[Deep Dive] Unified Endpoint Management in VMware AirWatch 9.2 & FP01
VMware AirWatch unified endpoint management (UEM) empowers the digital workspace to meet business needs. By unifying endpoint management into a single point of reference, the solution delivers a premium user experience that doesn’t compromise enterprise security.
What’s New in AirWatch 9.2 UEM
Today’s post covers the new AirWatch 9.2 release and feature pack (FP01) of UEM features.
Note: The green headers separate the features by platform. The features display in the relevant platform section. Each feature is listed with its own title, which specifies the release version. Where applicable, click arrows at the bottom of the feature’s section to view more information.
New! Windows 10 Management Features
AirWatch 9.2: Dell Auto Enrollment for Windows 10
Eliminate manual configuration of PCs, and drop-ship devices that auto-configure upon first boot straight to end users.
How Dell Auto-Enrollment Works
Dell Auto-Enrollment for Windows 10 Requirements
Configure Dell Auto-Enrollment for Windows 10
Troubleshoot Dell Auto-Enrollment for Windows 10
Logging Location: C:\ProgramData\Airwatch\UnifiedAgent\Logs
AirWatch 9.2: Windows 10 Local Account Password Reset
Reset local Windows account passwords to maximize employee productivity without compromising endpoint security. Password reset provides a quick solution for employees locked out of their accounts, and enables IT to reset passwords for security purposes.
AirWatch 9.2: Collect & Display Windows 10 IP & MAC Addresses
Collect and display Windows devices’ IP and MAC addresses in the AirWatch console. Once collected, use these values to create asset data reports, validate device data during troubleshooting and perform other key tasks.
AirWatch 9.2: BitLocker Enhancements for Windows 10
Manage the full encryption lifecycle for Windows 10 devices. To secure Windows 10 device data with BitLocker, create an Encryption profile. Then, enforce it by configuring a compliance policy that includes encryption status as part of the device’s general security posture.
Troubleshoot BitLocker for Windows 10
To troubleshoot, check the logs from the most likely to the least likely source of error.
AirWatch 9.2: Dell BIOS for Windows 10
Enable over-the-air configuration and modification of BIOS settings without requiring physical access to the computer.
Dell BIOS for Windows 10 Requirements
Configure a Dell BIOS Profile for Windows 10
Troubleshoot Dell BIOS for Windows 10
AirWatch 9.2 FP01: Peer-to-Peer Distribution for Windows 10 UEM
AirWatch offers a peer distribution system to deploy Win32 applications to enterprise networks. Peer distribution can reduce the time to download large applications to multiple devices in deployments that use a branch office structure.
SaaS Architecture for Windows 10 Peer Distribution
Peer-to-peer distribution (peer distribution) modernizes enterprise-wide software deployments for PCs. Here’s an overview of how it works:
Windows 10 Peer Distribution Core Components
Important Considerations for Windows 10 Peer Distribution
Windows 10 Peer Distribution Configuration Overview
The deployment of applications with the peer-to-peer distribution system requires you to set the listed configurations in the AirWatch console and on devices.
Windows 10 Peer Distribution Requirements
Activate Windows 10 Peer Distribution
After the configurations save, the system activates the peer-to-peer server and clients with a license key. During activation, existing Win32 application content publishes to the peer-to-peer server. From this point on, devices that belong to the peer distribution network begin to receive the application download.
By default, if a client fails to check in after 21 days, it is purged from the Adaptiva database and a license is reclaimed. To change the purge threshold:
Client Logs for Windows 10 Peer Distribution
Network Topology for Windows 10 Peer Distribution
Rendezvous Points (RVPs)
Representing your network as a hierarchy of offices enables the peer distribution system to deploy applications more efficiently. The hierarchy controls the clients and the order downloads occur. It uses devices called rendezvous points, or RVPs, as master clients in an office. The RVP receives downloads and disseminates the applications to peer clients.
RVP Election Process
When an RVP is shut down, a new one gets elected using the following criteria:
Offices & Subnets
Offices contain one or more subnets. They can retrieve content from their parent offices and distribute it to their child offices. Office types are designated based on the way the office shares data.
Data Transport in Offices
The system distributes content from a parent to child office once. This behavior limits data sent across wide area network (WAN) links.
AirWatch 9.2 FP01: Active Directory (AD) to Azure Active Directory (AAD) Integration for Windows 10
Configure custom Lightweight Directory Access Protocol (LDAP) attributes that map Active Directory users to Azure Active Directory for hybrid use cases. AirWatch searches the configured LDAP attribute for a match with the Azure ImmutableID. By default, this attribute is “ObjectGUID”, in binary format. However, it can be customized for organizations with forest domains syncing to Azure, as well as other non-standard configurations.
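As an added example (not AirWatch code), the following shows how the default ObjectGUID-to-ImmutableID mapping can be verified from a directory export: Azure AD stores ImmutableID as the base64 encoding of the 16 raw objectGUID bytes, so a byte-order mistake or a source attribute other than objectGUID is caught before the AirWatch mapping is configured. The user records and the use of mS-DS-ConsistencyGuid as the customized attribute are constructed assumptions for illustration, not taken from the page.

```python
import base64
import uuid

# Constructed sample of what an LDAP query would return for AD users.
# objectGUID arrives as 16 raw bytes in the little-endian layout that
# Azure AD then base64-encodes as the user's ImmutableID.
# The third record models a migrated account (assumption) whose
# mS-DS-ConsistencyGuid, not its objectGUID, was synced to Azure.
SAMPLE_AD_USERS = [
    {"sAMAccountName": "jdoe",
     "objectGUID": uuid.UUID("a1b2c3d4-e5f6-4789-abcd-ef0123456789").bytes_le},
    {"sAMAccountName": "asmith",
     "objectGUID": uuid.UUID("0f1e2d3c-4b5a-4968-8776-655443322110").bytes_le},
    {"sAMAccountName": "migrated",
     "objectGUID": uuid.UUID("11111111-2222-4333-8444-555555555555").bytes_le,
     "mS-DS-ConsistencyGuid":
         uuid.UUID("deadbeef-0000-4000-8000-000000000001").bytes_le},
]


def immutable_id_from_object_guid(object_guid: bytes) -> str:
    """Encode a raw 16-byte AD attribute value the way Azure AD stores ImmutableID."""
    if len(object_guid) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return base64.b64encode(object_guid).decode("ascii")


def object_guid_from_immutable_id(immutable_id: str) -> str:
    """Decode an Azure ImmutableID back to the GUID text that AD tools display.

    The first three GUID fields are little-endian in the raw bytes, so
    bytes_le (not bytes) must be used or the text form will be scrambled.
    """
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID is not 16 bytes; source attribute is "
                         "probably not objectGUID")
    return str(uuid.UUID(bytes_le=raw))


def find_ad_user(immutable_id: str, ad_users, attribute: str = "objectGUID"):
    """Return the AD record whose mapping attribute matches the Azure ImmutableID.

    `attribute` models the customizable LDAP attribute; objectGUID is the default.
    """
    wanted = base64.b64decode(immutable_id, validate=True)
    for user in ad_users:
        if user.get(attribute) == wanted:
            return user
    return None
```

Running the lookup with the default attribute against the migrated account returns nothing, while the same ImmutableID matches once the attribute is switched, which is exactly the case the customizable mapping exists for.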
Configure AD to AAD Integration for Windows 10
AirWatch 9.2 FP01: Enterprise Wipe Protection for Windows 10
Protect managed and unmanaged Windows devices from unintended enterprise wipes. This provides Windows devices with the same wipe protections as iOS and Android mobile devices.
AirWatch 9.2 FP01: BitLocker Enhancements for Local Enforcement
In Windows Protection Agent 184.108.40.206 and above, BitLocker enforcement no longer depends on network connection or sample intervals. Instead, BitLocker continually enforces encryption, preventing anyone from locally disabling the encryption.
New! Chrome OS Management Features
AirWatch 9.2: UEM for Chrome OS
How UEM for Chrome OS Works
With AirWatch UEM for Chrome OS, physical communication to devices gets handled by Google’s Chrome OS device management infrastructure. This differs from other platforms, such as iOS and Android, where devices communicate directly to the AirWatch Device Services server. However, for all platforms, AirWatch manages the device.
Here’s how it works:
UEM for Chrome OS Requirements
Request a Google Service Account
Set Up Google Admin Console
Integrate Google’s Chrome OS Device Management Infrastructure with AirWatch
UEM Enrollment Workflow for Chrome OS
AirWatch Profiles for Chrome OS UEM
There are two types of profiles that apply to Chrome OS devices: device profiles and user profiles. Device profile assignment is based on the Smart Group the device belongs to. The user profiles assigned to Chrome OS devices are based on the User Group the logged-on user belongs to.
The following diagram outlines the available profiles:
How User Profiles Work
User Profile assignment kicks off when a user gets added to the User Group in the AirWatch console. Adding a user triggers AirWatch APIs to send the assigned User Profiles to the appropriate user account in Google’s Chrome OS device management infrastructure.
Once sent, these profiles and settings simply exist within the device management infrastructure until that user logs into a Chrome OS device. Upon login, Google’s Chrome OS device management infrastructure applies the AirWatch user profile to the device.
BEST PRACTICE: Due to the sequence of operations, publish AirWatch User Profiles before allowing users to log into Chrome OS devices.
Application Management for Chrome OS
Application management does not get configured under Apps & Books in the AirWatch console. Instead, to add apps from the Google Play Store and Chrome Web Store, configure the Application Control profile.
AirWatch 9.2 FP01: Network Profile for Chrome OS
The Network profile determines network connection settings for all Chrome OS devices. Configure this profile to establish password-based Wi-Fi for device policies and user policies on Chrome OS devices.
To configure the Network profile:
New! Android Management Features
AirWatch 9.2: Granular Device Assignment for Android
Configure Granular Device Assignment for Android
AirWatch 9.2: Enrollment Types for Android
Configure User or Device enrollment types for Android for Work.
Configure Enrollment Types for Android
AirWatch 9.2 FP01: Samsung EFOTA
Use Samsung Enterprise Firmware Over the Air (EFOTA) to review and push Android device updates. With AirWatch UEM, the updates are managed in the AirWatch console. Here’s a quick look at how the AirWatch Console, the device, and the EFOTA server communicate:
EFOTA for Samsung Requirements
Configure EFOTA for Samsung
New! iOS Management Features
AirWatch 9.2: Support for iOS 11
AirWatch 9.2 supports iOS 11 and its features.
iOS 11 Requirements
New! macOS Management Features
AirWatch 9.2: Bootstrap Package Support for macOS
Customize the onboarding experience for macOS using bootstrap packages, which deliver installer packages immediately upon enrollment (during the setup assistant in DEP).
Requirements for macOS Bootstrap Package
Configure macOS Bootstrap Packages
New! UEM for IPC Rugged Devices
AirWatch 9.2: Support for Infinite Peripherals Corporation (IPC) Devices
AirWatch 9.2 brings support for the IPC line of rugged devices featuring integrated barcode scanners, mag stripe readers and printers. Extending unified endpoint management to IPC devices makes it possible to deploy, secure and manage IPC devices from the same pane of glass as the rest of the mobile device fleet.
How IPC Rugged Device Management Works
AirWatch communicates with IPC devices via InfineaIQ, a cloud-based service. Here’s a basic diagram that shows how IPC rugged device management works: