Configure GlobalProtect to Retrieve Host Information
Follow these instructions to configure GlobalProtect to retrieve host information from devices managed by AirWatch.
- Install and configure the Windows-based User-ID agent. The User-ID agent must be in a location that enables secure connections to the VMware AirWatch Mobile Device Management (MDM) system. For more information, see Install the User-ID Agent. The AirWatch MDM integration service is included with the PAN-OS Windows-based User-ID agent.
- Configure SSL authentication between the Windows-based User-ID agent and the GlobalProtect gateway. When you configure SSL authentication, make sure:
- The server certificate configured on the Windows-based User-ID agent has the same Common Name (CN) as the hostname or IP address that the firewall uses to reach the User-ID agent host.
- The server certificate is trusted by the firewall (its root CA certificate is included in the trusted CA list in the MDM configuration on the firewall).
- The root certificate authority (CA) certificate of the MDM client certificate configured on the firewall is imported into the Windows trust store of the Windows server that hosts the User-ID agent.
- Obtain a server certificate and private key for authentication between the Windows-based User-ID agent and the GlobalProtect gateway. The certificate bundle must be a single PEM file that contains the server certificate, the full certificate chain, and the private key.
- Open the Windows-based User-ID agent and select Server Certificate.
- Add the server certificate.
- Browse to the certificate file and Open the file to upload the certificate to the Windows-based User-ID agent.
- Enter the Private Key Password for the certificate.
- Click OK.
The agent verifies that the certificate is valid and stores the encryption password of the private key in the host machine's Windows credential store. If installation is successful, detailed information about the certificate (including common name, expiration date, and issuer) appears on the Server Certificate tab.
- Restart the Windows-based User-ID agent.
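As an added example (not code from the Palo Alto Networks documentation or from the User-ID agent), the following Python script pre-checks a PEM bundle against the requirements above before you load it into the agent: the private key opens with the Private Key Password and belongs to the first (server) certificate, the CN equals the address the firewall will use for the agent, the certificate is unexpired, and the chain is complete and ends at a self-signed root (the CA you later import on the firewall). It needs the third-party cryptography package; the hostname uid-agent.example.com, the password, and the certificates produced by make_demo_bundle() are constructed for illustration.

```python
"""Pre-flight checks for the PEM bundle the Windows-based User-ID agent expects
(server certificate first, then the full chain, then the private key).
Added example, not part of the User-ID agent; needs the third-party
`cryptography` package. The hostname, password and demo CA are constructed."""
from __future__ import annotations

import datetime as dt
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
SPKI = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
UTC = dt.timezone.utc


def split_bundle(bundle: bytes) -> tuple[list[x509.Certificate], list[bytes]]:
    """Return (certificates in file order, private-key PEM blocks)."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(bundle):
        if m.group(1) == b"CERTIFICATE":
            certs.append(x509.load_pem_x509_certificate(m.group(0)))
        elif m.group(1).endswith(b"PRIVATE KEY"):
            keys.append(m.group(0))
    return certs, keys


def check_bundle(bundle: bytes, agent_host: str, password: bytes | None = None) -> list[str]:
    """Return the problems found; an empty list means the bundle meets the requirements."""
    certs, keys = split_bundle(bundle)
    if not certs or len(keys) != 1:
        return [f"expected >=1 certificate and exactly 1 private key, found {len(certs)}/{len(keys)}"]
    leaf, problems = certs[0], []

    # 1. The key must open with the Private Key Password the agent will store,
    #    and it must belong to the first (server) certificate.
    try:
        key = serialization.load_pem_private_key(keys[0], password)
    except TypeError:
        return ["private key is encrypted but no Private Key Password was supplied"]
    except ValueError as exc:
        return [f"private key could not be loaded (wrong password or bad PEM): {exc}"]
    if key.public_key().public_bytes(*SPKI) != leaf.public_key().public_bytes(*SPKI):
        problems.append("private key does not match the first (server) certificate")

    # 2. CN must equal the hostname/IP address the firewall uses to reach the agent.
    cn = [a.value for a in leaf.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if cn != [agent_host]:
        problems.append(f"server certificate CN {cn} does not equal agent address {agent_host!r}")

    # 3. Still valid (cryptography >= 42 exposes *_utc; older versions give naive UTC).
    not_after = getattr(leaf, "not_valid_after_utc", None) or leaf.not_valid_after.replace(tzinfo=UTC)
    if not_after <= dt.datetime.now(UTC):
        problems.append(f"server certificate expired on {not_after.isoformat()}")

    # 4. Each certificate after the leaf must have issued the one before it, and the
    #    chain must end at a self-signed root (the CA you import on the firewall).
    for child, parent in zip(certs, certs[1:]):
        try:
            child.verify_directly_issued_by(parent)      # checks issuer name and signature
        except AttributeError:                            # cryptography < 40: name check only
            if child.issuer != parent.subject:
                problems.append(f"chain break before {parent.subject.rfc4514_string()}")
        except Exception as exc:                          # wrong order or wrong CA
            problems.append(f"chain break before {parent.subject.rfc4514_string()}: {exc}")
    if certs[-1].issuer != certs[-1].subject:
        problems.append("chain does not end at a self-signed root CA; include the full chain")
    return problems


def make_demo_bundle(agent_host: str, password: bytes | None = None) -> tuple[bytes, bytes]:
    """Constructed demo only: a private root CA and a server certificate for agent_host.
    Returns (bundle for the User-ID agent, root CA PEM to import on the firewall)."""
    now = dt.datetime.now(UTC)

    def issue(subject, issuer, issuer_key, public_key, is_ca):
        b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
             .public_key(public_key).serial_number(x509.random_serial_number())
             .not_valid_before(now - dt.timedelta(days=1))
             .not_valid_after(now + dt.timedelta(days=365))
             .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
        if not is_ca:
            b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(agent_host)]), critical=False)
        return b.sign(issuer_key, hashes.SHA256())

    ca_key = rsa.generate_private_key(65537, 2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Root CA")])
    ca_cert = issue(ca_name, ca_name, ca_key, ca_key.public_key(), True)
    srv_key = rsa.generate_private_key(65537, 2048)
    srv_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, agent_host)])
    srv_cert = issue(srv_name, ca_name, ca_key, srv_key.public_key(), False)
    enc = serialization.BestAvailableEncryption(password) if password else serialization.NoEncryption()
    key_pem = srv_key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, enc)
    ca_pem = ca_cert.public_bytes(serialization.Encoding.PEM)
    return srv_cert.public_bytes(serialization.Encoding.PEM) + ca_pem + key_pem, ca_pem


if __name__ == "__main__":
    bundle, root_ca = make_demo_bundle("uid-agent.example.com", b"demo-password")
    print(check_bundle(bundle, "uid-agent.example.com", b"demo-password") or "bundle OK")
    print(check_bundle(bundle, "uid-agent.example.com"))   # forgot the Private Key Password
```

Run it against your real bundle with `check_bundle(open("bundle.pem", "rb").read(), "<agent hostname or IP>", b"<private key password>")`; an empty list means the agent should accept the file, and the last certificate in the file is the root CA to add in the firewall's MDM configuration.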
- Configure the MDM integration service on the Windows-based User-ID agent.
- Select MDM Integration in the Windows-based User-ID agent.
- In Gateway Connection TCP Port, specify a port for TCP communications. The Windows-based User-ID agent listens on this port for all MDM-related messages; it is the port the GlobalProtect gateway connects to (the Connection Port in the gateway's MDM configuration). The default port is 5008. To change the port, specify a number from 1 to 65535.
- On the Setup tab, click Edit.
- Choose AirWatch for the MDM Vendor.
- Specify the MDM Event Notification settings to monitor and collect AirWatch events (for example, device enrollment, device wipe, and compliance changes). When an event occurs, the MDM integration service fetches the updated device information from the AirWatch API and pushes it to all configured GlobalProtect gateways. For MDM Event Notification, make sure the values you enter here match the values configured in the AirWatch console under Groups & Settings > All Settings > System > Advanced > API > Event Notifications.
- Set the TCP Port on which the event notification service listens for events posted by AirWatch. The default port is 5011. To change the port, specify a number from 1 to 65535. In the AirWatch event notification settings, the target URL has the form http://<external_hostname or ip_address>:<port>, where the hostname or IP address is the address of the MDM integration service host as reachable from AirWatch.
- For event notification, enter the Username and Password that the event notification service requires to authenticate incoming requests from AirWatch; configure the same credentials in the AirWatch event notification settings.
- Enter the Permitted IP addresses allowed to post MDM events. This is a comma-separated list of IP addresses from which MDM events are posted, for example the IP address of the AirWatch server. Contact your AirWatch Support team for guidance on which IP addresses to specify.
- Add MDM API Authentication settings to connect to the AirWatch API.
- Enter the Server Address of the AirWatch MDM server to which the Windows-based User-ID agent will connect. For example, api.awmdm.com.
- Enter the Username and Password credentials needed to access the AirWatch MDM API.
- Enter the Tenant Code. This is the unique hexadecimal code required to access the AirWatch MDM API. In the AirWatch console, you can find the tenant code under System > Advanced > API > REST API > API Key.
- Enter the Mobile Device State Retrieval Interval. This setting controls how often host information is retrieved from devices managed by AirWatch. The default is 30 minutes. To change the interval, specify a number of minutes from 1 to 600.
- Commit your changes.
- Click Test Connection to make sure the Windows-based User-ID agent can connect to the AirWatch API.
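If Test Connection fails, it helps to reproduce the same call from the User-ID agent host outside the agent, so that network, TLS, credential and Tenant Code problems can be told apart. The following Python script is an added example, not code from the documentation or the agent; it uses the AirWatch REST API conventions of HTTP Basic authentication plus the aw-tenant-code header. The read-only path /API/system/info, the mapping of status codes to causes, and the demo values (api.awmdm.com, apiuser, S3cret, ABCDEF0123) are assumptions to adjust for your tenant.

```python
"""Stand-alone check of the AirWatch REST API credentials and Tenant Code,
equivalent to the agent's Test Connection button. Added example, not part of
the User-ID agent. Assumes HTTP Basic authentication plus the aw-tenant-code
header (AirWatch REST API conventions); the path /API/system/info, the
status-code explanations and the demo values are assumptions."""
from __future__ import annotations

import base64
import json
import ssl
import urllib.error
import urllib.request


def build_request(server: str, username: str, password: str, tenant_code: str,
                  path: str = "/API/system/info") -> urllib.request.Request:
    """Build the authenticated GET. Only https is used: the Basic header carries
    the API credentials in cleartext, so never point this at a plain http URL."""
    if "://" in server or "/" in server:
        raise ValueError("server must be a bare hostname such as api.awmdm.com")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{server}{path}",
        headers={"Authorization": f"Basic {token}",
                 "aw-tenant-code": tenant_code,      # the Tenant Code / API Key
                 "Accept": "application/json"})


def explain_status(status: int | None, reason: str = "") -> str:
    """Map the HTTP result onto the settings the agent configuration can get wrong.
    Heuristic based on common AirWatch API behaviour; confirm against your tenant."""
    return {None: f"no TLS connection (DNS, routing, proxy or certificate): {reason}",
            401: "Username/Password rejected",
            403: "Tenant Code rejected (or the API account lacks REST API access)",
            404: "path not found on this server; check the Server Address"
            }.get(status, f"HTTP {status} {reason}".strip())


def check_connection(server: str, username: str, password: str, tenant_code: str,
                     timeout: float = 10) -> dict:
    """Perform the call; returns ok/status plus either the JSON body or an explanation."""
    req = build_request(server, username, password, tenant_code)
    ctx = ssl.create_default_context()        # verifies the AirWatch certificate chain
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read()
            return {"ok": True, "status": resp.status, "body": json.loads(body) if body else {}}
    except urllib.error.HTTPError as exc:
        return {"ok": False, "status": exc.code, "detail": explain_status(exc.code, exc.reason)}
    except (urllib.error.URLError, OSError) as exc:   # DNS, routing and TLS failures
        return {"ok": False, "status": None, "detail": explain_status(None, str(exc))}


if __name__ == "__main__":
    # Demo values: replace with the Server Address, API user and Tenant Code from the agent.
    print(check_connection("api.awmdm.com", "apiuser", "S3cret", "ABCDEF0123"))
```

Run it on the User-ID agent host itself, because that is where the service route, proxy settings and trusted CA store in effect for the agent apply; a result with status None is a connectivity or TLS problem rather than an AirWatch configuration problem.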
- Configure the GlobalProtect gateway to communicate with the MDM integration service to retrieve the HIP reports for the devices managed by AirWatch.
- In the PAN-OS web interface, select Network > GlobalProtect > MDM.
- Add the following information about the MDM integration service. The root certificate authority (CA) certificate of the client certificate you select here must be imported into the Windows trust store of the Windows server where the User-ID agent is installed.
- Name—Enter a name for the MDM integration service (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
- (Optional) Select the virtual system to which the gateway belongs.
- Server—Enter the IP address or FQDN of the interface on the AirWatch MDM integration service host to which the gateway connects to retrieve HIP reports. Ensure that you have a service route to this interface, and that the value matches the CN of the server certificate installed on the User-ID agent.
- Connection Port—Enter the connection port where the MDM integration service listens for HIP report requests. This must match the Gateway Connection TCP Port configured in the User-ID agent. The default port is 5008. To change the port, specify a number from 1 to 65535.
- Client Certificate—Choose the client certificate for the gateway to present to the MDM integration service when it establishes an HTTPS connection. You can choose a client certificate from the drop-down, or import a new client certificate. The Certificate Purpose must indicate that it is a client authentication certificate.
- Add the root CA certificate associated with the server certificate installed on the MDM integration service host. You need both the root CA certificate and the server certificate to establish a secure connection between the gateway and the MDM integration service. You can choose a root CA certificate from the drop-down, or Import a new certificate.
- Click OK.
- Commit your changes.
- Check your connection to make sure AirWatch device data is transferred to GlobalProtect.
- Open the Windows-based User-ID agent and select MDM Integration > Mobile Devices. You should see a list of unique device IDs and user names for all the devices managed by AirWatch.
- (Optional) You can Filter the list to find a specific Mobile Device.
- (Optional) Select a device in the list of device IDs and click Retrieve Device State to extract the latest information about the device and see how it maps to host information profiles on the GlobalProtect gateway.