In partnership with Dell Configuration Services, VMware Workspace ONE UEM supports creating provisioning packages to install applications and configurations on Dell Windows desktop devices prior to factory shipping.
The following guide outlines TestDrive's Workspace ONE UEM Factory Provisioning process in both the configured environment, wsuem.vmtestdrive.com, and the sandbox experience.
Before You Begin
You need the following before you begin:
- TestDrive account in portal.vmtestdrive.com
- Either the Workspace ONE UEM service (configured environment) or Workspace ONE UEM Sandbox Experience service enabled in portal.vmtestdrive.com
- A VMware Fusion/VMware Workstation Windows 10 Pro VM or a supported Dell machine (contact your Dell Configuration Services representative). This guide presumes the device is a VM.
- Windows 10 Pro 1803 VM OVA (temporarily unavailable) or download Windows 10 ISO from MSDN or Microsoft Volume License site.
- A USB drive to transfer provisioning package files and the tool to the VM.
- Admin role:
- Workspace ONE UEM Configured Environment: Intelligence & Tenant Administrator at TestDrive
- Workspace ONE UEM Sandbox Experience: Console Administrator at <sandbox>
- Documentation at docs.vmware.com.
Dell Provisioning for VMware Workspace ONE UEM allows both Dell and VMware customers to have virtually zero IT touch and virtually zero user downtime.
Windows has a feature to create provisioning packages (configuration containers for device settings) that lets admins quickly and efficiently configure a device without having to install a new image. Now VMware Workspace ONE UEM customers can use small PPKG files for capturing desired customizations. Dell Provisioning eliminates the need for customers to send an entire Windows image containing all of their Win32 apps to the factory, Dell (For more information see MSDN.).
Dell Provisioning is valuable to enterprises as it allows the device to ship directly from Dell to the user, removing costly distributor, integrator, and IT touch steps. Furthermore, the provisioning package can be reapplied automatically after a factory reset (device wipe) keeping the computer in a production-ready state.
1 - Set up apps
- Setting up your apps is the foundation to package (PPKG) creation.
- Internal apps, uploaded in the console's Apps & Books section, are eligible for export to PPKG.
App setup follows the Workspace ONE UEM console's friendly and familiar internal app management flow.
- App deployments are currently supported for device context, not user.
- Apps with MSTs or MSPs will fail to deploy as those additional patches are for SG-specific deployment. Re-package or zip the app with the MST/MSP already included.
- Using your sandbox's Console Administrator admin role, at your "customer" OG level, navigate to Apps & Books > Native > click add application.
- Upload MSI, EXE, and ZIP files. Configure the required fields for Win32 app deployments like installation command, uninstall command, and detection. For more information on Win32 app configuration requirements, consult docs.vmware.com.
- Save and assign.
2 - Create Configuration File (unattend.xml) and PPKG
This video (5:46) shows the entire process, from creating the package all the way to using the Workspace ONE app on the enrolled Windows 10 machine! Also, the following troubleshooting steps are demonstrated: profile troubleshooting, user cert verification via the MMC, and running mdmagent.exe.
Obviously, the video is edited. Actual time is about 15-18 minutes, depending on machine resources, handiness with the USB drive, network performance, and general provisioning time.
- Packages are, simply put, a collection of the Win32 applications with configurations that you require in your machine image.
- PPKG file creation is streamlined by Workspace ONE UEM's innovative Factory Provisioning Service.
- The configuration file (unattend.xml) creation screen contains helpful tool-tips for each available parameter.
- Workspace ONE UEM provides a convenient dashboard listing the provisioning package's configuration file (unattend.xml) and PPKG status and download links.
Windows factory provisioning needs a pair of files, the PPKG and the unattend.xml, which, first, install the image's apps and, second, instruct the Sysprep process. Workspace ONE UEM contains an innovative UI wizard that guides the admin through creating both the PPKG and the configuration file (unattend.xml).
Create a provisioning package. Give it a name and description.
Next, set your parameters for the unattend.xml. If you already have a known-good unattend.xml, you may turn off this step and proceed to creating your app PPKG.
The screenshots herein show a typical workgroup configuration. Workgroup join is the current supported configuration in wsuem.vmtestdrive.com.
The configuration UI contains informative tool tips for each parameter. In the UI, click a for details. In the screenshots below, the Remove Windows 10 Consumer Apps tool tip is active.
In the configured environment, the staging and provisioning system settings for Windows are not accessible due to restrictions in the admin role. These bulk provisioning settings are provided below for your convenience:
Enrollment Server: wsuemds.vmtestdrive.com
Enrollment OG: corp
Staging Account: email@example.com
Staging Account Password: ?PPov4
Proceed to the applications window. Select the apps needed in your package (PPKG).
- Dell Command | Monitor is provided for users with supported Dell hardware. If you are not using supported Dell hardware, do not select it.
- Office 365 Pro Plus is a large app (2GB). Because of its size, it's not suitable for a live demo.
Click next to proceed to the summary screen. Review your configurations.
Then save and export.
Note: If you see a Factory Provisioning Service error in your sandbox like the one pictured below, it's an environment issue. Please send a ticket to Workspace ONE Support. TestDrive user sandboxes are in VMware Shared SaaS environments.
Your completed provisioning package will show up on the dashboard. View its status.
After a few minutes (wait time increases as PPKG size increases), check back in the console for the unattend.xml and PPKG files. You'll need to refresh the page for the PPKG download link to update. When ready, you'll see each available for download.
3 - Image Simulation & Sysprep
Now is the time when the IT admin would send the organization's PPKGs and unattend.xml files to Dell for imaging devices before they ship from the factory. The following section simulates the image process in a virtual machine.
To use Dell Provisioning for VMware Workspace ONE in production, not as simulated herein, your organization must participate in Dell Configuration Services. For more information, see https://www.dell.com/en-us/work/learn/system-configuration.
The Workspace ONE Provisioning Tool is a an experimental testing tool that's used to simulate what happens at the factory. This tool sets up the VM with the PPKG and runs Sysprep which follows the unattend.xml's parameters. Follow the below link to for tool requirements, terms acceptance, and download.
Use a Windows 10 Pro x64 VM. If you build your own Windows 10 Pro VM, you'll need to enable audit mode. To enter audit mode, during Windows setup, when Windows enters the OOBE phase, do one of the following:
- Fusion: SHIFT+FN+CONTROL+F3
- Workstation: CTRL+SHIFT+F3 or CTRL+SHIFT+FN+F3 (on some laptops)
After successfully initiated, the machine will reboot into audit mode. The System Preparation Tool (Sysprep) will be running: ignore it.
Stage the following on the desktop. Here's where you need a USB drive.
- Provisioning Tool ZIP (extracted)
Remove USB drive after copying files.
Run VMwareWS1ProvisioningTool.exe (within the extracted ZIP).
Select the PPKG and unattend.xml. You have a couple of options to run:
- Apply Apps Only
- Apply Full Process
The second option is what you'll want to do for a typical demo, as it will set up the machine (image) just as the OEM would do and also initiate a Sysprep with OOBE process for a hands free system configuration with Workspace ONE UEM enrollment.
The tool will display its progress in the side status area.
After restart, the machine will read the unattend.xml configuration, setting the device's system configuration and proceeding through enrollment with Workspace ONE UEM. Depending on your unattend.xml file's parameters, your login experience will vary.
With workgroup, log in with your user. Note the desktop wallpaper change, indicating the device's provisioning is underway. Soon after login, you should be presented with Hub authentication. Log in with your user in order to finalize device registration with Workspace ONE UEM (If you don't log in, the device will remain with the staging user.).
After a successful Hub login, before proceeding to Workspace ONE demo, check for the user cert profile on the device, which, among the many other managed profiles, may not have landed on the device yet:
- In the console, check your device's profiles view for the installed user cert profile:
WWE - Windows - User Cert
- On the machine, open MMC, add certificates for user context, and look in the personal store. Verify if your user cert has been installed by Workspace ONE UEM. If it has not, wait. You can run the mdmagent command to sync the machine to console's device services.
For a deeper demo on your managed device, reference the Windows Desktop - Endpoint Management guide.
- Delete your device record.
When you're finished, be sure to delete your device record, as re-enrolling into a old device record may produce undesirable results.
In device details, click more actions > delete device.
- When troubleshooting PPKG installation, on the device the following two (2) locations should be viewed:
- Primary Log: C:\ProgramData\Airwatch\UnifiedAgent\Logs\PPKGFinalSummary.log
- Registry: HKEY_LOCAL_MACHINE\SOFTWARE\AIRWATCHMDM\AppDeploymentAgent
- Troubleshooting Sysprep:
- C:\Windows\System32\Sysprep\Panther\setuperr.log and Setupact.log.
- C:\Windows\Panther\setuperr.log and Setupact.log
- C:\Windows\Panther\Unattendgc\setuperr.log and Setupact.log