Workspace ONE MDM
Written by Faraz Yaghouti

HERE'S WHY

Having secure devices plays a major role in meeting compliance requirements. We want to support as many Mobile Device Management solutions (MDMs) as possible, in addition to providing our agent. We have heard from many of you that you use VMware Workspace ONE. This article goes over how to connect Workspace ONE to Drata and sync your compliance-related device information.

Before Diving In…

  1. Make sure you have admin access to your company's Workspace ONE account.

  2. We currently only support desktop devices (Windows and macOS). Mobile and tablet devices are not supported.

  3. Only one configuration source per machine is read. If a device reports through both the Drata agent and Workspace ONE, the Drata agent takes precedence.

  4. Prior to connecting Workspace ONE in Drata, contact your Workspace ONE rep to ask which Access Token URL applies to your organization. More info on the Access Token URL can be found in this VMware article.

  5. Mobile Device Management is not offered for the Workspace ONE Employee Essentials and Desktop Essentials plans. Please ensure your organization is using a plan that has MDM capabilities. We recommend Workspace ONE UEM.

  6. For Windows devices, you need to set up compliance policies (shown below). Please make sure the names exactly match the names we mention in the below steps, otherwise Drata cannot sync the data.

  7. For macOS devices, you only need to set up a profile to verify that the user has a screen lock (with password) enabled. The other compliance checks (disk encryption, auto updates, password manager, and antivirus) come automatically once the connection is set up; no configuration on your end is needed.

  8. Workspace ONE cannot natively detect browser extensions, so if a browser extension is being used as the password manager, that compliance check will fail. Your users will need to use the equivalent installed desktop application, and that application must appear in the device's Application List in Workspace ONE.

  9. Note: At this time, Drata's device compliance checks using the Workspace ONE connection confirm the following:

    1. Does the policy of the required name and/or type exist?

    2. Is that policy mapped to the device?

    3. Is that device compliant with that policy?

    If all three of the above criteria are met, Drata will show that device as passing.

HERE'S HOW

Overview of information needed to connect Workspace ONE to Drata:

  • Server URL: the REST API URL of your tenant. Workspace ONE tenants use different API subdomains (depending on data center location) or custom domains.

  • Authentication URL: the Access Token URL. Like the Server URL, it depends on where your tenant's data is hosted in Workspace ONE.

  • Client Key: the Client ID of an OAuth client that is assigned a read-only custom role (minimal permissions).

  • Client Secret: the secret issued together with that Client ID.

  • Account ID: a manual input field. You can enter any identifier you like to label the connection in Drata.

Server URL

Here is how to get the server URL after logging into your Workspace ONE account:

  • Navigate to Groups & Settings > All Settings

  • Navigate to System > Advanced > Site URLs

  • Copy and save the whole REST API URL field; this is entered into the "Server Url" field in Drata.

Authentication URL

Drata uses the Workspace ONE "Access Token URL" to obtain an authentication token, which it then presents to the REST API to pull your device data.

Available Access Token URLs can be found in this VMware article. The Token Services Region that serves each data center location is summarized below.

  Workspace ONE Token Services Region   Workspace ONE UEM SaaS Data Center Location
  Ohio (United States)                  All UAT environments
  Virginia (United States)              United States
  Virginia (United States)              Canada
  Frankfurt (Germany)                   United Kingdom
  Frankfurt (Germany)                   Germany
  Tokyo (Japan)                         India
  Tokyo (Japan)                         Japan
  Tokyo (Japan)                         Singapore
  Tokyo (Japan)                         Australia
  Tokyo (Japan)                         Hong Kong

Find the Access Token URL for your Token Services Region in the VMware article linked above.

To confirm that you are using the correct Access Token URL, test it with Postman or another tool that makes HTTP requests. The request is a standard OAuth 2.0 client-credentials grant:

URL

POST https://{{REGION}}.uemauth.vmwservices.com/connect/token

Headers

None need to be added by hand. Postman sets Content-Type: application/x-www-form-urlencoded when you choose that body type; if you use another tool, set that header yourself.

Body (x-www-form-urlencoded)

grant_type = client_credentials
client_id = {{CLIENT_ID}}
client_secret = {{CLIENT_SECRET}}

If the JSON response contains an "access_token" field, you have the right Access Token URL. Treat that token like a password: it carries the same read access as the OAuth client itself, so do not save it in a shared Postman collection.

The "client_id" and "client_secret" are obtained in the following section.
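The same check as a script, for anyone who prefers a terminal to Postman. This is an added example, not Drata's or VMware's code: it uses only the token URL pattern shown above, reads the credentials from environment variables so they never land in shell history, and separates building the request from interpreting the response so the response handling can be exercised without a network connection. The environment variable names (WS1_REGION, WS1_CLIENT_ID, WS1_CLIENT_SECRET) are this example's own choice.

```python
"""Test a Workspace ONE UEM Access Token URL with the OAuth 2.0 client-credentials grant.

Added example; not Drata's or VMware's code. Only the token endpoint pattern from the
article is used. The WS1_* environment variable names are an assumption of this script.
"""
import json
import os
import sys
import urllib.error
import urllib.request
from urllib.parse import urlencode

# Host pattern from the article; REGION is the subdomain for your Token Services Region.
TOKEN_URL_TEMPLATE = "https://{region}.uemauth.vmwservices.com/connect/token"


def build_token_request(region: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the POST that Postman sends: a form-encoded body with the matching Content-Type."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return urllib.request.Request(
        TOKEN_URL_TEMPLATE.format(region=region),
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def check_token_response(status: int, body: bytes) -> str:
    """Return the access token from a successful token response.

    Raises RuntimeError carrying the OAuth "error" code (or an explanation) otherwise,
    so a wrong region, wrong client ID or revoked secret is reported rather than hidden.
    """
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise RuntimeError(f"HTTP {status}: body is not JSON; check the host and the /connect/token path") from None
    token = payload.get("access_token")
    if status == 200 and isinstance(token, str) and token:
        return token
    raise RuntimeError(f"HTTP {status}: {payload.get('error', 'no access_token in response')}")


def request_token(region: str, client_id: str, client_secret: str) -> str:
    """Send the request and return the token (network call; not exercised offline)."""
    req = build_token_request(region, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return check_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        # 4xx responses from an OAuth token endpoint still carry a JSON error body.
        return check_token_response(exc.code, exc.read())


if __name__ == "__main__":
    # Usage: WS1_REGION=<region> WS1_CLIENT_ID=<id> WS1_CLIENT_SECRET=<secret> python ws1_token_check.py
    missing = [v for v in ("WS1_REGION", "WS1_CLIENT_ID", "WS1_CLIENT_SECRET") if v not in os.environ]
    if missing:
        sys.exit(f"set {', '.join(missing)} first")
    token = request_token(os.environ["WS1_REGION"], os.environ["WS1_CLIENT_ID"], os.environ["WS1_CLIENT_SECRET"])
    # Print only a prefix: the token is a live bearer credential for your tenant's REST API.
    print(f"access_token received ({len(token)} chars): {token[:12]}...")
```

A 200 response with an access_token confirms the Access Token URL; an OAuth error such as a rejected client ID or secret is surfaced with its error code instead of being mistaken for a wrong region.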

Client Key and Client Secret

A custom role limits what Drata can read from Workspace ONE. Create a new role that will be assigned to the OAuth credentials:

  • Navigate to ACCOUNTS > Administrators > Roles

  • Click on ADD ROLE

  • Create a new role with the following permissions in the All → API → REST section:

    • Check the "Read" box for "Devices" (needed to read devices)

    • Check the "Read" box for "Groups" (needed to pull the Group ID as identification)

    • Check the "Read" box for "Profiles" (needed to pull device profiles)

  • The role may be saved with any name. Leave the other (non-Read) permissions unchecked; Drata only needs read access. This role will be used for the credentials below.

Generate Credentials:

  • Navigate to Groups & Settings > Configurations

  • Search for OAuth and select OAuth Client Management

  • Click on ADD button

  • Add any name and description that you like

  • Add your organization group

  • Add the custom role created in the previous step

  • Click "SAVE"

  • A new window with the Client ID and Client Secret will appear. Copy and save this data in a secure location (a secrets manager, not a ticket or chat). Once the window is closed, the Client Secret cannot be retrieved again; you would have to repeat the steps above to create a new client.

Windows Compliance Policies:

We require some policies to pull information from Windows devices. All Compliance Policies can be found in DEVICES → Compliance Policies → List View.

Please make sure the names for the compliance policies match what we mentioned below, otherwise Drata cannot sync the data.

Antivirus:

This is used to check whether a device has antivirus. Add a new compliance policy:

  • Select a Windows version

  • Select the platform

  • Add the following rule configuration for the compliance check

  • Add Actions as desired

  • Select a group and Smart Groups

  • Name the policy “AntiVirus Status” exactly. If the name does not match, the Drata sync cannot read it.

  • The description can be whatever you like

Firewall Status:

This is used to check if the devices have an active firewall. Add the following configuration with the name “Firewall Status” exactly.

Automatic Updates:

This is used to check whether the devices have automatic updates enabled. Add the following configuration with the name “Automatic Updates” exactly.

Disk Encryption:

This is used to check if the devices have encrypted the hard disk. Add the following configuration with the name “Disk Encryption” exactly.

Passcode:

This is used to check if the devices have a passcode. Add the following configuration with the name “Passcode” exactly.
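The three criteria listed under "HERE'S WHY" (policy exists, policy is mapped to the device, device is compliant with it), applied to the five Windows policy names above. This is an added example, not Drata's code, and the dictionaries it runs on are a constructed shape, not the Workspace ONE REST API's response format; it exists to show concretely why a policy named "Antivirus Status" instead of "AntiVirus Status" fails the first check even though the device itself is compliant.

```python
"""Mirror of the three per-device checks described in this article, on constructed data.

Added example; not Drata's code. The policy/device dictionaries are a constructed
shape for illustration, not the Workspace ONE REST API format.
"""

# The five Windows policy names this article requires, spelled exactly as Drata reads them.
REQUIRED_WINDOWS_POLICIES = (
    "AntiVirus Status",
    "Firewall Status",
    "Automatic Updates",
    "Disk Encryption",
    "Passcode",
)


def evaluate_device(device_id: str, policies: list, required=REQUIRED_WINDOWS_POLICIES) -> dict:
    """Return {policy name: "pass"} or a reason string for each required policy.

    Check 1: a policy with exactly that name exists (case-sensitive, no trimming).
    Check 2: the policy is assigned to this device.
    Check 3: the device's status under that policy is Compliant.
    """
    by_name = {p["name"]: p for p in policies}
    results = {}
    for name in required:
        policy = by_name.get(name)
        if policy is None:
            # Flag near-misses that differ only in case or surrounding whitespace.
            near = [n for n in by_name if n.strip().casefold() == name.casefold()]
            results[name] = (f"missing (found {near[0]!r}; names must match exactly)"
                             if near else "missing")
            continue
        if device_id not in policy["assigned_devices"]:
            results[name] = "not assigned to this device"
            continue
        status = policy["status_by_device"].get(device_id, "Unknown")
        results[name] = "pass" if status == "Compliant" else f"device status: {status}"
    return results


def device_passes(results: dict) -> bool:
    """Drata shows the device as passing only when every required policy passes."""
    return all(r == "pass" for r in results.values())


# Constructed sample: two Windows devices and a policy list with one misnamed policy.
SAMPLE_POLICIES = [
    {"name": "Antivirus Status",  # wrong capitalisation: Drata will not match it
     "assigned_devices": {"WIN-001", "WIN-002"},
     "status_by_device": {"WIN-001": "Compliant", "WIN-002": "Compliant"}},
    {"name": "Firewall Status",
     "assigned_devices": {"WIN-001", "WIN-002"},
     "status_by_device": {"WIN-001": "Compliant", "WIN-002": "NonCompliant"}},
    {"name": "Automatic Updates",
     "assigned_devices": {"WIN-001", "WIN-002"},
     "status_by_device": {"WIN-001": "Compliant", "WIN-002": "Compliant"}},
    {"name": "Disk Encryption",
     "assigned_devices": {"WIN-001", "WIN-002"},
     "status_by_device": {"WIN-001": "Compliant", "WIN-002": "Compliant"}},
    {"name": "Passcode",  # only assigned to one device
     "assigned_devices": {"WIN-001"},
     "status_by_device": {"WIN-001": "Compliant"}},
]

if __name__ == "__main__":
    for dev in ("WIN-001", "WIN-002"):
        res = evaluate_device(dev, SAMPLE_POLICIES)
        print(dev, "PASS" if device_passes(res) else "FAIL")
        for policy_name, outcome in res.items():
            print(f"  {policy_name}: {outcome}")
```

Run against your own export of policy names and assignments before connecting: a device that is compliant in Workspace ONE but shows as failing in Drata is usually a name mismatch (check 1) or a missing Smart Group assignment (check 2), not a real control failure.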

macOS Profile:

macOS requires a profile to verify that the user has a screen lock (with password) enabled. No additional configuration is needed for the other compliance checks (disk encryption, automatic updates, password manager, and antivirus), as this information comes automatically once the connection is set up.

To create a profile do the following:

  • Go to RESOURCES → Profiles & Baselines → Profiles and click on ADD

  • Select a macOS version

  • Name must be “Passcode” exactly

  • "Require passcode on device" must be toggled on. Other settings can be configured as needed.

  • Add a group and an assignment type

  • Click on "SAVE & PUBLISH"

Unlinked Devices

Drata automatically unlinks a device saved in Drata if it has an external ID and is marked “Unenrolled” in Workspace ONE.
