Getting Started with Workspace ONE UEM Workflows for Desktop Devices
Overview
Introduction
Device management is continuously evolving, and this rapid evolution has directly impacted the IT administrator experience. Omnissa Workspace ONE® UEM has been following every step of this journey, evolving and innovating with every release, allowing administrators to manage cross-platform devices to enable a true Digital Workspace experience. Workspace ONE UEM provides a comprehensive management solution for Windows, macOS, Android, iOS, Linux, IoT, rugged, and other device types. With the ability to manage corporate-dedicated, corporate-owned, or employee-owned (BYOD) devices, Workspace ONE UEM offers enterprises the flexibility to meet their employees’ needs at any level.
Freestyle Orchestrator and Workflows
Freestyle Orchestrator, a workflow orchestration service integrated into Workspace ONE UEM and Intelligence, enables administrators to create complex workflows that fit specific requirements with flexibility and speed using a low-code approach through the Freestyle Canvas user interface (UI). Freestyle workflows can be used to set up resources such as applications, profiles, sensors, and scripts. These workflows use conditions to apply resources to devices based on granular criteria. The workflow design and execution depend on the engine associated with the workflow.
Purpose of This Tutorial
This tutorial provides an overview of using Freestyle Orchestrator in Workspace ONE UEM to create workflows for desktop devices, along with some examples of workflows you can create for Windows and macOS devices. The exercises included in this tutorial are meant to emulate simple operations to give you a basic understanding of what is possible with Freestyle Orchestrator. For more information, see the Freestyle Orchestrator product documentation.
To learn more about Workspace ONE Intelligence workflows with Freestyle, see the Tech Zone Tutorial Getting Started with Workspace ONE Intelligence.
Audience
This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments.
Both current and new administrators can benefit from using this tutorial. Familiarity with Windows, macOS, XML, and basic scripting is assumed.
Knowledge of additional technologies such as Workspace ONE® Intelligence and Workspace ONE® UEM is also helpful.
Introduction to Freestyle Orchestrator
Freestyle Orchestrator
Freestyle Orchestrator is a workflow orchestration service integrated into Workspace ONE UEM that allows IT administrators to create low-code workflows for handling resource deployments that have complex conditions or sequencing. Utilizing a canvas UI, administrators can drag and drop resources, such as applications, profiles, and scripts into a workflow, and control the deployment of those resources through conditional requirements and logic from sources such as sensors, application inventory, and more.
Among other things, IT administrators can use Freestyle Orchestrator to:
- Create complex workflows for onboarding Windows and macOS devices, including the deployment of applications, baseline profiles, and other configurations.
- Maintain the state of endpoint devices based on a specific condition, such as a sensor value.
- Manage complex app deployment sequencing to ensure that applications and configurations are applied in a certain order.
What Problem does Freestyle Orchestrator Solve?
The current method to provision resources (profiles, applications, content, scripts, and so on) over-the-air based on MDM APIs started with mobile platforms and later extended to desktops, such as Windows, macOS, and Chrome OS. The management experience on each platform has specific needs; overall, administrators want to control the provisioning process, such as control of the sequence in which resources are deployed on the device, and define conditions based on the current resource state and external conditions that require specialized scripts.
There is a lot of complexity behind the scenes to deliver the desired management experience on desktop platforms, and the provisioning process requires knowledge across Workspace ONE and external tools, such as coding. Freestyle Orchestrator simplifies this process and allows administrators to visually define complex workflows in a very effective way.
Freestyle Orchestrator Requirements
Freestyle Orchestrator is supported on Windows and macOS, and requires the following components to be installed and configured:
- Workspace ONE UEM 2207 (or later) console.
- For Windows 10/11 devices:
- Workspace ONE Intelligent Hub 2207 (or later).
- For macOS devices:
- Workspace ONE Intelligent Hub 2207 (or later).
- Workflow Engine (WFE) 2207 (or later). Available from the Resource Portal.
Components of a Freestyle Workflow in Workspace ONE UEM
A workflow in Freestyle Orchestrator consists of three key components. Each component is described below.
Resources
In a workflow, resources include applications, profiles, and scripts. All resources that you want to use in Freestyle Orchestrator must be added to the system inventory prior to using them in workflows. When a resource is added to a workflow, you define the actions to be taken for each resource, such as installing an application or running a script on the device assigned to the workflow. Actions on a resource are executed in order as defined in the workflow.
The following resources are available per platform to be used as part of a workflow:
Resources | Windows 10/11 | macOS | Available Actions
Applications (only internal apps) | ✓ | ✓ | Install / Remove (Windows), Install (macOS)
Profiles | ✓ | ✓ | Install / Remove (Windows), Install (macOS)
Scripts | ✓ | ✓ |
Conditions
A condition defines the specified criteria on which actions are taken for resources. IT administrators can specify conditions based on sensors, application, file, extended device inventory attributes data, and others. Conditions have set properties using conditional operators and values to determine if the condition is met. Conditions can be complex using the And or Or operators, as well as include multiple branches and nested conditions. You can also specify whether the condition should be re-evaluated. If enabled, the condition will be re-evaluated every four hours.
The following conditions are available per platform to be used as part of a workflow:
Condition | Windows 10/11 | macOS | Available Options
Application | ✓ | ✓ | Exists / Does Not Exist
Attributes | ✓ | | Software / System / Security
Device Status | ✓ | | Compromised / Not Compromised
Sensor | ✓ | ✓ |
File | ✓ | ✓ | Exists / Does Not Exist
Registry | ✓ | N/A | Exists / Does Not Exist
Time Window | ✓ | |
Groups
A group allows IT administrators to bundle resources that can be executed in parallel on devices. Applications, resources, and scripts can be added to a group. Like with resources, conditions can be configured to determine if a group is executed based on specified criteria.
Understanding the use of Sensors vs Scripts in workflow
Sensors
Sensors is a feature available for Windows and macOS devices. It allows administrators to automate data collection for desktop endpoints using common scripting languages. For example, administrators can push a sensor to a set of devices to obtain the latest printer connectivity status, report the current device hostname, retrieve a specific version identifier of a component, and so on. You can use Sensors in reports, dashboards, and automations in Workspace ONE Intelligence.
With Freestyle Orchestrator, you can use Sensors as a condition in workflow creation. Using conditions, administrators can create complex criteria rules using sensor values to determine which resource actions to take on devices. You can configure Sensors to run periodically or based on system events and trigger workflow re-evaluations if the condition state changes. With Sensor conditions in Freestyle, administrators can automate configuration drift detection and remediation workflows across desktop endpoints.
Scripts
Scripts is a Workspace ONE UEM feature that allows administrators to automate endpoint configurations on Windows and macOS devices. For example, administrators can push a script to a set of devices to set the hostname of the device, configure driver mapping automatically, set up complex printer configurations, and so on.
Scripts differ from Sensors in that they do not return a specific value; rather, they return an execution status. Scripts should be used for configuration or state-change use cases, and Sensors should be used for collecting information without making changes to the device state.
Scripts can be executed in many different ways:
- Individually as a separate resource directly assigned to devices through a Smart Group.
- Silently as part of an associated Freestyle Workflow, with a condition to perform additional steps based on the success or failure of the script.
- On-demand through the Intelligent Hub Catalog.
Scripts can run in the System or Current User context, and are available for Windows and macOS using the following languages:
- PowerShell for Windows.
- Python 3, Bash, and Zsh for macOS.
Scripts also allow the use of variables to securely pass information to the script environment. Variables can be defined with custom names, and include either static information or use console lookup values populated on the server-side. Script status is determined by the exit/error/return code.
Consider the following best practices when writing scripts:
- Add error handling within the script to catch exceptions.
- Write scripts that do final validation and then explicitly end the script with 0 exit code to ensure a successful status change.
- Example: A script that is copying files or directories. Add lines to the script to validate that the copies were successful, then explicitly end the script with the 0 exit code.
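The copy-and-validate practice described above, as an added example that is not part of the original tutorial: a PowerShell script that copies a folder, verifies every file by SHA-256 hash, and ends with an explicit exit code. The source and destination paths and the helper function name are hypothetical.

```powershell
# Added example: the paths below are hypothetical placeholders.
$ErrorActionPreference = 'Stop'    # treat non-terminating errors as exceptions
$Source      = 'C:\Temp\Staging\Config'              # assumed staging folder
$Destination = 'C:\ProgramData\ExampleApp\Config'    # assumed target folder

function Get-RelativeHashTable {
    param([Parameter(Mandatory)][string]$Root)
    # Map each file's path relative to $Root to its SHA-256 hash.
    $table = @{}
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | ForEach-Object {
        $relative = $_.FullName.Substring($rootFull.Length).TrimStart('\')
        $table[$relative] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

try {
    if (-not (Test-Path -LiteralPath $Source -PathType Container)) {
        throw "Source folder not found: $Source"
    }
    New-Item -Path $Destination -ItemType Directory -Force | Out-Null
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force

    # Final validation: every source file must exist at the destination with the same hash.
    $expected = Get-RelativeHashTable -Root $Source
    $actual   = Get-RelativeHashTable -Root $Destination
    $bad = @($expected.Keys | Where-Object { $actual[$_] -ne $expected[$_] })
    if ($bad.Count -gt 0) {
        throw "Copy validation failed for: $($bad -join ', ')"
    }

    Write-Output "Copied and verified $($expected.Count) file(s)."
    exit 0    # explicit success code after validation
}
catch {
    # Any exception ends the script with a non-zero code so the failure is reported.
    Write-Output "ERROR: $($_.Exception.Message)"
    exit 1
}
```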
A Scripts tab is available under the Device details page to allow the administrator to identify the script details, including last execution time, status, log, and output.
The Workflow Lifecycle
Freestyle workflows in Workspace ONE UEM are sent to the device in the form of a manifest file to be processed locally, minimizing the round trip between Workspace ONE Intelligent Hub and UEM API Servers in operations like identification of an application or profile deployed to a device. The workflow engine (WFE) in Intelligent Hub is responsible for processing each workflow manifest received from UEM when the device syncs.
Each workflow has a workflow UUID. A new workflow version is created and deployed to devices when changes are made to any of its steps. A new version of a workflow is created behind the scenes even when a resource linked to the workflow is updated.
Administrators have the option to save their progress in workflow creation before they publish the workflow to their end users. After the workflow is published, the save option is no longer available and all subsequent changes are published to end-user devices as a new workflow version. Workflows can be paused, allowing administrators to make the necessary changes and resume the deployment of the workflow to the devices.
Administrators can create workflows containing resources that are managed at or above the organization group (OG) where the workflow is created. Resources that are managed at a child OG of the group where the workflow is created cannot be added to the workflow.
To summarize, when a workflow is published, a manifest is sent to all devices that are part of the assigned smart group when the devices check-in. The workflow engine processes each workflow step locally and does not rely on server-side timing and execution to provision the resources.
Getting Started with Workspace ONE UEM Workflows
The process to create workflows is organized into four phases:
- Define the use case
- Stage resources
- Create a workflow
- Deploy and monitor
Define the Use Case
A better understanding of the use case and requirements will help to organize the resources in Workspace ONE UEM and define the workflow. The workflow becomes a logical way to achieve a goal, which can evolve as new use cases emerge from business needs.
Consider a Windows 10 device-onboarding use case where you must provision resources in a specific order: security-related resources must be deployed first, before the applications and tools the end user requires to perform their job. The applications and tools that access corporate resources cannot be provisioned unless the secure resources are available.
The business requirements look simple; however, when we translate them into technical requirements, they map to profiles with different types of payloads (restrictions, certificates, custom settings, and so on), applications, specialized scripts, conditions to validate the resource state, and more.
Stage Workflow Resources
Before you begin creating workflows, you must add the required resources to your inventory. However, you need not assign the resources to the devices during resource creation.
You must configure the Profiles and Applications resources in advance and as per the following list to be used as part of the workflow:
- Set Applications to on-demand deployment. Resources set as automatic are provisioned outside the workflow.
- Application resources must contain at least one assignment rule for default policy. However, resources provisioned by the workflow use the smart group assigned to the workflow.
- If a profile resource contains direct assignments, it is best practice to set the resource as optional to avoid overlaps in direct and workflow assignments.
If a resource such as an application or a profile is assigned to a device and configured for automatic deployment, in addition to being assigned to the device as part of a workflow, the resource will be installed based on whichever command is processed by the device.
When you add applications, ensure that the metadata is accurate and add a default application policy. For applications, it is mandatory to create a default policy. The application policies are responsible for in-app behavior and the default policy will be applied to all devices that receive an app from workflows unless the default policy is overridden by a specific policy for users.
When you add a script or sensor resource, identify the trigger and stage your script or sensor.
The resources can be staged at your organizational group (OG) or the parent OG.
Create a Workflow
After the required resources are added to the inventory, you can start creating the workflows. First, provide a name for the workflow, select the platform, and select a smart group for the workflow. All devices in the smart group to which the workflow is assigned perform the actions specified in the workflow upon publishing. The workflows can be deployed on-demand through the Hub App Catalog or Auto Deploy configuration.
Before the workflow is published to end-user devices, administrators have the option to save an incomplete workflow to resume editing at a later point. However, after the workflow is published, subsequent edits are always published.
Manage the Workflow Behavior
Administrators manage the workflow behavior through customizable settings that can be overridden, such as:
- Maximum time to wait for a workflow step to complete.
- Number of retries for workflow steps with errors.
The workflow settings in Workspace ONE UEM are available only for the Windows platform.
Additional settings are available when creating workflow steps, such as:
- Error handling to decide if a workflow should skip to the next step or stop in case of errors. This setting is available only when creating a workflow step.
- Re-install if removed, when a resource is removed from the device.
Time Windows (Business vs Maintenance Hours)
Time Windows allow you to schedule updates and content delivery in Workspace ONE UEM and take into account your business and maintenance hours. Create a Time Window by scheduling start and end dates, duration, and repeat options.
Time Windows is integrated with Freestyle and can be used as part of a resource condition, allowing the administrator to specify that some steps can be executed only during maintenance or business hours.
Common scheduling use cases are:
- As a banker, I do not want to get interrupted with app updates in front of the customer.
- As an admin, I want to schedule application installs only during specific maintenance windows.
- As an admin, I want to work on my own time and not worry about local time on devices, customer work hours, and so on.
- As an end user, I want to set up a time window where I am not bothered by any updates or installations ("Do not Disturb mode").
- As a customer, I want to utilize the application installation time to download files for the next installation.
In the above workflow, a reboot is required at the end of the execution. However, the reboot happens only if the device time falls within the maintenance hours; otherwise, a script is executed to notify the user to reboot the device later. The reboot and notify_user steps execute a PowerShell script previously defined in Workspace ONE UEM by the administrator.
Monitor the Workflow
After you create and assign workflows to the devices, you can monitor the progress of the workflow deployment.
You can view the workflow progress for all assigned devices, or you can view the workflow progress for individual devices. Navigate to the Device details page and check the workflow section for details of individually targeted validations.
The device event logs also detail how the device is responding to the workflow.
Example Workflows for Windows
The exercises outlined in this section offer examples of how Freestyle Orchestrator can be used to manage Windows devices. Each exercise includes instructions on creating the required resources for each workflow.
The exercises in this section are:
- Installing Application Updates with User Deferrals
- Creating a Kiosk Device Onboarding Workflow
Exercise #1: Installing Application Updates with User Deferrals
This exercise will show you how to use a Freestyle Orchestrator workflow to target application updates to enrolled devices and provide the end user with the option to defer that update. For this example workflow, you will be deploying the latest version of 7-Zip, which is version 23.10 at the time of writing this document.
The purpose of this exercise is to provide an example of how you can use Freestyle Orchestrator to deploy an application update to Windows devices. Although this exercise focuses on 7-Zip, the steps described can be used for other software packages.
Note: This exercise assumes that you have already uploaded the 7-Zip installer package into your Workspace ONE instance.
There are four parts to this exercise as outlined here. You will:
- Create a Sensor to Detect if the Device is Newly Enrolled.
- Create Script to Present Deferral Screen to Users.
- Create Script to Cleanup Deferrals After Application Update.
- Create a Workflow for Updating 7-Zip on Windows Devices.
Note: The process described in this section can be accomplished in several ways, including as a single script that negates the need for sensors. However, the process has been broken into separate components in this tutorial to demonstrate the capabilities of Freestyle Orchestrator.
Prerequisites
Before you can perform the exercises in this tutorial, you must meet the following requirements.
- Uploaded 7-Zip installer package into your Workspace ONE application inventory.
Note: This exercise uses sensors to gather specific data from the Windows devices. Due to privacy concerns, sensors will not collect data from employee-owned devices. To complete this exercise, you must use a corporate-owned Windows device.
Create a Sensor to Detect if the Device is Newly Enrolled
In this exercise, you will create a sensor that detects whether a Windows device was enrolled within the last seven days.
- In the Workspace ONE UEM console, select Resources. Then, select Sensors.
- Click Add and select Windows from the drop-down menu.
- Enter new_enrolled for the sensor name. Click Next.
- For Language, select Powershell.
- Select System for Execution Context.
- For Response Data Type, select Boolean.
- Enter the following into the Code textbox:
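# Look for event ID 72 in the MDM diagnostics log; it is used here as the enrollment marker.
# Get-WinEvent lists the newest events first, so -Last 1 selects the oldest matching event.
$Event = Get-WinEvent -LogName Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin | Where-Object {$_.ID -eq 72} | Select-Object -Last 1
if($Event)
{
    $currentdate = Get-Date
    # The device counts as newly enrolled if the event is no more than 7 days old.
    if($currentdate.AddDays(-7) -le $Event.TimeCreated)
    {
        $NewEnrollment = $true
    }
    else{$NewEnrollment = $false}
}
else{$NewEnrollment = $false}
return $NewEnrollment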
- Click Next.
- Click Save.
Create Script to Present Deferral Screen to Users
In this exercise, you will create a script that will present the user with the option to defer the update.
- In the Workspace ONE UEM console, select Resources. Then, select Scripts.
- Click Add and select Windows from the drop-down menu.
- Enter create_deferral_screen for the script name. Click Next.
- For Language, select Powershell.
- Select User Context without Admin Privileges for Execution Context & Privileges.
- Activate End-User Interaction.
- Set the Execution Architecture to Auto.
- Configure the Timeout to use 3600.
- Enter the following into the Code textbox:
Add-Type -AssemblyName PresentationFramework
$DeferralPath = "C:\ProgramData\Airwatch\Deferral"
# Each run appends one timestamp line to workflow.txt; the line count tracks how often the prompt was shown.
if((Test-Path "$($DeferralPath)\workflow.txt") -eq $true)
{
    Get-Date -Format s | Out-File -FilePath "$($DeferralPath)\workflow.txt" -Append
}
else
{
    New-Item -Path $DeferralPath -Name "workflow.txt" -ItemType File -Force
    Get-Date -Format s | Out-File -FilePath "$($DeferralPath)\workflow.txt" -Append
}
# Default dialog with Start and Defer buttons.
[xml]$XAML = @"
<Window
    xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
    Title="Workflow deferral" Height="600" Width="600" WindowStartupLocation="CenterScreen" ResizeMode="NoResize" WindowStyle="None">
    <Grid Background="#FFEEEEEE">
        <TextBlock FontSize="24" HorizontalAlignment="center" TextWrapping="Wrap" Text="Hi $($env:text)" VerticalAlignment="Top" Height="80" Width="460" Margin="20,10,0,0"/>
        <TextBlock FontSize="24" HorizontalAlignment="center" TextWrapping="Wrap" Text="There is a pending workflow for your device." VerticalAlignment="Top" Height="80" Width="460" Margin="20,100,0,0"/>
        <TextBlock FontSize="24" HorizontalAlignment="Center" TextWrapping="Wrap" Text="During this time your work might be affected." VerticalAlignment="Top" Height="64" Width="460" Margin="20,180,0,0"/>
        <TextBlock FontSize="24" HorizontalAlignment="Center" TextWrapping="Wrap" Text="You have the option to defer the workflow 3 times. After that, the workflow will be forced to run." VerticalAlignment="Top" Height="100" Width="460" Margin="20,260,0,0"/>
        <Button x:Name="StartButton" Foreground="White" Content="Start the workflow" FontWeight="Bold" HorizontalAlignment="Left" Margin="20,435,0,0" VerticalAlignment="Top" Width="232" Height="49" AutomationProperties.Name="Start" Background="#FF0F912C"/>
        <Button x:Name="StopButton" Foreground="White" Content="Defer the workflow" FontWeight="Bold" HorizontalAlignment="Right" Margin="20,435,20,20" VerticalAlignment="Top" Width="232" Height="49" Background="#FFD60909"/>
    </Grid>
</Window>
"@
$LineCount = (Get-Content "$($DeferralPath)\workflow.txt").count
# Fourth prompt: the three deferrals are used up, so show a dialog without the Defer button.
if($LineCount -eq 4)
{
    [xml]$XAML = @"
<Window
    xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
    Title="Workflow deferral" Height="600" Width="600" WindowStartupLocation="CenterScreen" ResizeMode="NoResize" WindowStyle="None">
    <Grid Background="#FFEEEEEE">
        <TextBlock FontSize="24" HorizontalAlignment="center" TextWrapping="Wrap" Text="Hi $($env:text)" VerticalAlignment="Top" Height="80" Width="460" Margin="20,10,0,0"/>
        <TextBlock FontSize="24" HorizontalAlignment="center" TextWrapping="Wrap" Text="There is a pending workflow for your device." VerticalAlignment="Top" Height="80" Width="460" Margin="20,100,0,0"/>
        <TextBlock FontSize="24" HorizontalAlignment="Center" TextWrapping="Wrap" Text="During this time your work might be affected." VerticalAlignment="Top" Height="64" Width="460" Margin="20,180,0,0"/>
        <TextBlock FontSize="24" HorizontalAlignment="Center" TextWrapping="Wrap" Text="The workflow will be started now!" VerticalAlignment="Top" Height="100" Width="460" Margin="20,260,0,0"/>
        <Button x:Name="StartButton" Foreground="White" Content="Start the workflow" FontWeight="Bold" HorizontalAlignment="Center" Margin="0,435,0,0" VerticalAlignment="Top" Width="232" Height="49" AutomationProperties.Name="Start" Background="#FF0F912C"/>
    </Grid>
</Window>
"@
    Remove-Item -Path "$($DeferralPath)\workflow.txt" -Force
    New-Item -Path $DeferralPath -Name "start.txt" -ItemType File -Force
    New-Item -Path $DeferralPath -Name "installed.txt" -ItemType File -Force
    Start-Sleep -Seconds 5
}
$reader=(New-Object System.Xml.XmlNodeReader $XAML)
$d=[Windows.Markup.XamlReader]::Load( $reader )
# Connect the buttons to their handlers. The forced dialog has no StopButton, so check before wiring it.
$StopButton = $d.FindName("StopButton")
if($StopButton)
{
    $StopButton.add_click({
        $d.Close()
    })
}
$d.FindName("StartButton").add_click({
    if($LineCount)
    {
        # workflow.txt is already gone on the forced run, so ignore a missing file.
        Remove-Item -Path "$($DeferralPath)\workflow.txt" -Force -ErrorAction SilentlyContinue
    }
    # start.txt is the marker file that the check_deferral_status condition looks for.
    New-Item -Path $DeferralPath -Name "start.txt" -ItemType File -Force
    Start-Sleep -Seconds 5
    $d.Close()
})
$d.ShowDialog() | out-null
- Click Next.
- Click Save.
Create Script to Cleanup Deferrals After Application Update
In this exercise, you will create a script that will clean up the files used for the deferral data on the device after the application update has completed.
- In the Workspace ONE UEM console, select Resources. Then, select Scripts.
- Click Add and select Windows from the drop-down menu.
- Enter deferral_cleanup for the script name. Click Next.
- For Language, select Powershell.
- Select System Context for Execution Context & Privileges.
- Set the Execution Architecture to Auto.
- Configure the Timeout to use 60.
- Enter the following into the Code textbox:
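# Remove the start marker that the check_deferral_status condition looks for.
Remove-Item -Path "C:\ProgramData\Airwatch\Deferral\start.txt" -Force
# Leave a marker file recording that the update step has run.
New-Item -Path "C:\ProgramData\Airwatch\Deferral" -Name "installed.txt" -ItemType File -Force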
- Click Next.
- Click Save.
Create a Workflow for Updating 7-Zip on Windows Devices
- In the Workspace ONE UEM console, select Freestyle. Then, select New.
Note: If this is the first time you are using Freestyle Orchestrator, you will click Get Started on the Getting Started with Workflows screen.
- Name the new workflow 7-Zip Application Update.
- Select Windows as the platform.
- Next to Smart Groups, click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All Windows Devices (your@email.shown.here).
- In the workflow UI, click the plus sign (+) and select Condition. Name the condition check_enrollment_status.
- From the Select drop-down menu, choose Sensor. Search for the sensor you created earlier called new_enrolled. Select Equals and enter TRUE. Click Then.
- Click Add. Select Action.
- From the Action drop-down menu, choose Install Application. Search for the application called 7-Zip. Click Select to add the application to the workflow.
- Select the Then operator for the condition you created earlier called check_enrollment_status.
- In the Admin Panel, click Else.
- Click Add. Select Action and then click Script.
- Search for the script you created earlier called create_deferral_screen. Click Select.
- Click Add. Select Condition and name the condition check_deferral_status.
- From the Select drop-down menu, choose File and then File exists. For File Path, select Equals and enter the following file path:
C:\ProgramData\Airwatch\Deferral\start.txt
- Click Then.
- Click Add. Select Action.
- From the Action drop-down menu, choose Install Application. Search for the application called 7-Zip. Click Select to add the application to the workflow.
- Click Add. Select Action and then click Script.
- Search for the script you created earlier called deferral_cleanup. Click Select.
- Click Add and select Proceed to next step.
- With your workflow complete, click Publish.
Exercise #2: Managing Windows Application Installation Dependencies
This exercise will show you how to use a Freestyle Orchestrator workflow to manage application installations when there are required dependencies involved. In some cases, such as plug-ins, a dependency may require that additional applications be available on the device before the plug-in is installed.
The purpose of this exercise is to provide an example of how you can use Freestyle Orchestrator to validate application dependencies prior to installation. Although this example is basic, it shows the potential power of workflows to manage application installations, particularly when dependencies must be validated prior to install.
Note: This exercise assumes that you have already uploaded the Zoom Windows Client and Zoom Plug-in for Outlook installer packages into your Workspace ONE instance.
There is one part to this exercise as outlined here. You will:
- Create a Workflow to Validate Application Dependencies Before Installing the Zoom Plug-in for Outlook.
Prerequisites
Before you can perform the exercises in this tutorial, you must meet the following requirements.
- Uploaded Zoom for Meetings installer package into your Workspace ONE application inventory.
- Uploaded Zoom Plugin for Outlook installer package into your Workspace ONE application inventory.
Create a Workflow to Validate Application Dependencies Before Installing the Zoom Plug-in for Outlook
In this exercise, you will create a workflow that validates that Microsoft Outlook and the Zoom Windows Client are installed on a Windows device, and then installs the Zoom Plug-in for Outlook. If Outlook is installed, but the Zoom Windows Client is not installed, the workflow will install the Zoom Windows Client prior to installing the plug-in.
- In the Workspace ONE UEM console, select Freestyle. Then, select New.
- Name the new workflow Zoom Plug-in for Outlook.
- Select Windows as the platform.
- Next to Smart Groups, click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All Windows Devices (your@email.shown.here).
- In the workflow UI, click the plus sign (+) and select Condition. Name the condition is_outlook_installed.
- From the Select drop-down menu, choose File and then File Exists. Set the File Path field to Equals and enter the file path to the OUTLOOK.EXE file. Click Then.
NOTE: This path could be different depending on where you have installed Microsoft Office. In this example, the default installation path was used.
C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
- Click Add and select Condition.
- Name the new condition is_zoom_installed.
- Click Select and from the dropdown menu, choose Application Exists. For Application Name, select Equals and enter Zoom. Click Then.
- Click Add and select Action and then Install Application.
- From the Action drop-down menu, choose Install Application. Search for the application called Zoom Outlook Plugin. Click Select to add the application to the workflow.
- Select the Then operator for the condition you created earlier called is_zoom_installed.
- In the Admin Panel, click Else.
- Click Add and select Action and then Install Application.
- From the Action drop-down menu, choose Install Application. Search for the application called Zoom Client for Meetings. Click Select to add the application to the workflow.
- Click Add. Select Action, and then Install Application.
- From the Action drop-down menu, choose Install Application. Search for the application called Zoom Outlook Plugin. Click Select to add the application to the workflow.
- With your workflow complete, click Publish.
Example Workflows for macOS
The exercises outlined in this section offer examples of how Freestyle Orchestrator can be used to manage macOS devices. Each exercise includes instructions on creating the required resources for each workflow.
The exercises in this section are:
- Installing and Configuring the Horizon Client
- Installing Software Based on macOS CPU Type
Exercise #1: Installing and Configuring the Horizon Client
This exercise will show you how to use a Freestyle Orchestrator workflow to install the Omnissa Horizon Client if necessary and deploy a device profile that will configure the client. For this workflow, you will be deploying the latest version of the Horizon Client, which is version 8.6.0.0 at the time of writing this document.
The purpose of this exercise is to provide an example of how you can use Freestyle Orchestrator to deploy and configure software to macOS devices. Although this exercise focuses on the Horizon Client, the steps described can be used for other software packages.
There are four parts to this exercise as outlined here. You will:
- Create a native app for the Horizon Client in Workspace ONE UEM.
- Configure a sensor to determine if the Horizon Client is installed on managed macOS devices.
- Create a device profile to configure the Horizon Client.
- Create a workflow that will install the Horizon Client if necessary and apply the previously created profile.
Note: The process described in this section can be accomplished in several ways, including as a single script that negates the need for sensors. However, the process has been broken into separate components in this tutorial to demonstrate the capabilities of Freestyle Orchestrator.
Prerequisites
Before you can perform the exercises in this tutorial, you must meet the following requirements.
- Download the latest version of the Horizon Client from the Omnissa website
- Local macOS account with administrator permissions
Note: This exercise uses sensors to gather specific data from the macOS devices. Due to privacy concerns, sensors will not collect data from employee-owned devices. To complete this exercise, you must use a corporate-owned macOS device.
Add the Horizon Client to Workspace ONE UEM
In this exercise, you will download the Workspace ONE Admin Assistant Tool and prepare the Horizon Client for deployment through Workspace ONE UEM. Then, you will import the Horizon Client application into Workspace ONE UEM.
To get the desired result, perform the following steps:
- On a macOS device, double-click the Google Chrome icon.
- Go to the Workspace ONE Admin Assistant Tool download website.
At the time of this document’s creation, the URL for the website was: https://my.workspaceone.com/products/Workspace-ONE-Admin-Assistant-Tool.
- Select macOS for the platform. Select the latest version listed on the App Version drop-down menu, and select All to filter by console version.
- Click Installs and Upgrades.
- Click the latest version listed.
- Read and accept the End-User License Agreement.
- Launch the downloaded DMG file and double-click the Workspace ONE Admin Assistant package file.
- Accept the default options for installation and install the application on your macOS device.
- When the installation is complete, launch the Workspace ONE Admin Assistant located in your Applications folder.
- Drag and drop the DMG file for the Horizon Client into the Admin Assistant tool. When the tool has finished parsing, click the folder icon next to the listed DMG file.
Note: The folder will contain three files: a PLIST file, a PNG file, and a DMG file.
- In the Workspace ONE UEM console, select Resources. Then, select Apps.
- Select Native, and then click Internal.
- From the Add drop-down menu, select Application File.
- Click Upload and select Choose File. Navigate to the folder that was created by the Workspace ONE Admin Assistant. Choose the DMG file and click Upload.
- Click Save.
- After the upload has completed, click Continue.
- You will upload the Metadata file by clicking Upload and choose the PLIST file from the same folder. Click Save.
- After the upload has completed, click Continue.
- Click Images and then select Click or drag files here to add the PNG file from the same folder as the other files.
- Click Save & Assign.
- Enter All macOS Devices for the Assignment Name.
- Next to Select Smart Groups, click in the search box. From the list of Assignment Groups, select the appropriate group. For example, select All macOS Devices (your@email.shown.here).
- Click Create. Then click Save.
Create a Sensor to Detect if the Horizon Client is Installed
In this exercise, you will create a sensor that will detect if the Horizon Client is installed on a macOS device.
- In the Workspace ONE UEM console, select Resources. Then, select Sensors.
- Click Add and select macOS from the drop-down menu.
- Enter is_horizon_installed for the sensor name. Click Next.
- For Language, select Bash.
- Select System for Execution Context.
- Enter the following into the Code textbox:
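#!/bin/bash
# Ask Spotlight for the Horizon Client bundle inside the Applications folder.
IS_HORIZON_INSTALLED=$(mdfind "kMDItemFSName == 'Omnissa Horizon Client.app'" -onlyin /Volumes/Macintosh\ HD/Applications)
# Report TRUE only when the bundle is found at the expected path.
if [ "$IS_HORIZON_INSTALLED" = "/Applications/Omnissa Horizon Client.app" ]; then
    echo "TRUE"
else
    echo "FALSE"
fi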
- Click Next.
- Click Save & Assign.
- Click New Assignment.
- Enter All macOS Devices for the Assignment Name.
- Next to Select Smart Groups, click in the search box. From the list of Assignment Groups, select the appropriate group. For example, select All macOS Devices (your@email.shown.here). Click Next.
- Select Login from the list of triggers. Then, click Save.
- Click Close.
Create a Sensor to Detect the Version of Horizon Client Installed
In this exercise, you will create a sensor that will detect the version of the Horizon Client installed on a macOS device.
- In the Workspace ONE UEM console, select Resources. Then, select Sensors.
- Click Add and select macOS from the drop-down menu.
- Enter horizon_client_version for the sensor name. Click Next.
- For Language, select Bash.
- Select System for Execution Context.
- Enter the following into the Code textbox:
#!/bin/bash
# Print the client's version string, or 0 when the app bundle is not present.
if [ -f "/Applications/Omnissa Horizon Client.app/Contents/Info.plist" ]; then
    /usr/bin/defaults read /Applications/Omnissa\ Horizon\ Client.app/Contents/Info.plist CFBundleShortVersionString
else
    echo "0"
fi
- Click Next.
- Click Save & Assign.
- Click New Assignment.
- Enter All macOS Devices for the Assignment Name.
- Next to Select Smart Groups, click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All macOS Devices (your@email.shown.here). Click Next.
- Select Login from the list of triggers. Then, click Save.
- Click Close.
Create a Device Profile to Configure the Horizon Client
In this exercise, you will create a macOS device profile with a custom settings payload to configure the Horizon Client with specific settings.
Note: The XML included in this exercise uses example Omnissa Test Drive Horizon Connection Servers. If you wish to use your own Horizon Connection Servers, you will need to modify the XML prior to creating the device profile.
To get the desired result, perform the following steps:
- In the Workspace ONE UEM console, select Resources. Then select Profiles & Baselines.
- Select Profiles.
- From the Add drop-down menu, select Add Profile.
- Select Profile Platform by selecting macOS.
- For the Context, select Device Profile.
- Enter macOS Horizon Client Configs for the profile name.
- Scroll down the list of payloads until you find Custom Settings. Click Add.
- In the Custom Settings textbox, paste the following XML:
<dict>
    <key>PayloadUUID</key>
    <string>35E4D9F0-6C02-4B54-B60D-5E8E9D799419</string>
    <key>PayloadType</key>
    <string>com.apple.ManagedClient.preferences</string>
    <key>PayloadOrganization</key>
    <string>Workspace ONE</string>
    <key>PayloadIdentifier</key>
    <string>com.omnissa.horizon.35E4D9F0-6C02-4B54-B60D-5E8E9D799419</string>
    <key>PayloadDisplayName</key>
    <string>Omnissa Horizon Settings</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadContent</key>
    <dict>
        <key>com.omnissa.horizon</key>
        <dict>
            <key>Forced</key>
            <array>
                <dict>
                    <key>mcx_preference_settings</key>
                    <dict>
                        <key>defaultBroker</key>
                        <string>https://horizon.td.omnissa.com:443/broker/xml</string>
                        <key>promptedUSBPrintingServicesInstall</key>
                        <true/>
                        <key>broker-history</key>
                        <array>
                            <string>https://horizon.td.omnissa.com:443/broker/xml</string>
                        </array>
                        <key>trustedServers</key>
                        <array>
                            <string>https://horizon.td.omnissa.com:443/broker/xml</string>
                        </array>
                        <key>kAutoCheckForUpdates</key>
                        <false/>
                        <key>kAutoDownloadForUpdates</key>
                        <false/>
                        <key>kAllowDataSharing</key>
                        <false/>
                        <key>kAllowRemovableStorage</key>
                        <false/>
                    </dict>
                </dict>
            </array>
        </dict>
    </dict>
    <key>PayloadDescription</key>
    <string>Created by WS1 mobileConfig Importer</string>
</dict>
- Click Next.
- For this exercise, you will not assign this device profile to any Assignment Groups. Click Save & Publish.
You should now see your macOS Horizon Client Configs Device Profile within the list of the Profiles window.
Note: If you need to edit the profile, this is where you would do so.
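If you replace the Test Drive servers in the Custom Settings XML with your own, a quick check before pasting catches malformed XML, a non-HTTPS URL, or a leftover or mistyped host. The following is an added example, not part of the original tutorial or the product; the function names, the expected-host list, and the sample payload (a trimmed copy with one deliberately weak entry) are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample: trimmed copy of the tutorial payload, with one plain-http
# entry for a made-up host added to trustedServers to show what gets flagged.
SAMPLE_PAYLOAD = """<dict>
  <key>PayloadType</key>
  <string>com.apple.ManagedClient.preferences</string>
  <key>PayloadContent</key>
  <dict>
    <key>com.omnissa.horizon</key>
    <dict>
      <key>Forced</key>
      <array>
        <dict>
          <key>mcx_preference_settings</key>
          <dict>
            <key>defaultBroker</key>
            <string>https://horizon.td.omnissa.com:443/broker/xml</string>
            <key>trustedServers</key>
            <array>
              <string>https://horizon.td.omnissa.com:443/broker/xml</string>
              <string>http://horizon-lab.example.test/broker/xml</string>
            </array>
            <key>kAllowDataSharing</key>
            <false/>
          </dict>
        </dict>
      </array>
    </dict>
  </dict>
</dict>"""

# Preference keys in the tutorial payload that carry server URLs.
URL_KEYS = ("defaultBroker", "broker-history", "trustedServers")


def load_fragment(fragment):
    """Parse a bare <dict> fragment by wrapping it in a plist root element."""
    wrapped = ('<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">'
               + fragment + "</plist>")
    payload = plistlib.loads(wrapped.encode("utf-8"))  # raises on malformed XML
    if not isinstance(payload, dict):
        raise ValueError("payload root must be a <dict>")
    return payload


def server_urls(payload):
    """Yield (preference key, URL) for every server URL in the Forced settings."""
    for body in payload.get("PayloadContent", {}).values():
        for entry in body.get("Forced", []):
            settings = entry.get("mcx_preference_settings", {})
            for key in URL_KEYS:
                value = settings.get(key, [])
                for url in ([value] if isinstance(value, str) else value):
                    yield key, url


def lint_payload(fragment, expected_hosts):
    """Return a list of (key, value, reason) findings; empty means clean."""
    findings = []
    payload = load_fragment(fragment)
    if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
        findings.append(("PayloadType", str(payload.get("PayloadType")),
                         "unexpected payload type"))
    for key, url in server_urls(payload):
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append((key, url, "not https"))
        if parts.hostname not in expected_hosts:
            findings.append((key, url, "host not in expected list"))
    return findings


if __name__ == "__main__":
    for finding in lint_payload(SAMPLE_PAYLOAD, {"horizon.td.omnissa.com"}):
        print(finding)
```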
Create a Workflow for Installing and Configuring the Horizon Client
- In the Workspace ONE UEM console, select Freestyle. Then, select New.
Note: If this is the first time you are using Freestyle Orchestrator, you will click Get Started on the Getting Started with Workflows screen.
- Name the new workflow macOS Horizon Client Install.
- Select macOS as the platform.
- Next to Smart Groups, click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All macOS Devices (your@email.shown.here).
- In the workflow UI, click the plus sign (+) and select Condition. Name the condition check_for_horizon.
- From the Select drop-down menu, choose Sensor. Search for the sensor you created earlier called is_horizon_installed. Select Equals and enter TRUE. Click Then.
- Click Add. Select Condition. Name the condition check_horizon_version.
- From the Select drop-down menu, choose Sensor. Search for the sensor you created earlier called horizon_client_version. Select Does Not Include and enter 8.6. Click Then.
- Click Add. Select Resource and then click Application.
- Search for the application you created earlier called Omnissa Horizon Client. Click Select.
- In the workflow UI, click the plus sign (+) and select Resource and then click Profile.
- Search for the profile you created earlier called macOS Horizon Client Configs. Click Select.
- Select the Then operator for the condition you created earlier called check_for_horizon.
- In the Admin Panel, click Else.
- Click Add. Select Resource and then click Application.
- Search for the application you created earlier called Omnissa Horizon Client. Click Select.
- Select the Then operator for the condition you created earlier called check_horizon_version. Click Else.
- Click Add and select Proceed to next step.
- With your workflow complete, click Publish.
- To verify the results of this exercise, log in to a managed macOS device and check the Applications folder to see if the Horizon Client has been installed. Launch the Horizon Client. The server name will be populated with https://horizon.td.omnissa.com.
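The check_horizon_version condition above tests whether the sensor value contains the text 8.6. The following added example (not part of the original tutorial) compares that test with a numeric version comparison over constructed sensor values; it assumes Does Not Include is a plain substring test, and the function names are hypothetical.

```python
# Constructed sensor outputs. "0" is what the horizon_client_version sensor
# prints when the Info.plist is missing.
SAMPLE_SENSOR_VALUES = ["0", "8.5.2", "8.6.0", "8.7.0", "8.16.0", "7.8.6"]


def substring_selects(sensor_value, needle="8.6"):
    """Assumed 'Does Not Include' semantics: true when the text is absent."""
    return needle not in sensor_value


def parse_version(text):
    """Return a tuple of ints, or None when the value is not dotted-numeric."""
    pieces = text.strip().split(".")
    if not all(piece.isdigit() for piece in pieces):
        return None
    return tuple(int(piece) for piece in pieces)


def older_than(sensor_value, target="8.6"):
    """True when the installed version is numerically below the target."""
    wanted = parse_version(target)
    if wanted is None:
        raise ValueError("target must be a dotted-numeric version")
    installed = parse_version(sensor_value)
    if installed is None:
        return True  # unreadable value: treat the device as needing the install
    # Pad the shorter tuple with zeros so 8.6 and 8.6.0 compare as equal.
    width = max(len(installed), len(wanted))
    pad = lambda version: version + (0,) * (width - len(version))
    return pad(installed) < pad(wanted)


def disagreements(values, target="8.6"):
    """Sensor values on which the substring test and numeric test differ."""
    return [value for value in values
            if substring_selects(value, target) != older_than(value, target)]


if __name__ == "__main__":
    for value in SAMPLE_SENSOR_VALUES:
        print(f"{value:>7}  substring selects install: "
              f"{substring_selects(value)!s:5}  numerically older: "
              f"{older_than(value)}")
    print("differ on:", disagreements(SAMPLE_SENSOR_VALUES))
```

The two tests differ on values newer than the target and on values that merely contain the same digits. Having the sensor print the comparison result itself keeps the workflow condition an Equals test, as with is_horizon_installed.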
Exercise #2: Installing Software Based on macOS CPU Type
This exercise will show you how to use a Freestyle Orchestrator workflow to deploy software to a macOS device based on the type of CPU in the device. In this example, you will use Microsoft’s .NET SDK, which comes with separate installers for Intel and Apple silicon devices. You will create a sensor to detect the type of CPU in a macOS device and use the appropriate installer to deploy the .NET SDK to the device.
There are three parts to this exercise; you will:
- Create two native apps for the Microsoft .NET SDK, one using the Intel installer and one with the Apple silicon installer.
- Configure a sensor to determine the CPU type on a macOS device.
- Create a workflow that will check the CPU type on a macOS device and use the appropriate installer to deploy the .NET SDK.
Prerequisites
Before you can perform the exercises in this tutorial, you must meet the following requirements.
- One macOS device using an Apple silicon processor with Intelligent Hub version 22.07 or later installed
- One macOS device using an Intel processor with Intelligent Hub version 22.07 or later installed (optional if you wish to test both processor platforms)
- Local macOS account with administrator permissions
Add the .NET SDK to Workspace ONE UEM
In this exercise, you will utilize the Workspace ONE Admin Assistant Tool that you downloaded earlier. If you did not download the Workspace ONE Admin Assistant Tool, please review steps 1 through 10 in the section of this document entitled, Add the Horizon Client to Workspace ONE UEM.
To get the desired result, perform the following steps:
- On a macOS device, double-click the Google Chrome icon.
- Go to the Microsoft .NET website. At the time that this tutorial was created, the downloads were available at: https://dotnet.microsoft.com/en-us/download.
- Download the .NET SDK package for x64 processors and the package for Arm64 processors.
- Launch the Workspace ONE Admin Assistant Tool. Drag and drop the x64 PKG file for the .NET SDK into the Admin Assistant tool. When the tool has finished parsing, click the folder icon next to the listed PKG file.
- Append _x64 to the folder name. Right-click the PLIST file and select Open With and click TextEdit.
- Search the XML for the line that contains the following:
<string>dotnet-sdk</string>
- Append -x64 so that the line reads:
<string>dotnet-sdk-x64</string>
- Save the file.
- Drag and drop the arm64 PKG file for the .NET SDK into the Admin Assistant tool. When the tool has finished parsing, click the folder icon next to the listed PKG file.
- Append _arm64 to the folder name. Right-click the PLIST file and select Open With and click TextEdit.
- Search the XML for the line that contains the following:
<string>dotnet-sdk</string>
- Append -arm64 so that the line reads:
<string>dotnet-sdk-arm64</string>
- Save the file.
- In the Workspace ONE UEM console, select Resources. Then select Apps.
- Select Native, and then click Internal.
- From the Add drop-down menu, select Application File.
- Click Upload and select Choose File. Navigate to the folder that was created by the Workspace ONE Admin Assistant. Choose the x64 PKG file and click Upload.
- Click Save.
- After the upload has completed, click Continue.
- You will upload the Metadata file by clicking Upload and choose the PLIST file from the same folder. Click Upload. Then click Save.
- After the upload has completed, click Continue.
- Click Save & Assign.
- Enter All macOS Devices for the Assignment Name.
- Next to Select Smart Groups, click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All macOS Devices (your@email.shown.here).
- Click the button to disable Display in App Catalog.
- Click Create. Then click Save.
- Click Publish.
- In the Workspace ONE UEM console, select Resources. Then select Apps.
- Select Native, and then click Internal.
- From the Add drop-down menu, select Application File.
- Click Upload and select Choose File. Navigate to the folder that was created by the Workspace ONE Admin Assistant. Choose the arm64 PKG file and click Upload.
- Click Save.
- After the upload has completed, click Continue.
- You will upload the Metadata file by clicking Upload and choose the PLIST file from the same folder. Click Save.
- After the upload has completed, click Continue.
- Click Save & Assign.
- Enter All macOS Devices for the Assignment Name.
- Next to Select Smart Groups, click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All macOS Devices (your@email.shown.here).
- Click the button to disable Display in App Catalog.
- Click Create. Then click Save.
- Click Publish.
- You will see both apps in the List View for Internal apps.
Create Sensor to Detect CPU Type of macOS Devices
In this exercise, you will create a sensor that will detect the CPU type of a macOS device.
- In the Workspace ONE UEM console, select Resources. Then select Sensors.
- Click Add and select macOS from the drop-down menu.
- Enter macos_cpu_arch for the sensor name. Click Next.
- For Language, select Bash.
- Select System for Execution Context.
- Enter the following into the Code textbox:
#!/bin/zsh
# Print the machine hardware name, for example arm64 on Apple silicon.
PROC=$(/usr/bin/uname -m)
echo "$PROC"
- Click Next.
- Click Save & Assign.
- Click New Assignment.
- Enter All macOS Devices for the Assignment Name.
- Next to Select Smart Groups, click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All macOS Devices (your@email.shown.here).
- Click Next.
- Select Login from the list of triggers. Then, click Save.
- Click Close.
Create a Workflow to Deploy the .NET SDK
- In the Workspace ONE UEM console, select Freestyle. Then select New.
- Name the new workflow macOS .NET SDK.
- Select macOS as the platform.
- Next to Smart Groups, click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All macOS Devices (your@email.shown.here).
- In the workflow UI, click the plus sign (+) and select Condition. Name the Condition cpu_type.
- From the Select drop-down menu, choose Sensor. Search for the sensor you created earlier called macos_cpu_arch. Select Equals and enter arm64. Click Then.
- Click Add. Select Resource and then click Application.
- Search for dotnet-sdk-arm64. Click Select.
- Select the Then operator for the condition you created earlier called cpu_type. Click Else.
- Click Add. Select Resource and then click Application.
- Search for dotnet-sdk-x64. Click Select.
- With your workflow complete, click Publish.
- You can verify the results of the exercise by logging into your macOS device. This will trigger the sensor to collect the latest CPU architecture from the device.
- In the Workspace ONE UEM console, click Devices.
- Select List View and click the macOS device you used for this exercise.
- Click Sensors. Search for the sensor you created earlier called macos_cpu_arch. Confirm the CPU architecture for the device.
- Click Apps. Confirm that the correct version of the .NET SDK is installed.
Troubleshooting the Freestyle Workflow
Administrators can troubleshoot the workflow using the Workspace ONE UEM console, server, and device logs. It is recommended to start with the Workspace ONE UEM console, as this will define the next steps in the troubleshooting process.
In addition to the Monitoring page, administrators can navigate to Devices > List View > Troubleshooting to obtain additional logs related to the workflow execution and resources. They can also filter and search for logs only related to workflows.
Server-Side Troubleshooting
After the workflow is published, check the following to troubleshoot on the server.
- Device Workflow Sync: These details are generated after the workflow is published and the device syncs within 4 hours to receive Workflows.
- Server-side log entries are generated in the DevicesGateway.log and AW_MDM_API.log.
- Report Status: Immediately reports status as in-progress.
- Server-side log entries are generated in the InterrogatorQueueService.log.
- Workflow Execution: When the Workflow execution is finalized, it reports as Completed, Failed, Blocked, or Completed with exceptions state.
- Report Status: Final status report based on sample interval.
Device-Side Troubleshooting
The workflow engine execution generates new logs (DSM.log, Workflow.log) on the device which are located under:
- Windows: C:\ProgramData\Airwatch\UnifiedAgent\Logs
- macOS: /Library/Logs/Workflow
For additional details on the workflow execution and real-time information check the following:
For Windows:
- If the workflow is not getting pulled by the device, administrators can refer to the workflow.log, DSM.log, and TaskScheduler.log to find out if there is any issue with respect to sync.
- If the workflow is blocked because the "App Deployment Agent" is not present on the device, verify that the AirWatchMDM registry key is available under the path HKEY_LOCAL_MACHINE\SOFTWARE\AirWatchMDM.
- If a particular app installation step fails and causes the workflow to fail, refer to the DSM.log for issues with queuing of the app install and the workflow.log for the exact step failure reason.
- If a condition step is failing, check the DSM.log for issues while querying the device state and the workflow.log for the exact failure reason.
- Blocked workflows are re-triggered every 4 hours, from the blocked step. Currently, the workflow status will be blocked only when Software Distribution (SFD) is not present on the device.
- Failed workflows are re-triggered every 24 hours, from the failed step. The workflow sample is reported according to the agent data sample schedule configured on the console. (Data Sample Interval is configured under Settings > Windows > Windows Desktop > Intelligent Hub Settings. The default data sample interval configured is 6 hours).
- If the workflow step to install OMADM-targeted profiles is in progress, check the profile status on the server and check the profile-uuid entry in the registry Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Provisioning\NodeCache\CSP. Also, verify in the TaskScheduler.log that the Profile Status Monitor is running.
- For a failed Profile installation, check the workflow.log.
For macOS:
- Every time the workflow engine Host (WFE) starts/restarts, it waits for the Agent to send a setup message. WFE proceeds with pulling workflow mutations from the server only after receiving this message. You can investigate the Agent logs using the console to check if the agent sent the setup message to WFE.
- If the workflow is not getting pulled by the device, administrators can refer to the workflow.log to find out if there are any sync issues. This log file is created under /Library/Logs/Workflow/Workflows.log.
- If a particular app installation step fails and causes the workflow to fail, refer to the workflow engine host logs and Agent logs for issues with queuing of the app install and the workflow log for the exact step failure reason.
- Blocked workflows are re-triggered every 4 hours, from the blocked step.
- Failed workflows are re-triggered every 24 hours, from the failed step.
- Blocked/Failed workflows are re-triggered on manual agent sync and on querying workflows from the console.
- Workflow status is reported when the workflow execution begins on the device and workflow reaches a terminal state (Failed/Blocked/Completed).
- For a failed Profile installation, check the workflow logs.
- When communicating with the Device Gateway service, if the HMAC token has expired, WFE requests the Agent to send the new HMAC token. Hub sends the new HMAC token within the Setup message.
- WFE tries to update itself every 24 hours. It checks with the device gateway endpoint to see if a greater version is available and then upgrades itself.
Summary and Additional Resources
This tutorial provided an overview of Freestyle Orchestrator, as well as some examples of workflows you can create for Windows and macOS devices. The exercises included in this tutorial were meant to emulate simple operations to give you a basic understanding of what is possible with Freestyle Orchestrator.
Topics Discussed included:
- An overview of Freestyle Orchestrator.
- A discussion on the components of a workflow.
- An overview of the process for creating a workflow.
- Example workflows for Windows and macOS devices.
Additional Resources
For additional information on Freestyle Orchestrator, visit the Automation tab on the Workspace ONE UEM page on Tech Zone.
Additionally, you can check out the Omnissa Freestyle Orchestrator documentation at Omnissa docs.
Changelog
The following updates were made to this guide:
Date | Description of Changes |
10/17/2024 | Guide was published. |
About the Author and Contributors
- Andreano Lanusse, Staff Architect, Technical Marketing, Omnissa.
- Michael Bradley, Senior Technical Marketing Architect, Omnissa.
Considerable contributions were made by the following subject matter experts:
- Matthew Zaske, Solution Engineer, UEM – macOS/iOS, Omnissa.
- Paul Evans, Omnissa Alumni.
Feedback
Your feedback is valuable.
To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com.