AirWatch implementation procedure in small steps

AirWatch implementation procedure for fewer than 5000 users, assuming a design with the configuration below:

  1. The implementation is on-premises, not SaaS
  2. The database is installed on a separate server
  3. The Console role is hosted on separate servers (local or DMZ)
  4. Device Services / AWCM / API are hosted on the same servers

The procedure is as follows:

  1. Settings before setup
  2. Database: the first step is to install the database
  3. Console Role
  4. AWCM Role\DS\API Server
  1. Prerequisites
  2. The following must be prepared and ready in advance: firewall rules, certificates, load balancers and SQL Server (mandatory)
  3. In addition, all servers need:
    1. Windows Server x64 2008-2016 (2019 is not supported yet)
    2. .NET Framework 4.6.2 or above
    3. .NET Core
    4. Everything else, including IIS, can be installed by the installation media (manual IIS configuration is a must)
  4. Console setup:
    1. Start the installation from the media
    2. Fill in the database and URLs
    3. From the roles, select Console only (remove API and DS)
    4. When the installation is done, go to IIS and bind the certificate (with SSL offloading you may skip this step, as the certificate will be on the load balancer)
    5. With multiple Console servers, go to Services and disable the services below on the second node:
      1. AirWatch Device Scheduler
      2. AirWatch GEM Inventory Service
      3. AirWatch Directory Sync
      4. AirWatch Content Delivery Service
    6. Configure the proxy (if one is used for outbound connections) in Global
    7. Create OGs and be sure to include the OG ID for each OG (however, it is also preferable to leave this until last to avoid confusion when configuring components)
  5. AWCM Role\DS\API Server:
    1. Start the installation from the media
    2. Fill in the database and URLs
    3. From the roles, select AWCM, API and DS
    4. (For API) When the installation is done, go to IIS and bind the certificate (with SSL offloading you may skip this step, as the certificate will be on the load balancer). Note that it will be port 80 by default in the case of a load balancer with SSL offloading. Restart the server after that.
    5. Go to the console and do the following:
      1. From Site URLs, verify the URLs of API/DS/AWCM… all of them are the same and should be
      2. Enable AWCM under Site URLs… be sure that the local port is 2001 and the external port is 443
      3. From Groups & Settings > All Settings > System > Advanced > Secure Channel Certificate, install the secure channel certificate in order to activate the token
      4. Enable AWCM to communicate with devices:
        1. Navigate to Groups & Settings > All Settings > Device & Users > Android > Intelligent Hub Settings and scroll down to the AirWatch Cloud Messaging section.
        2. Select the Use AWCM Instead of C2DM/GCM as Push Notification Service check box to enable AWCM in the profile.
        3. The AWCM Client Deployment Type drop-down menu is automatically changed to Always Running and can no longer be modified.
      5. Generate the Device Certificate
      6. Configure the APN certificate
      7. Configure the Android EMM account
    6. After this, we can go on to configure the connector, then AD integration
    7. Restart the server

Verification phase

  • Open AirWatch Console
  • Choose About AirWatch and check the version
  • Check the Site Links: open Groups & Settings > All Settings > System > Advanced > Site URLs and look through the links
  • Check the connection to the Device Services server using the external URL defined in the install phase, signed with the external certificate (type of link: https://<DS_URL>/DeviceManagement/Enrollment)
  • Check the AWCM component using the link https://<DS_URL>:2001/awcm/status*
  • Check AirWatch services: launch services.msc on the Windows server and check that the AirWatch services are Started
  • Check the GEM Inventory Service: on the AirWatch Console server, go to the folder C:\AirWatch\Logs\Services\ and delete the file AirWatchGemAgent.log; open services.msc and restart the GEM Inventory Service. The new log will either NOT show up, or show up without errors.

You can go deeper in verification using the URLs below.

Device Services

| Description | URL Endpoint | Status code |
| --- | --- | --- |
| Device Services Enrollment | /DeviceManagement/enrollment | HTTP 200 |
| App Catalog | /DeviceManagement/appcatalog?uid=0 | HTTP 200 |
| Device Services WinMo Tracker | /DeviceServices/tracker.aspx?id=0 | HTTP 302 |

Console

| Description | URL Endpoint | Status code |
| --- | --- | --- |
| Web Console v9.2+ | /AirWatch/login | HTTP 200 |
| Web Console (pre-9.1) | /AirWatch/login | HTTP 401 |

API

| Description | URL Endpoint | Status code |
| --- | --- | --- |
| API | /api/help/#!/apis | HTTP 200 |

AWCM

| Description | URL Endpoint | Status code |
| --- | --- | --- |
| AWCM | /AWCM/Status | HTTP 200 |

Secure Email Gateway

| Description | URL Endpoint | Status code |
| --- | --- | --- |
| ActiveSync Connectivity | /Microsoft-Server-Activesync | HTTP/1.1 401 |

VMware Tunnel – Proxy Component or Unified Access Gateway (Tunnel)

| Description | URL Endpoint | Status code |
| --- | --- | --- |
| HTTPS | https://<TUNNEL_URL>:<HTTPS_Port> | HTTP 407 |

Content Gateway or Unified Access Gateway (Content Gateway)

| Description | URL Endpoint | Status code |
| --- | --- | --- |
| Content | https://<Content_Gateway_URL>/content/systeminfo | HTTP 403 |

ENS V2

| Description | URL Endpoint | Status code |
| --- | --- | --- |
| ENS V2 | /MailNotificationService/api/ens/alive | HTTP 200 |
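
The status-code checks above can be run as one repeatable probe after each install or upgrade. The Python below is an added example, not part of the original post or of any VMware tooling; the function names are hypothetical and the host names are placeholders. It does not follow redirects, so the expected 302 stays visible, and it leaves TLS validation on, so an untrusted external certificate shows up as a failed check.

```python
import http.client
import urllib.error
import urllib.request

# Path and expected status per component, copied from the tables above.
EXPECTED = {
    "ds": [("/DeviceManagement/enrollment", 200),
           ("/DeviceManagement/appcatalog?uid=0", 200),
           ("/DeviceServices/tracker.aspx?id=0", 302)],
    "console": [("/AirWatch/login", 200)],  # v9.2+; pre-9.1 answers 401
    "api": [("/api/help/#!/apis", 200)],    # urllib drops the #fragment before sending
    "awcm": [("/AWCM/Status", 200)],
    "seg": [("/Microsoft-Server-Activesync", 401)],
    "tunnel": [("", 407)],                  # base URL already carries the HTTPS port
    "content": [("/content/systeminfo", 403)],
    "ens": [("/MailNotificationService/api/ens/alive", 200)],
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as-is; following the 302 would hide the expected code."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_status(url, timeout=10):
    """Return the HTTP status of a GET, or None if no HTTP answer arrived."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 302, 401, 403 and 407 are raised as HTTPError
    except (OSError, http.client.HTTPException):
        return None      # DNS, TCP, timeout or TLS certificate validation failure

def verify(bases, fetch=http_status, expected=EXPECTED):
    """Return (component, url, want, got) for every endpoint that mismatches."""
    failures = []
    for component, base in bases.items():
        for path, want in expected[component]:
            url = base.rstrip("/") + path
            got = fetch(url)
            if got != want:
                failures.append((component, url, want, got))
    return failures

if __name__ == "__main__":
    # Placeholder hosts (assumptions): substitute the deployment's Site URLs.
    bases = {"ds": "https://ds.example.com", "awcm": "https://ds.example.com"}
    for component, url, want, got in verify(bases):
        print(f"FAIL {component}: {url} expected {want}, got {got}")
```

A result of `None` means no HTTP response was received at all, which points at firewall rules, load balancer configuration or the certificate binding rather than at the AirWatch role itself.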
