MDM Integration: VMware Workspace ONE (Airwatch)

NOTE: Applies to iOS and Android devices.

Mobile Access Management has deep integration with VMware Workspace ONE (formerly AirWatch). The instructions below describe how to set up Mobile Access Management to use AirWatch APIs.

For iOS devices you may optionally add an Enrollment Profile for touch-free enrollments of non-DEP devices.

API Integration

API integration adds many additional features to customize your Workflows, including unenroll-before-enroll, assigning organization groups, setting friendly names, and more.

  • iOS Devices — API Integration is recommended for both DEP and non-DEP enrollments for iOS devices.
  • Android Devices — API Integration is required for Android enrollments.
Android Requirements
  • The Imprivata Locker Android app must be granted Lock Task permissions in the MDM.
  • The Locker app must be added to the allowlist in your MDM.
Best Practices
  • Imprivata strongly recommends you use a local Workspace ONE admin account for Mobile Access Management APIs and avoid Active Directory accounts. Active Directory admins slow each API call by two seconds, which will make your checkouts slower.
  • Set up certificate authentication for the local admin user, which will avoid periodic password expirations.
Step 1: Configure Mobile Access Management
  1. In the MAM admin console, navigate to Admin > MDMs. Click + Add, and select AirWatch.
  2. Switch the API Integration setting to ON. Click Configure.
    In the configuration dialog, add API settings that you obtain from the Workspace ONE admin console.
Step 2: Enable REST APIs in Workspace ONE
  1. In your Workspace ONE console, visit Groups & Settings > All Settings > System > Advanced > API > REST API > General.
  2. Ensure that Enable API Access is selected.
  3. Add a new API key, and label it “GroundControl”.
  4. Copy the newly created API key and paste it into GroundControl’s API Key field.
  5. Enter the hostname of the REST API URL, for example “as700.awmdm.com”. Do not include “https” or a trailing slash.
    NOTE: This may be different from your AW console URL. See VMware KB 82724 for more information.
  6. After enabling APIs, create a dedicated administrator account for API authentication, ensuring the administrator has a role of “Console Administrator” or above. Then, select an authentication method using Option 1 or 2 below.
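
As an added example (not from this page and not Imprivata's or VMware's code), the Python helper below applies the hostname rule from step 5 and builds a read-only authenticated request you can use to confirm that the API key and the dedicated admin account work before entering them in MAM. It assumes the Workspace ONE UEM REST API takes the key in an aw-tenant-code header and exposes GET /api/system/info, and that the admin account uses basic (password) authentication.

```python
import base64
import json
import os
import sys
import urllib.request


def normalize_api_host(raw):
    """Apply the Step 2 rule: hostname only, no scheme, no path, no trailing slash."""
    host = raw.strip()
    for scheme in ("https://", "http://"):
        if host.lower().startswith(scheme):
            host = host[len(scheme):]
    host = host.split("/", 1)[0]  # drop any path or trailing slash
    if not host or any(c.isspace() for c in host):
        raise ValueError("not a usable REST API hostname: %r" % raw)
    return host


def build_system_info_request(raw_host, api_key, username, password):
    """Return (url, headers) for a read-only call authenticated with the tenant
    API key (the key labelled "GroundControl") and the dedicated admin account.
    The endpoint and header names are assumptions, not taken from this page."""
    host = normalize_api_host(raw_host)
    creds = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    headers = {
        "aw-tenant-code": api_key,
        "Authorization": "Basic " + creds,
        "Accept": "application/json",
    }
    return "https://%s/api/system/info" % host, headers


def check_api_access(raw_host, api_key, username, password, timeout=15):
    """Send the request and return (product name, version); an HTTPError with
    status 401 or 403 indicates a wrong key, wrong credentials or too low a role."""
    url, headers = build_system_info_request(raw_host, api_key, username, password)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        info = json.loads(resp.read().decode("utf-8"))
    return info.get("ProductName"), info.get("Version")


if __name__ == "__main__":
    # Credentials come from the environment so they never land in shell history.
    try:
        print(check_api_access(os.environ["WS1_HOST"], os.environ["WS1_API_KEY"],
                               os.environ["WS1_USER"], os.environ["WS1_PASSWORD"]))
    except KeyError as missing:
        sys.exit("set WS1_HOST, WS1_API_KEY, WS1_USER and WS1_PASSWORD first (%s)" % missing)
```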
Step 3: Configure Android Locker App (Android only)

Applies to Android devices only.

Step 3a: Configure the App Config in Workspace ONE
  1. In the MAM admin console, in the Android Locker App Configuration section, click Show details.
  2. Copy the AppConfig values from the Android Locker App Configuration section using the copy to clipboard icon next to each item.
    1. GroundControl MDM ID
    2. GroundControl Server
    3. Device Identifier
      NOTE: The Device Identifier AppConfig value is formatted differently, depending on your MDM. You will use these values when configuring AppConfig values in Workspace ONE.
  3. In the Workspace ONE UEM console, specify the user groups that will receive the Imprivata Locker (Android) app.
    1. On the distribution screen, name the assignment and in the Assignment Groups field, enter the name of the user group or smart group.
    2. Configure how to deploy Imprivata Locker. Select Auto.
  4. From the menu on the left, click Application Configuration.
  5. Add three new keys for the AppConfig and paste the values you copied from the GroundControl MDM tab:
    1. GroundControl MDM ID
    2. GroundControl Server
    3. Device Identifier
  6. Save the change, then click Save and Publish, then Publish.

NOTE: If you change the existing AppConfig, wait 1-2 minutes before rebooting devices, because the AppConfig may not be updated in time if the device reboot is performed immediately.

Step 3b: Configure Lock Task and Add Locker App to Allowlist

To configure lock task mode and add the Locker app to the allowlist:

  1. In the Workspace ONE UEM console, expand the Lock Task Mode section to specify the lock task mode settings.
  2. From the Allowlisted Apps field, select Imprivata Locker.
  3. For the Home Button, select Disabled.
  4. For the Global Actions, select Enabled. This allows device reboot.
  5. Set System Info in status bar to Disabled.
  6. For the Lock Screen, select Disabled.

Step 3c: Configure a Lock Task Profile

To enable lock task permissions, deploy a lock task profile:

In the Workspace ONE UEM console, navigate to Resources > Profiles > Add profile > Setup Custom Settings.

<characteristic uuid="0bb1b271-b958-496d-a29b-6d7eb97ee0a1" type="com.airwatch.android.androidwork.kiosk" target="2">
    <parm name="packages" value="com.imprivata.locker" type="string" />
    <parm name="allowLockTaskHomeScreen" value="False" />
    <parm name="allowLockTaskOverview" value="False" />
    <parm name="allowLockTaskNotifications" value="False" />
    <parm name="allowLockTaskGlobalActions" value="True" />
    <parm name="allowLockTaskSystemInfo" value="False" />
    <parm name="allowLockTaskKeyguard" value="False" />
</characteristic>
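
The UI choices in Step 3b and the custom settings in Step 3c describe the same lock task policy. The following check is an added example (not Imprivata's or VMware's code) that parses a custom-settings profile and reports any parm that departs from those restrictions, or any package other than the Locker app in the allowlist, so a profile can be reviewed before it is published; it assumes that several packages would be listed comma separated.

```python
import xml.etree.ElementTree as ET

KIOSK_TYPE = "com.airwatch.android.androidwork.kiosk"
LOCKER_PACKAGE = "com.imprivata.locker"

# Values implied by Step 3b: Home disabled, Global Actions enabled (so the
# device can be rebooted), System Info disabled, Lock Screen disabled.
EXPECTED_PARMS = {
    "allowLockTaskHomeScreen": "False",
    "allowLockTaskOverview": "False",
    "allowLockTaskNotifications": "False",
    "allowLockTaskGlobalActions": "True",
    "allowLockTaskSystemInfo": "False",
    "allowLockTaskKeyguard": "False",
}

# The profile from Step 3c, copied here as the sample input.
PAGE_PROFILE = """<characteristic uuid="0bb1b271-b958-496d-a29b-6d7eb97ee0a1" type="com.airwatch.android.androidwork.kiosk" target="2">
    <parm name="packages" value="com.imprivata.locker" type="string" />
    <parm name="allowLockTaskHomeScreen" value="False" />
    <parm name="allowLockTaskOverview" value="False" />
    <parm name="allowLockTaskNotifications" value="False" />
    <parm name="allowLockTaskGlobalActions" value="True" />
    <parm name="allowLockTaskSystemInfo" value="False" />
    <parm name="allowLockTaskKeyguard" value="False" />
</characteristic>"""


def audit_lock_task_profile(xml_text):
    """Return a list of problems; an empty list means the profile matches the policy."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "characteristic" or root.get("type") != KIOSK_TYPE:
        return ["root element must be a characteristic of type %s" % KIOSK_TYPE]
    parms = {p.get("name"): p.get("value") for p in root.findall("parm")}
    # Assumption: multiple packages would be comma separated.
    packages = [x.strip() for x in (parms.get("packages") or "").split(",") if x.strip()]
    if LOCKER_PACKAGE not in packages:
        problems.append("packages must allowlist %s" % LOCKER_PACKAGE)
    extras = sorted(x for x in packages if x != LOCKER_PACKAGE)
    if extras:
        problems.append("unexpected packages allowlisted: %s" % ", ".join(extras))
    for name, want in EXPECTED_PARMS.items():
        got = parms.get(name)
        if got is None:
            problems.append("missing parm %s" % name)
        elif got != want:
            problems.append("%s is %r, expected %r" % (name, got, want))
    return problems
```

Running audit_lock_task_profile(PAGE_PROFILE) returns an empty list; any drift from the Step 3b settings, or an extra allowlisted package, comes back as a readable finding.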

Step 4: Non-DEP Device Enrollment (iOS only)

Applies only to iOS devices.

Enrollment profiles are not required for DEP enrollments. If you have non-DEP devices to enroll, follow these instructions to obtain an enrollment profile from AirWatch.

Step 4a: Select an Enrollment Organization Group

Non-DEP devices will enroll into this group. You can use API integration to move devices into any child organization group of the enrollment group. Note that the APIs cannot move devices “sideways” into another group, only “down.” For maximum flexibility, we recommend using the root organization group for enrollment.

Step 4b: Create a Staging User

Workspace ONE requires that every device is associated with a user. You will need to create a user (not an administrator) to associate devices with. Create this user in your staging organization group. You only need to enter the required fields. The password can be anything, as it will never be used.

If you are sharing devices, then this configuration is sufficient. All devices will belong to the same staging user. But if you are staging devices for later one-to-one assignment, select the Enable Device Staging box. With this box checked, the device may be re-assigned to a particular user later in the process.

Click Save when done.

Step 4c: Export the Enrollment Configuration Profile

The section to download the enrollment configuration profile is buried deep within Settings. Go to Devices > Device Settings > Apple > Automated Enrollment.

Ensure the correct staging organization group is selected at the top of the screen.

  1. Enable Automated Enrollment, and Apple iOS.
  2. For shared devices, set the staging mode to “None.” To stage 1-1 deployments, select “Single User.”
  3. Select the correct Default Staging User.
  4. Click Export to download a configuration profile containing this enrollment information. (If you are on a Mac, your Mac will attempt to install this configuration profile. Click Cancel or you will enroll your Mac into Workspace ONE!)
  5. Locate the downloaded configuration profile on your Mac or PC. Upload this file into the Workspace ONE setting within MAM.