[Deep Dive] Workspace ONE Intelligence

[Deep Dive] Workspace ONE Intelligence

This post was originally published on this site ---

Integrated Insights, Automation, and App Analytics

The latest updates for Workspace ONE Intelligence are now available!

This deep dive covers four key topics: data storage and security, data visualization, automation, and app analytics.

    1. For admins who are nervous about the security of their data in our cloud-based service, you can now rest easy knowing what types of data Workspace ONE Intelligence streams, what it stores, and how that data stays secure.
    2. Take advantage of the new data visualization capabilities to customize the at-a-glance view of your Workspace ONE environment to your needs.
    3. Use the new automation capabilities to enable hands-free management of critical enterprise workflows.
    4. Explore another world of possibilities for intelligence with Apteligent app analytics.
To test out these features with step-by-step instructions, check out the Workspace ONE Quick-Start Tutorial.

Data Storage & Security

VMware Workspace ONE Intelligence provides real-time insights by streaming deployment data from Workspace ONE.

First–time synchronization pushes all of the AirWatch Database’s available data. The data available for streaming is determined by how the AirWatch Console and its privacy settings are configured. For 10.000 devices, the initial export should take less than 7 minutes.

After the initial sync, all further synchronizations are based on device samples cached on the AirWatch Database. This cache is checked every 10 seconds and samples are sent to Intelligence

To support historical analysis, VMware also stores the raw and trend data in its cloud services infrastructure. The following table provides more information about what data VMware stores, and how it stores that data.

Raw Data Trend Data
Storage Timeframe 3 Months 12 Months
  • Battery Information
  • Operating System Versions
  • Application Adoption
  • Device Category Data

To protect this data, Workspace ONE Intelligence uses organization-wide security measures, as well as its own design to mitigate security risks.

  • Configurable Data Collection – Use granular controls to specify what PII user data to collect and send to the cloud. Examples of PII data include, phone number, user name, email, and private app information.
  • Access Control – Workspace ONE Intelligence restricts access by using a Bearer Token for authentication. Obtaining this token requires a credential signed with the Console Identity. In other words, you can only access Workspace ONE Intelligence through the Workspace ONE UI.
  • Encryption – Protect collected data with https (TLS 1.2) encryption.


Before using Workspace ONE Intelligence, you must meet the minimum requirements.

  • Cloud-based or on-premises instance of Workspace ONE.

    Click here to learn more

    Cloud-Based Workspace ONE Intelligence Architecture
    On-Premises Workspace ONE Intelligence Architecture


  • Buy the Workspace ONE Enterprise SKU or the Workspace ONE Intelligence Add-On SKU to get access to all features

    Click here to learn more

    Existing Workspace ONE customers get access to reporting functionality. However, the full Intelligence feature set, which includes reports, dashboards, app analytics, and automation, only comes with the purchase of the appropriate SKU. See the Workspace ONE product page for more information on features and pricing.

  • AirWatch Console v9.2 or later
  • Admin role with appropriate access

    Click here to learn more

    The following roles has access to Workspace ONE Intelligence enabled by default

    • System Admin
    • AirWatch Admin
    • Console Admin

    Administrator can create or change existing roles to add or remove access to Intelligence

  • Enable reports powered by Workspace ONE Intelligence
  • On-Premises Customers Only Install Workspace ONE Intelligence Connector (aka ETL service)

    Click here to learn more

    For on-premises customers, Workspace ONE Intelligence relies on the extract, transform, load (ETL) service to capture and push data for reporting. Using the preferences configured in the AirWatch Console, the service captures each category’s most important data.

    ETL Requirements

    Hardware Requirements
    Single, Dedicated Server
    • 1 CPU
    • 8 GB RAM
    • 50 GB Storage
    One Server Per Site For site redundancy and disaster recovery
     Software Requirements
    Operating System Windows Server 2012 R2 or 2016
    Java Java 8
    Network Requirements
    Outbound traffic from the ETL service Port 443
    Internal network access to the AirWatch database The port used is based on your AirWatch deployment

    ETL Service Troubleshooting

    After installing the ETL service, you can use the Sync Status screen to troubleshoot potential issues.

    • Data Import Section – Percentages should be as close to 100% as possible.
    • ETL Service Section – Use the check-in time to determine the overall health of the service:
      • Check-in time < 10 mins = Informational Everything is OK.
      • Check-in time > 10 mins = Warning AirWatch Database continues to create events for export to the cloud service, but reports generated thereafter contain stale data.
      • Check-in time > 60 mins = Error AirWatch Database stops generating events for export, reports generated thereafter contain stale data, and the ETL Server requires attention.
    • Sync Status – The ETL service will check every 8 hours for a new update and if available will update itself by downloading the latest jar from the repository. The auto upgrade can fail if the service is unable to reach the artifact or isn’t able to upgrade itself.

    Switch Regions Post-ETL Installation

    To switch regions after installing ETL:

    1. Opt out
    2. Uninstall ETL
    3. Opt back in again
    4. Install ETL and set the new region

    Upon request customer data can be deleted from Workspace ONE Intelligence Cloud Service. Once deleted customer will be notified.

  • Opt-in via AirWatch Console

    Click here to learn more

    Opt into the Workspace ONE Intelligence interface from the Workspace ONE UEM console to begin using dashboards, automation, and reports.

    1. In the AirWatch Console, navigate to Hub > Intelligence, and click Next.
    2. Select Opt-in, and click Next.
    3. Review the Terms of Service and complete the required fields. Click Accept.

Customized Data Visualization & Automated Workflows

Customized Data Visualization

My Dashboard, powered by Workspace ONE Intelligence, displays data you customize with applied widgets. Displaying data as graphically allows you to analyze the trends occurring in areas within your Workspace ONE platform.

Add widgets to define the layout of My Dashboard. Then, use the following actions to further adjust the display:

  • Move Widgets – Select or grab widgets by the title and drag them anywhere on the dashboard.
  • Resize Widgets – Hover the cursor over any of the four edges of the widget to manually resize it.
  • Delete Widgets – Select the ellipsis on the top right-hand corner of any widget and select Delete.

To simplify data visualization, My Dashboard provides predefined widget templates that display your deployment’s metrics. Common metrics and their associated widgets include:

Metric Widget
Asset tracking Platform and OS Breakdown
Security Compromised Status by OS Version
Application deployment Top 10 Popular Apps
Windows patches Security Patch Status

My Dashboard provides templates for app, device, and OS update metrics. To customize the data a template displays, configure filters, charts, diagrams, and parameters.

Automated Workflows

Now, you can configure automated workflows to act on your Workspace ONE environment’s unique scenarios.

A workflow consists of triggers that cause the engine to use a set action through Workspace ONE or an integrated third-party service. Triggers are based on the evaluation of Device Samples sent by ETL Service to Intelligence Cloud Service.

  1. ETL sends samples to Intelligence Cloud Service
  2. Intelligence Cloud Service checks sample content
  3. If matched against any of the Automation Trigger Criteria that has been already configured, then the Action is triggered

You can configure workflows from scratch, or use preset templates. Once the workflow is configured, the decision engine only monitors data from that point forward, it does not analyze historical data. This differs from the AirWatch Compliance Engine, which evaluates the current state of devices when the rule is created.

Click here to learn more

While the decision engine is a robust feature, it is not the only automation engine in the Workspace ONE platform.

  • Decision Engine – The decision engine automates workflows across the entire environment, leveraging over 196 parameters from devices, apps and users to trigger automated actions across the environment including third party services like Service Now, Slack and more. The Decision engine goes beyond compliance – acting on triggers from devices to automate patch deployments, push app updates, change device configurations, etc.
  • AirWatch Compliance Engine – The AirWatch compliance engine leverages up to 18 parameters to ensure device compliance across the environment. It’s a very powerful tool for closed-loop remediation. Its engine acts on closed-loop workflows where a user can have resources returned after becoming compliant again.
  • Identity Manager Access Control Engine – This engine creates conditional access policies using inputs like network range, device type/OS, user security group, authentication strength and AirWatch Compliance engine status. It uses these inputs to conditionally allow, block or force additional authentication before providing users on managed or unmanaged devices access to applications.

API Communications & Third-Party Connections

The automation feature of Workspace ONE Intelligence uses APIs for communication between your Workspace ONE environment, the decision engine, and third-party services.

You can connect to the VMware Workspace ONE UEM API server, by generating an API key. For On-Premises Workspace ONE installations, the API Endpoint must be accessible from the Internet with trusted SSL Certificate

Generate an API Key in the AirWatch Console

To enable Workspace ONE Intelligence to use APIs to communicate with third-party services for automation, enter the API authentication credentials to Workspace ONE Intelligence.

Enter API Authentication credentials into Workspace ONE Intelligence

You can also configure connections in the third-party services such as Slack and ServiceNow.

Integrate ServiceNow with Workspace ONE Intelligence Automation using APIs

Introducing App Analytics with Apteligent

Apteligent monitors, prioritizes, troubleshoots, and trends your mobile app performance issues in real-time.

Support & Additional Resources

  • iOS, Android, hybrid, and HTML 5 SDKs available
  • SaaS Only
  • Data collected by Apteligent SDK is currently stored only in US Datacenters
  • Apteligent Documentation

The post [Deep Dive] Workspace ONE Intelligence appeared first on VMware End-User Computing Blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.