iOS and Android/rugged Check in Check out (CICO) using third party IdP (PingFederate)
iOS and Android/rugged Check in Check out (CICO) using third party IdP (PingFederate)
check-in check-out enables simple and secure device sharing among multiple users within an organisation. CICO enables a user to check-in on a shared device to access their appropriate apps and data. Access is maintained until check-out, at which time the user and all associated data are cleared and the device is ready for the next user.
This is a fantastic option for shift workers that require personalised access to applications and data without dedicated devices.
Recently I had a customer with this specific user case. Customer like to do CICO for iOS and Android device in intelligent hub using PingFederate.
Requirements:
- MDM (Mobile device Management), in our case its Workspace ONE UEM v21.02+
- Workspace ONE Access
- Same AD domain setup done in WS1 UEM and WS1 Access
- Third Party iDP (in our case it was PingFederate but any could be used)
- Tested on iPadOS 14+
- Tested on Android 10+
- Assume you have some knowledge of device enrollment, WS1 UEM and WS1 Access
Adding PingFederate as third party IdP in WS1 Access:
There is already a VMware TechZone article and YouTube video available. We followed that article to complete this step.
VMware WS1 Access: Integration with PingFederate – Feature Walk-through Video
UEM configuration:
In WS1 UEM, Intelligent hub authentication need to be changed from WS1 UEM to WS1 Access. These settings can only be changed at customer/top level OG. Which can be done under Groups & Settings All Settings Devices & Users General Enrollment
Shared Device Settings:
Shared device settings are also available under Groups & Settings All Settings Devices & Users General Shared Device
But for our user case we are using all default settings, but these settings could be configured as per need. More info could be found from VMware documentation.
iOS devices:
We are going to enroll device as staging user. For that we added AD user account in UEM. This account exists in WS1 Access too. We are not using basic staging user account in UEM because Hub is redirecting to WS1 Access for authentication. We changed the AD user staging setting under advanced settings of user and enabled multiuser devices in WS1 UEM.
Download Intelligent Hub from app store and do the device enrollment. After successful device enrolment Hub will redirect to WS1 Access and Access will redirect to PingFederate if all settings in UEM and Access policy is set to authenticate against PingFederate.
Note: There are some combination of authentication in Access policy may fail. VMware is aware about those auth combinations and working on it.
Android/Rugged Devices:
For Android, native and Launcher both option available for CICO. These options are under user advanced settings. For our user case we used Launcher for Android Shared Device Mode.
To enrol we factory reset the Android device and used WS1 intelligent hub identifier to enroll using VMware documentation.
After successful enrollment, If the Launcher profile has been configured and pushed to the devices then Launcher get installed on device. Launcher redirect to WS1 Access and then WS1 Access redirect to PingFederate for authentication. User will be able to logout in Launcher and will redirect again to PingFederate for new user login.
Note: Auto logout settings could be setup as per business need in WS1 UEM under shared device settings.
Joined VMware in July 2015 as a consultant and worked in different BU over 7 years. Having experience in the IT industry of over 10 years with a Master's degree in IT.