Unified Access Gateway integrates with Workspace ONE Intelligence to provide telemetry from Unified Access Gateway edge services and to integrate Intelligence’s Device Risk Score. Currently, telemetry reporting is only available for the Tunnel edge service, and the Device Risk Score integration is limited to Horizon connections.

Prerequisites

  • Complete registering the Unified Access Gateway widget on Workspace ONE Intelligence. For more information about registering UAG with Intelligence, see Unified Access Gateway Integration.
  • Download credentials file from Workspace ONE Intelligence. The credentials file is a JSON file containing Workspace ONE Intelligence URL, access token endpoint URL, client ID, and client secret for authorizing Unified Access Gateway to communicate with Workspace ONE Intelligence.
  • Unified Access Gateway servers must have outbound access to the Intelligence endpoints. For more information about the specific endpoints, see Requirements.
  • You can use Unified Access Gateway's outbound proxy configuration for the Intelligence connections. Ensure to configure the Intelligence hostnames as a Proxy Included Host during the setup. See Configure Outbound Proxy Settings.

Procedure

  1. Under the Advanced Settings, click the Workspace ONE Intelligence Connection Settings gearbox icon.
  2. To configure the settings for a connection, click Add.
  3. Configure the following Workspace ONE Intelligence settings.
    Option Description
    Name Name of the Workspace ONE Intelligence connection setting.

    Every connection setting must have a unique name.
    Workspace ONE Intelligence Credentials file Click Select and navigate to the file location. Select the desired file to upload and click Open.
    Workspace ONE Intelligence URL Thumbprints (Optional) Enter the list of Workspace ONE Intelligence URL thumbprints.

    If you do not provide a list of thumbprints, ensure that the server certificates are issued by a trusted CA. Enter the hexadecimal thumbprint digits.

    For example, sha1= C3 89 A2 19 DC 7A 48 2B 85 1C 81 EC 5E 8F 6A 3C 33 F2 95 C3.

    Note: This UI option can be used when the connection to Workspace ONE Intelligence is through a TLS reverse proxy or a security appliance that presents a TLS server certificate, which is not issued by a trusted CA.
    Trusted Certificates (Optional) Select the trusted certificate files in PEM format, to be added to the trust store.

    By default, the alias name is the filename of the PEM certificate. To give a different name, edit the alias text box.

    Note: This UI option can be used when the connection to Workspace ONE Intelligence is through a TLS reverse proxy or a security appliance that presents a TLS server certificate, which is not issued by a trusted CA.
  4. Click Save.

What to do next

Configure the following Workspace ONE Intelligence features.
  • Risk Scoring - to track user and device actions and behaviors.
  • Telemetry Reporting - to send data to Intelligence at regular intervals to create custom reports and analyze how Unified Access Gateway and the edge services are used.

Configure Intelligence for Risk Scoring

Unified Access Gateway performs a risk check with Workspace ONE Intelligence. Based on the value, you can restrict access from risky devices.

Risk scoring is available for Horizon connections from Workspace ONE UEM managed devices. See Risk Scoring.

Prerequisites

Ensure that you have configured the Workspace ONE Intelligence connection.

Procedure

  1. Under Advance Settings, click the Endpoint Compliance Check Provider Settingsgearbox icon.
  2. Click Add.
    Note: If you have already added Workspace_ONE_Intelligence_Risk_Score as the endpoint compliance check provider, you can either edit the settings by clicking the gearbox icon or add new provider settings by deleting the existing one.
  3. Select Workspace_ONE_Intelligence_Risk_Score as the Endpoint Compliance Check Provider.
  4. Select the Workspace ONE Intelligence connection setting.
  5. Enter the Compliance Check Interval value.
    • Valid values (in minutes) - 5 to 1440
    • Valid values (in seconds) - 300 to 86400
    • Default value - 0

      0 indicates Compliance Check Interval (mins) is disabled.

    For more information about periodic compliance checks and Compliance Check Interval, see Time Interval for Periodic Endpoint Compliance Checks.

  6. To change the default value of the risk score severities and allow endpoints to access remote desktops and applications, click Show Allowed Risk Score Severities.

    Supported risk score severities: Low, Medium, High, and Others.

    By default, endpoint devices that have Low risk score are always allowed access.

  7. If you want to allow devices that have a risk score other than the default value, click to change from DENY to ALLOW.
    By default, endpoint devices with risk score severities other than LOW are denied.
  8. Click Save.

What to do next

  1. Navigate to Horizon settings, locate Endpoint compliance check provider text box, and select Workspace_ONE_Intelligence_Risk_Score from the drop-down menu.
  2. Click Save.

Configure Intelligence Data Setting to Send Telemetry Reports

Configure the Workspace ONE Intelligence Data Settings to send Unified Access Gateway-specific and edge services-related data to Workspace ONE Intelligence at regular intervals.

Administrators can use the data sent to Intelligence to understand how Unified Access Gateway and the edge services on Unified Access Gateway are used and can also create custom reports to understand the behavior of clients connected to Unified Access Gateway through the edge services.

Procedure

  1. In the Advanced Settings section, click the Workspace ONE Intelligence Data Settings gearbox icon.
  2. Turn on the Opt In/Opt Out toggle. By default, the value is OPT OUT.
  3. Select the connection name from the Workspace ONE Intelligence Connection list.
  4. In the Update Interval field, enter the maximum time period at which the data is sent from Unified Access Gateway to Workspace ONE Intelligence.
    Note: If the local cache is filled up and reaches its maximum size before the scheduled interval, Unified Access Gateway will immediately post the data to Workspace ONE Intelligence.
    • Time period is in seconds.
    • Values can be between 10 seconds and 86400 seconds.
    • Default value is 300 seconds (five minutes).
    • If value is 0, data is posted to Workspace ONE Intelligence once for every Enabled state of Workspace ONE Intelligence settings on the Unified Access Gateway.