Drop Ship Provisioning (Online): Workspace ONE Operational Tutorial

Overview

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This tutorial covers the process for VMware Workspace ONE® Drop Ship Provisioning™ (Online) via the Self-Registration method.

With Workspace ONE Drop Ship Provisioning (Online), you can dynamically assign VMware Workspace ONE® UEM payloads like profiles and applications. You can provision your Windows devices with assignments at the manufacturer (OEM) or via self-registration and ship devices directly to your end users.

Workspace ONE Drop Ship Provisioning (Online) is supported for SaaS customers only.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and Workspace ONE UEM is also helpful.

Workspace ONE Drop Ship Provisioning (Online) using Self-Registration

Workspace ONE Drop Ship Provisioning (Online) Self-Registration allows Windows desktop device OEMs and Workspace ONE administrators to provide a virtually zero IT touch onboarding experience with virtually zero user downtime. This means that users are productive as soon as they receive their Windows desktop device.

Configurations, settings, and applications are preloaded at the factory. Now, instead of waiting for apps, policies, and settings to download and apply after the users first log in, you can have a ready-to-work experience on the first boot of the device.

This exercise helps you to configure and provision Windows devices, so they are ready to ship directly to the end user, regardless of location (home or office). The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

For more information, see VMware Docs: Self-Registration for Workspace ONE Drop Ship Provisioning (Online).

Prerequisites

Before you can perform the steps in this exercise, you must ensure some requirements are met.

A full list of requirements can be found on VMware Docs: Self-Registration for Workspace ONE Drop Ship Provisioning (Online). This section contains a quick checklist for some of these requirements.

You can also join the device to an on-premises domain remotely. To do so, you must have the AirWatch Cloud Connector (ACC) installed and configured, and you must make some modifications to the ACC to allow remote domain joining. For these requirements, see VMware Docs: Deploying Domain Join Configurations for Windows.

Validate application installs to ensure that all applications you assign to the device install correctly. When deploying applications to devices for Drop Ship Provisioning, these applications must be set to automatically deploy, install in the machine context, and not require any user interaction to complete the installation. If you want to test and validate on a virtual machine, see Creating a Windows Desktop Virtual Machine to Test Workspace ONE.

Devices require an internet connection when provisioning.

Publish Workspace ONE Intelligent Hub and turn on Automatic Updates

Confirm that the Workspace ONE Intelligent Hub is published. To ensure the Workspace ONE Intelligent Hub stays up to date, you must enable this in the Workspace ONE UEM console. To get the desired result, perform the following steps:

  1. Log in to the Workspace ONE UEM console and navigate to Settings.
  2. In Settings, navigate to Devices and Users > Windows > Windows Desktop > Intelligent Hub Application.
  3. Verify that Publish Workspace ONE Intelligent Hub is selected, select the device ownership types in use, and select Intelligent Hub Automatic updates.
    • Note: Always select Unknown or has not been set as a newly enrolled device may come in this way.

Verify that Software Distribution is enabled

  1. Log in to the Workspace ONE UEM console and navigate to Settings.
  2. In Settings, navigate to Devices and Users > Windows > Windows Desktop > App Deployments.
  3. Confirm that Software Package Deployment is Enabled.

Enable SSL Pinning-discovery

As some of these profiles and resources are provisioned at the OEM factory as well as via Self-Registration, it is important to turn on SSL pinning to enhance security.

To get the desired result, perform the following steps:

  1. Log in to the Workspace ONE UEM console and navigate to Settings.
  2. In Settings, navigate to System > Security > SSL Pinning.
  3. Ensure SSL Pinning is turned ON. You can also perform a sync by clicking the sync button at the bottom of the screen.

For more information, see VMware Docs: SSL Pinning.

Architecture

Devices using Drop Ship Provisioning (Online) must be registered in the Workspace ONE UEM console. The information from Workspace ONE UEM and the registration information from the manufacturer are stored in the OEM Provisioning Service. This provisioning service is a cloud service. Whether you register a device yourself, or the OEM registers the device, the records will be stored in the OEM Provisioning services. The devices registered against this service can be found in the Workspace ONE UEM console.

The following is an example of the order of operation steps when registering a device.

Drop Ship Provisioning Use cases

When provisioning a device using Drop Ship Provisioning (Online), the latest applications and policies are applied to the device. This puts the device in a ready-to-use state so the user can log in and get to work immediately.

When it comes to signing into a Windows machine, the type of domain join becomes important. Domain joining can be done in a few different ways with Drop Ship Provisioning (Online). These are:

  • Workgroup Join
  • On-Premises Domain Join

As the device is staged before the first user is logged in, you can assign applications like Workspace ONE Tunnel and the Tunnel Policy so on-premises AD users can log in remotely. This method can be used in conjunction with the domain join profile when the ACC modifications are made.

Workspace ONE Drop Ship Provisioning (Online) supports the following Active Directory (AD) types and use cases:

Table 1: Directory types and Use-Cases 

| User Authentication Method | Configuration Experience | Use Cases |
|---|---|---|
| Workgroup | Automatic enrollment to MDM. Device logs in with the local account. | Kiosk Devices; Purpose-Built Devices |
| On-Premises Active Directory | Automatic enrollment to MDM. Ability to join the on-premises active directory domain. Workspace ONE Tunnel can be used to connect to on-premises Active Directory for user login. Device logs in with on-premises Active Directory user credentials. | Corporate User |

Getting Started with Drop Ship Provisioning (Online) Self-Registration

Workspace ONE Drop Ship Provisioning (Online) provides a more dynamic way to assign and provision because you can add and update what you want to be provisioned over the air (OTA). Whenever a change is made, the system stores these changes—they become part of your resource’s suite for future devices. Resources are assigned to devices using Workspace ONE UEM tags. This section will walk through activating Drop Ship Provisioning (Online) and the configuration steps on how to create tags and assign resources to these tags.

Activate Drop Ship Provisioning (Online)

The following steps walk through how to activate Drop Ship Provisioning (Online):

To get the desired result, perform the following steps:

  1. In the Workspace ONE UEM console, navigate to Devices > Lifecycle > Drop Ship Provisioning.
  2. Click Enable Drop Ship Provisioning to enable the service.

  3. Select the toggle to turn on the Drop Ship Provisioning (Online) service.
  4. Review the Organization Group UUID – This is required when working with OEMs that provide this service.
  5. Select the Workspace ONE Child Organization groups where you want to use the Drop Ship Provisioning (Online) service.
  6. Click Save.

You can review these settings at any time, by navigating in the Workspace ONE UEM console to Groups and Settings > Configurations > Drop Ship Provisioning.

Create Device Tags

Next, we must create device tags. Creating device tags allows you to dynamically add and update resources that need to be applied to the device. Create as many tags as you need. For example, you might create a tag for different OEMs and Self-Registration.

In the Workspace ONE UEM Console, navigate to the Drop Ship Provisioning (Online) configuration page:

  1. Select Create Tags. Workspace ONE UEM tags can also be found under Settings > Devices and Users > Advanced > Tags.
  2. Click the Create Tag button to create a tag.
  3. Enter a name for the Tag and click Save.

Create Smart Groups

Smart groups are customizable groups within Workspace ONE UEM that determine which platforms, devices, and users receive an assigned application, book, compliance policy, device profile, or provision.

In the Workspace ONE UEM Console, navigate to the Drop Ship Provisioning (Online) configuration page:

  1. Select Create Smart Groups. Workspace ONE UEM Smart Groups can also be found under Groups and Settings > Groups > Assignment Groups.
  2. Click the Add Smart Group button.
  3. Enter a name for the Smart Group, under the criteria select Tags, and search for the tag you created.
  4. Click Save.

Assign Policies to Device Tags

Now that you have created a tag and a smart group that contains the tag data, you must assign the specific policies that you want to apply to the device before shipping directly to the user.

Ensure that policies are targeted to the Machine Context and not the User Context.

For more information on working with Windows policies, see Understanding Windows Group Policies: Workspace ONE Operational Tutorial.

After a policy has been created, ensure that the assignment of the policy is targeted to the correct smart group.

These assignments can be reviewed in the Workspace ONE UEM console.

In the Workspace ONE UEM console:

  1. Navigate to Resources > Profiles & Baselines.
  2. Review the Assigned Groups column. You should see the smart group created previously listed here. If you do not see this, go back and edit the policy and add the relevant smart group to the assignment.

Add On-Premises Domain Join

If you want to on-premises domain join the device remotely, you must have the AirWatch Cloud Connector (ACC) installed and configured and make some modifications to the ACC to allow remote domain joining. For these requirements, see VMware Docs: Deploying Domain Join Configurations for Windows.

The Workspace ONE Tunnel client can also be installed during the provisioning process alongside the Workspace ONE Tunnel Policy. For these steps, see Deploying VMware Workspace ONE Tunnel: Workspace ONE Operational Tutorial. Using the Tunnel client and Tunnel policy means that a device can be provisioned, on-premises domain joined, and the user can log in for the first time to the machine with on-premises Active Directory credentials, whether they are in the office, or working from home.

To create a policy to join Active Directory On-Premises, ensure that the requirements are met and then follow the steps to create a policy.

In the Workspace ONE UEM console:

  1. Navigate to Groups and Settings > Configurations.
  2. Search for and select Domain Join.
  3. Click Add.

  4. Enter a name for the Domain Join.
  5. For Domain Join Type, select On-Premises Active Directory.
  6. Select the Domain Name and Domain friendly name – this should automatically populate when the domain details are configured correctly.
  7. Select a naming convention for the Machine Name format.
  8. Click Save and Assign. Ensure that you assign this to the smart group created for Drop Ship Provisioning.

Assign Applications to Tags

Now that you have created a tag and a smart group that contains the tag data, alongside the policies, you must assign the applications that you want to apply to the device before shipping directly to the user.

Workspace ONE Drop Ship Provisioning (Online) does not support On-Demand or User context applications. Ensure your app assignments are in the Device context and are set to Automatic deployment.

For more information on working with Windows applications, see Deploying Traditional Win32 Applications to Windows Devices: Workspace ONE Operational Tutorial.

After an application has been created, ensure that its assignment is targeted to the correct smart group.

To review the applications and policies assigned to a smart group, follow the next steps.

 

In the Workspace ONE UEM console:

  1. Navigate to Settings > Groups > Assignment Groups.
  2. You can search for the Assignment Group using the search box. Under the Assignments tab, you can see how many resources have been assigned.
  3. Select the Assignments number to view the assignments.

Toggle between the Profiles and Applications categories to see a full list of profiles and applications assigned to this Smart Group.

When you are satisfied with the profiles and applications assigned to the device, the next step is to prepare a device and run through the provisioning steps.

Preparing the Device

Now that you have created the tags and smart groups, and assigned the relevant resources, it’s time to prepare the device. We will cover Self-Registration in this part of the tutorial. If you are working with OEMs that provide the Drop Ship Provisioning (Online) service, then you will give the OEM the relevant information needed for them to provision the device.

Registering the device details adds these details to the OEM Provisioning Service that is part of Workspace ONE. You will need the device serial number for these next steps.

If you want to test and validate on a virtual machine, see Creating a Windows Desktop Virtual Machine to Test Workspace ONE on Tech Zone.

Get the Device Serial Number

On the Windows device, from the Windows Command Prompt, enter the command:

wmic bios get serialnumber

Register Device in Workspace ONE UEM Console

  1. Navigate back to the Drop Ship Provisioning page: Devices > Lifecycle > Drop Ship Provisioning.
  2. Click Add Device.

  3. Enter a friendly name for the device.
  4. Enter the device Serial Number.
  5. Select the tag that you created previously and assigned the resources to.
  6. Review the Device Ownership and Model number if entered. The device make and model number of the machine will show in the Workspace ONE UEM console after the device has been provisioned.
  7. Click Create.

After the device has been registered, the Sync Status should be marked as Complete.

If the sync status isn’t complete, you can manually sync the service. A manual sync forces a sync to the OEM Provisioning service to obtain the latest devices registered.

If you force a manual sync, ensure that you update the web page, so it is displaying the latest data.

Download the Drop Ship Provisioning Online - Generic bundle

The next step is to download the Drop Ship Provisioning Online - Generic bundle.

The Drop Ship Provisioning Online - Generic bundle is staged on every device registered for Drop Ship Provisioning (Online). You must extract all files in audit mode and run the .bat script to stage and prep the device for the provisioning process.

The bundle contains the listed files:

  • VMware Workspace ONE Provisioning Tool
  • Generic PPKG
  • Generic answer file (unattend.xml)
  • RunPPKGandXML.bat file that contains a one-line script to orchestrate the staging process
  • License file

Boot Device into Audit Mode

To boot the operating system into audit mode, use Sysprep.

Sysprep (System Preparation) prepares a Windows installation (Windows client and Windows Server) for imaging, allowing you to capture a customized installation.

With Sysprep, you can configure the PC to boot to audit mode, where you can make additional changes or updates to your image.

For more information, see:

In the next steps, we will use the command line to reboot a machine into audit mode.

  1. Enter cmd in Windows Search.
  2. Run Command Prompt as Administrator.

TIP: Use keys SHIFT + F10 to open the command prompt during Windows setup on the Out of Box Experience (OOBE) screen.

When working with VMware Fusion or Workstation, during Windows setup when Windows enters the OOBE phase, enter audit mode using the following keys:

  • Fusion: SHIFT+FN+CONTROL+F3
  • Workstation: CTRL+SHIFT+F3 or CTRL+SHIFT+FN+F3 (on some laptops)

In this example, we generalize the operating system and reboot the machine to audit mode.

Enter the following in Command Prompt:

%WINDIR%\system32\sysprep\sysprep.exe /generalize /reboot /audit

Provision the device with Workspace ONE Provisioning Tool

To test Workspace ONE Drop Ship Provisioning (Online) – Self-Registration, we recommend using a test device, either physical (recommended for OEM software) or a Windows virtual machine. This ensures that all applications and policies can be applied with no errors before you provision devices in bulk or with the OEMs.

TIP: For best practices on virtual machines with Workspace ONE UEM, see Creating a Windows Virtual Machine to Test Workspace ONE.

On the test machine, boot the device into audit mode, then copy over the Drop Ship Provisioning (Online) – Generic bundle and extract the ZIP.

If the System Preparation Tool (Sysprep) window is running, ignore it.

  1. Double-click the RunPPKGandXML.bat file.
  2. The VMware Workspace ONE Provisioning Tool staging process starts zero-touch provisioning.
  3. After staging completes, the device automatically runs Sysprep and powers down, as it prepares to launch the zero-touch process.
  4. Initiate the zero-touch provisioning process by starting the device after the device completes staging and its registration steps.
  5. Results: After the process completes, the device displays a green screen that reads Workspace ONE Provisioning complete.

Troubleshooting

This section covers some issues you might encounter and includes the troubleshooting steps.

If the Workspace ONE Provisioning Tool fails during the process, then you will see a red screen. From this screen, you can click Open Log to check the logs.

Check Event Log

The event log can be used to show any action events relating to the Drop Ship Provisioning (Online) process.

On the Windows device, open Event Viewer and navigate to Applications and Services Logs > AirWatch-Provisioning Agent.

  • If you see an event that shows a 400 error, this might mean the device is not registered in OEM Provisioning Service. To rectify, ensure that the device has been registered with the right serial number.
  • If you see an event that shows SSL transport error, this might be an issue with SSL Pinning. Ensure that SSL pinning is turned on and synced.
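
The two checks above can be scripted on the device. The following PowerShell is an added example, not part of the original tutorial or of VMware's tooling. It assumes the event channel is named exactly as the Event Viewer node above and that the event message text contains the strings this section describes ("400" and "SSL transport error"); the function name Get-ProvisioningHint is hypothetical.

```powershell
# Added example: triage Drop Ship Provisioning (Online) events on the device.
# Assumption: the channel name matches the Event Viewer node named in this tutorial.
$LogName = 'AirWatch-Provisioning Agent'

# Map the two symptoms this section describes to the checks it suggests.
# Assumption: the event message contains these strings verbatim.
$Hints = @(
    [pscustomobject]@{
        Pattern = '\b400\b'
        Check   = 'Device may not be registered in the OEM Provisioning Service; verify the registered serial number.'
    }
    [pscustomobject]@{
        Pattern = 'SSL transport error'
        Check   = 'Possible SSL pinning issue; confirm SSL Pinning is turned on and synced in the UEM console.'
    }
)

# Hypothetical helper: returns the suggested check for a message, or $null.
function Get-ProvisioningHint {
    param([string]$Message)
    foreach ($h in $Hints) {
        if ($Message -match $h.Pattern) { return $h.Check }
    }
    return $null
}

# Serial number as the firmware reports it (the same value the wmic command
# returns), so it can be compared with the serial registered in the console.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
Write-Output "BIOS serial number on this device: $serial"

# Read the most recent events; a missing or empty channel is reported, not fatal.
$events = Get-WinEvent -LogName $LogName -MaxEvents 200 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No events read from '$LogName'. Check the channel name and run elevated."
    return
}

# Keep only events that match a known symptom and show the suggested check.
$events |
    ForEach-Object {
        $hint = Get-ProvisioningHint -Message $_.Message
        if ($hint) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Level       = $_.LevelDisplayName
                Hint        = $hint
                Message     = ($_.Message -split "`r?`n")[0]   # first line only
            }
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt on the provisioned device; if it prints a 400-related hint, compare the reported serial number with the one entered under Devices > Lifecycle > Drop Ship Provisioning.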

Check PPKGFinalSummary Log

The PPKGFinalSummary log will help determine if any applications have failed.

The log file can be found on the Windows device in %ProgramData%\Airwatch\UnifiedAgent\Logs.

Some common issues may be:

  • Issue: Waiting on Hub
    • Resolution: Ensure the Workspace ONE Intelligent Hub has been published and set to auto update.
    • For this item, the Workspace ONE UEM console will show Pending Hub.
  • Issue: Application deployment issue
    • Resolution: The applications might not be set to auto or silent install.
    • Applications must always be deployed automatically and set to install silently.

Summary and Additional Resources

This operational tutorial provided the steps to take advantage of Workspace ONE Drop Ship Provisioning (Online), where you can dynamically assign Workspace ONE UEM payloads like profiles and applications. This tutorial explored provisioning Windows devices with assignments at the manufacturer (OEM) or via Self-Registration and shipping devices directly to your end users. 

This service enables you to provision Windows devices without creating or maintaining custom operating system images. Custom imaging is a complex and expensive process, and by eliminating custom imaging, organizations can deploy, secure, and manage Windows devices using modern management techniques, dramatically simplifying the provisioning process.

Additional Resources

For more information about Windows Modern Management with Workspace ONE, you can explore the following resources:

Getting Started with Windows Modern Management

Windows Onboarding

Windows Security and Policy Management

Windows Application Management

Windows OS Patching

Changelog

The following updates were made to this guide:

| Date | Description of Changes |
|---|---|
| 2023/01/13 | Updated guide replacing information with Drop Ship Provisioning (Online) |
| 2021/11/25 | Minor updates to the requirements section |
| 2021/07/20 | Clarified and updated information about Blast Extreme, removed the section about a deprecated feature. Updated screenshots. Added more verbiage about Drop Ship Online and Offline. Renamed Factory Provisioning to Workspace ONE Drop Ship Provisioning. |
| 2020/04/29 | Guide was published. Changed references from Dell Factory Provisioning to Factory Provisioning for Workspace ONE. Removed Pre-1811 Workspace ONE UEM chapter. |

About the Author and Contributors

This tutorial was written by:

  • Darren Weatherly, Senior Architect, End-User Computing Technical Marketing, VMware

With appreciation and acknowledgment for contributions from the following subject matter experts:

  • Chris Halstead, Senior Staff Technical Product Manager, VMware
  • Saurabh Jhunjhunwala, EUC Customer Success Architect, VMware

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

