ToolBox Guide to
This blog post details how to automatically enroll a Windows 10 system that has been newly imaged with MDT into AirWatch WorkspaceONE. This solution will work with any imaging solution as well as in-place upgrade task sequences.
First, enable the REST API in the AirWatch console and set up an API user per the steps in this post. I recommend creating an API admin role that is locked down to only a few functions, which reduces the risk if the credentials are ever discovered.
Update Feb 2018
- Added additional variables at the top of script used in AWAgent command line for easier configuration
- Added additional screenshots and considerations about some SCCM attributes in the SQL script
Update Jan 2018
- Included a more robust deployment with a PowerShell script.
AirWatch has the ability to silently enroll Windows 10 systems using command line parameters on the AirWatch Agent msi. You can use SCCM to deploy the AirWatch msi to your Windows 10 systems to automatically enroll them into AirWatch without any user interaction. AirWatch just needs a bulk-import template uploaded to the console and a staging account set up, which will be used in our command line switch. The basic steps for this process are:
1. Set up a staging account in the AirWatch console
2. Run SQL query on your SCCM SQL server to output username and serial number information for each device into the correct AirWatch bulk-import template
3. Import the devices into AirWatch
4. Deploy the AirWatch agent to those systems with SCCM
- Script must be run as the currently logged-in user
- This user must have administrative rights
- Domain membership NOT required (Although it makes it a lot easier to do serial/username mapping)
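A pre-flight check for the requirements listed above, as an added example that is not part of the original script. The function name `Test-EnrollmentPrerequisites` and the output property names are hypothetical; it only reads local state and installs nothing.

```powershell
# Added example: verify the stated requirements before launching the agent install.
# Function and property names are hypothetical, not taken from the original script.
function Test-EnrollmentPrerequisites {
    [CmdletBinding()]
    param()

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the token is elevated; an admin account running in a
    # non-elevated (UAC-filtered) session reports False here.
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Win32_ComputerSystem.UserName is the console user. It is empty for
    # RDP-only sessions, so an empty value means "cannot confirm".
    $consoleUser = $cs.UserName
    $runsAsLoggedInUser = [bool]$consoleUser -and
        ($consoleUser -ieq $identity.Name)

    [pscustomobject]@{
        RunningAs          = $identity.Name
        ConsoleUser        = $consoleUser
        RunsAsLoggedInUser = $runsAsLoggedInUser
        IsElevatedAdmin    = $isAdmin
        DomainJoined       = [bool]$cs.PartOfDomain  # informational, not required
        SerialNumber       = $bios.SerialNumber      # used for serial/username mapping
        Ready              = ($runsAsLoggedInUser -and $isAdmin)
    }
}

$result = Test-EnrollmentPrerequisites
$result | Format-List
if (-not $result.Ready) {
    Write-Warning 'Prerequisites not met; skipping AirWatch agent install.'
    exit 1
}
```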
Setup Staging Account
If you use VMware Workspace One (WS1) for identity management and authentication, you will need to do a couple of extra steps to set up the staging account. This is because the staging account can't use WS1 for authentication and instead must use a simple username/password.
1. Create a Staging Organization Group (OG) as a "Sibling" to your production OG
2. As you can see in my instance, we have "Production" and "Staging"
3. Once the OG is created, simply create a "Basic" user account with the following settings:
Note: If you look at the dropdown by the "Single User Devices" setting, it might make sense to change it to "Advanced", but this actually needs to stay as "Standard". I'm not 100% sure why, but this is what the Product team has told me.
4. Click save and this account is ready to go.
In my previous post I detailed how you could use a SQL query on the SCCM database to pre-register AirWatch devices into the console. While this works, it has several drawbacks:
My script has the following features:
I'm Brooks Peppin and I love God, my family, AirWatch, VMware, EUC products, all things systems management, Windows 10, PowerShell, and operating system deployment.