Requirements

Workspace ONE Intelligence requires certain Workspace ONE components and processes in order to work. What components and processes are required depend on your deployment, on-premises or SaaS.

  • On-Premises: For on-premises deployments, meet the general requirements for all deployments. For the components to move data in an on-premises deployment, you must trust listed URL destinations depending on your deployment region. You also need the Workspace ONE Intelligence Connector Service.
    • High Availability: If you want to configure high availability and disaster recovery, there are some caveats to review before setting up the connectors in these on-premises environments.
  • SaaS: For SaaS deployments, meet the general requirements for all deployments and find the regions for your Intelligence and other Workspace ONE products so that you can check the status of Workspace ONE in your area.

Encryption of communications

Workspace ONE Intelligence sends all system generated emails using Forced TLS in all environments, GovCloud and non-GovCloud.

With the use of Forced TLS, those email servers that do not support encryption do not receive system generated emails.

If your SMTP (email) server already supports encryption, then you do not need to make changes in your environment. If your SMTP server does not support encryption, then you must make changes to receive system generated emails.

General requirements

There are general requirements that all deployments (on-premises and SaaS) must meet to use Workspace ONE Intelligence.

Reports powered by Workspace ONE Intelligence

Before you can use Workspace ONE Intelligence features, you must turn on reports powered by Workspace ONE Intelligence. Reports powered by Workspace ONE Intelligence is different from Workspace ONE UEM reporting.

How to access reports

  • Shared SaaS customers work with their account representatives to access reports powered by Workspace ONE Intelligence. These deployments do not need to install their own Workspace ONE Intelligence Connector server.
  • Dedicated SaaS customers work with their account representatives to access reports powered by Workspace ONE Intelligence. These deployments do not need to install their own Workspace ONE Intelligence Connector server.
  • On-premises customers work with their account representative to access reports powered by Workspace ONE Intelligence. These deployments must install their own Workspace ONE Intelligence Connector server.

Required Workspace ONE UEM console version

Workspace ONE Intelligence requires the minimum supported version of the Workspace ONE UEM console. For general availability, end of availability, and the end of support dates for all Workspace ONE UEM console releases, see the knowledge base article Workspace ONE (WS1) UEM Console Release and End of General Support Matrix.

Compatibility between UEM and Intelligence

For the most current information on the compatible versions between the two systems, access the KB article on VMware KB Workspace ONE Intelligence - Compatibility with Workspace ONE UEM.

SaaS requirements

Workspace ONE SaaS environments are mapped to Intelligence regions and your Workspace ONE Intelligence region is assigned based on the locations of your Workspace ONE SaaS environments.

Find mappings of Workspace ONE Intelligence regions for the listed Workspace ONE products.

  • Workspace ONE Access
  • Workspace ONE UEM

Workspace ONE Intelligence region by Workspace ONE product

Workspace ONE Intelligence Region Workspace ONE UEM SaaS Deployment Location Workspace ONE Access SaaS URL
Canada Canada vmwareidentity.ca
Frankfurt Germany vmwareidentity.de
Ireland United Kingdom vmwareidentity.co.uk
vmwareidentity.eu
Sydney Australia vmwareidentity.com.au
Tokyo India vmwareidentity.asia
Tokyo Japan vmwareidentity.asia
Tokyo Singapore vmwareidentity.asia
United Kingdom United Kingdom vmwareidentity.co.uk
United States Canada vmwareidentity.com
United States United States vmwareidentity.com

On-premises requirements

For on-premises deployments, you must install the Workspace ONE Intelligence Connector service on its own server before you can use Workspace ONE Intelligence features. You must also allowlist Cloud Services destinations depending on your region for successful communication in your on-premises deployment.

Allowlisting URLs by region for Cloud Services destinations

For successful communication in your on-premises deployment, you must trust specific URLs depending on your region. Configure these allowlists on your applicable on-premises components, for example configure allowlists so communication flows successfully between your region’s VMware cloud-based reports service and your on-premises Workspace ONE UEM database, or on your proxy server that you use with the Workspace ONE Intelligence Connector.

Trust the applicable URL destinations because they represent cloud service regions and are needed for communication between the Workspace ONE UEM console server, the Workspace ONE Intelligence Connector, and the VMware cloud-based reports service.

Trust the api.sandbox.data.vmwservices.com, artifactrepo.data.vmwservices.com, and discovery.awmdm.com URLs for all regions. The Workspace ONE Intelligence Connector installer calls these endpoints for a list of all supported regions. If you use the Experience Management feature, you must also trust api.na1.region.data.vmwservices.com.

Select your region to get the destinations for your allowlists.

All Regions

URL Destination Protocol Port
api.na1.region.data.vmwservices.com

Allowlist this URL if you use Experience Management (DEEM) and mobile telemetry. If you do not use Experience Management, do not allowlist this URL.
HTTPS 443
api.sandbox.data.vmwservices.com HTTPS 443
artifactrepo.data.vmwservices.com HTTPS 443
discovery.awmdm.com HTTPS 443

Canada

URL Destination Protocol Port
api.ca1.data.vmwservices.com HTTPS 443
auth.ca1.data.vmwservices.com HTTPS 443
ca1.data.vmwservices.com HTTPS 443
config.ca1.data.vmwservices.com HTTPS 443
eventproxy.ca1.data.vmwservices.com HTTPS 443

Frankfurt

URL Destination Protocol Port
api.eu1.data.vmwservices.com HTTPS 443
auth.eu1.data.vmwservices.com HTTPS 443
config.eu1.data.vmwservices.com HTTPS 443
eu1.data.vmwservices.com HTTPS 443
eventproxy.eu1.data.vmwservices.com HTTPS 443

Ireland

URL Destination Protocol Port
api.eu2.data.vmwservices.com HTTPS 443
auth.eu2.data.vmwservices.com HTTPS 443
config.eu2.data.vmwservices.com HTTPS 443
eu2.data.vmwservices.com HTTPS 443
eventproxy.eu2.data.vmwservices.com HTTPS 443

Sydney

URL Destination Protocol Port
api.au1.data.vmwservices.com HTTPS 443
au1.data.vmwservices.com HTTPS 443
auth.au1.data.vmwservices.com HTTPS 443
config.au1.data.vmwservices.com HTTPS 443
eventproxy.au1.data.vmwservices.com HTTPS 443

Tokyo

URL Destination Protocol Port
ap1.data.vmwservices.com HTTPS 443
api.ap1.data.vmwservices.com HTTPS 443
auth.ap1.data.vmwservices.com HTTPS 443
config.ap1.data.vmwservices.com HTTPS 443
eventproxy.ap1.data.vmwservices.com HTTPS 443

United Kingdom

URL Destination Protocol Port
api.uk1.data.vmwservices.com HTTPS 443
auth.uk1.data.vmwservices.com HTTPS 443
config.uk1.data.vmwservices.com HTTPS 443
eventproxy.uk1.data.vmwservices.com HTTPS 443
uk1.data.vmwservices.com HTTPS 443

United States

UAT

URL Destination Protocol Port
auth.sandbox.data.vmwservices.com HTTPS 443
config.sandbox.data.vmwservices.com HTTPS 443
eventproxy.sandbox.data.vmwservices.com HTTPS 443
sandbox.data.vmwareservices.com HTTPS 443

Production

URL Destination Protocol Port
api.na1.data.vmwservices.com HTTPS 443
auth.na1.data.vmwservices.com HTTPS 443
config.na1.data.vmwservices.com HTTPS 443
eventproxy.na1.data.vmwservices.com HTTPS 443
na1.data.vmwservices.com HTTPS 443

Proxy servers, if used, require an allowlist

If you use a proxy server with the Workspace ONE Intelligence Connector in an on-premises deployment, you must allowlist (trust) specific URLs on the proxy server or the Workspace ONE Intelligence Connector installation fails. The URLs should include the ones listed under All Regions and your specific region (such as Canada, Frankfurt, and so forth).

Workflow Connector trusted IP addresses

If you use a Workflow Connector, including a Custom Connector, requests originate from the listed IPs based on region. If you use allow and deny lists in your firewall for your Workflow Connector destinations, allow the listed IPs for your region.

Note: These static IP addresses are for requests coming from Workspace ONE Intelligence to your network.

Region IP Addresses
Canada 35.182.84.243
35.182.84.210
Frankfurt 18.194.235.124
35.156.127.8
18.195.111.228
Ireland 52.50.246.37
54.76.120.187
52.214.71.240
Sydney 52.63.121.101
13.54.94.114
13.236.27.201
Tokyo 54.64.134.5
13.114.203.203
United Kingdom 3.11.151.5
52.56.79.2
3.10.120.236
United States Production 52.41.14.207
34.212.69.126
34.211.153.193
United States UAT 50.112.69.240
52.10.157.26
52.89.177.218

Installing the Intelligence Connector Service

The VMware Workspace ONE Intelligence Connector Service in an on-premises deployment collects data from your Workspace ONE UEM database and pushes it to the cloud service.

Hardware, software, and network requirements for the Intelligence Connector

To install and use the Workspace ONE Intelligence Connector in your on-premises deployment, you must meet the listed hardware, software, and network requirements.

Hardware requirements
Component Requirement
Server 1
CPUs 4 (2 GHz Intel processor)
Memory 8 GB
Storage 25 GB
Software requirements

Important: The Workspace One Intelligence connector based on Oracle JDK 8 will reach end-of-support in the future and will no longer receive feature upgrades. Follow the steps in the Upgrading the Connector - moving from Oracle JDK 8 to OpenJDK 11 section to move from JDK 8 to OpenJDK 11 on this page.

Component Requirement
Java Java 8 (Connector support to end in the future)

OpenJDK 11
OS Windows Server 2012 R2, 2016, and 2019
SQL-based database for Workspace ONE UEM Microsoft SQL Server, Standard and Enterprise, 2016 SP1 or later
Network requirements
Source Target Protocol Port
Workspace ONE Intelligence Connector Applicable Trusted URLs HTTPS 443
Workspace ONE Intelligence Connector Workspace ONE UEM Database TCP Use ports configured for secure communication in your individual Workspace ONE UEM on-premises deployment.

For example, if you use Port 1433 for all internal network communication in your Workspace ONE UEM on-premises deployment, you can use port 1433 to communicate with the Workspace ONE UEM database.
Workspace ONE UEM Console Server api.{regionID}.data.vmwservices.com

auth.{regionID}.data.vmwservices.com

For example, the target URLs for a console server located in Canada are api.ca1.data.vmwservices.com and auth.ca1.data.vmwservices.com.
HTTPS 443
Workspace ONE UEM Device Services Server api.{regionID}.data.vmwservices.com HTTPS 443

Required database permissions

To install the Workspace ONE Intelligence Connector, the person installing needs permissions for the following roles for the console and directory services servers.

  • DBOwner for the Workspace ONE UEM database
  • DBDatareader for the MSDB
  • SQLAgentUserRole for the MSDB

Downloading the Intelligence Connector and CDC

Download the VMware Workspace ONE Intelligence Connector and use it for better performance on data import between your Workspace ONE UEM database and the cloud service.

If you have not already enabled this workflow, notice that the installer downloads a file on your desktop, cdc_enable_script.sql, and then stops. Open the cdc_enable_script.sql file and run the script manually on your Workspace ONE UEM database with db_owner permissions to enable the improved performance workflow. After the script runs successfully, rerun the Workspace ONE Intelligence Connector installer.

This workflow uses Change Data Capture (CDC), which is supported on SQL Server. CDC enhances the performance of data extraction by the Workspace ONE Intelligence Connector. For details about Microsoft SQL Server and the Workspace ONE Intelligence Connector, review the Software Requirements table.

As the Workspace ONE Intelligence Connector starts importing new data entities into Workspace ONE Intelligence, the CDC workflow becomes a prerequisite. The workflow is applicable to newly added data entities like device tags, device custom attributes, users, and product provisioning.

If you already have the Workspace ONE Intelligence Connector Service configured, reinstall the latest installer to unlock the CDC features. You must install the Workspace ONE Intelligence Connector on its own server. For additional information about the installation process of other Workspace ONE UEM application servers, refer to Workspace ONE UEM Installation.

Important

  • If you upgrade the Workspace ONE UEM console server as part of the upgrade process, you must stop the Workspace ONE Intelligence Connector Service during the Workspace ONE UEM console server upgrade. You must then restart the service after finishing the upgrade process.
  • If you must change the setting for Deployment Region, do not run the installer again.

Prerequisites to installing the Connector

  • Ensure you have allowlisted the regional URLs so the connector installation process can communicate with the correct cloud-based reports service.
  • If you use a proxy server and want to use it with the Workspace ONE Intelligence Connector, make sure you have allowlisted the regional destinations. If you do not trust the listed destinations, the installation can fail.
  • Meet the hardware, software, and network requirements needed to install, configure, and use Workspace ONE Intelligence.

Installation Procedure

  1. Download the Workspace ONE Intelligence Connector installer on to the server you configured for the service.
  2. Run the installer.
  3. Accept the Terms of Use.
  4. Ensure that the Workspace ONE Intelligence Connector Service is selected as a feature to install. The installer detects the version of Java installed on the application server. If the installer does not detect the required version, the required version installs.
  5. Select the Destination Folder in which to install the Workspace ONE Intelligence Connector Service.
  6. Enter the database server settings.
    • Database server that you are installing to: Select Browse next to the Database server text box and select your Workspace ONE UEM database from the list.
      • If you use a custom port, do not select Browse. Instead, use the following syntax: DBHostName,<customPortNumber>, then select Browse to select the database server.
      • For example, enter db.acme.com, 8043.
      • If you use a custom port for database connections, you must manually update the separator between the host and the port in the installation directory. To make this update, follow the listed steps.
        1. After the Workspace ONE Intelligence Connector is successfully installed, stop the Workspace ONE Intelligence Connector Service.
        2. Update the JDBC_URL JVM parameter in the WDPETLService.etl.parameters file in the installation directory.
          • Replace the comma (,) separator between the host and port with a colon (:).
          • Example: vmware.workspaceone.sql:6521.
        3. Restart the Workspace ONE Intelligence Connector Service.
          Note: We are working to automate the replacement of the comma with the colon so you do not have to perform this manual step.
      • If your Workspace ONE UEM database name has a space, you must perform extra steps.
        • Open the WDPETLService.exe.parameters in the service folder of the Workspace ONE Intelligence Connector installation in administrator mode.
        • Update the parameter to ensure the databaseName value is enclosed in quotes. Here is an example, JVM_ARG=-DJDBC_URL=jdbc:sqlserver://SQLSERVERNAME;databaseName="Workspace ONE UEM Database Name".
    • Connect using: Select one of the following authentication methods.
      • Windows Authentication uses a service account on the Windows server to authenticate. You are prompted to enter the service account that you want to use. This service account is used to run all the application pools and Workspace ONE UEM-related services. The service account must have Workspace ONE UEM database access.
      • SQL Server Authentication uses the SQL server authentication method. You are prompted to enter the user name and password.
    • Name of database catalog: Enter the name of the Workspace ONE UEM database or browse the SQL server and select it from a list.
  7. (Optional) Enter proxy information. Find this information in the Workspace ONE UEM console in Groups & Settings > All Settings > Installation > Proxy > Console Proxy Settings.
  8. Configure the Workspace ONE Intelligence Connector Service settings.
    1. Select the deployment region for your cloud service. Ensure that the right region is selected. Do not run the installer again if you must change this region in the future. If you upgrade your Workspace ONE Intelligence Connector Service from a previous version, this screen does not display because you cannot change your region during an upgrade.
    2. Enter your Workspace ONE UEM Installation Token. This token is created as part of the Workspace ONE UEM Installation process.
  9. Select Install to install the Workspace ONE Intelligence Connector Service. After the installation finishes, select Finish.

Connector installer troubleshooting tip - deactivate unblock in properties

If the Workspace ONE Intelligence Connector installer does not launch, check the installer’s properties. In the properties attributes for the Workspace ONE Intelligence Connector installer, to to the General tab, Security section, and deactivate the Unblock check box.

Upgrading the Connector - moving from Oracle JDK 8 to OpenJDK 11

The Workspace One Intelligence Connector based on Oracle JDK 8 will reach end-of-life (EOL) and will no longer be supported after December 18, 2023. It will no longer receive feature upgrades.

How to check if your Connector uses JDK 8 or OpenJDK 11

If you are unsure which Connector you are currently using, follow the procedure to see if you have the JDK 8-based Connector or the OpenJDK 11-based Connector.

  1. Go to {Connector Installation folder}/service directory and locate the WDPETLService.exe.parameters file. Your parameters file is in the Intelligence Connector installation folder.
  2. Open the WDPETLService.exe.parameters file.
    • If your Intelligence Connector uses Oracle JDK 8, you see the file path JVM={Java Installation directory}/ Java/Jre1.8.0_301/bin/server/jvm.dll. If you are using the JDK 8-based Intelligence Connector, you'll see the Java, jrel.8 version in the file path.
    • If your Intelligence Connector uses OpenJDK 11, you see the file path JVW={ETL Installation directory}/OpenJDK/bin/server/jvm.dll. If you are using the OpenJDK 11-based Intelligence Connector, you'll see OpenJDK in the file path.

Upgrading Procedure

Upgrade your Intelligence Connector to OpenJDK 11 to receive the latest features. Follow the listed process to upgrade your existing Connector instances.

  1. Download the latest Workspace ONE Intelligence Connector installer on to the server you configured for the service.
  2. Run the installer.
  3. Accepts the Terms of Use.
  4. Select to Update a WS1 Intelligence Service Instance and then select next.
  5. Select the ETL Service instance that you want to update.
  6. Select the Destination Folder in which to install the Workspace ONE Intelligence Connector Service.
  7. Enter the database server settings.
    • Database server that you are installing to: Select Browse next to the Database server text box and select your Workspace ONE UEM database from the list.
      • If you use a custom port, do not select Browse. Instead, use the following syntax: DBHostName,<customPortNumber>, then select Browse to select the database server.
      • For example, enter db.acme.com, 8043.
      • If you use a custom port for database connections, you must manually update the separator between the host and the port in the installation directory. To make this update, follow the listed steps.
        1. After the Workspace ONE Intelligence Connector is successfully installed, stop the Workspace ONE Intelligence Connector Service.
        2. Update the JDBC_URL JVM parameter in the WDPETLService.etl.parameters file in the installation directory.
          • Replace the comma (,) separator between the host and port with a colon (:).
          • Example: vmware.workspaceone.sql:6521.
        3. Restart the Workspace ONE Intelligence Connector Service.
          Note: We are working to automate the replacement of the comma with the colon so you do not have to perform this manual step.
      • If your Workspace ONE UEM database name has a space, you must perform extra steps.
        • Open the WDPETLService.exe.parameters in the service folder of the Workspace ONE Intelligence Connector installation in administrator mode.
        • Update the parameter to ensure the databaseName value is enclosed in quotes. Here is an example, JVM_ARG=-DJDBC_URL=jdbc:sqlserver://SQLSERVERNAME;databaseName="Workspace ONE UEM Database Name".
    • Connect using: Select one of the following authentication methods.
      • Windows Authentication uses a service account on the Windows server to authenticate. You are prompted to enter the service account that you want to use. This service account is used to run all the application pools and Workspace ONE UEM-related services. The service account must have Workspace ONE UEM database access.
      • SQL Server Authentication uses the SQL server authentication method. You are prompted to enter the user name and password.
    • Name of database catalog: Enter the name of the Workspace ONE UEM database or browse the SQL server and select it from a list.
  8. (Optional) Enter proxy information. Find this information in the Workspace ONE UEM console in Groups & Settings > All Settings > Installation > Proxy > Console Proxy Settings.
  9. Configure the Workspace ONE Intelligence Connector Service settings.
    1. Select the deployment region for your cloud service. Ensure that the right region is selected. Do not run the installer again if you must change this region in the future. If you upgrade your Workspace ONE Intelligence Connector Service from a previous version, this screen does not display because you cannot change your region during an upgrade.
    2. Enter your Workspace ONE UEM Installation Token. This token is created as part of the Workspace ONE UEM Installation process.
  10. Select Install to install the Workspace ONE Intelligence Connector Service. After the installation finishes, select Finish.

High availability and disaster recovery support with the Workspace ONE Intelligence Connector

You can use the Workspace ONE Intelligence Connector in high availability (HA) deployments and for disaster recovery.

High availability

For HA, you need at least two connectors and you must set them for continuous access.

For HA to work with the Workspace ONE Intelligence Connector, use the supported version of Workspace ONE UEM required by Workspace ONE Intelligence.

A generalized example of how to set up at least two Workspace ONE Intelligence Connectors in a single Workspace ONE Intelligence environment for high availability coverage.

General high availability setup

Install and enable at least two Workspace ONE Intelligence Connectors for a single Workspace ONE Intelligence environment. Configure the connection between the Workspace ONE Intelligence Connector and the Workspace ONE UEM Database server.

When you configure HA for the Workspace ONE UEM Database, configure the Workspace ONE Intelligence Connector to connect to the SQL Server Always ON Listener.

Although all Workspace ONE Intelligence Connectors listen, only one is active and pushes data from the database to Workspace ONE Intelligence. If the active Workspace ONE Intelligence Connector fails, one of the other connectors activates and pushes data to Intelligence.

Disaster recovery

For disaster recovery, set at least two Connectors within each recovery site to help you resume work when something happens to your Workspace ONE deployment.

For disaster recovery to work, use the supported version of Workspace ONE UEM required by Workspace ONE Intelligence.

A generalized example of how to set up at least two Workspace ONE Intelligence Connectors within each recovery site to prepare for when something happens to your Workspace ONE deployment.

General disaster recovery setup

Install at least two Workspace ONE Intelligence Connectors in each disaster recovery site. Depending on your disaster recovery strategy, you can enable all the connectors across all sites or leave them deactivated on the passive sites until an incident occurs. When a disaster recovery site becomes active, one of the Workspace ONE Intelligence Connectors becomes active and starts pulling data from the Workspace ONE UEM Database server to Workspace ONE Intelligence. If the active connector fails, the other connector remains available to push data.

Note: If your disaster recovery strategy does not have a recovery server cluster always listening, the Workspace ONE Intelligence Connector still connects to the cluster during an event. However, it cannot support a comprehensive disaster recovery scenario because the cluster might have missed data from not listening.

check-circle-line exclamation-circle-line close-line
Scroll to top icon