Automations in Workspace ONE Intelligence let you automate actions across your Workspace ONE deployment. To use automations, ensure you meet the needed requirements. Set up automations by configuring communication with APIs, registering third-party services, and configuring workflows. View a list of available Workspace ONE UEM actions you can automate, and see how you can add Workspace ONE UEM components to your workflows. Finally, use custom connectors so you can automate your internal services.

Workflows, Automations, and Compliance Policies

The automation capabilities in Workspace ONE Intelligence use numerous parameters that trigger a workflow. You can customize the workflow to act on unique scenarios in your Workspace ONE environment. Automation is a robust feature but it is not intended to replace compliance policies.

Automations use workflows. A workflow consists of triggers, caused by a state change or trend, that make the engine perform a set action through Workspace ONE or an integrated third-party service. You can create your own workflows or you can use preset workflow templates.

Workflows monitor incoming and existing data. They act on states that reflect their configured triggers immediately after you save them. Workflows then monitor data for state changes and act as configured. Configure triggers in workflows to recognize the trigger that represents what you want remedied.

Automation offers many actions that help solve problems related to compliance. However, the compliance engine still serves an important purpose.

  • Automations - Its decision engine acts on triggers from devices and applications to automate actions across the digital workspace environment. You can extend the decision engine to third-party services. Use the automation feature to define workflows for device-category scenarios like battery percent and ownership and to install applications and other resources in your Workspace ONE deployment. You can also use it in scenarios that encompass various facets of your Workspace ONE deployment. Use it to install or remove applications and profiles for security, notify interested teams about workflows, and extend these capabilities to third-party solutions.
  • Compliance - Its engine acts on closed-loop workflows where a user can have resources returned after becoming compliant again. Use compliance in scenarios focused on remediation and device state. Use it to force devices to comply with mandated security policies. Remove resources until devices comply with set compliance rules that return them to a working state.

FedRAMP Consideration

The NIST Special Publication 800-47 Rev.1: Managing the Security of Information Exchanges defines a system interconnection as the direct connection of two or more IT systems for the purpose of sharing data and other information resources.

Connecting IT systems is a customer-configured capability. Before you connect IT systems in Workspace ONE Intelligence, discuss the risks of connecting non-FedRAMP accredited information systems with your Authorizing Official. Workspace ONE on AWS GovCloud, and by extension Workspace ONE Intelligence, is a FedRAMP Moderate accredited information system. When you connect information systems to other systems with different security requirements and controls, carefully consider the risks.

Contact the Federal Support line (877-869-2730 OPTION 2) or submit a support request using My Workspace ONE for more details and to enable customer-controlled third-party connections to other systems.

Requirements for Automations

To use the automation features in your Workspace ONE Intelligence environment, install the reports service and connect to the Workspace ONE UEM API server.

Reporting

Workspace ONE Intelligence uses the data in the reports data warehouse to display analytics from your Workspace ONE deployment. Reports are available in the Workspace ONE UEM console.

Install the Workspace ONE Intelligence Connector Service

Before using Workspace ONE Intelligence features, you must install the Workspace ONE Intelligence Connector service (also known as the ETL installer) onto a separate server in your Workspace ONE UEM environment.

Each feature uses the Workspace ONE Intelligence Connector Service installed from the Workspace ONE Intelligence Connector Installer. The Workspace ONE Intelligence Connector service gathers the data from your Workspace ONE UEM console server and pushes it to the reports cloud service.

  • Shared SaaS - No installation is required. This deployment has access to reports. No action is required.
  • Dedicated SaaS - Contact your support representative or their SAM to set up Reports and Workspace ONE Intelligence.
  • On-premises - You must install the Workspace ONE Intelligence Connector for communication between the Reports infrastructure and Dashboards. For on-premises deployments that put the Workspace ONE UEM server behind a firewall, you can use automations and API functionality. However, these deployments must use the Unified Access Gateway and set it as a reverse proxy. For details, access Configure Reverse Proxy With VMware Workspace ONE UEM API.

Admin Roles

  • Existing admin roles that have permissions for reports have access to Workspace ONE Intelligence roles.
  • For new admin roles, include permissions for Workspace ONE Intelligence so that admins can access settings.

Requirements to Connect to the API Server and to Use APIs for Communication

Use OAuth 2.0, where available, for API communication. If your Workspace ONE UEM environment does not support OAuth 2.0, skip to the Basic Authentication section.

OAuth 2.0 Setup

Basic Authentication

  • Create an AirWatch Administrator account for the specific purpose of working with the automation feature. To use APIs, grant the admin account permissions.
  • Configure the admin account to use the Basic Authentication for API communications because Directory accounts do not work. Find the API authentication items on the API tab in the Add or Edit Admin area.
  • Configure Automation Connections.

Getting Started with Automations

To use Automations, set up communication with APIs, register third-party services used for remediation, and configure workflows to carry out remediation actions.

If you do not follow these steps, Automation Workflows do not work.

Prerequisites

For on-premises deployments that put the Workspace ONE UEM server behind a firewall, you can use automations and API functionality. However, these deployments must use the VMware Unified Access Gateway (UAG) and it must be set as a reverse proxy.

OAuth 2.0 Authentication Procedure

  1. Retrieve required credential details from UEM
    1. Create an OAuth client to use with Workspace ONE UEM APIs as described in Using UEM Functionality With a REST API > Create an OAuth Client to Use for API Commands.
      • Ensure you create the OAuth client at the Organization Group used to launch Workspace ONE Intelligence and provide a sufficient role to prevent API access issues.
    2. Find your supported Workspace ONE UEM Region and copy the Token URL as described in Using UEM Functionality With a REST API > Datacenter and Token URLs for OAuth 2.0 Support.
  2. Register Workspace ONE UEM with Workspace ONE Intelligence by entering the authentication details from Workspace ONE UEM to Workspace ONE Intelligence.
    1. In Workspace ONE Intelligence, go to Integrations > Workflow Connectors.
    2. Select Set Up for Workspace ONE UEM.
    3. Select Provide Credentials and configure the settings.
      • Base URL: Enter your Workspace ONE UEM console URL and include the protocol (https://) in the entry. You can find this URL in your browser with an instance of the Workspace ONE UEM console open. It often ends in .com. For example, if you saw the listed URL in your browser example.company.com/AirWatch/Login when you had the browser pointed to your console, you would enter https://example.company.com/ as the Base URL. If you have separate API servers, you can find the API URL in Workspace ONE UEM in Groups and Settings > All Settings > System > Advanced > Site URLs > REST API URL. Add the base URL without the trailing /API.
      • Auth Type: Select the OAuth2 Authentication.
      • Client ID: Enter the Client ID retrieved from the OAuth Client setup process.
      • Client Authentication Location: Select Send client credentials in body.
      • Grant Type: Select Client Credentials.
      • OAuth2 Token URL: Enter the Token URL from the supported region defined in the Using UEM Functionality with a REST API article.
      • Client Secret: Enter the Client Secret retrieved from the OAuth Client setup process.
      • Scope: Optional, so leave it blank.
      • Workspace ONE UEM API Key: Enter the API key that the Workspace ONE UEM console generated when you enabled REST API communications. Find this key in Workspace ONE UEM under Groups and Settings > All Settings > System > Advanced > API > REST API.
  3. Register third-party services with Workspace ONE Intelligence.
  4. Configure workflows for remediation and reporting.
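The connector settings in step 2 can be checked before they are typed into the console. The following is an added example, not VMware code: it normalizes a copied console URL to the Base URL form, refuses anything that is not https://, and builds (without sending) a token request that carries the client credentials in the body. The function names, the token host and the client values are constructed for illustration; aw-tenant-code is the header in which the UEM REST API expects the API key.

```python
import urllib.request
from urllib.parse import urlencode, urlsplit


def normalize_base_url(console_url: str) -> str:
    """Reduce a console or REST API URL to the scheme-and-host Base URL form."""
    raw = console_url.strip()
    if "://" not in raw:
        # A bare address-bar copy (example.company.com/AirWatch/Login) has no
        # protocol; the connector setting requires https:// to be included.
        raw = "https://" + raw
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise ValueError("Base URL must use https://")
    if not parts.hostname:
        raise ValueError("Base URL has no host name")
    if parts.username or parts.password:
        raise ValueError("Base URL must not embed credentials")
    # Drops /AirWatch/Login, a trailing /API, query strings and fragments.
    return f"https://{parts.netloc.lower()}/"


def build_token_request(token_url, client_id, client_secret, scope=""):
    """Build (without sending) the client-credentials token request."""
    if urlsplit(token_url).scheme != "https":
        raise ValueError("OAuth2 Token URL must use https://")
    if not client_id or not client_secret:
        raise ValueError("Client ID and Client Secret are both required")
    form = {
        "grant_type": "client_credentials",  # Grant Type: Client Credentials
        "client_id": client_id,              # credentials travel in the body,
        "client_secret": client_secret,      # not in an Authorization header
    }
    if scope:  # Scope is optional; a blank value is left out of the request
        form["scope"] = scope
    return urllib.request.Request(
        token_url,
        data=urlencode(form).encode("ascii"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def uem_api_headers(access_token, api_key):
    """Headers for a UEM REST call once a token has been issued."""
    return {
        "Authorization": f"Bearer {access_token}",
        "aw-tenant-code": api_key,  # REST API key generated in the UEM console
        "Accept": "application/json",
    }


if __name__ == "__main__":
    # Constructed values; nothing here is sent over the network.
    print(normalize_base_url("example.company.com/AirWatch/Login"))
    req = build_token_request(
        "https://token.example.invalid/connect/token",
        "constructed-client-id",
        "constructed-secret",
    )
    print(req.get_method(), req.full_url, sorted(req.headers))
```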

Basic Authentication Procedure

  1. In the Workspace ONE UEM console, create and use a Workspace ONE UEM Administrator account specific for automation with API permissions.
  2. Generate an API key in Workspace ONE UEM so that Workspace ONE Intelligence can use it to connect to any third-party service.
    1. In Workspace ONE UEM, select the organization group where you want to connect to third-party services.
    2. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > API > REST API.
    3. Configure the settings on the General tab.
      • Enable API Access: Permits you to generate an API key for the service.
      • Add: Select Add to generate an API Key. Record this value and enter it in the Intelligence environment as the Workspace ONE UEM API Key.
      • Service: Enter a descriptive name for the service, such as Automation.
      • Account Type: Select Admin.
    4. Configure the settings on the Authentication tab.
      • Basic: Select Basic authentication if you want to use credentials for an admin that is not in a directory.
      • Certificates: Not applicable.
      • Directory: Select Directory authentication if you want to use credentials for an admin that is part of a directory.
  3. Register Workspace ONE UEM with Intelligence by entering the API key and authentication credentials from Workspace ONE UEM to Workspace ONE Intelligence.
    1. In Workspace ONE Intelligence, go to Integrations > Workflow Connectors.
    2. Select Set Up for Workspace ONE UEM.
    3. Select Provide Credentials and configure the settings.
      • Base URL: Enter your Workspace ONE UEM console URL, and include the protocol (https://) in the entry. You can find this URL in your browser with an instance of the Workspace ONE UEM console open. It often ends in .com. For example, if you saw the listed URL in your browser example.company.com/AirWatch/Login when you had the browser pointed to your console, you would enter https://example.company.com/ as the Base URL.
      • Auth Type: Select the Basic Authentication.
      • User Name: Enter the user name for the specific admin you created for automation.
      • Password: Enter the password for the admin.
      • Workspace ONE UEM API Key: Enter the API key that the Workspace ONE UEM console generated when you enabled REST API communications. Find this key in Workspace ONE UEM under Groups and Settings > All Settings > System > Advanced > API > REST API.
  4. Register third-party services with Workspace ONE Intelligence.
  5. Configure workflows for remediation and reporting.

Configure Workflows

Configure filters in workflows to recognize the desired state change and configure actions to remediate the filtered state changes. Filters identify IF something happens (state change). When the system identifies the IF, actions THEN execute to fix or report the change.

Use a template or create your own workflow with this task.

Procedure

  1. In the Workspace ONE Intelligence console, navigate to Automations > Add Automation.
  2. Select a category and Create Your Own workflow for the category by selecting Get Started.
  3. In the Add Automation procedure, configure the settings.
    1. Name - Enter a name for the automation.
    2. Trigger (When) - Support is based on the category.
      • Automatic - Automatically execute the workflow when incoming events match the filter. This also provides support to select whether this trigger should execute on existing data upon save or only on new incoming data. Supported for all integration types.
      • Schedule - Define when the filtered results should execute. Supported for data categories with Snapshot data (such as Workspace ONE UEM).
      • Manual - Execute the workflow On-Demand (good for one-time actions). Supported for data categories with Snapshot data (such as Workspace ONE UEM).
        • Note - When Manual or Schedule trigger types are used, a Run button becomes available on the Automation Overview page to allow manual execution as needed. Note that due to throttling limits, this action cannot be performed more than once per hour for the same Workflow.
    3. Filter (If) - Create an If statement to refine the trigger the engine monitors for a state change.
    4. Action (Then) - Create a Then statement that the automation engine performs when it identifies the If or trigger. Choices for Action (Then) include the listed services. You can select one or all of them and create as many actions as needed.
      • Workspace ONE UEM: Select an action for Workspace ONE UEM to perform.
      • Slack-To: Decide whether the message is sent to a channel or a user. If you enter nothing, messages are sent to the default channel. For Channel, enter the channel name beginning with # (example #channel). You can send messages to public and private channels. For Users, enter the Slack user name beginning with @ (example @user) to send direct messages.
      • Slack-From: Enter the name that this automated Slack message is posted from. If you enter nothing, messages are posted from Slack's default sender.
      • Slack-Message: Enter the message. This text box supports dynamic values.
      • Slack-Avatar Icon: Enter the Slack emoji code to add a Slack icon to this automated message or a URL to add an image from the Internet. If you enter nothing, the system uses the default Slack icon.
      • ServiceNow: Configure the menu items for Create Incident or Create Ticket. For either action, enter a Caller ID entry of a first and last name that exists in your ServiceNow instance. If you add a non-existent name, the text box remains blank.
  4. If you use a third-party service for actions, authorize them to act.
    1. Select Authorize to permit the service to perform actions.
    2. Select Connection Permissions and review them.
    3. Select Provide Credentials.
      • Slack Incoming Webhook URL: Enter the Webhook you configured in Slack.
      • ServiceNow-Base URL: Enter https://instance.service-now.com.
      • ServiceNow-API User Name: Enter the user name you configured in ServiceNow.
      • ServiceNow-API User Password: Enter the password for the user name.

After you save your settings, the workflow immediately scans data and acts on filters that match the configured criteria. It then continues to monitor data for the criteria and continues to execute actions accordingly.
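Because a saved workflow acts at once on every record that already matches its filter, it helps to estimate how many devices a filter selects before attaching an action such as Enterprise Wipe Device. The following is an added example, not part of Workspace ONE Intelligence: the workflow dictionary, the attribute names, the device snapshot and the 10 percent threshold are all constructed, and the choice of which actions count as destructive is this example's assumption.

```python
import operator

# Actions this page lists that remove access, management or records.
# Treating these four as destructive is this example's choice.
DESTRUCTIVE_ACTIONS = {
    "Clear Passcode",
    "Delete Device",
    "Enterprise Wipe Device",
    "Change Device Organization Group",
}

_OPS = {
    "equals": operator.eq,
    "not_equals": operator.ne,
    "less_than": operator.lt,
    "greater_than": operator.gt,
}


def device_matches(device, conditions):
    """True when every (attribute, operator, value) condition holds (logical AND)."""
    for attr, op, expected in conditions:
        if attr not in device:
            return False  # a missing attribute never satisfies a condition
        try:
            if not _OPS[op](device[attr], expected):
                return False
        except TypeError:
            return False  # e.g. comparing a string sample with a number
    return True


def preview_workflow(workflow, snapshot, max_fraction=0.10):
    """Report which devices the filter selects and whether to hold for review."""
    matched = [d["device_id"] for d in snapshot
               if device_matches(d, workflow["filter"])]
    destructive = sorted(set(workflow["actions"]) & DESTRUCTIVE_ACTIONS)
    # An Automatic trigger set to run on existing data acts as soon as it is saved.
    acts_on_save = (workflow["trigger"] == "Automatic"
                    and workflow.get("run_on_existing_data", False))
    fraction = len(matched) / len(snapshot) if snapshot else 0.0
    return {
        "matched": matched,
        "fraction": fraction,
        "destructive": destructive,
        "acts_on_save": acts_on_save,
        "hold_for_review": bool(destructive) and acts_on_save
                           and fraction > max_fraction,
    }


# Constructed device snapshot: ten devices, one without a battery sample.
SNAPSHOT = [
    {"device_id": 1, "ownership": "Employee Owned", "battery_percent": 15},
    {"device_id": 2, "ownership": "Employee Owned", "battery_percent": 80},
    {"device_id": 3, "ownership": "Corporate-Dedicated", "battery_percent": 10},
    {"device_id": 4, "ownership": "Employee Owned", "battery_percent": 5},
    {"device_id": 5, "ownership": "Corporate-Shared", "battery_percent": 50},
    {"device_id": 6, "ownership": "Employee Owned"},
] + [
    {"device_id": n, "ownership": "Corporate-Dedicated", "battery_percent": 90}
    for n in range(7, 11)
]

# Constructed workflow: IF employee-owned AND battery below 20, THEN wipe.
WIPE_WORKFLOW = {
    "trigger": "Automatic",
    "run_on_existing_data": True,
    "filter": [("ownership", "equals", "Employee Owned"),
               ("battery_percent", "less_than", 20)],
    "actions": ["Enterprise Wipe Device"],
}

if __name__ == "__main__":
    print(preview_workflow(WIPE_WORKFLOW, SNAPSHOT))
```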

Workspace ONE UEM Actions

To decide which Workspace ONE UEM actions to use in your Workspace ONE Intelligence automation workflows, review action descriptions.

Before you can use the profile and application automation actions, you must configure them in Workspace ONE UEM with the listed settings and configurations.

  • Configure a profile with an Assignment Type (Optional or Auto) in the profile's General payload.
  • You must configure and add an Assignment to an application.
  • You must deploy profiles and applications in Workspace ONE UEM to devices in a smart group. This deployment to smart groups is part of the assignment process for both applications and profiles.

If you do not assign and deploy applications and profiles before configuring the automation, there is no data for Workspace ONE Intelligence to pull and the system cannot run the applicable automation.

Descriptions of Workspace ONE UEM Actions

| Action | Description |
| --- | --- |
| Add Tag to Device | Adds a tag to the selected device in the Workspace ONE UEM console. |
| Approve Patch | Approves an individual Windows patch for installation. Enter the title or the knowledge base number of the patch. You can enter the Revision ID of the patch. |
| Change Device Organization Group | Moves an enrolled device to another organization group. Consider the resource assignments the device loses and gains after it moves from its original group to the new group. For instructions on how to get the organization group ID number, see Find the ID Number for Organization Groups. |
| Change Ownership Type | Updates the device ownership to Corporate-Dedicated, Corporate-Shared, or Employee Owned. |
| Clear Passcode | Removes a passcode requirement off a device so that a user can authenticate without it. Anyone can use this device after you automate this action. |
| Data Roaming | Enables or disables data roaming on iOS devices. |
| Delete Device | Deletes a Device record from Workspace ONE UEM. |
| Enterprise Wipe Device | Removes management and corporate settings from an enrolled device. |
| Install Internal Application | Installs an internal application on a device that is uploaded and managed in Workspace ONE UEM. For instructions on how to get an application ID for internal and public applications, see Find the ID Number of Internal and Public Applications. |
| Install Profile | Installs a Workspace ONE UEM profile to a device. For instructions on how to get the profile ID, see Find the ID Number of Profiles. |
| Install Public Application | Installs a public application on a device that is uploaded and managed in Workspace ONE UEM. For instructions on how to get an application ID for internal and public applications, see Find the ID Number of Internal and Public Applications. |
| Install Purchased Application | Installs a purchased application on a device that is uploaded and managed in Workspace ONE UEM. For instructions on how to get an application ID for purchased applications, see Find the ID Number of Purchased Applications. |
| Lock Device | Forces a device to return to its lock screen. |
| Personal Hotspot | Enables or disables personal hotspot settings on iOS devices. |
| Query Device | Requests updated data from a device. |
| Remove Internal Application | Removes an internal application on a device that is uploaded and managed in Workspace ONE UEM. For instructions on how to get an application ID for internal and public applications, see Find the ID Number of Internal and Public Applications. |
| Remove Profile | Removes a Workspace ONE UEM profile off a device. For instructions on how to get the profile ID, see Find the ID Number of Profiles. |
| Remove Public Application | Removes a public application on a device that is uploaded and managed in Workspace ONE UEM. For instructions on how to get an application ID for internal and public applications, see Find the ID Number of Internal and Public Applications. |
| Remove Purchased Application | Removes a purchased application on a device that is uploaded and managed in Workspace ONE UEM. For instructions on how to get an application ID for purchased applications, see Find the ID Number of Purchased Applications. |
| Remove Tag from Device | Removes a Tag from the selected device in the Workspace ONE UEM console. For instructions on how to get the tag ID number, see Find the ID Number of Tags. |
| Reprocess Product | Initiates a reprocessing of a Product Provisioning product job by the policy engine. Supports a reprocess and force reprocess. |
| Schedule OS Update | Schedules an OS update and forces an iOS device that is supervised and that is on 10.3 or later (depending on configurations) to update to the latest OS version. DownloadOnly - Configure the action to download only the update to make it available for installation. InstallASAP - Installs the downloaded OS update. This action only works if the OS update is downloaded to the device. |
| Send Email | Sends an email to a user with the SMTP server configured in the Workspace ONE UEM environment. |
| Send Push Notification | Sends a push notification to a managed application, either the Workspace ONE Intelligent Hub or VMware Content Locker. |
| Send SMS | Sends a notification to a device with the SMS gateway configured in the Workspace ONE UEM environment. |
| Stop AirPlay | Stops an AirPlay session on iOS devices. |
| Sync Device | Evaluates applications currently installed on a device and compares that state to the required applications configured in the Workspace ONE UEM console. The action prompts an installation command for any required applications that are missing from the device. |
| Voice Roaming | Enables or disables the ability to use voice roaming settings on iOS devices. |

How Do You Add Workspace ONE UEM Components to Workflows?

When you configure a workflow in Workspace ONE Intelligence to perform an action in Workspace ONE UEM, you can add the Workspace ONE UEM component in two ways. You can search for it or you can enter its ID number.

How Do You Search for the Workspace ONE UEM Component?

While configuring the action for an automation workflow, you can search for the Workspace ONE UEM component in the Workspace ONE Intelligence UI. For example, if you were configuring a workflow with the Workspace ONE UEM action Add Tag to Device, you select the Search for existing values menu item and search for the Tag Name you want the workflow to add to devices.

[Image: Search for the UEM component]

How Do You Enter the ID Numbers for Workspace ONE UEM Components?

While configuring the action for an automation workflow, you can enter the ID number for the Workspace ONE UEM component. For example, if you were configuring a workflow with the Workspace ONE UEM action Add Tag to Device, you select the Enter custom value menu item and enter the Tag ID of the tag you want the workflow to add to devices.

[Image: Enter custom value field]

You can find the ID number for organization groups, profiles, applications, and tags using the listed steps.

Note: These procedures use Google Chrome as the browser. Steps vary depending on the browser used to access the Workspace ONE UEM console.

Find the ID Number of Organization Groups

You need the ID number of the organization group to which you want to move a device in the Workspace ONE UEM console. You use the ID number to configure the Change Device Organization Group action in the Workspace ONE Intelligence workflow.

  1. In the Workspace ONE UEM console, select the applicable organization group.
  2. Go to Groups & Settings > Groups > Organization Groups > Details.
  3. Find the ID number at the end of the URL string in the browser. An example of the string is: https://<Workspace_ONE_UEM>/AirWatch/#/AirWatch/OrganizationGroup/Details/Index/859. The 859 at the end of the string is the organization group ID.

Find the ID Number of Profiles

You need the ID number of the profile from the Workspace ONE UEM console to configure profile-related actions for workflows.

  1. In the Workspace ONE UEM console, select the applicable organization group.
  2. Go to Devices > Profiles & Resources > Profiles.
  3. Point to the applicable profile in the Profiles List View to display the item's URL in the bottom left of the browser.
  4. Find the ID number located in the middle of the string. An example of the string is: https://<Workspace_ONE_UEM>/AirWatch/Profiles/DeviceProfileEdit/85?isReadOnlyProfileView=x. The 85 in the middle of the string is the profile ID.

Find the ID Number of Purchased Applications

The ID number of the application is a number the Workspace ONE UEM system assigns to the application. It is different than the Application ID.

  1. In the Workspace ONE UEM console, select the applicable organization group.
  2. Go to Apps & Books > Applications > Native > Purchased.
  3. Point to the application in the List View to display the item's URL in the bottom left of the browser.
  4. Find the ID number at the end of the string. An example of the string is: https://<Workspace_ONE_UEM>/AirWatch/Orders/EditAssignment?AppLicensePollId=0&VppLicenseCountId=2448&ApplicationId=9193. The 9193 at the end of the string is the ID of the application.

Find the ID Number of Tags

You need the ID number of the tag from the Workspace ONE UEM console to configure tag-related actions for workflows.

  1. In the Workspace ONE UEM console, select the applicable organization group.
  2. Go to Groups & Settings > All Settings > Devices & Users > Advanced > Tags.
  3. Point to the applicable profile tag in the Tags List View to display the item's URL in the bottom left of the browser.
  4. Find the ID number at the end of the string. An example of the string is: https://<Workspace_ONE_UEM>/AirWatch/Tags/Actions/View/10028. The 10028 at the end of the string is the tag ID.

Find the ID Number of Internal and Public Applications

The ID number of the application is a number the Workspace ONE UEM system assigns to the application. It is different than the Application ID.

  1. In the Workspace ONE UEM console, select the applicable organization group.
  2. Go to Apps & Books > Applications > Native.
  3. Select the Internal or Public tab depending on the type of application.
  4. Select the application to see the Details View.
  5. Find the ID number located in the middle of the string. An example of the string is: https://<Workspace_ONE_UEM>/AirWatch/#/AirWatch/Apps/Details/Internal/246/Summary?isDependencyFile=False. The 246 in the middle of the string is the ID number of the application.
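The five URL shapes above keep the ID in different places: at the end of the fragment, in the path, or in a query parameter. A wrong ID entered as a custom value points the action at a different component. The following is an added example, not VMware code: it extracts the ID only when the URL matches the shape expected for the component type. The function and kind names are hypothetical, and the host uem.example.invalid stands in for <Workspace_ONE_UEM>.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Where each console URL shape keeps its ID: URL part to search, and pattern.
_PATTERNS = {
    "organization_group": ("fragment",
                           r"/OrganizationGroup/Details/Index/([0-9]+)$"),
    "profile": ("path", r"/Profiles/DeviceProfileEdit/([0-9]+)$"),
    "tag": ("path", r"/Tags/Actions/View/([0-9]+)$"),
    "internal_or_public_app": (
        "fragment", r"/Apps/Details/(?:Internal|Public)/([0-9]+)(?:/|$)"),
}


def extract_component_id(kind: str, url: str) -> int:
    """Return the numeric ID for `kind`, or raise ValueError on a mismatch."""
    parts = urlsplit(url)
    if kind == "purchased_app":
        # Purchased applications carry the ID in the ApplicationId parameter;
        # the other numeric parameters in the same URL are not the ID.
        if not parts.path.endswith("/Orders/EditAssignment"):
            raise ValueError("URL is not a purchased-application assignment page")
        values = parse_qs(parts.query).get("ApplicationId", [])
        if len(values) != 1 or not re.fullmatch(r"[0-9]+", values[0]):
            raise ValueError("ApplicationId is missing, repeated or not numeric")
        return int(values[0])
    if kind not in _PATTERNS:
        raise ValueError(f"unknown component kind: {kind}")
    part, pattern = _PATTERNS[kind]
    # Single-page console views place the route after '#', so those IDs are
    # found in the fragment rather than in the path.
    match = re.search(pattern, getattr(parts, part))
    if not match:
        raise ValueError(f"URL does not have the {kind} shape")
    return int(match.group(1))


def identify(url: str):
    """Try every known shape and return (kind, id); raise if none matches."""
    for kind in (*_PATTERNS, "purchased_app"):
        try:
            return kind, extract_component_id(kind, url)
        except ValueError:
            continue
    raise ValueError("URL matches no known console component page")


# The example strings from this page, with a constructed host name.
HOST = "https://uem.example.invalid"
SAMPLES = {
    "organization_group":
        HOST + "/AirWatch/#/AirWatch/OrganizationGroup/Details/Index/859",
    "profile":
        HOST + "/AirWatch/Profiles/DeviceProfileEdit/85?isReadOnlyProfileView=x",
    "purchased_app":
        HOST + "/AirWatch/Orders/EditAssignment"
               "?AppLicensePollId=0&VppLicenseCountId=2448&ApplicationId=9193",
    "tag": HOST + "/AirWatch/Tags/Actions/View/10028",
    "internal_or_public_app":
        HOST + "/AirWatch/#/AirWatch/Apps/Details/Internal/246/Summary"
               "?isDependencyFile=False",
}

if __name__ == "__main__":
    for kind, url in SAMPLES.items():
        print(kind, extract_component_id(kind, url))
```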