Qlik Sense® integration with VMware Workspace ONE (formerly AirWatch)
This article is a comprehensive guide on the current integration of Qlik Sense with VMware Workspace ONE (formerly known as VMware AirWatch) as of 31 March 2018.
Qlik recommends that customers prove the operation of Safari and/or VMware Browser with their Digital Workspace (also known as Enterprise Mobile Management (EMM)) Infrastructure, and familiarise themselves with the deployment and configuration of Qlik Sense Mobile without per-App VPN connectivity (AppConfig “MDM” property, QMC Security Rules). Ensure that AirWatch is iOS v11-ready [1] and using the VMware Tunnel server on Linux to provide per-App VPN connectivity from Browsers. The same per-App VPN connectivity is planned to be supported for Qlik Sense Mobile.
Qlik Sense requires that clients and intermediate infrastructure support websocket connectivity for retrieval of Associative datasets between the Qlik Visualisations and the Qlik Sense Proxy service. Websockets are part of the HTML5 standard, but many proxy servers fail to support them; iOS v11 has resolved previous issues with routing websocket traffic via any per-App VPN. Remaining connectivity problems are now due to configuration/limitations of EMM and other network infrastructure.
VMware lists [1] several minimum requirements for their support of iOS v11, particularly:
VMware Tunnel [3] v2.0.3
VMware Browser [4] v6.2.3
(A) Customer can register to the SaaS AirWatch Cloud, or implement the AirWatch Console onPremise (v22.214.171.124 or later)
(B) AirWatch Connector [5] is installed behind the Firewalls, providing replication services from Active Directory to the SaaS Console. The software is configured and downloaded from the AirWatch Console.
(C) The VMware Tunnel is deployed on a Linux [6] host in DMZ as the VPN gateway to private resources. The software is configured then downloaded from the AirWatch Console.
(D) The mobile user performs Self-Service enrolment by browsing to the AirWatch Console, and this downloads the AirWatch Agent from iTunes. The Agent is the tool which AirWatch uses to manage the device.
(E) Successful Enrolment will add the Enterprise AppStore Catalog, which is where Managed Applications can be installed from instead of the Apple App Store.
(F) The VMware Tunnel VPN client may be automatically installed by the Agent, or can be downloaded from the Catalog. This will use an SSL Client Certificate (G) to perform Device Authentication to the VMware Tunnel server and create a Tunnel through which traffic from Managed Applications can reach private resources such as Qlik Sense.
(G) Configuration details are delivered by the Agent to iOS as “profiles”. These are visible in the iOS Settings application. A profile may include Rules for which Browser uses the VPN to access which URLs, but also other features such as WebClips (URL Shortcuts), Email Configuration and SSL Certificates.
(H) Safari or a Managed Application (e.g. Qlik Sense Mobile or VMware Browser installed from the Catalog) will use a Profile (G) to determine whether it should have an exclusive and private (per-App VPN) conversation with the VMware Tunnel (F) VPN client to access a Qlik Sense URL.
Note: VMware AirWatch includes a VPN connectivity component. On the client-side the “AirWatch Tunnel” has been superseded by “VMware Tunnel” though they both have the same functionality. On the server-side, older AirWatch implementations may still comprise the “Mobile Access Gateway” (MAG) typically running on Windows. This often operates only as an SSL Reverse Proxy, and does not support the long-duration bidirectional websocket connections that Qlik Sense uses to deliver associative data to the visualizations.
VMware states [6] that the VMware Tunnel service MUST be deployed on Linux to support the per-App VPN connectivity that Safari and VMware Browser can use to interact with Qlik Sense. Neither Qlik nor VMware can support connectivity to Qlik Sense via the Windows “MAG”, and VMware customers are advised to adjust their AirWatch deployment accordingly.
A diagnostic webpage can be downloaded from branch.qlik.com [7] and should be deployed into the Qlik Sense Content Library via the QMC. Access this deployed content using mobile browsers to determine if websockets are supported by the browser, VPN and other network infrastructure. Load Balancers between the Qlik Sense Proxy instances may require additional configuration [8] to support websocket traffic.
Qlik Sense Mobile (iOS App)
Qlik Sense Mobile provides an online alternative to a browser, and implements our Associative Engine on iOS to also provide offline data analysis on Qlik documents that have been synchronised to the device.
Qlik Sense Mobile is already supported for deployment and configuration by AirWatch, and from 30 April 2018 is also supported for operation together with the VMware Tunnel per-App VPN.
Qlik Sense Mobile is currently available from the Apple AppStore [9] and can be added to the AirWatch App Catalog as a Managed Application.
When installed from the AirWatch App Catalog, AirWatch can supply configuration details too. A single text variable "mdm" can be specified, as documented at help.qlik.com [10], and contains a JSON array that delivers a collection of Qlik Sense Hub URLs to Qlik Sense Mobile rather than requiring that users browse to the Qlik Sense Hub and download a "Client Authentication Link".
It is clear that per-App VPN connectivity is required for Remote/Home office users who want to interact with Qlik Sense online or to sync documents to their device for offline use, and as of 30 April 2018 the AirWatch per-App VPN is supported for use with Qlik Sense Mobile with some configuration adjustment described further below.
The VMware Tunnel per-App VPN also works satisfactorily with mobile browsers as described in an earlier section.
Within the Qlik Sense Management Console you must configure Security Rules to permit Offline use of Qlik Sense documents. An example is provided at help.qlik.com [11].
Only Users with a User Access Token can use Qlik Sense Mobile offline. Login tokens may not be used to synchronise content for Offline use.
Known requirements for using Qlik Sense Mobile with VMware Workspace ONE (formerly AirWatch)
Qlik Sense Mobile contains an embedded browser that makes a http://127.0.0.1 connection to an embedded webserver (just like browsing to a remote Qlik Sense Hub). The VPN Client incorrectly attempts to route this traffic through the VPN Tunnel unless explicitly configured not to. Within AirWatch Console see the Network Traffic Rules properties of the VMware Tunnel, and configure the Device Traffic Rules to bypass the 127.0.0.1 address; otherwise Qlik Sense Mobile will not operate at all when the Tunnel is active.
Note that hostnames specified in the same Rule must be separated by commas only.
DNS queries performed over Secure UDP are observed failing after 30 seconds. This requires reconfiguration of the VMware Tunnel Server using a Secure Shell command-prompt.
1. Log in to the VMware Tunnel server (ssh or other means).
2. Add “dtls_channel 0” to /opt/airwatch/tunnel/vpnd/server.conf
3. Restart the vpn server using “sudo service vpnd restart”
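The configuration change above can be applied idempotently and with a backup, as in this added example (not from the article or from VMware). It assumes server.conf holds one whitespace-separated "key value" pair per line; the function name set_dtls_channel_off is hypothetical.

```shell
#!/bin/sh
# Added example: set "dtls_channel 0" in the VMware Tunnel vpnd config exactly once.
# Assumption: server.conf uses one "key value" pair per line ("#" lines are comments).

CONF_DEFAULT=/opt/airwatch/tunnel/vpnd/server.conf   # path given in the article
KEY_RE='^[[:space:]]*dtls_channel([[:space:]]|$)'    # any active dtls_channel line
OFF_RE='^[[:space:]]*dtls_channel[[:space:]]+0[[:space:]]*$'

# set_dtls_channel_off FILE
# Returns 0 if FILE was changed, 1 if it was already correct, 2 on error.
set_dtls_channel_off() {
    conf=${1:-$CONF_DEFAULT}
    if [ ! -f "$conf" ] || [ ! -w "$conf" ]; then
        echo "cannot write $conf" >&2
        return 2
    fi

    # Already correct: exactly one active dtls_channel line and it is "0".
    if grep -Eq "$OFF_RE" "$conf" && [ "$(grep -Ec "$KEY_RE" "$conf")" -eq 1 ]; then
        return 1
    fi

    # Keep a timestamped copy so the change can be reverted.
    backup="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$backup" || return 2

    tmp=$(mktemp "$conf.XXXXXX") || return 2
    # Drop every existing dtls_channel line (grep exits 1 if nothing is left: not an error).
    grep -Ev "$KEY_RE" "$backup" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 2; }
    printf 'dtls_channel 0\n' >> "$tmp"

    # Write through the original inode so ownership and mode are unchanged.
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    return 0
}
```

The function does not restart the service; run “sudo service vpnd restart” only when it returns 0, since a return of 1 means the setting was already in place.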
AirWatch has acknowledged that this is a less-than-ideal solution, and that client-side and server-side improvements to VMware Tunnel will be required.
PPAT-2636 – Improvements for bounding buffered data for flows during download
PPAT-2769 – Force TLS channel response for DNS traffic
Document Thumbnails may not sync from Qlik Sense Enterprise to Qlik Sense Mobile. Any transfer of more than 15MB appears to fail due to a bug in the VMware Tunnel. Qlik is assisting VMware with further investigations, but the VMware Tunnel v2.0.4 on iOS v11.2 appears to resolve this problem.
The VMware Tunnel client may crash when syncing Qlik Documents due to a Transfer Size limitation in the VMware Tunnel. This is being alleviated by modifying both Qlik Sense Mobile and Qlik Sense Enterprise to deliver the QVF in chunks or pages, and Qlik is assisting VMware with further investigations. Qlik Sense Enterprise should be Nov’2017 release or later.