In partnership with Dell Configuration Services, VMware Workspace ONE UEM supports creating provisioning packages to install applications and configurations on Dell Windows desktop devices prior to factory shipping.
The following guide outlines TestDrive's Workspace ONE UEM Factory Provisioning process in both the configured environment, wsuem.vmtestdrive.com, and the sandbox experience.
Before You Begin
You need the following before you begin:
- TestDrive account in portal.vmtestdrive.com
- A VM, running in VMware Fusion or VMware Workstation, or a supported Dell machine (contact your Dell Configuration Services representative). This guide presumes the device is a VM.
- Windows 10 Pro x64 VM in audit mode OVA or build your own VM using this ISO.
TestDrive account with an enabled Office 365 service are required for access.
- Either the Workspace ONE UEM service (configured environment) or Workspace ONE UEM Sandbox Experience service enabled in portal.vmtestdrive.com
- Admin role:
- Configured Environment: Intelligence & Tenant Administrator at TestDrive
- Sandbox Experience: Console Administrator at <sandbox>
- USB drive (not required but ideal for staging files for the Factory Provisioning Tool)
- Review documentation at docs.vmware.com.
Dell Provisioning for VMware Workspace ONE UEM allows both Dell and VMware customers to have virtually zero IT touch and virtually zero user downtime.
Windows has a feature to create provisioning packages (configuration containers for device settings) that lets admins quickly and efficiently configure a device without having to install a new image. Now VMware Workspace ONE UEM customers can use small PPKG files for capturing desired customizations. Dell Provisioning eliminates the need for customers to send an entire Windows image containing all of their Win32 apps to the factory, Dell. For more information see MSDN.
The primary benefit of Workspace ONE UEM's factory provisioning is that the PPKG can be reapplied automatically after a factory reset (device wipe) keeping this device in a production-ready state.
1 - Set up apps
- Setting up your apps is the foundation to package (PPKG) creation.
- Internal apps, uploaded in the console's Apps & Books section, are eligible for export to PPKG.
App setup follows the Workspace ONE UEM console's friendly and familiar internal app management flow.
- App deployments are currently supported for device context, not user.
- Apps with MSTs or MSPs will fail to deploy as those additional patches are for SG-specific deployment. Re-package or zip the app with the MST/MSP already included.
- Using your sandbox's Console Administrator admin role, at your "customer" OG level, navigate to Apps & Books > Native > click add application.
- Upload MSI, EXE, and ZIP files. Configure the required fields for Win32 app deployments like installation command, uninstall command, and detection. For more information on Win32 app configuration requirements, consult docs.vmware.com.
- Save and assign.
2 - Create Configuration File (unattend.xml) and PPKG
- Packages are, simply put, a collection of the Win32 applications with configurations that you require in your machine image.
- PPKG file creation is streamlined by Workspace ONE UEM's innovative Factory Provisioning Service.
- The configuration file (unattend.xml) creation screen contains helpful tool-tips for each available parameter.
- Workspace ONE UEM provides a convenient dashboard listing the provisioning package's configuration file (unattend.xml) and PPKG status and download links.
Workspace ONE UEM version 1811 introduces innovative functionality, via a wizard, that includes both creating the PPKG and the configuration file (unattend.xml). The Workspace ONE Configuration Tool for Provisioning is no longer needed.
Windows factory provisioning needs both the PPKG and the unattend.xml to install the image's apps and instruct the Sysprep process, respectively.
Create a provisioning package. Give it a name and description.
Next, set your parameters for the unattend.xml. If you already have a known-good unattend.xml, you may turn off this step (new feature) and proceed to creating your app PPKG.
The screenshots herein show a typical workgroup configuration. Workgroup join is the current supported configuration in wsuem.vmtestdrive.com. Wsuem.vmtestdrive.com will soon support Azure AD OOBE.
Restricted in the configured environment, the enrollment OG's system settings for Windows auto-enrollment is provided immediately below:
Enrollment Server: wsuemds.vmtestdrive.com
Enrollment OG: fps
Staging Account: email@example.com
Staging Account Password: 1AeSgn
Select the apps you want to export in the list of apps displayed on the dialog. Click Export and this will start exporting the PPKG. Be sure to NOT select the 2GB Microsoft Office for a demonstration.
Review your configurations.
Then save and export.
Your completed provisioning package will show up on the dashboard where status is viewed.
Note: If you see a Factory Provisioning Service error in your sandbox like the one pictured below, it's an environment issue. Please send a ticket to Workspace ONE Support. TestDrive user sandboxes are in VMware Shared SaaS environments.
After a few minutes (wait time increases as PPKG size increases), check back in the console for the unattend.xml and PPKG files. When ready, you'll see each available for download.
3 - Image Simulation & Sysprep
Now is the time when the IT admin would send the organization's PPKGs and unattend.xml files to Dell for imaging devices before they ship from the factory. The following section simulates the image process in a virtual machine.
To use Dell Provisioning for VMware Workspace ONE, you must participate in Dell Configuration Services. For more information, see https://www.dell.com/en-us/work/learn/system-configuration.
The Factory Provisioning Tool is used to simulate what happens at the factory. This tool sets up the VM with the PPKG and runs Sysprep which follows the unattend.xml's parameters. See the Factory Provisioning Tool's page for more information.
Use a Windows 10 Pro x64 VM. If you build your own Windows 10 Pro VM, you'll need enable audit mode. To enter audit mode, once Windows setup enters the OOBE phase:
- Fusion: shift+fn+control+F3
- Workstation: ctrl+alt+fn+F3
After successfully initiated, the machine will reboot into audit mode where you'll see a logged in desktop with Sysprep running.
Stage the following on the desktop (You'll need either a USB drive or VMware Tools installed in the VM.):
- Factory Provisioning Tool
Select the PPKG and unattend.xml. When running the tool, you have three (3) demo options:
- Apply PPKG Only
- Apply XML and Sysprep
- Apply PPKG, XML, and Sysprep
The third option is what most will want to do, as it will set up the machine (image) just as the OEM would do and also initiate a Sysprep with OOBE process for a hands free system configuration with Workspace ONE UEM enrollment.
The tool will display its progress in the lower bar. Note the download and installation of the Workspace ONE Hub (AirWatch Agent and the Workspace ONE app) as well as the apps you set up in the PPKG.
Next, the machine will run Sysprep and reboot.
After reboot, the machine will read the unattend.xml configuration, setting the device's system configuration and proceeding through enrollment with Workspace ONE UEM. Depending on your unattend.xml file's parameters, your login experience will vary.
With workgroup, log in with your user. Note the desktop wallpaper change, indicating the device's provisioning is underway. Soon you should be presented with an agent login. Log in one more time with your user in order to finalize device registration with Workspace ONE UEM, otherwise the device will remain with the staging user.
Due to the two below limitations, a comprehensive Workspace ONE app experience demo with SSO is not able be shown in the configured environment's factory provisioning OG at this time. Product improvements are underway.
- SAML isn't currently supported in the factory provisioning enrollment OG.
- A VMware Identity Manager improvement, pending in TestDrive, is needed to provide the Workspace ONE app's initial automatic configuration.
Now that you are enrolled, you may wish to move on to a Windows desktop endpoint demo. If so, please reference the Windows Desktop - Endpoint Management guide.
- Delete your device record.
When you're finished, be sure to delete your device record, as re-enrolling into a old device record may produce undesirable results.
In device details, click more actions > delete device.
- When troubleshooting PPKG installation, on the device the following two (2) locations should be viewed:
- Logs in C:\Dell
- Registry: HKEY_LOCAL_MACHINE\SOFTWARE\AIRWATCHMDM\AppDeploymentAgent
- Troubleshooting Sysprep:
- C:\Windows\System32\Sysprep\Panther\setuperr.log and Setupact.log.
- C:\Windows\Panther\setuperr.log and Setupact.log
- C:\Windows\Panther\Unattendgc\setuperr.log and Setupact.log
- Run services.msc and verify if the AirWatch service is running.
- Open TaskManager and verify if AwWindowslpc.exe is running.