August 11, 2020

Recently, I wrote a very popular article here, which covered how to build a UAG that serves all three Workspace ONE UEM components. At the moment, we have one small but challenging dependency: a VMware Tunnel configuration cannot be built for multiple sites at the top-level Organization Group. This forces us to be creative and thoughtful when building our environment.

This can be a challenge if you already have a full environment deployed, but it is essential to capitalize on the powerful VMware Tunnel, which is popular because of the huge cost savings over traditional VPNs. Let's take a nice journey that starts with building the framework in WS1 UEM, ventures into Apple Business Manager, and much more!

A Short Introduction

When you are building multiple UAG clusters for Workspace ONE UEM, you are trying to solve a specific issue: users in different geographical areas who have bandwidth constraints or significant latency between the corporate office and their remote sites. Multiple clusters fix this issue in much the same way as AWS does with its US-East-1 and US-West-1 availability zones.

We will be building organizational groups in WS1 UEM, setting up VPP behind those groups, and allocating the right apps to ensure a clean and powerful design. You must do this correctly or risk a major user revolt later on…


Building the Structure in Workspace ONE UEM

The initial part in WS1 UEM is simple enough. We will create regional containers to split up our users, apps, and tunnels. Go to Groups > Organization Groups > Details > Add Child Organization Group. From there, you just fill in the fields and create those containers one by one. I personally like to set up the Time Zone, Locale, etc. correctly, but this is just a PoC of the functionality.

In my example, I will be creating Boston, London, and Tokyo Org Groups to split things up nicely. After you create a child organization group, you will need to navigate back to the top OG before creating the next one, so that each child is created at the correct level.

Setting up Apple Business Manager

Many of us don't have a ton of experience with Apple Business Manager. One of its lesser known abilities is "locations." You can use locations for a few different things, such as assigning apps specifically to that location or performing role-based access control for administering that location. I strongly recommend this article to learn a bit more about ABM locations.

Creating ABM Locations

Our focus is going to be on the application assignment and deployment components. First, go into the Locations section, click the plus icon, fill out the info, and click "Save".

We will do the same for our other two sites so that it matches what we built in WS1 UEM. You will notice that my setup looks a bit odd in ABM because my ABM is not set up as a global entity, which isn't a huge deal for this situation.

Typically, you want to wait 10-15 minutes after creating locations so Apple finishes the work in the back end. Then go to Settings > Apps and Books to find all of your VPP tokens.

You will download these tokens, and we will implement them later on after we go shopping! WOOO!!!


Buying and Assigning ABM Apps

So why do we use Apple’s VPP (Volume Purchasing Program) for this design? The answer is pretty simple. We get the following amazing features by using VPP for free apps at our company:

  • Automatic App Updates
  • Device-Based Assignment (You don’t need an Apple ID to receive apps yay!)

Any UEM admin or engineer will tell you this is a HUGE benefit that makes life so much easier. It's pretty simple to do this in ABM: select Apps and Books > search for the app > select the application.

You've done all of that before, right? Here's what's different below: you now select which location you want to assign the licenses to. We're going to do this in an interesting way for simplicity:

Now, you wait 5 minutes or so and then refresh your screen. You will see that it shows the apps you own and the license count:

We will now use the "Transfer" section below to pass some licenses to our different offices. You could buy the licenses individually for each office, but transferring is much easier and quicker:

All you have to do is click “Transfer”, select the quantity, the office, and click “Transfer” again to move the licenses around.

Don’t worry when it says “Processing” for a few minutes. It will finish soon:

Setting up VPP in Workspace ONE UEM

Setting up VPP is pretty simple. You will upload the VPP tokens you downloaded earlier at each Org Group. Navigate to Settings > Devices & Users > Apple > VPP Managed Distribution. Once there, upload the token and give it a name in the description field. Notice that I did not check "Automatically send invites", as sending no email is always a good thing! Do not forget to drop down to your office location before uploading!

You could see a few errors, which are worth pointing out. This "unable to save" message is a spurious error; just click Save again:

If you didn't set things up properly originally, you will see the prompt below. It's VERY IMPORTANT to be aware that if you DO need to fix things, you will pull ALL VPP apps off those devices. The good news is they will come back, but you could cause some serious heart palpitations for users if you did not communicate first:

Afterwards, you can go to the Purchased tab in WS1 UEM and run a sync to pull in your new VPP apps. Don't forget to do this at each location to get things healthy:

Configuring the Tunnel aka WHY WE DID ALL THIS?!

I’m sure you have been wondering why in the holy hell did we do all of this to begin with?


The reason you need to do all of this is a direct result of the design of VMware Tunnel. We have two main issues, which we will solve below:

  1. You can only configure one Tunnel config per Org Group
  2. You MUST deploy apps at the same level as the Tunnel config or you cannot tunnel them

Creating the VPN Profile in Workspace ONE UEM

First, we need to create the Tunnel VPN Profile. Much to my dismay, we create these at the child Org Group level, so that each profile pulls in the right tunnel endpoint for its site.

The brilliance is the simplicity of this part. You just go into Profiles > New and create a VPN profile. Once you select Workspace ONE Tunnel, it will automatically populate everything you need. A simple save and publish and you are good to go! One side note: if you NEED to use Safari through VMware Tunnel, which I don't recommend, you can configure those settings here as well.

Configuring the Application Assignment in Workspace ONE UEM

When you create the assignment for your new Jira app, you just specify the new Tunnel profile you created, then save and publish the application, as you can see below. I'm not going to cover the nuances of building app assignments, but if you need help, reach out:

Setting up the Tunnel Traffic Rules

Now, we can finally configure the tunnel traffic rules to tunnel the connections for your Jira mobile application. We start by clicking on “Edit”:

Put simply, once you force an application to be tunneled in its application assignment, it becomes eligible to be sent down the VMware Tunnel. You can see below that I created a device traffic rule. I configured my rule to tunnel Jira traffic to the Jira destination only. Once I have done so, I click "Save and Publish", which deploys the rule to every device in this organization group:

It's worth pointing out that publishing will re-deploy the tunnel profile you created earlier. This is mostly a technicality, since it's a relatively transparent change for the user.
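To make the two design constraints above concrete (one Tunnel configuration per Org Group, and apps only tunneled when assigned at the same level as the Tunnel profile they reference), here is an added example in Python. It is not VMware code and not part of the original post; it is a small model you can run against a planned design before clicking through the console. The Org Group, app, profile and host names are constructed for the example, and the rule-matching semantics (first matching rule in the OG wins, hostname glob match) are a simplification of what the product does.

```python
"""Illustrative model of the WS1 UEM / VMware Tunnel design constraints.

Added example: not VMware code. Encodes two rules from the post:
  1. Only one Tunnel configuration (VPN profile) per Organization Group.
  2. An app is tunneled only if its assignment lives in the same OG as the
     Tunnel profile it references AND a device traffic rule in that OG
     matches the destination host.
All names and hosts below are constructed for the example.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TunnelProfile:
    name: str
    org_group: str  # OG where the VPN profile was created


@dataclass(frozen=True)
class AppAssignment:
    app: str
    org_group: str  # OG where the (VPP) app is assigned
    tunnel_profile: Optional[str]  # profile chosen in the assignment, if any


@dataclass(frozen=True)
class TrafficRule:
    org_group: str
    app: str
    destination: str  # hostname pattern, e.g. "jira.example.com" (constructed)
    action: str  # "TUNNEL" or "BYPASS"


@dataclass
class Design:
    profiles: List[TunnelProfile] = field(default_factory=list)
    assignments: List[AppAssignment] = field(default_factory=list)
    rules: List[TrafficRule] = field(default_factory=list)


def validate(design: Design) -> List[str]:
    """Return a list of human-readable problems; empty means the design is consistent."""
    problems: List[str] = []
    # Constraint 1: at most one Tunnel profile per OG.
    seen: Dict[str, str] = {}
    for p in design.profiles:
        if p.org_group in seen:
            problems.append(
                f"OG {p.org_group!r} has two Tunnel profiles: {seen[p.org_group]!r} and {p.name!r}")
        seen[p.org_group] = p.name
    # Constraint 2: a tunneled app must be assigned in the profile's own OG.
    by_name = {p.name: p for p in design.profiles}
    for a in design.assignments:
        if a.tunnel_profile is None:
            continue
        prof = by_name.get(a.tunnel_profile)
        if prof is None:
            problems.append(
                f"app {a.app!r} in OG {a.org_group!r} references unknown profile {a.tunnel_profile!r}")
        elif prof.org_group != a.org_group:
            problems.append(
                f"app {a.app!r} is assigned in OG {a.org_group!r} but profile "
                f"{prof.name!r} lives in OG {prof.org_group!r}")
    return problems


def is_tunneled(design: Design, org_group: str, app: str, host: str) -> bool:
    """True only if the app is tunnel-eligible in this OG and a TUNNEL rule matches host."""
    eligible = any(a.org_group == org_group and a.app == app and a.tunnel_profile
                   for a in design.assignments)
    if not eligible:
        return False  # app not assigned with a Tunnel profile at this level
    for r in design.rules:
        if r.org_group == org_group and r.app == app and fnmatch(host, r.destination):
            return r.action == "TUNNEL"
    return False  # no matching rule: traffic stays on the device's normal path


# Constructed sample design matching the post's Boston / London / Tokyo layout.
GOOD = Design(
    profiles=[TunnelProfile("Boston Tunnel", "Boston"),
              TunnelProfile("London Tunnel", "London"),
              TunnelProfile("Tokyo Tunnel", "Tokyo")],
    assignments=[AppAssignment("Jira", "Boston", "Boston Tunnel"),
                 AppAssignment("Jira", "London", "London Tunnel")],
    rules=[TrafficRule("Boston", "Jira", "jira.example.com", "TUNNEL"),
           TrafficRule("London", "Jira", "jira.example.com", "TUNNEL")],
)

# Constructed broken design: two profiles in one OG, and Jira assigned at the
# top-level "Global" OG while referencing a child OG's profile.
BAD = Design(
    profiles=[TunnelProfile("Boston Tunnel", "Boston"),
              TunnelProfile("Boston Tunnel 2", "Boston")],
    assignments=[AppAssignment("Jira", "Global", "Boston Tunnel")],
)

if __name__ == "__main__":
    for problem in validate(BAD):
        print("BAD:", problem)
    print("Boston Jira -> jira:", is_tunneled(GOOD, "Boston", "Jira", "jira.example.com"))
    print("Tokyo  Jira -> jira:", is_tunneled(GOOD, "Tokyo", "Jira", "jira.example.com"))
```

Running it shows the point of the whole exercise: Jira is tunneled in Boston and London, where both the assignment and the rule live in the same OG as the profile, but not in Tokyo, where no assignment exists, and the top-level assignment in the broken design is flagged before it reaches any device.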

Circling Back on the Fun

I felt this was a really good article to write on its own because it wasn't simple. Luckily, my best friend has a ton of experience in Apple Education, which helped me come up with this idea for delivering a global design seamlessly. I definitely think VMware Tunnel's implementation in the WS1 UEM console needs some major work to be more usable for administrators.

The number of moving parts needed to make this work is why people pay people like me to build their environments. It doesn't need to be this complicated, and I hope that the great advances they made on the SEG and Content Gateway will make their way to the Tunnel very soon.

With all of that said, I hope this helps people avoid some early mistakes that can leave a poor taste in the mouth of users and cause your deployment to crash and burn!
