VMware Workspace ONE Cloud-Based Reference Architecture

Component Design: Workspace ONE Intelligence

The shift from traditional mobile device management (MDM) and PC management to a digital workspace presents its own challenges.

  • Data overload – When incorporating identity into device management, IT departments are deluged by an overwhelming volume of data from numerous sources.
  • Visibility silos – From a visibility and management standpoint, working with multiple unintegrated modules and solutions often results in security silos.
  • Manual processes – Traditional approaches such as using spreadsheets and scripting create bottlenecks and require constant monitoring and corrections.
  • Reactive approach – Examining collected data for security problems and only then working out a remediation introduces delays, and every hour of delay reduces the value of the response. A reactive posture is not a sustainable long-term strategy.

VMware Workspace ONE® Intelligence is designed to simplify the user experience without compromising security. The service aggregates and correlates data from multiple sources to give complete visibility into the environment, and produces the insights needed to make informed decisions about your Workspace ONE deployment. Workspace ONE Intelligence also has a built-in automation engine in which rules can be defined to take automatic action on security issues.

Figure: Workspace ONE Intelligence Logical Architecture

Architecture

Workspace ONE Intelligence is a cloud-only service, hosted on Amazon Web Services (AWS), that offers the following advantages:

  • Reduces the overhead of infrastructure and network management, so that customers can focus on using the product.
  • Complements a continuous integration and continuous delivery approach to software development, allowing new features and functionality to be released with greater speed and frequency.
  • Simplifies solution delivery by maintaining a single version of the software, with no patching required on the customer side.

Hosting on AWS provides the following benefits:

  • AWS is an industry leader in cloud infrastructure, with a global footprint that allows the service to be hosted in different regions around the world.
  • AWS offers a variety of managed services out of the box for high availability and straightforward monitoring.
  • Leveraging these services allows VMware to focus on product feature development and security rather than infrastructure management.

Workspace ONE Intelligence includes the following components.

Table: Components of Workspace ONE Intelligence

Workspace ONE Intelligence Connector – An ETL (Extract, Transform, Load) service responsible for collecting data from the Workspace ONE UEM database and feeding it to the Workspace ONE Intelligence cloud service.

Intelligence Cloud Service – Aggregates all the data received from the Intelligence Connector, generates and schedules reports, and populates the Workspace ONE Intelligence dashboard with the selected data points in the format of your choice.

Consoles – Workspace ONE Intelligence currently uses the following consoles:

  • Workspace ONE UEM Console
  • Workspace ONE Intelligence Console
  • Apteligent Console (for app analytics)

Data sources – VMware Workspace ONE® UEM, VMware Identity Manager, Apteligent.

Scalability and Availability

The Workspace ONE Intelligence service is currently hosted in six production regions, including Oregon (two locations), Ireland, Frankfurt, Tokyo, and Sydney. It leverages the same auto-scaling and availability principles as those described in AWS Auto Scaling and High Availability (Multi-AZ) for Amazon RDS.

Databases

Workspace ONE Intelligence uses several database types, depending on the kind of data and its purpose. These databases are preconfigured as part of the cloud service offering, and no additional configuration is necessary.

Table: Workspace ONE Intelligence Databases

Amazon S3

  • Ultimate source of truth
  • Cold storage for all data required for database recovery, if needed
  • Also used actively for scenarios such as app analytics loads and usage

Amazon DynamoDB

  • Managed AWS service
  • Stores arbitrary key-value pairs for different data types
  • Data source for dashboard reports and subscriptions

Elasticsearch – History

  • Historical charts
  • Historical graphs

Elasticsearch – Snapshot

  • Report previews
  • Current counts

Workspace ONE Intelligence Data Sources

The following figure shows how the various data sources contribute to Workspace ONE Intelligence.

Figure: Workspace ONE Intelligence Data Sources

Workspace ONE Unified Endpoint Management

After a device is enrolled with Workspace ONE UEM, it starts reporting a variety of data points to the Workspace ONE UEM database, such as device attributes, security posture, and application installation status. Workspace ONE UEM also gathers information about device users and user attributes from its local database and from Active Directory. All of this information is aggregated and correlated for display and to drive automated actions that strengthen security and simplify the user experience.

Figure: Workspace ONE Intelligence Components for UEM

Workspace ONE Intelligence Connector service (also known as the ETL service) is responsible for aggregating the data from Workspace ONE UEM and feeding it to Workspace ONE Intelligence. After the data is extracted, the Workspace ONE Intelligence service processes it to populate dashboards and to generate reports based on the attributes selected by the intelligence administrator.

The Workspace ONE Intelligence Connector service is preconfigured for Workspace ONE UEM cloud-based customers, so no additional configuration is required to use Workspace ONE Intelligence. Customers can choose among the following regions: United States, Ireland, Frankfurt, Tokyo, and Sydney.

The Workspace ONE Intelligence Connector service does not currently support active/active high availability. Additional instances are, however, deployed for redundancy and disaster recovery, and server resources are increased according to load to handle scaling.

VMware Identity Manager

Integrating VMware Identity Manager with Workspace ONE Intelligence allows administrators to track login and logout events for applications in the Workspace ONE catalog. It also captures application launches from the Workspace ONE catalog for both Service Provider (SP)–initiated and Identity Provider (IdP)–initiated workflows. This information is available for web, native, and virtual applications and is presented in preconfigured as well as custom dashboards.

This offers insight into application adoption (for example, unique users per application) and, from a security standpoint, into failed logins. It can also show application engagement and user-experience statistics for the most-used applications.

To add VMware Identity Manager as a data source to Workspace ONE Intelligence, navigate to Intelligence Settings in the Intelligence dashboard and select IDM. Enter the tenant URL for VMware Identity Manager and select Authorize.

Apteligent

Integrating Apteligent with Workspace ONE Intelligence provides insight into app and user behavior analytics. Once Apteligent is registered with Workspace ONE Intelligence, the applications dashboard starts populating with the relevant data.

The prerequisites are that enterprise applications must have the Apteligent SDK embedded in them, and the applications must be managed by Workspace ONE UEM.

The platforms supported with Apteligent are Apple (iOS, tvOS), Android, HTML5, Unity, PhoneGap, and hybrid platforms (that is, a native platform with an HTML5 component).

The following data is captured and correlated from Apteligent and Workspace ONE UEM.

Table: App Dashboard Widgets Summary

  • Total installs – Total number of installations of the application
  • Devices missing app – Number of devices that do not have the specified app
  • App install status – Installation status of the app; for example, installing, failed, pending removal, and managed
  • App version over time – Versions of the app in use over the selected time range
  • Installs over time – Number of installations of the application over the selected time range

Apteligent can be integrated with Workspace ONE by following the instructions in Register Apteligent in Settings in the INTEGRATIONS section of the Workspace ONE UEM Online Help.

To use the full capabilities of Apteligent, use the Apteligent Console. For more information, see the Apteligent documentation.

Workspace ONE Automated Decision Making

All data collected from the data sources is aggregated and correlated by the Workspace ONE Intelligence service. The data is then made available for visualization from a business, process, and security standpoint. The Workspace ONE Intelligence service can also perform automatic actions based on the rules defined in the Intelligence Console.

Dashboards

Dashboards present either the historical view or the latest snapshot of information about selected attributes, such as devices, users, operating systems, and applications. Dashboards are populated by widgets that are fully customizable, including layout, filters, and other options. Information can be displayed as horizontal or vertical bar charts, donut charts, and tables. You can also choose a specific date range to visualize historical data.

Following is a summary of the predefined widgets.

Table: Examples of Out-of-the-Box Dashboard Widgets

  • Devices – Number of enrollments, operating system breakdown, compromised status
  • Apps – Most popular apps, agent installs by version
  • OS Updates – Top ten KB installs, security update status
  • User Logins – Trend of user logins, login failures by authentication method
  • App Launches – Top five apps launched by unique users and total launches

You can extend the filters and data points for the out-of-the-box widgets or create new widgets from scratch.

Dashboards are available as a part of Workspace ONE Intelligence cloud offerings. No additional configuration is needed for this feature.

Reports

Reports are generated by fetching the latest data from Workspace ONE UEM at run time, giving administrators up-to-date information about the deployment. The data is drawn from device, application, and user data points.

Workspace ONE Intelligence offers a set of predefined templates. Additionally, you can customize these templates or create a new template from scratch to generate reports on the specific data points. Using the reports dashboard of Workspace ONE Intelligence, you can run, subscribe to, edit, copy, delete, and download (CSV format) reports. 

Reports are available as a part of Workspace ONE Intelligence cloud offerings. No additional configuration is needed for this feature. However, reports are available only to organization groups whose organization group type is Customer.

Automation Capabilities

Automation allows administrators to specify the conditions under which automatic actions are performed, removing the need for constant monitoring and manual processing to respond to a security issue. Configuring an automation involves defining the trigger, the condition, and the automated action, such as sending a notification or installing or removing a particular profile or app.

Automation is carried out by automation connectors. The Workspace ONE UEM connector uses the Workspace ONE UEM REST APIs to communicate with Workspace ONE UEM and perform the automation actions. The current list of automation connectors includes VMware Workspace ONE UEM, ServiceNow, and Slack, and the list is growing quickly.

Automation is included with Workspace ONE Intelligence. To use this feature, enable the AirWatch REST API key, which is required when setting up the automation connectors. Because this key authenticates API calls against your tenant, treat it as a privileged credential: limit who can view it in the console and rotate it if it is ever exposed.

To enable the key, in the Workspace ONE UEM Console navigate to Settings > System > Advanced > API > REST API.
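The following is an added example, not VMware's code and not the implementation of the Intelligence automation engine: a minimal trigger/condition/action evaluator in the same shape as an Intelligence automation (a condition over device attributes, followed by a UEM connector action and a notification connector action). It shows how the REST API key from the procedure above ends up in the connector's requests and why the connector must fail closed when the key is missing. The host name, the device records, the `/API/mdm/devices/{id}/commands` path, the `aw-tenant-code` header name and the connector names are assumptions for illustration; the UEM requests are built but not sent, so the script runs offline.

```python
"""Added example (not VMware's code): rule evaluation over constructed device
records, emitting the Workspace ONE UEM REST API requests an automation
connector would make. Host, paths, header names and records are assumptions."""
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, List

UEM_HOST = "https://uem.example.com"  # assumed tenant host


@dataclass
class UemConnector:
    """What the UEM automation connector holds: the tenant REST API key plus a
    dedicated, least-privilege admin account (never a personal admin login)."""
    host: str
    api_key: str
    admin_user: str
    admin_password: str

    def headers(self) -> Dict[str, str]:
        # Fail closed: without the REST API key the connector cannot authenticate.
        if not self.api_key:
            raise ValueError("REST API key not set; enable it under "
                             "Settings > System > Advanced > API > REST API")
        basic = base64.b64encode(
            f"{self.admin_user}:{self.admin_password}".encode()).decode()
        return {
            "aw-tenant-code": self.api_key,   # assumed header carrying the API key
            "Authorization": f"Basic {basic}",
            "Accept": "application/json",
        }

    def device_command(self, device_id: int, command: str) -> dict:
        """Build (not send) a device command request; the path is an assumption."""
        return {
            "method": "POST",
            "url": f"{self.host}/API/mdm/devices/{device_id}/commands?command={command}",
            "headers": self.headers(),
        }


@dataclass
class Rule:
    name: str
    condition: Callable[[dict], bool]          # evaluated per device record
    device_commands: List[str] = field(default_factory=list)  # UEM connector actions
    notify: str = ""                           # assumed notification connector name


def version_tuple(v: str) -> tuple:
    """'15.7' -> (15, 7) so OS versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# Constructed sample records in the shape Intelligence holds UEM device data.
DEVICES = [
    {"DeviceId": 1001, "Platform": "iOS", "CompromisedStatus": True, "OsVersion": "16.1"},
    {"DeviceId": 1002, "Platform": "Android", "CompromisedStatus": False, "OsVersion": "13"},
    {"DeviceId": 1003, "Platform": "iOS", "CompromisedStatus": False, "OsVersion": "15.7"},
]

RULES = [
    # Trigger: device posture changed. Condition: compromised (jailbroken/rooted).
    Rule("Lock compromised devices",
         condition=lambda d: d["CompromisedStatus"] is True,
         device_commands=["Lock"], notify="servicenow"),
    # Condition: iOS below an assumed baseline; notification only, no device command.
    Rule("Flag iOS below baseline",
         condition=lambda d: d["Platform"] == "iOS"
         and version_tuple(d["OsVersion"]) < (16, 0),
         notify="slack"),
]


def evaluate(rules: List[Rule], devices: List[dict], conn: UemConnector) -> List[dict]:
    """Return, in order, the actions the automation would take for each hit."""
    actions = []
    for device in devices:
        for rule in rules:
            if not rule.condition(device):
                continue
            for cmd in rule.device_commands:
                actions.append({"rule": rule.name, "device": device["DeviceId"],
                                "request": conn.device_command(device["DeviceId"], cmd)})
            if rule.notify:
                actions.append({"rule": rule.name, "device": device["DeviceId"],
                                "notify": rule.notify})
    return actions


if __name__ == "__main__":
    conn = UemConnector(UEM_HOST, "EXAMPLE-API-KEY", "automation-svc", "s3cret")
    for action in evaluate(RULES, DEVICES, conn):
        print(action)
```

In the sample run, the compromised device gets a Lock request plus a ServiceNow notification, the patched Android device matches nothing, and the out-of-date iOS device only generates a Slack notification. The design choice worth copying into a real integration is the `headers()` check: an automation that silently proceeds without credentials, or with a personal admin's credentials, is the failure mode to avoid.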

Getting Started with Workspace ONE Intelligence

Workspace ONE Intelligence is offered as a 30-day free trial, can be purchased as an add-on, and is included in the Workspace ONE Enterprise bundle. On first login to the Workspace ONE Intelligence dashboard, you must opt in to Workspace ONE Intelligence by selecting a check box.

See the VMware Workspace ONE Intelligence guide.