Windows 10 auto enrollment through OOBE

With Windows 10, Microsoft enabled automatic enrollment during device start-up. During the initial boot the device can be registered in AAD and auto-enrolled into WS1. There are two ways of doing this: the Out Of the Box Experience (OOBE) and Autopilot. Both processes are very similar. OOBE is the basic process, where the user is taken through all the steps and asked for configuration input; with Autopilot this is more automated and the administrator pre-selects the settings for the end user, which improves the user experience. In this post I describe the OOBE process and its requirements. For Autopilot, please refer to my other post.

You can find more information on OOBE at the URL below on the Microsoft website:

https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/customize-oobe

Requirements

  • Integration between WS1 and AAD
  • Identity Services enabled and configured in WS1
  • MDM and MAM application configured in AAD

Integration between WS1 and AAD

The first step in enabling OOBE is the integration between AAD and WS1. This is done in System Settings => System => Enterprise Integration => Directory Services.

Select Enable next to Azure AD Integration and type in the Directory ID from AAD.

The Directory ID (also called the tenant ID) can be found in the AAD service, within the Overview tab.

Also note the tenant name, which we will need in the next step.

Once the tenant ID has been put in, press Save in WS1 and that's it: the first requirement is complete.

Identity Service configuration

The second requirement for OOBE is the Identity Services integration between WS1 and AAD. There are two parts to this: one is done in WS1, the second in AAD.

In WS1 go to System Settings => System => Enterprise Integration => Directory Services and scroll down until you see "Use Azure AD for Identity Services". Select Enable. A set of URLs (the MDM Terms of Use URL and the MDM Discovery URL) is then shown under point 3; these are what AAD needs, so copy them and keep them for the next step. In point 4, type in the tenant name captured in the previous step, when you got the tenant ID.

MDM and MAM configuration in AAD

The final step is the configuration in AAD. In the Azure portal, navigate to AAD => Mobility (MDM and MAM), then select Add application.

On the next screen choose AirWatch by VMware and click Add.

Once this is done you should see the new application in the list under the Mobility service. Select it and paste in the URLs provided earlier by WS1: the MDM terms of use URL and the MDM discovery URL. Do not forget to assign users to the application: only users assigned to it will go through the OOBE enrollment. You can select individual users or a user group, or select All if that is what is required. In my scenario below I'm only selecting one user for testing. Note: a test user group or a single user is recommended before scoping the application to more users, because every assigned user who signs in on a new Windows 10 device during OOBE will be enrolled.

From this point on, new Windows 10 devices should go through the OOBE enrollment process when a user assigned to the configured MDM application types in their corporate email address during the initial boot.

Enjoy!

AAD SAML integration with Workspace One

In some scenarios, especially for new companies, there is no on-premises infrastructure and the organisation would not invest money to go that route. Instead it uses the cloud services currently available, such as Microsoft Azure. One of the main services used by organisations with on-premises infrastructure is Active Directory. Azure offers its own directory service, Azure Active Directory (AAD), but it is not a hosted copy of on-premises AD, and integration between AAD and WS1 does not work the same way: it requires SAML integration rather than the standard LDAP configuration. In this post I describe how to do that.

To be able to enroll devices with users from AAD, follow the steps below to complete the integration between the two platforms.

Add Azure application

Navigate to https://portal.azure.com and login to your tenant. Then follow below steps:

  • Select the AAD service
  • Select Enterprise applications
  • Within the Enterprise applications section click New application
  • Search for AirWatch and then select Create

Configure AAD Application

Once the application is added, the administrator needs to configure Single Sign-On and enable SAML authentication for that enterprise app.

On the Single sign-on page, select SAML, then scroll down to section 3 (SAML Signing Certificate) and select Download next to Federation Metadata XML. This downloads an XML file which we will use in the WS1 console.

Configure WS1 Directory Settings

Now leave this page open, open a new tab/window and log in to the WS1 console. Navigate to Settings => System => Enterprise Integration => Directory Services.

Skip the wizard option and configure Directory Services as below:

  • Directory Type – set to None
  • Use SAML for Authentication – Enable
  • Enable SAML Authentication For – check the required options (in our case I have selected Enrollment and Self-Service Portal only)
  • Use New SAML Authentication Endpoint – Enable
  • Import Identity Provider Settings – upload the XML file downloaded earlier from the Azure portal
  • Press Save at the bottom of the page (note: the settings are not loaded from the file until the save completes)

Once the save completes, make sure that all values and the certificate are populated, and that the Request and Response binding types are set to "Post".
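
The check above is easy to do by eye, but if you have more than one tenant to integrate it helps to script it. The Python below is an added example, not code from the original post or from VMware: it parses a Federation Metadata XML file of the kind downloaded from Azure and reports the entity ID, the HTTP-POST single sign-on endpoint and whether a decodable signing certificate is present. The sample metadata embedded in it is constructed for the example (an all-zeros tenant ID and a placeholder "certificate"), not a real tenant's file.

```python
# Added example, not from the original post: check an Azure AD Federation
# Metadata XML file for the values WS1 needs before importing it.
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: the tenant id is all zeros and the "certificate" is the
# base64 of a placeholder string, so nothing here belongs to a real tenant.
_TENANT = "00000000-0000-0000-0000-000000000000"
_FAKE_CERT = base64.b64encode(b"placeholder, not a real X.509 certificate").decode()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{_FAKE_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://login.microsoftonline.com/{_TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST_BINDING}"
        Location="https://login.microsoftonline.com/{_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> dict:
    """Return the values WS1 needs from IdP metadata plus a list of issues.

    Mirrors the manual check in the post: entity ID, a signing certificate
    and an HTTP-POST SingleSignOnService endpoint must all be present.
    """
    root = ET.fromstring(xml_text)
    result = {"entity_id": root.get("entityID"), "sso_post": None,
              "sso_redirect": None, "signing_certs": 0, "issues": []}

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        result["issues"].append("no IDPSSODescriptor: not an IdP metadata file")
        return result

    # Record the SSO endpoint per binding; WS1 is configured for POST.
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == POST_BINDING:
            result["sso_post"] = sso.get("Location")
        elif sso.get("Binding") == REDIRECT_BINDING:
            result["sso_redirect"] = sso.get("Location")

    # A KeyDescriptor without a "use" attribute covers both signing and encryption.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                try:
                    base64.b64decode("".join(cert.text.split()), validate=True)
                    result["signing_certs"] += 1
                except ValueError:
                    result["issues"].append("X509Certificate is not valid base64")

    if not result["entity_id"]:
        result["issues"].append("entityID missing")
    if result["sso_post"] is None:
        result["issues"].append("no SingleSignOnService with HTTP-POST binding")
    elif not result["sso_post"].startswith("https://"):
        result["issues"].append("HTTP-POST SSO endpoint is not https")
    if result["signing_certs"] == 0:
        result["issues"].append("no signing certificate in metadata")
    return result


if __name__ == "__main__":
    report = check_idp_metadata(SAMPLE_METADATA)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real file with `check_idp_metadata(open("metadata.xml").read())`; an empty `issues` list means the import should populate the certificate and the POST endpoint as the post expects. Because the same tenant ID appears in the entity ID, the script also makes it obvious if the file belongs to the wrong tenant.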

Next go to the User tab and edit the configuration below:

  • Base DN field to “WAAD”
  • Object Identifier to http://schemas.microsoft.com/identity/claims/objectidentifier
  • Username to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • Display Name to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • First Name to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • Last Name to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • Email to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Note: to edit a field, click the pencil icon. You will then be able to edit the field, but no visual change is shown.

Once all the required fields are completed, click Save and go back to the Server tab. Scroll down to the bottom of the page and click Export Service Provider Settings. An XML file will be downloaded, which we can then import into Azure.

Complete configuration of AAD Application

Navigate back to the open tab/window in the Azure portal with the enterprise application's SSO configuration. Click Upload metadata file, select the XML file downloaded from WS1 and click Add. This populates all the required fields from the WS1 configuration. Once the settings have been uploaded successfully, a "SAML file upload" message with a green check mark is shown.

Note: if you add the enterprise application manually rather than picking AirWatch from the gallery, the "UID" claim will be missing in section 2 (User Attributes & Claims). If this is the case, select Edit and add the new claim as below:

UID = user.userprincipalname
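
To see what the User tab mapping above actually does with what AAD sends, here is an added Python example (not code from the original post or from VMware) that pulls the attributes out of a SAML assertion and maps them onto the WS1 user fields using the same claim URIs as the post, flagging a missing UID claim the way the note above describes. The assertion it parses is constructed for the example, for a fictional user with an all-zeros issuer tenant ID. Signature validation is deliberately out of scope here: WS1 verifies the assertion with the certificate from the IdP metadata, and this script only shows the claim-to-attribute mapping.

```python
# Added example, not from the original post: extract SAML attributes and map
# them onto the WS1 user fields configured on the Directory Services User tab.
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Claim URIs exactly as entered on the WS1 User tab in the post.
OBJECT_ID = "http://schemas.microsoft.com/identity/claims/objectidentifier"
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GIVEN_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

# WS1 field -> claim URI (Display Name is mapped to givenname, as in the post).
WS1_ATTRIBUTE_MAP = {
    "object_identifier": OBJECT_ID,
    "username": EMAIL,
    "display_name": GIVEN_NAME,
    "first_name": GIVEN_NAME,
    "last_name": SURNAME,
    "email": EMAIL,
}
# Without these WS1 cannot create or match the directory user, so treat a
# missing value as a hard failure rather than a warning (assumption of this example).
REQUIRED_FIELDS = ("object_identifier", "username", "email")


def build_sample_assertion(include_uid: bool = True) -> str:
    """Constructed assertion for a fictional user; not a real tenant or person."""
    uid = ('<saml:Attribute Name="UID"><saml:AttributeValue>jane.doe@example.com'
           "</saml:AttributeValue></saml:Attribute>") if include_uid else ""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0"
    IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{OBJECT_ID}"><saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{EMAIL}"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GIVEN_NAME}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{SURNAME}"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    {uid}
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml: str) -> dict:
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values
    return claims


def map_to_ws1(claims: dict):
    """Apply WS1_ATTRIBUTE_MAP; return (user record, list of issues)."""
    user, issues = {}, []
    for field, uri in WS1_ATTRIBUTE_MAP.items():
        values = claims.get(uri, [])
        if values and values[0]:
            user[field] = values[0]      # WS1 takes a single value per field
        elif field in REQUIRED_FIELDS:
            issues.append(f"required claim missing for {field}: {uri}")
    if "UID" not in claims:
        issues.append("UID claim missing: add UID = user.userprincipalname in the Azure SSO claims")
    return user, issues


if __name__ == "__main__":
    for with_uid in (True, False):
        record, problems = map_to_ws1(extract_claims(build_sample_assertion(with_uid)))
        print(record, problems)
```

If an enrollment fails with a user-not-found style error after this setup, capturing the assertion from the browser (the SAMLResponse form field, base64-decoded) and running it through `map_to_ws1` shows immediately which of the mapped claims Azure did not send.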

The configuration is now complete and you should be able to enroll a device using an AAD user.