GroundControl has deep integration with VMware AirWatch. The instructions below describe how to set up GroundControl to use AirWatch APIs. Optionally, you may add an Enrollment Profile for touch-free enrollments of non-DEP devices.
AirWatch API Integration is recommended for both DEP and non-DEP enrollments. API integration adds many additional features to customize your workflows, including unenroll-before-enroll, assigning organization groups, setting friendly names, and more.
In GroundControl, navigate to Admin > MDMs. If you don’t already have an MDM for AirWatch, click the “+ Add” button, and select “AirWatch”.
Switch ON the “API Integration”. You’ll see a configuration panel.
Enter the hostname of your AirWatch console, for example “cn700.awmdm.com”. Do not include “https” or a trailing slash.
API User & Password
In the AirWatch console, set up API access as follows:
- Visit Groups & Settings > All Settings > System > Advanced > API > REST API > Authentication. Ensure “Basic” authentication is enabled.
- In Accounts > Administrators > List View, select or create an AirWatch administrator account to use with GroundControl. We recommend a dedicated account for GroundControl.
- To enable API access for one of your administrator accounts, edit the administrator, and click on the “API” tab. Make sure “Basic” authentication is enabled.
- In the “Roles” tab, ensure the administrator has a role of “Console Administrator” or above.
- Important: Each Administrator must log in once to the AirWatch console to accept the AirWatch terms & conditions.
Enter this AirWatch administrator username and password in GroundControl.
In your AirWatch console, visit Groups & Settings > All Settings > System > Advanced > API > REST API > General.
- Make sure “Enable API Access” is checked.
- Add a new API key, and label it “GroundControl”
- Copy the API key and paste into GroundControl’s “API Key” field.
Test the settings before saving.
Enrollment Profile for Non-DEP Devices
Enrollment profiles are not required for DEP enrollments. If you have non-DEP devices to enroll, follow these instructions to obtain an enrollment profile from AirWatch.
Select an enrollment organization group
Non-DEP devices will enroll devices into this group. You may use API integration to move devices into any child organization group of the enrollment group. Note you can not use APIs to move devices “sideways” into another group, only “down.” For maximum flexibility, we recommend you use the root organization group for enrollment.
Create a staging user
AirWatch requires that every device is associated with a user. You will need to create a user (not administrator) to associate devices. Create this user in your staging organization group. You only need to enter the required fields. The password can be anything, as it will never be used.
If you are sharing devices, then this configuration is sufficient. All devices will belong to the same staging user. But if you are staging devices for later one-to-one assignment, check the “Enable Device Staging” box. With this box checked, the device may be re-assigned to a particular user later in the process.
Click “Save” when done.
Export the enrollment configuration profile
The section to download the enrollment configuration profile is buried deep within Settings. Go to Devices > Device Settings > Apple > Automated Enrollment.
Ensure the correct staging organization group is selected at the top of the screen.
- Enable “Automated Enrollment”, and “Apple iOS”.
- For shared devices, set the staging mode to “None.” To stage 1-1 deployments, select “Single User.”
- Choose the correct Default Staging User.
Click “Export” to download a configuration profile containing this enrollment information. (If you are on a Mac, your Mac will attempt to install this configuration profile. Click “Cancel” or you will enroll your Mac into AirWatch!)
Locate the downloaded configuration profile on your Mac or PC. Upload this file into the AirWatch setting within GroundControl.