
The idea of Modern Management has been around for quite some time. Using modern tools to manage Windows 10 in a manner similar to other mobile devices can offer a lot of flexibility and enhance both user experience and security.

Last year, more of our clients began asking about how to enhance their mobility platforms to better manage not just mobile devices, but Windows 10 devices as well. Workspace ONE is an excellent tool for doing just that, but many customers require tighter integration with the Microsoft stack, including Azure AD and the Windows Store.

I started on this path to test the automatic delivery of Windows Store applications to enrolled Windows 10 devices. Although some pretty good documentation already exists, I learned that certain key steps were a little ambiguous. The intent of this blog is to clarify and consolidate these steps to make deployment an easier exercise.

The procedure outlined below will walk you through the setup needed to support enrollment in Workspace ONE for a Bring Your Own (BYO) Windows 10 device, leveraging Azure AD integration and allowing for the automated deployment of Windows Store apps (as well as native Windows apps).

Although this blog only focuses on Windows 10 BYO in a pure Azure AD environment, next steps could introduce Autopilot, with out of the box enrollment capabilities, as well as leveraging conditional access policies for Office 365 applications.

Prerequisites and Requirements

  • Workspace ONE UEM 1810 or later (this blog is based on the Shared SaaS model—dedicated or named instances will require additional configuration)
  • Microsoft Azure AD Premium P1 or greater license – be sure the license is assigned to users in Azure AD
  • Administrative access to Workspace ONE UEM, Azure AD, and the Microsoft Store for Business console
  • A Windows 10 device or virtual machine used to test enrollment

Integrating Azure AD with Workspace ONE

To get started, we will need to configure integration between Microsoft Azure AD and Workspace ONE. This is started from the Workspace ONE console.

1. Log in to the Workspace ONE management console and navigate to Groups and Settings. Click on All Settings.

2. Click on Enterprise Integration.

3. Expand Enterprise Integration and select Directory Services. Since we are using pure Azure AD, we will leave Directory Type set to None.

4. Select Enable under both Azure AD Integration and Use Azure AD For Identity Services. The Directory ID will be provided in a later step, after it is obtained from Azure.

5. Capture the MDM discovery URL and the MDM Terms of Use URL. Both will be used to configure the “Airwatch” mobility application in Azure AD. The Tenant Name will be configured later, when Directory ID is configured. Since this is a pure Azure AD deployment, I will leave the Immutable ID Mapping Attribute at objectGUID. If using Azure AD Connect, and the sourceAnchor attribute was changed, please update this value to the sourceAnchor value used.

6. Head to your Microsoft 365 admin portal and sign in. Navigate to the Azure Active Directory admin center.

7. Select Azure Active Directory, then Mobility (MDM and MAM). Click on Add Application.

8. Select AirWatch by VMware.

9. Review the App details and click Add.

10. Return to the Mobility (MDM and MAM) screen and select AirWatch by VMware to edit the application.

11. Using the information gathered in step 5, type in the MDM terms of use URL and MDM discovery URL. Change the MDM user scope to Some to configure specific user groups in which this MDM app will be made available. Click on No groups selected.

Note: optionally All can be selected if all users will require the ability to enroll through Workspace ONE.

12. Select the applicable group(s) to add to the user scope and click Select.

13. Return to the application settings page and click Save.

14. Next, we need to ensure the Microsoft Intune MDM app does not attempt to supersede Workspace ONE. From the Mobility (MDM and MAM) screen, click Microsoft Intune.

15. Ensure both MDM user scope and MAM user scope are set to none.

16. To continue the Workspace ONE integration, we’ll need to obtain the Directory ID and the Domain Name. Navigate to Properties and copy down the Tenant ID value.

18. Return to the Workspace ONE UEM Console, under Directory Services. Type the Tenant ID into Directory ID. Scroll down and

Configure Microsoft Store for Business Integration

The next phase in Windows 10 BYO integration ties in the ability to deploy Microsoft Store Apps. Without this integration, Microsoft Store Apps are only available on-demand and cannot be automatically deployed to enrolled devices.

Microsoft Store applications can be licensed and deployed ‘offline’. This allows for additional flexibility in deployment, including the ability to directly deploy offline apps from Workspace ONE, without requiring connectivity to the Microsoft Store. It is recommended to enable this feature when integrating with MDM solutions. See here for more details.

1. Log in to the Microsoft Store for Business admin console here, and click Manage.

2. Navigate to Settings, then click on Distribute. Click on the Active action to ensure the AirWatch by VMware MDM tool is activated.

3. While still under settings, click on Shop and click to enable Show offline apps.

4. Next, an app must be added and made available within the Microsoft Store for Business, so that it can be deployed from Workspace ONE. For this example, we’ll use VMware Tunnel. Navigate to Shop for my group, type in VMware Tunnel and click on the search icon. Click on the VMware Tunnel app.

5. Select the appropriate license type, in this case Online, and click Get the app.

Add Microsoft Store Applications to Workspace ONE

Now that the Microsoft Store for Business is integrated with Workspace ONE, we can import all apps and configure the desired assignments.

1. Head to the Workspace ONE admin console and log in. From the main page, select APPS & BOOKS, then click on Native, and select Public. Click on ADD APPLICATION.

2. Select Windows Desktop as the Platform and select IMPORT FROM BSP. Click Next to continue.

Note: if the IMPORT FROM BSP option is not available, you will need to contact VMware support to have it enabled on your Workspace ONE UEM environment.

3. The import will bring in all applications currently available on the Microsoft Store for Business account. Note that VMware Tunnel is available. Click FINISH to continue.

4. Click OK after reviewing the notification regarding assignments.

5. Your apps will now appear in the Public Applications pane. Return to the Public Apps pane by selecting APPS & BOOKS, Native, then Public. Locate the recently added VMware Tunnel app and click Assign.

6. Assignments will need to be adjusted to configure device/user assignment as well as Auto or On Demand deployment. Provide the Name for the Assignment and click into the field to assign devices or users based on Smart Groups. I selected All Devices for simplicity. Change the App Delivery Method to Auto so that all devices receive this application automatically. Click Create.

7. Review the Assignment created and click Save. No devices will show up yet unless you already have Windows 10 devices enrolled. We are now ready to move onto enrolling Windows 10 BYO devices.

Enroll the Windows 10 Device in Azure AD and Workspace ONE

Now we take what was configured above and put it to the test. This is the final phase of preparing Windows 10 BYO devices for Workspace ONE enrollment leveraging Azure AD integration.

1. Since this is a BYO device, we will need to start by installing the Workspace ONE agent. This can be obtained from https://getwsone.com. Once downloaded, launch the installer and click Next.

2. On the next page, accept the EULA and click Next.

3. Click Install to install the Workspace ONE Intelligent Hub.

4. Click Finish to complete the install and restart the computer.

5. Next, the device will need to be joined to the Azure AD domain. To do so, navigate to Access work or school settings. This can be found by clicking on the Windows logo and typing in “work or school”. From the settings page, click Connect.

6. At the Microsoft account screen, provide the enrollment user’s email address / UPN. Click Next.

7. Type in the enrollment user’s password and click Sign in.

8. Select the correct Group ID and click Next.

9. Click OK to accept the notification that a Windows Hello Face, Fingerprint, or PIN will need to be created. This was already performed for this virtual machine.

10. The enrollment is now complete! Apps and profiles will begin their setup on the device. Click Done.

11. Verify Power BI has now been installed by logging into Windows and searching for VMware Tunnel. You will see that VMware Tunnel is available on this system.

12. We can also review the Workspace ONE console to see that VMware Tunnel has been successfully deployed to the device. From within the console, select Devices, then List View, and click on the recently added device.

13. Click on Apps and see that VMware Tunnel shows an App Status of Installed.

Note: it may take several minutes for this information to refresh.
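
The console view can also be cross-checked from the device itself. The PowerShell script below is an added example, not part of the original post or a VMware tool: run as the enrolled user, it parses the output of `dsregcmd /status` and confirms that the device is bound to the Tenant ID copied in step 16 and that the MDM URL it received is the Workspace ONE discovery URL from step 5 rather than another MDM such as Intune. The parameter names `ExpectedTenantId` and `ExpectedMdmDiscoveryUrl` are chosen here for illustration, and their values are ones you supply.

```powershell
param(
    [Parameter(Mandatory)] [string] $ExpectedTenantId,        # Tenant ID copied in step 16
    [Parameter(Mandatory)] [string] $ExpectedMdmDiscoveryUrl  # MDM discovery URL captured in step 5
)

# dsregcmd prints "Name : Value" lines; collect them into a hashtable.
$state = @{}
foreach ($line in (dsregcmd.exe /status)) {
    if ($line -match '^\s*([A-Za-z]+)\s+:\s+(.+?)\s*$') {
        $state[$Matches[1]] = $Matches[2]
    }
}

# An Azure AD joined device reports TenantId/MdmUrl; a registered
# (workplace-joined) device reports the Workplace* fields instead.
$joined     = $state['AzureAdJoined'] -eq 'YES'
$registered = $state['WorkplaceJoined'] -eq 'YES'
$tenantId   = if ($joined) { $state['TenantId'] } else { $state['WorkplaceTenantId'] }
$mdmUrl     = if ($joined) { $state['MdmUrl'] }   else { $state['WorkplaceMdmUrl'] }

# Compare hosts only, so a trailing slash or path difference does not cause
# a false failure. An empty MDM URL fails the check.
$mdmHostOk = $false
if ($mdmUrl) {
    $mdmHostOk = ([uri]$mdmUrl).Host -eq ([uri]$ExpectedMdmDiscoveryUrl).Host
}

$checks = [ordered]@{
    'Device joined or registered with Azure AD' = ($joined -or $registered)
    'Tenant ID matches expected Directory ID'   = ($tenantId -eq $ExpectedTenantId)
    'MDM URL host matches Workspace ONE'        = $mdmHostOk
}

$failed = 0
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    if (-not $ok) { $failed++ }
    '{0,-45} {1}' -f $name, $(if ($ok) { 'PASS' } else { 'FAIL' })
}
"Reported tenant ID: $tenantId"
"Reported MDM URL:   $mdmUrl"
exit $failed   # non-zero exit code = number of failed checks
```

A FAIL on the MDM URL check while the tenant check passes usually means the user fell outside the MDM user scope set in step 11, or another MDM app's scope (step 15) still covers them.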

Now as additional users elect to join Azure AD, they will receive configured applications and profiles automatically. Your Workspace ONE environment is now ready to onboard additional BYO users!
