Deploying Win32 Applications: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.7 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This tutorial shows you how to use Workspace ONE UEM to manage Windows 10 Applications through a series of exercises including managing Win32 apps, deploying Microsoft Office 365 ProPlus, and reviewing additional application file samples.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM is also helpful.

Deploying a Standard MSI Application File

Introduction

This exercise introduces you to managing Win32 applications with Workspace ONE.

Understanding Installation Behavior

When deploying numerous apps to end-user devices, it can take some time to install all the device applications. After device on-boarding completes, apps queue up for the device to install per Windows operating system specifications, configured timeout values, and retry logic. Dependency files are installed prior to the main application.

Installation Behavior Variables

A few variables impact the way applications distributed from the Workspace ONE UEM Console install on devices.

  • User Type - Devices can have either admin or standard users.
  • Privileges - Applications may allow user privileges or require administrative privileges.
  • Context - Applications can install to the device or the user context.

The following table outlines how these variables impact installation behavior.

User Type       Privileges   Context   Install Behavior
Admin User      Admin        Device    Install without prompt
Admin User      Admin        User      Install with prompt
Admin User      User         Device    Install without prompt
Admin User      User         User      Install with prompt
Standard User   Admin        Device    Install without prompt
Standard User   Admin        User      Install fails
Standard User   User         Device    Install without prompt
Standard User   User         User      Install fails

Getting the Uninstall Command

In this exercise, you use command-line options to determine the uninstall command you might use when creating an uninstall script. You can then upload the script on the Files tab when deploying an app.

  1. In a command-line session, enter setup.exe /?. If the EXE contains an underlying MSI, use the msiexec uninstall command: msiexec /x setup.exe.
  2. Install the app on a reference device.
  3. When installation completes, look at the following registry keys on the device:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
    • HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\
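
One way to read the uninstall commands from those keys on the reference device, as an added PowerShell example that is not part of the original tutorial. The function name and the '7-Zip*' filter are illustrative assumptions.

```powershell
# Added example: list the uninstall commands registered under the Uninstall
# keys named in step 3. Run on the reference device after installing the app.
function Get-UninstallCommand {
    param(
        # Wildcard matched against DisplayName; '7-Zip*' below is a sample value.
        [string] $NameLike = '*'
    )

    $roots = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($root in $roots) {
        # Not every key exists on every device, so skip the missing ones.
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root | ForEach-Object {
            $p = Get-ItemProperty -LiteralPath $_.PSPath
            if ($p.DisplayName -and $p.DisplayName -like $NameLike) {
                [pscustomobject]@{
                    DisplayName          = $p.DisplayName
                    # HKLM entries are per-device installs, HKCU per-user.
                    Scope                = if ($root -like 'HKLM:*') { 'Device' } else { 'User' }
                    # For MSI installs the subkey name is the product code GUID.
                    KeyName              = $_.PSChildName
                    UninstallString      = $p.UninstallString
                    QuietUninstallString = $p.QuietUninstallString
                }
            }
        }
    }
}

Get-UninstallCommand -NameLike '7-Zip*' | Format-List
```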

Getting the Exit Code

In this exercise, you determine the exit codes you might use if you select Using Custom Script on the Deployment Options tab.

Use the environmental variable %errorlevel% to get exit codes. Use it in conjunction with built-in DOS commands like ECHO, IF, and SET to preserve the existing %errorlevel% value.

  1. In a command-line session, run the install command for the Win32 application.
  2. Run ECHO %errorlevel%.
  3. If the Win32 application requires a reboot for installation, the variable returns the reboot exit code.
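
The same check scripted in PowerShell, as an added example that is not part of the original tutorial: it runs an install command, reads the exit code that %errorlevel% would show, and sorts it into the success and reboot codes you plan to enter on the Deployment Options tab. The function name and the code lists in the sample call are assumptions; the MSI file name is taken from the 7-Zip sample later in this tutorial.

```powershell
# Added example: run an installer and classify its exit code.
function Test-InstallExitCode {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string[]] $ArgumentList = @(),
        # Codes you intend to enter as Installer Success / Reboot Exit Code.
        [int[]] $SuccessCodes = @(0),
        [int[]] $RebootCodes  = @()
    )

    $startArgs = @{ FilePath = $FilePath; Wait = $true; PassThru = $true }
    # Start-Process rejects an empty -ArgumentList, so add it only when set.
    if ($ArgumentList.Count -gt 0) { $startArgs['ArgumentList'] = $ArgumentList }

    # -Wait blocks until the installer exits; -PassThru returns the process
    # object so ExitCode can be read (the value cmd.exe shows as %errorlevel%).
    $proc = Start-Process @startArgs
    $code = $proc.ExitCode

    if ($RebootCodes -contains $code) { $result = 'RebootRequired' }
    elseif ($SuccessCodes -contains $code) { $result = 'Success' }
    else { $result = 'Failed' }

    [pscustomobject]@{
        Command  = "$FilePath $($ArgumentList -join ' ')".Trim()
        ExitCode = $code
        Result   = $result
    }
}

# Sample call (run elevated, in the folder holding the MSI).
# 3010 and 1641 are the reboot-required and reboot-initiated codes that
# msiexec documents; replace them with what your installer actually returns.
Test-InstallExitCode -FilePath 'msiexec.exe' `
    -ArgumentList '/i', '"7z1700-x64.msi"', '/qn' `
    -SuccessCodes 0 -RebootCodes 3010, 1641
```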

Deploying Win32 Applications

Deploying a Standard ZIP Application File - Example Microsoft Office Pro Plus

This exercise helps you configure and assign Microsoft Office 365 ProPlus with a configuration file for click-to-run delivery. The procedures are sequential and build upon one another, so make sure that you complete each section in order.

For more information on the Office Customization Tool, please see Overview of the Office Customization Tool

Disclaimer: This information may change over time

Pre-Requisites

Before we can upload the files to Workspace ONE UEM, we need to ensure a few steps are taken care of:

  1. Create Configuration.xml file using the Office Customization Tool
  2. Create the Uninstall.xml
  3. Download the Office Deployment tool
  4. Office Customization Tool Tips

You must also satisfy the following requirements:

  • Workspace ONE UEM Console
  • Windows 10 device that meets the following specifications:
    • Enrolled in Workspace ONE UEM
    • A virtual machine or spare Windows device
    • Windows 10 with the latest updates installed
    • Workspace ONE Application installed on Windows 10 device
    • Administrative rights
  • Folder containing Office365 files with the logo saved as 0365-logo.jpg.

Create Configuration.xml file using the Office Customization Tool

  1. Go to config.office.com
  2. Click Create under Create a new configuration
  3. Configure the Office deployment settings
  4. Export the XML
  5. Select file format - Keep Current Settings
  6. Click OK
  7. Read and Accept the license agreement
  8. Ensure file name is configuration.xml

Create the Uninstall.xml

Recommended:

If you want to have an uninstall command in the Workspace ONE UEM console, create an uninstall.xml file. Copy and paste the following text into Notepad and save the file as uninstall.xml.

<Configuration>
  <Remove>
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us"/>
    </Product>
  </Remove>
  <Display Level="None" AcceptEULA="TRUE"/>
</Configuration>

Download the Office Deployment tool

  1. Download the Office Deployment Tool 
  2. Run the exe file
  3. Export the files to a location for later

Office Customization Tool Tips

Using the Office Customization Tool, you can customize your installation of Office to meet the organization's needs.

You can select configurations such as:

  • Select which Office Edition to install
  • Configure Specific Office Applications to install
    • E.g. Outlook, Word, Excel, PowerPoint, Teams
  • Configure how Office receives Updates
  • Configure Languages and more

For more information on the Office Customization Tool, please see Overview of the Office Customization Tool

Create Office Zip package

  1. Select Configuration.xml, uninstall.xml and setup.exe
  2. Send the files to a ZIP folder.
  3. Name the file, for example Office
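
Steps 1 to 3 scripted in PowerShell with two checks before zipping, as an added example that is not part of the original tutorial: both XML files must parse, and setup.exe must carry a valid Authenticode signature from the expected publisher. The function name, the folder path in the sample call and the publisher match string are assumptions.

```powershell
# Added example: validate the three files, then build Office.zip.
function New-OfficePackage {
    param(
        [Parameter(Mandatory)] [string] $SourceDir,
        [string] $ZipPath = (Join-Path $SourceDir 'Office.zip'),
        # Assumed substring expected in the signer certificate subject.
        [string] $ExpectedPublisher = 'Microsoft Corporation'
    )

    $setup = Join-Path $SourceDir 'setup.exe'
    $xmls  = 'Configuration.xml', 'uninstall.xml' |
        ForEach-Object { Join-Path $SourceDir $_ }

    foreach ($f in @($xmls) + $setup) {
        if (-not (Test-Path -LiteralPath $f -PathType Leaf)) {
            throw "Missing file: $f"
        }
    }

    # Parse each XML file. Curly quotes pasted from a web page or document
    # make attribute values invalid; catch that here, not on the device.
    foreach ($x in $xmls) {
        try   { $doc = [xml](Get-Content -LiteralPath $x -Raw) }
        catch { throw "Not well-formed XML: $x ($($_.Exception.Message))" }
        if ($doc.DocumentElement.Name -ne 'Configuration') {
            throw "Unexpected root element in $x"
        }
    }

    # Refuse to package an unsigned or tampered setup.exe.
    $sig = Get-AuthenticodeSignature -LiteralPath $setup
    if ($sig.Status -ne 'Valid') {
        throw "setup.exe signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # Files land at the root of the ZIP, which is where the install and
    # uninstall commands in this tutorial expect them.
    Compress-Archive -LiteralPath (@($xmls) + $setup) -DestinationPath $ZipPath -Force

    # Return the archive hash so the uploaded file can be compared later.
    Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256
}

# Sample call; the path is a constructed example.
New-OfficePackage -SourceDir 'C:\Temp\Office365'
```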

Upload Office Zip in Workspace ONE UEM console

After uploading Office 365 ProPlus to the Workspace ONE UEM Console, set its configurations, assign it to groups, and deploy it to devices.

Upload Application into Workspace ONE UEM

  1. In the left hand side of the Workspace ONE UEM console, select Apps and Books.
  2. Select Internal Application.
  3. Select Add Application and Upload.
  4. Browse for the Office.zip file and click Save.
  5. Select No for Is this a dependency app?.
  6. Select Continue.

Configure the Details Tab

Configure the Office 365 Details Tab
  1. Ensure the Details tab is selected.
  2. Enter Office 365 Pro Plus for the Name.
  3. Select 64-bit for the Supported Processor Architecture. Verify which processor architecture is relevant for your device.

Note: When uploading MSI files all possible fields are automatically pre-populated with all of the metadata, however for ZIP packages you will have to generate a Name as well as some of the Deployment options.

Configure the Files Tab

Configure the Files Tab for Office 365
  1. Navigate to the Files tab.
  2. Scroll down to find the App Uninstall Process section.
  3. Select Input for the Custom Script Type.
  4. Enter setup.exe /CONFIGURE uninstall.xml in the Uninstall Command text box.

Configure the Deployment Options Tab

Define When to Install

Configure the Deployment settings for Office 365

Configure the requirements that must be met in order to install the application.

  1. Select the Deployment Options tab
  2. Look for the When to Install Section
  3. Enter 3 for the Disk Space Required which specifies the amount of disk space the device must have available to install the application.
  4. Select GB for the Units of the Disk Space Required.
  5. Enter 50 for the Device Power Required which specifies the battery power, in percentage, that the device must have to install the application.
  6. Enter 500 for the RAM Required which specifies the amount of RAM the device must have to install the application.
  7. Enter MB for the Units of the RAM Required.

Define How to Install

Define Install commands for Office 365
  1. Scroll down to find the How To Install section.
  2. Leave Install Context to Device
  3. Enter setup.exe /configure configuration.xml for the Install Command.
  4. Leave Admin Privileges as Yes
  5. Change Device Restart to specified settings. In this example we are using Restart If Required
  6. Enter for the Retry Count, which specifies the number of times the system attempts to install the application after an unsuccessful attempt.
  7. Enter 5 for the Retry Interval, which specifies the time (in minutes) the system waits when it tries to install the application after an unsuccessful attempt.
  8. Enter 60 for the Install Timeout, which specifies the time (in minutes) the system allows the installation process to run without success.
  9. Enter 1614 for the Installer Reboot Exit Code, which specifies the code the installer outputs to identify a reboot action.
  10. Enter for the Installer Success Exit Code, which specifies the code the installer outputs to identify a successful installation.

Define When To Call Install Complete

  1. Scroll down to find the When To Call Install Complete section
  2. Select Defining Criteria for Identify Application By
  3. Select Add
  4. In the Criteria Type drop-down, select File Exists
  5. Enter the Path C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Note: There are multiple Criteria Types to choose from, allowing you to be flexible in determining if your deployment was successful. You can also add multiple Criteria configurations and link them together logically to cover complex deployments.

Add the Application Icon

  1. Select the Images tab.
  2. Select the Icon tab.
  3. Click the area labeled Click or drag files here
  4. Navigate to the folder containing the Office365 files and select the file
  5. Confirm that your icon has been uploaded.

Set Terms of Use

  1. Select the Terms of Use tab.
  2. If you decide to have a Terms of Use that your users must accept before installing applications, you can configure that here. For this exercise, select None.
  3. Click Save & Assign.

Assign & Publish

Assign & Publish Windows Applications
  1. Click Assignments
  2. Click Add Assignment
  3. Select Add Assignment to add the assignment group.
    1. Select the Select Assignment Groups search box and select All Devices.
    2. Select On-Demand for the App Delivery Method.
    3. Select Show for Display in App Catalog.
    4. Select Enabled for Make App MDM Managed if User Installed.
    5. Select Add.
  4. Click Save and Publish.

Confirm the Application Appears in the List View

In the Internal Applications List View, confirm that the Office 365 Pro Plus application is displayed.

You have successfully added the Office 365 ProPlus app to Workspace ONE UEM for deployment.

Summary

You can deploy Office 365 ProPlus with Workspace ONE UEM using software distribution.

The following use case explains deploying Office 365 ProPlus as a light office install using software distribution. The use case covers prerequisites such as using the Office Customization Tool to ensure only Outlook, Word, Excel, PowerPoint, and Teams are installed; creating an Office.zip file for scripted install; and then uploading and configuring the deployment settings with Workspace ONE UEM.

The VMware Workspace ONE application life cycle flow, also known as software distribution, exists for all internal applications. Use software distribution to deliver Win32 applications, track installation statuses, keep application versions current, and delete old applications.

Note: VMware software distribution supports MSI, EXE and ZIP files. The required application details vary by application and file type. For more information, see Additional Application Samples. To address scripting needs, use product provisioning.

Reviewing Additional Application File Samples

Introduction

Workspace ONE UEM supports the upload and deployment of MSIs, EXEs, and packaged apps. In this exercise, review additional examples of the supported application types, and their required Workspace ONE UEM configurations.

Refer to the article Software Distribution: Tips and Troubleshooting for a list of validated use cases as well as instructions on retrieving required application information.

MSI Samples

MSI application delivery is a highly automated procedure that's ideal for remote and enterprise worker devices. In this section, review the 7-Zip and Global Protect MSI application samples.

7-Zip
  Install Command:                 msiexec /i "7z1700-x64.msi" /qn
  Uninstall Command:               Use default setting
  Install Context:                 Device
  Admin Privileges:                No
  Success Code:                    0
  Reboot Code:                     1614
  When to Call Install Complete:   Use default setting

Global Protect
  Install Command:                 msiexec /i "GlobalProtect64.msi" /qn
  Uninstall Command:               msiexec /x {9F062897-EF0D-405E-AF59-AED495611981} /qn
  Install Context:                 Device
  Admin Privileges:                No
  Success Code:                    0
  Reboot Code:
  When to Call Install Complete:   Value Type String

ZIP Samples

In this section, review the PocketOE.zip and the GPO Migration Tool application samples. The PocketOE.zip shows an MSI deployed as a zip, and the GPO Migration Tool shows a zip with a PowerShell script used for installation detection.

PocketOE.zip
  Install Command:                 msiexec /i "PocketOE.msi" /quiet
  Uninstall Command:               msiexec /x "PocketOE.msi" /quiet
  Install Context:                 Device
  Admin Privileges:                Yes
  Success Code:                    0
  When to Call Install Complete:   Type: App Exists
                                   AppID: {AF90D5E8-5F3E-4DD3-A57D-3EFE740F204D}

GPO Migration Tool
  Install Command:                 powershell -executionpolicy bypass -File DeployPackage.ps1
  Uninstall Command:               LGPO.exe
  Install Context:                 Device
  Admin Privileges:                Yes
  Success Code:                    0
  When to Call Install Complete:   Upload the Custom PowerShell Script File: LGPOConfirmPackageInstall.ps1
                                   Run Command: powershell -executionpolicy bypass -File LGPOConfirmPackageInstall.ps1

EXE Samples

In this section, review the Firefox .EXE application samples.

Firefox
  Install Command:                 Firefox Setup 56.0.2 -ms
  Uninstall Command:               %ProgramFiles%\Mozilla Firefox\uninstall\helper.exe /S
  Install Context:                 Device
  Admin Privileges:                Yes
  Success Code:                    1
  Reboot Code:                     0
  When to Call Install Complete:   Registry path: HKLM\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB

Summary and Additional Resources

Conclusion

This tutorial shows you how to use Workspace ONE UEM to manage Windows 10 applications through a series of exercises.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

Term: Description
adaptive access: The ability to control access and authentication methods to sensitive apps based on a device’s managed status.
additive: Includes only changes developed after the latest version of the application or the last additive patch.
app dependencies: Applications required by the environment and devices to run the Win32 application.
app patches: Files that apply additive or cumulative fixes, updates, or new features to applications.
app transforms: Files that control application installation and can add or prevent components, configurations, and processes during the process.
app uninstall process: Scripts that instruct the system to uninstall an application under specific circumstances.
application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
BitLocker: Full disk encryption available for Windows, focused on addressing data leakage or data theft scenarios from stolen, lost, or incorrectly decommissioned devices.
bring your own device (BYOD): The process of providing secure access to corporate data, apps, and content on an employee-owned device without invading employee privacy to their personal data, apps, or content.
business mobility: The concept of being able to provide secure access to your business services, infrastructure, and content to enable your workforce to work remotely.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
conditional access: To provision access to a resource or service, based on user entitlements or roles.
container: The separation of corporate and personal data on employee-owned devices, allowing IT administrators to manage corporate applications and profiles without invading employee privacy or personal apps and content.
cumulative: Includes the entire application, including any changes since the latest version of the application, or the last patches.
data leakage protection: Software-controlled policies that determine how and where data can be transferred or shared to.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Workspace ONE Access (formerly VMware Identity Manager).
Device Health Attestation: Module that gathers device health measurements and reports these measurements to the Health Attestation Service for evaluation.
enrollment: The process of allowing your device to be managed by the software-defined policies of the chosen enterprise mobility management provider.
enterprise mobility management: The concept of using software and policies to both secure and provide access controls for mobile devices.
files and actions: The combination of the files delivered to a device and the actions that file performs on the device. Files and actions cannot be assigned directly to a device. Instead, assign files and actions to a product, which then provisions to devices.
Health Attestation Services: Cloud service that evaluates health measurements from the device to determine the health state.
identity-as-a-service: Identity and access management services through the cloud to provide SSO identity federation and user-access provisioning.
identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically grant the user access to a resource based on their authentication to a different resource.
mobile application management: The concept of managing access, deployment, and restrictions of mobile applications using software and services.
mobile device management (MDM) agent: The concept of managing mobile devices using software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
multi-factor authentication: Access control process that requires users to authenticate using more than one method of authentication by providing something the user knows (a password) and something the user has, such as a hardware token, smartcard, or phone, or something the user is, such as a fingerprint or retina.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
per-app VPN: Policies that allow individual apps to access VPN configurations without granting device-wide access to the VPN connection.
public app stores: Portals where users can access and obtain publicly published applications, such as the iOS App Store and Google Play Store.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
smart groups: Groups that control which devices get which product, based on how the group is created.
step-up authentication: Restricting applications or services to require a stronger authentication method, depending on the sensitivity or severity of the resource.
unified endpoint management: A single platform that allows organizations to manage and secure every endpoint, any app, and content across deployment use cases.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.
Windows Information Protection: Formerly Enterprise Data Protection (EDP), a Windows solution to assist in preventing data leakage without impeding the user experience.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture, which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the Authors

This tutorial was written by:

Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.