Advanced MDM with Android

This module will walk through the creation of an Android Profile for a Credential Payload which will deliver the previously created enterprise certificate, the enrollment of a device using Microsoft Active Directory authentication and the validation of the appropriate AirWatch profiles being assigned.  Once validation is complete, you will then un-enroll the device and ensure the AirWatch profiles are removed.

NOTE: IF YOU DO NOT HAVE AN ANDROID DEVICE AVAILABLE FOR USE WITH THIS LAB, SKIP THIS CHAPTER USING THE TABLE OF CONTENTS BUTTON AND CONTINUE ON TO "MODULE 3 - SINGLE DEVICE/MULTIPLE USERS" INSTEAD.

As previously stated, there may be devices such as iPads available for check out and use with this lab.  Please check with your lab captains, proctors, or session instructors if you do not have one and wish to use one.

NOTE - If you are using an iOS device, DO NOT USE THIS CHAPTER!

NOTE - As a reminder, if you are using your own device, please ensure you have reviewed the legal disclaimers to this lab!

1. Login to the AirWatch Console - IF NEEDED

1.1. Launch Chrome Browser

Launch Chrome Browser

Double-click the Chrome Browser on the lab desktop.

1.2. Authenticate to the AirWatch Administration Console

Authenticate to the AirWatch Administration Console

The default home page for the browser is https://hol.awmdm.com. Enter your AirWatch Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is the email address associated with your VMware Learning Platform (VLP) account.
  2. Enter "VMware1!" for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the AirWatch Hands On Labs server.

2. Create a Profile with a Credential Payload

You will now create a device profile with a payload based upon credentials used.

2.1. Navigate to the Devices Profile List View

Navigate to the Devices Profile List View

In the AirWatch console...

  1. Click on “Devices” in the far left column.
  2. Next click on "Profiles" to expand it.
  3. Click on the "List View” option under "Profiles" in the second column.
  4. Click on “Add” in the menu bar.

2.2. Add an Android Profile

Add an Android Profile

You will now be presented with the “Add Profile” screen.  Here you would select the operating system type of your device.

For this lab, select "Android".

2.3. Configure the Android Profile

Configure the Android Profile

After clicking on the Android icon, you will be presented with the “Add a New Android Profile” screen. All profiles are broken down into two basic sections, the “General” section and the “Payload” section.

The “General” section holds information about the Profile: its name and the filters that decide which devices will receive it.

The “Payload” sections define the actions to be taken on the device.

Every Profile must have all required fields in the “General” section properly filled out and at least one payload configured.

NOTE: It is recommended a Profile contain only one payload.

2.4. Define the General Settings for the Profile

Define the General Settings for the Profile

Configure the profile as follows:

  1. Click on “General” if it is not already selected.
  2. Give the profile a name such as “Android Certificate” by entering it in the “Name” field.
  3. Change the "Allow Removal" to "Never".

NOTE: You do not need to click SAVE or SAVE AND PUBLISH at this point.  This interface allows you to move around to different payload configuration screens before saving.

Click to the NEXT STEP in the lab manual to continue configuration of the profile.

2.5. Select the Credentials Payload

Select the Credentials Payload

NOTE: When initially setting a payload, a "Configure" button will show to reduce the risk of accidentally setting a payload configuration.

  1. Click on the "Credentials" payload in the "Payload" section on the left.
  2. Click the "Configure" button to continue setting the Credentials payload.
  3. Click on the first drop down to select “Defined Certificate Authority”.
  4. Click on the second drop down to select "CONTROLCENTER-CA".
  5. Click on the third drop down to select "MobileUser".
  6. Click on the "Save & Publish" button at the bottom of the screen. You may need to scroll down to see the button.

2.6. Verify the Certificate Profile Now Exists

Verify the Certificate Profile Now Exists

You should now see your Credentials Profile within the List View of the Devices Profiles window.

NOTE: If you need to edit the Credentials Profile, this is where you would come back to in order to do so.

3. Enrolling an Android Device with an Active Directory Account

In this chapter you will be enrolling an Android device as before, but authenticating with an Active Directory account so that enrollment is validated against the corporate infrastructure.

3.1. Finding your Group ID

Finding your Group ID

The first step is to make sure you know what your Organization Group ID is.

  1. To find the Group ID, hover your mouse over the Group ID tab at the top of the screen. This may be shown in the form of the original email address used to create the sandbox.
  2. The Group ID will be displayed under the Organization Group name. The Group ID is required when enrolling your device.

NOTE:  You may also use the Group ID shown in the "VMworld AirWatch HOL Sandbox Creator" application (if left running and not closed).

This screenshot shows an example of what a Group ID looks like, not your actual Group ID.

3.2. Download/Install AirWatch MDM Agent Application from App Store

Download/Install AirWatch MDM Agent Application from App Store

At this point, if the device you are using does NOT have the AirWatch MDM Agent Application installed, then install the AirWatch MDM Agent Application from the Google Play store.

To Install the AirWatch MDM Agent application from the Google Play Store, open the "Play Store" application and download the free "AirWatch MDM Agent" application.

NOTE: You will need to "Accept" the necessary access policies.

3.3. Launching the AirWatch MDM Agent

Launching the AirWatch MDM Agent

Launch the AirWatch Agent app on the device. If you are using your own Android device, you will need to download the agent first.

3.4. Select AirWatch MDM Agent Authentication Method

Select AirWatch MDM Agent Authentication Method

Once the Agent has launched you can enroll the device.  To do so, you must first select the AirWatch authentication method.

  1. Click on the “Server Details”.

3.5. Attach the AirWatch MDM Agent to the HOL Sandbox

Attach the AirWatch MDM Agent to the HOL Sandbox

After selecting the Server authentication method, you need to supply the information to authenticate.  To do so, follow the below steps.

  1. For “Server”, enter "https://hol.awmdm.com".
  2. For “Group ID”, enter the Group ID for your Organization Group. This was noted previously in the "Finding your Group ID" step.
  3. Click  the “Continue” button.

NOTE:  If on an iPhone, you may have to close the keyboard by clicking "Done" in order to click the "Continue" button.

3.6. Authenticate the AirWatch MDM Agent

Authenticate the AirWatch MDM Agent

On this screen, enter the Active Directory “Username” and “Password” preconfigured in this lab (User: "IMAUSER" Password: "VMware1!").

  1. Type in the Active Directory Username. This should be "IMAUSER".
  2. Type in the Active Directory Password. This should be "VMware1!".
  3. Click the "Continue" button.

3.7. Android Authentication Complete

Android Authentication Complete

You should now see a screen stating that Authentication is complete. The following steps will be used to ensure the device is compliant with the defined policies and profiles.

Tap the "Get Started" button on the device screen.

3.8. Grant Permissions to AirWatch MDM Agent

Grant Permissions to AirWatch MDM Agent

At this point, the AirWatch MDM Agent is ready to install the profile.

When the next screen appears on your device, you will need to tap the "Activate" button.

Tap the "Continue" button in the AirWatch MDM Agent wizard on your device.

3.9. Activate Device Administrator on Android

Activate Device Administrator on Android

You should now see the "Activate device administrator" screen on your device.

Tap the “Activate” button.

3.10. Install Enterprise Service

Install Enterprise Service

You are now taken back to the AirWatch MDM Agent wizard and notified you will be installing the Enterprise Service.

When the next screen appears on your device, you will need to tap the "Activate" button.

Tap the "Continue" button in the AirWatch MDM Agent wizard on your device.

3.11. Complete Action Using - IF NEEDED

Complete Action Using - IF NEEDED

If you see a "Complete Action Using" pop-up on your Android device, then a specific app package installer has not been selected as default.

  1. Check the "Use by default for this action" box.
  2. Select the Android "Package Installer".

NOTE: If you do not get this notification, ignore this step and go to the next step.

3.12. AirWatch Service Installer

AirWatch Service Installer

You should now see the "AirWatch [device] Service Installer" screen on your device.

NOTE: In the example here, the device used is an LG Phone. Hence, the service is the "AirWatch LG Service".

Tap the “Install” button.

3.13. AirWatch Admin Service Installer

AirWatch Admin Service Installer

You should now see the "AirWatch [device] Admin Service Installer" screen on your device.

NOTE: In the example here, the device used is an LG Phone. Hence, the service is the "AirWatch LG Admin Service".

Tap the “Activate” button.

3.14. Configure Enterprise Resources

Configure Enterprise Resources

You should now see the device screen on "Part 3: Configure" stating the authentication and securing of the device was successful.

Normally you would now configure the enterprise resources assigned to your device via AirWatch. These are settings commonly defined by your Information Technology department, which in this case is you!

Tap the "Continue" button in the AirWatch MDM Agent configuration wizard on your device.

3.15. Install Applications

Install Applications

At the "Install Applications" configuration screen, you (as the end user) would be given the option to install applications assigned to you by your Employer's Information Technology department.

Since our "Android No Camera" profile did not include additional applications, only the basic support applications have been pushed here for the type of device.

NOTE: Not all Android devices may need specific services or applications.

Tap the "Continue" button in the AirWatch MDM Agent configuration wizard on your device.

3.16. Exit AirWatch MDM Agent

Exit AirWatch MDM Agent

You have now completed the AirWatch MDM Agent configuration wizard.

Tap the "Exit" button in the AirWatch MDM Agent configuration wizard on your device.

NOTE: You will be taken to the AirWatch Agent app and shown connectivity and device info.

3.17. Check for the Camera - IF DESIRED

Check for the Camera - IF DESIRED

You should be at the AirWatch Agent screen on your device.  Tap the device HOME button to return to the home screen on the Android device.

If you completed Module 1 and had previously configured an "Android No Camera", then you will notice the Camera application may still be visible on the device.  However, if you launch the camera you will see it is disabled.

If you haven't completed Module 1, use the Table of contents to note the step you are on now and browse to the "Create an Android Restriction Profile" and walk through the 7 sub steps to create a basic Android Restriction Profile which disables the Camera.

NOTE:  The "Android No Camera" restriction profile is NOT needed for the enterprise certificate deployment but is a good test of proper device enrollment.

Continue on to the next chapter, "Confirming the Certificate was Issued to the Device".

4. Confirming the Certificate was Issued to the Device

You now need to confirm the certificate was issued to the device.

4.1. Validate the Certificate is Pushed to the Device

Validate the Certificate is Pushed to the Device

After clicking the “Save & Publish” button at the end of the previous chapter, the profile containing a certificate from the CONTROLCENTER-CA will push down to your device. The speed at which the profile is installed on the device depends on many variables outside of the control of AirWatch. The profile with the certificate may be installed in a few seconds or it may take a few minutes.

PLEASE WAIT UNTIL THE PROFILE IS INSTALLED on the device before continuing to the next step!  For Android, if you need to force the sync, just open the AirWatch Agent application and tap the "Sync" button.

To confirm the profile is installed on the device...

  1. Open the "AirWatch Agent" application on the Android device.
  2. Tap to select the "Profiles" option. NOTE: You may need to scroll down on the Android device screen.  Here you will see all of the Configuration "Profiles" which have been pushed to the device.
  3. When the profile is installed, you will see it listed with the name you gave it ("Android Certificate") in the previous steps leading up to this.

4.2. Checking the certificate in the Certificate Authority

Checking the certificate in the Certificate Authority

To view the certificate on the CA, return to the ControlCenter RDP by clicking on the minimized icon.


  1. In the WIN7-W7-01 Desktop, click on the minimized ControlCenter RDP Session.
  2. Within the ControlCenter RDP session, in the Certificate Authority console, expand out "CONTROLCENTER-CA" on the left column.
  3. Click on the “Issued Certificates” folder in the left column. This will display all the certificates that have been issued by this CA.
  4. The last certificate with the "Requester Name" of "CORP\imaservice" will be the certificate that was just issued to your Android device.

4.3. Wrap Up

This concludes configuring AirWatch to be used with an Enterprise Active Directory and Enterprise Certificate Authority for providing a single point of authentication and security using internal Enterprise security settings to ensure corporate data security is maintained even on end user personal devices.

5. Un-Enroll Your Android Device

You are now going to un-enroll the Android device from AirWatch.

NOTE: The term "Enterprise Wipe" does not mean reset or completely wipe your device. It only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch MDM Agent application from the device.

5.1. Enterprise Wipe (un-enroll) your Android device

Enterprise Wipe (un-enroll) your Android device

Enterprise Wipe will remove all the settings and content which were pushed to the device by your company's Information Technology department (in this case, you!) when it was enrolled. It will not affect any applications or data which were on the device prior to enrollment.

To Enterprise Wipe your device,

  1. Click on "Devices" in the left column.
  2. Click on "List View" near the top of the second column (NOTE: Not under any of the sub menus in the second column).
  3. In the “List View”, click on the device friendly name to select the device and view the Device Details page.

NOTE: Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown in the image for this step.

5.2. Find the Enterprise Wipe Option

Find the Enterprise Wipe Option

  1. Click on the upper “More” drop down at the top right of the screen.
  2. Click on “Enterprise Wipe” from under the "Management" menu.

5.3. Confirm the Enterprise Wipe

Confirm the Enterprise Wipe

Do not select the "Prevent Re-Enrollment" box.

  1. Click the "Enterprise Wipe" button.

NOTE: If the Enterprise Wipe does not immediately occur, you can open the AirWatch Agent application and tap the "Sync" button.

5.4. Uninstall AirWatch Device Service

Uninstall AirWatch Device Service

When an Enterprise Wipe is requested for an Android device, any "AirWatch [device] Service" will be prompted for removal. This is what an end user would see if the Employer's Enterprise I.T. department requested an Enterprise Wipe of a personal Android device.

  1. Tap "OK" on the "Uninstall" screen.
  2. Tap "OK" on the "Uninstall finished" screen.

5.5. Verify the Un-Enrollment

Verify the Un-Enrollment

When un-enrollment is complete, it will take you back to the "Welcome to AirWatch!" screen.

Press the HOME button on the device to go back to the home screen.

Note the following:

  • The AirWatch delivered applications have disappeared (you may need to tap your "Apps" icon to see if there are any AirWatch [device] Service applications remaining).
  • The camera should now work.

NOTE: The AirWatch Agent application will NOT be removed from the device by an "Enterprise Wipe".  You may manually delete this application from the device.

6. Force the Wipe - IF NEEDED

Force the Wipe - IF NEEDED

To ensure the wipe is forced immediately, open the Android settings and find the "Device Administrator" settings under the Android SECURITY settings.

Do the following for each AirWatch entry:

  • Tap the AirWatch entry (e.g. "AirWatch Agent") to deselect the check box.
  • Click OK or YES on any prompts.
  • Click DEACTIVATE on any prompts.
  • Click OK or YES again on any prompts.

When all are removed, the AirWatch Agent will show at the "Welcome to AirWatch!" screen.

7. Confirm the Certificate was Revoked

You should now confirm the Certificate was also revoked within the Certificate Authority.

7.1. Certificate Revocation Check

Certificate Revocation Check

Now that the device has been un-enrolled, the certificate that was pushed down is deleted from the device and revoked at the Certificate Authority. To view this, return to the Remote Desktop Session for the "Control Center" and open the "Certificate Authority" console as before.

  1. Click on the "Revoked Certificates" folder.
  2. The right-hand pane shows the certificate that was previously issued; it is now marked as revoked.
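The same checks performed through the Certificate Authority console in steps 4.2 and 7.1 can be scripted against the AD CS request database, which is useful when validating enrollment and un-enrollment for more than one device. The following PowerShell is an added example and is not part of the lab manual or of AirWatch; it assumes it is run inside the ControlCenter RDP session, and `<CA-HOST>` is a placeholder for the CA server's hostname, which the lab does not state. The `CORP\imaservice` requester name and the `CONTROLCENTER-CA` name come from the lab steps above; the `Get-AwCertRows` function name is hypothetical.

```powershell
# Added example (not from the lab manual): query the AD CS database with certutil to
# confirm the AirWatch-requested certificate was issued by CONTROLCENTER-CA and, after
# the Enterprise Wipe, revoked. Run inside the ControlCenter RDP session.
# ASSUMPTION: <CA-HOST> is a placeholder for the CA server's hostname (not given in the lab).
$CaConfig  = "<CA-HOST>\CONTROLCENTER-CA"

# Service account AirWatch uses to request device certificates (from step 4.2).
$Requester = "CORP\imaservice"

# Columns returned for each matching row in the CA database.
$Columns   = "RequestID,RequesterName,CommonName,CertificateTemplate,NotBefore,NotAfter,SerialNumber"

# Request.Disposition values in AD CS: 20 = Issued, 21 = Revoked.
function Get-AwCertRows {
    param(
        [ValidateSet("Issued", "Revoked")] [string] $State
    )
    $disposition = if ($State -eq "Issued") { 20 } else { 21 }
    $cols = $Columns
    if ($State -eq "Revoked") {
        # Revocation time and reason only make sense for revoked rows.
        $cols += ",Request.RevokedWhen,Request.RevokedReason"
    }
    # -restrict filters rows server-side; -out selects the columns to print.
    $output = certutil -config $CaConfig -view `
        -restrict "Disposition=$disposition,RequesterName=$Requester" `
        -out $cols
    # certutil prints one "Row N:" header per matching certificate.
    $rows = ($output | Select-String -Pattern '^Row \d+:').Count
    Write-Host "== $State certificates requested by $Requester : $rows =="
    $output
}

# Step 4.2 equivalent: the most recent issued row is the certificate pushed to the device.
Get-AwCertRows -State Issued

# Step 7.1 equivalent: after the Enterprise Wipe the same serial number should appear here.
Get-AwCertRows -State Revoked

# Relying parties (Wi-Fi/VPN gateways, OCSP/CRL checks) only learn of the revocation once a
# CRL containing it is published; publishing a fresh CRL makes the revocation effective now.
# certutil -config $CaConfig -CRL
```

Compare the `SerialNumber` of the newest issued row with the serial in the revoked list: a certificate that appears in the first but not the second after un-enrollment means the revocation request from AirWatch did not reach the CA. The commented `certutil -CRL` line is the step that turns a database revocation into something clients will actually enforce.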

8. Conclusion and Wrap Up

This concludes showing how AirWatch can be used with an Enterprise Active Directory and Enterprise Certificate Authority to provide granular management of end user devices through a single authentication and security controls mechanism.