To configure a relay server, set up an FTP, Explicit FTPS, Implicit FTPS (pull only), or SFTP file server and integrate it with Workspace ONE UEM. Only Android supports Implicit FTPS relay servers in place of Explicit FTPS relay servers, and only in a pull configuration. The Workspace ONE UEM console is not compatible with Implicit FTPS push relay servers.

Important:

If you use the pull service to create a pull-based relay server, you must give SYSTEM full access to the home directory. This access lets the pull service store files in the directory and remove files from it.

Pull Relay Server Security

Client-server applications such as Workspace ONE UEM use the transport layer security (TLS) cryptographic protocol to communicate across a network. TLS is supported by the file transfer protocol (FTP), file transfer protocol over SSL (FTPS), and SSH file transfer protocol (SFTP).

These file transfer protocols secure data only while it is in transit between the client and the server. Because of this limitation, VMware recommends the use of OS-level disk encryption. Several operating system-specific tools are available (for example, BitLocker for Windows and GnuPG for Linux).

Requirements

  • An FTP, Explicit FTPS, Implicit FTPS (Pull only), or SFTP server.
    • Pull service bandwidth needs and minimum hardware requirements are negligible when compared to pushing products to devices. These needs depend entirely on 1) the number of products you are pushing, 2) how often they are pushed, and 3) the size of the products in MB.
    • When assessing hardware and bandwidth needs for FTP servers, consider the following general guidelines and adjust the specifications as your needs change.
    • General FTP Server Guidelines: 2 GHz x86 or x64 processor and 4 GB RAM.
  • You must create an FTP user with a home directory. This user must have read/write/delete permissions for both the directory and the files used in the relay server. This FTP user must have a user name and password for authentication.
  • Workspace ONE UEM supports SFTP servers. However, the supported staging clients, Stage Now (Android) and Rapid Deployment, do not support SFTP servers for use with barcode staging.

Procedure

  1. Navigate to Devices > Staging & Provisioning > Relay Servers > List View and select Add, followed by Add Relay Server.

  2. Complete all applicable settings in the tabs that are displayed.
    Setting – Description

    General

      • Name – Enter a name for the relay server.

      • Description – Enter a description for the relay server.

      • Relay Server Type – Select either Push or Pull as the relay server method.

        Push – This method is typically used in on-premises deployments. The UEM console pushes content and applications contained in the product or staging to the relay server.

        Pull – This method is typically used in SaaS deployments. A web-based application stored in the relay server pulls content and applications contained in the product or staging from the UEM console through an outbound connection.

        For more information on installing a pull server, see Pull Relay Server Configuration.

      • Restrict Content Delivery Window – Enable to limit content delivery to a specific time window. Provide a Start Time and End Time to restrict the delivery of content.

        The start time and end time of the restriction window are based on Coordinated Universal Time (UTC), which the system obtains by converting the console server time into Greenwich Mean Time (GMT).

        Set the system time on the console server accurately to ensure your content is delivered on time.

    Assignment

      • Managed By – Select the organization group that manages the relay server.

        If you want to use the FTPS server for Barcode Enrollment only and not for Product Provisioning, remove all assigned organization groups under the Production Server section.

      • Staging Server – Assign the organization groups that use the relay server as a staging server.

        A staging server only works for the staging process involving the supported staging clients, Stage Now (Android) and Rapid Deployment.

      • Production Server – Assign the organization groups that use the relay server as a production server.

        A production server works with any device with the proper agent installed on it.

    Device Connection

      • Protocol – This is the information the device uses to authenticate with the FTP(S) server when downloading apps and content.

        Select FTP, Explicit FTPS, Implicit FTPS (pull only), or SFTP as the Protocol for the relay server. Only Android supports Implicit FTPS relay servers in place of Explicit FTPS relay servers, and only in a pull configuration.

        If using Explicit FTPS, your Explicit FTPS server must have a valid SSL certificate. Configure the SSL certificate on the Explicit FTPS server.

      • Hostname – Enter the name of the server that hosts the device connection.

      • Port – Select the port established for your server.

        Important:

        The ports you configure when you create your FTP, Explicit FTPS, Implicit FTPS (Android only), or SFTP server must be the same ports you enter when creating a relay server in the Workspace ONE UEM console.

      • User – Enter the server username.

      • Password – Enter the server password.

      • Path – Enter the path for the server.

        This path must match the home directory path of the FTP user. For example, if the FTP user's home directory is C:\ftp\home\jdoe, the path entered into this field must be C:\ftp\home\jdoe.

      • Passive Mode – Enable to force the client to establish both the data and command channels.

      • Verify Server – This setting is only visible when Protocol is set to FTPS.

        Enable to ensure the connection is trusted and there are no SSL errors.

        If left unchecked, then the certificate used to encrypt the data can be untrusted and data can still be sent.

  3. For a push server, select the Console Connection tab and complete the settings. This is the information that the UEM console uses to authenticate with the FTP(S) server when pushing apps and content. The settings are typically identical to the Device Connection tab.

    Press the Test Connection button to test your Console Connection to the push server. Each step of the connection is tested and the results are displayed to help with troubleshooting connection issues.

    Press the Export button on the Test Connection page to export the data from the test as a CSV file.

  4. For a pull server, select the Pull Connection tab and complete the settings.

    Setting – Description

      • Pull Local Directory – Enter the local directory path for the server.

      • Pull Discovery Text – Enter the IP addresses or the MAC addresses of the server. Separate each address with commas.

        IP addresses use periods as normal but MAC addresses do not use any punctuation in this form.

      • Pull Frequency – Enter the frequency in minutes that the pull server should check with the UEM console for changes in the product.

  5. Select Save.
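
The constraints stated in the requirements and in the Device Connection and Pull Connection settings can be checked against a relay server definition before it is saved. The following Python check is an added example, not VMware code: the dictionary field names and the sample values are assumptions made for illustration and do not correspond to a Workspace ONE UEM API or export format.

```python
import ipaddress
import re

def valid_discovery_entry(entry):
    """IPv4 address with periods, or a MAC address with no punctuation."""
    if re.fullmatch(r"[0-9A-Fa-f]{12}", entry):
        return True
    try:
        ipaddress.IPv4Address(entry)
        return True
    except ValueError:
        return False

def lint_relay(cfg):
    """Return findings for one relay definition (hypothetical field names)."""
    out = []
    proto, kind = cfg["protocol"], cfg["type"]
    if proto == "Implicit FTPS" and kind != "Pull":
        out.append("Implicit FTPS is supported in a pull configuration only")
    if proto == "Implicit FTPS" and cfg.get("platform") != "Android":
        out.append("Implicit FTPS is supported on Android only")
    if proto == "SFTP" and cfg.get("staging_groups"):
        out.append("staging clients do not support SFTP for barcode staging")
    if proto.endswith("FTPS") and not cfg.get("verify_server"):
        out.append("Verify Server is off: untrusted certificates are accepted")
    if cfg["path"] != cfg["ftp_home"]:
        out.append("Path differs from the FTP user's home directory")
    if cfg["port"] != cfg["server_port"]:
        out.append("Port differs from the port the file server listens on")
    if kind == "Pull":
        # Comma-separated; IPs keep their periods, MACs carry no punctuation.
        for entry in cfg.get("pull_discovery", "").split(","):
            if not valid_discovery_entry(entry.strip()):
                out.append(f"bad Pull Discovery Text entry: {entry.strip()!r}")
    return out

# Constructed sample definitions: a weak one and its corrected form.
WEAK = {"type": "Pull", "protocol": "Explicit FTPS", "platform": "Android",
        "verify_server": False, "path": "C:\\ftp\\home",
        "ftp_home": "C:\\ftp\\home\\jdoe", "port": 21,
        "server_port": 2121, "staging_groups": [],
        "pull_discovery": "10.0.0.5, 00:1A:2B:3C:4D:5E"}
FIXED = dict(WEAK, verify_server=True, path="C:\\ftp\\home\\jdoe",
             port=2121, pull_discovery="10.0.0.5,001A2B3C4D5E")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, lint_relay(cfg) or "no findings")
```

The weak definition produces four findings (Verify Server off, path mismatch, port mismatch, punctuated MAC address); the corrected one produces none.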