Official VMware Guidance: </span><br /><a href="https://www.vmware.com/pdf/vidm-office365-saml.pdf" style="color: #9fc5e8;">https://www.vmware.com/pdf/vidm-office365-saml.pdf</a><br /><br /><span style="color: #9fc5e8;">Dean Flaming Elaboration: </span><br /><a href="https://m.youtube.com/watch?t=1s&v=fUSTdsGk6ko&noapp=1&client=mv-google" style="color: #9fc5e8;">https://m.youtube.com/watch?t=1s&v=fUSTdsGk6ko&noapp=1&client=mv-google</a><br /><br /><span style="color: #9fc5e8;">Peter Bjork Blog: </span><br /><a href="https://blogs.vmware.com/horizontech/2016/12/vmware-identity-manager-2-8-office-365-user-provisioning-federation.html" style="color: #9fc5e8;">https://blogs.vmware.com/horizontech/2016/12/vmware-identity-manager-2-8-office-365-user-provisioning-federation.html</a><br /><br /><span style="color: #9fc5e8;">Preparing a non-routable domain for directory synchronization: </span><br /><a href="https://docs.microsoft.com/en-us/office365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization" style="color: #9fc5e8;">https://docs.microsoft.com/en-us/office365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization</a></span></div>
<br />
<span style="color: #9fc5e8;">Configuring VMware Identity Manager As A Third Party IDP In AD FS:</span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"><a href="https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/vidm-configuring-vidm-in-adfs.pdf">https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/vidm-configuring-vidm-in-adfs.pdf</a></span><br />
<br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">VMware Identity Manager using Azure AD as 3rd party Identity Provider:<br /><a href="https://blogs.vmware.com/horizontech/2016/12/vmware-identity-manager-using-azure-ad-3rd-party-identity-provider.html">https://blogs.vmware.com/horizontech/2016/12/vmware-identity-manager-using-azure-ad-3rd-party-identity-provider.html</a></span></div>
<h3>
<span style="color: #9fc5e8;">Wrapping Workspace ONE Goodness Around Office 365 - A Quick And Dirty Recipe</span></h3>
<span style="color: #9fc5e8;">Posted by EvenGooder, 2019-09-22 (updated 2019-10-01)</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYomkG_L00980tv9Bzl4nmqSn0SKLZ-U6WgWU2FHJTuIlgI-o6xh_2ZI779LuAeWQnDoAuCErAGk7x-kD31ETjb5NEJgagy_7ljeaAX-xP7rkGJWvqO0g-vWXl4zVNtFFIm-wYXpWYt-Ep/s1600/Office365_access.png" imageanchor="1"><img border="0" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYomkG_L00980tv9Bzl4nmqSn0SKLZ-U6WgWU2FHJTuIlgI-o6xh_2ZI779LuAeWQnDoAuCErAGk7x-kD31ETjb5NEJgagy_7ljeaAX-xP7rkGJWvqO0g-vWXl4zVNtFFIm-wYXpWYt-Ep/s640/Office365_access.png" width="640" /></a></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">This recipe will detail a federation of Office 365 with a cloud instance of Workspace ONE Access, the product formerly known as VMware Identity Manager. It's a very quick and dirty, all-in approach to an integration between Workspace ONE and Office 365 that's ideal for POCs and lab environments. It's certainly not the only way to integrate Office 365 with Workspace ONE. The ideal production deployment strategy very much depends on the specifics of your circumstances, like current WS1 licensing, ADFS requirements or other identity providers in the mix. However, as far as standing something up quickly in a lab so that you can explore options for an Office 365/WS1 integration, I think this deployment model is the cat's pajamas and I'm super excited to share it. </span><br />
<br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">With this recipe, Azure AD Connect is used to sync users from a local on-premises AD environment to an Azure tenant. While users will be synced using Azure AD Connect, actual authentication against the local AD environment will be handled by Workspace ONE Access through the deployment of an on-premises vIDM Connector. Doing this allows for a very straightforward federation of Office 365 with Workspace ONE, bypassing the need for ADFS. For additional context and pretty pictures about this strategy, <a href="https://www.evengooder.com/2019/09/WS1-Goodness-ArroundOffice365-Primer.html" target="_blank">check out this primer post</a>. Otherwise, below is a quick overview of the recipe, followed by the actual steps.</span><br />
<br />
<h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Basic Resource Requirements</span></span></h3>
<br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span> <span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Azure AD/Office 365 Subscription</span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Workspace ONE Access Cloud Tenant (The Artist Formerly Known As vIDM)</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> 1 Small On-Premises Server For AD Connect</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> 1 Small On-Premises Server For vIDM Connector</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> Elbow grease and access rights</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span><br />
<h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Deployment Outline</span></span></h3>
<br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span></span> <span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Preparing Office 365:</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Spinning up an Office 365 environment</span></span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Prepare non-routable domain for directory synchronization</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Integrate with on-premises AD through Azure AD Connect</span></span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span></span> <span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Prepare Workspace One Access Environment:</span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Deploy vIDM Connector</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Bind to on-premises AD </span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Enable</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> outbound mode for vIDM Connector </span><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span> <span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> Integrate Office 365 with Workspace ONE Access:</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> </span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> Add Office 365 To Catalog</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> </span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> Federate Azure Tenant With Workspace ONE Access</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> </span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> Configure Conditional Access Policies</span><br />
<h3>
<span style="color: #9fc5e8;"><br />
</span></h3>
<h3>
<span style="color: #9fc5e8;">Preparing Office 365</span></h3>
<div>
<span style="color: #9fc5e8;"><br />
</span></div>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">After getting my hands on an Azure tenant for Office 365, my next step was adding the friendlier custom domain name of EvenGooder.com. My on-premises AD environment uses a non-routable .local domain name, lab.local. To enable these AD users to authenticate against this Office environment with their AD credentials, I next had to add the alternative UPN suffix of EvenGooder.com to the local AD domain. After that, I deployed Azure AD Connect on a server located within my trusted network. Deployed with the Pass-through Authentication option, Azure AD Connect initially not only synced users from the local AD domain to Azure, but could also authenticate these local AD users for access to the Office 365 environment. Later on in the deployment, after the federation of Office 365 with WS1, Azure AD Connect continues to sync local AD users, while authentication of these local AD users shifts over to Workspace ONE Access and an on-premises vIDM Connector. </span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span><br />
<h3>
<span style="color: #9fc5e8;">Spinning Up An Office 365 Environment</span></h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">To get access to an Azure/Office 365 subscription, I'm leveraging the Office 365 Developer program through my MSDN subscription. This provides year round access to an Office 365 environment for development purposes. </span><span style="font-family: "arial" , "helvetica" , sans-serif;"> For more information, you can <a href="https://docs.microsoft.com/en-us/office/developer-program/office-365-developer-program-faq" target="_blank">check out this FAQ</a>. If you can get access to this program I highly recommend it. Otherwise, you can get a free 30 day Office 365 eval <a href="https://www.microsoft.com/en-us/evalcenter/evaluate-office-365-proplus" target="_blank">from here</a>. </span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span><span style="font-family: "arial" , "helvetica" , sans-serif;">Setting up my tenant was a fairly straightforward process. Eventually I was prompted for a domain name to use for my subscription. </span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlReUi4KUWiZ3kh-TbuayNdwfnUIAqqWlKkpJivPDh3wZ8wkJsv0rxMzuTpMoS_Bwh_EfEJKGSkq6UiNXoCdv51bvyB12D2dSvMooTfq5-CRZfIPIGbRc1FCHTFIcC5WOt10TUdbFdjBFQ/s1600/Screen+Shot+2019-09-16+at+4.45.38+PM.png" style="font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlReUi4KUWiZ3kh-TbuayNdwfnUIAqqWlKkpJivPDh3wZ8wkJsv0rxMzuTpMoS_Bwh_EfEJKGSkq6UiNXoCdv51bvyB12D2dSvMooTfq5-CRZfIPIGbRc1FCHTFIcC5WOt10TUdbFdjBFQ/s400/Screen+Shot+2019-09-16+at+4.45.38+PM.png" /></a></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">This led to the creation of an Azure tenant environment for Office 365, with the domain name of evengooder.onmicrosoft.com. At this point, any account I created directly in my Azure environment would have the UPN suffix of evengooder.onmicrosoft.com.</span></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmEP_V7b3MpvVYSdTNIyCnf6GASJd8Ku0VX2tzuLExXpF8hFC6Goj0B5SufNeAGbw1sOe-pcRnVVi46ZCU3qrqlA0KT5kL5fHJW4EPMO8D4e-x78ikc1qm5vxUKAt_TczAyCL3hOQTYr9g/s640/Screen+Shot+2019-09-17+at+3.36.30+PM.png" /><br /><br />In turn, this new account provisioned in Azure is automatically populated in the Office 365 portal, where an admin can entitle the user to an Office license. </span><br />
<h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></h3>
<div>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span></div>
<h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Using A Friendlier UPN Suffix</span></span></h3>
<br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><br />If you want a friendlier UPN suffix, one without the onmicrosoft.com, you can add a custom domain name. In my environment, an Office 365 E3 Developer wizard guided me through the process of adding a public domain name I already own, evengooder.com.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzPzenf2mKNwwHrUbUAZEJngS08oEfya4cSwcyvgbQEnHawjLn7TQn_GOdvVILSE7YYrZi3-hvGfmt750MA4CAH0H8kKIck4PgqIOQ00vxC3zahZnXOk0XR5ZQrg-6PUdz_Y1BgFrirMRj/s1600/touched_Up.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzPzenf2mKNwwHrUbUAZEJngS08oEfya4cSwcyvgbQEnHawjLn7TQn_GOdvVILSE7YYrZi3-hvGfmt750MA4CAH0H8kKIck4PgqIOQ00vxC3zahZnXOk0XR5ZQrg-6PUdz_Y1BgFrirMRj/s640/touched_Up.png" /></a><br /> </span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">After providing evengooder.com as a domain to connect to, I was prompted for my GoDaddy credentials to prove I owned the domain.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN3_4FeKqUJPHr82awa_A6P-634mJxfhW_tUOdiMorGK4dwtnA_b8Lpsg3GBxMMJIl4ti4H5o7m5hBa42Wwqs5XGJ84ysX6YBf8BCxOlrD4irYIffw3d57voS7tPWL6nchsY8C61HMn-SH/s1600/Go_Daddy_Auth.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN3_4FeKqUJPHr82awa_A6P-634mJxfhW_tUOdiMorGK4dwtnA_b8Lpsg3GBxMMJIl4ti4H5o7m5hBa42Wwqs5XGJ84ysX6YBf8BCxOlrD4irYIffw3d57voS7tPWL6nchsY8C61HMn-SH/s400/Go_Daddy_Auth.png" /></a><br /><br /> After authorizing Microsoft to make changes to evengooder.com, I was walked through some necessary DNS changes. Once completed, I ended up with a 2nd custom domain name, evengooder.com.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwV0xMl688N5hNzULY1Jpg2Hxl3JXHsg-tNuLE3OP-5h9ewr70ZH1hsc2NZSgqxmvXSVwK4aAW1Kzsg9rR6llEufpa-e_xsNCM9Ygm6C1vFVQsueH9gT2zebxnFjCRNctUYA4HtoPXNEnu/s1600/Screen+Shot+2019-09-17+at+11.18.18+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwV0xMl688N5hNzULY1Jpg2Hxl3JXHsg-tNuLE3OP-5h9ewr70ZH1hsc2NZSgqxmvXSVwK4aAW1Kzsg9rR6llEufpa-e_xsNCM9Ygm6C1vFVQsueH9gT2zebxnFjCRNctUYA4HtoPXNEnu/s640/Screen+Shot+2019-09-17+at+11.18.18+AM.png" /></a><br /><br />At this point, when creating users directly in the Azure environment, they can have either the UPN suffix of evengooder.com or evengooder.onmicrosoft.com.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpArQKfOwpOIHaRrJgoTnjjW5Rejvri2eQSyQyGQshqZq7bbE9kmoXpolq2IOJcSiGUAZGKAEKdbh-MkUWtWyGEKEUMcjdrwlaR3uJWIYTXfwNewsTq8flWqsgCuqKCOBZZWXYdnveBHx_/s1600/Screen+Shot+2019-09-17+at+4.02.12+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpArQKfOwpOIHaRrJgoTnjjW5Rejvri2eQSyQyGQshqZq7bbE9kmoXpolq2IOJcSiGUAZGKAEKdbh-MkUWtWyGEKEUMcjdrwlaR3uJWIYTXfwNewsTq8flWqsgCuqKCOBZZWXYdnveBHx_/s640/Screen+Shot+2019-09-17+at+4.02.12+PM.png" /></a></span><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span> </span><br />
<h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Preparing A Non-routable Domain For Directory Synchronization</span></span></h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">Because my AD lab is leveraging a non-routable .local domain name, LAB.LOCAL, I had one more step before deploying Azure AD Connect. I needed to add evengooder.com as an alternative UPN suffix for members of the LAB.LOCAL domain. Fortunately, a brainy colleague of mine, Leonardo Valente, pointed me to a very relevant <a href="https://docs.microsoft.com/en-us/office365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization">Microsoft </a><a href="https://docs.microsoft.com/en-us/office365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization">article that provides guidance on this procedure.</a> Here are the steps.</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">First, you need to log into Active Directory Domains And Trusts. Right click on Active Directory Domains And Trusts and select properties.</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_J1IxhUYbqhY2l5k1OIttr0BtMQgstIZdTRm-S_nsef-PnAq6W3zdeD8QWsu3LoFyQFjvTiscwyxSlCdnYy_0PhrC2bJ-PDtd3uJqnz7qdJCzuK-ezmllKwIDqHg4aDOyLS4pivQVRv4P/s1600/Screen+Shot+2019-09-17+at+11.06.25+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_J1IxhUYbqhY2l5k1OIttr0BtMQgstIZdTRm-S_nsef-PnAq6W3zdeD8QWsu3LoFyQFjvTiscwyxSlCdnYy_0PhrC2bJ-PDtd3uJqnz7qdJCzuK-ezmllKwIDqHg4aDOyLS4pivQVRv4P/s400/Screen+Shot+2019-09-17+at+11.06.25+AM.png" /></a></span></span><br />
<br />
<span style="color: #9fc5e8;">Next, add the friendly UPN suffix you want to use against your Office 365 environment. In my case, it was the public domain name evengooder.com.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ8vFMCbVmDPAxvOFk5caeFcxySbDW_ITFsoZ9vBLaD9Cq4YVuomSGbQwdLIGMfGUY3pBKYjoLC0BBllDV3cET5UEa0DyDPOccqKAkdOha5vgXbOZ1_FqMdBCJsb0eq1eisAs1DT4-BbVM/s1600/Screen+Shot+2019-09-17+at+11.06.59+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ8vFMCbVmDPAxvOFk5caeFcxySbDW_ITFsoZ9vBLaD9Cq4YVuomSGbQwdLIGMfGUY3pBKYjoLC0BBllDV3cET5UEa0DyDPOccqKAkdOha5vgXbOZ1_FqMdBCJsb0eq1eisAs1DT4-BbVM/s640/Screen+Shot+2019-09-17+at+11.06.59+AM.png" /></a><br />
<br />
Finally, navigate to the account properties of any AD account you want to have access to Office 365. Change their logon name to leverage the new UPN suffix.</span><br />
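The three steps above, scripted as an added PowerShell example (not from the original post): it registers the suffix on the forest, rewrites the in-scope users' logon names, and then reports any account that would still sync with the onmicrosoft.com fallback UPN. The forest name lab.local and the suffix evengooder.com come from the post; the OU path and the dry-run switch are this example's own assumptions.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory
# module and rights to edit the forest's UPN suffixes and the users in scope.
# Run without -Apply for a dry run that only reports what would change.
param(
    [string]$Forest       = 'lab.local',                     # from the post
    [string]$PublicSuffix = 'evengooder.com',                # verified O365 custom domain (from the post)
    [string]$SearchBase   = 'OU=Lab Users,DC=lab,DC=local',  # assumed OU; adjust to your layout
    [switch]$Apply                                           # omit for a dry run
)

Import-Module ActiveDirectory

# Step 1: register the routable suffix on the forest. This is what the post does by
# hand in Active Directory Domains And Trusts > Properties > UPN Suffixes.
$forestObj = Get-ADForest -Identity $Forest
if ($forestObj.UPNSuffixes -notcontains $PublicSuffix) {
    if ($Apply) {
        Set-ADForest -Identity $Forest -UPNSuffixes @{ Add = $PublicSuffix }
        Write-Host "Added UPN suffix $PublicSuffix to forest $Forest"
    } else {
        Write-Host "[dry run] would add UPN suffix $PublicSuffix to forest $Forest"
    }
} else {
    Write-Host "UPN suffix $PublicSuffix already present on forest $Forest"
}

# Step 2: rewrite each in-scope user's logon name so its suffix matches the custom
# domain verified in Office 365. Azure AD Connect syncs the UPN as-is, and a .local
# suffix is not a verified tenant domain, so such a user lands on the fallback
# @<tenant>.onmicrosoft.com UPN (the vditest4 case described later in the post).
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName

$changed = @()
$alreadyCorrect = 0
foreach ($u in $users) {
    # Keep the existing logon-name prefix; fall back to SamAccountName if the UPN is empty.
    $prefix = if ($u.UserPrincipalName) { ($u.UserPrincipalName -split '@')[0] } else { $u.SamAccountName }
    $newUpn = '{0}@{1}' -f $prefix, $PublicSuffix

    if ($u.UserPrincipalName -eq $newUpn) { $alreadyCorrect++; continue }

    if ($Apply) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
    }
    $changed += [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldUPN         = $u.UserPrincipalName
        NewUPN         = $newUpn
    }
}

$changed | Format-Table -AutoSize
Write-Host ("{0} user(s) {1}, {2} already correct" -f $changed.Count,
    $(if ($Apply) { 'changed' } else { 'would change' }), $alreadyCorrect)

# Step 3: pre-sync audit. Re-read AD and flag every user whose suffix is still not
# the verified domain; after the Azure AD Connect import these accounts will not
# carry the friendly UPN. In a dry run this lists the users Step 2 would have fixed.
$willFallBack = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName |
    Where-Object { ($_.UserPrincipalName -split '@')[-1] -ne $PublicSuffix } |
    Select-Object SamAccountName, UserPrincipalName

if ($willFallBack) {
    Write-Warning 'These users still carry a non-verified suffix and would sync with the onmicrosoft.com fallback UPN:'
    $willFallBack | Format-Table -AutoSize
}
```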
<div>
<span style="color: #9fc5e8;"><br />
</span><span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXht6d9Jp27D1b08LG3XKF1uMmVNK8roRwHNmcCy_Pq6d0eyKZldMuiT2XVOIW5nFq9Y_sQcdRcNVIuHzKixvbpAvOtfpeTUQv0EBoplRdRZLZwL9zThfn1VRsNXwMuCZBWKljKu32Yyh1/s1600/Screen+Shot+2019-09-17+at+11.10.09+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXht6d9Jp27D1b08LG3XKF1uMmVNK8roRwHNmcCy_Pq6d0eyKZldMuiT2XVOIW5nFq9Y_sQcdRcNVIuHzKixvbpAvOtfpeTUQv0EBoplRdRZLZwL9zThfn1VRsNXwMuCZBWKljKu32Yyh1/s400/Screen+Shot+2019-09-17+at+11.10.09+AM.png" /></a></span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> At this point, when the user syncs to the Azure AD environment, they will show up as jj@evengooder.com and will be able to log into the Office environment accordingly. Before that happens though, Azure AD Connect needs to be stood up and configured.</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span><br />
<h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Integrate With On-Premises AD Using Azure AD Connect</span></span></h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">To sync your on-premises AD users to an Azure tenant, you deploy Azure AD Connect. It can also provide authentication of your local AD users against your Azure tenant through features like Password Hash Synchronization (PHS) and Pass-through Authentication (PTA).</span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqqSXaFpEnouw1orr0Bkeqs9pCZ0gjrwctAH4xwR4AGqghsK-pwQe-AwWwpQO6Fed4IJFpa9fa0zaAKiYU6Cv24HqD-k7jRwhskR6nqbQr0vXBCUOqNYH6OZq6CGLFPcC7v5QbV9aHy7N_/s1600/AzureADConnect.jpg"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqqSXaFpEnouw1orr0Bkeqs9pCZ0gjrwctAH4xwR4AGqghsK-pwQe-AwWwpQO6Fed4IJFpa9fa0zaAKiYU6Cv24HqD-k7jRwhskR6nqbQr0vXBCUOqNYH6OZq6CGLFPcC7v5QbV9aHy7N_/s400/AzureADConnect.jpg" /></a></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">After downloading Azure AD Connect from my Azure admin portal, I executed the installer on my local server and then walked through a wizard. For the initial setup I went with Pass-through Authentication.</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguE-PSgDiAAP4_ibN5EA4NnfqnS1WHRpEVelneevGqwXliB-KbhQ9eZSzbicw0IqbU0jWB2lVssD96MlOQmLTH-1Den-aUhYnx6ItyHsvs-GdasAzXApRzbWpgYe4q163HBs6dmRQfINYG/s1600/Screen+Shot+2019-09-17+at+1.25.45+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguE-PSgDiAAP4_ibN5EA4NnfqnS1WHRpEVelneevGqwXliB-KbhQ9eZSzbicw0IqbU0jWB2lVssD96MlOQmLTH-1Den-aUhYnx6ItyHsvs-GdasAzXApRzbWpgYe4q163HBs6dmRQfINYG/s400/Screen+Shot+2019-09-17+at+1.25.45+PM.png" /></a></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">Next, I provided the wizard with global admin credentials for the Azure tenant. Then, when prompted for an on-premises directory to sync with, I selected LAB.LOCAL. </span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQA4admGoQDSksWxrmYrBHjFVFbuyGtNmxKMlKIEBZj9ETZPi7c8lukC3OZNLV-pOhOZUavdbCc7Q2rAHx111_gPIc5DUTvTnBFfwX2W-_Qr7AdVw0neUNHOa9XPw3_Xgt-aKei9Cwlijz/s1600/Screen+Shot+2019-09-17+at+1.28.18+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQA4admGoQDSksWxrmYrBHjFVFbuyGtNmxKMlKIEBZj9ETZPi7c8lukC3OZNLV-pOhOZUavdbCc7Q2rAHx111_gPIc5DUTvTnBFfwX2W-_Qr7AdVw0neUNHOa9XPw3_Xgt-aKei9Cwlijz/s400/Screen+Shot+2019-09-17+at+1.28.18+PM.png" /></a><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">Then I provided enterprise admin credentials for LAB.LOCAL.</span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaUEaDvkfV8TwfXjsP86UFkRv_e6IfxT9SqowTn18BTGggxRzh8WivrNwq93C-zEUjb1BxuscjcNNklTWLzyf3MmWYl8xlNu2ln_Y05v2US0xNo6huSwFjrCxtO_H2I-Cyj1uqfrczh8tl/s1600/Screen+Shot+2019-09-17+at+8.00.56+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaUEaDvkfV8TwfXjsP86UFkRv_e6IfxT9SqowTn18BTGggxRzh8WivrNwq93C-zEUjb1BxuscjcNNklTWLzyf3MmWYl8xlNu2ln_Y05v2US0xNo6huSwFjrCxtO_H2I-Cyj1uqfrczh8tl/s400/Screen+Shot+2019-09-17+at+8.00.56+PM.png" /></a></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">Then I opted for the user principal name as an attribute to use for the Azure AD username.</span></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhftwlLZccb6qGVLSaLFl5LQsujd-ATxMhS8RAFtOdBvpFajm-7WPVscqfJmeItB0FtPIdWjFAY_AiUGipuhifML4PdcZ_bCw19cw7thYzmyKKFDcdQpJ1CLMJVkD0IUtAoaX-9kvdFlISS/s1600/Screen+Shot+2019-09-17+at+1.31.32+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhftwlLZccb6qGVLSaLFl5LQsujd-ATxMhS8RAFtOdBvpFajm-7WPVscqfJmeItB0FtPIdWjFAY_AiUGipuhifML4PdcZ_bCw19cw7thYzmyKKFDcdQpJ1CLMJVkD0IUtAoaX-9kvdFlISS/s640/Screen+Shot+2019-09-17+at+1.31.32+PM.png" /></a><br />
<br />
I then went on to next my way through the next 4 or 5 screens, essentially sticking with </span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">defaults. Soon the wizard completed and I found members from my local AD environment had been successfully synced with my Azure environment. Users who had the alternative UPN suffix configured in AD showed up accordingly under my Azure tenant users.</span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span> <span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu30ubP-5VcpUT9T-gE0rPLm9AxhWHdFgnpzXHsgpko8Xy2uPyniXnZzzq3IgLq4dyfTfczItEAk9-FLXRxupVBEBooMCE0VNa3hsTLd8PIv726SEpwC7Pw89FlIyUKpOJKlkHfJJX5cwX/s1600/Screen+Shot+2019-09-20+at+11.08.50+AM.png" imageanchor="1"><img border="0" height="70" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu30ubP-5VcpUT9T-gE0rPLm9AxhWHdFgnpzXHsgpko8Xy2uPyniXnZzzq3IgLq4dyfTfczItEAk9-FLXRxupVBEBooMCE0VNa3hsTLd8PIv726SEpwC7Pw89FlIyUKpOJKlkHfJJX5cwX/s640/Screen+Shot+2019-09-20+at+11.08.50+AM.png" width="640" /></a></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">So, vditest2 and vditest3 are examples of AD accounts configured with the alternative UPN suffix. vditest4 is an example of an account that didn't have the alternative UPN suffix configured, so the sync fell back to the tenant's default domain and it showed up as vditest4@evengooder.onmicrosoft.com after the import. Either way, I could now log into the Office 365 environment using these local AD account credentials with the corresponding UPN.</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLWlqNKORGFImhXzrApAVn9cQKxE97AU4iICdxxBKhlSJ36vlxxQaGF-tg9lW9oBl-oAqFaBrQHgJhARypwRCSzrzwjC1U2LHru712zVDrrZqGiTAaWTA3Xj6gDyEy8U5VZW-2W1qZ6e8W/s1600/Screen+Shot+2019-09-17+at+1.41.19+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLWlqNKORGFImhXzrApAVn9cQKxE97AU4iICdxxBKhlSJ36vlxxQaGF-tg9lW9oBl-oAqFaBrQHgJhARypwRCSzrzwjC1U2LHru712zVDrrZqGiTAaWTA3Xj6gDyEy8U5VZW-2W1qZ6e8W/s400/Screen+Shot+2019-09-17+at+1.41.19+PM.png" /></a></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span> <br />
<h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Prepare Workspace ONE Access Environment</span></span></h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span> <br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Fortunately, prior to this integration I already had access to a Workspace ONE Access (vIDM) cloud hosted tenant. If you reach out to your VMware sales rep they could help you get access to a test tenant. Also, if you register at VMw</span><span style="font-family: "arial" , "helvetica" , sans-serif;">are</span></span><span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> TestDrive, </span><a href="https://www.vmwdemo.com/">https://www.vmwdemo.com/</a>, you can get access to a tenant there as well. Once you have access to a Workspace ONE Access tenant, the next step is to integrate it with your local AD environment using vIDM Connector. This involves downloading and installing the connector, selecting proper user attributes, and binding to the local AD domain. Finally, you'll need to enable the connector in outbound mode so that folks outside your trusted network will be able to authenticate against the local AD environment. </span><br />
<br />
<br />
<br />
<h3>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Deploy vIDM Connector</span></h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">As of this writing, the latest version of the vIDM Connector is 19.03, which you can <a href="https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_identity_manager/19_03">download from here.</a> For a small test deployment you need a Windows server with 2 vCPU, 6 GB of RAM and 50 GB of storage. You need network connectivity to internal resources like AD and DNS. Also, you need outbound 443 access from your vIDM Connector to the Workspace ONE Access tenant. Essentially, make sure it has outbound internet access; once it runs in outbound mode (covered later) it does not need to be reachable from the internet at all. For more specifics on system requirements, check out the <a href="https://docs.vmware.com/en/VMware-Identity-Manager/services/identitymanager-connector-win/GUID-A401F9EA-0BD5-42E3-BF62-41F278724C85.html">official documentation here.</a></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">After executing the installer, you'll get the welcome window.</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNz2SRINKlk5WQYg-s1uZNG5jNFkNKDIjeXjbK8JpsfBZSdiOlDoDklzZQDc3GMfigNjp_M-HilKfKLEMKBVfNFbSZktdQrX1OkiCCd6ZcaXYtABGwFeGmn-QeLbbN_xwjzAkNxNWnZQNw/s1600/Screen+Shot+2019-09-16+at+11.44.22+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNz2SRINKlk5WQYg-s1uZNG5jNFkNKDIjeXjbK8JpsfBZSdiOlDoDklzZQDc3GMfigNjp_M-HilKfKLEMKBVfNFbSZktdQrX1OkiCCd6ZcaXYtABGwFeGmn-QeLbbN_xwjzAkNxNWnZQNw/s400/Screen+Shot+2019-09-16+at+11.44.22+AM.png" /></a></span></span><br />
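Before clicking through the installer, the prerequisites just listed (sizing, domain membership, AD and DNS reachability, outbound 443 to the tenant, and a free local port 8443 for the setup wizard that follows the install) can be verified from the prospective connector host. The PowerShell script below is an added example, not code from the original post or from VMware; the tenant FQDN, AD domain name and sizing thresholds are lab assumptions taken from the text, so adjust them for your environment.

```powershell
# Added example (not from the original post): pre-flight checks for the Windows
# server that will host the vIDM Connector. Tenant FQDN, AD domain and the
# sizing thresholds are lab assumptions taken from the text; adjust them.
#Requires -Modules DnsClient, NetTCPIP
param(
    [string]$Tenant   = 'justinjohnson.vmwareidentity.com',   # assumed Workspace ONE Access tenant
    [string]$AdDomain = 'lab.local',                          # assumed on-prem AD DNS domain
    [int]$MinCpu      = 2,
    [int]$MinRamGB    = 6,
    [int]$MinDiskGB   = 50
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Ok; Detail = $Detail })
}

# 1. Sizing: 2 vCPU / 6 GB RAM / 50 GB storage for a small test deployment
$cs     = Get-CimInstance Win32_ComputerSystem
$cpu    = (Get-CimInstance Win32_Processor | Measure-Object NumberOfLogicalProcessors -Sum).Sum
$ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
$diskGB = [math]::Round((Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')).Free / 1GB, 1)
Add-Check 'vCPU' ($cpu -ge $MinCpu)       "$cpu logical processors"
Add-Check 'RAM'  ($ramGB -ge $MinRamGB)   "$ramGB GB"
Add-Check 'Disk' ($diskGB -ge $MinDiskGB) "$diskGB GB free on $env:SystemDrive"

# 2. Domain membership: the connector service runs as a domain user and binds to AD
Add-Check 'DomainJoined' ($cs.PartOfDomain -and $cs.Domain -ieq $AdDomain) "member of $($cs.Domain)"

# 3. Internal DNS and LDAP: locate the DCs via the _ldap SRV record, then probe 389/636
try {
    $dcs = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV -ErrorAction Stop |
             Where-Object QueryType -eq 'SRV' | Select-Object -ExpandProperty NameTarget -Unique)
    Add-Check 'DC-SRV' ($dcs.Count -gt 0) ($dcs -join ', ')
    foreach ($dc in $dcs) {
        foreach ($port in 389, 636) {
            $t = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            Add-Check "LDAP ${dc}:$port" $t.TcpTestSucceeded "remote $($t.RemoteAddress)"
        }
    }
} catch { Add-Check 'DC-SRV' $false $_.Exception.Message }

# 4. Outbound 443 to the tenant. In outbound mode this is the only path the tenant
#    needs, so nothing has to be published inbound from the Internet.
$t = Test-NetConnection -ComputerName $Tenant -Port 443 -WarningAction SilentlyContinue
Add-Check "HTTPS ${Tenant}:443" $t.TcpTestSucceeded "remote $($t.RemoteAddress)"

# 5. Port 8443 must be free: the post-install setup wizard is served there on the local host
$listener = Get-NetTCPConnection -LocalPort 8443 -State Listen -ErrorAction SilentlyContinue
Add-Check 'Port 8443 free' (-not $listener) $(if ($listener) { "PID $($listener.OwningProcess)" } else { 'nothing listening' })

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { Write-Warning 'One or more pre-flight checks failed.'; exit 1 }
```

Run it from an elevated PowerShell session on the server you intend to install the connector on; a non-zero exit means at least one check failed, and the table tells you which. The LDAP probes only test that the ports are open, not that the bind account you will use later has the rights it needs.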
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Next your way through the next few screens, accepting the defaults. Confirm you have the proper hostname for the vIDM Connector.</span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH3cYCvufJEWHZSDyYgTwzwpQQyQBCT6HH9v-1G-KgLNwimepiN0Ck1OEHtLxIAGG6iaONtO7SyXWCAOqz9xoTrjUPjlNb3apef44B8_Tomiw4gXPP0VIiefej0OecHJq-ePo4V2iRb6qH/s1600/Screen+Shot+2019-09-16+at+11.48.16+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiH3cYCvufJEWHZSDyYgTwzwpQQyQBCT6HH9v-1G-KgLNwimepiN0Ck1OEHtLxIAGG6iaONtO7SyXWCAOqz9xoTrjUPjlNb3apef44B8_Tomiw4gXPP0VIiefej0OecHJq-ePo4V2iRb6qH/s400/Screen+Shot+2019-09-16+at+11.48.16+AM.png" /></a></span></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Run the connector service as a domain user.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKVW_4lNj2nLnvFlH-gcN-es52bZ19MhBiHYiUxyKiJ8Zn5NO6GfTGVQ2f23fzv6scBX-c8RBRvLBKvbN99LVGk-N8cAFYbeDe1fMyDBeDZxA4ak7EK9mF-kiYByyk4kJ5e24I5AEsRYj0/s1600/Screen+Shot+2019-09-16+at+11.50.18+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKVW_4lNj2nLnvFlH-gcN-es52bZ19MhBiHYiUxyKiJ8Zn5NO6GfTGVQ2f23fzv6scBX-c8RBRvLBKvbN99LVGk-N8cAFYbeDe1fMyDBeDZxA4ak7EK9mF-kiYByyk4kJ5e24I5AEsRYj0/s400/Screen+Shot+2019-09-16+at+11.50.18+AM.png" /></a></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Click next, then next on the following screens and then finally install. After a successful installation, you'll get redirected to port 8443 on the local host. This is where you'll complete the setup from.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDEC93DHjpMuihon82UITQKcF0RvEWuU1-GVKOQI6x-bxL9VZBX91KjVBiM4jg-Ll59daT4u7Nh883VEo2KoMorvSyheKNawSELiPwo2ffsGmO0KM3sh_IwHatG8VnPVgjx1aPN2ea9_CD/s1600/Screen+Shot+2018-10-29+at+9.01.46+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDEC93DHjpMuihon82UITQKcF0RvEWuU1-GVKOQI6x-bxL9VZBX91KjVBiM4jg-Ll59daT4u7Nh883VEo2KoMorvSyheKNawSELiPwo2ffsGmO0KM3sh_IwHatG8VnPVgjx1aPN2ea9_CD/s400/Screen+Shot+2018-10-29+at+9.01.46+PM.png" /></a></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Click next on the first screen.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKELqSdUV9UPaCaPOaten8wGCEJdHLFkgNS7jv8uWfgoPycuR9aIPWiiZ5e8MjbP4pqhPv_jcNaqFVDfqDh4RyS4oJzO67-pj2rzddd0EWfL-xuFUrUTCmPzQ7LfxIrsZv2zyKcTNuyGcj/s1600/Screen+Shot+2018-10-29+at+9.04.19+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKELqSdUV9UPaCaPOaten8wGCEJdHLFkgNS7jv8uWfgoPycuR9aIPWiiZ5e8MjbP4pqhPv_jcNaqFVDfqDh4RyS4oJzO67-pj2rzddd0EWfL-xuFUrUTCmPzQ7LfxIrsZv2zyKcTNuyGcj/s400/Screen+Shot+2018-10-29+at+9.04.19+PM.png" /></a><br /><br />After setting the admin password for this local connector instance, you'll get prompted for an activation code. You need to grab the code from your Workspace ONE Access tenant.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuNiW4vBrlhnHIKoUYJokeXbLBs-uX7fsvy0vevYaPCRcq3fUG8KlJML-KxrUgPRnC1s_sWSaup9HCbabHz7-4-K3Ub4gu8TfAyyLza_szjJlfbkCjX9NF-oU770pwWHRtGFX7IdEUPwxh/s1600/Screen+Shot+2018-10-29+at+9.06.10+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuNiW4vBrlhnHIKoUYJokeXbLBs-uX7fsvy0vevYaPCRcq3fUG8KlJML-KxrUgPRnC1s_sWSaup9HCbabHz7-4-K3Ub4gu8TfAyyLza_szjJlfbkCjX9NF-oU770pwWHRtGFX7IdEUPwxh/s400/Screen+Shot+2018-10-29+at+9.06.10+PM.png" /></a></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Log into your tenant environment. Navigate to Identity & Access Management --> Setup --> Connectors. You'll see the unactivated connector.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjRosscmolN9ojLC-DH75fRUotcPyERJod5GLFhq8pO-WQyclXNo_PgLB2kEsT-1DVxb-9bNfL0ZAmDEZHUdMCveE_6EUacIk6ax_wdIs5IoIAb_Pal8XoCVAvedSEWCqhxmKzw2IfMw7A/s1600/Screen+Shot+2018-10-29+at+9.08.32+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjRosscmolN9ojLC-DH75fRUotcPyERJod5GLFhq8pO-WQyclXNo_PgLB2kEsT-1DVxb-9bNfL0ZAmDEZHUdMCveE_6EUacIk6ax_wdIs5IoIAb_Pal8XoCVAvedSEWCqhxmKzw2IfMw7A/s400/Screen+Shot+2018-10-29+at+9.08.32+PM.png" /></a><br /><br />Click on the view activation code option. From there you'll have an option to generate an activation code. Generate the activation code, then copy and paste that activation code into wizard for the connector activation.</span><br />
<br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihRpna5klRAyRyxy9JfIyddGw1C9C3zfYPJuAJp2jp6bEZL0OJKEYLZ_YanK5YPJMCT24YrHLllks83c2chNY8RPaamFGyD2-XZEZNxJRMES36ysqtqT18mYRaZyN9SP7c53RjcrKIrAvN/s1600/Screen+Shot+2018-10-29+at+9.10.01+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihRpna5klRAyRyxy9JfIyddGw1C9C3zfYPJuAJp2jp6bEZL0OJKEYLZ_YanK5YPJMCT24YrHLllks83c2chNY8RPaamFGyD2-XZEZNxJRMES36ysqtqT18mYRaZyN9SP7c53RjcrKIrAvN/s400/Screen+Shot+2018-10-29+at+9.10.01+PM.png" /></a><br /><br />If things go well, you'll get the, "Setup is complete," message. Now under Connectors within the admin console you'll see more info populated about the connector.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQKyPCf_henswwjCBPfEuUzgsxUqtoGjjPlELljvBpLpn6g40Z-ZevfvdRFKJNxP7eue8vuBOd2dOf8I7ljGtUYh3GB6SKqHzcjyCWWUiWO6JoVJy3AMT_4qOMEp2RYcQfpj5WkvjM89N8/s1600/Screen+Shot+2018-10-29+at+9.13.19+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQKyPCf_henswwjCBPfEuUzgsxUqtoGjjPlELljvBpLpn6g40Z-ZevfvdRFKJNxP7eue8vuBOd2dOf8I7ljGtUYh3GB6SKqHzcjyCWWUiWO6JoVJy3AMT_4qOMEp2RYcQfpj5WkvjM89N8/s400/Screen+Shot+2018-10-29+at+9.13.19+PM.png" /></a></span><br />
<br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Next, we have to associate this connector with a directory.</span><br />
<br />
<br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> </span><br />
<h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Configur</span><span style="font-family: "arial" , "helvetica" , sans-serif;">e The Required User Attributes</span></span></h3>
<br />
<br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Prior to binding to your local domain, you need to ensure you have the required user attributes configured for Office 365 integration . You'll need the user principal name and objectguid attributes enabled. Navigate to Identity & Access Manager --> Setup --> User Attributes. You should have something like this: </span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNpMsTfGylY5Cx04BzUNfmid1RcwZDPjKaiXrL13ye1hsBonoDAZD-1UuVmwwkRLlxdeCxsa4TKcTRKrY23umYQEvpnP-ucPWrf0xPnA3tqYOPz5RV_YfE5aTOE-R6PReZWGBhdCKIKwiV/s1600/Screen+Shot+2019-09-18+at+11.24.24+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNpMsTfGylY5Cx04BzUNfmid1RcwZDPjKaiXrL13ye1hsBonoDAZD-1UuVmwwkRLlxdeCxsa4TKcTRKrY23umYQEvpnP-ucPWrf0xPnA3tqYOPz5RV_YfE5aTOE-R6PReZWGBhdCKIKwiV/s640/Screen+Shot+2019-09-18+at+11.24.24+AM.png" /></a></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span><br />
<h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Bind To On-Premises AD</span></span></h3>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />After confirming your attributes are straight, proceed to Identity & Access Management --> Manage --> Directories click Add Directory.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOZUANPpig8hk06TNRxJORFMOWYQpffhulVWQIFL6SxmasPFlkLftC1Y-cnIDAd1cIYJW5mWUORB83qulYihOvpWnKSRKLmHwgmHU-rT1332sIqdbKbRWw1plXb8T8hfrv1Vf3ibZE4azL/s1600/Screen+Shot+2018-09-26+at+3.10.47+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOZUANPpig8hk06TNRxJORFMOWYQpffhulVWQIFL6SxmasPFlkLftC1Y-cnIDAd1cIYJW5mWUORB83qulYihOvpWnKSRKLmHwgmHU-rT1332sIqdbKbRWw1plXb8T8hfrv1Vf3ibZE4azL/s640/Screen+Shot+2018-09-26+at+3.10.47+PM.png" /></a><br /><br />Select the option for, "Add Active Directory over LDAP/IWA."<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvQd4OzDz8vfOtGOHOZaTrMPuecIlFnzGosapGrztg5AJa9ejTlhQ8bIYkpZ2hSW3gKnawcAWVTZLd-cvRMVRXt5_gxTy46UB8D1Txnao-_YLE9jpaz5OExfMmYEkaEWcaVnEuOFdgn_GY/s1600/Screen+Shot+2018-09-26+at+3.25.18+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvQd4OzDz8vfOtGOHOZaTrMPuecIlFnzGosapGrztg5AJa9ejTlhQ8bIYkpZ2hSW3gKnawcAWVTZLd-cvRMVRXt5_gxTy46UB8D1Txnao-_YLE9jpaz5OExfMmYEkaEWcaVnEuOFdgn_GY/s640/Screen+Shot+2018-09-26+at+3.25.18+PM.png" /></a></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Add the name of your directory. Ensure your vIDM Connector is selected as the Sync Connector. Choose Yes for, "Do you want this Connector to also perform authentication." Then, scroll down a bit and you'll get prompted for an account to bind with. Enter the bind account name in a user principal name format.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiwDoeTyNgdu9hN_CWJPs1ZPseJnRHDG0HnQIIfOzKZKfppqZW9YfhhyTk3KBkKimlJChDy1wbIgI4NAsqCMmQTRp_wHBOJTgKj1vhp3NOiTL8TIeYwU0ctdf9W_KDcPyzA1Gni5U9xBu_/s1600/Screen+Shot+2018-09-26+at+3.27.42+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiwDoeTyNgdu9hN_CWJPs1ZPseJnRHDG0HnQIIfOzKZKfppqZW9YfhhyTk3KBkKimlJChDy1wbIgI4NAsqCMmQTRp_wHBOJTgKj1vhp3NOiTL8TIeYwU0ctdf9W_KDcPyzA1Gni5U9xBu_/s640/Screen+Shot+2018-09-26+at+3.27.42+PM.png" /></a><br /><br />Hit Save & Next.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl7XhsUdFon_UVhyATlkTcpHIxb10xTAZp5ROfraPo9OALNaeM6xliFJ6kGZEBZer3afYbdTFvrHGC5U_0tSanUelU7GGF7qStKRmouvPdvryxb7qVej9hhbzjxOFJ-GWBcQzayl6yxobU/s1600/Screen+Shot+2018-09-26+at+3.28.02+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl7XhsUdFon_UVhyATlkTcpHIxb10xTAZp5ROfraPo9OALNaeM6xliFJ6kGZEBZer3afYbdTFvrHGC5U_0tSanUelU7GGF7qStKRmouvPdvryxb7qVej9hhbzjxOFJ-GWBcQzayl6yxobU/s400/Screen+Shot+2018-09-26+at+3.28.02+PM.png" /></a><br /><br />I then selected my lab.local domain.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8mCVdi6ZU5wMNfBenotJh7bmKr4stKuJOdh-0Nbopnk-I5AsPTbL52LjGn6qX_UBj77dj1pLYkYboYo_khxwvO9YJnXVPFk770k9zuV22YoB4d3YHtyxMUih_JB5Nhs-r2km8m52Qp5H2/s1600/Screen+Shot+2018-09-26+at+3.29.06+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8mCVdi6ZU5wMNfBenotJh7bmKr4stKuJOdh-0Nbopnk-I5AsPTbL52LjGn6qX_UBj77dj1pLYkYboYo_khxwvO9YJnXVPFk770k9zuV22YoB4d3YHtyxMUih_JB5Nhs-r2km8m52Qp5H2/s400/Screen+Shot+2018-09-26+at+3.29.06+PM.png" /></a><br />
<br />
I then</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> nexted my way through the next several screens, providing DNs like cn=users,dc=lab,dc=local to scope which users and groups get synced. After reviewing the summary of changes the sync settings would trigger, I clicked on, "Sync Directory."<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD7iBLGWymsGLT2axXoDNHa7xjtn3_m56wD_g1Z-MWAPEX3QW4W500czeFtUz__WQokEYLopS2mAYDVq801EwVt5Lt5zzBlREtrnVdJtg585voAHghH2eFpgouhJrMFkU3CV4_9GUYc4h4/s1600/Screen+Shot+2018-09-26+at+3.20.09+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD7iBLGWymsGLT2axXoDNHa7xjtn3_m56wD_g1Z-MWAPEX3QW4W500czeFtUz__WQokEYLopS2mAYDVq801EwVt5Lt5zzBlREtrnVdJtg585voAHghH2eFpgouhJrMFkU3CV4_9GUYc4h4/s640/Screen+Shot+2018-09-26+at+3.20.09+PM.png" /></a><br />
<br />
After a successful sync, you'll see a bunch of new users under the Users & Groups tab.</span><br />
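Two things are worth checking at this point, and the script below does both as an added example rather than anything from the original post: that the accounts under the DN you scoped the sync to carry a UPN suffix the tenant will keep (the earlier vditest4 case shows what happens when the suffix is not verified in Azure AD: the account lands as vditest4@evengooder.onmicrosoft.com), and that the userPrincipalName and objectGUID attributes the Office 365 integration needs are populated. It runs on a domain-joined machine with the RSAT ActiveDirectory module; the base DN, the verified suffix list and the tenant default domain are assumptions for this lab.

```powershell
# Added example (not from the original post): audit the accounts under the sync
# base DN, reporting which UPN each will carry into the tenant and whether the
# attributes the Office 365 integration relies on are present. The base DN,
# verified suffix list and tenant default domain are lab assumptions; adjust them.
#Requires -Modules ActiveDirectory
param(
    [string]$SearchBase         = 'CN=Users,DC=lab,DC=local',   # DN used to scope the directory sync
    [string[]]$VerifiedSuffixes = @('evengooder.com'),          # domains verified in the Azure AD tenant
    [string]$TenantDefault      = 'evengooder.onmicrosoft.com'  # fallback domain applied on import
)

# userPrincipalName becomes the Azure AD username; objectGUID is the stable key
# that ties the federated login back to the synced account.
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
                    -Properties userPrincipalName, objectGUID

$report = foreach ($u in $users) {
    $upn = $u.userPrincipalName
    $prefix = $suffix = $null
    if ($upn -and $upn.Contains('@')) { $prefix, $suffix = $upn -split '@', 2 }

    # Work out the UPN the account will end up with in the tenant
    if (-not $suffix) {
        $tenantUpn = $null
        $status    = 'NO UPN: fix before syncing'
    } elseif ($VerifiedSuffixes -contains $suffix) {
        $tenantUpn = $upn
        $status    = 'OK: verified suffix, UPN kept as-is'
    } else {
        $tenantUpn = "$prefix@$TenantDefault"
        $status    = "FALLBACK: $suffix is not verified, becomes $tenantUpn"
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UPN            = $upn
        TenantUPN      = $tenantUpn
        ObjectGUID     = $u.objectGUID
        Status         = $status
    }
}

$report | Sort-Object Status, SamAccountName | Format-Table -AutoSize

# Two accounts that resolve to the same tenant UPN (e.g. user@lab.local and
# user@corp.local both falling back to user@<default>) would collide; flag them.
$report | Where-Object TenantUPN | Group-Object TenantUPN | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Collision on $($_.Name): $($_.Group.SamAccountName -join ', ')" }
```

Run it before the first sync and again after you change a UPN suffix; any account reported as FALLBACK or NO UPN is one whose users will not be able to sign in with the name they expect.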
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span><br />
<h3>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"> Authentic</span><span style="font-family: "arial" , "helvetica" , sans-serif;">ation In Inbound Mode</span></span></h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">By default, after creating a directory and associating it with our vIDM Connector, your connector can authenticate AD users in inbound mode, which means users connect directly to the vIDM Connector located on the trusted network. Essentially, after pointing your browser to the Workspace ONE Access tenant in the cloud and selecting the local AD domain you want to authenticate against, you're redirected to the URL of the vIDM Connector, so that URL has to be reachable from wherever the user is sitting. </span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span> <span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA_asxMI97JODQMADedpmD7FIBqEjUwx1WWY-D2AAG87s0dEyXuUde1_lSvQ3slVnQImOdOFjsBlqiK6-E40an3zdjXu8PCalvMM5jwczXYg_w9E1L5PFtObf6OkQjDxKzrjSdLcd9HNXZ/s1600/Screen+Shot+2018-09-26+at+3.40.06+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA_asxMI97JODQMADedpmD7FIBqEjUwx1WWY-D2AAG87s0dEyXuUde1_lSvQ3slVnQImOdOFjsBlqiK6-E40an3zdjXu8PCalvMM5jwczXYg_w9E1L5PFtObf6OkQjDxKzrjSdLcd9HNXZ/s640/Screen+Shot+2018-09-26+at+3.40.06+PM.png" /></a></span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span> <span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">If you want folks to authenticate directly through cloud tenant, rather than against the vIDM connector, you can enable outbound mode.</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span><br />
<h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Enabling Outbound Mode For vIDM Connector</span></span></h3>
<br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrkaGArCYrwm3cqpf9UqOOMMQdnVJ0BEKfEg6Q4N8sWxl-xTPbK0-03fEaZ8QHxk0qf4F4hEDXx8lPnW734uk-bmVt0zncj-wEgD8elo5yL4mVzTsKUQxVBobdAdrBKUrCDtMDvqX2ZCZ5/s1600/Screen+Shot+2019-08-10+at+2.24.31+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrkaGArCYrwm3cqpf9UqOOMMQdnVJ0BEKfEg6Q4N8sWxl-xTPbK0-03fEaZ8QHxk0qf4F4hEDXx8lPnW734uk-bmVt0zncj-wEgD8elo5yL4mVzTsKUQxVBobdAdrBKUrCDtMDvqX2ZCZ5/s640/Screen+Shot+2019-08-10+at+2.24.31+PM.png" /></a><br /><br /> We can enable outbound mode by associating our new Connector with the Built-In identity provider. Navigate to Identity And Access Management --> Manage --> Identity Providers.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJrO30C8B9DbD0JvuuYNLebNTuGtY4UU9-axbF_PmQx0LPzrd1nsvA8BKO3W4d5Ivtg439fTwo7EbEgZKg7L27QhtE8sYk4U29IQ9fIpvRF_ZkqOmAKaTwHJY-61lkRPylcLwtj-p-920x/s1600/Screen+Shot+2018-09-26+at+3.51.02+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJrO30C8B9DbD0JvuuYNLebNTuGtY4UU9-axbF_PmQx0LPzrd1nsvA8BKO3W4d5Ivtg439fTwo7EbEgZKg7L27QhtE8sYk4U29IQ9fIpvRF_ZkqOmAKaTwHJY-61lkRPylcLwtj-p-920x/s640/Screen+Shot+2018-09-26+at+3.51.02+PM.png" /></a><br /><br />Click on the hyperlink for Built-in. Select the relevant directory and network ranges. 
Then scroll down.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHCao8ExmwEi8LH1-cbbdsDCTqKelLgG4UTOdOM0iEuOs1T2bQNKzy7WPkkb3jl25CyNVcGFFYmAFq7C6PEb957gOnMKMMJkI72uuZY27OTzMrmuVQaXgHapWaJrj2mVAORIzizYq5tLsP/s1600/Screen+Shot+2018-10-01+at+10.08.45+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHCao8ExmwEi8LH1-cbbdsDCTqKelLgG4UTOdOM0iEuOs1T2bQNKzy7WPkkb3jl25CyNVcGFFYmAFq7C6PEb957gOnMKMMJkI72uuZY27OTzMrmuVQaXgHapWaJrj2mVAORIzizYq5tLsP/s640/Screen+Shot+2018-10-01+at+10.08.45+PM.png" /></a><br /><br />Under Connectors, select your new vIDM Connector. Then click on the, "Add Connector," button.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6sasE173Ec59JwTGutcRgh-VOtLmXNPV-nxH8QyT2vcPAcRk30RUsX3xP2l-gO-44bOBGBHYExPCRU7sUMqiz3aIFwheXFcvKDfd7aQRORTtriwkvj0YAuPAYnypg1Pf366gThQL90CpP/s1600/Screen+Shot+2018-09-25+at+3.29.43+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6sasE173Ec59JwTGutcRgh-VOtLmXNPV-nxH8QyT2vcPAcRk30RUsX3xP2l-gO-44bOBGBHYExPCRU7sUMqiz3aIFwheXFcvKDfd7aQRORTtriwkvj0YAuPAYnypg1Pf366gThQL90CpP/s640/Screen+Shot+2018-09-25+at+3.29.43+PM.png" /></a><br /><br />You'll now have the option to select Connector Authentication Methods. Select the option for, "Password (cloud deployment)."<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMLk2MaiX0UsWQFhpxYJ1W9-mo-g2nXjWYDT9zg-WBs0PKTeCN7UflYG2JqGH8G-trwmo5iaYuuQGyieu3mnZq-7kJj4gEIfcRZJka8p3EGfPQQBXCRURDehob0wI3HE7rQReXeqmme51G/s1600/Screen+Shot+2018-09-25+at+3.42.39+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMLk2MaiX0UsWQFhpxYJ1W9-mo-g2nXjWYDT9zg-WBs0PKTeCN7UflYG2JqGH8G-trwmo5iaYuuQGyieu3mnZq-7kJj4gEIfcRZJka8p3EGfPQQBXCRURDehob0wI3HE7rQReXeqmme51G/s640/Screen+Shot+2018-09-25+at+3.42.39+PM.png" /></a></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #cfe2f3;"><br /></span><span style="color: #9fc5e8;">After changing your access policy rules to use the Password (cloud deployment) authentication option, you'll have the ability to authenticate against the AD environment directly from your SaaS instances, without having your browser redirected to the vIDM Connector.</span></span><br />
<br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<h3>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Integrate</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> Office tenant with Workspace Access</span></h3>
<br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">With both your Office 365 tenant and your Workspace One Access Manager cloud tenant integrated with your local AD domain, you can now proceed with the federation of the two environments. The first step is to add your Office 365 environment as an applicationto your Access manager catalog as a service provider. Then, you enable your Workspace One tenant as identity provider for Office 365 through a PowerShell command that federates the two environments.</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> Add Office 365 To Catalog</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span><span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Fortunately, there’s already a preconfigured Office 365 application template you can follow to guide you through the integration. Within your Workspace ONE Access environment, navigate to Catalog --> Web Apps.</span></span><br />
<span style="color: #9fc5e8;"><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUTtQ5ohRWSB89L4f9Hs4jrB_N6SpSRaNsF7bvxGCqB8qlKpmQoGBfg84YkscyS3NCT-4pInf9A73cjxR-jP-qJO2z-WpKFfwXCi3BfZ1eL3I5GWtlKKdyRbUJEZuARjNHbBhiJVqzuviR/s1600/Screen+Shot+2019-09-14+at+9.21.38+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUTtQ5ohRWSB89L4f9Hs4jrB_N6SpSRaNsF7bvxGCqB8qlKpmQoGBfg84YkscyS3NCT-4pInf9A73cjxR-jP-qJO2z-WpKFfwXCi3BfZ1eL3I5GWtlKKdyRbUJEZuARjNHbBhiJVqzuviR/s400/Screen+Shot+2019-09-14+at+9.21.38+AM.png" /></a></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">Then click on the, New button to create a new SaaS application.</span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGFzEebOyUODAWlKaAaHH6IGvFj_bpqXG5ZF0kD2CgL4rkjf0n-W2_84Iap6I4pD3nl59b3QHcsTRdkJkROEzrUdQASe4vSfPVYEwE1qhzWii5yT6U5yXofY-TDqVFM_0kbN9_Z7zjlAA-/s400/Screen+Shot+2019-08-31+at+10.23.04+AM.png" /></span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">Click on the option to browse from catalog. Look for the preconfigured application called, "Office<br /> </span><span style="color: #9fc5e8;">365 with Provisioning."</span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinTrcFTMKesVLb6hN0Txk2RXkQZ7Qxrz5qf-iCXXjxCkLxMBEjiT-NnjMZwkvN6lOrez8K0k9QPuG4SPIDUIWSQN7tp7ge8Hec2e9Zt18O82hQV8YxXGR6PmSvKHfHuYQnnBfs2Vmod6lb/s1600/Screen+Shot+2019-08-31+at+10.23.32+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinTrcFTMKesVLb6hN0Txk2RXkQZ7Qxrz5qf-iCXXjxCkLxMBEjiT-NnjMZwkvN6lOrez8K0k9QPuG4SPIDUIWSQN7tp7ge8Hec2e9Zt18O82hQV8YxXGR6PmSvKHfHuYQnnBfs2Vmod6lb/s640/Screen+Shot+2019-08-31+at+10.23.32+AM.png" /></a></span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">Give it a name that will be displayed in your user's portals. I lack imagination, so I'm just going with Office 365.</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2wp0_F2VTuJaG0Qu6u7Gk66J0i2cTY3o5gUHmKrtfPIrM2fpm4qw8uaX4LgDWEwZI7ySyBlmB-h_rBIEpXOBVOPMHFx36n9FpEMx-OmWL5jTMpinMJhVzaD2Z4evveF6n3kIox0-Xn0Zp/s1600/Screen+Shot+2019-08-31+at+10.26.18+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2wp0_F2VTuJaG0Qu6u7Gk66J0i2cTY3o5gUHmKrtfPIrM2fpm4qw8uaX4LgDWEwZI7ySyBlmB-h_rBIEpXOBVOPMHFx36n9FpEMx-OmWL5jTMpinMJhVzaD2Z4evveF6n3kIox0-Xn0Zp/s400/Screen+Shot+2019-08-31+at+10.26.18+AM.png" /></a></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #9fc5e8;"><br /></span></span>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #9fc5e8;"> Next, we have to populate some critical SAML information. Fortunately, a lot of information is already preconfigured for us. We essentially have only 3 pieces of information we have to add to the definition. These are a target URL, a tenant and an issuer. The target URL is where you get redirected to after SAML request is accepted. For my lab, I'm going with office.com. (I could just as well go with a specific office application by going with <a href="https://www.office.com/launch/word">https://www.office.com/launch/word</a> or <a href="https://www.office.com/launch/excel">https://www.office.com/launch/excel</a>.) </span></span><span style="color: #9fc5e8; font-family: Arial, Helvetica, sans-serif;">For this integration, I want to provided access to the entire office suite, so I'm just going with office.com.</span><br />
<br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5RMLx_FCMlgkwiUMIMpG1_ER0esaCp8JhZkRsg3oizV1ccAsRsdwr-Bnrdk4EeSXUnt0UbPyZsXceX-D5KsfKtx7iWCEteyuFmCTUXASMDLWc_gRCwd1Am6RyepF2aI0U_QCBPvRoiczF/s1600/Screen+Shot+2019-08-31+at+10.30.20+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5RMLx_FCMlgkwiUMIMpG1_ER0esaCp8JhZkRsg3oizV1ccAsRsdwr-Bnrdk4EeSXUnt0UbPyZsXceX-D5KsfKtx7iWCEteyuFmCTUXASMDLWc_gRCwd1Am6RyepF2aI0U_QCBPvRoiczF/s640/Screen+Shot+2019-08-31+at+10.30.20+AM.png" /></a><br /><br />Next, I have to enter in a tenant and an issuer. For the tenant, I'm entering the tenant url for my </span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Office 365/Azure registered domain, evengooder.com. For the issuer, I'm going with the URL of my Workspace One Access (vIDM) tenant, justinjohnson.vmwareidentity.com.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc4CFZ71u89q-ITp8DATi0hUk9PeiAG_Jsn3ZUBnxC5NdMo1yGNOs351zs_rvsRYpC57yuPkMZheBbJ1JOuYExbvGczb9ya7Fii-ESMEY8Suu9KJ5qZJ8UfjglM63EtlqBJ7x8OhXVJ2HN/s1600/Screen+Shot+2019-08-31+at+10.32.25+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc4CFZ71u89q-ITp8DATi0hUk9PeiAG_Jsn3ZUBnxC5NdMo1yGNOs351zs_rvsRYpC57yuPkMZheBbJ1JOuYExbvGczb9ya7Fii-ESMEY8Suu9KJ5qZJ8UfjglM63EtlqBJ7x8OhXVJ2HN/s640/Screen+Shot+2019-08-31+at+10.32.25+AM.png" /></a></span></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Now, you’ll see an entry for Office 365 within the catalog.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuQP2JShIianlPUTT35rwGcsiYlxlDzBJrkiHbcERb1DQlW5Yo_8Xkn0q9bmmRrWxJfICPB-U2WoasTrZI2WMUlifopy8SBFVpsSg2Icm1F8CtMyY39_lfZ86Tbu1eMjfsaM649eBnyeXS/s1600/Screen+Shot+2019-09-14+at+9.43.22+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuQP2JShIianlPUTT35rwGcsiYlxlDzBJrkiHbcERb1DQlW5Yo_8Xkn0q9bmmRrWxJfICPB-U2WoasTrZI2WMUlifopy8SBFVpsSg2Icm1F8CtMyY39_lfZ86Tbu1eMjfsaM649eBnyeXS/s400/Screen+Shot+2019-09-14+at+9.43.22+AM.png" /></a></span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">To actually make this configured application work, we have to federate the Office 365 tenant with our Workspace One Access tenant. All this will take is some very ugly PowerShell commands.</span></span><br />
<br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span><br />
<h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> Federate Azure Tenant With Workspace ONE Access </span></span></h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="font-family: "arial" , "helvetica" , sans-serif;">With Office 365 added to your catalog you can complete the integration through a somewhat intimidating PowerShell command. The first step is adding the MSOline module to your PowerShell environment. </span></span><span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> For my desktop, in order to successfully install MSOnline module, I first had to install the Microsoft Online Services Sign-In Assistant. This is something I downloaded <a href="https://www.microsoft.com/en-us/download/details.aspx?id=41950" target="_blank">from here</a>. </span></span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">With this component installed, I was able to install the module with this command:</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #cfe2f3;">
Install-Module -Name MSOnline</span></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #cfe2f3;"><br /></span></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">After installing the module, you should be able to run Connect-MsolService in order to connect to your Azure tenant. You’ll get prompted for your credentials.</span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span> <span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjALZPPqkF8VDv2zsSBkVnFMh_znQrtwYAfraE5qgMQoZyQH5YIfcc9Dr0eNJt7zTmIYsQjcTzkOqCHZp8j2fvhs6AFfn08shvtKnb3JGXX1Y1IjDMz9qWdopSNmmxRxpS7_4REhl1XkIsK/s1600/Screen+Shot+2019-08-31+at+8.21.12+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjALZPPqkF8VDv2zsSBkVnFMh_znQrtwYAfraE5qgMQoZyQH5YIfcc9Dr0eNJt7zTmIYsQjcTzkOqCHZp8j2fvhs6AFfn08shvtKnb3JGXX1Y1IjDMz9qWdopSNmmxRxpS7_4REhl1XkIsK/s400/Screen+Shot+2019-08-31+at+8.21.12+PM.png" /></a></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span> <span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Assuming your credentials are accepted, you’ll now have access to your tenant environment. Run Get-Msoldomain to observe accessible domains within your environment.</span><br />
<br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrB8_rx0z75cTzxsWKTF1DPhyphenhyphenjf5a2-dEjpgtbPugmy52VJ19Bn_Mh-LJ9IG0UlQN81XO7AtV95glBO4pO0ZmXIIx_4W0HDCGxUBVN2U0qIKYUEnUZ-e23RlbSrHKqosRANgMs8UuB3iv6/s1600/Screen+Shot+2019-08-31+at+8.23.17+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrB8_rx0z75cTzxsWKTF1DPhyphenhyphenjf5a2-dEjpgtbPugmy52VJ19Bn_Mh-LJ9IG0UlQN81XO7AtV95glBO4pO0ZmXIIx_4W0HDCGxUBVN2U0qIKYUEnUZ-e23RlbSrHKqosRANgMs8UuB3iv6/s400/Screen+Shot+2019-08-31+at+8.23.17+PM.png" /></a></span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Before running a really long ugly PowerShell command, you need to make sure the domain you're going to federate isn't the primary domain. Accordingly, I navigated to the custom domain names section of the Azure Active Directory Admin Console and selected the evengooder.onmicrosoft.com domain. After drilling into this custom domain name I clicked on the option, "Make Primary." </span><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNUW6p0_CWIdU6WQb-7csTje4Vwmq2gLRFVOOk2LpS6vbW6V1jmXVL50u8lpLr_gZ-ffTIQQClTovOabEfkLLabZLBF4ZJFX3k04VYsi0MiFCFRFVC1GyA4CUGqA7uvQiTVhmE89jIrhnR/s1600/Screen+Shot+2019-09-20+at+8.29.37+PM.png" imageanchor="1"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNUW6p0_CWIdU6WQb-7csTje4Vwmq2gLRFVOOk2LpS6vbW6V1jmXVL50u8lpLr_gZ-ffTIQQClTovOabEfkLLabZLBF4ZJFX3k04VYsi0MiFCFRFVC1GyA4CUGqA7uvQiTVhmE89jIrhnR/s400/Screen+Shot+2019-09-20+at+8.29.37+PM.png" width="400" /></a></span></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">After confirming the action I was able to proceed with the federation. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK7fbPCznQvga7l3Do1MUdpWOZkftbPEI57QZP2gLbnNSZI5GgFCf0O6HQEIiJdFLiyPhy41Q4HYeoknwsjCSClLAyCYZn019CGaCKZ25_E0gVqGVGQjgSMHVjzLeUJrEXo0SckOg-Kyaq/s1600/Screen+Shot+2019-09-20+at+8.30.04+PM.png" imageanchor="1"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK7fbPCznQvga7l3Do1MUdpWOZkftbPEI57QZP2gLbnNSZI5GgFCf0O6HQEIiJdFLiyPhy41Q4HYeoknwsjCSClLAyCYZn019CGaCKZ25_E0gVqGVGQjgSMHVjzLeUJrEXo0SckOg-Kyaq/s400/Screen+Shot+2019-09-20+at+8.30.04+PM.png" width="400" /></a></span><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">With the domain properly configured and an active connection to the Azure tenant through Connect-MsolService, there's just two PowerShell commands left to federate the environments. To get the syntax correct, I leaned on a blog post by Pete</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">r Bjo</span></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #9fc5e8;">rk titled, "</span><span style="color: #9fc5e8;"><a href="https://blogs.vmware.com/horizontech/2016/12/vmware-identity-manager-2-8-office-365-user-provisioning-federation.html" target="_blank">VMware Identity Manager 2.8 – Office 365 User Provisioning and Federation</a>." </span><span style="color: #9fc5e8;">Within the arti</span><span style="color: #9fc5e8;">cle, he includes a wonderfully convenient template to work from. Here's the template for the first command:</span></span><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><b><span style="color: #cfe2f3;">Set-MsolDomainAuthentication -DomainName </span><span style="color: #cc0000;">< O365 registered Domain ></span><span style="color: #cfe2f3;"> -Authentication Federated -IssuerUri “</span><span style="color: #cc0000;"><serviceportal.customer></span><span style="color: #cfe2f3;">” -FederationBrandName “</span><span style="color: #cc0000;"><Customer.com></span><span style="color: #cfe2f3;">” -PassiveLogOnUri “https://</span><span style="color: #cc0000;">< mycompany.vmwareidentity.com ></span><span style="color: #cfe2f3;">/SAAS/API/1.0/POST/sso” -ActiveLogOnUri “https://</span><span style="color: #cc0000;">< mycompany.vmwareidentity.com ></span><span style="color: #cfe2f3;">/SAAS/auth/wsfed/activelogon” -LogOffUri “https://login.microsoftonline.com/logout.srf”</span></b></span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">And for the second command, he provides this template:</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><b style="color: #9fc5e8;"><span style="color: #cfe2f3; font-family: "arial" , "helvetica" , sans-serif;"> Set-MsolDomainFederationSettings -DomainName</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> </span><span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;">< O365 registered Domain ></span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> -</span><span style="color: #cfe2f3; font-family: "arial" , "helvetica" , sans-serif;">MetadataExchangeUri “</span><span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;">< https:// mycompany.vmwareidentity.com SAAS/auth/wsfed/services/mex ></span><span style="color: #cfe2f3; font-family: "arial" , "helvetica" , sans-serif;">” -SigningCertificate</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"> </span><span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;">< X509Certificate ></span></b></span><br />
<span style="color: #9fc5e8;"><b style="color: #9fc5e8;"><span style="color: #cc0000; font-family: "arial" , "helvetica" , sans-serif;"><br /></span></b></span>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"><span style="color: #9fc5e8;">To determine how to populate the different fields, I took advantage of presentation by Dean </span><span style="color: #9fc5e8;">Fla</span></span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;">ming, "<a href="https://www.youtube.com/watch?t=1s&v=fUSTdsGk6ko&noapp=1&client=mv-google&app=desktop">VMware Identity Manager and Office 365 Integration</a>". Here's a very </span></span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">relevant slide from that demo:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyaqrJ93VQpvq4DJe-GL82Mz_FbgNHBO7-7knjs75YBB2IjE5wtV7U4h2JKzMNKwVY0BWaBAKdQPmD5RXJKDFXThP9jpJvIFhzfDoWIz8FzGqW1oidbubMi1OMm-Sev5PJlDolNITz0uXb/s1600/Dean_Description.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyaqrJ93VQpvq4DJe-GL82Mz_FbgNHBO7-7knjs75YBB2IjE5wtV7U4h2JKzMNKwVY0BWaBAKdQPmD5RXJKDFXThP9jpJvIFhzfDoWIz8FzGqW1oidbubMi1OMm-Sev5PJlDolNITz0uXb/s640/Dean_Description.png" /></a></span><br />
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Accordingly, based on the particular of my installation, my first command used the following values:</span><br />
<br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">
</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">DomainName = </span><span style="color: #cfe2f3; font-family: "arial" , "helvetica" , sans-serif;">evengooder.com</span></span><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Federation </span></span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Brand Name = </span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #cfe2f3;">EvenGooder Inc</span></span><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">PassiveLongUri = </span><span style="color: #cfe2f3; font-family: "arial" , "helvetica" , sans-serif;">https://justinjohnson.vmwareidentity.com/SAAS/API/1.0/POST/sso</span></span><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">ActiveLogOnUri = </span><span style="color: #cfe2f3; font-family: "arial" , "helvetica" , sans-serif;">https://justinjohnson.vmwareidentity.com/SAAS/auth/wsfed/activelogon</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Leading to a command of:</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="color: #cfe2f3; font-family: "arial" , "helvetica" , sans-serif;">Set-MsolDomainAuthentication -DomainName evengooder.com -Authentication Federated -IssuerUri justinjohnson.vmwareidentity.com -FederationBrandName “EvenGooder Inc.” -PassiveLogOnUri https://justinjohnson.vmwareidentity.com/SAAS/API/1.0/POST/sso -ActiveLogOnUri https://justinjohnson.vmwareidentity.com/SAAS/auth/wsfed/activelogon -LogOffUri https://login.microsoftonline.com/logout.srf</span></span><br />
<br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Also, please note that this entire command must be on a single line.</span></span><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Then, for the second command, I needed the signing certificate from your Workspace One Access tenant. Within the console I navigated to Catalog --> Web Apps. From there I clicked on settings, then selected SAML Metadata under SaaS Apps.</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoxX9y5xubAvDMb3Qs4vodY4ogw5byQha15oVr1DrPK-ZV50eGbWkr0NqeqiprjobWnm1VI1YUTBRHLGRkvLdHGuM8yZBM-DjL4SbkMOnQdrOroafvT6deFdFdnrobQNlKmsj2K9Zr04oB/s1600/Screen+Shot+2019-09-01+at+9.38.00+AM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoxX9y5xubAvDMb3Qs4vodY4ogw5byQha15oVr1DrPK-ZV50eGbWkr0NqeqiprjobWnm1VI1YUTBRHLGRkvLdHGuM8yZBM-DjL4SbkMOnQdrOroafvT6deFdFdnrobQNlKmsj2K9Zr04oB/s640/Screen+Shot+2019-09-01+at+9.38.00+AM.png" /></a></span></span><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">Following Mr. Flamings instructions, I yanked off quotes, along with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, so that there was only one long alphanumeric string for the certifi</span><span style="color: #9fc5e8;"><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">cate value. My command ended up looking like this:<br />
</span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;"><br />
</span><span style="color: #cfe2f3; font-family: "arial" , "helvetica" , sans-serif;">Set-MsolDomainFederationSettings -DomainName evengooder.com -MetadataExchangeUri https://justinjohnson.vmwareidentity.com/SAAS/auth/wsfed/services/mex -SigningCertificate MIIFHzCCAwegAwIB<REALLY_REALLY_REALLY_LONG_ALPHA_NUMERIC_STRING_REPRESENTING_THE_SIGNING_CERT></span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Again, this command too must be on a single line. </span></span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #9fc5e8;">The resulting output from the PowerShell console was rather uneventful.</span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd59MJYnWXoNuMXbEV3DVvzl1App1wf0aArxd42coWfYt3J1xIM-7OXwa5LiroOYv4QrCi2pwjWGpERBa-TgSnusz-ryFmTkIVKRcZDM_AhwFh-fWWDwYMJgCAvxIK4YbklXaFgc6mBEwa/s1600/Screen+Shot+2019-09-20+at+1.22.29+PM.png"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhd59MJYnWXoNuMXbEV3DVvzl1App1wf0aArxd42coWfYt3J1xIM-7OXwa5LiroOYv4QrCi2pwjWGpERBa-TgSnusz-ryFmTkIVKRcZDM_AhwFh-fWWDwYMJgCAvxIK4YbklXaFgc6mBEwa/s640/Screen+Shot+2019-09-20+at+1.22.29+PM.png" /></a></span><span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"> However, after executing the command, I got the magic I was looking for. Issuing </span></span><span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">the </span><span style="font-family: "arial" , "helvetica" , sans-serif;">command Get-MsolDomainFederationSettings helped confirm a successful federation. </span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span> <span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6OaZnE67-KF19WV61tf1MSG-9G7F9J5UcxtJiYH4w1thS92xLou06Hee2rMG9J4CoqkZZp8Mia9O0Nn0pOq8a-GHCTEvjEXXJm7LicTTg5NoCkQjQV75YWhmM-yMRuPDruaGBFX7AVH3U/s1600/Screen+Shot+2019-09-20+at+12.44.21+PM.png" imageanchor="1"><img border="0" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6OaZnE67-KF19WV61tf1MSG-9G7F9J5UcxtJiYH4w1thS92xLou06Hee2rMG9J4CoqkZZp8Mia9O0Nn0pOq8a-GHCTEvjEXXJm7LicTTg5NoCkQjQV75YWhmM-yMRuPDruaGBFX7AVH3U/s640/Screen+Shot+2019-09-20+at+12.44.21+PM.png" width="640" /></a></span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br />
</span></span> <span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">More notably, signing into Office 365 from Workspace ONE portal started working. With the default access policy in place, providing my AD credentials to a Workspace One authentication prompt was enough to get me access to Office 365. </span></span><br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<br />
<h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Configure Conditional Access Policies</span></span></h3>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">With Workspace ONE Access now federated with Office 365, you can leverage conditional access policies to control access to Office 365. This means any authentication methods enabled for Workspace ONE can be leveraged for Office 365 access. For example, with your on premise domain joined desktops, you could SSO through Kerberos</span></span><span style="color: #9fc5e8; font-family: "arial" , "helvetica" , sans-serif;">. Here's a video recording of accessing Office 365 from an on premise virtual desktop leveraging kerberos:</span><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="270" src="https://www.youtube.com/embed/aSTCHXrVXjw" width="480"></iframe><br />
<br />
<span style="color: #9fc5e8;"><span style="font-family: "arial" , "helvetica" , sans-serif;">And here's an example of Kerberos at work should the user try accessing Office 365 directly. They're briefly redirected to WS1, then handed back to Office 365 completed authenticated. </span></span><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="270" src="https://www.youtube.com/embed/Fx0yuhvwEsw" width="480"></iframe><br />
<br />
<br />
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px 'Helvetica Neue'}
</style></div>
EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com4tag:blogger.com,1999:blog-7411363718337372107.post-79914422289649547212019-02-12T20:36:00.001-08:002019-04-24T11:50:05.749-07:00UAG 3.4 Cascade Mode Deployment For VMware Tunnel Components<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; line-height: 18.0px; font: 13.0px 'Trebuchet MS'; color: #bbbbbb; -webkit-text-stroke: #bbbbbb}
span.s1 {font-kerning: none}
</style>
<br />
<span style="color: #9fc5e8;">This is a recipe for a UAG 3.4 Cascade mode deployment that supports the Tunnel Proxy and Per-App Tunnel features of Workspace One UEM (AirWatch). In this deployment model UAG appliances are deployed in pairs, with one sitting in the DMZ as a front-end server and a 2nd appliance sitting in the internal network as a back-end server. The front-end server helps authenticate connecting devices and relays traffic from the external world to the back-end server. The back-end server in turn reaches out directly to internal resources. These resources are then accessible to users on their mobile devices through the Web Workspace One app (AirWatch Browser) or through a Per-App VPN enabled app. Below is a diagram of Cascade mode, within a Workspace One UEM SaaS deployment, using the default external ports of 2020 for Tunnel Proxy traffic and 8443 for Per-App VPN Tunnel traffic.</span><br />
<div>
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJq5qo7cCCrDMCo9Jx-6c12C9B5vslQX4tihpbqkPKGKpAtHvFtgN2hycQaCL-FHh7cCdzdf25AGcwN7LPe-Au-wVsg2zu9unDzzUaDSuqnwHJEdaTDBhyphenhyphenaMtXVMd5ySyWHhdgSaBCGwYK/s1600/Screen+Shot+2019-02-09+at+2.01.36+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="626" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJq5qo7cCCrDMCo9Jx-6c12C9B5vslQX4tihpbqkPKGKpAtHvFtgN2hycQaCL-FHh7cCdzdf25AGcwN7LPe-Au-wVsg2zu9unDzzUaDSuqnwHJEdaTDBhyphenhyphenaMtXVMd5ySyWHhdgSaBCGwYK/s640/Screen+Shot+2019-02-09+at+2.01.36+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">If your deployment is not particularly challenged by draconian security policies, a double-hop DMZ, DNS restrictions or a spirt crushing bureaucracy, Cascade mode might not be worth the trouble. </span><span style="color: #9fc5e8;">Ideally, you should chat with your Workspace One UEM (AirWatch) rep to confirm if the security enhancements warrant the up front complexity and potential latency. All that said, there are certainly folks who need Cascade mode.</span><span style="color: #9fc5e8;"> It is for these undeterred, Git-R-Done IT souls I dedicate the following process below. </span><span style="color: #9fc5e8;">For guidance on a single appliance, basic endpoint UAG deployment for Per-App VPN check out this previous </span><a href="http://www.evengooder.com/2018/06/leveraging-vmware-horizons-unified.html" target="_blank">post</a><span style="color: #9fc5e8;">.</span></div>
<div>
<span style="color: #9fc5e8;"><br /></span>
<br />
<h2>
<span style="color: #9fc5e8;"><span style="font-size: large;">
Deployment Overview</span> </span></h2>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">The above diagram applies to Cascade mode deployments that use default ports. However, it's recommended to go ahead and leverage 443 for Per-App VPN traffic. Accordingly, the setup and traffic flow looks like this:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2g2bzI2sL_ly2aJOO4m0CVEtn8qJqhreRSot_SqJ_nCW8XgS0gjtxNJH6IDwyfm3DkOPJLIGgfjBFIPMR7m6LqliPRW7iRRAdXkJK7auKJXuTvH45OlRtaf_bXp2U9XXD5PUqXPLu6tZa/s1600/Screen+Shot+2019-02-09+at+2.03.08+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2g2bzI2sL_ly2aJOO4m0CVEtn8qJqhreRSot_SqJ_nCW8XgS0gjtxNJH6IDwyfm3DkOPJLIGgfjBFIPMR7m6LqliPRW7iRRAdXkJK7auKJXuTvH45OlRtaf_bXp2U9XXD5PUqXPLu6tZa/s640/Screen+Shot+2019-02-09+at+2.03.08+PM.png" width="632" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For your front-end appliance you'll need ports 443 and 2020 opened up to it's external interface. Also, it will need to have internet access to your Workspace One SaaS instance over 443. Finally, it's going to pass traffic to the back-end server over 443 and 2010. You'll need to allow the back-end appliance to receive this traffic, as well as ensure it has connectivity to any of the targeted internal resources. Further, while this internal back-end server isn't going to have any external traffic hit it directly, it's definitely going to need internet access to your Workspace One SaaS instances, just as with your front-end appliance. (Both appliances reach out to the Workspace One SaaS instance to retrieve their configurations.) Here's the specifics on the traffic rules, along with other system requirements: <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1811/VMare-Tunnel-on-Linux/GUID-AWT-TUNNEL-VA-REQS.html" target="_blank">System Requirements for Deploying VMware Tunnel with Unified Access Gateway</a>.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">My high level steps for this Cascade mode deployment are:</span><br />
<ol>
<li><span style="color: #9fc5e8;">Deploy Front-end UAG Appliance </span></li>
<li><span style="color: #9fc5e8;">Deploy Back-end UAG Appliance </span></li>
<li><span style="color: #9fc5e8;">Configure VMware Tunnel On The Workspace One UEM (AirWatch) Console </span></li>
<li><span style="color: #9fc5e8;">Configure VMware Tunnel Edge Services On Front-end Appliance</span></li>
<li><span style="color: #9fc5e8;">Configure VMware Tunnel Edge Services On Back-end Appliance</span></li>
<li><span style="color: #9fc5e8;">Deploy The VMware Tunnel App </span></li>
<li><span style="color: #9fc5e8;">Configure A Per-App Tunnel Profile For iOS </span></li>
<li><span style="color: #9fc5e8;">Configure Apps To Use The Per-App profile</span></li>
<li><span style="color: #9fc5e8;">Configure Tunnel Proxy On The Workspace One UEM (AirWatch) Console</span></li>
</ol>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
</div>
<h2>
<span style="color: #9fc5e8; font-size: large;">
Deploy Front-end UAG Appliance </span></h2>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">The simplest way to initially deploy and configure UAG is through the vSphere Web Client OVF deployment wizard and the gui on the UAG appliance itself. You can download the UAG appliance <a href="https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_unified_access_gateway/3_4" target="_blank">here from My VMware.</a> Or you can use the link provided in the Workspace One UEM (AirWatch) console under the VMware Tunnel Settings Configuration.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCNVltay1l4h_zUsIjZLHkXDjaJ1Ai_jabIRv_k6niCC733Wq91jdok55WiVJT5SaNIBKSXqsb28fCZ9K5rSwX1aw6_WiDbMCFfr6JWI2s7yyeMSc9k2vX1jJzNyZfgKOvefqyTnFXNk45/s1600/Screen+Shot+2019-02-09+at+4.30.44+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCNVltay1l4h_zUsIjZLHkXDjaJ1Ai_jabIRv_k6niCC733Wq91jdok55WiVJT5SaNIBKSXqsb28fCZ9K5rSwX1aw6_WiDbMCFfr6JWI2s7yyeMSc9k2vX1jJzNyZfgKOvefqyTnFXNk45/s640/Screen+Shot+2019-02-09+at+4.30.44+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">After downloading the UAG appliance fire up the vSphere Web Client and launch the Deploy OVF Template wizard.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimkYSWhsn37kEVzcQuys2I6gRgDL6dEu5Mz5hwAT2IsnporEcLOJ-k8KakyRusjHKHq1CT_dshfp8hdk0I8zMz4pxevvie1K6jJG4xsS1O-s4hlLfYV10hap0vwkqTzKVNIlHxLaJNuih7/s1600/Screen+Shot+2018-06-25+at+9.22.00+PM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimkYSWhsn37kEVzcQuys2I6gRgDL6dEu5Mz5hwAT2IsnporEcLOJ-k8KakyRusjHKHq1CT_dshfp8hdk0I8zMz4pxevvie1K6jJG4xsS1O-s4hlLfYV10hap0vwkqTzKVNIlHxLaJNuih7/s640/Screen+Shot+2018-06-25+at+9.22.00+PM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">When prompted browse to the UAG ova download and click next.</span><br />
<div>
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz7dNXlpzpOhSwtWfukuilm1l5zmhHow69YwLcinj4dsCcTAfX4n6apSBvJFnY1lSdOphyCQUPhHLAsd2tgQRf11onkr6zUM_w60zrMVdzbyYOpwmrL7hzbqCvdhDBnSpL8l2nHy6zwfDE/s1600/Screen+Shot+2018-06-25+at+9.27.22+PM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhz7dNXlpzpOhSwtWfukuilm1l5zmhHow69YwLcinj4dsCcTAfX4n6apSBvJFnY1lSdOphyCQUPhHLAsd2tgQRf11onkr6zUM_w60zrMVdzbyYOpwmrL7hzbqCvdhDBnSpL8l2nHy6zwfDE/s640/Screen+Shot+2018-06-25+at+9.27.22+PM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Provide a VM name for the appliance and select next.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJSW7dQzBfLm4g2S_Pw76UVE69bbN6FUWlyJRZiAxBdI-AbyAOPCqUcGZEy1etVBRBMq_Me_CndZJJ50UCv2KPx4FPbNiJagvdCzWXS6X3P91lto4dsb-TqVHcJkUeMnoQgxPLqyU7xRVf/s1600/Screen+Shot+2019-02-11+at+10.44.11+AM.png" imageanchor="1"><img border="0" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJSW7dQzBfLm4g2S_Pw76UVE69bbN6FUWlyJRZiAxBdI-AbyAOPCqUcGZEy1etVBRBMq_Me_CndZJJ50UCv2KPx4FPbNiJagvdCzWXS6X3P91lto4dsb-TqVHcJkUeMnoQgxPLqyU7xRVf/s640/Screen+Shot+2019-02-11+at+10.44.11+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Select a host or cluster for the appliance and select next.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwMbe6AHV4fuCK7G2vTD5IeL81D27msAm_UqiIkO_lt6xHsA6SNVsm_fwzKMhZPQ2QkrX51U-fz-945y6Bfm4sXswOLxSsSBk-rjQDHVZ8QBotnpWLAKYkJqLZliCkBiEEZdUdDeaxOEl3/s1600/Screen+Shot+2018-06-25+at+9.32.35+PM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwMbe6AHV4fuCK7G2vTD5IeL81D27msAm_UqiIkO_lt6xHsA6SNVsm_fwzKMhZPQ2QkrX51U-fz-945y6Bfm4sXswOLxSsSBk-rjQDHVZ8QBotnpWLAKYkJqLZliCkBiEEZdUdDeaxOEl3/s640/Screen+Shot+2018-06-25+at+9.32.35+PM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Review the details of the deployment and select next. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjwLM3VZbKUKKME_s6LdxsATnyjpOUKQPnm4aAqtzmkh3k9itlSOaOcfx2uzI6Ie0PYx6oKcBYpmCL5UhtxZQ721KVG-4fRAW-iSiB5yYKDFG37_Ym7z-rEVCqfkie9NkEVd2CVHaDioli/s1600/Screen+Shot+2018-06-25+at+9.33.32+PM.png"><span style="color: #9fc5e8;"></span></a>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4DDLUZQ88RYUf1c00eL9xQoiyC6olGXUXPCyQES8bhlv9ST87yH6KEEAxm2q_j0OQuTHr4N46aMnSCyFL3aTjLbvU7_hHe6DWH46OBFzwHtvCY8uD8_tdkkTD-CRVxMxD1TQjkmIR8ByC/s1600/Screen+Shot+2019-02-11+at+10.55.45+AM.png" imageanchor="1"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4DDLUZQ88RYUf1c00eL9xQoiyC6olGXUXPCyQES8bhlv9ST87yH6KEEAxm2q_j0OQuTHr4N46aMnSCyFL3aTjLbvU7_hHe6DWH46OBFzwHtvCY8uD8_tdkkTD-CRVxMxD1TQjkmIR8ByC/s640/Screen+Shot+2019-02-11+at+10.55.45+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">You'll be offered a choice of one, two or three NICs for the appliance. For a POC or lab go with a single NIC. For a production DMZ deployment pick two or three, so that internet-facing, management and back-end traffic land on separate networks and the admin interface on port 9443 can be confined to the management network.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim_Gz1uTgJcIHV3VOrVNiiFM41zKzjsHC-w-2J9KeYOyyGzfX0t1tIRIZkCHOt-4UUuf_CzxjElV_qhzR94u7JjEZ6_hbwStrAabgWwlsV5WbScd8wlTRZNqA8_3SSruoQQLYeWvW118Jn/s1600/Screen+Shot+2018-06-25+at+9.34.00+PM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim_Gz1uTgJcIHV3VOrVNiiFM41zKzjsHC-w-2J9KeYOyyGzfX0t1tIRIZkCHOt-4UUuf_CzxjElV_qhzR94u7JjEZ6_hbwStrAabgWwlsV5WbScd8wlTRZNqA8_3SSruoQQLYeWvW118Jn/s640/Screen+Shot+2018-06-25+at+9.34.00+PM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For storage, select the storage that screams at you the least and go with Thin provision.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimqbnx7oNDCS2DlgOzIsGaaFhl1n5Kaw-ChM-pBlGGuBJsD2zBjggCyJH5v-Cr-MNVp7F_SMvhFOz4L4l-SmhF5jMYSu4iT0miRgr6LRpy3Zhkl3AgwXQ8xHsyS25ILqTYdSzGm5J9GZLv/s1600/Screen+Shot+2018-06-25+at+9.36.06+PM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimqbnx7oNDCS2DlgOzIsGaaFhl1n5Kaw-ChM-pBlGGuBJsD2zBjggCyJH5v-Cr-MNVp7F_SMvhFOz4L4l-SmhF5jMYSu4iT0miRgr6LRpy3Zhkl3AgwXQ8xHsyS25ILqTYdSzGm5J9GZLv/s640/Screen+Shot+2018-06-25+at+9.36.06+PM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Confirm the virtual networks to leverage for the different types of traffic.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMxSkSDpbGQDHECzzIjQU5MJft8LY-WNKwYAiZV34t3jovWP6Z9JMYxAp9gpxnW3RPE7scIVZkPin4tA81yW-O2tDfVCMCB28_YA_ChyphenhyphenhZgeFHYu-sW39a09nKBySU78YScZqAwRK4_mq5/s1600/Screen+Shot+2018-06-25+at+9.37.19+PM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMxSkSDpbGQDHECzzIjQU5MJft8LY-WNKwYAiZV34t3jovWP6Z9JMYxAp9gpxnW3RPE7scIVZkPin4tA81yW-O2tDfVCMCB28_YA_ChyphenhyphenhZgeFHYu-sW39a09nKBySU78YScZqAwRK4_mq5/s640/Screen+Shot+2018-06-25+at+9.37.19+PM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Finally, for the most exciting part of the deployment, the customize template dialog. First off, disable CEIP because you're selfish. Minimize it and get started on the network properties. Skip the first two options about custom routes and forwarding rules. Enter your DNS server(s) and the appropriate IPMode (most likely STATICV4).</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSFbV093RgQ0oyHtSegy_rlgmEBc-jmQOuhGxHiiAT5L3aUdMohKaaY3TDeGLoLz1eKdyDvTN0ehkIKtzAy2St0r2t2m0GdXoR84SlJ-oUqd8I1qtXvqc4tHCGFkx920XllGzVeLLnkDQs/s1600/Screen+Shot+2018-06-25+at+9.42.02+PM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSFbV093RgQ0oyHtSegy_rlgmEBc-jmQOuhGxHiiAT5L3aUdMohKaaY3TDeGLoLz1eKdyDvTN0ehkIKtzAy2St0r2t2m0GdXoR84SlJ-oUqd8I1qtXvqc4tHCGFkx920XllGzVeLLnkDQs/s640/Screen+Shot+2018-06-25+at+9.42.02+PM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Scroll down further and enter a default gateway, IP address and subnet mask for the primary NIC. Also enter a hostname for the appliance.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXsC48B-vDxmR6PyGeAXu2BzhBoNz16jpApQFHSfFZXRVIv85SfIPShDDIejd0Uwrf57EFYyRDDJ4LQkZw9sLjKPxtKxX0oOR-gOLEHUf3bfe9rDolH_hmJ9DdcxNjsRgAd5ucbD3B-RTW/s1600/Screen+Shot+2018-06-25+at+9.44.08+PM.png"><span style="color: #9fc5e8;"></span></a>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq4r3gvZbHSdiIeCLZiabEIS3pyqxJQbmBY-YjWJMy_tb2qpsbNfKGTFsSi_RpVtxki0_bMUwylir4BGk7bgVigAPtM_2lGOyRVOH3jUKRK4scgCMMXAWBRFVeWzJdNz8bN0qASOcJpJGC/s1600/Screen+Shot+2019-02-11+at+11.01.01+AM.png" imageanchor="1"><img border="0" height="394" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq4r3gvZbHSdiIeCLZiabEIS3pyqxJQbmBY-YjWJMy_tb2qpsbNfKGTFsSi_RpVtxki0_bMUwylir4BGk7bgVigAPtM_2lGOyRVOH3jUKRK4scgCMMXAWBRFVeWzJdNz8bN0qASOcJpJGC/s640/Screen+Shot+2019-02-11+at+11.01.01+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Finally, expand the password options section and enter passwords for the admin account and the root account. The admin password is what you'll use for the web admin interface on port 9443; root is for the appliance console. Use strong, unique values for each and keep them out of shared documentation. Also select the proper edition of UAG. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDm_iwezd8_gLUlWQpjOvW7iakkQYrfFacqXF4V3iZoyxxIB1Ny_CQui0Hqweemn9I15iJDn3HI33TGLPn8F_yU_385vfqqWhO6nRjEzOaFv1RsdyAnltjW60ylOunjTS9F1kBnYtbAPGm/s1600/Screen+Shot+2018-06-25+at+9.46.06+PM.png"><span style="color: #9fc5e8;"></span></a>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT1VIlhmViGImktVtpCjrYMO32VbIkaV4n0UKsfy-vSMai7E7iZa9O4lbxe1d81aulhSDNUnyzThxWigEwI7RRMG6U3iQcyUNTUoPfdwn8WCTjd3VcYL7xw6z7wvHW7VzlfsEZksC-TmzK/s1600/Screen+Shot+2019-02-11+at+11.05.33+AM.png" imageanchor="1"><img border="0" height="392" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT1VIlhmViGImktVtpCjrYMO32VbIkaV4n0UKsfy-vSMai7E7iZa9O4lbxe1d81aulhSDNUnyzThxWigEwI7RRMG6U3iQcyUNTUoPfdwn8WCTjd3VcYL7xw6z7wvHW7VzlfsEZksC-TmzK/s640/Screen+Shot+2019-02-11+at+11.05.33+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Confirm all your options and select finish. </span><span style="color: #9fc5e8;">Power on your VM once the appliance's deployment is complete.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For additional details and guidance on UAG deployments, check out this excellent blog: <a href="http://www.carlstalhood.com/vmware-access-point/">http://www.carlstalhood.com/vmware-access-point/</a></span><br />
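<span style="color: #9fc5e8;">One check worth running before you feed the download to the Deploy OVF Template wizard is to verify the manifest inside the OVA. An OVA is just a tar archive holding the .ovf descriptor, the disk image(s) and a .mf manifest whose lines read SHA256(file)= hex (SHA1 in older packages), so a truncated or tampered download shows up as a digest mismatch. The script below is an added example, not code from this post or from VMware; the file names and contents in SAMPLE_FILES are constructed for the demonstration, and verifying the manifest complements, rather than replaces, checking the vendor's published checksum for the whole file.</span><br />

```python
# Added example (not from the original post or from VMware): verify the manifest
# embedded in an OVA before deploying it. An OVA is a plain tar archive holding
# the .ovf descriptor, the disk(s) and a .mf manifest whose lines read
#   SHA256(file)= <hex>     (SHA1 in older packages)
# A digest mismatch means a truncated or modified download.
import hashlib
import io
import re
import tarfile

MANIFEST_LINE = re.compile(
    r"^(?P<algo>SHA1|SHA256|SHA512)\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9A-Fa-f]+)\s*$"
)


def parse_manifest(text):
    """Map file name -> (hash algorithm, expected hex digest)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MANIFEST_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable manifest line: {line!r}")
        entries[m.group("name")] = (m.group("algo").lower(), m.group("digest").lower())
    return entries


def verify_ova(ova_bytes):
    """Return (ok, problems) for an OVA held in memory.

    Every file listed in the manifest must exist and hash correctly, and every
    payload file in the archive must be covered by the manifest (the manifest
    itself and a detached .cert signature are exempt).
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:*") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        manifests = [n for n in members if n.endswith(".mf")]
        if len(manifests) != 1:
            return False, [f"expected exactly one .mf manifest, found {manifests}"]
        manifest = parse_manifest(tar.extractfile(members[manifests[0]]).read().decode("utf-8"))
        if not manifest:
            return False, ["manifest is empty"]
        for name, (algo, expected) in manifest.items():
            member = members.get(name)
            if member is None:
                problems.append(f"{name}: listed in manifest but missing from archive")
                continue
            digest = hashlib.new(algo)
            stream = tar.extractfile(member)
            while True:
                chunk = stream.read(1 << 20)  # hash in 1 MiB pieces; real disks are multi-GB
                if not chunk:
                    break
                digest.update(chunk)
            if digest.hexdigest() != expected:
                problems.append(f"{name}: {algo} mismatch")
        for name in members:
            if name not in manifest and not name.endswith((".mf", ".cert")):
                problems.append(f"{name}: not covered by manifest")
    return (not problems), problems


# Constructed sample OVA contents for the demonstration; a real UAG OVA carries
# VMware's own file names and a multi-gigabyte VMDK.
SAMPLE_FILES = {
    "euc-uag.ovf": b"<Envelope/>",
    "euc-uag-disk1.vmdk": bytes(range(256)) * 8,
}


def build_sample_ova(files, tamper=None, unlisted=None):
    """Pack files into an in-memory OVA with a SHA256 manifest.

    tamper: name of a file to corrupt after its digest was recorded.
    unlisted: (name, data) of an extra file the manifest does not cover.
    """
    lines = [f"SHA256({name})= {hashlib.sha256(data).hexdigest()}" for name, data in files.items()]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, data in files.items():
            add(name, data + b"\x00" if name == tamper else data)
        add("euc-uag.mf", ("\n".join(lines) + "\n").encode("utf-8"))
        if unlisted:
            add(*unlisted)
    return buf.getvalue()


if __name__ == "__main__":
    print(verify_ova(build_sample_ova(SAMPLE_FILES)))
    print(verify_ova(build_sample_ova(SAMPLE_FILES, tamper="euc-uag-disk1.vmdk")))
```

<span style="color: #9fc5e8;">To use it on a real download, read the .ova into memory (or adapt verify_ova to take a path and open the tar from disk) and refuse to deploy on anything other than an empty problem list.</span><br />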
<span style="color: #9fc5e8;"><br /></span>
<br />
<h2>
<span style="color: #9fc5e8; font-size: large;">
Deploy Back-end UAG Appliance</span></h2>
<div>
<span style="color: #9fc5e8; font-size: large;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">The process for the initial deployment of a back-end UAG appliance is pretty much identical to the process for your front-end appliance, with the major differences being the UAG appliance name, IP addresses and location within the trusted network. Otherwise, replicate the procedure you just followed for the front-end appliance. Here's the confirmation screen from my back-end server named UAGBackEnd:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie7yuuJ0fmiqjLQLDwOCUNw_T9j_KkajcxdaIcmc7ORhWQLGZxDaqVxKqZKcvavIoegdqJOVN2V4GU5mFetuJJ1v8zEhmWib6X-i4m1Wt7DDa8EID3EOJV1FTQ7JivIH2r_C9PD9pjZIg-/s1600/Screen+Shot+2019-02-11+at+11.07.30+AM.png" imageanchor="1"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie7yuuJ0fmiqjLQLDwOCUNw_T9j_KkajcxdaIcmc7ORhWQLGZxDaqVxKqZKcvavIoegdqJOVN2V4GU5mFetuJJ1v8zEhmWib6X-i4m1Wt7DDa8EID3EOJV1FTQ7JivIH2r_C9PD9pjZIg-/s640/Screen+Shot+2019-02-11+at+11.07.30+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<h2>
<span style="color: #9fc5e8; font-size: large;">Configure VMware Tunnel On The Workspace One UEM (AirWatch) Console</span></h2>
<div>
<span style="color: #9fc5e8; font-size: large;"><br /></span></div>
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">To configure VMware Tunnel on your AirWatch Console, navigate to Groups And Settings --> System --> Enterprise Integration --> VMware Tunnel --> Configuration. Select override, then enable VMware Tunnel. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl7WJX3KUWTlR48_k6Gu-eUV0Es7eGd44r1F5uLrFYoymkwa3gJ_VWnB1802BsOM3pn8o4nlYBaImdIB8LW9dRWZj_4ZvvNijpN9ma05kvCuojA8ql0ZUURZ7Z_38f0HaOSKOQxLE-0CUy/s1600/Screen+Shot+2019-02-11+at+10.18.02+AM.png" imageanchor="1"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl7WJX3KUWTlR48_k6Gu-eUV0Es7eGd44r1F5uLrFYoymkwa3gJ_VWnB1802BsOM3pn8o4nlYBaImdIB8LW9dRWZj_4ZvvNijpN9ma05kvCuojA8ql0ZUURZ7Z_38f0HaOSKOQxLE-0CUy/s640/Screen+Shot+2019-02-11+at+10.18.02+AM.png" width="640" /></a></span><br />
<br />
<span style="color: #9fc5e8;">Click on the Configure button to start a wizard. Enable both Proxy and Per-App Tunnel. Select Relay-Endpoint for the Proxy Configuration Type and select Cascade for the VPN Configuration Type. (I know, it's a bit weird and confusing. I like to think of both of these types as Cascade, with Relay-Endpoint just being a special name for a Proxy Tunnel Cascade deployment.)</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGxOD9oJv-m27kNFDdoODyhTa6FWpG9kQzn0sTRm_XnwddyRJ_8o3CgjUr_1nDCOR65z40GxaMD5wEQfTwo8E3jFQQtuWXqpPiQXtxH5t0X0_kSPsQsbRGbDJsitqSkbaJD15HY4QVnYXQ/s1600/Screen+Shot+2019-02-11+at+10.19.23+AM.png" imageanchor="1"><img border="0" height="406" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGxOD9oJv-m27kNFDdoODyhTa6FWpG9kQzn0sTRm_XnwddyRJ_8o3CgjUr_1nDCOR65z40GxaMD5wEQfTwo8E3jFQQtuWXqpPiQXtxH5t0X0_kSPsQsbRGbDJsitqSkbaJD15HY4QVnYXQ/s640/Screen+Shot+2019-02-11+at+10.19.23+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"></span><br />
<span style="color: #9fc5e8;">The next Details screen is the most interesting and involved portion of the wizard. For "Relay Hostname" and "Frontend Hostname," provide the DNS name your external devices will connect to. For "Endpoint Hostname" and "Backend Hostname," provide the internal DNS name of your back-end UAG appliance; this is where the front-end UAG appliance forwards traffic. Only the relay/front-end name should resolve from the internet; keep the back-end name in internal DNS. (For very useful descriptions of these fields, check out this <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1811/VMare-Tunnel-on-Linux/GUID-AWT-CONFIGURELNX.html" target="_blank">section from the VMware Tunnel On Linux Guide</a>.) In my environment, the front-end appliance has the external DNS of connect.evengooder.com, while the back-end appliance resolves internally to uagbackend.lab.local. Accordingly, this is how I've filled out the wizard: </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ88A3dnnigLxQKRbba-u0OF9Jg6YGveL5HwBG7juVmR_xba89G5c39__uJWPciMC1WfViN7cuNY0Xp35MyYMF9MPATplXPzcPx-A0TVURTK0HVh0KlqjM8Gj534WRkzuGOni4hcDDymBb/s1600/Screen+Shot+2019-02-11+at+12.09.34+PM.png" imageanchor="1"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ88A3dnnigLxQKRbba-u0OF9Jg6YGveL5HwBG7juVmR_xba89G5c39__uJWPciMC1WfViN7cuNY0Xp35MyYMF9MPATplXPzcPx-A0TVURTK0HVh0KlqjM8Gj534WRkzuGOni4hcDDymBb/s640/Screen+Shot+2019-02-11+at+12.09.34+PM.png" width="640" /></a><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">Next, go with the default of using AirWatch certificates. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQx9CP1AVkHOPsp7nNs012mVvJkC0crRxgD_WDvMRtQYY13CBelU2Hmu57dg4ixRuX97jJUMa_vcC-QbINx-KR2Sim5gZICTrGckPDHFJ1tmcQyzVhYHLLK8QuoW0YV6r1goINL2ARMLRD/s1600/Screen+Shot+2019-02-11+at+12.13.56+PM.png" imageanchor="1"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQx9CP1AVkHOPsp7nNs012mVvJkC0crRxgD_WDvMRtQYY13CBelU2Hmu57dg4ixRuX97jJUMa_vcC-QbINx-KR2Sim5gZICTrGckPDHFJ1tmcQyzVhYHLLK8QuoW0YV6r1goINL2ARMLRD/s640/Screen+Shot+2019-02-11+at+12.13.56+PM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">For the authentication portion of the wizard, again, go with the default of using AirWatch issued certificates. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmkkg_0QTytuiTqLAAOmBr0JSE6I4Uv0oepQBQ8bX0qMk6JyGFf4EeUoa7h90SNdpiwAHMkP2w0tru6AvigforJwLry47AHCXQ1yQnpTjEYoeNeWoT08DhPIlJEDQJMew7zDf-0MIVb-QR/s1600/Screen+Shot+2019-02-11+at+12.14.04+PM.png" imageanchor="1"><img border="0" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmkkg_0QTytuiTqLAAOmBr0JSE6I4Uv0oepQBQ8bX0qMk6JyGFf4EeUoa7h90SNdpiwAHMkP2w0tru6AvigforJwLry47AHCXQ1yQnpTjEYoeNeWoT08DhPIlJEDQJMew7zDf-0MIVb-QR/s640/Screen+Shot+2019-02-11+at+12.14.04+PM.png" width="640" /></a></span><br />
<br />
<span style="color: #9fc5e8;">Under miscellaneous go with the defaults again. </span></div>
<div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS8_WQx8duJkDXZ2oGL9gWaWY4v35QXxkriie71A4tvl02bhwOPey_7wYUVwr3TWEgsRhdG90uOlEjFdLsA2n5WgPgrZ3lbKVZytBcIjy_rKUrQeI9ZZM1E7HacDmiEsNaatgYpjnG8lom/s1600/Screen+Shot+2019-02-11+at+12.14.26+PM.png" imageanchor="1"><img border="0" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS8_WQx8duJkDXZ2oGL9gWaWY4v35QXxkriie71A4tvl02bhwOPey_7wYUVwr3TWEgsRhdG90uOlEjFdLsA2n5WgPgrZ3lbKVZytBcIjy_rKUrQeI9ZZM1E7HacDmiEsNaatgYpjnG8lom/s640/Screen+Shot+2019-02-11+at+12.14.26+PM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Confirm your summary and save. If all goes well, you'll see the settings permanently stick under configuration. </span><br />
<br />
<br /></div>
<h2>
</h2>
<h2>
<span style="color: #9fc5e8; font-size: large;">
Configure VMware Tunnel Edge Services On Front-end Appliance</span></h2>
<div>
<br /></div>
<span style="color: #9fc5e8;">After the initial OVF deployments, you can further configure the UAG appliances in a browser by navigating to https://APPLIANCE_HOSTNAME_OR_IP:9443/admin/index.html. Restrict access to port 9443 to your management network; the admin interface should never be reachable from the internet. To begin with, log in to your front-end server with the admin account and whatever password you specified for it in the OVF wizard.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQkaWBgLIKuFAsZQjhTTa9UshyENlOFJXVg1q6XZQf5G61XcCzLPILOV3q5fZaHbUDU_i34jcqfxx7uDj_QlJU9jz8_71a3jWjN46GFijnGddicRe2p8kA8gnTvmiyznAVeZee6fzTFlAK/s1600/Screen+Shot+2018-06-25+at+9.05.09+PM.png"><span style="color: #9fc5e8;"></span></a>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVJd2dYyzxg0ouf8L9IjBB-9Fh0WRkY2SCQ5CJVa6zhLRbtLyBYYG_vN9tPdD-xntApNNn94I0etTRopT7DXqirs8AQqcmMgT_g5xHrHhOA5eeD8BwbpAMNGQwLL4WNec2aszPlg86awY6/s1600/Screen+Shot+2019-02-12+at+12.35.23+AM.png" imageanchor="1"><img border="0" height="436" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVJd2dYyzxg0ouf8L9IjBB-9Fh0WRkY2SCQ5CJVa6zhLRbtLyBYYG_vN9tPdD-xntApNNn94I0etTRopT7DXqirs8AQqcmMgT_g5xHrHhOA5eeD8BwbpAMNGQwLL4WNec2aszPlg86awY6/s640/Screen+Shot+2019-02-12+at+12.35.23+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">After a successful login select the option to configure manually. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsqhLGbZjlQyFuqh8fslzGz6CTbX280RfnkVfNBv1DHD1PZz7xDPEEx6QV9JHoolUtSR2XoRQYEOmT5LYu9k4TRbIDkA-hG2myqo1zBnEhb5Vkn4_wMYiHZXkRTOCYQivxONeyDiL1Qgl9/s1600/Screen+Shot+2019-02-12+at+9.02.29+AM.png" imageanchor="1"><img border="0" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsqhLGbZjlQyFuqh8fslzGz6CTbX280RfnkVfNBv1DHD1PZz7xDPEEx6QV9JHoolUtSR2XoRQYEOmT5LYu9k4TRbIDkA-hG2myqo1zBnEhb5Vkn4_wMYiHZXkRTOCYQivxONeyDiL1Qgl9/s640/Screen+Shot+2019-02-12+at+9.02.29+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Next, click on the gear icon associated with, "VMware Tunnel Settings." </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB7qdx0h6YzbqVJGRI4tkcUIeDUTCrzZeGjhwDqDEOlz38db9wt2-f0WIm4bwdusIkNUlxT1aZii8CE2SiWLlFrFh_8zw9smLwOn1zDlD5PkQ4HpxmwP8Et2lWfEL34LRByuywj_h4O0iZ/s1600/Screen+Shot+2019-02-12+at+12.13.36+AM.png" imageanchor="1"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB7qdx0h6YzbqVJGRI4tkcUIeDUTCrzZeGjhwDqDEOlz38db9wt2-f0WIm4bwdusIkNUlxT1aZii8CE2SiWLlFrFh_8zw9smLwOn1zDlD5PkQ4HpxmwP8Et2lWfEL34LRByuywj_h4O0iZ/s640/Screen+Shot+2019-02-12+at+12.13.36+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For the API Server URL enter the console URL of your Workspace ONE UEM (AirWatch) instance. For the API Server Username and Password enter credentials of a UEM admin account with Console Administrator privileges at minimum. Make this a dedicated service account used only by the UAG appliances rather than a personal admin login, since the credentials are stored on each appliance. (In my environment, I created a basic admin account of Acct4Tunnel and made sure it had console administrator privileges.) Your Organization Group ID can be determined by going to Groups And Settings --> Groups --> Organization Groups --> Organization Group Details. Finally, for Tunnel Server Hostname, enter the external DNS name of the UAG front-end appliance you specified in the Tunnel Configuration wizard on the console. The final configuration of VMware Tunnel Settings on your UAG appliance should look something like this:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgg9wVbnMlCNh5HZoLn4sbFNKs_OQSZy79dx3jXdSS7dA14-gMhDGkiXCa_8DPeNDbJ0p8W044OOmSR46eG74nIiNjfDplscjhpw0VTSRapkWWXWf-2ZkW_VDVKrGZf6hNnYWNX3MEwcKAy/s1600/Screen+Shot+2018-06-25+at+9.20.19+AM.png"><span style="color: #9fc5e8;"></span></a>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9zd9jOKQhS1oiuat5BOuvTUUBUodoiWZmafEupYr1FsiifSP11UVAwWmt7Cr8oYXHsfjDRJk0QVI4BbIOSB5ElIbeF1xVgUxkY2uWlstLVLVca2DQrlXTsMem8E487f-7qQe4QiiH3BrR/s1600/Screen+Shot+2019-02-11+at+10.11.32+AM.png" imageanchor="1"><img border="0" height="382" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9zd9jOKQhS1oiuat5BOuvTUUBUodoiWZmafEupYr1FsiifSP11UVAwWmt7Cr8oYXHsfjDRJk0QVI4BbIOSB5ElIbeF1xVgUxkY2uWlstLVLVca2DQrlXTsMem8E487f-7qQe4QiiH3BrR/s640/Screen+Shot+2019-02-11+at+10.11.32+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">After configuring these settings there should be a happy green circle next to your VMware Tunnel Settings.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFz_bd_F6WcSdK5eAFZwAAwWWjLjLgPCsssQdkivsGTwKcHtg0orNpTMkpl9Ul7UAsNIvqFXAEkaobkpJEBXeAE2Vuh23ls74uyVzMvvp4oZ1CDDoUGQY04BrXu68JfM56XYABysCDG3nB/s1600/Screen+Shot+2018-06-25+at+9.22.57+AM.png"><span style="color: #9fc5e8;"></span></a>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUqiSWShFs52AY4VerlFvGVnVIuETl1DYV7yJON0MXwPZb7aRoy_aRust_SGGd8m-ENb6cZ90bFewG3fCTUKFV2cRxox1_4ZUJXlBbmhc1EUOfSX2NGqFnWx8hmSNuNEgK1J5puUFEI4yG/s1600/Screen+Shot+2019-02-11+at+10.12.48+AM.png" imageanchor="1"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUqiSWShFs52AY4VerlFvGVnVIuETl1DYV7yJON0MXwPZb7aRoy_aRust_SGGd8m-ENb6cZ90bFewG3fCTUKFV2cRxox1_4ZUJXlBbmhc1EUOfSX2NGqFnWx8hmSNuNEgK1J5puUFEI4yG/s640/Screen+Shot+2019-02-11+at+10.12.48+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">To further confirm things are working properly, you can also do a connection test from the AirWatch console. Go back to the VMware Tunnel Configuration settings, under Proxy (App Wrapping/Browser/SDK), and click the "Test Connection" button.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdW2l5nAMsU5Li-Sgu_SHhsPISQqaGy9YZItdvbN9NMmOcmktMW1PUbgvC_gaBCj6FDIGbScuGxsz8PnpjEWtdyVridOAKLEGAKaX0QTgCG7zIf76yFwK9kM-u5Gm4mkxkNZvCxsbxmjfX/s1600/Screen+Shot+2019-02-11+at+12.29.29+PM.png" imageanchor="1"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdW2l5nAMsU5Li-Sgu_SHhsPISQqaGy9YZItdvbN9NMmOcmktMW1PUbgvC_gaBCj6FDIGbScuGxsz8PnpjEWtdyVridOAKLEGAKaX0QTgCG7zIf76yFwK9kM-u5Gm4mkxkNZvCxsbxmjfX/s640/Screen+Shot+2019-02-11+at+12.29.29+PM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">You'll get a result like this: </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNuCor08YNrJLchyphenhyphenf2VVyWwTcEjsS92Xxm2-o011-hBBnqoD7GIicW1tE4tJUJeEv9Z0zMfPNxWABrVeTpXMcXfgl7c23LYaV8pVyEx-j9EebC2QQNuW_ML-spT25ovI-Iq9hxuN5fEyg3/s1600/Screen+Shot+2019-02-11+at+2.18.20+PM.png" imageanchor="1"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNuCor08YNrJLchyphenhyphenf2VVyWwTcEjsS92Xxm2-o011-hBBnqoD7GIicW1tE4tJUJeEv9Z0zMfPNxWABrVeTpXMcXfgl7c23LYaV8pVyEx-j9EebC2QQNuW_ML-spT25ovI-Iq9hxuN5fEyg3/s640/Screen+Shot+2019-02-11+at+2.18.20+PM.png" width="640" /></a></span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqjLIfo7BdddUOBn5091qhDocSf6j6TunBS5xQY4OBlztDRzdMe9hCNHbvxumn2D0GEPhwtxtRaqp6gXhn0vdAvVKgfHzKHd68ZFm85Xx-OfDZXwtrkZ3gJM0Q2uc-SVd2RypeLq5pMDtA/s1600/Screen+Shot+2018-06-25+at+9.23.57+AM.png"><span style="color: #9fc5e8;"></span></a>
<span style="color: #9fc5e8;">At first the red might seem alarming, but it makes sense at this point given we haven't configured the back-end appliance yet. However, these results do confirm the front-end appliance is communicating with the Workspace One SaaS instance. We also know the Workspace One console is able to communicate back to the UAG external interface on port 2020. The next step is to make these red messages go away by configuring the VMware Tunnel Edge Services on the back-end UAG appliance. </span><br />
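<span style="color: #9fc5e8;">The console's Test Connection tells you what the SaaS side can reach; it does not tell you what else the front-end appliance is exposing. The script below is an added example, not code from this post or from VMware: run it from the internet (or a network that mimics it) against the front-end name and confirm that the tunnel port answers while the admin interface on 9443 does not. The port profile is an assumption built from what this post shows (2020 for the proxy tunnel, 9443 for the admin UI) plus 22 for SSH, which is off by default on UAG; add the Per-App Tunnel port you configured and adjust the rest to your environment. The probe function is injectable so the logic can be exercised without a network.</span><br />

```python
# Added example (not from the original post or from VMware): from a chosen
# vantage point, confirm that only the ports a role is supposed to expose
# answer, and in particular that the admin interface on 9443 does not answer
# from the internet. Port numbers below are assumptions drawn from the post
# (2020 proxy tunnel, 9443 admin UI) plus 22 for SSH; adjust to your setup.
import socket


def tcp_probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (RST) or 'filtered' (no answer) for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def audit_exposure(host, must_be_open, must_not_answer, probe=tcp_probe):
    """Return findings as (port, state, reason) tuples; an empty list means the
    host exposes exactly what the profile expects from this vantage point.

    probe is injectable (same signature as tcp_probe) for offline testing.
    """
    findings = []
    for port in sorted(must_be_open):
        state = probe(host, port)
        if state != "open":
            findings.append((port, state, "expected service port is not reachable"))
    for port in sorted(must_not_answer):
        state = probe(host, port)
        if state == "open":
            findings.append((port, state, "port must not be reachable from this vantage point"))
    return findings


# Assumed profile for the front-end appliance as seen from the internet.
FRONTEND_FROM_INTERNET = {"must_be_open": {2020}, "must_not_answer": {9443, 22}}


def summarize(host, findings):
    if not findings:
        return f"{host}: exposure matches the expected profile"
    return "\n".join(f"{host}:{port} is {state}: {why}" for port, state, why in findings)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: uag_exposure.py <front-end public hostname>")
    target = sys.argv[1]
    print(summarize(target, audit_exposure(target, **FRONTEND_FROM_INTERNET)))
```

<span style="color: #9fc5e8;">A reachable 9443 from the outside is a finding to fix before go-live, not a warning to note; with a multi-NIC deployment the admin interface belongs on the management network only.</span><br />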
<br />
<br />
<h2>
<span style="color: #9fc5e8; font-size: large;">Configure VMware Tunnel Edge Services On Back-end Appliance</span></h2>
<div>
<br />
<br /></div>
<div>
<span style="color: #9fc5e8;"><span style="color: #9fc5e8;">Just as with the front-end UAG appliance, begin your configuration of the back-end appliance by pointing your browser at </span><span style="color: #9fc5e8;">https://APPLIANCE_HOSTNAME_OR_IP:9443/admin/index.html and logging in as admin. </span></span><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrufPsr5-b4c5VzStTAlip1u-WnbMJ4GDWZbHOK30VQKrMNqcNBS6tLkQFSevR7U3tRqVchbZlPWuhN5j2mgpMgruYQ_4lKOSD2HHjFfV1BESzVNkds6UP-trCjan7D4cxObqLDhEbfOo4/s1600/Screen+Shot+2019-02-12+at+12.19.07+AM.png" imageanchor="1"><img border="0" height="436" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrufPsr5-b4c5VzStTAlip1u-WnbMJ4GDWZbHOK30VQKrMNqcNBS6tLkQFSevR7U3tRqVchbZlPWuhN5j2mgpMgruYQ_4lKOSD2HHjFfV1BESzVNkds6UP-trCjan7D4cxObqLDhEbfOo4/s640/Screen+Shot+2019-02-12+at+12.19.07+AM.png" width="640" /></a></span></span><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="color: #9fc5e8;">After a successful login select the option to configure manually. </span></span><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKVWHRiTlVWVpQFchX-hLoJLZ0XTak14QtXo1ztk4mDbZ7ZyQMYV5-qgCQV7P1qtXv1-tXwjgIMseR7cmXy8vHvjdgLhxbLB1ImwOOHB58SK9Pc_mHBG5wAKSKeabE5IAOxkwjW1iWAehE/s1600/Screen+Shot+2019-02-12+at+9.02.29+AM.png" imageanchor="1"><img border="0" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKVWHRiTlVWVpQFchX-hLoJLZ0XTak14QtXo1ztk4mDbZ7ZyQMYV5-qgCQV7P1qtXv1-tXwjgIMseR7cmXy8vHvjdgLhxbLB1ImwOOHB58SK9Pc_mHBG5wAKSKeabE5IAOxkwjW1iWAehE/s640/Screen+Shot+2019-02-12+at+9.02.29+AM.png" width="640" /></a></span></span><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="color: #9fc5e8;">Under General Settings click show next to the Edge Service Settings, then click the gear for VMware Tunnel Settings.</span></span><br />
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-UdkKsZv5DhWjs7EHa6ABzEwIZEdi94OZ6wjfCGzYslRxtr_iHtfSiXVBBaP0YPGi7tM9vXpr4jbnC541-tn6EjyO4mcQ-JVajEbZZJYqiYvli0RZfCrVRpOPO7Ae46OTL6TSt4Gqkaw_/s1600/Screen+Shot+2019-02-12+at+12.13.36+AM.png" imageanchor="1"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-UdkKsZv5DhWjs7EHa6ABzEwIZEdi94OZ6wjfCGzYslRxtr_iHtfSiXVBBaP0YPGi7tM9vXpr4jbnC541-tn6EjyO4mcQ-JVajEbZZJYqiYvli0RZfCrVRpOPO7Ae46OTL6TSt4Gqkaw_/s640/Screen+Shot+2019-02-12+at+12.13.36+AM.png" width="640" /></a></span></div>
<div>
<span style="color: #9fc5e8;"></span></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Here you'll fill out the VMware Tunnel Settings almost exactly the same as on the front-end appliance. The major difference in configuration will be the Tunnel Server Hostname. For that you'll enter in the internal DNS address of the back-end UAG appliance. </span><br />
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcnPyYol5kwC7SfCgcDj5erCy9Vj49QVluETqEFSDwmpZny1ZJtuIj4_LqVJ9XcutKCR6UfgCktq4EIwxkuSQ-8z0LNfE5e9XX7d-XUhOcJIO0A_HMPVw_gFWdzXeAQ59ttMEnkHTwwwa_/s1600/Screen+Shot+2019-02-11+at+2.41.06+PM.png" imageanchor="1"><img border="0" height="444" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcnPyYol5kwC7SfCgcDj5erCy9Vj49QVluETqEFSDwmpZny1ZJtuIj4_LqVJ9XcutKCR6UfgCktq4EIwxkuSQ-8z0LNfE5e9XX7d-XUhOcJIO0A_HMPVw_gFWdzXeAQ59ttMEnkHTwwwa_/s640/Screen+Shot+2019-02-11+at+2.41.06+PM.png" width="640" /></a></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">After hitting save you should get a happy green dot next to VMware Tunnel Settings. </span></div>
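<span style="color: #9fc5e8;">By this point the same hostnames have been typed into three places: the console wizard's Details page, the front-end appliance's VMware Tunnel Settings and the back-end appliance's VMware Tunnel Settings. The most common ways a cascade quietly breaks are a back-end configured with the public name, both appliances configured with the same Tunnel Server Hostname, or an internal name leaking into the relay fields. The linter below is an added example, not code from this post or from VMware; it cross-checks the three configurations. Field names mirror the labels in this post, the sample values reuse the lab names above, the API URL and Organization Group ID are placeholders, and INTERNAL_SUFFIXES is an assumption you should set to the DNS suffixes that must never be published to the internet.</span><br />

```python
# Added example (not from the original post or from VMware): cross-check the
# three places a Relay-Endpoint / Cascade Tunnel deployment is configured:
# the UEM console wizard, the front-end UAG's VMware Tunnel Settings and the
# back-end UAG's VMware Tunnel Settings. INTERNAL_SUFFIXES is an assumption
# for the lab in the post; set it to your own internal DNS suffixes.
from dataclasses import dataclass

INTERNAL_SUFFIXES = (".lab.local", ".local", ".internal")  # assumption; edit for your environment


@dataclass(frozen=True)
class ConsoleTunnelConfig:
    """Details page of the console wizard (Proxy and Per-App Tunnel)."""
    relay_hostname: str
    endpoint_hostname: str
    frontend_hostname: str
    backend_hostname: str


@dataclass(frozen=True)
class UagTunnelSettings:
    """VMware Tunnel Settings on one UAG appliance."""
    api_server_url: str
    api_server_username: str
    organization_group_id: str
    tunnel_server_hostname: str


def _internal(host):
    return host.lower().endswith(INTERNAL_SUFFIXES)


def _same(a, b):
    return a.strip().lower() == b.strip().lower()


def lint_cascade(console, frontend, backend):
    """Return a list of findings; an empty list means the three configs agree."""
    findings = []
    # The front-end appliance must answer to the public name devices connect to.
    for label, public in (("Relay Hostname", console.relay_hostname),
                          ("Frontend Hostname", console.frontend_hostname)):
        if not _same(frontend.tunnel_server_hostname, public):
            findings.append(f"front-end Tunnel Server Hostname differs from console {label}")
        if _internal(public):
            findings.append(f"console {label} {public!r} uses an internal DNS suffix")
    # The back-end appliance must answer to the internal name the front-end forwards to.
    for label, internal in (("Endpoint Hostname", console.endpoint_hostname),
                            ("Backend Hostname", console.backend_hostname)):
        if not _same(backend.tunnel_server_hostname, internal):
            findings.append(f"back-end Tunnel Server Hostname differs from console {label}")
        if not _internal(internal):
            findings.append(f"console {label} {internal!r} does not use an internal DNS suffix")
    # A cascade needs two distinct appliances; the same name on both collapses it.
    if _same(console.relay_hostname, console.endpoint_hostname):
        findings.append("Relay Hostname and Endpoint Hostname are the same host")
    if _same(frontend.tunnel_server_hostname, backend.tunnel_server_hostname):
        findings.append("front-end and back-end appliances use the same Tunnel Server Hostname")
    # Both appliances must talk to the same console, over TLS, for the same OG.
    for role, uag in (("front-end", frontend), ("back-end", backend)):
        if not uag.api_server_url.lower().startswith("https://"):
            findings.append(f"{role} API Server URL is not https")
    if not _same(frontend.api_server_url, backend.api_server_url):
        findings.append("appliances point at different API Server URLs")
    if not _same(frontend.organization_group_id, backend.organization_group_id):
        findings.append("appliances use different Organization Group IDs")
    return findings


# Constructed sample mirroring the post's lab names; the API Server URL and the
# Organization Group ID are placeholders, not values from the post.
SAMPLE_CONSOLE = ConsoleTunnelConfig(
    relay_hostname="connect.evengooder.com",
    endpoint_hostname="uagbackend.lab.local",
    frontend_hostname="connect.evengooder.com",
    backend_hostname="uagbackend.lab.local",
)
SAMPLE_FRONTEND = UagTunnelSettings(
    "https://uem.example.com", "Acct4Tunnel", "EXAMPLEOG", "connect.evengooder.com")
SAMPLE_BACKEND = UagTunnelSettings(
    "https://uem.example.com", "Acct4Tunnel", "EXAMPLEOG", "uagbackend.lab.local")

if __name__ == "__main__":
    for finding in lint_cascade(SAMPLE_CONSOLE, SAMPLE_FRONTEND, SAMPLE_BACKEND) or ["OK"]:
        print(finding)
```

<span style="color: #9fc5e8;">Feed it the values you actually saved and clear every finding before you retry Test Connection; a green dot on each appliance only says the appliance reached the API, not that the two appliances agree with the console about who forwards to whom.</span><br />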
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhghY1mfAxpCtYUKdzdqXRbrxbRkeYw88HD-3ZbuAThjM-qTa0Ow23otmXpx44oHhy0HNrLScwE6gub70E-bi7HhzUsAnPM6yxs7gZoSm1Ky5dshrTDnLmSqFAX56AAuLP927oonRe3O-th/s1600/Screen+Shot+2019-02-11+at+10.12.48+AM.png" imageanchor="1"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhghY1mfAxpCtYUKdzdqXRbrxbRkeYw88HD-3ZbuAThjM-qTa0Ow23otmXpx44oHhy0HNrLScwE6gub70E-bi7HhzUsAnPM6yxs7gZoSm1Ky5dshrTDnLmSqFAX56AAuLP927oonRe3O-th/s640/Screen+Shot+2019-02-11+at+10.12.48+AM.png" width="640" /></a></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Now, go back to the Workspace One console and navigate to </span><span style="color: #9fc5e8;">Groups And Settings --> System --> Enterprise Integration --> VMware Tunnel --> Configuration. From here, give the Test Connection option for Proxy another try. Here's a sample of a successful test. </span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLcGdbZe0noctlFQP1P_RmSJfi9alpvhELd_i7vSfwlmeoENs3W03rz09Q9tMf9VGb1iiR3caZ24sI6YGsoQrb9zjreO1UZsMZka5TDXxLkPuelo5spLM4T92O6BJE3XKN3S1drYdglJt/s1600/Screen+Shot+2019-02-11+at+2.46.21+PM.png" imageanchor="1"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLcGdbZe0noctlFQP1P_RmSJfi9alpvhELd_i7vSfwlmeoENs3W03rz09Q9tMf9VGb1iiR3caZ24sI6YGsoQrb9zjreO1UZsMZka5TDXxLkPuelo5spLM4T92O6BJE3XKN3S1drYdglJt/s640/Screen+Shot+2019-02-11+at+2.46.21+PM.png" width="640" /></a></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">You'll see similar positive results for the Per-App tunnel test. (This test is located directly below the Proxy configuration info.) </span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-NBw77Scxa4ulCjDC1VSb7AmjMFHO-oYBhhTEPi8HiDr-MCupFSreAyJkC2fJqVN2XFl0upnUdeQrhMPtUBMavPgE_e1pZr7_IUcMevKyet3B_Zi2ggMmaUrbNf3n0_vzcXuwoxNBtxQS/s1600/Screen+Shot+2019-02-11+at+2.49.06+PM.png" imageanchor="1"><img border="0" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-NBw77Scxa4ulCjDC1VSb7AmjMFHO-oYBhhTEPi8HiDr-MCupFSreAyJkC2fJqVN2XFl0upnUdeQrhMPtUBMavPgE_e1pZr7_IUcMevKyet3B_Zi2ggMmaUrbNf3n0_vzcXuwoxNBtxQS/s640/Screen+Shot+2019-02-11+at+2.49.06+PM.png" width="640" /></a></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">After hitting Test Connection you'll hopefully see successful connections from both your front-end and back-end appliances to the Workspace One SaaS environment. </span></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivD3XCkvCkJMef-I65UiBjbZcXY6oVrwPMcq_eKxmhbcgyBNh1mflRcQRTN3Wj6JaXKhCgfAnpk2FE46IhdRvQFi2Z7dG6h_Ycpp_HVEUmp0wnhTNTH9K4fSRnx98eHCZpjBhVX0by_ZlV/s1600/Screen+Shot+2019-02-11+at+2.50.38+PM.png" imageanchor="1"><img border="0" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivD3XCkvCkJMef-I65UiBjbZcXY6oVrwPMcq_eKxmhbcgyBNh1mflRcQRTN3Wj6JaXKhCgfAnpk2FE46IhdRvQFi2Z7dG6h_Ycpp_HVEUmp0wnhTNTH9K4fSRnx98eHCZpjBhVX0by_ZlV/s640/Screen+Shot+2019-02-11+at+2.50.38+PM.png" width="640" /></a></span></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggFWXcK1KudDVJfdNKBmrRPyqzY_AgZNxwfVVMK6Y5qDEGdVE_dgVR0MV2XVSYawzWtrBSFg1l1r1MAb3VgsHXtdeIL33EvltZoEyIQzpDx_nasNOkuEra_55qNZ-tb_azW725xJ2TLz-H/s1600/Screen+Shot+2019-02-11+at+2.51.00+PM.png" imageanchor="1"><img border="0" height="34" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggFWXcK1KudDVJfdNKBmrRPyqzY_AgZNxwfVVMK6Y5qDEGdVE_dgVR0MV2XVSYawzWtrBSFg1l1r1MAb3VgsHXtdeIL33EvltZoEyIQzpDx_nasNOkuEra_55qNZ-tb_azW725xJ2TLz-H/s640/Screen+Shot+2019-02-11+at+2.51.00+PM.png" width="640" /></a></div>
<div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span></div>
<h2>
<span style="color: #9fc5e8; font-size: large;">
Deploy the VMware Tunnel App</span></h2>
<div>
<span style="color: #9fc5e8; font-size: large;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<span style="color: #9fc5e8;">A prerequisite for leveraging Per-App VPN on a device is to have the VMware Tunnel App installed. You don't need to configure it specifically at this point, just get it pushed out. So, go to Apps And Books -> Native -> Public. There, do a search for VMware Tunnel.</span></div>
<div>
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFMWAJWDDNWCkeNq03WM8zfk2QyGadI4ePdduN5f94GYtIUv4klDdSdgIke05bD5NA2ytOnczGjlqi2A4VEMybho_YutwvIsnHUslOwnA22s0n7HEvMQN6LigpfKs0yEDWz92uir-7KeSV/s1600/Screen+Shot+2018-06-24+at+7.47.22+AM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFMWAJWDDNWCkeNq03WM8zfk2QyGadI4ePdduN5f94GYtIUv4klDdSdgIke05bD5NA2ytOnczGjlqi2A4VEMybho_YutwvIsnHUslOwnA22s0n7HEvMQN6LigpfKs0yEDWz92uir-7KeSV/s640/Screen+Shot+2018-06-24+at+7.47.22+AM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Click on the hyperlink for the iOS version, then navigate to the Assignment tab. From there you can add an assignment of the app to the appropriate assignment group. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7V3XAhM6cucPPPLnSA8X9ddFV5sWcA-9BxQ-rnB20eZG21cLJMJkfqFiMmIJahGSqCgWLvOqTNYHp_00C6cfO8PbLNf87SSucSeUixKtvqiMRX9hiY9kVjVHUsttT4uFoadDcvKQCkaCw/s1600/Screen+Shot+2018-06-24+at+7.52.45+AM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7V3XAhM6cucPPPLnSA8X9ddFV5sWcA-9BxQ-rnB20eZG21cLJMJkfqFiMmIJahGSqCgWLvOqTNYHp_00C6cfO8PbLNf87SSucSeUixKtvqiMRX9hiY9kVjVHUsttT4uFoadDcvKQCkaCw/s640/Screen+Shot+2018-06-24+at+7.52.45+AM.png" /></span></a><br />
<span style="color: #9fc5e8;"><span style="font-size: large;"><br /></span></span>
<span style="color: #9fc5e8;"><span style="font-size: large;"><br /></span></span><br />
<h2>
<span style="color: #9fc5e8; font-size: large;">Configure A Per-App Tunnel Profile for iOS</span></h2>
<div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span></div>
<span style="color: #9fc5e8;">Go to Devices --> Profiles and Resources --> Profiles. Select Add Profile.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5GfaLN49yzYMrLm1WohKF2jSkEcSFb6YpGs36OmPNqhEJutYDJGamgJtuhgrQLMrsmG7qq6yECseVj1nXBLIP-jAozyvZqtVBDyOmdEZ5Og7t04vOATqTK0aDHloWyJfsaoNxvIIF5Dec/s1600/Screen+Shot+2018-06-24+at+7.57.34+AM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5GfaLN49yzYMrLm1WohKF2jSkEcSFb6YpGs36OmPNqhEJutYDJGamgJtuhgrQLMrsmG7qq6yECseVj1nXBLIP-jAozyvZqtVBDyOmdEZ5Og7t04vOATqTK0aDHloWyJfsaoNxvIIF5Dec/s640/Screen+Shot+2018-06-24+at+7.57.34+AM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Provide a descriptive name for this new profile. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXtyqwpxl0XkQDBujZU7MRHANQ0mr2btQNd6P5C-Gwvg_rB83Xt5M70CBzO-yUTPruqs0m_Qe0OUFRHzZSrNn6ja8aXc1O4vTdjB88v13rR-fqlc2EGfAOm6QlhLQC-7Q4nTzX9YKwJuDj/s1600/Screen+Shot+2019-02-09+at+11.20.07+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXtyqwpxl0XkQDBujZU7MRHANQ0mr2btQNd6P5C-Gwvg_rB83Xt5M70CBzO-yUTPruqs0m_Qe0OUFRHzZSrNn6ja8aXc1O4vTdjB88v13rR-fqlc2EGfAOm6QlhLQC-7Q4nTzX9YKwJuDj/s640/Screen+Shot+2019-02-09+at+11.20.07+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Navigate to VPN and click configure. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKW6hWUZF14SJe73c13p-eoMIg6gv1KkVjsrXKg0ynZ-It9Wdeg4G0XfWey7Qkb-Du491Q2dCtoTJXc7hBFpj0SMLdDuQpaIIk8rQCxG8DrCjnUWacv9N_YX5XVawZ15I82Sxcvb-ZU2dc/s1600/Screen+Shot+2018-06-25+at+9.32.05+AM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKW6hWUZF14SJe73c13p-eoMIg6gv1KkVjsrXKg0ynZ-It9Wdeg4G0XfWey7Qkb-Du491Q2dCtoTJXc7hBFpj0SMLdDuQpaIIk8rQCxG8DrCjnUWacv9N_YX5XVawZ15I82Sxcvb-ZU2dc/s640/Screen+Shot+2018-06-25+at+9.32.05+AM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Note that the Server text box has been populated with your configured VMware Tunnel server. Check the box for "Enable VMware Tunnel." </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvQVAQV9WIUd7tsm18vcGSVOP38ctlStZPgpCsLZ3iQZKmWxEOCcT1VkSj6R5ez4-ymbrBKhPS2JGbSW67eiTqMRrlf9WsJEx4CoGMpm_K4oBRgwjakNduhtCaNQAUXi4O1WTxkEwOSvE_/s1600/Screen+Shot+2019-02-09+at+11.21.31+PM.png" imageanchor="1"><span style="color: #9fc5e8;"><img border="0" height="392" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvQVAQV9WIUd7tsm18vcGSVOP38ctlStZPgpCsLZ3iQZKmWxEOCcT1VkSj6R5ez4-ymbrBKhPS2JGbSW67eiTqMRrlf9WsJEx4CoGMpm_K4oBRgwjakNduhtCaNQAUXi4O1WTxkEwOSvE_/s640/Screen+Shot+2019-02-09+at+11.21.31+PM.png" width="640" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For additional details, check <a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.5/vmware-airwatch-guides-95/GUID-AW95-Configure_PAT_iOS.html">this out</a>.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h2>
<span style="color: #9fc5e8; font-size: large;">
Configure Apps To Use A Per-App profile</span></h2>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">For testing purposes you can use the VMware vSphere Mobile Watchlist app. Go to Apps & Books --> Applications --> Native and then navigate to the Public tab. Do a search for vSphere and you'll see a hit for the VMware vSphere Mobile Watchlist for iOS. Click on Assign.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixmwiv7Zt0eof0Z-JyjVTQ8Y9-8wuDKI_hJOjMwgMYNHFmJRE0cGwfy9GKAHii5GU-54qK2LT4yqGtLmhpcYxEDI3gfNXUvvq4xa9lUwvG5Qq02mQJZFiC_RpG6zUsb364dFb5Ta-m2Tid/s1600/Screen+Shot+2018-06-25+at+9.37.14+AM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixmwiv7Zt0eof0Z-JyjVTQ8Y9-8wuDKI_hJOjMwgMYNHFmJRE0cGwfy9GKAHii5GU-54qK2LT4yqGtLmhpcYxEDI3gfNXUvvq4xa9lUwvG5Qq02mQJZFiC_RpG6zUsb364dFb5Ta-m2Tid/s640/Screen+Shot+2018-06-25+at+9.37.14+AM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">When configuring the assignment select Auto as the app delivery method. Scroll down and enable App Tunneling, selecting the Per-App VPN profile you've just created.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKtZJLVL3XaiAqwKzEA0NQQxQUbjIK_eDVKYKvP4b77ZkklQJr7KGWQ70kdA0RtfResQET0RH__5dKLbOoizWrwnX1Lcb_etGIVPApYHgoVYItq646yr9P6NpP2iEZZ2fVSnrFY8gQU8Hv/s1600/Screen+Shot+2019-02-09+at+11.26.47+PM.png" imageanchor="1"><span style="color: #9fc5e8;"></span></a><span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-7VtEf1OCIBYOQ34LE5zyQYJwzOVv2MK1jpeHg6jIdba8aks0DUYOwHvxpY_VT6HrbZX8uSollKhnUKZLRGnehBdyZe9GkmWGND8uaMtFo7erNQHAeZPMlWT6waRDox_vzg-grNrss3Gt/s1600/Screen+Shot+2019-02-12+at+9.40.08+AM.png" imageanchor="1"><img border="0" height="440" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-7VtEf1OCIBYOQ34LE5zyQYJwzOVv2MK1jpeHg6jIdba8aks0DUYOwHvxpY_VT6HrbZX8uSollKhnUKZLRGnehBdyZe9GkmWGND8uaMtFo7erNQHAeZPMlWT6waRDox_vzg-grNrss3Gt/s640/Screen+Shot+2019-02-12+at+9.40.08+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Then proceed with publishing this assignment. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF3ogbsoZv9SK1srzSfJNziWH4pawGQt9R_cfStsQfzw1rbksh79KVq7fuIv11Bn84rX2xNSp3doPw9MV0OQ9qo2uJQMhcmWvFbLwjNq7v6n3SxbSPtNYAMB7tNKwfMXOGvLbEPHMeen5H/s1600/Screen+Shot+2018-06-25+at+9.39.04+AM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF3ogbsoZv9SK1srzSfJNziWH4pawGQt9R_cfStsQfzw1rbksh79KVq7fuIv11Bn84rX2xNSp3doPw9MV0OQ9qo2uJQMhcmWvFbLwjNq7v6n3SxbSPtNYAMB7tNKwfMXOGvLbEPHMeen5H/s640/Screen+Shot+2018-06-25+at+9.39.04+AM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">At this point, the Watchlist app will be deployed to your iOS device, configured to automatically use the VPN tunnel when it runs.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h2>
<span style="color: #9fc5e8; font-size: large;">
Testing Per-App VPN Out</span></h2>
<div>
<span style="color: #9fc5e8; font-size: large;"><br /></span></div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">After confirming the VPN profile and Watchlist app have been assigned and installed on your mobile device, you can test the solution out. Fire up the Watchlist app. Enter a vCenter server along with login credentials. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh-wsY5ZtLCFdlOE6iNptiP3_g74f4Shg8Yds5QmOfIBCDtgR6XtqWn6FWL6XMLL1oGRJ2Mw8WiaDkTXEXf-DWlZZDI_q4AnXpEk0YuznMelWiPmfDeCTojP8m1F1ej38eogt9uA7dzlqu/s1600/watchlist.jpg"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgh-wsY5ZtLCFdlOE6iNptiP3_g74f4Shg8Yds5QmOfIBCDtgR6XtqWn6FWL6XMLL1oGRJ2Mw8WiaDkTXEXf-DWlZZDI_q4AnXpEk0YuznMelWiPmfDeCTojP8m1F1ej38eogt9uA7dzlqu/s640/watchlist.jpg" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Upon successful login you'll have an option to select hosts or VMs from your vSphere environment. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOglFf655aakUHEs5-msXIPQtDy4vk9hdDW82NqDXgEx_1a-tabAaX6OXrhcIcNwuZ60dxaP9EUpP71cvhEsk-3RxTqM7jsfW12lb_G8PRpWoyO5QXcI9HgRlBB0EmQU9ITdO6gdNTgIyp/s1600/watchlist.PNG"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOglFf655aakUHEs5-msXIPQtDy4vk9hdDW82NqDXgEx_1a-tabAaX6OXrhcIcNwuZ60dxaP9EUpP71cvhEsk-3RxTqM7jsfW12lb_G8PRpWoyO5QXcI9HgRlBB0EmQU9ITdO6gdNTgIyp/s640/watchlist.PNG" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">At this point, you already know your VPN tunnel is working, but for fun you can traverse your vSphere environment a bit. (Note: in the App Store reviews there are a lot of haters of this app. I'm not saying it's the best thing since sliced bread. It certainly makes for a handy test app though.)</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">It's not necessary to launch the VMware Tunnel mobile app for the process to work, but if you do open up the app you get a display confirming current connectivity.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFgzqPzJaodEhGkJuncQeyLn_rF-wkfq_Awu03Mva7B3S8IqRhl72yqsIHifYN7qupBMlnKop8Tm2pC9UtME8eZN6Z_pU68Aa4AWXtW2ewt9mtydGTo8xKPKFHXX0KqRIsCsmpU100jj25/s1600/Screen+Shot+2018-06-25+at+9.00.27+PM.png"><span style="color: #9fc5e8;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFgzqPzJaodEhGkJuncQeyLn_rF-wkfq_Awu03Mva7B3S8IqRhl72yqsIHifYN7qupBMlnKop8Tm2pC9UtME8eZN6Z_pU68Aa4AWXtW2ewt9mtydGTo8xKPKFHXX0KqRIsCsmpU100jj25/s640/Screen+Shot+2018-06-25+at+9.00.27+PM.png" /></span></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">And if you navigate to settings on your iOS device and look at VPN, you'll see some additional confirmation the connection has been made.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOVKNnY_XZ7ZBYTnkjuGDFxgZSxmOVA3ffiVbRYmM3XcaczyMpg-7zOxTTyaxDkr_eHUzHh6WrYcyH5D44u7R13HYZH9JWvTe9dA-wIWdejowLeHoIfu7qp-581PnvAI9JkuZU3GNQQrV9/s1600/IMG_0002.png" imageanchor="1"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOVKNnY_XZ7ZBYTnkjuGDFxgZSxmOVA3ffiVbRYmM3XcaczyMpg-7zOxTTyaxDkr_eHUzHh6WrYcyH5D44u7R13HYZH9JWvTe9dA-wIWdejowLeHoIfu7qp-581PnvAI9JkuZU3GNQQrV9/s640/IMG_0002.png" width="640" /></a><br />
<br />
<br />
<h2>
<span style="color: #9fc5e8; font-size: large;">Configuring Tunnel Proxy On The Workspace One UEM (AirWatch) Console</span></h2>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">To test out Tunnel Proxy, we need to push out the Workspace One Web app (AirWatch Browser) and make just a couple of adjustments on the console. To push out this browser app, go to Apps And Books --> Native --> Public and select the option to add an application. Do a search for Web - Workspace One. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeMh-7rjCszYpy293GzJmdb2GG8mNTUiCx43r1Q4hetsgb-lHNxAx9IpS46LmGeH3NloqKbpivpiktsw-9sgcbo3lCbdqYuoB1b6mClKdJXRsZkXWNqqNhZEabF8urXK1Po46sTOdE1M-s/s1600/Screen+Shot+2019-02-10+at+1.35.45+PM.png" imageanchor="1"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeMh-7rjCszYpy293GzJmdb2GG8mNTUiCx43r1Q4hetsgb-lHNxAx9IpS46LmGeH3NloqKbpivpiktsw-9sgcbo3lCbdqYuoB1b6mClKdJXRsZkXWNqqNhZEabF8urXK1Po46sTOdE1M-s/s640/Screen+Shot+2019-02-10+at+1.35.45+PM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Go ahead and push the app out to your endpoint. Then, navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Security Policies. Select Enabled for AirWatch App Tunnel and specify the App Tunnel Mode as VMware Tunnel – Proxy. If you want to enable split tunnel so that Tunnel Proxy is only used for specific URLs, while other traffic goes directly from the browser to the internet, add some app tunnel URLs. Otherwise, all requests will be forwarded through VMware Tunnel. </span><br />
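<span style="color: #9fc5e8;">To make the split-tunnel decision above concrete, here is an added illustration (not Workspace One or VMware code) that models how a browser request would be routed under an App Tunnel URL list: no entries means everything goes through VMware Tunnel, otherwise only matching hosts do. The host and port matching rule is an assumption of this example, not the product's documented logic, and the policy entries and request URLs are constructed.</span><br />

```python
"""Illustrative split-tunnel routing decision for Workspace ONE Web.

Added example, not Workspace ONE code. It models the console setting
described above: with no App Tunnel URLs configured, every browser
request is forwarded through VMware Tunnel (Proxy); once App Tunnel
URLs are listed, only matching requests use the tunnel and everything
else goes directly to the internet. The matching rule used here (exact
host or sub-domain of the listed host, plus an optional port) is an
assumption for illustration, not the product's documented behaviour.
"""
from urllib.parse import urlsplit

TUNNEL = "tunnel"   # request is forwarded through VMware Tunnel (Proxy)
DIRECT = "direct"   # request goes straight from the browser to the internet


def parse_entry(entry):
    """Normalise one console entry such as 'intranet.corp.example' or
    'https://wiki.corp.example:8443' into a (host, port_or_None) rule."""
    entry = entry.strip().lower()
    if not entry:
        return None
    if "://" not in entry:
        entry = "//" + entry          # make urlsplit treat it as a netloc
    parts = urlsplit(entry)
    if not parts.hostname:
        return None
    return parts.hostname, parts.port


def host_matches(host, rule_host):
    """Exact host or a sub-domain of rule_host. The '.' prefix matters:
    a bare endswith() would let 'evilcorp.example' match 'corp.example'
    and silently send that traffic through the corporate tunnel."""
    return host == rule_host or host.endswith("." + rule_host)


def route(url, app_tunnel_urls):
    """Return TUNNEL or DIRECT for one request URL under the given policy."""
    rules = [r for r in (parse_entry(e) for e in app_tunnel_urls) if r]
    if not rules:
        return TUNNEL                 # no entries: everything via the tunnel
    req = urlsplit(url)
    host = (req.hostname or "").lower()
    port = req.port or (443 if req.scheme == "https" else 80)
    for rule_host, rule_port in rules:
        if host_matches(host, rule_host) and rule_port in (None, port):
            return TUNNEL
    return DIRECT


def classify(urls, app_tunnel_urls):
    """Map each request URL to its routing decision."""
    return {u: route(u, app_tunnel_urls) for u in urls}


if __name__ == "__main__":
    # Constructed sample policy and requests, not values from any real tenant.
    policy = ["intranet.corp.example", "https://wiki.corp.example:8443"]
    requests = [
        "https://intranet.corp.example/home",        # exact host
        "https://docs.intranet.corp.example/",       # sub-domain of listed host
        "https://wiki.corp.example:8443/",           # host and port both match
        "https://wiki.corp.example/",                # port 443 does not match 8443
        "https://evilintranet.corp.example/",        # not a sub-domain: stays direct
        "https://www.example.org/",                  # unrelated site: direct
    ]
    for url, decision in classify(requests, policy).items():
        print(f"{decision:6}  {url}")
    print("empty policy ->", route("https://www.example.org/", []))
```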
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7Lj__0Q9FABnbsHS1atPK_Div5EO93OTwarzW0PgyQYqyiXa-cyllT3yvEaXvV05WHBSMR0MA4w6m_3SFekLTcDNi7EE910u_nZVo1MuQQ58Khmp9GWSgxdXAqdkRK4zeezFd3okD4JXt/s1600/Screen+Shot+2019-02-10+at+1.42.08+PM.png" imageanchor="1"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7Lj__0Q9FABnbsHS1atPK_Div5EO93OTwarzW0PgyQYqyiXa-cyllT3yvEaXvV05WHBSMR0MA4w6m_3SFekLTcDNi7EE910u_nZVo1MuQQ58Khmp9GWSgxdXAqdkRK4zeezFd3okD4JXt/s640/Screen+Shot+2019-02-10+at+1.42.08+PM.png" width="640" /></a></span><br />
<br />
<span style="color: #9fc5e8;">Finally, go to Groups & Settings > All Settings > Apps > Workspace One Web. There you can enter allowed sites and a home page. </span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiOJFQvW2HxHir6FAEyC2UaKrCMFVjOmyrxU7BZjEqDAs9IJp-o3BvuBPWUXMAcFdBcYOrgVcfTy1CAhl-pngYWMP9buESFObVT0Kxq5lWX1jp6qm284AqBWRerTGJrrxjgoS4pQD2uVGG/s1600/Screen+Shot+2019-02-10+at+1.59.21+PM.png" imageanchor="1"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiOJFQvW2HxHir6FAEyC2UaKrCMFVjOmyrxU7BZjEqDAs9IJp-o3BvuBPWUXMAcFdBcYOrgVcfTy1CAhl-pngYWMP9buESFObVT0Kxq5lWX1jp6qm284AqBWRerTGJrrxjgoS4pQD2uVGG/s640/Screen+Shot+2019-02-10+at+1.59.21+PM.png" width="640" /></a></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">Now, if you open up the Workspace One Web mobile app, you can navigate to internal web sites when offsite. Here's a sample screenshot: </span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1690jCQXn5M2AImFsbhGpmfKqCn-6fYM6Uy2oSzOanTzNU-C03fetbhzGaLM7a4IqI8xum4aswJP3D4LEMdKyc1DHKOyZmIW4y9Pi32f8xglIfZtnqkHdpcPU0hb9ofYjwQTX-GXGnHWD/s1600/IMG_0003.jpg" imageanchor="1"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1690jCQXn5M2AImFsbhGpmfKqCn-6fYM6Uy2oSzOanTzNU-C03fetbhzGaLM7a4IqI8xum4aswJP3D4LEMdKyc1DHKOyZmIW4y9Pi32f8xglIfZtnqkHdpcPU0hb9ofYjwQTX-GXGnHWD/s640/IMG_0003.jpg" width="640" /></a></span></div>
<div>
<br />
<h2>
<span style="color: #9fc5e8; font-size: large;">Some Incredibly Relevant Official VMware Documentation </span></h2>
<span style="color: #9fc5e8;"><br /></span>
<a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1811/VMare-Tunnel-on-Linux/GUID-AWT-TUNNEL-VA-REQS.html" target="_blank"><span style="color: blue;">System Requirements for Deploying VMware Tunnel with Unified Access Gateway</span></a></div>
<div>
<span style="color: blue;"><br /></span></div>
<span style="color: blue;"><a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1811/VMare-Tunnel-on-Linux/GUID-AWT-CONFIGURELNX.html" target="_blank"><span style="color: blue;">Configure VMware Tunnel - Workspace One Console</span></a></span><br />
<div>
<span style="color: blue;"><br /></span></div>
<a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1811/VMare-Tunnel-on-Linux/GUID-AWT-DEPLOYTUNNELVA-CUSTOMUI.html" target="_blank"><span style="color: blue;">Configure VMware Tunnel Settings in the Unified Access Gateway UI</span></a><br />
<div>
<span style="color: blue;"><br /></span></div>
<div>
<a href="https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1810/vmware-tunnel-guide-linux.pdf" target="_blank"><span style="color: blue;">VMware Tunnel Guide</span></a></div>
<div>
<span style="color: blue;"><br /></span></div>
<div>
<a href="https://docs.vmware.com/en/Unified-Access-Gateway/3.4/uag-34-deploy-config-guide.pdf" target="_blank"><span style="color: blue;">Deploying And Configuring VMware Unified Access Gateway</span></a></div>
<div>
<br />
<a href="https://techzone.vmware.com/configuring-edge-services-vmware-unified-access-gateway-vmware-workspace-one-operational-tutorial/configuring-vmware-tunnel-edge-services-unified-access-gateway" target="_blank">Configuring VMware Tunnel Edge Services on Unified Access Gateway</a></div>
<h2>
<span style="color: #9fc5e8; font-size: large;">Sorting Through All The Hubbub Around Workspace One Intelligent Hub</span></h2>
<span style="color: #9fc5e8;">Posted by EvenGooder, 2018-11-21.</span><br />
<span style="color: #9fc5e8;">Workspace One Intelligent Hub has been generally available since late October 2018. It's essentially an updated and rebranded version of the AirWatch agent, with the major added capability of providing an app catalog. Before its release, if you wanted the full blown Workspace One experience on your devices you needed to install both the AirWatch agent and the Workspace One App. Now all that functionality can be delivered through this single new app, the Intelligent Hub.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnuRgI5gW-xWWFas4qm6eMKqRgZjRYhz45_bz7Ko4oIdFp_pmA4xYfbx1zVSKIdT2vH2xAVTjy_A_br1S2p5DHlpcGZqCc07ksZvToxVkIb0MbAy_0XkdJ9XjLzPT3Jlf1qFafEZM6dq73/s1600/Screen+Shot+2018-11-20+at+8.08.32+AM.png" imageanchor="1"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnuRgI5gW-xWWFas4qm6eMKqRgZjRYhz45_bz7Ko4oIdFp_pmA4xYfbx1zVSKIdT2vH2xAVTjy_A_br1S2p5DHlpcGZqCc07ksZvToxVkIb0MbAy_0XkdJ9XjLzPT3Jlf1qFafEZM6dq73/s640/Screen+Shot+2018-11-20+at+8.08.32+AM.png" width="640" /></a><br />
<br />
<div>
<span style="color: #9fc5e8;">Intelligent Hub has full feature parity with the former AirWatch agent. For pure Workspace One UEM (AirWatch) deployments there's no real difference aside from the name change and rebranding. However, the new catalog functionality it offers introduces dependencies not previously required by the Workspace One App it's intended to replace. </span><span style="color: #9fc5e8;">To provide catalog services from Intelligent Hub you need to configure Hub Services ahead of time. These Hub Services are co-located in the VMware Identity Manager cloud-hosted environment and are an absolute requirement if you want to provide an app catalog directly from the Intelligent Hub app. </span><br />
<br />
<h2>
Relax, It's Not That Bad A Situation For Workspace One Admins</h2>
<span style="color: #9fc5e8;"><br />
</span><span style="color: #9fc5e8;">As a cranky techie that hates change, initially I was a bit put off by this new app. The prospect of a migration from the Workspace One App to Intelligent Hub was intimidating, especially given the new dependencies. However, there are a couple of pieces of good news that really mitigated my concerns. First, the configuration of Hub Services isn't exactly rocket science. Configuring Hub Services within my Workspace One lab environment, one that already had vIDM and Workspace One UEM fully integrated, was for the most part straightforward and uneventful. Second, the Intelligent Hub app, even with its Hub Catalog enabled, can run side by side with the Workspace One App on the same device. So you can configure and enable Hub Catalog on endpoint devices, but can postpone an actual migration from the Workspace One App until a more convenient and opportune time for your users. </span><br />
<span style="color: #9fc5e8;"><br />
</span> <span style="color: #9fc5e8;">Given these two pieces of good news, and the promise of a better, more interactive service that Hub Catalog can offer, there are only a few reasons why you wouldn't proceed with the configuration of Hub Services and publishing of the Hub Catalog:</span><br />
<br />
<ul>
<li><span style="color: #9fc5e8;">You have an on-premises instance of vIDM</span></li>
<li><span style="color: #9fc5e8;">You're using a Workspace One UEM version below 1810</span></li>
<li><span style="color: #9fc5e8;">You're attached to the Workspace One App for sentimental reasons </span></li>
<li><span style="color: #9fc5e8;">The possible future deprecation of the Workspace One App is a reflection of your own mortality and you don't have time for an existential crisis</span></li>
</ul>
<span style="color: #9fc5e8;"><br />
</span> <span style="color: #9fc5e8;">Unfortunately, Hub Catalog isn't currently supported for on-premises implementations of vIDM and only works with cloud-hosted vIDM. So customers using on-premises vIDM for a Workspace One deployment should continue using the Workspace One App for catalog services. The same goes for folks using a 9.x version of Workspace One UEM (AirWatch). They can continue to use the Workspace One App as well. Otherwise, for folks who'd </span><span style="color: #9fc5e8;">like to take the Hub Catalog for a test spin, here are the steps I followed to enable the Hub Catalog in my own lab environment. </span></div>
<div>
<br />
<h2>
Enabling Hub App Catalog</h2>
<br />
<span style="color: #9fc5e8;">Both Workspace One UEM and vIDM include links to Hub Configuration. Within the Workspace One UEM console, it can be accessed from Groups & Settings --> Hub Configuration. On this initial Hub Configuration page, I entered my vIDM tenant URL and then clicked Launch. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGcHIdcrcNXg7FZZtsjtgiHFaVbKjQPqTgsFjN5DrPgp_R65hzO5jF7Jwcb9unVDMpXNQsxuA4b17_qdsVDYDUgPiFA0ElOAh2_hELV1IcFfGBrRzyJiuw8MxhqziQCSfG_1AK3Jl_wcYT/s1600/Screen+Shot+2018-11-20+at+8.23.29+AM.png" imageanchor="1"><img border="0" height="504" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGcHIdcrcNXg7FZZtsjtgiHFaVbKjQPqTgsFjN5DrPgp_R65hzO5jF7Jwcb9unVDMpXNQsxuA4b17_qdsVDYDUgPiFA0ElOAh2_hELV1IcFfGBrRzyJiuw8MxhqziQCSfG_1AK3Jl_wcYT/s640/Screen+Shot+2018-11-20+at+8.23.29+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">At the customization page, I accepted the defaults.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXI5-WWynrq7lL39y4dmX3c4y3qGEls03qRvlIHw4YRDzdluoP98yCeR2Xxx1e5w1qGShQIwMziIup4PnNuUcE94Q6T8aSSkWlleoEL8TjcAtHJgnMBMh_Y8fxUPmH1wWS-F1UdTTxjNHS/s1600/Screen+Shot+2018-11-20+at+8.23.53+AM.png" imageanchor="1"><img border="0" height="482" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXI5-WWynrq7lL39y4dmX3c4y3qGEls03qRvlIHw4YRDzdluoP98yCeR2Xxx1e5w1qGShQIwMziIup4PnNuUcE94Q6T8aSSkWlleoEL8TjcAtHJgnMBMh_Y8fxUPmH1wWS-F1UdTTxjNHS/s640/Screen+Shot+2018-11-20+at+8.23.53+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Then I clicked save. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEwF3fKrUYB6QlDSIGkQYE1ltYWwA1oAY68TE9n8G5sDrgdY-NnLNIvjc7RM77ZnXXU4u6lAOfxIT-nf4IH3K-xYnLEzI4OJ6zP1iO5aqnrYq5I-Vp6rDpyoqLQBsNzd-OTK_FkiFkR7_D/s1600/Screen+Shot+2018-11-20+at+8.25.19+AM.png" imageanchor="1"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEwF3fKrUYB6QlDSIGkQYE1ltYWwA1oAY68TE9n8G5sDrgdY-NnLNIvjc7RM77ZnXXU4u6lAOfxIT-nf4IH3K-xYnLEzI4OJ6zP1iO5aqnrYq5I-Vp6rDpyoqLQBsNzd-OTK_FkiFkR7_D/s640/Screen+Shot+2018-11-20+at+8.25.19+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Next, I accepted the defaults for branding and clicked save. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2YT6CqdmdFO1dpe5WYGSS-krbkrZ1rDbNh0_yFLE2Nr7j223ICrQW82ghNuS7WYH5M7ljLziuGSS9btYDpd8QNk0Clg_Ti9NQK37ORhKSX_dYD0offP1MnnVi9FZyMohAsfHY-uR1u6-J/s1600/Screen+Shot+2018-11-20+at+8.25.43+AM.png" imageanchor="1"><img border="0" height="442" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2YT6CqdmdFO1dpe5WYGSS-krbkrZ1rDbNh0_yFLE2Nr7j223ICrQW82ghNuS7WYH5M7ljLziuGSS9btYDpd8QNk0Clg_Ti9NQK37ORhKSX_dYD0offP1MnnVi9FZyMohAsfHY-uR1u6-J/s640/Screen+Shot+2018-11-20+at+8.25.43+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Phhhhheeeeeeeeewwwwww!!!!!! Tired yet? Well dig deep and push just a little harder. We still have a few buttons to push. </span><br />
<span style="color: #9fc5e8;"><br />
</span> <br />
<h2>
Setting The Source Authentication For Intelligent Hub To Identity Manager </h2>
<br />
<span style="color: #9fc5e8;">The <a href="https://docs.vmware.com/en/VMware-Workspace-ONE/services/WorkspaceONEHub/GUID-78DED192-719A-4940-B30D-EB5BD12A9F6A.html">official guidance</a> indicates that when fully integrating Hub Services with vIDM, you need to select Identity Manager as the source of authentication for Intelligent Hub. Accordingly, I navigated to Devices > Devices Settings > Devices & Users > General > Enrollment, then selected Identity Manager as the source of authentication for Hub and clicked save.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmik4Y6-viMG8pKaFKOJrDaKW6V-ulNe0iHJit89B1IvdMV2papTV27VJtmRpdUQc15RLAEqHxGkEBIOfPvBxhw2edOXb_survXiV0Fm6OWZMgVLIwH6JORhVEEn207D8JL7mdI4g0ZCZy/s1600/Screen+Shot+2018-11-20+at+8.47.20+AM.png" imageanchor="1"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmik4Y6-viMG8pKaFKOJrDaKW6V-ulNe0iHJit89B1IvdMV2papTV27VJtmRpdUQc15RLAEqHxGkEBIOfPvBxhw2edOXb_survXiV0Fm6OWZMgVLIwH6JORhVEEn207D8JL7mdI4g0ZCZy/s640/Screen+Shot+2018-11-20+at+8.47.20+AM.png" width="640" /></a><br />
<br />
<br />
<h2>
Publishing The Hub Catalog </h2>
<br />
<span style="color: #9fc5e8;">Finally, I had to <a href="https://docs.vmware.com/en/VMware-Workspace-ONE/services/WorkspaceONEHub/GUID-E56EA5E4-A5DB-46A5-AB0F-8EA059395927.html#GUID-E56EA5E4-A5DB-46A5-AB0F-8EA059395927">publish the Hub Catalog for iOS</a>. To do that, I navigated to Groups & Settings > All settings > Apps > Workspace ONE > AirWatch Catalog > General. </span><br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBU8cFomzJD_QHuDaUQyvumr0oTyjVNeInpwIeWeIHhsmly0TZLdFhRzTk9lHp-sVI4SDtRjxF6K1g34oS4FKv5K3HoAOWYN4Ql9f7VQ2zjfyqkBVZeX5pxHUnHkqpnN2uoIg_Ga2MmDxl/s1600/Screen+Shot+2018-11-20+at+9.12.20+AM.png" imageanchor="1"><img border="0" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBU8cFomzJD_QHuDaUQyvumr0oTyjVNeInpwIeWeIHhsmly0TZLdFhRzTk9lHp-sVI4SDtRjxF6K1g34oS4FKv5K3HoAOWYN4Ql9f7VQ2zjfyqkBVZeX5pxHUnHkqpnN2uoIg_Ga2MmDxl/s640/Screen+Shot+2018-11-20+at+9.12.20+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Then I clicked override, enabled Hub Catalog (iOS) and clicked save. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi58WBlGWAsiUY_uu6g1oOFCZnSiqflWjopkY355AA87TNRvVqKzbQIklhBFfIfgStIA3NpGTiXL3V4UmJez63ucmqShqFdoIrVAoed2-NZyJ1NQ-86SNuqraf1W2mmgq-oQ0xUBvajRPH-/s1600/Screen+Shot+2018-11-20+at+9.13.17+AM.png" imageanchor="1"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi58WBlGWAsiUY_uu6g1oOFCZnSiqflWjopkY355AA87TNRvVqKzbQIklhBFfIfgStIA3NpGTiXL3V4UmJez63ucmqShqFdoIrVAoed2-NZyJ1NQ-86SNuqraf1W2mmgq-oQ0xUBvajRPH-/s640/Screen+Shot+2018-11-20+at+9.13.17+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">After performing the steps above, Hub Catalog was displayed after loading up the Intelligent Hub from the home screen. On the first screen, I could see, among my favorites, my virtual desktop entitlement: </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1cruHO_rFwfulPB8z8z2n5AyCfNboiu3pY8AUZqQyp_6G1v1MQ5Lgu_cMvA8SrMn6XGNZVMFYvQ5ACN4cfD28eq9BtsSzMJ-lATmiUSQixslAlmwOuYtvrVGDJjG5FsKfOhyqhp9AfSHk/s1600/Hub_catalog.png" imageanchor="1"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1cruHO_rFwfulPB8z8z2n5AyCfNboiu3pY8AUZqQyp_6G1v1MQ5Lgu_cMvA8SrMn6XGNZVMFYvQ5ACN4cfD28eq9BtsSzMJ-lATmiUSQixslAlmwOuYtvrVGDJjG5FsKfOhyqhp9AfSHk/s400/Hub_catalog.png" width="225" /></a><br />
<br />
<span style="color: #9fc5e8;">I also found the self-service catalog for the provisioning of mobile apps I'd been entitled to. </span><br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8mziQZFv57dQUDvisxOiQBLbE0bEXoySdKtzFKBNXxfQ2vFjfTTkmwHQBrnIojCq_V02tTZ7IvD0W7xrgjHogQQBxc6EaXQdcc8UxLHlpDKuNjGZoRuOlpBLMsc32QqddX0o0mJurKkPM/s1600/Hub_self_serv.png" imageanchor="1"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8mziQZFv57dQUDvisxOiQBLbE0bEXoySdKtzFKBNXxfQ2vFjfTTkmwHQBrnIojCq_V02tTZ7IvD0W7xrgjHogQQBxc6EaXQdcc8UxLHlpDKuNjGZoRuOlpBLMsc32QqddX0o0mJurKkPM/s400/Hub_self_serv.png" width="225" /></a><br />
<br />
<br />
<h2>
Running Both Catalogs Side By Side </h2>
<br />
<span style="color: #9fc5e8;">As I previously mentioned, configuring Hub Services wasn't exactly rocket science, which takes the edge off making this transition. Further, there's the fact that both catalogs can theoretically exist side by side on the same device, which means you can enable the Hub Catalog on users' devices without having to force an immediate transition away from the Workspace One app. Here's a video demonstration of the Hub Catalog and Workspace One App catalog functioning from the same device:</span><br />
<br />
<br />
<div style="height: 0; padding-bottom: 56.25%; position: relative;">
<iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="360" src="https://www.youtube.com/embed/UW9oroQwewc?ecver=2" style="height: 100%; left: 0; position: absolute; width: 100%;" width="640"></iframe></div>
<br /></div>
Integrating An On Premises RADIUS Solution With Cloud Hosted vIDM (2018-11-04)<br />
<span style="color: #9fc5e8;">With a VMware Identity Manager Cloud deployment you can use the vIDM Connector to integrate with a RADIUS instance located in your trusted network. At that point, with the connector acting as a proxy between your RADIUS server and vIDM Cloud instance, you can begin to mandate RADIUS authentication for endpoints connecting from anywhere, either for access to specific apps or general access to your Workspace One portal. </span><span style="color: #9fc5e8;"> Further, leveraging vIDM conditional access policies, you can judiciously enforce or bypass 2FA requirements based on the user's context or device posture. </span><span style="color: #9fc5e8;">For this post, I'm going to add 2FA as a requirement for access to Horizon when a user connects from a browser on an untrusted device. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCcgNrSJERMu_PSnBBB2iGzMsGumLHl12N60C6Bp30OEeXJpToT6jje94KTNEtcRtF2AX9k3JvLx7mHKMaM14RPAKEa520zrTRBaQx_qzhgtuU0LnJ7nwKU3sbH3fZuOinPysAtNZGYGcw/s1600/vIDMConnector.png" imageanchor="1"><img border="0" height="486" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCcgNrSJERMu_PSnBBB2iGzMsGumLHl12N60C6Bp30OEeXJpToT6jje94KTNEtcRtF2AX9k3JvLx7mHKMaM14RPAKEa520zrTRBaQx_qzhgtuU0LnJ7nwKU3sbH3fZuOinPysAtNZGYGcw/s640/vIDMConnector.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">This recipe uses the 2018 September release of VMware Identity Manager Cloud, the Windows-based vIDM Connector 2018.8.1 and a RADIUS server built with Ubuntu 16.04, FreeRADIUS and Google Authenticator. For guidance on getting the vIDM Connector set up, check out <a href="http://www.evengooder.com/2018/10/integrating-cloud-instance-of-vmware_6.html">this previous post</a>. If you already have access to your own RADIUS solution, I'd go ahead and stick with that; otherwise, here's a <a href="http://www.evengooder.com/2018/04/providing-two-factor-authentication-for.html">recipe for standing up a free RADIUS solution using Google Authenticator</a>. Once you have your vIDM Connector stood up and your RADIUS server configured to allow this Connector as a RADIUS client, here are the steps you'd follow to integrate your on-premises RADIUS solution through your vIDM Connector. </span><br />
<br />
<h2>
Configuring The RADIUS Authentication Adapter</h2>
<br />
<span style="color: #9fc5e8;">First, go to Identity & Access Management --> Setup --> Connectors. Click on the Worker link within the Worker column for the vIDM connector you're looking to leverage for the integration. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYvQi3QRJYdOyePuMGN71vmO7eomXLbNj9QqxofNNCnLLFTcbprRVZdPVQr79H9SpmABMDn1Ar3ScyJ0ghu7frmlyXfZDdFDnRRmZIByrdGanmLpOkTggJ-uFk8IkJeWXQ0_LS9PxAwzvg/s1600/Screen+Shot+2018-11-02+at+2.02.32+PM.png" imageanchor="1"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYvQi3QRJYdOyePuMGN71vmO7eomXLbNj9QqxofNNCnLLFTcbprRVZdPVQr79H9SpmABMDn1Ar3ScyJ0ghu7frmlyXfZDdFDnRRmZIByrdGanmLpOkTggJ-uFk8IkJeWXQ0_LS9PxAwzvg/s640/Screen+Shot+2018-11-02+at+2.02.32+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Next, click on the Auth Adapters option. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqd_OjePVv98GsiKgWi1IufUU1sS3umXmnB7ggVqFdi2-VkOdWErw43-dgpGadGPl6f81nhVQ7TrOpQwGXxZNBcPdrGLFOkPuYdhojBV4RCr37knnlctb0jiVis7tnYrjVHHCohN_doLxg/s1600/Screen+Shot+2018-11-02+at+10.22.41+AM.png" imageanchor="1"><img border="0" height="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqd_OjePVv98GsiKgWi1IufUU1sS3umXmnB7ggVqFdi2-VkOdWErw43-dgpGadGPl6f81nhVQ7TrOpQwGXxZNBcPdrGLFOkPuYdhojBV4RCr37knnlctb0jiVis7tnYrjVHHCohN_doLxg/s640/Screen+Shot+2018-11-02+at+10.22.41+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">From here, click on the hyperlink for RadiusAuthAdapter. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjarcE4PNWL_crCHDJUL0Jub5EBTmHxRPA8UgdqZ4A48weloszOeEm8zGyqmM4aPV5NH0oVmgVpnfetiKoyMIIWhP8-XJzR36m4x2zFji2TmqFqgGhEaLCDYaJzPySmLIJMD2FQYlr8fQt8/s1600/Screen+Shot+2018-11-02+at+10.23.29+AM.png" imageanchor="1"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjarcE4PNWL_crCHDJUL0Jub5EBTmHxRPA8UgdqZ4A48weloszOeEm8zGyqmM4aPV5NH0oVmgVpnfetiKoyMIIWhP8-XJzR36m4x2zFji2TmqFqgGhEaLCDYaJzPySmLIJMD2FQYlr8fQt8/s640/Screen+Shot+2018-11-02+at+10.23.29+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">At that point you'll get redirected to your vIDM Connector, so make sure you have network access to the vIDM Connector when performing this step. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuaTp7P11mvv2hymW-CMxiuomYjoVsLJRrxI7zOQNCgv3hxDh4uiMztMqFk0D5Zndp-LP7YU-SmzXt34EmA0tvrYxp6J1DG-8qpmdAMkajhpKlEh8IMdyc-hekB1ISkLEC4zk4tsJhD7CT/s1600/Screen+Shot+2018-11-02+at+3.17.42+PM.png" imageanchor="1"><img border="0" height="408" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuaTp7P11mvv2hymW-CMxiuomYjoVsLJRrxI7zOQNCgv3hxDh4uiMztMqFk0D5Zndp-LP7YU-SmzXt34EmA0tvrYxp6J1DG-8qpmdAMkajhpKlEh8IMdyc-hekB1ISkLEC4zk4tsJhD7CT/s640/Screen+Shot+2018-11-02+at+3.17.42+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Populate the authentication adapter with info relevant to your RADIUS implementation, like the RADIUS server address, timeout, authentication port, authentication type and shared secret. Then click save. At this point, RadiusAuthAdapter will show up as enabled under Auth Adapters. </span><br />
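<span style="color: #9fc5e8;">To make those adapter fields concrete, here is an added Python example (not code from this post, from VMware or from FreeRADIUS) that models what the RADIUS client and server do with the shared secret: the client hides the passcode using the RFC 2865 User-Password scheme and checks the server's Response Authenticator, and a toy server with a constructed user table answers Access-Accept or Access-Reject. The function names, the user table and the NAS identifier are assumptions made for the example; a real deployment should also enforce Message-Authenticator (RFC 2869), which this toy omits.</span><br />

```python
"""Toy RADIUS (RFC 2865) Access-Request / Access-Accept exchange, run in-process (no UDP).
Added for illustration; not the vIDM Connector's or FreeRADIUS's code. No Message-Authenticator."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

# Constructed user table standing in for the Google Authenticator backend: user -> current passcode
CONSTRUCTED_USERS = {b"alice": b"123456"}


def _attr(attr_type, value):
    """Encode one attribute as Type(1) | Length(1, includes the 2-byte header) | Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    """Walk the attribute list; reject truncated or zero-length entries instead of looping forever."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated RADIUS attribute")
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute length")
        attrs[data[i]] = data[i + 2:i + length]
        i += length
    return attrs


def encode_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte boundary, then XOR each block with MD5(secret + previous
    block), seeding the chain with the Request Authenticator so every request gets a fresh pad."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def decode_user_password(encoded, secret, request_auth):
    """Inverse of encode_user_password; only a holder of the shared secret can recover the passcode."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, pad)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, passcode, secret, nas_id=b"vidm-connector"):
    """Client side: Code | ID | Length | 16 random bytes (Request Authenticator) | attributes."""
    request_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encode_user_password(passcode, secret, request_auth))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    head = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return head + request_auth + attrs, request_auth


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret)."""
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret, expected_id):
    """Client side: accept only a reply bound to our request and authenticated with the shared secret."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or ident != expected_id:
        return False, "identifier or length mismatch"
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, "bad response authenticator"
    return code == ACCESS_ACCEPT, "accept" if code == ACCESS_ACCEPT else "reject"


def radius_server_handle(packet, secret, user_db):
    """Toy server: recover the passcode with its own copy of the secret and answer Accept or Reject."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    passcode = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], passcode)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def authenticate(username, passcode, client_secret, server_secret, user_db=CONSTRUCTED_USERS, identifier=7):
    """One round trip: returns (granted, reason). A secret mismatch between the connector (client)
    and the RADIUS server shows up as an unverifiable reply, not merely as a rejected passcode."""
    request, request_auth = build_access_request(identifier, username, passcode, client_secret)
    reply = radius_server_handle(request, server_secret, user_db)
    return verify_response(reply, request_auth, client_secret, identifier)
```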
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilt0D6fTCC_FxJnhz52OwJcHa2Y05nREuuNQ7TlltX-bLhJgFNZyoKIMsvGJSDs2qe-iOkpskAjO3bEpWH8kUoND7dxKM8GqmkwsOsTaQtFtXGNv9sZkKRfFQhrHVeXUoSRLfxoJE70Ocd/s1600/Screen+Shot+2018-11-03+at+11.11.47+AM.png" imageanchor="1"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilt0D6fTCC_FxJnhz52OwJcHa2Y05nREuuNQ7TlltX-bLhJgFNZyoKIMsvGJSDs2qe-iOkpskAjO3bEpWH8kUoND7dxKM8GqmkwsOsTaQtFtXGNv9sZkKRfFQhrHVeXUoSRLfxoJE70Ocd/s640/Screen+Shot+2018-11-03+at+11.11.47+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Next, we want to enable this authentication method on our Built-in identity provider. Navigate to Identity and Access Management --> Setup --> Identity Providers. Click on the hyperlink for your Built-in provider. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcJi5iAcNujeTtrfY2hljIIs6JYFDidkP4sulLdAgRbcvlangnFUsly80ixwBPLAvCYif08x1QwfeLbpQpiWQf8FRkUmjxPxHzaHMnZlJBuM2HmUQGGwIS2pFrvbXjDsQteVcfEmySIhnI/s1600/Screen+Shot+2018-11-02+at+10.44.16+AM.png" imageanchor="1"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcJi5iAcNujeTtrfY2hljIIs6JYFDidkP4sulLdAgRbcvlangnFUsly80ixwBPLAvCYif08x1QwfeLbpQpiWQf8FRkUmjxPxHzaHMnZlJBuM2HmUQGGwIS2pFrvbXjDsQteVcfEmySIhnI/s640/Screen+Shot+2018-11-02+at+10.44.16+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Scroll down to the Connector Authentication methods for your Connector and enable the option for RADIUS (cloud deployment). </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDg_Exu1kFDIu_EbkNN_z7uclxj3VQ42_Krays8anwasS5nHCvJlEg7A1FpOiuywPoGaZvlFH9wylMFakM9F9qw-1yT769foKxU8ukshW8zmZxzjNpCCDLfx2XwgL0dwuib9J0LBureK7W/s1600/Screen+Shot+2018-11-02+at+10.45.28+AM.png" imageanchor="1"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDg_Exu1kFDIu_EbkNN_z7uclxj3VQ42_Krays8anwasS5nHCvJlEg7A1FpOiuywPoGaZvlFH9wylMFakM9F9qw-1yT769foKxU8ukshW8zmZxzjNpCCDLfx2XwgL0dwuib9J0LBureK7W/s640/Screen+Shot+2018-11-02+at+10.45.28+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Then click save to make the new settings stick.</span><br />
<br />
<h2>
Mandate RADIUS Authentication Through An Access Policy</h2>
<div>
<br /></div>
<span style="color: #9fc5e8;">At this point, we can use access policies to mandate RADIUS authentication for either general Workspace One portal access or for individual applications. For example, to pick on Mac users, I've edited the default policy to require RADIUS authentication for Mac users in order to log in to Workspace One. After navigating to Identity & Access Management --> Manage --> Policies, I clicked on the option to, "Edit Default Policy." </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn0UFIW3gydOeaaTDPdqig-2qt2uOFt7Vc1hTEw3G_9fHjbFLVG603ChkMCdn5foUWdlY2Ond7sDsgkiZWzwcVnR1CkN8idAUBLSIckyerzZ8y5izBGuovwzQ0FAWXE9EZWu2K2VMFRJn5/s1600/Screen+Shot+2018-11-03+at+8.13.09+AM.png" imageanchor="1"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn0UFIW3gydOeaaTDPdqig-2qt2uOFt7Vc1hTEw3G_9fHjbFLVG603ChkMCdn5foUWdlY2Ond7sDsgkiZWzwcVnR1CkN8idAUBLSIckyerzZ8y5izBGuovwzQ0FAWXE9EZWu2K2VMFRJn5/s640/Screen+Shot+2018-11-03+at+8.13.09+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">From there, I added a new access rule for Mac users. Here's what it looks like:</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRyOfJ5_192yJ3B2gr11ZSWevd2HIChEfdJUG5lYA90i7wTKnfGGkPRNRsvpPZk7t78WUunf-1tH-Ab_WzLCfEtWnY342KxADFUwstezxSQ31UJd1_anCQJlRKKWC3yDK7NNg-mLprxRa4/s1600/Screen+Shot+2018-11-03+at+8.14.40+AM.png" imageanchor="1"><img border="0" height="390" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRyOfJ5_192yJ3B2gr11ZSWevd2HIChEfdJUG5lYA90i7wTKnfGGkPRNRsvpPZk7t78WUunf-1tH-Ab_WzLCfEtWnY342KxADFUwstezxSQ31UJd1_anCQJlRKKWC3yDK7NNg-mLprxRa4/s640/Screen+Shot+2018-11-03+at+8.14.40+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Now, when I try to authenticate to vIDM from my MacBook Pro, I'm initially prompted to provide my RADIUS passcode, rather than the default of AD credentials. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHzPFZevOKKhUMwWPnZDVTmWsluWsiiZiZdvQIdSjwAsIOKphbBLahSnstpyxNwDVo_fmJvVfCmKcocU2B-HYDSh2oebMvyG_VTU9FpYYGIlnmVbUk4tN1ZwQkopfEbhURoWlRPZwN5Fxa/s1600/Screen+Shot+2018-11-03+at+9.01.44+AM.png" imageanchor="1"><img border="0" height="506" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHzPFZevOKKhUMwWPnZDVTmWsluWsiiZiZdvQIdSjwAsIOKphbBLahSnstpyxNwDVo_fmJvVfCmKcocU2B-HYDSh2oebMvyG_VTU9FpYYGIlnmVbUk4tN1ZwQkopfEbhURoWlRPZwN5Fxa/s640/Screen+Shot+2018-11-03+at+9.01.44+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Another option is to mandate RADIUS authentication for an individual application, rather than for general access to the portal. For example, I can mandate RADIUS authentication for access to a Horizon environment. So, initially, the user can access their portal with AD credentials, but will then be prompted for a RADIUS passcode when they try to launch their desktop. Accordingly, on the access policy defined for a specific Horizon desktop pool, I've added the following access rule: </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0VXdDy6-6qa2jkXymUNTLm1fMShyphenhyphenTGYTlEyqzN4XIYTjCxaEqXXta38BTmpjtwOvYEwT_yFx3j7GwN8bFxsYKprF985UE_WSNvxm-1wBaSx00x5CUp2DEm8IaQm7RjlXLhFfVCs1D35jt/s1600/Screen+Shot+2018-11-02+at+12.13.03+PM.png" imageanchor="1"><img border="0" height="244" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0VXdDy6-6qa2jkXymUNTLm1fMShyphenhyphenTGYTlEyqzN4XIYTjCxaEqXXta38BTmpjtwOvYEwT_yFx3j7GwN8bFxsYKprF985UE_WSNvxm-1wBaSx00x5CUp2DEm8IaQm7RjlXLhFfVCs1D35jt/s640/Screen+Shot+2018-11-02+at+12.13.03+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Now, my user logs into Workspace One using AD credentials and sees the virtual desktop they're entitled to. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnIZz4rMz48PzR6f6rH3Mr7BthnAi-rjhAtYKQwNUpw4Vx7MHulto6X62lby_mZCpWqMbKHVNwq6hcntHrwDNk0YrcncyelejceW3yfahwvOfaJDNcdJ9NUDxh7JGu8oPJwxW0L2axIh4z/s1600/Screen+Shot+2018-11-03+at+9.12.11+AM.png" imageanchor="1"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnIZz4rMz48PzR6f6rH3Mr7BthnAi-rjhAtYKQwNUpw4Vx7MHulto6X62lby_mZCpWqMbKHVNwq6hcntHrwDNk0YrcncyelejceW3yfahwvOfaJDNcdJ9NUDxh7JGu8oPJwxW0L2axIh4z/s640/Screen+Shot+2018-11-03+at+9.12.11+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">However, when they double click on the entitlement, they're redirected to a prompt for their RADIUS passcode. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1iUxxiUMc9PIS-WD0e5-WrpvqTg-t_2w4zFi9IR57Fzj-oZHli31D4af5U1Jr7Cqqf1yqnkxsyWJgUYj_bgzZ6Jsor4mRc5An7NskiJKjj64Bet_XNvaMW4tE9qZ27yJZH_Ny7YXFdB20/s1600/Screen+Shot+2018-11-03+at+9.13.26+AM.png" imageanchor="1"><img border="0" height="576" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1iUxxiUMc9PIS-WD0e5-WrpvqTg-t_2w4zFi9IR57Fzj-oZHli31D4af5U1Jr7Cqqf1yqnkxsyWJgUYj_bgzZ6Jsor4mRc5An7NskiJKjj64Bet_XNvaMW4tE9qZ27yJZH_Ny7YXFdB20/s640/Screen+Shot+2018-11-03+at+9.13.26+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">After a valid RADIUS passcode is provided, access is granted to the virtual desktop. </span><br />
<br />
<br />Configuring Mobile SSO For iOS In Workspace One UEM (AirWatch) (2018-10-06)<br />
<span style="color: #9fc5e8;">A prerequisite for leveraging AirWatch device compliance in vIDM is the configuration of Mobile SSO for iOS. The Workspace One deployment guide indicates that the device compliance authentication method, "works in an authentication chain with Mobile SSO for iOS." Accordingly, the access policy involves combining the two methods together and looks like this:</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl51uvs5STtZUj6mMXr5odK7KWL6yOTgLURX2x1HYQaR2RbQd2v4Dsxlj525dBrB343aeqBOZ8r8eBtW_p8OLDG-jJ5FfVBPI5UB0T7zVLQoBwSl2IGGVxzwon5wxFW-EWCTsTZbMXCoE-/s1600/Screen+Shot+2018-10-04+at+11.39.02+PM.png" imageanchor="1"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjl51uvs5STtZUj6mMXr5odK7KWL6yOTgLURX2x1HYQaR2RbQd2v4Dsxlj525dBrB343aeqBOZ8r8eBtW_p8OLDG-jJ5FfVBPI5UB0T7zVLQoBwSl2IGGVxzwon5wxFW-EWCTsTZbMXCoE-/s640/Screen+Shot+2018-10-04+at+11.39.02+PM.png" width="640" /></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Long story short, we need to get Mobile SSO for iOS set up and configured properly before we can take advantage of device compliance as an authentication method. To achieve this, we're first going to enable the built-in certificate authority for AirWatch. Then we'll enable and configure the Mobile SSO for iOS authentication method. Next, we'll associate this authentication method with the new built-in IDP we're going to create. Finally, we'll push the required identity provider settings out to the target devices using a special iOS profile. </span><br />
<br />
<h2>
Enable AirWatch Certificate Authority</h2>
<br />
<span style="color: #9fc5e8;">While there's the option to use a Microsoft Certificate Authority, the path of least resistance is to leverage the built-in certificate authority AirWatch can provide. To enable it, navigate to Groups And Settings --> All Settings --> System --> Enterprise Integration --> VMware Identity --> Configuration. Click on the enable button for Certificate Provisioning.</span><br />
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDESXYSdE-PjEVz4mdV672qjykEaw7F9TUP7YUTZA96RNTR1hp6y7wbD71zscW0_-_DJs0bzURF8-FFJe77lRKK-A0y9lIxXPN1-c8mV_kMGNhD7PWScXNYeHcNj9CPhSoTbRNZSnCTLSv/s1600/Screen+Shot+2018-10-04+at+3.43.33+PM.png" imageanchor="1"><img border="0" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDESXYSdE-PjEVz4mdV672qjykEaw7F9TUP7YUTZA96RNTR1hp6y7wbD71zscW0_-_DJs0bzURF8-FFJe77lRKK-A0y9lIxXPN1-c8mV_kMGNhD7PWScXNYeHcNj9CPhSoTbRNZSnCTLSv/s640/Screen+Shot+2018-10-04+at+3.43.33+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">After enabling certificate provisioning you'll see some info about the issuer certificate populated on the screen. </span> </div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrY6bY6rw21h3IlmRhCaqOlDNN5ZxHzXIf2QVQYOPNy4XD2nDLWZKipb-tP1zI271sUL5DfDj9HNBFGSt4jhRrL_iAONwZru0ojVKBj7pBRb9M6tezC9TOzbTyuEM1IKee3JCURdCYvXZW/s1600/Screen+Shot+2018-10-04+at+3.46.53+PM.png" imageanchor="1"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrY6bY6rw21h3IlmRhCaqOlDNN5ZxHzXIf2QVQYOPNy4XD2nDLWZKipb-tP1zI271sUL5DfDj9HNBFGSt4jhRrL_iAONwZru0ojVKBj7pBRb9M6tezC9TOzbTyuEM1IKee3JCURdCYvXZW/s640/Screen+Shot+2018-10-04+at+3.46.53+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Click the export button for the Issuer Certificate. You'll need this certificate to configure the Mobile SSO for iOS authentication method in vIDM.</span></div>
<div>
<br /></div>
<div>
<h2>
Configuring The Mobile SSO (for iOS) Authentication Method</h2>
</div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">In the vIDM admin console, navigate to Identity & Access Management --> Manage --> Authentication Methods. Click the pencil for Mobile SSO (for iOS).</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj54n8gzjjjcSaCtPMHXVbUga9EBWlKSJZZxgKMnd9-a__2Pweqg2ZQNCBW-LDpXsTxTm-8tl9hZoIRC7qEWagnGwQgMHheuysmLKhiZ0IgLfmh7fGTSLXRKwde2c8a1li9MeVuzSEtGamA/s1600/Screen+Shot+2018-10-05+at+12.03.46+AM.png" imageanchor="1"><img border="0" height="516" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj54n8gzjjjcSaCtPMHXVbUga9EBWlKSJZZxgKMnd9-a__2Pweqg2ZQNCBW-LDpXsTxTm-8tl9hZoIRC7qEWagnGwQgMHheuysmLKhiZ0IgLfmh7fGTSLXRKwde2c8a1li9MeVuzSEtGamA/s640/Screen+Shot+2018-10-05+at+12.03.46+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">You want to check the box for, "Enable KDC Authentication."</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6RFcwMkyvG___UyCcA1xYOEd-lDPM79H3VPtNqPGjj9n1sN7LL0_LZPcPKEBzQbUHeNMaCaRXYz3VEnG4yG3qF9TGn0vwEYP1_6JJBNp5fgWZQOYvsbTgbQtgMr7mZaizdXszVKwK75H3/s1600/Screen+Shot+2018-10-05+at+12.05.39+AM.png" imageanchor="1"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6RFcwMkyvG___UyCcA1xYOEd-lDPM79H3VPtNqPGjj9n1sN7LL0_LZPcPKEBzQbUHeNMaCaRXYz3VEnG4yG3qF9TGn0vwEYP1_6JJBNp5fgWZQOYvsbTgbQtgMr7mZaizdXszVKwK75H3/s640/Screen+Shot+2018-10-05+at+12.05.39+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">The realm will be automatically populated. Next, click on the Select File button to upload the issuer certificate we just exported from AirWatch. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3pqKQycdLHhLjKbmsuc8nVWYmuu-PHShNpD8TyV9LpZg9tCMZ8PC17OGg1467fIIm0dxdNeIyC3JrtwMdJn8FkJ5Jcj6CMK9TMsqZtdl_-d1xgkNh09xoSrn31xfV5Usq1YswXtumoKl_/s1600/Screen+Shot+2018-10-04+at+4.42.56+PM.png" imageanchor="1"><img border="0" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3pqKQycdLHhLjKbmsuc8nVWYmuu-PHShNpD8TyV9LpZg9tCMZ8PC17OGg1467fIIm0dxdNeIyC3JrtwMdJn8FkJ5Jcj6CMK9TMsqZtdl_-d1xgkNh09xoSrn31xfV5Usq1YswXtumoKl_/s640/Screen+Shot+2018-10-04+at+4.42.56+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Navigate to the certificate. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1tSzUeRaoUc0fFI4WhOZHj_F6pKz6qm6GR4URnrj0Sq5X_msNoasmAHw_ACIJwNEikcX7IMZjppwTBoeVOF-sY4watmu5xqAinOW9ynwdBhhDzfpvbf0FkyfY13WWTB0xTSiGeYr9Zywy/s1600/Screen+Shot+2018-10-04+at+4.43.49+PM.png" imageanchor="1"><img border="0" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1tSzUeRaoUc0fFI4WhOZHj_F6pKz6qm6GR4URnrj0Sq5X_msNoasmAHw_ACIJwNEikcX7IMZjppwTBoeVOF-sY4watmu5xqAinOW9ynwdBhhDzfpvbf0FkyfY13WWTB0xTSiGeYr9Zywy/s640/Screen+Shot+2018-10-04+at+4.43.49+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Click okay to confirm and upload the file.</span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjekNYLrO-129zUObrRtRSZ4Jt4N1xfaIXbpTJ7_4m8OqnValULTSwWd2QgVau7hbBkaA7OOLKffXfkEc_n63w0Ezip0aIYzdLIjbdJUa8TLPjgnL9eOVB-JGhwxz0PMbYu74abOrHRVqSm/s1600/Screen+Shot+2018-10-04+at+4.44.25+PM.png" imageanchor="1"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjekNYLrO-129zUObrRtRSZ4Jt4N1xfaIXbpTJ7_4m8OqnValULTSwWd2QgVau7hbBkaA7OOLKffXfkEc_n63w0Ezip0aIYzdLIjbdJUa8TLPjgnL9eOVB-JGhwxz0PMbYu74abOrHRVqSm/s640/Screen+Shot+2018-10-04+at+4.44.25+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">After a successful upload you'll see info about the certificate populate on the screen. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2KRJ77xfuaHTYuh24cx9_8LWIXNkdcETT2_zCiR2aAw3Ij_vIbpMe77MftA0bbZ1dRrfQIrPSmL7P-kyfT_kyKs30EJopAtvwidaFLJD5blJsdIoj09BgEqbht_VR5U0G3s6UooZGB9nR/s1600/Screen+Shot+2018-10-04+at+4.44.46+PM.png" imageanchor="1"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2KRJ77xfuaHTYuh24cx9_8LWIXNkdcETT2_zCiR2aAw3Ij_vIbpMe77MftA0bbZ1dRrfQIrPSmL7P-kyfT_kyKs30EJopAtvwidaFLJD5blJsdIoj09BgEqbht_VR5U0G3s6UooZGB9nR/s640/Screen+Shot+2018-10-04+at+4.44.46+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Also, for a reason I can't explain, the device compliance authentication method wouldn't work for me until I unchecked the options for, "Enable OCSP," and, "Send OCSP Nonce." Don't ask me why it was breaking things. All I know is that while googling an error message and following the suggestion of disabling OCSP in the following post, I was up and running:</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">https://communities.vmware.com/thread/547237</span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">Finally, click save. You'll get a pop up message that the adapter has been updated.</span> </div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglUeMDL9jpu41PgkrpmiKa-YDtcQsx0ylJOSpi60GsTS-rbeNeHPoSKnng3UTxHLHcjy8wnTvRXloX7z57BwoJhYVZfLcXvL0tb0_Rl2zx69yKRE0Sl25pW5gl-ZIUnmqqKZ9QV0Ufeqqf/s1600/Screen+Shot+2018-10-04+at+8.20.49+PM.png" imageanchor="1"><img border="0" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglUeMDL9jpu41PgkrpmiKa-YDtcQsx0ylJOSpi60GsTS-rbeNeHPoSKnng3UTxHLHcjy8wnTvRXloX7z57BwoJhYVZfLcXvL0tb0_Rl2zx69yKRE0Sl25pW5gl-ZIUnmqqKZ9QV0Ufeqqf/s640/Screen+Shot+2018-10-04+at+8.20.49+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<h2>
Create A Built-in IDM And Associate It With Mobile SSO For iOS </h2>
<br />
<span style="color: #9fc5e8;">Navigate to Identity & Access Management --> Manage --> Identity Providers. Click on Add Identity Provider and select the option for, "Create Built-in IDP."</span> </div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3pzmRMocqPYE599tGZMc5Vy_DubUnP1Uhy4YH7P9DI0PYxiMWaZazQxOGiFSnFSPbwizPNQsLlgOtJ88wKUwWJlGlGsn_43AJmpFDFGMS-pwKdXFgWFEmN7n1Oi6yaf6DuUOjFEWsrFup/s1600/Screen+Shot+2018-10-04+at+8.28.52+PM.png" imageanchor="1"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3pzmRMocqPYE599tGZMc5Vy_DubUnP1Uhy4YH7P9DI0PYxiMWaZazQxOGiFSnFSPbwizPNQsLlgOtJ88wKUwWJlGlGsn_43AJmpFDFGMS-pwKdXFgWFEmN7n1Oi6yaf6DuUOjFEWsrFup/s640/Screen+Shot+2018-10-04+at+8.28.52+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Give it a fun name and select the appropriate directories and network ranges. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2mzyybhs-2wp6VkpS6Z5o6wln_vNCL1vSYg-g00ru5xwZst3o9_lRkLKlEfJXS-jRYdg-1DzvnXBHGnzLfOLl2_v-euXRf-N6PGyvyixFPgrZip9liOy2nvVdV7oKL2Dnpb3tMan__fr-/s1600/Screen+Shot+2018-10-04+at+8.30.27+PM.png" imageanchor="1"><img border="0" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2mzyybhs-2wp6VkpS6Z5o6wln_vNCL1vSYg-g00ru5xwZst3o9_lRkLKlEfJXS-jRYdg-1DzvnXBHGnzLfOLl2_v-euXRf-N6PGyvyixFPgrZip9liOy2nvVdV7oKL2Dnpb3tMan__fr-/s640/Screen+Shot+2018-10-04+at+8.30.27+PM.png" width="640" /></a></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">Under Authentication Methods check the options for Device Compliance (with AirWatch) and Mobile SSO (for iOS). Finally, click Add. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHKuDArJHG7jFlZvKPtmnV63KxV072KGtiaEs4LLg4qfO6W_H_OCl5dGMh-gxCuYkcGvHZO6lRZ7Tr5TNUzG8hTqfGBtCucKFTKA3Nl8bm1hC7wlCW22jRfFKktn2ONYQ7N-zs6hJHvUoO/s1600/Screen+Shot+2018-10-04+at+8.31.42+PM.png" imageanchor="1"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHKuDArJHG7jFlZvKPtmnV63KxV072KGtiaEs4LLg4qfO6W_H_OCl5dGMh-gxCuYkcGvHZO6lRZ7Tr5TNUzG8hTqfGBtCucKFTKA3Nl8bm1hC7wlCW22jRfFKktn2ONYQ7N-zs6hJHvUoO/s640/Screen+Shot+2018-10-04+at+8.31.42+PM.png" width="640" /></a></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">Now, when you navigate back to the newly created provider there's an option to download the certificate. Download the certificate. This cert will get pushed out to your iOS device by means of a device profile. </span><br />
<span style="color: #9fc5e8;"><br /></span></div>
<h2>
Creating An Apple iOS Profile To Push Out Identity Provider Settings To Your Devices </h2>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">You'll create an iOS profile in AirWatch to push out vIDM settings to your endpoint devices. Navigate to Devices --> Profiles & Resources --> Profile. Click on Add Profile.</span><br />
</div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBkHnLEFYI0GqEpMAcf1TUZG0ww4wdYWrQ16jWO0PJ2uOXsFXOtXAUFY3vNMSKn7qo9LA9ekfz_nTqf6-gze9RXtfdHdtIPZbfKEWPFHvTEMKegHKqj4vMxahjiczVcVyMc3brnyOIjVfg/s1600/Screen+Shot+2018-10-04+at+8.38.26+PM.png" imageanchor="1"><img border="0" height="412" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBkHnLEFYI0GqEpMAcf1TUZG0ww4wdYWrQ16jWO0PJ2uOXsFXOtXAUFY3vNMSKn7qo9LA9ekfz_nTqf6-gze9RXtfdHdtIPZbfKEWPFHvTEMKegHKqj4vMxahjiczVcVyMc3brnyOIjVfg/s640/Screen+Shot+2018-10-04+at+8.38.26+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Select iOS as the profile type. </span></div>
<div>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-WHXLKVdohNQmDf-Bj4YYXTH4sOBv02g_QIq09gjJIoq1aUSN1Qmvj6KRYmTTr8xwN8jat9qhga3HCCG9Cc0CpMLzGI_o-7ZrLY-fMGHWoRCxq4UTDugQ_SLF6zdfTe0cpV72zhguqEDH/s1600/Screen+Shot+2018-10-04+at+8.39.17+PM.png" imageanchor="1"><img border="0" height="630" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-WHXLKVdohNQmDf-Bj4YYXTH4sOBv02g_QIq09gjJIoq1aUSN1Qmvj6KRYmTTr8xwN8jat9qhga3HCCG9Cc0CpMLzGI_o-7ZrLY-fMGHWoRCxq4UTDugQ_SLF6zdfTe0cpV72zhguqEDH/s640/Screen+Shot+2018-10-04+at+8.39.17+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Name the profile iOSKerberos. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMxqA0wVSCfteKFEOh-BYpYXqxmttFKnaoyuy45vtzqFJ_wIZTmXK1teMhTGZ700TR56EXPtxrvSw40occ7R7Gg0SSqXcvhECpWy0IjBqx_dCwAxK5vpcA_gukKEuAX5Db5uIDrLrJVRuF/s1600/Screen+Shot+2018-10-04+at+8.40.16+PM.png" imageanchor="1"><img border="0" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMxqA0wVSCfteKFEOh-BYpYXqxmttFKnaoyuy45vtzqFJ_wIZTmXK1teMhTGZ700TR56EXPtxrvSw40occ7R7Gg0SSqXcvhECpWy0IjBqx_dCwAxK5vpcA_gukKEuAX5Db5uIDrLrJVRuF/s640/Screen+Shot+2018-10-04+at+8.40.16+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Scroll down to SCEP and click on configure. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg1HxR0qmrY9bjL_oPLEOu2LBUt7HV0Pk9RnFuDothXHbt298Iz9GatfJqmJrmm5_jYcE9JejzeXunshunil_7S1MI5qoAmQTZSVBxyv-yCRj563vNzxB3BdJXQC9x6oZzx-GqKbsry91R/s1600/Screen+Shot+2018-10-04+at+8.41.50+PM.png" imageanchor="1"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg1HxR0qmrY9bjL_oPLEOu2LBUt7HV0Pk9RnFuDothXHbt298Iz9GatfJqmJrmm5_jYcE9JejzeXunshunil_7S1MI5qoAmQTZSVBxyv-yCRj563vNzxB3BdJXQC9x6oZzx-GqKbsry91R/s640/Screen+Shot+2018-10-04+at+8.41.50+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">From the drop down menu select AirWatch Certificate Authority for both the credential source and certificate authority. Select Single Sign-On for the certificate template. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTT1Jws_ybVxDc3NYtEiuSumLdttf8oruk04gqqAgq9v7M7m1bjAiHeJJESwjc4-32vnESkOBKMeUJqjpUxxWpnXlI6-CBIChYXubzFZvvJ5NC2qXFR9yYtZQN-FutQChAxjWOP5bz12h0/s1600/Screen+Shot+2018-10-04+at+8.43.02+PM.png" imageanchor="1"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTT1Jws_ybVxDc3NYtEiuSumLdttf8oruk04gqqAgq9v7M7m1bjAiHeJJESwjc4-32vnESkOBKMeUJqjpUxxWpnXlI6-CBIChYXubzFZvvJ5NC2qXFR9yYtZQN-FutQChAxjWOP5bz12h0/s640/Screen+Shot+2018-10-04+at+8.43.02+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Scroll down to Credentials and select configure. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7A5-qLjqpyHJR-K4sh1gqS5rSKt4KIG7wHkeJRIA-XLZATJZt07i-QxJCvQKrq4-fkEhC6N-uTB94XYomtD4CYrFv4_t8oJArxeph73RFhyphenhyphenefNPRQJl8UxwNrF-rpuZ0g9vM9iqM_3rKJ/s1600/Screen+Shot+2018-10-04+at+8.44.09+PM.png" imageanchor="1"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7A5-qLjqpyHJR-K4sh1gqS5rSKt4KIG7wHkeJRIA-XLZATJZt07i-QxJCvQKrq4-fkEhC6N-uTB94XYomtD4CYrFv4_t8oJArxeph73RFhyphenhyphenefNPRQJl8UxwNrF-rpuZ0g9vM9iqM_3rKJ/s640/Screen+Shot+2018-10-04+at+8.44.09+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Select the upload option and click on the upload button. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWpKTmB5yLYGTHxvwGRpqKEyC6zxkwGSFm1WeKirpsPLqdvrCGMFeZE_bXY7mrtb7EbXS5uqBEkDLBUhK4cYepizvBT0fxXOhZpHDn7x6_4tem65AivCy5fnq_g6ie0GZ2Fr1H2uoIuhO1/s1600/Screen+Shot+2018-10-05+at+12.45.44+AM.png" imageanchor="1"><img border="0" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWpKTmB5yLYGTHxvwGRpqKEyC6zxkwGSFm1WeKirpsPLqdvrCGMFeZE_bXY7mrtb7EbXS5uqBEkDLBUhK4cYepizvBT0fxXOhZpHDn7x6_4tem65AivCy5fnq_g6ie0GZ2Fr1H2uoIuhO1/s640/Screen+Shot+2018-10-05+at+12.45.44+AM.png" width="640" /></a><br />
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">Navigate to the KDC certificate you just exported from the identity provider. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhESCWJhuP-4IRTguraZurGzt2TNxtHECMuPKSo9jgdpLhSLU7k9cr4tqpBqaD7DxGfziGpQu-JoMKWKXHcPPcJ8mWOJ_ZnFO9IUTdwhcQ0-hzvNwj5oY62jn3rAF2YlB_DKE61QikLuNUg/s1600/Screen+Shot+2018-10-04+at+8.45.21+PM.png" imageanchor="1"><img border="0" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhESCWJhuP-4IRTguraZurGzt2TNxtHECMuPKSo9jgdpLhSLU7k9cr4tqpBqaD7DxGfziGpQu-JoMKWKXHcPPcJ8mWOJ_ZnFO9IUTdwhcQ0-hzvNwj5oY62jn3rAF2YlB_DKE61QikLuNUg/s640/Screen+Shot+2018-10-04+at+8.45.21+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Info about the cert will get populated on the screen. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinA4gBrbbQ_jD8Pq44OEze4rQZ4in1pL-KL8WUJiQ2WKtEOSBj4HahKUhsVL633mWc8S_m0hh111C3TqN-I2tzDRojpk9zAlG51kYNk7cMTDAmYuPSSgiEGdFok8SjI5t1vBRh_P_19NPd/s1600/Screen+Shot+2018-10-04+at+8.45.37+PM.png" imageanchor="1"><img border="0" height="378" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinA4gBrbbQ_jD8Pq44OEze4rQZ4in1pL-KL8WUJiQ2WKtEOSBj4HahKUhsVL633mWc8S_m0hh111C3TqN-I2tzDRojpk9zAlG51kYNk7cMTDAmYuPSSgiEGdFok8SjI5t1vBRh_P_19NPd/s640/Screen+Shot+2018-10-04+at+8.45.37+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Finally, scroll down to Single Sign-On. Click on the configure button. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmNChk6TZaaIf5J3kNfLvb3S5j0cho77CSHjMbB2HOm6A4tOFgbEkBFeU8cFNY0ak9jAFpdGubKc8JZiOmVVuGKgqNo78eE6koYbLw2H2maGZvPuHfe5aacLuJNkiMv-zfHTbdXeEfBzVy/s1600/Screen+Shot+2018-10-04+at+8.47.10+PM.png" imageanchor="1"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmNChk6TZaaIf5J3kNfLvb3S5j0cho77CSHjMbB2HOm6A4tOFgbEkBFeU8cFNY0ak9jAFpdGubKc8JZiOmVVuGKgqNo78eE6koYbLw2H2maGZvPuHfe5aacLuJNkiMv-zfHTbdXeEfBzVy/s640/Screen+Shot+2018-10-04+at+8.47.10+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">For the account name, enter Kerberos. For the Kerberos Principal Name, click + and select {EnrollmentUser}. For the realm name, enter the realm name of your tenant (most likely VMWAREIDENTITY.COM). Under renewal certificate, I went with SCEP #1. For URL Prefixes, enter the full name of your tenant. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyKgHA-WutVivf3BEZ0qKQeG4fpko6yOjFOF_jSt1L-fbgO9SWmlo5AWLoi4UpxBsdiZEKTDV__32UVwCwOCrImQfJcPWAa3l6oBBAma2ICHlNLRcqgjq4gUfNhHxxXHSZrMm7CYcsHpt-/s1600/Screen+Shot+2018-10-04+at+8.52.25+PM.png" imageanchor="1"><img border="0" height="342" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyKgHA-WutVivf3BEZ0qKQeG4fpko6yOjFOF_jSt1L-fbgO9SWmlo5AWLoi4UpxBsdiZEKTDV__32UVwCwOCrImQfJcPWAa3l6oBBAma2ICHlNLRcqgjq4gUfNhHxxXHSZrMm7CYcsHpt-/s640/Screen+Shot+2018-10-04+at+8.52.25+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Scroll down a bit. Then for an application identifier, add com.apple.mobilesafari.</span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6fjtxWCA2t-ni3j04nvg9c4GT-UkMTpQLXSmMfED9dfwKn9VqqvZeCpnwDDe1PLEZF1n4Frm_eyXJ0tW0-W74JvA24wKQX_df7Pss-o6dJBy6xYtDwbzX6YQzYNHZ9BFZvgwc3-s_VtCj/s1600/Screen+Shot+2018-10-04+at+8.55.06+PM.png" imageanchor="1"><img border="0" height="432" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6fjtxWCA2t-ni3j04nvg9c4GT-UkMTpQLXSmMfED9dfwKn9VqqvZeCpnwDDe1PLEZF1n4Frm_eyXJ0tW0-W74JvA24wKQX_df7Pss-o6dJBy6xYtDwbzX6YQzYNHZ9BFZvgwc3-s_VtCj/s640/Screen+Shot+2018-10-04+at+8.55.06+PM.png" width="640" /></a></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">Next, publish and assign this new profile to the target endpoints. Once the profile has been applied to the endpoint, you can confirm it by going to Settings --> General --> Device Management --> Device Manager. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMaImLYhFO84YSQLOu64Ii9-_j4mnSBCxoqYQNqtyL92tEQUk115KJKP1JVGBCOVxTZvgLms4808p53RMkQZ9zlEqn0GCrVNn4iHlHL2OvPER9P-OZoagAkk72_zVAtnftAII3lbRD92Db/s1600/IMG_0067.jpg" imageanchor="1"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMaImLYhFO84YSQLOu64Ii9-_j4mnSBCxoqYQNqtyL92tEQUk115KJKP1JVGBCOVxTZvgLms4808p53RMkQZ9zlEqn0GCrVNn4iHlHL2OvPER9P-OZoagAkk72_zVAtnftAII3lbRD92Db/s640/IMG_0067.jpg" width="480" /></a></span><br />
<span style="color: #9fc5e8;"></span><br />
<span style="color: #9fc5e8;">Click on More Details. You'll see, among other things, the Kerberos settings included in the profile. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAoOSefhykNBcY5vsyn4fHPak6mxj1Mv-WVA2ASHeULgTy5xLJGNX9NojsoMdW2NAJxbeP0br9-w2a8HtLabxjSOKTGpez6i4KCZNYhQJaV5C-fnisBo5JCCS5G057uN_aPOfMEm44gAhv/s1600/IMG_0068.jpg" imageanchor="1"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAoOSefhykNBcY5vsyn4fHPak6mxj1Mv-WVA2ASHeULgTy5xLJGNX9NojsoMdW2NAJxbeP0br9-w2a8HtLabxjSOKTGpez6i4KCZNYhQJaV5C-fnisBo5JCCS5G057uN_aPOfMEm44gAhv/s640/IMG_0068.jpg" width="480" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Click on Kerberos and you can actually see some of the specific settings you just configured. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlbeTky48xFxH-ba-j2iSupAC2EcuJXVo7EAGMU2HfSgdrFVnkpoPFxZ0k1M-thpWQiDL8D14HARBtQCr0iiiluJumIedFRKO4SsW2v5H3VWPdOXasNs9jNEP3kN91WPZY8DSWj0Ef88eu/s1600/IMG_0069.jpg" imageanchor="1"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlbeTky48xFxH-ba-j2iSupAC2EcuJXVo7EAGMU2HfSgdrFVnkpoPFxZ0k1M-thpWQiDL8D14HARBtQCr0iiiluJumIedFRKO4SsW2v5H3VWPdOXasNs9jNEP3kN91WPZY8DSWj0Ef88eu/s640/IMG_0069.jpg" width="480" /></a></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
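<div>
<span style="color: #9fc5e8;">The AirWatch screens above end up as an Apple configuration profile on the device: the Single Sign-On section becomes a com.apple.sso payload, and the SCEP and Credentials sections become the certificate payloads it references. The Python below is an added example, not code from the post or from VMware: it builds a profile of that shape with plistlib using Apple's documented payload keys, and lints it for the settings that commonly break Mobile SSO (lower-case realm, non-HTTPS URL prefix, missing principal or renewal certificate, unscoped app identifiers). The tenant hostname, enrollment user name and SCEP payload UUID are constructed placeholders; the mapping of each UI field to a payload key is my reading of Apple's profile reference, not something the post states.</span><br />
<br />
```python
import plistlib
import uuid

# Constructed placeholder values (hypothetical, not from the post): replace with your own.
TENANT_FQDN = "tenant.vmwareidentity.com"   # the "full name of your tenant" used as URL prefix
REALM = "VMWAREIDENTITY.COM"                # Kerberos realm of the tenant
ENROLLMENT_USER = "jdoe"                    # what the {EnrollmentUser} lookup value resolves to
SCEP_PAYLOAD_UUID = "11111111-2222-3333-4444-555555555555"  # UUID of the "SCEP #1" payload


def build_sso_payload(principal, realm, tenant_fqdn, scep_uuid,
                      app_ids=("com.apple.mobilesafari",)):
    """Single Sign-On Account payload (PayloadType com.apple.sso).

    Field mapping (assumed): Name = Account name, PrincipalName = Kerberos Principal Name,
    Realm = Realm, URLPrefixMatches = URL Prefixes, AppIdentifierMatches = Application
    Identifiers, PayloadCertificateUUID = Renewal Certificate.
    """
    return {
        "PayloadType": "com.apple.sso",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.iOSKerberos.sso",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Kerberos",
        "Name": "Kerberos",
        "Kerberos": {
            "PrincipalName": principal,
            "Realm": realm,
            "URLPrefixMatches": [f"https://{tenant_fqdn}/"],
            "AppIdentifierMatches": list(app_ids),
            "PayloadCertificateUUID": scep_uuid,
        },
    }


def build_profile(principal=ENROLLMENT_USER, realm=REALM, tenant_fqdn=TENANT_FQDN,
                  scep_uuid=SCEP_PAYLOAD_UUID, url_prefixes=None):
    """Wrap the SSO payload in a top-level Configuration profile; return XML plist bytes."""
    sso = build_sso_payload(principal, realm, tenant_fqdn, scep_uuid)
    if url_prefixes is not None:  # override hook so the lint can be exercised on bad input
        sso["Kerberos"]["URLPrefixMatches"] = list(url_prefixes)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.iOSKerberos",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "iOSKerberos",
        "PayloadContent": [sso],
    }
    return plistlib.dumps(profile)


def lint_sso_profile(profile_bytes):
    """Return a list of problems that would stop or weaken Kerberos SSO on the device."""
    profile = plistlib.loads(profile_bytes)
    problems = []
    sso_payloads = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.sso"]
    if not sso_payloads:
        problems.append("no com.apple.sso payload in profile")
    for payload in sso_payloads:
        krb = payload.get("Kerberos", {})
        realm = krb.get("Realm", "")
        if not realm or realm != realm.upper():
            problems.append(f"realm {realm!r} must be present and upper-case")
        if not krb.get("PrincipalName"):
            problems.append("PrincipalName missing: the user would be prompted for it")
        prefixes = krb.get("URLPrefixMatches", [])
        if not prefixes:
            problems.append("URLPrefixMatches empty: account is not scoped to the tenant URL")
        for url in prefixes:
            if not url.startswith("https://"):
                problems.append(f"URL prefix {url!r} is not https://")
        if not krb.get("AppIdentifierMatches"):
            problems.append("AppIdentifierMatches empty: any app could use the credential")
        if not krb.get("PayloadCertificateUUID"):
            problems.append("no renewal certificate referenced")
    return problems


if __name__ == "__main__":
    print(build_profile().decode())
    print(lint_sso_profile(build_profile()))
```
<br />
<span style="color: #9fc5e8;">Running the module prints the plist and an empty problem list; pass url_prefixes=["http://..."] or a lower-case realm to build_profile and the lint reports it. Comparing the keys in the device's Device Manager view against this shape is a quick way to confirm the profile the MDM pushed matches what you configured.</span></div>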
<div>
<span style="color: #9fc5e8;">At this point, the configuration of Mobile SSO for iOS is complete. We can proceed to enable device compliance as an authentication method. For guidance, check out this next post, <a href="http://www.evengooder.com/2018/10/securing-access-to-horizon-through.html">Securing Access To Horizon Through AirWatch Based Device Compliance</a>.</span><span style="color: #9fc5e8;"> </span></div>
<div>
</div>
<br />EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com1tag:blogger.com,1999:blog-7411363718337372107.post-56066505333548762822018-10-06T21:05:00.001-07:002018-10-06T21:05:37.768-07:00Securing Access To Horizon Through AirWatch Based Device Compliance<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">With the steps detailed in my previous posts complete,</span><span style="color: #9fc5e8;"> we can begin to leverage AirWatch device compliance for conditional access. Using this authentication method you can mandate device compliance in AirWatch as a prerequisite for access to an application. In this post, access to a Horizon desktop pool is going to be restricted to devices that are not only AirWatch enrolled, but also compliant according to AirWatch compliance policies. </span><span style="color: #9fc5e8;">For guidance on the prerequisites for enabling this feature, see this </span><a href="http://www.evengooder.com/2018/10/cloud-options-for-accelerating.html">previous post</a><span style="color: #9fc5e8;">. Otherwise, follow the steps below to enable device compliance as an authentication method in vIDM. </span><br />
<br />
<h2>
Enabling Device Compliance </h2>
<br />
<span style="color: #9fc5e8;">Within the vIDM console, navigate to Identity & Access Management --> Setup --> AirWatch.</span><br />
<span style="color: #9fc5e8;">Scroll down to Compliance Check. Select enable and click save.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN-yRv0QqlufupUz5HkzQT21DEkw72R04JxpwXZA8L-BadlhsfZTSeE5zsr0zKq9egpHlXvb9JVkU6-B4R8PO3IqCs9dJUh_-B2Myapa8pBbHSQb2DX3iYBkZ4VizQbAkQf-70yJ3SqGYK/s1600/Screen+Shot+2018-10-03+at+9.34.10+AM.png" imageanchor="1"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN-yRv0QqlufupUz5HkzQT21DEkw72R04JxpwXZA8L-BadlhsfZTSeE5zsr0zKq9egpHlXvb9JVkU6-B4R8PO3IqCs9dJUh_-B2Myapa8pBbHSQb2DX3iYBkZ4VizQbAkQf-70yJ3SqGYK/s640/Screen+Shot+2018-10-03+at+9.34.10+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Next, to leverage device compliance as an authentication requirement within vIDM access policies it needs to be enabled as an authentication method within the Built-in identity provider. To do so, navigate to Identity & Access Management --> Manage --> Identity Providers. Click on the hyperlink for Built-in. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyBKPukHN4ivz03AT1DZLIeKItta6O0mQgCTSUnyIX0_TzqEMas-LzV_kxxG9BgvW9B7UybeAnAmS3ZYXHt5aOoCpDUrOEUd_EhJMUZUWSKVVvzE-Y6vw4Wo6mGZBhJgPOGYDLITqXu9Dd/s1600/Screen+Shot+2018-10-03+at+11.00.42+AM.png" imageanchor="1"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyBKPukHN4ivz03AT1DZLIeKItta6O0mQgCTSUnyIX0_TzqEMas-LzV_kxxG9BgvW9B7UybeAnAmS3ZYXHt5aOoCpDUrOEUd_EhJMUZUWSKVVvzE-Y6vw4Wo6mGZBhJgPOGYDLITqXu9Dd/s640/Screen+Shot+2018-10-03+at+11.00.42+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">From there, scroll down to authentication methods and check the box for, "Device Compliance (with AirWatch)." Then scroll down further and hit save. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXKOttQSx5IT_ZKx96rq4NXSFn01uTyYp4HicNNyme8ZfRxljuSLqGdKCCz2lxBHuvKn4XtRh5h5N8NtZspeNL7GPZF4ZbTxLivcJ3v1ADLxPnv6nQO0Rp9Ir3nm6fTTaD4TjTP1LFdx3g/s1600/Screen+Shot+2018-10-03+at+11.08.34+AM.png" imageanchor="1"><img border="0" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXKOttQSx5IT_ZKx96rq4NXSFn01uTyYp4HicNNyme8ZfRxljuSLqGdKCCz2lxBHuvKn4XtRh5h5N8NtZspeNL7GPZF4ZbTxLivcJ3v1ADLxPnv6nQO0Rp9Ir3nm6fTTaD4TjTP1LFdx3g/s640/Screen+Shot+2018-10-03+at+11.08.34+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">At this point, "Device Compliance (with AirWatch)," will show up as an option under access policies. </span><br />
<br />
<h2>
Mandate Device Compliance For Horizon Access</h2>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">We can now make AirWatch device compliance a prerequisite for Horizon access through the creation of an access policy in vIDM. Within the vIDM management console, navigate to Identity & Access Management --> Manage --> Policies. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4jXFQJdVMpG1-4TO2epJwPcaK3obuhHHesiHiSgmGl-pASXidOvMpiXYThc7UNfNgzrQC8vnBOP4YNktVvNNHFWOUZhpmbViegqlvCZps_Fw5WZUmFrYqmvsfpgCnBStKNGAhbHMs3ZxF/s1600/Screen+Shot+2018-10-03+at+11.49.18+AM.png" imageanchor="1"><img border="0" height="214" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4jXFQJdVMpG1-4TO2epJwPcaK3obuhHHesiHiSgmGl-pASXidOvMpiXYThc7UNfNgzrQC8vnBOP4YNktVvNNHFWOUZhpmbViegqlvCZps_Fw5WZUmFrYqmvsfpgCnBStKNGAhbHMs3ZxF/s640/Screen+Shot+2018-10-03+at+11.49.18+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Click the Add Policy option. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDnndWJLiKyP2hiA0TK4QxnyzRqqe8ft6kKCliAVBXJL5nb5mOHntZJNufmbTYiu8D7-y8bH0RshOg4LEMmBWE6d7BRuV4QVZElZUQBSHfZDLfsw4WVWzpCSXvB3jTxYbeZRdEKOvAuFoM/s1600/Screen+Shot+2018-10-03+at+11.51.04+AM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDnndWJLiKyP2hiA0TK4QxnyzRqqe8ft6kKCliAVBXJL5nb5mOHntZJNufmbTYiu8D7-y8bH0RshOg4LEMmBWE6d7BRuV4QVZElZUQBSHfZDLfsw4WVWzpCSXvB3jTxYbeZRdEKOvAuFoM/s640/Screen+Shot+2018-10-03+at+11.51.04+AM.png" width="640" /></a><span style="color: #9fc5e8;"><br /></span><br />
<span style="color: #9fc5e8;">Provide a descriptive name for the policy and select the relevant Horizon entitlement. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNp6C_hBSW9hqX8CnV44YeC7KIKF1Qu7asn0uO5VMAdCWsR7BsCIm2u7bljpUPO7abwvK3yZlw5dsEoLY60B5sMv4vr09tCG7RCzWxYUXTF7a3fSmesVrwK2UVyVsfUfLeSWlXgsqgNgEm/s1600/Screen+Shot+2018-10-03+at+11.51.39+AM.png" imageanchor="1"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNp6C_hBSW9hqX8CnV44YeC7KIKF1Qu7asn0uO5VMAdCWsR7BsCIm2u7bljpUPO7abwvK3yZlw5dsEoLY60B5sMv4vr09tCG7RCzWxYUXTF7a3fSmesVrwK2UVyVsfUfLeSWlXgsqgNgEm/s640/Screen+Shot+2018-10-03+at+11.51.39+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Next, under configuration, select, "Add Policy Rule." </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX9LST1P0d29-D5Q7f1QWj-QdwlqENfdqYBnIWaGg5915ZmKLcPgs-x8vWpQfpkUnL1j9KKbzPTw10-C9U4UV2DQSag9m_QJ7gJYWqQIeDjnCaCijWEduiRYLL0fHocfsSBuS65FyzSfiz/s1600/Screen+Shot+2018-10-03+at+11.52.22+AM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX9LST1P0d29-D5Q7f1QWj-QdwlqENfdqYBnIWaGg5915ZmKLcPgs-x8vWpQfpkUnL1j9KKbzPTw10-C9U4UV2DQSag9m_QJ7gJYWqQIeDjnCaCijWEduiRYLL0fHocfsSBuS65FyzSfiz/s640/Screen+Shot+2018-10-03+at+11.52.22+AM.png" width="640" /></a><span style="color: #9fc5e8;">Pick a network range for this new rule as well as applicable device type. For this test, I'm going to select ALL Network ranges and iOS. Then, for authentication requirements I'm going to select both, "Mobile SSO (for iOS)," and, "Device Compliance (with AirWatch)." </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGWUMECxL_SMx_JU6pXWhSjSU62KuysAcc1NjRXDpH-UY3fRXlhVpY2wSWR5M8SlqFQh0t5IQ65a5xpj_oGXUnnp9EXi1jvMrWX2hX3UGXlXEbuQPl69e6xvdOc6iOG52FMCG07iSd9icq/s1600/Screen+Shot+2018-10-06+at+8.23.56+AM.png" imageanchor="1"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGWUMECxL_SMx_JU6pXWhSjSU62KuysAcc1NjRXDpH-UY3fRXlhVpY2wSWR5M8SlqFQh0t5IQ65a5xpj_oGXUnnp9EXi1jvMrWX2hX3UGXlXEbuQPl69e6xvdOc6iOG52FMCG07iSd9icq/s640/Screen+Shot+2018-10-06+at+8.23.56+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">This mandates that folks trying to access this Horizon desktop pool from an iOS device must have an AirWatch compliant device. </span><br />
<span style="color: #9fc5e8;"><span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Confirm the summary information and hit save. </span></span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3fRAjsojdcDLeNOQZegaLES5MJKsjDnFE0AZ1l5xHPYKYm7SCrlS5gmb8inzYlZNOD2TLsNjMzwORShvKEWuH7qKvVXmAnzLyvYo52KAHQ4xhSWIQ2OUP94Td7DFfJ4yxc2GArK7OJfiD/s1600/Screen+Shot+2018-10-06+at+8.24.30+AM.png" imageanchor="1"><img border="0" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3fRAjsojdcDLeNOQZegaLES5MJKsjDnFE0AZ1l5xHPYKYm7SCrlS5gmb8inzYlZNOD2TLsNjMzwORShvKEWuH7qKvVXmAnzLyvYo52KAHQ4xhSWIQ2OUP94Td7DFfJ4yxc2GArK7OJfiD/s640/Screen+Shot+2018-10-06+at+8.24.30+AM.png" width="640" /></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">You'll see your new access policy show up under policies. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir8WV1y8zPd1dIHodYFmkxBx3VYRjrPin6YTlv7omKA3vAjS-jPDVN0XD_2rkiURGSiUcpxu3luuoL5AeA2pGjdlFmn5UE-XzTKSTztyfiipFTJqFD9RxWnxv4mwVzkiDDRYceB7WAw9_0/s1600/Screen+Shot+2018-10-03+at+11.54.34+AM.png" imageanchor="1"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEir8WV1y8zPd1dIHodYFmkxBx3VYRjrPin6YTlv7omKA3vAjS-jPDVN0XD_2rkiURGSiUcpxu3luuoL5AeA2pGjdlFmn5UE-XzTKSTztyfiipFTJqFD9RxWnxv4mwVzkiDDRYceB7WAw9_0/s640/Screen+Shot+2018-10-03+at+11.54.34+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">With this policy in place, folks who try to launch the Remote Worker Horizon desktop pool from iOS devices won't be granted access unless their device is compliant according to the compliance policies defined in AirWatch. If their endpoint isn't compliant, they'll get a message like this when trying to launch the virtual desktop.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcUc9aed9NS_IgbyOoA3sFnF4_45fPJX7gEswZIy3W3NsnU1lPqLR67gzY_FMzQk9O8Qz4GMlEzTs7OtiinTBtkPeHEAmjmNmlUu4zm9QayQXywmdcR2qoJ1lGLK87xUczLS5iaco2FPdS/s1600/IMG_0066.jpg" imageanchor="1"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcUc9aed9NS_IgbyOoA3sFnF4_45fPJX7gEswZIy3W3NsnU1lPqLR67gzY_FMzQk9O8Qz4GMlEzTs7OtiinTBtkPeHEAmjmNmlUu4zm9QayQXywmdcR2qoJ1lGLK87xUczLS5iaco2FPdS/s640/IMG_0066.jpg" width="640" /></a></span><br />
<br />
<h2>
Creating A Compliance Policy In AirWatch </h2>
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">To test device compliance for Workspace One delivered applications we need to enable a test compliance policy within AirWatch. From the AirWatch console, navigate to Devices --> Compliance Policies --> List View. Click on the Add button. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwwU6_NCzTHP8l8qZxqCfzvbWK-o-GsWh3v9yaalfNA6mBU4ZqSRVNPTf3BGGQC2raMvI3UeICy3pDyg_vuvJW7HvvQTxyNZ2-i0ZVZGOMAq8ENMQVuakVFqfOfSP-9aA0Zv5H8FMmrD5C/s1600/Screen+Shot+2018-10-03+at+11.32.52+AM.png" imageanchor="1"><img border="0" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwwU6_NCzTHP8l8qZxqCfzvbWK-o-GsWh3v9yaalfNA6mBU4ZqSRVNPTf3BGGQC2raMvI3UeICy3pDyg_vuvJW7HvvQTxyNZ2-i0ZVZGOMAq8ENMQVuakVFqfOfSP-9aA0Zv5H8FMmrD5C/s640/Screen+Shot+2018-10-03+at+11.32.52+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Since I'm testing against an iPad device I'm going to create a compliance policy for iOS. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyQwq71pODhloU5nXRsJeAHMkG_KzERtlOyytikff2mU6fsbtHIB5LiktFqiekNhhfvjSC-GnxyhyExZB_6vUzlD5xssBtMyHOJfNTrafNPWbwpWmATVy_PIfonj5uAMComgkyVQ6xLvYM/s1600/Screen+Shot+2018-10-03+at+11.34.18+AM.png" imageanchor="1"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyQwq71pODhloU5nXRsJeAHMkG_KzERtlOyytikff2mU6fsbtHIB5LiktFqiekNhhfvjSC-GnxyhyExZB_6vUzlD5xssBtMyHOJfNTrafNPWbwpWmATVy_PIfonj5uAMComgkyVQ6xLvYM/s640/Screen+Shot+2018-10-03+at+11.34.18+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">For the sake of testing, I'm going to create a policy that's sure to mark my iPad as noncompliant, one that flags devices that are below iOS 11. (My iPad is 9.35.)</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsDpjKEQucSV5gqbMFfnzANmZ4zE69pk7HEg6Q8OgHLXRCYRT9WTX0i-TfUJQHHrd2mjYsjNMJJYHYz5rrjH5Ba3z9NIC4XD6ugMNn6CcSuneNIJnWAVAi0JYwna11oCqLbKijUSESRJVg/s1600/Screen+Shot+2018-10-03+at+11.41.17+PM.png" imageanchor="1"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsDpjKEQucSV5gqbMFfnzANmZ4zE69pk7HEg6Q8OgHLXRCYRT9WTX0i-TfUJQHHrd2mjYsjNMJJYHYz5rrjH5Ba3z9NIC4XD6ugMNn6CcSuneNIJnWAVAi0JYwna11oCqLbKijUSESRJVg/s640/Screen+Shot+2018-10-03+at+11.41.17+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">For actions, I'm just going to go with notify. In real life, you'd probably get a little more involved than that. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh01fuuusfqZR70Vhn1YyuUdH2c8ZzXNoOL_w5Ebd-aBZYT9UdPqSmRClyOddZBJNFSsr-ylRanWWfwoCyJH4GIQsID2TT2CUw2l2EMgs8Xa4erdht3ocJU0OTeNfQDJJfOSjW22yVnzWme/s1600/Screen+Shot+2018-10-03+at+11.39.30+AM.png" imageanchor="1"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh01fuuusfqZR70Vhn1YyuUdH2c8ZzXNoOL_w5Ebd-aBZYT9UdPqSmRClyOddZBJNFSsr-ylRanWWfwoCyJH4GIQsID2TT2CUw2l2EMgs8Xa4erdht3ocJU0OTeNfQDJJfOSjW22yVnzWme/s640/Screen+Shot+2018-10-03+at+11.39.30+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Again, for testing, I'll just apply this policy to all devices. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaaJhcDPQA_pA4sS3nCvD70n4mKSnuwYdskMvVPvqRNMEWUHDUxYZfuUAD-RXsPhxfuwbjsQq-fdULBp08bWunxgcIzpZsj-dXQo-SiBpfrrlMzMhFGtsAj460K0dCbOCnjBRjnLVEc_pZ/s1600/Screen+Shot+2018-10-03+at+11.40.59+AM.png" imageanchor="1"><img border="0" height="432" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaaJhcDPQA_pA4sS3nCvD70n4mKSnuwYdskMvVPvqRNMEWUHDUxYZfuUAD-RXsPhxfuwbjsQq-fdULBp08bWunxgcIzpZsj-dXQo-SiBpfrrlMzMhFGtsAj460K0dCbOCnjBRjnLVEc_pZ/s640/Screen+Shot+2018-10-03+at+11.40.59+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Finally, after reviewing the summary, click Finish & Activate. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFD77XwfY__28SM0UwMU_Ui4HB0O2aHaOK144xrLj3Kp7DNmDprEzODUZEXRUu3kVl-A59xqbXAEj-7CTJqfXBVp69o4l1zJiFoy1LszheXhiplf-rjoIRuulvt6qEMXIrOKrpDuRe6cCT/s1600/Screen+Shot+2018-10-03+at+11.41.21+AM.png" imageanchor="1"><img border="0" height="424" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFD77XwfY__28SM0UwMU_Ui4HB0O2aHaOK144xrLj3Kp7DNmDprEzODUZEXRUu3kVl-A59xqbXAEj-7CTJqfXBVp69o4l1zJiFoy1LszheXhiplf-rjoIRuulvt6qEMXIrOKrpDuRe6cCT/s640/Screen+Shot+2018-10-03+at+11.41.21+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">At this point the newly created policy shows up under the list view for Compliance Policies. </span><br />
<span style="color: #9fc5e8;"></span><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVMDUXaXaXKDveLh7emH4VIkxYOTv4nmqJ1xei2tK9AsMNk2oUluWE3AKStx4WCCmj3D6-GCTdl_44_lpEOXhr4xlCaPd_pHLbee0VqCOQCB3bZrxrj1wv9RJlhqlA0hqjqBw1abHYp-pG/s1600/Screen+Shot+2018-10-06+at+4.12.59+PM.png" imageanchor="1"><img border="0" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVMDUXaXaXKDveLh7emH4VIkxYOTv4nmqJ1xei2tK9AsMNk2oUluWE3AKStx4WCCmj3D6-GCTdl_44_lpEOXhr4xlCaPd_pHLbee0VqCOQCB3bZrxrj1wv9RJlhqlA0hqjqBw1abHYp-pG/s640/Screen+Shot+2018-10-06+at+4.12.59+PM.png" width="640" /></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Once this policy gets evaluated, its status shows up as red under my device's Compliance tab.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKdKBPSzKiS0mQu3w-dg61cXXETNUy2Lqjn1s_xngNc5H839ZtdNWUk0lgRvsiYBHKnK8PJFVqxLS_tNKxB_BOxc0hre5MDQXQLNgbfDMuXPxx4rhBW3KHNgz1hvHwXRYs62cVKTG5vBcv/s1600/Screen+Shot+2018-10-06+at+8.37.24+AM.png" imageanchor="1"><img border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKdKBPSzKiS0mQu3w-dg61cXXETNUy2Lqjn1s_xngNc5H839ZtdNWUk0lgRvsiYBHKnK8PJFVqxLS_tNKxB_BOxc0hre5MDQXQLNgbfDMuXPxx4rhBW3KHNgz1hvHwXRYs62cVKTG5vBcv/s640/Screen+Shot+2018-10-06+at+8.37.24+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><span style="color: #9fc5e8;">And the device is reported as having a compliance violation. </span></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8j9UL1AlA-DryDDkCvy9hjCmc14OsDWb-TwXYDKB6Er1DmmRM37xEKeYWIBC96_a3bGNLUXb25kIiwcYPvXbo4DGhDX3_mV4hMHyvR-hOh_2uhma2Sy8BTApkRi9riy6rpCK4KUUv0lh6/s1600/Screen+Shot+2018-10-06+at+8.42.32+AM.png" imageanchor="1"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8j9UL1AlA-DryDDkCvy9hjCmc14OsDWb-TwXYDKB6Er1DmmRM37xEKeYWIBC96_a3bGNLUXb25kIiwcYPvXbo4DGhDX3_mV4hMHyvR-hOh_2uhma2Sy8BTApkRi9riy6rpCK4KUUv0lh6/s640/Screen+Shot+2018-10-06+at+8.42.32+AM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">At this point, if I try to access my Remote User Horizon desktop pool, I get the error: </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAhpXBqXGrapf0KlAYgOTdWCYHhjNirXaJPZ8ExN4uekUFylQGr1oAGE5-kPIeJwjM7gNq2Ne7QTAzjr1a-DC_Y1vvR9ICYKBka_VeyQ3sCGW60KitaXH_95Jq18i8m9whliUIrRyK9GfX/s1600/IMG_0066.jpg" imageanchor="1"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAhpXBqXGrapf0KlAYgOTdWCYHhjNirXaJPZ8ExN4uekUFylQGr1oAGE5-kPIeJwjM7gNq2Ne7QTAzjr1a-DC_Y1vvR9ICYKBka_VeyQ3sCGW60KitaXH_95Jq18i8m9whliUIrRyK9GfX/s640/IMG_0066.jpg" width="640" /></a><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;"><br />Not only do we get an explanation for why access is denied, but we also get the name of the violated policy and its description. Theoretically, in the real world, a user would go on to upgrade the device in order to be compliant. For testing, you can just remove the OS Version compliance policy from the endpoint and the device will go from noncompliant to compliant. At that point, access to the virtual desktop will work as expected. </span><br />
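<div>
<span style="color: #9fc5e8;">To make the two halves of this post concrete, the Python below is an added example (mine, not VMware's code and not what vIDM or AirWatch actually run) that models both the compliance policy and the access policy rule above: a constructed "OS version below iOS 11" check feeding a rule that requires Mobile SSO (for iOS) and Device Compliance (with AirWatch) for iOS devices on all network ranges. The device records are constructed; the order in which the two authentication methods are checked, and treating an unenrolled device as failing the compliance check, are my assumptions. The one thing worth taking from it beyond the screenshots is the version comparison: a minimum-OS check implemented as a string comparison lets "9.3.5" pass an "11 or later" rule, so versions must be compared numerically.</span><br />
<br />
```python
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.3.5' into (9, 3, 5) so versions compare numerically.

    A plain string comparison gets this wrong: '9.3.5' < '11' is False lexicographically,
    which would let an iOS 9 device satisfy an 'iOS 11 or later' compliance policy.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass
class Device:
    platform: str            # "iOS", "Android", ...
    os_version: str          # as reported to UEM, e.g. "9.3.5" (constructed sample values)
    enrolled: bool           # enrolled in AirWatch / Workspace ONE UEM
    sso_authenticated: bool  # Mobile SSO (for iOS) succeeded for this session


@dataclass
class Violation:
    policy: str
    description: str


def evaluate_compliance(device: Device, minimum_ios: str = "11") -> List[Violation]:
    """Constructed stand-in for the 'OS version below iOS 11' compliance policy."""
    violations = []
    if device.platform == "iOS" and parse_version(device.os_version) < parse_version(minimum_ios):
        violations.append(Violation(
            policy="iOS Minimum Version",
            description=f"Device must run iOS {minimum_ios} or later (reported {device.os_version})",
        ))
    return violations


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_access(device: Device, rule_device_types=("iOS",)) -> Decision:
    """Constructed stand-in for the access policy rule: ALL network ranges, device type iOS,
    authentication = Mobile SSO (for iOS) AND Device Compliance (with AirWatch)."""
    if device.platform not in rule_device_types:
        return Decision(False, f"no policy rule matches device type {device.platform}")
    # First method in the chain: Mobile SSO (for iOS).
    if not device.sso_authenticated:
        return Decision(False, "Mobile SSO (for iOS) authentication did not succeed")
    # Second method: Device Compliance (with AirWatch). Assumption: a device with no
    # enrollment record in UEM has no compliance status and therefore fails the check.
    if not device.enrolled:
        return Decision(False, "device is not enrolled in AirWatch")
    violations = evaluate_compliance(device)
    if violations:
        first = violations[0]
        # Mirrors what the end user is shown: the violated policy's name and description.
        return Decision(False, f"Access denied, device is not compliant: {first.policy}: {first.description}")
    return Decision(True, "authenticated via Mobile SSO and compliant in AirWatch")


if __name__ == "__main__":
    ipad = Device("iOS", "9.3.5", enrolled=True, sso_authenticated=True)
    print(evaluate_access(ipad))
    print(evaluate_access(Device("iOS", "11.4", enrolled=True, sso_authenticated=True)))
```
<br />
<span style="color: #9fc5e8;">Running the module denies the constructed iOS 9.3.5 iPad with the policy name in the reason, and allows the iOS 11.4 device. Removing the compliance policy, as the post does for testing, corresponds to evaluate_compliance returning no violations.</span></div>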
<br />
<br />
<br />
<div>
<br /></div>
EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com2tag:blogger.com,1999:blog-7411363718337372107.post-84297133325711463792018-10-06T21:05:00.000-07:002018-10-06T21:05:24.798-07:00Integrating Cloud Instances Of Workspace One UEM (AirWatch) And VMware Identity Manager <span style="color: #9fc5e8;">The main integration between vIDM and AirWatch is accomplished by populating a single configuration page in vIDM with special credentials from AirWatch. Gathering these credentials ahead of time is probably the trickiest part of the process.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h2>
Gathering REST API Keys From Workspace One UEM (AirWatch) </h2>
<br />
<span style="color: #9fc5e8;">The first step is to create the REST API keys for the Admin and Enrollment User account types. Go to Groups & Settings > All Settings > System > Advanced > API > Rest API. Click on the add button to create an API Key for an account type of Admin. Use a descriptive name. Then click Add again and create an API Key for an account type of Enrollment User. For my environment, I created a service named AirWatchAPI4vIDM for the admin account type. Then I created a service called AirWatchEnrollmentUser for the enrollment user account type. The API key was automatically generated by AirWatch. You'll need copies of both these API keys when you populate the AirWatch settings into vIDM a few steps from now.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTrMtLtf7O_RCusLl03EDy0GrnwETBIqI3iHsffV9Lh24O9TGi2G93Ql5tVVxA_yxqf6CmSnYNf0b4JyhRHzm6nKVLn6U7k1fXIcq8g2D7i6jPKExvzzDpX-kLwkEowX7c26YF9LjHa_UD/s1600/Screen+Shot+2018-09-22+at+9.18.16+AM.png" imageanchor="1"><img border="0" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTrMtLtf7O_RCusLl03EDy0GrnwETBIqI3iHsffV9Lh24O9TGi2G93Ql5tVVxA_yxqf6CmSnYNf0b4JyhRHzm6nKVLn6U7k1fXIcq8g2D7i6jPKExvzzDpX-kLwkEowX7c26YF9LjHa_UD/s640/Screen+Shot+2018-09-22+at+9.18.16+AM.png" width="640" /></a><br />
<br />
<h2>
Getting The AirWatch Administrator Root Certificate </h2>
<br />
<span style="color: #9fc5e8;">Next, you need to get your hands on an AirWatch administrator root certificate. Go to Accounts > Administrators > List View to create a new admin account. Select the Add option, then Add Admin.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoKjZiD9WaWnYtKvBni3qewAnGPl6ZbBut6DjpCSYg496w00CqWWc5RVtNKfnoF6F0gikQozlsLj_b2JIJgm4_TZBr6rZJ1xQWkpq3KC3JIQlYzTD_0ClgGvt3nCYhJLbE2MQCXOokhYIk/s1600/Screen+Shot+2018-10-01+at+2.48.56+PM.png" imageanchor="1"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoKjZiD9WaWnYtKvBni3qewAnGPl6ZbBut6DjpCSYg496w00CqWWc5RVtNKfnoF6F0gikQozlsLj_b2JIJgm4_TZBr6rZJ1xQWkpq3KC3JIQlYzTD_0ClgGvt3nCYhJLbE2MQCXOokhYIk/s640/Screen+Shot+2018-10-01+at+2.48.56+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Create an admin account with a memorable or not so memorable name.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5G6FAyt26dBANbgK96euj3gfqSDKP-Kaba6tRvmzNlb0QkfA609orF-WefrC8JULgenl7Fs1hsJt107VzMU2JkSohaKaWIZ3Lg08Q4lqwqZYYWQIRdFJKC5IyG2fyCwCBQf_Xb4GGtrI4/s1600/Screen+Shot+2018-09-21+at+9.23.46+PM.png" imageanchor="1"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5G6FAyt26dBANbgK96euj3gfqSDKP-Kaba6tRvmzNlb0QkfA609orF-WefrC8JULgenl7Fs1hsJt107VzMU2JkSohaKaWIZ3Lg08Q4lqwqZYYWQIRdFJKC5IyG2fyCwCBQf_Xb4GGtrI4/s640/Screen+Shot+2018-09-21+at+9.23.46+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Populate all the required fields.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihB3hyO1blvgXDkTwMsY_NmVlcbfEs9h-atnWWPLuFbchLB_Vcw8wAaBK0oCD-KMPD5LvojSlUKxbhir7AveU-jv6i-jKiyGQ0VV8FE7yIjVwZ46tDuBLLLJxmc3GDbt1P8PycN1Zvw1kU/s1600/Screen+Shot+2018-09-21+at+9.24.00+PM.png" imageanchor="1"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihB3hyO1blvgXDkTwMsY_NmVlcbfEs9h-atnWWPLuFbchLB_Vcw8wAaBK0oCD-KMPD5LvojSlUKxbhir7AveU-jv6i-jKiyGQ0VV8FE7yIjVwZ46tDuBLLLJxmc3GDbt1P8PycN1Zvw1kU/s640/Screen+Shot+2018-09-21+at+9.24.00+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Next, click on the Roles tab. Ensure that you've selected the correct Organization Group and the AirWatch Administrator role.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEichF-ULCMzn0FnhO-9-0BO31ETTYLBNIi4pFhU6ZJczO-J2OvD-ZShTF_jSLgDWsd-FNCjEBlTAV89h_Xv0zzObaRjGSV3GPR7CkM_R0wCaFRLNA7-eF36X6NeAvNQXgpWTURbp4ybp9dZ/s1600/Screen+Shot+2018-09-28+at+1.24.46+PM.png" imageanchor="1"><img border="0" height="482" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEichF-ULCMzn0FnhO-9-0BO31ETTYLBNIi4pFhU6ZJczO-J2OvD-ZShTF_jSLgDWsd-FNCjEBlTAV89h_Xv0zzObaRjGSV3GPR7CkM_R0wCaFRLNA7-eF36X6NeAvNQXgpWTURbp4ybp9dZ/s640/Screen+Shot+2018-09-28+at+1.24.46+PM.png" width="640" /></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">With the admin account created, from List View, click on the hyperlink for the newly created account. Navigate to the API tab, scroll down, enter a certificate password and then export the client certificate to an easily accessible location.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrJD1vL9SwFnmJP25zh87ttq8Py5Vv6XE9FW7JH3N25qSjz_xpf43aSFcjROMq3V-n4R9cuZiG0UH6QALFqm_7m80gILHuABQvPNVW4A631N5TFlPDzJN8JhaNMnpEZaHtcgJaFE8CfOI_/s1600/Screen+Shot+2018-09-21+at+9.30.47+PM.png" imageanchor="1"><img border="0" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrJD1vL9SwFnmJP25zh87ttq8Py5Vv6XE9FW7JH3N25qSjz_xpf43aSFcjROMq3V-n4R9cuZiG0UH6QALFqm_7m80gILHuABQvPNVW4A631N5TFlPDzJN8JhaNMnpEZaHtcgJaFE8CfOI_/s640/Screen+Shot+2018-09-21+at+9.30.47+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Export the client certificate and keep it somewhere easily accessible.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw7n8DwfBENT2IHql4F-SsqEIH-2HPOvWYZDFLU9Og-yUqbIJ6pYHzTgeGPY7UEybSDsgHTHGTZgb_BfnKPzgdJ60ZN4ZAYHEo-Bdq_ouo2kO6issaflOumucNX4RZz_MwxlXBgpGK2cIc/s1600/Screen+Shot+2018-09-28+at+1.31.11+PM.png" imageanchor="1"><img border="0" height="406" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiw7n8DwfBENT2IHql4F-SsqEIH-2HPOvWYZDFLU9Og-yUqbIJ6pYHzTgeGPY7UEybSDsgHTHGTZgb_BfnKPzgdJ60ZN4ZAYHEo-Bdq_ouo2kO6issaflOumucNX4RZz_MwxlXBgpGK2cIc/s640/Screen+Shot+2018-09-28+at+1.31.11+PM.png" width="640" /></a><br />
<br />
<br />
<h2>
Putting Them Both Together </h2>
<div>
<br /></div>
<span style="color: #9fc5e8;">With REST API keys and certificate in hand, we can begin the integration of vIDM with AirWatch. Log into vIDM as a tenant admin. Then, from within the admin console, navigate to Identity And Access Management --> Setup --> AirWatch. For the API URL, enter your console URL. Upload the certificate you just downloaded. Enter the API keys you created earlier. Finally, enter your Group ID and hit Save. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC41d3Z2u0j1rHicc_mzGOf-RajWcFtbVnP-hCMC1ZDeLgty5d6K6No-RGQM_plV7qwTIoWCDXrxps29xc3Ns5ymhhCKv0XwBn4sVjVjSSECGWKTj8eOfozQlV8VGkpDHSU0HMR-pD8_xb/s1600/Screen+Shot+2018-09-22+at+9.36.28+AM.png" imageanchor="1"><img border="0" height="420" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC41d3Z2u0j1rHicc_mzGOf-RajWcFtbVnP-hCMC1ZDeLgty5d6K6No-RGQM_plV7qwTIoWCDXrxps29xc3Ns5ymhhCKv0XwBn4sVjVjSSECGWKTj8eOfozQlV8VGkpDHSU0HMR-pD8_xb/s640/Screen+Shot+2018-09-22+at+9.36.28+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Scroll down and select the option to integrate catalogs from AirWatch and vIDM. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0b0DJmVjl7KNHo4nucS-YFQ1ef4eA15UfQ664B53K9ycfXRpEsy5wBrLOpU3UiWW4T_hGvWplsYweS5LRbc43M5gWB5pZ59TsVD7b-tNWUHDZnWBXS51UIDtNHs_t5vy9JVvrbPO6b7A6/s1600/Screen+Shot+2018-09-21+at+9.44.46+PM.png" imageanchor="1"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0b0DJmVjl7KNHo4nucS-YFQ1ef4eA15UfQ664B53K9ycfXRpEsy5wBrLOpU3UiWW4T_hGvWplsYweS5LRbc43M5gWB5pZ59TsVD7b-tNWUHDZnWBXS51UIDtNHs_t5vy9JVvrbPO6b7A6/s640/Screen+Shot+2018-09-21+at+9.44.46+PM.png" width="640" /></a><br />
<br />
<h2>
A Unified Self Service Console </h2>
<br />
<span style="color: #9fc5e8;">The immediate benefit of this initial integration between AirWatch and vIDM is a unified self-service catalog. There's a single self-service portal for subscribing to native mobile apps from AirWatch as well as web and virtual apps from vIDM. If you're logged into the Workspace One mobile app on a device you've enrolled, you'll see options both to install mobile apps and to bookmark your web and virtual apps in the Workspace One portal. When logged into my older iPad, I can see the Horizon virtual desktop I'm entitled to through vIDM alongside the mobile apps I've been assigned through AirWatch.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy2Y7aakV-l0BCRhCM2FODjcjDKqkoG2C_SC5MAmn87YcDDyBU3bbMU7gMSXnkOJ7p0XaXOmc-Vg6KEMMTFH5J4ZslHXafSFWjxKjBL5Z2NWyuCFa6UFjFsVEWoUPNj3KD5az8_iAKbX3y/s1600/IMG_0060.jpg" imageanchor="1"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy2Y7aakV-l0BCRhCM2FODjcjDKqkoG2C_SC5MAmn87YcDDyBU3bbMU7gMSXnkOJ7p0XaXOmc-Vg6KEMMTFH5J4ZslHXafSFWjxKjBL5Z2NWyuCFa6UFjFsVEWoUPNj3KD5az8_iAKbX3y/s640/IMG_0060.jpg" width="640" /></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Whether I'm on my laptop or mobile device, I follow the same basic process for entitling myself to apps that are relevant to my underlying form factor.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">The next step in the integration between AirWatch and vIDM enables conditional access based on device compliance. A prerequisite for enabling device compliance is to set up and configure the Mobile SSO for iOS authentication method, something I detail in this next post, <a href="http://www.evengooder.com/2018/10/configuring-mobile-sso-for-ios-in.html">Configuring Mobile SSO For iOS In Workspace One UEM (AirWatch)</a>. </span><br />
<br />EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com0tag:blogger.com,1999:blog-7411363718337372107.post-21321253945468626162018-10-06T21:04:00.003-07:002021-03-11T16:45:36.754-08:00Integrating A Cloud Instance Of VMware Identity Manager With On Premise Horizon<h2>
</h2>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3O1S1pXNAAM4MgMRTl8t3CyCo1ud9RhFG7UywHnTvsbfMJSASO9xhyphenhyphenyAg_y3tAhn3Dd5MdH5X2x_wIRjbIdis8VKMpQOp3mEUV7lnKMgQOCDiwZ5YMx1AL5XkJe3xv-rGB-zCIYihhZoR/s1600/Screen+Shot+2018-09-22+at+5.06.45+PM.png"><img border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3O1S1pXNAAM4MgMRTl8t3CyCo1ud9RhFG7UywHnTvsbfMJSASO9xhyphenhyphenyAg_y3tAhn3Dd5MdH5X2x_wIRjbIdis8VKMpQOp3mEUV7lnKMgQOCDiwZ5YMx1AL5XkJe3xv-rGB-zCIYihhZoR/s640/Screen+Shot+2018-09-22+at+5.06.45+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Once a vIDM Connector is successfully deployed on premises and integrated with a customer's Active Directory environment, integrating with Horizon is relatively straightforward. For guidance on getting the vIDM Connector deployed and integrated with AD, check out this previous post, <a href="https://www.evengooder.com/2018/10/integrating-cloud-instance-of-vmware_6.html" target="_blank">Integrating A SaaS Instance Of VMware Identity Manager With On Premise Active Directory</a>.</span><br />
<br />
<h2>
Preparing The Horizon Connection Server</h2>
<br />
<span style="color: #9fc5e8;">Prior to syncing the vIDM Connector with the Horizon environment, the Horizon Connection Server must have SAML authentication enabled and a SAML authenticator created. Within Horizon Administrator, navigate to View Configuration --> Servers --> Connection Servers. Select the Connection Server you want to integrate vIDM with and select Edit.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzZ4aqBBebWVn1j_AvhqijBI77P4ltOh2jsmYs-sniYEh51Um5M6YQP9OHcNkOMvk8BC0MmkqgdpF1CoWle3_5wrVJHnnkLvJERezXNuPCH7JufQ4io-h5tBBxQ2hF3Eg-zFFbVIVzrmQZ/s1600/Screen+Shot+2018-09-26+at+8.04.54+PM.png"><img border="0" height="438" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzZ4aqBBebWVn1j_AvhqijBI77P4ltOh2jsmYs-sniYEh51Um5M6YQP9OHcNkOMvk8BC0MmkqgdpF1CoWle3_5wrVJHnnkLvJERezXNuPCH7JufQ4io-h5tBBxQ2hF3Eg-zFFbVIVzrmQZ/s640/Screen+Shot+2018-09-26+at+8.04.54+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Then select the Authentication tab. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMvLuUeP_Z5Jpoqn52ZZuLezOZuqwo8YNIFixPmfNRVt0efumjo0I97d5PzENrUiNUxqAQRPFhRdDBP_6gmWaG7cvBSVZ8KBXm0jWNDu2q5fKYW7KHtfcyf6dGu8HL-kqRGkKQG3uTUYgU/s1600/Screen+Shot+2018-09-26+at+8.06.56+PM.png"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMvLuUeP_Z5Jpoqn52ZZuLezOZuqwo8YNIFixPmfNRVt0efumjo0I97d5PzENrUiNUxqAQRPFhRdDBP_6gmWaG7cvBSVZ8KBXm0jWNDu2q5fKYW7KHtfcyf6dGu8HL-kqRGkKQG3uTUYgU/s640/Screen+Shot+2018-09-26+at+8.06.56+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Select Allowed or Required for the, "Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator)." Then click on, "Manage SAML Authenticators."</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeG_Slw3vMwRjxL4q8TNaSkuTAmXlULBFmemnfpo4wcUgbJvIRkGozgy-9p7jFWcSyvHKLEqYTtZdnWSIpRCaCC96uLYngCiBXwXduWD_OJ9OxokhJlS9B6yeJzSOe3oiExy9-iRS7yeto/s1600/Screen+Shot+2018-09-26+at+8.10.27+PM.png"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeG_Slw3vMwRjxL4q8TNaSkuTAmXlULBFmemnfpo4wcUgbJvIRkGozgy-9p7jFWcSyvHKLEqYTtZdnWSIpRCaCC96uLYngCiBXwXduWD_OJ9OxokhJlS9B6yeJzSOe3oiExy9-iRS7yeto/s640/Screen+Shot+2018-09-26+at+8.10.27+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">From there, click the Add button to create a new SAML authenticator.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5lA8Q5dwlnoSPVQ6TbYR73m-scykA1Ug02J6hMfIDOc7o74qwGi-0hpLJJqFdfkIrhJJzdH9oHl3aoYagrVXSVuKlfLVw07Q69hMLRSx_Snvo6RfWSulNhgQwmPOqwLi7e4mpr8YvyQOQ/s1600/Screen+Shot+2018-09-26+at+8.12.23+PM.png"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5lA8Q5dwlnoSPVQ6TbYR73m-scykA1Ug02J6hMfIDOc7o74qwGi-0hpLJJqFdfkIrhJJzdH9oHl3aoYagrVXSVuKlfLVw07Q69hMLRSx_Snvo6RfWSulNhgQwmPOqwLi7e4mpr8YvyQOQ/s640/Screen+Shot+2018-09-26+at+8.12.23+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">The metadata URL is already pre-populated for you. You need to enter your vIDM instance URL in place of &lt;YOUR SAML AUTHENTICATOR NAME&gt;. My vIDM instance is https://justinjohnson.vmwareidentity.com, so my entry looks like this:</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTveUZ5bhHdttGcUokUKLukdIiMMvlJqJce4kHh1-q68N8lWwOrTCEGEsD6IP_4yydRkTrEMQw5TeOQu5egPXtfSF1nWLGxRi9-k0clfN0rm91WF1R2j6MfTKjy30wEdtpnHk_n-u8Zka2/s1600/Screen+Shot+2018-09-26+at+8.17.13+PM.png"><img border="0" height="380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTveUZ5bhHdttGcUokUKLukdIiMMvlJqJce4kHh1-q68N8lWwOrTCEGEsD6IP_4yydRkTrEMQw5TeOQu5egPXtfSF1nWLGxRi9-k0clfN0rm91WF1R2j6MfTKjy30wEdtpnHk_n-u8Zka2/s640/Screen+Shot+2018-09-26+at+8.17.13+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Click OK and then Save. If all goes well, you'll get a message box indicating the vIDM server's identity has been verified. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5XgyF3jQMEuNyObz7N6_RngXgTvreG-LROwMTmNgvCs5ESao-BrfR37TKzBA3jo1jnKjquFcyweidsZvYyjejbYhkEWHZGlOd7v8RVqXD5HlcNxwRFo2wzo_SNB03i3ZbwoRXYA6HZifw/s1600/Screen+Shot+2018-09-26+at+8.20.03+PM.png"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5XgyF3jQMEuNyObz7N6_RngXgTvreG-LROwMTmNgvCs5ESao-BrfR37TKzBA3jo1jnKjquFcyweidsZvYyjejbYhkEWHZGlOd7v8RVqXD5HlcNxwRFo2wzo_SNB03i3ZbwoRXYA6HZifw/s640/Screen+Shot+2018-09-26+at+8.20.03+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Okay your way out of the dialog boxes and confirm your new authenticator is selected, then click okay a final time.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxGPekakmbPXu42f0CgtdXWwQUaHfs0oRM8o8r3WOCoeSjm2tzv12iyEglYMdoPHzgOQpgAkc5_rGSS18IglhK2wmn2MBFa4ncXVqhKgMsPnvyXRFaF_kKNhwE1DEzpATnmPY9quzMtE4b/s1600/Screen+Shot+2018-09-26+at+8.21.37+PM.png"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxGPekakmbPXu42f0CgtdXWwQUaHfs0oRM8o8r3WOCoeSjm2tzv12iyEglYMdoPHzgOQpgAkc5_rGSS18IglhK2wmn2MBFa4ncXVqhKgMsPnvyXRFaF_kKNhwE1DEzpATnmPY9quzMtE4b/s640/Screen+Shot+2018-09-26+at+8.21.37+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">The next step is to create a Virtual App Configuration in vIDM.</span><br />
<br />
<h2>
Creating A Virtual App Collection On vIDM </h2>
<br />
<span style="color: #9fc5e8;">Now that the Horizon Connection server is ready, log into the Administrator console of vIDM. Click on Catalog --> Virtual Apps.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkhFr9rItY_rOAXRz5FTSQS1b-PBFSRNhog16sirwfyoY4vCPEAgLpYM7x63jQcyzUVt0f3CH6n6GaXn-zjO3d5K0BLFW3O83_OoxwKuJXXdN3LnCnyuQAHxl3RBU11lJ7tr8D9LoXi7Bh/s1600/Screen+Shot+2018-09-26+at+8.29.28+PM.png"><img border="0" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkhFr9rItY_rOAXRz5FTSQS1b-PBFSRNhog16sirwfyoY4vCPEAgLpYM7x63jQcyzUVt0f3CH6n6GaXn-zjO3d5K0BLFW3O83_OoxwKuJXXdN3LnCnyuQAHxl3RBU11lJ7tr8D9LoXi7Bh/s640/Screen+Shot+2018-09-26+at+8.29.28+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">From there, click on Virtual App Configuration.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMvoKWCuZNCmHWhY0DACPyWuSnCnKuqPTgcc83jA_fMwu96mEH9SK5h3uDNjXTdUhAeemnfPkzUvBD_sX1Bo6Gw3xDyJu5fQhhYe05IiILAKAnL_8fKbHQBl7JJy5SuRerf48QNdQ-Kd-3/s1600/Screen+Shot+2018-09-26+at+8.30.37+PM.png"><img border="0" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMvoKWCuZNCmHWhY0DACPyWuSnCnKuqPTgcc83jA_fMwu96mEH9SK5h3uDNjXTdUhAeemnfPkzUvBD_sX1Bo6Gw3xDyJu5fQhhYe05IiILAKAnL_8fKbHQBl7JJy5SuRerf48QNdQ-Kd-3/s640/Screen+Shot+2018-09-26+at+8.30.37+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">You'll see a button, "Add Virtual Apps." Click on it and select, "Horizon View On-Premises." </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLgv86h27grD2gtel-SyvxiYO_oBOZWFsGHJ2QWonR2zUG-gUacuFOoV21f2Vhyxt-GkE63ZIx2Y3T2wr3uT-NzUl4Bm2zC7k69BY37BoDxpyRajtXfJCk4r89YPKn-oWjUnDw_a2gb5Ze/s1600/no_tennant.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLgv86h27grD2gtel-SyvxiYO_oBOZWFsGHJ2QWonR2zUG-gUacuFOoV21f2Vhyxt-GkE63ZIx2Y3T2wr3uT-NzUl4Bm2zC7k69BY37BoDxpyRajtXfJCk4r89YPKn-oWjUnDw_a2gb5Ze/s640/no_tennant.png" width="640" /></a></div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Next, add a name for this Virtual App Configuration. Select the recently created vIDM Connector as the Sync Connector. Also enter the name of your Horizon Connection Server and admin credentials for that environment. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghqmaBvb_Y3u74jPthyoujdGzRQ3hp2gFxeISizX0tu_iLpAdBHb2DjWalWILWlTkPE1JtFCIWLUra07IjA0YS4S2GLYkq7WfD0AtA2OU2D9istW_-jBGZ97n7CYs3IQvYZuReDRFWzHhf/s1600/Screen+Shot+2018-09-26+at+8.33.59+PM.png"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghqmaBvb_Y3u74jPthyoujdGzRQ3hp2gFxeISizX0tu_iLpAdBHb2DjWalWILWlTkPE1JtFCIWLUra07IjA0YS4S2GLYkq7WfD0AtA2OU2D9istW_-jBGZ97n7CYs3IQvYZuReDRFWzHhf/s640/Screen+Shot+2018-09-26+at+8.33.59+PM.png" width="600" /></a><br />
<br />
<span style="color: #9fc5e8;">Enable any other policies you want enabled, then select Save. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_aMDGISKTwXRYjDaFB65vaHQIPDFYJFQdqhC1K-R30DnbV6xdfvfUpeWJHbd3PxLKKbCaY-jOowN3PnVjdr13uvO_PohYSTUhym2DbsOiq-GfawHfuDaLfUQoR8s0_iQCFckZgjgTLlRG/s1600/Screen+Shot+2018-09-26+at+8.35.07+PM.png"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_aMDGISKTwXRYjDaFB65vaHQIPDFYJFQdqhC1K-R30DnbV6xdfvfUpeWJHbd3PxLKKbCaY-jOowN3PnVjdr13uvO_PohYSTUhym2DbsOiq-GfawHfuDaLfUQoR8s0_iQCFckZgjgTLlRG/s640/Screen+Shot+2018-09-26+at+8.35.07+PM.png" width="584" /></a><br />
<br />
<span style="color: #9fc5e8;">Now, you'll see this new configuration show up under Virtual App Configuration.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKTFElNxpQg-C67SCmnODcPGgq5GcJvKFxiITGM0QMbNxnBEEU11TQ0JjY_Hr3bi6nuL77Rc5UeMFWokIkVTu0mqTaH45XiRaB9H4U8QSWWW3Km9WCKEAmJUeHQDL-ZPWtTkEOCZ4DzQXq/s1600/Screen+Shot+2018-09-26+at+8.37.20+PM.png"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKTFElNxpQg-C67SCmnODcPGgq5GcJvKFxiITGM0QMbNxnBEEU11TQ0JjY_Hr3bi6nuL77Rc5UeMFWokIkVTu0mqTaH45XiRaB9H4U8QSWWW3Km9WCKEAmJUeHQDL-ZPWtTkEOCZ4DzQXq/s640/Screen+Shot+2018-09-26+at+8.37.20+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Click on Sync.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwH5c5MsOhD7ymN4FC95H1w7pq9BjJYYheEWF7IfeQIjWdULrc0Jn-0ZvJd40K-5iju1_wrT-1gt7uTNxRug5zNqYK7VVzF-ki6z6KRKmXIrLTCDVkXRpw1qcGWTrGmdT1UMpqCIY6S9G7/s1600/Screen+Shot+2018-09-26+at+8.38.15+PM.png"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwH5c5MsOhD7ymN4FC95H1w7pq9BjJYYheEWF7IfeQIjWdULrc0Jn-0ZvJd40K-5iju1_wrT-1gt7uTNxRug5zNqYK7VVzF-ki6z6KRKmXIrLTCDVkXRpw1qcGWTrGmdT1UMpqCIY6S9G7/s640/Screen+Shot+2018-09-26+at+8.38.15+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">After performing a sync, return to Catalog --> Virtual Apps. You should see your Horizon entitlement(s). </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkuR8HuKvjj2hT5OuWWL4SVtQYwMFvrSLUdNf6FaQUckgK1LvScyvJsfe4Ks4VtEhyi3XIJNje10ZJDu2OQoIzNp-OIg-He7y5dS1poBotwAI1aRYqb9b3qcWoUDgrEZ4SewPTihCQLGv9/s1600/virtual_desktops.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkuR8HuKvjj2hT5OuWWL4SVtQYwMFvrSLUdNf6FaQUckgK1LvScyvJsfe4Ks4VtEhyi3XIJNje10ZJDu2OQoIzNp-OIg-He7y5dS1poBotwAI1aRYqb9b3qcWoUDgrEZ4SewPTihCQLGv9/s640/virtual_desktops.png" width="640" /></a></div>
<br />
<h2>
Leveraging Different Horizon Client Access URLs For Different Network Ranges</h2>
<br />
<span style="color: #9fc5e8;">A common requirement for vIDM implementations is to redirect users from different network ranges to different Horizon Connection Server URLs, for example so that internal users hit internal Connection Servers directly instead of going through an external Security Server or UAG appliance. This is fairly easy to configure in vIDM. First, navigate to Catalog --> Virtual Apps --> Virtual App Settings. There, you'll see any network ranges that have been configured for vIDM under Manage --> Policies. Here's a screenshot of where you configure the networks:</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8av4fsWazaMb_Tdf9GRaTRu4IXASEMSoCrWMg5Dc5bM_ue3LaUG1AsbDUNG-mTGQA50N_uq5cyjc0Kgm78DahbzdTuAZBG6uF7OcXrrmSm2rQ5Mtt0z2CEbHgjEJoImj00YotdiEnDYFp/s1600/Screen+Shot+2018-09-27+at+3.06.00+PM.png"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8av4fsWazaMb_Tdf9GRaTRu4IXASEMSoCrWMg5Dc5bM_ue3LaUG1AsbDUNG-mTGQA50N_uq5cyjc0Kgm78DahbzdTuAZBG6uF7OcXrrmSm2rQ5Mtt0z2CEbHgjEJoImj00YotdiEnDYFp/s640/Screen+Shot+2018-09-27+at+3.06.00+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">You'll see these very same network ranges under Virtual App Settings --> Network Settings.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKGiV0Kw0hQPwxHPT6A336jiVV57fSR2eJcF6ppXyhptBcaosFXKTD7JaJJd2VvVI2mINn1dN5CFbps7bU-NANKKNMkfNPdm3IvfLd4Ioz95egjeqjetAcd_sjw1OxZQanGwRCtCI-ZTv9/s1600/Screen+Shot+2018-09-27+at+3.08.16+PM.png"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKGiV0Kw0hQPwxHPT6A336jiVV57fSR2eJcF6ppXyhptBcaosFXKTD7JaJJd2VvVI2mINn1dN5CFbps7bU-NANKKNMkfNPdm3IvfLd4Ioz95egjeqjetAcd_sjw1OxZQanGwRCtCI-ZTv9/s640/Screen+Shot+2018-09-27+at+3.08.16+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">For my environment, uag.evengooder.com is the default client access URL. When clicking on the hyperlink for "ALL RANGES" in my environment, you'll see the following:</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcWeqJAn2OrYVunEmAaBROxB4WuXlnLU_YosNWzzrz_7Ph76RcauGS8ckuRaYb6dwmOA1gGANi9tmi1nQqFk5QXf3nChMlYLGxYpOBdzfZk4EYQn9UCKIhkhYhgmEfORmrClfG2CyEQUr4/s1600/Screen+Shot+2018-09-27+at+3.09.44+PM.png"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcWeqJAn2OrYVunEmAaBROxB4WuXlnLU_YosNWzzrz_7Ph76RcauGS8ckuRaYb6dwmOA1gGANi9tmi1nQqFk5QXf3nChMlYLGxYpOBdzfZk4EYQn9UCKIhkhYhgmEfORmrClfG2CyEQUr4/s640/Screen+Shot+2018-09-27+at+3.09.44+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">So everyone who isn't making a request from a defined scope will default to uag.evengooder.com. However, folks whose requests originate from my home lab, as defined by the "FromHome" network range, are redirected to my internal Horizon Connection Server, horizon.lab.local.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe6QeGY1IZGQ3lDx_T9i0BG5wmCPskjSQBj8CBI0QrsFkUoNt0JmcqYx-qEqEdi9piiDARySTrJ9pVmrDzlCVnNtM3waAk6W5n-uQHwchrFs_NogRBN3vHQoVEYudf78Ye2W-sIEZsGOL2/s1600/Screen+Shot+2018-09-27+at+3.12.15+PM.png"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe6QeGY1IZGQ3lDx_T9i0BG5wmCPskjSQBj8CBI0QrsFkUoNt0JmcqYx-qEqEdi9piiDARySTrJ9pVmrDzlCVnNtM3waAk6W5n-uQHwchrFs_NogRBN3vHQoVEYudf78Ye2W-sIEZsGOL2/s640/Screen+Shot+2018-09-27+at+3.12.15+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">One thing to note is that this functionality has a limitation when it comes to SaaS deployments of vIDM. A network range doesn't necessarily match the IP addresses that are directly assigned to endpoints; what matters is the source IP address the request carries when it reaches vIDM. So if an endpoint on an internal network connects through a NATted address, the source IP address vIDM sees for that endpoint is the NAT address, not the IP address assigned to the endpoint itself. To accommodate my lab, I used the external IP address of my router for my network scope, not my internal IP address. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3uUh6GogOCcWkyP6usoILbbYeDM3uiYoeCZHACMU8c-ZdI2eCK8SDvSfMp8ijz-JE_dlbSFp6bJct64rj2cB7ywUWNw2KQ8AA-_YutNNmKy-qIoamCO-sBdSnxrFWmn2D0882CYhDVpzQ/s1600/Screen+Shot+2018-09-27+at+3.18.09+PM.png"><img border="0" height="428" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3uUh6GogOCcWkyP6usoILbbYeDM3uiYoeCZHACMU8c-ZdI2eCK8SDvSfMp8ijz-JE_dlbSFp6bJct64rj2cB7ywUWNw2KQ8AA-_YutNNmKy-qIoamCO-sBdSnxrFWmn2D0882CYhDVpzQ/s640/Screen+Shot+2018-09-27+at+3.18.09+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Just something to keep in consideration when defining network scopes. If you absolutely need to base conditional access on the directly assigned IP address of your endpoints in an internal network, you'll need a vIDM instance that's set up within that trusted network.</span><br />
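To make the NAT caveat concrete, here is an added example (my own code, not from this post or from VMware) that models how a source IP is matched against network ranges to pick a client access URL. The range list, the first-match rule, and 203.0.113.10 standing in for the router's external address are all assumptions; what it shows is that a range defined on the endpoint's private subnet never matches from the SaaS side, while a range on the NAT egress address does.

```python
"""Model of network-range to Horizon client access URL selection.

Added example, not code from the blog post or from VMware. It models the
behaviour described above: a SaaS vIDM instance only sees the source IP a
request carries when it arrives, so an endpoint behind NAT is matched on
the NAT egress address, never on its own private address.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NetworkRange:
    name: str
    cidrs: List[ipaddress.IPv4Network]
    client_access_url: str


# Constructed policy mirroring the lab described in the post: "FromHome"
# sends users to the internal Connection Server, everything else falls back
# to the UAG. 203.0.113.10/32 is a placeholder (TEST-NET-3) for the home
# router's external IP, which is what the SaaS instance actually sees.
DEFAULT_CLIENT_ACCESS_URL = "https://uag.evengooder.com"
RANGES_ON_NAT_EGRESS = [
    NetworkRange(
        name="FromHome",
        cidrs=[ipaddress.ip_network("203.0.113.10/32")],
        client_access_url="https://horizon.lab.local",
    ),
]

# The mistake the post warns about: defining the range on the internal
# subnet the endpoints are actually assigned to.
RANGES_ON_PRIVATE_SUBNET = [
    NetworkRange(
        name="FromHome",
        cidrs=[ipaddress.ip_network("192.168.1.0/24")],
        client_access_url="https://horizon.lab.local",
    ),
]


def observed_source_ip(endpoint_ip: str, nat_egress_ip: Optional[str] = None) -> str:
    """Return the address the SaaS instance sees for a request.

    Assumption: an endpoint behind NAT is seen as the NAT egress address;
    an endpoint with a directly reachable address is seen as itself.
    """
    return nat_egress_ip if nat_egress_ip else endpoint_ip


def select_client_access_url(
    source_ip: str, ranges: List[NetworkRange]
) -> Tuple[str, str]:
    """Return (matched range name, client access URL) for a source IP.

    Assumption: ranges are evaluated in list order and the first CIDR match
    wins; with no match the request falls through to ALL RANGES.
    """
    addr = ipaddress.ip_address(source_ip)
    for rng in ranges:
        if any(addr in cidr for cidr in rng.cidrs):
            return rng.name, rng.client_access_url
    return "ALL RANGES", DEFAULT_CLIENT_ACCESS_URL


def resolve(
    endpoint_ip: str,
    ranges: List[NetworkRange],
    nat_egress_ip: Optional[str] = None,
) -> Tuple[str, str]:
    """End-to-end: what vIDM sees, then which URL that address selects."""
    return select_client_access_url(observed_source_ip(endpoint_ip, nat_egress_ip), ranges)


if __name__ == "__main__":
    # A home-lab desktop at 192.168.1.50 behind a NAT router at 203.0.113.10.
    print(resolve("192.168.1.50", RANGES_ON_NAT_EGRESS, "203.0.113.10"))
    print(resolve("192.168.1.50", RANGES_ON_PRIVATE_SUBNET, "203.0.113.10"))
```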
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">With both AirWatch and vIDM successfully integrated with your on premises environment, the next step is to integrate the two separate SaaS instances directly with each other. How to achieve this is the topic of my next post, </span><a href="http://www.evengooder.com/2018/10/integrating-cloud-instances-of.html">Integrating Cloud Instances Of Workspace One UEM (AirWatch) And VMware Identity Manager.</a><br />
<br />
<br />EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com0tag:blogger.com,1999:blog-7411363718337372107.post-47229464354881928562018-10-06T21:04:00.001-07:002018-10-29T22:51:31.526-07:00Integrating A Cloud Instance Of VMware Identity Manager With Active Directory<span style="color: #9fc5e8;">In a <a href="http://www.evengooder.com/2018/10/integrating-saas-deployment-of.html">previous post</a> I detailed how to integrate a local AD environment with a Cloud based instance of AirWatch using AirWatch Cloud Connector. For this post, I'm going to demonstrate how to integrate a local AD environment with a Cloud instance of vIDM using the VMware Identity Manager Connector. Getting vIDM Connector deployed and integrated with the local AD environment is a prerequisite for getting vIDM integrated with on premises Horizon.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgokckmBYCwixJUXAiukJ_QusjULq58wUO01isIsZqn8f0pNzMr35EHTeR4hUW9mBcLZquLH2ePGe066NUjUWSPRUOcR6rbcBHTQxlyDmZ8SeiXaFH2HP8XTmO9Uh0iJUh2P0N3wj_Ibyt4/s1600/Screen+Shot+2018-09-22+at+10.21.52+AM.png" imageanchor="1"><img border="0" height="484" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgokckmBYCwixJUXAiukJ_QusjULq58wUO01isIsZqn8f0pNzMr35EHTeR4hUW9mBcLZquLH2ePGe066NUjUWSPRUOcR6rbcBHTQxlyDmZ8SeiXaFH2HP8XTmO9Uh0iJUh2P0N3wj_Ibyt4/s640/Screen+Shot+2018-09-22+at+10.21.52+AM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Above is an excellent graphic detailing the capabilities of the VMware Identity Manager Connector. As with the AirWatch Cloud Connector, it allows for a successful integration between your on premises environment and the SaaS environment without having to poke holes in any firewalls. All that's required for the integration between the vIDM SaaS instance and the vIDM Connector is outbound 443 connectivity from the vIDM Connector to the SaaS instance of vIDM.</span><br />
<div>
<br /></div>
<h2>
Installing The vIDM Connector</h2>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Hop on your target Windows server for the vIDM Connector and run the Windows based installer. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUv6OzD-b5dlsX22v8g96gJx1MCxHj_58_gkue1zv9B2n8OJy87mBqIweqJqs27QBOUAcrqVKglGqZOYMRVRz6tgEdEfJ7j7p7zgXQSede49Ej7VlD-W8yHrpZo9yIgZg19ZeUx9tg30kF/s1600/Screen+Shot+2018-10-29+at+8.44.48+PM.png" imageanchor="1"><img border="0" height="318" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUv6OzD-b5dlsX22v8g96gJx1MCxHj_58_gkue1zv9B2n8OJy87mBqIweqJqs27QBOUAcrqVKglGqZOYMRVRz6tgEdEfJ7j7p7zgXQSede49Ej7VlD-W8yHrpZo9yIgZg19ZeUx9tg30kF/s640/Screen+Shot+2018-10-29+at+8.44.48+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Click next on the welcome screen.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgClrjt_Nx2bTCoVfatuWL6clkK_vwDBKQmYm3xkG5NY4fOVLxCjlfA67IZ1K1poIbB2dxjPhiHCtR5humGPSx1gs1DPqGer_mRHosom3tGvHtj34iRUPWzWkMr2udkGoks9k3wSToKuhTn/s1600/Screen+Shot+2018-10-29+at+8.47.38+PM.png" imageanchor="1"><img border="0" height="490" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgClrjt_Nx2bTCoVfatuWL6clkK_vwDBKQmYm3xkG5NY4fOVLxCjlfA67IZ1K1poIbB2dxjPhiHCtR5humGPSx1gs1DPqGer_mRHosom3tGvHtj34iRUPWzWkMr2udkGoks9k3wSToKuhTn/s640/Screen+Shot+2018-10-29+at+8.47.38+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Select the default destination folder.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjtyZhn9kH2E4rr3t7wWMRnUu17BkuBj9Mnafpfw01rs-Q2EWY8DPbqjCnq4XQnyDtlpWjwkklfuBt6gfxJI56p4_rvqVwqTqFuGK4nyvLDtmgiaIpOEZeunGPmET0BZDoGRvIJbYeRZZU/s1600/Screen+Shot+2018-10-29+at+8.48.02+PM.png" imageanchor="1"><img border="0" height="488" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjtyZhn9kH2E4rr3t7wWMRnUu17BkuBj9Mnafpfw01rs-Q2EWY8DPbqjCnq4XQnyDtlpWjwkklfuBt6gfxJI56p4_rvqVwqTqFuGK4nyvLDtmgiaIpOEZeunGPmET0BZDoGRvIJbYeRZZU/s640/Screen+Shot+2018-10-29+at+8.48.02+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Enter a hostname for this Connector server. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKLKCRzXXa1gztzWAmDA_Un58wsWZUv9w5v73VoIoDUiRP_LEnT1mbIWb_dPa2z-R4IfuK5gsdL4nTWMJfCRbQ1oEd_fVS8EGT5JBMzVPpiBRWCVsSvoihhptpMxL6O35jBk7c7aUYVVd7/s1600/Screen+Shot+2018-10-29+at+8.54.41+PM.png" imageanchor="1"><img border="0" height="488" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKLKCRzXXa1gztzWAmDA_Un58wsWZUv9w5v73VoIoDUiRP_LEnT1mbIWb_dPa2z-R4IfuK5gsdL4nTWMJfCRbQ1oEd_fVS8EGT5JBMzVPpiBRWCVsSvoihhptpMxL6O35jBk7c7aUYVVd7/s640/Screen+Shot+2018-10-29+at+8.54.41+PM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Skip the outbound proxy configuration unless it's relevant for you. At the next screen, specify that you want to run the connector service as a domain user account and enter the relevant credentials. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibGabQkb7azMywLOTjtd5U7GNv0wWazKR0q8b0mAYEoei4hvSic_88orqfT1wYSddmlTldAQSe2FVvYS9d6VdKeX7HCNdTHWnxcN9HDxIcYTVGqGI6ShXuIQuxJsA8v6r3KyDn9tg0_Q-9/s1600/Screen+Shot+2018-10-29+at+8.56.54+PM.png" imageanchor="1"><img border="0" height="488" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibGabQkb7azMywLOTjtd5U7GNv0wWazKR0q8b0mAYEoei4hvSic_88orqfT1wYSddmlTldAQSe2FVvYS9d6VdKeX7HCNdTHWnxcN9HDxIcYTVGqGI6ShXuIQuxJsA8v6r3KyDn9tg0_Q-9/s640/Screen+Shot+2018-10-29+at+8.56.54+PM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Click on the install button to begin the installation. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC2vLyom4DMuV0-hNIzHRUXxiETr4qFLQiD0s68vMx7CTLSB4qquOmweJBfzh-mzK6Axn-Tm-QOdUOabJdHH312_AayrE_3sT8zaaMxSct7__rTvsDisq15sMQousScLErlxVB6bN8EBEF/s1600/Screen+Shot+2018-10-29+at+8.58.13+PM.png" imageanchor="1"><img border="0" height="488" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiC2vLyom4DMuV0-hNIzHRUXxiETr4qFLQiD0s68vMx7CTLSB4qquOmweJBfzh-mzK6Axn-Tm-QOdUOabJdHH312_AayrE_3sT8zaaMxSct7__rTvsDisq15sMQousScLErlxVB6bN8EBEF/s640/Screen+Shot+2018-10-29+at+8.58.13+PM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Upon successful completion you'll see the "Installation Wizard Completed" message. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYsfiumAMSM7bKqp69kpekRo_Qpfq7UehJ36b-gLw7z1ni1zL01cJDCU77FwfxJtvEr6BnXMKV1kqC46BJRRMNcdQzj9f32iCqphPx1XM52WjsNxJMW9B6aCzsBDNxeK5ame1UGy3huAhj/s1600/Screen+Shot+2018-10-29+at+9.01.18+PM.png" imageanchor="1"><img border="0" height="494" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYsfiumAMSM7bKqp69kpekRo_Qpfq7UehJ36b-gLw7z1ni1zL01cJDCU77FwfxJtvEr6BnXMKV1kqC46BJRRMNcdQzj9f32iCqphPx1XM52WjsNxJMW9B6aCzsBDNxeK5ame1UGy3huAhj/s640/Screen+Shot+2018-10-29+at+9.01.18+PM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">After clicking Finish, a message box offers guidance on configuring the connector. Choose Yes to have the configuration page loaded automatically for you. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDEC93DHjpMuihon82UITQKcF0RvEWuU1-GVKOQI6x-bxL9VZBX91KjVBiM4jg-Ll59daT4u7Nh883VEo2KoMorvSyheKNawSELiPwo2ffsGmO0KM3sh_IwHatG8VnPVgjx1aPN2ea9_CD/s1600/Screen+Shot+2018-10-29+at+9.01.46+PM.png" imageanchor="1"><img border="0" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDEC93DHjpMuihon82UITQKcF0RvEWuU1-GVKOQI6x-bxL9VZBX91KjVBiM4jg-Ll59daT4u7Nh883VEo2KoMorvSyheKNawSELiPwo2ffsGmO0KM3sh_IwHatG8VnPVgjx1aPN2ea9_CD/s640/Screen+Shot+2018-10-29+at+9.01.46+PM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Click next.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKELqSdUV9UPaCaPOaten8wGCEJdHLFkgNS7jv8uWfgoPycuR9aIPWiiZ5e8MjbP4pqhPv_jcNaqFVDfqDh4RyS4oJzO67-pj2rzddd0EWfL-xuFUrUTCmPzQ7LfxIrsZv2zyKcTNuyGcj/s1600/Screen+Shot+2018-10-29+at+9.04.19+PM.png" imageanchor="1"><img border="0" height="274" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKELqSdUV9UPaCaPOaten8wGCEJdHLFkgNS7jv8uWfgoPycuR9aIPWiiZ5e8MjbP4pqhPv_jcNaqFVDfqDh4RyS4oJzO67-pj2rzddd0EWfL-xuFUrUTCmPzQ7LfxIrsZv2zyKcTNuyGcj/s640/Screen+Shot+2018-10-29+at+9.04.19+PM.png" width="640" /></a></span><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">Set an admin password for the connector. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBLo-59ZpgUY8hvKwxZ4EAYi6ZhTvtoAYNVwruqx3XzFzWxNWjyNMYGQUnPfILGWepudXRzPockEsNFA1219CNzhII47F606REBCETHkv3w85-GjsmbhbLIkx3d_yWEAicAc8tVA_3wE73/s1600/Screen+Shot+2018-10-29+at+9.05.15+PM.png" imageanchor="1"><img border="0" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBLo-59ZpgUY8hvKwxZ4EAYi6ZhTvtoAYNVwruqx3XzFzWxNWjyNMYGQUnPfILGWepudXRzPockEsNFA1219CNzhII47F606REBCETHkv3w85-GjsmbhbLIkx3d_yWEAicAc8tVA_3wE73/s640/Screen+Shot+2018-10-29+at+9.05.15+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">At the next screen you'll be prompted for an activation code, which you need to grab from the cloud-based vIDM instance.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuNiW4vBrlhnHIKoUYJokeXbLBs-uX7fsvy0vevYaPCRcq3fUG8KlJML-KxrUgPRnC1s_sWSaup9HCbabHz7-4-K3Ub4gu8TfAyyLza_szjJlfbkCjX9NF-oU770pwWHRtGFX7IdEUPwxh/s1600/Screen+Shot+2018-10-29+at+9.06.10+PM.png" imageanchor="1"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuNiW4vBrlhnHIKoUYJokeXbLBs-uX7fsvy0vevYaPCRcq3fUG8KlJML-KxrUgPRnC1s_sWSaup9HCbabHz7-4-K3Ub4gu8TfAyyLza_szjJlfbkCjX9NF-oU770pwWHRtGFX7IdEUPwxh/s640/Screen+Shot+2018-10-29+at+9.06.10+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Log into your vIDM environment. Navigate to Identity & Access Management --> Setup --> Connectors. You'll see the unactivated connector. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjRosscmolN9ojLC-DH75fRUotcPyERJod5GLFhq8pO-WQyclXNo_PgLB2kEsT-1DVxb-9bNfL0ZAmDEZHUdMCveE_6EUacIk6ax_wdIs5IoIAb_Pal8XoCVAvedSEWCqhxmKzw2IfMw7A/s1600/Screen+Shot+2018-10-29+at+9.08.32+PM.png" imageanchor="1"><img border="0" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjRosscmolN9ojLC-DH75fRUotcPyERJod5GLFhq8pO-WQyclXNo_PgLB2kEsT-1DVxb-9bNfL0ZAmDEZHUdMCveE_6EUacIk6ax_wdIs5IoIAb_Pal8XoCVAvedSEWCqhxmKzw2IfMw7A/s640/Screen+Shot+2018-10-29+at+9.08.32+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Click on the view activation code option.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-SQFxPiLMjtz2piRPBeUlo6ISCUechGTA6W6SZiNpGypSeeKFedoUYibOZvbegtDQdPOjtJbxg_B-vrWvQDNZWPDC1FjUQg5eMgcc6gMVGNjaJF28-o_ERBASofJ61D6tM1qYwOEI418o/s1600/Screen+Shot+2018-09-22+at+12.41.30+PM.png" imageanchor="1"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-SQFxPiLMjtz2piRPBeUlo6ISCUechGTA6W6SZiNpGypSeeKFedoUYibOZvbegtDQdPOjtJbxg_B-vrWvQDNZWPDC1FjUQg5eMgcc6gMVGNjaJF28-o_ERBASofJ61D6tM1qYwOEI418o/s640/Screen+Shot+2018-09-22+at+12.41.30+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">You're going to cut and paste this activation code back into the connector setup wizard. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihRpna5klRAyRyxy9JfIyddGw1C9C3zfYPJuAJp2jp6bEZL0OJKEYLZ_YanK5YPJMCT24YrHLllks83c2chNY8RPaamFGyD2-XZEZNxJRMES36ysqtqT18mYRaZyN9SP7c53RjcrKIrAvN/s1600/Screen+Shot+2018-10-29+at+9.10.01+PM.png" imageanchor="1"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihRpna5klRAyRyxy9JfIyddGw1C9C3zfYPJuAJp2jp6bEZL0OJKEYLZ_YanK5YPJMCT24YrHLllks83c2chNY8RPaamFGyD2-XZEZNxJRMES36ysqtqT18mYRaZyN9SP7c53RjcrKIrAvN/s640/Screen+Shot+2018-10-29+at+9.10.01+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">If things go well, you'll get the, "Setup is complete," message. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit6LVMBk_G5Udn5DBw61YMjLG3PaYrt9d_JNqgTPKqZBzmUGwgfvBcmqmqvYElBeTkJeNO5d1FwPkOId82oAcuCH-U6alAFHtk8iDCK7dpaFu3o4Wpx8uzapr5PF3bIq5swe8Yn0Nlwyb6/s1600/Screen+Shot+2018-10-29+at+9.12.09+PM.png" imageanchor="1"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit6LVMBk_G5Udn5DBw61YMjLG3PaYrt9d_JNqgTPKqZBzmUGwgfvBcmqmqvYElBeTkJeNO5d1FwPkOId82oAcuCH-U6alAFHtk8iDCK7dpaFu3o4Wpx8uzapr5PF3bIq5swe8Yn0Nlwyb6/s640/Screen+Shot+2018-10-29+at+9.12.09+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Now under Connectors within the vIDM admin console you'll see more info populated about the connector.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQKyPCf_henswwjCBPfEuUzgsxUqtoGjjPlELljvBpLpn6g40Z-ZevfvdRFKJNxP7eue8vuBOd2dOf8I7ljGtUYh3GB6SKqHzcjyCWWUiWO6JoVJy3AMT_4qOMEp2RYcQfpj5WkvjM89N8/s1600/Screen+Shot+2018-10-29+at+9.13.19+PM.png" imageanchor="1"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQKyPCf_henswwjCBPfEuUzgsxUqtoGjjPlELljvBpLpn6g40Z-ZevfvdRFKJNxP7eue8vuBOd2dOf8I7ljGtUYh3GB6SKqHzcjyCWWUiWO6JoVJy3AMT_4qOMEp2RYcQfpj5WkvjM89N8/s640/Screen+Shot+2018-10-29+at+9.13.19+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Next, we have to associate this connector with a directory.</span><br />
<br />
<h2>
Binding To Your Local Active Directory Environment </h2>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Before creating your AD directory, ensure you have the following attributes enabled under your user settings. If you don't set this properly ahead of time, you won't be able to change it after creating the directory. (To change the enabled attributes later, you'd have to blow the directory away and recreate it, so take care of it properly ahead of time.)</span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQbN1jDFYjTATbtPj2y5VC8M5x7wu4u5RFUdpgWgtz5AEN7xzIdZXiKs1KZHE6LuB3bNtQApyGZErk5mFS4ObdvXlcc-RtqI5yalW_S1QC8AEyg1Z3blT-AUnZC1YAJsRBG4caCAmOfkSO/s1600/Screen+Shot+2018-09-26+at+2.59.44+PM.png" imageanchor="1"><img border="0" height="448" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQbN1jDFYjTATbtPj2y5VC8M5x7wu4u5RFUdpgWgtz5AEN7xzIdZXiKs1KZHE6LuB3bNtQApyGZErk5mFS4ObdvXlcc-RtqI5yalW_S1QC8AEyg1Z3blT-AUnZC1YAJsRBG4caCAmOfkSO/s640/Screen+Shot+2018-09-26+at+2.59.44+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">After confirming your attributes are straight, proceed to Identity & Access Management --> Manage --> Directories. </span><br />
<br /></div>
<div>
</div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8B2maqMbr0GBpjaHK84lvQq94p4UXMJ1NpAIpmumVj8AFC5hzwC7KfxDcbSNWWsy9B-p8J0pDmD9zwn-xHaaeSPDtWgfZG4fyuKtndG1MZnNSLb5r4DGCR63txJoB2mkz4sQclBmGnIjb/s1600/Screen+Shot+2018-09-26+at+3.02.03+PM.png" imageanchor="1"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8B2maqMbr0GBpjaHK84lvQq94p4UXMJ1NpAIpmumVj8AFC5hzwC7KfxDcbSNWWsy9B-p8J0pDmD9zwn-xHaaeSPDtWgfZG4fyuKtndG1MZnNSLb5r4DGCR63txJoB2mkz4sQclBmGnIjb/s640/Screen+Shot+2018-09-26+at+3.02.03+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Click Add Directory. </span></div>
<div>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOZUANPpig8hk06TNRxJORFMOWYQpffhulVWQIFL6SxmasPFlkLftC1Y-cnIDAd1cIYJW5mWUORB83qulYihOvpWnKSRKLmHwgmHU-rT1332sIqdbKbRWw1plXb8T8hfrv1Vf3ibZE4azL/s1600/Screen+Shot+2018-09-26+at+3.10.47+PM.png" imageanchor="1"><img border="0" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOZUANPpig8hk06TNRxJORFMOWYQpffhulVWQIFL6SxmasPFlkLftC1Y-cnIDAd1cIYJW5mWUORB83qulYihOvpWnKSRKLmHwgmHU-rT1332sIqdbKbRWw1plXb8T8hfrv1Vf3ibZE4azL/s640/Screen+Shot+2018-09-26+at+3.10.47+PM.png" width="640" /></a></div>
<div>
</div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Select the option for, "Add Active Directory over LDAP/IWA."</span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvQd4OzDz8vfOtGOHOZaTrMPuecIlFnzGosapGrztg5AJa9ejTlhQ8bIYkpZ2hSW3gKnawcAWVTZLd-cvRMVRXt5_gxTy46UB8D1Txnao-_YLE9jpaz5OExfMmYEkaEWcaVnEuOFdgn_GY/s1600/Screen+Shot+2018-09-26+at+3.25.18+PM.png" imageanchor="1"><img border="0" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvQd4OzDz8vfOtGOHOZaTrMPuecIlFnzGosapGrztg5AJa9ejTlhQ8bIYkpZ2hSW3gKnawcAWVTZLd-cvRMVRXt5_gxTy46UB8D1Txnao-_YLE9jpaz5OExfMmYEkaEWcaVnEuOFdgn_GY/s640/Screen+Shot+2018-09-26+at+3.25.18+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">Add the name of your directory. Ensure your vIDM Connector is selected as the Sync Connector. Choose Yes for "Do you want this Connector to also perform authentication." Then scroll down a bit and you'll be prompted for an account to bind with. Enter the bind account name in user principal name format, so something like username@your_domain.com. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiwDoeTyNgdu9hN_CWJPs1ZPseJnRHDG0HnQIIfOzKZKfppqZW9YfhhyTk3KBkKimlJChDy1wbIgI4NAsqCMmQTRp_wHBOJTgKj1vhp3NOiTL8TIeYwU0ctdf9W_KDcPyzA1Gni5U9xBu_/s1600/Screen+Shot+2018-09-26+at+3.27.42+PM.png" imageanchor="1"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiwDoeTyNgdu9hN_CWJPs1ZPseJnRHDG0HnQIIfOzKZKfppqZW9YfhhyTk3KBkKimlJChDy1wbIgI4NAsqCMmQTRp_wHBOJTgKj1vhp3NOiTL8TIeYwU0ctdf9W_KDcPyzA1Gni5U9xBu_/s640/Screen+Shot+2018-09-26+at+3.27.42+PM.png" width="640" /></a></div>
<div>
<br />
<span style="color: #9fc5e8;">Hit Save & Next. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl7XhsUdFon_UVhyATlkTcpHIxb10xTAZp5ROfraPo9OALNaeM6xliFJ6kGZEBZer3afYbdTFvrHGC5U_0tSanUelU7GGF7qStKRmouvPdvryxb7qVej9hhbzjxOFJ-GWBcQzayl6yxobU/s1600/Screen+Shot+2018-09-26+at+3.28.02+PM.png" imageanchor="1"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl7XhsUdFon_UVhyATlkTcpHIxb10xTAZp5ROfraPo9OALNaeM6xliFJ6kGZEBZer3afYbdTFvrHGC5U_0tSanUelU7GGF7qStKRmouvPdvryxb7qVej9hhbzjxOFJ-GWBcQzayl6yxobU/s640/Screen+Shot+2018-09-26+at+3.28.02+PM.png" width="640" /></a></div>
<br />
<span style="color: #9fc5e8;">Next, select the relevant domain. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8mCVdi6ZU5wMNfBenotJh7bmKr4stKuJOdh-0Nbopnk-I5AsPTbL52LjGn6qX_UBj77dj1pLYkYboYo_khxwvO9YJnXVPFk770k9zuV22YoB4d3YHtyxMUih_JB5Nhs-r2km8m52Qp5H2/s1600/Screen+Shot+2018-09-26+at+3.29.06+PM.png" imageanchor="1"><img border="0" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8mCVdi6ZU5wMNfBenotJh7bmKr4stKuJOdh-0Nbopnk-I5AsPTbL52LjGn6qX_UBj77dj1pLYkYboYo_khxwvO9YJnXVPFk770k9zuV22YoB4d3YHtyxMUih_JB5Nhs-r2km8m52Qp5H2/s640/Screen+Shot+2018-09-26+at+3.29.06+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Confirm proper attributes are selected. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk_7OlN7QGZXuL1EyJqA1hhZT4ASRTc_C7GsCZsdsdyXVwfZ8jq2iwcoy4E6UDOSSbs9eBXBCcJoWqi4URoR8KcHIbBgg9bZCtKb3qnY7mUv00RdP0V2gHODMvD90qSPsS2yBePxHu74cz/s1600/Screen+Shot+2018-09-26+at+3.29.51+PM.png" imageanchor="1"><img border="0" height="440" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk_7OlN7QGZXuL1EyJqA1hhZT4ASRTc_C7GsCZsdsdyXVwfZ8jq2iwcoy4E6UDOSSbs9eBXBCcJoWqi4URoR8KcHIbBgg9bZCtKb3qnY7mUv00RdP0V2gHODMvD90qSPsS2yBePxHu74cz/s640/Screen+Shot+2018-09-26+at+3.29.51+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Enter the group DNs to sync.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU3T9JDISTad5ZQ7zDglMfXK5E9UuMDKyQChF2sizy2-3Nn0ENodmFMSgZS3MKytmtGr-F0qvC98i6vc4IJJtRlIrmZuxQDCS1MHdylDl0_x7k54iYeeeGJ3kaiT1MEmfQxEKST7GVoLCq/s1600/Screen+Shot+2018-09-26+at+3.18.10+PM.png" imageanchor="1"><img border="0" height="442" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU3T9JDISTad5ZQ7zDglMfXK5E9UuMDKyQChF2sizy2-3Nn0ENodmFMSgZS3MKytmtGr-F0qvC98i6vc4IJJtRlIrmZuxQDCS1MHdylDl0_x7k54iYeeeGJ3kaiT1MEmfQxEKST7GVoLCq/s640/Screen+Shot+2018-09-26+at+3.18.10+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Enter the user DNs to sync. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTNWVEryKsd3aI3d1Uil2UPGJpSowA2tzOagDRKs5QYEk6RxS-pPgcSkYQEFnlPWgvv1OgYDv5r0D3IeNLToNb3vG_HKlGsTSTJh7kc9JHjzmXl7p6h1LxO54GRRqb73ZdvY4iscg0xg15/s1600/Screen+Shot+2018-09-26+at+3.18.26+PM.png" imageanchor="1"><img border="0" height="440" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTNWVEryKsd3aI3d1Uil2UPGJpSowA2tzOagDRKs5QYEk6RxS-pPgcSkYQEFnlPWgvv1OgYDv5r0D3IeNLToNb3vG_HKlGsTSTJh7kc9JHjzmXl7p6h1LxO54GRRqb73ZdvY4iscg0xg15/s640/Screen+Shot+2018-09-26+at+3.18.26+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Click on Sync Directory.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD7iBLGWymsGLT2axXoDNHa7xjtn3_m56wD_g1Z-MWAPEX3QW4W500czeFtUz__WQokEYLopS2mAYDVq801EwVt5Lt5zzBlREtrnVdJtg585voAHghH2eFpgouhJrMFkU3CV4_9GUYc4h4/s1600/Screen+Shot+2018-09-26+at+3.20.09+PM.png" imageanchor="1"><img border="0" height="346" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjD7iBLGWymsGLT2axXoDNHa7xjtn3_m56wD_g1Z-MWAPEX3QW4W500czeFtUz__WQokEYLopS2mAYDVq801EwVt5Lt5zzBlREtrnVdJtg585voAHghH2eFpgouhJrMFkU3CV4_9GUYc4h4/s640/Screen+Shot+2018-09-26+at+3.20.09+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Confirm the sync operation completed. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8FW4AUF7usMTqkrO_52GGRD2DawE92h_z95c7ixmuuPvoZ3kjVz8O122baDjmSbHjFYuL3t0xK2zqErhB-j2ghb7FNqUV9YHZMcT5TwQlBooD5emairxAwgXf7K4stA8zu5T-mKeGBlSk/s1600/Screen+Shot+2018-09-26+at+3.31.49+PM.png" imageanchor="1"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8FW4AUF7usMTqkrO_52GGRD2DawE92h_z95c7ixmuuPvoZ3kjVz8O122baDjmSbHjFYuL3t0xK2zqErhB-j2ghb7FNqUV9YHZMcT5TwQlBooD5emairxAwgXf7K4stA8zu5T-mKeGBlSk/s640/Screen+Shot+2018-09-26+at+3.31.49+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">By default, after creating a directory and associating it with your vIDM Connector, the connector can authenticate AD users in inbound mode, in which users connect directly to the vIDM Connector located on the trusted network. Here's what a login looks like in my environment when the connector is set up in inbound mode: after choosing to authenticate to the LAB.LOCAL domain, I'm redirected to a URL for the enterprise connector. So here's the initial login to my SaaS instance. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV-gH8H134UvWi_bbq_eNOPhg_lvM7ZjtQBBIIyVENYHz-jgGds0rGHxm1DjyjeVlE5vYKHcLRzuQ0xksXY81FE52WEsOkxbon4ZF-VDJc7D5fgN-PUG4x6io5Ncaw85VIqJeJIMeqWGTQ/s1600/Screen+Shot+2018-09-26+at+3.37.29+PM.png" imageanchor="1"><img border="0" height="396" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV-gH8H134UvWi_bbq_eNOPhg_lvM7ZjtQBBIIyVENYHz-jgGds0rGHxm1DjyjeVlE5vYKHcLRzuQ0xksXY81FE52WEsOkxbon4ZF-VDJc7D5fgN-PUG4x6io5Ncaw85VIqJeJIMeqWGTQ/s640/Screen+Shot+2018-09-26+at+3.37.29+PM.png" width="640" /></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">After choosing to log in to my AD domain, my browser is redirected to the vIDM Connector I've just set up, entconnect.lab.local. In my environment I haven't set up a certificate yet, so I initially get this error about the SSL cert on my vIDM Connector. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifGxRZc9ZmAdjoDzX9wyt5AA-agEdSTqjwWotbrcXMPcPskWHQzW1UYv1iGiaKKFBLE1pv3oNTbJ5Bdav6lbl-SNHc0FlnXbnrIitVArG6_fWptIp7gDQTPPiXcj48_3GJfeIyPQppSLG1/s1600/Screen+Shot+2018-09-26+at+3.38.59+PM.png" imageanchor="1"><img border="0" height="312" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifGxRZc9ZmAdjoDzX9wyt5AA-agEdSTqjwWotbrcXMPcPskWHQzW1UYv1iGiaKKFBLE1pv3oNTbJ5Bdav6lbl-SNHc0FlnXbnrIitVArG6_fWptIp7gDQTPPiXcj48_3GJfeIyPQppSLG1/s640/Screen+Shot+2018-09-26+at+3.38.59+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">After clicking to continue to the website, I get a login screen for my local AD environment. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA_asxMI97JODQMADedpmD7FIBqEjUwx1WWY-D2AAG87s0dEyXuUde1_lSvQ3slVnQImOdOFjsBlqiK6-E40an3zdjXu8PCalvMM5jwczXYg_w9E1L5PFtObf6OkQjDxKzrjSdLcd9HNXZ/s1600/Screen+Shot+2018-09-26+at+3.40.06+PM.png" imageanchor="1"><img border="0" height="458" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA_asxMI97JODQMADedpmD7FIBqEjUwx1WWY-D2AAG87s0dEyXuUde1_lSvQ3slVnQImOdOFjsBlqiK6-E40an3zdjXu8PCalvMM5jwczXYg_w9E1L5PFtObf6OkQjDxKzrjSdLcd9HNXZ/s640/Screen+Shot+2018-09-26+at+3.40.06+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">After entering my domain credentials correctly, I'm successfully logged into my Workspace One portal.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxG5sDf49FCP1TjlBxxa5M0U1n6-5k6It585OYi1VolGMi_uaQWkFhrfezxDgSM8lijCYgH9MimYI8n_gu0otVqamTGLTtOk_mK4fzgTimMXiYUcf2J1ZBt4pNmbyPZfx90qA8pPeESZF8/s1600/Screen+Shot+2018-09-26+at+3.40.23+PM.png" imageanchor="1"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxG5sDf49FCP1TjlBxxa5M0U1n6-5k6It585OYi1VolGMi_uaQWkFhrfezxDgSM8lijCYgH9MimYI8n_gu0otVqamTGLTtOk_mK4fzgTimMXiYUcf2J1ZBt4pNmbyPZfx90qA8pPeESZF8/s640/Screen+Shot+2018-09-26+at+3.40.23+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">If you want users to authenticate directly against vIDM in the cloud, rather than against the vIDM Connector, you can enable outbound mode.</span><br />
<br />
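<span style="color: #9fc5e8;">The pre-flight script below is an added example, not part of the original post or of VMware's own tooling. Run it in PowerShell on the server that will host the connector, before the installer and the Add Directory wizard: it checks the outbound-only 443 path to the SaaS instance, that the bind account is in UPN form and can actually bind over LDAP, that every group and user DN you plan to sync exists (a typo there only surfaces after the directory is created, when the enabled attributes can no longer be changed), and that the connector's HTTPS certificate chains to a trusted CA and matches its hostname, which is what inbound mode depends on because browsers are redirected to it. The tenant hostname, connector FQDN, bind account and DNs are constructed placeholders.</span><br />

```powershell
# Pre-flight checks for a vIDM Connector host. Added example, not from the
# original post; every hostname, account and DN below is a constructed
# placeholder to replace with your own values. Run on the Windows server that
# will host the connector, in a PowerShell session.
param(
    [string]$SaasHost      = 'yourtenant.vmwareidentity.com',  # SaaS vIDM tenant (placeholder)
    [string]$ConnectorHost = 'entconnect.lab.local',           # this connector's FQDN (placeholder)
    [string]$BindUpn       = 'svc-vidm-bind@lab.local',        # bind account, UPN form (placeholder)
    [string]$DomainHost    = 'lab.local',                      # AD domain to bind against (placeholder)
    [string[]]$GroupDns    = @('CN=Horizon Users,OU=Groups,DC=lab,DC=local'),  # placeholder
    [string[]]$UserDns     = @('OU=Staff,DC=lab,DC=local')                    # placeholder
)

$results = [ordered]@{}

# 1. The integration needs only outbound TCP 443 from this host to the SaaS
#    instance; nothing inbound from the cloud. If this fails, fix the egress
#    path (or plan to configure the outbound proxy in the installer).
$tnc = Test-NetConnection -ComputerName $SaasHost -Port 443 -WarningAction SilentlyContinue
$results['Outbound TCP 443 to SaaS vIDM'] = $tnc.TcpTestSucceeded

# 2. The Add Directory wizard expects the bind account as user@domain, not DOMAIN\user.
$results['Bind account is in UPN format'] = [bool]($BindUpn -match '^[^@\s]+@[^@\s]+\.[^@\s]+$')

# 3. Prove the bind credential works over LDAP, then confirm every DN you plan
#    to sync exists before the directory is created.
$cred = Get-Credential -UserName $BindUpn -Message 'Password for the vIDM bind account'
$bindPassword = $cred.GetNetworkCredential().Password
Add-Type -AssemblyName System.DirectoryServices

function Test-LdapDn {
    param([string]$Dn)
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$DomainHost/$Dn", $BindUpn, $bindPassword
        $entry.RefreshCache()   # forces the bind and the object lookup; throws on bad creds or missing DN
        $entry.Dispose()
        return $true
    } catch {
        return $false
    }
}

$domainRootDn = 'DC=' + ($DomainHost -replace '\.', ',DC=')   # lab.local -> DC=lab,DC=local
$results['LDAP bind with UPN succeeds'] = Test-LdapDn -Dn $domainRootDn
foreach ($dn in ($GroupDns + $UserDns)) {
    $results["DN exists: $dn"] = Test-LdapDn -Dn $dn
}

# 4. In inbound mode the user's browser is redirected to the connector, so its
#    HTTPS certificate must chain to a CA the client trusts and match the
#    hostname. AuthenticateAsClient applies exactly those checks and throws if
#    either fails (the certificate warning the post shows). Outbound mode
#    removes this dependency for end users.
function Test-ConnectorTls {
    param([string]$HostName)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, 443)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        return [pscustomobject]@{ Trusted = $true; Detail = "$($cert.Subject) expires $($cert.NotAfter)" }
    } catch {
        return [pscustomobject]@{ Trusted = $false; Detail = $_.Exception.Message }
    } finally {
        $tcp.Close()
    }
}

$tls = Test-ConnectorTls -HostName $ConnectorHost
$results['Connector HTTPS certificate trusted'] = $tls.Trusted
$results['Connector certificate detail'] = $tls.Detail

$results.GetEnumerator() | Format-Table Name, Value -AutoSize
```

<br />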
<h2>
Setting Up Outbound Mode </h2>
<div>
<br /></div>
<div>
<span style="color: #9fc5e8;">We can enable outbound mode by associating our new Connector with the Built-In identity provider. Navigate to Identity And Access Management --> Manage --> Identity Providers. </span></div>
<div>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJrO30C8B9DbD0JvuuYNLebNTuGtY4UU9-axbF_PmQx0LPzrd1nsvA8BKO3W4d5Ivtg439fTwo7EbEgZKg7L27QhtE8sYk4U29IQ9fIpvRF_ZkqOmAKaTwHJY-61lkRPylcLwtj-p-920x/s1600/Screen+Shot+2018-09-26+at+3.51.02+PM.png" imageanchor="1"><img border="0" height="224" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJrO30C8B9DbD0JvuuYNLebNTuGtY4UU9-axbF_PmQx0LPzrd1nsvA8BKO3W4d5Ivtg439fTwo7EbEgZKg7L27QhtE8sYk4U29IQ9fIpvRF_ZkqOmAKaTwHJY-61lkRPylcLwtj-p-920x/s640/Screen+Shot+2018-09-26+at+3.51.02+PM.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<span style="color: #9fc5e8;">Click on the hyperlink for Built-in. Select the relevant directory and network ranges. Then scroll down. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHCao8ExmwEi8LH1-cbbdsDCTqKelLgG4UTOdOM0iEuOs1T2bQNKzy7WPkkb3jl25CyNVcGFFYmAFq7C6PEb957gOnMKMMJkI72uuZY27OTzMrmuVQaXgHapWaJrj2mVAORIzizYq5tLsP/s1600/Screen+Shot+2018-10-01+at+10.08.45+PM.png" imageanchor="1"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHCao8ExmwEi8LH1-cbbdsDCTqKelLgG4UTOdOM0iEuOs1T2bQNKzy7WPkkb3jl25CyNVcGFFYmAFq7C6PEb957gOnMKMMJkI72uuZY27OTzMrmuVQaXgHapWaJrj2mVAORIzizYq5tLsP/s640/Screen+Shot+2018-10-01+at+10.08.45+PM.png" width="640" /></a></span><br />
<br />
<span style="color: #9fc5e8;">Under Connectors, select your new vIDM Connector. Then click on the, "Add Connector," button. </span></div>
<div>
<br /></div>
<div>
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6sasE173Ec59JwTGutcRgh-VOtLmXNPV-nxH8QyT2vcPAcRk30RUsX3xP2l-gO-44bOBGBHYExPCRU7sUMqiz3aIFwheXFcvKDfd7aQRORTtriwkvj0YAuPAYnypg1Pf366gThQL90CpP/s1600/Screen+Shot+2018-09-25+at+3.29.43+PM.png" imageanchor="1"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6sasE173Ec59JwTGutcRgh-VOtLmXNPV-nxH8QyT2vcPAcRk30RUsX3xP2l-gO-44bOBGBHYExPCRU7sUMqiz3aIFwheXFcvKDfd7aQRORTtriwkvj0YAuPAYnypg1Pf366gThQL90CpP/s640/Screen+Shot+2018-09-25+at+3.29.43+PM.png" width="640" /></a><br />
<br /></div>
<div>
<span style="color: #9fc5e8;">You'll now have the option to select Connector Authentication Methods. Select the option for, "Password (cloud deployment)." </span></div>
<div>
</div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMLk2MaiX0UsWQFhpxYJ1W9-mo-g2nXjWYDT9zg-WBs0PKTeCN7UflYG2JqGH8G-trwmo5iaYuuQGyieu3mnZq-7kJj4gEIfcRZJka8p3EGfPQQBXCRURDehob0wI3HE7rQReXeqmme51G/s1600/Screen+Shot+2018-09-25+at+3.42.39+PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMLk2MaiX0UsWQFhpxYJ1W9-mo-g2nXjWYDT9zg-WBs0PKTeCN7UflYG2JqGH8G-trwmo5iaYuuQGyieu3mnZq-7kJj4gEIfcRZJka8p3EGfPQQBXCRURDehob0wI3HE7rQReXeqmme51G/s640/Screen+Shot+2018-09-25+at+3.42.39+PM.png" width="640" /></a></div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
</div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
</div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;">After changing your access policy rules to use the Password (cloud deployment) authentication method, users authenticate against the AD environment directly from your SaaS instance, without their browser being redirected to the vIDM Connector. Your transition to outbound mode is complete. </span></div>
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAm3_I0JHqGQiFTXoEuuG8veg8SJ-BByB6Y0ts9Ac_LYNeZya7Pyjj2wfXQBhruLyXLpI8KFbirzu4ad1tndITN3-rTqSvKsMKVzFL98LyuB7s59QrlTZx7C2TIJDAKo646SnxPYFlfKda/s1600/Screen+Shot+2018-09-26+at+3.58.47+PM.png" imageanchor="1"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAm3_I0JHqGQiFTXoEuuG8veg8SJ-BByB6Y0ts9Ac_LYNeZya7Pyjj2wfXQBhruLyXLpI8KFbirzu4ad1tndITN3-rTqSvKsMKVzFL98LyuB7s59QrlTZx7C2TIJDAKo646SnxPYFlfKda/s640/Screen+Shot+2018-09-26+at+3.58.47+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">With the vIDM Connector integrated with your local AD environment, you can now proceed to integrate vIDM with your on premises Horizon environment according to these instructions,</span> <a href="http://www.evengooder.com/2018/10/integrating-cloud-instance-of-vmware.html">Integrating A Cloud Instance Of VMware Identity Manager With On Premise Horizon</a>.</div>
</div>
EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com1tag:blogger.com,1999:blog-7411363718337372107.post-40122927110330337412018-10-06T21:04:00.000-07:002018-10-30T08:52:40.972-07:00
Integrating A Cloud Instance Of Workspace One UEM (AirWatch) With Active Directory
<span style="color: #9fc5e8;">You can easily integrate an Active Directory environment with cloud-hosted AirWatch using the AirWatch Cloud Connector. The AirWatch Cloud Connector can sync users and groups from the on premises AD environment to your AirWatch environment. It can also handle AD authentication into that environment from AirWatch managed endpoints. </span><br />
<div>
<br /></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpFJyMg79R_MRnbTRLdF8RQ0ScbOZ_vzyx51lWEjEgbYlFGXGFX4iRgg_Z5DfX91clxGXlGkhGx1ENXUDrDfJOXwSM8Je6Tc0qOuUtzsgp5caZS2hcj4Uld8oQxbgoNsvn_kbjynWbW-ya/s1600/Screen+Shot+2018-09-20+at+4.31.43+PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="406" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpFJyMg79R_MRnbTRLdF8RQ0ScbOZ_vzyx51lWEjEgbYlFGXGFX4iRgg_Z5DfX91clxGXlGkhGx1ENXUDrDfJOXwSM8Je6Tc0qOuUtzsgp5caZS2hcj4Uld8oQxbgoNsvn_kbjynWbW-ya/s640/Screen+Shot+2018-09-20+at+4.31.43+PM.png" width="640" /></a></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">While the ACC can handle AD integration for both vIDM and AirWatch, because we're looking to integrate with Horizon, we have to manage vIDM's integration with AD through the vIDM Connector, not the ACC. So, for the ACC deployment in this post we're just going to focus on getting AirWatch integrated with AD. In the <a href="http://www.evengooder.com/2018/10/integrating-saas-instance-of-vmware_1.html">next post</a> I'll cover getting vIDM integrated with AD using the vIDM Connector. </span><br />
<span style="color: #9fc5e8;"><br /></span></div>
<div>
<h2>
Deploying The AirWatch Cloud Connector</h2>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">To get the deployment started, navigate to your Workspace One UEM console directly from the Windows server you're installing the ACC on. Once logged in, go to Groups And Settings --> All Settings --> System --> Enterprise Integration --> Cloud Connector. From there select Override, then select "Enabled" for "Enable AirWatch Cloud Connector." </span></div>
<div>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXDuSWxL_OdbrS5r9saZRItmzSwUiemcVWQR1z4TTLnGjmTpGca3zMVMutVKVGLSj09dptO7AsT3o61OT8N7ETQXbHprEtTB9R11Ur6Tsr5BWuVMGrE9vG5wfE-kWlj1XwfMstSWShxHbK/s1600/Screen+Shot+2018-10-29+at+3.25.44+PM.png" imageanchor="1"><img border="0" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXDuSWxL_OdbrS5r9saZRItmzSwUiemcVWQR1z4TTLnGjmTpGca3zMVMutVKVGLSj09dptO7AsT3o61OT8N7ETQXbHprEtTB9R11Ur6Tsr5BWuVMGrE9vG5wfE-kWlj1XwfMstSWShxHbK/s640/Screen+Shot+2018-10-29+at+3.25.44+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Next, click on the download link for the AirWatch Cloud Connector installer. You'll be prompted for a certificate password. Enter an easy-to-remember password of 6 characters or longer.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtf7LUriE_9_ahCY68pBKqjXi9qQ6CzUlXgoyW0Q3Ycqs9GS__7D6E4ctqWckDfaOdR7f2TF98J5v3C9MLX0_8td4FlKlu4WEZeHnBDx3QXIGzxmVNADuIN5hUvLZeWpxvpc_2p-ayLWSN/s1600/Screen+Shot+2018-10-29+at+3.28.11+PM.png" imageanchor="1"><img border="0" height="444" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtf7LUriE_9_ahCY68pBKqjXi9qQ6CzUlXgoyW0Q3Ycqs9GS__7D6E4ctqWckDfaOdR7f2TF98J5v3C9MLX0_8td4FlKlu4WEZeHnBDx3QXIGzxmVNADuIN5hUvLZeWpxvpc_2p-ayLWSN/s640/Screen+Shot+2018-10-29+at+3.28.11+PM.png" width="640" /></a><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">Then click on the download button. The installer is less than 20 megs, so it shouldn't take long to download. Once it's downloaded locally to your Windows server, go ahead and start the install.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjREhLCGPJkmmfwN9eH8EAMHbJOF6SzopINERi_JZZOWN0I2Uq6DdvFVth70lZKc47g01NjlUeBttTE22rSIRLjIO0jQr2MTYJwkiM-agcTUeFn_e4byMj5lSQNyXB5zY2FcwFqoL6g3S9h/s1600/Screen+Shot+2018-10-29+at+3.36.27+PM.png" imageanchor="1"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjREhLCGPJkmmfwN9eH8EAMHbJOF6SzopINERi_JZZOWN0I2Uq6DdvFVth70lZKc47g01NjlUeBttTE22rSIRLjIO0jQr2MTYJwkiM-agcTUeFn_e4byMj5lSQNyXB5zY2FcwFqoL6g3S9h/s640/Screen+Shot+2018-10-29+at+3.36.27+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">You'll see the welcome screen. Click next.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgO1Q3fvO6LQdamSsmIH89bshqAACBiIk10Yu-kyZeGrD1mh3LJkRfGK8YSNQ_1UBaXsrWLFjSv9W1IJJcpYHpkwNItiSoanz7xjgL-22a6Mtbg4mhvPD85QcDcXLfUZIiZUWMTly3o764/s1600/Screen+Shot+2018-10-29+at+3.37.23+PM.png" imageanchor="1"><img border="0" height="492" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgO1Q3fvO6LQdamSsmIH89bshqAACBiIk10Yu-kyZeGrD1mh3LJkRfGK8YSNQ_1UBaXsrWLFjSv9W1IJJcpYHpkwNItiSoanz7xjgL-22a6Mtbg4mhvPD85QcDcXLfUZIiZUWMTly3o764/s640/Screen+Shot+2018-10-29+at+3.37.23+PM.png" width="640" /></a><br />
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">
Go ahead and accept the default install folder.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq3AXbwVJygzoVMqAjNBB2shcpsxsPX0tf7NQtunz6IeGzexVVrQ36YyhrT6SyhEuojDHtKdVPS7E2MYXPIE8tTiGAZE7CwoJo_-0TDBdkITC_IfY2ir5mZbOt2hzkk8648rlWCoBHOx8L/s1600/Screen+Shot+2018-10-29+at+3.38.08+PM.png" imageanchor="1"><img border="0" height="488" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq3AXbwVJygzoVMqAjNBB2shcpsxsPX0tf7NQtunz6IeGzexVVrQ36YyhrT6SyhEuojDHtKdVPS7E2MYXPIE8tTiGAZE7CwoJo_-0TDBdkITC_IfY2ir5mZbOt2hzkk8648rlWCoBHOx8L/s640/Screen+Shot+2018-10-29+at+3.38.08+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Enter in the certificate password you entered in earlier when downloading the ACC installer.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxYlLfRhThYQc6YboodD_wYuOaRq-6tsjtCTveklnzai9ticD1yuLWvmfeJhxeOgOehmQH-QX1zYeiyZUaS0k8JOFP826s0V52Fgg3k0X-Ta5WgdMvPSiAmel3LsV-CPel8bahMyHf1Jkt/s1600/Screen+Shot+2018-10-29+at+3.39.20+PM.png" imageanchor="1"><img border="0" height="496" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxYlLfRhThYQc6YboodD_wYuOaRq-6tsjtCTveklnzai9ticD1yuLWvmfeJhxeOgOehmQH-QX1zYeiyZUaS0k8JOFP826s0V52Fgg3k0X-Ta5WgdMvPSiAmel3LsV-CPel8bahMyHf1Jkt/s640/Screen+Shot+2018-10-29+at+3.39.20+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Leave the outbound proxy option unchecked (unless you have a proxy). Then click Install to proceed with the installation. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1EUlinlhuEzb5l0uZDa2mhrIl4mhcU6QrcxjCK6GhCn4VYW4NUGi9ej35TVZx6Oa6ZZ2eephzIB7NLB9j-XNUMTiBPUeu_Mb5Bd9dG3Lri1uD3bAjkxyg8ZVYimTTG2hyphenhyphenYZiLyvZpBwie/s1600/Screen+Shot+2018-10-29+at+3.40.49+PM.png" imageanchor="1"><img border="0" height="494" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1EUlinlhuEzb5l0uZDa2mhrIl4mhcU6QrcxjCK6GhCn4VYW4NUGi9ej35TVZx6Oa6ZZ2eephzIB7NLB9j-XNUMTiBPUeu_Mb5Bd9dG3Lri1uD3bAjkxyg8ZVYimTTG2hyphenhyphenYZiLyvZpBwie/s640/Screen+Shot+2018-10-29+at+3.40.49+PM.png" width="640" /></a></span>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">At completion, you'll see:</span><span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjggwdSHAjVnyNGSS_nbEaKKAvLygRmvOOTlwlCEkUwU1s4vuuJNMBMykMa7tMe-eybfakvBT1HaDcrZiOLdU7r01cfGOQ9pppb87h7ru94tunfZ-iuuMjWOMJ614AfJpcPsWPSin3buM3n/s1600/Screen+Shot+2018-10-29+at+3.42.27+PM.png" imageanchor="1"><img border="0" height="488" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjggwdSHAjVnyNGSS_nbEaKKAvLygRmvOOTlwlCEkUwU1s4vuuJNMBMykMa7tMe-eybfakvBT1HaDcrZiOLdU7r01cfGOQ9pppb87h7ru94tunfZ-iuuMjWOMJ614AfJpcPsWPSin3buM3n/s640/Screen+Shot+2018-10-29+at+3.42.27+PM.png" width="640" /></a></span><span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">Finally, we can now test connectivity from the AirWatch environment to the connector. From the VMware Enterprise Systems Connector section under Enterprise Integration, beneath the download link is a test button. If all goes well after clicking the button you'll get the message, "AirWatch Cloud Connector is active."</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnSWXAvf-x0euusoCtJiJ1B3xHL3S6zJ-I2PalRd_q5nhzHv7sR9Rtm4DKHKIYb5FU_1DEaxYkAJqv0OTqte8wdwjqpMkRhUSA2eGfgpmcQXE8O3lGSehCM9-PWKR5yM6rQBz5Sy3EbimQ/s1600/Screen+Shot+2018-10-29+at+3.57.32+PM.png" imageanchor="1"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnSWXAvf-x0euusoCtJiJ1B3xHL3S6zJ-I2PalRd_q5nhzHv7sR9Rtm4DKHKIYb5FU_1DEaxYkAJqv0OTqte8wdwjqpMkRhUSA2eGfgpmcQXE8O3lGSehCM9-PWKR5yM6rQBz5Sy3EbimQ/s640/Screen+Shot+2018-10-29+at+3.57.32+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Now, with the AirWatch Cloud Connector in place, we can start to integrate the Workspace One UEM environment with the local Active Directory environment.</span><br />
<br />
<h2>
Binding To The Local AD Environment</h2>
<br />
<span style="color: #9fc5e8;">Navigate to Groups And Settings --> All Settings --> System --> Enterprise Integration --> Directory Services. Select the directory type, then enter the name of a domain controller and the port number. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQwjPKxcSHq_twgpIPB1S4846DOHYJEVOCCJdPej8S3bRP_AUDxHrlv9rmonhurS2w-Cvv1Hd_yEtKJHbBXFGNog1KqWLe3oYneQ17Cy-19LifowgHel5ruc3q6o_gMeTx9pg3N2D_WSEo/s1600/Screen+Shot+2018-10-01+at+2.40.10+PM.png" imageanchor="1"><img border="0" height="386" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQwjPKxcSHq_twgpIPB1S4846DOHYJEVOCCJdPej8S3bRP_AUDxHrlv9rmonhurS2w-Cvv1Hd_yEtKJHbBXFGNog1KqWLe3oYneQ17Cy-19LifowgHel5ruc3q6o_gMeTx9pg3N2D_WSEo/s640/Screen+Shot+2018-10-01+at+2.40.10+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">After scrolling down, enter in the bind user credentials and domain name. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsY-5x4o6v5hky6bIXcKrjZQ4Fjh0BDvHZdDl-LWdlLMB3RrpG0wtK_neIP-EonR8cKtYGagsJWcN5eJkRPwZIH7sq04JgQGNxuzKkTemJHf0t9ykpWl30lijFQQKrqFwXvMuswi7cfEQn/s1600/Screen+Shot+2018-10-01+at+2.41.31+PM.png" imageanchor="1"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsY-5x4o6v5hky6bIXcKrjZQ4Fjh0BDvHZdDl-LWdlLMB3RrpG0wtK_neIP-EonR8cKtYGagsJWcN5eJkRPwZIH7sq04JgQGNxuzKkTemJHf0t9ykpWl30lijFQQKrqFwXvMuswi7cfEQn/s640/Screen+Shot+2018-10-01+at+2.41.31+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Navigate to the user tab. Enter in a base DN for your users.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYcW2qA-43W9fEDd2qxRoCtpPMpkSt4BoTO1oebrVnKNRGq_cfn5Ja-7mCO2NtC-ihyAOSV9lIox_m6iLllq93UN1ufnt5VEEkKySFFb5DX0fkgEhbdu5zkarJZOugsgVZLqFB3FrmaGbc/s1600/Screen+Shot+2018-10-01+at+2.42.41+PM.png" imageanchor="1"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYcW2qA-43W9fEDd2qxRoCtpPMpkSt4BoTO1oebrVnKNRGq_cfn5Ja-7mCO2NtC-ihyAOSV9lIox_m6iLllq93UN1ufnt5VEEkKySFFb5DX0fkgEhbdu5zkarJZOugsgVZLqFB3FrmaGbc/s640/Screen+Shot+2018-10-01+at+2.42.41+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Navigate to the Group tab. Enter in a base DN for your groups. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIegoNmdEK3BkIjTdxRw87mC-HLFhtyNu9kk5XaRL77Ctoan-Yytule-wUOSOIXM5kSAem-3RTn78AMJhfWjwt4RkPQZo4SsosQJ_ClwkKEHVS790goKhw89YCAYSQXeYCT7fyVSlkUsOL/s1600/Screen+Shot+2018-10-01+at+2.42.57+PM.png" imageanchor="1"><img border="0" height="394" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIegoNmdEK3BkIjTdxRw87mC-HLFhtyNu9kk5XaRL77Ctoan-Yytule-wUOSOIXM5kSAem-3RTn78AMJhfWjwt4RkPQZo4SsosQJ_ClwkKEHVS790goKhw89YCAYSQXeYCT7fyVSlkUsOL/s640/Screen+Shot+2018-10-01+at+2.42.57+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Finally, you can test the directory integration by clicking on the Test Connection button. If all goes well, you'll get the message, "Connection successful with the given server name, bind user name and password."</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGaa4-m_9m2lEWbTBcOABQVUDhqdwSGgf0jQ1r97Cgn6DuR2A355U7ZqNTbgB94N7segurLtCkZesu29Cv-mBV53qr-7RykG3-b3CuXLZuLbIkb9tuQZRwmi9V-d5-KbJ0UEHdGHEbD_mu/s1600/Screen+Shot+2018-10-01+at+10.53.46+PM.png" imageanchor="1"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGaa4-m_9m2lEWbTBcOABQVUDhqdwSGgf0jQ1r97Cgn6DuR2A355U7ZqNTbgB94N7segurLtCkZesu29Cv-mBV53qr-7RykG3-b3CuXLZuLbIkb9tuQZRwmi9V-d5-KbJ0UEHdGHEbD_mu/s640/Screen+Shot+2018-10-01+at+10.53.46+PM.png" width="640" /></a><br />
<br />
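<span style="color: #9fc5e8;">Before typing the domain controller, port, bind account and base DNs into the Directory Services form, it's worth confirming from the ACC server itself that each value actually works. The PowerShell script below is an added example, not code from the post or from VMware: it checks that the server has the outbound TCP 443 path the connector needs to the UEM tenant, performs an LDAP bind with the service account you intend to use, and does a base-scope lookup of each base DN to prove it exists and is readable by that account. The tenant hostname, domain controller, account name and DNs are constructed placeholders. Port 636 (LDAPS) is assumed so the bind account's password is protected in transit; the DC's certificate must already be trusted by the server, since the script deliberately does not bypass certificate validation. The bind account should be a dedicated, read-only service account.</span>

```powershell
# Added example (not from the original post): pre-flight checks to run on the
# Windows server hosting the AirWatch Cloud Connector, before filling in the
# Directory Services form in the Workspace One UEM console.
# All values below are constructed placeholders; replace them with your own.

$UemTenantHost    = "cn123.awmdm.example"            # placeholder: your UEM tenant hostname
$DomainController = "dc01.corp.example"              # placeholder: the DC entered in the console
$LdapPort         = 636                              # 636 = LDAPS (preferred); 389 = clear-text LDAP
$BindUser         = "CORP\svc-uem-bind"              # placeholder: dedicated read-only bind account
$UserBaseDn       = "OU=Users,DC=corp,DC=example"    # placeholder: base DN from the User tab
$GroupBaseDn      = "OU=Groups,DC=corp,DC=example"   # placeholder: base DN from the Group tab

Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. The connector only needs outbound TCP 443 to the tenant; confirm that path exists.
function Test-OutboundHttps {
    param([string]$TargetHost)
    $r = Test-NetConnection -ComputerName $TargetHost -Port 443 -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

# 2. Bind to the DC as the service account, then verify each base DN is readable by it.
#    Returns a hashtable of base DN -> $true/$false.
function Test-LdapBind {
    param(
        [string]$Server,
        [int]$Port,
        [string]$User,
        [System.Security.SecureString]$Password,
        [string[]]$BaseDns
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    # On 636 the simple bind is wrapped in TLS, so the password never crosses the wire in clear.
    # No certificate-validation override is set: an untrusted DC certificate makes Bind() fail,
    # which is the correct outcome for a production check.
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($User, $Password)
    $conn.Bind()   # throws LdapException on bad credentials or an unreachable server

    $results = @{}
    foreach ($dn in $BaseDns) {
        # Base-scope search for the DN itself: exactly one entry if it exists and the bind
        # account can read it; DirectoryOperationException (e.g. noSuchObject) otherwise.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest($dn, "(objectClass=*)", [System.DirectoryServices.Protocols.SearchScope]::Base, @("distinguishedName"))
        try {
            $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
            $results[$dn] = ($resp.Entries.Count -eq 1)
        } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
            $results[$dn] = $false
        }
    }
    $conn.Dispose()
    return $results
}

# Usage: prompt for the bind password rather than embedding it in the script.
$pw = Read-Host -Prompt "Password for $BindUser" -AsSecureString
"Outbound 443 to $UemTenantHost : " + (Test-OutboundHttps -TargetHost $UemTenantHost)
Test-LdapBind -Server $DomainController -Port $LdapPort -User $BindUser -Password $pw -BaseDns @($UserBaseDn, $GroupBaseDn)
```

<span style="color: #9fc5e8;">If the outbound check fails, the console's "AirWatch Cloud Connector is active" test will also fail, so fix the egress rule first. If Bind() throws, the console's Test Connection button will report the same failure; a base DN that comes back $false is either mistyped or not readable by the bind account, which is exactly what the User and Group tabs depend on.</span>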
<span style="color: #9fc5e8;">Now, with the local directory added, you can go to Accounts --> List View, then click Add. You'll be able to add an AD account from your local AD directory. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_jC9y17_WWNhfkR6LGPQxSMEBLS6F0L5y3Xv6QeykytVamO5ns_qv7TcuZ8WY7yVMuSYc7w1xlQcKETgY2JTNxt-YG-8uCODscNwEIf7Yj0fnLcAh31L7LIatLPicHSa_GiCAIKXewrtB/s1600/add+users.png" imageanchor="1"><img border="0" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_jC9y17_WWNhfkR6LGPQxSMEBLS6F0L5y3Xv6QeykytVamO5ns_qv7TcuZ8WY7yVMuSYc7w1xlQcKETgY2JTNxt-YG-8uCODscNwEIf7Yj0fnLcAh31L7LIatLPicHSa_GiCAIKXewrtB/s640/add+users.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">After clicking Add User, select Directory as the user type. Enter in the username of the AD account you'd like to add. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOI_GFT6LsriP3mKIzPXlwSY6rxYxJ8UqgsdfpqxRc_E6wrtYZAH90Br-gvy6lJmvayEka_w0GbOvQZi31dGy0od2IMBo0O4sAxDhmkLrs_pFwxUISgow4ta5gLCmHqpPKLoaUfNmxDFV7/s1600/Screen+Shot+2018-09-21+at+1.09.04+PM.png" imageanchor="1"><img border="0" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOI_GFT6LsriP3mKIzPXlwSY6rxYxJ8UqgsdfpqxRc_E6wrtYZAH90Br-gvy6lJmvayEka_w0GbOvQZi31dGy0od2IMBo0O4sAxDhmkLrs_pFwxUISgow4ta5gLCmHqpPKLoaUfNmxDFV7/s640/Screen+Shot+2018-09-21+at+1.09.04+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">After clicking on check name, a bunch of AD attributes from that account will be auto populated.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmBXcTJQ1c9xEdYECe1jjDzC2MKyHBsQiJv6_52X4efZx_9qRkcX1-GPKZJYpvtQjiZomTK2wXm2hXP09_Zmev0sF6e83CNwSD4STOalMQgaa3COadfuREaergNKRiHwQtA94PoNoGmL9F/s1600/Screen+Shot+2018-09-21+at+1.16.35+PM.png" imageanchor="1"><img border="0" height="464" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmBXcTJQ1c9xEdYECe1jjDzC2MKyHBsQiJv6_52X4efZx_9qRkcX1-GPKZJYpvtQjiZomTK2wXm2hXP09_Zmev0sF6e83CNwSD4STOalMQgaa3COadfuREaergNKRiHwQtA94PoNoGmL9F/s640/Screen+Shot+2018-09-21+at+1.16.35+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">Click save. The imported AD account will now show up under users in list view.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTbgRsu9sDHYTJiuT3m-n_wHy0E9gxsqrI0YTbjN4QLEP3cwIgXFVbnDVajz1dHj-oPYzIsu-AyUkZVM3Kgo0KKmzQ5n2mxwau3TkWn4l3wA70PI94yVfAv8XSgdacvvYRbRxNFpS111OH/s1600/Screen+Shot+2018-09-21+at+1.17.19+PM.png" imageanchor="1"><img border="0" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTbgRsu9sDHYTJiuT3m-n_wHy0E9gxsqrI0YTbjN4QLEP3cwIgXFVbnDVajz1dHj-oPYzIsu-AyUkZVM3Kgo0KKmzQ5n2mxwau3TkWn4l3wA70PI94yVfAv8XSgdacvvYRbRxNFpS111OH/s640/Screen+Shot+2018-09-21+at+1.17.19+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">You can further test the integration by enrolling a device with the domain user's credentials. Here's a screenshot from the enrollment process on my iPad.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPnB5CHg3Ghy6ZmBbqYOOH-p4v-1LdyhSMxHQ6exjy-HGgU7aehHCZ5qAQEl9k8_zGeTXZ-hT80af87n2U44XXJgfYedvQNAZ9VTAvjbga_87fDHsO658uGIcClkYnw3oxUH7N_N6_brN_/s1600/Boxer_1537634581.692468_asset.JPG" imageanchor="1"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPnB5CHg3Ghy6ZmBbqYOOH-p4v-1LdyhSMxHQ6exjy-HGgU7aehHCZ5qAQEl9k8_zGeTXZ-hT80af87n2U44XXJgfYedvQNAZ9VTAvjbga_87fDHsO658uGIcClkYnw3oxUH7N_N6_brN_/s640/Boxer_1537634581.692468_asset.JPG" width="480" /></a><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">After providing my AirWatch server and group ID, I'm prompted for credentials. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv3dPMjEZPYRWGiPQdj9hVlXWE6aMMj5AkVblMNMiuO7qup3cCbS89kEXEJDh7cteDgEYqjrZyDpCQS2E0s5zz0i9UWmixJQgOjy6GBkHUNZx9gUPPMMfjLzoioYcZ56HPn16sluwc6ThT/s1600/Boxer_1537634631.368355_asset.JPG" imageanchor="1"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv3dPMjEZPYRWGiPQdj9hVlXWE6aMMj5AkVblMNMiuO7qup3cCbS89kEXEJDh7cteDgEYqjrZyDpCQS2E0s5zz0i9UWmixJQgOjy6GBkHUNZx9gUPPMMfjLzoioYcZ56HPn16sluwc6ThT/s640/Boxer_1537634631.368355_asset.JPG" width="480" /></a><br />
<br />
<span style="color: #9fc5e8;">After entering in the AD credentials there's a prompt to install the MDM profile on the device.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEQWbLlpNfwd8FD2YHMcTQYKf3Uo7UQOvf30-2TFRYnrOLg804Hi-gsur_7lI7M0xbrCoIeIgrHPf-USjq7W8HmNTtTHTGVoBVOugyLbBAmbgVvSzO2ZcKuBb5qftFO-M0dv4cFh3VUkLw/s1600/Boxer_1537634640.535693_asset.JPG" imageanchor="1"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEQWbLlpNfwd8FD2YHMcTQYKf3Uo7UQOvf30-2TFRYnrOLg804Hi-gsur_7lI7M0xbrCoIeIgrHPf-USjq7W8HmNTtTHTGVoBVOugyLbBAmbgVvSzO2ZcKuBb5qftFO-M0dv4cFh3VUkLw/s640/Boxer_1537634640.535693_asset.JPG" width="480" /></a><br />
<br />
<span style="color: #9fc5e8;">Now you should be able to see the device in the Workspace One UEM console.</span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv_OWWuZ_Ub7n14bGY3OT8bCOrnFzojrurWozmvOU63_RNLZMMtDxCs6-IJ7570maumbcm177fA-_0MBtOaOCFfv9npbcbDvOdVhlM8UQjdkWGwz-pDtncXuyNlCOdYLloq0T75CWZY4rC/s1600/Screen+Shot+2018-09-21+at+3.29.23+PM.png" imageanchor="1"><img border="0" height="364" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv_OWWuZ_Ub7n14bGY3OT8bCOrnFzojrurWozmvOU63_RNLZMMtDxCs6-IJ7570maumbcm177fA-_0MBtOaOCFfv9npbcbDvOdVhlM8UQjdkWGwz-pDtncXuyNlCOdYLloq0T75CWZY4rC/s640/Screen+Shot+2018-09-21+at+3.29.23+PM.png" width="640" /></a><br />
<br />
<span style="color: #9fc5e8;">At this point, the integration of the Workspace One UEM tenant with the local Active Directory environment is complete. Next, we can integrate vIDM as detailed in this next post, </span><a href="http://www.evengooder.com/2018/10/integrating-cloud-instance-of-vmware_6.html">Integrating A Cloud Instance Of VMware Identity Manager With Active Directory.</a><br />
<br /></div>
<style type="text/css">
p.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 10.0px Helvetica; color: #414141}
</style>EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com0tag:blogger.com,1999:blog-7411363718337372107.post-3816233979995587872018-10-06T21:03:00.002-07:002018-10-30T08:45:50.314-07:00Cloud Options For Accelerating Workspace One Adoption In Traditional Horizon Environments
<span style="color: #9fc5e8;">Cloud options for VMware Identity Manager and Workspace One UEM (AirWatch) make it easy to quickly extend the benefits of Workspace One to on premise Horizon environments. Leveraging these SaaS based instances, we can essentially layer Workspace One functionality on top of existing Horizon environments with little disruption and minimal up front work. </span><br />
<span style="color: #9fc5e8;"><br /></span>
<span style="color: #9fc5e8;">This is part 1 of a 7 part series that details an integration between cloud based vIDM, cloud based AirWatch and a traditional Horizon on premise deployment. The ultimate aim is to simplify and secure mobile access for Horizon users with features like a unified access portal, automated device configuration, SSO and conditional access based on device compliance.</span><br />
<span style="color: #9fc5e8;"><br /></span>
<br />
<h2>
Deployment Overview</h2>
<span style="color: #9fc5e8;"><br /></span><span style="color: #9fc5e8;">SaaS instances of vIDM and AirWatch integrate with a customer's environment through the deployment of special connectors on premise. System requirements for these connectors are negligible and, more importantly, their network requirements are incredibly simple. To communicate with SaaS instances of AirWatch and vIDM, the connectors only need outbound access on port 443 to them, so they can typically reach these cloud environments without any firewall changes. For display protocol connectivity to the Horizon environment, Unified Access Gateway (UAG) is used to proxy connections from the outside world to the internal instance of Horizon. </span><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF1NJaQuCAr93RRSnk3lNTQhG6wy3BFJyUdXWoF2V-PDy1vaA89ECF0Fy-v1UZQ_VbPHlRyustwj50UCCjEz4vzbncpVUuQKJFYOMUKLF-X9qUGMFbqKRplAbU8auBWkFKZmLR6_T1aPe2/s1600/Screen+Shot+2018-09-25+at+11.45.56+PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF1NJaQuCAr93RRSnk3lNTQhG6wy3BFJyUdXWoF2V-PDy1vaA89ECF0Fy-v1UZQ_VbPHlRyustwj50UCCjEz4vzbncpVUuQKJFYOMUKLF-X9qUGMFbqKRplAbU8auBWkFKZmLR6_T1aPe2/s640/Screen+Shot+2018-09-25+at+11.45.56+PM.png" width="640" /></a><br />
<br />
<h2>
Getting It Done </h2>
<br />
<span style="color: #9fc5e8;">I've created 6 separate posts that detail the process for integrating traditional on premises Horizon deployments with cloud instances of AirWatch and vIDM. With the SaaS instances already provisioned and prerequisites lined up properly, you could get these procedures completed in an afternoon. Here are the different procedures in the order I would recommend their execution:</span><br />
<br />
<a href="http://www.evengooder.com/2018/10/integrating-cloud-instance-of-workspace.html">Integrating A Cloud Instance Of Workspace One UEM (AirWatch) With Active Directory</a><br />
<a href="http://www.evengooder.com/2018/10/integrating-cloud-instance-of-vmware_6.html">Integrating A Cloud Instance Of VMware Identity Manager With Active Directory</a><br />
<a href="http://www.evengooder.com/2018/10/integrating-cloud-instance-of-vmware.html">Integrating A Cloud Instance Of VMware Identity Manager With On Premise Horizon</a><br />
<a href="http://www.evengooder.com/2018/10/integrating-cloud-instances-of.html">Integrating Cloud Instances Of Workspace One UEM (AirWatch) And VMware Identity Manager</a><br />
<a href="http://www.evengooder.com/2018/10/configuring-mobile-sso-for-ios-in.html">Configuring Mobile SSO For iOS In Workspace One UEM (AirWatch) </a><br />
<a href="http://www.evengooder.com/2018/10/securing-access-to-horizon-through.html">Securing Access To Horizon Through AirWatch Based Device Compliance</a><br />
<br />
<h2>
Further Detail</h2>
<br />
<span style="color: #9fc5e8;">The deployment detailed in these posts uses Horizon 7.5, the September 2018 release of VMware Identity Manager Cloud and Workspace One UEM 1810. Through the use of connectors we're able to integrate both the Workspace One UEM (AirWatch) and vIDM SaaS instances with on premise environments. For Workspace One UEM, we'll use the AirWatch Cloud Connector for AD integration. For vIDM, we're going to use the vIDM Connector for integration with both AD and the on premises Horizon environment. </span><span style="color: #9fc5e8;">After completing the deployment and configuration of the 2 connectors, we'll integrate the vIDM and AirWatch environments by populating vIDM with API keys and certificates for the AirWatch tenant. Then we'll enable features like the unified app catalog and device compliance. To get started, proceed with this first recipe, </span><a href="http://www.evengooder.com/2018/10/integrating-cloud-instance-of-workspace.html">Integrating A Cloud Instance Of Workspace One UEM (AirWatch) With Active Directory</a>.<br />
<br />
EvenGooderhttp://www.blogger.com/profile/02063688673110659593noreply@blogger.com1