ToolBox Guide to
Update March 2018
Check out my new blog, which covers the AirWatch 9.3 agent enhancements, as that is the preferred way to do enrollment on Windows 10. If that method doesn't work, or you prefer to statically assign Windows 10 devices to an OG, then continue reading.
AirWatch has the ability to silently enroll Windows 10 systems using command line parameters on the AirWatch Agent msi. You can use SCCM to deploy the AirWatch msi to your Windows 10 systems to automatically enroll them into AirWatch without any user interaction.
1 - Setup Staging OG and Staging Account
If you have SAML enabled you will need to do a couple of extra steps to set up a staging OG and staging account. This is because the staging account can't use SAML for authentication and instead must use a simple username/password. Because that username and password end up in the agent's command line and in your SCCM content, give the staging account only the permissions staging needs in that OG and plan to rotate its password once the rollout is done.
Follow the detailed steps outlined in my other blog on how to setup these things.
Note: If you look at the dropdown by "Single User Devices" setting, it might make sense to change it to "Advanced", but this actually needs to stay as "Standard". I'm not 100% why on this but this is what the Product team has told me.
4. Click save and this account is ready to go.
2 - Pre-Register Devices
The best and easiest method to pre-register devices is to use this open source PowerShell script. This script parses an SCCM collection for device and user information and then pre-registers them directly in the AirWatch console via the REST APIs. If for whatever reason this method doesn't work for you, you can also use the SQL script method outlined below:
1. On your SCCM SQL server, open SQL Server Management Studio.
2. Go to Tools-->Options and make sure you have the "Include column headers when copying or saving results" checked. If it's not set, set it and then close and reopen SQL Management Studio.
3. Create a new query on your primary SCCM database
4. This query will output device information in the format AirWatch needs for a bulk import. The key components are the serial number and username. These devices become "prestaged" so that when you push out the MSI it will automatically enroll the device based on this information. I've also added a line so you can look up a single collection, as well as exclude usernames such as Administrator.
```sql
-- Export SCCM device + primary user data in the AirWatch batch-import column layout.
-- Columns ending in '*' are required by the import template. Replace the GroupID values,
-- the collection ID and 'EnterDeviceEnrollmentGroupID' with values from your environment.
SELECT
    sys.User_Name0 as 'Username*',
    '' as 'Password',
    '1' as 'Active',
    'Directory' as 'Security Type*',
    '' as 'Enable Device Staging',
    '' as 'Pre Register for Vpp',
    '' as 'Email Username',
    vru.User_Principal_Name0 as 'Email Address*',
    '' as 'Email Password',
    '' as 'User Principal Name',
    vru.givenName0 as 'First Name*',
    '' as 'Middle Name',
    vru.sn0 as 'Last Name*',
    'VMware' as 'GroupID*',
    '' as 'Authorized GroupIDs',
    '' as 'Enrollment Organization Group',
    '' as 'Domain',
    '' as 'Phone Number',
    '' as 'Mobile Phone',
    '' as 'Department',
    '' as 'User Category',
    '' as 'User Role',
    '' as 'User Message Type',
    '' as 'User Message Subject',
    '' as 'User Message Body',
    '' as 'Employee Identifier',
    '' as 'Cost Center',
    '' as 'Manager DN',
    'EnterDeviceEnrollmentGroupID' as 'Device GroupID',
    '' as 'Device Friendly Name',
    'c' as 'Device Ownership(C/E/S/None)',
    '' as 'Device Message Type',
    '' as 'Device UDID(No special Characters)',
    '' as 'Device IMEI',
    '' as 'Device SIM',
    '' as 'Device Asset Number',
    v_GS_PC_BIOS.SerialNumber0 as 'Device Serial Number',
    'WinRT' as 'Device Platform',
    '' as 'Device Model',
    '' as 'Device OS',
    '' as 'DeviceOem',
    '' as 'Tags',
    '' as 'Custom Attribute Name 1',
    '' as 'Custom Attribute Name 2',
    '' as 'Custom Attribute Name 3'
FROM v_R_System sys
    INNER JOIN v_GS_PC_BIOS ON sys.ResourceID = v_GS_PC_BIOS.ResourceID
    INNER JOIN v_GS_COMPUTER_SYSTEM cs ON sys.ResourceID = cs.ResourceID
    INNER JOIN v_FullCollectionMembership FCM ON FCM.ResourceID = cs.ResourceID
    INNER JOIN v_R_User vru ON sys.User_Name0 = vru.User_Name0
WHERE FCM.CollectionID = 'PAL002DD'               -- limit to one collection
    AND sys.User_Name0 IS NOT NULL                 -- devices with no primary user can't be matched
    AND sys.User_Name0 != 'Administrator'
    AND vru.User_Principal_Name0 IS NOT NULL
    AND vru.givenName0 IS NOT NULL
    AND vru.sn0 IS NOT NULL
    AND v_GS_PC_BIOS.SerialNumber0 NOT LIKE '%vmware%'  -- skip virtual machines
```
A couple notes about this SQL query:
1. givenName and sn are not default attributes and must be manually added to the Active Directory User Discovery properties section in SCCM. Then make sure to re-run User Discovery in SCCM (right-click User Discovery and click "Run Full Discovery Now"). If you don't add these, the query will fail because those columns don't exist in v_R_User.
2. User_Principal_Name0 might not match the UPN (email address) of your users in AirWatch. You can try using the mail0 attribute instead: change vru.User_Principal_Name0 in the query to vru.Mail0.
5. After running the script, right-click anywhere in the results and click "Save output as", name the file, and save it.
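Before uploading, it is worth checking the CSV for the things the batch import will reject or, worse, silently accept (a duplicate serial, an empty required field, or the 'EnterDeviceEnrollmentGroupID' placeholder left in the Device GroupID column). The following PowerShell check is an added example and not part of the original post or the author's script; it assumes the column names are exactly those in the query above and uses a small constructed sample so it runs offline.

```powershell
# Added example (not from the original post): sanity-check the exported CSV before batch import.
# Assumptions: column names match the query above (required columns end in '*') and
# 'EnterDeviceEnrollmentGroupID' is the placeholder that should have been replaced.

$RequiredColumns = @('Username*', 'Security Type*', 'Email Address*', 'First Name*', 'Last Name*', 'GroupID*')

function Test-ImportRow {
    param([pscustomobject]$Row, [int]$Line, [hashtable]$SeenSerials)
    $issues = @()
    foreach ($col in $RequiredColumns) {
        if ([string]::IsNullOrWhiteSpace($Row.$col)) { $issues += "line $Line`: required column '$col' is empty" }
    }
    $email = $Row.'Email Address*'
    if ($email -and $email -notmatch '^[^@\s]+@[^@\s]+$') {
        $issues += "line $Line`: '$email' does not look like a UPN or email address"
    }
    if ($Row.'Device GroupID' -eq 'EnterDeviceEnrollmentGroupID') {
        $issues += "line $Line`: Device GroupID placeholder was never replaced"
    }
    # Serial number is what AirWatch matches on at enrollment time, so it must be present and unique
    $serial = $Row.'Device Serial Number'
    if ([string]::IsNullOrWhiteSpace($serial)) {
        $issues += "line $Line`: no serial number, device cannot be pre-registered"
    } elseif ($serial -match 'vmware') {
        $issues += "line $Line`: virtual machine serial '$serial'"
    } elseif ($SeenSerials.ContainsKey($serial)) {
        $issues += "line $Line`: duplicate serial '$serial' (first seen on line $($SeenSerials[$serial]))"
    } else {
        $SeenSerials[$serial] = $Line
    }
    if ($Row.'Device Ownership(C/E/S/None)' -notin 'C', 'E', 'S', 'None') {
        $issues += "line $Line`: ownership must be C, E, S or None"
    }
    if ($Row.'Device Platform' -ne 'WinRT') {
        $issues += "line $Line`: platform must be WinRT for Windows 10"
    }
    return $issues
}

function Test-ImportCsv {
    param([object[]]$Rows)
    $seen = @{}
    $all = @()
    $line = 1                                   # line 1 of the file is the header row
    foreach ($row in $Rows) {
        $line++
        foreach ($issue in (Test-ImportRow -Row $row -Line $line -SeenSerials $seen)) { $all += $issue }
    }
    return $all
}

# Constructed sample carrying only the columns the checks read. Real use:
#   $issues = Test-ImportCsv -Rows (Import-Csv .\airwatch-import.csv)
$sample = @'
Username*,Security Type*,Email Address*,First Name*,Last Name*,GroupID*,Device GroupID,Device Ownership(C/E/S/None),Device Serial Number,Device Platform
jdoe,Directory,jdoe@example.com,Jane,Doe,VMware,Win10Devices,c,5CG1234ABC,WinRT
bsmith,Directory,bsmith@example.com,Bob,,VMware,EnterDeviceEnrollmentGroupID,c,5CG1234ABC,WinRT
vmtest,Directory,vmtest@example.com,Vic,Tester,VMware,Win10Devices,c,VMware-56 4d 12 34,WinRT
'@
$issues = Test-ImportCsv -Rows ($sample | ConvertFrom-Csv)
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Output 'CSV looks importable' }
```

On the sample, line 3 is flagged three times (empty last name, placeholder Device GroupID, serial already used on line 2) and line 4 once for the VMware serial; a clean export prints "CSV looks importable". Run it against the real file before step 2b so the bad rows never reach the console.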
2b - Bulk Import into AirWatch (if using SQL method)
Now that we have all of our device information exported, we will now import them into AirWatch.
1. Login to your AirWatch console and go to Devices-->Lifecycle and then click on Enrollment Status
2. On that page, click on the "Add" dropdown and click on "Batch Import".
3. Fill out the required fields:
Batch Name: Name it accordingly
Batch Description: Describe the upload accordingly (i.e. the site or group you are uploading)
Batch Type: Users and/or Devices
Batch file: Select the csv file you created earlier.
4. Click on Import
Note: It can take some time to upload depending on how many devices you have in your csv. To check the status of it, go to Accounts --> Users --> Batch Status.
You can also validate that the registrations are correct by going to Devices --> Lifecycle --> Enrollment Status. Ensure the usernames and serial numbers are matched correctly.
3 - Deploy AirWatch Agent with SCCM
Now that your devices are pre-staged, it's time to deploy the AirWatch agent MSI via a PowerShell script to those same devices. This script adds additional logic to make the deployment more robust:
- Checks the client device for registry keys associated with enrollment. If they are null or still "staging" then it will remove agent from client and try again
- Application "Detection" is configured in the same way so that SCCM will only report "installed" if the agent is installed AND it has a valid enrollment. This also means the application will keep running until it has a proper enrollment.
- Optionally send email based on results.
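To make the intro's "command line parameters on the AirWatch Agent msi" and the retry logic above concrete, here is an added example of my own; it is not the author's GitHub script. It assumes AirwatchAgent.msi sits next to the script, that ENROLL, IMAGE, SERVER, LGNAME, USERNAME, PASSWORD and ASSIGNTOLOGGEDINUSER are the agent's documented silent-enrollment switches (confirm against the docs for your agent version), and every value below is a placeholder for your environment.

```powershell
# Added example, not the author's GitHub script: silent enrollment with the agent MSI's
# command-line parameters, then the "is it really enrolled?" check and retry described above.
# Assumptions: AirwatchAgent.msi sits next to this script; the ENROLL/IMAGE/SERVER/LGNAME/
# USERNAME/PASSWORD/ASSIGNTOLOGGEDINUSER switches match your agent version's documentation;
# all values below are placeholders.

$Server      = 'ds.example.com'        # AirWatch device services host
$GroupID     = 'StagingOG'             # Group ID of the staging OG
$StagingUser = 'staginguser'           # staging account (username/password, no SAML)
$StagingPass = 'ChangeMe'              # inline for illustration only; see the note below
$StagingUPNs = @('StagingWin10@Staging.com', 'email@example.com')
$Msi         = Join-Path $PSScriptRoot 'AirwatchAgent.msi'
$LogFile     = Join-Path $env:windir 'Temp\AirwatchAgent.log'
$MaxAttempts = 2
$WaitSeconds = 300

function Get-EnrollmentUpn {
    # Windows records each MDM enrollment as a GUID under Provisioning\OMADM\Accounts and the
    # enrolled user's UPN under Enrollments\<GUID>. Returns the first UPN found, or $null.
    $accounts = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts' -ErrorAction SilentlyContinue
    foreach ($acct in $accounts) {
        $enrollment = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Enrollments\$($acct.PSChildName)" -ErrorAction SilentlyContinue
        if ($enrollment -and $enrollment.UPN) { return $enrollment.UPN }
    }
    return $null
}

function Test-RealEnrollment {
    param([string]$Upn, [string[]]$StagingList)
    # Enrollment only counts once a non-staging user owns the device record
    return (-not [string]::IsNullOrEmpty($Upn)) -and ($StagingList -notcontains $Upn)
}

function Invoke-Msiexec {
    param([string[]]$Arguments)
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $Arguments -Wait -PassThru
    return $proc.ExitCode
}

$result = 'Failed'
for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
    $code = Invoke-Msiexec @(
        '/i', "`"$Msi`"", '/qn', '/norestart', '/l*v', "`"$LogFile`"",
        'ENROLL=Y', 'IMAGE=N', "SERVER=$Server", "LGNAME=$GroupID",
        "USERNAME=$StagingUser", "PASSWORD=$StagingPass", 'ASSIGNTOLOGGEDINUSER=Y'
    )
    if ($code -notin 0, 3010) {
        Write-Warning "msiexec returned $code on attempt $attempt"
        continue
    }
    # Enrollment is asynchronous: poll the registry until a real user shows up or we time out
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    do {
        Start-Sleep -Seconds 15
        $upn = Get-EnrollmentUpn
    } until ((Test-RealEnrollment $upn $StagingUPNs) -or ((Get-Date) -gt $deadline))
    if (Test-RealEnrollment $upn $StagingUPNs) {
        $result = "Enrolled as $upn"
        break
    }
    # Still null or still the staging user: remove the agent and try again
    Write-Warning "Attempt $attempt ended with UPN '$upn'; uninstalling agent and retrying"
    Invoke-Msiexec @('/x', "`"$Msi`"", '/qn', '/norestart') | Out-Null
}
Write-Output $result
if ($result -eq 'Failed') { exit 1 }
```

Two things to keep in mind when adapting it. The non-zero exit makes SCCM record the deployment as failed and re-run it on the next evaluation cycle, which is the "keeps running until it has a proper enrollment" behaviour the bullets describe. And the staging password is plain text in the script, in the SCCM content library and potentially in the verbose MSI log, so the staging account should be able to do nothing but enroll into the staging OG, and its password should be rotated after the rollout.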
1. Download the latest AirWatch agent from https://awagent.com/Home/Welcome
2. Download latest SCCM integration client from here
3. Download the latest script from GitHub and update the top section of the script (Variables section) with the correct values for your environment. You can also uncomment the section at the bottom to enable emailing results (whether success or fail). I've also included an AirWatch jpg for you to use as the Application icon in Software Center.
4. Create a folder on your SCCM server that includes all 3 of those files.
6. On the "General Information" and "Application Catalog" pages, fill out the information per your preference.
7. On "Deployment Types", click "Add" and then select "Script Installer"
8. On "General Information" tab, fill out as needed.
9. On "Content" Tab:
10. On "Detection Method", click "Use a custom script to detect presence..." and then "Edit". Select PowerShell and then use this script:
```powershell
# Checking first for AirWatch (MDM) enrollment: each OMA-DM account is a GUID-named subkey
$path = "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\*"
$val = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).PSChildName
# Now checking whether enrollment is with a real user or the staging user
$path2 = "HKLM:\SOFTWARE\Microsoft\Enrollments\$val"
$val2 = (Get-ItemProperty -Path $path2 -ErrorAction SilentlyContinue).UPN
# SCCM treats output on STDOUT with exit code 0 as "installed" and no output as "not installed",
# so only write something when a UPN exists and it is not one of the staging accounts
if (!($val2 -eq "StagingWin10@Staging.com" -or $val2 -eq "email@example.com" -or $val2 -eq $null)) {
    Write-Output "Enrolled as $val2"
}
```
Replace the two staging UPNs with the staging account(s) you created in step 1. If a device has more than one OMA-DM account, $val becomes an array and the second lookup fails (reporting "not installed"), which is the safe direction; the install script will then run again.
11. On "User Experience" tab, complete as follows:
12. For "Requirements" and "Dependencies" page, leave blank. Note: You can setup the SCCM integration client as a separate application and then create that as a dependency. I've chosen to just include with the deployment of this script.
13. Distribute this application to your distribution points and deploy to your collection. I highly recommend you deploy first to a test collection with only a few devices to ensure the automatic enrollment happens. Make sure you deploy it as a "required" application.
Once it successfully deploys to a device, go to the Access Work or School area and check the enrollment status. It should have your AirWatch server information and the correct email address. Sometimes the enrollment can show the staging account for a short period before flipping over to the correct user. Keep clicking out of the UI and back in to see if it switches properly.
I'm Brooks Peppin and I love God, my family, AirWatch, VMware, EUC products, all things systems management, Windows 10, Powershell, and operating system deployment.