Can VMware ‘AirLift’ me into modern management?
Jon Towles gives an overview of VMware AirLift and how it works with Workspace ONE and Microsoft SCCM
Have you ever attended a conference? The answer is probably yes, which means you have been inundated with more C-level buzzwords than you can stomach. I’ve written about it so many times! One common term is “modern management.” They love saying “modern management blah blah.” So, how do we actually get there?
VMware has developed new technology that helps ease the transition to modern management. Many of you are familiar with the concept of hybrid from your transition to Office 365. Simply, VMware AirLift delivers a nice hybrid experience between SCCM and Workspace ONE. We are going to discuss a brief overview and some of the benefits you get from this new service.
I should be clear that Dell Provisioning is the answer for brand-new PCs. The goal of AirLfit is to simplify the transition of existing PCs from SCCM to VMware Workspace ONE.
What is AirLift? AirLift as you can see below, connects to your existing SCCM environment and pulls your device collections, applications, and devices to a visually pleasing pane of glass to deliver a smooth transition.
AirLift delivers the concept of Co-Management where SCCM and Workspace ONE co-exist nicely together without being a burden on the PC. This is crucial if you want to eventually move to a single platform for managing devices.
How does AirLift connect to SCCM?
The SCCM connection is straightforward:
- AirLift uses remote PowerShell to connect to SCCM via WinRM.
- SCCM WMI provider grants access to SCCM, based on roles assigned to your service account.
- WMI queries are made to SCCM objects to extract data.
But there are a few more things that you should be aware of:
- WMI implements some access control to secure the connection.
- This uses HTTP/5985 or HTTPs/5986.
- You need to be on the same domain.
- Make sure your SSL trust is intact for this to work.
What are the requirements?
The requirements are pretty simple for AirLift to ensure it can work properly:
- Workspace ONE Admin Account with API Permissions
- SCCM 2012 R2 or greater
- Admin account with the following permissions:
- Basic permissions:
- Cannot create an enrollment app or enroll devices
- Application: Read
- Collection: Read, Read Resource
- Distribution Point: Read
- Package: Read
- To enroll devices:
- Collection: Distribute Applications
- To create an enrollment app:
- Application: Create, Modify
- To manage distribution:
- Distribution: Copy to Distribution Point
- Basic permissions:
A deeper dive into AirLift
For us to better understand how VMware AirLift works we should look at each aspect and how it delivers value.
The Dashboard inside of AirLift is very useful. It gives you a nice view into your overall environment. It provides a breakdown of your co-managed devices. You can also see how many applications have been exported to Workspace ONE, types of profiles, and enrollment information.
The relationship between device collections and Workspace ONE
After you sync for the first time, you will see your device collections appear in the AirLift console. This is the lifeblood of AirLift; you get insight into the device collection and the devices within that collection.
The value proposition here is that you can map the collection to a Workspace ONE smart group and silently enroll devices into Workspace ONE. You configure the Workspace ONE client over to your SCCM server and configure the settings for your SCCM package like you see below:
Once the client has been created in SCCM, you can map device collections to smart groups and automatically enroll the entire device collection into Workspace ONE silently and automatically.
The vital part to this is mapping the device collection to a smart group that will deliver the experience you cultivate via Workspace ONE (e.g., mapping applications, profiles, and packages). This helps further provide a more seamless experience.
It goes without saying that you want to make sure that you test this on a device collection with a small subset of users to test/validate the experience. You only get one chance to make it right.
Bringing SCCM Applications to Workspace ONE
One of the most challenging things is perfecting application deployments via SCCM. Between getting devices to check in for machine policies and getting applications to download properly, it can be very daunting. AirLift does nicely to help you transition these applications from SCCM into VMware Workspace ONE UEM.
Simply, you can select an application and click Export to automatically add and set up the application cleanly. Sometimes, they may fail or you might need to input certain information, but I have found, overall, that it works very nicely.
The beautiful thing about AirLift is how nicely it integrates with your Workspace ONE UEM environment. You click on the blue link under Workspace Application and it will take you directly to your console into the application you exported after being authenticated. These small nuances that you do not often see in applications make it a product worth using. I’ve seen many times where products fail to do “the little things” like this.
Troubleshooting AirLift issues can be a bit challenging. You can access the activity log, which gives you basic information as you can see below:
You can access regular logs from this path %PROGRAMDATA%\VMware\VMware Airlift\logs, which isn’t very transparent in the documentation. This will be vital to your success when working with issues with application exports or just integration of SCCM in general.
The gist of VMware AirLift is that it is a really useful service, but documentation and troubleshooting can be challenging. As I mentioned, the transition to Windows 10 in Workspace ONE UEM is two-fold: Dell Provisioning for new devices and AirLift for existing ones. It’s not meant to be a long-term solution, but a way to move toward a single platform for endpoint management. SCCM is a great product and has been for a long time, but Microsoft is moving toward Intune as SCCM still has some gaps that you just can’t solve without modern management.
I believe as technologists we must be more progressive and realistic about technologies. Some products are very difficult to concede are becoming legacy like WSUS and SCCM, but that is what happens when technology evolves. We can do things better and it doesn’t matter what you use as long as you deliver a great user experience.