Implementing Workspace ONE Intelligence
Introduction
With so much data available to IT admins managing modern, mobile workstyles—and no single tool to make sense of it—IT is faced with a huge challenge to manage the digital workspace. The lack of unified visibility across devices, applications and users makes it particularly hard to make data-driven decisions. As a result, manual processes become the norm, and IT is cornered into being reactive to employee demands and external events instead of being proactive.
Deep insights empower IT admins to better plan and optimize their app and policy deployments based on network performance, resource entitlement and deployment risk. And with the ability to automate processes, IT admins can proactively increase their level of security hygiene and meet compliance requirements, while improving user experiences.
With the new rules engine at the heart of Workspace ONE Intelligence, IT admins can automate processes across their environments by defining rules that take actions based on a rich set of parameters. This allows IT to create contextual workflows that take automated remediation actions based on security threats, and meet compliance requirements through automated access control. And because Workspace ONE Intelligence provides extensibility with an API layer for third parties, IT admins can build workflows that leverage their unique environment to meet their needs.
With automation, Workspace ONE Intelligence helps IT meet compliance requirements and increase security through automated remediation.
Prerequisites
Before you can perform the procedures in this exercise, you must complete the following tutorials:
You must also satisfy the following requirements:
- Workspace ONE UEM Console v9.2 and later.
- Customer-level Organization Group.
- For shared and dedicated SaaS, contact your support representative to set up Custom Reports and Workspace ONE Intelligence.
- Internal network access to the Workspace ONE UEM Database. The port used is based on your Workspace ONE UEM deployment.
- Admin role with Custom Reports and Intelligence permissions. For information about admin roles and how to access, create, and compare them, see Admin Roles in the VMware AirWatch Mobile Device Management Guide in VMware Workspace ONE UEM Documentation.
- Unenrolled Windows 10 device or virtual machine.
This exercise requires certain account credentials. Note the account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.
Workspace ONE UEM Credentials | |
---|---|
Base URL | https://labs.awmdm.com |
API Username | <Your VLP Email> |
API Password | VMware1! |
Intelligence Opt-in Process
The first step to start using Workspace ONE Intelligence is to authorize the data synchronization between Workspace ONE UEM and the Intelligence Cloud Service. This is done through the Opt-in Process, which needs to be performed by someone with administrator privileges in Workspace ONE UEM.
1. Access to Intelligence

In the Workspace ONE UEM Console,
- Click HUB.
- Click Intelligence.
2. Getting Started

Click GET STARTED to initiate the Opt-in process.
3. Authorizing Intelligence to collect and replicate the data (Opt-In)

- You may need to scroll down to find the Opt In button.
- Enable the Opt In checkbox.
- Click Next.
4. Complete the Terms of Service
This is the final step of the Opt-in Process, where you provide your information and accept the VMware Cloud Services TERMS OF SERVICE.
- Enter your Name
- Enter your Email Address
- Enter your Title
- Enter your Company Name
- Enter your Company Address
- Click Accept
After accepting, you will be redirected to the Workspace ONE Intelligence Console.
6. Enter the details for 30 Day trial
- Enter your Name.
- Enter your Email Address.
- Enter your Job Title.
- Enter your Company Name.
- Enter your Phone Number.
- Click Accept.
7. Returning to Workspace ONE UEM Console
In order to execute this lab properly, you need to set up the Workspace ONE UEM Automation Connector between Workspace ONE UEM and Intelligence.
Let's return to the Workspace ONE UEM Console where the first setup needs to be made.
- Click on the Square menu
- Click on Workspace ONE UEM Console
Enrolling Your Windows 10 Device with a Basic Account
Next, enroll your Windows 10 device in Workspace ONE UEM. First, download the Workspace ONE Intelligent Hub. You also need a Group ID to complete enrollment. See Retrieving the Group ID from Workspace ONE UEM Console.
1. Download the Workspace ONE Intelligent Hub on the Windows 10 Device

From a new tab in the browser,
- Enter https://www.getwsone.com in the navigation bar and press Enter.
- Click Download Hub for Windows 10.
  NOTE: Wait until the Workspace ONE Intelligent Hub installer finishes downloading.
- Click Keep when warned about the AirWatchAgent.msi download.
  NOTE: If you do not see the warning about the AirWatchAgent.msi file, continue to the next step.
2. Launch the Workspace ONE Intelligent Hub Installer

Click the AirWatchAgent.msi file in your download bar.
NOTE: The installer may take a few seconds to launch. Be patient after clicking the AirWatchAgent.msi file.
3. Click Run

Click Run to proceed with the installation.
3.1. Accept the Default Install Location

Leave the default install location and click Next.
NOTE: The Next button may take several seconds to enable while the required additional features are installed.
3.2. Accept the License Agreement

- Select I accept the terms of the license agreement.
- Click Next.
3.3. Start the Workspace ONE Intelligent Hub Install

Click Install to start the installer.
3.4. Allow the Workspace ONE Intelligent Hub Installer to Run (IF NEEDED)

If prompted to allow the app to make changes on your device, click Yes.
3.5. Complete the Workspace ONE Intelligent Hub Installer

Click Finish to complete the Workspace ONE Intelligent Hub installer.
NOTE: After you click Finish, the Native Enrollment application launches to guide you through enrolling into Workspace ONE UEM. It will take around 45-60 seconds to launch the agent.
4. Enroll Your Windows 10 Device Using the Workspace ONE Intelligent Hub

Click Server Detail.
4.1. Enter the Server Details

- Enter the Server Name, for example, labs.awmdm.com.
- Enter Your Group ID for the Group ID field. See Retrieving the Group ID from Workspace ONE UEM Console.
4.2. Enter Your User Credentials

- Enter your Username, for example, testuser.
- Enter the Password, for example, VMware1!.
- Click Next.
NOTE: Wait while the server checks your enrollment details.
4.3. Workspace ONE Application Launch
If your Workspace ONE UEM and VMware Identity Manager environments are linked, the Workspace ONE Application automatically opens after enrollment is complete. Click Close.
4.4. Finish the Workspace ONE UEM Enrollment Process

Click Finish to end the Enrollment process. Your Windows 10 device is now successfully enrolled into Workspace ONE UEM.
Data Visualization through Dashboards
Dashboards are a powerful tool in Workspace ONE Intelligence that allows IT administrators to build a rich visualization of the data available. Most of the time reports are the primary source of data representation and provide helpful information. However, using charts or graphs to visualize large amounts of complex data is easier than poring over spreadsheets or reports.
Data Visualization can also:
- Identify areas that need attention or improvement.
- Clarify which factors influence employee adoption of specific applications.
- Help you understand how secure your environment is, based on the OS updates applied to the machine and the new patches available.
- Predict hardware failures.
- Etc.
Workspace ONE Intelligence provides one out-of-the-box dashboard that includes nine widgets, which you can customize as you want.
In this chapter you will add a new widget based on historical information showing enrollment over the last 14 days. This differs from the current widget on the standard dashboard, which only shows the number of enrollments today and the total over time.
1. Launch Intelligence Console

- Click HUB
- Click Intelligence
- Click Launch
2. Add Widget

- Click on My Dashboard
- Click on Add Widget
3. Selecting Category
When adding widgets, the first step is to select the category from which you want to obtain data. The data can be a snapshot of the most recent data, or historical data that you can examine over time and represent in charts.
Each category comes with a set of templates that can be customized as you create the widget, or you can start from scratch using the Starter/blank template.
- Click Devices
- Select Total Enrollments template
- Select Next
4. Using Total Enrollments Template

The default template shows the number of devices enrolled today.
Based on that template you will learn how to make changes that show enrollment over time, looking at the historical data.
5. Creating Total Enrollments Over time Widget

- Scroll down until you see the option for Data Visualization
- Enter Total Enrollments Over time for Chart Title
- Click Historical
- Click Line for Chart Type
- Enter Platform for by Group
- Set Last 14 Days to Date Range
- Click Save
Note: The above chart is an example based on a certain amount of data. Your chart will be based on your current number of devices, so the results will differ.
6. Setting Widget location and sizing on the Dashboard

The Widget has been added to the bottom of your dashboard.
- You can move the widget around by clicking and holding on the Chart tile.
- You can also resize the widget by selecting the edges and dragging.
Getting Insights through Reports
Reports are a powerful tool in Workspace ONE Intelligence that gives IT administrators easy access and visibility into device, application and OS update data. Reporting is scalable and does not impact the performance of the entire solution when you have a lot of data or run many reports daily.
All the data synced by the Workspace ONE Intelligence Connector (ETL service) is available through reports. After opt-in on Intelligence, the ETL service pushes all the data available in the AirWatch database and after that just the delta. The delta is based on device samples sent to Workspace ONE UEM.
In this chapter you will learn how to create reports that can drive business decisions, help to mitigate issues and automatically share information with other departments.
1. Creating Device Report

- Click Reports
- Click Add Report
2. Selecting Report Category
When creating reports, the first step is to select the category from which you want to obtain data. The columns to display and to use as filters in the report depend on that choice.
The categories available today are:
- Apps
- Devices
- OS Updates
Each category comes with a set of templates that can be customized as you create the report, or you can start from scratch using the Starter/blank template.

Feel free to click on each category and check the templates available for each. In this module we will create two reports, one based on the Devices category and the other based on OS Updates.
- Click Devices
- Select Enrolled Devices
- Click Next
3. Customizing Report Filter
The Enrolled Devices template creates a report with pre-defined columns that is filtered to enrolled devices only. Right below, you can see a preview of the report based on live data.

- Click + to add a new filter
- Enter Platform for the field
- Select Includes for the filter type
- Enter WinRT, Android and Apple for the value field
The Report Preview will show the number of Windows devices enrolled at this point.
Note: The report preview result is an example based on a certain amount of data. Your report results will be based on your current number of devices, so they will differ.
4. Customizing Report Columns

You can easily add or remove columns from the report. To start:
- Scroll down until you see the option Report Preview
- Click Edit Columns
5. Selecting Columns
- Select the following columns: Available Capacity, Available Physical Memory, BIOS Version and Battery Percent
- Click ADD
6. Changing Columns Order
- Select the four columns you just added, clicking on each one
- Click Down button four times
- Click Save
7. Preview with new columns

- New columns have been added to the report and are available in the Report Preview.
- Click Next
8. Saving the Report
- Enter Windows, Android and Apple Enrolled Devices for the Report name
- Enter All enrolled Windows, Android and Apple devices with details for the Description
- Check Run Report now. That will generate a CSV file and make it available for download. We will review that later in this chapter.
- Click Save
9. Report Preview
Click Overview
A preview of the report will show up based on the conditions previously defined. This report is part of the list of reports available. The EDIT option allows you to make changes to the report.
10. Downloading Report

- Click Downloads
- Click on the Refresh Icon
- Validate that the status is now Completed
- Click Download link to download the report in CSV format
- Validate that report gets downloaded in the CSV format.
11. Adding Schedule Report
Requests for reports are quite common in every organization. Most of the time marketing, purchasing, HR and other departments request some type of report regarding their Digital Workspace to be sent weekly, monthly or at some other interval. Workspace ONE Intelligence allows reports to be scheduled, which runs the report and sends it via e-mail to a list of people or a distribution list defined by the IT administrator.

- Click Schedules
- Click ADD
12. Configuring Report Schedule

- Enter Windows, Android and Apple Enrolled Devices for Schedule Name
- Select Monthly for Recurrence
- Select 1 for Day of the Month
- Enter 08:00 AM for Starts At
- Set 12/31/2018 as the End date
- Enter your company e-mail and press ENTER
- Enter Windows, Android and Apple Enrolled Devices for Subject
- Enter Monthly report containing the list of Windows Desktop, Android and Apple devices managed by Workspace ONE UEM for Message
- Click SCHEDULE
Integrating Automation and Workspace ONE UEM API
1. Returning to Workspace ONE UEM Console
- Click on the Square menu
- Click on Workspace ONE UEM Console
2. Access All Settings

- Click Groups & Settings
- Click All Settings
3. Enable Workspace ONE UEM API
In this step you obtain the API Key for your tenant, which you later use in the Workspace ONE Intelligence Console. To keep that information, we recommend that you open Notepad on your Windows desktop and copy and paste the API Key there. You can also just copy it using CTRL+C, but remember that you will use the API Key value right after this step. See the steps below on how to obtain the API Key.
5. Save API Key

- Click the Windows button.
- Type Notepad to search.
- Click Notepad from the list of results.
5.1. Enable Word Wrap

- Click Format.
- Click Word Wrap.
5.2. Paste the Session Token

Right-click and click Paste.
If you need to refer back to your API for future steps, open your Notepad file and copy the sessionToken that is pasted here.
6. Return to Workspace ONE Intelligence Console

- Click HUB
- Click Intelligence
- Click Launch
9. Provide Credentials for Workspace ONE UEM Connector

- Click Provide Credentials
- Enter https://labs.awmdm.com for Base URL
- Enter YOUR VLP E-MAIL for API User Name
- Enter VMware1! for API User Password
- Enter the API Key that you just saved on your Notepad for Workspace ONE UEM Tenant Code API Key
- Click Connect
Predicting Windows 10 Dell Battery Failures and Automate Replacement
Employees are using Windows devices that no longer last a full work day without charging. It disrupts their workday, reduces mobility and increases dissatisfaction, and employees either seek remediation via the helpdesk or do nothing and end up keeping their laptops plugged in at all times.
How Workspace ONE Intelligence can help:
- Monitor Windows 10 Dell devices with poor battery health (overall remaining life of the battery) through Reports or Dashboards
- Create visualizations that proactively highlight users who are experiencing poor battery life
- As the battery life decreases, so does its maximum charge capacity
- Create automation to tag devices with poor battery life in Workspace ONE UEM to help with reporting and assignment, create a ServiceNow ticket with device info to order a new battery, and notify employees via Slack or email that a battery replacement is on its way
Key benefits: Reduce costs linked to user-generated support tickets or calls, and improve employee experience and productivity. Increase the lifespan of devices.
1. Creating Automation

Click Add Automation
3. Defining the conditions to Trigger the automation
- Under Filter, enter Dell Battery Replacement for Name
- Enter Dell Battery Health for the filter field
- Enter Less Than for the Condition
- Enter 25 for the field value
4. Adding Workspace ONE UEM Action
- Scroll down until you see the section Add Action
- Click on + sign to expand the options
- Click on Workspace ONE UEM API
- Click on Add Tag to Device
5. Configuring Action

- Enter 257 for Tag ID. That will tag the device in the Workspace ONE UEM Console as Needs battery replacement.
- Turn ON for Enable this automation after saving
- Click Save
6. Saving and Enabling Automation

- Click Save & Enable
7. Access to Automation Logs

The automation, which continuously looks for Dell devices that need battery replacement, has been created. View Logs shows the logs for each time this automation is triggered.
8. Viewing Automation Logs

For this lab the log is empty, because we enrolled a Windows VM and not a physical Windows 10 Dell device.
The above image shows a log example of multiple actions taken on different services.
For the example you just created, in a real-world deployment you could also set up a ServiceNow integration and create a helpdesk ticket that includes the user and device information, requesting that a new battery be shipped to the user's home.
Identifying Windows Devices Missing Critical OS Patches
InfoSec is requesting a list of the devices most at risk: those without specific KBs installed (Severe Security or Critical Windows Updates).
How Workspace ONE Intelligence will help:
- Create a Dashboard that shows in real time - all current devices that do not have each Critical KB installed
- Segment the data by model or OS version to see if there are certain models or OS versions that are most at risk
- Use automation to notify users to update their devices
- Monitor how many devices have been patched or upgraded across all Windows 10 devices
1. Adding Widget

- Click My Dashboard
- Click Add Widget
2. Creating Security Update Status Widget based on Template
- Click OS Updates
- Select Security Update Status
- Click Next
3. Defining the parameters for the Filters
On the first filter, change the values as below:
- Change the field to Windows Patch KB Number
- Change the condition to Equals
- Set the KB Number to 890830
- Click + to add a second filter
- Set the field to Windows Patch Update Status
- Change the condition to Does Not Include
- Select Installed
4. Configuring the Data Visualization
- Enter Windows Models without Spectre/Meltdown Patch
- Select Table as Chart Type
- Set the By Group to Model
- Click Add subgroup and set to OS Version
Feel free to change the Chart Type and try different types of visualization. Depending on the Chart Type, you may need to re-enter the Group fields.
The result shows the number of devices, grouped by Model and OS Version, that do not have the KB required to patch Spectre/Meltdown installed. Through this widget the IT administrator can now identify devices at risk.
5. Click Save to add the Widget to your Dashboard
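The widget's two filters and its Model / OS Version grouping can be reproduced offline against exported patch data, for example to cross-check the counts the dashboard shows. The following is an added example, not VMware code or part of the original tutorial; the row field names, device and model names, the second KB number and every status string other than Installed are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: one row per (device, KB) pair. Field names, device
# and model names, KB "1234567" and all statuses except "Installed" are
# assumptions for illustration, not the Workspace ONE Intelligence schema.
SAMPLE_ROWS = [
    {"device": "WIN-001", "model": "Model A", "os_version": "10.0.17134", "kb": "890830", "status": "Installed"},
    {"device": "WIN-002", "model": "Model A", "os_version": "10.0.17134", "kb": "890830", "status": "Available"},
    {"device": "WIN-003", "model": "Model A", "os_version": "10.0.16299", "kb": "890830", "status": "Failed"},
    {"device": "WIN-004", "model": "Model B", "os_version": "10.0.17134", "kb": "890830", "status": "Available"},
    # Other KB on the same device: must not pass the first filter.
    {"device": "WIN-004", "model": "Model B", "os_version": "10.0.17134", "kb": "1234567", "status": "Available"},
    # Repeated sample for WIN-002: the device must be counted once.
    {"device": "WIN-002", "model": "Model A", "os_version": "10.0.17134", "kb": "890830", "status": "Available"},
    # Untidy export values: stray whitespace and different letter case.
    {"device": "WIN-005", "model": "Model B", "os_version": "10.0.17134", "kb": " 890830 ", "status": "installed"},
]


def matches_widget_filters(row, kb_number="890830", excluded=("Installed",)):
    """Apply the widget's two filters to one exported row."""
    # Filter 1: Windows Patch KB Number Equals <kb_number>.
    kb_matches = row["kb"].strip() == kb_number
    # Filter 2: Windows Patch Update Status Does Not Include Installed.
    # Case and whitespace are normalized as a defensive choice for exports.
    excluded_norm = {s.casefold() for s in excluded}
    status_matches = row["status"].strip().casefold() not in excluded_norm
    return kb_matches and status_matches


def devices_missing_patch(rows, kb_number="890830"):
    """Group matching devices by Model, then by OS Version (the subgroup)."""
    grouped = defaultdict(lambda: defaultdict(set))
    for row in rows:
        if matches_widget_filters(row, kb_number):
            # A set keeps each device once even if it reported several samples.
            grouped[row["model"]][row["os_version"]].add(row["device"])
    return {
        model: {os_v: sorted(devs) for os_v, devs in sorted(by_os.items())}
        for model, by_os in sorted(grouped.items())
    }


def count_table(rows, kb_number="890830"):
    """Flatten the grouping into (model, os_version, device_count) rows,
    matching the Table chart type selected for the widget."""
    return [
        (model, os_v, len(devs))
        for model, by_os in devices_missing_patch(rows, kb_number).items()
        for os_v, devs in by_os.items()
    ]


if __name__ == "__main__":
    for model, os_v, count in count_table(SAMPLE_ROWS):
        print(f"{model:10} {os_v:12} {count}")
```

The per-group device lists returned by `devices_missing_patch` are the same population that the patch automation in the next step targets with identical filter conditions.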
5. Pushing Patches through Automation
Now that you have identified the devices at risk, we need to create an automated process that remediates the risk by pushing the correct patches to the devices.
5.1. Creating Automation

- Click Automation
- Click Add Automation
5.2. Selecting the Automation Category
- Click OS Updates
- Click Use Template
That step creates a new automation based on an empty template.
5.3. Configuring the Conditions
On the first filter, change the values as below:
- Enter Windows Patch Remediation (Spectre/Meltdown) for the Name of the Automation
- Change the field to Windows Patch KB Number
- Change the condition to Equals
- Set the KB Number to 890830
- Click + to add a second filter
- Set the field to Windows Patch Update Status
- Change the condition to Does Not Include
- Select Installed
- Scroll down
5.7. Save and Enable Action

Increasing Compliance Across Devices
In your organization, InfoSec and IT teams have to work together to quickly identify what their entire device basic policies are at any moment. Today, IT has to report whether all devices are in compliance with the recent policies defined by Governance.
How Workspace ONE Intelligence can help:
- Only one agent needed to gather and report on all of the numerous device states that InfoSec team cares about and understand devices at high risk
- Query entire environment to identify most at risk devices: compromised devices, no passcode, unencrypted devices and other top risks.
- Sort and segment these devices by OS
- Create rules that automatically quarantine “high risk” devices and remove access to sensitive data sources
- Use automation to enforce compliance by re-pushing down security policies: remove access to VPN/Wi-Fi, move the device to an org group with less entitlements and app access
Key benefits: Save time, no need to aggregate multiple reports from different sources, increase compliance across the environment, increase IT Ops efficiencies
1. Security Risk Dashboard

1. Click Security Risk under dashboards
2. Identifying Compromised Devices over time
This dashboard shows the number of devices that became compromised during the past 30 days. That can happen because the IT administrator defined compliance policies such as an app blacklist, device not seen in the past 24 hours, no passcode, etc.
3. Identifying Devices without passcode over time
The Passcode Risk dashboard shows specifically the number of devices without a passcode during the past 30 days. The IT administrator can identify these devices and take actions through Intelligence Automation, such as moving the device to quarantine, removing access to corporate data, etc.
4. Identifying Devices unencrypted over time
Devices without encryption represent a significant security risk, as many contain corporate files, and without encryption confidential information can land in the wrong hands, compromising the organization and its plans.
The Encryption Status dashboard shows the number of identified devices without encryption over the last 30 days. That information allows IT to review its policies and take several actions, such as enforcing encryption, blocking corporate access on all devices until the device is encrypted through Workspace ONE UEM, and others.