VMware Hands-on Labs - HOL-1957-04-UEM


Lab Overview - HOL-1957-04-UEM - Workspace ONE UEM - Windows 10 Management

Lab Guidance


Note: It may take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Discover how Workspace ONE UEM with Windows 10 enables Policy Configuration, OS Patch Management, Software Distribution and Security.  Also, learn about new SCCM co-management capabilities in order to ease the transition from traditional to modern management for Windows 10.

Lab Module List:

 Lab Captains:

Subject Matter Experts:

 This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab cannot be saved, so all your work must be done during the lab session, but you can click EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

 
 

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@ key".

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes your lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Introduction to Windows 10 Management

Introduction


In this lab module, you will learn how to enroll a Windows 10 device into Workspace ONE UEM and how to configure and deploy restriction profiles and applications to your enrolled device.


 

Pre-Requisites

To successfully complete this Hands-On Lab, you'll need to ensure you have the following pre-requisites:

As a reminder, DO NOT access the Hands-On lab from the same machine you plan to enroll & manage as part of the HOL exercise. As part of the HOL, you will be rebooting this machine and will temporarily lose access to the lab documentation if you run the lab from the machine you enroll.

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Create Test User Account


Basic accounts are accounts created locally in the AirWatch admin console, as opposed to accounts imported from Active Directory. In this section, we will create a Basic User account which we will use for enrollment in the following section.


 

Click on Add / User

 

In the top right corner of the AirWatch console,

  1. Click Add.
  2. Click User.

 

 

Add User information

 

In the pop-up window,

  1. Ensure that security type is Basic
  2. Enter the username as testuser
  3. Enter the password as VMware1!
  4. Confirm the password as VMware1!
  5. Enter the first name as test
  6. Enter the last name as user
  7. Enter the e-mail address as testuser@corp.local
  8. Click on Save
    NOTE - Use the scroll bar if you don't see the option to enter email address

You should see a confirmation that the user was created successfully. If a user with the same username already exists, you can use the existing user in the following section.

 

Connect to the Windows 10 Virtual Machine


 

Double-click the Win10-01a.rdp shortcut from the Main Console Desktop to connect to the Windows 10 virtual machine.


Modifying Internet Options for Windows Enrollment


Before enrolling the Windows 10 Virtual Machine, we will make a modification to prevent issues with the Hands on Labs firewall causing a delay in the enrollment process.


 

Open Settings

 

  1. Click the Windows button.
  2. Click the Settings (Gear) icon.

 

 

Open Internet Options

 

  1. Type Internet Options in the search bar.
  2. Click Internet Options from the results list.

 

 

Modify the Certificate Revocation Options

 

  1. Click the Advanced tab.
  2. Scroll down to find the Security section.
  3. Uncheck the Check for publisher's certificate revocation option.
  4. Uncheck the Check for server certificate revocation option.
  5. Click Apply.
  6. Click OK.

 

Enrolling Your Windows 10 Device with a Basic Account


We will now enroll our Windows 10 device in Workspace ONE UEM.  First, we will need to download the Workspace ONE Intelligent Hub.


 

Download the Workspace ONE Intelligent Hub on the Windows 10 VM

 

From a new tab in the browser, if not opened already,

  1. Enter https://www.getwsone.com in the navigation bar and press Enter.
  2. Click Download Hub for Windows 10.
    NOTE: Please wait while the Workspace ONE Intelligent Hub installer finishes downloading.  
  3. Click Keep when warned about the AirWatchAgent.msi download.

NOTE - If you do not see the warning about the AirWatchAgent.msi file, skip this and continue to the next step.

 

 

Launch the Workspace ONE Intelligent Hub Installer

 

Click the AirWatchAgent.msi file in your download bar.

NOTE - The installer may take a few seconds to launch; please be patient after clicking the AirWatchAgent.msi file.

 

 

Click Run

 

Click Run to proceed with the installation.

 

 

Enroll Your Windows 10 Device Using the Workspace ONE Intelligent Hub

 

Click Server Detail.

 

Return to the Main Console


 

Click Close (X) on the Remote Desktop Connection bar at the top of the screen to return to the Main Console to finish making configurations within the Workspace ONE UEM Console.


Configuring a Device Profile for Windows 10


Profiles allow you to modify how the enrolled devices behave. This exercise helps you to configure and deploy a restrictions profile that we can verify has applied to the device later in the section.


 

Add a Profile

 

In the upper-right corner of Workspace ONE UEM Console:

  1. Select Add.
  2. Select Profile.

 

 

Navigate to Profiles List View

 

  1. Select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.

 

 

Verify the Restrictions Profile Now Exists

 

You should now see your Restrictions Profile within the List View of the Devices Profiles window.

Note: If you need to edit the Restrictions Profile, this is where you would do so. To edit the profile, click the profile name, then select Add Version. Update the profile and click Save & Publish to push the new settings to the assigned devices.

 

Delivering Apps on Windows 10


You can distribute applications to Windows 10 devices, allowing for a seamless user experience. This exercise helps you to create and distribute an application to your Windows 10 device.

This exercise uses the 7-Zip installation program downloaded and stored in the Documents folder.


 

Add Internal Application

 

In the upper-right corner of Workspace ONE UEM Console:

  1. Select Add.
  2. Select Internal Application.

 

 

Upload Application

 

Click Upload.

 

 

Find the Application MSI

 

Click the Browse... button.

 

 

Upload the EXE File

 

Navigate to your installation file. The 7-zip installation file has been downloaded to the server and placed in the Documents folder.

  1. Select Documents.
  2. Expand HOL.
  3. Select the Windows 10 folder.
  4. Select your installation file, for example, 7z1604-x64.exe.
  5. Click Open.

 

 

Save the EXE File

 

Click Save.

 

 

Continue to the App Settings

 

  1. Select No for Is this a dependency app?
  2. Click Continue.

 

 

Configure App Details

 

  1. Enter a name for your application, for example, 7-Zip.
  2. Select 64-bit for the Supported Processor Architecture.

 

 

Configure Application Files

 

  1. Select the Files tab.
  2. Scroll down to find the App Uninstall Process section.
  3. Select Input for the Custom Script Type.
  4. Enter the following for Uninstall Command:
7z1604-x64.exe /Uninstall

Note: For information about copying text from the manual, see the Guidance section.

 

 

Select Deployment Options

 

  1. Select Deployment Options.
  2. Scroll down until you see the option for Install Command.
  3. Enter Install Command as:
7z1604-x64.exe /S

Note: For information about copying text from the manual, see the Guidance section.

 

 

Add Identify Application Condition

 

  1. Scroll down to find the When To Call Install Complete section.
  2. Select Defining Criteria for Identify Application By.
  3. Click Add.

 

 

Configure the Install Complete Defining Criteria

 

  1. Select File Exists for the Criteria Type.
  2. Enter C:\Program Files\7-Zip\7zFM.exe for the Path.
  3. Click Add.

Note: For information about copying text from the manual, see the Guidance section.
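
The install command and the File Exists criterion entered above can be exercised together on a test machine before the app is published. The following PowerShell is an added example, not part of the lab manual; the function name, its parameters, and the installer folder in the sample call are assumptions.

```powershell
# Added example (not from the lab manual). Test-InstallCriteria and its
# parameter names are hypothetical. Run it on a disposable test machine from an
# elevated session, because the installer writes under C:\Program Files.

function Test-InstallCriteria {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,  # full path to the installer EXE
        [Parameter(Mandatory)] [string] $InstallArgs,    # switches from the Install Command, e.g. '/S'
        [Parameter(Mandatory)] [string] $DetectionPath,  # path entered for the File Exists criterion
        [int] $TimeoutSeconds = 300
    )

    if (-not (Test-Path -LiteralPath $InstallerPath -PathType Leaf)) {
        throw "Installer not found: $InstallerPath"
    }

    # If the file is already present, a later "exists" result proves nothing
    # about this install run.
    $presentBefore = Test-Path -LiteralPath $DetectionPath -PathType Leaf

    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $InstallArgs -PassThru
    $null = $proc.Handle   # cache the handle so ExitCode is readable after exit

    $timedOut = -not $proc.WaitForExit($TimeoutSeconds * 1000)
    if ($timedOut) {
        # A command that is not fully silent blocks on a dialog nobody will click.
        $proc.Kill()
        $exitCode = $null
    } else {
        $exitCode = $proc.ExitCode
    }

    $presentAfter = Test-Path -LiteralPath $DetectionPath -PathType Leaf

    $verdict = if ($timedOut) {
        'InstallerDidNotExit'
    } elseif ($exitCode -ne 0) {
        'InstallerFailed'
    } elseif (-not $presentAfter) {
        'CriterionNotMet'   # install ran, but the criterion would never be satisfied
    } elseif ($presentBefore) {
        'Inconclusive'      # file was already there before the run
    } else {
        'Pass'
    }

    [pscustomobject]@{
        ExitCode      = $exitCode
        PresentBefore = $presentBefore
        PresentAfter  = $presentAfter
        Verdict       = $verdict
    }
}

# Sample call with the values from this lab; the installer folder is an
# assumption, adjust it to where the file sits on the test machine:
# Test-InstallCriteria `
#     -InstallerPath "$env:USERPROFILE\Documents\HOL\Windows 10\7z1604-x64.exe" `
#     -InstallArgs '/S' `
#     -DetectionPath 'C:\Program Files\7-Zip\7zFM.exe'
```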

 

 

Save and Assign the Application

 

Click Save & Assign.

 

 

Add an Assignment

 

Click Add Assignment.

 

 

Add Assignment Group and Push Mode

 

  1. Click the Select Assignment Groups search box and select All Devices (your.email@shown.here).
  2. Select Auto for the App Delivery Method.
  3. Click Add.

 

 

Save and Publish the Application

 

Click Save & Publish.

 

 

Preview the Assigned Devices

 

Click Publish.

 

Connect to the Windows 10 Virtual Machine


 

Double-click the Win10-01a.rdp shortcut from the Main Console Desktop to connect to the Windows 10 virtual machine.


Validate Device Enrollment


Once your Windows 10 device is enrolled, the restriction profile and application you created earlier will be installed on the device.  Continue to confirm enrollment was successful and that the profile installed correctly by verifying that the restrictions took place on your device.


 

Confirm Profile

 

  1. Click on Start logo.
  2. Click on Cortana in the apps list.

 

 

Confirm Application

 

Click Explorer from the bottom toolbar.

 

Un-enrolling your Windows 10 Device


In this section, we are going to un-enroll our Windows 10 VM so that we can use it for other lab modules. We will delete the device record from the console, which will also un-enroll the device and remove all the apps and profiles that are pushed from Workspace ONE UEM console, also known as managed content.


 

Delete Device from Workspace ONE UEM Console

 

From the Workspace ONE UEM Console,

  1. Click on Devices
  2. Click on List View
  3. Select the check box next to your device friendly name.
  4. Click on More Actions
  5. Click on Delete Device

 

 

Enter Reason and Delete

 

  1. Enter the reason as lab completed.
  2. Click on Delete

 

 

Validate DELETE IN PROGRESS...

 

  1. You may see device friendly name changing to DELETE IN PROGRESS...
  2. Click on the Refresh Icon to validate if the device deletion is successful.

 

 

Ensure that device record is deleted

 

  1. Use the Refresh Button if needed.
  2. Ensure that the device record is now deleted from the Workspace ONE UEM console and you see the message No Records Found.

 

 

 

Navigate to Windows 10 Settings

 

  1. Click on the Windows Icon
  2. Click on the gear icon to access Windows 10 Settings

 

 

 

Access Accounts Settings

 

From the Settings Menu, access Accounts

 

 

Validate That No Management Account Exists

 

 

  1. Click on Access work or school
  2. Validate that you DO NOT see any account connected to AirWatchMDM.

NOTE - The CORP AD domain is the local domain in this lab and is not controlled by AirWatch Enrollment, so you will see this connection whether your device is enrolled or unenrolled.

 

Conclusion


In addition to managing mobile devices, Workspace ONE UEM can also manage your Windows 10 devices and applications.  This quick look into Windows 10 management should provide a clearer picture of how you can manage your Windows 10 devices by configuring restrictions and profiles and deploying applications alongside your mobile workforce.  For a deeper dive into Windows 10 Management, consider taking the following Windows 10 modules.

This concludes the Basic Windows 10 Management module.


Module 2 - Windows 10 Software Distribution and Troubleshooting

Introduction


Many issues in PC management arise from the delivery, integration, and support of applications. As end-user demand drives organizations to adopt more applications, these issues only grow in complexity and number. Today’s sophisticated user requires control over apps on both personal and corporate-owned devices. Workspace ONE UEM on Windows 10 introduces features and tools to simplify application integration and management.


 

Software Distribution and Lifecycle Flow with Workspace ONE UEM

 

You can deploy Win32 applications from the Apps & Books section of the Workspace ONE UEM Console and, in doing so, use the application life-cycle flow that exists for all internal applications. This feature is called software distribution.

You can use the Workspace ONE UEM software distribution feature to deliver Win32 applications, track installation statuses, keep application versions current, and delete old applications.

 

 

Connect to Windows 10 VM


We have provided you a Windows 10 VM to complete the necessary steps for this lab. Let's connect to it to complete the steps in the following section.


 

Connect to the Windows 10 VM

 

Double-click the Win10-01a.rdp shortcut on the lab desktop.

If prompted, the login credentials for the Windows 10 VM are:

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Modifying Internet Options for Windows Enrollment


Before enrolling the Windows 10 Virtual Machine, we will make a modification to prevent issues with the Hands on Labs firewall causing a delay in the enrollment process.


 

Open Settings

 

  1. Click the Windows button.
  2. Click the Settings (Gear) icon.

 

 

Open Internet Options

 

  1. Type Internet Options in the search bar.
  2. Click Internet Options from the results list.

 

 

Modify the Certificate Revocation Options

 

  1. Click the Advanced tab.
  2. Scroll down to find the Security section.
  3. Uncheck the Check for publisher's certificate revocation option.
  4. Uncheck the Check for server certificate revocation option.
  5. Click Apply.
  6. Click OK.
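
The two check boxes cleared in this step (and in the same step in Module 1) are stored as per-user registry values, so their state can be read back and switched on again once enrollment has finished. The following PowerShell is an added example, not part of the lab manual; the registry locations and bit value are the standard Internet Options ones and the function names are hypothetical.

```powershell
# Added example (not from the lab manual): report, and with -Restore re-enable,
# the two Internet Options revocation checks for the current user.
param([switch] $Restore)

$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PubKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

# In the Software Publishing "State" value, bit 0x200 means
# "ignore revocation" for publisher (code-signing) certificates.
$IgnoreRevocationBit = 0x200

function Get-RevocationCheckState {
    $inet = Get-ItemProperty -Path $InetKey -Name CertificateRevocation -ErrorAction SilentlyContinue
    $pub  = Get-ItemProperty -Path $PubKey  -Name State -ErrorAction SilentlyContinue

    # "Check for server certificate revocation": 1 = checked, 0 = unchecked.
    $server = if ($null -eq $inet) {
        'NotSet'
    } elseif ($inet.CertificateRevocation -eq 1) {
        'Enabled'
    } else {
        'Disabled'
    }

    # "Check for publisher's certificate revocation": checked when the bit is clear.
    $publisher = if ($null -eq $pub) {
        'NotSet'
    } elseif ($pub.State -band $IgnoreRevocationBit) {
        'Disabled'
    } else {
        'Enabled'
    }

    [pscustomobject]@{
        ServerCertificateRevocation    = $server
        PublisherCertificateRevocation = $publisher
    }
}

function Restore-RevocationChecks {
    Set-ItemProperty -Path $InetKey -Name CertificateRevocation -Value 1 -Type DWord

    $pub = Get-ItemProperty -Path $PubKey -Name State -ErrorAction SilentlyContinue
    if ($null -ne $pub) {
        # Clear only the ignore-revocation bit and keep the other flags as they are.
        $newState = $pub.State -band (-bnot $IgnoreRevocationBit)
        Set-ItemProperty -Path $PubKey -Name State -Value $newState -Type DWord
    }
}

if ($Restore) { Restore-RevocationChecks }
Get-RevocationCheckState
```

Internet Options windows that are already open keep showing the old state until they are reopened.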

 

Enrolling Your Windows 10 Device


We will now enroll our Windows 10 device in Workspace ONE UEM.  First, we will need to download the Workspace ONE Intelligent Hub.


 

Download the Workspace ONE Intelligent Hub on the Windows 10 VM

 

From a new tab in the browser, if not opened already,

  1. Enter https://www.getwsone.com in the navigation bar and press Enter.
  2. Click Download Hub for Windows 10.
    NOTE: Please wait while the Workspace ONE Intelligent Hub installer finishes downloading.  
  3. Click Keep when warned about the AirWatchAgent.msi download.

NOTE - If you do not see the warning about the AirWatchAgent.msi file, skip this and continue to the next step.

 

 

Launch the Workspace ONE Intelligent Hub Installer

 

Click the AirWatchAgent.msi file in your download bar.

NOTE - The installer may take a few seconds to launch; please be patient after clicking the AirWatchAgent.msi file.

 

 

Click Run

 

Click Run to proceed with the installation.

 

 

Enroll Your Windows 10 Device Using the Workspace ONE Intelligent Hub

 

Click Server Detail.

 

Deploying Notepad++


In this exercise, we will deploy Notepad++ to our Windows 10 device to see how to configure and deploy an application to your end users and what the end user experience is like for interacting with these applications.


 

Deploying Notepad++ In Workspace ONE UEM

 

  1. Click Apps & Books.
  2. Click Add Application.

 

Confirm the aduser Certificate Has Installed


We have configured a few device profiles for you to automatically install the user certificate you will need for this lab. In this section, we are going to validate whether that user certificate is installed on your Windows 10 device before proceeding.


 

Check the Device Details for the Certificate Profile Status

 

In the Workspace ONE UEM Console,

  1. Click Devices
  2. Click List View
  3. Click the device link for the enrolled device.

 

 

Check the aduser Certificate on the Windows 10 Device

 

  1. Click the Windows button.
  2. Type user certificates and the Search bar will populate.
  3. Click the Manage user certificates option.

 

Login to the Workspace ONE Application


 

  1. Click the Windows button.
  2. Click the Workspace ONE app icon from the start menu.

 

Enter the Workspace ONE Server Address (IF NEEDED)

 

Your Workspace ONE app may have already validated the workspace server URL.  If you are prompted to enter a username rather than a workspace server URL, you can skip this step.

  1. The server address https://hol-cn1193-ws1win.vidmpreview.com should already be set when launching the Workspace ONE app. If it is not already set, enter the value in the Server Address field.
  2. Click Continue.

 

 

Enter Your Username for Workspace ONE

 

  1. Enter aduser for the username.
  2. Click Next.

 

 

Allow Access to Credentials

 

Click Allow to allow access to your private key.

NOTE - The user will only be prompted once for this permission.

NOTE - If you receive the "Access Denied. Certificate login failure." screen, please wait a few minutes and try to login again.  The device may take several minutes to receive the certificate due to scalability and lab network limitations.

 

 

Enter the Workspace

 

Once the workspace is ready, click Enter.

 

Verify Notepad++ Deployment


Now that you have published Notepad++ to your Windows 10 Devices and logged into the Workspace ONE catalog, let's review how to verify that your application was deployed successfully.


 

Confirm Deployment in the Workspace ONE Catalog

 

  1. Ensure the Notepad++ app displays and shows as Installed.
  2. If the Notepad++ app is not installed yet, you may need to wait a few minutes for it to complete.  Click the Refresh button to reload the page as needed.

As an end user, you will have access to the Notepad++ application once it is installed.  If you are able to see the Notepad++ application in the Catalog and the status displays as Installed, then the deployment was successful and our parameters for determining a successful install were correct.

INFO: The Notepad++ application began to install automatically because you set the App Delivery Method as Auto in the Workspace ONE UEM Console.  If you had applications that you did not want to deploy automatically that users could download when needed, you could set the App Delivery Method to On Demand and allow end users to initiate the Notepad++ download from the Workspace ONE catalog.

 

 

Confirm Application Installed

 

  1. Click the Windows button.
  2. Confirm Notepad++ displays in the Recently Added section, confirming the install.

 

 

Deployment Details and Troubleshooting

In most cases, a successful deployment is easily verified by checking whether the app was installed or deployed to your device, either through the Workspace ONE Catalog or by inspecting the files that you expect the installer to create.  Continue through this section to see how you can inspect other details for further troubleshooting and for additional details on Software Distribution on Windows 10.

 

 

Conclusion

There are several ways to debug a failed or erroneous Software Distribution deployment, as we have reviewed.  The Workspace ONE UEM Console is a good first step for determining what is occurring, but digging into the AppDeploymentCache and AppDeploymentAgent registry files will assist in deeper troubleshooting to determine any issues.

With this knowledge in mind, we will move onto deploying Office 365.  Continue to the next step.

 

Deploying Office 365 ProPlus


In this hands on lab, you will package Office 2016 with a configuration file for click-to-run delivery to remote and enterprise worker devices. You will configure and assign the application to smart groups with the flexible deployment feature.

We have provided you with all of the files needed to complete the steps; however, in your organization you will have a customized configuration file to embed with your Office installation.


 

Preparing the Office 365 ProPlus Files

Before we can upload the ProPlus app to the Workspace ONE UEM Console, we need to prepare and zip the files.

 

 

Deploying Office 365 Pro Plus in Workspace ONE UEM

Now that you've zipped the setup.exe and configuration.xml files for your Office 365 deployment, the next step is to upload and deploy this application through the Workspace ONE UEM Console.

 

Verifying Office 365 Pro Plus Deployment


Due to the scalability of this lab, time constraints, and the size of the install, the Office 365 Pro Plus installer WILL NOT complete on your Windows 10 device before the lab session expires.  This section will guide you through verifying that the install command was completed and how you can verify your software distribution process for scenarios outside of this lab.


 

Verify App Availability in Workspace ONE

You can confirm that the Office 365 Pro Plus application was assigned to your device and is installing within the Workspace ONE application.  

 

 

Verify Install Command Was Sent

You can retrieve details about the current install status of an application on the assigned devices.  This can be used to monitor if devices are installing the application appropriately.

 

 

Using Device Details to Track Applications & Troubleshooting

In addition to the applications details view, you can view Apps information and Troubleshooting logs, which can aid in tracking application deployments and debugging why deployments may fail.

 

 

Verify Install Was Completed (follow along)

The following steps are for instructional purposes only, as the Office 365 Pro Plus installer WILL NOT complete before the lab expires due to limited network resources and the lab time limit!  Please follow along to see how you can verify that software distribution installs are completed and successful.

NOTE - As mentioned before, the Office 365 Pro Plus installation will likely not complete before your lab expires due to limited network resources and the lab time limit!  This section will demonstrate what a successful install would look like in the Workspace ONE UEM Console in a real deployment.

 

Un-enrolling your Windows 10 Device


In this section, we are going to un-enroll our Windows 10 VM so that we can use it for other lab modules. We will delete the device record from the console, which will also un-enroll the device and remove all the apps and profiles that are pushed from Workspace ONE UEM console, also known as managed content.


 

Delete Device from Workspace ONE UEM Console

 

From the Workspace ONE UEM Console,

  1. Click on Devices
  2. Click on List View
  3. Select the check box next to your device friendly name.
  4. Click on More Actions
  5. Click on Delete Device

 

 

Enter Reason and Delete

 

  1. Enter the reason as lab completed.
  2. Click on Delete

 

 

Validate DELETE IN PROGRESS...

 

  1. You may see device friendly name changing to DELETE IN PROGRESS...
  2. Click on the Refresh Icon to validate if the device deletion is successful.

 

 

Ensure that device record is deleted

 

  1. Use the Refresh Button if needed.
  2. Ensure that the device record is now deleted from the Workspace ONE UEM console and you see the message No Records Found.

 

 

 

Navigate to Windows 10 Settings

 

  1. Click on the Windows Icon
  2. Click on the gear icon to access Windows 10 Settings

 

 

 

Access Accounts Settings

 

From the Settings Menu, access Accounts

 

 

Validate That No Management Account Exists

 

 

  1. Click on Access work or school
  2. Validate that you DO NOT see any account connected to AirWatchMDM.

NOTE - The CORP AD domain is the local domain in this lab and is not controlled by AirWatch Enrollment, so you will see this connection whether your device is enrolled or unenrolled.
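
The same validation (here and in the matching step in Module 1) can be scripted by reading the MDM enrollment records Windows keeps in the registry. The following PowerShell is an added example, not part of the lab manual; it assumes the enrollment's ProviderID carries the AirWatchMDM name shown in Settings, and the function name is hypothetical.

```powershell
# Added example (not from the lab manual): list MDM enrollments recorded on the
# device and report whether one for the expected provider is still present.
# Assumption: the ProviderID value matches the 'AirWatchMDM' name that the
# Access work or school page displays.

$ExpectedProvider = 'AirWatchMDM'

function Get-MdmEnrollment {
    param([string] $Root = 'HKLM:\SOFTWARE\Microsoft\Enrollments')

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue

        # Housekeeping subkeys under Enrollments carry no ProviderID; skip them.
        if ($props -and $props.ProviderID) {
            [pscustomobject]@{
                EnrollmentId = $_.PSChildName
                ProviderID   = $props.ProviderID
                UPN          = $props.UPN
            }
        }
    }
}

$all      = @(Get-MdmEnrollment)
$leftover = @($all | Where-Object { $_.ProviderID -eq $ExpectedProvider })

# Domain membership is tracked separately from MDM enrollment, which is why the
# CORP connection stays visible in Settings either way.
$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

[pscustomobject]@{
    EnrollmentsFound   = $all.Count
    ProviderStillThere = ($leftover.Count -gt 0)
    LeftoverIds        = ($leftover.EnrollmentId -join ', ')
    DomainJoined       = $domainJoined
}
```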

 

Sign Out of the Workspace ONE Application


 

  1. Click the Workspace ONE App icon from the task bar.
  2. Click the User icon.
  3. Click Sign Out.

 

Confirm Sign Out

 

Click Sign Out

 

 

Close the Workspace ONE App

 

Click the Close button.

 

Close Chrome to Clear Session Cookies


 

  1. Return to your Chrome browser.
  2. Click the Close (X) button.

Workspace ONE saves your OAuth session details in cookies.  Closing your browser ensures your previous session cookies will be deleted and won't interfere with any additional modules you take.


Conclusion


Software Distribution in AirWatch allows you to deliver Windows applications and adhere to the application life-cycle.  Software Distribution enables your organization to deploy applications, track the installation statuses, debug and troubleshoot installation issues, and maintain applications with ease.


Module 3 - Windows 10 Real-Time and Automated Security Protection and Compliance

Introduction


 

The release of Windows 10 introduced fundamental changes to the Windows operating system to address the security and data concerns of today’s digital workspace. To take advantage of Workspace ONE Unified Endpoint Management’s (UEM) capabilities, you can fold the Windows 10 functionality into an existing VMware AirWatch management solution. Combining traditional client requirements with modern enterprise management capabilities creates a simplified, cost-effective management solution. Use Workspace ONE UEM to establish user trust, assess the device posture, enforce conditional access, and enable data loss prevention.

In this hands-on lab, we will explore how to configure many of the end-to-end security features. However, because the lab uses VMs, we will not be able to fully test all of our security configurations.

NOTE - You may need to scroll to the right to view the full screen button on the video above.


Connect to Windows 10 VM


We have provided you a Windows 10 VM to complete the necessary steps for this lab. Let's connect to it to complete the steps in the following section.


 

Connect to the Windows 10 VM

 

Double-click the Win10-01a.rdp shortcut on the lab desktop.

If prompted, the login credentials for the Windows 10 VM are:

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Device Posture and Real-Time Compliance


Workspace ONE UEM assesses device posture by evaluating, locally enforcing, and remediating devices using the compliance engine, a Workspace ONE UEM tool that ensures that all devices abide by specified policies. A policy can include basic security settings or more critical security configurations.


 

Navigate to All Settings

 

  1. Click Groups & Settings.
  2. Click All Settings.

 

 

Navigate to Windows Health Attestation

 

  1. Click Devices & Users
  2. Click Windows
  3. Click Windows Desktop
  4. Click Windows Health Attestation
  5. Select Override for the Current Setting
  6. Uncheck BitLocker Disabled under the Compromised Status Definition section.

 

 

Configure Health Attestation

 

  1. Scroll down to the bottom of the page.
  2. Click Save

 

 

Close Settings

 

  1. Ensure the Saved Successfully prompt is displayed.
  2. Click the Close (X) button to close the Setting window.

 

Conditional Access


For this lab, we will use the VMware Workspace ONE app to demonstrate the conditional access and Single Sign-On functions instead of a public third-party application such as the native Salesforce app.


 

Introduction

 

Conditional access to corporate resources through Workspace ONE combines Workspace ONE UEM (VMware AirWatch) management capabilities with VMware Identity Manager™. Available across all platforms and device types, conditional access provides the intelligence necessary for comprehensive unified endpoint management. While Workspace ONE UEM automatically denies access to unmanaged devices, conditional access enables a more nuanced approach by allowing managed devices to access corporate resources if they report a healthy compliance status.

For this lab several items such as Identity Manager integration and Certificate Profiles have been pre-configured for your Organization Group.

 

 

View Conditional Access Flow

We will now launch the Workspace ONE App to see how our access is affected when logging in from a device that is not enrolled.

 

Modifying Internet Options for Windows Enrollment


Before enrolling the Windows 10 Virtual Machine, we will make a modification to prevent issues with the Hands on Labs firewall causing a delay in the enrollment process.


 

Open Settings

 

  1. Click the Windows button.
  2. Click the Settings (Gear) icon.

 

 

Open Internet Options

 

  1. Type Internet Options in the search bar.
  2. Click Internet Options from the results list.

 

 

Modify the Certificate Revocation Options

 

  1. Click the Advanced tab.
  2. Scroll down to find the Security section.
  3. Uncheck the Check for publisher's certificate revocation option.
  4. Uncheck the Check for server certificate revocation option.
  5. Click Apply.
  6. Click OK.

 

Enrolling Your Windows 10 Device


We will now enroll our Windows 10 device in Workspace ONE UEM.  First, we will need to download the Workspace ONE Intelligent Hub.


 

Download the Workspace ONE Intelligent Hub on the Windows 10 VM

 

From a new tab in the browser, if not opened already,

  1. Enter https://www.getwsone.com in the navigation bar and press Enter.
  2. Click Download Hub for Windows 10.
    NOTE: Please wait while the Workspace ONE Intelligent Hub installer finishes downloading.  
  3. Click Keep when warned about the AirWatchAgent.msi download.

NOTE - If you do not see the warning about the AirWatchAgent.msi file, skip this and continue to the next step.

 

 

Launch the Workspace ONE Intelligent Hub Installer

 

Click the AirWatchAgent.msi file in your download bar.

NOTE - The installer may take a few seconds to launch. Please be patient after clicking the AirWatchAgent.msi file.

 

 

Click Run

 

Click Run to proceed with the installation.

 

 

Enroll Your Windows 10 Device Using the Workspace ONE Intelligent Hub

 

Click Server Detail.

 

Confirm the aduser Certificate Has Installed


We have configured a few device profiles for you that automatically install the user certificate you will need for this lab. In this section, we will validate whether that user certificate is installed on your Windows 10 device before proceeding.


 

Check the Device Details for the Certificate Profile Status

 

In the Workspace ONE UEM Console,

  1. Click Devices
  2. Click List View
  3. Click the device link for the enrolled device.

 

 

Check the aduser Certificate on the Windows 10 Device

 

  1. Click the Windows button.
  2. Type user certificates and the Search bar will populate.
  3. Click the Manage user certificates option.

 

Compliance with Workspace ONE


In this section, we are going to create a Compliance Policy and validate both the compliant and non-compliant states on our Windows 10 device to show how you can control access to apps and services by requiring devices to remain within compliance.


 

View Conditional Access Flow After Enrollment

Now that our Windows 10 device is enrolled, let's sign in to Workspace ONE again and see how the authentication flow has changed.  We will validate that the Windows 10 device is able to login to the Workspace ONE app after enrollment but prior to adding in a Compliance Policy.

 

Login to the Workspace ONE Application


 

  1. Click the Windows button.
  2. Click the Workspace ONE app icon from the start menu.

 

Enter the Workspace ONE Server Address (IF NEEDED)

 

Your Workspace ONE app may have already validated the workspace server URL.  If you are prompted to enter a username rather than a workspace server URL, you can skip this step.

  1. The server address https://hol-cn1193-ws1win.vidmpreview.com should already be set when launching the Workspace ONE app. If it is not, enter the value in the Server Address field.
  2. Click Continue.

 

 

Enter Your Username for Workspace ONE

 

  1. Enter aduser for the username.
  2. Click Next.

 

 

Allow Access to Credentials

 

Click Allow to allow access to your private key.

NOTE - The user will only be prompted once for this permission.

NOTE - If you receive the "Access Denied. Certificate login failure." screen, please wait a few minutes and try to login again.  The device may take several minutes to receive the certificate due to scalability and lab network limitations.

 

 

Enter the Workspace

 

Once the workspace is ready, click Enter.

 

Confirm Successful Login to the Workspace ONE App


 

Upon successfully logging in, you will see the app catalog page of the Workspace ONE app.  For this exercise, no applications have been assigned to your user, so you will not see any available applications.

Continue to the next step after confirming your login was successful.


Sign Out of the Workspace ONE Application


 

  1. Click the Workspace ONE App icon from the task bar.
  2. Click the User icon.
  3. Click Sign Out.

 

Confirm Sign Out

 

Click Sign Out

 

 

Close the Workspace ONE App

 

Click the Close button.

 

Create a Compliance Rule


We will now create another Compliance rule to cause our device to become non-compliant. This way, we can validate the flow in the scenario where the device becomes non-compliant.


 

Add a Compliance Policy

 

Back in the Workspace ONE UEM console in Chrome,

  1. Click Devices.
  2. Click Compliance Policies.
  3. Click List View.
  4. Click Add.

 

 

Confirm Device is Non-Compliant

With the new Compliance Policy in place, we will now confirm that our device is showing as non-compliant.  Because our enrolled Windows 10 device is not encrypted, and our Compliance Policy requires devices to be encrypted, it will be marked as non-compliant once the policy applies.

 

 

Launch the Workspace ONE App

Now that our Windows 10 device is showing as non-compliant, let us return to the Workspace ONE app on the Windows 10 VM and see how the authentication flow has changed for our non-compliant device.

 

Data Loss Prevention


Let's take a look at how Workspace ONE UEM can help with Data Loss Prevention with your Windows 10 devices. To limit the scope of this lab, we will be going through videos, rather than actual configurations.


 

Windows Information Protection (WIP), App Control, & Per-App VPN

Workspace ONE UEM can configure the Windows Information Protection, App Control, and Per-App VPN features that are built into Windows 10. Please watch the video for a demonstration of the configuration and of it working on a device.

NOTE - You may need to scroll to the right to view the full screen button on the video above.

 

 

BitLocker Encryption

With Workspace ONE UEM you are able to configure BitLocker settings. Please watch the video for a demonstration of the configuration and of it working on a device.

NOTE - You may need to scroll to the right to view the full screen button on the video above.

 

Un-enrolling your Windows 10 Device


In this section, we are going to un-enroll our Windows 10 VM so that we can use it for other lab modules. We will delete the device record from the console, which will also un-enroll the device and remove all the apps and profiles that are pushed from Workspace ONE UEM console, also known as managed content.


 

Delete Device from Workspace ONE UEM Console

 

From the Workspace ONE UEM Console,

  1. Click on Devices
  2. Click on List View
  3. Select the check box next to your device friendly name.
  4. Click on More Actions
  5. Click on Delete Device

 

 

Enter Reason and Delete

 

  1. Enter the reason as lab completed.
  2. Click on Delete

 

 

Validate DELETE IN PROGRESS...

 

  1. You may see device friendly name changing to DELETE IN PROGRESS...
  2. Click on the Refresh Icon to validate if the device deletion is successful.

 

 

Ensure that device record is deleted

 

  1. Use the Refresh Button if needed.
  2. Ensure that the device record is now deleted from the Workspace ONE UEM console and you see the message No Records Found.

 

 

 

Navigate to Windows 10 Settings

 

  1. Click on the Windows Icon
  2. Click on the gear icon to access Windows 10 Settings

 

 

 

Access Accounts Settings

 

From the Settings Menu, access Accounts

 

 

Validate That No Management Account Exists

 

 

  1. Click on Access work or school
  2. Validate that you DO NOT see any account connected to AirWatchMDM.

NOTE - The CORP AD domain is the local domain in this lab and is not controlled by AirWatch Enrollment, so you will see this connection whether your device is enrolled or unenrolled.

 

Remove the Compliance Policy


 

In the Workspace ONE UEM Console in Chrome,

  1. Click Devices.
  2. Expand Compliance Policies.
  3. Click List View.
  4. Find the Encryption Compliance Policy and click the X button to remove it.

 

Confirm the Compliance Policy Removal

 

Click OK to delete the Compliance Policy.

 

Close Chrome to Clear Session Cookies


 

  1. Return to your Chrome browser.
  2. Click the Close (X) button.

Workspace ONE saves your OAuth session details in cookies. Closing your browser ensures your previous session cookies will be deleted and won't interfere with any additional modules you take.


Conclusion


In this hands-on lab, we explored how to configure many of the end-to-end security features. However, because the lab uses VMs, we were not able to fully test all of our security configurations. Below you will find an end-to-end demo of Windows 10 management using Workspace ONE UEM, with many of the same security features we configured.

NOTE - You may need to scroll to the right to view the full screen button on the video above.


Module 4 - Manage Windows 10 Policy with Workspace ONE

Introduction


In this module, you will learn about why you should start migrating from traditional policy management to modern management of policies.  

You will do the following in this module:


Moving Policy to Modern Management


Windows 10 is essentially a mobile operating system and should be managed in a modern way.   Users are no longer tethered to physical office locations with domain joined, always on corporate network systems.  We need to be able to manage these systems over the air from anywhere, much like we do with our other mobile devices today.   We will now review how Windows was managed traditionally, and how we can manage policy in a modern way with Configuration Service Providers (CSPs).


 

Traditional Policy Management

Traditional policy management methodologies are based on Domain Joined, corporate network tethered systems.   This does not provide a lot of flexibility for the way that the mobile workforce operates today.  Microsoft Policy management has been around for over 25 years and has the following management methodologies today:

Group Policy (GPO)

Local Policy (LGPO)

 

 

Modern Policy Management

Windows 10 is essentially a mobile operating system and can be managed over the air in the same way as your other mobile devices are.   It has interfaces that allow settings which affect the registry and file system to be pushed over the air.  These

 

Policy Builder Overview


We will be using the VMware Policy Builder in this lab to set custom policy on a Windows 10 machine.  Please read about the VMware Policy Builder and watch the video demo below to understand more about how the tool works and why you should use it.  


 

VMware Policy Builder

The Policy Builder is an easy to use tool that will save time and effort throughout your journey to modernize management of Windows 10 devices.

Please watch the video demo below to understand more about the VMware Policy Builder

Why should I use Policy Builder?

The Policy Builder is an easy to use tool that will save time and effort throughout your journey to modernize management of Windows 10 devices.

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Connect to the Windows 10 VM


We have provided you a Windows 10 VM to complete the necessary steps for this lab.


 

Connect to the Windows 10 VM

 

Double-click the Win10-01a.rdp shortcut on the lab desktop.

If prompted, the login credentials for the Windows 10 VM are:

 

Modifying Internet Options for Windows Enrollment


Before enrolling the Windows 10 Virtual Machine, we will make a modification to prevent issues with the Hands on Labs firewall causing a delay in the enrollment process.


 

Open Settings

 

  1. Click the Windows button.
  2. Click the Settings (Gear) icon.

 

 

Open Internet Options

 

  1. Type Internet Options in the search bar.
  2. Click Internet Options from the results list.

 

 

Modify the Certificate Revocation Options

 

  1. Click the Advanced tab.
  2. Scroll down to find the Security section.
  3. Uncheck the Check for publisher's certificate revocation option.
  4. Uncheck the Check for server certificate revocation option.
  5. Click Apply.
  6. Click OK.
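
The two check boxes cleared in this step (and in the same step of Module 3) turn off certificate revocation checking for the signed-in user on the Windows 10 VM. The PowerShell below is an added example, not part of the lab manual, that reports their current state and can switch both back on after enrollment. The function names are hypothetical, and the registry values are the ones these Internet Options check boxes are documented to write.

```powershell
# Added example, not part of the lab manual. Function names are hypothetical.
# Per-user registry values behind the two Internet Options check boxes:
$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$SoftwarePub  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$IgnoreRevocation = 0x200   # WTPF_IGNOREREVOKATION bit in the WinTrust "State" flags

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-RevocationCheckState {
    $server = Get-RegistryDword -Path $InetSettings -Name 'CertificateRevocation'
    $state  = Get-RegistryDword -Path $SoftwarePub  -Name 'State'
    [pscustomobject]@{
        # "Check for server certificate revocation": 1 = checked, 0 = unchecked
        ServerCertificateRevocation = if ($null -eq $server) { 'NotSet' }
                                      elseif ($server -eq 1) { 'Checked' }
                                      else { 'Unchecked' }
        # "Check for publisher's certificate revocation": checked when the ignore bit is clear
        PublisherCertificateRevocation = if ($null -eq $state) { 'NotSet' }
                                         elseif (($state -band $IgnoreRevocation) -eq 0) { 'Checked' }
                                         else { 'Unchecked' }
        RawState = if ($null -ne $state) { '0x{0:X}' -f $state }
    }
}

function Restore-RevocationCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($InetSettings, 'Set CertificateRevocation = 1')) {
        Set-ItemProperty -Path $InetSettings -Name 'CertificateRevocation' -Value 1 -Type DWord
    }

    # Clear only the ignore-revocation bit and keep every other WinTrust flag as it is.
    $state = Get-RegistryDword -Path $SoftwarePub -Name 'State'
    if (($null -ne $state) -and (($state -band $IgnoreRevocation) -ne 0)) {
        $newState = $state -band (-bnot $IgnoreRevocation)
        if ($PSCmdlet.ShouldProcess($SoftwarePub, ('Set State = 0x{0:X}' -f $newState))) {
            Set-ItemProperty -Path $SoftwarePub -Name 'State' -Value $newState -Type DWord
        }
    }

    Get-RevocationCheckState
}

# Report the current state; run Restore-RevocationCheck -WhatIf to preview the changes.
Get-RevocationCheckState
```

Both values are per user, so run the check in the session of the account that changed Internet Options.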

 

Enrolling Your Windows 10 Device


We will now enroll our Windows 10 device in Workspace ONE UEM.  First, we will need to download the Workspace ONE Intelligent Hub.


 

Download the Workspace ONE Intelligent Hub on the Windows 10 VM

 

From a new tab in the browser, if not opened already,

  1. Enter https://www.getwsone.com in the navigation bar and press Enter.
  2. Click Download Hub for Windows 10.
    NOTE: Please wait while the Workspace ONE Intelligent Hub installer finishes downloading.  
  3. Click Keep when warned about the AirWatchAgent.msi download.

NOTE - If you do not see the warning about the AirWatchAgent.msi file, skip this and continue to the next step.

 

 

Launch the Workspace ONE Intelligent Hub Installer

 

Click the AirWatchAgent.msi file in your download bar.

NOTE - The installer may take a few seconds to launch. Please be patient after clicking the AirWatchAgent.msi file.

 

 

Click Run

 

Click Run to proceed with the installation.

 

 

Enroll Your Windows 10 Device Using the Workspace ONE Intelligent Hub

 

Click Server Detail.

 

Return to the Main Console


 

Click the Close (X) button to return to the Main Console to complete the upcoming steps.


Review the Enrolled Device


 

Back in the Workspace ONE UEM Console,

  1. Click on Devices.
  2. Click List View.
  3. Confirm that the recently enrolled Windows 10 device is present.

Review the VMware Policy Builder


We will now open and review the VMware Policy Builder.  


 

 

On the desktop of the Main Console, double-click the Policy Builder shortcut to open the VMware Policy Builder

 

 

Sign up for a My VMware Account (Optional)

If you already have a My VMware account, please skip ahead to the Log into the VMware Policy Builder step.

If you currently don't have a My VMware account, you will need to sign up for one in order to access the Policy Builder.  

You need to sign in with a My VMware account in order to access the Policy Builder!

If you don't currently have a My VMware account, follow the next steps to sign up for one. https://my.vmware.com/web/vmware/registration

If you believe you have a VMware account, but you are not sure of the password, go to the following link to reset your password: https://my.vmware.com/web/vmware/forgot-password

Both of these options will be detailed in following optional steps.

 

 

Click the Sign up for an account link or go to: https://my.vmware.com/web/vmware/registration

 

 

Log into the VMware Policy Builder

 

If you have a My VMware account do the following to log in.

  1. Enter the email address you use for My VMware
  2. Enter the password for your My VMware account
  3. Click the Login button to log into the Policy Builder

 

 

 

Review the VMware Policy Builder

Once you are logged in, take a few minutes to review the features of the VMware Policy Builder.

 

  1. This link takes you back to the list of Configuration Service Providers which can be configured via the tool.
  2. Once a CSP is selected, this link allows you to enter configuration parameters and have the SyncML generated automatically.
  3. When this link is clicked, you are taken to a page which allows you to paste in existing SyncML which can be modified graphically.
  4. This link allows you to generate a unique GUID and copy it to the clipboard.  Some CSP configurations require a GUID to be passed in.  
  5. This is the list of supported Windows 10 operating systems.  The CSPs are unique and specific to the OS version you are targeting.  
  6. This is the list of CSPs and associated DDF files.  Device Description Framework (DDF) files contain the configuration details of a CSP in XML format.

We will use the VMware Policy Builder to create custom SyncML for Windows 10 profiles in Workspace ONE UEM in the next section.  

 

Set a CSP with the VMware Policy Builder


We will now use the VMware Policy Builder to create and push custom policy to our Windows 10 device.  


 

Create a custom CSP for Desktop Background

We will now use the Personalization CSP in order to set the desktop background on your Windows 10 system over the air.  This is something that is routinely done through traditional group policy management.  

 

Do the following to find and create a policy from the Personalization CSP

  1. Click the CSPs tab.
  2. Make sure the CSP Baseline is set to Windows 10, 1709.   This is the operating system of our Windows 10 virtual machine in this lab.
  3. Enter person in the filter box, to filter on the Personalization CSP.
  4. Click the Check-Box next to Personalization to select this CSP for configuration.
  5. Click the Configure button to start the process of creating a custom policy from this CSP.

 

 

Create Windows 10 Profile in Workspace ONE UEM

We will now create a custom device profile for Windows 10 containing the SyncML we just generated.  We will push it down to our Windows 10 system and then verify the settings applied on the device.  

 

 

Validate the CSP Profile was Installed

 

Double-Click the Win10-01a.rdp file on the desktop to reconnect to the Windows 10 virtual machine to validate the CSP Profile.

 

Update an Existing CSP with VMware Policy Builder


In this exercise, you will modify an existing SyncML which enables or disables Cortana.  We will paste the SyncML into the VMware Policy Builder, modify the setting and then create a Workspace ONE Device profile to disable Cortana on your Windows 10 system.  


 

Review current search settings

 

  1. Click the Search Bar.
  2. Validate that Cortana is enabled on the device.

 

 

Return to the Main Console

 

Click the Close (X) button on the remote desktop connection bar to end the session to the Windows 10 device and return to the Main Console.

 

 

Return to the VMware Policy Builder

 

  1. Click the Google Chrome icon from the Task Bar.
  2. Click the tab you previously opened to the VMware Policy Builder.

 

 

Modify Existing SyncML

 

  1. Click the Modify tab.
  2. Drag-and-drop the SyncML below into the SyncML pane.  The VMware Policy Builder will read the SyncML and show configuration information in the left pane.
  3. Expand Policy.
  4. Expand Device.
  5. Expand Config.
  6. Scroll down.
<Replace>
  <CmdID>4bfee036-2523-413e-aba3-40102dbca0f5</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data>1</Data>
  </Item>
</Replace>

 

 

Create Profile in Workspace ONE to Disable Cortana

 

In the Workspace ONE UEM Console,

  1. Click Devices.
  2. Expand Profiles & Resources.
  3. Click Profiles.
  4. Click Add.
  5. Click Add Profile.

 

 

Validate the Search Settings CSP

 

Double-click the Win10-01a.rdp file on the desktop of the Main Console to log back in to our Windows 10 device.  
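
The edit this exercise makes in the Policy Builder, changing the AllowCortana value in the SyncML from 1 to 0, can also be scripted and checked on the device. The PowerShell below is an added example, not part of the lab manual or of the Policy Builder: the function names are hypothetical, and the registry path used to read back the applied policy is an assumption about where Windows records Policy CSP values.

```powershell
# Added example, not part of the lab manual. Function names are hypothetical.
# SyncML from the "Modify Existing SyncML" step (AllowCortana is 1, Cortana allowed).
$labSyncMl = @'
<Replace>
  <CmdID>4bfee036-2523-413e-aba3-40102dbca0f5</CmdID>
  <Item>
    <Target>
      <LocURI>./Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
      <Type>text/plain</Type>
    </Meta>
    <Data>1</Data>
  </Item>
</Replace>
'@

function Set-SyncMlIntPolicy {
    param(
        [Parameter(Mandatory)][string]$SyncMl,
        [Parameter(Mandatory)][string]$LocUri,
        [Parameter(Mandatory)][int]$Value
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.LoadXml($SyncMl)                       # throws on malformed XML

    # <Format> lives in the syncml:metinf namespace, so XPath needs a prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('m', 'syncml:metinf')

    # Find the one <Item> whose target is the expected policy node.
    $item = $doc.DocumentElement.SelectNodes('Item') | Where-Object {
        $target = $_.SelectSingleNode('Target/LocURI')
        ($null -ne $target) -and ($target.InnerText.Trim() -eq $LocUri)
    }
    if (@($item).Count -ne 1) {
        throw "Expected exactly one Item targeting $LocUri, found $(@($item).Count)."
    }

    # Refuse to write an integer into a node declared with another format.
    $format = $item.SelectSingleNode('Meta/m:Format', $ns)
    if (($null -eq $format) -or ($format.InnerText.Trim() -ne 'int')) {
        throw "Item for $LocUri is not declared as Format int."
    }

    $data = $item.SelectSingleNode('Data')
    if ($null -eq $data) { throw "Item for $LocUri has no Data element." }
    $oldValue = $data.InnerText.Trim()
    $data.InnerText = [string]$Value

    [pscustomobject]@{
        LocUri   = $LocUri
        OldValue = $oldValue
        NewValue = [string]$Value
        SyncMl   = $doc.OuterXml
    }
}

function Get-AppliedDevicePolicy {
    param([string]$Area, [string]$Name)
    # Assumption: applied device-scope Policy CSP values are recorded under this key.
    $path = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }        # $null when the policy is not set
}

# Produce the SyncML that disables Cortana (0 = not allowed) for the custom profile.
$result = Set-SyncMlIntPolicy -SyncMl $labSyncMl `
    -LocUri './Device/Vendor/MSFT/Policy/Config/Experience/AllowCortana' -Value 0
$result.SyncMl

# On the enrolled device, after the profile installs, this should report 0.
"Applied AllowCortana: $(Get-AppliedDevicePolicy -Area 'Experience' -Name 'AllowCortana')"
```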

 

Return to the Main Console


 

Click the Close (X) button to return to the Main Console to complete the upcoming steps.


Un-enrolling your Windows 10 Device


In this section, we are going to un-enroll our Windows 10 VM so that we can use it for other lab modules. We will delete the device record from the console, which will also un-enroll the device and remove all the apps and profiles that are pushed from Workspace ONE UEM console, also known as managed content.


 

Delete Device from Workspace ONE UEM Console

 

From the Workspace ONE UEM Console,

  1. Click on Devices
  2. Click on List View
  3. Select the check box next to your device friendly name.
  4. Click on More Actions
  5. Click on Delete Device

 

 

Enter Reason and Delete

 

  1. Enter the reason as "lab completed"
  2. Click on Delete

 

 

Validate DELETE IN PROGRESS...

 

  1. You may see device friendly name changing to DELETE IN PROGRESS...
  2. Click on the Refresh Icon to validate if the device deletion is successful.

 

 

Ensure that device record is deleted

 

  1. Use the Refresh Button if needed.
  2. Ensure that the device record is now deleted from the Workspace ONE UEM console and you see the message No Records Found.

 

 

 

Navigate to Windows 10 VM

 

If you are not on the Windows 10 VM, double-click the Win10-01a.rdp file on the desktop to reconnect to the Windows 10 virtual machine.

 

 

Navigate to Windows 10 Settings

 

  1. Click on the Windows Icon
  2. Click on the gear icon to access Windows 10 Settings

 

 

 

Access Accounts Settings

 

From the Settings Menu, access Accounts

 

 

Validate That No Management Account Exists

 

  1. Click on Access work or school
  2. Validate that you DO NOT see any account connected to device management or other types.
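
The Access work or school check in this step, and in the earlier un-enrollment sections that look for an account connected to AirWatchMDM, can be backed by a check of what the enrollment left on the device. The PowerShell below is an added example, not part of the lab manual: the function names are hypothetical, and the registry key and scheduled-task folder are assumptions about where Windows keeps MDM enrollment state.

```powershell
# Added example, not part of the lab manual. Function names are hypothetical.
# Assumption: Windows keeps one subkey per MDM enrollment under this key, with a
# ProviderID value naming the management provider ("AirWatchMDM" in this lab).
$EnrollmentsRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
# Assumption: MDM enrollments register their maintenance tasks under this folder.
$MdmTaskPath = '\Microsoft\Windows\EnterpriseMgmt\*'

function Get-MdmEnrollmentRecord {
    param([string]$ProviderId = 'AirWatchMDM')
    foreach ($key in Get-ChildItem -Path $EnrollmentsRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }      # subkey without values
        if ($props.PSObject.Properties['ProviderID'] -and $props.ProviderID -eq $ProviderId) {
            [pscustomobject]@{
                EnrollmentId = $key.PSChildName
                ProviderID   = $props.ProviderID
                UPN          = $props.UPN
                DiscoveryUrl = $props.DiscoveryServiceFullURL
            }
        }
    }
}

function Test-MdmUnenrolled {
    param([string]$ProviderId = 'AirWatchMDM')
    $records = @(Get-MdmEnrollmentRecord -ProviderId $ProviderId)
    # Tasks listed here belong to any MDM enrollment, not only to $ProviderId.
    $tasks = @(Get-ScheduledTask -TaskPath $MdmTaskPath -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Unenrolled        = ($records.Count -eq 0)
        EnrollmentRecords = $records
        LeftoverTasks     = $tasks | ForEach-Object { $_.TaskPath + $_.TaskName }
    }
}

# Run on the Windows 10 VM after the device record shows No Records Found in the console.
Test-MdmUnenrolled | Format-List
```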

 

Conclusion


In this module, you learned why you should start moving from Traditional to Modern Management and how you can use the VMware Policy Builder to generate custom CSPs, which you then pushed to your Windows 10 device.


Module 5 - Migrating Devices from SCCM

Introduction


In this module, you will migrate devices from Microsoft System Center Configuration Manager (SCCM) to VMware Workspace ONE using Workspace ONE AirLift.

 


Introduction to Workspace ONE AirLift


VMware Workspace ONE AirLift is a fully supported tool to help ease the migration from traditional PC Lifecycle Management (PCLM) with SCCM to modern management with Workspace ONE UEM.


 

Why Co-Management?

 

 

Workspace ONE AirLift

 

Workspace ONE AirLift has the following features:

Pre-Requisites for AirLift

 

 

 

 

 

Connect to the SCCM Server


We will be doing all of the AirLift configuration on the SCCM server.  

 

Launch sccm-01a.rdp from the main desktop.


Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Setup Workspace ONE AirLift


You will now set up Workspace ONE AirLift, connecting it to both Workspace ONE UEM and Microsoft SCCM in order to support Co-Management of Windows 10 devices.


 

Retrieve the Workspace ONE UEM API Key

 

We now need to retrieve the admin REST API key from the Workspace ONE UEM Console.  This key will be required by AirLift in order to connect to Workspace ONE UEM.  

In the Workspace ONE UEM Console,

  1. Click Groups & Settings.
  2. Click All Settings.

 

 

Launch Workspace ONE AirLift

 

Double click the AirLift shortcut on the desktop of the SCCM server.

This will be the first time we are launching AirLift, so we will be asked to configure connectivity to Workspace ONE UEM and SCCM.

 

 

Configure AirLift

We will now configure AirLift to connect to both Workspace ONE UEM and SCCM.

 

Review and Enable Co-Management in Workspace ONE AirLift


 

The first time you launch AirLift, you will be taken to a getting started page with direct links to different phases of Co-Management.  

Click on Plan to start using AirLift.   This will take us to the Collections screen.


 

Review Device Collections in AirLift and compare to SCCM

 

When AirLift connects to SCCM, it imports Device Collections from SCCM.  Let's take a look at the information which AirLift has imported and compare it to what is in our SCCM server.  

  1. Click the eye symbol to the right of Getting Started so that a \ is through it.   This will prevent Getting Started from coming up each time we refresh the page.
  2. Click on Collections, if you are not already there.
  3. Review the Collections that have already been imported into AirLift from SCCM. Notice all of the Device Collections which are imported have at least one device assigned.

 

 

Review Management of Collections in AirLift

 

Back in the AirLift Console in Chrome,

  1. Click the checkbox next to the Win10 collection.
  2. You can Map, Enroll, and Manage devices in collections from these buttons.  DO NOT interact with these yet; you will be using them in upcoming steps to view the functionality.
    Map allows you to determine a Workspace ONE UEM Smart Group for this collection to belong to in order to enable Co-Management.
    Enroll is enabled once Co-Management is enabled for a Collection, and allows you to enroll devices into Workspace ONE UEM.
    Manage is enabled once Co-Management is enabled for a Collection, and allows you to view and manage the Smart Group that your collection is mapped to in Workspace ONE UEM.
  3. Data is refreshed from SCCM and Workspace ONE UEM on a schedule.  You can click this button to initiate an immediate refresh of Collection and Smart Group data.
  4. Click the number (1) in the Devices column for the Win10 collection.  This will open a page with details on the devices in this collection.

 

 

Map the Win10 Collection

 

  1. Click the checkbox for the Win10 collection to select it.
  2. Click Map.

When you click the Map button on a Collection, a list of available Workspace ONE UEM Smart Groups is displayed. Choose a Smart Group from this list to map your device collection to and enable Co-Management.

 

Review Workspace ONE AirLift


You will now review additional features and settings of AirLift to familiarize yourself with the console before upcoming exercises.


 

Review Devices in AirLift and Compare to SCCM

 

AirLift imports Windows 10 devices that are active SCCM Clients.  Let's take a look at what AirLift has imported and compare it to SCCM.  

In the AirLift Console in Chrome,

  1. Click on Devices in AirLift.
  2. Review details on the device imported into AirLift.

 

 

Review Applications in AirLift and compare to SCCM

 

AirLift imports metadata on SCCM Applications and allows these applications to be imported via APIs to Workspace ONE UEM.  This greatly simplifies the process of migrating applications to Workspace ONE without the need for repackaging.  

Back in the AirLift Console in Chrome,

  1. Click on Applications.
  2. Review the list of applications that have already been imported into AirLift.

 

 

Review the AirLift Activity Log

The Activity Log shows details of actions such as exporting applications or setting Workspace ONE or SCCM connection information.

 

In the AirLift Console in Chrome,

  1. Click on Activity Log.
  2. Review the Activity Log details.  Notice that the actions you have taken during this exercise have been logged here for review.  This section can be useful for recalling past actions and troubleshooting.

 

 

Review the AirLift Settings

 

All of the account settings that were set during the initial launch of AirLift can be modified in the Settings section.  In addition, Enrollment settings are managed here.   The enrollment section lets you build a custom enrollment package in SCCM or select an existing one.  

  1. Click on Settings in AirLift.
  2. Review the Workspace ONE settings.  These settings can be updated from here if required.
  3. Scroll down to Enter connection information for System Center Configuration Manager.

 

 

Review the AirLift Dashboard

 

The AirLift dashboard provides real-time information on your workloads which are managed by AirLift.

  1. Click Dashboard.
  2. The Devices section shows the number of devices managed by Workspace ONE UEM.
  3. The Applications section shows the number of applications managed by Workspace ONE UEM.
  4. The Top Workloads section shows the highest workloads on enrolled systems.
  5. The Co-Management by Collection section shows the breakdown of SCCM and Co-Management by collection.

Now that you are familiar with the overview of AirLift, the upcoming exercises will show how to use AirLift to manage and enroll a device.

 

Setup a Profile in Workspace ONE UEM


In this exercise, you will create a profile in the Workspace ONE UEM Console to configure BitLocker. These policies will be deployed to our AirLift Co-Managed devices and will be reported to our AirLift Dashboard. This allows us to co-manage the devices in this SCCM collection with AirLift and Workspace ONE UEM.


 

Create Windows 10 Profile for Devices

 

In the Workspace ONE UEM Console,

  1. Click Devices.
  2. Expand Profiles & Resources.
  3. Click Profiles.
  4. Click Add.
  5. Click Add Profile.

 

Enroll SCCM Devices in Workspace ONE UEM with AirLift


In this exercise, you will configure an SCCM Enrollment application for your Workspace ONE UEM tenant and then deploy the application to the AirLift Collection that you have enabled for Co-Management.


 

Create Enrollment Application in AirLift

 

In the AirLift Console in Chrome,

  1. Click Settings.
  2. Click Enrollment.
  3. Select No for Use Existing Enrollment Application.
  4. Enter Workspace ONE Enrollment.
  5. Select your VLP email address from the Organization Group dropdown.
  6. Enter StagingUser
  7. Enter VMware1!
  8. Enter labs.awmdm.com
  9. Check the Include Workspace ONE App option.  This option will automatically install the Workspace ONE app if it is not present on the device.
  10. Un-check the Include SCCM Integration Client option. This client is only needed when using pre-1709 Windows 10 and pre-1710 SCCM.
  11. Click Show.

 

 

Review and Modify Workspace ONE Enrollment Application

The following steps involving modifying the Workspace ONE Enrollment app are not needed in production. However, you will need to update the install command-line for this lab.

 

 

Review and Modify Properties of Workspace ONE Enrollment Application

 

  1. Click the SCCM Console icon from the task bar.
  2. Click Software Library.
  3. Expand Application Management.
  4. Click Applications.
  5. If you do not see the Workspace ONE Enrollment application in the list, you may need to click the Refresh button.
  6. Right-Click the Workspace ONE Enrollment application.
  7. Click Properties.

 

 

Enroll Members of the Win10 Collection into Workspace ONE UEM

Now that we have created the Workspace ONE Enrollment app using AirLift and mapped our Win10 device collection to the AirLift Smart Group, we will leverage AirLift to automatically onboard our Win10 collection devices into Workspace ONE UEM.

 

 

Review Enrollment Application Deployment in SCCM

 

Back in the SCCM Console, ensure the Workspace ONE Enrollment app is selected.

  1. Click on the SCCM Console icon on the task bar.
  2. Ensure the Workspace ONE Enrollment app is still selected.
  3. Click on the Deployments tab.
  4. Notice there is a deployment which was created by AirLift.  This deployment is mandatory and automatic and targets the Win10 collection.

 

 

Return to the Main Console

 

Click the Close (X) button to return to the Main Console.

 

 

Connect to Windows 10 Device

 

Double-click the Win10-01a.rdp shortcut on the desktop of the Main Console.

 

 

Modify Internet Options for Windows Enrollment

Before enrolling the Windows 10 Virtual Machine, we will make a modification to prevent issues with the Hands on Labs firewall causing a delay in the enrollment process.

 

 

Launch Configuration Manager

 

Double-click the Configuration Manager shortcut on the desktop of the Windows 10 device.

 

 

Monitor Enrollment into Workspace ONE

 

Watch for the AirWatch Enrollment icon on the desktop of the Windows 10 system.

The deployment will run automatically and should happen fairly quickly.  If you watch the desktop of the Windows 10 client, you will see the AirWatch Enrollment icon appear on the desktop.  This means the enrollment process is running.  This process should only take a few minutes at most to complete.

 

 

Verify via Software Center

 

Click the icon shortcut on the taskbar of the Windows 10 device to launch the SCCM Software Center.

 

 

Enter Agent User Credentials

 

Since the install command line was set up to use a staging user account (named StagingUser), you will now need to provide your user credentials as part of the enrollment.

  1. Enter aduser for the Username.
  2. Enter VMware1! for the Password.
  3. Click Submit.

NOTE: The user is only prompted for credentials due to the architecture of this lab.  In real deployments where the VMware Enterprise Systems Connector is installed at the Customer organization group and has access to the domain controller, the user would not need to enter credentials.

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Review and Validate the Enrolled Windows 10 Device


You will now review the enrolled Windows 10 device in the Workspace ONE UEM Console and AirLift Console to see how to confirm that the enrollment was successful.  You will also verify that the BitLocker profile you configured was delivered to the device.


 

Return to the Main Console

 

Click the Close (X) button on the Remote Desktop Connection to return to the Main Console.

 

 

Connect to the SCCM Server

 

Launch sccm-01a.rdp from the main desktop.

 

 

Initiate Full Sync for AirLift

 

We will want to perform a real-time sync between AirLift and Workspace ONE UEM to see an updated dashboard.

In the AirLift Console in Chrome,

  1. Click Settings.
  2. Scroll down to the bottom of the Account tab.
  3. Click Sync.

 

 

Return to the Main Console

 

Click the Close (X) button to return to the Main Console.

 

 

Connect to Windows 10 Device

 

Double-click the Win10-01a.rdp shortcut on the desktop of the Main Console.

 

 

Review Enrolled Client in Workspace ONE UEM Console

 

In the Workspace ONE UEM Console,

  1. Click Devices.
  2. Click List View.
  3. If you navigate to the Workspace ONE UEM Console quickly enough, you may see that the device is enrolled to the StagingUser account.  Shortly after entering your user credentials for aduser, the device will show it is enrolled for aduser instead.  Click the device link to view the Device Details View.

 

 

Verify BitLocker Profile is Pushed via AirLift Co-Management

 

The BitLocker Encryption dialog will pop up, indicating the device was enrolled into Workspace ONE UEM and that it is properly enabled for Co-Management.

  1. Enter VMware1! for the password.
  2. Enter VMware1! for the password confirmation.
  3. Click the Encrypt button to start BitLocker encryption.

 

 

Close the VMware Workspace ONE App

 

The Workspace ONE Application will open automatically after enrollment.  

Click the X to close the application.  We don't use it during this exercise.  

 

 

Validation Completed

Congratulations!  You have successfully enrolled your Windows 10 device into Workspace ONE UEM using AirLift and validated a successful enrollment after pushing a BitLocker profile to the device!

 

Conclusion


In this module you have learned how to set up and use VMware Workspace ONE AirLift to set up Co-Management between SCCM and Workspace ONE.  You have also learned how to automatically enroll SCCM devices into Workspace ONE using AirLift.  


Module 6 - Migrating Applications from SCCM

Introduction


In this module, you will migrate an application from Microsoft System Center Configuration Manager (SCCM) to Workspace ONE UEM using Workspace ONE AirLift.


Enrolling Your Windows 10 Device (Optional)


NOTE: You only need to perform the following steps if you did not complete the previous module (Module 5 - Migrating Devices from SCCM).   Skip to the next exercise if your Windows 10 system is already enrolled.  

You will now enroll a Windows 10 device in Workspace ONE UEM.  You will need to connect to the Windows 10 virtual machine made available as part of the lab and download and run the Workspace ONE Intelligent Hub.


 

Connect to the Windows 10 Virtual Machine

 

Double-click the Win10-01a.rdp shortcut from the Main Console Desktop to connect to the Windows 10 virtual machine.

 

 

Modify Internet Options for Windows Enrollment

Before enrolling the Windows 10 Virtual Machine, we will make a modification to prevent issues with the Hands on Labs firewall causing a delay in the enrollment process.

 

 

Download the Workspace ONE Intelligent Hub on the Windows 10 VM

 

From a new tab in the browser, if not opened already,

  1. Enter https://www.getwsone.com in the navigation bar and press Enter.
  2. Click Download.
    NOTE: Please wait while the Workspace ONE Intelligent Hub installer finishes downloading.  
  3. Click Keep when warned about the AirWatchAgent.msi download.

NOTE - If you do not see the warning about the AirWatchAgent.msi file, skip this and continue to the next step.

 

 

Launch the Workspace ONE Intelligent Hub Installer

 

Click the AirWatchAgent.msi file in your download bar.

NOTE - The installer may take a few seconds to launch, please be patient after clicking the AirWatchAgent.msi file.

 

 

Click Run

 

Click Run to proceed with the installation.

 

 

Enroll Your Windows 10 Device Using the Workspace ONE Intelligent Hub

 

Click Server Detail.

 

 

Return to the Main Console

 

Click the Close (X) button on the Remote Desktop Connection bar to return to the Main Console.

 

Connect to the SCCM Server


 

Double-click the sccm-01a.rdp shortcut from the Main Console Desktop to connect to the SCCM Server.


Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Setup Workspace ONE AirLift


You will now set up Workspace ONE AirLift, connecting it to both Workspace ONE UEM and Microsoft SCCM in order to support Co-Management of Windows 10 devices.


 

Retrieve the Workspace ONE UEM API Key

 

We now need to retrieve the admin REST API key from the Workspace ONE UEM Console.  This key will be required by AirLift in order to connect to Workspace ONE UEM.  

In the Workspace ONE UEM Console,

  1. Click Groups & Settings.
  2. Click All Settings.

 

 

Launch Workspace ONE AirLift

 

Double click the AirLift shortcut on the desktop of the SCCM server.

This will be the first time we are launching AirLift, so we will be asked to configure connectivity to Workspace ONE UEM and SCCM.

 

 

Configure AirLift

We will now configure AirLift to connect to both Workspace ONE UEM and SCCM.

 

Review and Enable Co-Management in Workspace ONE AirLift


 

The first time you launch AirLift, you will be taken to a getting started page with direct links to different phases of Co-Management.  

Click on Plan to start using AirLift.   This will take us to the Collections screen.


 

Review Device Collections in AirLift and compare to SCCM

 

When AirLift connects to SCCM, it imports Device Collections from SCCM.  Let's take a look at the information which AirLift has imported and compare it to what is in our SCCM server.  

  1. Click the eye symbol to the right of Getting Started so that a \ is through it.   This will prevent Getting Started from coming up each time we refresh the page.
  2. Click on Collections, if you are not already there.
  3. Review the Collections that have already been imported into AirLift from SCCM. Notice all of the Device Collections which are imported have at least one device assigned.

 

 

Review Management of Collections in AirLift

 

Back in the AirLift Console in Chrome,

  1. Click the checkbox next to the Win10 collection.
  2. You can Map, Enroll, and Manage devices in collections from these buttons.  DO NOT interact with these yet; you will be using them in upcoming steps to view the functionality.
    Map allows you to determine a Workspace ONE UEM Smart Group for this collection to belong to in order to enable Co-Management.
    Enroll is enabled once Co-Management is enabled for a Collection, and allows you to enroll devices into Workspace ONE UEM.
    Manage is enabled once Co-Management is enabled for a Collection, and allows you to view and manage the Smart Group that your collection is mapped to in Workspace ONE UEM.
  3. Data is refreshed from SCCM and Workspace ONE UEM on a schedule.  You can click this button to initiate an immediate refresh of Collection and Smart Group data.
  4. Click the number (1) in the Devices column for the Win10 collection.  This will open a page with details on the devices in this collection.

 

 

Map the Win10 Collection

 

  1. Click the checkbox for the Win10 collection to select it.
  2. Click Map.

When you click the Map button on a Collection, a list of available Workspace ONE UEM Smart Groups is displayed. Choose a Smart Group from this list to map your device collection to and enable Co-Management.

 

Migrate Application from SCCM to Workspace ONE UEM with AirLift



 

Review Applications in AirLift

 

AirLift imports metadata on SCCM Applications and allows these applications to be imported via APIs to Workspace ONE UEM.  This greatly simplifies the process of migrating applications to Workspace ONE without the need for repackaging.  

Back in the AirLift Console in Chrome,

  1. Click on Applications.
  2. Review the list of applications that have already been imported into AirLift.

 

 

Managing Applications in AirLift

 

In the AirLift Console in Chrome,

  1. Click the checkbox next to 7-Zip 17.01 (x64 edition).
  2. Click on the informational tooltip. Notice we receive a validation warning since our app in SCCM is set for both system/user install context. AirLift tells us it will default to using Device context when exporting to Workspace ONE UEM.
  3. Click the Export button to export an application from SCCM to Workspace ONE UEM.

 

Connect to the Windows 10 Virtual Machine


 

Click the Close (X) button to return to the Main Console.


 

Connect to Windows 10 Virtual Machine

 

Double-click the Win10-01a.rdp shortcut on the desktop of the Main Console.

 

Confirm Application Install on Windows 10 Device


 

  1. Click the Windows button.
  2. Click the dropdown next to the 7-Zip folder.
  3. Confirm the 7-Zip File Manager.exe has installed on the device.
  4. You may also notice that the 7-Zip File Manager.exe has been added to the Recently Added list at the top of the start menu.

This confirms that you were able to successfully export the application details from SCCM, import the application into Workspace ONE UEM and then assign and install the application to your devices.


Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Un-enrolling your Windows 10 Device


In this section, we are going to un-enroll our Windows 10 VM so that we can use it for other lab modules. We will delete the device record from the console, which will also un-enroll the device and remove all the apps and profiles that were pushed from the Workspace ONE UEM Console, also known as managed content.


 

Delete Device from Workspace ONE UEM Console

 

From the Workspace ONE UEM Console,

  1. Click on Devices
  2. Click on List View
  3. Select the check box next to your device friendly name.
  4. Click on More Actions
  5. Click on Delete Device

 

 

Enter Reason and Delete

 

  1. Enter the reason as lab completed.
  2. Click on Delete

 

 

Validate DELETE IN PROGRESS...

 

  1. You may see device friendly name changing to DELETE IN PROGRESS...
  2. Click on the Refresh Icon to validate if the device deletion is successful.

 

 

Ensure that device record is deleted

 

  1. Use the Refresh Button if needed.
  2. Ensure that the device record is now deleted from the Workspace ONE UEM console and you see the message No Records Found.

 

 

 

Navigate to Windows 10 Settings

 

  1. Click on the Windows Icon
  2. Click on the gear icon to access Windows 10 Settings

 

 

 

Access Accounts Settings

 

From the Settings Menu, access Accounts

 

 

Validate That No Management Account Exists

 

 

  1. Click on Access work or school
  2. Validate that you DO NOT see any account connected to AirWatchMDM.

NOTE - The CORP AD domain is the local domain in this lab and is not controlled by AirWatch Enrollment, so you will see this connection if your device is enrolled or unenrolled.
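The same validation can be scripted on the Windows 10 device. The PowerShell below is an added example, not part of the lab manual or the Workspace ONE tooling. It assumes that Windows records each MDM enrollment as a subkey of HKLM:\SOFTWARE\Microsoft\Enrollments with a ProviderID value, that Workspace ONE UEM enrollments use the provider name AirWatchMDM shown in Access work or school, and that per-enrollment scheduled tasks sit under \Microsoft\Windows\EnterpriseMgmt\; the function name is hypothetical.

```powershell
# Added example (not from the lab manual): list MDM enrollment records and
# leftover management tasks on the local Windows 10 device.
# Assumptions: enrollments live under HKLM:\SOFTWARE\Microsoft\Enrollments,
# each with a ProviderID value, and Workspace ONE UEM uses 'AirWatchMDM'.
function Get-MdmEnrollmentRecord {
    [CmdletBinding()]
    param(
        [string]$ProviderId = 'AirWatchMDM',
        [string]$EnrollmentsKey = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    )

    # No Enrollments key at all means there is nothing to report.
    if (-not (Test-Path -Path $EnrollmentsKey)) { return }

    foreach ($key in Get-ChildItem -Path $EnrollmentsKey -ErrorAction SilentlyContinue) {
        $values = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $values) { continue }

        # Helper subkeys (Context, Status, ...) carry no ProviderID and are skipped.
        if ($values.PSObject.Properties.Name -notcontains 'ProviderID') { continue }
        if ($values.ProviderID -ne $ProviderId) { continue }

        # Assumption: the enrollment's scheduled tasks are stored in a task
        # folder named after the enrollment GUID.
        $taskPath = "\Microsoft\Windows\EnterpriseMgmt\$($key.PSChildName)\"
        $tasks = @(Get-ScheduledTask -TaskPath "$taskPath*" -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            EnrollmentId   = $key.PSChildName
            ProviderId     = $values.ProviderID
            UPN            = $values.UPN
            ScheduledTasks = $tasks.Count
        }
    }
}

$records = @(Get-MdmEnrollmentRecord)
if ($records.Count -eq 0) {
    Write-Output 'No AirWatchMDM enrollment record found: the device is not managed by Workspace ONE UEM.'
} else {
    $records | Format-Table -AutoSize
    Write-Output "Found $($records.Count) AirWatchMDM enrollment record(s)."
}
```

Run after enrollment, the script should list one record for the enrolled user; run after the device record is deleted, it should report that no record was found.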

 

Conclusion


This module reviewed how to utilize AirLift to quickly migrate your desired application from SCCM to Workspace ONE UEM and how to deploy this application to your devices and users.


Module 7 - Migrating Group Policy Objects to Workspace ONE UEM

Introduction


In this module, you will migrate your Group Policy Objects (GPOs) to VMware AirWatch and assign those GPOs to users and devices.

This module contains the following lessons:


Connect to the SCCM Server


 

Double-click sccm-01a.rdp from the Main Console desktop.

NOTE - The files and resources required to complete this lab are on the sccm-01a server!  Please ensure you connect and remain connected until instructed to change servers to complete the lab!


Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to log in to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Execute the AirWatch GPO Migration Tool


The bulk of this exercise will be completed from the SCCM Server, where we will utilize the AirWatch GPO Migration Tool to deploy our modified local policies to other devices.

We will now execute the GPO Migration script to deploy our modified local policies to other devices via AirWatch.

The GPO Migration script has already been downloaded and included for you on the Desktop of your SCCM Server under the GPO Migration folder.  Outside of the lab, this script is available for download at https://code.vmware.com/samples.


 

Setup the GPO Migration PowerShell Script

 

  1. Click the File Explorer icon from the task bar.
  2. Click Documents.
  3. Click HOL.
  4. Click GPO Migration.
  5. Right-click the Migrate-GPO-AirWatch.ps1 file.
  6. Click Run with PowerShell.

 

 

Copy the LGPO.exe File to the GPO Tool Folder

 

NOTE - The LGPO.exe file is only available on the sccm-01a server!  If you are not connected to the sccm-01a server, please refer to the instructions at the beginning of the lab for how to connect and continue with these steps once you have connected!

  1. Click the File Explorer icon from the task bar.
  2. Click Documents.
  3. Click HOL.
  4. Click LGPO.
  5. Right-click the LGPO.exe file.
  6. Click Copy.

 

 

Execute the GPO Migration PowerShell Script After Setup

 

  1. Confirm that the LGPO.exe file exists in the GPO Migration folder now alongside Migrate-GPO-AirWatch.ps1.
  2. Right-click the Migrate-GPO-AirWatch.ps1 file.
  3. Click Run with PowerShell.

 

 

Modify Local GPO Settings

 

Before proceeding, we will modify our local GPO so that we can capture and distribute these changes to other devices to confirm that our deployment was successful.

  1. Right-click the Windows icon.
  2. Click Run.

 

 

Capture GPO Backups

 

  1. Return to the PowerShell terminal by clicking the PowerShell icon on the task bar.
  2. At the Task prompt, enter 2 and press ENTER.
  3. Confirm that the output shows that the local GPO was captured after the task finishes.

 

 

View GPO Backups

 

From the PowerShell prompt, enter 1 and press ENTER to view the list of GPO backups.

 

 

Using External GPO Backups

If you have previously captured GPO backups that you want to use with this tool, you can include these in the /GPO Backups folder of the root directory of the GPO Migration tool. Any GPO backups available in the /GPO Backups folder will display as selectable GPOs for Option 1 (Viewing GPOs) and Option 3 (Uploading GPOs to AirWatch).

 

Upload GPO Package to Workspace ONE UEM


With a range of GPO backups now available, we can use the GPO migration tool to upload the package to Workspace ONE UEM for distribution.  This exercise will cover selecting a GPO package to upload to the Workspace ONE UEM Console that we can distribute to our devices.


 

Uploading GPOs to Workspace ONE UEM

 

  1. Return to the PowerShell terminal by clicking the PowerShell icon from the task bar.
  2. For the Task selection, enter 3 to Upload the GPO to AirWatch and press ENTER.
  3. Enter https://labs.awmdm.com for the awServer and press ENTER.
  4. Enter your email address for the awUsername and press ENTER.  This is the same username you used to log in to the Workspace ONE UEM Console in previous steps.
  5. Enter VMware1! for the awPassword and press ENTER.

Continue to the next step for instructions on obtaining the remaining parameter values from the Workspace ONE UEM Console (awTenantAPIKey and awGroupID).

 

 

Retrieve the REST API Key

 

  1. Click System.
  2. Click Advanced.
  3. Click API.
  4. Click REST API.
  5. Click and drag or double-click to highlight the API Key text for the AirWatchAPI service.
  6. Right-click and select Copy.
  7. Click Close to exit the REST API menu.

 

 

Retrieve the Organization Group Numerical ID

 

Return to the Workspace ONE UEM Console.

  1. Click Groups & Settings.
  2. Click Groups.
  3. Click Organization Groups.
  4. Click Details.
  5. The numerical ID at the end of the URL is your Organization Group Numerical ID.  Highlight this text and right-click.
  6. Click Copy.

 

 

Wait for API Authentication

 

After inputting the connection details, a prompt will be displayed stating Confirming AirWatch API authentication... this may take a few moments.  This process will check that the API Authentication was successful and that the Group ID provided exists and can be accessed with the provided API Key.

Once this completes, you will be presented with a popup to select the GPO Backup for Upload.  Continue to the next step.
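
The check described above can be reproduced by hand to see which of the supplied values is being rejected. This is an added example, not the migration tool's own code; it assumes the Workspace ONE UEM REST API accepts Basic authentication with the aw-tenant-code header on GET /api/system/groups/{id}, and the function names are hypothetical.

```powershell
# Added example (not from Migrate-GPO-AirWatch.ps1). Assumptions: Basic auth,
# the aw-tenant-code header and GET /api/system/groups/{id} on the UEM REST API.
function New-AwGroupRequest {
    param(
        [Parameter(Mandatory)][string]$AwServer,
        [Parameter(Mandatory)][pscredential]$Credential,   # awUsername / awPassword
        [Parameter(Mandatory)][string]$AwTenantApiKey,
        [Parameter(Mandatory)][int]$AwGroupId
    )
    # Basic auth carries the password in every request, so refuse plain HTTP.
    if ($AwServer -notmatch '^https://') { throw 'awServer must start with https://' }
    $pair  = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
    @{
        Uri     = '{0}/api/system/groups/{1}' -f $AwServer.TrimEnd('/'), $AwGroupId
        Method  = 'Get'
        Headers = @{
            Authorization    = "Basic $basic"
            'aw-tenant-code' = $AwTenantApiKey
            Accept           = 'application/json'
        }
    }
}

function Test-AwApiAccess {
    param([Parameter(Mandatory)][hashtable]$Request)
    try {
        $group = Invoke-RestMethod @Request -ErrorAction Stop
        [pscustomobject]@{ Ok = $true; Status = 200; Group = $group }
    } catch {
        # A non-2xx status means the credentials, API key or group ID were not accepted.
        $resp = $_.Exception.Response
        [pscustomobject]@{ Ok = $false; Status = $(if ($resp) { [int]$resp.StatusCode }); Group = $null }
    }
}

# Prompt for the secrets instead of hard-coding them in the script or history.
$request = New-AwGroupRequest -AwServer 'https://labs.awmdm.com' `
    -Credential (Get-Credential -Message 'Workspace ONE UEM admin account') `
    -AwTenantApiKey (Read-Host 'awTenantAPIKey') `
    -AwGroupId (Read-Host 'awGroupID')
Test-AwApiAccess -Request $request
```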

 

 

Select GPO to Upload

 

  1. Select the GPO you captured in the previous steps. This GPO is in the format GPO <machinename> <date> <time>.
  2. Click OK.

A series of loading tasks will begin to run, indicated by the progress bars at the top of the PowerShell terminal.  These show which step the process is currently on.

 

Assign GPO Package


After the GPO app package is uploaded using the tool, the final step is to add assignments to deploy to the users and/or devices that you designate.


 

Assign GPO App Package

 

Return to the Workspace ONE UEM Console.

  1. Click Apps & Books.
  2. Click Applications.
  3. Click Native.
  4. Click the Internal tab.
  5. Select the GPO package uploaded in the previous exercise.  The name format will be GPO <machinename> <date> <time>.zip.
  6. Click Assign.

 

Remote Desktop to your Windows 10 Device for Enrollment


 

Close the RDP session to the SCCM Server by clicking the Close button (X) on the Remote Desktop Connection tab at the top of your screen.

NOTE: If this blue tab does not appear, you may have unpinned this from displaying at the top.  Hover your mouse near the top of the screen to show the tab.


 

Connect to the Windows 10 VM

 

From the Desktop of the Main Console, double-click the Win10-01a.rdp shortcut.

This Windows 10 device will be used to enroll and test our uploaded GPO package.

 

 

Open Google Chrome

 

Double-click the Google Chrome shortcut on the desktop.

 

Modifying Internet Options for Windows Enrollment


Before enrolling the Windows 10 Virtual Machine, we will make a modification to prevent issues with the Hands-on Labs firewall causing a delay in the enrollment process.


 

Open Settings

 

  1. Click the Windows button.
  2. Click the Settings (Gear) icon.

 

 

Open Internet Options

 

  1. Type Internet Options in the search bar.
  2. Click Internet Options from the results list.

 

 

Modify the Certificate Revocation Options

 

  1. Click the Advanced tab.
  2. Scroll down to find the Security section.
  3. Uncheck the Check for publisher's certificate revocation option.
  4. Uncheck the Check for server certificate revocation option.
  5. Click Apply.
  6. Click OK.
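
The two check boxes above are stored as per-user registry values, so their state can be audited and switched back on from PowerShell. This is an added example, not part of the lab; the registry paths, the 0x200 flag in the State value and the function names are assumptions based on standard Windows behaviour.

```powershell
# Added example (not from the lab manual). Assumed locations of the two
# Internet Options settings for the current user:
$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PubKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$IgnoreRevocationBit = 0x200   # set in State => publisher revocation check is off

function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-RevocationCheckState {
    $server = Get-RegValue $InetKey 'CertificateRevocation'
    $state  = Get-RegValue $PubKey  'State'
    [pscustomobject]@{
        # $null means the value is absent and Windows falls back to its default.
        ServerCheckEnabled    = if ($null -ne $server) { $server -eq 1 }
        PublisherCheckEnabled = if ($null -ne $state)  { ($state -band $IgnoreRevocationBit) -eq 0 }
        PublisherStateHex     = if ($null -ne $state)  { '0x{0:X}' -f $state }
    }
}

function Enable-RevocationChecks {
    Set-ItemProperty -Path $InetKey -Name CertificateRevocation -Value 1 -Type DWord
    $state = Get-RegValue $PubKey 'State'
    if ($null -ne $state -and ($state -band $IgnoreRevocationBit)) {
        # Clear only the revocation bit; leave the other trust flags untouched.
        $newState = $state -bxor $IgnoreRevocationBit
        Set-ItemProperty -Path $PubKey -Name State -Value $newState -Type DWord
    }
    Get-RevocationCheckState
}

Get-RevocationCheckState      # audit: shows False for each box that is unchecked
# Enable-RevocationChecks     # uncomment to re-check both boxes
```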

 

Enrolling Your Windows 10 Device


We will now enroll our Windows 10 device in Workspace ONE UEM.  First, we will need to download the Workspace ONE Intelligent Hub.


 

Download the Workspace ONE Intelligent Hub on the Windows 10 VM

 

From a new tab in the browser, if not opened already,

  1. Enter https://www.getwsone.com in the navigation bar and press Enter.
  2. Click Download Hub for Windows 10.
    NOTE: Please wait while the Workspace ONE Intelligent Hub installer finishes downloading.  
  3. Click Keep when warned about the AirWatchAgent.msi download.

NOTE - If you do not see the warning about the AirWatchAgent.msi file, skip this and continue to the next step.

 

 

Launch the Workspace ONE Intelligent Hub Installer

 

Click the AirWatchAgent.msi file in your download bar.

NOTE - The installer may take a few seconds to launch; please be patient after clicking the AirWatchAgent.msi file.

 

 

Click Run

 

Click Run to proceed with the installation.

 

 

Enroll Your Windows 10 Device Using the Workspace ONE Intelligent Hub

 

Click Server Detail.

 

Log in to the Workspace ONE UEM Console (IF NEEDED)


To perform most of the lab you will need to log in to the Workspace ONE UEM Management Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Administration Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is the email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands-on Lab contacts the Workspace ONE UEM Hands-on Labs server.

 

Verify GPO App Package Installed


With the application uploaded and assigned, and the device enrolled, we will now verify that the GPO app package is applied successfully to our enrolled device.


 

Verify the App Package Installed from the Workspace ONE UEM Console

 

  1. Click Apps & Books.
  2. Click Applications.
  3. Click Native.
  4. Click the Internal tab.
  5. Click the uploaded GPO App Package.  This will be in the name format GPO <machinename> <date> <time>.zip.

This will open the Details View page of the GPO App Package, allowing you to see additional details about the application.

 

 

Open Group Policy Editor

 

  1. In Windows Search, enter gpedit.msc.
  2. Click gpedit.msc.

 

 

Confirm Power and Sleep Settings

 

  1. Right-click the Windows button.
  2. Click Power Options.

 

Un-enrolling your Windows 10 Device


In this section, we are going to un-enroll our Windows 10 VM so that we can use it for other lab modules. We will delete the device record from the console, which will also un-enroll the device and remove all the apps and profiles that are pushed from the Workspace ONE UEM console, also known as managed content.


 

Delete Device from Workspace ONE UEM Console

 

From the Workspace ONE UEM Console,

  1. Click on Devices.
  2. Click on List View.
  3. Select the check box next to your device friendly name.
  4. Click on More Actions.
  5. Click on Delete Device.

 

 

Enter Reason and Delete

 

  1. Enter the reason as lab completed.
  2. Click on Delete.

 

 

Validate DELETE IN PROGRESS...

 

  1. You may see the device friendly name change to DELETE IN PROGRESS...
  2. Click on the Refresh Icon to check whether the device deletion was successful.

 

 

Ensure that device record is deleted

 

  1. Use the Refresh Button if needed.
  2. Ensure that the device record is now deleted from the Workspace ONE UEM console and you see the message No Records Found.

 

 

 

Navigate to Windows 10 Settings

 

  1. Click on the Windows Icon.
  2. Click on the gear icon to access Windows 10 Settings.

 

 

 

Access Accounts Settings

 

From the Settings Menu, access Accounts.

 

 

Validate That No Management Account Exists

 

 

  1. Click on Access work or school.
  2. Validate that you DO NOT see any account connected to AirWatchMDM.

NOTE - The CORP AD domain is the local domain in this lab and is not controlled by AirWatch Enrollment, so you will see this connection whether your device is enrolled or unenrolled.
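
The same validation can be run from PowerShell on the Windows 10 VM, which is useful when checking more than one device. This is an added example, not part of the lab; it assumes MDM enrollments are recorded as subkeys of HKLM:\SOFTWARE\Microsoft\Enrollments with a ProviderID value, that Workspace ONE UEM registers under the AirWatchMDM name shown in Settings, and the function names are hypothetical.

```powershell
# Added example (not from the lab manual).
function Get-MdmEnrollment {
    param([string]$Root = 'HKLM:\SOFTWARE\Microsoft\Enrollments')   # assumed location
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # Helper subkeys (Status, Context, ...) carry no ProviderID; skip them.
        if ($props.ProviderID) {
            [pscustomobject]@{
                EnrollmentId = $_.PSChildName
                ProviderID   = $props.ProviderID
                UPN          = $props.UPN
                DiscoveryUrl = $props.DiscoveryServiceFullURL
            }
        }
    }
}

function Test-Unenrolled {
    param([string]$ProviderID = 'AirWatchMDM')   # assumed to match the name in Settings
    $remaining = @(Get-MdmEnrollment | Where-Object { $_.ProviderID -eq $ProviderID })
    [pscustomobject]@{
        Unenrolled  = ($remaining.Count -eq 0)
        Enrollments = $remaining      # any leftover records, for follow-up
    }
}

# Unenrolled should be True once the device record has been deleted.
Test-Unenrolled
```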

 

Conclusion



 

Lab Conclusion

You have successfully completed the SCCM Migration lab.

In this lab, we covered migrating users and devices from SCCM to AirWatch, migrating applications from SCCM to AirWatch, and using the AirWatch GPO migration tool.

This concludes the SCCM Migration hands-on lab.

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1957-04-UEM

Version: 20190113-031059