The idea of Modern Management has been around for quite some time. Using modern tools to manage Windows 10 in a manner similar to other mobile devices can offer a lot of flexibility and enhance both user experience and security.
Last year, more of our clients began asking about how to enhance their mobility platforms to better manage not just mobile devices, but Windows 10 devices as well. Workspace ONE is an excellent tool for doing just that, but many customers require tighter integration with the Microsoft stack, including Azure AD and the Windows Store.
I started on this path to test the automatic delivery of Windows Store applications to enrolled Windows 10 devices. Although some pretty good documentation already exists, I learned that certain key steps were a little ambiguous. The intent of this blog is to clarify and consolidate these steps to make deployment an easier exercise.
The procedure outlined below will walk you through the setup needed to support enrollment in Workspace ONE for a Bring Your Own (BYO) Windows 10 device, leveraging Azure AD integration and allowing for the automated deployment of Windows Store apps (as well as native Windows apps).
Although this blog only focuses on Windows 10 BYO in a pure Azure AD environment, next steps could introduce Autopilot, with out of the box enrollment capabilities, as well as leveraging conditional access policies for Office 365 applications.
Prerequisites and Requirements
- Workspace ONE UEM 1810 or later (this blog is based on the Shared SaaS model—dedicated or named instances will require additional configuration)
- Microsoft Azure AD Premium P1 or greater license – be sure license is assigned to users in Azure AD
- Administrative access to Workspace ONE UEM, Azure AD, and the Microsoft Store for Business console
- A Windows 10 device or virtual machine used to test enrollment
Integrating Azure AD with Workspace ONE
To get started, we will need to configure integration between Microsoft Azure AD and Workspace ONE. This is started from the Workspace ONE console.
2. Click on Enterprise Integration.
3. Expand Enterprise Integration and select Directory Services. Since we are using pure Azure AD, we will leave Directory Type to None.
4. Select Enable under both Azure AD Integration and Use Azure AD For Identity Services. The Directory ID will be entered in a following step, after it has been obtained from Azure.
5. Capture the MDM discovery URL and the MDM Terms of Use URL. Both will be used to configure the “Airwatch” mobility application in Azure AD. The Tenant Name will be configured later, when Directory ID is configured. Since this is a pure Azure AD deployment, I will leave the Immutable ID Mapping Attribute at objectGUID. If using Azure AD Connect, and the sourceAnchor attribute was changed, please update this value to the sourceAnchor value used.
6. Head to your Microsoft 365 admin portal and sign in. Navigate to the Azure Active Directory admin center.
7. Select Azure Active Directory, then Mobility (MDM and MAM). Click on Add Application.
8. Select AirWatch by VMware.
9. Review the App details and click Add.
10. Return to the Mobility (MDM and MAM) screen and select AirWatch by VMware to edit the application.
11. Using the information gathered in step 5, type in the MDM terms of use URL and MDM discovery URL. Change the MDM user scope to Some to configure specific user groups in which this MDM app will be made available. Click on No groups selected.
Note: optionally All can be selected if all users will require the ability to enroll through Workspace ONE.
12. Select the applicable group(s) to add to the user scope and click Select.
13. Return to the application settings page and click Save.
14. Next, we need to ensure the Microsoft Intune MDM app does not attempt to supersede Workspace ONE. From the Mobility (MDM and MAM) screen, click Microsoft Intune.
15. Ensure both MDM user scope and MAM user scope are set to none.
16. To continue the Workspace ONE integration, we’ll need to obtain the Directory ID and the Domain Name. Navigate to Properties and copy down the Tenant ID value.
18. Return to the Workspace ONE UEM Console, under Directory Services. Enter the Tenant ID into the Directory ID field. Scroll down and
Configure Microsoft Store for Business Integration
The next phase in Windows 10 BYO integration ties in the ability to deploy Microsoft Store Apps. Without this integration, Microsoft Store Apps are only available on-demand and cannot be automatically deployed to enrolled devices.
Microsoft Store applications can be licensed and deployed ‘offline’. This allows for additional flexibility in deployment, including the ability to directly deploy offline apps from Workspace ONE, without requiring connectivity to the Microsoft Store. It is recommended to enable this feature when integrating with MDM solutions. See here for more details.
1. Log in to the Microsoft Store for Business admin console here, and click Manage.
2. Navigate to Settings, then click on Distribute. Click on the Active action to ensure AirWatch by VMware MDM tool is activated.
3. While still under settings, click on Shop and click to enable Show offline apps.
4. Next, an app must be added and made available within the Microsoft Store for Business, so that it can be deployed from Workspace ONE. For this example, we’ll use VMware Tunnel. Navigate to Shop for my group, type in VMware Tunnel and click on the search icon. Click on the VMware Tunnel app.
5. Select the appropriate license type, in this case Online, and click Get the app.
Add Microsoft Store Applications to Workspace ONE
Now that the Microsoft Store for Business is integrated with Workspace ONE, we can import all apps and configure the desired assignments.
1. Head to the Workspace ONE admin console and login. From the main page, select APPS & BOOKS, then click on Native, and select Public. Click on ADD APPLICATION.
2. Select Windows Desktop as the Platform and select IMPORT FROM BSP, then click Next to continue.
Note: if the IMPORT FROM BSP option is not available, you will need to contact VMware support to have it enabled on your Workspace ONE UEM environment.
3. The import will bring in all applications currently available on the Microsoft Store for Business account. Note that VMware Tunnel is available. Click FINISH to continue.
4. Click OK after reviewing the notification regarding assignments.
5. Your apps will now appear in the Public Applications pane. Return to the Public Apps pane by selecting APPS & BOOKS, Native, then Public. Locate the recently added VMware Tunnel app and click Assign.
6. Assignments will need to be adjusted to configure device/user assignment as well as Auto or On Demand deployment. Provide the Name for the Assignment and click into the field to assign devices or users based on Smart Groups. I selected All Devices for simplicity. Change the App Delivery Method to Auto so that all devices receive this application automatically. Click Create.
7. Review the Assignment created and click Save. No devices will show up yet unless you already have Windows 10 devices enrolled. We are now ready to move onto enrolling Windows 10 BYO devices.
Enroll the Windows 10 Device in Azure AD and Workspace ONE
Now we take what was configured above and put it to the test. This is the final phase of preparing Windows 10 BYO devices for Workspace ONE enrollment leveraging Azure AD integration.
1. Since this is a BYO device, we will need to start by installing the Workspace ONE agent. This can be obtained from https://getwsone.com. Once downloaded launch the installer and click Next.
2. On the next page, accept the EULA and click Next.
3. Click Install to install the Workspace ONE Intelligent Hub.
4. Click Finish to complete the install and restart the computer.
5. Next, the device will need to be joined to the Azure AD domain. To do so, navigate to Access work or school settings. This can be found by clicking on the Windows logo and typing in “work or school”. From the settings page, click Connect.
6. At the Microsoft account screen, provide the enrollment user’s email address / UPN. Click Next.
7. Type in the enrollment user’s password and click Sign in.
8. Select the correct Group ID and click Next.
9. Click OK to accept the notification that a Windows Hello Face, Fingerprint, or PIN will need to be created. This was already performed for this virtual machine.
10. The enrollment is now complete! Apps and profiles will begin their setup on the device. Click Done.
11. Verify VMware Tunnel has now been installed by logging into Windows and searching for VMware Tunnel. You will see that VMware Tunnel is available on this system.
12. We can also review the Workspace ONE console to see that VMware Tunnel has been successfully deployed to the device. From within the console, select Devices, then List View, and click on the recently added device.
13. Click on Apps and see that VMware Tunnel shows an App Status of Installed.
Note: it may take several minutes for this information to refresh.
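The console checks in steps 11 to 13 can be confirmed on the device itself. The following PowerShell script is an added example, not part of the original post or a VMware tool: run in an elevated prompt on the enrolled Windows 10 device, it reads the Azure AD join state from the built-in dsregcmd tool, lists the MDM enrollment records Windows keeps under HKLM\SOFTWARE\Microsoft\Enrollments, flags the case where Intune rather than Workspace ONE ended up as the active MDM (the situation steps 14 and 15 of the Azure AD section are meant to prevent), and looks for the auto-assigned Store app. The package-name filter for VMware Tunnel and the hostname used to recognise an Intune enrollment are assumptions; adjust them to the app and environment you assigned.

```powershell
# Added example (not from the original post): verify on the enrolled device that
# the Azure AD join and the Workspace ONE MDM enrollment completed, and that the
# Store app assigned with App Delivery Method = Auto has arrived.
# Run in an elevated PowerShell prompt on the Windows 10 device.

# 1. Azure AD join state. dsregcmd /status prints "Key : Value" lines; collect
#    the ones we care about into a hashtable.
$dsreg = dsregcmd /status
$state = @{}
foreach ($line in $dsreg) {
    if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
        $state[$matches[1]] = $matches[2]
    }
}
Write-Host "AzureAdJoined : $($state['AzureAdJoined'])"
Write-Host "TenantName    : $($state['TenantName'])"
Write-Host "MdmUrl        : $($state['MdmUrl'])"

if ($state['AzureAdJoined'] -ne 'YES') {
    Write-Warning 'Device is not Azure AD joined; steps 5-10 of the enrollment section did not complete.'
}

# 2. MDM enrollment records. Each MDM enrollment is a GUID-named key under
#    HKLM\SOFTWARE\Microsoft\Enrollments; EnrollmentState 1 means enrolled.
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction Stop |
    Where-Object { $_.PSChildName -match '^[0-9A-Fa-f\-]{36}$' } |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.PSObject.Properties.Name -contains 'ProviderID' }

foreach ($e in $enrollments) {
    [pscustomobject]@{
        ProviderID      = $e.ProviderID
        EnrollmentState = $e.EnrollmentState
        DiscoveryUrl    = $e.DiscoveryServiceFullURL
    }
}

# Expect exactly one active enrollment, pointing at the Workspace ONE MDM
# discovery URL captured in step 5 of the Azure AD section, not at Intune.
# The Intune hostname pattern below is an assumption for this example.
$active = @($enrollments | Where-Object { $_.EnrollmentState -eq 1 })
if ($active.Count -ne 1) {
    Write-Warning "Expected 1 active MDM enrollment, found $($active.Count)."
}
elseif ($active[0].DiscoveryServiceFullURL -match 'manage\.microsoft\.com') {
    Write-Warning 'Active enrollment is Intune; confirm the Intune MDM user scope is set to None (step 15).'
}

# 3. The auto-assigned Store app. The package-name filter is an assumption;
#    change it to match the app you assigned in Workspace ONE.
$app = Get-AppxPackage -AllUsers -Name '*Tunnel*'
if ($app) {
    "Installed: $($app.Name) $($app.Version)"
}
else {
    Write-Warning 'VMware Tunnel package not present yet; allow a few minutes and re-run.'
}
```

If the app is missing but the enrollment record shows the Workspace ONE discovery URL with EnrollmentState 1, the assignment side (steps 5 to 7 of the Store apps section) is the place to look; if instead there is no active enrollment, or the active one is Intune, the fix is on the Azure AD side.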