Overview
VMware introduced mobile single sign-on (SSO) for native Android applications as part of VMware Identity Manager 2.7. This is achieved using the AirWatch Tunnel configuration settings in the console, and using the AirWatch Tunnel Root Certificate which is bound to the Android SSO adapter in VMware Identity Manager.
In most organizations with a significant AirWatch deployment, an AirWatch Tunnel server is already installed and being used to provide VPN access from mobile devices to internal resources. Many companies require that AirWatch Tunnel authentication use an Enterprise Certificate Authority rather than the default Tunnel CA. This allows an organization to consolidate its authentication framework onto a single existing CA that already serves a variety of application services.
The following goes through the steps needed to enable the AirWatch Tunnel to use an Enterprise CA for mobile SSO for Android devices. The steps for configuring the certificate template, AirWatch Certificate Authority settings and Tunnel configuration settings are documented below. The remaining steps for enabling Android SSO (Per-App VPN Profile and Network Traffic Rules) are unchanged, and the instructions can be found in the VMware public documentation.
Prerequisites
In order to allow Android SSO to occur using an Enterprise CA certificate, the following prerequisites must be completed.
- AirWatch Cloud Connector installed in the internal environment
- Directory Services configured in the AirWatch console
- Enterprise Certificate Authority available in the internal environment, and accessible to the AirWatch Cloud Connector. In this example, we will use an internal Microsoft Certificate Authority to issue certificates.
Procedure
Certificate Template Configuration
NOTE: If you are already issuing user certificates through AirWatch for other purposes (e.g. certificate-based authentication for email and WiFi), these steps have already been completed and do not need to be re-done.
1. Log onto the server that is running the Microsoft Certificate Authority. Launch the Certification Authority console.
2. Right-click the Certificate Templates option, and select Manage.
3. Locate the User template display name. Right-click and select Duplicate Template.
4. In the General tab of the new template, change the template display name to AirWatch-User.
5. In the Subject Name option, select the button to Supply in the request. Click OK on the warning message that appears. This will allow the certificate to be generated based upon request parameters that come from AirWatch.
6. Click OK. This will save the template.
7. Go back to the Certification Authority console. Right-click on Certificate Templates, then select New --> Certificate Template to Issue.
8. Select the AirWatch-User template from the list, and click OK.
9. The AirWatch-User certificate template will now be available for use.
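The following PowerShell is an added verification example, not part of the original article: run on (or against) the issuing CA host with the RSAT ActiveDirectory module, it confirms that the AirWatch-User template carries the "Supply in the request" subject flag and is published on the CA, then lists who has been issued certificates from it. Because the subject name comes from the request, only the AirWatch service account should ever appear as the requester; the template display name and the use of the default CA database columns are assumptions based on the steps above.

```powershell
# Added verification example (not from the original article). Assumes the
# template display name 'AirWatch-User' created above and a CA reachable
# from this host via certutil.
Import-Module ActiveDirectory

$TemplateName      = 'AirWatch-User'
$ConfigNC          = (Get-ADRootDSE).configurationNamingContext
$TemplateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"

# 1. Read the template object from the AD configuration partition.
$tpl = Get-ADObject -SearchBase $TemplateContainer -LDAPFilter "(displayName=$TemplateName)" `
    -Properties 'msPKI-Certificate-Name-Flag','msPKI-Cert-Template-OID','pKIExtendedKeyUsage'
if (-not $tpl) { throw "Template '$TemplateName' not found under $TemplateContainer" }

# 2. "Supply in the request" sets CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT (0x1) in
#    msPKI-Certificate-Name-Flag; AirWatch needs it to request CN=UDID.
$nameFlags       = [int]$tpl.'msPKI-Certificate-Name-Flag'
$supplyInRequest = ($nameFlags -band 0x1) -ne 0
"{0}: EnrolleeSuppliesSubject={1} EKUs={2}" -f $TemplateName, $supplyInRequest, ($tpl.pKIExtendedKeyUsage -join ',')
if (-not $supplyInRequest) { Write-Warning "Subject Name is not set to 'Supply in the request'" }

# 3. Confirm the CA publishes the template (steps 7-8 above).
$published = certutil -CATemplates | Select-String -SimpleMatch $TemplateName
if (-not $published) { Write-Warning "'$TemplateName' is not published on this CA" }

# 4. List issued certificates (Disposition=20) for this template by its OID.
#    Any requester other than the AirWatch CA service account deserves review,
#    since that account is the only one expected to supply subjects.
$oid = $tpl.'msPKI-Cert-Template-OID'
certutil -view -restrict "CertificateTemplate=$oid,Disposition=20" `
    -out "RequestID,RequesterName,CommonName,NotAfter" |
    Select-String -Pattern 'Request ID|Requester Name|Issued Common Name|Certificate Expiration Date'
```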
AirWatch Certificate Authority Configuration
NOTE: If you are already issuing user certificates through AirWatch for other purposes (e.g. certificate-based authentication for email and WiFi), steps 2-4 have already been completed; move directly to step 5.
1. In the AirWatch console, browse to Groups and Settings --> All Settings --> System --> Enterprise Integration --> Certificate Authorities --> Configuration.
2. Under Certificate Authorities, click Add.
3. Provide all of the necessary fields for configuring the Certificate Authority in AirWatch. Click Test Connection, and ensure that this comes up as successful.
Name: Friendly Name of the CA that will be displayed in the AirWatch console.
Authority Type: Microsoft ADCS will be used here.
Protocol: Since we are making a direct connection to ADCS, leave this as ADCS.
Server Hostname: Hostname (or FQDN) of the server that is running the Certificate Authority.
Authority Name: Name of the CA, found in the Certification Authority MMC snap-in.
Username: Username of administrator account that has access to issue certificates.
Password: Password for the associated administrator username.
4. Click Save.
5. Go to the Request Templates tab, and click Add.
6. Provide all of the necessary fields for configuring the Request Template in AirWatch.
Name: Friendly Name of the Request Template that will be displayed in the AirWatch console.
Certificate Authority: Select the CA from the drop-down that was configured in the above section.
Issuing Template: Name of the Certificate Template that was configured in ADCS (AirWatch-User).
Subject Name: Update this to say CN=UDID. This is needed for authentication to the AirWatch Tunnel.
Private Key Length: Leave as default, 2048 bit.
7. Click Save.
AirWatch Tunnel Configuration
1. In the AirWatch console, browse to Groups and Settings --> All Settings --> System --> Enterprise Integration --> AirWatch Tunnel --> Configuration. If required, Override the existing settings and click Configure.
2. Under the Deployment Type tab, enable the Per-App Tunnel (Linux Only) option, and set it to Basic mode. Click Next.
3. In the Details tab, provide the Hostname and the Port of the AirWatch Tunnel server. The Tunnel server must be reachable from the internet on the hostname and port that you provide here. Click Next.
4. Check the box to use a Public SSL certificate in the SSL tab. Under the option AirWatch Tunnel Certificate, upload the publicly trusted SSL certificate that will be used for the AirWatch Tunnel Server. Click Next.
5. Under the Authentication tab, select Enterprise CA as the Per-App Tunnel Authentication method. Select the certificate authority and request template configured above for use with the AirWatch Tunnel. Upload the root and intermediate certificates for the domain to the AirWatch console. Click Next.
6. Click Next on the Profile Association page.
7. Do not alter anything on the Miscellaneous page, click Next.
8. Confirm all of the settings are correct on the Summary page, and click Save.
9. A prompt will appear to install the AirWatch Tunnel server. Install the server using your preferred method, either the Virtual Appliance or the Linux Installer. The instructions to install the AirWatch Tunnel server can be found in the myAirWatch Resources portal.
VPN Profile and Network Traffic Rules Configuration
Follow the instructions for configuring the Per-App VPN Profile and assigning it to the deployed Android applications. The process for creating the Network Traffic Rules in the public documentation will enable the certificate proxy service and facilitate SSO.