Updated 7/27/20 – Several recent releases have added support for more features:
- 2006 – Adds support for WS1 Access as an authentication source. This is required for the full “unified” catalog: Web Apps, SaaS Apps, Win32, and Horizon.
- 2005 – Hub services branding support
After much waiting, the 20.03 console version of Workspace ONE finally adds support for the new Intelligent Hub catalog for Windows 10! While there are still some missing features (we’ll get to that later) this finally aligns the Windows 10 catalog with the other platforms, namely Mac, iOS, and Android.
Hub Pre-Requisites
A few pre-reqs are required in order to enable this new catalog:
- Console must be upgraded to 20.03 or newer
- Intelligent Hub must be upgraded to 20.03 or newer
- Hub Services must be turned on (which also requires a Workspace ONE Access instance setup)
- Enable the “Intelligent Hub Catalog (Windows Desktop)” under Settings > Apps > Workspace ONE > Airwatch Catalog > General > Publishing Tab.
- “Source of Authentication for Intelligent Hub” must be set to either “Workspace ONE UEM” or “WS1 Access”
Let’s dive into the details on each of these.
Getting the correct console and client versions
First, ensure that your console is in fact on 20.03.0.0 or later. Click “About” in the bottom left of your UEM console.
Next, we need to make sure the Hub versions on Windows 10 are also updated. If you have “Intelligent Hub Automatic Updates” checked, this should go out automatically to clients. But we still want to verify. On a client, load up “Apps & features” from the settings menu and find Workspace ONE. You’ll notice 2 entries:
Workspace ONE Intelligent Hub – These are the new Hub UI components that show the catalog and hub information page. They are UWP (Universal Windows Platform) based. Click on “Advanced Options” to see the version. It should be 20.3.1.0 or later.
Workspace ONE Intelligent Hub Installer – This is the regular “agent” and handles the normal agent stuff like inventory, profiles, Bitlocker, etc. This should also be 20.3.1.0 or later.
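To run the same check from a script instead of the Settings app, the following PowerShell is an added example, not code from the original post or from VMware. It assumes the UWP package name contains "IntelligentHub" and that the agent's uninstall entry uses the display name shown in “Apps & features”; adjust both filters if your clients differ.

```powershell
# Added example: check both Hub components against the minimum version from this post.
$minimum = [version]'20.3.1.0'

function ConvertTo-FourPartVersion([string]$Raw) {
    $v = $null
    if (-not [version]::TryParse($Raw, [ref]$v)) { return $null }
    # Unset parts are -1 in [version]; treat them as 0 so "20.3.1" equals "20.3.1.0"
    [version]::new($v.Major, $v.Minor, [Math]::Max($v.Build, 0), [Math]::Max($v.Revision, 0))
}

function Test-HubVersion([string]$Component, [string]$RawVersion) {
    $parsed = ConvertTo-FourPartVersion $RawVersion
    [pscustomobject]@{
        Component = $Component
        Version   = if ($RawVersion) { $RawVersion } else { 'not found' }
        Minimum   = $minimum
        Compliant = ($null -ne $parsed) -and ($parsed -ge $minimum)
    }
}

# 1. UWP Hub UI (catalog and hub information page).
#    Assumption: the package name contains "IntelligentHub".
$uwp = Get-AppxPackage |
    Where-Object { $_.Name -like '*IntelligentHub*' } |
    Sort-Object { [version]$_.Version } -Descending |
    Select-Object -First 1

# 2. The regular agent, listed as "Workspace ONE Intelligent Hub Installer".
#    Assumption: its uninstall entry carries that display name.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$agent = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Workspace ONE Intelligent Hub Installer*' } |
    Select-Object -First 1

$results = @(
    Test-HubVersion 'Intelligent Hub (UWP)'      $uwp.Version
    Test-HubVersion 'Intelligent Hub Installer'  $agent.DisplayVersion
)
$results | Format-Table -AutoSize

# A non-zero exit code lets a compliance script or baseline flag the device
if ($results.Compliant -contains $false) { exit 1 }
```

Run it in the signed-in user's session, since `Get-AppxPackage` without `-AllUsers` only lists packages registered for the current user.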
Enable Hub Services
Enabling Hub Services “unlocks” the actual feature. You may have this already turned on if you are using this for iOS/Android. To check, go to Settings > Configurations > Intelligent Hub.
If you go here and see a “Get Started” button, then you know that hub services is not turned on at all. Clicking “Get Started” will bring up a page to enter your Workspace ONE Access (which used to be called vIDM) URL and username and password.
If you are in a shared SaaS environment, you can even request a cloud-tenant of Workspace ONE Access right there and walk through a short wizard to get it enabled.
Once Workspace ONE Access is set up and linked, you should see a page like this:
Enable New Hub Catalog
Now we need to “enable” the new catalog. To do so, click on the “Configure” button under “Catalog Settings” in the bottom right.
Select “Enabled” under “Intelligent Hub Catalog (Windows Desktop)”
Don’t forget to hit Save at the bottom.
Set Source of Authentication
Finally, we need to set the source of authentication for the Intelligent Hub. Go to Settings > Device & Users > General > Enrollment Tab. Setting it to “Workspace ONE UEM” means that the user directly authenticates with UEM and thus only UEM based items (win32 apps, Store Apps) will be visible. UEM is not aware of SaaS or Horizon apps since those are set in WS1 Access. In order to get the full catalog where all entitled apps are visible, set this to “Workspace ONE Access”.
Load the Catalog and Install some apps!
After all of these settings are saved, the catalog should now be enabled. To launch it, simply double-click the icon in the system tray.
Find your favorite apps and install away!
Just a reminder that some features aren’t fully implemented yet:
- SaaS Apps – Available in 2006 if you use WS1 Access
- Horizon Apps – Available in 2006 if you use WS1 Access
- Uninstall Apps – Roadmap
- Branding – Available in 2005
- Notifications – Hub Notifications aren’t fully implemented yet either.
Enjoy!
Thank you for another excellent write-up.
Can you please clarify, if it’s enough to just do the WS1 Access config from within the UEM console to enable HUB services on any OS (without any config like AD integration, user and group import inside the WS1 Access UI), or do we need to have a “full” Access configuration, like we need for SaaS apps?
I hope I understand your question, but setting auth to WS1 Access isn’t required, per se, but it is required to show SaaS/Horizon apps as those don’t live in UEM console. WS1 Access is what gives access to those things and so that is required in order to see them. If you only want to see native/internal UEM Apps, then Intelligent Hub Authentication can be set to UEM.
Thank you for your blog!
We don’t utilize SaaS/Horizon apps, so we have the setting to Intelligent Hub Authentication “Workspace One UEM”. However the Workspace ONE access app gets installed on the Windows machine and it displays the logon window once the user is inside windows. The user can of course just click it away but would be better to have it not appearing at all or even better not being installed at all since it’s not needed. Can we set it to not install?
What version of the Hub and console are you on? I believe in 2008 it is configured by default to NOT automatically install the old WS1 app. Before that there is no way to stop it from coming down unless you were doing command line enrollment. In that case there is a switch you can remove (don’t include downloadwsbundle=true) so that it doesn’t come down. But if you are doing agent based (with GUI) or Azure AD enrollment it will still come down until you are on 2008.
Hi Brooks,
Could you please clarify a few points…
There is a screen capture showing SaaS and Horizon apps, but just below that comment you mention
Just a reminder that some features aren’t fully implemented yet:
SaaS Apps
Horizon Apps
Uninstall Apps
I’ve set this up, and when I launch hub from win10, I can only see the apps pushed from UEM. (When I access Access from a browser, I can see all apps).
Also I enabled Workspace ONE UEM as the source of authentication, however it does appear in the settings (by settings, I mean the capture under the following)
Enable New Hub Catalog
Now we need to “enable” the new catalog. To do so, click on the “Configure” button under “Catalog Settings” in bottom right
Thank you
George,
The screenshot I show is only win32 apps. Which ones are you seeing that are Horizon or SaaS apps? The Horizon client listed there is just the installer for the win32 Horizon client.
Great Post, like always – thanks Brooks!!
Having the option to Uninstall Apps (in control by the admin) would be awesome, is this already planned or do you hope it is coming to Hub?
Have raised a feature request on ideas.aha.io exactly on this plus launch capability, maybe readers of this article like to support it (click my name to get there).
Definitely a great and well written Aha! item. I know that the uninstall from Hub is a planned feature but not sure about launch capability.
I can see in publishing for Windows only “Legacy Catalog (Windows Desktop)”; there is no Intelligent Hub catalog in my console. Please help how to get the option.
What version of the console are you on? I would recommend waiting until the 2008 version to fully enable as they have fixed a lot of issues and matched feature parity with the other app catalog.
Hi Brooks,
Thanks for a great post. Re the source of authentication, what happens to our existing enrolled devices if we switch from UEM to Access? Does it have impact on the intelligent hub installed on managed devices?
I’m on 20.11.0.4 and can only see the Legacy Catalog as an option. UEM and Access are integrated, Hub Services are enabled. Not sure what to do 🙂
Aay – Hmm that is a bit odd as it should show up since you enabled the pre-requisites? Maybe check which OG you are at to ensure you are at the same OG or lower from where Hub services is enabled.
Hi Brooks,
Does this source of auth switch to Access have any impact on existing managed devices that were enrolled with source of authentication set to UEM?
Also, when you launch an Access app from the Hub, does it require additional auth/access?
Yes, the hub will need to re-auth after you make this switch. We recommend setting up WS1 Access rules to support Single sign-on. You can use kerb auth or CBA (cert-based auth) to make it fairly seamless.
Okay great, thanks Brooks. We plan on testing this outside business hours on a few devices and then switch the source of auth back to UEM, while we plan the next steps. Hoping this would be okay and would have no impact on existing enrolments?
Sorry, one last query – if this is no impact on existing enrolments, I am guessing these devices would need to be re-enrolled for them to use access as the source of auth, and to show the virtual desktops and saas apps?
Thank you
So if you do this in prod it will affect all devices since you can’t do this at sub OGs. I’d recommend testing it out in a UAT environment. No need to re-enroll, they would just re-auth. So the user would see a popup of WS1 Access and it would attempt to authenticate.
Great, thank you. Yeah, we did notice that it’s a setting at the top-level and not something we could test at child OGs. We are operating with just the one environment, so I guess if we run our tests and switch the source back to UEM, we should have no impact on existing enrolments.
Then, like you mentioned, since existing devices do not need to re-enrol we can advise the users to re-auth once we change it back to Access at a later date.
Hi Brooks,
The re-auth part worked a treat after the change. I was able to reverse the change, sync & restart the Hub and it took the virtual and saas apps away as well. One strange thing I noticed was that on Windows, MacOS and iPad, initially the virtual desktops opened directly from the Hub -> Horizon. However, after some time, the desktops didn’t open directly. Instead, it redirected me to the browser, and then after authenticating with SSO/Certs, it asked me to launch the desktop in Horizon. Any ideas what could be causing this?
Thanks
Yep that is due to switching it back to the source of Auth=UEM. You may also want to double-check under preferences that the preference for Horizon Remote apps isn’t set to Browser.
Is there a way to deploy applications that looks to see if the applications have already been deployed?
We have been seeing a spike in the performance with applications trying to be re-installed again that have already been installed.
Is there a way in Workspace ONE UEM that does a check and moves on to the next app in the queue?
I found the answer here
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/GUID-AWT-FREESTYLE-ORCHESTRATOR/GUID-define-action-on-resources-using-condition.html
Thank you
Ah so you guys have a Freestyle tech preview enabled and the workflow is what is reinstalling apps?
No, was looking for an alternative until this is released to General Public Release.
On Android with Launcher (using basic auth for Launcher, and prior to this basic staging a/c) will it have an impact with the switch Auth to Access other than the MS auth which is already added as a SAML IdP. Thanks