Dynamic Environment Manager Integration with OneDrive

Introduction
In our previous lab we saw the integration and delivery of configuration settings via Workspace ONE UEM. That is only half of what Dynamic Environment Manager requires to be fully functional. The other half is setting up and managing the user's archive.

In this lab we will use Microsoft OneDrive as the cloud storage platform for the user's archive.

This is the first, and at present the only, cloud-based storage platform that Dynamic Environment Manager supports for this purpose.

1. Part 1: Performing Workspace ONE Access setup requirements for Dynamic Environment Manager to work with Microsoft OneDrive

Overview

Section 1

For OneDrive integration to work with Dynamic Environment Manager, we need an integrated authentication method that is seamless. At present Kerberos is the only authentication protocol that offers this. We will now move on to the configuration.

Section 2

Dynamic Environment Manager also requires OneDrive authentication to be seamless: the user must not be prompted for credentials. If the user is prompted, the authentication times out and the OneDrive integration fails. We will perform one step in Workspace ONE Access to ensure the authentication is seamless, and we will configure Group Policy in Microsoft Active Directory to ensure seamless authentication to OneDrive.

Section 3

We will configure Workspace ONE Access to facilitate seamless authentication to OneDrive.

1.1. Section 1 : Configuring Kerberos Authentication in Workspace ONE Access for Dynamic Environment Manager to work with OneDrive
  1. On your ControlCenter Server
    • Open your Site 1 Browser
    • Log in to your Workspace ONE Access Tenant
    • In the Workspace ONE Access admin console
      • Select the Identity & Access Management tab
  1. In the Identity & Access Management area
    • In the top right corner
      • Select Setup
  1. In the Identity & Access Management > Setup
    • Ensure you are in Connectors
      • Under Enterprise Service
        • Note that the Kerberos Auth adapter
          • Status = Active
          • Health = Green
  1. In the Identity & Access Management area
    • To the right-corner, select Manage
  1. In Identity & Access Management > Manage area
    • Select Connector Authentication Methods
  1. In Identity & Access Management > Manage
    • Connector Authentication Methods area
      • Select NEW
        • From the dropdown
          • Select Kerberos
  1. In the New Kerberos Authentication Method window
    1. Directory and Hosts area
      • Accept the defaults
        • Select NEXT
  1. In the New Kerberos Authentication Method window
    1. Configuration area
      • Accept the defaults
        • Select NEXT
  1. In the New Kerberos Authentication Method window
    1. Summary area
      • Review the Configurations
        • Select SAVE
  1. In Identity & Access Management > Manage
    • Select Identity Providers
  1. In the Identity Providers area
    • In the top right-corner
      • Select Add Identity Provider
      • In the Add Identity Provider dropdown
        • Select Create Workspace IDP
  1. In the New Identity Provider console
    • Select or Enter the following next to: -
      • Identity Provider Name: Kerberos Auth
      • Users: euc-livefire.com
      • Authentication Method: Kerberos
      • Network: checkbox next to ALL RANGES
      • IdP Hostname: WS1-Connector.euc-livefire.com
    • Select Add

 

  1. In the Workspace ONE Access Admin Console
    • Note you now have a Workspace IDP for Kerberos Authentication
    • Under Identity & Access Management,
      • Select Policies
  1. In the Policies interface
    • Next to default_access_policy_set
      • Select the radio button
    • Above default_access_policy_set
      • Select EDIT
  1. In the Edit Policy window,
    • In the left column
      • Select Configuration
  1. In the Edit Policy window,
    1. Configuration area
      • Next to Windows 10
        • Select ALL RANGES
  1. In the Edit Policy Rule window
    • At the bottom of the page, select:
      • + ADD FALLBACK METHOD
    • At the top of the Edit Policy Rule window
    • Next to and the user accessing content from*
      • validate Windows 10 is selected
    • Next to then the user may authenticate using *
      • select Kerberos
    • Next to if preceding method fails or is not applicable, then
      • select Certificate (cloud deployment)
    • Next to if preceding method fails or is not applicable, then
      • select Password (cloud deployment)
    • Next to if preceding method fails or is not applicable, then
      • select Password (Local Directory)
    • Select SAVE at the bottom of the window
  1. In the Edit Policy window,
    1. Configuration area
      • Next to Web Browser
        • Select ALL RANGES
  1. In the Edit Policy Rule window
    • At the bottom of the page, select:
      • + ADD FALLBACK METHOD
    • At the top of the Edit Policy Rule window
    • Next to and the user accessing content from*
      • validate Web Browser is selected
    • Next to then the user may authenticate using *
      • select Kerberos
    • Next to if preceding method fails or is not applicable, then
      • select Certificate (cloud deployment)
    • Next to if preceding method fails or is not applicable, then
      • select Password (cloud deployment)
    • Next to if preceding method fails or is not applicable, then
      • select Password (Local Directory)
    • Select SAVE at the bottom of the window
  1. In the Edit Policy window,
    1. Configuration area
      • Next to Workspace ONE App
        • Select ALL RANGES
  1. In the Edit Policy Rule window
    • At the bottom of the page, select:
      • + ADD FALLBACK METHOD
    • At the top of the Edit Policy Rule window
    • Next to and the user accessing content from*
      • validate Workspace ONE App or Hub App is selected
    • Next to then the user may authenticate using *
      • select Kerberos
    • Next to if preceding method fails or is not applicable, then
      • select Certificate (cloud deployment)
    • Next to if preceding method fails or is not applicable, then
      • select Password (cloud deployment)
    • Next to if preceding method fails or is not applicable, then
      • select Password (Local Directory)
    • Select SAVE at the bottom of the window
  1. In the Edit Policy window
    • Ensure your Device Type is in the following order
      • Select the 6 DOTS and drag to the top or down
        • Order as follows:-
          • Workspace ONE APP
          • Windows 10
          • Android
          • Web Browser
    • On the Edit Policy Page
      • select NEXT

 

  1. On the Edit Policy Page.
    • Summary tab
      • Select SAVE
  1. Under Identity & Access Management
    • Select Setup
  1. Under Setup
    • select Preferences
  1. In the Preferences area
    • Next to Show the System Domain on Login Page
      • unselect the checkbox
    • Next to Hide "Change to a different domain" Link on Login Page
      • select the checkbox
    • Scroll Down to the bottom of the page
    • Select Save

Please save this URL

  • https://aw-livefirernpod27.vidmpreview.com/SAAS/auth/0

Henceforth you will need to use this URL if you are going to log in as sysadmin, because the System Domain is no longer offered on the login page after the preference changes above.

1.2. Section 2 : Configuring Seamless Authentication for OneDrive
  1. On your ControlCenter Server
    • Select and right-click the START button
    • Select Run
  1. In the Run window
    • Next to Open:
      • Enter gpmc.msc
    • Select OK
  1. In the Group Policy Management console
    • Select and right-click the Corp OU
    • Select Create a GPO in this domain, and Link it here...
  1. In the New GPO window
    • Under Name:
      • Enter OneDrive
    • Select OK
  1. In the Group Policy Management window
    • Directly under Corp
      • Select and right-click the OneDrive link
      • Select Edit...
  1. In the Group Policy Management Editor
    • Expand User configuration > Policies > Administrative templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
    • In the right pane, scroll down
      • select and open Site to Zone Assignment List
  1. In the Site to Zone Assignment List window
    • Next to Enabled
      • Select the radio button
    • Under Options:
      • Next to :-
        • Enter the zone assignments here.
          • Select Show...
  1. In the Show Contents window
    • Under Value name
      • enter https://corpXXX.euc-livefire.com
        • replace XXX with your Domain ID
      • enter https://*.euc-livefire.com
    • Under Value, enter 1 next to each of the two entries above (zone 1 is the Local intranet zone, the only zone in which Windows passes the signed-in user's credentials automatically; any other zone value results in the authentication prompt that breaks the integration)
    • To close the Show Contents window
      • Select OK
    • To close the Site to Zone Assignment List window
      • Select OK
    • To close the Group Policy Management Editor window
      • Select X
    • To close the Group Policy Management window
      • Select X

Note! Please follow the naming convention in the notes, not the screenshot.

2. Part 2: Integrating on-premises Configuration with Workspace ONE UEM and enabling for OneDrive in the XML configuration

For both internal and "external" devices to be in a position to share the same OneDrive archive, they have to use the same configurations.

In this section

  1. We will ensure the configurations in both environments are the same
  2. We will configure the NoAD mode .XML file for OneDrive integration
  3. We will update the Workspace ONE UEM Device Profile configuration
2.1. Section 1: Configuring the NOAD Workspace ONE UEM xml file
  1. On your ControlCenter server
    • Select and Open your Software shortcut
      • Browse to the: -
        • DEM\VMware-DEM-Enterprise-2203-10.5-GA\Agent Configuration Examples\FlexRepository\NoAD Folder
  1. In your NoAD folder
    • Select and Copy the NoAD Workspace ONE UEM Sample.xml file
      • Paste the NoAD Workspace ONE UEM Sample.xml file
        • You should now have a backup of your Sample
  1. In your NoAD folder
    • Select and Copy the NoAD.xml file
      • Paste the NoAD.xml file
        • You should now have a backup of this file
  1. In your NoAD folder
    • Select and right-click the NoAD Workspace ONE UEM Sample.xml file
    • Select Edit
  1. In the NoAD Workspace ONE UEM Sample.xml file
    • After EventLogAsync="1"
      • Append the following attributes:
        • OneDriveEnabled="1"
        • OneDriveLogDirectory="%LOCALAPPDATA%\OneDriveLog"
        • MaxOneDriveLogFileSize="5000"
        • AllowAdmxInSession="1"
        • IsIWA="0"
        • DomainHint="corpXXX.euc-livefire.com"
          • Where XXX is your Domain ID

Ensure you use a 3-digit domain identifier e.g. corp001.euc-livefire.com
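The two configuration pieces above are easy to get subtly wrong: a DomainHint with the wrong number of digits, a mistyped attribute, or a Site to Zone Assignment List entry left at a zone other than 1 all break the seamless sign-in the integration depends on. The following Python check is an added example written for this article; it is not part of the lab or of Dynamic Environment Manager. It parses a NoAD.xml fragment and verifies the attributes listed in Part 2, Section 1, and it compares a zone map (URL to zone number, which is how Group Policy stores the Site to Zone Assignment List) against the two entries from Part 1, Section 2. The samples are constructed, and the element name FlexEngine in them is an assumption; the checker looks for the attributes wherever they sit.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a NoAD.xml after the lab's edit. The attribute names
# and values come from the lab; the element name "FlexEngine" is an
# assumption made for this sample and the checker does not rely on it.
GOOD_NOAD_XML = r"""<FlexEngine EventLogAsync="1" OneDriveEnabled="1"
    OneDriveLogDirectory="%LOCALAPPDATA%\OneDriveLog"
    MaxOneDriveLogFileSize="5000" AllowAdmxInSession="1" IsIWA="0"
    DomainHint="corp001.euc-livefire.com" />
"""

# Constructed sample with three mistakes: MaxOneDriveLogFileSize is missing,
# IsIWA has the wrong value and DomainHint lacks the three-digit identifier.
BAD_NOAD_XML = r"""<FlexEngine EventLogAsync="1" OneDriveEnabled="1"
    OneDriveLogDirectory="%LOCALAPPDATA%\OneDriveLog"
    AllowAdmxInSession="1" IsIWA="1"
    DomainHint="corp1.euc-livefire.com" />
"""

# Attribute values the lab appends after EventLogAsync="1".
REQUIRED_ATTRIBUTES = {
    "OneDriveEnabled": "1",
    "OneDriveLogDirectory": r"%LOCALAPPDATA%\OneDriveLog",
    "MaxOneDriveLogFileSize": "5000",
    "AllowAdmxInSession": "1",
    "IsIWA": "0",
}
# The lab requires a three-digit domain identifier, e.g. corp001.euc-livefire.com.
DOMAIN_HINT_RE = re.compile(r"^corp\d{3}\.euc-livefire\.com$")
# Site to Zone Assignment List value 1 = Local intranet zone.
INTRANET_ZONE = "1"


def find_settings_element(root):
    """Return the first element carrying the OneDrive attributes, wherever it sits."""
    for elem in root.iter():
        if "OneDriveEnabled" in elem.attrib or "DomainHint" in elem.attrib:
            return elem
    return None


def check_noad_xml(xml_text):
    """Return a list of problems with the OneDrive settings; an empty list means OK."""
    elem = find_settings_element(ET.fromstring(xml_text))
    if elem is None:
        return ["no element carries the OneDriveEnabled/DomainHint attributes"]
    problems = []
    for name, expected in REQUIRED_ATTRIBUTES.items():
        actual = elem.get(name)
        if actual is None:
            problems.append(f"missing attribute {name}")
        elif actual != expected:
            problems.append(f"{name}={actual!r}, expected {expected!r}")
    hint = elem.get("DomainHint")
    if hint is None:
        problems.append("missing attribute DomainHint")
    elif not DOMAIN_HINT_RE.match(hint):
        problems.append(f"DomainHint={hint!r} is not of the form corpXXX.euc-livefire.com")
    return problems


def expected_zone_map(domain_hint):
    """The two Site to Zone Assignment List entries the lab adds, derived from DomainHint."""
    parent_domain = domain_hint.split(".", 1)[1]
    return {
        f"https://{domain_hint}": INTRANET_ZONE,
        f"https://*.{parent_domain}": INTRANET_ZONE,
    }


def check_zone_map(zone_map, domain_hint):
    """Compare a zone map (URL -> zone number as a string) with what the lab requires."""
    problems = []
    for url, zone in expected_zone_map(domain_hint).items():
        actual = zone_map.get(url)
        if actual is None:
            problems.append(f"missing zone assignment for {url}")
        elif actual != zone:
            problems.append(f"{url} is in zone {actual}, expected {zone} (Local intranet)")
    return problems


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_NOAD_XML), ("bad", BAD_NOAD_XML)):
        print(label, check_noad_xml(xml_text) or "OK")
    # Constructed zone map with the tenant URL misplaced in the Trusted sites zone (2).
    print(check_zone_map({"https://corp001.euc-livefire.com": "2"}, "corp001.euc-livefire.com"))
```

Run it against your edited NoAD.xml (read the file and pass its text to check_noad_xml) before importing it into the management console; a non-empty result lists exactly which attribute or zone entry to correct.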

  1. In the NoAD Workspace ONE UEM Sample.xml file
    • Review your configuration with the above Sample Screenshot
  1. In the NoAD Workspace ONE UEM Sample.xml file
    • Select File > Save As
    • In the Save As window
      • In the Address bar
        • enter :
          • C:\UEMConfig\general\FlexRepository\NoAD
      • at the bottom, next to Save as type:
        • from the dropdown
          • select All Files (*.*)
      • In the Name Area
        • Select NoAD.xml
    • In the bottom right-corner
      • Select Save
    • In the Confirm Save As window
      • Select Yes
  1. On your ControlCenter server
    • Switch to the VMware Dynamic Environment Manager - Management Console
    • Under the Personalization tab
      • Select Configure
  1. In the Settings window
    • select the Integration tab
  1. In the Settings window
    • Integration tab
      • Notice your VMware Dynamic Environment Manager - Management Console is still in Workspace ONE UEM Integration
      • To close the Settings window
        • Select Cancel
  1. In the VMware Dynamic Environment Manager - Management Console
    • In the top left-hand corner
      • Select the STAR icon
      • From the menu
        • select Import NoAD.xml
  1. In the Select NoAD.xml configuration file to install window
    • browse to C:\UEMConfig\general\FlexRepository\NoAD
    • Under Name
      • select NoAD.xml
      • Select Open
2.2. Section 2: Preparing for an Update to Workspace ONE UEM
  1. On the VMware Dynamic Environment Manager - Management Console
    • Select and right-click the STAR Icon
    • Select Save As
  1. In the Save As window
    • Next to File name: > enter the following:
      • \\horizon-01a.euc-livefire.com\software\DEM
      • Select Save
    • Under Name
      • Select the Existing LivefireVS1.DEMConfig file
        • Next to File name:
          • edit the following:-
            • LivefireVS1.DEMConfig
              • to
            • LivefireVS2
    • In the bottom right-corner
      • select Save
  1. In the VMware Dynamic Environment Manager - Management Console
    • Wait for the creation to complete
    • To close the Create DEM Config Profile window
      • Select OK
2.3. Section 3: Uploading DEMConfig files into Workspace ONE UEM
  1. On your ControlCenter Server
    • Open your Chrome Browser
      • In the address bar
        • enter dw-livefire.awmdm.com
    • In the Workspace ONE UEM login
      • Under Username,
        • enter your Custom username
      • Select Next
        • Under Password,
          • enter VMware1!
      • Select Log In
  1. On the ControlCenter Server
    • In the Workspace ONE UEM Admin Console
      • Select Devices
        • Select Profiles & Resources
  1. In the Workspace ONE UEM Admin Console
    • Under Profiles & Resources
      • Select Profiles
  1. In the Profiles interface
    • Select Windows 10 Device Profile
  1. In the Windows 10 Desktop Profile window
    • In the Inventory area,
      • Select Dynamic Environment Manager
  1. In the Dynamic Environment Manager pane
    • At the bottom of the window
      • Select ADD VERSION
  1. In the Dynamic Environment Manager pane
    • At the Top of the window
      • Select CHANGE
  1. In the Add window
    • Select Choose File
  1. In the Open window
    • Next to File name,
      • Enter \\horizon-01a.euc-livefire.com\software\DEM
        • Select Open
    • Next to File name,
      • Select the LivefireVS2.DEMConfig file
        • Select Open
  1. In the Add window
    • Select SAVE
  1. In the Dynamic Environment Manager area
    • Select SAVE AND PUBLISH
  1. In View Device Assignment
    • Select PUBLISH

3. Part 3: Configuring Microsoft Azure to integrate with Dynamic Environment Manager

A key element in the configuration is registering Dynamic Environment Manager as an Enterprise Application in Azure. This gives Dynamic Environment Manager the ability to write into the user's OneDrive container from the desktop.

3.1. Configuring Microsoft Azure to integrate with Dynamic Environment Manager
  1. On your ControlCenter server
    • On your Site 1 Browser
      • Open a new tab
        • In the Address bar
          • enter portal.azure.com
  1. In the Sign in window
    • In the Email area
      • enter YOUR cloudadmin account
        • Select Next
  1. In the Enter password area
    • Enter your cloudadmin password
    • Select Sign in
  1. In the Help us protect your account
    • Select Skip for now (14 days until this is required)
  1. In the Stay signed in? page
    • Select Yes
  1. On the Welcome to Microsoft Azure page
    • Select Maybe later
  1. In the Microsoft Azure admin Portal
    • In the top left corner next to Microsoft Azure
      • select the 3 bars (Show portal menu)
  1. In the Microsoft Azure admin Portal
    • Select Azure Active Directory
  1. In the Microsoft Azure admin Portal
    • Under User settings
      • Select Properties
  1. In the Tenant properties window
    • Under Tenant ID
      • Select and copy the Tenant ID
  1. On your Controlcenter server
    • Open Notepad++
      • In Notepad++
        • Open a new tab
        • Paste YOUR Tenant ID
  1. In this paragraph
    • Select and copy the following line (the admin consent URL)
      • https://login.microsoftonline.com/{customer tenant-id}/adminconsent?client_id=c504654f-97ac-4e31-ba2c-d8cb284bb948
    • On your ControlCenter server
      • In Notepad++
        • In the existing tab where you pasted your Tenant ID
          • On a line below your Tenant ID
            • Paste the line you just copied
  1. In the Notepad++ application
    • In the URL you have just pasted
      • Replace the {customer tenant-id} portion (including the braces)
        • With your Tenant ID
    • Copy the updated URL containing your Tenant ID
  1. On your ControlCenter server
    • Switch back to your existing portal.azure.com session
      • In the browser, open a New Tab
  1. In the New Tab of your Site 1 Browser
    • In the Address bar
      • Paste your copied code
    • With your keyboard
      • Select Enter
  1. In the Pick an account window
    • Select your Cloudadmin account
  1. In the Help us protect your account window
    • Select Skip for now (XX days until this is required)
      • XX being the number you see on your screen
  1. In the Permissions requested (Review for your organization) page
    • Review the information.
      • Note you are about to give Dynamic Environment Manager permission to write to OneDrive
    • Select Accept
      • This will take up to a minute to initialize
      • You do not get any feedback after accepting the consent
  1. On your Chrome Browser
    • Switch back to the TAB with your AZURE admin portal
      • In the top left corner next to Microsoft Azure
        • select the 3 bars (Show portal menu)
  1. In the Microsoft Azure admin Portal
    • In the Menu Portal
      • Select Azure Active Directory
  1. In the Microsoft Azure admin Portal
    • In the Azure Active Directory area
      • Select Enterprise applications
  1. In the Microsoft Azure admin Portal
    • In the Enterprise Applications area
      • Note that Dynamic Environment Manager is now seen as an Enterprise Application
      • It therefore has permission to write to OneDrive through the Microsoft Graph API

We will now move on and disable the Security defaults feature in Azure (the default MFA enforcement), as it interferes with OneDrive SSO when the user logs in.

  1. In the Microsoft Azure admin Portal
    • In the top-left corner
      • Next to Home
        • select your Domain
  1. In the Microsoft Azure admin Portal
    • In the Overview menu
      • select Properties
  1. In the Microsoft Azure admin Portal
    • In the Tenant properties area
    • At the bottom, below Access management for Azure resources
      • Select Manage Security defaults
  1. In the Enable Security defaults area
    • Below Enable Security defaults
      • Change the toggle from Yes to No
    • At the bottom of this area
      • select Save

4. Part 4: Testing Dynamic Environment Manager integration with Microsoft OneDrive

In this test we will verify the integration by showing a Horizon desktop working in sync with what could be seen as an external desktop.

4.1. Testing Dynamic Environment Manager integration with Microsoft OneDrive
  1. On your ControlCenter Server desktop
    • Open the Remote Desktops folder
    • Open Site1
    • Launch the W10Client-01a.RDP shortcut

W10Client-01a represents a physical laptop enrolled into Workspace ONE UEM.

The desktop configuration was already completed in the previous lab.

We are now going to demonstrate using Microsoft OneDrive as the location for the user's archive instead of an SMB share.

  1. In the Windows Security page
    • Login as [email protected]
      • XX being your assigned POD ID
      • In the Password area
        • enter VMware1!
      • Select OK
  1. On your W10Client.RDP desktop
    • select Start > Run
    • In the Run window
      • next to Open:
        • enter %localappdata%
      • Select OK
  1. In the File Explorer window
    • In the %localappdata% folder path:-
      • Note the following:
        • If your folder structure is identical to the screenshot, i.e. there is NO OneDriveLog folder
          • proceed with step 5 (open Workspace ONE Intelligent Hub and select Sync Device)
        • If there is already an OneDriveLog folder
          • proceed to step 11 (the OneDriveLog folder check) and validate your folder looks the same
            • then proceed to step 12 (the Web Intelligent Hub test)
  1. In the W10Client-01a client
    • Select the Start Menu
      • under Top apps
        • Select Workspace ONE Intelligent Hub
  1. In Workspace ONE Intelligent hub application
    • Select the Mark Debio icon
    • In the middle of the console
      • select Sync Device
  1. On the W10Client-01a desktop
    • Select the Start button
      • select Shut down or sign out > Sign out
  1. On your Controlcenter server
    • Revert back to your Remote Desktops > Site1 folder
      • In the Site1 folder
        • Launch W10Client-01a.RDP
  1. In the Windows Security window
  1. On your W10Client-01a desktop
    • select Start > Run
      • In the Run window
        • next to Open:
          • enter %localappdata%
        • Select OK
  1. In the %LocalAppData% folder
    • Note you now have a OneDriveLog folder
      • We can now proceed with the testing process
  1. On your ControlCenter server
    • Switch to your Site 1 Incognito web browser session
      • In the Web Intelligent Hub console
      • Which should still be logged in as Mark Debio
        • Launch Office 365 with Provisioning
  1. In the Microsoft Stay signed in? window
    • select Yes
  1. In the Microsoft 365 window
    • In the top-left corner
      • select the 9 dot block
  1. In the Microsoft 365 window
    • Under Apps
      • Select OneDrive
  1. In the Microsoft 365 window
    • Under My files
      • Select and open Apps
    • Under Apps
      • Select Dynamic Environment Manager - OneDrive for Business Integration
    • Note that at the moment this is not yet populated
    • Switch back to your W10Client-01a RDP session
  1. On the W10Client-01a Desktop
    • On the Taskbar
      • Select the folder icon
  1. In the File Explorer window
    • In the Quick access bar
      • Select This PC
    • Under Network locations
      • Open the Desktopbackgrounds drive mapping
  1. In the Desktopbackgrounds drive mapping window
    • Select and right-click the 35812 JPG file
    • In the Menu,
      • select Set as desktop background
    • To close the Desktopbackgrounds drive mapping window
      • In the top right-corner
        • Select X
  1. On the W10Client-01a Desktop
    • Select and right-click the START button
      • Select Shut down or sign out
      • Select Sign out
    • Switch back to your OneDrive folder
  1. In your OneDrive folder
    • Under My Files > Apps > Dynamic Environment Manager - OneDrive for Business Integration
    • Notice you now have a DEMRoot folder
    • Open the DEMRoot folder
      • Under the DEMRoot folder
        • Open Archives > Windows Settings
      • Under Windows Settings
        • Note you have a Wallpaper archive
          • This archive can be downloaded, but cannot be opened and viewed from this location
  1. In the Workspace ONE Access Web Intelligent Hub
    • Under the Apps tab
      • Select and Launch the  Horizon Desktop assignment
        • When prompted select Launch
        • In the Open VMware Horizon Client? window
          • select Open VMware Horizon Client
  1. In your Horizon client session
    • Notice you now have wallpaper that you just configured
  1. In your Horizon client session
    • Open your DesktopBackground drive mapping
    • Select an alternative Desktop Background
      • the screenshot has wallpaper 35809 selected
  1. In your Horizon client session
    • In the top-right corner
      • Next to Fullscreen
        • Select the 3 DOTS
      • In the Menu
        • Select Logoff Desktop
    • In the Disconnect and log off desktop? window
      • Select OK
    • Switch back to your OneDrive Folder
  1. In your OneDrive folder
    • Under My Files > Apps > Dynamic Environment Manager - OneDrive for Business Integration >  DEMRoot > Archives > Windows Settings
    • Under Windows Settings
      • Note that your archives, including Wallpaper, have just been updated
  1. On your ControlCenter server
    • In the Remote Desktops > Site 1 folder
      • Launch W10Client-01a.RDP
  1. In the Windows Security window
  1. In the W10Client-01a RDP session
    • Note you now have the updated desktop background
    • This has demonstrated the integration between Dynamic Environment Manager and Microsoft 365 OneDrive working through the Microsoft Graph API

Acknowledgements

A big thank you to Pim van de Vis for his support and guidance. Pim is an EMEA Enterprise SE at VMware.

About the Author

Reinhart Nel

https://www.livefire.solutions/meet-the-team/reinhartnel/

For any questions please email Reinhart at [email protected]
