May 12, 2015
Posted by on
Just a short one this.
I recently came across a customer who required integration with an on-prem Certificate Authority so it could be integrated into a particular profile (maybe more on this another time). I noticed they were already using Directory integration for enrollment and assigning resources so I assumed an ACC would already be in place. I was wrong about this however as they were using the now legacy EIS component for this (I did find this out before I got there!).
A bit about EIS (Enterprise Integration Service)
According to the AirWatch EIS Guide:
The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment or a remote network zone (for example, a DMZ). This integration allows organizations to leverage the benefits of SaaS and their existing LDAP, CA, email, and other back-end systems.
Sounds just like the ACC (AirWatch Cloud Connector) huh? Well it does the same thing but the ACC is current, whereas EIS is now considered legacy. EIS is a bit more of a painful to configure than ACC though as it really requires secure DMZ placement due to it needing inbound communication from the AirWatch Console Server. ACC on the other hand only requires an outbound web connection to the AirWatch Cloud Messaging Service so can quite happily sit on the internal LAN somewhere and go out directly or via a proxy if needed. Despite this, EIS is still in support however and oddly AirWatch are still (on version 8 for example) producing 33 page integration guides fot it which have no mention of the ACC.
EIS doesn’t support quite as many integration points as the ACC does, and for Certificate Services an additional and purchasable add-on pack is required.
Move to ACC
I didn’t want to get involved in any of this nonsense so I just replaced EIS with an ACC. If one was to navigate to the ACC node in the AirWatch console whilst EIS is enabled, this message would be seen:
It’s not as daunting as it may first look, I had a new virtual server ready to run as an ACC so I went ahead and pressed the button, you then go through the ACC installation as normal.
The integration points (directory services in this case) that were previously using EIS remain just as before. These are independently configured nodes so will just carry on and the old EIS server will just be ignored and can be switched off. I then went ahead and implemented the Certificate Authority integration through the ACC so I could use it in my target device profile.