Products

Think of products as an ordered installation of device profiles, applications, and files/actions to be either published to the relay server or pushed to devices based on the conditions you create. Products are the main feature of the Product Provisioning system in Workspace ONE UEM.

Product Basics

Products are made of individual components which include Hub/Agent Packages, Applications, Conditions, Event Actions, Files/Actions, and Profiles. Not every Product has each of these types of components. No matter how many or how few components your product has, you must create each individual component BEFORE you can make and provision a product.

Product Push to Device

After you create and activate products, you push them to devices based on conditions you define. Conditions determine when a product is downloaded and when it is installed. Content in products is pushed to devices through optional relay servers or content delivery networks (CDN). Applications (Android only) provisioned by way of products can be optionally run through a tunnel.

You push products to devices by way of smart group assignments. These groups control which devices get which product based on how you create the group, including software qualifiers like build version, currently installed apps, and hardware qualifiers like model number. You can also use Assignment Rules to match products and devices.

Note: In addition, you can ensure the product you provision from the console or from an API call is the exact same product that gets received by the device. This product verification is built into the provisioning process. If the product status is Compliant, then the product on the device matches the product provisioned. If validation discovers a mismatch, the console pushes the content to the device again to ensure compliance between the product and the device. In this way, the product ensures that your devices remain up-to-date.

Products in SaaS Environments Default to CDN Delivery

As a SaaS administrator, you can configure all products to be delivered to devices using the default content delivery network (CDN). Opting for CDN delivery frees significant resources in the console and ensures optimal performance.

By default, the setting for the organization group that hosts devices to be provisioned is set to Enabled. You can check this setting by navigating to Groups & Settings > All Settings > Admin > Product Provisioning and review the option Product Downloads Through CDN.

Product List View

Navigate to Devices > Provisioning > Product List View and see a full listing of all products in your environment.

You can download an XLSX or CSV (comma-separated values) file of the entire Product List View. You can then view and analyze this file with MS Excel. Select the Export button and select a download location.

Publish Product to Relay Server

You can publish products to the relay server even if there are no devices in the organization group (OG) associated with it. Publishing content directly to the relay server is ideal for when you have a complex product and you want to stage the server before device enrollment.

Navigate to Groups & Settings > All Settings > Admin > Product Provisioning and select the Enable slider for Queue Contents on Relay Servers without Assigned Devices.
Move into the appropriate OG that is associated with the relay server onto which you intend to publish the product.
Navigate to Devices > Provisioning > Product List View and select the product you want to publish to the relay server by selecting the radio button above the edit icon.
Select the Publish on Relay Servers button. The Organization Group screen displays with a drop-down menu. The drop-down menu contains a list of all child OGs and their parent, which you are currently in based on the move you made in step 2.
Select the specific OG which you intend to be the enrollment OG for devices. These devices are the future recipient of the product you are staging the server with.
Select the Publish button to publish the product to the relay server. If you select the parent OG in step 5, then any device that enrolls in any of its child OGs receives this product upon enrollment. If you want to select individual child OGs, you must repeat steps 4 through 6 for each OG.

Active and inactive products remain on the relay server. Active products are pushed immediately to devices once they enroll in the OG selected in step 5.

You can check the relay server file listing for the product. See View Remote Files on Relay Server.

Prioritize Your Product With Expedited Deployment

You can give priority to selected products while uploading them to relay servers ahead of other products. Expedited deployment prioritizes products in two different ways.

Products with the expedited deployment option are uploaded to the relay server or content delivery network ahead of other products.
Those prioritized products are deployed and installed on devices ahead of other products.

Expedited Role Permission Required

Your administrator account must have a role assigned that includes the resource / permission called Expedited Provisioning Policy Edit.

For more information about applying this permission to a role and adding to or editing a role in an admin account, see View or Edit the Resources of an Admin Role and Assign a Role or Edit the Role Loadout of an Admin.

Expedited Product List View

You can identify expedited products in the Products List View by looking for the This partial screenshot is the Expedited label that gets attached to products in the Product List View that have the Expedited Deployment option enabled. tag in the listing.

For more information about Expedited Deployment, see Create a Product.

Product Verification

Workspace ONE UEM lets you ensure the product you provision from the console or from an API call is the exact same product that gets received by the device. This product verification is built into the product provisioning process.

Verification happens on the device Hub side but both the device end user and the administrator on the console side is made aware of the product's status.

You can review each product status by navigating to Devices > Provisioning > Products List View. The policy engine re-evaluates this compliance status whenever the device reports a change in the state of the applications, profiles, and other content on the device.

Product Persistence, Android and WinRugg

Workspace ONE UEM lets you direct profiles, files-actions, and applications to remain on a device even after an enterprise reset. Content marked to persist is reinstalled after 1) an enterprise reset, 2) the Workspace ONE Intelligent Hub installs, and 3) the device restarts.

The help desk benefits the most from Product Persistence since it reinstalls required products and applications even after an enterprise reset.

Supported Devices

Product Persistence for Windows Rugged only applies to Motorola, Honeywell, Psion, Pideon, and Intermec devices running Windows Mobile.
Product Persistence for Android applies to the following.
- Zebra devices (Android Legacy and Android Enterprise Work Managed)
  For details about enabling Workspace ONE Intelligent Hub persistence on your Zebra Android device with the correct APF file, see Upload a Workspace ONE Intelligent Hub APF File, Upgrade File-Action.
- Honeywell devices (Android Legacy)
- Motorola rugged devices (Android Legacy)

How Persistence Works

A device must contain a staging configuration so that the Workspace ONE Intelligent Hub and enrollment reinstall following the enterprise reset. Staging configurations persist on a device.
Set to persist any profiles, files-actions, or applications that you want to remain on the device after the enterprise reset.
The device resets when the Enterprise Reset command is sent (see Product Management). After resetting, the restore process begins.
The Workspace ONE Intelligent Hub for the device reinstalls during the restore process.
After the Workspace ONE Intelligent Hub is installed, any persisted profiles, such as Wi-Fi, reinstall.
Any persisted files-actions or applications are reinstalled.

Operator Reference


Operator	Meaning	Syntax	Description	Example
=	equal, returns an identical match	expression = value	The expression can be any attribute reported by the device or the application. The value can be an integer, number, or a string.	`identity.ipAddress = '10.4.124.51'`
<>	not equal, used to return non matches	expression <> value	The expression can be any attribute reported by the device or the application. The value can be an integer or number.	`memory.totalExternalMemory <> '510'`
>	greater than	expression > value	The expression can be any attribute reported by the device. The value can be an integer or number.	`memory.totalExternalMemory > '510'`
<	less than	expression < value	The expression can be any attribute reported by the device. The value can be an integer or number.	`memory.totalExternalMemory < '510'`
>=	greater than or equal	expression >= value	The expression can be any attribute reported by the device. The value can be an integer or number.	`memory.totalExternalMemory >= '510'`
<=	less than or equal	expression <= value	The expression can be any attribute reported by the device. The value can be an integer or number.	`memory.totalExternalMemory <= '510'`
LIKE	returns matches of the pattern you specify in your value	expression LIKE value	The expression can be any attribute reported by the device or the application. The value can be an integer, number, or a string.	`identity.macAddress LIKE '02:15:b2:00:00:00'` For pattern, you can specify the complete value (for example, LIKE “02:15:b2:00:00:00”), or you can use wildcard characters to find a range of values (for example, LIKE “02:15%”).
NOT LIKE	returns non matches of the pattern you specify in your value	expression NOT LIKE value	The expression can be any attribute reported by the device or the application. The value can be an integer, number, or a string.	`identity.macAddress NOT LIKE '02:15:b2:00:00:00'` For pattern, you can specify the complete value (for example, NOT LIKE “02:15:b2:00:00:00”), or you can use wildcard characters to find a range of values (for example, NOT LIKE “02:15%”).
IN	returns true or false when the expression is found or not found	expression IN (list of custom attributes reported by device)	The expression can be any attribute reported by the device or the application. The custom attribute is a placeholder representing additional device info collected. For more information, see Custom Attributes.	`AgentVersion IN ('6.5.13.1','6.5.14.1', '6.6.12.1')` The IN operator works like a shorthand for multiple OR combined with = conditions. For example, `AgentVersion = 6.5.13.1` `OR AgentVersion = 6.5.14.1` `OR AgentVersion = 6.6.12.1`
NOT IN	returns the inverse of IN	expression NOT IN (list of custom attributes reported by device)	The expression can be any attribute reported by the device or the application. The custom attribute is a placeholder representing additional device info collected. For more information, see Custom Attributes.	`AgentVersion NOT IN ('6.5.13.1','6.5.14.1','6.6.12.1')` The NOT IN operator works like a shorthand for multiple AND combined with <> conditions. For example, `AgentVersion <> 6.5.13.1` `AND AgentVersion <> 6.5.14.1` `AND AgentVersion <> 6.6.12.1`
BETWEEN	returns values within a given range, inclusively (meaning the end values are included)	expression BETWEEN (any two values reported by the device)	The expression can be any attribute reported by the device. The value can be an integer or number.	`memory.totalInternalMemory BETWEEN '512' AND '1024'` The BETWEEN operator is shorthand for <=, an ajoining >=, combined with an AND logical operator. For example, `memory.totalInternalMemory >= 512` `AND memory.totalInternalMemory <= 1024`
AND	logical operator used to combine multiple assignment rules	assignment rule AND assignment rule	Both assignment rules apply.
OR	logical operator used to combine multiple assignment rules	assignment rule OR assignment rule	Either one assignment rule or the other (or both) applies.
NOT	logical operator used to invert an assignment rule	NOT assignment rule	allows you to express inverted conditions. If a condition is true, then the logical NOT operator makes it false, and vice-versa.