In the PowerShell deployment model, Workspace ONE UEM uses a PowerShell administrator role and issues commands to the Exchange ActiveSync (EAS) infrastructure to permit or deny mobile access based on the policies defined in the Workspace ONE UEM console.
PowerShell Integration with VMware Workspace ONE UEM
The PowerShell integrated deployment is a direct model of integration that requires a simple setup with minimal infrastructure. PowerShell deployments do not require a separate email proxy server and the configuration process is simple.
This section details the requirements for using PowerShell with Workspace ONE UEM.
- A service account that has Remote Shell access to Exchange Server and the minimum roles to integrate with PowerShell:
  Note: Selecting the roles enables all required resources or permissions needed for Workspace ONE UEM to operate. Create a custom role group with these roles.
  For Office 365 implementations, you must have an Exchange Admin role with the three relevant management roles mentioned earlier.
- PowerShell minimum version of 5.1. Note that this minimum version of PowerShell applies to the application servers and not to the Exchange servers. To download an updated version of PowerShell, see Microsoft’s download center. For the command used to check the installed version of PowerShell, see the Server Side Session Commands section.
- Access to the server-side session for Workspace ONE UEM to run Exchange commands.
- Port 443 over which the PowerShell commands are issued from the UEM console directly to the Exchange server or through the VMware AirWatch Cloud Connector (ACC).
In the PowerShell model of deployment, Workspace ONE UEM adopts a PowerShell administrator role. Workspace ONE UEM issues commands to the Exchange ActiveSync (EAS) infrastructure to permit or deny email access based on the settings defined in the UEM console.
PowerShell deployments do not require a separate email proxy server, and the installation process is simple. Once installed, Workspace ONE UEM sends commands to PowerShell in accordance with the established email policies, and PowerShell runs the actions. The PowerShell model is for organizations using Microsoft Exchange 2010, 2013, 2016, 2019, or Office 365 environments.
Office 365 Environment
The diagram highlights the communications flow for an implementation with Office 365. For Office 365 implementation, VMware does not recommend routing the PowerShell traffic through the AirWatch Cloud Connector.
Exchange 2010/2013/2016/2019 for Workspace ONE UEM Cloud-Based Deployments
The following diagram highlights the communications flow for a cloud-based implementation with hosted Exchange 2010/2013/2016/2019 deployments. VMware recommends the installation of one AirWatch Cloud Connector per MEG Queue service to avoid processing delays.
Exchange 2010/2013/2016/2019 for Workspace ONE UEM On-Premises Deployments
The following diagram highlights the communications flow for an on-premises implementation with hosted Exchange 2010/2013/2016/2019 deployments.
Enable Modern Authentication for PowerShell Integrated Deployment
To initiate a PowerShell session using modern authentication, Workspace ONE UEM uses non-interactive scripts. For a non-interactive session, the admin must not be a federated user. That is, if you have a third-party identity provider, the admin must not be part of the federated domain.
Use the following code snippet to check whether a non-interactive session is successfully initialized with modern authentication. If your VMware AirWatch Cloud Connector is configured, run this script from the AirWatch Cloud Connector. Otherwise, run the script from the Workspace ONE UEM console or the MEG Queue service box.
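    # Exchange cmdlets to import into the session.
    [String] $cmdsToImport = "Get-CASMailbox"
    # "password" is a placeholder for the service account password.
    $pass = ConvertTo-SecureString -String password -AsPlainText -Force
    # Placeholder account; use the service account's UPN here and in -UserPrincipalName below.
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "firstname.lastname@example.org",$pass
    # Open the session without an interactive sign-in prompt.
    $session = Connect-ExchangeOnline -UserPrincipalName "email@example.com" -Credential $cred -ConnectionUri "https://outlook.office365.com/powershell" -CommandName $cmdsToImport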
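The requirements listed earlier (PowerShell 5.1 on the application server, port 443 toward Exchange) and the result of the session check can be verified together on the host that runs the snippet. The following is an added example, not VMware code: the function name Test-UemPowerShellPrereq is hypothetical, the default host is taken from the ConnectionUri in the snippet, and the final step assumes the snippet has already connected in the same PowerShell session.

```powershell
# Added example (not VMware code). Test-UemPowerShellPrereq is a hypothetical name.
function Test-UemPowerShellPrereq {
    param(
        # Assumption: host taken from the ConnectionUri in the snippet above.
        [string]   $ExchangeHost     = 'outlook.office365.com',
        # Commands the snippet imports through -CommandName (must accept -ResultSize).
        [string[]] $RequiredCommands = @('Get-CASMailbox')
    )
    $result = [ordered]@{}

    # Requirement: PowerShell 5.1 or later on the application server.
    $result['PSVersion']   = $PSVersionTable.PSVersion.ToString()
    $result['PSVersionOk'] = $PSVersionTable.PSVersion -ge [version]'5.1'

    # Requirement: port 443 open from this host toward Exchange (5 second timeout).
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ExchangeHost, 443, $null, $null)
        $result['Port443Ok'] = $pending.AsyncWaitHandle.WaitOne(5000) -and $client.Connected
    } catch {
        $result['Port443Ok'] = $false
    } finally {
        $client.Close()
    }

    # Connect-ExchangeOnline must be installed before the snippet can run.
    $result['ConnectCmdletOk'] = [bool](Get-Command Connect-ExchangeOnline -ErrorAction SilentlyContinue)

    # After the snippet has connected, each imported command should resolve
    # and return data without prompting for sign-in.
    foreach ($name in $RequiredCommands) {
        $ok = $false
        if (Get-Command $name -ErrorAction SilentlyContinue) {
            try {
                & $name -ResultSize 1 -ErrorAction Stop -WarningAction SilentlyContinue | Out-Null
                $ok = $true
            } catch {
                Write-Warning "$name failed: $($_.Exception.Message)"
            }
        }
        $result["SessionOk:$name"] = $ok
    }
    [pscustomobject]$result
}

Test-UemPowerShellPrereq | Format-List
```

A `False` in `SessionOk:Get-CASMailbox` while the other checks pass points at the sign-in step itself, for example a federated admin account or missing management roles.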