7.2.0

Configuring the Workspace ONE integration in EMS

To configure the Workspace ONE integration in EMS:
  1. In EMS, go to System Settings > MDM Integration.
  2. Click Enable MDM Integration.
  3. In the Site URL field, enter your site URL. Workspace ONE is a software-as-a-service deployment and each enterprise has a unique URL. The URL format is https://<unique identifier>.awmdm.com/api.
  4. In the Smart Group Name field, enter the name of the Workspace ONE assignment (smart) group that contains the mobile devices to which EMS issues zero trust network access (ZTNA) certificates. Only devices in this group are enrolled; use a group scoped to the devices that need ZTNA rather than an all-devices group.
  5. Do one of the following:
    1. To configure basic authentication, do the following:
      1. For Authorization Type, select Basic Auth.
      2. In the API Key field, enter the key that you copied.
      3. In the Username and Password fields, enter your Workspace ONE credentials.
    2. To configure certificate-based authentication, do the following:
      1. From the Authorization Type dropdown list, select Certificate.
      2. In the API Key field, enter the key that you copied.
      3. In the Certificate field, provide the certificate that you exported from the Workspace ONE console.
      4. In the Password field, enter the password that you configured.
    3. To configure OAuth authentication, do the following:
      1. From the Authorization Type dropdown list, select OAuth 2.0.
      2. From the Region dropdown list, select the geographic region in which your Workspace ONE tenant is hosted. VMware operates a separate OAuth token server per region, and the token request is sent to the server for the region you select, so a mismatched region fails in the same way as a wrong client secret.
      3. In the Client ID and Client Secret fields, enter the values that you copied in Creating a client secret for OAuth 2.0 authentication. These values prove the EMS identity when making Workspace ONE API calls.
  6. Click Test Connection to verify that EMS can communicate with Workspace ONE. The mobile device management (MDM) proxy service uses the authentication parameters to attempt to retrieve an OAuth token and then searches for the configured smart group. The http://localhost:50001 URL in the messages below is the EMS-local MDM proxy endpoint that EMS calls; the HTTP 400 comes from the proxy, and the text after MDM Proxy Error 1002 is the underlying Workspace ONE failure. The following summarizes errors that you may see if the configuration is incorrect, and the steps that you can take:

    Error: HTTP Error: 400 Client Error: Bad Request for url: http://localhost:50001/vendors/airwatch/apiaccess/test. MDM Proxy Error 1002: adapter failed to retrieve access info: invalid client ID/secret or region
    Steps: Confirm that the Client ID, Client Secret, and Region match the values issued in the Workspace ONE console. A wrong region sends the token request to the wrong token server and produces this same error.

    Error: HTTP Error: 400 Client Error: Bad Request for url: http://localhost:50001/vendors/airwatch/apiaccess/test. MDM Proxy Error 1002: adapter failed to retrieve access info: failed to search smart group: invalid url
    Steps: You did not enter the unique enterprise URL. Confirm that the URL format is https://<unique identifier>.awmdm.com/api.

    Error: HTTP Error: 400 Client Error: Bad Request for url: http://localhost:50001/vendors/airwatch/apiaccess. MDM Proxy Error 1002: adapter failed to integrate: failed to create system custom attribute EMS_SCEP_FCTUID: User doesn't have sufficient permissions to perform this operation.
    Steps: Confirm that you selected the console administrator role when creating the client ID and secret in Workspace ONE. This role contains the minimum permissions necessary; a more restricted role cannot create the EMS_SCEP_FCTUID custom attribute that EMS needs. See Creating a client secret for OAuth 2.0 authentication.
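The following preflight script is an added example and is not Fortinet's or VMware's code. It checks the Site URL against the format given in step 3, builds the Basic Auth and OAuth 2.0 credentials the way the Workspace ONE UEM REST API expects them, replays the two calls that Test Connection makes (token request, then smart group search) through an injectable transport so it can be exercised offline, and maps the MDM Proxy Error 1002 texts from the table above to the corresponding steps. The per-region OAuth token hosts, the `aw-tenant-code` header for the API key, the `/mdm/smartgroups/search` path and the `SmartGroups`/`Name` response fields are assumptions about the Workspace ONE API, not statements from this page; confirm them in your own console before relying on the script.

```python
"""Preflight for the EMS <-> Workspace ONE integration (added example, not vendor code)."""
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Page: the Site URL format is https://<unique identifier>.awmdm.com/api
SITE_URL_RE = re.compile(r"^https://[A-Za-z0-9][A-Za-z0-9-]*\.awmdm\.com/api/?$")

# ASSUMPTION: one OAuth token server per Workspace ONE region. Confirm the
# host for your tenant in the Workspace ONE console before relying on these.
TOKEN_ENDPOINTS = {
    "na": "https://na.uemauth.vmwservices.com/connect/token",
    "emea": "https://emea.uemauth.vmwservices.com/connect/token",
    "apac": "https://apac.uemauth.vmwservices.com/connect/token",
}

# Error substrings from the page's table -> the step the page gives for each.
REMEDIATION = [
    ("invalid client ID/secret or region",
     "Re-enter the Client ID, Client Secret and Region exactly as issued by Workspace ONE."),
    ("failed to search smart group: invalid url",
     "Site URL is not the unique enterprise URL; use https://<unique identifier>.awmdm.com/api."),
    ("User doesn't have sufficient permissions",
     "Recreate the OAuth client with the console administrator role (the minimum permissions)."),
]


def validate_site_url(url: str) -> bool:
    """True only for a tenant-specific Workspace ONE API base URL over HTTPS."""
    return SITE_URL_RE.match(url.strip()) is not None


def basic_auth_headers(api_key: str, username: str, password: str) -> dict:
    """Headers for the Basic Auth option: HTTP Basic plus the tenant API key
    (ASSUMPTION: Workspace ONE reads the API key from the aw-tenant-code header)."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {cred}", "aw-tenant-code": api_key, "Accept": "application/json"}


def oauth_token_request(region: str, client_id: str, client_secret: str):
    """(url, body, headers) for the client-credentials grant in the chosen region."""
    if region not in TOKEN_ENDPOINTS:
        raise ValueError("invalid client ID/secret or region")
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    return TOKEN_ENDPOINTS[region], body, {"Content-Type": "application/x-www-form-urlencoded"}


def smart_group_search_request(site_url: str, api_key: str, token: str, group_name: str):
    """(url, headers) for the smart group lookup. A malformed Site URL is rejected
    before anything is sent, mirroring the proxy's 'invalid url' error."""
    if not validate_site_url(site_url):
        raise ValueError("failed to search smart group: invalid url")
    query = urllib.parse.urlencode({"name": group_name})
    url = f"{site_url.rstrip('/')}/mdm/smartgroups/search?{query}"  # ASSUMPTION: search path
    headers = {"Authorization": f"Bearer {token}", "aw-tenant-code": api_key, "Accept": "application/json"}
    return url, headers


def remediation_for(error_text: str) -> str:
    """Map an MDM Proxy Error 1002 text to the step the page gives for it."""
    for needle, advice in REMEDIATION:
        if needle in error_text:
            return advice
    return "Unrecognised MDM proxy error; check the EMS MDM proxy service log."


def _urllib_send(method, url, body, headers):
    """Default transport: returns (HTTP status, decoded JSON body or {})."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as exc:
        return exc.code, {}


def check_connection(site_url, region, client_id, client_secret, api_key, group_name, send=_urllib_send):
    """Replays what EMS Test Connection does for OAuth 2.0: fetch a token, then
    search the smart group. Returns (ok, message); secrets are never echoed."""
    try:
        url, body, headers = oauth_token_request(region, client_id, client_secret)
        status, payload = send("POST", url, body, headers)
        if status != 200 or "access_token" not in payload:
            raise ValueError("invalid client ID/secret or region")
        url, headers = smart_group_search_request(site_url, api_key, payload["access_token"], group_name)
        status, payload = send("GET", url, None, headers)
    except ValueError as exc:
        return False, remediation_for(str(exc))
    if status == 403:
        return False, remediation_for("User doesn't have sufficient permissions")
    groups = payload.get("SmartGroups", []) if status == 200 else []  # ASSUMPTION: response shape
    if not any(g.get("Name") == group_name for g in groups):
        return False, f"Smart group {group_name!r} not found (HTTP {status})"
    return True, "ok"
```

With a fake `send` the replay verifies offline that the Bearer token and the API key header reach the smart group call and that each failure mode maps to the right step; with the default transport it performs the real check from a host that can reach Workspace ONE, which is useful when EMS itself sits behind an egress proxy and the 400 from the local MDM proxy hides the real cause.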
