Modernizing Windows 10 Management: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.5 and later; VMware Identity Manager 3.2 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This tutorial consists of a series of exercises that walk through either transitioning from Microsoft System Center Configuration Manager (SCCM) to VMware Workspace ONE® UEM (unified endpoint management) through co-management, or transforming your environment by replacing SCCM with it.

Audience

This operational tutorial is for PC lifecycle management (PCLM) administrators and Workspace ONE IT administrators. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM is also helpful.

Initial Configurations

Introduction

This exercise prepares you for the transition to Windows 10 Modern Management with Workspace ONE UEM. Make sure that you complete each procedure in this section before going to the next exercise.

Prerequisites

Before you can perform the procedures in this exercise, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware AirWatch Documentation.

  1. Check whether you have the following components installed and configured.
    • Workspace ONE UEM v9.5 or later, with admin credentials
      • Directory Services configured
      • VMware Enterprise Systems Connector that can reach the AirWatch Cloud Messaging (AWCM) server
      • (If SAML enabled) Staging Organization Group and account with standard single user devices enabled
    • Active Directory with users available to add to the Workspace ONE tenant
    • SCCM 2012 R2 and later that meets the following criteria:
      • Admin credentials to the SCCM Console
      • Read Only Analyst for basic functionality
      • Privilege to create and deploy SCCM applications in order to build and deploy a custom enrollment application
      • At least one SCCM Device Collection with at least one Windows 10 client
    • PowerShell with Admin rights
    • Google Chrome 42.0 or later
  2. Verify that your device meets the operating system and software requirements.
    • Windows Pro, Enterprise, or Education device.
    • Clean Windows operating systems domain-joined to the same domain as the SCCM server
    • Windows 10 and Windows Server tested
    • 2 CPU and 4 GB RAM
  3. Complete the Environmental Details Worksheet.

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate In to the Workspace ONE UEM Console

  1. Enter your Username, for example, administrator.
  2. Click Next. After you click Next, the Password text box is displayed.
  3. Enter your Password, for example, VMware1!
  4. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

Enabling User Group Mapping

2. Enable Fixed Organization Group

  1. Select Override.
  2. Select Fixed Organization Group.

Retrieving API Details

Retrieve API details from the Workspace ONE UEM Console to facilitate the connection with SCCM.

1. Navigate to API Settings

  1. In the Workspace ONE UEM Console, select Groups & Settings.
  2. Select All Settings.

2. Retrieve the API Key

  1. Select System.
  2. Select Advanced.
  3. Select API.
  4. Select REST API.
  5. Right-click the API Key.
  6. Click Copy.
  7. Record the API Key in the Environment Details Worksheet.

Retrieving the Organization Group ID

Finding your Group ID

In the Workspace ONE UEM Console,

  1. Click on your Organization Group name.
  2. Copy your Group ID value.  For example, copy the Group ID yourid1234. Then, record this value in the Environment Details Worksheet.

Logging In to the SCCM Console

1. Launch the SCCM Server

Log in to your SCCM server.

2. Launch the Configuration Manager Console

  1. Launch the SCCM Console from the taskbar.
  2. If the Configuration Manager dialog box appears, click OK.

3. Explore the SCCM Console

Take a minute to explore the SCCM console. The main components of SCCM are as follows.

  • Assets and Compliance — View all the users and devices managed by SCCM.
  • Software Library — Deploy applications at a high-level.
  • Monitoring — Check status and log files.
  • Administration — Perform updates, migrations, update-readiness, and co-management.

Gathering Environment Details

The exercises in this operational tutorial require the entry of a number of environmental details.  To simplify configuration, and minimize the potential for error, complete the Environmental Details Worksheet.

The examples in the worksheet are the values used in the operational tutorial and are based on a test environment. Your environment details will differ.

Environment Details Worksheet

| Field | Description | Example Entry |
|---|---|---|
| Workspace ONE UEM Log-In Details | | |
| Workspace ONE UEM Tenant | URL for your Workspace ONE UEM environment | labs.awmdm.com |
| Username | Admin username | admin |
| Password | Admin password | VMware1! |
| AirLift Integration Details | | |
| WS1 API URL | URL for your Workspace ONE UEM environment | https://labs.awmdm.com |
| AirwatchAPIKey | API Key copied from the Workspace ONE UEM Console | |
| SCCM Server | SCCM server address | sccm-01a.corp.local |
| SCCM Site Code | Three-character alphanumeric site code for the SCCM environment | HOL |
| SCCM Domain | Active Directory Domain integrated with SCCM | CORP |
| SCCM Username | Admin username | administrator |
| SCCM Password | Admin password | VMware1! |
| SCCMCollectionname | Name for the Windows 10 device collection created in SCCM | Win10 |
| Workspace ONE Enrollment Details | | |
| Organization Group | Workspace ONE UEM group Windows 10 device enrolls into | your@email.shown.here |
| Staging User | User used to stage Workspace ONE UEM enrollment | StagingUser |
| Staging User Password | Password used for the staging user | VMware1! |
| Enrollment URL | URL for your Workspace ONE UEM environment | labs.awmdm.com |
| Group ID | Group ID value from the UEM console | yourid1234 |

Enabling Workspace ONE AirLift

Introduction

In this exercise, set up Workspace ONE AirLift, a tool that simplifies the transition from traditional PC Lifecycle Management to modern management with Workspace ONE UEM.

AirLift enables Microsoft System Center Configuration Manager (SCCM) and Workspace ONE UEM to co-manage Windows 10 devices. Co-management allows organizations to:

  • Address the challenge of using traditional PCLM tools for modern management
  • Manage legacy Windows desktop and server Operating Systems
  • Continue using SCCM policies that are deeply embedded into business systems
  • Meet SCCM requirements to upgrade Windows 7 to Windows 10
  • Enroll devices into Workspace ONE with SCCM

Workspace ONE AirLift provides the following features and functionality:

  • Monitors enrollment progress and modern management activity
  • Syncs SCCM and Workspace ONE
  • Enables mapping between SCCM device collections and Workspace ONE UEM smart groups
  • Facilitates application migration from SCCM to Workspace ONE
  • Creates SCCM deployments to enable Workspace ONE device enrollment
  • Provides detailed logs

Prerequisites

Before you can perform the procedures in this exercise, you must complete the Initial Configurations exercise.

This exercise requires a user to enroll their device into Workspace ONE UEM. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

User Account Information

| Field | Value |
|---|---|
| User name | aduser |
| Password | VMware1! |
| Email | your@email.shown.here |

Set Up Workspace ONE AirLift

You will now set up Workspace ONE AirLift, connecting it to both Workspace ONE UEM and Microsoft SCCM in order to support co-management of Windows 10 devices.

1. Retrieve the Workspace ONE UEM API Key

We now need to retrieve the admin REST API key from the Workspace ONE UEM Console.  This key will be required by AirLift in order to connect to Workspace ONE UEM.  

In the Workspace ONE UEM Console,

  1. Click Groups & Settings.
  2. Click All Settings.

1.1. Copy the REST API Key

  1. Expand System.
  2. Expand Advanced.
  3. Expand API.
  4. Select REST API.
  5. Select the API Key value for the AirWatchAPI service.
  6. Right-click and click Copy.

You will need this key in the upcoming steps for configuring AirLift. For production you can also add a new API key for the AirLift Service.

2. Launch Workspace ONE AirLift

Double click the AirLift shortcut on the desktop of the SCCM server.

This will be the first time we are launching AirLift, so we will be asked to configure connectivity to Workspace ONE UEM and SCCM.

3. Configure AirLift

We will now configure AirLift to connect to both Workspace ONE UEM and SCCM.

3.1. Configure AirLift for Workspace ONE

  1. Enter https://labs.awmdm.com for the API URL.
  2. Select Same as API for the Console Address.
  3. Paste the API Key from your Workspace ONE tenant that you captured in the previous step.
  4. Enter your email address that you have associated with your VMware Learning Platform (VLP) account.
  5. Enter VMware1! for the Password field.
  6. Click the Continue button.

3.2. Configure AirLift for SCCM

  1. Enter sccm-01a.corp.local for the SCCM Server
  2. Enter HOL for the Site Code
  3. Enter CORP as the Domain
  4. Enter Administrator as the Account
  5. Enter VMware1! as the Password
  6. Click the Submit button

Congratulations - you have successfully configured AirLift!

Review and Enable Co-Management in Workspace ONE AirLift

The first time you launch AirLift, you will be taken to a getting started page with direct links to different phases of Co-Management.  

Click on Plan to start using AirLift.   This will take us to the Collections screen.

1. Review Device Collections in AirLift and compare to SCCM

When AirLift connects to SCCM, it imports Device Collections from SCCM.  Let's take a look at the information which AirLift has imported and compare it to what is in our SCCM server.  

  1. Click the eye symbol to the right of Getting Started so that a \ is through it.   This will prevent Getting Started from coming up each time we refresh the page.
  2. Click on Collections, if you are not already there.
  3. Review the Collections that have already been imported into AirLift from SCCM. Notice all of the Device Collections which are imported have at least one device assigned.

1.1. Open the SCCM Console

Click the SCCM Console icon from the taskbar to return to the SCCM Console.

2. Review Management of Collections in AirLift

Back in the AirLift Console in Chrome,

  1. Click the checkbox next to the Win10 collection.
  2. You can Map, Enroll, and Manage devices in collections from these buttons. DO NOT interact with these yet; you will use them in upcoming steps to view the functionality.
    Map allows you to determine a Workspace ONE UEM Smart Group for this collection to belong to in order to enable Co-Management.
    Enroll is enabled once Co-Management is enabled for a Collection, and allows you to enroll devices into Workspace ONE UEM.
    Manage is enabled once Co-Management is enabled for a Collection, and allows you to view and manage the Smart Group that your collection is mapped to in Workspace ONE UEM.
  3. Data is refreshed from SCCM and Workspace ONE UEM on a schedule.  You can click this button to initiate an immediate refresh of Collection and Smart Group data.
  4. Click the number (1) in the Devices column for the Win10 collection.  This will open a page with details on the devices in this collection.

2.1. Review your Windows 10 Machine

  1. Review the machine in the Win10 collection.  This is the Win10-01a Virtual Machine that is available to you for this lab.
  2. Click the Collections link to return to the collections page.

3. Map the Win10 Collection

  1. Click the checkbox for the Win10 collection to select it.
  2. Click Map.

When you click the Map button on a Collection, a list of available Workspace ONE UEM Smart Groups will be displayed, which you can choose from to map your device collections to enable  Co-Management.

3.1. Map SCCM Collection to Workspace ONE Group

  1. Enter AirLift for Workspace ONE Group.  
    Notice that the AirLift group does not exist in the dropdown list of available Workspace ONE UEM Smart Groups.  Entering in the name manually will have the AirLift Smart Group automatically created and mapped for Co-Management in the Workspace ONE UEM Console.
    NOTE: If you had an existing Smart Group you wanted to use to map and enable Co-Management for, you could select that from the Workspace ONE Group dropdown instead.
  2. Click Save to have the Win10 Device Collection mapped to the AirLift Smart Group in Workspace ONE UEM.

3.2. Confirming AirLift Smart Group Creation

  1. After clicking save, a message from AirLift will confirm that the Smart Group creation and mapping is In Progress.  This will update to a clickable link once it is completed.
  2. Once completed, the Workspace Mapping will update to the AirLift Smart Group and the Management column will reflect that the devices in this collection are now Co-managed. Click the AirLift hyperlink; this takes you directly to the Smart Group in the Workspace ONE UEM Console.

NOTE - This process may take a few minutes to complete.  If the page does not refresh automatically, you can click the Refresh button on the browser or the Refresh button in AirLift to check if the task has completed after a few minutes!

3.3. AirLift Smart Group in Workspace ONE UEM Console

Notice that clicking the AirLift hyperlink in AirLift will automatically take you to the AirLift Smart Group mapping in the Workspace ONE UEM Console.

Click the Edit icon next to the AirLift Smart Group.

3.4. View Smart Group

  1. Scroll down to find the Tags section.
  2. Notice that a new custom tag is created with the format Co_Mgmt:site_<SCCM_Site_Code>:<Device_Collection_ID>.  This was generated automatically from AirLift.
  3. Click on the X to close this popup.

Review Workspace ONE AirLift

You will now review additional features and settings of AirLift to familiarize yourself with the console before upcoming exercises.

1. Review Devices in AirLift and Compare to SCCM

AirLift imports Windows 10 devices that are active SCCM Clients.  Let's take a look at what AirLift has imported and compare it to SCCM.  

In the AirLift Console in Chrome,

  1. Click on Devices in AirLift.
  2. Review details on the device imported into AirLift.

1.1. Compare Imported Devices to SCCM Device List

  1. Click the SCCM Console icon from the taskbar to return to the SCCM Console.
  2. Click on Assets and Compliance.
  3. Click on Devices.
  4. Review the list of devices in SCCM.  Notice there is only one active SCCM client that is running Windows 10.  This is the system that was imported into AirLift.

2. Review Applications in AirLift and compare to SCCM

AirLift imports metadata on SCCM Applications and allows these applications to be imported via APIs to Workspace ONE UEM.  This greatly simplifies the process of migrating applications to Workspace ONE without the need for repackaging.  

Back in the AirLift Console in Chrome,

  1. Click on Applications.
  2. Review the list of applications that have already been imported into AirLift.

2.1. Review Applications in SCCM

  1. Click the SCCM Console icon from the task bar.
  2. Click on Software Library.
  3. Expand Application Management.
  4. Click Applications.
  5. Review the applications in SCCM - notice they match what was imported into AirLift.

This module will not cover managing and migrating applications using AirLift in detail.  If you wish to learn more on this subject, refer to Migrating Applications from SCCM.

3. Review the AirLift Activity Log

The activity log shows details of actions such as exporting applications, or setting Workspace ONE or SCCM connection information.

In the AirLift Console in Chrome,

  1. Click on Activity Log.
  2. Review the Activity Log details.  Notice that the actions you have taken during this exercise have been logged here for review.  This section can be useful for recalling past actions and troubleshooting.

4. Review the AirLift Settings

All of the account settings that were set during the initial launch of AirLift can be modified in the Settings section.  In addition, Enrollment settings are managed here.   The enrollment section lets you build a custom enrollment package in SCCM or select an existing one.  

  1. Click on Settings in AirLift.
  2. Review the Workspace ONE settings.  These settings can be updated from here if required.
  3. Scroll down to Enter connection information for System Center Configuration Manager.

4.1. Review SCCM Connection Info

  1. Review the SCCM settings. These settings can be updated from here if required.
  2. Scroll back up to the very top.

4.2. Review Enrollment Application

  1. Click the Enrollment tab to manage enrollment settings.
  2. Select Yes for Use Existing Enrollment Application.
  3. You can select an existing SCCM application to use for enrollment.

DO NOT select anything for now, you will return to these settings when enrolling a device in upcoming steps.

5. Review the AirLift Dashboard

The AirLift dashboard provides real-time information on your workloads which are managed by AirLift.

  1. Click Dashboard.
  2. The Devices section shows the number of devices managed by Workspace ONE UEM.
  3. The Applications section shows the number of applications managed by Workspace ONE UEM.
  4. The Top Workloads section shows the highest workloads on enrolled systems.
  5. The Co-Management by Collection section shows the breakdown of SCCM and Co-Management by collection.

Now that you are familiar with the overview of AirLift, the upcoming exercises will show how to use AirLift to manage and enroll a device.

Migrating Devices and Users from SCCM

Introduction

In this exercise, migrate devices from Microsoft System Center Configuration Manager (SCCM) to VMware Workspace ONE using Workspace ONE AirLift.

Prerequisites

Before you can perform the procedures in this exercise, you must complete the following tutorials:

This exercise requires a user to enroll their device into Workspace ONE UEM. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

Set Up a Profile in Workspace ONE UEM

In this exercise, you will create a profile in the Workspace ONE UEM Console to configure BitLocker. These policies will be deployed to our AirLift Co-Managed devices and will be reported to our AirLift Dashboard. This allows us to co-manage the devices in this SCCM collection with AirLift and Workspace ONE UEM.

1. Create Windows 10 Profile for Devices

In the Workspace ONE UEM Console,

  1. Click Devices.
  2. Expand Profiles & Resources.
  3. Click Profiles.
  4. Click Add.
  5. Click Add Profile.

1.1. Select the Windows Platform

Select Windows.

1.2. Select the Device Type

Select Windows Desktop.

1.3. Select the Context

Select Device Profile.

1.4. Configure the Profile General Payload

  1. Enter BitLocker as the name of the profile.
  2. Select AirLift (your@email.shown.here) for the Assigned Groups.

1.5. Enable the Encryption Payload

  1. Select Encryption.
  2. Click Configure.

1.6. Configure the Encryption Payload

  1. Select System Partition for Encrypted Volume.
  2. Select System Default for Encrypted Method.
  3. Click the checkbox next to Only encrypt used space during initial encryption.
  4. Select Password for the Authentication Mode.
  5. Enter 8 for the Minimum Password Length.
  6. Click Save & Publish.

1.7. Publish the Encryption Profile

Click Publish.

1.8. Confirm the BitLocker Profile

View the BitLocker profile you just created, and make sure it is assigned to the AirLift group.

Enroll SCCM Devices in Workspace ONE UEM with AirLift

In this exercise, you will configure an SCCM Enrollment application for your Workspace ONE UEM tenant and then deploy the application to the AirLift Collection that you have enabled for Co-Management.

1. Create Enrollment Application in AirLift

In the AirLift Console in Chrome,

  1. Click Settings.
  2. Click Enrollment.
  3. Select No for Use Existing Enrollment Application.
  4. Enter Workspace ONE Enrollment.
  5. Select your VLP email address from the Organization Group dropdown.
  6. Enter StagingUser
  7. Enter VMware1!
  8. Enter labs.awmdm.com
  9. Check the Include Workspace ONE App option.  This option will automatically install the Workspace ONE app if it is not present on the device.
  10. Un-check the Include SCCM Integration Client option. This client is only needed when using pre-1709 Windows 10 and pre-1710 SCCM.
  11. Click Show.

1.1. Copy the Agent Install Command Line

  1. Click and drag and highlight the Agent Install Command Line.
  2. Right-click the highlighted text and click Copy.

You will modify and use this copied text in an upcoming step.

1.2. Enter the Enrollment Application Content Location

  1. Enter \\SCCM-01A\SCCMPackages\WS1 for Content Location. The needed files have been pre-staged at this location for your convenience.
  2. Click Create.

1.3. Confirm Application Creation

Click Proceed.

2. Review and Modify Workspace ONE Enrollment Application

The following steps involving modifying the Workspace ONE Enrollment app are not needed in production. However, you will need to update the install command-line for this lab.

2.1. Update Install Command Line

  1. Right-Click the Windows button.
  2. Click Search.
  3. Enter Notepad for the search.
  4. Click the Notepad application.

2.2. Paste the Copied Install Command Line Text

  1. Click Edit.
  2. Click Paste.
  3. Click Format.
  4. Click Word Wrap to enable wrapping.

2.3. Locate the LGName property

You will need to update the LGNAME value in our copied install command line to match your Group ID from the Workspace ONE UEM Console.  Continue to the next step to find the Group ID value to use here.

2.4. Update the LGNAME Value

Update the LGNAME value with your Group ID from the Workspace ONE UEM Console.  DO NOT use yourid1234 as shown, be sure to use your own Group ID.

2.5. Copy the Updated Install Command Line Text

  1. Click Edit.
  2. Click Select All.
  3. Click Edit.
  4. Click Copy.
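
Steps 2.1 to 2.5 edit a command line that carries the enrollment Group ID and the staging account's credentials in clear text. The PowerShell below is an added example, not part of the original tutorial or VMware's tooling, that checks the edited text for a leftover yourid1234 placeholder and builds a redacted copy for notes or tickets. Assumptions: the sample command line, its MSI file name and every property name other than LGNAME are constructed for illustration, and Get-MsiProperty and Test-EnrollmentCommandLine are hypothetical helper names.

```powershell
# Added example: sanity-check an edited agent install command line before it is
# pasted into the SCCM deployment type. Helper names are hypothetical.

function Get-MsiProperty {
    # Extract NAME=value pairs (MSI public properties) from a command line.
    param([Parameter(Mandatory)][string]$CommandLine)
    $props   = [ordered]@{}
    $pattern = '\b(?<name>[A-Za-z_][A-Za-z0-9_]*)=(?<value>"[^"]*"|\S+)'
    foreach ($m in [regex]::Matches($CommandLine, $pattern)) {
        $name = $m.Groups['name'].Value.ToUpperInvariant()
        $props[$name] = $m.Groups['value'].Value.Trim('"')
    }
    return $props
}

function Test-EnrollmentCommandLine {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        # Group ID printed in the tutorial; it must be replaced with your own.
        [string[]]$PlaceholderGroupId = @('yourid1234')
    )
    $props    = Get-MsiProperty -CommandLine $CommandLine
    $problems = [System.Collections.Generic.List[string]]::new()
    $warnings = [System.Collections.Generic.List[string]]::new()

    if (-not $props.Contains('LGNAME')) {
        $problems.Add('LGNAME is missing, so no Group ID is passed to the installer.')
    }
    elseif ($PlaceholderGroupId -contains $props['LGNAME']) {
        $problems.Add("LGNAME is still the tutorial placeholder '$($props['LGNAME'])'.")
    }

    if ($CommandLine -match '[\r\n]') {
        $problems.Add('Command line contains a line break; paste it as one line.')
    }

    # Properties whose names suggest a credential. Their values sit in clear
    # text in Notepad, on the clipboard and in the SCCM deployment type.
    $secretNames = @($props.Keys | Where-Object { $_ -match 'PASSWORD|PWD|SECRET' })
    $redacted = $CommandLine
    foreach ($name in $secretNames) {
        $rx = '(?i)\b' + [regex]::Escape($name) + '=("[^"]*"|\S+)'
        $redacted = [regex]::Replace($redacted, $rx, "$name=<redacted>")
    }
    if ($secretNames.Count -gt 0) {
        $warnings.Add("Clear-text credential properties: $($secretNames -join ', ').")
        $warnings.Add('Close Notepad without saving and clear the clipboard afterwards.')
    }

    [pscustomobject]@{
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
        Warnings   = $warnings
        Properties = $props
        Redacted   = $redacted   # safe to paste into change records
    }
}

# Constructed sample input. Only LGNAME and the example values come from the
# tutorial; the MSI name and the other property names are assumptions.
$sample = 'msiexec /i "Agent.msi" /quiet SERVER=labs.awmdm.com ' +
          'LGNAME=yourid1234 USERNAME=StagingUser PASSWORD=VMware1!'

$result = Test-EnrollmentCommandLine -CommandLine $sample
$result.Problems    # reports the leftover placeholder Group ID
$result.Warnings    # reports the clear-text PASSWORD property
$result.Redacted    # same command line with PASSWORD=<redacted>
```

The staging account should be limited to enrollment, since anyone who can read the deployment type's Installation program field can read its password.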

3. Review and Modify Properties of Workspace ONE Enrollment Application

  1. Click the SCCM Console icon from the task bar.
  2. Click Software Library.
  3. Expand Application Management.
  4. Click Applications.
  5. If you do not see the Workspace ONE Enrollment application in the list, you may need to click the Refresh button.
  6. Right-Click the Workspace ONE Enrollment application.
  7. Click Properties.

3.1. Edit the Workspace ONE Enrollment Windows Installer

  1. Click the Deployment Types tab.
  2. Select the Workspace ONE Enrollment - Windows Installer x64 (*.msi file).
  3. Click the Edit button.

3.2. Replace the Installation Program Command

  1. Click the Programs tab.
  2. In the Installation program text box, remove ALL existing text and paste your copied install command.
  3. Click OK.

3.3. Save the Deployment Types Changes

Click OK again to save your changes.

4. Enroll Members of the Win10 Collection into Workspace ONE UEM

Now that we have created the Workspace ONE Enrollment app using AirLift and mapped our Win10 device collection to the AirLift Smart Group, we will leverage AirLift to automatically onboard our Win10 collection devices into Workspace ONE UEM.

4.1. Enroll the Win10 Collection into Workspace ONE UEM

In the AirLift Console in Chrome,

  1. Click Collections.
  2. Click the checkbox next to the Win10 collection.
  3. Click the Enroll button.

4.2. Confirm Devices Affected

Click the Enroll button to confirm the enrollment - notice 1 Device will be affected.

4.3. Review Enrollment Confirmation

Review the enrollment confirmation. The devices in the Win10 collection have begun enrollment.

5. Review Enrollment Application Deployment in SCCM

Back in the SCCM Console, ensure the Workspace ONE Enrollment app is selected.

  1. Click on the SCCM Console icon on the task bar.
  2. Ensure the Workspace ONE Enrollment app is still selected.
  3. Click on the Deployments tab.
  4. Notice there is a deployment which was created by AirLift.  This deployment is mandatory and automatic and targets the Win10 collection.

6. Return to the Main Console

Click the Close (X) button to return to the Main Console.

7. Connect to Windows 10 Device

Double-click the Win10-01a.rdp shortcut on the desktop of the Main Console.

7.1. Launch Configuration Manager

Double-click the Configuration Manager shortcut on the desktop of the Windows 10 device.

7.2. Force policy update on SCCM Client

We will now force a policy retrieval cycle on the SCCM client in order to speed up the process of receiving the deployment and enrolling the device into Workspace ONE UEM.

  1. Click the Actions tab.
  2. Select Machine Policy Retrieval & Evaluation Cycle.
  3. Click the Run Now button.

7.3. Confirm the Cycle Prompt

Click OK to acknowledge that the cycle may take several minutes to complete.

8. Monitor Enrollment into Workspace ONE

Watch for the AirWatch Enrollment icon on the desktop of the Windows 10 system.

The deployment will run automatically and should happen fairly quickly. If you watch the desktop of the Windows 10 client, you will see the AirWatch Enrollment icon appear on the desktop. This means the enrollment process is running. This process should only take a few minutes at most to complete.

9. Verify via Software Center

Click the icon shortcut on the taskbar of the Windows 10 device to launch the SCCM Software Center.

9.1. Software Center

We can also verify that the deployment has been received on the Windows 10 client by reviewing the SCCM Software Center.

  1. Click the Applications tab.
  2. Notice the Workspace ONE Enrollment deployment has been received on the Windows 10 client.

You don't need to run the deployment manually.  It will execute automatically.

Review and Validate the Enrolled Windows 10 Device

You will now review the enrolled Windows 10 device in the Workspace ONE UEM Console and AirLift Console to see how to confirm that the enrollment was successful.  You will also verify that the BitLocker profile you configured was delivered to the device.

1. Return to the Main Console

Click the Close (X) button on the Remote Desktop Connection to return to the Main Console.

2. Connect to the SCCM Server

Launch sccm-01a.rdp from the main desktop.

3. Initiate Full Sync for AirLift

We will want to perform a real-time sync between AirLift and Workspace ONE UEM to see an updated dashboard.

In the AirLift Console in Chrome,

  1. Click Settings.
  2. Scroll down to the bottom of the Account tab.
  3. Click Sync.

3.1. Review AirLift Dashboard

  1. Click on the Dashboard link on the left pane of AirLift.
  2. Notice on the Top Workloads section, you see there is a client with Encryption and Compliance Enabled.

4. Return to the Main Console

Click the Close (X) button to return to the Main Console.

5. Connect to Windows 10 Device

Double-click the Win10-01a.rdp shortcut on the desktop of the Main Console.

6. Review Enrolled Client in Workspace ONE UEM Console

In the Workspace ONE UEM Console,

  1. Click Devices.
  2. Click List View.
  3. If you navigate to the Workspace ONE UEM Console quickly enough, you may see that the device is enrolled to the StagingUser account.  Shortly after enrolling your user credentials for aduser, the device will show it is enrolled for aduser instead.  Click the device link to view the Device Details View.

6.1. Review Device Details

  1. Notice the device is a member of the AirLift Workspace ONE Smart Group, due to enabling Co-Management.
  2. Review the computer name. This matches what we saw earlier in the SCCM and AirLift consoles.
  3. Notice the device has had the Co-Management tag added to it.   This is the same tag that was added to the Workspace ONE AirLift Smart Group.   This is what enables synchronization between SCCM and Workspace ONE during Co-Management.

7. Verify BitLocker Profile is Pushed via AirLift Co-Management

The BitLocker Encryption dialog will pop up, indicating the device was enrolled into Workspace ONE UEM and that it is properly enabled for Co-Management.

  1. Enter VMware1! for the password.
  2. Enter VMware1! for the password confirmation.
  3. Click the Encrypt button to start BitLocker encryption.
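
The dialog confirms the profile arrived, but not that the volume ends up protected. The PowerShell below is an added example, not part of the original tutorial or VMware's tooling, that reads the system volume's BitLocker state with the built-in Get-BitLockerVolume cmdlet and compares it with the profile configured earlier (system partition, password authentication). Test-BitLockerProfileApplied and Wait-BitLockerProfileApplied are hypothetical helper names, and the script assumes an elevated session on the enrolled Windows 10 device.

```powershell
#Requires -RunAsAdministrator
# Added example: confirm on the enrolled device that the BitLocker profile's
# settings are visible on the system volume. Helper names are hypothetical.

function Test-BitLockerProfileApplied {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Collapse the cmdlet's VolumeStatus into the three states that matter here.
    $state = switch ("$($vol.VolumeStatus)") {
        'FullyDecrypted'       { 'NotStarted' }
        'EncryptionInProgress' { 'InProgress' }
        'FullyEncrypted'       { 'Encrypted' }
        default                { "Other ($_)" }
    }

    $isOsVolume   = ("$($vol.VolumeType)" -eq 'OperatingSystem')
    $hasPassword  = ($protectors -contains 'Password')
    $protectionOn = ("$($vol.ProtectionStatus)" -eq 'On')

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        IsOsVolume           = $isOsVolume      # profile: System Partition
        HasPasswordProtector = $hasPassword     # profile: Authentication Mode = Password
        KeyProtectors        = $protectors
        EncryptionState      = $state
        EncryptionPercentage = $vol.EncryptionPercentage
        # Reported only: "System Default" in the profile names no fixed cipher.
        EncryptionMethod     = "$($vol.EncryptionMethod)"
        ProtectionOn         = $protectionOn
        # Protection is reported as On only once encryption has completed.
        Compliant            = ($isOsVolume -and $hasPassword -and
                                $state -eq 'Encrypted' -and $protectionOn)
    }
}

function Wait-BitLockerProfileApplied {
    # Poll until the volume is compliant or the timeout expires.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [int]$TimeoutMinutes = 60,
        [int]$PollSeconds = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $status = Test-BitLockerProfileApplied -MountPoint $MountPoint
        if ($status.Compliant) { return $status }
        if ($status.EncryptionState -eq 'NotStarted') {
            Write-Warning 'Encryption has not started; the profile prompt may still be open.'
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    return $status   # last observed state; Compliant is $false
}

# Typical use after clicking Encrypt in the dialog:
# Wait-BitLockerProfileApplied -TimeoutMinutes 30 | Format-List
```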

8. Close the VMware Workspace ONE App

The Workspace ONE Application will open automatically after enrollment.  

Click the X to close the application.  We don't use it during this exercise.  

9. Validation Completed

Congratulations!  You have successfully enrolled your Windows 10 device into Workspace ONE UEM using AirLift and validated a successful enrollment after pushing a BitLocker profile to the device!

Conclusion

In this module you have learned how to set up and use VMware Workspace ONE AirLift to set up Co-Management between SCCM and Workspace ONE. You have also learned how to automatically enroll SCCM devices into Workspace ONE using AirLift.

Migrating Applications from SCCM

Introduction

In this module, you will migrate an application from Microsoft System Center Configuration Manager (SCCM) to Workspace ONE UEM using Workspace ONE AirLift.

Migrate Application from SCCM to Workspace ONE UEM with AirLift

1. Review Applications in AirLift

AirLift imports metadata on SCCM Applications and allows these applications to be imported via APIs to Workspace ONE UEM.  This greatly simplifies the process of migrating applications to Workspace ONE without the need for repackaging.  

Back in the AirLift Console in Chrome,

  1. Click on Applications.
  2. Review the list of applications that have already been imported into AirLift.

1.1. Review Applications in SCCM

  1. Click the SCCM Console icon from the task bar.
  2. Click on Software Library.
  3. Expand Application Management.
  4. Click Applications.
  5. Review the applications in SCCM - notice they match what was imported into AirLift.

1.2. Confirm Apps in SCCM are not available in Workspace ONE UEM

In the Workspace ONE UEM Console,

  1. Click Apps & Books.
  2. Expand Applications.
  3. Click Native.
  4. Click the Internal tab.
  5. Confirm that the applications seen in AirLift and SCCM are currently unavailable in the Workspace ONE UEM Console.

2. Managing Applications in AirLift

In the AirLift Console in Chrome,

  1. Click the checkbox next to 7-Zip 17.01 (x64 edition).
  2. Click on the informational tooltip. Notice we receive a validation warning since our app in SCCM is set for both system/user install context. AirLift tells us it will default to using Device context when exporting to Workspace ONE UEM.
  3. Click the Export button to export an application from SCCM to Workspace ONE UEM.

2.1. Export Applications Confirmation

Click Export to confirm.

2.2. Viewing Exported App in Workspace ONE UEM Console

AirLift indicates when an application has been exported, then displays a link under the Workspace Application column.

  1. After the Application has been exported, the Status will change from Exporting to Exported.
  2. To manually check the status of the export, click the Refresh button.
    NOTE: The application may take several minutes to finish exporting.
  3. Click the 7-Zip 17.01 (x64 edition) hyperlink, which takes you directly to the app in the Workspace ONE UEM console.

2.3. Assign 7-Zip

Click Assign.

2.4. Assign and Publish the Application

Once we export the app to the Workspace ONE UEM console, all you have to do is assign the app to devices. In this case, we will assign the app to our AirLift smart group which we mapped to our Win10 SCCM device collection.

Click Add Assignment.

2.5. Add Assignment

  1. Select the AirLift smart group for the Assignment Group.
  2. Select Auto for the App Delivery Method.

2.6. Configure Assignment Policies

  1. Scroll down to the Policies section.
  2. Select Enabled for Make App MDM Managed if User Installed.
    NOTE: This option allows Workspace ONE UEM to assume management of an application that the user has already installed, allowing you to check for installation status and manage the application as necessary.
  3. Click Add.

2.7. Update Assignment

Click Save & Publish.

2.8. Publish

Click Publish.

Connect to the Windows 10 Virtual Machine

Click the Close (X) button to return to the Main Console.

1. Connect to Windows 10 Virtual Machine

Double-click the Win10-01a.rdp shortcut on the desktop of the Main Console.

Confirm Application Install on Windows 10 Device

  1. Click the Windows button.
  2. Click the dropdown next to the 7-Zip folder.
  3. Confirm the 7-Zip File Manager.exe has installed on the device.
  4. You may also notice that the 7-Zip File Manager.exe has been added to the Recently Added list at the top of the start menu.

This confirms that you were able to successfully export the application details from SCCM, import the application into Workspace ONE UEM and then assign and install the application to your devices.

Conclusion

This module reviewed how to utilize AirLift to quickly migrate your desired application from SCCM to Workspace ONE UEM and how to deploy this application to your devices and users.

Migrating GPOs from SCCM

Introduction

This exercise helps you to migrate your Group Policy Objects (GPOs) to Workspace ONE UEM and assign those GPOs to users and devices.

This exercise contains the following procedures:

  • Download and Run AirWatch GPO Migration Tool
  • Upload GPOs to Workspace ONE UEM
  • Assign and Test GPO App Package
  • Enroll Windows 10 Device
  • Verify GPO App Package Installation

Prerequisites

In addition to the previous requirements, you must also satisfy the following:

  • Windows 10 domain-joined device
  • PowerShell with admin rights
  • API Key
  • Workspace ONE UEM Console
  • AirWatch admin account
  • LGPO.EXE

Mapping GPOs to Custom Settings Profiles

The MDM Migration Analysis Tool (MMAT) determines which Group Policies have been set for a target user/computer and cross-references them against its built-in list of supported MDM policies. MMAT then generates both XML and HTML reports indicating the level of support for each Group Policy in terms of MDM equivalents.

Use the MDM Migration Analysis Tool (MMAT) to determine which Group Policies in your current environment have an MDM equivalent.

To watch a video demonstrating this procedure, click GPOs & Custom Settings Profiles using MMAT and Workspace ONE, or click the video itself.

Deploying the GPO Migration Tool

Most of this exercise is performed on the SCCM Server, where we download the AirWatch GPO Migration Tool and deploy our modified local policies to other devices.

1. Download the AirWatch GPO Migration Tool

  1. Enter https://code.vmware.com/samples/3527/airwatch-gpo-migration-tool in the navigation bar and press Enter.
  2. Click Download.

1.1. Extract ZIP Contents

Wait for the AirWatch-samples-master.zip download to complete.

  1. Select the drop-down arrow for the AirWatch-samples-master.zip item on the download bar.
  2. Select Show in folder.

1.2. Extract the ZIP Contents

  1. Right-click the AirWatch-samples-master.zip file.
  2. Select Extract All... from the menu.

1.3. Select ZIP Contents Extraction Location

  1. Enable Show extracted files when complete.
  2. Click Browse.

1.4. Set the Extraction Location to the Desktop

  1. Select Desktop.
  2. Click OK.

1.5. Extract the ZIP Contents to the Desktop

Click Extract.

2. Run the AirWatch GPO Migration Tool

  1. Click the PowerShell icon in the task bar.
  2. Enter the below command and then press Enter to change directory to the AirWatch GPO Migration folder:
cd "C:\Users\administrator.CORP\Desktop\AirWatch-samples-master\Windows-Samples\Tools & Utilities\AirWatch GPO Migration"

Note: Right-click to paste the copied path in PowerShell from the previous step, or click and drag the above command into your PowerShell window.

2.1. Run the AirWatch GPO Migration Tool

  1. Enter .\Migrate-GPO-AirWatch.ps1 and press Enter.
  2. Notice that we receive a warning that the tool requires the Microsoft Security Compliance Toolkit.  Click and drag to highlight the link, and then hit enter to copy the text.

4. Run the AirWatch GPO Migration Tool after Setup

  1. Click the PowerShell icon from the Task bar to return to your PowerShell terminal.
  2. Run the tool again by entering .\Migrate-GPO-AirWatch.ps1 and pressing Enter.
    Note: You can press the Up Arrow on the keyboard to quickly re-enter your previous commands rather than re-typing the command.
  3. Confirm that the PowerShell console output shows that the Initialization check completed successfully and is presenting you with the Task dialog.

5. Modify Local GPO Settings

Before proceeding, modify the local GPO so that we can capture and distribute these changes to other devices to confirm that our deploy was successful.

  1. Right-click the Windows icon.
  2. Click Run.

5.1. Launch Local Group Policy Editor

To launch the Local Group Policy Editor, enter gpedit.msc and click OK.

5.3. Select Active Power Plan

  1. Select Enabled.
  2. Select High Performance as the Active Power Plan.
  3. Click OK.

Use this local GPO as a reference on our enrolled devices to ensure that our captured policies applied correctly.

6. Capture GPO Backups

  1. Return to the PowerShell Terminal by clicking the PowerShell icon on the taskbar.
  2. At the Task prompt, enter 2 and press enter.
    Note: If the PowerShell script is no longer running, start it again by entering .\Migrate-GPO-AirWatch.ps1 and pressing enter first.
  3. Confirm that the output shows that the local GPO was captured after task finishes.

7. View GPO Backups

From the PowerShell prompt, enter 1 and press return to view the list of GPO backups.

Note: If the script is no longer running, enter .\Migrate-GPO-AirWatch.ps1 and press return.

7.1. Confirm Captured GPO Backup Displays

  1. Any captured or copied GPO backups placed in the expected directory (/GPO Backups) are displayed.  Notice that the GPO backup we just created is available in this list.
  2. Click OK to close the window.

8. Using External GPO Backups

If you have previously captured GPO backups that you want to use with this tool, you can include these in the /GPO Backups folder of the tool directory. Any GPO backups available in the /GPO Backups folder display as selectable GPOs for Option 1 (Viewing GPOs) and option 3 (Uploading GPOs to AirWatch).

8.2. Paste the Security GPO Backups in the GPO Backups folder

  1. Select AirWatch-samples-master.
  2. Select Windows-Samples.
  3. Select Tools & Utilities.
  4. Select AirWatch GPO Migration.
  5. Select GPO Backups.
  6. Right-click within the GPO Backups folder.
  7. Select Paste to insert the Security GPO Backup folders that were previously copied.

8.3. View GPO Backups from the Tool

  1. Return to the PowerShell Terminal by clicking the PowerShell icon on the taskbar.
  2. At the Task prompt, enter 1 and press enter to view the GPO Backups.
    Note: If the PowerShell script is no longer running, start it again by entering .\Migrate-GPO-AirWatch.ps1 and pressing enter first.

8.4. Confirm the Security GPO Backups Are Listed

  1. Confirm that the four Security GPO Backups that were copied into the GPO Backups folder now display next to the local GPO capture that was taken previously for a total of five GPO Backups.
  2. Click OK to close the dialog box.

Building a GPO Package

1. (Optional) Run the Script

  1. If the script is no longer running, enter .\Migrate-GPO-AirWatch.ps1 and press Enter.  Continue to the next step if the script is already running.
  2. Enter 4 for the Task Selection and press Enter.

2. Select the Captured Local GPO Backup

  1. Select the locally captured GPO Backup, which is named "GPO <computername> <date> <time>"
  2. Click OK.

3. Confirm the Package Built Successfully

The PowerShell script shows progress as it completes the task and opens the build folder upon completion.

  1. Note the location of GPO Uploads folder, which is where the build folder is output.  We need to access this in an upcoming exercise to upload our "GPO <computername> <date> <time>.zip" package to the Workspace ONE UEM Console.
  2. Confirm that you have both an installpath.txt file and the GPO Package (named "GPO <computername> <date> <time>.zip") in the output folder.

Continue to the next step.

Uploading the GPO Package

1. Return to the PowerShell Terminal

Click the PowerShell icon from the task bar.

2. Establish the API Connection

Enter 3 and press return to select Upload GPO to AirWatch.
Note: If the script is no longer running, enter .\Migrate-GPO-AirWatch.ps1 and press return.

2.1. Enter Workspace ONE UEM API Authentication Details

Provide the following details and press the return key after each.

  1. Enter your Workspace ONE UEM hostname for the awServer parameter.
  2. Enter your username for the awUsername parameter.  This is the same username you used to log in to the Workspace ONE UEM Console in previous steps.
  3. Enter your password for the awPassword parameter.

2.2. Enter the API Key

Paste the API Key for the awTenantAPIKey parameter by right-clicking, then press Enter.

2.3. Enter the Organization Group Numerical ID

Paste the copied Organization Group Numerical ID for the awGroupID parameter by right-clicking, then press Enter.

3. Select the GPO to Upload

The Select GPO Backups for Upload dialog box appears.

  1. Select the GPO captured in the previous step. This GPO is in the format GPO<machine><name><date><time>.
  2. Click OK.

A series of loading tasks will run, noted by the progress bars at the top of the PowerShell terminal. These inform you what step the process is currently on.

4. Confirm the GPO Package App Uploaded Successfully

When the process has completed successfully, you should see the following text:

Successfully saved GPO package app to the AirWatch Console!

----- IMPORTANT -----
Be sure to navigate to the AirWatch Console and assign the `{filename}' to the appropriate users and devices!
----- IMPORTANT -----

Note: If you are uploading multiple GPOs in a single package, they will be applied to enrolled devices in the order in which they are selected in this UI. If the order of the GPOs matters for your deployment, ensure you select them in the intended order.

The app is now uploaded to the Workspace ONE UEM Console and is ready for assignment.  We will assign this to a device in an upcoming exercise.

Assigning the GPO Package

After the GPO app package is uploaded using the tool, the final step is to add assignments to deploy to the users and/or devices that you designate.

1. Navigate to Assignment Settings

  1. In the Workspace ONE UEM Console, select Apps & Books.
  2. Select Applications.
  3. Select Native.
  4. Select the GPO package uploaded in the previous exercise.
  5. Click Assign.

2. Add Assignment

Click Add Assignment.

3. Update the App Assignment Details

  1. For Select Assignment Groups, select All Devices.
  2. For App Delivery Method, select Auto.
  3. Click Add.

4. Save & Publish

Click Save & Publish.

5. Publish the GPO App Package

Click Publish.

Verifying GPO Package Installation

With the application uploaded, assigned, and enrolled, we will now verify that the GPO app package is applied successfully to our enrolled device.

1. Open Group Policy Editor

  1. In Windows Search, enter gpedit.msc.
  2. Click gpedit.msc.

1.1. Allow Microsoft Management Console to Make Changes to Device (IF NEEDED)

If you are prompted to allow the Microsoft Management Console to make changes to your device, click Yes.

If you do not see this prompt, continue to the next step.

1.3. Open the Active Power Plan Settings

Double-click Select an active power plan.

1.4. Confirm Policy Settings

Confirm that the policy is Enabled and that the Active Power Plan is set to High Performance.

2. Confirm Power and Sleep Settings

  1. In Windows Search, enter power & sleep settings.
  2. Click Power & sleep settings.

2.2. Confirm the Power Options Settings shows High Performance

  1. Confirm that the set plan is set to High Performance.
  2. You should also see a notification above the power plans stating Some settings are managed by your system administrator. Click this message to see that the settings are unavailable to change because they are being controlled by policies.

This exercise demonstrates how you can capture and export GPOs from one device and quickly apply the same settings to another device without the need to create profiles or policies manually.

Managing CSPs Using VMware Policy Builder

Introduction

In this exercise, learn the benefits of modern policy management, and walk through the process of migrating from traditional to modern policy management.

Benefits of Modern Management

Traditional Windows management for domain joined devices relies on centrally managed Group Policies (GPOs), and distributed Local Policies (LGPOs) for non-domain joined machines. This approach works well for devices tethered to physical office locations with domain-joined, always-on corporate network systems.

However, when it comes to the mobile workforce, which includes Windows 10, traditional management exhibits some limitations:

  • Too Inflexible - To receive GPO updates, devices must log into the domain network.
  • Difficult to Control - No centralized management makes LGPOs difficult to control.

In contrast, modern management uses interfaces, known as Configuration Service Providers (CSPs), to push registry and file system settings to devices over-the-air. This approach effectively addresses the primary limitations of traditional management:

Traditional limitation - Modern management

  • Too Inflexible - Over-the-air management allows devices to receive updates in real time without logging into the domain network.
  • Difficult to Control - Workspace ONE UEM provides centralized management capabilities.

Modern Management with Workspace ONE UEM

Workspace ONE UEM delivers policies to devices through profiles. Many policies are available for direct configuration within the console's UI.

If a policy is not available in the UI, use the Custom Settings profile. This profile allows you to upload XML to configure the CSP and publish its settings to devices.

To save time and effort creating the XML, use the VMware Policy Builder tool to:

  • Generate or modify XML using the form-based UI
  • Only push policies supported by the device OS
  • Configure or modify multiple CSPs
  • Dynamically generate SyncML
  • Filter through options

Prerequisites

Logging In To VMware Policy Builder

2. Log In to VMware Policy Builder

If you have a My VMware account do the following to log in.

  1. Enter the email address you use for My VMware
  2. Enter the password for your My VMware account
  3. Click the Login button to log into the Policy Builder

 

Reviewing VMware Policy Builder Features

Most of the steps in this exercise use the VMware Policy Builder. This section walks through the VMware Policy Builder's UI and its key features.  

  1. This link takes you back to the list of Configuration Service Providers which can be configured via the tool.
  2. Once a CSP is selected, this link allows you to enter configuration parameters and have the SyncML generated automatically.
  3. When this link is clicked, you are taken to a page which allows you to paste in existing SyncML which can be modified graphically.
  4. This link allows you to generate a unique GUID and copy it to the clipboard.  Some CSP configurations require a GUID to be passed in.  
  5. This is the list of supported Windows 10 operating systems.  The CSPs are unique and specific to the OS version you are targeting.  
  6. This is the list of CSPs and associated DDF files.  Device Description Framework (DDF) files contain the configuration details of a CSP in XML format.

Creating a Custom Desktop Background CSP

In this section, use VMware Policy Builder to create a desktop background custom policy for a Windows 10 device - something that is routinely done through traditional group policy management.  

1. Open Personalization CSP Settings

  1. Set the CSP Baseline to Windows 10, 1709 - the operating system of the device used in this exercise.
  2. Type person in the filter box to quickly find the Personalization CSP.
  3. Select the Personalization check-box.
  4. Click the Configure button to begin creating a custom policy.

2. Configure the Personalization CSP

  1. Enter c:\hol\vmware.jpg in the Desktop Image Url section.
  2. Notice the SyncML is generated for you dynamically including the configuration data you entered.
  3. Click the Copy button to copy the SyncML.  

Note: Keep track of the copied SyncML, because it is required for the Workspace ONE UEM configuration.

Creating a Desktop Background Custom Settings Profile

In this section, create a Custom Settings profile for Windows 10 that contains the SyncML generated in the policy builder. Then, use Workspace ONE UEM to push the desktop background policy to a Windows 10 device, and verify the setting applied.  

2. Select Platform

Select the Windows icon.

Note: Make sure that you select Windows and not Windows Rugged.

3. Select Device Type

Select Windows Desktop.

4. Select Context

Select Device Profile.

5. Configure General Settings

  1. Enter Background Image as the Name.
  2. Under Assigned Groups, select All Devices

6. Open Custom Settings

  1. Scroll down to the bottom on the left pane, and select Custom Settings.
  2. Click Configure.

7. Configure Custom Settings

  1. Paste the SyncML you copied earlier into the textbox next to Custom Settings, leave all other defaults.
  2. Click Save & Publish

8. Confirm Device Assignment and Publish

  1. Verify the profile is assigned to the correct device.
  2. Click Publish to push the CSP down to your Windows 10 device.

9. Verify the Desktop Background Changed

In this section, log out and then log back in to the Windows 10 machine and verify the desktop image changed.  

  1. Right-Click the start button.
  2. Choose Shut down or sign out.
  3. Select Sign out.
  4. Reconnect to the Windows 10 device.

Notice that the desktop background is now set to a VMware logo.   This was done via the Personalization CSP and pushed to your Windows 10 machine with Workspace ONE.  

Updating an Existing Cortana CSP

In this exercise, use VMware Policy Builder to update existing SyncML and disable Cortana.

1. Copy Existing SyncML

<Replace>
  <CmdID>4bfee036-2523-413e-aba3-40102dbca0f5</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data>1</Data>
  </Item>
</Replace>

Select all of the SyncML above from <Replace> to </Replace> and copy it.  

2. Paste the SyncML text

  1. Click the Modify button.
  2. Paste the copied SyncML into the SyncML pane.  

3. View the Allow Cortana Setting

  1. Expand Policy.
  2. Expand Device.
  3. Expand Config.
  4. Scroll down and expand Experience.
  5. Notice Allow Cortana is set to 1.  That means Cortana is currently enabled.  

4. Disable Allow Cortana and copy SyncML

  1. Enter 0 under Allow Cortana
  2. Notice the SyncML dynamically updated, and it now shows a 0 for Data
  3. Click the Copy button to copy the SyncML

Creating a Disable Cortana Custom Settings Profile

2. Select the Platform

Select the Windows icon.

3. Select the Device Type

Select Windows Desktop.

4. Select Context

Click Device Profile.

5. Define the General Settings

  1. Select General if it is not already selected.
  2. Enter a profile name, such as Disable Cortana, in the Name text box.
  3. Scroll down to Assigned Groups, click the field, and select All Devices from the list that populates.

Note: Do not click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

6. Open the Custom Settings Payload

  1. Select the Custom Settings payload from the menu on the left.
  2. Click the Configure button to begin configuring payload settings.

7. Configure Custom Settings

  1. Paste the copied "disable Cortana" SyncML into the Custom Settings text box.
  2. Click Save & Publish.

8. Review Assignment & Publish

  1. Review the device assignment.  It should be your Windows 10 desktop which you recently enrolled into Workspace ONE.
  2. Click the Publish button to push the CSP down to your Windows 10 device.

9. Restart the Device

In order to immediately see the disable Cortana policy apply on the Windows 10 device, log out and then back in.  

  1. Right-click the start menu.
  2. Choose Shut down or sign out.
  3. Select Sign out.
  4. Reconnect to the Windows 10 device.

10. Verify the Profile Applied

Click the search bar, located to the right of the start menu, and notice that Cortana is disabled.  

Configuring Custom Settings to Use Pre-released Configuration Service Providers (CSP)

The Custom Settings payload provides a way to use newly released Windows functionality in Workspace ONE UEM. When you want to use the new features supported on Windows Insider builds, you can use the Custom Settings payload and SyncML (XML) code to enable or disable certain settings manually.

1. Requirements

SyncML code must be generated to leverage the Custom Settings payload. Use one of the following methods to generate your SyncML:

Microsoft publishes a Configuration Service Provider (CSP) reference on its website: https://aka.ms/CSPList

The Custom Settings profile appends the appropriate SyncML Atomic tags to the beginning and the end of the code. You must generate the appropriate code between any <Add>, <Replace>, <Delete>, or <Exec> tags. Optionally, to condense the size of the code, you can remove all whitespace and linearize the SyncML code.

1.1. Example SyncML without Atomic Tags

The following text is an example of SyncML without atomic tags.

<Replace><CmdID>2</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI></Target><Meta><Format xmlns="syncml:metinf">chr</Format></Meta><Data>{"Account":"standard","AUMID":"AirWatchLLC.AirWatchBrowser_htcwkw4rx2gx4!App"}</Data></Item></Replace>

2. Configure Custom Payload

2.1. Add a Profile

In the upper-right corner of Workspace ONE UEM Console:

  1. Select Add.
  2. Select Profile.

2.2. Add a Windows Profile

Select the Windows icon.

2.3. Add a Windows Desktop Profile

Select Windows Desktop.

2.4. Select Context – Device Profile

Select User Profile or Device Profile.

Note: Refer to the LocURI to determine the correct User/Device context needed. In the SyncML example, the LocURI begins with ./Device/, so the profile applies to the device. If it began with ./User/ instead, it would apply only to that user.

Note: Policy scope is the level at which a policy can be configured. For more information, see the Microsoft Policy CSP article.

2.5. Define the General Settings

General settings determine how the profile is deployed and who receives it. For more information on General settings, see Add General Profile Settings in the VMware AirWatch Mobile Device Management Guide.

2.6. Select Custom Settings Payload

  1. Select the Custom Settings payload.
  2. Click Configure.
  3. Paste the SyncML you generated in the text box. The SyncML code you paste must contain the complete block of code, from <[characteristic]> to </[characteristic]>, where characteristic can be Add, Delete, Replace, or Exec. Do not include anything before or after these tags.
  4. Click Save & Publish.

3. Making Updates/Deleting Custom Settings Profiles

Workspace ONE UEM has built-in logic for fully integrated payloads; for instance, when you remove a profile, Workspace ONE UEM sends a Delete action to remove the profile payload's configurations. Custom Settings have no such logic: to update settings you must use the Replace tag, and to remove settings you must use the Delete tag. When removing settings, do not include the Data tags; only the LocURI is needed.

3.1. Sample Removing Kiosk (Assigned Access) Configuration

<Delete><CmdID>2</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI></Target></Item></Delete>

4. Using Samples from VMware Sample Exchange

Workspace ONE UEM provides a seamless experience when using custom settings for Windows 10 devices. You can find fully tested and validated samples at the VMware Code Sample Exchange. Pay attention to the supported Windows 10 edition, as some samples apply only to Surface Hub devices (Team) or require Enterprise or Education editions. For more information and to access the samples, see VMware Sample Exchange.

5. Using Existing Profiles to Create Custom Settings

Many organizations that deploy on-premises or dedicated SaaS environments cannot use the latest feature updates to keep up with Windows 10 releases. You can use your user acceptance testing (UAT) environment to create the profile, export the generated SyncML, and paste it into your production environment. This allows you to take advantage of newly released capabilities between the time they are released and the time your production environment is upgraded to support them.

5.1. Create a Windows Profile

Create a Windows profile from the Workspace ONE UEM Console using the required payloads.

5.2. Edit the Profile

  1. Select the radio button next to your new profile.
  2. Click </>XML.

5.3. Copy the SyncML

Copy the SyncML.

Remove the lines of text at the beginning and at the end, for example <Atomic><CmdID>{CmdID}</CmdID> at the beginning and </Atomic> at the end. Keep only the lines from <[characteristic]> to </[characteristic]>, where characteristic can be Add, Delete, Replace, or Exec. Do not include anything before or after these tags.

5.4. Paste SyncML into Text Editor

Paste SyncML into a text editor and ensure all of the whitespace is removed. You may also want to linearize the SyncML.

5.5. Copy Newly Generated SyncML and Paste into Production Console

Copy your newly generated SyncML from the text editor. In your production console, create your Custom Settings profile by pasting the SyncML and publishing the profile.
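
The preparation steps in 5.3 and 5.4, together with the LocURI context rule from 2.4 and the Delete rule from section 3, can be checked before pasting into the production console. The following PowerShell is an added example, not part of VMware's tooling; the function name, variable names and both sample inputs are hypothetical and constructed for illustration.

```powershell
# Added example (not VMware's code): prepare console-exported SyncML for a
# Custom Settings profile. Function and variable names are hypothetical.
function ConvertTo-CustomSettingsSyncML {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SyncML)

    $allowed  = 'Add', 'Replace', 'Delete', 'Exec'
    $problems = [System.Collections.Generic.List[string]]::new()
    $scopes   = [System.Collections.Generic.List[string]]::new()
    $uris     = [System.Collections.Generic.List[string]]::new()

    # Pasted XML is untrusted input: refuse DTDs and never resolve external entities.
    if ($SyncML -match '<!DOCTYPE') { throw 'DOCTYPE declarations are not accepted.' }
    $doc = [System.Xml.XmlDocument]::new()
    $doc.XmlResolver = $null
    $doc.PreserveWhitespace = $false      # drops indentation-only text nodes
    # A synthetic root lets several sibling commands parse as one document.
    $body = $SyncML -replace '^\s*<\?xml[^>]*\?>', ''
    $doc.LoadXml("<root>$body</root>")

    $commands = @($doc.DocumentElement.SelectNodes('*'))
    # Unwrap the <Atomic> element a console export carries; the profile adds its own.
    if ($commands.Count -eq 1 -and $commands[0].LocalName -eq 'Atomic') {
        $commands = @($commands[0].SelectNodes('*[local-name() != "CmdID"]'))
    }
    if ($commands.Count -eq 0) { throw 'No SyncML commands found.' }

    foreach ($cmd in $commands) {
        $name = $cmd.LocalName
        if ($allowed -notcontains $name) {
            $problems.Add("<$name> is not one of: $($allowed -join ', ').")
            continue
        }
        $items = @($cmd.SelectNodes('*[local-name()="Item"]'))
        if ($items.Count -eq 0) { $problems.Add("<$name> has no <Item>.") }
        foreach ($item in $items) {
            $uriNode = $item.SelectSingleNode('*[local-name()="Target"]/*[local-name()="LocURI"]')
            if ($null -eq $uriNode -or -not $uriNode.InnerText.Trim()) {
                $problems.Add("<$name> item has no Target/LocURI.")
                continue
            }
            $uri = $uriNode.InnerText.Trim()
            $uris.Add($uri)
            # The LocURI prefix decides whether this belongs in a Device or a User profile.
            if     ($uri.StartsWith('./Device/')) { $scopes.Add('Device') }
            elseif ($uri.StartsWith('./User/'))   { $scopes.Add('User') }
            else                                  { $scopes.Add('Unspecified') }
            # Removing a setting needs only the LocURI; <Data> must not be present.
            if ($name -eq 'Delete' -and $null -ne $item.SelectSingleNode('*[local-name()="Data"]')) {
                $problems.Add("<Delete> for $uri still contains <Data>.")
            }
        }
    }

    # One profile has one context, so Device and User LocURIs cannot share a payload.
    $distinct = @($scopes | Where-Object { $_ -ne 'Unspecified' } | Select-Object -Unique)
    if ($distinct.Count -gt 1) {
        $problems.Add('LocURIs mix ./Device/ and ./User/; use one profile per context.')
    }
    if ($problems.Count -gt 0) { throw ($problems -join ' ') }

    [pscustomobject]@{
        Context  = if ($distinct.Count -eq 1) { $distinct[0] } else { 'Unspecified' }
        Commands = @($commands | ForEach-Object { $_.LocalName })
        LocURI   = $uris.ToArray()
        # OuterXml of a document loaded without whitespace is already linearized.
        SyncML   = -join ($commands | ForEach-Object { $_.OuterXml })
    }
}

# Constructed sample: the AllowCortana command wrapped the way a console export wraps it.
$export = @'
<Atomic>
  <CmdID>{CmdID}</CmdID>
  <Replace>
    <CmdID>4bfee036-2523-413e-aba3-40102dbca0f5</CmdID>
    <Item>
      <Target>
        <LocURI>./Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
        <Type>text/plain</Type>
      </Meta>
      <Data>0</Data>
    </Item>
  </Replace>
</Atomic>
'@
$ready = ConvertTo-CustomSettingsSyncML -SyncML $export
"Profile context: $($ready.Context)"
$ready.SyncML

# Constructed failure case: a removal that still carries <Data>.
$badDelete = '<Delete><CmdID>2</CmdID><Item><Target><LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI></Target><Data>x</Data></Item></Delete>'
try { ConvertTo-CustomSettingsSyncML -SyncML $badDelete } catch { "Rejected: $($_.Exception.Message)" }
```

The first call reports a Device context and emits the Replace command on a single line with the Atomic wrapper removed; the second is rejected because the Delete item still contains a Data tag.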

6. Using Configuration Service Provider (CSP) Development Suite to Create Custom Settings

The latest Configuration Service Provider (CSP) release by Microsoft might not always be available to configure in the Workspace ONE UEM UI. In this case, an admin can use Device Description Framework (DDF) to create custom settings to distribute through Workspace ONE UEM.

The DDF files are like the explanations (schemas) of how to use the CSP to leverage modern management. DDF files can be downloaded directly from Microsoft. Ensure you download the correct DDF version that correlates to the Windows 10 build version you are using.

6.1. Launch CSP Development Suite and Select Tool

If required, download CSP Development Suite.

Launch CSPDevelopmentSuite and select the SyncML Generator as the tool to be used. Note the other tools in the Development Suite. 

6.2. Import DDF

Select File > Import Ddf.

6.3. Select a DDF File

Select one of the DDF files. You can download DDF files from CSP DDF Files Download.

6.4. Expand Tree

Expand the tree on the left to see the various options. For more information about the CSP you are working with, see the Microsoft article Configuration service provider reference.

6.5. Enter Node Name

Click the [Enter node name] section and enter 0AA79349-F334-4859-96E8-B4AB43E9FEA0. Node name specifies a unique identifier that represents the ID of the Microsoft Office product to install.

6.6. Select Node to Configure

Select the node you want to configure. In this example, we select Install. From here, you can select Access and input your Access Data. For supported Access types and expected Data, see the Microsoft Configuration service provider reference article.

6.7. Generate Custom XML

The Access Data for the Office CSP expects the Office Configuration XML in serialized format. Use your pre-created XML or use the Office Click-to-Run Configuration XML Editor to quickly generate your customized XML. Copy the contents of your XML and XML Escape (xml to text) using Notepad++ (with XML Tools) or any online tool like Free Formatter.

Note: Notepad++ with XML Tools allows you to quickly edit your SyncML without a third-party site.

6.8. Remove Whitespace and Character Returns

The CSP Development Suite only supports linearized content, meaning all the whitespaces and character returns must be removed. In Notepad++, you can choose Plugins > XML Tools > Linarize XML.

6.9. Paste Formatted Data into Access Data

Copy your formatted data and paste it into the Access Data field. In most cases Access Data will contain a value of 0, 1, or a simple text value. Then click Insert to build your SyncML. Copy the body of your SyncML, from <Exec> to </Exec> in this case. You can also select File > Export SyncML to save your file and edit it at a later stage, or send it to someone.

6.10. Create Windows User Profile

In the Workspace ONE UEM Console, you create a custom settings profile by selecting Windows > Windows Desktop > User Profile (because our LocURI is ./User/ in this example).

6.11. Configure Custom Settings

  1. Select Custom Settings, then Configure.
  2. For Target, select OMA-DM Client because this is supported natively by the device.
  3. In this example, we deselect Make Commands Atomic. Exec commands do not require Atomic, but in most use cases you keep this setting checked.
  4. Paste your copied content into the Custom Settings field.
  5. Click Save & Publish.

Removing the SCCM Client

Introduction

To completely replace SCCM with Workspace ONE UEM, remove the SCCM (ConfigMgr) client from the Windows 10 device. In this exercise, use Workspace ONE UEM to remove SCCM by configuring a custom settings profile to push a PowerShell script.

In addition to configuring a custom settings profile, you can also remove SCCM by:

 

Prerequisites

In addition to the previous requirements, you must also satisfy the following:

  • Windows Pro, Enterprise, or Education device enrolled in Workspace ONE UEM. For more information, compare Windows 10 editions, or contact a Microsoft representative.

 

Configuring a Custom Settings Profile

Profiles allow you to modify how the enrolled devices behave. This section helps you remove SCCM from devices by configuring and deploying a Custom Settings profile with a PowerShell command.

Add a Profile

2. Add a Windows Profile

Select the Windows icon.

Note: Make sure that you are selecting Windows and not Windows Rugged.

3. Add a Windows Desktop Profile

Select Windows Desktop.

4. Select Context - Device Profile

Select Device Profile.

Configure a Custom Settings Profile

1. Define General Settings

  1. Select General if it is not already selected.
  2. Enter a profile name in the Name text box, for example, Remove SCCM.
  3. Copy the profile name into the Description text box.
  4. Click in the Assigned Groups field. This displays the list of created Assignment Groups. Select the All Devices Assignment Group.
    Note: You may need to scroll down to view the Assigned Groups field.

Note: You do not need to click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

2. Open the Custom Settings Payload

 Note: When initially setting a payload, a Configure button will show to reduce the risk of accidentally setting a payload configuration.

  1. Select the Custom Settings payload.
  2. Click the Configure button to begin configuring the payload settings.

3. Configure Custom Settings

  1. Switch Target to AirWatch Protection Agent.
  2. Uncheck Make Commands Atomic.
  3. Then paste the following text into the Custom Settings text box:

<wap-provisioningdoc id="c14e8e45-792c-4ec3-88e1-be121d8c33dc" name="customprofile">
  <characteristic type="com.airwatch.winrt.powershellcommand" uuid="7957d046-7765-4422-9e39-6fd5eef38174">
    <parm name="PowershellCommand" value="Invoke-Command -ScriptBlock {C:\windows\ccmsetup\ccmsetup.exe /uninstall}"/>
  </characteristic>
</wap-provisioningdoc>

4. Click Save & Publish.

 

4. Publish the Profile

Click Publish.

Verify the Profile Exists

2. Locate the Profile in the List View

Confirm the Profile is available in the Profile list view.

Now, when a device enrolls into Workspace ONE UEM, the profile is applied. Then, AirWatch Unified Agent runs the PowerShell command to remove SCCM.
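The profile list view only confirms that the profile was published, not that the uninstall finished on a device. The following check is an added example, not part of the original tutorial or VMware's own tooling, and is meant to be run in an elevated PowerShell session on an enrolled device. The function name Test-SccmClientRemoved is hypothetical, and the CcmExec service name and C:\Windows\CCM folder are assumptions about a default ConfigMgr client installation.

```powershell
# Added example: confirm on the device that the SCCM (ConfigMgr) client is gone
# after the Remove SCCM profile has been applied.
# Assumptions (not from the tutorial): the client agent service is named
# 'CcmExec' and the client files live in C:\Windows\CCM (default install).
function Test-SccmClientRemoved {
    [CmdletBinding()]
    param(
        # How long to wait for a running uninstall before reporting.
        [int]$TimeoutSeconds = 600,
        [int]$PollSeconds = 10
    )

    # ccmsetup.exe /uninstall keeps working in the background, so wait for
    # the ccmsetup process to exit before judging the result.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Process -Name 'ccmsetup' -ErrorAction SilentlyContinue) -and
           ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds $PollSeconds
    }

    # Each finding is $true when something that should be gone is still there.
    $findings = [ordered]@{
        UninstallStillRunning = [bool](Get-Process -Name 'ccmsetup' -ErrorAction SilentlyContinue)
        AgentServicePresent   = [bool](Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue)
        ClientFolderPresent   = [bool](Test-Path -LiteralPath 'C:\Windows\CCM')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Removed      = -not (@($findings.Values) -contains $true)
        Findings     = [pscustomobject]$findings
        CheckedAt    = Get-Date
    }
}

$result = Test-SccmClientRemoved
$result | Format-List ComputerName, Removed, CheckedAt
$result.Findings | Format-List

# A non-zero exit code lets a wrapper or scheduled task flag devices that
# still carry the client and need a second look.
if (-not $result.Removed) { exit 1 }
```

Because the profile is assigned to the All Devices group and runs its command through the agent, a device that reports Removed as False is worth reviewing before the SCCM infrastructure is decommissioned.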

Summary and Additional Resources

Introduction

This operational tutorial provided the steps to move Windows 10 to Modern Management using Workspace ONE UEM. These procedures included migrating devices, users, applications, and GPOs to Workspace ONE, and managing the BitLocker encryption life cycle.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

  • application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
  • auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
  • catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
  • cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
  • device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
  • identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
  • mobile device management (MDM) agent: Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
  • one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
  • service provider (SP): A host that offers resources, tools, and applications to users and devices.
  • virtual desktop: The user interface of a virtual machine that is made available to an end user.
  • virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

About the Authors and Contributors

The Operational Tutorial for VMware Workspace ONE was written by

  • Josue Negron, Senior Solutions Architect, End-User-Computing Technical Marketing, VMware
  • Gina Daly, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware 
  • Hannah Jernigan, Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Appreciation and acknowledgment for considerable contributions from the following subject matter experts:

  • Chris Halstead, Staff Architect, End-User-Computing Technical Marketing, VMware
  • Brooks Peppin, Information Systems Engineer, End-User Services, VMware
     

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.