Alex

How-To: VMware Verify Enrollment

Had an interesting requirement recently: allow Verify enrollment that requires username and password to authorise the enrollment, but does not ask for a password on subsequent authentications once the enrollment has been verified :-) . To achieve this, a little "operation" on the VMware Workspace ONE Access database is required.


This is obvious but needs to be mentioned: please be aware that editing the WS1 Access database is not supported; you need to undo such modifications before requesting support from VMware. Make sure you have a working backup.


We will achieve this goal in three simple steps:


1. Create "the" Group

Create a new System Directory Group in Access which will contain all your Verify users; let's call it "ALL VERIFY USERS".


Go to Users & Groups and click the "Add Group" button.

Give your group a name and a description.

Skip the "Add Users to Group" dialog by clicking "Next".


In the "Group Rules" dialog choose TelephoneNumber & Starts With & "+" as the criteria (this will be altered later in the database).

Skip the "Exclude Users from Group" dialog by clicking "Next" again.


You end up with a group containing anywhere from zero to a lot of users, which we will modify in Step 2.

2. Modify "the" Group


Open SQL Management Studio and connect to the server where your Workspace ONE Access data is stored.

In case you cannot remember the location of your database, consult your "System Diagnostic Dashboard"; there you can find the server name and database name.


In SQL Studio navigate within your database (in my case "vidmdb") to the table saas.Groups and find the newly created "ALL VERIFY USERS" group. I used a simple "Criteria Pane" to filter the groups.

Copy the "compositionRules" value of your group ...


... to an editor of your choice; now search and replace the attribute name PhoneNumber with mfaPhoneNumber ...

{"addedUserIds":[],"excludedUserIds":[],"addedUsers":[],"excludedUsers":[],"groupName":"ALL VERIFY USERS","rule":{"rules":[{"type":"attribute","condition":"is","value":"+","attribute":"mfaPhoneNumber","matchingRule":"startsWith"}],"composition":"any","type":"any"},"isDirty":false,"groupType":"DYNAMIC"}

... then paste the full text back into the "compositionRules" field. Close SQL Management Studio. Check the result by editing the group in Workspace ONE Access: the attribute field does not match any "known" dropdown value and is therefore blank, which is the intended state.

Click through all steps of the Edit Group wizard until you see your "Total Number of Users" result, then click "Save" to finish this step.
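As an added example (not from the original post), here is a small Python helper that renames the rule attribute inside the parsed compositionRules JSON instead of doing a free-text search and replace, so only the attribute rule is touched and a blob that has already been edited, or that does not look like a dynamic group, is refused rather than pasted back. The before-state sample is constructed from the page's own group; the original attribute name "PhoneNumber" is taken from the text above.

```python
import json
from typing import Any

# Constructed sample: the "compositionRules" value of the dynamic group as it
# looks before the edit (the page shows the after-state with "mfaPhoneNumber").
SAMPLE_BEFORE = (
    '{"addedUserIds":[],"excludedUserIds":[],"addedUsers":[],"excludedUsers":[],'
    '"groupName":"ALL VERIFY USERS","rule":{"rules":[{"type":"attribute",'
    '"condition":"is","value":"+","attribute":"PhoneNumber",'
    '"matchingRule":"startsWith"}],"composition":"any","type":"any"},'
    '"isDirty":false,"groupType":"DYNAMIC"}'
)


def _rename_attribute(node: Any, old: str, new: str) -> int:
    """Walk the (possibly nested) rule tree and rename matching attribute rules."""
    changed = 0
    if isinstance(node, dict):
        if node.get("type") == "attribute" and node.get("attribute") == old:
            node["attribute"] = new
            changed += 1
        for child in node.values():
            changed += _rename_attribute(child, old, new)
    elif isinstance(node, list):
        for child in node:
            changed += _rename_attribute(child, old, new)
    return changed


def rewrite_composition_rules(raw: str, old: str = "PhoneNumber",
                              new: str = "mfaPhoneNumber") -> str:
    """Return the compositionRules JSON with the rule attribute renamed.

    Only the "attribute" field of attribute rules is changed, so a group name
    or rule value that happens to contain the old text is left alone.
    Raises ValueError if the document is not a dynamic group or nothing
    matched, so an unexpected blob is never written back to saas.Groups.
    """
    doc = json.loads(raw)  # fail early on malformed input
    if doc.get("groupType") != "DYNAMIC" or "rule" not in doc:
        raise ValueError("not a dynamic group compositionRules document")
    if _rename_attribute(doc["rule"], old, new) == 0:
        raise ValueError(f"no attribute rule named {old!r} found")
    # Compact separators reproduce the formatting stored in the database.
    return json.dumps(doc, separators=(",", ":"))


if __name__ == "__main__":
    print(rewrite_composition_rules(SAMPLE_BEFORE))
```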


3. Creation of Rules

Finally we need to create two access rules. The first applies only if the user is already enrolled in Verify (-> member of ALL VERIFY USERS), with a fallback to Password in case the Verify service is not available.

The second rule comes directly after the first, as it catches the user in case he is not yet enrolled in Verify; this time we prompt the user for Password & VMware Verify, which initiates the enrollment process after the user successfully authenticates.


Mission accomplished.


© 2020 by Alexander Askin