Windows Desktop - Endpoint Management

In this comprehensive walkthrough, you'll see how to demonstrate a Windows 10 desktop and VMware Workspace ONE.

The corporate-liable device use case utilizes the most Windows 10 management functionality.  Therefore, enrolling into the Enterprise - EMM Demo is the standard and also provides the context of this document.  However, enrolling into BYOD is also supported and is intended to show a Windows 10 PC being under very light management without restrictions. 

Before You Begin 

In order to complete a Windows Desktop walkthrough, you'll need the following:

  • A valid VMware TestDrive account. 
  • Enabled AirWatch service in the VMware TestDrive Portal.
  • Device: Windows 10 Enterprise, at least version 1607. Windows 10 Enterprise 1703 ISO is available  here (TestDrive Office 365 account required).
    • Maintain either a VM snapshot, or System Restore point on physical device, for a fast roll back.
  • Network access from your device and TCP ports 80 and 443 enabled on your local network.
  • VMware Workspace ONE installed from the Microsoft Store. 
  • For the console-side discussion, be sure you already have https://airwatch.vmtestdrive.com open, with the necessary console views already loaded in your browser's tabs. 

Introduction

In a traditional Windows environment, devices were managed through GPOs and complex systems management tools such as SCCM. With VMware AirWatch and Windows 10, configuration changes can be delivered in real-time, over-the-air, anywhere—not just when a system is on the corporate network. 

VMware AirWatch brings industry leading, lightweight EMM coupled with the capabilities of traditional client management functions into a comprehensive Windows desktop management solution. 

VMware AirWatch:

  • Provides advanced endpoint protection and security features like ensuring device compliance, protecting enterprise data and apps, setting BitLocker encryption, managing device password, controlling Windows Firewall and AntiVirus, setting device restrictions, and collecting location information. 
  • With VMware Workspace ONE delivers a unified catalog experience to not only empower users to have all apps (desktop, virtual, web, and native) in one collection, but more importantly, provide secure and streamlined access to these apps. 

Enrollment

Talking Points

  • VMware AirWatch supports several admin friendly and user friendly enrollment methods including the recommended direct agent enrollment, OOBE, and native enrollment. 
  • Searching for the enrollment area in settings, entering the server name (when there's no WADS, which is administrative overhead in itself), and waiting for the agent to install post-enrollment are all things of the past. 

Agent enrollment is the recommended enrollment method and is supported in all scripted demos.  From a browser, go to https://awagent.com and initiate enrollment with the AirWatch agent.  

Download and install the agent.  If prompted, install the Microsoft Visual C++ libraries.   

When the agent opens, chose email enrollment, and enter your enrollment email address in the following format:

<username>@<company>.vmtestdrive.com

Proceed thru enrollment, choosing your enrollment Organization Group (OG) when prompted, either Enterprise - BYOD Demo or Enterprise - EMM Demo.  

Enterprise - EMM Demo contains the greatest functionality showcase and is, therefore, the standard.  In addition to basic management, it contains wallpaper via product provisioning, Windows Information Protection (WIP), an automatically deployed Horizon Client via software distribution over CDN, system restrictions, App Locker, BitLocker, and administrator-managed Windows Updates.  As mentioned in the introduction, this document entails the EMM demo.

Enterprise - BYOD Demo  is available to show organizations that they can support the BYO use case, which is sensitive to a user's privacy where restrictions of any type would be considered intrusive on a personal device.

Note: Both BYOD and EMM offer optional profiles that may be manually pushed to your device as needed.  

Authenticate using SAML provided by VMware Identity Manager.  Input your credentials as listed below:

User name: {TestDrive username}

Password: {Testdrive password}

After successful authentication, click next to complete enrollment. 

Check your device in the console and note that enrollment is complete!  In contrast, with native enrollment through Windows's Settings, the user must wait for the the agent to install.

VMware AirWatch Console Overview

Talking Points

  • An enrolled device will receive a set of automatically delivered profiles. Those profiles represent a baseline configuration how the PC should be set up, and additional profiles can be applied to meet specific requirements. 
  • Profiles are the settings, when combined with compliance policies, the help enforce organizational security policies. 
  • Passcode, Wi-Fi, per-app VPN, certificate issuance, app whitelist/blacklist, and device restrictions are just a few profile types that may be created for Windows 10. 

Go to profiles on the left-side console menu.  In "Search List," enter "WWE - W10 -" to quickly filter your view to only list Windows 10 desktop profiles.

Click through individual profiles to see review its payload.  

Use the pre-configured "optional" device profiles as needed.

Switch to your browser tab open with the device list.  Find your device by filtering by your username.  Drill into your device details and discuss profiles, apps, content and other features your audience would find important.  

On the profiles tab, note the installed statuses and the assignment types, automatic vs optional, using optional profiles to aid your discussion. 

Find the Troubleshooting menu off of the More tab.

Discuss how VMware AirWatch enables the administrator to see real-time event logs—just as one would with SCCM—right in the VMware AirWatch console.  Both events and command statuses can be readily accessed in real time! 

VMware Workspace ONE

Talking Points

  • VMware Workspace ONE is the enterprise platform that enables organizations to deliver a digital workspace that empowers users to securely bring the technology of their choice—devices and apps—without sacrificing productivity or security at a cost the business needs. 
  • Unified app catalog transforms employee on-boarding.  Simply downloading the Workspace ONE app on the PC (or any platform) provides employees with a complete, self-service enterprise app catalog that can be easily customized and branded for your organization.
  • Delivers any application from the latest mobile cloud apps to legacy enterprise apps. Simple, one-stop access to all apps: native, web, virtual, VDI, and RDS apps! 
    • Internal web apps through a secured browser and seamless VPN tunnel 
    • SaaS apps with SAML-based SSO and provisioning framework 
    • Native public mobile apps through brokerage of public app stores 
    • Modern Windows apps through the Windows Business Store 
    • Legacy Windows apps through Win32 package delivery
  • Single Sign-On (SSO) that federates the most complex on-premises Active Directory topologies and support for multi-factor authentication, like RSA.     

Launch Workspace ONE and enter TestDrive's VMware Identity Manager instance name:

wsone.vmtestdrive.com

Click Next, and then enter your TestDrive credentials. 

After authenticated, wait for Workspace ONE to set up.

Once inside Workspace ONE, review both the Bookmarks and Catalog areas.  From Workspace ONE's bookmarks review the simplicity of creating bookmarks to VDI, RDSH, web, and Thin Apps from the Catalog.

Be sure the mention the Win32 apps seen within the Catalog and mention details on those are coming up.

Go over the rapid and seamless access Workspace ONE provides for VDI, RDSH, and Thin Apps.  Choose a VDI, like the NVDIA GRID desktop for your region, and allow Horizon to open it.   You can also show bookmarking.

Also review the support of legacy Windows apps, like Internet Explorer 6.  Many organizations still need to support legacy web apps and Workspace ONE makes it available in a snap.

Launch the IE 6 Thin App. (Your "Bookmarks" will vary from the screenshot.)

Discuss how users have fast and seamless access to a critical system only available thru a legacy browser.

Win32 Software Distribution over CDN

Talking Points

  • No longer do PCs need to be tied to local area network (LAN) computer management systems for native Win32 app management.  Both Windows 10 desktops and Windows 10 mobile devices can now have Win32 apps managed over-the-air (OTA) by VMware AirWatch.
  • AirWatch provides a variety of different application distribution options to meet the variety of installation scenarios found in an enterprise.  The application deployment framework supports MSI, EXE and ZIP based deployments, public apps from the Windows Store, as well as, complex script-based applications through product provisioning.
  • Content Delivery Network (CDN) integration globally extends your organization's app deployment for fast and secure app delivery.

Windows's native VMware Horizon Client is configured to automatically deploy.  This app is delivered by VMware AirWatch's software distribution over CDN. 

VMware AirWatch's Win32 app distribution and management is doing the same thing that traditional LAN-based tools, like SCCM, have done with native apps—but VMware AirWatch is doing it over the air.  Devices no longer have to be tied to the organization's LAN.

Several Win32 apps are set up for software distribution.  From Workspace ONE's catalog, select the Win32 category to filter out the Win32 apps:
WS1-Win32.jpg

From the Workspace ONE Catalog, choose one of the Win32 apps and push it to the device.  Chrome or Firefox are good ones to use as their installs are relatively small-sized and place a shortcut on the desktop. The native app will silently install. 

Tip

You need a 64-bit Office 365 installation to show the upcoming WIP section.  You may use either the provided Office 365 install or one on your machine, but it must be a 64-bit Office 365 install to work with the WIP profile. 

The provided Office 365 Pro Plus ZIP is a 2 GB download/install.  Needless to say, given PC and network performance, installation can take a while.  Unless you are required to show the Office installation live, have your machine set up with Office 365 Pro Plus 64-bit before the demo. 

Apps delivered via software delivery are set up through the familiar AW workflow.  Though with Win32 apps, comprehensive deployment, install, dependency, detection, and uninstall settings are available to suit various complex app deployment needs.   

In the console, you can not only use the troubleshooting tab to view the status of the apps' installation command but also show that the app is being delivered from the globally-reaching CDN.

Product Provisioning

Talking Points

  • Product provisioning allows you to create products containing profiles, applications, and files/actions (depending on the platform). These products follow a set of rules, schedules, and dependencies as guidelines for ensuring your devices remain up to date with the content they need.  
  • Products allow for complete customization through scripting, rule sets, schedules, and dependencies for ensuring your devices remain configured and up to date.
  • Product Provisioning can be used for advanced, script-based app deployments. 

In TestDrive, the wallpaper that sets up in the corporate demo is managed via product provisioning. 

Note: Admin role design doesn't currently allow access to view the production file/action or product.  

 

Windows Information Protection (Data Protection)

Talking Points

  • Issue at hand: Industry estimates state up to 75% of corporate data loss is committed unintentionally.  WIP was built to address this issue. 
  • As the convergence of work and personal data on the same device accelerates, the risk of accidental data loss also increases through services that your organization does not and cannot control through traditional desktop management methods.
  • Windows Information Protection (WIP) works by whitelisting enterprise applications to give them permission to access enterprise data from protected cloud resources and networks.  
  • If end users move data to non-enterprise applications, actions and alerts can be triggered based on selected enforcement policies. 
  • The data protection profile encrypts enterprise data and restricts access to approved devices. Encryption is managed thru a certificate in the data protection profile. 

WIP Profile Summary

The TestDrive WIP profile has the following enterprise resources protected.  Use them as you see fit.

Native apps:

  • Microsoft Office 365 Pro Plus 64-bit
  • Dropbox

 Browsers:

  • Internet Explorer (32-bit & 64-bit)
  • Edge

 Websites:

  • TestDrive Office 365 Email
  • TestDrive Office 365 SharePoint 
  • TestDrive Office 365 OneDrive
  • Dropbox.com 

On the device, open Excel.  Sign in with your Office 365 email address.  While badges no longer appear either in or on the apps, WIP functionality is present. 

username@vmtestdrive.com 
E.g., cbabbage@vmtestdrive.com

Certificate authentication via VMware Identity Manager should authenticate you.  Accept the prompts.  (If using the provided Office 365 Pro Plus, it will not activate but will have all desired functionality.) 

Open the SharePoint document, CommittedSales.xlsx.  Open Other Workbooks > Site - VMware EUC - vmtsetdrive.com > Sales Workspace > Documents > CommittedSales.  

Copy sensitive content form the spreadsheet.

Open browser tab to a personal mail account, like Gmail, and attempt to paste the protected content.  AirWatch-managed WIP won't allow it. 

Open Wordpad.  Attempt to paste the clipboard. 

Notepad, on the other hand, is a protected app and content is permitted. 

In Excel, save the document to your desktop.  Note how the file can only be saved as a "Work" document type for the protected domain. 

Talking Point

  • Alternative WIP profiles can be configured for different user groups, where, for instance, an executive group would be granted the ability to save as either work or personal.

Go to your desktop and show the protected document badged with the briefcase icon indicating the document is protected.

Open either Edge or Internet Explorer. Go to mail.office365.com and enter your Office 365 email address.

Use the AirWatch-managed certificate when prompted.  VMware Identity Manager will sign you into your Office 365 mailbox.  

Open an email with an attachment.  Download the attachment to your desktop.  Note the ability to only save it as a protected work document.  Not only is the file under WIP policy, the organization's Office 365 site is too.  All of the organization's Office 365 site content is protected and any organizational site can be protected just the same. 

You can also open the Outlook native app, after a couple, quick wizard setup steps, and show that Outlook too is under the same WIP policy.  WIP protects both the organization's web and native mail! 

No matter what enterprise resource a document comes from, since it's protected, it's encrypted and can only be opened by other protected apps. 

Additional WIP Talking Points

  • Enforcement polices within the data protection profile allow the admin to set limits on what the user can do with protected data.  The most common and recommended enforcement polices are:  
    • Encrypt and Block Data  (This is the configuration.)
    • Encrypt data and allow user to move data to non-protected applications with an audit trail of any data transfer.  The user is warned that their actions will be audited.

Restrictions

Talking Points

  • For the corporate dedicated device, a restriction profile may be configured to prevent access to functions such as changing date/time, modifying VPN, changing user account settings, enabling Bluetooth, using Cortana, disabling VPN over cellular, unenrolling, and many other functions that may be seen as an either increased security risk, an increase in cost, or lessened productivity.   
  • Windows User Account Control (UAC) settings can be managed thru a Restrictions profile.  While this setting is an excellent safe guard to malicious app installations, in some organizations it creates a lot of unnecessary help desk calls. 
  • VMware AirWatch configures the native Windows AppLocker which prevents installation of undesirable apps by name, version, or publisher.  Conversely, apps may be whitelisted by name, version, or publisher to only allow those apps. 
  • Corporate branding can be extended to the desktop. 
  • Native security features such as Windows Firewall Updates and Windows Insider builds can be managed. 
  • With the combination of  WIP, App Locker, and restrictions profiles, a device can be fully managed and secured on the corporate network just as was done with the complex legacy tools. 

AppLocker

From the AirWatch console, in your device's details, push the "WWE - W10 - Block Netflix" AppLocker profile.

After the profile installs, which should be very quickly, go to the Microsoft Store and attempt to install Netflix.  The AirWatch-managed AppLocker profile will block the installation of Netflix.  

Organizations deploying very restrictive devices may wish to block the entire Microsoft Store.  To show this, from the console, you can remove the 'Block Netflix' profile and push the 'Block Store' profile.  This change should be able to be demonstrated live. 

In addition to UWP apps being able to be blocked, Windows executable, Windows installer, publisher, and script rules may also be configured with an AppLocker profile.

System Restrictions

Talking Points

  • In the restrictions profile with its various possible payloads, a significant number of restrictions that might have been set via Group Policy Objects (GPOs) in the past are available to be configured.
  • Configuration Service Providers (CSPs) are made available to be configured to emulate many of the options available through GPO.  

The "WWE - W10 - Restrictions CORP" profile automatically deploys. Open it to review its payload.  This profile contains restrictions for internet sharing, region settings, bluetooth, and Windows Updates (Check the profile's description for the payloads currently configured.).  

On the device, search for region settings.  AirWatch-managed policy should prevent changing them. Along with a red notification, settings will be grayed out.

From Search, enter "updates," to find the Windows Updates system setting.  Show both the configuration and restriction on the Windows Updates screen.  

Click the link "view configured update policies" to review the AirWatch-configured policies.

Windows Updates

Talking Points

  • Windows updates in the enterprise can take weeks or even months to be installed on an organizations entire fleet of PCs due to on-local-network requirements to reach distribution servers.  AirWatch and Windows 10 UEM use the simplicity of the cloud and Microsoft Update Service to deliver updates regardless of device location. 
  • Updates delivered through Microsoft Update can be controlled by AirWatch UEM. Options such as which “branch” to be on, as well as the ability to defer both quality updates and features allows granular control over when PCs get updates.
  • AirWatch allows the ability to set Active Hours for when updates should be applied to prevent users from canceling reboots, or allowing prevent reboot situations, or to schedule distribution when electricity is cheaper.
  • Administrative approvals can target different groups of updates to the right groups of users or PCs, to make sure that PCs are healthy and secure. 
  • WSUS servers can also augment AirWatch and be used for PCs that are always available on the corporate network.

In  airwatch.vmtestdrive.com, open Devices > Profiles & Resources > Profiles and search for "update." Select "WWE - W10 - Updates CORP" policy, open, and choose the Windows Updates payload.  

Per-app VPN

Talking Points

  • Device level VPNs are not able to distinguish between work, personal, and rogue apps on an endpoint and when active will enable traffic between the entire device and datacenter. VMware AirWatch per-app VPN capability enables app-level security so only entitled users with validated devices using authorized apps are able to access the datacenter.
  • Embedded VMware AirWatch Tunnel eliminates the need for a third-party VPN service and licensing fee ensuring that the service is delivered at a low TCO. 

IE uses the VMware Tunnel in per-app VPN.  Install the VMware Tunnel app from the Microsoft Store.  

In Workspace ONE, find the HR Form website.  Open it.

If your default browser is not already set to Edge, at the prompt, choose Internet Explorer.  If your default browser is set to Edge, use it to open the HR form.  It will fail. But then, copy the link and paste it into Internet Explorer. Accept the Tunnel certificate provided by Workspace ONE.  After accepting, the connection should succeed.  Internet Explorer will then load the internal HR form. 

The VMware Tunnel app's UI is designed to simply display Tunnel status. Enterprise server will not show connectivity until the enabled per app VPN app (Internet Explorer) connects. 

Compliance

Talking Points

  • The VMware AirWatch compliance engine can automatically monitor, notify, and take action on devices that not meet rules set up in compliance management. 
  • A Windows 10 compliance policy is capable of taking action on critical security items such as device last seen, encryption state, firewall status, automatic updates, OS version, passcode, and Windows Health Attestation. 
  • VMware AirWatch can manage Windows BitLocker Encryption on both physical and virtual machines.  A recovery key created during encryption is stored in the AirWatch Console and in the Self-Service Portal. 
  • For Windows Health Attestation, AirWatch pulls the necessary information from the device hardware and not the OS, compromised devices are detected even when the OS kernel is compromised. 

BitLocker

Talking Points

  • A VMware AirWatch profile encrypts the Windows 10 desktop device via native BitLocker encryption.  After disk encryption, the BitLocker encryption key is made available in the AirWatch console. If a device is lost and then recovered, with the BitLocker key readily available to the security team in the AirWatch console, potentially lost data can be recovered easily.
  • As of VMware AirWatch 9.1, BitLocker can also be managed with a password on devices without TPM.  BitLocker managed by a password, instead of TPM, enables disk encryption on devices without TPM, like VMs running in older versions of Fusion or Workstation. 

To demo BitLocker, from the console, push the  WWE - W10 - BitLocker-Passcode profile and follow the prompts: 

Check the Windows notification area.  You'll need to reboot the device.

After reboot, you'll need to set the BitLocker password...

...and then drive encryption will complete in the background.

Review the PC's BitLocker status in the console...

...and view the recovery key.

 

Health Attestation

In order to show Health Attestation, you must be using Workstation 14, Fusion 10.1, or a physical PC with the TPM enabled and Safe Boot enabled. In Workstation or Fusion, first encrypt the VM, then add a new device (Trusted Platform Module) and ensure that you have enabled UEFI and Secure Boot in Options > Advanced. 

Talking Points

  • It's a fact that some vulnerabilities compromise PCs prior to loading Windows, antivirus, and antimalware protections. Health attestation is able take measurements for things like Secure Boot, code integrity, BitLocker and boot manager and compare them against baselines stored in AirWatch. If a device is compromised, it can be addressed via the compliance engine. 
  • If a device falls out of compliance, notifications can alert admins, managers, and the user.  As well, customizable device actions can occur using the AirWatch compliance engine. 

The device sends the Health Attestation report to the VMware AirWatch console for enterprise health checks and potential compliance rule triggering.  

We can see here that Secure Boot is enabled, preventing a rootkit from compromising this PC prior to Windows booting up, and that BitLocker is seen as enabled at boot. Other security technologies that operate at boot are reported, and compliance policies can be defined to inform administrators that a PC has potentially be compromised. 

Enterprise Wipe

Discuss the need for both manual and automated enterprise wiping of a device.  Unlike a device wipe, an enterprise wipe will only remove the organization's data.  Any user data on the device, i.e., in teh BYO use case, in the cannot and will not be touched.  

From the console, issue an enterprise wipe on your device.  Show the device's notification of the wipe.

Discuss the removal of the organization's data.  Show native mail has been removed.  Or, better yet, show removal of the certificates from the MMC console certificates snap-in for a security-minded audience.

For Additional Support


Review Our Knowledge Base

Submit a Ticket

 

Have more questions? Submit a request

Please sign in to leave a comment.