Workspace ONE UEM Integration

Follow these steps to link a Workspace ONE account to a Juniper Mist organization, and learn how Mist Access Assurance uses the compliance status of enrolled devices in authentication policy rules.

Juniper Mist Access Assurance integrates natively with Workspace ONE® UEM so that the compliance of managed endpoints, such as laptops and mobile phones, can factor into network access decisions. Workspace ONE evaluates each device against its own compliance policies (for example, antivirus presence, firewall status, and OS patch level). Juniper Mist Access Assurance retrieves the resulting compliance status from Workspace ONE and uses it in authentication policies to enforce access control decisions.

Device Compliance Status Data Retrieval from Workspace ONE

Juniper Mist Access Assurance polls Workspace ONE through its API and caches the compliance status of every managed client that has authenticated, so that policy evaluation can read the status without a live query.

The lookup runs only after the authentication exchange has completed, so it adds no delay to authentication itself. After a device's initial onboarding, its cached compliance status is refreshed every two hours.

If a device's compliance state changes, Juniper Mist Access Assurance automatically triggers a Change of Authorization (CoA) so that the client re-authenticates and the policy is re-evaluated against the new state, without manual intervention. Because a change is detected only when the cached status is refreshed, a device that falls out of compliance can keep its current access for up to two hours after the change.

Figure 1 illustrates how Juniper Mist Access Assurance retrieves Workspace ONE-managed device compliance data for authentication.

Figure 1: Authentication and Authorization Process for Workspace ONE

Note:

To support the CoA functionality, APs must run firmware version 0.14 or later.

Note:

Some of the screenshots included in this topic are sourced from third-party applications. Be aware that these screenshots might change over time and might not always match the current version of the applications.

Juniper Mist Access Assurance uses the following information during client authentication to match a client with a device record in Workspace ONE:

  • Non-randomized MAC address—For authentication using EAP-TTLS or EAP-TLS, the MAC address of the client device is matched against a managed device record in Workspace ONE. A randomized MAC address will not match any managed record, so the device stays in the Unknown compliance state. To ensure accurate MAC-based device matching, you must disable MAC address randomization in the Wi-Fi configuration profiles on client devices.

  • Workspace ONE UDID encoded in SAN:DNS certificate attribute—In Workspace ONE certificate templates, use the {DeviceUid} variable to encode the device UDID in the SAN:DNS field. Because the UDID is read from the certificate the client authenticates with, this match does not depend on the MAC address and is the more robust of the two.
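The two matching keys above, worked through in Go as an added example (this is not Juniper's or VMware's code). It generates a throwaway client certificate whose SAN:DNS carries a device UDID, as a template using {DeviceUid} would, then matches a client against constructed device records by that UDID first and by a non-randomized MAC second. The UDID pattern, the Record layout, the sample UDID and MAC values and the SelfSignedCert helper are all assumptions made for the example; the check for a locally administered MAC (bit 0x02 of the first octet) is how a randomized address is recognized and rejected instead of silently failing to match.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// A Workspace ONE UDID is modelled as 16-64 hex digits (an assumption; the format varies by platform).
var udidPattern = regexp.MustCompile(`^[0-9a-fA-F]{16,64}$`)

// Record is a managed-device record as cached from Workspace ONE (constructed layout).
type Record struct {
	UDID, MAC, Compliance string
}

// DeviceUIDFromCert returns the first SAN:DNS entry that looks like a UDID, i.e. what {DeviceUid} produces.
func DeviceUIDFromCert(cert *x509.Certificate) (string, bool) {
	for _, name := range cert.DNSNames {
		if udidPattern.MatchString(name) {
			return strings.ToLower(name), true
		}
	}
	return "", false
}

// NormalizeMAC accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabbccddeeff and returns lower-case colon form.
func NormalizeMAC(s string) (string, error) {
	raw := strings.ToLower(strings.NewReplacer(":", "", "-", "", ".", "").Replace(s))
	if _, err := strconv.ParseUint(raw, 16, 64); err != nil || len(raw) != 12 {
		return "", fmt.Errorf("malformed MAC %q", s)
	}
	return fmt.Sprintf("%s:%s:%s:%s:%s:%s", raw[0:2], raw[2:4], raw[4:6], raw[6:8], raw[8:10], raw[10:12]), nil
}

// IsLocallyAdministered is true when bit 0x02 of the first octet is set; randomized Wi-Fi MACs set it.
func IsLocallyAdministered(normalizedMAC string) bool {
	first, err := strconv.ParseUint(normalizedMAC[:2], 16, 8)
	return err == nil && first&0x02 != 0
}

// Lookup matches a client as the text describes: certificate UDID first, then a non-randomized MAC.
// The second result names the key that matched ("udid" or "mac").
func Lookup(records []Record, cert *x509.Certificate, callingStationID string) (Record, string, bool) {
	if udid, ok := DeviceUIDFromCert(cert); ok {
		for _, r := range records {
			if strings.EqualFold(r.UDID, udid) {
				return r, "udid", true
			}
		}
	}
	mac, err := NormalizeMAC(callingStationID)
	if err != nil || IsLocallyAdministered(mac) {
		return Record{}, "", false // malformed or randomized address: cannot match a managed record
	}
	for _, r := range records {
		if rm, err := NormalizeMAC(r.MAC); err == nil && rm == mac {
			return r, "mac", true
		}
	}
	return Record{}, "", false
}

// SelfSignedCert builds a throwaway client certificate carrying the given SAN:DNS names,
// standing in for one issued through a Workspace ONE certificate template.
func SelfSignedCert(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample data, not real devices.
	records := []Record{{UDID: "0f3a9c1b7d2e4f60a1b2c3d4e5f60718", MAC: "3C-22-FB-1A-2B-3C", Compliance: "Compliant"}}
	withUDID, err1 := SelfSignedCert([]string{"0F3A9C1B7D2E4F60A1B2C3D4E5F60718"})
	plain, err2 := SelfSignedCert([]string{"laptop.example"})
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	r, how, ok := Lookup(records, withUDID, "02:00:00:00:00:01") // UDID wins even with a randomized MAC
	fmt.Println(how, ok, r.Compliance)
	_, how, ok = Lookup(records, plain, "3c22fb1a2b3c") // no UDID in the cert: falls back to the MAC
	fmt.Println(how, ok)
}
```

Run it with go run. The first lookup succeeds on the UDID even though the Calling-Station-Id is a randomized address, which is the practical reason to prefer the certificate path: a client that keeps randomizing its MAC still resolves to its Workspace ONE record when the UDID is in the certificate, and otherwise falls through unmatched and stays Unknown.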

Configure Client ID and Client Secret in Workspace ONE

To integrate Workspace ONE with Juniper Mist Access Assurance, you'll need to set up a Workspace ONE API Client ID and Client Secret.

Note:

The screenshots from third-party applications are correct at the time of publishing. We have no way to know when or if the screenshots will be accurate at any future time. Please refer to the third-party website for guidance about changes to these screens or the workflows involved.

  1. In the Workspace ONE portal, navigate to Groups & Settings > Configurations > OAuth Client Management, then click Add.
  2. Enter the required details to create a Client ID. Set the role to Read Only and the status to Enabled, as shown in the following example, then click Save. Mist only reads device records, so a read-only role is sufficient and limits what a leaked client secret could be used for.
  3. Copy the generated Client ID and Client Secret. These credentials are required to link your Mist organization with Workspace ONE; treat the secret as you would any other credential.

Link Workspace ONE to the Mist Portal

To link Workspace ONE with the Mist Portal:

  1. From the left menu of the Juniper Mist portal, select Organization > Access > Identity Providers.
  2. In the Linked Accounts section, click Link Account.
  3. Select VMware Workspace ONE UEM.
  4. In the Link Account page, provide the Instance URL (for example, https://ABC.awmdm.com or https://ABC.airwatchportals.com), the Client ID, and the Client Secret. Then click Link Account.

    After you link the Workspace ONE account, you can see the account status on the Identity Providers page. You can click the account to view the details of the last sync.

Verify Client Connection and Device Lookup Status

The initial MDM lookup for a new client occurs after the device has authenticated for the first time. At that moment the device's compliance status is not yet known, so you need an auth rule that allows first-time device connections and places them in a quarantine VLAN until the lookup completes.

Note: Do not include the Compliant or Non-Compliant MDM compliance labels in the match conditions for this rule; you can optionally use the Unknown Compliant label as a match criterion. Place this rule at a lower priority than your standard access policies, so that once the compliance status is known the device matches a standard rule instead of staying in quarantine.

When the client is connected, you'll see the NAC Client Access Allowed event on the Insights page.

After the client connects, Juniper Mist Access Assurance:

  1. Retrieves the device's compliance status from Workspace ONE.

  2. Triggers a Change of Authorization (CoA) to reauthenticate the client.

  3. On re-authentication, the client is matched against the appropriate policy based on its updated compliance status.

For all subsequent authentications, Juniper Mist Access Assurance uses the cached MDM data, which is automatically refreshed every two hours to capture any compliance changes.
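The three steps above, together with the two-hour refresh, as an added example in Go (this is not Juniper's code). It models the compliance cache and the CoA trigger with a small in-memory engine: the rules are ordered as the note recommends, the first-connect rule matches only Unknown, and the MDM query is a stand-in closure rather than a call to the Workspace ONE API. The rule set, the VLAN names, the sample MAC address and the engine itself are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Compliance labels as the text names them, and the refresh period it states.
const Unknown, Compliant, NonCompliant = "Unknown", "Compliant", "Non-Compliant"
const RefreshInterval = 2 * time.Hour

// Rule is a reduced auth-policy rule: match one or more compliance labels, assign a VLAN.
type Rule struct {
	Match []string
	VLAN  string
}

// DefaultRules orders rules as the note recommends: standard policies first, the
// first-connect rule (matching only Unknown) at the lowest priority. Names are assumptions.
func DefaultRules() []Rule {
	return []Rule{
		{Match: []string{Compliant}, VLAN: "corp"},
		{Match: []string{NonCompliant}, VLAN: "remediation"},
		{Match: []string{Unknown}, VLAN: "quarantine"},
	}
}

type cacheEntry struct {
	state     string
	fetchedAt time.Time
}

// Engine keeps the cached MDM state per client MAC and records every CoA it would send.
type Engine struct {
	rules []Rule
	cache map[string]cacheEntry
	query func(mac string) string // stand-in for the Workspace ONE API call (assumption)
	CoAs  []string
}

func NewEngine(rules []Rule, query func(string) string) *Engine {
	return &Engine{rules: rules, cache: map[string]cacheEntry{}, query: query}
}

// Authorize evaluates rules top to bottom against the cached state (Unknown if the client
// has never been looked up). It never calls the MDM, so authentication is not delayed.
func (e *Engine) Authorize(mac string) (Rule, bool) {
	state := Unknown
	if ent, ok := e.cache[mac]; ok {
		state = ent.state
	}
	for _, r := range e.rules {
		for _, m := range r.Match {
			if m == state {
				return r, true
			}
		}
	}
	return Rule{}, false
}

// Lookup queries the MDM after authentication and caches the result. A new or changed
// state triggers a CoA so the client re-authenticates and lands on the right rule.
func (e *Engine) Lookup(mac string, now time.Time) bool {
	prev, known := e.cache[mac]
	state := e.query(mac)
	e.cache[mac] = cacheEntry{state: state, fetchedAt: now}
	if !known || prev.state != state {
		e.CoAs = append(e.CoAs, mac)
		return true
	}
	return false
}

// Refresh re-queries every client whose cached entry is at least RefreshInterval old
// and returns how many CoAs that produced.
func (e *Engine) Refresh(now time.Time) int {
	coas := 0
	for mac, ent := range e.cache {
		if now.Sub(ent.fetchedAt) >= RefreshInterval && e.Lookup(mac, now) {
			coas++
		}
	}
	return coas
}

func main() {
	// Constructed scenario: Workspace ONE reports Compliant first, then Non-Compliant.
	state := Compliant
	e := NewEngine(DefaultRules(), func(string) string { return state })
	mac, t0 := "3c:22:fb:1a:2b:3c", time.Now()
	r, _ := e.Authorize(mac)
	fmt.Println("first auth ->", r.VLAN, "| CoA on lookup:", e.Lookup(mac, t0)) // quarantine true
	r, _ = e.Authorize(mac)
	fmt.Println("after CoA ->", r.VLAN) // corp
	state = NonCompliant
	fmt.Println("CoAs at +1h/+2h:", e.Refresh(t0.Add(time.Hour)), e.Refresh(t0.Add(2*time.Hour))) // 0 1
	r, _ = e.Authorize(mac)
	fmt.Println("after refresh ->", r.VLAN) // remediation
}
```

Adding Compliant and Non-Compliant to the first-connect rule's match list and placing it above the standard rules would keep every device in the quarantine VLAN after its CoA, which is why the note above says to exclude those labels and give the rule the lowest priority. The Refresh call at +1h also shows the caveat from the polling description: a device that became non-compliant stays on the corporate VLAN until the next refresh catches the change.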