Enable PowerShell Integration in Workspace ONE UEM

To control and manage a remote Exchange instance, enable PowerShell integration through MEM on the UEM console after configuring the PowerShell on the Workspace ONE UEM server.

To enable PowerShell integration:

  1. Navigate to Email > Settingsin the UEM console and select Configure. The Add Email Configuration wizard form displays.

  2. In the Platform wizard form:

    • Select Direct as the Deployment Model.
    • Select Exchange as the Email Type and Exchange 2010/2013/2016 or Office 365 as the Exchange Version. Select Next.
  3. In the Deployment wizard form:

    Setting Description
    Friendly name Enter a friendly name for the PowerShell deployment. This name gets displayed on the MEM dashboard screen for devices managed by PowerShell.
    PowerShell Settings
    PowerShell URL Enter the PowerShell URL which is the PowerShell instance on the email server in relation to the Workspace ONE UEM Server. Typically, the PowerShell URL is in the form of https://<emailserver>/powershell.
    Ignore SSL errors between AirWatch and Exchange server

    To Ignore SSL Errors to allow devices to ignore Secure Socket Layer (SSL) certificate errors between Workspace ONE UEM and Exchange server, select Enable.

    A valid SSL trust must always be established between Workspace ONE UEM and Exchange server using valid certificates.

    PowerShell Authentication
    Use Service Account Credentials Select Enable to use the credentials from the Cloud Connector Application Pool as the Service Account for PowerShell connections.
    Authentication Type

    Select the authentication type based on the Exchange Server settings. The options available are:

    • Basic – Workspace ONE UEM connects to the remote PowerShell endpoint using the basic authentication type.
    • NTLM (Negotiate) – Workspace ONE UEM connects to the remote PowerShell endpoint using the negotiate authentication type.
    • Kerberos – The email server uses Kerberos to authenticate a domain account and NTLM for a local computer account.

    Admin Username

    Enter the user name of the PowerShell Service Account if the Use Service Account Credentials option is not enabled.

    • Domain users must specify the user name in the form of domain\username.
    • Local users on a server computer must specify the user name in the form of servername\username.
    Admin Password

    Enter the password of the PowerShell Service Account if the Use Service Account Credentials option is not enabled.

    Sync Settings
    One time sync after configuration Select Enable to enable this option to sync with PowerShell soon after configuration.
    Limit sync results by

    You can restrict the sync action to certain filtered groups by selecting the options:

    • None – Syncs the devices retrieved by the PowerShell queries.
    • Organization Unit Configuration – Organization Unit Configuration limits the sync results to devices whose users are in the selected Organization Unit in Active Directory. The Organization Unit Base DN is fetched from the Directory Services configuration and the Group Search Filter is the Organization Unit name.
    • Group – Group configuration limits the sync results to specific groups defined in Office 365. You can define these groups by navigating to Exchange Control Panel > Recipients > Groups.

      The Group sync option is available only for Office 365 implementations. The service account must have the privileges to the Get-Group cmdlet.

    • Custom – Custom configuration limits the sync results to devices whose users belong to the specified Custom DN. The Custom DN can be an Organization Unit or specific users' Distinguished Name.

      Custom configuration is useful for piloting PowerShell integration against a small subset of users.
  4. Select Next. The Profiles wizard form displays.
  5. (Optional) If you plan to migrate the users from an existing MEM configuration, then associate a profile with the MEM configuration.
  6. Select Next. The MEM Config Summary form provides a quick overview of the basic configuration you have just created for the PowerShell deployment. Save the settings.
  7. You can select the Add option from the Mobile Email Management Configuration main page to configure more deployments.
  8. Optionally, you can configure the Advanced Settings. To configure, navigate to Email > Settingspage and then select the With_SEG_advanced icon.:
    Setting Description
    PowerShell Sync Batch Size

    The batch size determines the number of CasMailbox and ActiveSyncDevice/MobileDevice objects returned per PowerShell session when using the Sync Mailboxes or Run Compliance features.

     

    The batch size depends on whether VMware Enterprise Systems Connector or Enterprise Integration Service (EIS) is being used. For VMware Enterprise Systems Connector and direct connection, the number of devices is 25000 and for EIS 2500 devices. The PowerShell MEM config detects these conditions and sets the batch size accordingly.

    Manage Active Sync for Mailbox

    Select to enable control of Active Sync at the Mailbox Identity level.

    In proper deployments, it is not necessary as a Global Access State of Block or Quarantine is in use.

    Remove ActiveSync Partnership on Unenroll

    Select to remove partnership of the unenrolled device from Exchange.

    This setting removes unenrolled devices from Exchange when they are removed from AirWatch.

    Sync with entire forest in AD

    Select to add the viewEntireForest option to the PowerShell session.

    This option might be helpful depending on how your company’s Organization Groups are structured.