Boxer and SCL Restrictions

What needs to be checked to restrict transfer of mail attachments and files transmission between Boxer and SCL for iOS and Android:

1.  To restrict transfer of documents in specific controlled apps, on Organization Group level: a. Allow DLP – SCL-step2 functionality

b.  Search for and add Boxer for iOS/Android – SCL-step3

2. Next step for devices in Organization Group: a.  Create a new profile for all devices of a group – SLC-step4.

b.  Turn off “Allow documents from managed sources in unmanaged destinations”  – SCL-step5

1.  To restrict transfer of files from SCL into Boxer the file share, connected to SCL, has to be configured in the Security tab - SCL-step6:

a.  Allow Open in Email = OFF b.  Allow Opent in Third Party Apps = ON

2.  Check that in the security profile properties, Enable Composing Email = No (SCL-step7).

Boxer and SSL for PoC

Boxer has 2 types of accounts:

• main – is being added on install, is usually configured with policies. Cannot be deleted.
• additional – is added by users if this is allowed by policies. Can be configured manually.

Variant 1 (recommended): server is signed by a cert, which was given by a inner CA (issued by =/= issued to)

Solution: on all devices in the test, you have to manually deploy the certificate chain in the trusted section:

iOS: http://longwhiteclouds.com/2013/01/03/installing-corporate-ca-certificates-on-iphone-or-ipad-for-use-with-vmware-view/

Android: https://support.google.com/nexus/answer/2844832?hl=en

Variant 2: server is signed by a self-signed cert (issued by == issued to)

Solution: use the first account to distribute policies from any public EMail. For example, Office365 from our VMTestDrive

1. After Boxer installation connect to the account provided by policies (VMTestDrive)
2. Choose Add Account (“Добавить аккаунт”) in Boxer left menu (IMG_1455.jpg)
3. Insert an address (IMG_1456.jpg) and later choose Manual configuration (“Ручная настройка”). Type -> Exchange Server.
4. See config in IGM_1457.jpg ang IGM_1458.jpg as an example of such a connection. It is important to choose SSL (Accept any certificates / “принимать любые сертификаты”).

5. Choose the default account (IMG_1459.jpg)

Boxer Copy-Paste

Boxer Copy&Paste restrictions in two ways

Unlike all other WS1 SDK-enabled Apps, Boxer has two different approaches to restrict Copy&Paste:

At the Assignment stage in App Policies, there is a Copy Paste setting. As a result, copy&paste functions will be denied in ANY directions

❗️Unrestricted personal mail accounts in Boxer still can be troublmakers in this case. Recommend to disable it

If you need to do more granular restriction you need to implement this on SDK profile

• Recommended to set Native Boxer DLP capability to Unrestricted. It can be Restricted for potential more secure way, but SDK settings must be enabled after this settings
• The Boxer App must be published with SDK-profile enable. We use the Default profile, but it should work with Custom SDK-profile as well
• Before actual install Apps on devices, you need setup SDK-profile: Authentication Type =/= Disable; SSO must be enabled
• In DLP section (Security Policies) you may enable Copy&Paste Into to get user possibility to copy from unmanaged messengers/notes/etc into Boxer emails

As a result, copy&paste functions will be denied only in the desired way: into or out from managed Apps

Boxer for Android Fingerprint

• VMware Boxer v 4.5+ for Android 
• AirWatch Console 9.0.5+

Following are the steps for fingerprint authentication on the Android Boxer app:

• In the Apps SDK settings (Groups & Settings > All Settings > Apps > Settings and Polices > Security Polices), enable the Biometric Mode.
• While deploying the Boxer app, enable the Application to use AirWatch SDK and Select the Global SDK for Android.
• In the Email settings, enable the Application Configuration and enter “AppForceActivateSSO” (without the quotes) under Configuration Key and Value Type as Boolean and Configuration Type as True.
• Make sure passcode is set as None 
• Push the boxer app to the device and download it from the Play Store

Boxer via Fiddler

From time to time it may be useful to troubleshoot Boxer, Inbox, and native mail issues using Fiddler. Fiddler will let you log all of the traffic between the device and the email server/SEG, etc, end-point. This is useful in proving that communication is happening and that some errors are being generated externally from the device (401, 403, etc…).

Configure the Windows 10 computer (which will act as the proxy) and an example Android device.

• Set your Windows 10 computer up as a mobile hotspot. On Windows 10, click on the start menu and type in “Mobile Hotspot”.
• Select “Change mobile hotspot settings”

• Configure your hotsptot settings and turn on the hotspot.

• Download and install Fiddler from https://www.telerik.com/fiddler

• In Fiddler, go to Tools\Options make these changes. See HTTPS sub-option

• Make these changes on the Connections sub-heading

• You will need your Proxy servers IP address to enter on the mobile device for later. To get this hover over the “online” option and view the list of IP addresses. In this example, I’ll be using 10.84.145.96.

Android

• On the mobile device, go to your wireless settings and long tap the right-hand side of the connection you want to connect to. This will by the wireless connection you set up on your computer. On Android, click on “Modify Network”.

• Enter the proxy hostname and proxy port information. The port will be 8888 if you kept the default settings for Fiddler.

iOS

On iOS use the following process to set the proxy

How to configure your iPad/iPhone proxy settings

1. Start the iPhone/iPad.
2. Tap on the Settings app. …
3. Tap on the Wi-Fi settings category. …
4. You will now be at the Wi-Fi network settings screen for the connected network. … 5. Tap on the Manual button. …
5. When you are done setting up your proxy server, tap on the Wi-Fi Networks button.

On the mobile device, go to the IP address of the proxy followed by :8888/fiddler. See the example below. Click on “FiddlerRoot Certificate” to download and install the certificate.

• In the Fiddler application, click on Tools\WinNet Options.

• Click on “Lan settings” and uncheck the “Use a proxy server…” from the following window.

• Click OK and OK. This will show a yellow bar on the Fiddler application indicating that it’s not collecting any traffic from the local computer in the logs. For your test, you will only want device traffic.

• You can clear the current logs by doing a CTRL-A and selecting everything.

• Now you can begin your replication testing.

ENS Basic Troubleshooting

Alive Check

Cloud-hosted ENS: https://ens-eu.getboxer.com/api/ens https://ens-eu.getboxer.com/api/ens/alive

Steps:

1. publickey request
   a. The device requests a public key to encrypt the account credentials with. It sends a hash of the email address as the userid. This helps identify the user and link together all user devices

2. subscribe
   a. device sends encrypted creds, user id (server created) and device apns token so ENS server has all the necessary pieces to subscribe and get notifications of new emails

3. push subscription
   a. ENS discovers endpoint based on creds and subscribes to exchange using a webhook link that contains the encrypted credentials ie: ens.airwatch.com/notify?id=&creds=<Base64(RSAEncrypted(username:password))>

4. new email notification
   a. Exchange sends notification of changes to the provided url.
   b. ENS extracts and decrypt creds and prepares call to fetch email

5. email fetch
   a. ENS performs a fetch for the email

6. push email
   a. ENS finds user devices with the user id and pushes email details to CNS for delivery to all user devices

On-prem ENS: https://_ENS_HOST/MailNotifications/api/ens https://_ENS_HOST/MailNotifications/api/ens/alive

Registration Interaction

The following diagram shows in more detail a registration/new email interaction between the client, ENSv2 and the exchange server. This diagram shows in more detail how we can use credentials without keeping them saved inside the ENSv2 environment.

ENSv2 Database Details - see Article

Locale

Boxer - Add Assingment

Network

ENSLINKAddress On-Premise, should point to the externally accessible hostname pointed to ENS service. A support ticket has to be made with VMware Airwatch to request API token (internally the support reaches out to Boxer product manager and requests API key).

MS Exchange Server

User agent is configured for ENSv2 on MS Exchange Server CAS role. User agent must have access to receive data from MS Exchange, or ENS will not be able to receive PUSH notifications.

Troubleshooting

ENSLINKAddress for On-Premise installation should point it correctly to the customer’s externally accessible hostname pointed to ENS service.

Autodiscovery errors showing on logs.

• Make sure that the EWSUrl key is configured in the console with a correct value for the EWS url for their exchange environments.
  Test it out by opening it on the browser and making sure you are prompted for credentials.
  Tip

  Alternatively they can just turn ON autodiscovery on their environment.

Authentication errors (401s)

• Check what type of authentication is enabled in EWS? Make sure it has parity with whatever they are using for ActiveSync (Basic, OAuth, CBA) as Boxer will be the one to pass whatever type of credentials it has to ENS to use against EWS.
• Verify the EWSUrl is correct and resolves to Exchange environment and test the credentials used by navigating to the EWS URL and testing them there.
• Run “Outlook Connectivity Tests” on https://testconnectivity.microsoft.com
  Tip

  Try the Exchange Server or Office 365 tabs accordingly

ENSv2 not sending notifications but no logs found on help portal.

• Verify the ENSAPIToken key is correct in the console configuration.

• Verify the ENSLinkAddress key is correct in the console configuration

  Tip

  Try appending the “alive” endpoint for the environment and make sure it responds.

• Verify the EWSUrl is correctly configured with a valid EWS value.

• Verify that ENSv2 servers have inbound access to their EWS environment (firewall may be blocking access, they need to open the corresponding IPs)

• Verify that EWS can send outbound traffic to the corresponding ENSv2 domain (https://.getboxer.com/api/ens)

General FAQ

• **How are credentials or authentications tokens handled?
  **
  • Although the client does share the credentials/tokens with the ENSv2 environment upon registration, they are not kept (saved anywhere) by AirWatch servers. Rather, the Exchange server passes them back to AirWatch, encrypted, as part of a notification it sends whenever a new email is available. From that notification (Exchange -> ENSv2), ENS decrypts the credentials and uses them to make any requests necessary to the Exchange server. After performing any necessary requests, the credentials are once again discarded.

• If credentials are not persisted, is there any data persistent at all by ENS? How is it secured?
  • There is a secure database that keeps a list of devices and a list of public private key pairs used to unencrypt the credentials when they come from Exchange;
  • Logs are also kept to aide in debugging issues and monitoring the system. These don’t contain any customer’s private information and access to them is also tightly secured via account permissions.
• What data is transmitted through the ENS server without being persisted? How is it secured?
  • User credentials (encrypted with RSA encryption)
  • Email subject and sender (sent via HTTPS)
  • All communication is done via HTTPS
• What additional cloud services does ENS depend on?
  • AWS Simple Notification Service (SNS) for push notification handling.
  • Apple Push Notification Service (APNS) as it is the only way to pass notifications to Apple devices.
  • AWS Relational database service (RDS) for data persistence.
• What is the user agent used by ENSv2 when sending requests to Exchange?
  • MailNotificationService/v2 (ExchangeServicesClient/15.00.0913.015+ (will change as new libraries from Microsoft are released)
• What email folders does ENSv2 monitor for incoming messages and actions?
  • Currently, ENSv2 only monitors each user’s Inbox folder.

Load Balancing ENSv2

For HA, it is recommended to load balance several ENS web servers as needed following the Hardware Requirements. All web servers should point to the same database server as this will be their shared source of state for each of the clients.

Since the ENS web application itself is stateless there are no requirements to configure any session handling (stickiness) in the loadbalancer so a straightforward configuration should suffice.

Integration - Microsoft IRM-RMS

RMS features in Boxer

According to Boxer User Guide for iOS 4.5.1, Boxer User Guide for Android 4.5.0

Main features

• Edit
• Reply
• Reply All
• Forward
• Copy-Paste
• Modify recipients
• Extract
• Print
• Export
• Content Expiry Date

Other Features

• Press and hold an email message to copy and paste it into the application.
• You cannot copy data from the Boxer application and paste anywhere outside the application. However, you can copy data from outside the application and paste into the Boxer application.
• If your email message has contact number details, tap hold on the number to immediately dial it.
• If restricted by your administrator, attachments may open through the VMware Content Locker and other AirWatch approved apps. Hyperlinks may open only through the VMware Browser.
• If configured by your administrator, you can preview emails and their attachments within Boxer (See Boxer supported files’ types).
• On the attachment preview screen, the Share icon will be unavailable. When tapped on Share icon, you are presented with a toast message “Disabled by your admin”.
• After performing an action on an email while viewing it, you can have Boxer either advance to the next message, the previous message, or return to the conversation list. This setting can be configured from Mail settings (navigate to Settings > Mail > More mail settings > Auto Advance).

RMS Attachments

Boxer does not open RMS-restricted attachments - it transmits them to Content Locker. To use Content Locker on iOS device, the following has to be done:

1. Root certificate must be placed on device

2. In new iOS version the root Trust has to be ACTIVATED in a special menu option

3. In order for Content Locker to access RMS attachments, it must be registered on the ADFS server with this command:

Add-AdfsClient -Name "<App name>" -ClientId "<ID name>" -RedirectUri "<RedirectUri>"

Example: Client ID for VMware Content Locker for iOS is e9fcfce0-a20b-4d34-b580-909332723090

Powershell for MEM

Linked Articles

• Allowlist and Blacklist

  Powershell Allowlist and Blacklist

• Mailbox sync

  Powershell Mailbox Sync

• Run Compliance

  Powershell Run Compliance

EMail Architectures

Common Powershell Commands

Initializing a Session

This command is used for AirWatch to initialize a session. The two parameters required as the $creds and the PowerShell endpoint.

> $cred = Get-Credential

> $session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri “https://<mailserver>/powershell” –Credential  
$cred –Authentication Basic –AllowRedirection

> Import-PSSession $session

Look at a user’s basic mailbox information

This command pulls basic information about a mailbox using an email address as the identity.

> Get-CASMailbox –identity “userguy” | fl

Viewing a user’s list of devices

This command will list each device partnered with the CasMailbox.

> Get-ActiveSyncDevice –mailbox “userguy” | fl (2010)  
> Get-MobileDevice –mailbox “userguy” | fl (2013+)  

Additional device information

WS1 UEM does not pull from this listing, however, you can find some additional details (ex: when the device last synced) from this table.

> Get-ActiveSyncDeviceStatistics –mailbox “userguy” | fl

Setting ActiveSync Devices to Allowed/Blocked

This is the form of a cmdlet used to issue an Allow/Block command to Exchange. This will insert “DeviceIDX” into the appropriate list.

> Set-CasMailbox –identity “userguy” –ActiveSyncAllowedDeviceIDs @{Add = “DeviceId1”} 
> Set-CasMailbox –identity “userguy” –ActiveSyncBlockedDeviceIDs @{Add = “DeviceId2”}

Selecting specific information or exporting data

This command is helpful when comparing AirWatch data to Exchange data.

> Get-ActiveSyncDevice –ResultSize Unlimited | Select-Object  
DeviceID, DistinguishedName, DeviceType | Export-CSV  
ASD_selection.csv

WS1 UEM with Office 365

Disable the native access in O365 -> redirect to WS1 UEM First-time access will be denied, PowerShell command will be sent to O365 to whitelist the device, 2-3min later the email will flow

Set WS1 UEM as IDP to control other ways of accessing (Exchange Web Access, OWA etc)

This lacks some features (encrypt attachments, strip attachments etc), but can be mitigated using Boxer Needs ESC between Cloud AW and On-Prem Exchange

AW-PS Service Account
Remote Shell access to the Exchange Server associated mailbox on the server to issue remote commands

Required PowerShell roles: Mail Recipients Organization Client Access Recipient Policies Settings –> Email –> Email Settings Configure - Direct

Features:

• Configure email over-the-air
• Block unmanaged devices
• Discover existing unmanaged devices
• Require device encryption
• Prevent compromised devices
• Block mail client, user, device model or OS
• Integrate or revoke certificates

SEG on Windows Proxy

External Link

SEG Guide - VMware AirWatch SEG Guide

Prevent usage of Native EMail on enrolled devices

Problem: Users can gain access to Exchange ActiveSync from uncontrolled devices and mail clients on them. Usage of SEG solves the problem of uncontrolled devices access.

You can enforce using Boxer/Inbox by creating an email compliance policy from the AirWatch console:

Email> Compliance Polices > General Email Policies > Mail Client

SEG as MS Exchange OWA Proxy

You can restrict mobile traffic to seg.company.com by installing IP and Domain restrictions on the IIS on the Exchange server, and then enable IP filtering to deny everyone but the SEG on the ActiveSync endpoint on IIS. This will ensure all enrolled mobile devices will access email through SEG. You can also implement email policies to ensure that unmanaged devices do not access the SEG.

AirWatch cannot block access to OWA for unenrolled mobile devices since SEG does not manage OWA. The only way to do so would be checking through the AD for unenrolled users and preventing them from webmail access from there.

SEG Java Keystore

Default password for SEG Java Key store = changeit

SEG on Windows Java Memory

Resolution

• Upgrade to latest version of SEG (2.18+);
• Set the max heap size to 5Gb;
• Use Shenandoah as the garbage collection method.

Follow these steps to apply the settings:

1. Stop SEG service;
2. Go to SEG install directory and edit file SecureEmailGateway-2.18/service/conf/segServiceWrapper.conf
3. Update max heap to 5Gb, look for “Xmx” and update the property to: 

wrapper.java.additional.3=-Xmx5120m

4. Use Shenandoah GC, look for “#wrapper.java.additional.38” and in the next line add: 

wrapper.java.additional.39=-XX:+UseShenandoahGC
wrapper.java.additional.40=-Xlog:gc=debug:file=tmp/gc-%p-%t.log:time,level,tags:filecount=10,filesize=50m*

5. Save file and start the SEG service. 

• Observe the system resources once this change is placed + enable GC logs in the above settings.

If no issue is seen, then remove the GC logging setting by following these steps: 

1. Stop SEG service. 
2. Go to SEG install directory and edit file SecureEmailGateway-2.18/service/conf/segServiceWrapper.conf
3. Remove line: 

wrapper.java.additional.40=-Xlog:gc=debug:file=tmp/gc-%p-%t.log:time,level,tags:filecount=10,filesize=50m*

4. Save and start SEG service.

SEG Clustering

If multiple SEG servers are load balanced, single policy broadcast messages apply to only one SEG. This includes the messages sent from the AirWatch Console to SEG upon enrollment, compliance violation, or correction. Use Delta Sync with a refresh interval of ten minutes to facilitate newly enrolled or compliant devices. These devices experience a waiting period of maximum ten minutes before email begins to sync. Benefits of this approach include:

•  Updated policies from the same API source for all SEG servers. 
• Smaller performance impact on API server.  
• Reduced implementation or maintenance complexity compared to the SEG clustering model.   
• Fewer failure points as each SEG is responsible for its own policy sets.
•  Improved user experience. 
   

 SEG Clustering is also available to facilitate the sharing of single policy updates to all nodes of a SEG cluster.

SEG TLSv1

Please go through the following instructions in order to enable TLSv1.0 on SEG V2:

• Go to SEG installation directory -> {SEG_DIRECTORTY}/service/conf
• Edit file conf
• Look for following properties:

Property 1

wrapper.java.additional.9=-Djdk.tls.disabledAlgorithms=MD5\, RC4\, TLSv1\, SSLv2Hello\, SSLv3\, DSA\, DESede\, DES\, 3DES\, DES40_CBC\, RC4_40\, MD5withRSA\, DH\, 3DES_EDE_CBC\, DHE\, DH keySize < 1024\, EC keySize < 224

set this property as: (Removing TLSv1 from the disabled list):

wrapper.java.additional.9=-Djdk.tls.disabledAlgorithms=MD5\, RC4\, SSLv2Hello\, SSLv3\, DSA\, DESede\, DES\, 3DES\, DES40_CBC\, RC4_40\, MD5withRSA\, DH\, 3DES_EDE_CBC\, DHE\, DH keySize < 1024\, EC keySize < 224

Property 2

wrapper.java.additional.12=-Dhttps.protocols=TLSv1.1\,TLSv1.2

set this property as:

wrapper.java.additional.12=-Dhttps.protocols= TLSv1\,TLSv1.1\,TLSv1.2

• Restart SEG Service.

IBM ISAM

Notes on integration:

• Change the attribute where Distinguished Name in the AW Console is ‘distinguishedName’ to ’entryDN’ (see attached screenshot)
• This is Accessible from the AW Console from Groups & Settings > All Settings > System > Enterprise Integration > Directory Services

Microsoft Active Directory

nc -v LDAP-SERVER-IP 636
nc -v LDAP-SERVER-IP 3269

Integration

Go to Configuration > System Configuration > System > Enterprise Integration  > Directory Services

• Directory Type: Directory platform being utilized
• Server: Address of the directory services server
• Port: TCP Port for communication with directory services
• Protocol Version: Version of LDAP being used
• Bind Authentication Type: Protocol used to authenticate the LDAP session (GSS-NEGOTIATE recommended, gives auto-choice of Kerberos/NTLM)

Advanced config

• Search Subdomains: Search subdomains by LDAP chase referrals
• Connection/Request Timeout: Timeout setting per connection/request in seconds
• Search without Base DN: Enable to search without sending a base DN
• Use Recursive OID at Enrollment/Group Sync : Only supported by AD; used to obtain group membership during enrollment and not rely on the scheduler to run
• Object Identifier Data Type: Set the object ID type to string or binary. AD is binary by default while most other LDAPs are strings.
  Note

  In AirWatch 7.3+, the AD group structure itself is stored in the sync table, and if the user is shown to be a member of a nested group whose External ID is already stored in the table, the group membership will be reflected. The only flow unaccounted for is the group structure itself changes between scheduler iterations, in which at most there will be up to a 12 hour delay from when the user enrolls and is associated with the group after the group structure has changed.

Directory users mapping

• From Directory Services, navigate to User

• Specify the Base DN AirWatch uses to find users in the directory

• For User Search Filter, enter the parameters used to associate AirWatch user accounts with AD/LDAP accounts (&(objectCategory=person)(sAMAccountName={EnrollmentUser}))

• Select Show Advanced to display additional options

• Enable Auto Merge to consolidate changes made in the directory with AirWatch automatically

• Use Attributes to assign directory services information to the correct AirWatch fields

• Click Save

  Note

  All members of the Group or Organizational Unit from the directory are first synced into the dbo.UserGroupEnrollmentUserMapSync table by running the below LDAP query (for AD).

• Another query is run for all of the DN’s in the sync table to pull the actual user information from the directory: (&(objectCategory=person)(sAMAccountName=*)(|(distinguishedName={UserDN1})(distinguishedName={UserDN2})))

• When we sync User attributes, we query the directory for the users based on their ExternalID:
  (&(objectCategory=person)(sAMAccountName=*)(|(objectGUID={ExternalID1})(objectGUID={ExternalID2})))

• The User Group Membership Sync is the process by which we sync up the group membership for users from the directory. This will happen during a scheduler iteration if the Auto Sync option is enabled on the User Group and can be performed manually by clicking the Sync button on the User Group in the List View: (&(objectClass=group)(|(objectGUID={ExternalID1}) (objectGUID={ExternalID2}))

Sync interval

There are three primary scheduler jobs that sync up the group membership and user attributes:

1. LDAP Sync – the LDAP Sync job will sync the User Group membership.
2. Sync Directory Users – this job will sync up user attributes.
3. Sync Admin Users – this job will sync up admin attributes.

Auto sync

In production all LDAP based scheduler jobs are set to fire every 12 hours. It is not recommended to lower these values for On-Premise or Dedicated SaaS customers as setting the scheduler interval too low may cause performance issues in versions older than 7.1. If a customer requires a lower interval, it is recommended to run at least one sync, and pull the LastSyncTimeInMinutes column from the dbo.LDAPDefinition table to determine how long it takes to sync the Organization Group.

Manual sync

The Add Missing Users, User Group Membership Sync, and Sync User Attributes processes can all be triggered manually by clicking a button in the console.

User enrollment

The mobileManagement.EnrollmentUser table contains information on all of the enrollment users in the environment:

select ExternalID, SecurityTypeID, * from mobileManagement.EnrollmentUser EU
join dbo.LocationGroup LG
on LG.LocationGroupID = EU.LocationGroupID
where LG.Name = 'ams'

• ExternalID – the ExternalID column contains a hashed value of the attribute configured for Object Identifier. This value is used to match the AirWatch user with the customer’s directory user. If for whatever reason this value is null or incorrect, the AirWatch user will not sync.
• SecurityTypeID – this column determines the type of user. 1 denotes a directory user, 2 denotes a basic user, and 3 denotes an authentication proxy user.
• LocationGroupID – the Organization Group ID where the user is imported. Note that all directory users will always reside at the same level Directory Services is configured, even if imported or added at a child.
• LDAPDefinitionID – the ID of the LDAP Definition the user is associated with.

dbo.LDAPDefinition table contains all of the configuration information from the Directory Services for an Organization Group

select LD.UserSearchFilter, LD. * from dbo.LDAPDefinition LD
join dbo.LocationGroup LG
on LG.LocationGroupID = EU.LocationGroupID
where LG.Name = 'ams'

• LastSyncDurationInMinutes – this column contains the time it took to sync the entire Organization Group in minutes.
• LastSyncedOn – last date the Organization Group synced with the directory.
• MemberPageSize – the MemberPageSize value can be configured, but should not exceed 5000 if the customer is using EIS. This value determines the chunk size of information being sent back and forth between ACC\EIS
• IsSortControlSupported – determines if the directory type supports sorting results at the directory server before the response is sent.

The dbo.UserGroupEnrollmentUserMapSync table will contain only the ExternalIDs of both the users and the groups that are members of the AirWatch group that was added

select MAP. * from dbo.UserGroupEnrollment(Core)UserMapSync MAP
join dbo.UserGroup UG
on UG.UserGroupSyncID = MAP.UserGroupSyncID
where UG.FriendlyName = 'ams'

The dbo.UserGroup table contains information about the configured User Groups in AirWatch.

select UG. * from dbo.UserGroup UG
join dbo.LocationGroup LG
on UG.RootLocationGroupID = LG.LocationGroupID
where LG.Name = 'ams'

The dbo.UserGroupSync table contains syncing information for directory User and Admin groups. It provides a few more columns of information that contain the settings you have configured per group in the console.

select UGS. * from dbo.UserGroupSync UGS
join dbo.LocationGroup LG
on UGS.RootLocationGroupID = LG.LocationGroupID
where LG.Name = 'ams'

Query Troubleshooting

With some issues, AirWatch is not able to find certain users and/or groups. This is often due to an incorrect filter or lack of permissions in the directory. If we are unable to find the user and group objects with the LDAP Admin tool using the same settings from the console, we will be unable to find them using AirWatch. It will be necessary to test queries during troubleshooting. To run a custom query, click the magnifying glass icon in the toolbar, select the Custom tab in the window that appears, type the Base DN in the Path field, and type the query in the Filter field.

Connection Troubleshooting

Test connection failures are usually due to one of two error codes, either 49 or 81. An 81 error code indicates the console cannot find the directory server, which can happen if the hostname was entered incorrectly, ACC\EIS is not functioning properly, the directory server is firewalled, or there is no route to the directory server from the console server.

When an administrator encounters a 49 error it is important to note that this error is generated by the directory server, not AirWatch. In 99% of cases this is because the bind authentication type is not supported, or the account and passwords are incorrect. To verify that the console is not sending a bad username or password, SSL must be turned off and the authentication type must be set to basic so the bind request can be sniffed off the network in plaintext. Use Wireshark!

Optimization

Common LDAP Queries

Search Group: (&(objectClass=group)(|(CN={inputName})(distinguishedName={inputName})))

Sync Group: (&(objectClass=group)(|(objectGUID={ExternalID1})(objectGUID={ExternalID2})))

Search User: (&(objectCategory=person)(sAMAccountName={InputUserName}))

Sync User: (&(objectCategory=person)(sAMAccountName=*)(|(objectGUID={ExternalID1})(objectGUID={ExternalID2})))

Add Missing Users: (&(objectCategory=person)(sAMAccountName=*)(|(distinguishedName={UserDN1})(distinguishedName={UserDN2})))

Novell eDirectory

Server Settings

User Settings

Advanced User Settings

Group Settings

Advanced Group Settings

SCEP and DCOM

SCEP

SCEP vs DCOM: SCEP does NOT support certificate revokation, unlike DCOM, so DCOM integration is the preferred method.

SCEP Workflow

Manual Revocation

Manual Renewal

EOBO

Question: We trying to integrate AirWatch with CA authority (ADCS). Instead of creating the certificate for the user that enrolled his device, every certificate is created for the service account we used in the integration. Any config we missed?

Answer: This is expected behavior. If you need the certificate created for the user object you need to leverage Enrollement On Behalf Of(Eobo). Just be aware that you lose flexibility with the cert template and values you can use.

This is done in the template settings in Airwatch. The template in ADCS is configured with Subject Name = “supply in request”. So whatever you set up for the template in Airwatch will be requested from the CA. Including SN (can be username/email/serial number and so on) and SAN (again all kinds of values available in AW)

That is also the main difference to EOBO where you configure SN/SAN in the ADCS template and can only use attributes from the user object in AD.

Apps Deployment

AirWatch has 2,5 mechanisms to deploy apps:

1. Apps & Books → Internal. You can only deploy 3 versions of an application called “Alpha”, “Beta”, “Production”;
2. Devices → Staging & Provisioning →****Product List View → Add Product. Add Manifest → Install Application. Difference between this method and the one below is not clear, except slightly easier config;
3. Devices → Staging & Provisioning → Components → Files/Actions. Add Files/Actions → Add Manifest → Install Unmanaged Application.

I recommend the 3rd method as the most descriptive and stable if several versions of an application are needed in one Organization Group.

Things to check in application deployment

Application ID

Check if there is a modification of the Application ID while uploading the application in the Console via Staging & Provisioning → Components → Applications or check while uploading the Application, is it fetching the Application ID and populating the same name in the Application ID field.

Application Metadata

Once the app gets uploaded, AirWatch SQL writes down its’ metadata to SQL. Parsing the data:

SELECT a.name, a.versionhash, * FROM INTERROGATOR.APPLICATIONLIST AL
JOIN interrogator.Application A ON AL.ApplicationID=A.ApplicationID
WHERE DEVICEID in (1473) and isinstalled=1

See more on SQL querying apps

Application Deployment Logs

• Device receives command to install application
• Device is directed to app destination for download via Manifest.plist file - so search for “manifest” in the logs:

• Device is redirected to Manifest.plist URL
• Device locates Blobhandler.pblob URL:

• Device is redirected Blobhandler.pblob URL
• Application download begins

macOS Apps Deployment

External link:

• Troubleshooting macOS - https://github.com/micromdm/micromdm/wiki/Troubleshooting-MDM

You are able to deploy apps on Mac OSX devices either from Apps & Books or from Product & Provisioning method. If you have a pkg or dmg file, then you could simply use Apps & Books. However, if you have multiple files to be executed or scripts to run then you could use Product & Provisioning. In AirWatch 9.3+, all macOS application file types (.dmg, .pkg, .mpkg, .app) can be managed through the Internal Applications section. This new framework leverages the popular Mac Admin community tool, Munki.

Provisioning with Munki

Enabling Software Management

• Navigate to Settings > Devices & Users > Apple > Apple macOS > Software Management
• Enable Software Management , there is a check in place to verify if File Storage is enabled at this page. If there is no File Storage, the admin will be requested to enable File Storage.
• On-Prem deployments will need to enable CDN.

Before uploading macOS File to AirWatch

All primary macOS software file types will now be uploaded through Internal Applications (.pkg, .dmg, .mpkg). A .pkg file can be a Bootstrap Package or can be managed through full lifecycle management (this feature). In order to configure Advanced Management options for macOS software and for effective desired state management, which is achieved through the integrated Open-Source Munki library in the AirWatch Agent, a metadata file must be generated for the file separately before uploading it to the AirWatch Console. Munki’s deployment logic is built on the concept of pkginfo files, which are xml/plist files that contain metadata, configuration information, and more for a given application file. AirWatch requires this pkginfo file along with the application file to manage the deployment in the Console.

The pkginfo file is genetrated with VMware AirWatch Admin Assistant (see tools page for download). This is a GUI wrapper for a Munki command-line utility and is used to generate the pkginfo metadata file for a given application file.

Generating a pkginfo metadata file using VMware AirWatch Admin Assistant

1. Download and install the Admin Assistant tool to a macOS device or VM.

2. Open the Assistant. The Assistant dialog will ask for the application installer files to parse.

3. Upload an application installer file by dragging & dropping a .pkg, .dmg, .mpkg, .app file into the labeled field, or browse the local files on the machine in order to find an installer file.

   Note

   If the file is .app, it will be converted into a .dmg for deployment

4. Once the file is selected and uploaded, the Assistant will automatically start parsing process the process. Additional files can be added during this time if needed.

5. Once the parsing is complete, the tool will prompt to reveal the parsed metadata files in Finder. Store the metadata files in a local folder where they can be easily retrieved during the Software Distribution procedure.

Generating a pkginfo metadata file using Autopkg

There are multiple ways to obtain the metadata/pkginfo file aside from using the Admin Assistant. One of them is to use Autopkg and its’ GUI tool Autopkgr.

Uploading a macOS Application to the AW Console:

1. Navigate to Apps & Books > Applications > Native > Internal
2. Click Add Application
3. Upload app/software file (.pkg, .mpkg, .dmg)
4. Continue to the next screen and Upload the pkginfo .plist file
5. Continue to customize the app deployment. The proceeding screens will display any available configurations present in the pkginfo file (for example, a pkginfo from AutoPkg may contain an install_check script). Additional deployment configurations can be defined, and will be merged with the existing configurations
   • If the pkginfo file has one or more key and configuration that are not exposed in the UI, they will not be affected. This feature is important as it allows administrators to upload pkginfo files with keys that would be supported by the Munki client but would not be configurable in the UI. Any changes in the UI will be merged with the existing keys.

Pre/Post Install Scripts

A common reason to repackage software is to perform additional configuration tasks or to install additional items. A technique to avoid repackaging is to add pre-install scripts and/or post-install scripts to the configuration of an item. These scripts can take care of some of the tasks which previously may have required repackaging to implement.

An Exit Code of 0 will define the script as successfully executed in order to allow Munki to continue.

Uninstall Methods

There are multiple options available for uninstallation of software. The appropriate option will be selected by default by the VMware Admin Assistant tool based on the software’s file type. If needed options to override the default values are available in the AirWatch Console.

Remove Copied Items
Used primarily for software installed from a .dmg

• Pulls from items_to_copy array[dicts] in the pkginfo file
  • All file paths in this array will be deleted
• Future Console release will show the paths in the items_to_copy array in the UI

Remove App

• Pulls from installs array[dicts] in the pkginfo file
  • All file paths in this array will be deleted
• Future Console release will show the paths in the installs array in the UI

Remove Packages 
Used primarily for software installed from a .pkg

• Uses receipts and analyzes the packages to remove
  • Tries to determine what files were installed via the Bom file
  • Deletes receipt
• Will only remove if package is not associated with any other files or programs
• Future Console releases will show the receipts that Munki check for in the UI

Uninstall Script 
Can be used for any installer type

• Written in shell script
• Used to perform custom uninstall operations if needed
  • If the Admin has a customized deployment of an app, they will need to also write a corresponding uninstall script to remove their custom configurations

Install or Uninstall Verification

With some software, the Admin needs to configure what exactly defines a Successful Install or Uninstall. Munki allows this through setting an Install or Uninstall Check Script

Install Check Script - If present, this script is executed to determine if an item needs to be installed. A return code of 0 means install is needed; any other return code causes install to be skipped.

Uninstall Check Script - If present, this script is executed to determine if an item needs to be uninstalled. A return code of 0 means uninstall is needed; any other return code causes uninstall to be skipped.

Conditions

Conditions can defined on a per-application level so that they are evaluated prior to the download and installation of a software.

Built-in Conditions Currently available built-in attributes for conditional comparison:

Example:

machine_type == “laptop” AND os_vers BEGINSWITH “10.7”

date > CAST(“2016-03-02T00:00:00Z”, “NSDate”)

Dates in conditions:

The date string must be written in UTC format, this format is interpreted as a local date/time. The condition date > CAST("2013-01-02T00:00:00Z", "NSDate") is True if the local time is after midnight local time on 02 Jan 2013.

Literal types in comparisons

• Strings are delimited by either single or double-quotes: os_vers BEGINSWITH "10.7"

• Integers have no quotes: os_vers_major == 10

• Booleans are indicated as TRUE or FALSE (and have no quotes, or they’d be strings!): some_custom_condition == TRUE

• Dates are possible, but they must be cast from ISO 8601 strings: date > CAST("2013-01-02T00:00:00Z", "NSDate")

Updates

Updates can be managed similarly to the other platforms in the AirWatch Console. If a new version of the file needs to be added, perform the following:

1. Navigate to Apps & Books > Native
2. Click on the App that requires an update. Clicking the app will navigate to the Details View page.
3. In the top right side, click “Add Version”
4. Upload the new installer for the new app version
5. Upload the new pkginfo file for the new version
6. Make any additional changes and then save the configuration

Troubleshooting

The AirWatch Console will show report macOS app installation data from a device in several  locations:

• Apps & Books > Applications > Native > Internal. Click onto the Application to drill into Application Details > Devices Tab. The grid in this tab will display installation statuses for each device.
• Devices & Users > Devices > List View. Click on a device to drill into Device Details > Troubleshooting Tab. The grid on this tab will show activity on the device and provides filtering options to show information relating to Software Distribution.

Munki Logs can also be directly accessed on the device: /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log

tail -n 20 -F /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log

Munki Known Issues

• Once software has been published and installed on a few devices, if any of the configuration options such as “install script”, “uninstall script” etc.. are changed, devices which already have the application installed successfully will not receive the updated options as these can only be updated when an “InstallApplication” command. This is the only command that can update the locally cached PKGInfo files on the device. In order to update the scripts, administrators will have to manually select all of the devices which have the software installed and repush the command. Repushing the command will update the respective cached PKGinfo file with the latest information.
  Note: Repushing the command will NOT reinstall the application unless there is a change in the software version. Munki is has mechanisms in place to not reinstall software when the application is already installed.
• If a package has a dependency on another package or software then an administrator will have to manually provide a required key in the pkginfo of the package with a dependency. Providing the key in the pkginfo is the only way for Munki to recognize if there are any dependencies, and determine the sequence of installation steps for such dependent packages. Unless otherwise specified, packages are installed in random order. Such package installation will fail if a package dependency is not met during the installation. 
  Example: Netbeans requires that Java be present and installed on the machine. Netbeans will not implicitly install Java while installing the Netbeans software package. Even if administrators attempt to install Netbeans without utilizing M****unki or using standalone Munki, the installation will fail and will prompt the administrator to first install Java before installing Netbeans.
• For packages which have the same receipts array with same version even on an upgraded package, Munki will not be able to detect that a new package is an upgraded package. The reason is that the receipt array has the same version as the previous package. The impact of duplicated receipts arrays is that the packages will not be installed on User machines as Munki cannot determine that a new version needs to be installed.
  Note: The best solution for packages with duplicate versions in the Receipts Array is to use an Autopkg Recipe, which adds an installs array in the pkginfo. This method allows Munki to detect upgraded packages; alternatively an administrator can manually add an installs array into the pkginfo.

Example: Wireshark is an example of a package which has identical receipts which contain the same version, thus Munki cannot detect the when upgraded packages are deployed.

Legacy methods (AirWatch 9.2 & older)

Apps & Books

• Go to Groups & Settings > All Settings > Devices and Users > Apple > MAC OS > Software Distribution.
• Enable Software distribution.
• Now go to Apps and Books > Native > Internal > Add Application.
• Upload the .pkg or .dmg file.
• Once uploaded, click on Continue. You will get an option to download VMware AirWatch Admin Assistance tool.
• Download the tool.
• Upload the .pkg or .dmg file there.
• You will see that it will open the package into .dmg file, .plist file and .png file.
• Go back to the Console and upload the .plist file for metadata.
• Click on upload and you will see the application description.
• You will get an option to upload the image. Upload .png file there.
• Now assign the application to the required Smart Group.
• Click on Save and Publish.

Product provisioning

It allows you to create, through AirWatch, products containing profiles, applications, and files/actions (depending on the platform you use). These products follow a set of rules, schedules, and dependencies as guidelines for ensuring your devices remain up to date with the content they need.

• Navigate to Devices > Staging & Provisioning > Components > Files/Actions
• Click on Add > General
• Navigate to Files > Add Files and enter the specific path
• Navigate to Manifest. Under Install Manifest, click Add Action. Choose the action type Install and provide the specific path. 
• Under Uninstall Manifest, click Add Action and set the action type as Install, again providing the specific path. 
• Under Uninstall Manifest, click on Add Action and choose the action type Uninstall, and provide the exact application name with the extension as ‘.app’.
• Select Save
• Navigate to Staging & Provisioning > Product List View and select Add Product.
• Under General, verify the details and assignment group are filled in.
• Navigate to the Manifest tab and click on Add. Choose the created component after selecting Install/Action.

With this configuration, the application will first be downloaded to the Downloads folder on the Mac. You can then install the application, which will be available in the Applications folder. If you want only to uninstall the application which was previously installed, you may choose the Delete Files option while creating files and actions.

Recipes

Script recipies

TextWrangler Post Install Script Implement a post-install script that copies the command-line tools from the TextWrangler bundle to their intended locations.

After uploading the appropriate files to AirWatch, pre/post install scripts can be configured for the app in the Scripts tab of the Application Details. Simply paste the script into the appropriate field and AirWatch will format it to be used by Munki.

App recipes

Manifest recipies

Quick fix for root user login bug (https://techcrunch.com/2017/11/28/astonishing-os-x-bug-lets-anyone-log-into-a-high-sierra-machine/ )

Enable root user with random password

Below are steps to fix the issue via  Product Provisioning -

A. Create a File

1. Go to Devices > Staging & Provisioning > Components > Files /Actions.
   2.  Add Files / Actions > macOS
2. Manifest > Install Manifest > Run > Command Line and Arguments to run /usr/bin/dscl . -passwd /Users/root $(/usr/bin/openssl rand -base64 20)
3. Click Save

B. Create a Product to include above File

1. Go to Devices > Staging & Provisioning > Products List View  > Add Product > macOS
   2.  Click on Manifest > Add Manifest > Actions to Perform > Install Files / Actions > Files/Actions (Enter the saved file).
2. Save & Activate the product

Unsigned application launch bypassing Security & Privacy

Use above recipe with command Manifest > Install Manifest > Run > Command Line and Arguments to run:

sudo xattr -rd com.apple.quarantine /Applications/@cursor # where '/Applications/@cursor' is the target app