Deploying Win32 Applications: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.7 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE®environment. This tutorial shows you how to use Workspace ONE UEM to manage Windows 10 updates through a series of exercises including managing Win32 apps, deploying Microsoft Office 365 ProPlus, and reviewing additional application file samples.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM, is also helpful.

Deploying a Standard MSI Application File

Introduction

This exercise introduces you to managing Win32 applications with Workspace ONE.

Getting the Uninstall Command

In this exercise, you use command-line options to determine the uninstall command you might use when creating an uninstall script. You can then upload the script on the Files tab when deploying an app.

  1. In a command-line session, enter setup.exe /?. If the EXE contains an underlying MSI, use the msiexec uninstall command: msiexec /x setup.exe.
  2. Install the app on a reference device.
  3. When installation completes, look at the HKEYs on the device’s listed registries.
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
    • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
    • HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\

Getting the Exit Code

In this exercise, you determine the exit codes you might use if you select Using Custom Script on the Deployment Options tab.

Use the environmental variable %errorlevel% to get exit codes. Use it in conjunction with built-in DOS commands like ECHO, IF, and SET to preserve the existing %errorlevel% value.

  1. In a command-line session, run the install command for the Win32 application.
  2. Run ECHO %errorlevel%.
  3. If the Win32 application requires a reboot for installation, the variable returns the reboot exit code.

Understanding Installation Behavior

When deploying numerous apps to end-user devices, it can take some time to install all the device applications. After device on-boarding completes, apps queue up for the device to install per Windows operating system specifications, configured timeout values, and retry logic. Dependency files are installed prior to the main application.

Installation Behavior Variables

A few variables impact the way applications distributed from the Workspace ONE UEM Console install on devices.

  • User Type - Devices can have either admin or standard users.
  • Privileges - Applications may allow user privileges or require administrative privileges.
  • Context - Applications can install to the device or the user context.

The following table outlines how these variables impact installation behavior.

User Type Privileges Context Install Behavior
Admin User Admin
Device Install without prompt
User Install with prompt
User Device Install without prompt
User Install with prompt
Standard User
Admin
Device Install without prompt
User Install fails
User Device Install without prompt
User Install fails

Deploying Microsoft Office 365 ProPlus

Introduction

This exercise helps you configure and assign Microsoft Office 365 ProPlus with a configuration file for click-to-run delivery. The procedures are sequential and build upon one another, so make sure that you complete each section in order.

Software Distribution with Workspace ONE UEM

The VMware Workspace ONE application life cycle flow, also known as software distribution, exists for all internal applications. Use software distribution to deliver Win32 applications, track installation statuses, keep application versions current, and delete old applications.

Prerequisites

You must also must satisfy the following requirements:

  • Workspace ONE UEM Console
  • Windows 10 device that meets the following specifications:
    • Enrolled in Workspace ONE UEM
    • A virtual machine or spare Windows device
    • Windows 10 with the latest updates installed
    • Workspace ONE Application installed on Windows 10 device
    • Administrative rights
  • Folder containing Office365 files with the logo saved as 0365-logo.jpg.

Important: Do not access the Workspace ONE UEM Console from the same machine you are managing.

This exercise uses software distribution to deploy Office 365 Pro Plus, an EXE file packaged as a Zip file. This requires you to enter application information into the Workspace ONE UEM Console. To facilitate configuration, we gathered the required information in the following table.


Office 365 Pro Plus Zip
Install Command
setup.exe /Configure Configuration.xml

Uninstall Command
setup.exe /uninstall ProPlus
Install Context
Device
Admin Privileges
Yes
Success Code
0
Reboot Code
1614
When to Call Install Complete
Registry Path: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\O365ProPlusRetail
Value Name: DisplayName
Value Type: String
Value Data: Microsoft Office Professional Plus 2016

Note: VMware software distribution supports MSI, EXE, and ZIP files. The required application details vary by application and file type. For more information, see Additional Application Samples. To address scripting needs, use product provisioning.

Preparing Office 365 ProPlus Files

Before we can upload the ProPlus app to the Workspace ONE UEM Console, we need to prepare and zip the files.

1. Download the Office Deployment Tool

  1. Navigate to the Microsoft website: https://www.microsoft.com/en-us/download/details.aspx?id=49117.
  2. Click Download to download the Office Deployment Tool executable.
  3. Click the .exe file.

2. Extract Files

  1. Accept the licensing terms.
  2. Click Continue.

3. Select or Create Folder to Store Files

  1. Select or create a folder in which to store the extracted files.
  2. Click OK.

4. Package the Office 365 Files as a Zip

  1. Navigate to the folder containing the extracted files, for example, Office365.
  2. Select the configuration.xml and setup.exe files (click + drag over both, or ctrl + click both files) and right-click.
  3. Hover over Send to.
  4. Select Compressed (zipped) folder.

5. Rename the Zipped Folder

Rename the zipped folder to Office365ProPlus.zip.

6. Inspect the Configuration.xml File (Optional)

  1. Select configuration.xml and right-click the file.
  2. Select Edit.
    In this example, we are using the default configuration.xml file that is provided with the Office 365 ProPlus deployment. Your organization, if it has deployed Office 365, will have a configuration.xml file already that contains organization specifics for install and licensing options. The configuration.xml file contains organization specific details that the setup.exe process uses to configure the Office 365 installation for your users.

  3. Click the Close (X) button to exit Notepad.

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate In to the Workspace ONE UEM Console

  1. Enter your Username, for example, administrator.
  2. Click Next. After you click Next, the Password text box is displayed.
  1. Enter your Password, for example, VMware1!
  2. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

Uploading Microsoft Office 365 ProPlus

Now that you have zipped the setup.exe and configuration.xml files for your Office 365 deployment, the next step is to upload and deploy this application through the Workspace ONE UEM Console.

1. Add an Internal Application

In the Workspace ONE UEM Console:

  1. Select Apps & Books.
  2. Select Add Application.

2. Upload the Application File

Click Upload.

3. Choose the File to Upload

Click Choose File.

4. Choose the Office365ProPlus.zip File

  1. Navigate to the folder containing Office365ProPlus.zip.
  2. Click to select the Office365ProPlus.zip file.
  3. Click Open.

5. Save the Uploaded File

Click Save.

6. Continue after Saving the File

  1. Select No for Is this a dependency app?
  2. Click Continue.

Note: In software distribution, dependency files are libraries and frameworks that the app requires to function, such as Java, Silverlight, or .NET libraries. Although you upload and view them like a file, they have reduced features.

To view dependency files in the Workspace ONE UEM Console, navigate to Apps & Books > Applications > Native > Internal > Filters > Platform and select Windows Desktop. Then, expand Core vs Dependency Apps, and select Dependencies.

Configuring & Deploying Microsoft Office 365 ProPlus

After uploading Office 365 ProPlus to the Workspace ONE UEM Console, set its configurations, assign it to groups, and deploy it to devices.

1. Configure the Details Tab

  1. Ensure the Details tab is selected.
  2. Enter Office 365 Pro Plus for the Name.
  3. Select 64-bit for the Supported Processor Architecture. Verify which processor architecture is relevant for your device.

Note: When uploading MSI files all possible fields are automatically pre-populated with all of the metadata, however for ZIP packages you will have to generate a Name as well as some of the Deployment options.

2. Configure the Files Tab

Select the Files tab.

2.1. Review Application File Settings

Familiarize yourself with the following settings, which enable you to configure additional application details and requirements:

  • App Dependencies: Enable the system to apply dependency files.
  • App Transforms: Apply MSI Transform (MST) files.
  • App Patches: Apply MSI Patch (MSP) files.

2.2. Configure the App Uninstall Process

  1. Scroll down to find the App Uninstall Process section.
  2. Select Input for the Custom Script Type.
  3. Enter setup.exe /uninstall ProPlus as the Uninstall Command.

3. Configure Deployment Options

Select the Deployment Options tab.

3.1. Define When to Install

Configure details about what requirements must be met in order to install the application.

  1. Enter 3 for the Disk Space Required which specifies the amount of disk space the device must have available to install the application.
  2. Select GB for the Units of the Disk Space Required.
  3. Enter 50 for the Device Power Required which specifies the battery power, in percentage, that the device must have to install the application.
  4. Enter 500 for the RAM Required which specifies the amount of RAM the device must have to install the application.
  5. Enter MB for the Units of the RAM Required.

3.2. Define How to Install

  1. Scroll down to find the How To Install section.
  2. Enter setup.exe /configure configuration.xml for the Install Command.
  3. Enter 3 for the Retry Count, which specifies the number of times the system attempts to install the application after an unsuccessful attempt.
  4. Enter 5 for the Retry Interval, which specifies the time (in minutes) the system waits when it tries to install the application after an unsuccessful attempt.
  5. Enter 30 for the Install Timeout, which specifies the time (in minutes) the system allows the installation process to run without success.
  6. Enter 1614 for the Installer Reboot Exit Code, which specifies the code the installer outputs to identify a reboot action.
  7. Enter 0 for the Installer Success Exit Code, which specifies the code the installer outputs to identify a successful installation.

3.3. Define When To Call Install Complete

  1. Scroll down to the When To Call Install Complete section.
  2. Select Defining Criteria for Identify Application By.
  3. Click + Add.

3.4. Define the Application Criteria

  1. Select Registry Exists for the Criteria Type.
  2. Enter HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office16.PROPLUS for the Path.
  3. Enter DisplayName for the Value Name.
  4. Select String for the Value Type.
  5. Enter Microsoft Office Professional Plus 2016 for the Value Data.
  6. Click Add.

Note: There are multiple Criteria Types to choose from, allowing you to be flexible in determining if your deployment was successful.  You can also add multiple Criteria configurations and link them together logically to cover complex deployments.

4. Add the Application Icon

Select the Images tab.

4.1. Open Icon Settings

  1. Select the Icon tab.
  2. Click the area labeled Click or drag files here.

4.2. Select the Icon File

  1. Navigate to the folder containing the Office365 files.
  2. Select o365-logo.jpg.
  3. Click Open.

5. Set Terms of Use

  1. Select the Terms of Use tab.
  2. If you decide to have a Terms of Use that your users must accept before installing applications, you can configure that here.  For this exercise, select None.
  3. Click Save & Assign.

6. Assign & Publish

6.1. Add Application Assignment

Click Add Assignment.

6.2. Assign Office 365 Pro Plus

  1. Select All Devices (your.email@shown.here) for the Assignment Groups.
  2. Select Auto for App Delivery Method.
  3. Click Add.

6.3. Save and Publish

Click Save & Publish.

6.4. Publish

Click Publish.

7. Confirm the Application Appears in the List View

In the Internal Applications List View, confirm that the Office 365 Pro Plus application is displayed.  

You have successfully added the Office 365 ProPlus app to Workspace ONE UEM for deployment.  

Verifying Microsoft Office 365 ProPlus Deployed

This exercise helps you to verify that the install command completed successfully and how to verify your software distribution process.

1. Verify Install Command Was Sent

You can retrieve details about the current install status of an application on the assigned devices. Use these details to confirm that devices are installing the application appropriately.

1.2. Review the Application Summary

  1. Notice that the Install Status is currently showing Not Installed for 1 device.  This verifies that 1 device is currently assigned to receive the application and the application is still reporting as Not Installed.
  2. You can also verify your Deployment Progress to ensure that the number of devices receiving this application is correct and that your Deployment Mode (Auto or On Demand) is correct.

1.3. Verify the Install Command Dispatched

  1. Select the Devices tab.  This displays the current list of Devices that are assigned to receive this application.
  2. Notice that our enrolled Windows 10 Device is marked as Not Installed, but the Reason is listed as Install Command Dispatched.  Depending on your network resources, this is expected as the install can take some time.

Note: After the Install Command is processed, the Install Status and Reason fields will update to show that the install was successful or that there were errors.

2. Track & Troubleshoot Application Installation

Use the Device Details view to track application deployments and debug deployment issues.

2.2. View App Status

  1. Select the Apps tab.
  2. Scroll down until you see the Office 365 Pro Plus app in the list.
  3. Here you can see a list of applications that are installed on the device and additional information about each of them.  Successful, pending, and failed installations will all appear here.  You can see that the Office 365 Pro Plus application is pending due to the grey checkmark.

2.3. Access Troubleshooting Logs

  1. Select the More drop-down menu.
  2. Select Troubleshooting.

2.4. View Device Events

  1. Ensure the Event Log tab is selected. Under Event Log, you can view the full list of events sent to the device.  You can use this information to verify that the Install Command was received, and details about why the install succeeded or failed.
  2. Enter Application in the search box.
  3. Scroll to the right.
  4. Find the Install Application Requested action for the Office 365 Pro Plus application to verify that the device received the command.  You may need to scroll to the right to find the necessary columns, which are:
    • Event: Install Application Confirmed
    • Event Data: Application: Office 365 Pro Plus

3. Verify Install Was Completed

The following steps help you to verify that software distribution installs are completed and successful.

3.2. Review the Application Summary

Notice that the Install Status now shows Installed for the Windows 10 device.  

3.3. Check the Install Status and Reason

Notice that Install Status updated to Installed, and  Reason to Managed.  

3.4. Verify Installation on the Windows 10 Device

  1. Click the Windows button.
  2. After the installation completes, you will notice that the Recently Added section now displays the Office 2016 suite.

Updating Microsoft Office 365 ProPlus

You can control the versions of internal applications available to end users.

  1. Navigate to Apps & Books > Applications > List View and select the Internal tab.
  2. Select the application and then select Add Version from the actions menu.
  3. Upload the updated file.
  4. On the Details tab, select Retire Previous Versions.
  5. Select Save & Assign to use the flexible deployment feature.

See Patches in Software Distribution for an explanation of the system behavior for assigning cumulative patches to applications and restrictions for patches.

Deleting Microsoft Office 365 ProPlus

VMware AirWatch includes several methods to remove applications from devices. This exercise explains how to delete an application from devices in its assigned smart groups.

2. Select Office 365 ProPlus

  1. In the search bar, type Office and press Enter.
  2. Select the appropriate application from the list that appears

3. Delete Office 365 ProPlus

Click Delete.

Reviewing Additional Application File Samples

Introduction

Workspace ONE UEM supports the upload and deployment of MSIs, EXEs, and packaged apps. In this exercise, review additional examples of the supported application types, and their required Workspace ONE UEM configurations.

Refer to the article Software Distribution: Tips and Troubleshooting for a list of validated use cases as well as instructions on retrieving required application information.

MSI Samples

MSI application delivery is a highly automated procedure that's ideal for remote and enterprise worker devices. In this section, review the 7-Zip and Global Protect MSI application samples.

7-Zip
Install Command msiexec /i "7z1700-x64.msi" /qn
Uninstall Command Use default setting
Install Context Device
Admin Privileges No
Success Code 0
Reboot Code 1614
When to Call Install Complete Use default setting
Global Protect
Install Command msiexec /i "GlobalProtect64.msi" /qn
Uninstall Command msiexec /x {9F062897-EF0D-405E-AF59-AED495611981} /qn
Install Context Device
Admin Privileges No
Success Code 0
Reboot Code
When to Call Install Complete Value Type String

ZIP Samples

In this section, review the PocketOE.zip and the GPO Migration Tool application samples. The PocketOE.zip shows an MSI deployed as a zip, and the GPO Migration Tool shows a zip with a PowerShell script used for installation detection.

PocketOE.zip
Install Command
msiexec /i "PocketOE.msi" /quiet
Uninstall Command
msiexec /x "PocketOE.msi" /quiet
Install Context
Device
Admin Privileges
Yes
Success Code
0
When to Call Install Complete
Type: App Exists
AppID:  {AF90D5E8-5F3E-4DD3-A57D-3EFE740F204D}
GPO Migration Tool
Install Command
powershell -executionpolicy bypass -File DeployPackage.ps1
Uninstall Command
LGPO.exe
Install Context
Device
Admin Privileges
Yes
Success Code
0
When to Call Install Complete
Upload the Custom PowerShell Script File: LGPOConfirmPackageInstall.ps1
Run Command: powershell –executionpolicy bypass –File LGPOConfirmPackageInstall.ps1

EXE Samples

In this section, review the Firefox .EXE application samples.

Firefox
Install Command
Firefox Setup 56.0.2 -ms
Uninstall Command
%ProgramFiles%\Mozilla Firefox\uninstall\helper.exe /S
Install Context
Device
Admin Privileges
Yes
Success Code
1
Reboot Code
0
When to Call Install Complete
Registry path: HKLM\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB

Summary and Additional Resources

Conclusion

This tutorial shows you how to use Workspace ONE UEM to manage Windows 10 updates through a series of exercises.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

Term Description
adaptive access
The ability to control access and authentication methods to sensitive apps based on a device’s managed status.
additive
Includes only changes developed after the latest version of the application or the last additive patch.
app dependencies
Applications required by the environment and devices to run the Win32 application.
app patches
Files that apply additive or cumulative fixes, updates, or new features to applications.
app transforms
Files that control application installation and can add or prevent components, configurations, and processes during the process.
app uninstall process
Scripts that instruct the system to uninstall an application under specific circumstances.
application store A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
BitLocker Full disk encryption available for Windows, focused on addressing data leakage or data theft scenarios from stolen, lost, or incorrectly decommissioned devices.
bring your own device (BYOD) The process of providing secure access to corporate data, apps, and content on an employee-owned device without invading employee privacy to their personal data, apps, or content.
business mobility The concept of being able to provide secure access to your business services, infrastructure, and content to enable your workforce to work remotely.
catalog A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud Asset of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
conditional access To provision access to a resource or service, based on user entitlements or roles.
container The separation of corporate and personal data on employee-owned devices, allowing IT administrators to manage corporate applications and profiles without invading employee privacy or personal apps and content.
cumulative Includes the entire application, including any changes since the latest version of the application, or the last patches.
data leakage protection Software-controlled policies that determine how and where data can be transferred or shared to.
device enrollment The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
Device Health Attestation Module that gathers device health measurements and reports these measurements to the Health Attestation Service for evaluation.
enrollment The process of allowing your device to be managed by the software-defined policies of the chosen enterprise mobility management provider.
enterprise mobility management The concept of using software and policies to both secure and provide access controls for mobile devices.
files and actions The combination of the files delivered to a device and the actions that file performs on the device. Files and actions cannot be assigned directly to a device. Instead, assign files and actions to a product, which then provisions to devices.
Health Attestation Services Cloud service that evaluates health measurements from the device to determine the health state.
identity-as-a-service Identity and access management services through the cloud to provide SSO identity federation and user-access provisioning.
identity provider (IdP) A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile application management The concept of managing access, deployment, and restrictions of mobile applications using software and services.
mobile device management
(MDM) agent
The concept of managing mobile devices using software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
multi-factor authentication Access control process that requires users to authenticate using more than one method of authentication by providing something the user knows (a password) and something the user has, such as a hardware token, smartcard, or phone, or something the user is, such as a fingerprint or retina.
one-touch login A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
per-app VPN Policies that allow individual apps to access VPN configurations without granting device-wide access to the VPN connection.
public app stores Portals where users can access and obtain publically published applications, such as the iOS App Store and Google Play Store.
service provider (SP)
A host that offers resources, tools, and applications to users and devices.
smart groups Groups that control which devices get which product, based on how the group is created.
step-up authentication Restricting applications or services to require a stronger authentication method, depending on the sensitivity or severity of the resource.
unified endpoint management A single platform that allows organizations to manage and secure every endpoint, any app, and content across deployment use cases.
virtual desktop The user interface of a virtual machine that is made available to an end user.
virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.
Windows Information Protection Formerly Enterprise Data Protection (EDP), a Windows solution to assist in preventing data leakage without impeding the user experience.

For more information, see the My Workspace ONE Glossary or the VMware Glossary.

Additional Resources

About the Authors

This tutorial written by Josué Negrón, Sr. Solutions Architect, End-User-Computing Technical Marketing, VMware, and Hannah Jernigan, Technical Writer, End-User-Computing Technical Marketing, VMware, with appreciation and acknowledgement for considerable contributions from the following subject matter experts:

  • Pedro Bravo, Deployments Subject Matter Expert, VMware AirWatch
  • Ajay Padmakumar, T3 Support Subject Matter Expert, VMware AirWatch
  • Varun Murthy, Product Line Manager, VMware AirWatch
  • Nigitha Alugubelli, Sr. Product Manager, VMware AirWatch
  • Jason Roszak, Director Product Management, VMware AirWatch
  • Darren Weatherly, Sales Engineer, VMware AirWatch
  • Robert Terakedis, Sr. Solutions Architect, EUC Technical Marketing, VMware
  • Aditya Kunduri, Product Marketing Manager, EUC Mobile Marketing, VMware

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.