Configure a Relay Server Cloud Connector for product provisioning by selecting an FTP, Explicit FTPS, Implicit FTPS (Pull only), SFTP file server, or HTTPS (pull only) protocol and integrating it with Workspace ONE UEM powered by AirWatch.

Important: If you use the pull service to create a pull-based relay server, you must give the home directory SYSTEM full access. This configuration means the pull service stores and removes files from the directory.

Client-server applications such as Workspace ONE UEM use the transport layer security (TLS) cryptographic protocol to communicate across a network. Three transfer protocols support TLS. The file transfer protocol (FTP), the file transfer protocol over SSL (FTPS), and the SSH file transfer protocol (SFTP).

These file transfer protocols only secure those parts of the process where data is in transit between the client and the server. Because of this limitation, use an OS-level disk encryption. There are several operating system-specific tools available (for example BitLocker for Windows, GnuPG for Linux).

As an alternative to traditional push or pull relay service, Workspace ONE UEM supports the creation of a Relay Server Cloud Connection (RSCC). An RSCC is a hybrid solution that pulls content (products only) from a content service endpoint and distributes that content (products only) to your relay servers. This design can bring performance improvements over a traditional pull relay server. This Relay Server workflow includes RSCC options.

Prerequisites

  • You need an FTP, Explicit FTPS, Implicit FTPS in Pull configuration (Android only), SFTP, or HTTPS (Pull only) file server.
    • Implicit FTPS relay servers are only supported in a pull configuration and can only be used with Android devices.
    • Pull service bandwidth needs and minimum hardware requirements are negligible when compared to pushing products to devices. Such needs are entirely dependent upon 1) the number of products you are pushing, 2) how often they are pushed, and 3) the size of the products in MBs.
    • When assessing hardware and bandwidth needs for FTP servers, consider following general guidelines and adjust their specifications as your needs change.
    • General FTP Server Guidelines: 2 GHz x86 or x64 processor and 4 GB RAM.
  • You must create an FTP user with a home directory. This user must have read/write/delete permissions for both the directory and the files used in the relay server. This FTP user must have a user name and password for authentication.
  • Workspace ONE UEM supports SFTP servers, however, the supported staging clients, Stage Now (Android), and Rapid Deployment, do not support SFTP servers for use with barcode staging.
  • If selecting an HTTPS protocol (pull configuration only), you must configure the HTTPS endpoint using the web server configuration tool of choice (for example, IIS). The root directory you opt in the web server config must be the same as the Pull Local Directory of the relay server.
  • FTP and FTPS servers must be compliant with RFC 959 and RFC 2228 set by the Internet Engineering Task Force.

Procedure

  1. Navigate to Groups & Settings > All Settings > Admin > Product Provisioning and set the Relay Server Cloud Connector option to Enabled.
  2. Navigate to Devices > Provisioning > Relay Servers > List View and select the Add button, followed by Add Relay Server.
  3. Complete all applicable settings in the tabs that are displayed.
    Table 1. General Tab
    Setting Description
    Name Enter a name for the relay server.
    Description Enter a description for the relay server.
    Relay Server Type

    Select either Push or Cloud Relay as the relay server method.

    Push – This method is typically used in on-premises deployments. The console pushes content and applications contained in the product or staging to the relay server.

    Cloud Relay – Designed for SaaS deployments, the Relay Server Cloud Connector (RSCC) pulls content (products only) from a content service endpoint and distributes that content (products only) to your relay servers.

    Log Level

    This option is available only for Cloud Relay server types.

    Select the level of detail you want the log to capture as your relay server operates. Error to log only when things go wrong or Debug to capture all available detail.

    Restrict Content Delivery Window

    Enable limits the content delivery to a specific time window. Provide a Start Time and End Time to restrict the delivery of content.

    The start time and end time of the restriction window is based on Coordinated Universal Time (UTC), which the system obtains by converting the console server time into Greenwich Mean Time (GMT).

    Set the system time on the console server accurately to ensure that your content is delivered on time.

    Table 2. Assignment Tab
    Setting Description
    Managed By

    Select the organization group that manages the relay server.

    Android and Windows Rugged Only: If you want to use the FTPS server for Barcode Enrollment only and not for Product Provisioning, remove all assigned organization groups under the Production Server section.

    Staging Server Assigned Organization Groups

    This option is available only for Push server types.

    Assign the organization groups that use the relay server as a staging server.

    A staging server only works for the staging process involving the supported staging clients, Stage Now (Android), and Rapid Deployment.

    Production Server Assigned Organization Groups

    This option is available only for Push server types.

    Assign the organization groups that use the relay server as a production server.

    A production server works with any device with the proper Workspace ONE Intelligent Hub installed on it.


    • If you selected Push as your Relay Server Type in the General tab, then complete the Device Connection tab that follows.
    • Otherwise, for Relay Server selections, skip this step and proceed to step 5.
    Table 3. Device Connection Tab (only available for Push Relay Server Selections)
    Setting Description
    Protocol

    The information the device uses to authenticate with the FTP server when downloading applications and content.

    Select between FTP, Explicit FTPS, Implicit FTPS in Pull configuration (Android only), SFTP, or HTTPS (Pull only) as the Protocol for the relay server.

    Only Android supports Implicit FTPS relay servers instead of Explicit FTPS relay servers and only in a pull configuration.

    If using Explicit FTPS, your Explicit FTPS server must have a valid SSL certificate. Configure the SSL certificate on the Explicit FTPS server.

    If selecting an HTTPS protocol, you must configure the HTTPS endpoint using the web server configuration tool of choice (for example, IIS).

    Hostname Enter the name of the server that hosts the device connection.
    Port

    Select the port established for your server.

    Important: The ports you configure when you create your FTP, Explicit FTPS, Implicit FTPS in Pull configuration (Android only), SFTP, or HTTPS (Pull only) server must be the same ports you enter when creating a relay server in the Workspace ONE UEM console.
    User Enter the server user name.
    Password Enter the server password. Passwords may not contain the colon : special character.
    Path

    Enter the path for the server.

    This path must match the home directory path of the ftp user. For example, if the ftp user's home directory is c:\ftp\home\jdoe, the path entered into this text box must be c:\ftp\home\jdoe.

    Passive Mode

    Passive Mode forces the server to select the data port on behalf of the device. Select Enabled for this option.

    Conversely, Active Mode directs both the server and the device to use pre-defined ports for transfer. Select Disabled for this option.

    Verify Server

    This setting is only visible when Protocol is set to FTPS.

    Enable to ensure that the connection is trusted and there are no SSL errors.

    If left deselected, then the certificate used to encrypt the data can be untrusted and data can still be sent.

    1. Next, select the Cloud Relay Connection Tab and complete the settings.

      The Cloud Relay Connection tab contains information that the console uses to authenticate with the FTP(S) server when pushing applications and content. The settings are typically identical to the Device Connection tab. Select the Copy Values From Device Connection button to save yourself from having to enter values from the Device Connection tab manually.

      Go directly to step 6.

  4. If you selected Cloud Relay as your Relay Server Type in the General tab, then select the Pull Connection Tab and complete the settings.
    Setting Description
    Pull Local Directory.

    Enter the local directory path for the server.

    The directory you enter here must be the same as the root directory you opt when configuring an HTTPS endpoint on the webserver. For example, if you have configured an HTTPS endpoint and selected c:\rootfolder as your root directory in IIS, then you must use c:\rootfolder for your Pull Local Directory.

    Pull Discovery Text.

    Enter the IP addresses or the MAC addresses of the server. Separate each address with commas.

    IP addresses use periods as normal but MAC addresses do not use any punctuation in this form.

    Pull Frequency. Enter the frequency in minutes that the pull server monitors with the UEM console for changes in the product.
    Max Pull Connections Modify this value to throttle the maximum number of simultaneous connections used to pull content from the Workspace ONE Cloud. The default value is 2.
    Max Push Connections Modify this value to throttle the maximum number of simultaneous connections used to push content to Relay Servers. The default value is 50.
    Report Status Batch Size As content is distributed to targets Relay Servers, Cloud Relay reports the transfer status of each Relay Server to the Workspace ONE Cloud. Modify this value to throttle the number of Relay Server statuses to include in each batch. The default value is 100 statuses per batch.
  5. Select Save.