Steps to Enable a Remote Workforce with Workspace ONE – Part 2
Recently, we released part one of the steps to enable a remote workforce with Workspace ONE. Today, we are taking a deeper dive into what you need to get started on being an IT superhero in your organization.
To recap, VMware Workspace ONE is a platform that combines powerful integration across digital workspace solutions, including Access Management, Unified Endpoint Management (UEM), Analytics, Desktop and Application Virtualization. These key solutions enable remote work without compromising security and provide incredible user experience. Workspace ONE is organized into four core solutions:
• Workspace ONE UEM – Enables Unified Endpoint Management across Windows, Mac, iOS and Android devices, protecting corporate applications and data.
• Workspace ONE Access – Enables the unified application catalog, providing a single place to secure access to all applications and single sign-on, in addition to streamlining communication with all users through Hub Services.
• VMware Horizon – Enables access to remote applications and desktops, keeping all data in the datacenter.
• Carbon Black Cloud – Cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console.
Step 1 – Accessing Workspace ONE in the Cloud
The VMware Workspace ONE platform can be deployed on-premises or via the cloud (SaaS-hosted). To accelerate your deployment time and stay up to date with all of the platform updates, we highly recommend that you leverage SaaS-hosted by requesting your free trial today. The following steps will help you gain quick access to Workspace ONE.
• Request a free trial of Workspace ONE.
○ Leverage the Workspace ONE Getting Started Wizard to complete some of the prerequisites, such as configuring Auto Discovery to enable e-mail domain lookups during enrollment, APNs for Apple devices and Single Sign-On profile configuration for a password-less experience.
○ Workspace ONE UEM is based on a multi-tenant architecture that allows one instance to support multiple organizations (tenants) in different regions or groups within a large organization. Each tier (tenant) provides an additional layer of security, configuration, customization and access control.
Extended free trials of Workspace ONE (90 days and 100 devices) are available here through July 31, 2020!
For VMware Horizon, organizations can leverage Horizon Cloud Service to manage their cloud-hosted virtual desktops and applications, leveraging their capacity on Microsoft Azure or VMware Cloud on AWS. For more information, visit Maintaining Business Continuity in Challenging Times – Part 2.
Step 2 – User Directory Integration and Access to Corporate Resources
With a cloud-based architecture, Workspace ONE is consumed as a service requiring little or no infrastructure on-premises. Organizations often integrate with on-premises components such as Active Directory as the record source for authentication and Certificate Authority to increase security and provide better employee experience.
This second step covers the deployment and configuration of the on-premises components.
• Deploy and Configure AirWatch Cloud Connector (ACC) – Runs in the internal network, acting as a proxy that securely transmits requests from Workspace ONE UEM to the organization’s critical back-end enterprise infrastructure components. Organizations can leverage the benefits of Workspace ONE® UEM MDM, running in any configuration, together with those of their existing LDAP, certificate authority, email and other internal systems.
• Deploy and Configure the Workspace ONE Access Connector – Performs directory sync and authentication between an on-premises Active Directory and the Workspace ONE Access service.
• Deploy and Configure the Unified Access Gateway (UAG) – Enables secure remote access from an external network to a variety of internal resources. Unified Access Gateway supports multiple use cases; complete the following steps as they apply to yours:
○ Configure the VMware Tunnel Edge Service – Per-App Tunneling of native and web apps on mobile and desktop platforms to secure access to internal resources through the VMware Tunnel service.
○ Secure your on-premises email infrastructure so that it grants access only to authorized devices, users and email applications based on managed policies. This capability leverages the Secure Email Gateway service integrated with Workspace ONE UEM.
○ Configure the Content Gateway Edge Service – Enables access from the VMware Workspace ONE® Content app to internal file shares or SharePoint repositories by running the Content Gateway service.
○ Configure Web Reverse Proxy and Identity Bridging – Reverse proxying of web applications and identity bridging for authentication to on-premises legacy applications that use Kerberos or header-based authentication.
○ Configure the Horizon Edge Service – Secure external access to desktops and applications on VMware Horizon® Cloud Service™ on Microsoft Azure and VMware Horizon® 7 on-premises.
• Configure Mobile Email Management – Helps to protect your mail infrastructure and enables Mobile Email Management (MEM) functionalities. Depending on your use case and mail infrastructure, this step may be skipped.
• Federate third-party IdPs and applications with Workspace ONE Access – Workspace ONE Access acts as an identity broker and can integrate with your existing 3rd party identity solutions. Take this time to federate Workspace ONE Access with your existing solutions to provide a seamless SSO experience to your end-users. Refer to the Integrate module in Mastering Workspace ONE Access.
• Enable Hub Services – Hub Services offers a unified catalog, actionable notifications to allow for real-time communication with employees and a people directory for a full digital workspace experience.
• Enable Workspace ONE Intelligence – Gives organizations insights, visualization tools, risk analytics based on user behavior and automation to help them make data-driven decisions for operating their Workspace ONE environment, by aggregating, analyzing and correlating device, application, threat and user data.
Step 3 – Defining Access Policies and Deploying Apps
With the integrations in place to support the needs of your remote workforce, it’s time to define the policies that will secure devices, applications, corporate data and users, in addition to group assignments based on the permissions and access policies defined by the organization. The following steps can help guide you on how to achieve this.
• Create and Assign Device Profiles and Policies – Device profiles are the primary means by which you manage devices in Workspace ONE UEM. They represent the settings that, when combined with compliance policies, help you enforce corporate rules and procedures. The most common profiles to deploy initially are email, encryption, device passcode and Wi-Fi profiles, along with security policies.
○ Create profiles for each platform type then configure a payload, which consists of the individual settings you configure for each platform type. For more details on the full capabilities of each platform and how to deploy those specific profiles, please refer to the Windows 10, macOS, iOS/tvOS and Android Enterprise management activity paths.
○ The process for creating a profile consists of first specifying the General settings followed by the Payload:
∙ The General settings determine how the profile is deployed and who receives it.
∙ The Payload for the profile is the actual restriction itself and other settings as applied to the device when the profile is installed.
• Define Access Policies in Workspace ONE Access – Access policies can be used to establish trust between users, devices and apps in the Workspace ONE environment. You can configure access policies to manage how users access their catalog of resources and how users access specific resources.
○ Leverage Risk Analytics to provide risk scoring based on user behavior anomalies and machine learning models. User Risk Score integrates with Workspace ONE Access for risk-based conditional access and multiple Workspace ONE use cases.
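To make the policy concept concrete, here is an added Python example that is not VMware's code and not the Workspace ONE Access policy engine. It models what an access policy of the kind described above does: an ordered list of rules, each scoped by network range and device type, that also checks enrollment, compliance and the user's risk score before granting access with a particular authentication chain, and that denies by default when no rule matches. The rule names, request fields, three-level risk scale and sample requests are all constructed for this illustration.

```python
"""Illustrative conditional-access evaluator (added example; not VMware's code).

Models an ordered access policy: each rule is scoped by network range and
device type, requires enrollment, compliance and an acceptable risk score,
and grants access with a given authentication chain. The first matching rule
wins; no match means deny (fail closed). All field names, rule names and the
risk scale are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    device_type: str   # constructed labels: "ios", "android", "windows", "macos", "web"
    managed: bool      # enrolled in UEM
    compliant: bool    # passes the UEM compliance policies assigned to it
    risk_score: str    # constructed scale: "low", "medium" or "high"


@dataclass(frozen=True)
class Rule:
    name: str
    networks: tuple            # CIDR strings; ("0.0.0.0/0",) matches any IPv4 source
    device_types: tuple        # () matches any device type
    require_managed: bool
    require_compliant: bool
    risk_levels: tuple         # risk scores this rule applies to
    auth_methods: tuple        # authentication chain the user must complete
    decision: str = "allow"    # "allow" or "deny"


def rule_matches(rule: Rule, req: AccessRequest) -> bool:
    """True when every scope condition of the rule holds for the request."""
    try:
        src = ip_address(req.source_ip)
    except ValueError:
        return False  # an unparseable source address never matches a rule
    if not any(src in ip_network(n) for n in rule.networks):
        return False
    if rule.device_types and req.device_type not in rule.device_types:
        return False
    if rule.require_managed and not req.managed:
        return False
    if rule.require_compliant and not req.compliant:
        return False
    return req.risk_score in rule.risk_levels


def evaluate(policy: list, req: AccessRequest) -> tuple:
    """Return (decision, auth chain, rule name); no match means deny."""
    for rule in policy:
        if rule_matches(rule, req):
            return rule.decision, rule.auth_methods, rule.name
    return "deny", (), "default-deny"


ANY = ("0.0.0.0/0",)

# Constructed policy: the deny rule for high-risk users is listed first so it
# wins regardless of network or device; external access from managed mobile
# devices is stepped up to MFA when the risk score is medium.
POLICY = [
    Rule("block-high-risk", ANY, (), False, False, ("high",), (), decision="deny"),
    Rule("internal-managed", ("10.0.0.0/8",), (), True, True, ("low", "medium"), ("mobile-sso",)),
    Rule("external-managed", ANY, ("ios", "android"), True, True, ("low",), ("mobile-sso",)),
    Rule("external-managed-step-up", ANY, ("ios", "android"), True, True, ("medium",), ("mobile-sso", "mfa")),
    Rule("external-browser", ANY, ("web",), False, False, ("low",), ("password", "mfa")),
]

# Constructed sample requests (addresses from documentation ranges).
SAMPLE_REQUESTS = [
    AccessRequest("alice", "10.1.2.3", "ios", True, True, "low"),
    AccessRequest("bob", "203.0.113.5", "android", True, True, "medium"),
    AccessRequest("carol", "203.0.113.9", "windows", False, False, "low"),
    AccessRequest("dave", "10.1.2.3", "ios", True, True, "high"),
    AccessRequest("eve", "not-an-ip", "web", False, False, "low"),
    AccessRequest("frank", "198.51.100.7", "web", False, False, "low"),
]


def decisions() -> dict:
    """Evaluate every sample request against the constructed policy."""
    return {r.user: evaluate(POLICY, r) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for user, (decision, chain, rule) in decisions().items():
        print(f"{user:6} {decision:5} via {rule:25} auth={'+'.join(chain) or '-'}")
```

Two design choices matter here: rules are evaluated in order and the first match wins, so the high-risk deny rule sits at the top; and anything that matches no rule, including a request whose source address cannot be parsed, is denied rather than allowed.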
Applications are at the center of a remote workforce's needs. After defining the policies that secure the device and user access, application provisioning is the next key procedure. The Unified Application Catalog, enabled in the Workspace ONE Intelligent Hub app, gives users a single place on their device to access all the applications they need and to install on demand those that do not need to be pushed automatically. The administrator only needs to make such apps available so the user can install them when needed.
As an administrator, you might want to provision corporate applications for web access or install the native version on employees' devices, based on their needs. You can evaluate which type of deployment is best for each employee.
• Add and Assign Apps to the Unified Catalog – The Workspace ONE Intelligent Hub Unified Catalog supports various app types from web apps, virtual apps and even native apps. See Setting Up Resources in Workspace ONE Access and the Mobile Application Management tutorial for deploying and syncing native apps for Windows, macOS, Android and iOS.
○ There are several additional clients you might want to deploy for added capabilities, such as the Carbon Black Cloud Sensor to protect endpoints, the Workspace ONE Assist client to enable remote assistance for end users' devices by the help desk and Workspace ONE Tunnel to enable access to internal resources through secure Per-App VPN capabilities.
• Provision the following Workspace ONE Productivity Apps for users who leverage Android or iOS smartphones and tablets:
○ Workspace ONE Boxer – Enables secure access to e-mails, calendar and contact lists.
○ Workspace ONE Web – Secures access to internal websites leveraging Per-App VPN technology.
○ Workspace ONE Smartfolio – Helps organizations manage and share corporate content with employees who need to access critical information on the job, and serves organizations that have document-oriented regulatory requirements or a need to publish enterprise content and audit compliance.
○ Workspace ONE Content – Provides employees access to internal content repositories such as network file shares, SharePoint sites and other content management systems hosted on-premises.
○ Workspace ONE Notes – Enterprise secure notes and task manager that empowers users to capture ideas, meeting notes, tasks and more while on the go.
• Configure the SDK Policies – The Workspace ONE SDK is a software library for integrating mobile applications with the Workspace ONE platform; its policies allow for required authentication, DLP settings, SSO and many other options.
Step 4 – Onboarding your Users’ Devices
Before we jump into the technical steps, you should start by collaborating with your communication teams (HR, IT and management). You should focus on informing users on what to expect to assist in improving their employee experience while accessing corporate resources and apps they need to be productive. The steps below have everything you need to get started!
• Leverage Getting Started with the Workspace ONE End-User Adoption Kit to quickly communicate the benefits and steps for onboarding devices into Workspace ONE. You can choose from various roll-out paths and receive assets for communicating, educating, promoting and supporting end-users with your campaign. If you would like training on the kit and an introduction to the assets and how to best use them, please send an e-mail to firstname.lastname@example.org.
Now, from a technical perspective, the quickest way to onboard devices is by leveraging the VMware Workspace ONE Intelligent Hub. There is a simple site available for all platforms to get started: getwsone.com. Additionally, if you want to simplify these steps, you can push enrollment emails via the Workspace ONE UEM console with QR codes that users can scan to get started. From an end user’s perspective, they can follow these simple steps to enroll.
• Download Workspace ONE Intelligent Hub by navigating to getwsone.com.
• Enroll devices using your corporate e-mail address and corporate credentials.
• Once enrollment is complete, open the Workspace ONE Intelligent Hub to access your unified catalog with everything you need!
If you want to use the QR codes, end-users will follow the steps below. Keep in mind that you can send user and device activation messages from the Workspace ONE console. You can even have emails sent out automatically to AD user groups as the users are imported into the console. To customize the Device or User Activation message template, navigate to Device & Settings > All Settings > Device & Users > General > Message Templates.
• Receive enrollment emails (or SMS) with a QR code that can be scanned by various devices to get started.
• Enter your corporate credentials when prompted.
• Once enrollment is complete, open the Workspace ONE Intelligent Hub to access your unified catalog with everything you need!
The following image shows a sample Device Activation message. Feel free to scan the QR code to experience the users’ first steps.
The above is the quickest onboarding method from a configuration standpoint, as no additional prerequisites are required. Every platform also has its own set of onboarding methods that require fewer clicks from the end-user. You might want to explore some of these options as well, depending on how much time you have to prepare or which third-party licenses you have access to, such as Azure AD Premium, which is required for Autopilot and OOBE enrollment for Windows 10.
• Windows 10 Onboarding Options:
○ Planning your Windows 10 Deployment covers everything you need to know to get started, along with a decision flow to help you choose the best onboarding method for your use-case.
○ Enrolling Windows 10 Devices using Azure AD covers all the steps to integrate Workspace ONE with Azure AD to unlock Autopilot and out-of-box-experience (OOBE) enrollment, which allows employees to seamlessly enroll new Windows 10 devices.
○ Dell Provisioning allows admins to order devices directly from Dell with the apps configured in the Workspace ONE console preloaded on the device from the factory. This process also automates enrollment into Workspace ONE UEM, allowing for a seamless experience to apps as soon as the device completes the OOBE process.
○ If your devices are already domain joined or managed by Microsoft Endpoint Configuration Manager, I would suggest taking a look at Onboarding using Command-Line enrollment and Workspace ONE AirLift.
• macOS Onboarding Options:
○ Onboarding Options for macOS covers the various onboarding options for macOS including user-initiated enrollment, single-user and multi-user staging for network users and single-user staging without domain binding.
○ Learn how to use Apple Business Manager to streamline deployment of Apple devices.
• Android Onboarding Options:
○ Managing Android Devices covers the various onboarding options for Android including Work Profile (BYOD), Work Managed (Corporate-Owned) and COPE (Hybrid).
• iOS Onboarding Options:
○ Learn how to use Apple Business Manager to streamline the deployment of Apple devices.
Step 5 – Monitor Employee Experience & Provide Continuous Support
Workspace ONE allows you to be proactive in monitoring the environment and notifies IT of potential issues. Workspace ONE Intelligence helps to identify problems quickly and minimize the impact on employee experience. Use the following steps to enable helpdesk teams, improve communications with users and get visibility across the environment.
• Notify users of the Self-Service Portal to empower them to perform basic device management tasks, investigate issues and fix problems, thus reducing the number of support issues.
• Keep your end-users notified of your organization’s latest news via Hub Services. Hub Services sends custom actionable notifications to the Workspace ONE Intelligent Hub which allows you to communicate with employees without them needing to access their email.
• Leverage Workspace ONE Intelligence to automate battery replacement, automate patch remediation, meet security SLAs through intelligent patch automation, automate remediation based on threats and device risk score changes and create reports and dashboards to gain granular visibility and analyze trends.
Our intent with this blog post was to get you to start thinking about the high-level steps required to remotely deliver any app to any device, enabling workforces of all kinds to work from anywhere, instantly, while safeguarding sensitive information. Be sure to check out the Digital Workspace Tech Zone podcasts and Maintaining Business Continuity in Difficult Times – Part 3, where we discuss this topic in more detail with the experts from the EUC Technical Marketing team!
We know this can be overwhelming. However, VMware can help your organization enable a remote workforce as part of a business continuity plan. The VMware Professional Services team is available to help your organization. Please contact your VMware sales representative for more information on our service offerings.
I would like to recognize the assistance and contributions provided by Josue Negron, EUC Staff Architect, End User Computing, VMware.
Comment below with your thoughts, or let us know if there is anything we missed so that others can benefit!