The Content Management solution supports integration with your Corporate File Servers (CFS). Corporate File Servers refer to existing repositories that reside within an organization’s internal network.
Features
Corporate File Server integration supports the following features:
Security
The Content Management solution provides the following security options:
Deployment
Depending on an organization’s structure, the Workspace ONE UEM administrator might or might not have administrative permissions for a CFS. After the Content Management solution is integrated with CFS, the end-user devices can sync the content from the servers using VMware Workspace ONE Content.
Workspace ONE UEM supports integration with various corporate file servers. The syncing method support and requirement of the Content Gateway component vary by repository type.
Available Sync Methods
Review the available syncing methods for repositories:
Note: Irrespective of the number of files present in the repository folders, only 1K files in any folder, sorted alphabetically, get synced to the device.
Use the matrix to determine the supported syncing methods and Content Gateway requirements by repository type:
Available Repositories | Admin | Automatic | Manual |
---|---|---|---|
Box | ✓ | ✓ | ✓ |
CMIS | ✓ | ✓ | ✓ |
Google Drive | ✓ | – | – |
Network Share | ✓ | ✓ | ✓ |
OneDrive | ✓ | – | – |
OneDrive for Business | ✓ | – | – |
OneDrive for Business ADFS | ✓ | – | – |
OneDrive for Business OAuth | ✓ | – | – |
SharePoint | ✓ | ✓ | ✓ |
SharePoint ADFS | ✓ | ✓ | ✓ |
SharePoint O365 | ✓ | ✓ | ✓ |
SharePoint O365 ADFS | ✓ | ✓ | ✓ |
SharePoint O365 OAuth | ✓ | – | – |
SharePoint - Personal (My Sites) | ✓ | – | – |
SharePoint WebDAV | ✓ | – | – |
SharePoint Windows Auth | ✓ | ✓ | ✓ |
WebDAV | ✓ | ✓ | ✓ |
Access through Content Gateway | |||
Box | – | – | – |
CMIS | ✓+ | ✓+ | ✓+ |
Google Drive | – | – | – |
Network Share | ✓+ | ✓+ | ✓+ |
OneDrive | – | – | – |
OneDrive for Business | ✓ | – | – |
OneDrive for Business ADFS | ✓ | – | – |
SharePoint | ✓ | ✓ | ✓ |
SharePoint ADFS | ✓ | ✓ | ✓ |
SharePoint O365 | ✓ | ✓ | ✓ |
SharePoint O365 ADFS | ✓ | ✓ | ✓ |
SharePoint - Personal (My Sites) | ✓ | – | – |
SharePoint WebDAV | ✓ | – | – |
SharePoint Windows Auth (Content Gateway for Linux) | – | – | – |
SharePoint Windows Auth (Content Gateway for Windows) | ✓ | ✓ | ✓ |
WebDAV | ✓ | ✓ | ✓ |
Document Extensions | |||
Box | ✓ | ✓ | ✓ |
CMIS | ✓ | ✓ | ✓ |
Google Drive | ✓ | – | – |
Network Share | ✓* | ✓* | ✓* |
OneDrive | ✓ | – | – |
OneDrive for Business | ✓ | – | – |
OneDrive for Business ADFS | ✓ | – | – |
OneDrive for Business OAuth | ✓ | – | – |
SharePoint | ✓** | ✓** | ✓** |
SharePoint ADFS | ✓** | ✓** | ✓** |
SharePoint O365 | ✓** | ✓** | ✓** |
SharePoint O365 ADFS | ✓** | ✓** | ✓** |
SharePoint O365 OAuth | ✓ | – | – |
SharePoint - Personal (My Sites) | ✓** | – | – |
SharePoint WebDAV | ✓** | – | – |
SharePoint Windows Auth | ✓** | ✓** | ✓** |
WebDAV | ✓* | ✓* | ✓* |
Legend:
¥ = The VMware Content Gateway on Linux servers supports only SMB v2.0 and SMB v3.0. The default supported version is SMB v2.0.
✓+ = Required
✓ = Supported
– = Not Supported
✓* = Supported, with limitations. Access limited to files from repositories previously opened in the VMware Workspace ONE Content.
✓** = Supported, with limitations. Access limited to files previously downloaded in the Workspace ONE Content.
Sync your network’s existing corporate file servers with Workspace ONE UEM by configuring an Admin Repository, an Automatic User-Added Repository, or a Manual User-Added repository. The available configurations impact the trigger that initiates the syncing of content to devices.
Use this macro-level configuration overview to gain insight into the start-to-finish process of enabling end-users access to the Corporate File Server content.
Evaluate your organization’s need for multiple Content Gateway nodes.
Global organizations with concerns about latencies caused by geographical separations can use this functionality.
Configure an Admin repository or sync Corporate File Servers (CFS) in the UEM console.
If configuring an Admin Repository, select Test Connection to ensure connectivity.
Configure VMware Workspace ONE Content in the UEM console.
Configure an Admin repository to sync your network’s existing corporate file servers with Workspace ONE UEM. After the sync, end users can access the Corporate File Server content from their devices.
Configure the settings that appear.
Settings | Description |
---|---|
Name | Label the content directory |
Type | Select a Corporate File Server from the drop-down menu. |
Link | Provide the full path to the directory location rather than the root domain. Example: http://SharePoint/Corporate/Documents. A URL copied directly from a web browser might not have permission to access a server for certain repository types. Note: If the repository selected is an OAuth repository, the repository URL must contain ‘/personal.’ For example, if your repository URL is xyz.abc.com, you must add the URL as xyz.abc.com/personal. |
Organization Group | Assign Corporate File Server access to a selected group of users. |
Use PIV-D Derived Credentials | This setting is available only when SharePoint is selected as the repository type. Select the check box to use the PIV-D certificate authentication to authenticate the users instead of user names and passwords. PIV-D certificate authentication is for authenticating the users who want to access the on-prem SharePoint repositories from their devices. Note: Enabling use of a PIV-D Derived Credential requires Kerberos configuration in the Content Gateway settings. For information about the certificate authentication settings on Content Gateway, see the Configure Content Gateway on the UEM Console topic in the Content Gateway documentation. |
Access via Content Gateway | Use the Content Gateway if the Workspace ONE UEM server’s domain cannot access the Corporate File Server. |
Content Gateway | Identify the unique name of the appropriate Content Gateway node from the drop-down menu. |
Allow Inheritance | Permit child organization groups to inherit the same access permissions as their parent organization group. |
Allow Write | Permit end users to create and upload files and folders, edit documents, and check in or check out files to external repositories on their devices. |
Allow File Actions | This setting is available only when SharePoint O365 OAuth or OneDrive for Business OAuth is selected as the repository type. Select the check box to allow the Workspace ONE Content app users to rename, move, delete files on cloud repositories. |
Allow Delete | Permits remote content delete for the Network Share repository. With this feature, the end user can delete their content permanently from the Network Share repository using the Workspace ONE Content app. |
Authentication Type | Select the access level admins have to Corporate File Servers from the UEM console. None – Prevent administrators from viewing and downloading Corporate File Server content from the UEM console. User – Permit browsing of the repository file structure within the UEM console. Enter credentials into the Username and Password text boxes that appear. Note: If the Use PIV-D Derived Credentials check box is selected, then the password text box does not appear. Provide the User Principal Name for the user in the Username text box. |
Allow Upload From Camera Only | Select this option to allow users to upload images only from the camera of the device. |
Select Test Connection to verify connectivity. A successful test result indicates the corporate file server integrated successfully.
Complete the details under the Security, Assignment, and Deployment tabs.
a. On the Security tab, complete the text boxes to control how the end users share and move sensitive documents outside of corporate mediums.
The Force Encryption setting has been removed since Workspace ONE UEM console version 9.5. The VMware Workspace ONE Content app encrypts all the files by default, whether the setting is available or not.
Setting | Description |
---|---|
Document Sharing | Disable the sharing settings for maximum security. You can enable them for configuring end-user collaboration. |
Access Control | Set to Allow Offline Viewing to give end users the most viewing freedom for their document. Configure Allow Online Viewing Only to ensure that all devices accessing content are compliant, as Workspace ONE UEM cannot scan offline devices for compliance. |
Allow Open in Email | Allow the content to open in emails. Users cannot open files that are larger than 10 MB. To allow users to open files larger than 10 MB, you must edit such files on the UEM console and enable this option. Files in user repositories cannot be edited. |
Allow Open in Third Party Apps | Give the permission to open this content in other applications. You can set a list of approved apps in the SDK Profile. Disabling this option also disables the end user’s permission to print the PDF documents from the iOS VMware Workspace ONE Content. |
Allow Saving to Other Repositories | Select to allow your end users to save this file to their Personal Content. |
Enable Watermark | Select to add a watermark overlay to the file. Configure the Overlay Text for the watermark as part of an SDK profile. |
Allow Printing | Give the end users the permission to print PDF documents from the iOS VMware Workspace ONE Content using AirPrint server. Once printed, content falls out of the control of the Workspace ONE UEM administrator. Printing is supported only if Allow Open in Third Party Apps is enabled. |
Allow Edit | This setting only applies to write-enabled repositories. |
b. On the Assignment tab, configure the settings to control which users have access to content. This function ensures that only authorized employees have access to confidential or sensitive material and allows you to set up a tiered hierarchy of content access.
Settings | Description |
---|---|
Device Ownership | Define as Any, Corporate-Dedicated, Corporate-Shared, Employee Owned or Undefined. |
Organization Groups | To assign the content to a new group, start typing in the text box. |
User Groups | Designate groups if you are integrating with Directory Services or custom user groups. |
c. On the Deployment tab, configure the settings to control how and when your end users access content.
Settings | Description |
---|---|
Transfer Method | Specify Any method or Wi-Fi Only from the drop-down menu. Restricting transfers to Wi-Fi forces devices to check in with Workspace ONE UEM to ensure compliance. |
Download While Roaming | Enable to allow your end users to download the content while roaming. |
Download Type | Set to deploy content in one of two ways: Automatically – Installs on devices when content becomes available. On Demand – Installs on devices only at the end user’s request. |
Download Priority | Define to let your end users know if the content download is Normal, High, or Low priority. |
Required | Select to flag the content as required in the VMware Workspace ONE Content. End users must download and review the required content in order for their devices to maintain compliance with Workspace ONE UEM. |
Effective Date | Specify to configure a limited range of content availability. |
Expiration Date | Specify to configure a limited range of content availability. |
Select Save.
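The following check is an added example, not part of the product or its documentation: it reviews one repository's settings against the trade-offs stated in the tables above. The dictionary layout and the sample values are assumptions for illustration (this is not a Workspace ONE UEM export format); the keys reuse the console setting labels, and Document Sharing is treated as a single on/off value.

```python
# Added example: flags repository settings that the tables above describe as
# loosening control. The dict layout is an assumption (not a UEM export
# format); keys reuse the console setting labels.
OAUTH_TYPES = {"SharePoint O365 OAuth", "OneDrive for Business OAuth"}

def review_repository(cfg):
    """Return a list of (setting, finding) tuples for one repository."""
    out = []
    on = lambda key: bool(cfg.get(key, False))
    rtype, link = cfg.get("Type", ""), cfg.get("Link", "")

    # Repository settings
    if rtype in OAUTH_TYPES and "/personal" not in link:
        out.append(("Link", "OAuth repository URL must contain '/personal'"))
    if on("Allow File Actions") and rtype not in OAUTH_TYPES:
        out.append(("Allow File Actions", "only available for the OAuth repository types"))
    if on("Allow Delete") and rtype == "Network Share":
        out.append(("Allow Delete", "users can permanently delete repository content"))

    # Security tab
    if on("Document Sharing"):
        out.append(("Document Sharing", "disable for maximum security"))
    if cfg.get("Access Control") == "Allow Offline Viewing":
        out.append(("Access Control", "offline devices cannot be scanned for compliance"))
    if on("Allow Open in Third Party Apps"):
        out.append(("Allow Open in Third Party Apps", "review the approved apps in the SDK Profile"))
    if on("Allow Printing"):
        if on("Allow Open in Third Party Apps"):
            out.append(("Allow Printing", "printed content leaves administrator control"))
        else:
            out.append(("Allow Printing", "not supported unless Allow Open in Third Party Apps is enabled"))
    if on("Allow Saving to Other Repositories"):
        out.append(("Allow Saving to Other Repositories", "files can be saved to Personal Content"))
    if on("Allow Edit") and not on("Allow Write"):
        out.append(("Allow Edit", "applies only to write-enabled repositories"))

    # Deployment tab
    if cfg.get("Transfer Method") == "Any":
        out.append(("Transfer Method", "Wi-Fi Only forces a compliance check-in"))
    return out

# Constructed sample configurations (not taken from a real deployment).
PERMISSIVE = {"Type": "Network Share", "Link": "\\\\fileserver\\share",
              "Allow Write": False, "Allow Delete": True, "Document Sharing": True,
              "Access Control": "Allow Offline Viewing", "Allow Printing": True,
              "Allow Open in Third Party Apps": False, "Allow Edit": True,
              "Transfer Method": "Any"}
RESTRICTED = {"Type": "SharePoint O365 OAuth", "Link": "xyz.abc.com/personal",
              "Access Control": "Allow Online Viewing Only",
              "Transfer Method": "Wi-Fi Only"}

if __name__ == "__main__":
    for name, cfg in (("PERMISSIVE", PERMISSIVE), ("RESTRICTED", RESTRICTED)):
        print(name, review_repository(cfg))
```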
Ensure Content Gateway is configured with the correct link. This specific rule applies to SharePoint 2013, Office 365, and the later versions. Some URLs cannot be accessed using applications and services, and can only be accessed using a web browser. If a ‘browser only’ URL gets entered as the link when configuring Content Gateway, the connection fails.
Integrate Workspace ONE UEM with existing content repositories by configuring an Automatic or Manual Template that end users sync to from their devices. After the sync, the end users can access the Corporate File Server content from their devices. Using Content Gateway with Corporate File Servers allows the end users to securely add, edit, and upload content to the Corporate File Server.
The steps can vary when configuring an Automatic or Manual Template.
Navigate to the appropriate page in the UEM console.
Corporate File Server Type | Location |
---|---|
Automatic Template | Content > Repositories > Templates > Automatic |
Manual Template | Content > Repositories > Templates > Manual |
Select Add.
Complete the text boxes that appear. The text boxes can change when configuring an Admin Repository, an Automatic Template, or a Manual Template.
Settings | Description |
---|---|
Name | Label the content directory. |
User Repository Name (auto template only) | Use look-up values to name the repository after the end user within the VMware Workspace ONE Content. |
Type | Select a Corporate File Server from the drop-down menu. |
Link | A URL copied directly from a web browser might not have permission to access a server for certain repository types. |
Link (auto template only) | Use look-up values to create a repository when an end user accesses the VMware Workspace ONE Content. Example: https://sharepoint.acme.com/share/{EnrollmentUser} |
Link (manual template only) | Provide the path to the directory location using * as a wildcard for a domain link. Example: http://*.sharepoint.com. You can add a new link to an existing manual template but cannot edit or delete an existing link. Exercise caution when you add new links that are in the denylist, as you cannot edit or delete the links if there is any error. Any corrections to the links require deleting the entire template. |
Denied Link(s) | Specify the values for the wildcard character (*) in the file paths. The values specified for * at the beginning and the end of the file path stop your users from creating manual repositories and sub folders using the manual template. |
Organization Group | Assign Corporate File Server access to a specified group of users. |
Use Derived Credentials | This setting is available only when SharePoint is selected as the repository type. Select the check box to use the PIV-D certificate authentication to authenticate the users instead of user names and passwords. PIV-D certificate authentication is for authenticating the users who want to access the on-prem SharePoint repositories from their devices. Note: Enabling use of a PIV-D Derived Credential requires Kerberos configuration in the Content Gateway settings. For information about the certificate authentication settings on Content Gateway, see the Configure Content Gateway on the UEM Console topic in the Content Gateway documentation. |
Access via Content Gateway | Use the Content Gateway if the Workspace ONE UEM server’s domain cannot access the Corporate File Server. |
Allow Inheritance | Allow child organization groups to inherit the same access permissions as their parent organization group. |
Allow Write | Allow end users to create and upload files and folders, edit documents, and check in or check out files to external repositories on their devices. |
Workspace ONE Content app users are granted access to on-prem SharePoint and Network Share repositories after the users are authenticated using the PIV-D Derived Credentials. Certificate-based authentication eliminates the requirement of username and password.
On-prem repositories such as SharePoint and Network Share can be configured to use the PIV-D Derived Credentials for authentication. Configuring the repositories to use the PIV-D Derived Credential requires Kerberos configuration in the VMware Content Gateway settings.
The following prerequisites must be considered for setting up the PIV-D Certificate Authentication:
Kerberos Constrained Delegation (KCD) server must be set up with proper SPNs (Service Principal Names).
Active Directory must be synced with Workspace ONE UEM, with User Principal Name (UPN) as an attribute.
Service account must be available to both Workspace ONE UEM and VMware Content Gateway to use as part of the Kerberos authentication workflow.
Content Gateway must be provided a trusted certificate from the Certificate Authority (CA) issuing the user certificates. These certificates might be only intermediate certificates or the entire certificate chain depending on validation requirements on the CA.
In the case of a Network Share repository, ensure that the configuration key jcifs is set to false and jcifsng is set to true.
When the entire corporate repository is cached, memory spikes can occur on the Device Services server due to the low internal memory. Each time, the cache must be disabled to overcome the load on the Device Services server.
Note: The database script that is used to disable cache is no longer applicable from Workspace ONE UEM 1904 version. The cache can be disabled by switching the ContentCacheFeatureFlag to false in the API, https://
The just-in-time caching strategy eliminates the low memory issue by caching only those folders and content records that are accessed by the user. The unwanted folders and contents are removed from the cache.
The folders are cached individually using a folderId cache key as opposed to caching the entire repository using the RepoId cache key.
In a cache miss, the Device Services server loads only the metadata of the current folders from the database and stores it in the cache. In a cache hit, the Device Services server reads only the root level folder structure from the cache.
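A small model of the two cache-key strategies, added here as an example and not Workspace ONE UEM code: it compares how many metadata records each strategy holds after the same folder accesses. The folder tree, the identifiers, and the eviction rule (least recently used, capped at two folders) are assumptions, since the page does not say how unwanted folders are selected for removal.

```python
from collections import OrderedDict

# Constructed sample "database": folderId -> metadata of that folder's children.
DB = {
    "root": ["hr", "eng"],
    "hr": ["policies.pdf", "benefits.pdf"],
    "eng": ["design", "runbook.docx"],
    "design": ["arch.pdf"],
}
REPO_ID = "repo-1"  # constructed identifier

class WholeRepoCache:
    """Entire repository cached under one RepoId key on first access."""
    def __init__(self):
        self.store = {}

    def list_folder(self, folder_id):
        if REPO_ID not in self.store:
            # One miss pulls every folder's metadata into memory.
            self.store[REPO_ID] = {fid: list(items) for fid, items in DB.items()}
        return self.store[REPO_ID][folder_id]

    def records(self):
        return sum(len(v) for repo in self.store.values() for v in repo.values())

class JitFolderCache:
    """Just-in-time caching: one entry per folderId, loaded when accessed."""
    def __init__(self, max_folders=2):  # cap and LRU policy are assumptions
        self.store = OrderedDict()
        self.max_folders = max_folders
        self.misses = 0

    def list_folder(self, folder_id):
        if folder_id in self.store:           # cache hit
            self.store.move_to_end(folder_id)
            return self.store[folder_id]
        self.misses += 1                      # cache miss: load this folder only
        items = list(DB[folder_id])
        self.store[folder_id] = items
        if len(self.store) > self.max_folders:
            self.store.popitem(last=False)    # drop the least recently used folder
        return items

    def records(self):
        return sum(len(v) for v in self.store.values())

if __name__ == "__main__":
    whole, jit = WholeRepoCache(), JitFolderCache()
    whole.list_folder("root")
    jit.list_folder("root")
    print("records held:", whole.records(), "vs", jit.records())
```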