Getting Started with Workspace ONE Intelligence Reports and Dashboards: Workspace ONE Operational Tutorial

Overview

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, explore the basics of VMware Workspace ONE® Intelligence™. Learn how to enable Workspace ONE Intelligence, use reports to gain insights, and use dashboards to help visualize data and enforce device compliance. 

Additionally, learn how to automate patch remediation for Windows devices based on missing critical OS patches and CVEs (common vulnerabilities and exposures).

Audience

This operational tutorial is intended for IT professionals and Workspace ONE UEM administrators of existing production environments.

Knowledge of additional technologies such as device management, analytics, APIs and VMware Workspace ONE® UEM is also helpful.

Getting Started with Workspace ONE Intelligence

Workspace ONE Intelligence is designed to simplify user experience without compromising security. The intelligence service aggregates and correlates data from multiple sources to give complete visibility into the entire environment. 

In this exercise, you opt-in to Workspace ONE Intelligence, retrieve the API service key, and integrate Workspace ONE Intelligence Automation Connectors with Workspace ONE UEM.

Prerequisites

Before you can perform the procedures in this activity, ensure you have the following components installed and configured:                  

  • Workspace ONE UEM 2005 or later – contact your support representative if Workspace ONE Intelligence Reports is not enabled in your environment.
  • For Workspace ONE UEM on-premises environments, you must install the Workspace ONE Intelligence Connector.  
  • Customer-level Organization Group. 
  • Admin role with Intelligence permissions. For more information, see Admin Roles.
  • Notepad++ with word wrap enabled (in Notepad++, select View > Word wrap).

This activity requires certain account credentials. Note the account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

Workspace ONE UEM Credentials

 

  • Base URL: https://test.awmdm.com
  • API Username: <Your welcome email>
  • API Password: VMware1!
  • Username: administrator
  • Password: VMware1!

 

Logging in to the Workspace ONE UEM Console

To log in to the Workspace ONE UEM console, perform the following steps:

  1. Navigate to the environment URL of your Workspace ONE UEM console. For example, https://test.awmdm.com.
  2. Enter your username and password for the environment, then click Log In.

For more information, see Logging in to the Console.

Accessing Workspace ONE Intelligence

After you have met the requirements, you are ready to enable Workspace ONE Intelligence.

  1. In the Workspace ONE UEM console, navigate to Monitor > Intelligence.
  2. Select Opt-in, and select Launch after installing the Workspace ONE Intelligence Connector service.

For more details, see Access Workspace ONE Intelligence.

If you already have an Intelligence environment enabled and data already flowing in, skip to the next activity.

Retrieving the Workspace ONE UEM API Key

After you have accessed Workspace ONE Intelligence, you can retrieve the Workspace ONE UEM API key.

  1. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > System > Advanced > API > REST API.
  2. Copy the API server key to Notepad++.

Logging in to the Workspace ONE Intelligence Console

To perform most of the steps in this tutorial, you must log in to the Workspace ONE Intelligence console. Now that you have opted in to the service, you can launch the Intelligence console from the Workspace ONE UEM console.

  1. From the Workspace ONE UEM console, navigate to Monitor > Intelligence and click Launch.
    Note: You can launch Workspace ONE Intelligence only from a Customer type Organization Group. If you select a non-customer type Organization Group in the Workspace ONE UEM Console, the Monitor menu option will not be available.
  2. Confirm that the Workspace ONE Intelligence console is open.

Integrating Workspace ONE Intelligence Automation Connectors

After retrieving the AirWatch API service key, you are ready to integrate Workspace ONE Intelligence Automation Connectors with Workspace ONE UEM.

To take full advantage of Workspace ONE Intelligence, you need to configure at least one Automation Connector to enable Automation Actions in your environment.

Among the multiple available Connectors, the Workspace ONE UEM connector is key, as it enables Intelligence Automation to take actions against your organization's devices, apps, and OS updates.

Follow the steps to set up Integrations in Workspace ONE Intelligence, which allow API communication between Workspace ONE Intelligence and Workspace ONE UEM.

Using Reports to Gain Insights

After enabling Workspace ONE Intelligence, you are ready to explore its basic capabilities. In this exercise, you learn how to create reports that can mitigate issues, drive business decisions, and automatically share information with other departments.

Prerequisites

Before you can perform the procedures in this activity, you must meet the following requirements:

Creating Reports

In this activity, explore reporting capabilities by creating a report for enrolled devices. You will use a predefined template. For complete control of the report, use the Custom Report template to define your own criteria.

  1. In the Workspace ONE Intelligence console, click Reports.
    1. If this is your first time accessing the Reports section, click Get Started.
  2. Click Add > From Template.
  3. To select the Enrolled Devices template:
    1. Select Devices and then select the Status tag.
    2. Click Start for the Enrolled Devices template. Selecting this template creates a report about enrolled devices that displays data in pre-defined columns.
  4. To add a filter, perform the following steps:

    1. Under Filters, click the + icon to add a new filter.
    2. Enter platform in the first search field.
    3. Select Platform under Devices from the drop-down menu that appears.
    4. Select Includes from the Search for value drop-down menu.
    5. Select Apple iOS, Android, and Windows Desktop from the final drop-down menu.

      Note: You can manually type each platform name and press Enter to add them to the list.
      The platform list is based on devices available in your environment, so you might not see all three requested platforms in this activity.
  5. Scroll down to the Report Preview section and click Refresh Preview. Observe how your currently enrolled devices automatically populate in the preview.
    Note: The screenshot shown is from a test environment. Your report preview is based on your environment and will differ from the preview you see in the screenshot.
  6. To add report columns, perform the following steps:
    1. Under Report Preview, click the Edit Columns button.
    2. Scroll down to find the Devices section.
      Tip: You can click the arrows next to App Feedback and Apps to collapse these sections.
    3. Under Available Columns, select the following:
      1. Available Device Storage Capacity
      2. Available Physical Memory
      3. BIOS Version
      4. Battery Percent
    4. Click Add.
    5. Click Save.
      To change the column order on the report, use the Up and Down buttons.
  7. Click Save to save the report.
  8. After the report saves, it is added to a list of available reports. Select the report that you want to review.
     
  9. From this view, you can configure additional management settings:

For more details, see Reports for Workspace ONE Intelligence.

Downloading Reports

After saving a report, you can almost immediately download it as a CSV file. In this activity, you download the CSV file for the Enrolled Devices report.

  1. To access the report's available downloads, select the Downloads tab.
  2. On the Downloads tab, click the Refresh icon and verify that the status is Completed.
  3. Click Download.
  4. Validate that a CSV of the Enrolled Devices report is downloaded.

Scheduling Reports

After saving a report, you can use scheduling to automate data collection and collaboration. In this activity, schedule the Enrolled Devices report to run on a monthly basis.

  1. Select Schedules and click Add.
  2. Configure the report schedule.
    The following is an example:
    1. Enter a Schedule Name. For example, Windows, Android, and Apple Enrolled Devices.
    2. For Recurrence, select Monthly.
    3. For Day of the Month, select 1.
    4. For Starts At, enter 08:00 AM.
    5. For Ends, select a future date such as 06/30/2028.
    6. Click Schedule.
  3. On the Schedules tab, confirm that the schedule matches the parameters you defined.
  4. To delete a report schedule, select the report and click Delete.

Using Dashboards to Visualize Data

Dashboards are a powerful tool in Workspace ONE Intelligence that supplement reporting capabilities with rich visualizations of available data. In this exercise, learn how to use dashboards to visualize data in Workspace ONE Intelligence.

Prerequisites

Before you can perform the procedures in this activity, you must meet the following requirements:

Customizing the Dashboard View

As a supplement to its reporting capabilities, the Workspace ONE Intelligence dashboard displays critical business data in an easy-to-consume visual summary. Within dashboards, the configurable widgets allow you to customize the data that displays. In this activity, add a widget that shows enrollment information from the past 14 days.

  1. In the Workspace ONE Intelligence console, select the Dashboards tab.
  2. A Getting Started page is shown the first time you access the Dashboards page. If displayed, click Get Started.
  3. Click Add > Custom Dashboard.

    1. Enter a dashboard name, such as My Devices.
    2. Enter an optional description for the dashboard.
    3. Click Save.
  4. Newly created dashboards, by default, have no information on them. You can add widgets to them and create custom dashboards to meet your business needs.
    Click Add Widget > From Template.

    1. Explore widget categories and templates. To begin creating a widget, you can select Custom Widget or select one of the built-in widgets by selecting the categories and tags. The list of categories is based on the integrations configured in your Workspace ONE Intelligence environment and may differ from the image you see in this activity. The available categories can include:
      • Apps
      • Authentication
      • Automations
      • Devices
      • Hub
      • Platform
      • Product
      • Security
      • Integration
      • Bookmarks

When you start with Workspace ONE Intelligence for the first time, you will see multiple categories.
Then, use the tag for each category to filter the customizable templates to define the content your widget displays. For complete control of the widget's content, use the Custom Widget template to define your own criteria.

Feel free to click on each category to see the templates available to each.

  1. Select the Devices category and select Enrollments.
  2. Click Start for the Total Enrollments template.
  3. To create a snapshot of total enrollments over time, configure the template as follows:
    1. Update the name to Total Enrollments Over Time.
    2. Select Historical.
    3. For Chart Type, select Line.
    4. For by Group, enter Platform.
    5. Set the Date Range to Last 14 Days.
    6. Click Save.

After configuring the Total Enrollments Over Time widget, you can manage how it displays on your dashboard. In this activity, modify your dashboard view by repositioning and expanding the Total Enrollments Over Time widget.

By default, the new widget appears at the bottom of your dashboard. Because this is the first widget on this dashboard, it will be at the top.

  1. Customize the Dashboard:
    1. Click Total Enrollments Over Time (the chart title) and drag the widget to a new location on your dashboard.
    2. Click and drag the corners of the widget to change the width or height of the Total Enrollments Over Time widget.
    3. After you are satisfied with the position and size of the widget, click Save.
  2. Click Save to save the dashboard layout.

For more details, see Dashboards in Intelligence.

Using Dashboards to Enforce Device Compliance

In addition to its standard dashboards, Workspace ONE Intelligence also provides a set of security-focused dashboards. These dashboards query the entire environment to identify the most at-risk devices: compromised devices, passcode-less devices, unencrypted devices, and others. In this activity, learn how Security Risk dashboards in Workspace ONE Intelligence can help you enforce device compliance and mitigate risk.

Prerequisites

Before you can perform the procedures in this activity, you must meet the following requirements:

Increasing Compliance Across Devices

The Security Risk dashboards in Workspace ONE Intelligence gather reports on numerous device states and quickly identify high-risk devices. In this activity, you explore the following Security Risk dashboards in Workspace ONE Intelligence: Threats Summary, Compromised Devices, Policy Risks, and Vulnerabilities.

  1. In the Workspace ONE Intelligence console, navigate to Dashboards > Intelligence Dashboards > Security Risk.
  2. View the Threats Summary dashboard.

    The Threats Summary dashboard appears by default and displays the number of threats reported by the Trust Network solutions that are integrated into your environment.

    Workspace ONE Intelligence integrates with several endpoint security solutions that report threats such as anomalies, malware, policy violations, suspicious network activity, and so on. The Trust Network solutions report threats into Intelligence almost immediately, and you can navigate through each data point to identify the threats and the devices impacted by each threat.

    Scroll down to the Compromised Devices chart.
  3. View the Compromised Devices dashboard.
    The Compromised Devices dashboard appears by default and displays the number of devices that were reported as compromised in the past 30 days. A device becomes compromised when it is in violation of the compliance policies defined by the IT administrator. Common compliance policies include deny-listed apps, devices not seen in the past 24 hours, no passcode, and more.
  4. Select Policy Risks to view the number of passcode-less devices detected in the past 30 days.
    Then, after you understand the scope of the issue, use automation to mitigate the risk. For example, you can create a rule to automatically move a passcode-less device to quarantine, or remove its access to corporate data.
  5. Scroll down to Unencrypted Devices. This chart shows the total number of unencrypted devices identified on a daily basis by Workspace ONE Intelligence.
    1. Point to the data points for additional details about the number of devices per platform.
    2. Click View to obtain a detailed list of devices.
    3. Click Security Risk: Policy Risks to return.
  6. Select the Vulnerabilities tab to view the number of vulnerable devices in the last 30 days.
    Without encryption, confidential information is unprotected, and can easily land in the wrong hands. To mitigate this risk, create policies to enforce device encryption. For example, you can create a policy to block corporate access until the device is encrypted through Workspace ONE UEM.

For more information, see Security Risk Dashboard.

Automating Patch Remediation

Identifying security risks across all Windows devices is a challenge, particularly when those devices are not managed. However, combining device management capabilities with Workspace ONE UEM allows IT administrators to report and approve patch deployment using Workspace ONE UEM.

In an environment with thousands of devices, patches being released on a weekly basis, and distributed responsibility between IT and InfoSec teams, it is crucial to provide unified visibility and real-time data to drive accurate decisions and minimize any security risk to the business.

Workspace ONE Intelligence integrates with Workspace ONE UEM to provide that unified visibility and real-time data. In addition, Intelligence brings automation workflows that allow IT to automate the patch approval process and continue monitoring the environment.

In this exercise, you identify the multiple Windows OS Versions and patches deployed across your environment, identify Windows devices that are missing critical OS patches, use automation to push the correct patches to the corresponding devices, and then monitor the remediation process.

Note: Before you begin, you must have an enrolled Windows device.

Identifying Windows Devices Missing Critical OS Patches

In this activity, use the OS Updates dashboard to view details about OS versions deployed and patch status across all managed Windows devices.

  1. In the Workspace ONE Intelligence console, navigate to Dashboards > Intelligence Dashboards > OS Updates.

  2. Click View Dashboard for one of the cards, for example, Windows Desktop.

    The OS Updates dashboard shows how heterogeneous the environment is based on the number of OS versions available on your environment per platform.
    The dashboard only shows the cards based on the current devices managed in your environment. For this exercise, if you enroll only one Windows device, it only shows one card.
  3. Explore devices by OS version.
    The OS Versions dashboard includes the Number of Devices by OS Version chart, which allows you to understand the number of OS versions across the managed Windows devices in your organization.

  4. Select Patches to find the Number of Patches by Update Status chart. This chart helps you to focus and prioritize which available and failed patches must be installed as soon as possible.
  5. Click the Available bar and then click View to see a list of OS updates available to install per device. This list includes all the devices and related available OS updates. The column Windows Patch Update Classification can help you to prioritize which patches must be installed first to improve device security and minimize risk for the organization.

  6. Filter for a specific Windows patch (KB).
    For the purpose of this exercise, use KB 4503308 to automate the deployment. If you don't have KB 4503308 in your environment, choose another available KB and use that as the reference for this exercise.

    1. Click Edit.
    2. Enter Windows Patch KB Number.
    3. Enter 4503308.
    4. Click Apply.
  7. Review devices that require a patch and its status.
    As a result, you can see the number of devices requiring that specific patch and the last time those devices reported an update status related to the patches.
    On the top chart, two devices report to be missing that patch. On the bottom chart, you can see when each device reports the status related to that specific patch.

Using Automation to Remediate Patches

After identifying the devices at risk, create an automated process that pushes the correct patches to the devices.

  1. Navigate to Automations > Intelligence Automations > Workflows.
  2. Click Add > Custom Workflow.
  3. Select Workspace ONE UEM > Devices.
  4. Define Automation settings. For the purpose of this exercise, use KB4503308 to automate the deployment.
    1. Enter a name for the automation. For example, Windows Patch Remediation.
    2. Under Filter (If), select Windows Patch KB Number.
    3. Select Equals.
    4. Enter the KB Number 4503308.
    5. Click + to add a second filter.
    6. Select Windows Patch Update Status.
    7. Select Includes.
    8. Select Available.

    Based on the filter conditions, Intelligence reports the number of devices where patch 4503308 is not installed. Click View to see the filter results.
  5. Add an Action.
    1. Scroll down to the Action (Then) section, and click the + icon.
    2. Select Workspace ONE UEM from the available connections.
    3. Scroll down and select the Approve Patch action.
  6. Define Action Settings:
    1. For Revision ID, enter ${airwatch.windowspatch.winpatch_revision_id}. This will automatically assume the KB number from the filter condition.
    2. Click the toggle to enable automation.
    3. Click Save.
  7. Click Save & Enable.
  8. Confirm that your automation has been created and that it has a status of Enabled.

Monitoring Patch Remediation

After you have enabled an action, you can monitor its execution in the Workspace ONE Intelligence console. In this activity, you walk through monitoring the patch remediation action you just created.

  1. To review the logs, click View on the Windows Patch Remediation (Spectre/Meltdown) action.
  2. Select the Activity tab. The log data for automation actions is displayed in this section.
  3. Review the Activity logs. The activity list shows the log data of automation actions taken per OS update. You can click each Target Identifier link to obtain the device details on each action.
  4. Return to the Workspace ONE UEM console.
  5. In the Workspace ONE UEM console, validate the patch status change triggered by the Workspace ONE Intelligence automation.
    1. Click Devices.
    2. Click List View.
    3. Click the Device Name for your enrolled device.
  6. Validate patch approval status.
    1. Click Updates.
    2. Enter KB4503308 in the search box and press Enter.
    3. Look for KB4503308; its status should have changed to Approved.
  7. Log in to the enrolled Windows device that just had a patch approved and validate whether Windows Update is downloading.
    1. Navigate to Windows Start > Settings > Update & Security.
    2. From Windows Update, you can follow the status (downloading, pending restart, installed) of all approved patches. Some patches might require a machine restart.
  8. Return to the Workspace ONE UEM console to force the device to check-in and query the device OS updates data.
    1. Navigate to Devices > List View and select your Windows device.
    2. Navigate to More Actions > OS Updates.
    3. To check the logs, navigate to More > Troubleshooting.
    4. You will see logs noting Available OS Update requested when the task is triggered, and Available OS Updates confirmed when the details are reported.
    5. Click Refresh if needed to check the logs again for both events.

Automating Patch Remediation Based on CVE

Security Risk analysis provides visibility into all vulnerabilities, correlating Microsoft KBs with Common Vulnerability and Exposure (CVE) and Common Vulnerability Scoring System (CVSS) into a unified view to help you to make decisions based on real-time information. In addition, learn how to remediate those vulnerabilities through automation and create dashboards to monitor the remediation.

In this exercise, you explore the Vulnerabilities dashboard. This dashboard provides visibility into the impact of vulnerabilities that are reported through Common Vulnerabilities and Exposures (CVEs) and correlated to the existing patches on each of your managed Windows devices.

Note: Before you begin, you must have an enrolled Windows device.

Identifying Vulnerabilities on Managed Windows Devices

In this activity, you use the Vulnerabilities dashboard to view a list of vulnerabilities, retrieve details on those vulnerabilities, and search for and explore CVE details.

  1. On the Workspace ONE Intelligence console, navigate to Dashboards > Intelligence Dashboards > Security Risk > Vulnerabilities.
  2. Navigate through the vulnerabilities listed. Each vulnerability card shows the number of devices impacted by the CVE and if the patch has been installed.
  3. Identify a critical CVE that impacts a high number of devices and copy the number to Notepad++. For example, CVE-2020-0687.
  4. To obtain detailed information from NIST and Microsoft, navigate to Learn More > NIST Article or Microsoft Advisory.
  5. Review Vulnerable Devices based on CVSS Score. This chart helps to prioritize patches based on the highest number of devices impacted. On the chart, you can see that most of the vulnerable devices in this environment are associated with patches that score 9.3. Based on the current scenario, the IT administrator can decide to patch those devices, which number close to 100, and minimize the security risk to the environment.
  6. Clicking one of the KBs represented on the high score bar provides more information. As a result, you obtain a list of patches and correlated devices impacted based on the CVSS Score previously selected.
  7. Scroll down to find the list of Vulnerabilities in table format, which allows you to search and order the results and, for each CVE, follow links to detailed information on the NIST and Microsoft websites.
    1. Use the search field to locate a specific CVE.
    2. Click the title bar to sort results based on CVSS Score, Published date, and Impacted number of devices, in ascending or descending order.
    3. Click the dot menu and select NIST Article or Microsoft Advisory. These websites provide more information about the related CVE.

Creating Automations

Automation in Workspace ONE Intelligence uses numerous parameters that trigger a workflow. You can customize the workflow to act on unique scenarios in your Workspace ONE environment.

In this exercise, you create an automated process that pushes the patches associated with the CVE to the devices and then you monitor this process in the logs.

  1. Navigate to Automations > Intelligence Automations > Workflows.
  2. Click Add > From Template.
  3. Search for the Approve Windows Update template and click Start.
    1. Enter the name of the Automation. For example, CVE-XXX-XXXX Approval, where XXX-XXXX refers to the CVE number identified in the previous activity.
    2. Enter Failed and Available for Windows Patch Update Status.
    3. Enter the CVE-XXX-XXXX for the CVE Id, where XXX-XXXX refers to the number of the CVE identified during the previous activity.


  1. Based on the defined conditions, Workspace ONE Intelligence provides real-time visibility on the impacted devices. Click View for a list of impacted devices.
  2. Explore the results.
    1. Use the drop-down arrow to change how the results are grouped.
    2. Select different chart types.
    3. Click the upper-right arrow to close the Filter Results.
  3. Based on the initial template, the Approve Patch has been defined as the first action.
    The Revision ID uses the lookup value ${airwatch.windowspatch.winpatch_revision_id}, which dynamically searches for all patches (KBs) associated to the CVE—this will generate a UEM API call to approve each KB.
  4. Save and Enable the workflow.
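
To check what the CVSS-based prioritization and the workflow filter above will select before the automation is enabled, the same logic can be run offline over an exported patch report. This is an added example, not VMware code: the CSV columns, device names, KB numbers, revision IDs, CVE IDs and scores are constructed placeholders, and grouping approvals by revision ID is an assumption based on the tutorial's statement that one approval call is generated per KB.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export, one row per (device, patch, CVE). Column names and
# all values are placeholders for illustration, not a documented Workspace ONE
# schema.
SAMPLE_CSV = """device_id,kb_number,revision_id,update_status,approval_status,cve_id,cvss_score
WIN-001,KB0000001,rev-a,Available,Unapproved,CVE-0000-0001,9.3
WIN-002,KB0000001,rev-a,Failed,Unapproved,CVE-0000-0001,9.3
WIN-003,KB0000001,rev-a,Installed,Approved,CVE-0000-0001,9.3
WIN-004,KB0000002,rev-b,Available,Approved,CVE-0000-0001,9.3
WIN-001,KB0000003,rev-c,Available,Unapproved,CVE-0000-0002,7.5
WIN-005,KB0000003,rev-c,Removed,Unapproved,CVE-0000-0002,7.5
WIN-002,KB0000004,rev-d,Available,Unapproved,CVE-0000-0003,9.3
"""

# Statuses the dashboard widget excludes ("Does not Include: Installed, Removed").
NOT_MISSING = {"installed", "removed"}
# Statuses the workflow template filters on ("Failed and Available").
WORKFLOW_STATUSES = {"failed", "available"}


def load_rows(text):
    """Parse the CSV export and normalise the fields used for filtering."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        row = {k: (v or "").strip() for k, v in raw.items() if k}
        row["cve_id"] = row["cve_id"].upper()
        row["update_status"] = row["update_status"].lower()
        row["approval_status"] = row["approval_status"].lower()
        row["cvss_score"] = float(row["cvss_score"])
        rows.append(row)
    return rows


def rank_cves(rows):
    """Rank CVEs by CVSS score, then by devices still missing a patch."""
    score = {}
    exposed = defaultdict(set)
    for r in rows:
        score[r["cve_id"]] = max(score.get(r["cve_id"], 0.0), r["cvss_score"])
        if r["update_status"] not in NOT_MISSING:
            exposed[r["cve_id"]].add(r["device_id"])
    ranked = [(cve, score[cve], len(exposed[cve])) for cve in score]
    return sorted(ranked, key=lambda t: (-t[1], -t[2], t[0]))


def workflow_scope(rows, cve_id):
    """Rows the workflow filter would match, grouped by patch revision ID."""
    wanted = cve_id.strip().upper()
    scope = defaultdict(set)
    for r in rows:
        if r["cve_id"] == wanted and r["update_status"] in WORKFLOW_STATUSES:
            scope[r["revision_id"]].add(r["device_id"])
    return {rev: sorted(devs) for rev, devs in sorted(scope.items())}


def tracking_counts(rows, cve_id):
    """Distinct-device counts for one CVE: vulnerable, unapproved, patched."""
    wanted = cve_id.strip().upper()
    match = [r for r in rows if r["cve_id"] == wanted]
    vulnerable = {r["device_id"] for r in match
                  if r["update_status"] not in NOT_MISSING}
    unapproved = {r["device_id"] for r in match
                  if r["update_status"] not in NOT_MISSING
                  and r["approval_status"] == "unapproved"}
    # A device counts as patched only if none of its rows is still missing.
    patched = {r["device_id"] for r in match
               if r["update_status"] == "installed"} - vulnerable
    return {"vulnerable": len(vulnerable),
            "needs_approval": len(unapproved),
            "patched": len(patched)}


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for cve, score, count in rank_cves(rows):
        print(f"{cve}  CVSS {score}  devices missing patch: {count}")
    target = rank_cves(rows)[0][0]
    for rev, devices in workflow_scope(rows, target).items():
        print(f"approve revision {rev} -> {', '.join(devices)}")
    print(tracking_counts(rows, target))
```

Comparing the device list from `workflow_scope` with the list shown by View in the console before clicking Save and Enable confirms the filter targets only the intended devices.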

Monitoring Automation Execution in the Logs

After you have enabled an action, you can monitor its execution in the Workspace ONE Intelligence console. In this activity, you walk through the logs and actions taken by the automation previously created.

  1. Click View on the automation you created and then select the Activity tab.
  2. Review the Automation Log screen that displays the list of devices targeted by this automation.
    1. A COMPLETED status shows for successful actions.
    2. An ERROR status shows for actions that reported errors during the API Intelligence call. The error details are also listed.
    3. Click the Target Identifier to view the device details.

Creating a Dashboard to Track CVE Information

After the automation has been enabled to start patching devices, you can create a dashboard to track the approval process as the automation remediates. You can track the approval progress for all devices and determine which devices are missing approvals, which devices are approved, and which devices are patched (meaning the KB is installed).

In this activity, you create a dashboard to track the progress of CVE remediation. This process includes creating and configuring a number of widgets to track vulnerable or impacted devices and patched or remediated devices.

  1. Navigate to Dashboards > Intelligence Dashboards > My Dashboards.
  2. Click Add > Custom Dashboard, enter a name for your dashboard and click Save.
  3. Click Add Widget > From Template.

    1. Search for the following template: Windows Devices Vulnerable to High CVE (CVSS >= 7).
    2. Click Start.
  4. Configure the widget as follows:
    1. Change the title to Vulnerable/Impacted Devices.
    2. Keep the default setting for Windows Patch Update Status / Does not Include / Installed, Removed. This filters only for devices missing the patch.
    3. Change the Common Vulnerability Severity Score filter to CVE Identifier List.
    4. Enter your CVE number, which is in the format CVE-XXXX-XXXX.
    5. Click Save.
  5. To adjust the widget size, click Customize, resize your widget by dragging the corners, and click Save.
  6. To duplicate a widget:
    1. Click the menu icon.
    2. Select Duplicate.
    3. Rename the widget to Vulnerable Devices Needing Patch Approval.
    4. Remove the Description.
    5. Click Save.
    6. Adjust the position and size of the new Widget and click Save on the Dashboard.
  7. On the Vulnerable Devices Needing Patch Approval widget, click the menu icon and select Edit.
  8. Configure the Vulnerable Devices Needing Patch Approval widget:
    1. Click the plus icon to add a new filter condition.
    2. Enter Windows Patch Approval Status.
    3. Enter Unapproved.
    4. Click Save.
  9. Create a widget for Vulnerable Devices Needing Patch Assignment:
    This new widget represents the count of devices that don’t have the KB patch installed and approved to remediate the CVE-XXXX-XXXX vulnerability.
    1. Duplicate the second widget created and rename to Vulnerable Devices Needing Patch Assignment.
    2. Edit the newly created widget and change the Windows Patch Approval Status to Does Not Include Installed.
    3. Add a filter with the following condition: Windows Patch Assignment Status / Includes / Unassigned.
    4. Click Save.
  10. Create a widget for Patched/Remediated Devices:
    The Patched/Remediated Devices widget shows the count of devices that have installed the KB patch (not necessarily approved or assigned) that remediates the CVE-XXXX-XXXX vulnerability.
    1. Duplicate the Vulnerable/Impacted Devices widget.
    2. Rename it to Patched/Remediated Devices.
    3. Edit the widget and change the values in the Windows Patch Update Status to Include Installed.
  11. Review the widgets you have created. The four widgets that you just created should all be aligned to the left. The numbers in your environment will differ and will be updated based on the patch process.

  12. Add a Security Update Status widget:
    The Security Update Status widget breaks down, by OS update status, all the devices that have a CVE-XXXX-XXXX record associated with the corresponding patch record. It shows which devices are patched, which devices are not, and why.
    1. Click Add Widget > From Template.
    2. Search for the Security Updates Status template and click Start.
  13. Configure the Security Update Status widget:
    1. Rename the Widget to Device Update Status for CVE-XXXX-XXXX.
    2. Replace the Windows Patch Update Classification filter with CVE Identifier List / Contains All Of / CVE-XXXX-XXXX. Replace CVE-XXXX-XXXX with your CVE number.
    3. Click Save.
  14. Organize your dashboard:
    Rearrange the dashboard as shown in the image.
    1. Duplicate the Device Update Status for CVE-XXXX-XXXX and name the new widget Number of Devices by Update Status and Approval Status.
    2. Click Edit for the new Number of Devices by Update Status and Approval Status widget.
  15. Configure the Number of Devices by Update Status and Approval Status widget:
    Keep the default filter settings.
    1. Select Table for the chart type.
    2. Add the following in Group by:
      1. CVE Identifier List
      2. Windows Patch KB Number
      3. Windows Patch KB Title
      4. Windows Patch Update Status
    3. Click Save.
  16. Review the final dashboard. Your final dashboard will look like the example shown. Over time, the dashboard will update based on the patch remediation progress initiated by Workspace ONE Intelligence.
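
The filter conditions behind the four count widgets and the step 15 table, modeled over constructed rows as an added example (not VMware's code and not an Intelligence export format). The row layout and the status values Available, Approved and Assigned are assumptions; the model also lists devices that match neither the Vulnerable/Impacted nor the Patched/Remediated filter, such as a device whose update status is Removed.

```python
from collections import Counter

CVE = "CVE-XXXX-XXXX"  # placeholder, as in the steps above
VULN, PATCHED = "Vulnerable/Impacted Devices", "Patched/Remediated Devices"
# Constructed rows, one per device/KB pair. The row layout and the values
# "Available", "Approved" and "Assigned" are assumptions for illustration.
_FIELDS = ("device", "cve", "kb", "update", "approval", "assignment")
ROWS = [dict(zip(_FIELDS, r)) for r in [
    ("WIN-01", CVE, "KB0000001", "Installed", "Approved", "Assigned"),
    ("WIN-02", CVE, "KB0000001", "Available", "Unapproved", "Unassigned"),
    ("WIN-03", CVE, "KB0000001", "Available", "Approved", "Unassigned"),
    ("WIN-04", CVE, "KB0000001", "Available", "Approved", "Assigned"),
    ("WIN-05", CVE, "KB0000001", "Removed", "Approved", "Assigned"),
    ("WIN-06", "CVE-YYYY-YYYY", "KB0000002", "Available", "Unapproved", "Unassigned"),
]]

def includes(field, *values):
    return lambda row: row[field] in values

def excludes(field, *values):
    return lambda row: row[field] not in values

_cve = includes("cve", CVE)
_missing = excludes("update", "Installed", "Removed")
WIDGETS = {  # filter conditions as configured in steps 4, 8, 9 and 10
    VULN: [_cve, _missing],
    "Vulnerable Devices Needing Patch Approval":
        [_cve, _missing, includes("approval", "Unapproved")],
    "Vulnerable Devices Needing Patch Assignment":
        [_cve, _missing, excludes("approval", "Installed"),
         includes("assignment", "Unassigned")],
    PATCHED: [_cve, includes("update", "Installed")],
}

def widget_devices(name):
    """Devices with at least one row passing every filter of the widget."""
    return {r["device"] for r in ROWS if all(f(r) for f in WIDGETS[name])}

def untracked_devices():
    """Devices with the CVE that neither VULN nor PATCHED counts."""
    with_cve = {r["device"] for r in ROWS if _cve(r)}
    return with_cve - widget_devices(VULN) - widget_devices(PATCHED)

def status_table():
    """Step 15 table (KB title omitted): rows per CVE, KB, update status."""
    return Counter((r["cve"], r["kb"], r["update"]) for r in ROWS if _cve(r))

if __name__ == "__main__":
    print({name: len(widget_devices(name)) for name in WIDGETS})
    print("untracked:", sorted(untracked_devices()))
```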

Summary and Additional Resources

This operational tutorial provided basic management steps for Workspace ONE Intelligence.

Procedures included:

  • Getting started with Workspace ONE Intelligence
  • Using reports to gain insights
  • Using dashboards to visualize data and enforce device compliance
  • Automating patch remediation

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

Changelog

The following updates were made to this guide:

Date          Description of Changes
2022/03/22    Guide was published.

About the Author

This tutorial was written by:

  • Andreano Lanusse, End-User-Computing Staff Architect, Technical Marketing, VMware.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.


 
