[OPTIONAL] Azure Active Directory Integration for OOBE Enrollment
Through integration with Microsoft Azure Active Directory, Windows 10 Desktop and Mobile devices can automatically enroll into AirWatch with minimal end user interaction. Azure AD integration enrollment allows Azure Active Directory users to enroll devices simply by entering their email address.
Azure AD integration enrollment supports three different enrollment flows: Join Azure AD, Out of Box Experience (OOBE) Enrollment, and adding a work account (e.g. through an Office Productivity app from the store). All methods require configuring Azure AD integration with AirWatch.
In this module, we will explore the Azure Active Directory console and configure AAD with AirWatch to take advantages of the different enrollment flows.
Note: To take advantage of these AAD enrollment flows, an Azure Active Directory Premium license is required.
1. Configuring Azure AD Integration with AirWatch
Before you can enroll a device using Azure Active Directory for Identity Services, you must first configure Azure AD Identity Services. Follow the steps below to ensure your Azure AD is integrated with AirWatch.
2. (Optional) Setting up an Azure AD Trial
- Click Free Trial
Note: This page is the AirWatch by VMware Azure application that we will be integrating with AirWatch. If you scroll through the instructions, you will notice that all the steps are listed below. If you do not currently have an Azure subscription, you will need to sign up for a free trial.
Note: Microsoft has recently updated the Azure Portal UI. To match the following screenshots, navigate to https://manage.windowsazure.com once you have signed up for your trial.
2.2. Sign In
- Enter your Microsoft account credentials; if you do not have a Microsoft account, skip to Step 3 to create one
- Click Sign In
- If you do not have an account, click Sign up now
2.3. Free Trial
- Fill in the About you information
- Fill in the Verification by phone information
- Fill in the Verification by card information
- Accept the Agreement
- Click Sign Up to complete the registration process
Note: Microsoft has recently updated the Azure Portal UI. To match the following screenshots, navigate to https://manage.windowsazure.com once you have signed up for your trial.
3. Adding Premium License
In this example I will be using the AW HOL directory; if you are using Azure for the first time, you can use the default directory.
- Click on the directory you want to use for enrollment
Note: Microsoft has recently updated the Azure Portal UI. To match the following screenshots, navigate to https://manage.windowsazure.com.
3.1. Try Azure AD Premium
We will now enable Azure AD Premium License in our directory.
- Click Licenses
- Click Try Azure Active Directory Premium Now
3.2. Activate Premium Trial
- Confirm the Premium license activation
3.3. Assign
- Click Assign at the bottom of the screen to assign a premium license to your admin account.
4. Adding & Configuring the AirWatch by VMware Application
We will now add the AirWatch by VMware application to our directory. The premium license had to be added to the directory first because the application requires it.
- Click Applications
- Click Add
4.1. Add Application from the Gallery
- Click Add an application from the gallery
4.2. Add AirWatch Application
- Navigate the left-hand menu and click the Mobile Device Management category
- Click AirWatch by VMware
- Click the check mark to confirm adding the application
4.3. Configure AirWatch Application
- Click Configure to begin configuring the AirWatch/Azure integration
4.4. Copy AirWatch Settings to Azure
In Step 3, we copy and paste the two MDM URLs over to the Azure console.
- Copy the MDM Enrollment URL and the MDM Terms of Use URL; they are needed in the next steps in Azure
- Note that the Azure page also shows helpful screenshots indicating where admins should paste these URLs.
4.5. Paste AirWatch Settings to Azure
Using the copied URLs from the AirWatch console:
- Paste the MDM Enrollment URL in the MDM Discovery URL field
- Paste the MDM Terms of Use URL in the MDM Terms of Use URL field
- Select All so that every user who enrolls via the Azure AD enrollment method is automatically enrolled into AirWatch
- Click Save to commit the changes
5. Configuring AirWatch Azure Settings
We will now grab the two pieces of information needed in the AirWatch console.
- Copy the Tenant ID from the URL; this is the GUID immediately after Directory in the URL.
- Copy the Tenant Name which is the name of the directory.
5.1. Tenant Name and Identifier
- Paste the Tenant ID & Name in the Tenant Identifier & Name fields
- Click Save
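Because the Tenant ID is copied by hand out of a portal URL and the two MDM URLs are pasted into fields that accept any text, a typo here only shows up later as a failed enrollment. The following PowerShell snippet is an added example (it is not part of the lab guide or of AirWatch) that checks the three values before you save them: it extracts the GUID after "Directory/" from the portal URL and confirms it parses as a GUID, and it confirms the two MDM URLs are absolute https URLs on the same Device Services host. The function names, the placeholder hostnames, the URL paths and the GUID are this example's own constructed values.

```powershell
# Added example, not part of the original lab guide: sanity-check the values that are copied
# between the AirWatch console and the Azure AD application before saving them.
# Function names are assumptions of this example; sample URLs below are constructed placeholders.

function Get-TenantIdFromPortalUrl {
    param([Parameter(Mandatory)][string]$PortalUrl)
    # The classic portal URL carries the directory (tenant) GUID right after "Directory/".
    if ($PortalUrl -match 'Directory/([0-9a-fA-F-]{36})') {
        $parsed = [guid]::Empty
        if ([guid]::TryParse($Matches[1], [ref]$parsed)) { return $parsed.ToString() }
    }
    throw "No tenant GUID found after 'Directory/' in: $PortalUrl"
}

function Test-MdmUrlPair {
    param(
        [Parameter(Mandatory)][string]$EnrollmentUrl,   # pasted into "MDM Discovery URL"
        [Parameter(Mandatory)][string]$TermsOfUseUrl    # pasted into "MDM Terms of Use URL"
    )
    $problems = @()
    foreach ($pair in @(@('Enrollment', $EnrollmentUrl), @('Terms of Use', $TermsOfUseUrl))) {
        $label, $url = $pair
        $uri = $null
        if (-not [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri)) {
            $problems += "$label URL is not an absolute URL: $url"
            continue
        }
        # A pasted http:// URL (or a URL with the scheme cut off) is a common copy error.
        if ($uri.Scheme -ne 'https') { $problems += "$label URL must use https: $url" }
    }
    if ($problems.Count -eq 0) {
        $e = [System.Uri]$EnrollmentUrl
        $t = [System.Uri]$TermsOfUseUrl
        # Both URLs come from the same AirWatch environment; differing hosts usually means one
        # of them was copied from a different console.
        if ($e.Host -ne $t.Host) { $problems += "Host mismatch: $($e.Host) vs $($t.Host)" }
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample input (placeholder host, paths and GUID; not a real environment):
$portalUrl = 'https://manage.windowsazure.com/#Workspaces/ActiveDirectoryExtension/Directory/11111111-2222-3333-4444-555555555555/directoryQuickStart'
$enrollUrl = 'https://ds.airwatch.example/DeviceServices/Discovery'
$touUrl    = 'https://ds.airwatch.example/DeviceServices/TermsOfUse'

"Tenant ID: $(Get-TenantIdFromPortalUrl $portalUrl)"
Test-MdmUrlPair -EnrollmentUrl $enrollUrl -TermsOfUseUrl $touUrl | Format-List
```

Run it with the real values before clicking Save in either console; if Valid comes back False, fix the listed problems rather than saving and diagnosing a failed OOBE enrollment afterwards.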
6. Adding an Azure Enrollment User
We will now add a user to enroll into AirWatch via the Azure AD enrollment options.
- Click Add User
6.1. Add User
- Type "demo" in the User Name field
- Click the arrow to advance
6.2. User's Details
- Type "Demo" in the First Name field
- Type "User" in the Last Name field
- Type "Demo User" in the Display Name field
- Click the forward arrow to advance
Note: You can enable multi-factor authentication (MFA) for users. This requires users to authenticate with their AAD username and password AND their device, via SMS, phone call, or the Authenticator application.
6.3. User's Password
- Write down your temporary password as you will need it when enrolling your device.
- Click the forward arrow to advance
7. Azure AD Enrollment
We will now use our Azure account to enroll into AirWatch and join our device to Azure AD. There are three methods: 1) Out-of-Box Experience (OOBE), 2) Office Productivity App, and 3) Settings on the device. We will enroll via the Settings option. Now that you have an Azure AD account set up, you can explore the other options after the workshop.
You can see demos of each of the methods mentioned above here: http://www.air-watch.com/solutions/windows-10-videos/
7.1. Join Azure AD
- Click Join Azure AD
7.2. What happens next
- Click Next
7.3. Work Account
- Enter your Azure AD username in the form of an email address
- Enter your Azure AD user's temporary password
- Click Sign in
7.4. Update Password
Since this is a brand new account with a temporary password, we will be asked to change our password.
- Enter a new password for your account
- Confirm your new password
- Click Sign In
7.5. Join your Organization
- Click Join
7.6. Your device is Joined to AAD
- Click Finish
7.7. Enrollment Successful
Switching back to the AirWatch console, we see that our device is now enrolled successfully. In addition, the Azure AD console now shows a device record tied to our demo user.
In AirWatch, our demo user was automatically created and attributes were pulled in from AAD to create this user.
8. Azure AD Un-Enroll & Un-Join
When you enroll into AirWatch via an Azure AD join, you complete two enrollments in a single step. When joining to Azure AD with the AAD integration into AirWatch enabled, we successfully:
- Join Azure AD - this is essentially joining the cloud domain
- Enroll into AirWatch - this enrollment into AirWatch is silent
This is convenient; however, un-enrolling and un-joining is a two-step process. First, enterprise wipe the device from the AirWatch console:
- Click More
- Click Enterprise Wipe
8.2. OK
- Click OK
8.3. Settings
- Click Settings
8.4. Accounts
- Click Accounts
8.5. Sync
- Click Work Access
- Click AirWatch under Enroll in to device management. This is normally where we come to perform Workplace enrollment, which was done automatically via the AAD enrollment
- Click Sync
Note: We are only syncing manually to speed up the unenrollment process. Once the device checks in on its own, it receives the unenrollment command from AirWatch automatically.
8.6. Successfully Unenrolled
Back in the AirWatch console, we notice that our enrollment status is now Unenrolled.
8.7. System
Moving back to the device's Settings window:
- Click System
8.8. Disconnect from Organization
After successfully un-enrolling from AirWatch, the device is still joined to our Azure AD organization. We need to disconnect from the organization manually.
- Click About
- Click Disconnect from organization
8.9. Confirm Disconnection
- Click Continue
8.10. Enter Alternate Account Info
Since we are disconnecting from our organization, we will no longer use our Work Account (Azure account) to log into the device. We need to provide a local administrator account to switch back to:
- Enter "Administrator" for your username
- Enter "VMware1!" for your password
- Click OK
8.11. Restart your PC
To complete the un-join process, you will need to reboot. After rebooting you will see that the device is un-enrolled from AirWatch and un-joined from Azure AD.
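Because the clean-up is two separate steps (the enterprise wipe removes the MDM enrollment, the disconnect removes the Azure AD join), it is worth confirming on the device that both actually completed before it is handed to someone else or re-used. The following PowerShell snippet is an added example (not part of the lab guide, AirWatch or Microsoft's tooling) that reads the join state from dsregcmd /status and lists any MDM enrollments still recorded under HKLM\SOFTWARE\Microsoft\Enrollments. The function names are this example's own; the registry value names it reads (ProviderID, UPN, DiscoveryServiceFullURL) are assumed from common Windows 10 builds and may differ on yours.

```powershell
# Added example, not part of the original lab guide: confirm on the Windows 10 device that BOTH
# halves of the two-step clean-up completed (the AirWatch MDM enrollment and the Azure AD join).
# Run from an elevated PowerShell window after the reboot. Function names are this example's own.

function Get-AzureAdJoinState {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES" in its Device State section.
    $out = & dsregcmd.exe /status 2>&1 | ForEach-Object { "$_" }
    $state = [ordered]@{}
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined') {
        $value = 'UNKNOWN'
        foreach ($line in $out) {
            if ($line -match "^\s*$key\s*:\s*(\S+)") { $value = $Matches[1]; break }
        }
        $state[$key] = $value
    }
    [pscustomobject]$state
}

function Get-MdmEnrollments {
    # Each MDM enrollment is recorded under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>.
    # Keys that carry a ProviderID or UPN are real enrollments; the remaining GUID keys are
    # system bookkeeping. (Value names are assumed from common Windows 10 builds.)
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9A-Fa-f-]{36}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p.ProviderID -or $p.UPN) {
                [pscustomobject]@{
                    EnrollmentId = $_.PSChildName
                    ProviderID   = $p.ProviderID
                    UPN          = $p.UPN
                    DiscoveryUrl = $p.DiscoveryServiceFullURL
                }
            }
        }
}

$join = Get-AzureAdJoinState
$mdm  = @(Get-MdmEnrollments)

$join | Format-List
if ($mdm.Count -eq 0) {
    'No MDM enrollment present: the AirWatch enterprise wipe completed.'
} else {
    'MDM enrollment(s) still present:'
    $mdm | Format-Table -AutoSize
}

if ($join.AzureAdJoined -eq 'NO' -and $mdm.Count -eq 0) {
    'Device is un-enrolled and un-joined.'
} else {
    'Clean-up incomplete: let the device check in to receive the unenrollment command, and/or disconnect from the organization under Settings > System > About.'
}
```

A device that still shows AzureAdJoined : YES after the enterprise wipe is the expected intermediate state described in 8.8; a device that still lists an enrollment after the disconnect means the wipe command never reached it and the Sync step in 8.5 should be repeated before the reboot.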