While we are moving to cloud native modern management to enable remote work, there is still need to get Windows devices to join enterprise local domain remotely.
WSO UEM has made this easier by introducing offline domain join. Now we can get a device to join a local domain during staging provisioning. The device will be first prepared by a staging user. Once the staging is done, the device is domain joined even without line-of-sight to domain controller.
After the final user login with his AD account credential, the whole registration process is done. A device is domain joined and is owned by a user. Please note that line-of-sight to domain is required to allow user to connect to domain.
Now enterprises can enjoy both modern management benefits such as OS update and application management on the cloud and also keep their remote devices connected to enterprise domain.
So how do we get a device domain joint without line-of-sight to a domain controller? For example, a device is unpackaged in remote office or in user’s home office.
WSO uses ACC to get the job done. It is a very natural as ACC is already connected to an AD for account synchronization and user authentication. Offline domain join is another added account management feature to ACC.
There are things we need to change on both ACC and AD to have offline domain join enabled.
Here is the official document to enable offline domain join:
There are another good video you can refer to:
The above video walkthroughs the whole process all the way from AD and ACC configurations to offline domain join assignment on UEM console to finally get a Windows10 device provisioned and enrolled with domain join.
No line-of-site to domain controller is required until the end user login to domain through per-app VPN tunnel.
The video also explains clearly how WSO UEM gets offline domain join working.
@1:50 in the video, you will see AD and ACC configuration for offline domain join.
@5:30 is the domain join assignment screen.
@6:00 Command line was used to enroll a device. So this is an alternative of using HUB GUI. The second highlight is that the provisioning tool was used in the video to track the device enrollment and domain join progress. No PPKG nor unattended xml were processed in this case.
Device was rebooted. When the device was on again, it was domain joint and awaiting for user to login.
Device must be connected to enterprise network to allow user to login to domain. The device owner was switched from staging user to the final user and the enrollment process was completed successfully.
@7:30 You can check if domain join is completed as expected by examining the device windows registry.
So what if we want it done totally without a line-of-site to domain controller? For example, device was staged, shipped to user‘s home and user log in from home office.
The answer is to use WSO tunnel per-app-VPN. There is yet another demo video you can watch and follow: https://youtu.be/KC8YuSlP_3c
This video shows you how to setup UAG as well as device traffic rules to enable domain connectivity via per-app VPN.
Tunnel deployment https://techzone.vmware.com/deploying-vmware-workspace-one-tunnel-workspace-one-operational-tutorial
VPN tunnel must be available for user login. There is a custom setting to get VPN kicked start for login screen.
Here are the applications need to connect to domain controller.
1. We need Explorer to access resources like mapped network drives.
2. lsass is for domain logon.
3. System is required to access shared network resources.
4. To keep GPOs continue to work, SVCHost is also listed.
We also need to specify the enterprise network domain to trusted network. With this setting, when a device is on enterprise network, domain traffic will go direct. You can use ”ipconfig“ to identify the enterprise network name and use it in to populate trusted network field.
You can check the registry to examine the VPN and domain join configurstions
VPN registry
Domain join registry
In case you need to look at VPN client log for troubleshooting.
So what about doing offline domain join using drop ship PPKG? UEM does not support offline domain join natively. It only supports online domain join out of the box.
To get around this, we can make it happens by using workgroup with a twist.
We need to modify the attended XML generated by UEM to run a powershell script to help us to get a device domain joined. The powershell is distributed as an application in a zip format.
Here is the download link of the application
Here is the step by step guide
And this is the demo video of the above step by step guide: https://youtu.be/HZVZVRiyzGwIt
You will find the video a very great complement to the step by step guide. I highly recommend you go through the blog as well as the video to fully understand the workflow.
Please note that the author assumed the offline domain join assignment is in place. Again, you can assign the domain join to a staging user or an assignment group.
Comments