An area that is largely uncharted territory in Workspace ONE and many other UEM platforms is Linux Management. In recent months, VMware has extended their Linux Management to include Puppet as a gateway to push commands and invoke all sorts of things on devices. My foray into this is similar to my MacOS deep dives from the past. Today, we will cover what the Linux enrollment is like, discuss the basics of Puppet, and cover the process to deploy Puppet manifests to Linux devices on Workspace ONE. One disclaimer: Everything I do will be on Ubuntu, which is my favorite flavor. Let’s get started!
All About Linux Enrollments on Workspace ONE
Workspace ONE has a decent article on their enrollment processes here. We basically have two paths for enrollment:
- Web-based Enrollment (What most people will be using)
- Hub-based Enrollment
These options are fairly typical for Workspace ONE platforms and you should all be fairly familiar with them.
Let’s start with Web-based Enrollment!
Linux Web-based Enrollments on Workspace ONE
Basically, you leverage the browser to hit the enrollment web URL, which starts the flow. An example URL is:
https://cn1688.awmdm.com/enroll/welcome
From there, you follow the prompts until you hit a little wrinkle: it will prompt you to select your installer. Download it, then open a terminal and run a single command to finish your enrollment:
$ sudo apt install "./Downloads/com.airwatch.linux.agent.amd64.deb"
The only criticism that I have is that it’s a bit confusing after your enrollment finishes. You don’t actually know that it’s done, but then magically apps will start hitting. It’s not a huge deal, but it’s something to be aware of.
Hub-based Linux Enrollment
The Hub-based enrollment comes in two phases: first you install the app, then you do a nice little command-line enrollment.
The code for install and enrollment looks like this:
##Install the Hub with Root##
$ sudo apt install "/tmp/workspaceone-intelligent-hub-amd64-21.10.0.1.deb"
##Change to the Hub Util Folder##
$ cd /opt/vmware/ws1-hub/bin
##Enroll##
$ sudo ./ws1HubUtil enroll --server https://host.com --user synuser --password SynterexIsFun! --group synterex
It’s worth mentioning that ws1HubUtil has other commands you can use too. Feel free to read more about them here; I won’t be covering them.
What is this Puppet Thing?
There are a number of configuration items you can use with Workspace ONE like Wi-Fi, credentials, and even sensors. The ones that ACTUALLY matter are custom configurations. Workspace ONE installs Puppet on the device, and the custom configurations are Puppet manifests used to do all sorts of magical things. Let’s talk about Puppet manifests now.
Puppet Resource Types
As you can read about in the Puppet documentation, the main building blocks of manifests are resource types like:
- exec (executes external commands)
- file (manages files and stuff about them)
- filebucket (repo for storing and retrieving file content)
- group (manages groups)
- notify (sends messages)
- package (package management, like Apt or Yum commands)
- resources (metatype that manages other resource types)
- schedule (defines schedules in Puppet)
- service (manages running services)
- stage (creates run stages)
- tidy (cleans things up like unwanted files)
- user (manages users)
For what I’ve done so far, there are a few key resource types we use. Specifically:
- File
- Exec
- Package
- Service
How Puppet Manifests Come Together
If we check out the example from the VMware documentation:
file { 'google-chrome-stable_current_amd64.deb':
  source => 'https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb',
  path   => '/tmp/google-chrome-stable_current_amd64.deb',
  ensure => present,
}
exec { 'install-chrome':
  command   => '/usr/bin/dpkg -i /tmp/google-chrome-stable_current_amd64.deb',
  logoutput => true,
}
So, let’s break it down appropriately. Let’s check out the components of the file resource type first.
How the File Resource Type is Being Used
So, if we break it down piece by piece, let’s see how it works.
Install Command:
file { 'google-chrome-stable_current_amd64.deb':
  ##The source attribute, aka source =>, tells the machine where it will get the file that will be placed on the system##
  source => 'https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb',
  ##Path is the path that the file will be dropped to##
  path => '/tmp/google-chrome-stable_current_amd64.deb',
  ##Ensure basically says "it should be there"; you will see another option for this below##
  ensure => present,
}
Removal Command:
##Package is basically saying use stuff like apt to ensure that the package is removed aka absent##
package { 'google-chrome-stable': ensure => 'absent', }
How the Exec Resource Type is Being Used
So, if we break it down piece by piece, let’s see how it works.
exec { 'install-chrome':
  ##We label the command and then invoke the "command" you are trying to execute on the device. In this case it's dpkg to install the installer. Note that you must fully qualify it.##
  command => '/usr/bin/dpkg -i /tmp/google-chrome-stable_current_amd64.deb',
  ##Here we are saying to log the output, which is huge##
  logoutput => true,
}
As we go into the sample code that I have built, you will see more of these huge building blocks, which are vital.
How to Install Apps via APT on Workspace ONE for Linux
The deployment of the profile itself is standard. We create the profile, name the config, select “Enforce Manifest” so we can ensure that we achieve desired state management, and specify our manifests. You can also add module dependencies. Feel free to search the repository here to see what dependencies you can add. Let’s check out some sample code.
Sample Code:
# execute 'apt-get update'
exec { 'apt-update':                    # exec resource named 'apt-update'
  command => '/usr/bin/apt-get update', # command this resource will run
}
package { 'filezilla':
  require => Exec['apt-update'],        # require 'apt-update' before installing
  ensure  => installed,
}
How to Download and Install Apps from Software Repositories on Workspace ONE for Linux
The software repository version of this is fairly similar. I love my code example below because Zoom gave me some issues with dependencies. I figured out that leveraging apt-install to update the modules on my machine fixed that issue. That’s the fun in this being new. We get to learn quite a bit!
exec { 'apt-install':
  command => '/usr/bin/apt-get install -f',
}
file { 'zoom-desktop-5.14.7.2928-amd64.deb':
  source => 'https://zoom.us/client/5.14.7.2928/zoom_amd64.deb',
  path   => '/tmp/zoom-desktop-5.14.7.2928-amd64.deb',
  ensure => present,
}
exec { 'install-zoom':
  command   => '/usr/bin/dpkg -i /tmp/zoom-desktop-5.14.7.2928-amd64.deb',
  logoutput => true,
}
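Both manifests above download a .deb into world-writable /tmp and install it as root with no integrity check, and the exec re-runs on every enforcement pass. The following is an added example, not the author's or VMware's code, showing the same Zoom install with a pinned digest, a root-only staging directory, and an idempotency guard. The staging path, the package name zoom, the placeholder digest, and support for checksum_value on https sources in the Puppet agent bundled with the Hub are assumptions.

```puppet
# Added example: hardened variant of the Zoom manifest (not from the original post).
# Assumptions: the staging path, the package name 'zoom', and that the bundled
# Puppet agent honours checksum_value for https sources.
$deb     = '/var/lib/ws1-staging/zoom-desktop-5.14.7.2928-amd64.deb'  # hypothetical path
$deb_sha = '<SHA256-OF-THE-DEB-YOU-VETTED>'                           # placeholder, not a real digest

# Root-only staging directory instead of world-writable /tmp.
file { '/var/lib/ws1-staging':
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0700',
}

# Version-pinned URL plus pinned SHA-256: content that does not match is not kept.
file { $deb:
  ensure         => file,
  source         => 'https://zoom.us/client/5.14.7.2928/zoom_amd64.deb',
  checksum       => 'sha256',
  checksum_value => $deb_sha,
  owner          => 'root',
  group          => 'root',
  mode           => '0600',
  require        => File['/var/lib/ws1-staging'],
}

# apt-get resolves dependencies for a local .deb, so no separate 'install -f' step.
exec { 'install-zoom':
  command     => "/usr/bin/apt-get install -y ${deb}",
  path        => ['/usr/sbin', '/usr/bin', '/sbin', '/bin'],
  environment => ['DEBIAN_FRONTEND=noninteractive'],
  unless      => '/usr/bin/dpkg -s zoom',  # skip when dpkg already reports the package
  require     => File[$deb],               # never install before the verified file exists
  logoutput   => true,
}
```

The manifest fails until the placeholder is replaced with the SHA-256 of a package you have downloaded and vetted yourself. The digest pin only makes sense with a version-pinned URL like Zoom's, since a "current" URL such as the Chrome one changes content with every release.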
My Overall Thoughts on Linux Management in Workspace ONE
This has been a long time coming. We went from basically asset management to pretty close to a full UEM experience on Linux, which is great. Intune for example can push bash scripts, but they have nothing like the Puppet integration. This is reminiscent of the Munki integration coming in MacOS, which was also a godsend.
The Linux platform is by no means perfect, but we can get a lot of the way there at this juncture. I will be working closely with product management at VMware to push them on the roadmap as I have some clients that care about these great capabilities. This is another great opportunity for UEM engineers to extend their toolset and make a name for themselves at their organizations by delivering amazing Linux experiences that aren’t that far off from what we’re doing on MacOS today.
Lastly, I welcome people to contribute to my Linux folder in my Github with any custom configs they build. I am working on building a library since nothing exists currently for this.