Lab 3: Automated Device Enrollment and application distribution

Introduction

This lab comprises two modules that delve into two integration points between Workspace ONE UEM and Apple Business Manager. The first module concentrates on Automated Device Enrollment, while the second module explores Apple’s Volume Purchase Program. A third optional module explores the distribution of public and internal applications.

Due to the requirement for student access to Apple Business Manager, the initial configuration of Automated Device Enrollment has already been completed in your lab. The configuration consists of a key / token exchange between Workspace ONE UEM and Apple Business Manager. 

To learn more about the integration process, please view this video on Omnissa's Tech Zone: Integrating Apple's Automated Device Enrollment into Workspace ONE UEM.

Objectives and Tasks

Module 1: Automated Device Enrollment

  1. Review the default enrollment profile in the Workspace ONE console.

  2. Create a new Automated Device Enrollment profile.

Module 2: Volume Purchase Program (VPP)

  1. Configure Volume Purchase Program (VPP) integration in Workspace ONE.

  2. Sync apps from Apple Business Manager.

  3. Change app licensing to Device-based licensing.

  4. Assign an app to an assignment group.

Module 3: Public and Internal Apps (optional)

  1. Add a public app for distribution (optional).

  2. Importing a packaged internal app for distribution (optional).

In this module, you will review the existing default device enrollment profile configured in your lab environment, and then create a new device enrollment profile.

Module 1: Automated Device Enrollment

Task 1: Review the default enrollment profile in the Workspace ONE console

To review the existing default enrollment profile:

  1. In the Workspace ONE console, click Groups & Settings.

  2. Select All Settings.

  3. Expand Devices & Users and then expand Apple.

  4. Click on Automated Device Enrollment.

  5. The Default Enrollment Profile has been configured in a parent OG, and is therefore not editable by you in your lab environment. However, you can view the profile by clicking on the View button.

  1. Scroll through the profile settings. Note the MDM features that are enabled, such as Supervision and Lock MDM Profile. Also review the Setup Assistant options that have been configured.

  2. Click Close.

Task 2: Create a new Automated Device Enrollment profile

To create a new Automated Device Enrollment profile:

  1. On the Automated Device Enrollment screen, click the Add Profile button.

  2. Custom enrollment delivers a fully customized experience to users during enrollment. Set Custom Enrollment to Off.

  3. Set Authentication to On.

  4. From the dropdown, select Corporate - Dedicated for Device Ownership Type.

  5. Ensure that your OG is listed in Device Organization Group. Your OG name will be student{labid}.

  6. For Profile Name, enter New Enrollment Profile.

  7. Enter IT for Department, and 123-456-7890 for Phone Number.

  8. Leave all other settings at the defaults.

  9. Click Save.

  10. You will notice that the new enrollment profile is now listed on the Automated Device Enrollment screen. Unlike the default enrollment profile, the new profile you just created is editable.

Module 2: Volume Purchase Program (VPP)

An Apple Business Manager (or Apple School Manager) location is a container that ties a set of books and apps to one or more content managers. Each location has a token that can be uploaded to Workspace ONE to allow App and Book management within the Workspace ONE UEM organization group. The token provides the credentials by which Workspace ONE authenticates to Apple Business Manager to sync assets and manage license assignments.

Due to the requirement for student access to Apple Business Manager, a location for your lab has already been created and the token downloaded in preparation of configuring Workspace ONE UEM. In the first task of this module, you will upload the token into your Workspace ONE UEM lab environment. An sToken for each lab has been created. Click the link below and download the token that corresponds with your lab ID. For example, if your lab ID is 01, you will download the file called sToken_for_PSTE-Enablement-Lab-01.vpptoken.

Apple sTokens

Task 1: Configure Volume Purchase Program (VPP) integration in Workspace ONE

In this exercise, you will upload the above mentioned token into your Workspace ONE lab environment to configure Apple's Volume Purchase Program.

To configure Volume Purchase Program:

  1. In the Workspace ONE console, click Groups & Settings.

  2. Select All Settings.

  3. Expand Devices & Users and then expand Apple.

  4. Click on VPP Managed Distribution.

  5. Select Override.

  6. For Description, enter Volume Purchase Program.

  7. If you have not done so yet, download the above linked token file to your desktop device.

  8. Click the Upload button.

  9. Select Choose File and browse to the downloaded token file.

  10. Select the token file and click Open.

  11. Click Save.

  12. On the VPP Managed Distribution screen, click Save.

  1. The integration between Workspace ONE UEM and Volume Purchase Program is complete.

Task 2: Sync apps from Apple Business Manager

By default, Workspace ONE synchronizes managed distribution licenses for custom applications and volume-licensed public applications daily. This automatic synchronization process enables Workspace ONE to reconcile newly acquired licenses and update metadata (descriptions and images). However, you can expedite this process by manually initiating a license sync when uploading a location token.

Due to the requirement for student access to Apple Business Manager, apps have already been assigned to the location token you added to Workspace ONE UEM.

To sync apps from Volume Purchase Program:

  1. In the Workspace ONE console, click Resources.

  2. Select Native Apps.

  3. In the List View, select the Purchased tab.

  4. Click the Sync Assets button.

  1. At the prompt, click Ok.

  2. If you do not see your apps immediately, click the Refresh button, which is next to the Layout menu in the Workspace ONE console.

  3. Once the sync has completed, you should see apps for iOS and macOS in the List View.

Task 3: Change app licensing to Device-based licensing

Device-based licensing assigns an application or content to a device serial number, necessitating a license for each device. Licensing for most applications can be transitioned from user-based licensing to device-based licensing with a few simple mouse clicks. Unlike user-based licensing, end users are not required to acknowledge the Volume Purchase Program terms of acceptance.

There are multiple ways to enable device-based licensing for an application. This task will demostrate the two most common methods.

Once an application is enabled for device-based licensing in the Omnissa Workspace ONE UEM console, you cannot reverse it back to user-based licensing.

To transition an app to device-based licensing:

  1. In the Workspace ONE console, click Resources.

  2. Select Native Apps.

  3. In the List View, select the Purchased tab.

  4. Select the iOS app, Keynote.

  1. From the More Actions dropdown menu, select Enable Device Assignment.

  2. When prompted to confirm the action, click Ok.

  3. Click on the name for the iOS app, Numbers.

  1. On the License Info tab, click the Enable Device Assignment button.

  2. When prompted to confirm the action, click Ok.

  3. Click Save & Assign.

  4. You will assign the app to an assignment group in the next task. Click Cancel, and then click Save.

Task 4: Assigning an app to an assignment group

The distribution of applications and content is managed through Assignment Groups, enabling organizations to include or exclude devices from receiving assigned apps and content. Assignment Groups within Workspace ONE UEM are customizable entities that define which platforms, devices, and users are assigned specific applications, books, compliance policies, or device profiles.

To assign an app to an assignment group:

  1. In the Workspace ONE console, click Resources.

  2. Select Native Apps.

  3. In the List View, select the Purchased tab.

  4. Select the iOS app, Keynote.

  5. Click the Assign button.

  1. Enter iOS Keynote App in the Name field.

  2. Click the assignment group dropdown and select Corporate-owned iOS Devices.

  3. Enter 10 in the Allocated field.

  4. Set App Delivery Method to Auto.

  5. In the left column, click Restrictions.

  6. Ensure that Remove on Unenroll and Prevent Application Backup are both enabled.

  1. Click Create.

  2. Click Save.

  3. Click Publish.

  4. A notification might appear on your device about the pending app installation. Click Install.

Module 3: Public and Internal Apps (optional)

Workspace ONE UEM categorizes applications into three types: Internal, Public, and Purchased. We’ve already discussed purchased applications from the VPP. Internal applications are internally developed and can be directly uploaded to the Workspace ONE UEM console or imported from an external app repository. Public applications are available on the respective app stores of the platforms, such as the App Store, Play Store, Windows Store, and so on.

Task 1: Add a public app for distribution (optional)

Apps from the Apple App Store are examples of public apps. The provider of a store app maintains and provides updates to the app. You select the app in the store list and add it by using Workspace ONE UEM as an available app for your users. Workspace ONE UEM allows you to upload paid public iOS applications and distribute them in those scenarios where it is not feasible to use Apple’s Volume Purchase Program (VPP).

To add a public app to Workspace ONE:

  1. In the Workspace ONE console, navigate to Resources. Click Native Apps.

  2. Select Public.

  3. Click Add Application.

  4. From the Platform dropdown menu, select Apple iOS.

  5. Type firefox in the Name field. Click Next.

  1. From the search results, click the Select button next to the entry for Firefox: Private, Safe Browser.

  2. Click Save & Assign.

  3. Enter Corporate-owned iOS Devices for the Assignment Name.

  4. From the Assignments Group dropdown menu, select Corporate-owned iOS Devices.

  5. Select On Demand for the App Delivery Method.

  6. Click Create.

  7. Click Save.

  8. Click Publish.

Task 2: Import a packaged internal app for distribution (optional)

Apps that are created in-house or downloaded from the Internet are internal apps. Your organization creates and provides you with updates as a separate file. You provide updates of the app to users by adding and deploying the updates using Workspace ONE UEM.

Due to limitations of the Omnissa Workspace ONE UEM server to natively process the macOS software metadata, the Workspace ONE Admin Assistant app was created to help administrators generate the required metadata to upload to Workspace ONE UEM. The Admin Assistant app extracts metadata from macOS software installers into a plist file, sometimes referred to as a metadata file or pkginfo file.

This exercise is optional as it requires you to download and install the Workspace ONE Admin Assistant on a macOS device. It also requires a Omnissa Customer Connect account to access the download file for the Admin Assistant application.

In this exercise, you will download the Workspace ONE Admin Assistant Tool and prepare the Omnissa Horizon Client for deployment through Workspace ONE UEM. Then, you will import the Horizon Client application into Workspace ONE UEM.

For this exercise, you will need to download the latest Omnissa Horizon Client for macOS. The Omnissa Horizon Client for macOS is available for download here

To get the desired result, perform the following steps:

  1. On a macOS device, launch a web browser (i.e. Safari, Google Chrome, Firefox).

  2. Click here to navigate to the Omnissa Workspace ONE Admin Assistant Tool download website.

  3. Click Go To Downloads. Then, select Download Now.

  4. If you are not already logged into Omnissa Customer Connect, you will be prompted for your username and password.

  5. If prompted, accept the Omnissa General Terms.

  6. The download will proceed.

  7. Launch the downloaded DMG file and double-click on the Omnissa Workspace ONE Admin Assistant package file.

  8. Accept the default options for installation and install the application on your macOS device.

  9. When the installation is complete, launch the Workspace ONE Admin Assistant located in your Applications folder.

  10. Drag and drop the DMG file for the Horizon Client into the Admin Assistant tool. When the tool has finished parsing, click the folder icon next to the listed DMG file.

The folder will contain three or more files: a PLIST file, a DMG file, and one or more PNG files.

  1. In the Workspace ONE console, select Resources. Then select Native Apps.

  2. Click Internal.

  3. From the Add dropdown menu, select Application File.

  4. Click Upload and select Choose File. Navigate to the folder that was created by the Workspace ONE Admin Assistant. Choose the DMG file and click Upload.

  5. Click Save.

  6. After the upload has been completed, click Continue.

  7. You will upload the Metadata file (PLIST) by clicking Upload and choosing the PLIST file from the same folder. Click Save.

  8. After the upload has been completed, click Continue.

  9. Click Images and then select Click or drag files here to add the PNG file from the same folder as the other files.

  1. Click Save & Assign.

  2. Enter a name for the assignment. For example, All macOS Devices.

  3. Click in the Assignment Group section and select an assignment group. The selected group appears underneath the text box.

  4. Select a time and date to begin the deployment if you do not want to begin immediately.

  5. Select Auto to deliver the app automatically or On Demand (to deliver the app when requested by the user from the catalog).

  6. Enable Display in App Catalog if you want to display the app in the user's app catalog.

  1. Click Create.

  2. Click Publish.

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.