Exporting Apps and Creating Configuration Files

As of Workspace ONE UEM 1811, the IT administrator can leverage the provisioning wizard in the console to create the configuration file and export the apps. The IT administrator can configure OOBE, domain join and MDM enrollment from the wizard. Additionally, with a Windows 10 Enterprise license, the IT administrator can also choose to set the provisioning configuration for removal of consumer applications bundled with Windows 10. The active directory types that are supported for provisioning configuration are: on-premises domain join, Azure Active Directory Premium, Azure Active Directory - No Premium and local user/workgroup.

The provisioning configuration is exported in Windows unattend XML file format. This file follows the standard unattend XML schema, with some additional configuration for MDM enrollment into Workspace ONE UEM. The configuration is applied when the end user logs into the device.

Now that the enterprise applications are uploaded or imported using Workspace ONE AirLift (from SCCM) into Workspace ONE, the administrator is ready to export the applications into a provisioning package to share with Dell. The container used for this provisioning package is a Windows Provisioning Package (.ppkg) recognized natively by Windows 10. A custom mechanism is used in the PPKGs generated by Workspace ONE to install the applications, so it is not recommended for a customer to treat these PPKGs as generic PPKGs.

To export the enterprise applications, the IT administrator opens the Workspace ONE UEM console, and navigates to the Native Applications under the Apps & Books section. In the export dropdown, there is a new option to export PPKG. Selecting that option brings up a new dialog box with a list of applications to pick from. Currently, Windows classic desktop applications and Universal Windows Platform (UWP) apps which install in device or user context are supported.

Once the IT administrator initiates the PPKG export process, a confirmation is shown. On completion of PPKG export, a notification is sent to the Workspace ONE UEM console with a link to download the PPKG. A console administrator can have one PPKG export in progress at a time. To start a new PPKG export, the administrator needs to wait for the existing PPKG export to complete. A new PPKG export request overwrites any previously exported PPKG for that administrator. Multiple console administrators can concurrently request PPKGs to be exported though.

Lets take a look at how to export apps to provisioning packages and create the configuration file in the Workspace ONE UEM Console.

The above diagram shows the process of uploading, exporting and leveraging factory provisioning to load the apps and deliver the device to the end user.

  1. Workspace ONE UEM admin uploads apps to Workspace ONE UEM manually or using Workspace ONE AirLift.
  2. Workspace ONE UEM admin exports selected apps as a provisioning package (.ppkg).
  3. Admin provides the provisioning package, along with a configuration file to Dell.
  4. Dell performs factory provisioning using the exported apps and configuration file.
  5. Devices are shipped directly to end users or IT.
  6. End users boot device and device onboard into Workspace ONE UEM and receive app updates and other policies over-the-air.

1. Retrieve the Workspace ONE Enrollment Details

Before configuring the Windows Provisioning Package, you will need to retrieve the Workspace ONE Enrollment settings that you will need to provide during the Windows Provisioning Package configuration.  Follow the next steps to retrieve this information.

1.1. Open Notepad

You will need to record values from different sections of the Workspace ONE UEM Console for the upcoming exercise.  You will utilize Notepad to record these values to copy and paste them later.

  1. Click the Search button next to the Start button.
  2. Enter notepad.
  3. Click the Notepad Desktop app result.

1.2. Find Your Group ID

In the Workspace ONE UEM Console,

  1. Click the Organization Group tab at the top of the console.
  2. Click and drag the Group ID value to highlight your group id.
  3. Right-Click and select Copy.

1.2.1. Record your Group ID in Notepad

  1. Click the Notepad icon.
  2. Enter Group ID: in Notepad.
  3. Click Edit.
  4. Click Paste to insert your copied Group ID.

1.3. Find your Workspace ONE Enrollment Details

  1. Click Groups & Settings.
  2. Click All Settings.

1.3.1. Navigate to the Staging & Provisioning Settings

  1. Click Devices & Users
  2. Click Windows
  3. Click Windows Desktop
  4. Click Staging & Provisioning

1.3.2. Find Your Enrollment User UPN

  1. You may need to scroll down to find the Enrollment Details
  2. Click and drag to highlight the UPN value.
  3. Right-click and click Copy.

1.3.3. Record the UPN in Notepad

  1. Click the Notepad icon.
  2. Enter UPN: in Notepad.
  3. Click Edit.
  4. Click Paste to insert your copied UPN.

1.3.4. Find the Enrollment Secret

Back in the Workspace ONE UEM Console,

  1. Click and drag to highlight the Secret value.
  2. Right-click and click Copy.

1.3.5. Record the Enrollment Secret

  1. Click the Notepad icon.
  2. Enter Secret: in Notepad.
  3. Click Edit.
  4. Click Paste to insert your copied Secret.

1.4. Close the Staging & Provisioning Settings

Click Close.

2. New Provisioning Package

Navigate to the Windows Provisioning Package screen to build a new provisioning package.

  1. Click Devices.
  2. Click Lifecycle.
  3. Click Staging.
  4. Click Windows.

2.1. Create a New Windows Provisioning Package

Click New.

2.2. Enter the General Provisioning Package Details

  1. Enter corp.local package for the Provisioning Package Name.
  2. Click Next.

2.3. Configure Provisioning Package for On-Premises Active Directory

You will configure the Provisioning Package to join the lab corp.local domain when the package is applied.

  1. Select On-premises Active Directory Join from the Active Directory Type dropdown.
  2. Enter corp.local for the Domain Name.
  3. Enter CORP\administrator for the Domain User Name.
  4. Enter VMware1! for the Domain Password.
  5. Scroll down to continue configuring the Provisioning Package.

The following screens will be leveraging the On-premises Active Directory Join Type, reference the table with all options for more information and explanations of all required fields.

2.4. Configurations Details

The following table details all of the options for the configuration file. Leverage the below table for a detail explanation of each field.

Settings Description
Select AD Type

Select the type of Active Directory to use.

The settings below change based on your AD type.
Select Language Ensure the language of the operating system matches what you selected with Dell
OOBE Configuration
Show EULA Page Select Yes/No to show the EULA page during the OOBE.
Show Privacy Page Select Yes/No to show hide the privacy page during the OOBE.
Show Region and Keyboard Settings Select Yes/No to show the region and keyboard settings during the OOBE.
Language If No is selected (and thus hidden from OOBE), select the language below to pre-configure the system to that locale.
System Configuration
Domain Name

Enter the name of the domain you want the device to join.

This setting displays when you set the AD type to On-Prem AD Join.
Domain Username

Enter the username that has Domain Join privileges.

This setting displays when you set the AD type to On-Prem AD Join.

Note: This information is saved in plain text in the XML file. Please ensure this file is always secured and not sent over insecure transports.
Domain Password

Enter the password for the Domain Join user.

This setting displays when you set the AD type to On-Prem AD Join.

Note: This information is saved in plain text in the XML file. Please ensure this file is always secured and not sent over insecure transports.
AD Organization Unit (OU)

Enter the organization unit for the AD.

Th OU must follow the correct formatting:

OU=,OU=,DC=Company,DC=com

This setting displays when you set the AD type to On-Prem AD Join.
Workgroup

Enter the workgroup you want the device to join.

This setting displays when you set the AD type to Workgroup.
Registered Owner Enter the registered owner for the device.
Registered Organization Enter the registered organization for the device.
Remove Windows 10 Consumer Apps

Select Yes to prevent consumer apps from appearing in Windows 10.

This setting is only supported for Windows 10 Enterprise or Education. Entering a Windows 10 Enterprise or Education key is required.
Product Key

Enter the Windows 10 product key.

You must follow the correct format:

12345-54CDE-XYZ78-ONM98-456TY
Create Local User

Select Yes to create a local user account.

If you select No, the user is prompted during OOBE.

This setting displays when you set the AD type to Workgroup or Azure AD.
Local Username

Enter the username for creating an additional local user account.

This setting displays when you set the AD type to Workgroup or Azure AD.
Local User Password

Enter the password for the local user account.

This setting displays when you set the AD type to Workgroup or Azure AD.
Make Administrator?

Select to make the local account an administrator.

You must make the local user account an administrator to start Workspace ONE enrollment automatically.

During OOBE, the device prompts the user to enter their enrollment credentials.

This setting displays when you set the AD type to Workgroup or Azure AD.
Computer Name Computer name will be randomized by default so that every system coming from the factory is unique. To create a naming convention, use the Registered Owner and Registered Organization fields. The computer name will take  the first 7 characters from Registered Org or Registered Owner as the  prefix and then randomize the rest up to the max of 15 characters. For example, setting both of those fields to be "VMWARE-" (without quotes), will yield a computer name of VMWARE-8QJJCTJB where the last 8 characters are randomized for every system. See Microsoft documentation for more info.
Enable Administrator Account

You must enable the built-in administrator account to facilitate Workspace ONE enrollment.

You can later disable this account after enrollment is complete.
Administrator Password Enter a password for the administrator account.
Auto Admin Login A one-time auto login of the admin account is required for Workspace ONE enrollment when selecting On-prem AD use case.
User Account Control Select the level of User Account Control (UAC).
Additional Synchronous Commands Add commands that automatically run at the end of the Windows setup process but before any user logs in.
First Logon Commands

Add commands that automatically run the first time a user logs in.

This setting requires the user have local admin privileges.
Workspace ONE Enrollment
Enrollment Server

Enter your Workspace ONE UEM enrollment server URL.

Find the enrollment URL by navigating in the Workspace ONE UEM console to Groups & Settings > All Settings > System > Advanced > Site URLS.

This setting displays when you set the AD type to On-Prem AD Join or Workgroup.
Enrollment OG

Enter the devices organization group.

This setting displays when you set the AD type to On-Prem AD Join or Workgroup.
Staging Account

Enter the username for the staging account.

Find this username by navigating in the Workspace ONE UEM console to Groups & Settings > All Settings > Devices & Users > Windows  > Windows Desktop > Staging & Provisioning .

This setting displays when you set the AD type to On-Prem AD Join or Workgroup.
Staging Account Password

Enter the password for the staging account.

This setting displays when you set the AD type to On-Prem AD Join or Workgroup.
Device Services URL

Enter your device services URL.

Find the device services URL by navigating in the Workspace ONE UEM console to Groups & Settings > All Settings > System > Advanced > Site URLs.

This setting only displays when you set the AD type to Azure AD - No Premium.

2.5. Setup the built-in Administrator Account

You must enable the built-in administrator account to facilitate Workspace ONE enrollment. You can later disable this account after enrollment is complete.

  1. Select Yes for Enable Administrator Account.
  2. Enter VMware1! for the Administrator Password.
  3. Scroll down to continue setting up the Provisioning Package.

2.6. Enter the Workspace ONE Enrollment Details

  1. Enter hol.awmdm.com for the Enrollment Server.
  2. Copy the Group ID value you saved in Notepad and paste it in Enrollment OG.
  3. Copy the UPN value you saved in Notepad and paste it in Staging Account.
  4. Copy the Secret value you saved in Notepad and paste it in Staging Password.
  5. Click Next.

2.7. Selecting Applications

  1. Click the checkbox at the top to select all apps.
  2. Click Next.

NOTE: Apps with MSTs or MSPs will fail to deploy as those additional configurations are smart group specific, as a workaround re-package or ZIP the app with the MST/MSP already included then deploy and export.

2.8. Summary

Click Save and Export.

2.9. Success Message

Notice the Success message.

Depending on how many apps you have chosen to export will determine how long the export takes. The Unattend XML configuration file will be ready to download right away. In this lab, it may take a few minutes to process the request, then you can refresh the page.

Continue to the next step once you see the Status change from Queued to Download.

2.10. Confirm Unattend and Provisioning Package Download

  1. Click the PPKG link to download the file.
  2. Click the Unattend XML link to download the file.
  3. If prompted about keeping the unattend.xml file, click Keep.

Wait for both files to finish downloading.  You will use this exported provisioning package and unattend.xml in a future step.

NOTE: These are the files which need to be sent to the Dell Factory for Provisioning, however you will first want to test and validate that these apps and configuration work on a test device. The next steps will walk you through how to validate on a virtual machine (VM). You will want to log back into the Workspace ONE UEM Console from the test VM to download these files.

0 Comments

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.