In the PowerShell deployment model, the Workspace ONE UEM powered by AirWatch uses a PowerShell administrator role and issues commands to the Exchange ActiveSync (EAS) infrastructure to permit or deny mobile access based on the policies defined in the Workspace ONE UEM console.

PowerShell Integration with VMware Workspace ONE UEM

The PowerShell integrated deployment is a direct model of integration that requires a simple setup with minimal infrastructure. PowerShell deployments do not require a separate email proxy server and the configuration process is simple.

PowerShell Requirements

This section details the requirements for using PowerShell with Workspace ONE UEM.

  • A service account that has Remote Shell access to Exchange Server and the minimum roles to integrate with PowerShell:
  • PowerShell minimum version of 5.1. Note, this minimum version of PowerShell is for the application servers and not the Exchange servers. To download an updated version of PowerShell, see Microsoft’s download center. To know the command used to check the version of PowerShell installed, see Server Side Session Commands section.

    Note: Selecting the roles enables all required resources or permissions needed for Workspace ONE UEM to operate. Create a custom role group with these roles.For Office 365 implementations, you must have an Exchange Admin role with the three relevant management roles mentioned earlier.
  • Access to the server-side session for Workspace ONE UEM to run Exchange commands.
  • Port 443 over which the PowerShell commands are issued from the UEM console directly to the Exchange server or through the VMware AirWatch Cloud Connector (ACC).

PowerShell Architecture

In the PowerShell model of deployment, Workspace ONE UEM adopts a PowerShell administrator role. Workspace ONE UEM issues commands to the Exchange ActiveSync (EAS) infrastructure to permit or deny email access based on the settings defined in the UEM console.

PowerShell deployments do not require a separate email proxy server, and the installation process is simple. Once installed, Workspace ONE UEM sends commands to PowerShell in accordance with the established email policies, and PowerShell runs the actions. The PowerShell model is for organizations using Microsoft Exchange 2010, 2013, 2016, 2019, or Office 365 environments.

Office 365 Environment

The diagram highlights the communications flow for an implementation with Office 365. For Office 365 implementation, VMware does not recommend routing the PowerShell traffic through the AirWatch Cloud Connector.

PowerShell Office365 Deployment

Exchange 2010/2013/2016/2019 for Workspace ONE UEM Cloud-Based Deployments

The following diagram highlights the communications flow for a cloud-based implementation with hosted Exchange 2010/2013/2016/2019 deployments. VMware recommends the installation of one AirWatch Cloud Connector per MEG Queue service to avoid processing delays.

PowerShell Cloud Deployment

Exchange 2010/2013/2016/2019 for Workspace ONE UEM On-Premises Deployments

The following diagram highlights the communications flow for an on-premises implementation with hosted Exchange 2010/2013/2016/2019 deployments.

PowerShell On_Premises Deployment

Note: If you want to enable PowerShell with an outbound proxy, then you must configure WinHTTP on the Workspace ONE UEM server to use the proxy. Workspace ONE UEM automatically uses WinHTTP proxy configuration to establish a PowerShell session.