For the Workspace ONE UEM server to start issuing the PowerShell commands, you must set up a PowerShell Admin User account on Office 365 or the Exchange Server. This user account is a service account that must also have specific roles associated to it for Workspace ONE UEM to operate.

Create an Office 365 Service Account

You must create the service account to associate with the service account all your user mailbox accounts that require protection.

For optimal performance and stability, use one MEM configuration per Organization or Exchange instance. can add a MEM configuration when migrating to Exchange Online or when additional (or new) organizations are configured in Workspace ONE.

Note: To create user mailboxes in Exchange 2016, refer create user mailboxes in Exchange 2013, refer
  1. Enter the first name, last name, display name, user name, and your email domain.
  2. Navigate to Office 365 admin center > USERS > Active Users.
  3. To add a new user, select the "+" icon. The create new user account page appears.
  4. On the create new user account page, complete the required information.
    1. Enter the first name, last name, display name, user name, and your email domain.
    2. Select Type password and enter the password for the service account.
    3. Deselect the Make this person change their password the next time they sign in check box.
    4. Enter the email address of the recipient to whom the password must be sent. Select Create.
    5. Select Close.

      Result: An Office 365 license is assigned to the service account. The service account does not require an Office 365 license to be assigned to it. You can remove the assigned license by editing the license.

  5. Select your service account from the Active users list.
  6. Select Edit next to the Assigned License. The Assigned License page appears.
  7. Deselect the check box for the assigned license. Select Save.

Assign Roles to the Office 365 Service Account

After you create a service account, use the Exchange Admin Center to create specialized roles for the service account. These roles provide Workspace ONE UEM all the permissions required to operate.

Note: You can also create custom roles for Exchange 2013 and Exchange 2016 service accounts using the Exchange Admin Center.
  1. Navigate to Exchange Admin Center > Permissions > admin roles.
  2. To create a new role group, select the "+" icon. The new role group page appears.
  3. Enter the Group Page Settings.
    Setting Description
    Name Enter the name for the role.
    Description Enter the description for the role.
    Write Scope Select Default from the drop-down menu.
    Roles Add Mail recipients, Organization Client Access, and Recipient Policiesas the roles.
    Members Select the Service Account you have created.
  4. Save the settings.
Note: If you are a Workspace ONE UEM SaaS and an Office 365 user, your configuration is complete. The remaining steps are applicable for on-premises Exchange and Workspace ONE UEM configurations.

Assign Roles to the Exchange 2010 Service Account

For Exchange 2010, you can set up a PowerShell Admin User on Exchange Management console through the Administration tab. Use permissions that can set up the PowerShell Admin user roles.

  1. Navigate to Toolbox and access the Role Based Access Control User Editor in the Exchange Management console.
  2. Once the Internet browser opens, enter in the credentials (domain or user and password) of the Exchange administrator with relevant permissions.

    Results: Signing in as the Exchange administrator creates a test role group and the roles associated to this group.

    Test role groups screen

  3. Select New to create a new role group.
  4. Add the relevant roles, Mail Recipients, Organization Client Access, and Recipient Policies. Add the Service Account you created under the Members section and then select Save to create a new role group specific to ONE UEM PowerShell Integration.

    New role group parameters screen

Configure PowerShell Endpoint in IIS

You can configure the PowerShell endpoint in IIS. The IIS acts as a gateway between the web browser and the devices that you can connect to in your environment.

Ensure that the PowerShell endpoint in IIS on the Exchange Server is configured to accept either Basic Authentication or Windows Authentication credentials.

Note: Configuring of authentication details in the IIS manager is only for Exchange 2010, 2013, 2016, and 2019. For Office 365 implementations, the Office 365 support team configures the authentication settings.
  1. In the IIS manager, expand Default Web Site and select PowerShell.
  2. Select either Basic Authentication or Windows Authentication.

    Configure authentication settings

  3. To configure the PowerShell endpoint, enter the following command on the Exchange Management Shell on the Exchange Server and on the Remote Shell on the UEM console Server.
    PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned

Configure Windows PowerShell On Workspace ONE UEM Server

To issue remote Shell commands from the UEM Console server, Windows environment must be installed and configured with PowerShell. By default the execution policy on Windows 2008 is set to the Restricted script run mode.

Note: If your deployment consists of an on-premises Workspace ONE UEM server with Office 365, you must configure the Set-ExecutionPolicy on the Workspace ONE UEM server.

If VMware AirWatch Cloud Connector is not in use, then, both the UEM console and the Device Services server requires PowerShell connectivity to the Exchange server.

  1. Change the script run mode from Restricted to RemoteSigned using the following Set-ExecutionPolicy command.
    PS C:\Windows\system32> Set-ExecutionPolicy RemoteSigned
  2. Test the configured PowerShell by connecting to the server-side session.