ToolBox Guide to
Update 4/17/18: This process does NOT require the end user to be local admin as I originally thought. You can deploy via SCCM in the system context.
AirWatch 9.3 brings a number of new features to the WorkspaceONE UEM platform on Windows 10 including improved silent enrollment features. This will greatly simplify enrollment over the previous method. The new 9.3 agent brings the following updates to silent enrollment:
The primary use cases for this process are:
This blog post will detail how to automatically enroll a Windows 10 system that has been newly imaged with MDT into AirWatch WorkspaceONE. This solution will work with any imaging solution, though, as well as with in-place upgrade task sequences.
First, enable the REST API in the AirWatch console and set up an API user per the steps in this post. I recommend creating an API admin role that is locked down to only a few functions, which limits what can be done with the credentials if they are ever discovered.
Update March 2018
Check out my new blog, which includes the AirWatch 9.3 agent enhancements, as that is the preferred way to do enrollment on Windows 10. If that method doesn't work or you prefer to statically assign Windows 10 devices to an OG, then continue reading.
AirWatch has the ability to silently enroll Windows 10 systems using command line parameters on the AirWatch Agent MSI. You can use SCCM to deploy the AirWatch MSI to your Windows 10 systems to automatically enroll them into AirWatch without any user interaction.
1 - Set Up Staging OG and Staging Account
If you have SAML enabled, you will need to do a couple of extra steps to set up a staging OG and staging account. This is because the staging account can't use SAML for authentication and instead must use a simple username/password.
Follow the detailed steps outlined in my other blog on how to set up these things.
Note: If you look at the dropdown by the "Single User Devices" setting, it might make sense to change it to "Advanced", but this actually needs to stay as "Standard". I'm not 100% sure why, but this is what the Product team has told me.
4. Click save and this account is ready to go.
In my previous post I detailed how you could use a SQL query on the SCCM database to pre-register AirWatch devices into the console. While this works, it has several drawbacks:
My script has the following features:
I'm Brooks Peppin and I love God, my family, AirWatch, VMware, EUC products, all things systems management, Windows 10, PowerShell, and operating system deployment.