VMware Workspace ONE Tech Zone Workspace ONE Unified Endpoint Management

Get to know Linux management in Workspace ONE

This article, Linux Management Has Arrived!, was originally published at the VMware Digital Workspace Tech Zone Blog

Back when I was on the AirWatch Sales Engineering Team, I was occasionally asked whether it was possible to enroll and manage Linux endpoints alongside Android, iOS, Windows, and macOS devices. But the request was rare, because outside of the server room Linux was rare in the enterprise. Since then, this has changed dramatically, with the rise of Linux for developer workstations and the ever-increasing number of Internet of Things (IoT) endpoints connected to the network. As the Linux ecosystem continues to expand, it is critical that organizations have a strategy in place for securing, configuring, and supporting Linux endpoints remotely. And as of last year, I’m proud to say — yes, VMware Workspace ONE does in fact support Linux endpoint management.

Figure 1: The developer population will double by 2030, and the preferred workstation OS is Linux. Are you ready?

Workspace ONE UEM enables IT to support any Linux device—from developer workstations to unattended IoT endpoints—alongside existing mobile and laptop deployments, from a single console at scale. And because Workspace ONE provides distribution-agnostic support, customers can manage any x86 or ARM-based Linux endpoint, including CentOS, Debian, Fedora, Linux Mint, openSUSE, Raspbian, Red Hat, Ubuntu, and more. Other key features and capabilities include:

  • Streamlined Enrollment and Configuration: Quickly onboard devices with scripted or manual command line enrollment and leverage Wi-Fi Configuration to configure SSID, security type, credentials, and certificates, as well as Credentials Configuration to send certificates to devices.
  • Advanced Customization Features: Leverage Custom Configuration to create payloads that execute customized scripts and actions on devices.
  • End-to-End Management: Enable asset tagging and tracking, access critical device and network info as well as troubleshooting logs, and perform enterprise wipe commands.
  • Integrated Analytics: Leverage VMware Workspace ONE Intelligence to uncover insights and drive automation based on time-based trends, historical data, and Workspace ONE Sensors, which can be created and assigned to track important custom device attributes.
  • Remote Support: Leverage VMware Workspace ONE Assist to remotely assist employees with workstation issues and troubleshoot unattended IoT endpoints to reduce downtime.
Figure 2: Capabilities of Workspace ONE Linux Management at initial release in November 2021

But isn’t it impossible to support all the various Linux distros?

There are over 600 Linux distributions today. Different distributions support different hardware architectures and have different package managers, and no standard set of MDM APIs exists for Linux the way one does for Android, iOS, Windows 10, and macOS. And today, most Linux management tools on the market either provide advanced management capabilities for a single Linux distribution, or support many distributions but only let you distribute packages (which you have to write yourself). So how can we get both simplified, feature-rich management and support for a variety of Linux distributions?

As you know, Workspace ONE has touted a single-pane-of-glass management approach since analysts coined the term unified endpoint management (UEM), supporting as many device types, platforms, and use cases as feasible. So, how can a single tool manage so many flavors of Linux? This was the primary obstacle the VMware product team aimed to tackle with the initial release of Workspace ONE UEM for Linux.

Any Linux distribution can be enrolled into Workspace ONE UEM so long as the device is x86_64, ARMv5, or ARMv7-based and uses systemd or SysV init. The only thing that differs is the Workspace ONE agent installer, which is chosen by device architecture and distribution tree: Debian-based, Red Hat-based, or other distros.

This video on VMware Tech Zone walks you through choosing the correct agent installer and the installation steps.
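The installer choice above comes down to two facts about the host: its distribution family and its CPU architecture. The following shell script is an added example (not VMware's code and not part of the Hub installer) that makes that selection the way a provisioning script would, from /etc/os-release and `uname -m`. The labels it emits (`deb`, `rpm`, `other`, `amd64`, `arm5`, `arm7`) are this example's own and are not official installer file names; 64-bit ARM (`aarch64`) is reported as unsupported because it is not among the architectures listed in this article.

```shell
#!/bin/sh
# Added example: select the Hub installer family and architecture tier.
# Label names are this script's own, not VMware's installer file names.

# Map `uname -m` output to the architecture tiers named in the article.
# aarch64 is not in the article's list, so it is reported as unsupported.
hub_arch() {
    case "$1" in
        x86_64|amd64) echo amd64 ;;
        armv7*)       echo arm7 ;;
        armv5*)       echo arm5 ;;
        *)            echo unsupported ;;
    esac
}

# Classify a distribution from the contents of /etc/os-release.
# ID_LIKE carries the parent family for derivatives (Linux Mint reports
# "ubuntu debian", Rocky reports "rhel centos fedora"), so it is checked
# alongside ID. Anything else (openSUSE, Arch, ...) falls into "other".
hub_family() {
    osrelease="$1"
    id=$(printf '%s\n' "$osrelease" | sed -n 's/^ID=//p' | tr -d '"')
    like=$(printf '%s\n' "$osrelease" | sed -n 's/^ID_LIKE=//p' | tr -d '"')
    case " $id $like " in
        *" debian "*|*" ubuntu "*|*" raspbian "*) echo deb ;;
        *" rhel "*|*" fedora "*|*" centos "*)      echo rpm ;;
        *)                                         echo other ;;
    esac
}

# Combine both into one installer selection, e.g. "deb-amd64".
# Fails (exit 1) on an architecture the article does not list.
hub_installer() {
    fam=$(hub_family "$1")
    arch=$(hub_arch "$2")
    if [ "$arch" = unsupported ]; then
        echo "unsupported architecture: $2" >&2
        return 1
    fi
    echo "${fam}-${arch}"
}

# On a real host, print the selection for this machine.
if [ -r /etc/os-release ]; then
    hub_installer "$(cat /etc/os-release)" "$(uname -m)"
fi
```

A script like this is only the first half of a scripted enrollment: it tells you which installer to fetch, and the enrollment command itself is covered in the video referenced above.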

What’s next?

The product team is already enhancing Linux management in the 2206 release by adding the following capabilities. These start to lay the groundwork for future advanced management. Note that Workspace ONE Intelligent Hub for Linux (agent) version 22.06 and Workspace ONE UEM console version 2206 are required for the following features:

  • Web Enrollment with SAML Support
  • App & Package Sampling
  • Disk Encryption Detection
  • Automated Agent Upgrades
  • Additional Triggers for Custom Sensors

Let’s walk through these updates in detail to understand what they mean.

Web Enrollment with SAML Support

The initial release of Workspace ONE Linux management began with enrollment via command line. Enrollment via web browser was in beta. But now Linux devices can officially be enrolled into Workspace ONE UEM using both methods. In addition, the initial release of UEM for Linux only supported local (basic) UEM users, not directory users. But now web enrollment supports SAML-based authentication. The following video on Tech Zone shows how command line enrollment works:

Browser enrollment means that a user can open Google Chrome or Firefox and initiate UEM device enrollment, and Intelligent Hub for Linux will be downloaded and installed, versus installing the Linux Hub manually and using the command line to enroll. Because this enrollment method only generates a .deb or .rpm installation package, only Debian and Red Hat-based systems support web enrollment.

Web enrollment for Linux looks very similar to other platforms: the user first enters this URL into a browser: https://{your UEM instance}/DeviceManagement/Enrollment. Then the user is prompted for group ID, username and password, and device ownership type. The difference is that the user chooses the installation package to be generated, based on device architecture (AMD64, ARMv5, or ARMv7) and distribution tree (Debian-based or Red Hat-based).

Figure 3: Workspace ONE Linux Management new web enrollment workflow

App & Package Sampling

The Workspace ONE Linux agent can now collect a list of the installed apps and packages from an enrolled device, a capability sometimes referred to as app inventory. You can view the list of apps on a device by navigating to DEVICES > List View, selecting an enrolled device to open its Details View page, and opening the Apps tab within the Workspace ONE UEM admin console.

Figure 4: New Linux Management App & Package Sampling in the Workspace ONE UEM admin console

The ability to query the device for the list of installed apps and packages is the first step for future app lifecycle management capabilities within the Workspace ONE UEM admin console.

Disk Encryption Detection

The Workspace ONE UEM Linux agent can now detect whether the device’s drive was encrypted with LUKS (Linux Unified Key Setup), for example by selecting encryption during the initial system install, or whether encryption is disabled.

Figure 5: New Linux Management Encryption Detection in the Workspace ONE UEM admin console

Automated Agent Upgrades

The Linux Intelligent Hub agent can now automatically upgrade itself on the device. Once a day, the Intelligent Hub for Linux will check the Workspace ONE console for any newer agent versions, and if a new version is available, automatically install the update. This setting is found in the UEM console here: GROUPS & SETTINGS > All Settings > Devices & Users > Linux > Intelligent Hub Settings > Intelligent Hub Updates.

Figure 6: New Intelligent Hub for Linux Automatic Updates in the Workspace ONE UEM admin console

Additional Triggers for Custom Sensors

Finally, 2206 adds more options to trigger sensors in the Workspace ONE UEM console.

But first, what are sensors in Workspace ONE UEM? Sensors enable administrators to send bash scripts to the Linux device to collect any additional attributes that are not already included in the UEM console by default. Some examples could be the hostname or processor type of the device. Sensors can be created in the UEM console here: RESOURCES > Sensors.
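As an added example (not VMware's code and not a sensor shipped with the product), here are bash helpers of the kind a Linux sensor script would use to report the two attributes mentioned above, hostname and processor type, plus a third that goes one step past the built-in LUKS detection from the previous section by reporting whether the root filesystem specifically sits on a dm-crypt mapping. It assumes that what the script writes to standard output is stored as the sensor value, so each `sensor_*` wrapper prints exactly one line; the parsers take their raw input as an argument so they can be checked on constructed data. Because a sensor is code that the Hub executes on every device it is assigned to, on every trigger, treat the ability to create and assign sensors in the console as a privileged administrative role and review sensor scripts like any other deployed code.

```shell
#!/bin/bash
# Added example: helpers for a Workspace ONE Linux sensor script.
# Assumption: the script's standard output becomes the sensor value.
# Parsers take their input as an argument; live wrappers feed them
# real system output.

# Processor model from /proc/cpuinfo text. ARM boards usually expose a
# board-level "Model" line (preferred), x86 and ARM expose "model name",
# and some older ARM kernels only expose "Hardware".
cpu_model_from_cpuinfo() {
    printf '%s\n' "$1" | awk -F': *' '
        /^model name/ && n == "" { n = $2 }
        /^Model/                 { m = $2 }
        /^Hardware/              { h = $2 }
        END { if (m != "") print m; else if (n != "") print n; else print h }'
}

# Whether the root filesystem is on a dm-crypt (LUKS) mapping, given the
# output of `lsblk -sno TYPE <root-source>`: the root device followed by
# each of its ancestors (for example: lvm, crypt, part, disk). Walking the
# ancestors matters because with LVM on LUKS the root device is type "lvm"
# and only its parent is type "crypt".
root_encryption_from_chain() {
    if printf '%s\n' "$1" | awk '$1 == "crypt" { found = 1 } END { exit !found }'; then
        echo "Encrypted"
    else
        echo "NotEncrypted"
    fi
}

# Live wrappers: the actual sensor script body would call one of these.
sensor_hostname()  { hostname -f 2>/dev/null || hostname; }
sensor_cpu_model() { cpu_model_from_cpuinfo "$(cat /proc/cpuinfo)"; }
sensor_root_crypto() {
    src=$(findmnt -no SOURCE / 2>/dev/null) || { echo "Unknown"; return; }
    src=${src%%\[*}   # btrfs reports "/dev/sda2[/@]"; lsblk wants the device only
    root_encryption_from_chain "$(lsblk -sno TYPE "$src" 2>/dev/null)"
}

# Each sensor reports a single value; pick the wrapper by argument.
case "${1:-}" in
    hostname)  sensor_hostname ;;
    cpu)       sensor_cpu_model ;;
    rootcrypt) sensor_root_crypto ;;
esac
```

The root-encryption sensor is deliberately narrower than "a LUKS container exists somewhere": a laptop with an encrypted data partition but a plaintext root would report `NotEncrypted`, which is the answer a compliance policy usually wants.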

Figure 7: Editing a sensor in the Workspace ONE UEM admin console

Custom sensor values from an enrolled device can be viewed under the Sensors tab of the Device Details screen in UEM.

Figure 8: Viewing sensor values for a Linux device in the Workspace ONE UEM admin console

So now, what do we mean by triggers for sensors? When assigning sensors to devices, various events can be used to trigger a query of the device for an updated sensor value. The following options are now available:

  • Periodically
  • At user login
  • At user log out
  • At startup
  • When network change detected
Figure 9: Options to trigger custom sensor query in the Workspace ONE UEM admin console

This is one of the first steps to providing advanced automation options for Linux management in the future.

Summary

So, when choosing a Linux management tool, consider that you likely have multiple distributions out there and ideally would have a distro-agnostic management platform that can provide remote configuration and support to a variety of Linux endpoints. In addition, the management tool would not only provide a method to push scripts to devices but would also have built-in configuration options, so the administrator doesn’t always have to write a script to accomplish a task. The Workspace ONE Linux team plans to continue evolving the Linux solution to simplify management and work towards providing automations for workflows, compliance, and remediation.

Check out these additional Workspace ONE Linux Management resources to learn more: