Using Workspace ONE Intelligence to Identify and Report on Devices Not Seen After X-Days

Business Use Case:

For this exercise, the main goal is to find devices that match the following logic:
  • Enrolled
  • Of a defined platform (or not)
  • Have not checked-in or have not "been seen" in X amount of days

Workspace ONE UEM and Workspace ONE Intelligence Items Needed:

This process requires that Workspace ONE Intelligence be integrated with Workspace ONE UEM. If you haven't done this already, follow the process below:

Ensure Workspace ONE UEM and Workspace ONE Intelligence are Integrated:

  1. In the Workspace ONE UEM Admin Console (as an AirWatch Admin), browse to MONITOR > Intelligence, check "Opt in to Intelligence", and click LAUNCH.
  2. From the Workspace ONE Intelligence admin console, select the INTEGRATIONS tab.
  3. On the left, ensure DATA SOURCES is selected.
  4. In the main screen, look for the square titled "Workspace ONE UEM". If configured, it will have a status of Authorized and show connection data. You will be able to click on "VIEW" to get more details.
  5. If NOT configured, you will see a "SET UP" option. Click on this to integrate the two.

The following additional "logical" items will be needed to implement this use case:
  • Tags - At minimum, one tag will be needed to mark devices as X-Days-Not-Seen.
    • Additional tags may be used for additional lengths of time, as well as for devices initially "not seen", then "seen again" (i.e., the device was "lost" but then "found").
  • Intelligence Freestyle Workflows - At least two Intelligence Freestyle workflows will be needed to flag the devices on an ongoing basis.
    • Devices Not Seen After - This is the "lost" devices workflow. This workflow will be used to automatically flag devices which have not been seen after a defined period of time (X-Days).
    • Devices Seen After Lost - This is the "lost then found" workflow. This workflow will be used to automatically flag/unflag devices which were previously flagged as "Not Seen" and now have checked in again (i.e. Lost then found).
      • Why is this needed? - This is to provide automation for devices which were not seen after the initial designated period of time and are flagged as "lost", but have now been "found" and have come back online. This flow allows for additional checks and processes to define things like:
        • It's fine, all is good.
        • What happened to it? a.k.a. We need to investigate further.
        • Should we cancel the replacement order?
  • Reports - At least one Intelligence Report is needed to keep a running tally of lost devices and snapshots over time.
    • Notifications - Notifications of the reports will need to be sent out. This can be done in a few ways, so there are several options here.

Setting up the Tags:

Here we will set up the tags needed for the automations.
  1. To create a tag in Workspace ONE UEM, log in to Workspace ONE UEM as an AirWatch Admin, select your Customer OG, browse to Groups and Settings > All Settings > Devices & Users > Advanced > Tags, and click CREATE TAG.
  2. Type in the name of the Tag you wish to define for devices which have not checked-in for a defined period of time.
  3. Click SAVE.



Configuring the Intelligence Freestyle Workflows:

Now we need to create the Intelligence Freestyle workflows for tagging the "lost" devices and untagging the "found" devices.

Filters:

A note on Filters used in the workflows below. Aside from the "Not Seen within" setting, I am using two additional filters which you may wish to logically work through for your own use cases.
  • Enrolled = True: In my use case, I only want these workflows to execute on Enrolled devices. This means registered or unenrolled devices whose records still exist will not get tagged by these workflows. If you go into your Workspace ONE UEM Admin Console under Devices > List View and see a lot of devices as "Not seen" for a long time, but nothing shows in your workflows as "Potentially Impacted", it may be because those devices are actually registered or unenrolled.
  • Platform = XX: While this is not absolutely necessary to accomplish the desired output, you may need to be more granular in device selection. Defining the individual platforms can be necessary or helpful, as some may be corporate owned and/or managed by other teams, or meet some other use case parameters.
Other filters may also be needed for your specific workflows here, in order to properly meet your needs. It is recommended to logically work out the flow with teammates in documentation or on a whiteboard / noteboard to ensure any one-off details are accounted for.

Creating the Devices Not Seen After Workflow:

To get started, let's create the rule to automatically tag devices not seen after a designated time.
  1. Within the Workspace ONE Intelligence admin console, browse to FREESTYLE on the left and click ADD WORKFLOW. Give the workflow a name that makes sense and make sure to add a description for anyone following behind you.
  2. Set the Data Source to Workspace ONE UEM Devices.
  3. Set the Trigger Settings to Automatic.
  4. Set the Trigger Rules to the following:
    NOTE: Use the "+" button to add more Trigger Rules.
    1. MDM Enrolled Equals True
    2. Platform Includes (your defined platforms)
      NOTE: This trigger may not be needed, but it gives you additional granularity and allows you to ensure that only the devices you specify are selected by this automation.
    3. Last Seen not within 7 day(s)
      NOTE: This can be whatever time frame you want. Just make sure it matches the tag(s) you set previously and the workflow name. Also, if you want to do something like 5 Days, change the text and then click on the drop-down that appears.
  5. Select ADD STEP to add an action.
  6. Click on ACTION and select it.
  7. Select Workspace ONE UEM and then Add Tag to Device.
    NOTE: You can search using the text box.
  8. Click on ADD ACTION.
  9. In the Add Tag to Device window...
    1. Select your Organization Name.
    2. Select the tag you created previously.
  10. At this point, you can click SAVE.
    NOTE: The Workflow will not be enabled by default.
  11. When you are ready to enable, you can edit the workflow, enable it, and then save.


Creating the Devices Seen After Lost Workflow:

We now need to create the rule to automatically untag devices which were previously "lost" and are now "found". This workflow is for removing the tag defining a device as lost if the device is then found. Feel free to modify this workflow to add in other things such as different tags for how long it took to be found, or notifications to admins that a device previously marked as lost is now found. There are a plethora of options.
  1. Within the Workspace ONE Intelligence admin console, browse to FREESTYLE on the left and click ADD WORKFLOW. Give the workflow a name that makes sense and make sure to add a description for anyone following behind you.
  2. Set the Data Source to Workspace ONE UEM Devices.
  3. Set the Trigger Settings to Automatic.
  4. Set the Trigger Rules to the following:
    NOTE: Use the "+" button to add more Trigger Rules.
    1. MDM Enrolled Equals True
    2. Platform Includes (your defined platforms)
      NOTE: This trigger may not be needed, but it gives you additional granularity and allows you to ensure that only the devices you specify are selected by this automation.
    3. Last Seen not within 7 day(s)
      NOTE: This can be whatever time frame you want. Just make sure it matches the tag(s) you set previously and the workflow name. Also, if you want to do something like 5 Days, change the text and then click on the drop-down that appears.
  5. Select ADD STEP to add an action.
  6. Click on ACTION and select it.
  7. Select Workspace ONE UEM and then Add Tag to Device.
    NOTE: You can search using the text box.
  8. Click on ADD ACTION.
  9. In the Add Tag to Device window...
    1. Select your Organization Name.
    2. Select the tag you created previously.
  10. At this point, you can click SAVE.
    NOTE: The Workflow will not be enabled by default.
  11. When you are ready to enable, you can edit the workflow, enable it, and then save.

Now you have two workflows - One for marking devices as lost if not seen within a defined time frame, and another for marking a device as "found" if no longer lost.
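
Before enabling either workflow, it can help to dry-run the trigger rules against a JSONL export of your device data. The script below is an added example, not code from the original post or from VMware; it follows the tag/untag behaviour described for the two workflows. The field names, the tag name and the sample records are constructed assumptions, not the real report schema.

```python
import json
from datetime import datetime, timedelta, timezone

LOST_TAG = "7-Days-Not-Seen"  # hypothetical tag name
SAMPLE_NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample export; field names are assumptions, not the real report schema.
SAMPLE_JSONL = """\
{"device_id": "A1", "enrolled": true, "platform": "Apple iOS", "last_seen": "2024-05-01T08:00:00Z", "tags": []}
{"device_id": "A2", "enrolled": true, "platform": "Android", "last_seen": "2024-05-19T10:30:00Z", "tags": ["7-Days-Not-Seen"]}
{"device_id": "A3", "enrolled": false, "platform": "Android", "last_seen": "2024-01-01T00:00:00Z", "tags": []}
{"device_id": "A4", "enrolled": true, "platform": "Windows Desktop", "last_seen": "2024-05-18T12:00:00Z", "tags": []}
{"device_id": "A5", "enrolled": true, "platform": "Apple iOS", "last_seen": null, "tags": []}
{"device_id": "A6", "enrolled": true, "platform": "Apple iOS", "last_seen": "2024-05-02T09:00:00Z", "tags": ["7-Days-Not-Seen"]}
"""


def plan_actions(jsonl_text, now, days=7, platforms=None, lost_tag=LOST_TAG):
    """Return the device IDs each workflow would act on, without changing anything."""
    cutoff = now - timedelta(days=days)
    plan = {"add_tag": [], "remove_tag": [], "skipped": [], "review": []}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        dev = json.loads(line)
        dev_id = dev["device_id"]
        # Trigger rules 1 and 2: enrolled devices only, optionally limited by platform.
        if not dev.get("enrolled") or (platforms and dev.get("platform") not in platforms):
            plan["skipped"].append(dev_id)
            continue
        # No check-in timestamp at all: leave the decision to a human.
        if not dev.get("last_seen"):
            plan["review"].append(dev_id)
            continue
        last_seen = datetime.fromisoformat(dev["last_seen"].replace("Z", "+00:00"))
        stale = last_seen < cutoff  # "Last Seen not within X day(s)"
        tagged = lost_tag in dev.get("tags", [])
        if stale and not tagged:
            plan["add_tag"].append(dev_id)      # "lost" workflow
        elif tagged and not stale:
            plan["remove_tag"].append(dev_id)   # "lost then found" workflow
    return plan


if __name__ == "__main__":
    for action, ids in plan_actions(SAMPLE_JSONL, SAMPLE_NOW).items():
        print(f"{action}: {ids}")
```

Devices in the "skipped" list are the registered or unenrolled records that the Enrolled = True filter keeps out of both workflows.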


Creating the Intelligence Report:

Now we need to create the Intelligence Report to capture the ongoing snapshot of data.
  1. Within the Workspace ONE Intelligence admin console, browse to REPORTS on the left and click ADD and select CUSTOM REPORT from the drop down.
  2. The first screen you will be prompted with is the Category. Click CATEGORY then select Workspace ONE UEM and then DEVICES.
  3. Give the report a name that makes sense and make sure to add a description for anyone following behind you.
  4. Select SNAPSHOT for data type.
  5. Select your report download format (CSV or JSONL).
  6. Under FILTERS, we only need to look for devices with device tags containing any of the tags we defined.
    1. Click in SELECT ATTRIBUTE under the first empty rule and either use the text box to search or browse the categories on the left (in the drop down that appears) and select the Device Tags within Devices.
    2. Change "Contains All of" to "Contains Any of".
    3. For the value, select the tag you defined within UEM.
  7. Refresh the Preview to see any items.
  8. Use the "+" and "edit" options to the right of the report preview window to add pertinent data and columns.
  9. Click SAVE in the upper right when done.


Scheduling the Intelligence Report:

Now we need to set the Intelligence Report to run on an automated, periodic basis. For this use case, we will schedule the report to occur periodically (say, every 7 days).
  1. Within the Workspace ONE Intelligence admin console, browse to REPORTS on the left and click on the report name to open it.
  2. Click the SCHEDULES tab.
  3. Within the Schedules tab, click the ADD button.
  4. Within the Schedule window...
    1. Type the Schedule Name
    2. Set the Recurrence type (Hourly, Daily, Weekly, etc.)
    3. Set the Recurrence period (every X hours, days, etc.)
    4. Set the Starts At time
    5. Set the End Date (or NO END DATE).
    6. Click SCHEDULE to SAVE.
  5. You can set multiple schedules.
  6. You can View the report history by clicking VIEW in the far right.
  7. Additional reports may be downloaded from the DOWNLOADS tab at the top.


Sharing and Setting Alerts for the Intelligence Report:

Now we need to share the Intelligence Report with others.

Sharing the Report via Intelligence:

  1. Within the Workspace ONE Intelligence admin console, browse to REPORTS on the left and click on the report name to open it.
  2. Within the Overview screen, click on the SHARE button.
  3. You can select additional Workspace ONE Intelligence Users to share this report with. When new reports are generated, emails will appear in their inbox alerting them they can go view the new report.
  4. These "admins" will need to be able to log in to Intelligence to grab the report.


Sharing the Report via Intelligence as a "Public Link":

  1. Within the Workspace ONE Intelligence admin console, browse to REPORTS on the left and click on the report name to open it.
  2. Within the Overview screen, click on the SHARE button.
  3. Scroll to the bottom of the Share window and enable the Public Link Sharing box and copy out the URL.
  4. Anyone with the URL will not need a login to the Intelligence Admin console and will be able to directly download any of the reports.
  5. Users just click the download link to save the report.

Downloading the Report via API Call:

This will require some additional coding. Fortunately, one of my esteemed colleagues (Targoon Siripanichpong) has written and posted sample code on both TechZone and VMware's Developer site. The samples cover the items necessary to make the API call to download the report without needing to make it a public link. Assuming additional automation is added to the custom code making the API call, this could also (potentially) be used to send the report off to an email distribution list.

REFERENCE LINKS: