AirWatch is an Enterprise Mobility Management (EMM) solution with Unified Endpoint Management (UEM), Mobile Device Management (MDM), and Mobile Application Management (MAM) capabilities. Components of AirWatch have unique architectures, and each component is focused on solving a particular task.
Table of Contents
AirWatch integrates all personal and corporate-owned endpoint devices onto a single platform which can be secured, managed, and controlled remotely through a central admin console. The onboarding process is simple, user-friendly, automatic, and provides self-access. Once the devices are enrolled, the admin can deploy applications and security measures remotely. Features like Identity Management (IM), multi-step authentication, GPS-based tracking, analytics, and artificial intelligence further enhance enterprise security. Powerful collaboration tools like mail, calendar, and company social enable sharing and connectivity among employees. Single Sign-On (SSO) features help users easily log in to access app catalogue and company databases without remembering multiple passwords and connecting to VPN. AirWatch has a client-server and user server. Client-server is installed at the console and sends commands Over the Air (OTA). These commands are received and executed by user sever on endpoint devices.
Components of AirWatch
AirWatch can be deployed on-premise or cloud-based as a Software as a Service (SaaS). The cloud-based model is preferred over the in-premise model as it is inexpensive, faster, and does not require a larger server. The architectures may slightly vary, but the functions of components are the same. The different components of AirWatch are:
AirWatch Device Service Server
Device servers are at present at end-user devices and provide functions of device enrollment, receiving deployed applications, communicating sending data and receiving commands from client-server, and receiving deployed applications and device controls from the central console. The endpoint devices are usually mobile and at different locations at different times. Therefore the server should be on the internet. This is true for SaaS deployment. For on-premise deployment server is located within a DMZ secured with a public certificate with SSL punched through to the internet. The Device server communicates analytics data to a self-service portal called the UEM console, which the admin can access through a web browser.
AirWatch admin Console Server
AirWatch, the admin console server, is a client-server installed at the admin’s end. Admin console provides a centralized remote management system with all endpoint devices enrolled onto a single platform to deploy applications and security policies, manage and control devices and enterprise apps, and get user activity and behavior analytics. The admin console is a self-service portal accessed through a web app (IIS Site) for administrative control of the environment. The Console server communicates and sends commands Over the Air (OTA) to the device server. The console server is typically placed in an internal LAN but can be integrated with Device Service Server. The Admin console also manages integrations with Email infra, Content Repositories, Directory services, SQL server, Certificates, and PKI.
A database is required on AirWatch to store configuration and device information of all enrolled devices as is required with any other enterprise product. The data is stored in the Microsoft SQL Server database for on-premise deployment, which is separate from the AirWatch application database. Any existing SQL database can be used but needs to be full SQL and not express and should be separated in larger deployment plans to aid availability plans. The data flowing in and flowing out should be properly calculated to determine the size of the database.
In SaaS deployment, the databases are hosted and managed by AirWatch, but the devices must be configured on-premise or cloud-based.
AirWatch Cloud Connector (ACC)
AirWatch Cloud Connector (ACC) is used to integrate AirWatch Device Service Server, Admin console server, and database to enterprise backend systems. It can be used in both on-premise and SaaS based deployments. ACC is placed on the internal LAN with direct outbound connections only, so communication can be established with the AirWatch SaaS server, which can be done directly (preferred method) or through an internal proxy. For connecting components via a proxy, at the time of writing (v184.108.40.206), proxy PAC files are not supported in the ACC but are supported for the MAG. An inbound port is not needed to be opened for Mobile Device Management (MDM) capabilities securing all internal systems. ACC is an optional component as AirWatch Device Service Server directly connects to backend systems. In SaaS deployment, AD is locally hosted, and for features like auto-detection and enrollment of devices through mail IDs, ACC is needed. Cloud connector integrates with the following:
- Lotus Domino Web Services
- Simple Certificate Enrollment Protocol(SCEP PKI): Additional licenses required
- Email management exchange 2010
- Email Relay(SMTP)
- Directory services(LDAP/AD)
- Third-party certificate services
- Microsoft Certificate Services (PKI): Additional licenses required
AirWatch tunnel allows the creation of VPN connections to access corporate applications, databases, and intranets from mobile devices connecting from outside the corporate network. Backend systems are secured by Identity Management, end-to-end encryption, and multi-step authentication, allowing only authorized users. A secure browser called the AirWatch browser is installed on user devices to access company web and applications.
In earlier times, Linux was used as Content Gateway. Linux-based installation with a specialization in CentOS or Red Hat Enterprise is required. With Linux implementation, Content Locker Client App, Wrapped applications, and Per-App VPN capabilities were not provided to externally published content.
Now AirWatch offers both Windows and Linux to publish content using the Content Locker Client App externally, Wrapped applications, and Per-App VPN. The per-App VPN tunneling pushes down a VPN profile onto a device which establishes the corporate connection to the enterprise server whenever the app is launched. AirWatch tunnel can also be implemented as a Relay configuration like a Content gateway.
AirWatch Content Gateway
AirWatch Content Gateway was earlier known as Mobile Access Gateway Relay which is the same option as an installer but can be chosen as a relay. A secure platform is created for all content repositories such as documents, attachments, and other internal files. The admin defines access as whether a user can view, edit or delete files. All changes are reflected in real-time on the admin console. Employees can access company internal files with Single Sign-On without connecting to VPN or remembering multiple passwords. Content gateway points at AirWatch Cloud Messaging Service and is place on a local DMZ server. The internal ‘MAG Endpoint’ server can be left fully open to chatting to all internal resources whilst the communication remains secure with the relay handling connectivity between the devices, AWCM and simplifies the internal MAG and ongoing management in a DMZ scenario. AirWatch Management Console needs to be only notified it is using a relay model rather than a basic endpoint.
AirWatch Secure Email Gateway (SEG)
Mail communication forms the backbone of enterprise communications. It is also one of the most important assets of a company containing sensitive information. Email gateway provides email management in endpoint devices by building a proxy network between devices and corporate mail servers. AirWatch Email gateway is not necessary for enterprise mail framework. Still, it provides added levels of security with access control limiting user’s access to corporate mail servers as per company security policy. Users may be allowed to view only options for mail and attachments. They cannot download or forward attachments to a third-party server.URL links that may contain malicious scripts are restricted from opening. Email Notification Services (ENS) are a part of Email Gateway which promptly pushes notifications to endpoint devices. On iOS devices, mail notifications are either prompted by Apple Background app refresh or Apple Push Notifications(APN). iOS reduces Apple background app refresh, which optimises device performance by allocating resources to other applications. This provides haphazard notifications at irregular intervals. ENS connects with APNs to push notifications from remote servers, promptly showing notifications keeping employees updated at all times. ENS version 2 works in android devices to promptly push down notifications. For admin, greater control and monitoring of mail is enabled on all enrolled devices. SEG sits between Exchange ActiveSync server(s) and globally enables Active Sync on Exchange. The Active Sync can be switched off (since Exchange 2010 SP2) as per device quarantine guidelines and is not very easy to control. SEG proxies Active Sync communications and allows/blocks as per company security policy.