Workspace ONE Intelligence Requirements

Workspace ONE Intelligence requires certain Workspace ONE components and systems in order to work. Which components are required depends on your deployment: on-premises or SaaS.

For the components to move data in an on-premises deployment, you must trust the listed URL destinations for your deployment region. You also need the Workspace ONE Intelligence Connector Service.

If you want to configure high availability and disaster recovery, there are some caveats to review before setting up the Connectors in these on-premises environments.

For SaaS deployments, find the regions for your Intelligence and other Workspace ONE products so that you can check the status of Workspace ONE in your area.

Encryption of communications

In GovCloud instances, Workspace ONE Intelligence sends system-generated emails using Forced TLS. Forced TLS means that if your email server does not support encryption, you do not receive system-generated emails. If your SMTP (email) server already supports encryption, then you do not need to make changes in your environment. If your SMTP server does not support encryption, then you must make changes to receive system-generated emails.

Workspace ONE Intelligence is configured to use Opportunistic TLS in non-GovCloud instances. Opportunistic TLS means that the VMware email server used by Workspace ONE Intelligence initially tries to communicate with your email server using strong encryption. If your server does not support encryption, then Workspace ONE Intelligence sends the communication in clear text. If your SMTP server does not support encryption, consider activating TLS to increase the overall security of your email notifications, because emails can contain sensitive information.

Workspace ONE Intelligence is working to send all system-generated emails using Forced TLS in all environments.
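
To find out which of the two behaviors applies to your mail server, check whether it advertises the STARTTLS extension in its EHLO reply. The following Python sketch is an added example, not VMware code; the sample EHLO reply and the host name mail.example.com are constructed, and certificate verification in probe() is an assumption of this example rather than a stated Workspace ONE behavior.

```python
import smtplib
import ssl

# Constructed EHLO reply, in the multi-line format an SMTP server returns.
SAMPLE_EHLO = """250-mail.example.com Hello
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 HELP"""


def ehlo_extensions(reply):
    """Return the set of extension keywords advertised in an EHLO reply."""
    extensions = set()
    for line in reply.strip().splitlines()[1:]:  # line 1 is the server greeting
        parts = line[4:].split() if line.startswith("250") else []
        if parts:
            extensions.add(parts[0].upper())
    return extensions


def delivery_outcome(extensions, forced_tls):
    """Map STARTTLS support to the outcome the page describes for each mode."""
    if "STARTTLS" in extensions:
        return "encrypted"
    return "not delivered" if forced_tls else "clear text"


def probe(host, port=25, timeout=10):
    """Live check against your own SMTP server (requires network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as server:
        server.ehlo()
        if not server.has_extn("starttls"):
            return {"starttls": False, "tls_version": None}
        # Assumption: verify the certificate against the system trust store.
        server.starttls(context=ssl.create_default_context())
        server.ehlo()
        return {"starttls": True, "tls_version": server.sock.version()}


if __name__ == "__main__":
    exts = ehlo_extensions(SAMPLE_EHLO)
    for forced in (True, False):
        mode = "Forced TLS" if forced else "Opportunistic TLS"
        print(mode, "->", delivery_outcome(exts, forced))
```

Call probe() with the host name of your own inbound SMTP server to run the same check live.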

General requirements

Before you can use Workspace ONE Intelligence features, you must turn on reports powered by Workspace ONE Intelligence (different from Workspace ONE UEM reporting). You must then install the Workspace ONE Intelligence Connector service (also known as the ETL installer).

How to access reports

  • Shared SaaS customers work with their account representatives to access reports powered by Workspace ONE Intelligence. These deployments do not need to install their own Workspace ONE Intelligence Connector server.
  • Dedicated SaaS customers work with their account representatives to access reports powered by Workspace ONE Intelligence. These deployments do not need to install their own Workspace ONE Intelligence Connector server.
  • On-premises customers work with their account representative to access reports powered by Workspace ONE Intelligence. These deployments must install their own Workspace ONE Intelligence Connector server.

Required Workspace ONE UEM console version

Workspace ONE Intelligence requires the minimum supported version of the Workspace ONE UEM console. For general availability, end of availability, and the end of support dates for all Workspace ONE UEM console releases, see the knowledge base article Workspace ONE (WS1) UEM Console Release and End of General Support Matrix.

Required database permissions

To install the Workspace ONE Intelligence Connector, the person installing needs permissions for the following roles for the console and directory services servers.

  • DBOwner for the Workspace ONE UEM database
  • DBDatareader for the MSDB
  • SQLAgentUserRole for the MSDB

Workspace ONE Intelligence Connector server requirements for on-premises

You must install the Workspace ONE Intelligence Connector service on its own server before you can use Workspace ONE Intelligence features.

Hardware requirements

| Component | Requirement |
|---|---|
| Server | 1 |
| CPUs | 4 (2 GHz Intel processor) |
| Memory | 8 GB |
| Storage | 25 GB |

Software requirements

| Component | Requirement |
|---|---|
| Java | Java 8 |
| OS | Windows Server 2012 R2, 2016, and 2019 |
| SQL-based database for Workspace ONE UEM | Microsoft SQL Server, Standard and Enterprise, 2016 SP1 or later |

Network requirements

| Component | Requirement |
|---|---|
| Outbound traffic from the Workspace ONE Intelligence Connector service | Port 443 |
| Protocol for outbound traffic from the Workspace ONE Intelligence Connector service | HTTPS |
| Internal network access to the Workspace ONE UEM Database | The port used is based on your Workspace ONE UEM deployment. |

Configure trust for Cloud Services destinations for on-premises

For successful communication in your on-premises Workspace ONE Intelligence deployment, you must trust specific URLs. This applies both to communication between your region's VMware cloud-based reports service and your on-premises Workspace ONE UEM database and to communication through a proxy server used with the Workspace ONE Intelligence Connector.

Compatibility between UEM and Intelligence

For the most current information on the compatible versions between the two systems, see the VMware KB article Workspace ONE Intelligence - Compatibility with Workspace ONE UEM.

Trust URLs by region

Trust the applicable URL destinations because they represent cloud service regions and are needed for communication between the Workspace ONE UEM database and the cloud-based reports service.

Trust the api.sandbox.data.vmwservices.com, artifactrepo.data.vmwservices.com, and discovery.awmdm.com URLs for all regions. The installer calls these endpoints for a list of all supported regions.

Select your region to find the destinations to configure trust for your region.

All Regions

URL Destination Protocol Port
api.na1.region.data.vmwservices.com/v1/about/deployments HTTPS 443
api.sandbox.data.vmwservices.com HTTPS 443
artifactrepo.data.vmwservices.com HTTPS 443
discovery.awmdm.com HTTPS 443

Canada

URL Destination Protocol Port
api.ca1.data.vmwservices.com HTTPS 443
auth.ca1.data.vmwservices.com HTTPS 443
ca1.data.vmwservices.com HTTPS 443
config.ca1.data.vmwservices.com HTTPS 443
eventproxy.ca1.data.vmwservices.com HTTPS 443

Frankfurt

URL Destination Protocol Port
api.eu1.data.vmwservices.com HTTPS 443
auth.eu1.data.vmwservices.com HTTPS 443
config.eu1.data.vmwservices.com HTTPS 443
eu1.data.vmwservices.com HTTPS 443
eventproxy.eu1.data.vmwservices.com HTTPS 443

Ireland

URL Destination Protocol Port
api.eu2.data.vmwservices.com HTTPS 443
auth.eu2.data.vmwservices.com HTTPS 443
config.eu2.data.vmwservices.com HTTPS 443
eu2.data.vmwservices.com HTTPS 443
eventproxy.eu2.data.vmwservices.com HTTPS 443

Sydney

URL Destination Protocol Port
api.au1.data.vmwservices.com HTTPS 443
au1.data.vmwservices.com HTTPS 443
auth.au1.data.vmwservices.com HTTPS 443
config.au1.data.vmwservices.com HTTPS 443
eventproxy.au1.data.vmwservices.com HTTPS 443

Tokyo

URL Destination Protocol Port
ap1.data.vmwservices.com HTTPS 443
api.ap1.data.vmwservices.com HTTPS 443
auth.ap1.data.vmwservices.com HTTPS 443
config.ap1.data.vmwservices.com HTTPS 443
eventproxy.ap1.data.vmwservices.com HTTPS 443

United Kingdom

URL Destination Protocol Port
api.uk1.data.vmwservices.com HTTPS 443
auth.uk1.data.vmwservices.com HTTPS 443
config.uk1.data.vmwservices.com HTTPS 443
eventproxy.uk1.data.vmwservices.com HTTPS 443
uk1.data.vmwservices.com HTTPS 443

United States

UAT

URL Destination Protocol Port
auth.sandbox.data.vmwservices.com HTTPS 443
config.sandbox.data.vmwservices.com HTTPS 443
eventproxy.sandbox.data.vmwservices.com HTTPS 443
sandbox.data.vmwareservices.com HTTPS 443

Production

URL Destination Protocol Port
api.na1.data.vmwservices.com HTTPS 443
auth.na1.data.vmwservices.com HTTPS 443
config.na1.data.vmwservices.com HTTPS 443
eventproxy.na1.data.vmwservices.com HTTPS 443
na1.data.vmwservices.com HTTPS 443

Trust URLs for proxy server use

If you configure a proxy for use with the Workspace ONE Intelligence Connector in an on-premises deployment, you must configure trust for specific URLs on the proxy server or the installation fails.

Where to get proxy configurations in the Workspace ONE UEM console

If you already have a proxy configured in the Workspace ONE UEM console, you can use that proxy when you install the Workspace ONE Intelligence Connector. Get the configurations from the Workspace ONE UEM console in Groups & Settings > All Settings > Installation > Proxy > Console Proxy Settings.

Trust these URLs to install the Workspace ONE Intelligence Connector with proxy settings.

Destination Protocol Port
api.sandbox.data.vmwservices.com HTTPS 443
artifactrepo.data.vmwservices.com HTTPS 443
discovery.awmdm.com HTTPS 443

Outbound Connector trusted IP addresses

If you use an Outbound Connector, including a Custom Connector, requests originate from the listed IPs based on region. If you use allow and deny lists in your firewall for your Outbound Connector destinations, allow the listed IPs.

Note: These static IP addresses are for requests coming from Workspace ONE Intelligence to your network.

| Region | IP Addresses |
|---|---|
| Canada | 35.182.84.243, 35.182.84.210 |
| Frankfurt | 18.194.235.124, 35.156.127.8, 18.195.111.228 |
| Ireland | 52.50.246.37, 54.76.120.187, 52.214.71.240 |
| Sydney | 52.63.121.101, 13.54.94.114, 13.236.27.201 |
| Tokyo | 54.64.134.5, 13.114.203.203 |
| United Kingdom | 3.11.151.5, 52.56.79.2, 3.10.120.236 |
| United States Production | 52.41.14.207, 34.212.69.126, 34.211.153.193 |
| United States UAT | 50.112.69.240, 52.10.157.26, 52.89.177.218 |

Install the Intelligence Connector Service for on-premises

The VMware Workspace ONE Intelligence Connector Service collects data from your Workspace ONE UEM database and pushes it to the cloud service.

Download the VMware Workspace ONE Intelligence Connector and use it for better performance on data import between your Workspace ONE UEM database and the cloud service.

If you have not already enabled this workflow, the installer downloads a file, cdc_enable_script.sql, to your desktop and then stops. Open the cdc_enable_script.sql file and run the script manually on your Workspace ONE UEM database with db_owner permissions to enable the improved performance workflow. After the script runs successfully, rerun the Workspace ONE Intelligence Connector installer.

This workflow uses Change Data Capture (CDC), which is supported on SQL Server. CDC enhances the performance of data extraction by the Workspace ONE Intelligence Connector. For details about Microsoft SQL Server and the Workspace ONE Intelligence Connector, access the Software Requirements table in the Workspace ONE Intelligence Requirements topic.

As the Workspace ONE Intelligence Connector starts importing new data entities into Workspace ONE Intelligence, the CDC workflow becomes a prerequisite. The workflow is applicable to newly added data entities like device tags, device custom attributes, users, and product provisioning.

If you already have the Workspace ONE Intelligence Connector Service configured, reinstall the latest installer to unlock the CDC features. You must install the Workspace ONE Intelligence Connector on its own server. For additional information about the installation process of other Workspace ONE UEM application servers, refer to the VMware Workspace ONE UEM Installation Guide.

Important

  • If you upgrade the Workspace ONE UEM database as part of the upgrade process, you must stop the Workspace ONE Intelligence Connector Service during the Workspace ONE UEM database upgrade. You must then restart the service after finishing the upgrade process.
  • If you must change the setting for Deployment Region, do not run the installer again.

Connector installer troubleshooting tip - deactivate unblock in properties

If the Workspace ONE Intelligence Connector installer does not launch, check the installer's properties. In the properties for the Workspace ONE Intelligence Connector installer, go to the General tab, Security section, and deactivate the Unblock check box.

Prerequisites

  • Ensure you have configured trust for the applicable URLs so the connector installation process can communicate with the correct cloud-based reports service.
  • If you use a proxy server and want to use it with the Workspace ONE Intelligence Connector, make sure you have configured trust for specific destinations. If you do not trust the listed destinations, the installation can fail.
  • Meet the hardware, software, and network requirements needed to install, configure, and use VMware Workspace ONE Intelligence.

Procedure

  1. Download the Workspace ONE Intelligence Connector installer onto the server you configured for the service.
  2. Run the installer.
  3. Accept the Terms of Use.
  4. Ensure that the Workspace ONE Intelligence Connector Service is selected as a feature to install. The installer detects the version of Java installed on the application server. If the installer does not detect the required version, the required version installs.
  5. Select the Destination Folder in which to install the Workspace ONE Intelligence Connector Service.
  6. Enter the database server settings.
    • Database server that you are installing to: Select Browse next to the Database server text box and select your Workspace ONE UEM database from the list.
      • If you use a custom port, do not select Browse. Instead, use the following syntax: DBHostName,<customPortNumber>, then select Browse to select the database server.
      • For example, enter db.acme.com, 8043.
      • If you use a custom port for database connections, you must manually update the separator between the host and the port in the installation directory. To make this update, follow the listed steps.
        1. After the Workspace ONE Intelligence Connector is successfully installed, stop the Workspace ONE Intelligence Connector Service.
        2. Update the JDBC_URL JVM parameter in the WDPETLService.etl.parameters file in the installation directory.
          • Replace the comma (,) separator between the host and port with a colon (:).
          • Example: vmware.workspaceone.sql:6521.
        3. Restart the Workspace ONE Intelligence Connector Service.
          Note: We are working to automate the replacement of the comma with the colon so you do not have to perform this manual step.
      • If your Workspace ONE UEM database name has a space, you must perform extra steps.
        • Open the WDPETLService.exe.parameters in the service folder of the Workspace ONE Intelligence Connector installation in administrator mode.
        • Update the parameter to ensure the databaseName value is enclosed in quotes. Here is an example, JVM_ARG=-DJDBC_URL=jdbc:sqlserver://SQLSERVERNAME;databaseName="Workspace ONE UEM Database Name".
    • Connect using: Select one of the following authentication methods.
      • Windows Authentication uses a service account on the Windows server to authenticate. You are prompted to enter the service account that you want to use. This service account is used to run all the application pools and Workspace ONE UEM-related services. The service account must have Workspace ONE UEM database access.
      • SQL Server Authentication uses the SQL server authentication method. You are prompted to enter the user name and password.
    • Name of database catalog: Enter the name of the Workspace ONE UEM database or browse the SQL server and select it from a list.
  7. (Optional) Enter proxy information. Find this information in the Workspace ONE UEM console in Groups & Settings > All Settings > Installation > Proxy > Console Proxy Settings.
  8. Configure the Workspace ONE Intelligence Connector Service settings.
    1. Select the deployment region for your cloud service. Ensure that the right region is selected. Do not run the installer again if you must change this region in the future. If you upgrade your Workspace ONE Intelligence Connector Service from a previous version, this screen does not display because you cannot change your region during an upgrade.
    2. Enter your Workspace ONE UEM Installation Token. This token is created as part of the Workspace ONE UEM Installation process.
  9. Select Install to install the Workspace ONE Intelligence Connector Service. After the installation finishes, select Finish.
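
The two manual edits in step 6 (replacing the comma before a custom port with a colon, and quoting a databaseName that contains a space) can be scripted. This Python sketch is an added example, not VMware tooling; it assumes the JDBC URL runs to the end of its line in the parameters file and that the file uses the system default encoding, and the sample lines are constructed from the examples in step 6.

```python
import re
import shutil
import sys

JDBC_MARKER = "-DJDBC_URL=jdbc:sqlserver://"

# Constructed sample content modelled on the examples in step 6.
SAMPLE = (
    "JVM_ARG=-DJDBC_URL=jdbc:sqlserver://db.acme.com,8043;"
    "databaseName=Workspace ONE UEM\r\n"
    "OTHER_SETTING=unchanged\r\n"
)


def fix_jdbc_line(line):
    """Fix one line: host,port -> host:port and quote databaseName with spaces."""
    start = line.find(JDBC_MARKER)
    if start == -1:
        return line  # not the JDBC_URL line, leave untouched
    cut = start + len(JDBC_MARKER)
    server, sep, props = line[cut:].partition(";")
    # Only a trailing ",<digits>" is treated as a port, so instance names survive.
    server = re.sub(r"\s*,\s*(\d+)\s*$", r":\1", server)
    fixed = []
    for prop in props.split(";") if sep else []:
        key, eq, value = prop.partition("=")
        if key.strip().lower() == "databasename":
            name = value.strip()
            if " " in name and not name.startswith('"'):
                value = f'"{name}"'
        fixed.append(f"{key}{eq}{value}")
    return line[:cut] + server + sep + ";".join(fixed)


def fix_parameters_text(text):
    """Apply fix_jdbc_line to every line, preserving the original line endings."""
    out = []
    for raw in text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        out.append(fix_jdbc_line(body) + raw[len(body):])
    return "".join(out)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        path = sys.argv[1]
        shutil.copy2(path, path + ".bak")  # keep a backup before rewriting
        with open(path, newline="") as handle:
            original = handle.read()
        with open(path, "w", newline="") as handle:
            handle.write(fix_parameters_text(original))
    else:
        print(fix_parameters_text(SAMPLE))
```

Run it with the parameters file path as the only argument while the Workspace ONE Intelligence Connector Service is stopped, then restart the service.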

High availability and disaster recovery support with the Workspace ONE Intelligence Connector

You can use the Workspace ONE Intelligence Connector in high availability (HA) deployments and for disaster recovery.

High availability

For HA, you need at least two connectors and you must set them for continuous access.

For HA to work with the Workspace ONE Intelligence Connector, use the supported version of Workspace ONE UEM required by Workspace ONE Intelligence.

A generalized example of how to set up at least two Workspace ONE Intelligence Connectors in a single Workspace ONE Intelligence environment for high availability coverage.

General high availability setup

Install and enable at least two Workspace ONE Intelligence Connectors for a single Workspace ONE Intelligence environment. Configure the connection between the Workspace ONE Intelligence Connector and the Workspace ONE UEM Database server.

When you configure HA for the Workspace ONE UEM Database, configure the Workspace ONE Intelligence Connector to connect to the SQL Server Always ON Listener.

Although all Workspace ONE Intelligence Connectors listen, only one is active and pushes data from the database to Workspace ONE Intelligence. If the active Workspace ONE Intelligence Connector fails, one of the other connectors activates and pushes data to Intelligence.

Find the active Workspace ONE Intelligence Connector

You can find the active Workspace ONE Intelligence Connector in an HA setup in the Workspace ONE Intelligence console at Reports > Sync Status > Workspace ONE Intelligence Connector Server > Server name.

Disaster recovery

For disaster recovery, set at least two Connectors within each recovery site to help you resume work when something happens to your Workspace ONE deployment.

For disaster recovery to work, use the supported version of Workspace ONE UEM required by Workspace ONE Intelligence.

A generalized example of how to set up at least two Workspace ONE Intelligence Connectors within each recovery site to prepare for when something happens to your Workspace ONE deployment.

General disaster recovery setup

Install at least two Workspace ONE Intelligence Connectors in each disaster recovery site. Depending on your disaster recovery strategy, you can enable all the connectors across all sites or leave them deactivated on the passive sites until an incident occurs. When a disaster recovery site becomes active, one of the Workspace ONE Intelligence Connectors becomes active and starts pulling data from the Workspace ONE UEM Database server to Workspace ONE Intelligence. If the active connector fails, the other connector remains available to push data.

Note: If your disaster recovery strategy does not have a recovery server cluster always listening, the Workspace ONE Intelligence Connector still connects to the cluster during an event. However, it cannot support a comprehensive disaster recovery scenario because the cluster might have missed data from not listening.

Find the active Workspace ONE Intelligence Connector

You can find the active Workspace ONE Intelligence Connector in a disaster recovery setup in the Workspace ONE Intelligence console at Reports > Sync Status > Workspace ONE Intelligence Connector Server > Server name.

Workspace ONE SaaS environments mapped to Intelligence regions

Your Workspace ONE Intelligence region is assigned based on the locations of your Workspace ONE SaaS environments.

Find mappings of Workspace ONE Intelligence regions for the listed Workspace ONE products.

  • Workspace ONE Access
  • Workspace ONE UEM

Workspace ONE Intelligence region by Workspace ONE product

| Workspace ONE Intelligence Region | Workspace ONE UEM SaaS Deployment Location | Workspace ONE Access SaaS URL |
|---|---|---|
| Canada | Canada | vmwareidentity.ca |
| Frankfurt | Germany | vmwareidentity.de |
| Ireland | United Kingdom | vmwareidentity.co.uk |
| Sydney | Australia | vmwareidentity.com.au |
| Tokyo | India | vmwareidentity.asia |
| Tokyo | Japan | vmwareidentity.asia |
| Tokyo | Singapore | vmwareidentity.asia |
| United Kingdom | United Kingdom | vmwareidentity.co.uk |
| United States | Canada | vmwareidentity.com |
| United States | United States | vmwareidentity.com |