Cloud-Based VMware Workspace ONE Overview



VMware Workspace™ ONE™ simplifies access to cloud, mobile, and enterprise applications from supported devices. IT administrators can deploy, manage, and secure applications and, at the same time, offer a flexible, bring-your-own-device (BYOD) option for users.


The Quick-Start Tutorial Series for Cloud-Based VMware Workspace ONE helps you evaluate Workspace ONE by offering practical exercises. This overview is the first in the quick-start series. It introduces Workspace ONE and its benefits, features, architecture, and components. Other articles in the tutorial offer hands-on exercises to set up your own proof-of-concept environment.

Important: This tutorial is designed for evaluation purposes only, based on using the minimum required resources for a basic deployment, and does not explore all possible features. This evaluation environment should not be used as a template for deploying a production environment. To deploy a production environment, see the VMware Workspace ONE Documentation.


This tutorial is for prospective IT administrators of Workspace ONE and anyone who uses the product. Familiarity with networking and storage in a virtual environment, Active Directory, identity management, and directory services is assumed. Knowledge of VMware Workspace ONE® UEM (unified endpoint management, formerly VMware AirWatch), VMware Identity Manager™, and VMware Horizon® 7 is also helpful.

Packaging and Licensing

All Workspace ONE editions are licensed on a per-named-user basis and available as an annual cloud subscription or a perpetual on-premises license.

For more information, see VMware Workspace ONE in the VMware Workspace ONE and VMware Horizon Packaging and Licensing guide.


This section provides a description of the core features and capabilities of Workspace ONE. In subsequent articles of this Quick-Start Tutorial, you will walk through some of these features.

About Unified Endpoint Management

IT can use mobile OS management interfaces to preconfigure laptops, smartphones, and tablets. Workspace ONE UEM device management uses enterprise mobile management APIs to provision, configure, and secure applications and devices. This level of control allows IT to adopt a flexible BYOD program by giving users device choice while securing data.


Device enrollment establishes the initial communication with Workspace ONE UEM to enable Enterprise Mobility Management (EMM).

Device Profiles

Device profiles allow you to modify the behavior of enrolled devices. Combined with compliance policies, they help you enforce corporate rules and procedures.

Create Workspace ONE UEM device profiles based on criteria such as users, groups, platforms, and OS, and assign profiles to smart groups.

Data Loss Prevention

You can prevent data leakage in a number of ways. Examples of data leakage include saving work documents to public storage, such as Dropbox, or receiving work emails in an unmanaged email client. You can encrypt email attachments and restrict how the files are edited and shared. You can require using corporate-approved applications instead of native applications. For secure browsing, you can enable access to intranet sites to ensure that the sites are opened only in approved browsers. However, these precautions might be insufficient for your security needs.

Directory Integration

Configure Workspace ONE to use an existing directory infrastructure, such as Active Directory or other LDAP-based directory, for user synchronization, authentication, and application access.

Software Distribution

Workspace ONE also enables you to automatically install, update, and remove software packages, which simplifies software distribution. Use Workspace ONE to configure packages that install based on conditions (such as network status or defined schedules), deploy software updates automatically, and notify users when updates occur.

Getting Started Wizard

The Getting Started Wizard serves as a checklist that walks through key configurations in the Workspace ONE UEM Console, step by step. The wizard is divided into four modules: Workspace ONE, Device, Content, and Application. Each module contains steps to accomplish specific end goals. As some modules share steps, the wizard tracks progress across all four modules to ensure the same step never has to be completed twice.

About Application Management

Workspace ONE provides users access to cloud, mobile, and Windows applications using a unified application catalog. The application catalog contains applications published to VMware Identity Manager and Workspace ONE UEM. Supported application types include internal web, SaaS, native mobile, internally developed mobile, legacy and modern Windows, VMware Horizon® 7, VMware Horizon Cloud Service™, Citrix published, and VMware ThinApp®. The catalog also supports virtualized desktops.

Native Workspace ONE Catalog

Users install the Workspace ONE application on a mobile device and, using corporate credentials, get SSO access to corporate, cloud, and mobile applications. The Workspace ONE application uses native OS capabilities to protect application access, such as biometric fingerprint readers on Android, Touch ID on iOS, and Windows Hello on Windows 10.

Mobile SSO

Mobile SSO with Workspace ONE establishes trust between the user, device, application, and enterprise, enabling one-touch login to mobile applications. To protect more sensitive applications, you can enable biometric or other multifactor authentication methods. Mobile SSO is available for Android, iOS, and Windows 10 devices.

VMware Verify

Workspace ONE, integrated with the mobile application VMware Verify™, provides strong, multifactor authentication that simplifies access across devices. When a user attempts to access the Workspace ONE application store, or any application requiring strong authentication, VMware Verify sends a notification to the user’s mobile phone.

Conditional Access with Device Compliance

Workspace ONE allows you to configure network, platform, and application-specific criteria for authentication. A device must prove compliance with security rules before access to an application is authorized. Compliance rules protect against rooted or jailbroken devices, and you can use them to whitelist and blacklist applications.

Adaptive Management

With adaptive management, users are not required to enroll their device into Workspace ONE UEM to access applications that require only a basic level of security. Instead, users download the Workspace ONE mobile application from the appropriate app store, and log in with their corporate credentials. From here, they can access their authorized applications. However, to access applications that require a higher level of security, you can require users to enroll their devices.

Based on the device profile assigned, the Catalog displays all entitled applications, including mobile applications, SaaS applications, and Horizon 7-based virtual applications and desktops. Applications that require enrollment are indicated with a lock icon. When the user tries to download an application with a lock icon, the enrollment process is triggered. For example, users can download a conferencing application, such as WebEx, without enrollment. But they are prompted to enroll when they try to download an enterprise application, such as Salesforce.

Product Interoperability

A Workspace ONE implementation can interoperate with other identity providers, like Ping, Okta, and Microsoft Azure, through integration with VMware Identity Manager and still present a common catalog interface for all applications.

For more information, see the VMware Workspace ONE Documentation.

Components and Architecture

This section provides a description of each component of Workspace ONE, as well as an overview of the architecture so you can see how the components relate to each other.


Workspace ONE services are built on the integration of VMware Workspace ONE UEM, VMware Identity Manager, and VMware Horizon.

You can deploy Workspace ONE in many different configurations including:

  • On-premises deployments of VMware Identity Manager and Workspace ONE UEM
  • Cloud-based deployments of VMware Identity Manager and Workspace ONE UEM
  • Hybrid deployments with different components available either on-premises or in the cloud

This guide describes how to build a proof-of-concept for a cloud-based deployment of VMware Identity Manager and Workspace ONE UEM.


Workspace ONE consists of a number of key components that work together to provide the product's capabilities.

| Component | Function |
| --- | --- |
| VMware Workspace ONE® UEM | Enterprise mobility management |
| VMware Identity Manager | Identity platform |
| VMware Workspace ONE® Intelligence™ | Integrated insights, app analytics, and automation |
| Workspace ONE app | End-user access to apps |
| VMware Horizon | Virtual desktops and Remote Desktop Services (RDS) published applications delivered either through Horizon Cloud or VMware Horizon® 7 |
| VMware Workspace ONE® Boxer | Secure email client |
| VMware Workspace ONE® Browser | Secure web browser |
| VMware Workspace ONE® Content | Mobile content repository |
| VMware Workspace ONE® Tunnel | Secure method for individual applications to access corporate resources |
| VMware AirWatch Cloud Connector | Directory sync with enterprise directories |
| VMware Identity Manager Connector | Directory sync with enterprise directories; sync to Horizon resources |
| VMware Unified Access Gateway | Gateway that provides secure edge services |
| VMware Workspace ONE® Secure Email Gateway | Email proxy server |
| Certificate Authority Integration | Lifecycle management of provisioned certificates |
| VMware Email Notification Service | Email notifications for VMware Boxer on iOS |


The preceding components work together to provide the functionality of Workspace ONE. A basic Workspace ONE configuration consists of VMware Identity Manager and Workspace ONE UEM (formerly VMware AirWatch). VMware Enterprise Systems Connector securely transmits requests from Workspace ONE UEM to the back-end infrastructure. Administrators define user groups, policy settings, and device configurations. Users access Workspace ONE and their applications based on the defined settings and configurations.

Figure: Major Components of a Workspace ONE Deployment with Network Ports


Network Considerations

Workspace ONE UEM leverages the existing enterprise network infrastructure to provide its own high availability, redundancy, and scalability for the applications and desktops that it provides to end users. Local load balancing is incorporated on the front end of the SaaS environment. Core network security infrastructure includes redundant Ethernet switches, LAN segregation, firewalls, intrusion detection, and monitoring.

Redundant, high-volume firewalls are located between the Internet and the VMware AirWatch environment. An intrusion detection system (IDS) monitors all internal network traffic, logs suspicious activity, and issues alerts when suspicious network activity is detected.

Security Considerations

Workspace ONE UEM takes a multilayered approach to data center security. Primary data centers are maintained with onsite backups for quick recovery and replicated offsite backups for disaster recovery.

Production systems are hosted at two primary data centers, with cross replication of nightly backups to support performance, growth, and security challenges.

Workspace ONE UEM implements security by:

  • Isolating all Workspace ONE UEM web servers using a demilitarized zone (DMZ)
  • Using antivirus clients to protect all servers
  • Providing spam filtering and spam reporting for email

Administrators control Workspace ONE UEM from an HTML5 web-based management console. Workspace ONE UEM encrypts all data transmitted between the web console and mobile devices.

Cloud-based Workspace ONE components are automatically upgraded and patched, ensuring that your environment meets the latest security standards.