Evaluation Guide: Setting Up Workspace ONE Cloud

Overview

This evaluation guide introduces you to cloud-based Omnissa Workspace ONE®. Workspace ONE integrates access control, application management, and multi-platform endpoint device management into a single platform.

Use Workspace ONE to manage mobile devices, desktops, rugged devices, and “things.” With Workspace ONE, end users can get password-less single sign-on to a catalog of mobile apps, web apps, cloud apps, and Windows apps.

Purpose of This Guide

The tutorials in this guide help you evaluate this product through a series of practical exercises. Each exercise includes a video that demonstrates how to perform the task. For your convenience, following the video are the written-out steps. This way, you can consume the information in the format that you prefer: video, text, or both.

This guide describes the process of setting up a cloud-based Workspace ONE environment. For day-2 operations, a section at the end of this guide points to other documents. Most of these other documents are called operational tutorials.

Important: The exercises in this guide are for evaluation purposes, based on minimum required resources for a basic deployment, and do not explore all possible features. The resulting environment should not be used as a template for deploying a production environment. To deploy a production environment, see the Workspace ONE Documentation and Workspace ONE UEM documentation.

This guide is intended for prospective IT administrators of Workspace ONE and anyone who uses the product. Familiarity with networking and storage in a virtual environment, Active Directory, identity management, and directory services is assumed.

Technical Introduction and Features

Workspace ONE is a product family that delivers and manages any app on any device by integrating access control, application management, and unified endpoint management.

The main components of Workspace ONE are Workspace ONE® Unified Endpoint Management (UEM) and Omnissa Access (formerly known as Workspace ONE Access). Workspace ONE also integrates with Omnissa Horizon® to provide virtual desktops and apps.

Features and Benefits

Key features of Workspace ONE include:

  • Identity and access management: The Omnissa Access component of Workspace ONE uses certificates to establish trust. This way, end users can get password-less single sign-on to a catalog of mobile apps, web apps, cloud apps, and Windows apps. 

    To protect sensitive information, Workspace ONE enforces access decisions based on device compliance and identity context. If needed, administrators can apply conditional access policies on a per-application basis.
  • Unified endpoint management: With the Workspace ONE UEM component of Workspace ONE, the choice of endpoint device can be left up to employees. Administrators manage the full lifecycle of any endpoint—mobile (Android, iOS), desktop (Windows 10, macOS, Chrome OS), rugged, and even IoT. Device management types include bring-your-own, choose-your-own, corporate-owned, locked down, and so on.
  • Automated app management: Whether you are deploying Windows apps or mobile apps, with Workspace ONE, you can automate the application delivery process to allow better security and compliance. Administrators can create an automated workflow for software, applications, files, scripts, and commands to install on endpoint devices.
  • Windows application and desktop delivery: Users can access their Horizon virtual apps and desktops from the Workspace ONE Intelligent Hub app, enabling the flexibility to be productive wherever they are.

Components and Architecture

The core elements of cloud-based Workspace ONE that you must install or configure include:

  • Workspace ONE UEM tenant and console, for unified management of mobile devices, desktops, and BYOD endpoints
  • Cloud Connector, for transmitting information from your internal resources, such as Active Directory (AD) or LDAP, to the Workspace ONE UEM console without any firewall changes
  • Omnissa Access tenant and console, for secure, password-free single sign-on (SSO) to SaaS, mobile, Windows, virtual, and web apps on any device and OS
  • Omnissa ONE Access Connector, for integrating with your on-premises infrastructure, such as AD, RSA SecurID, and Horizon, to provide directory integration, user authentication, and virtual apps integration
  • Omnissa Workspace ONE Tunnel, for authorizing both in-house and third-party apps to access resources on the corporate intranet using a secure network connection

This guide takes you through the process of setting up all these components except the Tunnel.

For a high-level overview of the architecture, see the What is the architecture of Workspace ONE? section of the What Is Workspace ONE? document.

For detailed descriptions of how the components work together, along with logical architecture diagrams, see the Workspace ONE UEM Architecture document and the Omnissa Access Architecture document.

Packaging and Licensing

Workspace ONE is licensed as a subscription, with various pricing packages. For a brief overview of the available packages, along with prices, see the “Compare Editions and Pricing” section of the Omnissa Workspace ONE website, and click the Price & Compare tab.

Two licensing models are available: per user and per device. When licensing Workspace ONE in a device-license model, the SSO and access control technology is restricted to work only on licensed devices and from managed applications. Organizations looking to enable or allow access to enterprise applications from any web browser must license Workspace ONE in a per-user license model.

Acquiring a Cloud-Based Workspace ONE Environment

Most of the setup and administration tasks for Workspace ONE are accomplished by using the Workspace ONE UEM console. The exercises in this chapter walk you through signing up for a free trial and navigating through Omnissa Cloud Services to the Workspace ONE Cloud Admin Hub console, and then to the Workspace ONE UEM console and its Getting Started page.

Exercise: Sign Up for a Free Trial

To follow the exercises in this evaluation guide, you do not need to have purchased Workspace ONE. You can sign up for a free trial. A trial Workspace ONE UEM environment can become production-ready. At any time, you can make your purchase and continue to use Workspace ONE beyond the trial period.

For your convenience, the following table lists (1) the information that you will need to supply when signing up for your free trial and (2), in the case of the tenant URLs, information that Omnissa will provide and that you can copy down for future reference.

Table 1: Information Associated with Setting Up Workspace ONE

Omnissa Customer Connect user name
(If you do not have an Omnissa user account, you can create one by going to the Omnissa Customer Connect Registration page.)

Omnissa Customer Connect password

Tenant URL for Omnissa Access
(This URL will be generated as you work through the Welcome wizard. Record it here.)

Security PIN
(Choose a 4-digit PIN. You will be prompted for this PIN when configuring certain settings within Workspace ONE.)

Tenant URL for Workspace ONE UEM
(At the end of the procedure, you are taken to the Workspace ONE UEM console. You can copy the URL and record it here.)

Note: The following video, Starting a Free Trial of Workspace ONE, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. Navigate to https://www.omnissa.com/contact-us/, or go to the Omnissa.com website and click the Contact Us button so that you can contact a sales representative to request a free trial.

    A salesperson will be in touch. Once your free trial is approved, or once you purchase a subscription, Omnissa will send a Welcome to Workspace ONE email, which includes your unique service activation (Get Started) link.
  2. In your email app, open the Welcome to Workspace ONE email.

    If you cannot find the email, check your Spam folder.
  3. Click the Get Started button in the email.

    This link directs you to the Omnissa Cloud Services console. Be sure to use this Get Started service activation link when you log in to the Omnissa Cloud Services console for the first time.
  4. Sign in to the console using your Omnissa Customer Connect user name and password.

    If you do not have an account, click CREATE YOUR OMNISSA ACCOUNT on the Welcome page and create an account.
  5. On the Organization Setup page, verify the organization name (which is the company name you want to use), click the I agree to the Omnissa Cloud Services Terms of Service check box, and click CREATE ORGANIZATION AND COMPLETE SIGN-UP.
  6. Follow the prompts for the Welcome to Workspace ONE wizard, to supply information about your company and your interest in the free trial, and then click FINISH.
  7. On the Welcome to Onboarding page, when prompted to customize the URL for Omnissa Access (formerly called Workspace ONE Access), select I want to keep the tenant URL as is right now, and then copy the URL and record it for future reference. Click Continue.

    You are taken to the Omnissa Connect console (formerly called the Workspace ONE Cloud Admin Hub).
    Note: Because this is not a production environment, you do not need a customized URL. If you are interested in a customized URL, see the product documentation topic Change Your Omnissa Access URL.
  8. Scroll down to the Workspace ONE UEM tile and click MANAGE.

    If desired, note or bookmark the URL for the Workspace ONE UEM console so that you can go directly to the console in the future, rather than logging in to the Omnissa Connect console (https://connect.omnissa.com/), launching the Workspace ONE Cloud service, and finding the tile for launching the UEM service.
  9. On the Security Settings page, enter a 4-digit PIN, which you will later need to use to confirm certain settings and actions within Workspace ONE.

If you were setting up a production environment rather than an evaluation, at this point you would add other accounts, assign roles, invite users, and federate user access to Omnissa Cloud Services, as described in the product documentation topic Next steps: Account creation, inviting other admins, and federation. But for the exercises in this guide, you can skip these tasks.

Exercise: Log In to and Explore the Workspace ONE UEM Console

The Workspace ONE UEM console allows you to quickly add new devices and users, manage profiles, and configure system settings. In this exercise, you navigate to the console by first logging in to Omnissa Cloud Services.

Note: The following video, Exploring the Omnissa Workspace ONE UEM Console, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. Log in to Omnissa Cloud Services, at https://connect.omnissa.com/, by using your Omnissa Connect account ID and password.
  2. On the Services page, on the Workspace ONE Cloud tile, click LAUNCH SERVICE.

    You are taken to the Workspace ONE Cloud Service page, Workspace tab, and you see a range of Workspace ONE services, which will be discussed in this evaluation guide. 
  3. In the Services section, find the UEM tile and click LAUNCH.
  4. If a pop-up window appears, close it.

    You see the Workspace ONE UEM console. You can copy or bookmark the URL for this page so that you can come directly to the Workspace ONE UEM console in the future, without having to navigate from the Omnissa Cloud Services page.
  5. Click the various items in the header menu to get an understanding of what they do. These items are described in the video above, and also in the product documentation topic Working in the Workspace ONE UEM Console – Header Menu.
  6. Click the Support tab on the right edge of the window to explore the various support options, which include raising support requests, searching documentation topics, and asking a question in the community forum.
  7. Finally, click through the items in the panel on the left, and expand the sub-menus to see the extensive set of configuration settings and monitoring tools available.

    The user interface is designed to let you perform actions from multiple areas. For example, from the MONITOR dashboard, you can see a list of devices, but you can also add a device, or you can add a device from the DEVICES list, if that location is more convenient for you.

In the next exercise, you use the Getting Started page to begin configuring Workspace ONE.

Registering Workspace ONE with Apple and Google

The first step to managing mobile devices with Workspace ONE is to integrate with the device OS. To deploy a mobile device management (MDM) product, such as Workspace ONE, to an Apple device, a company must have an MDM certificate from Apple and use the Apple Push Notification service. Similarly, to use Workspace ONE on an Android device, a company must register Workspace ONE as the enterprise mobile management (EMM) provider with Google.

Note: The exercises in this chapter pertain to Apple and Android devices but not Google Chrome devices. For instructions on Chrome devices, see the Tech Zone document Managing Chrome OS Devices: Workspace ONE Operational Tutorial, and see the Workspace ONE UEM Integration with Chrome OS document.

Exercise: Configure the Apple Push Notification Service

To set up communication between Workspace ONE and your users’ Apple devices, Workspace ONE uses the Apple Push Notification service (APNs). In this exercise, you generate an APNs certificate to establish a secure connection.

Note: The following video, Configuring Workspace ONE to Use the Apple Push Notification Service, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, navigate to the Getting Started > Workspace ONE page.
  2. In the Apple Push Notification Service row, click CONFIGURE.
  3. On the Link Your Apple Account page, click MDM_APNsRequest.plist to download the certificate request, and then click CONTINUE.
  4. Enter the Apple ID that you want to use and click the Apple Push Certificates Portal link.

    Omnissa recommends that you create a corporate Apple ID that will be dedicated to mobile device management for your company. But for an evaluation, you do not have to have a corporate Apple ID.
  5. In the new browser tab that opens, sign in with that same Apple ID you entered in the wizard, and when prompted, enter the verification code that Apple texts to you.
  6. On the Apple Push Certificates Portal page, click Create a Certificate.
  7. Scroll through the terms of use, click the check box to agree to the terms, and click Accept.
  8. On the Create a New Push Certificate page, click Browse, select and open the MDM_APNsRequest.plist file that you previously downloaded, and click Upload.
  9. On the Confirmation page, click Download to download the certificate file, in .pem format.
  10. Go back to the browser tab that has the Workspace ONE APNs wizard, scroll down, and click CONTINUE.
  11. Click UPLOAD, browse to the .pem file that you just downloaded, select it, and click SAVE.
  12. Click the FINISH button to complete the wizard.

    Back on the Getting Started page, there is now a check mark under Apple Push Notification and the item is marked as complete.
  13. To verify the connection, in the APNs row, click EDIT, and on the APNs for MDM page, scroll down and click TEST CONNECTION.

    A status message confirms that the connection was successful. You may now close the window to return to the Getting Started page.

Exercise: Register Workspace ONE UEM as the Android EMM Provider

To manage Android devices with Workspace ONE UEM, you must register Workspace ONE UEM as the enterprise mobility management (EMM) provider with Google. This quick process involves signing in with a Gmail account and providing Google with some information about your company.

For this exercise, you will use a managed Google account to configure Android, although it is also possible to use a managed Google domain instead, if your company uses G Suite. For more information, see the product documentation topic Registering Android with Workspace ONE UEM.

Important: If you have not signed in with the Gmail account you want to use, you might be prompted to verify your identity by opening the Gmail app on your phone and responding to an email there. For this exercise, because you are not setting up a production environment, you can use any Gmail account that you have access to.

Important: After registering a Google Admin account in Android for Work, you cannot disassociate that Google Admin account from that organization. If you are setting up a production environment, make sure the Google Admin account used is the account you want to associate with your organization.

Note: The following video, Registering Workspace ONE UEM as the Android EMM Provider, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, navigate to the Getting Started > Workspace ONE page.
  2. In the Android EMM Registration row, click CONFIGURE.
  3. In the Android EMM Registration window, click REGISTER WITH GOOGLE.

    A new browser tab opens on the Google Play – Bring Android to Work page.
  4. If the button under Bring Android to Work is a SIGN IN button, click the button and sign in. You might also be prompted to verify your identity by opening the Gmail app on your phone and responding to an email there.
  5. On the Google Play – Bring Android to Work page, click Get Started.
  6. On the Business Name page, enter your organization name and click Next. Workspace ONE UEM is listed as the enterprise mobility manager (EMM) provider.
  7. Complete the Contact details form, select the check box to agree to the Managed Google Play agreement, and click Confirm.
  8. On the Set Up Complete page, click Complete Registration.

    You are returned to the Workspace ONE UEM console, to the Android EMM Registration page.
  9. Scroll down and click TEST CONNECTION. A status message confirms that the connection was successful.
  10. Click SAVE and close the window to return to the Getting Started page.

Back on the Getting Started page, there is now a check mark under Android EMM Registration and the item is marked as complete.

Integrating Workspace ONE UEM, Omnissa Access, and Active Directory

By completing the exercises in this chapter, you will connect the various Workspace ONE tenants to each other and integrate your company’s directory services with Workspace ONE. These exercises include:

  1. Verify or, if necessary, connect an Omnissa Access tenant to your Workspace ONE UEM tenant.
  2. Install and configure the Cloud Connector so that communication is established between Workspace ONE UEM and your company’s Active Directory (AD) system.
  3. Add one or more user groups from AD and synchronize them with Workspace ONE UEM.
  4. Install and configure the Access Connector so that communication is established between Omnissa Access (formerly called Workspace ONE Access) and your company’s AD system.
  5. Add one or more user groups from AD and synchronize them with Omnissa Access.

Exercise: Connect to the Access Tenant

When end users first log in, Omnissa Access can check identification and note what permissions the user account has. The user then sees a personalized self-service catalog of applications and virtual desktops. Omnissa Access provides conditional access controls and single sign-on (SSO) for software as a service (SaaS), web, and cloud resources. Omnissa Access can act as an IDP (identity provider) or be integrated with authentication providers such as Active Directory, ADFS, Ping, and Okta.

When you start a free trial of Workspace ONE, an Omnissa Access tenant is automatically created and connected. If you go to the Getting Started page in the Workspace ONE UEM console and scroll down, you see that the Omnissa Access row is already marked complete.

That is, if you are using a free-trial version, you will not need to perform either of the following procedures. The procedures are provided in case you need to connect to an existing Omnissa Access tenant or create a new one.

Note: The following video, Connecting Workspace ONE UEM to an Omnissa Access Tenant, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

To Connect to an Existing Omnissa Access Tenant

  1. If you have an email from Omnissa that tells you what your Omnissa Access tenant URL is, go to the Getting Started wizard of Workspace ONE UEM, scroll down to the Connect to Omnissa Access row, and click CONFIGURE.
  2. In the Connect to Omnissa Access window, click CONTINUE.
  3. Enter the URL from your email and enter the credentials for the Omnissa Access tenant.
  4. Click TEST CONNECTION, and after you see a message that the connection was successful, click SAVE.

Back on the Getting Started page, there is now a check mark under Connect to Omnissa Access and the item is marked as complete.

To Acquire an Omnissa Access Tenant

  1. If you do not yet have an Omnissa Access tenant at all, in the panel on the left side of the Workspace ONE UEM console, click GROUPS & SETTINGS.
  2. On the Groups & Settings page, click Configurations.
  3. In the search bar, type in Intelligent Hub and select Intelligent Hub in the search results that are returned.

    Note: Intelligent Hub Services is co-located with Omnissa Access in the same cloud tenant.
  4. Click Intelligent Hub.
  5. On the Intelligent Hub configuration page, click GET STARTED.
  6. In the Activate Hub Services window, click REQUEST CLOUD TENANT.
  7. On the Administrator Details page, click NEXT.

    The administrator details match those that you are using for Workspace ONE UEM, including an email address.
  8. On the Select Data Center Location page, select the country where your data center is located and click NEXT.
  9. On the Tenant Name page, click SAVE.

    Now if you go back to the Getting Started page and scroll down, you see that there is now a check mark under Connect to Omnissa Access and the item is marked as complete.
  10. When you requested a cloud tenant, Omnissa sent an email to the email address listed in the wizard. Be sure to check that email and click the link in it to reset the password.

Exercise: Install the Cloud Connector and Connect to the Directory Server

With the Cloud Connector, organizations can enjoy the benefits of Omnissa Mobile Device Management (MDM), running in any configuration, and integrated with their back-end enterprise systems. The Cloud Connector runs in the internal network, acting as a proxy that securely transmits requests from Workspace ONE UEM to the organization's existing LDAP, certificate authority, email, and other internal systems.

In this exercise, you download and install the Cloud Connector (ACC) on Windows Server and then configure Directory Services. The Cloud Connector provides secure access to your resources and Active Directory so you can import users and groups from your existing directory.

Server host requirements: In the video demonstration, we used a Windows Server 2019 Desktop Experience virtual machine, with 2 CPU cores, 8 GB of RAM, and 100 GB of disk space because we will later use this same virtual machine to install the Omnissa Access connector. For complete system requirements, see the product documentation topic Cloud Connector System Requirements (On Premises and SaaS).

For your convenience, the following table lists the information that the wizard requires you to supply or create.

Table 2: Information for the ACC and Directory Wizard

Password for the ACC certificate
(You create the password using the wizard.)

Directory server fully qualified domain name
(Example: dc.acme.com)

Bind username
(for the ACC to the directory server)

Bind password

Domain name (name with “.com”)

Note: The following video, Installing AirWatch Cloud Connector and Binding It to the Directory Server, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. On the Windows Server machine that you want to use for hosting the ACC, open a browser and enter the following URL to find out whether the server you are using for the ACC can reach the AWCM (AirWatch Cloud Messaging) server:

    https://awcmXXX.awmdm.com/awcm/status (Replace XXX with the same number used in your environment URL, for example, 100 for cn100.)

    If the connection is successful, you will see OK in the upper-left corner of the window.
  2. On that same machine, log in to the Workspace ONE UEM console and navigate to the Getting Started > Workspace ONE page.
  3. In the Cloud Connector (ACC) and Directory row, click CONFIGURE.
  4. On the Cloud Connector (ACC) and Directory page, click CONTINUE.
  5. On the Cloud Connector (ACC) Setup page, in the Download Installer section of the table, create a password and then click Download Cloud Connector (ACC) Installer.
  6. After you see a message saying the installer was downloaded, click CONTINUE.

    The next page of the wizard provides instructions on running the installer.
  7. If you do not have the .NET Framework Runtime installed on the server, use a browser to search for “.NET Framework Downloads” and then download and install it.

    At the time of this writing, .NET 4.8 Framework is required.
  8. After verifying that the .NET Framework is installed, locate and run the Cloud Connector installer.

    Note: You will be prompted to supply the certificate password you created earlier in this procedure.
  9. Back in the Workspace ONE UEM console, on the ACC wizard page where you left off, click CONTINUE.
  10. Click TEST CONNECTION, and if the connection is successful, click CONTINUE.
  11. Complete the Directory Setup page as described in the following list, and click SAVE:
  • Server – The fully qualified domain name of the Active Directory server (domain controller).
  • Bind Username and Bind Password – Credentials for binding to the directory server.
  • Domain – The fully qualified domain name; for example, acme.com.
  • Other fields on this page – Use the defaults.
  12. Click TEST CONNECTION, and if the connection is successful, click SAVE.
  13. In the Next Steps dialog box, click CANCEL. You will set up the Omnissa Access Connector in a later exercise.

Workspace ONE UEM now has the necessary connection to Active Directory so you can import users and groups from your existing directory.
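
The checks from steps 1 and 7, plus a reachability test for the Directory Setup server, can be scripted and run on the ACC host before starting the wizard. This is an added example, not part of the original guide or Omnissa tooling. The console URL and directory server name are constructed sample values built from the guide's own examples (cn100, dc.acme.com), and two things are assumptions: the cnXXX.awmdm.com host pattern (only awcmXXX.awmdm.com appears in step 1) and LDAP port 389 (the guide states no port).

```powershell
# Added example: pre-flight checks for a Cloud Connector (ACC) host.
# Constructed sample values; replace them with your own before running.
$ConsoleUrl      = 'https://cn100.awmdm.com'  # UEM console URL; cn100 is the guide's example number
$DirectoryServer = 'dc.acme.com'              # directory server FQDN, the guide's example
$LdapPort        = 389                        # assumption: standard LDAP port, not stated in the guide

function Get-AwcmStatusUrl {
    # Derive https://awcmXXX.awmdm.com/awcm/status from a console host named cnXXX.awmdm.com.
    param([Parameter(Mandatory)][string]$ConsoleUrl)
    $uri = [Uri]$ConsoleUrl
    if ($uri.Scheme -ne 'https') { throw "Console URL must use https: $ConsoleUrl" }
    if ($uri.Host -match '^cn(\d+)\.awmdm\.com$') {
        return "https://awcm$($Matches[1]).awmdm.com/awcm/status"
    }
    throw "Cannot derive the AWCM host from '$($uri.Host)'; expected cnXXX.awmdm.com"
}

function Test-AwcmStatus {
    # Step 1: the status page must answer over HTTPS and show OK.
    # Certificate validation stays on, so a failure here can be a TLS or
    # certificate error as well as a blocked outbound connection.
    param([Parameter(Mandatory)][string]$StatusUrl)
    # Windows PowerShell 5.1 may not offer TLS 1.2 by default; add it explicitly.
    [Net.ServicePointManager]::SecurityProtocol =
        [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    try {
        $resp = Invoke-WebRequest -Uri $StatusUrl -UseBasicParsing -TimeoutSec 15
        return ($resp.StatusCode -eq 200 -and $resp.Content -match '\bOK\b')
    } catch {
        Write-Warning "AWCM status check failed: $($_.Exception.Message)"
        return $false
    }
}

function Test-DotNet48 {
    # Step 7: .NET Framework 4.8 or later. Microsoft documents a Release
    # value of 528040 or higher under this key for version 4.8.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    return ($null -ne $release -and $release -ge 528040)
}

function Test-DirectoryServer {
    # Directory Setup: the server FQDN must resolve and accept a TCP connection.
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 389)
    try {
        $null = Resolve-DnsName -Name $Server -ErrorAction Stop
    } catch {
        Write-Warning "Cannot resolve ${Server}: $($_.Exception.Message)"
        return $false
    }
    $probe = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    return [bool]$probe.TcpTestSucceeded
}

$statusUrl = Get-AwcmStatusUrl -ConsoleUrl $ConsoleUrl
[pscustomobject]@{
    AwcmStatusUrl      = $statusUrl
    AwcmReachable      = Test-AwcmStatus -StatusUrl $statusUrl
    DotNet48OrLater    = Test-DotNet48
    DirectoryReachable = Test-DirectoryServer -Server $DirectoryServer -Port $LdapPort
} | Format-List
```

A False in any row points to the step to revisit before running the installer; the bind credentials themselves are still verified by TEST CONNECTION in the wizard.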

Exercise: Integrate Your Enterprise Directory with Workspace ONE UEM

Now that you have installed and configured the Cloud Connector so that it is connected to your enterprise directory, you can add user groups from your enterprise Active Directory to Workspace ONE UEM and then automatically sync the groups. This exercise leads you through the process.

Important: Before you start this exercise, you must have an Active Directory security group whose members include the user accounts you want to add to Workspace ONE UEM. If necessary, create the group in Active Directory Users & Groups and add the accounts as members.

Note: The following video, Adding and Syncing Active Directory User Groups in Workspace ONE UEM, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, enable custom attributes, as follows:
    1. Click GROUPS & SETTINGS in the left panel, and then click All Settings > System > Enterprise Integration > Directory Services.
    2. On the Directory Services page, click the User tab and click to expand the Advanced section.
    3. Scroll down to Enable Custom Attributes and click ENABLED.
    4. Scroll down and click SAVE.
  2. Configure the Cloud Connector so that the only enterprise service that is enabled is Directory Services, as follows:
    1. From the Settings list in the left panel, click Cloud Connector.
    2. On the Cloud Connector page, click the Advanced tab.
    3. In the Enterprise Services section, leave Directory Services set to ENABLED, and then click DISABLED to turn off all the other items in the section.

      Only Directory Services should be turned on at this point. You can activate one or more of the other services in the future, as required. For more information about these services, see the product documentation topic Cloud Connector Settings.
    4. Scroll down, click SAVE, and click the X in the upper-right corner to close this page.
  3. Back on the Getting Started page, add a user group from Active Directory, as follows:
    1. Click ACCOUNTS in the left panel, and then click User Groups > List View (or ACCOUNTS > Users > Users, depending on version).
    2. On the page displaying the list of users and groups, click Add and select Add User Group.
    3. In the Add User Group window, in the Search Text box, enter part or all of the AD user group name that you want to add and click SEARCH.

      The group should appear in the Group Name box.
    4. Click Save.

      You are returned to the User Groups page.
  4. Configure a setting so that group members can be added to Workspace ONE UEM automatically, as follows:
    1. Click the group name in the list.
    2. On the Summary page for the group, click the EDIT button in the upper-right corner of the page.
    3. In the Edit User Group window, scroll down to the setting Add Group Members Automatically and click ENABLED.
    4. Click SAVE.
  5. Synchronize the AD group with the directory service group in Workspace ONE UEM, as follows:
    1. On the Summary page for the group, click the SYNC button in the upper-right corner of the page.
    2. Click OK in the confirmation box, and click OK in the dialog box notifying you that the sync was successful.

      You are returned to the User Groups page.
  6. Click ACCOUNTS in the left pane, which should by default take you to the Users > Users page, where you can see the list of users you just automatically added.

Exercise: Install the Omnissa Access Connector

The Omnissa Access Connector is required for identity-driven features such as mobile SSO, conditional access, people search, and the browser-based Hub portal, which provides a catalog of applications and virtual desktops.

In this exercise, you will perform a default installation, which installs the Directory Sync, User Auth, Kerberos Auth, and Virtual App services. For information about a custom installation, see the product documentation topic Installing the Omnissa Access Connector.

Server host requirements: In the video demonstration, we used a Windows Server 2019 Desktop Experience virtual machine, with 2 CPU cores, 8 GB of RAM, and 100 GB of disk space because we also used this same virtual machine to install the Cloud Connector. For complete system requirements, see the product documentation topic Omnissa Access Connector Systems Requirements.

Note: The .NET Framework Runtime must be installed on the Windows Server. If you are following the exercises in order, you installed .NET Framework as part of Exercise: Install Cloud Connector and Connect to the Directory Server.

Table 3: Information for the Omnissa Access Connector

System domain admin credentials
(This is the account you set up when you got your Omnissa Access tenant. In all likelihood, it is the user name and password for your Omnissa account.)

Password for the connector configuration file
(You create the 14-character password using the wizard.)

Service account credentials
(Use a domain account, probably your own, that can be used to run the Kerberos Auth and Virtual App services. The only special characters allowed in the password are: @!*)

Note: The following video, Installing Omnissa Access Connector, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. On the Windows Server machine that you want to use for hosting the Omnissa Access Connector, log in to the Omnissa Access console, as follows:
    1. Open a browser and log in to the Workspace ONE UEM console.
    2. Click the app launcher icon in the upper-right corner of the screen and select Omnissa Access (or Workspace ONE Access).
    3. Enter the credentials for System domain admin, which is the account you set up when you got your Access tenant, and click Sign-in.

      You are taken to the Omnissa Access catalog portal.
    4. Click the user account button in the upper-right corner of the page, and select Omnissa Access Console (or Workspace ONE Access Console).
  2. Click the Integrations tab, and then click Connectors in the left pane.
  3. Click New.
  4. On the Select the Connector page, select the latest Access connector and click OK.
  5. In the confirmation dialog box, click PROCEED ANYWAY.
  6. On the Download Installer page, click GO TO CUSTOMERCONNECT.

    You might be prompted to log in to your Customer Connect account.
  7. In the new tab, which displays the Download Product page, click DOWNLOAD NOW.
  8. After the installer is downloaded, go back to the Omnissa Access Console browser tab, and in the wizard, click NEXT.
  9. On the Download Configuration File page, create a 14-character password for the file, click DOWNLOAD CONFIGURATION FILE, and click NEXT.
  10. On the Summary page, click CLOSE.
  11. Locate and run the Access Connector installer, using the following guidelines:
  • Use default settings and the default installation setup type.
  • Configuration file password – Supply the configuration file password you created earlier in this procedure.
  • Specify Service Account page – Use the Browse button to be sure you can select the domain and user. The only special characters that the password may contain are the at sign (@), exclamation point (!), and asterisk (*).
  12. Back in the Omnissa Access console, navigate back to the Integrations > Connectors page and, if necessary, refresh it to verify that the newly added connector appears.

Omnissa Access now has the necessary connection to Active Directory so you can sync users and groups from your existing directory.

Exercise: Integrate Your Enterprise Directory with Omnissa Access

Now that you have installed the Directory Sync service, which is a component of the Omnissa Access Connector, you can create a directory in Omnissa Access and sync it to Active Directory users and groups in your enterprise. Although it is possible to use various types of directories, such as AD over LDAP and Oracle OpenLDAP, for this exercise, we will use Active Directory over Integrated Windows Authentication.

A limited number of user and group attributes, which you, the administrator, specify, are synced to the Omnissa Access service. User passwords and any attributes other than the ones specified by the administrator are not synced.

Important: Before you start this exercise, you must have an Active Directory security group whose members include the user accounts you want to add to Omnissa Access. Use the same AD user group you used in Exercise: Integrate Your Enterprise Directory with Workspace ONE UEM.

Table 4: Information for the Omnissa Access Connector

Bind user name and password that was used when installing the ACC Connector
(User name entered as sAMAccountName@domain; example: jdoe@acme.com)

User group that you used when syncing with Workspace ONE UEM
(User group name expressed as, for example, CN=users,DC=example,DC=company,DC=com)

Note: The following video, Syncing Active Directory User Groups in Omnissa Access, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Omnissa Access console, click Directories in the left pane, and on the Directories page, click Add Directory and select Active Directory.
  2. On the Add Directory page, for Directory Name, enter the name you want to use and select Active Directory over Integrated Windows Authentication.
  3. Scroll down and complete the Bind User Details section. Enter the user name as sAMAccountName@domain, where domain is the fully qualified domain name; for example, jdoe@acme.com.

    Use the same bind user name and password for binding to the directory server that you used when configuring the Cloud Connector, as described in Exercise: Install the Cloud Connector and Connect to the Directory Server.
  4. Click Save & Configure.
  5. On the Select the Domains page, click Next.
  6. On the Map User Attributes page, scroll down to see what all the attributes are, and click Next.

    For more information, see the product documentation topic Managing User Attributes in Omnissa Access.
  7. On the Select the Groups You Want to Sync page, select the same group you selected when syncing to Workspace ONE UEM, as follows:
    1. In the Specify the top-level group row, click + and specify the top-level group DN. For example, CN=users,DC=example,DC=company,DC=com.
    2. Click the Select Groups button.
    3. From the list of group names returned, select the check box for the desired group and click Save.
    4. Back on the Select the Groups You Want to Sync page, click Next.
  8. On the Select the Users You Would Like to Sync page, specify the user group or OU, as follows:
    1. In the Specify the user DNs row, click + and enter the user DNs. You can enter the same top-level group that you entered in the previous step if you want to sync all the users found in that group.
    2. Click Test.
  9. On the Sync Frequency page, use the defaults or select a different schedule, such as Once per day, and click Sync Directory.

    You are returned to the Directories page. The newly added directory is listed under the System Directory.

Additional Identity and Access Management Tasks

The exercises in the previous chapters walked you through necessary procedures for getting Workspace ONE to work. These were one-time setup tasks. The exercises in this chapter introduce you to some of the powerful features of Omnissa unified endpoint management and access management. Now that the environment is working, you, as an administrator, will want to make use of the features shown in this chapter.

Exercise: Create Child Organization Groups

Organization groups constitute a very powerful feature in Workspace ONE UEM, supporting scalability, multi-tenancy, and inheritance. For example, you can create sibling organization groups, which keep settings separate from each other and have a multi-tenancy aspect.

Besides creating sibling organization groups, you can also create child organization groups, and allow some settings to be inherited from the parent, while other settings are overridden.

You can create an organization group (OG) hierarchy for:

  • Delegating administration of subgroups to lower-level administrators
  • Allowing settings such as authentication methods and privacy settings to be inherited or overridden
  • Creating different device profiles for different groups

For cloud-based Workspace ONE UEM, the top-level organization group is the customer-type organization group. All the organization groups you create are children of this one customer organization. Settings such as auto-discovery email domains, which you configure in the exercise following this one, should be configured for the customer organization group, and then the setting can filter down to lower organizations. For more information, see the product documentation topic Organization Groups.

In this exercise, you create an organization group hierarchy and see how to configure settings to be inherited or overridden by lower organization groups.

Note: The following video, Creating a Workspace ONE UEM Organization Group Hierarchy, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, click GROUPS & SETTINGS in the left pane, and navigate to Groups > Organization Groups > OG Details.

    Assuming no other organization groups have been created yet, you see the details of the top-level, or customer, organization group.
  2. Click Add Child Organization Group, which is beneath the Details heading on the page, and complete the page, as follows, before clicking SAVE:
  • Name – For the example in the video, we decided to use the name of a region we called Eastern US.
  • Group ID – For our example, the group ID is east-us.
  • Type – For our example, the type is Region, but you could also use Container.
  • Country, Locale, and Time Zone – Leave the defaults or modify them to fit your environment.
  3. Click the OG drop-down menu in the menu bar and select the top-level, customer organization group.
  4. On the Groups > Organization Groups > OG Details page, click Add Child Organization Group, and create another organization group, this time called Western US, with a group ID of west-us, and a group type of Container.

    You now have two sibling organization groups, and you are currently in the Western US organization group, on the Details page.
  5. Click Add Child Organization Group again and create a child organization group. For the example in the video, we used the name HR, the group ID hr, and a group type of Container.
  6. Click the OG drop-down menu in the menu bar and select the Eastern US organization group.
  7. On the Groups > Organization Groups > OG Details page, click Add Child Organization Group, and create a child organization group, this time called R&D, with a group ID of rd.

    For each sibling organization group, you now have a child organization group, completing the hierarchy.
  8. Click the OG drop-down menu in the menu bar, select the top-level, customer organization group, and navigate to the page that lists the groups.
  9. From the list for the top-level organization, click the expander arrow next to the group name to see the two regional child organization groups and their respective child organization groups.
  10. Use the OG drop-down menu to navigate to one of the child organization groups, such as the HR organization group.
  11. Click All Settings > System, and click one of the settings, such as Branding, to scroll through the settings and see which of the inherited settings you might override for this child organization.

Exercise: Configure Email Auto-Discovery for Enrolling Devices

You must enroll a device before you can manage it with Workspace ONE UEM. For this evaluation test environment, you will configure an email-based auto-discovery system to enroll devices. After you configure the Auto-Discovery service, end users will be able to enroll themselves by selecting the email address option for authentication, instead of having to enter an environment URL and group ID.

Note: To find the group ID, hover your pointer over the organization group name in the menu bar at the top of the window, next to the product name Workspace ONE UEM. If you have multiple organization groups, select the desired organization group in the menu bar and if the group ID is not listed, navigate to GROUPS & SETTINGS > Groups > Organization Groups, and find the ID in the Group ID field.

Important: The server checks for email domain uniqueness, only allowing a domain to be registered at one organization group in one environment. Because of this server check, register your domain at your highest-level "customer" type organization group. The setting can then be inherited by child organization groups. For information about strategies for using customer organizational groups when enrolling devices in production environments, see the product documentation topic Device Enrollment.

Note: The following video, Configuring Email Auto-Discovery for Enrollment in Workspace ONE UEM, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, navigate to the Getting Started > Workspace ONE page.
  2. Scroll down to the Auto-Discovery row and click CONFIGURE.
  3. In the Auto-Discovery wizard, enter the fully qualified domain name (for example: acme.com) and the email address of the user account that you will use to click the link in the confirmation email.

    The email address must use the same domain name (for example: uem-admin@acme.com).
  4. Click CONTINUE.
  5. Go to the email account you just specified, open the email with the subject line “Workspace ONE UEM Email Registration,” and click the confirmation link.

    A new browser tab appears, confirming that the email domain was successfully registered.
    Important: All email addresses that use this domain will be enrolled in the same Workspace ONE UEM organization group.
  6. Go back to the Workspace ONE UEM console, to the Getting Started > Workspace ONE page.
  7. Scroll down to the Auto-Discovery row and click CONFIGURE again.
  8. Click in the Active Domains text box and select the domain you entered previously.
  9. Click CONTINUE.

Back on the Getting Started page, there is now a check mark under Auto-Discovery and the item is marked as complete.

Important: If you ever need to verify or delete this domain, click GROUPS & SETTINGS in the left pane, and navigate to All Settings > Devices & Users > General > Enrollment, and then scroll down to the Domain list.
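The inherit/override behavior of organization groups and the one-domain-one-group rule for auto-discovery, sketched as a simplified model. This is an added illustration, not Workspace ONE UEM code; the class names, setting keys, and the customer group name and ID (ACME, acme) are assumptions, while the child groups and the acme.com domain follow the examples in the two exercises above.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class OrgGroup:
    name: str
    group_id: str
    og_type: str = "Container"
    parent: OrgGroup | None = None
    overrides: dict = field(default_factory=dict)  # settings switched to Override

    def add_child(self, name: str, group_id: str, og_type: str = "Container") -> OrgGroup:
        return OrgGroup(name, group_id, og_type, parent=self)

    def effective(self, key: str) -> tuple[str, str]:
        """Return (value, group ID that supplied it), walking up while a group inherits."""
        og = self
        while og is not None:
            if key in og.overrides:
                return og.overrides[key], og.group_id
            og = og.parent
        raise KeyError(f"{key} is not set anywhere above {self.group_id}")


class AutoDiscovery:
    """Maps an email domain to the single organization group it is registered at."""

    def __init__(self) -> None:
        self._domains: dict[str, OrgGroup] = {}

    def register(self, domain: str, og: OrgGroup, confirm_email: str) -> None:
        domain = domain.strip().lower()
        # The confirmation address must use the domain being registered.
        if confirm_email.rsplit("@", 1)[-1].lower() != domain:
            raise ValueError("confirmation email must use the registered domain")
        owner = self._domains.get(domain)
        # Uniqueness check: a domain can be registered at only one organization group.
        if owner is not None and owner is not og:
            raise ValueError(f"{domain} is already registered at {owner.group_id}")
        self._domains[domain] = og

    def enrollment_group(self, email: str) -> str | None:
        """Group ID a user enrolls into, or None if the domain is not registered."""
        og = self._domains.get(email.rsplit("@", 1)[-1].lower())
        return og.group_id if og else None


def build_demo() -> dict:
    # Constructed sample data: customer group name/ID and setting keys are hypothetical.
    customer = OrgGroup("ACME", "acme", "Customer", overrides={
        "hub_auth_source": "OMNISSA ACCESS",
        "device_enrolled_template": "Device Enrolled Successfully",
    })
    east = customer.add_child("Eastern US", "east-us", "Region")
    west = customer.add_child("Western US", "west-us")
    hr = west.add_child("HR", "hr")
    rd = east.add_child("R&D", "rd")
    # R&D switches one setting from Inherit to Override; everything else still inherits.
    rd.overrides["device_enrolled_template"] = (
        "Device Enrolled Successfully ACME R&D Department")
    discovery = AutoDiscovery()
    discovery.register("acme.com", customer, "uem-admin@acme.com")
    return {"customer": customer, "east": east, "west": west,
            "hr": hr, "rd": rd, "discovery": discovery}


if __name__ == "__main__":
    demo = build_demo()
    for key in ("hub_auth_source", "device_enrolled_template"):
        for og_name in ("hr", "rd"):
            print(og_name, key, demo[og_name].effective(key))
    print(demo["discovery"].enrollment_group("jdoe@acme.com"))
```

Reporting which group supplied each effective value makes it easy to review where a child group has diverged from the customer-level authentication or notification settings.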

Exercise: Configure Workspace ONE Intelligent Hub

Employees use the Omnissa Workspace ONE Intelligent Hub app, or the browser-based Hub portal, to access, discover, and connect with corporate resources, teams, and workflows within a company. 

The back-end services that administrators configure for the Intelligent Hub are provided by Workspace ONE Hub Services, which is co-located with Omnissa Access. Hub Services is activated automatically as part of the Workspace ONE instance provisioning process. Because of this automatic activation, when you scroll down the Workspace ONE Getting Started page, the Workspace ONE Intelligent Hub row is already marked as complete.

In this exercise, you will take a brief tour of the Hub Services UI to see what features you might want to configure for your employees. If you have followed the exercises in this guide, by this point you have fully integrated Omnissa Access and Workspace ONE UEM, so that all Hub Services functionality can be made available to users, including:

  • A unified Hub Catalog, which can include mobile apps, web or SaaS apps, and virtualized apps and desktops, essentially unifying the Workspace ONE UEM and Omnissa Access catalogs
  • Interactive notifications that integrate with backend business systems
  • People Search, so that employees can find colleagues and browse the employee directory
  • Employee self-service support resources and links
  • Mobile single sign-on, multi-factor authentication, and conditional access

Note: The following video, Configuring Workspace ONE Hub Services for the Intelligent Hub, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, configure the Intelligent Hub so that it uses Omnissa Access for authentication rather than Workspace ONE UEM, as follows:
    1. Click GROUPS & SETTINGS in the left panel, and then navigate to All Settings > Devices & Users > General > Enrollment.
    2. On the Authentication tab, scroll down to Source of Authentication for Intelligent Hub and click OMNISSA ACCESS (or WORKSPACE ONE ACCESS).

      Using Omnissa Access for authentication allows the Workspace ONE Intelligent Hub to display SaaS applications and use associated SSO capabilities.
    3. Scroll down, click SAVE, and then close the window.
  2. In the Workspace ONE UEM console, navigate to the Getting Started > Workspace ONE page, scroll down to the Workspace ONE Intelligent Hub row, and click EDIT.
  3. On the Intelligent Hub page, click LAUNCH.

    At this point you are taken to the Hub Services console.
  4. On the Getting Started with Hub Services page, click BEGIN.

    You are taken to the Hub Services Home page, which contains a configuration checklist.
  5. Scroll through the checklist to see what sorts of services you can configure.
  6. On the App Catalog tile, click CONFIGURE, and note that near the top of the page, you can click the VERSION GLOBAL drop-down list to create a new version of these settings.
  7. Review all the settings, and click your browser’s Back button.
  8. Note that the checklist on the Home page no longer includes a tile for App Catalog. If you want to go back to that settings page, use the panel on the left side of the window.
  9. Continue to explore the various Hub Services and settings.

For detailed information, see Setting Up Hub Services to Support Workspace ONE Intelligent Hub.

Exercise: Create Templates for Email to Employees

To help manage communication with employees about all stages of their experience with the Workspace ONE platform, you can use any of about 50 message templates. In this exercise, you create an email template to let an employee know when their device has been successfully enrolled.

You can customize the emails that a user will receive across various categories, such as enrollment, applications, compliance, terms of use, content, device lifecycle, and administrator-specific information.

Note: The following video, Configuring Employee Email Templates in Workspace ONE UEM, demonstrates how to perform this procedure. For your convenience, the steps are also provided in text format below the video.

  1. In the Workspace ONE UEM console, navigate to the Getting Started > Workspace ONE page, scroll down to the Employee Email Template row, and click DOWNLOAD.
  2. In the Message Templates wizard, for Category, select Device Lifecycle, and in the list that appears, select the radio button for Device Enrolled Successfully, and click the COPY button.
  3. Give the copied template a unique name; for the example in the video, the words “ACME R&D Department” were appended to the default name.
  4. Scroll down and modify the message body, as appropriate.

    Notice that several variables are embedded in the text. To make the correct text appear in your employee’s email messages, you can either delete a variable and type in the text you want, or you can define the value you want to use by entering the information in the correct location in the settings. For example, to define the value to be used in the {EnrollmentSupportEmail} and {EnrollmentSupportPhone} variables, navigate to Groups & Settings > All Settings > Devices & Users > General > Enrollment, and click the Customization tab.
  5. Click SAVE.

    The newly created template appears in the list of message templates.
  6. In the left pane, click Notifications.

    The full navigation path is Groups & Settings > All Settings > Devices & Users > General > Notifications.
  7. Change Current Setting from Inherit to Override.
  8. In the Device Enrolled Successfully section, select USER, and from the Message Templates list, select the template you created earlier in this procedure.
  9. Scroll down, click SAVE, and close the settings window.

The email message you created will now be sent automatically to a user when their device is successfully enrolled. For more information about all the options available for message templates, see the product documentation topic Device and User Message Templates Settings.

Summary and Additional Resources

Now that you have completed the exercises in this guide, you should have a basic deployment of cloud-based Workspace ONE. First, you acquired a free-trial environment that includes a Workspace ONE UEM tenant and an Omnissa Access and Hub Services tenant.

Next, you connected the tenants to each other. You then installed and configured connectors for communication between your enterprise directory services and the Workspace ONE UEM and Omnissa Access tenants. Once these connections were made, you synchronized user groups. Finally, you explored some of the major components and features, such as Hub Services, organization groups, message templates, and auto-discovery for enrolling devices.

Although the basic environment you just set up is for evaluation purposes only, you can now explore further on your own as you evaluate this offering.

Next Steps

This guide addressed the one-time setup tasks required to deploy cloud-based Workspace ONE. For day-2, operational tasks, such as managing apps and devices, see the following documents and videos, available from Omnissa Tech Zone:

Windows Devices:

Mac Devices:

iOS Devices:

Android Devices:

Chrome Devices:

 Managing Chrome OS Devices: Workspace ONE Operational Tutorial

All Devices:

Product Documentation Resources

  The Omnissa Documentation page has links to:

Workspace ONE Hub Services Documentation

Omnissa Access (formerly called Workspace ONE Access) Documentation

Workspace ONE UEM Documentation

Workspace ONE Productivity Apps Documentation

Changelog

The following updates were made to this guide:

Date – Description of Changes

2024/08/29 – Updated for Omnissa docs and Tech Zone links.

2022/03/16 – Guide was published.

Authors and Contributors

The following authors, contributors, and subject-matter-expert reviewers collaborated to create this tutorial.

Authors

  • Caroline Arakelian, Senior Technical Marketing Manager, Omnissa
  • Darryl Miles, Staff Solution Engineer, Omnissa

Contributors

Feedback

Your feedback is valuable.

To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com. 
