This document is a guide on setting up Workspaces in LDMS 2016.3 SU3+ and 2017.1. Some pieces apply to only one version and are noted as such.
This guide assumes the reader has basic knowledge of Landesk Management Suite and that the prerequisites for Workspaces listed below have been fulfilled.
- A configured Workspaces database. More information on how to set this up can be found here
- A user with Landesk Administrator rights to the console
Configuring The Logon Policy
Your main options for logging into Workspaces are below. This document will focus mostly on Identity Server, as it supports the other 2 technologies and is the current design path for the future:
- Token Only
  - This uses Active Directory to authenticate a user with the domain. As long as the logon succeeds, Workspaces will allow the user to log in.
- Integrated Only
  - This uses Integrated Windows Authentication to authenticate with the user's currently logged-in context.
- Identity Server
  - This is a new technology with existing functions to replicate both Token and Integrated authentication. It's also compatible with OAuth and may integrate with other OAuth providers in the future.
While there are also Explicit Only and Shibboleth Only policies, Explicit Only is only used in specific situations, and configuring Shibboleth is beyond the scope of this guide.
In Configuration Center, open up your instance. You should have 3 applications - Framework, BridgeIT, and IdentityServer.
Edit your Framework and BridgeIT to use the "Identity Server" logon policy.
Next, decide if you want to allow Integrated Logon. If you do, set "Use Integrated Logon" to True on your BridgeIT application.
Last, edit your Identity Server application.
- If you chose to allow Integrated Logon, you also need to change the value of "Allow Windows Logins" here.
- Set your "User Consent Expiration". This is how long a user's login will last before the user must re-consent to the login.
Now that you have a logon policy, the next step is to configure your users. Workspaces uses the existing user rights information in Landesk Management Suite to determine rights. Below is a general breakdown of how LDMS roles translate to Workspaces roles. This will be updated as more mappings are verified.
Note that all users in Landesk Management Suite's user management who have logged into the Console will be Analysts, and any users not found in there will be End Users.
The format is LDMS Role > Workspaces role
- Software Licensing > Asset Manager
- Security > Security Manager
- Landesk Administrator > Workspaces Administrator
Additionally, some Workspaces actions require certain rights in LDMS. Some examples are:
- Remote Control - Requires Remote Control rights
- Install Software - Requires Software Distribution rights
The Windows application (or "hybrid app") is a web wrapper, and displays the underlying BridgeIT web page. The main difference is that, because the application is a local program, it can read a client's policy XML to determine which software packages should be made available.
A user using the Windows application will need a username, password, and the full link to the BridgeIT web page. Just supplying the LDMS core is not enough. The full link is generally in the format:
The Windows application can also be configured to log in automatically, as long as Windows Logins are allowed by the Identity Server.
The documents below are some good troubleshooting resources if you encounter issues.