Quick-Start Tutorial Series for Cloud-Based VMware Workspace ONE

IT can use mobile OS management interfaces to preconfigure laptops, smartphones, and tablets. Workspace ONE UEM device management uses enterprise mobile management APIs to provision, configure, and secure applications and devices. This level of control allows IT to adopt a flexible BYOD program by giving users device choice while securing data.

Workspace ONE provides users access to cloud, mobile, and Windows applications using a unified application catalog. The application catalog contains applications published to VMware Identity Manager and Workspace ONE UEM. Supported application types include internal web, SaaS, native mobile, internally developed mobile, legacy and modern Windows, VMware Horizon® 7, VMware Horizon Cloud Service™, Citrix published, and VMware ThinApp®. The catalog also supports virtualized desktops.

A Workspace ONE implementation can interoperate with other identity providers, like Ping, Okta, and Microsoft Azure, through integration with VMware Identity Manager and still present a common catalog interface for all applications.

Workspace ONE services are built on the integration of VMware Workspace ONE UEM, VMware Identity Manager, and VMware Horizon.

You can deploy Workspace ONE in many different configurations including:

• On-premises deployments of VMware Identity Manager and Workspace ONE UEM
• Cloud-based deployments of VMware Identity Manager and Workspace ONE UEM
• Hybrid deployments with different components available either on-premises or in the cloud

This guide describes how to build a proof-of-concept for a cloud-based deployment of VMware Identity Manager and Workspace ONE UEM.

Workspace ONE consists of a number of key components that work together to provide the product's capabilities.

The previous components work together to provide the functionality of Workspace ONE. A basic Workspace ONE configuration consists of VMware Identity Manager and Workspace ONE UEM (formerly VMware AirWatch). VMware AirWatch Cloud Connector securely transmits requests from Workspace ONE UEM to the back-end infrastructure. Administrators define user groups, policy settings, and device configurations. Users access Workspace ONE and their applications based on the defined settings and configurations.

Figure: Major Components of a Workspace ONE Deployment with Network Ports

1. Navigate to http://www.air-watch.com and click 30 Day Free Trial.
2. Enter the required information and click Start Your Free Trial.
3. Allow 24 hours for your request to process.

Check your email for two activation email messages that contain environment details and access credentials. Note this information in the following tables.

Now that you have signed-up for a cloud-based Workspace ONE trial and noted your environment details, you are ready to log in to the Workspace ONE UEM Console and launch the Getting Started wizard.

On your desktop, double-click the Google Chrome icon.

For example, navigate to https://<WorkspaceONEUEMHostname> where WorkspaceONEUEMHostname is the host name of the Workspace ONE UEM console.

1. Enter your Username. For example, administrator.
2. Click Next. After you click Next, the Password text box is displayed.

1. Enter your Password. For example, VMware1!
2. Click Login.

Note: If you see a Captcha, be aware that it is case sensitive.

Review the End User License Agreement, and click Accept. 

Configure the settings for the Password Recovery Question:

1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
2. For Password Recovery Question, keep the default question selected.
3. Enter the Password Recovery Answer. For example, VMware1!
4. Reenter the password for Confirm Password Recovery Answer. For example, VMware1!

Configure the Security Pin, which protects certain administrative functions in the Workspace ONE UEM Console.  

5. Enter the Security PIN. For example, 1234.
6. Reenter the PIN for Confirm Security PIN. For example, 1234. 
7. Click Save.

After completing the Security Settings, you are presented with the Workspace ONE UEM Console Highlights pop-up box.

1. Select the Don't show this message on login check box.
2. Close the pop-up by clicking on the X in the upper-right corner.

Navigate to Getting Started > Workspace ONE to open the Workspace ONE module.

Note the following buttons and icons:

1. Incomplete – Displays next to steps that have not been configured.
2. Configure – Click to begin defining settings.
3. Complete – Displays next to a completed step.
4. Edit – Click to review or change a completed step’s settings.
5. Scroll down and open the remaining modules to review their sections and steps.
6. Use the percentage counter in the upper-right corner to track your configuration progress.

In Workspace ONE UEM Console, navigate to the Workspace ONE Getting Started wizard.

1. Click Getting Started.
2. Click Workspace ONE.
3. Navigate to Apple Push Notification Service (APNs).
4. Click Configure.

1. Under Download Certificate Request, click MDM_APNsRequest.plist.
2. Click Continue.

Enter your Corporate Apple ID email address that you will use to manage all Apple devices for your organization.
If you do not have a Corporate Apple ID, Create an Account with Apple.

Navigate to the Apple Push Certificates Portal and use your Corporate Apple ID credentials to authenticate.

Complete the following steps to create the APNs certificate.

1. Enter your corporate Apple ID.
2. Enter your Apple ID password.
3. Click Sign In.
4. Click Create a Certificate.

1. Click Choose File and select the MDM_APNsRequest.plist file you previously downloaded.
2. Click Upload.

Click Download.

Return to the Getting Started wizard in the Workspace ONE UEM Console, and click Next.

1. Enter your Apple ID. For example, appleid@vmware.com.
2. Click Save.

In the Workspace ONE UEM Console, in the appropriate Organization Group:

1. Click Getting Started.
2. Click Workspace ONE.
3. Navigate to Android EMM Registration.
4. Click Configure.

Click Register with Google.

1. Confirm you are logged into your Google Admin Account that you want to associate with your Android for Work configuration.
   
   Note: After you register a Google Admin Account to Android for Work, you cannot disassociate your Google Admin Account from that Organization. Ensure the Google Admin Account shown is the account you want to associate with your Organization.
   
   
2. Click Get Started.

1. Enter your Organization name.
2. Select the Google Play agreement check box.
3. Click Confirm.

Click Complete Registration to return to the Android for Work configuration.

1. On the Android for Work Settings page, scroll down until you see the Google Admin Console Settings and Google API Settings sections.
2. Under Google Admin Console Settings, note that the account information you provided during the Android for Work configuration step is displayed here.
3. Confirm that Android for Work Registration Status is shown as Successful.

Note that the Client ID and Google Service Account Email Address have been created and configured for you automatically. No additional configurations with Android for Work or the Google Developers Console are required.

In Workspace ONE UEM Console, navigate to the Workspace ONE Getting Started wizard.

1. Click Getting Started.
2. Click Workspace ONE.
3. Navigate to Employee Email Template.
4. Click Download.

1. Select a category from the drop-down menu. For example, Enrollment.
2. Select a message template. For example, User Activation.
3. Click View to see the email template.

You can edit the email template and Save for later use, or copy the email template.

When you are finished, the Employee Email Template section should be marked as Complete.

1. Click Getting Started.
2. Click Workspace ONE.
3. Navigate to Connect to VMware Identity Manager.
4. Click Configure.

Provide the VMware Identity Manager details.

1. Enter the Tenant URL for VMware Identity Manager.
2. Enter the Username for the VMware Identity Manager tenant.
3. Enter the Password.
4. Click Test Connection. If successful, you see the message Test connection successful!
5. Click Save.

After you have finished, the Connect to VMware Identity Manager section should be marked as Complete.

1. Click Getting Started.
2. Click Workspace ONE.
3. Navigate to AirWatch Cloud Connector (ACC) and Directory.
4. Click Configure.

Read the details in the Overview section, then click Continue.

1. Enter a password for the ACC certificate. For example, VMware1!.
2. Re-enter the password.
3. Click Download ACC-Installer.exe and save the file in an accessible location.

Click Continue after downloading the AirWatch Cloud Connector (ACC) Installer to proceed.

Enter the following Active Directory information.

1. For Directory Type, select Active Directory from the drop-down menu.
2. For Server, enter the FQDN of the Active Directory server.
3. For Encryption Type, select the encryption type for your environment. This example uses None.
4. For Port, keep the default value.
5. For Protocol Version, keep the default value.
6. For Bind Authentication Type, select Gss-Negotiate.
7. For Bind Username, enter the user name that has permission to access the domain controller.
8. For Bind Password, enter the password.
9. Click Save.

1. Click Test Connection. If successful, you see the message Connection successful with the given server name, bind username and password.
2. Click Continue.

1. In Workspace ONE UEM Console, select Accounts.
2. Select User Groups > List View.

1. Click Add.
2. Click Add User Group.

1. Select Directory for the Type.
2. Select Organizational Unit for the External type.
3. Enter the group name. For example, Users.
4. Click Search.

1. Select the Group Name. For example, Users.
2. Confirm that the Distinguished Name is correct. For example, CN=Users,DC=corp,DC=local.

To ensure the Sync operation will complete based on your selected Group, modify the User Group settings.

1. Select Custom for User Group Settings.
2. Select Enabled for Auto Merge Changes.
3. Enter a Maximum Allowable Changes, such as 100. This limits the number of changes that can occur on each sync.
4. Select Enabled for Add Group Members Automatically to import users into the Workspace ONE UEM Console.
5. Click Save.

1. Select the User Group you created. In this case, Users.
2. Click Sync.
3. Click OK when prompted if you wish to continue.
4. After the sync completes, confirm that the Users column updates to show the number of synced users from your group.

In the Workspace ONE UEM Console:

1. Click Groups & Settings.
2. Click All Settings.

1. Click System.
2. Click Enterprise Integration.
3. Click VMware Identity Manager.
4. Click Configuration.
5. Select Enabled for Active Directory Basic.

1. Enter the Admin User Name. For example, Administrator.
2. Enter the Admin Password. For example, VMware1!.
3. Click Test Connection and confirm that the Connection successful with the given URL, Username and Password prompt displays.
4. Click Next.

1. Enter the Directory name. For example, corp.local.
2. Click Save.

No custom attribute mappings are required for this setup. If you require custom mappings, you would configure the settings here.

1. Confirm that the Directory Sync started and shows User Sync Succeeded.
2. Click Close (X) to exit the VMware Identity Manager Configuration settings.

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

Enter the VMware Identity Manager tenant into the navigation bar and press Enter to continue.  

Note: Check the activation emails received in Sign Up for a Free Trial of Cloud-Based Workspace ONE for your VMware Identity Manager tenant details.

1. Enter the administrator user name.
2. Enter the administrator password.
3. Click Sign In.

If you see the User Portal, navigate to the Administrator Console.

1. Click the user drop-down icon.
2. Select Administration Console.

This opens the Administration Console in a separate tab in your browser.

1. Click the Users & Groups tab.
2. Click Groups.
3. Verify that the Workspace ONE UEM user group is listed and that it has synced the users.

If the users do not appear in VMware Identity Manager, you can force a sync from the Workspace ONE UEM Console.

On your desktop, double-click the Google Chrome icon.

For example, navigate to https://<WorkspaceONEUEMHostname> where WorkspaceONEUEMHostname is the host name of the Workspace ONE UEM console.

1. Enter your Username. This is the name provided in the activation email.
2. Click Next. After you click Next, the Password text box is displayed.

1. Enter your Password. This is the password provided in the activation email.
2. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

1. Select Getting Started.
2. Select Workspace ONE.
3. Navigate to Mobile Single Sign-On.
4. Click Configure.

Click Get Started.

Click Continue.

Click Start Configuration.

When the auto-configure checklist completes, click Finish.

Click Close.

1. Select Devices.
2. Select Profiles & Resources.
3. Select Profiles.
4. Click the iOS device profile.

1. Select Single Sign-On.
2. Click Add Version.

1. In the Applications section, click Add.
2. Enter com.salesforce.chatter.
3. Click Save & Publish.
4. Click Publish.

1. In Workspace ONE UEM Console, select Devices.
2. Select Profiles & Resources.
3. Select Profiles.
4. Click the iOS device profile.

1. Select the General tab.
2. Click the Smart Groups text box to open the drop-down menu.
3. Select Create Smart Group.

1. Enter a Name for the smart group. This exercise uses iOS Smart Group.
2. For Platform and Operating System, select the following options from the drop-down menus: Apple iOS, Greater Than or Equal To, iOS 11.0.0.
3. Click Save.
4. Click Save & Publish.
5. Click Publish.

1. In Workspace ONE UEM Console, select Apps & Books.
2. Select Applications.
3. Select Web.
4. Select SaaS.

Click Settings.

1. Select SAML Metadata.
2. Select Download SAML Metadata.
3. Right-click Identity Provider (IdP) metadata, and select Save Link As.
4. Save the metadata file in an accessible location.

1. In a web browser, navigate to https://login.salesforce.com.
2. Enter your Salesforce user name.
3. Enter your Salesforce password.
4. Click Login.

1. In the search panel on the left, enter single to locate SSO settings.
2. Click Single Sign-On Settings.

Click Edit.

1. Select SAML Enabled to enable SSO using SAML.
2. Click Save.

1. Click New from Metadata File.
2. Click Choose File, and select the metadata file saved in the previous exercise.
3. Click Create to populate the SAML SSO settings.

1. In the search box on the left, enter my domain
2. Click My Domain.

1. Under Choose Your Domain Name, enter a domain name in the text box.
2. To confirm that your domain name is not being used, click Check Availability.
3. Click Register Domain.

It can take a few minutes for Salesforce to complete the process. When the domain is registered, you receive an email. After you receive the email, you can edit the authentication configuration in My Domain.

Next to Authentication Configuration, click Edit.

1. To enable the authentication service, select your Identity Manager user name in the Authentication Service section.
2. Click Save.

1. In the search box on the left, enter users.
2. Click Users.

Next to the user name used for the trial account, select the check box and click Edit.

1. In the Single Sign-On Information section, enter the federation ID as the UPN of the AD user account. For example, testuser@company.com.
2. Click Save.

1. In Workspace ONE UEM Console, select Apps & Books.
2. Select Applications.
3. Select Web.
4. Select SaaS.
5. Click New.

1. In the Search text box, enter Salesforce.
2. Select Salesforce from the list. The remaining options are auto-filled.
3. Click Next.

Select URL/XML.

Open the previously saved metadata file (see Update the SAML Settings in Salesforce) using Notepad or TextEdit.

1. Copy the data, and paste it into the URL/XML text box.
2. Click Next.

Click Next.

Click Save.

The Salesforce application has been added to the Catalog and configured for SSO.

If Google Chrome is not already open, launch Google Chrome by double-clicking the icon from the desktop.

Enter the VMware Identity Manager tenant into the navigation bar and press Enter to continue.  

Note: Check the activation emails received in Sign Up for a Free Trial of Cloud-Based Workspace ONE for your VMware Identity Manager tenant details.

1. Enter the administrator user name.
2. Enter the administrator password.
3. Click Sign In.

If you see the User Portal, navigate to the Administrator Console.

1. Click the user drop-down icon.
2. Select Administration Console.

This opens the Administration Console in a separate tab in your browser.

1. In the VMware Identity Manager administration console, click the Catalog tab.
2. Click the Salesforce icon from the application list.

Click Assign.

1. Enter a user name in the search field.
2. Select the user name.

1. Select Automatic from the drop-down menu.
2. Click Save to complete the assignment process.

From your device, launch Google Chrome by double-clicking the icon.

Enter the VMware Identity Manager tenant into the navigation bar and press Enter to continue.  

Note: Check the activation emails received in Sign Up for a Free Trial of Cloud-Based Workspace ONE for your VMware Identity Manager tenant details.

Enter the credentials for a user entitled to the Salesforce application.

1. Enter the user name, for example testuser.
2. Enter the password, for example VMware1!.
3. Click Sign In.

NOTE: Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does not have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

Launch the Hub app on the device.  

NOTE: If you have your own iOS device and would like to test, you must download the Workspace ONE Intelligent Hub app first. 

1. Enter the Server URL for your Workspace ONE UEM environment.
2. Click Next.

Click the Server Details button.

Return to the Workspace ONE Intelligent Hub application on your iOS Device,

1. Enter your Group ID for your Organization Group for the Group ID field.
2. Tap the Next button.

NOTE: If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Next button.

You now provide user credentials to authenticate to Workspace ONE UEM.

1. Enter testuser in the Username field.
2. Enter VMware1! in the Password field.
3. Tap the Next button.

The Workspace ONE Intelligent Hub prompts you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

If you are prompted to allow the website to open Settings, tap Allow.

NOTE: If you do not see this prompt, ignore this and continue to the next step. This prompt occurs only for iOS devices on iOS 10.3.3 or later.

Tap Install in the upper-right corner of the Install Profile dialog box.

Tap Install when prompted on the Install Profile dialog.

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper-right corner of the prompt.

Your enrollment is now complete. Tap Open to navigate to the Workspace ONE Intelligent Hub.

Tap Done to confirm the notice and continue.

Tap Allow if you get a prompt to allow notifications for the Hub app.

You may be prompted to install a series of applications. If prompted, tap Install to accept the application installation.

Tap I Understand when shown the Privacy policy.

Tap I Agree for the Data Sharing policy.

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM. Continue to the next step.

On your iOS device, tap the Salesforce application.

Confirm redirection to Workspace ONE.

Validate SSO. Authentication completes, and the application starts without requiring a user name and password.

Now that you have tested the Salesforce SSO configuration on your mobile device, the Salesforce Mobile Single Sign-On section is complete.

On your desktop, double-click the Google Chrome icon.

For example, navigate to https://<WorkspaceONEUEMHostname> where WorkspaceONEUEMHostname is the host name of the Workspace ONE UEM console.

1. Enter your Username. This is the name provided in the activation email.
2. Click Next. After you click Next, the Password text box is displayed.

1. Enter your Password. This is the password provided in the activation email.
2. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

1. In Workspace ONE UEM Console, click Getting Started.
2. Click Workspace ONE.
3. Navigate to Apps > Introduction to Adaptive Management.
4. Click Configure.

Click Add Public Apps.

Click Add Application.

1. For Platform, select Apple iOS.
2. For Name, enter Slack.
3. Click Next.

Click Select next to Slack.

Click Save & Assign.

Click Add Assignment.

1. For Selected Assignment Groups, select the iOS smart group that you created in Assign a VMware Device Profile. For example, iOS Smart Group.
2. For App Delivery Method, select On Demand.
3. For Managed Access, select Enabled.
4. Click Add.

1. Click Save & Publish.
2. Click Publish.

On your iOS device, tap the App Store icon.

1. Enter workspace one in the search field.
2. Tap the cloud icon to install the Workspace ONE application.

Tap Open to launch VMware Workspace ONE application.

Enter the VMware Identity Manager tenant address.

1. Select the domain you synced to VMware Identity Manager from Workspace ONE UEM.
2. Tap Next.

1. Enter the username. (This user is part of the domain that you synced VMware Identity Manager from Workspace ONE UEM.)
2. Enter the password.
3. Tap Sign in.

Tap I Understand.

Tap I agree.

Tap Enter to load your workspace.

Note the star icon on the Slack app. Starred apps require device enrollment.

To install Slack, tap Install.

Tap Enable Workspace Services.

Tap Install in the upper-right corner of the Install Profile dialog box.

If a PIN is requested, enter your device PIN.

Tap Install when prompted at the Install Profile dialog box.

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

You should now see the iOS Profile successfully installed.

Tap Done in the upper right corner of the prompt.

Tap Install.

Tap Install.

After the Slack installation completes, the application is available on your device. Tap the application to launch it.

You have successfully completed Adaptive Management Configuration for iOS.

On your desktop, double-click the Google Chrome icon.

For example, navigate to https://<WorkspaceONEUEMHostname> where WorkspaceONEUEMHostname is the host name of the Workspace ONE UEM console.

1. Enter your Username. This is the name provided in the activation email.
2. Click Next. After you click Next, the Password text box is displayed.

1. Enter your Password. This is the password provided in the activation email.
2. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

In the upper-right corner of Workspace ONE UEM Console:

1. Select Add.
2. Select Profile.

Select the Windows icon.

Note: Make sure that you select Windows and not Windows Rugged.

Select Windows Desktop.

Select Device Profile.

1. Select General if it is not already selected.
2. Enter a profile name such as Windows Restrictions in the Name text box.
3. Copy the profile name into the Description field.
4. Click in the Assigned Groups field. This will pop-up the list of created Assignment Groups. Select the All Devices Assignment Group.
   Note: You may need to scroll down to view the Assigned Groups field.

Note: You do not need to click Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

Note: When initially setting a payload, a Configure button will show to reduce the risk of accidentally setting a payload configuration.

1. Select the Restrictions payload in the Payload section on the left.
2. Click the Configure button to continue setting the Restrictions payload.

1. Using the scroll bar on the right, scroll down to the Device Functionality section.
2. Select Don't Allow for Cortana.
3. Notice the 10 on the right side of the Restrictions window. These are all the restrictions that Workspace ONE UEM can apply to a Windows 10 computer.
4. Click Save & Publish.

Click Publish.

1. Select Devices.
2. Select Profiles & Resources.
3. Select Profiles.

You should now see your Restrictions Profile within the List View of the Devices Profiles window.

Note: If you need to edit the Restrictions Profile, this is where you would do so. To edit the profile, click the profile name, then select Add Version. Update the profile and click Save & Publish to push the new settings to the assigned devices.

In the upper-right corner of Workspace ONE UEM Console:

1. Select Add.
2. Select Internal Application.

Click Upload.

Click the Browse... button.

Navigate to your installation file. The 7-zip installation file has been downloaded to the server and placed in the Documents folder.

1. Select Documents.
2. Expand HOL.
3. Select the Windows 10 folder.
4. Select your installation file, for example, 7z1604-x64.exe.
5. Click Open.

Click Save.

1. Select No for Is this a dependency app?
2. Click Continue.

1. Enter a name for your application, for example, 7-Zip.
2. Select 64-bit for the Supported Processor Architecture.

1. Select the Files tab.
2. Scroll down to find the App Uninstall Process section.
3. Select Input for the Custom Script Type.
4. Enter the following for Uninstall Command:

Note: For information about copying text from the manual, see the Guidance section.

1. Select Deployment Options.
2. Scroll down until you see the option for Install Command.
3. Enter Install Command as:

Note: For information about copying text from the manual, see the Guidance section.

1. Scroll down to find the When To Call Install Complete section.
2. Select Defining Criteria for Identity Application By.
3. Click Add.

1. Select File Exists for the Criteria Type.
2. Enter C:\Program Files\7-Zip\7zFM.exe for the Path.
3. Click Add.

Note: For information about copying text from the manual, see the Guidance section.

Click Save & Assign.

Click Add Assignment.

1. Click the Select Assignment Groups search box and select All Devices (your.email@shown.here).
2. Select Auto for the App Delivery Method.
3. Select Show for Display in App Catalog.
4. Select Enabled for Make App MDM Managed if User Installed.
5. Click Add.

Click Save & Publish.

Click Publish.

From a new tab in the browser,

1. Enter https://www.getwsone.com in the navigation bar and press Enter.
2. Click Download Hub for Windows 10.
   NOTE: Wait until the Workspace ONE Intelligent Hub installer finishes downloading.  
3. Click Keep when warned about the AirWatchAgent.msi download.

NOTE: If you do not see the warning about the AirWatchAgent.msi file, continue to the next step.

Click the AirWatchAgent.msi file in your download bar.

NOTE: The installer may take a few seconds to launch, be patient after clicking the AirWatchAgent.msi file.

Click Run to proceed with the installation.

Click Server Detail.

1. On the enrolled Windows 10 machine, open the Start menu.
2. From the apps list, select Cortana.

Note: The following screenshots show a before and after view of Cortana settings. Your screen should look like the one on the right (After: Cortana Disabled).

1. Confirm Cortana no longer displays a greeting.
2. Confirm Device only provides basic search capabilities.

From the bottom toolbar, open File Explorer.

1. Select Local Disk (C:).
2. Select Program Files.
3. Confirm that the 7-Zip folder exists. Select 7-Zip.
4. Double-click 7zFM.exe to launch the 7-Zip File Manager.

Note: If you do not see the 7-Zip folder, your application may still be downloading. This can take several minutes to finish.

Now that you have confirmed enrollment, the Windows 10 Management section is complete.