MDM Integration: Omnissa Workspace ONE — iOS
This topic applies to iOS devices and Omnissa Workspace ONE (formerly VMware Workspace ONE). For Android devices and Workspace ONE, see MDM Integration: Omnissa Workspace ONE — Android.
Mobile Access Management has deep integration with Workspace ONE. The instructions below describe how to set up Mobile Access Management to use Workspace ONE APIs.
For iOS devices, you may optionally add an Enrollment Profile for touch-free enrollments of non-DEP devices.
API Integration
API integration adds many additional features to customize your Workflows, including unenroll-before-enroll, assigning organization groups, setting friendly names, and more.
- iOS Devices — API Integration is recommended for both DEP and non-DEP enrollments for iOS devices.
Best Practices
- Imprivata strongly recommends you use a local Workspace ONE admin account for Mobile Access Management APIs and avoid Active Directory accounts. Active Directory admins slow each API call by two seconds, which will make your checkouts slower.
- Set up certificate authentication for the local admin user, which will avoid periodic password expirations.

- In the MAM console, navigate to Admin > MDMs. Click + Add, and select VMware AirWatch.
- Switch the API Integration setting to ON. Click Configure.
In the API Settings dialog, add API settings that you obtain from the Workspace ONE admin console.

- In your Workspace ONE console, visit Groups & Settings > All Settings > System > Advanced > API > REST API > General.
- Ensure that Enable API Access is selected.
- Add a new API key, and label it “GroundControl”.
- Copy the newly created API key and paste it into MAM’s API Key field.
- Enter the hostname of the REST API URL, for example “as700.awmdm.com”. Do not include "https" or a trailing slash.
NOTE: This may be different from your AW console URL. See VMware KB 82724 for more information.
- After enabling APIs, create a dedicated administrator account for API authentication, ensuring the administrator has a role of "Console Administrator" or above. Then, select an authentication method using Option 1 or 2 below.
Option 1: Authenticate with User and Certificate
- In the Workspace ONE admin console, navigate to the Authentication tab. Ensure Certificate authentication is enabled.
- In Accounts > Administrators > List View, select or create a Workspace ONE administrator account to use with Mobile Access Management. You can use a Basic or Directory account.
- To enable API access for one of your administrator accounts, edit the administrator and click the API tab.
- Select Certificates, then enter a Certificate password and click Generate Client Certificate.
- Click Export Client Certificate and click Save.
- In the MAM console, upload the certificate, then enter the admin username and the certificate password you just created.
- Click Test to confirm the connection has been established. Click Save.
IMPORTANT: If the API admin user account is locked, authentication will fail. Make sure the admin account is unlocked by resetting the user’s password.
If the API admin user’s password expires, API integration will continue to work as expected.
Option 2: Authenticate with Username and Password
To configure authentication with username and password:
- In the Workspace ONE admin console, navigate to the Authentication tab. Ensure Basic authentication is enabled.
- In Accounts > Administrators > List View, select or create an AirWatch administrator account to use with Mobile Access Management. You can use a Basic or Directory account.
NOTE: If using this method, Imprivata recommends a dedicated directory account for Mobile Access Management, and using certificate-based authentication, as Workspace ONE may enforce a periodic password change for Basic users.
- To enable API access for one of your administrator accounts, edit the administrator, and click the API tab. Make sure Basic authentication is enabled.
- In the Roles tab, ensure the administrator has a role of Console Administrator or above.
IMPORTANT: Each Administrator must log in once to the Workspace ONE console to accept the terms and conditions.
- In the MAM console, enter this Workspace ONE administrator username and password.
- Click Test to confirm the connection has been established. Click Save.
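A preflight check for the values entered in the API Settings dialog, as an added example (not Imprivata or Omnissa code): it enforces the hostname rule given above and builds a read-only request using the Option 2 credentials. The `aw-tenant-code` header and the `/API/system/info` path are assumptions about the Workspace ONE REST API to confirm against your tenant's API help page; the function names and sample values are hypothetical.

```python
import base64
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_api_host(value):
    """Return a list of problems with the REST API hostname field (empty = OK)."""
    problems = []
    host = value.strip()
    if host != value:
        problems.append("leading or trailing whitespace")
    if "://" in host:
        problems.append("includes a scheme such as https://")
        host = host.split("://", 1)[1]
    if host.endswith("/"):
        problems.append("has a trailing slash")
        host = host.rstrip("/")
    if "/" in host:
        problems.append("includes a path")
        host = host.split("/", 1)[0]
    if "@" in host:
        problems.append("includes credentials")
        host = host.rsplit("@", 1)[1]
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        problems.append("is not a fully qualified hostname")
    return problems


def build_connection_test(host, api_key, username, password):
    """Build (url, headers) for a read-only connection check using Basic auth."""
    problems = check_api_host(host)
    if problems:
        raise ValueError("REST API hostname " + "; ".join(problems))
    if not api_key or api_key != api_key.strip():
        raise ValueError("API key is empty or has stray whitespace from copy/paste")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    headers = {
        "aw-tenant-code": api_key,          # assumed Workspace ONE API key header
        "Authorization": "Basic " + token,  # Option 2 username and password
        "Accept": "application/json",
    }
    # Assumed read-only endpoint; the scheme is always https, never taken from input.
    return f"https://{host}/API/system/info", headers
```

The returned pair can be sent with `urllib.request.Request(url, headers=headers)` from a host that is allowed to reach the API.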

Enrollment profiles are not required for DEP enrollments. If you have non-DEP devices to enroll, follow these instructions to obtain an enrollment profile from Workspace ONE.

Non-DEP devices will enroll into this group. You may use API integration to move devices into any child organization group of the enrollment group. Note that you cannot use APIs to move devices “sideways” into another group, only “down.” For maximum flexibility, Imprivata recommends you use the root organization group for enrollment.

Workspace ONE requires that every device is associated with a user. You will need to create a user (not administrator) to associate devices. Create this user in your staging organization group. You only need to enter the required fields. The password can be anything, as it will never be used.
If you are sharing devices, then this configuration is sufficient. All devices will belong to the same staging user.
But if you are staging devices for later one-to-one assignment, select the Enable Device Staging box. With this box checked, the device may be re-assigned to a particular user later in the process.
Click Save when done.

The section to download the enrollment configuration profile is buried deep within Settings. Go to Devices > Device Settings > Apple > Automated Enrollment.
Ensure the correct staging organization group is selected at the top of the screen.
- Enable Automated Enrollment and Apple iOS.
- For shared devices, set the Staging Mode to None. To stage 1-1 deployments, select Single user device.
- Select the correct Default Staging User.
- Click Export to download a configuration profile containing this enrollment information. If you are on a Mac, your Mac will attempt to install this configuration profile. Click Cancel or you will enroll your Mac into Workspace ONE.
- Locate the downloaded configuration profile on your Mac or Windows computer. Upload this file into the VMware setting within Mobile Access Management.