Workspace ONE Access Console

The Workspace ONE Access console is the centralized management console in which an administrator sets up and manages authentication and access policies, manages users and groups, adds resources to the catalog, and manages entitlements to those resources.

The key administrator tasks in the Workspace ONE Access console are entitling users to resources and managing user authentication and access policies. Entitlements give the admin fine-grained control over which users or groups can reach which resources under which conditions.

When Workspace ONE Access is integrated with Workspace ONE Hub Services, end users reach their work resources from the Intelligent Hub portal in a browser or from the Workspace ONE Intelligent Hub app on their devices. The admin opens the Hub Services console from the Workspace ONE Access console to configure how employees use Workspace ONE Intelligent Hub to receive notifications, access apps and search for people.

Navigating in the Workspace ONE Access Console

  • Tasks in the Workspace ONE Access console are organized into tabs.
  • An administrator can open the console from the user portal page: click the profile name on the right and select Administration Console from the drop-down menu.
  • To open the console directly, enter the Workspace ONE Access URL with the admin path, for example https://<exampleFQDN.com>/SAAS/admin. On the sign-in page, select the domain if prompted and sign in with an Active Directory user name and password, or select System Domain and sign in as the Workspace ONE Access local administrator. The tabs are described below.

Tab Options

Dashboard: The User Engagement dashboard monitors user activity and resource use. It shows who signs in, which applications are used, and how often they are used.

For on-premises deployments, the System Diagnostics dashboard gives a detailed overview of the health of the service and of the individual services in the environment. From there the admin can also manage the appliance configuration, including changing the services admin and system passwords and configuring the SSL certificates for the appliance. Reports can be created to track resource and device use, user and group activity, and audit events per user.

Users and Groups: Users and groups are managed and monitored in the Users and Groups tab. Users and groups imported from Active Directory or an LDAP directory are entitled to resources here, and local users and groups are created here. The password restriction policy for local users is controlled on the Users and Groups Settings page.

Catalog: The catalog is the repository of all the resources the admin can entitle users to. In the Catalog tab the admin adds web applications and manages existing resources. Horizon, Horizon Cloud, Citrix and ThinApp application and desktop integrations are managed on the Virtual Apps Collection page.

The admin can view information about each resource and group applications into categories.

On the Catalog Settings page the admin manages resource settings and downloads SAML certificate configurations.

The Hub Services console is opened from the Catalog tab: go to the Hub Configuration page and click the link to the Hub Services console. From the Hub Services console the admin designs and configures how users use Workspace ONE Intelligent Hub to access the catalog, search for people they work with, receive notifications and use support services.

Identity and Access Management: In the Identity and Access Management tab the admin sets up and manages the directory service, access policies, authentication methods and preferences, and defines the Workspace ONE UEM and Okta settings that integrate those products with Workspace ONE Access.

Roles: Administrator roles are managed in the Roles tab. Users can be assigned to the three predefined administrator roles, and custom administrator roles can be created that grant limited permissions to specific services.

Appliance Settings: The Appliance Settings tab is shown only for on-premises deployments. The admin configures SMTP settings and manages the license settings there.

Supported Web Browsers for the Workspace ONE Access Console

The Workspace ONE Access console is a web-based application used to manage the Workspace ONE Access service. The admin can access it from the latest versions of Mozilla Firefox, Google Chrome, Safari and Microsoft Edge.

Workspace ONE Intelligent Hub for End Users

End users access their entitled resources on their devices from the Workspace ONE Intelligent Hub app or from the Intelligent Hub portal in a web browser. The Intelligent Hub portal is the default interface when users access their entitled resources with a browser.

When Workspace ONE Access is integrated with Workspace ONE UEM, end users see every application they are entitled to. Native applications, whether publicly available in app stores or developed internally, can be made available to end users from the Hub portal.

Directory Integration with VMware Workspace ONE Access

The admin integrates the enterprise directory with VMware Workspace ONE Access to sync users and groups to the Workspace ONE Access service. Workspace ONE Access supports integration with Active Directory and with LDAP directories such as OpenLDAP.

When a directory is integrated, only a finite set of user and group attributes, specified by the administrator, is synced to the Workspace ONE Access service. User passwords are never synced, and no attributes other than those the administrator designated are synced.

Directory integration requires the Directory Sync service, which is available as part of the Workspace ONE Access connector beginning with version 20.01. Install it before following this document.

System Directory

The System Directory is a local directory that is created automatically when the service is first set up. It has a single domain, called System Domain. The admin cannot add domains to the System Directory, change the directory or domain name, or delete the System Domain or the System Directory.

For Workspace ONE Access cloud deployments, a local administrator user is created in the System Domain of the System Directory when the tenant is first configured. The credentials the admin receives for a new tenant belong to this local administrator user.

When the admin first sets up the Workspace ONE Access appliance, the local administrator user that is created is likewise placed in the System Domain of the System Directory.

The System Directory is typically used only for a few local administrator users who manage the service. To entitle end users to applications, and to add end users and additional administrators, create a new local directory instead.

Local Directories

Besides the System Directory, the admin can create other local directories. Each local directory has one or more domains. When creating local users, the admin specifies the directory and the domain for each user.

The admin selects the user attributes that are required for local users. The attributes userName, firstName, lastName and email are specified at the global level of the Workspace ONE Access service and are always required; global user attributes apply to all directories in the service. At the local directory level the admin can mark additional attributes as required, so each local directory can have its own custom set of attributes.

Local directories with customized attribute mappings are useful in scenarios such as the following.

  • A local directory for a specific type of user who is not part of the enterprise. For example, create a local directory for partners to give partners access to only the specific applications they need.
  • Separate local directories for sets of users that need different authentication methods or user attributes. For example, create one local directory for distributors with attributes such as region and market size, and another for suppliers with attributes such as product category and supplier type.

Identity Provider for System Directory and Local Directories

By default, the System Directory is associated with an identity provider named System Identity Provider. The Password (Local Directory) authentication method is enabled on this identity provider, and the default_access_policy_set policy contains a rule for the ALL RANGES network range and the Web Browser device type that uses this password authentication. The admin can add other authentication methods to the policy rules.

A newly created local directory is not associated with any identity provider. After creating it, create a new built-in identity provider of type Embedded, enable the Password (Local Directory) authentication method on it, and associate the local directory with that identity provider. Multiple local directories can be associated with the same identity provider.

The Workspace ONE Access connector is not required for the System Directory or for the local directories the admin creates.

Password Management for Local Directory Users

By default, all users in local directories can change their own passwords from the Intelligent Hub app or from the user portal. The admin can define a password policy for local users and can reset local user passwords when needed.

To change a password from the user portal, a signed-in user clicks their name in the top-right corner, selects Account from the drop-down menu and clicks the Change Password link. In the Intelligent Hub app, the user opens their profile and selects Change password.

Configuring the Active Directory Connection to the Workspace ONE Access Service

To connect Active Directory to the Workspace ONE Access service, the admin enters the connection information in the Workspace ONE Access console and chooses the users and groups to sync to the Workspace ONE Access directory. The two connection options are Active Directory over LDAP and Active Directory over Integrated Windows Authentication. The Active Directory over LDAP connection supports DNS Service Location lookup.

Prerequisites

  • The Directory Sync service is installed. It is available as part of the Workspace ONE Access connector beginning with version 20.01.0.0.
    Also install the User Auth service component if the admin wants to use the User Auth service to authenticate users of the directory.
  • If necessary, select which user attributes are required and add additional attributes in the Workspace ONE Access console: under Identity & Access Management, go to Setup and open the User Attributes page. Keep the following in mind:

If an attribute that the admin wants to sync is marked required, every user must have a value for it. Users that do not have a value are not synced.

Attribute settings apply to all directories.

After one or more directories are configured, attributes can no longer be marked required in the Workspace ONE Access service.

  • Make a list of the Active Directory users and groups to sync. Group names are synced to the directory immediately, but the members of a group are not synced until the group is added to a policy rule or entitled to a resource. During the initial configuration, therefore, add the users who need to authenticate before group entitlements are configured.
    Note: Workspace ONE Access connector versions 19.03 and older do not support the / and $ characters in a group's name or distinguishedName attribute. This applies both to the group DNs the admin adds directly and, when nested group memberships are enabled, to groups that are not directly included under a group DN but are synced because they are part of a parent group.
    If the enterprise uses connector version 19.03 or older, do not use the / or $ character in the name or distinguishedName attribute of any group the admin plans to sync to Workspace ONE Access (VMware Identity Manager).
  • If the admin creates a directory of type Active Directory over LDAP with the Global Catalog option, ensure that no other directory in the Workspace ONE Access tenant syncs users from the same domains as the Global Catalog directory. The conflict causes sync failures.
  • For Active Directory over LDAP, the admin needs the Base DN and the Bind user DN and password. For Active Directory over Integrated Windows Authentication, the admin needs the user name and password of a Bind user who has permission to query users and groups in the required domains. In both cases the Bind user must have the following permissions in Active Directory to access user and group objects:
    • Read
    • Read Permissions
    • Read All Properties
      Note: Use a Bind user account with a non-expiring password. Grant the account only these read permissions, unless the multi-forest Domain Local group case described below applies.
  • If Active Directory requires access over SSL/TLS, the admin needs the Root CA and, if used, Intermediate CA certificates of the domain controllers for all relevant Active Directory domains. If the domain controllers have certificates from a Root CA and multiple Intermediate CAs, every Intermediate and Root CA certificate is needed.
    Note: Directories of type Active Directory over Integrated Windows Authentication use SASL Kerberos binding for encryption automatically, so no certificate is required.
  • If the admin configures a multi-forest Active Directory over Integrated Windows Authentication and a Domain Local group contains members from domains in different forests, the Bind user must be a member of the Administrators group of the domain in which the Domain Local group resides. Otherwise, those members are missing from the Domain Local group.
  • For Active Directory over Integrated Windows Authentication:

nslookup of the IP address and host name must work for all domain controllers listed in SRV records, including hidden RODCs.

All domain controllers must be reachable over the network.
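The Base DN prerequisite has a failure mode that the console does not flag: group or user DNs placed outside the Base DN still sync their users, but those users cannot sign in because only users under the Base DN can authenticate. The following pre-flight check is an added example written for this page, not VMware code; it parses DNs component-wise (so OU=myUnit2 is not mistaken for a child of OU=myUnit) and lists every sync DN that falls outside a Base DN. All DNs in it are constructed sample values.

```python
"""Pre-flight check that the DNs chosen for sync lie under the Base DN.

Added example, not VMware code. Workspace ONE Access authenticates only
users under the Base DN but still syncs users from group and user DNs
outside it, so a misplaced DN produces users who exist in the directory
yet cannot sign in. All DNs below are constructed sample values.
"""
import re

# Split a DN into RDNs on commas that are not escaped with a backslash
# (RFC 4514 syntax), so "CN=Doe\, John" stays a single RDN.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return the DN as a list of (type, value) pairs, most specific first.

    Types and values are lower-cased and stripped because Active Directory
    matches DNs case-insensitively and ignores whitespace around separators.
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, base_dn):
    """True if dn equals base_dn or is located beneath it in the tree."""
    dn_parts, base_parts = parse_dn(dn), parse_dn(base_dn)
    if len(base_parts) > len(dn_parts):
        return False
    # Compare whole RDNs, not string suffixes: OU=myUnit2,DC=... must not
    # count as being under OU=myUnit,DC=...
    return dn_parts[len(dn_parts) - len(base_parts):] == base_parts


def check_sync_dns(base_dn, group_dns, user_dns):
    """Return [(kind, dn)] for every sync DN that is outside the Base DN.

    Those DNs would sync users who cannot authenticate. An empty list means
    the selection is consistent with the Base DN.
    """
    problems = []
    for kind, dns in (("group", group_dns), ("user", user_dns)):
        for dn in dns:
            if not is_under(dn, base_dn):
                problems.append((kind, dn))
    return problems


# Constructed sample configuration (hypothetical values).
BASE_DN = "OU=myUnit,DC=myCorp,DC=com"
GROUP_DNS = [
    "CN=Users,OU=myUnit,DC=myCorp,DC=com",
    "cn=Sales Team,ou=Groups,ou=myUnit,dc=mycorp,dc=com",
    "OU=Partners, DC=myCorp, DC=com",          # sibling of the Base DN
]
USER_DNS = [
    "OU=Staff,OU=myUnit,DC=myCorp,DC=com",
    "OU=Contractors,DC=otherCorp,DC=com",      # a different tree entirely
]

if __name__ == "__main__":
    for kind, dn in check_sync_dns(BASE_DN, GROUP_DNS, USER_DNS):
        print(f"{kind} DN outside Base DN (users sync but cannot sign in): {dn}")
```

Run it against the real Base DN and the DN list prepared for the directory before clicking Save & Next; any line it prints is a DN that should either move under the Base DN or be dropped from the sync.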

Procedure

  1. In the Workspace ONE Access console, go to Identity & Access Management, select Manage and click Directories.
  2. Click Add Directory and select Active Directory.
  3. Enter a name for the Workspace ONE Access directory and select the type of Active Directory being integrated: Active Directory over LDAP or Active Directory over Integrated Windows Authentication.
  4. If the admin is integrating Active Directory over LDAP, follow the sub-steps in this item; otherwise, proceed to step 5. Start with the Directory Sync and Authentication section.
    1. Directory Sync Hosts: Select one or more Directory Sync service instances to use to sync this directory. All Directory Sync service instances registered with the tenant are listed, but only instances in the Active state can be selected.
    If multiple instances are selected, Workspace ONE Access uses the first selected instance to sync the directory, uses the next selected instance if the first is unavailable, and so on. After the directory is created, the admin can reorder the list from the directory's Sync Settings page.
    2. Authentication: Select Yes to authenticate users of this directory with the User Auth service, which must already be installed. If Yes is selected, an identity provider named IDP for directoryName, of type Embedded and with the Password (cloud deployment) authentication method, is created automatically for the directory.
    Select No if the admin does not want to authenticate users of this directory with the User Auth service. If the admin decides to use the User Auth service later, the identity provider and the Password (cloud deployment) authentication method for the directory must be created manually: under Identity & Access Management, open the Identity Providers page, click Add Identity Provider and select Create Built-in IDP. Do not reuse the pre-created identity provider named Built-in for this purpose.
    3. User Auth Hosts: This option appears when Authentication is set to Yes. Select one or more User Auth service instances to authenticate users of this directory. All User Auth service instances that are registered with the tenant and in the Active state are listed. If multiple instances are selected, Workspace ONE Access sends authentication requests to them in round-robin order.
    4. User name: Select the account attribute that contains the user name.
    5. External ID: Select the attribute to use as the unique identifier for users in the Workspace ONE Access directory. The default is objectGUID.

The admin can set External ID to any of the following attributes:

  • Any string attribute, such as distinguishedName or sAMAccountName
  • One of the binary attributes objectGUID, objectSid or mS-DS-ConsistencyGuid

Keep the following considerations in mind when setting the External ID:

  • The External ID setting applies only to users in Workspace ONE Access. For groups, External ID is always objectGUID and cannot be changed.
  • Every user must have a unique, non-empty value for the attribute, and the value must be unique across the whole Workspace ONE Access tenant. If any user lacks a value for the attribute, the directory is not synced.
  • If Workspace ONE Access is integrated with Workspace ONE UEM, set External ID to the same attribute in both products.
  • The External ID can be changed after the directory is created, but the best practice is to set it before syncing users to Workspace ONE Access. Changing the External ID recreates all users, so every user is signed out and must sign in again. User entitlements for web apps and ThinApps must be reconfigured, and entitlements for Horizon, Horizon Cloud and Citrix are deleted and then recreated at the next entitlements sync.

The External ID option is available with Workspace ONE Access connector versions 19.03.0.1 and 20.10. All connectors associated with the Workspace ONE Access service must be on the same version, either all 20.10 or all 19.03.0.1; if connectors of different versions are associated with the service, the External ID option is not shown.
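Because a single user without a value blocks the whole directory sync and a duplicate value anywhere in the tenant breaks uniqueness, it pays to evaluate the candidate attribute against every user before the first sync. The script below is an added example written for this page, not VMware code. It decodes the binary candidates (objectGUID, mS-DS-ConsistencyGuid and objectSid) to the string forms in which they are normally compared, and reports empty and duplicate values. The user records, GUIDs and SIDs are constructed: two domains of one tenant whose users share a sAMAccountName, and one user whose mS-DS-ConsistencyGuid was never written.

```python
"""Evaluate a candidate External ID attribute before the first sync.

Added example, not VMware code. Workspace ONE Access refuses to sync a
directory if any user lacks a value for the External ID attribute, and the
value must be unique across the whole tenant. This script decodes the
binary candidates (objectGUID, mS-DS-ConsistencyGuid, objectSid) to their
string forms and reports empty and duplicate values. The user records are
constructed: two domains of one tenant with a sAMAccountName collision and
one user that never received an mS-DS-ConsistencyGuid.
"""
import struct
import uuid


def guid_to_str(raw):
    """Render an objectGUID / mS-DS-ConsistencyGuid value.

    AD stores these 16 bytes in Windows mixed-endian order, which is what
    uuid's bytes_le constructor expects.
    """
    return str(uuid.UUID(bytes_le=raw))


def sid_to_str(raw):
    """Render an objectSid value as S-R-A-S1-S2-...

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count little-endian uint32s.
    """
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def sid_bytes(authority, *subs):
    """Encode an SID; used only to build the constructed sample data."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def external_id_value(user, attr):
    """Return the comparable string value of attr for user, or None if unset."""
    value = user.get(attr)
    if value in (None, b"", ""):
        return None
    if attr in ("objectGUID", "mS-DS-ConsistencyGuid"):
        return guid_to_str(value)
    if attr == "objectSid":
        return sid_to_str(value)
    return value  # plain string attribute such as sAMAccountName


def evaluate_external_id(users, attr):
    """Return (missing, duplicates) for attr across all users of the tenant.

    missing: DNs of users with no value (the sync would be refused).
    duplicates: {value: [DNs]} for values shared by more than one user.
    Both empty means attr is an acceptable External ID for these users.
    """
    seen, missing = {}, []
    for user in users:
        value = external_id_value(user, attr)
        if value is None:
            missing.append(user["dn"])
        else:
            seen.setdefault(value, []).append(user["dn"])
    duplicates = {v: dns for v, dns in seen.items() if len(dns) > 1}
    return missing, duplicates


# Constructed sample users (hypothetical GUIDs, SIDs and names).
GUID_A = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")
GUID_B = uuid.UUID("2f1c7d3e-5b4a-4c2d-9e8f-0a1b2c3d4e5f")
GUID_C = uuid.UUID("9d8c7b6a-5f4e-4d3c-8b2a-1f0e9d8c7b6a")
USERS = [
    {"dn": "CN=jdoe,OU=Staff,DC=corp,DC=example", "sAMAccountName": "jdoe",
     "objectGUID": GUID_A.bytes_le, "mS-DS-ConsistencyGuid": GUID_A.bytes_le,
     "objectSid": sid_bytes(5, 21, 1004336348, 1177238915, 682003330, 1105)},
    {"dn": "CN=jdoe,OU=Staff,DC=partner,DC=example", "sAMAccountName": "jdoe",
     "objectGUID": GUID_B.bytes_le, "mS-DS-ConsistencyGuid": GUID_B.bytes_le,
     "objectSid": sid_bytes(5, 21, 3623811015, 3361044348, 30300820, 1105)},
    {"dn": "CN=asmith,OU=Staff,DC=corp,DC=example", "sAMAccountName": "asmith",
     "objectGUID": GUID_C.bytes_le,   # mS-DS-ConsistencyGuid never written
     "objectSid": sid_bytes(5, 21, 1004336348, 1177238915, 682003330, 1106)},
]

if __name__ == "__main__":
    for attr in ("sAMAccountName", "mS-DS-ConsistencyGuid", "objectSid", "objectGUID"):
        missing, duplicates = evaluate_external_id(USERS, attr)
        status = "OK" if not (missing or duplicates) else "NOT USABLE"
        print(f"{attr:22} {status} missing={missing} duplicates={duplicates}")
```

On this sample, sAMAccountName fails on the cross-domain collision and mS-DS-ConsistencyGuid fails on the unset user, while objectGUID and objectSid pass; this is why objectGUID is the safe default and why a string attribute should only be chosen when it is known to be unique tenant-wide, not just per domain.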

    6. To use DNS Service Location lookup for Active Directory, make the following selections.
      1. In the Server Location section, select the This Directory supports DNS Service Location check box. Workspace ONE Access then finds and uses the optimal domain controllers. If the admin does not want optimized domain controller selection, skip this sub-step and follow sub-step 7 instead.
      2. If the enterprise Active Directory requires access over SSL/TLS, select the STARTTLS required for all connections check box in the Encryption section.
        Note: When This Directory supports DNS Service Location is selected, STARTTLS on port 389 is used for encryption. When it is deselected, LDAPS on port 636 is used.
      3. Copy and paste the Root CA certificate and, if used, the Intermediate CA certificate of the domain controllers into the SSL Certificate(s) text box, the Intermediate CA certificate first and the Root CA certificate after it. Each certificate must be in PEM format and include the BEGIN CERTIFICATE and END CERTIFICATE lines.
      4. If the domain controllers have certificates from a Root CA and multiple Intermediate CAs, provide all the Intermediate and Root CA certificate chains.
        Note: If Active Directory requires access over SSL/TLS and the required certificates are not provided, the directory cannot be created.
    7. If the admin does not want to use DNS Service Location lookup for Active Directory, make the following selections.
      1. In the Server Location section, verify that the This Directory supports DNS Service Location check box is not selected, and enter the Active Directory server host name and port number.
      2. If Active Directory requires access over SSL/TLS, select the LDAPS required for all connections check box in the Encryption section, and paste the Root CA certificate and, if used, the Intermediate CA certificate of the domain controller into the SSL Certificate(s) text box, the Intermediate CA certificate first and the Root CA certificate after it. Each certificate must be in PEM format with the BEGIN CERTIFICATE and END CERTIFICATE lines. If the required certificates are not provided, the directory cannot be created.
        Note: LDAPS on port 636 is used when This Directory supports DNS Service Location is deselected; STARTTLS on port 389 is used when it is selected.
    8. Provide the following information in the Bind User Details section:
      1. Base DN: Enter the DN from which to start account searches, for example OU=myUnit,DC=myCorp,DC=com.
        Note: The Base DN is also used for authentication: only users under the Base DN can authenticate. Make sure that the user DNs and group DNs specified later for sync fall under this Base DN.
      2. Bind user DN: Enter the account that can search for users, for example CN=binduser,OU=myUnit,DC=myCorp,DC=com.
        Note: Use a Bind user account with a non-expiring password.
      3. Bind user password: Enter the Bind user's password.
  5. If the admin is integrating Active Directory over Integrated Windows Authentication, follow these steps.
    1. In the Directory Sync and Authentication section, make the same selections as described for Active Directory over LDAP in step 4: Directory Sync Hosts, Authentication, User Auth Hosts, User name and External ID. The behaviour is identical: the first selected Directory Sync instance is used and the next selected instance is tried if it is unavailable; selecting Yes for Authentication creates the IDP for directoryName identity provider of type Embedded with the Password (cloud deployment) method, while No leaves the identity provider to be created manually later via Add Identity Provider and Create Built-in IDP (not the pre-created Built-in identity provider); authentication requests are sent to multiple User Auth instances in round-robin order; and the External ID considerations and connector version requirements listed above apply unchanged.
    2. No action is required in the Encryption section. Directories of type Active Directory over Integrated Windows Authentication use SASL Kerberos binding automatically and do not require LDAPS or STARTTLS.
    3. In the Bind User Details section, enter the user name and password of the Bind user, who must have permission to query users and groups in the required domains. Enter the user name as sAMAccountName@domain, where domain is the fully qualified domain name, for example jdoe@example.com.
      Note: Use a Bind user account with a non-expiring password.
  6. Click Save & Next.
    4. In the Select the Domains page, select domains if applicable, then click Next.
      1. The domains are already selected and listed for a directory of type Active Directory over LDAP.
      2. With this Active Directory connection for a directory of type Active Directory select the domains that should be associated over Integrated Windows Authentication. With a two-way trust relationship, all the domains with the base domain are listed.
  15. Afterwards, the Workspace ONE Access directory is created. If domains with a two-way trust relationship with the base domain are included with Active Directory, the admin can add them by navigating to the directory’s Sync Settings, clicking on the Domains page, selecting the refresh icon to get the latest list.
  16. With the Global Catalog option selected, If the admin creates an Active Directory over the LDAP directory, the Domains tab does not appear.
  17. Verify that the Workspace ONE Access directory attribute names are mapped, in the Map User Attributes page, to the correct Active Directory attributes and configure changes, if necessary, then click on Next.
  18. From Active Directory, in the Select the groups, select the groups the admin wants to sync to the Workspace ONE Access directory and sync page.
  19. While adding groups, keep the following considerations in mind.
    1. As a best practice, while creating the directory, add and sync a small number of groups., The admin can add more groups after the Initial Setup.
    2. Until the group name is added to an access policy rule or the group is entitled to an application, Group names are synced to the directory when groups are added and synced. Users are not synced to the directory that is members of the group.
      Note: By enabling the Sync Group Members to the directory, the admin can override this restriction when Adding the Group option in the Identity & Access Management, navigate to Setup, and click on the Preferences page.
    3. In Active Directory, any users that do not have Domain Users as their primary group, then the admin syncs a group, are not synced.
    4. Specify one or more group DNS to select groups, and select the groups under them.
      1. Click + in the Specify the top-level group row, and the top-level group DN is specified. For instance, CN=users,DC=example,DC=company,DC=com.
        Note: In the Add Directory page, under the Base DN, specify group DNS that the admin entered in the Base DN text box. Users from that DN will be synced if a group DN is outside the Base DN but will not be able to sign in.
      2. Under the group DN the admin added, to select all the groups, click on the Select All check box.
    5. Within Active Directory, after the directory is created, the changes are reflected in subsequent syncs if groups are added or deleted to the group DN.
      1. If the admin wants to select specific groups under the group DN instead of all of them, click Select Groups, configure the selections, and click Save.
    6. When the admin clicks Select Groups, all groups in that DN are listed. To narrow the results or find specific groups, enter a search term in the search box.
    7. Select or deselect the Sync nested group members option as required.
  20. By default, the Sync nested group members setting is enabled. When it is enabled, the users linked directly to the selected group and the users in all nested groups under it are synced when the group is entitled.
    Note: Only the users in the nested groups are synced; the nested groups themselves are not synced.
    Those users become members, in the Workspace ONE Access directory, of the parent group that the admin selected for sync.
  21. When the Sync nested group members option is disabled and the admin specifies a group to sync, only the users that belong directly to that group are synced; users in nested groups under it are not. Disabling this option is useful for large Active Directory configurations, where traversing the group tree is resource- and time-intensive. If the option is disabled, make sure the admin selects every group whose users should be synced.
  22. Click Next.
  23. Select the users to sync. When adding users, keep the following in mind:
    1. Add all users who need to authenticate before configuring group entitlements, because group members do not sync to the directory until the group is entitled to applications or added to an access policy rule.
    2. The Bind user specified in the Bind Details section is not synced to the Workspace ONE Access service. To sync the Bind user, enter its user DN on this tab. If required, configure a role for the Bind user after the directory is synced.
    3. Click + in the Specify the user DNs row and enter the user DNs.
      Note: Specify user DNs that are under the Base DN the admin entered in the Base DN text box on the Add Directory page. If a user DN is outside the Base DN, users from that DN are synced but cannot sign in.
    4. If needed, specify filters to include or exclude users from the DNs.
    5. Click Next.
    6. On the Sync Frequency page, set up a sync schedule to sync users and groups at regular intervals, or select Manually in the Sync Frequency drop-down list if the admin does not want a schedule.
    7. Set the time in UTC.
    8. If Manually is selected, the admin must click the Sync button on the directory page whenever they want to sync the directory.
    9. Select Sync Directory to create the directory and start syncing it, or Save to create the directory without syncing.
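The two sync rules above that most often surprise admins are the Base DN check (a user DN outside the Base DN syncs but cannot sign in) and the effect of Sync nested group members (nested users are attached to the parent group, nested groups are never synced). The following added example, which is not Workspace ONE Access code, models both rules in Python over a constructed sample directory so the outcome of each setting can be checked before a real sync. The DNs, group names and the assumption that RDNs contain no escaped commas are all hypothetical.

```python
# Added example (not Workspace ONE Access code): models two rules from the
# directory-sync steps above on constructed sample data.
#  1. A user DN chosen for sync should sit under the directory's Base DN;
#     users from a DN outside it are synced but cannot sign in.
#  2. With "Sync nested group members" enabled, users in groups nested under
#     the selected group are attached to the parent group; with it disabled,
#     only direct user members are synced. Nested groups are never synced.
from typing import Dict, List, Set


def dn_components(dn: str) -> List[str]:
    """Split an LDAP DN into its RDNs, normalised for comparison.

    Assumption: RDNs contain no escaped commas; attribute types and values
    are compared case-insensitively, which is how Active Directory treats them.
    """
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies beneath it in the directory tree."""
    d, b = dn_components(dn), dn_components(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def check_user_dns(base_dn: str, user_dns: List[str]) -> Dict[str, bool]:
    """Map each user DN selected for sync to whether its users can sign in."""
    return {dn: is_under(dn, base_dn) for dn in user_dns}


def synced_members(group_dn: str, groups: Dict[str, List[str]],
                   sync_nested: bool = True) -> Set[str]:
    """Return the user DNs that a sync of group_dn would attach to it.

    `groups` maps group DN -> member DNs; a member that is itself a key of
    `groups` is a nested group. Visited groups are tracked so circular
    nesting (possible in AD) does not loop forever.
    """
    users: Set[str] = set()
    visited: Set[str] = set()
    stack = [group_dn]
    while stack:
        current = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        for member in groups.get(current, []):
            if member in groups:
                if sync_nested:          # descend into the nested group
                    stack.append(member)
                # the nested group itself is never added: groups are not synced
            else:
                users.add(member)
    return users


# Constructed sample directory (hypothetical DNs under example.com).
BASE_DN = "OU=Corp,DC=example,DC=com"
ALICE = "CN=alice,OU=Users,OU=Corp,DC=example,DC=com"
BOB = "CN=bob,OU=Users,OU=Corp,DC=example,DC=com"
ENGINEERING = "CN=Engineering,OU=Groups,OU=Corp,DC=example,DC=com"
PLATFORM = "CN=Platform,OU=Groups,OU=Corp,DC=example,DC=com"
GROUPS: Dict[str, List[str]] = {
    ENGINEERING: [ALICE, PLATFORM],   # Platform is nested in Engineering
    PLATFORM: [BOB, ENGINEERING],     # ...and nests Engineering back (a cycle)
}
# The first DN is under the Base DN; the second (a service-account OU, where a
# bind user often lives) is not, so its users would sync but fail to sign in.
USER_DNS = [
    "OU=Users,OU=Corp,DC=example,DC=com",
    "OU=Service,DC=example,DC=com",
]

if __name__ == "__main__":
    for dn, ok in check_user_dns(BASE_DN, USER_DNS).items():
        print(f"{dn}: {'OK' if ok else 'outside Base DN, users cannot sign in'}")
    print("nested on :", sorted(synced_members(ENGINEERING, GROUPS, True)))
    print("nested off:", sorted(synced_members(ENGINEERING, GROUPS, False)))
```

Running the script flags the service OU as outside the Base DN, and shows that with nesting enabled Engineering gains both alice and bob while the Platform group itself never appears, and with nesting disabled only alice is attached, which is why the step above warns to select every group explicitly in that mode.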

Result

If the admin clicks Sync Directory and the connection to Active Directory is established, users and group names are synced from Active Directory to the Workspace ONE Access directory.

Identity and Access Management Settings in Workspace ONE Access: Overview

The Identity and Access Management tab in the Workspace ONE Access console lets the admin configure and manage authentication methods, directory services, and access policies, and integrate with Workspace ONE UEM.

The Setup settings on the Identity and Access Management tab are described below:

Identity and Access Management Set Up Settings

  1. Connectors: The Connectors page lists the connectors deployed inside the enterprise network. The Workspace ONE Access connector is an on-premises component of Workspace ONE Access that integrates with the on-premises infrastructure. The following enterprise services can be installed on a connector:
    1. Directory Sync service, which syncs users from Active Directory or LDAP directories to the Workspace ONE Access service.
    2. User Auth service, which provides connector-based authentication methods, including Password (cloud deployment), RADIUS (cloud deployment), and RSA SecurID (cloud deployment).
    3. Kerberos Auth service, which provides Kerberos authentication for internal users.
  2. Branding: Customize the appearance of the Workspace ONE Access console header and sign-in screen on the Custom Branding page.
    Note: The admin can add a logo and customize the look of the Workspace ONE Intelligent Hub portal or Hub app view from the Branding page of the Hub Services console.
  3. User Attributes: The User Attributes page lists the default user attributes that sync in the directory. The admin can add other attributes and map them to Active Directory attributes.
  4. Autodiscovery: When Workspace ONE Access and Workspace ONE UEM are integrated in an on-premises deployment, the admin can integrate the Windows Autodiscovery service deployed in the Workspace ONE UEM configuration with the Workspace ONE Access service.
    For cloud deployments, register the email domain to use the autodiscovery service; this makes it easy for users to reach their apps portal through Workspace ONE Intelligent Hub. End users can enter their email address instead of the organization's URL when accessing their apps portal through Workspace ONE Intelligent Hub.
  5. Okta: On this page the admin enters Okta tenant information to connect Workspace ONE Access to the Okta tenant and retrieve apps from Okta.
  6. VMware Workspace ONE UEM: Set up integration with Workspace ONE UEM on this page. With UEM integrated, the admin can enable user password authentication through the AirWatch Cloud Connector (ACC), enable the compliance check so that managed devices are verified against Workspace ONE UEM compliance policies, and enable the catalog settings.
  7. Preferences: The admin enables features on the Preferences page. The following preferences are available:
    1. Enable Show System Domain on Login Page.
    2. Enable Persistent Cookies. A persistent cookie stores the user's sign-in session so that users do not have to re-enter their credentials when accessing managed resources from iOS or Android mobile devices. Because the session then outlives the app session on the device, weigh this convenience against the risk of a lost or shared device and pair it with the UEM compliance check.
    3. Enable Hide Domain Drop-Down Menu when the admin does not want to require users to select their domain before signing in.
    4. Select the User Sign-in Unique Identifier option to display the identifier-based sign-in page.
    5. Use Customize Sign-in Input Prompt to configure the prompt shown in the user text box on the sign-in screen.
    6. Enable Sync Group Members to the Directory When Adding Groups to sync the members of groups added from Active Directory. When this is disabled, group names are synced but group members are not.
    7. Enable User Sign-in Unique Identifier to hide the domain request page.
  8. Terms of Use: Set up the Workspace ONE terms of use on this page and require end users to accept them before working with the Workspace ONE Intelligent Hub portal.

Identity and Access Management Manage Settings

  1. Directories: The Directories page lists the directories the admin has created. Create and sync one or more directories with the enterprise directory deployment. On this page the admin can view the number of users and groups synced to each directory and the time of the last sync. To start a directory sync, click Sync Now.
    Click a directory name to edit its sync settings, and view the sync log by navigating to the Identity Providers page.
    From the directory sync settings page the admin can manage the following:

    1. Schedule the sync frequency.
    2. See the list of domains associated with this directory.
    3. Change the list of mapped attributes.
    4. Update the list of users and groups that sync.
    5. Set the safeguard targets. Safeguards cap how many users and groups a single sync may delete, so a mistyped DN or filter cannot silently remove a large part of the directory.
  2. Identity Providers: The admin configures and manages the following identity provider types on this page:
    1. Workspace ONE Access identity provider, for Kerberos authentication.
    2. Built-in identity provider, for the User Auth authentication methods managed by Workspace ONE Access.
    3. Third-party identity providers.
  3. Password Recovery Assistant: On this page, change the default behaviour when an end user clicks Forgot password on the sign-in screen.
  4. Authentication Methods: Use this page to configure the cloud authentication methods associated with the Workspace ONE Access service. These authentication methods are then associated with the built-in identity providers.
  5. Policies: The Policies page lists the admin's default access policy and any other web application access policies. The admin can also configure network ranges from this page.
    Policies are sets of rules that specify the criteria users must meet to access their Workspace ONE Intelligent Hub portal or to launch the web applications enabled for them. The default policy can be edited. If web applications are added to the catalog, create new policies to control access to them.
  6. Enterprise Authentication Methods: Configure and manage the Kerberos Auth service and User Auth service authentication methods from this page.
