Using Product Provisioning to Deliver Files to Windows Devices: Workspace ONE Operational Tutorial

Overview

Introduction

Note: This content was created for Windows 10, but the basic principles and tasks outlined also apply to your deployment of Windows 11.

This operational tutorial provides you with practical information to help you set up product provisioning in your Workspace ONE UEM management solution to address the unique circumstances of your use cases.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.

Knowledge of additional technologies such as network, VPN configuration, VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Delivering Files Using Product Provisioning

Introduction

You can use product provisioning functionality to create an ordered installation of profiles, applications, and files/actions into a single product. This product controls when content is pushed to devices, as well as the order of installation of the product.

You can target your products to devices by establishing a set of conditions that indicate when a product is downloaded and when it is installed. Then you push that product out to devices, based on the conditions you set. You can further target your products to devices by setting up smart groups that control which devices get which products.

A common use for product provisioning is pushing a PowerShell script that changes the device background (wallpaper). After the script is provisioned to devices, the wallpaper is updated on enrolled devices and is removed from unenrolled devices.

Prerequisites

Before you can perform the procedures in this exercise, verify that you have Workspace ONE UEM 1810 or later installed and configured with administrative credentials.

For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Creating a Files/Actions Component

To use product provisioning, you first create the files to install and actions to take on your devices.

1. Download Sample Code

  1. Download the sample code from VMware Samples Exchange.
  2. Save the file in a local, accessible location.

2. Log In

  1. To log in to Workspace ONE UEM, enter your username.
  2. Enter your password.
  3. Click Log In.

  1. In the far left of the Workspace ONE UEM Console, click Devices.
  2. In the middle navigation bar, click Staging & Provisioning.
  3. In the expanded list, click Components.
  4. In the expanded sub-list, click Files/Actions.
  5. In the Files/Actions window, click Add Files/Actions.

4. Select the OS

  • In the Add Files/Actions window, click Windows.

5. Select the Device Type

  • In the Device Type window, select Windows Desktop.

6. Enter the Name

  1. On the General tab, enter a files/actions name.
  2. You can also enter an optional description.

7. Add File

  1. Select the Files tab.
  2. Click Add Files.

8. Upload the PowerShell Script

  1. In the Add Files window, select Choose Files and browse for the script file to upload.
  2. Click Save to upload the files.

9. Store the PowerShell Script

  1. In the Add Files window, define the download path the device uses to store the file group in a specific device folder. In this example, the download path was defined as C:\Temp\AirWatch, based on the sample provided earlier, and the rest of the path was added automatically.
  2. Click Save.

10. Verify and Save

  1. In each newly added row, verify the file name and download path.
  2. Select the Manifest tab.

11. Add an Install Manifest Action

  • On the Manifest tab, underneath Install Manifest, click Add Action.

12. Choose the Run Action

  1. In the Add Manifest window, click the down arrow to expand the Action(s) to Perform menu.
  2. From the menu, select Run.
    Note: You can use the manifest to run a script or application using command lines. The Run command must use the syntax of \[full file path]. For example, \path\script.ps1. You must also select the context of the command to indicate whether it should run at the system level, current user level, or admin account level.

13. Finish Defining the Install Manifest Action

  1. Provide the following information:
    • Action(s) To Perform: Run.
    • Execution Context: Current User.
      Note: You can perform actions such as Run or Install using System, Admin, or Current User context. Choose the correct context depending on your script. For example, if the current user does not have admin access and the script requires admin privileges, then choose Admin or System. If the script uses environment variables such as %USERNAME% or %HOMEPATH%, then you must run in Current User context to avoid your variables returning information for the System account.
    • Command Line and Argument to run: "C:\Temp\AirWatch\ChangeDesktop.ps1"
    • TimeOut: Accept the default of 0.
  2. In the Add Manifest window, click Save.

14. Add an Uninstall Manifest Action

  • On the Manifest tab, scroll down to the Uninstall Manifest section, and click Add Action.

15. Choose the Run Action

  1. From the Action(s) to Perform drop-down menu, select Run.
  2. In the lower right, click Save.

16. Define the Uninstall Manifest Action

  1. Provide the following information:
    • Action(s) To Perform: Run.
    • Execution Context: Current User.
    • Command Line and Argument to run: Enter: "C:\Temp\AirWatch\ChangeDesktopBack.ps1"
    • TimeOut: Accept the default of 0.
      Note: The uninstall manifest only runs when the Uninstall action is added to the product. Also, if nothing is added to the Uninstall Manifest, uninstalling the file/action will not do anything. If you plan to remove the configurations your scripts make, you will need to revert settings using the Uninstall Manifest option.
  2. In the Add Manifest window, click Save.

17. Save the Uninstall Manifest Action

  • In the Add Files/Actions window, click Save to upload the files and actions to Workspace ONE UEM.
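
The install and uninstall manifests above call ChangeDesktop.ps1 and ChangeDesktopBack.ps1, and the wallpaper they change is a per-user setting, which is why the Current User context is selected. The following is an added example, not the VMware Samples Exchange script: it combines both actions in one script and refuses to run as SYSTEM; the `Mode` argument, the image path, and the state-file name are assumptions.

```powershell
# Added example, not the VMware Samples Exchange script.
# $Mode, $Wallpaper and the state-file name are assumptions for illustration.
param(
    [ValidateSet('Apply', 'Revert')]
    [string]$Mode = 'Apply',
    [string]$Wallpaper = 'C:\Temp\AirWatch\wallpaper.jpg'   # hypothetical image
)
$ErrorActionPreference = 'Stop'

# Wallpaper is a per-user setting. Under the System context, HKCU and
# environment variables such as %USERNAME% resolve to the SYSTEM account, so
# the script would run without changing the logged-on user's desktop.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if ($identity.IsSystem) {
    throw "Running as $($identity.Name); use the Current User execution context."
}

Add-Type -Namespace Win32 -Name Desktop -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool SystemParametersInfo(uint uiAction, uint uiParam, string pvParam, uint fWinIni);
'@

function Set-Wallpaper([string]$Path) {
    # 0x0014 = SPI_SETDESKWALLPAPER; 0x03 = SPIF_UPDATEINIFILE | SPIF_SENDCHANGE
    if (-not [Win32.Desktop]::SystemParametersInfo(0x0014, 0, $Path, 0x03)) {
        throw "SystemParametersInfo failed for '$Path'"
    }
}

# Per-user state file so Revert restores what Apply replaced.
$stateFile = Join-Path $env:LOCALAPPDATA 'ChangeDesktop.previous.txt'

if ($Mode -eq 'Apply') {
    if (-not (Test-Path -LiteralPath $Wallpaper -PathType Leaf)) {
        throw "Wallpaper file not found: $Wallpaper"
    }
    if (-not (Test-Path -LiteralPath $stateFile)) {   # keep the first saved value on re-runs
        $current = [string](Get-ItemProperty 'HKCU:\Control Panel\Desktop').WallPaper
        Set-Content -LiteralPath $stateFile -Value $current -Encoding UTF8
    }
    Set-Wallpaper $Wallpaper
}
else {
    $previous = ''
    if (Test-Path -LiteralPath $stateFile) {
        $previous = [string](Get-Content -LiteralPath $stateFile -Raw)
    }
    Set-Wallpaper ($previous.Trim())   # an empty string clears the wallpaper
    Remove-Item -LiteralPath $stateFile -ErrorAction SilentlyContinue
}
```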

Creating a Product

After creating the files/actions component that contains the content you want to push to devices, you create a product that controls when the content is pushed and the order of installation.

Note: To edit a product, you must first deactivate it in the list view.

  1. In the far left of the Workspace ONE UEM Console, click Devices.
  2. In the middle navigation bar, click Staging & Provisioning.
  3. In the expanded list, click Product List View.
  4. In the Product List View window, click Add Product.

2. Select the OS

  • Select the Windows OS.

3. Select the Windows Desktop

  • In the Select Device Type window, select Windows Desktop.

4. Provide General Product Data

On the General tab, provide the basic product information:

  1. Name: Enter the name Change Desktop for Win10.
  2. Assignment Group(s): Select an assignment group that contains the devices or users to receive this product.

5. Add Manifest

  1. Navigate to the Manifest tab.
  2. In the upper left, click Add.

6. Provide Manifest Data

  1. In the Add Manifest window, click the down arrow to expand the Action(s) to Perform menu.
  2. From the drop-down menu, select Install Files / Actions.

7. Save the Configuration

  1. In the Files/Actions field, select the Install Manifest action that you created earlier for changing the wallpaper.
  2. Click Save.

8. Verify and Activate

  1. Verify.
  2. In the lower right, select Activate to deploy the actions to the devices.

Important: The VMware Workspace ONE™ Intelligent Hub (formerly called AirWatch Protection Agent) must be installed on devices to use product provisioning. You can enable Workspace ONE Intelligent Hub to automatically deploy by navigating to Settings > Devices & Users > Windows > Windows Desktop > Hub Application.

9. Additional Configuration Options

You can add additional manifest items if desired, such as the Uninstall Manifest action. You can adjust the order of the manifest steps using the up and down arrows and edit or delete a step in the Manifest list view. To completely automate the manifest, you can also create a sequence of actions to execute on the device.

You can also add configurations from the Conditions, Deployment, and Dependencies tabs. These configurations are optional and unnecessary when creating the Change Desktop product:

  • On the Conditions tab, you can configure Download Conditions settings, Install Conditions settings, or both.
  • On the Deployment tab, configure times and dates to activate and deactivate the product.
  • On the Dependencies tab, configure the order in which products apply to devices.

Appendix: PowerShell and Batch Details

Introduction

Questions often arise about when to use PowerShell scripts or BATCH scripts. This section provides detailed information about the use of these scripts in both standard and administrative accounts.

About Standard Accounts

When pushing products to standard users (local accounts without admin rights) you must disable UAC or the end-user receives UAC prompts asking for admin credentials. You can disable UAC via group policies on your domain, or via the restrictions payload in the Workspace ONE UEM console.

For information about administrative users, see About Administrative Accounts.

Recommendations

When pushing scripts to standard accounts, it is recommended that you use the following contexts:

To Push This Script    Use This Context
PowerShell             Admin
BATCH                  System
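
With the Admin or System context, whatever is in the download path at run time executes with those rights, so it is worth confirming that standard users cannot modify that folder. The following check is an added example, not part of the VMware tutorial or sample code; the function name is hypothetical and the path is the download path used earlier in this tutorial.

```powershell
# Added example: list ACEs that let principals other than SYSTEM,
# Administrators or TrustedInstaller modify a provisioning download folder.
function Get-NonAdminWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    $trusted = @(
        'S-1-5-18',        # NT AUTHORITY\SYSTEM
        'S-1-5-32-544',    # BUILTIN\Administrators
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Rights that allow changing or replacing files in the folder.
    $writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                       $fsr::DeleteSubdirectoriesAndFiles -bor
                       $fsr::ChangePermissions -bor $fsr::TakeOwnership)
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear
    # unmapped in inherited ACEs, so test those bits as well.
    $genericMask = 0x50000000
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $writeMask) -or ($rights -band $genericMask)) {
            $sid  = $ace.IdentityReference
            $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $sid.Value }   # unresolvable SID: report it raw
            [pscustomobject]@{
                Principal    = $name
                Rights       = $ace.FileSystemRights
                Inherited    = $ace.IsInherited
                ChildrenOnly = [bool]($ace.PropagationFlags -band $inheritOnly)
            }
        }
    }
}

$findings = @(Get-NonAdminWriteAccess -Path 'C:\Temp\AirWatch')
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No write access found for principals outside SYSTEM, Administrators, TrustedInstaller.'
}
```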

Warning Prompts

UAC prompts are displayed if you push products using non-recommended contexts.

Example of a PowerShell Prompt

Example of a BATCH Prompt

About Administrative Accounts

To push products successfully to devices, it is recommended that you use the syntax formats described below for PowerShell and BATCH scripts. The syntax holds true for any account type, but the recommendations apply to a device with an admin user and UAC enabled.

For information about standard users, see About Standard Accounts.

Syntax Formats for PowerShell Scripts

The following formats apply to administrative users with UAC on, with or without parameters.

PowerShell with Admin User, UAC On, Without Parameters

Example: "C:\Users\Demo\AppData\Local\Temp\WorkspaceONEUEM\ChangeDesktop.ps1"

Manifest Action: RUN: "<path>\filename.ps1"

Context:

  • Admin – UAC prompts but works; the prompt asks "Do you want to allow AW.ProtectionAgent.PowershellExecutor?"
  • System – Executes but does not work (tested with the change wallpaper script)
  • Current User – Works without UAC prompting – Recommended

Device Runs: "C:\Program Files (x86)\AirWatch\AgentUI\AW.ProtectionAgent.PowershellExecutor.exe" ProductPsScriptExecution <path>\filename.ps1

PowerShell with Admin User, UAC On, With Parameters

Example: "%temp%\WorkspaceONEUEM\set-wallpaper.ps1" Colour Blue

Manifest Action: RUN: "<path>\filename.ps1" Parameter1 Parameter2

Context:

  • Admin – UAC prompts but works; the prompt asks "Do you want to allow AW.ProtectionAgent.PowershellExecutor?"
  • System – Executes but does not work (tested with the change wallpaper script)
  • Current User – Works without UAC prompting – Recommended

Device Runs: "C:\Program Files (x86)\AirWatch\AgentUI\AW.ProtectionAgent.PowershellExecutor.exe" ProductPsScriptExecution <path>\filename.ps1 parameters

Syntax Formats for BATCH Scripts

You can push BATCH with or without parameters.

BATCH with Admin User, UAC On, Without Parameters

Example: "%temp%\WorkspaceONEUEM\CreateUser.bat"

Manifest Action: RUN: "<path>\filename.bat"

Context:

  • Admin – UAC prompted and worked – Recommended
  • System – Does not work
  • Current User – Runs, but access is denied when creating the user, so it fails on the device

Device Runs: "C:\Windows\SysWow64\cmd.exe" /C "C:\Windows\system32\cmd.exe" then opens the new CMD and runs "C:\Windows\system32\cmd.exe" /C <path>\filename.bat

BATCH with Admin User, UAC On, With Parameters

Example: "%temp%\WorkspaceONEUEM\CreateUser.bat" Demo P@ssw0rd

Manifest Action: RUN: "<path>\filename.bat" parameter1 parameter2

Context:

  • Admin – UAC prompted and worked – Recommended
  • System – Does not work
  • Current User – Runs, but access is denied when creating the user, so it fails on the device

Device Runs: "C:\Windows\SysWow64\cmd.exe" /C "C:\Windows\system32\cmd.exe" then opens the new CMD and runs "C:\Windows\system32\cmd.exe" /C <path>\filename.bat parameter1 parameter2

Summary and Additional Resources

Conclusion

This tutorial introduces you to the product provisioning functionality of Workspace ONE UEM, and how to use this functionality to modify device content. A set of exercises describes the process of creating a files/actions component to contain the content to push to devices, and then of creating a product that controls when that content is pushed. The final result is the ability to manage the content options of devices through product provisioning.

Searching for More Information

When looking for more VMware documentation, you can focus the search using the Advanced Search option.

  1. In the VMware Workspace ONE Documentation window, select the gear icon to start an advanced search.
  2. Enter words or phrases to start the search.
    Example: To search for an article that you think is called Compliance Profile Overview, you might include just the key words, in case the article now has a different name.
  3. Narrow the results by selecting specific criteria.
    Example: The search is limited to the specific product and version.
  4. Click Advanced Search.
  5. In the resulting hit list, you can select a hit. Or you can either apply Sort By filters, or narrow the results further by clicking Advanced Search.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

For information about deployment, see Deploying Workspace ONE Intelligence and VMware Carbon Black Cloud: Workspace ONE Operational Tutorial.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

For more information on Managing Windows 10 Devices with Workspace ONE, see the Understanding Windows 10 Management activity path. The content in this path helps you establish a basic understanding of Windows 10 management in the following categories:

About the Authors

This tutorial was written by:

  • Josué Negrón, EUC Staff Architect, End-User-Computing Technical Marketing, VMware
  • Hannah Jernigan, EUC Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Considerable contributions were made by the following subject matter experts:

  • Darren Weatherly, Specialist Systems Engineer, VMware
  • Aditya Kunduri, Group Product Marketing Manager, EUC Mobile Marketing, VMware
  • Bryan Garmon, Sr. Solutions Engineer, VMware
  • Pete Lindley, Sr. Specialist Systems Engineer, VMware
  • Mike Nelson, Sr. Solutions Architect, VMware
  • Ameya Jambavalikar, Sr. Solutions Architect, VMware

Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
