
[OPTIONAL] Azure Active Directory Integration for OOBE Enrollment

Through integration with Microsoft Azure Active Directory, Windows 10 Desktop and Mobile devices can automatically enroll into AirWatch with minimal end user interaction. Azure AD integration enrollment allows users from Azure Active Directory to enroll devices completely by entering their email address.

Azure AD integration enrollment supports three different enrollment flows: Join Azure AD, Out of Box Experience (OOBE) Enrollment, and adding a work account (e.g. through an Office Productivity app from the store). All methods require configuring Azure AD integration with AirWatch.

In this module, we will explore the Azure Active Directory console and configure AAD with AirWatch to take advantage of the different enrollment flows.

Note: To take advantage of these AAD enrollment flows, an Azure Active Directory Premium License is required.

1. Configuring Azure AD Integration with AirWatch

Before you can enroll a device using Azure Active Directory for Identity Services, you must first configure Azure AD Identity Services. Follow the steps below to ensure your Azure AD is integrated with AirWatch.

1.1. Override Settings

  1. Click Skip Wizard and Configure Manually

1.2. Azure AD Settings

  1. Click Use Azure AD for Identity Services
  2. Complete Step 1 and click Take me to the Azure Marketplace

2. (Optional) Setting up an Azure AD Trial

  1. Click Free Trial

Note: This page is the AirWatch by VMware Azure Application we will be integrating into AirWatch. If you scroll through the instructions you will notice all steps are listed below. If you currently do not have an Azure subscription you will need to sign up for a free trial.

Note: Microsoft has recently updated the UI to the Azure Portal. To match the following screenshots, please navigate to once you sign up for your trial.

2.1. Try It Now

  1. Click Try it now >

2.2. Sign In

  1. Enter your Microsoft account credentials. If you do not have a Microsoft account, skip to Step 3 to create an account
  2. Click Sign In
  3. If you do not have an account, click Sign up now

2.3. Free Trial

  1. Fill in the About you information
  2. Fill in the Verification by phone information
  3. Fill in the Verification by card information
  4. Accept the Agreement
  5. Click Sign Up to complete the registration process

Note: Microsoft has recently updated the UI to the Azure Portal. To match the following screenshots, please navigate to once you sign up for your trial.

3. Adding Premium License

In this example I will be using the AW HOL directory. If you are using Azure for the first time, you can use the default directory.

  1. Click on the directory you want to use for enrollment

Note: Microsoft has recently updated the UI to the Azure Portal. To match the following screenshots, please navigate to

3.1. Try Azure AD Premium

We will now enable Azure AD Premium License in our directory.

  1. Click Licenses
  2. Click Try Azure Active Directory Premium Now

3.2. Activate Premium Trial

  1. Confirm the Premium license activation

3.3. Assign

  1. Click Assign at the bottom of the screen to give your admin account a premium license.

3.4. Assign Licenses

  1. Click on the check mark at the bottom right of the screen

4. Adding & Configuring the AirWatch by VMware Application

  1. Click Applications
  2. Click Add

We will now add the AirWatch by VMware Application to our directory. We needed to add the premium license to our directory first since the premium license is required.

4.1. Add Application from the Gallery

  1. Click Add an application from the gallery

4.2. Add AirWatch Application

  1. Navigate the left-hand menu and click the Mobile Device Management category
  2. Click AirWatch by VMware
  3. Click the check mark to confirm adding the application

4.3. Configure AirWatch Application

  1. Click Configure to begin configuring the AirWatch/Azure Integration

4.4. Copy AirWatch Settings to Azure

In Step 3, we will copy and paste the two MDM URLs over to the Azure console.

  1. Copy the MDM Enrollment & Terms of Use URL for the next steps in Azure
  2. Note the screenshots on this page; they show admins where to paste these URLs.

4.5. Paste AirWatch Settings to Azure

Using the copied URLs from the AirWatch console:

  1. Paste the MDM Enrollment URL in the MDM Discovery URL field
  2. Paste the MDM Terms of Use URL in the MDM Terms of Use URL field
  3. Select All so that all users who enroll via the Azure AD enrollment method are automatically enrolled into AirWatch.
  4. Click Save to commit the changes

5. Configuring AirWatch Azure Settings

We will now grab the two pieces of information needed in the AirWatch console.

  1. Copy the Tenant ID from the URL. This is the GUID located right after Directory in the URL.
  2. Copy the Tenant Name which is the name of the directory.

5.1. Tenant Name and Identifier

  1. Paste the Tenant ID & Name in the Tenant Identifier & Name fields
  2. Click Save

6. Adding an Azure Enrollment User

  1. Click Add User

We will now add a user to enroll into AirWatch via Azure AD enrollment options.

6.1. Add User

  1. Type "demo" in the User Name field
  2. Click the arrow to advance

6.2. User's Details

  1. Type "Demo" in the First Name field
  2. Type "User" in the Last Name field
  3. Type "Demo User" in the Display Name field
  4. Click the forward arrow to advance

Note: You can enable multi-factor authentication (MFA) for users. This requires users to authenticate with their AAD username and password AND their device, via SMS, call, or Authenticator application.

6.3. User's Password

  1. Write down your temporary password as you will need it when enrolling your device.
  2. Click the forward arrow to advance

7. Azure AD Enrollment

We will now use our Azure account to enroll into AirWatch and join our device to the Azure AD. There are three methods: 1) Out-of-Box Experience (OOBE), 2) Office Productivity App, and 3) Settings on the Device. We will enroll via the Settings options. You can explore the other options now that you have your Azure AD account set up, after the workshop.

You can see demos of each of the methods mentioned above here:

7.1. Join Azure AD

  1. Click Join Azure AD

7.2. What happens next

  1. Click Next

7.3. Work Account

  1. Enter your Azure AD username in the form of an email address
  2. Enter your Azure AD user's temporary password
  3. Click Sign in

7.4. Update Password

Since this is a brand new account with a temporary password, we will be asked to change our password.

  1. Enter a new password for your account
  2. Confirm your new password
  3. Click Sign In

7.5. Join your Organization

  1. Click Join

7.6. Your device is Joined to AAD

  1. Click Finish

7.7. Enrollment Successful

Switching back to the AirWatch console, we notice that our device is now enrolled successfully. In addition, in the Azure AD console you will now see a device record tied to our demo user.

In AirWatch, our demo user was automatically created and attributes were pulled in from AAD to create this user.

8. Azure AD Un-Enroll & Un-Join

When you enroll into AirWatch via an Azure AD Join/Enrollment, you complete two steps/enrollments in just one step. This is convenient; however, it is a two-step process to un-enroll and un-join.

  1. Click More
  2. Click Enterprise Wipe

When joining to Azure AD with the AAD Integration into AirWatch enabled, we successfully:

  • Join Azure AD - this is essentially joining to the cloud domain
  • Enroll into AirWatch - this enrollment into AirWatch is silent

8.1. Enter Security PIN

  1. Enter your Security PIN, "1234"

8.2. OK

  1. Click OK

8.3. Settings

  1. Click Settings

8.4. Accounts

  1. Click Accounts

8.5. Sync

  1. Click Work Access
  2. Click AirWatch under Enroll in to device management. This is normally where we come to perform Workplace enrollment, which was automatically done via the AAD enrollment
  3. Click Sync

Note: We are only manually syncing to speed up the unenrollment process. Once the device checks in it would have received the unenrollment command from AirWatch automatically.

8.6. Successfully Unenrolled

Back in the AirWatch console, we notice our enrollment status is now Unenrolled.

8.7. System


Moving back to our device settings windows:

  1. Click System

8.8. Disconnect from Organization

After successfully un-enrolling via AirWatch, we are still connected/joined to our Azure AD organization. We will need to manually disconnect from our organization.

  1. Click About
  2. Click Disconnect from organization

8.9. Confirm Disconnection

  1. Click Continue

8.10. Enter Alternate Account Info

Since we are disconnecting from our organization, we will not be using our Work Account (Azure Account) to log into our device. We will need to provide a local administrator account to transfer back to:

  1. Enter "Administrator" for your username
  2. Enter "VMware1!" for your password
  3. Click OK

8.11. Restart your PC

To complete the un-joining process, you will need to reboot. After re-booting you will see you are un-enrolled and un-joined from AirWatch and Azure AD.
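
Because un-enrolling (Enterprise Wipe) and un-joining (Disconnect from organization) are separate steps, it is worth confirming the device's Azure AD join state from the device itself after 7.7, after 8.6, and after the reboot in 8.11. The following is an added example, not part of the original lab: it parses the output of the built-in `dsregcmd /status` command. The function name, the state labels, and the sample text (including its tenant ID and URLs) are constructed for illustration.

```powershell
# Added example: summarize Azure AD join state from `dsregcmd /status` text.
function Get-AadJoinState {
    param(
        # Defaults to live output; pass saved text to analyze it offline.
        [string[]]$StatusLines = (dsregcmd.exe /status),
        # Assumption: the Tenant ID pasted into AirWatch in step 5.1.
        [string]$ExpectedTenantId
    )
    $fields = @{}
    foreach ($line in $StatusLines) {
        # Keep "Key : Value" rows; banner rows (+---+, | Title |) do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $joined = $fields['AzureAdJoined'] -eq 'YES'
    # MdmUrl is the MDM URL the tenant hands to the device (section 4.5);
    # it reflects tenant configuration, not the AirWatch enrollment status.
    $mdmSet = -not [string]::IsNullOrWhiteSpace($fields['MdmUrl'])
    if (-not $joined) { $state = 'NotJoined' }
    elseif ($mdmSet)  { $state = 'JoinedWithMdmUrl' }
    else              { $state = 'JoinedWithoutMdmUrl' }
    [pscustomobject]@{
        State         = $state
        TenantName    = $fields['TenantName']
        TenantId      = $fields['TenantId']
        MdmUrl        = $fields['MdmUrl']
        # Only meaningful when -ExpectedTenantId is supplied.
        TenantMatches = ($fields['TenantId'] -eq $ExpectedTenantId)
    }
}

# Constructed sample (not captured from a real device); values are placeholders.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : AW HOL
                  TenantId : 00000000-0000-0000-0000-000000000000
                    MdmUrl : https://mdm.example.com/enroll
'@ -split '\r?\n'

Get-AadJoinState -StatusLines $sample -ExpectedTenantId '00000000-0000-0000-0000-000000000000'
```

A device that has been Enterprise Wiped but not yet disconnected from the organization still reports as joined; only after 8.8 through 8.11 should the state read `NotJoined`.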