Enabling Co-Management with WorkspaceOne UEM and SCCM – New 9.3 Features!

Update 4/17/18: This process does NOT require the end user to be a local admin as I originally thought. You can deploy via SCCM in the system context.

AirWatch 9.3 brings a number of new features to the WorkspaceONE UEM platform on Windows 10, including improved silent enrollment. This greatly simplifies enrollment compared with the previous method. The new 9.3 agent brings the following updates to silent enrollment:

  • On domain-joined systems, it automatically enrolls as the “logged in user”, regardless of whether they are an admin or not. It does this by matching the UPN of the logged-in user to one in the AW console (this assumes you’ve synced your AD users into AirWatch).
  • If enroll-as-logged-in-user fails, it falls back to username and password and prompts the end user to input this information. This is also useful for non-domain systems or for when the logged-in user doesn’t have a valid AirWatch username.

Use Cases

The primary use cases for this process are:

  • Win10 client is joined to the domain (completely silent)
  • Win10 client is NOT joined to the domain and you want to use the fall back to username and password popup
  • If you want to silently enroll non-domain systems with no user interaction, device registration is required. For steps on that, check out my other blog.

Pre-Reqs

  • AirWatch agent and console 9.3 or higher
  • Deploy the application with SCCM in the system context
  • User Group Mapping should be turned on at the highest OG so that the end user does not have to type in the Group ID; otherwise the user is prompted for it.

  • The client must be joined to the domain and the end-user profile must be a domain user for the “ASSIGNTOLOGGEDINUSER” switch to work. If the client is in a workgroup and/or the user is a local account, “ASSIGNTOLOGGEDINUSER” will fail (since it can’t find a matching username in the AirWatch console) and will prompt for username and password.

The Process

The procedure involves 3 primary steps:

  1. If SAML is enabled in your environment, you must set up a “Staging” Organization Group (OG) and a “staging” account (basic account) to facilitate enrollment. If you don’t have SAML enabled, you can skip the Staging OG setup and use the built-in staging credentials located under All Settings –> Devices & Users –> Windows –> Windows Desktop –> Staging and Provisioning.
  2. Set up the AirWatch agent application in SCCM with the correct command-line parameters that will automatically enroll the “current logged on domain user”
  3. Deploy the application to the device

Step 1 – Setup “Staging” OG and “Staging” account

1. Ensure you are located at your top level “Customer” OG and then navigate to Groups & Settings –> Groups –> Organization Groups –> Organization Group Details
2. Click on “Add Child Organization” group. Fill out details and click Save.

3. Next, navigate to the new “Staging” OG you just created by selecting it in the top dropdown.

4. Go to Accounts –> Users –> List View.
5. Then click Add –> Add User.
6. Configure the Staging account with the following settings:

Note: If you look at the dropdown by “Single User Devices” setting, it might make sense to change it to “Advanced”, but this actually needs to stay as “Standard”.
Click save and this account is ready to go.

Step 2 – Setup SCCM Application

Now it’s time to deploy the AirWatch agent MSI via a PowerShell script to those same devices. This script adds additional logic to make the deployment more robust:
  • Checks the client device for the registry keys associated with enrollment. If they are null or still “staging”, it removes the agent from the client and tries again.
  • Application “Detection” is configured the same way, so SCCM only reports “installed” if the agent is installed AND it has a valid enrollment. This also means the application keeps running until it has a proper enrollment, as long as you deploy it as a required application.
  • Optionally sends an email based on the results.

1. Download the latest AirWatch agent from https://awagent.com/Home/Welcome
2. Download latest SCCM integration client from here
3. Download the latest script from GitHub and update the top section of the script (Variables section) with the correct values for your environment. You can also uncomment the section at the bottom to enable emailing results (whether success or fail). I’ve also included an AirWatch jpg for you to use as the Application icon in Software Center.

4. Create a folder on your SCCM server that includes all 4 of these files:

  • AirwatchAgent.msi
  • installer-1.0.0.55-x64.msi (from sccm integration client download)
  • AirwatchEnrollment.ps1
  • Airwatch.jpg to add as an icon to your application (optional)

5. Create an SCCM Application and select “Manually specify the application information”. Click Next.

6. On the “General Information” and “Application Catalog” sections, fill out the information per your preference. Upload the AirWatch agent icon here. Next.
7. On “Deployment Types”, click the “Add” button and then select “Script Installer”. Next.

8. On “General Information” tab, fill out as needed. Next.
9. On “Content” Tab:

  • Put UNC path of content location you created above
  • Installation Program: powershell -executionpolicy bypass -file AirwatchEnrollment.ps1

Next.

10. On the “Detection Method” section, at the bottom click “Use a custom script to detect presence…” and then “Edit”. Select PowerShell and then use this script:

    # Compliance script
    # Check first for AirWatch enrollment: each subkey under Accounts is one MDM account
    $PATH = "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\*"
    $val = (Get-ItemProperty -Path $PATH -ErrorAction SilentlyContinue).PSChildName
    # Now check whether the enrollment is with a real user or the staging user
    $path2 = "HKLM:\SOFTWARE\Microsoft\Enrollments\$val"
    $val2 = (Get-ItemProperty -Path $path2 -ErrorAction SilentlyContinue).UPN
    if (!($val2 -eq "StagingWin10@Staging.com" -or $val2 -eq "staging@aw.com" -or $val2 -eq $null)) {
        # Output plus exit 0 tells SCCM the application is installed (agent present AND enrolled as a real user)
        Write-Host "Installed"
        Exit 0
    } Else {
        # No output plus exit 0 tells SCCM the application is NOT installed, so a required deployment re-runs the install
        Exit 0
    }
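The following is an added example, not the author’s GitHub script or the detection script above: it folds the enrollment check that both the deployment script (the “checks the client device for registry keys” logic in the Step 2 intro) and the detection method rely on into one function that returns a state (NotEnrolled, Staging or Enrolled) instead of a bare “Installed” string, so the same code can drive both the detection result and the decision to remove the agent and retry. It reads the same OMADM Accounts and Enrollments keys as the page’s script; the staging UPNs are the two quoted on this page and are assumed to be placeholders for your own staging account.

```powershell
# Added example: classify the device's MDM enrollment from the registry keys the detection method reads.
# Staging UPNs below are the page's placeholders; replace them with your environment's staging account(s).
function Get-AirWatchEnrollmentState {
    param(
        [string[]] $StagingUpn = @('StagingWin10@Staging.com', 'staging@aw.com')
    )
    $accountsKey = 'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts'
    $result = [pscustomobject]@{ State = 'NotEnrolled'; Upn = $null; AccountId = $null }

    # Each subkey under Accounts is one OMA-DM (MDM) account GUID; none means the device is not enrolled.
    $accounts = Get-ChildItem -Path $accountsKey -ErrorAction SilentlyContinue
    if (-not $accounts) { return $result }

    foreach ($acct in $accounts) {
        $id = $acct.PSChildName
        # The matching Enrollments\<GUID> key holds the UPN the device was enrolled as.
        $enroll = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Enrollments\$id" -ErrorAction SilentlyContinue
        $upn = $enroll.UPN
        $result.AccountId = $id
        $result.Upn = $upn
        if ([string]::IsNullOrEmpty($upn)) {
            $result.State = 'NotEnrolled'   # account key exists but enrollment never completed
        } elseif ($StagingUpn -contains $upn) {
            $result.State = 'Staging'       # still on the staging account: must NOT count as installed
        } else {
            $result.State = 'Enrolled'      # enrolled as a real user
            return $result                  # one good enrollment is enough
        }
    }
    return $result
}

# SCCM detection-method contract: any output + exit 0 => installed; no output + exit 0 => not installed
# (a required deployment then re-runs the install script, which removes the agent and re-enrolls);
# non-zero exit => detection error. Reporting "installed" on agent presence alone would leave the
# device silently stuck on the staging account, so only an Enrolled state produces output here.
$state = Get-AirWatchEnrollmentState
if ($state.State -eq 'Enrolled') {
    Write-Host "Installed ($($state.Upn))"
}
exit 0
```

In the deployment script, the same function lets you branch on Staging versus NotEnrolled before deciding to uninstall the agent and retry, rather than re-parsing the registry a second time.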
NOTE: In order for this to work you will need to ensure your SCCM agent is set to PowerShell “bypass” mode, otherwise the application deployment will fail. Keep in mind that setting this to “Bypass” does not change the Windows 10 OS PowerShell execution policy; it just configures SCCM so that any PowerShell script it runs is automatically executed in bypass mode. In the SCCM console, go to Administration –> Client Settings –> Default Settings (or you can create a custom client settings profile and deploy it only to the collections you are deploying enrollment to). Then click on “Computer Agent”, scroll down to “PowerShell execution policy” and make sure it’s set to Bypass.

11. On “User Experience” tab, complete as follows:

  • Installation behavior: Install for System
  • Logon requirement: Only when a user is logged on
  • Installation program visibility: Hidden

Click next

12. For the “Requirements” and “Dependencies” pages, leave blank. Note: You can set up the SCCM integration client as a separate application and then create that as a dependency. I’ve chosen to just include it with the deployment of this script. Click Close to complete the wizard.

Step 3 – Deploy Application to Device

1. Right click application and click deploy. Select a test collection first with only a few devices to ensure the automatic enrollment happens. Ensure “Automatically distribute content” is checked. Click next.

2. Click “Add” and select distribution point. Next.

3. On Deployment Settings, select “Install” and “Required”. Next.

4. On Scheduling leave default to deploy right away. Next.

5. On User Experience section, leave default. Next.

6. Use defaults for the remaining wizard sections and click close to complete deployment.

On the client, wait a few minutes for content distribution to complete, and then run “Application Deployment Evaluation Cycle” from the Actions tab of the Configuration Manager control panel applet.

Once it successfully deploys to a device, go to the Access Work or School area and check the enrollment status. It should show your AirWatch server information and the correct email address. Sometimes the enrollment can show the staging account for a short period before flipping over to the correct user. Keep clicking out of the UI and back in to see if it switches properly. It will also now show this completion toast notification to the end user: