Enrolling Windows 10 Devices Using Azure AD: VMware Workspace ONE UEM Operational Tutorial

VMware Workspace ONE UEM 1810

Overview

Introduction

This Enrolling Windows 10 Devices Using Azure AD: VMware Workspace ONE UEM Operational Tutorial provides you with practical information and exercises to help you set up device enrollment in your Workspace ONE UEM management solution in conjunction with Microsoft Azure Active Directory, and to address the unique circumstances of your use cases.

Purpose

This operational tutorial provides you with discussions and exercises to help with your existing VMware Workspace ONE® production environment. VMware provides operational tutorials to help you with

  • Common procedures or best practices
  • Complex manual procedures
  • Troubleshooting

Note: Before you begin any operational tutorial, you must first deploy a production environment. For information about deployment, see the VMware Workspace ONE Documentation.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM (unified endpoint management), powered by VMware AirWatch, is also helpful.

Enrolling Windows 10 Using Microsoft Azure AD

Introduction

VMware Workspace ONE UEM integrates with Microsoft Azure Active Directory (AD), providing a robust selection of onboarding workflows that apply to a wide range of Windows 10 use cases. However, Azure licensing requirements stipulate that you must purchase an additional Azure AD Premium license to complete this integration.

Enterprises that are leveraging Azure AD typically use one of the following onboarding options:

Prerequisites

Azure AD-based onboarding is generally used for new devices, and co-management for existing SCCM-managed devices. Most organizations maintain both, to cover new and existing devices.

Before you can perform the procedures in this tutorial, verify that your system meets the following prerequisites:

  • Workspace ONE UEM 1810 or later
  • Workspace ONE UEM Admin Account
  • Microsoft Azure AD Premium license
  • Microsoft Azure AD Admin Account to add the AirWatch by VMware app

Note: The Azure AD Premium license supports onboarding capabilities. If you want only Windows Store for Business (Business Store Portal) integration, this step is not required. See Business Store Portal Integration for Automated Delivery in Planning Your Windows 10 Deployment: VMware Workspace ONE UEM Operational Tutorial.

Planning Your Implementation

Azure AD supports many configurations, including managed (password hash sync or Pass-through Authentication) or federated (using an identity provider that supports both the WS-Trust and WS-Fed protocols). To simplify these options, this tutorial focuses on how you add your users into Azure AD. If you create users directly in Azure AD, we call this pure Azure AD. If you create users in on-premises AD or another third-party user source and sync them, we call this hybrid Azure AD. Because users are synced into Azure AD in the hybrid model, each user obtains an Immutable ID attribute. This Immutable ID attribute is required in later steps.

Azure AD Onboarding Workflow

Figure: Pure Azure AD Model

Figure: Hybrid Azure AD Model using Azure AD Connect

  1. The administrator configures the integration between Azure AD and Workspace ONE UEM.
  2. End users begin one of the Azure AD-based onboarding flows. Based on the user's email address/UPN, Azure AD determines the authentication endpoint (managed or federated) and redirects the user to authenticate and provide MFA, if configured.
  3. After the user is successfully authenticated, Azure AD sends the JWT token along with the Terms of Use and Enrollment URLs to the device.
  4. The device redirects to Workspace ONE UEM, and enrollment restrictions are checked if enabled. Workspace ONE UEM parses the JWT token to obtain the Azure AD directory ID (TID), Object ID (OID), and the UPN for the user. Workspace ONE UEM uses these attributes to query Azure AD for the user's attributes, including the Immutable ID if present.
  5. If there is no Immutable ID, the pure Azure AD model applies and the user is created in Workspace ONE UEM using the attributes obtained from Azure AD. If there is an Immutable ID, Workspace ONE UEM attempts to match this attribute with the Immutable ID Mapping Attribute configured in the Workspace ONE UEM Console.
  6. After a successful match, Workspace ONE UEM presents any optional enrollment prompts or terms of use, if configured.
  7. Azure AD sends an access token to the device, which forwards it to Workspace ONE UEM. Workspace ONE UEM parses the token and saves the device into the database, keeping track of the Azure AD Device ID.
  8. Lastly, Workspace ONE UEM evaluates any additional configured enrollment restrictions. If a restriction is triggered, the device is wiped; if not, the device has successfully joined Azure AD and enrolled into Workspace ONE UEM.

Integrating Azure AD with Workspace ONE UEM

This exercise walks you through the procedures for configuring enrollment for both SaaS and On-Premises applications. Screenshots are from the Microsoft Azure tenant available at the time this document was written.

1. Log in to the Workspace ONE UEM Console

  1. In the Workspace ONE UEM Console login window, enter your user name and password.
  2. At the bottom of the window, click Log In.

4. Enable Azure AD

  1. Scroll down to the Advanced options.
  2. Click Use Azure AD For Identity Services.

5. Copy URLs

  1. In the organization group configured to enroll Windows 10 devices, copy the following:
    • MDM Enrollment URL
    • Terms of Use URL
  2. Save the URLs to a text file.

6. Navigate to Azure Active Directory

  1. Log in to the Microsoft Azure tenant, and in the navigation bar on the left, click Azure Active Directory.
  2. Click Mobility (MDM and MAM).
  3. Click Add application.
    Note: Make sure that you do not assign the same users to both Workspace ONE and other third-party MDM providers.

8. Assign the SaaS App MDM

  1. Assign the proper MDM user scope. You can select All or Some and choose a group of users.
  2. Complete the following:
    • Paste your MDM Terms of Use URL from the Workspace ONE console into the MDM terms of use URL field in Azure.
    • Paste your MDM Enrollment URL from the Workspace ONE console into the MDM discovery URL field in Azure.
  3. Click Save.

9. Add an On-Premises Application

Click Add application.

Note: Generally, you need to add the on-premises app only if you have a custom host name, which means you have a dedicated SaaS or on-premises environment. However, adding the app causes no harm to your setup, and it helps you avoid troubleshooting Azure enrollment errors when enrolling devices.

10. Select the On-Premises Application

  1. Select the On-premises MDM application.
  2. Click Add.

Click the On-premises MDM application that you just added to begin configuration.

11. Assign the On-Premises App MDM

  1. Assign the proper MDM user scope. You can select All or Some and choose a group of users.
  2. Complete the following:
    • Paste your MDM Terms of Use URL from the Workspace ONE console into the MDM terms of use URL field in Azure.
    • Paste your MDM Enrollment URL from the Workspace ONE console into the MDM discovery URL field in Azure.
  3. Click On-premises MDM application settings.
  4. Under Settings, click Properties.
  5. Enter your Device Services URL (the host name used in the other URLs) into the App ID URI field.
  6. Complete the following:
    • Under Properties, click Save.
    • Under Configure, click Save.
  7. Click Required Permissions.
  8. Click Windows Azure Active Directory.
  9. Enable the following permissions under Application Permissions:
    • Select Read and write devices.
    • Select Read and write directory data.
  10. Enable the following permissions under Delegated Permissions:
    • Select Sign in and read user profile.
    • Select Read directory data.
    • Select Access the directory as the signed-in user.
  11. Click Save.

12. Navigate to Licenses

  1. Click Azure Active Directory.
  2. Click Licenses.

13. Select Premium Licenses

  1. Click All Products.
  2. Select the proper license (onboarding requires Azure AD Premium P1 or later, or any bundle which includes this license).

14. Assign Premium Licenses

  1. Click Assign.
  2. Choose the users or groups to add, and click Save.

15. Copy Directory Data

To find the Directory ID,

  1. Click Properties.
  2. To the right of Directory ID, click the copy icon and copy to a text file for later.

16. Copy Domain Name

  1. Click Custom domain names.
  2. Copy the Name which is listed as the primary domain and paste into a text file for later.

17. Paste the Tenant Data

Return to the Workspace ONE UEM Console.

  1. Paste the copied directory ID into the Directory ID text box.
  2. Paste the copied domain name into the Tenant Name text box.
  3. Update the Immutable ID Mapping Attribute if needed.
    • Specify the AD attribute Source Anchor in Azure AD Connect. The Source Anchor is mapped to the Immutable ID in Azure AD. Workspace ONE UEM uses this to assign devices to AD users during enrollment through Azure AD.
  4. Click Save.

Note: By default, objectGUID is used for the Immutable ID Mapping Attribute. However, in some cases this value differs, for example if the sourceAnchor attribute was changed when setting up Azure AD Connect or if you are using a third-party user source. You must match the sourceAnchor attribute being sent to Azure AD with the Immutable ID Mapping Attribute in the Workspace ONE UEM Console. The most common attribute used after the default objectGUID is mS-DS-ConsistencyGuid. For more details about sourceAnchor attributes, see Azure AD Connect: Design Concepts.
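As an added example (not code from the tutorial), this PowerShell snippet derives the Azure AD Immutable ID from the on-premises sourceAnchor bytes the way Azure AD Connect does (Base64 of the 16 GUID bytes), then checks which on-premises attribute the console's Immutable ID Mapping Attribute must name for the match in step 5 of the onboarding workflow to succeed. The GUIDs are constructed and no directory is queried.

```powershell
# Added example, not code from the tutorial. Sample GUIDs below are constructed.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)] [guid] $SourceAnchor)
    # Azure AD Connect base64-encodes the 16 raw bytes of the sourceAnchor attribute
    # (objectGUID, or mS-DS-ConsistencyGuid holding a GUID) to produce ImmutableId.
    [Convert]::ToBase64String($SourceAnchor.ToByteArray())
}

function Test-ImmutableIdMapping {
    param(
        [string]    $AzureAdImmutableId,       # ImmutableId read from the Azure AD user object
        [hashtable] $OnPremAttributes,         # attribute name -> [guid] value from on-premises AD
        [string]    $ConsoleMappingAttribute   # Immutable ID Mapping Attribute set in the UEM console
    )
    # Workflow step 5: no Immutable ID means a pure Azure AD user, so there is nothing to map.
    if ([string]::IsNullOrEmpty($AzureAdImmutableId)) {
        return [pscustomobject]@{ Model = 'PureAzureAD'; Match = $true; SourceAttribute = $null }
    }
    # Find which on-premises attribute actually produced the ImmutableId that Azure AD holds.
    $source = foreach ($name in $OnPremAttributes.Keys) {
        if ((ConvertTo-ImmutableId $OnPremAttributes[$name]) -eq $AzureAdImmutableId) { $name }
    }
    $source = @($source)   # normalise to an array; empty when nothing matched
    $match  = $source -contains $ConsoleMappingAttribute
    if (-not $match -and $source.Count -gt 0) {
        Write-Warning "ImmutableId comes from '$($source[0])' but the console maps '$ConsoleMappingAttribute'; set the Immutable ID Mapping Attribute to '$($source[0])'."
    }
    [pscustomobject]@{ Model = 'HybridAzureAD'; Match = $match; SourceAttribute = $source[0] }
}

# Constructed sample: Azure AD Connect was set up with sourceAnchor = mS-DS-ConsistencyGuid
# (its value differs from objectGUID, as after a cross-forest migration), while the
# UEM console still uses the default objectGUID. The check reports the mismatch.
$objectGuid      = [guid]'11111111-2222-3333-4444-555555555555'
$consistencyGuid = [guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'
$aadImmutableId  = ConvertTo-ImmutableId $consistencyGuid   # what Azure AD Connect wrote to Azure AD

Test-ImmutableIdMapping -AzureAdImmutableId $aadImmutableId `
    -OnPremAttributes @{ objectGUID = $objectGuid; 'mS-DS-ConsistencyGuid' = $consistencyGuid } `
    -ConsoleMappingAttribute 'objectGUID'
```

On a real tenant, feed the function the objectGUID and mS-DS-ConsistencyGuid values of one synced user and that user's ImmutableId from Azure AD; a result with Match set to false and a non-empty SourceAttribute is the exact misconfiguration the note above describes.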

Leveraging the Workspace ONE First-time Launch Experience for Windows 10

Enhance the end user experience while onboarding into Workspace ONE UEM by enabling and customizing the Workspace ONE first-time launch experience. Workspace ONE first-time launch works with any onboarding method if the Workspace ONE app is installed before or during enrollment, including using the DOWNLOADWSBUNDLE=True command line parameter. Shortly after enrollment completes, the Workspace ONE app automatically launches and displays a fully customizable welcome message to end users. For more information, see Enabling the Out of Box Experience for Workspace ONE on Windows 10 Devices in VMware Workspace ONE documentation.

You must have VMware Identity Manager integrated with Workspace ONE UEM and must also enable and assign the External Access Token as an Authentication Method in the VMware Identity Manager console.

Enrolling using Out-of-Box-Experience

This enrollment option is used primarily for new company-owned devices that are not domain joined, and is triggered the first time an end user powers on a device. The user joins the device to the Azure cloud domain as part of the initial setup process. This workflow does not require end users to have admin privileges.

Note: If you are leveraging Microsoft Windows Autopilot, end-user configuration is simplified and streamlined, but requires having the original equipment manufacturer (OEM) of your device preregister these devices with Microsoft.

When end users power on a device for the first time, they respond to the following device prompts:

  1. Enter corporate credentials.
  2. Set up multi-factor authentication.

    Note: In most cases, end users are prompted to provide a phone number for a call or text. However, Windows Hello for Business provides more advanced options, such as facial recognition, retinal scanning, or creating a unique PIN.

Devices then join the Azure cloud domain, and register with VMware Workspace ONE UEM for management.

Enrolling with Autopilot

You can use Windows Autopilot to simplify device enrollment, and to set up and pre-configure new devices for productive use, or to reset, repurpose, or recover devices. You can avoid the need to build, maintain, and apply custom operating system images to the devices.

With every Autopilot deployment, devices do the following by default (you can create deployment profiles to customize additional options):

  • Skip Cortana, OneDrive, and OEM registration setup pages
  • Automatically set up for work or school
  • Sign in experience with company or school brand

Enrolling using Azure AD Join

This enrollment option is triggered from the device settings. Also referred to as cloud-domain join, this workflow is typically used for existing company-owned devices that are not already joined to an on-premises domain. End users must have admin privileges and use their corporate credentials to join the device to the Azure cloud domain.

  1. From System Settings, users complete the following tasks:
    1. Enter corporate credentials.
    2. First-time Azure account users are prompted to provide a phone number for account recovery.
    3. Register for Windows Hello for Business by creating a unique PIN.
      Note: Configure a Passport for Work profile to specify this PIN’s complexity.
  2. Devices join the Azure cloud domain, and register with Workspace ONE UEM for management.

Enrolling Using On-Premises Active Directory Domain

This enrollment option allows domain-joined devices to automatically register with Azure AD and then automatically enroll into Workspace ONE UEM. It works with hybrid Azure AD, meaning your on-premises AD is connected to your Azure AD environment using Azure AD Connect. After your devices are Azure AD registered, they can auto-enroll into Workspace ONE UEM.

If your devices are not already Azure AD registered, you can control which devices automatically register with Azure AD by setting the Register domain-join computers as devices GPO. Be sure to properly scope your new GPO.

Note: To check if the device is Azure AD registered, run dsregcmd /status from the command line locally on the device.

After your on-premises domain-joined devices are Azure AD registered, you can leverage the Auto MDM Enrollment with AAD Token GPO to have the device attempt to obtain an AAD token and enroll into Workspace ONE UEM. This GPO is supported only on Windows 10 version 1709 or later. Be sure to properly scope your new GPO.
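As an added example (not the tutorial's own code), this PowerShell snippet parses dsregcmd /status output and reports whether a domain-joined device meets the conditions just described before the Auto MDM Enrollment with AAD Token GPO is scoped to it. The dsregcmd output embedded below is constructed and abbreviated; the function and field names are assumptions made for this example.

```powershell
# Added example, not code from the tutorial. The dsregcmd output below is constructed.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)] [string[]] $Lines)
    # dsregcmd /status prints "Name : Value" pairs in several sections; keep the
    # first occurrence of each key so Device State values win over later sections.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$' -and -not $state.ContainsKey($Matches[1])) {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Test-AutoEnrollmentReadiness {
    param([Parameter(Mandatory)] [hashtable] $State, [Parameter(Mandatory)] [int] $OsBuild)
    $problems = @()
    if ($State['DomainJoined'] -ne 'YES') {
        $problems += 'Not joined to the on-premises AD domain; this option is for domain-joined devices.'
    }
    if ($State['AzureAdJoined'] -ne 'YES') {
        $problems += 'Not Azure AD registered; check the scope of the "Register domain-joined computers as devices" GPO.'
    }
    if ($OsBuild -lt 16299) {
        $problems += "Build $OsBuild is older than Windows 10 1709 (build 16299), the minimum for the Auto MDM Enrollment with AAD Token GPO."
    }
    if ($State['MdmUrl']) {
        $problems += "Device already reports an MDM enrollment at $($State['MdmUrl']); verify it is the Workspace ONE UEM enrollment."
    }
    [pscustomobject]@{ Ready = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed, abbreviated dsregcmd /status output for a hybrid-joined, not-yet-enrolled device.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                  TenantId : 00000000-0000-0000-0000-000000000000
                    MdmUrl :
'@

$state = ConvertFrom-DsregcmdStatus -Lines ($sample -split "`r?`n")
# On a live device use: $state = ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status)
Test-AutoEnrollmentReadiness -State $state -OsBuild ([System.Environment]::OSVersion.Version.Build)
```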

Enrolling using Azure Connect

This enrollment option is primarily used for existing company-owned or personally owned devices that are not domain-joined, and is triggered when end users open a Microsoft Office app for the first time. End users must have admin privileges, and connect their Azure accounts to the device. Use this workflow if you already have Azure AD Premium licenses and do not want to join the device to the Azure cloud domain.

  1. End users open a Universal Windows Platform version of any Office 365 app, which connects their Azure account to the device.
  2. Enrollment begins.

Summary and Additional Resources

Conclusion

This tutorial introduces you to the device enrollment functionality of Workspace ONE UEM, and explains how to use this functionality to enroll Windows 10 devices. A set of exercises describes the process of configuring the Microsoft Azure onboarding method, including the procedures for configuring enrollment for both SaaS and On-Premises applications, and how to select the best enrollment option to meet your business needs. The end result is your ability to manage Windows 10 device enrollment through Azure AD.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

  • adaptive access: The ability to control access and authentication methods to sensitive apps based on a device's managed status.
  • additive: Includes only changes developed after the latest version of the application or the last additive patch.
  • app dependencies: Applications required by the environment and devices to run the Win32 application.
  • app patches: Files that apply additive or cumulative fixes, updates, or new features to applications.
  • app transforms: Files that control application installation and can add or prevent components, configurations, and processes during the process.
  • app uninstall process: Scripts that instruct the system to uninstall an application under specific circumstances.
  • application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
  • auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
  • BitLocker: Full disk encryption available for Windows, focused on addressing data leakage or data theft scenarios from stolen, lost, or incorrectly decommissioned devices.
  • bring your own device (BYOD): The process of providing secure access to corporate data, apps, and content on an employee-owned device without invading employee privacy to their personal data, apps, or content.
  • business mobility: The concept of being able to provide secure access to your business services, infrastructure, and content to enable your workforce to work remotely.
  • catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
  • cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
  • conditional access: To provision access to a resource or service, based on user entitlements or roles.
  • container: The separation of corporate and personal data on employee-owned devices, allowing IT administrators to manage corporate applications and profiles without invading employee privacy or personal apps and content.
  • cumulative: Includes the entire application, including any changes since the latest version of the application, or the last patches.
  • data leakage protection: Software-controlled policies that determine how and where data can be transferred or shared to.
  • device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
  • Device Health Attestation: Module that gathers device health measurements and reports these measurements to the Health Attestation Service for evaluation.
  • enrollment: The process of allowing your device to be managed by the software-defined policies of the chosen enterprise mobility management provider.
  • enterprise mobility management: The concept of using software and policies to both secure and provide access controls for mobile devices.
  • files and actions: The combination of the files delivered to a device and the actions that file performs on the device. Files and actions cannot be assigned directly to a device. Instead, assign files and actions to a product, which then provisions to devices.
  • Health Attestation Services: Cloud service that evaluates health measurements from the device to determine the health state.
  • identity-as-a-service: Identity and access management services through the cloud to provide SSO identity federation and user-access provisioning.
  • identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
  • mobile application management: The concept of managing access, deployment, and restrictions of mobile applications using software and services.
  • mobile device management (MDM) agent: The concept of managing mobile devices using software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
  • multi-factor authentication: Access control process that requires users to authenticate using more than one method of authentication by providing something the user knows (a password) and something the user has, such as a hardware token, smartcard, or phone, or something the user is, such as a fingerprint or retina.
  • one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
  • per-app VPN: Policies that allow individual apps to access VPN configurations without granting device-wide access to the VPN connection.
  • public app stores: Portals where users can access and obtain publicly published applications, such as the iOS App Store and Google Play Store.
  • service provider (SP): A host that offers resources, tools, and applications to users and devices.
  • smart groups: Groups that control which devices get which product, based on how the group is created.
  • step-up authentication: Restricting applications or services to require a stronger authentication method, depending on the sensitivity or severity of the resource.
  • unified endpoint management: A single platform that allows organizations to manage and secure every endpoint, any app, and content across deployment use cases.
  • virtual desktop: The user interface of a virtual machine that is made available to an end user.
  • virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.
  • Windows Information Protection: Formerly Enterprise Data Protection (EDP), a Windows solution to assist in preventing data leakage without impeding the user experience.

Additional Resources

Searching for More Information

When looking for more VMware documentation, you can focus the search using the Advanced Search option.

  1. In the VMware Workspace ONE Documentation window, select the gear icon to start an advanced search.
  2. Enter words or phrases to start the search.
    Example: To search for an article that you think is called Compliance Profile Overview, you might include just the key words, in case the article now has a different name.
  3. Narrow the results by selecting specific criteria.
    Example: The search is limited to the specific product and version.
  4. Click Advanced Search.
  5. In the resulting hit list, select a hit, apply Sort By filters, or narrow the results further by clicking Advanced Search.

About the Authors

This tutorial was written by Josué Negrón, Sr. Solutions Architect, End-User-Computing Technical Marketing, VMware, and Hannah Jernigan, Technical Writer, End-User-Computing Technical Marketing, VMware, with appreciation and acknowledgment for considerable contributions from the following subject matter experts:

  • Varun Murthy, Product Line Manager, VMware
  • Nigitha Alugubelli, Sr. Product Manager, VMware
  • Jason Roszak, Director Product Management, VMware
  • Darren Weatherly, Specialist Systems Engineer, VMware
  • Robert Terakedis, Sr. Technical Marketing Manager, EUC Technical Marketing, VMware
  • Aditya Kunduri, Sr. Product Marketing Manager, EUC Mobile Marketing, VMware
  • Ajay Padmakumar, VMware alumni
  • Pedro Bravo, VMware alumni

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.