Workflows (formerly Automations) in Workspace ONE Intelligence let you automate actions across your Workspace ONE deployment. To use workflows, ensure you meet the needed requirements. Set up workflows by configuring communication with APIs, registering third-party services, and configuring workflows. View a list of available Workspace ONE UEM actions you can automate, and see how you can add Workspace ONE UEM components to your workflows. Finally, use custom connectors so you can automate your internal services.
The automation capabilities in Workspace ONE Intelligence use numerous parameters that trigger a workflow. You can customize the workflow to act on unique scenarios in your Workspace ONE environment. Automation is a robust feature but it is not intended to replace compliance policies.
A Workflow consists of triggers caused by a state change or trend that cause the engine to use a set action through Workspace ONE or an integrated third-party service. You can create your own workflows or you can use preset workflow templates.
Workflows monitor incoming and existing data. They act on states that reflect their configured triggers immediately after you save them. Workflows then monitor data for state changes and act as configured. Configure triggers in workflows to recognize the trigger that represents what you want remedied.
Workflows offer many actions that help solve problems related to compliance, however, the compliance engine still serves an important purpose.
The NIST Special Publication 800-47 Rev.1: Managing the Security of Information Exchanges defines a system interconnection as the direct connection of two or more IT systems for the purpose of sharing data and other information resources.
Connecting IT systems is a customer configured capability. Before you connect IT systems in Workspace ONE Intelligence, discuss the risks of connecting non-FedRAMP accredited information systems with your Authorizing Official. Workspace ONE on AWS GovCloud, and by extension, Workspace ONE Intelligence is a FedRAMP Moderate, accredited information system. When you connect information systems to other systems with different security requirements and controls, carefully consider the risks.
Contact the Federal Support line (877-869-2730 OPTION 2) or submit a support request using My Workspace ONE for more details and to enable customer-controlled third party connections to other systems.
To use the automation features in your Workspace ONE Intelligence environment, install the reports service and connect to the Workspace ONE UEM API server.
Workspace ONE Intelligence uses the data in the reports data warehouse to display analytics from your Workspace ONE deployment. Reports are available in the Workspace ONE UEM console.
Before using Workspace ONE Intelligence features, you must install the Workspace ONE Intelligence Connector service (also known as the ETL installer) onto a separate server in your Workspace ONE UEM environment.
Each feature uses the Workspace ONE Intelligence Connector Service installed from the Workspace ONE Intelligence Connector Installer. The Workspace ONE Intelligence Connector service gathers the data from your Workspace ONE UEM console server and pushes it to the reports cloud service.
Use OAuth 2.0, where available, for API communication. If your Workspace ONE UEM environment does not support OAuth 2.0, skip to the Basic Authentication section.
To use workflows, set up communication with APIs, register third-party services used for remediation, and configure workflows to carry out remediation actions.
If you do not follow these steps, Automation Workflows do not work.
For on-premises deployments that put the Workspace ONE UEM server behind a firewall, you can use workflows and API functionality. However, these deployments must use the VMware Unified Access Gateway (UAG) and it must be set as a reverse proxy.
(https://)
in the entry. You can find this URL in your browser with an instance of the Workspace ONE UEM console open. It often ends in .com
. For example, if you saw the listed URL in your browser example.company.com/AirWatch/Login
when you had the browser pointed to your console, you would enter https://example.company.com/
as the Base URL. If you have separate API servers, you can find the API URL in Workspace ONE UEM in Groups and Settings > All Settings > System > Advanced > Site URLs > REST API URL. Add the base URL without the trailing /API
.(https://)
in the entry. You can find this URL in your browser with an instance of the Workspace ONE UEM console open. It often ends in .com
. For example, if you saw the listed URL in your browser example.company.com/AirWatch/Login
when you had the browser pointed to your console, you would enter https://example.company.com/
as the Base URL.Configure filters in workflows to recognize the desired state change and configure actions to remediate the filtered state changes.
Use a template or create your own workflow with this task.
After you save your settings, the workflow immediately scans data and acts on filters that match the configured criteria. It then continues to monitor data for the criteria and continues to execute actions accordingly.
To decide which Workspace ONE UEM actions to use in your Workspace ONE Intelligence automation workflows, review action descriptions.
Before you can use the profile and application automation actions, you must configure them in Workspace ONE UEM with the listed settings and configurations.
If you do not assign and deploy applications and profiles before configuring the automation, there is no data for Workspace ONE Intelligence to pull and the system cannot run the applicable automation.
Action | Description |
---|---|
Add Tag to Device | Adds a tag to the selected device in the Workspace ONE UEM console. |
Approve Patch | Approves an individual Windows patch for installation. Enter the title or the knowledge base number of the patch. You can enter the Revision ID of the patch. |
Change Device Organization Group | Moves an enrolled device to another organization group. Consider the resource assignments the device loses and gains after it moves from its original group to the new group. |
Change Ownership Type | Updates the device ownership to Corporate-Dedicated, Corporate-Shared, or Employee Owned. |
Clear Passcode | Removes a passcode requirement off a device so that a user can authenticate without it. Anyone can use this device after you automate this action. |
Data Roaming | Activates or deactivates data roaming on iOS devices. |
Delete Device | Deletes a Device record from Workspace ONE UEM. |
Enterprise Wipe Device | Removes management and corporate settings from an enrolled device. |
Install Internal Application | Installs an internal application on a device that is uploaded and managed in Workspace ONE UEM. |
Install Profile | Installs a Workspace ONE UEM profile to a device. |
Install Public Application | Installs a public application on a device that is uploaded and managed in Workspace ONE UEM. |
Install Purchased Application | Installs a purchased application on a device that is uploaded and managed in Workspace ONE UEM. |
Lock Device | Forces a device to return to its lock screen. |
Personal Hotspot | Activates or deactivates personal hot spot settings on iOS devices. |
Query Device | Requests updated data from a device. |
Remove Internal Application | Removes an internal application on a device that is uploaded and managed in Workspace ONE UEM. |
Remove Profile | Removes a Workspace ONE UEM profile off a device. |
Remove Public Application | Removes a public application on a device that is uploaded and managed in Workspace ONE UEM. |
Remove Purchased Application | Removes a public application on a device that is uploaded and managed in Workspace ONE UEM. |
Remove Tag from Device | Removes a Tag from the selected device in the Workspace ONE UEM console. |
Reprocess Product | Initiates a reprocessing of a Product Provisioning product job by the policy engine. Supports a reprocess and force reprocess. |
Schedule OS Update | Schedules an OS update and forces an iOS device that is supervised and that is on 10.3 or later (depending on configurations) to update to the latest OS version. DownloadOnly - Configures the action to download only the update to make it available for installation. InstallASAP - Installs the downloaded OS update. This action only works if the OS update is downloaded to the device. |
Send Email | Sends an email to a user with the SMTP server configured in the Workspace ONE UEM environment. |
Send Push Notification | Sends a push notification to a managed application, either the Workspace ONE Intelligent Hub or VMware Content Locker. |
Send SMS | Sends a notification to a device with the SMS gateway configured in the Workspace ONE UEM environment. |
Stop AirPlay | Stops an AirPlay session on iOS devices. |
Sync Device | Evaluates applications currently installed on a device and compares that state to the required applications configured in the Workspace ONE UEM console. The action prompts an installation command for any required applications that are missing from the device. |
Voice Roaming | Activates or deactivates the ability to use voice roaming settings on iOS devices. |