[Technical Blueprint] Windows 10 Co-Management with SCCM & Workspace ONE

Apr 13, 2018
Josue Negron

Author:

Josue Negron is senior technical marketing architect for VMware End-User Computing, focusing on partner integrations, identity management and the Windows platform.


For many SCCM admins, the path to modern management for Windows 10 remains unclear or appears overly complex. To demystify this path, today’s post lays out an approach known as co-management. Co-management allows Workspace ONE to co-exist alongside current PCLM tools, such as SCCM. Keep reading to learn about the co-management capabilities that exist today in Workspace ONE, and to access links to helpful resources and tools.

For information about next-gen co-management capabilities, check out the blog Accelerate and Simplify Your Transition to Modern Management for Windows 10.

Ways to Approach Co-Management

While there are many approaches to co-management, most fall into one of three categories: complement, transition, or transform. The image below describes each approach and its distinguishing characteristics.

All three approaches apply to current as well as popular prior versions of SCCM (pre-1710) and Windows 10 (pre-1709).

Co-Management for SCCM Admins

For SCCM administrators interested in Workspace ONE’s modern management capabilities, getting started can be overwhelming. To simplify the process, we’ve provided resources tailored to SCCM admins.

SCCM Admin Resources

SCCM to Workspace ONE Translations

The following table “translates” common SCCM terms and concepts into Workspace ONE terminology.

SCCM Terms                                 | Workspace ONE Translations
-------------------------------------------|-----------------------------------------------
WMI/MOF                                    | CSPs/Profiles
Apps & Packages                            | Software Distribution & Product Provisioning
Distribution Points (DPs) + BranchCache    | CDN + Peer-to-Peer (P2P)
MDT/OSD                                    | OOBE/AutoPilot/Dell Cloud Provisioning
Software Center/App Catalog/Company Portal | Workspace ONE Catalog
MBAM for Encryption                        | BitLocker Lifecycle Management
Collections                                | Smart Groups & Assignment Groups
Software Updates/ADRs/WSUS                 | Windows Update Profile
Task Sequences                             | Product Provisioning
Site Code & Assigned Site                  | Group ID & Enrollment Group
Enrollment Point/Enrollment Proxy Point    | Device Services (Mobile and Mac Devices Only)
Management Point                           | Device Services (Windows Devices)
Primary Site/Secondary Site                | Parent/Child Organization Group

Hands-On Labs

The best place to learn about Workspace ONE and AirWatch Unified Endpoint Management is in an immersive hands-on lab. Since the labs are free and don’t require additional infrastructure, they provide a low-stakes way to see what the product can do and how it works.

VMware TestDrive

Another great resource at your disposal is TestDrive. TestDrive is a fully featured, integrated and globally available demo environment provided by VMware for partners, customers and employees. Sign up for your TestDrive account and check out some awesome demos created using TestDrive.

Getting Started with Co-Management

Create the foundation for co-management by migrating devices with user mappings from SCCM to Workspace ONE. Then, use VMware’s open-source toolkit to migrate workloads.

The following diagram gives an overview of the steps involved in establishing co-management. The sections below provide more details about each step.

[Figure: SCCM Co-Management with Workspace ONE]

User & Device Migration

To begin migrating devices to Workspace ONE, target a group of devices in SCCM and build a collection. Then, use this sample script to import your SCCM collections to the AirWatch Console using tags.

Next, evaluate the SCCM Integration Client. The SCCM Integration Client enables SCCM and Workspace ONE to co-exist on most devices. However, it’s optional for devices using SCCM 1710+ and Windows 10 1709+.

As a best practice, deploy the SCCM Integration Client to address cases where non-1709+ devices enter your environment.

Finally, deploy the AirWatch Agent using SCCM. For step-by-step instructions, follow the process outlined in the blog Enabling Co-Management with SCCM and AirWatch.

To see the latest enrollment enhancements, check out this feature walk-through:

Apps & Package Migration

After successfully mapping users from SCCM to the AirWatch Console, you’re ready to begin migrating workloads using VMware’s open-source toolkit.

Use the Windows – SCCM App Migration Tool to dynamically export apps from SCCM to Workspace ONE.

How the SCCM App Migration Tool Works

First, the tool parses the selected applications’ deployment details, pushing their application packages to the AirWatch Console. Then, it maps the deployment commands and settings to the AirWatch Console’s application record. The way files port in depends on their format:

  • MSIs – Port over in the same format
  • Scripts – Port over as ZIP folders containing execution commands
  • Unsupported – Fail to port over.

To import packages the tool doesn’t support, there are a few options:

OS Update Migration

In Windows 10, updates occur on a frequent and dynamic basis to ensure end users always have access to up-to-date operating system features.

[Related: Patch Management Done Right]

With co-management, Workspace ONE acts as a man-in-the-middle – delivering policies, and providing detailed reports. To grab and apply updates, Workspace ONE relies on the Windows Update for Business and the Windows Update services.

[Related: Overview of Windows as a service, Servicing Tools]

The following image and the enumerated steps explain Workspace ONE’s role in more detail:

[Figure: Windows 10 Co-Management]

  1. Device sends a query for available updates
  2. Update service returns a list of updates in GUID format
  3. Device reports metadata (GUIDs) to Workspace ONE
  4. Workspace ONE sends metadata to the update service to obtain canonical information (update name, description, etc.)
  5. Workspace ONE determines which updates apply to the device using assigned smart groups/distribution rings to
  6. Workspace ONE sends the list of authorized updates to the device
  7. Device fetches and applies approved updates
  8. Peer-to-peer delivery optimization shares updates to other devices – decreasing network traffic across the WAN to the update service

Policy Migration

To simplify the migration process as much as possible, utilize the remove, match, map workflow and its recommended tools.

Remove

To begin, consider narrowing the scope of the migration by removing existing GPOs that do not support key use-cases. Then, use the suggested tools to match and map the remaining policies.

Match

Use the MDM Migration Analysis Tool (MMAT) to determine which Group Policies match native MDM functionality. Then, configure the equivalent settings in the AirWatch Console.

  The VMware AirWatch Windows 10 Reviewer’s Guide explains how to:

  • Configure BitLocker encryption
  • Use Windows Information Protection for data loss prevention
  • Configure Health Attestation for compromised device detection
  • Set up per-app tunneling

Map

Import unmatched group policies from devices into the AirWatch Console using the GPO Open-Source Migration Tool.

This tool allows you to capture and upload both new and existing GPO backups to AirWatch to easily deploy and apply policies to your managed devices.

Compliance and Remediation Policy Migration

Many SCCM compliance and remediation policies align with AirWatch profiles and compliance policies. To migrate, map each compliance and remediation policy to its matching AirWatch configuration.

Then, use organizational standards and guidelines to configure the appropriate profile or compliance policy in the AirWatch Console.

No Match, No Problem

Certain compliance and remediation policies may not have a matching profile or compliance policy in AirWatch. In these cases, use custom attributes and/or product provisioning.

(Transform Only) Remove the ConfigMgr Client

To completely transform and replace SCCM, there are multiple options for uninstalling the ConfigMgr client from Windows 10 devices.

  • Deploy a Custom Script via Product Provisioning
  • Use SCCM to uninstall the client
  • Configure a Custom Settings profile in the AirWatch Console
    1. In the AirWatch Console, navigate to Add Profile > Windows > Windows Desktop > Device
    2. Complete the General profile information
    3. Click Custom Settings, then Configure
    4. Switch the Target to the AirWatch Protection Agent
    5. Uncheck Make Commands Automatic
    6. Paste the following custom settings XML, which carries the PowerShell uninstall command, into the text box:

       <wap-provisioningdoc id="c14e8e45-792c-4ec3-88e1-be121d8c33dc" name="customprofile">
         <characteristic type="com.airwatch.winrt.powershellcommand" uuid="7957d046-7765-4422-9e39-6fd5eef38174">
           <parm name="PowershellCommand" value="Invoke-Command -ScriptBlock {C:\windows\ccmsetup\ccmsetup.exe /uninstall}"/>
         </characteristic>
       </wap-provisioningdoc>
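
The profile above runs ccmsetup.exe by path as a privileged agent and reports nothing back. The following script is an added example, not part of the original post or of VMware's tooling: a guarded variant suited to the custom-script option, which checks the binary's signature before running it and confirms the client is gone afterwards. It assumes the default ConfigMgr client service name (CcmExec), the default WMI namespace (root\ccm) and a 15-minute timeout chosen for illustration.

```powershell
# Added example: guarded ConfigMgr client removal with post-checks.
# Assumptions: service name CcmExec, WMI namespace root\ccm, 900 s timeout.
$ErrorActionPreference = 'Stop'
$CcmSetup   = Join-Path $env:windir 'ccmsetup\ccmsetup.exe'
$TimeoutSec = 900

if (-not (Test-Path -LiteralPath $CcmSetup)) {
    Write-Output 'ccmsetup.exe not found; nothing to uninstall.'
    exit 0
}

# This runs with SYSTEM rights, so refuse a binary whose Authenticode
# signature is not valid or whose signer is not Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $CcmSetup
if ($sig.Status -ne 'Valid' -or
    $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    Write-Warning "Refusing to run ${CcmSetup}: signature status $($sig.Status)"
    exit 1
}

Start-Process -FilePath $CcmSetup -ArgumentList '/uninstall' -Wait

# ccmsetup can keep working after the launching process returns; poll for it.
$deadline = (Get-Date).AddSeconds($TimeoutSec)
while ((Get-Process -Name ccmsetup -ErrorAction SilentlyContinue) -and
       ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 10
}

# Post-checks: the setup process, the client service and the client's
# WMI namespace should all be absent once removal has finished.
$stillRunning = Get-Process -Name ccmsetup -ErrorAction SilentlyContinue
$service      = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
$namespace    = Get-CimInstance -Namespace root -ClassName __NAMESPACE `
                    -Filter "Name='ccm'" -ErrorAction SilentlyContinue

if ($stillRunning -or $service -or $namespace) {
    Write-Warning 'ConfigMgr client removal incomplete; review C:\Windows\ccmsetup\Logs\ccmsetup.log'
    exit 1
}
Write-Output 'ConfigMgr client removed.'
exit 0
```

A non-zero exit code lets the deployment tool flag devices where the client is still present instead of assuming the uninstall succeeded.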
