Enrollment changes for Windows devices after Windows Anniversary update


The enrollment flow for Windows devices has changed following the Windows Anniversary Update. This article outlines the flow pre-update as well as the new flow post-update.

Pre-update enrollment flow

Prior to the Windows Anniversary update, when an end user is enrolling into AirWatch they navigate to Settings > Accounts > Work Access. This flow will take them to their MDM enrollment workflow. 

Selecting Enroll in to device management will take end users to their AirWatch Auto-Discovery server and then prompt them for their MDM server URL if discovery fails.


New Flow

In the Windows Anniversary update, Microsoft has:

  • Updated the UI menu item for enrollment to be Access work or school
  • Unified all workplace join flows for MDM, Domain, Azure AD / Cloud Domain and DJ++ (Domain Join ++) so that all work accounts are visible on a single screen.
  • Added an Azure AD (AAD) domain name check as a part of the discovery for all their flows.


Process flow changes with Azure AD domain check

Current users who have been instructed to navigate to Work Access will select the Connect option and enter their directory credentials. If the customer has registered their domain with O365 or with AAD, then the user will be taken into the AAD flow and their device will be joined to the cloud domain. If you have AAD premium enabled and the AirWatch MDM cloud app added, then the device will be enrolled into AirWatch.

With the Windows Anniversary update, users navigate to Work Access and select Connect to begin enrollment as they did before. The process that follows has changed. If you have registered your domain with O365 or with AAD, selecting Connect begins the AAD flow and the device joins the cloud domain. If you have AAD premium enabled and the AirWatch MDM cloud app added, then AirWatch enrollment begins after the AAD flow completes.  

However, if you have your domain registered with O365 or AAD but do not have AAD premium with "Require Management" enabled, this flow will not complete. As a result, end users will complete the Connect process and be joined to their cloud domain but will not have enrolled into AirWatch. The AirWatch enrollment flow does not automatically begin following the AAD flow.

The example below shows this incorrect flow for non-AAD Premium users. In this example, the device connects to AAD and is authenticated using user@vmware.com because the company has an O365 account registered but no AAD premium account.


Proper work flow created by Deep Linking to MDM

To mitigate this issue, Microsoft has provided us with a deep link that can be called from any app or website, which skips the AAD discovery and navigates straight to AirWatch Auto-Discovery.

The deep link is: ms-device-enrollment:?mode=mdm

We have updated the AirWatch Agent and Workspace ONE apps to use this deep link to take users to the correct enrollment flow.
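An added example, not part of the original article or of any AirWatch tooling: a PowerShell check for the state described above, where a device is joined to the cloud domain but has no MDM enrollment configured, so it can be flagged as unmanaged and sent to the deep link. It assumes the `AzureAdJoined` and `MdmUrl` field names printed by `dsregcmd /status` on the device being checked, and that an empty `MdmUrl` means the tenant has no MDM app configured; `Get-EnrollmentGap` and the sample output are constructed for illustration.

```powershell
# Added example. Assumes the AzureAdJoined and MdmUrl fields of
# `dsregcmd /status`; verify the field names on your Windows build.
$LaunchEnrollment = $false   # set to $true to open the MDM enrollment flow

function Get-EnrollmentGap {
    param(
        [Parameter(Mandatory)] [string[]] $StatusLines
    )
    $fields = @{}
    foreach ($line in $StatusLines) {
        # Lines look like "   Key : Value". Only the first colon separates
        # key from value, because URL values contain colons themselves.
        if ($line -match '^\s*(\w+)\s*:\s*(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $joined = $fields['AzureAdJoined'] -eq 'YES'
    $mdmUrl = $fields['MdmUrl']
    [pscustomobject]@{
        AzureAdJoined      = $joined
        MdmUrl             = $mdmUrl
        # Cloud-domain joined, but the tenant supplied no MDM URL: the
        # device is in the directory and is not managed.
        NeedsMdmEnrollment = $joined -and [string]::IsNullOrWhiteSpace($mdmUrl)
    }
}

# Constructed sample output (not captured from a real device).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : NO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Example Corp
                    MdmUrl :
'@

$result = Get-EnrollmentGap -StatusLines ($sample -split '\r?\n')
$result | Format-List

# On a live device, pass the real output instead of the sample:
#   Get-EnrollmentGap -StatusLines (dsregcmd /status)
if ($result.NeedsMdmEnrollment -and $LaunchEnrollment) {
    # Deep link from the article: skips AAD discovery, goes to MDM enrollment.
    Start-Process 'ms-device-enrollment:?mode=mdm'
}
```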

Implications for Customers without O365 and without Azure AD

  • Users should use the new AirWatch Agent v1.2.1 to enroll and follow the prompt to Connect to Work or School Account.
  • Users who use Workspace ONE with a step up enrollment flow should upgrade to Windows Workspace ONE v 2.0.1.
  • Users who use a web enrollment flow can go to awagent.com to enroll.
  • As a fallback option, customers can navigate to the deep link (ms-device-enrollment:?mode=mdm) from an email or by typing it into their browser window.

Implications for Customers with O365 or AAD but without AAD Premium (Majority of customers will be in the first or second scenarios)

  • Users should use the new AirWatch Agent v1.2.1 to enroll and follow the prompt to Connect to Work or School Account.
  • Users who use Workspace ONE with a step up enrollment flow should upgrade to Windows Workspace ONE v 2.0.1.
  • Users who use a web enrollment flow can go to awagent.com to enroll.
  • As a fallback option, customers can navigate to the deep link (ms-device-enrollment:?mode=mdm) from an email or by typing it into their browser window.

Implications for Customers with O365 and with AAD Premium and the AirWatch Cloud Application in their tenant

  • Customers should continue to enroll using the native Settings app by selecting Connect and entering their domain credentials. This process adds the device to the AAD domain and also enrolls the device into AirWatch.

Support Contact Information

To open a Support Request, please call your local AirWatch support line or submit a Support Request via myAirWatch.

 

 
