Moving on from Google Cloud Messaging (GCM) in VMware AirWatch

Modified on 05/13/19 with additional steps to take when troubleshooting AWCM connectivity issues.

I put this on the back burner a while back, and I couldn’t delay this any further as Google will deprecate Google Cloud Messaging (GCM) effective April 11th, 2019 per the link below:

Upcoming Changes to Cloud Messaging Services in Environments Utilizing Android Devices

With Secure Email Gateway (SEG) Classic also going away in favor of V2, I can imagine many admins out there are scrambling to get through this new mandate as well. I hope my post will help clear up some of the confusion and get you back on track with this change well before the deadline.

While I did copy most of the text below from the link, I find that breaking it down into bullet points may make it easier to digest and follow.

Background

  • Android devices have two existing methods for providing immediate feedback for functionality across the VMware Workspace ONE UEM suite of products, Google Cloud Messaging (GCM) and AirWatch Cloud Messaging (AWCM). 
  • Google has announced that they are deprecating GCM effective April 11th, 2019 in favor of a new cloud-messaging platform they released called Firebase Cloud Messaging (FCM).
  • All customers are strongly encouraged to upgrade their VMware Workspace ONE UEM Console, Workspace ONE Intelligent Hub application, and Workspace ONE application to the versions that contain support for Firebase Cloud Messaging.
  • FCM compatible versions of Workspace ONE UEM and the Intelligent Hub are available as of February 2019 and a compatible version of the Workspace ONE App is currently under development.
  • Once the Workspace ONE Console has been upgraded to a version that supports FCM, it will be used automatically and there will be no way to revert to using GCM again to protect against the deprecation of the endpoints from Google.

Customer Impact

  • Once GCM has been deprecated, customers enrolling new devices into GCM-enabled environments will begin experiencing extended delays in communication between the Workspace ONE Console and Android devices.
  • Impact on functionality includes commands such as Syncing, Device Wipe, and Enterprise wipe, as well as deploying profiles.
  • Messages generated from the UEM Console by administrators as near-real-time push notifications will no longer be received by the Workspace ONE app.
  • Commands may be delayed up to 30 minutes if GCM is unavailable.
  • Devices enrolled prior to the deprecation on GCM enabled environments will continue to work normally until their GCM token expires at re-enrollment.
  • Environments using AWCM for communication with Android devices will continue to operate as expected with no changes required (i.e. no need to upgrade Intelligent Hub app.)

Options

  • Upgrade VMware Workspace ONE UEM Console, Workspace ONE Intelligent Hub application, and Workspace ONE application to the versions that contain support for Firebase Cloud Messaging (recommended)
  • Switch to AWCM for communication with Android devices in which case no changes are required (i.e. no need to upgrade Intelligent Hub app.)

To check if AWCM is enabled, go to GROUPS & SETTINGS -> All Settings -> Devices & Users -> Android -> Intelligent Hub Settings (or Agent Settings) -> AirWatch Cloud Messaging. In my case, I noticed it was enabled in my shared SaaS environment but not in my dedicated SaaS environment.


If you choose this option, you must verify communication with AWCM before enabling it. For cloud-based customers, the AWCM URL should be awcm###.awmdm.com.

Verify by browsing to https://{url}:/awcm/status for cloud-based customers, or https://{url}:2001/awcm/status for on-premises customers.

Then within the AirWatch console, click ENABLED under AirWatch Cloud Messaging and make the proper choices pertaining to your environment. You may first have to change Current Setting from Inherit to Override before making further changes.


The AWCM Client Timeout Value (Mins), available under console version 9 and below, will request the Android device to check in with the AirWatch console and update the AWCM status per the value specified.

In console version 19.04, there are no additional choices after AWCM is enabled. Per AirWatch, under newer console versions the AWCM check-in interval is the same as the one set in the hub settings.

For testing, try issuing any device command to an Android device. If you see the below, have the user launch the Intelligent Hub app and perform an action such as syncing the device. Afterward, it should re-establish communication and report the correct result. I also opened a ticket with VMware support to investigate this further, as other customers reported a similar issue, and it appeared to be caused by an issue with the AWCM hosted by VMware. Even with this warning status, the command is still executed on the device.

GCM9

Additional information can be found via the link below:

AWCM Connectivity is Failing for Android devices

You can also try the steps below, per VMware support, to resolve AWCM connectivity issues:

  • Plug the affected device into a power supply and test if the AWCM ever disconnects.
  • Unlock the device, remove the passcode lock, send a lock command to the device showing the error “AWCM STATUS: DISCONNECTED”, wait 1 hour (the heartbeat interval) and see if the device ever locks.
    If it didn’t lock, check if the app is in power saving mode and background network usage is turned off. If so, turn them on and test the lock command on the device again.

Even if you choose to switch to AWCM for now and be done with it, from a long-term perspective I still recommend keeping both your console and hub application up to date to stay current with the latest changes.

Next Steps

Assuming you won’t enable AWCM, what steps you need to take then depends on your environment. In my case, I have both shared SaaS and dedicated SaaS.

Shared SaaS Environments

  • Ensure that devices can reach fcm.googleapis.com and fcm-xmpp.googleapis.com over ports TCP/443,5228-5230
    • Check to make sure you have a firewall rule in place for WiFi-only devices that are permitted to connect through your corporate WiFi
  • Ensure that Android devices are running VMware Workspace ONE Intelligent Hub 9.0.2+

Dedicated SaaS Environments

  • Environments will be updated by VMware teams during corresponding regional off-hours depending on where the environment is hosted, as the patches are released.
    • Customers can submit a support ticket to request a specific maintenance window (The Workspace ONE Team will try to meet these requests as best possible).
  • Ensure that devices can reach fcm.googleapis.com and fcm-xmpp.googleapis.com over ports TCP/443,5228-5230
    • Check to make sure you have a firewall rule in place for WiFi-only devices that are permitted to connect through your corporate WiFi
  • Ensure that Android devices are running VMware Workspace ONE Intelligent Hub 9.0.2+
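
The FCM reachability requirement in both the shared and dedicated SaaS lists can be checked with a short script. This is an added example, not part of the original post or VMware's tooling; the function names are assumptions, and only the hostnames and port list come from the text above. Run it from a host on the same WiFi segment as the WiFi-only devices so it exercises the same firewall rule.

```python
import socket

# Hosts and port list exactly as given in the post.
FCM_HOSTS = ("fcm.googleapis.com", "fcm-xmpp.googleapis.com")
FCM_PORTS = "443,5228-5230"

def expand_ports(spec):
    """Expand a spec such as '443,5228-5230' into a sorted list of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def probe(host, port, timeout=5.0, connect=socket.create_connection):
    """Attempt one TCP connection; return (ok, detail)."""
    try:
        with connect((host, port), timeout=timeout):
            return True, "open"
    except socket.timeout:
        # Silent drops are the usual sign of a missing egress rule.
        return False, "timeout (likely dropped by a firewall)"
    except ConnectionRefusedError:
        return False, "refused"
    except OSError as exc:  # DNS failure, no route, and similar
        return False, f"error: {exc}"

def check_fcm(hosts=FCM_HOSTS, spec=FCM_PORTS, connect=socket.create_connection):
    """Probe every host/port pair; return {(host, port): (ok, detail)}."""
    ports = expand_ports(spec)
    return {(h, p): probe(h, p, connect=connect) for h in hosts for p in ports}

def blocked(results):
    # Sorted list of (host, port) pairs that could not be reached.
    return sorted(key for key, (ok, _) in results.items() if not ok)

if __name__ == "__main__":
    results = check_fcm()
    for (host, port), (ok, detail) in sorted(results.items()):
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port} {detail}")
    raise SystemExit(1 if blocked(results) else 0)
```

A successful connect only shows that the firewall permits the TCP session from the host where the script runs; it does not confirm that the Intelligent Hub version on the device supports FCM.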

Frequently Asked Questions

Answers to my questions from VMware are in red.

1) “Devices enrolled prior to the deprecation on GCM enabled environments will continue to work normally until their GCM token expires at re-enrollment.” – How long does a GCM token generally last? Is there any way to check in the console?

This is device-level information and cannot be seen on the console. ADB logs would give this information; look for gcm.register(SENDER_ID).

2) “Environments will be updated by VMware teams during corresponding regional off-hours depending on where the environment is hosted, as the patches are released.” – Do you have an approximate date/time when this will occur?

Both my cloud-based environments are updated with the patch.

3) Where do you see in our console to confirm that we are currently using GCM? Is it by default for all dedicated SaaS environments?

GROUPS & SETTINGS -> All Settings -> Devices & Users -> Android -> Intelligent Hub Settings (or Agent Settings) -> AirWatch Cloud Messaging. If AWCM is not enabled, then you are using GCM for Android Push Notification. 

4) If we do switch from GCM to AWCM, does it also mean users will not need to upgrade the Hub app? Please confirm.

No need to upgrade the Hub app if AWCM is enabled. 
