On-premises customers must install and configure the Workspace ONE Assist server(s).

There are two types of installations of Workspace ONE Assist.

  • Standard (Basic), for all-in-one single server installations.
  • Advanced (Custom), for medium installations where there is a separate CP server and a separate CAP server, or multiple server installations where the CP, Core, Application, and Portal services reside on separate servers. See On-Premises Hardware Scaling Requirements.

Prior to running the installer on the server(s), you must first Generate the Workspace ONE Assist T10 API Certificate.

Generate the Workspace ONE Assist T10 API Certificate

You must generate the T10 API root and intermediate certificates used during an on-premises installation whether you are performing a Standard (Basic) or an Advanced (Custom) installation. These certificates are also required for an on-premises build of Workspace ONE UEM while using Workspace ONE Assist in a SaaS environment.

Download the installer package, titled VMware Workspace ONE™ UEM Remote Management Certificate Generator, from the myWorkspaceONE portal (https://myworkspaceone.com).

The certificate generator is called RemoteManagementCertificateGenerator 22.03. This installer must be run on a machine with the same locale settings as the database server to ensure that the same date format is set in the SQL script. You must run this certificate generator as an administrator.
Note: To use RemoteManagementCertificateGenerator 22.03, your Workspace ONE UEM must be of version 9.3 or later.
  1. Extract all contents from the installer package ZIP file into c:\temp of the Workspace ONE Assist server. Do not move the files around inside the temp folder as the installer needs all the files in their extracted locations. Do not rename or move the temp folder.
  2. Run the Remote Management Certificate Generator which is included in the installer package.
  3. In the UEM console, switch to your primary organization group (OG). The OG you select must be of a 'customer' type.
  4. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLs, scroll down to the Workspace ONE Assist section, and copy the string in the Remote Management CN text box. You are not able to see a Remote Management CN option unless you are in a 'customer' type OG.
    Note: If the Remote Management CN text box is blank, then you must manually Create the Common Name from the Workspace ONE UEM Database.
  5. Set the following values.
    Table 1.
    Setting | Value
    Certificate Type | Remote Management
    Deployment | On-premises. The deployment type must be on-premises when using an on-premises build of Workspace ONE UEM with Workspace ONE Assist in a SaaS environment.
    Certificate Common Name | Paste the Remote Management CN copied from the preceding step (Step 4). Ensure the string you paste has 'CN'.
  6. Select Generate Certificates.
  7. Set Password for the certificates when prompted. Store this password for future use.
  8. Navigate to the folder holding the Remote Management Certificate Generator.
  9. Find the generated certificates file in the Artifacts\private folder called root_intermediate_chain.p7b. This is the T10 Certificate pair file that contains two major certificates that help Workspace ONE UEM to communicate with the T10 portal. These certificates are the Workspace ONE UEM portal Root and Intermediate certificates.
  10. Perform the action based on your environment.
    • For On-Premises Environments – Copy the p7b file generated in step 9 to the c:\temp\certs folder on the Workspace ONE Assist Server and proceed to step 11.
    • For SaaS Environments – Zip up the p7b file and email it to your account team or professional services team member. They will create a ticket for the Assist team with the certificate you provided. Internal Account Teams and Professional Services Teams, refer to the following knowledgebase article for further instructions. https://ikb.vmware.com/s/article/79459.
  11. In the Artifacts folder, find the "Certificate Seed Script.sql". Run this script against the Workspace ONE UEM Database to seed the generated certificates into the Workspace ONE UEM database.

    If you receive the error message "The conversion of a varchar data type to a datetime data type resulted in an out-of-range value," then see Troubleshooting Workspace ONE Assist. Support for multiple Workspace ONE UEM environments is available. For details, see Configure Multi-Workspace ONE UEM Environment Support.
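
To confirm that root_intermediate_chain.p7b really holds the root and intermediate pair before you copy it or send it on (step 10), the following added example, which is not part of the VMware documentation or tooling, loads the bundle and checks its structure. The function name is hypothetical, and the checks (one self-signed root, the other certificate issued by it, both inside their validity window) are assumptions about a normal root and intermediate pair.

```powershell
# Added example (not VMware code): sanity-check the generated T10 chain file.
# Default path follows step 10 for on-premises environments.
function Test-T10ChainFile {
    param(
        [string]$Path = 'C:\temp\certs\root_intermediate_chain.p7b'
    )

    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $certs.Import($full)   # a .p7b is a PKCS #7 bundle; Import reads every certificate in it

    $now      = Get-Date
    $problems = New-Object 'System.Collections.Generic.List[string]'

    if ($certs.Count -ne 2) {
        $problems.Add("expected 2 certificates (root + intermediate), found $($certs.Count)")
    }

    # Assumption: the root is the only self-signed entry (Subject equals Issuer).
    $roots = @($certs | Where-Object { $_.Subject -eq $_.Issuer })
    if ($roots.Count -ne 1) {
        $problems.Add("expected exactly 1 self-signed root, found $($roots.Count)")
    }

    foreach ($c in $certs) {
        if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
            $problems.Add("outside validity window: $($c.Subject)")
        }
        # Assumption: every non-root entry names the bundled root as its issuer.
        if ($roots.Count -eq 1 -and $c.Subject -ne $c.Issuer -and
            $c.Issuer -ne $roots[0].Subject) {
            $problems.Add("not issued by the bundled root: $($c.Subject)")
        }
    }

    [pscustomobject]@{
        Path         = $full
        Certificates = @($certs | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint)
        Problems     = $problems.ToArray()
        Ok           = ($problems.Count -eq 0)
    }
}

$result = Test-T10ChainFile
$result.Certificates | Format-List
if (-not $result.Ok) { $result.Problems | ForEach-Object { Write-Warning $_ } }
```

Compare the Subject values in the output with the Remote Management CN you pasted in step 5.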

Install Site SSL Certificate, Assist On-Premises Only

You must incorporate a secure sockets layer (SSL) certificate into the Workspace ONE Assist on-premises installation process whether you are performing a Standard (Basic) or Advanced (Custom) installation.

SSL certificates provide secure, encrypted communications between a website and an Internet browser. The SSL certificate secures HTTPS binding for the management website for port 443 and allows a secure connection. This secure connection is between the admin and Web services. Also, the SSL certificate secures the connection to the Connection Proctor on port 8443 (or port 443 when the Connection Proctor (CP) Service runs on a separate server). You must provide the SSL certificate as a wildcard or SAN certificate.

If you are installing Workspace ONE Assist for the first time or upgrading to a newer version, you do not need to bind the SSL certificate to a website or renew the site thumbprint. However, if you are renewing an expired SSL certificate in between Workspace ONE Assist releases, you must bind the SSL certificate to a website and update the renewed site Thumbprint using AdminWebPortal. A link to each of those tasks appears directly after the following steps.

This process applies only to the SSL certificate. This process does not apply to the T10 API root and intermediate certificates.

  1. Run the Microsoft Management Console (MMC).

    Locate this application by typing 'mmc' into the search box found in the Start button.

  2. In the File menu of the MMC application, select Add/Remove Snap-in.... The Add or Remove Snap-ins dialog box displays.
  3. Under Available snap-ins on the left panel, select Certificates and then select the Add button in the middle. The Certificates snap-in dialog box displays.
  4. Select Computer Account and then select the Next button.
  5. Select Local Computer and then select the Finish button.

    Now the Add or Remove Snap-ins screen displays Certificates (Local Computer) under the Console Root on the right panel.

  6. Select OK to finish. The main MMC window displays.
  7. Expand the Certificates (Local Computer) on the left panel by selecting the Greater Than symbol. Select Personal > Certificates.
    1. If you do not have a Certificates folder to select, select the Personal folder and a Certificates folder will be created automatically.
  8. In the Action menu of the MMC application, select All Tasks followed by Import.... The Certificate Import Wizard displays.
  9. Select Next to begin the Wizard.
  10. Select Browse... to locate the SSL certificate in the PFX file format. You should familiarize yourself with the name of this file, since you must identify it by name in the future. Once located, select Open to import it.
  11. Enter the certificate's Password when prompted. Select only the box labeled Include all extended properties.
  12. Select Next.
  13. Select Place all certificates in the following store and set the Certificate store to 'Personal'.
  14. Select Next.
  15. Confirm all the presented information is correct and then select Finish.

    A new SSL certificate has been installed.

    If you are installing Workspace ONE Assist, then you must decide whether you are running a Standard (Basic) Installation of Workspace ONE Assist or an Advanced (Custom) Installation of Workspace ONE Assist.
    • Standard (Basic), for all-in-one single server installations.
    • Advanced (Custom), for installations with advanced options such as multiple servers to accommodate high availability and horizontal scaling.

    If you are not installing Workspace ONE Assist but rather just updating an expired SSL certificate, then you must Bind the SSL Certificate to a Management Site followed by Update the Renewed Site Thumbprint Using AdminWebPortal.
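
After the import, the certificate can be checked against the requirements stated above (wildcard or SAN certificate, installed in the local computer Personal store, matching the Assist FQDN) before the installer asks for it. This is an added example, not VMware code: the function names and the FQDN assist.example.com are placeholders, and it relies on the DnsNameList property that the PowerShell certificate provider adds to certificate objects.

```powershell
# Added example (not VMware code): find certificates in LocalMachine\My that
# cover the Assist FQDN and report the properties that matter for the install.

function Test-NameCoversFqdn {
    param([string]$Pattern, [string]$Fqdn)
    $p = $Pattern.ToLowerInvariant()
    $f = $Fqdn.ToLowerInvariant()
    if ($p -eq $f) { return $true }
    if ($p.StartsWith('*.')) {
        # A wildcard stands for exactly one left-most label:
        # *.example.com covers assist.example.com, not a.b.example.com or example.com.
        $suffix = $p.Substring(1)
        if ($f.EndsWith($suffix)) {
            $label = $f.Substring(0, $f.Length - $suffix.Length)
            return ($label.Length -gt 0 -and -not $label.Contains('.'))
        }
    }
    return $false
}

function Get-AssistSslCandidate {
    param([Parameter(Mandatory)][string]$Fqdn)

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $matched = $null
        foreach ($name in $cert.DnsNameList) {
            if (Test-NameCoversFqdn -Pattern $name.Unicode -Fqdn $Fqdn) {
                $matched = $name.Unicode
                break
            }
        }
        if ($matched) {
            [pscustomobject]@{
                Subject       = $cert.Subject
                MatchedName   = $matched
                HasPrivateKey = $cert.HasPrivateKey   # must be True for an HTTPS binding
                NotAfter      = $cert.NotAfter
                DaysLeft      = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                Thumbprint    = $cert.Thumbprint
            }
        }
    }
}

$Fqdn = 'assist.example.com'   # placeholder: use the FQDN assigned to the Assist system
$candidates = @(Get-AssistSslCandidate -Fqdn $Fqdn)
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My covers $Fqdn"
}
$candidates | Sort-Object NotAfter -Descending | Format-Table -AutoSize
```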

Bind the SSL Certificate to a Management Site

If you are renewing an expired SSL certificate in between Workspace ONE Assist releases, you must bind the renewed SSL certificate to the website and update the renewed site Thumbprint using AdminWebPortal. This task binds the SSL certificate.

You do not need to manually bind the SSL certificate each time you install it. During the normal course of installing or upgrading the Workspace ONE Assist server, you must also install the SSL certificate. But the Workspace ONE Assist installation or upgrade process takes care of binding the SSL certificate to the website for you. You only need to follow these steps to bind the SSL certificate if you are manually renewing an expired SSL certificate in between Workspace ONE Assist installations or upgrades.

If you are installing or upgrading the Workspace ONE Assist server, do not take these steps.
  1. Open Internet Information Services (IIS) on the Workspace ONE Assist server.
  2. In the Connection pane on the left, expand the node of the server by selecting the triangle in front of the server name.
  3. Expand the node of the Sites folder.
  4. Right-click Mgmt Web Site and select Edit Bindings.... The Site Bindings screen displays.
  5. Select https and then select the Edit button. The Edit Site Binding screen displays.
  6. Select the updated SSL certificate in the drop-down menu and then select OK.

    The new SSL Certificate is now bound to the website.

Update the Renewed Site Thumbprint Using AdminWebPortal

If you are renewing an expired SSL certificate in between Workspace ONE Assist releases, you must update the renewed site Thumbprint. This task updates the Thumbprint with AdminWebPortal.

During the normal course of installing or upgrading the Workspace ONE Assist server, you must also update the site thumbprint. But the Workspace ONE Assist installation or upgrade process takes care of updating the site thumbprint.

You only need to follow these steps to update the site thumbprint with AdminWebPortal if you are manually renewing an expired SSL certificate in between Workspace ONE Assist installations or upgrades and have already bound it to the website.

If you are installing or upgrading the Workspace ONE Assist server, do not take these steps.

  1. Start the MMC console from the Workspace ONE Assist server.
  2. In the left-side panel, navigate to Console Root > Certificates (Local Computer) > Personal > Certificates and locate, by name, the SSL certificate you installed or updated recently.
  3. Double-click this SSL certificate. The Certificate screen displays.
  4. Select the Details tab at the top.
  5. In the Show drop-down menu, select Properties Only.
  6. Click once on the text box Thumbprint. A series of number and letter pairs appears in the panel beneath the Show panel.
  7. Select all these pairs of characters and copy them to the clipboard. Close the MMC console.
  8. Open Notepad from the server desktop.
  9. Paste the clipboard contents into the empty notepad screen.
    Note: The new thumbprint when you copy from the certificate is in lowercase. Ensure you change it to uppercase before pasting it in the AdminWebPortal. If unchanged, it can cause errors.
  10. In Notepad, enter the keyboard shortcut Ctrl-H. The Replace screen displays.
  11. Enter a single space in the Find what text box.
  12. Click the Replace All button and then close the Replace screen by clicking the X.

    All the spaces in between the number/letter pairs have been removed. Using Notepad also takes the ANSI text copied from the MMC console and converts it to ASCII text, which is the format we want when we go to paste that thumbprint in the AdminWebPortal.

  13. In Notepad, select the newly formatted thumbprint and copy it to clipboard with Ctrl-C. Close Notepad.
  14. Open your browser and log into the AdminWebPortal using your credentials.

    For example, https://yourdomain.com/AdminWebPortal/login.aspx

  15. Select the Default Service Configurations.
  16. In the Search bar, enter certid.

    To display the search results properly, you might need to scroll down to the page size modifier and maximize the number of pages it can display. Doing this sets a large enough playing field to display any search result.

  17. Identify the certid in the Parameter Name column: :ctl.svc.cnp.tch/certid. In the Options column of the same line, select the Edit icon (pencil).

    Upon clicking the Edit icon, you might need to search for certid once again. Locate the certid Parameter Name and notice that the Parameter Value is now editable.

  18. Select the existing string of characters in the Parameter Value for :ctl.svc.cnp.tch/certid and replace it with the new Thumbprint string you have stored in your clipboard by applying the Ctrl-V keyboard shortcut.
    Note: Before you paste the new thumbprint, ensure you change the thumbprint from lowercase to uppercase; if unchanged, it can cause errors.
  19. Select the Save icon.
  20. Select Service Configuration.
  21. Search for ConnectionProctorService and review its Status column.
  22. For both Active status and Inactive status for ConnectionProctorService, select the Edit icon (pencil) and update the :ctl.svc.cnp.tch/certid Parameter Value with the new Thumbprint string (Ctrl-V).
  23. Select the Save icon for each, as applicable.
  24. Select the Update button at the bottom of the page.
  25. Restart all services (Core and IIS services). Select the Start menu and enter run on your keyboard. In the Open text box, enter services.msc. The Services application displays.
  26. Locate all services that are labeled Aetherpal.
  27. Stop all these Aetherpal services.
  28. Start all Aetherpal services.

    The site Thumbprint has been updated.
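
The clean-up done by hand in steps 6 to 13 (remove spaces, convert to uppercase, plain text only) can be scripted and checked against the certificate store and the IIS binding before the value is pasted into :ctl.svc.cnp.tch/certid. This is an added example, not VMware code: the function names are hypothetical, the sample thumbprint is constructed, and the site name Mgmt Web Site is taken from the binding task above.

```powershell
# Added example (not VMware code): normalise a thumbprint copied from the
# Certificate dialog and confirm it refers to the renewed certificate.

function ConvertTo-AssistThumbprint {
    param([Parameter(Mandatory)][string]$Text)
    # Drop everything that is not a hex digit: spaces, line breaks and any
    # invisible characters carried along by the copy. Then force uppercase.
    $hex = ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($hex.Length)."
    }
    return $hex
}

function Test-AssistThumbprint {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$SiteName = 'Mgmt Web Site'
    )

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }

    # BoundToSite stays $null when the IIS module is not present on this machine.
    $bound = $null
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $hashes = @(Get-WebBinding -Name $SiteName -Protocol https |
            ForEach-Object { $_.certificateHash })
        $bound = $hashes -contains $Thumbprint
    }

    [pscustomobject]@{
        Thumbprint       = $Thumbprint
        InLocalMachineMy = [bool]$cert
        HasPrivateKey    = [bool]($cert -and $cert.HasPrivateKey)
        BoundToSite      = $bound
    }
}

# Constructed sample: lowercase pairs separated by spaces, with a leading
# invisible character (U+200E) of the kind a copy from the dialog can include.
$pasted = "$([char]0x200E)00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
$thumb  = ConvertTo-AssistThumbprint -Text $pasted
$thumb
Test-AssistThumbprint -Thumbprint $thumb
```

With the real thumbprint, InLocalMachineMy and BoundToSite should both be True before the value goes into the AdminWebPortal.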

Single Server (Standard/Basic) Installation of Workspace ONE Assist

The Standard (Basic) method for installing Workspace ONE Assist in an on-premises environment involves the use of all-in-one single servers.
Figure 1. Single Server Installation

All the Assist components are installed in a single server.

Prerequisites:
  • Execute the RemoteManagementCertificateGenerator utility, generate a T10 certificate, and run the certificate seeding script on the Workspace ONE UEM database.

  • Procure and install an SSL/TLS certificate that matches the FQDN assigned to the Assist system.

  • Install IIS components on the server where Assist is installed and upgrade .NET Framework to version 4.7.2.

Perform the following steps to install Workspace ONE Assist.

  1. Download, extract, and save the Workspace ONE Assist installer into a temporary directory on the Workspace ONE Assist server. You can download the installer from the repository at https://my.workspaceone.com.
  2. Right-click the installer file and select Run as administrator.
  3. On the Welcome screen, select Next.
  4. Select the installation directory for Assist and click Install.
  5. Select Standard Installation (Basic) and then select the checkbox for Secure Internal Service Communication. Enter a secured password to protect the certificate that is generated for the Assist internal services and enter the internal service port (for example 8446, 8083, and so on). Click Next.
  6. Select Connect to Existing SQL Server and enter the required parameters.
    Setting | Description
    SQL server name | Define the SQL Server instance running on the server either as an IP address or a connection string.
    Authentication | Select either Windows authentication to authenticate to SQL Server as current Windows user OR select SQL Server Authentication to select a SQL server account, such as SA.
    User name | If SQL Server Authentication was used, type in the user name that is used to authenticate against the SQL server.
    Password | Type in the password for the user name selected.
  7. Select the …More button and enter the credentials of Assist DB system accounts. These DB accounts are created when Assist is installed and are used by Assist to authenticate against the database server.
    Setting | Description
    DB Owner Username/Password, DB Application Username/Password | Enter the database account credentials to access and maintain SQL databases. By default, the usernames are apadminuser and apdbuser. Specify passwords for these accounts. Do not use the following special characters in passwords: ampersand (&), less than (<), greater than (>), single quote ('), double quotes ("), semicolon (;).
    MDF Path, LDF Path, NDF Path | Enter the directories on the SQL server where you want to store the MDF, LDF, and NDF database files. By default, the Assist database files are stored where the SQL server keeps the SQL system databases.
  8. Click Save and then click Next to proceed.
  9. In the Tenant FQDN text box, type in the FQDN for the Assist system.

    A Fully Qualified Domain Name is the complete domain name for a specific computer, or host, on the Internet. It consists of two parts: the host and the domain. For example, myhost.thedomain.edu.

  10. In the SSL Certificate text box, select the folder button or the pull-down arrow to select the SSL certificate for the Workspace ONE Assist system that corresponds to the FQDN.

    The certificate is installed in the local system personal certificate store.

  11. Select the certificate and then select OK. You may also click the View Certificate button to verify that the certificate is valid, and it is the correct certificate to be used for the Assist FQDN. Click OK to proceed.
  12. Deselect the Apply Default T10 Certificate check box. Click the folder icon next to the T10 certificate and browse for the T10 certificate that was generated and seeded in the Workspace ONE UEM database.

    This certificate is in the folder where the installer file was downloaded and moved to the …\RemoteManagementCertificateGenerator 22.03 > RemoteManagementCertificateGenerator > Artifacts folder. Browse to this folder and select the certificate.

  13. Click the Open button. The FQDN, the SSL certificate corresponding to the FQDN, and the T10 certificate that corresponds to the UEM Console are displayed. The enrollment certificate should remain untouched.
  14. Click the More… button to select additional settings for the Workspace ONE Assist system. Verify the parameters.
    Settings | Description
    HTTPS Port | Defines the HTTPS port used by portal services for access from outside the network. By default, port 443 is selected. If port 443 is already being used in your environment for another purpose, then you can use a different port, such as 7443.
    IIS Site Binding IP address | Defines from which interfaces/IP addresses portal services can be reached. By default, the setting is ‘All Unassigned’ to activate all interfaces/IPs.
    Internal Service HTTP(s) port | Defines the internal secure service communication port.
    SSL Enable | Activates SSL/TLS protocol for portal services. By default, this check box is selected so that the portal services use SSL/TLS. You can leave the check box as is and not make changes to it.
    T10 user name and Auto Generated | Defines T10 API user for connectivity between AirWatch portal and Workspace ONE Assist system. By default, if ‘Auto Generated’ check box is selected, the installer assigns a random user name to be created locally on the server. Leave this text box defaulted and the check box selected for the Installer to create the T10 API user. If you want to define the user, deselect the check box and type in the T10 user name you want to use.
    Service Username/Password | Defines the internal service username and password for Assist Services.
    CP FQDN/Port | Defines the FQDN and port on which CP services can be reached. Enter in the FQDN, which must be the same as the FQDN assigned for portal services. Enter port 8443, which is the default port for CP services. If port 8443 cannot be used, you can enter any other port. Be sure that network/security teams use this assigned port when assigning translation rules from the firewall/router to the RM Server for CP services.
    Culture Context | Defines the languages such as French, Spanish, and so on. For example, Italian would be IT.
  15. Click Save to continue. You are taken to the previous screen.
  16. Click Next to continue.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays. Any missing installation parameters are indicated in the report.

  17. If any of the prerequisites are missing and the check fails, do NOT select Install.
    1. Select Detailed Report link to see which prerequisites are missing.
    2. To install missing prerequisite components, select the Install Components link. The installer installs the missing components.

      You might need to reboot the server after the prerequisites are installed.

    3. After the reboot, relaunch the installer.

      The installer pre-populates with your previous selections.

  18. If the initial prerequisite check comes back with all components passing, select Install.

    Once the Install button is selected, the installation process begins.

    The installer first installs the database and then proceeds to install Core, Portal, Application, and CP Services.

    Note: Database execution might take an extended period.
  19. When the installation finishes, select Next to continue.
  20. When prompted to run the Resource Pack that loads all available device profiles onto the Workspace ONE Assist system, leave the Execute Resource pack check box selected and then select the Finish button.

    By default, the Resource Pack utility imports all device profiles by using a command-line window. After Resource Pack utility completes, the command-line window closes. For information about importing device profiles, see Import Device Profiles with Resource Pack Utility.

    Next, proceed to Configure Workspace ONE UEM Console with Assist On-Premises.

Single Server Model (Active/Passive) with Disaster Recovery

This deployment model describes the on-premises deployment of Workspace ONE Assist in an environment with two all-in-one single Assist servers. In this deployment model, one Assist server is active, and the other Assist server is passive. A Load Balancer manages network traffic to the active Assist server. Switching Assist services from one server to another within the Assist application is managed in the Assist Admin Web Portal or the Assist APAdmin database.
Figure 2. Single Server (Active/Passive) Model
Installation method, which uses two Assist servers, one active and the other passive.

Consider a scenario where you have multiple data centers for disaster recovery purposes. One data center houses a primary active server, and the second data center houses the secondary passive server. Another scenario could be where you have two servers in one location, one server acts as the primary active server, and the second server acts as the secondary backup server. These environments are active-passive environments.

Both active and passive Assist servers share a common set of SQL databases for Assist. You can decide how to handle the database replication and SQL disaster recovery.

Prerequisites:

Before starting Assist installation, ensure the following pre-requisites have been completed on the servers where Assist services are installed:
  • On the primary server, execute the Remote Management Certificate Generator utility, generate a T10 certificate, and run the certificate seeding script on the Airwatch database. After the seeding script has been run, copy the Artifacts folder …\RemoteManagementCertificateGenerator 22.03\RemoteManagementCertificateGenerator\Artifacts from the primary to the secondary server. The T10 certificate in the Artifacts folder is required for the installation on the secondary server but there is no need to run the seeding script again when Assist is installed on the secondary server.
  • Procure and install an SSL/TLS certificate that will match the FQDN that is assigned to the Assist system. This certificate must be installed on both primary and secondary Assist servers.
  • Install Web Server feature/roles on the server and upgrade .NET Framework to version 4.7.2 on both Assist servers.

Load Balancer

When using two all-in-one Assist servers, use a load balancer to point all Assist traffic to the active server. Configure the load balancer to have a pool of two servers where one server is active and the other is passive. You must also configure the load balancer to allow incoming network traffic to ports 443 and 8443 and for SSL passthrough. Hence, the SSL termination is on the Assist servers on ports 443 and 8443. The Load Balancer passes all traffic to the active server.

To install Assist software on the primary active server, the secondary server must be shut down and not detected by the load balancer in the server pool. Once you install and test the Assist software on the primary server, you must set the services on the primary server as inactive. After setting up the services as inactive, you must shut down the primary server and turn on the secondary server. The secondary server now becomes the active server. When the load balancer detects the active secondary server in the server pool, you can install the Assist software on the secondary server.

Switching Assist Services from Active to Inactive

In single server environments with disaster recovery, you must set the status of services to active on the active server and inactive on the passive server for a successful installation. You can set the service statuses in the Admin Web Portal or the ApAdmin database if database access through MS SQL Studio is available.

After you install and test the services on the primary active server, you must set the services on the same active server to inactive to properly install the services on the secondary server.

To change the status of services in the Admin Web Portal:
  1. Log into the Admin Web Portal. The FQDN to the admin portal is <Assist FQDN>/AdminWebPortal.
  2. Select Click to Default Service Configuration and then select Click here to view Service Configuration at the top left of the page.

    Notice the SERVER NAME field and the STATUS field. The Server Name field indicates the server hostname of the primary server where you installed the Assist software. The Status field shows the Active status.

    The Admin Web Portal shows the Server Names and Status of the services.
To set the services to inactive on the primary server:
  1. Select the pencil icon corresponding to the server under the Options column. A window displays.
  2. Select the Status drop-down menu and then select In-active.
  3. Select the Update button to set the status of the service to inactive. The services are now marked as in-active.

    Change the status of the other services for the server with the same server name.

You can also run multiple SQL statements to set the status of the services on the primary server to inactive.

  1. Open the SQL Management Studio on the database server where the Assist databases are located. Execute the following query on the ApAdmin database to get the server id:
    select * from apadmin.dbo.Server

    This query returns the server names (hostnames) and ids that were deployed when the Assist software installation ran on the primary server.

  2. Use the id of the server and execute the following SQL statement. This sets all the services on server 1 to inactive.
    update ApAdmin.dbo.Services
    set Active = 0
    where ServerId = 1

Install Assist in an environment with two All-in-one Single Servers

To install Workspace ONE Assist in an environment with two all-in-one single servers, first install Assist on the primary server, copy the install.config file from the primary server to the secondary server, and then install Assist on the secondary server.

The install.config is located in the Workspace ONE Assist temporary installation directory where the installer is placed.

  1. Download, extract, and save the Workspace ONE Assist installer into a temporary directory on the Workspace ONE Assist server. You can download the installer from the repository at https://my.workspaceone.com.
  2. Right-click the installer file and select Run as administrator.
  3. On the Welcome screen, select Next.
  4. Select the installation directory for Assist, for example C:\Program Files\VMware\WorkspaceOneAssist, and click Install.
  5. Select Standard Installation (Basic) and click Next. Select the check box for Secure Internal Service Communication. Enter a secured password to protect the certificate that is generated for Assist internal services and enter the internal service port (for example 8446, 8083, and so on). Click Next.
  6. Select Connect to Existing SQL Server and enter the required parameters.
    Setting | Description
    SQL server name | Define the SQL Server instance running on the server either as an IP address or a connection string.
    Authentication | Select either Windows authentication to authenticate to SQL Server as current Windows user OR select SQL Server Authentication to select a SQL server account, such as SA.
    User name | If SQL Server Authentication was used, type in the user name that is used to authenticate against the SQL server.
    Password | Type in the password for the user name selected.
  7. Select the …More button and enter the credentials of Assist DB system accounts. These DB accounts are created when Assist is installed and are used by Assist to authenticate against the database server.
    Setting | Description
    DB Owner Username/Password, DB Application Username/Password | Enter the database account credentials to access and maintain SQL databases. By default, the usernames are apadminuser and apdbuser. Specify passwords for these accounts. Do not use the following special characters in passwords: ampersand (&), less than (<), greater than (>), single quote ('), double quotes ("), semicolon (;).
    MDF Path, LDF Path, NDF Path | Enter the directories on the SQL server where you want to store the MDF, LDF, and NDF database files. By default, the Assist database files are stored where the SQL server keeps the SQL system databases.
  8. Click Save and then click Next to proceed.
  9. In the Tenant FQDN text box, type in the FQDN for the Assist system.

    A Fully Qualified Domain Name is the complete domain name for a specific computer, or host, on the Internet. It consists of two parts: the host and the domain. For example, myhost.thedomain.edu.

  10. In the SSL Certificate text box, select the folder button or the pull-down arrow to select the SSL certificate for the Workspace ONE Assist system that corresponds to the FQDN.

    The certificate is installed in the local system personal certificate store.

  11. Select the certificate and then select OK. You may also click the View Certificate button to verify that the certificate is valid, and it is the correct certificate to be used for the Assist FQDN. Click OK to proceed.
  12. Deselect the Apply Default T10 Certificate check box. Click the folder icon next to the T10 certificate and browse for the T10 certificate that was generated and seeded in the Workspace ONE UEM database.

    This certificate is in the folder where the installer file was downloaded and moved to the …\RemoteManagementCertificateGenerator 22.03 > RemoteManagementCertificateGenerator > Artifacts folder. Browse to this folder and select the certificate.

  13. Click the Open button. The FQDN, the SSL certificate corresponding to the FQDN, and the T10 certificate that corresponds to the UEM Console are displayed. The enrollment certificate should remain untouched.
  14. Click the More… button to select additional settings for the Workspace ONE Assist system. Verify the parameters.
    Settings Description
    HTTPS Port Defines the HTTPS port used by portal services for access from outside the network. By default, port 443 is selected. If port 443 is already being used in your environment for another purpose, then you can use a different port, such as 7443.
    IIS Site Binding IP address Defines from which interfaces/IP addresses portal services can be reached. By default, the setting is ‘All Unassigned’ to activate all interfaces/IPs.
    Internal Service HTTP(s) Port Defines the internal secure service communication port.
    SSL Enable Activates SSL/TLS protocol for portal services. By default, this check box is selected so that the portal services use SSL/TLS. Leave this check box selected.
    T10 user name and Auto Generated Defines T10 API user for connectivity between AirWatch portal and Workspace ONE Assist system. By default, if ‘Auto Generated’ check box is selected the installer assigns a random user name to be created locally on the server. Leave this text box defaulted and the check box selected for the Installer to create the T10 API user. If you want to define the user, deselect the check box and type in the T10 user name you want to use.
    Service Username/Password Defines the internal service username and password for Assist Services.
    CP FQDN/Port Defines the FQDN and port on which CP services can be reached. Enter in the FQDN, which must be the same as the FQDN assigned for portal services. It should match on an all-in-one single server deployment.

    Enter port 8443, which is the default port for CP services. If port 8443 cannot be used, you can enter any other port. Be sure that network/security teams use this assigned port when assigning translation rules from the firewall/router to the RM Server for CP services.

    Culture Context Defines the languages such as French, Spanish, and so on. For example, Italian would be IT.
  15. Click Save to continue. You are taken to the previous screen.
  16. Click Next to continue.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays. Any missing installation parameters are indicated in the report.

  17. If any of the prerequisites are missing and the check fails, do NOT select Install.
    1. Select Detailed Report link to see which prerequisites are missing.
    2. To install missing prerequisite components, select the Install Components link. The installer installs the missing components.

      You might need to reboot the server after the prerequisites are installed.

    3. After the reboot, relaunch the installer.

      The installer pre-populates with your previous selections.

  18. If the initial prerequisite check comes back with all components passing, select Install.

    Once the Install button is selected, the installation process begins.

    The installer first installs the database and then proceeds to install Core, Portal, Application, and CP Services.

    Note: Database execution might take an extended period.
  19. When the installation finishes, select Next to continue.
  20. When prompted to run the Resource Pack that loads all available device profiles onto the Workspace ONE Assist system, leave the Execute Resource pack check box selected and then select the Finish button.

    By default, the Resource Pack utility imports all device profiles by using a command-line window. After Resource Pack utility completes, the command-line window closes. For information about importing device profiles, see Import Device Profiles with Resource Pack Utility.

    To install the secondary server, copy the install.config file from the primary server to the corresponding location on the secondary server. The install.config file must be in the same temporary folder where the installation executable file is, typically C:\Temp\WorkspaceONE Assist Installer.

    After you copy the file, use the installation procedure to mark the services on the primary server inactive. Then, shut down the primary server and make the appropriate changes on the load balancer, after which you can install the Assist services on the secondary server.

    To know how to set the status of the services on the active and passive server, see Switching Assist Services from Active to Inactive.

    Next, proceed to Configure Workspace ONE UEM Console with Assist On-Premises.
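
Steps 10 and 11 above select an SSL certificate from the local system personal certificate store and ask you to confirm that it is valid and matches the Assist FQDN. The following PowerShell is an added example, not part of the VMware installer or documentation, that performs that check before you open the installer and generalizes it to several FQDNs on one SAN certificate. The function names and the 30-day expiry margin are assumptions; the FQDNs are the sample names used on this page.

```powershell
# Added example, not VMware code. Reads Cert:\LocalMachine\My only; changes nothing.

function Test-NameMatch {
    param([string]$Pattern, [string]$Fqdn)
    if ($Pattern -eq $Fqdn) { return $true }          # -eq on strings is case-insensitive
    if ($Pattern.StartsWith('*.')) {
        # A wildcard stands for exactly one left-most label.
        $suffix = $Pattern.Substring(1)               # "*.example.com" -> ".example.com"
        if ($Fqdn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
            $left = $Fqdn.Substring(0, $Fqdn.Length - $suffix.Length)
            return ($left.Length -gt 0 -and -not $left.Contains('.'))
        }
    }
    return $false
}

function Get-AssistCertificateReport {
    param(
        [Parameter(Mandatory)][string[]]$Fqdn,   # every name the certificate must cover
        [int]$MinDaysValid = 30                  # assumed renewal margin; adjust to your policy
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'         # id-kp-serverAuth
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # DnsNameList is added by the PowerShell certificate provider and holds
        # the DNS names the certificate carries.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $covered = @(foreach ($name in $Fqdn) {
            foreach ($pattern in $names) {
                if (Test-NameMatch -Pattern $pattern -Fqdn $name) { $name; break }
            }
        })
        if ($covered.Count -eq 0) { continue }   # certificate is unrelated to these FQDNs
        $missing = @($Fqdn | Where-Object { $covered -notcontains $_ })

        # No EKU extension means the certificate is not restricted to particular usages.
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        $serverAuth = (-not $eku) -or
            (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid)

        $daysLeft   = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        $chainValid = $cert.Verify()             # builds the chain with the default policy

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            CoveredFqdns  = $covered -join ', '
            MissingFqdns  = $missing -join ', '
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = $serverAuth
            DaysLeft      = $daysLeft
            ChainValid    = $chainValid
            Usable        = ($missing.Count -eq 0 -and $cert.HasPrivateKey -and $serverAuth -and
                             $now -ge $cert.NotBefore -and $daysLeft -ge $MinDaysValid -and $chainValid)
        }
    }
}

# Sample FQDNs taken from this page; replace them with the names of your deployment.
Get-AssistCertificateReport -Fqdn 'rmstage01.awmdm.com', 'rmstage02.awmdm.com' | Format-List
```

A certificate that lists an FQDN under MissingFqdns, or shows HasPrivateKey as False, is not suitable for a server that terminates TLS under that name.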

Medium Server (Advanced/Custom) Installation of Workspace ONE Assist

The Advanced (Custom) method of installing the Workspace ONE Assist server for on-premises environments is a multiple phase process.
Figure 3. Medium Server Installation
Installation method having two servers, one is the Core, Application, Portal (CAP) server and the other Connection Proctor (CP) server.

The advanced installation method involves the use of two servers for Assist services. One server is the CAP server where Core, Application, and Portal components are installed. The second server is the CP Server where the Connection Proctor services are installed. Assist databases are deployed on the database server.

The services on both servers perform service discovery. The service discovery may be done using an IP address of the CAP server or DNS entries that point to the CAP server. Use of DNS Server is OPTIONAL.
Note: A DNS forward lookup zone and respective records must be set up for using the DNS for service discovery.
Prerequisites:
  • Execute the RemoteManagementCertificateGenerator utility, generate a T10 certificate, and run the certificate seeding script on the Workspace ONE UEM database.

  • Procure and install an SSL/TLS certificate that matches with the FQDN assigned to the Assist system. This certificate must be installed on both the CAP and CP servers.

  • Install IIS components on the CAP server and upgrade .NET Framework to version 4.7.2 on both the CAP and the CP servers.

Install Workspace ONE Assist services on the Core, Application, and Portal (CAP) Server

Perform the following steps to install Workspace ONE Assist services on the Core, Application, and Portal (CAP) Server.

  1. On the CAP server, execute the Workspace ONE Assist installer from the temporary directory and click Next. You can download the installer from the repository at https://my.workspaceone.com.
  2. Select the installation directory for the Assist software and click Install.
  3. Select Advanced Installation (Custom). Select the check box for Secure Internal Service Communication. Enter a secured password to help protect the certificate that is generated for Assist internal services and enter the internal service port (for example 8446, 8083, and so on). Click Next.
  4. Select the components that must be installed on the server and click Next.
    • Database
    • Core Services
    • Portal Services
    • Application Services
  5. Configure the database settings. Select Connect to Existing SQL Server and complete the following settings.
    Settings Description
    SQL Server Name Define the SQL Server instance running on the server (such as \\SQLEXPRESS, (local), and so on).
    Authentication Select the database account authentication. The authentication can be either Windows Authentication or SQL Authentication.

    Select either Windows Authentication to authenticate to SQL Server as current Windows user OR select SQL Server Authentication to select a SQL server account, such as SA.

    User name If SQL Server Authentication was used, type in the username that is used to authenticate against the SQL server.
    Password Enter the password of the database account.
    Note: When making user names and passwords, do not use the following special characters:
    • Ampersand - &
    • Less Than - <
    • Greater Than - >
    • Single Quote - '
    • Double Quotes - "
    • Semicolon - ;
  6. Click the ...More button to complete the Database Advanced Settings.
    Settings Description
    DB Owner User name/ Password

    Set the user name and password for the Workspace ONE Assist database owner SQL account. This account does not have system-wide permissions. The account only has permissions within the Workspace ONE Assist databases.

    This user name is apadminuser.

    DB Application User name/ Password

    Set the user name and password for the Workspace ONE Assist database application account.

    This user name is apdbuser.

    MDF Path

    LDF Path

    NDF Path

    Enter the directories on the SQL server where you want to store the MDF, LDF, and NDF database files. By default, the Assist database files are stored where the SQL server keeps the SQL system databases.

  7. Click Save and then click Next.
  8. Configure the Core settings.
    Settings Description
    SQL Server Name The name, IP address, or connection string configured for the database server.
    Service Discovery Configuration The IP Address and Port for the database server. You also have the option to switch to Forward Lookup Zone by choosing another configuration.
  9. Click ...More to configure the CoreAdvancedExtn settings.
    Settings Description
    DB Application User name/ Password

    Enter the user name and password for the Workspace ONE Assist database application account.

    The user name is apdbuser.

    HTTP Port Enter the internal HTTP port used by the core services. The HTTP port indicates the port number you entered in instruction 3.
    Culture Context Define the language (for example, for Italy, use IT). By default, Culture Context is blank and uses US.
  10. Click Save and then click Next to configure the Portal settings.
    Settings Description
    Tenant FQDN Enter the server fully qualified domain name. For example, "rmstage01.awmdm.com"
    SSL Certificate

    Select the folder icon and browse for the SSL Certificate already installed. For details, see Install an SSL Certificate.

    SQL Server Name Enter the database server hostname that you have already configured.
    Apply Default Enrollment Certificate If required, select a different Enrollment Certificate provided by the Assist support team.
    Apply Default T10 Certificate Deselect this check box and select the folder button to browse for and load the T10 certificate.
  11. Select the ...More button and complete the Custom Portal Advanced Settings.
    Important: If you are using port numbers other than the defaults referenced in Network and Security Requirements, you must enter these non-default port numbers here.
    Settings Description
    DB Application User name/ Password

    Enter the user name and password for the Workspace ONE Assist database application account.

    The user name is apdbuser.

    HTTP Port Enter the internal HTTP port used by portal services. The default is 80.
    IIS Site Binding IP Address Defines from which interfaces/IP addresses portal services can be reached. By default, the setting is ‘All Unassigned’ to activate all interfaces/IPs.
    HTTPS Port Enter the HTTPS port number. The default is 443.
    SSL Enable Activates SSL/TLS protocol for portal services. By default, this check box is selected so that the portal services use SSL/TLS. Leave this check box selected.

    T10 user name And Auto Generated

    Defines T10 API user for connectivity between AirWatch portal and Workspace ONE Assist system. By default, if ‘Auto Generated’ check box is selected, the installer assigns a random user name to be created locally on the server. Leave this text box defaulted and the check box selected for the Installer to create the T10 API user. If you want to define the user, deselect the check box and type in the T10 user name you want to use.
  12. Click Save and then click Next.
  13. Review your selections at the Selected Components screen.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays. Any missing installation parameters are indicated in the report.

  14. If any of the prerequisites are missing and the check fails, do not select Install.
    1. Select Detailed Report link to see which prerequisites are missing.
    2. To install missing prerequisite components, select the Install Components link. The installer installs the missing components.

      You might need to reboot the server after the prerequisites are installed.

    3. After the reboot, relaunch the installer.

      The installer pre-populates with your previous selections.

  15. If the initial prerequisite check comes back with all components passing, select Install.

    Once the Install button is selected, the installation process begins.

    The installer first installs the database and then proceeds to install Core, Portal, and Application services.

    Note: Database execution might take an extended period.
  16. Click Next after the installation completes.
  17. Ensure that the check box Execute Resource Pack is selected and select the Finish button.

    The Assist installation is complete on the CAP server. However, the resource pack must run in the background. Do not close the command line window. The command line window closes automatically when the resource pack execution is complete.

Install Workspace ONE Assist services on the Connection Proctor (CP) Server

After you have installed the Core, Application, and Portal (CAP) services on the CAP server, proceed to install the Connection Proctor (CP) services on the CP server.
  1. On the Connection Proctor (CP) server, execute the Workspace ONE Assist installer from the temporary directory and click Next.
  2. Select the installation directory for the Assist software and click Install.
  3. Select Advanced Installation (Custom). Select the check box for Secure Internal Service Communication. Enter a secured password to protect the certificate that is generated for Assist internal services and enter the internal service port (for example 8446, 8083, and so on). Click Next.
  4. Select Connection Proctor component for installation on the server and click Next.
  5. Configure the Connection Proctor settings.
    Settings Description
    Connection Proctor FQDN Defines the Fully Qualified Domain Name (FQDN) on which CP services can be reached. Enter in the FQDN, which must be the same as the FQDN assigned for portal services.

    Port

    Enter the port number for CP services. The default is 443 in multiple server environments but you can enter your preferred port number.

    Whatever port you select, ensure that network/security teams use this port when assigning translation rules from the firewall/router to the Server for CP services.

    SSL Certificate

    Select the folder icon and browse for the SSL Certificate already installed. For details, see Install an SSL Certificate.

    You may also click View Certificate to verify if the selected certificate is the one you want to use for the CP server.

    SAN (subject alternative name) certificates are supported. The implementation of SAN certificates depends upon your server arrangement.

    • The SAN certificate must have an FQDN defined for each connection proctor server and Workspace ONE Assist server.
      • For example, presume you have 2 connection proctor servers and 2 Workspace ONE Assist servers. The 2 Workspace ONE Assist servers host portal services, which require TLS/SSL traffic terminated at the load balancer. The FQDN for the SAN certificate must reflect the fully qualified domain name, for instance, "rmstage01.awmdm.com".
      • Meanwhile, for each of the 2 CP servers, TLS/SSL traffic terminates at the connection proctor, and therefore, you must have 2 FQDNs defined in the SAN certificate, for instance, "rmstage01.awmdm.com" and "rmstage02.awmdm.com".

    SQL Server Name

    Enter the database server hostname from the previous step.
    Apply Default Enrollment Certificate If required, select a different Enrollment Certificate provided by the Assist support team.
  6. Select the ...More button and complete the Custom Connection Proctor Advanced settings.
    Important: If you are using port numbers other than the defaults referenced in Network and Security Requirements, you must enter these non-default port numbers here.
    Settings Description

    DB Application User name / Password

    Enter the user name and password for the Workspace ONE Assist database application account.

    The user name is apdbuser.

    CP Internal IP Address/Port

    Defines from which internal IP addresses the connection proctor can be reached. By default, the setting is ‘All Unassigned’ to allow all addresses.

    Enter the port number for the Connection Proctor component. The default is 8443 but you can enter your preferred port number.

    Forward Lookup Zone

    Under the CP Internal IP Address/Port drop-down menu, select this check box and enter your forward lookup zone here. You can also enter a custom lookup zone.

    The Forward Lookup Zone setting is optional in a multi-server environment.

  7. Click Save and then click Next.
  8. At the Selected Components screen, review your selections. Once you have verified your configuration, select Install.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays. Any missing installation parameters are indicated in the report. If the report indicates any missing parameters, see step 14 and step 15 of the Install Workspace ONE Assist services on the Core, Application, and Portal (CAP) Server procedure.

    DNS Configuration

    The service discovery of core services on the CAP server can be performed using the DNS parameters that point to the CAP server. The DNS parameters such as the zone, host records, and service records must be configured for this purpose.

    Listed are the values for the DNS parameters.

    Forward Lookup Zone
    • Zone Name: controlplane.aetherpal.internal
    Host Record
    • Name: Admin
    • FQDN: admin.controlplane.aetherpal.internal
    • IP Address: <IP address of the CAP server>
    Service Record

    SVC (Service Coordinator)
    • Record type: SRV
    • Domain: controlplane.aetherpal.internal
    • Service: _svc
    • Protocol: _tcp
    • Priority: 0
    • Weight: 0
    • Port number: 8870
    • Host Offering this service: admin.controlplane.aetherpal.internal
    DTP (Data Tier Proxy)
    • Record type: SRV
    • Domain: controlplane.aetherpal.internal
    • Service: _dtp
    • Protocol: _tcp
    • Priority: 0
    • Weight: 0
    • Port number: 8865
    • Host Offering this service: admin.controlplane.aetherpal.internal

    Proceed to Configure Workspace ONE UEM Console with Assist On-Premises.
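
The DNS Configuration values listed above can be created and then verified from PowerShell on a Windows DNS server. This is an added example, not part of the VMware documentation or installer; it assumes the DnsServer module is available, uses a file-backed zone, and uses 192.0.2.10 as a placeholder for the IP address of the CAP server. The function names are hypothetical.

```powershell
# Added example, not VMware code. Run elevated on the Windows DNS server that hosts the zone.
Import-Module DnsServer

$Zone        = 'controlplane.aetherpal.internal'  # zone name from this page
$HostLabel   = 'admin'                            # host record "Admin" (DNS names are case-insensitive)
$CapServerIp = '192.0.2.10'                       # PLACEHOLDER: IP address of the CAP server
$Services    = @(
    @{ Label = '_svc._tcp'; Port = 8870 },        # SVC (Service Coordinator)
    @{ Label = '_dtp._tcp'; Port = 8865 }         # DTP (Data Tier Proxy)
)
$HostFqdn = "$HostLabel.$Zone"

function Set-AssistDiscoveryRecords {
    # Idempotent: each object is created only if it does not exist yet.
    if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
        # Dynamic updates are switched off so that no host can register or overwrite
        # the discovery records. For an AD-integrated zone, use -ReplicationScope
        # instead of -ZoneFile.
        Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None
    }
    if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostLabel -RRType A `
                -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $HostLabel -IPv4Address $CapServerIp
    }
    foreach ($svc in $Services) {
        if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $svc.Label -RRType Srv `
                    -ErrorAction SilentlyContinue)) {
            Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name $svc.Label `
                -DomainName $HostFqdn -Priority 0 -Weight 0 -Port $svc.Port
        }
    }
}

function Test-AssistDiscoveryRecords {
    param([string]$DnsServer = 'localhost')
    # The host record is the same for both services, so resolve it once.
    $addr = @(Resolve-DnsName -Name $HostFqdn -Type A -Server $DnsServer -DnsOnly `
                -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    foreach ($svc in $Services) {
        $query = "$($svc.Label).$Zone"
        $srv = @(Resolve-DnsName -Name $query -Type SRV -Server $DnsServer -DnsOnly `
                    -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'SRV' })
        [pscustomobject]@{
            Query     = $query
            # Exactly one SRV record is expected; an extra target would send
            # service discovery to a host other than the CAP server.
            SrvCount  = $srv.Count
            TargetOk  = ($srv.Count -eq 1 -and $srv[0].NameTarget.TrimEnd('.') -eq $HostFqdn)
            PortOk    = ($srv.Count -eq 1 -and $srv[0].Port -eq $svc.Port)
            AddressOk = ($addr.Count -eq 1 -and $addr[0] -eq $CapServerIp)
            # True only once the Assist core services are installed and listening.
            PortOpen  = Test-NetConnection -ComputerName $CapServerIp -Port $svc.Port `
                            -InformationLevel Quiet
        }
    }
}

Set-AssistDiscoveryRecords
Test-AssistDiscoveryRecords | Format-Table -AutoSize
```

Run Test-AssistDiscoveryRecords again from the CP server with -DnsServer set to the DNS server's address to confirm that the CP server resolves the same records.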

Medium Server High Availability (HA) Deployment

This deployment model describes High Availability Assist installation with two redundant independent environments or control planes.

In this deployment model, there are two servers in each control plane environment for Assist services. The two servers in each environment are CAP server, where Core, Application, and Portal components are installed, and the CP server, where Connection Proctor services are installed.
Figure 4. Medium Server High Availability (HA) Installation
Installation method with two servers in two control planes.

Assist databases are deployed on the database server that is shared amongst the two control plane environments. When the Assist application is functioning, the user and device session are handled entirely by either control plane environment. So, if the Workspace ONE console admin establishes a user session to the CAP server 1 on control plane 1 through the load balancer, CP 1 handles the device sessions. If the Workspace ONE console admin establishes the connection to CAP server 2 on control plane 2, CP 2 handles the device session.

In each environment, the services on both servers perform service discovery. This discovery can be done using an IP address of the CAP server or DNS entries that point to the CAP server. The use of DNS Server is OPTIONAL.

Note: If you use DNS for service discovery, you must set up a DNS forward lookup zone and respective records. To know how to configure DNS, see DNS Configuration.

Prerequisites:
  • On one of the CAP servers, execute the RemoteManagementCertificateGenerator utility, generate a T10 certificate, and run the certificate seeding script on the Workspace ONE UEM database.

  • Procure and install an SSL/TLS certificate that matches with the FQDN assigned to the Assist system. This certificate must be installed on all the CAP and CP servers on both control planes.

  • Install IIS components on CAP servers in both environments and upgrade .NET Framework to version 4.7.2 on all the CAP and CP servers.

After you have the pre-requisites in place, begin the installation steps on the first control plane environment. Install the CAP server first, followed by the CP server. After installing the CAP server and CP server on the primary control plane environment, test the environment to ensure the Assist application is functioning correctly. After testing, proceed to install Assist on the second control plane environment, installing the CAP server first, followed by the CP server.

Install Workspace ONE Assist services on the Core, Application, and Portal (CAP) Server

Perform the following steps to install Workspace ONE Assist services on the Core, Application, and Portal (CAP) Server.

  1. On the CAP server, execute the Workspace ONE Assist installer from the temporary directory and click Next. You can download the installer from the repository at https://my.workspaceone.com.
  2. Select the installation directory for the Assist software and click Install.
  3. Select Advanced Installation (Custom). Select the check box for Secure Internal Service Communication. Enter a secured password to protect the certificate that is generated for Assist internal services and enter the internal service port (for example 8446, 8083, and so on). Click Next.
  4. Select the components that must be installed on the server and click Next.
    • Database
    • Core Services
    • Portal Services
    • Application Services
  5. Configure the database settings. Select Connect to Existing SQL Server and complete the following settings.
    Settings Description
    SQL Server Name Enter the SQL instance name, IP address, or connection string.
    Authentication Select the database account authentication. The authentication can be either Windows Authentication or SQL Authentication.
    User name Enter the user name of the database account. This user name is used by the installer to create all the databases required to install Workspace ONE Assist.
    Password Enter the password of the database account.
    Note: When making user names and passwords, do not use the following special characters:
    • Ampersand - &
    • Less Than - <
    • Greater Than - >
    • Single Quote - '
    • Double Quotes - "
    • Semicolon - ;
  6. Click the ...More button to complete the Database Advanced Settings.
    Settings Description
    DB Owner User name/ Password

    Set the user name and password for the Workspace ONE Assist database owner SQL account. This account does not have system-wide permissions. The account only has permissions within the Workspace ONE Assist databases.

    This user name is apadminuser.

    DB Application User name/ Password

    Set the user name and password for the Workspace ONE Assist database application account.

    This user name is apdbuser.

    MDF Path Enter the path of the primary data file (MDF).
    LDF Path Enter the path of the transaction log file (LDF).
    NDF Path Enter the path of the secondary data file (NDF).
  7. Click Save and then click Next.
  8. Configure the Core settings.
    Settings Description
    SQL Server Name The name, IP address, or connection string configured for the database server.
    Service Discovery Configuration The IP Address and Port for the database server. You also have the option to switch to Forward Lookup Zone by choosing another configuration, typically controlplane.internal.
  9. Click ...More to configure the CoreAdvancedExtn settings.
    Settings Description
    DB Application User name/ Password

    Enter the user name and password for the Workspace ONE Assist database application account.

    The user name is apdbuser.

    HTTP Port Enter the internal HTTP port used by the core services. The default is 80 but you can enter an alternate port number, such as 8080.
  10. Click Save and then click Next to configure the Portal settings.
    Settings Description
    Tenant FQDN Enter the server fully qualified domain name. For example, "rmstage01.awmdm.com"
    SSL Certificate

    Select the folder icon and browse for the SSL Certificate already installed. For details, see Install an SSL Certificate.

    SQL Server Name Enter the database server hostname that you have already configured.
    Apply Default Enrollment Certificate If required, select a different Enrollment Certificate provided by the Assist support team.
    Apply Default T10 Certificate Deselect this check box and select the folder button to browse for and load the T10 certificate. This certificate is in the folder where the installer file was downloaded and moved to in the …\RemoteManagementCertificateGenerator 22.03\RemoteManagementCertificateGenerator\Artifacts folder.
  11. Select the ...More button and complete the Custom Portal Advanced Settings.
    Important: If you are using port numbers other than the defaults referenced in Network and Security Requirements, you must enter these non-default port numbers here.
    Settings Description
    DB Application User name/ Password

    Enter the user name and password for the Workspace ONE Assist database application account.

    The user name is apdbuser.

    HTTP Port Enter the internal HTTP port used by portal services. The default is 80.
    IIS Site Binding IP Address Defines from which interfaces/IP addresses portal services can be reached. By default, the setting is ‘All Unassigned’ to activate all interfaces/IPs.
    HTTPS Port Enter the HTTPS port number. The default is 443.
    SSL Enable Activates SSL/TLS protocol for portal services. By default, this check box is selected so that the portal services use SSL/TLS. Leave this check box selected.

    T10 user name And Auto Generated

    Defines T10 API user for connectivity between AirWatch portal and Workspace ONE Assist system. By default, if ‘Auto Generated’ check box is selected, the installer assigns a random user name to be created locally on the server. Leave this text box defaulted and the check box selected for the Installer to create the T10 API user. If you want to define the user, deselect the check box and type in the T10 user name you want to use.
  12. Click Save and then click Next.
  13. Review your selections at the Selected Components screen.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays. Any missing installation parameters are indicated in the report.

  14. If any of the prerequisites are missing and the check fails, do not select Install.
    1. Select Detailed Report link to see which prerequisites are missing.
    2. To install missing prerequisite components, select the Install Components link. The installer installs the missing components.

      You might need to reboot the server after the prerequisites are installed.

    3. After the reboot, relaunch the installer.

      The installer pre-populates with your previous selections.

  15. If the initial prerequisite check comes back with all components passing, select Install.

    Once the Install button is selected, the installation process begins.

    The installer first installs the database and then proceeds to install Core, Portal, and Application services.

    Note: Database execution might take an extended period.
  16. Click Next after the installation completes.
  17. Ensure that the check box Execute Resource Pack is selected and select the Finish button.

    The Assist installation is complete on the CAP server. However, the resource pack must run in the background. Do not close the command line window. The command line window closes automatically when the resource pack execution is complete.

Install Workspace ONE Assist services on the Connection Proctor (CP) Server

After you have installed the Core, Application, and Portal (CAP) services on the CAP server, proceed to install the Connection Proctor (CP) services on the CP server.
  1. On the Connection Proctor (CP) server, execute the Workspace ONE Assist installer from the temporary directory and click Next.
  2. Select the installation directory for the Assist software and click Install.
  3. Select Advanced Installation (Custom). Select the check box for Secure Internal Service Communication. Enter a secured password to protect the certificate that is generated for Assist internal services and enter the internal service port (for example 8446, 8083, and so on). Click Next.
  4. Select Connection Proctor component for installation on the server and click Next.
  5. Configure the Connection Proctor settings.
    Settings Description
    Connection Proctor FQDN Defines the Fully Qualified Domain Name (FQDN) on which CP services can be reached. Enter in the FQDN, which must be the same as the FQDN assigned for portal services.

    Port

    Enter the port number for CP services. The default is 443 in multiple server environments but you can enter your preferred port number.

    Whatever port you select, ensure that network/security teams use this port when assigning translation rules from the firewall/router to the Server for CP services.

    SSL Certificate

    Select the folder icon and browse for the SSL Certificate already installed. For details, see Install an SSL Certificate.

    You may also click View Certificate to verify if the selected certificate is the one you want to use for the CP server.

    SAN (subject alternative name) certificates are supported. The implementation of SAN certificates depends upon your server arrangement.

    • The SAN certificate must have an FQDN defined for each connection proctor server and Workspace ONE Assist server.
      • For example, presume you have 2 connection proctor servers and 2 Workspace ONE Assist servers. The 2 Workspace ONE Assist servers host portal services, which require TLS/SSL traffic terminated at the load balancer. The FQDN for the SAN certificate must reflect the fully qualified domain name, for instance, "rmstage01.awmdm.com".
      • Meanwhile, for each of the 2 CP servers, TLS/SSL traffic terminates at the connection proctor, and therefore, you must have 2 FQDNs defined in the SAN certificate, for instance, "rmstage01.awmdm.com" and "rmstage02.awmdm.com".

    SQL Server Name

    Enter the database server hostname from the previous step.
    Apply Default Enrollment Certificate If required, select a different Enrollment Certificate provided by the Assist support team.
  6. Select the ...More button and complete the Custom Connection Proctor Advanced settings.
    Important: If you are using port numbers other than the defaults referenced in Network and Security Requirements, you must enter these non-default port numbers here.
    Settings Description

    DB Application User name / Password

    Enter the user name and password for the Workspace ONE Assist database application account.

    The user name is apdbuser.

    CP Internal IP Address/Port

    Defines from which internal IP addresses the connection proctor can be reached. By default, the setting is ‘All Unassigned’ to allow all addresses.

    Enter the port number for the Connection Proctor component. The default is 8443 but you can enter your preferred port number.

    Forward Lookup Zone

    Under the CP Internal IP Address/Port drop-down menu, select this check box and enter your forward lookup zone here. You can also enter a custom lookup zone.

    The Forward Lookup Zone setting is optional in a multi-server environment.

    Culture Context Define the language (for example, for Italy, use IT). By default, Culture Context is blank and uses US.
  7. Click Save and then click Next.
  8. At the Selected Components screen, review your selections. Once you have verified your configuration, select Install.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays. Any missing installation parameters are indicated in the report. If the report indicates any missing parameters, see step 14 and step 15 of the Install Workspace ONE Assist services on the Core, Application, and Portal (CAP) Server procedure.

    DNS Configuration

    This section covers configuration of DNS parameters if DNS is used for service discovery of core services. The zone, host record, and service records all point to the CAP server.

    The following DNS parameters need to be defined, with the values listed:

    Forward Lookup Zone
    • Zone Name: controlplane1.internal
    Host Record
    • Name: Admin
    • FQDN: admin.controlplane1.internal
    • Address: <IP address of the CAP server>
    Service Record: SVC (Service Coordinator)
    • Record type: SRV
    • Domain: controlplane1.internal
    • Service: _svc
    • Protocol: _tcp
    • Priority: 0
    • Weight: 0
    • Port number: 8870
    • Host Offering this service: admin.controlplane1.internal
    Service Record: DTP (Data Tier Proxy)
    • Record type: SRV
    • Domain: controlplane1.internal
    • Service: _dtp
    • Protocol: _tcp
    • Priority: 0
    • Weight: 0
    • Port number: 8865
    • Host Offering this service: admin.controlplane1.internal

    Proceed to Configure Workspace ONE UEM Console with Assist On-Premises.

Multiple Server Installation of Workspace ONE Assist

The multiple server installation method installs Assist on multiple servers, for environments with a high number of enrollments and concurrent remote control sessions.
Figure 5. Multiple Server Installation
Installation method which uses two security zones, one public and the other private.

In this installation method, two security zones are utilized. One zone is the public/DMZ zone where public facing servers are deployed. These servers are the Portal server and Connection Proctor server. The other zone is the private zone where the core/application server is deployed. You must deploy the database in the private zone, so that the Core/Application server is able to easily communicate with it.

With this installation method, the services in the public zone on the portal and connection proctor servers can perform service discovery and communicate with the Core/Application server, which in turn communicates with the database. This discovery can be done using an IP address of the Core/Application server or the DNS entries that point to the Core/Application server. Use of DNS Server is OPTIONAL.

Note: If you are using DNS for service discovery, you must set up a DNS forward lookup zone and respective records.
Prerequisites:
  • Execute the RemoteManagementCertificateGenerator utility on one of the servers, generate a T10 certificate, and run the certificate seeding script on the Workspace ONE UEM database.

  • Procure and install an SSL/TLS certificate that matches with the FQDN assigned to the Assist system. This certificate must be installed on the Portal, Core/Application, and Connection Proctor servers.

  • Install IIS components on the Core/Application and Portal servers and upgrade .NET Framework to version 4.7.2 on all the servers.
  • If using DNS, set up the DNS entries prior to installation.

Install the Workspace ONE Assist services on the Core and Application Server

Perform the steps to install the Assist database on the database server and the core/application services on the Core and Application server.

  1. On the Core/Application server, execute the Workspace ONE Assist installer from the temporary directory and click Next. You can download the installer from the repository at https://my.workspaceone.com.
  2. Select the installation directory for the Assist software and click Install.
  3. Select Advanced Installation (Custom). Select the check box for Secure Internal Service Communication. Enter a secured password to protect the certificate that is generated for Assist internal services and enter the internal service port (for example 8446, 8083, and so on). Click Next.
  4. Select the components that must be installed on the server and click Next.
    • Database
    • Core Services
    • Application Services
  5. Configure the database settings. Select Connect to Existing SQL Server and complete the following settings.
    Settings Description
    SQL Server Name Enter the SQL instance name, IP address, or connection string.
    Authentication Select the database account authentication. The authentication can be either Windows Authentication or SQL Authentication.
    User name Enter the user name of the database account. This user name is used by the installer to create all the databases required to install Workspace ONE Assist.
    Password Enter the password of the database account.
    Note: When making user names and passwords, do not use the following special characters:
    • Ampersand - &
    • Less Than - <
    • Greater Than - >
    • Single Quote - '
    • Double Quotes - "
    • Semicolon - ;
  6. Click the ...More button to complete the Database Advanced Settings.
    Settings Description
    DB Owner User name/ Password

    Set the user name and password for the Workspace ONE Assist database owner SQL account. This account does not have system-wide permissions. The account only has permissions within the Workspace ONE Assist databases.

    This user name is apadminuser.

    DB Application User name/ Password

    Set the user name and password for the Workspace ONE Assist database application account.

    This user name is apdbuser.

    MDF Path Enter the path of the primary data file (MDF).
    LDF Path Enter the path of the transaction log file (LDF).
    NDF Path Enter the path of the secondary data file (NDF).
  7. Click Save and then click Next.
  8. Configure the Core settings.
    Settings Description
    SQL Server Name The name, IP address, or connection string configured for the database server.
    Service Discovery Configuration The IP Address and Port for the Core/Application server. You also have the option to switch to Forward Lookup Zone by choosing another configuration.
  9. Click ...More to configure the CoreAdvancedExtn settings.
    Settings Description
    DB Application User name/ Password

    Enter the user name and password for the Workspace ONE Assist database application account.

    The user name is apdbuser.

    HTTP Port Enter the internal HTTP port used by the core services. The default is 80 but you can enter an alternate port number, such as 8080.
  10. Click Save and then click Next.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays. Any missing installation parameters are indicated in the report.

  11. If any of the prerequisites are missing and the check fails, do not select Install.
    1. Select Detailed Report link to see which prerequisites are missing.
    2. To install missing prerequisite components, select the Install Components link. The installer installs the missing components.

      You might need to reboot the server after the prerequisites are installed.

    3. After the reboot, relaunch the installer.

      The installer pre-populates with your previous selections.

  12. If the initial prerequisite check comes back with all components passing, select Install.

    Once the Install button is selected, the installation process begins.

    The installer first installs the database on the database server and then proceeds to install Core and Application services on the Core/Application server.

    When the installer completes, proceed with the installation of Portal services on the Portal Server.

Install the Workspace ONE Assist portal services on the Portal Server

After you install the database and core/application services, perform the following steps to install the portal services on the Portal server.
  1. On the Portal server, execute the Workspace ONE Assist installer from the temporary directory and click Next.
  2. Select the installation directory for the Assist software and click Install.
  3. Select Advanced Installation (Custom). Select the check box for Secure Internal Service Communication. Enter a secured password to protect the certificate that is generated for Assist internal services and enter the internal service port (for example 8446, 8083, and so on). Click Next.
  4. Select Portal Services and click Next.
    Settings Description
    Tenant FQDN Enter the server fully qualified domain name. For example, "rmstage01.awmdm.com"
    SSL Certificate

    Select the folder icon and browse for the SSL Certificate already installed. For details, see Install an SSL Certificate.

    SQL Server Name Enter the database server hostname that you have already configured.
    Apply Default Enrollment Certificate If required, select a different Enrollment Certificate provided by the Assist support team.
    Apply Default T10 Certificate Deselect this check box and select the folder button to browse for and load the T10 certificate.
    Service Discovery Configuration The IP Address and Port of the Core/Application server. You also have the option to switch to Forward Lookup Zone by choosing another configuration.
  5. Select the ...More button and complete the advanced Portal parameters.
    Important: If you are using port numbers other than the defaults referenced in Network and Security Requirements, you must enter these non-default port numbers here.
    Settings Description
    DB Application User name/ Password

    Enter the user name and password for the Workspace ONE Assist database application account.

    The user name is apdbuser.

    HTTP Port Enter the internal HTTP port used by portal services. The default is 80 but you can enter an alternate port number, such as 8080.
    IIS Site Binding IP Address Defines from which interfaces/IP addresses portal services can be reached. By default, the setting is ‘All Unassigned’ to activate all interfaces/IPs.
    HTTPS Port Enter the HTTPS port number. The default is 443 but you can enter your preferred port number.
    SSL Enable Activates SSL/TLS protocol for portal services. By default, this check box is selected so that the portal services use SSL/TLS. Leave this check box selected.

    T10 user name And Auto Generated

    Defines the T10 API user for connectivity between the AirWatch portal and the Workspace ONE Assist system. By default, if the ‘Auto Generated’ check box is selected, the installer assigns a random user name to be created locally on the server. Leave this text box defaulted and the check box selected for the installer to create the T10 API user. If you want to define the user, deselect the check box and type in the T10 user name you want to use.
  6. Click Save and then click Next.
  7. At the Selected Components screen, review your selections. Once you have verified your configuration, select Install. The installer installs the Portal services.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays. Any missing installation parameters are indicated in the report. If the report indicates any missing parameters, see step 11 and step 12 of the Install Workspace ONE Assist services on the Core and Application Server procedure.

  8. Click Next after the installation completes.
  9. Ensure that the check box Execute Resource Pack is selected and select the Finish button.

    The Portal services installation is complete on the Portal server. However, the resource pack must run in the background. Do not close the command line window. The command line window closes automatically when the resource pack execution is complete.

    Proceed to install the Connection Proctor Service on the Connection Proctor server.

Install Workspace ONE Assist services on the Connection Proctor (CP) Server

After you have installed the Portal services on the Portal server, proceed to install the Connection Proctor (CP) services on the CP server.

  1. On the Connection Proctor (CP) server, execute the Workspace ONE Assist installer from the temporary directory and click Next.
  2. Select the installation directory for the Assist software and click Install.
  3. Select Advanced Installation (Custom). Select the check box for Secure Internal Service Communication. Enter a secured password to protect the certificate that is generated for Assist internal services and enter the internal service port (for example 8446, 8083, and so on). Click Next.
  4. Select Connection Proctor component for installation on the server and click Next.
  5. Configure the Connection Proctor settings.
    Settings Description
    Connection Proctor FQDN Defines the Fully Qualified Domain Name (FQDN) on which CP services can be reached. Enter the FQDN, which must be the same as the FQDN assigned for portal services.

    Port

    Enter the port number for CP services. The default is 443 in multiple server environments but you can enter your preferred port number.

    Whatever port you select, ensure that network/security teams use this port when assigning translation rules from the firewall/router to the Server for CP services.

    SSL Certificate

    Select the folder icon and browse for the SSL Certificate already installed. For details, see Install an SSL Certificate.

    You may also click View Certificate to verify if the selected certificate is the one you want to use for the CP server.

    SAN (subject alternative name) certificates are supported. The implementation of SAN certificates depends upon your server arrangement.

    • The SAN certificate must have an FQDN defined for each connection proctor server and Workspace ONE Assist server.
      • For example, presume you have 2 connection proctor servers and 2 Workspace ONE Assist servers. The 2 Workspace ONE Assist servers host portal services, which require TLS/SSL traffic terminated at the load balancer. The FQDN for the SAN certificate must reflect the fully qualified domain name, for instance, "rmstage01.awmdm.com".
      • Meanwhile, for each of the 2 CP servers, TLS/SSL traffic terminates at the connection proctor, and therefore, you must have 2 FQDNs defined in the SAN certificate, for instance, "rmstage01.awmdm.com" and "rmstage02.awmdm.com".

    SQL Server Name

    Enter the database server hostname.
    Service Discovery Configuration The IP Address and Port of the Core/Application server. You also have the option to switch to Forward Lookup Zone by choosing another configuration.
  6. Select the ...More button and complete the Custom Connection Proctor Advanced settings.
    Important: If you are using port numbers other than the defaults referenced in Network and Security Requirements, you must enter these non-default port numbers here.
    Settings Description

    DB Application User name / Password

    Enter the user name and password for the Workspace ONE Assist database application account.

    The user name is apdbuser.

    CP Internal IP Address/Port

    Defines from which internal IP addresses the connection proctor can be reached. By default, the setting is ‘All Unassigned’ to allow all addresses.

    Enter the port number for the Connection Proctor component. The default is 8443 but you can enter your preferred port number.

    Forward Lookup Zone

    Under the CP Internal IP Address/Port drop-down menu, select this check box and enter your forward lookup zone here. You can also enter a custom lookup zone.

    The Forward Lookup Zone setting is optional in a multi-server environment.

  7. Click Save and then click Next.
  8. At the Selected Components screen, review your selections. Once you have verified your configuration, select Install. The Connection Proctor services are installed on the CP server.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays. Any missing installation parameters are indicated in the report. If the report indicates any missing parameters, see step 11 and step 12 of the Install Workspace ONE Assist services on the Core and Application Server procedure.

    DNS Configuration

    This section covers configuration of DNS parameters if DNS is used for service discovery of core services. The zone, host record, and service records all point to the CAP server.

    The following DNS parameters need to be defined, with the values listed:

    Forward Lookup Zone
    • Zone Name: controlplane1.internal
    Host Record
    • Name: Admin
    • FQDN: admin.controlplane1.internal
    • Address: <IP address of the CAP server>
    Service Record: SVC (Service Coordinator)
    • Record type: SRV
    • Domain: controlplane1.internal
    • Service: _svc
    • Protocol: _tcp
    • Priority: 0
    • Weight: 0
    • Port number: 8870
    • Host Offering this service: admin.controlplane1.internal
    Service Record: DTP (Data Tier Proxy)
    • Record type: SRV
    • Domain: controlplane1.internal
    • Service: _dtp
    • Protocol: _tcp
    • Priority: 0
    • Weight: 0
    • Port number: 8865
    • Host Offering this service: admin.controlplane1.internal

    Proceed to Configure Workspace ONE UEM Console with Assist On-Premises.
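
The DNS Configuration values listed in the multiple server procedures can be created and checked on a Windows DNS server as follows. This is an added example, not part of the product documentation; it assumes the DnsServer PowerShell module, a file-backed zone with dynamic updates disabled, and a constructed placeholder address for the CAP server.

```powershell
# Added example: run elevated on the Windows DNS server that will host the internal zone.
$Zone        = 'controlplane1.internal'
$HostLabel   = 'admin'
$CapServerIp = '192.0.2.10'     # constructed placeholder; replace with the CAP server's IP
$Target      = "$HostLabel.$Zone"
$Services    = [ordered]@{ '_svc' = 8870; '_dtp' = 8865 }   # service label -> port, from the table

# Assumption: a file-backed primary zone whose records are maintained by hand.
# Dynamic updates are disabled so no host can re-register the discovery names.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None
}

# Host record: admin.controlplane1.internal -> CAP server
if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $HostLabel -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $HostLabel -IPv4Address $CapServerIp
}

# Service records: _svc._tcp and _dtp._tcp, priority 0, weight 0
foreach ($svc in $Services.GetEnumerator()) {
    $label = "$($svc.Key)._tcp"
    if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $label -RRType Srv -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name $label `
            -DomainName $Target -Priority 0 -Weight 0 -Port $svc.Value
    }
}

# Verification: resolve each SRV record and the host record, then compare the
# answers with the expected target, port, and CAP server address.
function Test-AssistServiceDiscovery {
    param([string]$DnsServer = 'localhost')

    $a = Resolve-DnsName -Name $Target -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }

    foreach ($svc in $Services.GetEnumerator()) {
        $query = "$($svc.Key)._tcp.$Zone"
        $rec = Resolve-DnsName -Name $query -Type SRV -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } |
               Select-Object -First 1

        [pscustomobject]@{
            Query   = $query
            Target  = if ($rec) { $rec.NameTarget } else { $null }
            Port    = if ($rec) { $rec.Port } else { $null }
            Address = ($a.IPAddress -join ',')
            Ok      = [bool]($rec -and
                             $rec.Port -eq $svc.Value -and
                             $rec.NameTarget.TrimEnd('.') -eq $Target -and
                             $a.IPAddress -contains $CapServerIp)
        }
    }
}

Test-AssistServiceDiscovery | Format-Table -AutoSize
```

Running `Test-AssistServiceDiscovery -DnsServer <address of the internal DNS server>` from the Portal and CP servers confirms that the public-zone servers resolve the same records before the installer is pointed at the forward lookup zone.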

Multiple Server High Availability (HA) Deployment

This deployment model describes High Availability Assist installation on multiple servers in a fully redundant environment with multiple availability and security zones.
Figure 6. Multiple Server High Availability Deployment
Installation method with two availability zones, with each availability zone having two security zones, public and private.

In this deployment, two availability zones mirror each other. In each availability zone, there are two security zones, public and private. The public zone consists of a Portal server that hosts portal services and a CP server that hosts the CP service. The private zone consists of a Core/Application server that has access to the database server. Assist databases are deployed on the database server that is shared between the two availability zones. The customer handles the database replication.

The Core/Application servers are load-balanced in HA multiple server deployments, just like the portal servers. The Assist application handles CP load balancing within the application itself.

Load Balancers are configured for session persistency so that once a session is established to utilize one availability zone, the session is entirely handled within that availability zone.

In each availability zone, all servers perform service discovery so that all the services on the CP, Portal, and Core/Application server may be able to resolve services on the core/application server itself. This discovery is done using an IP address of the core/application server or DNS entries that point to the core/application server. The use of a DNS Server is OPTIONAL.

Note: If you use DNS for service discovery, you must set up a DNS forward lookup zone and respective records. To know about the DNS parameters, see DNS Configuration.

Prerequisites:
  • Execute the RemoteManagementCertificateGenerator utility on one of the Portal servers, generate a T10 certificate, and run the certificate seeding script on the Workspace ONE UEM database.

  • Procure and install an SSL/TLS certificate that matches with the FQDN assigned to the Assist system. This certificate must be installed on the Portal, Core/Application, and Connection Proctor servers.

  • Install IIS components on the Core/Application and Portal servers and upgrade .NET Framework to version 4.7.2 on all the servers.
  • If using DNS, set up the DNS entries prior to installation.
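
Before running the installer, the certificate prerequisite above and the SAN requirement described in the Connection Proctor settings can be checked on each server. This is an added example, not part of the product documentation; it assumes the SSL/TLS certificate was imported into the Local Machine Personal store and uses the sample FQDNs from this guide.

```powershell
# Added example. Assumption: the certificate lives in Cert:\LocalMachine\My.
# The FQDNs are the sample names used in this guide; replace them with your own.
$RequiredFqdn = @('rmstage01.awmdm.com', 'rmstage02.awmdm.com')

function Test-SanNameMatch {
    param([string]$Pattern, [string]$Fqdn)
    $p = $Pattern.TrimEnd('.').ToLowerInvariant()
    $f = $Fqdn.TrimEnd('.').ToLowerInvariant()
    if ($p -eq $f) { return $true }
    # A wildcard covers exactly one left-most label: *.awmdm.com matches
    # rmstage01.awmdm.com, but not a.b.awmdm.com and not awmdm.com itself.
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)
        if ($f.EndsWith($suffix)) {
            $label = $f.Substring(0, $f.Length - $suffix.Length)
            return ($label.Length -gt 0 -and -not $label.Contains('.'))
        }
    }
    return $false
}

function Get-AssistCertificateCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $Fqdn,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # DnsNameList is filled in by the PowerShell certificate provider from the
        # certificate's DNS names; it may also include the subject common name.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode } | Where-Object { $_ })

        # Every required FQDN must be covered by at least one name on the certificate.
        $missing = @($Fqdn | Where-Object {
            $wanted = $_
            -not ($names | Where-Object { Test-SanNameMatch -Pattern $_ -Fqdn $wanted })
        })

        $validNow = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            ValidNow      = $validNow
            HasPrivateKey = $cert.HasPrivateKey   # needed where TLS terminates on this server
            MissingFqdn   = ($missing -join ', ')
            Usable        = ($missing.Count -eq 0) -and $validNow -and $cert.HasPrivateKey
        }
    }
}

Get-AssistCertificateCoverage -Fqdn $RequiredFqdn |
    Sort-Object Usable -Descending |
    Format-Table -AutoSize
```

A certificate that lists one of the names under MissingFqdn is the case the SAN guidance warns about: it installs without error but fails name validation on the CP server whose FQDN is absent.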

After you have the pre-requisites in place, begin the installation steps on the first availability zone. Install the Assist Database, Application, and Core services first, followed by the portal services, and finally the CP server. After installing the first availability zone, test the environment with UEM and after successful testing, install the same on the second availability zone.

Load Balancer

There are two load balancers in this deployment. One load balancer is in the DMZ/Public zone, and the second is in the Private zone.

Configure the load balancer in the public zone to allow all incoming traffic on port 443 destined to each Portal server and CP server on the same port 443, respectively. Session persistency is required so that once a UEM admin establishes a session to a portal server in Availability Zone A, the Availability Zone A must contain the session.

Configure the load balancer in the private zone to allow incoming traffic on ports 8865-8870, 20879, and 80/8080 to each Core/Application server on the same ports, respectively. Session persistency is required so that once a session is established to the core/application server in Availability Zone A, the Availability Zone A must contain the session.

Install the Workspace ONE Assist services on the Core and Application Server

Follow the procedure to install Assist databases on the database server and core/application services on the Core/Application server.

  1. On the CAP server, execute the Workspace ONE Assist installer from the temporary directory and click Next. You can download the installer from the repository at https://my.workspaceone.com.
  2. Select the installation directory for the Assist software and click Install.
  3. Select Advanced Installation (Custom). Select the check box for Secure Internal Service Communication. Enter a secured password to protect the certificate that is generated for Assist internal services and enter the internal service port (for example 8446, 8083, and so on). Click Next.
  4. Select the components that must be installed on the server and click Next.
    • Database
    • Core Services
    • Application Services
  5. Configure the database settings. Select Connect to Existing SQL Server and complete the following settings.
    Settings Description
    SQL Server Name Enter the SQL instance name, IP address, or connection string.
    Authentication Select the database account authentication. The authentication can be either Windows Authentication or SQL Authentication.
    User name Enter the user name of the database account. This user name is used by the installer to create all the databases required to install Workspace ONE Assist.
    Password Enter the password of the database account.
    Note: When making user names and passwords, do not use the following special characters:
    • Ampersand - &
    • Less Than - <
    • Greater Than - >
    • Single Quote - '
    • Double Quotes - "
    • Semicolon - ;
  6. Click the ...More button to complete the Database Advanced Settings.
    Settings Description
    DB Owner User name/ Password

    Set the user name and password for the Workspace ONE Assist database owner SQL account. This account does not have system-wide permissions. The account only has permissions within the Workspace ONE Assist databases.

    This user name is apadminuser.

    DB Application User name/ Password

    Set the user name and password for the Workspace ONE Assist database application account.

    This user name is apdbuser.

    MDF Path Enter the path of the primary data file (MDF).
    LDF Path Enter the path of the transaction log file (LDF).
    NDF Path Enter the path of the secondary data file (NDF).
  7. Click Save and then click Next.
  8. Configure the Core settings.
    Settings Description
    SQL Server Name The name, IP address, or connection string configured for the database server.
    Service Discovery Configuration The IP Address and Port for the database server. You also have the option to switch to Forward Lookup Zone by choosing another configuration, typically controlplane.internal.
  9. Click ...More to configure the CoreAdvancedExtn settings.
    Settings Description
    DB Application User name/ Password

    Enter the user name and password for the Workspace ONE Assist database application account.

    The user name is apdbuser.

    HTTP Port Enter the internal HTTP port used by the core services. The default is 80 but you can enter an alternate port number, such as 8080.
  10. Click Save and then click Next to configure the Portal settings.
    Settings Description
    Tenant FQDN Enter the server fully qualified domain name. For example, "rmstage01.awmdm.com"
    SSL Certificate

    Select the folder icon and browse for the SSL Certificate already installed. For details, see Install an SSL Certificate.

    SQL Server Name Enter the database server hostname that you have already configured.
    Apply Default Enrollment Certificate If required, select a different Enrollment Certificate provided by the Assist support team.
    Apply Default T10 Certificate Deselect this check box and select the folder button to browse for and load the T10 certificate. This certificate is in the folder where the installer file was downloaded and moved to in the …\RemoteManagementCertificateGenerator 22.03\RemoteManagementCertificateGenerator\Artifacts folder.
  11. Select the ...More button and complete the Custom Portal Advanced Settings.
    Important: If you are using port numbers other than the defaults referenced in Network and Security Requirements, you must enter these non-default port numbers here.
    Settings Description
    DB Application User name/ Password

    Enter the user name and password for the Workspace ONE Assist database application account.

    The user name is apdbuser.

    HTTP Port Enter the internal HTTP port used by portal services. The default is 80.
    IIS Site Binding IP Address Defines from which interfaces/IP addresses portal services can be reached. By default, the setting is ‘All Unassigned’ to activate all interfaces/IPs.
    HTTPS Port Enter the HTTPS port number. The default is 443.
    SSL Enable Activates SSL/TLS protocol for portal services. By default, this check box is selected so that the portal services use SSL/TLS. Leave this check box selected.

    T10 user name And Auto Generated

    Defines the T10 API user for connectivity between the AirWatch portal and the Workspace ONE Assist system. By default, if the ‘Auto Generated’ check box is selected, the installer assigns a random user name to be created locally on the server. Leave this text box defaulted and the check box selected for the installer to create the T10 API user. If you want to define the user, deselect the check box and type in the T10 user name you want to use.
  12. Click Save and then click Next.
  13. Review your selections at the Selected Components screen.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays. Any missing installation parameters are indicated in the report.

  14. If any of the prerequisites are missing and the check fails, do not select Install.
    1. Select Detailed Report link to see which prerequisites are missing.
    2. To install missing prerequisite components, select the Install Components link. The installer installs the missing components.

      You might need to reboot the server after the prerequisites are installed.

    3. After the reboot, relaunch the installer.

      The installer pre-populates with your previous selections.

  15. If the initial prerequisite check comes back with all components passing, select Install.

    Once the Install button is selected, the installation process begins.

    The installer first installs the database and then proceeds to install Core and Application services.

    Note: Database execution might take an extended period.
  16. Click Next after the installation completes.
  17. Ensure that the check box Execute Resource Pack is selected and select the Finish button.

    The Assist installation is complete on the CAP server. However, the resource pack must run in the background. Do not close the command line window. The command line window closes automatically when the resource pack execution is complete.

Install Workspace ONE Assist services on the Portal Server

After you have installed the Core and Application services on the CAP server, proceed to install the portal services on the Portal server.

  1. On the Portal server, execute the Workspace ONE Assist installer from the temporary directory and click Next.
  2. Select the installation directory for the Assist software and click Install.
  3. Select Advanced Installation (Custom). Select the check box for Secure Internal Service Communication. Enter a secured password to protect the certificate that is generated for Assist internal services and enter the internal service port (for example 8446, 8083, and so on). Click Next.
  4. Select Portal Services and click Next.
    Settings Description
    Tenant FQDN Enter the server fully qualified domain name. For example, "rmstage01.awmdm.com"
    SSL Certificate

    Select the folder icon and browse for the SSL Certificate already installed. For details, see Install an SSL Certificate.

    SQL Server Name Enter the database server hostname that you have already configured.
    Apply Default Enrollment Certificate If required, select a different Enrollment Certificate provided by the Assist support team.
    Apply Default T10 Certificate Deselect this check box and select the folder button to browse for and load the T10 certificate.
    Service Discovery Configuration The IP Address and Port of the Core/Application server. You also have the option to switch to Forward Lookup Zone by choosing another configuration.
  5. Select the ...More button and complete the advanced Portal parameters.
    Important: If you are using port numbers other than the defaults referenced in Network and Security Requirements, you must enter these non-default port numbers here.
    Setting: Description
    DB Application User name / Password: Enter the user name and password for the Workspace ONE Assist database application account. The user name is apdbuser.
    HTTP Port: Enter the internal HTTP port used by portal services. The default is 80 but you can enter an alternate port number, such as 8080.
    IIS Site Binding IP Address: Defines from which interfaces/IP addresses portal services can be reached. By default, the setting is ‘All Unassigned’ to activate all interfaces/IPs.
    HTTPS Port: Enter the HTTPS port number. The default is 443 but you can enter your preferred port number.
    SSL Enable: Activates SSL/TLS protocol for portal services. By default, this check box is selected so that the portal services use SSL/TLS. Leave this check box selected.
    T10 user name and Auto Generated: Defines the T10 API user for connectivity between the AirWatch portal and the Workspace ONE Assist system. By default, if the ‘Auto Generated’ check box is selected, the installer assigns a random user name to be created locally on the server. Leave this text box defaulted and the check box selected for the installer to create the T10 API user. If you want to define the user, deselect the check box and type in the T10 user name you want to use.
  6. Click Save and then click Next.
  7. At the Selected Components screen, review your selections. Once you have verified your configuration, select Install. The installer installs the Portal services.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays. Any missing installation parameters are indicated in the report. If the report indicates any missing parameters, see step 11 and step 12 of the Install Workspace ONE Assist services on the Core and Application Server procedure.

  8. Click Next after the installation completes.
  9. Ensure that the check box Execute Resource Pack is selected and select the Finish button.

    The Portal services installation is complete on the Portal server. However, the resource pack must run in the background. Do not close the command line window. The command line window closes automatically when the resource pack execution is complete.

    Proceed to install the Connection Proctor Service on the Connection Proctor server.

Install Workspace ONE Assist services on the Connector Proctor (CP) Server

After you have installed the Portal services on the Portal server, proceed to install the Connection Proctor (CP) services on the CP server.

  1. On the Connection Proctor (CP) server, execute the Workspace ONE Assist installer from the temporary directory and click Next.
  2. Select the installation directory for the Assist software and click Install.
  3. Select Advanced Installation (Custom). Select the check box for Secure Internal Service Communication. Enter a secure password to protect the certificate that is generated for Assist internal services and enter the internal service port (for example, 8446, 8083, and so on). Click Next.
  4. Select Connection Proctor component for installation on the server and click Next.
  5. Configure the Connection Proctor settings.
    Setting: Description
    Connection Proctor FQDN: Defines the Fully Qualified Domain Name (FQDN) on which CP services can be reached. Enter the FQDN, which must be the same as the FQDN assigned for portal services.
    Port: Enter the port number for CP services. The default is 443 in multiple server environments but you can enter your preferred port number.
      Whatever port you select, ensure that network/security teams use this port when assigning translation rules from the firewall/router to the Server for CP services.
    SSL Certificate: Select the folder icon and browse for the SSL Certificate already installed. For details, see Install an SSL Certificate.
      You may also click View Certificate to verify that the selected certificate is the one you want to use for the CP server.
      SAN (subject alternative name) certificates are supported. The implementation of SAN certificates depends upon your server arrangement.
      • The SAN certificate must have an FQDN defined for each connection proctor server and Workspace ONE Assist server.
        • For example, presume you have 2 connection proctor servers and 2 Workspace ONE Assist servers. The 2 Workspace ONE Assist servers host portal services, which require TLS/SSL traffic terminated at the load balancer. The FQDN for the SAN certificate must reflect the fully qualified domain name, for instance, "rmstage01.awmdm.com".
        • Meanwhile, for each of the 2 CP servers, TLS/SSL traffic terminates at the connection proctor, and therefore, you must have 2 FQDNs defined in the SAN certificate, for instance, "rmstage01.awmdm.com" and "rmstage02.awmdm.com".
    SQL Server Name: Enter the database server hostname.
    Service Discovery Configuration: The IP Address and Port of the Core/Application server. You also have the option to switch to Forward Lookup Zone by choosing another configuration.
  6. Select the ...More button and complete the Custom Connection Proctor Advanced settings.
    Important: If you are using port numbers other than the defaults referenced in Network and Security Requirements, you must enter these non-default port numbers here.
    Setting: Description
    DB Application User name / Password: Enter the user name and password for the Workspace ONE Assist database application account. The user name is apdbuser.
    CP Internal IP Address/Port: Defines from which internal IP addresses the connection proctor can be reached. By default, the setting is ‘All Unassigned’ to activate all addresses.
      Enter the port number for the Connection Proctor component. The default is 8443 but you can enter your preferred port number.
    Forward Lookup Zone: Under the CP Internal IP Address/Port drop-down menu, select this check box and enter your forward lookup zone here. You can also enter a custom lookup zone.
      The Forward Lookup Zone setting is optional in a multi-server environment.


  7. Click Save and then click Next.
  8. At the Selected Components screen, review your selections. Once you have verified your configuration, select Install. The Connector Proctor services are installed on the CP server.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays. Any missing installation parameters are indicated in the report. If the report indicates any missing parameters, see step 11 and step 12 of the Install Workspace ONE Assist services on the Core and Application Server procedure.
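
The SAN requirement in step 5 can be checked before the certificate is selected in the installer. The following PowerShell is an added example, not part of the Assist installer or VMware's tooling; it assumes the SSL certificate is installed in the Local Computer Personal store, and the function names and the thumbprint placeholder are hypothetical.

```powershell
# Added example: verify that an installed certificate covers every CP FQDN.
# Assumption: the certificate lives in Cert:\LocalMachine\My.

function Test-DnsNameMatch {
    param([string]$Pattern, [string]$Fqdn)
    $p = $Pattern.ToLowerInvariant().TrimEnd('.')
    $f = $Fqdn.ToLowerInvariant().TrimEnd('.')
    if ($p -eq $f) { return $true }
    # Standard TLS hostname rule: "*" stands for exactly one leftmost label.
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)    # for example ".awmdm.com"
        if ($f.EndsWith($suffix)) {
            $left = $f.Substring(0, $f.Length - $suffix.Length)
            return ($left.Length -gt 0 -and -not $left.Contains('.'))
        }
    }
    return $false
}

function Test-AssistSanCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Thumbprint,
        [Parameter(Mandatory)] [string[]] $RequiredFqdn
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $hasSan = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' })

    # The certificate provider fills DnsNameList from the SAN dNSName entries
    # and falls back to the Subject when the certificate has no SAN.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

    $coverage = foreach ($fqdn in $RequiredFqdn) {
        $hit = $names |
            Where-Object { Test-DnsNameMatch -Pattern $_ -Fqdn $fqdn } |
            Select-Object -First 1
        [pscustomobject]@{ Fqdn = $fqdn; Covered = [bool]$hit; MatchedBy = $hit }
    }

    $now        = Get-Date
    $inValidity = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    $missing    = @($coverage | Where-Object { -not $_.Covered })

    [pscustomobject]@{
        Subject       = $cert.Subject
        HasSanExt     = $hasSan
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = $inValidity
        NotAfter      = $cert.NotAfter
        Coverage      = $coverage
        Usable        = ($hasSan -and $cert.HasPrivateKey -and $inValidity -and $missing.Count -eq 0)
    }
}

# Usage (placeholder thumbprint; the FQDNs are the two CP names used in step 5):
# $r = Test-AssistSanCoverage -Thumbprint '<CERT_THUMBPRINT>' `
#          -RequiredFqdn 'rmstage01.awmdm.com', 'rmstage02.awmdm.com'
# $r | Format-List; $r.Coverage | Format-Table
```

A result with `Usable` set to `False` shows in `Coverage` which FQDN the certificate does not list.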

DNS Configuration

This section covers configuration of DNS parameters if DNS is used for service discovery of core services. The zone, host record, and service records all point to the CAP server.

The following parameters need to be defined. Listed are the values for the DNS parameters.

Forward Lookup Zone
  • Zone Name: controlplane1.internal
Host Record
  • Name: Admin
  • FQDN: admin.controlplane1.internal
  • Address: <IP address of the CAP server>
Service Record

SVC (Service Coordinator)
  • Record type: SRV
  • Domain: controlplane1.internal
  • Service: _svc
  • Protocol: _tcp
  • Priority: 0
  • Weight: 0
  • Port number: 8870
  • Host Offering this service: admin.controlplane1.internal
DTP (Data Tier Proxy)
  • Record type: SRV
  • Domain: controlplane1.internal
  • Service: _dtp
  • Protocol: _tcp
  • Priority: 0
  • Weight: 0
  • Port number: 8865
  • Host Offering this service: admin.controlplane1.internal
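
The records listed above can be created on a Windows DNS server and then checked from each Assist server. The following PowerShell is an added example and not VMware's tooling; it assumes the DnsServer module is available on the DNS server and a file-backed primary zone, and the function names are hypothetical.

```powershell
# Added example. New-AssistDiscoveryRecords runs on the Windows DNS server
# (DnsServer module); Test-AssistDiscoveryRecords runs on any Assist server.

$AssistZone     = 'controlplane1.internal'
$AssistHost     = 'admin'
$AssistServices = [ordered]@{ '_svc' = 8870; '_dtp' = 8865 }   # SRV service -> port

function New-AssistDiscoveryRecords {
    param(
        [Parameter(Mandatory)] [string]$CapServerIp,   # IP address of the CAP server
        [string]$Zone = $AssistZone
    )
    $target = "$AssistHost.$Zone"

    # Forward lookup zone. Assumption: file-backed primary zone;
    # use -ReplicationScope instead of -ZoneFile for an AD-integrated zone.
    if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns"
    }
    # Host (A) record pointing at the CAP server.
    if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $AssistHost -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $AssistHost -IPv4Address $CapServerIp
    }
    # SRV records for the Service Coordinator and the Data Tier Proxy.
    foreach ($svc in $AssistServices.GetEnumerator()) {
        $name = "$($svc.Key)._tcp"
        if (-not (Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType Srv -ErrorAction SilentlyContinue)) {
            Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name $name `
                -DomainName $target -Priority 0 -Weight 0 -Port $svc.Value
        }
    }
}

function Test-AssistDiscoveryRecords {
    param(
        [Parameter(Mandatory)] [string]$CapServerIp,
        [string]$Zone = $AssistZone,
        [string]$DnsServer                 # optional: query one specific DNS server
    )
    $common = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $common.Server = $DnsServer }
    $target = "$AssistHost.$Zone"

    # Host record must resolve to the CAP server.
    $a = Resolve-DnsName -Name $target -Type A @common | Where-Object { $_.Type -eq 'A' }
    [pscustomobject]@{
        Record   = $target
        Expected = $CapServerIp
        Actual   = ($a.IPAddress -join ',')
        Ok       = ($a.IPAddress -contains $CapServerIp)
    }

    # Each SRV record must name the host record and the documented port.
    foreach ($svc in $AssistServices.GetEnumerator()) {
        $query = "$($svc.Key)._tcp.$Zone"
        $srv   = Resolve-DnsName -Name $query -Type SRV @common | Where-Object { $_.Type -eq 'SRV' }
        $match = $srv | Where-Object {
            $_.NameTarget.TrimEnd('.') -eq $target -and $_.Port -eq $svc.Value
        }
        [pscustomobject]@{
            Record   = $query
            Expected = "${target}:$($svc.Value)"
            Actual   = (($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ',')
            Ok       = [bool]$match
        }
    }
}

# Usage (placeholder address; replace with the IP address of the CAP server):
# New-AssistDiscoveryRecords  -CapServerIp '<CAP_SERVER_IP>'
# Test-AssistDiscoveryRecords -CapServerIp '<CAP_SERVER_IP>' | Format-Table
```

Any row with `Ok` set to `False` identifies the record that the CP or Portal server cannot resolve to the expected target.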

Proceed to Configure Workspace ONE UEM Console with Assist On-Premises.

Configure the Workspace ONE UEM console with Assist On-Premises

After installing the Workspace ONE Assist server and all its components, configure the UEM console to communicate with the Workspace ONE Assist server.

  1. In the UEM console, ensure that you are in the Global OG.
  2. Navigate to Settings > System > Advanced > Site URLs > Workspace ONE Assist.
  3. Complete the Workspace ONE Assist settings.
    Setting: Description
    Console Connection Hostname: Enter the Workspace ONE Assist server fully qualified domain name (FQDN) plus "/t10".
      For example: https://rmstage01.awmdm.com/t10
    Device Connection Name: Enter the Workspace ONE Assist server fully qualified domain name (FQDN).
      For example: https://rmstage01.awmdm.com
  4. Select Save.

    The Workspace ONE Assist server is now ready to handle remote management sessions with end-user devices.

Integrate Deployment Model, On-Prem UEM With SaaS Assist

You can integrate an on-premises Workspace ONE UEM environment with a SaaS build of Workspace ONE Assist, in either single customer or multi-customer deployments.

You must have a working on-prem Workspace ONE UEM installation in order to integrate it with a Workspace ONE Assist SaaS environment.

The typical use case is that a partner with multiple on-premises Workspace ONE UEM environments (with single customer or multi-customer deployments) wants to add Workspace ONE Assist service. It is simple to integrate a SaaS build of Workspace ONE Assist to your on-prem Workspace ONE UEM build.

  1. Update the Site URL of the External Remote Management in Settings.
    1. In the UEM console, ensure that you are in the Global OG.
    2. Navigate to Settings > System > Advanced > Site URLs > Workspace ONE Assist.
    3. Complete the Workspace ONE Assist settings.
      Locale: Console Connection / Device Connection
      USA
        Console Connection Hostname: https://rm01.awmdm.com/t10
        Device Connection Name: https://rm01.awmdm.com/
      Canada
        Console Connection Hostname: https://rmca01.awmdm.com/t10
        Device Connection Name: https://rmca01.awmdm.com/
      Germany
        Console Connection Hostname: https://rmde01.awmdm.com/t10
        Device Connection Name: https://rmde01.awmdm.com/
      United Kingdom
        Console Connection Hostname: https://rmuk01.awmdm.com/t10
        Device Connection Name: https://rmuk01.awmdm.com/
      Australia
        Console Connection Hostname: https://rmau01.awmdm.com/t10
        Device Connection Name: https://rmau01.awmdm.com/
      Japan
        Console Connection Hostname: https://rmjp01.awmdm.com/t10
        Device Connection Name: https://rmjp01.awmdm.com/
      Singapore
        Console Connection Hostname: https://rmsg01.awmdm.com/t10
        Device Connection Name: https://rmsg01.awmdm.com

      The Workspace ONE Assist server can now communicate with Workspace ONE UEM.

  2. Generate the Workspace ONE Assist T10 API Certificate. This step must be finished no matter what deployment model you are using, but it is the first set of certificates you generate for multi-Workspace ONE UEM environments. See Generate the Workspace ONE Assist T10 API Certificate and Supported Deployment Models.
    • If you are deploying a single customer Workspace ONE UEM environment, then proceed to step 3.
    • If you are deploying a multi-customer Workspace ONE UEM environment, then you must .
  3. Select Save.

    The Workspace ONE Assist is now ready to handle remote management sessions with end-user devices.

  4. Configure End-User Devices
  5. While logged into the Workspace ONE UEM console, navigate to Devices > List View and locate a suitable device to remotely manage. See Supported Platforms.
  6. Select that device's Friendly Name to display Device Details.
  7. Initiate a Workspace ONE Assist session on this device by selecting the More Actions button and then selecting Remote Management.

    The single customer or multi-customer on-premises deployment of Workspace ONE UEM is now connected to the Shared SaaS build of Workspace ONE Assist.

Migrate Workspace ONE Assist from On-Premises to SaaS

Migrating your on-prem installation of Workspace ONE Assist to a SaaS environment takes place seamlessly, without having to uninstall and reinstall the Assist agent on the devices. However, for certain versions of Assist, you might need to uninstall and reinstall the agent.

Prerequisites:

Before you can migrate your Workspace ONE Assist to a SaaS environment, Workspace ONE UEM must already be in a dedicated SaaS environment. This Workspace ONE Assist migration cannot be applied to an on-premises build of Workspace ONE UEM.

Minimum Requirements

Make note of the minimum requirements for migrating Assist seamlessly from on-prem to SaaS.
  • Workspace ONE UEM console 2008
  • Workspace ONE Intelligent Hub 2008
  • Workspace ONE Assist console - N/A
  • Workspace ONE Assist Agent 20.11 or later

If the Assist version you want to migrate does not meet the requirements, follow the migration steps provided in Migrate Assist versions earlier to 20.11.

Migrate Assist versions 20.11 or later

The steps to migrate Assist 20.11 or later involve updating the site URLs and re-pushing the Intelligent Hub settings to all the enrolled devices. The end users are not required to perform any actions on their devices.

  1. Follow the instructions for Step 1 Only of Integrate Deployment Model, On-Prem UEM With SaaS Assist to configure the site URLs. Then return to this task to commence migration.
  2. You must re-push the Intelligent Hub settings to all enrolled devices per the following substeps.
    1. Android – Navigate to Groups & Settings > All Settings > Devices & Users > Android > Intelligent Hub Settings. No changes need to be made to this settings page, just select Save.
    2. iOS – Navigate to Groups & Settings > All Settings > Devices & Users > Apple > Apple iOS > Intelligent Hub Settings. No changes need to be made to this settings page, just select Save.
    3. macOS – Navigate to Groups & Settings > All Settings > Devices & Users > Apple > Apple macOS > Intelligent Hub Settings. No changes need to be made to this settings page, just select Save.
    4. Windows CE & Mobile – Navigate to Groups & Settings > All Settings > Devices & Users > Windows > Windows Rugged > Agent Settings. No changes need to be made to this settings page, just select Save.
    5. Windows 10 – Navigate to Groups & Settings > All Settings > Devices & Users > Windows Desktop > Intelligent Hub Settings. No changes need to be made to this settings page, just select Save.

      The device is silently re-enrolled into Workspace ONE Assist. The device end user is not prompted.

Migrate Assist versions earlier to 20.11

Migrating a Workspace ONE Assist version earlier than 20.11 involves updating the site URLs, re-pushing the Intelligent Hub settings to all the enrolled devices, and uninstalling and reinstalling the Assist agent on the devices.
  1. Follow the instructions for Step 1 Only of Integrate Deployment Model, On-Prem UEM With SaaS Assist to configure the site URLs. Then return to this task to commence migration.
  2. Take action on the Assist agent installed on the enrolled devices by performing the following substeps.
    1. Upgrade the Assist agent version to 20.11 or later in all the enrolled Windows mobile, Android, Windows 10, and macOS devices.
    2. On iOS devices, upgrade the Intelligent Hub to version 2101 or above.
    3. On Android devices only, if the Assist service application version is earlier than 2.3, upgrade the service application to 2.3 or later.
  3. After the Assist agents are upgraded to the required versions as mentioned in the previous step, re-push the Intelligent Hub settings to all the enrolled devices so that the Hub receives the updated site URLs.
    1. Android - Navigate to Groups & Settings > All Settings > Devices & Users > Android > Intelligent Hub Settings. No changes need to be made to this settings page, just select Save.
    2. iOS - Navigate to Groups & Settings > All Settings > Devices & Users > Apple > Apple iOS > Intelligent Hub Settings. No changes need to be made to this settings page, just select Save.
    3. macOS - Navigate to Groups & Settings > All Settings > Devices & Users > Apple > Apple macOS > Intelligent Hub Settings. No changes need to be made to this settings page, just select Save.
    4. Windows CE & Mobile - Navigate to Groups & Settings > All Settings > Devices & Users > Windows > Windows Rugged > Agent Settings. No changes need to be made to this settings page, just select Save.
    5. Windows 10 – Navigate to Groups & Settings > All Settings > Devices & Users > Windows Desktop > Intelligent Hub Settings. No changes need to be made to this settings page, just select Save.

Configure Multi-Workspace ONE UEM Environment Support

If you want to operate the Workspace ONE Assist server across multiple Workspace ONE UEM environments (not multiple organization groups), then take the following steps.

You must have already completed all the steps in Generate the Workspace ONE Assist T10 API Certificate.

Do not follow this procedure if you want Workspace ONE Assist to work with a single Workspace ONE UEM environment.

  1. Log in to the secondary or other Workspace ONE UEM environment.

    Do not log into the same environment you selected in Step 4 of the topic Generate the Workspace ONE Assist T10 API Certificate.

  2. In the UEM console of this secondary environment, switch to your primary OG.

    The OG you select must be of a 'customer' type. For more information about organization groups, see the topic Organization Group Type Functions from the VMware Workspace ONE UEM Console Basics Documentation.

  3. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLs, scroll down to the External Remote Management section, and copy the string in the Remote Management CN text box.
    Note: If this text box is blank, then you must manually Create the Remote Management CN from the Workspace ONE UEM Database.
  4. Switch back to the Workspace ONE Assist server. Run the Remote Management Certificate Generator, which includes the Remote Management Installer, using the following values.
    Setting: Value
    Certificate Type: Remote Management
    Deployment: Upload Intermediate
    Certificate Common Name: Paste the Remote Management CN from Step 3 preceding
  5. Select the Generate Certificates button.
  6. When prompted, you must select the intermediate private cert.

    This certificate and password are the same ones you originally generated in Step 8 of Generate the Workspace ONE Assist T10 API Certificate. This certificate is located in c:\temp\certs of the Workspace ONE Assist server.

  7. On the Workspace ONE Assist server, locate the 'artifacts' folder, and run the SQL script file Certificate Seed Script.sql against the Workspace ONE UEM Database to seed the generated certificates into the Workspace ONE UEM database.
  8. Repeat this entire task for each additional Workspace ONE UEM environment you want Workspace ONE Assist to work with.

    Example: If you want to add two additional environments to the environment you configured originally, then you must follow the steps of this task twice.

After you have finished installing the client certificate for each Workspace ONE UEM environment, proceed to Configure the Workspace ONE UEM console with Assist On-Premises.

Upgrade to a New Version

Upgrading to a new version of Workspace ONE Assist is simple. Install a new version of Workspace ONE Assist on top of an existing, older version by taking the following steps.

Read through this entire section BEFORE you begin the installation process.
  1. To ensure that you do not run the old installer file in error, replace the previous version of the installer with the new version in the same folder. All certificates and the install.config file remain the same.
  2. Right-click the installer file and select Run as administrator. The installer prompts you to remove the currently installed components, excluding the database.
  3. Select OK and allow the installer to remove the installed components.

    The AirWatch Remote Management Uninstall Components screen appears.

  4. Select Next and proceed with the uninstall process.

    The Uninstall Components dialog box displays, listing each component it finds of the old version. Each of these components is selected with a green check mark. Notice that the Database or DB does not appear on this screen. This absence is because the old database is used during the upgrade process, which means everything on the database is kept intact in the new version of Workspace ONE Assist.

  5. Select Uninstall and commence uninstalling the old components.

    The uninstallation begins in earnest, displaying each component as it is removed.

  6. Once all the old components are uninstalled, the AirWatch Remote Management Setup prompts you to install new versions of the same components. Select Next to begin.
  7. The Choose Install Location prompt appears. The default installation location appears prepopulated in the text box, which it got from the install.config file. Proceed by selecting Install.
  8. The Get Started with AirWatch screen displays, prompting you to select between Standard Installation (Basic) and Advanced Installation (Custom).

    For details about each installation method, including all steps, screens, text boxes, and options, see Standard (Basic) Installation of Workspace ONE Assist or Advanced (Custom) Installation of Workspace ONE Assist.

  9. The installer reads from the install.config file, applying all the original configurations it finds to the options screens, including SQL server details, user names, Tenant FQDN, certificates, database configurations, and many other configurations. You might not need to modify any of the settings it pulls from this install.config file with the possible exceptions below.
    • Check Database Accounts - Depending upon your configuration and the existing permissions in your environment, the install.config settings might not be populated correctly. For this reason, review the database accounts to ensure that they are correct. Do this review at the first screen, Installer - Basic - Database (Step 1 / 2) by clicking the ...More button which displays the Database Advanced Settings dialog box. Review the apadminuser and apdbuser accounts and respective passwords for accuracy and select Save. Ensuring these accounts are correct now saves you trouble later.
    • SSL Certificate - If you installed a new SSL certificate before running this upgrade, ensure that you integrate it with the upgrade. Review the certificate at the second screen, Installer - Basic - Application (Step 2 / 2) by selecting the SSL Certificate drop-down menu and reviewing the name of the new SSL Certificate. If you have not installed a new SSL certificate before running this upgrade, then just ensure that the existing SSL cert is selected.
    • T10 Certificate - When upgrading from an older version of ARM to a newer version, review the T10 certificate to make sure it is the correct one. If you are in doubt about this certificate's validity, on the Installer - Basic - Application (Step 2 / 2) screen, deselect the check box Apply Default Settings, select the folder button that corresponds to the T10 Certificate, and select the correct certificate file in P7B format.
    • Check the Ports - At the Installer - Basic - Application (Step 2 / 2) screen, select the ...More button which displays the Portal Advanced Settings screen.
      • Ensure all the ports it pulls from install.config are correct for your environment. You should know whether your environment is using port 8443, which is the default connection proctor port for Workspace ONE Assist.
      • If 8443 is not used by your environment, then ensure the CP Port text box is 8443.
      • If 8443 is being used by your environment, then you must select another CP Port in order for Workspace ONE Assist to function. Consider using port 8446 in such a case.
      • Select Save if you have made changes.
  10. After you have reviewed all the settings above and made all applicable adjustments, proceed with the remainder of the installation by selecting the Next button.

    The Installer - Selected Components screen displays.

  11. The Installer - Selected Components page confirms all the installer settings it plans to use for the upgrade. If you want to make changes, you can use the < Prev button to revisit config pages. Otherwise, select Install to begin the upgrade. The installer prompts you again for the installation location. Select Install.
    • The database account is validated against the apdbuser and apadminuser accounts. During the upgrade, the Installing Database process displays "Error Message: DBAlreadyExists". This simply means it found the existing database and it has begun to upgrade it.
  12. When the installation finishes, select Next.
  13. The last step is to run the resource pack which consists of configuration files for hundreds of different devices. Ensure the Execute Resource pack check box is selected and click Finish.

The Workspace ONE Assist server has been upgraded.
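
Step 9 asks whether port 8443 is already in use before the CP Port is confirmed. The following PowerShell is an added example, not part of the Assist installer, that answers that question on the server that will host the Connection Proctor; the function names are hypothetical, and the candidate list is the default port followed by the fallback this procedure suggests.

```powershell
# Added example. Run in an elevated PowerShell session on the CP server.

function Get-AssistCpPortStatus {
    param([int[]]$Port = @(8443, 8446))   # default CP port, then the suggested fallback

    foreach ($p in $Port) {
        $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue)
        if ($listeners.Count -eq 0) {
            [pscustomobject]@{
                Port = $p; InUse = $false; LocalAddress = $null
                ProcessId = $null; ProcessName = $null
            }
            continue
        }
        foreach ($l in $listeners) {
            # PID 4 ("System") means the listener belongs to HTTP.sys, for example
            # an IIS site binding; "netsh http show servicestate" names the owner.
            $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port = $p; InUse = $true; LocalAddress = $l.LocalAddress
                ProcessId = $l.OwningProcess; ProcessName = $proc.ProcessName
            }
        }
    }
}

function Select-AssistCpPort {
    # Returns the first candidate port with no listener, or $null if all are taken.
    param([int[]]$Port = @(8443, 8446))

    $status = Get-AssistCpPortStatus -Port $Port
    foreach ($p in $Port) {
        if (-not ($status | Where-Object { $_.Port -eq $p -and $_.InUse })) { return $p }
    }
    return $null
}

# If this runs before the old components are uninstalled, a listener on the CP
# port may be the existing Assist installation itself; check ProcessName before
# treating the port as taken by another application.
Get-AssistCpPortStatus | Format-Table
"CP Port to enter in the installer: $(Select-AssistCpPort)"
```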

Create the Remote Management CN from the Workspace ONE UEM Database

If the Remote Management CN text box is empty in step 5 of Generate Workspace ONE Assist Certificates or step 3 of Configure Multi-Workspace ONE UEM Environment Support, you can run an SQL script against the database to create the Remote Management CN manually.
  1. Open the Remote Management Certificate Generator.

    You must run this generator as an administrator.

  2. Select the Question Mark button.
  3. Copy the displayed text.

    This text is the SQL script to run against the Workspace ONE UEM Database.

  4. Switch to the Workspace ONE UEM Database server and open SQL Server Management Studio.
  5. Create a query with the copied text.
  6. On the first line of the query, replace the NULL value with the GroupID for the customer type OG that you want to use.

    The OG you select must be a customer type. It cannot be of any other type, including global, partner, container, and so on.

    DECLARE @GroupID NVARCHAR(20) = NULL;

    becomes

    DECLARE @GroupID NVARCHAR(20) = 'RemoteManagement';
  7. In the Results, copy the created Remote Management CN.

    The Remote Management CN is used to generate the root and intermediate certificates for Remote Management. Return to Step 5 of Generate the Workspace ONE Assist T10 API Certificates or Step 3 of Configure Multi-Workspace ONE UEM Environment Support.

Import Device Profiles with Resource Pack Utility

Device profiles contain the key mapping, device skin, and Workspace ONE Assist service signatures for full remote control. You can perform a bulk import of these device profiles onto your Workspace ONE Assist Server.
  1. Run the Resource Pack Utility file provided. The file is called AW RM Resource Pack Version - v0xx.exe.
  2. Complete the Authentication step.
    1. Enter the Target Tenant URL specific to your environment. For example, https://rmstage01.awmdm.com
    2. Enter the user name and password. If new credentials have not been defined, use the default credentials.
      • User name: admin
      • Password: admin
    3. Enter the Admin URL of
      http://admin.controlplane.aetherpal.internal:80

      If you have not used the WBC portal yet and have not reset your default password, the Resource Pack Utility prompts you at this point to reset the password. Enter your new password and select the Update Password button to continue.

  3. Complete the Resource Import step.

    You can select one or more device profiles from the list or you can select the Select All check box to initiate a full importation of all available device profiles.

  4. Select the Import button to continue. The log panel on the right side fills up with confirmation messages which you can review.

    The device profiles you selected are installed onto the Workspace ONE Assist server.

  5. When finished importing device profiles, select the Exit button.