In today’s dynamic enterprise environment, maintaining the optimal performance and stability of your digital workspace infrastructure is paramount. Omnissa Workspace ONE, a cornerstone for many organizations’ End-User Computing (EUC) strategy, orchestrates device management, application delivery, and secure access. However, like any complex system, it requires regular oversight to ensure all components are functioning correctly and efficiently.
This article serves as a comprehensive guide to performing a thorough health check of your Omnissa Workspace ONE environment. We will delve into the critical components, outline manual verification procedures, and, in the spirit of efficiency, provide a PowerShell script to automate many of these checks. Proactive health monitoring is not just about fixing problems; it’s about preventing them, ensuring a seamless and secure experience for your end-users.
Understanding the Workspace ONE Architecture
A robust Workspace ONE deployment typically comprises several interconnected components, each playing a vital role in the overall functionality. Understanding these components is the first step towards effective health monitoring:
- Workspace ONE UEM Console: The central management interface for device enrollment, policy configuration, and application management.
- Device Services (DS): Handles device communication, enrollment, and command delivery.
- AirWatch Cloud Messaging (AWCM): Facilitates real-time communication between the UEM console and managed devices.
- Workspace ONE Access (formerly VMware Identity Manager): Provides single sign-on (SSO) and conditional access to applications and resources.
- Cloud Connectors: Bridge between your on-premises infrastructure (e.g., Active Directory, Certificate Authorities) and the Workspace ONE UEM console.
- Secure Email Gateway (SEG) / Email Notification Service (ENS): Secures email access for managed devices and provides notifications.
- Workspace ONE Tunnel: Provides secure, on-demand access to internal corporate resources for managed devices.
Each of these components must be healthy for the entire Workspace ONE ecosystem to operate without disruption. Let’s explore the manual checks required for each.
Manual Health Check Procedures
Regular manual checks are crucial for identifying issues that automated scripts might miss, such as visual anomalies or performance bottlenecks not immediately flagged by a simple status check. Below is a detailed breakdown of checks, organized by component.
1. Device Services | Cloud Messaging
These components are fundamental for device communication and management.
| Check Item | Action | Expected Outcome |
|---|---|---|
| Device Service Health Check URL | Access https://<Device Services URL>/deviceservices/awhealth/v1 in a web browser. | Should return a healthy status (e.g., OK or similar). |
| Device Management Health Check URL | Access https://<Device Services URL>/devicemanagement/awhealth/v1 in a web browser. | Should return a healthy status. |
| DS Server Utilization | Monitor CPU, Memory, and Disk I/O on MDM Device Server(s). | Utilization should be within normal operating thresholds. |
| DS Server Services | Verify the status of the following services on MDM Device Server(s): | All services should be running. |
| AWCM Service Health Check URL | Access https://<Device Services URL>:2001/AWCM/Statistics in a web browser. | Should display AWCM statistics indicating normal operation. |
2. Console | Cloud Connector | API
These components are central to the UEM console’s functionality and its integration with your directory services.
| Check Item | Action | Expected Outcome |
|---|---|---|
| Console Health Check URL | Access https://<Console Services URL>/airwatch/awhealth/v1 in a web browser. | Should return a healthy status. |
| Console Server Utilization | Monitor CPU, Memory, and Disk I/O on UEM Console Server(s) (e.g., gdc-ws1-uem-01, gdc-ws1-uem-02). | Utilization should be within normal operating thresholds. |
| Console Server Services | Verify the status of the following services on UEM Console Server(s): | All services should be running. |
| MDM API Health Check URL | Access https://<Console Services URL>/api/mdm/hc in a web browser. | Should return a healthy status. |
| System API Health Check URL | Access https://<Console Services URL>/api/system/hc in a web browser. | Should return a healthy status. |
3. Access
Workspace ONE Access is crucial for user authentication and single sign-on to applications.
| Check Item | Action | Expected Outcome |
|---|---|---|
| Access Heartbeat URL | Access https://<WSO Access URL>/SAAS/API/1.0/REST/system/health/heartbeat in a web browser. | Should return a healthy status (e.g., {). |
| Access App Catalog URL | Access https://<WSO Access URL>/catalog-portal/services/health in a web browser. | Should return a healthy status. |
| Access APIs URL | Access https://<WSO Access URL>/SAAS/API/1.0/REST/system/health in a web browser. | Should return a healthy status. |
4. Connectors
Cloud Connectors facilitate communication between Workspace ONE UEM and your on-premises infrastructure.
| Check Item | Action | Expected Outcome |
|---|---|---|
| Connector Server Services | Verify the status of the following services on your Cloud Connector server(s): | All services should be running. |
5. SEG | ENS
The Secure Email Gateway (SEG) and Email Notification Service (ENS) are vital for secure email access and notifications.
| Check Item | Action | Expected Outcome |
|---|---|---|
| SEG Service Health Check URL | Access https://<SEG URL>/health in a web browser. | Should return a healthy status. |
| SEG LB Health Check URL | Access https://<SEG URL>/lb-health in a web browser. | Should return a healthy status. |
| SEG ActiveSync Health Check URL | Access https://<SEG URL>/Microsoft-Server-ActiveSync in a web browser. | Should return a healthy status or prompt for credentials. |
| Email Notification Server Services | Verify the status of the following services on your ENS server(s): | All services should be running. |
6. Tunnel
Workspace ONE Tunnel provides secure access to internal corporate resources.
| Check Item | Action | Expected Outcome |
|---|---|---|
| Tunnel Connection Health Check URL | Access https://<Tunnel URL>:8443/ in a web browser. | Should return a healthy status or a login prompt. |
| VPND Service Status | On Tunnel FrontEnd and BackEnd Server(s), run service vpnd status. | VPND service should be running. |
| VPN Report | On Tunnel FrontEnd and BackEnd Server(s), run /opt/vmware/tunnel/vpnd/vpnreport stat. | Should display VPN statistics indicating normal operation. |
Automating Health Checks with PowerShell
While manual checks provide granular insight, automating routine health checks can save significant time and ensure consistency. The following PowerShell script provides a framework to automate the URL-based health checks and service status verifications for your Workspace ONE environment. Remember to replace the placeholder URLs and server names with your actual environment details.
```powershell
# PowerShell Script for Workspace ONE Health Check Automation

#region Configuration
# --- Workspace ONE UEM Console & Device Services ---
$UEMConsoleURL = "https://your-uem-console.com"
$DeviceServicesURL = "https://your-ds.com"
$AWCMURL = "https://your-ds.com:2001"
# --- Workspace ONE Access ---
$AccessURL = "https://your-access.com"
# --- Secure Email Gateway (SEG) ---
$SEGURL = "https://your-seg.com"
# --- Workspace ONE Tunnel ---
$TunnelURL = "https://your-tunnel.com"
# --- Output File ---
$OutputFile = "C:\Temp\WorkspaceONE_HealthCheck_$(Get-Date -Format 'yyyyMMdd_HHmmss').log"
#endregion

#region Helper Functions
# Requests a health URL and returns a one-line SUCCESS/WARNING/ERROR string.
function Test-URLHealth {
    param (
        [string]$URL,
        [string]$ComponentName
    )
    Write-Host "Testing $ComponentName URL: $URL" -ForegroundColor Cyan
    try {
        # -ErrorAction Stop makes every failure land in the catch block
        # instead of leaving $response empty.
        $response = Invoke-WebRequest -Uri $URL -UseBasicParsing -ErrorAction Stop
        if ($response.StatusCode -eq 200) {
            Write-Host " SUCCESS: $ComponentName is reachable and returned status 200." -ForegroundColor Green
            return "SUCCESS: $ComponentName is reachable and returned status 200."
        } else {
            Write-Host " WARNING: $ComponentName returned status $($response.StatusCode)." -ForegroundColor Yellow
            return "WARNING: $ComponentName returned status $($response.StatusCode)."
        }
    } catch {
        # Connection failures and non-2xx responses (e.g. 401, 404, 500) end up here.
        Write-Host " ERROR: Could not reach $ComponentName. Message: $($_.Exception.Message)" -ForegroundColor Red
        return "ERROR: Could not reach $ComponentName. Message: $($_.Exception.Message)"
    }
}

# Queries Windows services on a remote server and returns one result line per service.
# Get-Service -ComputerName exists in Windows PowerShell 5.1 only; it was removed in PowerShell 6+.
function Test-ServiceStatus {
    param (
        [string]$ComputerName,
        [string[]]$ServiceNames,
        [string]$ComponentName
    )
    Write-Host "Testing services for $ComponentName on $ComputerName" -ForegroundColor Cyan
    $results = @()
    foreach ($service in $ServiceNames) {
        try {
            $status = (Get-Service -Name $service -ComputerName $ComputerName -ErrorAction Stop).Status
            if ($status -eq "Running") {
                Write-Host " SUCCESS: Service '$service' is Running." -ForegroundColor Green
                $results += "SUCCESS: Service '$service' is Running."
            } else {
                Write-Host " WARNING: Service '$service' is $($status)." -ForegroundColor Yellow
                $results += "WARNING: Service '$service' is $($status)."
            }
        } catch {
            Write-Host " ERROR: Service '$service' not found or could not be queried. Message: $($_.Exception.Message)" -ForegroundColor Red
            $results += "ERROR: Service '$service' not found or could not be queried. Message: $($_.Exception.Message)"
        }
    }
    return $results
}
#endregion

#region Main Health Check Logic
# Each array element becomes one line in the log; "" produces a blank line.
# (PowerShell does not expand "\n" inside strings.)
$HealthCheckResults = @()
$HealthCheckResults += "Workspace ONE Health Check Report - $(Get-Date)"
$HealthCheckResults += "==================================================="
$HealthCheckResults += ""

# --- Device Services | Cloud Messaging ---
$HealthCheckResults += "### Device Services | Cloud Messaging ###"
$HealthCheckResults += Test-URLHealth -URL "$DeviceServicesURL/deviceservices/awhealth/v1" -ComponentName "Device Services Health"
$HealthCheckResults += Test-URLHealth -URL "$DeviceServicesURL/devicemanagement/awhealth/v1" -ComponentName "Device Management Health"
$HealthCheckResults += Test-URLHealth -URL "$AWCMURL/AWCM/Statistics" -ComponentName "AWCM Statistics"
# Note: Server utilization and specific DS services require direct access to the DS server,
# which is beyond the scope of a simple remote PowerShell script without additional configuration (e.g., WinRM).
# For these, manual checks or more advanced monitoring tools are recommended.
$HealthCheckResults += ""

# --- Console | Cloud Connector | API ---
$HealthCheckResults += "### Console | Cloud Connector | API ###"
$HealthCheckResults += Test-URLHealth -URL "$UEMConsoleURL/airwatch/awhealth/v1" -ComponentName "Console Health"
$HealthCheckResults += Test-URLHealth -URL "$UEMConsoleURL/api/mdm/hc" -ComponentName "MDM API Health"
$HealthCheckResults += Test-URLHealth -URL "$UEMConsoleURL/api/system/hc" -ComponentName "System API Health"
# Note: Console server utilization and specific Console services also require direct access.
$HealthCheckResults += ""

# --- Access ---
$HealthCheckResults += "### Access ###"
$HealthCheckResults += Test-URLHealth -URL "$AccessURL/SAAS/API/1.0/REST/system/health/heartbeat" -ComponentName "Access Heartbeat"
$HealthCheckResults += Test-URLHealth -URL "$AccessURL/catalog-portal/services/health" -ComponentName "Access App Catalog"
$HealthCheckResults += Test-URLHealth -URL "$AccessURL/SAAS/API/1.0/REST/system/health" -ComponentName "Access APIs"
$HealthCheckResults += ""

# --- Connectors (Example for a single Connector server) ---
# Replace 'YourConnectorServerName' with the actual hostname or IP of your Cloud Connector server
# $ConnectorServerName = "YourConnectorServerName"
# $ConnectorServices = @(
#     "AirWatchCloudConnector",
#     "DirectorySyncService",
#     "KerberosAuthService",
#     "UserAuthService",
#     "VirtualAppService"
# )
# $HealthCheckResults += "### Connectors ###"
# $HealthCheckResults += Test-ServiceStatus -ComputerName $ConnectorServerName -ServiceNames $ConnectorServices -ComponentName "Cloud Connector"
$HealthCheckResults += ""

# --- SEG | ENS ---
$HealthCheckResults += "### SEG | ENS ###"
$HealthCheckResults += Test-URLHealth -URL "$SEGURL/health" -ComponentName "SEG Health"
$HealthCheckResults += Test-URLHealth -URL "$SEGURL/lb-health" -ComponentName "SEG Load Balancer Health"
$HealthCheckResults += Test-URLHealth -URL "$SEGURL/Microsoft-Server-ActiveSync" -ComponentName "SEG ActiveSync"
# Note: ENS services require direct access to the ENS server.
$HealthCheckResults += ""

# --- Tunnel ---
$HealthCheckResults += "### Tunnel ###"
# ${TunnelURL} needs braces: "$TunnelURL:8443" would be parsed as a scope-qualified variable name.
$HealthCheckResults += Test-URLHealth -URL "${TunnelURL}:8443/" -ComponentName "Tunnel Connection"
# Note: VPND service status and VPN report require direct access to the Tunnel server.
#endregion

#region Output Results
# Create the output folder if it does not exist yet, then write the report.
$OutputDir = Split-Path -Path $OutputFile -Parent
if (-not (Test-Path -Path $OutputDir)) { New-Item -ItemType Directory -Path $OutputDir | Out-Null }
$HealthCheckResults | Out-File -FilePath $OutputFile
Write-Host "`nHealth check results saved to: $OutputFile" -ForegroundColor Green
#endregion
```
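
The manual tables accept a credential or login prompt as a healthy result for SEG ActiveSync and Tunnel, while a check that only counts HTTP 200 as success reports those endpoints as unreachable. The following is an added example, not part of the original script: the function name `Test-URLHealthExpected` and its `-ExpectedStatus` parameter are hypothetical, and it assumes the prompt arrives as an HTTP 401 response.

```powershell
# Added example: URL check that accepts a per-endpoint list of healthy status codes.
# Test-URLHealthExpected and -ExpectedStatus are hypothetical names, not Omnissa's.
function Test-URLHealthExpected {
    param (
        [Parameter(Mandatory)] [string]$URL,
        [Parameter(Mandatory)] [string]$ComponentName,
        [int[]]$ExpectedStatus = @(200),   # codes that count as healthy
        [int]$TimeoutSec = 15
    )
    $status = $null
    $detail = ''
    try {
        $response = Invoke-WebRequest -Uri $URL -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
        $status = [int]$response.StatusCode
    } catch {
        # Non-2xx replies are thrown as exceptions. Windows PowerShell 5.1 and
        # PowerShell 7 both expose the server's reply on Exception.Response.
        $detail = $_.Exception.Message
        if ($null -ne $_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode
        }
    }
    # No status at all means DNS, TCP, TLS or timeout failure.
    $result = if ($null -eq $status) { 'ERROR' } elseif ($ExpectedStatus -contains $status) { 'SUCCESS' } else { 'WARNING' }
    if ($result -eq 'SUCCESS') { $detail = '' }
    [pscustomobject]@{
        Component = $ComponentName
        Url       = $URL
        Status    = $status
        Result    = $result
        Detail    = $detail
    }
}

# Placeholder hosts, as in the configuration block of the script above.
$SEGURL    = "https://your-seg.com"
$TunnelURL = "https://your-tunnel.com"

# Assumption: a credential or login prompt is returned as HTTP 401.
$checks = @(
    @{ URL = "$SEGURL/health"; ComponentName = 'SEG Health' }
    @{ URL = "$SEGURL/Microsoft-Server-ActiveSync"; ComponentName = 'SEG ActiveSync'; ExpectedStatus = 200, 401 }
    @{ URL = "${TunnelURL}:8443/"; ComponentName = 'Tunnel Connection'; ExpectedStatus = 200, 401 }
)
$report = foreach ($check in $checks) { Test-URLHealthExpected @check }
$report | Format-Table Component, Status, Result, Detail -AutoSize
```

Because the function returns objects rather than strings, the same `$report` can be filtered on `Result` or exported with `Export-Csv` for trend tracking.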
Conclusion
Regular health checks are a non-negotiable aspect of managing a robust Omnissa Workspace ONE environment. By combining diligent manual inspections with the efficiency of automation, you can ensure that your digital workspace remains performant, secure, and highly available. This proactive approach minimizes downtime, enhances user satisfaction, and ultimately contributes to the overall success of your enterprise mobility strategy. Implement these checks as part of your routine operational tasks, and empower your IT team to maintain a resilient Workspace ONE infrastructure.



