Migrating Devices and Users from SCCM

Introduction

In this exercise, migrate devices from Microsoft System Center Configuration Manager (SCCM) to VMware Workspace ONE using Workspace ONE AirLift.

Prerequisites

 

Before you can perform the procedures in this exercise, you must complete the following tutorials:

This exercise requires a user to enrol their device into Workspace ONE UEM. Note the user account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

Set Up a Profile in Workspace ONE UEM

In this exercise, you will create a profile in the Workspace ONE UEM Console to configure BitLocker. These policies will be deployed to our AirLift Co-Managed devices and will be reported to our AirLift Dashboard. This allows us to co-manage the devices in this SCCM collection with AirLift and Workspace ONE UEM.

1. Create Windows 10 Profile for Devices

In the Workspace ONE UEM Console,

  1. Click Devices.
  2. Expand Profiles & Resources.
  3. Click Profiles.
  4. Click Add.
  5. Click Add Profile.

1.1. Select the Windows Platform

Select Windows.

1.2. Select the Device Type

Select Windows Desktop.

1.3. Select the Context

Select Device Profile.

1.4. Configure the Profile General Payload

  1. Enter BitLocker as the name of the profile.
  2. Select AirLift (your@email.shown.here) for the Assigned Groups.

1.5. Enable the Encryption Payload

  1. Select Encryption.
  2. Click Configure.

1.6. Configure the Encryption Payload

  1. Select System Partition for Encrypted Volume.
  2. Select System Default for Encrypted Method.
  3. Click the checkbox next to Only encrypt used space during initial encryption.
  4. Select Password for the Authentication Mode.
  5. Enter 8 for the Minimum Password Length.
  6. Click Save & Publish.

1.7. Publish the Encryption Profile

Click Publish.

1.8. Confirm the BitLocker Profile

View the BitLocker profile you just created, and make sure it is assigned to the AirLift group.

Enroll SCCM Devices in Workspace ONE UEM with AirLift

In this exercise, you will configure an SCCM Enrollment application for your Workspace ONE UEM tenant and then deploy the application to the AirLift Collection that you have enabled for Co-Management.

1. Create Enrollment Application in AirLift

In the AirLift Console in Chrome,

  1. Click Settings.
  2. Click Enrollment.
  3. Select No for Use Existing Enrollment Application.
  4. Enter Workspace ONE Enrollment.
  5. Select your VLP email address from the Organization Group dropdown.
  6. Enter StagingUser
  7. Enter VMware1!
  8. Enter labs.awmdm.com
  9. Check the Include Workspace ONE App option.  This option will automatically install the Workspace ONE app if it is not present on the device.
  10. Un-check the Include SCCM Integration Client option. This client is only needed when using pre-1709 Windows 10 and pre-1710 SCCM.
  11. Click Show.

1.1. Copy the Agent Install Command Line

  1. Click and drag to highlight the Agent Install Command Line.
  2. Right-click the highlighted text and click Copy.

You will modify and use this copied text in an upcoming step.

1.2. Enter the Enrollment Application Content Location

  1. Enter \\SCCM-01A\SCCMPackages\WS1 for Content Location. The needed files have been pre-staged at this location for your convenience.
  2. Click Create.

1.3. Confirm Application Creation

Click Proceed.

2. Review and Modify Workspace ONE Enrollment Application

The following steps, which modify the Workspace ONE Enrollment app, are not needed in production. However, you will need to update the install command line for this lab.

2.1. Update Install Command Line

  1. Right-Click the Windows button.
  2. Click Search.
  3. Enter Notepad for the search.
  4. Click the Notepad application.

2.2. Paste the Copied Install Command Line Text

  1. Click Edit.
  2. Click Paste.
  3. Click Format.
  4. Click Word Wrap to enable wrapping.

2.3. Locate the LGName property

You will need to update the LGNAME value in our copied install command line to match your Group ID from the Workspace ONE UEM Console.  Continue to the next step to find the Group ID value to use here.

2.4. Update the LGNAME Value

Update the LGNAME value with your Group ID from the Workspace ONE UEM Console.  DO NOT use yourid1234 as shown; be sure to use your own Group ID.

2.5. Copy the Updated Install Command Line Text

  1. Click Edit.
  2. Click Select All.
  3. Click Edit.
  4. Click Copy.
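
The edit in steps 2.3 to 2.5 can also be scripted, which makes it harder to paste a command line that still carries the guide's placeholder. This is an added example, not code from the lab or from VMware; the `Set-InstallCommandProperty` function, the sample command line (MSI file name and every property name except LGNAME) and the Group ID `abc5678` are assumptions constructed for illustration.

```powershell
# Added example, not VMware's tooling. Replaces the value of one NAME=value
# property in a copied install command line, leaving everything else untouched.
function Set-InstallCommandProperty {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Value
    )
    # A value with whitespace or quotes would split into extra arguments.
    if ($Value -match '[\s"]') {
        throw "$Name value must not contain whitespace or quotes."
    }
    # Match NAME=value or NAME="quoted value" as a whole token, ignoring case.
    $pattern = '(?i)(?<=^|\s)' + [regex]::Escape($Name) + '=("[^"]*"|\S*)'
    $hits = [regex]::Matches($CommandLine, $pattern)
    if ($hits.Count -ne 1) {
        throw "Expected exactly one $Name property, found $($hits.Count)."
    }
    # Keep the property name as written; swap only what follows the '='.
    $hit = $hits[0]
    $key = $hit.Value.Substring(0, $hit.Value.IndexOf('=') + 1)
    $CommandLine.Remove($hit.Index, $hit.Length).Insert($hit.Index, $key + $Value)
}

# Constructed sample; in the lab, use the text copied from AirLift instead.
# The MSI name and the property names other than LGNAME are assumptions.
$copied = 'msiexec /i "AirwatchAgent.msi" /quiet SERVER=labs.awmdm.com ' +
          'LGNAME=yourid1234 USERNAME=StagingUser PASSWORD=VMware1!'
$groupId = 'abc5678'   # constructed; use the Group ID from your UEM console

$updated = Set-InstallCommandProperty -CommandLine $copied -Name 'LGNAME' -Value $groupId

# The guide's screenshot value must never reach the SCCM deployment type.
if ($updated -match '(?i)yourid1234') { throw 'Placeholder Group ID still present.' }

# Print a copy with the staging password masked; the full text goes to the
# clipboard, ready to paste into the Installation program box in step 3.2.
$updated -replace '(?i)(?<=(^|\s)PASSWORD=)("[^"]*"|\S+)', '********'
Set-Clipboard -Value $updated
```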

3. Review and Modify Properties of Workspace ONE Enrollment Application

  1. Click the SCCM Console icon from the task bar.
  2. Click Software Library.
  3. Expand Application Management.
  4. Click Applications.
  5. If you do not see the Workspace ONE Enrollment application in the list, you may need to click the Refresh button.
  6. Right-Click the Workspace ONE Enrollment application.
  7. Click Properties.

3.1. Edit the Workspace ONE Enrollment Windows Installer

  1. Click the Deployment Types tab.
  2. Select the Workspace ONE Enrollment - Windows Installer x64 (*.msi file).
  3. Click the Edit button.

3.2. Replace the Installation Program Command

  1. Click the Programs tab.
  2. In the Installation program text box, remove ALL existing text and paste your copied install command.
  3. Click OK.

3.3. Save the Deployment Types Changes

Click OK again to save your changes.

4. Enroll Members of the Win10 Collection into Workspace ONE UEM

Now that we have created the Workspace ONE Enrollment app using AirLift and mapped our Win10 device collection to the AirLift Smart Group, we will leverage AirLift to automatically onboard our Win10 collection devices into Workspace ONE UEM.

4.1. Enroll the Win10 Collection into Workspace ONE UEM

In the AirLift Console in Chrome,

  1. Click Collections.
  2. Click the checkbox next to the Win10 collection.
  3. Click the Enroll button.

4.2. Confirm Devices Affected

Click the Enroll button to confirm the enrollment. Notice that 1 device will be affected.

4.3. Review Enrollment Confirmation

Review the enrollment confirmation. The devices in the Win10 collection have begun enrollment.

5. Review Enrollment Application Deployment in SCCM

Back in the SCCM Console, ensure the Workspace ONE Enrollment app is selected.

  1. Click on the SCCM Console icon on the task bar.
  2. Ensure the Workspace ONE Enrollment app is still selected.
  3. Click on the Deployments tab.
  4. Notice there is a deployment which was created by AirLift.  This deployment is mandatory and automatic and targets the Win10 collection.

6. Return to the Main Console

Click the Close (X) button to return to the Main Console.

7. Connect to Windows 10 Device

Double-click the Win10-01a.rdp shortcut on the desktop of the Main Console.

7.1. Launch Configuration Manager

Double-click the Configuration Manager shortcut on the desktop of the Windows 10 device.

7.2. Force policy update on SCCM Client

We will now force a policy retrieval cycle on the SCCM client in order to speed up the process of receiving the deployment and enrolling the device into Workspace ONE UEM.

  1. Click the Actions tab.
  2. Select Machine Policy Retrieval & Evaluation Cycle.
  3. Click the Run Now button.

7.3. Confirm the Cycle Prompt

Click OK to acknowledge that the cycle may take several minutes to complete.

8. Monitor Enrollment into Workspace ONE

Watch for the AirWatch Enrollment icon on the desktop of the Windows 10 system.

The deployment will run automatically and should happen fairly quickly.  If you watch the desktop of the Windows 10 client, you will see the AirWatch Enrollment icon appear on the desktop.  This means the enrollment process is running.  This process should only take a few minutes at most to complete.

9. Verify via Software Center

Click the icon shortcut on the taskbar of the Windows 10 device to launch the SCCM Software Center.

9.1. Software Center

We can also verify that the deployment has been received on the Windows 10 client by reviewing the SCCM Software Center.

  1. Click the Applications tab.
  2. Notice the Workspace ONE Enrollment deployment has been received on the Windows 10 client.

You don't need to run the deployment manually.  It will execute automatically.

Review and Validate the Enrolled Windows 10 Device

You will now review the enrolled Windows 10 device in the Workspace ONE UEM Console and AirLift Console to see how to confirm that the enrollment was successful.  You will also verify that the BitLocker profile you configured was delivered to the device.

1. Return to the Main Console

Click the Close (X) button on the Remote Desktop Connection to return to the Main Console.

2. Connect to the SCCM Server

Launch sccm-01a.rdp from the main desktop.

3. Initiate Full Sync for AirLift

We will want to perform a real-time sync between AirLift and Workspace ONE UEM to see an updated dashboard.

In the AirLift Console in Chrome,

  1. Click Settings.
  2. Scroll down to the bottom of the Account tab.
  3. Click Sync.

3.1. Review AirLift Dashboard

  1. Click on the Dashboard link on the left pane of AirLift.
  2. Notice on the Top Workloads section, you see there is a client with Encryption and Compliance Enabled.

4. Return to the Main Console

Click the Close (X) button to return to the Main Console.

5. Connect to Windows 10 Device

Double-click the Win10-01a.rdp shortcut on the desktop of the Main Console.

6. Review Enrolled Client in Workspace ONE UEM Console

In the Workspace ONE UEM Console,

  1. Click Devices.
  2. Click List View.
  3. If you navigate to the Workspace ONE UEM Console quickly enough, you may see that the device is enrolled to the StagingUser account.  Shortly after enrolling your user credentials for aduser, the device will show it is enrolled for aduser instead.  Click the device link to view the Device Details View.

6.1. Review Device Details

  1. Notice the device is a member of the AirLift Workspace ONE Smart Group, due to enabling Co-Management.
  2. Review the computer name. This matches what we saw earlier in the SCCM and AirLift consoles.
  3. Notice the device has had the Co-Management tag added to it.   This is the same tag that was added to the Workspace ONE AirLift Smart Group.   This is what enables synchronization between SCCM and Workspace ONE during Co-Management.

7. Verify BitLocker Profile is Pushed via AirLift Co-Management

The BitLocker Encryption dialog will pop up, indicating the device was enrolled into Workspace ONE UEM and that it is properly enabled for Co-Management.

  1. Enter VMware1! for the password.
  2. Enter VMware1! for the password confirmation.
  3. Click the Encrypt button to start BitLocker encryption.
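
The dialog shows that the profile arrived; the volume state shows whether encryption actually started. The following check is an added example, not part of the lab, to run in an elevated PowerShell session on the Windows 10 device after clicking Encrypt. The function name `Get-EncryptionProfileCheck` is hypothetical, and it assumes that "System Partition" in the profile corresponds to the operating system drive.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the lab. Summarises BitLocker state for the volume the
# "BitLocker" profile targets so it can be compared with the profile settings.
function Get-EncryptionProfileCheck {
    [CmdletBinding()]
    param(
        # Assumption: "System Partition" in the profile means the OS drive.
        [string]$MountPoint = $env:SystemDrive
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Collect protector types; skip nulls so an unprotected volume gives an empty list.
    $types = @($vol.KeyProtector | Where-Object { $_ } |
               ForEach-Object { [string]$_.KeyProtectorType })
    $status = [string]$vol.VolumeStatus

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        VolumeStatus         = $status
        PercentEncrypted     = $vol.EncryptionPercentage
        EncryptionMethod     = [string]$vol.EncryptionMethod
        ProtectionStatus     = [string]$vol.ProtectionStatus
        KeyProtectorTypes    = $types -join ', '
        # Encryption is started by the Encrypt button in step 7.
        EncryptionStarted    = $status -in 'EncryptionInProgress', 'FullyEncrypted'
        # The profile set Authentication Mode to Password.
        HasPasswordProtector = $types -contains 'Password'
    }
}

$check = Get-EncryptionProfileCheck
$check | Format-List

if (-not $check.EncryptionStarted) {
    Write-Warning "Volume $($check.MountPoint) is $($check.VolumeStatus): encryption has not started."
}
if (-not $check.HasPasswordProtector) {
    Write-Warning 'No Password key protector found, which does not match the profile.'
}
```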

8. Close the VMware Workspace ONE App

The Workspace ONE Application will open automatically after enrollment.  

Click the X to close the application.  We don't use it during this exercise.  

9. Validation Completed

Congratulations!  You have successfully enrolled your Windows 10 device into Workspace ONE UEM using AirLift and validated a successful enrollment after pushing a BitLocker profile to the device!

Conclusion

In this module you have learned how to set up and use VMware Workspace ONE AirLift to set up Co-Management between SCCM and Workspace ONE.  You have also learned how to automatically enroll SCCM devices into Workspace ONE using AirLift.