Workspace ONE UEM – On-Premise to SaaS Migration

Thinking of moving your On-Premise Workspace ONE Environment to SaaS? Read below for some best practices. Also, for latest information always follow https://docs.vmware.com

1. Introduction

In order to move to SaaS from On-Premise, it is important to know and understand the process. VMware Professional Services team can help you migrate to the cloud without any impact to the existing enrolled devices, provided the best practices conditions are met.

Also, this blog covers the overall information and strategy aspect of the migration. For a detailed inspection of your environment, please reach out to your Account Manager and engage VMware Professional Services.

2. The Process

It is important to know which components get moved to the cloud and which remain On-Premise. First, let’s talk about a general On-Premise UEM Architecture

Primary Components

• Workspace ONE Database Server
• Workspace ONE Console Server
• Device Services Server

Auxiliary Components

• AirWatch Cloud Connectors
• Unified Access Gateways – Tunnel and Content Gateway
• Secure Email Gateways (Windows/UAGs)
• Push/Pull Relay
• Intelligence Connector

During the migration, all the Primary components get moved to the cloud and all the Auxiliary Components stay On-Premise to interact with your internal resources.

Now, let’s talk about the Auxiliary components and how are they affected during a migration.

AirWatch Cloud Connector (ACC) – This is the most important component and must be configured in your environment. Once you move to the cloud, your UEM console is moved as a part of the migration and you would need the ACCs to communicate outbound to the SaaS IP ranges as well as to the internal resources.

Unified Access Gateway (UAG) for Tunnel and Content Gateway – Once you migrate, the UAGs would have to be reconfigured with the new SaaS API URL. The old API URL will no longer work.

Secure Email Gateway (SEG): On a Windows SEG v2 configuration, you’d have to re-install the component with the updated SaaS URL. For SEG on UAGs, you’d have to reconfigure them on the 9443 admin page by updating the SaaS API URL

Push/Pull Relay: It is mandatory to reconfigure your Push Relay servers to Pull. Push Relays are typically used in an On-Premise environment, whereas Pull, is used and preferred for Cloud Environments.

Intelligence Connector – This will no longer be used once you migrate to the cloud.

3. Best Practices

It is always recommended not to have configurations setup at the GLOBAL Organization Group irrespective of the fact that a migration is in the works or not.  Some of them are

• Directory Services (AD)
• AirWatch Cloud Connectors
• SMTP
• APNS (Apple Push Notification Service)
• VPP (Volume Purchase Program) & DEP (Device Enrollment Program)
• Users/Admins
• API
• Enrollment/Autodiscovery Settings

If any of the above is setup at Global, then it’ll have to be moved down to the target OG. This step is mandatory as you’ll no longer have access to Global post migration.

NOTE:

Workspace ONE Access is NOT a part of the migration and the Access Connector will remain untouched.

Workspace ONE Assist Data will NOT be migrated. The customer has to purchase licenses for SaaS Assist environment prior to the day of actual migration. Post UEM migration the devices will connect to a SaaS Assist with no data from the on-premise Assist, as it is not need for Assist to function.

4. Conclusion

This blog should help you understand the overall process and components involved during a migration.

Also, On-Premise to SaaS migration is strictly for Workspace ONE UEM. For Workspace ONE Access and Workspace ONE Assist please reach out to your Technical Account Manager and VMware Professional Services team for assistance.

Hope this helps!