Dell Provisioning: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.7 and later VMware Workspace ONE 1811

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you export apps from the Workspace ONE UEM console as a Windows provisioning package (.ppkg), create a configuration file (unattend.xml) using the Workspace ONE Configuration Tool for Provisioning, and validate these files on a Windows 10 virtual machine. Steps are also provided for the pre-1811 Workspace ONE Console.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM, is also helpful.

Dell Provisioning for VMware Workspace ONE

Dell Provisioning for VMware Workspace ONE Overview

Dell Provisioning for VMware Workspace ONE allows both Dell and VMware administrators to provide a virtually zero IT touch and virtually zero user downtime experience. Configurations, settings, and applications are preloaded at the Dell factory. Now, instead of waiting for apps and settings to download and apply, you can have a ready-to-work experience on first boot of the device. And if you need to perform a PC reset or recovery in the future, Zero Touch Restore functionality allows applications and management to persist, which minimizes downtime.

Packaging information for Dell Provisioning for VMware Workspace ONE is straightforward: just export applications from Workspace ONE UEM as a provisioning package (.ppkg) and complete a wizard to generate a configuration file (unattend.xml).

Note: To use Dell Provisioning for VMware Workspace ONE, you must participate in Dell Configuration Services. To begin the Dell Configuration Services project setup, see Configuration Services and click Contact Us.

1. Supported Use Cases

The Workspace ONE UEM Console helps you build a standard unattend.xml configuration file to be applied in the Dell factory as part of Factory Provisioning. This controls Windows setup including domain join (domain, workgroup, Azure AD, Azure AD Premium), out-of-box experience (OOBE) modification, and automatic enrollment of devices automatically on first boot. The Workspace ONE UEM Console simplifies the creation of the unattend.xml configuration file for Windows 10.

Dell Provisioning for VMware Workspace ONE supports the following Active Directory (AD) Types (use cases):

  • Active Directory Domain Join - Ability to join the on-premises active directory domain. Device needs access to the domain when booting up for the first time in order to join the domain successfully.
  • Azure Active Directory Basic - Ability to join AAD without a premium license and still enroll into Workspace ONE UEM.
  • Azure Active Directory Premium - Ability to join AAD with the option of using Autopilot as well.
  • Workgroup - Enrolls device into Workspace ONE UEM using a local account.

See the following video demo to learn more about Dell Provisioning for VMware Workspace ONE:

2. Roles and Responsibilities

This operational tutorial focuses on the technical process of how to set up, configure, and validate Dell Provisioning for Workspace ONE. However, this is just one part of the overall process. You should also note the following parties and their responsibilities:

  • Your Company - Installs Factory Provisioning Service (if on-premises), creates the configuration file (unattend.xml), and exports apps as a provisioning package (.PPKG). Verifies that these files work to satisfaction on a virtual machine or physical device, then uploads the files using Dell File Transfer.
  • VMware EUC Specialist - Interacts with Dell Sales, Dell SSE/SSR, and your company to reach readiness for Dell Factory Provisioning.
  • Dell Configuration Services - Engaged by Dell Sales applying the Dell Provisioning for Workspace ONE SKU. Validates Workspace ONE Licensing, coordinates obtaining configuration files via Dell File Transfer. Verifies that configuration files are correct, then sends the order to Dell Factory.
  • Dell Factory - Applies configurations on devices and ships them to your company or directly to end-users.
  • End User - Unboxes devices, boots device with Internet access, logs in and is ready to work!  

3. Quick Checklist

The following checklist provides an overview of the entire process and what you need to complete as part of this project.

Prerequisites for SaaS and On-premises Deployments

Before creating provisioning packages, you must meet the Dell Provisioning for VMware Workspace ONE requirements.

  • Workspace ONE UEM 9.7 and above
  • Workspace ONE UEM Admin Account
  • Install the Workspace ONE Factory Provisioning Service (Workspace ONE On-premises Deployments)
  • Validate using a Windows 10 Professional device (physical or virtual machine)
    • Note: Dell Provisioning for VMware Workspace ONE is only supported on Enterprise Dell systems such as Latitude, Precision, OptiPlex, and XPS notebooks.

Dell Provisioning for VMware Workspace ONE requires enabling some of the following components depending on your deployment type: Software Distribution, File Storage, and a CDN. Refer to the table for which components are required for your deployment.

Workspace ONE UEM Deployment Software Distribution File Storage CDN Default Storage (GB)
SaaS Shared
Enabled, if licensed N/A Enabled and Required 25 GB
SaaS Dedicated version 9.7 and above Enabled, if licensed N/A Enabled and Required 25 GB
On-premises version 9.7 Disabled by default, but required Required Disabled by default, but required Same size allocated for File Storage
On-premises version 1810 and above Enabled by default Optional but recommended Disabled by default and optional 5 GB without File Storage

1. Install the Workspace ONE Factory Provisioning Service for On-Premises Deployments

The Workspace ONE Factory Provisioning service enables exporting of applications from Workspace ONE UEM console (version 9.7 or later) into a Windows Provisioning Package (.ppkg) for offline provisioning of Windows devices. This service must be installed and configured in order to use Dell Provisioning for VMware Workspace ONE.

The Workspace ONE Factory Provisioning Service is installed by default on SaaS hosted deployments. However, for on-premises users, you must first download and install the Workspace ONE Factory Provisioning Service. Obtain the latest copy of the Workspace ONE Factory Provisioning Service on the My Workspace ONE Resources Portal.

Review the VMware Workspace ONE UEM Recommended Architecture Guide before installing the service for additional information, such as server sizing, as well as the Install the Factory Provisioning section on VMware Docs, for more information regarding networking requirements. Keep in mind that the Workspace ONE Factory Provisioning Service should be installed on a standalone server. This is due to the potentially high spike in resource for PPKG generation, especially if multiple administrators are processing these simultaneously.  

1.1. Welcome

Launch the Workspace ONE Factory Provisioning Service installer, then click Next.

1.2. License Agreement

  1. Click I accept the terms in the license agreement.
  2. Click Next.

1.3. Destination Folder

Optionally, you can change the install location, then click Next.

1.4. Ready to Install the Program

Click Install.

1.5. Successfully Completed

Click Finish.

You have successfully installed the Factory Provisioning Service. Now verify that it is running properly, and take a look at the logging locations.

2. Validating Factory Provisioning Service and Logging Locations

The installation log for the Workspace ONE Factory Provisioning Service is located in the same directory as the setup executable. If the setup fails, see this log for more details.

2.1. Validate Factory Provisioning Service is Running

  1. Right-click the taskbar.
  2. Click Task Manager.

2.2. Services

  1. Click Services.
  2. Ensure that the AirWatchFactoryProvisioningService is Running.

2.3. Factory Provisioning Service Log

Open File Explorer and browse to the install directory of Factory Provisioning Service.

  1. Expand Install Directory (such as C:\AirWatch) > AirWatch > Factory Provisioning Service > Services > logs.
  2. The AW.FactoryProvisioning.Service.log contains all of the details of the actions taken by the Factory Provisioning Service. Note the log entry which states it created the C:\AirWatch\ProvisioningPackaging directory.
  3. Close the File Explorer by clicking the red X.

3. Update the Factory Provisioning Service Site URL

Return to the Workspace ONE UEM Console, and update the Factory Provisioning Service URL by navigating to All Settings:

  1. Click System > Advanced > Site URLs.
  2. Update the Factory Provisioning Service URL. Enter https://FPS_Hostname/FactoryProvisioning/Package, where FPS_Hostname is your Factory Provisioning Service hostname.

Note: In order for the HTTPS URL to function properly, a certificate must be properly requested for the Factory Provisioning Server.

4. Factory Provisioning Service Health Check

You can check to see if the Factory Provisioning Service is properly started and running by navigating to https://[FPS_Hostname]/FactoryProvisioning/hc, where FPS_Hostname is your Factory Provisioning Service hostname. Remember that this should be accessible from the Workspace ONE UEM Console server. If successful, you should see the following response:

Hello Api: MM/DD/YYYY HH:MM:SS AM/PM

Exporting Apps and Creating Configuration Files

As of Workspace ONE UEM 1811, you as the IT administrator can leverage the provisioning wizard in the console to create the configuration file and export the apps. If you are using console version pre-1811, see Dell Provisioning Using a Pre-1811 Console. You can configure OOBE, domain join, and MDM enrollment from the wizard. Additionally, with a Windows 10 Enterprise license, you can also choose to set the provisioning configuration for removal of consumer applications bundled with Windows 10. The active directory types that are supported for provisioning configuration are: on-premises domain join, Azure Active Directory Premium, Azure Active Directory - No Premium, and local user/workgroup.

Exporting Apps

Let's take a look at how to export apps to provisioning packages and create the configuration file in the Workspace ONE UEM Console.

1. Create New Provisioning Package

  1. Click Devices.
  2. Click Lifecycle.
  3. Click Staging.
  4. Click Windows.

1.1. New Windows Provisioning Package

Click New.

1.2. Export PPKG for Windows

  1. Enter the Provisioning Package Name.
  2. Click Next.

1.3. Create Configuration File

The provisioning configuration is exported in Windows unattend XML file format. This file follows the standard unattend XML schema, with some additional configuration for MDM enrollment into Workspace ONE UEM. The configuration is applied when the device first boots.

Select your AD Type from the Active Directory Type dropdown options, then proceed to fill out the optional and required information.

Reference the following table with all options for more information and explanations of all required fields.

1.4. Configurations Details

The following table details all of the options for the configuration file and provides a detailed explanation of each field.

Settings Description
Select AD Type

Select the type of Active Directory to use.

The settings below change, based on your AD type.

Select Language Ensure the language of the operating system matches what you selected with Dell.
OOBE Configuration
Show EULA Page Select Yes/No to show the EULA page during the OOBE.
Show Privacy Page Select Yes/No to show or hide the privacy page during the OOBE.
Show Region and Keyboard Settings Select Yes/No to show the region and keyboard settings during the OOBE.
Language If No is selected (and thus hidden from OOBE), select the language below to pre-configure the system to that locale.
System Configuration
Domain Name

Enter the name of the domain you want the device to join.

This setting displays when you set the AD type to On-Prem AD Join.

Domain Username

Enter the username that has Domain Join privileges.

This setting displays when you set the AD type to On-Prem AD Join.

Note: This information is saved in plain text in the XML file. Make sure this file is always secured and not sent over insecure transports.

Domain Password

Enter the password for the Domain Join user.

This setting displays when you set the AD type to On-Prem AD Join.

Note: This information is saved in plain text in the XML file. Make sure this file is always secured and not sent over insecure transports.

AD Organization Unit (OU)

Enter the organization unit for the AD.

Th OU must follow the correct formatting:

OU=,OU=,DC=Company,DC=com

This setting displays when you set the AD type to On-Prem AD Join.

Workgroup

Enter the workgroup you want the device to join.

This setting displays when you set the AD type to Workgroup.

Registered Owner Enter the registered owner for the device.
Registered Organization Enter the registered organization for the device.
Remove Windows 10 Consumer Apps

Select Yes to prevent consumer apps from appearing in Windows 10.

This setting is only supported for Windows 10 Enterprise or Education. Entering a Windows 10 Enterprise or Education key is required.

Product Key

Enter the Windows 10 product key.

You must follow the correct format:

12345-54CDE-XYZ78-ONM98-456TY

Create Local User

Select Yes to create a local user account.

If you select No, the user is prompted during OOBE.

This setting displays when you set the AD type to Workgroup or Azure AD.

Local Username

Enter the username for creating an additional local user account.

This setting displays when you set the AD type to Workgroup or Azure AD.

Local User Password

Enter the password for the local user account.

This setting displays when you set the AD type to Workgroup or Azure AD.

Make Administrator?

Select to make the local account an administrator.

You must make the local user account an administrator to start Workspace ONE enrollment automatically.

During OOBE, the device prompts the user to enter their enrollment credentials.

This setting displays when you set the AD type to Workgroup or Azure AD.

Computer Name Computer name will be randomized by default so that every system coming from the factory is unique. To create a naming convention, use the Registered Owner and Registered Organization fields. The computer name will take  the first 7 characters from Registered Org or Registered Owner as the  prefix and then randomize the rest up to the max of 15 characters. For example, setting both of those fields to be "VMWARE-" (without quotes) yields a computer name of VMWARE-8QJJCTJB where the last 8 characters are randomized for every system. See Microsoft documentation for more information. If you require a more customized computer name using serial number or service tag, for example, please engage your Dell CS Project Manager to have that added to your order.
Enable Administrator Account

You must enable the built-in administrator account to facilitate Workspace ONE enrollment.

You can later disable this account after enrollment is complete.

Administrator Password Enter a password for the administrator account.
Auto Admin Login A one-time auto login of the admin account is required for Workspace ONE enrollment when selecting On-prem AD use case.
User Account Control Select the level of User Account Control (UAC).
Additional Synchronous Commands Add commands that automatically run at the end of the Windows setup process but before any user logs in.
First Logon Commands

Add commands that automatically run the first time a user logs in.

This setting requires the user have local admin privileges.

Workspace ONE Enrollment
Enrollment Server

Enter your Workspace ONE UEM enrollment server URL.

Find the enrollment URL by navigating in the Workspace ONE UEM console to Groups & Settings > All Settings > System > Advanced > Site URLs.

This setting displays when you set the AD type to On-Prem AD Join or Workgroup.

Enrollment OG

Enter the devices organization group.

This setting displays when you set the AD type to On-Prem AD Join or Workgroup.

Staging Account

Enter the username for the staging account.

Find this username by navigating in the Workspace ONE UEM console to Groups & Settings > All Settings > Devices & Users > Windows  > Windows Desktop > Staging & Provisioning.

This setting displays when you set the AD type to On-Prem AD Join or Workgroup.

Staging Account Password

Enter the password for the staging account.

This setting displays when you set the AD type to On-Prem AD Join or Workgroup.

Device Services URL

Enter your device services URL.

Find the device services URL by navigating in the Workspace ONE UEM console to Groups & Settings > All Settings > System > Advanced > Site URLs.

This setting only displays when you set the AD type to Azure AD - No Premium.


1.5. Workspace ONE Enrollment Details

Enter your Workspace ONE Device Services URL (for example, ds###.awmdm.com) for the Enrollment Server.

Return to the Workspace ONE UEM Console to obtain the following required information.

Check out the Dell Provisioning for VMware Workspace ONE Script samples on VMware {code} for sample commands to use for Additional Synchronous and First Logon Commands.

1.6. All Settings

In the Workspace ONE UEM Console:

  1. Click Groups & Settings.
  2. Click All Settings.

1.7. Staging & Provisioning

  1. Expand to Devices & Users > Windows > Windows Desktop > Staging & Provisioning.
  2. Copy the UPN value to be used in the next step.
  3. Copy the Secret (staging password) value to be used in the next step.
  4. Copy the Group ID by hovering over your email address. This value is used in the next step.

1.8. Workspace ONE Enrollment Details

  1. Enter your Group ID obtained from the previous step for Enrollment OG.
  2. Enter your UPN obtained from the previous step for Staging Account.
  3. Enter your Secret obtained from the previous step for Staging Account Password.
  4. Click Next.

1.9. Selecting Applications

  1. Click the checkbox at the top to select all apps.
  2. Click Next.

Important: When using Workspace ONE pre-1902, apps with MSTs or MSPs will fail to deploy as those additional configurations are smart-group specific. As a workaround, re-package or ZIP the app with the MST/MSP already included then deploy and export. This functionality was added in Workspace ONE UEM 1902.

1.10. Summary

Click Save and Export.

After you initiate the PPKG export process, a confirmation is shown. On completion of PPKG export, a notification is sent to the Workspace ONE UEM console with a link to download the PPKG. A console administrator can have one PPKG export in progress at a time. To start a new PPKG export, the console administrator needs to wait for the existing PPKG export to complete. A new PPKG export request overwrites any previously exported PPKG for that administrator. Multiple console administrators can concurrently request PPKGs to be exported though. You may need to refresh the page to see the statuses update.

1.11. Success Message

Notice the Success message. The number of apps you chose to export determines how long the export takes. The Unattend XML configuration file will be ready to download right away.

1.12. Confirm Unattend and Provisioning Package Download

  1. Click Unattend XML and PPKG to download.
  2. Confirm that the download was successful. This exported provisioning package and unattend.xml are used in a future step.

If you have CDN configured, the filename is a random string of characters. It is recommended to manually rename for easier tracking. If you do not have CDN configured, the filename matches the name of the Provisioning Package configured during the wizard.

Testing and Validating Configuration File and Apps

Now that you have both enterprise applications and provisioning configuration packaged, the two files (.ppkg and unattend.xml) are ready to be tested in your own environment. This is a critical step in the process.

1. Build and Validate on your Windows 10 Virtual Machine

  1. You will first have to obtain a Windows 10 Pro (x64) .ISO from Microsoft Volume site or MSDN. Use the latest two builds of Windows 10 as those will be the versions offered by Factory Provisioning.
  2. Install Windows 10 on a fresh virtual machine (ideally 2 CPUs, 4+ GB RAM, 60 GB Hard Drive).
  3. Once it enters OOBE, get the system into Audit Mode by pressing Ctrl+Shift+F3. (or Ctrl+Shift+Fn+F3 on some systems). You can also enter Audit Mode from an existing Windows 10 system by running Sysprep.exe (C:\Windows\System32\Sysprep\Sysprep.exe) and setting the System Cleanup Action to Enter System Audit Mode.

1.1. Windows 10 Audit Mode

You know that you have successfully entered Audit Mode when you see System Preparation Tool (Sysprep) running on the desktop.

1.2. Log In to My Workspace ONE Portal

  1. Click the Microsoft Edge icon on the taskbar.
  2. Enter https://my.workspaceone.com/products/Workspace-ONE-Provisioning-Tool into the address bar.
  3. If you are not already logged in to the My WorkspaceONE portal, click Log in and enter your credentials.
  4. Confirm that you can see the user icon after you have logged in.

1.3. Download VMware Workspace ONE Provisioning Tool for Windows

  1. Select the following options from the drop-down menu:
    1. Select a platform – Select Windows
    2. Select an app version – Select the latest version
    3. Filter by Console Version – Select All
  2. Select Installs and Upgrades.
  3. Click the Workspace ONE Provisioning Tool link to download.

Note: If you are on Workspace ONE UEM pre-1811, use the Factory Provisioning Tool located on VMware {code} Samples.

1.4. Save and Open Installer File

At the prompt, click Save to save the installer file.

Click Open to open the installer files in the Downloads folder.

1.5. Launch the VMware Workspace ONE Provisioning Tool for Windows

Click VMwareWS1ProvisioningTool to launch the VMware Workspace ONE® Provisioning Tool™ for Windows. Select the option to extract files if you are prompted.

Note: Version 2.0 introduced the ability to support advanced configuration (VMwareWS1ProvisioningTool.exe CONFIG File) to change settings such as tool timeout and report location. This version also introduced the ability to run test using command line. For more information, see VMware Workspace ONE Provisioning Tool Considerations in VMware Docs.

1.6. VMware Workspace ONE Provisioning Tool for Windows

Drag and drop (or copy/paste) your provisioning package (.ppkg) and configuration file (unattend.xml) to the desktop, then use the VMware Workspace ONE® Provisioning Tool™ for Windows to select those files.

Click one of the following buttons, depending on what you want to test:

  • Click Apply Apps Only to only install apps from the PPKG.
  • Click Apply Full Process to initiate the end-to-end process, mimicking what Dell is doing in the factory.

The right pane of the VMware Workspace ONE Provisioning Tool shows the status as each app installs and the overall process. You can also view detailed logs at C:\ProgramData\Airwatch\UnifiedAgent\Logs\PPKGFinalSummary.log.

1.7. Success: Sysprep is Working

If both your provisioning package (.ppkg) and configuration file (unattend.xml) apply successfully, the device begins the Sysprep process and restarts or shuts down automatically.

The right pane of the VMware Workspace ONE Provisioning Tool shows the status as each app installs and the overall process. You can also view detailed logs at

C:\ProgramData\Airwatch\UnifiedAgent\Logs\PPKGFinalSummary.log

1.8. Confirm Installation of Apps

The VMware Workspace ONE Provisioning Tool tracks and monitors the app install statuses automatically for you. However, if you want to check them yourself, you can  look into Registry at HKEY_LOCAL_MACHINE\SOFTWARE\AIRWATCHMDM\AppDeploymentAgent\S-1-5-18. The number of folders should match the number of apps exported and included in the provisioning package.

1.9. Successfully Provisioned Device

As the system goes through the workflow as defined in the configuration file, the expected workflows are as follows:

AD Type Description

Workgroup

OOBE prompts for username creation as well as password. After logged in, the Workspace ONE Intelligent Hub prompts for credentials (see image below). Be sure to enter the end-user's Active Directory credentials or the credentials that are synced into the Workspace ONE console.
On-Premises Domain Join
Ensure that the system is plugged into a LAN that has access to a domain controller before booting. After booting, the system joins the domain and automatically logs in as local administrator so that you can stage enrollment. After enrollment has completed to the staging user, log out and then log in using the end user's domain account. Workspace ONE enrollment automatically flips to the domain user.
Azure Active Directory Premium

Go through OOBE and authenticate with Azure Active Directory credentials. These credentials should also be synced into Workspace ONE UEM console, otherwise enrollment will fail.

Azure  Active Directory Basic
Go through OOBE and authenticate with Azure Active Directory credentials. After logged in, Workspace ONE prompts for credentials (as it does on workgroup). Be sure to enter the end-user's Active Directory credentials or the credentials that are synced into the Workspace ONE console.

2. Testing Tips

  1. Make sure your apps (especially Office) install successfully with your command line outside of Workspace ONE UEM.
  2. After imported to the console, export your PPKG in small chunks (1-3 apps) to ensure those work by themselves.
  3. After you verify that all apps install correctly via PPKG, you can export the "Full PPKG" with all of your applications.
  4. Since the factory is fully offline, disconnecting the NIC adapter on your VM during the PPKG install process ensures that every app installs fully offline. Some products reach out to internal servers during installation and might fail during offline installation.

3. Uploading File to Dell

After you have fully tested and validated the PPKG and XML in your own environment, you are now ready to send these files to Dell. A Dell Project manager should have set up a Configuration Services Project by now and sent you an email with a link to download the Dell File Transfer Tool.

3.1. Dell File Transfer

  1. Download and Install Dell File Transfer Tool.
  2. Create a new My Dell account (if you do not already have one). Sign in to Dell File Transfer tool with that account.
  3. After signing in, your account should list available projects.
  4. Select Dell Provisioning for VMware Workspace ONE.
  5. Select your PPKG and XML and click upload.

3.2. Transfer Summary

When complete, a summary screen appears. Verify that everything is correct.

Click Close to complete.

3.3. Next Steps from Dell

After the files are uploaded, the provisioning process starts at the Dell factory and enters engineering validation. They ensure that these files are free from viruses and apply successfully. If no issues are found, the Dell Project manager emails you and confirms that you can create an order with this custom SKU attached. Work with your Dell Sales Account rep to get the order place. The order should contain this line item:

After the order has been placed, the device ships and you can ensure that everything is as you tested it. If everything checks out, your Dell Representative can update your Dell Premier page or Tech Direct portal.

Tips and Tricks

The following items provide guidance and tips about common issues and questions.

1. Apps and Provisioning Packages

  • Prioritize biggest apps first and apps that need immediate access by end users (like VPN and Office)
    • This solution provides gives you the flexibility to prioritize what you include in the PPKG and what you leave to deploy and install over-the-air. The apps in the PPKG are immediately available to the user, but less dynamic. If you have a new version of the app and update it in the Workspace ONE console, the app updates itself upon enrollment, but that takes a little bit of time. Ideally, you would update the PPKG that you give to Dell no more than once a quarter. So decide on the biggest and highest priority apps, and leave the rest dynamic (over the air).
  • Make a list and note down details of your apps
    • This helps organize and ensure that you have your apps built and uploaded in the Workspace ONE UEM console if you are coming from another PCLM tool. Here are some columns that can be helpful: App Name, App Source File Repo, App Name in Workspace ONE, Command Line, Detection Criteria Method and Command Line, Admin Tech Assigned, Notes. Below is a sample screenshot of the template:
  • Do not forget about AirLift App migration!
    • Are you currently using SCCM? If so, definitely take advantage of our free AirLift product. It can automatically migrate applications from SCCM to Workspace ONE with just a few clicks. Go here for the guide and here for a quick AirLift video overview.
  • Be careful when putting apps in that cannot be used cross platform
    • The easiest way to iterate quickly on testing and validation is to create your PPKG in a way that can be deployed on any platform (including virtual machines or Dell or HP). For example, do not include VMware Tools in the PPKG, because that will fail to install if you try to deploy to a Dell. Likewise, some OEM software (like Dell Command Suite products) can fail to install on a VM since it is not a Dell.
  • Do not include apps that cannot be installed in a fully offline state
    • The Dell Factory does not have access to the Internet, so make sure that every app included in the PPKG can be fully installed with no Internet OR internal network connection. This not only applies to Internet connectivity, but intranet connectivity as well. Some apps, such as security products like McAfee, Crowdstrike, and so on, might need to communicate to their internal servers upon installation. These might even work when testing on a VM, but after you deploy in a fully offline state, they might fail. I saw this happen with Crowdstrike. It installed perfectly on a VM inside our network, but once we sent to Dell, it failed. The easiest way to ensure this is to disconnect the NIC of your test VM during PPKG installation.
  • If you need to zip up an app (like full Microsoft Office O365 ProPlus), do not zip up the parent folder
    • This is a common mistake when using Workspace ONE software distribution (SFD). SFD automatically extracts the zip and maintains the same structure it was zipped as. However, most people go to the top level folder, right-click it, and click Send to compressed folder. This creates a zip file with the parent folder and all content inside. Most do not realize this and therefore put an incorrect command line. The easiest way to fix this is to select all content inside and then zip that up.
  • When done, open up the zip to make sure you have the right structure.
  • How do I order the app installs similar to a Task Sequence?
    • WS1 Software Distribution does not have an exact task-sequence-like process, but you can still order installs pretty easily. Security products, like McAfee are a common example. Creating a simple batch file like this can accomplish sequencing in an easy manner:
@echo off
REM pushd %~dp0
ECHO Installing McAfee Agent
McAfeeAgent\FramePkg.exe /INSTALL=AGENT /SILENT
ECHO Installing ENS Common
ENS_Common\setupCC.exe
ECHO Installing Threat Prevention
ENS_Threat_Prevention\setupTP.exe
ECHO Installing Adaptive Threat Protection
ENS_Adaptive_Threat_Protection\setupATP.exe

Zip up content (keeping in mind the point about zipping apps above) and each install in the order you want.

  • HKLM instead of HKEY_LOCAL_MACHINE when using registry exists detection criteria
    • Some of the apps you upload need to be .exe or .zip and SFD does not automatically know how to tell when those app types are installed (aka Detection Criteria). MSIs has this built in to that file type and SFD automatically configures it for you. But for exe and zip, you need to specify manually. When you are editing the app on the Deployment Options tab, go all the way to the bottom to create this detection criteria. Select Registry Exists and make sure you use HKLM in the path and not the full (HKEY_LOCAL_MACHINE). Take this example for Notepad++ (which is an exe.)
      Criteria Type: Registry Exists
    • Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++
    • Value Name: DisplayVersion
    • Value Type: String
    • Value Data: 7.5.9
  • When using"File Exists" Detection criteria, do not use quotes in the path
  • If multiple admins are working on this process together, it is recommend that you put notes in the Change Log section
    • Ensuring that each admin adds notes here with their name, date, and other pertinent information helps track who is doing what. Notes put here do not show up in the Workspace ONE catalog.
  • Assign the app in Workspace ONE console to Auto to your smart groups
    • With this PPKG export process, you are not required to assign and deploy automatically to a smart group, but it is still recommended to do this for the following benefits:
      1. If someone enrolls or goes through OOBE on a system that does not come from the factory, they will still get the same apps.
      2. If these are deployed as auto, they automatically come back on PC Refresh (see Enterprise Reset on this page) process that was part of the 1811 release.
      3. Since the PPKG has applied these same apps in an offline state, after the system comes online, SFD attempts to deploy, but detects that they are already installed and moves on. They also report as Installed in the Workspace ONE Console.
  • The PPKG is larger than the files sizes of my app(s)
    • This is due to the PPKG automatically including the Workspace ONE Hub app (AirwatchAgent.msi) and the Workspace ONE store app in the 1811 release. The factory stages these files on the client and the XML uses for automatic enrollment. So if you upload a 23 MB app and wonder why the PPKG is over 100 MB, this is why.

2. Configuration File (unattend.xml) Tips

  • What is an unattend.xml and what does it do?
    • An unattend.xml file is a tried and true method of configuring first-time setup of Windows. Tools like SCCM and MDT use this, but it is hidden behind their Task Sequence wizards. The unattend.xml file includes the most commonly used settings to keep it streamlined, as well as to eliminate the need for you to build this yourself.
  • Removing consumer apps via Windows 10 Enterprise key
    • Do not forget that you can easily and quickly remove consumer apps from the generic Windows 10 image Dell is applying in the factory. These consumer apps include games like Candy Crush, but do not include other Microsoft apps such as Photos, XBox, or Calculator. To remove the consumer apps, select Remove Windows 10 Consumer Apps when configuring the XML and put in the public, Windows 10 Enterprise KMS client key (you can also use Windows 10 Education key). After the system boots for the first time, it automatically converts the system to Enterprise or Education and these apps are removed.
  • To remove ALL Windows 10 store apps, including the Microsoft productivity apps, there are a number of sample scripts you can use. But before trying them, ask yourself if it is really that bad to have some of these productivity apps on there? Many are very useful (such as Calculator and Photos). Sometimes just deploying your own start menu can solve this problem by hiding them from view so users do not realize those apps are there.
  • Domain join tips and logs
    • If you select on-premises domain join, the following tips are recommend:
      1. Create a service account that is dedicated to doing the domain join and only give it permissions to do just that.
      2. You can specify the OU in the XML, which gives you more control over where these computer objects get created. Do not forget to give permissions to that account on the OU as well. Here are a couple of blogs that might help you figure out the right permissions:
      3. Test this account by manually joining a client to the domain to see if it works.
      4. When successful, add to the XML and run through the process with the Factory Provisioning Tool.
      5. The client uses djoin.exe to do the actual join. The logs for this are found on the client after sysprep is completed
        C:\Windows\Panther\Unattendgc\setuperr.log
      6. C:\Windows\Panther\Unattendgc\setupact.log
      7. If sysprep takes a long time, this generally means a failure as the domain join process is trying and failing over and over and will eventually timeout.
  • How do I do a domain join for a system that is shipped directly to an end user at their home or somewhere off network?
    • This is a great question and one that many people ask. However, this comes down to the architecture of Active Directory. It was built when everything was on network. A more modern approach is to use Azure Active Directory. This is cloud AD (mostly - although there are a lot of significant differences) and provides the benefit of being able to do client joins from anywhere. OOBE is built to support Azure AD joins. So definitely check that out first if this is a big use case for you. You do not necessarily have to pay for Azure AD Premium, as Dell provisioning for Workspace ONE supports the non-premium version as well. If you still have to use on-premises AD, then this is technically still possible, but complicated.
    • First, you need to set up a VPN connection that automatically runs when the system is booted, to give line-of-site to your DCs to do the join. Then you also have to have VPN at login to fire so that the user can login for the first time as well. While still technically possible, it is not a great solution and very difficult to automate. You are better off spending time and resources on getting Azure AD and Windows Hello for Business setup first (when you have those, your client behaves nearly identically to a domain joined system).
  • How to use synchronous commands (time sync)
    • If the Azure join and Workspace ONE enrollment did not work, it might be because the system shipped with OOBE was not getting their times automatically synced. To solve this, you could have deployed a script in the PPKG to add additional time servers to the client ntp list. However, an easier way is to add in the commands to the XML. To set this up, add in the commands to the Additional Synchronous Commands section.
      1. cmd /c w32tm /config /update /manualpeerlist:"internalNTPserver1 internalNTPserver2 time.windows.com time.apple.com time.google.com" (note this is a space delimited list)
      2. cmd /c sc config "W32Time" start= auto 
  • You can do this for any number of one line commands (including PowerShell scripts).
  • What if I have multiple AD domains?
    • You have a few options for this.
    • The first option would be to create an XML per domain that you have and then ask Dell to create a different SKU for each. The XML itself can only support one domain.
    • The second option would be to create a script that automatically does the join itself, or has a GUI to pop up automatically in the administrator profile. In this case, you would configure the XML to call this script automatically in the First Logon Commands or Additional Synchronous Commands section, depending on how you want to deploy it.
    • PowerShell has a lot of options here and silent scripts can be created, as well as GUI-based ones that do dynamic joins.
  • Are my credentials stores in the XML?
    • Yes, they are. The local administrator password or any other local account passwords are saved as base64. This is simply obfuscation and not full encryption. The AD join username and password are saved in plain text due to Microsoft requirement. Make sure you do not send this file via email or copy/paste the content. Save in a secure place! The Dell File Transfer Application (FTA) is secure, as well as the factory itself. The XML is programmed to automatically delete itself after the system is booted so credentials are not stored on the system.
  • How do I sent a computer naming convention?
    • Computer name will be randomized by default so that every system coming from the factory is unique. To create a naming convention, use the Registered Owner and Registered Organization fields. The computer name will take  the first 7 characters from Registered Org or Registered Owner as the  prefix and then randomize the rest up to the max of 15 characters. For example, setting both of those fields to be "VMWARE-" (without quotes) yields a computer name of VMWARE-8QJJCTJB where the last 8 characters are randomized for every system. See Microsoft documentation for more information. If you require a more customized computer name using serial number or service tag, for example, please engage your Dell CS Project Manager to have that added to your order.

Dell Provisioning Using a Pre-1811 Console

Introduction

If you are working with a pre-1811 version of the Workspace ONE UEM console, the exercises in this chapter are for you.

See Exporting Apps to Provisioning Packages when you are ready to export the applications into a provisioning package to share with Dell.

See Creating Configuration Files when you are ready to export the provisioning configuration using the VMware Workspace ONE Configuration Tool for Provisioning.

Exporting Apps to Provisioning Packages

After the enterprise applications are uploaded or imported using Workspace ONE AirLift (from SCCM) into Workspace ONE, you are ready to export the applications into a provisioning package to share with Dell. The container used for this provisioning package is a Windows Provisioning Package (.ppkg) recognized natively by Windows 10. A custom mechanism is used in the PPKGs generated by Workspace ONE to install the applications, so it is recommended that you do not treat these PPKGs as generic PPKGs.

To export the enterprise applications, you open the Workspace ONE UEM console, and navigate to the Native Applications under the Apps & Books section. In the export dropdown, there is a new option to export PPKG. Selecting that option brings up a new dialog box with a list of applications to pick from. Currently, only Windows classic desktop applications which install in device context are supported for export. These applications must be uploaded to Workspace ONE after enabling software distribution. Any applications uploaded before enabling software distribution need to be uploaded again for them to be exported in the PPKG. Applications that install in user context and UWP apps are currently not supported for PPKG export.

Once you initiate the PPKG export process, a confirmation is shown. Upon completion of PPKG export, a notification is sent to the Workspace ONE UEM console with a link to download the PPKG.

Note: As console administrator, you can have only one PPKG export in progress at a time. To start a new PPKG export, you must wait for the existing PPKG export to complete. A new PPKG export request overwrites any previously exported PPKG for that administrator. However, multiple console administrators can concurrently request PPKGs to be exported.

The following diagram illustrates the process of exporting apps to provisioning packages in the Workspace ONE UEM Console:

This diagram shows the process of uploading, exporting, and leveraging factory provisioning to load the apps and deliver the device to the end user.

  1. Workspace ONE UEM admin uploads apps to Workspace ONE UEM manually or using Workspace ONE AirLift.
  2. Workspace ONE UEM admin exports selected apps as a provisioning package (.ppkg).
  3. Admin provides the provisioning package, along with a configuration file to Dell.
  4. Dell performs factory provisioning using the exported apps and configuration file.
  5. Devices are shipped directly to end users or your IT team.
  6. End users boot the device, and device onboard into Workspace ONE UEM, and receive app updates and other policies over-the-air.

1. Export PPKG

  1. Click Apps & Books.
  2. Click Native.
  3. Click the Export drop-down menu.
  4. Click Export PPKG.

1.1. Export PPKG for Windows

  1. Click the checkbox to select all of the supported apps.
  2. Click Export.

Note: Only three of the four apps were auto-selected. User Context apps are not currently supported, so only Device Context apps are selected. Apps with MSTs or MSPs fail to deploy because those additional patches are smart-group specific. As a workaround, you can re-package or ZIP the app with the MST/MSP already included, then deploy and export.

1.2. Windows Provisioning Package

Click Close.

1.3. Notifications

  1. Click the bell icon to open the notifications.
  2. Click Download.

1.4. Confirm PPKG Download

Confirm that the download was successful. This exported provisioning package is used in a future step.

Creating Configuration Files

After exporting the applications, you now need to export the provisioning configuration, using the VMware Workspace ONE Configuration Tool for Provisioning. This tool is a Windows desktop application, downloaded from the VMware Flings website. You can configure OOBE, domain join and MDM enrollment using this tool. With a Windows 10 Enterprise license, you can also set the provisioning configuration for removal of consumer applications bundled with Windows 10. The enterprise environment options supported for provisioning configuration are: on-premises domain join, Azure Active Directory Premium, Azure Active Directory Basic and local user/workgroup.

The provisioning configuration is exported in Windows unattend XML file format. This file follows the standard unattend XML schema, with some additional configuration for MDM enrollment into Workspace ONE UEM. The configuration is applied when the end user logs into the device.

To create these configuration files:

1. Installing the Workspace ONE Configuration Tool for Provisioning

  1. Open a new tab.
  2. Navigate to Workspace ONE Configuration Tool for Provisioning.
  3. Check the box to agree to the Technical Preview License.
  4. Click Download.

1.1. Open Factory Configuration Tool Zip

  1. Click the down arrow next to FactoryConfigurationTool-x.x.x.zip
  2. Click Open.

1.2. Extract Factory Configuration Tool

  1. Click Extract.
  2. Click Extract all.

1.3. Extract Compressed Folders

Click Extract.

1.4. Launch the VMware Configuration Tool for Provisioning

Click VMWareWorkspaceONEConfigurationToolforProvisioning.exe to open the tool.

1.5. Security Warning

Click Run.

1.6. Open Workspace ONE Configuration Tool

On the taskbar, launch the VMware Workspace ONE Configuration Tool for Provisioning.

2. Create the Configuration File

The VMware Workspace ONE Configuration Tool for Provisioning builds a configuration file. Leverage the following table for a detailed explanation of each field.  

Settings Description
Select AD Type

Select the type of Active Directory to use.

The settings below change based on your AD type.

Select Language Ensure the language of the operating system matches what you selected with Dell
OOBE Configuration
Show EULA Page Select Yes/No to show the EULA page during the OOBE.
Show Privacy Page Select Yes/No to show hide the privacy page during the OOBE.
Show Region and Keyboard Settings Select Yes/No to show the region and keyboard settings during the OOBE.
Language If No is selected (and thus hidden from OOBE), select the language below to pre-configure the system to that locale.
System Configuration
Domain Name

Enter the name of the domain you want the device to join.

This setting displays when you set the AD type to On-Prem AD Join.

Domain Username

Enter the username that has Domain Join privileges.

This setting displays when you set the AD type to On-Prem AD Join.

Note: This information is saved in plain text in the XML file. Please ensure this file is always secured and not sent over insecure transports.

Domain Password

Enter the password for the Domain Join user.

This setting displays when you set the AD type to On-Prem AD Join.

Note: This information is saved in plain text in the XML file. Please ensure this file is always secured and not sent over insecure transports.

AD Organization Unit (OU)

Enter the organization unit for the AD.

Th OU must follow the correct formatting:

OU=,OU=,DC=Company,DC=com

This setting displays when you set the AD type to On-Prem AD Join.

Workgroup

Enter the workgroup you want the device to join.

This setting displays when you set the AD type to Workgroup.

Registered Owner Enter the registered owner for the device.
Registered Organization Enter the registered organization for the device.
Remove Windows 10 Consumer Apps

Select Yes to prevent consumer apps from appearing in Windows 10.

This setting is only supported for Windows 10 Enterprise or Education. Entering a Windows 10 Enterprise or Education key is required.

Product Key

Enter the Windows 10 product key.

You must follow the correct format:

12345-54CDE-XYZ78-ONM98-456TY

Create Local User

Select Yes to create a local user account.

If you select No, the user is prompted during OOBE.

This setting displays when you set the AD type to Workgroup or Azure AD.

Local Username

Enter the username for creating an additional local user account.

This setting displays when you set the AD type to Workgroup or Azure AD.

Local User Password

Enter the password for the local user account.

This setting displays when you set the AD type to Workgroup or Azure AD.

Make Administrator?

Select to make the local account an administrator.

You must make the local user account an administrator to start Workspace ONE enrollment automatically.

During OOBE, the device prompts the user to enter their enrollment credentials.

This setting displays when you set the AD type to Workgroup or Azure AD.

Computer Name Computer name is randomized by default so that every system coming from the factory is unique. To create a naming convention, use the Registered Owner and Registered Organization fields. The computer name takes the first 7 characters from Registered Org or Registered Owner as the prefix and then randomizes the rest up to the maximum of 15 characters. For example, setting both of those fields to be "VMWARE-" (without quotes), yields a computer name of VMWARE-8QJJCTJB where the last 8 characters are randomized for every system. See Microsoft documentation for more information. If you require a more customized computer name using serial number or service tag, for example, please engage your Dell CS Project Manager to have that added to your order.
Enable Administrator Account

You must enable the built-in administrator account to facilitate Workspace ONE enrollment.

You can later disable this account after enrollment is complete.

Administrator Password Enter a password for the administrator account.
Auto Admin Login A one-time auto login of the admin account is required for Workspace ONE enrollment when selecting On-prem AD use case.
User Account Control Select the level of User Account Control (UAC).
Additional Synchronous Commands Add commands that automatically run at the end of the Windows setup process but before any user logs in.
First Logon Commands

Add commands that automatically run the first time a user logs in.

This setting requires the user have local admin privileges.

Workspace ONE Enrollment
Enrollment Server

Enter your Workspace ONE UEM enrollment server URL.

Find the enrollment URL by navigating in the Workspace ONE UEM console to Groups & Settings > All Settings > System > Advanced > Site URLS.

This setting displays when you set the AD type to On-Prem AD Join or Workgroup.

Enrollment OG

Enter the devices organization group.

This setting displays when you set the AD type to On-Prem AD Join or Workgroup.

Staging Account

Enter the username for the staging account.

Find this username by navigating in the Workspace ONE UEM console to Groups & Settings > All Settings > Devices & Users > Windows  > Windows Desktop > Staging & Provisioning .

This setting displays when you set the AD type to On-Prem AD Join or Workgroup.

Staging Account Password

Enter the password for the staging account.

This setting displays when you set the AD type to On-Prem AD Join or Workgroup.

Device Services URL

Enter your device services URL.

Find the device services URL by navigating in the Workspace ONE UEM console to Groups & Settings > All Settings > System > Advanced > Site URLs.

This setting only displays when you set the AD type to Azure AD - No Premium.


2.1. Select AD Type

Select On-Prem AD Join for AD Type, or the AD Type you want to configure for your use case.

The following screens leverage the On-Prem AD Join AD type. For more information about all required fields, see the preceding table with all options.

2.2. System Configuration

  1. Scroll down until you see System Configuration.
  2. Enter the Domain Name.
  3. Enter the Domain Username.
  4. Enter the Domain Password.
  5. Enter the Registered Organization.
  6. Enter the Administrator Password.

2.3. Workspace ONE Enrollment

Enter the Enrollment Server.

2.4. All Settings

Go back to the Workspace ONE UEM Console to obtain the required information.

  1. Click Groups & Settings.
  2. Click All Settings.

2.5. Staging & Provisioning

  1. Expand to Devices & Users > Windows > Windows Desktop > Staging & Provisioning.
  2. Copy the UPN value, which is needed in the next step.
  3. Copy the Secret (staging password) value, which is needed in the next step.
  4. Copy the Group ID by hovering over your email address. This value is also needed in the next step.

2.6. Workspace ONE Enrollment

  1. Enter your Group ID obtained from the previous step for Enrollment OG.
  2. Enter your UPN obtained from the previous step for Staging Account.
  3. Enter your Secret obtained from the previous step for Staging Account Password.
  4. Click Build Config File.

2.7. Verify Success

Your configuration file has been successfully saved to C:\Users\Administrator\Downloads\unattend.xml. You use this configuration file, along with the previously exported provisioning package, in the next exercises.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to export apps from the Workspace ONE UEM console as a Windows provisioning package (.ppkg), create a configuration file (unattend.xml) using the Workspace ONE Configuration Tool for Provisioning, and validate these files on a Windows 10 virtual machine.

Dell Provisioning for VMware Workspace ONE is a service offered by Dell for provisioning Windows 10 devices, leveraging the technologies in Workspace ONE. This service enables you to provision Windows 10 devices, without having to create or maintain custom operating system images. Custom imaging is a complex and expensive process. By eliminating it, this service simplifies the provisioning process, bringing value to you and taking Windows 10 into the era of modern device provisioning, powered by Workspace ONE.

When using this service, instead of using classic operating system imaging, you can package your enterprise applications and provisioning configuration (domain join, MDM enrollment, and so on), and send it to Dell. The applications are installed, and the configuration is applied by Dell on the devices that you ordered. After that, the fully provisioned devices, with your apps installed, are shipped out, ready for use by the end users out of the box. The devices are enrolled into Workspace ONE on user login, after which the ongoing management is done through Workspace ONE.

FAQs

  1. What is Dell Provisioning for VMware Workspace ONE?
    • Dell Provisioning for VMware Workspace one is a new Dell configuration service, which enables you to ship devices preconfigured with apps and configuration in the Dell factory directly to end users or IT. The service provides users with a ready-to-work experience on first boot and minimizes downtime with Zero Touch Restore capability, which enables apps and management to persist if a device needs a PC reset or recovery.
  2. What pain or problem does this new service solve?
    • The traditional approach to prepare a PC for work is time consuming, labor intensive, and expensive. Your IT admins build, maintain, and update your organization’s golden image(s), and then apply the image manually to a new PC or when re-imaging an existing PC. This can take hours per PC. The problem of imaging only gets more complicated as organizations seek to support multiple device types with different drivers, and to support the Windows update servicing model that delivers a new version of Windows twice a year instead of every 3 to 5 years.
  3. What versions of Windows 10 can you select to apply?
    • You can select from the three latest version of Windows 10 that Microsoft supports.
  4. Does this service support Windows 10 Pro, Windows 10 Enterprise or both?
    • Both versions are supported.
  5. What Dell hardware device are supported?
    • Latitude
    • Precision
    • OptiPlex
    • XPS notebooks
  6. How is this different from Windows 10 Provisioning Powered by VMware Workspace ONE?
    • Released in October 2017, Windows 10 Provisioning powered by VMware Workspace ONE is a cloud-based provisioning service that loads the Workspace ONE agent in the Dell factory. Apps and settings are applied once the user powers on the device.
  7. How does this compete or complement Dell ProDeploy client suite?
    • Dell Provisioning will be a standalone, Dell configuration service at launch, and you can purchase complementary configuration services, such as asset tagging. If you want to continue to do traditional imaging, you can leverage Dell's standalone imaging services or ProDeploy. If you want to use imaging services and Workspace ONE for management, you can include the Workspace ONE agent in the image you provide to Dell. Dell and VMware are working to provide the option within ProDeploy suite of imaging or provisioning services.
  8. Is the Dell File Transfer Application (FTA) tool secure?
    • Yes, it is a secure file transport. However, make sure that you keep your configuration file secure because it contains username/password information. Never send this file in an unsecure way. 

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud Asset of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
identity provider (IdP) A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management
(MDM) agent
Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP)
A host that offers resources, tools, and applications to users and devices.
virtual desktop The user interface of a virtual machine that is made available to an end user.
virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Searching for More Information

When looking for more VMware documentation, you can focus the search using the Advanced Search option.

  1. In the VMware Workspace ONE Documentation window, select the gear icon to start an advanced search.
  2. Enter words or phrases to start the search.
    Example: To search for an article that you think is called Compliance Profile Overview, you might include just the key words, in case the article now has a different name.
  3. Narrow the results by selecting specific criteria.
    Example: The search is limited to the specific product and version.
  4. Click Advanced Search.
  5. In the resulting hit list, you can select a hit. Or you can either apply Sort By filters, or narrow the results further by clicking Advanced Search.

Additional Resources

About the Author

This tutorial was written by:

  • Josué Negrón, Staff Architect, End-User-Computing Technical Marketing, VMware


With appreciation and acknowledgment for contributions from the following subject matter experts:

  • Brooks Peppin, Product Management, Workspace ONE UEM, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.