Use Microsoft Conditional Access Registration status in Workspace ONE Intelligence for Reporting and Automation
With the UEM 23.10 Update for Conditional Access ( Details here: https://digitalworkspace.one/2023/12/20/workspace-one-uem-conditional-access-update-with-uem-23-10/ ) the UEM Admin part was much easier, but I thought it might be a good thing to not stop there. So what about to have this functionality in Intelligence, so having Reports, Dashboards and Automations there to have full visibility over the fleet and also automate based on the registration. With the UEM 23.10.0.4 Version of UEM and newer this is possible now. So let us have a look.
Reporting
Starting with Reporting , When selecting the Category “Workspace ONE UEM → Devices” you can filter on the AAD Attribute.
First let us create a Report with Device that are not Registered with Azure / Entra AD therfore select the following Filter:
“Microsoft AAD Device ID” IS “NULL/EMPTY“
AND
“Enrollment Status” INCLUDES “(Enrolled)“
It will look like this:
to define Fields of the Report ,just add them as you with in the Reporting Section.
now let us create a Report with Device that are Registered with Azure / Entra AD therfore select the following Filter:
“Microsoft AAD Device ID” IS “IS NOT NULL/EMPTY“
AND
“Enrollment Status” INCLUDES “(Enrolled)“
It will look like this:
In the Report you will then see the Fields selected for the AAD Registered Devices.
Dashboard
Now let us use the same Filters and create a Dashboard by selecting the Category “Workspace ONE UEM → Devices” and Chart Type Dounut. I selected the measure : “Count” of “Device ID” and Group by: “Platform” :
Once we add the filters of the “Microsoft AAD Device ID” IS “IS NOT NULL/EMPTY“ and the Enrollment Status we have the Dashboard ready.
Here a Sample Dashboard I created.
This can be downloaded ad Imported in Intelligence: https://github.com/EUCPatrick/Intel-Connector/blob/main/Dashboard%20AAD%20Registration%20Status.json
Automation
To automate for example a Device that is not Registered , but needs to complete the Registration we can send down a Notification to register. I used an Android already enrolled device as a Example here, but similar it would also work on iOS or directly after enrollment.
When creating the Automation I used the Category “Workspace ONE UEM → Devices” and the Filtering on Platform , Enrollment Status and AAD Device ID like shown here:
To send a Notification “Workspace ONE Hub Services” with the Action “Send Notification” can be used.
To add a Link for registration on Android the Follwing can be used : “awagent://com.airwatch.androidagent?component=conditionalaccess&partnertype=microsoft “
On the Device itself the Notification will look like this and you can register the Device with the Register “Now Button”
To the full experience of this Registration via a Notification can be seen here:
This is just a sample usecase for Automation using the Registration Status. You also can work with Tags during the automations and only install Apps once registered and a lot of more.
Special thanks to the Intelligence Product Team for the Collaboration and bringing this feature to GA within the short time.
vExpert, blogger and VMware champion. Worked 10 years as a VMware & Microsoft consultant for a partner before joining VMware in 2017.