Workspace ONE Intelligence requires certain Workspace ONE components and processes in order to work. What components and processes are required depend on your deployment, on-premises or SaaS.
In GovCloud instances, Workspace ONE Intelligence sends system generated emails using Forced TLS. Forced TLS means that if your email server does not support encryption, you do not receive system generated emails. If your SMTP (email) server already supports encryption, then you do not need to make changes in your environment. If your SMTP server does not support encryption, then you must make changes to receive system generated emails.
Workspace ONE Intelligence is configured to use Opportunistic TLS in non GovCloud instances. Opportunistic TLS means that the VMware email server used by Workspace ONE Intelligence initially tries to communicate with your email server using strong encryption. If your server does not support encryption, then Workspace ONE Intelligence sends the communication in clear text. However, if your SMTP server does not support encryption, then consider activating TLS to increase the overall security of your email notifications. Emails can contain sensitive information, so it is beneficial to increase security.
Workspace ONE Intelligence is working to send all system generated emails using Forced TLS in all environments.
There are general requirements that all deployments (on-premises and SaaS) must meet to use Workspace ONE Intelligence.
Before you can use Workspace ONE Intelligence features, you must turn on reports powered by Workspace ONE Intelligence. Reports powered by Workspace ONE Intelligence is different from Workspace ONE UEM reporting.
Workspace ONE Intelligence requires the minimum supported version of the Workspace ONE UEM console. For general availability, end of availability, and the end of support dates for all Workspace ONE UEM console releases, see the knowledge base article Workspace ONE (WS1) UEM Console Release and End of General Support Matrix.
For the most current information on the compatible versions between the two systems, access the KB article on VMware KB Workspace ONE Intelligence - Compatibility with Workspace ONE UEM.
Workspace ONE SaaS environments are mapped to Intelligence regions and your Workspace ONE Intelligence region is assigned based on the locations of your Workspace ONE SaaS environments.
Find mappings of Workspace ONE Intelligence regions for the listed Workspace ONE products.
Workspace ONE Intelligence Region | Workspace ONE UEM SaaS Deployment Location | Workspace ONE Access SaaS URL |
---|---|---|
Canada | Canada | vmwareidentity.ca |
Frankfurt | Germany | vmwareidentity.de |
Ireland | United Kingdom | vmwareidentity.co.uk |
Sydney | Australia | vmwareidentity.com.au |
Tokyo | India | vmwareidentity.asia |
Tokyo | Japan | vmwareidentity.asia |
Tokyo | Singapore | vmwareidentity.asia |
United Kingdom | United Kingdom | vmwareidentity.co.uk |
United States | Canada | vmwareidentity.com |
United States | United States | vmwareidentity.com |
For on-premises deployments, you must install the Workspace ONE Intelligence Connector service on its own server before you can use Workspace ONE Intelligence features. You must also allowlist Cloud Services destinations depending on your region for successful communication in your on-premises deployment.
For successful communication in your on-premises deployment, you must trust specific URLs depending on your region. Configure these allowlists on your applicable on-premises components, for example configure allowlists so communication flows successfully between your region’s VMware cloud-based reports service and your on-premises Workspace ONE UEM database, or on your proxy server that you use with the Workspace ONE Intelligence Connector.
Trust the applicable URL destinations because they represent cloud service regions and are needed for communication between the Workspace ONE UEM console server, the Workspace ONE Intelligence Connector, and the VMware cloud-based reports service.
Trust the api.sandbox.data.vmwservices.com
, artifactrepo.data.vmwservices.com
, and discovery.awmdm.com
URLs for all regions. The Workspace ONE Intelligence Connector installer calls these endpoints for a list of all supported regions.
Select your region to get the destinations for your allowlists.
URL Destination | Protocol | Port |
---|---|---|
api.sandbox.data.vmwservices.com |
HTTPS | 443 |
artifactrepo.data.vmwservices.com |
HTTPS | 443 |
discovery.awmdm.com |
HTTPS | 443 |
URL Destination | Protocol | Port |
---|---|---|
api.ca1.data.vmwservices.com |
HTTPS | 443 |
auth.ca1.data.vmwservices.com |
HTTPS | 443 |
ca1.data.vmwservices.com |
HTTPS | 443 |
config.ca1.data.vmwservices.com |
HTTPS | 443 |
eventproxy.ca1.data.vmwservices.com |
HTTPS | 443 |
URL Destination | Protocol | Port |
---|---|---|
api.eu1.data.vmwservices.com |
HTTPS | 443 |
auth.eu1.data.vmwservices.com |
HTTPS | 443 |
config.eu1.data.vmwservices.com |
HTTPS | 443 |
eu1.data.vmwservices.com |
HTTPS | 443 |
eventproxy.eu1.data.vmwservices.com |
HTTPS | 443 |
URL Destination | Protocol | Port |
---|---|---|
api.eu2.data.vmwservices.com |
HTTPS | 443 |
auth.eu2.data.vmwservices.com |
HTTPS | 443 |
config.eu2.data.vmwservices.com |
HTTPS | 443 |
eu2.data.vmwservices.com |
HTTPS | 443 |
eventproxy.eu2.data.vmwservices.com |
HTTPS | 443 |
URL Destination | Protocol | Port |
---|---|---|
api.au1.data.vmwservices.com |
HTTPS | 443 |
au1.data.vmwservices.com |
HTTPS | 443 |
auth.au1.data.vmwservices.com |
HTTPS | 443 |
config.au1.data.vmwservices.com |
HTTPS | 443 |
eventproxy.au1.data.vmwservices.com |
HTTPS | 443 |
URL Destination | Protocol | Port |
---|---|---|
ap1.data.vmwservices.com |
HTTPS | 443 |
api.ap1.data.vmwservices.com |
HTTPS | 443 |
auth.ap1.data.vmwservices.com |
HTTPS | 443 |
config.ap1.data.vmwservices.com |
HTTPS | 443 |
eventproxy.ap1.data.vmwservices.com |
HTTPS | 443 |
URL Destination | Protocol | Port |
---|---|---|
api.uk1.data.vmwservices.com |
HTTPS | 443 |
auth.uk1.data.vmwservices.com |
HTTPS | 443 |
config.uk1.data.vmwservices.com |
HTTPS | 443 |
eventproxy.uk1.data.vmwservices.com |
HTTPS | 443 |
uk1.data.vmwservices.com |
HTTPS | 443 |
UAT
URL Destination | Protocol | Port |
---|---|---|
auth.sandbox.data.vmwservices.com |
HTTPS | 443 |
config.sandbox.data.vmwservices.com |
HTTPS | 443 |
eventproxy.sandbox.data.vmwservices.com |
HTTPS | 443 |
sandbox.data.vmwareservices.com |
HTTPS | 443 |
Production
URL Destination | Protocol | Port |
---|---|---|
api.na1.data.vmwservices.com |
HTTPS | 443 |
auth.na1.data.vmwservices.com |
HTTPS | 443 |
config.na1.data.vmwservices.com |
HTTPS | 443 |
eventproxy.na1.data.vmwservices.com |
HTTPS | 443 |
na1.data.vmwservices.com |
HTTPS | 443 |
If you use a proxy server with the Workspace ONE Intelligence Connector in an on-premises deployment, you must allowlist (trust) specific URLs on the proxy server or the Workspace ONE Intelligence Connector installation fails.
Trust these URLs to install the Workspace ONE Intelligence Connector with proxy settings.
Destination | Protocol | Port |
---|---|---|
api.sandbox.data.vmwservices.com |
HTTPS | 443 |
artifactrepo.data.vmwservices.com |
HTTPS | 443 |
discovery.awmdm.com |
HTTPS | 443 |
If you use a Workflow Connector, including a Custom Connector, requests originate from the listed IPs based on region. If you use allow and deny lists in your firewall for your Workflow Connector destinations, allow the listed IPs for your region.
Note: These static IP addresses are for requests coming from Workspace ONE Intelligence to your network.
Region | IP Addresses |
---|---|
Canada | 35.182.84.243 35.182.84.210 |
Frankfurt | 18.194.235.124 35.156.127.8 18.195.111.228 |
Ireland | 52.50.246.37 54.76.120.187 52.214.71.240 |
Sydney | 52.63.121.101 13.54.94.114 13.236.27.201 |
Tokyo | 54.64.134.5 13.114.203.203 |
United Kingdom | 3.11.151.5 52.56.79.2 3.10.120.236 |
United States Production | 52.41.14.207 34.212.69.126 34.211.153.193 |
United States UAT | 50.112.69.240 52.10.157.26 52.89.177.218 |
The VMware Workspace ONE Intelligence Connector Service in an on-premises deployment collects data from your Workspace ONE UEM database and pushes it to the cloud service.
To install and use the Workspace ONE Intelligence Connector in your on-premises deployment, you must meet the listed hardware, software, and network requirements.
Component | Requirement |
---|---|
Server | 1 |
CPUs | 4 (2 GHz Intel processor) |
Memory | 8 GB |
Storage | 25 GB |
Important: The Workspace One Intelligence connector based on Oracle JDK 8 will reach end-of-support in the future and will no longer receive feature upgrades. Follow the steps in the Upgrading the Connector - moving from Oracle JDK 8 to OpenJDK 11 section to move from JDK 8 to OpenJDK 11 on this page.
Component | Requirement |
---|---|
Java | Java 8 (Connector support to end in the future) OpenJDK 11 |
OS | Windows Server 2012 R2, 2016, and 2019 |
SQL-based database for Workspace ONE UEM | Microsoft SQL Server, Standard and Enterprise, 2016 SP1 or later |
Source | Target | Protocol | Port |
---|---|---|---|
Workspace ONE Intelligence Connector | Applicable Trusted URLs | HTTPS | 443 |
Workspace ONE Intelligence Connector | Workspace ONE UEM Database | TCP | Use ports configured for secure communication in your individual Workspace ONE UEM on-premises deployment. For example, if you use Port 1433 for all internal network communication in your Workspace ONE UEM on-premises deployment, you can use port 1433 to communicate with the Workspace ONE UEM database. |
Workspace ONE UEM Console Server | api.{regionID}.data.vmwservices.com auth.{regionID}.data.vmwservices.com For example, the target URLs for a console server located in Canada are api.ca1.data.vmwservices.com and auth.ca1.data.vmwservices.com . |
HTTPS | 443 |
Workspace ONE UEM Device Services Server | api.{regionID}.data.vmwservices.com |
HTTPS | 443 |
To install the Workspace ONE Intelligence Connector, the person installing needs permissions for the following roles for the console and directory services servers.
Download the VMware Workspace ONE Intelligence Connector and use it for better performance on data import between your Workspace ONE UEM database and the cloud service.
If you have not already enabled this workflow, notice that the installer downloads a file on your desktop, cdc_enable_script.sql, and then stops. Open the cdc_enable_script.sql file and run the script manually on your Workspace ONE UEM database with db_owner permissions to enable the improved performance workflow. After the script runs successfully, rerun the Workspace ONE Intelligence Connector installer.
This workflow uses Change Data Capture (CDC), which is supported on SQL Server. CDC enhances the performance of data extraction by the Workspace ONE Intelligence Connector. For details about Microsoft SQL Server and the Workspace ONE Intelligence Connector, review the Software Requirements table.
As the Workspace ONE Intelligence Connector starts importing new data entities into Workspace ONE Intelligence, the CDC workflow becomes a prerequisite. The workflow is applicable to newly added data entities like device tags, device custom attributes, users, and product provisioning.
If you already have the Workspace ONE Intelligence Connector Service configured, reinstall the latest installer to unlock the CDC features. You must install the Workspace ONE Intelligence Connector on its own server. For additional information about the installation process of other Workspace ONE UEM application servers, refer to Workspace ONE UEM Installation.
Important
DBHostName,<customPortNumber>
, then select Browse to select the database server.db.acme.com, 8043
.vmware.workspaceone.sql:6521
.JVM_ARG=-DJDBC_URL=jdbc:sqlserver://SQLSERVERNAME;databaseName="Workspace ONE UEM Database Name"
.If the Workspace ONE Intelligence Connector installer does not launch, check the installer’s properties. In the properties attributes for the Workspace ONE Intelligence Connector installer, to to the General tab, Security section, and deactivate the Unblock check box.
The Workspace One Intelligence Connector based on Oracle JDK 8 will reach end-of-life (EOL) and will no longer be supported after December 18, 2023. It will no longer receive feature upgrades.
If you are unsure which Connector you are currently using, follow the procedure to see if you have the JDK 8-based Connector or the OpenJDK 11-based Connector.
{Connector Installation folder}/service directory
and locate the WDPETLService.exe.parameters file. JVM={Java Installation directory}/ Java/Jre1.8.0_301/bin/server/jvm.dll
. JVW={ETL Installation directory}/OpenJDK/bin/server/jvm.dll
. Upgrade your Intelligence Connector to OpenJDK 11 to receive the latest features. Follow the listed process to upgrade your existing Connector instances.
DBHostName,<customPortNumber>
, then select Browse to select the database server.db.acme.com, 8043
.vmware.workspaceone.sql:6521
.JVM_ARG=-DJDBC_URL=jdbc:sqlserver://SQLSERVERNAME;databaseName="Workspace ONE UEM Database Name"
.You can use the Workspace ONE Intelligence Connector in high availability (HA) deployments and for disaster recovery.
For HA, you need at least two connectors and you must set them for continuous access.
For HA to work with the Workspace ONE Intelligence Connector, use the supported version of Workspace ONE UEM required by Workspace ONE Intelligence.
Install and enable at least two Workspace ONE Intelligence Connectors for a single Workspace ONE Intelligence environment. Configure the connection between the Workspace ONE Intelligence Connector and the Workspace ONE UEM Database server.
When you configure HA for the Workspace ONE UEM Database, configure the Workspace ONE Intelligence Connector to connect to the SQL Server Always ON Listener.
Although all Workspace ONE Intelligence Connectors listen, only one is active and pushes data from the database to Workspace ONE Intelligence. If the active Workspace ONE Intelligence Connector fails, one of the other connectors activates and pushes data to Intelligence.
For disaster recovery, set at least two Connectors within each recovery site to help you resume work when something happens to your Workspace ONE deployment.
For disaster recovery to work, use the supported version of Workspace ONE UEM required by Workspace ONE Intelligence.
Install at least two Workspace ONE Intelligence Connectors in each disaster recovery site. Depending on your disaster recovery strategy, you can enable all the connectors across all sites or leave them deactivated on the passive sites until an incident occurs. When a disaster recovery site becomes active, one of the Workspace ONE Intelligence Connectors becomes active and starts pulling data from the Workspace ONE UEM Database server to Workspace ONE Intelligence. If the active connector fails, the other connector remains available to push data.
Note: If your disaster recovery strategy does not have a recovery server cluster always listening, the Workspace ONE Intelligence Connector still connects to the cluster during an event. However, it cannot support a comprehensive disaster recovery scenario because the cluster might have missed data from not listening.