Continuous Delivery for VMware AirWatch with Jenkins

Introduction

• What are Continuous Integration, Continuous Delivery, and Continuous Deployment?
  Before going into the topic, let's try to understand what CI and CD are. These are two acronyms frequently used in modern software development practices where CI stands for continuous integration, a fundamental DevOps best practice where developers frequently merge code changes into a central repository where automated builds and tests run. But CD can either mean continuous delivery or continuous deployment. Continuous Delivery is an extension of Continuous Integration since it enables automation to deploy all the code changes to an environment (dev, QA, stage, prod, etc.) after the changes have been merged. So after Continuous Integration, the developers can deploy their changes at any time by clicking a button. Continuous Deployment takes the process one step further than continuous delivery. Here, all changes that pass the verification steps at each stage in the pipeline are released to production, and it is fully automated. Only a failed verification step will prevent pushing the changes to production. In this article, I have discussed the continuous delivery of an application using a Jenkins job that will be deployed into a set of devices with the help of VMware AirWatch.
• What is VMware AirWatch?
  VMware AirWatch is an enterprise mobility software provider based in Atlanta which provides technologies that help IT administrators deploy, secure, and manage mobile devices, applications, and data, as well as Windows 10 and Apple Mac computers. For IT Admins, the world has never been more complex as they have so many different types of devices, applications, and end-users. The most common question is how do you enable secure access to company resources while also making it simple for the end-user. That’s where the workspace one comes in.

In simple terms, VMware Workspace One is a digital workspace platform that makes it easy for the end-users to access the corporate resources that they need without sacrificing security.

Overview

• Setting up Jenkins to fetch the artifacts from Github.
  Using Jenkins, the relevant application can be fetched from Github. In this example, I’m going to use an android application. First of all, you need to create a Github PAT(Personal Access Token), which will be discussed in the prerequisites section. Using the Github API, you can fetch the APK from Github Releases. Also, there are so many Python Libraries out there that can be used to fetch releases from Github.
• Setting up VMware Workspace ONE
  The next step is to set up the Workspace ONE UEM AirWatch console. One of Workspace ONE UEM's is the ability to manage different versions of the same application within the console. Because of this, we can upgrade as well downgrade the application to different versions depending on our needs. Probably setting up Workspace ONE would be a whole new article as there are multiple things we need to follow to set up the console. Mainly if you are from an organization or a company, there will be multiple environments where your console is up and running. (QA/Production). It is highly recommended that you need to test this workflow in a QA or a Test environment first before going into production.
• Understanding SmartGroups, Organizational Groups, and Products
  Most people have trouble understanding the purpose of these groups and what they are. So I will try to explain each of these in simple terms. To elaborate more on these, think of an organization that has different types of warehouses all over the world and uses various types of devices within these warehouses to manage their work. Suppose there are three types of devices ( Type_A, Type_B, Type_C) and multiple warehouses within a country (WH_1, WH_2, WH_3, and so on).
• Organizational Groups(OG): These groups do exactly as they sound, which helps to organize all the devices. Also, you can create sub-OGs inside the main OG. In the above scenario, we can use organizational groups to organize different devices within a single warehouse or multiple warehouses.
  ex: Type_A devices within a single warehouse, Type_B devices within multiple warehouses, etc
  Navigate to Groups & Settings > Groups > Organization Groups > List View or through the organization group drop-down menu.

• Smart Groups (SG): These are similar to assignment sheets. You can assign the devices as well as the applications to this assignment sheet. Specially you can assign multiple Organizational Groups to Smart Groups, which makes Smart Groups more powerful.
  Navigate to Groups & Settings > Groups > Assignment Groups.

figure 3 — Ways how OGs and applications can be assigned to SGs

As shown in the figure, multiple applications (if multiple versions of the same applications were assigned to an SG, only the latest version would be installed on all the devices assigned to that SG) and multiple OGs can be assigned to an SG in different ways. Accordingly, you can assign
— Multiple OGs to an SG
— Multiple OGs + Devices to an SG
— Only Devices to an SG

• Products: Products are similar to a package that has ordered the installation of device profiles, applications, and files/actions to be either published to the relay server or pushed to devices based on the conditions you create. Products are the main feature of the Product Provisioning system in Workspace ONE UEM.
  Navigate to Devices > Provisioning > Product List View.

— Can add multiple Smart Groups to a Product
— Can add various actions to the Manifest area (ex: Install an application, Uninstall an application, install a profile, etc.)
— Can add conditions to install or download the application
— Can add another product as a dependency (this dependency product will execute before executing the main product)
— Can add multiple dependencies and adjust their order of execution

Prerequisites

• Github-related credentials — Github Access Token
  
  A personal access token(PAT) is an alternative to using passwords for authentication to GitHub when creating a release and uploading build artifacts using Github API. Follow the below procedure to configure a PAT.
  — Verify the email associated with the Github account if it hasn’t been verified yet.
  — Click Profile Photo → Settings → Developer settings →Personal access tokens →Generate new token
  — Give the token a descriptive name and an expiration date
  — Select the scopes of permissions you’d like to grant to this token.
  (I would suggest only giving the most needed permissions to get the job done)

— Then, Generate the token and save it somewhere as it won’t show again after the popup is closed.
— To use your token to authenticate to an organization that uses SAML single sign-on, authorize the token. For more info: Authorizing a personal access token for use with SAML single sign-on

• Jenkins Instance
  You need to have a Jenkins instance up and running in your local machine or hosted somewhere.
• AirWatch related credentials
  Below are the important credentials related to AirWatch.
  If the AirWatch API is not enabled, enable API access in the AirWatch Console as below.
  Groups & Settings> All Settings > System > Advanced > API > REST API.
  Rest API URL: https://host.awmdm.com/API

Two-Factor Authentication — Along with the standard headers, AirWatch REST API server authentication requires the following headers:

• Authorization — Authorization header with base 64 encoding of API admin credentials. There are several authentication methods supported by VMware AirWatch. (Basic Authentication, Directory Authentication, Certificate Authentication)
  The easiest way is to use basic authentication. To get the basic credential, you need to encode the admin credentials(the form should be “username: password”) using Base64. This can be easily done using python as follows. (replace the user and password with the appropriate credentials)

$ python -c "import base64; print base64.b64encode('user:password')"
dXNlcjpwYXNzd29yZA==

• aw-tenant-code — Header value same as API key randomly generated in the AirWatch Console.
  As mentioned in the above figure, a newer API key can be made from the REST API section.

Finally, the AirWatch API can be accessed as follows,

• Using CURL

curl -X "GET" "https://host.awmdm.com/API/v1/help" \ -H "Authorization: Basic dXNlcjpwYXNzd29yZA==" \ -H "aw-tenant-code: bG9naW46cGFzc3dvcmFzZG/2FmYXNkZmFkc2Zhc2Zk="

• Using Python

import requests
response = requests.get(
            url="https://host.awmdm.com/API/v1/help",
            headers={
                "Authorization": "Basic dXNlcjpwYXNzd29yZA==",
                "aw-tenant-code": "bG9naW46cGFzc3dvcmFzZG/2FmYXNkZmFkc2Zhc2Zk=",
            },
        )

Procedure

In this first example, I’m going to install an android application on a group of devices. Here I’m fetching the APK from the Github Repository release.
Below is the summary of the entire process.

1. Fetch the APK from Github to Jenkins using Github API

Here first, we need to get the release details from Github. I’m using a python script to get the release from Github to Jenkins. Also, I’m going to execute the python script within the Jenkinsfile Stage.

So within the Jenkinsfile, we can execute this as a normal shell command. The environment variables must be set on the Jenksinfile. (In this case, Personal_Access_Token and Release_Tag). You can get them from the parameters from the Jenkins Job itself and set them as environment variables afterward.

node {
   sh 'python get_release_apk.py'
}

2. Send the APK to VMware AirWatch using AirWatch REST API
3. Install the APK as an Internal Application inside the AirWatch Console
4. Assign the installed application to the smart group, which contains all the devices

This is a simple example of a Continous Delivery workflow of an android application from its release state in Github to the AirWatch Console internal application. Further, this can be extended to the following use cases with necessary adjustments.

• Advanced AirWatch Console Management with Products
  With products, we have more flexibility over the application instead of assigning it to a smart group directly.
• Application Downgrading
  Normally application upgrades when we upload a newer version of the same application to the AirWatch Console. Specifically, the versionCode must be incremented up. But when downgrading, there is no direct option to downgrade the application. (Downgrading version is not supported in AirWatch) But this can be achieved using product provisioning by uninstalling the newer versions and resyncing the older versions.

Conclusion

Overall, VMware AirWatch can be used for the following things,

• Mobile device management (MDM) — for configuring, securing, and enforcing policies on devices.
• Mobile application management (MAM) — for deploying, securing, and enforcing policies on devices.

These tasks can be automated using Jenkins as Continous Integration/Continous Delivery pipelines. This can be done using the AirWatch API, which provides endpoints for most of the things within the console. (But keep in mind to update the workflows since the API has many deprecated endpoints). Ultimately AirWatch Products can be used to do some advanced management activities.

Happy Coding! 😃