Dynamic Environment Manager Integration with OneDrive

Introduction
In the previous lab we covered the integration and delivery of configuration settings via Workspace ONE UEM. That is only half of what Dynamic Environment Manager needs to be fully functional; the other half is setting up and managing the user's profile archive.

In this lab we use Microsoft OneDrive as the cloud storage location for the user's profile archive.

This is the first, and at present the only, cloud-based storage platform that Dynamic Environment Manager supports for this purpose.

1. Part 1: Performing Workspace ONE Access setup requirements for Dynamic Environment Manager to work with Microsoft OneDrive

Overview

Section 1

For OneDrive integration to work with Dynamic Environment Manager, we need an integrated authentication method that is seamless for the user. At present Kerberos is the only authentication protocol that offers this, so that is what we configure.

Section 2

Dynamic Environment Manager also requires the OneDrive authentication itself to be seamless: the user must not be prompted for credentials. If the user is prompted, the authentication times out and the OneDrive integration fails. We perform one step in Workspace ONE Access to make the Workspace ONE sign-in seamless, and we configure a Group Policy Object in Active Directory so that the OneDrive sign-in is seamless as well.

Section 3

We will configure Workspace ONE Access to facilitate seamless authentication to OneDrive.

1.1. Section 1 : Configuring Kerberos Authentication in Workspace ONE Access for Dynamic Environment Manager to work with OneDrive
  1. On your ControlCenter Server
    • Open your Site 1 Browser
    • Log in to your Workspace ONE Access tenant
      • select System Domain
    • select Next
  1. In the Workspace ONE login
    • Under Username
      • enter Administrator
    • Under Password
      • enter VMware1!
    • select Sign in
  1. In the Web Intelligent Hub
    • In the right corner
      • select the TA icon
        • from the dropdown
          • select Workspace ONE Access Console
  1. In the Workspace ONE Access console
    • select the Integrations tab
      • select Connectors
      • Under Enterprise Service
        • Note that the Kerberos Auth adapter
          • Status = Active
          • Health = Green
  1. In the Workspace ONE Access console
    • Under Integrations
      • select Connector Authentication Methods
  1. In the Connector Authentication Methods area
    • select NEW
    • select Kerberos
  1. In the New Kerberos Authentication Method window
    1. Directory and Hosts area
      • Accept the defaults
        • Select NEXT
  1. In the New Kerberos Authentication Method window
    1. Configuration area
      • Accept the defaults
        • Select NEXT
  1. In the New Kerberos Authentication Method window
    1. Summary area
      • Review the Configurations
        • Select SAVE
  1. In the Workspace ONE Access console
    • Under Integrations
      • select Identity Providers
  1. In the Identity Providers area
    • In the top right-corner
      • select Add Identity Provider
      • In the Add Identity Provider dropdown
        • select Create Workspace IDP
  1. In the New Identity Provider console
    • Select or Enter the following next to: -
      • Identity Provider Name: Kerberos Auth
      • Users: euc-livefire.com
      • Authentication Method: Kerberos
      • Network: checkbox next to ALL RANGES
      • IdP Hostname: WS1-Connector.euc-livefire.com
    • Select Add

 

  1. In the Workspace ONE Access Admin Console
    • select the Resources tab
      • select Policies
  1. In the Policies interface
    • Next to default_access_policy_set
      • Select the radio button
    • Above default_access_policy_set
      • Select EDIT
  1. In the Edit Policy window,
    • In the left column
      • Select Configuration
  1. In the Edit Policy window,
    1. Configuration area
      • Next to Windows 10
        • Select ALL RANGES
  1. In the Edit Policy Rule window
    • At the bottom of the page select :
      • + ADD FALLBACK METHOD
    • At the top of the Edit Policy Rule window
    • Next to : - and the user accessing content from*
      • validate Windows 10 is selected
    • Next to : - then the user may authenticate using *
      • select Kerberos
    • Next to if preceding method fails or is not applicable, then
      • select Certificate (cloud deployment)
    • Next to if preceding method fails or is not applicable, then
      • select Password (cloud deployment)
    • Next to if preceding method fails or is not applicable, then
      • select Password (Local Directory)
    • Select SAVE at the bottom of the window
  1. In the Edit Policy window,
    1. Configuration area
      • Next to Web Browser
        • Select ALL RANGES
  1. In the Edit Policy Rule window
    • At the bottom of the page select :
      • + ADD FALLBACK METHOD
    • At the top of the Edit Policy Rule window
    • Next to : - and the user accessing content from*
      • validate Web Browser is selected
    • Next to : - then the user may authenticate using *
      • select Kerberos
    • Next to if preceding method fails or is not applicable, then
      • select Certificate (cloud deployment)
    • Next to if preceding method fails or is not applicable, then
      • select Password (cloud deployment)
    • Next to if preceding method fails or is not applicable, then
      • select Password (Local Directory)
    • Select SAVE at the bottom of the window
  1. In the Edit Policy window,
    1. Configuration area
      • Next to Workspace ONE App
        • Select ALL RANGES
  1. In the Edit Policy Rule window
    • At the bottom of the page select :
      • + ADD FALLBACK METHOD
    • At the top of the Edit Policy Rule window
    • Next to : - and the user accessing content from*
      • validate Workspace ONE App or Hub App is selected
    • Next to : - then the user may authenticate using *
      • select Kerberos
    • Next to if preceding method fails or is not applicable, then
      • select Certificate (cloud deployment)
    • Next to if preceding method fails or is not applicable, then
      • select Password (cloud deployment)
    • Next to if preceding method fails or is not applicable, then
      • select Password (Local Directory)
    • Select SAVE at the bottom of the window
  1. In the Edit Policy window
    • Ensure your Device Type is in the following order
      • Select the 6 DOTS and drag to the top or down
        • Order as follows:-
          • Workspace ONE APP
          • Windows 10
          • Android
          • Web Browser
    • On the Edit Policy Page
      • select NEXT

 

  1. On the Edit Policy Page.
    • Summary tab
      • Select SAVE
  1. In the Workspace ONE Access Admin Console
    • select the Settings tab
    • select Login Preferences
      • under Login Preferences
        • select EDIT
  1. In the Login Preferences area
    • Next to Show the System Domain on Login Page
      • unselect the checkbox
    • Next to Hide "Change to a different domain" Link on Login Page
      • select the checkbox
    • To the bottom right of the page
      • Select SAVE

Make a note of the equivalent URL for your own tenant: take your Workspace ONE Access URL and append /SAAS/auth/0 to the end.

  • For example:-
    • https://aw-livefirernpod27.vidmpreview.com/SAAS/auth/0

From now on you will need this URL whenever you log in as the System Domain administrator, because the login page no longer offers the System Domain.

  1. On your Chrome browser
    • In the top-right corner
      1. Select the 3 Dotted ICON
        • From the dropdown
      2. Select Bookmarks
      3. Select Bookmark manager
  1. On your Chrome browser
    • In the Bookmarks area
      • In the top-right corner
        • Select the 3-dotted Icon
  1. In the Bookmark dropdown
    • Select Add new bookmark
  1. In the Add bookmark window
    • Under Name
      • enter SysAdmin Access
    • Under URL
      • Enter Your Workspace ONE Access Url & append /SAAS/auth/0
    • Select Save
1.2. Section 2 : Configuring Seamless Authentication for OneDrive
  1. On your ControlCenter Server
    • Select and right-click the START button
    • Select Run
  1. In the Run window
    • Next to Open:
      • Enter gpmc.msc
    • Select OK
  1. In the Group Policy Management console
    • Select and right-click the Corp OU
    • Select Create a GPO in this domain, and Link it here...
  1. In the New GPO window
    • Under Name:
      • Enter OneDrive
    • Select OK
  1. In the Group Policy Management window
    • Directly under Corp
      • Select and right-click the OneDrive link
      • Select Edit...
  1. In the Group Policy Management Editor
    • Expand User configuration > Policies > Administrative templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
    • In the right pane, scroll down
      • select and open Site to Zone Assignment List
  1. In the Site to Zone Assignment List window
    • Next to Enabled
      • Select the radio button
    • Under Options:
      • Next to :-
        • Enter the zone assignments here.
          • Select Show...
  1. In the Show Contents window
    • Under Value name
      • enter https://corpXXX.euc-livefire.com
        • replace XXX with your Domain ID
      • enter https://*.euc-livefire.com
    • Under Value, enter 1 (Local intranet zone) on the same row as each of the two entries
    • To close the Show Contents window
      • Select OK
    • To close the Site to Zone Assignment List window
      • Select OK
    • To close the Group Policy Management Editor window
      • Select X
    • To close the Group Policy Management  window
      • Select X

Note: follow the naming convention given in these steps, not the one in the screenshot.
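Zone 1 (Local intranet) is the zone in which the browser submits the user's Windows credentials without prompting, which is exactly what makes the OneDrive sign-in seamless, and also why the list of hosts in that zone deserves attention. A practitioner would want to confirm that the policy actually reached the client and which hosts now receive automatic logon. The following PowerShell is an added example written for this page, not lab material or VMware tooling; it assumes the policy is delivered under User Configuration (so it lands in HKCU), and the corpXXX host name is the lab placeholder that you replace with your pod's domain ID.

```powershell
# Added example, not part of the lab or of any VMware tooling: verify on an enrolled client
# that the "Site to Zone Assignment List" policy arrived and that the seamless-auth hosts are in
# the Local intranet zone (1), the zone in which the browser submits Windows credentials
# automatically. Assumptions: the policy is applied under User Configuration (so it lands in
# HKCU), and the corpXXX placeholder is replaced with your pod's domain ID before use.

$ZoneMapKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Read the policy-delivered zone map as a hashtable of site -> zone number
function Get-PolicyZoneMap {
    param([string]$Key = $ZoneMapKey)
    $map = @{}
    if (-not (Test-Path -Path $Key)) { return $map }
    $props = Get-ItemProperty -Path $Key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider metadata properties
        $map[$p.Name] = [int]$p.Value
    }
    return $map
}

# Compare a zone map with the sites the lab requires and flag anything that looks too broad
function Test-SeamlessAuthZones {
    param(
        [Parameter(Mandatory)][hashtable]$ZoneMap,
        [Parameter(Mandatory)][string[]]$RequiredSites
    )
    $findings = @()
    foreach ($site in $RequiredSites) {
        if (-not $ZoneMap.ContainsKey($site)) {
            $findings += "Missing: $site (policy not applied? run gpupdate /force and check gpresult /r)"
        } elseif ($ZoneMap[$site] -ne 1) {
            $findings += "Wrong zone: $site is in zone $($ZoneMap[$site]), expected 1 (Local intranet)"
        }
    }
    # Zone 1 entries decide where credentials are sent without a prompt, so wildcard entries for
    # domains you do not control deserve a second look.
    foreach ($site in $ZoneMap.Keys) {
        if ($ZoneMap[$site] -eq 1 -and $site.Contains('*') -and $site -notlike '*.euc-livefire.com') {
            $findings += "Review: wildcard $site grants automatic logon outside the lab domain"
        }
    }
    return $findings
}

# Constructed sample standing in for what the GPO should write on the client
$requiredSites = @(
    'https://corpXXX.euc-livefire.com',
    'https://*.euc-livefire.com'
)
$sampleMap = @{
    'https://corpXXX.euc-livefire.com' = 1
    'https://*.euc-livefire.com'       = 1
    'https://*.example.com'            = 1   # deliberately over-broad, to trigger the review finding
}
Test-SeamlessAuthZones -ZoneMap $sampleMap -RequiredSites $requiredSites

# On the enrolled client, run the same check against the live registry after gpupdate:
# Test-SeamlessAuthZones -ZoneMap (Get-PolicyZoneMap) -RequiredSites $requiredSites
```

Run the constructed sample anywhere to see the shape of the findings; on W10Client-01a, use the commented-out call at the end after a gpupdate so the check reads the values the GPO actually wrote.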

2. Part 2: Integrating on-premises Configuration with Workspace ONE UEM and enabling for OneDrive in the XML configuration

For both internal and "external" devices to share the same OneDrive archive, they have to use the same configuration.

In this part

  1. We will ensure the configurations in both environments are the same
  2. We will configure the NoAD mode .XML file for OneDrive integration
  3. We will update the Workspace ONE UEM device profile configuration
2.1. Section 1: Configuring the NOAD Workspace ONE UEM xml file

This section assumes that your Dynamic Environment Manager Management Console has not been closed since the previous lab.

If it has, please reach out to your instructor for advice.

  1. On your ControlCenter server
    • Select and Open your Software shortcut
      • Browse to the: -
        • DEM\VMware-DEM-Enterprise-2206-10.6-GA\Agent Configuration Examples\FlexRepository\NoAD Folder
  1. In your NoAD folder
    • Select and copy the NoAD Workspace ONE UEM Sample.xml file
      • Paste it into the same folder
        • You now have a backup copy of the sample
  1. In your NoAD folder
    • Select and right-click the NoAD Workspace ONE UEM Sample.xml file
    • Select Edit with Notepad++
  1. In the NoAD Workspace ONE UEM Sample.xml file
    • After EventLogAsync="1"
      • Append the following attributes (each separated from the previous one by a space): -
        • OneDriveEnabled="1"
        • OneDriveLogDirectory="%LOCALAPPDATA%\OneDriveLog"
        • MaxOneDriveLogFileSize="5000"
        • AllowAdmxInSession="1"
        • IsIWA="0"
        • DomainHint="corpXXX.euc-livefire.com"
          • Where XXX is your Domain ID

Ensure you use a three-character domain identifier, e.g. corp25a.euc-livefire.com

  1. In the NoAD Workspace ONE UEM Sample.xml file
    • Review your configuration against the attribute list above
  1. In the NoAD Workspace ONE UEM Sample.xml file
    • Select File > Save As
    • In the Save As window
      • In the Address bar
        • enter :
          • C:\UEMConfig\general\FlexRepository\NoAD
      • at the bottom, next to Save as type:
        • from the dropdown
          • select All Files (*.*)
      • Under Name
        • Select the existing NoAD.xml
    • In the bottom right-corner
      • Select Save
    • In the Confirm Save As window
      • Select Yes
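Since the file you just saved is what every enrolled device will receive, it is worth checking it mechanically rather than by eye. The following PowerShell is an added example written for this page, not lab material or VMware tooling. It assumes the OneDrive attributes sit on the same element as EventLogAsync (which is where the steps above put them) and locates that element by attribute rather than by name; the NoAD and FlexEngine element names in the constructed sample are placeholders for the demonstration, not a statement of the real file's layout.

```powershell
# Added example, not part of the lab or of any VMware tooling: check that the saved NoAD.xml
# carries the OneDrive attributes with the values this section requires. Assumption: the
# attributes sit on the same element as EventLogAsync (the lab appends them there); the element
# name is not assumed, the script finds it by that attribute.

function Test-NoAdOneDriveConfig {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedDomain   # e.g. corp25a.euc-livefire.com
    )
    [xml]$doc = Get-Content -Path $Path -Raw
    $node = $doc.SelectSingleNode('//*[@EventLogAsync]')
    if (-not $node) { return @("No element with an EventLogAsync attribute in $Path; is this the NoAD file?") }

    $expected = @{
        OneDriveEnabled        = '1'
        OneDriveLogDirectory   = '%LOCALAPPDATA%\OneDriveLog'
        MaxOneDriveLogFileSize = '5000'
        AllowAdmxInSession     = '1'
        IsIWA                  = '0'
        DomainHint             = $ExpectedDomain
    }
    $findings = @()
    foreach ($name in $expected.Keys) {
        $actual = $node.GetAttribute($name)   # empty string when the attribute is absent
        if ([string]::IsNullOrEmpty($actual)) {
            $findings += "Missing attribute $name (expected '$($expected[$name])')"
        } elseif ($actual -ne $expected[$name]) {
            $findings += "Attribute $name is '$actual', expected '$($expected[$name])'"
        }
    }
    # The lab's convention is a three-character pod identifier, e.g. corp25a
    if ($ExpectedDomain -notmatch '^corp[0-9a-z]{3}\.euc-livefire\.com$') {
        $findings += "DomainHint '$ExpectedDomain' does not follow the corpXXX.euc-livefire.com convention"
    }
    return $findings
}

# Constructed sample standing in for the edited file. The NoAD and FlexEngine element names are
# placeholders for this demonstration; IsIWA is deliberately wrong so the check reports it.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<NoAD>
  <FlexEngine EventLogAsync="1" OneDriveEnabled="1" OneDriveLogDirectory="%LOCALAPPDATA%\OneDriveLog"
              MaxOneDriveLogFileSize="5000" AllowAdmxInSession="1" IsIWA="1"
              DomainHint="corp25a.euc-livefire.com" />
</NoAD>
'@
$samplePath = Join-Path $env:TEMP 'NoAD-check.xml'
Set-Content -Path $samplePath -Value $sample -Encoding UTF8
Test-NoAdOneDriveConfig -Path $samplePath -ExpectedDomain 'corp25a.euc-livefire.com'

# Against the real file from this section:
# Test-NoAdOneDriveConfig -Path 'C:\UEMConfig\general\FlexRepository\NoAD\NoAD.xml' -ExpectedDomain 'corpXXX.euc-livefire.com'
```

The constructed sample sets IsIWA to 1 on purpose so that the check has something to report; an empty result against your real NoAD.xml means every attribute from the list above is present with the expected value.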
  1. On your ControlCenter server
    • Switch to the VMware Dynamic Environment Manager - Management Console
    • Under the Personalization tab
      • Select Configure
  1. In the Settings window
    • select the Integration tab
  1. In the Settings window
    • Integration tab
      • Notice that your VMware Dynamic Environment Manager - Management Console is still in Workspace ONE UEM integration mode
      • To close the Settings window
        • Select Cancel
  1. In the VMware Dynamic Environment Manager - Management Console
    • In the top left-hand corner
      • Select the STAR icon
      • From the menu
        • select Import NoAD.xml
  1. In the Select NoAD.xml configuration file to install window
    • browse to C:\UEMConfig\general\FlexRepository\NoAD
    • Under Name
      • select NoAD.xml
      • Select Open
  1. In the VMware Dynamic Environment Manager Console
    • In the top left corner
      • select the STAR dropdown
      • select License
  1. In the License window
    • Select Manage

If a license is already configured, there is no problem and you can move on to step 17 (checking the Personalization tab).

  1. In the Manage License window
    • next to Install
      • Select the License file radio button
  1. In the File Explorer window
    • Browse to \\horizon-01a.euc-livefire.com\software\DEM
    • Select DEM-Exp-2022-12-31 FlexEngine.lic
    • Select Open
  1. In the License file window
    • Select OK
  1. In the VMware Dynamic Environment Manager - Management Console
    • In the Personalization tab
      • check that you do have your EUC Livefire Wallpaper configurations
      • If you don't, reach out to your instructor
2.2. Section 2: Preparing for an Update to Workspace ONE UEM
  1. On the VMware Dynamic Environment Manager - Management Console
    • Select and right-click the STAR Icon
    • Select Save As
  1. In the Save As window
    • Next to File name:, enter the following path and select Save to navigate to it:
      • \\horizon-01a.euc-livefire.com\software\DEM
    • Under Name
      • Select the existing LivefireVS1.DEMConfig file
    • Next to File name:
      • Change LivefireVS1.DEMConfig to LivefireVS2
    • In the bottom right-corner
      • select Save
  1. In the VMware Dynamic Environment Manager - Management Console
    • Wait for the creation to complete
    • To close the Create DEM Config Profile window
      • Select OK
2.3. Section 3: Uploading DEMConfig files into Workspace ONE UEM
  1. On your ControlCenter Server
    • Open your Chrome Browser
      • In the address bar
        • enter dw-livefire.awmdm.com
    • In the Workspace ONE UEM login
      • Under Username,
        • enter your Custom username
      • Select Next
        • Under Password,
          • enter  VMware1!
      • Select Log In
  1. On the ControlCenter Server
    • In the Workspace ONE UEM Admin Console
      • Select Devices
        • Select Profiles & Resources
  1. In the Workspace ONE UEM Admin Console
    • Under Profiles & Resources
      • Select Profiles
  1. In the Profiles interface
    • Select Windows 10 Device Profile
  1. In the Windows 10 Desktop Profile window
    • In the Inventory area,
      • Select Dynamic Environment Manager
  1. In the Dynamic Environment Manager pane
    • At the bottom of the window
      • Select ADD VERSION
  1. In the Dynamic Environment Manager pane
    • At the Top of the window
      • Select CHANGE
  1. In the Add window
    • Select Choose File
  1. In the Open window
    • Next to File name,
      • Enter \\horizon-01a.euc-livefire.com\software\DEM
        • Select Open
    • Next to File name,
      • Select the LivefireVS2.DEMConfig file
        • Select Open
  1. In the Add window
    • Select SAVE
  1. In the Dynamic Environment Manager area
    • Select SAVE AND PUBLISH
  1. In View Device Assignment
    • Select PUBLISH

3. Part 3: Configuring Microsoft Azure to integrate with Dynamic Environment Manager

A key element of the configuration is registering Dynamic Environment Manager as an Enterprise Application in Azure by granting it admin consent. This gives Dynamic Environment Manager the ability to write into the user's OneDrive.

3.1. Configuring Microsoft Azure to integrate with Dynamic Environment Manager
  1. On you ControlCenter server
    • On your Site 1 Browser
      • Open a new tab
        • In the Address bar
          • enter portal.azure.com
  1. In the Sign in window
    • In the Email area
      • enter YOUR cloudadmin account
        • Select Next
  1. In the Enter password area
    • Enter your cloudadmin password
    • Select Sign in
  1. In the Help us protect your account
    • Select Skip for now (14 days until this is required)

You will only see this prompt if you have just created a trial account.

Good news: we will be disabling this feature shortly.

  1. In the Stay signed in? page
    • Select Yes
  1. On the Welcome to Microsoft Azure page
    • Select Maybe later
  1. In the Microsoft Azure admin Portal
    • In the top left corner next to Microsoft Azure
      • select the three-bar icon (Show portal menu)
  1. In the Microsoft Azure admin Portal
    • Select Azure Active Directory
  1. In the Microsoft Azure admin Portal
    • Under User settings
      • Select Properties
  1. In the Tenant properties window
    • Under Tenant ID
      • Select and copy the Tenant ID
  1. On your Controlcenter server
    • Open Notepad++
      • In Notepad++
        • Open a new tab
        • Paste YOUR Tenant ID
  1. In this paragraph
    • Select and copy the following URL:
      • https://login.microsoftonline.com/{customer tenant-id}/adminconsent?client_id=c504654f-97ac-4e31-ba2c-d8cb284bb948
    • On your ControlCenter server
      • In Notepad++
        • In the existing tab where you pasted your Tenant ID
          • On a line below your Tenant ID
            • Paste the copied URL
  1. In the Notepad++ application
    • In the URL you have just pasted
      • Replace the {customer tenant-id} portion
        • With your Tenant ID
    • Copy the updated URL containing your Tenant ID
  1. On your ControlCenter server
    • Switch back to your existing portal.azure.com session
      • In the browser, open a New Tab
  1. In the New Tab of your Site 1 Browser
    • In the Address bar
      • Paste the URL you copied
    • Press Enter
  1. In the Pick an account window
    • Select your Cloudadmin account
  1. In the Help us protect your account window
    • Select Skip for now (XX days until is required)
      • XX being what you see in your screen

You will only see this if you have a newly created Developer Account.

Good news: we will be disabling this feature shortly.

  1. In the Permissions requested / Review for your organization page
    • Review the information.
      • Note the permissions listed: you are about to grant Dynamic Environment Manager permission to write to OneDrive, and because this is the admin consent endpoint the grant applies to all users in the tenant
    • Select Accept
      • This can take up to a minute to initialize
      • You do not get any feedback after accepting
  1. On your Chrome Browser
    • Switch back to the TAB with your AZURE admin portal
      • In the top left corner next to Microsoft Azure
        • select the three-bar icon (Show portal menu)
  1. In the Microsoft Azure admin Portal
    • In the Menu Portal
      • Select Azure Active Directory
  1. In the Microsoft Azure admin Portal
    • In the Azure Active Directory area
      • Select Enterprise applications
  1. In the Microsoft Azure admin Portal
    • In the Enterprise Applications area
      • Note that Dynamic Environment Manager is now listed as an Enterprise Application
      • The consent you accepted is what gives it permission to write to the user's OneDrive through the Microsoft Graph API
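Because the consent flow gives no feedback, the check a practitioner wants here is to read back what was actually granted, and to whom. The following PowerShell is an added example written for this page, not VMware or Microsoft sample code. It assumes the Microsoft.Graph PowerShell module is installed and that your account can read service principals and permission grants; the app ID is the one from the consent URL above, while the scope names in the constructed sample are placeholders, not the scopes Dynamic Environment Manager actually requests.

```powershell
# Added example, not part of the lab or of VMware's tooling: confirm what the admin consent
# actually granted. Requires the Microsoft.Graph PowerShell module and an account that can read
# service principals and permission grants. The app ID is the one from the consent URL above.

$DemAppId = 'c504654f-97ac-4e31-ba2c-d8cb284bb948'

# Pure function: turn a set of oauth2PermissionGrant-like objects into a readable report and
# flag scopes broader than the ones you expect. Works on constructed objects as well.
function Get-ConsentReport {
    param(
        [Parameter(Mandatory)][object[]]$Grants,        # objects with ConsentType, Scope, ResourceName
        [Parameter(Mandatory)][string[]]$ExpectedScopes
    )
    $report = foreach ($g in $Grants) {
        $scopes = ($g.Scope -split '\s+') | Where-Object { $_ }
        $extra  = $scopes | Where-Object { $_ -notin $ExpectedScopes }
        [pscustomobject]@{
            Resource    = $g.ResourceName
            ConsentType = $g.ConsentType          # AllPrincipals = tenant-wide admin consent
            Scopes      = $scopes -join ' '
            Unexpected  = $extra -join ' '
        }
    }
    return $report
}

# Live wrapper: look up the service principal the consent created and its delegated grants.
function Get-DemConsentReport {
    param([Parameter(Mandatory)][string[]]$ExpectedScopes)
    Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All' | Out-Null
    $sp = Get-MgServicePrincipal -Filter "appId eq '$DemAppId'"
    if (-not $sp) { throw "No service principal for app $DemAppId; the admin consent did not complete." }
    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id | ForEach-Object {
        $resource = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId
        [pscustomobject]@{ ConsentType = $_.ConsentType; Scope = $_.Scope; ResourceName = $resource.DisplayName }
    }
    Get-ConsentReport -Grants $grants -ExpectedScopes $ExpectedScopes
}

# Constructed sample; the scope names are placeholders, not the scopes DEM really requests.
$sampleGrants = @(
    [pscustomobject]@{ ConsentType = 'AllPrincipals'; Scope = 'Files.ReadWrite User.Read'; ResourceName = 'Microsoft Graph' }
)
Get-ConsentReport -Grants $sampleGrants -ExpectedScopes @('Files.ReadWrite')

# After accepting the consent in the portal, run against your tenant with the scopes you expect:
# Get-DemConsentReport -ExpectedScopes @('Files.ReadWrite')
```

In the constructed sample, User.Read is not in the expected list, so it lands in the Unexpected column; against your tenant, compare the Scopes column with the permissions shown on the consent page, and treat a ConsentType of AllPrincipals as the reminder that the grant covers every user, not just the account that accepted it.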

We will now move on and disable the Security defaults feature in Azure, because the MFA prompt it enforces interferes with SSO to OneDrive when the user logs in. Security defaults apply to every account in the tenant, so only switch them off in a disposable lab tenant.

Steps 23 to 26 need only be completed by attendees who have their own newly created Developer Accounts.

If we have issued you with an account, skip steps 23 to 26 and move on to Part 4.

  1. In the Microsoft Azure admin Portal
    • In the top-left corner
      • Next to Home
        • select your Domain
  1. In the Microsoft Azure admin Portal
    • In the Overview menu
      • select Properties
  1. In the Microsoft Azure admin Portal
    • In the Tenant properties area
    • At the bottom, below Access management for Azure resources
      • Select Manage Security defaults
  1. In the Enable Security defaults area
    • Below Enable Security defaults
      • Change the toggle from Yes to No
    • At the bottom of this area
      • select Save

4. Part 4: Testing Dynamic Environment Manager integration with Microsoft ONE Drive

In this test we verify that a Horizon desktop and a Workspace ONE UEM-enrolled client (standing in for an external desktop) stay in sync by sharing the same user archive through OneDrive.

4.1. Testing Dynamic Environment Manager integration with Microsoft ONE Drive
  1. On your ControlCenter Server desktop
    • Open the Remote Desktops folder
    • Open Site1
    • Launch the W10Client-01a.RDP shortcut

W10Client-01a represents a physical laptop enrolled into Workspace ONE UEM

  • The desktop configuration was already applied in the previous lab.
  • We are now going to demonstrate using Microsoft OneDrive as the location for the user's archive instead of an SMB share.
  • If there are any existing Windows 10 external client sessions open, please sign out of those sessions first.

If you already have an RDP session to W10Client-01a and you are logged in with [email protected] move to step 3

  1. In the Windows Security page
    • Login as [email protected]
      • XX being your assigned POD ID
      • In the Password area
        • enter VMware1!
      • Select OK
  1. On your W10Client-01a desktop
    • select Start > Run
    • In the Run window
      • next to Open:
        • enter %localappdata%
      • Select OK
  1. In the File Explorer window
    • In the %localappdata% folder, check for a OneDriveLog folder:
      • If there is NO OneDriveLog folder
        • proceed with step 5
      • If there is already a OneDriveLog folder
        • proceed to step 11 and validate your folder looks the same
          • then proceed to step 12
  1. In the W10Client-01a client
    • Select the Start Menu
      • under Top apps
        • Select Workspace ONE Intelligent Hub
  1. In Workspace ONE Intelligent hub application
    • Select the Mark Debio icon
    • In the middle of the console
      • select Sync Device

Make sure you observe the sync process and it shows as Sync has Completed before signing out

  1. On the W10Client-01a desktop
    • Select the Start button
      • select Shut down or sign out > Sign out
  1. On your Controlcenter server
    • Revert back to your Remote Desktops > Site1 folder
      • In the Site1 folder
        • Launch W10Client-01a.RDP
  1. In the Windows Security window
  1. On your W10Client-01a desktop
    • select Start > Run
      • In the Run window
        • next to Open:
          • enter %localappdata%
        • Select OK
  1. In the %LocalAppData% folder
    • Note that you now have a OneDriveLog folder (the path set by OneDriveLogDirectory in NoAD.xml)
      • We can now proceed with the testing process
  1. On your Controlcenter server
    • On your Site 1 Browser, Launch a New Incognito session
    • Either use your regular Access URL or use Access shortcut from your favourites bar
  1. On your Incognito browser session
    • You will be prompted for credentials by the Kerberos authentication method
      • In the Username area, enter:-
      • In the Password area, enter:-
        • VMware1!
      • Select Sign In
  1. On your ControlCenter server
    • In the Web Intelligent Hub console
      • Select the Apps tab
        • Launch Office 365 with Provisioning

We are about to launch an SP-initiated authentication flow against Microsoft 365. This flow must work for the Office 365 integration with Dynamic Environment Manager to function.

So if your authentication works in an IdP-initiated flow but not in an SP-initiated flow, the integration will not work.

  1. In the Microsoft Stay signed in? window
    • select Yes
  1. In the Microsoft 365 window
    • In the top-left corner
      • select the 9 dot block
  1. In the Microsoft 365 window
    • Under Apps
      • Select OneDrive
  1. In the Microsoft 365 window
    • Under My files
      • Select and open Apps
    • Under Apps
      • Select Dynamic Environment Manager - OneDrive for Business Integration
    • Note that at the moment this is not yet populated
    • Switch back to your W10Client-01a RDP session
  1. On the W10Client-01a Desktop
    • On the Taskbar
      • Select the folder icon
  1. In the File Explorer window
    • In the Quick access bar
      • Select This PC
    • Under Network locations
      • Open the DesktopBackgrounds drive mapping
  1. In the DesktopBackgrounds drive mapping window
    • Select and right-click the 35812 JPG file
    • In the Menu,
      • select Set as desktop background
    • To close the DesktopBackgrounds drive mapping window
      • In the top right-corner
        • Select X
  1. On the W10Client-01a Desktop
    • Select and right-click the START button
      • Select Shut down or sign out
      • Select Sign out
    • Switch back to your Saas OneDrive folder (Incognito Browser session)
  1. In your OneDrive folder
    • Under My Files > Apps > Dynamic Environment Manager - OneDrive for Business Integration
    • Notice you now have a DEMRoot folder
    • Open the DEMRoot folder
      • Under the DEMRoot folder
        • Open Archives > Windows Settings
      • Under Windows Settings
        • Note you have a Wallpaper archive
          • This archive can be downloaded, but cannot be opened and viewed from this location
  1. In the Workspace ONE Access Web Intelligent Hub
    • Under the Apps tab
      • Select and Launch the  Horizon Desktop assignment
        • When prompted select Launch
        • In the Open VMware Horizon Client? window
          • select Open VMware Horizon Client
  1. In your Horizon client session
    • Notice you now have wallpaper that you just configured
  1. In your Horizon client session
    • Open your DesktopBackground drive mapping
    • Select an alternative Desktop Background
      • the screenshot has wallpaper 35809 selected
  1. In your Horizon client session
    • In the top-right corner
      • Next to Fullscreen
        • Select the 3 DOTS
      • In the Menu
        • Select Logoff Desktop
    • In the Disconnect and log off desktop? window
      • Select OK
    • Switch back to your OneDrive Folder
  1. In your OneDrive folder
    • Under My Files > Apps > Dynamic Environment Manager - OneDrive for Business Integration >  DEMRoot > Archives > Windows Settings
    • Under Windows Settings
      • Note that the Wallpaper archive has just been updated (check its modified time)
  1. On your ControlCenter server
    • In the Remote Desktops > Site 1 folder
      • Launch W10Client-01a.RDP
  1. In the Windows Security window
  1. In the W10Client-01a RDP session
    • Note that you now have the updated desktop background
    • This demonstrates the integration working between Dynamic Environment Manager and OneDrive through the Microsoft Graph API: the archive written from the Horizon desktop was read back on the Workspace ONE UEM-enrolled client

Acknowledgements

A big thank you to Pim van de Vis for his support and guidance. Pim is an EMEA Enterprise SE at VMware.

About the Author

Reinhart Nel

https://www.livefire.solutions/meet-the-team/reinhartnel/

For any questions please email Reinhart at [email protected]
