VMware AirWatch – The Evolution of Enterprise Mobility Management

In just a couple of short years, the way employees use mobile devices has changed drastically. Increasingly, employees bring their own devices into the workplace and connect them to corporate networks. This trend brings a new set of security, connectivity, privacy and management considerations for enterprises. The inherent risks of a “bring your own device” (BYOD) policy have given rise to mobile device management (MDM) solutions.

Mobile Device Management (MDM) ensures that employees stay productive without breaching corporate policies. MDM primarily deals with corporate data segregation, securing email, securing corporate documents on the device, enforcing corporate policies, and integrating and managing mobile devices, including laptops and handhelds of various categories.

VMware AirWatch is the leading enterprise mobility management provider. The AirWatch platform includes industry-leading mobile device, email, application, content and browser management solutions.

With AirWatch, your organization can easily deploy, configure, secure, manage and support smartphones, tablets, laptops and other devices across multiple mobile platforms and operating systems.

AirWatch Components:

Below are the key AirWatch components. The set of components changes depending on the hosting/deployment model (on-premises or SaaS).

Device Services Server – The device services server is responsible for actively communicating with the devices. AirWatch relies on device services for processing device enrollment, application provisioning, delivering commands to devices, and so on.

This server has to be reachable from the Internet. For SaaS deployments this is handled by AirWatch; for on-premises deployments the server is normally located in a DMZ, with SSL published through to the Internet and secured with a public certificate.

Console Server – Administrators use the AirWatch Admin Console, through a web browser, to secure, configure, monitor and manage their corporate device fleet. The Admin Console also typically hosts the AirWatch API, which allows external applications to interact with the MDM solution; the API provides layered security that restricts access at both the application and the user level. The console is normally placed on the internal LAN, but it can be combined with the Device Services Server.

Database Server – AirWatch stores all device and environment data in a Microsoft SQL Server database. Due to the amount of data flowing in and out of the AirWatch database, proper sizing of the Database server is crucial to a successful deployment. Additionally, AirWatch utilizes Microsoft SQL Reporting Services to report on data collected by the AirWatch solution.

AirWatch Secure Email Gateway (SEG): The AirWatch Secure Email Gateway acts as a proxy between devices and the email infrastructure. The alternative PowerShell model integrates with the email infrastructure using Windows PowerShell APIs, with secure cloud integration via the AirWatch Enterprise Integration Service (EIS).

Both models provide the ability to:

  • Configure email over-the-air
  • Block unmanaged devices
  • Discover existing unmanaged devices
  • Require device encryption
  • Block compromised devices
  • Block by mail client, user, device model or OS
  • Integrate or revoke certificates (Exchange 2003/2007 for SEG and Exchange 2010 for EIS)

AirWatch Cloud Messaging (AWCM): AirWatch Cloud Messaging (AWCM) streamlines the delivery of messages and commands from the Console and eliminates the need for end users to access the public Internet and obtain Google IDs. AWCM also serves as a comprehensive substitute for Google Cloud Messaging (GCM) for Android devices, and it is the only option that provides MDM capabilities for Windows Mobile and Symbian devices. It is typically installed on the Device Services server.

AirWatch Cloud Connector (ACC) – The AirWatch Cloud Connector (ACC) gives organizations the ability to integrate AirWatch with their back-end enterprise systems. ACC runs on the internal network, acting as a proxy that securely transmits requests from AirWatch to the organization’s critical enterprise infrastructure components. This lets organizations combine the benefits of AirWatch MDM, running in any configuration, with those of their existing LDAP, certificate authority, email and other internal systems. ACC is normally placed on the internal LAN with a direct outbound connection to the Internet so it can communicate with the AirWatch SaaS; this connection can be either direct (preferred) or via an internal proxy.

ACC integrates with the following internal components:

  • Email Relay (SMTP)
  • Directory Services (LDAP / AD)
  • Microsoft Certificate Services (PKI)
  • Simple Certificate Enrollment Protocol (SCEP PKI)
  • Email Management Exchange 2010 (PowerShell)
  • BlackBerry Enterprise Server (BES)
  • Third-party Certificate Services (on-premises only)
  • Lotus Domino Web Service (HTTPS)
  • Syslog (event log data)

AirWatch Content Gateway, formerly Mobile Access Gateway (MAG) – The AirWatch Content Gateway, together with VMware Content Locker, lets your end users securely access content from an internal repository. This means that your users can remotely access their documentation, financial documents, board books, and more directly from content repositories or internal file shares. As files are added or updated within your existing content repository, the changes will immediately be reflected in VMware Content Locker, and users will only be granted access to their approved files and folders based on the existing access control lists defined in your internal repository. Using the AirWatch Content Gateway with VMware Content Locker allows you to provide unmatched levels of access to your corporate content without sacrificing security.

The AirWatch Content Gateway supports deploying a basic endpoint model or a relay endpoint model. Use the deployment model that best fits your needs.

Both SaaS and on-premises AirWatch environments support the basic and relay-endpoint deployment models. The AirWatch Content Gateway must have a publicly accessible endpoint for devices to connect to when making a request. Basic deployment models have a single instance of AirWatch Content Gateway configured with a public DNS. Alternatively, for the relay endpoint deployment model, the public DNS is mapped to the relay server in the DMZ. This server communicates with your API and AWCM servers. For SaaS deployments, AirWatch hosts the API and AWCM components in the cloud. For an on-premises environment, the AWCM component is typically installed in the DMZ with the API.

AirWatch Content Gateway Relay, formerly Mobile Access Gateway (MAG) Relay: This is designed to be placed in a DMZ, and your external devices point at it along with the AirWatch Cloud Messaging service. This simplifies ongoing management in a DMZ scenario, as the internal ‘MAG Endpoint’ server can be left fully open to talk to all internal resources while the communication remains secure, with the relay handling connectivity between the devices, AWCM and the internal MAG. In the MAG configuration on the AirWatch management console it just needs to be told that it’s using the relay model rather than the basic endpoint.

AirWatch Tunnel – This is designed to be placed in a DMZ. The VMware Tunnel provides a secure and effective method for individual applications to access corporate resources: it authenticates and encrypts traffic from individual applications on compliant devices to the back-end systems they need to reach, serving as a relay between your mobile devices and enterprise systems. To accomplish this authentication and encryption, the VMware Tunnel uses unique certificates.
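As an added example (not AirWatch code or documentation), the network-zone placement guidance from the component descriptions above can be written down as a checklist and run against a proposed on-premises design before anything is built. The component names, zone labels and the rule that every Internet-facing listener carries a publicly trusted certificate are assumptions of this example.

```python
from dataclasses import dataclass

DMZ, LAN = "dmz", "lan"
# Placement guidance from the component descriptions above, as rules.
# zones: where the component may sit in an on-prem deployment;
# inbound: whether devices on the Internet must be able to reach it.
RULES = {
    "device_services":          {"zones": {DMZ},      "inbound": True},
    "console":                  {"zones": {LAN, DMZ}, "inbound": False},
    "database":                 {"zones": {LAN},      "inbound": False},
    "cloud_connector":          {"zones": {LAN},      "inbound": False},
    "content_gateway_relay":    {"zones": {DMZ},      "inbound": True},
    "content_gateway_endpoint": {"zones": {LAN},      "inbound": False},
    "tunnel":                   {"zones": {DMZ},      "inbound": True},
}

@dataclass(frozen=True)
class Placement:
    component: str
    zone: str
    inbound_from_internet: bool  # firewall allows Internet -> component
    cert: str = "none"           # "public", "private" or "none"

def check_design(placements):
    """Return findings for a proposed design; an empty list means it follows the guidance."""
    findings = []
    zone_of = {p.component: p.zone for p in placements}
    for p in placements:
        rule = RULES.get(p.component)
        if rule is None:
            findings.append(f"{p.component}: unknown component")
            continue
        if p.zone not in rule["zones"]:
            findings.append(f"{p.component}: in {p.zone}, expected {sorted(rule['zones'])}")
        if rule["inbound"] and not p.inbound_from_internet:
            findings.append(f"{p.component}: devices must reach it from the Internet")
        if not rule["inbound"] and p.inbound_from_internet:
            findings.append(f"{p.component}: exposed to the Internet but should not be")
        # Assumption: every Internet-facing listener needs a publicly trusted certificate
        if p.inbound_from_internet and p.cert != "public":
            findings.append(f"{p.component}: Internet-facing without a public certificate")
    # Relay model: a relay in the DMZ needs the internal endpoint it fronts
    if "content_gateway_relay" in zone_of and "content_gateway_endpoint" not in zone_of:
        findings.append("content_gateway_relay: no internal content gateway endpoint defined")
    # The console belongs in the DMZ only when co-located with Device Services
    if zone_of.get("console") == DMZ and zone_of.get("device_services") != DMZ:
        findings.append("console: in the DMZ without a co-located Device Services server")
    return findings
```

Feed it the planned placement of each server; any finding is a deviation from the placement described above that should be justified or fixed in the design review.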

I hope this is informative for you. Thanks for reading! Be social and share it on social media if you feel it is worth sharing.