The Content Management solution supports integration with your Corporate File Servers (CFS). Corporate File Servers refer to existing repositories that reside within an organization's internal network.

Features

Corporate File Server integration supports the following features:

  • Secure integration
  • Protect access to organization's internal network
  • Advanced integration options using Content Gateway

Security

The Content Management solution provides the following security options:

  • SSL encryption for data transit
  • Control access and download rights of Workspace ONE UEM administrators
  • Content stored within organization's network
  • Only metadata stored in Workspace ONE UEM database. Support for review and management of the stored metadata.

Deployment

Depending on an organization's structure, the Workspace ONE UEM administrator might or might not have administrative permissions for a CFS. After the Content Management solution is integrated with CFS, the end-user devices can sync the content from the servers using VMware Workspace ONE Content.

Support for Corporate File Servers

Workspace ONE UEM supports integration with various corporate file servers. The syncing method support and requirement of the Content Gateway component vary by repository type.

Available Sync Methods

Review the available syncing methods for repositories:

  • Admin – Refers to a repository that gets fully configured and synced by an administrator in the UEM console. Each assigned user receives the same static link to the file repository.
  • Automatic – Refers to a repository that gets configured by an administrator in the UEM console but allows the admin to use dynamic lookup values. The repository gets synced by end users on their devices. Each assigned user receives a unique or semi-unique link to a file repository. This is a useful option for linking to users' home directories.
  • Manual – Refers to a repository that gets configured in the UEM console, but allows the admin to set a static and wildcard portion of a link. Each end user can manually add the repository link that complies with the format set by the admin and sync the repository on their device.

Note: Regardless of how many files the repository folders contain, only 1K files in any folder, taken in alphabetical order, are synced to the device.

Corporate File Server Matrix

Use the matrix to determine the supported syncing methods and Content Gateway requirements by repository type:

Available Repositories Admin Automatic Manual
Box
CMIS
Google Drive
Network Share
OneDrive
OneDrive for Business
OneDrive for Business ADFS
OneDrive for Business OAuth
SharePoint
SharePoint ADFS
SharePoint O365
SharePoint O365 ADFS
SharePoint O365 OAuth
SharePoint - Personal (My Sites)
SharePoint WebDAV
SharePoint Windows Auth
WebDAV
Access through Content Gateway
Box
CMIS ✓+ ✓+ ✓+
Google Drive
Network Share ✓+ ✓+ ✓+
OneDrive
OneDrive for Business
OneDrive for Business ADFS
SharePoint
SharePoint ADFS
SharePoint O365
SharePoint O365 ADFS
SharePoint - Personal (My Sites)
SharePoint WebDAV
SharePoint Windows Auth (Content Gateway for Linux)
SharePoint Windows Auth (Content Gateway for Windows)
WebDAV
Document Extensions
Box
CMIS
Google Drive
Network Share ✓* ✓* ✓*
OneDrive
OneDrive for Business
OneDrive for Business ADFS
OneDrive for Business OAuth
SharePoint ✓** ✓** ✓**
SharePoint ADFS ✓** ✓** ✓**
SharePoint O365 ✓** ✓** ✓**
SharePoint O365 ADFS ✓** ✓** ✓**
SharePoint O365 OAuth
SharePoint - Personal (My Sites) ✓**
SharePoint WebDAV ✓**
SharePoint Windows Auth ✓** ✓** ✓**
WebDAV ✓* ✓* ✓*
Legend:
¥ = The VMware Content Gateway on Linux servers supports only SMB v2.0 and SMB v3.0. The default supported version is SMB v2.0.
✓+ = Required
✓ = Supported
= Not Supported
✓* = Supported, with limitations. Access limited to files from repositories previously opened in the VMware Workspace ONE Content.
✓** = Supported, with limitations. Access limited to files previously downloaded in the Workspace ONE Content.

Enable End-User Access to Corporate File Server Content

Sync your network's existing corporate file servers with Workspace ONE UEM by configuring an Admin Repository, an Automatic User-Added Repository, or a Manual User-Added repository. The available configurations impact the trigger that initiates the syncing of content to devices.

Use this macro-level configuration overview to gain insight into the start-to-finish process of enabling end-users access to the Corporate File Server content.

  1. Configure a repository in the UEM console.
  2. Download and run the configured Content Gateway installer.
  3. Verify connectivity between the UEM console and Content Gateway.
  4. Evaluate your organization's need for multiple Content Gateway nodes.

    Global organizations with concerns about latencies caused by geographical separations can use this functionality.

  5. Configure an Admin repository or sync Corporate File Servers (CFS) in the UEM console.

    If configuring an Admin Repository, select Test Connection to ensure connectivity.

  6. Configure VMware Workspace ONE Content in the UEM console.

  7. Deploy Workspace ONE UEM Applications to your device fleet.

Configure an Admin Repository

Configure an Admin repository to sync your network's existing corporate file servers with Workspace ONE UEM. After the sync, end users can access the Corporate File Server content from their devices.

  1. Navigate to Content > Repositories > Admin Repositories in the UEM console.
  2. Select Add.
  3. Configure the settings that appear.

    Setting – Description
    Name – Label the content directory.
    Type – Select a Corporate File Server from the drop-down menu.
    Link – Provide the full path to the directory location rather than the root domain.
    Example: http://SharePoint/Corporate/Documents
    A URL copied directly from a web browser might not have permission to access a server for certain repository types.
    Organization Group – Assign Corporate File Server access to a selected group of users.
    Use PIV-D Derived Credentials – This setting is available only when SharePoint is selected as the repository type. Select the check box to use the PIV-D certificate authentication to authenticate the users instead of user names and passwords. PIV-D certificate authentication is for authenticating the users who want to access the on-prem SharePoint repositories from their devices.

    Note: Enabling use of a PIV-D Derived Credential requires Kerberos configuration in the Content Gateway settings.

    For information about the certificate authentication settings on Content Gateway, see the Configure Content Gateway on the UEM Console topic in the Content Gateway documentation.
    Access via Content Gateway – Use the Content Gateway if the Workspace ONE UEM server’s domain cannot access the Corporate File Server.
    Content Gateway – Identify the unique name of the appropriate Content Gateway node from the drop-down menu.
    Allow Inheritance – Permit child organization groups to inherit the same access permissions as their parent organization group.
    Allow Write – Permit end users to create and upload files and folders, edit documents, and check in or check out files to external repositories on their devices.
    Allow File Actions – This setting is available only when SharePoint O365 OAuth or OneDrive for Business OAuth is selected as the repository type. Select the check box to allow the Workspace ONE Content app users to rename, move, delete files on cloud repositories.
    Allow Delete – Permits remote content delete for the Network Share repository. With this feature, the end user can delete their content permanently from the Network Share repository using the Workspace ONE Content app.
    Authentication Type – Select the access level admins have to Corporate File Servers from the UEM console.

    None – Prevent administrators from viewing and downloading Corporate File Server content from the UEM console.
    User – Permit browsing of the repository file structure within the UEM console. Enter credentials into the Username and Password text boxes that appear.
    Note: If the Use PIV-D Derived Credentials check box is selected, then the password text box does not appear. Provide the User Principal Name for the user in the Username text box.
  4. Select Test Connection to verify connectivity. A successful test result indicates the corporate file server integrated successfully.

  5. Complete the details under the Security, Assignment, and Deployment tabs.

    a. On the Security tab, complete the text boxes to control how the end users share and move sensitive documents outside of corporate mediums.

    The Force Encryption setting has been removed since Workspace ONE UEM console version 9.5. The VMware Workspace ONE Content app encrypts all the files by default, whether the setting is available or not.

    Setting – Description
    Document Sharing – Disable the sharing settings for maximum security. You can enable them for configuring end-user collaboration.
    Access Control – Set to Allow Offline Viewing to give end users the most viewing freedom for their document. Configure Allow Online Viewing Only to ensure that all devices accessing content are compliant, as Workspace ONE UEM cannot scan offline devices for compliance.
    Allow Open in Email – Allow the content to open in emails. Users cannot open files that are larger than 10 MB. To allow users to open files larger than 10 MB, you must edit such files on the UEM console and enable this option. Files in user repositories cannot be edited.
    Allow Open in Third Party Apps – Give the permission to open this content in other applications. You can set a list of approved apps in the SDK Profile. Disabling this option also disables the end user's permission to print the PDF documents from the iOS VMware Workspace ONE Content.
    Allow Saving to Other Repositories – Select to allow your end users to save this file to their Personal Content.
    Enable Watermark – Select to add a watermark overlay to the file. Configure the Overlay Text for the watermark as part of an SDK profile.
    Allow Printing – Give the end users the permission to print PDF documents from the iOS VMware Workspace ONE Content using AirPrint server. Once printed, content falls out of the control of the Workspace ONE UEM administrator. Printing is supported only if Allow Open in Third Party Apps is enabled.
    Allow Edit – This setting only applies to write-enabled repositories.

    b. On the Assignment tab, configure the settings to control which users have access to content. This function ensures that only authorized employees have access to confidential or sensitive material and allows you to set up a tiered hierarchy of content access.

    Setting – Description
    Device Ownership – Define as Any, Corporate-Dedicated, Corporate-Shared, Employee Owned or Undefined.
    Organization Groups – To assign the content to a new group, start typing in the text box.
    User Groups – Designate groups if you are integrating with Directory Services or custom user groups.

    c. On the Deployment tab, configure the settings to control how and when your end users access content.

    Setting – Description
    Transfer Method – Specify Any method or Wi-Fi Only from the drop-down menu. Restricting transfers to Wi-Fi forces devices to check in with Workspace ONE UEM to ensure compliance.
    Download While Roaming – Enable to allow your end users to download the content while roaming.
    Download Type – Set to deploy content one of two ways:

    Automatically – Installs on devices when content becomes available.
    On Demand – Installs on devices only at the end user's request.
    Download Priority – Define to let your end users know if the content download is Normal, High, or Low priority.
    Required – Select to flag the content as required in the VMware Workspace ONE Content. End users must download and review the required content in order for their devices to maintain compliance with Workspace ONE UEM.
    Effective Date – Specify to configure a limited range of content availability.
    Expiration Date – Specify to configure a limited range of content availability.
  6. Select Save.

Access the Correct Link

Ensure Content Gateway is configured with the correct link. This specific rule applies to SharePoint 2013, Office 365, and the later versions. Some URLs cannot be accessed using applications and services, and can only be accessed using a web browser. If a 'browser only' URL gets entered as the link when configuring Content Gateway, the connection fails.

  1. Enter the URL in the browser.
  2. Navigate to PAGE > Edit Properties > View Properties.
  3. Right click and copy the link address.
  4. Paste the address into the Link text box in the UEM console.

Enable Users to Sync Corporate File Servers

Integrate Workspace ONE UEM with existing content repositories by configuring an Automatic or Manual Template that end users sync to from their devices. After the sync, the end users can access the Corporate File Server content from their devices. Using Content Gateway with Corporate File Servers allows the end users to securely add, edit, and upload content to the Corporate File Server.

The steps can vary when configuring an Automatic or Manual Template.

  1. Navigate to the appropriate page in the UEM console.

    Corporate File Server Type – Location
    Automatic Template – Content > Repositories > Templates > Automatic
    Manual Template – Content > Repositories > Templates > Manual
  2. Select Add.

  3. Complete the text boxes that appear. The text boxes can change when configuring an Admin Repository, an Automatic Template, or a Manual Template.

    Setting – Description
    Name – Label the content directory.
    User Repository Name (auto template only) – Use look-up values to name the repository after the end user within the VMware Workspace ONE Content.
    Type – Select a Corporate File Server from the drop-down menu.
    Link – A URL copied directly from a web browser might not have permission to access a server for certain repository types.
    Link (auto template only) – Use look-up values to create a repository when an end user accesses the VMware Workspace ONE Content.

    Example: https://sharepoint.acme.com/share/{EnrollmentUser}
    Link (manual template only) – Provide the path to the directory location using * as a wildcard for a domain link.

    Example: http://*.sharepoint.com
    You can add a new link to an existing manual template but cannot edit or delete an existing link. Exercise caution when you add new links that are in the denylist, as you cannot edit or delete the links if there is any error. Any corrections to the links require deleting the entire template.
    Denied Link(s) – Specify the values for the wildcard character (*) in the file paths. The values specified for * at the beginning and the end of the file path stop your users from creating manual repositories and sub folders using the manual template.
    Organization Group – Assign Corporate File Server access to a specified group of users.
    Use Derived Credentials – This setting is available only when SharePoint is selected as the repository type. Select the check box to use the PIV-D certificate authentication to authenticate the users instead of user names and passwords. PIV-D certificate authentication is for authenticating the users who want to access the on-prem SharePoint repositories from their devices.

    Note: Enabling use of a PIV-D Derived Credential requires Kerberos configuration in the Content Gateway settings.

    For information about the certificate authentication settings on Content Gateway, see the Configure Content Gateway on the UEM Console topic in the Content Gateway documentation.
    Access via Content Gateway – Use the Content Gateway if the Workspace ONE UEM server’s domain cannot access the Corporate File Server.
    Allow Inheritance – Allow child organization groups to inherit the same access permissions as their parent organization group.
    Allow Write – Allow end users to create and upload files and folders, edit documents, and check in or check out files to external repositories on their devices.
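
Added example (not VMware code): a model of how an Automatic template link expands per user and how a Manual template with denied wildcard values can screen a link that an end user adds. The matching rules (each * limited to one host label or path segment, the character set allowed in lookup values) and all function names are assumptions; this page does not specify how UEM evaluates them.

```python
import re

# Link formats copied from the examples on this page.
AUTO_TEMPLATE = "https://sharepoint.acme.com/share/{EnrollmentUser}"
MANUAL_TEMPLATE = "http://*.sharepoint.com"

# Assumption: lookup values may contain only these characters.
SAFE_LOOKUP = re.compile(r"[A-Za-z0-9._@-]+")


def expand_auto_link(template, lookups):
    """Replace {LookupValue} tokens with per-user values.

    Values that could alter the path (slashes, '.', '..') are refused so a
    user's link always stays under the directory the admin configured.
    """
    def substitute(match):
        value = lookups[match.group(1)]  # KeyError for an unknown lookup name
        if not SAFE_LOOKUP.fullmatch(value) or value in (".", ".."):
            raise ValueError(f"unsafe lookup value: {value!r}")
        return value

    return re.sub(r"\{(\w+)\}", substitute, template)


def manual_link_pattern(template):
    """Compile a manual template into a regex.

    Assumption: '*' matches exactly one host label or path segment, never a
    dot or slash, so the fixed part of the template cannot be moved into the
    path of a different host. A sub folder path may follow the template.
    """
    fixed_parts = [re.escape(part) for part in template.split("*")]
    body = "([A-Za-z0-9-]+)".join(fixed_parts)
    return re.compile(body + r"(?:/.*)?", re.IGNORECASE)


def check_manual_link(link, template, denied_values=()):
    """Return (allowed, reason) for a link an end user tries to add."""
    match = manual_link_pattern(template).fullmatch(link)
    if match is None:
        return False, "does not match template"
    denied = {value.lower() for value in denied_values}
    hits = [g for g in match.groups() if g.lower() in denied]
    if hits:
        return False, f"wildcard value {hits[0]!r} is denied"
    return True, "ok"


if __name__ == "__main__":
    print(expand_auto_link(AUTO_TEMPLATE, {"EnrollmentUser": "jdoe"}))
    # Constructed sample links.
    for url in ("http://hr.sharepoint.com/sites/docs",
                "http://files.example.net/a.sharepoint.com"):
        print(url, check_manual_link(url, MANUAL_TEMPLATE, ["hr"]))
```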

PIV-D Certificate Authentication Support

Workspace ONE Content app users are granted access to on-prem SharePoint repositories after the users are authenticated using the PIV-D Derived Credentials. Certificate-based authentication eliminates the requirement of user name and password.

On-prem repositories such as SharePoint can be configured to use the PIV-D Derived Credentials for authentication. Configuring the SharePoint repository to use the PIV-D Derived Credential requires Kerberos configuration in the VMware Content Gateway settings.

The following prerequisites must be considered for setting up the PIV-D Certificate Authentication:

  • Kerberos Constrained Delegation (KCD) server must be set up with proper SPNs (Service Principal Names).

  • Active Directory must be synced with Workspace ONE UEM, with User Principal Name (UPN) as an attribute.

  • Service account must be available to both Workspace ONE UEM and VMware Content Gateway to use as part of the Kerberos authentication workflow.

  • Content Gateway must be provided a trusted certificate from the Certificate Authority (CA) issuing the user certificates. These certificates might be only intermediate certificates or the entire certificate chain depending on validation requirements on the CA.

Cache Performance

When the entire corporate repository is cached, memory spikes can occur on the Device Services server due to the low internal memory. Each time, the cache must be disabled to overcome the load on the Device Services server.

Note: The database script that is used to disable cache is no longer applicable from Workspace ONE UEM 1904 version. The cache can be disabled by switching the ContentCacheFeatureFlag to false in the API, https:// /api/system/featureflag/ /<OG_GUID>/false.

The just-in-time caching strategy eliminates the low memory issue by caching only those folders and content records that are accessed by the user. The unwanted folders and contents are removed from the cache.

The folders are cached individually using a folderId cache key as opposed to caching the entire repository using the RepoId cache key.

In a cache miss, the Device Services server loads only the metadata of the current folders from the database and stores it in the cache. In a cache hit, the Device Services server reads only the root level folder structure from the cache.
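
Added example (not VMware code): a model of the folderId-keyed just-in-time cache described above, showing how many metadata records stay in memory compared with caching a whole repository. The least-recently-used eviction rule, the folder limit, and all names are assumptions; the page says only that unwanted folders and contents are removed from the cache.

```python
from collections import OrderedDict


class FolderMetadataCache:
    """Cache folder metadata under a per-folder key, bounded in size."""

    def __init__(self, load_folder, max_folders):
        self._load = load_folder        # callable: folder_id -> metadata records
        self._max = max_folders         # assumed limit on cached folders
        self._entries = OrderedDict()   # folder_id -> records, oldest first
        self.db_loads = 0               # number of database reads performed

    def get(self, folder_id):
        if folder_id in self._entries:              # cache hit: no database read
            self._entries.move_to_end(folder_id)
            return self._entries[folder_id]
        self.db_loads += 1                          # cache miss: load this folder only
        records = self._load(folder_id)
        self._entries[folder_id] = records
        while len(self._entries) > self._max:       # evict least recently used folder
            self._entries.popitem(last=False)
        return records

    def cached_folders(self):
        return list(self._entries)

    def cached_records(self):
        return sum(len(records) for records in self._entries.values())


def make_repo(folders, files_per_folder):
    """Constructed sample repository: folder_id -> list of file metadata."""
    return {
        f"folder-{i}": [{"name": f"doc-{i}-{j}.pdf", "size": 1024}
                        for j in range(files_per_folder)]
        for i in range(folders)
    }


def browse(repo, visits, max_folders=3):
    """Replay the folders a user opens and return the resulting cache."""
    cache = FolderMetadataCache(repo.__getitem__, max_folders)
    for folder_id in visits:
        cache.get(folder_id)
    return cache


if __name__ == "__main__":
    repo = make_repo(folders=50, files_per_folder=100)
    visits = ["folder-0", "folder-1", "folder-0", "folder-2", "folder-3"]
    cache = browse(repo, visits)
    whole_repo = sum(len(records) for records in repo.values())
    print("records if the whole repository were cached:", whole_repo)
    print("records held by the per-folder cache:", cache.cached_records())
    print("database loads:", cache.db_loads, "cached:", cache.cached_folders())
```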
