The appendix aggregates all design decisions of the Identity and Access Management for VMware Cloud Foundation validated solution. You can use this design decision list for reference related to the end state of the environment and potentially to track your level of adherence to the design and any justification for deviations.
Deployment Specification
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-CFG-001 |
Deploy a single-node standalone Workspace ONE Access instance in the management domain for a VMware Cloud Foundation instance. |
Supports the design objectives for users and groups scalability for Workspace ONE Access without requiring clustering support. |
|
IAM-WSA-CFG-002 |
Use the native PostgreSQL database service in the Workspace ONE Access appliance. |
|
None. |
IAM-WSA-CFG-003 |
Protect the standalone Workspace ONE Access instance using vSphere High Availability. |
Supports the design objectives for availability of Workspace ONE Access without requiring human intervention during an ESXi host failure event. |
In the event of an ESXi host failure, the services provided by the standalone Workspace ONE Access instance are temporarily unavailable during the restart of the appliance initiated by vSphere High Availability. SDDC components using Workspace ONE Access as an authentication source are interrupted (for example, vRealize Automation to NSX Manager) during the restart of the appliance. |
IAM-WSA-CFG-004 |
Place the standalone Workspace ONE Access instance in a designated virtual machine folder. |
Organizes the standalone Workspace ONE Access instance within the management domain vSphere inventory. |
You must specify the virtual machine folder placement during or after the deployment. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-CFG-005 |
When using more than one availability zone, add the standalone Workspace ONE Access instance to the primary availability zone virtual machine group. |
Ensures that, by default, the standalone Workspace ONE Access instance is powered on in the primary availability zone host group. In the event of a primary availability zone failure, vSphere High Availability will restart the Workspace ONE Access in the secondary availability zone without human intervention. |
After stretching the management domain cluster across availability zones in a region, the virtual machine group for the primary availability zone virtual machines must be updated to include the Workspace ONE Access appliance. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-CFG-006 |
Deploy the standalone Workspace ONE Access instance using the Extra Small virtual appliance configuration. |
|
None. |
Network Design
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-NET-001 |
Place the standalone Workspace ONE Access instance on the local-instance NSX network segment. |
|
You must use an implementation in NSX to support this networking configuration. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-NET-002 |
Allocate and assign a static IP address to the standalone Workspace ONE Access instance. |
Using assigned IP addresses removes the constraints and risks associated with providing and managing DHCP on your management networks. |
The use of static IP addresses requires precise IP address management. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-NET-003 |
Configure both forward (A) and reverse (PTR) DNS records for a standalone Workspace ONE Access instance. |
Workspace ONE Access is accessible using a fully qualified domain name. |
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-NET-004 |
Configure the standalone Workspace ONE Access instance to use NTP servers rather than using VMTools to synchronize with the ESXi hosts on which it is running. |
|
|
Life Cycle Management Design
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-LCM-001 |
Life cycle management of a standalone Workspace ONE Access instance is provided using the native command line tools in the appliance. |
|
Deployment, patching, updates, and upgrades of a standalone Workspace ONE Access instance are performed without native automation. |
Information Security and Access Design
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-SEC-001 |
Limit the use of local accounts for both interactive or API access and solution integration. |
Local accounts are not specific to user identity and do not offer complete auditing from an endpoint back to the user identity. |
You must define and manage service accounts, security groups, group membership, and security controls in Active Directory. |
IAM-WSA-SEC-002 |
Limit the scope and privileges for accounts used for both interactive or API access and solution integration. |
The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy. |
You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration. |
IAM-WSA-SEC-003 |
Assign Active Directory user accounts to security groups following your organization's access policies. |
Allows Active Directory security groups to be assigned to roles in SDDC components for streamlined management of access and administrative privileges. |
You must define and manage security groups, group membership, and security controls in Active Directory. |
IAM-WSA-SEC-004 |
Assign Active Directory security groups to default or custom roles, as applicable, for interactive or API access to solution components based on your organization's business and security requirements.
|
|
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-ESXI-SEC-001 |
Configure the password expiration policy for each ESXi host. |
|
You must manage the local user password expiration policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client. |
IAM-ESXI-SEC-002 |
Configure the password complexity policy for each ESXi host. |
|
You must manage the local user password complexity policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client. |
IAM-ESXI-SEC-003 |
Configure the account lockout policy for each ESXi host. |
|
You must manage the local user account lockout policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-ESXI-SEC-004 |
Change the root user password for each ESXi host on a recurring or event-initiated schedule by using SDDC Manager. |
|
|
IAM-ESXI-SEC-005 |
Rotate the SERVICE account password for each ESXi host on a recurring or event-initiated schedule by using SDDC Manager. |
|
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-VCS-SEC-001 |
Configure the vCenter Server instances to use Active Directory over LDAP with SSL (LDAPS) as the identity source. |
|
|
IAM-VCS-SEC-002 |
Use an Active Directory user account with minimum read-only access as Base DN for users and groups to server as the service account for the Active Directory bind. |
Provides the following access control features:
|
You must manage the password life cycle of this Active Directory use account. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-VCS-SEC-003 |
Assign the default Administrator role in vCenter Server to an Active Directory security group. |
By assigning the Administrator role to an Active Directory security group, you can simplify and manage user access with administrative rights in vCenter Server based on your organization's personas. |
|
IAM-VCS-SEC-004 |
Assign vCenter Server global permissions for the Active Directory security groups assigned the Administrator role. |
By assigning the global permissions to an Active Directory security group with the Administrator role , you can manage user access with administrative rights across all management and workload domain vCenter Servers instances which participate in enhanced linked-mode and use the same identity provider. |
None. |
IAM-VCS-SEC-005 |
Assign the default Read-Only role in vCenter Server to an Active Directory security group. |
By assigning the Read-only role to an Active Directory security group, you can simplify and manage user access with read-only rights in vCenter Server based on your organization's personas. |
|
IAM-VCS-SEC-006 |
Assign vCenter Server global permissions for the Active Directory security groups assigned the Read-Only role. |
By assigning global permissions to an Active Directory security group with the Read-only role, you can manage user access with read-only privileges across all management and workload domain vCenter Servers instances which participate in enhanced linked-mode and use the same identity provider. |
None. |
IAM-VCS-SEC-007 |
Add an Active Directory security group as a member of the vCenter Single Sign-On Administrators group. |
By adding an Active Directory security group as a member of the Administrators group, you can manage user access with administrative rights to the vCenter Single Sign-On built-in identity provider based on your organization's personas. |
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-VCS-SEC-008 |
Configure the global password expiration policy for each vCenter Server instance. |
You configure the global password expiration policy for each vCenter Server instance to align with the requirements of your organization which might be based on industry compliance standards. |
You must manage the password expiration policy on each vCenter Server instance by using the vCenter Server Management Interface. |
IAM-VCS-SEC-009 |
Configure the local user password expiration policy for each vCenter Server instance. |
|
You must manage the local user password expiration settings on each vCenter Server instance by using both the vCenter Server Management Interface and the virtual appliance console. |
IAM-VCS-SEC-010 |
Configure the local user password complexity policy for each vCenter Server instance. |
|
|
IAM-VCS-SEC-011 |
Configure the local user account lockout policy for each vCenter Server instance. |
|
You must manage the local user account lockout settings on each vCenter Server instance by using the virtual appliance console. |
IAM-VCS-SEC-012 |
Configure the password expiration policy for the vCenter Single Sign-On built-in identity provider. |
|
You must manage the password expiration policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client. |
IAM-VCS-SEC-013 |
Configure the password complexity policy for the vCenter Single Sign-On built-in identity provider. |
|
|
IAM-VCS-SEC-014 |
Configure the account lockout policy for the vCenter Single Sign-On built-in identity provider. |
|
You must manage the password expiration policy for the vCenter Single Sign-On built-in identity provider by using the vSphere Client. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-VCS-SEC-015 |
For each vCenter Server instance, change the vCenter Server virtual appliance root account password on a recurring or event-initiated schedule by using SDDC Manager. |
|
You must manage the password update or an automated password rotation schedule (default) for the root account by using SDDC Manager. |
IAM-VCS-SEC-016 |
Change the vCenter Single Sign-On domain administrator SYSTEM account (for example, administrator@vsphere.local) password in the vCenter Single Sign-On built-in identity provider on a recurring or event-initiated schedule by using SDDC Manager. |
|
You must manage the password update or an automated password rotation schedule for the SYSTEM account by using SDDC Manager. |
IAM-VCS-SEC-017 |
Rotate the passwords for SDDC Manager SERVICE account types in the vCenter Single Sign-On built-in identity provider on a recurring or event-initiated schedule by using SDDC Manager. |
|
You must manage the password rotation or an automated password rotation schedule for the SERVICE account by using SDDC Manager. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-NSX-SEC-001 |
Configure the standalone Workspace ONE Access instance as the authentication source for the NSX Local Managers. |
|
|
IAM-NSX-SEC-002 |
Assign the default Enterprise Admin role in NSX Manager to an Active Directory security group. |
By assigning the Enterprise Admin role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory. |
|
IAM-NSX-SEC-003 |
Assign the default Network Admin role in NSX Manager to an Active Directory security group. |
By assigning the Network Admin role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory. |
|
IAM-NSX-SEC-004 |
Assign the default Auditor role in NSX Manager to an Active Directory security group. |
By assigning the Auditor role to an Active Directory security group, you can simplify and manage user access to NSX by using the enterprise administrative access controls in Active Directory. |
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-NSX-SEC-005 |
Configure the password expiration policy for each NSX Local Manager cluster. |
|
You must manage the password expiration policy on each NSX Local Manager cluster using the CLI or an API. |
IAM-NSX-SEC-006 |
Configure the password complexity policy for each NSX Local Manager cluster node. |
You configure the password complexity policy for each NSX Local Manager cluster node to align with the requirements of your organization which might be based on industry compliance standards. |
|
IAM-NSX-SEC-007 |
Configure the account lockout policy on each NSX Local Manager cluster to configure the account lockout policy and set the lockout behavior for the API, CLI, and user interface. |
You configure the account lockout policy for each NSX Local Manager cluster to align with the requirements of your organization which might be based on industry compliance standards. |
You must manage the account lockout policy on each NSX Local Manager cluster by using the virtual appliance console. |
IAM-NSX-SEC-008 |
Configure the password expiration policy for each NSX Edge node. |
|
You must manage the password expiration policy on each NSX Edge node by using the virtual appliance console. |
IAM-NSX-SEC-009 |
Configure the password complexity policy for each NSX Edge node. |
You configure the password complexity policy for NSX Edge nodes to align with the requirements of your organization which might be based on industry compliance standards. |
|
IAM-NSX-SEC-010 |
Configure the account lockout policy on each NSX Edge node to configure the account lockout policy and set the lockout behavior for the CLI. |
You configure the account lockout policy for NSX Edge nodes to align with the requirements of your organization which might be based on industry compliance standards. |
You must manage the account lockout policy on each NSX Edge node by using the virtual appliance console. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-NSX-SEC-011 |
For the management domain NSX Local Manager cluster, change the root, admin, and audit account passwords on a recurring or event-initiated schedule by using SDDC Manager. |
|
You must manage the password change or an automated password rotation schedule for the root, admin, and audit accounts by using SDDC Manager. |
IAM-NSX-SEC-012 |
For each VI workload domain NSX Local Manager cluster, change the root and the admin account passwords on a recurring or event-initiated schedule by using SDDC Manager. |
|
|
IAM-NSX-SEC-013 |
For each VI workload domain NSX Local Manager cluster, change the audit account password on a recurring or event-initiated schedule by using the API or CLI. |
|
|
IAM-NSX-SEC-014 |
For each NSX Edge cluster deployed and managed by SDDC Manager, change the root, admin, and audit account passwords for each NSX Edge node on a recurring or event-initiated schedule by using SDDC Manager. |
|
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-SDDC-SEC-001 |
Assign the Admin role in SDDC Manager to an Active Directory security group. |
By assigning the Admin role to an Active Directory security group, you can simplify and manager user access with administrative rights to SDDC Manager. |
|
IAM-SDDC-SEC-002 |
Assign the Operator role in SDDC Manager to an Active Directory security group. |
By assigning the Operator role to an Active Directory security group, you can simplify and manage user access with operative rights to SDDC Manager. |
|
IAM-SDDC-SEC-003 |
Assign the Viewer role in SDDC Manager to an Active Directory group. |
By assigning the Viewer role to an Active Directory group, you can create user accounts that have read-only rights in SDDC Manager. |
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-SDDC-SEC-004 |
Configure the password expiration policy for the SDDC Manager appliance. |
|
You must manage the password expiration policy on the SDDC Manager appliance by using the virtual appliance console. |
IAM-SDDC-SEC-005 |
Configure the password complexity policy for the SDDC Manager appliance. |
|
You must manage the password complexity policy on the SDDC Manager appliance by using the virtual appliance console. |
IAM-SDDC-SEC-006 |
Configure the account lockout policy for the SDDC Manager appliance. |
|
You must manage the account lockout policy on the SDDC Manager appliance by using the virtual appliance console. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-SDDC-SEC-007 |
Change the SDDC Manager virtual appliance root, vcf, and backup account passwords on a recurring or event-initiated schedule by using the appliance shell. |
|
|
IAM-SDDC-SEC-008 |
Change the SDDC Manager local administrative admin@local account password on a recurring or event-initiated schedule by using the API. |
The password for the SDDC Manager local administrative admin@local account does not expire. |
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-CFG-007 |
Connect the standalone Workspace ONE Access instance to the Active Directory domain within the same region. |
You can integrate Workspace ONE Access with your organization's directory service to synchronize users and groups to a Workspace ONE Access directory. To remove any dependency between regions, a Workspace ONE Access instance connects to the organization's directory service within the region, and not across regions. |
None |
IAM-WSA-CFG-008 |
Configure Workspace ONE Access to use Active Directory over LDAP with TLS (LDAPS) for directory services connection. |
|
|
IAM-WSA-CFG-009 |
Use an Active Directory user account with the minimum of read-only access to Base DNs for users and groups, as the service account that binds to Active Directory. |
Provides the following access control features:
|
|
IAM-WSA-CFG-010 |
Configure the Workspace ONE Access directory to synchronize Active Directory security groups for assignment to Workspace ONE Access and NSX roles. |
|
|
IAM-WSA-CFG-011 |
Activate the synchronization of Active Directory security group members to the directory when a group is added to the Workspace ONE Access directory. |
Members of security groups are synchronized to Workspace ONE Access directory when adding security groups from the organization's directory services. If the feature is inactive, group names are synchronized to the Workspace ONE Access directory, but security group members are not synchronized until the group is entitled to an application or the group name is added to an access policy. |
None |
IAM-WSA-CFG-012 |
Configure Workspace ONE Access to synchronize nested group members by default. |
Allows Workspace ONE Access to update and cache the membership of security groups without querying your organization's directory services. |
Changes to group membership are not reflected until the next synchronization event. |
IAM-WSA-CFG-013 |
Add a filter to the directory settings to exclude users from the directory replication. |
Limits the number of replicated users for each Workspace ONE Access instance within the design objectives for scalability. |
To ensure that replicated user accounts are managed within the maximums, you must define a filtering schema based on your organization's directory services attributes. |
IAM-WSA-CFG-014 |
Configure the minimum required user attributes in Active Directory to synchronize with the Workspace ONE Access directory. |
Ensures successful synchronization between Active Directory and Workspace ONE Access. You configure the minimum required and extended user attributes which then synchronize directory user accounts in Workspace ONE Access. |
Active Directory accounts in your organization must have the following mapped attributes:
|
IAM-WSA-CFG-015 |
Configure the directory synchronization frequency to 15 minutes. |
Ensures that any changes to group memberships in your organization's directory services are available for integrated solutions in a timely manner. |
Schedule the synchronization interval to be longer than the time it takes to synchronize the enterprise directory. Otherwise, if the process of synchronization is still ongoing when the next synchronization start is scheduled, the new synchronization starts after the end of the previous one and the process is continuous. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-SEC-005 |
Assign the default Super Admins role in Workspace ONE Access to an Active Directory security group. |
By assigning the Super Admins role to an Active Directory security group, you can simplify and manage user access with administrative rights in Workspace ONE Access. |
|
IAM-WSA-SEC-006 |
Assign the default Directory Admins role in Workspace ONE Access to an Active Directory security group. |
By assigning the Directory Admins role to an Active Directory security group, you can simplify and manage user access with administrative rights in Workspace ONE Access. |
|
IAM-WSA-SEC-007 |
Assign the default ReadOnly role in Workspace ONE Access to an Active Directory security group. |
By assigning the ReadOnly role to an Active Directory security group, you can simplify and manage user access to Workspace ONE Access. |
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-SEC-008 |
Configure the local user password expiration policy for each standalone Workspace ONE Access virtual appliance. |
|
You must manage the local user password expiration settings on each standalone Workspace ONE Access virtual appliance by using the virtual appliance console. |
IAM-WSA-SEC-009 |
Configure the local user password complexity policy for each Workspace ONE Access virtual appliance. |
|
You must manage the local user password complexity settings on each standalone Workspace ONE Access virtual appliance by using the virtual appliance console. |
IAM-WSA-SEC-0010 |
Configure the local user account lockout policy for each Workspace ONE Access virtual appliance. |
|
You must manage the local user account lockout settings on each standalone Workspace ONE Access virtual appliance using the virtual appliance console. |
IAM-WSA-SEC-0011 |
Configure the password expiration policy for the Workspace ONE Access local directory (system-domain) users. |
|
The SMTP settings for the Workspace ONE Access instance must be configured to ensure notifications are operational if a user password in the local user directory is expiring, expired, or must be reset. |
IAM-WSA-SEC-0012 |
Configure the password complexity policy for the Workspace ONE Access local directory (system-domain) users. |
|
None. |
IAM-WSA-SEC-0013 |
Configure the account lockout policy for the Workspace ONE Access local directory (system-domain) users. |
|
None. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-SEC-014 |
Change the standalone Workspace ONE Access appliance root and sshuser account passwords on a recurring or event-initiated schedule. |
The password for the Workspace ONE Access virtual appliance root and sshuser accounts expire based on the default password expiration policy for each account. |
|
IAM-WSA-SEC-015 |
Change the standalone Workspace ONE Access local user directory admin account password for Workspace ONE Access on a recurring or event-initiated schedule. |
The password for the Workspace ONE Access application local user directory admin account does not expire. |
|
IAM-WSA-SEC-016 |
Change the standalone Workspace ONE Access application local admin account password for Workspace ONE Access on a recurring or event-initiated schedule. |
By default, the password for the Workspace ONE Access application local admin does not expire. |
|
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-SEC-017 |
Replace the default self-signed certificate with a CA-signed certificate during the deployment of the standalone Workspace ONE Access instance. |
Ensures that all communication to user interface and API endpoint of Workspace ONE Access is encrypted. |
|
IAM-WSA-SEC-018 |
Import the certificate for the Root Certificate Authority to the standalone Workspace ONE Access instance. |
Ensures that the Certificate Authority is trusted by the Workspace ONE Access instance. |
None |
IAM-WSA-SEC-019 |
Use a SHA-2 or higher algorithm when signing certificates. |
The SHA-1 algorithm is considered less secure and is deprecated. |
Not all certificate authorities support SHA-2. |
IAM-WSA-SEC-020 |
Rotate the CA-signed certificate of the standalone Workspace ONE Access instance on a recurring or event-initiated schedule. |
Ensures that all communication to user interface and API endpoint of Workspace ONE Access, and between the components continues to be encrypted with a non-expired or non-compromised certificate. |
|
Solution Interoperability
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-MON-001 |
Configure vRealize Operations Manager with a VMware Identity Manager adapter for the standalone Workspace ONE Access instance. |
vRealize Operations Manager uses the adapter for the standalone Workspace ONE Access instance to collect monitoring metrics. |
None. |
IAM-WSA-MON-002 |
Configure the standalone Workspace ONE Access endpoints to use the remote collector group. |
|
None. |
IAM-WSA-MON-003 |
Add a Ping adapter for the standalone Workspace ONE Access instance. |
Provides metrics on the availability of the standalone Workspace ONE Access. |
You must add the adapter instances manually. |
IAM-WSA-MON-004 |
Configure the Ping adapter for the standalone Workspace ONE Access instance to use the remote collector group. |
|
None. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IAM-WSA-LOG-001 |
Install the vRealize Log Insight agent on the standalone Workspace ONE Access instance. |
The vRealize Log Insight agent is required to collect and transfer logs to the vRealize Log Insight instances. |
None. |
IAM-WSA-LOG-002 |
Configure the vRealize Log Insight agent to transmit logs from the standalone Workspace ONE Access instance to the adjacent vRealize Log Insight in the VMware Cloud Foundation instance using the vRealize Log Insight ingestion API, |
Ensures the transmission of logs from the standalone Workspace ONE Access instance to be forwarded to the adjacent vRealize Log Insight using the Ingestion API. |
The configuration is unencrypted. To ensure that the transmission of logs between the standalone Workspace ONE Access is encrypted using TLS, you must update the configuration for Workspace ONE Access to send logs to vRealize Log Insight using the ingestion API, |
IAM-WSA-LOG-003 |
Configure a dedicated Workspace ONE Access agent group and assign the standalone Workspace ONE Access instance FQDN. |
|
Adds minimal load to vRealize Log Insight. |
IAM-WSA-LOG-004 |
Configure a dedicated Photon OS agent group and assign the standalone Workspace ONE Access instance FQDN. |
|
Adds minimal load to vRealize Log Insight. |