AI Integration for VMware Workspace ONE

A technical guide for integrating AI with VMware Workspace ONE UEM and Intelligence APIs to automate device management, enhance security, and optimize endpoint operations through intelligent workflows.
ARCHITECTURE AND ROLLOUT

Where AI Fits into Workspace ONE

A practical blueprint for integrating AI into VMware Workspace ONE's unified endpoint management (UEM) and intelligence surfaces.

AI integration for Workspace ONE connects at three primary layers: the UEM API for device and application control, Workspace ONE Intelligence for analytics and automation, and the Intelligent Hub for user-facing interactions. The most immediate integration points are the REST APIs governing device inventory (/api/mdm/devices), application management (/api/mdm/apps), and profiles. AI agents can consume this telemetry—battery health, storage, OS version, compliance state, installed apps—to trigger automated remediations via scripts or profile pushes, moving from reactive ticket-based support to predictive maintenance.

High-value workflows center on Freestyle Orchestrator and Intelligence automation. For example, an AI layer can analyze device compliance drift in Intelligence, then automatically build and trigger a Freestyle workflow that applies a corrective configuration profile, logs the action, and notifies the user via Hub. Another pattern uses AI to optimize the application catalog: analyzing user role, department, and historical app usage to dynamically assign or recommend applications, automating license reclamation. For security, AI models can correlate device risk scores from integrated EDR platforms with UEM context to automatically quarantine non-compliant devices by pushing restrictive network profiles.

Rollout should start with a read-only integration to a sandbox UEM environment, using the APIs to build a baseline understanding of device estate patterns. Phase one typically automates a single, high-volume workflow like compliance reporting or proactive storage cleanup. Governance is critical: all AI-triggered actions should be routed through an approval queue or audit log within Workspace ONE Intelligence before execution, and prompts or models should be version-controlled. This ensures changes are reversible and traceable, aligning with ITIL change management. For teams managing diverse OS fleets, this AI layer becomes the central brain for cross-platform policy enforcement, reducing the cognitive load on admins juggling Windows, macOS, iOS, and Android separately.

The business impact is operational: turning device management from a manual, ticket-driven cost center into a proactive, self-healing utility. Realistic outcomes include reducing time-to-resolution for common device issues from hours to minutes, shrinking the window for compliance violations, and freeing up IT staff from routine profile and app assignment tasks. By using Workspace ONE's existing APIs and automation surfaces, the integration avoids costly platform replacement, extending the value of your current UEM investment. For a deeper dive on specific automation patterns, see our guide on AI Integration for Workspace ONE Freestyle Orchestrator or AI-Powered Device Health Monitoring.

ARCHITECTURE BLUEPRINT

Workspace ONE Integration Surfaces for AI

Core Management & Automation Layer

The Workspace ONE UEM console and its comprehensive REST API provide the primary integration surface for AI-driven device and application management. This is where you programmatically enforce policies, retrieve real-time inventory, and execute remote actions.

Key Integration Points:

  • Device Management API: Fetch detailed device inventory (model, OS, compliance status, installed apps, security posture). Use this data to train AI models for predictive failure analysis or compliance risk scoring.
  • Application Management API: Automate app assignment, distribution, and license reclamation. An AI layer can analyze usage patterns to dynamically assign applications or trigger automated removal of unused software.
  • Events API: Subscribe to real-time webhooks for device enrollment, compliance state changes, or security incidents. AI agents can consume these events to trigger automated remediation workflows, such as pushing a configuration profile or executing a script via the scripts API.

Example AI Workflow: An AI model monitoring the Events API detects a cluster of devices falling out of compliance. It analyzes the inventory data, identifies the root cause (e.g., a missing security patch), and uses the UEM API to automatically deploy the required patch payload to the affected device group.

UNIFIED ENDPOINT MANAGEMENT

High-Value AI Use Cases for Workspace ONE

Integrate AI directly into VMware Workspace ONE UEM and Intelligence workflows to automate complex device management tasks, predict issues before they impact users, and enable intelligent self-service. These patterns leverage the platform's REST APIs, Freestyle Orchestrator, and Intelligent Hub to move from reactive to proactive operations.

01. Predictive Device Health & Proactive Remediation

AI models analyze telemetry from Workspace ONE (battery cycles, storage, crash reports, OS builds) to predict device failures. Automatically trigger Freestyle Orchestrator workflows to run diagnostic scripts, notify users, or create preemptive service desk tickets in connected ITSM platforms like ServiceNow.

Support model shift: Reactive → Predictive

02. Intelligent Application Management & License Optimization

Use AI to analyze app installation, usage, and sentiment data from the Workspace ONE catalog. Automate license reclamation for unused apps, generate intelligent app recommendations for user roles, and dynamically adjust assignment groups based on department, location, and historical usage patterns via the UEM API.

Assignment logic: Batch → Dynamic

03. AI-Powered Compliance & Security Automation

Continuously evaluate device compliance states against internal policies and external threat intelligence. Use AI to prioritize violations, auto-remediate common issues via scripts or profile pushes, and orchestrate complex responses—like quarantining non-compliant devices in network access control (NAC) systems—through Workspace ONE Intelligence automation triggers.

Violation response: Hours → Minutes

04. Context-Aware Self-Service in Intelligent Hub

Embed an AI assistant within the Workspace ONE Intelligent Hub mobile app. Using the device's context (OS version, installed apps, compliance status), the assistant provides personalized troubleshooting, answers IT policy questions, and can execute approved self-remediation actions via secure API calls, deflecting tier-1 support tickets.

Typical tier-1 ticket reduction: 40% deflection

05. Smart Onboarding & Lifecycle Orchestration

AI orchestrates the entire device lifecycle. For onboarding, it analyzes a new hire's HRIS data (role, department) to automatically assign the correct Workspace ONE profiles, apps, and resources. For offboarding, it triggers automated wipe workflows, license recovery, and asset record updates in integrated systems, ensuring policy compliance.

Onboarding timeline: Days → Hours

06. Freestyle Orchestrator with AI Decision Points

Enhance low-code automation in Freestyle Orchestrator with AI decision nodes. For example, an AI model can analyze the content of a support ticket or device log ingested via webhook, then dynamically select the most effective remediation workflow branch to execute, adapting to the root cause without manual intervention.

Workflow intelligence: Static → Adaptive

INTEGRATION BLUEPRINTS

Example AI-Driven Workflows

These workflows demonstrate how to connect AI models and agents to Workspace ONE UEM and Intelligence APIs, creating self-healing endpoints and proactive operations. Each blueprint includes the trigger, data context, AI action, and system update.

Trigger: Workspace ONE Intelligence analytics detects a device exhibiting patterns correlated with imminent hardware failure (e.g., rapid battery health decline, repeated kernel panics, abnormal thermal events).

Context Pulled:

  • Device diagnostics and event logs via the GET /api/mdm/devices/{id}/diagnostics endpoint.
  • Historical failure data from the Workspace ONE Intelligence data lake.
  • Device model and warranty status from the asset inventory.

AI Agent Action:

  1. A classification model assesses the failure probability and likely component (battery, storage, logic board).
  2. An orchestration agent evaluates the business context: user role, device criticality, and local stock availability.
  3. The agent decides on the remediation path: immediate replacement for critical users or proactive scripted remediation for non-critical issues (e.g., storage cleanup, cache reset).

System Update / Next Step:

  • If replacement is warranted, the agent:
    • Creates a ticket in the connected ITSM (e.g., ServiceNow) via webhook with all context.
    • Updates the device's custom attribute in Workspace ONE to Status: Pending Replacement.
    • Triggers an automated email to the user with next steps, using the POST /api/mdm/devices/{id}/sendemail command.
  • If a software fix is possible, the agent uses Freestyle Orchestrator to push a targeted remediation script or configuration profile.

PRODUCTION-READY INTEGRATION PATTERNS

Implementation Architecture: Data Flow and Guardrails

A practical blueprint for connecting AI models to VMware Workspace ONE's UEM and Intelligence APIs to automate endpoint operations.

A production AI integration for Workspace ONE is built on a secure middleware layer that sits between your AI models (e.g., OpenAI, Anthropic, open-source LLMs) and the Workspace ONE UEM Console APIs. This layer handles authentication (using API keys or OAuth for VMware Cloud Services), manages API rate limits, and transforms AI-generated decisions into executable API calls. Core data flows include:

  • Ingestion: Pulling device inventory, compliance status, application lists, and event logs from the /api/mdm/devices, /api/mdm/devices/{id}/apps, and Workspace ONE Intelligence data sources.
  • Processing: Your AI models analyze this data for patterns: predicting device failures from battery/storage trends, grouping devices for dynamic policy assignment, or drafting scripted remediations for common OS issues.
  • Action: The middleware executes approved actions via the UEM API, such as pushing a new profile (POST /api/mdm/devices/{id}/profiles), triggering a Freestyle Orchestrator workflow, or assigning an application. All actions are logged with a source: "ai-orchestrator" tag for auditability.

Critical guardrails must be engineered into the data flow to prevent unintended consequences:

  • Approval Gates: For high-impact actions (remote wipe, broad policy changes), the system should default to creating a ticket in your ITSM or a task in Workspace ONE Intelligence for admin review. Lower-risk actions (app assignment to a test group, non-critical script execution) can be automated based on confidence scores.
  • Rate Limit & Retry Logic: The middleware must respect Workspace ONE API rate limits (typically 120-180 requests/minute), implementing intelligent queuing and exponential backoff for retries.
  • Data Minimization & Privacy: Only necessary device attributes (serial number, model, compliance status) should be sent to external AI models. For sensitive environments, consider on-premise model deployment or using VMware's data processing agreements for cloud AI services.
  • Rollback Capability: Every configuration change pushed via AI should be tagged with a unique correlation ID, enabling instant rollback via API if monitoring detects a spike in help desk tickets or device errors.
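
One way to implement the approval gate, the audit tag and the correlation-ID rollback lookup from the list above, as an added example rather than code from the original page. The action names, the confidence threshold and the device cap are assumptions to adapt to your own change policy.

```python
import time
import uuid
from dataclasses import dataclass, field

# Hypothetical action names; map them to the UEM calls your middleware wraps.
HIGH_IMPACT = {"remote_wipe", "policy_change"}       # always reviewed by an admin
LOW_RISK = {"assign_app_test_group", "run_script"}   # may run unattended
AUTO_CONFIDENCE = 0.9    # assumed threshold for unattended execution
MAX_AUTO_DEVICES = 25    # assumed cap on devices changed without review


@dataclass
class ProposedAction:
    action: str
    device_ids: list
    confidence: float
    rationale: str = ""


@dataclass
class Gate:
    audit_log: list = field(default_factory=list)

    def decide(self, p: ProposedAction) -> dict:
        """Return an audit record whose 'decision' is execute, review or reject."""
        if p.action in HIGH_IMPACT:
            decision, why = "review", "high-impact action"
        elif p.action not in LOW_RISK:
            decision, why = "reject", "action not on the allowlist"
        elif len(p.device_ids) > MAX_AUTO_DEVICES:
            decision, why = "review", "too many devices for an unattended change"
        elif p.confidence < AUTO_CONFIDENCE:
            decision, why = "review", "confidence below threshold"
        else:
            decision, why = "execute", "low-risk action with high confidence"
        record = {
            "correlation_id": str(uuid.uuid4()),
            "source": "ai-orchestrator",   # audit tag named in the data flow
            "action": p.action,
            "device_ids": list(p.device_ids),
            "confidence": p.confidence,
            "decision": decision,
            "reason": why,
            "timestamp": time.time(),
        }
        self.audit_log.append(record)      # every proposal is logged, even rejected ones
        return record

    def rollback_targets(self, correlation_id: str) -> list:
        """Devices touched by one executed change, for a targeted rollback."""
        return [d for r in self.audit_log
                if r["correlation_id"] == correlation_id and r["decision"] == "execute"
                for d in r["device_ids"]]


if __name__ == "__main__":
    gate = Gate()
    for proposal in (ProposedAction("remote_wipe", ["d1"], 0.99),
                     ProposedAction("run_script", ["d1", "d2"], 0.95)):
        print(gate.decide(proposal)["decision"])
```

Unknown actions are rejected rather than queued, so a model that invents a new action name cannot reach the UEM API through this path.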

Rollout follows a phased, observe-orient-decide-act (OODA) loop. Start in a monitoring-only phase, where the AI system analyzes data and generates recommended actions for admin review in a dashboard. Next, move to limited automation for low-risk, high-volume tasks like tagging devices based on intelligent grouping. Finally, implement closed-loop automation for specific, well-understood workflows—such as using AI to analyze crash reports and automatically deploying a remediation script via Freestyle Orchestrator. Continuous feedback is wired back into the AI system using Workspace ONE Intelligence events and help desk ticket data to refine decision models. This architecture ensures AI augments—rather than disrupts—your existing UEM operational controls.

INTEGRATION PATTERNS FOR WORKSPACE ONE

Code and Payload Examples

Triggering Actions Based on AI Risk Scores

Use the Workspace ONE UEM REST API to fetch device compliance data, enrich it with an AI risk model, and execute automated remediation actions. A common pattern is to have a scheduled job query the /api/mdm/devices endpoint, pass device attributes to an AI service for scoring, and then push scripts or profiles to high-risk devices.

Example Python call to fetch non-compliant devices and trigger a script:

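```python
import os

import requests

# Tenant-specific settings. The environment variable names are placeholders;
# credentials are read from the environment rather than hard-coded.
INSTANCE = os.environ["WS1_INSTANCE"]        # fills {instance} in the auth host
HOSTNAME = os.environ["WS1_API_HOSTNAME"]    # your UEM API host
TIMEOUT = 30                                 # seconds, applied to every request

# 1. Authenticate and get bearer token
auth_url = f"https://as{INSTANCE}.awmdm.com/api/oauth2/token"
auth_payload = {
    "grant_type": "client_credentials",
    "client_id": os.environ["WS1_CLIENT_ID"],
    "client_secret": os.environ["WS1_CLIENT_SECRET"],
}
auth_response = requests.post(auth_url, data=auth_payload, timeout=TIMEOUT)
auth_response.raise_for_status()
token = auth_response.json()["access_token"]

headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}

# 2. Fetch devices with a specific compliance status (e.g., "NonCompliant")
devices_url = f"https://{HOSTNAME}/api/mdm/devices/search"
devices_response = requests.get(
    devices_url,
    params={"compliantstatus": "NonCompliant"},
    headers=headers,
    timeout=TIMEOUT,
)
devices_response.raise_for_status()
# An empty result may come back without a body, so guard before parsing
devices = devices_response.json().get("Devices", []) if devices_response.content else []

# 3. For each device, call AI service to evaluate risk and decide action
for device in devices[:10]:  # Limit for example
    device_id = device["Id"]["Value"]
    ai_payload = {
        "device_id": device_id,
        "model": device["Model"],
        "os_version": device["OperatingSystem"],
        "last_check_in": device["LastSeen"],
    }
    # Call your AI risk scoring endpoint
    score_response = requests.post(
        "https://your-ai-service/score", json=ai_payload, timeout=TIMEOUT
    )
    score_response.raise_for_status()
    risk_score = score_response.json()["score"]

    if risk_score > 0.8:
        # 4. Execute high-risk action: Push a remediation script
        script_url = f"https://{HOSTNAME}/api/mdm/devices/{device_id}/scripts"
        script_payload = {
            "ScriptId": "your-remediation-script-id",
            "Command": "Install",
        }
        push_response = requests.post(
            script_url, json=script_payload, headers=headers, timeout=TIMEOUT
        )
        push_response.raise_for_status()  # surface failed pushes instead of ignoring them
```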
AI INTEGRATION FOR WORKSPACE ONE

Realistic Time Savings and Operational Impact

How AI integration transforms key VMware Workspace ONE UEM and Intelligence workflows, moving from reactive to predictive operations.

| Workflow | Before AI | After AI | Implementation Notes |
| --- | --- | --- | --- |
| Device Compliance Violation Triage | Manual review of 1000+ devices; 4-8 hours weekly | AI-prioritized list of high-risk devices; review in <1 hour | AI scores violations based on user role, data sensitivity, and threat intel |
| Application License Reclamation | Quarterly manual audit; 2-3 days of analyst time | Continuous AI analysis of installs vs. usage; automated reports | Integrates with Workspace ONE Intelligence for usage data; flags unused entitlements |
| Endpoint Performance Issue Root Cause | Manual log correlation and user interviews; 45-90 minutes per ticket | AI correlates UEM events, logs, and telemetry; suggests cause in <5 mins | Leverages Freestyle Orchestrator to auto-execute diagnostic scripts |
| OS Patch Deployment Scheduling | Static schedules based on broad device groups; high user disruption risk | AI-driven dynamic scheduling based on user patterns and business cycles | Analyzes user calendar, location, and network data to minimize impact |
| New Hire Device Provisioning | Manual profile/app assignment based on ticket; 30-60 mins per device | AI-driven zero-touch provisioning with dynamic policy assignment | Integrates with HRIS; assigns profiles based on department, location, and role |
| Security Incident Response (e.g., lost device) | Manual risk assessment and approval for remote wipe; 15-30 mins | AI evaluates context (location, last sync, data sensitivity); auto-triggers action | Approval loop remains for high-risk actions; logs rationale for audit |
| Help Desk Ticket Enrichment from UEM | Agent manually queries multiple UEM screens for device context | AI auto-attaches device health, policies, and recent changes to ticket | Uses Workspace ONE APIs; integrates with ServiceNow or Jira Service Management |

ARCHITECTING CONTROLLED AI OPERATIONS FOR UEM

Governance, Security, and Phased Rollout

Integrating AI with VMware Workspace ONE requires a deliberate approach to security, policy enforcement, and change management to protect enterprise data and maintain operational stability.

Production AI integrations should be architected with a clear separation of duties and data flows. AI models and agents typically operate in a dedicated inference layer, calling the Workspace ONE UEM and Intelligence REST APIs to read device inventory, compliance states, and event logs. All write actions—such as pushing a new configuration profile, triggering a script via Freestyle Orchestrator, or changing a device's compliance state—must flow through a governance service. This service enforces role-based access control (RBAC), logs all actions to an immutable audit trail, and can require human-in-the-loop approval for high-risk operations like remote wipes or broad policy changes.
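
A sketch of the write path through such a governance service, added here as an example and not taken from the original page: an RBAC check per request and a hash-chained log, which is one way to make the audit trail tamper-evident. The role names, action names and record layout are assumptions.

```python
import hashlib
import json

# Hypothetical role-to-action map for the service accounts that call the service.
ROLE_ACTIONS = {
    "ai-readonly": {"read_inventory"},
    "ai-remediator": {"read_inventory", "run_script", "push_profile"},
}
GENESIS = "0" * 64  # previous-hash value for the first record


def _digest(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditChain:
    """Append-only log in which each record commits to the one before it."""

    def __init__(self):
        self.records = []

    def append(self, entry: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"entry": entry, "prev": prev, "hash": _digest(prev, entry)}
        self.records.append(record)
        return record

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad record."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["entry"]):
                return i
            prev = rec["hash"]
        return -1


def authorize(chain: AuditChain, role: str, action: str, device_id: str) -> bool:
    """RBAC check for a write request; allowed and denied requests are both logged."""
    allowed = action in ROLE_ACTIONS.get(role, set())
    chain.append({"role": role, "action": action, "device": device_id, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    chain = AuditChain()
    print(authorize(chain, "ai-remediator", "run_script", "device-1"))
    print(authorize(chain, "ai-readonly", "push_profile", "device-2"))
    print(chain.verify())
```

The chain only detects edits if the latest hash is periodically copied to storage that the inference layer and the governance service cannot rewrite.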

A phased rollout is critical for managing risk and measuring impact. Start with a read-only pilot where AI agents analyze data from a test device group to generate insights and recommendations, but take no autonomous actions. Phase two introduces assisted remediation, where the AI suggests specific scripts or profile updates to admins via a ticketing system like ServiceNow, who then approve and execute them manually through Workspace ONE. The final phase, controlled automation, enables the AI to execute pre-approved, low-risk actions directly—such as applying a predefined compliance remediation script to non-critical devices—while still escalating exceptions and anomalies for human review.

Security considerations are paramount. Ensure the AI system only accesses Workspace ONE APIs using service accounts with the minimum necessary scopes (e.g., READ for inventory, WRITE for specific orchestration tasks). All prompts and context sent to LLMs must be scrubbed of sensitive personal data (PII) and device identifiers. Implement a vector database for grounding AI responses in your official Workspace ONE documentation and approved scripts to reduce hallucination. Finally, establish continuous monitoring to track the AI's action success rate, flag unintended policy drift, and validate that automation is achieving the intended operational outcomes, such as reduced mean-time-to-resolution (MTTR) for common device issues.
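
An added example (not from the original page) of the scrubbing step described above, which also serves the data-minimization guardrail listed earlier: an attribute allowlist, a keyed pseudonym in place of the device identifier, and redaction of free text. It follows the stricter of the two passages and keeps the serial number inside the middleware; the sample record, the `device_token` key and the function names are assumptions.

```python
import hashlib
import hmac
import re

# Attributes allowed to leave the middleware; everything else is dropped.
ALLOWED_FIELDS = {"Model", "OperatingSystem", "ComplianceStatus", "LastSeen"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample record, for illustration only.
SAMPLE = {"Id": {"Value": 4711}, "SerialNumber": "C02XK0AAJGH5", "UserName": "jdoe",
          "UserEmailAddress": "jdoe@example.com", "Model": "MacBook Pro",
          "OperatingSystem": "14.4.1", "ComplianceStatus": "NonCompliant",
          "LastSeen": "2024-05-01T08:15:00"}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, stable token: same device gives the same token, useless without the key."""
    return "dev-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def minimize(device: dict, key: bytes) -> tuple:
    """Return (payload for the model, token-to-id map that stays in the middleware)."""
    device_id = str(device["Id"]["Value"])
    token = pseudonym(device_id, key)
    payload = {k: v for k, v in device.items() if k in ALLOWED_FIELDS}
    payload["device_token"] = token
    return payload, {token: device_id}


def scrub_text(text: str, known_identifiers: list) -> str:
    """Remove e-mail addresses and known identifiers from free text such as logs."""
    text = EMAIL_RE.sub("[email]", text)
    for ident in known_identifiers:
        if ident:
            text = text.replace(ident, "[redacted]")
    return text


def resolve(token: str, mapping: dict) -> str:
    """Map the model's answer back to a device; unknown tokens are refused."""
    if token not in mapping:
        raise KeyError("model referenced a device it was never given")
    return mapping[token]


if __name__ == "__main__":
    key = b"load-this-from-your-secret-store"   # placeholder key
    payload, mapping = minimize(SAMPLE, key)
    print(payload)
    print(scrub_text("sync failed for jdoe@example.com on C02XK0AAJGH5",
                     [SAMPLE["SerialNumber"], SAMPLE["UserName"]]))
    print(resolve(payload["device_token"], mapping))
```

Refusing tokens that were never issued also stops a model response from steering an action onto a device outside the batch it was shown.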

VMWARE WORKSPACE ONE AI INTEGRATION

Frequently Asked Questions

Practical answers for architects and IT leaders planning AI integration with VMware Workspace ONE UEM, Intelligence, and Freestyle Orchestrator.

AI integration connects to three primary layers within the Workspace ONE platform:

  1. UEM REST API: For core device management actions (profile deployment, commands, inventory queries). An AI agent can call endpoints like POST /api/mdm/devices/{deviceid}/profiles to apply configurations or GET /api/mdm/devices/{deviceid} to retrieve real-time context.
  2. Workspace ONE Intelligence API: This is the analytics engine. AI models consume aggregated event streams, compliance scores, and user behavior data from Intelligence to make predictive decisions (e.g., flagging devices likely to fall out of compliance).
  3. Freestyle Orchestrator: AI can act as a decision node within low-code workflows. For example, a workflow trigger (e.g., "Device storage > 90%") can call an AI model via webhook to analyze the device's app usage history. The AI returns a recommendation (e.g., "Clear cache for App X"), and the Orchestrator executes the corresponding remediation script.

Typical Architecture: AI logic runs in a separate service (cloud or on-prem). It authenticates to Workspace ONE using OAuth 2.0 client credentials, listens for webhooks from Intelligence alerts or UEM events, processes the data, and returns actionable commands via the APIs.

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.