WS1 UEM Samples
Code Samples¶
This is an index of Code Samples within the UEM-Samples area.
Workspace ONE Scripts samples can be found here with Workspace ONE Sensors samples found here.
Workspace ONE UEM Samples¶
| Sample Name | Summary | Link |
|---|---|---|
| Adobe Products | When deploying Adobe Creative Cloud (CC) products with Workspace ONE UEM, admins should strongly consider using the integrated munki functionality built into "Internal Apps." By using Internal Apps, admins gain the benefit of code which already understands the unique nature of the Creative Cloud app packages and handles them appropriately. That said, as a macOS administrator, there is still some manual work which must be done to deliver these Adobe CC packages successfully. | Link |
| AppBlocker_WS1 | The included .pkg and .plist files can be uploaded directly to the Workspace ONE Adminsitrator Console, and pre-install and post-uninstall scripts can be configured to easily specify which applications (identified by their Bundle IDs) should not be launched. If a specified application is launched, the user will receive an alert and the application process will be killed. | Link |
| Arctic Wolf Agent | Deploying Arctic Wolf Agent for macOS with Workspace ONE UEM | Link |
| Example-DEPNotify | Link | |
| Example-Santa_BlockChess | Link | |
| Example-SetWallpaper | Link | |
| WS1-DEPNotify-Standard | Link | |
| Bootstrap Package | The Bootstrap Package feature gives admins the ability to have their installer pkgs deployed to devices immediately after enrollment has completed. | Link |
| Carbon-Black-Defense | Install the Carbon Black Defense agent via unattended installation using Workspace ONE UEM. | Link |
| CreateHubLogs | Deploy this pkg to a device through WS1 UEM in order to gather and send relevant WS1 Hub and MDM logs to the WS1 UEM Admin Console. The logs will be stored in the Content section of the Admin Console, stored under a category named macOS Logs and under an Organization Group that you specify. This pkg leverages preinstall and postinstall scripts in order to encrypt API credentials and pass them to the device without saving them locally in plaintext. | Link |
| CrowdStrike Falcon | Deploying CrowdStrike Falcon Agent for macOS with Workspace ONE UEM | Link |
| Forescout | Deploying Forescout SecureConnector for macOS with Workspace ONE UEM | Link |
| Google Chrome | Manage Google Chrome Settings as Supported by Google via Workspace ONE: | Link |
| Legacy App Catalog Webclip For All Docks | The App Catalog webclip is comprised of just a specific url for the device to retrieve the list of available applications. This package dynamically creates this url, and the webclip (.webloc file) and saves it to /Users/Shared/VMware with permissions readable by all users. It also places a global LaunchAgent to load on every user's next login, to run another script to place the webclip on the user's dock. Once the webclip is added to the dock, a runonce file is created at ~/.appcatalog_runonce to prevent the script from running again and creating duplicate webclips on the dock. |
Link |
| Microsoft Edge | Manage Microsoft Edge Preferences/Settings via Workspace ONE: | Link |
| Microsoft Office 2016 Product Install Script | A script that downloads Microsoft Office 2016 for Mac installers from the Microsoft Office CDN and performs installation of each installer. The script is a modified version of another publicly available script as attributed in the script source. Cross-posted from the original sample posted to code.vmware.com. | Link |
| Microsoft Office for Mac | Microsoft Office for Mac can be distributed in one of two ways: App Store and non-Store (via Office.com downloads). In general, VMware recommends deploying Microsoft Office from the Mac App Store (via device-based licensing through Apple Business Manager) unless any of the following apply: | Link |
| Microsoft-Defender-ATP | If you want to distribute Microsoft Defender ATP for macOS via WorkspaceOne in an enterprise environment you need 2 plist at the end which you distribute via the custom settings in WS1 and which are located in the /Libray/Managed Preferences/. On the one hand you need the onboarding info, which contains the license for Defender ATP, on the other hand you need the configuration settings. In addition you have to define the system extension policy, kernel extension policy and the privacy preferences. | Link |
| Mozilla Firefox | Firefox for Enterprise allows administrators to manage certain settings within the browser. It also provides the flexibility for admins to better control the browser release cadence within their organization by adopting either the rapid release or the extended support release. One item to note is that policy availability does differ between the two releases. Policies for macOS are now deployed via a mobileconfig file (or via profile payloads in your MDM). Be mindful of which policies you wish to deploy, as some are only available for the Extended Support Release (ESR) version of Firefox. | Link |
| Nessus Agent | Deploying Nessus Agent for macOS with Workspace ONE UEM | Link |
| Netskope | Deploying Netskope Client for macOS with Workspace ONE UEM | Link |
| Pulse Secure | Deploying Pulse Secure for macOS with Workspace ONE UEM | Link |
| SentinelOne | Install the SentinelOne agent via unattended installation using Workspace ONE UEM. | Link |
| SetScreenSaver | More granular configuration of screen saver settings can be done on macOS through scripting. This script can be setup as a login script, which will reapply every time the end user logs into their device. Alternatively, if you are looking to deploy one or more images to the device to configure as the screen saver, you can create a PKG file that will deploy the files and apply the configuration all in one go. | Link |
| Torii Browser Extension | Deploy the Torii Extension for various browsers on macOS. | Link |
| Xcode | Script to Configure/Setup xCode for Initial Run without needing Admin Credentials. Stores Local User as a Variable. | Link |
| ChangeUser | DEP/ABM provides a mechanism for automatically creating a local macOS user account, based on enrollment user. However, no such mechanism exists for enrollment taking place outside of DEP/ABM. ChangeUser is a collection of scripts used for automatically renaming the local macOS user account, when DEP/ABM enrollment is not possible. | Link |
| Creating_Lookup_Values_through_Custom_Attributes | When deploying any type of macOS script (ie: preinstall, postinstall, or a standalone script) through Workspace ONE, there may be situations where you need to programmatically reference user- or device-specific informations within the script itself. Custom Attributes can be created to define this information in a way that can be looked up on each device within the script itself. | Link |
| Kernel Extensions Custom Attributes | This shell script (kext-ca.sh) generates an array of 3rd-party loaded Kernel Extensions and writes each kernel extension ID as a Custom Attribute in the local macOS CustomAttributes plist. This information is posted by the agent back to the AirWatch console. Admins can then view the list of custom attributes at Devices > Staging & Provisioning > Custom Attributes > List View. Additionally, admins can filter for the kernel extensions ("com.") and export the list for use in populating the Kernel Extensions payload. | Link |
| McAfee | These custom attributes can be used to retrieve information from clients running McAfee Endpoint Security/Protection. | Link |
| Application-Update-with-a-deferral-screen | This is a sample workflow to target application updates to enrolled devices with a deferral screen. This also includes a sensor to target newly enrolled devices and a script to Create Deferral screen. Import this file on UEM Freestyle List view and allow scripts & sensors while importing. | Link |
| testing | Link | |
| product_app_deployment_automation | The tool provides an example of how the product deployment APIs of Workspace ONE UEM can be used for Android app deployment. | Link |
| Apple Enterprise Connect | Link | |
| Block macOS Major Update | Link | |
| CIS Benchmarks | Link | |
| Microsoft Office 2016 | Link | |
| macOS | This section of the EUC-samples repository contains samples relating to profile snippets which can be used in the "Custom Settings" or "Custom XML" payload in Workspace ONE UEM for macOS management. Custom XML samples are typically used to manage key-value pairs in macOS preference domains. For more information on Custom XML, refer to Custom XML Preferences - VMware EUC Blog and the Custom XML Template. | |
| x | Link | |
| AirWatch Service Lockdown | Prevent end users from changing the AirWatch service properties on their devices with a Windows Desktop Custom Settings Profile. For devices that already have local changes, the profile resets the device to the default values and locks those settings from further changes. | Link |
| Chrome ADMX | ADMX-backed policies were introduced starting in Windows 10 version 1703, however you should stick to the latest version in order to have support for all of the policies. Microsoft allowed ADMX-backed policies to be deployed using CSPs, this sample will show you how to deploy the Chrome ADMX template (easily be modified to support any other ADMX template). As well as push out ADMX-backed Chrome policies to the device once the ADMX template is installed. Please reference the resources below to figure out what value (format) needs to go inside of the data tag. This varies depending on the element type such as: text, List, Enum, MultiText, No Elements, etc. | Link |
| Clean PC | The CleanPC CSP is used to remove usr-installed and pre-installed apps, with the ability to either retain user data or completely remove user data. This CSP was added in Windows 10 1703. | Link |
| Firewall Examples | This folder has a sample configurations that will apply a firewall profile or custom firewall rules for an application or service on a Windows 10 Desktop for versions 1709 and above. | Link |
| Internet Explorer | This is a sample of some of the Internet Explorer CSPs which you can deploy to your devices. To deploy this sample, navigate to Devices & User > Profile > Add > Windows > Desktop > Device > Custom Settings, then copy and paste the SyncML into the box and publish the profile. | Link |
| Kiosk Mode | The AssignedAccess CSP is used to enable single app kiosk mode on Windows 10 devices for Universal Windows Platform (UWP) apps. For Win32 apps you can use Shell Launcher; more information can be found in the Additional Resources section below. | Link |
| MDM over GPO | This policy allows IT admins to control which policy will be used when both MDM policy and the equivalent Group Policy are set on the device. | Link |
| Microsoft Office | The Office CSP is used to install the Office on a device via the Office Deployment Tool. This CSP was added in Windows 10 1703. | Link |
| Network Proxy | This folder has a sample configuration that will apply a machine wide network proxy on a Windows 10 Desktop for versions 1703 (Creators update) and above using an Auto-config PAC Script URL. | Link |
| Power | The Power CSP and other ADMX-backed policies were introduced starting in Windows 10 version 1709, however you should stick to the latest version in order to have support for all of the policies. Microsoft allowed ADMX-backed policies to be deployed using CSPs and have added built-in support for Internet Explorer. | Link |
| Start Menu Layout | The StartLayout CSP is used to customized the Start Menu Layout of a device for a uniform look and feel for all of your corporate devices. Once customized users cannot modify the Start Menu. | Link |
| Surface Hub | This folder has mutiple configurations that can be applied to SurfaceHubs that will help manage them through OMA-DM via AirWatch. | Link |
| Telemetry | The Telemetry CSP is used to set the level of telemetry data sent. | Link |
| Unified Write Filter | The Unified Write Filter feature is a powerful feature on Windows which is designed to protect the drives on a system by reducing the number of write cycles that the drive goes through during use. | Link |
| Windows Update for Business | These sample configuration files are to be used together, deploying one Quality Update (QU) Ring profile, one Feature Update (FU) Ring profile and one Delivery Optimization profile. | Link |
| Scripts | Link | |
| Sensors | Link | |
| App Upload | This script is a basic example of using uploadchunk apis to upload larger apps to the Workspace ONE UEM console. | Link |
| Bulk Device Commands | This Powershell script allows you to issue commands to groups of devices in bulk that are available via API but not currently in the console. Commands such as Device Lock or Enterprise Reset can be issued against a targeted group of devices to speed up Admin tasks. | Link |
| Create Smart Group | This script can be used to create a smart group from a CSV file in Workspace ONE UEM. There is one way the script is designed to be executed, and that is by directly calling the script and entering environment and smart group details when prompted. | Link |
| Device Details | Sample script for VMware Workspace ONE UEM REST API | Link |
| Device Query | This script is useful for initiating a query from the client application to the Workspace ONE UEM application server (Device Services). There are two ways in which the script can be executed; ad-hoc with a menu, and on a recurring schedule without a menu. | Link |
| Email Templates | These email templates can be used as a starting point to create custom email notifications in Workspace ONE UEM. Where the basic ones provide the users with alot of information, it might be a better idea to incorporate your own company styling and languague. By doing this, the users will recognize and understand the emails. Whereas the default emails templates might come across as spam and/or phishing to some users. Included are templates for iOS Update Notifications and Compliancy Violations. | Link |
| simple_node_api | Link | |
| Excel Add-In | This Add-In allows you to access your Workspace ONE UEM API from within Excel | Link |
| testing | Link | |
| Mobile CICD Script | The tool provides an example of how the application deployment APIs of Workspace ONE UEM can be used for iOS and Android apps. | Link |
| Pagination Recursion Sample | This sample shows how you can use recursion to query all records in paginated Workspace ONE UEM APIs | Link |
| Sync Devices | This script is useful for initiating a sync from the client application to the Workspace ONE UEM application server (Device Services). There are two ways in which the script can be executed; ad-hoc with a menu, and on a recurring schedule without a menu. | Link |
| UEM API Event Notifications | Example c# app calling Workspace ONE UEM APIs. | Link |
| UEM Content Sample | This script shows how to use the Workspace ONE REST API calls to download content from Content repositories. This can be used as an example of the information required to dowload content. | Link |
| UEM Maintenence Script | This script connects to your VMware Workspace ONE UEM environment and can get and delete duplicate devices, stale devices, or problematic devices (devices with invalid serials). It can also get duplicate user accounts. | Link |
| Bulk e-Sim Activation for iOS | Cellular devices from Apple traditionally required a small, physical Subscriber Identity Module (SIM) card to enable service on a cellular carrier. The SIM was typically pre-inserted by the carrier, but could be physically swapped if necessary. Modern devices now include an eSIM, which is a chip built into the device that performs the same function but consumes less internal space. eSIMs are also more flexible, as it supports any carrier supporting the eSIM standard and eliminates the need for physically touching/modifying the device. | Link |
| app_and_process_details | This is a helper for the Workspace ONE Intelligent Hub for macOS feature for blocking apps and processes. | Link |
| Baselines | Utilizing the macOS Security Compliance Project (mSCP) to enforce baselines on macOS devices using Workspace ONE. We will review briefly how to use the mSCP to generate the desired baseline and then detail the procedure to deploy this configuration using Workspace ONE. We will close by reviewing deployment options for Freestyle-enabled and non-Freestyle-enabled environments. Here is a high level overview: | Link |
| CustomAttributesToSensorsMigration | This script can be used to migrate existing Custom Attributes profiles that are configured in a Workspace ONE UEM environment to a Sensor configured in the same environment. | Link |
| Sensors for Reporting | Link | |
| macOS Updater Utility | The macOS Updater Utility (mUU) keeps your Mac device fleet up to date by prompting users to update to your specified version of macOS. If necessary, mUU will force users to update their OS. mUU utilizes Apple's MDM Commands to download and install updates via the Workspace ONE UEM API. mUU will allow you to specify max number of deferrals, deferral grace period, and more! | Link |
| macOS_Update_Helper | This package can be used to provide more flexibility around deploying macOS updates to devices through Workspace ONE UEM, as well as to provide information and feedback to the user regarding the progress of the update. The package can be customized through the use of a Custom Settings profile in Workspace ONE UEM. It leverages DEPNotify to act as a UI for the end user. | Link |
| Archive | Link | |
| Migration-Tool | This tool provides a better user experience when migrating macOS devices to Workspace ONE. | Link |
| Workspace ONE macOS App Analyzer | The Workspace ONE macOS App Analyzer will determine any Privacy Permissions, Kernel Extensions, or System Extensions needed by an installed macOS application, and can be used to automatically create profiles in Workspace ONE UEM to whitelist those same settings when deploying apps to managed devices. | Link |
| Workspace ONE mobileconfig Importer | The Workspace ONE mobileconfig Importer gives you the ability to import existing mobileconfig files directly into a Workspace ONE UEM environment as a Custom Settings profile, import app preference plist files in order to created managed preference profiles, and to create new Custom Settings profiles from scratch. When importing existing configuration profiles, the tool will attempt to separate each PayloadContent dictionary into a separate payload for the Workspace ONE profile. | Link |
| Create, Delete, Modify Device User or Admin Accounts | These sets of sample BATCH files will add and delete users and create and downgrade admins. | Link |
| Deploy LGPO.exe | This Powershell script allows you to download LGPO.exe from the MSFT website and upload it as a Managed App to a specified WS1 Organization Group. | Link |
| Drop Ship Provisioning | These Drop Ship Provisioning for VMware Workspace ONE samples contain PowerShell command lines or Batch scripts that can be used in the configuration file (unattend.xml) generation step in the Workspace ONE UEM Console. Navigate to Devices > Lifecycle > Staging > Windows, select New and you can leverage these samples in the Additional Synchronous Commands OR First Logon Commands fields. | Link |
| Enable Kerberos and Add Sites to Trusted Zone | This sample BATCH script will enable Kerberos on a Windows device, enable sending authentication (domain credentials) to trusted sites which you have added into the trusted zones in this script. | Link |
| Enrollment Troubleshooting Script | This Powershell script allows you to quickly check a device for the required services and network connections required for MDM enrollment. | Link |
| Import Group Policy | This set of scripts will guide you on how to export and import group policy configurations from devices into AirWatch to push out to managed devices using AirWatch's Product Provisioning. | Link |
| Maintain Workspace ONE Co-existence with SCCM Compliance Rule | How you can use an SCCM compliance baseline to check for valid enrollment and if it fails, run a script to remove old agent, repair WMI, re-enroll automatically. | Link |
| UEM Migration | Link | |
| Removable Drive Encryption Policy | This script disables writes to removable drives on a Windows 10 Desktop. | Link |
| Software Distribution Templates | A running list of validated apps (Win32) deployed using Software Distribution in the AirWatch console. We will update this list weekly with new entries. If you would like to have an app added please send jnegron@vmware.com all of the app's information, it will be validated then added. | Link |
| UEM Managed VDI Gold Master | This powershell script allows you to easily use Workspace ONE Unified Endpoint Management (UEM) to bring a Gold Master image up the required state. | Link |
| Windows 10 Automated Setup Media | This script creates automated Windows 10 setup on bootable USB media. It takes any Windows 10 ISO, formats USB to support UEFI NTFS booting, and places autounattend.xml in the root of the drive in order to make it a zero touch setup process. | Link |