AirWatch, now known as VMware Workspace ONE UEM, is a leading Unified Endpoint Management (UEM) platform. Its primary function is to securely manage the organization's mobile devices and computers, enforcing essential security policies like data encryption and remote wipe. Employees who enroll their devices gain secure access to corporate resources (email, Wi-Fi, internal apps), while business data on the device is kept separate and protected.
AirWatch sends security events (logs) using the Syslog protocol.
Conkit Installation:
To receive and process these logs, follow these steps for the connector installation and configuration:
Download Conkit: Download the Conkit.
Open Port: Open the following port to receive the incoming Syslog events:
Port: 10517
Protocol: UDP
Install Conkit: Install the downloaded Conkit via Cygent.
Verification: After installation, check that the connector is successfully receiving events from the AirWatch system.
Monitoring Requirements
"To ensure proper log aggregation, a firewall exception must be created to open UDP port 10517 from the AirWatch Server (UEM Console) to the Connector Server. This port setting must also be explicitly configured within the product's administration interface. Once these steps are completed, logging data will successfully flow to our designated server."
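One way to carry out the verification step and to confirm the firewall exception, as an added example that is not part of the original page or of Conkit: a Python listener and test sender for UDP port 10517. The function names, the constructed test message, and running the listener on the Connector Server while nothing else is bound to the port are assumptions.

```python
import socket

SYSLOG_PORT = 10517  # UDP port from the page; everything else here is assumed
# Constructed sample event (PRI 134 = facility 16/local0, severity 6/info).
TEST_EVENT = b"<134>Jan  1 00:00:00 uem-test AirWatch: constructed test event"

def decode_pri(datagram):
    """Return (facility, severity, rest), or None if there is no valid <PRI>."""
    text = datagram.decode("utf-8", errors="replace")
    end = text.find(">", 1, 5)
    digits = text[1:end] if end != -1 else ""
    if not text.startswith("<") or not (digits.isascii() and digits.isdigit()):
        return None
    pri = int(digits)
    if pri > 191:  # highest valid value: facility 23, severity 7
        return None
    return pri // 8, pri % 8, text[end + 1:]

def open_listener(host="0.0.0.0", port=SYSLOG_PORT, timeout=10.0):
    """Bind the UDP port; 'address in use' means a receiver already holds it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind((host, port))
    return sock

def wait_for_event(sock):
    """Return (sender_ip, facility, severity, message), or None on timeout."""
    try:
        data, (sender_ip, _) = sock.recvfrom(65535)
    except socket.timeout:
        return None  # nothing arrived: check firewall rule and console setting
    parsed = decode_pri(data)
    if parsed is None:
        return sender_ip, None, None, data.decode("utf-8", errors="replace")
    return (sender_ip, *parsed)

def send_test_event(host, port=SYSLOG_PORT, payload=TEST_EVENT):
    """Send one datagram. UDP gives no delivery receipt, so a successful send
    proves nothing about the firewall; only the listener confirms arrival."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port))

if __name__ == "__main__":
    with open_listener() as listener:
        print("waiting for a syslog datagram on UDP", SYSLOG_PORT)
        print(wait_for_event(listener) or "timeout: no event received")
```

The sender IP in the result should be the AirWatch Server (UEM Console); a timeout points at the firewall exception or the port setting in the administration interface.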
Audit admin monitoring
Successful logins/failed logins after working hours
Unknown