VMware AirWatch PowerShell Integration Guide


  • VMware AirWatch PowerShell Integration Guide

    Securing your email infrastructure

    Workspace ONE UEM v9.5

    Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

    Copyright © 2018 VMware, Inc. All rights reserved. This product is protected by copyright and intellectual property laws in the United States and other countries as well as by international treaties. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.

    VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

    VMware AirWatch PowerShell Integration Guide | v.2018.06 | June 2018


  • Table of Contents

    Chapter 1: Overview
    PowerShell Integration with VMware AirWatch
    PowerShell Requirements
    PowerShell Architecture

    Chapter 2: PowerShell Implementation Prerequisites
    Set up the PowerShell Admin User
    Configure PowerShell Endpoint in IIS
    Configure Windows PowerShell On Workspace ONE UEM Server

    Chapter 3: PowerShell Implementation
    Enable PowerShell Integration in Workspace ONE UEM
    Configure Exchange to Block or Quarantine Devices

    Chapter 4: Server-Side Session
    Server-Side Session Commands

    Chapter 5: Email Management
    Manage Emails Through PowerShell
    Email Security Policies for PowerShell Integration
    Device Discovery
    Email Dashboard
    Email List View

    Chapter 6: Cmdlets Executed by AirWatch
    Cmdlets

    Chapter 7: Multiple PowerShell Deployments
    Multiple PowerShell Deployments


  • Chapter 1: Overview

    PowerShell Integration with VMware AirWatch

    PowerShell Requirements

    PowerShell Architecture


  • PowerShell Integration with VMware AirWatch

    The PowerShell integrated deployment is a direct model of integration that requires a simple setup with minimal infrastructure. In the PowerShell model, Workspace ONE UEM uses a PowerShell administrator role and issues commands to the Exchange ActiveSync (EAS) infrastructure to permit or deny mobile access based on the policies defined in the Workspace ONE UEM console. PowerShell deployments do not require a separate email proxy server and the configuration process is simple.

    PowerShell Requirements

    This section explains the requirements for using PowerShell with Workspace ONE UEM.

    - A service account that has Remote Shell access to Exchange Server and the minimum roles to integrate with PowerShell:

      - Organization Client Access Role

      - Mail Recipients Role

      - Recipient Policies Role (only needed when managing Windows Phone 7 and BlackBerry devices)

    - PowerShell minimum version of 3.0. Note that this minimum version of PowerShell applies to the application servers and not to the Exchange servers. To download an updated version of PowerShell, see Microsoft's download center. For the command used to check the installed version of PowerShell, see Server-Side Session Commands on page 22.

    Note: Selecting the roles enables all required resources or permissions needed for Workspace ONE UEM to operate. Create a custom role group with these roles.

    For Office 365 implementations, you must have an Exchange Admin role with the three relevant management roles mentioned earlier.

    - Access to the server-side session for Workspace ONE UEM to run Exchange commands.

    - Port 443 over which the PowerShell commands are issued from the UEM console directly to the Exchange server or through the VMware Enterprise Systems Connector.
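
The minimum-role requirement above can be checked mechanically. The following added example (not part of the VMware guide) compares a service account's assigned management roles against the roles listed here; the function name and the sample assignment are hypothetical, and the role names are written without the "Role" suffix, as Exchange names them.

```powershell
# Added example (not from the VMware guide). Role names are the Exchange
# management roles the guide lists; the sample assignment is constructed.
function Compare-UemServiceAccountRoles {
    [CmdletBinding()]
    param(
        # Role names currently assigned to the service account, for example the
        # Role values returned by Get-ManagementRoleAssignment -RoleAssignee.
        [Parameter(Mandatory = $true)]
        [AllowEmptyCollection()]
        [string[]]$AssignedRoles,

        # Set when Windows Phone 7 or BlackBerry devices are managed.
        [switch]$ManagesLegacyDevices
    )

    $required = @('Organization Client Access', 'Mail Recipients')
    if ($ManagesLegacyDevices) { $required += 'Recipient Policies' }

    # Normalize whitespace and drop duplicates (an account can hold the same
    # role through more than one role group).
    $assigned = @($AssignedRoles | ForEach-Object { $_.Trim() } |
                  Where-Object { $_ } | Sort-Object -Unique)

    $missing = @($required | Where-Object { $assigned -notcontains $_ })
    $excess  = @($assigned | Where-Object { $required -notcontains $_ })

    [pscustomobject]@{
        Required  = $required
        Missing   = $missing   # roles the guide requires that are absent
        Excess    = $excess    # privileges beyond the documented minimum
        Compliant = ($missing.Count -eq 0 -and $excess.Count -eq 0)
    }
}

# Constructed sample: the account also holds an unrelated role.
$sample = @('Mail Recipients', 'Organization Client Access', 'Mailbox Import Export')
Compare-UemServiceAccountRoles -AssignedRoles $sample | Format-List
```

Any entry under Excess is a candidate for removal from the custom role group, since the guide states that the listed roles are sufficient for Workspace ONE UEM to operate.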

    Disclaimer: Integration with a third-party product is not guaranteed and is dependent upon the proper functioning of those third-party solutions.

    PowerShell Architecture

    In the PowerShell model of deployment, Workspace ONE UEM adopts a PowerShell administrator role. Workspace ONE UEM issues commands to the Exchange ActiveSync (EAS) infrastructure to permit or deny email access based on the settings defined in the UEM console.

    PowerShell deployments do not require a separate email proxy server, and the installation process is simple. Once installed, Workspace ONE UEM sends commands to PowerShell in accordance with the established email policies, and PowerShell runs the actions. The PowerShell model is for organizations using Microsoft Exchange 2010, 2013, 2016, or Office 365 environments.

    Office 365

    The diagram highlights the communications flow for an implementation with Office 365. For Office 365 implementation, Workspace ONE UEM does not recommend routing the PowerShell traffic through the VMware Enterprise Systems Connector.

    Exchange 2010/2013/2016 for Workspace ONE UEM Cloud-Based Deployments

    The following diagram highlights the communications flow for a cloud-based implementation with hosted Exchange 2010/2013/2016 deployments. Workspace ONE UEM recommends installation of one VMware Enterprise Systems Connector per MEGQ server to avoid processing delays.


  • Exchange 2010/2013/2016 for Workspace ONE UEM On-Premises Deployments

    The following diagram highlights the communications flow for an on-premises implementation with hosted Exchange 2010/2013/2016 deployments.

    Note: If you want to enable PowerShell with an outbound proxy, then you must configure WinHTTP on the Workspace ONE UEM server to use the proxy. Workspace ONE UEM automatically uses WinHTTP proxy configuration to establish a PowerShell session.


  • Chapter 2: PowerShell Implementation Prerequisites

    Set up the PowerShell Admin User

    Configure PowerShell Endpoint in IIS

    Configure Windows PowerShell On Workspace ONE UEM Server


  • Set up the PowerShell Admin User

    For the Workspace ONE UEM server to start issuing the PowerShell commands, you must set up a PowerShell Admin User account on Office 365 or the Exchange Server. This user account is a service account that must also have specific roles associated with it for Workspace ONE UEM to operate.

    Create an Office 365 Service Account

    You must create the service account so that all your user mailbox accounts that require protection can be associated with it.

    Note: To create user mailboxes in Exchange 2016, refer to https://technet.microsoft.com/en-us/library/jj991919(v=exchg.160).aspx. To create user mailboxes in Exchange 2013, refer to https://technet.microsoft.com/en-IN/library/jj991919(v=exchg.150).aspx.

    To create a service account in Office 365:

    1. Log in to your Office 365 as an administrator.

    2. Navigate to Office 365 admin center > USERS > Active Users.

    3. To add a new user, select the "+" icon. The create new user account page appears.

    4. On the create new user account page:

    a. Enter the first name, last name, display name, user name, and your email domain.

    b. Select Type password and enter the password for the service account.

    c. Deselect the Make this person change their password the next time they sign in check box.

    d. Enter the email address of the recipient to whom the password must be sent. Select Create.

    e. Select Close.

    An Office 365 license is assigned to the service account. The service account does not require an Office 365 license to be assigned to it. You can remove the assigned license by editing the license.

    5. Select your service account from the Active users list.

    6. Select Edit next to the Assigned License. The Assigned License page appears.

    7. Deselect the check box for the assigned license. Select Save.

    Assign Roles to the Office 365 Service Account

    After you create a service account, use the Exchange Admin Center to create specialized roles for the service account. These roles provide Workspace ONE UEM all the permissions required to operate.

    Note: You can also create custom roles for Exchange 2013 and Exchange 2016 service accounts using the Exchange Admin Center.


  • To assign roles to the service account:

    1. Navigate to Exchange Admin Center > Permissions > admin roles.

    2. To create a new role group, select the "+" icon. The new role group page appears.

    3. Enter the