VMware Workspace ONE: New CCF Connector for UEM Device and Application Visibility

What Changed

New VMware Workspace ONE solution package (v3.0.0) introducing CCF-based data ingestion for VMware’s Unified Endpoint Management (UEM) platform. Supports device inventory and application tracking across iOS, Android, Windows, and macOS managed devices.

Data Source

VMware Workspace ONE UEM platform ingestion via OAuth-authenticated REST API polling. Creates two Microsoft Sentinel tables:

VMwareWorkspaceOneDevices — enrolled device inventory with compliance status
VMwareWorkspaceOneDeviceApps — installed application details per device

Ingestion Mechanism

CCF-based connector using OAuth client credentials flow against region-specific VMware auth endpoints:

Custom-VMwareWorkspaceOneDevices_CL stream for device data
Custom-VMwareWorkspaceOneDeviceApps_CL stream for application data
Configurable application collection (optional per-device API calls)

Detection Surface Unlocked

Device Compliance Monitoring:

Non-compliant endpoint detection via ComplianceStatus field
Compromised/jailbroken device identification through CompromisedStatus
Device enrollment and last-seen tracking for visibility gaps

Shadow IT Discovery:

Installed but unassigned applications via InstallStatus vs AssignmentStatus correlation
Application inventory analysis across managed fleet
Unauthorized software installation detection

Sample Queries Included

Five pre-built queries for immediate operational use:

Non-compliant device identification
Compromised device detection
Top installed applications analysis
Shadow IT application discovery
Device enrollment status monitoring

Required OAuth permissions: REST API Devices Read, REST API MDM Devices, REST API Apps Read.

Affected Files

Solutions/VMware Workspace ONE/Data Connectors/VMwareWorkspaceOneConnector_CCF/VMwareWorkspaceOne_ConnectorDefinition.json
Solutions/VMware Workspace ONE/Data Connectors/VMwareWorkspaceOneConnector_CCF/VMwareWorkspaceOne_DCR.json
Solutions/VMware Workspace ONE/Data Connectors/VMwareWorkspaceOneConnector_CCF/VMwareWorkspaceOne_PollerConfig.json
Solutions/VMware Workspace ONE/Data Connectors/VMwareWorkspaceOneConnector_CCF/table_VMwareWorkspaceOneDeviceApps.json
Solutions/VMware Workspace ONE/Data Connectors/VMwareWorkspaceOneConnector_CCF/table_VMwareWorkspaceOneDevices.json
Solutions/VMware Workspace ONE/Package/testParameters.json
Solutions/VMware Workspace ONE/Parsers/parser_VMwareWorkspaceOneDeviceAppsAliasFunction.json
Solutions/VMware Workspace ONE/Parsers/parser_VMwareWorkspaceOneDevicesAliasFunction.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_VMwareWorkspaceOne.json, createUiDefinition.json, mainTemplate.json)

What Changed#

Data Source#

Ingestion Mechanism#

Detection Surface Unlocked#

Sample Queries Included#

Affected Files#