You might have seen that we just announced that we’re renaming VMware Identity Manager to Workspace ONE Access. Before you roll your eyes due to another vendor product name change, I’d like to explain why we did this, and why I think it’s a good thing.
The TL;DR version is simple: VMware Identity Manager has evolved substantially over the years, and today it does much more than identity management. In fact, you could almost argue that “identity management” is the one thing it doesn’t do! So we’re just updating the name to Workspace ONE Access to reflect what it actually does today. This is just a name change. Nothing about the product, or our strategy or direction, is changing.
What is (was?) VMware Identity Manager?
VMware Identity Manager / Workspace ONE Access is not a separate product you buy; rather, it’s a component of Workspace ONE. It sits behind your primary identity provider(s) and acts as a broker into your Workspace ONE EUC platform. It can be installed on premises (via a virtual appliance) or delivered via SaaS (with an on-prem connector). Most people today use the SaaS version, and the SaaS version has more features than the on-prem version.
Identity Manager handles lots of things, including risk-based conditional access, single sign-on, the unified app & resource catalog, automation based on device or user compliance state changes, the connector for VMware cloud services that power things like the Workspace ONE Intelligent Hub and Workspace ONE Intelligence, and integrations with other components like Trust Network, NSX, and SD-WAN.
Looking at the list of things that VMware Identity Manager does, you probably notice what it doesn’t do. It’s not an identity provider, it doesn’t do identity lifecycle management, and it doesn’t do identity governance. All those functions are handled by your primary identity provider(s), which are typically Active Directory / Azure Active Directory, Okta, Ping, or some other IDP/IDaaS solution.
So, based on that, it’s actually pretty misleading to call the product VMware Identity Manager in 2019!
Fine, but why Workspace ONE “Access”?
If you look at the list of things that Identity Manager (err, Workspace ONE Access) does, you’ll see they’re all related to securely providing users continuous access to their apps and data, regardless of the type of device they’re using or where they’re connecting from.
Think about it. In today’s world, you have many different versions of the same app for different platforms. (e.g. Excel for Windows, Excel for macOS, Excel for iOS, Excel for Android, and the Excel web app.) You build access rules for which users can access which versions of an app and the conditions that need to be met to access certain types of content. (e.g. you can use Excel for iOS to access local content on an iPhone that’s compliant, you get a Horizon-delivered remote Windows version of Excel for non-compliant devices, you can’t access certain spreadsheets if your user risk score is too high, etc.) Really you could argue the whole point of Workspace ONE is providing and managing who can get access to what based on many factors like their device, location, how they authenticated, intelligence and risk signals, etc.
VMware Identity Manager / Workspace ONE Access is the component in the background that knows and tracks and brokers all that, and it helps the users access what they need when they should be able to while ensuring they don’t have access when they shouldn’t. (This is kind of the whole point of the zero trust model.) So everything in there is about “access.”
The final thing I’ll say about the name change—and this is my personal favorite thing about it—is that it removes the word “Identity Manager” when I’m drawing the Workspace ONE story on a customer’s white board.
Anyone who’s been in this industry a while knows why this is important. Remember back in the day when we started adding SSL-VPNs to provide simplified remote access to our desktop virtualization solutions? When you mentioned that to a customer (who was typically a desktop architect), they’d say something like, “Oh shoot! You want to bring in a VPN? Well, heck, I need to get the security and networking teams in here because they do the VPNs.” And then BOOM! You’ve just added six months to the project.
The same is true today with VMware Workspace ONE. When I visit a customer and draw a component on the white board called “Identity Manager”, they immediately think, “Oh, I need to bring our security people into this conversation,” and then the security people say, “We already use AAD/ADFS/Ping/Okta/whatever and we like it, so why are you trying to sell me another one?” It just slows down the whole conversation and gets people worked up when they don’t need to be, since we’re not trying to replace the existing identity provider which they already love.
But if instead I can say, “Ok, and this component of Workspace ONE is called ‘Access’. It’s an on-prem connector that sits behind your primary IDP and brokers the identities into Workspace ONE, and it provides the SSO, conditional access policies, app catalog, and threads intelligence risk scoring into everything the user does,” people just nod approvingly, and the conversation continues.
So, for all these reasons, I’m actually happy about this name change. It’s a more appropriate name and will be less confusing in the long run. Yay!