MDM Integration: Omnissa Workspace ONE — Android

NOTE:

This topic applies to Android devices and Omnissa Workspace ONE (formerly VMware Workspace ONE). For iOS devices and Workspace ONE, see MDM Integration: Omnissa Workspace ONE — iOS.

Mobile Access Management has deep integration with Omnissa Workspace ONE. The instructions below describe how to set up Mobile Access Management to use Omnissa Workspace ONE APIs.

API Integration

API integration adds many additional features to customize your Workflows, including unenroll-before-enroll, assigning organization groups, setting friendly names, and more.

  • Android Devices — API Integration is required for Android enrollments.

Android Requirements

  • The Imprivata Locker Android app must be granted Lock Task permissions in the MDM.

  • The Imprivata Locker app must be added to the allowlist in your MDM.

Best Practices

  • Imprivata strongly recommends you use a local Workspace ONE admin account for Mobile Access Management APIs and avoid Active Directory accounts. Active Directory admins slow each API call by two seconds, which will make your checkouts slower.

  • Set up certificate authentication for the local admin user, which will avoid periodic password expirations.

  1. In the MAM console, navigate to Admin > MDMs. Click + Add, and select VMware AirWatch.

    screen-shot-2017-11-18-at-5-43-43-pm

  2. Switch the API Integration setting to ON. Click Configure.

    In the API Settings dialog, add API settings that you obtain from the Workspace ONE admin console.

  1. In your Workspace ONE console, visit Groups & Settings > All Settings > System > Advanced > API > REST API > General.

  2. Ensure that Enable API Access is selected.

  3. Add a new API key, and label it “GroundControl”.

  4. Copy the newly created API key and paste it into MAM’s API Key field.

  5. Enter the hostname of the REST API URL, for example “as700.awmdm.com”. Do not include "https" or a trailing slash.

    NOTE:

    This may be different from your AW console URL. See Omnissa KB 82724 for more information.

  6. After enabling APIs, create a dedicated administrator account for API authentication, ensuring the administrator has a role of "Console Administrator" or above. Then, select an authentication method using Option 1 or 2 below.

    1. In Workspace ONE admin console, navigate to the Authentication tab. Ensure Certificate authentication is enabled.

    2. In Accounts > Administrators > List View, select or create a Workspace ONE administrator account to use with Mobile Access Management. You can use a Basic or Directory account.

    3. To enable API access for one of your administrator accounts, edit the administrator and click the API tab.

    4. Select Certificates, then enter a Certificate password and click Generate Client Certificate.

    5. Export Client Certificate and click Save.

    6. In the MAM console, upload the certificate, enter admin username and the certificate password you just created.

    7. Click Test to confirm connection has been established. Click Save.

      IMPORTANT:

      If the API admin user account is locked, authentication will fail. Make sure the admin account is unlocked by resetting the user’s password.

      If the API admin user’s password expires, API integration will continue to work as expected.

    To configure authentication with username and password:

    1. In Workspace ONE admin console, navigate to the Authentication tab. Ensure Basic authentication is enabled.

    2. In Accounts > Administrators > List View, select or create an AirWatch administrator account to use with Mobile Access Management. You can use a Basic or Directory account.

      NOTE:

      If using this method, Imprivata recommends a dedicated directory account for Mobile Access Management, and using certificate based authentication as Workspace ONE may enforce a periodic password change for Basic users.

    3. To enable API access for one of your administrator accounts, edit the administrator, and click the API tab. Make sure Basic authentication is enabled.

    4. In the Roles tab, ensure the administrator has a role of Console Administrator or above.

      IMPORTANT:

      Each Administrator must log in once to the Workspace ONE console to accept the terms and conditions.

    5. In the MAM console, enter this Workspace ONE administrator username and password.

    6. Click Test to confirm connection has been established. Click Save.

  1. In the MAM console, in the Android Locker App Configuration section, click Show details.

  2. Copy the AppConfig values from the Android Locker App Configuration section using the copy to clipboard icon next to each item.

    1. Mobile Access Management MDM ID

    2. Mobile Access Management Server

    3. Device Identifier

      NOTE:

      The Device Identifier AppConfig value is formatted differently, depending on your MDM.

      You will use these values when configuring AppConfig values in Workspace ONE.

  3. In the Workspace ONE UEM console, specify the user groups that will receive the Imprivata Locker (Android) app.

    1. On the distribution screen, name the assignment and in the Assignment Groups field, enter the name of the user group or smart group.

    2. Configure how to deploy Imprivata Locker. Select Auto.

  4. From the menu on the left, click Application Configuration.

  5. Add three new keys for the AppConfig and paste the values you copied from the MAM MDM tab:

    • Mobile Access Management MDM ID

    • Mobile Access Management Server

    • Device Identifier

  6. Save the change, then click Save and Publish, then Publish.

    NOTE:

    If you change the existing AppConfig, wait 1-2 minutes before rebooting devices, because the AppConfig may not be updated in time if the device reboot is performed immediately.

The Workspace ONE Launcher and Deploying Apps

How you deploy the Imprivata Locker Android and other apps to your users depends on whether the devices are configured to use the native system launcher or the Workspace ONE launcher.

NOTE:

Choosing one Launcher deployment type over the other is based on the level of access your organization wants users to have on the mobile device.

Each deployment type has corresponding configuration tasks.

Consider the following:

  • Workspace ONE Launcher—The Workspace ONE Launcher gives you greater control of the device by limiting what users can access.

    For example, you can define a specific set of apps that are available to users, while preventing access to system settings and other functionality.

    To configure Imprivata Locker Android and other apps with the Workspace ONE Launcher, see Configure Android Locker App and Workspace ONE Launcher.

  • Native system launcher—The native system launcher gives users greater access to the device.

    For example, users can change system settings, customize the home screen, and generally manage the device as if it were their own.

    To configure Imprivata Locker Android and other apps using the native system launcher (without the Workspace ONE Launcher), see Configure Android Locker App and Native Launcher.

For deployments using the Workspace ONE launcher, the following profiles are required:

  • A profile for the Workspace ONE Launcher that distributes the Imprivata Locker app for Android and other user apps.

    In addition, this profile makes all of the required Android packages accessible to the device, but hidden from users.

  • A profile that enables permissions for all of the apps on the devices and enables Lock Task mode.

  1. In the Workspace ONE UEM console, open your Android Device Profile.

  2. Click Add Version to enable the profile editing.

  3. Click Launcher and then click Configure.

  4. In the Multi app block, click Select. The Launcher canvas appears.

  5. Click Layout, and then configure elements such as the icon grid and orientation preference.

  6. Under the App section, select Public from the list.

  7. Under the Launcher section, in Advanced Launcher settings, select Use Legacy Launcher APIs.

  8. Drag and drop the Imprivata Locker apps to the Launcher canvas, and then organize any other required apps.

  9. Select Miscellaneous from the list, click Add an App, and then enter the following:

    1. In the Application Name field, enter "Settings".

    2. In the Application ID field, enter "com.android.settings", and then click Add.

  10. Using the Miscellaneous value, continue to add the remaining required packages:

    1. System UI (com.android.systemui)

    2. NFC (com.android.nfc)

    3. Accessibility (com.samsung.accessibility) - required for Android 9 and later on Samsung devices.

  11. Open the Hidden Apps tab and drag and drop Settings, System UI, NFC, and if required, Accessibility to the Launcher canvas and then click Save.

    Click Save & Publish.

To configure lock task mode and add the Imprivata Locker app to the allowlist:

  1. In the Workspace ONE UEM console, expand the Lock Task Mode section to specify the lock task mode settings.

  1. From the Allowlisted Apps field, select Imprivata Locker.

  2. For the Home Button, select Disabled.

  3. For the Global Actions, select Enabled. This allows device reboot.

  4. Set System Info in status bar to Disabled.

  5. For the Lock Screen, select Disabled.

Enabling permissions prevents users from being prompted to allow permissions manually. The Imprivata Locker app requires permission to:

  • Draw over (overlay) other apps.

  • Read notifications and access notifications.

To enable permissions:

  1. In the Workspace ONE UEM console, click Devices > Profiles and Resources > Profiles.

    The Profiles screen appears.

  2. Click Add > Add Profile, and then click Android.

  3. Complete the following General settings:

    • Enter a name.

    • In the Smart Groups field, assign the same user groups that was assigned to the previous profile.

  4. Click Permissions, and then click Configure.

    The Permissions screen appears.

  5. From the Permission Policy list, select Grant all permissions, and then click Save and Publish.

    The Profiles screen appears and lists the new profile.

To configure lock task mode and add the Imprivata Locker app to the allowlist:

  1. In the Workspace ONE UEM console, expand the Lock Task Mode section to specify the lock task mode settings.

  1. From the Allowlisted Apps field, select Imprivata Locker.

  2. For the Home Button, select Disabled.

  3. For the Global Actions, select Enabled. This allows device reboot.

  4. Set System Info in status bar to Disabled.

  5. For the Lock Screen, select Disabled.

Enabling permissions prevents users from being prompted to allow permissions manually. The Imprivata Locker app requires permission to:

  • Draw over (overlay) other apps.

  • Read notifications and access notifications.

To enable permissions:

  1. In the Workspace ONE UEM console, click Devices > Profiles and Resources > Profiles.

    The Profiles screen appears.

  2. Click Add > Add Profile, and then click Android.

  3. Complete the following General settings:

    • Enter a name.

    • In the Smart Groups field, assign the same user groups that was assigned to the previous profile.

  4. Click Permissions, and then click Configure.

    The Permissions screen appears.

  5. From the Permission Policy list, select Grant all permissions, and then click Save and Publish.

    The Profiles screen appears and lists the new profile.