Uncharted Territory: Linux Management in Workspace ONE


An area that is largely uncharted territory in Workspace ONE and many other UEM platforms is Linux Management. In recent months, VMware has extended their Linux Management to include Puppet as a gateway to push commands and invoke all sorts of things on devices. My foray into this is similar to my MacOS deep dives from the past. Today, we will cover what the Linux enrollment is like, discuss the basics of Puppet, and cover the process to deploy Puppet manifests to Linux devices on Workspace ONE. One disclaimer: Everything I do will be on Ubuntu, which is my favorite flavor. Let’s get started!

All About Linux Enrollments on Workspace ONE

Workspace ONE has a decent article on their enrollment processes here. We basically have two paths for enrollment:

  • Web-based Enrollment (What most people will be using)
  • Hub-based Enrollment

These options are fairly typical for Workspace ONE platforms and you should all be fairly familiar with them.

Let’s start with Web-based Enrollment!

Linux Web-based Enrollments on Workspace ONE

Basically, you leverage the browser to hit the enrollment web URL, which starts the flow. An example URL is:


From there, you follow the prompts until you hit a little wrinkle: it will prompt you to select your installer, which you download. Then you open a terminal and run a single command to finish your enrollment:

$ sudo apt install "./Downloads/com.airwatch.linux.agent.amd64.deb"

The only criticism that I have is it’s a bit confusing after your enrollment finishes. You don’t actually know that it’s done, but then magically apps will start hitting. It’s not a huge deal, but it’s something to be aware of. Check out the demo below:

Hub-based Linux Enrollment

The Hub-based enrollment comes in two phases. First, you install the app, then you do a nice little command line enrollment:

The code for install and enrollment looks like this:

## Install the Hub as root ##
$ sudo apt install "/tmp/workspaceone-intelligent-hub-amd64-"
## Change to the Hub util folder ##
$ cd /opt/vmware/ws1-hub/bin
## Enroll (a password passed as an argument is saved in shell history and visible in the process list) ##
$ sudo ./ws1HubUtil enroll --server https://host.com --user synuser --password SynterexIsFun! --group synterex

It’s worth mentioning that ws1HubUtil has other commands you can use too. Feel free to read more about them here; I won’t be covering them.

What is this Puppet Thing?

There are a number of configuration items you can use with Workspace ONE like Wi-Fi, credentials, and even sensors. The ones that ACTUALLY matter are custom configurations. Workspace ONE installs Puppet on the device, and the custom configurations are Puppet manifests used to do all sorts of magical things. Let’s talk about Puppet manifests now.

Puppet Resource Types

As you can read about in the Puppet documentation, the main building blocks of manifests are resource types like:

  • exec (executes external commands)
  • file (manages files and stuff about them)
  • filebucket (repo for storing and retrieving file content)
  • group (manages groups)
  • notify (sends messages)
  • package (package management, like Apt or Yum commands)
  • resources (metatype that manages other resource types)
  • schedule (defines schedules in Puppet)
  • service (manages running services)
  • stage (creates run stages)
  • tidy (cleans things up like unwanted files)
  • user (manages users)

For what I’ve done so far, there are a few key resource types we use. Specifically:

  • File
  • Exec
  • Package
  • Service

How Puppet Manifests Come Together

If we check out the example from the VMware documentation:

file { 'google-chrome-stable_current_amd64.deb':
  source => 'https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb',
  path   => '/tmp/google-chrome-stable_current_amd64.deb',
  ensure => present,
}

exec { 'install-chrome':
  command   => '/usr/bin/dpkg -i /tmp/google-chrome-stable_current_amd64.deb',
  logoutput => true,
}

So, let’s break it down appropriately. Let’s check out the components of the file resource type first.

How the File Resource Type is Being Used

So, if we break it down piece by piece, let’s see how it works.

Install Command:

file { 'google-chrome-stable_current_amd64.deb':
  # source tells the machine where to get the file that will be placed on the system
  source => 'https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb',
  # path is where the file will be dropped
  path   => '/tmp/google-chrome-stable_current_amd64.deb',
  # ensure basically says "it should be there"; you will see another option for this below
  ensure => present,
}

Removal Command:

# package is basically saying: use stuff like apt to ensure that the package is removed, aka absent
package { 'google-chrome-stable':
  ensure => 'absent',
}

How the Exec Resource Type is Being Used

So, if we break it down piece by piece, let’s see how it works.

# We label the resource and then give the "command" you are trying to execute on the device.
# In this case it's dpkg installing the downloaded installer. Note that the command path must be fully qualified.
exec { 'install-chrome':
  command   => '/usr/bin/dpkg -i /tmp/google-chrome-stable_current_amd64.deb',
  # Here we are saying to log the output, which is huge
  logoutput => true,
}

As we go into the sample code that I have built, you will see more of these huge building blocks, which are vital.

How to Install Apps via APT on Workspace ONE for Linux

The deployment of the profile itself is standard. We create the profile, name the config, select “Enforce Manifest” so we can ensure that we achieve desired state management, and specify the manifests. You can also add module dependencies. Feel free to search the repository here to see what dependencies you can add. Let’s check out some sample code.

Sample Code:

# execute 'apt-get update'
exec { 'apt-update':                     # exec resource named 'apt-update'
  command => '/usr/bin/apt-get update',  # command this resource will run
}

package { 'filezilla':
  ensure  => installed,
  require => Exec['apt-update'],         # require 'apt-update' before installing
}

Now, let’s check out the demo:

How to Download and Install Apps from Software Repositories on Workspace ONE for Linux

The software repository version of this is fairly similar. I love my code example below because Zoom gave me some issues with dependencies. I figured out that leveraging apt-install to update the modules on my machine fixed that issue. That’s the fun in this being new. We get to learn quite a bit!

exec { 'apt-install':
  command => '/usr/bin/apt-get install -f',
}

file { 'zoom-desktop-':
  source => 'https://zoom.us/client/',
  path   => '/tmp/zoom-desktop-',
  ensure => present,
}

exec { 'install-zoom':
  command   => '/usr/bin/dpkg -i /tmp/zoom-desktop-',
  logoutput => true,
}
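
A variant of the download-then-dpkg pattern used for Chrome and Zoom above, as an added example that is not from the original post or VMware's documentation: it checks the downloaded package against a pinned SHA-256 before anything is installed, and lets the package resource handle idempotence instead of an exec that reruns dpkg -i on every Puppet run. The staging directory and the digest value are placeholders chosen for illustration.

```puppet
# Added example: values marked PLACEHOLDER are assumptions, not from the post.
$stage_dir  = '/var/cache/ws1-packages'   # assumed root-only staging directory
$deb_path   = "${stage_dir}/google-chrome-stable_current_amd64.deb"
$deb_sha256 = 'PLACEHOLDER_SHA256_OF_THE_APPROVED_DEB'

# Stage the download in a directory only root can write, not in shared /tmp.
file { $stage_dir:
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0700',
}

file { $deb_path:
  ensure  => file,
  source  => 'https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb',
  owner   => 'root',
  group   => 'root',
  mode    => '0600',
  require => File[$stage_dir],
}

# Gate: sha256sum exits non-zero on a digest mismatch, the exec fails, and
# Puppet skips every resource that requires it, so dpkg never sees the file.
exec { 'verify-chrome-deb':
  command   => "echo '${deb_sha256}  ${deb_path}' | sha256sum --check --quiet",
  provider  => shell,
  path      => ['/usr/bin', '/bin'],
  logoutput => on_failure,
  require   => File[$deb_path],
}

# The dpkg package provider installs from the local file and is a no-op once
# the package is present, unlike an unguarded exec that reruns dpkg -i.
package { 'google-chrome-stable':
  ensure   => installed,
  provider => dpkg,
  source   => $deb_path,
  require  => Exec['verify-chrome-deb'],
}
```

Because the vendor updates the `_current_` URL in place, the pinned digest has to be refreshed with each approved release, or the package served from a versioned internal mirror.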

My Overall Thoughts on Linux Management in Workspace ONE

This has been a long time coming. We went from basically asset management to pretty close to a full UEM experience on Linux, which is great. Intune for example can push bash scripts, but they have nothing like the Puppet integration. This is reminiscent of the Munki integration coming in MacOS, which was also a godsend.

The Linux platform is by no means perfect, but we can get a lot of the way there at this juncture. I will be working closely with product management at VMware to push them on the roadmap as I have some clients that care about these great capabilities. This is another great opportunity for UEM engineers to extend their toolset and make a name for themselves at their organizations by delivering amazing Linux experiences that aren’t that far off from what we’re doing on MacOS today.

Lastly, I welcome people to contribute to my Linux folder in my Github with any custom configs they build. I am working on building a library since nothing exists currently for this.


