
You can control the cost of your application licenses with the integration of the app approvals workflow in Workspace ONE Intelligence.

Many Win32 applications have expensive licenses. You can use app approvals to restrict who can install these applications and to control the cost of managing these resources.

The integration brings several systems together to process app approval requests.

  • Workspace ONE UEM - Manages the application and distributes it to the Workspace ONE Intelligent Hub catalog on devices.
  • VMware Workspace ONE Intelligence - Communicates between your ServiceNow environment and your Workspace ONE UEM deployment.
  • ServiceNow - Manages the request and the approval process.

Process for App Approvals

App approvals start with a user requesting to install an app on a Windows 10 device.

  1. Users request to install applications through the Workspace ONE Intelligent Hub app on their devices.
  2. VMware Workspace ONE Intelligence sends requests to ServiceNow. The requests contain information about users, devices, and requested applications.
  3. ServiceNow processes requests according to workflows (configured in ServiceNow) and according to company policies.
  4. ServiceNow sends responses back to VMware Workspace ONE Intelligence. Responses include approvals or rejections.
    • Approvals result in the automatic installation of applications.
    • Rejections return the app to the Request state in the Workspace ONE Intelligent Hub.
  5. If approved, Workspace ONE UEM sends the app to Workspace ONE Intelligent Hub for installing on the device.

Configure App Approvals

Use Workspace ONE Intelligence and your ServiceNow service to request and approve the installation of applications. Start configuring in ServiceNow, then add information to your ServiceNow connection in Workspace ONE Intelligence, and end with editing the app assignment in Workspace ONE UEM.

Prerequisites

Have the listed integrations, systems, and settings configured before using app approvals.

  • Use Workspace ONE UEM v1910 or later.
  • Register Workspace ONE UEM with Workspace ONE Intelligence.
  • Have a ServiceNow instance with the ServiceNow Integration Hub plugin, and register ServiceNow with Workspace ONE Intelligence.
  • Use Hub Services and use the Intelligent Hub app as your app catalog.
  • Use Windows 10 devices.
  • Use native apps managed in Workspace ONE UEM (internal, public, and purchased).
  • Know about app assignments in Workspace ONE UEM. Access Add Assignments and Exclusions to Applications for information on app assignments.

1. Set up ServiceNow to Handle Incoming App Requests

Set up ServiceNow to handle incoming app requests so that you can customize your instance and approval policies. This process uses ServiceNow's Scripted REST API capability.

To start the request process, Workspace ONE Intelligence sends a request like the following sample to ServiceNow. Requests include details about users, devices, and applications requested for installation.

{
  "RequestId": "bffb4469-56fb-4141-9ab0-0897f65143ba",
  "RequestFor": {
    "UserId": "15",
    "UserAttributes": {
      "user_name": "username",
      "last_name": "user",
      "first_name": "name",
      "email": "username@example.com"
    }
  },
  "Domain": "${domain}",
  "DeviceId": 123,
  "DeviceProperties": {
    "name": "Device Name",
    "device_udid": "F11C43E8307092418D7D5B0D9B48F235",
    "platform": "Windows 10"
  },
  "Notes": "Notes",
  "CatalogItem": {
    "Id": "267",
    "Name": "App Name",
    "Categories": null,
    "Properties": {
      "package_id": "{12345A78-40C1-2702-0000-000004000000}",
      "version": "9.20.0",
      "platform": "WinRT"
    }
  },
  "DueDate": 1568989813956,
  "Links": {
    "ApprovalNotify": {
      "Url": "<CallbackURL>"
    }
  }
}
  1. Log in to ServiceNow and search for Scripted REST APIs.
  2. Add a Scripted REST API.
  3. Enter a descriptive name, like Workspace ONE App Approval, in the Name text box.
  4. Enter the API ID as appapproval, and record your API namespace because you enter it in Workspace ONE Intelligence later in this process.
  5. Go to the Resources section and add a Resource.
  6. Enter the Resource Name as Request.
  7. Use POST for the HTTP Method.
  8. Check that the Relative Path is /request. The resource path displays as /api/<namespace>/appapproval/request. If the path is not in this format, the request fails. To fix, check that the Scripted REST API and resource have the correct names.
  9. Configure the script to match your environment. Store values as part of the ServiceNow Request. The stored values are used to compile the outgoing API request after the request ticket is approved or rejected. You can customize the sample code for your deployment. For example, you can create a cart item within a request or link the user name to your system's SYSID.
(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
    // Values from the incoming request that the outgoing approval or
    // rejection call back to Workspace ONE Intelligence needs later.
    var RequestID = request.body.data.RequestId;
    var CallbackURL = request.body.data.Links.ApprovalNotify.Url;
    var DeviceID = request.body.data.DeviceId;
    var Notes = request.body.data.Notes;
    // Values used to describe the request on the ticket.
    var AppName = request.body.data.CatalogItem.Name;
    var UserID = request.body.data.RequestFor.UserId;
    var UserName = request.body.data.RequestFor.UserAttributes.user_name;
    var FirstName = request.body.data.RequestFor.UserAttributes.first_name;
    var LastName = request.body.data.RequestFor.UserAttributes.last_name;
    gs.info("Request Received");
    // Create the Request ticket and store the values in its custom fields.
    var create = new GlideRecord('sc_request');
    create.initialize();
    create.setValue('short_description', "Request for Installation of " + AppName);
    create.setValue('description', FirstName + " " + LastName + " Requests Installation of " + AppName);
    create.setValue('u_uem_callback_url', CallbackURL);
    create.setValue('u_uem_notes', Notes);
    create.setValue('u_uem_device_id', DeviceID);
    create.setValue('u_uem_request_id', RequestID);
    create.setValue('u_uem_user_id', UserID);
    create.setValue('u_requesting_user', UserName);

    create.insert();

    response.setStatus(200);
})(request, response);
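
The sample script stores every incoming value as received, including the callback URL that the workflow later uses as the Base URL of an outbound POST. The following added example (not VMware or ServiceNow code) shows one way to validate the request body before a ticket is created. It runs stand-alone in Node.js and uses the built-in URL class; ALLOWED_CALLBACK_HOSTS and the host intelligence.example.com are assumptions, and the length limits come from the custom columns described in the next section.

```javascript
// Added example, not part of the original page. Runs in Node.js.
// ALLOWED_CALLBACK_HOSTS is a hypothetical allowlist: replace the entry
// with the callback host of your own Workspace ONE Intelligence tenant.
const ALLOWED_CALLBACK_HOSTS = ['intelligence.example.com'];

// Maximum lengths taken from the custom sc_request columns on this page.
const MAX = { RequestId: 40, user_name: 40, Notes: 4000, Url: 2048 };

function isBoundedString(value, max) {
  return typeof value === 'string' && value.length > 0 && value.length <= max;
}

// Optional fields may be absent, but must fit their column when present.
function isOptionalString(value, max) {
  return value == null || (typeof value === 'string' && value.length <= max);
}

// Returns the names of the fields that failed; an empty list means accept.
function validateApprovalRequest(data) {
  const errors = [];
  const body = data || {};
  const attrs = (body.RequestFor && body.RequestFor.UserAttributes) || {};
  const link = (body.Links && body.Links.ApprovalNotify) || {};

  if (!isBoundedString(body.RequestId, MAX.RequestId)) errors.push('RequestId');
  if (!Number.isInteger(body.DeviceId) || body.DeviceId < 0) errors.push('DeviceId');
  if (!isOptionalString(attrs.user_name, MAX.user_name)) errors.push('user_name');
  if (!isOptionalString(body.Notes, MAX.Notes)) errors.push('Notes');

  // Pin the callback to HTTPS and to known hosts before it is stored.
  let callbackOk = false;
  if (isBoundedString(link.Url, MAX.Url)) {
    try {
      const parsed = new URL(link.Url);
      callbackOk = parsed.protocol === 'https:' &&
        parsed.username === '' && parsed.password === '' &&
        ALLOWED_CALLBACK_HOSTS.includes(parsed.hostname);
    } catch (e) {
      callbackOk = false; // not a parseable absolute URL
    }
  }
  if (!callbackOk) errors.push('Links.ApprovalNotify.Url');
  return errors;
}
```

In the Scripted REST resource, a non-empty result would be answered with a 400 status instead of inserting the record.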

2. Add Custom Fields to the Request Ticket in ServiceNow

Add custom fields to the Request ticket with tables in ServiceNow. Custom fields help to compile the outgoing approval and rejection API requests to Workspace ONE Intelligence.

  1. Search Tables in the ServiceNow navigation bar and select System Definition > Tables.
  2. Search for the Table Name sc_request and open it to view column details. If you search on the table label, the table's label is request.
    1. Add columns for the required values that the system returns to Workspace ONE Intelligence, and add their respective values in the API request.
      • ApprovalNotify.URL = UEM Callback URL
      • DeviceId = UEM Device ID
      • RequestId = UEM Request ID
  3. Add optional values. If you change the default Column Name, update your script to use the updated column name.

    • UserId = UEM User ID
    • user_name = Requesting User
    • Notes = UEM Notes
    | Type    | Column Label     | Column Name        | Max Length |
    |---------|------------------|--------------------|------------|
    | String  | UEM Callback URL | u_uem_callback_url | 2048       |
    | Integer | UEM Device ID    | u_uem_device_id    | NA         |
    | String  | UEM Request ID   | u_uem_request_id   | 40         |
    | Integer | UEM User ID      | u_uem_user_id      | NA         |
    | String  | Requesting User  | u_requesting_user  | 40         |
    | String  | UEM Notes        | u_uem_notes        | 4000       |
  4. Select Update and save the table.

  5. Optionally, you can use Form Sections in the System UI to hide columns and values from the UI. Hiding columns and values sets them to be used only in API requests.

3. Configure an Action in ServiceNow

  1. In ServiceNow, go to Flow Designer > New > Action to configure an action for a workflow. ServiceNow workflows send an approval or rejection response to Workspace ONE Intelligence.
  2. Enter a name and metadata in Action Properties.
  3. Define Inputs for the action.
    • Request ID
    • Device ID
    • Updated By
    • Notes
    • Updated At
    • Callback URL
    • Approval Inputs
  4. Add a Script step by selecting the plus sign (+) in the Action Outline section. Then, go to Utilities > Script Step. The script step converts the approval status string to uppercase to prepare for the API call.
    1. Define the input variable as approval_status and drag it into the approval value.
    2. Add this sample code that converts the approval status to uppercase.
(function execute(inputs, outputs) {
    // Convert the approval status to uppercase for the API call.
    var approval_lc = inputs.approval_status;

    outputs.ApprovalStatus = approval_lc.toUpperCase();
})(inputs, outputs);
    3. Define the output variable as ApprovalStatus.
  5. Add a REST step to the action.
    1. Use the Callback URL variable as the Base URL value.
    2. Use POST as the HTTP Method.
    3. Add the header Content-Type = application/json.
    4. Define the Request Type as Text.
    5. Enter the Request Body payload like the sample code. Replace values in the sample code with your data variables.
{
  "data": {
    "request_id": "action-Request ID",
    "device_id": "action-Device ID",
    "approval_status": "step-Script step-ApprovalStatus",
    "updated_by": "action-Updated By",
    "notes": "action-Notes",
    "updated_at": "action-Updated At"
  }
}

  6. Save the action.
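
The request body above is assembled from ticket values, including free-text notes, and the approval status is uppercased without checking what it contains. The following added example (not VMware or ServiceNow code) builds the same body with a JSON serializer and refuses any status other than the two that the workflow condition in the next section allows. It runs stand-alone in Node.js; buildCallbackBody and its input names are assumptions that mirror the keys of the sample body.

```javascript
// Added example, not part of the original page. Runs in Node.js.
// Only the uppercase forms of Approved and Rejected are valid callbacks.
const CALLBACK_STATUSES = ['APPROVED', 'REJECTED'];

// Builds the JSON text for the REST step from the action inputs.
// Throws instead of sending a callback for a missing or unexpected status.
function buildCallbackBody(inputs) {
  const status = String(inputs.approval_status || '').trim().toUpperCase();
  if (!CALLBACK_STATUSES.includes(status)) {
    throw new Error('No callback for approval state: ' +
      JSON.stringify(inputs.approval_status));
  }
  if (!inputs.request_id || inputs.device_id == null) {
    throw new Error('request_id and device_id are required');
  }
  // JSON.stringify escapes quotes, backslashes and newlines in free text,
  // so notes typed by an approver cannot break or extend the payload.
  return JSON.stringify({
    data: {
      request_id: String(inputs.request_id),
      device_id: String(inputs.device_id),
      approval_status: status,
      updated_by: String(inputs.updated_by || ''),
      notes: String(inputs.notes || ''),
      updated_at: String(inputs.updated_at || '')
    }
  });
}
```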

4. Create a Workflow in ServiceNow

  1. In ServiceNow, create a workflow with the approval action, depending on your organization's approval policies.
  2. In the Flow Designer, select New.
  3. Populate metadata that includes properties for Flow, Application, and Run As.
  4. To create a trigger, use Updated to find changes in the ticket statuses.
  5. Select Request[sc_request] as the Table.
  6. Define a Condition as [Approval - is one of - Approved, Rejected] and [UEM Callback URL - is not empty].
  7. Select Once for Run Trigger.
  8. Add the AppApproval action.
  9. Add appropriate values from the request table that match the required action inputs.
  10. Save and activate the workflow.

5. Add Scripted REST API Namespace to Intelligence

  1. In Workspace ONE Intelligence, go to Integrations > Automation Connectors > ServiceNow.
  2. Edit the connection to include the API Namespace. You recorded this value while adding the Scripted REST API to ServiceNow.

6. Require Approval

  1. To require approval, edit the app assignment in Workspace ONE UEM. Editing an app assignment to require approval enables users to request to install apps with the Workspace ONE Intelligent Hub on Windows 10 devices.
  2. In the Workspace ONE UEM console, navigate to the appropriate app and edit the assignment.
  3. Enable Require Approval To Install.