Channel: VMware Communities : Blog List - All Communities

VMware TAM Source 11.04




FROM THE EDITOR'S VIRTUAL DESK
Hi everyone, it has been a while since our last newsletter and of course there has been a lot of news in the past few weeks. One of the major topics progressing at a rapid rate is the VMware Cloud on AWS (VMC) solution that we have touched on in the past. I would encourage you to check out as many resources as you can and try to keep track of the ever-changing landscape in this area, which is moving forward at great speed. One of my best resources is the VMware Cloud on AWS Roadmap, which we publish and keep updated online. You can check it out here!

I wish you all a fantastic week ahead!

Virtually Yours
VMware TAM Team

NEXT TAM WEBINAR
March 2019 – VMware IT’s Journey with Horizon: Windows Virtual Desktop

Date: Thursday, March 21st
Time: 11:00am EST/ 10:00am CST/ 8:00am PST
Duration: 1.5 Hour

Synopsis:
VMware IT transformed the way they deliver and manage the virtual desktop environments and published application platforms. In this session we will share our journey of Windows virtual delivery and lifecycle management in an enterprise environment. We will discuss challenges and lessons learned during the migrations as well as the benefits that we achieved. We will discuss the persistent desktop experience in a non-persistent virtual desktop platform in Horizon 7.

Guest speaker:
Aju Sukumaran is an Information Systems Sr. Manager in VMware's Colleague Experience & Technology Group. Currently he is working on deploying VMware's End User Computing products in VMware IT's environments.

Registration Link:
https://vmware.zoom.us/webinar/register/WN_04nKXeG0SwyOUdnxBuHQ9A

EXTERNAL NEWS FROM 3RD PARTY BLOGGERS

vinfrastructure

  • VMware vExpert 2019
    Reading Time: 3 minutes This year the vExpert 2019 announce has taken much time compared with the vExpert 2018 ann...
  • March 2019 IT events
    Reading Time: 1 minute Interesting European IT events: Gartner CIO Leadership Forum – London (Mar 4-6) Gartner Data  ...
  • Introducing VMware Essential PKS
    Reading Time: 3 minutes Kubernetes (k8s) is an open-source system for automating deployment, scaling, and management of...
  • Veeam Backup & Replication 10th birthday!
    Reading Time: 2 minutes Ten years ago, on Feb. 26, Veeam Backup & Replication 1.0 was introduced at VMworld Europe ...
  • Veeam ONE Community Edition
    Reading Time: 2 minutes With the new Veeam Availability Suite 9.5 Update 4, not only the Veeam Backup&Replication F...



DISCLAIMER
While I do my best to publish unbiased information specifically related to VMware solutions there is always the possibility of blog posts that are unrelated, competitive or potentially conflicting that may creep into the newsletter. I apologize for this in advance if I offend anyone and do my best to ensure this does not happen. Please get in touch if you feel any inappropriate material has been published. All information in this newsletter is copyright of the original author. If you are an author and wish to no longer be used in this newsletter please get in touch.

© 2018 VMware Inc. All rights reserved.


Troubleshooting checklist for VRA adapter configuration failure in vROps


vRealize Operations (vROps) is an efficient monitoring tool that integrates with many endpoints, such as vCenter, vSAN, network devices, vRA and databases.

vROps monitors the entire infrastructure that you integrate with it, lets you configure alerts, and provides recommendations as a precautionary measure.

For any such endpoint to be monitored from vROps, you have to perform the following steps:

1. Download the management pack.

2. Install the management pack on vROps.

3. Configure it, and vROps will start monitoring.

Let's go through the tips for checking a VRA adapter issue.

 

1. Is a compatible VRA adapter version installed?

Find your management pack and its documentation here: VMware Solution Exchange

Search for the pack name --> click on Support --> you will find the docs and the list of compatible versions for the pack.

 

2. vRealize Automation appliance URL used:

Simple deployment: use the VRA appliance name/URL.

Distributed setup with a load balancer (LB): use your LB name/URL.

NOTE: Always prefer the DNS name over the IP address.

 

3. Tenant:

Here you can give a specific tenant name, or use the * symbol to include all tenants.

 

4. Credentials provided while configuring the VRA adapter.

*Sysadmin: basically the user who installs VRA; this account should have the system-wide administrator role as well as the tenant administrator role.

*The super user must have the following privileges in VRA:

  • Infrastructure administrator rights for all tenants.
  • Infrastructure architect rights for all tenants.
  • Tenant administrator rights for all tenants.
  • Software architect roles for all tenants.
  • Fabric group administrator rights for all fabric groups, in all tenants.

This should take care of the VRA adapter configuration part. There is another interesting part, and that's connectivity.

 

5. Connectivity/communication between VRA and the vROps node

If VRA is deployed in a simple setup, then it is very simple:

*The vROps node that has the VRA solution installed should have connectivity to the IaaS web node, mainly.

*The vROps node that has the VRA solution installed should also have connectivity to the IaaS Manager node and the VRA appliance.

If VRA is deployed in a distributed setup with a load balancer, these are the checks:

*The vROps node that has the VRA solution installed should have connectivity to the LB used in front of the VRA appliances.

*The vROps node that has the VRA solution installed should have connectivity to the LB used in front of the IaaS Windows servers.

*Internally, the LB should have connectivity to the VRA appliances.

*The LB used in front of the IaaS nodes should have connectivity to the IaaS nodes it serves (web and manager).

A simple command to check and validate this, run from the vROps node against each FQDN, is:
curl -v https://<FQDN>
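As an added example (not from the original post), the following Python script runs the checklist above from the vROps node: it resolves each endpoint, opens the TCP connection and completes the TLS handshake, which is what curl -v https://<FQDN> does before sending the HTTP request. The topology names, the keyword labels and the hostnames under __main__ are constructed for the example.

```python
"""Connectivity pre-check for the vROps VRA adapter, following the checklist above.

Added example, not VMware code. Topology labels and the hostnames under __main__
are constructed for illustration.
"""
import ipaddress
import socket
import ssl


def required_checks(topology, **hosts):
    """Return (label, host) pairs the vROps node must reach for the given topology.

    "simple":      appliance=, iaas_web=, iaas_manager=
    "distributed": appliance_lb=, iaas_lb=   (the two load balancers)
    """
    if topology == "simple":
        keys = ("appliance", "iaas_web", "iaas_manager")
    elif topology == "distributed":
        keys = ("appliance_lb", "iaas_lb")
    else:
        raise ValueError("topology must be 'simple' or 'distributed'")
    missing = [k for k in keys if k not in hosts]
    if missing:
        raise ValueError("missing endpoint(s): " + ", ".join(missing))
    return [(k, hosts[k]) for k in keys]


def is_ip_literal(host):
    """True when the endpoint was entered as an IP address instead of a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_endpoint(host, port=443, timeout=5.0):
    """Do what 'curl -v https://<FQDN>' does up to and including the TLS handshake.

    status is one of "ok", "dns_failed", "tcp_failed", "tls_failed". Certificate
    verification uses the system trust store, so a self-signed or name-mismatched
    certificate is reported as tls_failed, the same thing the adapter trips over.
    """
    result = {"host": host, "port": port, "ip_literal": is_ip_literal(host)}
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror as exc:
        result.update(status="dns_failed", detail=str(exc))
        return result
    result["resolved"] = addr
    try:
        sock = socket.create_connection((addr, port), timeout=timeout)
    except OSError as exc:
        result.update(status="tcp_failed", detail=str(exc))
        return result
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            result.update(status="ok", tls_version=tls.version(),
                          subject=dict(rdn[0] for rdn in cert.get("subject", ())))
    except OSError as exc:  # ssl.SSLError (incl. verification errors) is an OSError
        result.update(status="tls_failed", detail=str(exc))
    return result


def run_checklist(topology, **hosts):
    """Run every required check for the topology and return the results in order."""
    return [dict(label=label, **check_endpoint(host))
            for label, host in required_checks(topology, **hosts)]


if __name__ == "__main__":
    # Constructed names for a distributed deployment with two load balancers.
    for r in run_checklist("distributed",
                           appliance_lb="vra-lb.corp.example",
                           iaas_lb="iaas-lb.corp.example"):
        hint = "  (use a DNS name rather than an IP)" if r["ip_literal"] else ""
        print(f"{r['label']:<13} {r['host']:<26} {r['status']}{hint}")
```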

 

This should resolve most of the issues we hit with VRA adapter failures on vROps. As always, never forget to check the logs, mainly the analytics and adapter logs.

Happy Learning.....

Checking vSAN free capacity with the storage policy taken into account, using PowerCLI.


In vSAN 6.7 U1, you can check the free datastore capacity with the "VM storage policy" taken into account.

As shown below, in the "Capacity Overview" screen of the vSAN datastore, "Usable capacity with the policy" shows the free capacity that virtual machines can actually use.

In the screenshot it is calculated with the default policy, "vSAN Default Storage Policy".

vsan-usage-01.png

 

So let's check the usable capacity with a different VM storage policy.

The default policy is "Failures to tolerate: 1 failure - RAID-1 (Mirroring)", so I deliberately created a policy named "policy-vsan-raid0" with "No data redundancy".

vsan-usage-02.png

 

When you select this policy in the "Capacity Overview" screen, you can see that the usable capacity with the policy doubles if it is used (although there is no redundancy).

vsan-usage-03.png

 

This information can now also be checked with PowerCLI:

PowerCLI 11.2 Released, with more goodness for vSAN!

So let's do the same free-capacity check with PowerCLI.

This time I am using PowerCLI 11.2, and I am already connected to vCenter.

PowerCLI> Import-Module VMware.PowerCLI

PowerCLI> Get-Module VMware.PowerCLI | select Name,Version

 

Name            Version

----            -------

VMware.PowerCLI 11.2.0.12483598

 

 

In PowerCLI, you can check vSAN capacity information with Get-VsanSpaceUsage.

* infra-cluster-01 is the name of the vSAN cluster.

However, the FreeSpaceGB and CapacityGB values shown below do not reflect the free capacity based on the policy we are checking.

So we look at the VsanWhatIfCapacity property instead.

PowerCLI> Get-VsanSpaceUsage -Cluster infra-cluster-01

 

Cluster              FreeSpaceGB     CapacityGB

-------              -----------     ----------

infra-cluster-01     2,911.358       4,657.552

 

 

When no VM storage policy is specified, VsanWhatIfCapacity holds no information.

PowerCLI> Get-VsanSpaceUsage -Cluster infra-cluster-01 | select -ExpandProperty VsanWhatIfCapacity

PowerCLI>

 

Here the default policy is specified.

PowerCLI> Get-VsanSpaceUsage -Cluster infra-cluster-01 -StoragePolicy "vSAN Default Storage Policy" | select -ExpandProperty VsanWhatIfCapacity | Format-List

 

StoragePolicy         : vSAN Default Storage Policy

TotalWhatIfCapacityGB : 2328.77610206604

FreeWhatIfCapacityGB  : 1455.28823816683

 

 

Specifying the "policy-vsan-raid0" policy created above is reflected in the result.

PowerCLI> Get-VsanSpaceUsage -Cluster infra-cluster-01 -StoragePolicy "policy-vsan-raid0" | select -ExpandProperty VsanWhatIfCapacity | Format-List

 

StoragePolicy         : policy-vsan-raid0

TotalWhatIfCapacityGB : 4657.55220413208

FreeWhatIfCapacityGB  : 2910.5833046427

 

 

I thought it might be handy to include this in the verification procedure when creating your own VM storage policies.

That was the story of checking free capacity on a vSAN datastore.

vRA Custom Forms: Enter Memory in GB rather than MB


Hi all,

so... I figured something out and wanted to share it with you guys. vRA 7.5 (Hotfix 4, VMware Knowledge Base) has come a long way in regards to custom forms. However, there are still some things that are annoying, such as that one must input Memory in MB. I understand that that is a leftover from the vCenter API... but seriously... it's 2019!

 

So I finally came up with a workaround (requires custom forms, vRA 7.5 Hotfix >= 4).

1) Create a vRO action (I call it memGB2MB) that looks like this:

Input    memGB    Number
Output            Number
Script   return memGB*1024;

 

2) Create a custom form of your blueprint and drag at least CPU and Mem onto it.

3) Add a new Integer field and call it Memory (GB). Then assign it all the restrictions that the blueprint has in regards to Memory.
(If you haven't noticed yet: the blueprint restrictions are transferred ONLY once, when creating a custom form. If you update the Mem or CPU limits in the blueprint later, they are not passed dynamically to the custom form.)

4) Now click on the Memory (MB) field and go to Values. Select External source, then the vRO action you have created, and the Memory (GB) field as the input.

5) You can give the whole thing a go now... or just directly set the Memory (MB) field's Visibility to false.

Well..there is more.

 

The method would allow you to use an Array/String to display a dropdown menu for CPU and/or Memory. You just need a new action that has a string as its input, a number as its output and the following script:

return parseInt(memGB, 10) * 1024;  // parse the dropdown string as a base-10 integer, then convert GB to MB

 

have Fun!

Enabling Risk-Based Identity Assurance: VMware Workspace ONE + RSA SecurID Access


VMware's Workspace ONE provides a digital workspace platform with a seamless user experience across any application on any device. Users can access a platform-native catalog to download and install applications regardless of whether it's an iOS, Android, Windows 10 or macOS device. They can access both Web and SaaS applications as well as their virtualized applications, including Horizon and Citrix. Workspace ONE is designed to keep the user experience "Consumer Simple" while keeping the platform "Enterprise Secure".

 

VMware promotes the "Zero-Trust" approach when accessing corporate applications. Workspace ONE Unified Endpoint Management is a critical element in achieving a zero-trust model, ensuring the device itself is secure enough to access your corporate data. However, to achieve a zero-trust model we need to include both the Device Trust and the Identity Context. This is where the Risk-Based Identity Assurance offered by RSA SecurID Access becomes the perfect complement to Workspace ONE.

 

RSA SecurID Access makes access decisions based on sophisticated machine learning algorithms that take into consideration both risk and behavioral analytics. RSA SecurID Access offers a broad range of authentication methods including modern mobile multi-factor authenticators (e.g., push notification, one-time password, SMS and biometrics) as well as traditional hard and soft tokens.

 

I'm pretty excited about the integration between Workspace ONE and RSA SecurID Access because it offers extreme flexibility to control when and how multi-factor authentication will be used. After the initial setup, it also allows me to control everything from Workspace ONE.

 

RSA SecurID Access provides 3 levels of assurance that you can leverage within your access policies. You have full control to modify the authenticators into the appropriate levels based on your licensing from RSA.

 

Screen Shot 04-15-19 at 02.09 PM.PNG

 

You can create Access Policies in RSA SecurID Access that will map to the appropriate assurance levels:

 

Screen Shot 04-15-19 at 02.14 PM.PNG

 

In my environment, I've created 3 policies:

Screen Shot 04-15-19 at 03.09 PM.PNG

Once you've completed your access policies, you can then add your Workspace ONE tenant as a relying party.

 

Screen Shot 04-15-19 at 05.11 PM.PNG

 

Now this is where things get really interesting and you'll see why I'm excited about this integration. It's fairly common for a digital workspace or web portal to call out to an MFA provider to perform the necessary authentication and return the response. The problem that typically comes into play is whether the authenticators being used for MFA are too much or too little for the application being accessed. In most cases, the MFA provider is not aware of what application is being accessed and is only responding to the call from the relying party. Keep in mind that "User Experience" is at the forefront of the Workspace ONE solution.

 

The integration between Workspace ONE and RSA SecurID Access allows us to control which Access Policy (or level of assurance) will be used from within Workspace ONE.

 

In Workspace ONE, we can create the same policies that we did in RSA SecurID Access:

Screen Shot 04-15-19 at 02.46 PM.PNG

 

In Workspace ONE we can directly assign Web, SaaS or Virtual applications that require High Assurance into the "High Assurance" access policy and apps that require "Medium or Low Assurance" into the appropriate policy. When applications are accessed in Workspace ONE, it will automatically send the request to RSA SecurID Access with the requested policy to use for authentication.

 

So how does Workspace ONE specify which policy RSA SecurID Access should use for authentication? It's actually quite simple. The integration between Workspace ONE and RSA SecurID Access is based on SAML.

 

Initial authentication into Workspace ONE will typically come from Mobile SSO or Certificate Based Authentication (although other forms of authentication are available). After the initial authentication or once the user clicks on a specific application, Workspace ONE will send a SAML Authentication Request which will include the subject who needs additional verification:

 

<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">steve</saml:NameID>

</saml:Subject><samlp:NameIDPolicy AllowCreate="false"

 

When the SAML Request is sent from Workspace ONE, it will also include the access policy as part of the SAML AuthnContextClassRef:

 

<saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:rsa:names:tc:SAML:2.0:ac:classes:spec::LowWS1</saml:AuthnContextClassRef>

</samlp:RequestedAuthnContext>

 

You can see in the AuthnContextClassRef we are specifying the specific policy that RSA SecurID Access should use for authentication. 

 

When you create a 3rd Party IDP for RSA SecurID Access, you can specify the AuthnContextClassRef when defining the authentication methods:

Screen Shot 04-15-19 at 05.02 PM 001.PNG

Screen Shot 04-15-19 at 05.03 PM.PNG

 

I've actually left out a key element of the RSA SecurID Access solution, which is the Risk Level. Even though we've specifically called out the Low Assurance Policy, we can have RSA dynamically change that to High based on the user's risk score. RSA SecurID Access can use an "Identity Confidence" score to choose the appropriate assurance level. This is configured in the access policy:

 

Screen Shot 04-15-19 at 05.17 PM.PNG
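The following Python is an added example, not Workspace ONE or RSA SecurID Access code: it builds the AuthnRequest fragment shown above (Subject plus RequestedAuthnContext) for a given app, and then performs the check the relying party should make on the way back, accepting an assertion whose AuthnContextClassRef is at or above the requested level (so the risk-based step-up from Low to High passes) and rejecting anything lower or unknown. Only the LowWS1 class ref is on the page; the MediumWS1/HighWS1 names, the app-to-policy mapping and the sample response are assumptions.

```python
"""Per-app assurance level carried in the SAML AuthnContextClassRef, as described above.

Added example, not Workspace ONE or RSA SecurID Access code. Only the LowWS1 class
ref is from the page; MediumWS1/HighWS1, the app mapping and the sample response are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Class-ref prefix from the page; the three suffixes rank the assurance levels.
PREFIX = "urn:rsa:names:tc:SAML:2.0:ac:classes:spec::"
ASSURANCE_RANK = {PREFIX + "LowWS1": 1, PREFIX + "MediumWS1": 2, PREFIX + "HighWS1": 3}

# The policy each app is assigned to (constructed; in Workspace ONE this is the access policy).
APP_POLICY = {
    "wiki": PREFIX + "LowWS1",
    "hr-portal": PREFIX + "MediumWS1",
    "finance": PREFIX + "HighWS1",
}


def _q(prefix, tag):
    """Clark-notation qualified name, e.g. {urn:...:protocol}AuthnRequest."""
    return f"{{{NS[prefix]}}}{tag}"


def build_authn_request(subject, app, request_id="_req-placeholder"):
    """Build the SP-side AuthnRequest: Subject, NameIDPolicy and RequestedAuthnContext."""
    req = ET.Element(_q("samlp", "AuthnRequest"), {"ID": request_id, "Version": "2.0"})
    subj = ET.SubElement(req, _q("saml", "Subject"))
    name_id = ET.SubElement(subj, _q("saml", "NameID"),
                            {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"})
    name_id.text = subject
    ET.SubElement(req, _q("samlp", "NameIDPolicy"), {"AllowCreate": "false"})
    rac = ET.SubElement(req, _q("samlp", "RequestedAuthnContext"))
    ET.SubElement(rac, _q("saml", "AuthnContextClassRef")).text = APP_POLICY[app]
    return ET.tostring(req, encoding="unicode")


def requested_class_ref(authn_request_xml):
    """Class ref the relying party asked for."""
    root = ET.fromstring(authn_request_xml)
    return root.findtext("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", namespaces=NS)


def returned_class_ref(response_xml):
    """Class ref the IdP actually enforced, taken from the assertion's AuthnStatement."""
    root = ET.fromstring(response_xml)
    return root.findtext(
        "saml:Assertion/saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        namespaces=NS)


def assertion_satisfies_request(authn_request_xml, response_xml):
    """Relying-party check: the IdP may step Low up to High on risk, never down.

    Unknown class refs are rejected so a malformed or foreign value can never pass
    as "high enough". Signature validation of the response is assumed to have been
    done by the SAML stack already and is out of scope here.
    """
    wanted = requested_class_ref(authn_request_xml)
    got = returned_class_ref(response_xml)
    if wanted not in ASSURANCE_RANK or got not in ASSURANCE_RANK:
        return False
    return ASSURANCE_RANK[got] >= ASSURANCE_RANK[wanted]


def sample_response(class_ref):
    """Constructed, unsigned Response carrying just the AuthnContext we inspect."""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
        "<saml:Assertion><saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>"
    )


if __name__ == "__main__":
    req = build_authn_request("steve", "wiki")
    print(req)
    for level in ("LowWS1", "HighWS1"):
        print(level, assertion_satisfies_request(req, sample_response(PREFIX + level)))
```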

 

By leveraging RSA SecurID Access with VMware Workspace ONE we can now have risk-based identity assurance on a per-app level within Workspace ONE. For current Workspace ONE customers, this integration is based on SAML, so it does not require RADIUS and has no dependency on the vIDM Connector.

 

Together this keeps the user experience great on apps that might not need a high level of assurance and keeps the enterprise secure on the apps that require the high level of assurance.

3V0-624 VMware VCAP6.5-DCV Design Exam Quality Preparation Material


Want To Pass (Updated-2019) VMware VCAP6.5-DCV Design 3V0-624 Exam Immediately?

If you are someone who is planning to attempt the VMware VCAP6.5-DCV Design 3V0-624 certification exam, how important is it for you to pass the VCAP6.5-DCV Design exam in the first attempt? Now when it comes to preparing for the VMware VCAP6.5-DCV Design 3V0-624 Exam Questions there are many factors which play a huge role in the outcome of the exam.

 

Some of the factors are listed and discussed below:

  • Willingness to prepare
  • Planning the preparation
  • Gathering the preparation material

Willingness To Prepare VMware VCAP6.5-DCV Design 3V0-624 Certification Exam

This is probably one of the most critical factors in the preparation of the VMware VCAP6.5-DCV Design 3V0-624 certification exam. No one will push you to prepare for the exam except yourself. Since passing the 3V0-624 exam in the first attempt is a priority for you, you should be looking to go the extra mile and show great willingness to be prepared at your best.

Planning For The VMware VCAP6.5-DCV Design 3V0-624 Exam Preparation

So when you have the willingness to prepare for the VMware VCAP6.5-DCV Design 3V0-624 exam, the next step you have to take is to plan your preparation. You should plan how many hours daily or weekly you should allot to your preparation and what areas and topics to cover. While you can plan your preparation according to what you think is the right way, there are programs available which can guide you on how to plan your preparation in the best way possible.

 

3V0-624 EXAM? It's Easy If You Do It Smart

Certs2pass are offering their preparation material, which mostly consists of questions and answers that are the most relevant and similar to the actual VMware 3V0-624 exam questions, in PDF format. If you wonder why the PDF format, there are multiple reasons behind it. Certs2pass decided to choose the PDF format by keeping in mind the rising demands of their clients.

First of all, the PDF format provides great and easy accessibility to the users because it is mobile phone and tablet friendly. You can view the VMware preparation material anytime you want on your mobile phone or tablet, which you carry with you almost throughout the day.

VMware VCAP6.5-DCV Design 3V0-624 Mock Exam To Improve Your 3V0-624 Test Score

Well, as the name suggests, the software is designed to allow the candidates to do as much practice of the real exam as they should to make sure that they pass the VMware VCAP6.5-DCV Design 3V0-624 exam in the first attempt. So what better way to do it than offering them a mock exam which is designed to be very similar and relevant to the actual exam. The mock exam will simulate the real exam environment, which could be an important factor in preparation for the exam. It will have the same type of questions, format and time allowed, to make it as close to the real exam as possible.

How to Configure SAML Single Logout in WS1 for Okta


If you have configured Okta as a 3rd Party IDP in Workspace ONE you might have noticed that the "Logout" function in Workspace ONE doesn't log you out of your Okta session. The reason for this is that Okta does not include the "SingleLogoutService" by default in the metadata that is used when creating the 3rd Party IDP in Workspace ONE.

 

There are a couple of extra steps that you need to do to enable this functionality. Before you begin, please make sure you download your signing certificate from Workspace ONE.

 

  1. Log into Workspace ONE
  2. Click on Catalog -> Settings (Note: Don't click the down arrow and settings)
    Screen Shot 04-17-19 at 10.55 AM.PNG
  3. Click on SAML Metadata
  4. Scroll down to the Signing Certificate and Click Download
    Screen Shot 04-17-19 at 11.01 AM.PNG

Now you will need to log into your Okta Administration Console.

  1. Under Applications -> Click on the Workspace ONE application that you previously created
    Screen Shot 04-17-19 at 11.04 AM.PNG
  2. Click on the General Tab
  3. Under SAML Settings -> Click Edit
  4. Click Next
  5. Click on "Show Advanced Settings"
    Screen Shot 04-17-19 at 11.06 AM.PNG
  6. Enable the Checkbox that says "Enable Single Logout"
    Screen Shot 04-17-19 at 11.07 AM.PNG
  7. Under "Single Logout URL", enter:  "https://[WS1Tenant]/SAAS/auth/saml/slo/response"
    Screen Shot 04-17-19 at 11.09 AM.PNG
  8. Under SP Issuer, copy the value you have configured for Audience URI (SP Entity ID). This value should be: "https://[WS1Tenant]/SAAS/API/1.0/GET/metadata/sp.xml"
    Screen Shot 04-17-19 at 11.12 AM.PNG
  9. Under "Signature Certificate", browse to the location you downloaded the Workspace ONE certificate in the previous steps.
  10. Click Upload Certificate
  11. Click Next
  12. Click Finish
  13. Click on the "Sign On" tab
  14. Click on Identity Provider Metadata
    Screen Shot 04-17-19 at 11.15 AM.PNG
  15. You will notice that your Identity Provider Metadata now includes the SingleLogoutService:
    Screen Shot 04-17-19 at 11.19 AM.PNG
  16. Copy this metadata.
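As an added example (not Okta or Workspace ONE code), this Python reads IdP metadata and reports whether it advertises a SingleLogoutService and a signing certificate, which is what the procedure above adds to Okta's metadata, so you can confirm the export before pasting it into Workspace ONE. The metadata string is a constructed sample in SAML 2.0 metadata shape; the entity ID, URLs and certificate are placeholders.

```python
"""Check SAML IdP metadata for SingleLogoutService, the element the steps above add.

Added example, not Okta or Workspace ONE code. SAMPLE_METADATA is a constructed
document in SAML 2.0 metadata shape; entity ID, URLs and certificate are placeholders.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="http://idp.okta.example/placeholder-id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.okta.example/app/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.okta.example/app/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text):
    """Summarise an IdP EntityDescriptor: entity ID, SSO/SLO endpoints, signing key."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    def endpoints(tag):
        return [(e.get("Binding"), e.get("Location")) for e in idp.findall("md:" + tag, NS)]

    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    signing = any(
        k.get("use") in (None, "signing")
        and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
        for k in idp.findall("md:KeyDescriptor", NS)
    )
    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
        "signing_key": signing,
    }


def slo_problems(summary):
    """Reasons why logging out of Workspace ONE would not end the IdP session."""
    problems = []
    if not summary["slo"]:
        problems.append("no SingleLogoutService: the IdP metadata does not advertise single logout")
    for _binding, location in summary["slo"]:
        if not (location or "").startswith("https://"):
            problems.append("SLO endpoint is not https: " + str(location))
    if not summary["signing_key"]:
        problems.append("no signing certificate: logout messages from the IdP cannot be verified")
    return problems


if __name__ == "__main__":
    summary = inspect_idp_metadata(SAMPLE_METADATA)
    print(summary["entity_id"], summary["slo"])
    print(slo_problems(summary) or "single logout looks usable")
```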

 

Now switch back to Workspace ONE.

 

  1. Go to Identity & Access Management
  2. Click on Identity Providers
  3. Click on your Okta 3rd Party IDP you previously created
  4. Paste your new Okta Metadata and click "Process IdP Metadata"
    Screen Shot 04-17-19 at 11.22 AM.PNG
  5. Scroll down to "Single Sign-out Configuration" and check "Enable". (Note: Make sure the other two values are left blank)
    Screen Shot 04-17-19 at 11.24 AM.PNG

Now you should be able to logout from Workspace ONE and be signed out of both solutions.

 

Screen Shot 04-17-19 at 11.25 AM.PNG

Using Workspace ONE with Microsoft Authenticator


We come across the scenario quite often when customers want to leverage Microsoft Authenticator when using Workspace ONE UEM and/or Horizon.

 

In this blog, I'd like to go through the various options and outline the user experience with each of the options.

 

The main use cases we see are:

 

  • Microsoft MFA for Horizon Desktop
  • Microsoft MFA for SaaS Applications federated directly with Workspace ONE.
  • Microsoft MFA for Device Enrollment in Workspace ONE UEM
  • Microsoft MFA for SaaS Applications federated with Azure AD.

 

There are 3 integration options that you can consider to integrate Microsoft Authenticator with Workspace ONE.

 

Azure AD as a 3rd Party IdP in Workspace ONE

 

In this option, the following needs to be configured:

  • Azure AD configured as a 3rd Party IdP in Workspace ONE
  • Workspace ONE configured as an enterprise app in Azure
  • Conditional Access Policy Configured in Azure AD to require Microsoft Authenticator for the Workspace ONE Application.

 

Screen Shot 04-17-19 at 03.11 PM.PNG

Let's walk through the authentication flow in this option:

  1. The user will access their Horizon Desktop (or any application that is federated directly with Workspace ONE).
    Note: Office 365 can NOT be federated with Workspace ONE in this scenario
  2. The application will send a SAML Authentication Request to Workspace ONE
  3. Assuming the access policy in Workspace ONE is configured for Azure Authentication, the user will be redirected to Azure AD.
  4. The user will enter their email address.
  5. Assuming the domain is not currently federated with another IdP, Azure will prompt the user to enter their password.
  6. Azure conditional access policies will then trigger for Microsoft MFA.
  7. The user will be returned to Workspace ONE and subsequently authenticated to Horizon. (Note: Horizon should be configured with TrueSSO for optimal user experience).

 

Workspace ONE as a Federated Domain in Azure AD

 

In this option, the following needs to be configured:

  • Azure domain must be federated to Workspace ONE
  • Conditional Access Policy Configured in Azure AD to require Microsoft Authenticator for the Workspace ONE Application.
  • Mobile SSO/Certificate Authentication Configured in Workspace ONE

Screen Shot 04-17-19 at 05.29 PM.PNG

Let's walk through the authentication flow in this option:

  1. The user will access Office 365 (or any application federated with Azure AD).
  2. The user will enter their email address.
  3. The user will be redirected to Workspace ONE
  4. Workspace ONE will authenticate the user using Mobile SSO, Certificate or some other authentication mechanism (as well as checking device compliance).
  5. Workspace ONE will respond with a successful response back to Azure AD.
  6. Azure conditional access policies will then trigger for Microsoft MFA.
  7. The user will be successfully authenticated into Office 365 (or another Azure-federated application).

 

Workspace ONE with Microsoft Azure MFA Server

 

In this option, the following needs to be configured:

  • Azure MFA Server downloaded and installed on premises.
  • Workspace ONE Connector installed on premises.
  • Workspace ONE configured as a RADIUS client in Azure MFA Server

 

Screen Shot 04-17-19 at 05.41 PM.PNG

Let's walk through the authentication flow in this option:

  1. The user will access any application federated with Workspace (or Horizon/Citrix application).
  2. Workspace ONE will prompt for their username/password
  3. After clicking "Sign-In", a RADIUS call via the connector will be made to the Microsoft Azure MFA Server
  4. The MFA server will push a notification to the device to approve the request:

VMware TAM Source 10.15


 

FROM THE EDITOR'S VIRTUAL DESK
Hi VMware TAM Newsletter Readers, and welcome to the latest edition of the VMware TAM Newsletter. This week I would like to focus on a topic that is very close to us as TAMs: Customer Satisfaction. This is something that many organizations speak about and many groups include in their charter, but none, I believe, are as relevant as how we consider Customer Satisfaction to be the core tenet of the VMware TAM program. As a TAM this is 100% my focus, day in and day out. And to ensure that I measure up, every 6 months my customers get to evaluate me, and the results are sent to our leadership team for review of each individual on each of the accounts we work with.

 

Saying that we are customer centric, or customer first, is one thing, but when your MBOs are aligned 100% to customer satisfaction and your customers get to do the evaluation on a regular basis, it means that we, as VMware TAMs, take this very seriously. That is why our TAM program is like no other in the industry: we really do put our customers at the head of everything that we do.

 

I wish you all a fantastic rest of your week and look forward to speaking to you again soon.

 

Virtually Yours
VMware TAM Team


 

VMWARE TAM WEBINARS
When: July 12th @ 11AM EDT / 8AM PDT
Abstract: During our July TAM Customer Webinar, John Dias will show us What's New with vRealize Operations 6.7. The session will also cover upgrade considerations and provide an introduction to how Wavefront can enable monitoring for DevOps use cases. John Dias is a Sr. Technical Marketing Architect with VMware specializing in Cloud Management solutions. Register

Also, we would like your input on what you would like to see going forward with the webinar series: Here is the survey link.

 


NEWS AND DEVELOPMENTS FROM VMWARE

VMware Radius

  • 7 Artificial Intelligence Revelations from The Economist Innovation Summit
    “What is artificial intelligence (AI), and what is it not?” At The Economist Events’ Innovation Summit, I joined author and University of Washington professor Pedro Domingos, Walmart’s head of AI and Customer Technology Fiona Tan, and moderator and The Economist technology editor Alexandra Bass. We...
  • STEM Career Advice from a Women in Tech Hall of Famer
    Yanbing Li cannot believe she became a Women in Technology International (WITI) Hall of Fame inductee this week. With a long list of academic accreditation, including a Ph.D. from Princeton University, and a pivotal leadership position at the helm of VMware’s fastest growing technology business, Yan...
  • Agents of Change: Gideon Kay, a CIO who Thrives on Disruption and Change
    VMware’s Agents of Change initiative celebrates smart CIOs who challenge the status quo. By harnessing the transformative power of technology, they are creating unlimited possibilities for their businesses. Here’s the next individual in the Agents of Change Series: Gideon Kay, EMEA CIO for Dentsu A...

VMware Open Source Blog

  • OpenFaaS Mid-Year Recap
    Here’s some vital information you should know: You can package anything as a serverless function with OpenFaaS. The open source project, founded by VMware’s Alex Ellis, makes serverless functions simple for Docker and Kubernetes so that you can build a scalable, fault-tolerant, event-driven se...
  • Reflections on Running a Development Sprint at PyCon
    By Nisha Kumar, open source engineer, VMware I’m a longtime Python developer, but until this year I had never been to PyCon, the largest international conference for Python users. I went this year because I wanted to run a development sprint for Tern, the open source project that I maintain. PyCon’s...
  • The Minimum Viable Open Source Project – Inspiration from VMware’s OSTC
    By Nisha Kumar, open source engineer, VMware At minimum, what should go into an open source project to give it the best chance of success? We’ve been asking ourselves this question lately at VMware’s Open Source Technology Center (OSTC). In this post, I’ll share some pointers we’ve come up with on h...

VMware vSphere Blog

  • Upgrade Considerations for VMware vSphere 6.7
    Upgrading to VMware vSphere 6.7 With the recent excitement of vSphere 6.7 being released to the public, it’s only natural that a lot of discussion has revolved around upgrades. How do we upgrade, or even why should we upgrade have been the most popular questions recently. In this post I will cover ...
  • vSphere and VMware Cloud on AWS at Dell Technologies World 2018
    Are you planning to attend Dell Technologies World this year? So is the vSphere team! We’re excited to be part of the show, and to talk about all the ways the latest version of vSphere can help you support the demands of your business customers. Do you have questions? We would love to meet with you ...
  • Introducing VMware vSphere 6.7!
    We are excited to share that today VMware is announcing vSphere 6.7, the latest release of the industry-leading virtualization and cloud platform. vSphere 6.7 is the efficient and secure platform for hybrid clouds, fueling digital transformation by delivering simple and efficient management at scale...

Network Virtualization

  • Boston Medical Center Secures Electronic Patient Records with VMware NSX
      Boston City Hospital and Boston University Medical Center Hospital merged in 1996 to form Boston Medical Center (BMC).  This 497-bed teaching hospital in the South End of Boston provides primary and critical care to a diverse population and houses the largest Level 1 trauma center in New Englan...
  • Micro-segmentation Starter Kit
    Traditional security solutions are designed to protect the perimeter.  As applications and data are becoming increasingly distributed, they are often spanning not only multiple sites, but also multiple clouds.  This is making it harder to identify where the perimeter actually is in order to secure i...
  • Two-Factor Authentication with VMware NSX-T
    In a previous post, I covered how to integrate NSX-T with VMware Identity Manager (vIDM) to achieve remote user authentication and role-based access control (RBAC) for users registered with a corporate Active Directory (AD). In this post, I'm showing how to add two-factor authentication (2FA) for N...

VMware Cloud Management

  • vRealize Log Insight and VMware Log Intelligence: Better Together
    Credit to NICO GUERRERA for blog content (Bio Below)!   vRealize Log Insight 1.0 was released for general availability in 2013, and since then it has steadily grown in features, scale, and customer adoption. I have worked with customers who have deployed up to sixty nodes of Log Insight across mul...
  • May 16th Webinar: More Usability Improvements of vRealize Automation and vRealize Life Cycle Manager
    On May 16th, we will be hosting another Getting More Out of VMware webinar. The webinar is designed for Cloud Administrators and VI Administrators who leverage vRealize Suite products, such as vRealize Automation,  to run their virtual infrastructure and cloud environment. It will be a great opportu...
  • Decision Driven Provisioning with Anything as a Service (XaaS)
    Decision Driven Provisioning with XaaS To me, the power of vRealize Automation has always been how easy it is to take square pegs and fit them into round holes. Generally this capability comes in the form of leveraging “Anything as a Service”, also known as XaaS. XaaS allows you to take any vRealiz...

Cloud-Native Apps

VMware End-User Computing Blog

  • Augmented World Expo 2018: Go XR or Go Extinct
    “Now is the time to go XR or go extinct.” – Ori Inbar, Co-Founder of AWE and Super Ventures Last week’s Augmented World Expo (AWE) USA in Santa Clara, California was AWEsome! With nearly 6,000 attendees and hundreds of breakout sessions and exhibitors, the event was full of new technologies and ins...
  • The Smart Store
    The Boston Consulting Group expects spending on IoT in the retail sector to reach $12.9b in 2020, quadruple the figure for 2015. As the industry looks to maximize profits and market share in an interconnected, competitive environment, IoT continues to take center stage. Challenges for these organizat...
  • VMware Workspace ONE and VMware Horizon 7 Enterprise Edition On-premises Reference Architecture
    The VMware Workspace ONE and VMware Horizon 7 Enterprise Edition On-premises Reference Architecture is now available and is a must read for anyone considering, designing, or undertaking a VMware Workspace ONE or VMware Horizon 7–based project. This reference architecture provides guidance, an exampl...

The Support Insider

  • New KB articles published for week ending 10th June 2018
    VMware Cloud on AWS Failed to add groups to the “CloudAdminGroup” during HLM Date Published: 6/5/2018 Authenticity of the host’s ssl certificate is not verified Date Published: 6/5/2018 VMware Horizon Unable to login to Horizon Console or View Administrator using IP address Date Published: 6/6/2018 ...
  • Top 20 vSAN articles for May 2018
    Component metadata health check fails with invalid state error “Host cannot communicate with all other nodes in vSAN enabled cluster” error vCenter Server 6.0 Update 2 displays on non-vSAN enabled ESXi hosts displays the message: Retrieve a ticket to register the vSAN VASA Provider Status of TLSv1....
  • Top 20 NSX articles for May 2018
    Virtual machine in ESXi is unresponsive with a non-paged pool memory leak VMs running on ESXi 5.5 with vShield endpoint activated fails during snapshot operations Performing vMotion or powering on a virtual machine being protected by vShield Endpoint fails When using VMware vShield App Firewall, vi...
  • Top 20 vSphere articles for May 2018
    “The transaction log for database ‘VIM_VCDB’ is full” error on a Microsoft SQL DB server ESXi 5.5 Update 3b and later hosts are not manageable after an upgrade “Host IPMI system event log status” alarm in vCenter Server Determining where growth is occurring in the vCenter Server database ESXi host ...
  • New KB articles published for week ending 3rd June 2018
    Skyline Collector Appliance VC_EVENTS endpoint failure in Skyline Collector version 1.0.x and 1.1.x Date Published: 6/1/2018 VMware Application Proxy Unable to activate plugins in VMware Application Proxy 1.0 installed after May 20th Date Published: 5/28/2018 Unable to activate plugins in VMware App...

Cloud Foundation

  • Patching Made Easy with VMware Cloud Foundation
    A common challenge faced by every IT department is keeping up with the inevitable and never-ending flow of software updates. This becomes even more critical in a modern Software-Defined Data Center (SDDC), where compute, network and storage virtualization are interwoven into a unified data center fa...
  • VMware Cloud Foundation Architecture Poster 2.3
    VMware is pleased to release the latest VMware Cloud Foundation (VCF) architecture poster. VCF is a fully automated, hyper-converged software stack that includes compute, storage, networking and cloud management. Because VCF has so many tightly integrated products, it is important to understand the ...
  • HPE Synergy and VMware Cloud Foundation – now certified
    Author Bhumik Patel – Technical Alliances, VMware @bhumikp   Introduction: As customers leverage VMware Cloud Foundation (VCF) to provide integrated Software Defined Data Center (SDDC) & cloud management services for running enterprise applications, it becomes critical to rely on an underlying pl...


EXTERNAL NEWS FROM 3RD PARTY BLOGGERS

VMGuru

  • New Lab Stuff
    Some time ago, back in December of 2015, I started a three-part story on how to have a supported SMB or lab environment. It consisted of a couple of Hewlett Packard Enterprise Microserver Gen 8’s and a NAS by QNAP. Check out the three part... The post New Lab Stuff appeared first on VMGuru. ...
  • Running OTNSX in a Docker container
    In March of this year we released a whitepaper on automating security using a helpdesk system. For the whitepaper we were using VMware NSX and OTRS. The middleware we created to service it all was given the name OTNSX. More recently I have started playing... The post Running OTNSX in a Docker cont...
  • What is the VMware Virtual Cloud Network?
    A couple of weeks ago, VMware launched the Virtual Cloud Network (VCN). It’s kind of obvious that this is a marketing term and not a specific product or service. However, it’s not all fluff and there is actually some good meat behind this announcement and... The post What is the VMware Virtual Clou...
  • Upgrade vRealize Suite using vRealize Lifecycle Manager
    Recently VMware updated their entire vRealize Suite. It’s always nice to receive a new suite of products with new shiny functionality but it also means a lot of work for you sysadmins, upgrading your entire environment. Well, not any more! With vRealize Lifecycle Manager it... The post Upgrad...
  • A first look at vRealize Content Management
    In my last blogpost I wrote about managing your Puppet code using a Source Control repository. This post is an extension on that one where I will talk about managing your vRealize content with VMware vRealize Suite Lifecycle Manager (vRSLCM) plus bring it under source... The post A first look at vR...

virtuallyGhetto

  • vGhetto Automated Pivotal Container Service (PKS) Lab Deployment
    While working on my Getting started with VMware Pivotal Container Service (PKS) blog series awhile back, one of the things I was also working on was some automation to help build out the required infrastructure NSX-T (Manager, Controller & Edge), Nested ESXi hosts configured with VSAN for the Co...
  • Feedback on default behavior for VM Storage Policy
    Today, the vCenter REST (vSphere Automation) APIs do not currently support the use of VM Storage Policies when relocating (vMotion, Cross Datacenter vMotion & Storage vMotion) or cloning an existing Virtual Machine. Customers have provided feedback that this is something that they would like t...
  • How do you "log a reason" using PowerCLI when rebooting or shutting down ESXi host?
    I am sure many of you have seen this UI prompt asking you to specify a reason before issuing a reboot or shutdown of an ESXi host and I assume most of you spend a few seconds to type in a useful message and not just random characters, right?    Have you ever tried performing […]...
  • Quick Tip - OVFTool 4.3 now supports vCPU & memory customization during deployment
    In addition to adding vSphere 6.7 support and a few security enhancements (more details in the release notes), the latest OVFTool 4.3 release has also been enhanced to support customizing either vCPU and/or Memory from the default configurations when deploying an OVF/OVA. Historically, it was only p...
  • How to simulate Persistent Memory (PMem) in vSphere 6.7 for educational purposes?
    A really cool new capability that was introduced in vSphere 6.7 is the support for the extremely fast memory technology known as non-volatile memory (NVM), also known as persistent memory (PMem). Customers can now benefit from the high data transfer rate of volatile memory with the persistence and r...

ESX Virtualization

  • How-to Upgrade ESXi 6.x to 6.7 via vSphere Update Manager (VUM)
    We previously posted about upgrading VMware ESXi 6.x to 6.7 via ISO image and many readers liked the simple approach it brings. However, in enterprise scenarios, we have to deal with more than a couple of hosts so it would not be very time effective to do that for dozens or hundreds of hosts. VMware...
  • Windows Server 2019 What’s New – Insider Preview Build 17666
    About a week ago, Microsoft has released Windows Server 2019 Insider preview build 17666. We’ll have a look at this build and check what’s new in this release. We have already reported on Windows Server 2019 here and also we have reported on Microsoft has released the new build of the Windows Server...
  • How To do a Dry Run of an esxcli Installation or Upgrade on VMware ESXi
    The upgrade season is here. VMware has released vSphere 6.7 and soon first backup/monitoring products will be compatible. Time to learn some tricks before Installation or upgrade on VMware ESXi. You know that with VMware ESXi hypervisor you can test an upgrade. I mean run the upgrade without actuall...
  • Top 3 Free Tools To Create ESXi 6.7 Installer USB Flash Drive
    With every release of VMware ESXi hypervisor, we need to update our USB stick which we’ll use to clean installation or upgrade of ESXi hypervisor. Today we’ll show Top 3 Free Tools To Create ESXi 6.7 Installer USB Flash Drive. (Well, after long search, only two…). I’m sure that there are many others...
  • StarWind and Highly Available NFS
    Compared to traditional NFS architecture configured for high availability, the solution is most often costly as the need for additional dedicated hardware is necessary. But there are other ways to do that and today we’ll show you how StarWind and Highly Available NFS share is configured and what’s t...

CormacHogan.com

  • A deeper-dive into Fault Tolerant VMs running on vSAN
    After receiving a number of queries about vSphere Fault Tolerance on vSAN over the past couple of weeks, I decided to take a closer look at how Fault Tolerant VMs behave with different vSAN policies. I wanted to take a look at two different policies. The first is when the “failures to tolerate” (com...
  • Integrating NSX-T and Pivotal Container Services (PKS)
    If you’ve been following along my recent blog posts, you’ll have seen that I have been spending some time ramping up on NSX-T and Pivotal Container Services (PKS). My long term goal was to see how these two products integrate together and to figure out the various moving parts. As I was very unfamil...
  • Next steps with NSX-T Edge – Routing and BGP
    If you’ve been following along on my NSX-T adventures, you’ll be aware that at this point we have our overlay network deployed, and our NSX-T edge has been setup to with DHCP servers attached to my logical switch, which in turn provides IP addresses to my virtual machines. This is all fine and well,...
  • Performance Checklist now available for vSAN benchmarking
    Hot on the heels of the vSAN 6.7 release, a new performance checklist for vSAN benchmarking has now been published on our StorageHub site. This is the result of a project that I started a few months back with my colleague, Paudie O’Riordan. It builds upon a huge amount of groundwork that was already...
  • My highlights from KubeCon and CloudNativeCon, Europe 2018
    This week I attended KubeCon and CloudNativeCon 2018 in Copenhagen. I had two primary goals during this visit: (a) find out what was happening with storage in the world of Kubernetes (K8s), and (b) look at how people were doing day 2 operations, monitoring, logging, etc, as well as the challenges on...

Scott's Weblog

  • Examining X.509 Certificates Embedded in Kubeconfig Files
    While exploring some of the intricacies around the use of X.509v3 certificates in Kubernetes, I found myself wanting to be able to view the details of a certificate embedded in a kubeconfig file. (See this page if you’re unfamiliar with what a kubeconfig file is.) In this post, I’ll shar...
  • Using Variables in AWS Tags with Terraform
    I’ve been working to deepen my Terraform skills recently, and one avenue I’ve been using to help in this area is expanding my use of Terraform modules. If you’re unfamiliar with the idea of Terraform modules, you can liken them to Ansible roles: a re-usable abstraction/function tha...
  • A Quadruple-Provider Vagrant Environment
    In October 2016 I wrote about a triple-provider Vagrant environment I’d created that worked with VirtualBox, AWS, and the VMware provider (tested with VMware Fusion). Since that time, I’ve incorporated Linux (Fedora, specifically) into my computing landscape, and I started using the Libv...
  • Technology Short Take 101
    Welcome to Technology Short Take #101! I have (hopefully) crafted an interesting and varied collection of links for you today, spanning all the major areas of modern data center technology. Now you have some reading material for this weekend! Networking Kirk Byers discusses the direct TextFSM int...
  • Exploring Kubernetes with Kubeadm, Part 1: Introduction
    I recently started using kubeadm more extensively than I had in the past to serve as the primary tool by which I stand up Kubernetes clusters. As part of this process, I also discovered the kubeadm alpha phase subcommand, which exposes different sections (phases) of the process that kubeadm init fol...

Welcome to vSphere-land!

  • Top vBlog 2018 starting soon, make sure your site is included
    I’ll be kicking off Top vBlog 2018 very soon and my vLaunchPad website is the source for the blogs included in the Top vBlog voting each year so please take a moment and make sure your blog is listed.  Every year I get emails from bloggers after the voting starts wanting to be added but … Con...
  • Configuration maximum changes in vSphere 6.7
    A comparison using the Configuration Maximum tool for vSphere shows the following changes between vSphere 6.5 & 6.7. [[ This is a content summary only. Visit my website for full links, other content, and more! ]]...
  • Important information to know before upgrading to vSphere 6.7
    vSphere 6.7 is here and with support for vSphere 5.5 ending soon (Sept.) many people will be considering upgrading to it. Before you rush in though there is some important information about this release that you should be aware of. First let’s talk upgrade paths, you can’t just upgrade f...
  • vSphere 6.7 Link-O-Rama
    Your complete guide to all the essential vSphere 6.7 links from all over the VMware universe. Bookmark this page and keep checking back as it will continue to grow as new links are added everyday. Also be sure and check out the Planet vSphere-land feed for all the latest blog posts from the Top 100 ...
  • Summary of What’s New in vSphere 6.7
    Today VMware announced vSphere 6.7 coming almost a year and a half after the release of vSphere 6.5. Doesn’t look like the download is quite available yet but it should be shortly. Below is the What’s New document from the Release Candidate that summarizes most of the big things new in t...

Virtual Geek

  • It's time for change, and change = renewed invention, renewed vigor, renewed discovery.
    I'm going to make this a two-part post. Part 1 = what is in the rear-view window? Part 2 = what's out the front windshield? Part 1: CPSD and Dell EMC are in my rear-view window. First, while I want to close the chapter behind me - it's a flawed analogy, because it suggests some sort of "finality". ...
  • The best athletes (and VxBlock 1000) = faster, higher, stronger!
    In watching the Olympics, it’s amazing to see athletes doing amazing things – frankly it’s inspiring. Sometimes it’s a new star rising – something new (amazing Chloe Kim!) .   Sometimes it’s a veteran pulling a “Michael Phelps” – producing every 4 years (see Dutch speed skater Sven Kramer). I’m not...
  • What a start to the year...
    It's been a crazy couple days on a couple fronts, but the most material front has certainly been Spectre and Meltdown. There are lots of sources, and the trick is that while distinctly the root cause lies in the CPU domain and with the CPU manufacturers- the impact touches nearly everything. It's b...
  • To all: THANK YOU for 2017, and let's dream of 2018!
    To all my readers, all our customers and partners, all my colleagues, all my friends – heck my competitors, thank you for everything in 2017.   It was a year filled with change for me in the middle of a massive integration through the Dell acquisition – with a ton of learning, a ton of personal d...
  • Looking forward to 2018: Vertical Stack Wars are upon us.
    This is part 3 of a 3-part blog series on things that I'm thinking about going into 2018. Warning – remember, Virtual Geek posts are my musings, not an official company position. They are officially my opinions – which means they aren't worth more than 2 cents. They aren't authored by anyone...

Eric Sloof - NTPRO.NL

  • vSAN HCL viewer
    Harald Ruppert, a vSAN Escalation Engineer at VMware, has created a great tool to check if your vSAN hardware is supported. The vSAN HCL viewer is based on the VMware vSAN HCL in JSON format for online use of vSAN health checks. If you would like to build your own vSAN, then you can do so usi...
  • New Technical White Paper - NSX Distributed Firewalling Policy Rules Configuration Guide
    This document covers how one can create security policy rules in VMware NSX. This will cover the different options of configuring security rules either through the Distributed Firewall or via the Service Composer User Interface. It will cover all the unique options NSX offers to create dynamic ...
  • VMware User Environment Manager 9.4 Technical What's New
    See What's New in User Environment Manager version 9.4. Includes a demo of the new argument based Privilege Elevation feature. ...
  • Latest Fling from VMware Labs - DRS Entitlement Viewer
    DRS Entitlement Viewer is installed as a plugin to the vSphere client. It is currently only supported for the HTML5 based vSphere client. Once installed, it gives the hierarchical view of vCenter DRS cluster inventory with entitled CPU and memory resources for each resource pool and VM in the c...
  • New Technical White Paper - What's New in Performance? VMware vSphere 6.7
    Underlying each release of VMware vSphere are many performance and scalability improvements. The vSphere 6.7 platform continues to provide industry-leading performance and features to ensure the successful virtualization and management of your entire software-defined datacenter. This paper d...

Virten.net

  • 7th Gen NUC Remote Management with KVM using vPro AMT
    Intel's latest 7th Gen Dawson Canyon NUCs are equipped with AMT vPro Technology. Intel AMT (Active Management Technology) allows remote management including a KVM Console. vPro is available in NUCs with i7 and i5 CPUs. NUCs with i3 CPUs do …Read more »...
  • ESXi on 7th Gen Intel NUC (Kaby Lake - Dawson Canyon)
    Intel launched a commercial version of their 7th Gen NUCs. The new Dawson Canyon named NUCs are available with vPro technology which allows you to manage NUCs remotely. NUCs are not officially supported by VMware but they are very widespread in many …Read more »...
  • vCenter Service Appliance 6.7 Tips and Tricks
    VMware is moving their vCenter Server from Windows to the Linux based Photon OS. The following tips and tricks might come in handy when working with the vCenter Service Appliance 6.7: Enable SSH File Transfer with SCP/SFTP Public Key Authentication Disable …Read more »...
  • Free ESXi 6.7 - How to Download and get License Keys
    vSphere 6.7 has been released and as known from previous versions, VMware provides a free version of their Hypervisor ESXi for everyone again. The license key can be created for free at VMware's website. It has no expiration date. The …Read more »...
  • VMware ESXi 6.7 - IO Devices not certified for upgrade
    Beside Server Hardware, also double check if your IO Devices (eg. NIC, HBA,..) are supported when updating ESXi hosts from VMware vSphere 6.5 to 6.7. The following devices were supported in vSphere 6.5 but are according to VMware's HCL not (yet) …Read more »...

vInfrastructure Blog

  • #SFD16 – Storage Field Day 16
    I'm very proud and honored to be invited to the next Storage Field Day in Boston. It will be the 16th edition of Storage Field Day (#SFD16), and seems to be very interesting both for the presenters and the delegates lists. I'm very excited for this event, that remains a must for all techie-people: ...
  • Hitachi is reshaping its IT division
    Hitachi is a huge company with a lot of products, solutions, technologies in different verticals (including automotive, energy, healthcare, …) but also spreading from the consumer part to the business and research part. But in September 2017, it launched Hitachi Vantara, a new business...
  • VMware vExpert vSAN 2018
    The vExpert vSAN program is a specific VMware vExpert (sub)program focused on the vSAN product. The idea to have specialized groups of vExpert was to bring again (like at the origins) the vExpert program as an "elite" program. After the vExpert vSAN 2016 and 2017 lists, now VMware has j...
  • NSX-T Data Center 2.2.0
    VMware has announced the general availability of NSX-T Data Center 2.2.0. VMware NSX-T Data Center is the next generation product that provides a scalable network virtualization and micro-segmentation platform for multi-hypervisor environments, container deployments and native workloads running in p...
  • Packt Summer Skill Up campaign
    Packt has started a new BID opportunity called Summer Skill Up campaign. Based on findings from their new Skill Up Industry report (that you can read here), the sale will help more tech professionals around the world learn the skills that matter. Every single eBook and video is available for just $10...

DISCLAIMER
While I do my best to publish unbiased information specifically related to VMware solutions there is always the possibility of blog posts that are unrelated, competitive or potentially conflicting that may creep into the newsletter. I apologize for this in advance if I offend anyone and do my best to ensure this does not happen. Please get in touch if you feel any inappropriate material has been published. All information in this newsletter is copyright of the original author. If you are an author and wish to no longer be used in this newsletter please get in touch.

© 2018 VMware Inc. All rights reserved.

Share RDMs with PowerCLI


I recently came across a customer who had many applications running in clusters which required RDMs and wanted to automate the process of attaching and sharing the RDMs between multiple Virtual Machines. PowerCLI being the customer's preferred method for automating anything, I started out by mapping the steps which had to be performed to successfully attach and share an RDM.

  • Find the available free ports on the SCSI Controller and add a new SCSI Controller if required.
  • Create a custom object to hold all the information about the virtual machine, RDM and SCSI Controller Bus and Port Numbers being used.
  • Use the information captured to attach the RDM on the first Virtual Machine.
  • Capture the new Disk information and share the same device to other Virtual Machines.

(Note: All the functions mentioned below have been written with the assumption that all Virtual Machines are identical in terms of the existing storage mapped.)

  • First things first – set up the parameters for the script call.
    1. PrimaryVirtualMachineName – VM on which the RDM will be added initially.
    2. SecondaryVirtualMachinesName – Comma-separated names of the VMs with which the RDM is to be shared.
    3. PathtoRDMfile – Path to the file containing the list of RDM WWNs.

param(
    $PrimaryVirtualMachineName,
    $SecondaryVirtualMachinesName = @(),
    $PathtoRDMfile
)
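Before any of the functions below reconfigure a VM, it is worth checking the two things they take for granted: that the WWN file only holds well-formed NAA IDs (each entry goes straight into an esxcli argument) and that every VM really has the same SCSI layout and can see every LUN from its own host. The following pre-flight check is an added example and not part of the original post; the function name is mine, and it assumes the same three script parameters and an existing Connect-VIServer session.

```powershell
function Test-SharedRdmPrerequisites {
    param (
        [string]$PrimaryVirtualMachineName,
        [string[]]$SecondaryVirtualMachinesName = @(),
        [string]$PathtoRDMfile
    )
    $problems = @()

    # 1. The WWN list is untrusted input that becomes an esxcli argument: accept only
    #    32 hex characters (with or without the 'naa.' prefix), normalise and de-duplicate.
    $rdms = @()
    foreach ($line in (Get-Content -Path $PathtoRDMfile)) {
        $entry = $line.Trim()
        if (-not $entry) { continue }                       # skip blank lines
        if ($entry -match '^(naa\.)?([0-9a-fA-F]{32})$') {
            $rdms += $Matches[2].ToLower()
        } else {
            $problems += "Rejected RDM entry '$entry': expected 32 hex characters, optionally prefixed with naa."
        }
    }
    $rdms = @($rdms | Select-Object -Unique)

    # 2. AddRDM/ShareRDM reuse the same bus and unit numbers on every VM, so each
    #    secondary VM must expose the same SCSI controllers with the same used ports.
    $describeLayout = {
        param($vm)
        foreach ($ctl in (Get-ScsiController -VM $vm)) {
            $used = @($vm.ExtensionData.Config.Hardware.Device |
                Where-Object { $ctl.ExtensionData.Device -contains $_.Key } |
                ForEach-Object { $_.UnitNumber } | Sort-Object)
            '{0}:{1}:{2}:[{3}]' -f $ctl.ExtensionData.BusNumber, $ctl.Type, $ctl.BusSharingMode, ($used -join ',')
        }
    }
    $primary = Get-VM -Name $PrimaryVirtualMachineName
    $allVMs = @($primary) + @($SecondaryVirtualMachinesName | ForEach-Object { Get-VM -Name $_ })
    $reference = (& $describeLayout $primary) -join ';'
    foreach ($vm in ($allVMs | Select-Object -Skip 1)) {
        if (((& $describeLayout $vm) -join ';') -ne $reference) {
            $problems += "SCSI layout of '$($vm.Name)' differs from '$($primary.Name)'"
        }
    }

    # 3. A shared RDM only works if every host running one of the VMs can see the LUN;
    #    GetVMCustomObject below only checks the host of the primary VM.
    foreach ($vm in $allVMs) {
        $vmHost = $vm | Get-VMHost
        foreach ($rdm in $rdms) {
            $lun = Get-ScsiLun -VmHost $vmHost -CanonicalName "naa.$rdm" -ErrorAction SilentlyContinue
            if (-not $lun) {
                $problems += "naa.$rdm is not visible from host '$($vmHost.Name)' (VM '$($vm.Name)')"
            }
        }
    }

    New-Object PSObject -Property @{
        Ready    = ($problems.Count -eq 0)   # $true only when nothing was flagged
        RDMs     = $rdms                     # normalised, de-duplicated NAA IDs
        Problems = $problems
    }
}

# Example call with the same parameters the script takes (VM names and path are placeholders):
# $check = Test-SharedRdmPrerequisites -PrimaryVirtualMachineName 'clusternode01' `
#              -SecondaryVirtualMachinesName 'clusternode02','clusternode03' -PathtoRDMfile 'C:\rdm\wwn.txt'
# if (-not $check.Ready) { $check.Problems; return }
```

Run it once and abort on a non-empty Problems list; the RDMs property can then be handed to GetVMCustomObject in place of the raw file contents.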

  • Now we will create a function which builds a custom RDM object to hold all the information required to successfully attach and share an RDM. This is not strictly required, but it makes it easier to keep all the required information in a single place and to retrieve it when needed.

function GetVMCustomObject {
    param (
        $VirtualMachine,
        $RDMS
    )
    # esxcli (V2 interface) on the host currently running the VM
    $ESXCLI = $VirtualMachine | Get-VMHost | Get-EsxCli -V2
    $devobject = @()
    foreach ($RDM in $RDMS) {
        $RDM = 'naa.' + $RDM
        $Parameters = $ESXCLI.storage.core.device.list.CreateArgs()
        $Parameters.device = $RDM.ToLower()
        try {
            # Invoke throws when the device is unknown to the host, which lands us in the catch block
            $naa = $ESXCLI.storage.core.device.list.Invoke($Parameters)
            Write-Host "Found device $($naa.Device)"
            $device = New-Object PSObject
            $device | Add-Member -MemberType NoteProperty -Name "NAAID" -Value $naa.Device
            $device | Add-Member -MemberType NoteProperty -Name "SizeMB" -Value $naa.Size
            $device | Add-Member -MemberType NoteProperty -Name "DeviceName" -Value $naa.DevfsPath
            # Bus/unit number and mapping file name are filled in once the RDM has been attached
            $device | Add-Member -MemberType NoteProperty -Name "BusNumber" -Value $null
            $device | Add-Member -MemberType NoteProperty -Name "UnitNumber" -Value $null
            #$device | Add-Member -MemberType NoteProperty -Name "Device Key" -Value $null
            $device | Add-Member -MemberType NoteProperty -Name "FileName" -Value $null
            $devobject += $device
        }
        catch {
            Write-Host "$RDM does not exist on host $(Get-VMHost -VM $VirtualMachine)"
            Read-Host "Press Enter to exit the script."
            Exit
        }
    }
    return $devobject
}

  • Next up is the function to create a new SCSI controller if required.

function CreateScSiController {
    param (
        [int]$BusNumber,
        $VirtualMachine
    )
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.DeviceChange = @()
    $spec.DeviceChange += New-Object VMware.Vim.VirtualDeviceConfigSpec
    $spec.DeviceChange[0].Device = New-Object VMware.Vim.ParaVirtualSCSIController
    # Physical bus sharing lets VMs on different hosts share the disks on this controller
    $spec.DeviceChange[0].Device.SharedBus = 'physicalSharing'
    $spec.DeviceChange[0].Device.ScsiCtlrUnitNumber = 7
    $spec.DeviceChange[0].Device.DeviceInfo = New-Object VMware.Vim.Description
    $spec.DeviceChange[0].Device.DeviceInfo.Summary = 'New SCSI controller'
    $spec.DeviceChange[0].Device.DeviceInfo.Label = 'New SCSI controller'
    # Negative key = temporary key for a device that is being added
    $spec.DeviceChange[0].Device.Key = -106
    $spec.DeviceChange[0].Device.BusNumber = $BusNumber
    $spec.DeviceChange[0].Operation = 'add'
    $VirtualMachine.ExtensionData.ReconfigVM($spec)
}

  • Next we will query the existing SCSI controllers, find the available free ports on the existing controller and use the function created above to add a new SCSI controller if required.

Note: This function has been written to always start with the SCSI controller with the highest Bus Number, but it could easily be modified to use any of the existing controllers.

function SCSiFreePorts {
    param (
        # Required ports is RDMS.count
        $RequiredPorts,
        $PrimaryVirtualMachine,
        $SecondaryVirtualMachines
    )
    $ControllertoUse = @()
    $FreePorts = 0
    $AvailablePorts = @()
    while ($FreePorts -lt $RequiredPorts) {
        $ControllerNumber = @()
        # Only paravirtual controllers with physical bus sharing are candidates for shared RDMs
        $Controllers = Get-ScsiController -VM $PrimaryVirtualMachine | ? {$_.BusSharingMode -eq 'Physical' -and $_.Type -eq 'paravirtual'}
        $LatestControllerNumber = $null
        if ($Controllers) {
            foreach ($Controller in $Controllers) {
                $ControllerNumber += $Controller.ExtensionData.BusNumber
            }
            $LatestControllerNumber = ($ControllerNumber | measure -Maximum).Maximum
            $RecentController = $Controllers | ? {$_.ExtensionData.BusNumber -eq $LatestControllerNumber}
            # 16 units per controller, unit 7 is reserved for the controller itself
            $FreePorts += 15 - $RecentController.ExtensionData.Device.count
            $ControllertoUse += $RecentController
        }
        # A VM can have at most four SCSI controllers (bus numbers 0 to 3)
        if (($FreePorts -lt $RequiredPorts) -and ($LatestControllerNumber -eq 3)) {
            Write-Host "SCSI controller limit has been exhausted and cannot accommodate all RDMs. Exiting the script."
            Exit
        }
        if (($FreePorts -lt $RequiredPorts) -or !$Controllers) {
            # Create the controller on the primary VM and on every VM the RDM will be shared with
            CreateScSiController -BusNumber ($LatestControllerNumber + 1) -VirtualMachine $PrimaryVirtualMachine
            foreach ($Virtualmachine in $SecondaryVirtualMachines) {
                CreateScSiController -BusNumber ($LatestControllerNumber + 1) -VirtualMachine $Virtualmachine
            }
        }
    }
    foreach ($CurrentController in $ControllertoUse) {
        $ConnectedDevices = $CurrentController.ExtensionData.Device
        $UsedPort = @()
        foreach ($Device in $ConnectedDevices) {
            $DevObj = $PrimaryVirtualMachine.ExtensionData.Config.Hardware.Device | ? {$_.Key -eq $Device}
            $UsedPort += $DevObj.UnitNumber
        }
        for ($i = 0; $i -le 15; $i++) {
            if (($i -ne 7) -and ($UsedPort -notcontains $i)) {
                $PortInfo = New-Object -TypeName PSObject
                $PortInfo | Add-Member -MemberType NoteProperty -Name "BusNumber" -Value $CurrentController.ExtensionData.BusNumber
                $PortInfo | Add-Member -MemberType NoteProperty -Name "PortNumber" -Value $i
                $AvailablePorts += $PortInfo
            }
        }
    }
    return $AvailablePorts
}

  • Now the function to add the RDM to the primary machine.

function AddRDM {
    param (
        $VirtualMachine,
        [String]$DeviceName,
        [Int]$ControllerKey,
        [Int]$UnitNumber,
        [Int]$Size
    )
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.DeviceChange = @()
    $spec.DeviceChange += New-Object VMware.Vim.VirtualDeviceConfigSpec
    # 'create' makes vSphere generate the RDM mapping file in the VM folder
    $spec.DeviceChange[0].FileOperation = 'create'
    $spec.DeviceChange[0].Device = New-Object VMware.Vim.VirtualDisk
    # $Size is available in objects returned by GetVMCustomObject, size will be in MB
    $spec.DeviceChange[0].Device.CapacityInBytes = $Size * 1024 * 1024
    $spec.DeviceChange[0].Device.StorageIOAllocation = New-Object VMware.Vim.StorageIOAllocationInfo
    $spec.DeviceChange[0].Device.StorageIOAllocation.Shares = New-Object VMware.Vim.SharesInfo
    $spec.DeviceChange[0].Device.StorageIOAllocation.Shares.Shares = 1000
    $spec.DeviceChange[0].Device.StorageIOAllocation.Shares.Level = 'normal'
    $spec.DeviceChange[0].Device.StorageIOAllocation.Limit = -1
    $spec.DeviceChange[0].Device.Backing = New-Object VMware.Vim.VirtualDiskRawDiskMappingVer1BackingInfo
    $spec.DeviceChange[0].Device.Backing.CompatibilityMode = 'physicalMode'
    $spec.DeviceChange[0].Device.Backing.FileName = ''
    $spec.DeviceChange[0].Device.Backing.DiskMode = 'independent_persistent'
    $spec.DeviceChange[0].Device.Backing.Sharing = 'sharingMultiWriter'
    # Device name is in the format /vmfs/devices/disks/naa.<LUN ID>
    $spec.DeviceChange[0].Device.Backing.DeviceName = $DeviceName
    # Controller key to be retrieved at run time using the controller bus number
    $spec.DeviceChange[0].Device.ControllerKey = $ControllerKey
    # Unit number is the controller port and will be provided by the SCSiFreePorts function
    $spec.DeviceChange[0].Device.UnitNumber = $UnitNumber
    # $Size is available in objects returned by GetVMCustomObject, size will be in MB
    $spec.DeviceChange[0].Device.CapacityInKB = $Size * 1024
    $spec.DeviceChange[0].Device.DeviceInfo = New-Object VMware.Vim.Description
    $spec.DeviceChange[0].Device.DeviceInfo.Summary = 'New Hard disk'
    $spec.DeviceChange[0].Device.DeviceInfo.Label = 'New Hard disk'
    $spec.DeviceChange[0].Device.Key = -101
    $spec.DeviceChange[0].Operation = 'add'
    # Returns the task so the caller can wait for it before reading the new disk's details
    return $VirtualMachine.ExtensionData.ReconfigVM_Task($spec)
}

 

  • To share the RDM with the secondary virtual machines, we will use the function below.

 

function ShareRDM {
    param (
        $VirtualMachine,
        [String]$FileName,
        [Int]$ControllerKey,
        [Int]$UnitNumber,
        [Int]$Size
    )

    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.DeviceChange = @()
    # No FileOperation here: the mapping file already exists, this VM is only pointed at it
    $spec.DeviceChange += New-Object VMware.Vim.VirtualDeviceConfigSpec
    $spec.DeviceChange[0].Device = New-Object VMware.Vim.VirtualDisk

    # $Size comes from the objects returned by GetVMCustomObject and is in MB
    $spec.DeviceChange[0].Device.CapacityInBytes = [long]$Size * 1MB
    $spec.DeviceChange[0].Device.StorageIOAllocation = New-Object VMware.Vim.StorageIOAllocationInfo
    $spec.DeviceChange[0].Device.StorageIOAllocation.Shares = New-Object VMware.Vim.SharesInfo
    $spec.DeviceChange[0].Device.StorageIOAllocation.Shares.Shares = 1000
    $spec.DeviceChange[0].Device.StorageIOAllocation.Shares.Level = 'normal'
    $spec.DeviceChange[0].Device.StorageIOAllocation.Limit = -1

    $spec.DeviceChange[0].Device.Backing = New-Object VMware.Vim.VirtualDiskRawDiskMappingVer1BackingInfo
    # FileName is the mapping file created on the primary VM, in the form
    # [<Datastore name>] <VM Name>/<disk name>.vmdk. It is read back at run time from the
    # primary's device list using the controller bus number and unit number
    $spec.DeviceChange[0].Device.Backing.FileName = $FileName
    $spec.DeviceChange[0].Device.Backing.DiskMode = 'persistent'
    $spec.DeviceChange[0].Device.Backing.Sharing = 'sharingMultiWriter'

    # Controller key is looked up at run time from the controller bus number on this VM
    $spec.DeviceChange[0].Device.ControllerKey = $ControllerKey
    # Unit number is the controller port and must match the one used on the primary VM
    $spec.DeviceChange[0].Device.UnitNumber = $UnitNumber
    # Same size expressed in KB (MB * 1024)
    $spec.DeviceChange[0].Device.CapacityInKB = [long]$Size * 1KB

    $spec.DeviceChange[0].Device.DeviceInfo = New-Object VMware.Vim.Description
    $spec.DeviceChange[0].Device.DeviceInfo.Summary = 'New Hard disk'
    $spec.DeviceChange[0].Device.DeviceInfo.Label = 'New Hard disk'
    # A negative key is a placeholder; vSphere assigns the real device key on reconfigure
    $spec.DeviceChange[0].Device.Key = -101
    $spec.DeviceChange[0].Operation = 'add'

    return $VirtualMachine.ExtensionData.ReconfigVM_Task($spec)
}

 

To stitch it all together we just call the functions above as required, but a few pre-checks come first.

Note: These pre-checks are not exhaustive; they were built to satisfy customer-specific requirements, and more checks and balances could be added.

We do not want to start modifying things without making sure that the virtual machines are powered off, do we?

 

$PrimaryVirtualMachine = Get-VM -Name $PrimaryVirtualMachineName
if ($PrimaryVirtualMachine.PowerState -ne 'PoweredOff')
{
    Read-Host -Prompt "$PrimaryVirtualMachineName is not Powered Off. Make sure all the Virtual Machines are Powered Off before running the script again. Press any key to exit."
    Exit
}

$SecondaryVirtualMachines = @()
foreach ($VM in $SecondaryVirtualMachinesName)
{
    $SecondaryVM = Get-VM -Name $VM
    if ($SecondaryVM.PowerState -ne 'PoweredOff')
    {
        Read-Host -Prompt "$VM is not Powered Off. Make sure all the Virtual Machines are Powered Off before running the script again. Press any key to exit."
        Exit
    }
    $SecondaryVirtualMachines += $SecondaryVM
}

 

We also know that a virtual machine supports a total of 64 disks, 4 of which are IDE, so we check that the disks already attached plus the RDMs to be added do not exceed the 60 SCSI disks available.

$RDMS = Get-Content -Path $PathtoRDMfile
$AttachedDisks = $PrimaryVirtualMachine | Get-HardDisk
if (($AttachedDisks.Count + $RDMS.Count) -gt 60)
{
    Read-Host -Prompt 'Configuration maximum for disks reached. Can not attach all provided disks. Press any key to exit.'
    Exit
}

 

Let's find the bus numbers and port numbers we will use to attach the RDMs. The same bus and unit number is used on the primary and on every secondary VM, which is why SCSiFreePorts is given the secondary VMs as well.

$DeviceObjects = GetVMCustomObject -VirtualMachine $PrimaryVirtualMachine -RDMS $RDMS
$PortsAvailable = SCSiFreePorts -RequiredPorts $RDMS.Count -PrimaryVirtualMachine $PrimaryVirtualMachine -SecondaryVirtualMachines $SecondaryVirtualMachines

for ($i = 0; $i -lt $RDMS.Count; $i++)
{
    $CurrentObject = $DeviceObjects[$i]
    $PorttoUse = $PortsAvailable[$i]
    $CurrentObject.UnitNumber = $PorttoUse.PortNumber
    $CurrentObject.BusNumber = $PorttoUse.BusNumber
}

 

Now we will use all this collected information and finish the job. The RDM is first created on the primary VM; the resulting mapping file name is then read back and attached to every secondary VM at the same bus and unit number.

foreach ($DiskObject in $DeviceObjects)
{
    $Controller = Get-ScsiController -VM $PrimaryVirtualMachine | ? {$_.ExtensionData.BusNumber -eq $DiskObject.BusNumber}
    $TaskRef = AddRDM -VirtualMachine $PrimaryVirtualMachine -DeviceName $DiskObject.DeviceName -ControllerKey $Controller.ExtensionData.Key -UnitNumber $DiskObject.UnitNumber -Size $DiskObject.SizeMB

    # Wait for the reconfigure task to finish instead of sleeping for a fixed time
    $TaskView = Get-View -Id $TaskRef
    while ($TaskView.Info.State -eq 'running' -or $TaskView.Info.State -eq 'queued')
    {
        Start-Sleep -Seconds 1
        $TaskView.UpdateViewData()
    }
    if ($TaskView.Info.State -ne 'success')
    {
        throw "Adding RDM $($DiskObject.DeviceName) to $PrimaryVirtualMachineName failed: $($TaskView.Info.Error.LocalizedMessage)"
    }

    $PVM = Get-VM -Name $PrimaryVirtualMachineName
    $Disk = $PVM.ExtensionData.Config.Hardware.Device | ? {($_.UnitNumber -eq $DiskObject.UnitNumber) -and ($_.ControllerKey -eq $Controller.ExtensionData.Key)}
    $DiskObject.FileName = $Disk.Backing.FileName

    foreach ($VM in $SecondaryVirtualMachines)
    {
        # Look the controller up on the secondary VM itself; controller keys usually match across VMs but are not guaranteed to
        $SController = Get-ScsiController -VM $VM | ? {$_.ExtensionData.BusNumber -eq $DiskObject.BusNumber}
        ShareRDM -VirtualMachine $VM -FileName $Disk.Backing.FileName -ControllerKey $SController.ExtensionData.Key -UnitNumber $DiskObject.UnitNumber -Size $DiskObject.SizeMB
    }
}

Write-Host "RDMs have been added on all virtual machines with the details below"
$DeviceObjects | Select-Object NAAID, BusNumber, UnitNumber | Format-Table -AutoSize | Out-Host

 

Now just save the file and run it as below:

<path to the script>\<scriptname.ps1> -PrimaryVirtualMachineName <VM Name> -SecondaryVirtualMachinesName <VM Name>,<VM Name>,<VM Name> -PathtoRDMfile <RDM File Path>

 

This script has been tested in a lab with 1 primary and 2 secondary virtual machines and up to 10 RDM devices. Below are the specific use cases tested.

  • RDM attachment with no existing physical-mode SCSI controller.
  • RDM attachment with an existing physical-mode SCSI controller and no existing RDM.
  • RDM attachment with an existing physical-mode SCSI controller with serially attached RDMs.
  • RDM attachment with an existing physical-mode SCSI controller with randomly attached RDMs.
  • RDM attachment across multiple physical-mode SCSI controllers when the existing controller does not have enough ports available.

I understand there could be better and/or easier ways to do this, and the script could be made more efficient; any suggestion is welcome. I have attached the completed script to the post, feel free to use or modify it as you see fit.
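The slot-planning rule the script relies on (unit 7 is reserved, units 0-15 per controller, only physical bus sharing controllers qualify, and the shared disk must land at the same bus:unit on the primary and every secondary) is easy to get subtly wrong. Below is an added example in Python, not the post's PowerCLI and not VMware code, that computes the slots free on every node at once and then verifies, after the reconfigure, that each node sees the same mapping file with multi-writer sharing at that slot. The device tables are constructed to resemble what Config.Hardware.Device returns; the dictionary field names are assumptions, and the example does not create controllers.

```python
"""Shared-RDM slot planning: pick SCSI (bus, unit) addresses free on every node."""
from typing import Dict, List, Optional, Set, Tuple

RESERVED_UNIT = 7          # the controller itself occupies unit 7
UNITS_PER_CONTROLLER = 16  # units 0..15
Slot = Tuple[int, int]     # (busNumber, unitNumber)


def shared_buses(devices: List[dict]) -> Dict[int, int]:
    """Controller key -> bus number, for controllers with physical bus sharing."""
    return {d["key"]: d["busNumber"] for d in devices
            if d["type"] == "controller" and d["sharedBus"] == "physicalSharing"}


def used_slots(devices: List[dict]) -> Set[Slot]:
    """(bus, unit) pairs already occupied on one VM's shared controllers."""
    buses = shared_buses(devices)
    return {(buses[d["controllerKey"]], d["unitNumber"]) for d in devices
            if d["type"] == "disk" and d["controllerKey"] in buses}


def free_slots(vms: Dict[str, List[dict]], required: int) -> List[Slot]:
    """The first `required` slots free on every VM, on buses every VM shares.

    Like SCSiFreePorts, but intersected across nodes: a unit that is free on the
    primary yet taken on a secondary is unusable, because the disk has to be
    attached at the same address everywhere. Controllers are not created here.
    """
    bus_sets = [set(shared_buses(devs).values()) for devs in vms.values()]
    common = set.intersection(*bus_sets) if bus_sets else set()
    taken: Set[Slot] = set().union(*(used_slots(devs) for devs in vms.values()))
    candidates = [(bus, unit) for bus in sorted(common)
                  for unit in range(UNITS_PER_CONTROLLER)
                  if unit != RESERVED_UNIT and (bus, unit) not in taken]
    if len(candidates) < required:
        raise RuntimeError(f"need {required} shared slots, only {len(candidates)} free on all nodes")
    return candidates[:required]


def disk_at(devices: List[dict], slot: Slot) -> Optional[dict]:
    """The disk attached at `slot` on a shared controller of this VM, or None."""
    buses = shared_buses(devices)
    for d in devices:
        if (d["type"] == "disk" and d["controllerKey"] in buses
                and (buses[d["controllerKey"]], d["unitNumber"]) == slot):
            return d
    return None


def verify_shared(vms: Dict[str, List[dict]], slot: Slot, mapping_file: str) -> List[str]:
    """Post-reconfigure check: every node has the same mapping file, multi-writer, at `slot`."""
    problems = []
    for name, devs in vms.items():
        d = disk_at(devs, slot)
        if d is None:
            problems.append(f"{name}: nothing at bus {slot[0]} unit {slot[1]}")
        elif d["fileName"] != mapping_file:
            problems.append(f"{name}: backed by {d['fileName']}, expected {mapping_file}")
        elif d.get("sharing") != "sharingMultiWriter":
            problems.append(f"{name}: sharing is {d.get('sharing')}, not sharingMultiWriter")
    return problems


def _ctrl(key: int, bus: int, sharing: str) -> dict:
    return {"type": "controller", "key": key, "busNumber": bus, "sharedBus": sharing}


def _disk(ctrl_key: int, unit: int, file_name: str, sharing: str = "sharingNone") -> dict:
    return {"type": "disk", "controllerKey": ctrl_key, "unitNumber": unit,
            "fileName": file_name, "sharing": sharing}


# Constructed sample: bus 0 is the boot controller (no sharing), bus 1 the physical-sharing
# controller used for RDMs. node1 already has RDMs at units 0 and 2, node2 at unit 1, so
# the first slots free on both nodes are (1, 3) and (1, 4).
SAMPLE = {
    "node1": [_ctrl(1000, 0, "noSharing"), _ctrl(1001, 1, "physicalSharing"),
              _disk(1000, 0, "[ds1] node1/node1.vmdk"),
              _disk(1001, 0, "[ds1] node1/node1_1.vmdk", "sharingMultiWriter"),
              _disk(1001, 2, "[ds1] node1/node1_2.vmdk", "sharingMultiWriter")],
    "node2": [_ctrl(1000, 0, "noSharing"), _ctrl(1001, 1, "physicalSharing"),
              _disk(1000, 0, "[ds1] node2/node2.vmdk"),
              _disk(1001, 1, "[ds1] node2/node2_1.vmdk", "sharingMultiWriter")],
}

if __name__ == "__main__":
    print(free_slots(SAMPLE, 2))
```

Running `verify_shared` after the reconfigure loop is the check worth keeping: a node whose disk points at a different mapping file or lacks multi-writer sharing will appear to work until the cluster fails over.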

Workspace ONE - How to Configure iOS Mobile SSO

In this blog post, we will walk through the steps to configure iOS Mobile SSO.

I will assume that your Workspace ONE UEM and Workspace ONE Identity Manager environments have not been integrated before.

This blog also assumes that you already have an Enterprise Cloud Connector installed and syncing with Workspace ONE UEM.

 

In this blog, we'll cover:

  1. Configure Workspace ONE Identity in the UEM Console
  2. Enable Active Directory Basic
  3. Enable Mobile SSO
  4. Basic Troubleshooting

 

Validation of Pre-requisites

  1. Log into Workspace ONE UEM -> Global Settings -> All Settings -> System -> Enterprise Integration -> Cloud Connector
  2. Ensure AirWatch Cloud Connector is enabled
  3. Perform a Test Connection and make sure the connection is active
  4. Click on Directory Services in the left menu
  5. Ensure your directory has been configured and that a test connection succeeds
  6. Close Settings and go to Accounts in the main left menu of Workspace ONE UEM
  7. Make sure users are being synchronized into Workspace ONE UEM

 

Step 1: Configure Workspace ONE Identity in the UEM Console

Although this step is not strictly required to get Mobile SSO working, I highly recommend configuring it, as it is required for Device Compliance, the Unified Catalog and UEM Password Authentication.

In previous versions of Workspace ONE UEM a lot of manual configuration was required to enable Workspace ONE Identity. The wizard in Workspace ONE UEM automates most of these tasks.

Click on Getting Started

  1. Under Workspace ONE -> Begin Setup
  2. Under Identity and Access Management -> click Configure for "Connect to VMware Identity Manager"
  3. Click Continue
  4. Enter your Tenant URL, User name, and Password
  5. Click Save
  6. If you check your Workspace ONE Identity tenant, you will see that the AirWatch configuration has been completed: Identity & Access Management -> Setup -> AirWatch

 

Step 2: Enable Active Directory Basic

VMware recommends that you download and install the VMware Identity Manager connector to synchronize users from your Active Directory to Workspace ONE Identity. For the purpose of this blog, however, we are going to leverage the built-in capability of Workspace ONE UEM to provision users directly into Workspace ONE Identity.

  1. In Workspace ONE UEM, Groups & Settings -> All Settings -> System -> Enterprise Integration -> VMware Identity Manager -> Configuration
  2. Under the server settings you will see that "Active Directory Basic" is disabled
  3. Click "Enabled" beside Active Directory Basic
  4. You will be prompted to enter your password
  5. Click Next
  6. Enter a name for your directory (this will be the name of the directory in Workspace ONE Identity). You can leave Enable Custom Mapping at the standard setting
  7. Click Save
  8. If everything worked, you should see a new directory appear in Workspace ONE Identity with your synchronized users

 

Step 3: Enable Mobile SSO

  1. Go back to the "Getting Started" section of Workspace ONE UEM
  2. Under Workspace ONE -> Continue
  3. Under Identity & Access Management -> Mobile Single Sign-On, click Configure
  4. Click "Get Started"
  5. Click Configure to use the AirWatch Certificate Authority
  6. Click Start Configuration
  7. Click Finish when complete
  8. Click Close

Basic Troubleshooting

There are a variety of reasons that Mobile SSO can fail. Let's go over a few of the common ones.

  1. You are prompted for a username/password or the Workspace ONE domain chooser when doing Mobile SSO
    Mobile SSO has failed and Workspace ONE Identity is triggering the fallback authentication mechanism. For the purpose of troubleshooting, I recommend removing the fallback: in the iOS policy, remove Certificate Authentication and Password (Local Directory). When you test again you will be shown an error message instead.
  2. You are prompted with the error message "Access denied as no valid authentication methods were found"
    a) Check that the "Ios_Sso" profile was pushed to the device. By default the profile is created without an assignment group. If it has none, create a smart group, assign the profile and publish.
  3. You receive the error "The required field "Keysize" is missing" when deploying the iOS Mobile SSO profile
    Something went wrong with the import of the KDC certificate from Workspace ONE Identity into UEM.
    a) Log into Workspace ONE Identity -> Identity & Access Management -> Identity Providers -> Built-in and download the KDC certificate
    b) Switch back to UEM, Devices -> Profiles & Resources -> Profiles
    c) Edit the iOS profile
    d) Click Credentials and re-upload the KDC certificate
  4. You receive the message "Kerberos NEGOTIATE failed or was cancelled by the user"
    Unfortunately this is a catch-all error message for Mobile SSO failures and can have many causes. I'll try to cover some of the common ones here:
    a) In Workspace ONE UEM, check your iOS Mobile SSO profile -> Single Sign-on and verify the Realm is correct. For production it should be "VMWAREIDENTITY.COM". If you have a localized cloud tenant it can be different (VMWAREIDENTITY.EU, VMWAREIDENTITY.ASIA, VMWAREIDENTITY.CO.UK, VMWAREIDENTITY.COM.AU, VMWAREIDENTITY.CA, VMWAREIDENTITY.DE). For non-production you might be on the vidmpreview.com domain, in which case it should be "VIDMPREVIEW.COM".
    b) When you use the wizard to create the Mobile SSO configuration, it automatically adds the application bundle IDs for which Mobile SSO is allowed. You need to either enter all of your application bundle IDs into the profile or delete them all; if no bundle IDs are specified, all apps are allowed. For a POC I recommend leaving this blank. For production, list the bundle IDs explicitly so that only the intended apps can use the SSO credential.
    c) Mobile SSO on iOS is based on Kerberos. The Kerberos negotiation uses UDP port 88; ensure your firewall is not blocking it.
    d) The built-in AirWatch Certificate Authority uses the username (usually sAMAccountName) as the principal name on the certificate provisioned to the device. The Kerberos negotiation uses that username to form a user principal name, which must match the UPN in Workspace ONE Identity. A problem occurs when an organization defines its UPN with a different prefix than the sAMAccountName, for example a username of "jdoe" but a UPN of "john.doe@domain.com". In this scenario Mobile SSO will fail, and we can:
    i) Sync the correct UPN prefix as a custom attribute into Workspace ONE UEM and provision that on the certificate
    ii) Sync sAMAccountName as the UPN in Workspace ONE Identity (note: this can cause issues with downstream applications, but you can always pull the UPN as a custom attribute as well)
    iii) Use a custom certificate authority in Workspace ONE UEM and configure a Kerberos template with the correct values
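The realm, bundle-ID and principal mismatches in point 4 are all things you can catch before pushing the profile. Here is an added example, not part of the post or of any VMware tool, that runs those checks against a profile dictionary and a directory export. The profile fields, the user records and the "upnPrefix" custom attribute are constructed stand-ins; the realm list is the one given in the troubleshooting notes above.

```python
"""Pre-flight checks for the iOS Mobile SSO failure modes discussed above."""
from typing import Dict, List

# Realms listed in the troubleshooting notes; the profile expects them upper-case.
KNOWN_REALMS = {
    "VMWAREIDENTITY.COM", "VMWAREIDENTITY.EU", "VMWAREIDENTITY.ASIA",
    "VMWAREIDENTITY.CO.UK", "VMWAREIDENTITY.COM.AU", "VMWAREIDENTITY.CA",
    "VMWAREIDENTITY.DE", "VIDMPREVIEW.COM",
}


def check_profile(profile: Dict) -> List[str]:
    """Realm and bundle-ID checks on the iOS SSO profile settings (constructed dict)."""
    findings = []
    realm = profile.get("realm", "")
    if realm.upper() not in KNOWN_REALMS:
        findings.append(f"realm {realm!r} is not one of the known Workspace ONE realms")
    elif realm != realm.upper():
        findings.append(f"realm {realm!r} should be upper-case ({realm.upper()})")
    if not profile.get("bundle_ids"):
        findings.append("no app bundle IDs: any app on the device may use the SSO "
                        "credential (acceptable for a POC, restrict for production)")
    return findings


def check_principals(users: List[Dict], cert_attribute: str = "sAMAccountName") -> List[str]:
    """Flag users whose certificate principal will not match their UPN prefix.

    Workspace ONE Identity matches the Kerberos principal against the UPN, so
    "jdoe" on the certificate versus john.doe@domain.com in the directory fails.
    Passing cert_attribute="upnPrefix" models option (i): provision the UPN
    prefix from a custom attribute instead of sAMAccountName.
    """
    findings = []
    for u in users:
        upn_prefix = u["userPrincipalName"].split("@", 1)[0]
        cert_principal = u[cert_attribute]
        if cert_principal.lower() != upn_prefix.lower():
            findings.append(f"{u['sAMAccountName']}: certificate principal {cert_principal!r} "
                            f"!= UPN prefix {upn_prefix!r}; Mobile SSO will fall back")
    return findings


# Constructed inputs: a lower-case realm with no bundle IDs, and one user whose UPN
# prefix differs from the sAMAccountName.
PROFILE = {"realm": "vmwareidentity.com", "bundle_ids": []}
USERS = [
    {"sAMAccountName": "jdoe", "userPrincipalName": "john.doe@domain.com", "upnPrefix": "john.doe"},
    {"sAMAccountName": "asmith", "userPrincipalName": "asmith@domain.com", "upnPrefix": "asmith"},
]

if __name__ == "__main__":
    for finding in check_profile(PROFILE) + check_principals(USERS):
        print("-", finding)
```

Run `check_principals` over the whole directory export once before rollout; a handful of mismatched accounts is the usual cause of "it works for some users and not others".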

Common Problems That Occur In A Bug Tracking Software

Henry Ford once said, "Don't find fault, find a remedy". This fits software development perfectly. Testing is not only a component of software development; it is an important process that defines how products function. Every software development project encounters issues or problems, and quality assurance experts find solutions for them. No matter how hard development teams work on quality assurance, bugs and errors are common in any software. Experts therefore use bug tracking software to track down errors, resolve them, and provide solutions that stop them from recurring.

 

Bug tracking software helps in identifying, recording, reporting, and managing bugs that occur in an application. It is designed to ensure quality and to provide bug tracking tools that assist development teams. Errors and bugs appear in any software, and nobody should be blamed for that. But it is true that there is no error-free software and that bugs cost businesses huge losses, so companies work diligently to earn and maintain a reputation for quality software.

Experts say that as they keep adding features to an application, its functions become more complex. Testers require time to identify and resolve problems that have a direct impact on product quality. The following are a few challenges that testers encounter when using bug tracking software:

Bug-logging Process

A bug tracking system should be able to describe a bug properly, so that developers get a clear understanding of it. If an error is not reported, or required fields are left incomplete, it has a negative effect on the software development process.

Bug Tracking Template

Development team members work from the same bug tracking template, as using different formats causes discrepancies. To avoid this confusion, all developers use the same templates so that reporting is simplified.

Priority Levels

Testing and development teams assign a priority level to each bug that appears in an application. This allows high-priority issues to be worked on first, followed by the less important bugs. Issue tracking software works efficiently only when teams prioritize these tasks efficiently.

Bug Tracking Tools

A defect management system provides bug tracking tools that allow testers to perform their work efficiently. Testers need bug tracking tools for their projects in order to release quality software.

Companies invest in bug tracking software to analyze recurring bugs and channel the findings into releasing quality software. Bug tracking is not just about tracking defects; it is also a proactive approach to ensuring that companies meet software requirements and achieve customer satisfaction.

Workspace ONE - AirWatch Provisioning App

The AirWatch Provisioning App within Workspace ONE is still relatively new and, although it has its quirks, it can be useful in certain use cases.

So what is the AirWatch Provisioning App used for?

The app is designed for use cases where there is no on-premises LDAP server that can be used with the Workspace ONE UEM Cloud Connector to synchronize users. It can be used when users are created in Workspace ONE Identity via SCIM or JIT; Workspace ONE Identity will then create the users in Workspace ONE UEM.

Let's first discuss some important points about using the AirWatch Provisioning App in Workspace ONE:

  • Currently, Workspace ONE will only provision into the top-level (Customer) Organization Group (OG) in Workspace ONE UEM.
  • An LDAP server can NOT be configured at the top-level OG in Workspace ONE UEM (unless the users already exist in that directory, in which case you shouldn't be using the provisioning adapter).
  • Workspace ONE Identity needs to be configured as a SAML provider at the top-level OG.
  • If you are using JIT to create users in Workspace ONE Identity, you MUST send a valid GUID to Workspace ONE as part of the SAML attributes. This is required if you plan on using the Workspace ONE Hub native application to enroll your device. The GUID is mapped to the External ID and provisioned to Workspace ONE UEM.
  • If you are using JIT to create users in Workspace ONE Identity, you need to log into Workspace ONE in a web browser once before using the Workspace ONE Hub native app, because the user must already exist in UEM at the time of enrollment.

 

Step 1: Export your Workspace ONE IDP Metadata

  1. Log into Workspace ONE Identity and go to Catalog -> Settings
  2. Click on SAML Metadata
  3. Download your "Identity Provider (IdP) metadata"

Step 2: Configure UEM to use SAML Authentication

  1. Log into Workspace ONE UEM
  2. Go to Groups & Settings -> All Settings -> System -> Enterprise Integration -> Directory Services
  3. Ensure Directory Type is set to "None"
  4. Enable "Use SAML for Authentication"
  5. Under "Enable SAML Authentication for", check Self-Service Portal and Enrollment
  6. Enable "Use New SAML Authentication Endpoint"
    Note: It may be confusing why UEM has to be configured this way; it was confusing to me at first. The provisioning adapter in Workspace ONE Identity uses the REST API to create accounts in UEM. To create user accounts of Directory type in UEM, either a directory must be configured or SAML must be enabled. As mentioned earlier we cannot enable a directory, so we essentially have to configure SAML.
  7. In the SAML 2.0 section, click Upload to import the Identity Provider settings
  8. Select the metadata you downloaded in Step 1
  9. Scroll down and click Save

 

Step 3: Add the AirWatch Provisioning App in Workspace ONE Identity

  1. In Workspace ONE Identity, go to Catalog -> New
  2. Browse the catalog and select "AirWatch Provisioning"
  3. Click Next
  4. Edit the Single Sign-On URL and Recipient URL with your UEM server
  5. Keep the "default_access_policy_set" and click Next
  6. Click Save
  7. Select the AirWatch Provisioning App and click Edit
  8. Click Next
  9. On the Configuration tab, enable "Setup Provisioning"
  10. Click Next
  11. Enter your AirWatch Device Services URL
  12. Enter your Admin Username (a dedicated service administrator account is preferable to a personal admin login, since the credentials are stored in the IdP)
  13. Enter your Admin Password
    Note: Whenever you edit this application, be careful of Chrome's password auto-fill. If you have a password saved in Chrome it will overwrite the field; after you hit Test Connection it reverts to the password saved in Chrome.
  14. Enter your AirWatch API Key
    Note: If you don't have an API key, in UEM go to Groups & Settings -> All Settings -> System -> Advanced -> API -> REST API, click Override -> Add, provide a Service Name with the account type Admin, and copy the API Key.
  15. Enter your top-level OG Group ID
  16. Click Test Connection and validate connectivity
  17. Click Enable Provisioning
  18. Verify the mappings are correct. If you are using JIT, make sure all of these attributes arrive in the SAML assertion
  19. Under Group Provisioning, add any groups you want to provision to UEM
  20. Click Next
  21. Click Save

Note: If you get an error when saving, see the note above about Chrome's password auto-fill.

 

Step 4: Entitle Users to the AirWatch Provisioning App

You can entitle users individually or via a group. If you are using JIT you might want to consider using a dynamic group.

  1. Click the Assign button on the AirWatch Provisioning App
  2. Search for the user and/or group
  3. Under "Deployment Type" you MUST select Automatic. If you leave the default "User Activated", the user will never be provisioned.

Step 5: Create a Dynamic Group (Optional)

If you are using JIT to create users in Workspace ONE, it is easier to create a dynamic group and assign that group to the provisioning adapter.

  1. Click on "Users & Groups"
  2. Click on Groups
  3. Click Add Group
  4. Provide a group name and click Next
  5. Do not select any users and click Next
  6. Under Group Rules, choose a rule based either on the JIT directory that was created or on the domain you chose for the JIT users
  7. Click Next
  8. Click Next to skip excluding users
  9. Click Create Group
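Because JIT users only reach UEM through the attributes in the SAML assertion, it pays to validate those attributes (in particular the GUID that becomes the External ID) before enabling provisioning for everyone. The following is an added example, not part of the post or of Workspace ONE, that parses an assertion's AttributeStatement and reports missing attributes or a non-GUID external ID. The assertion XML is constructed and unsigned; the attribute names are assumptions and should be aligned with the mapping shown on the provisioning tab.

```python
"""Validate the SAML attributes a JIT login must carry for AirWatch provisioning."""
import uuid
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names assumed to be mapped on the provisioning tab
REQUIRED = ("userName", "firstName", "lastName", "email", "externalId")


def attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Attribute name -> list of values from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        out[attr.get("Name")] = values
    return out


def validate_for_provisioning(assertion_xml: str) -> List[str]:
    """Return a list of problems; an empty list means the user can be provisioned.

    The signature must be verified before any of this is trusted; that step is
    outside this example.
    """
    attrs = attributes(assertion_xml)
    problems = []
    for name in REQUIRED:
        if not attrs.get(name) or not attrs[name][0].strip():
            problems.append(f"missing attribute {name}")
    ext = (attrs.get("externalId") or [""])[0].strip()
    if ext:
        try:
            uuid.UUID(ext)  # the External ID pushed to UEM must be a valid GUID
        except ValueError:
            problems.append(f"externalId {ext!r} is not a valid GUID")
    return problems


# Constructed assertion fragment (no signature, no conditions) for illustration only
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="userName"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="externalId"><saml:AttributeValue>3f2504e0-4f89-11d3-9a0c-0305e82c3301</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion with a non-GUID external ID, the mistake that breaks Hub enrollment
BAD_ASSERTION = SAMPLE_ASSERTION.replace("3f2504e0-4f89-11d3-9a0c-0305e82c3301", "jdoe-12345")

if __name__ == "__main__":
    print(validate_for_provisioning(SAMPLE_ASSERTION))
    print(validate_for_provisioning(BAD_ASSERTION))
```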

Looking at the recommended vSAN cache disk size in vROps 7.5

I had occasion to think about the cache disk capacity of the vSAN in my home lab, so I tried looking at vSAN in vROps (vRealize Operations Manager). Here I am viewing vSAN 6.7 U1 in vROps 7.5.

The vSAN adapter has already been configured in vROps.

vROps can also monitor vSAN, so you can check, for example, the free write buffer capacity (%) of a disk group, a figure that comes up often.

Now let's check the recommended cache disk size. Open "Environment" -> "All Objects".

Under "All Objects" -> "vSAN Adapter" -> "Cache Disks", select a cache disk. You can see that the ESXi host has a 128 GB SSD for cache.

With the cache disk selected, open "All Metrics" -> "Capacity Analytics Generated" -> "Disk Space" and double-click "Recommended Size (GB)"; a graph of the recommended size is displayed. In this environment the recommendation is 59.62 GB, so the cache disk capacity looks sufficient.

Incidentally, cache disk information can also be displayed from "vSAN and Storage Devices". But if you only want to look at cache disks, I think the tree from "All Objects" used here is easier to check.

The documentation also lists the vSAN metrics (although they do not seem to match the actual product exactly...): vSAN metrics

vROps was only recently deployed and has just started collecting data, so I plan to look again once the Reiwa era begins.

That was a look at the recommended vSAN cache disk size in vROps.

Enabling Risk-Based Identity Assurance: VMware Workspace ONE + RSA SecurID Access

VMware Workspace ONE provides a digital workspace platform with a seamless user experience across any application on any device. Users can access a platform-native catalog to download and install applications regardless of whether it is an iOS, Android, Windows 10 or macOS device. They can access Web and SaaS applications as well as virtualized applications, including Horizon and Citrix. Workspace ONE is designed to keep the user experience "consumer simple" while keeping the platform "enterprise secure".

VMware promotes a "zero trust" approach to accessing corporate applications. Workspace ONE Unified Endpoint Management is a critical element of a zero-trust model, ensuring the device itself is secure enough to access your corporate data. However, a zero-trust model needs both device trust and identity context. This is where the risk-based identity assurance offered by RSA SecurID Access becomes the perfect complement to Workspace ONE.

RSA SecurID Access makes access decisions based on machine learning algorithms that take both risk and behavioral analytics into account. It offers a broad range of authentication methods, including modern mobile multi-factor authenticators (push notification, one-time password, SMS and biometrics) as well as traditional hard and soft tokens.

I'm excited about the integration between Workspace ONE and RSA SecurID Access because it offers a great deal of flexibility to control when and how multi-factor authentication is used. After the initial setup, it also lets me control everything from Workspace ONE.

RSA SecurID Access provides 3 levels of assurance that you can leverage within your access policies. You have full control over which authenticators go into each level, based on your licensing from RSA.

You can create Access Policies in RSA SecurID Access that map to the appropriate assurance levels. In my environment, I've created 3 policies.

Once you've completed your access policies you can add your Workspace ONE tenant as a relying party.

Now this is where things get really interesting, and you'll see why I'm excited about this integration. It is fairly common for a digital workspace or web portal to call out to an MFA provider to perform the necessary authentication and return the response. The problem that typically arises is whether the authenticators used for MFA are too much or too little for the application being accessed. In most cases the MFA provider is not aware of which application is being accessed and is only answering the call from the relying party. Keep in mind that user experience is at the forefront of the Workspace ONE solution.

The integration between Workspace ONE and RSA SecurID Access allows us to control which Access Policy (or level of assurance) is used from within Workspace ONE.

In Workspace ONE, we can create the same policies that we created in RSA SecurID Access.

In Workspace ONE we can directly assign Web, SaaS or virtual applications that require high assurance to the "High Assurance" access policy, and apps that require medium or low assurance to the appropriate policy. When an application is accessed in Workspace ONE, the request is automatically sent to RSA SecurID Access with the policy to use for authentication.

So how does Workspace ONE specify which policy RSA SecurID Access should use for authentication? It is actually quite simple: the integration between Workspace ONE and RSA SecurID Access is based on SAML.

Initial authentication into Workspace ONE will typically come from Mobile SSO or certificate-based authentication (although other forms of authentication are available). After the initial authentication, or once the user clicks on a specific application, Workspace ONE sends a SAML authentication request that includes the subject who needs additional verification:

<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">steve</saml:NameID>
</saml:Subject>
<samlp:NameIDPolicy AllowCreate="false"

The SAML request sent from Workspace ONE also carries the access policy in the AuthnContextClassRef of the RequestedAuthnContext:

<samlp:RequestedAuth

nContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:rsa:names:tc:SAML:2.0:ac:classes:spec::LowWS1</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>

You can see that in the AuthnContextClassRef we are specifying the policy that RSA SecurID Access should use for authentication.

When you create a 3rd-party IdP for RSA SecurID Access in Workspace ONE, you specify the AuthnContextClassRef when defining the authentication methods.

I've actually left out a key element of the RSA SecurID Access solution, which is the risk level. Even though we've specifically called for the Low Assurance policy, RSA can dynamically change that to High based on the user's risk score. RSA SecurID Access uses an "Identity Confidence" score to choose the appropriate assurance level; this is configured in the access policy.

By leveraging RSA SecurID Access with VMware Workspace ONE we can now have risk-based identity assurance per app within Workspace ONE. For current Workspace ONE customers, this integration is based on SAML, so it does not require RADIUS and has no dependency on the VIDM Connector.

Together this keeps the user experience great on apps that might not need a high level of assurance, and keeps the enterprise secure on the apps that do.
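To make the SAML exchange concrete, here is an added example (not Workspace ONE or RSA code) that builds the AuthnRequest fragment shown above for an app's assurance level and, on the way back, checks that the assertion's AuthnContextClassRef is at least the level that was requested, so that a step-up by RSA passes while a downgrade or an unknown class is rejected by the relying party. The MediumWS1 and HighWS1 class names are assumptions modelled on the single LowWS1 URN in the post, the app-to-policy table is constructed, and signature verification is out of scope.

```python
"""Per-app assurance via SAML RequestedAuthnContext, and checking what came back."""
import xml.etree.ElementTree as ET
from typing import Dict

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

# Ordered assurance levels and the RSA policy class each maps to (assumed names
# except LowWS1, which the post shows)
LEVELS = ["low", "medium", "high"]
POLICY_CLASS = {
    "low": "urn:rsa:names:tc:SAML:2.0:ac:classes:spec::LowWS1",
    "medium": "urn:rsa:names:tc:SAML:2.0:ac:classes:spec::MediumWS1",
    "high": "urn:rsa:names:tc:SAML:2.0:ac:classes:spec::HighWS1",
}
LEVEL_OF_CLASS = {v: k for k, v in POLICY_CLASS.items()}

# App -> assurance policy, as assigned in Workspace ONE access policies (constructed)
APP_POLICY: Dict[str, str] = {"expense-portal": "low", "hr-payroll": "high"}


def build_authn_request(subject: str, app: str, request_id: str = "_id1") -> str:
    """AuthnRequest carrying the subject and the policy class for the app being opened."""
    level = APP_POLICY[app]
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {"ID": request_id, "Version": "2.0"})
    subj = ET.SubElement(req, f"{{{SAML}}}Subject")
    nid = ET.SubElement(subj, f"{{{SAML}}}NameID",
                        {"Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"})
    nid.text = subject
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {"AllowCreate": "false"})
    # Comparison="exact" is the SAML default; RSA still decides whether to step up
    rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = POLICY_CLASS[level]
    return ET.tostring(req, encoding="unicode")


def requested_level(authn_request_xml: str) -> str:
    """Assurance level named in an AuthnRequest we produced."""
    root = ET.fromstring(authn_request_xml)
    ref = root.find(".//samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return LEVEL_OF_CLASS[ref.text]


def response_meets(response_xml: str, required_level: str) -> bool:
    """True if the assertion's AuthnContextClassRef is at or above required_level.

    RSA may step a Low request up to High on a poor identity-confidence score;
    that passes. A downgrade, or an unknown class, is rejected.
    """
    root = ET.fromstring(response_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    if ref is None or ref.text not in LEVEL_OF_CLASS:
        return False
    return LEVELS.index(LEVEL_OF_CLASS[ref.text]) >= LEVELS.index(required_level)


def _response(class_ref: str) -> str:
    """Constructed, unsigned response with one AuthnStatement (illustration only)."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"><saml:Assertion>'
            f'<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}'
            '</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>'
            '</saml:Assertion></samlp:Response>')


if __name__ == "__main__":
    req = build_authn_request("steve", "hr-payroll")
    print(req)
    print(response_meets(_response(POLICY_CLASS["high"]), requested_level(req)))
```

The ordering check in `response_meets` is the part that matters for security: a relying party that only checks that *some* AuthnContextClassRef came back would accept a Low-assurance login for an app it had asked High assurance for.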


How to Configure SAML Single Logout in WS1 for Okta

$
0
0

If you have configured Okta as a 3rd Party IDP in Workspace ONE, you might have noticed that the "Logout" function in Workspace ONE doesn't log you out of your Okta session. The reason is that Okta does not include the "SingleLogoutService" by default in the metadata that is used when creating the 3rd Party IDP in Workspace ONE.

There are a couple of extra steps that you need to do to enable this functionality. Before you begin, please make sure you download your signing certificate from Workspace ONE.

  1. Log into Workspace ONE
  2. Click on Catalog -> Settings (Note: Don't click the down arrow and settings)
  3. Click on SAML Metadata
  4. Scroll down to the Signing Certificate and Click Download

Now you will need to log into your Okta Administration Console.

  1. Under Applications -> Click on the Workspace ONE application that you previously created
  2. Click on the General Tab
  3. Under SAML Settings -> Click Edit
  4. Click Next
  5. Click on "Show Advanced Settings"
  6. Enable the Checkbox that says "Enable Single Logout"
  7. Under "Single Logout URL", enter: "https://[WS1Tenant]/SAAS/auth/saml/slo/response"
  8. Under SP Issuer, copy the value you have configured for Audience URI (SP Entity ID). This value should be: "https://[WS1Tenant]/SAAS/API/1.0/GET/metadata/sp.xml"
  9. Under "Signature Certificate", browse to the location where you downloaded the Workspace ONE certificate in the previous steps.
  10. Click Upload Certificate
  11. Click Next
  12. Click Finish
  13. Click on the "Sign On" tab
  14. Click on Identity Provider Metadata
  15. You will notice that your Identity Provider Metadata now includes the SingleLogoutService.
  16. Copy this metadata.

Now switch back to Workspace ONE.

  1. Go to Identity & Access Management
  2. Click on Identity Providers
  3. Click on the Okta 3rd Party IDP you previously created
  4. Paste your new Okta Metadata and click "Process IdP Metadata"
  5. Scroll down to "Single Sign-out Configuration" and check "Enable". (Note: Make sure the other two values are left blank)

Now you should be able to log out from Workspace ONE and be signed out of both solutions.
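As an added example (not Okta's or VMware's code), the following Python script performs the metadata check from step 15 programmatically: it parses IdP metadata and reports whether a SingleLogoutService and a signing certificate are present. Both metadata documents are constructed samples with placeholder entity IDs, URLs and certificate text.

```python
"""Added example (not Okta's or VMware's code): parse SAML IdP metadata and report
whether it carries the SingleLogoutService that Workspace ONE needs for single
logout.  Both metadata documents below are constructed samples; the entity ID,
host names and certificate text are placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def _idp_descriptor(metadata_xml: str) -> ET.Element:
    idp = ET.fromstring(metadata_xml).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    return idp


def slo_endpoints(metadata_xml: str) -> list:
    """(Binding, Location) pairs of every SingleLogoutService in the IdP metadata."""
    idp = _idp_descriptor(metadata_xml)
    return [(e.get("Binding", ""), e.get("Location", ""))
            for e in idp.findall("md:SingleLogoutService", NS)]


def has_signing_key(metadata_xml: str) -> bool:
    """True when the IdP publishes a signing certificate (needed to verify its
    LogoutRequest/LogoutResponse signatures).  A KeyDescriptor without a 'use'
    attribute is valid for both signing and encryption, so it counts."""
    for kd in _idp_descriptor(metadata_xml).findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing" and \
                kd.find(".//ds:X509Certificate", NS) is not None:
            return True
    return False


def slo_findings(metadata_xml: str) -> list:
    """Human-readable findings; an empty list means the metadata is ready for SLO."""
    findings = []
    endpoints = slo_endpoints(metadata_xml)
    if not endpoints:
        findings.append("no SingleLogoutService: Workspace ONE logout will leave the Okta session active")
    for binding, location in endpoints:
        if binding not in (REDIRECT, POST):
            findings.append(f"unsupported SLO binding {binding}")
        if not location.startswith("https://"):
            findings.append(f"SLO endpoint is not HTTPS: {location}")
    if not has_signing_key(metadata_xml):
        findings.append("no signing certificate: logout messages from the IdP cannot be verified")
    return findings


# Constructed samples.  "idp.example.com" and the certificate text are placeholders.
_CERT = "MIIC-placeholder-not-a-real-certificate"
METADATA_DEFAULT = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="http://www.okta.com/placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/app/placeholder/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Same metadata after "Enable Single Logout" was switched on in Okta.
METADATA_WITH_SLO = METADATA_DEFAULT.replace(
    "</md:IDPSSODescriptor>",
    f'  <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/app/placeholder/slo/saml"/>\n'
    "  </md:IDPSSODescriptor>")

if __name__ == "__main__":
    for name, doc in (("default", METADATA_DEFAULT), ("with SLO", METADATA_WITH_SLO)):
        print(name, slo_findings(doc) or "ok")
```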

Using Workspace ONE with Microsoft Authenticator


We come across this scenario quite often: customers want to leverage Microsoft Authenticator when using Workspace ONE UEM and/or Horizon.

In this blog, I'd like to go through the various options and outline the user experience with each of them.

The main use cases we see are:

  • Microsoft MFA for Horizon Desktop
  • Microsoft MFA for SaaS Applications federated directly with Workspace ONE.
  • Microsoft MFA for Device Enrollment in Workspace ONE UEM
  • Microsoft MFA for SaaS Applications federated with Azure AD. (Including Office 365)

There are 3 integration options that you can consider to integrate Microsoft Authenticator with Workspace ONE. The use cases previously mentioned can fit into one or more of the following integration options.

1. Azure AD as a 3rd Party IdP in Workspace ONE

Use Cases:

  • Microsoft MFA for Horizon Desktop
  • Microsoft MFA for SaaS Applications federated directly with Workspace ONE.
  • Microsoft MFA for Device Enrollment in Workspace ONE UEM

Use Cases not Supported:

  • Microsoft MFA for SaaS Applications federated with Azure AD. (Including Office 365)

In this option, the following needs to be configured:

  • Azure AD configured as a 3rd Party IdP in Workspace ONE
  • Workspace ONE configured as an enterprise app in Azure
  • Conditional Access Policy Configured in Azure AD to require Microsoft Authenticator for the Workspace ONE Application.

Let's walk through the authentication flow in this option:

  1. The user will access their Horizon Desktop (or any application that is federated directly with Workspace ONE).
  2. The application will send a SAML Authentication Request to Workspace ONE
  3. Assuming the access policy in Workspace ONE is configured for Azure Authentication, the user will be redirected to Azure AD.
  4. The user will enter their email address.
  5. Assuming the domain is not currently federated with another IdP, Azure will prompt the user to enter their password.
  6. Azure conditional access policies will then trigger for Microsoft MFA.
  7. The user will be returned to Workspace ONE and subsequently authenticated to Horizon. (Note: Horizon should be configured with TrueSSO for optimal user experience).

2. Workspace ONE as a Federated Domain in Azure AD

Use Cases:

  • Microsoft MFA for SaaS Applications federated with Azure AD. (Including Office 365)

Use Cases not supported:

  • Microsoft MFA for Horizon Desktop
  • Microsoft MFA for SaaS Applications federated directly with Workspace ONE.
  • Microsoft MFA for Device Enrollment in Workspace ONE UEM

In this option, the following needs to be configured:

  • Azure domain must be federated to Workspace ONE
  • Conditional Access Policy Configured in Azure AD to require Microsoft Authenticator for the Workspace ONE Application.
  • Mobile SSO/Certificate Authentication Configured in Workspace ONE

Let's walk through the authentication flow in this option:

  1. The user will access Office 365 (or any application federated with Azure AD).
  2. The user will enter their email address.
  3. The user will be redirected to Workspace ONE
  4. Workspace ONE will authenticate the user using Mobile SSO, Certificate or some other authentication mechanism (as well as checking device compliance).
  5. Workspace ONE will respond with a successful response back to Azure AD.
  6. Azure conditional access policies will then trigger for Microsoft MFA.
  7. The user will be successfully authenticated into Office 365 (or other Azure federated application).

3. Workspace ONE with Microsoft Azure MFA Server

Use Cases:

  • Microsoft MFA for Horizon Desktop
  • Microsoft MFA for SaaS Applications federated directly with Workspace ONE.
  • Microsoft MFA for Device Enrollment in Workspace ONE UEM
  • Microsoft MFA for SaaS Applications federated with Azure AD. (Including Office 365)*

          *For Office 365 (and other apps federated with Azure), the Azure domain must be federated with Workspace ONE.

Use Cases not supported:

  • N/A

In this option, the following needs to be configured:

  • Azure MFA Server downloaded and installed on premises.
  • Workspace ONE Connector installed on premises.
  • Workspace ONE configured as a RADIUS client in Azure MFA Server

Let's walk through the authentication flow in this option:

  1. The user will access any application federated with Workspace ONE (or a Horizon/Citrix application).
  2. Workspace ONE will prompt for their username/password
  3. After clicking "Sign-In", a RADIUS call via the connector will be made to the Microsoft Azure MFA Server
  4. The MFA server will push a notification to the device to approve the request:

Workspace ONE - How to Configure IOS Mobile SSO


In this blog post, we will walk through the steps to configure iOS Mobile SSO.

I will be assuming that your Workspace ONE UEM and Workspace ONE Identity Manager environments have not been previously integrated.

This blog will assume that you already have an Enterprise Cloud Connector installed and syncing with Workspace ONE UEM.

In this blog, we'll cover:

  1. Configure Workspace ONE Identity in the UEM Console
  2. Enable Active Directory Basic
  3. Enable Mobile SSO
  4. Basic Troubleshooting

Validation of Pre-requisites

  1. Log into Workspace ONE UEM -> Global Settings -> All Settings -> System -> Enterprise Integration -> Cloud Connector
  2. Ensure AirWatch Cloud Connector is enabled
  3. Perform a Test Connection. Make sure the connection is active
  4. Click on Directory Services from the left menu
  5. Ensure your directory has been configured and you can perform a successful test connection
  6. Close Settings and go to Accounts in the main left menu of Workspace ONE UEM.
  7. Make sure you have users being synchronized into Workspace ONE UEM

Step 1: Configure Workspace ONE Identity in the UEM Console

Although this step is not absolutely required to get Mobile SSO working, I highly recommend you configure it, as it's required for Device Compliance, Unified Catalog and UEM Password Authentication.

In previous versions of Workspace ONE UEM, there was a lot of manual configuration required to enable Workspace ONE Identity. Using the wizard in Workspace ONE UEM we can automate a lot of these tasks.

Click on Getting Started

  1. Under Workspace ONE -> Begin Setup
  2. Under Identity and Access Management -> Click Configure for "Connect to VMware Identity Manager"
  3. Click Continue
  4. Enter your Tenant URL, User name, and Password
  5. Click Save
  6. If you check your Workspace ONE Identity tenant, you will see that the AirWatch configuration has been completed: Identity & Access Management -> Setup -> AirWatch

Step 2: Enable Active Directory Basic

VMware recommends you download and install the VMware Identity Manager connector to synchronize users from your Active Directory to Workspace ONE Identity. However, for the purpose of this blog we are going to leverage the built-in capabilities of Workspace ONE UEM to provision users directly into Workspace ONE Identity.

  1. In Workspace ONE UEM, Groups & Settings -> All Settings -> System -> Enterprise Integration -> VMware Identity Manager -> Configuration
  2. You will see under the server settings that "Active Directory Basic" is disabled
  3. Click "Enabled" beside Active Directory Basic
  4. You will be prompted to enter your password
  5. Click Next
  6. Enter a name for your directory (This will be the name of the directory in Workspace ONE Identity). You can leave Enable Custom Mapping at standard
  7. Click Save
  8. If everything worked successfully, you should see a new directory appear in Workspace ONE Identity with your synchronized users.

Step 3: Enable Mobile SSO

  1. Let's go back to the "Getting Started" section of Workspace ONE UEM
  2. Under Workspace ONE -> Continue
  3. Under Identity & Access Management -> Mobile Single-Sign-On, click Configure
  4. Click "Get Started"
  5. Click Configure to use the AirWatch Certificate Authority
  6. Click Start Configuration
  7. Click Finish when complete
  8. Click Close

Basic Troubleshooting

There are a variety of reasons that Mobile SSO can fail. Let's go over a few of the common ones.

  1. You are prompted for a username/password or the Workspace ONE Domain chooser when doing Mobile SSO
    The problem here is that Mobile SSO has failed and Workspace ONE Identity is triggering the fallback authentication mechanism. For the purpose of troubleshooting, I recommend removing the fallback mechanism. In the iOS Policy, remove Certificate Authentication and Password (Local Directory). When you test again you will be prompted with an error message instead.
  2. You are prompted with an error message "Access denied as no valid authentication methods were found"
    a) Check to make sure the "Ios_Sso" profile was pushed to the device. By default, when the profile is created it does not have an assignment group. If not, create a smart group, assign the profile and publish.
  3. You received the error "The required field “Keysize” is missing" when deploying the iOS Mobile SSO Profile
    Something went wrong with the import of the KDC Certificate from Workspace ONE Identity to UEM.
    a) Log into Workspace ONE Identity -> Identity & Access Management -> Identity Providers -> Built-In and download the KDC Certificate
    b) Now switch back to UEM, Devices -> Profiles & Resources -> Profiles
    c) Edit the iOS Profile
    d) Click Credentials and re-upload the KDC Certificate.
  4. You received the message "Kerberos NEGOTIATE failed or was cancelled by the user"
    Unfortunately this is a catch-all error message for Mobile SSO failures and could be many things. I'll try to cover some of the common reasons here:
    a) In Workspace ONE UEM, check your iOS Mobile SSO profile -> Single Sign-on. Verify the Realm is correct. For production it should be "VMWAREIDENTITY.COM". However, if you have a localized cloud tenant this can be different (VMWAREIDENTITY.EU, VMWAREIDENTITY.ASIA, VMWAREIDENTITY.CO.UK, VMWAREIDENTITY.COM.AU, VMWAREIDENTITY.CA, VMWAREIDENTITY.DE). For non-production, you might be on the vidmpreview.com domain. If this is the case, it should be "VIDMPREVIEW.COM"
    b) When you use the wizard to create the Mobile SSO configuration, it will automatically add the application bundle IDs where Mobile SSO is allowed. You will need to either enter all your application bundle IDs into the profile or optionally delete them all. If you don't specify the bundle IDs, it will allow them all. I recommend that for a POC you leave this blank.
    c) Mobile SSO on iOS is based on Kerberos. The Kerberos negotiation works over port 88 on UDP. Ensure that your firewall is not blocking this port.
    d) The built-in AirWatch Certificate Authority uses the username (usually sAMAccountName) as the principal name on the certificate provisioned to the device. The Kerberos negotiation will use the username to formulate a user principal name, which needs to match in Workspace ONE Identity. A problem can occur when organizations define their UPN with a different prefix than the sAMAccountName, for example if my username is "jdoe" but my UPN is "john.doe@domain.com". In this scenario, Mobile SSO will fail, and we can:
    i) Sync the correct UPN prefix as a custom attribute into Workspace ONE UEM and provision that on the certificate
    ii) Sync sAMAccountName as the UPN in Workspace ONE Identity (Note: This can have potential issues with downstream applications, but you can always pull the UPN as a custom attribute as well)
    iii) Use a custom certificate authority in Workspace ONE UEM and configure a Kerberos template with the correct values.

Workspace ONE - AirWatch Provisioning App


The AirWatch Provisioning App within Workspace ONE is still relatively new and although it has its quirks, it can still be useful in certain use cases.

So what is the AirWatch Provisioning App used for?

The app is designed for the use cases where there is no on-premises LDAP server that can be used with the Workspace ONE UEM Cloud Connector to synchronize users. This app can be used when users are created in Workspace ONE Identity via SCIM or JIT. Workspace ONE Identity will then create the users in Workspace ONE UEM.

Let's first discuss some important information about using the AirWatch Provisioning App in Workspace ONE:

  • Currently, Workspace ONE will only provision at the top level (Customer) Organization Group (OG) in Workspace ONE UEM.
  • An LDAP Server can NOT be configured at the top level OG in Workspace ONE UEM (unless the users exist in the directory that will be created - but if this is the case, you shouldn't be using the provisioning adapter)
  • Workspace ONE Identity needs to be configured as a SAML Provider at the top level OG.
  • If you are using JIT to create users in Workspace ONE Identity, you MUST send a valid GUID to Workspace ONE as part of the SAML attributes. This is required if you plan on using the Workspace ONE Hub native application to enroll your device. This GUID will be mapped to the External ID and provisioned to Workspace ONE UEM.
  • If you are using JIT to create users in Workspace ONE Identity, you need to use a web browser to log into Workspace ONE initially before using the Workspace ONE Hub native app. This limitation is because the user needs to exist in UEM at the time of enrollment.

Step 1: Export your Workspace ONE IDP Metadata

  1. Log into Workspace ONE Identity and go to Catalog -> Settings
  2. Click on SAML Metadata
  3. Download your "Identity Provider (IdP) metadata"

Step 2: Configure UEM to use SAML Authentication

  1. Log into Workspace ONE UEM
  2. Go to Groups & Settings -> All Settings -> System -> Enterprise Integration -> Directory Services
  3. Ensure Directory Type is set to "None"
  4. Enable "Use SAML for Authentication"
  5. Under Enable SAML Authentication for*, check Self-Service Portal and Enrollment.
  6. Enable "Use New SAML Authentication Endpoint"
    Note: This step might be a bit confusing as to why we have to configure UEM in this manner. It was confusing to me at first. The provisioning adapter in Workspace ONE Identity will leverage the REST API to create accounts in UEM. To create user accounts in UEM (of Directory Type), it requires that either a Directory is configured or SAML is enabled. As mentioned earlier, we can not enable a directory, so we essentially have to configure SAML.
  7. In the SAML 2.0 section, click Upload to Import Identity Provider Settings
  8. Select the metadata you downloaded in Step 1.
  9. Scroll down and click Save.

Step 3: Add AirWatch Provisioning App in Workspace ONE Identity

  1. In Workspace ONE Identity, go to Catalog -> New
  2. Browse from the Catalog and select "AirWatch Provisioning"
  3. Click Next
  4. Edit the Single Sign-On URL and Recipient URL with your UEM server
  5. Keep the "default_access_policy_set" and Click Next
  6. Click Save
  7. Select the AirWatch Provisioning App and Click Edit
  8. Click Next
  9. On the Configuration Tab, enable "Setup Provisioning"
  10. Click Next
  11. Enter your AirWatch Device Services URL
  12. Enter your Admin Username
  13. Enter your Admin Password
    Note: Whenever you edit this application be very careful of Chrome's password auto-fill. It will update the password if you have one saved in Chrome. After you hit Test Connection it will revert back to your saved password in Chrome.
  14. Enter your AirWatch API Key
    Note: If you don't have an API Key, in UEM go to Groups & Settings -> All Settings -> System -> Advanced -> API -> REST API
    Click Override -> Add
    Provide a Service Name with the account type of Admin. Copy the API Key.
  15. Enter your top level OG Group ID
  16. Click Test Connection and validate connectivity.
  17. Click Enable Provisioning
  18. Verify the mappings are correct. If you are using JIT, make sure all these attributes have come over in the SAML assertion.
  19. Under Group Provisioning, add any groups you want to provision to UEM.
  20. Click Next
  21. Click Save

Note: If you get an error when saving, please see the note earlier about Chrome's password auto-fill.

Step 4: Entitle Users to the AirWatch Provisioning App

You have the option of entitling users individually or using a group. If you are using JIT you might want to consider using a dynamic group.

  1. Click the Assign button on the AirWatch Provisioning App
  2. Search for the user and/or group
  3. Under "Deployment Type" you MUST select Automatic. If you leave the default "User Activated" it will never get provisioned to the user.

Step 5: Create a Dynamic Group (Optional)

If you are using JIT to create users in Workspace ONE, it is easier to create a dynamic group and assign that group to the provisioning adapter.

  1. Click on "Users & Groups"
  2. Click on Groups
  3. Click Add Group
  4. Provide a group name and Click Next
  5. Do not select any users and Click Next
  6. Under Group Rules, you can either choose based on the JIT Directory that was created or the domain you chose for the JIT Users
  7. Click Next
  8. Click Next to exclude users
  9. Click Create Group

Troubleshooting

  1. If you receive the error "Error not provisioned" in the assignment screen and, when you hover over the error message, see "Failed to validate attributes while trying to provision user", this means that the values for the attributes you used in Attribute Mappings of the provisioning adapter configuration are either null or missing. Please make sure you create the user in Workspace ONE Identity with all the necessary attributes to create the account in Workspace ONE UEM. This includes the External ID. Please see the note at the beginning of the blog regarding the External ID.
  2. While trying to enroll your device with the Hub application you receive a generic error like "An Error has occurred". See the note about External ID.
  3. When trying to provision the Mobile SSO profile you receive an error that the PrincipalName contains an invalid value.
    This means that you have probably created the Workspace ONE UEM account with an email as the Username. When the Mobile SSO certificate payload was created, it used the username as the principal name on the certificate. Unfortunately iOS does not support the "@" character in the principal name. You have two choices to resolve this issue:
    a) In the AirWatch Provisioning Adapter mappings, use another attribute to represent the username that does not contain the @ sign. You might need to adjust the values being imported into Workspace ONE Identity (whether by JIT or via the connector).
    b) Use a lookup in Workspace ONE UEM to parse the prefix of the email address and use that in the certificate payload:
    Groups & Settings -> All Settings -> Devices & Users -> General -> Lookup Fields
    Add Custom Field
    Create a Name such as EmailNickName and use a regex such as ".+?(?=@)"
    You can then use "EmailNickName" in your Certificate Payload
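As an added example (not VMware's code), this Python script runs the two principal-name checks from this troubleshooting section and from item 4d of the iOS Mobile SSO troubleshooting post above: whether the UEM username contains an "@" (and what the EmailNickName lookup regex would yield), and whether the username matches the UPN prefix. The user records are constructed and the function names are mine.

```python
"""Added example (not VMware's code): pre-flight checks for the two Mobile SSO
principal-name failures described in the provisioning troubleshooting section and
in item 4d of the iOS Mobile SSO troubleshooting post.  The user records are
constructed samples; the function names are this example's own."""
import re

# The regex from the post's EmailNickName lookup field: everything before the "@".
EMAIL_NICKNAME_RE = re.compile(r".+?(?=@)")


def email_nickname(value: str):
    """Value the EmailNickName lookup field would produce, or None if there is no '@'."""
    m = EMAIL_NICKNAME_RE.match(value)
    return m.group(0) if m else None


def certificate_principal(user: dict) -> str:
    """Principal to put on the Mobile SSO certificate so it matches the UPN (remedy i
    in the troubleshooting post): the UPN prefix, which by construction has no '@'."""
    prefix = email_nickname(user["upn"])
    if prefix is None:
        raise ValueError(f"UPN without '@': {user['upn']}")
    return prefix


def mobile_sso_issues(user: dict) -> list:
    """Reasons this UEM user would fail iOS Mobile SSO; an empty list means it looks fine."""
    issues = []
    username = user["username"]
    # Failure 1 (provisioning post, item 3): iOS rejects '@' in the certificate PrincipalName.
    if "@" in username:
        issues.append(f"username '{username}' contains '@'; iOS rejects it as the certificate "
                      f"PrincipalName (EmailNickName lookup would give '{email_nickname(username)}')")
        return issues
    # Failure 2 (Mobile SSO post, item 4d): the Kerberos principal is formed from the
    # certificate principal, so it must equal the UPN prefix Workspace ONE Identity holds.
    upn_prefix = user["upn"].split("@", 1)[0]
    if upn_prefix != username:
        issues.append(f"username '{username}' differs from UPN prefix '{upn_prefix}'; "
                      f"the Kerberos principal will not match Workspace ONE Identity")
    return issues


def audit(users: list) -> dict:
    """Map each username to its list of Mobile SSO issues."""
    return {u["username"]: mobile_sso_issues(u) for u in users}


# Constructed sample users mirroring the cases the two posts describe.
SAMPLE_USERS = [
    {"username": "jdoe", "upn": "john.doe@domain.com"},                # UPN prefix mismatch
    {"username": "asmith", "upn": "asmith@domain.com"},                # fine
    {"username": "jane.roe@domain.com", "upn": "jane.roe@domain.com"}, # email used as username
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_USERS).items():
        print(name, "->", problems or "ok")
```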

Building a simple DNS server on VMware Photon OS 3.0 (dnsmasq)

Let's build a simple DNS server on VMware Photon OS 3.0.

This time we use dnsmasq, which is available in the Photon OS RPM repository.

Preparing Photon OS

Deploy the Photon OS OVA provided by VMware.

This time I used the "OVA with virtual hardware v13 (UEFI Secure Boot)".

Downloading Photon OS · vmware/photon Wiki · GitHub

Deploy the OVA file and power it on.

Then log in as root / changeme and change the initial password.

root@photon-machine [ ~ ]# cat /etc/photon-release
VMware Photon OS 3.0
PHOTON_BUILD_NUMBER=26156e2

Change the host name to something easy to recognize (lab-dns-01 here).

After logging in again, the host name is reflected in the bash prompt as well.

root@photon-machine [ ~ ]# hostnamectl set-hostname lab-dns-01

The network settings use DHCP.

Building the DNS server (dnsmasq)

First, install dnsmasq.

root@lab-dns-01 [ ~ ]# tdnf install -y dnsmasq
root@lab-dns-01 [ ~ ]# rpm -q dnsmasq
dnsmasq-2.79-2.ph3.x86_64

dnsmasq can serve entries in the hosts file as DNS records.

Write the DNS record information into the /etc/hosts file.

root@lab-dns-01 [ ~ ]# echo '192.168.1.20 base-esxi-01.go-lab.jp' >> /etc/hosts
root@lab-dns-01 [ ~ ]# echo '192.168.1.30 lab-vcsa-01.go-lab.jp' >> /etc/hosts
root@lab-dns-01 [ ~ ]# tail -n 2 /etc/hosts
192.168.1.20 base-esxi-01.go-lab.jp
192.168.1.30 lab-vcsa-01.go-lab.jp

Start dnsmasq.

root@lab-dns-01 [ ~ ]# systemctl start dnsmasq
root@lab-dns-01 [ ~ ]# systemctl is-active dnsmasq
active
root@lab-dns-01 [ ~ ]# systemctl enable dnsmasq
Created symlink /etc/systemd/system/multi-user.target.wants/dnsmasq.service → /lib/systemd/system/dnsmasq.service.

If you edit the hosts file, restart the dnsmasq service.

root@lab-dns-01 [ ~ ]# systemctl restart dnsmasq

Open the DNS port in iptables.

Instead of using the iptables-save command, you can also persist the iptables configuration by appending "-A INPUT -p udp -m udp --dport 53 -j ACCEPT" directly to the /etc/systemd/scripts/ip4save file.

root@lab-dns-01 [ ~ ]# iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
root@lab-dns-01 [ ~ ]# iptables-save > /etc/systemd/scripts/ip4save
root@lab-dns-01 [ ~ ]# systemctl restart iptables

Note that this rule only opens UDP; dnsmasq also listens on TCP port 53, which clients fall back to for responses that do not fit in a single UDP datagram, so add an equivalent -p tcp rule if your lab needs that.

Verifying name resolution

Install bindutils on another Photon OS 3.0 machine.

root@photon-machine [ ~ ]# tdnf install -y bindutils

bindutils includes the nslookup and dig commands.

root@photon-machine [ ~ ]# rpm -ql bindutils
/etc/named.conf
/usr/bin/dig
/usr/bin/host
/usr/bin/nslookup
/usr/lib/tmpfiles.d/named.conf
/usr/share/man/man1/dig.1.gz
/usr/share/man/man1/host.1.gz
/usr/share/man/man1/nslookup.1.gz

Confirm that the registered records can be resolved.

Here we check "lab-vcsa-01.go-lab.jp" and "192.168.1.30" with forward and reverse lookups.

"192.168.1.15" is the address of the DNS server on which dnsmasq was installed.

root@photon-machine [ ~ ]# nslookup lab-vcsa-01.go-lab.jp 192.168.1.15
Server:         192.168.1.15
Address:        192.168.1.15#53

Name:   lab-vcsa-01.go-lab.jp
Address: 192.168.1.30

root@photon-machine [ ~ ]# nslookup 192.168.1.30 192.168.1.15
30.1.168.192.in-addr.arpa       name = lab-vcsa-01.go-lab.jp.

This gives you a DNS server you can use in a lab and similar environments.

That was a look at turning Photon OS 3.0 into a DNS server.
