Improve your daily operations for IT management with the Workspace ONE ITSM Connector for ServiceNow. With the ITSM Connector for ServiceNow, helpdesk and support organizations face can access Workspace ONE UEM and Workspace ONE Assist actions from within the ServiceNow portal.

Before You Begin

To configure this connector, you must be able to access the API settings and create API configurations in Workspace ONE UEM at the Organization Group relevant to this setup (typically the latest parent group including all device and application data).

ITSM for ServiceNow supported versions:

  • ServiceNow - Quebec or later
  • Workspace ONE UEM - 2107 or later
  • Workspace ONE Assist - 21.03 or later

Determine your authentication connection. Before configuring the connection in the application, create an OAuth 2.0 client on Workspace ONE UEM or a new dedicated account. Create a role with the required security rights.

For information on the following, see:

Install the Workspace ONE ITSM Connector for ServiceNow

With the Workspace ONE ITSM Connector for ServiceNow, Workspace ONE UEM device actions can only performed on Workspace ONE UEM enrolled devices. While it is not mandatory, consider installing the Service Graph connector for VMware Workspace ONE UEM prior to installing the ITSM connector. The Service Graph connector ensures that all Workspace ONE UEM devices and their details are available in ServiceNow. For more information, see Integration with ServiceNow CMDB.

Note: If the Service Graph connector is not installed, then ensure the device or the configuration item's operating system information that is used in the ServiceNow database matches the following operating system values.
  • Android: The operating system value must contain "android".
  • iOS device or configuration item: The operating system value must contain "iOS".
  • macOS device or configuration item: The operating system value must contain "mac".
  • Linux machines or configuration item: The operating system value must contain "Linux".
  • Windows desktops or configuration item: The operating system value must contain "windows".

To access Workspace ONE UEM and Workspace ONE Assist functionality from the ServiceNow Incidents page, download and install the VMware Workspace ONE ITSM Connector from the ServiceNow Store.

  1. Log in to your ServiceNow instance as an administrator.
  2. Install the VMware Workspace ONE ITSM Connector plugin from the plugins directory.
  3. Continue through the Guided Setup for the connector.

Configure the Workspace ONE ITSM Connector for ServiceNow

To set up the ITSM connector, you must have the necessary credentials. Search for and select the VMware Workspace ONE ITSM Connector.

To configure the ITSM connector, follow the guided setup. The following are the core configuration actions:
  • Configure the connection - Connects your ServiceNow instance to Workspace ONE UEM.
  • Configure the actions - Configures the actions available to the ITSM agents.
  • Configure the application defaults - Sets the defaults for the application behavior.
  • Assign Roles - Assigns VMware Workspace ONE ITSM Connector roles to Groups and Users.

Configure the Connection

The Workspace ONE ITSM Connector supports authentication to Workspace ONE UEM through an OAuth 2.0 client or a Basic Auth and tenant key. OAuth 2.0 is industry standard protocol for secure authentication and authorization for REST API calls.

Option 1: Configure OAuth Details

Use this option in the ServiceNow guided setup if you are using OAuth 2.0. All details for configuration are for the Workspace ONE UEM API. To complete configuration, select and update the following details:
  1. Go to the Configure OAuth Host details tab and select Configure.
  2. Update the Host text box with the hostname for the Workspace ONE UEM API.
  3. Select the Active check box.

    A warning message might display if you are switching from Basic Auth.

    All the other details on this page are preconfigured and should not be modified.

  4. Go to the Configure OAuth Client details tab and select Configure .
  5. Enter the OAuth Client details the Client ID.
  6. Update the Client Secret.
  7. Update the Token URL.

    All the other details on this page are preconfigured and should not be modified.

Option 2: Configure Basic Auth Details

Use this section in the ServiceNow guided setup if you are using Basic Auth Details. All details for configuration are for the Workspace ONE UEM API. To complete configuration, select and update the following details.

  1. Go to the Configure Basic Auth Host tab and select Configure.
  2. Update the Host text box with the hostname for the Workspace ONE UEM API.
  3. Select the Active check box.

    A warning message might display if you are switching from OAuth.

    All the other details on this page are preconfigured and should not be modified.

  4. Go to the Configure Basic Credentials tab and select Configure.
  5. Update the User Name and the Password text boxes with credentials of the Basic Auth account you created.
  6. Select Update.

    All the other details on this page are preconfigured and should not be modified.

  7. Go to the Configure Tenant Code tab and select Configure.
  8. Update the Value text box with the Tenant Code for the Workspace ONE UEM API. The Tenant Code for your instance appears in your Workspace ONE UEMinstance under Settings > System > Advanced > API > REST API > AirWatchAPI .
  9. Select Update.

Validate Connection Details

After configuring the OAuth or the Basic Auth details, validate the connection. This section is read-only and shows the previously configured key values.

When using OAuth 2.0, select Verify OAuth Token. A message appears confirming that a token can be retrieved. If an error is reported, then verify and fix the credentials. Repeat until it succeeds.

When using OAuth 2.0 or Basic Auth, select Test Connection. The connection to Workspace ONE UEM is verified. The version of the Workspace ONE UEMplatform appears. If there is an error code and error message, then the connection failed. If necessary, verify and update credentials.

Mark each tab as complete before configuring the actions.

Configure Service Desk

Configure all the actions available to the Service Desk Administrator. By default, all actions are available. Edit to remove actions that you do not need.

Configure Actions

Configure all the actions available to the Workspace ONE UEM Administrator. By default, all actions are available.

Complete the following to remove actions that you do not need:
  1. Search for and select the VMware Workspace ONE ITSM Connector.
  2. Click Setup.
  3. Select Configure Service Desk.
  4. Click Configure Actions.
  5. Click Configure.
  6. Select the actions that are not needed and remove them.
  7. Click Save.

Assign Roles

After configuring actions, you must assign roles. To assign roles, complete the following:

  1. Go to the Assign roles to User Groups or Assign roles to User tab and select Configure.
  2. Select the User or User Group.
  3. Go to the Role tab and select Edit to add the required roles.
  4. Select Save.

The Workspace ONE ITSM Connector application has preconfigured roles.

The WS1UEMStandard and WS1UEMAdvanced roles control what actions are available to the ServiceNow ITSM agents. With the WS1UEMConsoleViewer role, you can access the Workspace ONE UEM console from the Incident form if you need further investigation or actions.

There are also enhanced roles which add flexibility. With enhanced roles, individual actions can be assigned to users and groups. While the WS1UEMStandard and the WS1UEMAdvanced roles provide the default set of actions, each action has its own associated role that can be managed individually.

The following are the available actions and roles:

Action Role
WS1UEMStandard x_vmw_ws1uem.ws1uemstandard.
WS1UEMAdvanced x_vmw_ws1uem.ws1uemadvanced.
WS1UEMConsoleViewer x_vmw_ws1uem.ws1consoleviewer
Change Passcode x_vmw_ws1uem.ws1uemchangepasscode
Lock Device x_vmw_ws1uem.ws1uemlockdevice
Remote Assist x_vmw_ws1uem.ws1uemremoteassist
Request Device Log x_vmw_ws1uem.ws1uemdevicelogs
Send Message x_vmw_ws1uem.ws1uemsendmessage
Soft Reset x_vmw_ws1uem.ws1uemsoftreset
Sync Device x_vmw_ws1uem.ws1uemsyncdevice
Find Device x_vmw_ws1uem.ws1uemfinddevice
View Encryption Recovery Key x_vmw_ws1uem.ws1uemviewencryptionkeys
Add Device x_vmw_ws1uem.ws1uemadddevice 
Device Wipe x_vmw_ws1uem.ws1uemdevicewipe
Enterprise Wipe x_vmw_ws1uem.ws1uementerprisewipe
The following represents actions that are available for WS1UEMStandard and WS1UEMAdvanced.
Action WS1UEMStandard WS1UEMAdvanced
Change Passcode Yes Yes
Lock Device Yes Yes
Remote Assist Yes Yes
Request Device Log Yes Yes
Send Message Yes Yes
Soft Reset Yes Yes
Sync Device Yes Yes
Find Device Yes Yes
View Encryption Recovery Key Yes Yes
Add Device Yes Yes
Device Wipe No Yes
Enterprise Wipe No Yes

For descriptions of each action, see Device Actions.

Access-based New User Roles

Access-based roles for a new user in Workspace ONE UEM. For a new Workspace ONE UEM user, give the user the following permissions for a proper connection between the ITSM connector and Workspace ONE:

Category Edit Read
API > REST > Devices > REST API MDM Devices Yes No
API > REST >Devices > REST API Devices Write Yes No
API > REST >Devices > REST API Devices Execute Yes No
API > REST >Devices > REST API Devices Advanced Yes No
API > REST >Devices > REST API Devices Read No Yes
Assist Yes No
Device Management > Device Details > Messaging > Device Send Message Yes No
Device Management > Device Details > Messaging > Device Send Message Yes No
Device Management > Device Details > Messaging > Device Send Message Push Notification Yes No
Device Management > Device Details > Lock > Remote Device Lock Yes No
Device Management > Device Details > Enterprise Wipe > Device Remote mdm Yes No
Device Management > Device Details > Enterprise Wipe > Enterprise Reset Yes No
Device Management > Device Details > Device Wipe > Device Wipe Yes No
Device Management > Device Details > Passcode Yes No
Device Management > Device Details > Request Check-in Yes No
Device Management > Device Details > Remote Control Yes No
Device Management > Device Details > Remote View - Device Details Yes No
API > REST > Users > REST API Users Read No Yes

Configure Self-Service Catalog

The Self-Service Catalog gives employees the ability to resolve issues and perform common actions.

To use self-service actions, complete the following VMware Workspace ONE tasks.

Configure Catalog Category

All the self-service actions are available and active in the VMware Workspace ONE category.
Note: Adding the VMware Workspace ONE category is not necessary to use self-service actions. You can add self-service actions to other categories on the home page. If you want to add self-service actions to another category, then skip this section and go to the Configure Catalog Items section.
To add the VMware Workspace ONE category:
  1. Click Configure.
  2. On the Service Catalog home page, click +.
  3. Select the VMware Workspace ONE category.
  4. Click Add Here.

Configure Catalog Items

To configure self-service actions and assign the actions to categories, complete the following:

  1. Click Configure.
  2. Select Active.
  3. On the Accessibility tab, search for and select the Category.
  4. Click Update.

Assign Roles

After configuring Catalog Items, you must assign roles. Assign VMware Workspace ONE ITSM Connector self-service roles to Groups and Users. To assign roles, complete the following:

  1. Go to the Assign Roles tab, the User Groups tab, or the Assign Roles to User tab and select Configure.
  2. Select the User or the User Group.
  3. On the Role tab, click Edit to add the required roles.
  4. Click Save.
The following are the available self-service actions and roles:
Action Role
All Actions ** x_vmw_ws1uem.WS1CatalogAdvanced
Add Device x_vmw_ws1uem.ws1catalogadddevice
Change Passcode x_vmw_ws1uem.ws1catalogchangedevicepasscode
Find Device x_vmw_ws1uem.ws1catalogfinddevice
Lock Device x_vmw_ws1uem.ws1cataloglockdevice
Sync Device x_vmw_ws1uem.ws1catalogsyncdevice
View Encryption Recovery Key x_vmw_ws1uem.ws1catalogviewencryptionkey

Configure the Application Defaults

Configure the following Workspace ONE UEM default settings:
  • Workspace ONE UEM Note - For more audit capabilities, configure this setting to add a note to a device in Workspace ONE UEM after every successful action is performed. This note details the time, action, and the ServiceNow user that performed the action.
  • Workspace ONE UEM Email Validation Check - For all Workspace ONE UEM actions triggered within an incident, the ITSM Connector validates that the email address of the caller is the same as the email address retrieved from the device in Workspace ONE UEM.
  • Exception List for Email Validation - An exception list of the email addresses where the email validation check is not carried out. Individual emails can be added, or a semicolon separated list can be used for multiple entries.