ToolBox Guide to
AirWatch can silently enroll Windows 10 systems using command line parameters on the AirWatch Agent MSI. You can use SCCM to deploy the AirWatch MSI to your Windows 10 systems to automatically enroll them into AirWatch without any user interaction. AirWatch just needs a bulk-import template uploaded to the console and a staging account set up, which is then used in the command line switches. The basic steps for this process are:
1. Set up a staging account in the AirWatch console
2. Run a SQL query on your SCCM SQL server to output the username and serial number for each device in the format of the AirWatch bulk-import template
3. Import the devices into AirWatch
4. Deploy the AirWatch agent to those systems with SCCM
Setup Staging Account
If you use VMware Workspace One (WS1) for identity management and authentication you will need a couple of extra steps to set up the staging account. This is because the staging account can't use WS1 for authentication and instead must use a simple username/password.
1. Create a Staging Organization Group (OG) as a "Sibling" to your production OG
2. As you can see in my instance, we have "Production" and "Staging"
3. Once the OG is created, simply create a "Basic" user account with the following settings:
Note: If you look at the dropdown by the "Single User Devices" setting, it might make sense to change it to "Advanced", but this actually needs to stay as "Standard". I'm not 100% sure why, but this is what the Product team has told me.
4. Click save and this account is ready to go.
Run SQL Query to export serials
1. On your SCCM SQL server, open SQL Server Management Studio.
2. Go to Tools-->Options and make sure you have the "Include column headers when copying or saving results" checked. If it's not set, set it and then close and reopen SQL Management Studio.
3. Create a new query on your primary SCCM database
4. This query outputs device information in the format that AirWatch needs for a bulk import. The key components are the serial number and username. These devices become "prestaged", so that when you push out the MSI it automatically enrolls the device based on this information. I've also added a line so you can look up a single collection, as well as exclude usernames such as Administrator.
SELECT
sys.User_Name0 as 'Username*',
'' as 'Password',
'1' as 'Active',
'Directory' as 'Security Type*',
'' as 'Security Type*',   -- duplicate header as in the original; check it against your downloaded template
'' as 'Enable Device Staging',
'' as 'Pre Register for Vpp',
'' as 'Email Username',
vru.User_Principal_Name0 as 'Email Address*',
'' as 'Email Password',
'' as 'User Principal Name',
vru.givenName0 as 'First Name*',
'' as 'Middle Name',
vru.sn0 as 'Last Name*',
'VMware' as 'GroupID*',
'' as 'Authorized GroupIDs',
'' as 'Enrollment Organization Group',
'' as 'Domain',
'' as 'Phone Number',
'' as 'Mobile Phone',
'' as 'Department',
'' as 'User Category',
'' as 'User Role',
'' as 'User Message Type',
'' as 'User Message Subject',
'' as 'User Message Body',
'' as 'Employee Identifier',
'' as 'Cost Center',
'' as 'Manager DN',
'VMWprod' as 'Device GroupID',
'' as 'Device Friendly Name',
'c' as 'Device Ownership(C/E/S/None)',
'' as 'Device Message Type',
'' as 'Device UDID(No special Characters)',
'' as 'Device IMEI',
'' as 'Device SIM',
'' as 'Device Asset Number',
v_GS_PC_BIOS.SerialNumber0 as 'Device Serial Number',
'' as 'Device Platform',
'' as 'Device Model',
'' as 'Device OS',
'' as 'DeviceOem',
'' as 'Tags',
'' as 'Custom Attribute Name 1',
'' as 'Custom Attribute Name 2',
'' as 'Custom Attribute Name 3'
FROM v_R_System sys
JOIN v_GS_PC_BIOS ON sys.ResourceID = v_GS_PC_BIOS.ResourceID
JOIN v_GS_COMPUTER_SYSTEM cs ON sys.ResourceID = cs.ResourceID
JOIN v_FullCollectionMembership FCM ON FCM.ResourceID = sys.ResourceID
JOIN v_GS_OPERATING_SYSTEM os ON sys.ResourceID = os.ResourceID   -- not used in the column list; remove if you don't need it
JOIN v_R_User vru ON sys.User_Name0 = vru.User_Name0
WHERE FCM.CollectionID = 'PAL00088'   -- the collection to export; replace with your own collection ID
AND sys.User_Name0 IS NOT NULL        -- exclude devices with no last logged-on user
AND sys.User_Name0 != 'Administrator'
AND vru.User_Principal_Name0 IS NOT NULL
AND vru.givenName0 IS NOT NULL
AND vru.sn0 IS NOT NULL
AND v_GS_PC_BIOS.SerialNumber0 NOT LIKE '%vmware%'   -- skip virtual machines
5. After running, right-click anywhere in the results and click "Save output as", name the file, and save it.
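As an alternative to copying results out of SQL Server Management Studio, the following PowerShell script runs the same export query against the site database and writes the batch-import CSV with headers, checking each row before it is written. This is an added example and not part of the original guide; the server name, database name, query file path and output path are assumptions, and the row checks (no blank value in a column whose header ends in "*", no duplicate serial number) reflect what the import needs from this guide's column list.

```powershell
# Added example (not from the original guide): export the AirWatch batch-import
# CSV straight from the SCCM site database. Uses System.Data.SqlClient so no
# SQL Server PowerShell module is needed. Server, database and paths are
# assumptions; save the query from this guide to the file named in $QueryFile.
param(
    [string]$SqlServer = 'SCCM-SQL01',           # assumed site database server
    [string]$Database  = 'CM_PAL',               # assumed site database name
    [string]$QueryFile = '.\AirWatchExport.sql', # the SELECT from this guide, saved as a file
    [string]$OutFile   = '.\AirWatchBatch.csv'
)

# Run the query with a data reader rather than a DataTable: a DataTable renames
# duplicate column names (the template has 'Security Type*' twice), a reader
# keeps the header names exactly as the query aliases them.
$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$SqlServer;Database=$Database;Integrated Security=True"
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = Get-Content -Path $QueryFile -Raw
    $reader = $cmd.ExecuteReader()
    $headers = @(0..($reader.FieldCount - 1) | ForEach-Object { $reader.GetName($_) })
    $rows = @()
    while ($reader.Read()) {
        $values = @(0..($reader.FieldCount - 1) | ForEach-Object {
            if ($reader.IsDBNull($_)) { '' } else { [string]$reader.GetValue($_) }
        })
        $rows += ,$values
    }
    $reader.Close()
}
finally {
    $conn.Close()
}

# Columns whose header ends in '*' are mandatory in the AirWatch template.
$requiredIdx = @(0..($headers.Count - 1) | Where-Object { $headers[$_].EndsWith('*') })
$serialIdx   = [array]::IndexOf($headers, 'Device Serial Number')

function ConvertTo-CsvLine([string[]]$Fields) {
    # Quote every field and double embedded quotes, so commas in names are safe.
    ($Fields | ForEach-Object { '"' + ($_ -replace '"', '""') + '"' }) -join ','
}

$seen = @{}
$lines = @(ConvertTo-CsvLine $headers)
$rejected = @()
foreach ($row in $rows) {
    $serial  = $row[$serialIdx]
    $missing = @($requiredIdx | Where-Object { [string]::IsNullOrWhiteSpace($row[$_]) } | ForEach-Object { $headers[$_] })
    if ($missing.Count -gt 0) { $rejected += "$serial : blank $($missing -join ', ')"; continue }
    if ([string]::IsNullOrWhiteSpace($serial)) { $rejected += '(no serial) : blank Device Serial Number'; continue }
    if ($seen.ContainsKey($serial)) { $rejected += "$serial : duplicate serial"; continue }
    $seen[$serial] = $true
    $lines += ConvertTo-CsvLine $row
}

Set-Content -Path $OutFile -Value $lines -Encoding UTF8
Write-Host "Wrote $($lines.Count - 1) devices to $OutFile; rejected $($rejected.Count)"
$rejected | ForEach-Object { Write-Warning $_ }
```

Rows that would fail the import are reported as warnings with the serial and the reason, so you can fix the source data (usually a missing first or last name in AD) instead of discovering the failure in Console Events after the upload.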
Bulk Import into AirWatch
Now that we have all of our device information exported, we will now import them into AirWatch.
(Note: My console version is 220.127.116.11)
1. Login to your AirWatch console and go to Devices-->Lifecycle and then click on Enrollment Status
2. On that page, click on the "Add" dropdown and click on "Batch Import".
3. Fill out the required fields:
Batch Name: Name it accordingly
Batch Description: Describe the upload accordingly (i.e. the site or group you are uploading)
Batch Type: Users and/or Devices
Batch file: Select the csv file you created earlier.
4. Click on Import
Note: It can take some time to upload depending on how many devices you have in your csv. To check the status of it, go to Hub-->Reports and Analytics-->Events-->Console Events.
Deploy AirWatch Agent with SCCM
Now that your devices are pre-staged, it's time to deploy the AirWatch agent MSI to those same devices.
1. Download the latest AirWatch agent from https://awagent.com/Home/Welcome
2. Create a standard SCCM MSI Application using default values, changing only the following when creating it:
Installation command line: use the command below with your own server, staging OG name (LGName) and staging account credentials.
msiexec.exe /i AirwatchAgent.msi /quiet ENROLL=Y IMAGE=N SERVER=yourserver.awmdm.com LGName=Staging USERNAME=StagingWin10 PASSWORD=1234
Under User Experience, configure the following:
Installation Behavior: Install for User
Logon Requirement: Only when a user is logged on
Installation program visibility: Hidden
The important part here is that you are doing the install as the logged-on user. This is because AirWatch enrollment is entirely user-based and the agent isn't built to be installed using the SYSTEM account. This also means that your end users need to be local administrators. Hopefully the product team will remove these limitations in the future.
3. Distribute this application to your distribution points and deploy to your collection. I highly recommend you deploy first to a test collection with only a few devices to ensure the automatic enrollment happens.
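The application, deployment type and pilot deployment from steps 2 and 3 can also be created from the ConfigurationManager PowerShell module instead of the console. This is an added example and not from the original guide; the site code, content share, distribution point group, collection name and staging account are assumptions, and the cmdlet parameter names should be checked against the module version installed with your console.

```powershell
# Added example (not from the original guide): create the AirWatch Agent
# application in ConfigMgr with the install command and User Experience
# settings from this guide, then deploy it to a small pilot collection.
# Site code, paths, names and the staging account below are assumptions.
param(
    [string]$SiteCode        = 'PAL',                                       # assumed site code
    [string]$MsiSource       = '\\sccm01\Sources\AirWatch\AirwatchAgent.msi', # assumed content share
    [string]$Server          = 'yourserver.awmdm.com',
    [string]$StagingOG       = 'Staging',
    [string]$StagingUser     = 'StagingWin10',
    [string]$PilotCollection = 'AirWatch Pilot',                            # a few test devices, per the guide
    [string]$DpGroup         = 'All DPs'                                    # assumed distribution point group
)

# Prompt for the staging password instead of hard-coding it in the script.
# msiexec still receives it as a plain-text property, so it remains visible in
# the deployment type and in the client's AppEnforce.log, exactly as with the
# console setup in this guide; keep the staging account limited to its OG.
$password = Read-Host -Prompt "Password for staging account $StagingUser"

$installCmd = "msiexec.exe /i AirwatchAgent.msi /quiet ENROLL=Y IMAGE=N " +
              "SERVER=$Server LGName=$StagingOG USERNAME=$StagingUser PASSWORD=$password"

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):"
try {
    $appName = 'AirWatch Agent'
    New-CMApplication -Name $appName -Publisher 'VMware' | Out-Null

    # The three User Experience settings from the guide: install for user,
    # only when a user is logged on, hidden.
    Add-CMMsiDeploymentType -ApplicationName $appName `
        -ContentLocation $MsiSource `
        -InstallCommand $installCmd `
        -InstallationBehaviorType InstallForUser `
        -LogonRequirementType OnlyWhenUserLoggedOn `
        -UserInteractionMode Hidden `
        -Force | Out-Null

    # Distribute content, then deploy as Required to the pilot collection first.
    Start-CMContentDistribution -ApplicationName $appName -DistributionPointGroupName $DpGroup
    New-CMApplicationDeployment -Name $appName -CollectionName $PilotCollection `
        -DeployAction Install -DeployPurpose Required | Out-Null
}
finally {
    Pop-Location
}
```

Run it from a machine with the ConfigMgr console installed, since the module is loaded from the console's own directory. Once the pilot collection enrolls cleanly, create a second deployment against the production collection with the same application.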
Once it successfully deploys to a device, go to the Access Work or School area and check the enrollment status. It should have your AirWatch server information and the correct email address. Sometimes the enrollment can show the staging account for a short period before flipping over to the correct user. Keep clicking out of the UI and back in to see if it switches properly.
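Rather than clicking in and out of "Access work or school" while the enrollment switches from the staging account to the real user, the enrollment can be read from the device's MDM enrollment registry keys and polled until it settles. This is an added example and not from the original guide; it assumes the standard Windows 10 layout of one GUID-named subkey per enrollment under HKLM\SOFTWARE\Microsoft\Enrollments with ProviderID, UPN, DiscoveryServiceFullURL and EnrollmentState values, and it assumes the staging user name from this guide.

```powershell
# Added example (not from the original guide): read the MDM enrollment(s)
# recorded on a Windows 10 device and wait until the AirWatch enrollment no
# longer shows the staging account. Assumes the GUID-subkey registry layout
# described in the lead-in; run elevated on the enrolled device.
function Get-MdmEnrollment {
    param(
        [string]$ExpectedServer = 'yourserver.awmdm.com',  # server from the msiexec SERVER= switch
        [string]$StagingUser    = 'StagingWin10'           # staging account from this guide (assumption)
    )
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $root -ErrorAction Stop |
        Where-Object { $_.PSChildName -match '^\{?[0-9a-fA-F-]{36}\}?$' } |   # GUID-named keys only
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if (-not $p.ProviderID) { return }   # skip entries that are not MDM enrollments
            [pscustomobject]@{
                EnrollmentId = $_.PSChildName
                Provider     = $p.ProviderID
                UPN          = $p.UPN
                Server       = $p.DiscoveryServiceFullURL
                State        = $p.EnrollmentState
                ServerMatch  = [bool]($p.DiscoveryServiceFullURL -like "*$ExpectedServer*")
                StillStaging = [bool]($p.UPN -like "$StagingUser*")
            }
        }
}

function Wait-MdmEnrollment {
    # Poll until an enrollment for the expected server exists under a
    # non-staging UPN, or give up after the timeout.
    param(
        [string]$ExpectedServer = 'yourserver.awmdm.com',
        [string]$StagingUser    = 'StagingWin10',
        [int]$TimeoutSeconds    = 300,
        [int]$PollSeconds       = 15
    )
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $done = Get-MdmEnrollment -ExpectedServer $ExpectedServer -StagingUser $StagingUser |
                Where-Object { $_.ServerMatch -and -not $_.StillStaging }
        if ($done) { return $done }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "No enrollment for $ExpectedServer under a non-staging user within $TimeoutSeconds seconds"
}

# Show everything currently recorded, then block until the real user appears.
Get-MdmEnrollment | Format-List
Wait-MdmEnrollment | Format-List
```

If the UPN stays on the staging account past the timeout, the device's serial number most likely did not match a row in the batch import; compare it against the CSV you uploaded before re-deploying.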
I'm Brooks Peppin and I love God, my family, AirWatch, VMware, EUC products, all things systems management, Windows 10, Powershell, and operating system deployment.