AirWatch Hands-on LabsInternal HOLsTM-HOL-W10-1802Windows 10 TroubleshootingTroubleshooting Windows Desktop Native OMA-DM (Access Work or School) Enrollments

Troubleshooting Windows Desktop Native OMA-DM (Access Work or School) Enrollments

This exercise walks through troubleshooting Windows 10 native/built-in OMA-DM enrollment into Workspace ONE UEM. For this exercise, you do not need the Workspace ONE Intelligent Hub.

What is Windows 10 Enrollment into Workspace ONE UEM?

Device enrollment establishes the initial communication with Workspace ONE UEM to enable Mobile Device Management (MDM). The enrollment methods for Windows Desktop focus on adding features and functionality depending on how devices are enrolled. 

All Windows Desktop enrollments use the native OMA-DM protocol to complete the enrollment process in the background. Windows Auto-Discovery Service is an optional method of enrolling devices that only requires the end-users email address to begin the enrollment process. 

Enrollment can also require the downloading of the Workspace ONE Intelligent Hub. This Intelligent Hub adds endpoint security to your Windows Desktop devices to ensure your data and devices remain secure wherever the device may go. The Intelligent Hub for Windows Desktop co-opts the native Windows Desktop functionality such as BitLocker encryption, Windows Firewall, and Windows Automatic Updates to keep devices secure and up-to-date. 

It is recommended to only use native OMA-DM enrollment when required. This is required due to some limitations with various operating systems not supporting x32/x64 apps. For more information on selecting the most appropriate onboarding method for your use case(s), refer to Selecting an Onboarding Workflow.

1. Find your Group ID

Finding your Group ID

The first step is to retrieve your Organization's Group ID.

  1. In Workspace ONE UEM Console, hover your mouse over the Organization Group tab at the top of the screen.
  2. Your Group ID is displayed at the bottom of the Organization Group pop-up window. The Group ID is required when enrolling your device.

2. Capture Access Work Enrollment Traffic

Note: Ensure that you have Fiddler in capture mode to capture all the network traffic during device enrollment. To learn how to get started with Fiddler, refer to Using Fiddler for Troubleshooting Windows 10.

2.1. Launch Settings

Launching Settings
  1. Click the Start Menu icon.
  2. Click the Settings icon.

2.2. Access Accounts

Accessing Accounts

Select Accounts.

2.3. Access Work Enrollment

Accessing Workplace Enrollment
  1. Click Access work or school.
  2. Click Enroll only in device management.

2.4. Connect to Windows Auto Discovery Service

Connecting to Windows Auto Discovery Service

For this step, use a static or local email address. This is not the email address that you used to log in to your environment. Normally, your user community would enter their corporate email address which would then point their device to your Workspace ONE UEM environment. If you choose not to use a WADS server then the user would be forced to enter the enrollment URL manually. This is no longer the recommended enrollment method; end-users should enroll by navigating to https://getwsone.com.

  1. Enter the email address, for example, [email protected].
  2. Click Next.
  3. Enter the management endpoint URL (Device Services hostname), for example, hol.awmdm.com.
  4. Click Next.

Note: To verify if an email domain is registered with Workspace ONE UEM Auto-Discovery, navigate to  https://discovery.awmdm.com/Autodiscovery/awcredentials.aws/v2/domainlookup/domain/{domain}

To verify if Windows Auto-Discovery is set up for a domain, navigate to https://EnterpriseEnrollment.{domain}/EnrollmentServer/Discovery.aws

2.5. Enter Group ID

Group ID
  1. Enter your Group ID.
  2. Click Next.

2.6. Enter Username and Password

Username and Password
  1. Enter the testuser in the Username field.
  2. Enter the VMware1! in the Password field.
  3. Click Next.

2.7. Remember Sign-In Info

Remember Workspace ONE UEM Sign-In Info

Click Skip to not remember sign-in info

2.8. Complete Enrollment

Complete Workspace ONE UEM Enrollment

Click Got it.

Note: If you are prompted by User Account Control (UAC) to allow the app to make changes to your PC, click Yes.

2.9. Validate Successful Enrollment

Close Settings

Validate that you now see a new enrollment account under Access work or school.

3. Check Enrollment Traffic

Allowing Application to Make Changes

Now, return to the Fiddler application. The most important sessions which deal with enrollment are the Policy.aws and Enrollment.aws endpoints and the authentication traffic which leads up to these endpoints. Explore some of the entries and inspect the traffic to the right. Complete a successful enrollment and save your results—this will be helpful for troubleshooting at a later stage. Again, Fiddler can be used to see if some of the endpoints are not accessible. In this example, you can see 117 and 119 where the network is blocking access to watson.telemetry.microsoft.com.

Note: For more information, see the Microsoft article Federated Authenticate Device Enrollment

3.1. Check Enrollment Information

Allowing Application to Make Changes

Click your enrollment account, then click Info. 

3.2. Sync Device

Allowing Application to Make Changes

The device sync status shows the last attempted sync time, and whether the last sync with Workspace ONE UEM was successful or unsuccessful.

3.3. Check Sync Traffic

Allowing Application to Make Changes

Again, when you click Sync, you will notice traffic in Fiddler. Return to the console, find your device and attempt several actions such as Lock, Query, or Query each category individually to see the differences. Fiddler can help to determine if the device can communicate with Workspace ONE UEM, check the contents of profiles being pushed, and return error codes that Workspace ONE UEM might not always display.

You can also check the logs related to enrollment to find potential issues. For details on logging locations, refer to the Locating Log Files and Registry Keys section.

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.