Re-Enable Admin Preview of Enrollment Messages in UEM

Update 18th Oct. 2022: Added 22.06.0.10 to the List of Supported Versions


If you are using token-based authentication for enrollment to UEM, you may have noticed that, starting with UEM 21.09, the messages sent out to users can no longer be viewed by an admin. This was removed due to security concerns: the enrollment token is a single factor, so anyone who can read the message can use it. As there are still valid use-cases where the user has no way to receive that message, there is now a possibility to get the feature back. It requires a feature flag to be enabled and a specific minimum version.
Note: This article only covers on-premise environments. For SaaS environments please reach out to VMware Support.

Requirements:

Here are the details of the requirements:

– UEM 22.03.0.20 / 22.06.0.10 / 22.09 or a higher patch version (22.04 is not supported)
– Feature flag “AdminTokenPreviewFeatureFlag” enabled on the Customer OG

Note: This is only for on-premise as documented here; if you want this feature for SaaS, please reach out to VMware Support and ask for the activation of the “AdminTokenPreviewFeatureFlag”.

Note: Please be aware that this makes the activation token visible to administrators in UEM. Even though there are valid use-cases, it is highly recommended to keep the default setting and not to change it as described here unless you actually need it.

Steps to Enable the Feature Flag

Before we enable the feature flag, let us look at what the console shows today. In Lifecycle / Message we see that a mail was sent to the user with the address that was used, but we do not see a preview of the token or of the mail itself.

Now, before we enable the feature, go to the Customer OG, then “Groups and Settings”, “Groups”, “Organization Groups”, “Details”, and note down the number at the end of the browser's address bar.

Note: This has to be the Customer OG, not Global and not another OG.

Now let's use the API to get the group UUID from the numeric group ID we just noted down. You can reuse the PowerShell script below; just replace the Base64-encoded credentials, the AirWatch tenant code, the URL of the API server and the numeric group ID. Keep in mind that the Base64 string is only an encoding of username:password, not an encryption, so a saved copy of the script is effectively a saved admin password.
Note: You need “System Administrator” permission at “Global” to execute these API calls.

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
# Basic auth: Base64 of "username:password" of a System Administrator at Global
$headers.Add("Authorization", "Basic BASE64ENCODED")
$headers.Add("Content-Type", "application/json")
# Tenant code from Groups & Settings > All Settings > System > Advanced > API > REST API
$headers.Add("aw-tenant-code", "TENANTCODEFROMUEM")
# GroupID is the numeric ID from the OG Details URL; the response contains the OG UUID
Invoke-RestMethod 'https://UEMURL.one/API/system/groups/GroupID' -Method 'GET' -Headers $headers

In the result you see the UUID of the OG; note it down, as we need it for the next API calls as well.

To get the status of the feature flag you can use the following script. Again, update the fields and use for UUIDOFTHEOG the value from the previous API call.

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", "Basic BASE64ENCODED")
$headers.Add("Content-Type", "application/json")
$headers.Add("aw-tenant-code", "TENANTCODEFROMUEM")
Invoke-RestMethod 'https://UEMURL.one/api/system/featureflag/AdminTokenPreviewFeatureFlag/UUIDOFTHEOG' -Method 'get' -Headers $headers 

As a result you should see the following, which means it is not enabled:

Now let us enable the feature flag with the following API call (again, please update the values):

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", "Basic BASE64ENCODED")
$headers.Add("Content-Type", "application/json")
$headers.Add("aw-tenant-code", "TENANTCODEFROMUEM")
Invoke-RestMethod 'https://UEMURL.one/api/system/featureflag/AdminTokenPreviewFeatureFlag/UUIDOFTHEOG/true' -Method 'post' -Headers $headers

To ensure we changed the correct thing successfully, let us check again with the API call that gets the status of the feature flag:

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization", "Basic BASE64ENCODED")
$headers.Add("Content-Type", "application/json")
$headers.Add("aw-tenant-code", "TENANTCODEFROMUEM")
Invoke-RestMethod 'https://UEMURL.one/api/system/featureflag/AdminTokenPreviewFeatureFlag/UUIDOFTHEOG' -Method 'get' -Headers $headers 

As a result you see it is now enabled:
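The four API calls above combined into one re-runnable script, as an added example that is not code from the original post or from VMware. It prompts for the admin credential instead of embedding a Base64 string, resolves the numeric OG ID to the UUID, records the flag state before and after the POST, and can revert the change with -Disable. Assumptions, also marked in the code: the GET /API/system/groups/{id} response exposes the OG UUID in a property named Uuid and the OG type in LocationGroupType (verify against your UEM version), the feature-flag GET returns a small JSON document whose exact shape is not relied upon, and the host, tenant code and OG ID are hypothetical placeholders.

```powershell
<#
  Added example (not from the original post): the procedure above as one script.
  Assumptions: the group response carries "Uuid" and "LocationGroupType";
  the feature-flag GET returns JSON that we only compare before/after.
  Host, tenant code and OG ID are hypothetical parameters.
#>
param(
    [Parameter(Mandatory)] [string] $UemHost,       # e.g. uem.example.com (hypothetical)
    [Parameter(Mandatory)] [string] $TenantCode,    # value for the aw-tenant-code header
    [Parameter(Mandatory)] [int]    $CustomerOgId,  # number from the end of the OG Details URL
    [switch] $Disable                               # set the flag back to false (rollback)
)

$ErrorActionPreference = 'Stop'
$FlagName = 'AdminTokenPreviewFeatureFlag'
$Base     = "https://$UemHost"

# Prompt for the credential rather than hard-coding a Base64 string:
# Basic auth is only encoded, so a saved script would be a saved password.
$cred  = Get-Credential -Message 'UEM admin with System Administrator at Global'
$pair  = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))

$headers = @{
    Authorization    = "Basic $basic"
    'aw-tenant-code' = $TenantCode
    'Content-Type'   = 'application/json'
    Accept           = 'application/json'
}

function Invoke-Uem {
    param([string] $Method, [string] $Path)
    try {
        return Invoke-RestMethod -Uri "$Base$Path" -Method $Method -Headers $headers
    } catch {
        # Surface the HTTP status: 401/403 usually means the admin is not a
        # System Administrator at Global or the tenant code is wrong.
        $status = $_.Exception.Response.StatusCode.value__
        throw "$Method $Path failed (HTTP $status): $($_.Exception.Message)"
    }
}

# Step 1: numeric OG ID -> OG UUID (the feature-flag endpoints take the UUID).
$og     = Invoke-Uem -Method Get -Path "/API/system/groups/$CustomerOgId"
$ogUuid = $og.Uuid   # assumption: property is named Uuid in your UEM version
if (-not $ogUuid) {
    throw "No Uuid in the group response; inspect: $($og | ConvertTo-Json -Compress)"
}
# assumption: LocationGroupType reports the OG type; the flag belongs on the Customer OG
if ($og.LocationGroupType -and $og.LocationGroupType -ne 'Customer') {
    throw "OG '$($og.Name)' is of type '$($og.LocationGroupType)', not a Customer OG."
}
Write-Host "Customer OG '$($og.Name)' -> $ogUuid"

# Step 2: record the current state so the change can be verified and reverted.
$before = Invoke-Uem -Method Get -Path "/api/system/featureflag/$FlagName/$ogUuid"
Write-Host "Before: $($before | ConvertTo-Json -Compress)"

# Step 3: flip the flag. POST .../{true|false} with no body, as in the post.
$target = if ($Disable) { 'false' } else { 'true' }
Invoke-Uem -Method Post -Path "/api/system/featureflag/$FlagName/$ogUuid/$target" | Out-Null

# Step 4: read it back and make sure something actually changed.
$after = Invoke-Uem -Method Get -Path "/api/system/featureflag/$FlagName/$ogUuid"
Write-Host "After:  $($after | ConvertTo-Json -Compress)"
if (($before | ConvertTo-Json -Compress) -eq ($after | ConvertTo-Json -Compress)) {
    Write-Warning "Flag state did not change; check the OG UUID and the admin's role."
}
```

Run it as `.\Set-AdminTokenPreview.ps1 -UemHost uem.example.com -TenantCode <code> -CustomerOgId <id>` to enable the flag, and add `-Disable` to set it back to false once the use-case is over, which is the state the post recommends keeping by default.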

Checking the Result in the Console

If you go back to the messages that have been sent, you now see a Messages field:

If you click it you have access to the mail sent out to the user; if it is using token-based enrollment with UEM you can see the token.

Conclusion

This process describes how to enable a feature flag, specifically the one for the enrollment message. This change should not be made without consulting VMware Services and understanding the potential risk of admins seeing the enrollment token. A backup of the SQL database is also recommended before changing anything here. If you have questions on this, please comment here or consult VMware Support.

Written by

vExpert, blogger and VMware champion. Worked 10 years as a VMware & Microsoft consultant for a partner before joining VMware in 2017.
