Authorize Workspace ONE Intelligence to connect and share data with third-party services in the Integrations area. Services include connecting to other systems in your Workspace ONE deployment, automation services, and trust network services. Find information about Workspace ONE UEM, Slack, ServiceNow, App Approvals, Custom Connectors, and Microsoft Azure.

Workspace ONE UEM

Enter Workspace ONE UEM API communication credentials in Workspace ONE Intelligence so that it can use the Workspace ONE UEM API server for communication with other third-party services for Automations.

Prerequisites

Generate an API key in Workspace ONE UEM console. This process is outlined in the Automations section.

Procedure

  1. Access the Workspace ONE Intelligence UI.
  2. Navigate to Integrations > Automation Connectors.
  3. Select Set Up for the Workspace ONE UEM process.
  4. Select Provide Credentials and configure the settings.
    • Base URL - Enter your Workspace ONE UEM REST API URL, and include the protocol (https://) in the entry.
    • API User Name - Enter the user name for the specific admin you created for automation.
    • API User Password - Enter the password for the admin.
    • Workspace ONE UEM Tenant Code - Enter the API key that the Workspace ONE UEM console generated when you enabled REST API communications.

Slack

Configure Slack for API communication so that you can register it with Workspace ONE Intelligence and use Slack Automation Actions.

Procedure

  1. In Slack Help, search for Incoming WebHooks.
  2. In Slack, configure an Incoming Webhook Integration so that you can connect to Slack API and send messages.
  3. Define a default channel for messages. You can override this channel when you create a message.
  4. In Workspace ONE Intelligence, navigate to Integrations > Automation Connectors > Slack > Set Up.
  5. On the Provide Credentials tab, enter the Slack WebHook URL in the Base URL field.
  6. Select No Authentication as the Authentication Type.

ServiceNow

Configure your ServiceNow account for API communication so that you can register ServiceNow with Workspace ONE Intelligence and use ServiceNow Automation Actions.

Follow the steps in the article REST API roles.

Procedure

  1. In your ServiceNow account, add the snc_platform_rest_api_access role to the ServiceNow account. This API controls the Table API for Inbound REST operations.
  2. In Workspace ONE Intelligence, navigate to Integrations > Automation Connectors > ServiceNow > Set Up.
  3. On the Provide Credentials tab, enter authentication credentials and enter https://instance.service-now.com for the Base URL.

App Approvals

You can control the cost of your application licenses with the integration of the app approvals workflow in Workspace ONE Intelligence.

Many Win32 applications have expensive licenses. You can use app approvals to restrict who can install these applications and to control the cost to manage these resources.

The integration brings several systems together to process app approval requests.

  • Workspace ONE UEM - Manages the application and distributes it to the Workspace ONE Intelligent Hub catalog on devices.
  • VMware Workspace ONE Intelligence - Communicates between your ServiceNow environment and your Workspace ONE UEM deployment.
  • ServiceNow - Manages the request and the approval process.

Process for App Approvals

App approvals start with a user requesting to install an app on a Windows 10 device.

  1. Users request to install applications through the Workspace ONE Intelligent Hub app on their devices. They use the Request menu item in the catalog. If needed, users can enter a justification to initiate the app request process.
  2. VMware Workspace ONE Intelligence sends requests to ServiceNow. The requests contain information about users, devices, and requested applications.
  3. ServiceNow processes requests according to workflows (configured in ServiceNow) and according to company policies.
  4. ServiceNow sends responses back to VMware Workspace ONE Intelligence. Responses include approvals or rejections.
    • Approvals result in the automatic installation of applications.
    • Rejections result in returns to Request states in the Workspace ONE Intelligent Hub.
  5. If approved, Workspace ONE UEM sends the app to Workspace ONE Intelligent Hub for installing on the device.

Configure App Approvals

Use Workspace ONE Intelligence and your ServiceNow service to request and approve the installation of applications. Start configuring in ServiceNow, then add information to your ServiceNow connection in Workspace ONE Intelligence, and end with editing the app assignment in Workspace ONE UEM.

Prerequisites

Have the listed integrations, systems, and settings configured before using app approvals.

  • Use Workspace ONE UEM version required for Workspace ONE Intelligence.
  • Register Workspace ONE UEM with Workspace ONE Intelligence.
  • Have a ServiceNow instance with the ServiceNow Integration Hub plugin, and Register ServiceNow with Workspace ONE Intelligence.
  • Use Hub Services and use the Intelligent Hub app as your app catalog.
  • Use Windows 10 devices.
  • Use native apps managed in Workspace ONE UEM (internal, public, and purchased).
  • Know about app assignments in Workspace ONE UEM. Access Add Assignments and Exclusions to Applications for information on app assignments.

Set up ServiceNow to Handle Incoming App Requests

Set up ServiceNow to handle incoming, app requests so that you can customize your instance and approval policies. This process uses the ServiceNow's Scripted REST API capability.

To start the request process, Workspace ONE Intelligence sends a request like the sample code to ServiceNow. Requests include details about users, devices, and applications requested for installation.

{
  "RequestId": "bffb4469-56fb-4141-9ab0-0897f65143ba",
  "RequestFor": {
    "UserId": "15",
    "UserAttributes": {
      "user_name": "username",
      "last_name": "user",
      "first_name": "name",
      "email": "username@example.com"
    }
  },
  "Domain": "${domain}",
  "DeviceId": 123,
  "DeviceProperties": {
    "name": "Device Name",
    "device_udid": "F11C43E8307092418D7D5B0D9B48F235",
    "platform": "Windows 10"
  },
  "Notes": "Notes",
  "CatalogItem": {
    "Id": "267",
    "Name": "App Name",
    "Categories": null,
    "Properties": {
      "package_id": "{12345A78-40C1-2702-0000-000004000000}",
      "version": "9.20.0",
      "platform": "WinRT"
    }
  },
  "DueDate": 1568989813956,
  "Links": {
    "ApprovalNotify": {
      "Url": "<CallbackURL>"
    }
  }
}
  1. Log in to ServiceNow and search for Scripted REST APIs.
  2. Add a Scripted REST API.
  3. Enter a descriptive name, like Workspace ONE App Approval, in the Name text box.
  4. Enter the API ID as appapproval, and record your API namespace because you enter it in Workspace ONE Intelligence later in this process. Enter API ID
  5. Go to the Resources section and add a Resource.
  6. Enter the Resource Name as Request.
  7. Use POST for the HTTP Method.
  8. Check that the Relative Path is /request. The resource path displays as /api/<namespace>/appapproval/request. If the path is not in this format, the request fails. To fix, check that the Scripted REST API and resource have the correct names.
  9. Configure the script to match your environment. Store values as part of the ServiceNow Request. Storing the values compiles the outgoing API request after the request ticket is approved or rejected. You can customize the sample code for your deployment. You can create a cart item within a request or link the user name to your system's SYSID.
(function process(/*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {
    var RequestID = request.body.data.RequestId;
    var CallbackURL = request.body.data.Links.ApprovalNotify.Url;
    var DeviceID = request.body.data.DeviceId;
    var Notes = request.body.data.Notes;
    var AppName = request.body.data.CatalogItem.Name;
    var UserID = request.body.data.RequestFor.UserId;
    var UserName = request.body.data.RequestFor.UserAttributes.user_name;
    var FirstName = request.body.data.RequestFor.UserAttributes.first_name;
    var LastName = request.body.data.RequestFor.UserAttributes.last_name;
    gs.info("Request Recieved");
    var create = new GlideRecord('sc_request');
    create.initialize();
    create.setValue('short_description',"Request for Installation of " + AppName);
    create.setValue('description',FirstName + " " + LastName + " Requests Installation of " + AppName);
    create.setValue('u_uem_callback_url',CallbackURL);
    create.setValue('u_uem_notes',Notes);
    create.setValue('u_uem_device_id',DeviceID);
    create.setValue('u_uem_request_id',RequestID);
    create.setValue('u_uem_user_id',UserID);
    create.setValue('u_requesting_user',UserName);
     
    create.insert();
     
    response.setStatus(200);
})(request, response);

Add Custom Fields to the Request Ticket ServiceNow

Add custom fields to the Request ticket with tables in ServiceNow. Custom fields help to compile the outgoing approval and rejection API requests to Workspace ONE Intelligence.

  1. Search Tables in the ServiceNow navigation bar and select System Definition > Tables.
  2. Search for the Table Name sc_request and open to view column details. If you search on the table label, the table's label is request.
    1. Add columns by adding required values the system returns to Workspace ONE Intelligence, and add their respective value in the API request.
    2. ApprovalNotify.URL = UEM Callback URL
    3. DeviceId = UEM Device ID
    4. RequestId = UEM Request ID
  3. Add optional values. If you change the default Column Name, update your script to use the updated column name.

    • UserId = UEM User ID
    • user_name = Requesting User
    • Notes = UEM Notes
    Type Column Label Column Name Max Length
    String UEM Callback URL u_uem_callback_url 2048
    Integer UEM Device ID u_uem_device_id NA
    String UEM Request ID u_uem_request_id 40
    Integer UEM User ID u_uem_user_id NA
    String Requesting User u_requesting_user 40
    String UEM Notes u_uem_notes 4000
  4. Select Update and save the table.

  5. Optionally, you can use Form Sections in the System UI to hide columns and values from the UI. Hiding columns and values sets them to be used only in API requests.

Configure an Action in ServiceNow

  1. In ServiceNow, go to Flow Designer > New > Action to configure an action for a workflow. ServiceNow workflows send an approval or rejection response to Workspace ONE Intelligence.
  2. Enter a name and metadata in Action Properties. Action Properties
  3. Define Inputs for the action.
    • Request ID
    • Device ID
    • Updated By
    • Notes
    • Updated At
    • Callback URL
    • Approval Inputs
  4. Add a Script step by selecting the plus sign (+) in the Action Outline section. Then, got to Utilities > Script Step. The script step converts the approval status string to uppercase to prepare for the API call.
    • Define the input variable as approval_status and drag it into the approval value.
    • Add the sample code that converts the approval status to uppercase.
    • Define the output variable as ApprovalStatus.
(function execute(inputs, outputs) {
var  approval_lc = inputs.approval_status;
 
outputs.ApprovalStatus = approval_lc.toUpperCase();
})(inputs, outputs);

Script_Step 5. Add a REST step to the action. - Use the Callback URL variable as the Base URL value. - Use POST as the HTTP Method. - Add the header Content-Type =application/json. - Define the Request Type as Text. - Enter the Request Body payload like the sample code. Replace values in the sample code with your data variables. - Save the action.

{
"data":{
    "request_id": "action-Request ID", 
    "device_id": "action-Device ID", 
    "approval_status": "step-Script step-ApprovalStatus", 
    "updated_by": "action-Updated By", 
    "notes" : "action-Notes", 
    "updated_at" : "action-Updated At"
    }
}

REST Step

Create a Workflow in ServiceNow

  1. In ServiceNow, create a workflow with the approval action, depending on your organization's approval policies.
  2. In the Flow Designer, select New.
  3. Populate metadata that includes properties for Flow, Application, and Run As. Flow Properties
  4. To create a trigger, use Updated to find changes in the ticket statuses. Updated
  5. Select Request[sc_request] as the Table.
  6. Define a Condition as [Approval - is one of - Approved, Rejected] and [UEM Callback URL - is not empty].
  7. Select Once for Run Trigger. Run Trigger
  8. Add the AppApproval action. Add Action
  9. Add appropriate values from the request table that match the required action inputs. Add Values
  10. Save and activate the workflow.

Add Scripted REST API Namespace to Intelligence

  1. In Workspace ONE Intelligence, go to Integrations > Automation Connectors > ServiceNow.
  2. Edit the connection to include the API Namespace. You recorded this value while adding the Scripted REST API to ServiceNow. Edit Connection

Require Approval

  1. To require approval, edit the app assignment in Workspace ONE UEM. Editing an app assignment to require approval enables users to request to install apps with the Workspace ONE Intelligent Hub on Windows 10 devices.
  2. In the Workspace ONE UEM console, navigate to the appropriate app and edit the assignment.
  3. Enable Require Approval To Install. Require Approval
    In the Workspace ONE Intelligent Hub on the device, users select the Request menu item in the catalog. Users can enter a justification to initiate the app request process. After the request is approved by the appropriate individual through ServiceNow, the app is installed.

App Approval Statuses

Statuses in the Workspace ONE UEM console and in the Workspace ONE Intelligent Hub on devices represent specific steps in the request and approval process for app approvals.

Workspace ONE UEM App Approval Statuses

Admins can view the status of an app approval in the Workspace ONE UEM console, in Apps & Books and in Device Details > Apps tab.

Status Description
Pending Approval The user requested to install an application. Through Workspace ONE Intelligence, ServiceNow created a ticket for the admin to approve the installation. The ticket awaits approval in the ServiceNow system.
Install Command Dispatched The admin approved installation. Through Workspace ONE Intelligence, Workspace ONE UEM sent an installation command to the database. The device consumed the command.
Installed The device reported to Workspace ONE UEM that the application installed successfully.
Rejected The admin rejected the ServiceNow ticket for installation. The user must request to install the application again.
Expired The admin did not approve or reject the ServiceNow ticket within 14 days. The user must request to install the application again.
Error The app approval system encountered an error somewhere in the process. The error stopped the process. The user must request to install the application again.

Workspace ONE Intelligent Hub App Approval Statuses

Users access the app through the Workspace ONE Intelligent Hub. They select Request to initiate an installation. After initiating a request, the Workspace ONE Intelligent Hub displays a status to identify where in the process the request for installation exists.

Status Description
Request The admin uploaded the application and enabled Require Approval to Install in the app assignment.
Pending Workspace ONE Intelligence received a reqest from Workspace ONE UEM and sent the request to ServiceNow. ServiceNow created a ticket for approval of installation. The system awaits the admin approval.
Installing The admin approved the ServiceNow ticket for installation and the Workspace ONE UEM database has initiated an installation command.
Installed The device reported back to Workspace ONE UEM that the application successfully installed.

Microsoft Azure Active Directory

To use Azure Active Directory (AD) groups in the roles based access control (RBAC) feature, authorize Workspace ONE Intelligence to connect with your Azure AD environment.

Workspace ONE Intelligence uses the Microsoft Graph API to communicate with your Azure environment.

Prerequisites

You must have the permissions to configure a public Azure AD account. Use your Azure AD admin account credentials for registration. If you do not have admin permissions to set up Azure AD, have an Azure AD admin register your environment with Workspace ONE Intelligence.

Procedure

  1. In the Workspace ONE Intelligence console, go to Integrations > Microsoft Azure Active Directory > Set Up. The system directs you to your organization's Microsoft area. If you have Azure AD admin permissions, the system prompts you to enter your Azure AD credentials.
  2. Select Accept in the Microsoft window to give Workspace ONE Intelligence permissions to access data in Azure. If the system accepts the permissions, the Microsoft Azure Active Directory integration displays as Status: Authorized.
    • Give permission to sign in and read user profiles in Azure.
    • Give permission to read all groups in Azure.
    • Give permission to read the full profiles of all users in Azure.

Results

When you add an admin or group in Workspace ONE Intelligence, you can select from users and groups in your Azure Active Directory environment.

What to do next

Add and edit admins in Settings > Administrators. For information on the different roles and their permissions, access RBAC Role Descriptions.

check-circle-line exclamation-circle-line close-line
Scroll to top icon