Brian Madden recently laid out a great set of thought-provoking questions in his blog titled “What to Do If You Suddenly Have to Support 80% of Users Working Remotely.” As IT administrators globally shift to remote workers, several traditionally in-house device management processes need to join the shift. Although Brian touched on some processes at a high level, a few of us were discussing how to solve these problems. We wanted to bring to light some critical changes you can make as a result of the massive shift to remote work.
As is always top-of-mind for us in EUC, we hope to help you maintain the best end-user experience. This blog post highlights the features that will help provide the best experience for your remote workforce using Windows 10 and macOS devices managed by VMware Workspace ONE®. To learn how VMware transforms thousands of home environments into fully functional branch offices, take a look at the VMware SD-WAN by VeloCloud business continuity wide area network solution.
Move from Full-Device VPN to Per App VPN
Traditional IT organizations typically deliver VPN software, which grants remote access to the corporate network by tunneling all the network traffic on the device. As Brian mentioned in his blog post, the context of how organizations have sized their VPN endpoint might not correctly reflect device usage in the era of a mostly remote workforce. Were those VPNs sized for simple email or the full gamut of enterprise apps and connections?
As organizations move to modern management, we recommend using per-app tunneling (such as Workspace ONE Tunnel via VMware Unified Access Gateway™ software appliance). Even in the absence of true per-app tunneling, simply enabling split tunneling for your existing full-device VPN client can drastically reduce load. This recommendation also applies to a mostly remote workforce. Although per-app tunneling is typically associated with mobile platforms (such as iOS and Android), it is equally applicable to desktop platforms.
The key to success using per-app tunneling or split tunneling is to rationalize the traffic that must tunnel back to the datacenter. For example, a full-device VPN would typically route OneDrive, Microsoft Teams, Slack, and other cloud-based enterprise apps through the corporate network before they hairpin back out to the Internet. As a result, this can impact the performance of these cloud-based apps since the user is not taking the shortest route to the app source.
With per-app tunneling, you can selectively tunnel traffic from specific applications genuinely destined for an endpoint inside the corporate datacenter. This eases the burden on your corporate VPN endpoint and improves the end-user experience by eliminating the “hop” for cloud-based resources. Win-win!
Unified Access Gateway adds an extra layer of security: per-app tunnel access to internal resources is limited to managed devices that are in compliance, and Unified Access Gateway blocks access from devices that have fallen out of compliance.
If you have a full-device VPN, you can continue using that with split tunneling. However, you might already have Unified Access Gateway appliances deployed if you’re leveraging it for VMware Horizon® or Workspace ONE use cases. In this case, you can add desktop tunneling immediately (or with scale-out of your Unified Access Gateway cluster) depending on the new device count.
If you’re not using Workspace ONE Tunnel today, you might be eligible to stand up Unified Access Gateway appliances for per-app tunneling, depending on your UEM licensing. With Unified Access Gateway ready to go, simply distribute the Workspace ONE Tunnel app (macOS or Windows 10) and configure Device Traffic Rules to rationalize traffic coming back to the corporate network.
You can relieve congestion and overload on your VPN by using the per-app tunnel features. At the same time, you can give the remote workforce selective access to applications and services such as network file shares, internal websites and resources, and even RDP hosts, while the bandwidth hogs (application downloads and patch updates) continue to be delivered from the cloud.
To find out more, see Deploying VMware Workspace ONE Tunnel: VMware Workspace ONE Operational Tutorial.
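The section above recommends enabling split tunneling on an existing full-device VPN client when true per-app tunneling is not yet available. The following PowerShell is an added example, not code from the original post or from VMware: it converts a Windows 10 built-in VPN profile to split tunneling, routes only internal prefixes into the tunnel, and verifies that the default route no longer points at the tunnel. The profile name "Corp VPN" is hypothetical and the prefixes are constructed placeholders for the ranges that actually live in your datacenter.

```powershell
# Added example (not from the original post): move a Windows 10 built-in VPN
# profile from full-device to split tunneling and verify the routing table.
# Assumptions: profile name "Corp VPN" (hypothetical) and constructed
# placeholder prefixes for the internal datacenter ranges.
$ConnectionName   = 'Corp VPN'
$InternalPrefixes = @('10.0.0.0/8', '172.16.0.0/12')

$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

if (-not $vpn.SplitTunneling) {
    # Full-device mode installs a default route through the tunnel, so OneDrive,
    # Teams, Zoom and every other cloud app hairpins through the datacenter.
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
    Write-Host "Split tunneling enabled on '$ConnectionName'."
}

# With split tunneling on, only explicitly routed prefixes enter the tunnel;
# everything else leaves the home network directly for the Internet.
$existing = @($vpn.Routes | ForEach-Object { $_.DestinationPrefix })
foreach ($prefix in $InternalPrefixes) {
    if ($existing -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
        Write-Host "Routing $prefix via '$ConnectionName'."
    }
}

# Verification (only meaningful while connected): the VPN's RAS interface takes
# the connection name as its alias, and no 0.0.0.0/0 route may be bound to it.
$vpn = Get-VpnConnection -Name $ConnectionName
if ($vpn.ConnectionStatus -eq 'Connected') {
    $ifIndex = (Get-NetIPInterface -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction SilentlyContinue).ifIndex
    $defaultViaVpn = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceIndex -eq $ifIndex }
    if ($defaultViaVpn) {
        Write-Warning "A default route still uses the tunnel; disconnect and reconnect to apply split tunneling."
    } else {
        Write-Host "OK: only $($InternalPrefixes -join ', ') are tunneled; Internet traffic goes direct."
    }
} else {
    Write-Host "Connect '$ConnectionName' and rerun to verify the routing table."
}
```

The same prefix list is what you would later carry over into Workspace ONE Tunnel Device Traffic Rules, so keeping it short and datacenter-only is the "rationalize the traffic" step the section describes.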
Deliver Applications from the Cloud – No VPN Needed
If you’re already managing your devices with Workspace ONE from a Shared or Dedicated SaaS instance, our Akamai CDN integration is already enabled on your behalf – Phew! Akamai CDN integration allows apps that are deployed through VMware Workspace ONE® UEM to be distributed through Akamai’s vast content delivery network. This ensures that a remote employee is downloading a company-distributed application from the nearest distribution point to their physical location.
For on-premises installations without this integration enabled, Windows 10 and macOS devices come back to the datacenter to download any non-store (Internal) applications. The increase in app management traffic to your datacenter potentially impacts the end-user experience in the form of slow downloads or installs. The end-user experience worsens as a result of two issues: an unplanned increase in WAN utilization and geographically dispersed devices traversing high-latency global links.
As such, we highly recommend that organizations shifting a large portion of their Windows 10 and macOS devices to remote work consider the following.
If on-premises, integrate Workspace ONE UEM with Akamai CDN to allow the global distribution of your internal apps for Windows 10 and macOS. Integrating Workspace ONE UEM with Akamai CDN reduces the load on the Workspace ONE UEM Servers, especially if there are large files like applications that need to be downloaded.
- macOS User Base
  - Any apps deployed as Products should be configured instead as Internal Apps (including third-party non-store apps or Enterprise apps). Internal Apps deploy from the global CDN (rather than Device Services) in a region closer to your end users.
  - Use hubcli for end-user notifications as part of any pre/post-install scripting to keep the user informed of progress. On macOS with Intelligent Hub installed, run /usr/local/bin/hubcli in Terminal.app for detailed instructions.
  - Use Volume-Purchased apps from Apple Business Manager to leverage Apple’s global CDN. Optionally, enable low-risk applications for Automatic Update.
- Windows 10 User Base
  - As with macOS, any apps deployed as Products should be configured instead as Internal Apps (including third-party non-store apps or Enterprise apps). Internal Apps deploy from the global CDN (rather than the Workspace ONE UEM Device Services) in a region closer to your end users.
  - Ensure all necessary applications are available to end users in the Workspace ONE Unified App catalog. You might reconsider applications that have only been assigned to a subset of users, such as Microsoft Teams, Zoom, Skype, and so on, and assign them to all users so that each user can choose their collaboration tool.
  - End users primarily use the Workspace ONE portal on Windows 10 devices to quickly access all of their apps, including SaaS and virtual apps. End users also receive the Workspace ONE app during enrollment, which provides easy access to native apps, SaaS, and virtual apps. Users will likely use this catalog for installing on-demand native apps. Hub Services is now being integrated into the Workspace ONE Intelligent Hub for Windows, starting with version 20.3, and will continue to receive additional features over time. For more information, see How to Enable the New Intelligent Hub catalog on Windows 10.
Longer-term, organizations delivering very large application installers (or resource-intensive apps) could also consider a hybrid native & Horizon app portfolio. In this case, the large apps run in Horizon Cloud but are displayed on the end-user device with a native look and feel. This includes macOS, where Windows-native apps get a Dock icon and a windowed experience. For more information, see Managing User Experience with VMware Horizon 7.
Control Windows 10 and macOS Updates and Patching from the Cloud
Many admins recognize the need to manage OS update delivery. Traditionally, admins delivered updates from Microsoft WSUS or Apple SUS (or similar solutions like Reposado). On-premises update repositories gave IT admins granular control over update publishing and availability. However, in the era of “Remote Work,” requiring devices to “phone home” to get the update list and the update(s) generates unnecessarily large traffic on your WAN connection. As with app delivery, the overall end-user experience worsens due to slow software update delivery.
As such, organizations should migrate their remote fleets to cloud-based update repositories as follows.
- macOS User Base
  - Enable (or modify) the macOS Software Update payload. Use this payload to point your remote fleet directly to Apple’s update servers and optionally force automatic updates. This profile also enforces a regular update-check interval and forced restarts with user-allowed deferrals. It also forces definition downloads for macOS’s built-in Malware Removal Tool and XProtect.
  - Use (or modify) the macOS Security & Privacy payload to set a Software Update delay (of up to 90 days). IT administrators can use this to delay software updates while performing adequate testing before a fleetwide rollout. If necessary, organizations can optionally ignore updates. This payload also allows organizations to enforce Gatekeeper settings, such as preventing software from unknown developers from running on the device.
- Windows 10 User Base
There are two approaches to managing Windows Updates. The first option is to create multiple Windows Update profiles that automatically push updates to different groups with different deferral settings, essentially creating development, UAT, and production distribution rings. The second option is to assign the same profile to all devices and configure the Require Admin Approval setting for granular deployment of patches. In both cases, configure your Delivery Optimization settings to allow peer-to-peer transfers of updates. For more information, see Managing Updates for Windows 10: VMware Workspace ONE Operational Tutorial.
  - Configuring Automatic Windows Updates, Branching, and Deferral settings
Convert Windows Update policies from a WSUS server to Windows Update for Business (Microsoft Update Service). This allows patches to download from Microsoft CDNs rather than internal WSUS servers. Admins can still configure the Update Branch for the Windows machine and then defer or pause Quality or Feature Updates as required. Ensure that the two deferral options are not set to the same value. For more information, see the KB article AMST-22189: Windows 10 Quality Updates do not appear on approved devices or install without approval.
Tip: Set Automatic Updates to Install Updates Automatically but Let User Schedule the Computer Restart.
  - Leveraging Admin-Approval for Updates
For admins who want more control or granularity over when patches are installed, you can leverage Workspace ONE’s patching approval process. Workspace ONE acts as the management plane that informs devices which patches can be downloaded and installed, based on preconfigured auto-approvals or on an admin manually approving an update. Workspace ONE UEM also integrates with Workspace ONE Intelligence for CVE ingestion, which allows admins to configure automated approvals of correlated patches based on the Common Vulnerability Scoring System (CVSS) score or on the set of patches correlated to a CVE.
Configure branching and deferral settings similar to those described above. However, all devices use one profile and do not leverage distribution rings. Admins can automatically approve Windows Updates by classification, including Security, Definition, Critical Updates, and more: set a classification to Allow to automatically approve its patches for installation. Admins can then see all available patches reported by the managed devices and approve patches manually.
Note: If you use CVE ingestion for patch approval, set the Security classification to Not Allowed so that Intelligence can approve the correlated patches.
View and Control Available Windows 10 patches in the Workspace ONE UEM console.
Now you have an Updates policy configured. Devices know which updates they are allowed to install and when to install them. These updates come from Microsoft Update servers instead of internal WSUS servers, saving a lot of bandwidth. Admins can still view available patches for all Windows 10 devices and apply individual updates (driver, definition, security, feature, and so on) directly from the Workspace ONE UEM console, either per device or by auto-approving the updates by policy.
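Once the Workspace ONE profile has been pushed, it is worth confirming on a device that the effective Windows Update policy really did move off WSUS and carries the deferral, pause and Delivery Optimization settings described above. The following PowerShell audit is an added example, not code from the original post or from VMware; it reads the policy registry keys that the Windows Update and Delivery Optimization policy CSPs write and flags the conditions this section warns about. Run it in an elevated PowerShell on the managed device.

```powershell
# Added example (not from the original post): audit the applied Windows Update
# policy on a Windows 10 device after moving from WSUS to Windows Update for Business.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$do = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-PolicyValue($Path, $Name) {
    # $null means the policy key or value is absent, i.e. the setting is not configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$findings = @()

# 1. WSUS vs. Windows Update for Business: UseWUServer=1 still sends scans and
#    downloads to the internal WSUS server in WUServer, i.e. back over the VPN.
$useWsus = Get-PolicyValue $au 'UseWUServer'
if ($useWsus -eq 1) {
    $findings += "Device still points at WSUS ($(Get-PolicyValue $wu 'WUServer')); move to Windows Update for Business."
}

# 2. Branch and deferral ring settings. BranchReadinessLevel 16 = Semi-Annual
#    Channel (Targeted), 32 = Semi-Annual Channel. Quality and feature deferral
#    periods should not be set to the same value (see the KB article above).
$branch       = Get-PolicyValue $wu 'BranchReadinessLevel'
$deferQuality = Get-PolicyValue $wu 'DeferQualityUpdatesPeriodInDays'
$deferFeature = Get-PolicyValue $wu 'DeferFeatureUpdatesPeriodInDays'
if ($null -ne $deferQuality -and $deferQuality -eq $deferFeature) {
    $findings += "Quality and feature deferrals are both $deferQuality days; use distinct values."
}

# 3. A pause start time means no updates of that type install until the pause expires.
foreach ($n in 'PauseQualityUpdatesStartTime', 'PauseFeatureUpdatesStartTime') {
    if (Get-PolicyValue $wu $n) { $findings += "$n is set; those updates are currently paused." }
}

# 4. Restart behaviour: AUOptions 4 = auto download and schedule the install,
#    3 = auto download and notify for install, 2 = notify before download.
$auOptions = Get-PolicyValue $au 'AUOptions'

# 5. Delivery Optimization: DODownloadMode 1 (LAN) or 2 (Group) allows peer-to-peer
#    sharing of update bits; 0 (HTTP only) and 100 (bypass) disable it.
$doMode = Get-PolicyValue $do 'DODownloadMode'
if ($doMode -eq 0 -or $doMode -eq 100) { $findings += "DODownloadMode=$doMode disables peer-to-peer transfers." }

[pscustomobject]@{
    UsesWSUS             = ($useWsus -eq 1)
    BranchReadinessLevel = $branch
    DeferQualityDays     = $deferQuality
    DeferFeatureDays     = $deferFeature
    AUOptions            = $auOptions
    DODownloadMode       = $doMode
    Findings             = $findings
}
```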
Enforcing Security Policies and Modern Endpoint Protection
As more devices move out of the office and into home or public Wi-Fi networks, the potential for network-based threats increases. IT admins can help protect work devices from these network-based threats by enabling modern endpoint protection or an on-device firewall. In either case, we recommend adequate testing to ensure no unexpected behavior between the firewall and end-user applications.
Both macOS and Windows 10 include a built-in application firewall. IT admins can use Workspace ONE to enable and configure security policies, such as the firewall.
- macOS User Base
  - Enable (or modify) the macOS Firewall payload to enable the application firewall. IT admins can optionally configure the firewall to block incoming connections and enable stealth mode.
  - Use (or modify) the macOS Security & Privacy payload to enforce Gatekeeper settings, such as preventing software from unknown developers from running on the device.
- Windows 10 User Base
  - Enable (or modify) the Windows Desktop Firewall profile to configure the native Windows Desktop Firewall settings. You will see all the same settings and configuration options you are familiar with.
Next, VMware Carbon Black Cloud™ provides modern endpoint protection for remote workers, including a next-generation antivirus (NGAV) and endpoint detection and response (EDR) solution. VMware Carbon Black provides advanced protection and visibility to defend against malware and non-malware attacks, allowing IT administrators to access a control plane in the cloud to:
- Respond to an attack as soon as it is identified.
- Visualize every stage of the attack with easy-to-follow attack chain details to uncover root causes in minutes.
- Immediately triage alerts by isolating endpoints, denylisting applications, or terminating processes.
- Remotely access any endpoint, on or off the corporate network, through a secure shell to investigate and neutralize threats.
Leveraging the Application Management capability from Workspace ONE UEM, IT can deploy Carbon Black Sensor across all managed Windows and Mac devices. With the integration between Workspace ONE Intelligence and VMware Carbon Black for device quarantine, IT administrators gain real-time insight over and above the basic built-in firewall, security orchestration for rapid remediation, minimized risks associated with attacks, and simplified security by removing silos.
Continuous Remote Support using Workspace ONE Assist
With our businesses forced to work from home, connecting to and supporting users when something goes wrong becomes an incredible challenge. VMware Workspace ONE® Assist™, together with Workspace ONE UEM, enables you to remotely control Android, Windows CE, Windows 10, and macOS devices, and to remotely view iOS devices in real time, so you can quickly troubleshoot and fix device, network, or application issues with file and task management tools, including File Manager, Command-Line, and Registry Editor.
This post highlighted features you can leverage to support your remote workers using Windows 10 and macOS devices managed by Workspace ONE.
For more details on enabling remote workers with VMware, check out Enabling Business Continuity with VMware Digital Workspace.