
Custom Dropship Provisioning revisited

Introduction

A little over a year ago, I published a blog about Drop Ship Provisioning where I showed an app I built that secures the device during the time the onboarding workflow is being processed. Although the app was good at locking down the device during the onboarding process, it could do much better in terms of user experience for both admins and end users.

Back then, my app was only showing information related to script execution and app installation. It was not able to show information about profile installation, what step of the workflow it was working on, etc. On top of that, the app was rather dull to look at, as it was just showing a static background with a couple of lines of text.

Well guess what, I found some time for fun with Visual Studio and gave the app an update. Check the videos below to get a better idea of what I’m talking about.

0’20s: enrollment completed
0’45s: workflow starts
10’00s: workflow completed, device reboots
10’45s: end user logon

How does it work?

Not much has changed in the underlying concept since the previous version. The app still leverages the Windows Enterprise feature called Shell Launcher v2 to replace the default Windows shell (explorer.exe) with my app. In simple words, it runs in kiosk mode, preventing anyone from accessing the device until you decide it's ready. For those interested in more details, have a look at my previous blog (or read the MSFT docs).

What’s new?

A couple of things:

  • The app is now showing the Freestyle Orchestrator Onboarding Workflow status in real-time on screen, instead of showing only the logs created by my scripts. The workflow is rendered on screen in the same order as in the UEM console. Each step as well as the overall workflow shows its current status. Next to the steps, conditions and resource groups of your workflow are shown.
  • There are a couple of interactive buttons on screen. Each of them can be shown or hidden as you please.
    • Reboot button
    • Sync button: simply syncs the native MDM client. If Omnissa ever releases some kind of Hub CLI, I will add a function that syncs the Hub the same day!
    • Admin button: the app's main goal is to prevent anyone from modifying the system while you are still applying security measures, but what if things stop working as expected and the workflow fails to reach the end? The admin button is a password-protected function that removes the custom shell feature, reboots the system and logs you back in using explorer.exe so you can start troubleshooting! Brute-forcing the customizable password is made a bit more annoying by doubling the wait time after each failed attempt.
  • Customizable logo, font color and background image slideshow. Simply drop your own logo or images in the designated folder and the app will render them on screen.
  • Customizable sentences that inform your users to have some patience while you take care of everything.
  • If you’re using a flow where the user has to log in first (e.g. AAD join), the user’s first name is shown on screen. If you’re just doing a good old domain or workplace join (using a staging account), it’s just saying Welcome to <CompanyName>.
  • The app detects when the workflow is ready and removes the custom shell feature automatically for you.
  • Enrollment status is shown on screen in real-time, as well as the device serial number (check the upper right corner during the first 25 seconds in the video above).
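
The doubling wait time on the admin button, sketched as an added example (this is not the app's own code, which the page does not show). The 5-second base delay, the one-hour cap, the PBKDF2 hash and the on-disk state file are assumptions; the state file is there so that the on-screen Reboot button does not reset the failure counter.

```python
import hashlib, hmac, json, os, time

BASE_DELAY = 5      # seconds of lockout after the first failure (assumed value)
MAX_DELAY = 3600    # cap so the delay cannot grow without bound (assumed value)

def hash_password(password: str, salt: bytes) -> bytes:
    # Store a salted, slow hash instead of the plaintext admin password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AdminGate:
    """Password gate whose wait time doubles after each failed attempt."""

    def __init__(self, state_path, salt, stored_hash, clock=time.time):
        self.path, self.salt, self.stored = state_path, salt, stored_hash
        self.clock = clock
        self.state = {"failures": 0, "locked_until": 0.0}
        if os.path.exists(state_path):      # reload state after a restart or reboot
            with open(state_path) as f:
                self.state = json.load(f)

    def _save(self):
        tmp = self.path + ".tmp"            # write, then rename, to avoid a torn file
        with open(tmp, "w") as f:
            json.dump(self.state, f)
        os.replace(tmp, self.path)

    def seconds_remaining(self) -> float:
        return max(0.0, self.state["locked_until"] - self.clock())

    def try_unlock(self, password: str) -> str:
        if self.seconds_remaining() > 0:
            return "locked"                 # guesses made during the wait are not evaluated
        guess = hash_password(password, self.salt)
        if hmac.compare_digest(guess, self.stored):   # constant-time comparison
            self.state = {"failures": 0, "locked_until": 0.0}
            self._save()
            return "ok"
        self.state["failures"] += 1
        delay = min(BASE_DELAY * 2 ** (self.state["failures"] - 1), MAX_DELAY)
        self.state["locked_until"] = self.clock() + delay
        self._save()
        return "denied"
```

The state file only helps if the kiosk user cannot write to it or change the system clock, so it belongs in a location restricted to administrators.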

Wrong admin password:

Correct admin password:

What do I need?

  • Workspace ONE licenses that allow you to use Drop Ship Provisioning
  • A copy of the PSADT package that installs my app. You can download it here!
  • Tweak the app’s config file to match your needs and add your own logo and background images
  • The Dropship Provisioning regulars:
    • A PPKG that includes (at least) my app
      • (un)install command: Deploy-Application.exe (uninstall)
      • detection: app exists – {9F95C63A-E041-4C2D-922D-7724CCE392BC}
    • An unattend.xml file
    • Workspace ONE provisioning tool to install the PPKG and unattend.xml
    • Shut down the PC and ship it!

What does it cost me?

Nothing. You’re welcome!
