GlobalSign Integration Guide. GlobalSign Enterprise PKI (EPKI) and VMware Workspace ONE UEM (AirWatch)


Table of Contents

Introduction
GlobalSign Enterprise PKI (EPKI)
Partner Product Information
Managed PKI Architecture
Setup Overview
GlobalSign EPKI Account Setup
Add Pre-vetted Email Domains (Optional)
Adding GlobalSign as a Certificate Authority (CA)
Assigning a Certificate Template
Creating an Operating System (OS) Profile
Distributing Profiles to a Device(s)
Certificate Revocation
Review Error Log
About GlobalSign
GlobalSign Contact Information

Introduction

This technical integration guide describes how to integrate the VMware Workspace ONE UEM platform with GlobalSign's managed Enterprise PKI (EPKI) service to automatically provision digital certificates for mobile devices from the GlobalSign SaaS CA. Digital certificates provide a secure and cost-effective method to authenticate corporate and Bring Your Own Device (BYOD) devices accessing enterprise resources.

Before you can issue certificates from your GlobalSign EPKI Account, setup steps must be completed in both the VMware Workspace ONE UEM ("Workspace ONE UEM" hereafter) console and GlobalSign's EPKI console. This guide walks you through these steps.

GlobalSign Enterprise PKI (EPKI)

The GlobalSign managed Enterprise PKI (EPKI) is a cloud-based PKI service that gives organizations an easy method to issue and manage digital certificates for corporate users. The EPKI web portal and associated API provide administrators with an easy-to-use solution that simplifies PKI deployments and eliminates the need to host their own Certificate Authority. EPKI gives enterprises the tools to maintain full control of their PKI requirements without the complexity and overhead cost of running an in-house CA.

Further, with integration into Workspace ONE UEM version 8.0+, organizations can automatically provision digital certificates directly from the Workspace ONE UEM Admin console. User Principal Name, Email and Enterprise File System features in issued certificates are also supported from its version 9.6+.

For more information about EPKI, see https://www.globalsign.com/en/enterprise-pki/

Partner Product Information

Partner Name: VMware, Inc.
Website: www.air-watch.com
Product Name: VMware Workspace ONE UEM (Former: AirWatch Enterprise MDM) v.8.0
Product Description: VMware Workspace ONE UEM is an intelligence-driven digital workspace platform that simply and securely delivers and manages any app on any device by integrating access control, application management and multi-platform endpoint management. It is available as an annual cloud subscription or a perpetual on-premises license. Workspace ONE is built on the VMware AirWatch Unified Endpoint Management technology and integrates with virtual application delivery (VMware Horizon) on a common identity framework. With Workspace ONE, organizations can now evolve siloed cloud and mobile investments, enabling all employees, devices and things across the organization to accelerate their digital transformation journey with a platform-based approach. Read more at: https://www.air-watch.com/why-workspace-one-airwatch/

Managed PKI Architecture

The following diagram shows a simple architecture, illustrating an integration with Workspace ONE UEM and the GlobalSign EPKI and Managed Services PKI. Note, all ports shown are the default ports.

[Architecture diagram. Labels recovered from the figure: 443, VMware Workspace ONE UEM.]

Setup Overview

To establish the connection between Workspace ONE UEM and your GlobalSign EPKI account, you will need to complete the following steps, outlined in this guide:

- Set up a GlobalSign EPKI Account
- In the Workspace ONE UEM Platform:
  o Select GlobalSign as a Certificate Authority
  o Assign GlobalSign to a Certificate Template
  o Create an operating system (OS) profile
  o Distribute the profile to a device

To start the setup process, please proceed to the first step: GlobalSign EPKI Account Setup.

GlobalSign EPKI Account Setup

The following steps walk you through establishing a pre-vetted organization profile, ordering a certificate license pack, and obtaining the information from your GlobalSign Enterprise PKI (EPKI) account that you will need to integrate with your Workspace ONE UEM. If you do not already have an EPKI account, please visit the following page to request a quote: https://www.globalsign.com/en/enterprise-pki/.

You will need the following information from your GlobalSign EPKI Account:

- Login Credentials: Your GlobalSign User ID (i.e. PARXXXXXX_user name). You will need to remember your GlobalSign User ID and password when configuring your Workspace ONE UEM.

Complete the following steps to order your EPKI Certificate License Pack:

1. Log in to your GlobalSign Account.
2. Click the ENTERPRISE PKI tab.
3. Click Order Licenses on the left-hand menu.
4. Select the Enterprise PKI Lite for Personal Digital ID license pack appropriate for the number of users/devices you are planning to manage with your Workspace ONE UEM.

Next, complete the steps in the EPKI Administrator guide to register for a pre-vetted organization profile: https://www.globalsign.com/support/ordering-guides/globalsign-epki-admin-guide.pdf

Note: the default EPKI service utilizes a shared issuing CA, issued from a GlobalSign publicly trusted root. Therefore GlobalSign recommends utilizing the lock base DN feature in order to reserve an Organization and OU combination that will be restricted to the account. Dedicated private issuing CAs, either self-signed or issued from a GlobalSign trusted root, are available. Please contact your GlobalSign EPKI product specialist for details.

Once you've completed the EPKI Profile registration, a GlobalSign vetting agent will begin the verification process for your organization. This may take up to three (3) business days. The profile will be assigned a Profile ID, i.e. MP201211011148.

After the profile has been pre-vetted and approved, complete the following steps to enable proper configuration with your Workspace ONE UEM.

1. In your EPKI account, click Profile Configuration on the left-hand menu.
2. In the API IP Address Range field, enter the IP address (range) of the server hosting your Workspace ONE UEM.

Next, disable the EPKI system-generated emails. The Workspace ONE UEM service will automatically provision certificates from EPKI, so the emails are not needed:

3. Click Manage Email Templates. The following steps should be completed for the following email types:
   - Enrollment (invite)
   - Renewal reminders (all)
4. Click Disable.
5. Click Next.
6. Click Complete.

Your EPKI Account is now prepared for the integration with your Workspace ONE UEM. Please continue to step: Adding GlobalSign as a Certificate Authority (CA).

Add Pre-vetted Email Domains (Optional)

If you wish to include email addresses in certificates, you will need to register and pre-vet email domains to your profile.

1. Click the Profile Configuration menu item. Then click Configure next to Email Domains.
2. Enter email domains to be pre-vetted and approved.
3. Click Email Domain List to check their vetting status and availability.
4. Check Status of the domains. Approved will be shown once verification is complete and ready for use.

Adding GlobalSign as a Certificate Authority (CA)

With your EPKI Account properly set up, you can now configure Workspace ONE UEM to associate certificate provisioning to mobile devices with the GlobalSign CA.

1. Log in to Workspace ONE UEM service using your Workspace ONE UEM administrator account.
2. Select Devices > Certificates > Certificate Authorities.
3. Click the Add button.
4. Select GlobalSign as the Authority Type from the dropdown menu.
5. Add https://system.globalsign.com/cr/ws/gasorderservice as the Server URL.
6. For User Name and Password, enter your GlobalSign User ID (i.e. PAR00001_username) and Password.
7. Click Save.

You have now successfully associated your GlobalSign EPKI Account with your Workspace ONE UEM. Please continue to step: Assigning a Certificate Template.

Assigning a Certificate Template

The certificate template will now establish a connection between your Workspace ONE UEM and the certificate profile ID and product code that you established in your EPKI Account.

1. Select Devices > Certificates > Certificate Authorities > Request Templates.
2. Click Add.
3. Enter a name and description for the user.
4. Select the GlobalSign Certificate Authority previously established.
5. Enter your EPKI Profile ID from your EPKI Account profile.
   Note: the Profile ID will follow this format: MP201XXXXXXXXX.
6. Enter the product code EPKIPSPersonal.
7. Enter the validity period associated with the EPKI license pack you purchased.
8. Enter the Common Name as CN= (e.g. First and Last name of the user) in the Subject Name field. Optionally also specify an organization unit as OU= and email address as E=.
   Subject Name example:
   Note: As you are the Local Registration Authority for your pre-vetted organization, you are obligated to verify the identity of the user you are registering using the terms found in the EPKI Service Agreement accepted at service sign up. https://www.globalsign.com/en/repository/globalsign-epki-service-agreement.pdf
9. Click +Add at SAN Type to add User Principal Name, if needed. Choose User Principal Name from the dropdown options and fill in the value. Either {UserPrincipalName} or {EmailAddress} can be selected as the UPN value.
   Note: Only User Principal Name is available as SAN Type among all other dropdown options. If other SAN Type options are selected, they will be ignored or may fail issuing a certificate.
   Also note: RFC822 Name in SAN (Email Address in SAN Type) is not configurable. This will automatically be set when E= in Subject Name is specified. Please see No.8 above for E= in Subject Name.
10. Click Save.

Now that you have successfully created a Certificate Authority and Certificate Template, you will need to create an operating system profile. Please proceed to step: Creating an Operating System (OS) Profile.

Creating an Operating System (OS) Profile

The final step is creating a profile based on the OS of the devices you are looking to manage. The profile will assign the CA to the device(s).

1. Click Devices > Profiles > List View.
2. Click Add - Add Profile.
3. Click on the icon of the device OS you would like to manage.
4. Complete the General form information. Note: the only required field is the Name of the profile.
5. On the left-hand menu, click Credentials.
6. Click Configure.
7. From the Credential Source dropdown select Defined Certificate Authority.
8. Select the GlobalSign CA from the Certificate Authority drop-down menu.
9. Click Save & Publish.

The integration between your Workspace ONE UEM and GlobalSign EPKI account is now complete. To understand how the Workspace ONE UEM device profiles are distributed to devices, please proceed to the next section, Distributing Profiles to a Device(s).

Distributing Profiles to a Device(s)

The integration is now complete and you have created certificate templates as well as profiles for the specific OS of the devices you are managing using your Workspace ONE UEM. The following steps explain how to assign profiles to those devices when profile distribution is set to Optional at Assignment Type in Profiles (optional).

1. Click Devices > Profiles > List View.
2. Click the Search icon (circled in blue) to the right of the profile you are looking to distribute.
3. The devices included in the group will be listed.
4. Click the Install Profile icon (circled in blue) to the right of the device you would like to apply the profile to. The certificate and profile are distributed to the device at the same time.

Please continue to review the remaining sections of this guide to understand how you can also revoke certificates through the Workspace ONE UEM interface and how to handle certificate license expirations.

Certificate Revocation

You will be able to revoke certificates by viewing the certificate list from Devices > Certificates > List View. Select appropriate certificates and click the REVOKE CERTIFICATE (circled in blue) to revoke them.

Review Error Log

When the error Install Failed occurs, you can check details of the error log via the following steps.

1. Click Friendly Name of the specific device the error occurred with.
2. Click More and select Troubleshooting.
3. Look for Certificate Request Failed in the Event column and click the link under Event Data.
4. Details of the error log will be shown under the Certificate category.
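
A pre-flight check for the Request Template values from Assigning a Certificate Template and the pre-vetted email domains, added here as an example (it is not GlobalSign or VMware code). The dictionary layout, the function names and the MP-plus-12-digits Profile ID pattern are assumptions; the product code, the SAN rule and the two lookup values are the ones this guide states.

```python
import re

# Values the guide states for the Request Template.
PRODUCT_CODE = "EPKIPSPersonal"
UPN_LOOKUP_VALUES = {"{UserPrincipalName}", "{EmailAddress}"}
# Assumption: "MP" plus 12 digits, inferred from the guide's MP201211011148 example.
PROFILE_ID_RE = re.compile(r"MP\d{12}")


def parse_subject(subject):
    """Split 'CN=..., OU=..., E=...' into {ATTRIBUTE: value}; escaped commas are not handled."""
    attrs = {}
    for part in filter(str.strip, subject.split(",")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not an attribute=value pair: {part.strip()!r}")
        attrs[name.strip().upper()] = value.strip()
    return attrs


def lint_template(template, approved_domains, user_emails=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not PROFILE_ID_RE.fullmatch(template.get("profile_id", "")):
        findings.append("profile_id: expected MP followed by 12 digits")
    if template.get("product_code") != PRODUCT_CODE:
        findings.append(f"product_code: expected {PRODUCT_CODE}")

    try:
        attrs = parse_subject(template.get("subject_name", ""))
    except ValueError as exc:
        return findings + [f"subject_name: {exc}"]
    if not attrs.get("CN"):
        findings.append("subject_name: CN= is missing or empty")

    # E= also sets the RFC822 name in the SAN, so its domain has to be pre-vetted.
    email = attrs.get("E")
    if email is not None:
        candidates = user_emails if email == "{EmailAddress}" else [email]
        approved = {d.lower() for d in approved_domains}
        for address in candidates:
            domain = address.rpartition("@")[2].lower()
            if domain not in approved:
                findings.append(f"subject_name: E= domain {domain!r} is not pre-vetted")

    for san_type, value in template.get("san", []):
        if san_type != "User Principal Name":
            findings.append(f"san: type {san_type!r} is ignored or may fail issuance")
        elif value not in UPN_LOOKUP_VALUES:
            findings.append(f"san: UPN value {value!r} is not one the guide lists")
    return findings


# Constructed sample input; apart from the guide's example Profile ID, nothing here is real.
SAMPLE = {
    "profile_id": "MP201211011148",
    "product_code": "EPKIPSPersonal",
    "subject_name": "CN=Jane Example, OU=Mobile, E={EmailAddress}",
    "san": [("User Principal Name", "{UserPrincipalName}"), ("DNS Name", "host.example.com")],
}

if __name__ == "__main__":
    for finding in lint_template(SAMPLE, {"example.com"}, ["jane@example.com", "bob@example.org"]):
        print(finding)
```

Running it against the template values and the Email Domain List before saving the template flags what would otherwise only surface as a Certificate Request Failed event.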

About GlobalSign

GlobalSign is the leading provider of trusted identity and security solutions enabling businesses, large enterprises, cloud service providers and IoT innovators around the world to secure online communications, manage millions of verified digital identities and automate authentication and encryption. Its high-scale PKI and identity solutions support the billions of services, devices, people and things comprising the Internet of Everything (IoE). The company has offices in the Americas, Europe and Asia.

Accredited to the highest standards

As a WebTrust accredited public Certificate Authority, and member of the Online Trust Alliance, CAB Forum and Anti-Phishing Working Group, our core solutions allow our thousands of enterprise customers to conduct secure online transactions and data submission, and provide tamper-proof distributable code as well as being able to bind identities to Digital Certificates for S/MIME email encryption and remote two factor authentication, such as SSL VPNs.

GlobalSign Contact Information

GlobalSign Americas: Tel: 1-877-775-4562, www.globalsign.com, sales-us@globalsign.com
GlobalSign EU: Tel: +32 16 891900, www.globalsign.eu, sales@globalsign.com
GlobalSign UK: Tel: +44 1622 766766, www.globalsign.co.uk, sales@globalsign.com
GlobalSign FR: Tel: +33 1 82 88 01 24, www.globalsign.fr, ventes@globalsign.com
GlobalSign DE: Tel: +49 30 8878 9310, www.globalsign.de, verkauf@globalsign.com
GlobalSign NL: Tel: +31 20 8908021, www.globalsign.nl, verkoop@globalsign.com