On-premises customers must install and configure the Workspace ONE Assist server(s).

There are two types of installations of Workspace ONE Assist.

  • Standard (Basic), for all-in-one single server installations.
  • Advanced (Custom), for medium installations where there is a separate CP server and a separate CAP server, or multiple server installations where the CP, Core, Application, and Portal services reside on separate servers. See On-Premises Hardware Scaling Requirements.

Prior to running the installer on the server(s), you must first Generate the Workspace ONE Assist T10 API Certificate.

Generate the Workspace ONE Assist T10 API Certificate

You must generate the T10 API root and intermediate certificates used during an on-premises installation whether you are performing a Standard (Basic) or Advanced (Custom) installation. These certificates are also required for an on-premises build of Workspace ONE UEM while using Workspace ONE Assist in a SaaS environment.

Download the installer package, titled VMware Workspace ONE™ UEM Remote Management Installer, from the myWorkspaceONE portal (https://myworkspaceone.com).

The certificate generator is called RemoteManagementCertificateGenerator_9_2. This installer must be run on a machine with the same locale settings as the database server to ensure that the same date format is set in the SQL script. You must run this certificate generator as an administrator.
  1. Extract all contents from the installer package ZIP file into c:\temp of the Workspace ONE Assist server. Do not move the files around inside the temp folder as the installer needs all the files in their extracted locations. Do not rename or move the temp folder.
  2. Run the Remote Management Certificate Generator which is included in the installer package.
  3. In the UEM console, switch to your primary organization group (OG). The OG you select must be of a 'customer' type.
  4. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLs, scroll down to the Workspace ONE Assist section, and copy the string in the Remote Management CN text box. You are not able to see a Remote Management CN option unless you are in a 'customer' type OG.
    Note: If the Remote Management CN text box is blank, then you must manually Create the Common Name from the Workspace ONE UEM Database.
  5. Set the following values.
    • Certificate Type: Remote Management
    • Deployment: On-premises
    • Certificate Common Name: Paste the Remote Management CN copied from the preceding step (Step 4). Ensure the string you paste has 'CN'.
  6. Select Generate Certificates.
  7. Set Password for the certificates when prompted. Store this password for future use.
  8. Navigate to the folder holding the Remote Management Certificate Generator.
  9. Find the generated certificates file in the Artifacts\private folder called root_intermediate_chain.p7b. This is the T10 Certificate pair file that contains two major certificates that enable Workspace ONE UEM to communicate with the T10 portal. These certificates are the Workspace ONE UEM portal Root and Intermediate certificates.
  10. Perform the action based on your environment.
    • For On-Premises Environments – Copy the p7b file generated in step 10 to the c:\temp\certs folder on the Workspace ONE Assist Server and proceed to step 12.
    • For SaaS Environments – Zip up the p7b file and email it to your account team or professional services team member. They will create a ticket for the Assist team with the certificate you provided. Internal Account Teams and Professional Services Teams, refer to the following knowledgebase article for further instructions. https://ikb.vmware.com/s/article/79459.
  11. In the Artifacts folder, find the "Certificate Seed Script.sql". Run this script against the Workspace ONE UEM Database to seed the generated certificates into the Workspace ONE UEM database.

    If you receive the error message "The conversion of a varchar data type to a datetime data type resulted in an out-of-range value," then see Troubleshooting Workspace ONE Assist. Support for multiple Workspace ONE UEM environments is available. For details, see Configure Multi-Workspace ONE UEM Environment Support.

Install Site SSL Certificate, Assist On-Premises Only

You must incorporate a secure sockets layer (SSL) certificate into the Workspace ONE Assist on-premises installation process whether you are performing a Standard (Basic) or Advanced (Custom) installation.

SSL certificates provide secure, encrypted communications between a website and an Internet browser. The SSL certificate secures HTTPS binding for the management website for port 443 and allows a secure connection. This secure connection is between the admin and Web services. Also, the SSL certificate secures the connection to the Connection Proctor on port 8443 (or port 443 when the Connection Proctor (CP) Service runs on a separate server). You must provide the SSL certificate as a wildcard or SAN certificate.

If you are installing Workspace ONE Assist for the first time or upgrading to a newer version, you do not need to bind the SSL certificate to a website or renew the site thumbprint. However, if you are renewing an expired SSL certificate in between Workspace ONE Assist releases, you must bind the SSL certificate to a website and update the renewed site Thumbprint using AdminWebPortal. A link to each of those tasks appears directly after the following steps.

This process applies only to the SSL certificate. This process does not apply to the T10 API root and intermediate certificates.

  1. Run the Microsoft Management Console (MMC).

    Locate this application by typing 'mmc' into the search box found in the Start button.

  2. In the File menu of the MMC application, select Add/Remove Snap-in.... The Add or Remove Snap-ins dialog box displays.
  3. Under Available snap-ins on the left panel, select Certificates and then select the Add button in the middle. The Certificates snap-in dialog box displays.
  4. Select Computer Account and then select the Next button.
  5. Select Local Computer and then select the Finish button.

    Now the Add or Remove Snap-ins screen displays Certificates (Local Computer) under the Console Root on the right panel.

  6. Select OK to finish. The main MMC window displays.
  7. Expand the Certificates (Local Computer) on the left panel by selecting the Greater Than symbol. Select Personal > Certificates.
    1. If you do not have a Certificates folder to select, select the Personal folder and a Certificates folder will be created automatically.
  8. In the Action menu of the MMC application, select All Tasks followed by Import.... The Certificate Import Wizard displays.
  9. Select Next to begin the Wizard.
  10. Select Browse... to locate the SSL certificate in the PFX file format. You should familiarize yourself with the name of this file, since you must identify it by name in the future. Once located, select Open to import it.
  11. Enter the certificate's Password when prompted. Add check marks to the two boxes labeled Mark this key as exportable and Include all extended properties.
  12. Select Next.
  13. Select Place all certificates in the following store and set the Certificate store to 'Personal'.
  14. Select Next.
  15. Confirm all the presented information is correct and then select Finish.

    A new SSL certificate has been installed.

    If you are installing Workspace ONE Assist, then you must decide whether you are running a Standard (Basic) Installation of Workspace ONE Assist or an Advanced (Custom) Installation of Workspace ONE Assist.
    • Standard (Basic), for all-in-one single server installations.
    • Advanced (Custom), for installations with advanced options such as multiple servers to accommodate high availability and horizontal scaling.

    If you are not installing Workspace ONE Assist but rather just updating an expired SSL certificate, then you must Bind the SSL Certificate to a Management Site followed by Update the Renewed Site Thumbprint Using AdminWebPortal.
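
The wildcard-or-SAN requirement above can be checked once the PFX is imported. The following PowerShell is an added example, not VMware code: the function names Test-DnsNameCovered and Test-AssistSslCertificate are hypothetical, and the FQDNs are the sample names this page uses for its portal and CP servers.

```powershell
# Added example, not VMware code. Checks that a certificate in the Local Computer
# Personal store covers every FQDN it has to serve, by SAN entry or by wildcard.

function Test-DnsNameCovered {
    # Hypothetical helper: is $Fqdn matched by any name the certificate carries?
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$CertificateNames
    )
    $target = $Fqdn.TrimEnd('.').ToLowerInvariant()
    foreach ($name in $CertificateNames) {
        $pattern = $name.TrimEnd('.').ToLowerInvariant()
        if ($pattern -eq $target) { return $true }

        # A wildcard stands for exactly one left-most label: *.awmdm.com covers
        # rmstage01.awmdm.com, but not a.b.awmdm.com and not awmdm.com itself.
        if ($pattern.StartsWith('*.')) {
            $suffix = $pattern.Substring(1)          # for example ".awmdm.com"
            if ($target.EndsWith($suffix)) {
                $label = $target.Substring(0, $target.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Test-AssistSslCertificate {
    # Hypothetical helper: reports name coverage, expiry and private-key presence.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string[]]$RequiredFqdn
    )
    # DnsNameList is exposed on certificates read through the Cert: drive.
    $names = @($Certificate.DnsNameList |
        ForEach-Object { $_.Unicode } |
        Where-Object { $_ })

    $missing = @($RequiredFqdn | Where-Object {
        -not (Test-DnsNameCovered -Fqdn $_ -CertificateNames $names)
    })
    $expired = $Certificate.NotAfter -lt (Get-Date)

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        Names         = $names
        MissingFqdn   = $missing
        NotAfter      = $Certificate.NotAfter
        Expired       = $expired
        HasPrivateKey = $Certificate.HasPrivateKey
        Usable        = ($missing.Count -eq 0) -and (-not $expired) -and $Certificate.HasPrivateKey
    }
}

# FQDNs the certificate must serve (sample names from this page; replace with
# the portal and Connection Proctor names of your deployment).
$required = 'rmstage01.awmdm.com', 'rmstage02.awmdm.com'

# Constructed name lists, to show the matching rules without a certificate.
foreach ($sample in @(
        @('rmstage01.awmdm.com'),                          # SAN missing the second CP
        @('rmstage01.awmdm.com', 'rmstage02.awmdm.com'),   # SAN listing both
        @('*.awmdm.com'))) {                               # wildcard
    $uncovered = @($required | Where-Object {
        -not (Test-DnsNameCovered -Fqdn $_ -CertificateNames $sample)
    })
    [pscustomobject]@{ CertificateNames = $sample -join ', '; Uncovered = $uncovered -join ', ' }
}

# Against the real store: evaluate every certificate that has a private key.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-AssistSslCertificate -Certificate $_ -RequiredFqdn $required } |
    Format-List Subject, Thumbprint, MissingFqdn, NotAfter, Expired, Usable
```

Run it in an elevated PowerShell session on the Workspace ONE Assist server; a certificate is suitable only when Usable is True for the names you listed.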

Bind the SSL Certificate to a Management Site

If you are renewing an expired SSL certificate in between Workspace ONE Assist releases, you must bind the renewed SSL certificate to the website and update the renewed site Thumbprint using AdminWebPortal. This task binds the SSL certificate.

You do not need to manually bind the SSL certificate each time you install it. During the normal course of installing or upgrading the Workspace ONE Assist server, you must also install the SSL certificate. But the Workspace ONE Assist installation or upgrade process takes care of binding the SSL certificate to the website for you. You only need to follow these steps to bind the SSL certificate if you are manually renewing an expired SSL certificate in between Workspace ONE Assist installations or upgrades.

If you are installing or upgrading the Workspace ONE Assist server, do not take these steps.
  1. Open Internet Information Services (IIS) on the Workspace ONE Assist server.
  2. In the Connection pane on the left, expand the node of the server by selecting the triangle in front of the server name.
  3. Expand the node of the Sites folder.
  4. Right-click Mgmt Web Site and select Edit Bindings.... The Site Bindings screen displays.
  5. Select https and then select the Edit button. The Edit Site Binding screen displays.
  6. Select the updated SSL certificate in the drop-down menu and then select OK.

    The new SSL Certificate is now bound to the website.

Update the Renewed Site Thumbprint Using AdminWebPortal

If you are renewing an expired SSL certificate in between Workspace ONE Assist releases, you must update the renewed site Thumbprint. This task updates the Thumbprint with AdminWebPortal.

During the normal course of installing or upgrading the Workspace ONE Assist server, you must also update the site thumbprint. But the Workspace ONE Assist installation or upgrade process takes care of updating the site thumbprint.

You only need to follow these steps to update the site thumbprint with AdminWebPortal if you are manually renewing an expired SSL certificate in between Workspace ONE Assist installations or upgrades and have already bound it to the website.

If you are installing or upgrading the Workspace ONE Assist server, do not take these steps.

  1. Start the MMC console from the Workspace ONE Assist server.
  2. In the left-side panel, navigate to Console Root > Certificates (Local Computer) > Personal > Certificates and locate, by name, the SSL certificate you installed or updated recently.
  3. Double-click this SSL certificate. The Certificate screen displays.
  4. Select the Details tab at the top.
  5. In the Show drop-down menu, select Properties Only.
  6. Click once on the text box Thumbprint. A series of number and letter pairs appears in the panel beneath the Show panel.
  7. Select all these pairs of characters and copy them to the clipboard. Close the MMC console.
  8. Open Notepad from the server desktop.
  9. Paste the clipboard contents into the empty notepad screen.
    Note: The new thumbprint when you copy from the certificate is in lowercase. Ensure you change it to uppercase before pasting it in the AdminWebPortal. If unchanged, it can cause errors.
  10. In Notepad, enter the keyboard shortcut Ctrl-H. The Replace screen displays.
  11. Enter a single space in the Find what text box.
  12. Click the Replace All button and then close the Replace screen by clicking the X.

    All the spaces in between the number/letter pairs have been removed. Using Notepad also converts the ANSI text copied from the MMC console to ASCII text, which is the format required when you paste the thumbprint in the AdminWebPortal.

  13. In Notepad, select the newly formatted thumbprint and copy it to clipboard with Ctrl-C. Close Notepad.
  14. Open your browser and log into the AdminWebPortal using your credentials.

    For example, https://yourdomain.com/AdminWebPortal/login.aspx

  15. Select the Default Service Configurations.
  16. In the Search bar, enter certid.

    To display the search results properly, you might need to scroll down to the page size modifier and maximize the number of pages it can display. Doing this sets a large enough playing field to display any search result.

  17. Identify the certid parameter, :ctl.svc.cnp.tch/certid, in the Parameter Name column. In the Options column of the same line, select the Edit icon.

    Upon clicking the Edit icon, you might need to search for certid once again. Locate the certid Parameter Name and notice that the Parameter Value is now editable.

  18. Select the existing string of characters in the Parameter Value for :ctl.svc.cnp.tch/certid and replace it with the new Thumbprint string you have stored in your clipboard by applying the Ctrl-V keyboard shortcut.
    Note: Before you paste the new thumbprint, ensure you change the thumbprint from lowercase to uppercase; if unchanged, it can cause errors.
  19. Select the Save icon.
  20. Select Service Configuration.
  21. Search for ConnectionProctorService and review its Status column.
  22. For both Active status and Inactive status for ConnectionProctorService, select the Edit icon and update the :ctl.svc.cnp.tch/certid Parameter Value with the new Thumbprint string (Ctrl-V).
  23. Select the Save icon for each, as applicable.
  24. Select the Update button at the bottom of the page.
  25. Restart all services (Core and IIS services). Select the Start menu and enter run on your keyboard. In the Open text box, enter services.msc. The Services application displays.
  26. Locate all services that are labeled Aetherpal.
  27. Stop all these Aetherpal services.
  28. Start all Aetherpal services.

    The site Thumbprint has been updated.
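
The Notepad clean-up in steps 6 to 13 can also be scripted and checked against the certificate store before the value goes into :ctl.svc.cnp.tch/certid. This PowerShell is an added example, not VMware code: the function names are hypothetical and the pasted thumbprint is a constructed sample.

```powershell
# Added example, not VMware code: prepares a thumbprint copied from the MMC
# Certificate dialog for the :ctl.svc.cnp.tch/certid parameter and confirms it
# matches a certificate in Certificates (Local Computer) > Personal.

function ConvertTo-AssistThumbprint {
    # Hypothetical helper name.
    param([Parameter(Mandatory)][string]$Raw)

    # Drop everything outside printable, non-space ASCII: the spaces between the
    # pairs and any invisible character carried along by the copy.
    $clean = $Raw -replace '[^\x21-\x7E]', ''

    # What is left must be exactly 40 hex digits (a 20-byte SHA-1 thumbprint).
    # Anything else means the wrong field or a partial selection was copied.
    if ($clean -notmatch '^[0-9A-Fa-f]{40}$') {
        throw "Not a certificate thumbprint after clean-up: '$clean'"
    }

    # The AdminWebPortal value must be uppercase.
    return $clean.ToUpperInvariant()
}

function Get-AssistSslCertificate {
    # Hypothetical helper name. Returns $null when nothing in the store matches.
    param([Parameter(Mandatory)][string]$Thumbprint)

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
    if (-not $cert) { return $null }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        Expired       = $cert.NotAfter -lt (Get-Date)
        HasPrivateKey = $cert.HasPrivateKey
    }
}

# Constructed sample, not a real certificate: lowercase pairs separated by
# spaces, preceded by an invisible U+200E left-to-right mark.
$pasted = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"

$thumbprint = ConvertTo-AssistThumbprint -Raw $pasted
$match = Get-AssistSslCertificate -Thumbprint $thumbprint

if ($null -eq $match) {
    # Expected for the constructed sample; with a real thumbprint this means the
    # value does not belong to any certificate installed on this server.
    Write-Warning "No certificate with thumbprint $thumbprint in LocalMachine\My."
} elseif ($match.Expired -or -not $match.HasPrivateKey) {
    Write-Warning "Certificate found, but it is expired or has no private key."
    $match
} else {
    $match
}
```

Paste the value into the AdminWebPortal only when the lookup returns the renewed certificate with Expired set to False and HasPrivateKey set to True.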

Standard (Basic) Installation of Workspace ONE Assist

The Standard (Basic) method of installing the Workspace ONE Assist server, for on-premises environments that use all-in-one single servers, is a process that is composed of a single phase.
  1. Download, extract, and save the Workspace ONE Assist installer into a temporary directory on the Workspace ONE Assist server. You can download the installer from the repository at https://my.workspaceone.com.
  2. Right-click the installer file and select Run as administrator.
  3. At the Welcome screen, select Next.
  4. Enter the directory where you want to install the Workspace ONE Assist application and select Install.
    Note: The default installation directory can be customized to any location on the server.
  5. Select Standard Installation (Basic) and then select Next.
  6. If SQL Server is already installed on the server or on another server where Assist databases are deployed, select Connect to existing SQL Server and enter the required parameters.
    • SQL server name: Define the SQL Server instance running on the server (such as \\SQLEXPRESS, (local), and so on).
    • Authentication: Select either Windows authentication to authenticate to SQL Server as current Windows user OR select SQL Server Authentication to select a SQL server account, such as SA.
    • User name: If SQL Server Authentication was used, type in the user name that is used to authenticate against the SQL server.
    • Password: Type in the password for the user name selected.
    1. Select the …More button and enter additional details.

      The installer creates two user accounts to access and maintain SQL databases. They are apadminuser and apdbuser.

    2. Specify passwords for these accounts. When making user names and passwords, do not use the following special characters:
      • Ampersand - &
      • Less Than - <
      • Greater Than - >
      • Single Quote - '
      • Double Quotes - "
      • Semicolon - ;
    3. Enter in the path for database MDF, LDF, and NDF files.
    4. Select Save to proceed.

      You are taken back to the previous screen.

    5. Select Next to proceed.
  7. In the Tenant FQDN text box, type in the FQDN for portal (web) services.

    A Fully Qualified Domain Name is the complete domain name for a specific computer, or host, on the Internet. It consists of two parts: the host and the domain. For example, myhost.thedomain.edu.

  8. In the SSL Certificate text box, select the folder button or the pull-down arrow to select the SSL certificate for the Workspace ONE Assist system that corresponds to the FQDN.

    The certificate is installed in the local system personal certificate store.

  9. Select the certificate and then select OK.
  10. Deselect the Apply Default Settings check box and select the folder icon to attach the T10 certificate.
  11. Browse for the T10 certificate (created while running the Certificate Generator tool in the artifacts folder), select the P7B certificate file, and then select Open.
  12. Select the …More button to select additional settings for the Workspace ONE Assist system. Verify the parameters.
    • HTTP Port: Defines the internal HTTP port used by portal services. By default, port 80 is selected. You can use a different port if port 80 is being used, such as 8080.
    • IIS Site Binding IP address: Defines from which interfaces/IP addresses portal services can be reached. By default, the setting is ‘All Unassigned’ to enable all interfaces/IPs.
    • HTTPS port: Defines the HTTPS port used by portal services for access from outside the network. By default, port 443 is selected. If port 443 is already being used in your environment for another purpose, then you can use a different port, such as 7443.
    • SSL Enable: Enables SSL/TLS protocol for portal services. By default, this check box is enabled so that the portal services use SSL/TLS. Leave this check box enabled.
    • T10 user name and Auto Generated: Defines T10 API user for connectivity between AirWatch portal and Workspace ONE Assist system. By default, if ‘Auto Generated’ check box is enabled, the installer assigns a random user name to be created locally on the server. Leave this text box defaulted and the check box enabled for the Installer to create the T10 API user. If you want to define the user, disable the check box and type in the T10 user name you want to use.
    • CP FQDN/Port: Defines the FQDN and port on which CP services can be reached. Enter in the FQDN, which must be the same as the FQDN assigned for portal services. Enter port 8443, which is the default port for CP services. If port 8443 cannot be used, you can enter any other port. Be sure that network/security teams use this assigned port when assigning translation rules from the firewall/router to the RM Server for CP services.
  13. Select Save to continue. You are taken to the previous screen.
  14. Select Next to continue.

    The installer performs multiple prerequisite checks to ensure that the product can be installed. After the installer performs the prerequisites check, a summary report displays.

  15. If any of the prerequisites are missing and the check fails, do NOT select Install.
    1. Select the Detailed Report link to see which prerequisites are missing.
    2. To install missing prerequisite components, select the Install Components link. The installer installs the missing components.

      You might need to reboot the server after the prerequisites are installed.

    3. After the reboot, relaunch the installer.

      The installer pre-populates with your previous selections.

  16. If the initial prerequisite check comes back with all components passing, select Install.

    Once the Install button is selected, the installation process begins.

    Note: Database execution might take an extended period.
  17. When the installation finishes, select Next to continue.
  18. When prompted to run the Resource Pack that loads all available device profiles onto the Workspace ONE Assist system, leave the Execute Resource pack check box selected (enabled) and then select the Finish button.

    By default, the Resource Pack utility imports all device profiles by using a command-line window. After Resource Pack utility completes, the command-line window closes. For information about importing device profiles, see Import Device Profiles with Resource Pack Utility.

    Next, proceed to Configure Workspace ONE UEM Console with Assist On-Premises.

Advanced (Custom) Installation of Workspace ONE Assist

The Advanced (Custom) method of installing the Workspace ONE Assist server for on-premises environments is a multiple phase process. The Advanced (Custom) installation features advanced options such as multiple servers to accommodate high availability and horizontal scaling. This installation allows individual Assist components to be installed on separate servers, which is what makes horizontal scaling possible.

Take the following steps and install Workspace ONE Assist with its advanced (custom) configuration.

  1. Download, extract, and save the Workspace ONE Assist installer into a temporary directory on the Core, Application, and Portal (CAP) server. You can download the installer from the repository at https://my.workspaceone.com.
  2. Right-click the installer file, and select Run as administrator.
  3. At the Welcome screen, select Next.
  4. Enter the directory where you want to install the Workspace ONE Assist application and select Install.

    The default installation directory can be customized to any location on the server.

  5. Select Advanced Installation (Custom) and then select Next.
  6. Select all components for installation on the server.
    • Database
    • Core Services
    • Portal Services
    • Application Services
  7. Select Next.
  8. Configure the Database settings. Select Connect to existing SQL Server and complete the following settings.
    • SQL Server Name: Enter the database server hostname.
    • Authentication: Select the database account authentication. The authentication can be either Windows Authentication or SQL Authentication.
    • User name: Enter the user name of the database account. This user name is used by the installer to create all the databases required to install Workspace ONE Assist.
    • Password: Enter the password of the database account.
    Note: When making user names and passwords, do not use the following special characters:
    • Ampersand - &
    • Less Than - <
    • Greater Than - >
    • Single Quote - '
    • Double Quotes - "
    • Semicolon - ;
  9. Select the ...More button and complete the Database Advanced Settings.
    Important: If you are upgrading an existing installation, you must reenter your user name passwords. You must also reenter the paths of your MDF, LDF, and NDF file locations.
    Note: When making user names and passwords, do not use the following special characters:
    • Ampersand - &
    • Less Than - <
    • Greater Than - >
    • Single Quote - '
    • Double Quotes - "
    • Semicolon - ;
    • DB Owner User name/Password: Set the user name and password for the Workspace ONE Assist database owner SQL account. This account does not have system-wide permissions. The account only has permissions within the Workspace ONE Assist databases. This user name is apadminuser.
    • DB Application User name/Password: Set the user name and password for the Workspace ONE Assist database application account. This user name is apdbuser.
    • MDF Path: Enter the path of the primary data file (MDF).
    • LDF Path: Enter the path of the transaction log file (LDF).
    • NDF Path: Enter the path of the secondary data file (NDF).
  10. Select Save followed by Next.
  11. Configure the Portal settings.
    • Tenant FQDN: Enter the server fully qualified domain name. For example, "rmstage01.awmdm.com".
    • SSL Certificate: Select the folder icon and browse for the SSL Certificate already installed. For details, see Install an SSL Certificate.
    • SQL Server Name: Enter the database server hostname from the previous step.
    • Apply Default Settings: Enable this check box to pre-populate the additional settings Enrollment Certificate, T10 Certificate, and License.
    • Apply Default Enrollment Certificate: If required, select a different Enrollment Certificate provided by the Assist support team.
    • Apply Default T10 Certificate: Deselect this check box and select the folder button to browse for and load the T10 certificate.
  12. Select the ...More button and complete the Custom Portal Advanced Settings.
    Important: If you are using port numbers other than the defaults referenced in Network and Security Requirements, you must enter these non-default port numbers here.
    • DB Application User name/Password: Enter the user name and password for the Workspace ONE Assist database application account. This user name is apdbuser.
    • HTTP Port: Enter the internal HTTP port used by portal services. The default is 80 but you can enter an alternate port number, such as 8080.
    • IIS Site Binding IP Address: Defines from which interfaces/IP addresses portal services can be reached. By default, the setting is ‘All Unassigned’ to enable all interfaces/IPs.
    • HTTPS Port: Enter the HTTPS port number. The default is 443 but you can enter your preferred port number.
    • SSL Enable: Enables SSL/TLS protocol for portal services. By default, this check box is enabled so that the portal services use SSL/TLS. Leave this check box enabled.
    • T10 user name and Auto Generated: Defines T10 API user for connectivity between AirWatch portal and Workspace ONE Assist system. By default, if ‘Auto Generated’ check box is enabled, the installer assigns a random user name to be created locally on the server. Leave this text box defaulted and the check box enabled for the Installer to create the T10 API user. If you want to define the user, disable the check box and type in the T10 user name you want to use.
  13. Select Save followed by Next.
  14. Review your selections at the Selected Components screen, then select Install and wait for the installer to complete. Once the installer has finished, select Next.
  15. Ensure that the check box Execute Resource Pack is selected and select the Finish button.
  16. Download, extract, and save the Workspace ONE Assist installer into a temporary directory on the Connection Proctor (CP) server, right-click the installer file, and select Run as administrator.
  17. At the Welcome screen, select Next.
  18. Enter the directory where you want to install the Workspace ONE Assist application and select Install.

    The default installation directory can be customized to any location on the server.

  19. Select Advanced Installation (Custom) and then select Next.
  20. Select the 'Connection Proctor' component for installation on the server.
  21. Configure the Connection Proctor settings.
    Important: If you are using port numbers other than the defaults referenced in Network and Security Requirements, you must enter these non-default port numbers here.
    • Connection Proctor FQDN: Defines the Fully Qualified Domain Name (FQDN) on which CP services can be reached. Enter in the FQDN, which must be the same as the FQDN assigned for portal services.
    • Port: Enter the port number for CP services. The default is 443 in multiple server environments but you can enter your preferred port number. Whatever port you select, ensure that network/security teams use this port when assigning translation rules from the firewall/router to the Workspace ONE Assist Server for CP services.
    • SSL Certificate: Select the folder icon and browse for the SSL Certificate already installed. For details, see Install an SSL Certificate.
      SAN (subject alternative name) certificates are supported. The implementation of SAN certificates depends upon your server arrangement.
      • The SAN certificate must have an FQDN defined for each connection proctor server and Workspace ONE Assist server.
        • For example, presume you have 2 connection proctor servers and 2 Workspace ONE Assist servers. The 2 Workspace ONE Assist servers host portal services, which require TLS/SSL traffic terminated at the load balancer. The FQDN for the SAN certificate must reflect the fully qualified domain name, for instance, "rmstage01.awmdm.com".
        • Meanwhile, for each of the 2 CP servers, TLS/SSL traffic terminates at the connection proctor, and therefore, you must have 2 FQDNs defined in the SAN certificate, for instance, "rmstage01.awmdm.com" and "rmstage02.awmdm.com".
    • SQL Server Name: Enter the database server hostname from the previous step.
    • Apply Default Settings: Enable this check box to pre-populate the additional setting Enrollment Certificate.
    • Apply Default Enrollment Certificate: If required, select a different Enrollment Certificate provided by the Assist support team.
  22. Select the ...More button and complete the Custom Connection Proctor Advanced Settings.
    Important: If you are using port numbers other than the defaults referenced in Network and Security Requirements, you must enter the non-default port numbers here.
    • DB Application User name/Password: Enter the user name and password for the Workspace ONE Assist database application account. This user name is apdbuser.
    • CP Internal IP Address/Port: Defines from which internal IP addresses the connection proctor can be reached. By default, the setting is ‘All Unassigned’ to enable all addresses. Enter the port number for the Connection Proctor component. The default is 8443 but you can enter your preferred port number.
    • Forward Lookup Zone: Under the CP Internal IP Address/Port drop-down menu, enable this check box and enter your forward lookup zone here. You can also enter a custom lookup zone. The Forward Lookup Zone setting is optional in a multi-server environment.

  23. Select Save followed by Next.
  24. At the Selected Components screen, review your selections. Once you have verified your configuration, select Install.

    Proceed to Configure the Workspace ONE UEM Console with Assist On-Premises.

Configure the Workspace ONE UEM console with Assist On-Premises

After installing the Workspace ONE Assist server and all its components, configure the UEM console to communicate with the Workspace ONE Assist server.

  1. In the UEM console, ensure that you are in the Global OG.
  2. Navigate to Settings > System > Advanced > Site URLs > Workspace ONE Assist.
  3. Complete the Workspace ONE Assist settings.
    • Console Connection Hostname: Enter the Workspace ONE Assist server fully qualified domain name (FQDN) plus "/t10". For example: https://rmstage01.awmdm.com/t10
    • Device Connection Name: Enter the Workspace ONE Assist server fully qualified domain name (FQDN). For example: https://rmstage01.awmdm.com
  4. Select Save.

    The Workspace ONE Assist server is now ready to handle remote management sessions with end-user devices.

Integrate Deployment Model, On-Prem UEM With SaaS Assist

You can integrate an on-premises Workspace ONE UEM environment with a SaaS build of Workspace ONE Assist, in either single customer or multi-customer deployments.

You must have a working on-prem Workspace ONE UEM installation in order to integrate it with a Workspace ONE Assist SaaS environment.

The typical use case is that a partner with multiple on-premises Workspace ONE UEM environments (with single customer or multi-customer deployments) wants to add Workspace ONE Assist service. It is simple to integrate a SaaS build of Workspace ONE Assist to your on-prem Workspace ONE UEM build.

  1. Update the Site URL of the External Remote Management in Settings.
    1. In the UEM console, ensure that you are in the Global OG.
    2. Navigate to Settings > System > Advanced > Site URLs > Workspace ONE Assist.
    3. Complete the Workspace ONE Assist settings.
      Locale: USA
        Console Connection Hostname: https://rm01.awmdm.com/t10
        Device Connection Name: https://rm01.awmdm.com/

      Locale: Canada
        Console Connection Hostname: https://rmca01.awmdm.com/t10
        Device Connection Name: https://rmca01.awmdm.com/

      Locale: Germany
        Console Connection Hostname: https://rmde01.awmdm.com/t10
        Device Connection Name: https://rmde01.awmdm.com/

      Locale: United Kingdom
        Console Connection Hostname: https://rmde01.awmdm.com/t10
        Device Connection Name: https://rmde01.awmdm.com/

      Locale: Australia
        Console Connection Hostname: https://rmau01.awmdm.com/t10
        Device Connection Name: https://rmau01.awmdm.com/

      Locale: Japan
        Console Connection Hostname: https://rmjp01.awmdm.com/t10
        Device Connection Name: https://rmjp01.awmdm.com/

      The Workspace ONE Assist server can now communicate with Workspace ONE UEM.

  2. Generate the Workspace ONE Assist T10 API Certificate. This step must be finished no matter what deployment model you are using, but it is the first set of certificates you generate for multi-Workspace ONE UEM environments. See Generate the Workspace ONE Assist T10 API Certificate and Supported Deployment Models.
    • If you are deploying a single customer Workspace ONE UEM environment, then proceed to step 3.
    • If you are deploying a multi-customer Workspace ONE UEM environment, then you must .
  3. Select Save.

    The Workspace ONE Assist is now ready to handle remote management sessions with end-user devices.

  4. Configure End-User Devices
  5. While logged into the Workspace ONE UEM console, navigate to Devices > List View and locate a suitable device to remotely manage. See Supported Platforms.
  6. Select that device's Friendly Name to display Device Details.
  7. Initiate a Workspace ONE Assist session on this device by selecting the More Actions button and then selecting Remote Management.

    The single customer or multi-customer on-premises deployment of Workspace ONE UEM is now connected to the Shared SaaS build of Workspace ONE Assist.

Migrate Workspace ONE Assist from On-Premises to SaaS

When you are faced with migrating your on-prem installation of Workspace ONE Assist to a SaaS environment, you can follow these steps without having to uninstall and reinstall the Assist app on all devices.

Before you can migrate your Workspace ONE Assist to a SaaS environment, Workspace ONE UEM must already be in a dedicated SaaS environment. This Workspace ONE Assist migration cannot be applied to an on-premises build of Workspace ONE UEM.
  1. Follow the instructions for Step 1 Only of Integrate Deployment Model, On-Prem UEM With SaaS Assist to configure the site URLs. Then return to this task to commence migration.
  2. You must re-push the Intelligent Hub settings to all enrolled devices per the following substeps.
    1. Android – Navigate to Groups & Settings > All Settings > Devices & Users > Android > Intelligent Hub Settings. No changes need to be made to this settings page, just select Save.
    2. iOS – Navigate to Groups & Settings > All Settings > Devices & Users > Apple > Apple iOS > Intelligent Hub Settings. No changes need to be made to this settings page, just select Save.
    3. macOS – Navigate to Groups & Settings > All Settings > Devices & Users > Apple > Apple macOS > Intelligent Hub Settings. No changes need to be made to this settings page, just select Save.
    4. Windows CE & Mobile – Navigate to Groups & Settings > All Settings > Devices & Users > Windows > Windows Rugged > Agent Settings. No changes need to be made to this settings page, just select Save.
    5. Windows 10 – Navigate to Groups & Settings > All Settings > Devices & Users > Windows Desktop > Intelligent Hub Settings. No changes need to be made to this settings page, just select Save.

      The device is silently re-enrolled into Workspace ONE Assist. The device end user is not prompted.

Configure Multi-Workspace ONE UEM Environment Support

If you want to operate the Workspace ONE Assist server across multiple Workspace ONE UEM environments (not multiple organization groups), then take the following steps.

You must have already completed all the steps in Generate the Workspace ONE Assist T10 API Certificate.

Do not follow this procedure if you want Workspace ONE Assist to work with a single Workspace ONE UEM environment.

  1. Log in to the secondary or other Workspace ONE UEM environment.

    Do not log into the same environment you selected in Step 4 of the topic Generate the Workspace ONE Assist T10 API Certificate.

  2. In the UEM console of this secondary environment, switch to your primary OG.

    The OG you select must be of a 'customer' type. For more information about organization groups, see the topic Organization Group Type Functions from the VMware Workspace ONE UEM Console Basics Documentation.

  3. Navigate to Groups & Settings > All Settings > System > Advanced > Site URLs, scroll down to the External Remote Management section, and copy the string in the Remote Management CN text box.
    Note: If this text box is blank, then you must manually Create the Remote Management CN from the Workspace ONE UEM Database.
  4. Switch back to the Workspace ONE Assist server. Run the Remote Management Certificate Generator, which includes the Remote Management Installer, using the following values.
    Setting: Certificate Type
    Value: Remote Management

    Setting: Deployment
    Value: Upload Intermediate

    Setting: Certificate Common Name
    Value: Paste the Remote Management CN from Step 3 preceding
  5. Select the Generate Certificates button.
  6. When prompted, you must select the intermediate private cert.

    This certificate and password are the same ones you originally generated in Step 8 of Generate the Workspace ONE Assist T10 API Certificate. The certificate is located in c:\temp\certs of the Workspace ONE Assist server.

  7. On the Workspace ONE Assist server, locate the 'artifacts' folder, and run the SQL script file "Certificate Seed Script.sql" against the Workspace ONE UEM Database to seed the generated certificates into the Workspace ONE UEM database.
  8. Repeat this entire task for each additional Workspace ONE UEM environment you want Workspace ONE Assist to work with.

    Example: If you want to add two additional environments to the environment you configured originally, then you must follow the steps of this task twice.

After you have finished installing the client certificate for each Workspace ONE UEM environment, proceed to Configure the Workspace ONE UEM console with Assist On-Premises.

Upgrade to a New Version

Upgrading to a new version of Workspace ONE Assist is simple. Install a new version of Workspace ONE Assist on top of an existing, older version by taking the following steps.

Read through this entire section BEFORE you begin the installation process.
  1. To ensure that you do not run the old installer file in error, replace the previous version of the installer with the new version in the same folder. All certificates and the install.config file remain the same.
  2. Right-click the installer file and select Run as administrator. The installer prompts you to remove the currently installed components, excluding the database.
  3. Select OK and allow the installer to remove the installed components.

    The AirWatch Remote Management Uninstall Components screen appears.

  4. Select Next and proceed with the uninstall process.

    The Uninstall Components dialog box displays, listing each component it finds of the old version. Each of these components is selected with a green check mark. Notice that the Database or DB does not appear on this screen. This absence is because the old database is used during the upgrade process, which means everything on the database is kept intact in the new version of Workspace ONE Assist.

  5. Select Uninstall and commence uninstalling the old components.

    The uninstallation begins in earnest, displaying each component as it is removed.

  6. Once all the old components are uninstalled, the AirWatch Remote Management Setup prompts you to install new versions of the same components. Select Next to begin.
  7. The Choose Install Location prompt appears. The default installation location appears prepopulated in the text box, which it got from the install.config file. Proceed by selecting Install.
  8. The Get Started with AirWatch screen displays, prompting you to select between Standard Installation (Basic) and Advanced Installation (Custom).

    For details about each installation method, including all steps, screens, text boxes, and options, see Standard (Basic) Installation of Workspace ONE Assist or Advanced (Custom) Installation of Workspace ONE Assist.

  9. The installer reads from the install.config file, applying all the original configurations it finds to the options screens, including SQL server details, user names, Tenant FQDN, certificates, database configurations, and many other configurations. You might not need to modify any of the settings it pulls from this install.config file with the possible exceptions below.
    • Check Database Accounts - Depending upon your configuration and the existing permissions in your environment, the install.config settings might not be populated correctly. For this reason, review the database accounts to ensure that they are correct. Do this review at the first screen, Installer - Basic - Database (Step 1 / 2) by clicking the ...More button which displays the Database Advanced Settings dialog box. Review the apadminuser and apdbuser accounts and respective passwords for accuracy and select Save. Ensuring these accounts are correct now saves you trouble later.
    • SSL Certificate - If you installed a new SSL certificate before running this upgrade, ensure that you integrate it with the upgrade. Review the certificate at the second screen, Installer - Basic - Application (Step 2 / 2) by selecting the SSL Certificate drop-down menu and reviewing the name of the new SSL Certificate. If you have not installed a new SSL certificate before running this upgrade, then just ensure that the existing SSL cert is selected.
    • T10 Certificate - When upgrading from an older version of ARM to a newer version, review the T10 certificate to make sure it is the correct one. If you are in doubt about this certificate's validity, on the Installer - Basic - Application (Step 2 / 2) screen, deselect the check box Apply Default Settings, select the folder button that corresponds to the T10 Certificate, and select the correct certificate file in P7B format.
    • Check the Ports - At the Installer - Basic - Application (Step 2 / 2) screen, select the ...More button which displays the Portal Advanced Settings screen.
      • Ensure all the ports it pulls from install.config are correct for your environment. You should know whether your environment is using port 8443, which is the default connection proctor port for Workspace ONE Assist.
      • If 8443 is not used by your environment, then ensure the CP Port text box is 8443.
      • If 8443 is being used by your environment, then you must select another CP Port in order for Workspace ONE Assist to function. Consider using port 8446 in such a case.
      • Select Save if you have made changes.
  10. After you have reviewed all the settings above and made all applicable adjustments, proceed with the remainder of the installation by selecting the Next button.

    The Installer - Selected Components screen displays.

  11. The Installer - Selected Components page confirms all the installer settings it plans to use for the upgrade. If you want to make changes, you can use the < Prev button to revisit config pages. Otherwise, select Install to begin the upgrade. The installer prompts you again for the installation location. Select Install.
    • The database account is validated against the apdbuser and apadminuser accounts. During the upgrade, the Installing Database process displays "Error Message: DBAlreadyExists". This simply means it found the existing database and it has begun to upgrade it.
  12. When the installation finishes, select Next.
  13. The last step is to run the resource pack which consists of configuration files for hundreds of different devices. Ensure the Execute Resource pack check box is selected and click Finish.

The Workspace ONE Assist server has been upgraded.
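
The T10 Certificate and Check the Ports reviews in step 9 can be backed by a quick check on the server before the installer is started. The following is an added example, not VMware code: the function names and the P7B file path are placeholders, and matching the subject CN against the Remote Management CN is an assumption. A listener on the CP port may belong to the currently installed Assist components, which the upgrade removes.

```powershell
# Added example, not VMware code. Function names and the P7B path are placeholders.
function Get-T10BundleSummary {
    param(
        [Parameter(Mandatory)][string]$Path,   # T10 certificate file in P7B format
        [string]$ExpectedCN                    # Remote Management CN copied from the UEM console
    )
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import((Resolve-Path -LiteralPath $Path).ProviderPath)   # Import() reads PKCS#7 bundles
    foreach ($cert in $bundle) {
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Expired    = (Get-Date) -gt $cert.NotAfter
            # Assumption: the CN pasted into the generator appears as the subject CN.
            MatchesCN  = if ($ExpectedCN) { $cert.GetNameInfo('SimpleName', $false) -eq $ExpectedCN } else { $null }
            Thumbprint = $cert.Thumbprint
        }
    }
}

function Get-CpPortListener {
    # 8443 is the default CP port; 8446 is the alternative this page suggests.
    param([int[]]$Port = @(8443, 8446))
    foreach ($p in $Port) {
        $owners = @(Get-NetTCPConnection -LocalPort $p -State Listen -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty OwningProcess -Unique)
        if ($owners.Count -eq 0) {
            [pscustomobject]@{ Port = $p; InUse = $false; OwnerPid = $null; OwnerName = $null }
            continue
        }
        foreach ($ownerId in $owners) {
            # Listeners registered through HTTP.sys (for example IIS bindings) show up as "System".
            $proc = Get-Process -Id $ownerId -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $p; InUse = $true; OwnerPid = $ownerId; OwnerName = $proc.ProcessName }
        }
    }
}

Get-CpPortListener | Format-Table -AutoSize

$p7b = 'C:\path\to\T10-PLACEHOLDER.p7b'   # placeholder; point this at your T10 P7B file
if (Test-Path -LiteralPath $p7b) {
    Get-T10BundleSummary -Path $p7b | Format-List
}
```

Run it in an elevated PowerShell session on the Workspace ONE Assist server; pass -ExpectedCN with the Remote Management CN from the UEM console to populate the MatchesCN column.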

Create the Remote Management CN from the Workspace ONE UEM Database

If the Remote Management CN text box is empty from step 5 of Generate Workspace ONE Assist Certificates or step 3 of Configure Multi-Workspace ONE UEM Environment Support, you can run an SQL script against the database to create the Remote Management CN manually.
  1. Open the Remote Management Certificate Generator.

    You must run this generator as an administrator.

  2. Select the Question Mark button.
  3. Copy the displayed text.

    This text is the SQL script to run against the Workspace ONE UEM Database.

  4. Switch to the Workspace ONE UEM Database server and open SQL Server Management Studio.
  5. Create a query with the copied text.
  6. On the first line of the query, replace the NULL value with the GroupID for the customer type OG that you want to use.

    The OG you select must be a customer type; it cannot be of any other type, including global, partner, container, and so on.

    DECLARE @GroupID NVARCHAR(20) = NULL;

    becomes

    DECLARE @GroupID NVARCHAR(20) = 'RemoteManagement';
  7. In the Results, copy the created Remote Management CN.

    The Remote Management CN is used to generate the root and intermediate certificates for Remote Management. Return to Step 5 of Generate the Workspace ONE Assist T10 API Certificates or Step 3 of Configure Multi-Workspace ONE UEM Environment Support.

Import Device Profiles with Resource Pack Utility

Device profiles contain the key mapping, device skin, and Workspace ONE Assist service signatures for full remote control. You can perform a bulk import of these device profiles onto your Workspace ONE Assist Server.
  1. Run the Resource Pack Utility file provided. The file is called "AW RM Resource Pack Version - v0xx.exe".
  2. Complete the Authentication step.
    1. Enter the Target Tenant URL specific to your environment. For example, https://rmstage01.awmdm.com
    2. Enter the user name and password. If new credentials have not been defined, use the default credentials.
      • User name: admin
      • Password: admin
    3. Enter the Admin URL of
      http://admin.controlplane.aetherpal.internal:80

      If you have not used the WBC portal yet and have not reset your default password, the Resource Pack Utility prompts you at this point to reset the password. Enter your new password and select the Update Password button to continue.

  3. Complete the Resource Import step.

    You can select one or more device profiles from the list or you can enable the Select All check box to initiate a full importation of all available device profiles.

  4. Select the Import button to continue. The log panel on the right side fills up with confirmation messages which you can review.

    The device profiles you selected are installed onto the Workspace ONE Assist server.

  5. When finished importing device profiles, select the Exit button.