VMware AirWatch Mobile Application Management Guide Enable access to public and enterprise apps

Transcription

1 VMware AirWatch Mbile Applicatin Management Guide Enable access t public and enterprise apps Wrkspace ONE UEM v9.4 Have dcumentatin feedback? Submit a Dcumentatin Feedback supprt ticket using the Supprt Wizard n supprt.air-watch.cm. This prduct is prtected by cpyright and intellectual prperty laws in the United States and ther cuntries as well as by internatinal treaties. VMware prducts are cvered by ne r mre patents listed at VMware is a registered trademark r trademark f VMware, Inc. in the United States and ther jurisdictins. All ther marks and names mentined herein may be trademarks f their respective cmpanies. 1

2 Table f Cntents Chapter 1: Overview 6 Intrductin t Mbile Applicatin Management - MAM 7 Wrkspace ONE UEM Applicatin Types and Their Supprted Platfrms 7 Explanatins f Managed Applicatins and Their Benefits 8 Applicatin Cnfiguratin Infrmatin 9 App and Prfile Mnitr Overview 10 Chapter 2: Getting Started 13 Create Custm Ntificatins fr Applicatins 14 Cnfigure Applicatin Categries 15 Cnfigure Ggle Play Integratin fr n-premises Custmers 15 Windws Desktp and Yur Cmpany's Rt CA 16 Enable Wrkspace ONE UEM t Distribute Windws Desktp Internal Applicatins 16 Register Applicatins With the Windws Phne Dev Center 17 Enable Wrkspace ONE UEM fr Windws Phne Applicatin Distributin 18 Chapter 3: Internal Applicatins 19 Supprted File Types fr Internal Applicatins 20 Uplad Internal Applicatins with a Lcal File 22 Use External App Repsitries That Hst Internal Applicatins 27 Use Flexible Deplyment t Assign Applicatins 30 Benefits f Tracking Internal App Deplyments 35 Prvisining Prfiles fr Enterprise Distributin 38 Distributin f Win32 Applicatins 40 Peer Distributin fr Win32 Applicatins 53 Applicatin Remval Prtectin Overview 66 Safeguards fr Prprietary, Nn-Stre, Wrkspace ONE UEM Applicatins 69 Chapter 4: Public Applicatins 71 Add Public Applicatins frm an App Stre 72 Paid Public ios Applicatins and Wrkspace ONE UEM 74 Public Applicatin Installatin Cntrl n ios Devices 76 2

3 The Micrsft Stre fr Business and Wrkspace ONE UEM 78 Chapter 5: Purchased Applicatins Apple VPP 88 Purchased Applicatins -Apple VPP Feature Overview 89 Redemptin Cde Methd Overview 90 Managed Distributin by Apple IDs Overview 94 Custm B2B Applicatins and Apple's VPP 104 Managed Distributin by Device Serial Number 106 Chapter 6: SaaS Applicatins 111 SaaS Applicatins in Wrkspace ONE UEM 112 Requirements t Supprt SaaS Applicatins 113 Methds t Add SaaS Applicatins 114 Client Access Plicy 121 Assign SaaS Applicatins 124 Prvisining Adapters 124 Settings fr SaaS Applicatins 126 SSO Between Wrkspace ONE UEM and VMware Identity Manager fr SaaS Apps and Access Plicies 133 Chapter 7: Web Links Applicatins 135 Web Links Applicatin Features and Supprted Platfrms 136 Web Links Tab r Device Prfiles 136 Web Links Applicatin Behavirs in Apps & Bks and Devices 137 Web Apps Admins and Rles Exceptins 137 Add Web Links Applicatins 138 Cnfigure View Devices fr Web Links Applicatins 139 Chapter 8: Manage Applicatins 141 Use Access Plicies with SaaS Applicatins 142 Native List View Optin s fr Applicatins 144 Details View Setting s 146 Make App MDM Managed If User Installed 148 Cnfigure Manage Devices 149 3

4 Access the Manage Feedback Page 150 Cnfigure User Ratings 151 Active and Inactive Status 151 The Delete Actin and Its Alternatives 151 Internal App Versins in Wrkspace ONE UEM 154 Cnfigure View Lgs fr Internal Applicatins 157 Access SDK Analytics Apps That Use SDK Functinality 158 Chapter 9: Applicatin Grups 160 Applicatin Grups and Cmpliance Plicies Wrk Tgether t Apply Standards Acrss Devices 161 Cnfigure an Applicatin Grup 161 Create Required Lists fr the AirWatch Catalg 163 Enable Custm MDM Applicatins fr Applicatin Grups 163 Chapter 10: Cmpliance 165 Cmpliance fr Mbile Applicatin Management 166 Build an Applicatin Cmpliance Plicy 166 Chapter 11: AirWatch Catalg 169 Wrkspace ONE and AirWatch Catalg Settings 170 Migrating VMware AirWatch Catalg t Wrkspace ONE Catalg 171 AirWatch Catalg Features and Deplyment Methds 172 Standalne Catalg fr MAM Only Deplyments 182 Chapter 12: Wrkspace ONE 186 Wrkspace ONE UEM Applicatins and the Wrkspace ONE Managed Access Feature 187 Supprted Platfrms fr Open and Managed Access 187 View the Installatin Status f Windws 10 Applicatins in the Wrkspace ONE Catalg 188 Chapter 13: MAM Features with SDK Functins 190 MAM Functinality with Settings and Plicies and the AirWatch SDK 191 Cnfigure Default SDK Security Settings 191 Assign the Default r Custm Prfile 197 4

5 Supprted Settings and Plicies Optins by Cmpnent and Wrkspace ONE UEM App199 5

6 Chapter 1: Overview Intrductin t Mbile Applicatin Management - MAM 7 Wrkspace ONE UEM Applicatin Types and Their Supprted Platfrms 7 Explanatins f Managed Applicatins and Their Benefits 8 Applicatin Cnfiguratin Infrmatin 9 App and Prfile Mnitr Overview 10 6

7 Chapter 1: Overview Intrductin t Mbile Applicatin Management - MAM Organizatins use mbile applicatins t deply mbile pints f sale, cnfigure sales kisks, create business intelligence, and perfrm everyday wrk-related tasks. VMware Wrkspace ONE UEM Mbile Applicatin Management (MAM) functinality can manage mbile applicatins, deply them t devices, secure the applicatins with cmpliance plicies. Wrkspace ONE UEM ffers advanced management functinality t internal applicatins using the AirWatch SDK and app wrapping. Wrkspace ONE UEM Applicatin Types and Their Supprted Platfrms Wrkspace ONE UEM classifies applicatins as internal, public, purchased, and Web and yu uplad applicatins depending n the type. Wrkspace ONE UEM supprts many platfrms and perating systems fr mst f the applicatin types. View which platfrm and OS versins Wrkspace ONE UEM supprts fr each applicatin type. Applicatin Type Industry Templates Any Supprted App Type Supprted Platfrms Apple ios v7.0+ with limitatins fr cmpliance plicies Internal Andrid v4.0+ Apple ios v7.0+ Apple macos v10.9+ Apple tvos v10.2+ Windws Phne Windws Desktp Nte: Ensure that the auxiliary files packaged with Apple ios r macos applicatins d nt have spaces in the names. Spaces can cause issues when yu lad the applicatin t the cnsle. 7

8 Chapter 1: Overview Applicatin Type Supprted Platfrms Public (Free and Paid) Andrid v4.0+ Apple ios v7.0+ Chrme OS Windws Phne Wrkspace ONE UEM can manage free, public applicatins n Windws 10+ devices when yu integrate with the Micrsft Stre fr Business. Windws Desktp Wrkspace ONE UEM can manage free, public applicatins n Windws 10+ devices when yu integrate with the Micrsft Stre fr Business. Purchased Custm B2B Purchased VPP Apple ios v7.0+ Apple ios v7.0+ Apple macos v10.9+ Web Links Andrid v4.0+ Apple ios v7.0+ Apple macos v10.9+ Windws Desktp SaaS Andrid v4.0+ Apple ios v7.0+ Apple macos v10.9+ Windws Desktp Explanatins f Managed Applicatins and Their Benefits Wrkspace ONE UEM can deply yur applicatins as managed and unmanaged. The Wrkspace ONE UEM cnsle can perfrm particular tasks fr the managed cntent that it cannt perfrm fr the unmanaged cntent. Explanatin f Managed Use the Wrkspace ONE UEM public applicatin feature t search and uplad public applicatins frm app stres. If yu use anther way t add public applicatins t devices, Wrkspace ONE UEM des nt manage these applicatins. Management functins include these features. Autmatically deply applicatins t devices thrugh a catalg fr installatin. Deply versins f applicatins. 8

9 Chapter 1: Overview Feature applicatins in catalgs s that device users can easily access and install them. Track installatins f applicatins and push the installatin frm the cnsle. T remve the applicatins frm devices but t keep them in Wrkspace ONE UEM, yu can deactivate public applicatins. Delete applicatins and all their versins frm Wrkspace ONE UEM and frm devices. Benefits f Management Wrkspace ONE UEM can manage mst applicatins unless there is a platfrm-specific reasn hindering management r yu uplad the public cntent withut searching fr it in an app stre. Managed cntent Distribute Wrkspace ONE UEM pushes managed cntent with a catalg t devices. The catalg autmatically installs cntent r makes the cntent available fr dwnlad depending upn the cnfigured push mde. Remve Wrkspace ONE UEM can remve the managed cntent ff devices. Unmanaged cntent Distribute Wrkspace ONE UEM must direct end users thrugh the catalg t an app stre t dwnlad dcuments. Remve Wrkspace ONE UEM cannt remve the unmanaged cntent frm devices. Applicatin Cnfiguratin Infrmatin Applicatin cnfiguratins are key-value pairs that yu can deply with the applicatin t precnfigure features fr users. Yu can enter supprted pairs when yu uplad applicatins t the Wrkspace ONE UEM cnsle. Yu can als cde them int yur applicatins. Currently, applicatin cnfiguratins are available fr Andrid and ios. Yu must knw the supprted key-value pairs fr yur applicatin t deply them and t cde them. T find supprted applicatin cnfiguratins, review the listed resurces. Find Supprted Cnfiguratins The applicatin vendr sets the supprted cnfiguratins fr the applicatin, s yu can cntact the vendr r visit ther sites with infrmatin abut applicatin cnfiguratins. T find the supprted applicatin cnfiguratins, cntact the applicatin vendr. See these resurces with infrmatin abut applicatin cnfiguratins. AppCnfig Cmmunity at VMware Wrkspace ONE UEM Develpers at 9

10 Chapter 1: Overview Wrkspace ONE UEM Articles n Adding Applicatin Cnfiguratins The Wrkspace ONE UEM knwledge base has articles abut wrking with applicatin cnfiguratins when yu develp applicatins. See Wrkspace ONE UEM Managed App Cnfiguratin at App and Prfile Mnitr Overview The App and Prfile Mnitr prvides a quick methd fr tracking the recent deplyment f apps and prfiles t yur devices. The mnitr displays histrical data n the deplyment prcess and the install status f the app r prfile n devices. The App and Prfile Mnitr tracks the status f app and prfile deplyments t yur end-user devices. The mnitr nly tracks apps and prfiles deplyed in the past 15 days. This data allws yu t see the status f yur deplyments and diagnse any issues. When yu search fr an app r prfile, a card cntaining the deplyment data is added t the App and Prfile Mnitr view. Yu can nly display five cards at a time. These cards remain added until yu lg ut. Any cards must be added again when yu lg in again. The Histrical sectin nly shws the past seven days f data. It shws the number f devices reprting the Dne status fr deplyment. The Current Deplyment sectin shws the device deplyment status. Fr mre infrmatin n the deplyment statuses, see App and Prfile Mnitr Statuses n page 10. If yu see an Incmplete status, select the number next t the status t see a Device List View f all devices reprting the status. This feature lets yu examine devices with issues s yu can trublesht yur deplyment. The App and Prfile Mnitr nly tracks deplyments started after upgrading t Wrkspace ONE UEM v If yu deplyed the app r prfile befre upgrading, the mnitr des nt track any data n the deplyment. App and Prfile Mnitr Statuses The App and Prfile Mnitr displays the current deplyment status fr devices during a deplyment. The status cmbines different app and prfile installatin statuses int Dne, Pending, r Incmplete. Status Dne Devices reprt the Dne status when the app r prfile installs successfully. 10

11 Chapter 1: Overview Status Pending Devices reprt the Pending Status when an app r prfile reprts the fllwing statuses. Prfiles Pending Install Uncnfirmed Remval Pending Remval Cnfirmed Remval Apps Needs Redemptin Awaiting Install n Device Redeeming Prmpting fr Lgin Prmpting Updating Installing Pending Release MDM Remval Prmpting fr Management MDM Remved Install Cmmand Dispatched Unknwn Dwnlad in Prgress Install Cmmand Ready fr Device Cmmand Acknwledged Incmplete Device reprts the Incmplete Status when an app r prfile reprts the fllwing statuses. Pending Infrmatin User Remved Install Rejected Install Failed License Nt Available Rejected Prfiles Apps Management Rejected Dwnlad Failed Criteria Missing Cmmand Failed If yu see an Incmplete status, select the number next t the status t see a Device List View f all devices reprting the status. This feature lets yu examine devices with issues s yu can trublesht yur deplyment. Track a Deplyment with the App and Prfile Mnitr Track a deplyment f an applicatin r prfile t end-user devices with the App and Prfile Mnitr. This mnitr prvides at-a-glance infrmatin n the status f yur deplyments. T track a deplyment: 11

12 Chapter 1: Overview 1. Navigate t Hub > App and Prfile Mnitr. 2. In the search field, enter the name f the app r prfile. Yu must select the Enter key n yur keybard t start the search. 3. Select the app r prfile frm the drp-dwn menu and select Add. The app r prfile data displays n a card. Yu can nly have five cards added at ne time. 12

13 Chapter 2: Getting Started Create Custm Ntificatins fr Applicatins 14 Cnfigure Applicatin Categries 15 Cnfigure Ggle Play Integratin fr n-premises Custmers 15 Windws Desktp and Yur Cmpany's Rt CA 16 Enable Wrkspace ONE UEM t Distribute Windws Desktp Internal Applicatins 16 Register Applicatins With the Windws Phne Dev Center 17 Enable Wrkspace ONE UEM fr Windws Phne Applicatin Distributin 18 13

14 Chapter 2: Getting Started Create Custm Ntificatins fr Applicatins Update end users abut changes t applicatins and bks thrugh custm ntificatins. Yu can send messages using , SMS, r push ntificatin. Custm Ntificatin Uses Custmize a message template t include applicatin r bk names, descriptins, images, and versin infrmatin. Templates can als include links t yur app and bk catalgs, and they can prmpt end users t dwnlad cntent frm the ntificatin. Wrkspace ONE UEM sends this message when yu use the Ntify Devices ptin n the actins menu r frm the manage devices feature. Cnfigure Custm Ntificatins Use a message template t create a custm ntificatin message. 1. Navigate t Grups & Settings > All Settings > Devices & Users > General > Message Templates. 2. Select Add, cmplete the required infrmatin, and save the settings. Setting Name Categry Type Select Language Default Message Type Message Bdy Enter the name f the new template. Yu can use bk in this text bx t distinguish the message ntificatin frm an applicatin ntificatin. Enter a descriptin f the message that is used internally by Wrkspace ONE UEM t describe this template. Select Applicatin as the message template categry. Select Applicatin Ntificatin as the message template type. Enter a parameter t limit the message delivery t nly devices that belng t end users wh understand the specified languages. Select whether the Wrkspace ONE UEM cnsle uses this message template by default fr the Categry Applicatin and the Type Applicatin Ntificatin. This ptin enables , SMS, and push ntificatins fr yur template. If yu d nt want t use all types, disable this ptin and select the nes t use in the Message Type ptin. If yu d nt want t use all three types, select the message types ( , SMS, r push) that Wrkspace ONE UEM uses fr this template. Enter the message Wrkspace ONE UEM displays n the end-user devices fr each message type. Use the {ApplicatinName} lkup value t ppulate the applicatin name in each message, autmatically. 14

15 Chapter 2: Getting Started Cnfigure Applicatin Categries Applicatin categries help rganize yur applicatins and help device users find applicatins easier. Apps Have Pre-Cded Categries Yu d nt have t create yur wn categries. Wrkspace ONE UEM installs applicatins and bks with their native, pre-cded categries s that yu can use them t rganize cntent immediately and apply filters t them. Uses fr Custm Categries Hwever, if yu want t custmize categries, yu can grup applicatins in numerus ways. Tw suggestins are t create categries based n the actual names f the business units r t create categries based n the needs f thse units. Organizatin units Make categries that match business units like IT, Accunting, Sales, Prfessinal Services, and Human Resurces. Fr example, yu can apply categries t applicatins and bks and filter them s that nly Sales cntent displays n the app r bk page. Organizatin needs Make categries that match business needs like Security, Cmmunicatin, Travel, Medical, and Educatin. Yu can filter applicatins and bks t display security cntent and ensure that the latest versin is deplyed. Add Custm Applicatin Categries When yu add a new internal r public applicatin r bk, the system applies the categry that best matches based n meta data frm the develper r the app stre. Yu can verride this initial assignment and apply yur wn custm categries. Fllw the listed steps t add custm categries. 1. Navigate t Apps & Bks > Applicatins > Applicatins Settings > App Categries. 2. Select Add Categry. 3. Prvide the Categry Name and Categry and save the settings. Cnfigure Ggle Play Integratin fr n-premises Custmers Fr n-premises custmers, Wrkspace ONE UEM has updated the lgic fr hw t search fr public Andrid applicatins frm the Ggle Play Stre fr deplying applicatins. 1. Navigate t Grups & Settings > All Settings > Device & Users > Andrid > Ggle Play Integratin. 2. Cmplete the frm fr a Phne r a Tablet, r bth, with the applicable infrmatin. Setting Ggle accunt user name Enter a placehlder Ggle Accunt user name. Ggle accunt passwrd Andrid Device ID Enter a placehlder Ggle Accunt passwrd. Enter a placehlder Andrid Device ID. 15

16 Chapter 2: Getting Started If yu used placehlder data, Test Cnnectin might nt verify a successful integratin and it is a nrmal behavir. Yur ability t search fr public Andrid apps might nt be affected. Windws Desktp and Yur Cmpany's Rt CA Yu can push internal applicatins made fr the latest Windws Desktp versin frm Wrkspace ONE UEM with the rt certificate authrity (CA) f yur cmpany instead f with a third-party rt CA. Trusted Rt CA Make sure that yur rt CA is part f the trusted rt CA list f the device. If it is nt trusted, the Wrkspace ONE UEM system cannt deply the applicatin t Windws devices. The Certificate Authrities (CA) settings page is used t cnfigure integratin with varius certificate authrities and yu can find it at Grups & Settings > All Settings > System > Enterprise Integratin > Certificate Authrities. Enable Wrkspace ONE UEM t Distribute Windws Desktp Internal Applicatins Set the Wrkspace ONE UEM cnsle t distribute apprved Windws Desktp internal applicatins autmatically with a side lading key. This prcess is nt needed fr Windws 10+. Pre-Requisites Befre yu can distribute internal applicatins t Windws Desktp devices, yu must btain tw items frm Micrsft. Side lading key (nt needed fr Windws 10+) Wrkspace ONE UEM sets a prperty t allw the side lading f applicatins n Windws 10 devices. This step ccurs after the device enrlls with the Wrkspace ONE UEM system. Cde signing certificate Visit the Windws Dev Center fr infrmatin abut side lading keys and cde signing certificates fr Windws Desktp applicatins. Enter the Side Lading Key t Wrkspace ONE UEM Enable Wrkspace ONE UEM t uplad yur side lading key s that it can distribute internal applicatins t Windws Desktp devices that are nt n Windws 10+. Imprtant: The key prvided by a Vlume Licensing prtal, such as might be limited t a specific number f device activatins. Verify that there is a key available fr yur use. Fr mre infrmatin abut a Micrsft accunt, visit the Micrsft Develper Netwrk site. 1. Navigate t Grups & Settings > All Settings > Devices & Users > Windws > Windws Desktp > Enterprise Apps. 16

17 Chapter 2: Getting Started 2. Cmplete the fllwing ptins. Setting Enable Enterprise Applicatin Manager Side Lading Key Allws Wrkspace ONE UEM t push apprved internal applicatins t Windws Desktp devices. Enter the key prvided by the Windws Dev Center. Fr example: ADQ2Z-6TP3W-4QGHK-PSDAW-8WKYR 3. Select Save. This prcess uplads the side lading key int the UEM cnsle and autmatically enables crprate devices t install the enterprise internal applicatin. Imprtant: These settings affect devices enrlled after yu have prepared the UEM cnsle fr applicatin distributin. If yu change the side lading key after devices enrll, all devices must re-enrll t access internal applicatins. Register Applicatins With the Windws Phne Dev Center Befre yu can distribute internal applicatins t Windws Phne devices, yu must create, register, and gain apprval frm the Windws Phne Dev Center. See the Windws Dev Center fr current dcumentatin n hw t develp applicatins fr Windws Phne and fr prices t jin the develpment center. 1. Register a Micrsft accunt fr yur cmpany with the Windws Phne Dev Center. There is a small fee t jin, and the subscriptin enables yur cmpany t add applicatins t the Windws Phne Stre. Registratin creates a Windws accunt ID that yu must use t btain a Symantec authenticatin certificate. Fr mre infrmatin abut a Micrsft accunt, visit the Micrsft Develper Netwrk site. 2. Obtain a Symantec Enterprise Mbile Cde Signing Certificate fr the internal applicatin. Obtain an Enterprise Mbile Cde Signing Certificate frm Symantec with the Windws accunt ID. Use the certificate t sign and verify that yur cmpany built the applicatin. Als, use the certificate t generate the applicatin enrllment tken (AET) used by each device t btain a cpy f the applicatin. 3. Build and digitally sign the internal applicatin. Develp and test the crprate applicatin. When the applicatin is ready fr distributin, digitally sign the applicatin by fllwing the Precmpile and Signature steps utlined in the Windws Phne Dev Center instructins. 4. Generate an AET fr the internal applicatin. Generate an AET that devices use t authenticate befre installing the internal applicatin. Yu can uplad the AET t the Wrkspace ONE UEM cnsle. This actin autmatically enables crprate devices t install the internal applicatin. Generate an AET by fllwing the AET generatin walkthrugh utlined by the Windws Phne Dev Center. 17

18 Chapter 2: Getting Started Enable Wrkspace ONE UEM fr Windws Phne Applicatin Distributin The AirWatch Catalg is nt supprted fr Windws Phne devices. Hwever, yu can distribute applicatins t devices using the AirWatch Agent. Set the Wrkspace ONE UEM cnsle t distribute apprved Windws Phne internal applicatins autmatically with the AET yu received when registering with the Windws Phne Dev Center. 1. Navigate t Grups & Settings > All Settings > Devices & Users > Windws > Windws Phne > Agent Settings. 2. Select the Enable Enterprise App Management ptin in the Enterprise App Management sectin. 3. Select Uplad in the Uplad Enterprise Tken text bx t brwse fr the AET file and save yur settings. 18

19 Chapter 3: Internal Applicatins Supprted File Types fr Internal Applicatins 20 Uplad Internal Applicatins with a Lcal File 22 Use External App Repsitries That Hst Internal Applicatins 27 Use Flexible Deplyment t Assign Applicatins 30 Benefits f Tracking Internal App Deplyments 35 Prvisining Prfiles fr Enterprise Distributin 38 Distributin f Win32 Applicatins 40 Peer Distributin fr Win32 Applicatins 53 Applicatin Remval Prtectin Overview 66 Safeguards fr Prprietary, Nn-Stre, Wrkspace ONE UEM Applicatins 69 19

20 Chapter 3: Internal Applicatins Supprted File Types fr Internal Applicatins Wrkspace ONE UEM supprts specific file types fr internal applicatins. Fr sme file types, yu uplad mre than ne file s that the applicatin wrks acrss devices. Find ut what file type the system supprts and which file types require yu t uplad multiple files. Nte: Ensure that the auxiliary files packaged with Apple ios r macos applicatins d nt have spaces in the names. Spaces can cause issues when yu lad the applicatin t the cnsle. Platfrm Andrid Apple ios macos Symbian tvos File Type APK IPA APP package bundles Use the prduct prvisining feature t deply macos internal applicatins as DMG, PKG, and APP files. SIS SISX IPA 20

21 Chapter 3: Internal Applicatins Platfrm Windws Desktp File Type APPX Uplad a neutral file that wrks fr all three prcessrs. Uplad files fr all three prcessrs. On lder Windws platfrms, yu must build prcessr files fr the type f device yu want the applicatin t run n. Fr example, build the three prcessr files fr a Windws Desktp device. Then create and build the prcessr files fr a Windws Phne device. Then yu must uplad the files fr each device type. Uplad a universal applicatin that includes all three prcessrs. Windws universal applicatins are a single versin f an applicatin accessed n any Windws device, including desktps, tablets, and phnes. Wrkspace ONE UEM supprts the uplad f universal applicatins t yur devices, and yu can uplad the three APPX files (desktps, tablets, and phnes) fr all architectures. Nte: Uplad the same APPX file fr bth Windws Phne and Windws Desktp in the Wrkspace ONE UEM cnsle if yu want the universal app t run n bth types f devices. Windws Phne EXE Uplad an EXE package f Win32 applicatins fr Windws 10. MSI The MSI file, als called a Windws Installer, is a package that cntains everything t install, maintain, and remve the sftware. ZIP Uplad a ZIP package f Win32 applicatins fr Windws 10. Fr infrmatin n the deplyment f EXE, MSI, r ZIP files, see Distributin f Win32 Applicatins n page 40. APPX Uplad a neutral file. Uplad the ARM prcessr file build fr Windws Phne devices. Uplad the ARM prcessr file f the universal applicatin. Windws universal applicatins are a single versin f an applicatin accessed n any Windws device, including desktps, tablets, and phnes. Wrkspace ONE UEM supprts the uplad f universal applicatins t yur devices, and yu can uplad the three APPX files (desktps, tablets, and phnes) fr all architectures. Nte: Uplad the same APPX file fr bth Windws Phne and Windws Desktp in the UEM cnsle if yu want the universal app t run n bth types f devices. XAP 21

22 Chapter 3: Internal Applicatins Suggestin fr Develping Internal Applicatins Fllw the requirements fr applicatin develpment n the Andrid Develpers, ios Develper, and Micrsft Develper sites. The UEM cnsle accepts mst applicatins built t platfrm specificatins. Nte: If yu build Andrid applicatins with Gradle, currently, the cnsle accepts applicatins built with Gradle 3.0 r lder. The develpment team is wrking t integrate with newer Gradle versins. Uplad Internal Applicatins with a Lcal File Uplad internal applicatins with lcal files t deply them t yur mbile netwrk and t take advantage f the mbile applicatin management features f AirWatch. Review instructins frm platfrm sites abut hw t develp and package applicatins. 1. Navigate t Apps & Bks > Applicatins > Native > Internal and select Add Applicatin. 2. Select Uplad > Lcal File t brwse fr the applicatin file n the system. 3. Select Cntinue and cnfigure the Details tab ptins. Nt every ptin is supprted fr every platfrm. Setting Name Managed By Applicatin ID Actual File Versin Build Versin Versin Is Beta Change Lg Categries Minimum OS Enter a name fr the applicatin. View the rganizatin grup (OG) that the applicatin belngs t in yur Wrkspace ONE UEM OG hierarchy. Represents the applicatin with a unique string. This ptin is pre-ppulated and was created with the applicatin. Wrkspace ONE UEM uses the string t identify the applicatin in systems like applicatin whitelists and blacklists. Displays the cded versin f the applicatin set by the applicatin's develper. Displays an alternate "File Versin" fr sme applicatins. This entry ensures Wrkspace ONE UEM recrds all versin numbers cded fr applicatins because develpers have tw places within sme applicatins they can cde a versin number. Displays the internal versin f the applicatin set by the Wrkspace ONE UEM cnsle. Tags the applicatin as still under develpment and testing, a BETA versin. Enter ntes in this text bx t prvide cmments and ntes t ther admins cncerning the applicatin. Prvide a categry type in the text bx t help identify hw the applicatin can help users. Yu can cnfigure custm applicatin categries r keep the applicatin's pre-cded categry. Select the ldest OS that yu want t run this applicatin. 22

23 Chapter 3: Internal Applicatins Setting Supprted Mdels Is App Restricted t Silent Install Andrid Default Scheme Select all the mdels that yu want t run this applicatin. Assigns this applicatin t thse Andrid devices that supprt the Andrid silent installatin feature. The end user des nt have t cnfirm installatin activity when yu enable this ptin. This feature makes it easier t uninstall many applicatins simultaneusly. Only Andrid devices in the smart grup that supprts the silent uninstallatin benefit frm this ptin. These Andrid devices are als called Andrid enterprise devices. Indicates the URL scheme fr supprted applicatins. The applicatin is packaged with the scheme, s Wrkspace ONE UEM parses the scheme and displays the value in this field. A default scheme ffers many integratin features fr yur internal applicatins, including but nt limited t the fllwing ptins: Use the scheme t integrate with ther platfrm and web applicatins. Use the scheme t receive messages frm ther applicatins and t initiate specific requests. Use the scheme t launch Apple ios applicatins in the AirWatch Cntainer. Describe the purpse f the applicatin. Nte: D nt use '<' + String in the, as yu might encunter an Invalid HTML cntent errr. Keywrds URL Supprt Supprt Phne Internal ID Cpyright Enter wrds that might describe features r uses fr the applicatin. These entries are like tags and are specific t yur rganizatin. Enter the URL frm where yu can dwnlad the applicatin and get infrmatin abut it. Enter an t receive suggestins, cmments, r issues cncerning the applicatin. Enter a number t receive suggestins, cmments, r issues cncerning the applicatin. Enter an identificatin string, if ne exists, that the rganizatin uses t catalg r manage the applicatin. Enter the publicatin date fr the applicatin. Cmplete the ptins in the Develper Infrmatin area: Setting Develper Develper Develper Phne Enter the develper's name. Enter the develper's s that yu have a cntact t whm t send suggestins and cmments. Enter a number s that yu can cntact the develper. 23

24 Chapter 3: Internal Applicatins (Apple ios nly) Cmplete the ptins in the Lg Ntificatin fr App SDK area: Setting Send Lgs T Develper Lgging Template Enable sending lgs t develpers fr trubleshting and frensics t imprve their applicatins created using a sftware develpment kit. Select an template uses t send lgs t develpers. (Windws Desktp MSI files nly) Cmplete the ptins in the Installer Package Deplyment area: Setting Cmmand Line Arguments Timeut Retry cunt Retry interval Enter cmmand-line ptins that the executin system uses t install the MSI applicatin. Enter the time, in minutes, that the installer waits with n indicatin f installatin cmpletin befre it identifies an installatin failure. When the system reaches the timeut number, it stps mnitring the installatin peratin. Enter the number f attempts the installer tries t install the applicatin befre it identifies the prcess as failed. Enter the time, in minutes, the installer waits between installatin attempts. The maximum interval the installer waits is 10 minutes. Cmplete the ptins in the Applicatin Cst Infrmatin area: Setting Cst Center Cst Currency Enter the business unit charged fr the develpment f the applicatin. Enter cst infrmatin fr the applicatin t help reprt metrics cncerning yur internal applicatin develpment systems t the rganizatin. Select the type f currency that paid fr the develpment, r the currency that buys the applicatin, r whatever yu want t recrd abut the applicatin. 4. Cmplete the Files tab ptins. Review the file initially upladed and uplad auxiliary files t distribute internal applicatins. Yu must uplad a prvisining prfile fr Apple ios applicatins and yu must uplad the architecture applicatin files fr Windws Desktp applicatins. If yu d nt uplad the architecture applicatin files, the Windws Desktp applicatin des nt functin. Platfrm Auxiliary File All Applicatin File Cntains the applicatin sftware t install and run the applicatin and is the applicatin yu upladed at the beginning f the prcedure. 24

25 Chapter 3: Internal Applicatins Platfrm Auxiliary File Andrid Apple ios Apple ios Windws Desktp Ggle Clud Messaging (GCM) Tken Prvisining Prfile APNs files fr develpment r prductin Neutral architecture applicatin file This is an AirWatch SDK feature and des nt apply t all Andrid applicatins. Sme internal, Andrid applicatins supprt push ntificatins frm the applicatin t device-users. a. Select Yes fr the Applicatin Supprts Push Ntificatin ptin. b. Enter the Server API key in the GCM Tken (API Key) ptin. Get this frm the Ggle Develper's site. A develper cdes a crrespnding SenderID int the internal applicatin. T use the feature, push the ntificatin frm the applicable device recrd in the cnsle using the Send admin functin n the Devices tab. Authrizes develpers and devices t create and run Apple ios applicatins. See Apple ios Prvisining Prfiles fr infrmatin abut AirWatch integratin with this auxiliary file. Ensure this file cvers enterprise distributin and nt app stre distributin and that it matches the IPA file (Apple ios applicatin file). If the applicatin supprts Apple Push Ntificatins Services (APNs), this file enables messaging functinality. Yu must uplad either the develpment r prductin APNs certificate. Cntains the applicatin sftware t install and run the applicatin fr the specific Windws Desktp architecture. X64, X86, and ARM files built fr Windws Desktp Universal X64, X86, and ARM files MSI file Dependency files 25

26 Chapter 3: Internal Applicatins Platfrm Auxiliary File Windws Phne Neutral ARM architecture applicatin file Cntains the applicatin sftware t install and run the applicatin fr the specific Windws Phne architecture. ARM file built fr Windws Phne devices Universal ARM file Dependency files 5. Cmplete the ptins n the Images tab. Setting Mbile Images Tablet Images Icn Uplad r drag and drp images f the applicatin t display in the App Catalg fr mbile devices. Uplad r drag and drp images f the applicatin t display in the App Catalg fr tablets. Uplad r drag and drp images f the applicatin t display in the App Catalg as its icn. Nte: T achieve best results fr Mbile and Tablet Images, refer fr ios and fr Andrid. 6. Cmplete the Terms f Use tab. Terms f use state specifically hw users are expected t use the applicatin. They als make expectatins clear t end users. When the applicatin pushes t devices, users view a terms f use page that they must accept t use the applicatin. If users d nt accept, they cannt access the applicatin. 7. Cmplete the Mre > SDK tab. Setting SDK Prfile Applicatin Prfile Select the prfile frm the drp-dwn menu t apply features cnfigured in Settings & Plicies (Default) r the features cnfigured in individual prfiles cnfigured in Prfiles. Select the certificate prfile frm the drp-dwn menu s that the applicatin and AirWatch cmmunicate securely. 8. Cmplete the Mre > App Wrapping tab. Yu cannt wrap an applicatin that yu previusly saved in the AirWatch Cnsle. Yu have tw ptins: 26

27 Chapter 3: Internal Applicatins Delete the unwrapped versin f the applicatin, uplad it t AirWatch, and wrap it n the App Wrapping tab. Uplad an already wrapped versin f the applicatin, if yu have ne, which des nt require deleting the unwrapped versin. Setting Enable App Wrapping App Wrapping Prfile Mbile Prvisining Prfile (ios Apple) Cde Signing Certificate (ios Apple) Require encryptin (Andrid) Enables AirWatch t wrap internal applicatins. Assign an app wrapping prfile t the internal applicatin. Uplad a prvisining prfile fr Apple ios that authrizes develpers and devices t create and run applicatins built fr Apple ios devices. Uplad the cde signing certificate t sign the wrapped applicatin. Enable this ptin t use Data At Rest (DAR) encryptin n Andrid devices. AirWatch uses the Advanced Encryptin Standard, AES-256, and uses encrypted keys fr encryptin and decryptin. When yu enable DAR in App Wrapping, the App Wrapping engine injects an alternative file system int the applicatin that securely stres all the data in the applicatin. The applicatin uses the alternative file system t stre all files in an encrypted strage sectin instead f string files in disk. DAR encryptin helps prtect data in case the device is cmprmised because the encrypted files created during the lifetime f the applicatin are difficult t access by an attacker. This prtectin applies t any lcal SQLite database, because all lcal data is encrypted in a separate strage system. 9. Select Save & Assign t cnfigure flexible deplyment ptins fr the applicatin. 10. After adding Assignments, Click Save & Publish, then Publish t deply the app t yur Smart Glasses. Assign the Applicatin t Grups T assign and deply internal applicatins, cnfigure the flexible deplyment ptins explained in Add Assignments and Exclusins t Applicatins n page 30. Use External App Repsitries That Hst Internal Applicatins Hst internal applicatins n yur netwrk with an external applicatin repsitry and manage the applicatins with the Wrkspace ONE UEM. The Wrkspace ONE UEM uses Windws File Share prtcls t make externally hsted applicatins available t user devices. Cmmunicatin is secure because n-premises deplyments must use the Cntent Gateway fr Windws t transfer data frm the n-premises netwrk t the Wrkspace ONE UEM. 27

28 Chapter 3: Internal Applicatins 1. Cnfigure and use the Cntent Gateway fr Windws t secure cmmunicatins between yur netwrk and Wrkspace ONE UEM if yu have an n-premises deplyment. 2. Enter the credentials fr the external app repsitry s Wrkspace ONE UEM can direct device users t the internal applicatins n yur netwrk in the external app repsitry. Wrkspace ONE UEM supprts ne set f credentials t authenticate t repsitries that require it. If yu have multiple repsitries set up n the Cntent Gateway, use a cmmn set f credentials, if yur repsitries require authenticatin. See Add Credentials fr the External App Repsitry n page Enter the lcatin f internal applicatins n the external app repsitry using a link. See Add Internal Applicatins Frm External Repsitries n page 29. Fr a list f the supprted cmpnents fr the use f this feature, see Supprted Cmpnents fr External App Repsitries n page 28. Difference Between External App Repsitries and File Strage Systems in VMware Wrkspace ONE UEM The service that facilitates the cnnectin fr sending and receiving applicatins n an external app repsitry is different than the ne fr a file strage system. External App Repsitry - The Cntent Gateway facilitates the cnnectin fr the device t get the applicatin frm the external app repsitry when the cnsle initiates the deplyment. File Strage - The Devices Services server facilitates the cnnectin fr the device t get the applicatin frm the file strage system when the cnsle initiates the deplyment. Supprted Cmpnents fr External App Repsitries If yu use the Cntent Gateway fr Windws and huse applicatins n an external server system, set external repsitries fr varius platfrms and applicatin types. Supprted App Types The external app repsitry feature supprts nly internal applicatins. Supprted File Types Yu can add the fllwing supprted file types t the external app repsitry feature. IPA fr Apple ios Applicatin package bundles fr macos APK fr Andrid SIS and SISX fr Symbian XAP fr Windws Phne APPX fr Windws Desktp that wrks fr all three prcessrs, x64, x86, and ARM 28

29 Chapter 3: Internal Applicatins Imprtant: The link fr the applicatin must end in ne f the supprted file types r users cannt access the applicatin. Supprted Deplyments SaaS deplyments using the Cntent Gateway fr Windws fr secure cmmunicatins n-premises deplyments using the Cntent Gateway fr Windws fr secure cmmunicatins Credentials fr Multiple Repsitries If yur repsitries require authenticatin, Wrkspace ONE UEM uses ne set f credentials t cmmunicate between the Cntent Gateway and yur repsitries. Fr this feature t wrk, use a cmmn set f credentials fr the Cntent Gateway t cmmunicate with yur repsitries. Add ne set f credentials fr yur repsitries yu cnfigured with the Cntent Gateway. Fr details, see Add Credentials fr the External App Repsitry n page 29. See Add Internal Applicatins Frm External Repsitries n page 29 fr an explanatin f hw t uplad the applicatin t Wrkspace ONE UEM. Add Credentials fr the External App Repsitry Allw Wrkspace ONE UEM t direct users t internal applicatins n yur netwrk in an external app repsitry. The Cntent Gateway fr Windws uses this infrmatin t access the repsitry and t pen cmmunicatins between the device and the repsitry. 1. Navigate t Grups & Settings > All Settings > Apps > Wrkspace ONE > External App Repsitry. 2. Cmplete the fllwing ptins: Setting Username Passwrd Enter the username fr the external app repsitry. Enter the passwrd fr the external app repsitry. 3. Select Save. Add Internal Applicatins Frm External Repsitries Set an external resurce that yu stre in a secure repsitry as an internal applicatin that device users access thrugh the Cntent Gateway fr Windws. 1. Navigate t Apps & Bks > Applicatins > Native > Internal and select ADD APPLICATION. 2. Select Uplad, select Link, cnfirm that access uses the Cntent Gateway, and select the gateway yu want t use. 3. Enter the lcatin f the internal applicatin in yur external app repsitry. Yu can use a server file path, netwrk file share path, an HTTP address, r an HTTPS address. The string must include the name f the internal applicatin and the file extensin. An example f this lcatin is 29

30 Chapter 3: Internal Applicatins 4. Select Cntinue and cnfigure the remaining tabs.] 5. Select Save & Assign t cnfigure flexible deplyment ptins fr the applicatin. Use Flexible Deplyment t Assign Applicatins Wrkspace ONE UEM ffers a flexible deplyment feature fr internal and public applicatins. They are flexible because they allw yu t schedule multiple applicatin deplyment scenaris. Yu can cnfigure deplyments fr internal applicatins fr a specific time and let the Wrkspace ONE UEM cnsle carry ut the deplyments withut further interactin. The flexible deplyment feature resides in the Assign sectins f the applicatin area and ffers advantages t the assigning prcess. Cnfigure deplyment assignments. Assign multiple deplyments simultaneusly. Order assignments s that critical deplyments are nt missed due t the limited bandwidth. Custmize assignments fr multiple smart grups. Add Assignments and Exclusins t Applicatins T cntrl the deplyment f applicatins, add a single assignment r multiple assignments. Als, exclude grups frm receiving the assignment. If yu add multiple assignments, priritize the imprtance f the assignment by mving its place in the list up fr mst imprtant r dwn fr least imprtant. Nte: If yu use APIs t assign applicatins, d nt use the exclusins in the cnsle. APIs fr exclusins are in develpment at this time. If yu want t use exclusins, assign applicatins thrugh the cnsle, d nt use APIs fr assignment. 1. Navigate t Apps & Bks > Applicatins > Native > Internal r Public. 2. Uplad an applicatin and select Save & Assign r select the applicatin and chse Assign frm the actins menu. 3. On the Assignments tab, select Add Assignment and cmplete the fllwing ptins: Setting Select Assignment Grups Type a smart grup name t select the grups f devices t receive the assignment. 30

31 Chapter 3: Internal Applicatins Setting App Delivery Methd On Demand Deplys cntent t a catalg r ther deplyment agent and lets the device user decide if and when t install the cntent. This ptin is the best chice fr cntent that is nt critical t the rganizatin. Allwing users t dwnlad the cntent when they want helps cnserve bandwidth and limits unnecessary traffic. Autmatic Deplys cntent t a catalg r ther deplyment agent n a device upn enrllment. After the device enrlls, the system prmpts users t install the cntent n their devices. This ptin is the best chice fr cntent that is critical t yur rganizatin and its mbile users. Deplyment Begins On Internal Applicatins DLP Andrid ios Windws Desktp Windws Phne Set a day f the mnth and a time f day fr the deplyment t start. The Pririty setting gverns which deplyments push first. Wrkspace ONE UEM then pushes deplyments accrding t the Effective cnfiguratin. T set a beginning date with enugh bandwidth fr successful deplyment, cnsider the traffic patterns f yur netwrk. Plicies Cnfigure a device prfile with a Restrictins prfile t set data lss preventin plicies fr the applicatin. Select Cnfigure. The system navigates t Devices > Prfiles. Select Add > Add Prfile and the platfrm. Fr Andrid and ios devices, select Restrictins and enable ptins in the Data Lss Preventin sectin. Fr Windws Desktp, select Device Prfile > Restrictins and enable ptins that apply t the data yu want t prtect. Fr Windws Phne, select Restrictins and enable ptins that apply t the data yu want t prtect. Managed Access Andrid ios Remve n Unenrll ios Enable adaptive management t set Wrkspace ONE UEM t manage the device s that the device can access the applicatin. Wrkspace ONE cntrls this feature and is nt supprted by the AirWatch Catalg. Set the remval f the applicatin frm a device when the device unenrlls frm Wrkspace ONE UEM. If yu chse t disable this ptin, prvisining prfiles are nt pushed alng with the installed applicatin. That is, if the prvisining prfile is updated, the new prvisining prfile is nt autmatically deplyed t devices. In such cases, a new versin f the applicatin with the new prvisining prfile is required. 31

32 Chapter 3: Internal Applicatins Setting Prevent Applicatin Backup ios Make App MDM Managed if User Installed ios App Tunneling Andrid ios Applicatin Cnfiguratin Andrid ios 4. Select Add. Disallw backing up the applicatin data t iclud. Assume management f applicatins previusly installed by users n their devices, supervised and unsupervised. Enable this feature s that users d nt have t delete the applicatin versin installed n the device. Wrkspace ONE UEM manages the applicatin withut having t install the applicatin catalg versin n the device. Cnfigure a VPN at the applicatin level, and select the Per-App VPN Prfile. Users access the applicatin using a VPN, which helps ensure that applicatin access and use is trusted and secure. Send applicatin cnfiguratins t devices. Uplad XML (Apple ios) Select this ptin t uplad an XML file fr yur ios applicatins that autmatically ppulates the key-value pairs. Get the cnfiguratins supprted by an applicatin frm the develper in XML frmat 5. Use the Mve Up and Mve Dwn ptins t rder assignments if yu have mre than ne. Place critical assignments at the tp f the list. This cnfiguratin displays as the Pririty. The Pririty setting takes precedence when there are cnflicting deplyments assigned t a single device. 6. Select the Exclusins tab and enter smart grups, rganizatin grups, and user grups t exclude frm receiving this applicatin. The system applies exclusins frm applicatin assignments at the applicatin level. Cnsider the rganizatin grup (OG) hierarchy when adding exclusins. Exclusins at a parent OG d nt apply t the devices at the child OG. Exclusins at a child OG d nt apply t the devices at the parent OG. Add exclusins at the desired OG. 7. Select Save & Publish. Applicatin cnfiguratins are vendr-specific key-value pairs yu can deply with an applicatin t precnfigure the applicatin fr users. Fr resurces abut applicatin cnfiguratins, see Applicatin Cnfiguratin Infrmatin n page 9. Fr mre infrmatin abut the flexible deplyment page, where yu can edit schedules fr deplyments and view settings cnfigured upn uplad, see Flexible Deplyment fr Applicatins Setting s n page 32. Flexible Deplyment fr Applicatins Setting s The flexible deplyment page cntains infrmatin abut yur applicatin assignments. Frm this page, edit schedules fr deplyments and view settings cnfigured upn uplad. 32

33 Chapter 3: Internal Applicatins Optins displayed n this windw depend n the platfrm. Setting Edit Delete Mve Up Mve Dwn Name Pririty App Delivery Methd Effective (Internal Applicatins) Managed Access Remve n Unenrll (Apple ios) Applicatin Backup (Apple ios) VPN Access (Apple ios 7+) Send Cnfiguratin Assume Management Edit assignment cnfiguratins, including the smart grup and push mde. Remve the selected assignment frm the applicatin deplyment. Raise the selected pririty f the assignment by mving it up n the list f assignments. Reduce the selected pririty f the assignment by mving it dwn n the list f assignments. View the assigned smart grup. View the pririty f the assignment yu cnfigured when placing the selected assignment in the list f assignments. Pririty 0 is the mst imprtant assignment and takes precedence ver all ther deplyments. Yu can use this ptin with Effective t help plan deplyments t avid times when yur mbile netwrk experiences heavy traffic. View hw the applicatin pushes t devices. Aut pushes immediately thrugh the AirWatch Catalg with n user interactin. On Demand pushes t devices when the user initiates an installatin frm the AirWatch Catalg. Review the status f the assignment, whether it is in effect nw r will be effective at sme future date. View whether the applicatin has adaptive management enabled. View whether Wrkspace ONE UEM remves the applicatin frm a device when the device unenrlls frm Wrkspace ONE UEM. If yu chse t disable this ptin, prvisining prfiles are nt pushed alng with the installed applicatin. That is, if the prvisining prfile is updated, the new prvisining prfile is nt autmatically deplyed t devices. In such cases, a new versin f the applicatin with the new prvisining prfile is required. View whether Wrkspace ONE UEM disallws backing up the applicatin data t iclud. Hwever, the applicatin can still back up t iclud. View if Wrkspace ONE UEM uses a VPN cnnectin at the applicatin level. This ptin sets end users t access the applicatin using a VPN, which helps ensure that applicatin access and use is trusted and secure. This ptin is Disabled fr platfrms ther than Apple ios. View if Wrkspace ONE UEM sends cnfiguratins t managed Andrid and Apple ios applicatins. View if Wrkspace ONE UEM is enabled t assume management f user-installed applicatins withut requiring the deletin f the previusly installed applicatin frm the device. This ptin crrespnds t the Make App MDM Managed if User Installed ptin. 33

34 Chapter 3: Internal Applicatins Fr infrmatin abut assuming management f applicatins installed by users, see Make App MDM Managed If User Installed n page 148. Flexible Deplyment Cnflicts and Pririties If a device belngs t mre than ne smart grup and yu assign these smart grups t an applicatin with several flexible deplyments, the device receives the scheduled flexible deplyment with the mst immediate Pririty. As yu assign smart grups t flexible deplyments, remember that a single device can belng t mre than ne smart grup. In turn, ne device can be assigned t mre than ne flexible deplyment fr the same applicatin. Example Device 01 belngs t Smart Grup HR and Smart Grup Training. Yu cnfigure and assign tw flexible deplyments fr applicatin X, which include bth Smart Grups. Device 01 nw has tw assignments fr applicatin X. The fllwing example shws hw Device 01 can receive an assignment later than expected due t the flexible deplyment pririty. Pririty Smart Grup Deplyment Parameters Deplyment Received Device 01 Pririty 0 Pririty 1 Smart Grup HR Smart Grup Training Deply in 10 days time On Demand Deply nw Aut Receives this assignment, 10 days later with installatin initiated by the user (n demand). Nt received because it received the Pririty 0 assignment. Cntrl Batch Optins fr Flexible Deplyments Wrkspace ONE UEM ffers the System Admin the ability t cntrl sme batching ptins fr flexible deplyments. Yu can change the size f batches, the frequency Wrkspace ONE UEM releases batches, and the frequency Wrkspace ONE UEM checks fr new assignments. Make edits t batching using scheduler tasks and perfrmance tuning. Cntrl Frequency Cntrl the frequency at which Wrkspace ONE UEM checks fr new flexible deplyment assignments. 1. Navigate t Grups & Settings > All Settings > Admin > Scheduler. 2. Find Scheduled Applicatin Publish and select edit. 3. Cmplete the ptins in the Recurrence Type sectin and save yur settings. Cntrl the frequency at which Wrkspace ONE UEM releases batches f applicatins. 1. Navigate t Grups & Settings > All Settings > Admin > Scheduler. 2. Find Scheduled Applicatin Batch Release and select edit. 3. Cmplete the ptins in the Recurrence Type sectin and save yur settings. Cntrl Perfrmance Tuning Cntrl the size f batches f applicatins that Wrkspace ONE UEM cmpiles and deplys t devices. 1. Navigate t Grups & Settings > All Settings > Installatin > Perfrmance Tuning. 2. Edit Batch Size fr Internal Applicatin Deplyment. 34

35 Chapter 3: Internal Applicatins 3. Save yur settings. Bypass Batching Yu can bypass the batching prcess and release all installatin cmmands fr applicatins. 1. Navigate t Apps & Bks > Applicatins > Native > Internal, and select the applicatin. 2. Select frm the actins menu Mre > Manage > Bypass Batching. Benefits f Tracking Internal App Deplyments Yu can use the applicatin Details View, particularly the Summary, and Devices tabs, t track the deplyment f applicatins. The Details View cnslidates applicatin tracking functins t help with many applicatin management cmmitments. Gather data cncerning applicatin deplyments and install r remve applicatins frm a single lcatin. Cmply with enterprise mandates t deply required applicatin versins. Ntify devices f nn-cmpliance with installatin requirements. View reasn cdes that represent steps in the prgress f installing applicatins. Track Internal Applicatins With Details View Track internal applicatins with the Summary and Devices tabs f the Details View t audit applicatin deplyments and perfrm management functins. 1. Navigate t Apps & Bks > Applicatins > List View > Internal. 2. Search fr and select the desired applicatin. 3. Select the Summary tab and review the applicatin infrmatin. Analytic Data Snapsht Available Actins Install Status Installed Lists the number f devices that have installed the applicatin. Nt Installed Lists the number f devices that have nt installed the applicatin. Select the Nt Installed area t discver which devices have nt installed the applicatin. This actin navigates t the Devices tab. 35

36 Chapter 3: Internal Applicatins Analytic Data Snapsht Available Actins Deplyment Prgress Versins Installed Install Status Breakdwn Assigned T Lists the smart grups assigned t the applicatin's Flexible Deplyment. Status Reprts Wrkspace ONE UEM's release f the installatin cmmand t devices. Deplyment Displays the applicatin's Push Mde, Aut, r On Demand. Displays all the versins installed n devices. Displays reasns fr Installed and Nt Installed statuses. Use the table t review if Wrkspace ONE UEM has released the installatin f the applicatin, the Push Mde used t deliver the applicatin t devices, and the assigned smart grups. Select a nn-cmpliant versin area t determine which devices have nt installed the required versin f the applicatin. This actin navigates t the Devices tab. Select the Nt Installed label t discver the reasns why devices have nt installed a required applicatin versin. This actin navigates t the Devices tab. See Reasns fr Installatin Status fr descriptins. 4. Select the Devices tab, and use the fllwing management functins t act n installatin issues. Setting Send Message t All Install On All Remve Frm All Send a ntificatin t all devices listed n the Devices tab. Install the applicatin n all devices listed n the Devices tab. Remve the applicatin, if managed, frm all the devices listed n the Devices tab. Select individual devices and use the available management functins. Setting Query Send a query t the device fr data cncerning the state f the applicatin. Send Send a ntificatin t the selected device cncerning the applicatin. Install Install the applicatin n the selected device. Remve Remve the applicatin, if managed, frm the selected device. Installatin-Status Reasn Cde s Wrkspace ONE UEM displays reasns that describe the installatin prgressin f internal applicatins n the Details View, Devices tab. The reasn cdes help identify the status f an installatin and if there is an issue with an installatin, s that yu can easily track and trublesht applicatin deplyments. Wrkspace ONE UEM displays the reasns in Apps & Bks > Applicatins > Native > Internal > Details View [fr the specific applicatin] > Devices tab. 36

37 Chapter 3: Internal Applicatins Reasn All Awaiting Install n Device Failed Install Cmmand Dispatched Install Cmmand Ready fr Device Installing Managed Management Rejected MDM Remved Pending Remval Prmpting Prmpting fr Lgin Prmpting fr Management Rejected Unknwn Updating User Installed User Installed App Shws all devices. Acts as the default filter n the Devices tab. Wrkspace ONE UEM sent the installatin cmmand and it has nt yet prmpted device users t accept the installatin. Wrkspace ONE UEM attempted t install the applicatin but encuntered an errr. The device cmmunicated that it received the install cmmand. Wrkspace ONE UEM queued the cmmand and cmmunicated t devices t select in but devices have nt checked in yet. Wrkspace ONE UEM is installing the applicatin. Wrkspace ONE UEM installed the applicatin and nw manages it. The users f ios 9+ devices rejected prmpts t install applicatins r t enter their credentials, s Wrkspace ONE UEM cannt install the applicatin. Wrkspace ONE UEM remved the applicatin due t a mbile device management actin perfrmed with the cnsle. Wrkspace ONE UEM sent an applicatin remval cmmand t devices but the applicatin has nt been remved yet. Wrkspace ONE UEM is prmpting device users t install the applicatin. The app stre is prmpting device users fr their app stre credentials s that they can install the applicatin. Wrkspace ONE UEM is prmpting ios 9+ device users t accept the Make App MDM Managed if User Installed cnfiguratin. T accept the prmpt permits Wrkspace ONE UEM t manage an applicatin that users previusly installed n their devices. The device user rejected the prmpt t install a bk. The device and Wrkspace ONE UEM are nt cmmunicating abut the installatin f the applicatin. Wrkspace ONE UEM pushed an applicatin update cmmand but the device has nt cmmunicated that the applicatin update is cmplete. Wrkspace ONE UEM pushed a bk t devices but device users had already installed it. Wrkspace ONE UEM pushed an applicatin t devices but device users already installed it. 37

38 Chapter 3: Internal Applicatins Reasn User Rejected User Remved Device user rejected the prmpt t install the applicatin. Wrkspace ONE UEM still manages the applicatin but users remved it frm their devices. Reasns Display in Order f Installatin Prgressin Wrkspace ONE UEM displays the install status reasns, r reasn cdes, t help yu determine the status f yur applicatin in the deplyment prcess. The clear shapes represent prcesses that trigger the reasn cde in the clr blck shapes. Prvisining Prfiles fr Enterprise Distributin When yu uplad an internal applicatin t the Wrkspace ONE UEM cnsle, uplad the prvisining prfile that yu generated fr that particular applicatin, t. Fr an internal Apple ios applicatin t wrk, every device that runs the applicatin must als have the prvisining prfile installed n it. The prvisining prfile authrizes develpers and devices t create and run applicatins built fr Apple ios devices. 38

39 Chapter 3: Internal Applicatins Fr internal applicatins, use files frm the Apple ios Develper Enterprise Prgram and nt the Apple ios Develper Prgram. These prgrams are different. When yu get a mbile prvisining prfile fr yur internal applicatins, verify that it is fr enterprise (internal) distributin. Apple ios Develper Enterprise Prgram This prgram facilitates the develpment f applicatins fr internal use. Use prfiles frm this prgram t distribute internal applicatins in Wrkspace ONE UEM. Apple ios Develper Prgram This prgram facilitates the develpment f applicatins fr the app stre. Prvisining Prfiles and Updates Apple generates develpment certificates that expire within three years. Hwever, the prvisining prfiles fr the applicatins made with the develpment certificates still expire in ne year. This mdel can create issues in Wrkspace ONE UEM. Issues exist fr develpers and device users. Develpers wh build and deply multiple versins f an applicatin need a way t remve expired prvisining prfiles that are assciated with active applicatins. Device users receive warnings cncerning the status f an applicatin 30 days befre a prvisining prfile expires. Hwever, if yu can manage renewals, yu can mitigate these issues. Yu can use the expiratin dates Wrkspace ONE UEM displays t mitigate issues. Wrkspace ONE UEM displays expiratin ntices in the cnsle 60 days befre the expiratin date. Yu can update prvisining prfiles and apply them t all assciated applicatins managed in Wrkspace ONE UEM. If the prvisining prfiles are nt assciated t ther applicatins, yu can remve them r replace lder nes. Renew Apple ios Prvisining Prfiles Yu can renew yur Apple ios prvisining prfiles withut requiring end users t reinstall the applicatin. The Wrkspace ONE UEM cnsle ntifies yu 60 days befre the prvisining prfile expires with the expiratin links in the Renewal Date clumn n the Internal tab. Wrkspace ONE UEM als enables yu t renew the file fr all applicatins assciated with it. Yu can access expiratin links fr Apple ios prvisining prfiles frm within the applicable rganizatin grup (OG). The UEM cnsle des nt allw access unless yu are in the crrect OG. 1. Navigate t Apps & Bks > Applicatins > Native > Internal. 2. Select the expiratin link (Expires in XX days) in the Renewal Date clumn fr the applicatin fr which yu want t update the prvisining prfile. 3. Use the Renew ptin n the Files tab t uplad the replacement file. 4. Select the Update Prvisining Prfile Fr All Applicatins setting t apply the renewed file t all assciated applicatins. Wrkspace ONE UEM displays this ptin nly if multiple applicatins share the prvisining prfile. Wrkspace ONE UEM lists the applicatins that share this prvisining prfile fr yu n the Files menu tab. Wrkspace ONE UEM silently pushes the updated prvisining prfile t all devices that have the applicatin installed. 39

40 Chapter 3: Internal Applicatins Expired Apple ios Prvisining Prfiles When an Apple ios prvisining prfile expires, device users cannt access the assciated applicatin, and new device users cannt install the applicatin. Distributin f Win32 Applicatins Wrkspace ONE UEM can deply Win32 applicatins frm the Apps & Bks sectin s that yu can use the applicatin flw that exists fr all internal applicatins. This feature is called sftware distributin. If yu have scripting needs, use the prduct prvisining feature described in the Intrductin t Prduct Prvisining fr Windws Desktp in the VMware Wrkspace ONE UEM Prduct Prvisining fr Windws Desktp Guide. Fr mre infrmatin n sftware distributin and hw t trublesht the system, see the fllwing Wrkspace ONE UEM Knwledge Base article: Requirements t Deply Win32 Applicatins fr Sftware Distributin T deply Win32 applicatins with the sftware distributin, use supprted file types, perating systems, and platfrms. Supprted Platfrms The supprted platfrm t deply Win32 Applicatins is Windws Desktp. Supprted Operating Systems Windws 10 Supprted File Types MSI EXE ZIP CDNs and File Strage Systems All deplyments use a cntent delivery netwrk (CDN) t deply applicatins. This ptin has the advantage f sending cntent t devices in the netwrk and t remte devices. It als ffers increased dwnlad speeds and reduces bandwidth n Wrkspace ONE UEM servers. Hwever, in sme scenaris, a CDN is nt a viable ptin. Fr these instances, use a file strage system. Enable Sftware Package Deplyment Cnfigure Wrkspace ONE UEM t recgnize the deplyment f Win32 applicatins thrugh the sftware distributin methd. SaaS Envirnments Fr the Sftware Package Deplyment ptin t display, Wrkspace ONE UEM enables the CDN fr the envirnment. G t Grups & Settings > All Settings > Device & Users > Windws > Windws Desktp > App Deplyments and enable Sftware Package Deplyment. 40

41 Chapter 3: Internal Applicatins Nte: If yur deplyment whitelists Wrkspace ONE UEM IP addresses, the CDN des nt wrk. On-premises Envirnments On-premises envirnments use a file strage system t stre the large Win32 applicatins. They als use a CDN t dwnlad the applicatins and t reduce the bandwidth n ther servers. 1. First, enable the CDN at Grups & Settings > All Settings > System > Enterprise Integratin > CDN. 2. Enable the file strage system. See Intrductin t File Strage n page 41 fr mre infrmatin and server requirements. Nte: If yur deplyment cannt use the CDN but still wants t deply Win32 applicatins with the sftware distributin, cntact yur VMware Wrkspace ONE UEM representative t get a SQL script t enable the feature. Intrductin t File Strage Certain Wrkspace ONE UEM functinality uses a dedicated file strage service t handle prcessing and dwnlads, which reduces the verall burden n yur Wrkspace ONE UEM database and increases its perfrmance. It als includes certain Wrkspace ONE UEM reprts, internal applicatin deplyment, and Wrkspace ONE UEM managed cntent. When yu enable file strage fr any f these functinalities, it is applied t the thers autmatically. Setting up file strage causes all reprts, all internal applicatins, and all managed cntent t be stred there. Cnfiguring file strage manually is nly applicable t n-premises custmers. It is autmatically cnfigured fr SaaS custmers. Wrkspace ONE UEM Reprts In v9.0.2 cnsle versin three new reprts were added that appear the same as existing reprts but use a revamped back end framewrk. This new framewrk generates reprts with greater reliability and faster dwnlad times. T take advantage f these benefits, yu must set up file strage. Fr mre infrmatin abut these reprting updates, see the fllwing Knwledge Base article: Internal Applicatins When file strage is enabled, all internal applicatin packages (.ipa,.pak,.appx,.msi.,.exe, and s n) that yu uplad thrugh the UEM cnsle are stred in a file strage lcatin. File strage is required t deply Win32 applicatins frm the Apps & Bks area f the UEM cnsle. This feature is called sftware distributin. Wrkspace ONE UEM Managed Cntent Yu can separate the managed cntent frm the Wrkspace ONE UEM database by string it in a dedicated file strage lcatin. Uplading large amunts f managed cntent might cause issues with database perfrmance. In this case, npremises custmers can free up space in the database by mving the managed cntent t an integrated lcal file strage slutin. 41

42 Chapter 3: Internal Applicatins Persnal cntent als mves t the file strage slutin is enabled. By default, persnal cntent is stred in the SQL database. If yu have a Remte File Strage enabled, persnal cntent is stred in the RFS and nt in the file strage r SQL database. File Strage Requirements T set up lcal file strage, yu must meet the fllwing requirements. Imprtant: File Strage is required fr Windws 10 Sftware Distributin. Create the Shared Flder n a Server in yur Internal Netwrk File strage can reside n a separate server r the same server as ne f the ther AirWatch applicatin servers in yur internal netwrk. It is nly accessible t cmpnents that require access t it, such as the Cnsle and Device Services servers. If the Device Services server, Cnsle server, and the server hsting the shared flder are nt in the same dmain, then establish Dmain Trust between the dmains t avid the authenticatin failure. If the Device Services server r Cnsle server is nt jined t any dmain, then supplying the dmain during service accunt cnfiguratin is sufficient. Cnfigure the Netwrk Requirements If using Samba/SMB TCP: 445, 137, 139. UDP: 137, 138 If using NFS TCP and UDP: 111 and 2049 Allcate Sufficient Hard Disk Capacity Yur specific strage requirements may vary depending n hw yu plan t use file strage. The file strage lcatin shuld have enugh space t accmmdate the internal apps, managed cntent, r reprts yu intend t use. Take int the accunt the fllwing cnsideratins. If yu enable caching fr internal apps r cntent, then a best practice is t size the Device Services server fr 120 percent f the cumulative size f all the apps/cntent yu need t publish. Fr string reprts, yur strage requirements depend n the number f devices, the daily amunt f reprts, and the frequency with which yu purge them. As a starting pint, yu shuld plan t allcate at least 50 GB fr deplyment sizes up t 250,000 devices running abut 200 daily reprts. Adjust these numbers based n the actual amunt yu bserve in yur deplyment. Apply this sizing t yur Cnsle server as well if yu enable caching. Create a Service Accunt with Crrect Permissins Create an accunt with read and write permissins t the shared strage directry. Create the same lcal user and passwrd n the Cnsle, Device Services, and the server that is being used fr File Strage. Give the lcal user read/write/mdify permissins t the file share that is being used fr the File Strage Path. Cnfigure the File Strage Impersnatin User in AirWatch with the lcal user. Yu can als use a dmain service accunt instead f a lcal user accunt. 42

43 Chapter 3: Internal Applicatins Cnfigure File Strage at the Glbal Organizatin Grup Cnfigure file strage settings at the Glbal rganizatin grup level in the UEM Cnsle. Enable File Strage fr Applicatins Cnfigure file strage fr internal applicatins using the prcedure belw. This is required if yu are deplying Win32 apps using sftware distributin, but will apply t all internal apps nce cnfigured. 1. At the Glbal rganizatin grup level, navigate t Grups & Settings > All Settings > Installatin > File Path and scrll t the bttm f the page. 2. Select File Strage Enabled and cnfigure the settings. Setting File Strage Path File Strage Caching Enabled File Strage Impersnatin Enabled File Strage Impersnatin Username Passwrd Enter yur path in the fllwing frmat: \\{Server Name}\{Flder Name}, where Flder Name is the name f the shared flder yu created n the server. When enabled, a lcal cpy f files requested fr dwnlad is stred n the Device Services server as a cache cpy. Subsequent dwnlads f the same file retrieve it frm the Device Services server as ppsed t file strage. If yu enable caching, accmmdate fr the amunt f space needed n the server where these files cache. Fr mre infrmatin, see File Strage Requirements n page 42. If yu integrate with a CDN, then apps and files are distributed thrugh the CDN prvider, and a lcal cpy is nt stred n the Device Services server. Fr mre infrmatin, refer t the VMware Wrkspace ONE UEM CDN Integratin Guide ( Select t add a service accunt with the crrect permissins. Prvide a valid service accunt username t btain bth read and write permissins t the shared strage directry. Prvide a valid service accunt passwrd t btain bth read and write permissins t the shared strage directry. 3. Select the Test Cnnectin buttn t test the cnfiguratin. Applicatin Lifecycle fr Sftware Distributin Wrkspace ONE UEM can help manage Win32 applicatins with its lifecycle features, s that yu can knw their installatin statuses, keep them current, and delete them. T manage the deplyment f yur Win32 applicatins, use the life cycle f internal applicatin 43

44 Chapter 3: Internal Applicatins Phase Uplad Win32 Files n page 44 Cnfigure, Assign, and Deply Win32 Files n page 44 Inventry Win32 Applicatins with Tracking Features n page 52 Add Versins fr Internal Applicatins n page 156 Delete Win32 Files n page 53 Add the Win32 applicatin and define if it is a dependency file. Enter details fr the Win32 applicatin, add supprting files, enter deplyment criteria, and assign t devices. Track the installatin prgress f Win32 applicatins. Add full versins f Win32 applicatins and patches. Delete applicatins with several ptins. Uplad Win32 Files Uplad Win32 applicatins as either main files r dependency files. Use the same prcess fr EXE, MSI, and ZIP files. 1. Navigate t Apps & Bks > Applicatins > Native > Internal and select Add Applicatin. 2. Select Uplad, and then select Lcal File and select the applicatin t uplad. 3. Select an answer t Is this a dependency file. Select Yes t tag a dependency file and assciate it t Win32 applicatins. Examples f dependency files are libraries and framewrks. Select Cntinue t g t the next phase in the life cycle. Cnfigure, Assign, and Deply Win32 Files Cnfigure details abut the Win32 applicatin, which include t define when t install it, hw t install it, and when t identify the installatin is cmplete. T cmplete the prcess, assign the applicatin t smart grups with the flexible deplyment feature. 44

45 Chapter 3: Internal Applicatins Fr cnsideratins t review when cnfiguring the Hw T Install sectin, see Cnsideratins fr Retry Cunt, Retry Interval, and Install Timeut Optins n page 50. Cnfiguratin Prcess 1. Cnfigure the Details tab ptins. The Wrkspace ONE UEM system cannt parse data frm an EXE r ZIP file. Enter the infrmatin fr the EXE and ZIP files n this tab. The system parses the listed infrmatin fr MSI files. Applicatin name Applicatin versin Applicatin identifier (als called a prduct cde) 2. Cmplete the Files tab ptins. Review the file initially upladed and uplad dependencies, transfrms, patches, and uninstallatin prcesses. File Cnfiguratins App Dependencies MSI, EXE, ZIP App Transfrms MST file type App Patches MSP file type The envirnment and devices need these applicatins t run the Win32 applicatin. These files cntrl the installatin f the applicatin and can add r prevent cmpnents, cnfiguratins, and prcesses during the prcess. These files add changes that are fixes, updates, r new features t applicatins. The tw types are additive and cumulative. Additive Includes nly changes develped after the latest versin f the applicatin r the last additive patch. Cumulative Includes the entire applicatin including any changes since the latest versin f the applicatin r the last patches. a. Select dependency files in the Select Dependent Applicatins ptin. b. Enable the system t apply dependencies in a specified rder. The system wrks frm tp t bttm. Select Add t brwse t the MST file n the netwrk. a. Select Add. b. Identify the patch as cumulative r additive. c. Select File t brwse t the MSP file n the netwrk. 45

46 Chapter 3: Internal Applicatins File Cnfiguratins App Uninstall Prcess These scripts instruct the system t uninstall an applicatin under specific circumstances. Custmized scripts are ptinal fr MSI files. a. Select the Use Custm Script ptin. b. Select t uplad r enter a script t the system fr Custm Script Type. Select Uplad and brwse t the script file n the netwrk. Select Input and enter the custm script. 3. Cmplete the settings n the Deplyment Optins tab. This tab instructs the system t install the applicatin with specific criteria. The system can parse infrmatin fr MSI files. Hwever, fr EXE and ZIP files, the system requires yu t enter this infrmatin. a. When T Install Cnfigure Wrkspace ONE UEM t install Win32 applicatins when devices and yur mbile netwrk are in a specific state. Data cntingencies wrk fr bth when t install and when t call install cmplete. Instructin This explanatin describes system behavir fr When T Install. Cmpletin This explanatin describes system behavir fr When T Call Install Cmplete. Setting Data Cntingencies Select Add and cmplete the ptins that depend n the criteria type yu select. Set cntingencies fr these scenaris: Instructin Cntingencies instruct the system t install applicatins when the device meets specific criteria. Cmpletin Cntingencies identify when an installatin is cmplete. Add multiple criteria and cnfigure the system t apply all cntingencies (and) r t apply alternative nes (OR). App exists App des nt exist Criteria Type App Instructin Cnfigure the system t install the applicatin when a specific applicatin is r is nt n devices. Cmpletin Cnfigure the system t identify the installatin is cmplete when a specific applicatin is r is nt n devices. Wrkspace ONE UEM checks fr the existence f the applicatin but it des nt deply the applicatin t devices. 46

47 Chapter 3: Internal Applicatins Setting Applicatin Identifier Applicatin Versin File exists File des nt exist Path Mdified On Registry exists Registry des nt exist Path Value Name Value Type Value Data Enter the applicatin identifier s the system can recgnize the existence r nn-existence f the auxiliary applicatin. This value is als knwn as the prduct cde f the applicatin. Enter the specific versin. Criteria Type File Instructin Cnfigure the system t install the applicatin when a specific file is r is nt n devices. Cmpletin Cnfigure the system t identify the installatin is cmplete when a specific file is r is nt n devices. Enter the path n the device where yu want the system t lk fr the file and include the filename. Enter the date the file was last mdified. Criteria Type Registry Instructin Cnfigure the system t install the applicatin when a specific registry is r is nt n devices. Cmpletin Cnfigure the system t identify the installatin is cmplete when a specific registry is r is nt n devices. Enter the path n the device where the system can find the keys and values. Include the entire path, beginning with HKLM\ r HKCU\. Enter the name f the key. This cntainer bject stres the value and it displays in the file structure f the device. Select the type f key displayed in the file structure f the device. Enter the value f key. The name-data pairs stred in the key display in the file structure f the device. Select Add t cntinue setting deplyment ptins. Setting Disk Space Required Device Pwer Required RAM Required Set the disk space devices must have available fr the system t install the applicatin. Set the battery pwer devices must have available fr the system t install the applicatin. Set the randm access memry devices must have available fr the system t install the applicatin. b. Hw T Install 47

48 Chapter 3: Internal Applicatins Cnfigure Wrkspace ONE UEM t install Win32 applicatins t define the installatin behavir n devices. Setting Install Cntext Select hw the system applies the installatin. Device- Define the installatin by the device and all the users f that device. User- Define the installatin by particular user accunts (enrlled). Install Cmmand Enter a cmmand t cntrl the installatin f the applicatin. MSI- The system autmatically ppulates the installatin cmmands, and the cmmands include patches and transfrms. Patches- T update the rder in which the patches install n devices, update their listed rder in the install cmmand. Transfrms- The rder in which the system applies transfrms is set when yu assign the applicatin. Yu see a placehlder name fr the transfrm until yu assciate the transfrm during the assignment prcess. EXE and ZIP- Ppulate the install cmmand and specify the patch names and their rder f applicatin in the cmmand. Yu must als enter the install cmmand that triggers the installatin f the Win32 applicatin. If yu d nt package the patches and transfrms in the EXE r ZIP file and yu add them separately, ensure t add the patch filenames and the transfrm lkup text bxes in the install cmmand. Admin Privileges Device Restart Retry Cunt Retry Interval Install Timeut Installer Rebt Exit Cde Installer Success Exit Cde Set the installatin t bypass admin privilege requirements. Require the device t restart after the applicatin installs successfully, require the device t restart nly if necessary fr the applicatin t functin, r d nt require the device t restart. Enter the number f times the system attempts t install the applicatin after an unsuccessful attempt. Enter the time, in minutes, the system waits when it tries t install the applicatin after an unsuccessful attempt. Enter the maximum time, in minutes, the system allws the installatin prcess t run withut success. Enter the cde the installer utputs t identify a rebt actin. Review the entry fr Device Restart. If yu selected t D nt restart but yu enter a rebt exit cde, the system cnsiders the installatin a success after the rebt cmpletes even thugh the Device Restart settings d nt require a restart fr success. Enter the cde the installer utputs t identify a successful installatin. c. When T Call Install Cmplete 48

49 Chapter 3: Internal Applicatins Cnfigure Wrkspace ONE UEM t identify the successful installatin f Win32 applicatins. The system requires this infrmatin fr EXE and ZIP files. Setting Use Additinal Criteria Identify Applicatin By Cnfigure the system t use specific criteria t recgnize the cmpletin f the installatin prcess. T identify the installatin cmpletin r use custm scripts, add a specific criteria. Defining Criteria Select Add t enter criteria t identify the installatin is cmplete. These settings are the same as the data cntingencies. Script Type Cmmand t Run the Script Custm Script Type Success Exit Cde Select the type f script. Using Custm Script Enter the value that triggers the script. 4. Select Save & Assign t cnfigure flexible deplyment ptins. 5. Select Add Assignment and cmplete the ptins. Select Uplad and navigate t the custm script file n the netwrk. Enter the cde that the script utputs t identify the successful installatin. Setting Select Assignment Grups App Delivery Methd Type a smart grup name t select the grups f devices t receive the assignment. On Demand Deplys cntent t a catalg r ther deplyment agent and lets the device user decide if and when t install the cntent. This ptin is the best chice fr cntent that is nt critical t the rganizatin. Allwing users t dwnlad the cntent when they want helps cnserve bandwidth and limits unnecessary traffic. Autmatic Deplys cntent t a catalg r ther deplyment agent n a device upn enrllment. After the device enrlls, the system prmpts users t install the cntent n their devices. This ptin is the best chice fr cntent that is critical t yur rganizatin and its mbile users. Deplyment Begins On Set a day f the mnth and a time f day fr the deplyment t start. The Pririty setting gverns which deplyments push first. Wrkspace ONE UEM then pushes deplyments accrding t the Effective cnfiguratin. T set a beginning date with enugh bandwidth fr the successful deplyment, cnsider the traffic patterns f yur netwrk. 49

50 Chapter 3: Internal Applicatins Setting DLP Make App MDM Managed if User Installed Applicatin Transfrms Plicies Cnfigure a device prfile with a Restrictins prfile t set data lss preventin plicies fr the applicatin. Select Cnfigure. The system navigates t Devices > Prfiles. Select Add > Add Prfile and the platfrm. Fr Windws Desktp, select Device Prfile > Restrictins and enable ptins that apply t the data yu want t prtect. Assume management f Win32 applicatins. The system des nt prmpt users t allw r deny this actin when yu enable this feature. If a device is emplyee wned, this ptin des nt wrk. Assciate transfrm files t the Win32 applicatins. This setting replaces the placehlder transfrm name in the Install Cmmand ptin. 6. Select Add and then Save & Publish. Fr infrmatin abut cnsideratins and system behavir fr setting Make App MDM Managed if User Installed, see Assume Management f Win32 Applicatins n page 52. Cnsideratins fr Retry Cunt, Retry Interval, and Install Timeut Optins The values fr Retry Cunt, Retry Interval, and Install Timeut ptins fr Win32 applicatins affect the length the system takes t reprt a failed installatin prcess. Cnsider changing the default values t decrease deplyment times. Default Values and Time t Installatin Failure Reprted The default values fr the ptins Retry Cunt - three times Retry Interval - five minutes Install Timeut - 60 minutes wrk in the fllwing sequence fr a single failed installatin prcess. 60 minutes65 minutes 125 minutes 130 minutes 190 minutes 195 minutes (ne hur) (ne hur and five min) (tw hurs and five min) (tw hurs and 10 min) (three hurs and 10 min) (three hurs 15 m Win32 app fails t install and reaches install the timeut f 60 minutes. System retries the installatin (retry cunt #1) at a retry interval f 5 minutes. Win32 app fails t install and reaches install timeut f 60 minutes. System retries the installatin (retry cunt #2) at a retry interval f 5 minutes. Win32 app fails t install and reaches install the timeut f 60 minutes. System retries the installatin (retry cunt #3) at a retry interval f 5 minutes. 50

51 Chapter 3: Internal Applicatins After 3 hurs and 15 minutes, the system reprts a single applicatin installatin as failed. Then, the system installs the next applicatin. Cnfigure Optins Depending n the Applicatin Cnfigure values that cmpliment the applicatin. Fast Installatin Example A brwser applicatin installs n a device in fur minutes. Cnsider setting these values fr this applicatin. Retry Cunt - tw times Retry Interval - five minutes Install Timeut - five minutes The system reprts the failure f this applicatin within 20 minutes. Then, it installs the next applicatin. Slw Installatin Example A large prductivity applicatin installs n a device in 30 minutes. Cnsider these values fr these applicatins. Retry Cunt - three times Retry Interval - five minutes Install Timeut - 35 minutes The system might reprt the failure f this applicatin within 120 minutes. Then, it installs the next applicatin. Fr infrmatin n cnfiguring Hw T Install settings fr the sftware distributin applicatin, see Cnfigure, Assign, and Deply Win32 Files n page 44. Dependency Files in Sftware Distributin Dependency files in the sftware distributin feature are applicatins that are necessary fr a Win32 applicatin t functin. Examples include framewrk packages and libraries. Althugh yu uplad them like a file and yu can view them in the List View, they have reduced features. Dependency File Features Dependency file des nt have assignments f their wn. The applicatins t which they are assciated give the dependency files their assignments. Every dependency file is a separate file and the system des nt create versins fr the file. The system cannt parse infrmatin frm dependency files s yu must enter details such as uninstallatin prcesses. Dependency files have reduced ptins n the Deplyment Optins tab. Yu cannt assciate patches r transfrms t dependency files. Delete Cnsideratins Befre yu delete a dependency, ensure that ther applicatins are nt assciate t it. When yu delete the dependency file, the system remves its assciatin frm all applicatins. Devices newly assigned t the applicatin d nt get the dependency. Deletin des nt remve the dependency frm devices that had the applicatin previus t deletin. 51

52 Chapter 3: Internal Applicatins Assume Management f Win32 Applicatins The system t assume management f Win32 applicatins includes certain caveats t wrk. After yu enable the ptin, the system acts in a specific rder t cmplete the assuming management prcess. Cnsideratins This feature wrks fr devices that meet these caveats. Devices that enrlled r were assigned after yu enabled this ptin and did nt have the applicatin installed. Devices that enrlled r were assigned after yu enabled this ptin and did have the applicatin installed with a status f user-installed. This feature des nt supprt the management assumptin prcess n devices that meet these caveats. Devices that enrlled r were assigned befre yu enabled this ptin and have the applicatin installed with a status f user-installed. Devices that are emplyee wned. If users have BYODs, yu cannt assume management f Win32 applicatins n these devices. System Behavir If yu enable Make App MDM Managed if User Installed, the management assumptin prcess takes the listed actins. 1. Enable Make App MDM Managed if User Installed and publish the Win32 applicatin. 2. VMware Wrkspace ONE UEM sends install cmmands t devices that enrll after publicatin. 3. The device respnds that it received the cmmand. 4. If the admin is trying t assume management f the applicatin, the device prcesses the cmmand by selecting Nt assuming management - The applicatin installs with the usual prcess. Assuming management - The system lks fr the applicatin n the device. Applicatin installed - The system re dwnlads and reinstall the applicatin. 5. The device reprts the status f the applicatin as managed t the cnsle. If yu disable the ptin and the user installs the applicatin, the system marks the applicatin as user-installed. Inventry Win32 Applicatins with Tracking Features Mnitr yur Win32 applicatins deplyed thrugh sftware distributin with the statistics n the Details View and by reviewing installatin status cdes. Use the Details View f internal applicatins t view the prgress and status f installatins. See Track Internal Applicatins With Details View n page 35. View the reasns in the Details View t track the prgressin f an installatin. The reasn cdes help identify the status f an installatin and if there is an issue with an installatin, s that yu can easily track and trublesht applicatin deplyments. Find descriptins fr cmmn reasn cdes in the tpic Installatin-Status Reasn Cde s n page

53 Chapter 3: Internal Applicatins Delete Win32 Files AirWatch includes several methds t remve Win32 applicatins ff devices. Several admin functins impact multiple assets, s understand the changes befre yu prceed. Methd Details View Device Organizatin Grup Assignment Grup User Select the Delete Applicatin functin in the details view f the applicatin. This actin remves the Win32 applicatin ff devices in smart grups assigned t the applicatin. Delete the applicable device frm the cnsle. Delete the rganizatin grup. This actin impacts all assets and devices in the rganizatin grup. Delete the smart r user grup assigned t the Win32 applicatin. This actin impacts every device in the grup. Delete the applicable user accunt frm the cnsle. Patches in Sftware Distributin Use patches t update and fix Win32 applicatins. Wrkspace ONE UEM supprts additive and cumulative patches. In certain cases, a cumulative patch might trigger the system t create a versin f an applicatin. Cumulative Patches and System Deplyment Behavir When yu apply a cumulative patch by editing an applicatin, the system creates a versin f the applicatin with the new patch applied. It makes the nn-patched versin inactive and creates and deplys the patched versin f the applicatin t devices. Patch Restrictins Wrkspace ONE UEM des nt supprt patches that d nt update the versin, and the upgrade cde must match the Win32 MSI applicatin. Peer Distributin fr Win32 Applicatins Wrkspace ONE UEM ffers a peer distributin system t deply Win32 applicatins t enterprise netwrks. Peer distributin can reduce the time t dwnlad large applicatins t multiple devices in deplyments that use a branch ffice structure. Win32 Distributin Challenge In the default distributin prcess, sftware distributin, the Wrkspace ONE UEM cnsle deplys Win32 applicatins frm a secure file strage system r frm a cntent delivery netwrk (CDN). Win32 applicatins are large and it takes time fr them t dwnlad t devices. The dwnlading f Win32 applicatins can als increase the traffic n cmmunicatin channels. Multiple devices use the channel t retrieve the large applicatin simultaneusly frm the CDN r file strage. This cnstant traffic can hamper the netwrk availability needed fr ther critical applicatins. 53

54 Chapter 3: Internal Applicatins Win32 Distributin Optin - Peer Distributin VMware Wrkspace ONE UEM partners with Adaptive t ffer the peer distributin system. The peer distributin system wrks t reduce the traffic n netwrks and the time t install Win32 applicatins. Installatin begins with a specific device in the ffice r subnet called the rendezvus pint (RVP). This initial dwnlad takes time. Hwever, installatin times imprve because devices are nt taxing the strage system r the line f cmmunicatin fr the applicatin package. Instead, devices receive the package frm ther devices in the netwrk. The system als mnitrs the netwrk fr traffic. If the netwrk is busy, installatins pause until the netwrk availability increases. Envirnments That Benefit frm Peer Distributin Peer distributin benefits envirnments with specific characteristics. Offices in remte lcatins with the lw bandwidth and with little means t increase the netwrk bandwidth. Enterprises that use branch ffice hierarchies. Enterprises that have multiple branch ffices that have many devices. Fr required cmpnents f the peer distributin system, see Requirements fr Peer-T-Peer Distributin n page 55. Peer Distributin Cmpnent Rles Peer distributin uses tw main cmpnents: a peer-t-peer server and peer-t-peer clients. Peer-t-peer server This cmpnent maintains the metadata f the Win32 applicatins but nt the actual applicatin packages. It als maintains infrmatin abut clients, client IP addresses, the number f active clients, and the cntent presently at each client. This cmpnent resides in yur netwrk and it must cmmunicate with these cmpnents. VMware Enterprise Systems Cnnectr Yu can install the server and the VMware Enterprise Systems Cnnectr n the same machine. SQL Database r SQL Server Express Peer-t-peer clients n devices Dwnlad and install the server frm the UEM cnsle befre yu cnfigure the peer distributin. Peer-t-peer clients This cmpnent distributes applicatin packages between peers, r devices, and it receives applicatin metadata frm the server. These clients use licenses yu buy with the peer distributin feature. This cmpnent resides n devices and it must cmmunicate with these cmpnents: Sftware distributin clients n devices Peer-t-peer server 54

55 Chapter 3: Internal Applicatins The peer distributin system autmatically deplys clients t devices when yu cmplete the peer distributin sftware setup. An installed peer-t-peer client uses ne license. Netwrk Tplgy This cmpnent represents yur netwrk as ffices in a hierarchy. It enables the peer distributin system t deply applicatins mre efficiently. It uses the hierarchy t cntrl what clients get dwnlads and in what rder. It uses devices called rendezvus pints, r RVPs, as master clients in an ffice. The RVP receives dwnlads and disseminates the applicatins t peer clients. This cmpnent is a spreadsheet that yu uplad t the UEMcnsle. If yu d nt have a netwrk tplgy, yu can dwnlad the spreadsheet frm the cnsle and edit the tplgy initially identified by the peer distributin system. Thugh this cmpnent is ptinal, it greatly imprves efficiencies and dwnlad speeds. Requirements fr Peer-T-Peer Distributin Peer distributin needs the listed cmpnents and cnfiguratins t wrk. Ensure that yur Wrkspace ONE UEM deplyment includes these requirements. Supprted Platfrms and Applicatin Types Windws Desktp (Windws 10) Win32 applicatins Required Cmpnents SQL - Get SQL Server Express r see if yur rganizatin uses SQL Database. The peer-t-peer server uses SQL Database t stre applicatin metadata and infrmatin abut the netwrk tplgy. T dwnlad SQL Server Express, utbund prt 443 must be pen. Ensure that the peer-t-peer server can cmmunicate with SQL Server Express r the rganizatin's SQL Database. VMware Enterprise Systems Cnnectr - Ensure that VMware Enterprise Systems Cnnectr is enabled. This cmpnent ensures secure cmmunicatin between yur netwrk and Wrkspace ONE UEM. Ensure that the All Other Cmpnents ptin is enabled in the VMware Enterprise Systems Cnnectr cnfiguratins lcated in the cnsle at Grups & Settings > All Settings > Enterprise Integratin > VMware Enterprise Systems Cnnectr > Advanced > AirWatch UEM Services > All Other Cmpnents. Sftware Package Deplyment - Cnfigure Wrkspace ONE UEM t recgnize the deplyment f applicatin packages thrugh the sftware distributin methd. The sftware distributin client resides n devices t cmmunicate with the peer-t-peer system and the Wrkspace ONE UEM cnsle. G t Grups & Settings > All Settings > Device & Users > Windws > Windws Desktp > App Deplyments and enable Sftware Package Deplyment. File Strage (n-premises) - Wrkspace ONE UEM stres Win32 applicatins n a secure file strage system. Peer-tpeer clients receive applicatin packages frm the strage system when clients cannt find ther clients with the applicatin package. See Intrductin t File Strage n page 41 fr mre infrmatin and server requirements. 55

56 Chapter 3: Internal Applicatins Peer-t-Peer Server Requirements Ensure that the machine that huses the peer-t-peer server meets these requirements. Cmpnent Requirement Operating system Windws Server Prcessr Xen Prcessr, single quad cre Memry allcatin 0 5,000 clients MB SQL Requirements Service Accunt Permissins n the SQL Database 5,001 t 10,000 clients MB 10,001 19,999 clients MB 20,000 49,999 clients MB 50, MB On the machine hsting the SQL Database instance r SQL Server Express, grant the entity Service Accunt Permissins SQL sysadmin server rles fr the initial installatin f the peer distributin system. The rle is nt needed fr everyday peratin f the peer distributin system. Required Databases db_datareader db_datawriter db_ddladmin Required Database Size The database requires 200 KB per client. Required Cnfiguratins fr Deplyment The deplyment f applicatins with the peer-t-peer distributin system requires yu t set the listed cnfiguratins in the UEM cnsle and n devices. Enable the sftware package deplyment. See Requirements t Deply Win32 Applicatins fr Sftware Distributin n page 40. Cnfigure the peer distributin sftware. See Cnfigure Peer Distributin Sftware Setup n page 63. Install and activate peer-t-peer clients n devices. See Cnfigure Peer Distributin Sftware Setup n page 63. Uplad and publish applicatins t the peer-t-peer server. See Applicatin Lifecycle fr Sftware Distributin n page

57 Chapter 3: Internal Applicatins CDN fr n-premises, Optinal On-premises deplyments can use a cntent delivery netwrk (CDN) as the backup delivery system instead f the file strage system. Wrkspace ONE UEM partners with a third-party vendr t ffer a CDN fr the n-premises envirnment at a cst. Wrkspace ONE UEM als integrates this CDN slutin fr SaaS envirnments. This ptin has the advantage f sending the cntent t devices in the netwrk and t remte devices. Whereas the peer distributin system with the file strage backup, sends cntent t nly devices in the netwrk. Althugh ptinal, a CDN ffers increased dwnlad speeds and reduces bandwidth n Wrkspace ONE UEM servers. Find settings fr this ptin in Grups & Settings > All Settings > System > Enterprise Integratin > CDN. Cnsideratins fr Peer Distributin Understand the behavir f the netwrk, the types f cmmunicatin, the cmmunicatin channels between cmpnents, and license management. T avid pssible issues, review the cnsideratins Imprtant: D nt send cnfidential packages with the peer distributin. See the encryptin sectin in this tpic fr infrmatin. Cmmn Netwrk - The peer-t-peer server, the VMware Enterprise Systems Cnnectr, and the peer-t-peer clients must all cmmunicate n the same netwrk. If these system cmpnents are n subnets f yur netwrk and the subnets can cmmunicate, then the feature can transfer applicatins. Clients that are nt n the netwrk cannt receive applicatins with the peer-t-peer distributin. Encryptin - Cmmunicatin between the peer-t-peer server and Wrkspace ONE UEM is encrypted. The cmmunicatin is nt encrypted between peer-t-peer clients in the netwrk. This cmmunicatin uses UDP but the package itself is nt encrypted between clients. Althugh the system checks fr tampered packages, a best practice is nt t send cnfidential packages with the peer-t-peer distributin. UDP - The peer-t-peer server and client use UDP t cmmunicate with Wrkspace ONE UEM. Central Office - The peer-t-peer server must reside in ne f the subnets in the tp-tiered Central Office. License Overages - The peer-t-peer system des nt stp yu frm assigning mre licenses than yu have bught. If yu assign extra licenses, the system charges yu fr them. T help gauge license usage, the rati f client installatin t the used license is ne t ne. Open Prts - The peer-t-peer client needs specific prts pen t transfer metadata. Find ut if yur netwrk management team has clsed the required prts r has blcked bradcasting n these prts. If these prts are clsed r d nt allw bradcasting, cntact yur VMware Wrkspace ONE UEM representative abut alternative prts. See Prts Used fr Peer Distributin n page 58 fr infrmatin. Cnsle, Client, and Server Versins - Yu must deply and use the supprted versin f the peer-t-peer client and the peer-t-peer server. Update the peer-t-peer server when the Wrkspace ONE UEM cnsle includes an update t the peer-t-peer client. If the versins are nt supprted, the feature des nt wrk. SQL Server Express - Dwnlad and install SQL Server Express n the same server that has the VMware Enterprise Systems Cnnectr. Install this cmpnent befre cnfiguring peer-t-peer setup because it might take sme time t cmplete its installatin. 57

58 Chapter 3: Internal Applicatins Applicatin Metadata - The peer-t-peer system stres and transmits the blb ID (r cntent ID), the applicatin size, and the applicatin hash. It des nt stre r transfer any ther data. Initial Dwnlads - The first dwnlad in a peer distributin prcess takes the lngest time. After the initial dwnlads and as mre devices in the subnet receive the applicatin, dwnlad times get faster. Activatin Prcesses - After yu save yur cnfiguratins, the system activates the peer-t-peer server and clients with a license key. Yu can input yur tplgy r use the ne the netwrk generates at activatin. Als at the time f activatin, the system publishes all the existing Win32 applicatin cntent t the peer-t-peer server. Frm this pint n, devices that belng t the peer distributin netwrk begin t receive the applicatin dwnlad. Prts Used fr Peer Distributin The listed prts must be pen s that the peer-t-peer clients can transfer metadata t the peer-t-peer server. Nte: If yu have n grup plicies that blck the creatin f firewall plicies, the peer distributin cmpnent installers create the necessary firewall rules. Sending Cmpnent Receiving Cmpnent Prtcl Prt Messaging frm Client t Server Peer-t-peer clients Peer-t-peer server UDP After clients receive small messages, they acknwledge r reply t the server Clients send small messages t the server Large replies frm clients t the server using Fregrund Prtcl Clients send large messages t the server using Fregrund Prtcl Large replies frm clients t the server using Backgrund Prtcl Clients send large messages t the server using Backgrund Prtcl. 58

59 Chapter 3: Internal Applicatins Sending Cmpnent Receiving Cmpnent Prtcl Prt Messaging Frm Server t Client Peer-t-peer server Peer-t-peer clients UDP After the server receives small messages, it acknwledges r replies t clients. Peer-t-peer clients Peer-t-peer clients Peer-t-peer server Peer-t-peer clients Same ffice Parent ffices Child ffices Peer-t-peer clients in the same subnet Peer-t-peer clients in the Central Office Messaging frm Client t Client Server sends small messages t clients Large replies frm the server t clients using Fregrund Prtcl Server sends large messages t clients using Fregrund Prtcl Large replies frm the server t clients using Backgrund Prtcl Server sends large messages t clients using Backgrund Prtcl. UDP After clients receive small messages frm anther client, acknwledgments and replies are sent t this prt Messaging Client t Client Bradcast Clients send small messages t ther clients Large replies frm clients t clients using Fregrund Prtcl Clients send large messages t ther clients using Fregrund Prtcl Large replies frm clients t clients using Backgrund Prtcl Clients send large messages t ther clients using Backgrund Prtcl. UDP Clients bradcast requests t ther clients Data Transfer frm Server t Client UDP Server sends cntent t clients using Fregrund Prtcl. 59

60 Chapter 3: Internal Applicatins Sending Cmpnent Receiving Cmpnent Prtcl Prt Peer-t-peer clients Peer-t-peer clients in the same ffice Peer-t-peer clients in child ffices Data Transfer frm Client t Client UDP Clients send cntent t ther clients in the same lgical ffice using Fregrund Prtcl. Data Transfer Cntrl Prts Clients send cntent t clients in child ffices using Backgrund Prtcl. Peer-t-peer clients Peer-t-peer server UDP Clients send a cntrl signal t the server fr any large transfer using Adaptive Prtcl. VMware Enterprise Systems Cnnectr (VESC) Peer-t-peer clients in the same ffice, in parent ffices, and in child ffices Data Transfer between VESC, Server, and Database Clients send a cntrl signal t ther clients fr any large transfer using Adaptive Prtcl. Peer-t-peer server UDP VESC sends messages fr activatin, health checks, applicatin metadata t the peert-peer server. Peer-t-peer server VESC UDP Peer-t-peer server respnds t requests frm the VESC. Data Transprt Behavirs fr Peer-T-Peer Netwrks T plan fr the distributin ptimizatin in yur peer-t-peer deplyment, cnsider hw data transfers within netwrks. Offices and Subnets Define an ffice with ne r mre subnets r subnet ranges cnnected ver a lcal area netwrk (LAN). Offices retrieve the cntent frm their parent ffices, and distribute them t their child ffices. Office Types Peer distributin has three types f ffices, and these ffice types share data in specific ways. Default - Defines a standard wired LAN. Clients attempt t the share cntent and they send bradcast discvery requests. VPN - Defines an ffice and subnet range allcated fr clients cnnecting thrugh VPN. Clients within a VPN ffice d nt attempt t the share cntent, but they d send bradcast discvery requests. WiFi - Defines an ffice and subnet range allcated t clients cnnected ver WiFi. Clients within a WiFi ffice share cntent, but they d nt send bradcast discvery requests. 60

61 Chapter 3: Internal Applicatins Nte: If yu have a physical ffice with a wired (default) subnet and a WiFi subnet, create an ffice fr each netwrk. Make the WiFi ffice a child f the wired ffice s that the WiFi netwrk receives packages frm the wired parent ffice. Central Office and the Peer-t-Peer Server The peer-t-peer server must reside in ne f the subnets in the tp-tiered Central Office. This placement makes it available t all clients in the hierarchy. Data Transprt in Offices The system distributes cntent frm a parent t child ffice nce. This behavir limits data sent acrss wide area netwrk (WAN) links. Adaptive Prtcl The adaptive prtcl is a prprietary prtcl that mnitrs the length f edge ruter queues and sends data when queues are nearly empty. This prtcl, implemented by an advanced kernel driver, remves the need t thrttle the bandwidth when deplying applicatins with the peer distributin. Within Offices Data transprt within ffices uses the LAN, r Fregrund prtcl. The peer distributin system des nt manage this prtcl. Between Offices Data transprt between ffices uses the WAN, r Backgrund prtcl. This prtcl is als called the Adaptive Prtcl that prtects the bandwidth availability n WAN links. Between Subnets Define subnets cnnected ver a WAN link as separate ffices. If ffices are miscnfigured, the LAN prtcl might be used ver a WAN link, causing saturatin f the WAN. Clients Receive Applicatins Accrding t Ordered Criteria The peer-t-peer system sends and receives applicatins accrding t many factrs, including the available device space, device frm factr, and perating system type. The dwnlad rder fllws these electins frm tp t bttm. 1. Devices with the largest actual free space 2. Devices that are identified as preferred, als called RVPs (rendezvus pints) 3. Device chassis type (desktps are selected ver laptps) 4. Device perating system type (servers are selected ver wrk statins) 5. Devices with the lnger system up-times 6. Devices with the largest usable free space 61

62 Chapter 3: Internal Applicatins Backup Systems Peer-t-peer clients receive applicatin packages frm a CDN r a file strage system when they cannt find packages within the hierarchy. A CDN, which is ptinal fr n-premises deplyments, ffers increased dwnlad speed ver the file strage system. Plan fr Distributin Optimizatin with a Netwrk Hierarchy Use the distributin ptimizatin feature t cntrl the surces f the applicatin package. Dwnlad the spreadsheet frm the Peer Distributin page and add ffices, subnets, and IP ranges t represent yur peer-t-peer netwrk. Cnsider asking yur netwrk management team fr their tplgy f the netwrk. During yur planning, review the system behavirs utlined in Data Transprt Behavirs fr Peer-T-Peer Netwrks n page 60. Disabling Distributin Optimizatin When yu d nt use the distributin ptimizatin, the peer distributin system assumes that every subnet receives ne package dwnlad. The system generates the default tplgy based n the clients that get registered with the server. One ffice lcatin is created per subnet. When the clients in the ffice r subnet try t dwnlad a new piece f cntent, the system initiates ne dwnlad per subnet. Hierarchical Representatin Optimizatin wrks best if yu represent yur peer-t-peer netwrk as a hierarchy. One example f a simple netwrk tplgy is pictured. In the example, the rendezvus pint (RVP) in the central ffice sends the initial applicatin package t Bstn (Default) and Lima. Fllwing the Nrth American side, the RVPs in the Bstn (WiFi), Baltimre, and Trnt ffices receive the applicatin package frm the Bstn (Default) ffice. The RVP in Miami receives the package frm the Baltimre ffice. If 62

63 Chapter 3: Internal Applicatins a package is nt available fr any reasn, ffices receive it frm the backup file strage system r cntent delivery netwrk. Cnfigure Peer Distributin Sftware Setup Enable the peer-t-peer distributin and dwnlad the peer-t-peer distributin server. Imprtant: Cpy the shared key the peer-t-peer server installer displays. If yu lse this key, yu must install the server again and select t regenerate the key. Yu enter this shared key in the Wrkspace ONE UEM cnsle. 1. Navigate t Grups & Settings > All Settings > System > Enterprise Integratin > Peer Distributin. 2. Dwnlad the peer-t-peer server and install it, as the admin, in yur netwrk n the same server as the VMware Enterprise Systems Cnnectr and the SQL database r SQL Server Express. Ensure t cpy and save the shared key t enter t the UEM cnsle. If yu d nt install the server n the same machine with the ther cmpnents, then install the server in the secured netwrk s that it can cmmunicate with the ther cmpnents and the clients after yu distribute them. 3. After installing the peer-t-peer server, cmplete the rest f the ptins n the Peer Distributin page. Setting Cnfiguratin Server Name/ IP Shared Authenticatin Key Enter the server name r IP address f the peer-t-peer server. If yu put the server n the same machine as the VMware Enterprise Systems Cnnectr, use that name r IP address. Enter the key cpied during the installatin f the peer-t-peer server. This key activates trusted cmmunicatin between the peer-t-peer server, the peer-t-peer clients, and the Wrkspace ONE UEM infrastructure. If yu d nt enter the mst recent key generated, the system displays a key mismatch errr. 63

64 Chapter 3: Internal Applicatins Setting Distributin Optimizatin Enable this ptinal feature t uplad a spreadsheet f yur netwrk tplgy. Yu can als dwnlad the tplgy fr yur netwrk as recrded by the peer-t-peer system. Netwrk tplgies can be intricate. Befre yu enable this feature, speak with yur netwrk team abut the cmpany's netwrk tplgy. If yu disable this ptin, the system creates ne ffice fr each subnet f the registered clients. These ffices are cnnected t the central ffice as children. There are benefits t this setting. It helps cntrl the initial dwnlad t preferred devices in a subnet. Preferred devices have a histry f being available n the netwrk and successfully dwnlading t ther devices in their subnet. Assigned T Grups Trubleshting Server ID Health select Publish Cntent. Activated Licenses It keeps IP ranges intact because split netwrk ranges cause n-ffice clients and n-ffice clients d nt get dwnlads frm the peer-t-peer server. It ensures dwnlads initiate n cnfigured netwrks befre defaulting t cntent delivery netwrks r file strage systems. Enter grups t receive applicatins with the peer-t-peer system. Use this value when yu talk t a Wrkspace ONE UEM representative abut issues with the peer distributin system. Validates that cmmunicatin wrks between the peer-t-peer system and the Wrkspace ONE UEM infrastructure. It als validates that the current system is using the supprted peer-t-peer client and server versins. Publishes every applicatin in the system. This ptin helps t rebuild applicatin deplyments if there is a catastrphic incident. Dwnlad Activated Devices is a reprt that lists the devices that have installed the peer-t-peer client and are currently using a license. 4. Save the settings and the system autmatically deplys peer-t-peer clients t the devices in the grups entered n this page. Once yu cmplete the peer-t-peer server cnfiguratin, and save the settings, the Wrkspace ONE UEM server reaches t the Adaptiva clud licensing server t get a license key. The license key is sent t the peer distributin server fr activatin. The peer distributin server peridically cnnects t the Adaptiva clud licensing server and sends the number f used licenses t receive a new tken. Fr mre infrmatin n the Peer Distributin setup, cnfiguratin, and installatin see Peer Distributin fr Win32 Applicatins n page

65 Chapter 3: Internal Applicatins Install the Peer-t-Peer Server Dwnlad the peer-t-peer server frm the Peer Distributin page in the Wrkspace ONE UEM cnsle. Fllw the prmpts in the installatin wizard. Fr reference, the wizard includes the depicted instances. 1. Ensure the machine that hsts the peer-t-peer server meets the requirements listed in Requirements fr Peer-T- Peer Distributin n page Navigate t Grups & Settings > All Settings > System > Enterprise Integratin > Peer Distributin and dwnlad the server. 3. Open the server installer executable. 4. Select a SQL Server Type and cnfigure the Settings. T dwnlad and use a new instance f SQL Server Express, cnfigure where the wizard installs SQL Server Express. T use an existing SQL Database r SQL Express Server, enter the SQL server and lgin infrmatin. Details include the name f the database server, the SQL instance name, the prt f cnnectin and the authenticatin details. 5. Select Install. The peer distributin server dwnlads and installs. If yu dwnladed a new instance f SQL Server Express, the server dwnlads and installs with the peer distributin server. 65

66 Chapter 3: Internal Applicatins 6. Cpy the Security Key t enter in t the UEM cnsle. Als, enter the name and IP address f the new. Re-Run the Installer fr a New Security Key If yu misplace the riginal ne, yu can generate a new key: 1. Rerun the installer. 2. Select the ptin Generate a New VMware Shared Key in the Installatins Settings area. 3. Select Upgrade. Firewall Rules Blck SQL Server Express If yur firewall rules n the server blck the free SQL Server Express dwnlad, install it manually. 1. Dwnlad SQL Server Express frm n a machine withut firewall restrictins. 2. On the server machine, cpy and extract the dwnladed SQL Server Express setup in c:\sqltemp. 3. Enter the cmmand-line parameter. C:\sqltemp\Setup.exe /q /Hidecnsle /ACTION=Install /IACCEPTSQLSERVERLICENSETERMS /Features=SQLEngine /TCPENABLED=1 /BROWSERSVCSTARTUPTYPE=Autmatic /AddCurrentUserAsSQLAdmin /SQLSYSADMINACCOUNTS="NT AUTHORITY\LOCAL SERVICE" "NT AUTHORITY\SYSTEM" /SQLSVCACCOUNT="NT AUTHORITY\SYSTEM" /SQLSVCSTARTUPTYPE=Autmatic /INSTANCENAME=ADAPTIVASQL The system generates SQL setup lgs in %temp%. 4. Run the peer-t-peer server installatin wizard with the SQL Server Express. Applicatin Remval Prtectin Overview The applicatin remval prtectin feature helps ensure that the system des nt remve business-critical applicatins unless apprved by the admin. 66

67 Chapter 3: Internal Applicatins Internal applicatins are ften develped t perfrm enterprise-specific tasks. Their abrupt remval can cause user frustratin and halt wrk. T prevent the remval f imprtant internal applicatins, the feature hlds remval cmmands accrding t threshld values. Until an admin acts n the held cmmands, the system des nt remve internal applicatins. General Steps fr the Feature Cnfigure the feature with the utlined steps. 1. View default threshld values r edit the threshld values fr the rganizatin grup. If threshld values are met, Wrkspace ONE UEM hlds the applicatin remval cmmands and displays them by applicatin in the App Remval Lg. Enter addresses that receive ntificatins abut the prblem with the App Remve Limit Reached Ntificatin template. 2. Act n the applicatin remval cmmands held by the system. Purge applicatin remval cmmands frm the cmmand queue by selecting Dismiss. Remve internal applicatins frm devices by selecting Release, which sends applicatin remval cmmands. 3. Assign thse applicatins back t the desired smart grups if yu dismissed the cmmands. Applicatin Remval Prtectin System Behavirs T help set effective threshld values and t decide hw best t handle held cmmands, review the behavirs f the prtectin system. Triggers f Applicatin Remval Cmmands The system canvasses the applicatin remval cmmand queue fr values that meet r exceed yur threshld values. The listed actins trigger applicatin remval cmmands. Edit smart grups Publish applicatins Deactivate applicatins Retire applicatins Delete applicatins 67

68 Chapter 3: Internal Applicatins Cnfiguratins and Actins Apply t Bundle IDs The system applies threshld values per bundle ID. It is pssible fr a single applicatin t have varying names and still have the same bundle ID. If this prblem arises, the prtectin system selects ne name t display in the lg. Hwever, the system applies admin cmmands t the bundle ID. The System Fllws Organizatin Grup Hierarchies The system sets default threshld values at a Custmer type rganizatin grup. Child rganizatin grups inherit these values. Nte: Admins cannt verride threshld values in child rganizatin grups. Admins' placement in the rganizatin grup hierarchy cntrls their available rles and actins. Admins in child rganizatin grups can act n remval cmmands in their assigned rganizatin grups. Admins in parent rganizatin grups can edit values and act n remval cmmands in the parent grup and in child rganizatin grups. Held Cmmand Status Explanatins The cmmand status the cnsle displays in the applicatin remval lg represents the listed phase f the prtectin prcess. Status Cause Held fr apprval Released t device Dismissed by admin The prtectin system hlds remval cmmands, and the system des nt remve the assciated internal applicatin. The remval cmmands are in the cmmand queue but the system cannt prcess them withut admin apprval. The prtectin system sent the cmmands t remve applicable internal applicatins ff devices. The prtectin system purged the remval cmmands frm the cmmand queue. The system did nt remve applicable internal applicatins ff devices. The system hlds remval cmmands because the threshld values were met. The system released the cmmands because an admin cnfigured the release. The system purged the cmmands because an admin cnfigured the dismissal. Edit Threshld Values fr Applicatin Remval Prtectin Use the default values r enter the limits that trigger the system t hld applicatin remval cmmands. These actins stp the system frm remving the assciated internal applicatins ff devices. Select values that reflect the level f risk the enterprise tlerates if the system remves ne critical applicatin frm a set f devices. 1. Cnfigure the feature in an rganizatin grup at the custmer level r belw in the Wrkspace ONE UEM cnsle. 2. Navigate t Grups & Settings > All Settings > Apps > Wrkspace ONE > App Remval Prtectin. 68

69 Chapter 3: Internal Applicatins 3. Cmplete the threshld ptins. Setting Devices Affected Within (minutes) Template Send t 4. Save the settings. Enter the maximum amunt f devices that can lse a critical applicatin befre the lss hinders the wrk f the enterprise. Enter the maximum amunt f minutes that the system sends remval cmmands befre the lss f a critical applicatin hinders devices frm perfrming business tasks. Select an ntificatin template and make custmizatins. The system includes the App Remve Limit Reached Ntificatin template, which is specific t app remval prtectin. Enter addresses t receive ntificatins abut held remval cmmands s that the recipients can take actins in the app remval lg. Act n Held Applicatin Remval Cmmands Use the App Remval Lg page t cntinue t hld applicatin remval cmmands, dismiss cmmands, r release the cmmands t devices. 1. Navigate t Apps & Bks > Applicatin Settings > App Remval Lg. 2. Filter, srt, r brwse t select data. Filter results by Cmmand Status list applicatins. Srt by Bundle ID t select data. Select an applicatin. Yu can select the Impacted Device Cunt link t brwse the list f devices affected by actins. This actin displays the App Remval Lg Devices page that lists the device name f the devices. Yu can use the device name t navigate t the devices' Details View. 3. Select Release r Dismiss. The Release ptin sends the cmmands t devices and the system remves the internal applicatin ff devices. The Dismiss ptin purges the remval cmmands frm the queue and the system des nt remve the internal applicatin ff devices. 4. Fr dismissed cmmands, return t the internal applicatins area f the cnsle and check the smart grup assignments f the applicatin fr which yu dismissed cmmands. Ensure that the internal applicatin's smart grup assignments are still valid. If the smart grup assignment is invalid and yu d nt check it, the system might remve the applicatin when the device checks-in with the system. Safeguards fr Prprietary, Nn-Stre, Wrkspace ONE UEM Applicatins Wrkspace ONE UEM includes safeguards t prevent the remval f prductin versins f Wrkspace ONE UEM prprietary applicatins when yu remve the test versins frm the cnsle. Add and remve the test versin by 69

70 Chapter 3: Internal Applicatins fllwing a specific task rder. Definitin f Prprietary, Nn-Stre, Wrkspace ONE UEM Applicatins A prprietary, nn-stre, Wrkspace ONE UEM applicatin, like Secure Launcher, is seeded r included in the Wrkspace ONE UEM instance. It is part f the Wrkspace ONE UEM Installer and yu deply it t devices with a prfile r with ther settings in the cnsle. Sme enterprises want t test versins f these applicatins befre they deply them t prductin. Cnsideratins Separate Testing Wrkspace ONE UEM cnsle Instance and Test Grups If pssible, test applicatins in a separate envirnment with a testing instance f the UEM cnsle. Applicatin ID Wrkspace ONE UEM uses the applicatin ID t identify the test versin f the prprietary applicatin. Applicatin Remval Cmmands Remve the test versin befre yu retire r delete the applicatin. If yu skip this step, Wrkspace ONE UEM des nt queue applicatin remval cmmands fr these test applicatins. Add Prcess f Test Applicatins Add a test versin f a prprietary Wrkspace ONE UEM applicatin with these steps. 1. Use a test instance f the Wrkspace ONE UEM cnsle. 2. Create a grup f devices n which t deply the test applicatin in their wn rganizatin grup. 3. Uplad the test applicatin t the Internal tab f Apps & Bks, enter infrmatin yu want, and select Save & Assign. 4. Assign the applicatin t the test grup with the Add Assignment ptin. The App Delivery Methd fr seeded applicatins is On Demand and is nt cnfigurable. Yu can als edit the applicatin, select the Devices tab, and select the Install On All ptin. Remval Prcess f Test Applicatins Remve a test versin f a prprietary Wrkspace ONE UEM applicatin with these steps. 1. G t the Internal tab in Apps & Bks and edit the applicatin. 2. On the Devices tab, select the Remve Frm All ptin. 3. G t the Details View f the applicatin n the Internal tab f Apps & Bks and delete r retire the applicatin frm the actins menu. 70

71 Chapter 4: Public Applicatins Add Public Applicatins frm an App Stre 72 Paid Public ios Applicatins and Wrkspace ONE UEM 74 Public Applicatin Installatin Cntrl n ios Devices 76 The Micrsft Stre fr Business and Wrkspace ONE UEM 78 71

72 Chapter 4: Public Applicatins Add Public Applicatins frm an App Stre Deply public applicatins t devices with Wrkspace ONE r the AirWatch Catalg. When yu uplad a public applicatin, fr sme platfrms yu have the ptin enable managed access. Fr infrmatin abut managed access and pen access, see Wrkspace ONE UEM Applicatins and the Wrkspace ONE Managed Access Feature n page Navigate t Apps & Bks > Applicatins > Native > Public and select Add Applicatin. 2. View the rganizatin grup frm which the applicatin uplads in Managed By. 3. Select the Platfrm. 4. Find the applicatin in an app stre by entering a search keywrd in the Name text bx. 5. Select frm where the system gets the applicatin, either Search App Stre r Enter URL. Setting Search App Stre ios Searches fr the applicatin in the app stre. Windws Desktp and Phne Searches fr the applicatin. If yu acquire applicatins this way and nt with the Micrsft Stre fr Business. The system des nt manage them. Andrid If yu have cnfigured integratin with the Ggle Play Stre, the system searches fr the applicatin in the app stre. This cnfiguratin als wrks when integrating with the Andrid fr Wrk system. See the Wrkspace ONE UEM Integratin with Andrid fr Wrk guide. Add Ggle Play URL This ptin nly displays fr Andrid applicatins, and the system displays it because Ggle Play Stres are lcalized. The stres ffer applicatins based n regins. This ptin enables yu t deply applicatins that are in a different regin frm yur Wrkspace ONE UEM server. Enter URL Adds the applicatin using a URL fr the applicatin. If yu add applicatins with this methd, the system des nt manage them. 6. Select Next and Select the desired applicatin frm the app stre result page. 7. Cnfigure ptins n the Details tab. Setting Name View in App Stre Categries Supprted Mdels View the name f the applicatin. View the stre recrd fr the applicatin where yu can dwnlad it and get infrmatin abut it. Use categries t identify the use f the applicatin. Yu can cnfigure custm applicatin categries r keep the applicatin's pre-cded categry. Select all the device mdels that yu want t run this applicatin. 72

73 Chapter 4: Public Applicatins Setting Is App Restricted t Silent Install Andrid Size Apple ios Managed By Rating Cmments Default Scheme Apple ios Windws Desktp Windws Phne Assign this applicatin t thse Andrid devices that supprt the Andrid silent uninstallatin feature. Wrkspace ONE UEM cannt silently install r uninstall public applicatins. Hwever, yu can cntrl what applicatins yu push t yur Andrid standard devices r yur Andrid enterprise devices. Andrid enterprise devices supprt silent activity. View the size f the applicatin fr strage. View the rganizatin grup (OG) that the applicatin belngs t in yur Wrkspace ONE UEM OG hierarchy. View the number f stars that represents the ppularity f the applicatin in the Wrkspace ONE UEM cnsle and in the AirWatch Catalg. Enter cmments that explain the purpse and use f the applicatin fr the rganizatin. Indicates the URL scheme fr supprted applicatins. The applicatin is packaged with the scheme, s the system parses the scheme and displays the value in this text bx. A default scheme ffers many integratin features fr yur applicatins. Use the scheme t integrate with ther platfrms and Web applicatins. Use the scheme t receive messages frm ther applicatins and t initiate specific requests. Use the scheme t run the Apple ios applicatins in the AirWatch Cntainer. 8. Assign a Required Terms f Use fr the applicatin n the Terms f Use tab. This setting is ptinal. Terms f use state specifically hw t use the applicatin. They make expectatins clear t end users. When the applicatin pushes t devices, users view the terms f use page that they must accept t use the applicatin. If users d nt accept the terms f use, they cannt access the applicatin. 9. Select the SDK tab and assign the default r custm SDK Prfile and an Applicatin Prfile t the applicatin. SDK prfiles apply advanced applicatin management features t applicatins. 10. Select Save & Assign t cnfigure flexible deplyment ptins fr the applicatin. Applicatin cnfiguratins are vendr-specific key-value pairs yu can deply with an applicatin t precnfigure the applicatin fr users. Fr resurces abut applicatin cnfiguratins, see Applicatin Cnfiguratin Infrmatin n page 9. Assign the Applicatin T assign and deply public applicatins, cnfigure the flexible deplyment ptins explained in Add Assignments and Exclusins t Applicatins n page 30. Wrkspace ONE UEM and Valid Ggle Play Stre URLs When yu add an Andrid public applicatin, yu can enter the Ggle Play Stre URL. Yu can als add a URL that yu knw t be valid but that is nt frm the Ggle Play Stre. This methd is useful t deply applicatins when Wrkspace ONE UEM cannt validate URLs with the Ggle Play Stre. 73

74 Chapter 4: Public Applicatins The AirWatch Catalg uses the entered URL as a link s end users can access the applicatin. The system can manage these applicatins depending n where yur surce the URL. Valid Ggle Play Stre URL The Wrkspace ONE UEM system can manage these applicatins but it cannt retrieve the applicatin icns. Valid URLs Frm Other Surces The Wrkspace ONE UEM system cannt manage these applicatins and it cannt return the applicatin in its results because it cannt validate the URL with the stre. Migrate Yur User Grup Exceptins t the Flexible Deplyment Feature AirWatch ffers a migratin prcess t mve yur user grups cnfigured with assignment exceptins fr public applicatins t the flexible deplyment feature. Reasn Fr Migratin Public applicatins nw use the flexible deplyment feature t assign applicatins t devices. The flexible deplyment system des nt include exceptins. In the past, yu used exceptins t deply public applicatins t special user grups with a specified device wnership type. Flexible deplyments replace exceptins and the system gives yu additinal cntrl f deplyments. The feature enables yu t assign deplyments t smart grups, t assign multiple deplyments fr an applicatin, and t priritize thse deplyments. Migratin Prcess T use the migratin wizard: 1. Navigate t Apps & Bks > Applicatins > Native > Public. 2. Edit an applicatin that yu knw had exceptins. 3. Select Assign. The system displays a warning message prmpting yu t migrate yur exceptins. 4. Select Migrate and cmplete the wizard. Fr infrmatin n flexible deplyment, see Use Flexible Deplyment t Assign Applicatins n page 30. Paid Public ios Applicatins and Wrkspace ONE UEM Wrkspace ONE UEM allws yu t uplad paid public ios applicatins and distribute them in thse scenaris where it is nt feasible t use Apple's Vlume Purchase Prgram (VPP). Wrkspace ONE UEM can distribute several OS versins, but ios 9+ management des nt require users t take extra steps. It is best t use the Apple VPP, if pssible. The VPP can manage bulk public paid applicatins efficiently and ffers several management ptins. Cmpare Paid Public App Prcedures When yu cmpare the steps necessary t push paid public ios applicatins t devices, ios has simplified the prcess. It allws Wrkspace ONE UEM t take management f an applicatin previusly installed n a device, and end users d nt have t delete applicatins. 74

75 Chapter 4: Public Applicatins Nte: Wrkspace ONE UEM cannt assume management f user-installed applicatins n ios 8 and belw. Any Supprted ios Versin 1. Enable the paid public ios applicatins prcess in the Wrkspace ONE UEM cnsle. 2. Add the public applicatin t the UEM cnsle. Add any ther management parameters like SDK features and enabling per-app VPN. 3. (User) Purchase the applicatin. If the device user des nt purchase the applicatin, the applicatin installatin frm the AirWatch Catalg fails. Apple installs the applicatin autmatically t the device after purchase. 4. (User) Delete the applicatin installed by Apple. 5. (User) Open the AirWatch Catalg and initiate the installatin frm Wrkspace ONE UEM t receive the managed versin f the applicatin. ios Enable the paid public ios applicatins prcess in the UEM cnsle. 2. Add the public applicatin t the UEM cnsle and enable Make App MDM Managed if User Installed n the Deplyment tab. Add any ther management parameters like SDK features and enabling per-app VPN. 3. (User) Purchase the applicatin. Apple installs the applicatin autmatically t the device after purchase. 4. (User) Open the AirWatch Catalg and initiate the installatin frm Wrkspace ONE UEM t receive the managed versin f the applicatin. Organizatin Grups and Paid Public Applicatins Keep yur VPP deplyment and yur paid public ios applicatins in separate rganizatin grups. Enable the paid public status ptin in an rganizatin grup where applicable devices are enrlled. Use the VPP When It Is Available D nt deply the same paid public ios applicatins in an rganizatin grup that has VPP cnfigured and that cntains a service tken (stken). If yu have the VPP cnfigured in the rganizatin grup, use licenses frm the stken, which ffers greater management and cntrl f the applicatin. Enable Paid Public Applicatins Near r Where Devices Are Enrlled Devices receive applicatin assignments frm the clsest rganizatin grup t them. Be aware f the rganizatin grup hierarchy and where yu enable paid public ios applicatins. If yu assign the applicatin in an rganizatin grup that has n effect n the device, installatins can fail r the applicatin can install n the wrng device. 75

76 Chapter 4: Public Applicatins Organizatin Grup Paid Public Status Device Enrlled Result Parent Enabled N The device des nt receive the managed paid public applicatin and the Child Disabled Yes system redirects the device t the stre t install the applicatin. Enable and Uplad Paid Public ios Apps t the Cnsle Enable the deplyment f paid public ios applicatins in the Wrkspace ONE UEM cnsle. Then uplad the paid public ios applicatin frm the app stre t the UEM cnsle t make it available in the AirWatch Catalg. Enable Prcess 1. Navigate t Grups & Settings > All Settings > Apps > Wrkspace ONE > Paid Public Applicatins. 2. Select Enabled, and then save the settings. Uplad Prcess 1. Navigate t Apps & Bks > Applicatins > Native > Public, and select Add Applicatin. 2. Select Managed By t view the rganizatin grup frm which the applicatin uplads. 3. Select the Platfrm. 4. Enter a keywrd in the Name text bx t find the applicatin in the app stre. 5. Select Next and use Select t pick the applicatin frm the app stre result page. 6. Cnfigure ptins n the Details tab. Entering data n this tab is ptinal, but yu can recrd data like the stre URL fr the applicatin, supprted mdels, and assciated categries. 7. Assign a Required Terms f Use fr the applicatin n the Terms f Use tab. This is ptinal. 8. Select Save & Assign t make the applicatin available t end users. 9. Cnfigure flexible deplyment rules fr the assignment f the applicatins. Only the n-demand push mde is available. It enables the user t initiate installatin s that the system des nt use excessive bandwidth by autmatically installing applicatins. It als gives the user time t buy the applicatin and delete the initial versin frm the device. Public Applicatin Installatin Cntrl n ios Devices The restrictin Allw App Stre n Hme screen allws yu t cntrl the installatin f free public applicatins n ios 9+ devices withut having t enable any ther restrictin in Wrkspace ONE UEM. This ptin is native t the perating system versin s it is the best restrictin f this type available fr ios 9+ devices that are supervised. Apple ios App Stre Restrictin s Yu cntrl the app stre t restrict r allw device users t access the public applicatins available therein. Wrkspace ONE UEM supprts native ios restrictins and an in-huse develped restrictin that cntrl access the app stre. 76

77 Chapter 4: Public Applicatins Find ut if yu can set the Allw App Stre icn n Hme screen as the restrictin fr yur deplyment. Restrictin Allw App Stre icn n Hme screen The best ptin fr ios 9+ devices because it uses the latest technlgies and can push applicatins thrugh several systems. Allw installing public apps An ptin fr many ios versins but des nt ffer the ability t select the system that restricts the installatin f nn-enterprise applicatins. Restricted Mde fr Public ios Applicatins Wrkspace ONE UEM develped ways t allw the installatin f enterprise-apprved free public applicatins when this ptin is enabled. When yu cnfigure this ptin, yu d nt need t cnfigure and apply a restrictin prfile with Allw installing public apps. Supprted Device Supervisin Status Cnfiguratin Supervised Disable Restrict the Apple App Stre frm being installed n the device s the device user cannt install public free applicatins using the App Stre. Supervised Unsupervised Supervised Unsupervised Enable Disable Enable Disable Enable Hwever, push public free applicatins using Wrkspace ONE UEM, itunes, r Apple Cnfiguratr. Allw the Apple App Stre n the device and the device user can install any public free applicatins using the App Stre. Restrict the device user frm using the Apple App Stre. Allw the Apple App Stre n the device and the device user can install any public free applicatins using the App Stre. Allw the Apple App Stre n the device and the device user can install any public free applicatin using the App Stre. Blck the device frm installing free public applicatins frm the Apple App Stre. Push free public applicatins using Wrkspace ONE UEM. Cnfigure the Apple App Stre Restrictin Cnfigure the Allw App Stre icn n hme screen restrictin in Wrkspace ONE UEM t allw device users t acquire public applicatins frm the App Stre. This restrictin wrks fr ios 9+ devices. 1. Navigate t Devices > Prfiles > List View > Add. Select Apple ios. 2. Cnfigure the General settings f the prfile. 3. Select Allw App Stre icn n Hme screen lcated in the Device Functinality sectin f the Restrictins paylad, t allw the device t install public free applicatins frm the app stre. 4. Select Save & Publish t push the prfile t devices. 77

78 Chapter 4: Public Applicatins Enable Restricted Mde fr Free Public ios Applicatins Older Than ios 9 Yu can cntrl frm where end users install public applicatins by enabling Restricted Mde n Apple ios devices. After enrllment, end users can access free public applicatins deplyed t their catalgs, but they are unable t dwnlad free public applicatins frm the App Stre. This restrictin is the same as the ios restrictin fund in Devices > Prfiles, labeled Allw installing public apps.wrkspace ONE UEM deplys the Restricted Mde ptin t devices and it blcks end users frm the app stre. Wrkspace ONE UEM can deply the public applicatins, which ensure that yur rganizatin apprves them. Enabling Restricted Mde This ptin restricts the device by allwing yu t install nly the assigned applicatins apprved by the rganizatin. Enabling the setting autmatically sends a restricted prfile t Apple ios devices. The presence f this restricted prfile des nt require an extra restrictin prfile with the Allw installing public apps ptin enabled t blck the app stre. T enable Restricted Mde fr Apple ios Applicatins, fllw the steps. 1. Navigate t Grups & Settings > All Settings > Apps > Wrkspace ONE > App Restrictins. 2. Enable Restricted Mde fr Public ios Applicatins. The Micrsft Stre fr Business and Wrkspace ONE UEM Micrsft's Micrsft Stre fr Business enables yu t acquire, manage, and distribute applicatins in bulk. If yu use Wrkspace ONE UEM t manage yur Windws 10+ devices, yu can integrate the tw systems. After integratin, acquire applicatins frm the Micrsft Stre fr Business and distribute the applicatins and manage their updated versins with Wrkspace ONE UEM. This tpic explains hw t deply acquired apps using Wrkspace ONE UEM. Fr infrmatin n Micrsft Stre fr Business prcesses, refer t Disclaimer Third-party URLs are subject t changes beynd the cntrl f VMware Wrkspace ONE UEM. If yu find a URL in VMware Wrkspace ONE UEM dcumentatin that is ut f date, submit a Dcumentatin Feedback supprt ticket using the Supprt Wizard n supprt.air-watch.cm. Requirements fr Micrsft Stre fr Business Integratin Wrkspace ONE UEM integrates with the Micrsft Stre fr Business. It supprts the ffline and nline licensing mdels with Windws 10+ devices that cmmunicate with yur Azure Active Directry services. Fr successful integratin, use the listed cmpnents in yur envirnment. Offline and Online License Mdel Requirements Windws 10+ Devices Deply t Windws 10+ devices because they are cmpatible with the bulk-acquirement and applicatin deplyment prcesses. Use the Windws Desktp r Windws Phne platfrms when assigning applicatins. 78

79 Chapter 4: Public Applicatins Yu can deply applicatins acquired thrugh the bulk purchase prcess t lder devices, like Windws 8 devices. The devices receive applicatins frm Wrkspace ONE UEM thrugh the regular prcess, and the system des nt manage these applicatins. Azure Active Directry Services Cnfigure Azure Active Directry services in Wrkspace ONE UEM t enable the cmmunicatin between the systems. This cnfiguratin enables Wrkspace ONE UEM t manage Windws devices and applicatins n these devices. Yu d nt need an Azure AD Premium accunt t integrate with the Micrsft Stre fr Business. This integratin is a separate prcess frm the autmatic MDM enrllment. Imprtant: Integratin nly wrks when yu cnfigure it in the same rganizatin grup where yu cnfigured Azure Active Directry Services. Micrsft Stre fr Business Admin Accunt with Glbal Permissins Acquire applicatins with a Micrsft Stre fr Business admin accunt. Glbal permissins enable admins t access all systems t acquire, manage, and distribute applicatins. Online License Mdel Requirements Azure Active Directry Device users must use Azure Active Directry t authenticate t cntent. Offline License Mdel Requirements File Strage Enabled fr n-premises Wrkspace ONE UEM stres Micrsft Stre fr Business applicatins n a secure file strage system. On-premise envirnments must enable this feature in the Wrkspace ONE UEM cnsle by adding the tenant identifier and tenant name n the Directry Services page. This requirement is part f the prcess t cnfigure Azure AD Services. Cmpare Features f the Online and Offline Mdels f the Micrsft Stre fr Business Wrkspace ONE UEM integrates with bth the nline and ffline mdels in the Micrsft Stre fr Business. Cmpare available features t see which mdel benefits yur applicatin management needs. Feature Online License Mdel Offline License Mdel License cntrl App package hst Licenses managed by the Micrsft Stre fr Business. Different Capabilities Users can receive applicatins and claim licenses utside f yur Wrkspace ONE UEM deplyment. App package hsted by the Micrsft Stre fr Business. Licenses managed by the enterprise. Use the ffline licensing mdel t cntrl applicatin packages and updates. This mdel ffers flexibility but requires attentin t ensure that applicatins stay updated and licenses get renewed. App package hsted by the Wrkspace ONE UEM file strage fr n-premises r in the Wrkspace ONE UEM SaaS envirnment. 79

80 Chapter 4: Public Applicatins Feature Online License Mdel Offline License Mdel Azure Active Directry Restrict the app stre Level where licenses are claimed License reuse Devices must use yur Azure Active Directry system t authenticate. Enable the Azure Active Directry system s Wrkspace ONE UEM and the Micrsft Stre fr Business can cmmunicate. Devices cannt install applicatins because the restrictin prevents the Micrsft Stre fr Business n the device. Licenses claimed by Wrkspace ONE UEM fr the applicatin at the user level. Admins can revke licenses thrugh Wrkspace ONE UEM and reuse them. Same Capabilities Devices d nt have t use the Azure Active Directry system t authenticate. Hwever, yu must enable the Azure Active Directry system s Wrkspace ONE UEM and the Micrsft Stre fr Business can cmmunicate. Devices can still install applicatins because the app packages are hsted in the Wrkspace ONE UEM envirnment. Licenses claimed by Wrkspace ONE UEM fr the applicatin at the user level. Admins can revke licenses thrugh Wrkspace ONE UEM and reuse them. Cnfigure Azure AD Identity Services Integratin Befre yu can use Azure AD t enrll yur Windws devices, yu must cnfigure Wrkspace ONE UEM t use Azure AD as an Identity Service. Enabling Azure AD is a tw-step prcess which requires the MDM-enrllment details t be added t Azure. Prerequisites Yu must have a Premium Azure AD P1 r P2 subscriptin t integrate Azure AD with Wrkspace ONE UEM. Azure AD integratin with Wrkspace ONE UEM must be cnfigured at the tenant where Active Directry (such as LDAP) is cnfigured. Imprtant: If yu are setting the Current Setting t Override n the Directry Services system settings page, the LDAP settings must be cnfigured and saved befre enabling Azure AD fr Identity Services. Prcedure T Cnfigure Azure AD fr Identity Services: 1. Navigate t Grups & Settings > All Settings > System > Enterprise Integratin > Directry Services. 2. Enable Use Azure AD fr Identity Services under Advanced settings. Once enabled, take nte f the MDM Enrllment and MDM Terms f Use URLs as they are needed when cnfiguring the Azure directry. 3. Lg in t the Azure Management Prtal with yur Micrsft accunt r rganizatinal accunt. 4. Select yur directry and navigate t the Mbility (MDM and MAM) tab. This tab was frmerly the Applicatins tab. 5. Select Add Applicatin and select the AirWatch by VMware applicatin. 80

81 Chapter 4: Public Applicatins Yu can use the default URLs if the user scpe is set t nne. If needed, yu can als use placehlder URLs. 6. Leave the AirWatch by VMware applicatin n the default settings. Change the MDM user scpe t Nne. 81

82 Chapter 4: Public Applicatins 7. Select Add Applicatin again and select the On Premises MDM applicatin. Yu can rename the applicatin when yu add it. 8. Cnfigure the On-Premises MDM applicatin by entering the MDM Enrllment URL and MDM Terms f Use URLs frm the Wrkspace ONE UEM Cnsle. 9. Select On-premises MDM applicatin settings then select Required Permissins > Windws Azure Active Directry. 10. Change the Permissins as fllws: Applicatin Permissins Select Read and write directry data. Select Read and write devices. Delegated Permissins Select Access the directry as the signed-in user. Select Read directry data. Select Sign in and read user prfile. 11. Select the Prperties settings and enter yur device services hst in the APP ID URI text bx. Use the same hst that yu used in the MDM Enrllment URL and MDM Terms f Use text bxes. Example frmat: <MDM DS SERVER> 12. Set MDM user scpe t All t apply these settings t all users. Yu can als limit the OOBE enrllment t selected Azure AD grups by selecting Sme and adding the preferred grups. 13. Select Save t cntinue. 14. Navigate t the Prperties tab and find the Azure Directry ID. This setting was frmerly called the Tenant ID. 82

83 Chapter 4: Public Applicatins 15. Select User Accunt Details in the tp right crner. The Azure Tenant Name is the name f yur Azure Directry. Yu can find the name under the Dmain tab. 16. Return t the UEM Cnsle and select Use Azure AD fr Identity Services t cnfigure Azure AD Integratin. 17. Enter the Azure Directry ID as the Tenant Identifier. Enter the default dmain as yur Azure Directry Tenant Name. 18. Select Save t finish the prcess. Sign up and Acquire Applicatins Frm the Micrsft Stre fr Business fr Offline and Online Licensing Fr integratin t wrk, use an Azure admin accunt t sign up with the stre and t activate the VMware Wrkspace ONE UEM management tl. 83

84 Chapter 4: Public Applicatins See the Micrsft Stre fr Business prtal fr the mst current dcumentatin n creating an Azure admin accunt. Create an Azure Admin Accunt fr VMware Wrkspace ONE UEM Cnfigure an admin accunt with glbal admin rles in yur Default Directry in Micrsft Azure. Use this accunt t acquire applicatins in the Micrsft Stre fr Business. Yu d nt need an Azure premium accunt t create an admin accunt fr the Micrsft Stre fr Business. 1. In Azure, navigate t yur Azure Active Directry. 2. Select Users and grups and + New user. Cmplete applicable fields. 3. Cnfigure the Directry rle as Glbal administratr. 4. Create a temprary passwrd s yu can lg in t the Micrsft Stre fr Business. Activate VMware Wrkspace ONE UEM in the Micrsft Stre fr Business and Acquire Apps Activate the Wrkspace ONE UEM management tl in the Micrsft Stre fr Business with yur Azure admin accunt credentials. If yu use ffline licensing, enable the acquirement f ffline license applicatins. 1. Navigate t the Micrsft Stre fr Business and lg in with yur Azure admin accunt. 2. Navigate t Manage> Settings > Distribute > Management tls and activate the Wrkspace ONE UEM by VMware tl. 3. Fr ffline licenses, g t Manage> Settings > Shp > Shpping experience and enable Shw ffline licensed apps t peple shpping in the stre. 4. In the Stre fr Business, add applicatins t yur inventry. Yu can add applicatins with either ffline r nline licenses depending n yur license management strategy. Imprt Micrsft Stre fr Business Apps Imprt public applicatins acquired frm the Micrsft Stre fr Business t the Wrkspace ONE UEM cnsle. The prcess is the same fr the nline and ffline license mdels. Fr the ffline license mdel, plan t imprt these applicatins when yur crprate netwrk is nt busy. Due t the number f applicatins cncerned, the imprt prcess can use mre bandwidth than ther Wrkspace ONE UEM systems. 1. G t the rganizatin grup where yu set yur Azure Active Directry services. 2. Navigate t Apps & Bks > Applicatins > Native > Public and select Add Applicatin. 3. Select the Platfrm, Windws Desktp r Windws Phne. 4. Select Imprt frm BSP and chse Next. 5. View a list f the applicatins that Wrkspace ONE UEM imprts frm yur Micrsft Stre fr Business accunt. Yu cannt edit this list in the UEM cnsle. 6. Select Finish. 84

85 Chapter 4: Public Applicatins Offline license mdel - The system dwnlads applicatins t the remte file strage system. Online license mdel - The system stres the applicatins in the Micrsft Stre fr Business and awaits an install cmmand. Package Dwnlads and Updates fr the Offline License Mdel Wrkspace ONE UEM imprts all the applicatin packages and disables assignment actins while the prcess is in prgress. When yu reimprt packages fr purpses such as updates, Wrkspace ONE UEM dwnlads nly thse packages that changed. If yu d nt restrict the use f the app stre n devices, then applicatin updates push t devices frm the Micrsft Stre fr Business. If yu restrict the use f the app stre n devices, then imprt updated applicatins in Wrkspace ONE UEM. Then, ntify device users t install the updated versin frm the AirWatch Catalg. Deply Micrsft Stre fr Business Apps Assign public applicatins imprted frm the Micrsft Stre fr Business t apply them t devices with the flexible deplyment feature. Assign nline and ffline licenses depending n yur license management strategy. Fr general infrmatin abut the flexible deplyment feature, hw t priritize assignments, and fr setting descriptins, see Use Flexible Deplyment t Assign Applicatins n page Navigate t Apps & Bks > Applicatins > Native > Public. 2. Select the applicatin and chse Assign. 3. Cmplete the Add Assignment ptins t add a rule. Setting Online Licenses Offline Licenses App Delivery Methd Assignment Assign grups t the applicatin with nline licenses. If devices are part f yur Azure Active Directry system and yur deplyment has nline licenses available, devices receive the applicatin. If yu assign bth nline and ffline licenses t the grup, the system gives preference t nline licenses. Assign grups t the applicatin with ffline licenses. If yur deplyment has ffline licenses available, devices receive the applicatin. If yu assign bth nline and ffline licenses t the grup, the system gives preference t nline licenses. Deplyment View the delivery methd. On demand deplys cntent t a deplyment agent and lets the device user decide if and when t install the cntent. 85

86 Chapter 4: Public Applicatins Setting DLP Cnfigure a device prfile with a Restrictins prfile t set data lss preventin plicies fr the applicatin. Select Cnfigure. The system navigates t Devices > Prfiles. Select Add > Add Prfile and the platfrm. Fr Windws Desktp, select Device Prfile > Restrictins and enable ptins that apply t the data yu want t prtect. Fr Windws Phne, select Restrictins and enable ptins that apply t the data yu want t prtect. 4. Select Add and priritize assignments if yu have mre than ne assignment rule. 5. Deply the applicatin with Save & Publish. Sync and Reclaim Licenses fr Micrsft Stre fr Business Apps Sync ffline and nline licenses with the details view f the applicatin, and view the crrespnding users f the licenses. Fr any reclaims, reassign the licenses. Sync Licenses t View Users and Claimed Licenses When yu assign Micrsft Stre fr Business applicatins t devices, the assignment prcess claims crrespnding licenses befre the system initiates the installatin f the applicatin. Use the details view t see the list f user devices and the assciated, claimed license. Navigate t Apps & Bks > Applicatins > List View > Public and select the Micrsft Stre fr the Business applicatin. This actin displays the details view. In this view, use the Sync License actin t imprt the list f users that crrespnd t claimed licenses. T see the claimed licenses, select the Licenses tab. Nte: Wrkspace ONE UEM als imprts the license assciatins when yu select the Imprt frm BSP ptin upn the initial imprt f yur Micrsft Stre fr Business applicatins. This sync is perfrmed asynchrnus t the applicatin package sync. Reclaim Licenses Yu can reclaim and reuse the licenses displayed n the Licenses tab by deleting the assignment f the applicatin t the user's device. Wrkspace ONE UEM includes several methds t delete assignments. Deletin results in the remval f the applicatin frm the device. Methd Details View Device Organizatin Grup Select the Delete Applicatin functin in the details view f the applicatin. This actin remves the applicatin ff devices in grups assigned t the applicatin. Delete the applicable device frm the cnsle. Delete the rganizatin grup. This actin impacts all assets and devices in the rganizatin grup. 86

87 Chapter 4: Public Applicatins Methd Assignment Grup User Delete the smart r user grup assigned t the applicatin. This actin impacts every device in the grup. Delete the applicable user accunt frm the cnsle. 87

88 Chapter 5: Purchased Applicatins Apple VPP Purchased Applicatins -Apple VPP Feature Overview 89 Redemptin Cde Methd Overview 90 Managed Distributin by Apple IDs Overview 94 Custm B2B Applicatins and Apple's VPP 104 Managed Distributin by Device Serial Number

89 Chapter 5: Purchased Applicatins Apple VPP Purchased Applicatins -Apple VPP Feature Overview T distribute public applicatins and custm business t business (B2B) applicatins t Apple ios and macos devices, integrate Apple's Vlume Purchase Prgram (VPP) and Wrkspace ONE UEM. The Apple VPP enables rganizatins t purchase publicly available applicatins fr distributin. Any paid applicatin frm the App Stre is available fr purchase, in vlume, at the existing App Stre price. Custm B2B applicatins can be free r purchased at a price set by the develper. If yur rganizatin uses free public applicatins cllected thrugh the Apple VPP, Wrkspace ONE UEM can distribute these applicatins, as well. See Apple's website fr the availability by cuntry and fr ther details. Apple has tw prgrams; Vlume Purchase Prgram fr Business and the Vlume Purchase Prgram fr Educatin. Deply VPP Prcess T purchase and deply cntent with Apple's Vlume Purchase Prgram (VPP), enrll and acquire cntent n the VPP site and then use Wrkspace ONE UEM t distribute cntent. Fr mre infrmatin n VPP Feature, see Purchased Applicatins -Apple VPP Feature Overview. 1. VPP Enrllment Enrll in the prgram and verify with Apple that yu are a valid rganizatin. 2. Cntent Purchase Purchase cntent in the bulk thrugh the VPP website. 3. Applicatin Deplyment Distribute the assets thrughut yur device fleet using redemptin cdes r managed distributin service tken files (stkens). Redemptin Cde Methd Overview n page 90 Managed Distributin by Apple IDs Overview n page 94 Custm B2B Applicatins and Apple's VPP n page 104 Managed Distributin by Device Serial Number n page 106 Fr mre infrmatin n the VPP prcess, see the fllwing Wrkspace ONE UEM Knwledge Base article: Supprted Cntent fr Purchased Applicatins Wrkspace ONE UEM supprts the varius cntent types in the purchased sectin. The level f management varies accrding t the methd used t get the cntent and the platfrm. View supprt by perating system, applicatin type, and acquirement methd, Managed Distributin (MD), r Redemptin Cdes (RC). The letters DB represents systems that can retrieve applicatins withut an Apple ID, and an X represents n supprt. Operating System Free Public Apps Purchased Public Apps Free Custm B2B Apps Purchased Custm B2B Apps Apple ios 7.x 8.x MD & RC MD & RC MD & RC MD & RC 89

90 Chapter 5: Purchased Applicatins Apple VPP Free Purchased Operating Free Public Purchased Public Custm B2B Custm B2B System Apps Apps Apps Apps Apple ios 9+ MD, RC, & DB MD, RC, & DB MD & RC MD & RC macos MD MD X X macos MD & DB MD & DB X X Nte: The Wrkspace ONE UEM Cntainer fr ios des nt supprt the deplyment f ios applicatins purchased thrugh Apple's Vlume Purchase Prgram (VPP). Redemptin Cde Methd Overview This methd uses redemptin cdes t allcate the cntent t devices, and it des nt supprt revking the cdes frm Apple ios devices. Once the redemptin cde is redeemed, it cannt be recycled. Als, Wrkspace ONE UEM cannt delete cntent bught using redemptin cdes ff devices. Devices lder than Apple ios 7 must use this methd fr purchasing VPP cntent because the managed distributin is nt available fr lder systems. Yu cannt use redemptin cdes fr macos systems. Redemptin Cdes and Wrkspace ONE UEM Apple's Managed Distributin system integrates with Wrkspace ONE UEM, and yu can distribute yur free and purchased Vlume Purchase Prgram (VPP) applicatins and bks. The redemptin cde mdel uses cdes frm a spreadsheet t retrieve yur VPP cntents and t distribute them t devices using the Wrkspace ONE UEM cnsle. Fr the successful distributin f the VPP cntent t end users, perfrm all steps f the deplyment prcess. In return, end users must cmplete all steps n their devices t receive the VPP cntent. Admins Send VPP cntent t end users End-Users Receive cntent 1. Purchase yu applicatins and dwnlad yur redemptin cde spreadsheet frm the Apple itunes Stre. 2. Uplad the spreadsheet t Wrkspace ONE UEM. 3. Allcate redemptin cdes t rganizatin grups and smart grups in the Wrkspace ONE UEM cnsle and save the settings. 1. Obtain a redemptin cde frm Wrkspace ONE UEM. This step ccurs autmatically when admins publish the cntent. 2. Install the cntent frm the catalg. Uplad a Redemptin Cde Spreadsheet Yu can use Wrkspace ONE UEM t manage and distribute applicatins and bks purchased thrugh the VPP t yur Apple ios devices. Apple uses Web services t manage redemptin cdes. Fr the Wrkspace ONE UEM cnsle t access Apple's Web services, yu must first uplad the redemptin cde spreadsheet. 90

91 Chapter 5: Purchased Applicatins Apple VPP 1. Navigate t either Apps & Bks > Applicatins > Orders r Apps & Bks > Bks > Orders. 2. Select Add r Order t add a redemptin cde spreadsheet. Select Purchased Public App r Purchased Custm App (Custm B2B), fr applicatins. This ptin is nt available fr bks. 3. Select Chse File t uplad the CSV r XLS file that yu dwnladed frm the Apple prtal. This actin creates the rder. 4. Select Save t cntinue t the Prduct Selectin Frm. 5. Lcate the apprpriate prduct and chse Select t finish uplading the spreadsheet. If yur spreadsheet cntains an Adam ID, Wrkspace ONE UEM des nt display this step. If yur spreadsheet cntains an Adam ID, yu d nt have t lcate the prduct. Wrkspace ONE UEM autmatically adds applicatins and bks frm the app stre when the spreadsheet cntains the Adam ID. Adam IDs are specific t itunes, are cmpnents f the Apple Search API, and are unique fr each applicatin. If the Apple VPP redemptin cde spreadsheet cntains cdes fr multiple applicatins r bks, Wrkspace ONE UEM lists several prducts n this frm. Yu can select nly ne per rder. Using itunes Adam IDs itunes uses Adam IDs, which are item identifiers, t autmate cnnectins t cntent. If yur spreadsheet cntains an Adam ID, then yu d nt have t lcate applicatins and bks in the app stre. Fr custm B2B applicatins, the Adam ID enables Wrkspace ONE UEM t update applicatin IDs in the UEM cnsle. Assign Cntent t Users Yu must enable the Wrkspace ONE UEM cnsle t assign redemptin cdes t users and devices. Select the applicable rganizatin grups and smart grups t which t assign redemptin cdes. 1. Navigate t the rganizatin grup where yu upladed the redemptin cde spreadsheet. 2. G t Apps & Bks > Applicatins > Native > Purchased. 3. Select the applicatin yu want t assign. 4. On the Orders Assignment tab, cmplete the fllwing ptins. 91

92 Chapter 5: Purchased Applicatins Apple VPP Setting Add Assignment By Assign redemptin cdes t rganizatin grups r smart grups. Organizatin Grup Allcate redemptin cdes t an rganizatin grup. Select All Users t include all users in that rganizatin grup, r chse Selected Users t display a list f users in the rganizatin grup. Use the Add and Remve buttns t chse the specific users t receive the applicatin. Smart Grup Allcate redemptin cdes t a smart grup by typing the name f the grup. Optins display and yu can select the apprpriate smart grup frm the list. Yu can create a new smart grup, if necessary. Yu can apply redemptin cdes t rganizatin grups and t smart grups simultaneusly. Hwever, yu can nly specify the users fr rganizatin grups f the Custmer type. Yu cannt specify users fr smart grups. Hwever, yu can edit the smart grup s that it cntains the necessary users. Verify the infrmatin in the fllwing clumns fr each assignment rule: Users View the number f users fr the rder. Allcated Enter the number f licenses t allcate t the selected users. D nt exceed the ttal number in the rder. Redeemed View the number f licenses that have already been redeemed, if any. Redemptin Cdes On Hld SDK Prfile Enter the number f redemptin cdes that yu want t place n hld. Use this ptin t save the redemptin cdes fr later use. If yu use AirWatch SDK functinality, assign an SDK prfile t the applicatin. 92

93 Chapter 5: Purchased Applicatins Apple VPP Setting Assignment Type Deplyment On Demand Deplys cntent t a catalg r ther deplyment agent and lets the device user decide if and when t install the cntent. This ptin is the best chice fr cntent that is nt critical t the rganizatin. Allwing users t dwnlad the cntent when they want helps cnserve bandwidth and limits unnecessary traffic. Remve On Unenrll Prevent Applicatin Backup Make App MDM Managed if User Installed Use VPN Send Applicatin Cnfiguratin Autmatic Deplys cntent t a catalg r ther deplyment agent n a device upn enrllment. After the device enrlls, the system prmpts users t install the cntent n their devices. This ptin is the best chice fr cntent that is critical t yur rganizatin and its mbile users. Yu can nly use On-Demand fr custm B2B applicatins acquired using redemptin cdes. When the Assignment Type is Aut, nly eligible Apple ios 7+ devices receive the applicatin r bk autmatically. Set the remval f the applicatin frm a device when the device unenrlls frm Wrkspace ONE UEM. Wrkspace ONE UEM enables this ptin by default. If yu chse t disable this ptin, prvisining prfiles are nt pushed alng with the installed applicatin. That is, if the prvisining prfile is updated, the new prvisining prfile is nt autmatically deplyed t devices. In such cases, a new versin f the applicatin with the new prvisining prfile is required. Remving an applicatin when a device is unenrlled des nt recver the redeemed cde. When installed, the applicatin is assciated t the app stre accunt f the user. Disable backing up the applicatin data t iclud. Hwever, the applicatin can still back up t iclud. Assume management f applicatins previusly installed by users n their devices, supervised and unsupervised. Enable this feature s that users d nt have t delete the applicatin versin installed n the device. Wrkspace ONE UEM manages the applicatin withut having t install the AirWatch Catalg versin n the device. Cnfigure a VPN at the applicatin level, and select the Per-App VPN Prfile. Users access the applicatin using a VPN, which helps ensure that applicatin access and use is trusted and secure. Send applicatin cnfiguratins t Apple ios devices, s users d nt have t cnfigure these specified values themselves. 5. Select Save when yu finish allcating cdes. Redemptin Cde Infrmatin Access infrmatin abut yur redemptin cdes s that yu can manage and track yur VPP deplyments. 93

94 Chapter 5: Purchased Applicatins Apple VPP T access rders f applicatins yu acquired using redemptin cdes, navigate t Apps & Bks > Orders > Redemptin Cdes. View the availability status f the cde. Status Available Externally Redeemed Redeemed Identifies an available key cde t use t distribute the purchased cntent. Yu can make this key cde unavailable r delete it. Identifies a key cde that was assigned and redeemed utside f the Wrkspace ONE UEM Purchased (VPP) system. Yu cannt perfrm actins fr this key cde. Identifies a key cde that was assigned and redeemed within the Wrkspace ONE UEM Purchased (VPP) system. Yu can make this key cde unavailable r delete it. Unavailable Identifies a key cde that was explicitly made unavailable fr varius reasns. Reasns include separating cdes that yu want t save fr users wh might nt be in yur Wrkspace ONE UEM deplyment. View each redemptin cde and the rder number. View the date the redemptin cde was redeemed. View t whm the cde is assigned. Delete a redemptin cde. Managed Distributin by Apple IDs Overview This methd uses service tken files, als called stkens, t authenticate assignments. It allws yu t assign license cdes t Apple IDs t allcate cntent t devices, and the methd supprts the revcatin and recycling f these license cdes. View Managed Distributin and Wrkspace ONE UEM n page 94 fr a list f all required steps fr successful deplyment. Managed Distributin and Wrkspace ONE UEM Apple's Managed Distributin system integrates with Wrkspace ONE UEM, and yu can distribute yur free and purchased Vlume Purchase Prgram (VPP) applicatins and bks. The managed distributin mdel uses service tkens (als called stkens) t retrieve yur VPP cntents and t distribute them t devices using the Wrkspace ONE UEM cnsle. Fr successful distributin f VPP cntent t end users, perfrm all steps f the deplyment prcess. In return, end users must cmplete all steps n their devices t receive VPP cntent. 94

95 Chapter 5: Purchased Applicatins Apple VPP 1. Purchase cntent and dwnlad yur stken frm the Apple itunes Stre. 2. Uplad the stken t Wrkspace ONE UEM. Admins Send VPP cntent t end users Nte: Yu can use multiple stkens within yur Wrkspace ONE UEM hierarchy but yu can nly have ne stken in each rganizatin grup. 3. Sync licenses t display the cntent in the UEM cnsle. 4. Add the bundle IDs fr custm B2B applicatins. This actin activates management. This step is unnecessary fr nn-b2b applicatins and bks. 5. Allcate licenses and assign licenses t smart grups, and enable eligible applicatins fr devicebased assignment. Then publish managed distributin cntent with the flexible deplyment feature. Publishing cntent triggers invitatins t end users whse cntent is tied t their Apple IDs. End-Users Accept invitatins and receive cntent 1. Accept the invitatin and register with the Apple VPP. This step ensures that they have the terms f agreement fr participating in the prgram. This step is nt necessary fr device-based use. 2. Obtain the license frm Wrkspace ONE UEM. This step ccurs autmatically when admins publish cntent. 3. Install cntent frm the AirWatch Catalg. Users With Multiple Devices Users that have multiple Apple ios devices must select and apply a single Apple ID t all the devices. If admins make cntent available n demand, then users can accept the invitatin and jin and register with the VPP. They install the cntent frm the catalg t any f their devices. Manage VPP stkens t Retrieve Managed Distributin Licenses and Cntent Apple uses Web services t manage license cdes. The Wrkspace ONE UEM cnsle accesses Apple's Web services with the service tken, r stken, yu uplad t the cnsle. Wrkspace ONE UEM retrieves yur VPP cntent with the license data n the stken. Keep stkens current, and if yu are nt using the licenses, clear the stkens. Uplad stkens Yu can uplad an stken at the tp Custmer level and belw. The Wrkspace ONE UEM system prmpts yu t register yur stken, s that Wrkspace ONE UEM can detect if the stken is used in ther envirnments. 1. Navigate t Grups & Settings > All Settings > Devices & Users > Apple > VPP Managed Distributin. 2. Cnfigure the fllwing settings. 95

96 Chapter 5: Purchased Applicatins Apple VPP Setting Enter yur VPP Accunt ID. Using yur VPP Accunt ID as the descriptin has several advantages. If yu use multiple stkens, it identifies the crrect accunt. Reminds yu the crrect accunt when yu renew the stken. Identifies the crrect accunt t thers in yur rganizatin wh assume management f the VPP accunt. stken Uplad Cuntry Autmatically Send Invites Message Template Select Uplad t navigate t the stken n yur netwrk. Select where Wrkspace ONE UEM validates the stken. This value reflects the regin frm where yu bught cntent and ensures Wrkspace ONE UEM uplads the crrect versins f yur purchases. When yu sync yur licenses, Wrkspace ONE UEM pulls the crrect reginal versin f the cntent. If Wrkspace ONE UEM cannt find the cntent in the app stre frm the regin entered, Wrkspace ONE UEM autmatically searches the itunes App Stre in the United States. Send invitatins t all the users immediately after yu save the tken. The invitatin request users t jin and register with Apple's VPP. Registratin gives users access t the terms f use t participate in the prgram. Use the Message Preview ptin t review the invitatin. If yur envirnment includes VPP applicatins set t the Assignment Type, Aut, then Wrkspace ONE UEM sends invitatins n matter hw yu cnfigure this ptin. This behavir facilitates quick access t applicatins upn enrllment. Wrkspace ONE UEM autmatically sends users f Apple ios v and macos an invite cmmand when yu enable this ptin. It des nt send them an message. Yu d nt have t enable this ptin immediately. Yu can leave it disabled and still uplad yur tken. Return and enable this feature t send invitatins t all the enrlled devices whse users have nt yet accepted t jin the VPP. Device-Based VPP Disable this check bx fr the device-based VPP system because invitatins are nt necessary. If yu assign a device-based VPP device t a regular VPP app (a user-based VPP app), devices still receive invitatins. Select an template fr an message invitatin fr Apple ios devices n Apple ios v7.0.0 thrugh v Save the stken and cnfirm the additin f the tken. Renew stkens Befre Expiratin Managed distributin stkens are valid fr 12 mnths. Renew yur stkens befre they expire t avid any disruptin in yur deplyment. If yur tken expires, yu cannt perfrm management tasks. 96

97 Chapter 5: Purchased Applicatins Apple VPP Sync new managed distributin licenses. Send invitatins t jin the VPP. Assign and pushing managed distributin applicatins t newly enrlled devices. Revke managed distributin licenses (the system cannt revke licenses fr bks). If a tken expires, Wrkspace ONE UEM des nt revke managed distributin licenses previusly assigned t devices already enrlled with Wrkspace ONE UEM. 1. Navigate t the crrect rganizatin grup where the stken resides. 2. Navigate t Grups & Settings > All Settings > Devices & Users > Apple > VPP Managed Distributin. 3. Select Renew and brwse t the renewed stken n yur netwrk fr uplad. 4. Save yur settings. Clear stkens Clear stkens t remve them frm the Wrkspace ONE UEM cnsle. Clear stkens if yu never used it t distribute cntent r if it has expired. 1. G t the applicable rganizatin grup. 2. Navigate t Grups & Settings > All Settings > Devices & Users > Apple > VPP Managed Distributin. 3. Select Clear and fllw the prmpts. Nte: Deleting the stken, uninstalls the applicatins purchased fr yur VPP accunt frm all the assigned devices and revke the licenses. All the applicatins that is purchased using the stken will nt be available fr assignment. Fr an utline f the supprt fr the managed distributin methd by Apple IDs, see Managed Distributin by Apple IDs Overview n page 94. Sync Managed Distributin Cntent Wrkspace ONE UEM has tw methds that sync-managed distributin cntent: By assets and by license. The assets functin syncs the metadata n an stken and claimed licenses infrmatin. The license functin syncs infrmatin fr a single asset. It is useful fr stkens that cntain thusands f licenses and yu nly want t sync the licenses applied t ne asset. Sync Assets 1. G t the rganizatin grup where yu upladed the stken. 2. Navigate t ne f the fllwing areas: Apps & Bks > Applicatins > Native > Purchased Apps & Bks > Bks > List View > Purchased 3. Select Sync Assets. 97

98 Chapter 5: Purchased Applicatins Apple VPP 4. Cnfirm t register an stken with Wrkspace ONE UEM, if applicable. The system prmpts fr registratin if it detects an stken is used in anther envirnment. 5. T select that the sync cmpleted, refresh the screen. Wrkspace ONE UEM syncs purchased asset meta data and if there are claimed licenses, the system syncs fr thse assets f the claimed licenses. Wrkspace ONE UEM makes the sync features inaccessible until recnciliatin cmpletes. Sync Licenses 1. G t the rganizatin grup where yu upladed the stken. 2. Navigate t ne f the fllwing areas: Apps & Bks > Applicatins > Native > Purchased Apps & Bks > Bks > List View > Purchased 3. Select the asset check bx and select Sync Licenses ptin frm the actins menu. Cnfigure Licenses and Assign with Flexible Deplyment T retrieve the data n the stken, Wrkspace ONE UEM syncs with Apple Web services, and then it can display cntent fr assignment and deplyment. Wrkspace ONE UEM distributes licenses by smart grup and publishes cntent when yu save an assignment rule in the flexible deplyment feature. The Enable Device Assignment ptin displays fr applicatins that are eligible fr distributin by device serial number. Fr infrmatin abut the device-based distributin methd, see Managed Distributin by Device Serial Number n page 106. Fr infrmatin n flexible deplyment and hw t priritize assignment rules, see Flexible Deplyment fr Applicatins Setting s n page 32. Assign Cntent t Grups and Publish with Flexible Deplyment Assign cntent acquired frm Apple's Vlume Purchase Prgram (VPP) with managed distributin cdes t smart grups. 1. Navigate t Apps & Bks > Applicatins > Native > Purchased 2. Select the applicatin and ptinally hld licenses and apply an SDK prfile. Setting Licenses n hld SDK Prfile Enter the number f licenses that yu want t place n hld. Use this setting t save the managed distributin cdes fr later use. Yu d nt have t enter a value. If yu use AirWatch SDK functinality, assign an SDK prfile t the applicatin. 3. Select Save & Assign t mve t the flexible deplyment sectin. Yu add assignment rules that yu can priritize. 4. On the Assignments tab, select Add Assignment and cmplete the ptins. 98

99 Chapter 5: Purchased Applicatins Apple VPP Setting Add Assignment By Select License Cdes By Smart Grup and assign managed distributin cdes. Allcate cdes t a smart grup by typing the name f the grup. Optins display, and yu can select the apprpriate smart grup frm the list. If necessary, yu can create a new smart grup. Users r Devices View the number f users fr the rder. Allcated Enter the number f licenses t allcate t the selected users. D n exceed the ttal number in the rder. Redeemed View the number f licenses that have already been redeemed, if any. Assignment Type On Demand Deplys cntent t a catalg r ther deplyment agent and lets the device user decide if and when t install the cntent. This ptin is the best chice fr cntent that is nt critical t the rganizatin. Allwing users t dwnlad the cntent when they want helps cnserve bandwidth and limits unnecessary traffic. Remve On Unenrll Prevent Applicatin Backup Make App MDM Managed if User Installed Apple ios Use VPN Autmatic Deplys cntent t a catalg r ther deplyment agent n a device upn enrllment. After the device enrlls, the system prmpts users t install the cntent n their devices. This ptin is the best chice fr cntent that is critical t yur rganizatin and its mbile users. If the Assignment Type is set t Aut when yu Publish, Wrkspace ONE UEM sends an invitatin t Apple ios and macos devices. The invitatin enables users t register with Apple's VPP. Set the applicatin t be remved frm a device when the device unenrlls frm Wrkspace ONE UEM. Wrkspace ONE UEM enables this ptin by default. If yu chse t disable this ptin, prvisining prfiles are nt pushed alng with the installed applicatin. That is, if the prvisining prfile is updated, the new prvisining prfile is nt autmatically deplyed t devices. In such cases, a new versin f the applicatin with the new prvisining prfile is required. Disallw backing up the applicatin data t iclud. Hwever, the applicatin can still back up t iclud. Assume management f applicatins previusly installed by users n their devices, whether applicatins are supervised r unsupervised. Enable this feature s that users d nt have t delete the app versin installed n the device. Wrkspace ONE UEM manages the app withut having t install the AirWatch Catalg versin n the device. Cnfigure a VPN at the applicatin level, and select the Per-App VPN Prfile. Users access the applicatin using a VPN, which helps ensure that applicatin access and use is trusted and secure. 99

100 Chapter 5: Purchased Applicatins Apple VPP Setting Send Applicatin Cnfiguratin Send applicatin cnfiguratins t devices. 5. Select Save. 6. If yu have mre than ne assignment rule, use the Mve Up and Mve Dwn ptins t rder assignments. Place critical assignments at the tp f the list. This cnfiguratin displays as the Pririty. 7. Select Save & Publish. Methds t Revke Managed Distributin Cdes Wrkspace ONE UEM ffers several ways t revke managed distributin cdes s that yu can reuse them. Yu can manually revke cdes. The system revkes cdes in respnse t yu deleting r unassigning anther system cmpnent like rganizatin grups, stkens, and smart grups. See what methds are available t yu t revke yur managed distributin cdes fr reuse. Revke Methd Organizatin Grup User Manual VPP Asset stken Unassign Smart Grup Delete an OG and Wrkspace ONE UEM makes the distributin cdes available fr reuse. Unenrll all devices frm a user. If anther device des nt use the unassigned managed distributin cde, then the Wrkspace ONE UEM cnsle revkes it s that it is available fr reuse. Revke the cde manually ff the device. Yu can use the manual methd nly fr thse cdes that are redeemed frm an external system. This methd is useful fr adpting these cdes int Wrkspace ONE UEM. Delete VPP assets frm the UEM cnsle. Once deleted, the cde is available fr reuse after the scheduler task runs. Delete the stken. Wrkspace ONE UEM makes all assciated cdes available fr reuse. Unassign an asset frm a user. If that license is nt used by anyne else, Wrkspace ONE UEM revkes the distributin cde. Delete a managed distributin device user frm a smart grup. If that license is nt used by anyne else, Wrkspace ONE UEM revkes the distributin cde. Wrkspace ONE UEM makes cdes available immediately after revking r at a scheduled interval depending n the interval yu set in the scheduler task, VPP revke licenses. Find the scheduler task in Grups & Settings > All Settings > Admin > Scheduler. Managed Distributin Infrmatin Yu can access managed distributin infrmatin frm the Device Details, Licenses, and Manage Devices pages. Each page ffers varius auditing and management actins depending n the type f asset. 100

101 Chapter 5: Purchased Applicatins Apple VPP Device Details Frm the Device Details page, audit assignments and perfrm installatins and remvals. G t Devices > List View > Apps r t Devices > List View > Mre > Bks. The system des nt supprt all management functins fr all asset types. The system des nt display unsupprted ptins. View the cntent assigned t the device. If supprted, install and remve the cntent n the specified device. Licenses Frm the Licenses page, track sync prcesses, audit licenses available fr reuse, and revke licenses if supprted. G t Apps & Bks > Applicatins > Native > Purchased > Managed Distributin r t Apps & Bks > Bks > List View > Purchased > Managed Distributin. View when assigned licenses were last synced. Filter by License Owner Type t access licenses that are available t reuse due t errr using the Nt Assigned ptin. Use the Revke actin t make licenses available fr reuse. Manage Devices Frm the Manage Devices page, install and remve cntent, send invitatins t jin the VPP if supprted, and audit applicatin installatins and VPP prgram registratins. G t Apps & Bks > Applicatins > Native > Purchased > Manage Devices r t Apps & Bks > Bks > List View > Purchased > Manage Devices t access the page. The system des nt supprt all management functins fr all asset types. The system des nt display unsupprted ptins. Install the cntent t devices. Remve the cntent frm devices, if supprted by the asset. Ntify devices cncerning the VPP. Reinvite user-based VPP members wh have nt registered their Apple IDs with the prgram. Filter data using the Status ptin and find devices that have nt installed VPP cntent. Filter data using User Invite and find thse user-based members wh have nt registered their Apple IDs with the prgram. Staging Users and Managed Distributin fr Apple's VPP Apple ffers the Apple Cnfiguratr and the Apple Device Enrllment Plan (DEP) t help IT administratrs t deply and manage large numbers f Apple ios devices. Wrkspace ONE UEM integrates with bth applicatins, and integrating with Apple's Vlume Purchase Prgram (VPP). All applicatins aim t help maintain and manage bulk device and cntent. T reduce the risk f license incnsistencies, review these suggestins and guidelines fr deplying Apple Vlume Purchase Prgram (VPP) cntent t devices that yu stage using Cnfiguratr and the DEP. Nte: This infrmatin des nt apply t VPP applicatins assigned t device serial numbers. 101

102 Chapter 5: Purchased Applicatins Apple VPP Aviding License Incnsistencies Distribute Vlume Purchase Prgram (VPP) cntent bught using the managed distributin methd: Use a service tken (stken) in ne MDM envirnment and nt in multiple envirnments. Sme examples include nt using an stken in Wrkspace ONE UEM and in anther MDM system r in a trial envirnment and in a prductin envirnment. Use an stken in ne rganizatin grup and nt in multiple rganizatin grups within Wrkspace ONE UEM. Apply ne device t ne Apple ID and d nt change the Apple ID n the device. These actins reduce the risk f lsing a license in ne envirnment because it was revked in anther envirnment. Hwever, it cannt be ecnmically pssible t have the number f licenses t cver yur staged devices using these actins. VPP deplyment in a staged envirnment is still manageable but it can take extra maintenance with special attentin paid t the Apple ID. Apple IDs Apple IDs are an imprtant part f the system Wrkspace ONE UEM uses t manage the VPP cntent fr staged users. An Apple ID is an identificatin created by users registering with Apple applicatins. Users in this scenari als have their credentials fr Wrkspace ONE UEM. The user enrlls with Wrkspace ONE UEM and then Wrkspace ONE UEM registers the user with Apple and sends an invitatin t jin the Apple VPP. The user accepts the invitatin and jins the VPP using the Apple ID. Currently, Wrkspace ONE UEM stres the assciatin f the Apple ID with the user. It is imprtant t manage the Apple ID in staged envirnments because the Apple ID cntrls access t the user's specific set f VPP cntent. When users change Apple IDs n devices withut cmmunicating the change t their admins, they might experience access difficulties. Guidelines fr Staging Use the fllwing prcesses t reduce license incnsistencies in Wrkspace ONE UEM. 102

103 Chapter 5: Purchased Applicatins Apple VPP Staging Methd Assign VPP Cntent T Accepts VPP Invitatin Installs applicatins Updates applicatins Maintenance Risks Single User, Standard (Self- Registrati n) Individual devices with unique Apple IDs Nt a staging user End users with unique Apple IDs End-users install applicatins End-users update applicatins N maintenance f Apple IDs Least risk because end users maintain their wn Apple IDs n individual devices Single User, Advanced (Pre- Cnfigured) Precnfigured devices with precnfigured Apple IDs End users with precnfigured Apple IDs End-users install applicatins End-users update applicatins Maintain precnfigure d Apple IDs Prvide precnfigure d Apple IDs t end users Endusers change Apple IDs End users d nt return devices t the precnfigure d Apple ID 103

104 Chapter 5: Purchased Applicatins Apple VPP Staging Methd Assign VPP Cntent T Accepts VPP Invitatin Installs applicatins Updates applicatins Maintenance Risks Multi Users Staging user Individu al users Admin with the staging user Apple ID End users with respectiv e unique Apple IDs Admin installs cmmn applicatins with staging user Apple ID End-users install unique applicatins with individual Apple IDs Staging user ID must update cmmn applicatins with staging user Apple ID End users update unique applicatins with their individual Apple IDs Maintain a staging user Apple ID fr a cmmn set f VPP cntent n all devices selected t staging user Maintain end-user Apple ID at device checkut All devices selected in t the staging user d nt have the same Apple ID Admins d nt change devices t the staging user Apple ID upn device check-in End users d nt change the staging user Apple ID t their unique Apple IDs upn device checkut Custm B2B Applicatins and Apple's VPP Yu can uplad custm B2B applicatins acquired thrugh Apple's Vlume Purchase Prgram (VPP) t Wrkspace ONE UEM. Wrkspace ONE UEM wrks with the redemptin cde methd and with the managed distributin methd. The ability f Wrkspace ONE UEM t manage custm B2B applicatins, depends upn the VPP system used t get the applicatins. 104

105 Chapter 5: Purchased Applicatins Apple VPP Redemptin cdes Wrkspace ONE UEM can install custm B2B applicatins bught using redemptin cdes n t devices. End users can install these applicatins n-demand, but Wrkspace ONE UEM cannt manage these applicatins. Uplad custm B2B applicatins acquired with redemptin cdes like ther applicatins acquired with redemptin cdes. G t Redemptin Cde Methd Overview n page 90 fr details. Managed distributin Wrkspace ONE UEM can install custm B2B applicatins bught using managed distributin. End users can install these applicatins n-demand r yu can push these applicatins autmatically. Wrkspace ONE UEM can manage these applicatins. Uplad custm B2B applicatins acquired with the managed distributin like ther applicatins acquired with the managed distributin. Hwever, between the sync-steps and assign-steps, activate management f the applicatins. G t Managed Distributin by Apple IDs Overview n page 94 fr details n uplading applicatins acquired with the managed distributin. G t Activate Management f Custm B2B Applicatins n page 105 fr details t activate management. VPP, Custm B2B Applicatins, and Push Mde Wrkspace ONE UEM can manage custm B2B applicatins acquired with managed distributin cdes but it cannt manage custm B2B applicatins acquired with redemptin cdes. The ability f Wrkspace ONE UEM t manage the custm B2B applicatin determines the push mdes available t distribute the applicatin. VPP Methd Management Ability Available Push Mde Managed distributin Redemptin cde Manage Wrkspace ONE UEM can manage custm B2B applicatins acquired with managed distributin cdes. Cannt manage Wrkspace ONE UEM cannt manage custm B2B applicatins acquired with redemptin cdes. Aut On-Demand On-Demand Activate Management f Custm B2B Applicatins When yu acquire applicatins frm Apple's Vlume Purchase Prgram (VPP) with managed distributin cdes, Wrkspace ONE UEM creates place hlders fr all applicatins it deems as custm B2B. The system creates the place hlders because it cannt retrieve the metadata like the icn, the name, and the bundle ID frm an app stre. Activate management by entering the missing metadata. If there is a versin f the custm B2B applicatin bught using redemptin cdes, Wrkspace ONE UEM can pull the icn and name frm the redemptin cde versin. Hwever, yu must still enter the bundle ID. Activate management f custm B2B applicatins after yu sync licenses and befre yu assign licenses t smart grups. This prcess is utlined in the tpic Managed Distributin and Wrkspace ONE UEM. 1. Uplad an stken and sync licenses. 2. Navigate t Apps & Bks > Applicatins > Native > Purchased. 3. Select the Unknwn link in the Name clumn fr the custm B2B applicatin. Use the App Type > Custm B2B filter 105

106 Chapter 5: Purchased Applicatins Apple VPP fr lcating Unknwn links. Wrkspace ONE UEM changes the status and makes actins available after yu enter the infrmatin. 4. Cmplete the fllwing ptins. Setting Applicatin Name Enter a name that the Wrkspace ONE UEM cnsle displays. Applicatin ID View the ID ppulated using the Adam ID. Bundle ID Enter the value given t yu by the develper Managed By Identifies the managing rganizatin grup. Enter a descriptin with useful infrmatin like the purpse f the applicatin. 5. Select Save. Applicatins yu d nt activate fr management display as Inactive in the Cnsle. Managed Distributin by Device Serial Number If yur VPP deplyment cnsists f ios 9+ r macos devices, cnsider enabling the assignment f Vlume Purchase Prgram (VPP) applicatins by device serial number. This methd remves the need t invite users t the VPP. Deply device-based VPP applicatins using the utlined prcesses in Managed Distributin and Wrkspace ONE UEM n page 94. Wrkspace ONE UEM des nt migrate applicatins t the device-based system. VPP applicatins already assigned t Apple IDs remain assigned as such. Benefits The device-based system ffers several advantages. Users d nt have t accept invitatins and register with the VPP. Admins with multiple stkens in their VPP deplyment d nt have t manage invitatins. Admins d nt have t manage Apple IDs. Uses Device-based assignment is the best chice fr deplyments in the fllwing scenaris. Shared devices with check-in and check-ut systems Crprate wned devices Staged envirnments with ne-device-t-ne-user ratis Devices in Wrkspace ONE UEM fr Educatin deplyment The user-based system is the best chice fr the fllwing scenaris. 106

107 Chapter 5: Purchased Applicatins Apple VPP Multiple devices assigned t a single Apple ID Need t cnserve licenses Supprted Platfrms and Operating Systems Cnfigure a supprted OS t use the device-based methd t distribute applicatins acquired thrugh Apple's Vlume Purchase Prgram (VPP). ios 9+ macos App Eligibility Develpers f VPP applicatins must enable the applicatins fr use in the device-based VPP. Invitatins With the Apple ID remved frm the prcess, the device-based methd n lnger relies n invitatins t register Apple IDs. Hwever, if a device meets the requirements, the system still sends invitatins. Device des nt use ios 9+ r macos App is nt enabled fr device-based VPP use Device receives a user-based VPP applicatin Autmatically Send Invites is enabled in Wrkspace ONE UEM Device-Based VPP Deplyment Prcess The prcess t uplad device-based (serial number) applicatins is similar t uplading user-based (Apple ID) VPP applicatins. The nly difference is that the device-based methd des nt invlve sending invitatins. Imprtant: Once an applicatin is enabled fr device-based use in the Wrkspace ONE UEM cnsle, yu cannt reverse its status and use it in the user-based system. 1. stkens Uplad r register an stken in the desired rganizatin grup in Wrkspace ONE UEM. If yu d nt want Wrkspace ONE UEM t send invitatins t devices, disable Autmatically Send Invites. 2. Syncs Start here in the prcess if yu already have stkens in Wrkspace ONE UEM. If needed, Wrkspace ONE UEM prmpts yu t register an stken with the Wrkspace ONE UEM envirnment. It sends invitatins autmatically fr user-based applicatins that have an Aut push mde. 3. Assign with Flexible Deplyment Assign and publish device-based VPP applicatins with the flexible deplyment feature. During the assignment prcess, Wrkspace ONE UEM prmpts yu t enable applicatins fr the devicebased methd with the setting Enable Device Assignment. 4. Infrmatin Access Access license and applicatin infrmatin using the Licenses page, the Device Details page, and the Manage Devices page. 107

108 Chapter 5: Purchased Applicatins Apple VPP 5. Revke and Reuse Revke licenses with varius management functins. Unenrll devices. Select the revke actin n the infrmatin pages (Licenses, Device Details, and Manage Devices pages). Deactivate and delete assignments. Remve devices frm smart grups assigned t the VPP applicatin. Fr mre infrmatin n hw t enable device-based VPP assignments, see the fllwing Wrkspace ONE UEM Knwledge Base article: Update Device-Based VPP Applicatins Manually r Autmatically Cnfigure autmatic updates r manually push updates t device-based VPP applicatins at the applicatin level. This feature ffers management f updates by Wrkspace ONE UEM r allws yu t push updates as a way t cntrl applicatin versins. This feature des nt wrk fr managed distributin by Apple ID. The VPP applicatin must be enabled fr device-based distributin, als called distributin by device serial number. Fr general infrmatin abut the managed distributin methd by device serial number, see Managed Distributin by Device Serial Number n page 106. This tpic includes supprted perating systems, benefits, and the need fr n VPP invitatins. Nte: Custm B2B applicatins and nn device-based VPP applicatins are tagged as Nt Applicable. These types f VPP applicatins are nt supprted fr this feature. System Behavir n Initial Setup The system des nt autmatically queue applicatin installatin cmmands at the time yu first cnfigure Enable Aut Updates. Initially, Wrkspace ONE UEM stres the currently available versin number frm the App Stre in the database. As this is the initial versin being recrded, it des nt autmatically trigger applicatin upgrades. When a newer versin becmes available in the future, the Wrkspace ONE UEM system that canvases the App Stre fr updates recrds that new versin in the database. At this pint, Wrkspace ONE UEM can autmatically trigger install cmmands fr devices t perfrm applicatin updates. Enable r Push an Update Enable autmatic updates r push them manually. Disabling autmatic updates and pushing them manually allws yu t cntrl what applicatin versins are n devices. 1. Navigate t Apps & Bks > Applicatins > Native > Purchased. 2. Select a device-based VPP applicatin. The system displays the Enable Aut Updates ptin. 3. Select t Enable Aut Updates. If yu disable autmatic updates, yu can select Update App t push an update t devices if there is an update available. 108

109 Chapter 5: Purchased Applicatins Apple VPP Use Filters t Find Applicatins and Perfrm Tasks in Bulk Use the Aut Update filter r the Update Status filter t find and act n applicatins. Filter Example Use these filters t enable autmatic updates n multiple applicatins. 1. Filter the Purchased tab by Aut Update > Disabled and Updated Status > Update Available. Wrkspace ONE UEM displays the applicatin results. 2. Select all listed applicatins with the bulk-selectin check bx. This actin triggers the UI t display the ptin t Enable Aut Updates. 3. Select Enable Aut Updates t enable the feature in bulk. Other bulk ptins include Manage Devices, Sync Licenses, Disable Aut Updates, Update App, Mre Actins > Ntify Devices, and Mre Actins > View Events. Update Ntificatins Cnfigure Wrkspace ONE UEM t ntify yu abut updates using the ntificatin icn and . Ntificatin Icn The Wrkspace ONE UEM cnsle sends ntificatins when it identifies an update. The bell icn in the upper right f the UI displays the number f ntificatins yu have. Select the bell icn and lk fr the App Update Available ntificatin. If yu prefer ntificatin by , select the Accunt Settings icn, which resembles a gear, at the bttm f the ntificatins windw. Edit the Ntificatin ptins. Cnvert Nn Device-Based Applicatins t Use the Feature Imprtant: Yu cannt reverse an applicatin back t the Apple ID-managed distributin system (user-based). D nt cnvert applicatins if yu need the Apple ID t manage VPP applicatins. If yu want t use this feature n nn device-based VPP applicatins, use the Enable Device Assignment ptin n the Assignment tab in the applicatin's recrd. Select it t cnvert the applicatin frm the user-based (Apple ID) managed distributin system t the device-based methd. The system checks fr updates every 24 hurs by default. Wrkspace ONE UEM identifies newly cnverted applicatins with the Pending Check status. After the system updates the applicatin, it changes the status t Update Pushed. Update Challenge fr Device-Based VPP Applicatins Device-based VPP applicatins had update issues due t their disassciatin frm the Apple ID. Wrkspace ONE UEM develped a system t help with the updates f device-based applicatins. Yu can cnfigure autmatic updates r manually push updates. 109

110 Chapter 5: Purchased Applicatins Apple VPP Challenge In the device-based VPP methd f managed distributin, the device serial number is the cnnectin between licenses and the applicatin. It replaces the Apple ID. Hwever, the update f the applicatin is still tied t the Apple ID because the Apple ID is tied t the purchase histry. Device-based applicatins can miss updates because the Apple ID is remved frm the license-assignment prcess. Slutin Wrkspace ONE UEM checks the app stre fr updates f yur device-based VPP applicatins and identifies when updates are available in the UI. Enable autmatic updates fr device-based VPP applicatins and Wrkspace ONE UEM updates these applicatins whenever it identifies an updated is available. If yu want t cntrl the versin f an applicatin, leave autmatic updates disabled and manually push updates when needed. 110

111 Chapter 6: SaaS Applicatins SaaS Applicatins in Wrkspace ONE UEM 112 Requirements t Supprt SaaS Applicatins 113 Methds t Add SaaS Applicatins 114 Client Access Plicy 121 Assign SaaS Applicatins 124 Prvisining Adapters 124 Settings fr SaaS Applicatins 126 SSO Between Wrkspace ONE UEM and VMware Identity Manager fr SaaS Apps and Access Plicies

112 Chapter 6: SaaS Applicatins SaaS Applicatins in Wrkspace ONE UEM Manage yur SaaS applicatins in the same cnsle as yur native applicatins and web links. When yu use access plicies with SaaS applicatins, yu can cntrl access t the applicatin at the pint f authenticatin. SaaS Applicatins and Web Applicatins Are the Same SaaS applicatins are called Web applicatins in VMware Identity Manager and yu can nw add, edit, and delete these applicatins in ne management cnsle. They cnsist f a URL address t the landing page f the resurce. They als include an applicatin recrd. Add SaaS applicatins t the Wrkspace ONE UEM cnsle frm yur web applicatins in the Wrkspace ONE catalg. Yu can als add new SaaS applicatins in the UEM cnsle. VMware Identity Manager Dcumentatin Fr infrmatin abut cnfiguring web applicatins in VMware Identity Manager, see Prviding Access t Web Applicatins, in VMware Identity Manager Dcumentatin. Web Links Applicatins Web links applicatins were called web applicatins in past Wrkspace ONE UEM releases. Fr infrmatin abut Web links applicatins, see Web Links Applicatin Features and Supprted Platfrms n page 136. Cntrl Access at the Time f Authenticatin SaaS applicatins and access plicies ffer cntrl f resurces at the time f authenticatin. Cmpnent Authenticatin methd Identity and Service Prviders Require the use f federatin prtcls when accessing the SaaS applicatin. Federatin prtcls use tkens t allw access and t establish trust between the resurce and the user. T cnfigure trust between yur prviders, SaaS applicatins, and users in yur netwrk, use the identity prvider and the service prvider metadata frm the Wrkspace ONE system in Wrkspace ONE UEM. 112

113 Chapter 6: SaaS Applicatins Cmpnent Certificates Users and User Grups Secured Cnnectin Sessin Access & Length T cntrl trust between users in yur Wrkspace ONE system and the SaaS applicatin, use the selfsigned certificate frm the VMware Identity Manager service r enter ne frm yur certificate authrity. Cnfigure users and user grups in VMware Identity Manager and then assign them t SaaS applicatins in the UEM cnsle. Enable trusted cnnectins with the VMware Enterprise System between the Wrkspace ONE system, SaaS applicatins, and users. Cnfigure access plicies and mbile SSO t cntrl the allwable time t access SaaS applicatins befre users must reauthenticate with Wrkspace ONE. Mre SaaS Applicatin Tpics Fr prerequisites fr the cnfiguratin f SaaS applicatins, see Requirements t Supprt SaaS Applicatins n page 113. Fr infrmatin abut cnfiguring SaaS applicatins, see Add SaaS Applicatins in the Wrkspace ONE UEM cnsle n page 114. Fr infrmatin abut adding Office 365 applicatins and assigning client access plicies t them, see Add Office 365 Applicatins with a Client Access Plicy n page 122. Fr infrmatin abut assign SaaS applicatins t users and user grups, see Assign SaaS Applicatins n page 124. Requirements t Supprt SaaS Applicatins Cnfigure the listed cmpnents and ensure that the Wrkspace ONE UEM envirnment has the crrect settings s that yu can access the cntent n the SaaS page. Required Systems Cnfigure r integrate the listed systems s that yu can access the SaaS applicatins page. Yu can find a wizard t set up these systems in the Wrkspace ONE tract f the Getting Started sectin f the Wrkspace ONE UEM cnsle. VMware Enterprise System Cnnectr - This cmpnent is the unified cnnectr fr Wrkspace ONE, Wrkspace ONE UEM, and VMware Identity Manager. Active Directry - This cmpnent integrates Wrkspace ONE UEM and VMware Identity Manager t sync users and grups frm Active Directry (AD) t the service. Yu assign SaaS applicatins t the users and grups synced frm Active Directry. Nte: With setup f the cnnectr, AD users and grups are in sync between Wrkspace ONE UEM and VMware Identity Manager. VMware Identity Manager - This cmpnent serves many functins including managing yur users and grups and managing authenticatin t resurces. Fr detailed infrmatin n the integratin f the tw systems, search fr Integrating Wrkspace ONE UEM and VMware Identity Manager, at VMware Identity Manager Dcumentatin n dcs.vmware.cm. 113

114 Chapter 6: SaaS Applicatins Mbile SSO -This cmpnent manages single sign-n (SSO) capabilities in the Wrkspace ONE prtal fr Wrkspace ONE UEM-managed Andrid and ios devices. Fr Andrid devices, mbile SSO uses certificate authenticatin. Fr ios devices, it uses the identity prvider in the identity manager service in VMware Identity Manager. G t VMware Identity Manager dcumentatin n dcs.vmware.cm and review n f the listed tpics fr infrmatin n mbile SSO. Implementing Mbile Single Sign-in Authenticatin fr Wrkspace ONE UEM-Managed ios Devices Implementing Mbile Single Sign-On Authenticatin fr Wrkspace ONE UEM-Managed Andrid Devices Nte: Mbile SSO is different frm the SSO feature fr applicatins that use the AirWatch SDK. Access Plicies - This cmpnent prvides secure access t the Wrkspace ONE apps prtal t start Web applicatins. Access plicies include rules that specify criteria that must be met t sign in t the apps prtal and t use resurces. A default plicy is available that cntrls access as a whle. This plicy is set up t allw access t all netwrk ranges, frm all device types, fr all users. Yu can create stricter access plicies that restrict users access t applicatins based n access rules yu define. Fr infrmatin, see Use Access Plicies with SaaS Applicatins n page 142. Supprted Applicatins Deply SaaS applicatins t these platfrms. Andrid Apple ios Apple macos Windws Desktp (Windws 10) Methds t Add SaaS Applicatins Select frm several ways t add r exprt SaaS applicatins in yur Wrkspace ONE envirnment. Methd Tpic Catalg r manual Cpy an existing SaaS applicatin Exprt a ZIP file Select the applicatin frm a catalg list r enter the crrespnding URL and infrmatin. Use this methd t make cpies f the same SaaS applicatin available t different business units. Use this methd t save a ZIP file f the applicatin bundle as a JSON t a lcal machine. Add SaaS Applicatins in the Wrkspace ONE UEM cnsle n page 114 Cpy SaaS Applicatins in the Wrkspace ONE UEM cnsle n page 120 Exprt SaaS Applicatins Frm the Wrkspace ONE UEM cnsle n page 121 Add SaaS Applicatins in the Wrkspace ONE UEM cnsle Yu can add SaaS applicatins in the Wrkspace ONE UEM cnsle. Brwse applicatins already added t yur Wrkspace ONE catalg r add new nes. 114

115 Chapter 6: SaaS Applicatins Fr infrmatin abut access plicies that secure SaaS applicatins, see Use Access Plicies with SaaS Applicatins n page 142. Fr infrmatin abut the Apprvals feature that activates licenses fr use, see Cnfigure Apprvals n page Navigate t Apps & Bks > Applicatins > Web > SaaS and select New. 2. Cmplete the ptins n the Definitin tab. Setting Search Name Icn Categry Yu can create an applicatin by cpying it frm glbal catalg. Enter the name f the SaaS applicatin and search fr the applicatin in the glbal catalg. Yu can als brwse the applicatin frm the glbal catalg. Enter a name fr the SaaS applicatin. (Optinal) Prvide a descriptin f the applicatin. (Optinal) Click Brwse and uplad an icn fr the applicatin. SaaS applicatins use icns in PNG, JPG, and ICON file frmats. The applicatin icns that yu uplad must be a minimum f 180 x 180 pixels. If the icn is t small, the icn des nt display. In this instance, the system displays the default icn. Assign categries t help users srt and filter the applicatin in the Wrkspace ONE catalg. Cnfigure categries in VMware Identity Manager s that they display in the categry list. 3. Cmplete the ptins n the Cnfiguratin tab. a. Authenticatin Type - Select the authenticatin type fr the SaaS applicatin. Available ptins vary depending n the type yu select. The authenticatin type determines the available settings n the user interface. There are several permutatins. SAML Select this ptin t prvide single sign-n fr applicatins that use the SAML 2.0 authenticatin. SAML The SAML 1.1 is an lder SAML authenticatin prfile. Fr better security, implement SAML 2.0. WSFed Select this ptin t prvide single sign-n t applicatins that use WS-Federatin authenticatin. Web Applicatin Link - If the applicatin des nt use a federatin prtcl, select this ptin. Enter the target URL f the applicatin. OpenID Cnnect - Select this ptin t prvide single sign-n t applicatins that use the OAuth 2.0 prtcl. G t the authenticatin type fr yur SaaS applicatin fr available cnfiguratins. 115

116 Chapter 6: SaaS Applicatins SAML 2.0 Setting Cnfiguratin URL/XML is the default ptin fr SaaS applicatins that are nt yet part f the Wrkspace ONE catalg. Manual is the default ptin fr SaaS applicatins added frm the catalg. URL/XML URL/XML Relay State URL Manual Single Sign- On URL Recipient URL Applicatin ID Username Frmat Username Value Relay State URL Enter the URL if the XML metadata is accessible n the Internet. Paste the XML in the text bx if the XML metadata is nt accessible n the Internet, but yu have it. Use manual cnfiguratin if yu d nt have the XML metadata. T Enter a URL where yu want SaaS applicatin users t land after a single sign-n prcedure in an identity prvider-initiated (IDP) scenari. Enter the Assertin Cnsumer Service (ACS) URL. Wrkspace ONE sends this URL t yur service prvider fr single sign-n. Enter the URL with the specific value required by yur service prvider that states the dmain in the SAML assertin subject. If yur service prvider des nt require a specific value fr this URL, enter the same URL as the Single Sign-On URL. Enter the ID that identifies yur service prvider tenant t Wrkspace ONE. Wrkspace ONE sends the SAML assertin t the ID. Sme service prviders use the Single Sign-On URL. Select the frmat required by the service prviders fr the SAML subject frmat. Enter the Name ID Value that Wrkspace ONE sends in the SAML assertin's subject statement. This value is a default prfile text bx value fr a username at the applicatin service prvider. Enter a URL where yu want SaaS applicatin users t land after a single sign-n prcedure in an identity prvider-initiated (IDP) scenari. SAML 1.1 Setting Target URL Single Sign- On URL Enter the URL t direct users t the SaaS applicatin n the Internet. Enter the Assertin Cnsumer Service (ACS) URL. Wrkspace ONE sends this URL t yur service prvider fr single sign-n. 116

117 Chapter 6: SaaS Applicatins Setting Recipient URL Applicatin ID Enter the URL with the specific value required by yur service prvider that states the dmain in the SAML assertin subject. If yur service prvider des nt require a specific value fr this URL, enter the same URL as the Single Sign-On URL. Enter the ID that identifies yur service prvider tenant t Wrkspace ONE. Wrkspace ONE sends the SAML assertin t the ID. Sme service prviders use the Single Sign-On URL. WSFed 1.2 Setting Target URL Single Sign- On URL Applicatin ID Username Frmat Username Value Enter the URL t direct users t the SaaS applicatin n the Internet. Enter the Assertin Cnsumer Service (ACS) URL. Wrkspace ONE sends this URL t yur service prvider fr single sign-n. Enter the ID that identifies yur service prvider tenant t Wrkspace ONE. Wrkspace ONE sends the SAML assertin t the ID. Sme service prviders use the Single Sign-On URL. Select the frmat required by the service prviders fr the SAML subject frmat. Enter the Name ID Value that Wrkspace ONE sends in the SAML assertin's subject statement. This value is a default prfile text bx value fr a username at the applicatin service prvider. Web Applicatin Link Setting Target URL Enter the URL t direct users t the SaaS applicatin n the Internet. OpenID Cnnect Setting Target URL Redirect URL Client ID Client Secret Enter the URL t direct users t the SaaS applicatin n the Internet. Enter the URL f the client that receives the authrizatin cde and access tken. Enter the unique string fr the client. Enter the secret used t authrize the client. b. Applicatin Parameters - Add values fr advanced parameters t allw the applicatin t start. This ptin is nt available fr all applicatins. c. Advanced Prperties - If yu want greater cntrl f messaging in single sign-n prcesses with Wrkspace ONE, 117

118 Chapter 6: SaaS Applicatins add ptinal parameters. The authenticatin type determines the available settings n the user interface. There are several permutatins. G t the authenticatin type fr yur SaaS applicatin. Setting SAML 2.0 Sign Respnse Sign Assertin Encrypt Assertin Include Assertin Signature Signature Algrithm Digest Algrithm Assertin Time Request Signature Encryptin Certificate Applicatin Lgin URL Prxy Cunt API Access Custm Attribute Mapping Require Wrkspace ONE t sign the respnse message t the service prvider. This signature verifies that Wrkspace ONE created the message. Require Wrkspace ONE t sign the assertin within the respnse message sent t the service prvider. Sme service prviders require this ptin. Encrypt the SAML assertin the system sends t the applicatin service prvider. Require Wrkspace ONE t include its signing certificate within the respnse message sent t the service prvider. Sme service prviders require this ptin. Select the signature algrithm that matches the digest algrithm. If yur service prvider supprts SHA256, select this algrithm. Select the digest algrithm that matches the signature algrithm. If yur service prvider supprts SHA256, select this algrithm. Enter the secnds that the assertin Wrkspace ONE sends t the service prvider fr authenticatin is valid. If yu want the service prvider t sign the SAML request it sends t Wrkspace ONE, enter the public signing certificate. Enter the public encryptin certificate that signs the SAML request frm the applicatin service prvider t Wrkspace ONE. Enter the URL fr yur service prvider's lgin page. This ptin triggers the service prvider t initiate a lgin t Wrkspace ONE. Sme service prviders require authenticatin t start frm their lgin page. Enter the allwable prxy layers between the service prvider and an authenticating identity prvider. Enable API access t the SaaS applicatin. If yur service prvider allws custm attributes ther than nes fr single sign-n, add them. If yu want add SAML Transfrmatins, see Cnfigure SAML Transfrmatin. 118

119 Chapter 6: SaaS Applicatins Setting Open in VMware Brwser Andrid and ios SAML 1.1 Signature Algrithm Digest Algrithm Assertin Time Custm Attribute Mapping Open in VMware Brwser Andrid and ios WSFed 1.2 Credential Verificatin Signature Algrithm Digest Algrithm Assertin Time Custm Attribute Mapping Require Wrkspace ONE t pen the applicatin in the VMware Brwser. If yu use VMware Brwser, pening SaaS applicatins within it adds extra security. This actin keeps access within internal resurces. Select the signature algrithm that matches the digest algrithm. If yur service prvider supprts SHA256, select this algrithm. Select the digest algrithm that matches the signature algrithm. If yur service prvider supprts SHA256, select this algrithm. Enter the secnds that the assertin Wrkspace ONE sends t the service prvider fr authenticatin is valid. If yur service prvider allws custm attributes ther than nes fr single sign-n, add them. Require Wrkspace ONE t pen the applicatin in the VMware Brwser. If yu use VMware Brwser, pening SaaS applicatins within it adds extra security. This actin keeps access within internal resurces. Select the methd fr credential verificatin. Select the signature algrithm that matches the digest algrithm. If yur service prvider supprts SHA256, select this algrithm. Select the digest algrithm that matches the signature algrithm. If yur service prvider supprts SHA256, select this algrithm. Enter the secnds that the assertin Wrkspace ONE sends t the service prvider fr authenticatin is valid. If yur service prvider allws custm attributes ther than nes fr single sign-n, add them. 119

120 Chapter 6: SaaS Applicatins Setting Open in VMware Brwser Andrid and ios Require Wrkspace ONE t pen the applicatin in the VMware Brwser. If yu use VMware Brwser, pening SaaS applicatins within it adds extra security. This actin keeps access within internal resurces. d. Access Plicies - Assign plicies t secure signing in t applicatin resurces. Setting Access Plicy License Apprval Required Select a plicy fr Wrkspace ONE t use t cntrl user authenticatin and access. The default access plicy is available if yu d nt have custm access plicies. Yu can cnfigure these plicies in the UEM cnsle. Fr this ptin t display, enable the crrespnding Apprvals in the Settings sectin f SaaS applicatins. Require apprvals befre the applicatin installs and activates a license. License Pricing - Select the pricing mdel t buy licenses fr the SaaS applicatin. License Type - Select the user mdel fr the licenses, named r cncurrent users. Cst Per License - Enter the price per license. Number f Licenses - Enter the number f licenses bught fr the SaaS applicatin. 4. View the Summary fr the SaaS applicatin and mve t the assignment prcess. Assign SaaS Applicatins Assign SaaS applicatins t users and grups cnfigured in VMware Identity Manager. See Assign SaaS Applicatins n page 124. Cnfigure SAML Transfrmatin Yu can cnfigure multiple claim transfrmatins t the SaaS applicatin. Fr mre infrmatin, see Cnfigure SAML Transfrmatin. Cpy SaaS Applicatins in the Wrkspace ONE UEM cnsle Create cpies f SaaS applicatins and assign them t different users and grups. When users lg int Wrkspace ONE and select the applicatin t which they are assigned, the Wrkspace ONE system sends them the assign applicatin versin. Using cpies f applicatins is useful if yur deplyment has different business units that use the same applicatin. T cpy a SaaS applicatin, use the Cpy feature, update cnfiguratins fr that versin, and assign the versin t the applicable users and grups. 120

121 Chapter 6: SaaS Applicatins 1. Navigate t Apps & Bks > Applicatins > Web > SaaS and select the applicatin. 2. Select Cpy. 3. Cmplete settings n the Definitin tab. T help find the cpied applicatin, enter a name in the Name field. Cmplete any ther desired settings. 4. Edit settings n the Cnfiguratin tab as needed. 5. Use the default access plicy r select an applicatin-specific access plicy n the Access Plicies tab. 6. Review the infrmatin n the Summary tab and mve t the assignment prcess. Assign SaaS Applicatins Assign cpies f SaaS applicatins t different users and grups cnfigured in VMware Identity Manager. See Assign SaaS Applicatins n page 124. Exprt SaaS Applicatins Frm the Wrkspace ONE UEM cnsle Exprt SaaS applicatins that yu want t test in a staging area r that yu want t use n a lcal machine withut the Wrkspace ONE system. Task T exprt a SaaS applicatin, use the Exprt feature and save it t a lcal machine. 1. Navigate t Apps & Bks > Applicatins > Web > SaaS and select the applicatin. 2. Select Exprt. 3. Cnfirm that yu want t exprt the applicatin. The system saves a ZIP file f the JSON applicatin bundle t the lcal machine. Client Access Plicy A client access plicy uses Office 365 client authenticatin credentials t access Office 365 applicatins in yur Wrkspace ONE deplyment. An Office 365 client, such as VMware Bxer, Micrsft Outlk, and ios and Andrid native clients, cllects credentials in their UI t authenticate. A client access plicy enables VMware Identity Manager t manage the cllected credentials fr authenticatin. Client access plicies als enable yu t set ther access parameters fr Office 365 applicatins. Plicies set in a single Office 365 applicatin apply t all Office 365 applicatins. Any edits t client access plicies impact the users' ability t access these applicatins. Order f Client Access Plicies Arrange the client access plicies in rder because the system enfrces plicies frm tp t bttm. The system uses the first plicy t authenticate a client r t deny it access. Fr example, if yu create a plicy denying access t all device types and drag it abve a plicy allwing access fr Andrid devices, the system denies all devices access that attempt the user name and passwrd. The system des nt enfrce the plicy allwing access t Andrid devices. The first plicy that denies access takes the precedent. 121

122 Chapter 6: SaaS Applicatins Add Office 365 Applicatins with a Client Access Plicy Add Office 365 applicatins t the Wrkspace ONE UEM cnsle s that yu can cntrl access with client access plicies. 1. Navigate t Apps & Bks > Applicatins > Web > SaaS and select New. 2. Cmplete the ptins n the Definitin tab. Setting Search Name Icn Categry Enter Office 365 t see a list f available applicatins. Enter r view a name fr the SaaS applicatin. (Optinal) Prvide a descriptin f the applicatin. Often, this text bx pre-ppulates. (Optinal) if an icn des nt pre-ppulate, select an icn. (Optinal) Assign categries t help users srt and filter the applicatin in the Wrkspace ONE catalg. Cnfigure categries in VMware Identity Manager s that they display in the categry list. 3. Cmplete the ptins n the Cnfiguratin tab. a. Authenticatin Type - Office 365 applicatins use WSFed 1.2 fr authenticatin type t prvide single sign-n. Setting Target URL Single Sign- On URL Applicatin ID Username Frmat Username Value Enter the URL t direct users t the SaaS applicatin n the Internet. Enter the Assertin Cnsumer Service (ACS) URL. Wrkspace ONE sends this URL t yur service prvider fr single sign-n. Enter the ID that identifies yur service prvider tenant t Wrkspace ONE. Wrkspace ONE sends the SAML assertin t the ID. Sme service prviders use the Single Sign-On URL. Select the frmat required by the service prviders fr the SAML subject frmat. Enter the Name ID Value that Wrkspace ONE sends in the SAML assertin's subject statement. This value is a default prfile text bx value fr a username at the applicatin service prvider. b. Applicatin Parameters - Add values fr advanced parameters t allw the applicatin t start. c. Advanced Prperties - If yu want greater cntrl f messaging in single sign-n prcesses with Wrkspace ONE, add ptinal parameters. Setting WSFed 1.2 Credential Verificatin Select the methd fr credential verificatin. 122

123 Chapter 6: SaaS Applicatins Setting Signature Algrithm Digest Algrithm Assertin Time Custm Attribute Mapping Select the signature algrithm that matches the digest algrithm. If yur service prvider supprts SHA256, select this algrithm. Select the digest algrithm that matches the signature algrithm. If yur service prvider supprts SHA256, select this algrithm. Enter the secnds that the assertin Wrkspace ONE sends t the service prvider fr authenticatin is valid. If yur service prvider allws custm attributes ther than nes fr single sign-n, add them. d. Access Plicies - Assign plicies t secure signing in t applicatin resurces. Setting Access Plicy Open in VMware Brwser License Apprval Required Select a plicy fr Wrkspace ONE t use t cntrl user authenticatin and access. The default access plicy is available if yu d nt have custm access plicies. Yu can cnfigure these plicies in the UEM cnsle. Require Wrkspace ONE t pen the applicatin in the VMware Brwser. If yu use VMware Brwser, pening SaaS applicatins within it adds extra security. This actin keeps access within internal resurces. Require apprvals befre the applicatin installs and activates a license. License Pricing - Select the pricing mdel t buy licenses fr the SaaS applicatin. License Type - Select the user mdel fr the licenses, named r cncurrent users. Cst Per License - Enter the price per license. Number f Licenses - Enter the number f licenses bught fr the SaaS applicatin. Cnfigure the crrespnding Apprvals in the Settings sectin f SaaS applicatins. 4. Add Client Access Plicies fr Office 365 clients. A client access plicy allws VMware Identity Manager t manage the Office 365 client UI credentials cllected fr authenticatin. Sme client examples include VMware Bxer and Micrsft Outlk. Select Add Plicy Rule and cmplete the settings. Setting If the user's client is And a user's netwrk range is And the user's device type is and user belngs t grup(s) Select an available Office 365 client. Select a netwrk range previusly cnfigured in the netwrk ranges prcess. Select the allwed device platfrm fr access. Select user grups allwed t access cntent accrding t the criteria in this plicy. If yu select n grups, the plicy applies t all users. 123

124 Chapter 6: SaaS Applicatins Setting And the client's prtcl is Then perfrm this actin Select the allwable prtcl fr the Office 365 client. Allw r deny access t Office 365 applicatins. 5. View the Summary fr the SaaS applicatin and mve t the assignment prcess. Assign SaaS Applicatins Assign SaaS applicatins t users and grups cnfigured in VMware Identity Manager. See Assign SaaS Applicatins n page 124. Assign SaaS Applicatins Deply SaaS applicatins t users and grups cnfigured frm yur Active Directry system. The system identifies users and grups by a name and a dmain. These resurces are nt the same as Wrkspace ONE UEM cnsle smart grups. Abut Users and User Grups Cnfigure users and user grups in the VMware Identity Manager administratin cnsle. Fr infrmatin, see the tpic Managing Users and Grups at the VMware Identity Manager dcumentatin site n dcs.vmware.cm. Assign Users and Grups t SaaS Applicatins Assign SaaS applicatins by giving users access and use permissins fr the applicatin. Users access the SaaS applicatin frm Wrkspace ONE. 1. Navigate t Apps & Bks > Applicatins > Web > SaaS. 2. Select the SaaS applicatin and then chse Assign. 3. Cmplete the assignment ptins. Setting Users / User Grups Deplyment Type Enter users and user grups that receive the applicatin assignment. Users and user grups are enabled t sign in t Wrkspace ONE. User-Activated - Requires users t select applicatins in the Wrkspace ONE Catalg and t add them t the Launcher t activate them. 4. Save assignment settings. Autmatic - Displays applicatins in the Launcher f Wrkspace ONE the next time users lg in t the Wrkspace ONE prtal. Prvisining Adapters Prvisining prvides autmatic applicatin user management frm a single lcatin. 124

125 Chapter 6: SaaS Applicatins Prvisining adapters allw Web applicatins t retrieve specific infrmatin frm the VMware Identity Manager service as required. If prvisining is enabled fr a Web applicatin, when yu entitle a user t the applicatin in the VMware Identity Manager service, the user is prvisined in the Web applicatin. The VMware Identity Manager service currently includes prvisining adapters fr Micrsft Office 365. Cnfiguring the Prvisining Adapter fr Office 365 The VMware Identity Manager service currently includes prvisining adapters fr Micrsft Office 365. Cmplete the fllwing steps t cnfiguring the Prvisining Adapter fr Office Navigate t Apps & Bks > Applicatins > Web > SaaS and select New. 2. In the Definitin tab brwse fr Office 365. Cmplete the Definitin tab and Select Next. Fr mre infrmatin, see Add SaaS Applicatins in the Wrkspace ONE UEM cnsle n page Cmplete the text bxes in the Cnfiguratin tab. Fr mre infrmatin, see Add SaaS Applicatins in the Wrkspace ONE UEM cnsle n page Enable Setup Prvisining. By default, the prvisining setup is disabled. Once yu select Setup Prvisining, Prvisining, User Prvisining, and Grup Prvisining tabs added t the left navigatin. 5. Add Client Access Plicies fr Office 365 clients. Fr infrmatin, see Add Office 365 Applicatins with a Client Access Plicy n page In the Prvisining tab, select Enable Prvisining, and enter the fllwing infrmatin: Setting Office 365 Dmain Applicatin Client ID Applicatin Client Secret Enter the Office 365 dmain name. Fr example, example.cm. Users are prvisined under this dmain. Enter the AppPrincipalId btained when creating the service principal user. Enter the passwrd created fr the service principal user. 7. By default, Prvisin With License is disabled. On selecting Prvisin With License, yu can enter the fllwing infrmatin: Setting SKU ID Remve License When De- Prvisined Enter the SKU infrmatin. Select the ptin if yu want t remve the license when yu deprvisin Office 365 applicatin. 8. T verify that the Office 365 tenant can be reached, Select Test Cnnectin. 9. Select Next. 10. In the User Prvisining tab, select the attributes with which t prvisin users in Office 365. Make sure that the fllwing required Active Directry attributes are cnfigured t ne f the required attribute names in the User Attributes page: 125

126 Chapter 6: SaaS Applicatins a. The Mail Nickname attribute must be unique within the directry and cannt cntain any special characters. Map the Mail Nickname attribute t user name. Once mapped, d nt change the Mail Nickname. b. The bjectguid attribute is a custm attribute that first must be added t the User Attribute list. The ObjectGUID is mapped t the GUID attribute. Select Add Mapped Value, if yu want t add an Attribute Name and Value. Nte: The UserPrincipalName (UPN) is cnstructed autmatically. Yu d nt see the mapped value. The prvisining adapter appends the Office 365 dmain t the mailnickname attribute value (user.username) t create the UPN. This is appended as, user name +@+ O365_dmainname. Fr example, jdw@ffice365example.cm 11. Select Next. 12. In the Grup Prvisining screen, yu can cmplete the Grup Prvisining task. When a grup is prvisined in Office 365, the grup is prvisined as a security grup. The members f the grup are prvisined as users, if they d nt exist in the Office 365 tenant. The grup is nt entitled t resurces when prvisined. If yu want t entitle the grup t resurces, create the grup and then entitle resurces t that grup. Select Add Grup and cmplete the fllwing steps: a. In the Select Grup text bx, search fr the grup t be prvisined in Office 365. b. In the Mail Nickname text bx, enter a name fr this grup. The nickname is used as an alias: Special characters are nt allwed in the nickname. c. Select Save. Yu can deprvisin a grup in the Office 365 applicatin. The security grup is remved frm the Office 365 tenant. Users in the grup are nt deleted. T deprvisin a grup, select the user grup and Select Deprvisin. 13. Select Next t view the Summary tab. 14. Select Save t Save the cnfiguratins r Save and Assign t deply Office 365 t users and grups cnfigured frm yur Active Directry system. Settings fr SaaS Applicatins Settings include features that apply t all SaaS applicatins in yur Wrkspace ONE envirnment. Cntrl access with cnfiguratins fr SAML authenticatin and with required apprvals. Apprvals Cnfigure SaaS applicatins t require apprval befre users can access them. Use this feature when yu have SaaS applicatins that use licenses fr access t help manage license activatins. When yu enable apprvals, cnfigure the crrespnding, License Apprval Required, in the applicable SaaS applicatin recrd. 126

127 Chapter 6: SaaS Applicatins Apprval Wrkflw Users view the applicatin in their Wrkspace ONE catalg and request use f the applicatin. VMware Identity Manager sends the apprval request message t the rganizatin's cnfigured apprval REST endpint URL. The system reviews the request and sends back an apprved r denied message t VMware Identity Manager. When an applicatin is apprved, the applicatin status turns frm Pending t Added and the applicatin displays in the user's Wrkspace ONE launcher page. Apprval Engines The system ffers tw apprval engines. REST API - The REST API apprval engine uses an external apprval tl that rutes thrugh yur Webserver REST API t perfrm the request and apprval respnses. Yu enter yur REST API URL in the VMware Identity Manager service and cnfigure yur REST APIs with the VMware Identity Manager OAuth client credential values and the callut request and respnse actin. REST API via Cnnectr - The REST API via the Cnnectr apprval engine rutes the callback calls thrugh the cnnectr using the Webscket-based cmmunicatin channel. Yu cnfigure yur REST API endpint with the callut request and respnse actin. Fr infrmatin n apprvals, see Cnfigure Apprvals n page 128. SAML Metadata Yu can use the SAML certificates frm the Settings page fr authenticatin systems like mbile single sign-n. Self-Signed Certificates r Certificates frm CAs The VMware Identity Manager service autmatically creates a self-signed certificate fr SAML signing. Hwever, sme rganizatins require certificates frm certificate authrities (CAs). T request a certificate frm yur CA, generate a certificate signing request (CSR) in Settings. Yu can use either certificate t authenticate users t SaaS applicatins. Send the certificate t relying applicatins t cnfigure authenticatin between the applicatin and the Wrkspace ONE system. Fr infrmatin n retrieving SAML metadata and certificates frm the Settings page, see SAML Metadata fr Single Sign- On with SaaS Applicatins n page 128. Applicatin Surces Yu can add third-party identity prviders t authenticate users in VMware Identity Manager. T cnfigure the prvider instance, use the identity prvider and service prvider metadata yu cpied frm the Settings sectin in the AirWatch Cnsle. Fr detailed infrmatin n hw t cnfigure third-party prviders, see Cnfigure a Third-Party Identity Prvider Instance t Authenticate Users, in VMware Identity Manager Dcumentatin. Yu can cnfigure yur Applicatin Surce by selecting the crrespnding third-party Identity prvider. After the Applicatin surce is set up, yu can then create the assciated applicatins. Fr mre infrmatin, see Cnfiguring Third-Party Identity Prviders as an Applicatin Surce n page

128 Chapter 6: SaaS Applicatins Cnfigure Apprvals Use apprvals fr SaaS applicatins that activate licenses fr use. When enabled with the crrespnding License Apprval Required ptin, users request access t applicable SaaS applicatins frm the Wrkspace ONE catalg befre installatin and license activatin. 1. Navigate t Apps & Bks > Applicatins > Web > SaaS and select Settings. 2. Select Apprvals. 3. Select Yes t enable the feature. 4. Select an Apprval Engine the system uses t request apprvals. 5. Enter the callback URI (Unifrm Resurce Identifier) f the REST resurce that listens fr the callut request. 6. Enter the Username, if the REST API requires credentials t access. 7. Enter the Passwrd fr the user name, if the REST API requires credentials t access. 8. Enter the SSL certificate in PEM (privacy-enhanced electrnic mail) frmat fr the PEM-frmat SSL Certificate ptin, if the REST resurce runs n a server that has a self-signed certificate r a certificate nt trusted by a public certificate authrity and uses HTTPS. Fr infrmatin n the crrespnding ptin License Apprval Required, see the applicable tpic: Fr Office 365 applicatins, see Add Office 365 Applicatins with a Client Access Plicy n page 122. Fr regular SaaS applicatins, see Add SaaS Applicatins in the Wrkspace ONE UEM cnsle n page 114. SAML Metadata fr Single Sign-On with SaaS Applicatins Retrieve SAML metadata and certificates frm the Settings page. Use the metadata and certificates with ther systems fr single sign-n capabilities. Befre Replacing SSL Certificates If yu replace an existing SSL certificate, this actin changes the existing SAML metadata. Imprtant: All single sign-n cnnectins that depend n the existing SAML metadata break when the CSR generatin creates the SAML metadata. Nte: If yu d replace an SSL certificate, yu must update SaaS applicatins that yu cnfigure fr mbile single sign-n with the latest certificate. Dwnlad the Self-Signed SAML Metadata r Generate a CSR Cpy the SAML signing certificate, and cpy and save the identity and service prvider metadata. Yu can als generate a certificate signing request t apply fr an SSL certificate frm yur certificate authrity. 1. Navigate t Apps & Bks > Applicatins > Web > SaaS and select Settings. 2. Select SAML Metadata > Dwnlad SAML Metadata and cmplete the tasks. 128

129 Chapter 6: SaaS Applicatins Setting SAML Metadata Signing Certificate Cpy and save the Identity Prvider metadata and the Service Prvider metadata. Select the links and pen a brwser instance with the XML data. Cnfigure yur third-party identity prvider with this infrmatin. Cpy the signing certificate that includes all the cde in the text area. Yu can als dwnlad the certificate t save it as a TXT file. 3. Select Generate CSR and cmplete the tasks fr requesting a digital identity certificate (SSL certificate) frm yur certificate authrity. This request identifies yur cmpany, dmain name, and public key. The third-party certificate authrity uses it fr issuing the SSL certificate. T update the metadata, uplad the signed certificate. Setting Enter a New Certificate Signing Request Cmmn Name Organizatin Department City State / Prvince Cuntry Key Generatin Algrithm Key Size Replace a Certificate Signing Request Certificate Signing Request Uplad SSL Certificate Enter the fully qualified dmain name fr the rganizatin's server. Enter the name f the cmpany that is legally registered. Enter the department in yur cmpany that the certificate references. Enter the city where the rganizatin is legally lcated. Enter the state r prvince where the rganizatin legally resides. Enter the legal cuntry f residence fr the rganizatin. Select an algrithm used t sign the CSR. Select the number f bits used in the key. Select 2048 r larger. RSA key sizes smaller than 2048 are cnsidered insecure. Dwnlad the certificate signing request (CSR). Send the CSR t the third-party certificate authrity. The third-party certificate authrity sends yu an SSL certificate. Uplad the SSL certificate received frm yur third-party certificate authrity. Cnfiguring Third-Party Identity Prviders as an Applicatin Surce Yu can add third-party identity prviders as an applicatin surce in the Settings fr SaaS Applicatins. Adding an identity prvider as an applicatin surce streamlines the prcess f adding individual applicatins frm that prvider t the end-user catalg. Adding an identity prvider as an applicatin surce streamlines the prcess f adding individual applicatins frm that prvider t the end-user catalg. T begin, entitle the ALL_USERS grup t the applicatin surce and select an access plicy t apply. Web applicatins that use the SAML 2.0 authenticatin prfile can be added t the catalg. The applicatin cnfiguratin is based n the settings cnfigured in the applicatin surce. Only the applicatin name and the target URL are required t be cnfigured. 129

130 Chapter 6: SaaS Applicatins When yu add applicatins, yu can entitle specific users and grups and apply an access plicy t cntrl user access t the applicatin. Users can access these applicatins frm their desktps and mbile devices. The cnfigured settings and plicies frm the third-party applicatin surce can be applied t all applicatins managed by the applicatin surce. Smetimes, third-party identity prviders send an authenticatin request withut including which applicatin a user is trying t access. If VMware Identity Manager receives an authenticatin request that des nt include the applicatin infrmatin, the backup access plicy rules cnfigured in the applicatin surce are applied. The fllwing identity prviders can be cnfigured as applicatin surces. Okta PingFederated server frm Ping Identity Active Directry Federatin Services (ADFS) Adding an Applicatin Surce Yu can cnfigure yur Applicatin Surce by selecting the third-party identity prvider. After the Applicatin Surce is set up, yu can then create the assciated applicatins and entitle the users. Fr mre infrmatin, see Add Applicatin Surce fr the Third-Party Identity Prviders n page 130. Entitling Users t the Applicatin Surce Yu can set the entitlements fr the Applicatin Surce t All Users r add Users / User Grup. Fr mre infrmatin, see Add Users t the Applicatin Surce n page 133. Adding Applicatins Managed by the Applicatin Surce After the identity prvider is cnfigured as an applicatin surce, yu can create the assciated applicatins fr each f the third-party identity prviders. Fr mre infrmatin, Add Applicatins Managed by the Applicatin Surce n page 133. Add Applicatin Surce fr the Third-Party Identity Prviders Cnfigure yur Applicatin Surce by selecting the third-party identity prvider. After the Applicatin Surce is set up, yu can then create the assciated applicatins and entitle the users. 1. Navigate t Apps & Bks > Applicatins > Web > SaaS and select Settings. 2. Select Applicatin Surces. 3. Select the third-party identity prvider. The third-party identity prvider's Applicatin Surce wizard is displayed. 4. Enter a descriptive name fr the applicatin surce and click Next. 5. Authenticatin Type is defaulted t SAML 2.0 and is read-nly. 130

131 Chapter 6: SaaS Applicatins 6. Mdify the applicatin surce Cnfiguratin. Setting Cnfiguratin URL/XML is the default ptin fr SaaS applicatins that are nt yet part f the Wrkspace ONE catalg. URL/XML Manual is the default ptin fr SaaS applicatins added frm the catalg. URL/XML Relay State URL Manual Single Sign- On URL Recipient URL Applicatin ID Username Frmat Username Value Relay State URL Enter the URL if the XML metadata is accessible n the Internet. Paste the XML in the text bx if the XML metadata is nt accessible n the Internet, but yu have it. Use manual cnfiguratin if yu d nt have the XML metadata. T Enter a URL where yu want SaaS applicatin users t land after a single sign-n prcedure in an identity prvider-initiated (IDP) scenari. Enter the Assertin Cnsumer Service (ACS) URL. Wrkspace ONE sends this URL t yur service prvider fr single sign-n. Enter the URL with the specific value required by yur service prvider that states the dmain in the SAML assertin subject. If yur service prvider des nt require a specific value fr this URL, enter the same URL as the Single Sign-On URL. Enter the ID that identifies yur service prvider tenant t Wrkspace ONE. Wrkspace ONE sends the SAML assertin t the ID. Sme service prviders use the Single Sign-On URL. Select the frmat required by the service prviders fr SAML subject frmat. Enter the Name ID Value that Wrkspace ONE sends in the SAML assertin's subject statement. This value is a default prfile field value fr a username at the applicatin service prvider. Enter a URL where yu want SaaS applicatin users t land after a single sign-n prcedure in an identity prvider-initiated (IDP) scenari. 7. Mdify the Advanced Prperties. Setting Sign Respnse Sign Assertin Enter the URL t direct users t the SaaS applicatin n the Internet. Enter the Assertin Cnsumer Service (ACS) URL. Wrkspace ONE sends this URL t yur service prvider fr single sign-n. 131

132 Chapter 6: SaaS Applicatins Setting Encrypt Assertin Include Assertin Signature Signature Algrithm Digest Algrithm Assertin Time Request Signature Encryptin Certificate Applicatin Lgin URL Prxy Cunt API Access Enter the URL with the specific value required by yur service prvider that states the dmain in the SAML assertin subject. If yur service prvider des nt require a specific value fr this URL, enter the same URL as the Single Sign-On URL. Enter the ID that identifies yur service prvider tenant t Wrkspace ONE. Wrkspace ONE sends the SAML assertin t the ID. Sme service prviders use the Single Sign-On URL. Select SHA256 with RSA as the secure encrypted hash algrithm. Select SHA256. Enter the SAML assertin time in secnds. If yu want the service prvider t sign the request it sends t Wrkspace ONE, enter the public signing certificate. Enter the public encryptin certificate if yu want the SAML request frm the applicatin service prvider t Wrkspace ONE t be signed. Enter the URL fr yur service prvider's lgin page. This ptin triggers the service prvider t initiate a lgin t Wrkspace ONE. Sme service prviders require authenticatin t start frm their lgin page. Enter the allwable prxy layers between the service prvider and an authenticating identity prvider. Allw API access t this applicatin. 8. Cnfigure Custm Attribute Mapping.If yur service prvider allws custm attributes ther than nes fr single sign-n, add them. 9. Select Open in VMware Brwserif yu want t pen the applicatin in the VMware Brwser. Hwever, it requires Wrkspace ONE t pen the applicatin in the VMware Brwser. If yu use VMware Brwser, pening SaaS applicatins within it adds extra security. This actin keeps access within internal resurces. 10. Click Next. 11. T secure signing in t applicatin resurces, select the Access plicies. Click Next t view the Summary page. 12. Click Save. Nte: If yu select Save and Assign while cnfiguring the applicatin surce, yu set the entitlements fr the applicatin surce t All Users. Hwever, yu can change the default settings and manage the user entitlements and add users r user grups. Fr mre infrmatin, see Add Users t the Applicatin Surce n page

133 Chapter 6: SaaS Applicatins Add Applicatins Managed by the Applicatin Surce After the identity prvider is cnfigured as an applicatin surce, yu can create the assciated applicatins fr each f the third-party identity prviders. Fr example, use the fllwing instructins t add applicatins fr OKTA identity prvider. 1. Navigate t Apps & Bks > Applicatins > Web > SaaS > New. 2. Cmplete the ptins n the Definitin tab. 3. In the Cnfiguratin tab, yu can select OKTA frm the Authenticatin Type drp-dwn menu. Add Users t the Applicatin Surce Yu can set the entitlements fr the applicatin surce t All Users r add Users / User Grups. By default, if yu select Save and Assign while cnfiguring the applicatin surce, yu set the entitlements fr the applicatin surce t All Users. T manage the user assignment: 1. Navigate t Apps & Bks > Applicatins > Web > SaaS and select Settings. 2. Select Applicatin Surces. 3. Click All Users fr the crrespnding Applicatin Surce if yu want t verride the settings. 4. Enter the names f the grups r users. 5. Yu can search fr users r grups by starting t type a search string and allwing the aut-cmplete feature t list the ptins, r yu can click brwse t view the entire list. 6. Click Save. SSO Between Wrkspace ONE UEM and VMware Identity Manager fr SaaS Apps and Access Plicies The Wrkspace ONE UEM cnsle and the VMware Identity Manager cnsle use an authrizatin cde wrk flw that allws access t bth cnsles with single sign-n (SSO). This feature aims t allw access t the VMware Identity Manager cnsle fr admins in the UEM cnsle t wrk n SaaS applicatin cnfiguratins. This flw is specific t SaaS applicatins and access plicies in Wrkspace ONE UEM. Additins and edits made in Wrkspace ONE UEM are reflected in Identity Manager. Register the OAuth Client During Setup When yu set up VMware Identity Manager in the UEM cnsle, yu register the OAuth client as part f the setup wizard. The OAuth client registratin is a prerequisite fr this SSO feature t wrk. Wrkflw VMware Identity Manager and Wrkspace ONE UEM wrk in the back-end t authenticate the Wrkspace ONE UEM admin t VMware Identity Manager. The VMware Identity Manager Cnsle passes an ID tken t Wrkspace ONE UEM. 133

134 Chapter 6: SaaS Applicatins This tken cntains infrmatin abut the admin and the authenticatin s that the admin can access bth cnsles. The tw cnsles fllw the depicted prcess. 134