AirWatch Topology Overview
The AirWatch software suite is composed of multiple components that work in conjunction to provide a complete mobile device solution. These sections outline each component and give a short summary of its role to aid in understanding the AirWatch architecture.
Administrators use the AirWatch Console through a Web browser to secure, configure, monitor, and manage their corporate device fleet. The Admin Console also typically contains the AirWatch API, which allows external applications to interact with the MDM solution; this API provides layered security to restrict access both on an application and user level.
Device Services are the components of AirWatch that actively communicate with devices. AirWatch relies on this component for processing:
- Device enrollment.
- Application provisioning.
- Delivering device commands and receiving device data.
- Hosting the AirWatch Self-Service Portal, which device users can access (through a Web browser) to monitor and manage their devices in AirWatch.
AirWatch Cloud Messaging (AWCM)
AirWatch Cloud Messaging (AWCM) is used in conjunction with the VMware Enterprise Systems Connector to provide secure communication to your back-end systems. VMware Enterprise Systems Connector uses AWCM to communicate with the AirWatch Console.
AWCM also streamlines the delivery of messages and commands from the AirWatch Console by eliminating the need for end users to access the public Internet or utilize consumer accounts, such as Google IDs. It serves as a comprehensive substitute for Google Cloud Messaging (GCM) for Android devices and is the only option for providing Mobile Device Management (MDM) capabilities for Windows Rugged devices.
It is typically installed on the Device Services server for deployments up to 50,000 devices.
AWCM simplifies device management by offering the following benefits:
- Enabling secure communication to your back-end infrastructure through the VMware Enterprise Systems Connector.
- Enabling AirWatch Windows Protection Agent real-time communication.
- Removing the need for third-party IDs.
- Delivering AirWatch Console commands directly to Android and Windows Rugged devices.
- Enabling the ability for remote control and file management on Android Samsung Approved for Enterprise (SAFE) and Windows Rugged devices.
- Enabling the ability to send remote commands such as device wipe and device lock to macOS and Windows 7 devices.
- Increasing the functionality of internal Wi-Fi only devices by enabling push notification in certain circumstances.
Additional information about AWCM requirements, setup and installation can be found in the VMware AirWatch AWCM Guide, available on AirWatch Resources.
The AirWatch API component comprises REST (Representational State Transfer) and SOAP (Simple Object Access Protocol) APIs. These APIs are intended for developers who create their own applications to invoke AirWatch functionality and use the information stored in their AirWatch environment.
When developing any new applications, AirWatch recommends the use of Version 2 of the REST API, both for ease of use and for optimal support long-term.
AirWatch stores all device and environment data in a Microsoft SQL Server database. Due to the amount of data flowing in and out of the AirWatch database, proper sizing of the database server is crucial to a successful deployment.
For more information on system configurations, see the VMware AirWatch Installation Guide, available on AirWatch Resources, or consult with your AirWatch representative.
VMware Identity Manager Service
AirWatch relies on the VMware Identity Manager Service to handle the Workspace ONE functionality including app catalog, conditional access, and Single Sign-On.
The VMware Identity Manager Service provides:
- Application provisioning
- Self-service catalog
- Conditional access controls
- Single Sign-On functionality
For more information on configuring the VMware Identity Manager service, see the VMware Identity Manager Administration Guide, available here: https://www.vmware.com/support/pubs/identitymanager-pubs.html.
VMware Enterprise Systems Connector
VMware Enterprise Systems Connector provides organizations the ability to integrate AirWatch and VMware Identity Manager with their back-end enterprise systems. VMware Enterprise Systems Connector runs in the internal network, acting as a proxy that securely transmits requests from AirWatch and VMware Identity Manager to critical enterprise infrastructure components. This allows organizations to harness the benefits of AirWatch Mobile Device Management (MDM) and VMware Identity management, together with those of their existing LDAP, certificate authority, email, and other internal systems.
VMware Enterprise Systems Connector integrates with the following internal components:
- Email Relay (SMTP)
- Directory Services (LDAP / AD)
- Microsoft Certificate Services (PKI)
- Simple Certificate Enrollment Protocol (SCEP PKI)
- Email Management Exchange 2010 (PowerShell)
- BlackBerry Enterprise Server (BES)
- Third-party Certificate Services (On-premises only)
- Lotus Domino Web Service (HTTPS)
- Syslog (Event log data)
Additional information about VMware Enterprise Systems Connector requirements, setup, and installation can be found in the VMware Enterprise Systems Connector Guide, available at https://www.vmware.com/support/pubs/workspaceone-pubs.html.
AirWatch Secure Email Gateway (Classic and V2)
Enterprises using certain types of email servers, such as Exchange 2010 or Lotus Traveler, can use the AirWatch Secure Email Gateway (SEG) server to take advantage of these advanced email management capabilities. The SEG acts as a proxy, handling all Exchange ActiveSync traffic between devices and an existing ActiveSync endpoint.
AirWatch offers advanced email management capabilities:
- Detection and Remediation of rogue devices connecting to email.
- Advanced controls of Mobile Mail access.
- Advanced access control for administrators.
- Integration with the AirWatch compliance engine.
- Enhanced traffic visibility through interactive email dashboards.
- Certificate integration for advanced protection.
- Email attachment control and hyperlink transform.
Enterprises using Exchange 2010+, Office 365 BPOS, or Google Apps for Work do not necessarily require the Secure Email Gateway server. For these email infrastructures, a different deployment model can be used that does not require a proxy server, such as Microsoft PowerShell Integration or Google password management techniques.
Email attachment control functionality requires the use of the Secure Email Gateway proxy server regardless of the email server type.
Additional information about SEG requirements, setup, and installation can be found in the VMware AirWatch SEG Administration Guide, available on AirWatch Resources.
VMware Tunnel and Unified Access Gateway (Tunnel)
The VMware Tunnel provides a secure and effective method for individual applications to access corporate sites and resources. When your employees access internal content from their mobile devices, the VMware Tunnel acts as a secure relay between the device and enterprise system. The VMware Tunnel can authenticate and encrypt traffic from individual applications on compliant devices to the back-end site or resources they are trying to reach.
Use the VMware Tunnel to access:
- Internal websites and Web applications using the VMware Browser.
- Internal resources through app tunneling for iOS 8 and higher devices using the VMware Tunnel.
Additional information about AirWatch Tunnel requirements, setup, configuration, and installation can be found in the VMware Tunnel Guide, available on AirWatch Resources.
AirWatch Content Gateway and Unified Access Gateway (Content Gateway)
The AirWatch Content Gateway, together with VMware Content Locker, lets your end users securely access content from an internal repository. This means that your users can remotely access their documentation, financial documents, board books, and more directly from content repositories or internal fileshares. As files are added or updated within your existing content repository, the changes will immediately be reflected in VMware Content Locker, and users will only be granted access to their approved files and folders based on the existing access control lists defined in your internal repository. Using the AirWatch Content Gateway with VMware Content Locker allows you to provide unmatched levels of access to your corporate content without sacrificing security. Install the latest Content Gateway version to ensure compatibility with the latest AirWatch Console versions.
Additional information about AirWatch Content Gateway requirements, setup, configuration, and installation can be found in the VMware AirWatch Content Gateway Admin and Install guides, available on AirWatch Resources.
AirWatch Email Notification Service (Classic and V2)
The Email Notification Service (ENS) adds Apple Push Notification support to Exchange. On iOS, this means the VMware Boxer and VMware AirWatch Inbox email apps can receive notifications through either Apple's background app refresh or the Apple Push Notification service (APNs). Background app refresh is used by default; however, iOS balances the needs of all apps and the system itself, so with this method each app may deliver notifications at irregular intervals. To provide notifications quickly and consistently, Apple also provides APNs, which allows a remote server to send notifications to the user for that application; Exchange, however, does not natively support APNs. ENS adds APNs support to your deployment to allow quick and consistent notifications about new items in your end users' email inboxes.
You can download the most up-to-date versions of the VMware AirWatch Email Notification Service Installation Guides, which include configuration and installation, from AirWatch Resources.
Workspace ONE Intelligence
Workspace ONE Intelligence gives you insights into your digital workspace. It enables enterprise mobility management (EMM) planning and offers automation. Together these capabilities help to optimize resources, to strengthen security and compliance, and to improve the user experience across your entire environment.
You can download the most up-to-date version of the Workspace ONE Intelligence Guide, which includes configuration and installation, from AirWatch Resources.
AirWatch offers a peer distribution system to deploy Win32 applications to enterprise networks. Peer distribution can reduce the time to download large applications to multiple devices in deployments that use a branch office structure.
For more information, see the VMware AirWatch Mobile Application Management (MAM) Guide, which includes configuration and installation, available from AirWatch Resources.
As deployments begin to scale beyond 5,000 devices, it is recommended that all environments have a caching solution in place. Caching reduces the load that the sheer volume of database calls places on the database server. Once caching is configured, the AirWatch components first query the caching solution for the DB information they require. If the needed information is not present on the cache server, the component reads it from the DB and then stores the value on the cache server for future use.
For more information on configuring Memcached please see the Memcached Integration with AirWatch guide. If the Memcached setting is not available, please reach out to AirWatch support for assistance.
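The cache-aside read path described above (check the cache, fall back to the database on a miss, then populate the cache), shown as an added example that is not part of the AirWatch documentation or product code. The `FakeMemcached` store, the `DEVICE_DB` rows, the key prefix and the organization-group namespacing are constructed assumptions standing in for Memcached and SQL Server.

```python
"""Cache-aside read of device records, with an injectable clock so expiry
can be exercised deterministically. Stores are constructed in-memory stand-ins."""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class FakeMemcached:
    """Minimal Memcached-like store with per-key expiry (constructed)."""
    clock: float = 0.0                       # seconds; advanced by the caller
    _items: dict = field(default_factory=dict)

    def get(self, key):
        hit = self._items.get(key)
        if hit is None or hit[1] <= self.clock:
            self._items.pop(key, None)       # expired entries are dropped
            return None
        return hit[0]

    def set(self, key, value, expire):
        self._items[key] = (value, self.clock + expire)


# Constructed sample of rows the database would hold.
DEVICE_DB = {"dev-1001": {"udid": "ABCD-1", "platform": "Android", "compliant": True}}


@dataclass
class DeviceRepository:
    cache: FakeMemcached
    ttl: int = 300                           # seconds a cached row stays valid
    db_reads: int = 0                        # counts trips to the database

    @staticmethod
    def cache_key(org_group, device_id):
        # Namespace keys per organization group so two tenants can never
        # share a cache entry; hash to keep keys short and ASCII-only.
        raw = f"{org_group}:{device_id}".encode()
        return "airwatch:device:" + hashlib.sha256(raw).hexdigest()[:32]

    def get_device(self, org_group, device_id):
        key = self.cache_key(org_group, device_id)
        cached = self.cache.get(key)
        if cached is not None:
            return json.loads(cached)        # cache hit: database untouched
        self.db_reads += 1                   # cache miss: read from the DB
        row = DEVICE_DB.get(device_id)
        if row is None:
            return None                      # unknown devices are not cached
        self.cache.set(key, json.dumps(row), expire=self.ttl)
        return row
```

Advancing `cache.clock` past the TTL forces the next read back to the database, which is the behaviour the sizing advice above is trying to minimize.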