Configure Workspace ONE UEM Integration with Akamai CDN by setting up Akamai for use in a production environment.

To learn more about configuring Akamai integration, see Akamai product documentation at https://www.akamai.com.

To configure Akamai to integrate with Workspace ONE UEM, complete the following settings:

  1. At the time of configuration, select AirWatch as your client name.
  2. After you set up properties that control Akamai's edge server traffic, add behaviors to the property as per your requirements. Currently, Workspace ONE UEM requires you to configure the following two behaviors:
    1. Edge Server Identification: Include a known cookie value that can be verified at the origin server before serving requests back to the edge server.

      Setting Description
      AW-AUTH-KEY.
      Cookie Value Use a hash generator to create the hash key generated value. CDN server uses the key to connect to the origin server. Retain a copy of the hash key for use while installing the origin server.
      Cookie Domain Enter the Origin Server URL. For example, enter origin.acme.com.
    2. Advanced Override: Use the Advanced Override option to specify the parameter to use for tokens that are passed to the URL. Also, specify the expected shared-secret/salt that is used to generate the HMAC token when validating the file requests to the edge server. Advanced Override is only available by request from Akamai Support, and requires an extra fee. This feature is required to enter the Token key in the Console configuration.

Configure your Origin Server to integrate Workspace ONE UEM with Akamai CDN

An origin server is the physical location from which content is retrieved. It is required in all configurations that retrieve content from an origin. You can set up the Origin Server to integrate Akamai CDN with Workspace ONE UEM.

To set up the Origin Server, complete the following steps:

  1. Install the Web Server Role (IIS). he Internet. It is possible to set up the DNS to do routing internally to the proper servers as necessary. For storage, multiply the average file size by the average number of files, then multiply by two to avoid full disk issues that prevent the caching of files.

    Enable the following features:

    1. Request Filtering
    2. Window Authentication
    3. URL Authorization
    4. IP and Domain Restrictions
  2. Install URL Rewrite IIS from the Microsoft website.
  3. Add the following extensions to Default Website MIME Types.
    Extension Content Type
    .app

    application/vnd.android.package-archive

    .appx application/vns.ms-appx
    .appxbundle application/octet-stream
    .ipa application/octet-stream
    .lic text/plain (For BSP)
    .msi* .msi* application/octet-stream
    .msp application/octet-stream
    .mst application/octet-stream
    .pkg application/octet-stream
    .xap* application/x-silverlight-app
    .xbap* application/x-ms-xbap
    .ppkg application/octet-stream
    .dmg application/octet-stream
    .mpkg application/octet-stream
    .plist text/xml
    .apk application/vnd.android.package-archive
    Note: MIME Types already exist in Windows 2012 R2.
  4. Navigate to the CDN content storage location.

  5. Create a shared folder named CDN. The folder that is configured for the web server must be mapped to a file with both read, write permission that is available to the Workspace ONE UEM console and Device Services.
  6. In the CDN folder, create a file named monitor.txt. Enter some random text into the document so that you can validate the connection at a later stage.

  7. Set up the user account credentials for accessing the CDN using a UNC/SMB path. The UNC/SMB path is used during the configuration of the UEM console. The user name and password are used for connecting to the UNC/SMB folder and are also entered into the UEM console.

  8. Configure the security setup for accessing the folder from the IIS website.

    1. Add the application pool user account to the CDNfolder of the shared drive.

    2. Add the following usernts:

      1. ISUR (All but Full control)
      2. IIS_IUSRS (All but Full control)
      3. NetworkService (Full Control)
      4. UNC/SMB Service Account (All but Full control)
  9. Under Application Pools, right-click DefaultAppPool and select Advanced Settings. Set the App Pool Identity to NetworkService.

  10. Right-click Default Website, select Manage Website, and select Advanced Settings.
  11. Change the Physical Path to the configured drive for the CDN content.

  12. After Akamai is configured, you can set up the request filtering for the cookie that is used for authentication of the URL.
    1. Obtain the CDN Configuration Tool installer.

    2. Run the CDN installation and enter the secret key (SHA256 Hash Key) that is configured with your Akamai account for Edge Server Identification.
  13. Make a note of the Network Path for the UEM console configuration.

Configure Akamai CDN in the Workspace ONE UEM Console

You can configure Akamai CDN in Workspace ONE UEM console. During the configuration, the values that you enter in the configuration page can be retrieved by logging in to your CDN provider portal and locating the values. If you are an on-premises customer who requires additional assistance, contact Workspace ONE UEM Support.

  • Current Setting – Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the parent OG if the current organization group, Override enables the settings for editing so you can modify the current OG settings directly.

Complete the Akamai configuration in the UEM console:

  1. In the UEM console, ensure that you are in the Global OG.
  2. Navigate to Groups & Settings > All Settings > System > Enterprise Integration > CDN.
  3. Complete the Akamai configuration settings:
    Setting Description
    Enabled

    Select Enabled to route all the application downloads through the CDN for all the devices that are the managed at the current organization group.

    Select Disabled to route all the application downloads through Workspace ONE UEM server.

    Directory

    Enter the server name and the directory. The Directory name is the Network Path that is used while configuring the origin server.

    User name Enter a dedicated Service Account user name that is placed on the Origin Server side.
    Password Enter the dedicated Service Account password that is placed on the Origin Server side.
    Content Server Enter the DNS of the CNAME that is as per the data center (for example, CDN.acme.com).
    Token Parameter For Akamai, it is the token as per the Advanced Override.

    Salt Value

     

    Enter the token that your CDN provides. For Akamai, it is done by enabling the Advanced Override code.
    Destination Enter the destination name of the CDN.

    Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.

    Test Connection – Select this button to test the connection between Workspace ONE UEM and Akamai. A status message is displayed to confirm the connection.

Disable CDN System Settings for the Child Organization Group

If the child organization group has devices with IP whitelisting and restricts the application downloads to be routed through the CDN, you can disable the CDN routing. To disable CDN System Settings for the Child Organization Group, navigate to the child organization, select Override, and disable Allow App downloads through CDN. u choose to override the settings, you can only disable Allow App downloads through CDN. However, the system restricts you from editing the Child Permission.

Validate Your Workspace ONE UEM Integration with Akamai CDN

Complete the following steps to validate Workspace ONE UEM integration with CDN:

  1. In a web browser, navigate to your CDN DNS. For example, CDN.acme.com/monitor.txt), which results in an error. The reason is because the connection to the Origin server from the CDN requires authentication.
  2. In a web browser, navigate to your Origin DNS. For example, origin.acme.com/monitor.txt), which succeeds. Accessing the origin server directly only works for the monitor.txt file, which is used to validate the connection.