Integrating Workspace ONE UEM with Workspace ONE Access

Workspace ONE UEM can be integrated with Workspace ONE Access! Here are a couple of reasons why you would want to do this:

  • It makes it possible to create a “Unified Application Catalog”: a central portal in which, in addition to the Workspace ONE Access applications, the mobile applications can also be displayed. The Unified Application Catalog portal only shows the applications that apply to the OS type of the endpoint device.
  • Single Sign-On (SSO) support on the Unified Application Catalog for enrolled Workspace ONE UEM devices. When Workspace ONE UEM and Workspace ONE Access are integrated, users on Workspace ONE UEM enrolled devices can log in to their Workspace ONE app to access their enabled applications securely without entering multiple passwords.
  • The ability to set up authentication rule(s) in Workspace ONE Access based on Device Compliance configuration(s) from Workspace ONE UEM. This makes it possible to allow access to certain applications only from devices that meet this compliance.

Fortunately, the integration of the two Workspace ONE components is not too difficult. The following sections show the configuration step by step.

Workspace ONE Access

First, we are going to create a (local directory) system account in Workspace ONE Access. This account is actually the service account that makes the integration possible.

In the Workspace ONE Access Admin Console, open the Users & Groups tab and click on the “Add User” button.

Fill in the account details, with a valid email address, and click Add.

You will now get an email to activate the account and supply a password.

Next, click the Roles tab, select the Super Admin group and click Assign.

Search and select the newly created service account.

The service account is now added. Click SAVE.

The Workspace ONE Access configuration is now complete.

Workspace ONE UEM

VMware provides a configuration wizard for the integration. To access this wizard, click “Getting Started”, then Workspace ONE, and click Configure in the Identity and Access Management menu.

Note: The Getting Started menu can only be used in an Organization Group of type “Customer”.

If it is not a Customer OG, you can access this wizard via the Settings, System, Enterprise Integration, Workspace ONE Access, Configuration menu.

Click Configure.

Fill in the Workspace ONE Access tenant URL, the previously created Service Account and Password, and click TEST CONNECTION.

If authentication is successful, you will see the message “Test connection successful”.

Click SAVE.

Next, the API keys must be generated. Click the “Use Autogenerated API Key” button.

In my case, the API keys were already created.

As the last step, we will configure Workspace ONE UEM to use Workspace ONE Access for authentication. Go to Settings, System, Devices & Users, General, Enrollment.

Click SAVE.

Verifying the setup

In Workspace ONE Access, you will see that the Workspace ONE UEM configuration has been set up automatically.

If you scroll down, make sure the “Fetch from Workspace ONE Access & UEM” check-boxes are enabled.

This completes the setup! Stay tuned for more topics, such as enabling the Unified Application Catalog, Mobile SSO and how to set up the Device Compliance Authentication Policy.