macOS Custom Enrolment with Workspace ONE, Okta and more

Post first appeared on the EUCSE.com blog at https://blog.eucse.com/macos-custom-enrolment-workspace-one-okta/

WWDC 2019 brought with it a whole host of new enterprise features for Apple’s OS’s, including macOS 10.15 Catalina. One of the most importnat in my opinion is called ‘Enrolment Customisation’. This is essentially a page during the DEP process where an MDM can present any web content. In our case, this was a perfect place to put a SAML authentication page.

We released our support for this feature in Workspace ONE UEM 1909 (our Sept 2019 release). All Workspace ONE UEM release notes can be found here. 

Personally, this is something which I’ve seen holding up a more broad rollout of DEP across enterprise customers. Mainly for one, MFA is leveraged in many organisations today and the existing DEP authentication relied on an LDAP connection, meaning Username / Password only.

Also, any organisation who are leveraging Smart Cards or certificates for authentication require the use of a Single Factor Token which can be generated from the UEM Self Service Portal. The UX downside to this was the Token needed to be input in the username AND password box, a slightly confusing process for many colleagues.

So, now Apple has delivered us this feature and VMware has released the to code to on-premise and SaaS customers, let’s have a look at how to deploy it.

1) SAML AuthN via UEM

The first step is to configure SAML authentication within Settings / Enterprise Integration / Directory Services. You can choose how users can be authenticated, whether this is for Admins, Enrolment or the SSP or all at once.

In this example, we have integrated our UEM with Workspace ONE Access as the identity broker for our device enrolments.

Next step, we go into Access and configure the ‘default_access_policy’ for macOS. I wont go into detail in this blog, but you can follow:

In our case here, we are performing Certificate auth with Access (Seamless SSO), and if we don’t have a cert yet (unenrolled), then we are sending our authentication to Okta.

As you can see, we can do more than just Okta with Access, we can hook into any SAML compliant Identity provider. We have other Access tenants, and AzureAD, we could also add Ping, JumpCloud and more into one tenant. This means IT has total flexibility over the ecosystem, and end users have a one stop catalog for ALL applications regardless of where they are federated.

The best way to validate your config is to authenticate to your SSP from a Mac. Head to https://yourds.awmdm.com/MyDevice/?gid=OGID

2) Configure DEP Profile in UEM

Once we have our UEM SAML authentication working, we can configure our DEP profile. Head to Settings / Devices & Users / Apple / Device Enrolment Program. If you dont have DEP setup yet, follow the steps to get started. If you have an existing DEP profile, there are only 2 amends to make for 10.15.

Switch this on. Done

OPTIONAL: We can now pre-fill the Computer Account Full Name and Username based on account fields within UEM, based on lookups. You can also then prevent users from changing these details using ‘Allow Editing’.

Once this is complete, any new devices assigned to this DEP profile which are switched on after this change will be presented with the new experience.

See the following video for an example of the experience with Workspace ONE Access and with Okta Verify.

VMware vExpert 2019!

Today I was accepted into the VMware vExpert 2019 list! I’ve been included in this due to, in part, this blog and the blog.eucse.com site, along with talks I’ve run at conferences and events this year.

The full list and more details are here. I expect to be ramping up my blogging efforts in the back half of 2019 following up to VMworld Europe. https://blogs.vmware.com/vexpert/2019/07/26/vexpert-2019-second-half-award-announcement/

Web SSO for Chrome with Workspace ONE

Web SSO Workspace ONE

So, you’ve enabled Workspace ONE for your organisation, you’re on your way to End User Nirvana. Theres just one thing in your way, the Username and Password field! 

Workspace ONE is great at becoming a one stop shop for all Web, Native and Virtual Applications, leaving your users with just one password to remember. But… what if that could be a thing of the past! 

On a Workspace ONE Managed Device (macOS or Windows 10), your users can simply open their Browser of Choice (except Firefox, we’ll cover that later), et voilà . Logged in without a second thought.  

Enable Workspace ONE Intelligent Hub for SaaS and Native Apps

If you’ve upgraded to Workspace ONE UEM 18.10 and you have anybody enrolled with the AirWatch Agent, you wont fail to see the new Intelligent Hub app and Hub Services configuration.

Intelligent Hub is an overhaul of the AirWatch Agent to deliver a full Unified App Catalog features, allowing the Hub to be the one stop shop for users to access any app on any device. The app also allows Administrators to deliver notifications to end users.

If you are an end to end Workspace ONE user, integrating UEM (Unified Endpoint Management, powered by AirWatch) with VMware Identity Manager, you’ll probably want to deliver your SaaS Apps as well as Native applications.

Continue reading “Enable Workspace ONE Intelligent Hub for SaaS and Native Apps”

Deleting a vSAN Partition

I set up VCSA (vCenter Server Appliance) running on a vSAN datastore, then wanted to move things around. I disconnected my ESXI hosts and deleted the VCSA appliance. Proper SDDC experts are probably crying at that statement not, but you learn by doing! I then had the issue where I was unable to delete the vSAN datastore.
To resolve this, I had to run thr following:
First enable SSH on your ESXI host. SSH into it and run:
esxcli vsan cluster leave
Once this was done, I was still unable to re-claim the disks back into regular datastores. I couldn’t remove the partitions via ESXi Web Client either, so resorted back to Google.
Run this:
esxcli vsan storage list
Run the command and get the VSAN UUID from one of them. If theres multiple, it doesnt matter!
esxcli vsan storage remove -u uuid
Once this has been run, you’re all good!
Disclaimer: this is a Lab… anything in production please contact VMware Support!

Easy access to Office 365 Apps from Workspace ONE

Providing access to applications as easy as possible is one of the primary goals of Workspace ONE. While Workspace ONE can enable Single Sign On to Office 365, I see most setups just deploying the main portal to Office 365.  One massive improvement we can make is to provide users with links directly to O365 services, such as OneDrive, Outlook and Excel Online by enabling one click links into these services.

Below is a step by step guide to get each service within Office 365 presented to end users via the Workspace ONE Catalog.

Continue reading “Easy access to Office 365 Apps from Workspace ONE”