
This article gives tips and best practices for AirWatch on-premise and AirWatch SaaS implementations.

I have divided this article into two sections, security and usability. First a quick list of all the topics covered; scroll down for the details.

Security

  1. Harden your internet facing servers
  2. Enable two-factor authentication for administrators
  3. Enable enrollment restrictions
  4. Configure appropriate access to the Self-Service Portal with custom security roles
  5. Require an enrollment registration token

Usability

  6. Use QR code based enrollment e-mails
  7. Review the "Friendly Name Setup"
  8. Set up friendly names for AirWatch Browser bookmarks
  9. Create user accounts for external collaboration partners
  10. Take advantage of the Apple Volume Purchase Program (VPP) and Apple Device Enrollment Program (DEP)

 

Security

1. Harden your internet facing servers

To protect your AirWatch environment from POODLE, a vulnerability in SSL v3, SSL v3 must be disabled on every server that terminates TLS, together with weak cipher suites such as RC4.

This applies not only to on-premise customers: SaaS customers who run the AirWatch Secure E-mail Gateway (SEG), Mobile Access Gateway (MAG) or Remote File Storage (RFS) in their own data centre are responsible for hardening those servers themselves and should not forget about them.

Microsoft documents the required Schannel registry settings here: http://support.microsoft.com/kb/245030

Several approaches exist for disabling SSL v3; I find the following method the fastest and easiest, as it provides a simple interface that applies the same registry settings the Microsoft article describes.

First, test whether your internet facing servers are vulnerable by entering their public DNS name on the Qualys SSL Labs test page: https://www.ssllabs.com/ssltest/

The test not only checks for SSL v3, but also provides valuable information about the certificate chain and client compatibility. Note that it can only see servers that are reachable from the internet; internal-only servers have to be checked locally.

If the server is vulnerable, download the IIS Crypto tool from Nartac Software: https://www.nartac.com/Products/IISCrypto/Default.aspx/

For AirWatch servers, you should get the IIS Crypto GUI version for .NET v.4.

Run the tool, select the "FIPS 140-2" template and apply it.

Reboot the server and run the SSL test again.

NOTICE: No compatibility issues are expected with AirWatch components, except for Windows Mobile / CE agents that have not been upgraded. After the upgrade those agents use TLS only, as documented by AirWatch here: https://resources.air-watch.com/save/bthbchsxsfmx3x9hnn3y/en Keep in mind that Schannel settings apply to the whole server, including the outbound connections SEG and MAG make to Exchange and internal resources, so verify those connections after the reboot as well.
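For administrators who prefer a scripted, repeatable version of the same change, the following PowerShell script is an added example (not from the original article, and not AirWatch's or Nartac's code). It writes the Schannel registry values that KB245030 describes to disable SSL 2.0, SSL 3.0 and the RC4 ciphers, and then offers a local handshake check so that internal-only servers can be verified without SSL Labs. The host name, port and cipher list are assumptions for illustration; run it elevated on the server, and reboot before testing, since Schannel only reads these keys at start-up.

```powershell
# Added example: disable SSL 2.0/3.0 and RC4 via the Schannel registry keys from
# KB245030, then verify which protocols a server still negotiates.
# The .NET registry API is used instead of New-Item because PowerShell's registry
# provider treats the "/" in key names such as "RC4 128/128" as a path separator.

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelEnabled {
    param([string]$SubKey, [bool]$Enabled)
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$SchannelBase\$SubKey")
    try {
        # Enabled = 0 switches the protocol or cipher off. For protocols,
        # DisabledByDefault = 1 also keeps it off for applications that do not
        # pass an explicit protocol list to Schannel.
        $key.SetValue('Enabled', [int]$Enabled, [Microsoft.Win32.RegistryValueKind]::DWord)
        if ($SubKey -like 'Protocols\*') {
            $key.SetValue('DisabledByDefault', [int](-not $Enabled), [Microsoft.Win32.RegistryValueKind]::DWord)
        }
    } finally { $key.Close() }
}

function Disable-LegacySsl {
    # Both the Server and the Client side: SEG/MAG also act as TLS clients
    # towards Exchange and internal resources, so outbound traffic changes too.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0') {
        foreach ($side in 'Server', 'Client') {
            Set-SchannelEnabled -SubKey "Protocols\$proto\$side" -Enabled $false
        }
    }
    # RC4 cipher key names as used in KB245030 (assumed list for this example).
    foreach ($cipher in 'RC4 128/128', 'RC4 56/128', 'RC4 40/128') {
        Set-SchannelEnabled -SubKey "Ciphers\$cipher" -Enabled $false
    }
}

function Test-SslProtocol {
    # Attempts a handshake with exactly one protocol version and reports whether
    # the server accepted it. Certificate validation is deliberately skipped;
    # only the negotiated protocol matters here.
    param([string]$HostName, [int]$Port = 443,
          [System.Security.Authentication.SslProtocols]$Protocol = 'Ssl3')
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
                 [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{ Host = $HostName; Protocol = $Protocol; Accepted = $true; Detail = $ssl.SslProtocol }
    } catch {
        # A "not supported" message means the local client itself refuses the
        # protocol; in that case the result is inconclusive and SSL Labs or a
        # second machine is needed to judge the server.
        [pscustomobject]@{ Host = $HostName; Protocol = $Protocol; Accepted = $false
                           Detail = $_.Exception.GetBaseException().Message }
    } finally { $client.Close() }
}

# Usage (host name is a placeholder): harden, reboot, then re-test.
Disable-LegacySsl
'Ssl3', 'Tls', 'Tls12' | ForEach-Object { Test-SslProtocol -HostName 'mdm.example.com' -Protocol $_ }
```

After the reboot the SSL v3 row should show Accepted = False while TLS 1.2 remains accepted; if the TLS 1.0 row is still accepted, that is expected with the FIPS 140-2 template and is a separate decision to make based on which agents still need it.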

 

2. Enable two-factor authentication for administrators

AirWatch has added SMS gateway configuration to the shared AirWatch SaaS environments (at least cn503 and cn556), which allows customers to send enrollment SMS messages to users and also to deliver the authentication token to administrators via SMS.

To enable two-factor authentication for administrators, edit an admin account, enable the checkbox "Require Two-Factor Authentication" and select "SMS" as the "Delivery Method". Make sure to save the changes, and verify that the mobile number stored on the admin account is correct before logging out, or the administrator will be locked out. SMS is a clear improvement over a password alone, but it is the weakest second factor; reserve it for accounts where no stronger option is available.

 

3. Enable enrollment restrictions

With the default settings, anyone with a valid user account (in AD-integrated environments AirWatch creates the user account automatically when the user first enrolls) can enroll an unlimited number of devices. That is convenient during evaluation, but it is not a desirable situation in a production environment.

Enrollment restrictions let you specify that only members of certain AirWatch user groups (which can be mapped to Active Directory groups) may enroll devices.

They also let you restrict enrollment to MDM or Workspace, limit how many devices of each ownership type a user may enroll, and define which device operating systems are allowed.

Enrollment restrictions are setup in the AirWatch Admin Console from SETTINGS > Devices & Users > General > Enrollment > Restrictions.

 

4. Configure appropriate access to the Self-Service Portal with custom security roles

By default AirWatch comes with two security roles for users: Full and Basic.

I consider the "Full" role far too powerful, as users can even delete their own devices from AirWatch, and the "Basic" role too restrictive, as users cannot even reset their own passcode.

New security roles for users can be created in the AirWatch Administrator console at > Accounts > Users > Roles.

Once a new security role has been created, test it on a single user first by editing that user account and assigning the role. If it works as expected, apply it to all users in a user group via

SETTINGS > Devices & Users > General > Enrollment > Grouping > Enable Directory Group-Based Mapping.

 

5. Require an enrollment registration token

The enrollment registration token adds an additional layer of security to user authentication during enrollment by requiring a one-time token for each enrolled device. Tokens can be generated automatically by enrollment e-mail messages, or by users themselves through the Self-Service Portal if they have the corresponding permission.

The token requirement is enabled in the AirWatch Admin Console by selecting the option "Registered Devices Only" and enabling "Require Registration Token" under SETTINGS > Devices & Users > General > Enrollment > Authentication.

The option "Two-Factor" requires the token plus a user name and password, which raises the bar for an attacker.

The option "Single-Factor" simplifies the enrollment process, as users can enroll with the token alone; the token can be passed into the enrollment process automatically through QR code based enrollment (see below). In this mode the token is the only credential, so anyone who obtains the enrollment e-mail can enroll a device as that user. Treat the e-mail accordingly.

 

Usability

6. Use QR code based enrollment e-mails

Enrollment "invitations" can be sent directly from the AirWatch Admin Console to users. The default templates contain a QR code, which users scan with their device to download the correct agent from the relevant app store. The QR code also carries the enrollment registration token if that has been enabled.

During enrollment, users first scan the QR code with any QR code reader on the device to download the AirWatch Agent, and then scan it again from within the agent to pass the enrollment information automatically into the MDM agent.

More details on enrollment e-mail templates can be found in our blog article:

http://aerion.fi/en/blog/69-simplied-ios-and-android-enrollment

 

7. Review the "Friendly Name Setup"

The default Friendly Name pattern includes the variable "DeviceOperatingSystem".

While this looks nice initially, it quickly becomes a misleading value once the device operating system has been updated.

The friendly name is only generated during device enrollment and does not change automatically afterwards. So if a user updated their iPad from iOS 7.1.2 to iOS 8.1 after enrolling in AirWatch, the friendly name will still read "username iPad iOS 7.1.2 WXYZ".

To avoid this confusion, remove the "DeviceOperatingSystem" value from the Friendly Name configuration, which can be found at SETTINGS > Devices & Users > General > Friendly Name.

 

8. Set up friendly names for AirWatch Browser bookmarks

AirWatch has added the option to give AirWatch Browser bookmarks user-friendly names/descriptions instead of showing only the URL.

This can be setup at SETTINGS > Apps > Browser > Bookmarks

 

9. Create user accounts for external collaboration partners

With the AirWatch Secure Content Locker Collaboration edition, it is easy to collaborate on files and folders, but secure sharing with external users is only available on a file-by-file basis.

In contract negotiations it is often necessary to collaborate on multiple files or entire folders with external partners.

This can be achieved in different ways, such as letting the partner install the stand-alone Secure Content Locker (SCL) to sync the documents, or even enforcing MDM enrollment together with SCL. Either way this requires a license and some commitment from the partner to install the apps, but it is the most secure way to collaborate on entire folders.

Another, less secure way (the content is not protected in a container) is to create a user account for the partner, restrict it with a custom user role, prevent device enrollment for that user (or group) and send them the URL of the Self-Service Portal.

The partner then has access to the documents shared with them through the web interface. As long as they do not install the AirWatch Secure Content Locker (SCL) or the Content Locker Sync agent on their PC, no additional collaboration license is required.

 

10. Take advantage of the Apple Volume Purchase Program (VPP) and Apple Device Enrollment Program (DEP)

With VPP and DEP, organizations can streamline the management of iOS devices. Both programs are well integrated into the AirWatch console and can be set up within minutes.

We have more detailed articles and videos available for both of the programs at the links below.

Apple Volume Purchase Program (VPP) and AirWatch - Aerion Blog Article

Apple Device Enrollment Program (DEP) and AirWatch - Aerion Blog Article

 


 

About the author
Peter Giesa is an AirWatch Certified Technical Post-Sales On-Prem Expert and works as Solution Architect & Senior Consultant at Aerion Solutions.

About Aerion Solutions
Aerion Solutions is an AirWatch Elite Partner and VMware Enterprise Solution Provider in Finland with certified consultants, providing consulting and training services for AirWatch and VMware on-premise and SaaS implementations.