Please provide your feedback in this short Flings' survey.

Workspace ONE Policy Analyzer for Windows

version 1.0 — October 08, 2021

Contributors 2
View All

Release Date: October 01, 2021


Workspace ONE Policy Analyzer for Windows aids in the management of profiles and baselines for Windows 10 devices. Policy Analyzer uses the Workspace ONE UEM API to review the status of profiles and baselines assigned to a specified Windows 10 device. The resultant HTML report displays all the assigned policies and baselines as well as highlighting potential conflicts between any profiles and/or baselines on the device. The reports also displays all profiles and baselines without potential conflicts. The administrator can then use the Workspace ONE UEM Console to resolve any issues identified.

Workspace ONE

Workspace ONE Policy Analyzer is a Microsoft Windows command line tool that does not require installation. Once the package is extracted at a desired location it can be run in a command window.

The tool has two commands:

  • analyze – analyses a given device’s policy.
  • list-devices - lists devices in the system for a given user. The output is printed on the screen as a tab separated list.
There are various options that can be passed into the tool.

Work on any command

  • -a, --api-url (REQUIRED). The url to the UEM environment’s rest API. Must be the API url, this is usually <uem-base-url>/api
  • -k, --api-key (REQUIRED). The API key to authenticate into the UEM environment's rest API.
  • -u, --api-username (REQUIRED). The API username to login to the UEM environment.
  • -p, --api-password (REQUIRED). Password for the preceding user.
Analyze command
  • --device-udid (REQUIRED). The UDID of the device to generate the report for. This can be discovered in the device details page in UEM console.
  • --report-dir (OPTIONAL). The directory where the reports will be saved into. If not specified, defaults to the current directory.
List devices command
  • --device-username (OPTIONAL). Username filter to filter devices to.
  • --json (OPTIONAL). Convert the output to JSON format rather than a TSV.
  • --max-devices (OPTIONAL). The maximum number of devices to fetch. If not specified, this defaults to 10.

UEM minimum permissions

The user given to the above commands needs the following set of permissions in Workspace ONE UEM:

  • API/Devices/REST API Devices Read
  • API/Groups/REST API Groups Read
  • API/Profiles/Updates Policy Read access
  • API/Profiles/Rest API Profiles Read
  • Device Management/Baselines/View Baselines
  • Groups/View/Organization Group
  • Groups/View/Organization Group List View
for convenience, there's an importable role .xml file in this fling's download section that you can verify and import into Workspace ONE UEM if you wish.