August 31, 2020

Smarter Groups - Workspace ONE Intelligence and Advanced Assignment Scoping for macOS Devices

In this post, learn how the custom attribute payload in Workspace ONE UEM together with VMware Workspace ONE Intelligence automations can help you to scope out and assign configurations in your macOS devices.

The smart group functionality built into VMware Workspace ONE® UEM contains several types of assignment criteria that you can use when scoping the deployment of an application or configuration. These assignment criteria include organization groups, user groups, device platform or model, operating system versions, enrollment category, and others. However, what if you need to include some other assignment criteria to scope one of your groups that are not ordinarily available? For macOS devices, the custom attribute profile payload together with VMware Workspace ONE® Intelligence can give you additional options when scoping out and assigning your configurations. This post will walk you through the steps required to achieve this.

Expand the drop-down menus to view the details for each step.

Create a Custom Attribute for macOS

For macOS devices in Workspace ONE, admins can deploy custom attributes as a payload in a configuration profile. A custom attribute allows you to assign a script to a device (written in Bash, Z Shell, or Python), and return a value stored in Workspace ONE as a reportable attribute about that device. To create a custom attribute for macOS, follow the next steps.

In this example, we create a custom attribute to report the version of Python installed on the device.

  1. In the Workspace ONE UEM Console, navigate to Devices > Profiles & Resources > Profiles.
  2. Select Add > Add Profile.
  3. Select Apple macOS > Device Profile.
  4. In the General payload, specify a Name, and assign the profile to the appropriate Smart Groups.
  5. Select the Custom Attributes payload on the left-sidebar and click Configure.
  6. Provide an Attribute Name, such as Python Version.
  7. Specify the Script/Command. Make sure to include the appropriate interpreter directive in the first line. For example, the following command will return the version of Python installed:
    #!/bin/bash
    /usr/bin/python -V 2>&1 | /usr/bin/awk '{print $2}'

 

  1. Set the Execution Interval. Custom Attributes can be processed at a scheduled interval or based on specified user events.
  2. Click Save and Publish.
  3. Click Publish.

 

Validate the Custom Attribute under Device Details

After the profile has successfully installed on a machine, you can validate that it is returning an expected value. Note that custom attributes created with a Schedule execution interval should report an initial value very quickly. Custom attributes with an Event execution interval will not report until after the specified event has occurred on the device.

  1. In the Workspace ONE UEM Console, navigate to Devices > List View.
  2. Select a device that has installed the Custom Attribute profile.
  3. Select More > Custom Attributes.
  4. Validate that your Custom Attribute is reporting, with an appropriate value.

Create a Device Tag

Using Workspace ONE Intelligence, you can set up an automation to automatically apply a device tag to a device based on the custom attribute value.

The first step of this process is to create the device tag.

  1. In the Workspace ONE UEM Console, navigate to Settings > Devices & Users > Advanced > Device Tags.
  2. Select Create Tag.
  3. Specify a Name, such as Good Python Version.
  4. Click Save.
  5. Right-click the name of the newly created Tag and select Copy Link.
  6. Paste the link into a text editor, and you should see a link with the form:
    https://{WORKSPACE_ONE_UEM_URL}/AirWatch/Tags/Actions/View/12345
  7. The numerical value at the end of the URL is your Tag ID. Record this number, for example, 12345.
Create a Smart Group Based on Device Tag

Next, create a smart group that uses the device tag in the assignment criteria.

  1. In the Workspace ONE UEM Console, navigate to Groups & Settings > Groups > Assignment Groups.
  2. Select Add Smart Group.
  3. Specify a Name, such as Good Python Version.
  4. Expand the Tags field.
  5. Search for the Tag created in the previous step, and select Add.
  6. Add any other filtering criteria you want to use for the Smart Group.
  7. Click Save.

Create a Workspace ONE Intelligence Automation to Apply the Device Tag

Finally, you can use the Workspace ONE Intelligence platform to create an automation to apply the device tag to devices that meet the specified criteria. Note that this step requires access to a Workspace ONE Intelligence SKU (or trial), that you have opted into Workspace ONE Intelligence in your environment, and that you have connected your Workspace ONE Intelligence environment with your Workspace ONE UEM environment.

  1. At the top Organization Group in your Workspace ONE UEM Console, navigate to Monitor > Intelligence.
  2. Click Launch.
  3. In the Workspace ONE Intelligence Console, select Automations.
  4. Click Add Automation.
  5. Select Category > Workspace ONE UEM > Device Custom Attributes.

  1. Select Device Custom Attributes: Create Your Own.
  2. Specify a Name, such as Add Good Python Version Tag.
  3. Under Filter (If):
    1. In Search, select Others and then the Custom Attribute name. Note that spaces may be replaced with underscores.
    2. Specify the filtering methodology. In this example, we use Includes.
    3. Specify the filter values. You should be able to look up values already used by devices. In this example, we use 2.7.16.
  4. Select the + button below Action (Then):
    1. Select Workspace ONE UEM.
    2. Select Add Tag to Device.
    3. Specify the Device Tag ID recorded in a previous section.
  5. Select Enable Automation.
  6. Click Save.
  7. Click Save and Enable.

Putting It All Together

In this post, we've created the following flow:

  1. A custom attribute is applied to devices, reporting the version of Python installed.
  2. If the reported version of Python matches a specified value, a device tag automatically applies to the device through an automation.
  3. When the device tag applies to the device, Workspace ONE Intelligence includes the device in the specified smart group.
  4. Any applications, profiles, or other configurations applied to that Smart Group are now assigned to the target device.

To summarize the flow; if a device reports a custom attribute with a specified value, Workspace ONE UEM assigns various applications, profiles, and other configurations to the device.

Although the flow designed in this post uses the device tag functionality, Workspace ONE Intelligence automations can take more direct actions, such as installing/removing applications, installing/removing profiles, or running specific device actions. When creating an automation, review the available actions (depending on the configured connectors), and choose the one(s) most appropriate for the flow you have in mind.

Filter Tags

Workspace ONE Workspace ONE Intelligence Workspace ONE UEM Blog Announcement Intermediate macOS Manage

Paul Evans

Read More from the Author

Paul Evans is a Product Line Manager for End-User Computing at VMware. He has over 10 years of experience in the device management space, formerly at AirWatch, and currently has a focus on modern desktop management.