Lab 15: Configure Enterprise Integrations

Objective and Tasks

Create a directory services integration using Workspace ONE on-premises connectors:

  1. Review the Enterprise Integration Configurations in Workspace ONE UEM
  2. Install and Configure the Omnissa Access Connector
  3. Configure Directory Services in Omnissa Access
  4. Review the Authentication Methods in the Identity Provider Settings
  5. Configure Access Policy Settings

Task 1: Review the Enterprise Integration Configurations in Workspace ONE UEM

In the Workspace ONE UEM console, you review the AirWatch Cloud Connector and Directory Services configurations that were completed in a previous lab.

  1. Ensure that you are on the ControlCenter VM.
  2. If the Workspace ONE UEM console is logged out due to inactivity, log in to the Workspace ONE UEM administration console.
    1. From the ControlCenter Windows taskbar, click the Google Chrome icon and open a new tab.
    2. From the bookmarks bar, select Workspace ONE UEM.
      • You can also enter https://techseals.awmdm.com/AirWatch in the address bar to access the Workspace ONE UEM console page.
  3. Log in to Workspace ONE UEM.
    • User name: studentadmin{labid}
    • Password: Pa$$w0rd
  4. In the navigation pane on the left, select Groups & Settings > All Settings > System > Enterprise Integration > Cloud Connector.
    • You should see that AirWatch Cloud Connector is enabled.
  5. Click Test Connection to validate connectivity.
    • A Reached Cloud Connector running version 24.6.0.16 at WS1-Connector (192.168.110.95) message appears.
  6. In the navigation pane on the left, select System > Enterprise Integration > Directory Services.
    • You should see that Directory Services integration is configured.
  7. Click Test Connection to validate connectivity.
    • A test connection dialog box opens, and you should see a Connection successful with the given server name, bind username, and password. message.
  8. Close the Test Connection dialog box.

 

  1. In the navigation pane on the left, select All Settings > Devices & Users > General > Enrollment.
  2. On the Authentication tab, click Override next to Current Setting.
  3. Next to Authentication Mode(s), select the Basic and Directory check boxes.
  4. Next to Source of Authentication for Intelligent Hub, click WORKSPACE ONE ACCESS.
    1. Note: In a previous lab this was set to UEM. Now we will see the effects of having ACCESS as the source of authentication.
  5. Click Save.

Task 2: Install and Configure the Omnissa Access Connector

You install the Omnissa Access connector on the WS1-Connector VM and connect it to your Omnissa Access environment.

  1. On the ControlCenter desktop, double-click the Remote Desktops folder.
  2. Double-click WS1-Connector VM.RDP.
    • You are now connected to the WS1-Connector VM.
  3. On the WS1-Connector VM desktop, open Google Chrome.
  4. Enter https://{labid}.vidmpreview.com/ in the address bar.
  5. Log in to the Omnissa Access console.
    • User name: admin
    • Password: Pa$$w0rd
  6. Click the TA button in the top right and click Access Console.
  7. From the Omnissa Access console menu bar, select Integrations > Connectors.
  8. Click New.
    1. The Select the Connector page appears.
  9. Make sure the Latest Omnissa Access Connector radio button is selected.
  10. Click OK.
  11. Click Confirm.
    • The Add New Connector dialog box appears.
  12. Download the Omnissa Access Connector configuration file.
  13. Click Next.
  14. Enter Pa$$w0rdPa$$w0rd in the Password text box.
  15. Enter Pa$$w0rdPa$$w0rd in the Reenter password text box.
  16. Click Download Configuration File.
    • The es-config.json file downloads to the Downloads folder of the WS1-Connector VM.
  17. Click Next and then click Close.
  18. From WS1-Connector VM desktop taskbar, click the File Explorer icon.
    • Navigate to the Desktop\Software\ACCESS folder.
  19. Copy the Omnissa Access Connector installer from the shared network folder to the local VM:
  20. In the ACCESS folder, right-click the Workspace-ONE-Access-Connector-Installer-24.12.0.0.exe file and select Copy.
  21. Navigate to the WS1-Connector VM's Downloads folder.
  22. Right-click inside the folder, and select Paste.
    • The Omnissa Access Connector installer is copied to the VM's Downloads folder.
  23. In the Downloads folder, right-click the Workspace-ONE-Access-Connector-Installer-24.12.0.0.exe file and select Run as administrator.
  24. If you are prompted with a security warning, click Run to proceed with the installation.
  25. If you are prompted to install Microsoft .NET Framework 4.8 Web, click Install to complete that installation.

The Omnissa Access connector installation wizard appears.

NOTE
If you are prompted to restart the server, click Yes and wait for the Connector VM restart process to finish. If you are disconnected from the WS1-Connector VM after accepting the server restart, you must reconnect to the WS1-Connector VM from the Remote Desktop Connection Manager application. The server restart might take up to 10 minutes to complete.
After you log in to the WS1-Connector VM after the restart, the installation wizard should start automatically. Click Run to continue the Omnissa Access Connector installation process.
  1. Click Next.
  2. Select I accept the terms in the license agreement and then click Next.
  3. Click Next to accept the service selection and default install path.
  4. If you are prompted to update the Java Runtime Environment (JRE) version, click Yes.
  5. Insert the Omnissa Access Connector configuration file into the installer.
  6. On the Specify Configuration File page, click Browse.
  7. Navigate to the Downloads folder and select the es-config.json configuration file.
  8. Click Open.
  9. Enter Pa$$w0rdPa$$w0rd as the configuration file password. Ensure that Enable FIPS is NOT selected.
  10. Click Next.
  11. On the Select Default or Custom Installation page, select Default and then click Next.
  12. On the Specify Service Account page, enter the service account information.
    • User name: techseals\WS1Access
    • Password: 0Mnissa1!
  13. Click Next.
  14. Click Install.

The Omnissa Access connector installation begins. The installation takes up to 15 minutes to complete.

  1. On the Installation Wizard Completed page, click Finish.
  2. If you are prompted to restart the server, click Yes and wait for the WS1-Connector VM restart process to finish.

NOTE: If you are disconnected from the WS1-Connector VM after accepting the server restart, you must reconnect to the WS1-Connector VM from the Remote Desktop Connection Manager application. The server restart might take up to 10 minutes to complete.

  1. In the Omnissa Access console, select Integrations > Connectors from the navigation.

You see an Omnissa Access connector entry with the ws1-connector.techseals.co host name. The following services should be running on the WS1-Connector VM:

  • Directory Sync
  • Kerberos Auth
  • User Auth
  • Virtual Apps Sync
NOTE
If you do not see the Omnissa Access connector entry, try to refresh the webpage or click the refresh button on the Connectors page.
IMPORTANT
If your lab environment was suspended or restarted at any point during this lab, log in to the Omnissa Access environment and select Integrations > Connectors in the menu bar to check if all Omnissa Access connector services are running. If any service failed to start, connect to the WS1-Connector VM and restart the Omnissa Access connector services.

Task 3: Configure Directory Services in Omnissa Access

You use Omnissa Access to configure Directory Services.

  1. Return to the ControlCenter VM. If the Omnissa Access console is logged out due to inactivity, open the Omnissa Access administration console.
  2. Open Google Chrome.
    1. Enter https://{labid}.vidmpreview.com in the address bar.
    2. Log in to the Omnissa Access console.
    3. User name: admin
    4. Password: Pa$$w0rd
  3. Click the TA button in the top right and click Access Console.
  4. From the menu bar, select Settings > User Attributes.
  5. Verify that the email check box is selected as a required attribute.
NOTE
When an attribute is marked as required, Omnissa Access checks whether a user account from the Directory has a value for this attribute.
If the required value is present, Omnissa Access imports the user account. Otherwise, Access will not import the user account.
  1. Click Save.
  2. From the menu bar, select Integrations > Directories.
  3. Click Add Directory and select Active Directory. The Add Directory dialog box appears.
  4. Configure the Active Directory settings.
    1. Enter TechSeals in the Directory Name text box.
    2. Click NEXT.
    3. Next to Directory Sync Hosts, verify that the WS1-connector.techseals.co (Active) check box is selected.
    4. Next to User Auth Hosts, verify that the WS1-connector.techseals.co (Active) check box is selected.
    5. From the User Name drop-down menu, verify that sAMAccountName is selected.
    6. Under Server Location, verify that the This Directory supports DNS Service Location check box is selected.
  5. Under Encryption, verify that the STARTTLS required for all connections check box is deselected.
  6. Under Bind User Details, enter:
    1. Base DN: dc=techseals,dc=co
    2. Bind User DN: cn=administrator,ou=corp,dc=techseals,dc=co
    3. Bind User Password: Pa$$w0rd
  7. Click SAVE.
  8. On the Select the Domains page, make sure the techseals.co check box is selected.
  9. Click SAVE.
  10. The Map User Attributes dialog box appears.
  11. Configure the necessary user attribute mapping.
    1. From the email drop-down menu, verify that mail is selected.
    2. From the firstName drop-down menu, verify that givenName is selected.
    3. From the userName drop-down menu, verify that sAMAccountName is selected.
    4. Leave the default values for all other user attribute mappings.
    5. Click SAVE.
  12. On the Select the group you want to sync page, click +ADD.
  13. In the Name field, type dc=techseals,dc=co and click Add.
  14. Scroll down and click SAVE.
  15. On the Select the Users you would like to sync page, edit the syntax so that it reads:
    • ou=corp,dc=techseals,dc=co
  16. Click TEST.
  17. Click SAVE.
NOTE
You control which users and groups to import into Omnissa Access by manually entering the appropriate DNs. You can also use the exclusion filters to exclude certain users and groups from being imported into Omnissa Access.
Keep the pre-added administrator account.
  1. On the Sync Frequency page, click Every hour.
  2. Click SAVE & SYNC to finish the directory synchronization.

You are returned to the Directories page in the Omnissa Access console.

  1. Refresh the browser page to reflect the directory synchronization result.
  2. From the menu bar, select Accounts > Users and verify that the new user accounts are imported from the Active Directory. (This may take a few minutes)
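
The import rules from this task (required email attribute, the attribute mapping, and the user sync DN) can be checked against a directory export before you click SAVE & SYNC. The following Python sketch is an added example, not part of the lab or of Omnissa Access; the LDIF sample and its accounts are constructed, and the parser assumes plain attr: value lines with no escaped commas in DNs.

```python
ATTR_MAP = {"email": "mail", "firstName": "givenName", "userName": "sAMAccountName"}
REQUIRED = ["email"]                     # required under Settings > User Attributes
USER_DN = "ou=corp,dc=techseals,dc=co"   # DN entered on the user sync page

# Constructed sample export; these accounts are invented for the example.
SAMPLE_LDIF = """\
dn: cn=Alice Ames,ou=corp,dc=techseals,dc=co
sAMAccountName: aames
mail: aames@techseals.co

dn: cn=Bob Birk,ou=corp,dc=techseals,dc=co
sAMAccountName: bbirk

dn: cn=Carol Cho,ou=contractors,dc=techseals,dc=co
sAMAccountName: ccho

dn: cn=Dan Dole,OU=Corp,DC=techseals,DC=co
sAMAccountName: ddole
mail:
"""

def parse_ldif(text):
    """Parse plain 'attr: value' records separated by blank lines (no folding/base64)."""
    entries = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(":") for line in block.splitlines())
        entries.append({k.strip().lower(): v.strip() for k, _, v in pairs})
    return entries

def in_scope(dn, base):
    """True when dn lies below base; compares RDNs case-insensitively."""
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in base.split(",")]
    return len(d) > len(b) and d[-len(b):] == b

def precheck(entries, base=USER_DN, required=REQUIRED):
    """Return (accounts expected to import, {dn: reason skipped})."""
    imported, skipped = [], {}
    for e in entries:
        missing = [a for a in required if not e.get(ATTR_MAP[a].lower())]
        if not in_scope(e["dn"], base):
            skipped[e["dn"]] = "outside user sync DN"
        elif missing:
            skipped[e["dn"]] = "missing required: " + ", ".join(missing)
        else:
            imported.append(e.get("samaccountname", e["dn"]))
    return imported, skipped
```

Accounts reported as skipped here are the ones to look for if they are absent from Accounts > Users after the sync.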

Task 4: Review the Authentication Methods in the Identity Provider Settings

You review the authentication methods enabled for the Techseals identity provider (IdP) in Omnissa Access.

  1. From the Omnissa Access console menu bar, select Integrations > Identity Providers.
  2. To edit the settings for the IdP, click IDP for Techseals.co.
  3. You see that the Connector Authentication Method, Password (cloud deployment), is selected. Leave all settings at their default values.
  4. Click Save.

Task 5: Configure Access Policy Settings

You locate, modify, and review the Omnissa Access policy settings.

  1. From the menu bar, select Resources > Policies.
NOTE
The Policies page lists the default access policy set and any other policies that you create. Policies are sets of rules that list criteria that must be met before an authentication decision is made.
  1. Click EDIT on the Default Policy.
    • The Edit Policy wizard appears.
  2. Click NEXT.
  3. To edit the access policy rule, click ALL RANGES next to the Workspace ONE App or Hub App device type policy rule.
    • The browser might obscure the values. You can point to a value to see the full text.
  4. Verify the configuration of the rule. The correct configuration is as follows:
    • If a user’s Network Range is: ALL RANGES
    • and the user accessing content from: Apps on Workspace ONE Intelligent Hub
NOTE
Do not change this value on the Edit Policy Rule page.
  • Then perform this action: Authenticate using
  • then the user may authenticate using: Password (cloud deployment)
  • If the preceding method fails or is not applicable, then: Password (Local Directory)
  1. Leave the default values for the other settings and click Save.
  2. Repeat the same steps for the Web Browser policy rule to ensure that Password (cloud deployment) authentication is set as the primary authentication method.
NOTE
For the "and the user accessing content from:" policy rule parameter, verify that Web Browser is selected before you click Save.
  1. On the Configuration page of the Edit Policy wizard, click +Add Policy Rule.
  2. Configure a new policy rule.
Option                                                       Action
If a user’s Network Range is:                                Select ALL RANGES from the drop-down menu.
and the user accessing content from:                         Select macOS from the drop-down menu.
Then perform this action:                                    Select Authenticate using from the drop-down menu.
Then the user may authenticate using:                        Select Password (cloud deployment) from the drop-down menu.
If the preceding method fails or is not applicable, then:    Select Password (Local Directory) from the drop-down menu.
Reauthenticate after:                                        Leave the default setting of 8 Hours.
NOTE
Adding this access policy does not affect your deployment.
  1. Click Save.
  2. Drag the vertical 6-dot icons to reorder the policy rules.
  3. Drag the macOS rule to the bottom.
  4. Drag the Workspace ONE App or Hub App rule to the middle.
  5. Drag the Web Browser rule to the bottom.
  6. To view the Summary page, click NEXT.
  7. Click SAVE to commit your changes to default_access_policy_set.
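
Omnissa Access evaluates policy rules from top to bottom and applies the first rule that matches, which is why the rule order set in this task matters once rules stop sharing the same authentication methods. The following Python model is an added example, not part of the lab or of the product; the device-type matchers are a simplified assumption, the requests are constructed, and HYPOTHETICAL-METHOD is a placeholder rather than a real authentication method name.

```python
HUB, WEB, MAC = "Workspace ONE App or Hub App", "Web Browser", "macOS"
LAB_CHAIN = ("Password (cloud deployment)", "Password (Local Directory)")

# Simplified assumption: all rules use ALL RANGES, so only device type is matched.
MATCH = {
    HUB: lambda r: r["client"] == "hub",
    WEB: lambda r: r["client"] == "browser",   # any operating system
    MAC: lambda r: r["os"] == "macOS",
}

# Constructed sample requests.
REQUESTS = [
    {"client": "hub", "os": "iOS"},
    {"client": "hub", "os": "macOS"},
    {"client": "browser", "os": "Windows"},
    {"client": "browser", "os": "macOS"},
    {"client": "native", "os": "macOS"},
]

def decide(order, chains, request):
    """Return (rule, auth chain) for the first rule in `order` that matches."""
    for name in order:
        if MATCH[name](request):
            return name, chains[name]
    return None, ()

def order_impact(order_a, order_b, chains, requests=REQUESTS):
    """List requests whose effective auth chain differs between two rule orders."""
    changed = []
    for r in requests:
        a, b = decide(order_a, chains, r), decide(order_b, chains, r)
        if a[1] != b[1]:
            changed.append((r["client"], r["os"], a[0], b[0]))
    return changed

# The three rules as configured in this lab: identical chains everywhere.
lab = {HUB: LAB_CHAIN, WEB: LAB_CHAIN, MAC: LAB_CHAIN}
# Hypothetical variation: the macOS rule is later given a different method.
varied = {**lab, MAC: ("HYPOTHETICAL-METHOD",)}

if __name__ == "__main__":
    print(order_impact([HUB, MAC, WEB], [WEB, HUB, MAC], lab))
    print(order_impact([HUB, MAC, WEB], [WEB, HUB, MAC], varied))
```

With the lab's rules the two orders produce no difference, which matches the note that adding the macOS rule does not affect the deployment; in the varied case a macOS browser request is decided by whichever of the macOS and Web Browser rules is listed first.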
