Workspace ONE Intelligence requires certain Workspace ONE components and systems in order to work. What components are required depend on your deployment, on-premises or SaaS. For the components to move data in an on-premises deployment, you must trust listed URL destinations depending on your deployment region. You also need the Workspace ONE Intelligence Connector Service. If you want to configure high availability and disaster recovery, there are some caveats to review before setting up the Connectors in these on-premises environments. Pertaining to SaaS deployments, find the regions for your Intelligence and other Workspace ONE products so that you can check the status of Workspace ONE in your area.

General Requirements

Before you can use Workspace ONE Intelligence features, you must turn on reports powered by Workspace ONE Intelligence (different from Workspace ONE UEM reporting). You must then install the Workspace ONE Intelligence Connector service (also known as the ETL installer).

How to Access Reports

  • Shared SaaS customers work with their account representatives to access reports powered by Workspace ONE Intelligence. These deployments do not need to install their own Workspace ONE Intelligence Connector server.
  • Dedicated SaaS customers work with their account representatives to access reports powered by Workspace ONE Intelligence. These deployments do not need to install their own Workspace ONE Intelligence Connector server.
  • On-premises customers work with their account representative to access reports powered by Workspace ONE Intelligence. These deployments must install their own Workspace ONE Intelligence Connector server.

Required Workspace ONE UEM Console Version

Workspace ONE Intelligence requires Workspace ONE UEM console v2004 or later.

Required Database Permissions

To install the Workspace ONE Intelligence Connector, the person installing needs permissions for the following roles for the console and directory services servers.

  • DBOwner for the Workspace ONE UEM database
  • DBDatareader for the MSDB
  • SQLAgentUserRole for the MSDB

Workspace ONE Intelligence Connector Server Requirements for On-Premises

You must install the Workspace ONE Intelligence Connector service on its own server before you can use Workspace ONE Intelligence features.

Hardware Requirements

Component Requirement
Server 1
CPUs 4 (2 GHz Intel processor)
Memory 8 GB
Storage 25 GB

Software Requirements

Component Requirement
Java Java 8
OS Windows Server 2012 R2, 2016, and 2019
SQL-based database for Workspace ONE UEM Microsoft SQL Server, Standard and Enterprise, 2016 SP1 or later

Network Requirements

Component Requirement
Outbound traffic from the Workspace ONE Intelligence Connector service Port 443
Protocol for outbound traffic from the Workspace ONE Intelligence Connector service HTTPS
Internal network access to the Workspace ONE UEM Database The port used is based on your Workspace ONE UEM deployment.

Trust Regions of the Cloud Service for On-Premises

On the server for the Workspace ONE Intelligence Connector, configure trust for specific URL destinations so that the connector installer can call the endpoints for a list of all supported regions. Also, trust other URL destinations depending on your region.

Proxy

If you use a proxy server and want to use it with the Workspace ONE Intelligence Connector, make sure your specific destinations are trusted. If you do not configure trust for the listed destinations, the installation can fail.

Compatibility Between UEM and Intelligence

For the most current information on the compatible versions between the two systems, access the KB article on VMware iKB Workspace ONE Intelligence - Compatibility with Workspace ONE UEM.

Trust Cloud Services Destinations for On-Premises

For successful communication in your on-premises Workspace ONE Intelligence deployment, either between your region's VMware cloud-based reports service and your on-premises Workspace ONE UEM database or between your proxy server used with the Workspace ONE Intelligence Connector, you must trust specific URLs.

Trust URLs by Region

Trust the applicable URL destinations because they represent cloud service regions and are needed for communication between the Workspace ONE UEM database and the cloud-based reports service.

Trust the api.sandbox.data.vmwservices.com, artifactrepo.data.vmwservices.com, and discovery.awmdm.com URLs for all regions. The installer calls these endpoints for a list of all supported regions.

Select your region to find the destinations to configure trust for your region.

All Regions

URL Destination Protocol Port
api.na1.region.data.vmwservices.com/v1/about/deployments HTTPS 443
api.sandbox.data.vmwservices.com HTTPS 443
artifactrepo.data.vmwservices.com HTTPS 443
discovery.awmdm.com HTTPS 443

Canada

URL Destination Protocol Port
api.ca1.data.vmwservices.com HTTPS 443
auth.ca1.data.vmwservices.com HTTPS 443
ca1.data.vmwservices.com HTTPS 443
config.ca1.data.vmwservices.com HTTPS 443
eventproxy.ca1.data.vmwservices.com HTTPS 443

Frankfurt

URL Destination Protocol Port
api.eu1.data.vmwservices.com HTTPS 443
auth.eu1.data.vmwservices.com HTTPS 443
config.eu1.data.vmwservices.com HTTPS 443
eu1.data.vmwservices.com HTTPS 443
eventproxy.eu1.data.vmwservices.com HTTPS 443

Ireland

URL Destination Protocol Port
api.eu2.data.vmwservices.com HTTPS 443
auth.eu2.data.vmwservices.com HTTPS 443
config.eu2.data.vmwservices.com HTTPS 443
eu2.data.vmwservices.com HTTPS 443
eventproxy.eu2.data.vmwservices.com HTTPS 443

Sydney

URL Destination Protocol Port
api.au1.data.vmwservices.com HTTPS 443
au1.data.vmwservices.com HTTPS 443
auth.au1.data.vmwservices.com HTTPS 443
config.au1.data.vmwservices.com HTTPS 443
eventproxy.au1.data.vmwservices.com HTTPS 443

Tokyo

URL Destination Protocol Port
ap1.data.vmwservices.com HTTPS 443
api.ap1.data.vmwservices.com HTTPS 443
auth.ap1.data.vmwservices.com HTTPS 443
config.ap1.data.vmwservices.com HTTPS 443
eventproxy.ap1.data.vmwservices.com HTTPS 443

United Kingdom

URL Destination Protocol Port
api.uk1.data.vmwservices.com HTTPS 443
auth.uk1.data.vmwservices.com HTTPS 443
config.uk1.data.vmwservices.com HTTPS 443
eventproxy.uk1.data.vmwservices.com HTTPS 443
uk1.data.vmwservices.com HTTPS 443

United States

UAT

URL Destination Protocol Port
auth.sandbox.data.vmwservices.com HTTPS 443
config.sandbox.data.vmwservices.com HTTPS 443
eventproxy.sandbox.data.vmwservices.com HTTPS 443
sandbox.data.vmwareservices.com HTTPS 443

Production

URL Destination Protocol Port
api.na1.data.vmwservices.com HTTPS 443
auth.na1.data.vmwservices.com HTTPS 443
config.na1.data.vmwservices.com HTTPS 443
eventproxy.na1.data.vmwservices.com HTTPS 443
na1.data.vmwservices.com HTTPS 443

Trust URLs for Proxy Server Use

If you configure to use a proxy with the Workspace ONE Intelligence Connector in an on-premises deployment, you must configure trust for specific URLs on the proxy server or the installation fails.

Where to Get Proxy Configurations in the Workspace ONE UEM Console

If you already have a proxy configured in the Workspace ONE UEM console, you can enable to use the proxy when you install the Workspace ONE Intelligence Connector. Get the configurations from the Workspace ONE UEM console in Groups & Settings > All Settings > Installation > Proxy > Console Proxy Settings.

Trust URLs to Insatll the Workspace ONE Intelligence Connector with Proxy Settings

Destination Protocol Port
api.sandbox.data.vmwservices.com HTTPS 443
artifactrepo.data.vmwservices.com HTTPS 443
discovery.awmdm.com HTTPS 443

Install the Intelligence Connector Service for On-Premises

The VMware Workspace ONE Intelligence Connector Service collects data from your Workspace ONE UEM database and pushes it to the cloud service.

Download the VMware Workspace ONE Intelligence Connector and use it for better performance on data import between your Workspace ONE UEM database and the cloud service.

If you have not already enabled this workflow and you use Workspace ONE UEM console 1907 or later, notice that the installer downloads a file on your desktop, cdc_enable_script.sql, and then stops. Open the cdc_enable_script.sql file and run the script manually on your Workspace ONE UEM database with db_owner permissions to enable the improved performance workflow. After the script runs successfully, rerun the Workspace ONE Intelligence Connector installer.

This workflow uses Change Data Capture (CDC), which is supported on SQL Server. CDC enhances the performance of data extraction by the Workspace ONE Intelligence Connector. For details about Microsoft SQL Server and the Workspace ONE Intelligence Connector, access the Software Requirements table in the Workspace ONE Intelligence Requirements topic.

As the Workspace ONE Intelligence Connector starts importing new data entities into Workspace ONE Intelligence, the CDC workflow becomes a prerequisite. The workflow is applicable to newly added data entities like device tags, device custom attributes, users, and product provisioning.

If you already have the Workspace ONE Intelligence Connector Service configured, reinstall the latest installer to unlock the CDC features. You must install the Workspace ONE Intelligence Connector on its own server. For additional information about the installation process of other Workspace ONE UEM application servers, refer to the VMware Workspace ONE UEM Installation Guide.

Important

  • If you upgrade the Workspace ONE UEM database as part of the upgrade process, you must stop the Workspace ONE Intelligence Connector Service during the Workspace ONE UEM database upgrade. You must then restart the service after finishing the upgrade process.
  • If you must change the setting for Deployment Region, do not run the installer again.

Connector Installer Troubleshooting Tip - Disable Unblock in Properties

If the Workspace ONE Intelligence Connector installer does not launch, check the installer's properties. In the properties attributes for the Workspace ONE Intelligence Connector installer, to to the General tab, Security section, and disable the Unblock check box.

Prerequisites

  • Ensure you have configured trust for the applicable URLs so the connector installation process can communicate with the correct cloud-based reports service.
  • If you use a proxy server and want to use it with the Workspace ONE Intelligence Connector, make sure you have configured trust for specific destinations. If you do not trust the listed destinations, the installation can fail.
  • Meet the hardware, software, and network requirements needed to install, configure, and use VMware Workspace ONE Intelligence.

Procedure

  1. Download the Workspace ONE Intelligence Connector installer on to the server you configured for the service.
  2. Run the installer.
  3. Accept the Terms of Use.
  4. Ensure that the Workspace ONE Intelligence Connector Service is selected as a feature to install. The installer detects the version of Java installed on the application server. If the installer does not detect the required version, the required version installs.
  5. Select the Destination Folder in which to install the Workspace ONE Intelligence Connector Service.
  6. Enter the database server settings.
    • Database server that you are installing to: Select Browse next to the Database server text box and select your Workspace ONE UEM database from the list.
      • If you are using a custom port, do not select Browse. Instead, use the following syntax: DBHostName,<customPortNumber>, then select Browse to select the database server.
      • For example, enter db.acme.com, 8043.
      • If your Workspace ONE UEM database name has a space, you must perform extra steps.
        • Open the WDPETLService.exe.parameters in the service folder of the Workspace ONE Intelligence Connector installation in administrator mode.
        • Update the parameter to ensure the databaseName value is enclosed in quotes. Here is an example, JVM_ARG=-DJDBC_URL=jdbc:sqlserver://SQLSERVERNAME;databaseName="Workspace ONE UEM Database Name".
    • Connect using: Select one of the following authentication methods.
      • Windows Authentication uses a service account on the Windows server to authenticate. You are prompted to enter the service account that you want to use. This service account is used to run all the application pools and Workspace ONE UEM-related services. The service account must have Workspace ONE UEM database access.
      • SQL Server Authentication uses the SQL server authentication method. You are prompted to enter the user name and password.
    • Name of database catalog: Enter the name of the Workspace ONE UEM database or browse the SQL server and select it from a list.
  7. (Optional) Enter proxy information. Find this information in the Workspace ONE UEM console in Groups & Settings > All Settings > Installation > Proxy > Console Proxy Settings.
  8. Configure the Workspace ONE Intelligence Connector Service settings.
    1. Select the deployment region for your cloud service. Ensure that the right region is selected. Do not run the installer again if you must change this region in the future. If you upgrade your Workspace ONE Intelligence Connector Service from a previous version, this screen does not display because you cannot change your region during an upgrade.
    2. Enter your Workspace ONE UEM Installation Token. This token is created as part of the Workspace ONE UEM Installation process.
  9. Select Install to install the Workspace ONE Intelligence Connector Service. After the installation finishes, select Finish.

High Availability and Disaster Recovery Support with the Workspace ONE Intelligence Connector

You can use the Workspace ONE Intelligence Connector in high availability (HA) deployments and for disaster recovery.

High Availability

For HA, you need at least two connectors and you must set them for continuous access. For disaster recovery, set at least two Connectors within each recovery site to help you resume work when something happens to your Workspace ONE deployment.

For HA to work with the Workspace ONE Intelligence Connector, use the supported version of Workspace ONE UEM required by Workspace ONE Intelligence.

High Availability Example

General High Availability Setup

Install and enable at least two Workspace ONE Intelligence Connectors for a single Workspace ONE Intelligence environment. Configure the connection between the Workspace ONE Intelligence Connector and the Workspace ONE UEM Database server.

When you configure HA for the Workspace ONE UEM Database, configure the Workspace ONE Intelligence Connector to connect to the SQL Server Always ON Listener.

Although all Workspace ONE Intelligence Connectors listen, only one is active and pushes data from the database to Workspace ONE Intelligence. If the active Workspace ONE Intelligence Connector fails, one of the other connectors activates and pushes data to Intelligence.

Find the Active Workspace ONE Intelligence Connector

You can find the active Workspace ONE Intelligence Connector in an HA setup in the Workspace ONE Intelligence console at Reports > Sync Status > Workspace ONE Intelligence Connector Server > Server name.

Disaster Recovery

For disaster recovery to work with the Workspace ONE Intelligence Connector, use the supported version of Workspace ONE UEM required by Workspace ONE Intelligence.

Disaster Recovery Example

General Disaster Recovery Setup

Install at least two Workspace ONE Intelligence Connectors in each disaster recovery site. Depending on your disaster recovery strategy, you can enable all the connectors across all sites or leave them disabled on the passive sites until an incident occurs. When a disaster recovery site becomes active, one of the Workspace ONE Intelligence Connectors becomes active and starts pulling data from the Workspace ONE UEM Database server to Workspace ONE Intelligence. If the active connector fails, the other connector remains available to push data.

Note: If your disaster recovery strategy does not have a recovery server cluster always listening, the Workspace ONE Intelligence Connector still connects to the cluster during an event. However, it cannot support a comprehensive disaster recovery scenario because the cluster might have missed data from not listening.

Find the Active Workspace ONE Intelligence Connector

You can find the active Workspace ONE Intelligence Connector in a disaster recovery setup in the Workspace ONE Intelligence console at Reports > Sync Status > Workspace ONE Intelligence Connector Server > Server name.

Workspace ONE SaaS Environments Mapped to Intelligence Regions

Your Workspace ONE Intelligence region is assigned based on the locations of your Workspace ONE SaaS environments.

Find mappings of Workspace ONE Intelligence regions for the listed Workspace ONE products.

  • Workspace ONE Access
  • Workspace ONE UEM

Workspace ONE Intelligence Region by Workspace ONE Product

Workspace ONE Intelligence Region Workspace ONE UEM SaaS Deployment Location Workspace ONE Access SaaS URL
Canada Canada vmwareidentity.ca
Frankfurt Germany vmwareidentity.de
Ireland United Kingdom vmwareidentity.com.uk
Sydney Australia vmwareidentity.com.au
Tokyo India vmwareidentity.asia
Tokyo Japan vmwareidentity.asia
Tokyo Singapore vmwareidentity.asia
United Kingdom United Kingdom vmwareidentity.com.uk
United States Canada vmwareidentity.com
United States United States vmwareidentity.com
check-circle-line exclamation-circle-line close-line
Scroll to top icon