Skip to main content

VMware Workspace ONE

Deploying WhatPulse Professional with VMware Workspace ONE

VMware Workspace ONE UEM (formerly AirWatch) is a unified endpoint management platform that can manage Mac devices and deploy applications to them. For macOS software distribution, Workspace ONE uses the Software Distribution mechanism to push internal applications (non-App Store apps) to devices. We will package WhatPulse Professional for macOS as an "Internal Application" and deploy it to Macs, as well as use Workspace ONE to deliver supporting files (org ID) and permissions. This guide assumes you have a Workspace ONE environment set up with Mac management.

Prerequisites

  • Workspace ONE UEM Access: Admin access to the Workspace ONE UEM console (web portal). Your Mac devices should be enrolled in Workspace ONE (the Intelligent Hub is installed on them).
  • WhatPulse Installer (.pkg): Download the latest WhatPulse Professional .pkg installer for macOS from the WhatPulse downloads page. Workspace ONE requires software to be in PKG format for internal app deployment.
  • VMware Admin Assistant (for macOS): (Optional) A VMware-provided tool that generates detection metadata (PLIST) for Workspace ONE. Download it from VMware's resources or via Customer Connect. This is not required since WhatPulse provides a .pkg, but can help with automated detection criteria.
  • Org ID and Files: Your WhatPulse organization ID for automatic registration. Also plan for a Privacy Preferences profile (Workspace ONE can deploy configuration profiles to Macs for things like PPPC).

Deployment Steps

  1. (Optional) Prepare Detection Metadata using Admin Assistant: WhatPulse provides a .pkg installer, so you can skip straight to uploading it. However, if you want Workspace ONE to have detailed detection metadata, you can optionally use the Workspace ONE Admin Assistant:
    • Install and open Workspace ONE Admin Assistant on a Mac (this is a tool specifically made to package Mac apps for WS1).
    • Drag and drop the WhatPulse .pkg into the Admin Assistant window. It will generate a .plist file containing detection information (e.g., bundle ID com.whatpulse.mac, version, etc.) that WS1 uses to verify installation status.
    • If you skip this step, you can manually set detection criteria in WS1 (see step 3).
  2. Add the Application in Workspace ONE UEM:
    • In the Workspace ONE UEM Console, navigate to Apps & Books (might just be "Apps" in newer versions) > Native > Applications > Add Application and choose macOS > Internal Application (this means a custom app not from the Mac App Store).
    • Choose Upload and then browse for the WhatPulse .pkg file. Select the PKG. The console will begin uploading it. If your PKG is large, this may take a few minutes.
    • Application Details: After upload, Workspace ONE will either auto-extract some info or prompt you to enter details:
      • Name: e.g., "WhatPulse Professional".
      • Version: enter the version number (if Admin Assistant was used, it might fill this or it might say "Please Edit Me" if not detected – make sure to put the correct version).
      • Description: optional text about WhatPulse.
      • Category: perhaps "Utilities" or create a category.
      • Developer: WhatPulse.
      • Icon: you can upload an icon or WS1 might extract one from the app.
  3. Configure Deployment Settings:
    • Assignment Type: Choose Auto to force install on devices (so it silently installs without user needing to go to catalog). If you prefer to let users install from the catalog, choose On-Demand, but for enterprise deployment Auto is typical.
    • App Delivery Method: Most likely "Push" (immediate) since it's internal.
    • Installation Context: Device (so it installs for all users). For most software, Device context is appropriate.
    • Uninstall Option: You can optionally configure an uninstall script or check a box if WS1 offers to automatically handle removal (but since not needed now, you can leave it).
    • Detection Criteria: This is crucial – how WS1 knows the app is installed. If you used Admin Assistant, you likely have a .plist to upload under "Advanced > Upload Manifest" or "Use additional parameters". Upload the PLIST Admin Assistant gave you; it contains the detection criteria (e.g., bundle ID and version). If you didn't use it, set detection by file existence (e.g., path /Applications/WhatPulse/WhatPulse.app) and perhaps an app version check (Workspace ONE might allow specifying "exists and version >= X" from the app's Info.plist).
    • Save the app. Workspace ONE will now have the WhatPulse app listed in the console as an internal application.
  4. Assign the App to Devices:
    • After saving, you need to Assign the application to devices or groups. Go to the Assignments section for the app.
    • Create an assignment for your target devices. Typically, you would have a Smart Group that includes all Macs you want to deploy to (for instance, a group "All Corporate Macs" or by department).
    • Select that Smart Group as the deployment target. Set the deployment to Automatic (since we chose Auto earlier, it should reflect here) and whether to push on Wi-Fi only or any network (depending on your policy and app size; WhatPulse is not very large, so any network is fine).
    • (If needed, add exclusions if there are Macs you don't want to get it.)
    • Save the assignment. The app is now queued for installation on those devices.
  5. Automatic Org ID File Deployment: Workspace ONE doesn't natively have a one-step way to drop a file after app install like some tools, but we can achieve it through one of two methods:
    • Method A: Repackaging with PostInstall – The simplest for deployment: if you have control of the PKG (like you made it or can modify it), embed a post-installation script in the PKG that creates the wp-pro-org-id.txt. This way, when WS1 installs the PKG, that script runs automatically. For example, you could use a tool like Packages or pkgbuild to add a postinstall script:
#!/bin/sh
echo "<Your Org ID>" > "/Applications/WhatPulse/wp-pro-org-id.txt"
chown root:wheel "/Applications/WhatPulse/wp-pro-org-id.txt"
chmod 644 "/Applications/WhatPulse/wp-pro-org-id.txt"
exit 0

Ensure this script is part of the PKG before you upload to WS1. (If you already uploaded a pkg and don't want to re-upload, see Method B.)

  • Method B: Files/Actions via Product Provisioning – Workspace ONE can deploy files or scripts through the legacy Product Provisioning (if the Intelligent Hub is running in "device administrator" mode for macOS). This is more complex and typically used for things like dropping configuration files:
    • In the WS1 console, under Resources or Devices, find Product List or Sensors/Scripts (WS1 has added a Scripting engine in recent versions).
    • You could create a macOS Custom Script (if available) that writes the org ID file. For instance, a script profile with the same echo "<OrgID>" > /Applications/WhatPulse/wp-pro-org-id.txt command. Deploy that script to the same Smart Group.
    • Alternatively, use the Files payload in a Product to actually upload a small file (a text file containing your Org ID) and specify a path to drop it on the device. For example, upload a text file from your PC that contains just the org ID, and configure the product to place it at /Applications/WhatPulse/wp-pro-org-id.txt. You might combine that with a command sequence if needed to ensure the WhatPulse directory exists.
    • These methods require the VMware Intelligent Hub and possibly the "Product Provisioning" component; ensure that's set up in your environment.
  • If feasible, Method A (repackaging) is often easier: it bundles everything in one step. If you use Method B (script), note that Workspace ONE's script execution might be under "Scripts" (in more recent WS1 you can add custom scripts similar to how Mosyle does). You would create a script and assign it to run on devices (likely as System user).
  • In either case, the outcome should be that on each Mac, after installation, the file wp-pro-org-id.txt exists with your org info. That will cause the WhatPulse client to register itself to your org on first launch.
  1. Deploy Privacy Preferences Profile: Use Workspace ONE to push the necessary privacy permissions:
    • Create a macOS Profile (Devices > Profiles > Add > macOS).
    • Configure a Privacy Preferences Policy Control payload (if using the UI Wizard, you might find it under the Privacy section; or you can upload a custom .mobileconfig from Apple Configurator or Profile Creator).
    • In the PPPC settings, add an entry for the WhatPulse app's Bundle ID (com.whatpulse.mac) and designate the code requirements (Team ID). Mark Accessibility = Allow (without prompt), Input Monitoring = Allow for that app.
    • (Workspace ONE might require uploading the actual profile XML if the UI doesn't support adding Input Monitoring via GUI – if so, use a tool to create it, including both services.)
    • Save the profile and assign it to the same Smart Group of Macs. This will push down and pre-consent WhatPulse to the needed privacy permissions. Ensure this profile is installed before or at least by the time WhatPulse is run on endpoints.
  2. Publish and Install: After configuring the app assignment, the org ID file deployment, and the PPPC profile:
    • Workspace ONE will push the WhatPulse app to devices in the Smart Group. The Intelligent Hub on each Mac will download the PKG from the WS1 server and install it. You can monitor this in the console under Apps > Native > Internal > (WhatPulse) > Devices tab, which will show installation status per device.
    • The PPPC profile will also arrive on devices, so when the app is installed, the permissions are already handled.
    • The org ID file creation (if via embedded script) occurs during installation; if via separate script/profile, that will be executed around the same time (depending on how you scheduled it, possibly immediately after enrollment or on next check-in).
  3. Verification:
    • In the Workspace ONE console, find the WhatPulse app deployment and check device Install Status. Devices should report Installed for the app. If some show as "Pending" or "Failed", investigate connectivity or compatibility (e.g., ensure the pkg was uploaded correctly and that the devices meet any requirements).
    • On a Mac, verify that WhatPulse.app is in /Applications/WhatPulse. The app might not launch automatically (unless a user logs in, because typically a login item is set). You can manually open it to test.
    • Confirm the presence of wp-pro-org-id.txt in the WhatPulse application folder. It should contain the org string you provided.
    • Because the PPPC profile was installed, launching WhatPulse should not prompt the user for Accessibility or Input Monitoring approval – those should have been granted by the profile (the user can see them listed as allowed in System Preferences, indicated as managed).
    • When WhatPulse runs the first time, it will detect the org ID file and register itself. Now check the WhatPulse Pro web dashboard: the Mac should appear under Pending Computers automatically. The computer name might reflect the Mac's name. If you see it there, the whole chain (install + org ID) worked correctly.
    • Activate the computer in the dashboard (assign it to a user) and then observe that the client starts reporting data. With the permissions in place, stats collection should begin immediately (you can verify keystroke counts incrementing in the client, etc.).
  4. Ongoing Management:
    • Workspace ONE will now "own" this application. If you ever need to update WhatPulse, you would obtain the new version's PKG and use the Update Application function in WS1 or add a new version as an internal app (Workspace ONE can push updates by recognizing version changes).
    • The PPPC profile and org ID file don't typically need updates unless your org ID changed or Apple introduces new permissions.
    • If a device is unenrolled from WS1, WS1 can optionally remove the app (depending on if you checked "Remove on unenroll" in app settings). You might not need that for WhatPulse, but it's something to be aware of.

By leveraging Workspace ONE's software distribution, the WhatPulse app deployment is handled through the same framework as other internal apps. With the additional config profiles and scripts, the deployment becomes zero-touch: no end-user input is required for installation, configuration, or granting permissions. The Macs will silently install WhatPulse and automatically appear in your WhatPulse dashboard, ready for activation. This approach scales well, and Workspace ONE will provide feedback if any device fails to install (so you can remediate by, say, having the user online or on VPN, etc.). Once activated, WhatPulse should run at startup and begin collecting stats, completing the successful enterprise deployment through Workspace ONE.