In partnership with Dell Configuration Services, VMware Workspace ONE UEM supports creating provisioning packages to install applications and configurations on Dell Windows desktop devices prior to factory shipping.
The following guide outlines TestDrive's Workspace ONE UEM Factory Provisioning process in both the configured environment, testdrive.awmdm.com and the sandbox experience.
Before You Begin
You need the following before you begin:
- TestDrive account in portal.vmtestdrive.com
- Either the Workspace ONE UEM service (configured environment) or Workspace ONE UEM Sandbox Experience service enabled in portal.vmtestdrive.com
- A VMware Fusion/VMware Workstation Windows 10 Pro VM or a supported Dell machine (contact your Dell Configuration Services representative). This guide presumes the device is a VM.
- Windows 10 Pro 1803 VM OVA (temporarily unavailable) or download Windows 10 ISO from MSDN or Microsoft Volume License site.
- A USB drive to transfer provisioning package files and the tool to the VM.
- Windows machine must be connected to the Internet.
- Workspace ONE UEM administrator roles*:
- Intelligence & Tenant Administrator at TestDrive - Use for provisioning package management.
- Device Administrator at World Wide Enterprises - Use for device management.
*Due to provisioning functionality design and requisite admin access restrictions, two admin roles must be utilized in testdrive.awmdm.com.
- Dell Provisioning: VMware Workspace ONE Operational Tutorial
- Dell Provisioning product documentation
Dell Provisioning for VMware Workspace ONE UEM allows both Dell and VMware customers to have virtually zero IT touch and virtually zero user downtime.
Windows has a feature to create provisioning packages (configuration containers for device settings) that lets admins quickly and efficiently configure a device without having to install a new image. Now VMware Workspace ONE UEM customers can use small PPKG files for capturing desired customizations. Dell Provisioning eliminates the need for customers to send an entire Windows image containing all of their Win32 apps to the factory, Dell (For more information see MSDN.).
Dell Provisioning is valuable to enterprises as it allows the device to ship directly from Dell to the user, removing costly distributor, integrator, and IT touch steps. Furthermore, the provisioning package can be reapplied automatically after a factory reset (device wipe) keeping the computer in a production-ready state.
1 - Set up apps
- App setup follows the Workspace ONE UEM console's friendly and familiar internal app management flow.
- Internal apps, uploaded in the console's Apps & Books section, are eligible for export to PPKG.
App setup is the foundation to package (PPKG) creation.
- App deployments are currently supported for device context, not user.
- Apps with MSTs or MSPs will fail to deploy as those additional patches are for SG-specific deployment. Re-package or zip the app with the MST/MSP already included.
- Using your sandbox's Console Administrator admin role, at your "customer" OG level, navigate to Apps & Books > Native > click add application.
- Upload MSI, EXE, and ZIP files. Configure the required fields for Win32 app deployments like installation command, uninstall command, and detection. For more information on Win32 app configuration requirements, consult docs.vmware.com.
- Save and assign.
2 - Create Configuration File (unattend.xml) and PPKG
This video (5:46 min) shows the entire process, starting with creating the provisioning package to simulating the imaging process to the user working in Windows within Workspace ONE app! Additionally, the following troubleshooting steps are demonstrated in the video: profile troubleshooting, user cert verification via the MMC, and running mdmagent.exe.
Obviously, the linked video is edited. The process takes about between 15-18 minutes real time. Your results will vary, depending on machine resources, PPKG size, handiness with the USB drive, network performance, etc.
- Packages are, simply put, a collection of the Win32 applications with configurations that you require in your machine image.
- PPKG file creation is streamlined by Workspace ONE UEM's innovative Factory Provisioning Service.
- The configuration file (unattend.xml) creation screen contains helpful tool-tips for each available parameter.
- Workspace ONE UEM provides a convenient dashboard listing the provisioning package's configuration file (unattend.xml) and PPKG status and download links.
Dell Factory provisioning requires a pair of files, the PPKG and the unattend.xml. The PPKG contains the image's apps and the unattend.xml instructs the Sysprep process. Workspace ONE UEM contains an innovative UI wizard that guides the admin through creating both the PPKG and the unattend.xml files.
First, name the provisioning package. Description is optional.
Next, select your on-boarding type, Dell Factory Provisioning.
Next, on configurations, you'll set the parameters for the unattend.xml. The screenshots herein show a typical workgroup configuration. Testdrive.awmdm.com, being on the Internet, does not support AD domain join, therefore, Workgroup join is the current supported flow.
The configuration UI contains informative tool tips for each parameter. In the UI, click a for details. In the screenshots below, the Remove Windows 10 Consumer Apps tool tip is active.
In the configured environment, the Windows staging and provisioning system settings for Workspace ONE Enrollment are not accessible due to restrictions in the admin role. Use the Windows staging information provided below:
Enrollment Server: testdriveds.awmdm.com
Enrollment OG: corp
Staging Account: email@example.com
Staging Account Password: EN;1Uk
Proceed to the applications window. Select the apps needed in your package (PPKG).
TestDrive PPKG Creation Notes:
- Dell Command | Monitor is provided for users with supported Dell hardware. If you attempt to apply a PPKG with Dell Command | Monitor on something other than Dell hardware, e.g., a VM, the PPKG installation will fail.
- Keep the PPKG small for a live demo. For example, Office 365 Pro Plus is a large app (2 GB). Needles to say, because of its size, it's not recommended to put in a PPKG for a live demo.
Click next to proceed to the summary screen. Review your configurations.
Then save and export.
Note: If you see a Factory Provisioning Service error in your sandbox like the one pictured below, it's an environment issue. Please send a ticket to Workspace ONE Support. TestDrive user sandboxes are in VMware Shared SaaS environments.
Your completed provisioning package will show up on the dashboard. View its status.
After a few minutes (wait time increases as PPKG size increases), check back in the console for the unattend.xml and PPKG files. You'll need to refresh the page for the PPKG download link to update. When ready, you'll see each available for download.
3 - Image Simulation & Sysprep
Now is the time when the IT admin would send the organization's PPKGs and unattend.xml files to Dell for imaging devices before they ship from the factory. The following section simulates the image process in a virtual machine.
To use Dell Provisioning for VMware Workspace ONE in production, not as simulated herein, your organization must participate in Dell Configuration Services. For more information, see https://www.dell.com/en-us/work/learn/system-configuration.
The VMware Workspace ONE Provisioning Tool for Windows is a testing tool that's used to simulate what happens at the factory. This tool sets up the VM with the PPKG and runs Sysprep which follows the unattend.xml's parameters. Follow the below link to download the VMware Workspace ONE Provisioning Tool for Windows from My Workspace ONE:
Use a Windows 10 Pro x64 VM. If you build your own Windows 10 Pro VM, you'll need to enable audit mode. To enter audit mode, during Windows setup, when Windows enters the OOBE phase, do one of the following:
- Fusion: SHIFT+FN+CONTROL+F3
- Workstation: CTRL+SHIFT+F3 or CTRL+SHIFT+FN+F3 (on some laptops)
After successfully initiated, the machine will reboot into audit mode. The System Preparation Tool (Sysprep) will be running: ignore it.
Stage the following on the desktop. Here's where you need a USB drive.
- Provisioning Tool ZIP (extracted)
Remove USB drive after copying files.
Run VMwareWS1ProvisioningTool.exe (within the extracted ZIP).
Select the PPKG and unattend.xml. You have a couple of options to run:
- Apply Apps Only
- Apply Full Process
The second option is what you'll want to do for a typical demo, as it will set up the machine (image) just as the OEM would do and also initiate a Sysprep with OOBE process for a hands free system configuration with Workspace ONE UEM enrollment.
The tool will display its progress in the side status area.
After restart, the machine will read the unattend.xml configuration, setting the device's system configuration and proceeding through enrollment with Workspace ONE UEM. Depending on your unattend.xml file's parameters, your login experience will vary.
With workgroup, log in with your user. The device's Workspace ONE provisioning is already underway. Soon after login, you should be presented with Hub authentication. Log in with your user in order to finalize device registration with Workspace ONE UEM (If you don't log in, the device will remain with the staging user.).
After a successful Hub login, before proceeding to Workspace ONE demo, check for the user cert profile on the device, which, among the many other managed profiles, may not have landed on the device yet:
- In the console, check your device's profiles view for the installed user cert profile:
WWE - Windows - User Cert
- On the machine, open MMC, add certificates for user context, and look in the personal store. Verify if your user cert has been installed by Workspace ONE UEM. If it has not, wait. You can run the mdmagent command to sync the machine to console's device services.
Now the device is under Workspace ONE UEM management. For a deeper demo on your managed device, reference the Windows Desktop - Endpoint Management guide.
- Delete your device record.
When you're finished, be sure to delete your device record, as re-enrolling into the old device record may produce undesirable initial results for your demo.
In device details, click more actions > delete device.
- PPKG installation:
- Primary Log: C:\ProgramData\Airwatch\UnifiedAgent\Logs\PPKGFinalSummary.log
- Registry: HKEY_LOCAL_MACHINE\SOFTWARE\AIRWATCHMDM\AppDeploymentAgent
- Sysprep process:
- C:\Windows\System32\Sysprep\Panther\setuperr.log and Setupact.log.
- C:\Windows\Panther\setuperr.log and Setupact.log
- C:\Windows\Panther\Unattendgc\setuperr.log and Setupact.log