Workspace ONE UEM Integration

Authorize Workspace ONE Intelligence to connect and share data with your Workspace ONE UEM deployment so that you can use Workspace ONE UEM data in dashboards, workflows, and reports. You set up Workspace ONE UEM as a Data Source and as a Workflow Connector.

Workspace ONE UEM as a Data Source

Set up Workspace ONE UEM as a Data Source so the reports data warehouse can ingest UEM data for use in Intelligence dashboards and reports.

Requirements

Have the listed information ready to configure Workspace ONE UEM as a Data Source. If you have an on-premises deployment, ensure that you meet the listed requirements.

  • Have your Workspace ONE UEM console URL.
  • Have your Workspace ONE UEM credentials.
  • On-premises deployments
    • On-premises deployments must install the Workspace ONE Intelligence Connector for communication between the reports infrastructure and dashboards. For details, see On-premises requirements.
    • For on-premises deployments that put the Workspace ONE UEM server behind a firewall, you can use workflows and API functionality. However, these deployments must use the Unified Access Gateway and set it as a reverse proxy. For details, see Configure Reverse Proxy With VMware Workspace ONE UEM API.

Procedure

  1. In Workspace ONE Intelligence, go to Integrations > Data Sources.
  2. Select Set Up on the Workspace ONE UEM card to authorize Workspace ONE UEM to share data with Intelligence.
  3. Select Get Started. Workspace ONE UEM manages endpoints and resources on these endpoints. After you authorize communication, you can use device and app data in your dashboards and reports.
  4. On the Authorization Details tab, enter your Workspace ONE UEM console URL in the Authorized URI text field, and select Connect to Workspace ONE UEM. The wizard adds https:// for you.
  5. The wizard directs you to your Workspace ONE UEM instance where you enter your Workspace ONE UEM credentials.
  6. For successful integration, you must select Accept to share Workspace ONE UEM data with Intelligence. You can accept or decline sharing UEM data with Intelligence. Either choice takes you back to Intelligence.

Results: The system returns you to Workspace ONE Intelligence. The Workspace ONE UEM card in Data Sources displays View instead of Set Up.

Workspace ONE UEM as a Workflow Connector

Set up Workspace ONE UEM as a Workflow Connector so that UEM actions are available for use in workflows.

Requirements

Requirements depend on the type of authentication you use and if you have an on-premises deployment.

  • Have your Workspace ONE UEM REST API URL. Find it in the UEM console at Groups & Settings > All Settings > System > Advanced > API > REST API, on the General tab.
    • Copy the REST API URL and remove /API from the end of the string, because you only need the base URL when you configure UEM as a workflow connector.
    • For example, if the REST API URL is https://asxxx.xxxx.com/API, remove /API. You only need https://asxxx.xxxx.com.
  • Decide if you are using OAuth2 authentication or basic authentication for the workflow connector section. Perform the listed steps based on your decision. If you are not using authentication, you can skip this requirement.
    • OAuth2 Authentication (SaaS only)
    • Basic Authentication
      • Use a Workspace ONE UEM administrator account specific for workflows with API permissions.
      • For details on how to configure admin accounts in Workspace ONE UEM, see Admin Accounts.
      • Configure an admin account in Workspace ONE UEM that manages workflows.
        • Give this admin the Monitor > Intelligence role.
        • Give this admin the API > REST role.
        • Configure this admin to use Basic Authentication for API communications.
  • On-premises deployments
    • On-premises deployments must install the Workspace ONE Intelligence Connector for communication between the reports infrastructure and dashboards. For details, see Installing the Intelligence Connector Service.
    • For on-premises deployments that put the Workspace ONE UEM server behind a firewall, you can use workflows and API functionality. However, these deployments must use the Unified Access Gateway and set it as a reverse proxy. For details, see Configure Reverse Proxy With VMware Workspace ONE UEM API.

Procedure

  1. Create a Workspace ONE UEM API Key in UEM so that UEM can communicate with Workspace ONE Intelligence. This step activates REST API communications, and you must do it no matter which authentication type you use: OAuth 2.0, Basic Authentication, or No Authentication.
    1. In Workspace ONE UEM, select the organization group where you want to launch Intelligence.
    2. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > API > REST API.
    3. Configure the settings on the General tab.
      • Select Enabled for Enable API Access to generate an API key for the service.
      • Select Add to generate an API Key.
      • Scroll down to the Service option that is empty but has a new string in the API Key field.
      • Record the API Key value. You enter it in Intelligence as the Workspace ONE UEM API Key.
      • Enter a descriptive name for the Service, such as Workflows.
      • Select Admin for the Account Type.
    4. Select the Authentication tab and select Enabled for the Basic authentication type.
    5. Save your settings.
  2. Add UEM as a Workflow Connector in Intelligence.
    1. In Workspace ONE Intelligence, go to Integrations > Workflow Connectors.
    2. Select Add.
    3. In the Add New Workflow Connector wizard, select Set Up Workspace ONE UEM. Set up UEM as a workflow connector so you can use UEM actions in workflows.
    4. Complete the configuration wizard.
      • Enter the REST API URL from the UEM console and remove /API from the base URL as outlined in the Requirements section. This URL is different from the Workspace ONE UEM API Key you created to activate REST API communications earlier in this process.
      • Select the Auth Type.
        • OAuth2 Authentication: Complete the settings using your OAuth Client information and your UEM API key you created earlier.
          • Enter the Client ID retrieved from the OAuth Client setup process.
          • For the Client Authentication Location, the option Send client credentials in body is selected by default.
          • For Grant Type, the option Client Credentials is selected by default.
          • Enter the OAuth2 Token URL. Enter the Token URL from the supported region defined in the Using UEM Functionality with a REST API article.
          • For Client Secret, enter the secret retrieved from the OAuth Client setup process.
          • Scope is optional, and you can leave this menu item blank. Scope is a restricting mechanism to control access to data and operations.
          • Workspace ONE UEM API Key: Enter the API key that the Workspace ONE UEM console generated when you activated REST API communications.
        • Basic: Complete the settings using your UEM administrator account and your UEM API key.
          • Enter the UEM User Name for the Workspace ONE UEM administrator account you created specific for workflows with API permissions.
          • Enter the Password for the UEM administrator.
          • Workspace ONE UEM API Key: Enter the API key that the Workspace ONE UEM console generated when you activated REST API communications.
        • No Authentication: This menu option requires no other settings except for your UEM API key.
          • Workspace ONE UEM API Key: Enter the API key that the Workspace ONE UEM console generated when you activated REST API communications.
    5. Save the settings.
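
What the connector settings in this procedure amount to on the wire, as an added example that is not VMware's code: it derives the base URL from the REST API URL, builds the OAuth2 token request with the wizard defaults, and builds the request headers for each Auth Type without sending anything. Assumptions: the function names are hypothetical, the API key is sent in UEM's aw-tenant-code header on every call, and an OAuth2 access token is presented as a Bearer token.

```python
import base64
from urllib.parse import urlencode, urlsplit

API_KEY_HEADER = "aw-tenant-code"  # assumption: the connector sends the API key here

def base_url(rest_api_url):
    """Remove the trailing /API and insist on a bare https base URL."""
    parts = urlsplit(rest_api_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("REST API URL must be an https URL")
    if parts.username or parts.query or parts.fragment:
        raise ValueError("REST API URL must not carry credentials or a query")
    path = parts.path.rstrip("/")
    if path.upper().endswith("/API"):
        path = path[:-4]
    if path:
        raise ValueError("unexpected path left after removing /API: " + path)
    return "https://" + parts.netloc

def token_request(token_url, client_id, client_secret, scope=""):
    """OAuth2 token request with the wizard defaults: Client Credentials
    grant, client credentials sent in the body, Scope optional."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if scope:
        form["scope"] = scope
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return "POST", token_url, headers, urlencode(form)

def api_headers(api_key, auth_type, username=None, password=None, token=None):
    """Headers for a UEM REST call; the API key is required for every Auth Type."""
    if not api_key:
        raise ValueError("Workspace ONE UEM API Key is required")
    headers = {API_KEY_HEADER: api_key, "Accept": "application/json"}
    if auth_type == "basic":
        if not (username and password):
            raise ValueError("Basic needs the workflow admin user name and password")
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    elif auth_type == "oauth2":
        if not token:
            raise ValueError("OAuth2 needs an access token from the Token URL")
        headers["Authorization"] = "Bearer " + token
    elif auth_type != "none":
        raise ValueError("unknown auth type: " + auth_type)
    return headers
```

With No Authentication the API key is the only value presented, and with Basic the administrator password is only base64-encoded, so both depend on HTTPS and on the workflow account holding no more than the roles listed in the Requirements section.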

Workspace ONE UEM actions for workflows

To decide which Workspace ONE UEM actions to use in your Workspace ONE Intelligence workflows, review action descriptions.

Requirements for using UEM actions

Before you can use the profile and application actions, you must configure them in Workspace ONE UEM with the listed settings and configurations.

  • Configure a profile with an Assignment Type (Optional or Auto) in the profile’s General payload.
  • You must configure and add an Assignment to an application.
  • You must deploy profiles and applications in Workspace ONE UEM to devices in a smart group. This deployment to smart groups is part of the assignment process for both applications and profiles.

If you do not assign and deploy applications and profiles before configuring the workflow, there is no data for Workspace ONE Intelligence to pull and the system cannot run the applicable workflow.

Descriptions of actions

Each entry lists the action name followed by its description.

  • Add Tag to Device: Adds a tag to the selected device in the Workspace ONE UEM console.
  • Approve Patch: Approves an individual Windows patch for installation. Enter the title or the knowledge base number of the patch. You can enter the Revision ID of the patch.
  • Change Device Organization Group: Moves an enrolled device to another organization group. Consider the resource assignments the device loses and gains after it moves from its original group to the new group.
  • Change Ownership Type: Updates the device ownership to Corporate-Dedicated, Corporate-Shared, or Employee Owned.
  • Clear Passcode: Removes a passcode requirement from a device so that a user can authenticate without it. Anyone can use this device after you automate this action.
  • Data Roaming: Activates or deactivates data roaming on iOS devices.
  • Delete Device: Deletes a device record from Workspace ONE UEM.
  • Enterprise Wipe Device: Removes management and corporate settings from an enrolled device.
  • Install Internal Application: Installs an internal application on a device that is uploaded and managed in Workspace ONE UEM.
  • Install Profile: Installs a Workspace ONE UEM profile to a device.
  • Install Public Application: Installs a public application on a device that is uploaded and managed in Workspace ONE UEM.
  • Install Purchased Application: Installs a purchased application on a device that is uploaded and managed in Workspace ONE UEM.
  • Lock Device: Forces a device to return to its lock screen.
  • Personal Hotspot: Activates or deactivates personal hotspot settings on iOS devices.
  • Query Device: Requests updated data from a device.
  • Remove Internal Application: Removes an internal application on a device that is uploaded and managed in Workspace ONE UEM.
  • Remove Profile: Removes a Workspace ONE UEM profile from a device.
  • Remove Public Application: Removes a public application on a device that is uploaded and managed in Workspace ONE UEM.
  • Remove Purchased Application: Removes a public application on a device that is uploaded and managed in Workspace ONE UEM.
  • Remove Tag from Device: Removes a tag from the selected device in the Workspace ONE UEM console.
  • Reprocess Product: Initiates a reprocessing of a Product Provisioning product job by the policy engine. Supports a reprocess and force reprocess.
  • Run Script: Runs a script on a device.
    • Associate your trigger with a UEM data source or with an Intelligence data source such as App Activity, Device Activity, or Device Experience Score.
    • To test this action, set up a manual workflow with Run Script that targets a single device. Execute the workflow, and then check that the script ran successfully.
  • Schedule OS Update: Schedules an OS update and forces an iOS device that is supervised and that is on 10.3 or later (depending on configurations) to update to the latest OS version.
    • DownloadOnly: Configures the action to download only the update to make it available for installation.
    • InstallASAP: Installs the downloaded OS update. This action only works if the OS update is downloaded to the device.
  • Send Email: Sends an email to a user with the SMTP server configured in the Workspace ONE UEM environment.
  • Send Push Notification: Sends a push notification to a managed application, either the Workspace ONE Intelligent Hub or VMware Content Locker.
  • Send SMS: Sends a notification to a device with the SMS gateway configured in the Workspace ONE UEM environment.
  • Stop AirPlay: Stops an AirPlay session on iOS devices.
  • Sync Device: Evaluates applications currently installed on a device and compares that state to the required applications configured in the Workspace ONE UEM console. The action prompts an installation command for any required applications that are missing from the device.
  • Voice Roaming: Activates or deactivates the ability to use voice roaming settings on iOS devices.