Skip to main content
Workspace ONE MDM
Faraz Yaghouti avatar
Written by Faraz Yaghouti
Updated over a week ago

HERE'S WHY

Having secure devices plays a major role in meeting compliance requirements. We want to support as many Mobile Device Management solutions (MDMs) as possible, in addition to providing our agent. We have heard from many of you that you use VMware Workspace ONE. This article goes over how to sync & bring all of your compliance-related information from Workspace ONE to Drata.

Before Diving In…

  1. Make sure you have admin access to your company's Workspace ONE account.

  2. We currently only support desktop services. Mobile and tablet devices are not supported.

  3. Only one configuration source per machine will be read, with the Drata agent taking precedence.

  4. Prior to connecting Workspace ONE in Drata, please contact your Workspace ONE rep to ask them which access token URL is relevant for your organization. More info on the access token URL can be found in this VMWare article.

  5. Mobile Device Management is not offered for the Workspace ONE Employee Essentials and Desktop Essentials plans. Please ensure your organization is using a plan that has MDM capabilities. We recommend Workspace ONE UEM.

  6. For Windows devices, you need to set up compliance policies (shown below). Please make sure the names exactly match the names we mention in the below steps, otherwise Drata cannot sync the data.

  7. For MacOS devices, you only need to set up a profile to verify that the user has a screen lock (with password) enabled. The other compliance checks (disk encryption, auto updates, password manager, and antivirus) come automatically when you set up the connection – there is no configuration on your end needed.

  8. WorkspaceONE cannot natively pick up browser extensions, so if those are being used as a password manager, that compliance check will fail. Your users will need to use the equivalent installed desktop application. Ensure that this app shows on the device's Application List.

  9. Note: At this time, Drata’s device compliance checks using the Workspace One connection confirms the following:

    1. Does the policy of the required name and/or type exist?

    2. Is that policy mapped to the device?

    3. Is that device compliant with that policy?

    If all three of the above criteria are met, Drata will show that device as passing.

HERE'S HOW

Overview of information needed to connect Workspace ONE to Drata:

  • Server URL: In Workspace ONE, different clients have different API sub domains (depending on the location) or custom domains

  • Authentication URL: Same behavior as Server URL, and has a dependency on the location of your data in Workspace ONE

  • Client Key: OAuth enabled with minimal permission

  • Client Secret: OAuth enabled with minimal permission

  • Account ID: This is a manual input field. You can add any identifier you like.

Server URL

Here is how to get the server URL after logging into your Workspace ONE account:

  • Navigate to Groups & Settings > All Settings

  • Navigate to System > Advanced > Site URLs

  • Copy and save the REST API URL - this will be entered into the "Server Url" field in Drata

  • Please copy the whole field

Authentication URL

Drata will use the Workspace ONE "Access Token URL" is URL to pull an Authentication token to connect to Workspace ONE and pull your device data.

Available Access Token URLs can be found in this VMWare article.

Workspace ONE Token Services Region

Workspace ONE UEM SaaS Data Center Location

Access Token URL

Ohio (United States)

All UAT environments

Virginia (United States)

United States

Virginia (United States)

Canada

Frankfurt (Germany)

United Kingdom

Frankfurt (Germany)

Germany

Tokyo (Japan)

India

Tokyo (Japan)

Japan

Tokyo (Japan)

Singapore

Tokyo (Japan)

Australia

Tokyo (Japan)

Hong Kong

To know that you are using the correct Access Token URL, we recommend testing it with something like Postman or another tool to make HTTP requests.

URL

POST https://{{REGION}}.uemauth.vmwservices.com/connect/token

Header

No headers

Body

{ grant_type = “client_credentials” client_id = {{CLIENT_ID}} client_secret = {{CLIENT_SECRET}} }

If the response is an “access_token” you’ll know you have the right Access Token URL.

The “client_id” and the “client_secret” can be obtained in the following section.

Client Key and Client Secret

A custom role sets the access Drata will use to read Workspace ONE data. Create a new Role that will be applied to the OAuth credentials.

  • Navigate to ACCOUNTS > Administrators > Roles

  • Click on ADD ROLE

  • Create a new role with the following permissions on the All → API → REST section:

    • Check the box for "Read" for "​​Devices," needed to read devices

    • Check the box for "Read" for "​​Groups," needed to pull Group ID as identification

    • Check the box for "Read" for "​​Profiles," needed to pull device profiles

  • The role may be saved with any name. This role will be used for the credentials below.

Generate Credentials:

  • Navigate to Groups & Settings > Configurations

  • Search for OAuth and select OAuth Client Management

  • Click on ADD button

  • Add any name and description that you like

  • Add your organization group

  • Add the custom role created in the previous step

  • Click "SAVE"

  • A new window with Client ID and Client Secret will appear. Copy and save this data in a secure location. Once the window is closed, you cannot get the Client Secret again unless you re-do the above steps.

Windows Compliance Policies:

We require some policies to pull information from Windows devices. All Compliance Policies can be found in DEVICES → Compliance Policies → List View.

Please make sure the names for the compliance policies match what we mentioned below, otherwise Drata cannot sync the data.

Antivirus:

This is used to check if a device has Antivirus. Add a new Compliance Policy

  • Select a Windows version

  • Select platform

  • Add the following configuration for the compliance

  • Add Actions as desired

  • Select a Group and Smart Groups

  • Name the policy “AntiVirus Status” exactly. If the name does not match, Drata sync cannot read from it.

  • Description can be whatever you like

Firewall Status:

This is used to check if the devices have an active firewall. Add the following configuration with the name “Firewall Status” exactly.

Automatic Updates:

This is used to check whether the devices have automatic updates enabled. Add the following configuration with the name “Automatic Updates” exactly.

Disk Encryption:

This is used to check if the devices have encrypted the hard disk. Add the following configuration with the name “Disk Encryption” exactly.

Passcode

This is used to check if the devices have a passcode. Add the following configuration with the name “Passcode” exactly.

MacOS Profile:

MacOS requires a profile to verify that the user has a screen lock (with password) enabled. There is no additional configuration needed for the other compliance checks (Disk encryption, automatic updates, password manager, and antivirus) as this information will come automatically when you set up the connection.

To create a profile do the following:

  • Go to RESOURCES → Profiles & Baselines → Profiles and click on ADD

  • Select a macOS version

  • Name must be “Passcode” exactly

  • "Require passcode on device" must be toggled on. Other settings can be configured as needed.

  • Add a group and a type of assignment

  • Click on "SAVE & PUBLISH"

Unlinked Devices

We will automatically unlink devices that are saved in Drata if they have an external ID and are marked as “Unenrolled” in Workspace ONE.

Did this answer your question?