
What is Workspace ONE Intelligence?

Workspace ONE Intelligence (WS1 Intelligence) is the analytics and automation service of the Workspace ONE platform. It aggregates data from the rest of the suite into a single view of the workspace environment, presents that data through dashboards and reports, monitors user experience, and lets IT and security teams act on it through automations.

At the core of Workspace ONE Intelligence is its integration with the broader Workspace ONE suite, which includes three primary components:

  • Workspace ONE UEM (WS1 UEM, formerly AirWatch): This is the unified endpoint management solution, the cornerstone of the Workspace ONE solution. It manages and controls devices while housing extensive information about each managed device.
  • Workspace ONE Access (formerly VMware Identity Manager): This component is a central authentication point, granting access to all authorized services, including SaaS applications.
  • Virtual Windows Apps and Desktops (Horizon): This component delivers Windows applications and desktops to users.

Workspace ONE Intelligence combines access, device, and application information into a single source. This lets IT teams build detailed reports and automations on top of a wide range of data. Even if an organization does not use every Workspace ONE component, Intelligence still provides useful insights and automation for many use cases, improving its ability to manage and secure the digital workspace.

Why use Workspace ONE Intelligence?

  1. Workspace ONE Intelligence provides visibility into managed devices by collecting data across devices, applications, and user interactions, so IT teams can make data-driven decisions and spot trends that affect productivity and security.
  2. WS1 Intelligence automates routine IT tasks such as patch management, device lifecycle management, and device onboarding. This reduces manual work, cuts down on errors, and applies policy consistently across the organization.
  3. By analysing security events and user behaviour, Workspace ONE Intelligence surfaces risky devices and unpatched vulnerabilities so they can be remediated before they are exploited, strengthening the organization’s overall security posture.
  4. Intelligence integrates with the other Workspace ONE components, Workspace ONE UEM and Workspace ONE Access, so that all aspects of the digital workspace are managed together rather than from separate consoles.

Workspace ONE Intelligence Licensing and Availability

Workspace ONE Intelligence is included in the Workspace ONE Enterprise licensing tier. Organizations on a lower tier (Workspace ONE Standard or Advanced) that want the full capabilities of Workspace ONE Intelligence can purchase it separately as an add-on license, which unlocks the complete set of analytics, automation, and security features. While Workspace ONE Intelligence must be licensed (either as an add-on or through Enterprise licensing) to access all of the automation and reporting, a demo is available in every WS1 UEM environment that allows some custom reports to be created.

Workspace ONE Integration Points

WS1 Intelligence can integrate with many services and product suites. The other WS1 components, such as Unified Access Gateways (UAGs), WS1 Access, WS1 UEM, and Horizon, must be integrated manually by an administrator; third-party services such as ServiceNow, Slack, and Zoom can be integrated as well.

Before WS1 administrators can use WS1 Intelligence to build automation actions or reports that target other Workspace ONE components, WS1 Intelligence must be integrated with those services. The integration lets Intelligence collect data from, and issue commands to, the devices in the Workspace ONE environment at the infrastructure level, whether through API keys, OAuth, or console administrator accounts. Because those credentials allow Intelligence to act on every managed device, the UEM integration account should be a dedicated administrator holding only the roles the automations need. For example, the WS1 UEM integration lets WS1 Intelligence gather device data such as installed apps, battery health, and last sync time from managed devices. The WS1 Access integration gives WS1 Intelligence access to WS1 Access data, such as the authentication methods used at login.

The WS1 UEM integration is by far the most important one. It allows WS1 Intelligence to instruct WS1 UEM to perform automation actions such as adding or removing profiles and tags, installing or uninstalling applications, or running device scripts. It also provides most of the device data, including values reported by custom sensor scripts.

Solutions

An administrator can also add pre-built solutions to WS1 Intelligence. Solutions are workspaces that gather all the necessary objects for a feature into a single area in WS1 Intelligence. Solutions can include widgets and processes from dashboards, workflows, and reports so an administrator can view device health, find issues, and fix them.

The WS1 Intelligence Solution that will offer most organizations the most value, regardless of industry, is likely the Vulnerability Management Solution. It includes the Vulnerability Management dashboard and information on specific vulnerabilities in the device fleet. Currently, it supports Windows and iOS devices. It lets an administrator find vulnerabilities published in NIST’s National Vulnerability Database (NVD), see which CVEs (Common Vulnerabilities and Exposures) affect the devices managed by Workspace ONE UEM, and view lists of applicable CVEs along with their explanation cards. For each CVE, the affected devices can be listed, together with the CVE’s CVSS (Common Vulnerability Scoring System) score, the NIST entry, and any Microsoft advisory.

The Vulnerability Management dashboard shows the number of devices affected by vulnerabilities and a breakdown of which vulnerabilities affect which devices. This is actionable information that can be used to secure devices and even to create automations that remediate those vulnerabilities.

Reports and Dashboards

Reports and analytics are a common ask with any solution, especially one like WS1 UEM that manages all devices and holds a treasure trove of data on everything from installed apps to device health. Reports can be generated from the WS1 UEM admin console, but that functionality is limited and does not allow custom reports; administrators are restricted to reports on which devices are in the environment and what is installed on them. WS1 Intelligence opens this up, allowing fully customizable reports with access to much more data.

Pre-made reports, known as templates, are available in the WS1 Intelligence console under Workspace > Reports > Add > “From Template.” The All Apps template is always valuable for mobile devices, and the templates listing devices with CVE vulnerabilities are useful for confirming that the environment is current with security patches. One of the best parts of WS1 Intelligence reports is the ability to choose which columns are displayed. It is recommended to start from a template such as All Apps and customize it rather than build a report from scratch.

To start creating reports, sign in to Workspace ONE Intelligence through the Omnissa portal (previously VMware Cloud Services) and go to Workspace > Reports > Add > From template.

From there, start the All Apps template and begin customizing the report.

On a report, choose the report’s name, historical versus snapshot data, download format, filters, and columns. The Filters option determines which devices or users appear in the report.

The All Apps template includes all enrolled devices, but any number of other criteria can be applied. For example, the report could be limited to enrolled devices that were active, or last synced, after 05/01/2024.

In Manage Columns at the bottom, change which columns appear and do not appear in the report to customize it, and drag up and down under selected columns to set their order.

Example Automations

The following sections explore some common Workspace ONE Intelligence use cases, focusing on mobile device fleets.

Risk Analytics

Workspace ONE Intelligence provides Risk Analytics, which assigns device risk scores that automations can act on. Risk Analytics tracks user and device actions and behaviours and calculates the potential risk using data from WS1 UEM and, optionally, WS1 Access. With that data, administrators can proactively identify and mitigate threats to the WS1 environment and device fleet.

Risk scoring is based on various factors. WS1 Intelligence uses the UEM and Access data to identify risky behaviour, such as a user who installs an atypical number of apps in a short period or a device with an excessive number of unpatched critical CVEs. Omnissa’s documentation describes in more detail how WS1 Intelligence calculates the risk score.

Automations built on Risk Score data can, for example:

  • Uninstall apps or remove profiles from high-risk devices.
  • Add a tag to devices in WS1 UEM to indicate high-risk devices. This tag can also be used to add a device to a smart group with additional restrictions assigned.
  • Force an OS update on supervised iOS devices that have not been updated.
  • Create a notification in Slack or via email to alert the service desk/security team of high-risk devices.

In the following example, an automation that detects high-risk iPhones removes the existing restrictions profile and replaces it with a more restrictive one.

Use Device Risk Score as the data source, since the device’s risk score is the attribute of interest. Set the filter to target devices where Risk Score = High and Device Type = iPhone, then add a Remove Profile action for the current restrictions profile followed by an Add Profile action for the stricter restrictions profile. For example, a relatively open restrictions profile could be swapped for one that removes access to the Apple App Store on the device.

The risk score can also be used for authentication. Through the WS1 Access integration, the risk score becomes a criterion in Access conditional access policies, so that high-risk devices are required to complete additional authentication or are blocked entirely. Once the WS1 Access and WS1 Intelligence integration is configured, enable the Risk Score authentication method in the WS1 Access admin console under Integrations > Authentication Methods > Login Risk Score.

Next, enable Login Risk Score and configure access for each score.

When the Login Risk Score is configured for Step-Up Authentication, it can be added to any authentication policies as an additional step. This allows authentication steps, such as MFA, to be added to higher-risk devices.

An example access policy could use the following flow:

  • Users with a low login risk score logging in with an iOS device can log in without entering additional credentials.
  • Users with a medium login risk score logging in with an iOS device must use the multi-factor authentication method to log in.
  • Users with a high login risk score logging in with an iOS device are denied access.

Note: Login Risk Score authentication can be added to any policy rule, but it cannot be the first authentication method in the rule. Login Risk Score must be listed second or later, and the authentication methods that precede it must also be listed in the failover policy. In this example, Mobile SSO is the first authentication method and Login Risk Score is the second; Mobile SSO and MFA are also listed in the failover policy.

Risk Analytics Dashboards and Widgets

A built-in dashboard visualizes overall device risk scoring. It can be found under the Intelligence Dashboard > Security Risk Dashboard > Devices tab. The dashboard shows historical data on devices with a high risk score, broken down by risk indicator. (Note that one device can have more than one high-risk indicator.)

Risk Analytics is a low-effort, high-reward, out-of-the-box feature that adds value to a security setup without additional integration (the Workspace ONE Access integration is optional). The risk score data is already calculated; administrators can take full advantage of it through the built-in risk scoring dashboard for visualization and through automations that act on high-risk devices to mitigate threats.

App Uninstalls

Many mobile device manufacturers preload apps that administrators would rather their users not have to deal with. All system apps could be removed from Android devices with a Zero-Touch or Samsung Knox Mobile Enrollment (KME) profile, but that may remove more than intended. A WS1 UEM restrictions profile or Launcher configuration for Android could also hide these apps. However, when only a few apps need to be removed, a WS1 Intelligence automation is often the better option.


With a trigger rule created in the WS1 Intelligence console, Intelligence can detect when the unwanted app is installed on any enrolled device and send an uninstall command through WS1 UEM.

In this example, any Android app named NHL or the app identifier com.nhl.gc1112.free is targeted.

When selecting the application ID, either search existing values to list all apps in the public apps section of the WS1 UEM environment or enter a custom value. The custom value for an app can be found under Resources > Apps > Public by clicking the target app: it is the value at the end of the URL on the app details page.

Note: Paradoxically, administrators must add the apps they want to remove as public apps to their WS1 UEM console. Intelligence cannot locate the app without it. 

Device Cleanup

WS1 Intelligence can automate cleanup and keep unused device records out of the environment. Without it, WS1 administrators would have to delete stale device records manually, in bulk or one at a time, at a high operational cost. With WS1 Intelligence, administrators can automatically send a device wipe command, a delete device command, and an optional notification telling administrators which devices are being removed. If integrated, the notification can go out through email or Slack.

In this example, WS1 Intelligence deletes devices from the console that have not checked in for 45 days and then emails the service desk. Devices deleted from the console also automatically receive an enterprise wipe command, so the filter should be reviewed carefully before the automation is enabled.

To set up the workflow, use the Devices Data source and set Trigger Settings to automatic. Then, filter the automation workflow to apply only to devices not checked in within the last 45 days. Administrators can customize the filter and add additional filtering criteria, such as excluding kiosks or shared devices.

Actions can then be added to the automation. Send Email is used here, but if Slack or ServiceNow is integrated, those can alert the service desk of the deletion instead. When adding the Send Email action, enter the recipient address(es) in “To Address” and the email contents in the “Subject” and “Message” fields. Lookup values are supported, so device variables can be inserted into the email.

Note that for most actions the PATH_VARIABLE field auto-populates with the device ID, which is what most UEM actions target.
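Because a delete from UEM also enterprise-wipes the device, it is worth previewing exactly which records the 45-day filter would catch before turning the automation on. The following PowerShell is an added example, not code from the original post or from Omnissa: it applies the same filter to device records shaped like the WS1 UEM device search API response (field names Id.Value, DeviceFriendlyName, SerialNumber, Ownership and LastSeen, and the DELETE /API/mdm/devices/{id} endpoint, are assumptions to confirm against your tenant’s API help page), excludes shared devices such as kiosks, skips records that have never checked in, and only calls the API when run without -WhatIf.

```powershell
# Added example (not from the original post): preview which device records the
# "not checked in for 45 days" automation would delete, before the automation is enabled.
# A delete from UEM also triggers an enterprise wipe, so the filter's scope deserves a dry run.
# Assumptions: device records are shaped like the WS1 UEM /API/mdm/devices/search response
# (Id.Value, DeviceFriendlyName, SerialNumber, Ownership, LastSeen) and deletion uses
# DELETE /API/mdm/devices/{id}; confirm both against the API help page of your own tenant.

function Get-StaleDevices {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [int] $MaxIdleDays = 45,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $cutoff = $Now.AddDays(-$MaxIdleDays)
    foreach ($d in $Devices) {
        # A record with no LastSeen has never checked in; it is left for manual review, not deleted.
        if ([string]::IsNullOrEmpty($d.LastSeen)) { continue }
        # Treat a timestamp without a zone as UTC so the comparison does not drift with console locale.
        $lastSeen = [datetimeoffset]::Parse($d.LastSeen, [cultureinfo]::InvariantCulture,
                        [System.Globalization.DateTimeStyles]::AssumeUniversal).UtcDateTime
        if ($lastSeen -ge $cutoff) { continue }
        # Shared (ownership "S") devices such as kiosks legitimately sit idle; exclude them, as the post suggests.
        if ($d.Ownership -eq 'S') { continue }
        [pscustomobject]@{
            Id       = $d.Id.Value
            Name     = $d.DeviceFriendlyName
            Serial   = $d.SerialNumber
            LastSeen = $lastSeen
            IdleDays = [int]($Now - $lastSeen).TotalDays
        }
    }
}

function Invoke-StaleDeviceCleanup {
    # ConfirmImpact High: without -WhatIf or -Confirm:$false, every delete prompts for confirmation.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [object[]] $StaleDevices,
        [Parameter(Mandatory)] [string] $ApiHost,     # UEM API host, e.g. asNNNN.awmdm.com (placeholder)
        [Parameter(Mandatory)] [hashtable] $Headers   # aw-tenant-code (API key) plus Authorization
    )
    foreach ($dev in $StaleDevices) {
        $target = "$($dev.Name) (id $($dev.Id), serial $($dev.Serial), idle $($dev.IdleDays) days)"
        if ($PSCmdlet.ShouldProcess($target, 'Delete from UEM (this also enterprise-wipes the device)')) {
            Invoke-RestMethod -Method Delete -Uri "https://$ApiHost/API/mdm/devices/$($dev.Id)" -Headers $Headers
        }
    }
}

# Constructed sample records standing in for the search API response.
$sample = @(
    [pscustomobject]@{ Id = @{ Value = 101 }; DeviceFriendlyName = 'jdoe iPhone';   SerialNumber = 'SN-0001'; Ownership = 'E'; LastSeen = '2024-02-10T08:00:00' }   # stale: delete
    [pscustomobject]@{ Id = @{ Value = 102 }; DeviceFriendlyName = 'asmith Pixel';  SerialNumber = 'SN-0002'; Ownership = 'C'; LastSeen = '2024-05-20T17:30:00Z' }  # recent: keep
    [pscustomobject]@{ Id = @{ Value = 103 }; DeviceFriendlyName = 'Lobby kiosk';   SerialNumber = 'SN-0003'; Ownership = 'S'; LastSeen = '2024-01-05T00:00:00' }   # shared: excluded
    [pscustomobject]@{ Id = @{ Value = 104 }; DeviceFriendlyName = 'unused record'; SerialNumber = 'SN-0004'; Ownership = 'E'; LastSeen = $null }                    # never seen: skipped
)
$now   = [datetime]::new(2024, 6, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
$stale = Get-StaleDevices -Devices $sample -Now $now -MaxIdleDays 45
$stale | Format-Table Id, Name, Serial, LastSeen, IdleDays   # only device 101 (idle 112 days) is listed

# Dry run: -WhatIf prints the intended delete for each record instead of calling the API.
$headers = @{ 'aw-tenant-code' = '<api-key>'; Authorization = 'Basic <base64 user:password>'; Accept = 'application/json' }
Invoke-StaleDeviceCleanup -StaleDevices $stale -ApiHost 'asNNNN.awmdm.com' -Headers $headers -WhatIf
```

The same two exclusions (shared ownership and records that have never checked in) are worth adding as extra filter criteria in the Intelligence workflow itself; the script simply makes it easy to see the resulting list, and the device count, before the automation runs unattended.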

Device Onboarding

Since WS1 Intelligence collects data from multiple sources and can be configured with API access to other resources, it can be leveraged to automate device onboarding alerts and data collection. WS1 Intelligence can also automatically alert the Service Desk through an email to the Service Desk mailbox or through ticket creation.

WS1 Intelligence has a built-in ServiceNow integration (configuration instructions are in Omnissa’s documentation), but it can integrate with any service desk solution that supports ticket creation via a REST API. The EUC Samples GitHub repository includes sample connectors for a few other solutions, such as Atlassian and Zendesk. If no ticket is created, the automation can instead send an email alert to the service desk advising that a device has been onboarded.

A workflow that sends an email alert and creates a ServiceNow ticket when a new Windows device is added to the WS1 UEM environment consists of the following:

With this automation, the configured Trigger detects when a Windows device is enrolled and will only process the trigger once per enrolled device. It will then email the Service Desk, alerting them when a new device is onboarded, and create a ticket in ServiceNow. Useful variables, like the device-friendly name or serial number, can be included in the ticket or email.
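The trigger fires once per enrolled device record, but a device that is wiped and re-enrolled gets a new record and fires it again. The following PowerShell is an added example, not code from the original post or from Omnissa or ServiceNow, of the REST exchange a custom service-desk connector performs, with a lookup keyed on the serial number so the second enrollment attaches to the existing ticket instead of opening a duplicate. It assumes ServiceNow’s Table API on the incident table with Basic auth and uses the incident’s correlation_id field as the dedupe key; the instance name, credentials and serial number are placeholders.

```powershell
# Added example (not from the original post): the REST exchange a custom service-desk connector
# performs, with an idempotency check so that a re-enrolled device (same serial, new UEM record)
# does not open a second ticket. Assumptions: ServiceNow's Table API (/api/now/table/incident)
# with Basic auth, and correlation_id as the dedupe key; instance and credentials are placeholders.

function New-OnboardingIncident {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Instance,         # e.g. dev12345 -> https://dev12345.service-now.com
        [Parameter(Mandatory)] [pscredential] $Credential, # integration user with rights on the incident table
        [Parameter(Mandatory)] [string] $SerialNumber,     # Intelligence lookup value: device serial number
        [Parameter(Mandatory)] [string] $FriendlyName,     # Intelligence lookup value: device friendly name
        [string] $Platform = 'Windows'
    )
    $base = "https://$Instance.service-now.com/api/now/table/incident"
    $net  = $Credential.GetNetworkCredential()
    $auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($net.UserName):$($net.Password)"))
    $headers = @{ Authorization = "Basic $auth"; Accept = 'application/json'; 'Content-Type' = 'application/json' }
    $key = "ws1-onboard-$SerialNumber"

    # 1. Idempotency: look for an incident already carrying this device's key.
    $query = [uri]::EscapeDataString("correlation_id=$key")
    $existing = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "${base}?sysparm_query=$query&sysparm_fields=sys_id,number&sysparm_limit=1"
    if (@($existing.result).Count -gt 0) {
        return [pscustomobject]@{ Number = @($existing.result)[0].number; Created = $false }
    }

    # 2. Create the ticket. Only the fields the trigger supplies are sent; no UEM credentials or tokens.
    $body = @{
        short_description = "New $Platform device onboarded: $FriendlyName ($SerialNumber)"
        description       = "Device enrolled in Workspace ONE UEM.`nSerial: $SerialNumber`nFriendly name: $FriendlyName"
        category          = 'hardware'
        correlation_id    = $key
    } | ConvertTo-Json
    $created = Invoke-RestMethod -Method Post -Headers $headers -Uri $base -Body $body
    [pscustomobject]@{ Number = $created.result.number; Created = $true }
}

# Example call with the values an enrollment trigger would pass as lookup values (placeholders).
$cred = Get-Credential -Message 'ServiceNow integration user'
New-OnboardingIncident -Instance 'dev12345' -Credential $cred -SerialNumber 'PF3ABC12' -FriendlyName 'LAPTOP-JDOE'
# Running the same call a second time returns the same incident number with Created = $false.
```

The same two requests (a GET filtered on correlation_id, then a POST) map directly onto the request pair in an Intelligence custom connector, and running them by hand first confirms the integration user’s permissions before the connector is imported.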

General Scripting

With Workspace ONE Intelligence’s trigger and action system, countless automations can be created. Any pre-built WS1 UEM or WS1 Access trigger can launch a script, and triggers can be customized with sensor scripts. This is primarily useful on Windows and macOS: batch files, single command lines, and PowerShell on Windows, and Bash, Zsh, and Python 3 on macOS.

Both triggers and actions can be scripted. Device sensors can be used as a trigger and a script as an action or combine out-of-the-box triggers and actions.

A simple automation combines a sensor with an out-of-the-box action.

In this example, the sensor, named “detectgpcert”, is as follows:

# Sensor "detectgpcert": emits "Installed" when any certificate in the machine Personal store has DC=ExampleCompany in its subject
If (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*DC=ExampleCompany*" }) { Write-Output "Installed" } else { Write-Output "Not Installed" }

This automation detects whether a certificate whose subject contains “DC=ExampleCompany” is present in the machine’s Personal certificate store and, if it is, removes a profile. It was used to remove a VPN profile when a specific local certificate was present, but the same pattern has many applications. Sensors can detect almost anything on a Windows device: registry keys, applications, or even specific Event Viewer event IDs. This lets an administrator tie a script or an action (remove profile or application) to almost any trigger imaginable. A few other examples of simple triggers and actions are:

  1. A sensor to detect x days after the device is enrolled, using event IDs, could trigger adding a profile
  2. A sensor that detects the device language based on a registry key could trigger the installation of an alternate language application.
  3. A sensor to detect when an application is present could trigger an uninstall of that application.
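The following PowerShell is an added example, not code from the original post or from Omnissa, of sensor scripts for the three cases above plus a stricter form of the certificate sensor. Each function is the body of one sensor: a sensor is deployed on its own in WS1 UEM and must emit exactly one value with Write-Output, which the Intelligence trigger then filters on. Sensors run as SYSTEM, so the machine-wide sources (HKLM, the LocalMachine certificate store, the event log) are used rather than HKCU. The issuer DN, the enrollment event ID and log name, and the application name pattern are assumptions and must be replaced with values from your own environment.

```powershell
# Added example (not from the original post): four Windows sensor scripts of the kind the section describes.
# Each function is one sensor; a sensor must emit exactly one value with Write-Output. Sensors run as
# SYSTEM, so machine-wide sources (HKLM, LocalMachine cert store, event logs) are used instead of HKCU.
# Assumptions: the issuer DN, enrollment event ID/log, and app name pattern are placeholders.

# 1. Stricter form of the post's certificate sensor: match the exact issuer DN and require the cert to be
#    within its validity period, rather than a substring of the subject, so a look-alike cert cannot
#    satisfy the trigger that removes the VPN profile.
function Test-IssuedCert {
    param([string] $ExpectedIssuer = 'CN=ExampleCompany Issuing CA, DC=ExampleCompany, DC=local')  # assumed DN
    $now = Get-Date
    $match = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -eq $ExpectedIssuer -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
    }
    if ($match) { 'Installed' } else { 'Not Installed' }
}

# 2. Days since MDM enrollment, read from the oldest enrollment event (list item 1 above).
#    Event ID 72 in the DeviceManagement-Enterprise-Diagnostics-Provider Admin log is an assumption;
#    confirm the ID that marks a successful enrollment in your environment.
function Get-DaysSinceEnrollment {
    param([int] $EventId = 72,
          [string] $LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin')
    $evt = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $EventId } -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) { return -1 }   # -1 = no enrollment event found; filter this value out in the trigger
    [int]((Get-Date) - $evt.TimeCreated).TotalDays
}

# 3. Installed OS language from the machine-wide NLS key (list item 2), returned as a culture name such as fr-CA.
#    HKCU locale keys would reflect SYSTEM, not the user, so the machine value is used.
function Get-InstallLanguage {
    $hex = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Nls\Language').InstallLanguage  # e.g. "0409"
    [System.Globalization.CultureInfo]::new([Convert]::ToInt32($hex, 16)).Name
}

# 4. Presence of an application by DisplayName in the Uninstall keys, 64- and 32-bit (list item 3).
function Test-InstalledApp {
    param([Parameter(Mandatory)] [string] $DisplayNamePattern)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hit = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like $DisplayNamePattern }
    if ($hit) { 'Installed' } else { 'Not Installed' }
}

# Each deployed sensor script ends with a single Write-Output; keep the one being deployed.
Write-Output (Test-IssuedCert)
# Write-Output (Get-DaysSinceEnrollment)
# Write-Output (Get-InstallLanguage)
# Write-Output (Test-InstalledApp -DisplayNamePattern 'Example Legacy Agent*')
```

When the sensor is created in WS1 UEM, its value type has to match what the script emits (String for the certificate and application sensors, Integer for the enrollment age, String for the culture name); a mismatch leaves the Intelligence trigger with no usable value.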

The community maintains an excellent repository of sensors and scripts. This post barely scratches the surface of what sensors and scripts can do inside a WS1 Intelligence automation, but the sensor functionality opens up many possibilities.

Conclusion

Workspace ONE Intelligence is a powerful tool for managing and securing a device fleet. It collects large amounts of data on devices, users, and authentication flows and presents it through dashboards and reports, giving better visibility into the IT environment. Its automations let administrators automate tasks without extensive scripting, and a passionate community supports them. Integrated with Workspace ONE UEM, it lets administrators automate routine tasks, strengthen security, and improve operational efficiency.

  • Matt Kaita

    Matt is a seasoned expert in unified endpoint management (UEM), specializing in Workspace ONE. With extensive experience in deploying and managing devices and applications, he enhances productivity and security in digital workspaces. His hands-on expertise and strategic insights drive innovation in UEM solutions, helping businesses stay ahead in the evolving digital landscape.

