2. Manual and Automated Enrollment

This lab will demonstrate how Windows clients can be enrolled into WorkspaceONE UEM manually, but also how it might be automated using a script and a staging user.

Part 1 : UEM SAML Authentication
  1. On the Control Center
    1. Navigate to your WorkspaceONE Access tenant and sign in with the Systems administrator account
  1. Once logged in, click in the top right on TA and click WorkspaceONE Access Console
  1. Once in the admin console click on Resources > Web Apps and Settings
  1. In the Settings Window click on SAML Metadata and right click Identity Provider (IdP) Metadata and click Save link as...
  1. On the Save As window, click Save. Be sure the default location is the Downloads folder.
  1. In a new tab, open and authenticate to the Workspace ONE UEM console (dw-livefire.awmdm.com).
    • Navigate to Groups & Settings > All Settings
  1. Navigate to System > Enterprise Integration > Directory Services and click Override.
  1. Click Skip wizard and configure manually
  1. Click ENABLED for Use SAML For Authentication
    • Click UPLOAD for Import Identity Provider Settings
  1. Navigate to the downloads folder and select the idp.xml previously downloaded.
  1. Click SAVE at the bottom of the page. After the save you will see the page populated with the correct information.
  1. Change both Request Binding and Response Binding to POST. Click SAVE at the bottom of the window.
Part 2: Enrolling Intelligent Hub on Windows 11

Step 1 : Enrolling W11Client-01a on Site 1 with the user Craig

Steps 1 & 2 can be done in parallel, so whilst waiting for enrollment to complete on one virtual machine, feel free to move on to the next step.

  1. On your ControlCenter server
    • On the Desktop open the Remote Desktop folder.
      • Open the Site1 folder
    • Select the W11Client-01a RDP client and
      • Sign-in with
        • username: w11client-01a\craig
        • Password: VMware1!
    • To the right of the Start button
      • in the search area,
        • start typing intel
    • Select the Workspace ONE Intelligent Hub
      • Please Note! If the Workspace ONE Intelligent Hub does not load,
        • From the RUN > Services.msc > Start the Airwatch service
        • Attempt to re-launch the hub
  1. Under Email or Server Address,
    • Enter dw-livefire.awmdm.com
    • Select Next

NOTE: We have not configured domain resolution with auto-discovery so we are using Server URL and GroupID.

  1. In the WorkspaceONE UEM Console hover over your Organisation group and identify your Group ID.
  1. Back on the W11Client-01a now type in your Group ID and click Next.
  1. On the Select your Domain drop down, click euc-livefire.com, then click Next
  1. Now type craig for the username and VMware1! for the password. Click Sign In
  1. On the Congratulations window,
    • Select I agree
    • Click Done
    • Select Get Started

Step 2 : Enrolling W11Client-02a on Site 2 with the user Jackie

  1. On your ControlCenter server
    • On the Desktop open the Remote Desktop folder.
      • Open the Site 2 folder
    • Select the W11Client-02a.RDP client and
      • Sign-in with
        • username: w11client-02a\Jackie
        • Password: VMware1!
    • To the right of the Start button in the search area, start typing intel
    • Select the Workspace ONE Intelligent Hub
      • Please Note! If the Workspace ONE Intelligent Hub does not load,
        • From the RUN > Services.msc > Start the Airwatch service
        • Attempt to re-launch the hub
  1. Under Email or Server Address,
    • Enter dw-livefire.awmdm.com
    • Select Next

NOTE: We have not configured domain resolution with auto-discovery so we are using Server URL and GroupID.

  1. In the WorkspaceONE UEM Console hover over your Organisation group and identify your Group ID.
  1. Back on the W11Client-01a now type in your Group ID and click Next.
  1. On the Select your Domain drop down, click euc-livefire.com, then click Next
  1. In the Workspace ONE Intelligent Hub
    • Select I Agree
  1. On the Congratulations window,
    • Select Done
    • Re-open the Intelligent Hub
    • Select Get Started
Part 3: Automated enrollment of persistent desktops

In order to standardize day-2 operations for specific use-cases, it may be beneficial to enroll persistent desktops (VDI). As these desktops are dedicated and not floating, this gives the users greater flexibility to customize their workspace.

Please note this KB for further explanation of supported virtual platforms for enrollment.  

Note: UEM does not support non-persistent desktop enrollments

In this exercise you will use vSphere VM Customization Specifications to execute a script that will enroll the Workspace ONE Hub with UEM after a successful login to a persistent desktop. This script will include the UEM server URL, GroupID, Staging user and msiexec switches. You can read further about command-line enrollment here.

  1. On the Control Center, open the Chrome site 1 Profile and click on the vcenter-01a bookmark.
  1. Expand the hamburger menu on the left and click Policies and Profiles.
  1. Click on VM Customization Specifications
  1. Click on Full Clone Developer and click EDIT...
  1. a. On the left navigation, click on Administrator password and change the "number of times to logon automatically" to 2.

     b. On the left navigation, click on Commands to run once. Type in the command below (make sure to change the GroupID) and click ADD.

NOTE: Your group ID can be found in WorkspaceONE UEM by hovering over your Organization Group.

 

msiexec /i "C:\UEM\AirwatchAgent.msi" /quiet /l*v "c:\Enrollment\Verbose.log" ENROLL=Y IMAGE=N SERVER=ds1605.awmdm.com LGName=YOURGROUPID USERNAME=staginguser PASSWORD=VMware123 ASSIGNTOLOGGEDINUSER=Y

Breakdown of the above script:

/i = install

/quiet = completely silent

/l = log levels and log path; the path must be in quotes

ENROLL = Select 'Y' to enroll

IMAGE= if this flag is set to 'Y', the agent will be put into image mode.

LGName = organization group id.

USERNAME = Enter the username for the user you are enrolling or the staging username if staging the device on the behalf of a user.

ASSIGNTOLOGGEDINUSER = Select 'Y' to assign the device to the logged in domain user.

For further switches click HERE.

  1. Type logoff and click ADD
  1. Click OK at the bottom of the page.
  1. On your Site 1 browser session
    • In the Bookmarks bar
      • click on the Horizon Site 1 shortcut
      • In the VMware Horizon login
        •  In the username area
          • enter  Administrator
        • In the password area
          • enter VMware1!
      • select Sign in
  1. On the left navigate to Desktops and click W11-BLR-FC
  1. Click on Machines then click the check box to check the two existing VMs. Now click Remove
  1. Select Delete VMs from disk and click OK.
  1. This process will take some time (up to 20 minutes), so grab a coffee and come back.

It will first delete the existing VMs then re-build them with the customization we have set.

NOTE: Use the Status column to see what task is currently being worked on.
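
The Commands to run once entry above passes the staging PASSWORD on the command line and writes a verbose log, so a useful check on a rebuilt desktop is whether that value was written to the log. The PowerShell below is an added example, not part of the original lab or the vendor's tooling; the function names and the sample log lines are constructed for illustration, and whether the real Verbose.log contains the value depends on the installer.

```powershell
# Added example, not part of the lab. Reports log lines that contain a secret
# passed as an MSI property on the enrollment command line.
function Get-MsiProperty {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Match PROPERTY=VALUE; the value is "quoted" or a run of non-space characters.
    $pattern = '(?<name>[A-Za-z_][A-Za-z0-9_.]*)=(?<value>"[^"]*"|\S+)'
    $props = [ordered]@{}
    foreach ($m in [regex]::Matches($CommandLine, $pattern)) {
        $props[$m.Groups['name'].Value.ToUpperInvariant()] = $m.Groups['value'].Value.Trim('"')
    }
    $props
}

function Find-SecretInLog {
    param(
        [Parameter(Mandatory)][string]$CommandLine,
        [Parameter(Mandatory)][string]$LogPath,
        [string[]]$SensitiveNames = @('PASSWORD')   # assumption: which properties are secret
    )
    $props = Get-MsiProperty -CommandLine $CommandLine
    foreach ($name in $SensitiveNames) {
        if (-not $props.Contains($name)) { continue }
        # -SimpleMatch treats the secret as a literal string, not a regex.
        Select-String -LiteralPath $LogPath -SimpleMatch -CaseSensitive -Pattern $props[$name] |
            ForEach-Object {
                [pscustomobject]@{ Property = $name; Line = $_.LineNumber; Log = $LogPath }
            }
    }
}

# Command line from the lab (GroupID left as the lab's placeholder).
$cmd = 'msiexec /i "C:\UEM\AirwatchAgent.msi" /quiet /l*v c:\Enrollment\Verbose.log ' +
       'ENROLL=Y IMAGE=N SERVER=ds1605.awmdm.com LGName=YOURGROUPID ' +
       'USERNAME=staginguser PASSWORD=VMware123 ASSIGNTOLOGGEDINUSER=Y'

# Constructed sample log (MSI verbose-log style) so the check runs anywhere.
$log = Join-Path ([IO.Path]::GetTempPath()) 'Verbose-sample.log'
@(
    'MSI (s) (A0:B4) [12:00:00:000]: Command Line: ENROLL=Y IMAGE=N PASSWORD=VMware123'
    'Property(S): USERNAME = staginguser'
    'Property(S): PASSWORD = VMware123'
) | Set-Content -LiteralPath $log

Find-SecretInLog -CommandLine $cmd -LogPath $log
```

On a lab desktop, pass `-LogPath c:\Enrollment\Verbose.log` instead of the sample file.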

Part 4: Final Testing
  1. Flip back to Chrome profile Site 1 and in Horizon ensure your Machines are in the Status Available.
  1. Open the Horizon Client on your Control Center machine and connect to server horizon-01a.euc-livefire.com
  1. Now authenticate with malcolm and VMware1! and click Login.
  1. Double click the W11-FC (Machine not assigned) desktop.
  1. Once the desktop has loaded click Start and type Hub. Launch the Workspace ONE Intelligent Hub.
    • You can also just wait; eventually the Hub will launch on its own.
  1. On the Select your Domain drop down, click euc-livefire.com, then click Next
  1. Now type malcolm for the username and VMware1! for the password. Click Sign In
  1. On the Congratulations window,
    • Select I agree
    • Click Done
    • Select Get Started
  1. If you open Workspace ONE UEM you will see that the device has been enrolled to Malcolm. Device name is W11-BLR-FC-1
  1. Disconnect from this Horizon Session.
  1. Click the back arrow then you are asked if you want to log off, click OK.

This concludes the manual enrollment of devices into Workspace ONE UEM and the automated enrollment of persistent VMs into Workspace ONE UEM.

Author: Simeon Frank
