GUIDE OCTOBER 2018, PRINTED 4 MARCH 2019

USING PRODUCT PROVISIONING TO DELIVER FILES TO WINDOWS 10: VMWARE WORKSPACE ONE
Table of Contents

Overview
  Introduction
  Purpose
  Audience
Delivering Files Using Product Provisioning
  Introduction
  Prerequisites
  Creating a Files/Actions Component
  Creating a Product
Appendix: PowerShell and Batch Details
  Introduction
  About Standard Accounts
  About Administrative Accounts
Summary and Additional Resources
  Conclusion
  Terminology Used in This Tutorial
  Searching for More Information
  Additional Resources
  About the Authors
  Feedback
Using Product Provisioning to Deliver Files to Windows 10: VMware Workspace ONE Operational Tutorial

Overview

Introduction

This Using Product Provisioning to Deliver Files to Windows 10: VMware Workspace ONE UEM Operational Tutorial provides you with practical information to help you set up product provisioning in your Workspace ONE UEM management solution to address the unique circumstances of your use cases.

Purpose

This operational tutorial provides you with discussions and exercises to help with your existing VMware Workspace ONE production environment. VMware provides operational tutorials to help you with:
Common procedures or best practices
Complex manual procedures
Troubleshooting

Note: Before you begin any operational tutorial, you must first deploy a production environment. For information about deployment, see the VMware Workspace ONE Documentation.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager and VMware Workspace ONE UEM (unified endpoint management), powered by VMware AirWatch, is also helpful.

Delivering Files Using Product Provisioning

Introduction

You can use product provisioning functionality to create an ordered installation of profiles, applications, and files/actions into a single product. This product controls when content is pushed to devices, as well as the order of installation of the product. You can target your products to devices by establishing a set of conditions that indicate when a product is downloaded and when it is installed. Then you push that product out to devices, based on the conditions you set.
You can further target your products to devices by setting up smart groups that control which devices get which products.

A common use for product provisioning is pushing a PowerShell script that changes the device background (wallpaper). After the script is provisioned to devices, the wallpaper is updated on enrolled devices and is removed from unenrolled devices.

Prerequisites

Before you can perform the procedures in this exercise, verify that you have Workspace ONE UEM 1810 or later installed and configured with administrative credentials. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.
Creating a Files/Actions Component

To use product provisioning, you first create the files to install and actions to take on your devices.

1. Download Sample Code

1. Download the sample code from VMware Samples Exchange.
2. Save the file in a local, accessible location.

2. Log In
1. To log in to Workspace ONE UEM, enter your username.
2. Enter your password.
3. Click Log In.

3. Navigate to the Files/Actions Window
1. In the far left of the Workspace ONE UEM Console, click Devices.
2. In the middle navigation bar, click Staging & Provisioning.
3. In the expanded list, click Components.
4. In the expanded sub-list, click Files/Actions.
5. In the Files/Actions window, click Add Files/Actions.

4. Select the OS

In the Add Files/Actions window, click Windows.

5. Select the Device Type
In the Device Type window, select Windows Desktop.

6. Enter the Name

1. On the General tab, enter a files/actions name.
2. You can also enter an optional description.

7. Add File
1. Select the Files tab.
2. Click Add Files.

8. Upload the PowerShell Script

1. In the Add Files window, select Choose Files and browse for the script file to upload.
2. Click Save to upload the files.

9. Store the PowerShell Script
1. In the Add Files window, define the download path the device uses to store the file group in a specific device folder. In this example, the download path was defined as C:\Temp\AirWatch, based on the sample provided earlier, and the rest of the path was added automatically.
2. Click Save.
10. Verify and Save

1. In each newly added row, verify the file name and download path.
2. Select the Manifest tab.

11. Add an Install Manifest Action

On the Manifest tab, underneath Install Manifest, click Add Action.

12. Choose the Run Action
1. In the Add Manifest window, click the down arrow to expand the Action(s) to Perform menu.
2. From the menu, select Run.

Note: You can use the manifest to run a script or application using command lines. The Run command must use the syntax \[full file path], for example, \path\script.ps1. You must also select the context of the command to indicate whether it should run at the system level, current user level, or admin account level.

13. Finish Defining the Install Manifest Action

1. Provide the following information:
   Action(s) To Perform: Run
   Execution Context: Current User
   Note: You can perform actions such as Run or Install using the System, Admin, or Current User context. Choose the correct context depending on your script. For example, if the current user does not have admin access and the script requires admin privileges, then choose Admin or System. If the script uses environment variables such as %USERNAME% or %HOMEPATH%, then you must run it in the Current User context; otherwise those variables return information for the System account.
   Command Line and Argument to run: "C:\Temp\AirWatch\ChangeDesktop.ps1"
   TimeOut: Accept the default value.
2. In the Add Manifest window, click Save.

14. Add an Uninstall Manifest Action

On the Manifest tab, scroll down to the Uninstall Manifest section, and click Add Action.

15. Choose the Run Action

1. From the Action(s) to Perform drop-down menu, select Run.
2. In the lower right, click Save.
16. Define the Uninstall Manifest Action

1. Provide the following information:
   Action(s) To Perform: Run
   Execution Context: Current User
   Command Line and Argument to run: "C:\Temp\AirWatch\ChangeDesktopBack.ps1"
   TimeOut: Accept the default value.
   Note: The uninstall manifest only runs when the Uninstall action is added to the product. If nothing is added to the Uninstall Manifest, uninstalling the file/action does nothing. If you plan to remove the configurations your scripts make, you must revert the settings using the Uninstall Manifest option.
2. In the Add Manifest window, click Save.

17. Save the Uninstall Manifest Action

In the Add Files/Actions window, click Save to upload the files and actions to Workspace ONE UEM.

Creating a Product

After creating the files/actions component that contains the content you want to push to devices, you create a product that controls when the content is pushed and the order of installation.

Note: To edit a product, you must first deactivate it in the list view.

1. Navigate to Add Product
1. In the far left of the Workspace ONE UEM Console, click Devices.
2. In the middle navigation bar, click Staging & Provisioning.
3. In the expanded list, click Product List View.
4. In the Product List View window, click Add Product.

2. Select the OS

Select the Windows OS.

3. Select the Windows Desktop
In the Select Device Type window, select Windows Desktop.

4. Provide General Product Data

On the General tab, provide the basic product information:
1. Name: Enter the name Change Desktop for Win10.
2. Assignment Group(s): Select an assignment group that contains the devices or users to receive this product.

5. Add Manifest

1. Navigate to the Manifest tab.
2. In the upper left, click Add.

6. Provide Manifest Data

1. In the Add Manifest window, click the down arrow to expand the Action(s) to Perform menu.
2. From the drop-down menu, select Install Files / Actions.
7. Save the Configuration

1. In the Files/Actions field, select the Install Manifest action that you created earlier for changing the wallpaper.
2. Click Save.

8. Verify and Activate

1. Verify the product configuration.
2. In the lower right, select Activate to deploy the actions to the devices.

Important: The VMware Workspace ONE Intelligent Hub (formerly called AirWatch Protection Agent) must be installed on devices to use product provisioning. You can enable Workspace ONE Intelligent Hub to deploy automatically by navigating to Settings > Devices & Users > Windows > Windows Desktop > Hub Application.

9. Additional Configuration Options

You can add additional manifest items if desired, such as the Uninstall Manifest action. You can adjust the order of the manifest steps using the up and down arrows, and edit or delete a step in the Manifest list view. To completely automate the manifest, you can also create a sequence of actions to execute on the device.

You can also add configurations from the Conditions, Deployment, and Dependencies tabs. These configurations are optional and unnecessary when creating the Change Desktop product:
On the Conditions tab, you can configure Download Conditions settings, Install Conditions settings, or both.
On the Deployment tab, configure times and dates to activate and deactivate the product.
On the Dependencies tab, configure the order in which products apply to devices.

Appendix: PowerShell and Batch Details

Introduction

Questions often arise about when to use PowerShell scripts or BATCH scripts. This section provides detailed information about the use of these scripts in both standard and administrative accounts.

About Standard Accounts

When pushing products to standard users (local accounts without admin rights), you must disable UAC or the end user receives UAC prompts asking for admin credentials. You can disable UAC via group policies on your domain, or via the restrictions payload in the Workspace ONE UEM console. For information about administrative users, see About Administrative Accounts.
Recommendations

When pushing scripts to standard accounts, it is recommended that you use the following contexts:

To Push This Script: PowerShell. Use This Context: Admin.
To Push This Script: BATCH. Use This Context: System.

Warning Prompts

UAC prompts are displayed if you push products using non-recommended contexts.

[Figure: Example of a PowerShell Prompt]
[Figure: Example of a BATCH Prompt]
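As an added example (not the VMware sample code downloaded in the exercise above), the following script stands in for both ChangeDesktop.ps1 (the Install manifest would run "C:\Temp\AirWatch\ChangeDesktop.ps1" -Action Set -Color Blue) and ChangeDesktopBack.ps1 (the Uninstall manifest would run the same file with -Action Restore). It stores its state under the signed-in user's profile, which is why, as the context recommendations above describe, it must run in the Current User context; the -Color parameter, the state directory and the generated solid-colour bitmap are assumptions of this example.

```powershell
# Added example: one script that serves as ChangeDesktop.ps1 (Install manifest,
# "-Action Set -Color Blue") and ChangeDesktopBack.ps1 (Uninstall manifest,
# "-Action Restore"). Not VMware's sample code. It only touches the calling
# user's profile, so it must run in the Current User context: under System,
# $env:LOCALAPPDATA and HKCU: resolve to the SYSTEM account instead.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Set', 'Restore')][string]$Action,
    # Hypothetical parameter: colour of the generated solid wallpaper.
    [ValidateSet('Blue', 'Green', 'Gray')][string]$Color = 'Blue'
)

# Win32 entry point that applies a wallpaper to the calling user's session.
Add-Type -Namespace Wallpaper -Name Native -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern bool SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni);
'@
$SPI_SETDESKWALLPAPER = 0x0014
$SPIF_UPDATEINIFILE   = 0x01   # persist the change in the user profile
$SPIF_SENDCHANGE      = 0x02   # broadcast WM_SETTINGCHANGE so Explorer repaints

# Assumed state location; keeps the previous wallpaper path for Restore.
$stateDir  = Join-Path $env:LOCALAPPDATA 'WorkspaceONEUEM\ChangeDesktop'
$stateFile = Join-Path $stateDir 'previous-wallpaper.txt'
$imageFile = Join-Path $stateDir "wallpaper-$Color.bmp"

function Set-UserWallpaper([string]$Path) {
    $ok = [Wallpaper.Native]::SystemParametersInfo($SPI_SETDESKWALLPAPER, 0, $Path,
        ($SPIF_UPDATEINIFILE -bor $SPIF_SENDCHANGE))
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "SystemParametersInfo failed with Win32 error $err"
    }
}

switch ($Action) {
    'Set' {
        New-Item -ItemType Directory -Path $stateDir -Force | Out-Null
        # Record the current wallpaper once; a repeated Set must not overwrite it.
        if (-not (Test-Path $stateFile)) {
            $current = (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -Name Wallpaper `
                -ErrorAction SilentlyContinue).Wallpaper
            Set-Content -Path $stateFile -Value ([string]$current)
        }
        # Render a solid-colour bitmap so the product ships no image file.
        Add-Type -AssemblyName System.Drawing
        $bmp = New-Object System.Drawing.Bitmap 1920, 1080
        $gfx = [System.Drawing.Graphics]::FromImage($bmp)
        $gfx.Clear([System.Drawing.Color]::FromName($Color))
        $bmp.Save($imageFile, [System.Drawing.Imaging.ImageFormat]::Bmp)
        $gfx.Dispose(); $bmp.Dispose()
        Set-UserWallpaper $imageFile
    }
    'Restore' {
        if (Test-Path $stateFile) {
            # An empty saved value means the user had no wallpaper; "" is valid input.
            $previous = [string](Get-Content -Path $stateFile -TotalCount 1)
            Set-UserWallpaper $previous
            Remove-Item -Path $stateDir -Recurse -Force
        }
    }
}
```

Because the Uninstall manifest only runs when the product's Uninstall action is invoked, the Restore branch is what reverts the change on unenrolled devices; without it the generated wallpaper stays behind.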
About Administrative Accounts

To push products successfully to devices, it is recommended that you use the syntax formats described below for PowerShell and BATCH scripts. The syntax holds true for any account type, but the recommendations apply to a device with an admin user and UAC enabled. For information about standard users, see About Standard Accounts.

Syntax Formats for PowerShell Scripts

You can have administrative users, UAC on, with or without parameters.

PowerShell with Admin User, UAC On, Without Parameters

Example: "C:\Users\Demo\AppData\Local\Temp\WorkspaceONEUEM\ChangeDesktop.ps1"
Manifest Action: RUN: <path>\filename.ps1

Context: Admin. Result: UAC prompts but works ("Do you want to allow AW.ProtectionAgent.PowershellExecutor?").
Context: System. Result: Executes but does not work (tested with the change wallpaper script).
Context: Current User. Result: Works without UAC prompting. Recommended.

Device Runs: C:\Program Files (x86)\airwatch\agentui\aw.protectionagent.powershellexecutor.exe ProductPsScriptExecution <path>\filename.ps1

PowerShell with Admin User, UAC On, With Parameters

Example: %temp%\workspaceoneuem\set-wallpaper.ps1 Colour Blue
Manifest Action: RUN: <path>\filename.ps1 Parameter1 Parameter2

Context: Admin. Result: UAC prompts but works ("Do you want to allow AW.ProtectionAgent.PowershellExecutor?").
Context: System. Result: Executes but does not work (tested with the change wallpaper script).
Context: Current User. Result: Works without UAC prompting. Recommended.

Device Runs: C:\Program Files (x86)\airwatch\agentui\aw.protectionagent.powershellexecutor.exe ProductPsScriptExecution <path>\filename.ps1 parameters

Syntax Formats for BATCH Scripts

You can push BATCH with or without parameters.

BATCH with Admin User, UAC On, Without Parameters

Example: %temp%\workspaceoneuem\createuser.bat
Manifest Action: RUN: <path>\filename.bat

Context: Admin. Result: UAC prompted and worked. Recommended.
Context: System. Result: Does not work.
Context: Current User. Result: Works, but access was denied for creating the user, so it failed on the device.

Device Runs: "C:\Windows\SysWow64\cmd.exe" /C "C:\Windows\system32\cmd.exe", which opens the new CMD and runs "C:\Windows\system32\cmd.exe" /C <path>\filename.bat

BATCH with Admin User, UAC On, With Parameters

Example: %temp%\workspaceoneuem\createuser.bat Demo P@ssw0rd
Manifest Action: RUN: <path>\filename.bat parameter1 parameter2

Context: Admin. Result: UAC prompted and worked. Recommended.
Context: System. Result: Does not work.
Context: Current User. Result: Works, but access was denied for creating the user, so it failed on the device.

Device Runs: "C:\Windows\SysWow64\cmd.exe" /C "C:\Windows\system32\cmd.exe", which opens the new CMD and runs "C:\Windows\system32\cmd.exe" /C <path>\filename.bat parameter1 parameter2

Summary and Additional Resources

Conclusion

This tutorial introduces you to the product provisioning functionality of Workspace ONE UEM, and how to use this functionality to modify device content. A set of exercises describes the process of creating a files/actions component to contain the content to push to devices, and then of creating a product that controls when that content is pushed. The final result is the ability to manage the content options of devices through product provisioning.
Terminology Used in This Tutorial

The following terms are used in this tutorial:

adaptive access: The ability to control access and authentication methods to sensitive apps based on a device's managed status.
additive: Includes only changes developed after the latest version of the application or the last additive patch.
app dependencies: Applications required by the environment and devices to run the Win32 application.
app patches: Files that apply additive or cumulative fixes, updates, or new features to applications.
app transforms: Files that control application installation and can add or prevent components, configurations, and processes during the process.
app uninstall process: Scripts that instruct the system to uninstall an application under specific circumstances.
application store: A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment: Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
BitLocker: Full disk encryption available for Windows, focused on addressing data leakage or data theft scenarios from stolen, lost, or incorrectly decommissioned devices.
bring your own device (BYOD): The process of providing secure access to corporate data, apps, and content on an employee-owned device without invading employee privacy to their personal data, apps, or content.
business mobility: The concept of being able to provide secure access to your business services, infrastructure, and content to enable your workforce to work remotely.
catalog: A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud: A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
conditional access: To provision access to a resource or service, based on user entitlements or roles.
container: The separation of corporate and personal data on employee-owned devices, allowing IT administrators to manage corporate applications and profiles without invading employee privacy or personal apps and content.
cumulative: Includes the entire application, including any changes since the latest version of the application, or the last patches.
data leakage protection: Software-controlled policies that determine how and where data can be transferred or shared to.
device enrollment: The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
Device Health Attestation: Module that gathers device health measurements and reports these measurements to the Health Attestation Service for evaluation.
enrollment: The process of allowing your device to be managed by the software-defined policies of the chosen enterprise mobility management provider.
enterprise mobility management: The concept of using software and policies to both secure and provide access controls for mobile devices.
files and actions: The combination of the files delivered to a device and the actions that file performs on the device. Files and actions cannot be assigned directly to a device. Instead, assign files and actions to a product, which then provisions to devices.
Health Attestation Services: Cloud service that evaluates health measurements from the device to determine the health state.
identity-as-a-service: Identity and access management services through the cloud to provide SSO identity federation and user-access provisioning.
identity provider (IdP): A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile application management: The concept of managing access, deployment, and restrictions of mobile applications using software and services.
mobile device management (MDM) agent: The concept of managing mobile devices using software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
multi-factor authentication: Access control process that requires users to authenticate using more than one method of authentication by providing something the user knows (a password) and something the user has, such as a hardware token, smartcard, or phone, or something the user is, such as a fingerprint or retina.
one-touch login: A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
per-app VPN: Policies that allow individual apps to access VPN configurations without granting device-wide access to the VPN connection.
public app stores: Portals where users can access and obtain publicly published applications, such as the iOS App Store and Google Play Store.
service provider (SP): A host that offers resources, tools, and applications to users and devices.
smart groups: Groups that control which devices get which product, based on how the group is created.
step-up authentication: Restricting applications or services to require a stronger authentication method, depending on the sensitivity or severity of the resource.
unified endpoint management: A single platform that allows organizations to manage and secure every endpoint, any app, and content across deployment use cases.
virtual desktop: The user interface of a virtual machine that is made available to an end user.
virtual machine: A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.
Windows Information Protection: Formerly Enterprise Data Protection (EDP), a Windows solution to assist in preventing data leakage without impeding the user experience.

For more information, see the VMware My Workspace ONE Glossary or the VMware Technical Publications Glossary.
Searching for More Information

When looking for more VMware documentation, you can focus the search using the Advanced Search option.

1. In the VMware Workspace ONE Documentation window, select the gear icon to start an advanced search.
2. Enter words or phrases to start the search. Example: To search for an article that you think is called Compliance Profile Overview, you might include just the key words, in case the article now has a different name.
3. Narrow the results by selecting specific criteria. Example: The search is limited to the specific product and version.
4. Click Advanced Search.
5. In the resulting hit list, you can select a hit. Or you can either apply Sort By filters, or narrow the results further by clicking Advanced Search.

Additional Resources

For more information about Workspace ONE, you can explore the following resources:
VMware Workspace ONE Action Path
VMware Workspace ONE product page
VMware Workspace ONE Documentation
VMware Identity Manager product page
VMware Identity Manager Documentation
VMware Workspace ONE UEM, powered by VMware AirWatch product page
VMware AirWatch Documentation
VMware Workspace ONE free trial
VMware Workspace ONE Cloud-Based Reference Architecture
VMware Workspace ONE and VMware Horizon 7 Enterprise Edition On-premises Reference Architecture
VMware End-User-Computing Blogs
Workspace ONE UEM Hands-On Lab

About the Authors

This tutorial was written by:
Josué Negrón, EUC Staff Architect, End-User-Computing Technical Marketing, VMware
Hannah Horton, EUC Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Considerable contributions were made by the following subject matter experts:
Varun Murthy, Product Line Manager, VMware
Nigitha Alugubelli, Sr. Product Manager, VMware
Jason Roszak, Sr. Director Product Management, VMware
Darren Weatherly, Specialist Systems Engineer, VMware
Robert Terakedis, Sr. Technical Marketing Manager, EUC Technical Marketing, VMware
Aditya Kunduri, Group Product Marketing Manager, EUC Mobile Marketing, VMware
Ajay Padmakumar, VMware alumni
Pedro Bravo, VMware alumni

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.
VMware, Inc. 3401 Hillview Avenue, Palo Alto, CA 94304, USA. Tel 877-486-9273, Fax 650-427-5001, www.vmware.com

Copyright 2017 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.