Workflows

Workflows (formerly Automations) in Workspace ONE Intelligence let you automate actions across your Workspace ONE deployment. To use workflows, ensure you meet the needed requirements. Set up workflows by configuring communication with APIs, registering third-party services, and configuring workflows. View a list of available Workspace ONE UEM actions you can automate, and see how you can add Workspace ONE UEM components to your workflows. Finally, use custom connectors so you can automate your internal services.

Workflows and compliance policies

The automation capabilities in Workspace ONE Intelligence use numerous parameters that trigger a workflow. You can customize the workflow to act on unique scenarios in your Workspace ONE environment. Automation is a robust feature but it is not intended to replace compliance policies.

A workflow consists of triggers, caused by a state change or trend, that cause the engine to take a set action through Workspace ONE or an integrated third-party service. You can create your own workflows or you can use preset workflow templates.

Workflows monitor incoming and existing data. They act on states that match their configured triggers immediately after you save them. Workflows then monitor data for state changes and act as configured. Configure triggers in workflows to recognize the condition that represents what you want remedied.

Workflows offer many actions that help solve problems related to compliance; however, the compliance engine still serves an important purpose.

  • Workflows - Its decision engine acts on triggers from devices and applications to automate actions across the digital workspace environment. You can extend the decision engine to third-party services. Use the automation feature to define workflows for device-category scenarios like battery percent and ownership and to install applications and other resources in your Workspace ONE deployment. You can also use it in scenarios that encompass various facets of your Workspace ONE deployment. Use it to install or remove applications and profiles for security, notify interested teams about workflows, and extend these capabilities to third-party solutions.
  • Compliance - Its engine acts on closed-loop workflows where a user can have resources returned after becoming compliant again. Use compliance in scenarios focused on remediation and device state. Use it to force devices to comply with mandated security policies. Remove resources until devices comply with set compliance rules that return them to a working state.

FedRAMP consideration

The NIST Special Publication 800-47 Rev.1: Managing the Security of Information Exchanges defines a system interconnection as the direct connection of two or more IT systems for the purpose of sharing data and other information resources.

Connecting IT systems is a customer-configured capability. Before you connect IT systems in Workspace ONE Intelligence, discuss the risks of connecting non-FedRAMP accredited information systems with your Authorizing Official. Workspace ONE on AWS GovCloud, and by extension Workspace ONE Intelligence, is a FedRAMP Moderate accredited information system. When you connect information systems to other systems with different security requirements and controls, carefully consider the risks.

Contact the Federal Support line (877-869-2730 OPTION 2) or submit a support request using My Workspace ONE for more details and to enable customer-controlled third party connections to other systems.

Requirements

To use the automation features in your Workspace ONE Intelligence environment, install the reports service and connect to the Workspace ONE UEM API server.

Reporting

Workspace ONE Intelligence uses the data in the reports data warehouse to display analytics from your Workspace ONE deployment. Reports are available in the Workspace ONE UEM console.

Install the Workspace ONE Intelligence Connector Service - on-premises

Before using Workspace ONE Intelligence features, you must install the Workspace ONE Intelligence Connector service (also known as the ETL installer) onto a separate server in your Workspace ONE UEM environment.

Each feature uses the Workspace ONE Intelligence Connector Service installed from the Workspace ONE Intelligence Connector Installer. The Workspace ONE Intelligence Connector service gathers the data from your Workspace ONE UEM console server and pushes it to the reports cloud service.

  • Shared SaaS - No installation is required. This deployment has access to reports. No action is required.
  • Dedicated SaaS - Contact your support representative or SAM to set up Reports and Workspace ONE Intelligence.
  • On-premises - You must install the Workspace ONE Intelligence Connector for communication between the Reports infrastructure and dashboards. For on-premises deployments that put the Workspace ONE UEM server behind a firewall, you can use workflows and API functionality. However, these deployments must use the Unified Access Gateway and set it as a reverse proxy. For details, access Configure Reverse Proxy With VMware Workspace ONE UEM API.

Admin roles

  • Existing admin roles that have permissions for reports have access to Workspace ONE Intelligence roles.
  • For new admin roles, include permissions for Workspace ONE Intelligence so that admins can access settings.

Requirements to connect to the API Server and to use APIs for communication

Use OAuth 2.0, where available, for API communication. If your Workspace ONE UEM environment does not support OAuth 2.0, skip to the Basic Authentication section.

OAuth 2.0 setup

Basic authentication

  • Create an AirWatch Administrator account for the specific purpose of working with the automation feature. Grant this admin account the permissions it needs to use the APIs.
  • Configure the admin account to use Basic Authentication for API communications, because Directory accounts do not work. Find the API authentication items on the API tab in the Add or Edit Admin area.
  • Configure Automation Connections.

Getting started

To use workflows, set up communication with APIs, register third-party services used for remediation, and configure workflows to carry out remediation actions.

If you do not follow these steps, Automation Workflows do not work.

Prerequisites

For on-premises deployments that put the Workspace ONE UEM server behind a firewall, you can use workflows and API functionality. However, these deployments must use the VMware Unified Access Gateway (UAG) and it must be set as a reverse proxy.

OAuth 2.0 authentication procedure

  1. Retrieve required credential details from UEM
    1. Create an OAuth client to use with Workspace ONE UEM APIs.
      • Ensure you create the OAuth client at the Organization Group used to launch Workspace ONE Intelligence and provide a sufficient role to prevent API access issues.
    2. Find your supported Workspace ONE UEM Region and copy the Token URL.
  2. Register Workspace ONE UEM with Workspace ONE Intelligence by entering the authentication details from Workspace ONE UEM to Workspace ONE Intelligence.
    1. In Workspace ONE Intelligence, go to Integrations > Data Sources.
    2. Select Set Up for Workspace ONE UEM.
    3. Select Provide Credentials and configure the settings.
      • Base URL: Enter your Workspace ONE UEM console URL and include the protocol (https://) in the entry. You can find this URL in your browser with an instance of the Workspace ONE UEM console open. It often ends in .com. For example, if you saw the listed URL in your browser example.company.com/AirWatch/Login when you had the browser pointed to your console, you would enter https://example.company.com/ as the Base URL. If you have separate API servers, you can find the API URL in Workspace ONE UEM in Groups and Settings > All Settings > System > Advanced > Site URLs > REST API URL. Add the base URL without the trailing /API.
      • Auth Type: Select OAuth2 Authentication.
      • Client ID: Enter the Client ID retrieved from the OAuth Client setup process.
      • Client Authentication Location: Select Send client credentials in body.
      • Grant Type: Select Client Credentials.
      • OAuth2 Token URL: Enter the Token URL from the supported region defined in the Using UEM Functionality with a REST API article.
      • Client Secret: Enter the Client Secret retrieved from the OAuth Client setup process.
      • Scope: You can leave this menu item blank.
      • Workspace ONE UEM API Key: Enter the API key that the Workspace ONE UEM console generated when you enabled REST API communications. Find this key in Workspace ONE UEM under Groups and Settings > All Settings > System > Advanced > API > REST API.
  3. Register third-party services with Workspace ONE Intelligence.
  4. Configure workflows for remediation and reporting.

Basic authentication procedure

  1. In the Workspace ONE UEM console, create and use a Workspace ONE UEM Administrator account specific for automation with API permissions.
  2. Generate an API key in Workspace ONE UEM so that Workspace ONE Intelligence can use it to connect to any third-party service.
    1. In Workspace ONE UEM, select the organization group where you want to connect to third-party services.
    2. In the Workspace ONE UEM console, go to Groups & Settings > All Settings > System > Advanced > API > REST API.
    3. Configure the settings on the General tab.
      • Enable API Access: Permits you to generate an API key for the service.
      • Add: Select Add to generate an API Key. Record this value and enter it in the Intelligence environment as the Workspace ONE UEM API Key.
      • Service: Enter a descriptive name for the service, such as Automation.
      • Account Type: Select Admin.
    4. Configure the settings on the Authentication tab.
      • Basic: Select Basic authentication if you want to use credentials for an admin that is not in a directory.
      • Certificates: Not applicable.
      • Directory: Select Directory authentication if you want to use credentials for an admin that is part of a directory.
  3. Register Workspace ONE UEM with Intelligence by entering the API key and authentication credentials from Workspace ONE UEM to Workspace ONE Intelligence.
    1. In Workspace ONE Intelligence, go to Integrations > Data Sources.
    2. Select Set Up for Workspace ONE UEM.
    3. Select Provide Credentials and configure the settings.
      • Base URL: Enter your Workspace ONE UEM console URL, and include the protocol (https://) in the entry. You can find this URL in your browser with an instance of the Workspace ONE UEM console open. It often ends in .com. For example, if you saw the listed URL in your browser example.company.com/AirWatch/Login when you had the browser pointed to your console, you would enter https://example.company.com/ as the Base URL.
      • Auth Type: Select Basic Authentication.
      • User Name: Enter the user name for the specific admin you created for automation.
      • Password: Enter the password for the admin.
      • Workspace ONE UEM API Key: Enter the API key that the Workspace ONE UEM console generated when you enabled REST API communications. Find this key in Workspace ONE UEM under Groups and Settings > All Settings > System > Advanced > API > REST API.
  4. Register third-party services with Workspace ONE Intelligence.
  5. Configure workflows for remediation and reporting.
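To show what the settings in the two procedures above mean on the wire, here is an added Python example (not VMware's code and not part of this documentation). It normalizes the Base URL the way the steps describe (https scheme, host only, no /AirWatch/Login path, no trailing /API), builds the Client Credentials token request with the client ID and secret either in the body (the "Send client credentials in body" setting) or in a Basic Authorization header, builds the Basic Authentication header for the dedicated automation admin, and assembles the headers for a subsequent UEM REST API call. The `aw-tenant-code` header name for the Workspace ONE UEM API Key, the injectable `post` hook, and the host names used in the comments are assumptions, not values from this page.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed header name for the Workspace ONE UEM API Key (not stated on this page).
API_KEY_HEADER = "aw-tenant-code"

def normalize_base_url(url):
    """Base URL as the procedure wants it: https, host only, trailing slash (no /AirWatch/Login, no /API)."""
    if "://" not in url:
        url = "https://" + url
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Base URL must start with https:// and name a host")
    return f"https://{parts.netloc}/"

def basic_auth_header(username, password):
    """Authorization value for the Basic Authentication path (dedicated automation admin)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode("ascii")

def build_token_request(client_id, client_secret, creds_in_body=True, scope=None):
    """Headers and form body for the Client Credentials grant POSTed to the Token URL.
    creds_in_body=True mirrors 'Send client credentials in body'; False uses a Basic header."""
    fields = {"grant_type": "client_credentials"}
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    if creds_in_body:
        fields.update(client_id=client_id, client_secret=client_secret)
    else:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    if scope:  # the procedure above leaves Scope blank
        fields["scope"] = scope
    return headers, urllib.parse.urlencode(fields).encode("ascii")

def _http_post(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")

def fetch_access_token(token_url, client_id, client_secret, post=_http_post):
    """POST to the region Token URL and return the bearer token; 'post' is injectable for offline use.
    The secret and the token are never printed or logged."""
    if not token_url.startswith("https://"):
        raise ValueError("Token URL must use https://")
    headers, body = build_token_request(client_id, client_secret)
    data = json.loads(post(token_url, headers, body))
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise RuntimeError("token endpoint did not return a bearer access_token")
    return data["access_token"]

def uem_api_headers(access_token, api_key):
    """Headers for a UEM REST API call: the bearer token plus the tenant API key."""
    return {"Authorization": f"Bearer {access_token}", API_KEY_HEADER: api_key, "Accept": "application/json"}
```

Keep the client secret and admin password in a secrets store rather than in the script, and give the OAuth client or automation admin only the role the workflow actions need, as the procedure notes.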

Configure workflows

Configure filters in workflows to recognize the desired state change and configure actions to remediate the filtered state changes.

Use a template or create your own workflow with this task.

Procedure

  1. In Workspace ONE Intelligence, navigate to Workspace > Workflows > Add.
  2. Select Start From a Template or Start Custom Workflow.
  3. If starting from a template, select a template. For example, you can select Device > Battery.
    1. Select the template from the results list.
    2. View the Trigger Rules for the selected template and select the type of trigger.
      • Automatic - Automatically execute the workflow when incoming events match the filter. This also provides support to select whether this trigger should execute on existing data upon save or only on new incoming data. Supported for all integration types.
      • Schedule - Define when the filtered results should execute. Supported for data categories with Snapshot data (such as Workspace ONE UEM).
      • Manual - Execute the workflow On-Demand (good for one-time actions). Supported for data categories with Snapshot data (such as Workspace ONE UEM).
        • Note - When Manual or Schedule trigger types are used, a Run button becomes available on the Automation Overview page to allow manual execution as needed. Note that due to throttling limits, this action cannot be performed more than once per hour for the same Workflow.
    3. Add an Action using the + icon. The Workflow performs this action when it identifies the trigger.
    4. Select a Connector and choose an available action from that connector.
    5. Save the workflow.
  4. If starting from a custom workflow, select the connector (the data source) and the category. For example, you can select Workspace ONE UEM > Apps Data.
    1. Select a Trigger Type, Automatic, Schedule, or Manual.
    2. Add Trigger Rules by selecting Empty Rule.
    3. Select the category attribute, the operator, and the rule value.
    4. Add an Action using the + icon. The Workflow performs this action when it identifies the trigger.
    5. Select a Connector and choose an available action from that connector.
    6. Save the workflow.

After you save your settings, the workflow immediately scans data and acts on filters that match the configured criteria. It then continues to monitor data for the criteria and continues to execute actions accordingly.

Workspace ONE UEM actions

To decide which Workspace ONE UEM actions to use in your Workspace ONE Intelligence automation workflows, review action descriptions.

Before you can use the profile and application automation actions, you must configure them in Workspace ONE UEM with the listed settings and configurations.

  • Configure a profile with an Assignment Type (Optional or Auto) in the profile's General payload.
  • You must configure and add an Assignment to an application.
  • You must deploy profiles and applications in Workspace ONE UEM to devices in a smart group. This deployment to smart groups is part of the assignment process for both applications and profiles.

If you do not assign and deploy applications and profiles before configuring the automation, there is no data for Workspace ONE Intelligence to pull and the system cannot run the applicable automation.

Descriptions of Workspace ONE UEM actions

  • Add Tag to Device - Adds a tag to the selected device in the Workspace ONE UEM console.
  • Approve Patch - Approves an individual Windows patch for installation. Enter the title or the knowledge base number of the patch. You can also enter the Revision ID of the patch.
  • Change Device Organization Group - Moves an enrolled device to another organization group. Consider the resource assignments the device loses and gains after it moves from its original group to the new group.
  • Change Ownership Type - Updates the device ownership to Corporate-Dedicated, Corporate-Shared, or Employee Owned.
  • Clear Passcode - Removes the passcode requirement from a device so that a user can authenticate without it. Anyone can use this device after you automate this action.
  • Data Roaming - Activates or deactivates data roaming on iOS devices.
  • Delete Device - Deletes a device record from Workspace ONE UEM.
  • Enterprise Wipe Device - Removes management and corporate settings from an enrolled device.
  • Install Internal Application - Installs an internal application on a device that is uploaded and managed in Workspace ONE UEM.
  • Install Profile - Installs a Workspace ONE UEM profile on a device.
  • Install Public Application - Installs a public application on a device that is uploaded and managed in Workspace ONE UEM.
  • Install Purchased Application - Installs a purchased application on a device that is uploaded and managed in Workspace ONE UEM.
  • Lock Device - Forces a device to return to its lock screen.
  • Personal Hotspot - Activates or deactivates personal hotspot settings on iOS devices.
  • Query Device - Requests updated data from a device.
  • Remove Internal Application - Removes an internal application from a device that is uploaded and managed in Workspace ONE UEM.
  • Remove Profile - Removes a Workspace ONE UEM profile from a device.
  • Remove Public Application - Removes a public application from a device that is uploaded and managed in Workspace ONE UEM.
  • Remove Purchased Application - Removes a purchased application from a device that is uploaded and managed in Workspace ONE UEM.
  • Remove Tag from Device - Removes a tag from the selected device in the Workspace ONE UEM console.
  • Reprocess Product - Initiates a reprocessing of a Product Provisioning product job by the policy engine. Supports a reprocess and a force reprocess.
  • Schedule OS Update - Schedules an OS update and forces an iOS device that is supervised and that is on 10.3 or later (depending on configurations) to update to the latest OS version.
    • DownloadOnly - Configures the action to only download the update to make it available for installation.
    • InstallASAP - Installs the downloaded OS update. This action only works if the OS update is already downloaded to the device.
  • Send Email - Sends an email to a user with the SMTP server configured in the Workspace ONE UEM environment.
  • Send Push Notification - Sends a push notification to a managed application, either the Workspace ONE Intelligent Hub or VMware Content Locker.
  • Send SMS - Sends a notification to a device with the SMS gateway configured in the Workspace ONE UEM environment.
  • Stop AirPlay - Stops an AirPlay session on iOS devices.
  • Sync Device - Evaluates applications currently installed on a device and compares that state to the required applications configured in the Workspace ONE UEM console. The action issues an installation command for any required applications that are missing from the device.
  • Voice Roaming - Activates or deactivates the ability to use voice roaming settings on iOS devices.