Since the start of the the year I’ve been mulling over what upgrades to my Home Lab are in order. I’m doing a lot more VMware Horizon learning/testing and I’m prepping to take VCP-DCV, so I needed some capacity to make some cool things happen.
I was planning on buying a new NUC to get some extra capacity, but I decided to invest in a RAM upgrade instead. Considerably less cost outlay, less extra initial power consumption and theres a good possibly this extra headroom will be enough.
I’m going to do another post on my home lab setup, but for today I went successfully from 32 to 64GB RAM in my NUC7I7DNHE primary node.
WWDC 2019 brought with it a whole host of new enterprise features for Apple’s OS’s, including macOS 10.15 Catalina. One of the most importnat in my opinion is called ‘Enrolment Customisation’. This is essentially a page during the DEP process where an MDM can present any web content. In our case, this was a perfect place to put a SAML authentication page.
Personally, this is something which I’ve seen holding up a more broad rollout of DEP across enterprise customers. Mainly for one, MFA is leveraged in many organisations today and the existing DEP authentication relied on an LDAP connection, meaning Username / Password only.
Also, any organisation who are leveraging Smart Cards or certificates for authentication require the use of a Single Factor Token which can be generated from the UEM Self Service Portal. The UX downside to this was the Token needed to be input in the username AND password box, a slightly confusing process for many colleagues.
So, now Apple has delivered us this feature and VMware has released the to code to on-premise and SaaS customers, let’s have a look at how to deploy it.
In our case here, we are performing Certificate auth with Access (Seamless SSO), and if we don’t have a cert yet (unenrolled), then we are sending our authentication to Okta.
As you can see, we can do more than just Okta with Access, we can hook into any SAML compliant Identity provider. We have other Access tenants, and AzureAD, we could also add Ping, JumpCloud and more into one tenant. This means IT has total flexibility over the ecosystem, and end users have a one stop catalog for ALL applications regardless of where they are federated.
The best way to validate your config is to authenticate to your SSP from a Mac. Head to https://yourds.awmdm.com/MyDevice/?gid=OGID
OPTIONAL: We can now pre-fill the Computer Account Full Name and Username based on account fields within UEM, based on lookups. You can also then prevent users from changing these details using ‘Allow Editing’.
Once this is complete, any new devices assigned to this DEP profile which are switched on after this change will be presented with the new experience.
See the following video for an example of the experience with Workspace ONE Access and with Okta Verify.
Today I was accepted into the VMware vExpert 2019 list! I’ve been included in this due to, in part, this blog and the blog.eucse.com site, along with talks I’ve run at conferences and events this year.
If you’ve upgraded to Workspace ONE UEM 18.10 and you have anybody enrolled with the AirWatch Agent, you wont fail to see the new Intelligent Hub app and Hub Services configuration.
Intelligent Hub is an overhaul of the AirWatch Agent to deliver a full Unified App Catalog features, allowing the Hub to be the one stop shop for users to access any app on any device. The app also allows Administrators to deliver notifications to end users.
If you are an end to end Workspace ONE user, integrating UEM (Unified Endpoint Management, powered by AirWatch) with VMware Identity Manager, you’ll probably want to deliver your SaaS Apps as well as Native applications.
I set up VCSA (vCenter Server Appliance) running on a vSAN datastore, then wanted to move things around. I disconnected my ESXI hosts and deleted the VCSA appliance. Proper SDDC experts are probably crying at that statement not, but you learn by doing! I then had the issue where I was unable to delete the vSAN datastore.
To resolve this, I had to run thr following:
First enable SSH on your ESXI host. SSH into it and run:
esxcli vsan cluster leave
Once this was done, I was still unable to re-claim the disks back into regular datastores. I couldn’t remove the partitions via ESXi Web Client either, so resorted back to Google.
Providing access to applications as easy as possible is one of the primary goals of Workspace ONE. While Workspace ONE can enable Single Sign On to Office 365, I see most setups just deploying the main portal to Office 365. One massive improvement we can make is to provide users with links directly to O365 services, such as OneDrive, Outlook and Excel Online by enabling one click links into these services.
Below is a step by step guide to get each service within Office 365 presented to end users via the Workspace ONE Catalog.