Workspace ONE UEM Prerequisites

To complete this exercise successfully, an Organization Group named Exercise 02 has been created and set as Customer Type. All the configuration in this exercise must be performed in this Organization Group.

Before enabling the VMware Tunnel, a few settings must be enabled in the Workspace ONE UEM Console. As already mentioned, the Organization Group must be set as Customer Type. In addition, a Device Root Certificate must be issued and a REST API Key generated at the Organization Group where VMware Tunnel will be enabled.

The next steps show you how to find these settings and ensure they are enabled before configuring the VMware Tunnel settings.

1. Switch Organization Group to Exercise 02

  1. Click on the Organization Group tab
  2. Click Exercise 02

2. Finding Your Group ID

  1. After selecting the Exercise 01 organization group, hover your mouse over the organization group tab.
  2. Note the Group ID value.

3. Open All Settings

  1. Click Groups & Settings.
  2. Click All Settings.

4. Validating Device Root Certificate

The Device Root Certificate must be generated prior to enabling VMware Tunnel. You can validate that by following the steps below:

  1. Click System.
  2. Click Advanced.
  3. Click Device Root Certificate.

You should see a similar screen showing the generated certificate. If the certificate has not been created yet, a Generate Certificate button is presented instead.

5. Enabling REST API

Enabling the Workspace ONE REST API is also required; it allows Workspace ONE UEM to communicate with Unified Access Gateway and VMware Tunnel using REST APIs.

After you configure the VMware Tunnel settings in the Workspace ONE UEM Console, the OVF template is set up during deployment to point to the REST API endpoint of your Workspace ONE UEM environment to retrieve the VMware Tunnel settings. The VMware Tunnel Edge Service on the Unified Access Gateway Appliance pulls the appropriate settings from the Workspace ONE REST API based on the VMware Tunnel hostname provided during configuration.

  1. Click API
  2. Click REST API

For this exercise, API Access is already ENABLED and is inheriting the key. In a production scenario, overriding is recommended when you have a Customer Type Organization Group; that ensures you have an exclusive key for this Organization Group and any child organization groups.

3. Click X to close

6. API Admin Account

A Workspace ONE Administrator type account is required to establish communication through the REST API between the VMware Tunnel Edge Service and Workspace ONE UEM. This integration allows the appliance to obtain the VMware Tunnel configuration and start the service based on the configuration you define in the Workspace ONE UEM Console.

The Workspace ONE Administrator account you used to sign in to the Workspace ONE UEM Console in previous steps (Your VLP Email Address) has sufficient privileges. There is also an administrator account named apiuser, created at a higher-level organization group, which can be used as well.