VMware AirWatch Integration with SecureAuth PKI Guide



Table of Contents

- AirWatch Integration with SecureAuth PKI Guide
  - High Level Design
- Chapter 1: Installation, Setup, and Configuration
  - Overview
  - System Requirements
  - Retrieve Certificate from SecureAuth Certificate Authority
  - Set Up Certificate Template for SecureAuth CA Type
  - Deploy a Certificate Profile to a Device
- Chapter 2: Testing and Troubleshooting
  - Overview
  - Verify Ability to Perform Certificate Authentication without AirWatch
  - Verify Ability to Perform Certificate Authentication with AirWatch
- Appendix: Configure ACC to Trust the SecureAuth Appliance
- Accessing Other Documents

AirWatch Integration with SecureAuth PKI Guide

AirWatch supports flexible PKI integration: it can request certificates from either internal or external certificate authorities (CAs). This document explains how to integrate with SecureAuth PKI services to issue certificates for your AirWatch MDM solution.

High Level Design

For AirWatch to communicate with SecureAuth for certificate distribution, you must have a SecureAuth instance configured and ready to issue certificates. You can then configure AirWatch to communicate with SecureAuth using basic authentication. Once communication is successfully established, you can define how to deploy certificates to devices.

Below are some examples of how SecureAuth and AirWatch can be deployed.



Chapter 1: Installation, Setup, and Configuration

Overview

Use the following requirements and steps to configure certificate integration.

System Requirements

- A SecureAuth instance that is configured for certificate deployment.
- AirWatch Console version 7.2 or higher.
- If your SecureAuth appliance is public-facing, it must be protected with a Public SSL Certificate.
- If you are using AirWatch Cloud Connector (ACC) for enterprise integration, then ACC needs to be configured to trust the root certificate installed on your SecureAuth appliance.

Retrieve Certificate from SecureAuth Certificate Authority

After you generate a SecureAuth MPKI RA certificate, AirWatch can be configured to communicate with SecureAuth.

1. Navigate to Devices > Certificates > Certificate Authorities.
2. Click Add.
3. Select SecureAuth from the Authority Type drop-down menu.
4. Enter a unique name and description that identifies the SecureAuth certificate authority in the Certificate Authority and Description fields.
5. In the Server URL field, enter https://<SecureAuth_FQDN>/SecureAuthX/webservice/certificateissuerws.svc, where <SecureAuth_FQDN> is the URL of your SecureAuth instance and the X in SecureAuthX is the realm instance number that is configured for certificates. This is the web endpoint that AirWatch will use to submit requests and issue certificates.
6. Enter the Company GUID, which at the time of this writing can be found by logging in to your SecureAuth admin portal, navigating to the System Information tab, and scrolling down to the License Info section where you can view your Company GUID.
7. Enter the Username and Password fields, which can be found by logging in to your SecureAuth admin portal, navigating to the Workflow tab, and scrolling down to the FBA WebService section.
8. Click Save.
9. Click Test Connection when complete to verify the test is successful. An error message appears indicating the problem if the connection fails.
10. Click Save.

Set Up Certificate Template for SecureAuth CA Type

Now that you have completed Retrieve Certificate from SecureAuth Certificate Authority, AirWatch is able to communicate with SecureAuth. The next step is to define which certificate will be deployed to devices by setting up a certificate template in AirWatch. Use the following steps whether you are setting up a template for PKI or SCEP.

1. Navigate to Devices > Certificates > Certificate Authorities.
2. Select the Request Templates tab.
3. Click Add.
4. Select SecureAuth from the Certificate Authority drop-down menu.
5. Enter the Name for the SecureAuth Request Template.
6. Enter a Description to help you identify the SecureAuth certificate template.
7. Enter the Subject Name, which is the identity bound to the certificate.
8. Select the Key Pair Generation Location, which can be either AirWatch or SecureAuth. This setting determines whether the key pair is generated on the SecureAuth side or on the AirWatch side. AirWatch recommends selecting SecureAuth because it is the simpler configuration.
   - When you select SecureAuth, it generates the certificate and the private key and returns them to AirWatch with its root certificate. The root certificate and user certificate are combined into a single cert and sent to the device to install.
   - When you select AirWatch, you have a few more fields to configure: the Certificate Validity Period, which is the length of time the certificate is valid for in days (AirWatch recommends the value 365), and the Private Key Length, which is how secure you want the keys to be (AirWatch recommends 2048 as the key length).
9. For Private Key Type, select whether the certificate can be used for signing, encryption, or both.
10. Select the Automatic Certificate Renewal checkbox if AirWatch is going to automatically request the certificate to be renewed by SecureAuth when it expires. If you select this option, enter in the Auto Renewal Period (days) field the number of days prior to expiration at which AirWatch automatically requests SecureAuth to reissue the certificate. This requires the certificate profile on SecureAuth to have the Duplicated Certificates setting enabled.
11. Select the Enable Certificate Revocation checkbox if you want AirWatch to be able to revoke certificates.
12. Click Save.

Deploy a Certificate Profile to a Device

Now that the SecureAuth certificate authority and certificate template settings have been properly configured in AirWatch, the final step is to configure AirWatch profiles (payloads) for either PKI or SCEP. If you chose PKI in Retrieve Certificate from SecureAuth Certificate Authority, then you only need to configure a Credentials profile. Once either of these profiles is created, you can create additional payloads that the SecureAuth certificate can use, such as Exchange ActiveSync (EAS), VPN, or Wi-Fi services.

Configure a PKI Credential Payload

1. Navigate to Devices > Profiles > List View.
2. Click Add.
3. Select the applicable platform for the device type.
4. Specify all General profile parameters for organization group, deployment type, etc.
5. Select Credentials from the payload options.
6. Click Configure.
7. Select Defined Certificate Authority from the Credential Source drop-down menu.
8. Select the external SecureAuth CA you created previously in Retrieve Certificate from SecureAuth Certificate Authority from the Certificate Authority drop-down menu.
9. Select the certificate template for SecureAuth you created previously in Set Up Certificate Template for SecureAuth CA Type from the Certificate Template drop-down menu.

At this point, Saving and Publishing the profile would deploy a certificate to the device. However, if you plan on using the certificate on the device for Wi-Fi, VPN, or email purposes, then you should also configure the respective payload in the same profile to leverage the certificate being deployed. For step-by-step instructions on configuring these payloads, refer to the applicable Platform Guides.


Chapter 2: Testing and Troubleshooting

Overview

These testing and troubleshooting techniques are for SaaS, rather than on-premises, deployments.

Verify Ability to Perform Certificate Authentication without AirWatch

Remove AirWatch from the configuration and manually configure a device to connect to your network server using certificate authentication. This should work outside of AirWatch; until it works properly, AirWatch will not be able to configure a device to connect with a certificate.

Verify Ability to Perform Certificate Authentication with AirWatch

You can confirm that the certificate is usable by pushing a profile to the device and testing whether or not the device is able to connect and sync to the configured EAS, VPN, or Wi-Fi access point. If the device is not connecting and shows a message that the certificate cannot be authenticated or the account cannot connect, then there is a problem in the configuration. Below are some helpful troubleshooting checks.

If SSL/TLS errors are received while creating a template

This error can occur when you attempt to:

- Create an AirWatch certificate template by selecting the Retrieve Profiles button, or
- Retrieve a certificate from the AirWatch console from the SecureAuth certificate authority.

The troubleshooting technique that usually resolves this problem is adding the required server certificate chain to the console server's trusted root key store.

If the AirWatch Certificate Profile fails to install on the device

Inform AirWatch Professional Services of the error and request that they:

- Turn on Verbose Mode to capture additional data.
- Retrieve the web console log.

AirWatch analyzes the log and works with the customer to resolve the problem.

If the certificate is not populated in the View XML option of the profile

- Confirm that lookup values configured on the SecureAuth certificate profile match the lookup values in the AirWatch console's Request Template.
- Confirm that lookup values in the AirWatch Request Template are actually populated in the user information being pulled from AD.
- Confirm you are pointing to the right profile in SecureAuth.

Appendix: Configure ACC to Trust the SecureAuth Appliance

If you are using ACC and the SecureAuth appliance is not public-facing, then you need to follow the instructions below to ensure that ACC trusts the appliance.

1. Open MMC by searching for it using Windows Search and launching the mmc.exe file.
2. Navigate to File > Add/Remove Snap-in. The Add or Remove Snap-ins screen displays.
3. Select the Certificates snap-in in the left pane and select Add.
4. Select Computer account as Snap in source. Select Next.
5. Select Local computer. Select Finish.
6. Select OK.
7. Expand the newly added Certificates tree.
8. Expand the Trusted Root Certification Authorities folder.
9. Right-click the Certificates folder here and select All Tasks > Import.
10. Proceed through the Certificate Import Wizard. You will be prompted to Browse and select the file of the root certificate used to generate the SecureAuth SSL certificate. Select Next.
11. Select Place all certs in the following store. Select Next.
12. Click Finish. The import completes and the Certificate Store displays, where you can see the certificate you just installed.
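
The import above, and the certificate-chain check behind the SSL/TLS troubleshooting item in Chapter 2, can also be done from PowerShell. The script below is an added example, not part of the VMware guide: it inspects the root certificate file, imports it into the same Local Computer store, then confirms that the appliance's TLS certificate chains to it. The file path and host name are placeholders, and port 443 is an assumption.

```powershell
# Added example, not from the VMware guide. Run elevated on the ACC server.
# Both values are placeholders (assumptions); the appliance is assumed to listen on 443.
$RootCertPath   = 'C:\Temp\secureauth-root.cer'   # exported root CA certificate file
$SecureAuthFqdn = 'secureauth.example.internal'   # host name used in the Server URL

$X509 = 'System.Security.Cryptography.X509Certificates'

# 1. Inspect the file before trusting it machine-wide.
$root = New-Object "$X509.X509Certificate2" $RootCertPath
if ($root.Subject -ne $root.Issuer) {
    throw "Not a root: '$($root.Subject)' was issued by '$($root.Issuer)'"
}
if ($root.NotAfter -lt (Get-Date)) { throw "Root expired on $($root.NotAfter)" }
$bc = $root.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }   # Basic Constraints
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning 'Basic Constraints does not mark this certificate as a CA.'
}
"Root:       $($root.Subject)"
"Thumbprint: $($root.Thumbprint)  (verify against a value obtained out of band)"

# 2. Import into Local Computer > Trusted Root Certification Authorities,
#    the store the MMC steps target, unless the thumbprint is already there.
$present = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $present) {
    Import-Certificate -FilePath $RootCertPath -CertStoreLocation Cert:\LocalMachine\Root |
        Out-Null
}

# 3. Fetch the appliance's TLS certificate and build its chain against the
#    machine stores. The callback accepts any certificate only so that an
#    untrusted chain can still be inspected; no application data is sent.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($SecureAuthFqdn, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($SecureAuthFqdn)
    $server = New-Object "$X509.X509Certificate2" $ssl.RemoteCertificate
} finally {
    $tcp.Dispose()
}

$chain = New-Object "$X509.X509Chain" $true      # $true = use the machine context
$chain.ChainPolicy.RevocationMode = 'NoCheck'    # trust path only; revocation is a separate check
$trusted = $chain.Build($server)
$chain.ChainElements | ForEach-Object { "  chain: $($_.Certificate.Subject)" }

$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($trusted -and $anchor.Thumbprint -eq $root.Thumbprint) {
    'OK: the appliance certificate chains to the imported root.'
} elseif ($trusted) {
    "Trusted, but anchored at a different root: $($anchor.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { "Chain error: $($_.Status) $($_.StatusInformation)" }
}
```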

Accessing Other Documents

While reading this documentation you may encounter references to documents that are not included here.

The quickest and easiest way to find a particular document is to navigate to https://support.airwatch.com/articles/115001659088 and search for the document you need. Each release-specific document has a link to its PDF copy on AirWatch Resources.

Alternatively, you can navigate to AirWatch Resources (https://resources.air-watch.com) on myairwatch and search. When searching for documentation on Resources, be sure to select your AirWatch version from the drop-down menu and to select the Documentation category on the left.