Accepted Solutions
The best way to troubleshoot pending hub (basically Hub is not installed yet) is to navigate to Registry Editor -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\S-0-0-00-0000000000-0000000000-000000000-000\MSI\ then find the folder GUID for the Hub. There should be two; one is for the software deployment agent and one is for the hub, and check the status. 70 is successful. More details can be found in the Windows 10 Troubleshooting Tutorial. The most common issue is download failed and it's normally due to the network (e.g. proxy, mismatched time causing SSL failures, etc.).
We don't currently support pure cloud directories as an available directory configuration. However, I do know that this feature is coming very soon so keep an eye out!
What’s available today
- JIT (just in time provisioniong) of user accounts
- https://communities.vmware.com/blogs/steveIDM/2019/04/25/workspace-one-airwatch-provisioning-app
- vIDM (WS1 Access) is primary IDP and then we federate with azure ad as third party idm
- This blog is older but may also work too http://blog.tbwfdu.com/2018/11/using-jit-to-provision-user-accounts.html
- Or Fling (not officially supported, but still works)
- https://blog.virtualprivateer.com/ws1-uem-scim-adapter/
- Not supported by vmware but built by vmware employee
- Coming in product in soon (I think the next release or two)
Outside of that, in terms of the configuration between Azure and WS1, here is an example:
objectGUID is default but you can also use MS-DS-Consistency-Guid. All this is is an anchor attribute between the Azure user and WS1 UEM user.
Good morning,
first of all thank you for your comments. I will have a look at the provided links, but initially we don´t want to include WS1 Access in that picture.
I´ve been further investigating this issue and made some progress. Thats what I´ve found out:
as mentioned, our Azure AD is integrated with OKTA and we don´t have a local Active Directory. Users are created in OKTA and then synchronized with Azure AD. I think the problem is that this federation with OKTA generates an immutable ID that is sent to the device in the JWT Token. When WS1 receives this token with an immutable ID he tries to validate the user against a local Active Directory that does not exists
As said in this link :
So what I have done is to create a local user in Azure AD instead of in OKTA (since users are created in OKTA I can not create a user with @mydomain.com but with @mydomain.onmicrosoft.com). Then I have used this user to enroll my win10 virtual machine via Azure AD using the option "Join to Azure AD" in the Setup Work or school account section. The Airwatch app is configured with the MDM & Terms of Use URLs copied from WS1 and Azure Identity Services with the tenant name mydomain.com.
I don´t have added the on-premise App in Azure AD. This is not supposed to be used in dedicated SaaS or on-premise environments?
Now I can see the device in WS1, the user is also created but the enrollment does not complete, it stucks with the status "Pending Hub" If I manually install de Hub the enrollment completes after some minutes and apps&configs are deployed to the machine. The same situation occours if I choose the option of registering in Azure AD instead of joining. So now I´m trying to find out why the intelligent Hub does not get installed automatically. This would solve my problem.
What I can also confirm is that before we federated our Azure AD with OKTA ( a pure Azure AD picture) we could enroll win10 machines with autopilot without any problem
Again, thank you for your comments sirs
regards
The best way to troubleshoot pending hub (basically Hub is not installed yet) is to navigate to Registry Editor -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement\S-0-0-00-0000000000-0000000000-000000000-000\MSI\ then find the folder GUID for the Hub. There should be two; one is for the software deployment agent and one is for the hub, and check the status. 70 is successful. More details can be found in the Windows 10 Troubleshooting Tutorial. The most common issue is download failed and it's normally due to the network (e.g. proxy, mismatched time causing SSL failures, etc.).
Hi Josue,
thank you for your response.
This is like it looks like in my case
the status is "30". As you mention in your post this means "Download Failure" but I don know the cause yet. I´ve tried to enroll via Ethernet, Wi-FI or 4G and I get always the same result. At least I know a bit more about the problem. I´m also looking for the cause in the troubleshooting guide, but what is odd for me is the value in the "CurrentDownloadURL" key. It´s very different than the one you show me. You know where is this value taken from or how is it generated.
Thnank you and regards
