macOS Application Management (MAM)

VMware AirWatch recently announced integration with the Open-Sourced "munki" project for third-party application management on enrolled macOS devices. With this integration, administrators can now manage third-party (non-AppStore) software using the internal apps view (closer aligning the admin experience to that of other platforms). The integration allows administrators to consume a global CDN for software delivery, without requiring the administrators to fully understand munki's inner workings and configuration.

In this exercise, you will enable the application catalog and deploy an Application to your device.

Note: All Workspace ONE UEM Console work for this section should be performed on a macOS device.

Note: Workspace ONE UEM also provides a second facility for delivering software/configurations and running scripts/commands on a macOS device. This method, known as Product Provisioning, is outside the scope of this exercise.  

Administrators can deliver software to macOS devices in numerous ways. As a quick reference, VMware recommends the following methods to deliver software to macOS devices:

  • MacOS App Store Application — VMware recommends delivering any application that may be available on the macOS App Store be delivered as a "Purchased" application through the Volume Purchase Program.   Apps should be assigned via device-based licenses and set to auto-update if the application is not business-critical.
  • Non-AppStore Applications — Where possible, third-party applications which are not available through the app store should be delivered as an Internal Application (leveraging the AirWatch-Munki integration).  

2. Configure App Catalog

2.1. Open Safari Web Browser

On your macOS device, Open Safari by clicking the icon on the dock.

2.2. View All Settings

View All Settings

In the Workspace ONE UEM Console

  1. Click on Apps & Books.
  2. Click on All Apps & Books Settings.

2.3. Enable the Application Catalog

Enable the Application Catalog
  1. Click on Apps
  2. Expand Workspace ONE
  3. Expand AirWatch Catalog
  4. Click on General.
  5. Click on the Publishing tab
  6. Click Override
  7. Enter the Catalog title as App Catalog

2.4. Select Platform as macOS and Save

  1. Scroll down until you see the platform macOS.
  2. Select Enabled for macOS.
  3. Click on Save.
  4. Scroll to the top and click on X to exit the pop-up screen.

3. Enable macOS Software Management

NOTE:  The steps in this section have already been completed for you in the Hands-On Lab.  You DO NOT need to Enable Software Management as it has already been completed on your behalf.

Prior to deploying a macOS Application, VMware AirWatch administrators must enable their environments for Software Management. The following items are pre-requisites for macOS Software Management:

  1. For On-Premise Installations, "File Storage" must be enabled (Settings > Installation > File Path).
  2. "Software Management" must be enabled (Settings > Devices & Users > Apple > Apple macOS > Software Management)
  3. VMware AirWatch Agent for macOS version 3.0 (or newer)

NOTE:   The steps in the "Enable macOS Software Management" section have already been completed for you in the Hands-On Lab.  They are included here simply for reference if you need to enable this feature in your own on-premise environment.

3.1. Access All Settings

While logged in as an AirWatch Administrator and viewing the Global Organization Group:

  1. Click Groups & Settings
  2. Click All Settings

3.2. Enable File Storage

Contact VMware for assistance if you're not sure how any of the settings in this step should be configured particular to your environment.

Contact VMware for assistance if you're not sure how any of the settings should be configured particular to your environment.

  1. Ensure you are at the Global Organization Group unless your particular setup requires configuring at child Organization Groups.  
  2. Expand Installation
  3. Click File Path
  4. Scroll the file paths screen and click Enabled for File Storage Enabled
  5. Enter the path of a file share accessible from your Device Services and Console servers.
  6. Click Disabled for File Storage Caching Enabled unless you have planned and sized your Device Services server accordingly.
  7. Click Enabled for File Storage Impersonation Enabled
  8. Enter the username credentials to impersonate in order to access the file storage path
  9. Enter the password for the impersonation user
  10. Confirm the password for the impersonation user
  11. Click Test Connection and ensure you see Connection Succeeded
  12. Click Save

As noted above, contact VMware for assistance if you're not sure how any of the settings above should be configured particular to your environment.

3.3. Enable Software Management

While still in the Settings screen, perform the following:

  1. Expand Devices & Users
  2. Expand Apple
  3. Expand Apple macOS
  4. Click Software Management
  5. Click Override
  6. Click Enabled for Enable Software Management
  7. Click Save
  8. Ensure settings are Saved Successfully

 

4. Prepare macOS Applications for Deployment

In this section, you will download the VMware AirWatch Admin Assistant tool and use it to prepare another 3rd-Party application for deployment.

4.1. Open New Browser Tab

On your macOS device, Open a new Safari tab:

4.2. Download Skitch

  1. In Safari, browse to https://evernote.com/products/skitch
  2. Click Download for Mac
  3. DO NOT download the app from the Mac App Store in order to complete this exercise!

The zip file for Skitch will download to the Downloads folder.

4.3. Download VMware AirWatch Admin Assistant Tool

In the same tab as you downloaded Skitch, paste the link to the VMware AirWatch Admin Assistant tool and press Return on the keyboard:   https://awagent.com/AdminAssistant/VMwareAirWatchAdminAssistant.dmg

The DMG file will download to the Downloads folder.

4.4. Begin Installing VMware AirWatch Admin Assistant Tool

On the dock, perform the following:

  1. Click the Downloads folder (next to the Trash)
  2. Click VMwareAirWatchAdminAssistant.dmg

4.5. Launch Installer Package

Double-click the VMware AirWatch Admin Assistant.pkg file

4.6. Continue Installer

Click Continue

4.7. Review and Continue Installer

  1. Review the License Agreement and click Continue
  2. Click Agree if you agree to the license agreement

4.8. Install Admin Assistant Tool

Click Install

4.9. Enter Admin Credentials

If prompted for administrative credentials, enter the credentials required to install.

  1. Enter the Administrator as the Admin User Name on the macOS device
  2. Enter the VMware1! as the password for the admin user
  3. Click Install Software

4.10. Close the Installer

  1. Click Close when the installer completes
  2. Click Move to Trash to clean up the installer

4.11. Launch VMware Admin Assistant Tool

  1. Click the Launchpad on the Dock
  2. Click VMware AirWatch Admin Assistant

4.12. Drag and Drop Skitch

  1. Click the Downloads folder on the Dock
  2. Click and HOLD Skitch
  3. Drag and Drop Skitch onto the VMware AirWatch Admin Assistant in the box

The VMware Admin Assistant Tool begins parsing the file to extract information necessary to deploy the software.

4.13. Monitor Process and Reveal Files

  1. Monitor the progress of the parsing.  When complete the wheel changes to a green checkmark.
  2. In the pop-up window, click Reveal in Finder

4.14. Review Generated Files

In the Finder window:

  1. Change to Column view
  2. Note the Path of the Output for the Skitch files:  ~/Documents/VMware AirWatch Admin Assistant/Skitch-2.8.1
  3. Note the output from the Assistant tool as described below:
Skitch-2.8.1.dmg -- The Application has been packaged into a DMG file.   (Note: MPKG and PKG files will not be modified)
Skitch-2.8.1.plist -- A metadata file (referenced as the pkginfo.plist in munki documentation) which contains information used by the munki framework to determine how to install/uninstall the software
Skitch.png -- An icon image extracted from the app used for user-friendly display in the console and Workspace ONE app for macOS

All output for the Admin Assistant tool follows the convention ~/Documents/VMware AirWatch Admin Assistant/{AppName-Version}.  At the time this lab was created, Skitch was at version 2.8.1 but may be different depending on when you take this lab.

5. Deploy a macOS Application

5.1. Return to Workspace ONE UEM Console

In Safari, Click on the tab labeled Devices > Dashboard

5.2. View Native Internal Apps

  1. Click on Apps & Books
  2. Expand Applications
  3. Click Native
  4. Click Internal
  5. Click Add Application

5.3. Begin Application File Upload

Click Upload

5.4. Choose File

Click Choose File

5.5. Browse and Select Application File

  1. Choose the Documents folder
  2. Select VMware AirWatch Admin Assistant
  3. Select Skitch-{version} (e.g. Skitch-2.8.1)
  4. Select Skitch-{version}.dmg
  5. Click Choose

5.6. Save Local File

Click Save

5.7. Continue Adding Application

Click Continue

5.8. Upload Metadata File

  1. Note the link to directly download the VMware AirWatch Assistant (in case you forgot to generate the metadata file and are working from a computer where the VMware AirWatch Assistant is not installed).
  2. Click Upload

5.9. Choose File

Click Choose File

5.10. Browse and Select Plist File

  1. Choose the Documents folder
  2. Select VMware AirWatch Admin Assistant
  3. Select Skitch-{version} (e.g. Skitch-2.8.1)
  4. Select Skitch-{version}.plist
  5. Click Choose

5.11. Save Plist File

Click Save

5.12. Continue Adding Application

  1. Note the Application File is shown
  2. Note the Plist File is shown
  3. Click Continue

5.13. Add Image File

  1. Click on the Images tab
  2. Click on Click or Drag Files Here

5.14. Browse and Select Image File

  1. Choose the Documents folder
  2. Select VMware AirWatch Admin Assistant
  3. Select Skitch-{version} (e.g. Skitch-2.8.1)
  4. Select {App Name}.png  (e.g. Skitch.png)
  5. Click Choose

5.15. Review Scripts Tab

  1. Click the Scripts tab
  2. The Pre-Install Script runs BEFORE the AirWatch Agent executes the dmg/pkg/mpkg file that installs the Application and can be used to set-up pre-requisite items before the installer runs.  The Pre-install Script must have an exit code of zero (0) in order for the install to proceed.
  3. The Post-Install Script runs AFTER the AirWatch Agent executes the dmg/pkg/mpkg file.   This can be useful for applying configurations after the software completes the installation.
  4. The Pre-Uninstall Script runs BEFORE the AirWatch Agent initiates the uninstall.  The Pre-Uninstall script must have an exit code of zero (0) in order for the uninstall to proceed.
  5. The Uninstall Method defines how the AirWatch Agent uninstalls software.  Typically, "Remove Copied Items" is used for a DMG installer, and "Remove Packages" is used for a PKG installer.  
  6. The Post-Uninstall Script provides a method to validate an uninstall was completed and potentially handle any cleanup for the uninstall.
  7. The Install Check script assists the AirWatch Agent with determining whether an install needs to happen.  This script can be useful for "desired state" purposes and ensuring that a software install remains intact on a user's machine.   If the script has an exit code of zero (0), the agent assumes an Install is needed.
  8. The Uninstall Check Script validates whether an uninstall has occurred.  If the script has an exit code of zero (0), the airwatch agent determines an uninstall is (or is still) required.

Use the pre and post install scripts to avoid repackaging installers.   By including scripts, you can automate tasks that would normally be prompted for the user to resolve before/after an install.   More info can be found in the munki Wiki:   https://github.com/munki/munki/wiki/Pre-And-Postinstall-Scripts

Scripts must include the shebang (#!) statement on the first line.  Examples include the following:

#!/bin/bash
#!/bin/sh
#!/usr/bin/python

5.16. Review Deployment Tab

  1. Click the Deployment tab
  2. Note the different Restart actions
  3. Note the section to include conditions which can further constrain the deployment.

For more information about Conditions, refer to the munki wiki:  https://github.com/munki/munki/wiki/Conditional-Items

5.17. Review Terms of Use and Save Application

  1. Click Terms of Use
  2. Review the ability to add terms of use to a software title.  
  3. Click Save & Assign

5.18. Add Assignment

Click Add Assignment

5.19. Select Assignment Group and Add

  1. Select the assignment group tied to your organization group (formatted like your email address).
  2. Click Auto for App Delivery Method
  3. Click Enabled for Remove on Unenroll
  4. Click Add

5.20. Save and Publish

  1. Ensure your recently added Assignment shows in the list of Assignments
  2. Click Save & Publish

5.21. Publish the Application

Click Publish

5.22. Review Published Application Information

Review the newly published application.

6. Validate Application Install

With the macOS device enrolled, the published application should begin downloading and installing immediately.  This sections shows how you can manually validate the application is installing and/or installed.

6.1. Check the Agent Status

  1. Click the Workspace ONE shield in the menubar.
  2. As the agent processes application installs, you will see a note about "Handling Application Updates."   Depending on the speed of your connection, the agent may finish processing the install before you have a chance to see the status on the menubar applet.

In a Workspace ONE UEM environment integrated with VMware Identity Manager, the end-user will see more verbose installation feedback from within the macOS native Workspace ONE application.   Feedback using this method is outside the scope of this lab.

6.2. Launch Terminal

  1. Click the LaunchPad on the Dock
  2. Begin typing terminal to filter the LaunchPad apps
  3. Click Terminal

6.3. Review ManagedSoftwareUpdate Log

  1. Tail the ManagedSoftwareUpdate.log file by running the command line below.  Note - the "-F" parameter means the tail command will continually monitor the file for updates (displaying progress as the software installation continues).
  2. Look for a line in the results stating Skitch version [version] (or newer) is already installed.   This indicates the software has been installed.
tail -n 20 -F /Library/Application\ Support/AirWatch/Data/Munki/Managed\ Installs/Logs/ManagedSoftwareUpdate.log 

The VMware agent initiates a Managed Software Update within the munki framework multiple times.  Depending on where the agent is within the process of the install the tail command may output lines similar to the following:

[Date/Time]    Need to install Skitch

[Date/Time]    Downloading Skitch-2.8.1.dmg from Skitch-2.8.1.dmg

[Date/Time]     The following items will be installed or upgraded:

[Date/Time]         + Skitch-2.8.1

[Date/Time]      Processing installs

[Date/Time]      Installing Skitch (1 of 1)

[Date/Time]     Mounting disk image Skitch-2.8.1.dmg

[Date/Time]     The software was successfully installed.

6.4. Check for App in the Launchpad

  1. Click the Launchpad icon on the Dock
  2. Check for the existence of the Skitch application

6.5. View the Application Status in the AirWatch Application Catalog

  1. Click on the Application Catalog weblink on the Dock
  2. Note the Installation Status for Skitch

7. Key Takeaways

  • macOS Applications can be deployed using the munki framework (Internal Application) or a detailed manifest of scripts and packages (Product Provisioning -- not covered in this lab).
  • Detailed status on installation progress is delivered to the end-user via the Workspace ONE native application for macOS (not covered in this lab)
  • AirWatch provides an Application Catalog to allow user and device specific self-service requests for application installation.

0 Comments

Add your comment

E-Mail me when someone replies to this comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.