FAQ: Content Delivery Networks (CDN) and VMware AirWatch


The AirWatch Console is able to integrate with Content Delivery Network (CDN) servers to assist with the downloading of large files, in particular when deploying internal apps.  Normally, when an internal app is deployed to a device, the device downloads the app directly from the AirWatch environment's database or from a configured file server.  However, in large environments, especially during large deployments of internal apps, this can lead to bandwidth issues and significant performance degradation.

By integrating an AirWatch environment with a CDN server, available bandwidth is greatly expanded and the risk of performance degradation due to file downloads is minimal. The process flow is as follows:

  1. An AirWatch environment enables the use of a CDN at an environment-wide level.
  2. Whenever a device requests to download an internal app from AirWatch, the request is redirected to the CDN server.
  3. If this is the very first time this app has been downloaded, the CDN will stream the download request from the AirWatch database/file server, while caching the file locally for subsequent downloads.
  4. All subsequent downloads are performed from the CDN server, requiring minimum bandwidth from the AirWatch server.

CDN integration can additionally be used for apps deployed through the Windows Business Store Portal (BSP).  With this system, customers can purchase apps from the Microsoft app store and then distribute them to devices through AirWatch in the same manner that internal apps are distributed.  This process allows for CDN to be leveraged when deploying public apps to Windows devices.

Network requirements for SaaS environments

The Cloud Operations team is able to enable CDN for SaaS environments when necessary using an AirWatch-owned CDN account.  If CDN is enabled for a SaaS environment, then devices must be able to connect to the CDN servers to download internal applications through AirWatch.  Due to the distributed nature of the CDN architecture, companies must not block outbound traffic from enrolled devices in order for these downloads to complete successfully. If the AirWatch system is unable to connect to the Akamai CDN server, devices will be directed to download the app directly from AirWatch as it has done in previous versions.


Is the Content Delivery Network (CDN) feature supported everywhere?

The CDN offering is supported in all continents and countries except for The People’s Republic of China.


Is the CDN useful for all deployments?
A CDN is useful for environments that deploy large applications. However, the current architecture of CDN integration does not support deployments that whitelist AirWatch servers to enable application rollouts.


What is the benefit of using a CDN? 
You receive a significant performance increase in the distribution of internal applications.


What types of deployments (On-Premises, shared SaaS, or dedicated SaaS) can use the CDN? 
AirWatch is currently offering the CDN for all environments.

  • On-Premises: On-Premises environments enable this feature. For additional information and guidelines, please refer to the VMware AirWatch CDN Integration Guide.
  • Shared SaaS: AirWatch enables this feature by default.
  • Dedicated SaaS: AirWatch automatically enables this feature by default. Customers have the option to "opt out" if they choose by contacting AirWatch Support.


Can you disable the CDN in the AirWatch Console? 
Yes. Speak with a VMware AirWatch Representative to disable the CDN at a specific organization group.


Does the CDN have any passive storage capabilities (is the data stored statically outside of AirWatch) or is it just a pass through?  
The third-party vendor AirWatch uses, Akamai, caches the data securely for 100 days.


Internal applications often contain sensitive or proprietary information. AirWatch uses a third-party vendor, Akamai, to offer the CDN feature. To ensure information is safe, please list the security certifications in place to protect data. 
Akamai and AirWatch use a SHA256 authentication method to protect data.


How does the CDN ensure data integrity?
Akamai uses HMAC tokens and pre-shared keys to ensure data integrity.
· To transfer data, the system uses specific HMAC tokens for each device. Devices do not know each other’s HMAC tokens that reside on the generated URL query string.
· Servers in the network cannot access the origin server where the application resides unless they have the pre-shared key.
· Akamai passes the pre-shared key to the origin server using cookies. The pre-shared key is not in the URL. Without the pre-shared key, a request for access fails.


How does the CDN encrypt data?
For information on how Akamai encrypts data, please refer to the Akamai PDF on Secure Content Delivery Network.


What protocol does the CDN use to transfer data?  
All communication uses SSL, both for uploading and downloading.


Can you configure the use of the CDN or the use of the AirWatch Software Distribution system per application?  
No. The CDN and the Software Distribution systems are entire environment solutions. However, an AirWatch representative can disable either solution by Organization Group.
Note: When you enable the use of the CDN, only newly uploaded internal applications use the CDN method.


Can you deploy other large files, like product provisioning files or content in the Content Locker, through the CDN? 
No. The only large files distributed through the CDN are internal applications at this time.


What is the difference between File Storage, External Application Repositories, and CDNs?
The difference in these offerings is the service that facilitates the connection to send and receive internal applications.

  • File Storage: Acts as an extension of the AirWatch database. Use this option when you deploy large applications.  The app packages are stored in the file storage instead of AirWatch database. Device services handles the deployment of the application to devices.
  • External App Repository: This option is an alternative to uploading your proprietary applications to the AirWatch database or to file storage. Add these applications with a link in the console. This link can navigate to one of your internal repositories. Configure the authentication for your internal network repositories with ‘External App Repository’. The devices would download applications from the internal network repository using the Content Gateway.
    Note: CDN deployment would not impact applications added as a link to an external repository.
  • CDN: When internal application packages are uploaded to the AirWatch database or the file storage with the CDN enabled, devices receive the application packages from the CDN node instead of AirWatch device services. The CDN nodes are geographically dispersed and are selected to act as a source based on the location of the device.
Have more questions? Submit a request


Article is closed for comments.