VMware AirWatch Windows 10 Unified Endpoint


REVIEWER’S GUIDE – JUNE 2017

VMWARE AIRWATCH WINDOWS 10 UNIFIED ENDPOINT MANAGEMENT
REVIEWER’S GUIDE
VMware AirWatch 9.1

VMWARE AIRWATCH WINDOWS 10 UNIFIED ENDPOINT MANAGEMENT REVIEWER’S GUIDE

Table of Contents

Introduction ..... 5
  Audience ..... 5
What Is VMware AirWatch Enterprise Mobility Management? ..... 6
  Prerequisites ..... 6
Device Use Cases for Windows 10 ..... 7
How to Use This Reviewer’s Guide ..... 8
  Editions of Windows 10 Devices ..... 8
VMware AirWatch Unified Endpoint Management for Windows 10 ..... 9
  User Trust ..... 9
    AWAgent.com Onboarding Workflow ..... 11
    Azure AD Enrollment Workflows ..... 11
    Runtime Provisioning Enrollment Workflow ..... 13
    Staged Provisioning Workflow ..... 13
    SCCM Integration Client AirWatch Agent ..... 13
  Device Posture ..... 14
  Conditional Access ..... 15
  Data Loss Prevention ..... 16
    Privileged Applications ..... 16
    Per-App VPN ..... 16
    Enterprise Boundaries ..... 17
    Levels of Protection ..... 18
    Sharing Data to the Cloud ..... 18
Architecture and Components of Windows 10 Management ..... 19
  AirWatch Protection Agent ..... 19
  AirWatch Cloud Connector ..... 19
  Workspace ONE ..... 19
  Unified Access Gateway and Tunnel Client ..... 20
  VPN Server ..... 20
  AirWatch Cloud Messaging ..... 20
  Windows Notification Service ..... 20
  Certificate Authority ..... 20
  Windows Auto-Discovery Service ..... 20

REVIEWER’S GUIDE 2

File and Application Delivery with VMware AirWatch ..... 21
  Software Distribution for Win32 Application Delivery ..... 22
  Business Store Portal Integration for Automated Win32 Application Delivery ..... 23
  VMware AirWatch Product Provisioning for Windows 10 ..... 24
Patch Management for Windows 10 with VMware AirWatch ..... 25
Configuring Devices for Management with VMware AirWatch ..... 26
  Configuration Best Practices ..... 26
  VMware AirWatch Profiles ..... 26
    Windows 10 Email Profiles ..... 28
    Exchange ActiveSync Profile ..... 28
    Exchange Web Services Profile for Windows 10 ..... 28
    Credentials Profile for Windows 10 ..... 28
    Wi-Fi Profile for Windows 10 ..... 28
    Restriction Profile for Windows 10 ..... 29
  Configure a Passcode Profile for Windows 10 ..... 30
  Configure a Windows 10 Exchange Web Services Outlook Mail Client Profile ..... 31
  Configure a Windows 10 Restrictions Profile ..... 32
  Configure a Windows 10 Wi-Fi Profile ..... 33
  Configure a Credentials Profile ..... 34
  Configure Patch Management Settings with a Windows Updates Profile ..... 35
  Configure an Application Control Profile ..... 40
  Deliver Win32 Applications Using Software Distribution ..... 40
    Deploy Office 2016 ..... 40
    Deploy a Standard MSI Application File ..... 46
    Get the Uninstall Command for Win32 Applications ..... 47
    Get the Exit Code for Win32 Applications ..... 48
    Monitor Win32 Applications ..... 48
    Add Versions for Internal Applications ..... 48
    Delete Win32 Application Files ..... 48
  Use Product Provisioning to Change the Desktop Background ..... 49
    Create a Files/Actions Component for Changing the Desktop Background ..... 49
    Create a Product That Changes the Desktop Background ..... 51
  Configure a VPN Profile ..... 52
  Configure Compliance Policies to Enforce Device Posture ..... 57
  Workspace ONE Configuration Steps ..... 57
  AWAgent.com Onboarding Method ..... 57
  Configure the Azure Onboarding Method ..... 57
  Create the PPKG File to Configure Runtime Provisioning ..... 61
  Configure Staged Provisioning ..... 65
  Configure the SCCM Integration Client and AirWatch Agent ..... 66
Summary ..... 67
Appendix A: Terminology Used in This Guide ..... 68
Appendix B: Windows 10 Onboarding Decision Tree ..... 71
  Command-Line Enrollment ..... 71
  Work Access ..... 71
  Image-Based Provisioning ..... 72
  Automated Agent Registration ..... 72
About the Authors and Contributors ..... 73

Introduction

The VMware AirWatch 9.1 Enterprise Mobility Management capabilities for Windows 10 introduce smarter ways to deploy, control, and manage an organization’s PC fleet. Traditional approaches use multiple administrative tools to manage the PC life cycle. In contrast, VMware AirWatch unifies enterprise mobility management in a single admin console.

Figure 1: Pain Points of Traditional Management Solutions (staging and imaging; maintaining drivers; managing OS updates; configuring firewall, antivirus, and encryption policies)

The VMware AirWatch simplified approach to PC management promotes security. You can control and secure devices for end users with security profiles, compliance settings, and device restrictions. Minimize the risk of data loss by restricting internal resources to managed devices that meet company-defined compliance policies.

The VMware AirWatch Windows 10 Unified Endpoint Management Reviewer’s Guide provides exercises to help you evaluate VMware AirWatch Windows 10 management. It describes the benefits, features, typical use cases, and best practices to configure your Windows 10 deployments.

This guide is for evaluation purposes only, using the minimum required resources for a basic deployment. It does not explore all possible features. To deploy a production environment, see the VMware AirWatch documentation.

Audience

This guide targets existing VMware AirWatch Enterprise Mobility Management IT administrators and product evaluators who want to add Windows 10 devices to an existing fleet of managed devices. Review the concepts in this document, and follow the procedures to learn how to begin managing Windows 10 devices with VMware AirWatch Unified Endpoint Management.

This guide can also serve as an introduction if you want to learn more about Windows 10 management with VMware AirWatch. If you do not have previous mobile device or enterprise mobility management experience, reference materials are mentioned throughout the guide. Familiarity with VMware AirWatch 9.1 is assumed, as well as other technologies, including Active Directory, identity management, directory services, and Simple Mail Transfer Protocol.

What Is VMware AirWatch Enterprise Mobility Management?

VMware AirWatch Enterprise Mobility Management enables and secures the workspace for today’s mobile operating systems. The AirWatch Console aggregates mobile endpoints of every platform, operating system, and type into a single management space.

Unified endpoint management with VMware AirWatch provides enterprise mobility management (EMM) functionality, such as device restrictions, platform-specific features, and application security. VMware AirWatch also offers additional security options, including device encryption, access control for corporate resources, and data loss prevention.

VMware AirWatch Enterprise Mobility Management:

• Secures endpoints, apps, and data on any network
• Provides an enterprise app storefront for all device types
• Streamlines deployment options
• Simplifies over-the-air configurations
• Enables an interoperable framework for enterprise security with VMware NSX integration, customer-accessible APIs, and a broad ecosystem of partner integrations through the Mobile Security Alliance

Prerequisites

The recommendations and configuration guidelines in this document apply to an implementation of VMware AirWatch that meets the following specifications:

• Software-as-a-service (SaaS) VMware AirWatch deployment model
• AirWatch Console 9.1 or later
• On-premises Active Directory, with user accounts available for integration in the AirWatch Console
• VMware AirWatch Cloud Connector, set to auto-update
• Azure Active Directory tenant if you are leveraging the out-of-box experience (OOBE), Azure Enrollment, or Windows Store for Business Integration
  Important: Using Azure-based enrollment methods might require additional licenses from Microsoft.
• AirWatch Protection Agent deployed (recommended to publish this agent for all use cases)
• VMware Workspace ONE catalog preconfigured with SaaS apps and authentication policies
• Third-party providers integrated into VMware AirWatch (VPN, certificate authorities, and so on) where needed

Device Use Cases for Windows 10

VMware AirWatch Unified Endpoint Management modernizes Windows management and security across any use case.

Figure 2: Supported Windows 10 Unified Endpoint Management Use Cases (including corporate and branch office deployments)

Most use cases for a Windows 10 deployment fall into one of three areas. This guide addresses the required components and recommended configurations for the most common Windows 10 use cases shown in Table 1.

Table 1: Common Windows 10 Device Use Cases (columns include type of device, use case name, and primary end user; rows cover employee-owned machines (BYOD, varied users, user privacy, light management), remote, and corporate devices)

How to Use This Reviewer’s Guide

Configuration requirements and recommendations vary by use case. Because this document covers different use cases, some topics might not be relevant to every Windows 10 administrator. Figure 3 displays the phases and recommended configurations by use case to help you determine which sections to focus on. For example, the Onboarding section shows that OOBE with Azure AD Join is not relevant to bring-your-own-device (BYOD) deployments, but it is relevant for the other use cases. Therefore, you can skip this section if you have a BYOD deployment.

Figure 3: Configuration Phases and Recommendations for Each Use Case (columns: Enterprise Knowledge Worker, Remote and Highly Mobile, BYOD; phases: Set Up VMware AirWatch Prerequisites; Onboarding with ACC, Azure AD, Import Users, Workspace ONE Adaptive Management, Provisioning (Staged, Image-Based, Runtime), Out-of-Box Enrollment Experience (Azure AD Join), and SCCM Coexistence and VMware AirWatch Agent; Modern Management Configuration versus Traditional Management Configuration; OS Updates (User Controlled, Distribution Rings / Branches); Applications (Internal Universal and Store Apps, Win32 Software: EXE, MSI, ZIP); Configurations (Scripts and Local Policies); Security (Basic Security: Device Health Attestation, Compromise Detection and Remediation; Advanced Security: BitLocker, Device / Credential Guard, AppLocker))

This figure depicts how the phases and recommendations for the Enterprise use case can be a superset of those for the Remote use case and the BYOD use case, and the phases and recommendations for the Remote use case can be a superset of those for the BYOD use case. For example, although the onboarding method for the Remote use case often involves the OOBE workflow, for some remote users, the Workspace ONE Adaptive Management workflow might be preferred.

Editions of Windows 10 Devices

Windows 10 offers a variety of editions including, but not limited to, Home, Professional, Enterprise, Education, and LTSB. VMware AirWatch supports the management of all Windows 10 editions, but refer to Microsoft documentation to ensure that the chosen edition supports all the necessary functionality.

VMware AirWatch Unified Endpoint Management for Windows 10

The release of Windows 10 introduced fundamental changes to the Windows operating system to address the security and data concerns of today’s digital workspace. To take advantage of VMware AirWatch Unified Endpoint Management’s capabilities, you can fold the Windows 10 functionality into an existing VMware AirWatch management solution. Combining traditional client requirements with modern enterprise management capabilities creates a simplif