3rd Party ADMX Settings with Workspace ONE and Dynamic Environment Manager

The Slim

If you’ve made the move to Windows modern management, or you’re considering it, you’ve likely spent a lot of time evaluating existing Group Policy Objects (GPOs) and determining which ones will continue to be enforced.

It’s very common that you need to manage machine policies for third party applications like Microsoft Office and Google Chrome. Fortunately, Microsoft has provided a configuration service provider (CSP) for third party ADMX settings to allow you to continue to manage these settings over the air and for devices that aren’t joined to an on-premises Active Directory.

Unfortunately, this is a two-step process: the device must first ingest the ADMX template, and then custom SyncML must be created to set the policies. If you’re like me and don’t enjoy reading or writing XML, the shift from the graphical user interface provided by Group Policy Management Editor might seem daunting at first, but VMware offers tools to make this easier.

The Workspace ONE UEM 21.09 release introduces a built in integration with VMware Dynamic Environment Manager (DEM) that allows you to create DEM policies through the DEM management console, export them, and distribute them through Workspace ONE.

With ADMX settings, and GPOs in general, policies can be scoped as machine policies and/or user policies. Many of the commonly applied ADMX settings for applications like Office and Chrome are machine settings. These settings are supported by DEM and can be exported and applied through Workspace ONE, but this must be enabled in the DEM console and also enabled for the DEM agent on the device. This post covers the additional steps needed so that machine settings, such as control of Microsoft Office updates, can be exported from DEM and distributed through Workspace ONE UEM.

The integration with Workspace ONE and the policy configuration options in DEM are well documented. This post does not cover those two topics in depth, nor does it cover the installation of the DEM management console. You can read more on those topics in a Techzone article by DEM field expert Pim van de Vis.

Important: Please note the versioning requirements in the Techzone article. This requires Workspace ONE UEM 21.09.

Creating Machine Policies in DEM

After you’ve installed the DEM management console and enabled the Workspace ONE integration, you need to also enable computer environment settings in the console so that this option will appear. You can enable this option by clicking Configure.

Then select Computer Environment under General > Additional Features and click Ok.

You’ll now see the Computer Environment tab located at the top of the management console.

Once you’ve enabled computer environment settings, you must import the .ADMX files for the settings you want to apply.

  1. Click on Manage Templates ADMX under the Computer Environment tab.
  2. You then select your .admx files to upload by clicking Add Folder or Add File. Add folder allows you to upload a folder of different .admx files. In this example I’ll be uploading .admx files for Microsoft Office applications.

After you’ve added all of the .admx files you need based on the settings you plan to apply, you can click Ok and Close.

Next you’ll want to create the policy that will ultimately be exported as a .DEMConfig file and uploaded into the UEM console for assignment.

From the computer environment tab:

  1. Click Create.
  2. Click Select Categories.

    Don’t forget to give these settings a name.

The categories displayed here will depend on the .admx files that you uploaded in the previous step. Keep in mind, your .admx files may also contain user settings but those must be set under the User Environment tab. Here you’ll only see machine based settings. The policy tree shown here will be similar to what’s seen in group policy management editor.

Since I’ll only be setting Office Update settings in this example, I’ll select Microsoft Office 2016 (Machine) > Updates. Selecting this category will allow me to configure the settings in this category in the next step.

After selecting your categories and clicking OK, it’s time to modify the policies within the selected categories. This is done by clicking Edit Policies.

In this example I’ll set the update channel to Enterprise Monthly, enable automatic updates for Office, hide update notifications and set an update deadline of 7 days. These settings will differ based on your organization’s requirements.

Next you’ll close this window and then save.

Now I’ll save the policy as a .DEMConfig file to prepare to upload the file in Workspace ONE. Save and export the policy by clicking the star in the upper left hand corner of the DEM console and click Save As.

Important note: Before saving, make sure you’ve imported a NoAD.xml file and a valid license file.

Deploying Through Workspace ONE

The Profile

Once you’ve saved the settings you wish to apply, the next step is to deploy the settings and the Dynamic Environment Agent to devices through Workspace ONE UEM. The settings are deployed in the form of a profile. Please note this requires UEM console version 21.09 and above.

Sign into your UEM console, go to Devices > Profiles & Resources > Profiles. Select Add > Add Profile.

This will be a standard Windows > Windows Desktop > Device Profile. You’ll need to provide a name and assignment in the General section of the profile like any other profile. If you’re on console version 21.09, you’ll have a Dynamic Environment Manager payload available to you.

Select this payload and then select Configure. From here you’ll be able to upload your .DEMConfig file that you exported from the DEM management console. After you’ve uploaded it, click save and publish to publish to devices.

Once you’ve saved and published the profile, you can later return to this payload and download the existing .DEMConfig file. This file can then be uploaded again into the DEM management console, modified, saved and republished through Workspace ONE.

The Agent

Now that the policy has been deployed, the Dynamic Environment Manager agent needs to be deployed so that the policies will be applied. The agent is a standard .MSI and can be uploaded directly into Workspace ONE Apps & Books and deployed without any additional configuration. However, there are settings that need to be applied so that computer environment settings are honored, like the machine based ADMX settings we just deployed.

I recommend doing this during the agent installation by passing an MSI property in the installation command. This enables the computer settings; additional values can then be set in the registry to control things like logging and the refresh interval for these same settings.

I’ll be using the following command line for the install command of the DEM agent.

msiexec /i "VMware Dynamic Environment Manager Enterprise 2106 10.3 x64.msi" /qn INTEGRATION_ENABLED=1 COMPENVCONFIGFILEPATH=C:\ProgramData\AirWatch\DEM\UserProfile\Agent\general

INTEGRATION_ENABLED=1 is needed to install the agent in NoAD mode, which is the mode used when policies are applied through Workspace ONE. This step is outlined in the TechZone article at the beginning of this post. You can read more about NoAD mode on VMware Docs.

The next MSI property is critical for the application of computer environment settings. By including COMPENVCONFIGFILEPATH, the registry key below is created.

HKLM\SOFTWARE\VMware, Inc.\VMware UEM\Agent\Computer Configuration

Within this registry key, the following values are created, which allows the agent to apply the machine based ADMX settings we deployed through Workspace ONE.

Enabled (REG_DWORD) to 1
ConfigFilePath (REG_EXPAND_SZ) to C:\ProgramData\AirWatch\DEM\UserProfile\Agent\general

Note: These registry values get set during the installation of the agent but can optionally be set by modifying the registry.

The config file path is required and points to a directory located under C:\ProgramData\AirWatch\DEM. This location is created once a Dynamic Environment Manager profile is applied through Workspace ONE. The UserProfile directory is where all of the DEM related settings and ADMX information are stored, and this is where the agent pulls this information from.

Under

C:\ProgramData\Airwatch\DEM\UserProfile\Management\general\FlexRepository\ADMX Templates

you’ll find the ADMX files that were previously uploaded into the DEM console.

While under

C:\ProgramData\Airwatch\DEM\UserProfile\Agent\general

you’ll be able to find information like the license file and NoAD.xml file that are added into the DEM console prior to exporting the settings. This is where the config file path property for computer environment settings points to.

With this information, I’ll now add the Dynamic Environment Manager Agent into the Workspace ONE console to be deployed.

I’ll go to Apps & Books > Applications > Native > Internal > Add > Application File. I’ll select upload and upload the DEM agent MSI and then hit Continue.

Next, I need to modify my install command to include the MSI properties for NoAD mode and computer environment settings. This is done under Deployment Options > Install Command. Again, the install command being used here is:

msiexec /i "VMware Dynamic Environment Manager Enterprise 2106 10.3 x64.msi" /qn INTEGRATION_ENABLED=1 COMPENVCONFIGFILEPATH=C:\ProgramData\AirWatch\DEM\UserProfile\Agent\general

Make sure to substitute the version of the DEM agent you’re installing into your install command.

I’ll now save and assign the deployment.

At this point the DEM profile is applied through Workspace ONE and the agent is installed. I can see that the computer environment settings are configured properly on the endpoint. However, I don’t see the Office registry key located under HKLM\Software\Policies\Microsoft, which means that my ADMX settings didn’t apply.

The DEM agent only applies computer environment settings at startup, which is problematic for rolling out these configurations to existing devices. Relying on the settings to apply only at startup would require either forcing a reboot or waiting until the next restart for the settings to apply. When you install the DEM agent, an executable called FlexEngine.exe is installed under C:\Program Files\Immidio\Flex Profiles. FlexEngine.exe offers command line arguments that can be used to refresh settings without requiring a logoff/logon (for user settings) or a reboot (for computer settings).

By running FlexEngine.exe with the argument -UEMRefreshADMXComputerPolicy, I’m able to refresh the computer settings without requiring a reboot. This can be run as the currently logged on user or with administrative privileges.

Now after refreshing the registry, I can see that my ADMX settings that I created for Office have been applied.

I’ll also plan to set two additional registry values under HKLM\SOFTWARE\VMware, Inc.\VMware UEM\Agent\Computer Configuration.

These values are RefreshInterval (DWORD) and ContinueRefreshAfterLogon (DWORD). When set together, they control the interval, in seconds, at which computer settings are reapplied. The agent offers other configuration options for computer environment settings as well.

Tying the Pieces Together

These steps need to happen in a particular order when the agent is deployed so that the settings apply correctly. If you have Freestyle Orchestrator enabled in your environment, this is a simple workflow deployed to devices that sequences the installation of the profile, the DEM agent, and a script to set the additional computer configuration registry values and run FlexEngine.exe -UEMRefreshADMXComputerPolicy.

However, at the time of this writing, Freestyle Orchestrator may not yet have been deployed to your environment. For this reason, you might consider adding a PowerShell wrapper to your DEM agent installation by combining a .ps1 script and the .msi into a zip file. The .ps1 script would install the agent with the correct MSI properties and then run the additional commands. Your install command for this application would call the PowerShell script included in the zip file.
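The wrapper described above, written out as an added example; it is not VMware’s code or a script from this post. It assumes the MSI sits beside the script inside the zip, a RefreshInterval of 3600 seconds, and that the Office policies land under an Office subkey of HKLM\Software\Policies\Microsoft, as seen in the post.

```powershell
# Added example: install the DEM agent in NoAD mode with computer environment
# settings enabled, verify the registry values, set the refresh values, then
# force an ADMX refresh so the machine policies apply without a reboot.
$ErrorActionPreference = 'Stop'

# Assumption: the MSI is packaged next to this script in the zip uploaded to UEM.
$msi        = Join-Path $PSScriptRoot 'VMware Dynamic Environment Manager Enterprise 2106 10.3 x64.msi'
$configPath = 'C:\ProgramData\AirWatch\DEM\UserProfile\Agent\general'
$agentKey   = 'HKLM:\SOFTWARE\VMware, Inc.\VMware UEM\Agent\Computer Configuration'
$flexEngine = 'C:\Program Files\Immidio\Flex Profiles\FlexEngine.exe'

# 1. Install with the two MSI properties from the post (NoAD mode + computer settings).
$msiArgs = @('/i', "`"$msi`"", '/qn', 'INTEGRATION_ENABLED=1', "COMPENVCONFIGFILEPATH=$configPath")
$install = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
if ($install.ExitCode -notin 0, 3010) {   # 3010 = success, reboot required
    throw "DEM agent install failed with exit code $($install.ExitCode)"
}

# 2. Confirm the installer created Enabled=1 and ConfigFilePath under the key.
$cfg = Get-ItemProperty -Path $agentKey
if ($cfg.Enabled -ne 1 -or $cfg.ConfigFilePath -ne $configPath) {
    throw "Computer environment settings are not enabled under $agentKey"
}

# 3. Add the periodic refresh values (3600-second interval is an assumption).
New-ItemProperty -Path $agentKey -Name 'RefreshInterval' -PropertyType DWord -Value 3600 -Force | Out-Null
New-ItemProperty -Path $agentKey -Name 'ContinueRefreshAfterLogon' -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Apply the machine ADMX settings now instead of waiting for the next startup.
$refresh = Start-Process -FilePath $flexEngine -ArgumentList '-UEMRefreshADMXComputerPolicy' -Wait -PassThru
if ($refresh.ExitCode -ne 0) {
    throw "FlexEngine refresh exited with code $($refresh.ExitCode)"
}

# 5. Check that the policy landed (assumed subkey for the Office settings in this post).
$officePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Office'
if (Test-Path $officePolicy) {
    Write-Output "Office ADMX policies applied under $officePolicy"
} else {
    Write-Warning "No Office policy key found yet under HKLM:\SOFTWARE\Policies\Microsoft; check the DEM profile was delivered before the agent ran"
}
```

Because Workspace ONE runs the install command as SYSTEM, the FlexEngine refresh already has the administrative rights the post mentions; if the profile has not yet been delivered when the script runs, the final check warns rather than failing the install.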

Profile Lifecycle

Managing Multiple Groups of Settings

Currently Workspace ONE only supports having one profile with a Dynamic Environment Manager payload applied.

What this means is if multiple profiles are applied, the last one applied will take precedence when the next policy refresh occurs. For example, if policy 1 is applied and then policy 2 is applied, everything that was set in policy 1 will be removed at the time of refresh and the settings set in policy 2 will be applied. This happens regardless of whether or not there are conflicting settings.

So if any settings are being applied through the DEM profile, including settings outside of 3rd party ADMX settings, they all have to be included in one profile. That makes any setting with common exclusions or variations a poor candidate. For example, the update deadline in the Office update settings configured above might vary across the enterprise, while the rest of the Office update settings would be the same.

Targeting Devices Using DEM Conditions

That said, if a particular setting within the larger group changes depending on a condition, DEM includes a feature called conditions that can achieve the same result. Sticking with the same example, suppose a Workspace ONE sensor was used to determine the update deadline in the Office ADMX settings. Without conditions, you would use something like tags to tag devices based on this value, break the devices into different assignment groups within Workspace ONE, and assign those groups different profiles.

Using conditions within DEM, one profile can be assigned and the individual settings will be applied based on the conditions created for that setting. This is done by clicking on the Conditions tab when creating or editing a setting in the DEM console and then clicking Add to add a condition.

The result is that you can have different, even conflicting, settings that apply differently based on the conditions you create.

Updating the Profile

The profile can be updated by downloading the .DEMConfig file from the profile in Workspace ONE UEM and then opening it with the DEM management console. Alternatively, if you have the file saved locally, you can skip the step of downloading it from Workspace ONE UEM.

Conclusion

The recently added DEM integration with Workspace ONE can do much more than just manage 3rd party ADMX settings. But if you’re creating and applying 3rd party ADMX settings in the form of custom settings profiles within UEM, this might help to ease the management of those policies.

Just keep in mind that there are some operational caveats when it comes to managing the lifecycle of these settings, and it may not be a good fit for all policies, such as policies that have many different values or exclusions. For policies that are common across the environment, I think using the Dynamic Environment Manager integration makes a lot of sense over custom settings.

Lastly, if you’ve moved away from GPO altogether, this integration also introduces ways to configure certain policies that don’t map to modern management, and it brings other capabilities to Workspace ONE, like privilege elevation and printer/drive mapping (which can also be applied based on conditions like location).
