Troubleshooting Windows Desktop Native OMA-DM (Access Work or School) Enrollments
This exercise walks through troubleshooting Windows 10 native/built-in OMA-DM enrollment into Workspace ONE UEM. For this exercise, you do not need the Workspace ONE Intelligent Hub.
What is Windows 10 Enrollment into Workspace ONE UEM?
Device enrollment establishes the initial communication with Workspace ONE UEM to enable Mobile Device Management (MDM). The enrollment methods for Windows Desktop focus on adding features and functionality depending on how devices are enrolled.
All Windows Desktop enrollments use the native OMA-DM protocol to complete the enrollment process in the background. Windows Auto-Discovery Service is an optional method of enrolling devices that only requires the end-users email address to begin the enrollment process.
Enrollment can also require the downloading of the Workspace ONE Intelligent Hub. This Intelligent Hub adds endpoint security to your Windows Desktop devices to ensure your data and devices remain secure wherever the device may go. The Intelligent Hub for Windows Desktop co-opts the native Windows Desktop functionality such as BitLocker encryption, Windows Firewall, and Windows Automatic Updates to keep devices secure and up-to-date.
It is recommended to only use native OMA-DM enrollment when required. This is required due to some limitations with various operating systems not supporting x32/x64 apps. For more information on selecting the most appropriate onboarding method for your use case(s), refer to Selecting an Onboarding Workflow.
1. Find your Group ID
The first step is to retrieve your Organization's Group ID.
- In Workspace ONE UEM Console, hover your mouse over the Organization Group tab at the top of the screen.
- Your Group ID is displayed at the bottom of the Organization Group pop-up window. The Group ID is required when enrolling your device.
2. Capture Access Work Enrollment Traffic
Note: Ensure that you have Fiddler in capture mode to capture all the network traffic during device enrollment. To learn how to get started with Fiddler, refer to Using Fiddler for Troubleshooting Windows 10.
2.1. Launch Settings
- Click the Start Menu icon.
- Click the Settings icon.
2.2. Access Accounts
Select Accounts.
2.3. Access Work Enrollment
- Click Access work or school.
- Click Enroll only in device management.
2.4. Connect to Windows Auto Discovery Service
For this step, use a static or local email address. This is not the email address that you used to log in to your environment. Normally, your user community would enter their corporate email address which would then point their device to your Workspace ONE UEM environment. If you choose not to use a WADS server then the user would be forced to enter the enrollment URL manually. This is no longer the recommended enrollment method; end-users should enroll by navigating to https://getwsone.com.
- Enter the email address, for example,
[email protected]
. - Click Next.
- Enter the management endpoint URL (Device Services hostname), for example,
hol.awmdm.com
. - Click Next.
Note: To verify if an email domain is registered with Workspace ONE UEM Auto-Discovery, navigate to https://discovery.awmdm.com/Autodiscovery/awcredentials.aws/v2/domainlookup/domain/{domain}
To verify if Windows Auto-Discovery is set up for a domain, navigate to https://EnterpriseEnrollment.{domain}/EnrollmentServer/Discovery.aws
2.5. Enter Group ID
- Enter your Group ID.
- Click Next.
2.6. Enter Username and Password
- Enter the
testuser
in the Username field. - Enter the
VMware1!
in the Password field. - Click Next.
2.7. Remember Sign-In Info
Click Skip to not remember sign-in info
2.8. Complete Enrollment
Click Got it.
Note: If you are prompted by User Account Control (UAC) to allow the app to make changes to your PC, click Yes.
2.9. Validate Successful Enrollment
Validate that you now see a new enrollment account under Access work or school.
3. Check Enrollment Traffic
Now, return to the Fiddler application. The most important sessions which deal with enrollment are the Policy.aws and Enrollment.aws endpoints and the authentication traffic which leads up to these endpoints. Explore some of the entries and inspect the traffic to the right. Complete a successful enrollment and save your results—this will be helpful for troubleshooting at a later stage. Again, Fiddler can be used to see if some of the endpoints are not accessible. In this example, you can see 117 and 119 where the network is blocking access to watson.telemetry.microsoft.com.
Note: For more information, see the Microsoft article Federated Authenticate Device Enrollment.
3.1. Check Enrollment Information
Click your enrollment account, then click Info.
3.2. Sync Device
The device sync status shows the last attempted sync time, and whether the last sync with Workspace ONE UEM was successful or unsuccessful.
3.3. Check Sync Traffic
Again, when you click Sync, you will notice traffic in Fiddler. Return to the console, find your device and attempt several actions such as Lock, Query, or Query each category individually to see the differences. Fiddler can help to determine if the device can communicate with Workspace ONE UEM, check the contents of profiles being pushed, and return error codes that Workspace ONE UEM might not always display.
You can also check the logs related to enrollment to find potential issues. For details on logging locations, refer to the Locating Log Files and Registry Keys section.
0 Comments
Add your comment