A cloud-based Workspace ONE Assist configuration can be enabled for on-premises Workspace ONE UEM deployments (including multiple on-prem deployments). I've hit this scenario a couple of times recently, while the process is documented here, there are a couple of minor nuances and I figured a step-by-step might be helpful for some.
A quick look at the architecture:
The US Based Workspace One Assist service is hosted on the following servers:
Console Connection Name: https://rm01.awmdm.com/t10
Device Connection Name: https://rm01.awmdm.com/
Other global locales are defined here.
Port 443, outbound, is required from Console Server, the user devices and the administrator's workstation to the Workspace One Assist services.
The Configuration:
1. Point the on-prem UEM environment at Cloud SaaS
In the UEM console, ensure that you are in the top Global OG.
Navigate to Settings > System > Advanced > Site URLs > Workspace ONE Assist.
Complete the Workspace ONE Assist settings:
Console Connection Name: https://rm01.awmdm.com/t10
Device Connection Name: https://rm01.awmdm.com/
2. Generate the Workspace ONE Assist Certificates
Customers are required to generate a certificate which then needs to be sent to VMware. This cert will link your on-prem UEM to the cloud Assist environment. VMware provides a utility to create the cert included in the workspace ONE Assist installer package available to download here.
Download the installer on any windows server/workstation. (The docs suggest to do this on your on-prem assist server, but you don't have an on-prem assist server in a cloud-based setup :-/)
Extract the installers to a \temp folder, do not move the files around inside the extracted folder location as the installer needs all the files in their extracted locations. Do not rename or move the temp folder.
In the extracted folder you will find a couple of folders named RemoteManaementCertificateGenerator_9_2 and RemoteManagementCertificateGenerator_Before_9_2, the 9_2 relates to your Workspace ONE UEM version
In that folder you will find RemoteManagementCertificateGenerator.exe, right click and "Run as Administrator"
A utility window will launch
Select the appropriate Certificate Type: Remote Management
Select the Deployment Type: On-Prem
Enter the appropriate Certificate Common Name. This can be retrieved from your UEM console.
Navigate to Groups & Settings>All Settings>System>Advanced>Site URLs, scroll down to the Workspace ONE Assist section
Copy the string in the Remote Management CN text box, paste this into the utility.
Once required items have been added, press the Generate Certificates button
A folder will be created named \Artifacts
Find the generated certificates file in the Artifacts\private folder called root_intermediate_chain.p7b. This is the Assist Certificate pair file that contains two major certificates that enable Workspace ONE UEM to communicate with the Assist
::IMPORTANT:: Zip up the p7b file and email it to your account team or professional services team member. They will create a ticket for the Assist team with the certificate you provided.
In the same /Assist folder you will find he "Certificate Seed Script.sql".
Run this script against the Workspace ONE UEM Database to seed the generated certificates into the Workspace ONE UEM database.
Your VMware account team or professional services team member will receive notification of the successful pairing and alert you.
Comments