VMware Workspace ONE Community
YIPKC
Enthusiast

Workspace ONE for Android SSO

Hello, I am now setting up Workspace ONE for Android SSO.

I am following the quick guide on VMware (http://pubs.vmware.com/workspace_one_aw-91/topic/com.vmware.ICbase/PDF/workspace_one_qs_guide.pdf),

but have some questions about it.

Can anyone help me?

1) In the guide, section Android SSO, step 3b:

     What should I enter for the proxy? Is it cert-proxy.vmwareidentity.com:443 or something else?

2) In step 5, what are the CA's root and intermediate certificates?

    Are they the same ones used by iOS SSO, found in Groups & Settings > All Settings > System > Enterprise Integration > VMware Identity Manager?

3) I did not enable OCSP or CRL; will it cause any problem?

Thanks very much

23 Replies
vietnguyen2304
Contributor

Check that certproxy has port 5262 open on vIDM, and configure the tunnel -> proxy mode > host proxy: vIDM:5262, dest: vIDM. Good luck :smileygrin:

pchapman
Hot Shot

Would really appreciate some input from VMware on this. It seems like the only way to get it working is by paying the fee to AirWatch professional services. Has anyone taken the VMware Identity Manager Deploy and Manage with AirWatch class yet? I see there is a section on Mobile SSO there.

VMware Identity Manager: Deploy and Manage with AirWatch

YIPKC
Enthusiast

Hi all, it's me again :smileycry:

Previously SSO was no problem with the cloud; I am now setting up an on-premises vIDM.

I opened port 5262 on the firewall, but I found that vIDM is not listening on port 5262.

This time I tried not using SSO and using a password for the Workspace ONE app.

After entering the user name and password, the app stops working and quits,

but I can log in via browser.

Do you know why?

dthacker82
Contributor

I found the guide to be horribly lacking in several key areas. I just got this to work after three weeks of trial and error, and combing all of their docs and the internet for information.

My setup:

AirWatch (SaaS), VIDM 3.1 (On-Prem), UAG 3.2

What I did:

Initial:

- Set up VIDM in the DMZ of my network. Reverse-proxying through UAG didn't work properly for the directory integration from AW to VIDM; it wanted too many URLs exposed, and I didn't feel like hunting down all of the paths necessary to make it work.

- Must have a signed SSL cert on the VIDM appliance or directory integration fails, along with all kinds of other stuff.

- Set up AW to integrate the directory information with VIDM.

- Set up VIDM to connect to AW, following their guide on creating the account in AW for cert auth, making sure that the asXXX.awmdm.com URL is used in the VIDM setup (they don't specify WHICH URL to use for SaaS clients, given that there are multiple URLs, and they all perform different functions. This took a couple of weeks to determine.)

- Enabled Password Auth (AirWatch Connector), verified it worked (Step 1 - success!). If enabling it doesn't work (500 error) you have an error in your AirWatch config in VIDM.

AirWatch:

- Configured a VMware Tunnel (app-level) from AW to a UAG appliance on my network using AW certs. The "test" option on the AW portal doesn't work reliably; I had to audit the UAG logs to verify that the tunnel was indeed UP, because the green light did not always indicate the tunnel was functioning properly. UAG is smart enough to pull the API URL from the cnXXX.awmdm.com URL in the configuration; not sure why VIDM can't do the same. You can see this in the UAG logs.

- I have the AW ECC installed on a server on my LAN, so I enabled Microsoft Certificate Services, which forced me to re-download and reinstall the connector. Stupid AW.

- Followed the AW guides for creating the AW certificate types for both Android and iOS, since they are totally different, and highly specific. For Android, I ended up using EnrollmentUser as the subject CN, and Email and UPN in the SAN. The iOS cert properties are explicit, and I didn't find any deviations in their guides. Published both templates.

- Added my CA to AW, added both cert templates.

- SSH into the VIDM appliance, followed steps to initialize the KDC service. I initially screwed up and set the realm to my entire subdomain (vidm.myorg.org) and it didn't work in testing, so I had to blow away the appliance and reconfigure from scratch, making sure the realm was just myorg.org and I specified the --subdomain parameter as vidm.myorg.org. Created external DNS entries for Kerberos as in the guide. Went to the iDM connector, exported the KDC certificate.

- Created new profiles for Android and iOS, following the instructions in the guide for each type. VPN setup is the same, cert issuance is different, and iOS requires SSO to be configured as well.

- Added VMware Tunnel, VMware Browser, and Workspace ONE as Public apps, published Browser and Workspace ONE as VPN tunnel apps (IMPORTANT!) to the created profiles.

- Created a traffic rule for WSONE Android to PROXY the traffic to my VIDM server on port 5262 with a destination of my VIDM server. For the iOS WSONE app, I set it to BYPASS.

VIDM:

- SSH into the appliance and run /opt/vmware/certproxy/bin/enable-cert-proxy.sh as root. This actually sets up the certproxy service, creates firewall rules, and enables the service.

- Enable Mobile SSO for Android, using the AWVPNDeviceRoot certificate as the trusted root. I kept getting 'certificate not trusted' errors in the logs until I made this the trusted root (because it's coming in over a VPN tunnel.)

- I disabled OCSP and CRL, as MS CAs use LDAP for their CRL and VIDM doesn't support it. Also, VIDM could read my user name from the subject line of the certificate, but could not authenticate me. I had to set the User Identifier Search to UPN, as it refused to find email as valid, and couldn't authenticate based on the username in the cert subject line. Validate UPN Format doesn't seem to matter.

- For Mobile SSO for iOS, I used the certificate for my internal root CA, although I don't know if it matters or not since it uses Kerberos, and you've already uploaded the KDC cert to the device. I disabled OCSP.

- The Workspace ONE app presents itself initially as a Web Browser to VIDM, not as the "Workspace ONE App" when setting policy rules. This took me a lot of trial and error in testing to figure out. Also, once a device has connected successfully to port 5262, traffic is now seen as coming from 127.0.0.1 and not the address of the UAG device. This makes setting access policies a bit tricky, because, well, now it's coming from somewhere else.

- I ended up setting a network range just for my UAG and 127.0.0.1 which handles Android Mobile SSO, because that's where it's going to come from. I set a generic Web Browser rule to start with iOS Mobile SSO, because iOS devices are going to be coming in like normal web browser traffic. In theory, you could set AW to TUNNEL the traffic from the iOS WSONE app, and set a rule for your UAG IP to process iOS Mobile SSO first, then Android SSO (since Android will ignore the Kerberos challenge, and the cert proxy process takes much longer), but I haven't tested that yet.

With the setup above, the VMware Tunnel app is required, but once it is installed, you can use the Workspace ONE app to SSO to VIDM on both Android and iOS devices. If you add the Safari com reference in the SSO setup in your AW profile, you can SSO to VIDM through Safari as well with no problems, if your traffic rule allows access. I set my AW profiles to make the VMware Tunnel a mandatory app, and for iOS, it asks to install during enrollment. Android makes you download it manually. Tested on a Samsung S7 Edge / Android 7.0 and an iPhone 6S running iOS 10.2 and upgraded to 11.2.5.

VIDM SaaS is a different story, from what I understand, so I can only speak to on-prem VIDM. Any questions, please ask!

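The identifier problem described in the post above (vIDM could read the user name from the certificate but only authenticated once User Identifier Search pointed at the UPN) comes down to what the issued template actually puts in the Subject Alternative Name. The following Python is an added example, not code from this thread or from VMware: it walks a DER-encoded SAN extension value, collects the rfc822Name entries and the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3), and reports which value an identifier search would find. The sample SAN is constructed inline, and `pick_user_identifier` with its `UPN`/`Email`/`SubjectCN` modes is an assumed model of the lookup, not vIDM's own API.

```python
"""Inspect the SAN of a client certificate before pointing vIDM at it.

Added example, not code from this thread or from VMware. It walks a
DER-encoded SubjectAltName value, collects rfc822Name entries and the
Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3), and reports which
value an (assumed) identifier search mode would find. Everything below,
including the sample SAN, is constructed here.
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name otherName


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID contents into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_san(der):
    """Return the email, UPN and DNS names carried by a SAN extension value."""
    tag, names, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SAN must be a SEQUENCE OF GeneralName")
    found = {"email": [], "upn": [], "dns": []}
    pos = 0
    while pos < len(names):
        tag, val, pos = _read_tlv(names, pos)
        if tag == 0x81:                     # [1] rfc822Name
            found["email"].append(val.decode("ascii"))
        elif tag == 0x82:                   # [2] dNSName
            found["dns"].append(val.decode("ascii"))
        elif tag == 0xA0:                   # [0] otherName { OID, [0] EXPLICIT value }
            _, oid_raw, p = _read_tlv(val, 0)
            _, wrapper, _ = _read_tlv(val, p)
            _, text, _ = _read_tlv(wrapper, 0)  # UTF8String inside the wrapper
            if _decode_oid(oid_raw) == UPN_OID:
                found["upn"].append(text.decode("utf-8"))
    return found


def pick_user_identifier(subject_cn, san, search="UPN"):
    """Assumed model of the identifier lookup: the value the configured
    search mode would use, or None when the cert lacks that field (a valid
    cert that still cannot authenticate the user)."""
    if search == "UPN":
        return san["upn"][0] if san["upn"] else None
    if search == "Email":
        return san["email"][0] if san["email"] else None
    if search == "SubjectCN":
        return subject_cn
    raise ValueError("unknown search mode: %s" % search)


# --- Minimal DER encoder, only used to construct the sample SAN below ---

def _tlv(tag, contents):
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return out


def build_sample_san(email, upn=None):
    """Constructed sample SAN: rfc822Name plus an optional UPN otherName."""
    body = _tlv(0x81, email.encode("ascii"))
    if upn is not None:
        body += _tlv(0xA0, _tlv(0x06, _encode_oid(UPN_OID))
                     + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8"))))
    return _tlv(0x30, body)


if __name__ == "__main__":
    # Template issued with Email and UPN in the SAN (as in the post above)
    good = parse_san(build_sample_san("jdoe@myorg.org", "jdoe@myorg.org"))
    print(good, pick_user_identifier("EnrollmentUser", good, "UPN"))
    # Template issued with email only: a UPN search finds nothing
    bad = parse_san(build_sample_san("jdoe@myorg.org"))
    print(bad, pick_user_identifier("EnrollmentUser", bad, "UPN"))
```

To use this against a real device certificate, extract the raw SubjectAltName extension value from the DER and pass it to `parse_san`; an empty `upn` list with a UPN search mode configured is the exact mismatch the post describes, and is worth checking on the issued template before touching the identity provider settings.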