VMware AirWatch Console configuration for the SDK Sample App

In this section, we will modify the default SDK profile and assign it to the sample app. If we have more than one set of configurations then we can create custom SDK profiles and assign them individually. However, to limit the scope of this lab, we are going to change only the default profile.

The profile payloads that we are targeting for this lab are, Authentication, Custom Settings and AirWatch App Tunnel. We will examine how these payloads take effect in the app by sending the configuration over the air. We will discuss each payload and the use case in the individual steps.

1. Configure the Default SDK Profile in the AirWatch Console

Configure the Default SDK Profile in the AirWatch Console
  1. Click on Apps & Books.
  2. Click on All Apps & Books Settings.
Navigate to Security Policy
  1. Under the Apps section, expand Settings And Policies.
  2. Click Security Policies.

1.2. Authentication Type

Authentication Type

The Authentication payload enables the sample app to populate a prompt to authenticate upon launch. The sample app is already equipped with the all the code required to render the authentication box and this payload is used to specify related attributes e.g. type, timeout, allowed attempts etc. The use case here is to require the end user to authenticate in order to use app functionality and data. This restricts the exposure of sensitive resources to unmanaged/ unauthorized users.

While there are multiple combinations possible to fulfill the corporate security requirements, we are going to use the following configuration for Authentication.

  1. Change the Current Settings to Override.
  2. Select the Authentication Type as Passcode.
    NOTE - We are only enabling Authentication Type as Passcode, however, Single Sign on will be disabled.
  3. Select the Authentication Timeout to 1 minute(s).
  4. Select Minimum Passcode Length to 6.

Keep all the other options to default.

1.3. AirWatch App Tunnel

AirWatch App Tunnel

AirWatch App Tunnel will allow the application to access backend resources to gather the required data and certain functionality. The advantage of using this payload is that so we do not need to enable device level VPN which could potentially expose the internal resources to any unintended third party apps. On top of that, we can also restrict the domains for which the traffic will be tunneled to give more granular network access control.

Now, we will configure the payload to use AirWatch Tunnel already setup at a higher Organization group. We will restrict the traffic to *.airwlab.com to tunnel only.

  1. Scroll down until you see the option for AirWatch App Tunnel.
  2. Click on Enabled for AirWatch App Tunnel if it is not selected already.
  3. Ensure that Host Name is holtunnel.airwlab.com.
  4. In the section for App Tunnel URLs enter "*.airwlab.com".

NOTE - Using a Per App VPN Profile is another way of leveraging the AirWatch App Tunnel for proxying.

1.4. Save Security Policy settings

Save Security Policy settings
  1. Scroll down to the bottom.
  2. Click Save. You should see Saved Successfully at the top which confirms that configuration is saved.

1.5. Enable Custom Settings

Enable Custom Settings
  1. Click Settings under Settings And Policies.
  2. Click Override for Current Setting.
  3. Select Enabled for Custom Settings.
  4. Click Custom Settings to expand the section.

1.6. Configure Custom Settings

Configure Custom Settings

Custom settings allows the AirWatch admin to push down values which are variable across the organization group structure. e.g. the values such as username are not available before the device is enrolled. Another example would be to send down an authentication URL such as SAML auth. endpoint which may be different for different organization groups depending on the physical location.

By using Custom Settings, an AirWatch admin can send down either hardcoded values (such as a URL) or they can leverage the look up values available within AirWatch console. e.g. when we push down the look up value {EnrollmentUser}, that value will get replaced by the actual enrollment user when the app is installed on a managed device.

In this section, we are going to send one hardcoded value (URL) and one lookup value ({EnrollmentUser})

  1. Scroll down to so you can view the Custom Settings input field.
  2. Type in the following in Custom Settings input field: "URL: http://internal.airwlab.com" and "username:{EnrollmentUser}"
  3. Click Save. You should see Saved Successfully at the top which confirms that configuration is saved.
  4. Click on X at the top right to close the window.

NOTE - An app developer can define variables for the values pushed down via Custom Settings and then those variable would be replaced by actual values in runtime.

2. Configure the SDK Sample App in the AirWatch Console

Now we should have a SDK profile ready to be applied to the app. In this section, we will upload the app, assign the SDK profile we just configured and then setup the deployment option.

2.1. Add Internal Application

Add Internal Application
  1. Click on Add in top right.
  2. Click on Internal Application.

2.2. Upload the SDK Sample App to the AirWatch Admin Console

Upload the SDK Sample App to the AirWatch Admin Console

Click Upload.

2.3. Select Choose File

Click Choose File.

Navigate to AirWatch SDK Sample App
  1. From the left pane, select the folder Documents.
  2. Select the app that we signed and exported from Android studio: AirWatch SDKTest-release.apk.
  3. Click on Open.
  4. Click on Save.
  5. Click on Continue at the bottom of the Add Application window.

2.5. Save the Uploaded File

Click Save.

2.6. Continue after Uploading File

Click Continue.

2.7. Select enhancement mode as SDK

Select enhancement mode as SDK
  1. Click the More dropdown tab.Now to select the SDK profile, click on the dropdown More.
  2. Select the option enhancement mode as SDK.

2.8. Select Android Default Settings as SDK profile

Select Android Default Settings as SDK profile
  1. Since we did not create a custom profile but rather changed the default profile, from the dropdown we are going to select Android Default Settings @Global. We are not concerned with Application Profile for this lab.
  2. Click on Save & Assign.

2.9. Update Assignment

Update Assignment

Click on + Add Assignment.

2.10. Add Smart Group and Push Mode

Add Smart Group and Push Mode
  1. Select All Devices ([email protected]) for the Assignment Group.
  2. Select Auto for App Delivery Method.
  3. Click Add.

2.11. Save and Publish the App

Save and Publish the App
  1. Validate that now you the assignment contains the All Devices group.
  2. Click Save & Publish.

2.12. Confirm Device Assignment and Publish

Confirm Device Assignment and Publish

Click Publish.