Senior End User Computing Technical Marketing Architect, VMware. Josué Negrón serves as a senior solutions architect at VMware EUC for Windows 10. Currently, in his sixth year with VMware, Josué works with clients to define the best way to integrate the latest EUC technologies into their businesses to solve challenges associated with mobile device deployment, management, and security. He holds a degree in Computer Engineering from Georgia Tech.


[Technical Blueprint] Windows 10 Co-Management with SCCM & Workspace ONE

April 13, 2018

For many SCCM admins, the path to modern management for Windows 10 remains unclear or appears overly complex. To demystify this path, today’s post lays out an approach known as co-management. Co-management allows Workspace ONE to co-exist alongside current PCLM tools, such as SCCM. Keep reading to learn about the co-management capabilities that exist today in Workspace ONE, and to access links to helpful resources and tools.

For information about next-gen co-management capabilities, check out the blog Accelerate and Simplify Your Transition to Modern Management for Windows 10.

Ways to Approach Co-Management

While there are many approaches to co-management, most can be broken into one of three categories: complement, transition, or transform. The image below describes each approach and its distinguishing characteristics.

All three approaches apply to current as well as popular prior versions of SCCM (pre-1710) and Windows 10 (pre-1709).

Getting Started with Co-Management

Create the foundation for co-management by migrating devices with user mappings from SCCM to Workspace ONE. Then, use VMware’s open-source toolkit to migrate workloads.

The following diagram gives an overview of the steps involved in establishing co-management. Expand the corresponding drop-down menus for more details about each step.

SCCM Co-Management with Workspace ONE

 

User & Device Migration

To begin migrating devices to Workspace ONE, target a group of devices in SCCM and build a collection. Then, use this sample script to import your SCCM collections to the AirWatch Console using tags.

Next, evaluate the SCCM Integration Client. The SCCM Integration Client enables SCCM and Workspace ONE to co-exist on most devices. However, it's optional for devices using SCCM 1710+ and Windows 10 1709+.

As a best practice, deploy the SCCM Integration Client to address cases where non-1709+ devices enter your environment.

Finally, deploy the AirWatch Agent using SCCM. For step-by-step instructions, follow the process outlined in the blog Enabling Co-Management with SCCM and AirWatch.

To see the latest enrollment enhancements, check out this feature walk-through:

Apps & Package Migration

After successfully mapping users from SCCM to the AirWatch Console, you’re ready to begin migrating workloads using VMware’s open-source toolkit.

Use the Windows – SCCM App Migration Tool to dynamically export apps from SCCM to Workspace ONE.

How the SCCM App Migration Tool Works

First, the tool parses the selected applications’ deployment details, pushing their application packages to the AirWatch Console. Then, it maps the deployment commands and settings to the AirWatch Console’s application record. The way files port in depends on their format:

  • MSIs – Port over in the same format
  • Scripts – Port over as ZIP folders containing execution commands
  • Unsupported – Fail to port over

To import packages the tool doesn’t support, there are a few options:

OS Update Migration

In Windows 10, updates occur on a frequent and dynamic basis to ensure end users always have access to up-to-date operating system features.

[Related: Patch Management Done Right]

With co-management, Workspace ONE acts as a man-in-the-middle – delivering policies, and providing detailed reports. To grab and apply updates, Workspace ONE relies on the Windows Update for Business and the Windows Update services.

[Related: Overview of Windows as a service; Servicing Tools]

The following image and the enumerated steps explain Workspace ONE’s role in more detail:

  1. Device sends a query for available updates
  2. Update service returns a list of updates in GUID format
  3. Device reports metadata (GUIDs) to Workspace ONE
  4. Workspace ONE sends metadata to the update service to obtain canonical information (update name, description, etc…)
  5. Workspace ONE determines which updates apply to the device using assigned smart groups/distribution rings to
  6. Workspace ONE sends the list of authorized updates to the device
  7. Device fetches and applies approved updates
  8. Peer-to-peer delivery optimization shares updates to other devices – decreasing network traffic across the WAN to the update service

Policy Migration

To simplify the migration process as much as possible, utilize the remove, match, map workflow and its recommended tools.

Remove

To begin, consider narrowing the scope of the migration by removing existing GPOs that do not support key use-cases. Then, use the suggested tools to match and map the remaining policies.

Match

Use the MDM Migration Analysis Tool (MMAT) to determine which Group Policies match native MDM functionality. Then, configure the equivalent settings in the AirWatch Console.

The VMware AirWatch Windows 10 Reviewer’s Guide explains how to:

  • Configure BitLocker encryption
  • Use Windows Information Protection for data loss prevention
  • Configure Health Attestation for compromised device detection
  • Set up per-app tunneling

Map

Import unmatched group policies from devices into the AirWatch Console using the GPO Open-Source Migration Tool.

This tool allows you to capture and upload both new and existing GPO backups to AirWatch to easily deploy and apply policies to your managed devices.

 

 

Compliance and Remediation Policy Migration

Many SCCM compliance and remediation policies align with AirWatch profiles and compliance policies. To migrate, map each compliance and remediation policy to its matching AirWatch configuration.

Then, use organizational standards and guidelines to configure the appropriate profile or compliance policy in the AirWatch Console.

No Match, No Problem

Certain compliance and remediation policies may not have a matching profile or compliance policy in AirWatch. In these cases, use custom attributes and/or product provisioning.

(Transform Only) Remove the ConfigMgr Client

To completely transform and replace SCCM, there are multiple options for uninstalling the ConfigMgr client from Windows 10 devices.

  • Deploy a Custom Script via Product Provisioning
  • Use SCCM to uninstall the client
  • Configure a Custom Settings profile in the AirWatch Console
    1. In the AirWatch Console, navigate to Add Profile > Windows > Windows Desktop > Device
    2. Complete the General profile information
    3. Click Custom Settings, then Configure
    4. Switch the Target to the AirWatch Protection Agent
    5. Uncheck Make Commands Automatic
    6. Paste the following PowerShell script into the text box:

       <wap-provisioningdoc id="c14e8e45-792c-4ec3-88e1-be121d8c33dc" name="customprofile">
         <characteristic type="com.airwatch.winrt.powershellcommand" uuid="7957d046-7765-4422-9e39-6fd5eef38174">
           <parm name="PowershellCommand" value="Invoke-Command -ScriptBlock {C:\windows\ccmsetup\ccmsetup.exe /uninstall}"/>
         </characteristic>
       </wap-provisioningdoc>
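
For the custom-script option above, the uninstall can be wrapped so that it verifies the result and returns an exit code the deployment tool can act on. This is an added example, not code from the original post or from VMware's toolkit. The CcmExec service name and the ccmsetup paths are ConfigMgr client defaults, and the 15-minute timeout is an assumption.

```powershell
# Added example: uninstall the ConfigMgr client and verify that it is gone.
# Assumes default ConfigMgr client paths and service name; run elevated (e.g. as SYSTEM).
$ccmSetup   = Join-Path $env:WinDir 'ccmsetup\ccmsetup.exe'
$ccmLog     = Join-Path $env:WinDir 'ccmsetup\Logs\ccmsetup.log'
$timeoutSec = 900   # assumption: upper bound for the uninstall to finish

function Test-CcmClientPresent {
    # The client counts as present while its agent service is still registered.
    [bool](Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue)
}

if (-not (Test-CcmClientPresent)) {
    Write-Output 'ConfigMgr client not present; nothing to do.'
    exit 0
}
if (-not (Test-Path -LiteralPath $ccmSetup)) {
    Write-Output "FAILED: CcmExec is registered but $ccmSetup is missing."
    exit 2
}

# This runs with high privileges, so refuse a binary without a valid signature.
$sig = Get-AuthenticodeSignature -FilePath $ccmSetup
if ($sig.Status -ne 'Valid') {
    Write-Output "FAILED: signature status of $ccmSetup is $($sig.Status)."
    exit 3
}

# ccmsetup may keep working in the background after the launcher returns,
# so wait for the launcher and then poll for any remaining ccmsetup process.
Start-Process -FilePath $ccmSetup -ArgumentList '/uninstall' -Wait
$deadline = (Get-Date).AddSeconds($timeoutSec)
while ((Get-Process -Name 'ccmsetup' -ErrorAction SilentlyContinue) -and
       ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 10
}

if (Test-CcmClientPresent) {
    Write-Output "FAILED: CcmExec is still registered; review $ccmLog."
    exit 1
}
Write-Output 'ConfigMgr client removed.'
exit 0
```

A non-zero exit code leaves the device flagged for follow-up instead of silently keeping a half-removed management agent.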

 

The post [Technical Blueprint] Windows 10 Co-Management with SCCM & Workspace ONE appeared first on VMware End-User Computing Blog.
