This one was a doozy to get figured out. There is some documentation on the VMware Connector for Teams but not how to configure the azure side and some connector specifics for teams are not what you would expect… Tried a gazillion options, lobbied on VMware slack channels, ripped open the GitHub package, went full-on rage monkey but eventually we won! Thanks again to my RawWorks Azure Guru, Gerjon Kunst, to help me out on the Azure side and Sidney Laan on the UEM side. We wrote this gem together!
So what is VMware Mobile Flows?
Mobile flows is a framework designed for enterprise companies to bring the micro applications on their employee’s devices to surface contextual information and perform actions on various business systems. It helps the device users to perform tasks across multiple business backend systems within VMware applications enabling users to be more productive while maintaining enterprise security and organization compliance regulations on the cloud and on the edge. Mobile flows eliminates the need to visit multiple websites to perform different business tasks. Provides user-specific micro applications that streamline the data flow such as quick data entry, data retrieval, approvals, and making business decisions.
Components of mobile flows
The mobile flows architecture has three primary components:
-
- The mobile flows server – Is the heart of the entire system that is responsible for logic, connector discovery, and returning data to the requesting client.
- The connector – Is used to connect to the business system, request the data, perform the interactions as requested by the client, and contains the logic for how the card must appear on the client. For example, a Salesforce card might be displayed in the Workspace ONE Boxer application where users can see important information and also take required action on Salesforce right from the mobile flow card. You can create your own connectors or customize the open-source pre-built connectors. You can also use the out-of-the-box (OOTB) connectors such as SalesForce and ServiceNow which are hosted on the VMware’s servers.
- The client-side framework – Is responsible for rendering the card on the client to display the contextual information, along with the required input to take the required action.
Use Cases
You can build connectors to address a variety of needs within an organization. You can provide different types of notifications, bring up contextual cards within the Workspace ONE Boxer application, or make actions available to users to perform operations from the Workspace ONE Intelligent Hub.
So let’s Configure this for Microsoft Teams!
So what do we need? We need on the Azure side an App Registration to use as an API endpoint. We need to configure Workspace ONE Access and we need to configure Workspace ONE UEM Mobile Flows connector for Teams.
Azure
Log into Azure with an admin account and go to App registrations. Click no New registration.
Name the application, Select Multitenant, and set the Redirect URI to https://prod.hero.vmwservices.com/token-exchange/oauth2/callback
Now go to Authentication and add the logout URL of your Workspace ONE Access environment. https://{your access URL}/SAAS/auth/logout and save the config.
Then go to Certificated & Secrets. We need to create a Client secret to exchange tokens.
Click on New client secret, Name it, and select the expire time. I chose Never.
Now write down that client secret, we need it later to configure the Workspace ONE UEM Teams connector!
Next, we need to set the API permissions for Microsoft Graph. Go to API Permissions and click on Add permission.
Now click on Microsoft Graph.
Now click on Delegated permissions.
We need to set permission for:
- offline_access
- user.read
- user.read.all
- MailboxSettings.Read
- Group.ReadWrite.All
For each of the above permissions, you need to add them. Search for the name in the search box and tick the permission.
When done, click on the add permissions button. When done you will see the permission like below.
Now click on Grant admin consent for “your domain” otherwise your users will be faced with an admin approval flow when requesting the token. When granted, green checkboxes appear.
If you do not grant permission you will get the following message later on and will annoy your end-users!:
Go back to the Overview and write down your Application (client) ID. We also need this later for the connector configuration.
Ok, were done on the Azure side now. We have created an App registration for Teams, created a client secret, and set the correct API rights. If done correctly you have written down 2 things we need later on. Application (client) ID and client secret. Let’s move on to Workspace ONE Access.
Workspace ONE Access
Login to the admin interface of Workspace ONE Access and go to Catalog > Settings
Now go to Remote App Access and click on Templates
Now click on Create Template.
We need to fill it with the following settings:
Template ID: MobileFlows_Server_Template
Application: Workspace ONE Access
scope: email, profile, user, openid
Redirect URI: https://prod.hero.vmwservices.com/token-exchange/oauth2/callback
Token Type: Bearer
Token Length: 64
Issue Refresh Token: Yes
Access Token Time-To-Live (TTL): 1 month(s) (1 month is 30 days)
Refresh Token Time-To-Live(TTL): 1 year(s)
Idle Token Time-to-Live (TTL): 10 day(s)
And click on Add. You will end up with a new OAuth 2 Template. This is needed so Workspace ONE Access can exchange tokens with Mobile Flows.
We are done on VMware Workspace ONE Access now and we can move on to VMware Workspace ONE UEM.
VMware Workspace ONE UEM
Log in to Workspace ONE UEM admin and go to Content > Mobile Flows.
Either use the connector supplied by VMware or host your own. or this guide I will show you how to configure the VMware hosted connector. Be aware that the VMware hosted connectors only are able to poll requests every 60 minutes and no push option. If you need a direct notification and push support you will need to host your own connector. You can get the connector’s sources here to build your own in a docker container. Ok, moving on with the VMware hosted connector. Click catalog and add the Teams connector.
The base URL was where I hit a roadblock. What Base URL does one need? With the information provided one would guess that that URL would be https://teams.microsoft.com/ or https://teams.microsoft.com/?whr=domain but no… I spend hours searching for the correct eventually, with trial and error I found out that the URL should be https://graph.microsoft.com/beta…
Tried https://graph.microsoft.com/v1.0 but that seems only to work for the Microsoft Planner connector and not Teams.
So fill the base URL with https://graph.microsoft.com/beta and click next. Leave the default categories and click Next.
Remember that Application (client) ID and client secret you wrote down? Fill them in here and click Next.
See here that the Type is fixed to Poll only. Want push, host your own connector. Click Next.
See what you just configured and click Submit to finish. Now you have created a Mobile Flows connector for Teams! When all is good, you will see green checkboxes.
Alright, you are done to see the magic happen!
Run your own connector?
You can do this by pulling the docker image and setting it up with the code below. The bold part is the version you want to set up. Tested and works on a CentOS 7 Docker Host, it fails on CentOS 8.
docker run –name hub-ms-teams-connector \
-p 8080:8080 \
ws1connectors/hub-ms-teams-connector:1b3d2bd1f026e4276af1b751fc4000ac30ebee12 \
–server.port=8080 \
–security.oauth2.resource.jwt.key-uri=”https://prod.hero.vmwservices.com/security/public-key”
Now you need to expose this docker container to the internet with a public URL and use it to set up your connector. The Discovery URL is the URL to your docker container.
Final configuration
Log in to Workspace ONE Access as a user and go to Account
Pingback: The future of VMware Mobile Flows continues in Workspace ONE Experience Workflows – vDrone
Pingback: De toekomst van VMware Mobile Flows gaat verder met Workspace ONE Experience Workflows – RawWorks