Use the User Risk dashboard to view collected data and identify risk with scores. This risk analytics feature tracks user and device actions and behaviors and then calculates the potential risk. It shows this potential with risk levels and other metadata so you can quickly gauge the vulnerability of your Workspace ONE UEM deployment.

What is risk scoring?

Risk Scoring

Risk scoring in Workspace ONE Intelligence is a risk analytics feature that tracks user and device actions and behaviors. It displays scores as levels to speed up trust decisions. Certain levels imply that you can trust a user or device and others suggest an immediate mitigation. Risk scoring begins with a baseline or a "normal" level of risk. As a user or device behaves and deviates from normal, the score identifies those deviations as High, Medium, or Low.

  • High - This score indicates a great potential to introduce threats and vulnerabilities to the network and internal resources. This level is the least trustworthy.
  • Medium - This score indicates a moderate potential to introduce threats and vulnerabilities to the network and internal resources.
  • Low - This score indicates little potential to introduce threats and vulnerabilities to the network and internal resources. This level is the most trustworthy.

You can respond with various actions based on the score and your organization's security policies. For example, an organization with permissive security policies might warn users for high risk scores. However, another organization with restrictive security policies might deny privileges for medium risk scores. Other ways organizations can act on risk scores include the following.

  • Monitor the device or user.
  • Warn the device or user with notifications.
  • Deny the device or user privileges.
  • Add authentication methods to the user or device with Workspace ONE Access integration.

What behaviors influence risk scores?

The risk score changes depending on the behaviors the system identifies for a device or user. These behaviors are also known as risk indicators. Positive behaviors lower the score or make it more trustworthy. Negative behaviors increase the score or make it less trustworthy. The system recognizes and aggregates several risk indicators to compute risk score deviations.

Identified Behaviors

| Risk Indicators | Description | Risk |
| --- | --- | --- |
| Anomalous Alert Activity | A device that produces an unusual number, type, or severity of security alerts. | An unusual number, type, or severity of threat alerts is an indication of a potentially compromised device. |
| App Collector | A person who installs an unusually large number of apps. | Any app can include known or unpatched vulnerabilities and these vulnerabilities can become attack vectors. The surface area for cyber-attacks increases with the number of apps on the device. |
| Compulsive App Download | A person who installs an atypical number of apps in a short period of time. | Users frenetically installing unusual apps on their devices have a greater risk of being a victim of malicious activity. Some apps disguise themselves as useful, friendly, or entertaining, when in fact they want to harm the user. Marketplace approaches to filtering unsafe content (malware) vary from vendor to vendor. A careless user can get tracked, hacked, or conned. |
| Excessive Critical CVEs | A device with an excessive number of unpatched critical CVEs (Common Vulnerabilities and Exposures). | The greater the number of critical CVEs present on a device, the larger the device's attack surface. |
| Laggard Update | A person who sluggishly updates the device OS or who refuses to update at all. | Ignoring software updates can make a device vulnerable to attack and increases the risk of being compromised. |
| Persistent Critical CVEs | A device with one or many critical CVEs (Common Vulnerabilities and Exposures) remaining unpatched after the majority of eligible devices in the organization were patched. | The greater the number of critical CVEs present on a device, the larger the device's attack surface. |
| Rare App Collector | A person who installs an unusually large number of rare apps. | Unlike widely used apps, rare ones are of questionable provenance and have a greater chance of having malware or security vulnerabilities. |
| Risky Security Setting | A person who owns one or many devices and has explicitly disabled security protection features or has devices explicitly declared lost. | Disabling security measures on a device increases the risk of being compromised. |
| Unusual App Download | A person who has recently installed unusual apps. | Apps can disguise themselves as useful, friendly, or entertaining, when in fact they want to harm the user. Marketplace approaches to filtering unsafe content (malware) vary from vendor to vendor. A careless user can get tracked, hacked, or conned. |

What types of devices does risk scoring work on?

Risk scoring works on Android, iOS, macOS, and Windows 10 platforms. It also works on devices categorized as corporate-dedicated, corporate-shared, employee-owned (BYOD), and undefined.

Supported Risk Indicators by Platform

| Device Platform | Anomalous Alert Activity | App Collector (Unmanaged and public apps) | Compulsive App Download (Unmanaged and public apps) | Excessive Critical CVEs | Laggard Update | Persistent Critical CVEs | Rare App Collector (Unmanaged and public apps) | Risky Setting | Unusual App Download (Unmanaged and public apps) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Mobile (iOS and Android) | | | | | | | | | |
| Desktop (Windows 10 and macOS) | | ✕^ | ✕^ | ✓ (Windows only) | | ✓ (Windows only) | ✕^ | | ✕^ |

^The feature does not collect app data.

Supported Risk Indicators by Device Ownership Type

| Device Ownership Type | Anomalous Alert Activity | App Collector (Unmanaged and public apps) | Compulsive App Download (Unmanaged and public apps) | Excessive Critical CVEs | Laggard Update | Persistent Critical CVEs | Rare App Collector (Unmanaged and public apps) | Risky Setting | Unusual App Download (Unmanaged and public apps) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Corporate-Dedicated, Corporate-Shared, Undefined | | | | | | | | | |
| Employee-Owned (BYOD) | | ✕^ | ✕^ | | | | ✕^ | | ✕^ |

^Although the default Workspace ONE UEM privacy settings prevent the collection of app data on BYOD devices, admins can change the privacy settings so that Workspace ONE Intelligence can collect app data. Check your organization's privacy strategy before changing privacy configurations in Workspace ONE UEM.

What requirements are there to see risk scores?

To use risk analytics, integrate the following systems and follow the listed restrictions.

  • Register Workspace ONE UEM.
  • To display risk scores in Workspace ONE Intelligence, each Workspace ONE UEM-managed device must have a unique account in the Workspace ONE UEM console. Do not use generic accounts that are assigned to multiple devices.
  • Deploy 100 devices or more of the same platform to allow the scoring system to produce results. The risk indicator compares the device indicators against the entire device population across the organization. To provide statistically significant scores, the system needs a dataset with at least 100 devices of the same platform.
  • Users must have six or fewer devices enrolled with the same account. The system considers users with more than six devices to be part of a shared device environment. It is difficult for the system to measure user and device risk accurately in a shared environment.
  • Optionally, register Workspace ONE Access so that you can configure access policies in Workspace ONE Access with user risk scores.
  • To use the Anomalous Alert Activity risk indicator, meet the listed requirements.
    • Use Carbon Black Endpoint Standard as your cloud native endpoint protection platform (EPP).
    • Ingest Carbon Black data into Workspace ONE Intelligence using the Trust Network API.
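
A pre-flight check for the population and per-account requirements listed above, as an added example that is not VMware code. It reads a device inventory CSV whose column names (device_id, platform, enrollment_user) are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

MIN_DEVICES_PER_PLATFORM = 100  # fewer than this and scoring has no usable population
MAX_DEVICES_PER_ACCOUNT = 6     # more than six is treated as a shared environment


def readiness_report(csv_text):
    """Check a device inventory against the risk-scoring prerequisites.

    csv_text uses the assumed columns device_id, platform, enrollment_user.
    Returns the platforms below the population threshold and the accounts
    that exceed the per-account device limit, each with its device count.
    """
    per_platform = Counter()
    per_account = Counter()
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        device_id = row["device_id"].strip()
        if not device_id or device_id in seen:
            continue  # skip blank and duplicate rows so counts are not inflated
        seen.add(device_id)
        per_platform[row["platform"].strip().lower()] += 1
        per_account[row["enrollment_user"].strip().lower()] += 1
    return {
        "platforms_too_small": {
            p: n for p, n in sorted(per_platform.items())
            if n < MIN_DEVICES_PER_PLATFORM
        },
        "shared_accounts": {
            a: n for a, n in sorted(per_account.items())
            if n > MAX_DEVICES_PER_ACCOUNT
        },
    }


def constructed_inventory():
    """Build a constructed sample export (not real data)."""
    rows = ["device_id,platform,enrollment_user"]
    rows += [f"A{i},Android,user{i}" for i in range(120)]  # large enough population
    rows += [f"I{i},iOS,user{i}" for i in range(40)]       # below the 100-device floor
    rows += [f"W{i},Windows,kiosk" for i in range(8)]      # one generic account, 8 devices
    rows.append("W0,Windows,kiosk")                        # duplicate row, ignored
    return "\n".join(rows)


if __name__ == "__main__":
    print(readiness_report(constructed_inventory()))
```
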

Where can you find risk scores in the console?

Workspace ONE Intelligence reports risk scores and other risk data in different dashboards.

  • User risk data is on the User Risk dashboard.
  • Device risk data is on the Security Risk Dashboard, on the Devices tab.

Risk scoring has modules you can add to My Dashboard or to your custom dashboards. Use the category Workspace ONE UEM > Device Risk Score or User Risk Score to access the modules.

You can also view pre-configured modules.

  • Trend of Risky Devices Over Last Week
    • Risky Behavior Category
    • Device Platform Category
  • Risky Behavior by Platform Over Last Week

What can you do with risk scores?

Act with automations in Workspace ONE Intelligence.

  • You can mitigate and act by selecting Automate right from the User Risk dashboard or the Security Risk > Devices tab. Create automation workflows and select from various Workspace ONE UEM Actions.
    1. Select Automate from the dashboard to configure a workflow.
    2. For the Filter (If) section, the system selects Risk Score Equals High by default but you can customize this section.
    3. For the Action (Then) section, select the plus sign (+) and the Workspace ONE UEM connection.
    4. Select from various Workspace ONE UEM actions.
  • You can create a customized automation using the Workspace ONE UEM category, either with Device Risk Score or User Risk Score.
  • You can use pre-configured automation templates.
    • Risky Device Detected - This template requires a Slack connection.
    • MTD App Deployment Prioritization
    • Update Laggard Devices - This template works only for iOS.
  • Manage access to resources with access policies in Workspace ONE Access.
    • Register your Workspace ONE Access environment with Workspace ONE Intelligence to access risk scores in the Workspace ONE Access manager console.
    • Access policies in Workspace ONE Access create and enforce authentication protocols for users with an If-Then construct. You can specify a user risk score in the If section that dictates the authentication method allowed in the Then section. If a user has a risk level of high, medium, or low, then the user can authenticate to resources using a specified method approved by your organization's security policies.
    • Depending on the user risk level, the system can enforce a restrictive access policy for high risk users to offer increased security to internal resources. Conversely, the system can enforce a permissive access policy for low or medium risk users.

What systems contribute data for risk scores?

Workspace ONE UEM integrates with Workspace ONE Intelligence for risk scoring to get data for devices managed in your Workspace ONE deployment. It uses the user's enrollment account stored in Workspace ONE UEM to recognize the user's activity on managed devices.

How often are scores calculated?

Risk scoring runs daily and provides an actionable metric to identify and potentially isolate users who have poor security behaviors and who introduce risk to the organization.

Risk scoring is similar to consumer credit scoring. The credit scoring system does not check a user's credit card account to see what the balance is as of today. Risk scoring works asynchronously and doesn't necessarily know the current state of devices. It runs once a day and analyzes the data reported about the device up to the moment the scoring process is run. Scoring models use historical data (for example, the past 14 days) to determine the risk of the user's behaviors.
