Workspace ONE UEM Prerequisites

To complete this exercise successfully, an Organization Group named Exercise 03 has been created and set as Customer Type. All configuration in this exercise must be performed in this Organization Group.

Before enabling the VMware Tunnel, a few settings must be enabled in the Workspace ONE UEM Console. As already mentioned, the Organization Group must be set as Customer Type. In addition, a Device Root Certificate must be issued and a REST API Key generated at the Organization Group where VMware Tunnel will be enabled.

The next steps show you how to find these settings and ensure they are enabled before configuring the VMware Tunnel settings.

1. Validating Organization Group and Finding your Group ID

  1. Click on your Organization Group
  2. Select Exercise 03

The Group ID for Exercise 03 has been defined and sent to you via e-mail. After selecting Exercise 03, you can hover the mouse over the Organization Group to obtain the Group ID.

2. Open All Settings

  1. Click Groups & Settings.
  2. Click All Settings.

3. Validating Device Root Certificate

The Device Root Certificate must be generated before enabling VMware Tunnel. You can validate this by following the steps below:

  1. Click System.
  2. Click Advanced.
  3. Click Device Root Certificate.

You should see a similar screen showing the generated certificate. If the certificate has not been created yet, a Generate Certificate button is presented instead.

4. Enabling REST API

The REST API must also be enabled. It allows Workspace ONE UEM to communicate with Unified Access Gateway and VMware Tunnel.

After you configure the VMware Tunnel settings in the Workspace ONE UEM Console, the OVF template is set up during deployment to point to the REST API endpoint of your Workspace ONE UEM environment to retrieve those settings. The VMware Tunnel Edge Service on the Unified Access Gateway Appliance pulls the appropriate settings from the AirWatch API based on the VMware Tunnel hostname provided during configuration.

  1. Click API
  2. Click REST API

For this exercise, API Access is already ENABLED and is inheriting the key. In a production scenario, it is recommended to override when you have a Customer Type Organization Group; that ensures you have an exclusive key for this Organization Group and its child groups.

  3. Click X to close.

5. Validating the API admin account

An administrator-type account is required to establish communication through the REST API between the VMware Tunnel Edge Service and Workspace ONE UEM. This integration allows the appliance to obtain the VMware Tunnel configuration and start the service based on the configuration you defined in the Workspace ONE UEM Console.

The account apiuser is already created for you with permissions to access the API.