rterakedis's Posts

Yes, Volume Purchased Apps can be deployed with device-based licensing to non-DEP devices.   The difference is that with non-DEP/unsupervised devices, the user will still get a prompt that the organization wants to manage applications on the device.   With DEP/Supervised devices, the opt-in is silent and therefore the app install is automatic/silent.

sturmanc​ - can you be more specific on the troubles/issues they’re seeing? I’ve found the the SSO plugin is a bit finicky in Catalina with regards to just setting it up and getting it to synchronize the local password with AD.   I have filed some feedback to Apple with regards to this.   Thanks!

I haven’t found a good way to do this via MDM as of yet.   Safari stores the bookmarks in a non-standard location rather than reading/writing them into preferences which can be managed via Custom Settings.  One other option to consider is some type of bookmarks “homepage” which you could set as the default homepage for Safari.  I used this Custom Settings payload a back in High Sierra or Mojave I think... I haven’t tested with Catalina but it might point you in a direction that could help.    <dict> <key>PayloadContent</key> <dict> <key>com.apple.Safari</key> <dict> <key>Forced</key> <array> <dict> <key>mcx_preference_settings</key> <dict> <key>HomePage</key> <string>http://www.vmware.com/</string> <key>NewTabBehavior</key> <integer>0</integer> <key>NewWindowBehavior</key> <integer>0</integer> </dict> </dict> </array> </dict> </dict> <key>PayloadEnabled</key> <true/> <key>PayloadIdentifier</key> <string>MCXToProfile.00cf33c8-0442-449b-85fb-7c6db6c2f38e.alacarte.customsettings.1e0d5e16-e2bd-46e5-9179-efe10edc6d37</string> <key>PayloadType</key> <string>com.apple.ManagedClient.preferences</string> <key>PayloadUUID</key> <string>1e0d5e16-e2bd-46e5-9179-efe10edc6d37</string> <key>PayloadVersion</key> <integer>1</integer> </dict> You can find some of the original Custom Settings here:   euc-samples/Safari-ControlPrivateBrowsing.md at master · vmware-samples/euc-samples · GitHub

BrianPitt​ - we typically recommend folks that are migrating from another MDM to Workspace ONE leverage one of our partners: https://marketplace.vmware.com/vsx/solutions/exodus-1-0 https://ebf.com/en/emm/ebf-onboarder/ That said, a few things to note:  You can always move the device records in Apple Business Manager ahead of time.   Moving the serial numbers between MDM servers in Apple Business Manager has no effect on the current configuration of the device.   This way you're prepped and ready if any of those devices end up going through wipe/refresh before you get to it in your process. Since your end goal is to get the devices DEP enrolled, you are correct that you'll need to wipe the device and start from scratch to have an "Apple-approved" DEP enrollment on the device.   However, I've seen in the past where the MDM command to device wipe is destructive to macOS.   In other words, you end up with a non-bootable device that you then need to run through Internet Recovery.  A better method might be to send a script to the device (assuming they're on Catalina) that downloads the Catalina installer with the softwareupdate command (/usr/sbin/softwareupdate --fetch-full-installer --full-installer-version 10.15.2).  You can then initiate a device wipe using the Catalina Installer: '/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall' ‑‑eraseinstall --agreetolicense --forcequitapps ‑‑newvolumename 'Macintosh HD'. If the devices are not on Catalina, you'll most likely need to experiment with using VPP to deliver the macOS installer and/or package it up as an Internal App.    If memory serves me correctly, the "EraseInstall" option was introduced prior to Catalina.   This script may also help you down the path:   https://github.com/grahampugh/erase-install

b34ny​ --  Can you please provide some more detail as to the pain points of the home screen layout and why the layout requires a periodic refresh?   Are you adding new apps not previously included in the layout?   is someone changing the layout and you're trying to put the layout back? Also note, you can always put this in as a Feature Request:   https://wsone-uem.ideas.aha.io.

colico​ - When you say you've "added all devices s/n", did you also go to the "Device Assignments" screen in Apple Business Manager and assign those three serial numbers to the MDM server (see below).   If that completes successfully, then you should be able to sync devices in Workspace ONE and see those devices in the Enrollment Status page. The next thing to check would be the "Default Profile" assigned to newly synced devices.   Under Settings > Devices & Users > Apple > Device Enrollment Program, check that you do not have None selected as your default profile assigned to newly synced devices.     Without a DEP profile assigned to the device, it will not bring up the organization settings during the Setup Assistant.   If the device has already synced into Workspace ONE while the default profile was set to none, you'll need to select the device(s) in the Lifecycle page, click More Actions, and then click Assign Profile.   You'll be able to then choose the DEP profile to set for the device.    Refresh the Enrollment Status page, change the layout to "Custom" and then make sure the "Profile Status" field shows "Assigned."  Finally, if things still don't seem to be working, go back to the Device Enrollment Program settings page in Workspace ONE and click the Renew button.   In Apple Business Manager, you'll have to go to Settings and then find your MDM Server and click Download Token.   Immediately upload that token into the "renew" screen in Workspace ONE.  Then, retry the "Sync Devices" button.  

itrs​ - It looks like Microsoft expanded their documentation as to the appconfig keys supported by Microsoft Outlook for iOS:   https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune#configuration-keys That said, you can find more detail about what to include in the specific on-prem keys in this Microsoft article:   https://docs.microsoft.com/en-us/Exchange/clients/outlook-for-ios-and-android/account-setup?redirectedfrom=MSDN&view=exchserver-2019 Hopefully that helps!

bully79​ - I believe it depends on how old the ACC is (the log file location has been moved a few times over the years), but you'll probably find the logs in one of the following locations: C:\VMware\AirWatch\Logs\CloudConnector\ C:\AirWatch\Logs\CloudConnector C:\Program Files\AirWatch\Logs\CloudConnector\ To find your AWCM server URL and Port, go to Settings > Admin > Settings Management > Settings Summary and search for AWCM.   You'll need to look at the override value for "ACMServerExternalUrl" and "ACMPort".  At a minimum, just make sure you can telnet to that URL/Port combo and get connected.  Past that, you'll need to look into the ACC logs to determine what might be causing the issue. 

BrianPitt​ -- This type of behavior is generally caused by what the underlying framework is using to determine whether the software is installed.   A good place to determine this is to look at the contents of the plist file created by the Admin Assistant tool.   Specifically, you'll want to look at what is listed in the "Installs" or "receipts" array(s).   I'm not sure how much of this is still applicable, but I worked with one of our customers to put together some guidance awhile back:   https://github.com/vmware-samples/euc-samples/tree/master/macOS-Samples/3rd-Party_Software_Guidance/Adobe%20Products  The net result is that you need to follow the guidelines of how the underlying framework (munki) is determining whether the software is installed:   https://github.com/munki/munki/wiki/How-Munki-Decides-What-Needs-To-Be-Installed

jeromecanales​ - In a test OG or test environment, try inserting the Lookup Value in the Asset Tag text box (e.g {DeviceFriendlyName} ).   There are many places where Lookup Values work, but aren't specifically exposed in the UI.

sekharvemula​ - I made a video of this which was included in the Hands-On Lab for macOS App Management.   Please view it here:   Integrating Apple Business Manager and Workspace ONE UEM - YouTube Also, the various methods for app management are covered in the hands-on lab in Module 1 of HOL-2051-11-UEM - Desktop Management with Workspace ONE UEM, here:   VMware Learning Platform

bully79​ -- If memory serves me, it should still be running full time.   If the ACC (AirWatch Cloud Connector) isn't running, then it won't be available to authenticate users against your Active Directory DC's.  You'll need to check the logs for the ACC to see why it's stopping.   Also, make sure that the server running the ACC has outbound connectivity to AWCM (AirWatch Cloud Messaging).  

RussBurden​ - it's not necessarily WS1 reading those values from the VM, it's actually the other way around -- the VM sends those values to Workspace ONE.  More specifically, macOS generates those values based on the "hardware" presented to the OS by the hypervisor, and then those values are sent to WS1 during the authenticate step in the MDM protocol:    AuthenticateRequest - Device Management | Apple Developer Documentation​.  Hope that helps clarify what is going on behind the scenes.

RussBurden​ -- You need to edit the VMX for your VM to make it "appear" as a macOS device.   In particular, these lines should be what you modify (don't just blindly paste - I believe the board-id.reflecthost is generally set to True by default in the VMX).   hw.model = "MacBookPro11,5" hw.model.reflectHost = "FALSE" smbios.reflectHost = "FALSE" serialNumber = "SERIALNUMBER" serialNumber.reflectHost = "FALSE" board-id = "Mac-ABCDEFGHIJK01234" board-id.reflectHost = "FALSE" If you need to need to find these values, you can get them from terminal: ioreg -l | awk '/product-name/ { split($0, line, "\""); printf("%s\n", line[4]); }' ioreg -l | awk '/IOPlatformSerialNumber/ { split($0, line, "\""); printf("%s\n", line[4]); }' ioreg -lp IOService | awk '/board-id/ { split($0, line, "\""); printf("%s\n", line[4]); }'