A little over a year ago, I wrote an introduction into Freestyle Orchestrator. With my upcoming session at EUC Day, “Conducting a UEM Symphony Powered by Freestyle Orchestrator” coming up on February 17th at 11 EST, I thought it was time to update everyone on things. Let’s cover a few of the use cases that I will be highlighting in my session and catch everyone up on Freestyle Orchestrator.
A Short Reminder on What Freestyle Orchestrator Can Be
With Freestyle Orchestrator, we can deploy apps, scripts, or profiles based on criteria. One of the things that I love is you can now make them App Catalog magic buttons:
As a reminder, we use the following criteria as shown in this table below:
| Platform | Resources | Conditions | |
| Windows | Apps, Profiles, Scripts (PowerShell) | Apps, Attributes, File, Registry, Sensor, Time Window | |
| MacOS | Apps, Profiles, Scripts (Bash, Python, Zsh) | Sensor | |
Types of Conditions in Freestyle Orchestrator
Real quick, we can cover the condition types. Its good to point out you can also use and/or and if/then conditions along with them.
| Condition | Examples | |
| Application | App Exists or Doesn’t along with version. | |
| Attributes | Software attributes like OS, installed Services, Installed Patches etc. System attributes like Hardware vendor, Domain, Local Time Zone, Firmware, TPM, etc. Security attributes based on Bitlocker characteristics like MAC addresses, protection status | |
| File | Files exist or don’t based on file path, version numbers, and modified dates. | |
| Registry | Registry keys exist or don’t. | |
| Sensor | Leverage any of your sensors for FSO. Read Sam’s article on that. | |
| Time Window | Leverage business or maintenance hours to make sure your stuff runs when you want. |
A basic example of a flow can be seen below:
MacOS User Experience Issues Around Certificates
On MacOS, we have a few issues with certificates and how they relate. Let’s start by checking out a short video showing a horrific user experience.
As you saw, a few different things contribute to a poor user experience. Let’s cover them real quick.
MacOS Keychain Struggles for Non-Admins
The MacOS keychain can be very challenging because unlike PCs, you don’t get unfettered access to the “Login” keychain where all of the user certificates are stored.
When you aren’t an administrator you run into that lovely keychain prompts that look like this in the video:
The reason you see that pop-up, is Chrome cannot access the login keychain for a non-admin user, which sucks frankly. You can see what the keychain looks like below:
The keychain is quickly becoming a larger source of frustration for enterprise as a whole. The latest thing being that you can no longer force trusts for intermediate certificates, but I digress. It can be very challenging, but you will learn shortly that Freestyle Orchestrator has got you!
Browser Policies and their Fun
Another area that is full of fun are Chrome Settings. If you have been reading me for awhile, you will know by now that I am all about using Scripts over Profiles. I just think it’s more manageable and robust personally.
You can manage Chrome in a few different ways:
One other issue to mention, which we will need to fix is identity preference. We see this pop-up below because we haven’t taught browsers what to do yet. We solve this via Chrome Policies for Chrome/Edge AND identity preference for Safari.
Identity Preference will map a certificate to an endpoint like this:
The Magic Script to Solve Our MacOS Problems
Let’s check out my latest script, which I will use with Freestyle Orchestrator to configure Chrome to handle those silly cert prompts and set identity preference:
#!/bin/sh
# Variables
loggedInUser="$(defaults read '/Library/Application Support/AirWatch/Data/CustomAttributes/CustomAttributes' 'EnrollmentUser')"
## Script
/bin/echo "*** Enable single sign-on in Google Chrome for $loggedInUser ***"
/bin/echo "Quit all Chrome-related processes"
/usr/bin/pkill -l -U ${loggedInUser} Chrome
if [ -f "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" ]; then
# backup current file
/bin/cp "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist" "/Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist.backup"
/bin/echo "Preference archived as: /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist.backup"
security set-identity-preference -c $loggedInUser -s *.vidmpreview.com
/usr/bin/defaults write /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist AutoSelectCertificateForUrls -array -string "{\"pattern\":\"https://cas.vidmpreview.com\",\"filter\":{}}"
/usr/sbin/chown $loggedInUser /Users/$loggedInUser/Library/Preferences/com.google.Chrome.plist
# Respawn cfprefsd to load new preferences
/usr/bin/killall cfprefsd
else
/bin/echo "Google preference not found for $loggedInUser"
fiFreestyle Orchestrator Demo for MacOS
Now, we can check out a cool little demo that shows how Freestyle Orchestrator makes the magic happen.
Is it called Dell Command Suckdate?!
If you read my stuff, you will know that I’m a big fan of Dell Command Update aka DCU. I wrote a super popular article on it a few weeks ago. The main challenges that we have with DCU is getting it configured/deployed in the right fashion.
It can be super challenging to work with as most of the configuration you do with it requires command line shenanigans. I won’t waste much time, since you can pull the recipe for this out of my article. You can reference the script itself below:
cmd /c "C:\Program Files\Dell\CommandUpdate\dcu-cli.exe" /configure -importSettings=C:\Temp\settings.xml
cmd /c "C:\Program Files\Dell\CommandUpdate\dcu-cli.exe" /configure -autoSuspendBitLocker=enable -biosPassword="Password1"
cmd /c "C:\Program Files\Dell\CommandUpdate\dcu-cli.exe" /scan
cmd /c "C:\Program Files\Dell\CommandUpdate\dcu-cli.exe" /applyUpdates -silent -reboot=enableAnyways, let;s check out a video of the finsihing experience after Freestyle works some magic:
Final Thoughts
I am beyond excited that EUC Day has returned in 2022. None of us like that the sessions are pre-recorded, but I look forward to joining the chat at least. I think Freestyle Orchestrator has the potential to be a game-changing for VMware this year as part of their entire push on user experience.
Let’s be creative and find ways to solve problems! I would bet that many of us will come up with problems that can be solved via FSO. Inevitably, technology is only as good as the person using it. IT people can be creative. Just look at all of those Star Wars Lego Sets that littered by Twitter feed in late December/Early January. This is a big year for user experience so let’s start things with a bang!
2 thoughts on “Real-World Examples of Freestyle Orchestrator Solutions in the Field”
Pingback: Service – Week 06-2022 Workspace ONE Updates – Julius Lienemann
Pingback: How to Secure Local Administrators with Workspace ONE