EUC

3. Manual and Automated Enrollment

This lab will demonstrate how enrollment can be done manually, but also how it might be automated using a staging account.

Part 1 : UEM SAML Authentication

On the Control Center open authenticate to the Workspace ONE UEM console. (dw-livefire.awmdm.com)
- Navigate to Groups & Settings > All Settings

Navigate to System > Enterprise Integration > Directory Services and click Override.

Click Skip wizard and configure manually

Click ENABLED for Use SAML For Authentication
- Click UPLOAD for Import Identity Provider Settings

Navigate to the downloads folder and select the idp.xml previously downloaded.

Click SAVE at the bottom of the page. After the save you will see the page populated with the correct information.

Change both Request Binding and Response Binding to POST. Click SAVE at the bottom of the window.

Part 2: UEM Auto-Discovery

In the Settings page of Workspace ONE UEM click on Devices & Users > General > Enrollment and click + ADD EMAIL DOMAIN

In the Add Email Domain option fill in the following:
- Business email Domain - corpXXX.euc-livefire.com
- Confirmation email address: kim@corpXXX.euc-livefire.com
- Ensure you are filling in your unique corp identifiers in the fields. We are using Kim who is a member of the IT staff.
- Click SAVE at the bottom of the page.

Now open an Incognito window and navigate to WorkspaceONE Access. You will be re-directed to login.microsoftonline.com. Authenticate using Kim@corpXXX.euc-livefire.com and VMware1! click Sign in

In the VMware Intelligent Hub click Apps at the top now click Microsoft Outlook

Once Outlook Mail Client opens, Navigate to the email from AirWatch in your Inbox.
- Click on the link in the Email to confirm the domain registration.

You will be redirected to the confirmation webpage.

In the UEM settings page. You will see the domain Status as Complete.

Part 3: Enrolling Intelligent Hub on Microsoft Windows 11

Step 1 : Enrolling W11Client-01a on Site 1 user Craig

Steps 1 & 2 could all be done in parallel, So whilst waiting for enrollment to complete on one virtual machine, feel free to move on the next step

On your ControlCenter server
- On the Desktop open the Remote Desktop folder.
  - Open the Site1 folder
- Select the W11Client-01a RDP client and
  - Sign-in with
    - username: w11client-01a\craig
    - Password: VMware1!
- To the right of the Start button
  - in the search area,
    - start typing intel
- Select the Workspace ONE Intelligent Hub
  - Please Note! If the Workspace ONE Intelligent Hub does not load,
    - From the RUN > Services.msc > Start the Airwatch service
    - Attempt to re-launch the hub

Under Email or Server Address,
- Enter craig@corpXXX.euc-livefire.com (replacing XXX with your unique corp ID)
- Select Next

You will be re-directed to Microsoft Azure as your identity provider for authentication. Type in your user again and click Next.

Type in the password VMware1! and click Sign in and select No .

On the Congratulations window,
- Select I agree
- Click Done
- Select Get Started

Step 2 : Enrolling W11Client-02a on Site 2 with the user Jackie

On your ControlCenter server
- On the Desktop open the Remote Desktop folder.
  - Open the Site 2 folder
- Select the W11Client-02a.RDP client and
  - Sign-in with
    - username w11client-02a\Jackie
    - Password VMware1!
- To the right of the Start button in the search area, start typing intel
- Select the Workspace ONE Intelligent Hub
  - Please Note! If the Workspace ONE Intelligent Hub does not load,
    - From the RUN > Services.msc > Start the Airwatch service
    - Attempt to re-launch the hub

Under Email or Server Address,
- Enter [email protected]
- Select Next

Fill in the same email again and click Next. Then type VMware1! for the password and click Sign in

In the Workspace ONE Intelligent Hub
- Select I Agree

On the Congratulations window,
- Select Done
- Re-open the Intelligent Hub
- Select Get Started

Part 4: Automated enrollment of persistent desktops

In order to standardize day-2 operations for specific use-cases it may be beneficial to enroll persistent desktops (VDI). As these desktops are dedicated and not floating this gives the users greater flexibility to customize their workspace.

Please note this KB for further explanation of supported virtual platforms for enrollment.

Note: UEM does not support non-persistent desktop enrollments

In this exercise you will use vSphere VM Customization Specifications to execute a script that will enroll the Workspace ONE Hub with UEM after a successful login to a persistent desktop. This script will include UEM server URL, GroupID, Staging user and msiexec switches. You can read further about command-line enrollment here.

On the Control Center open Chrome site 1 Profile. and click on the vcenter-01a bookmark.
- Click on Launch vSphere Client
- Now Authenticate with [email protected] and VMware1!

Expand the hamburger menu on the left and click Policies and Profiles.

Click on VM Customization Specifications

Click on Full Clone Developer and click EDIT...

a. On the left navigation click on Administrator password and change the "number of times to logon automatically" to 2

b. On the left navigation click on Commands to run once - now type in the below command (Make sure to change the GroupID) and click ADD

NOTE: Your group ID can be found in WorkspaceONE UEM by hovering over your Organization Group.

msiexec /i "C:\UEM\AirwatchAgent.msi" /quiet /l*v c:\Enrollment\Verbose.log ENROLL=Y IMAGE=N SERVER=ds1605.awmdm.com LGName=YOURGROUPID USERNAME=staginguser PASSWORD=VMware123 ASSIGNTOLOGGEDINUSER=Y

Breakdown of the above script:

/i = install

/quiet = completely silent

/l = log levels and log paths path must be in quotes

ENROLL = Select 'Y' to enroll

IMAGE= if this flag is set to 'Y', the agent will be put into image mode.

LGName = organization group id.

USERNAME = Enter the username for the user you are enrolling or the staging username if staging the device on the behalf of a user.

ASSIGNTOLOGGEDINUSER = Select 'Y' to assign the device to the logged in domain user.

For further switches click HERE.

Type logoff and click ADD

Click OK at the bottom of the page.

On your Site 1 browser session
- In the Bookmarks bar
  - click on the Horizon Site 1 shortcut
  - In the VMware Horizon login
    - In the username area
      - enter Administrator
    - In the password area
      - enter VMware1!
  - select Sign in

On the left navigate to Desktops and click W11-BLR-FC

Click on Machines then click the check box to check the two existing VMs. Now click Remove

Select Delete VMs from disk and click OK.

This process will take some time grab a coffee and come back (up to 20 minutes).

It will first delete the existing VMs then re-build them with the customization we have set.

NOTE: Use the Status column to see what task is currently being worked on.

Part 5: Final Testing

Flip back to Chrome profile Site 1 and in Horizon ensure your Machines are in the Status Available.

Open the Horizon Client on your Control Center machine and connect to server horizon-01a.euc-livefire.com

Now authenticate with malcolm and VMware1! click Login.

Double click the W11-FC (Machine not assigned) desktop.

Once the desktop has loaded click Start and type Hub. Launch the Workspace ONE Intelligent Hub.
- You can slo just wait eventually the Hub will launch on it's own.
- Click I Agree

If you open Workspace ONE UEM you will see that the device has been enrolled to Malcolm. Device name is W11-BLR-FC-1
- Notice I haven't had to authenticate Malcolm to the Hub it took these credentials from the signed in user as defined by the installation script.

In the Intelligent hub you will now be re-directed to Azure for authentication as we have set the authentication method.
- type Malcolm@corpXXX.euc-livefire.com and click Next.