VMware Hands-on Labs - HOL-1957-05-UEM


Lab Overview - HOL-1957-05-UEM - Workspace ONE UEM - Apple Management

Lab Guidance


Note: It may take more than 90 minutes to complete this lab. You should expect to only finish 2-3 of the modules during your time.  The modules are independent of each other so you can start at the beginning of any module and proceed from there. You can use the Table of Contents to access any module of your choosing.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

Discover how Workspace ONE UEM with iOS and macOS provides a wide array of management capabilities for your Apple devices.  This lab focuses on how to manage device restrictions, application distribution, and modifying aspects of the end user experience.  In addition, learn how Apple School Manager can be used to control and manage Apple devices for the classroom.  Lastly, explore how Ground Control, a partner solution, can be used with Workspace ONE UEM to for zero-touch provisioning with shared devices.

Lab Module List:

 Lab Captains:

Subject Matter Experts:

This lab manual can be downloaded from the Hands-on Labs Document site found here:

http://docs.hol.vmware.com

This lab may be available in other languages.  To set your language preference and have a localized manual deployed with your lab, you may utilize this document to help guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf


 

Location of the Main Console

 

  1. The area in the RED box contains the Main Console.  The Lab Manual is on the tab to the Right of the Main Console.
  2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.
  3. Your lab starts with 90 minutes on the timer.  The lab can not be saved.  All your work must be done during the lab session.  But you can click the EXTEND to increase your time.  If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes.  Each click gives you an additional 15 minutes.  Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

 

 

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.

 

 

Click and Drag Lab Manual Content Into Console Active Window

 
 

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.  

 

 

Accessing the Online International Keyboard

 

You can also use the Online International Keyboard found in the Main Console.

  1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.

 

 

Click once in active console window

 

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

  1. Click once in the active console window.
  2. Click on the Shift key.

 

 

Click on the @ key

 

  1. Click on the "@ key".

Notice the @ sign entered in the active console window.

 

 

Activation Prompt or Watermark

 

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.  

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform.  The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters.  However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements.  The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation.  Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.  

 

 

Look at the lower right portion of the screen

 

Please check to see that your lab is finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes.  If after 5 minutes you lab has not changed to "Ready", please ask for assistance.

 

Module 1 - Introduction to Apple iOS Management

Introduction


This lab module will focus on introducing the concepts of Unified Endpoint Management (UEM) with Workspace ONE UEM, using the Workspace ONE UEM Console, and how to enroll an iOS device into Workspace ONE.  By the end of this lab, you should have a better understanding of why Unified Endpoint Management is important and how Workspace ONE UEM can manage your iOS devices.


Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Add A Basic User Account


Basic accounts are the accounts which are created locally in the AirWatch admin console, as opposed to the accounts which are imported from an active directory. In this section, we will create a Basic User account which we will use for enrollment in the following section.


 

Click on Add / User

 

In the top right corner of the AirWatch console,

  1. Click Add.
  2. Click User.

 

 

Add User information

 

In the pop-up window,

  1. Ensure that security type is Basic
  2. Enter the username as basicuser
  3. Enter the password as VMware1!
  4. Confirm the password as VMware1!
  5. Enter the first name as basic
  6. Enter the last name as user
  7. Enter the e-mail address as basicuser@corp.local
    NOTE - Use the scroll bar if you don't see the option to enter email address
  8. Click on Save

You should see a confirmation that user is created successfully. If the user is already created with the same username then you can use the existing user in the following section.

 

Create a Device Restriction Profile


In this section, we will create a restriction profile that will disable the camera on the device. We will set the profile for auto-deployment, so that the profile to disable the camera will install automatically when the device is enrolled.


 

Add A Profile

 

In the top right corner of the AirWatch console,

  1. Click Add.
  2. Click Profile.

 

 

Select Platform as Apple iOS

 

Click Apple iOS.

 

 

Configure General Payload

 

  1. Select General if not selected already.
  2. Enter iOS Restriction Profile for the Name field.
  3. Click the Assigned Groups dropdown field to view all available assignment groups.
    NOTE - You may need to scroll down to find the Assigned Groups dropdown.
  4. Select All Devices (your@email.shown.here) from the list.

 

 

Configure Restriction Payload

 

  1. Click on the Restrictions payload in the left panel.
  2. Click Configure.

 

 

Disable Allow use of camera

 

  1. Uncheck the Allow use of Camera checkbox.
  2. Click Save & Publish.

 

 

Publish the Profile

 

Click Publish.

 

 

Validate profile creation

 

  1. Click Devices.
  2. Expand Profiles & Resources.
  3. Click Profiles.
  4. Validate that you see iOS Restriction Profile in the Profiles List View.

 

Validate Device Before Restriction Profile


Before enrolling your device, confirm that the Camera app is available on your iOS device.


 

Find the Camera App

 

Press the Home button on your device and find the Camera app.  Take note of the location of the app, as we will confirm the removal of the app in a later step after enrollment.

 

 

Search for the Camera App (Optional)

 

  1. Swipe down to show the Search bar.
  2. Enter "camera" in the Search bar.
  3. Ensure the Camera app displays, confirming the app exists on the device.

 

iOS Device Enrollment using basicuser


In this section, we are going to enroll an iOS device. The upcoming steps will need to be completed from an iOS device.


 

Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

 

NOTE - Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does NOT have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To Install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

 

 

Launching the Workspace ONE Intelligent Hub

 

Launch the Hub app on the device.  

NOTE - If you have your own iOS device and would like to test you will need to download the Workspace ONE Intelligent Hub app first.

 

 

Enter the Server URL

 

  1. Enter labs.awmdm.com for the Server URL.
  2. Click Next.

Click on the Server Details button.

 

 

Find Your Group ID From the Workspace ONE UEM Console

 

Return to the Workspace ONE UEM Console,

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

NOTE - The Group ID is required when enrolling your device in the following steps.

 

 

Attach the Workspace ONE Intelligent Hub to the HOL Sandbox

 

Return to the Workspace ONE Intelligent Hub application on your iOS Device,

  1. Enter your Group ID for your Organization Group for the Group ID field.  Your Group ID was noted previously in the Finding your Group ID step.
  2. Tap the Next button.

NOTE - If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Next button.

 

 

Enter User Credentials

 

You will now provide user credentials to authenticate to Workspace ONE UEM.

  1. Enter basicuser in the Username field.
  2. Enter VMware1! in the Password field.
  3. Tap the Next button.

 

 

Redirect to Safari and Enable MDM Enrollment in Settings

 

The Workspace ONE Intelligent Hub will prompt you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

 

 

Allow Website to Open Settings (IF NEEDED)

 

If you prompted to allow the website to open Settings to show you a configuration profile, tap Allow.

NOTE - If you do not see this prompt, ignore this and continue to the next step.  This prompt will only occur for iOS Devices on iOS 10.3.3 or later

 

 

Install the Workspace ONE MDM Profile

 

Tap Install in the upper right corner of the Install Profile dialog box.

 

 

Enter Device Passcode (IF NEEDED)

 

If prompted, enter your device passcode to continue.

If you do NOT receive this prompt, continue to the next step.

 

 

Install and Verify the Workspace ONE MDM Profile

 

Tap Install when prompted at the Install Profile dialog.

 

 

iOS MDM Profile Warning

 

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

 

 

Trust the Remote Management Profile.

 

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

 

 

iOS Profile Installation Complete

 

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper right corner of the prompt.

 

 

Workspace ONE UEM Enrollment Success

 

Your enrollment is now completed! Tap Open to navigate to the Workspace ONE Intelligent Hub.

 

 

Accept the Workspace ONE Intelligent Hub Notice

 

Tap Done to confirm the notice and continue.

 

 

Accept Notifications for Hub (IF NEEDED)

 

Tap Allow if you get a prompt to allow notifications for the Hub app.

 

 

Accept the App Installation (IF NEEDED)

 

You may be prompted to install a series of applications depending on which Module you are taking. If prompted, tap Install to accept the application installation.

 

 

Confirm the Privacy Policy

 

Tap I Understand when shown the Privacy policy.

 

 

Accept the Data Sharing Policy

 

Tap I Agree for the Data Sharing policy.

 

 

Confirm the Device Enrollment in the Hub App

 

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM!  Continue to the next step.

 

Validate the Restriction Profile


Now that the device is enrolled, the restriction profile we created will be installed on the device and the Camera app will be disabled.  Continue to the next steps to verify that the Camera app is successfully disabled.


 

Return to the Camera App

If you located the Camera app on the device earlier, return to your device and navigate back to where the Camera app previously was.  Notice that the Camera app is now disabled and is no longer displayed on the device.

 

 

Search for the Camera App (Optional)

 

  1. Swipe down to show the Search bar.
  2. Enter camera in the Search bar.
  3. Notice that the Camera app is disabled and no longer displays in the search results.

 

Un-enrolling Your Device


You are now going to un-enroll the iOS device from Workspace ONE UEM.

NOTE - The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch Agent application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.


 

Enterprise Wipe (un-enroll) your iOS device

 

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device you will first bring up the Workspace ONE UEM Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and VMware1! as the password).

  1. Click Devices on the left column.
  2. Click List View.
  3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown on image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click More Actions. NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
  2. Click Enterprise Wipe under Management.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN which you set after your logged into the console (1234).

  1. Scroll down until you see the option for entering Security PIN
  2. Enter 1234 for the Security PIN. You will not need to press enter or continue, the console will confirm your PIN showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.  

    NOTE - If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console.  Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

  1. On your device, open the AirWatch Agent application.
  2. Tap the Device section (under Status) in the middle of the screen.
  3. Tap Send Data near the top of the screen.  If this does not make the device check in and immediately un-enroll, continue to Step #4.
  4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
  5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

Feel free to continue to the "Force the Wipe" step to manually uninstall the Workspace ONE UEM services from the device if network connectivity is failing.

 

 

Verify the Un-Enrollment

 

Press the Home button on the device to go back to the home screen. The applications pushed through Workspace ONE UEM should have been removed from the device.

NOTE - The applications and settings pushed through Workspace ONE UEM should have been removed. The Agent will still be on the device because that was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse through the various networks out and back to your device. Continue on to the next step to force the wipe if the needed.

 

 

Force the Wipe - IF NECESSARY

 

If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.

  1. Tap General in the left column.
  2. Scroll down to view the Device Management option.
  3. Tap Device Manager at the bottom of the list of General settings.

 

 

Force the Wipe - IF NECESSARY

 

Tap the Device Manager profile that was pushed to the device.

 

 

Force the Wipe - IF NECESSARY

 

  1. Tap Remove Management on the Device Manager profile.  
    NOTE - If prompted for a device PIN, enter it to continue.  VMware provisioned devices should not have a device PIN enabled.
  2. Tap Remove on the Remove Management prompt.

After removing the Device Manager profile, the device will be un-enrolled.  Feel free to return to the Verify the Un-Enrollment step to confirm the successful un-enrollment of the device.

 

Conclusion


Managing your devices with Workspace ONE UEM empowers your administrators to ensure devices are operating and accessing corporate resources securely without violating user privacy.  Now that you know how to enroll a device a push a profile, consider exploring the other lab topics available in this module to further expand your Workspace ONE UE< knowledge.

This concludes the Introduction to Apple iOS Management module.  


Module 2 - Introduction to Apple macOS Management

Introduction


In this lab module, we will explore some Workspace ONE administration features and concepts available for the macOS platform.  This lab will give you a better understanding of how macOS devices are enrolled, what management options you have available, and how these options can improve and impact the user experience by configuring macOS and publishing applications.

Before you can start the lab, make sure you review the next page to ensure you can successfully complete the lab.


 

Pre-Requisites

To successfully complete this Hands-On Lab, you'll need to ensure you have the following pre-requisites:

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Retrieving the Group ID


Before enrolling your device, retrieve your Group ID from the Workspace ONE UEM Console.


 

Point to the Organization Group

 

Select the email address you used to log in to the Workspace ONE UEM Console.

 

 

Copy the Group ID

 

Copy the Group ID from the Organization Group tab.

 

Installing the Workspace ONE Intelligent Hub


In this exercise, download and install the Workspace ONE Intelligent Hub on your macOS device. 


 

Log In to the MacBook - If Needed

 

Login to the macOS device.  If you are using a VMworld provided device, the login details are below.

  1. Enter administrator for the username.
  2. Enter VMware1! for the password.
  3. Press the continue button or press ENTER.

 

 

Download the Workspace ONE Intelligent Hub

 

Click the Safari icon (blue compass) to open the Safari browser.

 

 

Install the Workspace ONE Intelligent Hub

 

  1. Click the Downloads folder in the dock (next to the Trash Bin).
  2. Click the VMwareWorkspaceONEIntelligentHub.pkg file to begin the installer.

 

 

Provide Credentials for the Installer

 

  1. Click Install.  You are now  prompted to enter the computers administrator credentials.
  2. Enter administrator in the Name field.
  3. Enter VMware1! in the Password field.
  4. Click the Install Software button.

 

Enroll a macOS Device


In this exercise, you enroll a macOS device into Workspace ONE UEM. Enrollment is the action that brings a device under management and control by Workspace ONE UEM. There are a number of ways to enroll the various platforms (macOS included), but for this exercise we cover a basic enrollment scenario.  


 

Enroll the macOS Device

This enrollment flow is considered User-Approved per the functionality introduced in macOS High Sierra.

 

 

Validate Mac Enrollment

Follow the next steps to verify that the Mac has been successfully enrolled.

 

In upper-right corner:

  1. Note the shield icon in the menu bar. Click the AirWatch Agent icon.
  2. Note the menu shows your device as Enrolled.
  3. Click Preferences and review the options available to you in the agent.

 

 

Key Takeaways

 

Creating a Device Profile for macOS


This exercise explores how to modify the macOS device behavior using Profiles.

Profiles are the mechanism by which Workspace ONE UEM manages settings on a macOS device.  macOS profile management is done in two ways: device level and enrollment-user level. You can set appropriate restrictions and apply appropriate settings regardless of the logged-on user. You can also apply settings specific to the logged-on user on the device. 

All profiles are broken down into two basic sections, the General section and the Payload section.

Every Profile must have all required fields in the General section properly filled out and at least one payload configured.

Device Profiles are typically used to control settings that apply system-wide.  Device profiles can include items such as VPN and Wi-Fi configurations, Global HTTP Proxy, Disk Encryption, and/or Directory (LDAP) integration.   In this exercise, we create a profile that modifies the dock for all users on the machine.


 

Close System Preferences if opened

 

This section helps you to create a device profile which will change some system preferences in your Mac. However, to see those changes take place, you must first close any existing System Preference sessions if they are already open.

If System Preferences are opened, click X to close.

 

 

Add a macOS Device Profile

 

In the Workspace ONE UEM console:

  1. Select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.
  4. Select Add
  5. Select Add Profile.

 

 

Profile General Settings

 

Configure the device profile as follows:

  1. Select General if it is not already selected.
  2. Enter macOS Device Restrictions for the profile name.
  3. Select Auto for the Assignment Type.
  4. Scroll down to view the Assigned Groups field, and click in the search box. This will pop-up the list of created Assignment Groups. Enter All Devices and select All Devices (your@email.shown.here).

    Note: You do not need to click Save or Save & Publish at this point.  This interface allows you to move around to different payload configuration screens before saving.

 

 

Select the Restrictions Payload

 

  1. Select Restrictions.
  2. Click the Configure button.

Note: When initially setting most payloads a Configure button will show to reduce the risk of accidentally setting a payload configuration.

 

 

Publish the Device Profile

 

Click the Publish button.

 

 

Verify the Device Profile Now Exists

 

You should now see your macOS Device Restrictions Device Profile within the list of the Profiles window.

Note: If you need to edit the Profile, this is where you would return in order to do so.

 

 

Validate Applied Profiles

 

  1. Click the Apple icon in the upper-left corner
  2. Click System Preferences.
  3. If System Preferences shows you a specific subpanel, such as Time Machine, click the back button.
  4. Note you cannot modify the settings for Bluetooth and Energy Saver as those icons are grayed-out.

 

 

Key Takeaways

 

Creating a User Profile for macOS


User Profiles are typically used to control settings that apply to the enrolled user. User profiles can include items such as Email configurations, web clips (URL shortcuts), credentials (certificates), and content filtering settings.  In this exercise, we create restrictions for system preferences panes for the enrolled user on this machine.


 

Add a macOS User Profile

 

  1. Select Add.
  2. Select Add Profile.

 

 

Profile General Settings

 

Configure the profile as follows:

  1. Click on General if it is not already selected.
  2. Enter macOS User Dock in the Name text box.
  3. Ensure the assignment type is set to Auto.
  4. Click in the Assigned Groups field. This will pop-up the list of created Assignment Groups. Enter All Devices and select the All Devices (your@email.shown.here) Group.

Note: You do not need to click Save or Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

 

 

Select the Dock Payload

 

  1. Select Dock
  2. Click the Configure button.

 

 

Publish the User Profile

 

Select the Publish button.

 

 

Verify the User Profile

 

You should now see your macOS User Dock User Profile within the List of the Profiles window.

Note: If you need to edit the Profile, this is where you would return in order to do so.

 

 

Validate Applied Profile

 

Validate the Dock has changed size and moved to the left side of the screen.

 

Reviewing New Payloads for macOS High Sierra Profile


All profiles are broken down into two basic sections, the General section and the Payload section.

Every Profile must have all required fields in the General section properly filled out and at least one payload configured.


 

Add a macOS Device Profile

 

In the Workspace ONE UEM console:

  1. Select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.
  4. Select Add
  5. Select Add Profile.

 

 

Configure Security & Privacy Payload

 

  1. Select Security & Privacy
  2. Click Configure.

 

 

Review Security & Privacy Payload Settings

 

  1. Select the Delay Updates check box.
  2. Note the box where you can specify how long (1 to 90 days) to delay updates.

Note: The delay starts from the day the update is released. For example, if Apple publishes an update and the device is offline for the first 30 days the update is released, a 90-day update delay period would end 60 days later (even though technically the device has only known about the update for 60 days).  

 

 

Review the Kernel Policy Extension Payload

 

In the same profile screen:

  1. Select the Kernel Extension Policy payload.
  2. Click Configure.

 

Configuring Device Lock


Device lock for macOS devices causes the machine to reboot into a firmware-lock screen. This lock screen occurs at the firmware level prior to OS boot.


 

Open macOS Device Details

 

  1. Select Devices.
  2. Select List View. 

 

 

Select macOS Device

 

Select your enrolled macOS device.

Note: In this exercise we are using MacBooks—ensure that you are selecting your enrolled macOS device.

 

 

Lock Device

 

Click Lock in the upper-right corner of your device details view.

 

 

Enter Device Lock Code

 

  1. Enter 111111 as the firmware lock code.
  2. Click Lock Device.

 

 

Device Reboot

 

The device reboots after a short delay and the firmware will be locked.

 

 

Unlock The Device

 

  1. At the System Lock screen, enter the unlock code 111111.
  2. Click the Arrow (-->) to boot the device.

Device lock for macOS devices causes the machine to reboot into a firmware-lock screen.  This lock screen occurs at the firmware level prior to OS boot.

 

 

Key Takeaways

 

macOS Application Management (MAM)


VMware AirWatch recently announced integration with the Open-Sourced "munki" project for third-party application management on enrolled macOS devices. With this integration, administrators can now manage third-party (non-AppStore) software using the internal apps view (closer aligning the admin experience to that of other platforms). The integration allows administrators to consume a global CDN for software delivery, without requiring the administrators to fully understand munki's inner workings and configuration.

In this exercise, you will enable the application catalog and deploy an Application to your device.

Note: All Workspace ONE UEM Console work for this section should be performed on a macOS device.

Note: Workspace ONE UEM also provides a second facility for delivering software/configurations and running scripts/commands on a macOS device. This method, known as Product Provisioning, is outside the scope of this exercise.  


 

Administrators can deliver software to macOS devices in numerous ways. As a quick reference, VMware recommends the following methods to deliver software to macOS devices:

 

 

Configure App Catalog

 

On your macOS device, Open Safari by clicking the icon on the dock.

 

 

Enable macOS Software Management

NOTE:  The steps in this section have already been completed for you in the Hands-On Lab.  You DO NOT need to Enable Software Management as it has already been completed on your behalf.

Prior to deploying a macOS Application, VMware AirWatch administrators must enable their environments for Software Management. The following items are pre-requisites for macOS Software Management:

  1. For On-Premise Installations, "File Storage" must be enabled (Settings > Installation > File Path).
  2. "Software Management" must be enabled (Settings > Devices & Users > Apple > Apple macOS > Software Management)
  3. VMware AirWatch Agent for macOS version 3.0 (or newer)

 

 

Prepare macOS Applications for Deployment

In this section, you will download the VMware AirWatch Admin Assistant tool and use it to prepare another 3rd-Party application for deployment.

 

 

Deploy a macOS Application

 

In Safari, Click on the tab labeled Devices > Dashboard to return to the Workspace ONE UEM Console.

 

 

Validate Application Install

With the macOS device enrolled, the published application should begin downloading and installing immediately.  This sections shows how you can manually validate the application is installing and/or installed.

 

 

Key Takeaways

 

Managing macOS Custom Attributes


Custom attributes enable administrators to extract particular values from a managed device and return it to the Workspace ONE UEM Console.  This can be particularly useful for device configuration auditing and Product sequencing.


 

Custom Attributes

Custom attributes are key-value pairs.  These key value pairs are generated by scripting/commands which execute on the device and whose values are returned to the console through the Workspace ONE UEM Agent.  The scripts/commands are delivered to the device using a custom attributes payload in a profile.  The profile also allows scheduling of the script/command to re-occur on a schedule or based on an event.  Additionally, custom attribute payloads execute in the root context on the device, which allows you to gather information about the device without requiring the enrolled user to have Administrative permissions.

 

 

Custom Attribute Profiles

Previously, custom attributes were sent to the console by creating a shell script to write values to a specific Plist file monitored by the agent. In AirWatch 8.2 and later, this functionality is now included as a profile and adds additional features such as scheduling.

 

 

Locating Custom Attributes

After Workspace ONE UEM delivers a custom attributes profile/payload to a device, the agent will report the initial value of the Custom Attribute back to Workspace ONE UEM and begin the Schedule or Event monitoring. Custom attribute values that have been reported back to the console can be viewed in the device details.

 

Enterprise Wipe a macOS Device


An Enterprise Wipe removes corporate data that was added to the device while leaving personal data intact.


 

View Device List

 

In the Workspace ONE UEM Console:

  1. Select Devices
  2. Select List View
  3. Select your macOS device in the List View to view details.

 

 

Initiate Enterprise Wipe

 

  1. From the toolbar in the device details header, select More Actions.
  2. Select Enterprise Wipe under the Management header in the drop-down menu.

 

 

Enter Security PIN to Confirm Wipe

 

  1. Scroll down until you see the section to Enter Security PIN.
  2. Enter your security PIN 1234 to initiate the Enterprise Wipe. 

 

Validate the Enterprise Wipe on the macOS Device


 

  1. On your device, select the Apple icon in the upper-left corner.
  2. Select System Preferences.  

 

Verify Removal of System Preference Restrictions

 

Note you can now make modifications to Energy Saver and Bluetooth because the restriction created earlier has been removed.

 

 

Verify Removal of Deployed Internal Application

 

  1. Open Finder (Smiley Face) on the dock and select Go. 
  2. Select Applications
  3. Confirm that Feedly has been removed from your device.

On your device, also note that the dock preferences have been removed and the dock has returned to its original position.

Note: Due to network limitations, you may need to wait several minutes after un-enrolling before the Feedly application is removed and the dock is returned to the original position.

 

Conclusion


This lab covered basic macOS administration using AirWatch.  You enrolled your macOS device, created profiles, deployed an application, locked the device, used Custom Attributes and then enterprise wiped the content and settings from the device.  

For more information, please register for a free account at https://my.air-watch.com (My AirWatch) in order to access AirWatch Academy and our Resources page.  There you will find courses and documentation that can help you with advanced topics in macOS management, such as:

This concludes the Basic Apple macOS Management module.


Module 3 - Software Distribution with macOS

Introduction


In this lab module, we will explore Workspace ONE features and concepts related to software distribution for the macOS platform.  This lab will give you a better understanding of the software distribution options you have available, and what use cases are targeted by each deployment method.

Before you can start the lab, make sure you review the next page to ensure you can successfully complete the lab.


 

Pre-Requisites

To successfully complete this Hands-On Lab, you'll need to ensure you have the following pre-requisites:

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Installing the Workspace ONE Intelligent Hub


In this exercise, download and install the Workspace ONE Intelligent Hub on your macOS device. 


 

Log In to the MacBook - If Needed

 

Login to the macOS device.  If you are using a VMworld provided device, the login details are below.

  1. Enter administrator for the username.
  2. Enter VMware1! for the password.
  3. Press the continue button or press ENTER.

 

 

Download the Workspace ONE Intelligent Hub

 

Click the Safari icon (blue compass) to open the Safari browser.

 

 

Install the Workspace ONE Intelligent Hub

 

  1. Click the Downloads folder in the dock (next to the Trash Bin).
  2. Click the VMwareWorkspaceONEIntelligentHub.pkg file to begin the installer.

 

 

Provide Credentials for the Installer

 

  1. Click Install.  You are now  prompted to enter the computers administrator credentials.
  2. Enter administrator in the Name field.
  3. Enter VMware1! in the Password field.
  4. Click the Install Software button.

 

Enroll a macOS Device


In this exercise, you enroll a macOS device into Workspace ONE UEM. Enrollment is the action that brings a device under management and control by Workspace ONE UEM. There are a number of ways to enroll the various platforms (macOS included), but for this exercise we cover a basic enrollment scenario.  


 

Enroll the macOS Device

This enrollment flow is considered User-Approved per the functionality introduced in macOS High Sierra.

 

 

Validate Mac Enrollment

Follow the next steps to verify that the Mac has been successfully enrolled.

 

In upper-right corner:

  1. Note the shield icon in the menu bar. Click the AirWatch Agent icon.
  2. Note the menu shows your device as Enrolled.
  3. Click Preferences and review the options available to you in the agent.

 

 

Key Takeaways

 

Software Distribution Methods


Workspace ONE UEM supports a few different methods for delivering software to managed macOS devices.   The distribution method you choose is highly dependent upon the type of software you wish to choose.   This section is simply an overview of each different method and the caveats associated with each method.

Software Distribution encompasses delivery of a few different classes or types of software:  

NOTE:   Script deployment is outside the scope of this lab and will be included in a later release of the lab.


 

App Store Applications

 

Workspace ONE UEM has supported application deployment from the macOS App Store via the Volume Purchase Program (VPP) for a number of releases.   This support has also extended to VPP apps purchased through Apple School Manager (and now Apple Business Manager - shown above).  In this case, Administrators may purchase licenses for macOS App Store applications and distribute them to users via device-based licensing.  This allows administrators to deploy these apps to devices, without the need for the user to have an Apple ID.

Some applications that are commonly deployed this way include (but are not limited to):

 

 

3rd-Party Non-Store Applications

 

Workspace ONE UEM has also supported 3rd-Party Non-Store application deployment for a number of releases.  Previous to Workspace ONE UEM (or AirWatch) 9.3, the primary method of deploying non-store applications was to use the Products engine.   With the release of version 9.3 (and macOS Agent 3.0), Workspace ONE UEM included functionality to perform application install/uninstall using a built-in integration with the open-source framework Munki.   You can optionally pair the munki integration with Workspace ONE UEM's CDN integration to enable in-region delivery of these non-store apps to the endpoint.  

VMware has put considerable effort into making this integration "consumer simple" for admins which are new to Munki and/or macOS as a platform.   This ensures administrators which are not experienced with Munki do not need to learn the framework to leverage its features and functionality.  

Some applications that are commonly deployed this way include (but are not limited to):

Content Delivery Network (CDN) integration (via Akamai) is enabled by default for Workspace ONE UEM SaaS customers.

 

VIDEO: Deploying macOS Volume-Purchased Apps


Workspace ONE UEM has built-in support for Apple's Volume Purchase Program (including apps purchased in bulk via Apple School Manager and Apple Business Manager).   In this section, you can view a video that demonstrates how content managers can purchase app licenses in Apple School Manager, then assign them to enrolled devices in Workspace ONE UEM.


Deploying macOS Applications via Internal Applications (using Munki)


VMware AirWatch recently announced integration with the Open-Sourced "munki" project for 3rd-party application management on enrolled macOS devices.   With this integration, administrators can now manage 3rd-party (non-AppStore) software using the "internal apps" view (closer aligning the admin experience to that of other platforms).   The integration allows administrators to consume a global CDN for software delivery, without requiring the administrators to fully understand munki's inner workings and configuration.  

In this exercise, you will enable the application catalog and deploy an Application to your device.

NOTE - All AirWatch Management Console work for this section should be performed on a MacOS device.


 

As mentioned in the introduction to this section,  administrators can deliver software to macOS devices in numerous ways.  As a quick reference, VMware recommends using the following methods to deliver software to macOS devices:

 

 

Configure App Catalog

 

On your macOS device, Open Safari by clicking the icon on the dock.

 

 

Enable macOS Software Management

NOTE:  The steps in this section have already been completed for you in the Hands-On Lab.  You DO NOT need to Enable Software Management as it has already been completed on your behalf.

Prior to deploying a macOS Application, VMware AirWatch administrators must enable their environments for Software Management. The following items are pre-requisites for macOS Software Management:

  1. For On-Premise Installations, "File Storage" must be enabled (Settings > Installation > File Path).
  2. "Software Management" must be enabled (Settings > Devices & Users > Apple > Apple macOS > Software Management)
  3. VMware AirWatch Agent for macOS version 3.0 (or newer)

 

 

Prepare macOS Applications for Deployment

In this section, you will download the VMware AirWatch Admin Assistant tool and use it to prepare another 3rd-Party application for deployment.

 

 

Deploy a macOS Application

 

In Safari, Click on the tab labeled Devices > Dashboard to return to the Workspace ONE UEM Console.

 

 

Validate Application Install

With the macOS device enrolled, the published application should begin downloading and installing immediately.  This sections shows how you can manually validate the application is installing and/or installed.

 

 

Key Takeaways

 

Deploying macOS Applications via Product Provisioning (legacy support)


Workspace ONE UEM product provisioning is functionality that was originally created to support rugged devices but ported to provide support for macOS.   While this software deployment strategy is less preferred than using the munki framework via Internal Apps, it can still be useful in some situations (and/or for problematic software installations).   Product Provisioning can be thought of as a sequence of files and actions that together comprise the steps required to install a software package (the "product").  

This section will walk you through the basic set of steps you can use to provision software to a macOS device.

Because products are considered a legacy form of software distribution, you will miss out on a number of features/benefits gained when deploying via Internal Applications.   When deploying via Products, you will not have the following functionality:


 

Create Custom Attribute Profile

Custom Attributes are a built-in function of the VMware Workspace ONE UEM agent for macOS.  An administrator can deliver a shell script in a profile payload, and the echo result of that script is returned to the console as custom information about that device.   In the context of product provisioning, one or more custom attributes can be used to further constrain product deployment to devices within an assignment group.  

This section demonstrates how to create a custom attribute profile.

 

 

Locating Custom Attributes

Once Workspace ONE UEM delivers a Custom Attributes profile/payload to a device, the Agent will report the initial value of the Custom Attribute back to Workspace ONE UEM and begin the Schedule or Event monitoring.  Custom Attribute values that have been reported back to the console can be viewed in the device details.

 

 

Download BBEdit Installer

 

 

Create Files/Actions

A product can comprise one or more Files/Actions.  Files/Actions are the building blocks of a product, containing a set of files and a manifest of actions to take against those files.   A Files/Actions set can also contain a corresponding uninstall manifest which directs the Workspace ONE UEM agent as to how a product should be removed during an Enterprise Wipe.   This exercise illustrates how to create a basic set of files/actions in order to install and uninstall BBEdit.

 

 

Create Product from Files/Actions

 

 

Validate Product Installation

 

After activating the Product, you will be taken back to the Product List View in the Workspace ONE UEM Console, which is located under Devices > Staging & Provisioning > Product List View.

  1. You may need to click the Refresh button if the shown values are not populated.
  2. Note the number of Compliant devices (The product installed successfully).
  3. Note the number of devices where product installation is in progress.
  4. Note the number of failed product installs.

All the status counts are clickable and will display a list view of all devices with that status (e.g. Compliant, In Progress, and Failed).

 

Enterprise Wipe a macOS Device


An Enterprise Wipe removes corporate data that was added to the device while leaving personal data intact.


 

View Device List

 

In the Workspace ONE UEM Console:

  1. Select Devices
  2. Select List View
  3. Select your macOS device in the List View to view details.

 

 

Initiate Enterprise Wipe

 

  1. From the toolbar in the device details header, select More Actions.
  2. Select Enterprise Wipe under the Management header in the drop-down menu.

 

 

Enter Security PIN to Confirm Wipe

 

  1. Scroll down until you see the section to Enter Security PIN.
  2. Enter your security PIN 1234 to initiate the Enterprise Wipe. 

 

Conclusion


This lab covered basic macOS Software Distribution using Workspace ONE.  You enrolled your macOS device, deployed software and then enterprise wiped the content and settings from the device.  


Module 4 - AirWatch School Manager

Introduction


In this section we'll cover a basic introduction to AirWatch School Manager and it's requirements.


 

What is AirWatch School Manager

AirWatch School Manager is designed to let organizations leverage Apple's Classroom application in organizations that are not eligible for Apple School Manager.

 

 

Requirements

AirWatch School Manager requires the following software and hardware:

NOTE - If your iOS Devices do not meet the above requirements, you will not be able to complete this entire module!

 

 

Optional Functionality

While not required, the following optional 3rd-party software features can augment the functionality of AirWatch School Manager.  These 3rd-party features can help streamline your classroom setup and configuration:

 

 

Differences from Apple Education

While employing similar concepts and functionality, AirWatch School Manager has a few differences from Apple Education.  

  1. Apple School Manager is not required.  AirWatch School Manager can therefore be leveraged in countries where Apple School Manager is not available.  It also means AirWatch School Manager can be leveraged by entities (such as businesses) which are not eligible to enroll in Apple School Manager.
  2. Managed Apple IDs are not required.   AirWatch School Manager does not require Managed Apple IDs which can only be created via Apple School Manager.   This means you can create a class device without the need for any Apple ID (if you leverage Device-Based Licensing via the Apple Volume Purchase Program).
  3. AirWatch School Manager does not require 32GB+ iPads.   This makes AirWatch School Manager work with a greater number of devices, including older 16GB iPads.

 

 

Typical Uses for AirWatch School Manager

AirWatch School Manager is designed to let organizations leverage Apple's Classroom application in organizations that are not eligible for Apple School Manager.  Some typical use cases are as follows:

 

Login to the Workspace ONE UEM Console


To perform most of the lab, you will need to login to the Workspace ONE UEM Admin Console.


 

Launch Chrome Browser

 

Double-click the Chrome Browser on the lab desktop.

 

 

Authenticate to the Workspace ONE UEM Admin Console

 

The default home page for the browser is https://labs.awmdm.com. Enter your Workspace ONE UEM Admin Account information and click the Login button.

NOTE - If you see a Captcha, please be aware that it is case sensitive!

  1. Enter your Username. This is your email address that you have associated with your VMware Learning Platform (VLP) account.
  2. Enter VMware1! for the Password field.
  3. Click the Login button.

NOTE - Due to lab restrictions, you may need to wait here for a minute or so while the Hands On Lab contacts the Workspace ONE UEM Hands On Labs server.

 

 

Accept the End User License Agreement

 

NOTE - The following steps of logging into the Administration Console will only need to be done during the initial login to the console.

You will be presented with the Workspace ONE UEM Terms of Use. Click the Accept button.

 

 

Address the Initial Security Settings

 

After accepting the Terms of Use, you will be presented with a Security Settings pop-up.  The Password Recovery Question is in case you forget your admin password and the Security PIN is to protect certain administrative functionality in the console.  

  1. You may need to scroll down to see the Password Recovery Questions and Security PIN sections.
  2. Select a question from the Password Recovery Question drop-down (default selected question is ok here).
  3. Enter VMware1! in the Password Recovery Answer field.
  4. Enter VMware1! in the Confirm Password Recovery Answer field.
  5. Enter 1234 in the Security PIN field.
  6. Enter 1234 in the Confirm Security PIN field.
  7. Click the Save button when finished.

 

 

Close the Welcome Message

 

After completing the Security Settings, you will be presented with the Workspace ONE UEM Console Highlights pop-up.

  1. Click on the Don't show this message on login check box.
  2. Close the pop-up by clicking on the X in the upper-right corner.

 

Enabling VMware AirWatch School Manager


In this section we will enable AirWatch School Manager functionality in your AirWatch environment.


 

Enter Devices Settings

 

  1. Click Devices
  2. Click Devices Settings

 

 

Enable AirWatch School Manager

 

  1. Under Devices & Users, click Apple.
  2. Click Education.
  3. Select Override for Current Setting.
  4. Select Enabled for Enable Education Features.
  5. Select AirWatch for the Class Source.
  6. Click Save.

 

 

Enter Security PIN

 

  1. Enter the Security PIN (e.g. 1234) that you entered when first logging into your AW environment.
  2. After inputting your Security PIN, you should see the Successful confirmation appear and automatically closes the menu.

 

 

Close Device Settings

 

Click the X in the top right corner of the Settings screen to return to the Device Dashboard.

 

Creating the Class List


In this section we'll walk through the initial stages of configuring AirWatch School Manager.


 

The Education Overview Hub

 

  1. Click on Hub
  2. Expand Education
  3. Click Overview
  4. Note the Overview page that details the AirWatch School Manager Setup and Use.

 

 

The Class List Page

 

  1. Click on Class List
  2. Click on Add Class

 

 

Add a Class

 

  1. Enter a name for the class: 1st Grade - Ms Smith
  2. Click the Assigned Teachers box and select imateacher. NOTE - As you type the console will filter a list of users.  You can select the user without having to type the whole name.
  3. Click the Assigned Students box and select imastudent.
  4. Click Save

 

 

Add Another Class

 

  1. Click on Class List
  2. Note the presence of the class you just created.
  3. Click Add Class

 

 

Enter Class Information

 

  1. Enter a name for the class: 1st Grade - Mr Jones
  2. Click the Assigned Teachers box and select imateacher. NOTE - As you type the console will filter a list of users.  You can select the user without having to type the whole name.
  3. Click the Assigned Students box and select imastudent
  4. Click Save

 

Publish the Classroom Application


Next, we will publish the Classroom app so that our the Classroom functionality can be shown on devices that we will enroll in a later step.


 

Add a Public Application

 

In the top-right corner of the AirWatch Console:

  1. Click Add.
  2. Click Public Application.

 

 

Search for the Classroom App

 

  1. Select Apple iOS for the Platform.
  2. Enter Classroom for the Name.
  3. Click Next.

 

 

Select the Classroom App

 

  1. Find the Apple Classroom app in the list.  The identifier will be com.apple.classroom.

    NOTE - It may not be the first result and may require you to scroll down to find it!
  2. Click Select on the Apple Classroom app.

 

 

Review Classroom Application Information

 

Review the information about the application you've selected and click Save & Assign

 

 

Configure the Classroom Assignment Settings

 

  1. On the "Update Assignment" screen, click on the Assignments tab
  2. Click Add Assignment.

 

 

Create the Classroom Configuration.

 

Begin to fill-out your classroom configuration.  Please ensure you've met the following:

  1. Assign to your All Devices (your@email.shown.here) smart group.
  2. Set the app delivery method as AUTO
  3. Scroll down to the policies section and select Enabled for Remove On Unenroll.
  4. Click Add

 

 

Finish the Classroom Configuration and Save

 

Click Save & Publish

 

 

Publish the Classroom App

 

Click Publish

 

Enroll Class Devices


You are now going to enroll two iOS devices for use with this module.  One device will act as a teacher, the other will act as a student.


 

Download and Install Workspace ONE Intelligent Hub from App Store (IF NEEDED)

 

NOTE - Checked out devices will likely have the Workspace ONE Intelligent Hub already installed. You may skip this step if your device has the Workspace ONE Intelligent Hub installed.

At this point, if you are using your own iOS device or if the device you are using does NOT have the Workspace ONE Intelligent Hub Application installed, then install the application from the App Store.

To Install the Workspace ONE Intelligent Hub application from the App Store, open the App Store application and download the free Workspace ONE Intelligent Hub application.

 

 

Launching the Workspace ONE Intelligent Hub

 

Launch the Hub app on the device.  

NOTE - If you have your own iOS device and would like to test you will need to download the Workspace ONE Intelligent Hub app first.

 

 

Enter the Server URL

 

  1. Enter labs.awmdm.com for the Server URL.
  2. Click Next.

Click on the Server Details button.

 

 

Find Your Group ID From the Workspace ONE UEM Console

 

Return to the Workspace ONE UEM Console,

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the lab portal.
  2. Your Group ID is displayed at the bottom of the Organization Group pop up.

NOTE - The Group ID is required when enrolling your device in the following steps.

 

 

Attach the Workspace ONE Intelligent Hub to the HOL Sandbox

 

Return to the Workspace ONE Intelligent Hub application on your iOS Device,

  1. Enter your Group ID for your Organization Group for the Group ID field.  Your Group ID was noted previously in the Finding your Group ID step.
  2. Tap the Next button.

NOTE - If on an iPhone, you may have to close the keyboard by clicking Done in order to click the Next button.

 

 

Enter the Teacher User Credentials

 

You will now provide the Teacher account's user credentials to authenticate to Workspace ONE UEM on the first device.

  1. Enter imateacher in the Username field.
  2. Enter VMware1! in the Password field.
  3. Tap the Next button.

 

 

Redirect to Safari and Enable MDM Enrollment in Settings

 

The Workspace ONE Intelligent Hub will prompt you to enable Workspace Services to enroll your device into Workspace ONE UEM.  

Tap Next to begin.

 

 

Allow Website to Open Settings (IF NEEDED)

 

If you prompted to allow the website to open Settings to show you a configuration profile, tap Allow.

NOTE - If you do not see this prompt, ignore this and continue to the next step.  This prompt will only occur for iOS Devices on iOS 10.3.3 or later

 

 

Install the Workspace ONE MDM Profile

 

Tap Install in the upper right corner of the Install Profile dialog box.

 

 

Enter Device Passcode (IF NEEDED)

 

If prompted, enter your device passcode to continue.

If you do NOT receive this prompt, continue to the next step.

 

 

Install and Verify the Workspace ONE MDM Profile

 

Tap Install when prompted at the Install Profile dialog.

 

 

iOS MDM Profile Warning

 

You should now see the iOS Profile Installation warning explaining what this profile installation will allow on the iOS device.

Tap Install in the upper-right corner of the screen.

 

 

Trust the Remote Management Profile.

 

You should now see the iOS request to trust the source of the MDM profile.

Tap Trust when prompted at the Remote Management dialog.

 

 

iOS Profile Installation Complete

 

You should now see that the iOS Profile was successfully installed.

Tap Done in the upper right corner of the prompt.

 

 

Workspace ONE UEM Enrollment Success

 

Your enrollment is now completed! Tap Open to navigate to the Workspace ONE Intelligent Hub.

 

 

Accept the Workspace ONE Intelligent Hub Notice

 

Tap Done to confirm the notice and continue.

 

 

Accept Notifications for Hub (IF NEEDED)

 

Tap Allow if you get a prompt to allow notifications for the Hub app.

 

 

Accept the App Installation (IF NEEDED)

 

You may be prompted to install a series of applications depending on which Module you are taking. If prompted, tap Install to accept the application installation.

 

 

Confirm the Privacy Policy

 

Tap I Understand when shown the Privacy policy.

 

 

Accept the Data Sharing Policy

 

Tap I Agree for the Data Sharing policy.

 

 

Confirm the Device Enrollment in the Hub App

 

Confirm that the Hub app shows the user account that you enrolled with.

You have now successfully enrolled your iOS device with Workspace ONE UEM!  Continue to the next step.

 

 

REMINDER - Enroll TWO Devices

 

REMINDER - You will need to enroll one device as imateacher and another device as imastudent in order to complete the lab.

Please ensure you have completed the "ENROLL CLASS DEVICES" section twice and have a device enrolled as the teacher and another enrolled as the student!

  1. Enter imastudent in the Username field.
  2. Enter VMware1! in the Password field.
  3. Tap the Next button.

 

Control Student Devices with Classroom App


This section is meant to give you a brief introduction to the Classroom application and its use within AirWatch School Manager.  More details on the Classroom app can be found on Apple's support website:  https://help.apple.com/classroom/ipad/1.1


 

Open Classroom App

 

Return to the Teacher iPad. On the Teacher iPad:

Tap the Classroom app to open it and click Continue at the Welcome Screen.

 

 

OPTIONAL: Configuration Invalid Error

 

If you receive a Configuration Invalid error message, you most likely have tried to open the Classroom application on the Student iPad.

  1. Click OK
  2. Swap iPads and restart this section at Open Classroom App from the TEACHER iPad.

 

 

Click Continue

 

Click Continue to launch the Classroom app.

 

 

Accept Notification Prompt (IF NEEDED)

 

You may see a prompt to allow notifications from Classroom app. Tap Allow if you get a prompt for Notifications.

 

 

Choose Class

 

Click on 1st Grade - Mr Jones

 

 

Explore Classroom Interface

 

Note the following areas of the Classroom app interface:

  1. Select -- allows you to select multiple devices (#5) in order to apply commands (#3) to simultaneously.
  2. Action Buttons -- The actions you can take against a group of devices (#4) or individual devices (#5)
  3. Device Groups -- Groupings of devices (can be one or more).   Classroom includes an All group by default.
  4. Individual devices -- each device/user is shown in the classroom application.

 

 

Verify Student iPad Connectivity

 

  1. If your student iPad displays as Offline, click the hardware power button the iPad to power it on.
  2. You will see the status change to Home Screen (or whatever app is currently running in the foreground).
  3. Note that the iPad is now displayed on the Device Groups bar based on the currently running app.

 

 

Control Single iPad

 

  1. Click on the Student device.   Note actions that are disabled - this functionality relates to Managed Apple IDs (requires Apple School Manager)
  2. Open allows you to open an application on the student iPad.  NOTE -  The app must already exist on the iPad.
  3. Navigate allows you to open a web location in Safari on the Student device.
  4. Lock allows you to put the device into a "locked" state (such as for "eyes up front").
  5. AirPlay allows you to force a device to send its screen to an AirPlay compatible device.  You can populate the list of AirPlay destinations via an EMM Profile.
  6. Password allows you to reset the device password if one has been set.
  7. View Screen allows you to watch the screen on the device in real-time.
  8. When choosing an action, completion of the action will display a Done link to return you to main Classroom App screen.
  9. You can exit from the Actions list for a device by clicking outside the dialog screen.

 

 

Control Multiple Devices

 

  1. Select a Group from the list of Device Groups.
  2. Note that you can now take actions against the group, such as Open, Navigate, Lock, and Screen Viewing.
  3. Click Screens on the Teacher device.
  4. Note the icon for the student device in the Classroom app now displays the screen capture of the device. Also note on the student device that the status bar is now blue and there is also an airplay icon displayed.
  5. Click the Screens button to end screen viewing. Note the icon returns to normal in the Classroom app and the student device status bar returns to normal.

 

Un-enrolling Your Device


You are now going to un-enroll the iOS device from Workspace ONE UEM.

NOTE - The term "Enterprise Wipe" does not mean reset or completely wipe your device. This only removes the MDM Profiles, Policies, and content which the AirWatch MDM Agent controls.

It will NOT remove the AirWatch Agent application from the device as this was downloaded manually before Workspace ONE UEM had control of the device.


 

Enterprise Wipe (un-enroll) your iOS device

 

Enterprise Wipe will remove all the settings and content that were pushed to the device when it was enrolled.  It will not affect anything that was on the device prior to enrollment.

To Enterprise Wipe your device you will first bring up the Workspace ONE UEM Console in a web browser. You may need to re-authenticate with your credentials (VLP registered email address and VMware1! as the password).

  1. Click Devices on the left column.
  2. Click List View.
  3. Click the checkbox next to the device you want to Enterprise Wipe.

NOTE - Your Device Friendly Name will very likely be different than what is shown. It will, however, be in the same location as shown on image in this step.

 

 

Find the Enterprise Wipe Option

 

  1. Click More Actions. NOTE - If you do not see this option, ensure you have a device selected by clicking the checkbox next to the device.
  2. Click Enterprise Wipe under Management.

 

 

Enter your security PIN

 

After selecting Enterprise Wipe, you will be prompted to enter your Security PIN which you set after your logged into the console (1234).

  1. Scroll down until you see the option for entering Security PIN
  2. Enter 1234 for the Security PIN. You will not need to press enter or continue, the console will confirm your PIN showing "Successful" below the Security PIN input field to indicate that an Enterprise Wipe has been requested.  

    NOTE - If 1234 does not work, then you provided a different Security PIN when you first logged into the Workspace ONE UEM Console.  Use the value you specified for your Security PIN.

NOTE - If the Enterprise Wipe does not immediately occur, follow the below steps to force a device sync:

  1. On your device, open the AirWatch Agent application.
  2. Tap the Device section (under Status) in the middle of the screen.
  3. Tap Send Data near the top of the screen.  If this does not make the device check in and immediately un-enroll, continue to Step #4.
  4. If the above doesn't make it immediately un-enroll, then tap Connectivity [Status] under Diagnostics.
  5. Tap Test Connectivity at the top of the screen.

NOTE - Depending upon Internet connectivity of the device and responsiveness of the lab infrastructure, this could take a couple of minutes or more if there is excessive traffic occurring within the Hands On Lab environment.

Feel free to continue to the "Force the Wipe" step to manually uninstall the Workspace ONE UEM services from the device if network connectivity is failing.

 

 

Verify the Un-Enrollment

 

Press the Home button on the device to go back to the home screen. The applications pushed through Workspace ONE UEM should have been removed from the device.

NOTE - The applications and settings pushed through Workspace ONE UEM should have been removed. The Agent will still be on the device because that was downloaded manually from the App Store. Due to lab environment settings, it may take some time for the signal to traverse through the various networks out and back to your device. Continue on to the next step to force the wipe if the needed.

 

 

Force the Wipe - IF NECESSARY

 

If your device did not wipe, follow these instructions to ensure the wipe is forced immediately. Start by opening the iOS Settings app.

  1. Tap General in the left column.
  2. Scroll down to view the Device Management option.
  3. Tap Device Manager at the bottom of the list of General settings.

 

 

Force the Wipe - IF NECESSARY

 

Tap the Device Manager profile that was pushed to the device.

 

 

Force the Wipe - IF NECESSARY

 

  1. Tap Remove Management on the Device Manager profile.  
    NOTE - If prompted for a device PIN, enter it to continue.  VMware provisioned devices should not have a device PIN enabled.
  2. Tap Remove on the Remove Management prompt.

After removing the Device Manager profile, the device will be un-enrolled.  Feel free to return to the Verify the Un-Enrollment step to confirm the successful un-enrollment of the device.

 

Conclusion


This section will cover some key takeaways for you to remember before ending this lab.


 

Requirements and Optional Add-ons for AirWatch School Manager

AirWatch School Manager requires the following software and hardware:

You may also extend your AirWatch School Manager functionality by leveraging the following programs:

 

 

 

Typical Uses for AirWatch School Manager

AirWatch School Manager is designed to let organizations leverage Apple's Classroom application in organizations that are not eligible for Apple School Manager.  Some typical use cases are as follows:

 

 

For More Information

For additional information on AirWatch School Manager, please speak with your Account Executive or refer to the documentation on MyAirWatch.

 

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-1957-05-UEM

Version: 20181104-164221