August 23, 2022

VMware Workspace ONE has enhanced its FedRAMP SaaS UEM to include Baselines

We are delighted to announce that VMware’s Workspace ONE UEM service now has an additional FedRAMP enabled tool for keeping agency’s Windows Desktop devices secure with Baselines - Andrew Osborn discusses this exciting announcement and more.

Helping Public Sector Customers to Provide Modern Windows Management


Baselines in FedRAMP

We are excited to announce that VMware’s Workspace ONE UEM service now has an additional FedRAMP enabled tool for keeping agency’s Windows Desktop devices secure with Baselines and it now joins the rest of the Workspace ONE suite for modern workstation management, including Access & Hub Intelligence Services!! Workspace ONE UEM Baselines curates' industry-recommended settings into one configuration to simplify securing your devices.

With the addition of Baselines into the ‘Workspace ONE’ FedRAMP environment, government customers can now leverage this secure, cloud-hosted Workspace ONE environment, while keeping their devices configured to best practices. This typically time-consuming process can now manage the delivery of industry and Gov't-recommended settings into configurations called Baselines.

These configurations significantly reduce the time it takes to set up and configure Windows devices and allows an agency admin to manage the thousands of group policy objects for Windows today, while providing enhanced Integrated Insights for complete visibility into an agency’s digital workspace. Admins can gain deep insights into device, user, and app posture that enable data-driven decisions across an agency or branch’s entire environment.

Ensuring Policy Compliance and Enforcement

Workspace ONE UEM allows admins to push configurations and group policies to managed devices. Whether you are using MDM profiles or Workspace ONE Baselines, the configured policies are enforced locally. MDM profiles are enforced by the OMA-DM client, while Baselines are enforced by the Intelligent Hub.

Workspace ONE Baselines allow admins to keep all their devices secure with those settings and configurations as it uses a cloud-based micro-service that handles the policy catalog of settings to apply on devices. Baselines are based on GPO(s) and function in similar ways.


Here’s an overview of the components.

Cloud-Based Micro-Service

Baselines use a cloud-based micro-service that handles the policy catalog; and if you are an on-premises customer, ensure that your environment can communicate with the micro-service.

Baselines Compliance Status

An admin can ensure that devices are under their control, by following the status within the ‘Baseline Compliance Status’ view. Once Baselines are enrolled in Workspace ONE UEM and have the Workspace ONE Intelligent Hub installed on them, an admin can view the status from the Baselines Detail page. The compliance status for which device and when they are [compliant, intermediate, non-compliant, or not available] based on (3) types of compliance categories:

<p>Description automatically generated

Table: Types of Baselines

Baselines Compliance Engine

The compliance engine is an automated tool by Workspace ONE UEM that ensures all devices abide by your policies. These policies can include basic security settings, such as requiring a passcode or having a minimum device lock period and can be used to configure the ‘Health Attestation for Windows Desktop Compliance Policies.’ An agency can also decide to set and enforce certain precautions. These precautions go beyond setting password strength, such as denylisting certain apps, and requiring device check-in intervals to ensure that devices are safe and in-contact with Workspace ONE UEM.

 Figure 1: VMware’s Baseline Service Integration with UEM

Workspace ONE Suite Integration

Workspace ONE is built on VMware's Workspace ONE UEM technology that provides for the standard aspects of Mobile Device Management (MDM), Mobile App Management (MAM), including Unified Application Catalog. Workspace ONE integrates with virtual desktop application delivery via VMware Horizon on a common identity framework with Workspace ONE Assist to complete a full End User Computing (EUC) suite that can leverage Baselines as a key feature of enrollment, onboarding and compliance:

      FedRAMP Workspace ONE  =  UEM   +  Hub Services  +   Intelligence  +  Access  +   MTD  +  Horizon 

Figure 2: EUC Portfolio Logical View with Product Links

Each of the components, along with the Baselines feature, brings an integrated and secure Zero Trust Architecture solution that is partnered under a CRADA with the National Cybersecurity Center of Excellence (NCCoE ). Together within VMware Anywhere Workspace, this solution builds trust to empower government’s anywhere workforce with secure and frictionless experiences by:

  • Delivering unique integrations enabling tailored experiences and higher productivity for frontline, hybrid, and remote users, across heterogeneous environments including physical and virtual devices and multiple OS’s.
  • Enabling Zero Trust Network Access (ZTNA) with remote support for any device (BYO, 3rd party or VMware-managed) in a true hybrid workforce and provide a Security Operations Center (SOC) / Information & Technology support team the tools and telemetry for Indicator of Compromise (IoC) on mobile.
  • Facilitating flexible deployment options to obtain immediate value for prioritized use cases, so you can scale at your own pace to harness the full potential of an integrated platform.
  • Optimizing security and experience through an integrated approach that combines market-leading technologies essential for hybrid work. This integrated approach provides connected visibility and context, ensuring broader security coverage.

Industry Accolades

For more in-depth details regarding VMware’s most recent industry accolades and reviews, see the following blogs & external links:

Additional Resources

Filter Tags

Workspace ONE Workspace ONE UEM Blog Announcement Overview Win10 and Windows Desktop Zero Trust Public Sector