Solution

  • Workspace ONE

Type

  • Document

Level

  • Advanced

Category

  • Operational Tutorial

Product

  • AirLift
  • Workspace ONE UEM

OS/Platform

  • Windows 10

Phase

  • Design

Use-Case

  • Modern Management

Modernizing Windows 10 Management: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 1903 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. 

This tutorial consists of a series of exercises that walk through transforming (replacing) Microsoft Endpoint Configuration Manager (ConfigMgr) to VMware Workspace ONE® UEM (Unified Endpoint Management).

Audience

This operational tutorial is for PC life cycle management (PCLM) administrators and Workspace ONE IT administrators. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Workspace ONE® Access (formerly VMware Identity Manager) and VMware Workspace ONE® UEM and Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager or SCCM) is useful.

Understanding MDM Co-management VS Coexistence

As you navigate through this tutorial, it is essential to understand the difference between co-management and coexistence, when it comes to the authoritative MDM solution to manage devices.

Co-management

Co-management is when a device is managed by Configuration Manager AND Intune.

Coexistence

Coexistence is a term frequently used in this tutorial. Coexistence is when a device is managed by ConfigMgr and then enrolled in an MDM Service that is not owned by Microsoft.

When devices are under coexistence, ConfigMgr functionality such as application distribution, compliance rules, software updates, and many other workloads may not work.

Architecture and Installation

Introduction

In this exercise, set up VMware Workspace ONE® AirLiftTM, a tool that simplifies the transition from traditional PC Lifecycle Management to modern management with Workspace ONE UEM.

Workspace ONE AirLift communicates with Microsoft Active Directory for group policy rationalization and migration to Modern Management. AirLift can also interact with Microsoft Endpoint Configuration Manager (ConfigMgr) for application rationalization and migration to Workspace ONE UEM.

Workspace ONE AirLift provides the following features and functionality:

  • Monitors enrollment progress and modern management activity
  • Syncs ConfigMgr and Workspace ONE UEM
  • Enables mapping between ConfigMgr device collections and Workspace ONE UEM smart groups
  • Facilitates application rationalization and migration from ConfigMgr to Workspace ONE
  • Facilitates Windows 10 Group Policy rationalization and migration from Active Directory to Workspace ONE UEM
  • Creates ConfigMgr deployments to enable Workspace ONE device enrollment
  • Provides detailed logs

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements.

Workspace ONE AirLift Requirements

Workspace ONE AirLift must communicate with different services depending on the features you plan to use.

  • To use collection mapping, app export, and enrollment, you must configure Workspace ONE AirLift to communicate with ConfigMgr.
  • To use policy mapping, you must configure Workspace ONE AirLift to communicate with your Active Directory.

In this tutorial, we connect to both ConfigMgr and Active Directory.

Tip: Complete the Workspace ONE AirLift Environmental Details Cheat Sheet.

 Completing this spreadsheet helps to keep track of details required to configure Workspace ONE AirLift after installation.

Hardware Requirements

VM or Physical Server

  • 2 CPU Core (2.0+ GHz).
  • 4 GB RAM or more.
  • 1 GB disk space for the Workspace ONE AirLift application, operating system, and .NET Core run time. Consider having 5 GB of disk space.

Software Requirements

Browser

  • Workspace ONE AirLift supports the most recent versions of Chrome, Firefox, and Edge. Internet Explorer is NOT supported.

Operating System

  • Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, or Windows 10.

Remote Server Administration Tools

  • This requirement applies if you plan on using Group Policy mapping.
  • You must install Remote Server Administration Tools (RSAT) on the Workspace ONE AirLift server.

Network Requirements

Domains

  • Microsoft Endpoint Center Configuration Manager (ConfigMgr) and Workspace ONE AirLift must be on the same domain.

Workspace ONE AirLift to SCCM communication 

  • You must allow Workspace ONE AirLift the following access to the ConfigMgr server:
    • WinRM port (typically 5985).
    • Port 443 or the specified TLS port if Secure Connection is enabled.

Workspace ONE AirLift to Workspace ONE UEM console

  • Access to the Console/API server using Port 443.

Workspace ONE AirLift to Active Directory

  • This requirement applies if you plan to use policy mapping.
  • You must allow Workspace ONE AirLift access to the SYSVOL directory. The directory must contain the PolicyDefinitions folder. To map third-party ADMX settings, you must include those ADMX files in the PolicyDefinitions folder.

Workspace ONE UEM Requirements

  • Workspace ONE UEM 1903 and later.
  • Admin Account
    • Admin account with API-level permissions.
    • For on-premises customers, the admin account cannot be a Global-level admin. Only use an admin account located at the Customer organization group type.
    • Directory Services configured.
    • VMware Enterprise Systems Connector that can reach the AirWatch Cloud Messaging (AWCM) server
    • (If SAML enabled) Staging Organization Group and account with standard single-user devices enabled.

ConfigMgr Requirements

  • Microsoft Endpoint Configuration Manager 2012 R2 or later.
  • Admin Account
    • Workspace ONE AirLift requires an admin account with a minimum level of permissions. You must create an admin account with the following permissions in ConfigMgr:
      • Application - Read
      • Collection - Read, Read Resource
      • Distribution Point - Read
      • Distribution Point Group - Read
      • Package - Read
    • To enroll devices - Collection - Distribute Applications
    • To create an enrollment app - Application - Create, Modify
    • To manage distribution - Distribution - Copy to Distribution Point
  • Content-Location
    • Workspace ONE AirLift requires an admin account with 'read' access to the ConfigMgr content location. If you plan to create a Workspace ONE enrollment application, Workspace ONE AirLift requires write access to the content location.

Active Directory Requirements

  • Read permissions for group policy processing and policy definitions location.

Workspace ONE AirLift Architecture

Workspace ONE AirLift can be configured to connect to Active Directory or ConfigMgr, or both.

We recommended installing Workspace ONE AirLift on a small dedicated VM with functional ConfigMgr connectivity for application migrations. The Workspace ONE AirLift installer downloads and installs SQL Express and MongoDB and creates two services that run under ‘Network Service’ on the machine. Workspace ONE AirLift uses Windows Remote Management (WinRM) and Configuration Manager Cmdlets for connectivity to ConfigMgr and Windows Remote Server Administration Tools (RSAT) for Policy Analysis and Migration.

Requirements: Workspace ONE AirLift Environmental Details Cheat Sheet

The exercises in this operational tutorial require the entry of several environmental details. To simplify configuration, and minimize the potential for error, complete the Workspace ONE AirLift Environmental Details Cheat Sheet.

Note: The examples in the worksheet are the values used in this operational tutorial and are based on a test environment. Your environment details will differ.

For more details, see Workspace ONE AirLift Requirements in VMware Docs.

Workspace ONE AirLift Environmental Details Cheat Sheet Download

Click the following link to download a local copy of the AirLift Environmental Details Cheat Sheet.

You can also download this cheat sheet by clicking the More button at the top of this page.

Workspace ONE AirLift Environmental Details Cheat Sheet

Workspace ONE AirLift Set Up Cheat Sheet
Connect Workspace ONE UEM (Mandatory)
Field Description Example Your Entry
WS1 API URL URL for your Workspace ONE UEM environment https://company.workspaceone.com
AirwatchAPIKey API Key copied from the Workspace ONE UEM Console i7z1BjjEE7rxxxxAIRLIFTDEMOLAY3sVA=
Username Admin username AirLiftAdmin
Password Admin password Password
Connect Microsoft Endpoint Configuration Manager 
Field Description Example Your Entry
ConfigMgr Server ConfigMgr server address sccm.company.com
ConfigMgr Site Code Three-character alphanumeric site code for the ConfigMgr environment DWT
ConfigMgr Domain Active Directory Domain integrated with ConfigMgr  company.com
ConfigMgr Username Admin username svc_sccm
ConfigMgr Password Admin password Password
Connect Active Directory
Field Description Example Your Entry
Domain Name Directory Name for Policy Integration domain.com
Workspace ONE Enrollment Details
Field Description Example Your Entry
Organization Group Workspace ONE UEM group Windows 10 device enrolls into Company
Staging User User used to stage Workspace ONE UEM enrollment staging@company.com
Staging User Password Password used for the staging user Password
Enrollment URL URL for your Workspace ONE UEM environment https://company.workspaceone.com/DeviceServices
Group ID Group ID value from the UEM console Company

The next steps will show where to find these Workspace ONE UEM details.

Gathering Requirements: Workspace ONE UEM

In this activity, retrieve the following Workspace ONE UEM details and document them in the Workspace ONE AirLift Environmental Details Cheat Sheet.

  • Workspace ONE Admin Username
  • Workspace ONE Admin Password
  • Workspace ONE API URL
  • AirwatchAPIKey
  • Organization Group ID

 

1. Create a Workspace ONE Admin Account

Create an Admin account with API-level permissions. For on-premises customers, the admin account cannot be a Global-level admin. Only use a child customer organization group admin account.

For more information, see Admin Accounts in VMware Docs.

Record these details in the Workspace ONE AirLift Environmental Details Cheat Sheet.

3. Retrieve the API Key

  1. Select System.
  2. Select Advanced.
  3. Select API.
  4. Select the REST API.
  5. Right-click the AirLift API Key.
  6. Click Copy.
  7. Record the API Key in the Workspace ONE AirLift Environmental Details Cheat Sheet.

Tip: It is recommended to generate a new API key for the AirLift admin service in your production environments.

Note: Your details will differ from the ones listed in this example.

4. Retrieve Organization Group ID

UEM Group ID

In the Workspace ONE UEM Console:

  1. Hover your mouse over the Organization Group name.
  2. Copy your Group ID value. In this example, the value is techzone. Record this value in the Workspace ONE AirLift Environmental Details Cheat Sheet.

Gathering Requirements: ConfigMgr

In this activity, gather the required ConfigMgr details.

Review ConfigMgr Admin Role

Review the ConfigMgr role formerly known as Microsoft SCCM

In the SCCM Admin Console:

  1. Click Administration.
  2. Expand Overview > Security > Administrative Users.
  3. Ensure the Admin User has the appropriate permissions. For example, to Auto-Enroll devices into Workspace ONE UEM, ensure the User has the appropriate Application permissions.

Retrieve ConfigMgr Site Code

Review ConfigMgr site code formerly known as Microsoft SCCM

In the SCCM Console:

  1. Click Administration.
  2. Expand Overview > Site Configuration > Sites.
  3. Copy your Site Code value. In this example, the value is DWT. Record this value in the Environment Details Worksheet.

Downloading the Workspace ONE AirLift Installer

In this activity, you download the Workspace ONE AirLift installer.

Note: Ensure all Prerequisites are met for the Workspace ONE AirLift server.

1. Download the Workspace ONE AirLift Installer

 Download the  Workspace ONE Tunnel Desktop Application exe Installer
  1. Navigate to https://my.workspaceone.com/ and log in with your MyVMware credentials.
  2. Navigate to Products.
  3. Click All Products.

Tip: You can also navigate directly to https://my.workspaceone.com/products.

2. Select Workspace ONE AirLift

Select Workspace ONE AirLift
  1. Scroll down to the bottom of the page.
  2. Select Workspace ONE AirLift.

3. Select Platform and Version

 Select Platform and Version
  1. Select Windows as the platform.
  2. Select the Latest version for the Workspace ONE AirLift Installer.
  3. Filter by console version.
  4. Select Install and Upgrades tab for a link to the download.
  5. Click Link to Download the Installer.

After you have Accepted the Terms of Use, the download begins immediately.

Installing Workspace ONE AirLift

In this section, you install Workspace ONE AirLift. This can be either on a Windows 10 or Windows Server Operating System.

1. Launch VMware AirLift Setup

Install Workspace ONEN AirLift and launch AirLift Setup

Click Install to begin the process.

2. Accept User Account Control Prompt

Install Workspace ONE AirLift and confirm User Account Control

Accept any User Account Control (UAC) prompts.

3. Continue the AirLift Setup Wizard

Install Workspace ONE AirLift and begin the AirLift Setup Wizard

Select Next to begin the process.

4. Accept License Agreement

Step 4 - Accept License Agreement
  1. Accept License Agreement.
  2. Select Next to begin the process.

5. Join the Customer Experience Program

 Step 5 - Join the Customer Experience Program
  1. Select the check box to Join the Customer Experience Program (Optional).
  2. Click Next.

6. Begin Installation

AirLift Step 1 -Launch AirLift Setup

Click Install and the installation progress begins.

7. Review Setup Progress

Note the different screens while the setup progresses.

AirLift - Set Up Progress 1
AirLift - Set Up Progress 2
AirLift - Set Up Progress 3
AirLift - Set Up Progress 4

8. Complete the AirLift SetUp Wizard

Complete the AirLift SetUp

Click Finish.

9. Confirm Setup Successful

 Launch AirLift

Click Launch to Open up the AirLift Web application.


Tip: You can also navigate to http://localhost:5000/start to open the AirLift Web Application.

Getting Started with Workspace ONE AirLift

Introduction

Now that you have installed Workspace ONE Airlift, you must configure the required integration settings.

Workspace ONE AirLift can be configured to migrate applications and packages from ConfigMgr, or Group Policies from Active Directory, or both.

In this section, you will complete the following:

  1. Configure Integration Settings with Workspace ONE UEM (UEM).
  2. Configure Integration Settings with Microsoft Endpoint Configuration Manager (ConfigMgr).
  3. Configure Integration Settings with Microsoft Active Directory (AD).

The following table details the integration settings, configuration options, and purpose.

Integration Setting Configuration Option
Purpose

Workspace ONE UEM

MANDATORY
API Integration for Applications and/or Group Policy Objects to be imported into Workspace ONE UEM

Microsoft Endpoint Configuration Manager (ConfigMgr)

OPTIONAL Allows ConfigMgr Application Export to Workspace ONE UEM
Allows ConfigMgr Packages Export to Workspace ONE UEM
Allows Mapping of ConfigMgr Device Collections to Workspace ONE UEM

Microsoft Active Directory (AD)

OPTIONAL
Allows Group Policy Export Workspace ONE UEM

Configuring Integration with Workspace ONE UEM

This configuration item is mandatory. These settings configure REST API integration into Workspace ONE UEM for migration of ConfigMgr Device Collections, Applications, or Group Policy Objects from Active Directory.

Enter Workspace ONE Connection Details

Note: The examples in the screenshot are values based on a test environment. Your environment details will differ.

AirLift - Connect Workspace ONE Example
  1. API URL -
    • Enter the REST API URL from your Workspace ONE tenant.
    • In the Workspace ONE UEM console, navigate to Settings > System > Advanced > Site URLs.
  2. Console Address - 
    • The Workspace ONE tenant URL.
    • In the Workspace ONE UEM console, navigate to Settings > System > Advanced > Site URLs.
    • Click No to enter a different URL.
  3. API Key - 
    • Enter the API key from your Workspace ONE tenant for a service with admin account type.
    • In the Workspace ONE UEM console, navigate to Settings > System > Advanced > API > REST API.
  4. Username - 
    • Enter the API username from your Workspace ONE tenant for a service with admin account type.
    • In the Workspace ONE UEM console, navigate to Settings > System > Advanced > API > REST API.
  5. Password  - 
    • Enter the password for the API username from your Workspace ONE tenant for a service with admin account type.
    • In the Workspace ONE UEM console, navigate to Settings > System > Advanced > API > REST API.
  6. Proxy Server (OPTIONAL)
    • HTTP web proxy server for communicating with the Workspace ONE API URL only. This does not apply to the Console URL which will use the web browser proxy server settings.

In this tutorial, you do not configure a proxy. If you need to configure a Proxy, enable the Proxy Server (step 6) and complete the options, as shown in the next exercise, Enter Proxy Server Settings.

(Optional) Enter Proxy Server Settings

AirLift - Connect Workspace ONE Proxy Settings
  1. Proxy Settings 
    • Use operating System Settings or Custom Settings.
    • For Custom, make sure you enter in the next details.
  2. Proxy Host
    • Enter the proxy server address or host name.
  3. Proxy Port
    • Enter the proxy server port number.
  4. Proxy Authentication (optional)
    • For proxy servers that require authentication, enter the required credentials.
      • Proxy User name
        • Enter the proxy server username.
      • Proxy Password 
        • Enter the proxy server password.

You have now configured the integration for Workspace ONE AirLift to communicate with Workspace ONE UEM.

Configuring Integration with Microsoft Endpoint Configuration Manager

The next step is to connect Workspace ONE AirLift to Microsoft Endpoint Configuration Manager.

This configuration enables:

  • ConfigMgr Collection Mapping to Workspace ONE UEM.
  • Simplified enrollment with Workspace ONE AirLift.
  • Streamlined application rationalization and migration.

Enter Microsoft Endpoint Configuration Manager Connection Details

Note: The examples in the screen shot are the values based on a test environment. Your environment details will differ.

 Connect to ConfigMgr or Microsoft System Center Configuration Manager

Enter the following details:

  1. SCCM Server
    • Enter the FQDN or computer name of the SCCM Server.
  2. Site Code
    • Enter the SCCM site code for the SCCM environment.
  3. Secure Connection
    • Enable secure connection if the SCCM Server is using a secured connection.
    • Note: This is an option enabled by default. Unless you have set up ConfigMgr to accept secure connections, you will de-selected this option.
  4. Domain
    • Enter the domain name of the user account that AirLift will use to interact with the SCCM environment.
  5. Username
    • Enter the username for the account that AirLift will use to interact with the SCCM environment. Read-only access is required. Additional access to create the enrollment application in SCCM is optional.
  6. Password
    • Enter the password for the account that AirLift will use to interact with the SCCM environment.

Pro Tip: Ensure the Account entered here has the appropriate permissions on Microsoft Endpoint Configuration Manager for Application distribution, primarily to enable activation of the Auto-Enroll feature.

You have now configured the integration for Workspace ONE AirLift to communicate with Microsoft Endpoint Configuration Manager.

Configuring Integration with Microsoft Active Directory

The next step is to connect Workspace ONE AirLift to Microsoft Active Directory (AD). This configuration enables Group Policy mapping and conversion to current Windows 10 policies.

Note: The examples in this section are values based on a test environment. Your environment details will differ.

Enter Active Directory Connection Details

In Workspace ONE AirLift, connect to Active Directory
  1. Enter the FQDN of the Active Directory domain without the trailing period character.
  2. Click Submit.

You have now configured the integration for Workspace ONE AirLift to communicate to Workspace ONE UEM, Microsoft Endpoint Configuration Manager, and Active Directory.

Getting Started - Plan, Perform, and Monitor

You have now successfully linked Workspace ONE with ConfigMgr and Active Directory.

The wizard guides you through three phases to getting started with Workspace ONE AirLift.

The phases are:

  1. Plan.
  2. perform.
  3. Monitor.

Plan

During the Plan phase, you will:

  1. Map Device Collections into Workspace ONE UEM.
  2. Validate Applications for Export to Workspace ONE UEM.
  3. Validate Policies for Export to Workspace ONE UEM.

Perform

During the Perform phase, you will:

  1. Export Applications to Workspace ONE UEM.
  2. Export Policies to Workspace ONE UEM.
  3. Streamline device onboarding with accelerated enrollment.

Monitor

During the Monitor phase, you will track progress with the Dashboard and explore:

  1. Activity log.
  2. Account settings.
  3. Enrollment settings.
  4. Synchronization settings.
  5. Role-based access control.
  6. How to generate a support bundle.

Plan: Migration Validation and Planning

Introduction

Now that you have installed Workspace ONE AirLift, and configured ConfigMgr and Active Directory integration, you can begin the planning phase.

For this tutorial, you have configured ConfigMgr and Active Directory integration in Workspace ONE AirLift. In your own environment, you can either integrate Active Directory only for Group Policy rationalization and migration or ConfigMgr for export of applications and device collections.

The PLANNING phase consists of three exercises:

  1. Mapping device collections into Workspace ONE UEM.
  2. Validating applications for export to Workspace ONE UEM.
  3. Validating policies for export to Workspace ONE UEM.

Mapping ConfigMgr Device Collections to Workspace ONE UEM

In this activity, you map a Device Collection in Workspace ONE AirLift to Workspace ONE UEM.

Workspace ONE AirLift connects your ConfigMgr collections to Workspace ONE UEM smart groups. This connection allows you to map devices from your existing collections into Workspace ONE UEM.

The mapping honors the dynamic nature of device collections by adding and removing devices in the mapped Workspace ONE UEM smart group.

When you map ConfigMgr collections, you can add to existing Workspace ONE UEM smart groups, or create new ones.

AirLift communicates with Microsoft Endpoint ConfigMgr using Windows Remote Management (WinRM) API Commands.

Note: Only collections and devices that match the following criteria are displayed:

  • The collections contain at least one Windows 10 device.
  • The devices have a ConfigMgr client installed.
  • The devices are not marked as obsolete.

1. Map Device Collections

In Workspace ONE AirLift, map ConfigMgr (formerly Microsoft SCCM) Device Collections

In Workspace ONE AirLift:

  1. Navigate to Collections.
  2. Select the Collection you want to map over.
  3. Click Map.

2. Select Workspace ONE Organization Group

AirLift Mapping Device Collections

Select the appropriate Workspace ONE Organization Group or leave as is.

3. Select Workspace ONE Group

AirLift Mapping Device Collections
  1. Next, select a Workspace ONE Group or create a new Workspace ONE Group.
  2. Click Save.

4. Review SCCM Collection Mapping

In Workspace ONE AirLift, review ConfigMgr (formerly SCCM) Device Collections

Now, you can see the SCCM Collection mapping to Workspace ONE UEM.

5. Confirm Mapping in Workspace ONE UEM

Click the Workspace Mapping option for the collection. This should take you to the smart groups page in Workspace ONE UEM. Select the smart group in Workspace ONE UEM.

 Confirming mapping in Workspace ONE UEM

When you create a new Smart Group with AirLift, it creates a smart group in Workspace ONE UEM with tags associated.

6. Review Workspace ONE Smart Group for Windows 10 OEM Devices

Workspace ONE UEM supports Smart Group creation for Windows 10 OEM makes and models. This means you don't have to run complex scripts to retrieve the data.

 Mapping Device OEM make and Model Collections

In this screenshot, you can see the model numbers for corresponding Dell machines.

Validating Applications for Export to Workspace ONE UEM

Before you export ConfigMgr applications to Workspace ONE UEM, it is essential to validate the applications to ensure they will operate the same way in Workspace ONE UEM as they did in ConfigMgr.

This export simplifies the process of migrating applications to Workspace ONE UEM without the need for repackaging.

Workspace ONE AirLift uses Windows Remote Management and ConfigMgr cmdlets to extract the metadata of applications.

Application export supports:

  • MSI installer files.
  • EXE files - Using the script installer deployment type.
  • Supports hybrid script/MSI payload - MST and MSP files.
  • Supports uninstall scripts and install exit codes.
  • Supports multiple deployment type and detection methods.

Note: Application Export is not:

  • An Application rationalization offering.
  • Automated packaging.

1. Review Applications Dashboard

Review applications dashboard in Workspace ONE AirLift before migrating applications
  1. The Dashboard provides a quick overview of how many applications are exportable to Workspace ONE UEM.
  2. Click Applications on the left menu to see the detailed view for the applications menu pane.

2. Review Application Validations

Under the applications menu, you can download a validations report and also choose to ignore common validation warnings or errors you may encounter.

Review application validations in Workspace ONE AirLift prior to migrating applications
  1. Note the percentage of applications exportable.
  2. Click Validations to see the validation warnings.
Review Application validations prior to migrating applications

Selecting Validations allows you to toggle some of the validation messages. You can choose to ignore common messages such as Warnings if required.

  1. Select Ignore to ignore the message
  2. Click OK.

3. Generate Validation Report

Generate validation report in Workspace ONE AirLift prior to migrating applications

Workspace ONE AirLift also allows you to export a validation report. For environments with a large amount of applications, this is very useful. You can investigate the level of effort to export applications to Workspace ONE UEM, see how many applications are not exportable, and what actions are required to ensure they can be exported.

Click Report. This downloads a CSV file containing the report.

The following screenshot is an example validation report.

Name Description Number of Devices with App
Number of Devices with Failures
Validation Message
Validation
Workspace ONE Assist


0 Validation successful.
Ok
Microsoft Teams


0 Validation successful.
Ok
Notepad Plus plus


0 Validation successful.
Ok
Office Package - NO Teams
Office ProPlus Installer  Outlook, word, powerpoint, excel. no teams, project visio

0 Application with script deployment type is missing uninstall command line. Uninstall command line must be manually configured in the Workspace ONE UEM console.
Warning
Office Package - NO Teams
Office ProPlus Installer  Outlook, word, powerpoint, excel. no teams, project visio

0 The application is exportable but the detection method will not be migrated. Deployment options must be manually configured in the Workspace ONE UEM console.
Warning
Google Chrome


1 Validation successful.
Ok
Cisco Jabber


0 Validation successful.
Ok

4. Review Validation Remediation

Validation Remediation

The Validation report and the AirLift console displays one of the following validations.

  1. Warning: Yellow warning sign - Check Workspace ONE for any required fields that may be missing.
  2. Error: Red error sign - Application cannot be exported.
  3. Success: Green tick - Ready to migrate; all fields required in Workspace ONE UEM are extracted from ConfigMgr.
 Review Validation Remediation

Hover your cursor over the application validation warning to see the recommended remediation steps. These remediation steps are also listed in the validations report.

In the example validations report, the application named Office Package - NO Teams is listed in two lines of the report. This is because there are 2 warnings for that application.

The warnings for application Office Package - NO Teams are:

  1. Application with script deployment type is missing uninstall command line. Uninstall command line must be manually configured in the Workspace ONE UEM console.
  2. The application is exportable but the detection method will not be migrated. Deployment options must be manually configured in the Workspace ONE UEM console.

Tip: Use the Validate messages to remediate or accept any changes to applications before exporting to Workspace ONE UEM.

Validating Group Policy Objects for Export to Workspace ONE UEM

In this activity, you validate group policy objects (GPOs) for export from AirLift to Workspace ONE UEM. Before you export polices to Workspace ONE UEM, it is essential to validate the compatibility to ensure that they can be modernized to MDM-based policies.

Workspace ONE AirLift simplifies the validation and conversion of traditional GPOs to MDM-based policies (CSPs).

Workspace ONE AirLift uses Windows Remote Server administrative tools and you must allow Workspace ONE AirLift access to the SYSVOL directory. The directory must contain the PolicyDefinitions folder. To map third-party ADMX settings, you must include those ADMX files in the PolicyDefinitions folder.

If there is no PolicyDefinitions folder in the SYSVOL location:

  1. Log in to your AD server.
  2. Copy the local PolicyDefinitions folder located in C:\Windows in the AD server.
  3. Paste the folder to the Active Directory SYSVOL location.
    For example: \\[company].com\SYSVOL\[company].com\Policies\PolicyDefinitions

Note: To continue, ensure that you have set up the domain configuration so Workspace ONE AirLift can communicate to the domain controller.

For more information, see Workspace ONE AirLift Policies.

1. Review Workspace ONE AirLift Policies Dashboard

Review Workspace ONE AirLift Policies Dashboard

The Policies Dashboard provides an overview of how many GPO policies Workspace ONE AirLift has validated and shows how many can be exported to MDM policies. This status reflects if the GPO policy has a corresponding MDM policy.

Policies that do not map to MDM policies take a look at Workspace ONE Baselines.

After policies have been exported, you must perform all editing, deleting, assigning, and publishing of profiles in the Workspace ONE UEM console.

2. Review Policies Menu

Under the Policies menu, you can download a validations report and also choose to hide policies that you do not want to migrate, or that are already natively configured in Workspace ONE UEM.

  1. Review the number of policies and percentage of policies exportable.
    • In the above example, 63% of policies are exportable of the 230 policies.
  2. Select the Target version of Windows 10.
AirLift Policies Migration export

If you change the target export to Windows 10 1903 or later, as shown in this example, you can see the percentage of policies exportable has changed.

  1. The target filter has been updated to Exportable to Windows 10 1903 or later.
  2. Note that 150 Policies have been evaluated and 97% exportable to MDM Policies.
    • By changing the target version of Windows 10, can significantly change the amount of policies exportable
  3. You can run the applications report, to get further details.

3. Review Policy Validation Status

Review Workspace ONE AirLift Policy Validations

The Validation column displays some of the validation statuses.

  • Success - The GPO policy maps to a valid MDM policy. You can export policy with a successful validation.
  • Error - The GPO policy does not map to a valid MDM policy. You cannot export policy with an error.
  • Warning - The GPO policy maps to a valid MDM policy but has some additional information. This information can include warning you about limited support for policies based on the OS version. You can export policy with a warning.
 Review Policy Validation Status

Hover your cursor over the application validation warning to see recommended remediation steps. These remediation steps are also listed in the validations report.

4. Hide Policies

Hiding Policies category

You can sort the polices by validation status. In this example, the filter is set to only show Exportable to Windows 10 1903 or later and the validation column is sorted.

  1. Hover your cursor over the Validation status to see the reason why this policy can not be exported.
  2. Use the category filter to understand what category the Policy falls under.
    • This example is a Firewall Configuration.
  3. Select Hide to hide to Policy from being exported.

Now, you can see 147 Policies evaluated, 99% exportable to MDM as compared to the previous 150 Policies evaluated, 97% exportable to MDM Policies.

Note: Some legacy GPO settings may have a newer MDM-based policy, but might not map configurations directly from a legacy GPO.

In this example, some Firewall GPO Settings can not be exported directly. This policy can be configured in Workspace ONE UEM for various Windows 10 versions as an MDM-based policy using Microsoft CSP.

5. Review Policy Validation Report

Workspace ONE AirLift allows you to export a validation report. For environments with a large number of GPOs, this is very useful. It can also help when investigating the level of effort required to modernize your Windows 10 policies.

AirLift Application Validations

Click Report to download a CSV file.

The Policy Validation report includes the following fields:

  • GPO Name
  • Path
  • Names
  • Values
  • SubValues
  • Scope Of Management 
  • Bound Workspace ONE Profiles
  • AirLift Legacy ID
  • Hidden
  • Minimum Windows 10 Version
  • Maximum Windows 10 Version
  • Created Time in UTC
  • Modified Time in UTC
  • Validation Message
  • Validation

To download a sample report, click the following:

You can also download this report by clicking the More button at the top of this page.

6. Organize Policies to Migrate to Workspace ONE UEM

It's not uncommon to have thousands of policies to sort through. Workspace ONE Airlift can sort through policies in many ways to gain visibility on policies that apply to Windows 10.

You can take the following steps with AirLift to help rationalize policies and decide which policies to export and which policies you want to configure natively inside Workspace ONE UEM.

  1. Select Target Version Of Windows.
    • This removes any policies that do not apply to specific Windows 10 versions, potentially increasing the percentage of policies that can be exported.
  2. Filter by the Organizational Unit for the GPO.
    • This determines which users you can migrate first. For example, the Marketing and Sales OU might have a different policy set. Or, the Sydney Users OU and Melbourne Users OU might have a separate policy set.
  3. Analyze the Validations of that policy.
    • Success - The GPO policy maps to a valid MDM policy. You can export policy with a successful validation.
    • Error - The GPO policy does not map to a valid MDM policy. You cannot export policy.
    • Warning - The GPO policy maps to a valid MDM policy but has some additional information. This information can include warning you about limited support for policies based on the OS version. You can export policy with a warning.
  4. Hide any Successful policy export that can be configured natively in the Workspace ONE UEM Console.
  5. Add any Polices using VMware Policy Builder.
  6. Verify if VMware Baselines solves any MDM vs. GPO policy gaps.
  7. The remaining policies should mainly be third-party, ADMX based policies.

Tip: Use the Validate messages to remediate or accept any changes to applications before exporting to Workspace ONE UEM.

For More information on Windows 10 Policy Management with Workspace ONE UEM, see Understanding Windows 10 Group Policies: VMware Workspace ONE Operational Tutorial.

Perform: Migrating Applications from ConfigMgr to Workspace ONE UEM

Introduction

Workspace ONE AirLift imports metadata from ConfigMgr applications and allows these applications to be exported via REST APIs to Workspace ONE UEM. AirLift dramatically simplifies the process of migrating applications to Workspace ONE without the need for repackaging and uploading multiple applications.

In this section, you migrate an application from ConfigMgr to Workspace ONE UEM. You will be guided through various examples to migrate the following application types:

  • MSI
  • EXE or ZIP
  • Apps with MST or MSP
  • ConfigMgr packages

Organization Groups

Workspace ONE UEM identifies users and establishes permissions using organization groups (OG). Although any organization method delivers content to devices, use OGs to establish an MDM hierarchy identical to your organizational hierarchy. You can also create OGs based on Workspace ONE UEM features and content or by geographic region, for example.

Prerequisites

Before you continue, ensure that you have completed the previous steps listed in this tutorial. 

At this point, you should have:

  • Installed AirLift.
  • Configured integration with ConfigMgr.
  • Remediated any application export errors.

Migrating MSI Applications - Chrome

This activity walks through migrating MSI apps using Chrome MSI as an example. You begin in the AirLift Admin Console and export the app. Then, in the Workspace ONE UEM Admin Console, you configure the application details.

1. Select the Application to Export

In the Workspace ONE AirLift Console:

  1. Select the check box next to Google Chrome.
  2. Click Export to export the application from ConfigMgr to Workspace ONE UEM.
  3. Select the Workspace ONE UEM Organization Group.

2. Export to Organization Group

After the Organization Group has been selected, click Export.

3. Review Export Progress in AirLift

The Export process begins. You can monitor the progress in the Status column.

4. Open Imported App in Workspace ONE UEM

  1. Confirm that the application Status shows as Exported.
  2. Click Google Chrome under the Workspace Application column to open the application in the Workspace ONE UEM console for further configuration options.

5. Confirm Application in Workspace ONE UEM

Migrating applications in Workspace ONE UEM console
  1. Before you Assign the application to devices and users, review the configuration settings in Workspace ONE UEM.
  2. Click the edit icon.

6. Review Application Deployment Options

  1. Select Deployment Options.
  2. Review the Install command. This should match the command in ConfigMgr.
  3. Review When To Call Install Complete.
  4. Click Save and Assign.

7. Upload Image Icon

  1. Select Images.
  2. Select Icon.
  3. Click to upload an icon. This icon will appear in the Intelligent Hub for Windows 10.
  4. Click Save and Assign.

8. Add Application Assignment

Click Add Assignment.

9. Configure Application Distribution Options

  1. Configure Application Distribution options.
  2. Click Create.

10. Configure Application Restriction Options

  1. Configure Application Restrictions options.
  2. Click Create.

11. Review Application Assignments

  1. Review the Application Assignment configuration. Add more if required.
  2. Click Save.

12. Preview Assigned Devices and Publish

  1. Review the devices that will receive the application. Devices must be enrolled. In this example, there are no devices listed because we have not yet enrolled any devices.
  2. Click Publish to start the deployment of the application.

Review Application in Workspace ONE UEM

You can review the application details and assignments in Workspace ONE UEM.

Migrating EXE or ZIP Applications - MS Office 365

In this activity, you learn how to migrate an EXE or ZIP application using MS Office 365 as an example. You begin in the Workspace ONE AirLift console and export the app. Then, you configure the application details in the Workspace ONE UEM Admin Console.

1. Select the Application to Export

In the Workspace ONE AirLift Console:

  1. Review any validation warnings or errors - This will inform you of any command lines and/or validations that must be added to Workspace ONE UEM after migration.
  2. Select the check box next to Office Package.
  3. Click Export to export the application from ConfigMgr to Workspace ONE UEM.

2. Export to Organization Group

  1. Select the Organization Group.
  2. Click Export.

3. Review Export Progress in AirLift

The Export process begins. You can monitor the progress in the Status column.

4. Open Imported App in Workspace ONE UEM

  1. Confirm that the application status is Exported.
  2. Click Office Package - No Teams under the Workspace Application column to open the application in the Workspace ONE UEM console for further configuration options.

5. Confirm Application in Workspace ONE UEM

  1. Before you Assign the application to devices and users, review the configuration settings in Workspace ONE UEM.
  2. Click the edit icon.

6. Review Application Deployment Files

  1. Select Files.
  2. Review the Application File. Because multiple files were exported, they are automatically compressed into a ZIP file.
  3. Scroll down to App Uninstall Process.
  4. Select Input for the Custom Script Type.
  5. Enter setup.exe /CONFIGURE uninstall.xml in the Uninstall Command text box. For Office Click to run, ensure that the uninstall.xml file is located within the exported ZIP files.
  6. Click Save & Assign.

7. Review Application Deployment Options

  1. Select Deployment Options.
  2. Review the Install command. The install command should match the command in ConfigMgr.
  3. Review When To Call Install Complete. 
    Note
    : If the app had a warning in AirLift, you must edit this and provide a value.
  4. Click the edit icon to add values to When to Call Install Complete.
  5. Click Save and Assign.

Tip: MSI applications will auto-populate the When to Call Install Complete field. For ZIP and EXE files, you must add a value.

8. Upload Image Icon

  1. Select Images.
  2. Select Icon.
  3. Click to upload an icon. This icon will appear in the Intelligent Hub for Windows 10.
  4. Click Save and Assign.

9. Add Application Assignment

Click Add Assignment.

10. Configure Application Distribution Options

  1. Configure Application Distribution options.
  2. Click Create.

11. Configure Application Restriction Options

  1. Configure Application Restriction options.
  2. Click Create.

12. Review Application Assignments

  1. Review the Application Assignment configuration. Add more if required.
  2. Click Save.

13. Preview Assigned Devices and Publish

  1. Review the devices that will receive the application. Devices must be enrolled. In this example, there are no devices listed because we have not enrolled any devices yet.
  2. Click Publish to start the deployment of the application.

14. Review Assignments in Workspace ONE UEM

You can review the application details and assignments in Workspace ONE UEM.

  1. Review the newly created Assignments in the Workspace ONE UEM Admin Console.
  2. Click Native to return to the application home page to see the added applications.

15. Review Applications in Workspace ONE UEM

  1. Under Applications, ensure that you have selected Native.
  2. Change the filter to Windows Desktop to see only Windows Desktop Applications if required.
  3. Review the applications exported from ConfigMgr to Workspace ONE UEM.

Migrating Applications with MST or MSP - Cisco Jabber with MST

In this activity, you export an MSI application file that needs to be installed together with a Microsoft Software Transform (MST) file. Cisco Jabber with MST is used in this example.

For more information about Microsoft Software Transform Files, see Microsoft Docs: About Transforms.

1. Select the Application to Export

In the Workspace ONE AirLift Console:

  1. Select the check box next to Cisco Jabber.
  2. Click Export to export the application from ConfigMgr to Workspace ONE UEM.

2. Export to Organization Group

Migrating Applications from Workspace ONE AirLift
  1. Select the Organization Group.
  2. Click Export.

3. Review Export Progress in AirLift

The Export process begins. You can monitor the progress in the Status column.

4. Open Imported App in Workspace ONE UEM

  1. Confirm that the application status is Exported.
  2. Click Cisco Jabber under the Workspace Application column to open the application in the Workspace ONE UEM console for further configuration options.

5. Confirm Application in Workspace ONE UEM

  1. Before you Assign the application to devices and users, review the configuration settings in Workspace ONE UEM.
  2. Click the edit icon.

6. Review Application Deployment Files

  1. Select Files.
  2. Review the Application File. Because multiple files were exported, they are automatically compressed into a ZIP file. (In this case the MSI/EXE and the MST files).
  3. Add more Transform files if required.
  4. Review the App Uninstall Process.

7. Review Application Deployment Options

  1. Select Deployment Options.
  2. Review the Install command. This should match the command in ConfigMgr.
    Important: This command should include the transform command.
    • In this example the install command is msiexec /i "CiscoJabberSetup.msi" TRANSFORMS=CiscoJabber.mst /q
  3. Scroll down to review When To Call Install Complete.
  4. Review When To Call Install Complete.
  5. Click Save and Assign.

8. Upload Image Icon

  1. Select Images.
  2. Select Icon.
  3. Click to upload an icon. This icon will appear in the Intelligent Hub for Windows 10.
  4. Click Save and Assign.

Add Application Assignment

Click Add Assignment.

9. Configure Application Distribution Options

  1. Configure Application Distribution options.
  2. Click Create.

10. Configure Application Restriction Options

  1. Configure Application Restriction options.
  2. Click Create.

11. Review Application Assignments

  1. Review the Application Assignment configuration. Add more if required.
  2. Click Save.

12. Preview Assigned Devices and Publish

  1. Review the devices that will receive the application. Devices must be enrolled. In this example, there are no devices listed because we have not enrolled any devices yet.
  2. Click Publish to start the deployment of the application.

13. Review Application in Workspace ONE UEM

Review the application details and assignments in Workspace ONE UEM.

Migrating ConfigMgr Packages - 7-Zip

In this activity, you migrate a ConfigMgr package using 7-Zip as an example.

Migrating ConfigMgr Packages with Program(s)

A package in ConfigMgr can contain one or more programs and these program(s) are exported to Workspace ONE UEM as an application(s). In ConfigMgr, when a package is deployed, the administrator must select one single program from this package to use. Therefore each program will be exported to Workspace ONE UEM as one individual application. Similar to Application export, AirLift bindings of Package export will be created between the program and Workspace ONE UEM application.

Packages with Duplicate Package Names

Unlike ConfigMgr applications where the name is unique, ConfigMgr packages are allowed to have duplicate names. It is also possible to create duplicate application names in Workspace ONE UEM. As a result, when AirLift generates the application name for a program, besides using <program name>~~~<package name>, it should also add the <package id>~~~<package name> in the Comment field to make this program uniquely identifiable.

Packages with Unique Program Names

ConfigMgr allows the programs in different packages to use the same name but doesn't allow duplicate program names within one package. Therefore each program is identified uniquely by the combination of PackageID and ProgramName in MongoDB.

Packages for Programs with Dependencies

AirLift does not support the export of programs with dependencies. Dependencies can be created in the Workspace ONE UEM console under the application configuration settings.

1. Select the Application to Export

Migrating Applications from ConfigMgr in Workspace ONE AirLift

In the Workspace ONE AirLift Console:

  1. Review any validation warnings or errors - This will inform you of any command lines and or validations that need to be added to Workspace ONE UEM after migration.
  2. Select the check box next to 7-Zip.
  3. Click Export to export the application from ConfigMgr to Workspace ONE UEM.

2. Export to Organization Group

 Migrating Applications to Organization Group in Workspace ONE AirLift
  1. Select the Organization Group.
  2. Click Export.

3. Review Export Progress in AirLift

 Review Export Progress from ConfigMgr using Workspace ONE AirLift

The Export process begins. You can monitor the progress in the Status column.

4. Open Imported App in Workspace ONE UEM

 Review Export Progress in AirLift
  1. Confirm that the application status is Exported.
  2. Click 7-Zip exe under the Workspace Application column to open the application in the Workspace ONE UEM console for further configuration options.

5. Confirm Application in Workspace ONE UEM

  1. Before you Assign the application to devices and users, review the configuration settings in Workspace ONE UEM.
  2. Click the edit icon.

6. Review Application Deployment Details

 Review application deployment details
  1. Select Details.
  2. Review the Application Name. This name appears in the Workspace ONE Intelligent Hub Catalog.

7. Review Application Deployment Files

 Review application deployment Files
  1. Select Files.
  2. Scroll down to the App Uninstall Process section.
  3. Select Input for the Custom Script Type.
  4. Enter the Uninstall Command in the text box.
  5. Click Save and Assign.

8. Review Application Deployment Options

 Review application deployment options
  1. Select Deployment Options.
  2. Review the Install command. This should match the command in ConfigMgr.
  3. Review When To Call Install Complete.
    NOTE
    : Because this application had a warning in AirLift, you must edit the When To Call Install Complete section and provide a value.
  4. Click edit to add a value to When to Call Install Complete.

9. Upload Image Icon

 Review application deployment options
  1. Select Images.
  2. Select Icon.
  3. Click to upload an icon. This icon will appear in the Intelligent Hub for Windows 10.
  4. Click Save and Assign.

10. Add Application Assignment

 Add Assignment

Click Add Assignment.

11. Configure Application Distribution options

 Configure Application Distribution options
  1. Configure Application Distribution options.
  2. Click Restrictions.

12. Configure Application Restriction Options

 Configure Application Restriction options
  1. Configure Application Restriction options.
  2. Click Create.

13. Review Application Assignments

 Review Application Assignments
  1. Review the Application Assignment configuration. Add more if required.
  2. Click Save.

14. Preview Assigned Devices and Publish

  1. Review the devices that will receive the application. Devices must be enrolled. In this example, there are no devices listed because we have not yet enrolled any devices.
  2. Click Publish to start the deployment of the application.

15. Review Application in Workspace ONE UEM

 Review Application in Workspace ONE UEM

You can review the application details and assignments in Workspace ONE UEM.

Migrating Applications Conclusion

This section reviewed how to use AirLift to quickly migrate your desired applications and packages from ConfigMgr to Workspace ONE UEM and how to deploy this application to your devices and users.

Review Application Migration Dashboard

Migrating Applications in the Workspace ONE AirLift admin console.

In the Workspace ONE AirLift Admin Console:

  1. Click Dashboard.
  2. Review the application migration progress.

Perform: Migrating Windows 10 Group Policies

Introduction

Now that you have exported applications and packages from ConfigMgr to Workspace ONE UEM, the next step is to export Group Policy Objects.

In this section, you migrate Group Policies Objects from Active Directory to Workspace ONE UEM.

Organization Groups

Workspace ONE UEM identifies users and establishes permissions using organization groups (OG). Although any organization method delivers content to devices, use OGs to establish an MDM hierarchy identical to your organizational hierarchy. You can also create OGs based on Workspace ONE UEM features and content or by geographic region, for example.

Prerequisites

Before you continue, ensure that you have completed the previous steps listed in this tutorial.

At this point, you should have:

  • Installed AirLift.
  • Configured Integration with Active Directory.
  • Remediated any Group Policy Objects export errors.

Migrating Windows 10 Group Policy Objects to Workspace ONE UEM

Workspace ONE AirLift connects your Active Directory policies to Workspace ONE UEM profiles. This connection allows you to create profiles based on existing policies your business uses.

In this section, you select the Chrome ADMX backed policy and export this into Workspace ONE UEM.

1. Select the Group Policy Objects to Export

In Workspace ONE AirLift Admin Console, select the Group Policy Objects to export.

In the Workspace ONE AirLift Console:

  1. You can filter policies by Windows 10 Version. For this example, select Windows 10 1903 as the target.
  2. Enter Chrome in the search box to bring up the Chrome Policies.
  3. Select the Group Policy Objects that you want to export to Workspace ONE UEM.
  4. Click Add to Export.
In Workspace ONE AirLift Admin Console, select the Group Policy Objects to export
  1. After the Group Policy Objects have been added, a notification appears: 3 policies added to export.
  2. Notice that Ready to Export now shows three policies.

2. Hide Group Policy Objects from Export

 Hiding Group Policy Objects from Export

Following the previous steps, you can also hide Group Policy Objects. This helps to clean up any Group Policy Objects that you may already have configured in Workspace ONE UEM.

3. Export Group Policy Objects to Workspace ONE UEM Organization Group

In Workspace ONE AirLift Admin Console, export policies to Workspace ONE UEM Organization Group
  1. Select the Group Policy Objects that you want to export.
    • In this example, you migrate a Chrome ADMX Template to Workspace ONE UEM. As this is one ADMX file, you configure the three selected policies to be migrated over into a single Windows 10 Policy, or CSP.
  2. Click Export All.

Enter a Profile Name for the GPO. For example, Chrome ADMX.

 Export Group Policy Objects to Workspace ONE UEM Organization Group
  1. Select which Organization Group the policy will be migrated to.
  2. Click Export.

4. Review Export Progress in AirLift

Review the status of the Group Policy Object. After a successful export, the Status displays the exported Workspace ONE UEM Policy Name, for example, Chrome ADMX.

 Review Export Progress in AirLift

You can repeat the steps to export a policy.

  • In this example, the Configuration Item Configure the Home Page has been exported to 2 different Workspace ONE UEM Policies.
  • Click this Group Policy Object link to view the Policy in Workspace ONE UEM.

Tip: Remember, you can export individual Group Policy Objects to multiple Workspace ONE UEM Policies. AirLift will display the Workspace ONE UEM policy name for each Group Policy Object that you export.

5. Confirm Policy Export in Workspace ONE UEM Admin Console

 Confirm Group Policy Object export in Workspace ONE UEM

AirLift indicates when a Group Policy Object has been exported, then displays a link under the Status Column in the AirLift Console. Clicking this link brings you directly to the Workspace ONE UEM Console to the Confirm Group Policy Object you selected.

 Before you Assign the policy, review the configuration settings in Workspace ONE UEM. Click the edit icon.

6. Review Policy Settings in Workspace ONE UEM

 Review Group Policy Object settings in Workspace ONE UEM
  1. Click General.
  2. Note the Name and description of the policy.
  3. Select Auto for Assignment type - This ensures that the Group Policy Object is automatically installed upon enrollment.
  4. Note the Managed By value. When exporting the Group Policy Object, in this example, we selected Australia.
  5. To assign this policy to a Workspace ONE UEM smart group, proceed to the next exercise.

7. Select Smart Group in Workspace ONE UEM

 Assign Group Policy Object export in Workspace ONE UEM
  1. Click into the Smart Groups text box to add a smart group.
  2. Select an existing Smart Group or Create a New Smart Group. If you have exported any Device Collections from ConfigMgr, you can see them here.

8. Review Custom CSP in Workspace ONE UEM

 Confirm Group Policy Object export in Workspace ONE UEM
  1. Scroll down to Custom Settings.
  2. Review the Custom CSP created by AirLift.
  3. Click Save and Publish. Then, preview the Device Assignment list and click Publish.

9. Confirm Group Policy Object Export in Workspace ONE UEM

 Confirm Group Policy Object export in Workspace ONE UEM
  1. Review the Policy in Workspace ONE UEM.
  2. Review the Assigned Groups for the Policy.

Tip: Repeat the above steps to export additional Group Policy Objects into Workspace ONE UEM

Note: For More information on Windows 10 Policy Management with Workspace ONE UEM, see Understanding Windows 10 Group Policies: VMware Workspace ONE Operational Tutorial

Perform: Onboarding Devices with Accelerated Enrollment

Introduction

You have now completed two steps in the Perform Phase:

  • Export Applications to Workspace ONE UEM
  • Export Policies to Workspace ONE UEM

The final step in the Perform Phase is to:

  • Streamline device onboarding with accelerated enrollment

In this section, you create and perform the enrollment package to a chosen device collection.

After the device has been onboarded, you verify application and policy installation via Workspace ONE UEM.

Device Onboarding for Windows 10 Considerations

Before you enroll a device, it is vital to ensure that any critical Application workloads or Group Policy Objects have been migrated over to Workspace ONE UEM or have been re-configured in Workspace ONE UEM.

After a device has been onboarded to Workspace ONE UEM, ConfigMgr will limit functionality. These functions should be configured and delivered from Workspace ONE UEM.

For more information, see Understanding MDM Co-management VS Coexistence.

Creating an Enrollment Package for Workspace ONE UEM

Now that you have exported Device Collections, applications, and GPOs into Workspace ONE UEM, you are ready to create an enrollment package. This enrollment package streamlines device onboarding with accelerated enrollment from ConfigMgr to Workspace ONE UEM.

The configuration settings required for this section should be recorded in your Workspace ONE AirLift Environmental Details Cheat Sheet. Otherwise, you can find these values in the Workspace ONE UEM Admin Console.

Getting Started - Perform

There are a few ways to navigate to the enrollment settings in the Workspace ONE AirLift admin console.

Locate Enrollment Settings

The Execure phase in Getting Started with Workspace ONE AirLift
  1. From the menu on the left, select Getting Started.
  2. Under perform, Select Getting Started.
Locate Enrollment settings in Workspace ONE AirLift.
  1. In the AirLift admin Console, navigate to Settings.
  2. Select Enrollment.

1. Use Existing Enrollment Application

In Workspae ONE AirLift admin console, use Existing Enrollment Application
  1. Select Yes to use an existing Workspace ONE enrollment app in ConfigMgr or select No to create one.
  2. Select an existing Workspace ONE enrollment application in ConfigMgr​.

Tip: You can manually add the Installer file for the Windows 10 Intelligent Hub as an application in ConfigMgr. If you manually add it, you must ensure that the Agent Install Command Line is correct. There's an example of the Agent Install Command Line in the next screenshot.

To simplify the process, the next example shows how to configure an enrollment package and confirm the Installation commands in Microsoft Endpoint Configuration Manager.

2. Create a New Enrollment Application

AirLift Creating a new Enrollment Application

The following configuration settings will automatically enroll the device into Workspace ONE UEM after the Workspace ONE Intelligent Hub has been installed.

  1. Use Existing Enrollment Application
    • Select No.
  2. Application Name
    • Enter the name of the Workspace ONE enrollment app that will appear in ConfigMgr.
    • For example, Workspace ONE enrollment.
  3. Organizational Group
    • Select the Organizational Group (OG) where your devices will enroll. The OG must have SAML authentication turned off. If your primary OG has SAML turned on, you must make a staging OG with SAML turned off.
    • In this example, the OG is Australia.
  4. Staging User
    • Enter the staging user for the enrollment OG (All Settings > Devices & Users > Windows > Windows Desktop > Staging & Provisioning > UPN)
    • This value should be in the Workspace ONE AirLift Environmental Details Cheat Sheet.
  5. Staging User Password
    • Enter the staging user password.
    • This value should be in the Workspace ONE AirLift Environmental Details Cheat Sheet.
  6. Enrollment Server URL
    • Enter the enrollment server URL in the format server.awmdm.com (All Settings > System > Advanced > Site URLs > Device Services URL).
    • This value should be in the Workspace ONE AirLift Environmental Details Cheat Sheet.
  7. Include Workspace ONE App
    • Select to enable automatic installation of the Workspace ONE app that is used to display available applications to the end-user.
    • As we are using the Workspace ONE Intelligent Hub as our Windows 10 Application Catalog, we have selected NO.
  8. Include SCCM Integration Client
    • Select to enable the SCCM integration client as a dependent application. This client allows SCCM and Workspace ONE management to coexist on older versions of SCCM and Windows 10. If your SCCM version is before 1710 the SCCM integration client is required for all versions of Windows 10. If your SCCM is 1710 and above you only need the SCCM integration client to support Windows 10 version 1703 or earlier.
    • This is a legacy setting. The version of ConfigMgr used in this tutorial is Microsoft Endpoint Configuration Manager 1906, so this option is not required.
  9. Agent Install Command Line
    • The command line is used to deploy the application in ConfigMgr. You can also use this command line to build your own enrollment app.
    • Review the following installation parameters:
    • msiexec.exe /i AirWatchAgent.msi /qn ENROLL=Y IMAGE=N SERVER=company.workspaceone.com/DeviceServices LGNAME=Australia USERNAME="staging@AirLift.com" PASSWORD="-X###3" DOWNLOADWSBUNDLE=false ASSIGNTOLOGGEDINUSER=Y /log %TEMP%\AWAgent.log
    • For more information, see Onboarding Windows 10 Using Command-Line Enrollment: VMware Workspace ONE Operational Tutorial.
  10. Content-Location
    • Enter the content location of the enrollment app on your ConfigMgr server in the UNC path format.
    • Ensure you have moved the Intelligent Hub to the specified folder for ConfigMgr so the application can be created.
    • A local copy of the files can be found in the AirLift install location under the "Workspace ONE Enrollment Application" folder
    • C:\Program Files\VMware\VMware AirLift\Workspace ONE Enrollment Application
    • You can download the latest version of the Intelligent Hub for Windows 10 from https://www.getwsone.com/
  11. Distribution Selection
    • Select Auto to automatically distribute the enrollment application to all of your Distribution Points. Select Manual to distribute content manually in the ConfigMgr console.

3. Copy the Intelligent Hub Agent to ConfigMgr for Distribution

 Copying the Intelligent Hub over to SCCM

Before continuing to create the Workspace ONE Enrollment application, ensure you have the Intelligent Hub in the Application Directory of ConfigMgr.

You can find the Agent in C:\Program Files\VMware\VMware AirLift\Workspace ONE Enrollment Application or download the latest version of the Intelligent Hub for Windows 10 from https://www.getwsone.com/.

  1. Navigate to C:\Program Files\VMware\VMware AirLift\Workspace ONE Enrollment Application.
  2. Copy the AirWatch Agent (Intelligent Hub for Windows 10) to ConfigMgr.
 Copying the Intelligent Hub Agent over to ConfigMgr for Distribution

Confirm the Agent files reside on the ConfigMgr application share.

  1. Navigate to the Network file path for ConfigMgr applications \\SCCM-DW\SCCMApps\Workspace ONE
  2. Confirm the AirWatch Agent (Workspace ONE Intelligent Hub for Windows 10) exists.

4. Submit Enrollment Application

 Submitting Enrollment Application
  1. When you have confirmed that the Intelligent Hub is in the ConfigMgr application repository, click Create.
  2. Confirm that you have copied the Enrollment application files to the specified path. Click Proceed to confirm.
 Submitting Enrollment Application

You should see a message confirming the enrollment package creation: Workspace ONE Enrollment Application "Workspace ONE Enrollment" is currently being created.

Reviewing Enrollment Application in Microsoft Endpoint Configuration Manager

Now that you have the enrollment Application created, review the application settings in the Microsoft Endpoint Configuration Manager Console.

1. Review Enrollment Application Properties

Review Enrollment Application Settings in ConfigMgr formerly known as Microsoft SCCM
  1. Open the Microsoft Endpoint Configuration Manager Console and select Software Library.
  2. Expand Application Management and select Applications.
  3. Right-click the Workspace ONE Enrollment application.
  4. Select Properties.
Review Enrollment Application Settings in ConfigMgr formerly known as Microsoft SCCM

Select Deployment Types.

2. Edit the Workspace ONE Enrollment MSI

Review Enrollment Application Settings in ConfigMgr formerly known as Microsoft SCCM
  1. Select the Workspace ONE Enrollment MSI.
  2. Click Edit.

3. Review Installation Program

 Review Enrollment Application Settings in ConfigMgr
  1. Select Programs.
  2. Review the Installation Program command - This should be the same command as listed in the AirLift console.

Onboarding Device with Accelerated Enrollment

Now that you have:

  • Mapped Windows 10 device collections from ConfigMgr to Workspace ONE UEM and
  • Created the Workspace ONE Enrollment app for onboarding;

You will use AirLift to automatically onboard your Windows 10 collection devices into Workspace ONE UEM.

In this activity, you onboard (or enroll) a device into Workspace ONE UEM. While the device is being onboarded, you force a policy evaluation from the ConfigMgr client on the Windows 10 device and confirm enrollment into Workspace ONE UEM. Upon completion, you will review the AirLift Dashboard.

1. Select Windows 10 Collections to Enroll into Workspace ONE UEM

In Workspace ONE AirLift admin console, begin device on-boarding with accelerated enrollment

In the Workspace ONE AirLift Console:

  1. Click Collections.
  2. Select the checkbox next to the Windows 10 collection you want to migrate. For example, Windows 10 - 1903 Device Collection.
  3. Click Enroll.

2. Confirm Device Enrollment to Workspace ONE

 Confirm Device Enrollment with Workspace ONE
  1. Review how many devices will be affected. In this example, 1 device will be affected.
  2. Click Enroll to confirm the enrollment.

3. Review Device Enrollment Progress in AirLift

In the Workspace ONE AirLift admin console, review Device Enrollment Progress in AirLift
  1. In the AirLift admin console, click Collections.
  2. Review the Enrollment in Progress column which displays the enrollment progress.

4. Confirm Device Management Mode in AirLift Devices Dashboard

After the device has been onboarded, the Management status column in the AirLift console will change. Devices under management by Workspace ONE should be managed only from Workspace ONE after they have been onboarded.

  1. In the AirLift admin console, select Devices.
  2. Review the Management column. This column displays if the machine is managed by SCCM or Workspace ONE.
  3. Note that the device Name can be selected. Selecting the device name takes you to the device record in Workspace ONE UEM - you will review this in a later step.

5. Open Configuration Manager on Windows 10 Client

Now, you confirm the Workspace ONE enrollment status on your Windows 10 client.

 Force ConfigMgr policy evaluation on Windows 10 client

On the Windows 10 client, open Control Panel.

  1. Change the View By option to icons.
  2. Select Configuration Manager.

6. Configuration Manager Client Properties

Review Configuration Manager Client Properties

The next step is to force a policy retrieval cycle on the ConfigMgr client. This will speed up the process of receiving the deployment and enrolling the device into Workspace ONE UEM.

  1. Navigate to the Actions tab.
  2. Select Machine Policy Retrieval and Evaluation Cycle.
  3. Select Run Now.

7. Confirm Workspace ONE Enrollment Application in Software Center

 Confirm Workspace ONE Enrollment Application in Software Center

On the Windows 10 client, open Software Center.

  1. Select Applications.
  2. Unless this has been hidden, you should see the Workspace ONE Enrollment Application.

8. Confirm Intelligent Hub Launch on Device

 Confirm Intelligent Hub launch
 Confirm Intelligent Hub launch on device

When the device has finished onboarding, the Intelligent Hub automatically launches.

Click Done to complete the process.

9. Review Intelligent Hub for Windows 10 Application Catalog

 Review Intelligent Hub for Windows 10 Application Catalog

In this example, we have configured the Windows 10 Intelligent Hub to display the application catalog. When the Windows 10 Intelligent Hub App catalog us enabled, the user(s) will see their assigned applications.

When applications have been reported as installed, the users' catalog will also reflect this information.

In this example, Chrome was set to auto-install so you can see the installation status almost immediately. EXE and ZIP applications will report the installation status on the next device query. You can force a Device Query from the Workspace ONE UEM console.

10. Review Enrollment Status in Microsoft Endpoint Configuration Manager

You can also review the Workspace ONE Enrollment application status in Microsoft Endpoint Configuration Manager.

Review Workspace ONE Enrollment Application Status in Microsoft Endpoint Configuration Manager formerly known as SCCM

Open the Microsoft Endpoint Configuration Manager Console:

  1. Select Software Library.
  2. Expand Application Management and select Applications.
  3. Select the Workspace ONE Enrollment app.
  4. Select the Deployments tab.
  5. Review the Compliance Status and other deployment settings of the Workspace ONE Enrollment application.

11. Review Migration Status in Workspace ONE AirLift Console

 Review Migration Status in Workspace ONE AirLift Console

In the Workspace ONE AirLift Console:

  1. Select Dashboard.
  2. Review the Management by Collection dashboard. Notice that the device migrated is part of two collections (AirLift Demo and Windows 10 - 1903). The blue and green colors on the dashboard reflect the Management Mode state of the Windows 10 device. In this example, our device is marked in blue which means it is Workspace ONE managed.

Confirming Application Installation on Windows 10 Device

In the previous exercise, you confirmed that the user has access to the Workspace ONE Intelligent Hub Application Catalog. In this activity, you review the application Installation Progress in the Workspace ONE UEM Console.

1. Select Device from AirLift Console

 Select Device from Workspace ONE AirLift Console
  1. In the Workspace ONE AirLift admin console, select Devices.
  2. Click the device name (for example, WIN10-1903-DJ) to open the Device settings in Workspace ONE UEM.

2. Confirm Application Installation Status in Workspace ONE UEM

 Confirm Application Installation status in Workspace ONE UEM

Confirm that you are now in the Workspace ONE UEM admin console.

  1. Select Applications.
  2. Confirm the Applications have been installed and that the Installation status is Managed.

3. Confirm Application Status in Workspace ONE Catalog

 Confirm Application status in Workspace ONE Catalog
  1. Open the Workspace ONE Intelligent Hub and select Windows Apps.
  2. Notice the status of the applications. Users can re-install installed applications, or install new apps that are set to On-Demand in the Workspace ONE UEM console.

You have now successfully exported applications and packages from Microsoft Endpoint Configuration Manager and confirmed successful application installation on a device enrolled in Workspace ONE UEM.

Confirming Policy Installation on Windows 10 Device

In this activity, you confirm that the policy was installed on your Windows 10 device from the Workspace ONE UEM Console. From the Windows 10 device, you also confirm the policy installation and review which policies are applied to the device.

1. Select Device from Workspace ONE AirLift Console

 Select Device from Workspace ONE AirLift Console
  1. In the Workspace ONE AirLift admin console, select Devices.
  2. Click the device name (for example,WIN10-1903-DJ) to open the Device settings in Workspace ONE UEM.

2. Confirm Policy Installation in Workspace ONE UEM

Confirm that you are now in the Workspace ONE UEM admin console.

  1. Select Profiles.
  2. Confirm that the Chrome ADMX policy has been installed.

3. Confirm Chrome Policy Settings on Windows 10 Device

You can also confirm policy installation on the Windows 10 device.

 Confirm Chrome Home Page

Open a Chrome Browser on your Windows 10 device.

  1. Click the three dots to open the Settings menu.
  2. Confirm that you can see Managed by your Organization at the bottom.

4. Review Chrome Password Settings

 Confirm Chrome Home Page UPDATE
  1. In the Chrome browser, navigate to chrome://settings/passwords. This displays the Chrome password settings.
  2. Notice that the option can not be selected or changed. The building icon next to the option indicates this restriction. This setting can not be changed because this policy is coming from Workspace ONE UEM.

5. Open Accounts on Windows 10 Device

 Confirm Policy Status on Device

Open Settings on the Windows 10 Device and select Accounts.

6. Select Workspace ONE MDM Option

 Confirm Policy Status on Device
  1. Select Access work or School.
  2. Select the Connected to Workspace ONE MDM option. If your Windows machine is domain joined, like the example shown, you will also see this domain join here.

7. Review MDM Policies

 Confirm Policy Status on Device

Click Info to show details about the MDM policies that are applied to the device.

 Confirm Policy Status on Device
  1. Review the MDM Policies. AMDX Templates can include multiple configurations. The Google Chrome ADMX Policy contains three configuration options. The Google Chrome ADMX Policy is configured to set configurations for Password Manager Settings, Content Settings, and the Home page configurations.

This confirms that you were able to successfully export a Group Policy Object from Active Directory and confirm installation on a device enrolled in Workspace ONE UEM.

Monitor: Reviewing Administrator Functions for Workspace ONE AirLift

Introduction

Now that you have learned how to migrate applications and packages from Microsoft Endpoint Configuration Manager to Workspace ONE UEM, the next step is to review Administration Functions for Workspace ONE AirLift.
In this section, you learn about day-to-day tasks you might undertake as an administrator. AirLift is a tool to enable a seamless transition to modern management with Windows 10. AirLift is a temporary addition to IT infrastructure while you migrate to Modern Management.

 

Reviewing the Activity Log

The Activity Log in the AirLift console keeps records of any changes to the environment. These can be changes made by the AirLift Service or changes made by an administrator.

The Activity Log includes fields such as:

  • Time Stamp
    • Time of Activity
  • Action
    • The action that was taken such as 
    • Sync Schedule
    • Mapping of Device Collections
    • Exporting of Applications or 
    • Exporting of Group Policies
  • Status
    • Displays Success or Failure Status
  • Actor
    • The Admin User of the system

Review Activity Log

Review AirLift Activity Log in Workspace ONE AirLift console.
  1. In the Workspace ONE AirLift console, navigate to Activity Log.
  2. Review the Activity log and the Activity Log field values.

Reviewing Workspace ONE AirLift Account Settings

The Account tab in Settings shows the connection information for Workspace ONE AirLift to communicate to Workspace ONE UEM, Microsoft Active Directory, and Microsoft Endpoint Configuration Manager (formerly System Center Configuration Manager / SCCM).

Enter Workspace ONE Connection Information

 Enter Workspace ONE connection information

In the Workspace ONE AirLift admin console:

  1. Navigate to Settings.
  2. Select Account.
  3. Review the Workspace ONE connection Information.
    • If you need to make any changes, you can make the changes here and click Save.

Enter Connection Information for System Center Configuration Manager

Enter connection information for System Center Configuration Manager now known as ConfigMgr
  1. Scroll down to Connection Information for System Center Configuration Manager.
  2. Review the Connection Information for System Center Configuration Manager.
    • If you need to make any changes, you can make the changes here and click Save.

Enter Connection Information for Active Directory

 Enter connection information for Active Directory
  1. Scroll down to Connection Information for Active Directory.
  2. Review the Connection Information for Active Directory.
    • If you need to make any changes, you can make the changes here and click Save.

Locating Workspace ONE UEM Enrollment Settings

The enrollment package streamlines device onboarding with accelerated enrollment from ConfigMgr to Workspace ONE UEM.

Migrating applications from ConfigMgr and reviewing Workspace ONE UEM Enrollment Settings

To locate Enrollment settings, in the Workspace ONE AirLift admin console:

  1. Navigate to Settings.
  2. Select Enrollment.

Scheduling Workspace ONE AirLift Sync

The Schedule Sync option allows you to schedule when Workspace ONE AirLift syncs with ConfigMgr and Active Directory for updates and changes. You can set the schedule for the specific time and day you want.

Review Workspace ONE AirLift Sync Settings

Scheduling AirLift Sync with AD and ConfigMgr formerly known as SCCM
  1. Initiate Full Synchronization - Select this -ption to Initiate a full synchronization. A complete synchronization initiates communication to Workspace ONE UEM, Microsoft Endpoint Configuration Manager (ConfigMgr), and Active Directory for Group Policy Objects.
  2. Schedule Synchronization - By Default, AirLift synchronizes daily. You can set the synchronization interval to hourly, for example, when a migration project is underway or set the synchronization less frequently if you don't require up-to-date information.

 

Reviewing Role Based Access

The Permissions settings allow you to grant additional users either View Only or Admin permissions for Workspace ONE AirLift.

1. Review AirLift Role Based Access Control

Review Workspace ONE AirLift Role Based Access Control

In the Workspace ONE AirLift console:

  1. Navigate to Settings.
  2. Select Permissions.
  3. Review the Named administrators.
  4. Review the administrators access Role.
  5. To add administrators, click Add.

2. Add Additional Admin to Workspace ONE AirLift

 Add Additional Admin to AirLift

Enter the domain name of the Administrator in format Domain\Username.

3. Assign Admin Access Role

 Assign Admin Access Role
  1. Select the Access Role for the administrator.
    • This Role can be a Viewer or Administrator.
  2. Click Save to add the admin account.

Generating a Support Bundle in Workspace ONE AirLift

Occasionally, you need to troubleshoot your Workspace ONE AirLift deployment. Issues can arise with the communication between services, transitions to modern management, and other areas. Follow the steps in this activity to generate a support bundle that gathers required environment information. The Support Bundle can be sent to the Workspace ONE support teams to expedite troubleshooting.

1. Generate a Support Bundle

 How to Generate a Support Bundle in AirLift

In the Workspace ONE AirLift console:

  1. Navigate to Settings.
  2. Select Support.
  3. Click Generate Support Bundle.

2. Confirm Support Bundle Generation in Progress

 How to Generate a Support Bundle in AirLift

When you generate a support bundle, AirLift creates a ZIP file containing MongoDB data, AirLift logs, configuration, and environment details.

The ZIP file is created in the following directory: %ALLUSERSPROFILE%\VMware\VMware AirLift\Support

Review the content of the file and ensure that it does not contain any confidential, sensitive, or personal information before sending it to Customer Support.

For more information on AirLift Troubleshooting, see the AirLift section in Troubleshooting Windows 10: VMware Workspace ONE Operational Tutorial.


Reviewing Workspace ONE AirLift Feedback Settings

Select Join the VMware Customer Experience Improvement Program to contribute technical information related to the performance, configuration, and use of Workspace ONE AirLift. Your participation improves and benchmarks our products and services, fixes problems, and helps us to advise customers on the use of our software.

The data is used by VMware and its service providers strictly on an aggregated basis.

Join the AirLift Customer Experience Improvement Program

Join the AirLift Customer Experience Improvement Program

In the Workspace ONE AirLift console:

  1. Navigate to Settings.
  2. Select Feedback.
  3. Select the check box to opt-in or opt-out.

Summary and Additional Resources

Conclusion

This operational tutorial provided the steps to enhance Windows 10 with modern management capabilities using Workspace ONE UEM and Workspace ONE AirLift. 

These procedures included:

  • Monitoring enrollment progress and modern management activity.
  • Syncing ConfigMgr and Workspace ONE UEM.
  • Syncing Active Directory and Workspace ONE UEM.
  • Mapping ConfigMgr device collections to Workspace ONE UEM smart groups.
  • Expediting application rationalization and migration from ConfigMgr to Workspace ONE.
  • Expediting Windows 10 Group Policy rationalization and migration from Active Directory to Workspace ONE UEM.
  • Creating a ConfigMgr deployment to enable Workspace ONE device enrollment.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

ConfigMgr / SCCM Microsoft Endpoint Configuration Manager (Formally System Center Configuration Manager)
AD Microsoft Active Directory
application store A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud The asset of securely accessed, network-based services, and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as Workspace ONE Access (formerly VMware Identity Manager).
identity provider (IdP) A mechanism used in a single-sign-on (SSO) framework to automatically give user access to a resource based on their authentication to a different resource.
mobile device management
(MDM) agent
Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
Service provider (SP)
A host that offers resources, tools, and applications to users and devices.
virtual desktop The user interface of a virtual machine that is made available to an end user.
virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

For more information on Windows 10 with Workspace ONE, explore the Understand Windows 10 Activity path.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

 

Change Log

The following updates were made to this guide:

Date Change
2020/07/23
  • Replace "execute" to "perform"
  • Added Associated Assets:
    • Sample_AirLift_PolicyValidationsReport
    • AirLift_Environmental_Details_Cheat_Sheet
2020/06/16
  • Updated SCCM to Microsoft Endpoint Configuration Manager
  • Added Policy rationalization 
  • Added Policy migration
  • Added examples of MSI with MST Application export
  • Added examples of packages export

About the Authors and Contributors

This tutorial was written by:

  • Darren Weatherly, End-User-Computing Senior Architect, Technical Marketing, VMware.

Appreciation and acknowledgment for considerable contributions from the following subject matter experts:

  • Chris Halstead, End-User-Computing Staff Architect, Technical Marketing, VMware.
  • Criselda Abarquez, Senior Systems Engineer, Systems Engineering, VMware.
  • Josue Negron, End-User-Computing Staff Architect, Technical Marketing, VMware.

Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Filter Tags

  • Workspace ONE
  • Advanced
  • Operational Tutorial
  • Document
  • AirLift
  • Workspace ONE UEM
  • Windows 10
  • Design
  • Modern Management