Implementing Workspace ONE Intelligence

In the Workspace ONE UEM Console,

1. Click HUB.
2. Click Intelligence.

Click GET STARTED to initiate the Opt-in process

1. You may need to scroll down to find the Opt In button.
2. Enable the Opt In checkbox.
3. Click Next.

This is the final step on the opt-in Process, where you will be providing your information and accept the VMware Cloud Services TERMS OF SERVICE

1. Enter your Name
2. Enter your Email Address
3. Enter your Title
4. Enter your Company Name
5. Enter your Company Address
6. Click Accept

After the accepting you will be redirect to the Workspace ONE Intelligence Console.

Click Start 30 Day Trial in the bottom-right corner.

1. Enter your Name.
2. Enter your Email Address.
3. Enter your Job Title.
4. Enter your Company Name.
5. Enter your Phone Number.
6. Click Accept.

In order to execute this lab properly, you need to setup the Workspace ONE UEM Automation Connector between Workspace ONE UEM and Intelligence.

Let's return to the Workspace ONE UEM Console where the first setup needs to be made.

1. Click on the Square menu
2. Click on Workspace ONE UEM Console

From a new tab in the browser,

1. Enter https://www.getwsone.com in the navigation bar and press Enter.
2. Click Download Hub for Windows 10.
   NOTE: Wait until the Workspace ONE Intelligent Hub installer finishes downloading.  
3. Click Keep when warned about the AirWatchAgent.msi download.

NOTE: If you do not see the warning about the AirWatchAgent.msi file, continue to the next step.

Click the AirWatchAgent.msi file in your download bar.

NOTE: The installer may take a few seconds to launch, be patient after clicking the AirWatchAgent.msi file.

Click Run to proceed with the installation.

Click Server Detail.

1. Click HUB
2. Click Intelligence
3. Click Launch

1. Click on My Dashboard
2. Click on Add Widget

When adding widgets, the first step is to select from each category you want to obtain data, which can be a snapshot of most recent data or historical that you can look into the data overtime and represent that into the charts.

Each category comes with a set of templates that can be customized as you create the widget, you can use start from scratch using Starter/blank template.

1. Click Devices
2. Select Total Enrollments template
3. Select Next

The default template show the amount of devices enrollment today.

Based on that template you will learn how to make changes that will show the enrollment overtime, looking at the historical data.

1. Scroll down until you see the option for Data Visualization
2. Enter Total Enrollments Over time for Chart Title
3. Click Historical
4. Click Line for Chart Type
5. Enter Platform for by Group
6. Set Last 14 Days to Date Range
7. Click Save

The Widget has been added to the bottom of your dashboard.

1. You can move the widget around, clicking and holding on the Chart tile
2. Also you resize the widget selecting the edges and dragging.

1. Click Reports
2. Click Add Report

When creating reports, the first step is to select from each category you want to obtain data, the columns to display and to be used as filter on the  report relays on that information.

The categories available today are:

• Apps
• Devices
• OS Updates

Each category comes with a set of templates that can be customized as you create the report, you can use start from scratch using Starter/blank template.

Feel free to click on each category and check the templates available to each, in this module we will create two reports, one based on Device Category and the other based on OS Updates.

1. Click Devices
2. Select Enrolled Devices
3. Click Next

The Enrolled Devices template creates a report with pre-defined columns and filtering only enrolled devices, right after you can see a preview of the report based on live data.

1. Click + to add a new filter
2. Enter Platform for the field
3. Select Includes for the filter type
4. Enter WinRT, Android and Apple for the value field

The Report Preview will show the number of Windows devices enrolled at this point.

You can easily add or remove columns from the report, to start:

1. Scroll down until you see the option Report Preview
2. Click Edit Columns

1. Select the following columns: Available Capacity, Available Physical Memory, BIOS Version and Battery Percent
2. Click ADD

1. Select the four columns you just added, clicking on each one
2. Click Down button four times
3. Click Save

1. New columns has been added to the report and are available on the Report Preview.
2. Click Next

1. Enter Windows, Android and Apple Enrolled Devices for the Report name
2. Enter All enrolled Windows, Android and Apple devices with details for the Description
3. Check the Run Report now - that will generata CSV file and make available for download - we will review that later in this chapter
4. Click Save

Click Overview

A preview of the report will show up based on the conditions previous defined, this report is part of the list of reports available. The EDIT option allow you to make changes on the report

1. Click Downloads
2. Click on the Refresh Icon
3. Validate that the status is now Completed
4. Click Download link to download the report in CSV format
5. Validate that report gets downloaded in the CSV format.

Requests for reports is something quite common in every organizations, most of the time marketing, purchased, HR and other departments request some type of report regarding their Digital Workspace to be send on weekly, monthly or sometime other time period. Workspace ONE Intelligence allow Reports to be schedule, which runs the report and send via e-mail to a list of people or distribution list defined by the IT Administrator.

1. Click Schedules
2. Click ADD

1. Enter Windows, Android and Apple Enrolled Devices for Schedule Name
2. Select Monthly for Recurrence
3. Select 1 for Day of the Month
4. Enter 08:00 AM for Starts At
5. Set 12/31/2018 as the End date
6. Enter your company e-mail and press ENTER
7. Enter Windows, Android and Apple Enrolled Devices for Subject
8. Enter Monthly report containing the list of Windows Desktop, Android and Apple devices managed by Workspace ONE UEM for Message
9. Click SCHEDULE

1. Click on Schedules
2. Confirm that your schedule has been added based on the parameters previous defined.

1. Click on the Square menu
2. Click on Workspace ONE UEM Console

1. Click Groups & Settings
2. Click All Settings

In this step you will obtain the API Key for your Tentant and later use on Workspace ONE Intelligence Console, to keep that information we recommend you to open Notepad on your Windows Desktop and copy/paste the API Key there, you can also just copy using CTRL+C, but reminder that right after this step you will be using the API Key value, see below the steps on how to obtain the API Key.

1. Click on System
2. Click on Advanced
3. Click on API
4. Click on REST API
5. Click Override, that will generate a new API Key and is required to Override the Customer OG when integrating with Workspace ONE Intelligence
6. Select the API Key for AirWatchAPI Service and right click Copy, switch to Notepad and right click to paste the API Key
7. Click Save
8. Click X to close the pop-up window

1. Click the Windows button.
2. Type Notepad to search.
3. Click Notepad from the list of results.

1. Click HUB
2. Click Intelligence
3. Click Launch

1. Under Reporting, click on Settings
2. For the option Automation Connection, select VIEW

Click Authorize for Workspace ONE UEM API

1. Click Provide Credentials
2. Enter https://labs.awmdm.com for Base URL
3. Enter YOUR VLP E-MAIL for API User Name
4. Enter VMware1! for API User Password
5. Enter the API Key that you just saved on your Notepad for Workspace ONE UEM Tenant Code  API Key
6. Click Connect

You should see DEAUTHORIZE on the Workspace ONE UEM Card, that confirms the integration was done successfully.

Click Add Automation

1. Click on Create a custom automation
2. Click Next

1. Under Filter, Enter Dell Battery Replacement for Name
2. Enter Dell Battery Health for the filter field
3. Enter Less Than for the Condition
4. Enter 25 for the field value

1. Scroll down until you see the section Add Action
2. Click on + sign to expand the options
3. Click on Workspace ONE UEM API
4. Click on Add Tag to Device

1. Enter 257 for Tag ID - that will tag the device on Workspace ONE UEM Console as Needs battery replacement
2. Turn ON for Enable this automation after saving
3. Click Save

1. Click Save & Enable

The automation that will always be looking for Dell Devices that needs battery replacement has been created, the View Logs shows the logs for each time this automation is triggered. 

For this Lab you will see the log Empty, as we enrolled a Windows VM and not a physical Windows 10 Dell device.

The above image shows you a log example of multiple actions taking on different Services.

For this example that you just created, in a real world you could also setup a Service Now integration, and create a Helpdesk ticket that includes the user and devices information, requesting to ship a new battery to the user home.

1. Click My Dashboard
2. Click Add Widget

1. Click OS Updates
2. Select Security Update Status
3. Click Next

On the first filter change the values as below:

1. Change the field to Windows Patch KB Number
2. Change the Equals
3. Set the KB Number to 890830
4. Click + to add a second filter
5. Set the field to Windows Patch Update Status
6. Change to Does Not Include
7. Select Installed

1. Enter Windows Models without Spectre/Meltdown Patch
2. Select Table as Chart Type
3. Set the By Group to Model
4. Click Add subgroup and set to OS Version

Feel free to change the Chart Type and play with different types of visualization, depending on the Chart Type you may need to reenter the Group fields.

The result shows the amount of Devices grouped by Model and OS version that doesn't have installed the KB required to patch Spectre/Meltdown - IT administrator now can identify through this widget devices at risk.

5. Click Save to add the Widget to your Dashboard

Now that you have identified the devices at risk, we need to create an automated process tha will remediate that pushing the correct patches to the devices.

You can monitor the execution of this action through the Workspace ONE Intelligence Console.

1. Click on "..." for the Automation you just created
2. Click View Logs

The Automation Log screen will show up with the list of devices targeted by this automation. 

1. Click Security Risk under dashboards

This dashboard shows the number of Devices that became compromised during the past 30 days, that can happen because IT administrator defined compliance policies like Apps blacklist, device not seen in the past 24 hours, no passcode, etc..

The Passcode Risk dashboard, shows specific the number of devices without passcode during the past 30 days. IT Administrator can identify these devices and take actions through Intelligence Automation, like move the device to quarantine, remove access to corporate data, etc..

Devices without encryption represents a significant security risk, as many contain corporate files and without encryption confidential information can land on wrong hands compromising the organization and their plans.

The Encryption Status dashboard shows the number of identified devices without encryption on the last 30 days, that information allows IT to review their policies and take several actions, like enforce encryption, block corporate access until the device is encrypted through Workspace ONE UEM in all devices and others.

The Top Risks dashboard presents the number of devices at Risks because they are not in compliance with one or more of the following policies.

• Anti-Virus disable (Windows 10)
• iCloud Enable (iOS)