AirWatch "Trade Floor" in Atlanta HQ

How many wireless devices do you own?  Do you have a tablet?  A smart phone?  A laptop?  Or several of those devices?  If you are an organization, do you have a way to manage all of your employees’ devices?  Many of today’s workers have multiple wireless devices, and on those devices they are most likely going to want access to their corporate email.  This poses an issue, an issue of security really.  How do you secure email and internal applications on employee-owned devices?  Do you have a solid BYOD plan in place and just require employees to sign a paper saying they’ll follow it?  Or are you in need of a mobile device management platform to securely manage access to your corporate, firewalled resources from employee-owned devices?  If you’re nodding your head yes, then it’s time to introduce you to AirWatch, the leading mobile device management (MDM)/enterprise mobility management (EMM) platform.


What is AirWatch?

AirWatch provides Mobile Device Management for your organization’s devices, whether they be Apple iOS, Android, Windows 8.1 and/or Windows Phone.  Of course, not every organization will be purchasing a fleet of devices for its employees; in that case, you can use AirWatch to help you manage your BYOD policy.  With features such as geo-fencing, AirWatch Secure Browser, AirWatch Content Locker, Mobile Access Gateway and Secure Email Gateway, AirWatch can really take your organization’s device management to the next level.  From a managerial, decision-maker perspective, that’s about all you need to know and you’re sold.  From a technical perspective there is much more that you’ll want to know, so let’s get into the technical nuts and bolts.


The Components

AirWatch is made up of several components that offer varying features.  Below is a quick list of the components that go into an AirWatch on-premise deployment.


AirWatch Admin Console

The console server is equivalent to the vCenter Server: it is where you manage all of your devices, settings and users in one single pane of glass.  The AirWatch Console is clean, easy to navigate and makes your job as an AirWatch admin much easier.  The console server can be either physical or virtual (I’m obviously advocating for virtual), with minimums of a two-core CPU, 4 GB RAM and 50 GB of disk space.  It’s AirWatch best practice to have at least two load-balanced console servers, each configured with the above minimums.  Once you are logged into your console server you can create a user account with the “Basic” option, or you can use AD integration and pull user info from your domain.  You can also create device profiles, blacklists/whitelists and device restrictions.  There is a lot that can be done, which I will cover in more detail later this week.  Below is a screenshot of the console server interface.




Device Services

The Device Services Server, or DS server for short, is a crucial component of your AirWatch deployment.  The DS server is the gateway through which all devices communicate with the console server and the other back-end components.  Device Services actively communicates with the devices in your organization, enabling them to be enrolled, to be provisioned with applications and to receive device commands.  It also hosts the AirWatch Self-Service Portal, which allows users to manage their own devices through a web interface.


SQL Database

With any deployment of AirWatch, you need a SQL database to go along with it.  SQL Server is the preferred database for AirWatch.  Your SQL database should have some high availability in the form of mirroring or clustering.  AirWatch stores your organization’s device data and environmental data in the SQL database you set up.  It’s critical to right-size your SQL database depending on the amount of data that you anticipate coming in and out of your organization.  The number of devices in your organization is a good indicator of how you should size your database.  For an AirWatch environment with up to 25,000 enrolled devices, it’s best practice to size your database at 250 GB and your transaction logs at 100 GB.  Below is a screenshot of database sizes depending on the number of devices in your environment.


[Screenshot: AirWatch database sizes by number of devices]

AirWatch Mobile Access Gateway

A great MDM solution wouldn’t be complete without allowing your organization’s devices to access corporate intranet resources.  The problem with this is obviously security: you don’t want just anyone to be able to access those resources.  The solution is the AirWatch Mobile Access Gateway, or MAG for short.  The MAG gives your users a secure connection to access corporate “intranet” resources on their device.  It is a secure relay between the device and the enterprise resources it needs.  Furthermore, the MAG can encrypt data in transit and authenticate traffic to allow for this type of connection.  Use cases for the MAG include allowing users to access internal web applications, and documents through the AirWatch Content Locker.


AirWatch Secure Email Gateway

The AirWatch Secure Email Gateway, SEG for short, acts as a first line of defense for your organization’s email, sitting between the Exchange environment and the employee’s device.  The SEG is awesome because it will actually detect and remove devices that are compromised and should not be allowed access to email data.  With the SEG installed in your environment, your administrators also get greater ability to administer and control email connections and mobile email security.  The SEG will also allow for certificate integration and email attachment control.  Email can be a very sensitive company asset, and if mobile email is allowed in your organization, then you want to ensure you have a SEG installed as well.


Ok, show me pictures…

If you are a visual learner and you love Visio, then here are two diagrams.  The first diagram depicts a basic AirWatch deployment with the components that would come into play.  The second diagram is a more scaled architecture with multiple servers and more security involved.  Both diagrams give you an idea of what you would need to install and configure in your on-premise deployment.

Diagram #1:  Basic AirWatch deployment









Diagram #2:  Advanced AirWatch deployment










What now?

Now that you have a good idea of what AirWatch is and most of the components necessary to build out an AirWatch environment, it’s time to watch some AirWatch how-to videos.  Every day this week there will be a new blog post on AirWatch, spanning from how to install AirWatch to deep dives on SEG and MAG.  This information should give you a good head start on vDestination’s AirWatch Week.  Stay tuned for more posts and please join the conversation.  Is there a specific feature of AirWatch you would like to see discussed in-depth?

Greg W Stuart
Greg is the owner and editor of He's been a VMware vExpert every year since 2011. Greg enjoys spending time with his wife and 3 kids. He works as a Sr. Consultant at VMware and resides in Northern Virginia, 15 minutes west of Washington DC.
