
How VMware IT Manages Large-Scale Mac Deployments with Workspace ONE

by: VMware Information Systems Manager Dan Sanford

VMware actively supports more than 13,000 Macs for both onsite and remote colleagues (our term for end users). Before managing the Macs with VMware Workspace ONE®, VMware IT didn’t have a great management solution in place. Each Mac was individually imaged from a thumb drive to provide a base layer of software and then bound to Active Directory (AD) to manage the password on the device. This caused many issues, including keychain login prompts, FileVault passwords not updating, and login and DNS timeout issues. Combined, these problems created substantial frustration for colleagues and IT teams.

The traditional way of logging on to a Mac, which caused numerous problems

The solution was to switch to Workspace ONE UEM. This change represented significant advantages, including same-day support for Apple’s latest macOS releases, a better password management solution, and a superior colleague experience.

VMware unbound the Macs from the domain manually and changed the accounts from mobile/network admin accounts to local admin accounts. This solved the DNS timeout, keychain and FileVault issues, but we still wanted to manage the password experience, so our team employed Apple’s Enterprise Connect. Enterprise Connect provided an easy way to sync the AD password with a Mac’s local account, and provided a Kerberos ticket to the Mac that could be used for authentication.

An example of Apple Enterprise Connect

As part of the VMware on VMware (VoV) initiative, extensive internal testing was done—involving both R&D and IT—to ensure any and all products deployed are both VMware and customer ready the first time out.

Welcome to Workspace ONE UEM—provisioning rules!

Key to this migration was changing from an imaging to a provisioning approach by deploying apps through Workspace ONE UEM. With provisioning, IT teams can automatically push the latest applications to colleagues via Workspace ONE. This eliminates much of the unnecessary IT burden common to imaging in the past. Likewise, custom scripts can be pushed down to the Mac level for various tasks. These include setting the background and default WiFi, as well as creating a custom folder with VMware corporate templates.

DEP on up

The migration also involved using the Apple Device Enrollment Program (DEP). DEP offers a zero-touch solution that ensures IT has unparalleled control over every aspect of Mac management, in addition to state-of-the-art security. Plus, colleagues realize a seamless ‘open and enjoy’ experience that makes adoption a remarkably painless process.

Using DEP, VMware was able to deliver the devices from the factory directly to colleagues, allowing them to get the devices quicker and start working right away. Previously, devices were shipped from the factory to a deployment team to be configured and then would be shipped to the colleagues.

Did it work?

Today, VMware IT manages 100% of our Macs with Workspace ONE. Before Workspace ONE, there were roughly 3,000 Macs in circulation that were unmanaged. Those colleagues ultimately self-enrolled into Workspace ONE once they started seeing the benefits their fellow colleagues enjoyed, such as Single Sign-On (SSO) with certificate, always-on VPN, and/or a self-service portal full of applications. In addition, feedback from colleagues who choose a Mac for work is consistently positive regarding their experience.

Stay tuned for further updates.

VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment.