Run the Workspace ONE UEM executable file on your application servers to install the Workspace ONE UEM console and Device Services features.

For the following procedure, if you are planning to use Windows authentication, then you must be logged in as the account you want to use or you must shift+right-click when you run the installer EXE file and select Run as different user.

  1. On the application server (which is either your Console or DS), open the 9.4 Application folder and run the Workspace ONE UEM Application 9.4.X Full Install.exe.

    Execute the Workspace ONE UEM installer from an account with administrator privileges. If you do not have administrative privileges, right-click and choose Run as Administrator to run the installer.

    The installer stops all the services on the App server automatically.

  2. The installer installs pending server prerequisites, if any.

    Certain software components you might be prompted to download, such as .NET and TLS, require a reboot. Reboot when prompted. The Workspace ONE UEM Installer automatically resumes after the prerequisites install.

  3. Click Next once the Workspace ONE UEM installer begins. The End User License Agreement (EULA) appears.
  4. Accept the EULA and select Next.

  5. Next, specify if you are importing or exporting any Workspace ONE UEM Setup Configurations from or to any other identically configured Workspace ONE UEM servers.
    • Disregard this setting if you are deploying Workspace ONE UEM without any load balanced High Availability (HA) or Disaster Recovery (DR) servers.

    • If you have multiple load-balanced Device Services servers, then you can export settings from the first Device Services server to use on any of the additional Device Services servers and increase install speed or import settings that you have previously exported. For more information, see (Optional) Run the Installer on Additional Device Services Servers.

  6. Select the Workspace ONE UEM features that you want to install on the specific server.
    • In a standard, multi-server environment, enable only the UEM console features or the Workspace ONE UEM Device Services features for the respective server type.

    • If you want to enable Remote Management v3.0 capabilities to provide remote management capabilities to your supported devices, then refer to the Workspace ONE UEM Remote Management v3.0 Guide, available at, which provides steps to enable this functionality through a standalone installer.
  7. The Workspace ONE UEM Prerequisites screen displays to ensure that you meet the requirements. At this point, the installer checks for modules that are required for a successful deployment of Workspace ONE UEM. You are prompted to install any missing components. Select Next.

  8. Choose the directory to install Workspace ONE UEM, and then select Next

  9. Enter information about the Workspace ONE UEM Database.


    • Select Browse next to the Database server text box and select your Workspace ONE UEM database from the list of options. If you are using a custom port, do not select Browse. Instead, use the following syntax:  DBHostName,<customPortNumber>, and then select Browse to select the Database server.
      • i.e.,8043
    • Select one of the following authentication methods:
      • Choose Windows Authentication mode to connect to the database, and then select Next. You are prompted to enter the service account that you want to use. This service account is used to run all the application pools and Workspace ONE UEM related services. This account must be an account that has Workspace ONE UEM Database access.

      • Choose SQL Server Authentication mode to connect to the database. You are prompted to enter the user name and password.
    • Enter the name of the Workspace ONE UEM database or browse the SQL server to select it from a list.
  10. Enter the Internal DNS URL or FQDN of the Console Server in the UEM console DNS/IP Address text box for the Web Console. Enter the External DNS for the Device Services External DNS name text box for the Device Services server.

    Ensure that you are entering the full internal DNS URL or FQDN of the Console Server in the UEM console DNS/IP Address text box. Do not enter the shortname for the server. For example, if the Console server is, do not simply enter awconsole for your URL.

    Ensure that the DNS names are correct and there are no spaces after the end of each. If an error is made, the whole installation must be removed and reinstalled.

    Select whether to enable support for the SOAP API endpoints to be SSL Offloaded by selecting API Server SSL Offloaded?


  11. If the Global Enterprise Manager screen displays, then verify your Company name.

    • Enter your Company Name, which is your organization's SalesForce name provided by Workspace ONE UEM.
    • Select your Environment Type from the drop-down menu.
    • Enter your Installation Token from myAirWatch.
  12. Choose whether you want to participate in the VMware User Experience Improvement Program.

    This program collects and uses technical information related to the performance, configuration and use of Workspace ONE UEM to improve and benchmark its products and services, fix problems, and to advise customers on how to use its products and services.

  13. Choose the Workspace ONE UEM used Web site. By default, the ‘Default Web Site’ is selected.
  14. If you choose to install the AirWatch Cloud Messaging component (selected by default for the Device Services server), you receive a prompt to enter the AWCM settings:
    • Enter for the value of the listening address, which is a wildcard value that tells AWCM to listen on all available interfaces on the server.

      The value for listening address might be a specific IP address matching an interface on the server if this is needed per your network deployment.

      Use 2001 as the AWCM Services Port. Consult your Workspace ONE UEM account services representative before using another port.

    • To automatically use a Workspace ONE UEM certificate without any additional configuration, ensure Use custom SSL Certificate instead of built-in Workspace ONE UEM certificate? is disabled. Otherwise, select the Use custom SSL Certificate instead of built-in Workspace ONE UEM Certificate check box and locate the PFX file of your SSL certificate.

      If you are using your own certificate, ensure that you extract the full chain as part of the PFX file before uploading it.

    • If using SSL offloading through your load balancer, enable AWCM Server SSL Offloaded? and enter in the load balancer hostname.  If you are not SSL Offloading AWCM, then you must upload your Device Services certificate for AWCM.


  15. When deploying AWCM node(s), select a clustering mode.

    • Implicit Clustering – The default, recommended method. Requires load balancer-based persistence.
    • Explicit Clustering – An alternative method for deploying multiple AWCM Nodes that does not use load balancer-based persistence – data is shared in memory across all nodes. For more information, see the Workspace ONE UEM Cloud Messaging Guide.

    If the SQL accounts used for Workspace ONE UEM are created with minimal permissions, you may need to script the SQL account creation on the secondary nodes.

    You will need to query the system table on the primary node to get the hexadecimalSID for the login. Use the following query:

    USE [master]


    Once you get the SID, the script below can be used to create the login on secondary nodes.

    USE [master]


    CREATE LOGIN [SqlLogin] WITH PASSWORD=N'[Password]’, SID=[HexadecimalSID], DEFAULT_DATABASE=[myDatabase], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=[setting], CHECK_POLICY=[setting]

  16. Click Install when prompted.

    If you install using Windows Server 2016, a dialog box prompts you to disable HTTP2 support. Disable and continue.

  17. Click Finish once all the files are copied to the server to complete the Workspace ONE UEM installation.

    The installation log file can be viewed by selecting a check box before Finish is selected.

    Internet Explorer auto-launches and may fail, since IIS has not yet fully refreshed the Web sites.

  18. Close Internet Explorer and run Chrome.

    For the Console: Type https://localhost/airwatch to verify that the UEM console renders successfully.

    For Device Services: Type https://localhost/devicemanagement/enrollment to verify that the device Group ID prompt is shown.

    Since the SSL certificate is not bound to the localhost session, an error displays. Select Proceed to view the site. The first time the Web site displays, it may take up to minute to resolve.

  19. If necessary, reset IIS using the Command Prompt to bring the site online: iisreset

As part of the standard, multi-server installation, you must now go through the procedure again, this time for the other app servers. If you have extra device services servers, then you must run the installer on each additional Device Services server.

If you are enabling SQL AlwaysOn, you must replicate the SQL Agent Jobs on the any additional database servers. For more information, see Replicating SQL Agent Jobs on the Secondary Database Server.