Lab 12: Omnissa Access

Objective and Tasks

Create a directory services integration using Workspace ONE on-premises connectors:

  1. Navigate the Omnissa Access console
  2. Customize the Omnissa Access log-in page branding
  3. Review the Enterprise Integration Configurations in Workspace ONE UEM
  4. Install and Configure the Omnissa Access Connector
  5. Configure Directory Services in Omnissa Access
  6. Review the Authentication Methods in the Identity Provider Settings
  7. Configure Access Policy Settings

Task 1: Navigate the Omnissa Access console

You use the menu bar to navigate through all available settings in the Omnissa Access console.

  1. On the ControlCenter VM, click the Google Chrome icon.

  2. You can also enter https://{labid}.us0.wss.workspaceone.com in the address bar to access the Omnissa Access administration console.

  3. Log in to the Omnissa Access console.

    • User name: admin

    • Password: Pa$$w0rd

  4. In the Omnissa Access console, click each tab in the menu bar and review the available controls.

  5. In the upper-right corner of the page, click the catalog menu (looks like a 3x3 grid) and review the available controls.

  • User Portal: Changes to the User Portal view.

If you change to the user portal, you can click the TA user account icon in the top-right of the page and select Access Console to bring up a Workspace ONE Access administration console.

  1. In the upper-right corner of the page, click the Tenant Admin drop-down menu and review the available controls.

    • Profile: Review the administrator account details.

    • Logout: Logs the current user account out of the Omnissa Access console.

  2. From the navigation pane, click Accounts and review the available controls. You explore and configure some of these settings later in this course.

    • Users

    • User Groups

    • Roles

Do not edit any of these items.

  1. In the navigation pane, across the top, click Resources and review the available controls. You explore and configure some of these settings later in this course.

    • Web Apps

    • Virtual Apps

    • Horizon Cloud Services Next-Gen

    • Virtual Apps Collections

    • Policies

    • Global Launcher Preferences

Do not edit any of these items.

  1. From the navigation pane, across the top, click Integrations and review the available controls. You explore and configure some of these settings later in this course.

    • Authentication Methods

    • Connectors

    • Directories

    • Connector Authentication Methods

    • Hub Configuration

    • Identity Providers

    • Magic Link

    • Okta Catalog

    • People Search

    • UEM Integration

    • SIEM

Do not edit any of these items.

  1. From the navigation pane, across the top, click Settings and review the available controls. You explore and configure some of these settings later in this course.

    • Branding

    • Login Preferences

    • OAuth 2.0 Management

    • Password Policy

    • Password Recovery

    • User Attributes

    • Support Access

Do not edit any of these items.

Task 2: Customize the Omnissa Access sign-in page branding

You configure the appearance, names, colors, and other settings related to the Omnissa Access sign-in page.

  1. From the Omnissa Access console menu bar, select Settings > Branding.

  2. Under the Workspace ONE Browser Tab section, you can customize the sign-in page browser tab display preference.

    • Company Name: Enter the text that appears in the web browser page title.

    • Product Name: Enter the text that appears in the web browser page title after your company name.

  3. Under the Sign-In Screen section, you can customize the UI preference for the login screen.

    • Logo: Upload the logo that is displayed on your login page.

    • Screen Background: Select a background image for your login page.

    • Sign-in dialog background: Select the background color of your login page.

    • Sign-in button background: Select the background color of your login button.

    • Sign-in Button Text: Select the color of the login button text.

The color customization uses HEX values. To customize the color, you enter an appropriate HEX value into the respective text box.  You can also click on the Color Box next to the HEX values to select from a palette of colors, and then click outside the box to apply the color and generate the HEX code.

You can use the preview box to determine if you are satisfied with the changes.

  1. Click Save to store your custom branding.

  2. Open a new Incognito window in Google Chrome.

  3. Log in to the Omnissa Access console.

    • You should see the Omnissa Access sign-in page with the new branding scheme if you changed any branding element in the previous steps.

  4. Close the Incognito window.

  5. Return to the Omnissa Access console. Keep the Workspace ONE UEM and Omnissa Access consoles open for later labs.

Task 3: Review the Enterprise Integration Configurations in Workspace ONE UEM

You review the AirWatch Cloud Connector and Directory Services configurations we did in a previous lab in the Workspace ONE UEM console.

  1. If the Workspace ONE UEM console is logged out due to inactivity, log in to the Workspace ONE UEM administration console.
    1. From the ControlCenter VM, click the Google Chrome icon and open a new tab.
    2. From the bookmarks bar, select Workspace ONE UEM. You can also enter https://omnissatraining.com/Airwatch in the address bar to access the console page.
  2. Log in to Workspace ONE UEM.
    • User name: studentadmin{labid}
    • Password: Pa$$w0rd
  3. In the navigation pane at the top, select Groups & Settings. Then, select All Settings and expand System > Enterprise Integration > Cloud Connector.
    • You should see that AirWatch Cloud Connector is enabled.
  4. Click Test Connection to validate connectivity.
    • A "Reached Cloud Connector running version 25.#.#.# at WS1-Connector (192.168.110.95)" message appears.
  5. In the navigation pane on the left, select System > Enterprise Integration > Directory Services.
    • You should that see Directory Services integration is configured.
  6. Click Test Connection to validate connectivity.
    • A test connection dialog box opens, and you should see a message, saying, "Connection successful with the given server name, bind username, and password."
  7. Close the Test Connection dialog box.
  8. Select Devices & Users and then expand General > Enrollment.
  9. On the Authentication tab, click Override next to Current Setting.
  10. Next to Authentication Mode(s), select the Basic and Directory check boxes.
  11. Next to Source of Authentication for Intelligent Hub, click WORKSPACE ONE ACCESS.

In a previous lab this was set to UEM. Now you will see the effects of having ACCESS as the source of authentication.

  1. Click Save.

Task 4: Install and Configure the Omnissa Access Connector

You install the Omnissa Access connector on the WS1-Connector VM and connect it to your Omnissa Access environment.

  1. Using the VM Swticher menu, switch to the WS1-Connector VM.
  2. On the WS1-Connector VM desktop, open Google Chrome. If an Enhanced ad Privacy in Chrome window opens, click More, and then Got it.
  3. Enter https://{labid}.us0.wss.workspaceone.com/ in the address bar.
  4. Log in to the Omnissa Access console.
    • User name: admin
    • Password: Pa$$w0rd
  5. Click in the top right TA button and click Access Console.
  6. From the Omnissa Access console navigation bar, click the Integrations tab, and in the left pane, click Connectors.
  7. If the Add New Connector screen does not appear automatically, click New.
  8. On the Download Installer screen, click Next.
  9. Enter Pa$$w0rdPa$$w0rd in the Password text box.
  10. Enter Pa$$w0rdPa$$w0rd in the Reenter password text box.
  11. Click Download Configuration File.
    • The es-config.json file downloads to the Downloads folder of the WS1-Connector VM.
  12. Click Next and then click Close.

The Access Connector installer has already been downloaded for you.

  1. From WS1-Connector VM desktop taskbar, click the File Explorer icon, and navigate to the Desktop\Software\Access folder.
  2. In the Access folder, Right-click the Workspace-ONE-Access- Connector-Installer-24.12.1.0.exe file and select Copy.
  3. Navigate to the WS1-Connector VM's Downloads folder.
  4. Right-click inside the folder, and select Paste.
    • The Omnissa Access Connector installer is copied to the VM's Downloads folder.
  5. In the Downloads folder, right-click the Workspace-ONE-Access-Connector-Installer-24.12.1.0.exe file and select Run as administrator.
  6. Click Next. If you are prompted with a security warning, click Run to proceed with the installation.
  7. If you are prompted to install Microsoft .NET Framework 4.8 Web, click Install to complete that installation.

The Omnissa Access connector installation wizard appears.

If you are prompted to restart the server, click Yes and wait for the Connector VM restart process to finish. If you are disconnected from the WS1-Connector VM after accepting the server restart, you must reconnect to the WS1-Connector VM from the Remote Desktop Connection Manager application. The server restart might take up to 10 minutes to complete.

After you log in to the WS1-Connector VM after restart, the installation wizard should automatically start, click Run to continue the Omnissa Access Connector installation process.

  1. Select I accept the terms in the license agreement and then click Next.
  2. Click Next to accept the service selection and default install path.
  3. If you are prompted to update the Java Runtime Environment (JRE) version, click Yes.
  4. On the Specify Configuration File page, click Browse.
  5. Navigate to the Downloads folder and select the es-config.json configuration file.
  6. Click Open.
  7. Enter Pa$$w0rdPa$$w0rd as the configuration file password. Ensure that Enable FIPS is NOT selected.
  8. Click Next.
  9. On the Select Default or Custom Installation page, select Default and then click Next.
  10. On the Specify Service Account page, enter the service account information.
    • User name: omnissatraining.com\WS1Access
    • Password: 0Mnissa1!
  11. Click Next.
  12. Click Install.

The Omnissa Access connector installation begins. The installation takes up to 15 minutes to complete.

  1. On the Installation Wizard Completed page, click Finish.
  2. If you are prompted to restart the server, click Yes and wait for the WS1-Connector VM restart process to finish.

If you are disconnected from the WS1-Connector VM after accepting the server restart, you must reconnect to the WS1-Connector VM from the Remote Desktop Connection Manager application. The server restart might take up to 10 minutes to complete.

  1. In the Omnissa Access console, select Integrations > Connectors from the navigation.

You see a Omnissa Access connector entry with the ws1-connector.omnissalearninglabs.com host name. The following services should be running on the WS1-Connector VM:

  • Directory Sync
  • Kerberos Auth
  • User Auth
  • Virtual Apps Sync

If you do not see the Omnissa Access connector entry, try to refresh the webpage or click the refresh button on the Connectors page.

If your lab environment was suspended or restarted at any point during this lab, log in to the Omnissa Access environment and select Integrations > Connectors in the menu bar to check if all Omnissa Access connector services are running. If any service failed to start, connect to the WS1-Connector VM and restart the Omnissa Access connector services.

Task 5: Configure Directory Services in Omnissa Access

You use Omnissa Access to configure Directory Services.

  1. On the ControlCenter VM, log into the Omnissa Access administration console.
    • User name: admin
    • Password: Pa$$w0rd
  2. Click in the top right TA button and click Access Console.
  3. From the navigation bar, across the top, click the Settings tab and then from the left-hand side of the page, click User Attributes.
  4. Verify that the email check box is selected as a required attribute.

When an attribute is marked as required, Omnissa Access checks whether a user account from the Directory has a value for this attribute.

If the required value is present, Omnissa Access imports the user account. Otherwise, Access will not import the user account.

  1. Click Save.
  2. From the navigation bar, across the top, click the Integrations tab and then from the left-hand side of the page, Click Directories.
  3. Click Add Directory and select Active Directory. The Add Active Directory dialog box appears.
  4. Enter omnissatraining in the Directory Name text box.
  5. Click Next.
  6. Next to Directory Sync Hosts, verify that the WS1-connector.omnissalearninglabs.com (Active) check box is selected.
  7. Next to User Auth Hosts, verify that the WS1-connector.omnissalearninglabs.com (Active) check box is selected.
  8. From the User Name drop-down menu, verify that sAMAccountName is selected.
  9. Under Server Location, verify that the This Directory supports DNS Service Location check box is selected.
  10. Under Encryption, verify that the STARTTLS required for all connections check box is not selected.
  11. Under Bind User Details enter:
    • Base DN: dc=omnissatraining,dc=com
    • Bind User DN: cn=administrator,ou=corp,dc=omnissatraining,dc=com
    • Bind User Password: Pa$$w0rd
  12. Click Save.
  13. On the Select Domain(s) page, click omnissatraining.com check box is selected.
  14. Click Save.
  15. The Map User Attributes dialog box appears.
  16. From the email drop-down menu, verify that mail is selected.
  17. From the firstName drop-down menu, verify that givenName is selected.
  18. From the userName drop-down menu, verify that sAMAccountName is selected.
  19. Leave the default values for all other user attribute mappings.
  20. Click Save.
  21. Click +ADD in the Select the group you want to sync page.
  22. In the Name field type dc=omnissatraining,dc=com and click Add.
  23. Scroll down and click SAVE.
  24. In the the Select the Users you would like to sync page, edit the syntax so it reads: ou=corp,dc=omnissatraining,dc=com.
  25. Click Test.
  26. Click SAVE.

You control which users and groups to import into Omnissa Access by manually entering the appropriate DNs. You can also use the exclusion filters to exclude certain users and groups from being imported into Omnissa Access.

Keep the pre-added administrator account.

  1. In the Sync Frequency page click Every hour.
  2. Click Save & Sync to finish the directory synchronization.

You are returned to the Directories page in the Omnissa Access console.

  1. Refresh the browser page to reflect the directory synchronization result.
  2. From the Navigation bar, across the top, click the Accounts tab and make sure the Users section is selected. Then, verify that the new user accounts are imported from Active Directory. (This may take a few minutes.)

Task 6: Review the Authentication Methods in the Identity Provider Settings

You review the authentication methods enabled for the Techseals identity provider (IdP) in Omnissa Access.

  1. From the Omnissa Access console navigation bar, across the top, click the Integrations tab, and in the left pane, click Identity Providers.
  2. To edit the settings for the IdP, click IDP for Omnissatraining.com.
  3. You see the sections, General Information, Users, Connector Authentication Methods, Authentication Methods, Network, and KDC Certificate Export.  Password (cloud deployment) is selected. Leave all settings at their default values.
  4. Click Save.

Task 7: Configure Access Policy Settings

You locate, modify, and review the Omnissa Access policy settings.

  1. From the Omnissa Access console navigation bar, click the Resources tab, and in the left pane, click Policies.

The Policies page lists the default access policy set and any other policies that you create. Policies are sets of rules that list criteria that must be met before an authentication decision is made.

  1. Click Edit on the Default Policy.
  2. Click Next.
  3. The Configuration page appears.  To edit the access policy rule, click ALL RANGES next to the Workspace ONE App or Hub App device type policy rule.
    • The browser might obscure the values. You can point to a value to see the full text.
  4. Verify the configuration of the rule. The correct configuration should be, as follows:
    • If a user’s Network Range is: ALL RANGES
    • and the user accessing content from: Apps on Workspace ONE Intelligent Hub
    • Then perform this action: Authenticate using
    • then the user may authenticate using: Password (cloud deployment)
    • If the preceding method fails or is not applicable, then: Password (Local Directory)

Do not change this value on the Edit Policy Rule page.

  1. Leave the default values for the other settings and click Save.
  2. Repeat the same steps for the Web Browser policy rule to ensure that Password (cloud deployment) authentication is set as the primary authentication method.

For the and the user accessing content from: policy rule parameter, verify that Web Browser is selected before you click Save.

  1. On the Configuration page of the Edit Policy, click +Add Policy Rule.
  2. Configure a new policy rule as follows.
OptionAction
If a user’s Network Range is:Select ALL RANGES from the drop-down menu.
and the user accessing content from:Select macOS from the drop-down menu.
Then perform this action:Select Authenticate using from the drop- down menu.
Then the user may authenticate using:Select Password (cloud deployment) from the drop-down menu.
If the preceding method fails or is not applicable, then:Click on Add Fallback Method, and select Password (Local Directory) from the drop-down menu.
Reauthenticate after:Leave the default setting of 8 Hours.

Adding this access policy does not affect your deployment.

  1. Click Save.
  2. Drag the vertical 6-dot icons to reorder the policy rules.
  3. Drag the macOS rule to the bottom.
  4. Drag the Workspace ONE App or Hub App rule to the middle.
  5. Drag the Web Browser rule to the bottom.  Their order, from top to bottom, should be macOS, Workspace ONE App, then Web Browser.
  6. To view the Summary page, click Next.
  7. Click Save to commit your changes to default_access_policy_set.

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.