I recently did a proof of concept of Windows 10 Modern Management with VMware Unified Endpoint Management at a customer. It was formerly known as VMware Airwatch. 2 years ago I also investigated what was possible to manage Windows 10 with VMware UEM but I was missing a few features. Now Windows 10 Modern Management has evolved a lot over the past 2 years.
What is Windows 10 Modern Management?
Employees want to work on their own devices, some have different devices like a Windows 10 laptop and an Ipad. Employees want to be able to work from any place and from any device. Some organizations might require deep control over devices, while others want lighter management that empowers the modern workforce. Windows 10 offers the flexibility to respond to those changing requirements. Windows 10 is developed to be managed with a mobile device management solution. VMware Unified Endpoint Management can manage all these different devices from one central console.
What are the customers challenges?
The customer has offices in many different European countries. The head office is in Belgium. All these countries connect for certain applications to the data center in Belgium trough VPN. The IT department is also located in the head office in Belgium. The Belgium IT department is responsible for installing, updating and distributing Dell laptops with Windows 10 to employees. All the Dell laptops are joined to the domain during installation. Once the laptop is shipped to an employee it’s hard to keep track of the device.
Employees don’t have to activate there VPN every time to be able to work. So employees can work off and on the domain. Some laptops only connect once a month to the domain. The IT department has no insights if the laptops have the latest Windows updates installed, what software is installed and which version, if the antivirus definitions are up to date…
When a laptop is stolen, or has been compromised there is no way to wipe the company data from the device.
Employees are not local administrators on there laptops. When they need an update of an application they have to call the IT department. Then an IT administrator takes over the laptop and installs the new update.
What was the scope of the proof of concept?
Based on the challenges above we concluded the following goals:
- Enrollment of Windows 10 laptops
- Software catalogue with Win32 applications
- Windows Update Management
- Set security policies and force encryption
- Manage firmware and driver updates
Windows 10 enrollment
There are many different ways to enroll a Windows 10 device. For most of the options, you need administrator rights. You can also install the VMware UEM agent trough command line with a staging user before you ship the device. When the employee logs in, the laptop is assigned to the current user. For all the possible commandline options checkout VMware Techzone.
For the POC we downloaded and installed the UEM HUB from https://www.getwsone.com. We registered the E-mail domain with VMware UEM for Autodiscovery. When a user wants to enroll a device he simply enters his E-mail address, and through Autodiscovery the device is enrolled in VMware UEM.
For all possible Windows 10 enrollment options checkout VMware Workspace ONE Techzone.
Software catalog with Win32 applications
With VMware UEM you can deploy Win32 applications. You can deploy MSI, EXE and ZIP files. You can assign the applications based on Smart Groups, for example, all Corporate Windows 10 devices or to a Microsoft Active Directory Group. You can assign the applications to be installed on demand or automatic. If an application is set to automatic it will be pushed down to the device when it’s enrolled. Otherwise, it will be available to install from the VMware UEM Software catalog.
You can also add any application from the Windows Store to the catalog.
So if you want to add Candy Crush to the catalog you can! If you have an existing Microsoft SCCM environment you can import your existing software packages with VMware Airlift.
The successful deployment of your applications depends on the quality of your package. Always test the deployment before uploading it to VMware UEM. You always need to add an uninstall command as well. Quick tip, if you leave the retry interval default it can take a very long time before VMware UEM retries to the install the application again. (Been there, done that.)
Windows Update Management
With VMware UEM you can also do patch management for your Windows 10 devices. You no longer need an on premise Windows Update Server and a VPN connection to keep your devices up to date. You can centrally manage Microsoft Windows Updates from the VMware UEM console from anywhere.
You can use the built-in Microsoft Update Branches to approve and install updates. You can assign the different Microsoft Update Branches to different smart groups. For example, Release Windows Insider Build to the IT department and Semi-Annual Channel to all other departments.
Security policies and encryption
Security is becoming more and more important as cyber-threats keep growing every year. With VMware UEM you can manage many different security settings in a profile like:
With VMware UEM you have a real-time monitoring of the following components:
- Is the device managed by MDM?
- Firewall Status
- Antivirus Status
- Automatic Updates
- Bitlocker Protection: On or Of
You can also set compliance rules if one or multiple of the security rules are breached. F.e. if the Antivirus is turned of you can sent an automatic mail to an employee, informing that the Antivirus is turned off. If after a few days the Antivirus is not turned on again you can set another automatic action to remove access to company resources.
With Workspace ONE Intelligence you can create automatic actions if a certain event is triggered. Like if Windows 10 devices are missing a certain security update that is used by virus exploit, you can remove access for these devices to company resources until they are patched. I will blog more about Workspace ONE Intelligence in the future. So stay tuned!
Firmware and driver updates
The customers laptops are mostly Dell Latitude devices. Workspace ONE UEM integrates with Dell Client Command Suite to improve modern management. The integration enabled the costumer to:
- Create reports on custom system properties
- Set BIOS attributes like the BIOS Administrator password
- Configure OEM Update settings
VMware recently released a detailed video about the Workspace ONE UEM integration with the Dell Client Command Suite.
The original article was posted on: maartencaus.be