August 21, 2024

Monitoring Resource Deployments & Automated Remediation Process with Workspace ONE Intelligence

Workspace ONE Unified Endpoint Management (UEM) provides administrators with tools to manage and secure various endpoints, including Windows devices, through the use of Profiles and Baselines. It allows the establishment of policies that dictate the functions and security measures applicable to users and devices, ensuring compliance and protection against potential vulnerabilities.

Workspace ONE Intelligence Reports, Dashboards, and Freestyle Orchestrator are available to customers with Workspace ONE Mobile Essentials, Workspace ONE Desktop Essentials, Workspace ONE UEM Essentials, Workspace ONE Intelligence Add-On, Workspace ONE Risk Analytics Add-On, or Workspace ONE Experience Analytics Add-On licenses.

As organizations increasingly rely on a broad array of endpoints to perform essential business functions, ensuring these devices are always in a compliant and operationally ready state becomes a significant challenge.  Whether these are used as kiosks, point of sale, or inventory management devices, organizations must ensure that their endpoints are not only equipped with the business-critical applications but are also compliant with corporate security policies. 

This blog post delves into how IT departments can leverage Workspace ONE Intelligence not only to monitor the critical resource deployment process via reports and dashboards, but also to use Freestyle Orchestrator workflows to automate the remediation of critical resources, ensuring the managed endpoints are continuously functioning, secure, and compliant.

Generating a Report and Dashboard for Visualization on Resource Deployments

Getting insights on resource deployments with reports and dashboards is critical. Insights help identify gaps in deployment, such as devices that have not received the necessary configurations or applications. This visibility is essential for IT departments to prioritize their efforts and address potential issues before they impact business operations.

Workspace ONE Intelligence accrues data from different sources, such as its trust network integrations with Carbon Black and Lookout, as well as CVE data from Apple and Microsoft for vulnerability monitoring. Most importantly, Workspace ONE Intelligence can pull data from Workspace ONE UEM, where device, profile, and application inventory can be monitored in near real-time.

The example below shows how a report can be generated to track enrolled iOS devices and see the different versions installed throughout the device fleet. Reports in Workspace ONE Intelligence can be generated on-demand or scheduled, then shared with appropriate teams.

Figure 1: Workspace ONE Intelligence report showing iOS devices with Workspace ONE Intelligent Hub installed.

To visualize this dataset, a dashboard can be created to aggregate these data into an easily consumable format. In Workspace ONE Marketplace, there is a large collection of Dashboard Templates which can be used to help you get started. The template in the screenshot below is called “App Transient State Tracking.”  This template contains multiple widgets where app install events are being tracked over time.

Figure 2: Application Tracking dashboard template from Workspace ONE Marketplace.

Dashboard widgets can also be created from scratch without using a template, providing additional flexibility to get the data and visualization best suited to the use cases and the audience. Below are two examples of widgets showing Workspace ONE Intelligent Hub install status for iOS devices. The first one looks at the historical trend of the application deployment using Application Trend data, while the other shows the current snapshot of the application deployment status.

Figure 3: A custom widget showing iOS Workspace ONE Intelligent Hub install trend. 

Figure 4: A custom widget showing current iOS Intelligent Hub install status.

Learn more about how to leverage templates from Workspace ONE Marketplace.

The Need for Automated Remediation for Critical Resources

In Workspace ONE UEM, once a profile or an application is confirmed as installed on a device, the deployment task is considered successful. While installation status (success or failure) is tracked in Workspace ONE UEM, there is no built-in mechanism to automatically re-deploy the resources back to the devices in case of deployment failure. 

While Desired State Management will help remedy this as it becomes generally available, IT administrators currently need to periodically check on the resource deployment status and manually re-deploy these resources back to the devices.

Automated remediation plays a crucial role in maintaining the desired state of devices within an IT environment. As new applications, profiles, or products are deployed to the devices, Workspace ONE Intelligence Freestyle Orchestrator can automatically detect resource install failure and re-deploy the resource back to the devices.

Building an Intelligence Freestyle Orchestrator Workflow

Workspace ONE Intelligence Freestyle Orchestrator provides IT administrators with a powerful tool to create and manage automated workflows that can execute a range of actions across devices and applications in response to defined events or conditions. These capabilities extend from simple notification dispatches to complex remediation tasks, enabling organizations to address issues swiftly and effectively.

To build an automated remediation workflow to re-deploy resources to devices, a few filters are recommended to be added:

Resource name or identifier: This could be a profile name, app name, or bundle ID.

Resource installation status: This is to ensure that re-install attempts are not made for devices with resources already installed.

Device platform: This is to ensure that the resources are targeted to a specific device platform.

Device posture: This includes device enrollment status and device last seen time to ensure that targeted devices are enrolled and active.

It is also advised that a schedule trigger is used for this workflow. While an automatic trigger would allow the workflow to execute as soon as a resource installation failure is detected, it would execute just once and will not re-execute. This may not be the most suitable when multiple re-deployment attempts are needed. With a schedule trigger, the workflow will continue to re-execute as long as the devices are still a part of the defined criteria.

Here is an example of a Workspace ONE Intelligence Freestyle Orchestrator workflow where, every 12 hours, the workflow evaluates whether iOS devices have the latest version of Workspace ONE Intelligent Hub installed (24.06 at the time of this writing). If a device does not have the 24.06 version installed, then the application install commands are sent out to that device.

Figure 5: A Freestyle Orchestrator Workflow showing criteria for queuing app install command to update Hub.
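
The filter and trigger logic described above, modelled as an added example (not Workspace ONE code) that can be run over an exported inventory report to preview which devices such a workflow would target and how often a command would be queued. The CSV column names, the `com.example.hub` bundle ID, the 7-day activity window, and the per-device model of a one-time trigger are assumptions; the sample rows are constructed.

```python
import csv, io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed inventory export; column names and bundle ID are hypothetical.
SAMPLE = """device_id,platform,enrollment_status,last_seen,bundle_id,app_version,install_status
d1,iOS,Enrolled,2024-08-20T10:00:00+00:00,com.example.hub,24.06,Installed
d2,iOS,Enrolled,2024-08-20T09:00:00+00:00,com.example.hub,24.04,Installed
d3,iOS,Enrolled,2024-07-01T09:00:00+00:00,com.example.hub,24.04,Installed
d4,Android,Enrolled,2024-08-20T09:00:00+00:00,com.example.hub,24.04,Installed
d5,iOS,Unenrolled,2024-08-20T09:00:00+00:00,com.example.hub,24.04,Installed
d6,iOS,Enrolled,2024-08-19T09:00:00+00:00,com.example.hub,,Failed
"""
# Same fleet at the next run: d2 has consumed the command and now reports 24.06.
LATER = SAMPLE.replace("hub,24.04,Installed\nd3", "hub,24.06,Installed\nd3")

def matches(row, now, bundle_id, version, platform, max_idle):
    """True when a device passes all four filters and still lacks the target version."""
    compliant = row["install_status"] == "Installed" and row["app_version"] == version
    active = now - datetime.fromisoformat(row["last_seen"]) <= max_idle
    return (row["bundle_id"] == bundle_id        # resource identifier
            and not compliant                    # resource installation status
            and row["platform"] == platform      # device platform
            and row["enrollment_status"] == "Enrolled" and active)  # device posture

def select_targets(csv_text, now, **criteria):
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["device_id"] for r in rows if matches(r, now, **criteria)]

def commands_queued(snapshots, times, scheduled, **criteria):
    """Count install commands per device across successive evaluations.
    scheduled=True re-queues on every run; False models a one-time trigger."""
    queued = Counter()
    for csv_text, now in zip(snapshots, times):
        for dev in select_targets(csv_text, now, **criteria):
            if scheduled or dev not in queued:
                queued[dev] += 1
    return dict(queued)

CRITERIA = dict(bundle_id="com.example.hub", version="24.06",
                platform="iOS", max_idle=timedelta(days=7))
T0 = datetime(2024, 8, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    runs = [T0, T0 + timedelta(hours=12)]  # the 12-hour schedule from the text
    print(select_targets(SAMPLE, T0, **CRITERIA))
    print(commands_queued([SAMPLE, LATER], runs, scheduled=True, **CRITERIA))
```

In the sample, the stale device (d3), the Android device (d4), and the unenrolled device (d5) are excluded by the platform and posture filters, while the device with the failed install (d6) keeps receiving a command on each scheduled run until its status changes.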

After the workflow is enabled, its activity can be observed. Please note that when the status shows COMPLETED, it means that Workspace ONE Intelligence successfully executed the defined action. In this case, it makes an API call to Workspace ONE UEM to push the app install command. The COMPLETED status does not necessarily mean that the device has the app installed, just that the command is queued up.

Figure 6: An activity tab in the Freestyle Orchestrator workflow showing the command was created.

In Workspace ONE UEM, the commands can also be observed as queued up in the Device Details > Troubleshooting tab.

Figure 7: Corresponding command queued up in Workspace ONE UEM.

If the targeted devices still do not have the application installed, Workspace ONE Intelligence Freestyle Orchestrator will continue to automatically queue up the app install commands for the devices every 12 hours, as defined in the schedule trigger. The following screenshot shows the activity associated with this workflow after it has been enabled for a few days and the targeted devices are yet to consume the command.

Figure 8: Activity tab in Workspace ONE Intelligence showing repeated commands being issued per the defined schedule.

Here is another example of resource remediation. In some rare cases, some Android devices may not have the Workspace ONE Launcher app active on them despite the deployed Workspace ONE Launcher profile. To remediate this issue, a scheduled Freestyle Orchestrator workflow can be created where, if devices have the Workspace ONE Launcher profile assigned to them and the Launcher active status is False, the Launcher profile is re-pushed to the devices. The screenshot below shows the workflow setup.

Figure 9: Freestyle Orchestrator workflow to re-install the Launcher profile if the Launcher is not active on Android devices.

When the Launcher profile gets re-deployed, the Launcher app will re-launch. 

Summary

In conclusion, leveraging Workspace ONE Intelligence offers an invaluable advantage for modern IT departments in managing their critical resources. By integrating monitoring and automated remediation processes, organizations can ensure their endpoints remain compliant, secure, and operational. The ability to quickly identify issues in resource deployments and automate corrective actions not only enhances security but also improves device usability and business continuity. Moreover, the flexibility to customize dashboards and create detailed reports enables a more informed decision-making process. As enterprises continue to navigate complex digital landscapes, tools like Workspace ONE Intelligence provide the essential capabilities needed to maintain a resilient and responsive IT infrastructure, ensuring that business operations always run smoothly and securely.

 
