Jo Harder

Have you ever configured a new Windows device and found that a prerequisite process such as Domain join or certificate installation caused issues later in the deployment because these processes were invoked out of sequence? The new onboarding deployment option within Freestyle Orchestrator enables greater control over workflow prioritization. What is the new Onboarding Deployment Option?Freestyle Orchestrator, which is the canvas-based Workspace ONE UEM configuration tool, now provides an Onboarding option to ensure that all prerequisite steps are completed once for newly enrolled devices before the deployment of resources commences on the device. Figure 1: New Onboarding workflow deployment option The Onboarding workflow will only execute once, and it is purposely sandwiched between enrollment and resource deployment. Figure 2: New post-enrollment device Onboarding state This new feature enables administrators to sequence initial onboarding steps to immediately follow enrollment and enables one or more specific workflows to run prior to other steps such as installing applications. For example, Offline Domain join may be executed and/or certificates may be installed while the device is in an Onboarding state to ensure that subsequent tasks are executed properly. In addition, reboots can be specifically sequenced. Steps defined within Onboarding workflows can be configured to halt upon failure or continue with exceptions for greater control. In addition, the Onboarding state further ensures that direct resource assignments such as apps, profiles, and scripts are delayed until after prerequisites defined within the Onboarding workflow are complete. This unique functionality enables administrators to employ greater control over newly enrolled Windows devices. Try it!If you’re not already using Freestyle Orchestrator, we encourage you to become familiar with it. To access Freestyle Orchestrator within the Workspace ONE UEM console, go to Orchestration > Freestyle Orchestrator. If it’s your first time accessing, select Get Started. After naming your new workflow, select the platform as Windows, designate one or more Smart Groups, and then you can enable the Onboarding deployment option.

Provisioning Windows devices allows Workspace ONE users to become immediately productive with secure new Windows devices, including configuration settings, Windows Updates, and applications. This article explores the various packaging options and files, as well as which to use when. If you’re experienced with provisioning Windows devices and just need to know that the new Provisioning Tool v3.8 is available for download via Omnissa Connect, you’re good to go. The newly released provisioning package (PPKG) file includes updated settings to enable you to streamline Windows provisioning. However, if you’re uncertain as to which resource(s) you need for which scenario, read on. Windows Provisioning options Looking at the Workspace ONE UEM console, there are two key configuration settings that are used when provisioning new Windows devices, i.e., Devices > Drop Ship Provisioning and Desktop Staging. Figure 1: Workspace ONE UEM Provisioning options When Desktop Staging is selected, two onboarding options are presented: Drop Ship Provisioning Offline Encrypted Package Figure 2: Desktop Staging onboarding options Which provisioning option should I choose? At a high level, the various provisioning options and the related files needed from Omnissa Connect are detailed below: Figure 3: Provisioning options and related Omnissa Connect tools *Due to the transitions that have occurred within Omnissa over the past year, legal and functional agreements with Windows hardware vendors are currently being finalized. Please be on the lookout for a subsequent blog announcing availability. Drop Ship Online Drop Ship Online implies designating minimal settings and ordering devices based on coordination with the fulfillment party, which could be the hardware manufacturer, a systems integrator/partner, or even a downstream internal department. Rather than providing full configuration details and app files directly, the provisioning of the new Windows device is based on online communications that align device serial numbers and tags with the respective configuration, resources, Smart Group(s), and assignment(s). Figure 4: Drop Ship Online Drop Ship Offline Drop Ship Offline relies on self-contained package files that include all resources necessary to provision the new Windows device; this option requires no online connectivity. Because all resources are included in the provisioning package, these files can be very large. An Encrypted Package adds a password to the Drop Ship Offline files and is most commonly used by downstream internal departments in physical proximity. Both types of Drop Ship Offline packages add AAD / Entra ID as a domain join option. Figure 5: Drop Ship Offline Which file(s) do I need from Omnissa Connect? Additional files are necessary for all options. After logging into Omnissa Connect and selecting Downloads, choose the applicable file(s): Figure 6: Omnissa Connect downloads If you select Omnissa Workspace ONE Provisioning Tool, note that both the offline and online tools are presented as shown below: Figure 7: Provisioning tool options: offline and online The Drop Ship Online ZIP file contains the following files: Figure 8: Provisioning Tool for Drop Ship Online ZIP file contents If you need help with Windows Provisioning, please reference Omnissa Docs or TechZone. In addition, be on the lookout for an upcoming technical webinar that will cover all aspects of provisioning Windows devices.

Managing and securing your Windows Servers and new Administrative (ADMX) Profiles with Workspace ONE UEM is getting closer. The anxiously awaited beta is now available, and full details for participation are provided below. Windows Server As was announced in the Omnissa Community webinar on January 23rd, Windows Server is being appended to the vast list of supported device types. For administrators that are accustomed to managing Windows Desktop devices via Workspace ONE UEM, the admin interface will be familiar, and the learning curve will be minimal. Figure 1: List view showing Windows Server subset of devices Windows Server support will include the following: • Provision and manage any Windows Server from 2016 onwards • Note that Core will be supported at General Availability but not during beta • Full inventory of installed Server Roles and Features • Software distribution • Server-specific Baselines (released post beta) • Profiles Figure 2: Software distribution can be based on Windows Desktop and/or Windows Server Speaking of Profiles, the new Windows Server functionality will also include a thoroughly revamped profile type called ADMX profiles. This new profile type not only streamlines configuration but also manages Windows Servers entirely via Intelligent Hub rather than OMA-DM. Figure 3: New ADMX Profiles Note that ADMX Profiles can also be used to manage Windows Desktop devices. But before the Workspace ONE Windows team releases Windows Server and ADMX Profiles into production, it will be thoroughly vetted by customers like you to ensure that these new capabilities hit the mark. Beta process The Workspace ONE Windows Product team is welcoming a select number of Workspace ONE customers to try out Windows Server and ADMX Profiles. There are a few prerequisites for Windows Server beta participation: · Must have a tenant in one of the shared SaaS UAT environments: CN135, CN137, or CN138 (no exceptions!) · After signup, must agree to EULA and requirements, and validation can take up to three days · Commitment to provide feedback Once you’re “in,” you’ll be provided with startup documentation focused on how to install Intelligent Hub on your Windows Servers. The beta will run for approximately 90 days. During that time, you can manage and secure Windows Servers that are housed in a test or lab environment. A critical aspect of the Windows Server beta is getting your expert input, especially for any unique use cases. Register for Windows Server/ADMX Profile beta To sign up for the Windows Server/ADMX Profile beta, access the Omnissa beta site. Here you will find information about not only this beta, but also others that are in progress or will be running soon. Figure 4: Omnissa Beta Program site On the Getting Started tab select “Create a Beta user profile” and provide the required information. We will use that to entitle you to the beta and provide instructions on accessing the relevant information including how to provide feedback, ask questions or log bugs. Once your profile is entitled to the beta, your UAT tenant will need to be enabled. Please follow the instructions on the beta page. Thank you for your participation and we hope you find the experience and capabilities valuable. - The Windows Server Management beta team

Have you ever started deploying a new version of a Windows application and learned that issues arose? Rather than telling your spouse or kid that you can’t attend a long-anticipated event this evening because of work, a new feature of Workspace ONE makes it easy to roll back the new version of the application and reinstall the previous version with just a few clicks. Application Rollback is a new feature of Workspace ONE UEM Intelligent Hub 24.10. The only requirements are Workspace ONE UEM 24.10 and Modern SaaS enablement. Although it probably won’t be used for daily Windows software deployment, it’s especially useful when needed. Application Rollback Application Rollback allows administrators to seamlessly remove a new application version and revert back to a previous version. While this functionality is available within the Workspace ONE console by means of numerous administrative actions, the new Application Rollback functionality cuts it down to just two key administrative steps, as we’ll walk through below. Behind the scenes, the process works like this: Figure 1: Application Rollback process When you learn that there’s an issue with the newer version of the application and that “Oh no!” moment hits, you can remedy the situation quickly and easily. Configuration Let’s walk through the configuration steps to roll back a newer version of a Windows application. Before attempting Application Rollback, note that there must be at least two versions of the application that have been configured as Workspace ONE Windows Native Apps. An earlier version must already be deployed, with installation of the newer version initiated. Step 1: Select the application and choose Retire under More Actions. Figure 2: Click Retire to roll back the application version Step 2: When presented with the Retire Application confirmation screen, click Retire. Figure 3: Click Retire again to confirm That’s it! At this point, the uninstallation of the newer version can initiate and then the reinstallation of the older version configuration can complete. If you have the application enabled for automatic deployment, the downgrade will occur without user action. Next steps? Of course, you’ll want to delve into the application upgrade version issue, but chances are that can wait until tomorrow. After successfully rolling back a troublesome new version of a new application, get ready for that long-anticipated family event this evening.

Baselines are an integral aspect of managing and securing Windows Desktops, and Omnissa is announcing the availability of the newest template of the Windows Security Baseline. For Windows 11, the Windows Security Baseline for Feature Release 24H2 can now be accessed and configured from the Workspace ONE UEM console. Workspace ONE UEM Baseline options As you’ll recall, there are two types of preconfigured templates available: Windows Security Baseline and CIS Windows Benchmarks. At this time, the Windows Security Baseline dropdown now includes the option for the Windows 11 Feature Release 24H2. Note that the last Feature Release from Microsoft for Windows 10 was version 22H2, so there will be no equivalent option for Windows 10. Figure 1: New Windows Security Baseline for Windows 11 Feature Release 24H2 Configuration Please keep in mind that an existing baseline cannot simply be upgraded to a new template. It’s necessary to configure a new baseline and assign it to the appropriate Smart Group(s). Of course, when making this change, coordinate with your Security team to ensure that the new security baseline settings align with your enterprise requirements. If you’re in the process of upgrading Windows 11 devices to Feature Release 24H2, note that the corresponding build number is referenced as 10.0.26100. When creating the Smart Group assignments, ensure that the Platform and Operating System tab includes this build number as “Greater than or equal to” or “Equal to”, as well as any other pertinent criteria. Figure 2: Smart Group platform and operating system selection What’s next? The CIS Windows Benchmarks for Windows 11 Feature Release 24H2 is not quite ready for release, so please stay tuned for that announcement.