WS1 UEM Installation

Installation

❗️All Windows systems that will be used to deploy AirWatch / Workspace ONE UEM must have Language = US-EN in their localization settings.

❗️Pay special attention to the decimal symbol in Regional Settings: it must be a dot, not a comma!

❗️All Windows systems that will be used to deploy AirWatch / Workspace ONE UEM must have all current patches applied. For example, early builds of Windows Server 2012 R2 ship a broken ASP.NET, which breaks the AirWatch installation.

Legend

  • BE - (BackEnd server) WS1 UEM Admin Console
  • FE - (FrontEnd server) WS1 UEM Device Services
  • SQL - Microsoft SQL Database Server
  • UEM - AirWatch / Workspace One UEM

Database Deployment

❗️Read the SQL Recommendations page first, before any production or semi-production deployment.

  • Install MS SQL Server;
  • Log in to the SQL server and launch SQL Management Studio;
  • Create a new database. In the database settings apply General → Autogrowth / Maximize → File Growth → In Megabytes = 128;
  • Choose the collation: Options → Collation → SQL_Latin1_General_CP1_CI_AS;
  • MS SQL 2008 and MS SQL 2008R2 are not supported anymore. For MS SQL 2016 choose Options → Compatibility Level = 2014

❗️Issues are currently observed when installing Workspace ONE UEM versions up to 1909 on Microsoft SQL 2017: services do not start after the install and the console does not launch. As recommended by Microsoft for SQL 2017, the services should use the element to improve startup performance; using this element can also help avoid delays that cause a time-out and the cancellation of the service startup. See the Microsoft KB article.

  • Create a user in Mixed-mode SQL (non-domain) with the sysadmin role on the server and db_owner on the database. Give the user the SQLAgentUserRole, SQLAgentReaderRole and db_datareader roles on msdb. Do not forget to disable password expiration for this user;
  • If the DB server has no Internet access, download Microsoft .NET Framework 4.6.2 (for English Windows) from the Microsoft website on a separate computer and copy it to this server (during setup, WorkspaceONE_UEM_DB_XX.YY.Z.K_Setup tries to download the framework itself; without Internet access this may hang the installation for some time);
  • Copy the WorkspaceONE_UEM_DB_XX.YY.Z.K_Setup files to the server, into C:\Distr, and launch the setup;

❗️Do NOT launch the installer from folders such as C:\Users\Documents and Settings\Downloads etc.: a long path may cause an unpacking error.

  • In the install wizard enter “localhost” as the server, the login and password of the SQL user, and choose the UEM database;
  • ❓️ If the database is created on an AlwaysOn cluster, turn on the Using SQL AlwaysON Availability Groups option;
  • Wait for the installer to finish (10-15 min). Install progress can be followed through the growth of the log file c:\AirWatch\AirWatch 1811\Database\AWDatabaseLog.txt* (the log reaches about 2.3 MB when the installation finishes);
  • Check the installation: in SQL Management Studio run the query:

select * from dbo.DatabaseVersion;

The result should be the UEM version number.

❓️ For an AlwaysOn cluster, do not forget to clone the database jobs on the other cluster nodes!
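The database preparation steps above, scripted with the SqlServer PowerShell module (Invoke-Sqlcmd). This is an added example, not code from the page or from VMware; it assumes a default SQL instance named SQL01, a database named AirWatch and a login named awuser, and that the instance is already set to mixed-mode authentication and that you run it with Windows authentication as a sysadmin. The SQL Agent roles on msdb, the disabled password expiration and the sysadmin membership are exactly what the list above asks for:

```powershell
#Requires -Modules SqlServer
# Added example (not from the page or from VMware): create and prepare the WS1 UEM database
# and SQL login with the settings listed above. Server, database and login names are assumptions.
param(
    [string]$SqlServer = 'SQL01',       # assumption: SQL server, default instance
    [string]$DbName    = 'AirWatch',    # assumption: UEM database name
    [string]$LoginName = 'awuser',      # assumption: SQL login the UEM installer will use
    [Parameter(Mandatory = $true)]
    [securestring]$LoginPassword        # prompted at run time; never hard-code it
)

# Convert the secure string only for the moment it is embedded in the T-SQL.
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($LoginPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$pwdLiteral = $plain.Replace("'", "''")   # escape single quotes for the T-SQL literal

# 1. Database: collation SQL_Latin1_General_CP1_CI_AS, 128 MB file growth, compatibility level 2014 (120).
#    The logical file names follow SQL Server defaults (<db> and <db>_log).
$createDb = @"
IF DB_ID(N'$DbName') IS NULL
    CREATE DATABASE [$DbName] COLLATE SQL_Latin1_General_CP1_CI_AS;
ALTER DATABASE [$DbName] MODIFY FILE (NAME = N'$DbName', FILEGROWTH = 128MB);
ALTER DATABASE [$DbName] MODIFY FILE (NAME = N'${DbName}_log', FILEGROWTH = 128MB);
ALTER DATABASE [$DbName] SET COMPATIBILITY_LEVEL = 120;
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Database master -Query $createDb

# 2. Non-domain SQL login with password expiration disabled, as the page requires.
#    sysadmin is what the installer and the 2108+ upgrade need (see Installation Problems),
#    so this password should be known to as few people as possible.
$createLogin = @"
IF SUSER_ID(N'$LoginName') IS NULL
    CREATE LOGIN [$LoginName] WITH PASSWORD = N'$pwdLiteral', CHECK_EXPIRATION = OFF, CHECK_POLICY = ON;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [$LoginName];
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Database master -Query $createLogin

# 3. db_owner on the UEM database.
$dbOwner = @"
IF DATABASE_PRINCIPAL_ID(N'$LoginName') IS NULL CREATE USER [$LoginName] FOR LOGIN [$LoginName];
ALTER ROLE [db_owner] ADD MEMBER [$LoginName];
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Database $DbName -Query $dbOwner

# 4. msdb roles for the SQL Agent jobs the UEM installer creates.
$msdbRoles = @"
IF DATABASE_PRINCIPAL_ID(N'$LoginName') IS NULL CREATE USER [$LoginName] FOR LOGIN [$LoginName];
ALTER ROLE [SQLAgentUserRole]   ADD MEMBER [$LoginName];
ALTER ROLE [SQLAgentReaderRole] ADD MEMBER [$LoginName];
ALTER ROLE [db_datareader]      ADD MEMBER [$LoginName];
"@
Invoke-Sqlcmd -ServerInstance $SqlServer -Database msdb -Query $msdbRoles

# 5. Read back the settings so they can be compared with the list above.
Invoke-Sqlcmd -ServerInstance $SqlServer -Database master -Query @"
SELECT name, collation_name, compatibility_level FROM sys.databases WHERE name = N'$DbName';
"@ | Format-Table -AutoSize
Invoke-Sqlcmd -ServerInstance $SqlServer -Database master -Query @"
SELECT name, is_expiration_checked, is_policy_checked FROM sys.sql_logins WHERE name = N'$LoginName';
"@ | Format-Table -AutoSize
# After WorkspaceONE_UEM_DB_*_Setup has run, the page's own check applies:
#   Invoke-Sqlcmd -ServerInstance $SqlServer -Database $DbName -Query 'select * from dbo.DatabaseVersion;'
```

Run it once before launching the DB installer; rerunning is safe because every object is created only if it does not already exist. The ALTER ROLE / ALTER SERVER ROLE syntax needs SQL Server 2012 or newer, which matches the page's note that 2008/2008R2 are no longer supported.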

Device Services Front-End (FE) Server

  • Open Windows Server Manager and enable the following roles/features (double-check the official documentation for the feature list):
    • Web Server (IIS)
    • Web Server (IIS) → Web Server → Common → Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
    • Web Server (IIS) → Web Server → Performance → Dynamic Content Compression
    • Web Server (IIS) → Web Server → ASP
    • Web Server (IIS) → Web Server → ASP.NET 4.5
    • Web Server (IIS) → Web Server → Security → IP & Domain Restrictions
    • Web Server (IIS) → Web Server → Health & Diagnostics → Request Monitor
    • Web Server (IIS) → Web Server → Application Development → Server Side Includes
    • .NET Framework 4.5 → WCF → HTTP Activation
    • Message Queuing
    • Telnet Client

❗️ DO NOT turn on Web Server (IIS) → Web Server → Common → WebDav Publishing: this leads to multiple bugs in managing iOS devices

  • ❓️ If the FE server has no Internet access, download and install .NET Framework 4.6.2 (Microsoft .NET Framework 4.6.2 (Offline Installer) for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2). Reboot the server;

  • ❓️ If the FE server has no Internet access, download and install URL Rewrite Module 2.0 (https://go.microsoft.com/?linkid=9722532) for IIS. An old version of Rewrite Module 2.0 is attached to this page in case it is needed;

  • Upload an external certificate in PFX format with its private key. The password protecting the certificate MUST be 6+ characters long: a shorter password leads to problems with the AWCM Java keystore! Install the certificate into the Local Machine account, leaving the Automatic Detect option for the certificate type. Also install all root and intermediate certificates of the certificate trust chain. The Subject Alternative Name of the certificate MUST contain the external DNS name of the server!

  • Check that IIS starts correctly: open http://127.0.0.1/ in a browser (the IIS start page must be shown)

  • Go to the IIS admin console and bind the certificate: in the sites tree choose Default Web Site → Bindings menu → Add..., choose https, and in the SSL Certificates list choose the certificate from the previous step. Enter the external DNS name of the server, as written in the certificate.

❗️Port binding is needed ONLY for Device Service and Console Service.
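A pre-flight check for the external PFX before it is imported, covering the three requirements stated above: a password of at least 6 characters, a private key inside the container, and the external DNS name present in the Subject Alternative Name, plus a chain build that fails if the root/intermediate certificates are not yet in the Local Machine stores. This is an added example, not code from the page or from VMware; the PFX path and the host name ds.example.com are assumptions.

```powershell
# Added example (not from the page or from VMware): verify the external PFX before installing it.
# $PfxPath and $ExternalFqdn are assumptions; replace them with the real file and external DS name.
param(
    [string]$PfxPath      = 'C:\Distr\ds-external.pfx',   # assumption
    [string]$ExternalFqdn = 'ds.example.com'              # assumption: external DNS name of the FE server
)
Add-Type -AssemblyName System.Security

# 1. Password length: AWCM's Java keystore import needs 6+ characters.
$pwd  = Read-Host -Prompt 'PFX password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pwd)
$pwdLength = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr).Length
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
if ($pwdLength -lt 6) { throw "PFX password has $pwdLength characters; AWCM needs 6 or more." }

# 2. Open the PFX in memory only (nothing is written to a certificate store here).
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $pwd, $flags
if (-not $cert.HasPrivateKey) { throw 'PFX does not contain the private key.' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)." }

# 3. SAN must contain the external DNS name. OID 2.5.29.17 is Subject Alternative Name;
#    Format($false) renders it as "DNS Name=host1, DNS Name=host2".
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $san) { throw 'Certificate has no Subject Alternative Name extension.' }
$dnsNames = ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
if ($dnsNames -notcontains $ExternalFqdn) {
    throw "SAN [$($dnsNames -join ', ')] does not contain $ExternalFqdn."
}

# 4. Chain build against the Local Machine / Current User stores; fails until the root and
#    intermediate certificates from the list above have been installed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly; trust path is what we check here
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Chain does not build; install the root/intermediate certificates first.'
}
"Chain: " + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
"OK: $($cert.Subject), thumbprint $($cert.Thumbprint), SAN covers $ExternalFqdn"
```

Run it on the FE server after the root and intermediate certificates are installed and before the IIS binding; every requirement that fails throws, so a clean run means the PFX is ready for both the IIS binding and the AWCM installer. The Export All Properties requirement mentioned later for AWCM cannot be read from the PFX itself and still has to be checked when the container is exported.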

  • Launch the installer WorkspaceONE_UEM_Application_X.X.X.X_Full_Install and choose Continue setup without importing/exporting config file;
  • In the module selection choose only Device Services, select This feature will not be available for Admin Console, and continue the installation;

❗️For AirWatch 9.2.2+: during installation the AirWatch installer deploys SQL Native Client, which may not have enough time to initialize while the wizard is running. During the SQL check an error may be reported that SQL is not found. Press Cancel and reboot the server, then re-launch the setup.

  • Enter the SQL data: in the full database server name enter only the server name, not the SQL instance name;
  • Specify the DNS name for reaching the server over HTTPS from outside and inside. Do not choose SSL Offload: it is much easier to make all connections HTTPS and edit the configuration afterwards;

⭐️ Instead of choosing different DNS names and then having issues with AWCM, I recommend entering the same external name for Device Services and Web Console (check the Same as above? option). After this, create an alias on the local DNS server, or use the hosts file on the Admin Console/BE server, to map the external name of Device Services/FE to an internal IP address.

  • Choose Default Web Site as the install target;
  • Leave the AWCM listening IP as 0.0.0.0 since it is installed locally, and port 2001 for the connection. Install the PFX certificate and enter its password;

❗️The PFX certificate MUST be created with the Export All Properties option! Otherwise the Java keytool will not be able to import it into awcm.keystore; no error is written to the log, but AWCM will not work!

  • Choose Implicit Clustering (do not cluster AWCM);
  • Wait for the install to complete. The AirWatch Certificate Installation Wizard opens; click Next and choose SQL Authentication. If the Internet is accessible, a code must be entered. For an offline installation, click Get File and save the *.plist file to disk;
  • Go to my.workspaceone.com: My Workspace One menu → My Company → Certificate Signing Portal → Authorize Install → Generate a token (with Internet access); OR
  • My Workspace One menu → My Company → Certificate Signing Portal → Authorize Install → Upload Your File (offline), and upload the *.plist file.
  • Save the certs.plist answer file and upload it in the installation wizard, which completes the installation.

❗️AirWatch (WS1 UEM 1909) services may not start because of a timeout error on Windows 2008-2012. Increase the timeout in the Windows registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control → ServicesPipeTimeout=180000. External link: https://kb.vmware.com/s/article/50105044?lang=en_US

Admin Console Back-End (BE) Server

  • Open Windows Server Manager and enable the following roles/features (double-check the official documentation for the feature list):
    • Web Server (IIS)
    • Web Server (IIS) → Web Server → Common → Static Content, Default Document, Directory Browsing, HTTP Errors, HTTP Redirection
    • Web Server (IIS) → Web Server → Performance → Dynamic Content Compression
    • Web Server (IIS) → Web Server → ASP
    • Web Server (IIS) → Web Server → ASP.NET 4.5
    • Web Server (IIS) → Web Server → Security → IP & Domain Restrictions
    • Web Server (IIS) → Web Server → Health & Diagnostics → Request Monitor
    • Web Server (IIS) → Web Server → Application Development → Server Side Includes
    • .NET Framework 4.5 → WCF → HTTP Activation
    • Message Queuing
    • Telnet Client

❗️ DO NOT turn on Web Server (IIS) → Web Server → Common → WebDav Publishing: this leads to multiple bugs in managing iOS devices

  • ❓️ If the server has no Internet access, download and install .NET Framework 4.6.2 (Microsoft .NET Framework 4.6.2 (Offline Installer) for Windows 7 SP1, Windows 8.1, Windows Server 2008 R2 SP1, Windows Server 2012 and Windows Server 2012 R2). Reboot the server;
  • ❓️ If the server has no Internet access, download and install URL Rewrite Module 2.0 (https://go.microsoft.com/?linkid=9722532) for IIS. An old version of Rewrite Module 2.0 is attached to this page in case it is needed;
  • Check that IIS starts correctly: open http://127.0.0.1/ in a browser (the IIS start page must be shown)
  • Configure the certificate in IIS; for the Admin Console on BE a self-signed certificate may be used:
    • Open the IIS admin console, choose Server Certificates, and in the right-hand menu choose Create Self-Signed Certificate;
    • Enter a name for the certificate, type = Web Hosting, click OK;
    • Bind the certificate: in the sites tree choose Default Web Site → Bindings menu → Add..., choose https, and in the SSL Certificates list choose the certificate from the previous step.
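The role/feature lists for the Device Services (FE) and Admin Console (BE) servers above are identical, so one script serves both. This is an added example, not code from the page or from VMware: it enables the listed features with Install-WindowsFeature (Windows Server 2012 or newer), refuses WebDAV Publishing as the note above requires, and fails if the final state differs from the list. The mapping from the Server Manager item names to the feature names is the standard one shipped with Windows Server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the page or from VMware): enable the IIS roles/features listed above
# on an FE or BE server and make sure WebDAV Publishing stays off.
Import-Module ServerManager

$required = @(
    'Web-Server',                                   # Web Server (IIS)
    'Web-Static-Content', 'Web-Default-Doc',        # Common -> Static Content, Default Document
    'Web-Dir-Browsing', 'Web-Http-Errors',          # Common -> Directory Browsing, HTTP Errors
    'Web-Http-Redirect',                            # Common -> HTTP Redirection
    'Web-Dyn-Compression',                          # Performance -> Dynamic Content Compression
    'Web-ASP', 'Web-Asp-Net45',                     # ASP, ASP.NET 4.5
    'Web-IP-Security',                              # Security -> IP & Domain Restrictions
    'Web-Request-Monitor',                          # Health & Diagnostics -> Request Monitor
    'Web-Includes',                                 # Application Development -> Server Side Includes
    'NET-WCF-HTTP-Activation45',                    # .NET Framework 4.5 -> WCF -> HTTP Activation
    'MSMQ-Server',                                  # Message Queuing
    'Telnet-Client'                                 # Telnet Client
)
$forbidden = @('Web-DAV-Publishing')                # breaks iOS device management (note above)

# Install only what is missing, so the output shows exactly what this run changed.
$missing = Get-WindowsFeature -Name $required | Where-Object { -not $_.Installed }
if ($missing) {
    Install-WindowsFeature -Name $missing.Name -IncludeManagementTools | Format-Table -AutoSize
} else {
    'All required features are already installed.'
}

# Remove WebDAV Publishing if a server template or an earlier admin turned it on.
$dav = Get-WindowsFeature -Name $forbidden | Where-Object { $_.Installed }
if ($dav) {
    Write-Warning "WebDAV Publishing is installed; removing it."
    Uninstall-WindowsFeature -Name $dav.Name | Format-Table -AutoSize
}

# Final state: every required feature installed, nothing from the forbidden list present.
$state = Get-WindowsFeature -Name ($required + $forbidden) |
    Select-Object Name, Installed, @{ n = 'Expected'; e = { $_.Name -notin $forbidden } }
$state | Format-Table -AutoSize
$bad = $state | Where-Object { $_.Installed -ne $_.Expected }
if ($bad) { throw "Feature state differs from the list: $($bad.Name -join ', ')" }
'Feature set matches the installation list.'
```

A reboot may be required after the .NET and IIS features are added; Install-WindowsFeature reports this in its RestartNeeded column, and it should be done before the UEM installer is launched.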

❗️Port binding is needed ONLY for Device Service and Console Service.

  • Launch the installer WorkspaceONE_UEM_Application_18.11.0.3_Full_Install and choose Continue setup without importing/exporting config file;
  • In the module selection choose only the Admin Console, choose This feature will not be available for Device Services, and continue the installation;

❗️For AirWatch 9.2.2+: during installation the AirWatch installer deploys SQL Native Client, which may not have enough time to initialize while the wizard is running. During the SQL check an error may be reported that SQL is not found. Press Cancel and reboot the server, then re-launch the setup.

  • Enter the SQL data: in the full database server name enter only the server name, not the SQL instance name;
  • Specify the FQDN for HTTPS access to the Admin Console from the inside. Do NOT use a short name or a DNS alias. Choose the external DNS name for HTTPS access to the Device Services server. Check that there are no space characters before or after the names: an error in this form can only be corrected by re-installing UEM!
  • Choose Default Web Site as the install target;
  • In Company Profile enter the company name and choose installation type = Production;

❗️AirWatch (WS1 UEM 1909+) services may not start because of a timeout error on Windows 2012R2+. Increase the timeout in the Windows registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control → New 32-Bit DWORD: ServicesPipeTimeout, Decimal=200000 (Decimal=60000 is too small, use a larger value!)

External link: https://support.microsoft.com/en-us/kb/922918

If the services must be set up manually: under Supplemental Software → QueueSetup locate and run the InstallQueues.Bat file.

  • Check the installation: log in to the UEM console with Login: administrator, Password: airwatch. Set a new password, a PIN code and secret question/answer pairs.

⭐️ Hardening of the IIS web server for AirWatch/UEM Device Services is described in this article.

Subsections of WS1 UEM Installation

WS1 First Time Config

GroupID

  • Switch to tenant - Company
  • Switch to Groups & Settings → Groups → Organization Groups → Organization Groups Detail
  • Set the company name, set GroupID, country and time zone

iOS Agent

  • Switch to Groups & Settings → All Settings → Devices & Users → Apple → Apple iOS → Intelligent Hub Settings, click Override
  • Enable Background App Refresh, so that the AirWatch Agent works in the background and does not interfere with other apps
  • Turn on Collect Location Data - collection of GPS data (Location Services)
  • Do not touch the SDK profiles; leave the settings as they are

AWCM

  • Launch the Admin Console on the server where AWCM is installed (FE) and go to Groups & Settings > All Settings > Device & Users > Android > Intelligent Hub Settings

  • Enable Use AWCM Instead of C2DM as Push Notification Service if you have Android devices without Google Apps/Services or a Google account, or if you want to restrict push notifications to direct MDM delivery

  • Switch AWCM Client Deployment Type to Always Running, click Save

  • Go to Groups & Settings > All Settings > System > Advanced > Secure Channel Certificate

  • Check/configure the Windows environment variable JAVA_HOME: it must point to the latest installed version, c:\Program Files\jre-<version number>

  • Click Download AWCM Secure Channel Certificate Installer and launch the cert installer

  • Check the cert install: open cmd as Administrator and enter a command such as:

    c:\Program Files\Java\jre1.8.0_131\bin>keytool.exe -list -v -keystore "C:\AirWatch\AirWatch 1811\AWCM\config\awcm.truststore"

    Enter the keystore password and check that 2 certificates are listed, including the secure channel certificate.

  • Switch to tenant = Global, go to Groups & Settings > All Settings > System > Advanced > Site URLs, and click the Enable AWCM Server button at the end of the page

  • Check the AWCM settings: internal and external DNS names (they MUST be exactly the ones used in the corporate certificate!) and the port number (TCP 2001).

Port TCP 2001 MUST be open FROM the outside to the server with AWCM (Device Services, FE) for direct push to work with Android and Windows Phone/Desktop devices.

If the external DNS name is published on an external proxy or load balancer and the internal servers do not know it, use the hosts file on the Admin Console (BE) server and on the AirWatch Cloud Connector (ACC) / Enterprise Systems Connector (ESC) to map the external DNS name to the internal IP of the Device Services (FE) server.

AWCM Troubleshooting - see article.

APNs certificate for Apple and SSL for Apple profiles

  • Launch the Admin Console using Firefox, Safari or Chrome (IE is not supported!). Go to Groups & Settings → All Settings → Devices & Users → Apple → APNs for MDM
  • Download the plist file.
  • Prepare an Apple ID account and click Go to Apple
  • On the Apple website click Create certificate, accept the terms, upload the plist file, and download the corresponding PEM file to the local disk
  • Return to the Admin Console, click Next, upload the PEM file, enter the corresponding Apple ID and click Save. Enter the PIN code of the console administrator
  • Go to Groups & Settings → All Settings → Devices & Users → Apple → Profiles
  • Click Upload, choose the PFX file of the corporate certificate and enter the password of the PFX container

Google Play Registration and Android for Enterprise/Legacy Enrollment

  • Launch the Admin Console using Firefox, Safari or Chrome (IE is not supported!). Switch to Groups & Settings → All Settings → Devices & Users → Android → Android EMM Registration
  • Click Register with Google
  • Proceed with the steps on the Google website, entering the Gmail account (each Gmail account may be used ONCE, for only 1 EMM system of any vendor)

For an old AirWatch Console 9.0.1 or earlier that was upgraded to the latest version of UEM, the Enable Play Store button should be clicked.

  • Open the Enrollment Restrictions tab and choose Define the enrollment method for this organization group. The default is Always use Android, which means Android for Enterprise with type = Device Work Profile is always used (apps are duplicated into BYOD/Corp containers). If devices in the current group that could support AfE are instead to be enrolled and managed with the Android Legacy ELM/POEM drivers, choose Always use Android (Legacy) from the list, or choose a hybrid mode by defining the user groups that use AfE: Define Assignment Groups that use Android.

After choosing the EMM registration method, DO NOT CHANGE IT once many devices are enrolled. Consequences:

  • Profiles can still be installed on the device as they’re being installed directly from Workspace ONE;
  • Communication is maintained between the device and Workspace ONE UEM;
  • You will be unable to leverage any Play store services;
  • No new apps added to Workspace ONE will be visible on the device managed play store;
  • Previously added applications in Workspace ONE will no longer be deployable from the console.

Source - https://blog.eucse.com/things-not-to-do-workspace-one-changing-android-emm-registration/

AirWatch Cloud Connector (ACC) / Enterprise Systems Connector

  • Launch the Admin Console on the server where ACC is to be installed and switch to a non-Global tenant

You cannot download the ACC distribution on one server and then copy and launch it on another!

  • Go to Groups & Settings > All Settings > System > Enterprise Integration > Cloud Connector, turn on Override, switch Enable AirWatch Cloud Connector and Enable Auto Update

It is strongly recommended to configure ACC at a non-Global level

  • Switch to the Advanced tab and click the Generate Certificate button to create the connection certificate for AWCM
  • Choose Use Internal AWCM URL if the connector is in the LAN and AWCM is in the DMZ
  • Use the buttons to switch ON the services/components that will talk to the connector (the usual minimum is LDAP, CA, SCEP and Syslog)
  • Switch back to the General tab, click the Download Enterprise Systems Connector Installer link and enter a password
  • Install .NET Framework 4.6.2 on the server
  • Launch the downloaded installer
  • Enter the password for the certificate

Check the installation

  • Go to Groups & Settings > All Settings > System > Enterprise Integration > Cloud Connector
  • Click Test Connection and check that the connector is available

“Error : Reached AWCM but VMware Enterprise Systems Connector is not active” is resolved by a server reboot and by opening TCP port 2001 from the Cloud Connector to AWCM.

Active Directory

  • In the Company tenant go to Groups & Settings > All Settings > System > Enterprise Integration > Directory Services
  • Choose Skip wizard and configure manually (alternative path: Accounts > Administrators > Settings > Directory Services)
  • Enter the domain data:
    • Directory Type = Active Directory
    • Server - domain controller name
    • Encryption Type = None
    • Bind Authentication Type - connection type; GSS-Negotiate is recommended, which chooses Kerberos or NTLM automatically depending on what is available
    • Bind Username - the service account used for reading the domain, entered as <user>
    • Bind Password - the password of the domain service account
    • In the Domain - Server fields enter the domain suffix and the name of the domain controller
  • Click Test Connection and check that there is network access to the domain controller
  • Choose the User tab; in the DN field choose the topmost level from the list
  • Choose the Group tab; in the DN field choose the topmost level from the list
  • Click Save

Troubleshooting the connection to Active Directory - see article.

Self-enrollment of Active Directory Users

  • In the Company tenant go to Groups & Settings > All Settings > Device & Users > General > Enrollment
  • In Authentication Mode(s) tick the Directory checkbox
  • Go to Restrictions and make sure that Restrict Enrollment To Known Users and Restrict Enrollment To Configured Groups are disabled.

Batch Import and Message Templates

To batch import users into an AirWatch group, the group needs a Group ID that allows enrollment into it.

During user import, an enrollment token can be distributed via e-mail. The template language depends on the localization configuration of the specific Organization Group.

When localization is defined only on the topmost level, the sub-groups at lower levels may show a strange setting like “Select*”. It is recommended to specify the localization settings on each group and sub-group explicitly, so there is no ambiguity in the settings.

Configure SDK default profiles

  • Switch to Groups & Settings → All Settings → Apps → Settings & policies → Security Policies, click Override
  • Leave Passcode turned on
  • Activate Single Sign-On
  • Activate Integrated Authentication for automatic sign-in to apps and websites, choose Enrollment Credentials and enter a star symbol ( * ) in the mask (= all websites)

WS1 Installation Problems

Failed to extract custom package message

The console installer needs to be extracted to the root of disk C:

AirWatch Services are not started before timeout

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
  3. In the right pane, locate the ServicesPipeTimeout entry.

Note: If the ServicesPipeTimeout entry does not exist, you must create it. To do this, follow these steps:

  • On the Edit menu, point to New, and then click DWORD Value.
  • Type ServicesPipeTimeout, and then press ENTER.

  4. Right-click ServicesPipeTimeout, and then click Modify.
  5. Click Decimal, type 60000 (default is 30000, use numbers from 60000 to 125000), and then click OK. This value represents the time in milliseconds before a service times out.
  6. Restart the computer.
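The same registry change as a script, for the three places on this page where ServicesPipeTimeout is raised (the FE and BE installation notes and the steps above). This is an added example, not code from the page, from VMware or from Microsoft: it creates the DWORD value if it is missing, updates it otherwise, reads it back, and leaves the reboot to you. The page quotes different values in different places (60000-125000, 180000, 200000), so the timeout is a parameter; the default of 180000 is the value from the FE note and is an assumption for your server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the page, VMware or Microsoft): set ServicesPipeTimeout without regedit.
param(
    [int]$TimeoutMs = 180000    # assumption: FE note value; pick the one that fits your server
)
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$name = 'ServicesPipeTimeout'

# Read the current value; $null means the entry does not exist and Windows uses its 30000 ms default.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    "$name does not exist (Windows default 30000 ms); creating it as a 32-bit DWORD."
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $TimeoutMs | Out-Null
} else {
    "$name is currently $current ms; setting it to $TimeoutMs ms."
    Set-ItemProperty -Path $key -Name $name -Value $TimeoutMs
}

# Read back so a failed write (wrong type, permissions) is caught before the reboot.
$after = (Get-ItemProperty -Path $key -Name $name).$name
if ($after -ne $TimeoutMs) { throw "Registry write failed: read back $after" }
"$name = $after ms. Restart the server for the new timeout to take effect."
```

Run it in an elevated PowerShell on the server whose AirWatch services time out; the change applies to all services on that machine, not only AirWatch ones, which is why the page recommends it only when the timeout is actually observed.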

Database is not getting updated on upgrade of WS1 UEM

Error detected on upgrade to WS1 UEM 2108+

SQL update fails with error:

Only members of sysadmin role are allowed to update or delete jobs owned by a different login.

⭐️ Give the account used for the WS1 UEM database the MSSQL server role sysadmin.

AirWatch Self-Service Portal gives error

“HTTP error 503: The service is unavailable”

The Self Service Portal has an associated App Pool in IIS. If the App Pool is not started, this error appears.

Ensure that the SSP App Pool is started in IIS.

Log collection

See AirWatch Services and Devices log collection page

App Catalog not seen after successful enroll

Problem: the App Catalog does not automatically appear after device enrollment. Solution:

  1. In the AirWatch Admin Console go to Groups & Settings > All Settings > Apps > Catalog > General > Publishing and click Save again
  2. Alternative: create a separate web clip profile for all devices with the URL https://{DS_URL}/Catalog/ViewCatalog/{SecureDeviceUdid}/{DevicePlatform}. External link: https://kb.vmware.com/s/article/50100220?lang=en_US

WS1 Verify Installation

Verify Installation

  • Open the AirWatch Console
  • Choose About AirWatch and check the version
  • Check the site links: open Groups & Settings > All Settings > System > Advanced > Site URLs and look through the links
  • Check the connection to the Device Services server on the external URL defined during installation, served with the external certificate (link of the form https://<DS_URL>/DeviceManagement/Enrollment)
  • Check the AWCM component using the link https://<DS_URL>:2001/awcm/status
  • Check the AirWatch services: launch services.msc on the Windows server and check that the AirWatch services are Started
  • Check the GEM Inventory Service: on the AirWatch Console server, in the folder C:\AirWatch\Logs\Services\, delete the file AirWatchGemAgent.log; open services.msc and restart the GEM Inventory Service. A new log will either NOT appear, or appear without errors.
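The checklist above as one script run from the Admin Console (BE) server, so the result can be kept with the installation record. This is an added example, not code from the page or from VMware. The external Device Services name ds.example.com, the service display-name patterns (AirWatch*, *GEM Inventory*) and the 15-second wait for the GEM log are assumptions; the GEM log path and the two URLs come from the checklist. Test-NetConnection needs Windows Server 2012 R2 or newer.

```powershell
# Added example (not from the page or from VMware): scripted post-install verification.
# $DsUrl and the service name patterns are assumptions; the log path and URLs are from the checklist.
param(
    [string]$DsUrl  = 'ds.example.com',                                   # assumption: external DS name
    [string]$GemLog = 'C:\AirWatch\Logs\Services\AirWatchGemAgent.log'   # path from the checklist
)
$results = [ordered]@{}

# 1. Device Services enrollment page over HTTPS with the external certificate. A certificate or
#    chain problem surfaces here as an exception, which is exactly what this check is for.
try {
    $r = Invoke-WebRequest -Uri "https://$DsUrl/DeviceManagement/Enrollment" -UseBasicParsing -TimeoutSec 30
    $results['DS enrollment page'] = "HTTP $($r.StatusCode)"
} catch { $results['DS enrollment page'] = "FAIL: $($_.Exception.Message)" }

# 2. AWCM: TCP 2001 reachable and the status page answering.
$tcp = Test-NetConnection -ComputerName $DsUrl -Port 2001 -WarningAction SilentlyContinue
$results['AWCM TCP 2001'] = if ($tcp.TcpTestSucceeded) { 'open' } else { 'FAIL: closed' }
try {
    $r = Invoke-WebRequest -Uri "https://${DsUrl}:2001/awcm/status" -UseBasicParsing -TimeoutSec 30
    $results['AWCM status page'] = "HTTP $($r.StatusCode)"
} catch { $results['AWCM status page'] = "FAIL: $($_.Exception.Message)" }

# 3. All AirWatch services running (the services.msc check).
$stopped = Get-Service -DisplayName 'AirWatch*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -ne 'Running' }
$results['AirWatch services'] = if ($stopped) { "FAIL stopped: $($stopped.Name -join ', ')" } else { 'all running' }

# 4. GEM Inventory Service: delete the log, restart the service, expect no new log or one without errors.
$gem = Get-Service -DisplayName '*GEM Inventory*' -ErrorAction SilentlyContinue
if ($gem) {
    Remove-Item -Path $GemLog -ErrorAction SilentlyContinue
    Restart-Service -InputObject $gem
    Start-Sleep -Seconds 15                       # assumption: enough time for the service to write its log
    if (-not (Test-Path $GemLog)) {
        $results['GEM log'] = 'no new log (OK)'
    } else {
        $errors = Select-String -Path $GemLog -Pattern 'ERROR|Exception'
        $results['GEM log'] = if ($errors) { "FAIL: $($errors.Count) error lines" } else { 'no errors (OK)' }
    }
} else {
    $results['GEM log'] = 'service not found on this server'
}

# Summary table; any line starting with FAIL needs attention before devices are enrolled.
$results.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
```

The HTTPS checks deliberately do not bypass certificate validation: a FAIL on the enrollment page caused by an untrusted chain is the same failure devices will see, so fix the certificate rather than the script.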