Using Product Provisioning to Deliver Files to Windows 10: VMware Workspace ONE Operational Tutorial

Overview

Introduction

This Using Product Provisioning to Deliver Files to Windows 10: VMware Workspace ONE UEM Operational Tutorial provides practical information to help you set up product provisioning in your Workspace ONE UEM management solution to address the unique circumstances of your use cases.

Purpose

This operational tutorial provides you with discussions and exercises to help with your existing VMware Workspace ONE® production environment. VMware provides operational tutorials to help you with

  • Common procedures or best practices
  • Complex manual procedures
  • Troubleshooting

Note: Before you begin any operational tutorial, you must first deploy a production environment. For information about deployment, see the VMware Workspace ONE Documentation.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, as is familiarity with Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM (unified endpoint management), powered by VMware AirWatch, is also helpful.

Delivering Files Using Product Provisioning

Introduction

You can use product provisioning functionality to create an ordered installation of profiles, applications, and files/actions into a single product. This product controls when content is pushed to devices, as well as the order of installation of the product.

You can target your products to devices by establishing a set of conditions that indicate when a product is downloaded and when it is installed. Then you push that product out to devices, based on the conditions you set. You can further target your products to devices by setting up smart groups that control which devices get which products.

A common use for product provisioning is pushing a PowerShell script that changes the device background (wallpaper). After the script is provisioned to devices, the wallpaper is updated on enrolled devices and is removed from unenrolled devices.

Prerequisites

Before you can perform the procedures in this exercise, verify that you have Workspace ONE UEM 1810 or later installed and configured with administrative credentials.

For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Creating a Files/Actions Component

To use product provisioning, you first create the files to install and actions to take on your devices.

1. Download Sample Code

  1. Download the sample code from VMware Samples Exchange.
  2. Save the file in a local, accessible location.

2. Log In

  1. To log in to Workspace ONE UEM, enter your username.
  2. Enter your password.
  3. Click Log In.

3. Navigate to Files/Actions

  1. In the far left of the Workspace ONE UEM Console, click Devices.
  2. In the middle navigation bar, click Staging & Provisioning.
  3. In the expanded list, click Components.
  4. In the expanded sub-list, click Files/Actions.
  5. In the Files/Actions window, click Add Files/Actions.

4. Select the OS

  • In the Add Files/Actions window, click Windows.

5. Select the Device Type

  • In the Device Type window, select Windows Desktop.

6. Enter the Name

  1. On the General tab, enter a files/actions name.
  2. You can also enter an optional description.

7. Add File

  1. Select the Files tab.
  2. Click Add Files.

8. Upload the PowerShell Script

  1. In the Add Files window, select Choose Files and browse for the script file to upload.
  2. Click Save to upload the files.

9. Store the PowerShell Script

  1. In the Add Files window, define the download path the device uses to store the file group in a specific device folder. In this example, the download path was defined as C:\Temp\AirWatch, based on the sample provided earlier, and the rest of the path was added automatically.
  2. Click Save.

10. Verify and Save

  1. In each newly added row, verify the file name and download path.
  2. Select the Manifest tab.

11. Add an Install Manifest Action

  • On the Manifest tab, underneath Install Manifest, click Add Action.

12. Choose the Run Action

  1. In the Add Manifest window, click the down arrow to expand the Action(s) to Perform menu.
  2. From the menu, select Run.
    Note: You can use the manifest to run a script or application using command lines. The Run command line must be the full path of the file, in quotes, for example "C:\Temp\AirWatch\script.ps1". You must also select the context of the command to indicate whether it runs at the system level, current user level, or admin account level.

13. Finish Defining the Install Manifest Action

  1. Provide the following information:
    • Action(s) To Perform: Run.
    • Execution Context: Current User.
      Note: You can perform actions such as Run or Install using the System, Admin, or Current User context. Choose the context that matches what your script does. If the current user does not have admin access and the script requires admin privileges, choose Admin or System. If the script uses per-user environment variables such as %USERNAME% or %HOMEPATH%, or changes per-user settings such as the wallpaper, run it in the Current User context; otherwise those variables resolve to the System account and the changes land in the System account's profile instead of the user's.
    • Command Line and Argument to run: "C:\Temp\AirWatch\ChangeDesktop.ps1"
    • TimeOut: Accept the default of 0.
  2. In the Add Manifest window, click Save.

14. Add an Uninstall Manifest Action

  • On the Manifest tab, scroll down to the Uninstall Manifest section, and click Add Action.

15. Choose the Run Action

  1. From the Action(s) to Perform drop-down menu, select Run.
  2. In the lower right, click Save.

16. Define the Uninstall Manifest Action

  1. Provide the following information:
    • Action(s) To Perform: Run.
    • Execution Context: Current User.
    • Command Line and Argument to run: Enter: "C:\Temp\AirWatch\ChangeDesktopBack.ps1"
    • TimeOut: Accept the default of 0.
      Note: The uninstall manifest only runs when the Uninstall action is added to the product. Also, if nothing is added to the Uninstall Manifest, uninstalling the file/action will not do anything. If you plan to remove the configurations your scripts make, you will need to revert settings using the Uninstall Manifest option.
  2. In the Add Manifest window, click Save.

17. Save the Uninstall Manifest Action

  • In the Add Files/Actions window, click Save to upload the files and actions to Workspace ONE UEM.
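The tutorial relies on the ChangeDesktop.ps1 and ChangeDesktopBack.ps1 scripts from VMware Samples Exchange without showing their contents. The script below is an added illustration of how such a pair can be written as a single file; it is not the Samples Exchange code and not part of the original tutorial. It records the user's current wallpaper, applies a new one through the Win32 SystemParametersInfo API, and reverts on -Revert, so the same file serves both the Install Manifest and the Uninstall Manifest. The file name corp-wallpaper.jpg, the wallpaper.previous state file, and the C:\Temp\AirWatch download path used earlier in the tutorial are assumptions. It also refuses to run under the System context, for the reason the appendix gives: the wallpaper is a per-user setting, so under SYSTEM the change lands in the SYSTEM profile rather than on the logged-in user's desktop.

```powershell
<#
    ChangeDesktop.ps1 - illustrative example, not the VMware Samples Exchange script.
    Install Manifest  (Current User):  "C:\Temp\AirWatch\ChangeDesktop.ps1" -WallpaperPath "C:\Temp\AirWatch\corp-wallpaper.jpg"
    Uninstall Manifest (Current User): "C:\Temp\AirWatch\ChangeDesktop.ps1" -Revert
#>
[CmdletBinding()]
param(
    [string]$WallpaperPath = "$PSScriptRoot\corp-wallpaper.jpg",   # assumed file name, delivered in the same file group
    [string]$StateFile     = "$PSScriptRoot\wallpaper.previous",   # assumed: remembers the user's original wallpaper
    [switch]$Revert
)

# Wallpaper lives in HKCU\Control Panel\Desktop, i.e. it is per user. If the manifest
# runs this under the System execution context, the change goes into the SYSTEM
# account's profile and the logged-in user sees nothing, so fail loudly instead.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($identity.IsSystem) {
    Write-Error "Running as $($identity.Name); use the Current User execution context for wallpaper changes."
    exit 1
}

# SystemParametersInfo(SPI_SETDESKWALLPAPER) applies the change immediately and, with
# SPIF_UPDATEINIFILE | SPIF_SENDCHANGE, persists it to the user's profile.
Add-Type -Namespace Win32 -Name Desktop -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, string pvParam, uint fWinIni);
'@
$SPI_SETDESKWALLPAPER = 0x0014
$SPIF_UPDATEINIFILE   = 0x01
$SPIF_SENDCHANGE      = 0x02

function Set-Wallpaper([string]$Path) {
    # An empty path is valid: it clears the wallpaper (used when the user had none before).
    if ($Path -and -not (Test-Path -LiteralPath $Path)) { throw "Wallpaper file not found: $Path" }
    $ok = [Win32.Desktop]::SystemParametersInfo($SPI_SETDESKWALLPAPER, 0, $Path,
                                                ($SPIF_UPDATEINIFILE -bor $SPIF_SENDCHANGE))
    if (-not $ok) {
        throw "SystemParametersInfo failed (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))"
    }
}

if ($Revert) {
    # Uninstall path: restore whatever the user had before the product was installed.
    if (-not (Test-Path -LiteralPath $StateFile)) {
        Write-Warning "No saved wallpaper state at $StateFile; nothing to revert."
        exit 0
    }
    $previous = (Get-Content -LiteralPath $StateFile -Raw).Trim()
    Set-Wallpaper $previous
    Remove-Item -LiteralPath $StateFile -Force
    exit 0
}

# Install path: record the current wallpaper once (re-runs must not overwrite the
# original with the corporate image), then apply the new one.
if (-not (Test-Path -LiteralPath $StateFile)) {
    $current = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name WallPaper -ErrorAction SilentlyContinue).WallPaper
    Set-Content -LiteralPath $StateFile -Value ([string]$current) -Encoding UTF8
}
Set-Wallpaper $WallpaperPath
exit 0
```

With this single file, the Install Manifest Run action is "C:\Temp\AirWatch\ChangeDesktop.ps1" -WallpaperPath "C:\Temp\AirWatch\corp-wallpaper.jpg" and the Uninstall Manifest Run action is "C:\Temp\AirWatch\ChangeDesktop.ps1" -Revert, both with Execution Context set to Current User. The non-zero exit under SYSTEM is deliberate: a script that silently succeeds in the wrong context is the "executes but does not work" case described in the appendix.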

Creating a Product

After creating the files/actions component that contains the content you want to push to devices, you create a product that controls when the content is pushed and the order of installation.

Note: To edit a product, you must first deactivate it in the list view.

1. Navigate to the Product List View

  1. In the far left of the Workspace ONE UEM Console, click Devices.
  2. In the middle navigation bar, click Staging & Provisioning.
  3. In the expanded list, click Product List View.
  4. In the Product List View window, click Add Product.

2. Select the OS

  • Select the Windows OS.

3. Select the Windows Desktop

  • In the Select Device Type window, select Windows Desktop.

4. Provide General Product Data

On the General tab, provide the basic product information:

  1. Name: Enter the name Change Desktop for Win10.
  2. Assignment Group(s): Select an assignment group that contains the devices or users to receive this product.

5. Add Manifest

  1. Navigate to the Manifest tab.
  2. In the upper left, click Add.

6. Provide Manifest Data

  1. In the Add Manifest window, click the down arrow to expand the Action(s) to Perform menu.
  2. From the drop-down menu, select Install Files / Actions.

7. Save the Configuration

  1. In the Files/Actions field, select the Install Manifest action that you created earlier for changing the wallpaper.
  2. Click Save.

8. Verify and Activate

  1. Verify the General and Manifest settings for the product.
  2. In the lower right, select Activate to deploy the actions to the devices.

Important: The VMware Workspace ONE™ Intelligent Hub (formerly called AirWatch Protection Agent) must be installed on devices to use product provisioning. You can enable Workspace ONE Intelligent Hub to automatically deploy by navigating to Settings > Devices & Users > Windows > Windows Desktop > Hub Application.

9. Additional Configuration Options

You can add additional manifest items if desired, such as the Uninstall Manifest action. You can adjust the order of the manifest steps using the up and down arrows and edit or delete a step in the Manifest list view. To completely automate the manifest, you can also create a sequence of actions to execute on the device.

You can also add configurations from the Conditions, Deployment, and Dependencies tabs. These configurations are optional and unnecessary when creating the Change Desktop product:

  • On the Conditions tab, you can configure Download Conditions settings, Install Conditions settings, or both.
  • On the Deployment tab, configure times and dates to activate and deactivate the product.
  • On the Dependencies tab, configure the order in which products apply to devices.

Appendix: PowerShell and Batch Details

Introduction

Questions often arise about when to use PowerShell scripts or BATCH scripts. This section provides detailed information about the use of these scripts in both standard and administrative accounts.

About Standard Accounts

When pushing products to standard users (local accounts without admin rights), any action that needs elevation triggers a UAC prompt asking for admin credentials, which a standard user cannot supply. You must therefore either run the script in an execution context that does not prompt (see Recommendations below) or disable UAC. You can disable UAC via group policies on your domain, or via the Restrictions payload in the Workspace ONE UEM console. Disabling UAC removes the consent boundary between standard and administrative privilege on the device for every process, not just provisioning, so prefer the recommended contexts and disable UAC only where they cannot be used.

For information about administrative users, see About Administrative Accounts.

Recommendations

When pushing scripts to standard accounts, it is recommended that you use the following contexts:

To Push This Script    Use This Context
PowerShell             Admin
BATCH                  System

Warning Prompts

UAC prompts are displayed if you push products using non-recommended contexts.

Example of a PowerShell Prompt (screenshot of the UAC prompt; image not included in this text)

Example of a BATCH Prompt (screenshot of the UAC prompt; image not included in this text)

About Administrative Accounts

To push products successfully to devices, it is recommended that you use the syntax formats described below for PowerShell and BATCH scripts. The syntax holds true for any account type, but the recommendations apply to a device with admin user and UAC-enabled.

For information about standard users, see About Standard Accounts.

Syntax Formats for PowerShell Scripts

You can have administrative users, UAC on, with or without parameters.

PowerShell with Admin User, UAC On, Without Parameters

Example: "C:\Users\Demo\AppData\Local\Temp\WorkspaceONEUEM\ChangeDesktop.ps1"

Manifest Action: RUN: “<path>\filename.ps1”

Context:

  • Admin – UAC prompts but works; the prompt reads "Do you want to allow AW.ProtectionAgent.PowershellExecutor?"
  • System – Executes but does not work: the wallpaper is a per-user setting, so the change applies to the SYSTEM account's profile rather than to the logged-in user's desktop
  • Current User – Works without UAC prompting – Recommended

Device Runs: “C:\Program Files (x86)\AirWatch\AgentUI\AW.ProtectionAgent.PowershellExecutor.exe” ProductPsScriptExecution <path>\filename.ps1

PowerShell with Admin User, UAC On, With Parameters

Example: “%temp%\WorkspaceONEUEM\set-wallpaper.ps1” Colour Blue

Manifest Action: RUN: “<path>\filename.ps1” Parameter1 Parameter2

Context:

  • Admin – UAC prompts but works; the prompt reads "Do you want to allow AW.ProtectionAgent.PowershellExecutor?"
  • System – Executes but does not work: the wallpaper is a per-user setting, so the change applies to the SYSTEM account's profile rather than to the logged-in user's desktop
  • Current User – Works without UAC prompting – Recommended

Device Runs: “C:\Program Files (x86)\AirWatch\AgentUI\AW.ProtectionAgent.PowershellExecutor.exe” ProductPsScriptExecution <path>\filename.ps1 parameters
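Because the three execution contexts differ only in which account and token the script receives, the quickest way to troubleshoot an action that "executes but does not work" is to have the script report its own context. The diagnostic below is an added example, not VMware code and not from the original tutorial: it logs the identity, whether the token is elevated, the parent process (the executor named above for Run actions), the profile path that per-user settings would land in, and the manifest parameters it received, and it exits non-zero under System so the product shows the failure rather than a hollow success. The log file context.log beside the script is an assumption; the script's own folder is used because the tutorial's download path is writable by the user who runs it.

```powershell
<#
    Get-ProvisioningContext.ps1 - illustrative diagnostic, not VMware code.
    Manifest Run action, with parameters:
        "C:\Temp\AirWatch\Get-ProvisioningContext.ps1" Colour Blue
#>
param(
    # Everything the manifest appends after the script path arrives here.
    [Parameter(ValueFromRemainingArguments = $true)]
    [string[]]$ManifestArgs
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
# Under UAC an admin user's filtered token reports Administrator as deny-only, so
# IsInRole is true only when the script actually runs elevated.
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# The parent process tells you which executor launched the script; for a PowerShell
# Run action the page names AW.ProtectionAgent.PowershellExecutor.exe.
$parentId = (Get-CimInstance Win32_Process -Filter "ProcessId = $PID").ParentProcessId
$parent   = (Get-CimInstance Win32_Process -Filter "ProcessId = $parentId").Name

$context = if ($identity.IsSystem) { 'System' }
           elseif ($isAdmin)       { 'Admin (elevated token)' }
           else                    { 'Current User (not elevated)' }

$record = [ordered]@{
    Timestamp   = (Get-Date).ToString('o')
    User        = $identity.Name
    Context     = $context
    # Under System this resolves to C:\Windows\system32\config\systemprofile, which
    # is where %USERNAME%-style variables and per-user settings would land.
    UserProfile = $env:USERPROFILE
    Parent      = $parent
    Arguments   = ($ManifestArgs -join ' ')
}

$line = ($record.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
Add-Content -LiteralPath (Join-Path $PSScriptRoot 'context.log') -Value $line   # assumed log location
Write-Output $line

# A per-user change executed as SYSTEM is the failure mode this page describes;
# exit non-zero so the product reports it instead of showing success.
if ($identity.IsSystem) { exit 1 }
exit 0
```

Push the script once in each context against a test device and compare the three lines in context.log; the User and UserProfile fields make the difference between the contexts concrete, and the Arguments field confirms that parameters on the Run command line arrive in the order the manifest lists them.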

Syntax Formats for BATCH Scripts

You can push BATCH with or without parameters.

BATCH with Admin User, UAC On, Without Parameters

Example: “%temp%\WorkspaceONEUEM\CreateUser.bat”

Manifest Action: RUN: “<path>\filename.bat”

Context:

  • Admin – UAC Prompted and Worked – Recommended
  • System – Does not work
  • Current User – Works but access denied for creating user thus failed on the device

Device Runs: "C:\Windows\SysWow64\cmd.exe" /C "C:\Windows\system32\cmd.exe", which opens a new CMD that in turn runs "C:\Windows\system32\cmd.exe" /C <path>\filename.bat

BATCH with Admin User, UAC On, With Parameters

Example: “%temp%\WorkspaceONEUEM\CreateUser.bat” Demo P@ssw0rd

Caveat: parameters entered here are stored in plain text in the product manifest and are passed on the device's command line, where anyone who can view the product in the console or inspect the process on the device can read them. Treat the password shown in this example as a placeholder and avoid passing real credentials as Run parameters.

Manifest Action: RUN: “<path>\filename.bat” parameter1 parameter2

Context:

  • Admin – UAC Prompted and Worked – Recommended
  • System – Does not work
  • Current User – Works but access denied for creating user thus failed on the device

Device Runs: "C:\Windows\SysWow64\cmd.exe" /C "C:\Windows\system32\cmd.exe", which opens a new CMD that in turn runs "C:\Windows\system32\cmd.exe" /C <path>\filename.bat parameter1 parameter2

Summary and Additional Resources

Conclusion

This tutorial introduces you to the product provisioning functionality of Workspace ONE UEM, and how to use this functionality to modify device content. A set of exercises describe the process of creating a files/action component to contain the content to push to devices, and then of creating a product that controls when that content is pushed. The final result is the ability to manage the content options of devices through product provisioning.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

Term: Description
adaptive access: The ability to control access and authentication methods to sensitive apps based on a device’s managed status.
additive: Includes only changes developed after the latest version of the application or the last additive patch.
app dependencies: Applications required by the environment and devices to run the Win32 application.
app patches: Files that apply additive or cumulative fixes, updates, or new features to applications.
app transforms: Files that control application installation and can add or prevent components, configurations, and processes during the process.
app uninstall process: Scripts that instruct the system to uninstall an application under specific circumstances.
application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box Experience.
BitLocker: Full disk encryption available for Windows, focused on addressing data leakage or data theft scenarios from stolen, lost, or incorrectly decommissioned devices.
bring your own device (BYOD): The process of providing secure access to corporate data, apps, and content on an employee-owned device without invading employee privacy to their personal data, apps, or content.
business mobility: The concept of being able to provide secure access to your business services, infrastructure, and content to enable your workforce to work remotely.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
conditional access: Provisioning access to a resource or service based on user entitlements or roles.
container: The separation of corporate and personal data on employee-owned devices, allowing IT administrators to manage corporate applications and profiles without invading employee privacy or personal apps and content.
cumulative: Includes the entire application, including any changes since the latest version of the application, or the last patches.
data leakage protection: Software-controlled policies that determine how and where data can be transferred or shared.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
Device Health Attestation: Module that gathers device health measurements and reports these measurements to the Health Attestation Service for evaluation.
enrollment: The process of allowing your device to be managed by the software-defined policies of the chosen enterprise mobility management provider.
enterprise mobility management: The concept of using software and policies to both secure and provide access controls for mobile devices.
files and actions: The combination of the files delivered to a device and the actions that file performs on the device. Files and actions cannot be assigned directly to a device. Instead, assign files and actions to a product, which then provisions to devices.
Health Attestation Services: Cloud service that evaluates health measurements from the device to determine the health state.
identity-as-a-service: Identity and access management services through the cloud to provide SSO identity federation and user-access provisioning.
identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile application management: The concept of managing access, deployment, and restrictions of mobile applications using software and services.
mobile device management (MDM) agent: The concept of managing mobile devices using software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
multi-factor authentication: Access control process that requires users to authenticate using more than one method of authentication by providing something the user knows (a password) and something the user has, such as a hardware token, smartcard, or phone, or something the user is, such as a fingerprint or retina.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
per-app VPN: Policies that allow individual apps to access VPN configurations without granting device-wide access to the VPN connection.
public app stores: Portals where users can access and obtain publicly published applications, such as the iOS App Store and Google Play Store.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
smart groups: Groups that control which devices get which product, based on how the group is created.
step-up authentication: Restricting applications or services to require a stronger authentication method, depending on the sensitivity or severity of the resource.
unified endpoint management: A single platform that allows organizations to manage and secure every endpoint, any app, and content across deployment use cases.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.
Windows Information Protection: Formerly Enterprise Data Protection (EDP), a Windows solution to assist in preventing data leakage without impeding the user experience.

Searching for More Information

When looking for more VMware documentation, you can focus the search using the Advanced Search option.

  1. In the VMware Workspace ONE Documentation window, select the gear icon to start an advanced search.
  2. Enter words or phrases to start the search.
    Example: To search for an article that you think is called Compliance Profile Overview, you might include just the key words, in case the article now has a different name.
  3. Narrow the results by selecting specific criteria.
    Example: The search is limited to the specific product and version.
  4. Click Advanced Search.
  5. In the resulting hit list, you can select a hit. Or you can either apply Sort By filters, or narrow the results further by clicking Advanced Search.

Additional Resources

About the Authors

This tutorial was written by Josué Negrón, Sr. Solutions Architect, End-User-Computing Technical Marketing, VMware, and Hannah Jernigan, Technical Writer, End-User-Computing Technical Marketing, VMware, with appreciation and acknowledgment for considerable contributions from the following subject matter experts:

  • Varun Murthy, Product Line Manager, VMware
  • Nigitha Alugubelli, Sr. Product Manager, VMware
  • Jason Roszak, Director Product Management, VMware
  • Darren Weatherly, Specialist Systems Engineer, VMware
  • Robert Terakedis, Sr. Technical Marketing Manager, EUC Technical Marketing, VMware
  • Aditya Kunduri, Sr. Product Marketing Manager, EUC Mobile Marketing, VMware
  • Ajay Padmakumar, VMware alumni
  • Pedro Bravo, VMware alumni

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.