Enrolling Windows 10 Devices Using Azure AD: VMware Workspace ONE UEM Operational Tutorial

Overview

Introduction

This Enrolling Windows 10 Devices Using Azure AD: VMware Workspace ONE UEM Operational Tutorial provides you with practical information and exercises to help you set up device enrollment in your Windows ONE UEM management solution in conjunction with Microsoft Azure Active Directory, and to address the unique circumstances of your use cases.

Purpose

This operational tutorial provides you with discussions and  exercises to help with your existing VMware Workspace ONE® production environment. VMware provides operational tutorials to help you with

  • Common procedures or best practices
  • Complex manual procedures
  • Troubleshooting

Note: Before you begin any operational tutorial, you must first deploy a production environment. For information about deployment, see the VMware Workspace ONE Documentation.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM (unified endpoint management), powered by VMware AirWatch, is also helpful.

Enrolling Windows 10 Using Microsoft Azure AD

Introduction

VMware Workspace ONE UEM integrates with Microsoft Azure Active Directory (AD), providing a robust selection of onboarding workflows that apply to a wide range of Windows 10 use cases. However, Azure licensing requirements stipulate that you must purchase an additional Azure AD Premium license to complete this integration.

Enterprises that are leveraging Azure AD typically use one of the following onboarding options:

Note: The Azure AD Premium license supports onboarding capabilities. If you want only Windows Store for Business (Business Store Portal) integration, this step is not required. See Business Store Portal Integration for Automated Delivery in Planning Your Windows 10 Deployment: VMware Workspace ONE UEM Operational Tutorial.

Prerequisites

Microsoft Azure is generally used for new devices, and co-management for existing SCCM-managed devices. Most organizations maintain both for new and existing devices.

Before you can perform the procedures in this tutorial, verify that your system meets the following prerequisites:

  • Workspace ONE UEM 1810 or later
  • Workspace ONE UEM Admin Account
  • Microsoft Azure AD Premium license
  • Microsoft Azure AD Admin Account to add the AirWatch by VMware app

Note: The Azure AD Premium license supports onboarding capabilities. If you want only Windows Store for Business (Business Store Portal) integration, this step is not required. See Business Store Portal Integration for Automated Delivery in Planning Your Windows 10 Deployment: VMware Workspace ONE UEM Operational Tutorial.

Configuring Enrollment

This exercise walks you through the procedures for configuring enrollment for both SaaS and On-Premises applications.  Screenshots are from the Microsoft Azure tenant available at the time this document was written.

1. Log in to the Workspace ONE UEM Console

  1. In the Workspace ONE UEM Console login window, enter your user name and password.
  2. At the bottom of the window, click Log In.

4. Enable Azure AD

  1. Scroll down to the Advanced options.
  2. Click Use Azure AD For Identity Services.

5. Copy URLs

  1. In the organization group configured to enroll Windows 10 devices, copy the following:
    • MDM Enrollment URL
    • Terms of Use URL
  2. Save the URLs to a text file.

6. Navigate to Azure Active Directory

  1. Log in to the Microsoft Azure tenant, and in the navigation bar on the left, click Azure Active Directory.
  2. Click Mobility (MDM and MAM).
  3. Click Add application.
    Note: Make sure that you do not assign the same users to both Workspace ONE and other third-party MDM providers.

8. Assign the SaaS App MDM

  1. Assign the proper MDM user scope. You can select All or Some and choose a group of users.
  2. Complete the following:
    • Paste your MDM Terms of Use URL from the Workspace ONE console into the MDM terms of use URL field in Azure.
    • Paste your MDM Enrollment URL from the Workspace ONE console into the MDM discovery URL field in Azure.
  3. Click Save.

9. Add an On-Premises Application

  • Click Add application.

Note: Generally, you need to add the on-premises app only if you have a custom host name. This means you have a dedicated SaaS or on-premises. However, adding the app causes no harm to your setup. It also enables you to avoid the need to troubleshoot Azure enrollment errors when enrolling devices.

10. Select the On-Premises Application

  1. Select the On-premises MDM application.
  2. Click Add.

11. Assign the On-Premises App MDM

  1. Assign the proper MDM user scope. You can select All or Some and choose a group of users.
  2. Complete the following:
    • Paste your MDM Terms of Use URL from the Workspace ONE console into the MDM terms of use URL field in Azure.
    • Paste your MDM Enrollment URL from the Workspace ONE console into the MDM discovery URL field in Azure.
  3. Click On-premises MDM application settings.
  4. Under Settings, click Properties.
  5. Enter your Device Services URL (hostname of the other URLs) into the App ID URI field.
  6. Complete the following:
    • Under Properties, click Save.
    • Under Configure, click Save.

12. Navigate to Licenses

  1. Click Azure Active Directory.
  2. Click Licenses.

13. Select Premium Licenses

  1. Click All Products.
  2. Select the proper license (onboarding requires Azure AD Premium P1 or above or any bundle which includes this license).

14. Assign Premium Licenses

  1. Click Assign.
  2. Choose the users or groups to add, and click Save.

15. Copy Tenant Data

To find the Tenant ID (Directory ID),

  1. Click Properties.
  2. To the right of Directory ID, click the copy icon and copy to a text file for later.

16. Copy Domain Name

  1. Click Custom domain names.
  2. Copy the Name which is listed as the primary domain and paste into a text file for later.

17. Paste the Tenant Data

  1. Return to the Workspace ONE UEM Console.
    • Paste the copied tenant ID into the Tenant Identifier field.
    • Paste the copied name into the Tenant Name field.
  2. Click Save.

Enrolling using Out-of-Box-Experience

This enrollment option is used primarily for new company-owned devices that are not domain joined, and is triggered the first time an end user powers on a device. The user joins the device to the Azure cloud domain as part of the initial setup process. This workflow does not require end users to have admin privileges.

Note: If you are leveraging Microsoft Windows Autopilot, end-user configuration is simplified and streamlined, but requires having the original equipment manufacturer (OEM) of your device preregister these devices with Microsoft.

When end users power on a device for the first time, they respond to the following device prompts:

  1. Enter corporate credentials.
  2. Set up multi-factor authentication.

    Note: In most cases, end users are prompted to provide a phone number for a call or text. However, Windows Hello for Business provides more advanced options, such as facial recognition, retinal scanning, or creating a unique PIN.

Devices then join the Azure cloud domain, and register with VMware Workspace ONE UEM for management.

Enrolling with Autopilot

You can use Windows Autopilot to simplify device enrollment, as well as to set up and pre-configure new devices for productive use, or to reset, repurpose, or recover devices. You can avoid the need to build, maintain, and apply custom operating system images to the devices.

With every Autopilot deployment, devices do the following by default (you can create deployment profiles to customize additional options):

  • Skip Cortana, OneDrive, and OEM registration setup pages
  • Automatically set up for work or school
  • Sign in experience with company or school brand

For more information about creating deployment profiles and Autopilot requirements, see Manage Windows device deployment with Windows Autopilot Deployment.

Enrolling using Azure AD Join

This enrollment option is triggered from the device settings. Also referred to as cloud-domain join, this workflow is typically used for existing company-owned devices that are not already joined to an on-premises domain. End users must have admin privileges and use their corporate credentials to join the device to the Azure cloud domain.

  1. From System Settings, users complete the following tasks:
    1. Enter corporate credentials.
    2. First-time Azure account users are prompted to provide a phone number for account recovery.
    3. Register for Windows Hello for Business by creating a unique PIN.
      Note: Configure a Passport for Work profile to specify this PIN’s complexity.
  2. Devices join the Azure cloud domain, and register with Workspace ONE UEM for management.

Enrolling using Azure Connect

This enrollment option is primarily used for existing company-owned devices that are not domain joined, and is triggered when end users open a Microsoft Office app for the first time. End users must have admin privileges, and connect their Azure accounts to the device. Use this workflow if you already have Azure AD Premium licenses and do not want to join the device to the Azure cloud domain.

  1. End users open a Universal Windows Platform version of any Office 365 app, which connects their Azure account to the device.
  2. Enrollment begins.

Summary and Additional Resources

Conclusion

This tutorial introduces you to the device enrollment functionality of Workspace ONE UEM, and explains how to use this functionality to enroll Windows 10 devices. A set of exercises describe the process of configuring the Microsoft Azure onboarding method, including the procedures for configuring enrollment for both SaaS and On-Premises applications, and how to select the best enrollment option to meet your business needs. The end result is your ability to manage the Windows 10 device enrollment through the Azure AD.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

Term Description
adaptive access The ability to control access and authentication methods to sensitive apps based on a device’s managed status.
additive Includes only changes developed after the latest version of the application or the last additive patch.
app dependencies Applications required by the environment and devices to run the Win32 application.
app patches Files that apply additive or cumulative fixes, updates, or new features to applications.
app transforms Files that control application installation and can add or prevent components, configurations, and processes during the process.
app uninstall process Scripts that instruct the system to uninstall an application under specific circumstances.
application store A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
BitLocker Full disk encryption available for Windows, focused on addressing data leakage or data theft scenarios from stolen, lost, or incorrectly decommissioned devices.
bring your own device (BYOD) The process of providing secure access to corporate data, apps, and content on an employee-owned device without invading employee privacy to their personal data, apps, or content.
business mobility The concept of being able to provide secure access to your business services, infrastructure, and content to enable your workforce to work remotely.
catalog A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud Asset of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
conditional access To provision access to a resource or service, based on user entitlements or roles.
container The separation of corporate and personal data on employee-owned devices, allowing IT administrators to manage corporate applications and profiles without invading employee privacy or personal apps and content.
cumulative Includes the entire application, including any changes since the latest version of the application, or the last patches.
data leakage protection Software-controlled policies that determine how and where data can be transferred or shared to.
device enrollment The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
Device Health Attestation Module that gathers device health measurements and reports these measurements to the Health Attestation Service for evaluation.
enrollment The process of allowing your device to be managed by the software-defined policies of the chosen enterprise mobility management provider.
enterprise mobility management The concept of using software and policies to both secure and provide access controls for mobile devices.
files and actions The combination of the files delivered to a device and the actions that file performs on the device. Files and actions cannot be assigned directly to a device. Instead, assign files and actions to a product, which then provisions to devices.
Health Attestation Services Cloud service that evaluates health measurements from the device to determine the health state.
identity-as-a-service Identity and access management services through the cloud to provide SSO identity federation and user-access provisioning.
identity provider (IdP) A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile application management The concept of managing access, deployment, and restrictions of mobile applications using software and services.
mobile device management
(MDM) agent
The concept of managing mobile devices using software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
multi-factor authentication Access control process that requires users to authenticate using more than one method of authentication by providing something the user knows (a password) and something the user has, such as a hardware token, smartcard, or phone, or something the user is, such as a fingerprint or retina.
one-touch login A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
per-app VPN Policies that allow individual apps to access VPN configurations without granting device-wide access to the VPN connection.
public app stores Portals where users can access and obtain publically published applications, such as the iOS App Store and Google Play Store.
service provider (SP) A host that offers resources, tools, and applications to users and devices.
smart groups Groups that control which devices get which product, based on how the group is created.
step-up authentication Restricting applications or services to require a stronger authentication method, depending on the sensitivity or severity of the resource.
unified endpoint management A single platform that allows organizations to manage and secure every endpoint, any app, and content across deployment use cases.
virtual desktop The user interface of a virtual machine that is made available to an end user.
virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.
Windows Information Protection Formerly Enterprise Data Protection (EDP), a Windows solution to assist in preventing data leakage without impeding the user experience.

Additional Resources

Searching for More Information

When looking for more VMware documentation, you can focus the search using the Advanced Search option.

  1. In the VMware Workspace ONE Documentation window, select the gear icon to start an advanced search.
  2. Enter words or phrases to start the search.
    Example: To search for an article that you think is called Compliance Profile Overview, you might include just the key words, in case the article now has a different name.
  3. Narrow the results by selecting specific criteria.
    Example: The search is limited to the specific product and version.
  4. Click Advanced Search.
  5. In the resulting hit list, you can select a hit. Or you can either apply Sort By filters, or narrow the results further by clicking Advanced Search.

About the Authors

This tutorial written by Josué Negrón, Sr. Solutions Architect, End-User-Computing Technical Marketing, VMware, and Hannah Jernigan, Technical Writer, End-User-Computing Technical Marketing, VMware, with appreciation and acknowledgment for considerable contributions from the following subject matter experts:

  • Varun Murthy, Product Line Manager, VMware
  • Nigitha Alugubelli, Sr. Product Manager, VMware
  • Jason Roszak, Director Product Management, VMware
  • Darren Weatherly, Specialist Systems Engineer, VMware
  • Robert Terakedis, Sr. Technical Marketing Manager, EUC Technical Marketing, VMware
  • Aditya Kunduri, Sr. Product Marketing Manager, EUC Mobile Marketing, VMware
  • Ajay Padmakumar, VMware alumni
  • Pedro Bravo, VMware alumni

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.