Intelligence Products
Documentation
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Copyright © 2021 VMware, Inc. All rights reserved. Copyright and trademark information.
1 VMware Workspace ONE Intelligence Products
  Workspace ONE Intelligence Dashboards, Automation, and Reports
  Workspace ONE Intelligence for Consumer Apps
  Workspace ONE Intelligence Products Data Definitions
2 Workspace ONE Intelligence Dashboards, Automation, and Reports
  Product and Pricing Information
  Workspace ONE Intelligence API Documentation
  Trial Versions
  Storage and Sampling
  Workspace ONE Intelligence Components
  Access Workspace ONE Intelligence
3 Workspace ONE Intelligence Requirements
  How to Access Reports
  Required Workspace ONE UEM Console Version
  Required Database Permissions
  Workspace ONE Intelligence Connector Server Requirements for On-Premises
  Hardware Requirements
  Software Requirements
  Network Requirements
  Trust Regions of the Cloud Service for On-Premises
  Proxy
  Compatibility Between UEM and Intelligence
  Trust Cloud Services Destinations for On-Premises
  Trust URLs by Region
  Trust URLs for Proxy Server Use
  Install the Workspace ONE Intelligence Connector Service for On-Premises
  Connector Installer Troubleshooting Tip - Disable Unblock in Properties
  Prerequisite
  Procedure
  High Availability and Disaster Recovery Support with the Workspace ONE Intelligence Connector
  High Availability
  Disaster Recovery
4 Requirements to Access Dashboards
  Reporting
  Workspace ONE Intelligence Connector Service
  Admin Roles
  My Dashboard
  Sharing Dashboard
  Configure Widgets for My Dashboard
  Security Risk Dashboard
  Security Risk Modules
  Time Filter Selected and Percentages
  Number, Percentage, and Caret
  Workspace ONE Trust Network
  Procedure
  Threats Summary Categories for Trust Network
  OS Updates Dashboard
  OS Updates Modules
  OS-Specific Module Information
  Patches Information
  Windows Patch Status Descriptions
  Apps Dashboard
  Adoption and Engagement
  Supported Applications by Integration
  Apteligent by VMware Data for Workspace ONE Intelligence SDK Apps
  How the Integration Works
  Requirements
  Supported Platforms
  About Apteligent by VMware
  Add Workspace ONE Intelligence SDK Apps
  Workspace ONE Access and Workspace ONE Intelligence
  User Event and Engagement Data
  Workspace ONE Access Console URL
  Data Collected from Workspace ONE Access for the App Launches Templates
  Data Collected from Workspace ONE Access for the User Logins Templates
  Devices Dashboard
  Digital Employee Experience Management
  What is DEEM?
  What are the prerequisites for DEEM?
  What can you do with DEEM telemetry?
  What data does DEEM provide?
  What is the DEEM footprint on your Windows 10 devices?
  How do you enable DEEM?
  Enable GPOs for DEEM
  Prerequisites
  Procedure
  Troubleshoot DEEM
  How do you check that the Workspace ONE Intelligent Hub is running?
  How do you enable logging for the DEEM agent on the device?
  What are the registry settings DEEM uses?
5 Automations for Workspace ONE Intelligence
  Workflows
  Automations and Compliance Policies
  Requirements for Automations
  Workspace ONE UEM Console
  Reporting
  Install the Workspace ONE Intelligence Connector Service
  Admin Roles
  Requirements to Connect to the API Server and to Use APIs for Communication
  Getting Started with Automations
  Prerequisites
  OAuth 2.0 Authentication Procedure
  Basic Authentication Procedure
  Configure Workflows
  Procedure
  Workspace ONE UEM Actions
  Descriptions of Workspace ONE UEM Actions
  How Do You Add Workspace ONE UEM Components to Workflows?
  How Do You Search for the Workspace ONE UEM Component?
  How Do You Enter the ID Numbers for Workspace ONE UEM Components?
  Custom Connectors
  Automate Your Internal Services with Custom Connectors
  Postman to Create Standard REST APIs
  Steps to Use Custom Connectors
  Actions for Custom Connectors
6 Reports for Workspace ONE Intelligence
  Reports Service
  Limits to the Number of Reports
  Sharing Reports
  Selecting Users to Share
  Run the Reports Wizard
  Procedure
  Filter Descriptions
  Apps Filters
  What's Reported on the Sync Status Page
  Data Import
  Workspace ONE Intelligence Connector
7 Risk Scoring (Workspace ONE Intelligence Risk Analytics)
  What is Risk Scoring?
  What behaviors influence risk scores?
  What types of devices does risk scoring work on?
  What requirements are there to see risk scores?
  Where can you find risk scores in the console?
  What can you do with risk scores?
  What systems contribute data for risk scores?
  How often are scores calculated?
  What Are Login Risk Scores?
  What is a login risk score?
  Where can I use login risk scores?
8 Integrations in Workspace ONE Intelligence
  Register Workspace ONE UEM
  Prerequisites
  Procedure
  Register Slack
  Procedure
  Register ServiceNow
  Procedure
  Technical Preview: App Approvals
  Technical Previews
  Process for App Approvals
  Configure App Approvals
  App Approval Statuses
  Workspace ONE UEM App Approval Statuses
  Workspace ONE Intelligent Hub App Approval Statuses
  Register a Custom Connector
  Prerequisites
  Procedure
  Use Postman for Custom Connectors
  Procedure
  Register Workspace ONE Access
  Prerequisites
  Procedure
  Register BETTER Mobile
  Prerequisites
  Procedure
  What to do next
  Register Carbon Black
  Procedure
  What to do next
  Register Check Point
  Prerequisites
  Procedure
  What to do next
  Register Lookout for Work
  Prerequisites
  Procedure
  What to do next
  Register Netskope
  Prerequisites
  Procedure
  What to do next
  Register Pradeo
  Prerequisites
  Procedure
  What to do next
  Register Wandera
  Prerequisites
  Procedure
  What to do next
  Register Zimperium
  Prerequisites
  Procedure
  What to do next
  Register Microsoft Azure Active Directory
  Prerequisites
  Procedure
  Results
  What to do next
9 Administrators with Roles Based Access Control (RBAC) in Workspace ONE Intelligence
  Configure Admins Quickly with RBAC
  Basic and Directory Accounts in Workspace ONE UEM
  Azure Active Directory (AD) to Use Admin Groups
  Existing Users and RBAC Super Admins
  Set Up Process
  Editing RBAC Permissions
  Add Admins for RBAC From Workspace ONE UEM
  Procedure
  Add Admins and Admin Groups for RBAC From Azure AD
  Prerequisites
  Procedure
  RBAC Role Descriptions
  RBAC Admin Descriptions
10 Workspace ONE Intelligence for Consumer Apps
  Supported Platforms
  Workflow for Workspace ONE Intelligence for Consumer Apps
  Workspace ONE Intelligence SDK Tracks App Analytics
  Register Consumer Apps
  Prerequisites
  Procedure
  Dashboards for Consumer Apps
  Find Consumer Apps
  Apps Dashboard
  My Dashboard and Custom Dashboards
  Apps Details View
11 Workspace ONE Intelligence Products Data Definitions
  Supported Data Categories by Integration
  Employee Experience: Technical Preview in Workspace ONE Intelligence
  Multiple Data Integrations
  Trust Network
  Workspace ONE Access
  Workspace ONE Intelligence
  Workspace ONE Intelligence SDK
  Workspace ONE UEM
  Workspace ONE UEM Data Definitions
  Known Limitations
  A B C D E F G H I J K L M N O P R S T U V Z
  Trust Network Data Definitions
  Carbon Black Data Definitions
1 VMware Workspace ONE Intelligence Products
VMware Workspace ONE Intelligence products offer insights into your digital workspaces by aggregating data from your Workspace ONE environment or from standalone deployments into one console.
This chapter includes the following topics:
- Workspace ONE Intelligence Dashboards, Automation, and Reports
- Workspace ONE Intelligence for Consumer Apps
- Workspace ONE Intelligence Products Data Definitions
Workspace ONE Intelligence Dashboards, Automation, and Reports
Use the Workspace ONE Intelligence console to access your Workspace ONE Intelligence features for enterprise mobility management (EMM) planning and automation, and to optimize resources, strengthen security and compliance, and enhance user experience across your environment.
Workspace ONE Intelligence for Consumer Apps
Use Workspace ONE Intelligence for Consumer Apps to gain insight into your Workspace ONE Intelligence SDK-integrated apps.
Workspace ONE Intelligence Products Data Definitions
Definitions for data displayed and used in Workspace ONE Intelligence products are helpful for creating automations and reports and for analyzing dashboard widgets.
2 Workspace ONE Intelligence Dashboards, Automation, and Reports
Find information about Workspace ONE Intelligence components, trials, storage, and sampling. Use the Workspace ONE Intelligence console for enterprise mobility management (EMM) planning and automation, and to optimize resources, strengthen security and compliance, and enhance user experience across your environment.
This chapter includes the following topics:
- Product and Pricing Information
- Workspace ONE Intelligence API Documentation
- Trial Versions
- Storage and Sampling
- Workspace ONE Intelligence Components
- Access Workspace ONE Intelligence
Product and Pricing Information
Access the VMware Workspace™ ONE™ product page for information on features and pricing.
Workspace ONE Intelligence API Documentation
Use APIs for Intelligence Reports with Service Accounts. Generate a client ID and client secret to query and extract data for use in other business intelligence tools. For details, access the Workspace ONE Intelligence API documentation on the Workspace ONE Intelligence Dev Center.
Trial Versions
To try licensed features of Workspace ONE Intelligence, you can activate a trial version and try them for free for 30 days. Features available to try include Dashboards and Automation.
After 30 days, access to the trial version ends unless you buy an enterprise license. However, data, connections, and automation configurations are stored. If you buy the licensed features in the future, your data, connections, and automation configurations are not lost. You can continue where your trial version ended.
To activate a trial version, enter the information associated with your Workspace ONE UEM admin credentials. The Workspace ONE team contacts you to see if you want to purchase an enterprise license.
A trial version of Workspace ONE Intelligence displays TRIAL banners on the user interface. It also notifies you of how many days you have left on your trial.
Storage and Sampling
Workspace ONE Intelligence uses deployment data to offer Dashboards, Automation, and Reporting. All these features use the same data that streams from your Workspace ONE deployment.
VMware stores and manages the data in its cloud services infrastructure. The reports cloud service within the services infrastructure collects and imports data at regular intervals from Workspace ONE transactional databases.
Workspace ONE Intelligence Components
Workspace ONE Intelligence aggregates data from Workspace ONE UEM, Workspace ONE Access, and Apteligent by VMware. It includes dashboards, reports, and automation to analyze data and perform actions for efficiency and remediation. It integrates with third-party services for connections, support, and security.
- The Home page reflects your Workspace ONE services in a single location. You can navigate to your Workspace ONE products or to the Workspace ONE Intelligence options. The options visible on this page depend on the services you have or if you are using a trial. If you want to purchase other Workspace ONE Intelligence or Workspace ONE services, contact your Workspace ONE account representative.
- For convenience, use Bookmarks to navigate between the Workspace ONE Intelligence home page and your dashboards. As one of the services you can manage on your home page, you can create bookmarks from Workspace ONE Intelligence dashboard widgets to display in My Bookmarks.
- Besides convenience, another advantage of bookmark use is to help save your preferences. The system saves your bookmarks to your Workspace ONE Intelligence admin account so the bookmarks are available when you are working in the system.
- Choose from multiple ways to create a bookmark. You can use the ellipses menu in the Workspace ONE Intelligence dashboard widgets. You can also use the Quick Filter > Bookmarks menu item. After you select the Bookmarks quick filter, point to the top right corner of the widget card and select the bookmark icon. If you use the ellipses menu, you can perform other management functions including removing and renaming bookmarks.
- Dashboards
  - My Dashboard represents the latest data in the reports infrastructure. Workspace ONE Intelligence streams data from the database in the cloud so that the analytics you see are a current picture of the state of your Workspace ONE deployment. You can also view historical data by editing widgets displayed on My Dashboard.
  - The Security Risk dashboard displays data concerning the security of managed devices in your Workspace ONE deployment. See data concerning compromised devices, passcode risk, encryption status, and top risks. The OS Updates dashboard displays data about versions of operating systems running in your environment. It also reports on application and operating system patches.
  - The User Risk dashboard displays data collected for and identifying risk with scores. It tracks user and device actions and behaviors and then calculates the potential risk. It shows this potential with risk levels and other metadata so you can quickly gauge the vulnerability of your deployment.
  - Use the Apps dashboard to analyze application adoption and use for managed applications in your Workspace ONE environment.
  - The Devices dashboard is a technical preview that helps analyze various key indicators for mobile and desktop devices in your deployment.
- Automations can increase efficiencies and reduce the burden of manual tasks by acting for you on problems triggered by parameters you configure. Create policies that take automated remediation actions based on context. Build contextual policies that fit your unique environment by automating workflows that extend to third-party services with REST APIs.
- Use Reports to create reports about your Workspace ONE deployment based on your business needs. The feature uses cloud-based report storage to gather data and create the reports. Reports powered by Workspace ONE Intelligence provide access to critical business intelligence data and are different from the reports created in the Workspace ONE UEM console.
- Register your Workspace ONE services and other third-party services in Integrations. This area connects services with Workspace ONE Intelligence so that you can work with the applicable data in all other Workspace ONE Intelligence areas.
- Use the Settings area to configure administrators for roles based access control (RBAC) and to work with service accounts.
Access Workspace ONE Intelligence
Access the Workspace ONE Intelligence interface from the Workspace ONE UEM console. From the Workspace ONE Intelligence interface, you can use dashboards, automation, and reports (formerly custom reports). To access the Workspace ONE Intelligence interface, you must enter your credentials and opt in to the service.
After installing the Workspace ONE Intelligence Connector service, access the reports by navigating to Monitor > Intelligence, selecting Opt-in, and then selecting Launch.
To return to the Workspace ONE UEM console, follow the required steps.
Procedure
1 Select the square menu for My Services in the top right corner of the UI.
2 Select Workspace ONE UEM from the VMware Services menu.
3 Workspace ONE Intelligence Requirements
Before you can use Workspace ONE Intelligence features, you must turn on reports powered by Workspace ONE Intelligence (different from Workspace ONE UEM reporting). You must then install the Workspace ONE Intelligence Connector service (also known as the ETL installer).
This chapter includes the following topics:
- How to Access Reports
- Required Workspace ONE UEM Console Version
- Required Database Permissions
- Workspace ONE Intelligence Connector Server Requirements for On-Premises
- Trust Regions of the Cloud Service for On-Premises
- Compatibility Between UEM and Intelligence
- Trust Cloud Services Destinations for On-Premises
- Install the Workspace ONE Intelligence Connector Service for On-Premises
- High Availability and Disaster Recovery Support with the Workspace ONE Intelligence Connector
How to Access Reports
- Shared SaaS customers work with their account representatives to access reports powered by Workspace ONE Intelligence. These deployments do not need to install their own Workspace ONE Intelligence Connector server.
- Dedicated SaaS customers work with their account representatives to access reports powered by Workspace ONE Intelligence. These deployments do not need to install their own Workspace ONE Intelligence Connector server.
- On-premises customers work with their account representative to access reports powered by Workspace ONE Intelligence. These deployments must install their own Workspace ONE Intelligence Connector server.
Required Workspace ONE UEM Console Version
Workspace ONE Intelligence requires Workspace ONE UEM console v2001 or later.
Required Database Permissions
To install the Workspace ONE Intelligence Connector, the person installing needs permissions for the following roles for the console and directory services servers.
- DBOwner for the Workspace ONE UEM database
- DBDatareader for the MSDB
- SQLAgentUserRole for the MSDB
Workspace ONE Intelligence Connector Server Requirements for On-Premises
You must install the Workspace ONE Intelligence Connector service on its own server before you can use Workspace ONE Intelligence features.
Hardware Requirements
Component    Requirement
Server       1
CPUs         4 (2 GHz Intel processor)
Memory       8 GB
Storage      25 GB
Software Requirements
Component                                   Requirement
Java                                        Java 8
OS                                          Windows Server 2012 R2, 2016, and 2019
SQL-based database for Workspace ONE UEM    Microsoft SQL Server, Standard and Enterprise, 2016 SP1 or later
Network Requirements
Component                                                                              Requirement
Outbound traffic from the Workspace ONE Intelligence Connector service                 Port 443
Protocol for outbound traffic from the Workspace ONE Intelligence Connector service    HTTPS
Internal network access to the Workspace ONE UEM Database                              The port used is based on your Workspace ONE UEM deployment.
Trust Regions of the Cloud Service for On-Premises
On the server for the Workspace ONE Intelligence Connector, configure trust for specific URL destinations so that the connector installer can call the endpoints for a list of all supported regions. Also, trust other URL destinations depending on your region.
Proxy
If you use a proxy server and want to use it with the Workspace ONE Intelligence Connector, make sure your specific destinations are trusted. If you do not configure trust for the listed destinations, the installation can fail.
Compatibility Between UEM and Intelligence
For the most current information on the compatible versions between the two systems, access the KB article on VMware iKB Workspace ONE Intelligence - Compatibility with Workspace ONE UEM.
Trust Cloud Services Destinations for On-Premises
For successful communication in your on-premises Workspace ONE Intelligence deployment, you must trust specific URLs. These URLs cover communication between your region's VMware cloud-based reports service and your on-premises Workspace ONE UEM database, and communication through a proxy server used with the Workspace ONE Intelligence Connector.
Trust URLs by Region
Trust the applicable URL destinations because they represent cloud service regions and are needed for communication between the Workspace ONE UEM database and the cloud-based reports service.
Trust the api.sandbox.data.vmwservices.com, artifactrepo.data.vmwservices.com, and discovery.awmdm.com URLs for all regions. The installer calls these endpoints for a list of all supported regions.
All Regions
URL Destination                            Protocol    Port
api.sandbox.data.vmwservices.com           HTTPS       443
artifactrepo.data.vmwservices.com          HTTPS       443
discovery.awmdm.com                        HTTPS       443
Canada
URL Destination                            Protocol    Port
api.ca1.data.vmwservices.com               HTTPS       443
auth.ca1.data.vmwservices.com              HTTPS       443
ca1.data.vmwservices.com                   HTTPS       443
eventproxy.ca1.data.vmwservices.com        HTTPS       443
Frankfurt
URL Destination                            Protocol    Port
api.eu1.data.vmwservices.com               HTTPS       443
auth.eu1.data.vmwservices.com              HTTPS       443
eu1.data.vmwservices.com                   HTTPS       443
eventproxy.eu1.data.vmwservices.com        HTTPS       443
Ireland
URL Destination                            Protocol    Port
api.eu2.data.vmwservices.com               HTTPS       443
auth.eu2.data.vmwservices.com              HTTPS       443
eu2.data.vmwservices.com                   HTTPS       443
eventproxy.eu2.data.vmwservices.com        HTTPS       443
Sydney
URL Destination                            Protocol    Port
api.au1.data.vmwservices.com               HTTPS       443
au1.data.vmwservices.com                   HTTPS       443
auth.au1.data.vmwservices.com              HTTPS       443
eventproxy.au1.data.vmwservices.com        HTTPS       443
Tokyo
URL Destination                            Protocol    Port
ap1.data.vmwservices.com                   HTTPS       443
api.ap1.data.vmwservices.com               HTTPS       443
auth.ap1.data.vmwservices.com              HTTPS       443
eventproxy.ap1.data.vmwservices.com        HTTPS       443
United Kingdom
URL Destination                            Protocol    Port
api.uk1.data.vmwservices.com               HTTPS       443
auth.uk1.data.vmwservices.com              HTTPS       443
uk1.data.vmwservices.com                   HTTPS       443
eventproxy.uk1.data.vmwservices.com        HTTPS       443
United States
UAT
URL Destination                            Protocol    Port
auth.sandbox.data.vmwservices.com          HTTPS       443
eventproxy.sandbox.data.vmwservices.com    HTTPS       443
sandbox.data.vmwareservices.com            HTTPS       443
Production
URL Destination                            Protocol    Port
api.na1.data.vmwservices.com               HTTPS       443
auth.na1.data.vmwservices.com              HTTPS       443
eventproxy.na1.data.vmwservices.com        HTTPS       443
na1.data.vmwservices.com                   HTTPS       443
Trust URLs for Proxy Server Use
If you configure a proxy for use with the Workspace ONE Intelligence Connector in an on-premises deployment, you must configure trust for specific URLs on the proxy server or the installation fails.
Where to Get Proxy Configurations in Workspace ONE UEM Console
If you already have a proxy configured in the Workspace ONE UEM console, you can enable the proxy when you install the Workspace ONE Intelligence Connector. Get the configurations from the Workspace ONE UEM console in Groups & Settings > All Settings > Installation > Proxy > Console Proxy Settings.
Trust URLs to Install the Workspace ONE Intelligence Connector with Proxy Settings
Destination                                Protocol    Port
api.sandbox.data.vmwservices.com           HTTPS       443
artifactrepo.data.vmwservices.com          HTTPS       443
discovery.awmdm.com                        HTTPS       443
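A least-privilege egress check for the connector server, covering both the per-region tables and the proxy installation list above. This is an added example, not VMware code: the hostnames are copied from this page, while the region keys, the allowlist format (exact hostname or "*.suffix" entry), and the sample allowlist are assumptions constructed for illustration.

```python
"""Audit an egress allowlist for a Workspace ONE Intelligence Connector server.

Added example, not VMware code. Hostnames are copied from the tables on this
page; the region keys and the allowlist format (exact hostname or "*.suffix"
entry) are assumptions made for the example.
"""

# Destinations the installer calls for every region (HTTPS, port 443).
ALL_REGIONS = [
    "api.sandbox.data.vmwservices.com",
    "artifactrepo.data.vmwservices.com",
    "discovery.awmdm.com",
]


def _regional(code):
    """The four per-region hosts the page lists for a region code such as 'ca1'."""
    return [f"{prefix}{code}.data.vmwservices.com"
            for prefix in ("api.", "auth.", "", "eventproxy.")]


# Region keys are labels chosen for this example.
REGIONS = {
    "canada": _regional("ca1"),
    "frankfurt": _regional("eu1"),
    "ireland": _regional("eu2"),
    "sydney": _regional("au1"),
    "tokyo": _regional("ap1"),
    "united-kingdom": _regional("uk1"),
    "us-production": _regional("na1"),
    "us-uat": [
        "auth.sandbox.data.vmwservices.com",
        "eventproxy.sandbox.data.vmwservices.com",
        "sandbox.data.vmwareservices.com",  # spelled as in the page's UAT table
    ],
}


def required_destinations(region):
    """Hosts the connector server must reach on 443: all-region plus regional."""
    if region not in REGIONS:
        raise ValueError(f"unknown region {region!r}; expected one of {sorted(REGIONS)}")
    return sorted(set(ALL_REGIONS) | set(REGIONS[region]))


def rule_covers(rule, host):
    """True if an allowlist rule permits the host.

    "*.example.com" covers subdomains only, not "example.com" itself, which is
    how most proxies and firewalls treat a leading wildcard.
    """
    rule = rule.strip().lower().rstrip(".")
    host = host.lower().rstrip(".")
    if rule.startswith("*."):
        return host.endswith(rule[1:])
    return rule == host


def audit_allowlist(region, allowlist):
    """Compare an allowlist with what one region needs.

    missing   - required hosts no rule covers (installation or sync can fail)
    unused    - rules that cover no required host (candidates for removal)
    wildcards - wildcard rules in use (they permit more than the listed hosts)
    """
    required = required_destinations(region)
    missing = [h for h in required if not any(rule_covers(r, h) for r in allowlist)]
    unused = [r for r in allowlist if not any(rule_covers(r, h) for h in required)]
    wildcards = [r for r in allowlist
                 if r.strip().startswith("*.") and r not in unused]
    return {"missing": missing, "unused": unused, "wildcards": wildcards}


# Constructed sample allowlist for a Canada deployment (not from the page).
SAMPLE_ALLOWLIST = [
    "*.ca1.data.vmwservices.com",        # misses the bare ca1.data.vmwservices.com
    "api.sandbox.data.vmwservices.com",
    "discovery.awmdm.com",
    "*.example.net",                     # unrelated rule left over on the proxy
]

if __name__ == "__main__":
    report = audit_allowlist("canada", SAMPLE_ALLOWLIST)
    for key in ("missing", "unused", "wildcards"):
        print(f"{key}:")
        for entry in report[key]:
            print(f"  {entry}")
```

Run it against an export of the proxy or firewall rules that apply to the connector server; an empty "missing" list with no "unused" or "wildcards" entries means egress is limited to exactly the destinations listed for that region.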
Install the Workspace ONE Intelligence Connector Service for On-Premises
The VMware Workspace ONE Intelligence Connector Service collects data from your Workspace ONE UEM database and pushes it to the cloud service.
Download the VMware Workspace ONE Intelligence Connector and use it for better performance on data import between your Workspace ONE UEM database and the cloud service.
If you have not already enabled this workflow and you use Workspace ONE UEM console 1907 or later, notice that the installer downloads a file on your desktop, cdc_enable_script.sql, and then stops. Open the cdc_enable_script.sql file and run the script manually on your Workspace ONE UEM database with db_owner permissions to enable the improved performance workflow. After the script runs successfully, rerun the Workspace ONE Intelligence Connector installer.
This workflow uses Change Data Capture (CDC), which is supported on SQL Server. CDC enhances the performance of data extraction by the Workspace ONE Intelligence Connector. For details about Microsoft SQL Server and the Workspace ONE Intelligence Connector, access the Software Requirements table in the Workspace ONE Intelligence Requirements topic.
As the Workspace ONE Intelligence Connector starts importing new data entities into Workspace ONE Intelligence, the CDC workflow becomes a prerequisite. The workflow is applicable to newly added data entities like device tags, device custom attributes, users, and product provisioning.
If you already have the Workspace ONE Intelligence Connector Service configured, reinstall the latest installer to unlock the CDC features. You must install the Workspace ONE Intelligence Connector on its own server. For additional information about the installation process of other Workspace ONE UEM application servers, refer to the VMware Workspace ONE UEM Installation Guide.
Important
- If you upgrade the Workspace ONE UEM database as part of the upgrade process, you must stop the Workspace ONE Intelligence Connector Service during the Workspace ONE UEM database upgrade. You must then restart the service after finishing the upgrade process.
- If you must change the setting for Deployment Region, do not run the installer again.
Connector Installer Troubleshooting Tip - Disable Unblock in Properties
If the Workspace ONE Intelligence Connector installer does not launch, check the installer's properties. In the properties attributes for the Workspace ONE Intelligence Connector installer, go to the General tab, Security section, and disable the Unblock checkbox.
Prerequisite
- Ensure you have configured trust for the applicable URLs so the connector installation process can communicate with the correct cloud-based reports service.
- If you use a proxy server and want to use it with the Workspace ONE Intelligence Connector, make sure you have configured trust for specific destinations. If you do not trust the listed destinations, the installation can fail.
- Meet the hardware, software, and network requirements needed to install, configure, and use VMware Workspace ONE Intelligence.
Procedure
1 Download the Workspace ONE Intelligence Connector installer on to the server you configured for the service.
2 Run the installer.
3 Accept the Terms of Use.
4 Ensure that the Workspace ONE Intelligence Connector Service is selected as a feature to install. The installer detects the version of Java installed on the application server. If the installer does not detect the required version, the required version installs.
5 Select the Destination Folder in which to install the Workspace ONE Intelligence Connector Service.
6 Enter the database server settings.
  - Database server that you are installing to: Select Browse next to the Database server text box and select your Workspace ONE UEM database from the list.
    - If you are using a custom port, do not select Browse. Instead, use the following syntax: DBHostName,<customPortNumber>, then select Browse to select the database server.
    - If your Workspace ONE UEM database name has a space, you must perform extra steps.
      - Open the WDPETLService.exe.parameters in the service folder of the Workspace ONE Intelligence Connector installation in administrator mode.
      - Update the parameter to ensure the databaseName value is enclosed in quotes. Here is an example:
        JVM_ARG=-DJDBC_URL=jdbc:sqlserver://SQLSERVERNAME;databaseName="Workspace ONE UEM Database Name"
  - Connect using: Select one of the following authentication methods.
    - Windows Authentication uses a service account on the Windows server to authenticate. You are prompted to enter the service account that you want to use. This service account is used to run all the application pools and Workspace ONE UEM-related services. The service account must have Workspace ONE UEM database access.
    - SQL Server Authentication uses the SQL server authentication method. You are prompted to enter the user name and password.
  - Name of database catalog: Enter the name of the Workspace ONE UEM database or browse the SQL server and select it from a list.
7 (Optional) Enter proxy information. Find this information in the Workspace ONE UEM console in Groups & Settings > All Settings > Installation > Proxy > Console Proxy Settings.
8 Configure the Workspace ONE Intelligence Connector Service settings.
  a Select the deployment region for your cloud service. Ensure that the right region is selected. Do not run the installer again if you must change this region in the future. If you upgrade your Workspace ONE Intelligence Connector Service from a previous version, this screen does not display because you cannot change your region during an upgrade.
  b Enter your Workspace ONE UEM Installation Token. This token is created as part of the Workspace ONE UEM Installation process.
9 Select Install to install the Workspace ONE Intelligence Connector Service. After the installation finishes, select Finish.
High Availability and Disaster Recovery Support with the Workspace ONE Intelligence Connector
You can use the Workspace ONE Intelligence Connector in high availability (HA) deployments and for disaster recovery. For HA, you need at least two connectors and you must set them for continuous access. For disaster recovery, set at least two Connectors within each recovery site to help you resume work when something happens to your Workspace ONE deployment.
High Availability
For HA to work with the Workspace ONE Intelligence Connector, use Workspace ONE UEM v1907 or later.
General High Availability Setup
Install and enable at least two Workspace ONE Intelligence Connectors for a single Workspace ONE Intelligence environment. Configure the connection between the Workspace ONE Intelligence Connector and the Workspace ONE UEM Database server.
When you configure HA for the Workspace ONE UEM Database, configure the Workspace ONE Intelligence Connector to connect to the SQL Server Always ON Listener.
Although all Workspace ONE Intelligence Connectors listen, only one is active and pushes data from the database to Workspace ONE Intelligence. If the active Workspace ONE Intelligence Connector fails, one of the other connectors activates and pushes data to Intelligence.
Find the Active Workspace ONE Intelligence Connector
You can find the active Workspace ONE Intelligence Connector in an HA setup in the Workspace ONE Intelligence console at Reports > Sync Status > Workspace ONE Intelligence Connector.
Disaster Recovery
For disaster recovery to work with the Workspace ONE Intelligence Connector, use Workspace ONE UEM v1907 or later.
General Disaster Recovery Setup
Install at least two Workspace ONE Intelligence Connectors in each disaster recovery site. Depending on your disaster recovery strategy, you can enable all the connectors across all sites or leave them disabled on the passive sites until an incident occurs. When a disaster recovery site becomes active, one of the Workspace ONE Intelligence Connectors becomes active and starts pulling data from the Workspace ONE UEM Database server to Workspace ONE Intelligence. If the active connector fails, the other connector remains available to push data.
Note: If your disaster recovery strategy does not have a recovery server cluster always listening, the Workspace ONE Intelligence Connector still connects to the cluster during an event. However, it cannot support a comprehensive disaster recovery scenario because the cluster might have missed data from not listening.
Find the Active Workspace ONE Intelligence Connector
You can find the active Workspace ONE Intelligence Connector in a disaster recovery setup in the Workspace ONE Intelligence console at Reports > Sync Status > Workspace ONE
4 Requirements to Access Dashboards
To access the data in dashboards powered by Workspace ONE Intelligence, use the supported version of Workspace ONE UEM, enable Reporting, install the Workspace ONE Intelligence Connector Service, and set admin roles.
This chapter includes the following topics:
• Workspace ONE UEM
• Reporting
• Workspace ONE Intelligence Connector Service
• Admin Roles
• My Dashboard
• Security Risk Dashboard
• Workspace ONE Trust Network
• OS Updates Dashboard
• Apps Dashboard
• Apteligent by VMware Data for Workspace ONE Intelligence SDK Apps
• Workspace ONE Access and Workspace ONE Intelligence
• Devices Dashboard
• Digital Employee Experience Management
• Enable GPOs for DEEM
• Troubleshoot DEEM
Workspace ONE UEM
Reporting
Workspace ONE Intelligence uses the data in the reports data warehouse to display analytics from your Workspace ONE deployment. Reports are available in the Workspace ONE UEM console v1811 and later.
Workspace ONE Intelligence Connector Service
Note: This content does not apply to Shared SaaS deployments.
Before using Workspace ONE Intelligence features, you must install the Workspace ONE Intelligence Connector service onto a separate server in your Workspace ONE UEM environment. Each feature uses the Workspace ONE Intelligence Connector Service installed from the Workspace ONE Intelligence Connector Installer. The Workspace ONE Intelligence Connector service gathers the data from your Workspace ONE UEM console server and pushes it to the reports cloud service.
• Shared SaaS - No installation is required. This deployment has access to reporting without installing the service.
• Dedicated SaaS - Contact your support representative or your SAM to set up Reports and Workspace ONE Intelligence.
• On-Premises - You must install the Workspace ONE Intelligence Connector for communication between the Reports infrastructure and Dashboards.
Admin Roles
Configure Admins with the Intelligence role in the Workspace ONE UEM console.
• Existing admin roles that have permissions for reports have access to Intelligence roles.
• For new admin roles, include permissions for Intelligence so that admins can access settings.
My Dashboard
My Dashboard powered by Workspace ONE Intelligence displays data you customize with applied widgets. Display data as graphics and analyze the trends occurring in areas within your Workspace ONE platform by app, device, or operating system (OS) update. Data in this view are consolidated from other dashboards.
Sharing Dashboard
You can share My Dashboards with other Workspace ONE Intelligence users. This action is available for any dashboard that you create. The owner of the dashboard is designated with Full access, while the users who share the dashboard are designated with Read access. Users with Read access have limited actions available to them, such as:
• View
• Add to Bookmarks
• Duplicate
Users receive an email once you share a dashboard with them. My Dashboards display the owner as well as the number of users that the dashboard has been shared with.
Selecting Users to Share
After selecting the Share action, you can source users from the following:
• UEM Admin List View
• Azure AD Admin List View
Configure Widgets for My Dashboard
My Dashboard categorizes widgets by the services integrated with Workspace ONE Intelligence. For example, if you have registered Apteligent with Workspace ONE Intelligence, you can select Apteligent widgets to display on My Dashboard.
Configure the data widgets display with filters, charts and diagrams, and parameters. Change widget configurations at any time to view data differently.
Note: Historical data is not available for all widgets.
Procedure
1 From My Dashboard, you can select a dashboard and work in that area, or select Add Widget from a dashboard on the My Dashboard page.
2 Select the service and then the category.
3 Select the template and Next.
4 Select a Filter to define the baseline data sets for the widget. Use Add Filter and other parameters to define the data you want to see on your dashboard.
5 Configure the Data Visualization area. To preview visualizations, scroll down the user interface.
  • Complete the Snapshot data, which represents data in your deployment now.
    • Chart Type: Horizontal, Vertical, Donut, Metric, or Table
    • Measure - Count: Sets the number of rows in a particular data set. The count is the simplest function for verifying results.
    • Measure - Distinct Count: Returns a count of unique or distinct values identified over the data range set.
    • Measure - Max: Returns the largest values in a particular data set. This setting only works with numerical columns.
    • Measure - Min: Returns the smallest values in a particular data set. This setting only works with numerical columns.
    • Measure - Average: Calculates the average of a selected group of values. This setting only works with numerical columns.
    • Of Key: Represents the data set you want aggregated by the Measure parameter.
    • By Group: Separates data into groups. My Dashboard can display two groupings per data set.
    • Results per group: Reduces the results displayed. For example, use a value of 10 to show data for a top 10 list of the most installed applications.
  • Complete the Historical data, which represents data over time.
    • Chart Type: Vertical, Line, or Table
    • Measure - Count: Sets the number of rows in a particular data set. The count is the simplest function for verifying results.
    • Measure - Distinct Count: Returns a count of unique or distinct values identified over the data range set.
    • Measure - Max: Returns the largest values in a particular data set. This setting only works with numerical columns.
    • Measure - Min: Returns the smallest values in a particular data set. This setting only works with numerical columns.
    • Measure - Average: Calculates the average of a selected group of values. This setting only works with numerical columns.
    • Of Key: Represents the data set you want aggregated by the Measure parameter.
    • Group by: Separates data into groups. My Dashboard can display two groupings per data set.
    • Date Range: Sets a range in the past from which to pull and display data.
    • Results per group: Reduces the results displayed. For example, use a value of 10 to show data for a top 10 list of the most installed applications.
If My Dashboard does not have information to display, it notifies you. However, you can change configurations to see if a different parameter, like Measure or Chart Type, can display your widget.
Security Risk Dashboard
View device security and events from your Workspace ONE UEM environment with the Security Risk dashboard.
Security Risk Modules
• Threats
  • The Threats tab displays events identified by your Workspace ONE UEM compliance engine as compromised.
  • It also displays and aggregates events reported by your Trust Network services in the Threats Summary module.
• Policy Risks
  • The Policy Risks tab displays events identified by your Workspace ONE UEM compliance engine that do not comply with configured policies. Events include devices with no passcode and devices that are not encrypted.
• Vulnerabilities
  • The Vulnerabilities tab combines and displays information from third-party security reporting services that report security data and Workspace ONE UEM that manages your Windows 10 devices.
  • It displays vulnerabilities reported by the National Institute of Standards and Technology (NIST).
  • It also ties those applicable CVEs to impacted Windows Desktop devices managed by Workspace ONE UEM.
  • Navigate through the CVE explanation cards to find out what devices are impacted, the event's CVSS score, NIST articles, and Microsoft advisories.
• Devices
  • The Devices tab displays risk scores for devices managed in your Workspace ONE UEM environment.
  • Select the tab to see device risk scores (reported as a level High, Medium, and Low), risk indicators, and to select single devices for analysis.
Time Filter Selected and Percentages
Select a time period for the data displayed. The time selected affects the percentages displayed beside the risk modules. For example, selecting 14 days sets the percentage to reflect a comparison between now and 14 days ago. A negative percentage indicates that a risk has decreased, and a positive percentage indicates that a risk has increased.
Number, Percentage, and Caret
Modules represent risk using a number, a percentage, and a caret (or arrow).
• Number - The number value corresponds to a risk over the selected time. The number 10 indicates that 10 risks were reported.
• Percentage - The percentage compares the risk now to the risk earlier, depending on the time selected. It is a positive or negative number that coincides with the caret. For example, if you select to filter data by 14 days, and get a percentage of -64% with a downward pointing caret, your deployment decreased risks by 64% over the last 14 days.
• Caret - The caret represents a comparison of the risk now to a time earlier, depending on the selected time. It can point up or down depending on the status and it coincides with the percentage. For example, if you select to view data for the last 30 days and the caret points up and has a positive percentage, your deployment increased risks over the last 30 days.
Workspace ONE Trust Network
Workspace ONE Trust Network integrates threat data from security solutions including endpoint detection and response (EDR) solutions, mobile threat defense (MTD) solutions, and cloud access security brokers (CASB). This integration provides Workspace ONE Intelligence users with insights into the risks to devices and users in their environment.
Workspace ONE Intelligence displays event data for analysis in the Threats Summary module on the Security Risk dashboard.
Note: Reporting functionality for Trust Network is planned for a future release.
Procedure
To integrate your Trust Network system, perform these tasks.
1 In Workspace ONE Intelligence, register the Trust Network supported service in Integrations.
2 View, analyze, and work with data in the Threats Summary module on the Security Risk dashboard.
  Note: If you see no data identified in the Threats Summary after you have configured the service in Integrations, it does not mean that the configuration is broken. It can suggest that there have been no events reported from the Trust Network service.
3 In Automations, create a workflow using Trust Network triggers to act on threat intelligence data with available actions.
Threats Summary Categories for Trust Network
The Threats Summary module aggregates and displays events collected from your Trust Network services. You can find specific data by dates, event counts, and threat categories. Workspace ONE Intelligence categorizes threats into several groups to help simplify analysis and remediation.
Threat Category Descriptions
| Threat Categories | Descriptions |
|---|---|
| Anomaly | Threats that involve an application, a device, or a network behavior that is unusual, suspicious, or abnormal. Examples include applications dropping an executable file or a privilege escalation. |
| Credential | Threats that involve the attempt to use compromised credentials in a malicious way. Examples include the reading of credentials from a security process and a running application using system credentials. |
| Device | Threats that involve using a device or other endpoint component with malicious intent. An example is an unauthorized application accessing a microphone or a camera. |
| Exfiltration | Threats that involve an attempt to carry out an unauthorized data transfer. Such a transfer can be manual and carried out by someone with physical access to a computer. It can also be automated and carried out through malicious programming over a network. |
| Exploit | Threats that involve taking advantage of a bug or vulnerability in an application or system, causing unintended behavior of that application or system. Examples include code injections and root enablers. |
| Malicious Web Host | Threats that involve an attempt to access a known malicious site or domain. Examples include spam, phishing, malware, and cryptojacking. |
| Malware | Threats that involve malicious software, intentionally designed to damage an endpoint, device, or network. Examples include ransomware, keyloggers, and spyware. |
| Network | Threats that involve a method or process used to attempt to compromise network security. Examples include man-in-the-middle attacks, port scanning, and unusual network protocols. |
| Other | Threats that do not fit into a category. |
| Policy | Threats that involve a device or endpoint breaking a company policy. Examples include installing an untrusted application and using a jailbroken or rooted device. |
OS Updates Dashboard
Use the OS Updates dashboard to view version data for operating systems (OS) by platform. OS Updates data helps you know if your environment is fragmented and running older operating systems on devices. For Windows Desktop, view all OS updates and patch updates.
OS Updates Modules
The OS Updates dashboard includes all OS platform modules by default for your ease. In order to include an OS platform, the system must discover at least one device for that platform. The widgets display a unique number of OS versions across all enrolled devices and a total number of enrolled devices seen for that platform in your Workspace ONE Intelligence environment. To see details into a specific platform, select View.
OS-Specific Module Information
Select View in an OS Updates module to get details for that operating system. A module displays two charts.
• Number of Devices by OS Version - This snapshot chart displays the number of enrolled devices seen in Workspace ONE Intelligence for a specific OS version.
• Daily Active Devices by OS Version - This historical trend chart displays the number of active (devices that reported a sample) enrolled devices that were seen by OS version plotted for a specific day.
You can edit the filters to display particular data for longer or shorter time periods. To narrow the search you can select a specific Model or OS Version from filters.
Patches Information
In the Windows Desktop module, the Patches tab lists data about patch update statuses for Windows including certain Microsoft applications as discovered from the Microsoft Updates channel. You can use filters to find data on patches using a specific knowledge base (KB) number, patch KB title, patch update classification, or date range.
The KB filters are useful when you want to know the status of a specific KB. The default view without edited filters, groups patches by the update status. Use the KB filters and the patch update status to determine the health of your Windows resources.
The count on the Patches tab shows the number of unique patches Workspace ONE Intelligence detects. View two charts.
• Number of Patches by Update Status - This snapshot chart shows the Windows patch update status for all patches reported by enrolled devices.
• Number of Devices Updated by Status Over Time - This historical chart displays the number of enrolled devices seen by Workspace ONE Intelligence (devices that reported a sample) by update status plotted for a specific day.
Windows Patch Status Descriptions
| Status | Descriptions |
|---|---|
| Approved | The approved patch is successfully assigned to the device. |
| Assigned | The patch is approved and assigned to the device. |
| Available | The patch is available on the device for installation. |
| Failed | The patch failed to install. |
| Installed | The patch successfully installed. |
| Pending Installation | The patch installation is approved and available but not yet installed. |
| Pending Reboot | The patch installation is paused until the device reboots. |
| Removed | The patch is removed. |
| Unknown | The system is not receiving information about the patch. |
Apps Dashboard
Use the Apps dashboard to analyze application use for applications managed in your Workspace ONE environment and accessed through the catalog. The dashboard displays data for applications from Workspace ONE UEM, Apteligent by VMware, and Workspace ONE Access deployments.
Adoption and Engagement
The Apps dashboard helps determine if users adopt applications and if they use them. Low adoption has several causes. Is the application unnecessary? Is the application hard to use or does it have bugs?
Whatever the analysis, use the data on the dashboard to prioritize your application resources. Troubleshooting can reveal that the application is not worth the resources required to install and maintain it. Or perhaps, the application needs updating to the next version due to bug fixes.
Supported Applications by Integration
The Apps dashboard displays data for the listed application types.
• Workspace ONE UEM supports all managed applications.
• Apteligent by VMware supports internal applications that include the SDK and that are managed through Workspace ONE UEM.
• Workspace ONE Access supports web applications accessed through the Workspace ONE Intelligent Hub.
Apteligent by VMware Data for Workspace ONE Intelligence SDK Apps
View Apteligent by VMware data in Workspace ONE Intelligence, in the Apps dashboard, after you add Workspace ONE Intelligence SDK apps and meet other requirements.
How the Integration Works
The Workspace ONE Intelligence SDK feeds Apteligent by VMware data to Workspace ONE Intelligence for display and analysis.
To connect Workspace ONE Intelligence and Apteligent by VMware data systems, add the App ID number created by Workspace ONE Intelligence to the internal application using the Workspace ONE Intelligence SDK.
Requirements
To view and manage analytics for Workspace ONE Intelligence SDK apps in the Apps dashboard, use the listed configurations and components.
• Workspace ONE UEM must manage Workspace ONE Intelligence SDK apps as internal apps.
• To capture application data for the Apps dashboard, you must deploy Workspace ONE Intelligence SDK apps to devices with Workspace ONE UEM and these apps must be in use.
Supported Platforms
Workspace ONE Intelligence displays data for internal applications in the listed platforms.
• Android
• iOS
About Apteligent by VMware
Apteligent by VMware captures event data from key user flows in applications. Event data includes data about screen load numbers, network events, and incident reports. It tracks key metrics, helps to improve applications release-over-release, and focuses on problems that are relevant to users. Use numerous data points about the mobile infrastructure to benchmark applications and to make data-driven decisions.
Note: Not all information available in Apteligent by VMware is available in the Apps dashboard.
Apteligent Developer Resources
Find the Workspace ONE Intelligence SDK and applicable documentation in the Developer Resources section found at the Workspace ONE Intelligence Dev Center.
Add Workspace ONE Intelligence SDK Apps
Add Workspace ONE Intelligence SDK apps with Workspace ONE Intelligence to generate an App ID. Then, view its engagement and adoption in the Apps dashboard.
To display Apteligent by VMware data in the Apps dashboard in the Workspace ONE Intelligence console, add applications and hook the Workspace ONE Intelligence SDK into those applications. To capture application data for the Apps dashboard, you must install the application on devices and it must be in use.
Prerequisites
You need the package ID of your app. Find the package ID in the app store URL after the identifier (id=com.company.appname).
Procedure
1 In the Workspace ONE UEM console, upload and deploy applicable internal applications, as managed. This action makes applications accessible in Workspace ONE Intelligence.
2 In the Workspace ONE Intelligence console, add your app.
  a Add an app in the Apps dashboard in Dashboards > Apps > Actions > Intelligence SDK Apps > Add Application > New Application.
  b Enter values in the Add Application window.
    • iOS: Enter the app bundle ID.
    • Android: Enter the app package name.
  c If you do not have apps in the Workspace ONE Intelligence environment, the system prompts you to create an Apteligent by VMware account. Having an Apteligent by VMware account offers some features not available without an account. If you opt in, the system sends you an email invite to set up your account in Apteligent by VMware. You reset your password, and use the email you entered for your account creation to log in. This login is to the Apteligent by VMware console. This console has the same apps you add in your Workspace ONE Intelligence environment.
    Note: Apteligent by VMware data centers are in the United States. If you do not want to have data sent to centers in the U.S., opt out of creating an account.
  d Finish the registration to generate the App ID in Workspace ONE Intelligence.
  e In Dashboards > Apps > Intelligence SDK Apps, get the App ID for the added app in the list table. The App ID is a long, alpha-numeric string. Add this value to your app when you integrate the Workspace ONE Intelligence SDK.
  f If you need the SDK-integration instructions, copy them or have the system email them to you.
3 Add the Workspace ONE Intelligence SDK and the Workspace ONE Intelligence-generated App ID to your app. The Workspace ONE Intelligence SDK feeds data to Workspace ONE Intelligence for display and analysis. Workspace ONE Intelligence uses the App ID to map Apteligent by VMware data to your app.
  a If you do not have the Workspace ONE Intelligence SDK, get it from the Workspace ONE Intelligence console in Dashboards > Apps > Intelligence SDK Apps > Download SDK.
  b Follow the instructions for adding the Workspace ONE Intelligence SDK and the App ID to your app.
4 In the Workspace ONE UEM console, upload and deploy the internal application that now has the SDK and Workspace ONE Intelligence App ID.
5 View analytics for your apps in the Apps dashboard in the Workspace ONE Intelligence console by searching for the package ID or app name in the global search.
Workspace ONE Access and Workspace ONE Intelligence
Integrate user data around events and users from Workspace ONE Access with Workspace ONE Intelligence. Web application data displays on the Apps dashboard.
User Event and Engagement Data
Workspace ONE Intelligence collects user and event data around Workspace ONE logins and app loads for apps you deploy in the Workspace ONE Intelligent Hub catalog.
Workspace ONE Access Console URL
You need the Workspace ONE Access console URL of your Workspace ONE Access instance. You also need your Workspace ONE Access admin login credentials to successfully connect your instance to Workspace ONE Intelligence to send data.
Data Collected from Workspace ONE Access for the App Launches Templates
Workspace ONE Intelligence receives the listed data points from Workspace ONE Access for display.
| Filter | Operator |
|---|---|
| App ID | Includes, Does Not Include, Equals, Starts With, Contains |
| App Name | Includes, Does Not Include, Equals, Starts With, Contains |
| Application Type | Includes, Does Not Include, Equals, Starts With, Contains |
| Device Identifier | Includes, Does Not Include, Equals, Starts With, Contains |
| Device Type | Includes, Does Not Include, Equals, Starts With, Contains |
| Device UDID | Includes, Does Not Include, Equals, Starts With, Contains |
| Domain | Includes, Does Not Include, Equals, Starts With, Contains |
| Event ID | Includes, Does Not Include, Equals, Starts With, Contains |
| Event Time | Before, After, Between, Not Between, Within, Not Within |
| Event Timestamp | Before, After, Between, Not Between, Within, Not Within |
| Event Type | Includes, Does Not Include, Equals, Starts With, Contains |
| Identity Management System ID | Includes, Does Not Include, Equals, Starts With, Contains |
| Organization ID | Equals, Not Equal To, Less Than, Less Than or Equal To, Greater Than, Greater Than or Equal To, Between, Not Between |
| Originating System ID | Includes, Does Not Include, Equals, Starts With, Contains |
| Source IP Address | Includes, Does Not Include, Equals, Starts With, Contains |
| Success Status | Includes, Does Not Include, Equals, Starts With, Contains |
| User ID | Equals, Not Equal To, Less Than, Less Than or Equal To, Greater Than, Greater Than or Equal To, Between, Not Between |
| User Internal ID | Includes, Does Not Include, Equals, Starts With, Contains |
| Username | Includes, Does Not Include, Equals, Starts With, Contains |
Data Collected from Workspace ONE Access for the User Logins Templates
Workspace ONE Intelligence receives the listed data points from Workspace ONE Access for display.
| Filter | Operator |
|---|---|
| Authentication Mode | Includes, Does Not Include, Equals, Starts With, Contains |
| Device Identifier | Includes, Does Not Include, Equals, Starts With, Contains |
| Device Type | Includes, Does Not Include, Equals, Starts With, Contains |
| Domain | Includes, Does Not Include, Equals, Starts With, Contains |
| Error Message | Includes, Does Not Include, Equals, Starts With, Contains |
| Event ID | Includes, Does Not Include, Equals, Starts With, Contains |
| Event Time | Before, After, Between, Not Between, Within, Not Within |
| Event Timestamp | Before, After, Between, Not Between, Within, Not Within |
| Event Type | Includes, Does Not Include, Equals, Starts With, Contains |
| Identity Management System ID | Includes, Does Not Include, Equals, Starts With, Contains |
| Organization ID | Equals, Not Equal To, Less Than, Less Than or Equal To, Greater Than, Greater Than or Equal To, Between, Not Between |
| Originating System ID | Includes, Does Not Include, Equals, Starts With, Contains |
| Source IP Address | Includes, Does Not Include, Equals, Starts With, Contains |
| Success Status | Includes, Does Not Include, Equals, Starts With, Contains |
| User ID | Equals, Not Equal To, Less Than, Less Than or Equal To, Greater Than, Greater Than or Equal To, Between, Not Between |
| User Internal ID | Includes, Does Not Include, Equals, Starts With, Contains |
| Username | Includes, Does Not Include, Equals, Starts With, Contains |
Devices Dashboard
Use the Devices dashboard to analyze various key indicators for mobile and desktop devices in your Workspace ONE UEM deployment.
Find lots of data to analyze and act on your Workspace ONE UEM devices. The main modules are Mobile Devices Dashboard and Desktop Devices Dashboard.
• The Mobile Devices Dashboard module displays various widgets to help you quickly see the use and health of your mobile devices fleet. Find information about enrolled users who are active and inactive. There is data about the health of device batteries and storage capacity. You can also see data about device ownership, device models, and their OS versions.
• The Desktop Devices Dashboard module not only displays widgets about the health of your desktop device deployment, it displays Digital Employee Experience Management (DEEM) telemetry. This module has Overview, Performance, and Errors tabs. For details about DEEM, access Technical Preview: Digital Employee Experience Management.
Digital Employee Experience Management
Digital Employee Experience Management (DEEM) helps organizations gain insights into the employee experiences with their digital workspace. DEEM provides insights about apps, operating system stability, and performance. It also displays analytics for key performance indicators that impact employee experiences such as start time, shutdown time, logon, and logout events.
What is DEEM?
DEEM harvests telemetry from desktop devices and provides insights to take predictive actions. The Workspace ONE Intelligent Hub gets the data from devices and sends it to Workspace ONE Intelligence for display and interaction on the Devices and Apps dashboards. To harvest data, the Workspace ONE Intelligent Hub for Windows Desktop now includes an agent built on the osquery framework.
What are the prerequisites for DEEM?
• Use Workspace ONE UEM v2010 or later.
• Use the Workspace ONE Intelligent Hub for Windows Desktop v20.10 or later.
• Use the Workspace ONE Intelligence service.
• Use Windows 10 devices that are managed in Workspace ONE UEM.
• Use corporate-owned and corporate-shared devices.
What can you do with DEEM telemetry?
You can view and manipulate the data in modules. Focus your analysis to predict issues and to mitigate and fix problems. In the Desktop Device Dashboard module, find three tabs: Overview, Performance, and Errors.
• Overview - This tab has general data for enrolled devices that are active and inactive. The Total OS Crashes analytic reports failures specifically for Windows Desktop devices fed from
• Performance - This tab displays statistics for Boot Time and Shutdown Time variables for your Windows Desktop devices. It uses bubble charts to visualize Critical and Warning thresholds for these variables. Select a bubble to get specific metadata. With this information, you can instantly see the devices that might need replacing or that need attention due to aged form factors and software. Configure the Performance tab to display data that aligns with your organization's definition of the Critical and Warning thresholds. To edit the thresholds, select the ellipses (…) in the bottom right of the Performance tab.
• Errors - This tab displays statistics for Crashes and Crash Rate of your Windows Desktop devices. It uses line graphs to visualize the events. Select a point on the line graph to focus your troubleshooting. With this information, you can quickly find problem devices, get the error codes for the failures, and fix the issue.
In any module, you can use the Edit Columns setting to customize the data displayed on dashboards. View the data that is most helpful for your situation.
You can view and interact with DEEM telemetry data through built in and custom dashboards in Workspace ONE Intelligence.
• Devices dashboard - Go to the Desktop Device Dashboard module using the View Dashboard setting to get performance and error data fed from devices through the Workspace ONE Intelligent Hub.
• Apps dashboard - Use several modules on this dashboard to view DEEM telemetry.
  • MAU for Top 10 Windows Apps - This module displays your most popular apps by the number of monthly active users. Perhaps an app you thought was helpful is not in this module? Then, there might be a problem with the app like it is hard to use, it does not install correctly, or users do not find it helpful with their work.
  • Windows Apps Errors - This module displays data for native, Windows apps except web apps. You can look at Crashes or Hangs data for these apps to identify apps that are not working or are constantly having problems.
What data does DEEM provide?
The DEEM system provides various telemetry to dashboards.
• Windows services
• Application changes
• Hangs
• Configurations
• Screen saver activities (logon, logoff, lock, and unlock)
What is the DEEM footprint on your Windows 10 devices?
The footprint is comparatively small. The tested configurations for DEEM suggest a periodic impact of up to 5% CPU usage for a typical 4 core CPU. Tested configurations also suggest 10 to 40 Mb of memory usage on each Windows 10 device. The Workspace ONE Intelligent Hub for Windows itself sends between 4K to 10K of data on randomized 10 minute intervals.
How do you enable DEEM?
Enable DEEM using the Integrations section of Workspace ONE Intelligence at Integrations > Desktop Advanced Telemetry > Set Up. Select Enable to start collecting telemetry data for your Windows Desktop devices managed in Workspace ONE UEM.
Enable GPOs for DEEM
To use the Digital Employee Experience Management (DEEM) feature fully, you must enable specific Group Policy Objects (GPOs) for Windows 10 devices. Enabling the GPOs allows Workspace ONE Intelligence to report them in dashboards. You can do this action in SCCM or you can use product provisioning in Workspace ONE UEM.
You need to enable specific GPOs for a few performance indicators so DEEM can capture the associated data.
• Login Failure
• Lock
• Unlock
• Screen On
• Screen Off
Enable the listed events in SCCM.
| Event | GPO |
|---|---|
| Login Failure | SecuritySettings > Advanced Audit Policy Config SystemAuditPolicies > Logon/Logoff > Audit Logoff SystemAuditPolicies > AuditLogon, Other Logon/Logoff events |
| Lock | SecuritySettings > Advanced Audit Policy Config SystemAuditPolicies > Logon/Logoff > Audit Logoff SystemAuditPolicies > AuditLogon, Other Logon/Logoff events |
| Unlock | SecuritySettings > Advanced Audit Policy Config SystemAuditPolicies > Logon/Logoff > Audit Logoff SystemAuditPolicies > AuditLogon, Other Logon/Logoff events |
| Screen On | SecuritySettings > Advanced Audit Policy Config SystemAuditPolicies > Logon/Logoff > Audit Logoff SystemAuditPolicies > AuditLogon, Other Logon/Logoff events |
| Screen Off | SecuritySettings > Advanced Audit Policy Config SystemAuditPolicies > Logon/Logoff > Audit Logoff SystemAuditPolicies > AuditLogon, Other Logon/Logoff events |
To use product provisioning in Workspace ONE UEM, create a File/Action to run the script on Windows 10 devices and deploy the script with a Product.
Prerequisites
Copy the listed code and save it in an app like Notepad++ as a CMD file (batch file). Title it so you can recognize it for this procedure, for example Enable_Windows_Audit_Events.cmd. This code updates the applicable GPOs.
@echo off
REM Write the header row of the audit policy CSV that auditpol.exe restores from.
echo "Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value" >audit_policy.csv
REM One row per Logon/Logoff subcategory, each set to Success and Failure (Setting Value 3).
echo ",System,Audit Logoff,{0cce9216-69ae-11d9-bed3-505054503030},Success and Failure,,3" >>audit_policy.csv
echo ",System,Audit Logon,{0cce9215-69ae-11d9-bed3-505054503030},Success and Failure,,3" >>audit_policy.csv
echo ",System,Audit Other Logon/Logoff Events,{0cce921c-69ae-11d9-bed3-505054503030},Success and Failure,,3" >>audit_policy.csv
REM Apply the policy from the CSV, then delete the temporary file.
auditpol.exe /restore /file:audit_policy.csv
del /f audit_policy.csv
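To confirm the result on a device after the script has run, the following PowerShell check exports the current audit policy with auditpol.exe /backup and verifies that the three subcategory GUIDs from the script carry Setting Value 3. It is an added example, not part of the VMware documentation; the temporary file name and the output columns Subcategory, Setting, and Compliant are assumptions made for this example.

```powershell
# Added example (not VMware's script): confirm that the three subcategories set by
# Enable_Windows_Audit_Events.cmd audit Success and Failure on this device.
# Run from an elevated PowerShell session; auditpol.exe needs administrative rights.

# GUIDs and the expected Setting Value of 3 are taken from the script's CSV rows.
$required = [ordered]@{
    '{0cce9216-69ae-11d9-bed3-505054503030}' = 'Audit Logoff'
    '{0cce9215-69ae-11d9-bed3-505054503030}' = 'Audit Logon'
    '{0cce921c-69ae-11d9-bed3-505054503030}' = 'Audit Other Logon/Logoff Events'
}

# Hypothetical temporary file name, unique per run.
$backup = Join-Path $env:TEMP ("auditpol_{0}.csv" -f [guid]::NewGuid())
try {
    # /backup writes the effective policy in the same CSV layout the script restores.
    auditpol.exe /backup /file:$backup | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /backup failed with exit code $LASTEXITCODE"
    }

    # Index rows by subcategory GUID, lower-cased so the comparison ignores case.
    # Rows without a GUID (global audit options) are skipped.
    $current = @{}
    foreach ($row in Import-Csv -Path $backup) {
        $guid = $row.'Subcategory GUID'
        if ($guid) { $current[$guid.ToLower()] = $row }
    }

    $results = foreach ($guid in $required.Keys) {
        $row = $current[$guid]
        [pscustomobject]@{
            Subcategory = $required[$guid]
            Setting     = if ($row) { $row.'Inclusion Setting' } else { 'not present' }
            Compliant   = [bool]($row -and $row.'Setting Value' -eq '3')
        }
    }
}
finally {
    # Remove the exported policy file whether or not the check succeeded.
    Remove-Item -Path $backup -Force -ErrorAction SilentlyContinue
}

$results
if ($results.Compliant -contains $false) {
    Write-Warning 'One or more Logon/Logoff subcategories are not set to Success and Failure.'
}
```

The check compares the numeric Setting Value rather than the Inclusion Setting text, so it does not depend on the display language of the device.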
Procedure
1 In the Workspace ONE UEM console, create a File/Action to run the script. Go to Devices > Provisioning > Components > Files/Action > Add Files/Actions > Windows > Windows Desktop.
2 On the General tab, enter a descriptive name for the Files/Action. You can enter GPO Update for DEEM. You want to recognize this action to add it to the product later in this task.
3 On the Files tab, select Add Files and upload the script. Enter the file path where you want the product to install the script on devices in Download Path. The Version setting is for your record keeping. You can enter 1.0 or any version number that makes sense for your situation.
4 Save the file.
5 On the Manifest tab, in the Install Manifest section, select Add Action and complete the settings.
- Action(s) To Perform: Select Run.
- Execution Context: Select System.
- Command Line and Arguments to run: Enter the file path of the script. For example, enter C:\Enable_Windows_Audit_Events.cmd.
- TimeOut (-1 for infinite): Enter 0.
6 Save the action.
7 In the Workspace ONE UEM console, create a Product to deploy the script to devices. Go to Devices > Provisioning > Product List View > Add Product > Windows > Windows Desktop.
8 On the General tab, enter a name (like GPO Update Product for DEEM) and select the group in Smart Group that contains the devices you want to deploy the script to.