Procedure & FAQ: Content Delivery Networks (CDN) and Workspace ONE (WS1) UEM Console (2960984)
Purpose
In a world where in-house applications and software are increasing in size, deploying applications swiftly to your device fleet presents a new set of challenges. Content Delivery Networks (CDNs) help resolve those challenges.
Impact / Risks
For customers who develop in-house software/applications and deploy products via product provisioning, delivering large applications to their device fleet can lead to significant performance degradation as their devices compete for resources to download the provisioned applications while also trying to receive other commands. Bandwidth for the environment is also finite, which can lead to deployment bottlenecks.
Resolution
The Workspace ONE (WS1) UEM Console can integrate with Content Delivery Network (CDN) services to provide a more efficient way to deploy your applications. The solution provides an alternative route for devices to download applications while the UEM service pushes down other commands and payloads at the same time. As the CDN service is specialized in content delivery, downloads can also use the maximum bandwidth available. Workspace ONE (WS1) UEM partners with Akamai as its content delivery network provider. For more information about Akamai CDN, please see: https://www.akamai.com/our-thinking/cdn/what-is-a-cdn
How it works:
- Device checks in with UEM device services and requests the application
- CDN URL is provided to the device for download outside of the UEM domain
- Device uses the URL to request the application, connecting to CDN directly
- A copy of the requested application is pulled from the UEM domain based on the device’s request URL and is then cached in the CDN
- Application download is served by the CDN service
- All subsequent downloads will be served by CDN service
- CDN service intelligently routes all requests to the best available and geographically closest servers to optimize end-user experience
Related Information
Is the Content Delivery Network (CDN) feature supported everywhere?
The CDN offering is supported worldwide. Please reference Countries in which Akamai maintains Server Points of Presence from Akamai.
What is the benefit of using a CDN?
Downloads are able to use the maximum bandwidth available, and you will experience faster downloads because requests are served by the CDN node geographically closest to the device (or the least busy node).
Note: The CDN service uses the first download request for a given application to pull a copy of the content from the UEM domain and hydrate its cache. Until the CDN service holds a copy of the content, you will not see an improvement in speed.
What types of deployments (On-Premises, Shared SaaS, or Managed Hosting SaaS) can use the CDN?
Workspace ONE is currently offering the CDN for all environments:
- On-Premises: On-Premises environments can enable this feature. For additional information and guidelines, please refer to the CDN Integration with Workspace ONE Guide. An active Akamai account is required in order to enable this feature.
- Shared SaaS: Workspace ONE UEM enables this feature by default.
- Managed Hosting SaaS: Workspace ONE UEM automatically enables this feature by default. Customers have the option to opt out by contacting Workspace ONE Support in case they have a privacy requirement that restricts their application from being stored outside of the country.
Can you disable the CDN in the Workspace ONE UEM Console?
For customers who have data sovereignty requirements, we can disable CDN if you are a Managed Hosting SaaS customer. CDN is enabled on all Shared SaaS environments by default and cannot be disabled per tenant.
What if CDN fails?
In case of a CDN outage, UEM will fall back to distributing applications via device services. The fallback is seamless and no action is required by the customer to activate the failover.
CDN Hostnames
When devices receive download commands, download will be redirected to one of the following CDN hosts:
Americas and Canada:
cdnus02.awmdm.com
cdnus04.awmdm.com
cdnus04uat.awmdm.com
cdnus08.awmdm.com
cdnus09.awmdm.com
APAC:
cdnau01.awmdm.com
cdnin02.awmdm.com
cdnjp02.awmdm.com
cdnsg01.awmdm.com
EMEA:
cdnde01.awmdm.com
cdnde02.awmdm.com
cdnuk01.awmdm.com
There are no actions required if you are on an open network. If you are behind a firewall, please see the below section with regards to IP whitelisting. If you are unsure about information with regards to the CDN hostname you are connecting to, please contact one of your account representatives.
Please note: These hostnames are for firewall whitelisting purposes only and will not pass a ping or telnet test due to the way authentication is configured.
What if my network traffic is restricted behind firewall?
Akamai's CDN requires an open network by default. Customer networks that support hostname-based access rules can use the hostnames (corresponding to the region in which the UEM environment is hosted) to allow CDN traffic. If you are a Managed Hosting SaaS customer and your network is behind a firewall that requires IP restrictions, you can opt into the IP Limited CDN service. Simply contact one of our account representatives to have the option enabled for your environment. Shared SaaS customers have IP Limited CDN enabled by default. For more information about IP Limited CDN, please see: https://kb.vmware.com/s/article/76872
Does the CDN have any passive storage capabilities (is the data stored statically outside of Workspace ONE) or is it just a pass through?
Akamai caches the data securely for 100 days.
Internal applications often contain sensitive or proprietary information. Workspace ONE uses a third-party vendor, Akamai, to offer the CDN feature. To ensure information is safe, please list the security certifications in place to protect data.
Akamai and Workspace ONE use a SHA256 authentication method to protect data.
How does the CDN ensure data integrity?
Akamai uses HMAC tokens and pre-shared keys to ensure data integrity.
- To transfer data, the system uses a specific HMAC token for each device. The token is carried in the query string of the generated download URL, and devices do not know each other's HMAC tokens.
- Servers in the network cannot access the origin server where the application resides unless they have the pre-shared key.
- Akamai passes the pre-shared key to the origin server using cookies. The pre-shared key is not in the URL. Without the pre-shared key, a request for access fails.
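The scheme above (a per-device HMAC token on the download URL, plus a pre-shared key that only the edge presents to the origin) is illustrated below as an added example; it is not Workspace ONE or Akamai code, and the token layout, parameter names (device, exp, token), cookie name (psk) and sample values are assumptions constructed for the illustration, since the page does not describe the real format.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical token layout: HMAC-SHA256 over path, device id and expiry.
# The actual Akamai/WS1 token format is not described on this page.
def make_token(secret: bytes, path: str, device_id: str, expires: int) -> str:
    msg = f"{path}|{device_id}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def sign_download_url(secret: bytes, base: str, path: str,
                      device_id: str, ttl: int, now: int) -> str:
    """Build the per-device download URL the device receives at check-in."""
    expires = now + ttl
    query = urlencode({"device": device_id, "exp": expires,
                       "token": make_token(secret, path, device_id, expires)})
    return f"{base}{path}?{query}"

def verify_download_url(secret: bytes, url: str, now: int) -> bool:
    """Edge-side check: reject missing, expired, tampered or borrowed tokens."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        device_id = query["device"][0]
        expires = int(query["exp"][0])
        token = query["token"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now >= expires:
        return False
    expected = make_token(secret, parsed.path, device_id, expires)
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(expected, token)

def origin_accepts(headers: dict, psk: str) -> bool:
    """Origin-side check: serve the package only if the edge presents the
    pre-shared key in a cookie (it is never part of the URL)."""
    cookie = headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "psk":
            return hmac.compare_digest(value, psk)
    return False
```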
How does the CDN encrypt data?
For information on how Akamai encrypts data, please refer to the Akamai PDF on Secure Content Delivery Network.
Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.
What protocol does the CDN use to transfer data?
All communication uses SSL, both for uploading and downloading.
Can you configure the use of the CDN or the use of the Workspace ONE Software Distribution system per application?
No. The CDN and the Software Distribution systems are entire environment solutions.
Can you deploy other large files, like product provisioning files or content in the Content Locker, through the CDN?
Product provisioning file delivery via CDN is supported from UEM 20.03 onwards. Relay servers will pull content from the CDN from UEM 22.03 onwards. Content Locker does not currently support the CDN.
What is the difference between File Storage, External Application Repositories, and CDNs?
The difference in these offerings is the service that facilitates the connection to send and receive internal applications.
- File Storage: Acts as an extension of the Workspace ONE database. Use this option when you deploy large applications. The app packages are stored in the file storage instead of the Workspace ONE database. Device services handle the deployment of the application to devices.
- External App Repository: This option is an alternative to uploading your proprietary applications to the Workspace ONE database or to file storage. Add these applications with a link in the Console. This link can navigate to one of your internal repositories. Configure the authentication for your internal network repositories with the External App Repository. The devices will download applications from the internal network repository using the Content Gateway. Note: CDN deployment will not impact applications added as a link to an external repository.
- CDN: When internal application packages are uploaded to the Workspace ONE database or the file storage with the CDN enabled, devices receive the application packages from the CDN node instead of Workspace ONE device services. The CDN nodes are geographically dispersed and are selected to act as a source based on the location of the device.