Modelling the organization in AirWatch

mrxx2001 (joined Mar 28, 2012):

Hi folks,

we have just started a trial period with AirWatch and I'm currently thinking about how to utilize the location groups / child groups / locations concept in order to reflect our enterprise's organization.

We are a global company, so we have at least two dimensions, organizational hierarchy and geography. We also have organizational structures spanning multiple locations and countries, which conflicts with the traditional organizational hierarchy.

Of course every enterprise is different, so I'm asking here for best-practice approaches on how to find the best solution for each individual enterprise. What are the key questions which might support finding the right way? Or should we just start with one group and then grow?

It's difficult, as I cannot foresee what might easily be adjustable in the future (given you have hundreds of devices enrolled and several policies in place) and what might not.

Talking about AirWatch: the 'activation code' assigned to each location group seems to have a key role. My first idea was to think about which devices have the same requirements on policies etc. (e.g. non-personal devices being used at fairs or exhibitions), then create a location group for those devices, so the owners can easily enroll them just by using the correct activation code for the "fairs" location group... But I'm still not sure. The AW documentation is not very sophisticated, missing all the conceptual considerations...

Any comments from your side?

EllisZ (joined Oct 17, 2011): Suggestions / ideas


Hi!

You've raised some great questions that are certainly the right questions to consider when building out a major MDM implementation for your organization.

Starting with the end of your inquiry first: Creating a separate location group for fairs, and demo units is precisely the correct approach here and you appear to understand the concept of activation codes. Yes, you can use activation codes to direct devices to enroll into predefined organizational groups.

One approach that might work for you is to look at what global policies you feel should apply to your entire organization. Security is often a major consideration, so password policies often come into play at this level. For example: if you know that every device in your organization is required to have a passcode applied, regardless of location, then this would be a good policy to apply at the top level. By doing so, the policy will be inherited by all subordinate location groups. Another policy that might be applied at this level would be one to encrypt backups.

From here you can begin to look at location group specific policies. Many times (but not always) this will mirror the structure of your Active Directory tree. Some location group specific policies might include wi-fi or VPN configurations. If you are using our Secure Content Locker, you might want to use a location group to send down location or job specific documents to devices in that group.

Please feel free to reach out to me and we can discuss specific implementation scenarios. I'm always happy to help with this sort of planning.

Regards,
Ellis Zsoldos Jr.
Professional Services
Air-Watch

Aaron Freimark (joined Nov 6, 2010):


Personally, I've found that I start out one way, then reorganize the hierarchy another way after I get my feet wet. Also, as more features are added to the MDM spec, you may want more granularity in your divisions, and more "dimensions" as you put it clearly.

The smart groups in Casper Suite are unmatched for this sort of organizational flexibility. But you can also probably find what you want by using the "Device Ownership" key in AirWatch, and similar tags or keys in other systems. These live outside the main hierarchy and offer at least a hint of another dimension.

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO

mrxx2001 (joined Oct 15, 2011): Findings / more integration...


Thank you guys for sharing your thoughts,

in the meantime we have identified some more challenging issues (see below), so the organizational model is not my top priority any longer, hehe ;)

However, I have decided not to model the whole organisation in terms of geographical locations and/or organizational units, because both are not relevant criteria for differentiation. I will start now with the subsidiaries on the first hierarchy level (different subsidiaries might need different admins and the legal situation might be different), and the _ownership_ on the second level (most important because of different data / privacy protection policies for employee-owned and company-owned devices). On the third level I have some functional units, but that might be subject to ongoing change...

OK, next challenge:

We have a quite complex and huge infrastructure, including MS Active Directory (global user repository) and Lotus Notes (email, calendar). We have been toying around before with the Notes Traveller Server for bringing corporate emails to private iPads. In our bright MDM future we want to switch to client certificate based authentication against the Notes / Traveller infrastructure, requiring us to create the client certs somewhere (??? Don't have a PKI or CA in place yet) and bring them onto the devices via the MDM solution.

So what is the best practice for this situation? What kind of CA do we have to set up? How to bring all components (MDM / CA / Notes Traveller) together? How to customize the relevant iOS configuration profile parts? What's the role of SCEP...

The AW documentation explains some integration scenarios (including Notes Traveller) but not on a sufficient level of detail, particularly does not focus on the CA stuff...

Any comments? Best practices? Examples?

Regards

AirWatch (joined Feb 23, 2011):


AirWatch provides a robust Certificate Management engine to leverage your existing PKI for comprehensive mobile device security. In choosing the Certificate Authority for your deployment you should consider the devices, machines, and users that will receive these certificates and for what types of authentication. AirWatch can integrate with your onsite SCEP server or Microsoft CA as well as offsite CAs.

Based on your requirements above, a typical deployment may look like the following:
The AirWatch server would be configured to request certificates directly from your certificate authority on behalf of the devices or users. Those certificates would then be deployed and installed on the devices to use for mail authentication, specifically with your Lotus Notes server. An important piece to consider is configuring the CA template to match the certificate type that the Lotus server is looking for. AirWatch offers a range of Professional Services to help design and deploy a mobile device PKI behind your firewall.

The AirWatch Team

mrxx2001 (joined Oct 15, 2011): Sure...


Sure. I have read all documents about AW's general capabilities and I also understand what the integration scenario looks like from a top-level perspective. I'm also convinced that AW's professional service would do a good job and get it running.

The issue for me as a trial user is that it's nearly impossible to understand the details of all of this just by reading the AW documentation. It's not too bad, for sure, but not detailed enough for me as an admin. Even if we wouldn't do it all ourselves (we don't have the internal capacity at all), I want to understand it and, what's more important, for me high-quality in-depth documentation is the most important quality criterion of every software product.

Do you think that an IT professional would be able to set up a complex AW scenario if the only help he had was the provided documentation? I don't....

Aintgotnodukes (joined Dec 20, 2011): So true Mrx


The answer is no, you cannot set it up with the documentation provided. And you will never see a manual; you do not get any documentation that has details, it's all very frustrating. And then you start to ask questions about best practices and structuring and they want more money to help you. If you are lucky you might get some PDFs that are really no help. Or a very friendly pro services rep who will get back to you on that. I understand that in this fast-paced environment things change and documentation falls out of date quickly, but throw an IT person a bone with proper documentation of your software. What does what and where to find it.

Also, what is not mentioned anywhere is the user interaction. The app calls for your attention on the device, then when you open it it just says 're-enroll'? (You really do not need to do anything, it's the device checking in or the app updating.) But the end user who is not used to this type of notification is confused, so they call you and ask why, and want to know what to do and when it will happen again. And you don't know! It's not in the app, it's not in the PDFs. This is just one little user. Imagine 5000 of them calling and asking the exact same thing. And if you change any profile it might call for more user interaction. It 'might', you don't know till you try it, because it's not in the invisible manual you did not get.

OK, I like the product but just need more on understanding what's going on behind the scenes.

mrxx2001 (joined Oct 15, 2011): Same experience, @Aintgotnodukes


Still toying around with AirWatch here.... the deeper I get into it, the more the software impresses me. Really good, but they don't make one's life easy. Documentation (both PDF and online) is good at first sight, but poor when it comes to the details. User administration, AD / LDAP integration, enrollment methods (token vs. user/pass)... everything seems to work, but you have to figure it out on your own.

The problem is not paying for consulting, the problem is to GET consulting. Maybe it's better if you're located in the US, but I'm not. And, I agree with @Aintgotnodukes, I'd like to pay for consulting but I also want to understand the mechanisms and look behind the scenes.

In contrast, the documentation of MDM monster Afaria is really impressive, e.g. explaining even the details of configuring a Windows-based CA. Go and check the AW docs for configuring the CA and the Certificate Template... ridiculous.

And where the f* is the Secure Content Locker in 5.16???

Hope it's getting significantly better before our final decision round starts...

Asha (joined Feb 28, 2014): Suggestions / Ideas


We are using AirWatch and have set up 500 users with general location groups and sub-groups, with various device platforms, and the policies are tagged correspondingly. Now we have done the AD integration, and we need some guidance on the integration and how it can work with our current AD infrastructure and the existing groups.
Do we require changes in our AirWatch grouping structure, or do we need additional implementation in AD? I have already created an OU in AD for AirWatch; is this the right way to do this based upon the flat structure of our AD?

I am really looking to you to come up with some options on how this should be done and with what benefits each provides, along with any disadvantages, if any.

Any comments? Best practices? Examples?
