Top 10 Use Cases for Workspace ONE Intelligence for your Mobile Device Fleet (Part 1)
Update: Part 2 can be found here.
“So, I have purchased Workspace ONE Intelligence… Now what?”
That’s one of the most frequently asked questions that I, a VMware EUC Customer Success Manager, have received from my clients as they are looking to maximize their values in Workspace ONE Intelligence. Workspace ONE Intelligence is a powerful tool in our End-User Computing (EUC) toolbox. Even with their fundamental functionalities, Custom Reports and Historical Dashboards change the way EUC administrators and businesses monitor their devices and applications. Intelligence Automations allow us to significantly improve our enterprise security posture, admin quality of life, as well as digital employee experience. However, as I am working with my customers, I realize that coming up with use cases for Workspace ONE Intelligence may not be as intuitive as one might have thought. Therefore, I would like to use this space to discuss my experience helping my clients identify their use cases with Workspace ONE Intelligence.
While a lot of new Workspace ONE Intelligence features and functionalities are focusing on Desktop (see Windows 10 Vulnerability Management and DEEM Insight & User Experience Score), here I would like to focus on the benefits Workspace ONE Intelligence brings to your mobile device fleets. With that said, here are a few blog posts you can check out Workspace ONE Intelligence use cases for desktops that you can dive into separately.
- Monitor Windows App Adoption and Stability with Workspace ONE Intelligence Digital Employee Experience Management (DEEM)
- Using Workspace ONE Digital Employee Experience Management (DEEM) to improve employee experience on macOS
In this three-part series, we will discuss the top 10 use cases using Workspace ONE Intelligence that have been successfully implemented by my clients, focusing on the mobile device fleets. For each part, I will address:
- IT Ops & Quality of Life Improvement
- Security Enhancement
- Digital Employee Experience Management
Quick Links to Use Cases
1. Dashboards for IT Operations
One of the most important aspects of Endpoint Management is proactive monitoring. How does our device fleet do overall? Are we able to deploy these business-critical applications out to devices in a timely manner? How many devices are potentially susceptible to attack because of a zero-day vulnerability? What’s the latest status around specific issue remediation? From a Workspace ONE UEM standpoint, there is built-in reporting that can answer some of these questions. However, it can be quite cumbersome to produce reports and visualizations for our businesses and leadership teams. In a lot of cases, it requires us to export raw data, throw it into our favorite spreadsheet tool, aggregate it, and create a visualization which is not the most ideal way to spend time as an administrator, especially if we are dealing with potential security issues.
With the Workspace ONE Intelligence Dashboards feature, we can create visualizations for our device fleets within minutes. Based on the reporting data that we are looking for, we can aggregate data in our preferred diagrams, and build a dashboard to share with our business teams and leadership or use this information to diagnose any issues we may not be aware of so that we can remediate it.
First off, if you are looking to take advantage of the Workspace ONE Intelligence Dashboards and don’t know where to begin, there are built-in dashboards and templates to help us get started. VMware is also constantly adding more templates and assists us in creating insightful visualizations for different use cases. The screenshot below shows a part of the built-in default Mobile Device Dashboard.
Aside from the built-in dashboards and templates, you can create your own dashboard to meet your needs. For example, I am interested to see the overview of how many mobile devices in my organization have the required security profiles installed (passcode and restrictions in this scenario), as well as device compromised status as we are actively rolling out devices. From there, I created a dashboard including different widgets showing the profile install and compliance status breakdown for each mobile platform.
From this dashboard, I can see that there are a good number of devices that do not have the Restrictions Profile installed. This alerts me to further investigate the Workspace ONE UEM console to understand why this happened. Of course, in this case, you can view this information in the Workspace ONE UEM console as well, but this gives you a much better visualization with just one glance.
The next example here contains data not readily available in Workspace ONE UEM console. This dashboard contains Risk Score data, which is calculated from device states using Machine Learning. This shows another benefit of Workspace ONE Intelligence. Since Workspace ONE Intelligence can integrate data from other sources (e.g., Workspace ONE Access, Intelligence SDK, Trust Network) and provide a more advanced data format (e.g., time-series historical data, ML-based derived data), it allows us to visualize and gain insight into information unavailable in other sources.
This Risk Score dashboard contains the Risk Score data. (Duh.) This is calculated from data collected from user and device behaviors and categorized into different risk levels. It can be used to quickly help identify potential bad actors within our environment and allow us to address them before it is too late.
I am planning to cover the Risk Analytics use-case in more detail in the next part, including building remediation flow to help address devices or users with high Risk Score. In the meantime, more information on Risk Analytics with Workspace ONE Intelligence can be found here.
2. Automated Device Lifecycle Management
This is one of the most popular use cases with my clients and one of the first things configured in their environment. Over time, some enrolled devices stop communicating with Workspace ONE UEM console for various reasons. It can be because they are lost, powered off in a random drawer or cabinet somewhere, or improperly unenrolled. Whatever the reasons may be, you may see hundreds of thousands of these stale device records if you let them go long enough. This can cause challenges with reporting and licensing. And while you may be able to manually delete these records through the Workspace ONE UEM console UI, or through an API script, it can be tedious and time-consuming or require you to code. The Workspace ONE Intelligence Automation Engine can solve this problem very easily in an automated, no-code manner. The screenshot below shows an example of how you can set up your automation to manage devices not checking in.
In the example above, we are addressing devices not seen for more than seven days. We set up actions to send out a Slack notification and email to end-users, asking them to turn the device on, connect to the internet, and open Intelligent Hub application to send the beacon back to UEM console. We just kindly check in with the users in case they are on a vacation and turn their corporate devices off.
This is what it looks like on Slack when the notification is sent to the user.
One small thing to note is that we are dynamically assigning values based on the lookup values specified in the template. T’s iPad is the friendly name of the device in this scenario, and it is reflected properly in the Slack message.
Another example here shows us how we can automate the device cleanup process with Intelligence Workflow after devices have not checked in for more than 28 days. In this case, we decide to send the user a Slack message and an email and proceed to delete the devices off the console.
Of course, these settings are all flexible and you can further customize them based on your organization's needs and policies. For example, if you would like to make sure your executive devices are exempt from being removed from the environment, you can update your filter to exclude devices from the Executive Devices Organization Group, as seen below.
3. Automated Remediation Process for Critical Resources
When we deploy critical resources (mainly business-critical applications, profiles, or products), we would like to make sure that they are installed and remain on the devices. With Workspace ONE UEM, you can deploy these resources automatically. Understandably, you may expect a 100% deployment success rate. However, in practice, that may not always be the case. You may have some devices that lose internet connectivity while downloading the apps or profile install failure due to one reason or another. To remediate the issue, you will traditionally need to go into Workspace ONE UEM console and re-push those resources to the devices. And while that is effective in resolving the issue, it is not the most efficient way to do so. You may find yourself logging into the console once a day and keep re-pushing those resources until most devices have gotten them, and you are a few misclicks away from re-pushing the resources to all devices, not just those without the resources.
Workspace ONE Intelligence can help you automate that process, freeing up your time to do other important tasks. Here is an example screenshot of automation workflow here shows how you can set up an automated process where, every 12 hours, the Intelligence Automation Engine evaluates whether the assigned version (22.04.0.1) of Boxer is installed. If it is not installed, then we queue up the application install command to the devices. You can adjust this process however suits your deployment.
After the workflow was enabled, you can see the activity of this Workflow as it queues up Install Internal Application commands for devices yet to have Boxer installed. I have two devices here enrolled in my sandbox environment, so we can see two actions created here. Please note that when the status shows COMPLETED, it means that Workspace ONE Intelligence successfully executed the defined action. In this case, it makes an API call to Workspace ONE UEM to push the app install command. The COMPLETE status does not necessarily mean that the device has the app installed — just that the command is queued up.
In Workspace ONE UEM, if we navigate to Device Details > Troubleshooting > Commands tab, you can see the command queued up here as well, waiting for the device to pick up.
Since both of my devices are purposefully turned off, obviously it won’t be able to consume the app install command. Since the devices still do not have the app installed, Workspace ONE Intelligence automatically queued up app install commands for these two devices every 12 hours. This screenshot below shows the activity associated with this workflow after I let it run for a few days. The commands are queued up at 3 AM and 3 PM every day since the workflow was enabled.
This is a great way to ensure that your critical applications, profiles, and products are properly installed on the devices. Even if it gets removed accidentally, this mechanism will allow you to ensure that every 12 hours, the commands will be queued up to install those missing resources.
And of course, don’t forget to use Workspace ONE Intelligence Historical Dashboard to monitor your critical deployments!
4. Integration with your IT Service Management Tool
One of my favorite third-party integrations with Workspace ONE Intelligence is with ITSM tools. From the IT Ops and Helpdesk perspective, we live and breathe through our Helpdesk Ticketing system. Workspace ONE Intelligence can integrate with your ITSM to create Helpdesk tickets to proactively address challenges for your end-users even before they notice them.
Workspace ONE Intelligence has built-in integration with ServiceNow. We can follow the steps here to enable API communication and use ServiceNow Automation actions.
An example below shows how we can create a workflow to create a ServiceNow incident, in addition to sending to user email and Slack message, so that a Helpdesk team member can reach out to the executive with a device not seen for more than 28 days to resolve the issue.
This is what the ticket looks like after it’s created.
While ServiceNow is the first ITSM integration in Workspace ONE Intelligence, custom connectors can be created to make use of Workspace ONE Automation Workflows through REST API. As a matter of fact, here are some ready-to-use examples on VMware Samples GitHub page, including integrations with Atlassian, PagerDuty, and Zendesk, among others. Here is the same example but created with a custom connector with Atlassian JIRA Service Desk.
And here is how it looks like on JIRA Service Desk.
Another example here can be found below. This is a screenshot of how you can configure a workflow to automatically create a ServiceNow ticket to have a battery replaced for Zebra devices. Other workflows you can potentially leverage include automatically generating a ticket to investigate users with high-risk behavior, or a follow-up ticket to check in with the end-user who provides poor application experience feedback. The possibility is endless here.
Talking about ITSM, specifically ServiceNow, there is more documentation that deep dives into the feature and an article about how it further integrates with Workspace ONE, including leveraging Workspace ONE UEM actions like changing passcode, lock device, enterprise/device wipe, and remote control through Workspace ONE Assist, as well as pushing device telemetry to ServiceNow CMDB. If you are using ServiceNow, I highly encourage you to explore further here and here.
In part 2, we will further discuss how Workspace ONE Intelligence can help improve your security posture for your mobile device fleet. Stay tuned!