Manual enrollment into both Apple DEP and VMware Workspace ONE UEM by AirWatch

This is the 3rd and final post on the use of Apple Configurator. You may check out my first two posts via the links below.

Before we proceed further, I had a lengthy discussion with VMware Workspace ONE technical support on this use case:

  • This enrollment method should not be necessary or followed once you get a non-DEP device added to Apple DEP. As you go through the setup assistant, which prompts you to download and apply a remote management profile over the air, that profile already contains the details of the MDM profile (OG, staging user, etc.), and thus the device will be enrolled in a pre-defined OG once the initial setup completes. This is the recommended way to enroll the device as a true DEP supervised device.
  • Perhaps this is good for devices running iOS 10 and below that cannot be added to Apple DEP through Apple Configurator. Admins can still utilize this program to supervise such devices and manage additional features with MDM such as VMware Workspace ONE UEM.
  • Unlike a DEP device, however, the drawback with this approach is that the device will need to be supervised once again with Apple Configurator if it’s ever device-wiped, since the wipe results in the loss of supervision.

Similar to Over-The-Air (OTA) enrollment, which deploys both the DEP and MDM profiles from your MDM server to an existing DEP device, manual enrollment lets you add a non-DEP device into Apple DEP and push both the DEP and MDM profiles in the same sequence with two (or one if you prefer) different blueprints.

  • 1st blueprint: Add the device into Apple DEP.
  • 2nd blueprint: Enroll the device into VMware Workspace ONE UEM.

To start, we need to set up and export the configuration from the VMware Workspace ONE web console. Go to GROUPS & SETTINGS -> All Settings -> Devices & Users -> Apple -> Automated Enrollment (or Apple Configurator in older console versions).


* You may need to select Override next to Current Setting before proceeding further.

Go ahead and enable Enable Automated Enrollment. Then select the applicable fields. For Default Staging User, I selected an account configured for Single User.


At the bottom of the page, click SAVE to save the setting. From here, you can export the setting as a .mobileconfig file for the 2nd blueprint in Apple Configurator, which we will create shortly. Depending on your objective, you can instead copy the enrollment URL and create a separate blueprint to enroll the device without adding it to DEP.

Let’s take a look at what’s inside the device management profile (.mobileconfig file).


Click Show Profile.


Let’s return to Apple Configurator and create the blueprints.

For the 1st blueprint which we will rename as Prepare, follow the screenshots below and change as you see fit.


The confusion comes with both steps 8 and 9 in chapter 4 under the section Prepare a Blueprint to Enroll with an MDM Profile of this guide. It actually assumes you have already set up both an MDM server and a supervision identity. Refer to my 1st post here for the steps required.


For the 2nd blueprint which we will rename as Enroll, do not click Prepare. Instead, import the device management profile (.mobileconfig file) which contains unique info about the MDM server, group ID and username to be assigned to the device. This is the additional step that’s not taken after adding the non-DEP device into Apple DEP in my first blog post on this subject.
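
Before importing the exported .mobileconfig into the Enroll blueprint, it is worth confirming which server the profile points the device at. The script below is an added example, not part of the original post or of VMware's tooling; the sample profile, the host names and the `expected_host` parameter are assumptions, while `ServerURL`, `CheckInURL` and `Topic` are standard keys of Apple's `com.apple.mdm` payload.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample profile: hypothetical hosts and topic, not taken from the post.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mdm</string>
    <key>ServerURL</key><string>https://mdm.example.com/mdm</string>
    <key>CheckInURL</key><string>http://other.example.net/checkin</string>
    <key>Topic</key><string>com.apple.mgmt.External.constructed</string>
  </dict></array>
</dict></plist>"""


def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig. A signed profile is a CMS blob around the XML
    plist, so cut out the XML span. This does NOT verify the signature."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def review_profile(raw: bytes, expected_host: str) -> list:
    """List every payload URL that is not HTTPS or not on expected_host."""
    content = load_profile(raw).get("PayloadContent", [])
    # Some profile types carry a single dict here instead of an array.
    payloads = [content] if isinstance(content, dict) else content
    findings = []
    for payload in payloads:
        ptype = payload.get("PayloadType", "unknown")
        for key, value in payload.items():
            if not (isinstance(value, str) and "://" in value):
                continue
            url = urlsplit(value)
            if url.scheme != "https":
                findings.append(f"{ptype}.{key}: not HTTPS ({value})")
            if url.hostname != expected_host:
                findings.append(f"{ptype}.{key}: unexpected host {url.hostname}")
    return findings


if __name__ == "__main__":
    for line in review_profile(SAMPLE, "mdm.example.com"):
        print(line)
```

An empty result means every URL in the profile uses HTTPS and resolves to the host you expect; anything else deserves a second look before the blueprint is applied to devices.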


The profile can be viewed separately in the Profiles section within the blueprint.


As mentioned earlier, you can also copy the enrollment URL instead of exporting and importing the .mobileconfig file to finish enrolling your device. The steps for creating this blueprint are the same as the 1st blueprint except you will create a new MDM server with the specific enrollment URL.

However, you may be surprised to know that this enrollment method is no longer supported per VMware Workspace ONE technical support. You will see why in just a moment.


I then came across the error below, but I was able to keep going after. Per technical support, it turns out the enrollment URL method is no longer supported.


From here on, the steps to apply the blueprint to the device are the same as the ones outlined in my first post on this subject. In this case, however, we will apply the 1st blueprint and then repeat the same steps to apply the 2nd blueprint.


Upon completion of the steps above, we should see a newly added DEP device which is also enrolled in VMware Workspace ONE UEM.

As always, stay mobile!
