Bulk Provisioning Tool FAQs

Frequently asked questions about Bulk Provisioning Tool.

  • How does a user setup the bulk provisioning tool?
    Follow these steps to setup the bulk provisioning tool.
    1. From the IBM® MaaS360® Portal, go to Devices > Enrollments > Other enrollment options > Windows > Windows Bulk Provisioning Tool.
    2. Select Bulk Deploy and click Download option for Bulk Provisioning Tool package.
    3. Install the Bulk Provisioning Tool msi package and start the BulkProvisioningConfigure.exe file.
    4. Enter the login credentials of the customer administrator.
      Note: The login credential of the partner administrator is not supported.
    5. Apply the right settings and generate the SelfExtractingOA.exe file.
  • How can customer admin decide on the Imaging or Executable option to enroll Windows devices?

    IBM MaaS360 provides the Windows Bulk Provisioning Tool that enables administrators to automatically enroll a large quantity of Windows devices into the IBM MaaS360 Portal. Following are the conditions to select the suitable option to enroll the Windows device.

    For Imaging option
    • The administrator wants to setup fresh device and enrolls out-of-box device setup.
    • The administrator prefers a seamless, automated onboarding process for Windows devices onto MaaS360, minimizing the need for manual user interaction.
    • The administrator aims to restrict administrative privileges for users.
    For Executable option
    • The administrator aims to enroll devices that are used by the users.
  • What is the process by which users distribute the SelfExtractingOA.exe file to the target devices?

    For optimal distribution, consider hosting the generated OA in a private Content Delivery Network (CDN) or a shared File Transfer Protocol (FTP) server. Later, the administrator can then share the link with the users, enabling them to download the file and proceed with the enrollment process.

  • What is the procedure for associating an enrolled device with a specific MaaS360 user account?

    During the setup of the Bulk Provisioning Tool, ensure that the user Authentication checkbox is checked. This configuration prompts the endpoint to request user details and credentials during enrollment. Upon successful authentication, the device automatically links to the authenticated user's account.

    For a silent onboarding process without user authentication, the MaaS360 administrator can follow these steps.
    1. Go to Devices > Enrollments > Other enrollment options > Windows > Windows Bulk Provisioning Tool.
    2. Select the Associate Users tab. Follow the provided instructions to map the devices to the respective users.
    This method allows for seamless device enrollment without requiring user authentication.
    For more information, see Associating users with bulk enrolled Windows devices.
  • What is the process for enrolling Home edition Windows devices?

    MaaS360 offers an administrative feature that enables the inclusion of a shared file web link. To get the link, go to Setup > Branding > Unified Enrollment Configuration > Windows Home setup link. After adding the link, the administrator can send out an enrollment request to the users. When the user accesses the enrollment/activation URL in their browser, they must click the Windows Home button. This action directs them to the subsequent page, where they can proceed to download the required application.

  • Can Customer Admin use the same device to enroll by utilizing the SelfExtractingOA.exe file that they generated?

    Each Windows device is uniquely identified by its hardware ID. The user cannot use the same device to enroll by utilizing the SelfExtractingOA.exe file that they generated. When the SelfExtractingOA.exe (OA) file is created, the hardware ID is backed up. MaaS360 assigns a new device ID for each unique hardware that is enrolled. If the OA is executed on the same device from which it was generated, the hardware ID remains unchanged, resulting in a blocked enrollment.

  • Why are users unable to onboard devices in MaaS360 by using the SelfExtractingOA.exe file?
    Following are the conditions to be checked when the user is unable to onboard devices in MaaS360 using the SelfExtractingOA.exe file.
    • Check for the device that is already enrolled in MaaS360. Following are the steps to check for MDM device enrollment.
      1. From Windows settings, open Settings.
      2. Go to Accounts > Access work or school. If the device is enrolled in In tune, the Connected to a work or school organization message is displayed or a specific MDM account is listed. Go to the work or school account and then click Info to see more details, including device sync status.
    • Check for the current user that is running the device with administrator privileges.
    • Check for the user that has sufficient licenses available in MaaS360 or enable over-age.
    • Check for the different error codes. Following are the potential list of error code.
      • Provisioning failing with Error code - 0x80180026

        Solution: HKLM\software\Microsoft\Enrollments\ExternallyManaged registry needs to be set to 0.

      • Provisioning failing with Error code - 0x801900CA.

        Solution: Check for licenses available in MaaS360 or enable over-age.

      • Provisioning failing with error code -0x80180001

        Solution - Ensure the device is not MDM enrolled and MDM enrollment registry is clean. Delete the following registry hive - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments \xxxxxxxxxxxxx. Delete all registry subkeys that contain UPN. Another possible solution is to set Enable automatic MDM enrollment using Azure AD credential GPO setting to user credential.

      • If previous instance of BulkProvisioningService is still running on end point. You can run the following cleanup commands to clear the instances.
        C:\Windows\System32\sc.exe stop BulkProvisioningService
        C:\Windows\System32\sc.exe delete BulkProvisioningService
        C:\Windows\System32\reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\IBM
        MaaS360\OA" /f>null
        C:\Windows\System32\taskkill.exe /f /im "InstallProvisioningPackage.exe"
        C:\Windows\System32\taskkill.exe /f /im "BulkProvisioningService.exe"
        C:\Windows\System32\taskkill.exe /f /im "AuthHelper.exe"
        @RD /S /Q "C:\Program Files (x86)\IBM MaaS360\Deployment Agent"
        @RD /S /Q "C:\ProgramData\IBM MaaS360\Deployment Agent"
  • Why users are unable to onboard SelfExtractingOA.exe without administrator rights?
    Following are the conditions that the user can check while onboarding SelfExtractingOA.ex file.
    • User with no administrator access: For local OS users, grant administrator permissions to execute SelfExtractingOA.exe, which can then be withdrawn through the MDM policy. To implement this, go to Windows MDM Policy > Device Settings > User Accounts > Configure User Accounts Settings > Enforce removal of local Bulk Provisioning Tool administrator privileges on enrolled user account. For domain OS users, the domain administrator can remotely access the device and run the executable that uses their domain credentials.
    • In the bulk provisioning tool, choose End User Authentication and set the End User Account Type to Current User. Establish an administrator user for each device, who logs in and executes SelfExtractingOA.exe. Upon an authentication prompt, the admin user closes it. The user then authenticates themselves, allowing the device to enroll under their account, even without admin privileges.
  • What steps can be taken to examine and interpret the SelfExtractingOA.exe run logs, with a focus on understanding the configuration, setup, runner, and provisioning package creation/installation processes?
    The SelfExtractingOA.exe logs are available at C:\ProgramData\IBM MaaS360\Deployment Agent\logs. Following are the different logs to examine the package creation or installation process.
    • ConfigureLog_1.log: Check this file during the failures in Bulk Provisioning Tool configuration.
    • SetupLog: Once SelfExtractingOA.exe is started on the device, windows service that is named Runner is installed. Any failure related to this service is available in this file.
    • RunnerLog_<X>.log: Device unique ID checks failures, network connectivity logs.
    • InstallProvisioningPackage_1.log: Failures with MDM enrollment are captured in this file.
    • Logs.<YYYYMMDD>.<HHMMSS>.zip: MDM enrollment failure error codes are available here.
  • Why are the devices not enrolling in the MaaS360 portal after the simultaneous execution of SelfExtractorOA.exe on multiple devices?

    When enrolling multiple devices concurrently, it is crucial to set the correct device count for simultaneous enrollment. This configuration can be managed in the BulkProvisioning tool by adjusting the Number of devices for enrollment setting. By properly setting this parameter, you prevent an excessive number of devices from simultaneously requesting MaaS360 enrollment, thereby avoiding potential system overload or delays.

  • What are all the execution command for silent install to distribute exe through other app distribution tool like gpo, sccm?

    The silent execution command for SelfExtractorOA.exe installation is -o.

  • What are the steps to verify whether a device is enrolled through bulk provisioning in both the MaaS360 portal and on the device itself?
    Follow these steps to verify whether a device is enrolled through bulk provisioning in both the MaaS360 portal and on the device.
    1. In the IBM MaaS360 portal, go to Device > Device Enrollment Mode. Check whether the Device Enrollment Mode is set to Windows Bulk Provisioning.
    2. On device, go to C:\ProgramData\IBM MaaS360\MDM Extender Agent\logs and check for the compressed file folder of the Deployment agent log.
  • Which operating system user context does a device get enrolled after executing the exe in system context?
    During configuration of Bulk Provisioning Tool, select any of the following options to choose the user computer account type for enrollment.
    • Existing User: Any logged-in OS user who executes SelfExtractorOA.exe is considered as enrolled MDM OS user.
    • New Local User / New Domain User: When the SelfExtractorOA.exe is executed, the tool takes snapshot of existing OS users and waits for new OS user to login and when device is logged-in with new OS user, device later enrolls under the new OS user and later new OS user will be considered as enrolled MDM OS user. • What is the duration and
  • What is the duration and frequency of enrollment retry attempts?

    The maximum number of enrollment retry is set to 90. It follows an exponential retrial concept where retrial happens 15, 30, 60, 120 minutes.

  • What are the functions of the Bulk Provisioning Tool MSI package and the SelfExtractorOA.exe utility?

    Bulk Provisioning Tool msi package is for the customer administrator for configuring Bulk Onboarding process of Windows devices. The SelfExtractingOA.exe is the OA file which is the output file generated from BulkProvisioning tool.

  • What steps must be taken if SelfExtractorOA.exe is flagged as untrusted during manual execution?

    The extracted SelfExtractorOA.exe must be self-signed with the valid certificate.

  • What measures can be implemented to ensure that SelfExtractorOA.exe is exclusively used by an authorized employee of the company?

    By enabling the End User Authentication option within the Bulk Provisioning Tool configuration, users are required to input their credentials after running SelfExtractorOA.exe on their device. The authenticated user is now automatically associated with the enrolled device, simplifying the enrollment procedure.

  • What methods can be employed to prevent mass user assignment through .CSV files?

    By enabling the End User Authentication option within the Bulk Provisioning Tool configuration, users are required to input their credentials after running SelfExtractorOA.exe on their device. The authenticated user is now automatically associated with the enrolled device, simplifying the enrollment procedure.

  • How to identify and troubleshoot failed associations between Windows Bulk Provisioning devices and IBM MaaS360 users?

    The Customer administrator is promptly alerted through email if any association fails after successfully uploading the device-to-user association CSV file. The notification encompasses a detailed .CSV file attachment, outlining the precise reasons for the failure.

  • How to set device ownership for the devices onboarded using SelfExtractingOA.exe file?

    You can update the ownership for individual device from Devices > Inventory > View > Summary page.

    To update in bulk device, see Managing device attributes in the IBM MaaS360 Portal.