Define Actions on Resources Using Conditions

An end user can install any software apart from the managed applications that are deployed through the Software Distribution client. For example, the end user can be an administrator or a standard user and can install applications such as iTunes, Chrome, on the user’s device without triggering the User Account Control (UAC) prompt.

After the application is installed on the device, a newer version of the application might be released, and the old application versions are vulnerable to attacks. Sometimes, a zero-day vulnerability can occur without any ways to identify and remediate the application with an upgrade.

To mitigate such issues, administrators can create workflows to act on the resources based on certain conditions defined in the workflow. Various workflows can be defined based on the requirement. Workflows can be created based on the following criteria:

• Identify systems with a specific version of the software installed and provide a method of distributing a specific version of the software.
• Upgrade software without taking management of the affected software.
• Conditions based on the value of a sensor, whether a file exists at a specific path, or the values in a defined registry path.
• Schedule updates and deliver resources at a specific time for your business during which apps, profiles, and scripts are downloaded and installed.
• Configure workflow with conditions based on extended device inventory attributes.

Create Workflow with the Application Name and Application Version Condition

As an administrator, you can create a workflow to apply conditions that filter an application based on the application name and application version. You can select the Apps Exists or Apps Does Not Exist values in a condition to preview the applications that match the condition. The applications that are present in the application inventory across devices are displayed.

Note: An administrator can create a condition to check if an application name and a specific application version are installed on a device. When the condition is run on a device, the device first checks if the application is installed on the device and populates the results. In the results populated, the device checks if the specific application version is installed. There is no accurate versioning syntax for the applications. So, applying criteria like greater than or less than for alphanumeric application versions might not provide accurate results. However, when the actual workflow runs on the devices the system performs a more accurate search and populates the results.

This example demonstrates a scenario where an admin creates a workflow and adds a condition to the workflow. The condition checks if the latest version of the Zoom application is installed on the devices in a smart group. The admin first checks the existing version of the Zoom application on the device. If the latest version of the Zoom application is not installed, then the admin creates a step in the workflow to install the latest version of the Zoom application.

Prerequisites

Before you begin creating a workflow, you must add the latest version of the Zoom application to your system inventory. To add the required applications to the system inventory, navigate to your organization group (OG), and follow the procedure described in the Deploy Applications to devices topic of the Application Lifecycle Management guide.

Procedure

The following procedure describes the steps to create a workflow that checks the existing Zoom application version on the device and install the latest version of the Zoom application on the device.

1. Log in to the Workspace ONE UEM console.
2. Click Freestyle > Freestyle Orchestrator and click New.
3. Enter a name for the workflow in the New Freestyle Workflow. You can add an optional description to your workflow.
4. In the right admin panel Workflow Settings, select the Platform from the drop-down menu, and select Smart Groups that you want to assign this workflow.
5. In the left panel, click + > Condition.
6. In the right Admin Panel, under Check Condition 1, enter a name for the condition.
7. Click If > Application > Application Exists.
8. In the Filter (if) screen, select Application Exists.

9. In the Application name, select Contains, enter the Zoom as the application name, and in the Application version, select Less than or equal to, and enter 5.0.2 as the application version.

   Note: In this example, the admin defines a condition to check whether the Zoom application exists, and if the application exists, check whether the application version is earlier than or equal to 5.0.2.

10. Click Then > Add > Action > Application.

11. In the Install Application screen, search for the application and select the Zoom application from the list that is auto populated and, in the Version drop-down menu, select Latest.
12. Click the + Then and select Else.
13. In the right Admin Panel, click Install Application, and click Else.
14. On the Else screen, click Add to select Proceed to next step.

Note: If you want to change the action for the Else, then click the Change Action option in the Admin panel Else Proceed to next step screen.

1. Click Save to save your workflow.
2. Select your workflow from the Freestyle Orchestrator dashboard and click Publish to publish your workflow.

Results

You can view the workflow created in the Freestyle Orchestrator dashboard. When the devices check-in and the workflow are assigned to the devices, the device checks if the latest version of the Zoom application installed. If the version of the Zoom application installed is earlier than or equal to 5.0.2, then the device installs the latest version of the Zoom application.

Create Workflow with the File Exists Condition

You can use the condition feature of the workflow to check whether a specific file exists or does not exist on the device. In this example, the administrator creates a workflow to check if certain files in a specific path exist on the device. In case the file exists, then the admin can specify the actions to be taken for the file.

Prerequisites

Before you begin creating a workflow, you must add the latest version of the Excel application, that is, 11.0.0 to your system inventory. After you add the application, you can refer to the application resource in a workflow. To add the required applications to the system inventory, navigate to your organization group (OG), and follow the procedure described in the Deploy Applications to devices topic of the Application Lifecycle Management guide.

Procedure

The following procedure describes the steps to create a workflow that checks whether a file in a location exists on a device. If the file exists, then the version of the application installed on the device is checked. If an earlier version of the application exists on the device, then the admin creates a step to install the latest version of the application.

1. Log in to the Workspace ONE UEM console.
2. Click Freestyle > Freestyle Orchestrator and click New.
3. Enter a name for the workflow in the New Freestyle Workflow. You can add an optional description to your workflow.
4. In the right admin panel Workflow Settings, select the Platform from the drop-down, and select Smart Groups to which you want to assign this workflow.
5. In the left panel, click +, and select Condition.
6. In the right Admin Panel, under Check Condition 1, enter a name for the condition.
7. Click Select > File > File Exists.
8. Enter the following details in the File Exists condition. a. In File Path, select Equals, and enter C:\program files (x86)\microsoft\office\root\office15\excel.exe. b. In Version Number, select Less than or equal to, and enter 15.0. c. In Modified, select Before, and enter a date to filter the files modified before a particular date.
9. In the Filter (If) screen, click + Then > Add > Resource > Application.
10. In the Install Application screen, click on the Search and select, and enter Excel. Select the Excel application from the auto populated list.
11. In version, select 16.0.0 to be installed on the device.
12. Click Save to save your workflow. Workflow is saved and you can view the saved workflow in the Freestyle Orchestrator dashboard.
13. Select your workflow from the Freestyle Orchestrator dashboard and click Publish to publish your workflow.

Results

You can view the workflow created in the Freestyle Orchestrator dashboard. A workflow is created to check if the Excel file version 11.0.0 is available and if a lower version of the Excel is available then install the latest version.

Create Workflow with the Registry Exists Condition

You can use the condition feature of the workflow to check whether a specific registry key exists or does not exist on the device. In this example, the administrator creates a workflow to check if a registry key exists on the device, and if the registry key exists then the admin specifies an action to be taken for the registry key.

Note: The registry condition is only supported on Windows devices. You cannot add a registry condition for macOS devices.

Prerequisites

Before you begin creating a workflow, the Excel application must be added to the system inventory. To add the required applications to the system inventory, navigate to your organization group (OG), and follow the procedure described in the Deploy Applications to devices topic of the Application Lifecycle Management guide.

Procedure

The following procedure describes the steps to create a workflow to check whether a specific registry key exists on a device. If the registry key exists, then the admin creates a step to install the Excel application on the device.

1. Log in to the Workspace ONE UEM console.
2. Click Freestyle > Freestyle Orchestrator and click New.
3. Enter a name for the workflow in the New Freestyle Workflow. You can add an optional description to your workflow.
4. In the right Admin Panel Workflow settings, select the Platform from the drop-down menu, and select Smart Groups to which you want to assign this workflow.
5. In the left panel, click +, and select Condition.
6. In the right Admin Panel, under Check Condition 1, enter a name for the condition.
7. Click If > Registry, and select Exists.

8. Enter the following details in the Registry option.

   a. In the Registry Path, select Equals, and enter HKEY_LOCAL_MACHINE\SOFTWARE\Airwatch\Feature.

   b. In the Value Name option enter workflows, in Value type option select string, and in the Value data option select Equals and enter True.

9. Click + > Then > Add > Action > Application.

10. In Install Application, search for the Excel application, and select the application from the search results.
11. Select the Version to be installed from the drop-down menu.
12. Click Save to save your workflow. Workflow is saved and you can view the saved workflow in the Freestyle Orchestrator dashboard.
13. Select your workflow from the Freestyle Orchestrator dashboard and click Publish to publish your workflow.

Results

You can view the workflow created in the Freestyle Orchestrator dashboard. A workflow is created to check whether the HKEY_LOCAL_MACHINE\SOFTWARE\AIRWATCH\Feature\workflows registry exists on the devices, and if the value is true, then the system installs the Excel application on the devices.

Create Workflow with the Sensor Value Condition

The following procedure shows the steps to create an example workflow to use a sensor condition to determine if a device’s printer access is enabled. If the printer access is not enabled, the procedure provides steps to run a script on the device to refresh the printer configuration.

For more information about creating sensors, see the Collect Data with Sensors for macOS Devices topic in the macOS Device Management guide and the Collect Data with Sensors for Windows Desktop Devices topic in the Windows Desktop Documentation guide.

Prerequisites

Before creating a workflow, you must first create the sensor to check the printer access.

In this example, the macOS Bash sensor to check for printer access is named printer_status and the response data type is string.

/usr/bin/lpstat -p 2>/dev/null | awk '{print $5}' | sed '/^$/d' 

If the printer is configured correctly, this sensor must return the string enabled.

Next, create a script to refresh the printer service. For more information about creating scripts, see the * Create a Script for macOS Devices* topic in the macOS Device Management guide and the Create a Script for Windows Desktop Devices topic in the Windows Desktop Documentation guide.

In this example, the macOS Bash script to refresh the printer service is named refresh_printer.

do
	/usr/bin/cancel -ax
	/usr/sbin/cupsdisable $printer
	/usr/sbin/cupsenable $printer
	echo "Refreshed $printer"
done 

If this script runs successfully the script must complete with an exit (return) code of 0, in which the workflow updates the status as successful.

Procedure

The following procedure describes the steps to create a workflow with a sensor condition to check the printer status on all devices in the assigned smart group and then run a script on devices that cannot access the printer to refresh the configuration.

1. Log in to the Workspace ONE UEM console.
2. Click Freestyle > Freestyle Orchestrator and click New.
3. Enter a name for the workflow in the New Freestyle Workflow. You can add an optional description to your workflow.
4. In the right Admin Panel Workflow Settings, select the Platform from the drop-down, and select Smart Groups to which you want to assign this workflow.
5. In the left panel, click +, and select Condition.
6. In the right Admin Panel, under Check Condition 1 enter a name for the condition. For example, Check Printer Status.

7. Click Select > Sensor and click search in the Sensor screen. Note: In the Filter (If) screen, you can click the Additional Settings tab and enable the Re-evaluate Condition option. If the Re-evaluate Condition option is enabled, and the sensor value is modified or the workflow itself is modified, then if required, the condition is re-evaluated, and the workflow steps are retriggered.

8. Enter the sensor name printer_status and Does Not Include from the drop-down and enter enabled in the required information field.

9. Click + Then > Add > Action > Script.
10. In the right Admin Panel, click Search and Select under the Run Script > Script. All the available scripts are auto populated.
11. In the Results list, search for the refresh_printer script and click Select.
12. Click Save to save your workflow.
13. Click Publish to publish the workflow to all the selected devices upon device check-in.

Results

You can view the saved workflow in the Freestyle Orchestrator dashboard. When the workflow is assigned to the device, as per the order specified in the workflow, first the sensor to check for the printer status printer_status is run and then if needed, the script to refresh the printer configuration refresh_printer is run.

Create Workflow with the Time Window Condition

As an administrator, you can use the time window condition to schedule updates and deliver resources at a specific time for your business. You can define one-time, daily, weekly recurring time windows during which apps, profiles, and scripts are downloaded and installed. You can select a time window category such as business hours or maintenance hours and choose to take actions when the device is In or Not In time window.

The Time window condition re-evaluates every 30 minutes until the device meets the criteria. If there are multiple actions within a Time window condition, the condition is evaluated before each step. To apply the time window resource to a device, you must reference the time window resource as a condition in a workflow.

Prerequisites

Before you begin creating a workflow to apply the time window condition to a device, navigate to your organization group (OG) and create a time window resource. To create a time window resource, see the Make a Time Window and Apply it to Devices section in the Managing Devices guide. The Skype and Zoom applications must be added to the system inventory before adding the application resources in a condition.

Procedure

The following procedure describes the steps to create a workflow with a time window condition to check if the devices in the assigned smart group are in their respective maintenance window and then install the Skype and Zoom applications.

1. Log in to the Workspace ONE UEM console.
2. Click Freestyle > Freestyle Orchestrator and click New.
3. Enter a name for the workflow in the New Freestyle Workflow. You can add an optional description to your workflow.
4. In the right Admin Panel Workflow Settings, select the Platform from the drop-down, and select Smart Groups to which you want to assign this workflow. Note: Time window condition is only supported for Windows devices.
5. In the left panel, click +, and select Condition.
6. In the right Admin Panel, under Check Condition 1 enter a name for the condition. For example, Time window condition.
7. Click Select > Time Window and enter the following details:

8. Enter the following details in the **Time Window".

   a. Select In from the drop-down menu.

   b. Select Maintenance Hours from the drop-down menu.

   c. Click Then > Add > Action > Application.

   d. Search and select the Skype application to be installed on the device during the defined device maintenance hour.

   e. Search and select the Zoom application to be installed on the device during the defined device maintenance hour.

9. Click Save to save your workflow.

10. Click Publish to publish the workflow to all the selected devices upon device check-in.

Results

You can view the saved workflow in the Freestyle Orchestrator dashboard. When the workflow is run, the Skype and Zoom applications are installed when the devices are in their respective maintenance window.

Create Workflow with the Attributes Condition

As an administrator, you can use the attributes condition in a workflow to filter and review any incoming extended device inventory data on the individual devices.

In a scenario, where a problematic Bios Version has been identified on some devices, you can create a workflow to get a list of all the impacted devices where the specific Bios Version is present. For example, an OEM update application has upgraded some devices to Bios Version 6.0 which has an issue, and this Bios Version was applied to some devices. The following procedure shows the steps to create an example workflow to use the attributes condition to get a list of all the impacted devices with the problematic Bios Version and install an updated version of the Bios on the devices.

Prerequisites

Before you begin creating a workflow you must add the updated Bios Version 6.1 to your system inventory.

Procedure

The following procedure describes the steps to create a workflow and use the attributes condition in a workflow to obtain a list of all devices in a smart group with a specific version of the Bios Version installed.

1. Log in to the Workspace ONE UEM console.
2. Click Freestyle > Freestyle Orchestrator and click New.
3. Enter a name for the workflow in the New Freestyle Workflow. You can add an optional description to your workflow.
4. In the right Admin Panel Workflow Settings, select the Platform from the drop-down, and select Smart Groups to which you want to assign this workflow. Note: The software, system, and security device attribute condition are supported on Windows devices and the software and system attribute condition are supported on macOS devices.
5. In the left panel, click +, and select Condition.
6. In the right Admin Panel, under Check Condition 1 enter a name for the condition. For example, Bios Version check condition.
7. Click Select > Attributes > Software.

8. Enter the following details in the Software screen:

   a. Click the Select Attribute > System > Compute > *Bios > Bios Version and enter 6.0.

   b. Click Add > Application.

   d. Search and select the Bios Version 6.1 application to be installed on the device

   Note: The Bios application version 6.1 must be available in the system inventory for the application to be added in a workflow.

9. Click Save to save your workflow.

10. Click Publish to publish the workflow to all the selected devices upon device check-in.

Results

You can view the saved workflow in the Freestyle Orchestrator dashboard. When the workflow is run all the devices with the problematic Bios version are fetched and the updated version of the Bios application is installed.