So as we move into the final week of October, I needed to come up with something good to discuss, as I have a Cal Ripken-esque streak of having an article hit. I landed on this idea: let’s pick 7 items you may not be familiar with in Workspace ONE. I mention them because they’re things you should be using today! I had a list of around 12 and narrowed that down to 10, but I think 7 is the right number. For fun, here is my top 10:
- Automatic Disablement of User Accounts
- Automatic Revoke Azure Tokens
- You should use the autogenerated API key to avoid potential throttling/performance issues
- There’s a privacy app!
- Windows and macOS have a Post-Enrollment Onboarding Experience
- You can use Custom Attributes in AD to Assign Devices to Org Groups
- All Apple Apps should be deployed as VPP
- You can tweak what WS1 Looks at for Windows Health Attestation
- WS1 has its own Intune-like App Protection Policies?
- There’s actually a good reason to use smart groups and user groups together?
So let’s get started and show you what special 7 I selected as great can’t miss features in Workspace ONE UEM!
Post-Enrollment Onboarding Experience
One of the items that I and many others have overlooked is the Post-Enrollment Onboarding UI, which fully surfaced around WS1 UEM 2105. I believe VMware envisioned this as an OOBE feature and then extended it to macOS. It addresses a bit of a sore spot with mostly minimal effort.
You configure it under Devices & Users > General > Enrollment > Optional Prompts which is probably why many people miss it.
You can see what the configuration screen looks like below:
The Windows splash page looks like this:
It’s pretty straightforward, and I wanted to highlight the use of lookup values to bring in a really solid, personalized experience for the user. Let’s check out the demo below to see what it looks like:
Automatically Disable Disabled User Accounts
A feature that I would wager roughly 60% of people know about is “Automatically Sync Enabled or Disabled User Status”, found in System > Enterprise Integration > Directory Services > User > Advanced:
Essentially, what this feature does is: when the accounts sync, if it sees the ACCOUNTDISABLE bit (0x2) set in the UserAccountControl attribute in AD, it will disable that account in Workspace ONE as well. As an example, when you disable a normal user account in AD, the attribute is set to 0x0202 (NORMAL_ACCOUNT plus ACCOUNTDISABLE). When the account is disabled in Workspace ONE, you will see the account deactivated and all enrolled devices should be unenrolled.
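To make the bit logic concrete, here is an added example (not from the original post or from VMware) that decodes UserAccountControl values the way the sync check has to, by testing the ACCOUNTDISABLE bit rather than comparing the whole integer. The directory records are constructed sample data; the flag values are Microsoft’s documented UserAccountControl bits.

```python
# Added example: decode AD userAccountControl and predict which accounts a
# "Sync Enabled or Disabled User Status" pass would deactivate in WS1 UEM.

# Well-known userAccountControl flag bits (Microsoft-documented values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Return the names of all flags set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_disabled(value):
    """True when the ACCOUNTDISABLE bit is set, whatever other bits are present."""
    return bool(value & ACCOUNTDISABLE)


def naive_is_disabled(value):
    """The mistake to avoid: checking only for the common 0x0202 value."""
    return value == 0x0202


def users_to_deactivate(directory_records):
    """Given (sAMAccountName, userAccountControl) pairs as a directory sync
    returns them, list the accounts WS1 would deactivate (and unenroll)."""
    return [name for name, uac in directory_records if is_disabled(uac)]


# Constructed sample records; typical AD defaults, not taken from a real tenant.
SAMPLE_RECORDS = [
    ("alice", 0x0200),   # enabled normal account
    ("bob", 0x0202),     # disabled in ADUC: NORMAL_ACCOUNT | ACCOUNTDISABLE
    ("carol", 0x10202),  # disabled AND password never expires; naive check misses it
    ("dave", 0x10200),   # enabled, password never expires
]

if __name__ == "__main__":
    for name, uac in SAMPLE_RECORDS:
        print(f"{name:6} 0x{uac:05X} {decode_uac(uac)} disabled={is_disabled(uac)}")
    print("WS1 would deactivate:", users_to_deactivate(SAMPLE_RECORDS))
```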
Automatic Revoking of Azure Tokens
This feature is a true hidden gem. We can leverage it in 2 ways: compliance and device unenrollment. You enable the feature in Directory Services as you can see below:
It does exactly what it says it does. When you delete or wipe a device, it revokes that user’s Azure token. They will be prompted to sign back in on every device that is currently logged into Office 365. It is such a great feature, period.
Additionally it is an option with compliance policies also:
Using the Auto-Generated UEM API Key
One of the best kept secrets is using the WS1 UEM Auto-generated API key. Most people are unaware that neglecting to use it may cause your commands to be throttled between WS1 UEM and Access, which has created some problems for some of the larger customers. It’s really just a single click of the button and you are good to go:
Workspace ONE SDK App Compliance
This is one that I didn’t even realize was available now. Similar to Intune App Protection Policies, you can apply an app policy to every WS1-owned app, SDK app, or app-wrapped app that takes actions based on application version, inactivity, OS version, or security patch dates. You can find this under Apps > Settings and Policies > SDK App Compliance.
All Apple Apps Should Be Deployed as VPP
This one most people know, but if even 1 person doesn’t realize it, then it is a win. Apple’s Volume Purchasing Program is for free apps too! Typically you will want to use VPP for a few reasons:
- You can install Apps without an Apple ID requirement
- Apps can be automatically updated
- Simplifies deployment for macOS
Overall, people should rely on programs like the Apple Volume Purchasing Program as much as possible because it eliminates most of the friction.
Why Do We Use Smart Groups and User Groups Together?
This last one is more of a service announcement.
Smart Groups today are the gold standard for deployments in Workspace ONE, but using them together with user groups to make them more dynamic is always the best policy:
The reason we do that, which has saved me a few times, is “Maximum Allowable Changes” at the User Group level. This feature will protect you when someone screws up, like accidentally removing a nested group from an AD group:
I’ve worked at more than one company where this happened and our protections saved the day. User Groups are very useful when you use them correctly. You can also leverage creative LDAP queries as I mentioned in a past article on elevating your WS1 UEM Deployment last year. It’s always fun to see how far you can push the limits. Reminds me of an article that I read today about passing the username from Azure directly into Workspace ONE Access, which is a great find and an example of always doing more and being better.
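To show why the Maximum Allowable Changes safeguard matters, here is an added example (not Workspace ONE code) that models a directory-group sync guard: it diffs the incoming membership against the last known one and refuses to apply the update when the number of changes exceeds a limit. The exact threshold semantics and the group names are assumptions constructed for illustration.

```python
# Added example: a membership-sync guard modelled on "Maximum Allowable Changes".
# Assumption: the limit counts additions plus removals in a single sync.


def diff_membership(current, incoming):
    """Return (added, removed) member sets between stored and incoming membership."""
    current, incoming = set(current), set(incoming)
    return incoming - current, current - incoming


def apply_sync(current, incoming, max_changes):
    """Apply the incoming membership only if the change count is within max_changes.

    Returns (applied, membership, reason). When blocked, the last known membership
    is kept so device assignments driven by this group are not ripped away."""
    added, removed = diff_membership(current, incoming)
    changes = len(added) + len(removed)
    if changes > max_changes:
        reason = f"blocked: {changes} changes > {max_changes} (+{len(added)} -{len(removed)})"
        return False, set(current), reason
    return True, set(incoming), f"applied: {changes} changes"


# Constructed scenario: AD group "WS1-Laptops" holds a nested group "Sales-Users".
NESTED_SALES = {f"sales{i:02d}" for i in range(1, 41)}   # 40 members via nesting
DIRECT_MEMBERS = {"itadmin1", "itadmin2", "helpdesk1"}
LAST_KNOWN = DIRECT_MEMBERS | NESTED_SALES                # 43 members after last sync

# Normal day: one leaver and one joiner resolved through the nested group.
ROUTINE_SYNC = (LAST_KNOWN - {"sales07"}) | {"sales41"}
# Bad day: someone removed the nested group, so all 40 sales members vanish at once.
NESTED_GROUP_REMOVED = set(DIRECT_MEMBERS)

if __name__ == "__main__":
    scenarios = (("routine", ROUTINE_SYNC), ("nested group removed", NESTED_GROUP_REMOVED))
    for label, incoming in scenarios:
        applied, members, reason = apply_sync(LAST_KNOWN, incoming, max_changes=10)
        print(f"{label}: {reason}; members now {len(members)}")
```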
Not everyone is going to be willing to dig through all of the documentation, settings, and nonsense to figure out what a platform can do. I am proof positive that everyone can learn something by digging deep and seeing what is possible. When 2109 comes out imminently, they have a few great new features, which I will write about soon. I have to give VMware credit as they continue to deliver capabilities that enhance the experience for administrators and empower us to elevate the user experience.