Windows Desktop - Endpoint Management

In this comprehensive walkthrough, you'll see how to demonstrate a Windows 10 desktop and VMware Workspace ONE.

The corporate-liable device use case exercises the most Windows 10 management functionality. Therefore, the Enterprise EMM/Corp demo is the typical demo and the context of this document. However, enrolling into BYOD is also supported and is intended to show a device under very light management, without restrictions.

Walkthrough Summary

  • Prep
  • Overview
  • Enrollment from awagent.com
  • VMware Workspace ONE 
  • Win32 Software Distribution with CDN
  • Product provisioning
  • VMware AirWatch Console Overview
  • Windows Information Protection (Data Protection)
  • Restrictions: AppLocker and System Restrictions
  • Windows Updates
  • Per-app VPN
  • Compliance: BitLocker and Health Attestation
  • Enterprise wipe
    Prep

    In order to complete any Windows 10 Desktop walkthrough please verify you have the following:

    • A valid VMware TestDrive account. 
    • Device: Windows 10 Enterprise, at least version 1607, is recommended for a complete Windows desktop demo.
      • Windows 10 Enterprise - At least Version 1607 (Anniversary Edition) - Fully Updated
        • Not on Insider Preview.
        • For BitLocker encryption, the device must have TPM enabled and activated.
        • Windows 10 Pro supports all described functionality, except for AppLocker.
      • Windows 10 Enterprise 1703 ISO is available here (TestDrive Office 365 account required).
    • Maintain either a VM snapshot or System Restore point on physical device for a fast roll back.
    • Enable the AirWatch service from the My Services tab in the VMware TestDrive Demo Portal. Instructions are here.
    • Network access from your device and TCP ports 80 and 443 enabled on your local network.
    • Install VMware Workspace ONE from the Microsoft Store.  

    Overview

    In a traditional Windows environment, devices were managed through GPOs and complex systems management tools such as SCCM. With VMware AirWatch and Windows 10, configuration changes can be delivered in real-time, over-the-air, anywhere—not just when a system is on the corporate network. 

    VMware AirWatch brings industry leading, lightweight EMM coupled with the capabilities of traditional client management functions into a comprehensive Windows desktop management solution. 

    VMware AirWatch:

    • Provides advanced endpoint protection and security features like ensuring device compliance, protecting enterprise data and apps, setting BitLocker encryption, managing device password, controlling Windows Firewall and AntiVirus, setting device restrictions, and collecting location information. 
    • Combined with VMware Workspace ONE, delivers a unified catalog experience that not only empowers users to have all apps (desktop, virtual, web, and native) in one collection but, more importantly, provides secure and streamlined access to these apps.

    Enrollment

    VMware AirWatch supports direct Win32 agent enrollment.

    From a browser, go to https://awagent.com and initiate enrollment with the AirWatch agent. Users no longer need to search for and click through Windows Settings to enroll, enter server names, or wait for the agent to install post-enrollment.

    Download and install the agent.  If prompted, install the Microsoft Visual C++ libraries.   

    When the agent opens, choose email enrollment and enter your enrollment email address in the following format:

    <username>@<company>.vmtestdrive.com
    

    Proceed through enrollment, choosing your enrollment Organization Group (OG) when prompted: either Enterprise - BYOD Demo or Enterprise - EMM Demo.

    Enterprise - EMM Demo contains the greatest functionality showcase and is, therefore, the typical demo. In addition to basic management, it contains wallpaper via product provisioning, Windows Information Protection (WIP), an automatically deployed Horizon Client via software distribution over CDN, system restrictions, AppLocker, BitLocker, and administrator-managed Windows Updates. As mentioned in the introduction, this document covers the EMM demo.

    Enterprise - BYOD Demo  is available to show organizations that they can support the BYO use case, which is sensitive to a user's privacy where restrictions of any type would be considered intrusive on a personal device.

    Note: Both BYOD and EMM offer optional profiles that may be pushed down to your device as your demo demands.

    Authenticate using SAML provided by VMware Identity Manager.  Input your credentials as listed below:

    User name: {TestDrive username} 
    Password: {Testdrive password}
    

    After successful authentication, click next to complete enrollment. 

    Check your device in the console and note that enrollment is complete! In contrast, with native enrollment through Windows Settings, the user must wait for the agent to install.

    Admin Console Overview

    Talking Points 
    • An enrolled device will receive a set of automatically delivered profiles. Those profiles represent a baseline configuration of how the PC should be set up, and additional profiles can be applied to meet specific requirements.
    • Profiles are the settings that, when combined with compliance policies, help enforce organizational security policies.
    • Passcode, Wi-Fi, per-app VPN, certificate issuance, app whitelist/blacklist, and device restrictions are just a few of the profile types that may be created for Windows 10.

    Be sure you already have https://airwatch.vmtestdrive.com open, with the necessary console views already loaded in tabs, prior to the demo.

    Go to profiles on the left-side console menu.  In "Search List," enter "WWE - W10 -" to quickly filter your view to only list Windows 10 desktop profiles.

    Click through individual profiles to review their payloads.

    Use the pre-configured "optional" device profiles as needed.

    Switch to your browser tab open with the device list.  Find your device by filtering by your username.  Drill into your device details and discuss profiles, apps, content and other features your audience would find important.  

    On the profiles tab, note the installed statuses and the assignment types, automatic vs optional, using optional profiles to aid your demo. 

    Find the Troubleshooting menu off of the More tab.

    Discuss how VMware AirWatch enables the administrator to see real-time event logs—just as one would with SCCM—right in the VMware AirWatch console.  Both events and command statuses can be readily accessed in real time! 

    VMware Workspace ONE

    Talking Points

    • VMware Workspace ONE is the enterprise platform that enables organizations to deliver a digital workspace that empowers users to securely bring the technology of their choice—devices and apps—without sacrificing productivity or security at a cost the business needs. 
    • Unified app catalog transforms employee on-boarding.  Simply downloading the Workspace ONE app on the PC (or any platform) provides employees with a complete, self-service enterprise app catalog that can be easily customized and branded for your organization.
    • Delivers any application from the latest mobile cloud apps to legacy enterprise apps. Simple, one-stop access to all apps: native, web, virtual, VDI, and RDS apps! 
      • Internal web apps through a secured browser and seamless VPN tunnel 
      • SaaS apps with SAML-based SSO and provisioning framework 
      • Native public mobile apps through brokerage of public app stores 
      • Modern Windows apps through the Windows Business Store 
      • Legacy Windows apps through Win32 package delivery
    • Single Sign-On (SSO) that federates the most complex on-premises Active Directory topologies and support for multi-factor authentication, like VMware Verify and RSA.     

    Launch Workspace ONE and enter TestDrive's VMware Identity Manager instance name:

    wsone.vmtestdrive.com

    Click Next, and then enter your TestDrive credentials. 

    After authenticating, wait for Workspace ONE to set up.

    Once inside Workspace ONE, review both the Bookmarks and Catalog areas.  From Workspace ONE's bookmarks review the simplicity of creating bookmarks to VDI, RDSH, web, and Thin Apps from the Catalog.

    Be sure to mention the Win32 apps seen within the Catalog, and note that details on those are coming up.

    Go over the rapid and seamless access Workspace ONE provides for VDI, RDSH, and Thin Apps. Choose a VDI, like the NVIDIA GRID desktop for your region, and allow Horizon to open it. You can also show bookmarking.

    Also review the support of legacy Windows apps, like Internet Explorer 6.  Many organizations still need to support legacy web apps and Workspace ONE makes it available in a snap.

    Launch the IE 6 Thin App. (Your "Bookmarks" will vary from the screenshot.)

    Discuss how users have fast and seamless access to a critical system only available through a legacy browser.

    Win32 Software Distribution with CDN

    Talking Points

    • No longer do PCs need to be tied to local area network (LAN) computer management systems for native Win32 app management.  Both Windows 10 desktops and Windows 10 mobile devices can now have Win32 apps managed over-the-air (OTA) by VMware AirWatch.
    • AirWatch provides a variety of different application distribution options to meet the variety of installation scenarios found in an enterprise.  The application deployment framework supports MSI, EXE and ZIP based deployments, public apps from the Windows Store, and 
    • Content Delivery Network (CDN) integration globally extends your organization's app deployment for fast and secure app delivery.

    The VMware Horizon Client will be the first Win32 app that you see delivered in a corporate device enrollment.  This app was delivered by VMware AirWatch's software distribution over CDN. 

    Several Win32 apps are set up for software distribution. From Workspace ONE's catalog, search for apps with MSI, EXE, or ZIP as the suffix of their friendly name. These apps are your Win32 apps.

    VMware AirWatch is doing the same thing that traditional LAN-based tools, like SCCM, did with native apps—but VMware AirWatch is doing it over the air!  Devices no longer have to be tied to the organization's LAN!

    From the Workspace ONE Catalog, choose one of the MSIs or EXEs and push it to the device.  Chrome, Firefox, or FileZilla are good ones to use as their installs are relatively small-sized and place a shortcut on the desktop. The native app will silently install. 

    Tip

    You need a 64-bit Office 365 installation to demo the upcoming WIP section.  You may use either the provided Office 365 install or one on your machine, but it must be a 64-bit Office 365 install to work with the WIP profile. 

    The provided Office 365 Pro Plus ZIP is a 2 GB download/install. Needless to say, given PC and network performance, installation can take a while. Unless you are required to show the Office installation live, have your machine set up with Office 365 Pro Plus 64-bit before the demo.

    Apps delivered via software distribution are set up through the familiar AirWatch workflow, though with Win32 apps, comprehensive deployment, install, dependency, detection, and uninstall settings are available to suit various complex app deployment needs.

    In the console, you can not only use the troubleshooting tab to view the status of the apps' installation command but also show that the app is being delivered from the globally-reaching CDN.

    Product Provisioning

    Talking Points

    • Product provisioning allows you to create products containing profiles, applications, and files/actions (depending on the platform). These products follow a set of rules, schedules, and dependencies as guidelines for ensuring your devices remain up to date with the content they need.  
    • Products allow for complete customization through scripting, rule sets, schedules, and dependencies for ensuring your devices remain configured and up to date.
    • Product Provisioning can be used for advanced, script-based app deployments. 

    In TestDrive, the wallpaper applied in the corporate demo is managed via product provisioning.

    Note: Admin role design doesn't currently allow access to view the production file/action or product.  

    Windows Information Protection (Data Protection)

    Talking Points

    • Issue at hand: Industry estimates state up to 75% of corporate data loss is committed unintentionally.  WIP was built to address this issue. 
    • As the convergence of work and personal data on the same device accelerates, the risk of accidental data loss also increases through services that your organization does not and cannot control through traditional desktop management methods.
    • Windows Information Protection (WIP) works by whitelisting enterprise applications to give them permission to access enterprise data from protected cloud resources and networks.  
    • If end users move data to non-enterprise applications, actions and alerts can be triggered based on selected enforcement policies. 
    • The data protection profile encrypts enterprise data and restricts access to approved devices. Encryption is managed through a certificate in the data protection profile.

    WIP Profile Summary

    The TestDrive WIP profile has the following enterprise resources protected for demo usage.  Use them as you see fit. 

    • Native apps
      • Microsoft Office 365 Pro Plus 64-bit
      • Dropbox
    • Browsers
      • Internet Explorer (32-bit & 64-bit)
      • Edge
    • Websites
      • TestDrive Office 365 Email
      • TestDrive Office 365 SharePoint 
      • TestDrive Office 365 OneDrive
      • Dropbox.com

    On the device, open Excel.  Sign in with your Office 365 email address.  While badges no longer appear either in or on the apps, WIP functionality is present. 

    username@vmtestdrive.com
    E.g., cbabbage@vmtestdrive.com

    Certificate authentication via VMware Identity Manager should authenticate you.  Accept the prompts.  (If using the provided Office 365 Pro Plus, it will not activate but will have all desired functionality.) 

    Open the SharePoint document, CommittedSales.xlsx: Open Other Workbooks > Site - VMware EUC - vmtestdrive.com > Sales Workspace > Documents > CommittedSales.

    Copy sensitive content from the spreadsheet.

    Open browser tab to a personal mail account, like Gmail, and attempt to paste the protected content.  AirWatch-managed WIP won't allow it. 

    Open Wordpad.  Attempt to paste the clipboard. 

    Notepad, on the other hand, is a protected app and content is permitted. 

    In Excel, save the document to your desktop.  Note how the file can only be saved as a "Work" document type for the protected domain. 

    Talking Point

    • Alternative WIP profiles can be configured for different user groups, where, for instance, an executive group would be granted the ability to save as either work or personal.

    Go to your desktop and show the protected document badged with the briefcase icon indicating the document is protected.

    Open either Edge or Internet Explorer. Go to   mail.office365.com and enter your Office 365 email address.

    Use the AirWatch-managed certificate when prompted.  VMware Identity Manager will sign you into your Office 365 mailbox.  

    Open an email with an attachment.  Download the attachment to your desktop.  Note the ability to only save it as a protected work document.  Not only is the file under WIP policy, the organization's Office 365 site is too.  All of the organization's Office 365 site content is protected and any organizational site can be protected just the same. 

    You can also open the Outlook native app, after a couple, quick wizard setup steps, and show that Outlook too is under the same WIP policy.  WIP protects both the organization's web and native mail! 

    No matter what enterprise resource a document comes from, since it's protected, it's encrypted and can only be opened by other protected apps. 

    Additional WIP Talking Points

    • Enforcement policies within the data protection profile allow the admin to set limits on what the user can do with protected data. The most common and recommended enforcement policies are:
      • Encrypt and Block Data  (What was seen in the demo.)
      • Encrypt data and allow user to move data to non-protected applications with an audit trail of any data transfer.  The user is warned that their actions will be audited.

    Restrictions

    Talking Points

    • For the corporate dedicated device, a restriction profile may be configured to prevent access to functions such as changing date/time, modifying VPN, changing user account settings, enabling Bluetooth, using Cortana, disabling VPN over cellular, unenrolling, and many other functions that may be seen as either an increased security risk, an increase in cost, or lessened productivity.
    • Windows User Account Control (UAC) settings can be managed through a Restrictions profile. While this setting is an excellent safeguard against malicious app installations, in some organizations it creates a lot of unnecessary help desk calls.
    • VMware AirWatch configures the native Windows AppLocker which prevents installation of undesirable apps by name, version, or publisher.  Conversely, apps may be whitelisted by name, version, or publisher to only allow those apps. 
    • Corporate branding can be extended to the desktop. 
    • Native security features such as Windows Firewall Updates and Windows Insider builds can be managed. 
    • With the combination of WIP, AppLocker, and restrictions profiles, a device can be fully managed and secured on the corporate network just as was done with the complex legacy tools.

    AppLocker

    From the AirWatch console, in your device's details, push the "WWE - W10 - Block Netflix" AppLocker profile.

    After the profile installs, which should happen very quickly, go to the Microsoft Store and attempt to install Netflix. The AirWatch-managed AppLocker profile will block the installation of Netflix.

    Organizations deploying very restrictive devices may wish to block the entire Microsoft Store.  To demo this, from the console, you can remove the 'Block Netflix' profile and push the 'Block Store' profile.  This change should be able to be demonstrated live. 

    In addition to blocking UWP apps, Windows executable, Windows installer, publisher, and script rules may also be set up with AppLocker.
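To verify on the enrolled device what the "Block Netflix" or "Block Store" profile actually enforced, the following added example (not part of the original walkthrough or of any VMware tooling) reads the effective AppLocker policy, lists the packaged-app rules, checks for the deny-by-default pitfall, and tests the decision for an installed package. It assumes the in-box AppLocker cmdlets and Get-AppxPackage; the app name filter is a parameter.

```powershell
# Added example: audit the AppLocker policy delivered to this device and test a
# packaged (UWP) app against it. Run in an elevated PowerShell on the enrolled
# Windows 10 Enterprise device. Assumes the in-box AppLocker module
# (Get-AppLockerPolicy, Test-AppLockerPolicy) and Get-AppxPackage.
param(
    # Name pattern of the packaged app to test; Netflix is what the demo profile blocks.
    [string]$AppNameFilter = '*Netflix*'
)

# 1. Effective policy = local + MDM/GPO merged; take it as XML so the rule
#    collections can be inspected directly.
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
$appxCollection = $policyXml.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Appx' }

if (-not $appxCollection) {
    Write-Host 'No packaged-app (Appx) rule collection present: Store apps are not restricted by AppLocker.'
    return
}

Write-Host ("Appx collection enforcement mode: {0}" -f $appxCollection.EnforcementMode)
foreach ($rule in $appxCollection.FilePublisherRule) {
    Write-Host ("  {0,-6} {1} (SID {2})" -f $rule.Action, $rule.Name, $rule.UserOrGroupSid)
}

# 2. Caveat to check in every deny-style profile: once a collection is enforced
#    and contains any rule, AppLocker denies everything that does not match an
#    Allow rule. A profile carrying only "Deny Netflix" therefore blocks every
#    Store app unless it also carries an Allow-all rule.
$hasAllow = @($appxCollection.FilePublisherRule | Where-Object { $_.Action -eq 'Allow' }).Count -gt 0
if ($appxCollection.EnforcementMode -eq 'Enabled' -and -not $hasAllow) {
    Write-Warning 'Appx collection is enforced but has no Allow rule: all packaged apps will be denied by default.'
}

# 3. Test the decision for the target app if it is installed. Run it before the
#    profile is pushed (expect Allowed) and after (expect Denied) to show the change.
$pkg = Get-AppxPackage -Name $AppNameFilter
if (-not $pkg) {
    Write-Host "No installed package matches $AppNameFilter; install it first or pass -AppNameFilter."
    return
}
$policy = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $policy -Packages $pkg -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

A PolicyDecision of DeniedByDefaultRule (rather than Denied with a matching rule) is the signature of the missing Allow rule flagged in step 2.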

    System Restrictions

    Talking Points

    • In the restrictions profile with its various possible payloads, a significant number of restrictions that might have been set via Group Policy Objects (GPOs) in the past are available to be configured.
    • Configuration Service Providers (CSPs) are made available to be configured to emulate many of the options available through GPO. 

    The "WWE - W10 - Restrictions CORP" profile deploys automatically. Open it to review its payload. This profile contains restrictions for internet sharing, region settings, Bluetooth, and Windows Updates (check the profile's description for the payloads currently configured).

    On the device, search for region settings.  AirWatch-managed policy should prevent changing them. Along with a red notification, settings will be grayed out.

    From Search, enter "updates," to find the Windows Updates system setting.  Show both the configuration and restriction on the Windows Updates screen.  

    Click the link "view configured update policies" to review the AirWatch-configured policies.

    Windows Updates

    Talking Points

    • Windows updates in the enterprise can take weeks or even months to be installed on an organization's entire fleet of PCs due to on-local-network requirements to reach distribution servers. AirWatch and Windows 10 UEM use the simplicity of the cloud and Microsoft Update Service to deliver updates regardless of device location.
    • Updates delivered through Microsoft Update can be controlled by AirWatch UEM. Options such as which "branch" to be on, as well as the ability to defer both quality updates and feature updates, allow granular control over when PCs get updates.
    • AirWatch allows the administrator to set Active Hours for when updates should be applied, to prevent users from canceling reboots, to prevent unexpected reboots during working hours, or to schedule distribution when electricity is cheaper.
    • Administrative approvals can target different groups of updates to the right groups of users or PCs, to make sure that PCs are healthy and secure. 
    • WSUS servers can also augment AirWatch and be used for PCs that are always available on the corporate network.

    In airwatch.vmtestdrive.com, open Devices > Profiles & Resources > Profiles and search for "update." Select the "WWE - W10 - Updates CORP" policy, open it, and choose the Windows Updates payload.
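To show the device-side result of that payload (branch, deferral periods, active hours) rather than only the console view, the following added example (not part of the original walkthrough or of VMware's tooling) reads the Update policies back from the device. It assumes that MDM Policy CSP state is mirrored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update and that GPO-style equivalents, if any, sit under HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the branch decoding table follows the Policy CSP values.

```powershell
# Added example: read back the Windows Update policies the MDM profile delivered,
# the same values the Settings link "view configured update policies" displays.
# Assumption: Policy CSP values are mirrored under the PolicyManager key below.
$mdmKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Policy CSP BranchReadinessLevel values, decoded for the audience.
$branch = @{ 2 = 'Windows Insider Fast'; 4 = 'Windows Insider Slow'; 8 = 'Release Preview';
             16 = 'Semi-Annual Channel (Targeted)'; 32 = 'Semi-Annual Channel' }

function Read-PolicyKey([string]$Path) {
    # Returns the registry values of a key as a hashtable (empty if absent).
    $out = @{}
    if (-not (Test-Path $Path)) { return $out }
    $props = Get-ItemProperty -Path $Path
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $out[$p.Name] = $p.Value }   # skip PSPath etc.
    }
    $out
}

$mdm = Read-PolicyKey $mdmKey
$gpo = Read-PolicyKey $gpoKey

if ($mdm.Count -eq 0) {
    Write-Host "No MDM Update policies found under $mdmKey (profile not applied yet?)"
} else {
    Write-Host 'MDM-delivered Update policies:'
    foreach ($name in ($mdm.Keys | Sort-Object)) {
        $value = $mdm[$name]
        $note = switch ($name) {
            'BranchReadinessLevel'            { if ($branch.ContainsKey([int]$value)) { $branch[[int]$value] } }
            'DeferFeatureUpdatesPeriodInDays' { "feature updates deferred $value day(s)" }
            'DeferQualityUpdatesPeriodInDays' { "quality updates deferred $value day(s)" }
            'ActiveHoursStart'                { "no forced restarts from ${value}:00" }
            'ActiveHoursEnd'                  { "no forced restarts until ${value}:00" }
            default                           { '' }
        }
        Write-Host ("  {0,-36} {1,-6} {2}" -f $name, $value, $note)
    }
}

# A PC that is also on the LAN may still carry WSUS/GPO update policies; on these
# Windows 10 builds a Group Policy setting takes precedence over the MDM setting
# for the same item, so surface both sources and look for conflicts.
if ($gpo.Count -gt 0) {
    Write-Warning "GPO-style WindowsUpdate policies are also present ($($gpo.Count) values); check for conflicts with MDM."
    $gpo.GetEnumerator() | Sort-Object Name |
        ForEach-Object { Write-Host ("  {0,-36} {1}" -f $_.Name, $_.Value) }
}
```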

    Per-app VPN

    Talking Points

    • Device-level VPNs are not able to distinguish between work, personal, and rogue apps on an endpoint and, when active, will enable traffic between the entire device and the datacenter. VMware AirWatch per-app VPN capability enables app-level security so only entitled users with validated devices using authorized apps are able to access the datacenter.
    • The embedded VMware AirWatch Tunnel eliminates the need for a third-party VPN service and licensing fee, ensuring that the service is delivered at a low TCO.

    IE uses the VMware AirWatch Tunnel for per-app VPN. After installing the Tunnel app, launch Internet Explorer (either IE x86 or 64-bit).

    Accept the Windows 10 certificate prompt for the Tunnel certificate. 

    Note: The Tunnel app UI displays status. The enterprise server will not show connectivity until the per-app VPN-enabled app, IE, connects.

    In IE, enter the below URL to demonstrate per-app VPN.

    Internal URL: 
    http://aapl-awmag-1.vmwdemo.int/form.html
    

    IE will then load the internal form.  

    Edge is not enabled for VPN.  Copy and paste the internal form's URL into Edge and show it fail loading. 

    Compliance

    Talking Points

    • The VMware AirWatch compliance engine can automatically monitor, notify, and take action on devices that do not meet rules set up in compliance management.
    • A Windows 10 compliance policy is capable of taking action on critical security items such as device last seen, encryption state, firewall status, automatic updates, OS version, passcode, and Windows Health Attestation.
    • VMware AirWatch can manage Windows BitLocker Encryption on both physical and virtual machines. A recovery key created during encryption is stored in the AirWatch Console and in the Self-Service Portal.
    • Because, for Windows Health Attestation, AirWatch pulls the necessary information from the device hardware and not the OS, compromised devices are detected even when the OS kernel is compromised.

    BitLocker

    Talking Points 

    • A VMware AirWatch profile encrypts the Windows 10 desktop device via native BitLocker encryption.  After disk encryption, the BitLocker encryption key is made available in the AirWatch console. If a device is lost and then recovered, with the BitLocker key readily available to the security team in the AirWatch console, potentially lost data can be recovered easily.
    • As of VMware AirWatch 9.1, BitLocker can also be managed with a password on devices without TPM.  BitLocker managed by a password, instead of TPM, enables disk encryption on devices without TPM, like VMs running in older versions of Fusion or Workstation. 

    To demo BitLocker, from the console, push the WWE - W10 - BitLocker-Passcode profile and follow the prompts:

    Check the Windows notification area.  You'll need to reboot the device.

    After reboot, you'll need to set the BitLocker password...

    ...and then drive encryption will complete in the background.

    Review the PC's BitLocker status in the console...

    ...and view the recovery key.

    Health Attestation

    Alert!

    In order to demo Health Attestation, you must be using Workstation 14, Fusion 10.1, or a physical PC with the TPM enabled and Secure Boot enabled. In Workstation or Fusion, first encrypt the VM, then add a new device (Trusted Platform Module) and ensure that you have enabled UEFI and Secure Boot in Options > Advanced.

    Talking Points 

    • It's a fact that some vulnerabilities compromise PCs prior to loading Windows, antivirus, and antimalware protections. Health attestation is able to take measurements for things like Secure Boot, code integrity, BitLocker and boot manager and compare them against baselines stored in AirWatch. If a device is compromised, it can be addressed via the compliance engine.
    • If a device falls out of compliance, notifications can alert admins, managers, and the user.  As well, customizable device actions can occur using the AirWatch compliance engine. 

    The device sends the Health Attestation report to the VMware AirWatch console for enterprise health checks and potential compliance rule triggering.  

    We can see here that Secure Boot is enabled, preventing a rootkit from compromising this PC prior to Windows booting up, and that BitLocker is seen as enabled at boot. Other security technologies that operate at boot are reported, and compliance policies can be defined to inform administrators that a PC has potentially been compromised.
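The Compliance, BitLocker and Health Attestation sections above describe signals the console evaluates; the following added example (not part of the original walkthrough or of VMware's tooling) collects the same signals locally on the enrolled device and flags which would fail a typical corporate policy, so the console view can be cross-checked. It assumes the in-box BitLocker, TrustedPlatformModule, SecureBoot and NetSecurity modules and an elevated PowerShell; the pass/fail thresholds are assumptions, not the TestDrive policy's values.

```powershell
# Added example: local read-out of the security posture the AirWatch compliance
# engine acts on (encryption state, TPM, Secure Boot, firewall, OS version).
# Run elevated on the enrolled Windows 10 device.
$result = [ordered]@{}

# BitLocker on the OS volume: state, progress and which protectors exist.
# A RecoveryPassword protector is what the console escrows as the recovery key.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$result.VolumeStatus        = $vol.VolumeStatus            # e.g. FullyEncrypted
$result.ProtectionOn        = ($vol.ProtectionStatus -eq 'On')
$result.EncryptionPercent   = $vol.EncryptionPercentage
$result.KeyProtectors       = ($vol.KeyProtector.KeyProtectorType -join ',')
$result.HasRecoveryPassword = ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')

# TPM: the BitLocker-Passcode profile in the demo exists precisely for devices without one.
try {
    $tpm = Get-Tpm
    $result.TpmPresent = $tpm.TpmPresent
    $result.TpmReady   = $tpm.TpmReady
} catch {
    $result.TpmPresent = $false
    $result.TpmReady   = $false
}

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines, which is
# itself the answer (no Secure Boot, so no trustworthy boot measurements for DHA).
try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
catch { $result.SecureBoot = $false }

# Windows Firewall per profile (Domain/Private/Public) and the OS version the console reports.
$disabledProfiles = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
$result.FirewallAllEnabled = ($disabledProfiles.Count -eq 0)
$result.OsVersion = (Get-CimInstance -ClassName Win32_OperatingSystem).Version

# Evaluate against rules a corporate Windows 10 compliance policy commonly carries
# (assumed thresholds; align them with the policy actually configured in the console).
$findings = @()
if (-not $result.ProtectionOn)        { $findings += 'BitLocker protection is off on the OS drive' }
if (-not $result.HasRecoveryPassword) { $findings += 'No recovery password protector: nothing for the console to escrow' }
if (-not $result.SecureBoot)          { $findings += 'Secure Boot disabled: boot-time rootkit protection and attestation weakened' }
if (-not $result.FirewallAllEnabled)  { $findings += "Firewall disabled for: $($disabledProfiles.Name -join ', ')" }
if (-not $result.TpmReady)            { $findings += 'TPM not present or not ready: Health Attestation cannot be performed' }

[pscustomobject]$result | Format-List
if ($findings.Count -gt 0) {
    Write-Warning ("Would fail compliance:`n - " + ($findings -join "`n - "))
} else {
    Write-Host 'All checked signals would pass a typical corporate compliance policy.'
}
```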

    Enterprise Wipe

    Discuss the need for both manual and automated enterprise wiping of a device. Unlike a device wipe, an enterprise wipe only removes the organization's data. Any user data on the device, i.e., in the BYO use case, cannot and will not be touched.

    From the console, issue an enterprise wipe on your device.  Show the device's notification of the wipe.

    Discuss the removal of the organization's data.  Show native mail has been removed.  Or, better yet, show removal of the certificates from the MMC console certificates snap-in for a security-minded audience. 
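For the security-minded audience mentioned above, the following added example (not part of the original walkthrough or of VMware's tooling) snapshots the management footprint before the enterprise wipe and diffs it afterwards, so the removal of the EMM-issued certificates and the MDM enrollment record is shown as a concrete list rather than a screenshot. It assumes the enrollment record lives under HKLM:\SOFTWARE\Microsoft\Enrollments with a UPN value per MDM enrollment, and that the issuer name of the AirWatch-issued certificates matches the -IssuerPattern parameter (adjust it to the tenant's CA name).

```powershell
# Added example: run with -Phase Before, issue the enterprise wipe from the
# console, then run with -Phase After to list what was removed.
# Assumptions: Enrollments registry location and the CA issuer pattern below.
param(
    [ValidateSet('Before', 'After')][string]$Phase = 'Before',
    [string]$IssuerPattern = '*AirWatch*',
    [string]$SnapshotPath = "$env:TEMP\mdm-footprint-before.json"
)

function Get-MdmFootprint {
    # EMM-issued certificates in the user and machine personal stores.
    $certs = foreach ($store in 'CurrentUser', 'LocalMachine') {
        Get-ChildItem "Cert:\$store\My" |
            Where-Object { $_.Issuer -like $IssuerPattern } |
            ForEach-Object { "$store\My $($_.Thumbprint) $($_.Subject)" }
    }
    # MDM enrollment records: one GUID subkey per enrollment, identified by its UPN value.
    $enrollments = @()
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (Test-Path $root) {
        $enrollments = Get-ChildItem $root | ForEach-Object {
            $upn = (Get-ItemProperty $_.PSPath).UPN
            if ($upn) { "$($_.PSChildName) $upn" }
        }
    }
    [pscustomobject]@{
        Certificates = @($certs)
        Enrollments  = @($enrollments)
    }
}

$now = Get-MdmFootprint
if ($Phase -eq 'Before') {
    $now | ConvertTo-Json -Depth 3 | Set-Content -Path $SnapshotPath
    Write-Host "Saved $($now.Certificates.Count) EMM certificate(s) and $($now.Enrollments.Count) enrollment(s) to $SnapshotPath"
    $now | Format-List
    return
}

# After phase: anything present before and absent now was removed by the wipe.
$before = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
foreach ($set in 'Certificates', 'Enrollments') {
    $current = @($now.$set) | Where-Object { $_ }
    $removed = @($before.$set) | Where-Object { $_ -and ($_ -notin $current) }
    Write-Host "$set removed by the enterprise wipe: $(@($removed).Count)"
    $removed | ForEach-Object { Write-Host "  - $_" }
}
if ($now.Enrollments.Count -gt 0) {
    Write-Warning 'An MDM enrollment record is still present: the wipe may not have completed yet.'
}
```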

    For support or to report issues with any of the demo systems please send an email.