Planning Your Windows 10 Deployment: VMware Workspace ONE Operational Tutorial

Overview

Introduction

VMware Workspace ONE™ UEM (unified endpoint management), powered by VMware AirWatch®, includes capabilities for Windows 10 that introduce smarter ways to deploy, control, and manage an organization’s PC fleet.

Traditional approaches use multiple administrative tools to manage the PC life cycle, including separate tools for staging and imaging, for maintaining drivers, for managing OS updates, for configuring firewall, antivirus, and encryption policies, and more. In contrast, Workspace ONE UEM unifies enterprise mobility management in a single administrative console.

The release of Windows 10 introduced fundamental changes to the Windows operating system to address the security and data concerns of today's digital workspace. To take advantage of Workspace ONE UEM capabilities, you can fold the Windows 10 functionality into an existing VMware management solution. Combining traditional client requirements with modern enterprise management capabilities creates a simplified, cost-effective management solution.

This Planning Your Windows 10 Deployment: VMware Workspace ONE Operational Tutorial provides you with practical information to help you plan your Windows ONE UEM management solution to address the unique circumstances of your use cases.

Purpose

This operational tutorial provides you with discussions and  exercises to help with your existing VMware Workspace ONE® production environment. VMware provides operational tutorials to help you with

  • Common procedures or best practices
  • Complex manual procedures
  • Troubleshooting

Note: Before you begin any operational tutorial, you must first deploy a production environment. For information about deployment, see the VMware Workspace ONE Documentation.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM (unified endpoint management), powered by VMware AirWatch, is also helpful.

Meeting Windows 10 Security Priorities

Introduction

You can use Workspace ONE UEM to establish user trust, assess the device posture, enforce conditional access, and enable data loss prevention.

Security concerns include user trust, access, data loss, and more.

Figure: Security Priorities for the Modern Digital Workspace

Meeting Windows 10 Security Priorities with Workspace ONE

You can use Workspace ONE UEM to meet Windows 10 security priorities such as user trust, device posture, conditional access, prevention of data loss, and more.

User Trust

Workspace ONE UEM uses new identity features to establish user trust. These features include two-factor authentication, which requires that an enrolled, managed, and compliant device meet two forms of authentication.

To fulfill the first half of two-factor authentication, the device must be onboarded, a process of enrolling devices into Workspace ONE UEM for management in the Workspace ONE UEM Console (the Console).

For the second authentication factor, users with Microsoft Azure AD can use Windows Hello capabilities like biometric access and PIN authentication. Workspace ONE UEM enforces the PIN strength requirements and can allow or disable the biometric feature for end users' devices. Workspace ONE UEM also integrates with Windows Hello for biometric authentication while providing certificate authentication (or another authentication type) into the apps and corporate resources, thus providing a layered authentication model for added security.

Device Posture

Workspace ONE UEM assesses device posture by evaluating, locally enforcing, and remediating devices using the compliance engine, a Workspace ONE UEM tool that ensures that all devices abide by specified policies. A policy can include basic security settings or more critical security configurations.

The compliance engine detects non-compliant devices and sends end users a warning. If the end user addresses the issue after the warning, no further action is taken. If the end user fails to correct the issue in the specified time-frame, it escalates, and disciplinary actions occur. Use the Workspace ONE UEM Console to specify the escalation steps, disciplinary actions, grace periods, and messages. For example, the following figure demonstrates a tiered approach to compliance. With each security action, an end user’s non-response escalates the risk level.

Figure: Tiered Risk Escalations and Compliance Actions

Data Loss Prevention

Windows Information Protection, formerly known as Enterprise Data Protection, maintains end-user privacy and corporate security without sacrificing usability. This functionality applies across Windows 10 device use cases. It provides granular controls for defining trusted applications, trusted enterprise boundaries, and the enforcement level of various policies. Windows Information Protection encrypts all corporate data at the file level and decrypts only when accessed by a privileged application. An enterprise wipe removes all corporate data from the device.

Privileged Applications

In addition to delivering managed applications to devices through enrollment, Windows 10 can also place device apps that were not pushed through Workspace ONE UEM Mobile Device Management into a managed state when you designate them as privileged applications.

The updated Windows 10 SDK enables application developers to handle personal and corporate data on privileged applications, creating enlightened apps. For all options, administrators can set a policy that prevents an application from sharing corporate data to a personal app, site, or repository.

Per-App VPN

Per-App VPN prevents Windows 10 applications from gaining unauthorized access to internal or public endpoints. Its client-side micro-segmentation capabilities define which IP addresses, ports, and IP protocols Windows 10 applications can access.

You can also use privileged applications to simplify per-app VPN configurations. Depending on the needs of the organization, use one or both of the following options:

  • Every privileged application can have a unique VPN configuration.
  • All privileged applications can use the same VPN configuration.

The Workspace ONE UEM simplified approach to PC management promotes security. You can control and secure devices for end users with security profiles, compliance settings, and device restrictions. You can minimize the risk of data loss by restricting internal resources to managed devices that meet company-defined compliance polices.

Enterprise Boundaries

Enterprise boundaries on Windows 10 use specified IP ranges or domains to identify and encrypt work data downloaded to a device. The downloaded files are encrypted and can be opened only with a privileged application. For example, if the domain air-watch.com is specified as a protected network, data downloaded from sharepoint.air-watch.com can only be accessed by the privileged applications on that device.

Levels of Protection

You can configure varying levels of protection for user groups to address organizational demands and device use cases. Protection levels include:

  • Block - Corporate data can be accessed only from privileged applications.
  • Override - If a user attempts to access corporate data with a non-privileged application, a warning prompt appears. A user can choose to complete the action, but the action is logged in an audit log.
  • Audit - A user can access corporate data with a non-privileged application, but the action is logged in an audit log.
  • Off - Windows Information Protection is disabled.

Sharing Data to the Cloud

Windows Information Protection operates on a device level. However, if data is transferred to a file share or cloud repository, Windows Information Protection cannot guarantee data protection. Instead, shared data requires integration with a rights management service (RMS), such as Azure Information Protection (formerly Azure RMS), for protection. An RMS ensures that data copied from a managed device to a file share or internal cloud repository is encrypted prior to transfer and only other managed devices can access it. Thus, while Windows Information Protection protects data on the device, the RMS protects data shared in the cloud or to other internal systems.

Third-party cloud-based applications, such as Dropbox, cannot access corporate files unless designated as a privileged app. However, if the application is marked as privileged, corporate data can be synced to the respective clouds.

Determining Your Use Cases

Introduction

VMware Workspace ONE UEM modernizes Windows management and security across any use case. This section explores a variety of use cases and how you can use Workspace ONE UEM to manage them.

Understanding Windows 10 Use Cases

Most use cases for a Windows 10 deployment fall into one of three areas: employee-owned machines, remote-worker devices, and corporate branch office deployments. This tutorial addresses the required components and recommended configurations for the most common Windows 10 use cases.

Common Windows 10 Device Use Cases
Type of Device Use Case Name Primary End User EMM Priority Domain Joined APP Footprint SCCM Managed
Employee-Owned Machines BYOD Varied User privacy No Light No
Remote Employee Devices Remote Mobile Enablement Maybe Light No
Corporate Office Devices Enterprise Static Security Yes Heavy Maybe

Configuration requirements and recommendations vary by use case. Where applicable, the following sections specify which use cases a particular configuration applies to.

 

Selecting an Onboarding Workflow

Introduction

Workspace ONE UEM supports a variety of onboarding workflows that address multiple use cases. The onboarding method impacts other configuration decisions, and therefore is an important starting point when planning a Workspace ONE UEM deployment.

See Selecting an Onboarding Workflow for a decision tree to help you identify the enrollment flows that best suit your organization. You can read descriptions of those enrollment flows to learn more.

Selecting an Onboarding Workflow

The following figure provides information about each workflow and a decision tree to help you choose the best workflow for your use case.

Examine the tree to determine which enrollment flows best suit your organization. Then refer to the descriptions of the enrollment flows in following sections, to learn more.

Figure: Windows 10 Onboarding Decision Tree

Understanding Enrollment Options

Workspace ONE UEM supports a variety of device onboarding workflows that address multiple use cases.

Onboarding is a client-side workflow that does not occur until after the entire Workspace ONE UEM solution has been configured, tested, and deployed. However, because the onboarding method impacts other configuration decisions, it is an important starting point when planning a Workspace ONE UEM deployment.

The following table lists some recommended onboarding workflows by use case. Workspace ONE UEM can support any Windows 10 onboarding workflow for any use case, as long as the prerequisites are met. Many requirements are driven by the operating system.

Onboarding Requirements by Use Case
Onboarding Method BYOD Remote Enterprise Requirements
Agent-Based Enrollment R S S
  • Admin privileges for the end user
Azure Enrollment

- Out-of-Box Experience (OOBE)

- Autopilot

- Microsoft Azure Active Directory Join

- Microsoft Azure Connect
S R R
  • Microsoft Azure Active Directory Premium license
  • Admin privileges for the end user
  • Autopilot does not require end user to have admin privileges
Scripted Enrollment

- Workspace ONE AirLift (SCCM)

- Staged Provisioning (Admin)

- Deployed via Logon Script (GPO)
  R R
  • Most cases end user does not need admin privileges
  • When devices are not domain joined, admin must prepopulate device serial number in Workspace ONE UEM Console or we will prompt for end user’s username and password
Dell provisioning

- Microsoft Azure Active Directory Join with/without Premium License

- Domain Join

- Workgroup
  R R
  • Dell Provisioning Services
  • Access to corporate domain on first boot for Domain Joining
Runtime provisioning S S S
  • Admin privileges for the end user
  • Prepopulate serial number in Workspace ONE UEM Console
Native Work Access S S S
  • Admin privileges for the end user
  • Only recommended for devices which do not support installing desktop apps e.g. Surface Hub and Windows S
Key:
R - Recommended
S - Supported
     

See Microsoft mobile device enrollment for requirements and up-to-date information about onboarding scenarios that are not supported. For more information about each workflow and a decision tree to help choose the best workflow for your use case, see Selecting an Onboarding Workflow.

Agent-Based Enrollment

The agent-based enrollment method now uses VMware Workspace ONE Intelligent Hub (formerly known as AWAgent). The primary use case for agent-based enrollment is existing company-owned or BYOD devices that the end user self-onboards. The workflow is similar to the standard onboarding workflows for iOS and Android devices.

Microsoft Azure Active Directory Enrollment Workflows

Workspace ONE UEM integrates with Azure AD, providing a robust selection of onboarding workflows that apply to a wide range of Windows 10 use cases. However, Azure licensing requirements stipulate that you must purchase an additional Azure AD Premium license to complete this integration.

Enterprises that are leveraging Azure AD typically use one of the onboarding options described below.

Out-of-Box Experience and Autopilot

Primarily used for new company-owned devices that are not domain joined, this enrollment workflow is triggered the first time an end user powers on a device. The user joins the device to the Azure cloud domain as part of the initial setup process. This workflow does not require end users to have admin privileges. If you are leveraging Autopilot, end-user configuration is simplified and streamlined, but it requires having your devices’ OEM preregister these devices with Microsoft.

Microsoft Azure AD Join and Connect

This enrollment workflow is triggered from the device settings. Also referred to as cloud-domain join, this workflow is typically used for existing company-owned devices that are not already joined to an on-premises domain. End users must have admin privileges and will use their corporate credentials to join the device to the Azure cloud domain or connect to the Azure cloud domain.

Scripted Enrollment Workflows

Staged Provisioning

This workflow is primarily used for new company-owned, domain-joined devices that the IT admin enrolls and then ships to the end user. This workflow is also broadly used for onboarding existing devices via scripted enrollment using install parameters to assign the device to the currently logged in user on the device (domain joined), re-assigning the device based on serial number registration, or simply to ask the end user for their credentials to complete enrollment.

Workspace ONE AirLift for SCCM Managed Devices

Much like the other scripted enrollment methods, Workspace ONE AirLift simplifies automating the building of the required enrollment app and can optionally deploy this enrollment app to your SCCM managed devices via SCCM collections. For more info please watch the Workspace ONE AirLift Technical Overview video.

Group Policy

For domain-joined PCs, IT admins can leverage the domain (Group Policy Logon Scripts) to publish the Workspace ONE Intelligent Hub to end users for a seamless onboarding experience. This flow requires admin privileges. This method is primarily used for company-owned existing devices on the domain where IT provisions the Workspace ONE Intelligent Hub.

Dell Provisioning

In partnership with Dell Configuration Services, Workspace ONE UEM supports creating provisioning packages to install applications and configurations on your Dell Windows 10 devices before they leave the factory. To use Dell Provisioning for VMware Workspace ONE, you must participate in Dell Configuration Services. For more information, see Configuration Services.

When using Dell Provisioning, the following onboarding methods are supportable:

  • Azure AD Joining with Premium licenses
  • Azure AD Joining without Premium licenses
  • On-premises Domain Joining
  • Workgroup devices

Additional Enrollment Workflows

Runtime Provisioning

This workflow is primarily used for new, company-owned devices as an alternative to imaging. Runtime provisioning is an efficient way to set up a large number of devices for Workspace ONE UEM onboarding without imaging or re-imaging the devices Leveraging a runtime provisioning package (PPKG).

Native Work Access

This method is primarily used for company-owned, new or pre-existing devices on which the end user self-onboards. Similar to standard iOS and Android onboarding workflows. Agent-based enrollment is preferred over Native Work Access, especially if network bandwidth is a concern.

Configuring Workspace ONE Profiles

Introduction

Profiles provide the primary mechanism for managing devices. A profile consists of settings, configurations, and restrictions. When combined with compliance policies, the profile enforces corporate rules and procedures. To create a profile, you first specify the General settings and then configure a payload. General settings determine how the profile is deployed and who receives it. The payload settings apply to the device when the profile is installed. For optimal device and console management, configure one payload per profile.

Understanding General Settings

To create a profile, you first specify the General settings and then configure a payload. General settings determine how the profile is deployed and who receives it. The General settings include the following options:

Profile General Settings Table
Setting Description
Name Profile name to display in the Workspace ONE UEM Console.
Version Read only. Version of the profile.
Description Brief description of the profile’s purpose.
Deployment If set to Managed, the profile is automatically removed if the device is unenrolled. If set to Manual, the user must manually remove the profile after the device is unenrolled.
Assignment Type Specify how the profile is to be deployed to devices.
  • Auto – The profile is deployed to all devices automatically.
  • Optional – An end user can install the profile from the Self-Service Portal, or the administrator can choose which individual devices will receive the profile.
End users can also install profiles representing web applications using a Web Clip or Bookmark payload. If you configure the payload to appear in the App Catalog, you can install it from the App Catalog.
  • Compliance – The profile is applied to the device by the compliance engine when users fail to take corrective action to make their device compliant. For more information, search for Compliance Profiles Overview in VMware AirWatch Documentation.
Allow Removal Specify whether the end user can remove the profile.
  • Always – The end user can remove the profile at any time.
  • With Authorization – The end user can remove the profile with the authorization of the administrator. This option adds a Password text box.
  • Never – The end user cannot remove the profile from the device.
Managed By The organization group with administrative access to the profile.
Assigned
Groups
Specify smart groups to configure granular profile assignment. Enter an existing smart group, or click Create a new smart group.

The platform specified in the device profile or compliance policy takes precedence over the smart group’s platform. For example, a Windows Desktop profile is always assigned to Windows Desktops devices, even if the smart group includes other platforms.
Exclusions To exclude selected smart groups from profiles and policies, select Yes.

In the Excluded Groups option that appears, select the groups to exclude from this profile or policy. If you need to create a new group, click the Create Assignment Group button.

If the same group is selected in Assigned Groups and Excluded Groups, you cannot save the profile or policy.
View Device
Assignment
Preview the assigned devices, smart groups, and exclusions.
Additional
Assignment
Criteria
Select Enable Scheduling and install only during selected time periods to configure a time frame in which devices can receive the profile. In the Assigned Schedules text box, enter the name of a configured time schedule.

To configure a time schedule, navigate to Devices > Profiles & Resources > Profiles Settings > Time Schedules > Add Schedule > Add Schedule.
Removal Date Specify a future date formatted as MM/DD/YYYY to schedule the profile’s device-side removal.

Reviewing Windows 10 Payloads

This section reviews the payloads that are the most relevant in a Windows 10 deployment. Use the following table to determine whether the payload is relevant to your device use case. The following payloads are the most relevant in a Windows 10 deployment.

Table: Profile Payload Settings Relevant to Windows 10

Passcode Profile for Windows 10

A passcode payload secures devices by requiring users to enter a passcode to return from an idle state. When configuring a profile for the passcode payload, use existing corporate policies to inform decision-making. Best practice is to balance organizational security requirements with usability. The preconfigured password policies on on-premises domain-joined Windows 10 devices override the Workspace ONE UEM passcode profile. Therefore, the Workspace ONE UEM passcode profile best addresses BYOD and other non-domain-joined device use cases.

Windows 10 Email Profiles

Email profiles enable corporate email access on end-user devices. For Windows 10 devices, the available licensing for Microsoft Office applications determines which email payload to configure.

  • Device does NOT have Microsoft Office license -  Configure Exchange ActiveSync with the native mail client.
  • Device HAS Microsoft Office licenses - Configure Exchange Web Services with the Outlook web client, providing end users a familiar mobile email experience.

Exchange ActiveSync Profile

The Exchange ActiveSync payload enables end users to access corporate email on their devices using the native mail client. When published, this profile relies on the Workspace ONE mobile email management infrastructure to block access to corporate email and requires integration with Secure Email Gateway or PowerShell. For more information, search for VMware AirWatch Mobile Email Management Guide in My Workspace ONE documentation.

Exchange Web Services Profile for Windows 10

The Exchange Web Services payload enables end users to access corporate email on their devices using the Outlook web client. When published, this profile uses granular conditional access policies through Workspace ONE adaptive management to grant or deny access to Outlook and the Microsoft Office suite. Office 2016 supports modern authentication -- that is, Active Directory Authentication Library (ADAL)-based sign-in -- but earlier versions do not. Earlier versions use the source network, user or group, protocols, or user agent or client type to control access.

Credentials Profile for Windows 10

A credentials profile pushes root, intermediate, and client certificates to support Public Key Infrastructure and certificate authentication use cases. The profile pushes configured credentials to the required credentials store on the Windows desktop. The certificate handles authentication into Wi-Fi, VPN, and other corporate endpoints, providing end users with a seamless experience.

To use certificates:

  1. Configure a Credentials payload with a certificate authority.
  2. Configure the Wi-Fi and VPN payloads.
  3. Associate the certificate authority defined in the Credentials payload when configuring the Wi-Fi and VPN payloads.  

Wi-Fi Profile for Windows 10

A Wi-Fi profile auto-connects devices to corporate Wi-Fi, even if the network is hidden, encrypted, or password-protected. This payload is useful to end users who travel and use their own wireless network or are in an office  setting where they can connect their devices to a wireless network onsite.

Restriction Profile for Windows 10

To help prevent data loss, a Restriction profile limits native device functionality. The icon displayed next to some settings on the Restrictions payload window indicates the OS version required to enforce the restriction.

For Windows 10, the Restriction profile limits what end users can configure in the Start > Settings menu. After the restrictions are applied, the option is grayed out in the UI. A notification that organizational policies restrict this setting is shown.

The following screenshot shows an example of a system setting enforced by a Restriction profile.

Figure: Example of a System Setting Enforced by a Restriction Profile

Customize the Restrictions profile to enforce corporate policies and apply appropriate controls to settings. The following table lists some common restrictions options across use cases.

Table: Common Restrictions Settings Across Use Cases

The BYOD recommendations allow end users to control their own device. In comparison, the recommendations for remote and enterprise workers are more restrictive. These restrictions are similar to traditional GPO capabilities, so an easy way to configure this profile for enterprise users is to match the implemented GPO policies. For remote workers, weigh device security against user experience considerations.

You can configure credentials for personal, intermediate, trusted root, trusted publisher, and trusted people certificate stores.

Delivering Software

Introduction

Many issues in PC management arise from the delivery, integration, and support of applications. As end-user demand drives organizations to adopt more applications, these issues only grow in complexity and number. Today’s sophisticated user requires control over apps on both personal and corporate-owned devices. Windows 10 introduces features and tools to simplify application integration and management.

  • Whitelist or Blacklist by File Type (executables, scripts, Windows installers, dynamic-link libraries, packaged apps)
  • Apply Granular Whitelists and Blacklists (file hash, version, publisher, directory)
  • Use Role-Based Controls (enrolled, standard, admin)
  • Provide Advanced Protection (remove unwanted software, enforce software standardization)

Determining a Software Delivery Method

The recommended application delivery methods are based on the device use case. The following table shows the recommendations:

Table: Recommend Application Delivery Methods Based on Device

Delivering Win32 Applications

You can deploy Win32 applications from the Apps & Books section of the Workspace ONE UEM Console and, in doing so, use the application life-cycle flow that exists for all internal applications. This feature is called software distribution. Use software distribution to deliver Win32 applications, track installation statuses, keep application versions current, and delete old applications. To address scripting needs, use product provisioning.

Business Store Portal Integration for Automated Delivery

Microsoft Universal Windows Platform (UWP) applications consist of a single code base that can run on virtually any Windows device. Integrate Workspace ONE UEM with the Microsoft Store for Business portal to deploy UWP applications from the Microsoft Store for Business. Workspace ONE UEM supports integration with online and offline Business Store portal models.

  • Offline licensing - Workspace ONE UEM imports application data files and licenses into the Workspace ONE UEM Console. Workspace ONE UEM can then deliver applications and the associated license files to devices in a model is known as offline licensing. Using this model, any user account type can get apps without signing into the Microsoft Store.
  • Online licensing - The online licensing model requires an Azure AD account and authentication into the Microsoft Store for Business to pull applications from Microsoft. Supporting both licensing models enables all possible options for any use case.

Enabling the Business Store Portal has its own set of requirements and instructions. For more information, search for Windows Store for Business in the VMware AirWatch Mobile Application Management Guide.

Delivering Custom or Complex Files

Product provisioning delivers custom or complex files to managed devices. When a file cannot directly install on devices, package it in the Workspace ONE UEM Console to create a product. Then provision the product to managed devices based on configured conditions and smart group assignment in the Console.

After a product is provisioned, the Console periodically syncs with devices to check for the assigned product. If missing, the Console provisions the product again. In this way, the Console ensures that devices remain up to date.

Because software distribution addresses the majority of Windows 10 file delivery needs, the primary purpose of product provisioning is to address gaps in functionality for remote and enterprise worker use cases.

Managing Windows 10 Updates

Introduction

Deploying Windows 10 fixes, patches, and updates on multiple client servicing plans creates overhead. By using branches, you can create a customized deployment schedule based on preference and update sensitivity. This section explores the available patch management options.

Understanding Patch Management

The Workspace ONE UEM update service for Windows 10 provides tailored functionality to address the unique constraints of mobility and the cloud. Traditional operating system upgrades use a wipe-and-replace model. In contrast, the update-as-a-service model pushes periodic operating system and feature updates. Windows 10 updates occur on a frequent and dynamic basis to ensure that end users always have access to up-to-date operating system features.

Windows 10 Patch Management Options

Deploying Windows 10 fixes, patches, and updates on a variety of client servicing plans creates overhead. By using branches, you can create a customized deployment schedule based on preference and update sensitivity.

Figure: Windows 10 Patch Management Options

Review the following descriptions to understand the available patch management options.

Update Branch Description Feature Updates Quality Updates Use Case
Windows Insider Build - Fast Among the first to receive development builds from Microsoft; ability to provide direct feedback to Microsoft Not supported Not supported Used to provide feedback to Microsoft before builds are moved to slow ring
Windows Insider Build - Slow More stable than fast ring and includes fixed reported during fast ring Not supported Not supported Used to provide feedback to Microsoft before builds are moved to release ring
Release Windows Insider Build Close to public release but still early access, not on the development branch Not supported Not supported Used to provide feedback to Microsoft before builds are moved to public builds; IT pros and other interested employees
Semi-Annual Channel (Targeted) Semi-Annual Channel Not supported Not supported Pilot deployments used for testing feature updates and for users such as developers. Use various teams for a wide sample set.
Semi-Annual Channel Semi-Annual Channel 0-180 days 0-30 days Board deployment of features, you can choose from the ranges to build your distribution rings across organization

Summary and Additional Resources

Conclusion

This tutorial introduces you to how Workspace ONE UEM manages Windows 10 through a product discussion and exploration of concepts.

The use cases show how to configure Workspace ONE UEM to manage and deploy Windows 10 devices in your organization. Optimal management starts with selecting the onboarding method that best fits your particular use cases, to creating configuration changes on the device to leverage enterprise mobility management and legacy management technologies within the same platform.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

Term Description
adaptive access The ability to control access and authentication methods to sensitive apps based on a device’s managed status.
additive Includes only changes developed after the latest version of the application or the last additive patch.
app dependencies Applications required by the environment and devices to run the Win32 application.
app patches Files that apply additive or cumulative fixes, updates, or new features to applications.
app transforms Files that control application installation and can add or prevent components, configurations, and processes during the process.
app uninstall process Scripts that instruct the system to uninstall an application under specific circumstances.
application store A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
BitLocker Full disk encryption available for Windows, focused on addressing data leakage or data theft scenarios from stolen, lost, or incorrectly decommissioned devices.
bring your own device (BYOD) The process of providing secure access to corporate data, apps, and content on an employee-owned device without invading employee privacy to their personal data, apps, or content.
business mobility The concept of being able to provide secure access to your business services, infrastructure, and content to enable your workforce to work remotely.
catalog A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud Asset of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
conditional access To provision access to a resource or service, based on user entitlements or roles.
container The separation of corporate and personal data on employee-owned devices, allowing IT administrators to manage corporate applications and profiles without invading employee privacy or personal apps and content.
cumulative Includes the entire application, including any changes since the latest version of the application, or the last patches.
data leakage protection Software-controlled policies that determine how and where data can be transferred or shared to.
device enrollment The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
Device Health Attestation Module that gathers device health measurements and reports these measurements to the Health Attestation Service for evaluation.
enrollment The process of allowing your device to be managed by the software-defined policies of the chosen enterprise mobility management provider.
enterprise mobility management The concept of using software and policies to both secure and provide access controls for mobile devices.
files and actions The combination of the files delivered to a device and the actions that file performs on the device. Files and actions cannot be assigned directly to a device. Instead, assign files and actions to a product, which then provisions to devices.
Health Attestation Services Cloud service that evaluates health measurements from the device to determine the health state.
identity-as-a-service Identity and access management services through the cloud to provide SSO identity federation and user-access provisioning.
identity provider (IdP) A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile application management The concept of managing access, deployment, and restrictions of mobile applications using software and services.
mobile device management
(MDM) agent
The concept of managing mobile devices using software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
multi-factor authentication Access control process that requires users to authenticate using more than one method of authentication by providing something the user knows (a password) and something the user has, such as a hardware token, smartcard, or phone, or something the user is, such as a fingerprint or retina.
one-touch login A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
per-app VPN Policies that allow individual apps to access VPN configurations without granting device-wide access to the VPN connection.
public app stores Portals where users can access and obtain publically published applications, such as the iOS App Store and Google Play Store.
service provider (SP) A host that offers resources, tools, and applications to users and devices.
smart groups Groups that control which devices get which product, based on how the group is created.
step-up authentication Restricting applications or services to require a stronger authentication method, depending on the sensitivity or severity of the resource.
unified endpoint management A single platform that allows organizations to manage and secure every endpoint, any app, and content across deployment use cases.
virtual desktop The user interface of a virtual machine that is made available to an end user.
virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.
Windows Information Protection Formerly Enterprise Data Protection (EDP), a Windows solution to assist in preventing data leakage without impeding the user experience.

Additional Resources

Searching for More Information

When looking for more VMware documentation, you can focus the search using the Advanced Search option.

  1. In the VMware Workspace ONE Documentation window, select the gear icon to start an advanced search.
  2. Enter words or phrases to start the search.
    Example: To search for an article that you think is called Compliance Profile Overview, you might include just the key words, in case the article now has a different name.
  3. Narrow the results by selecting specific criteria.
    Example: The search is limited to the specific product and version.
  4. Click Advanced Search.
  5. In the resulting hit list, you can select a hit. Or you can either apply Sort By filters, or narrow the results further by clicking Advanced Search.

About the Authors

This tutorial written by Josué Negrón, Sr. Solutions Architect, End-User-Computing Technical Marketing, VMware, and Hannah Jernigan, Technical Writer, End-User-Computing Technical Marketing, VMware, with appreciation and acknowledgment for considerable contributions from the following subject matter experts:

  • Varun Murthy, Product Line Manager, VMware
  • Nigitha Alugubelli, Sr. Product Manager, VMware
  • Jason Roszak, Director Product Management, VMware
  • Darren Weatherly, Specialist Systems Engineer, VMware
  • Robert Terakedis, Sr. Technical Marketing Manager, EUC Technical Marketing, VMware
  • Aditya Kunduri, Sr. Product Marketing Manager, EUC Mobile Marketing, VMware
  • Ajay Padmakumar, VMware alumni
  • Pedro Bravo, VMware alumni

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.