Hands-on Workspace ONE. - Episode 02 - The one with Devices

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

[Music] hi thanks for watching and welcome back my name is howard dixon i'm a senior engineering specialist at vienna and i'm jorus arianza piston development manager founder today we're going to cover the following topics windows 10 enrollment ios enrollment mac os enrollment and android enrollment we're going to do that through workspace on access so we need to enable some settings there we're going to do basic branding of the environment and have everything up and running by the end of this session [Music] all right let's start with the branding so we've opened our workspace run environment in our browser to configure branding we need to go to all settings and under system there's a tab called branding there's a default workspace one uem logo already configured but we would like to change that for our company logo so first to change something in this page you need to press the button overwrite to be able to configure other settings press the upload button and with a local file you can select a logo for example so this is our company logo that we can save so when we've changed our logo we can scroll down to modify the colors these are written down the same way you would do an html page so you see the top bar is dark blue white and there's a little bit of light blue in there as well to match our logo i think we can use this color the same way at the top so i'm just going to paste this here it's also a possibility to select the color from this palette when we press save save successfully when we close this you see that we have a lighter blue on top and the fondo logo as branding we're back with workspace on access and in our previous episode we have configured directory sync so besides our system domain which we'll use to get into the product right now we also have a funnel.local however we can't use this quite yet because we still have to configure the system connector to accept authentication so that's what we'll do now i've selected system domain and i'll log on using my admin account so we're now back in the user portal i'm going to select my user profile and i'm going to select administration console so within the administration console i'm going to go to identity and access management and i'm going to select identity providers under the manage tab in this step i'm going to select the built-in identity provider and i'm going to change a couple of things so on the user side i'm going to select fondo attack so that means that using this directory users out of this directory can authenticate within the portal i'm going to make this setting for all ranges of the product within the product and the connector has already been filled in which is good and then i'm going to select cloud password this will mean that it's going it's over the system system passwords you will be able to select the the active directory passwords and use those next up i'm gonna hit save and once this setting has been applied successfully i'm gonna go to my policies tab within the policies uh tab i'm gonna select our default access policy set and i'm gonna select edit and afterwards i'm gonna click the configuration tab on the left i'll modify both values and i'm going to start with the web browser one and in this policy pane i'm gonna go down towards then the user may authenticate using and i'm gonna select instead of password gonna select cloud deployment and i'm done i'm gonna hit save i'll do the same for the wordpress one app and i'm gonna select next and save so now using the settings that yours did in wordpress one uem meaning it's going to give a pop-up during registration of a device asking you to authenticate using wordpress one access we've configured in workspace one access that will use the active directory synchronized user set and it's gonna authenticate towards the connector next up i'll test this real quick i'll log out of the environment so um back in our log on page we're gonna select our new domain hit next and enter our credentials for the active directory account next i'm going to select sign in and we're now signed in to workspace one access this means when i use this account during the enrollment of a device it will properly sign in the device into workspace one uem so the first step during enrollment is to provide a server url and group id of the environment you want to connect to so to prevent your users from needing to know that information you can do an email auto discovery to configure that we'll go to groups and settings all settings under devices and users we press the general tab there we select enrollment in this screen we need to press the override button which is something we're going to do quite often because every setting has been pre-defined and if you want to make any modifications this is your first step if you scroll down a bit you can add an email domain this will do a domain validation via your email to make sure the domain is yours to to enter so to add our email domain we'll press add email domain our organizational group has already been entered we need to have our domain extension fondo.tech which is our website and our email domain and we'll need an email address where we can receive a validation code we'll use the email from our support division or press save you can see here that the status is pending that means that a email has been sent our way but we haven't confirmed it yet as you see in my screen i've received an email with a link to verify this domain so after pressing the link on the email the domain validation is successful you can see here the status is complete next i'm going to configure the integration with google so i'm going to go into workspace run uvm and set up the configuration so i'm going to select groups and settings and click all settings next i'm going to click devices and users androids and i'm going to select android emm registration i'm going to select the big blue button saying register with google it's going to give a pop-up screen or iframe and this is where i'm going to configure it to my android or google account i'm going to select to work i'm going to give our company name and select next i need to fill in this form so next i'm going to say complete registration it's going to go back to our console and when everything went right you're going to see that our registration went successful if you're unsure you can also test the connection and then you can see that the service account setup was successful i'm gonna select save and next yours is going to integrate our uem environment with apple so i have just showed you how to register the workspace on uem environment with google this is a necessary step if you want to enroll an android device the same goes if you want to register ios and mac os and workspace on uem we need to have a connection to apple i'll show you how to set up this for that first connection and it works with some uem console we'll go to groups and settings all settings and under devices and users there's an apple tab let's select the first option apns for mdm so what you see here is a big blue button to generate a certificate this is a certificate for the apple push notification service any management tool that wants to manage mac os or ios needs to divert all their management traffic through the systems of apple for this system there's a signed certificate needed that's valid for one year and it's called the apple push notification service the following wizard will help us install this certificate we'll press the button generate new certificate and it will give us a p list file that we need to download so now that we have downloaded that file we need to press the button go to apple it will go to a website where we need to sign in with an apple id do not use your personal id in this only use something that is corporate related we have created an email address with an apple id for our company called apns at fonda.tech i'll sign in with an apple id that's right so we're now logged on to the apple push certificates portal we don't have any certificates here yet so we need to press the blue button create a certificate we need to accept the terms of use and we can add a note for this environment for example workspace 1 uem or fondo.tech here we need to upload the file we just downloaded from workspace 1 uem press open and upload it has been confirmed and a certificate has been created we'll press the download button and this download is being done to our local server we can go back to our workspace on uem environment press next upload the certificate we just generated in the apple pusher certificates portal save and enter the apple id that matches that certificate so apns and fondo dot tech we'll press save and as this is a major change to our environment we need to enter the admin pin we've created and as you can see the import has been successful and we now have a signed certificate on our own apns fondo.tech that is valid for one year 30 days before that year is up both apple and workspace 1 uem will start sending out emails to renew this certificate if you do not renew this your communication to all apple devices will come to and halt and you need to renew with this email address as well so now we press save and we should be ready to enroll an ios device so let's start with that so this is the screen of my ipad to start the enrollment we need the workspace 1 intelligenthub from vmware in this case we can open the app store to download it open the app store press search and search for intelligent hub it is the icon on the top right i will press download so now that the hub is done downloading we'll open the application so you can start the enrollment in three ways email address server or qr code we registered our fondo.tech domain so we can we should be able to use email address so i've entered my email address and let's press next here it will prompt me for my credentials these are my active directory credentials for our domain so now we already know that the validation went through and here it started an overview of information that the intelligenthub does and does not collect let's press next and allow notifications so during a manual enrollment this is what's supposed to happen a website will download a configuration profile that we need to allow press close go to settings and here you'll see a profile downloaded screen you press that button you need to install and type your access code for your ipad to install this profile when this is done we can go back to either the website or the hub and our enrollment should be successful we are asked to create a passcode for our workspace 1 intelligent hub environment so this is not a passcode for your device this is just a passcode to open the intelligent hub i'll agree to the terms and conditions and we'll see that this device is enrolled in a directory account and if we press this device it'll see that it's enrolled and normal connect normally connected so now that the device is successfully enrolled we can go to our devices tab you see that one device has been deployed go to list view you'll see my ipad or compress that you'll see some information about the ipad this means it is successfully enrolled now that we've enrolled an ipad let's also try to enroll a android device android studio is a piece of software that creates virtual android phones on your laptop i'll show you how easy it is to use them so i've started android studio and when you press configure press avd manager android virtual device press virtual device on the left side is selected a phone which is a good category for us and we'll select one that includes a play store and for example the pixel 3a i'll press next and here you can select what operating system it will run it can go from android 7 or up if you want this if you select for example android pi it will download the image in the next step in this case i've selected android q which is version 10. i can give my android virtual device a name for example fondo test and i would like to have it with a device frame when i press finish the device is being created i can press play and it will start an emulator with a virtual android device so this is a virtual android device that will react in the same way as any physical device would so it's now booting up for the first time now that the phone is started we also need the workspace one intelligent hub so in the play store we're also going to look for the intelligent hub press install and wait for the for the intelligent hub to download so now that it's done downloading i'll press open to open the intelligent help application so the same way we saw in ios here we can enter an email address server or qr code i'll do my email for auto discovery and it will see that fondo.tech is connected to the workspace on new environment uem environment that we've seen earlier i'll enter my active directory credentials to enroll the device settings will now be received from workspace on uem to this mobile device so in the background android will set up my work profile which is the way that google separates personal from corporate information so as you can see this device is successfully enrolled into workspace 1. if you press the define this device button you can see that at the enrollment tab that we're connected to the same server if we now open our workflows on uem console we got the list view so next to our ipad we also see the android device i just enrolled and we can open that to view some detailed information so during the enrollment of workspace 1 on the android device you saw a work profile that was set up so a separate container on the mobile device where all the copper data is in if you want to use a full work menace device there's a little trick you can use in android studio i will give you the details on that so to get android device work managed in android studio you first need to do a couple of things first you need to create a new virtual phone second enter your google credentials third download and install the workspace one intelligent hub so i've actually already prepared this so that's where i will start so you can see here that on my phone that i've installed the workspace one intelligent hub for now we won't enter any credentials but simply click it away and we're going to go to the settings of android we're going to go to accounts and we're going to remove the account we used to install the workstation one intelligent hub and then we're gonna click the home button again so next we're gonna go into the settings of android studio and we're gonna go to appearances and behavior system settings and android sdk so i'm going to copy the location of the sdk files next up i'm going to open a terminal window and i'm going to browse to the location of the sdk files however i'm adding one more folder which is called platform dash tools next i'm going to check if this terminal window can see that there's a device running so i'm pasting the command you cur you are currently seeing on your screen [Music] so terminal sees that my device is running and next i'm going to execute the following command [Music] this command actually sets the owner type of the device so you can see now that the active owner is set to admin make sure to reboot the phone before continuing once your phone has finished rebooting it will automatically start the workspace one intelligent hub and you can put in your email address [Music] after you click next the workspace 1 will start searching for the correct talent and you can see that now it's saying verifying group identifier next it's going to ask me for my credentials and now the enrollment is in process this might take a while so after that you're going to see the privacy privacy message i will select i understand and then i will also share my data with vmware so now it's pulling up the enrollment settings uh depending on the profiles you've created this will either become a workbench device or a corporately owned privately enabled device as we currently don't have any profile setup it will become a work account or a work managed device now i can see that this it has successfully enrolled my device so it's still setting up a couple of things and you will end up in this screen right here um this might not be the same as you've previously seen in a demo but that is due to the fact that we haven't configured hub services which we will do in the next episode so now we are done enrolling our android phone as work managed into our workspace one environment so next up is windows 10 if you want to follow along you are going to need two machines the first machine you can install and create a user everything get completely up and running make sure also to activate the machine this will allow all the api function functions to work properly and the second machine you can install but as soon as it prompts you for cortana or a license key or a account creation leave it at that screen don't do anything just pause the machine if you're using fusion um we'll pick it up later in this episode so let's dive in so right here i've got the consumer light machine so i've created a user account and everything it's completely up and running and i'm gonna go to a url it's called get ws1.com and i'm gonna download the hub for windows 10. so as soon as the airwatch agent or the workspace 1 agent has landed on the system i can execute it and start installing it for now i'm going to leave everything default so now it is finished i don't need to look at the log and as soon as it's finished i'm gonna search for the workspace one intelligenthub i'm gonna put in my email account and put in my username and password [Music] i will agree to share information with vmware to make the experience even better and that's done we've successfully enrolled our windows 10 device into our environment so here you can see overview we don't have a compliancy set enabled currently and as we don't have hub services configured there's no real end user portal to be seen yet we will do this in the next episode so for now i'm going to leave this machine and i'm actually going to go back into the console i'm going to create a factory provisioning template but first i need the enrollment details so i'm going to go to groups and settings all settings i'll choose devices i'm going to choose windows and then windows desktop and then i'm going to choose staging and provisioning here you can see the enrollment details of our environment i'll quickly make a screenshot out of this so we can use that later then i'm going to close the settings menu i'm going to go back to devices i'm going to choose lifecycle and i'm going to choose staging and then i'm going to select windows the console will quickly refresh and afterwards you are able to create a new factory provisioning template [Music] so after i've put in the description i'm going to let next optionally you can set a password on the package which will be generated at the end of this wizard but for now i'm going to keep it default and don't have a password on there next up i can modify all the settings um in my scenario i want to go with a consumer-like deployment so i'm going to select workgroup going to leave all these settings defaults i'm going to enter a workgroup name i'm gonna register a owner and a register a organization computer name you can leave that blank it will randomly choose one and as i want to have a consumer look and feel i'm not going to remove the consumer apps i am going to put in a license key and this will make sure that all the apis from windows 10 are available as soon as the system boots up for the first time as i want to have a consumer look and feel i want the end user to be able to create their own account and password so i'm going to leave this at no i am going to create an admin account for um for workspace 1 and so that we can use it later on let me see you're going to leave the user account control disabled and optionally i could add a couple of commands which i would have which i want to have executed at first boot next up i'm going to enter the enrollment details so the enrollment server is cn 1300 in our case [Music] awmdm.com [Music] let me see so i've put in our enrollment server i select the organizational group you can see this normally in the top of your console and i've added in the staging account which we searched earlier for in the settings and i'm going to select next so right now we don't have any applications installed in our in our environment so um optionally later on we can go back and edit this profile and add a couple of applications so right now i'm going to turn this off i'm going to select next and i'm going to say save and export so right now the status is queued when this is finished it will generate two files which you can download to your local local machine and then we'll jump to our second windows machine which we left untouched after installation and that's where we are going to use these two files together with a fling you can download from the my vmware website and we'll put a link in the description below for this second windows machine we're going to do something special we're going to create a factory provisioning profile which will give us a out of the box experience for the end user with workspace one so let's begin so you're going to need a windows 10 fresh installation as you can see this is the first prompt i'm getting with this version of windows windows 10 and i'm going to put in the command you are currently seeing on your screen so the machine is going to reboot and it's going to come back in audit mode audit mode is a special sysprep mode where any changes you make during that well windows is in that mode these all these jigs will be persistent uh after the syspro so while this is rebooting we're actually going to need two other things so let me get my browser if you're following along you can go to my workspace one and search while you're logged on for the provisioning tool and download the most recent one for me this is 2.3.2 i've already downloaded the most recent version of the provisioning tool so i'm going to go ahead with the next step which is the creation of the factory provisioning template i'm going to go back to the uem console and before i start creating the profile i'm going to go to groups and settings all settings devices and users i'm going to go to windows select windows desktop and then select staging and provisioning so we're actually going to stage the device on our generic account while we're enrolling the device into our environment and then the user will get a pop-up asking them to register the device for uh for their use so we're going to need a couple of things from the screen so we're going to need the password and the account for uh for getting the device into staging which is in our case staging at fundotech.com uh with a password and we need the enrollment service url so i'm gonna use a text file over here and i'm gonna leave this be so i'm gonna close the settings window and i'm gonna go to devices i'm gonna go to lifecycle and then i'm gonna go to staging and then i'm gonna go to windows the screen will quickly refresh and this is where we're going to create our factory provisioning template i'm gonna select new assign a name to the package in our case fondo tech factory profit [Music] shooting [Music] and then i'm gonna select next optionally you can also set the password on the package which will be created at the end of this wizard uh but i'm gonna keep it a default and then i'm gonna select next so right here i'm gonna make a couple of changes to get the most prettiest of the out-of-the-box experiences uh which is in my case from my point of view a out-of-the-box experience where the end user can select a a personal username and password and then later on enroll the device so i'm gonna select the word group instead of a domain join i'm gonna hide all these steps in the out of the box experience and then i'm gonna select a work group and a registered owner and of course say organization name computer name i'm to leave blank it will randomly assign a computer name i'm going to put in my registry key our product key this will make sure that all the api functions are working from the from the very first start i'm actually not going to create a local user so this is what triggers the account creation for the end user but i am gonna create a local admin account with a password i will assigned i'm going to leave user account control disabled optionally i can add some a couple of quants and this is where i'm going to put in the data i've collected earlier so i'm going to put in the account and the password and of course our enrollment server and the enrollment og stands for organization group and can be found at the top of your console in our case this is fondotec [Music] next up i'm gonna select next in our scenario we currently don't have any applications we will do this in the next episode so i'm gonna turn this off for now we can always go go back and edit this profile i'm going to select next and i'm going to select save and export so this might take some time but in the background there are two packages being created a ppkg file and a xml answer file so when these are done you can refresh the page so when these are done you're gonna go download these packages and uh we are gonna go back to our machine once your uh ppkg file and your answer are downloaded and you've also downloaded the provisioning tool you can go back to your machine you've created earlier and which we put into audit mode if everything went correctly it would have been automatically signed on using the administrator account which is totally normal our advice is to quickly create a snapshot and to install the vmware tools and then afterwards copy all the files onto the desktop so let's take a look so right here you have my machine i have copied all the files onto the desktop and i'm going to launch the vmware provisioning tool next i'm going to select the apk ppkg file and the answer file i've downloaded and obviously i can say apps only but we didn't select any apps in our in our profile um and i can choose whether to restart at the at the end shut down or quit this app we're going to go with the restart function and i'm going to select apply full process next the apkg file will be unpacked and the answer file will be checked on validity and afterwards it will run through the complete uh sequence of all the different steps and when it's finished it's actually going to send out the sysprep command so i'll fast forward this bit um and i'll show you the end result in a minute once our machine has finished rebooting it's going to prompt the end user for a username and password so create one and for a couple of security questions and it's gonna finish up selling the account asking you for a couple of questions all right once it's finished setting up you probably have to wait a while but after a uh let's say a minute a pop-up will show up asking the end user to enter his corporate credentials if you are using a machine and it is giving you a pop-up for vmware tools asking you to reboot please cancel as this might disrupt the first time workspace one setup after a successfully setting up the device it's going to ask you for the credentials for for workspace one so i'm going to enter in my username and password and group id [Music] so it's going to say device registration complete and again ask you if you want to share the experience feedback with vmware i'll choose agree and now we've also successfully enrolled the device under the staging account the device will be moved from the staging account to the personalized credentials you can see that right here and um in our next video series episode we're going to configure the hub services uh which will provide the end user with a user portal and applications to select so that's it for windows 10 if you created a snapshot you can always go back to the snapshot and demo or test the factory enrollment again we'll move ahead to mac os for our last device we're going to enroll mac os i have freshly installed oversix and we're going to actually enroll the device from a user perspective so let's type in so we're going to go to get ws1.com and we're going to download the hub we're going to click continue and install and accept i'm going to create a password all right we're getting some alerts that's good i'm going to allow that close this and move this to the bin so apparently the workspace one intelligent hub will automatically start once again i'll click allow and i'll choose my email address for auto discovery this will search for our tenants next up i'm gonna put in my username and password yes click next so it's downloading the profiles we haven't really created any but we'll do it in the next episode it's making some changes it is going to ask for the workspace services profile which is the basic mdm profile all right so that's verified i'm going to select install and put in my password yeah there we go all right that seems to be done let me go back to the hub all right so we've successfully enrolled our device so currently uh we don't have any hub experience um as we need to configure the hub services and we'll do this in the next episode here we can see that everything went fine and the device is enrolled and connected to our environment so it's ready to be managed by workspace one so that's a wrap for this episode we've successfully enrolled windows 10 mac os ios and android so if you're following at home and you have questions email them to questions at fondo.tech and in the next episode we'll start configuring the hub services and we're going to create configuration profiles see you next time you

Info

Channel: Fondo

Views: 1,553

Rating: undefined out of 5

Keywords: Fondo, VMware, Workspace ONE, Huib Dijkstra, Joris Adriaanse, dijkstrah@vmware.com, joris.adriaanse@fondo.nl, dijkstrah, Training, End Using Computing, EUC, End User Computing, Hands On, WS ONE, AirWatch, Horizon, VDI, Mobility, Apple, Google, Samsung, Windows 10, MacOS, fondo.nl, fondo.tv, Mobile Security, Mobile Enrollment, Learn, Education, How to, Single Sign On, Security, Mobile security, Intune, Fondo TV, VMware Education, LiveFire, iOS, Assist, Unified Access Gateway, UAG, Techzone, WorkspaceONE

Id: wLe_Agwpr2c

Channel Id: undefined

Length: 42min 19sec (2539 seconds)

Published: Wed Aug 12 2020