Endpoint management service roadmap

Endpoint protection is critical to reduce threats to university networks.

An endpoint is a computing device that communicates back and forth with a network, including but not limited to desktops, laptops, servers, and smartphones. The protection of UW–Madison endpoints that access University data is essential to reducing the overall security risk to the data these devices encounter.

This service provides a set of flexible endpoint management and security tools, supported by core campus IT organizations and used by distributed IT organizations, to manage and secure campus endpoints.

More information can be found at Endpoint management project page. Please contact us with questions at doit-seam-support@doit.wisc.edu.

Previous updates: Mar 27 | Jan 23 | Nov 16 | Aug 29 | Jun 29 | May 10 |Mar 15 | Feb 15 | Jan 19 | Dec 7 | Nov 9 | Oct 27 | Oct 13 | Sep 29 |Sep 15 | Aug 26 | Aug 11 | Jul 29 | Jul 12 | Jun 30 | Jun 16 | Jun 2 | May 19 | May 5 | Apr 21 | Apr 7 | Mar 16 | Feb 25 | Feb 10

---

March 27

Complete:

• The campus Workspace ONE environment was updated to version 2212.
• Standardized deactivation processes for BigFix and Workspace ONE admin accounts.
• Removed BigFix operator accounts that have not logged in over the past year, removed old baselines, removed superseded fixlets, deleted old actions.
• Created a KB document on renaming computers using Workspace ONE.
• Investigated establishing a Business Associate Agreement (BAA) with VMware for Workspace ONE.
• Reassessed BigFix relay infrastructure to optimize performance.
• Documented Workspace ONE profile settings to allow standard users in macOS to enable screen capture for common campus applications.
• Made BigFix content to remove the Windows Store version of TikTok available to campus partners through the DoIT_Shared_Applications BigFix site.
• Identified BigFix clients with sub-optimal command poll interval agent settings.
• Published results of testing Windows 11 compatibility with common campus tools and applications.

Now:

• Investigate Android management capabilities.
• Investigate delegated admin access to Workspace ONE Intelligence-based custom reports.
• Strategy for Workspace ONE file storage quota usage.
• Investigate Workspace ONE Intelligence.

Next:

• Document recommended unit-level customizations in Workspace ONE.

Later:

• Evaluate functionality of BigFix Insights for Vulnerability Remediation (IVR).
• Integrate Endpoint Management tools with CSOC SIEM (Awaiting storage expansion).
• Investigate Workspace ONE Access.

---

January 23

Complete:

• The campus Workspace ONE environment was updated to version 2210.
• Performed a biannual audit to remove inactive BigFix and Workspace ONE admin accounts.
• Created processes and documentation for cleanup of open actions with no end date and stopped/expired actions to maintain performance of the campus BigFix environment.

Now:

• Investigate Android management capabilities.
• Standardize deactivation processes for BigFix and Workspace ONE admin accounts.
• Investigate delegated admin access to Workspace ONE Intelligence-based custom reports.
• Remove BigFix operator accounts that have not logged in over the past year, remove old baselines, remove superseded fixlets, delete old actions.
• Create a KB document on renaming computers using Workspace ONE.
• Strategy for Workspace ONE file storage quota usage.
• Investigate establishing a Business Associate Agreement (BAA) with VMware for Workspace ONE.
• Investigate Workspace ONE Intelligence.
• Reassess BigFix relay infrastructure to optimize performance.

Next:

• Document recommended unit-level customizations in Workspace ONE.

Later:

• Identify BigFix clients with sub-optimal command poll interval agent settings and develop a correcting mechanism.
• Investigate BigFix Insights for Vulnerability Remediation (IVR).
• Integrate Endpoint Management tools with CSOC SIEM (Awaiting storage expansion).
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

November 16

Complete:

• Activated Windows 11 Upgrade Eligibility Information BigFix analysis for campus use.
• Created KB documentation regarding removal of Activation Lock on Apple devices, eligibility for Apple Automated Device Enrollment based on purchasing channel, creation of an Eduroam Workspace ONE profile for macOS, macOS 13 Ventura compatibility with campus software, and the sandbox WS1 environment.
• Partnered with the Office of Cybersecurity to conduct a risk assessment of the Workspace ONE service offering.
• Converted Workspace ONE environment to “latest mode”, including upgrades to versions 2206 and 2209.
• Secured enablement of Freestyle Orchestrator Workspace ONE feature.
• Implemented a periodic review of stale devices in Workspace ONE.
• Organized Apple Deployment Workshop training sessions for campus partners.

Now:

• Investigate Android management capabilities.
• Standardize deactivation processes for BigFix and Workspace ONE admin accounts.
• Investigate delegated admin access to Workspace ONE Intelligence-based custom reports.
• Remove BigFix operator accounts that have not logged in over the past year, remove old baselines, remove superseded fixlets, delete old actions.
• Create a KB document on renaming computers using Workspace ONE.
• Planning for Workspace ONE file storage quota usage.
• Investigate establishing a Business Associate Agreement (BAA) with VMware for Workspace ONE.

Next:

• Document recommended unit-level customizations in Workspace ONE.

Later:

• Investigate BigFix Insights for Vulnerability Remediation (IVR).
• Integrate Endpoint Management tools with CSOC SIEM (Awaiting storage expansion).
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

August 29

Complete:

• Reviewed actions in BigFix Master Action Site to optimize client performance.
• Created KB documentation on usage of the Workspace ONE API.
• Created documentation for deployment of Cisco AMP and Qualys Cloud Agent via BigFix.
• Increased the BigFix WebUI inactivity timeout from 15 to 30 minutes.
• Developed and socialized recommended naming conventions for content in Workspace ONE.
• Performed annual Apple School Manager account audit.
• Upgraded the BigFix environment to 10.0.7 and Workspace ONE to 22.06.
• Refreshed BigFix Linux client installation documentation.
• Enabled delegated admins to request access to the Workspace ONE UAT/sandbox environment.
• Create a biannual process to audit BigFix and Workspace ONE admin accounts.
• Setup secondary AirWatch Cloud Connector to support current utilization of Campus AD integration.

Now:

• Investigate Android management capabilities.
• Activate BigFix Windows 11 Upgrade Eligibility Information.
• Standardize deactivation processes for BigFix and Workspace ONE admin accounts.
• Document procedures related to Activation Lock for Apple devices.
• Conduct a risk assessment of the Workspace ONE service offering.
• Document eligibility for Apple Automated Device Enrollment / Device Enrollment Program based on purchasing channel.

Next:

• Remove BigFix operator accounts that have not logged in over the past year, remove old baselines, remove superseded fixlets, delete old actions.
• Investigate delegated admin access to Workspace ONE Intelligence-based custom reports.

Later:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

June 29

Complete:

• Worked with campus admins to update BigFix running on relays, reviewed open actions for the Master Action Site allowing for only actions that need to be applied to clients.
• Worked with VMWare to refine true-up process for Workspace ONE device licenses
• Upgraded Workspace ONE UEM to version 2203.
• Created role to allow standard BigFix operators permission to access patch policies WebUI
• Created KB documentation and informed campus Workspace ONE administrators of new workflow for cleaning up stale devices in Workspace ONE.
• Created public-facing documentation clarifying how the EPM Service is subsidized by campus funding.

Now:

• Create additional Workspace ONE AirWatch Cloud Connector to scale with current use.
• Refresh BigFix Linux client install documentation.
• Investigate Android management capabilities.
• Remove BigFix operator accounts that have not logged in over the past year, remove old baselines, remove superseded fixlets, delete old actions.
• Investigate Workspace ONE Intelligence-based custom reports.
• Create Workspace ONE content on a recommended naming conventions.
• Create and document a process for BigFix and Workspace ONE account auditing.

Next:

• Create documentation on how local Workspace ONE organizational group Admins can use Workspace ONE’s API.

Later:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

May 10

Complete:

• Created following KB documentation:
  • Workspace ONE – Enroll Devices Using Staging Accounts
  • Workspace ONE – Bind macOS Devices to Active Directory
  • Workspace ONE – Packaging Adobe Products for Deployment
  • Workspace ONE – Creating Smart Groups Using Campus Active Directory Security and Manifest Groups
• Created a process to cache Windows 10 feature updates for BigFix admins to deploy via the DoIT_Shared_Applications custom site in the BigFix console
• Updated BigFix – Custom Properties KB documentation.
• Renewed Apple Push Notification (APN) certificate for Workspace ONE

Now:

• Schedule upgrade of Workspace ONE to version 2203.
• Create public facing documentation regarding how the EPM Service is subsidized by campus funding.
• Create additional Workspace ONE AirWatch Cloud Connector to scale with current use.
• Refresh BigFix Linux client install documentation.
• Investigate Android management capabilities.

Next:

• BigFix infrastructure optimization tasks.
• Create Workspace ONE content recommended naming conventions KB.

Later:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

March 15

Endpoint Management Project-to-Date Review

The UW–Madison Endpoint Management (EPM) Project kicked off in fall 2020. Our mandate was to provide an enterprise endpoint management service based on VMware Workspace ONE and HCL BigFix for UW–Madison IT units to manage and secure UW’s desktop and mobile computing devices.

The team has made tremendous strides during this time. In the past year, the project team:

• Created a 3-year service budget, which includes service staffing and license subsidies.
• Developed internal handling documentation and workflows to provide support and ongoing maintenance for BigFix and Workspace ONE.
• Migrated UW–Madison’s Workspace ONE on-premise pilot to VMware’s Cloud.
• Built a service page and a comprehensive KnowledgeBase site with 86 articles.
• Developed a Canvas self-paced training course covering both BigFix and Workspace ONE.
• Organized a 150-member EPM Community of Practice (CoP).
• Held or sponsored over a dozen different outreach events, including ongoing monthly EPM CoP Office Hours.
• Created a shared repository in BigFix to allow campus BigFix administrators to deploy DoIT packaged content.
• Set up a support framework for Apple School Manager (ASM) administration and transitioned ASM support from DoIT Product Management to the EPM service team.

Today, the service has more than 70 participating campus units, 22,700 enrolled devices, and 438 administrators. Moving forward, the EPM service team will continue to seek feedback and find ways to provide value to campus administrators by:

• Creating additional best practices guidelines and how-to documentation.
• Exploring additional features provided by Workspace ONE and BigFix.
• Continuing to engage the campus IT community to identify opportunities for service improvements.

We look forward to continuing to serve the needs of campus and the UW–Madison IT community! Now for this month’s update.

Complete – these activities and features were completed since the last roadmap was published:

• Resolved Workspace ONE console objectGUID warning message.
• Created and shared BigFix content to remove Cisco Jabber and WebEx meetings.
• Documented creation of AMP WS1 profiles.

Now – these are the activities and features we are working on now:

• Create and share BigFix log4j vulnerability scanning content.
• Create additional Workspace ONE how-to KB articles based on user feedback.
• Investigate Android management capabilities.

Next – these are the activities and features we plan to work on next:

• Refresh BigFix KB documentation.
• Create Workspace ONE content recommended naming conventions KB.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

February 15

Complete – these activities and features were completed since the last roadmap was published:

• Established a procedure to periodically review service requests for quality assurance.
• Upgraded BigFix service to version 10.0.5.

Now – these are the activities and features we are working on now:

• Create and share BigFix log4j vulnerability scanning content.
• Create and share BigFix content to remove Cisco Jabber and WebEx meetings
• Create additional Workspace ONE how-to KB articles based on user feedback.
• Investigate Android management capabilities.

Next – these are the activities and features we plan to work on next:

• Refresh BigFix KB documentation
• Create Workspace ONE content recommended naming conventions KB.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

January 19

Complete – these activities and features were completed since the last roadmap was published:

• Transitioned from project to service.
• Established a procedure to periodically review service requests for quality assurance.
• Upgraded Workspace ONE UEM to 2111.

Now – these are the activities and features we are working on now:

• Upgrade BigFix service to version 10.0.5.
• Create Workspace ONE content recommended naming conventions KB.
• Investigate Android management capabilities.

Next – these are the activities and features we plan to work on next:

• Planning for the next phase of the Endpoint Management Service rollout. (Chris/Thad)
• Publish additional how-to content on creation of commonly applied Workspace ONE configuration profiles

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

December 7

Complete – these activities and features were completed since the last roadmap was published:

• Created a process for evaluating and documenting BigFix and Workspace ONE feature updates on an ongoing basis.
• Conducted recommended maintenance on BigFix infrastructure to improve performance and reliability.
• Verified domains used in UW Apple School Manager service accounts.

Now – these are the activities and features we are working on now:

• Establish a procedure to periodically review service requests for quality assurance.
• Create Workspace ONE content recommended naming conventions KB.
• Investigate Android management capabilities.
• Document configuration of Eduroam auto-join profiles.

Next – these are the activities and features we plan to work on next:

• Planning for the next phase of the Endpoint Management Service rollout.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

November 9

Complete – these activities and features were completed since the last roadmap was published:

• Clarified and updated documentation for how Workspace ONE console administrators can create additional delegated administrators.
• Tested macOS 12 compatibility against EPM tools and other common campus software packages and published results to KB.

Now – these are the activities and features we are working on now:

• Create Workspace ONE content recommended naming conventions KB.
• Investigate Android management capabilities.
• Create a process for evaluating and documenting BigFix and Workspace ONE feature updates on an ongoing basis.
• Conduct recommended maintenance on BigFix infrastructure to improve performance and reliability.
• Document configuration of Eduroam auto-join profiles.

Next – these are the activities and features we plan to work on next:

• Create a charter for the next phase of the Endpoint Management Service rollout.
• Establish a procedure to periodically review service requests for quality assurance.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

October 27 updates

Complete – these activities and features were completed since the last roadmap was published:

• Created Apple School Manager best practices documentation.
• Shared 82 Endpoint Management Knowledge Base (KB) documents to make them searchable in the Unified KB (kb.wisc.edu).

Now – these are the activities and features we are working on now:

• Create Workspace ONE content recommended naming conventions KB.
• Implement directory-based groups for Workspace ONE administrative console access.
• Investigate Android management capabilities.
• Create a process for evaluating and documenting BigFix and Workspace ONE feature updates on an ongoing basis.
• Test macOS 12 compatibility against EPM tools and other common campus software packages and publish results in KB.

Next – these are the activities and features we plan to work on next:

• Conduct recommended maintenance on BigFix infrastructure to improve performance and reliability.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

October 13 updates

Complete – these activities and features were completed since the last roadmap was published:

• Tested Windows 11 compatibility against EPM tools and other common campus software packages and published results in KB.
• Upgraded Workspace One UEM to version 2105.

Now – these are the activities and features we are working on now:

• Create Workspace ONE content recommended naming conventions KB.
• Implement directory-based groups for Workspace ONE administrative console access.
• Investigate Android management capabilities.
• Create a process for evaluating and documenting BigFix and Workspace ONE feature updates on an ongoing basis.
• Create Apple School Manager best practices documentation.

Next – these are the activities and features we plan to work on next:

• Investigate AutoDiscovery enrollment options to allow an email-based autodiscovery system to enroll devices to environments and organization groups.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

September 29 updates

Complete – these activities and features were completed since the last roadmap was published:

• Optimized EPM Knowledge Base site and overview documents.

Now – these are the activities and features we are working on now:

• Create Workspace ONE content recommended naming conventions KB.
• Implement directory-based groups for Workspace ONE administrative console access.
• Investigate Android management capabilities.
• Create a process for evaluating and documenting BigFix and Workspace ONE feature updates on an ongoing basis.
• Test Windows 11 compatibility against EPM tools and other common campus software packages.

Next – these are the activities and features we plan to work on next:

• Investigate AutoDiscovery enrollment options to allow an email-based autodiscovery system to enroll devices to environments and organization groups.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

September 15 updates

Complete – these activities and features were completed since the last roadmap was published:

• Created documentation about migrating Group Policy Objects to Workspace ONE profiles.
• Created documentation for packaging Microsoft Office for deployment via Workspace ONE.
• Added additional application deployment content to BigFix shared repository.

Now – these are the activities and features we are working on now:

• Create Workspace ONE content recommended naming conventions KB.
• Implement directory-based groups for Workspace ONE administrative console access.
• Investigate Android management capabilities.
• Optimize EPM Knowledge Base site and overview documents.

Next – these are the activities and features we plan to work on next:

• Investigate AutoDiscovery enrollment options to allow an email-based autodiscovery system to enroll devices to environments and organization groups.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

August 26 updates

Complete – these activities and features were completed since the last roadmap was published:

• Completed BigFix service upgrade to version 10.0.4.
• Analyzed data from different campus security and endpoint management tools (AMP, Qualys, BigFix, and Workspace ONE) to identify gaps in endpoint visibility.
• Created additional documentation for packaging and deploying enterprise software titles via Workspace ONE.

Now – these are the activities and features we are working on now:

• Create Workspace ONE content recommended naming conventions KB.
• Implement directory-based groups for Workspace ONE administrative console access.
• Add additional application deployment content to BigFix shared repository.
• Create documentation about migrating Group Policy Objects to Workspace ONE profiles
• Investigate Android management capabilities.

Next – these are the activities and features we plan to work on next:

• Investigate AutoDiscovery enrollment options to allow an email-based autodiscovery system to enroll devices to environments and organization groups.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.

---

August 11 updates

Complete – these activities and features were completed since the last roadmap was published:

• Standardize Workspace ONE service upgrade procedures.

Now – these are the activities and features we are working on now:

• Create Workspace ONE content recommended naming conventions KB.
• Implement directory-based groups for Workspace ONE administrative console access.
• Add additional application deployment content to BigFix shared repository.
• Create documentation for packaging and deploying enterprise software titles via Workspace ONE.
• Create documentation about migrating Group Policy Objects to Workspace ONE profiles.
• Analyze data from different campus security and endpoint management tools (AMP, Qualys, BigFix, and Workspace ONE) to identify gaps in endpoint visibility.
• Investigate Android management capabilities.

Next – these are the activities and features we plan to work on next:

• Investigate AutoDiscovery enrollment options to allow an email-based auto-discovery system to enroll devices to environments and organization groups.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.
• Develop a culture socialization plan for campus partners.

---

July 29 update

Complete – these activities and features were completed since the last roadmap was published:

• Created documentation on managing operating system updates
  – Workspace ONE – Managing macOS Updates
  – Workspace ONE – Managing Windows Updates
  – Workspace ONE – Windows Update Deployment Rings
• Created documentation for ADCS enrollment workflow
  – Workspace ONE – Campus Active Directory Device Certificate Enrollment
• Completed analysis of how to provide shared app content in Workspace ONE for enterprise software titles. There is currently no good way for OG administrators to use application content created at the top-level OG. Will revisit if VMware releases functionality to allow assignments for top-level OG applications.

Now- these are the activities and features we are working on now:

• Create Workspace ONE content recommended naming conventions KB.
• Standardize Workspace ONE service upgrade procedures.
• Implement directory-based groups for Workspace ONE administrative console access.
• Add additional application deployment content to BigFix shared repository.
• Investigate AutoDiscovery enrollment options to allow an email-based autodiscovery system to enroll devices to environments and organization groups.
• Create documentation for packaging and deploying enterprise software titles via Workspace ONE.
• Create documentation about migrating Group Policy Objects to Workspace ONE profiles.

Next – these are the activities and features we plan to work on next:

• Analyze data from different campus security and endpoint management tools (AMP, Qualys, BigFix, and Workspace ONE) to identify gaps in endpoint visibility.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.
• Investigate Android management capabilities.
• Develop a culture socialization plan for campus partners.

---

July 12 update

Complete – these activities and features were completed since the last roadmap was published:

• Tested Workspace ONE Freestyle Orchestrator features in dev environment.
• There are some features that fill existing gaps which are being evaluated.
• Provides the ability to create custom workflows, target systems more granularly, and push scripts in various languages (Powershell, Bash, Python, etc.).
• Tested Active Directory Certificate Services certificate enrollment workflows.

Now- these are the activities and features we are working on now:

• Create Workspace ONE content recommended naming conventions KB.
• Standardize Workspace ONE service upgrade procedures.
• Implement directory-based groups for Workspace ONE administrative console access.
• Add additional application deployment content to BigFix shared repository.
• Investigate AutoDiscovery enrollment options to allow an email-based autodiscovery system to enroll devices to environments and organization groups.
• Investigate how to provide shared app content for Workspace ONE enterprise software titles.
• Create additional EPM service documentation based on Community of Practice office hours feedback.
• Create documentation for ADCS enrollment workflows.

Next – these are the activities and features we plan to work on next:

• Analyze data from different campus security and endpoint management tools (AMP, Qualys, BigFix, and Workspace ONE) to identify gaps in endpoint visibility.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.
• Investigate Android management capabilities.
• Develop a culture socialization plan for campus partners.

---

June 30 update

Complete – these activities and features were completed since the last roadmap was published:

• Held an office hours session to get feedback on our documentation and Canvas course

Now- these are the activities and features we are working on now:

• Our CoP has grown to over 115 people. If you are responsible for endpoint management in your unit and would like to join our community on MS Teams, let us know.
• Create Workspace ONE “recommended naming conventions” KB for user created content.
• Add additional application deployment content to BigFix shared repository.
• Standardize Workspace ONE service upgrade procedures.
• Implement directory-based groups for Workspace ONE administrative console access.
• Testing Workspace ONE Freestyle Orchestrator features in dev environment.
• Investigate how to provide shared app content for Workspace ONE enterprise software titles
• Investigate AutoDiscovery enrollment options to allow an email-based autodiscovery system to enroll devices to environments and organization groups.

Next – these are the activities and features we plan to work on next:

• Create additional EPM service documentation based on Community of Practice office hours feedback
• Integrate Workspace ONE with Active Directory Certificate Services.
• Create Active Directory Certificate Services certificate enrollment workflows.
• Analyze data from different campus security and endpoint management tools (AMP, Qualys, BigFix, and Workspace ONE) to identify gaps in endpoint visibility.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.
• Investigate Android management capabilities.

---

June 16 update

Complete – these activities and features were completed since the last roadmap was published:

• Created a shared repository in BigFix to allow BigFix operators to deploy DoIT packaged content.
• Created support framework for Apple School Manager (ASM) administration and transitioned ASM support from DoIT Product Management to the Endpoint Management Project team.
• Confirmed integration of Workspace ONE with Active Directory Certificate Services is possible.
• Completed Dell Quick Start engagement and received information for how to configure Workspace ONE to take advantage of Dell Factory Provisioning options.

Now- these are the activities and features we are working on now:

• Our CoP has grown to over 113 people. If you are responsible for endpoint management in your unit and would like to join our community on MS Teams, let us know.
• Create Workspace ONE content recommended naming conventions KB.

Next – these are the activities and features we plan to work on next:

• We are planning upcoming Community of Practice meetings. If you would like to contribute to a future meeting, please contact Pat Daley.
• Integrate Workspace ONE with asset reporting database to comply with UW System Policy.
• Hold an office hours session to get feedback on our documentation and Canvas course.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Workspace ONE with Active Directory Certificate Services.
• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.
• Investigate Android management capabilities.

---

June 2 update

Complete – these activities and features were completed since the last roadmap was published:

• Enabled the Workspace ONE Hub catalog. This allows end users to install and launch apps assigned to them by an administrator directly from VMware’s Intelligent Hub app.

Now- these are the activities and features we are working on now:

• Our CoP has grown to over 112 people. If you are responsible for endpoint management in your unit and would like to join our community on MS Teams, let us know.
• The project team continues work with Dell/VMware and campus partners to configure the production environment, plan for delegated administration, and evaluate onboarding strategies.
• Develop a mechanism for Workspace ONE profile sharing.
• Integrate Workspace ONE with Active Directory Certificate Services.
• Create the support framework for Apple School Manager.
• Created a shared repository in BigFix to allow BigFix operators to deploy DoIT packaged content.

Next – these are the activities and features we plan to work on next:

• Integrate Workspace ONE with CMDB to meet asset reporting requirements.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrate Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.
• Investigate Android management capabilities.

---

May 19 update

Complete – these activities and features were completed since the last roadmap was published:

• Enabled Workspace ONE Enterprise App Repository.
• Published a self-paced training course for campus administrators.
• HCL’s Don Moss provided a primer on BigFix self-help resources and how to use BigFix relevance language.

Now- these are the activities and features we are working on now:

• Our CoP has grown to >106 people. If you are responsible for endpoint management in your unit and would like to join our community on MS Teams, let us know.
• The project team continues work with Dell/VMware and campus partners to configure the production environment, plan for delegated administration, and evaluate onboarding strategies.
• Enable Workspace ONE Hub catalog.
• Develop a mechanism for Workspace ONE profile sharing.
• Integrate Workspace ONE with Active Directory Certificate Services.
• Create support framework for Apple School Manager.

Next – these are the activities and features we plan to work on next:

• Integrate Workspace ONE with CMDB to meet asset reporting requirements.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrating Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access.
• Investigate Azure AD integration.
• Investigate Android management capabilities.

---

May 5 update

Complete – these activities and features were completed since the last roadmap was published:

• Enabled Filevault recovery key access in the self-service portal.
• Keith Mountin from Apple provided campus partners a two day workshop on managing Apple devices using Workspace ONE.

Now- these are the activities and features we are working on now:

• Our CoP has grown to over 106 people. If you are responsible for endpoint management in your unit and would like to join our community on MS Teams, let us know.
• The project team continues work with Dell/VMware and campus partners to configure the production environment, plan for delegated administration, and evaluate onboarding strategies.
• Investigating creation of an additional shared content repository for Workspace ONE.
• Enabling Workspace ONE Hub catalog and Enterprise App Repository.
• Creating a shared repository in BigFix to allow BigFix operators to deploy DoIT packaged content.

Next – these are the activities and features we plan to work on next:

• Develop a mechanism for Workspace ONE profile sharing
• Integrate Workspace ONE with Active Directory Certificate Services
• Develop support framework for Apple School Manager

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrating Endpoint Management tools with CSOC SIEM.
• Investigate Workspace ONE Access

---

Apr 21 update

Complete – these activities and features were completed since the last roadmap was published:

• The Endpoint Management Project (EPM) team sponsored our first Endpoint Management Community of Practice (CoP) learning session Thursday 4/15.  Matt Schultz from SMPH shared his experiences using Workspace ONE to manage Macs to an engaged audience of 57 CoP members.

Now- these are the activities and features we are working on now:

• Our CoP has grown to over 90 people. If you are responsible for endpoint management in your unit and would like to join our community on MS Teams, let us know.
• The project team continues work with Dell/VMware and campus partners to configure the production environment, plan for delegated administration, and evaluate onboarding strategies.
• Enable Workspace ONE Hub catalog.

Next – these are the activities and features we plan to work on next:

• Work with Apple and DoIT Product Management to update Apple School Manager support workflows.
• Create a shared repository in BigFix to allow BigFix operators to deploy DoIT packaged content.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrating Endpoint Management tools with CSOC SIEM.
• Investigate creating an additional shared content repository for Workspace ONE.

---

Apr 7 update

Complete – these activities and features were completed since the last roadmap was published:

• Completed the BigFix upgrade to version 10.0.2.
• Created a public facing FAQ with information about common problems and current known issues. We will continue to update these documents over time.
  – Endpoint Management Project FAQ
  – Workspace ONE Known issues
• Documented roles and responsibilities for service owners, delegated administrators, and basic service consumers in our Delegated Support Model KB.
• Launched a new project website with enhanced UX.
• Hosted 59 attendees at our last Lunch & Learn on March 26, with presentations by our vendor partners.

Now- these are the activities and features we are working on now:

• Our community of practice has grown to over 80 people. If you are responsible for endpoint management in your unit and would like to join our community of practice on MS Teams, let us know.
• The project team continues work with Dell/VMware and campus partners to configure the production environment, plan for delegated administration, and evaluate onboarding strategies.
• Developing self-paced training courses for campus administrators.
• Enabling Workspace ONE Hub catalog.

Next – these are the activities and features we plan to work on next:

• Work with Apple and DoIT Product Management to update Apple School Manager support workflows.
• Create a shared repository in BigFix to allow BigFix operators to deploy DoIT packaged content.

Later – these are activities, features, and requests that are being explored and are potential candidates for working on next:

• Integrating Endpoint Management tools with CSOC SIEM.
• Investigate creating an additional shared content repository for Workspace ONE.

---

Mar 16 update

The Endpoint Management Project kicked off the first Lunch & Learn session on February 24th. The team continues on training, documentation, configuration testing of Workspace ONE.

Complete:

• Created an MS Teams team to serve as a resource for a new Endpoint Management Community of Practice.
• Created a consolidated intake process for campus partners

Now:

• Gathering data from campus partners to build a more comprehensive implementation plan for campus rollout
• Documenting roles and responsibilities for service owners, delegated administrators, and basic service consumers
• Creating a public facing FAQ with information about common problems and current known issues
• Developing self paced training course for campus administrators
• Continuing work with Dell/VMware and campus partners to configure the production environment, plan for delegated administration, and evaluate onboarding strategies

Next:

• Work with Apple and DoIT Product Management to update Apple School Manager support workflows
• Next Lunch & Learn scheduled for March 25th 1-2pm
• BigFix upgrade to version 10.0.2

---

Feb 25 update

The Endpoint Management Project continues moving forward. We have spent the time planning communications, consolidating documentation, setting up a community of practice, upgrading the WS1 console, and finishing up the Dell WS1 Quick Start engagement.

Complete:

• On February 16th, DoIT Departmental Support worked with VMware to upgrade the Workspace ONE console from version 2005 to 2101.
• On February 24th, we held our first Lunch & Learn session, covering our service vision, current state of project, community of practice, and our documentation & intake process. We had 82 registrants and 73 people in attendance.
• The Endpoint Management KnowledgeBase site (internal) is now live and consolidates all previous BigFix and Workspace ONE documentation into a single space.

Now:

• The project team is creating an MS Teams team to serve as a resource for a new Endpoint Management Community of Practice
• The project team continues work with Dell/VMware and campus partners to configure the production environment, plan for delegated administration, and evaluate onboarding strategies.
• Developing a communication plan for continued engagement on the need for and implementation of unified endpoint management on campus.
• Creating a repeatable engagement and onboarding strategy for campus partners.

Next:

• Gathering data from campus partners to build a more comprehensive implementation plan for campus rollout.
• Define roles and responsibilities for service owners, delegated administrators, and basic service consumers.
• Develop migration strategies for campus partners currently running endpoint management services and for campus partners with no existing endpoint management strategy.

---

Feb 10 update

The revised endpoint management budget was approved. Campus is funding the core infrastructure and service offering, as well as licenses for campus endpoints in both the BigFix and Workspace One environments.

From the Madison Budget Office: “Endpoint Management has been funded by campus with one-time funds to begin the campus wide implementation process. We estimate this one-time campus funding will carry the Endpoint Management project into FY23. Starting in FY23, Endpoint Management will be partially funded by the IT Campus Assessment and by FY24 will be fully funded by the IT Campus Assessment.”

Complete:

• On January 15, the project team migrated from our on-prem environment to the VMware Workspace One SaaS production environment.

Now:

• The project team is engaged with the Safer Badgers project and AIMS to manage hundreds of endpoints used in the program including the Badger Ambassador devices, check-in devices at testing sites, and the loaner devices being distributed to faculty, staff, and students.
• On January 25, the project team kicked off a three-week engagement with Dell/VMware and campus partners to configure the production environment, plan for delegated administration, and evaluate onboarding strategies.
• On February 16th, DoIT Departmental Support will work with VMware to upgrade the Workspace ONE console from version 2005 to 2101.

Next:

Implementation roadmap 

• Develop an implementation plan for campus rollout.
• Align with the UW System and the UW–‍Madison Asset Inventory policies and procedures.
• Create a repeatable engagement and onboarding strategy for campus partners.
• Develop a communication plan for continued engagement on the need for and implementation of unified endpoint management on campus.
• Develop migration strategies for campus partners currently running endpoint management services and for campus partners with no existing endpoint management strategy.

Service Development

• Create a license purchasing and management process.
• Define roles and responsibilities for service owners, delegated administrators, and basic service consumers.
• Create ongoing training opportunities, centralized documentation, and onboarding options.

Community of Practice / Lunch & Learn

• Create a user-group community to engage with and validate the success and the features of the solution.
• Hold lunch & learn sessions that offer basic troubleshooting and support.

---

For more information, please see the Endpoint Management Project or contact us with questions at doit-seam-support@doit.wisc.edu.