Implementing Workspace ONE Intelligence

Introduction

With so much data available to IT admins managing modern, mobile workstyles—and no single tool to make sense of it—IT is faced with a huge challenge to manage the digital workspace. The lack of unified visibility across devices, applications and users makes it particularly hard to make data-driven decisions. As a result, manual processes become the norm, and IT is cornered into being reactive to employee demands and external events instead of being proactive.

Deep insights empower IT admins to better plan and optimize their app and policy deployments based on network performance, resource entitlement and deployment risk. And with the ability to automate processes, IT admins can proactively increase their level of security hygiene and meet compliance requirements, while improving user experiences.

With the new rules engine at the heart of Workspace ONE Intelligence, IT admins can automate processes across their environments by defining rules that take actions based on a rich set of parameters. This allows IT to create contextual workflows that take automated remediation actions based on security threats, and meet compliance requirements through automated access control. And because Workspace ONE Intelligence provides extensibility with an API layer for third parties, IT admins can build workflows that leverage their unique environment to meet their needs.

With automation, Workspace ONE Intelligence helps IT meet compliance requirements and increase security through automated remediation.

Prerequisites

Before you can perform the procedures in this exercise, you must complete the following tutorials:

You must also satisfy the following requirements:

  • Workspace ONE UEM Console v9.2 and later.
  • Customer-level Organization Group. 
  • For shared and dedicated SaaS, contact your support representative to set up Custom Reports and Workspace ONE Intelligence.
  • Internal network access to the Workspace ONE UEM Database. The port used is based on your Workspace ONE UEM deployment.
  • Admin role with Custom Reports and Intelligence permissions. For information about admin roles and how to access, create, and compare them, see Admin Roles in the VMware AirWatch Mobile Device Management Guide in VMware Workspace ONE UEM Documentation.
  • Unenrolled Windows 10 device or virtual machine.

This exercise requires certain account credentials. Note the account information in the following table. The details provided in this table are based on a test environment. Your user account details will differ.

Workspace ONE UEM Credentials

  • Base URL: https://labs.awmdm.com
  • API Username: <Your VLP Email>
  • API Password: VMware1!

Intelligence Opt-in Process

The first step to start using Workspace ONE Intelligence is to authorize the data synchronization between Workspace ONE UEM and the Intelligence Cloud Service. This is done through the Opt-in Process, which needs to be performed by someone with administrator privileges in Workspace ONE UEM.

1. Access to Intelligence

In the Workspace ONE UEM Console,

  1. Click HUB.
  2. Click Intelligence.

2. Getting Started

Click GET STARTED to initiate the Opt-in process

3. Authorizing Intelligence to collect and replicate the data (Opt-In)

  1. You may need to scroll down to find the Opt In button.
  2. Enable the Opt In checkbox.
  3. Click Next.

4. Complete the Terms of Service

This is the final step of the opt-in process, where you provide your information and accept the VMware Cloud Services TERMS OF SERVICE.

  1. Enter your Name
  2. Enter your Email Address
  3. Enter your Title
  4. Enter your Company Name
  5. Enter your Company Address
  6. Click Accept

After accepting, you will be redirected to the Workspace ONE Intelligence Console.

5. Start the 30 Day Trial

Click Start 30 Day Trial in the bottom-right corner.

6. Enter the details for 30 Day trial

  1. Enter your Name.
  2. Enter your Email Address.
  3. Enter your Job Title.
  4. Enter your Company Name.
  5. Enter your Phone Number.
  6. Click Accept.

7. Returning to Workspace ONE UEM Console

To execute this lab properly, you need to set up the Workspace ONE UEM Automation Connector between Workspace ONE UEM and Intelligence.

Let's return to the Workspace ONE UEM Console where the first setup needs to be made.

  1. Click on the Square menu
  2. Click on Workspace ONE UEM Console

Enrolling Your Windows 10 Device with a Basic Account

Next, enroll your Windows 10 device in Workspace ONE UEM.  First, download the Workspace ONE Intelligent Hub.

1. Download the Workspace ONE Intelligent Hub on the Windows 10 Device

From a new tab in the browser,

  1. Enter https://www.getwsone.com in the navigation bar and press Enter.
  2. Click Download Hub for Windows 10.
    NOTE: Wait until the Workspace ONE Intelligent Hub installer finishes downloading.  
  3. Click Keep when warned about the AirWatchAgent.msi download.

NOTE: If you do not see the warning about the AirWatchAgent.msi file, continue to the next step.

2. Launch the Workspace ONE Intelligent Hub Installer

Click the AirWatchAgent.msi file in your download bar.

NOTE: The installer may take a few seconds to launch. Be patient after clicking the AirWatchAgent.msi file.

3. Click Run

Click Run to proceed with the installation.

3.1. Accept the Default Install Location

Leave the default install location and click Next.

NOTE: The Next button may take several seconds to enable while the required additional features are installed.

3.2. Accept the License Agreement

  1. Select I accept the terms of the license agreement.
  2. Click Next.

3.3. Start the Workspace ONE Intelligent Hub Install

Click Install to start the installer.

3.4. Allow the Workspace ONE Intelligent Hub Installer to Run (IF NEEDED)

If prompted to allow the app to make changes on your device, click Yes.

3.5. Complete the Workspace ONE Intelligent Hub Installer

Click Finish to complete the Workspace ONE Intelligent Hub installer.

NOTE: After you click Finish, the Native Enrollment application launches to guide you through enrolling into Workspace ONE UEM. It takes around 45-60 seconds to launch the agent.

4. Enroll Your Windows 10 Device Using the Workspace ONE Intelligent Hub

Click Server Detail.

4.1. Find your Group ID from Workspace ONE UEM Console

The first step is to make sure you know what your Organization Group ID is.  

  1. To find the Group ID, hover your mouse over the Organization Group tab at the top of the screen. Look for the email address you used to log in to the Workspace ONE UEM Console.
  2. Your Group ID is displayed at the bottom of the Organization Group pop-up window.

4.2. Enter the Server Details

  1. Enter the Server Name, for example, labs.awmdm.com.
  2. Enter Your Group ID for the Group ID field.  If you forgot your Group ID, check the previous steps on how to retrieve it.

4.3. Enter Your User Credentials

  1. Enter your Username, for example, testuser.
  2. Enter the Password, for example, VMware1!.
  3. Click Next.

NOTE: Wait while the server checks your enrollment details.

4.4. Workspace ONE Application Launch

If your Workspace ONE UEM and VMware Identity Manager environments are linked, the Workspace ONE Application automatically opens after enrollment is complete. Click Close.

4.5. Finish the Workspace ONE UEM Enrollment Process

Click Finish to end the Enrollment process.  Your Windows 10 device is now successfully enrolled into Workspace ONE UEM.

Data Visualization through Dashboards

Dashboards are a powerful tool in Workspace ONE Intelligence that allows IT administrators to build rich visualizations of the available data. Most of the time, reports are the primary source of data representation and provide helpful information. However, charts and graphs make large amounts of complex data easier to take in than spreadsheets or reports.

Data Visualization can also:

  1. Identify areas that need attention or improvement.
  2. Clarify which factors influence employee adoption of specific applications.
  3. Help you understand how secure your environment is, based on the OS updates applied to each machine and the new patches available.
  4. Predict hardware failures.
  5. Etc.

Workspace ONE Intelligence provides one dashboard out of the box. It includes nine widgets, and you can customize it as you want.

In this chapter you add a new widget based on historical information that shows enrollment over the last 14 days, unlike the current widget on the standard dashboard, which only shows the number of enrollments today and the total over time.

1. Launch Intelligence Console

  1. Click HUB
  2. Click Intelligence
  3. Click Launch

2. Add Widget

  1. Click on My Dashboard
  2. Click on Add Widget

3. Selecting Category

When adding widgets, the first step is to select the category from which you want to obtain data. The data can be a snapshot of the most recent data, or historical data that you can examine over time and represent in charts.

Each category comes with a set of templates that can be customized as you create the widget, or you can start from scratch using the Starter/blank template.

  1. Click Devices
  2. Select Total Enrollments template
  3. Select Next

4. Using Total Enrollments Template

The default template shows the number of devices enrolled today.

Based on that template, you will learn how to make changes that show enrollment over time, using the historical data.

5. Creating Total Enrollments Over time Widget

  1. Scroll down until you see the option for Data Visualization
  2. Enter Total Enrollments Over time for Chart Title
  3. Click Historical
  4. Click Line for Chart Type
  5. Enter Platform for by Group
  6. Set Last 14 Days to Date Range
  7. Click Save

Note: The chart above is an example based on a certain amount of data. Your chart is based on your current number of devices, so your results will differ.

6. Setting Widget location and sizing on the Dashboard

The Widget has been added to the bottom of your dashboard.

  1. You can move the widget around by clicking and holding the chart tile.
  2. You can also resize the widget by selecting its edges and dragging.

Getting Insights through Reports

Reports are a powerful tool in Workspace ONE Intelligence that gives IT administrators easy access to and visibility into device, application and OS update data. Reporting is scalable and does not impact the performance of the entire solution, even when you have a lot of data or run many reports daily.

All the data synced by the Workspace ONE Intelligence Connector (ETL service) is available through reports. After opt-in to Intelligence, the ETL service pushes all the data available in the AirWatch database and, after that, only the delta. The delta is based on device samples sent to Workspace ONE UEM.

In this chapter you will learn how to create reports that can drive business decisions, help to mitigate issues and automatically share information with other departments.

1. Creating Device Report

  1. Click Reports
  2. Click Add Report

2. Selecting Report Category

When creating reports, the first step is to select the category from which you want to obtain data. The columns to display and the fields available as filters in the report rely on that choice.

The categories available today are:

  • Apps
  • Devices
  • OS Updates

Each category comes with a set of templates that can be customized as you create the report, or you can start from scratch using the Starter/blank template.

Feel free to click each category and check the templates available for each. In this module we will create two reports, one based on the Devices category and the other based on OS Updates.

  1. Click Devices
  2. Select Enrolled Devices
  3. Click Next

3. Customizing Report Filter

The Enrolled Devices template creates a report with predefined columns that is filtered to enrolled devices only. Right after, you can see a preview of the report based on live data.

  1. Click + to add a new filter
  2. Enter Platform for the field
  3. Select Includes for the filter type
  4. Enter WinRT, Android and Apple for the value field

The Report Preview will show the number of Windows devices enrolled at this point.

Note: The report preview is an example based on a certain amount of data. Your report is based on your current number of devices, so your results will differ.

4. Customizing Report Columns

You can easily add or remove columns from the report. To start:

  1. Scroll down until you see the option Report Preview
  2. Click Edit Columns

5. Selecting Columns

  1. Select the following columns: Available Capacity, Available Physical Memory, BIOS Version and Battery Percent
  2. Click ADD

6. Changing Columns Order

  1. Select the four columns you just added by clicking each one
  2. Click the Down button four times
  3. Click Save

7. Preview with new columns

  1. The new columns have been added to the report and are available in the Report Preview.
  2. Click Next

8. Saving the Report

  1. Enter Windows, Android and Apple Enrolled Devices for the Report name
  2. Enter All enrolled Windows, Android and Apple devices with details for the Description
  3. Check Run Report now. This generates a CSV file and makes it available for download; we will review that later in this chapter
  4. Click Save

9. Report Preview

Click Overview

A preview of the report is shown based on the conditions previously defined. This report is now part of the list of available reports. The EDIT option allows you to make changes to the report.

10. Downloading Report

  1. Click Downloads
  2. Click on the Refresh Icon
  3. Validate that the status is now Completed
  4. Click Download link to download the report in CSV format
  5. Validate that the report is downloaded in CSV format.

11. Adding Schedule Report

Requests for reports are common in every organization. Most of the time marketing, purchasing, HR and other departments request some type of report about their Digital Workspace to be sent weekly, monthly or at some other interval. Workspace ONE Intelligence allows reports to be scheduled: the schedule runs the report and sends it by e-mail to a list of people or a distribution list defined by the IT administrator.

  1. Click Schedules
  2. Click ADD

12. Configuring Report Schedule

  1. Enter Windows, Android and Apple Enrolled Devices for Schedule Name
  2. Select Monthly for Recurrence
  3. Select 1 for Day of the Month
  4. Enter 08:00 AM for Starts At
  5. Set 12/31/2018 as the End date
  6. Enter your company e-mail and press ENTER
  7. Enter Windows, Android and Apple Enrolled Devices for Subject
  8. Enter Monthly report containing the list of Windows Desktop, Android and Apple devices managed by Workspace ONE UEM for Message
  9. Click SCHEDULE

13. Confirming Report Schedule

  1. Click on Schedules
  2. Confirm that your schedule has been added based on the parameters previously defined.

Integrating Automation and Workspace ONE UEM API

1. Returning to Workspace ONE UEM Console

  1. Click on the Square menu
  2. Click on Workspace ONE UEM Console

2. Access All Settings

  1. Click Groups & Settings
  2. Click All Settings

3. Enable Workspace ONE UEM API

In this step you obtain the API Key for your tenant, which you will use later in the Workspace ONE Intelligence Console. To keep that information, we recommend that you open Notepad on your Windows desktop and paste the API Key there. You can also just copy it using CTRL+C, but remember that you will use the API Key value right after this step. See below the steps on how to obtain the API Key.

5. Save API Key

  1. Click the Windows button.
  2. Type Notepad to search.
  3. Click Notepad from the list of results.

5.1. Enable Word Wrap

  1. Click Format.
  2. Click Word Wrap.

5.2. Paste the Session Token

Right-click and click Paste.

If you need to refer back to your API for future steps, open your Notepad file and copy the sessionToken that is pasted here.

6. Return to Workspace ONE Intelligence Console

  1. Click HUB
  2. Click Intelligence
  3. Click Launch

8. Setup Workspace ONE UEM Connector

Click Authorize for Workspace ONE UEM API

9. Provide Credentials for Workspace ONE UEM Connector

  1. Click Provide Credentials
  2. Enter https://labs.awmdm.com for Base URL
  3. Enter YOUR VLP E-MAIL for API User Name
  4. Enter VMware1! for API User Password
  5. Enter the API Key that you just saved in Notepad for Workspace ONE UEM Tenant Code API Key
  6. Click Connect

10. Validate Successful Authorization

You should see DEAUTHORIZE on the Workspace ONE UEM card, which confirms that the integration was done successfully.

Predicting Windows 10 Dell Battery Failures and Automate Replacement

Employees are using Windows devices that no longer last a full work day without charging. This disrupts their workday, reduces mobility and increases dissatisfaction. Employees either seek remediation through the helpdesk or do nothing and end up keeping their laptops plugged in at all times.

How Workspace ONE Intelligence can help:

  • Monitor Windows 10 Dell devices with poor battery health (overall remaining life of the battery) through Reports or Dashboards
  • Create visualizations that proactively highlight users who are experiencing poor battery life
  • As the battery life decreases, so does its maximum charge capacity
  • Create automation to tag devices with poor battery life in Workspace ONE UEM to help with reporting and assignment, create a ServiceNow ticket with device info to order a new battery, and notify employees via Slack or email that a battery replacement is on its way

Key benefits: Reduce costs linked to user-generated support tickets or calls, increase employee experience and productivity. Increase lifespan of devices.

1. Creating Automation

Click Add Automation

2. Select Automation Template

  1. Click on Create a custom automation
  2. Click Next

3. Defining the conditions to Trigger the automation

  1. Under Filter, Enter Dell Battery Replacement for Name
  2. Enter Dell Battery Health for the filter field
  3. Enter Less Than for the Condition
  4. Enter 25 for the field value

4. Adding Workspace ONE UEM Action

  1. Scroll down until you see the section Add Action
  2. Click on + sign to expand the options
  3. Click on Workspace ONE UEM API
  4. Click on Add Tag to Device

5. Configuring Action

  1. Enter 257 for Tag ID. This tags the device in the Workspace ONE UEM Console as Needs battery replacement
  2. Turn ON for Enable this automation after saving
  3. Click Save

6. Saving and Enabling Automation

  1. Click Save & Enable

7. Access to Automation Logs

The automation, which will always be looking for Dell devices that need battery replacement, has been created. View Logs shows the log entries for each time this automation is triggered.

8. Viewing Automation Logs

For this lab the log will be empty, because we enrolled a Windows VM and not a physical Windows 10 Dell device.

The image above shows an example log with multiple actions taken on different services.

For the example you just created, in a real-world deployment you could also set up a ServiceNow integration and create a helpdesk ticket that includes the user and device information, requesting that a new battery be shipped to the user's home.
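
The rule and action configured above (Dell Battery Health Less Than 25, then Add Tag to Device with Tag ID 257), written out as an added example; this is not VMware's code and not part of the original lab. The device field names, the environment variable names and the `/api/mdm/tags/{id}/adddevices` path with its `BulkValues` body are assumptions to confirm in your console's API help; the request is built but never sent.

```python
import base64
import json
import os
from urllib.request import Request

BATTERY_HEALTH_THRESHOLD = 25  # lab rule: Dell Battery Health "Less Than" 25
TAG_ID = 257                   # lab tag ID ("Needs battery replacement")

# Constructed sample records; the field names are assumptions of this example.
SAMPLE_DEVICES = [
    {"device_id": 1001, "battery_health": 18},
    {"device_id": 1002, "battery_health": 25},    # equal to the threshold: no match
    {"device_id": 1003, "battery_health": None},  # VM: no battery health sample
    {"device_id": 1004, "battery_health": 7},
]


def devices_needing_battery(devices, threshold=BATTERY_HEALTH_THRESHOLD):
    """Return IDs of devices whose battery health is strictly below threshold.

    Devices that never reported a value are skipped, which is why a lab VM
    leaves the automation log empty.
    """
    return [
        d["device_id"]
        for d in devices
        if d.get("battery_health") is not None and d["battery_health"] < threshold
    ]


def build_add_tag_request(base_url, username, password, tenant_code, tag_id, device_ids):
    """Build (but do not send) the HTTP request that tags the given devices.

    Assumption: the path and JSON body follow the UEM REST API's
    tags/{id}/adddevices call; confirm both in your console's API help.
    """
    if not device_ids:
        raise ValueError("no devices matched the rule; nothing to tag")
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    body = json.dumps({"BulkValues": {"Value": [str(i) for i in device_ids]}})
    return Request(
        url=f"{base_url.rstrip('/')}/api/mdm/tags/{int(tag_id)}/adddevices",
        data=body.encode(),
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",  # API user name and password
            "aw-tenant-code": tenant_code,      # the API Key from the console
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    # Hypothetical variable names: secrets are read from the environment
    # instead of a text file; the fallbacks are placeholders.
    request = build_add_tag_request(
        os.environ.get("UEM_BASE_URL", "https://labs.awmdm.com"),
        os.environ.get("UEM_API_USER", "user@example.com"),
        os.environ.get("UEM_API_PASSWORD", "placeholder-password"),
        os.environ.get("UEM_TENANT_CODE", "PLACEHOLDER-TENANT-CODE"),
        TAG_ID,
        devices_needing_battery(SAMPLE_DEVICES),
    )
    print(request.get_method(), request.full_url)
    print(request.data.decode())
```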

Identifying Windows Devices Missing Critical OS Patches

InfoSec is requesting a list of the devices that are most at risk: those without specific KBs installed (Severe Security or Critical Windows Updates).

How Workspace ONE Intelligence will help:

  • Create a dashboard that shows, in real time, all current devices that do not have each critical KB installed
  • Segment the data by model or OS version to see if there are certain models or OS versions that are most at risk
  • Use automation to notify users to update their devices
  • Monitor how many devices have been patched or upgraded across all Windows 10 devices

1. Adding Widget

  1. Click My Dashboard
  2. Click Add Widget

2. Creating Security Update Status Widget based on Template

  1. Click OS Updates
  2. Select Security Update Status
  3. Click Next

3. Defining the parameters for the Filters

On the first filter change the values as below:

  1. Change the field to Windows Patch KB Number
  2. Change the condition to Equals
  3. Set the KB Number to 890830
  4. Click + to add a second filter
  5. Set the field to Windows Patch Update Status
  6. Change the condition to Does Not Include
  7. Select Installed

4. Configuring the Data Visualization

  1. Enter Windows Models without Spectre/Meltdown Patch
  2. Select Table as Chart Type
  3. Set the By Group to Model
  4. Click Add subgroup and set to OS Version

Feel free to change the Chart Type and experiment with different types of visualization. Depending on the Chart Type, you may need to re-enter the Group fields.

The result shows the number of devices, grouped by Model and OS Version, that do not have the KB required to patch Spectre/Meltdown installed. The IT administrator can now use this widget to identify devices at risk.

5. Click Save to add the Widget to your Dashboard

5. Pushing Patches through Automation

Now that you have identified the devices at risk, we need to create an automated process that remediates them by pushing the correct patches to the devices.

5.1. Creating Automation

  1. Click Automation
  2. Click Add Automation

5.2. Selecting the Automation Category

  1. Click OS Updates
  2. Click Use Template

These steps create a new automation based on an empty template.

5.3. Configuring the Conditions

On the first filter change the values as below:

  1. Enter Windows Patch Remediation (Spectre/Meltdown) for the Name of the Automation
  2. Change the field to Windows Patch KB Number
  3. Change the condition to Equals
  4. Set the KB Number to 890830
  5. Click + to add a second filter
  6. Set the field to Windows Patch Update Status
  7. Change the condition to Does Not Include
  8. Select Installed
  9. Scroll down

5.4. Defining the Action to be executed

Select Workspace ONE UEM API

5.5. Select Approve Patch Action

Scroll down and select the action Approve Patch

5.6. Configuring the Action

  1. Enter 890830 for Revision ID
  2. Click Save

5.7. Save and Enable Action

Save & Enable

6. Monitoring

You can monitor the execution of this action through the Workspace ONE Intelligence Console.

  1. Click on "..." for the Automation you just created
  2. Click View Logs

The Automation Log screen will show up with the list of devices targeted by this automation. 
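
The two filters shared by the Security Update Status widget and the patch automation (KB Number Equals 890830, Update Status Does Not Include Installed), with the Model and OS Version grouping, as an added example that is not VMware's code or part of the original lab. The rows are constructed, the field names and non-Installed status strings are assumptions, and folding rows per device before counting is this example's choice, since the page does not say how Intelligence treats repeated samples.

```python
from collections import Counter

KB_NUMBER = "890830"   # KB number entered in the lab's filters
INSTALLED = "Installed"

# Constructed sample rows, one per (device, update) sample. Field names, models
# and every status string except "Installed" are assumptions of this example.
_FIELDS = ("device_id", "model", "os_version", "kb", "status")
SAMPLE_UPDATES = [dict(zip(_FIELDS, row)) for row in [
    (1, "Model A", "10.0.17134", "890830", "Available"),
    (2, "Model A", "10.0.17134", "890830", "Installed"),
    (3, "Model A", "10.0.16299", "890830", "Failed"),
    (3, "Model A", "10.0.16299", "890830", "Available"),       # repeated sample
    (4, "Model B", "10.0.17134", "0000001", "Available"),      # different KB
    (5, "Model B", "10.0.17134", "890830", "Pending Reboot"),
    (6, "Model B", "10.0.17134", "890830", "Available"),       # stale row ...
    (6, "Model B", "10.0.17134", "890830", "Installed"),       # ... now patched
    (7, "Model A", "10.0.17134", "890830", "Available"),
]]


def devices_missing_kb(rows, kb=KB_NUMBER):
    """Map device_id -> (model, os_version) for devices that lack the KB.

    Mirrors the two lab filters. Rows are folded per device first so that a
    stale "Available" row cannot flag a device that also reports "Installed",
    and a device with several rows is counted once.
    """
    seen, patched = {}, set()
    for row in rows:
        if str(row["kb"]).strip() != kb:
            continue
        seen[row["device_id"]] = (row["model"], row["os_version"])
        if row["status"].strip().lower() == INSTALLED.lower():
            patched.add(row["device_id"])
    return {dev: group for dev, group in seen.items() if dev not in patched}


def table_by_model_and_os(missing):
    """Count missing devices by Model, then OS Version, like the Table widget."""
    return sorted(Counter(missing.values()).items())


def approval_targets(missing):
    """Device IDs the remediation automation would act on, in stable order."""
    return sorted(missing)


if __name__ == "__main__":
    missing = devices_missing_kb(SAMPLE_UPDATES)
    for (model, os_version), count in table_by_model_and_os(missing):
        print(f"{model:10} {os_version:12} {count}")
    print("automation targets:", approval_targets(missing))
```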

6.1. View Automation Log

Increasing Compliance Across Devices

In your organization, InfoSec and IT teams have to work together to quickly identify where their entire device base stands against basic policies at any moment. Today, IT has to report whether all devices are in compliance with the recent policies defined by Governance.

How Workspace ONE Intelligence can help:

  • Only one agent is needed to gather and report on all of the numerous device states that the InfoSec team cares about and to understand which devices are at high risk
  • Query entire environment to identify most at risk devices: compromised devices, no passcode, unencrypted devices and other top risks.
  • Sort and segment these devices by OS
  • Create rules that automatically quarantine “high risk” devices and remove access to sensitive data sources
  • Use automation to enforce compliance by re-pushing security policies: remove access to VPN/Wi-Fi, move the device to an org group with fewer entitlements and less app access

Key benefits: Save time, no need to aggregate multiple reports from different sources, increase compliance across the environment, increase IT Ops efficiencies

1. Security Risk Dashboard

1. Click Security Risk under dashboards

2. Identifying Compromised Devices over time

This dashboard shows the number of devices that became compromised during the past 30 days. That can happen because the IT administrator defined compliance policies such as an apps blacklist, device not seen in the past 24 hours, no passcode, etc.

3. Identifying Devices without passcode over time

The Passcode Risk dashboard shows specifically the number of devices without a passcode during the past 30 days. The IT administrator can identify these devices and take actions through Intelligence Automation, such as moving the device to quarantine, removing access to corporate data, etc.

4. Identifying Devices unencrypted over time

Devices without encryption represent a significant security risk: many contain corporate files, and without encryption confidential information can land in the wrong hands, compromising the organization and its plans.

The Encryption Status dashboard shows the number of devices identified as unencrypted over the last 30 days. That information allows IT to review its policies and take several actions on all devices, such as enforcing encryption or blocking corporate access until the device is encrypted through Workspace ONE UEM.

5. Identifying Top Risks

The Top Risks dashboard presents the number of devices at risk because they are not in compliance with one or more of the following policies.

  • Anti-Virus disabled (Windows 10)
  • iCloud enabled (iOS)