VMware Workspace ONE AirLift is a server-side connector that simplifies and speeds your journey to modern management. Workspace ONE AirLift bridges administrative frameworks between Microsoft System Center Configuration Manager (ConfigMgr), Active Directory, and Workspace ONE UEM powered by AirWatch. Before you can use Workspace ONE AirLift to bridge ConfigMgr to Workspace ONE UEM, you must meet the prerequisites and requirements.

Important: The Workspace ONE AirLift tool reached end-of-support (EoS) and end-of-availability (EoA) as of October 31st, 2022. The Workspace ONE AirLift tool has been removed from the Workspace ONE portal. Current Airlift installations will no longer be supported and no new updates will be made available. For more information please refer to: https://kb.vmware.com/s/article/89506.

This bridge allows you to focus on moving workloads and applications to Workspace ONE UEM without redefining device and group memberships. Workspace ONE AirLift lets you export collections, apps, and policies to Workspace ONE UEM on a case-by-case basis.

The dashboard provides a visualization of the transition and shows the progress for devices and applications. The dashboard also displays top modern management workloads to show you what functionality you use on your devices. You can also see an enrollment history and percentage complete within ConfigMgr collections.

Admin Credentials in ConfigMgr

Workspace ONE AirLift communicates with ConfigMgr for collection mapping, app exporting, and enrollment. Workspace ONE AirLift requires an admin account with a minimum level of permissions in ConfigMgr.

Collections

Workspace ONE AirLift allows you to map your existing ConfigMgr device collections to Workspace ONE UEM smart groups. Workspace ONE AirLift dynamically monitors the device collections and keeps both platforms consistent. Workspace ONE AirLift uses Workspace ONE UEM tags to add devices to smart groups after enrollment. These tags use a naming scheme with the prefix co-mgt to clarify the source of the membership. This process is called ‘collection mapping’ and is accomplished in the Workspace ONE AirLift console. You can remove mappings once the transition to modern management is complete.

Enrollment

Workspace ONE AirLift allows you to enroll devices Workspace ONE UEM with a ConfigMgr enrollment application. Configure and create the enrollment application with a blueprint and the required software. Simplify and speed up the transition to modern management for proof of concepts, pilots, and production implementations using collection mapping and streamlined enrollment with Workspace ONE AirLift.

Applications

Workspace ONE AirLift also provides the means to export applications from ConfigMgr to Workspace ONE UEM. You can then deploy and manage applications from the Workspace ONE platform. Workspace ONE AirLift provides validations so you aware of any additional configuration applications might need. You can also create an app validation report for project plans that involve app rationalization or portfolio management. The CSV-format report allows you to target a specific list of apps and view and validations issues that need to be addresses before you export.

Policies

You can have a burdensome number of group policies in your current environment and want to transition some of these policies to modern management. Workspace ONE AirLift lets you map and export your existing GPO policies to the Workspace ONE UEM console. Workspace ONE UEM converts these exported policies into MDM policies with custom profiles based on Windows Configuration Service Providers.

Requirements

You must meet these requirements if you are a SaaS or on-premises customer.

Workspace ONE AirLift must communicate with different services depending on the features you plan to use.
  • If you plan to use collection mapping, app export, and enrollment, you must configure Workspace ONE AirLift to communicate with ConfigMgr.
  • If you plan to use policy mapping, you must configure Workspace ONE AirLift to communicate with your active directory.

Hardware Requirements

Ensure that your server meets the necessary hardware requirements before installing.

Hardware Requirements Details
VM or Physical Server 2 CPU Core (2.0+ GHz)

4 GB RAM or more

1 GB disk space for the Workspace ONE AirLift application, operating system, and .NET Core runtime. Consider having 5 GB of disk space.

Software Requirements

Ensure that your server meets the software requirements before installing.
Software Requirement Details
Browser Workspace ONE AirLift supports the most recent versions of Chrome, Firefox, and Edge. Internet Explorer is not supported.

To maximize automation, the Workspace ONE AirLift server must be online and able to retrieve software from Microsoft and Mongo.
Operating System Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, or Windows 10
Note: Workspace ONE AirLift does not support Windows Server 2012 R2 configured as domain controllers.
Remote Server Administration Tools This requirement only applies if you plan on using policy mapping.

You must install Remote Server Administration Tools (RSAT) on the Workspace ONE AirLift server.

  • Installing RSAT for Windows Server through Server Manager:
    • Add Features and Roles > Features > Group Policy Management
    • Add Features and Roles > Features > Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools
  • Installing RSAT on Windows 10:

Network Requirements

Ensure that your server meets the network requirements before installing.

Network Requirement Details
Domains Microsoft System Center Configuration Manager (ConfigMgr) and Workspace ONE AirLift must be on the same domain.
Workspace ONE AirLift to SCCM communication You must allow Workspace ONE AirLift the following access to the ConfigMgr server:
  • WinRM port (typically 5985)
  • Port 443 or the specified TLS port if Secure Connection is configured.
  • Interactive Log in Permissions - Ensure that AD user account settings or security policy settings do not deny local log in.
Workspace ONE AirLift to Workspace ONE UEM console You must allow Workspace ONE AirLift the following access to the UEM console:
  • Access to the Console/API server using Port 443.
Workspace ONE AirLift to Active Directory This requirement only applies if you plan on using policy mapping.

You must allow Workspace ONE AirLift access to the SYSVOL directory. The directory must contain the PolicyDefinitions folder. To map third-party ADMX settings, you must include those ADMX files in the PolicyDefinitions folder.

If there is no PolicyDefinitions folder in the SYSVOL location:

  1. Log in to your AD server .
  2. Copy the local PolicyDefinitions folder located in C:\Windows in the AD server.
  3. Paste the folder to the Active Directory SYSVOL location. For example: \\[company].com\SYSVOL\[company].com\Policies\PolicyDefinitions

Workspace ONE UEM Requirements

Ensure your Workspace ONE UEM deployment meets the requirements before installing.

Workspace ONE UEM Requirements Details
Version Workspace ONE UEM 1903 or later
Admin account Admin account with API-level permissions. For on-premises customers, the admin account cannot be a Global-level admin. Only use a child customer organization group admin account.

ConfigMgr Requirements

Ensure your ConfigMgr deployment meets the requirements before installing Workspace ONE AirLift.

ConfigMrg Requirements Details
Version Microsoft Systems Center Configuration Manager 2012 R2 or later
Admin Account Workspace ONE AirLift requires an admin account with a minimum level of permissions. You must create an admin account with the listed permissions in ConfigMgr.
  •  Basic permissions - Cannot create an enrollment app or enroll devices.
    • Application - Read
    • Collection - Read, Read Resource
    • Distribution Point - Read
    • Distribution Point Group - Read
    • Package - Read
  • To enroll devices:
    • Collection - Distribute Applications
  • To create an enrollment app:
    • Application - Create, Modify
  • To manage distribution:
    • Distribution - Copy to Distribution Point
Content Location Workspace ONE AirLift requires an admin account with read access to the ConfigMgr content location. If you plan to create a Workspace ONE enrollment application, Workspace ONE AirLift needs write access to the content location.

Active Directory Requirements

Ensure that Active Directory deployment meets the requirements before installing Workspace ONE AirLift.

Active Directory Requirements Details
Read permissions for group policy processing and policy definitions location. This requirement only applies if you plan on using policy mapping.Workspace ONE AirLift requires a domain account with read permissions for any GPO you want to export.

Access Files

You can access the MongoDB MSI file at https://fastdl.mongodb.org/win32/mongodb-win32-x86_64-2008plus-ssl-3.6.5-signed.msi.

You can access the SQL Server EXE file at https://download.microsoft.com/download/E/F/2/EF23C21D-7860-4F05-88CE-39AA114B014B/SQLEXPR_x64_ENU.exe.