Dean Flaming

Tech Curmudgeons

Dean Flaming

These are my technical notes and blog postings on Identity, Mobility, and More...

Move or Migrate Workspace ONE Access to Another Workspace ONE Access Tenant

Migrating from one Workspace ONE Access Tenant to another (e.g. On-Premises to SAAS):
  1. Stand up second tenant
  2. Configure second tenant
    1. Branding
    2. Directories
    3. Policies
    4. Network Ranges
    5. Active Directory Integrations
    6. Virtual Resources (Citrix, Horizon, ThinApp)
    7. Other IDP Integrations (Ping, Okta, ADFS, Azure, etc.)
    8. Setup SAAS based resources in new tenant for any SAAS app which can support multiple IDPs concurrently (e.g. Salesforce).
  3. WS1 ACCESS IDP <> WS1 ACCESS IDP Trusts
    1. Create IDP Trust of new tenant in old tenant.
    2. Create IDP Trust of old tenant in new tenant.
    3. Update Policy Rules to add trust of claim from each tenant to the other.
    4. Created linked resources (apps) in new Workspace ONE Access tenant for all SAAS-based resources protected by old Workspace ONE Access tenant… and test.
  4. Migrate UEM settings in Customer OG to utilize new Access tenant
    NOTE: This done when you want users to start using the new tenant.
  5. Migrate Users (by groups or all at once).
    1. Messaging to the end users to utilize the new tenant
  6. Migrate SAAS Based Resources one at a time for any remaining resources which can only support one IDP at a time (e.g. Office, Google Suite, etc.).
    NOTE: Steps 4 and 5 may be done in either order or at the same time.
  7. Decommission old Workspace ONE Access tenant and setup a web redirect to redirect all incoming web requests to the new tenant.





NON-BULLETED FORMAT FOR COPYING
Migrating from one Workspace ONE Access Tenant to another (e.g. On-Premises to SAAS):
1. Stand up second tenant
2. Configure second tenant
a. Branding
b. Directories
c. Policies
d. Network Ranges
e. Virtual Resources (Citrix, Horizon, ThinApp)
f. Other IDP Integrations (Ping, Okta, ADFS, Azure, etc.)
g. Setup SAAS based resources in new tenant for any SAAS app which can support multiple IDPs concurrently (e.g. Salesforce).
3. IDP <> IDP Trusts
a. Create IDP Trust of new tenant in old tenant.
b. Create IDP Trust of old tenant in new tenant.
c. Created linked resources (apps) in new Workspace ONE Access tenant for all SAAS-based resources protected by old Workspace ONE Access tenant… and test.
4. Migrate UEM settings in Customer OG to utilize new Access tenant.
NOTE: This done when you want users to start using the new tenant.
5. Migrate Users (by groups or all at once).
6. Migrate SAAS Based Resources one at a time for any remaining resources which can only support one IDP at a time (e.g. Office, Google Suite, etc.).
NOTE: Steps 4 and 5 may be done in either order or at the same time.
7. Decommission old Workspace ONE Access tenant and setup a web redirect to redirect all incoming web requests to the new tenant.NOTE: A redirect cannot be added UNTIL the old tenant is decommissioned.


Published by Dean Flaming on