Update 4/17/18: This process does NOT require the end user to be a local admin, as I originally thought. You can deploy via SCCM in the system context.
AirWatch 9.3 brings a number of new features to the WorkspaceONE UEM platform on Windows 10 including improved silent enrollment features. This will greatly simplify enrollment over the previous method. The new 9.3 agent brings the following updates to silent enrollment:
- On domain-joined systems, it will automatically enroll as the "logged-in user", regardless of whether they are an admin or not. It does this by matching the UPN of the logged-in user to one in the AW console (this assumes you've synced your AD users into AirWatch).
- If enrolling as the logged-in user fails, it falls back to username and password and prompts the end user to enter them. This is also useful for non-domain systems, or for when the logged-in user doesn't have a valid AirWatch username.
The primary use cases for this process are:
- Win10 client is joined to the domain (completely silent)
- Win10 client is NOT joined to the domain and you want to use the fall back to username and password popup
- If you want to silently enroll non-domain systems with no user interaction, device registration is required. For steps on that, check out my other blog.
- AirWatch agent and console 9.3 or higher
- Deploy Application with SCCM in system context
- User Group Mapping should be turned on at the highest OG so that the end user does not have to type in the Group ID; otherwise the end user will be prompted for it.
- The client must be joined to the domain and the end-user profile must be a domain user for the "ASSIGNTOLOGGEDINUSER" switch to work. If the client is in a workgroup and/or the user is a local account, the "ASSIGNTOLOGGEDINUSER" switch will fail (since it can't find a matching username in the AirWatch console) and will prompt for username and password.
The procedure involves 3 primary steps:
- If SAML is enabled in your environment, you must set up a "Staging" Organization Group (OG) and a "staging" account (basic account) to facilitate enrollment. If you don't have SAML enabled, you can skip the Staging OG setup and use the built-in staging credentials located under All Settings –> Devices & Users –> Windows –> Windows Desktop –> Staging and Provisioning.
- Set up the AirWatch agent application in SCCM with the command-line parameters that will automatically enroll the "current logged-on domain user"
- Deploy Application to device
Step 1 – Setup “Staging” OG and “Staging” account
2. Click on “Add Child Organization” group. Fill out details and click Save.
5. Then click Add –> Add User
6. Configure the Staging account with the following settings:
Click save and this account is ready to go.
Step 2 – Setup SCCM Application
– Checks the client device for the registry keys associated with enrollment. If they are null or still show the "staging" user, the script removes the agent from the client and tries again
– Application "Detection" is configured in the same way, so that SCCM will only report "installed" if the agent is installed AND it has a valid enrollment. This also means the application will keep running until it has a proper enrollment, as long as you deploy it as a required application.
– Optionally send email based on results.
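The check-and-retry logic and the matching detection method, written out as an added example. This is not the AirwatchEnrollment.ps1 script from the author's GitHub; it is a stand-in that shows the structure described above. The registry path and value names the agent writes on enrollment, the MSI silent-install parameters (ENROLL, SERVER, LGNAME, USERNAME, PASSWORD and the ASSIGNTOLOGGEDINUSER switch the post refers to), and the server, Group ID and staging account values are all assumptions or placeholders to verify against a test client and your own environment before use.

```powershell
# Added example, not the blog's AirwatchEnrollment.ps1: verify enrollment state,
# (re)install the agent in the system context when it is missing or still staged,
# and exit with a code SCCM can act on.

# ---- Variables (placeholders; adjust for your environment) ----
$AgentMsi        = Join-Path $PSScriptRoot 'AirwatchAgent.msi'
$Server          = 'ds.example.com'      # placeholder Device Services URL
$GroupId         = 'STAGING'             # placeholder Group ID of the staging OG
$StagingUser     = 'staging-user'        # placeholder basic staging account
$StagingPassword = 'REPLACE-ME'          # placeholder; never commit a real value
$MaxAttempts     = 3

# Assumed location the agent records enrollment state in; confirm on a test client.
$EnrollKey = 'HKLM:\SOFTWARE\AirWatch\EnrollmentStatus'

function Get-EnrollmentState {
    # Returns @{Status; UPN} from the enrollment key, or $null when the key is absent.
    if (-not (Test-Path $EnrollKey)) { return $null }
    $k = Get-ItemProperty -Path $EnrollKey -ErrorAction SilentlyContinue
    return @{ Status = [string]$k.Status; UPN = [string]$k.UPN }
}

function Test-ValidEnrollment {
    # "Valid" = key present, status Completed, and the enrolled UPN is a real user,
    # not the staging account (i.e. ASSIGNTOLOGGEDINUSER re-assigned the device).
    $s = Get-EnrollmentState
    if ($null -eq $s) { return $false }
    if ($s.Status -ne 'Completed') { return $false }
    if ([string]::IsNullOrWhiteSpace($s.UPN)) { return $false }
    if ($s.UPN -like "$StagingUser@*") { return $false }
    return $true
}

function Remove-Agent {
    # Uninstall via the MSI product code found in the Uninstall keys (avoids Win32_Product).
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'AirWatch*' -and $_.PSChildName -like '{*}' } |
        ForEach-Object {
            Start-Process msiexec.exe -ArgumentList "/x $($_.PSChildName) /qn /norestart" -Wait
        }
}

function Install-Agent {
    # Silent install with the assumed vendor MSI properties; returns the msiexec exit code.
    $msiArgs = @(
        '/i', "`"$AgentMsi`"", '/qn',
        'ENROLL=Y',
        "SERVER=$Server",
        "LGNAME=$GroupId",
        "USERNAME=$StagingUser",
        "PASSWORD=$StagingPassword",
        'ASSIGNTOLOGGEDINUSER=Y'
    )
    $p = Start-Process msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    return $p.ExitCode
}

# ---- Main: SCCM runs this as SYSTEM while a user is logged on ----
for ($i = 1; $i -le $MaxAttempts; $i++) {
    if (Test-ValidEnrollment) { Write-Output 'Enrolled'; exit 0 }
    if ($null -ne (Get-EnrollmentState)) {
        # Agent present but enrollment null or still staging: remove it and retry.
        Remove-Agent
    }
    $code = Install-Agent
    Write-Output "Attempt ${i}: msiexec exit code $code"
    # Enrollment completes asynchronously after msiexec returns; poll for a few minutes.
    $deadline = (Get-Date).AddMinutes(5)
    while ((Get-Date) -lt $deadline -and -not (Test-ValidEnrollment)) { Start-Sleep -Seconds 15 }
}
if (Test-ValidEnrollment) { exit 0 } else { exit 1 }

# Detection method for the deployment type: paste Get-EnrollmentState and
# Test-ValidEnrollment plus the line below. SCCM treats "exit 0 with output on
# STDOUT" as installed and "exit 0 with no output" as not installed, so the
# application is only reported installed once a non-staging enrollment exists.
#   if (Test-ValidEnrollment) { 'Installed' }
```

Because the staging password is passed on the msiexec command line, it is visible to anything that can read process arguments or the SCCM client logs on the device, so keep the staging account a basic account with enrollment rights scoped to the staging OG only.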
1. Download the latest AirWatch agent from https://awagent.com/Home/Welcome
2. Download latest SCCM integration client from here
3. Download the latest script from GitHub and update the top section of the script (Variables section) with the correct values for your environment. You can also uncomment the section at the bottom to enable emailing results (whether success or fail). I've also included an AirWatch jpg for you to use as the Application icon in Software Center.
7. On “Deployment Types”, click the “Add” button and then select “Script Installer”. Next.
8. On “General Information” tab, fill out as needed. Next.
9. On “Content” Tab:
- Put the UNC path of the content location you created above
- Installation Program: powershell -executionpolicy bypass -file AirwatchEnrollment.ps1
11. On “User Experience” tab, complete as follows:
- Installation behavior: Install for System
- Logon requirement: Only when a user is logged on
- Installation program visibility: Hidden
Step 3 – Deploy Application to Device
On the client, wait a few minutes for content distribution to complete, and then run "Application Deployment Evaluation Cycle" from the Actions tab of the Configuration Manager control panel applet.