Requirements
Supported Instances
We currently support integration with NA instances only (UAT, EMEA, APAC and other instances are not supported). For more information on instances, please refer to: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/UEM_ConsoleBasics/GUID-BF20C949-5065-4DCF-889D-1E0151016B5A.html
Configure Workspace ONE Integration in the Beyond Identity Administrator Console
VMWare Workspace ONE Configuration
You must create an OAuth client to use for API commands. To create an OAuth client:
- Navigate to Groups & Settings > Configurations.
- Enter OAuth in the search text box labeled ‘Enter a name or category’ and then select OAuth Client Management that appears in the results.
- The OAuth Client Management screen is displayed. Select OAuth Client Management.
- From the OAuth Client Management screen, select Add.
- From the Register New Client dialog, enter the appropriate Name, Description, Organization Group, and Role.
- Name: Beyond Identity-Workspace ONE Integration
- Description: API Token for Beyond Identity-Workspace ONE Integration
- Organization Group: Please ensure that the Organization Group is the Top Level (Organizational Type: Customer).
- Role: Please ensure that the role specified has privileges to make API calls to Workspace ONE UEM (Read only, Console Administrators or Custom Role with API permissions).
- Make sure the Status is Enabled.
- Select Save.
- The Client ID and Client Secret information is displayed. IMPORTANT: Copy the Client ID and Client Secret to the clipboard and save them before you close the screen. Select the clipboard icon to send the Client Secret to the clipboard.
- After copying and saving the Client ID and Client Secret, select Close.
Note: In a later step in this guide we’ll use the Client ID and Client Secret to configure the Workspace ONE integration via the Beyond Identity Admin Console.
Beyond Identity Configuration
- Log into your organization’s Beyond Identity Administrator Console at: https://admin.byndid.com/
- Select Integrations from the left menu and then select ENDPOINT MANAGEMENT.
- Hover over the right column associated with the VMWare Workspace ONE UEM row. The Install this service icon is displayed. Click on the icon.
- In the Install VMWare Workspace ONE UEM dialog, provide the following values:
- Token URL - Refer to Link Using UEM Functionality With a REST API
- Host URL - Refers to the API endpoint of Workspace ONE UEM (e.g. https://yourorg.awmdm.com or https://asXYZ.awmdm.com, where XYZ refers to the instance number). For more information, refer to Link Using UEM Functionality With a REST API
- Client ID
- Client Secret
- Click Save Changes when done.
- Perform a Beyond Identity authentication from a managed device by logging into the Admin Console.
- Once your identity has been successfully verified and you have logged into the Admin Console, select the Events Tab located in the left pane of the Admin Console.
- Locate the Authentication event corresponding to the transaction that just occurred and click on the Date & Time row associated with the event.
- The Event Details are displayed in the upper-right corner of the Events page. Confirm the serial number for the device has been captured by locating the serial_number under eventData > platform_device_info > hardware that is found under the Other Info section.
Note: A matching device serial number in this step is required for the rest of the configuration guide. If it is not captured or configured, please reach out to your Workspace ONE Administrator or Beyond Identity representative for assistance.
- Once the step above is successful, Administrators can create policy rules that use the Workspace ONE integration.
For information on creating policy rules, see Defining Policy.
Deploying the Beyond Identity App to Mobile Devices via VMWare
The Beyond Identity integration pulls device info of a specific device from VMWare via hardware identifiers such as serial number and device Uid. In order to perform lookups for mobile devices, the Beyond Identity app must be pushed by VMWare to managed mobile devices along with serial number and device Uid info. See instructions below for pushing the Beyond Identity mobile application as well as hardware identifiers via VMWare.
Add Beyond Identity Android Application to Workspace ONE
Note: For mobile devices the Beyond Identity Authenticator Application must be managed by VMWare Workspace ONE UEM in order to leverage the Beyond Identity integration. Use the steps below to manage/push the Beyond Identity app using Workspace ONE UEM.
- Click on Resources > Native > Public, and under List View, click Add Application.
- In the Add Application dialog, select:
- Platform: Android
- Source: Search App Store
- Name: Beyond Identity
Click Next to continue.
- A list of applications will come up, choose the Beyond Identity Application with the Blue logo as shown below:
- Under the application details, click Approve.
Note: This step will make the application available in the Managed Play Store for users but won’t automatically install it for them. Later on in this guide we’ll cover how to automatically install the application by assigning it to users.
- The next screen will show which permissions the Beyond Identity application will acquire from users’ devices. Please review and click Approve.
- Next, Workspace ONE will ask for permission to Keep Approved state if permissions change. Review this choice per your organization’s policies and click Done.
- Review the Application details within Workspace ONE. Any changes required per organization policy can be made now. Click Save and Assign once done.
- Review Assignment details. Under the Distribution tab, provide a name, assignment group and Delivery Method (Auto recommended). Click Application Configuration once done.
- Under Application Configuration:
- Make sure Managed Access is set to Off.
- Set Send Configuration to On.
- Add a Configuration with the following values as shown below:
- Configuration Key: serialNumber
- Type: String
- Value: {DeviceSerialNumber}
- Configuration Key: DeviceUid
- Type: String
- Value: {DeviceUid}
Note: Configuration key is case sensitive. It must match exactly as shown above.
This setting gives Beyond Identity access to the Device Serial number and UID. Click Create once done.
- Review the settings on the Assignment screen. Click Save.
- The Preview Assigned Devices screen shows a summary of which devices will receive the Managed Beyond Identity App.
Review these devices and click Publish when done.
- Depending on the deployment settings used, after a few seconds the Beyond Identity application will automatically be installed in the Work Profile section of the user’s managed devices as shown in the screenshot below.
This completes the Application configuration section of this guide.
Add Beyond Identity iOS Application to Workspace ONE
- Click on Resources > Native > Public, and under List View, click Add Application.
- Select Platform: Apple iOS, Source: AppStore, Name: Beyond Identity. Click Next.
- Click Select for the Beyond Identity Application.
- Provide a Category, then click Save and Assign.
- Review Assignment details. Under the Distribution tab, provide a name, assignment group and Delivery Method (Auto recommended). Click Application Configuration once done.
- Under Application Configuration:
- Make sure Managed Access is set to Off.
- Set Send Configuration to On.
- Add a Configuration with the following values as shown below:
- Configuration Key: serialNumber
- Type: String
- Value: {DeviceSerialNumber}
- Configuration Key: DeviceUid
- Type: String
- Value: {DeviceUid}
Note: Configuration key is case sensitive. It must match exactly as shown above.
This setting gives Beyond Identity access to the Device Serial number and UID. Click Create once done.
- Review the settings on the Assignment screen. Click Save.
- The Preview Assigned Devices screen shows a summary of which devices will receive the Managed Beyond Identity App.
Review these devices and click Publish when done.
- Depending on the deployment settings used, after a few seconds the Beyond Identity application will automatically be installed in the selected devices.
This completes the Application configuration section of this guide.
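The Android and iOS Application Configuration steps above both depend on exact, case-sensitive keys, so a pre-publish check is useful. The following is an added example, not code from Beyond Identity or VMware: it lints a list of configuration rows against the keys, types and values this guide specifies. The list-of-dicts input shape and the function name are assumptions made for illustration.

```python
# Added example. Keys, types and values come from the guide's Application
# Configuration step; the list-of-dicts input shape is an assumption.
REQUIRED = {
    "serialNumber": "{DeviceSerialNumber}",
    "DeviceUid": "{DeviceUid}",
}


def lint_app_config(rows):
    """Return findings for a managed-app config; an empty list means it matches."""
    findings = []
    by_key = {}
    for row in rows:
        key = row.get("key", "")
        if key in by_key:
            findings.append(f"duplicate key {key!r}")
        by_key[key] = row

    for want_key, want_value in REQUIRED.items():
        row = by_key.get(want_key)
        if row is None:
            # Keys are case sensitive: report a near miss instead of "missing".
            near = [k for k in by_key if k.strip().lower() == want_key.lower()]
            if near:
                findings.append(f"key {near[0]!r} must be exactly {want_key!r}")
            else:
                findings.append(f"missing key {want_key!r}")
            continue
        if row.get("type") != "String":
            findings.append(f"{want_key}: type must be 'String', got {row.get('type')!r}")
        if row.get("value") != want_value:
            findings.append(f"{want_key}: value must be {want_value!r}, got {row.get('value')!r}")
    return findings


# Constructed sample input: one wrong-case key, one value missing its braces.
SAMPLE_BAD = [
    {"key": "SerialNumber", "type": "String", "value": "{DeviceSerialNumber}"},
    {"key": "DeviceUid", "type": "String", "value": "DeviceUid"},
]
SAMPLE_GOOD = [
    {"key": "serialNumber", "type": "String", "value": "{DeviceSerialNumber}"},
    {"key": "DeviceUid", "type": "String", "value": "{DeviceUid}"},
]

if __name__ == "__main__":
    for finding in lint_app_config(SAMPLE_BAD):
        print("FAIL:", finding)
    print("good config findings:", lint_app_config(SAMPLE_GOOD))
```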