Tutorial 1 - 11 min activityCloud-Based VMware Workspace ONE Overview
Tutorial 2 - 15 min activityInstallation and Setup
Tutorial 3 - 21 min activityInitial Configuration
Tutorial 4 - 30 min activityConfiguring Mobile Single Sign-On for iOS
Tutorial 5 - 12 min activityConfiguring Adaptive Management for iOS
Tutorial 6 - 22 min activityManaging Windows 10 Devices
Tutorial 7 - 20 min activityManaging Bring-Your-Own Android Devices
Tutorial 8 - 11 min activityManaging Android Devices
Tutorial 9 - 16 min activityManaging Chrome OS Devices
Tutorial 10 - 38 min activityManaging macOS Devices
Tutorial 11 - 22 min activityConfiguring Mobile Flows
Tutorial 12 - 42 min activityImplementing Workspace ONE Intelligence
Tutorial 13 - 23 min activityConfiguring Workspace ONE Tunnel
Tutorial 14 - 5 min activitySummary and Next Steps
Cloud-Based VMware Workspace ONE Overview
Cloud-Based VMware Workspace ONE Overview
The Quick-Start Tutorial Series for Cloud-Based VMware Workspace ONE helps you evaluate Workspace ONE by offering practical exercises. This overview is first in the quick-start series. It introduces Workspace ONE and its benefits, features, architecture, and components. Other articles in the tutorial offer hands-on exercises to set up your own proof-of-concept environment.
Important: This tutorial is designed for evaluation purposes only, based on using the minimum required resources for a basic deployment, and does not explore all possible features. This evaluation environment should not be used as a template for deploying a production environment. To deploy a production environment, see the VMware Workspace ONE Documentation.
This tutorial is for prospective IT administrators of Workspace ONE and anyone who uses the product. Familiarity with networking and storage in a virtual environment, Active Directory, identity management, and directory services is assumed. Knowledge of VMware Workspace ONE® UEM (unified endpoint management), formerly VMware Airwatch, VMware Identity Manager™, and VMware Horizon® 7 is also helpful.
Packaging and Licensing
All Workspace ONE editions are licensed on a per-named-user basis and available as an annual cloud subscription or a perpetual on-premises license.
For more information, see VMware Workspace ONE in the VMware Workspace ONE and VMware Horizon Packaging and Licensing guide.
This section provides a description of the core features and capabilities of Workspace ONE. In subsequent articles of this Quick-Start Tutorial, you will walk through some of these features.
About Unified Endpoint Management
IT can use mobile OS management interfaces to preconfigure laptops, smartphones, and tablets. Workspace ONE UEM device management uses enterprise mobile management APIs to provision, configure, and secure applications and devices. This level of control allows IT to adopt a flexible BYOD program by giving users device choice while securing data.
Device enrollment establishes the initial communication with Workspace ONE UEM to enable Enterprise Mobility Management (EMM).
Device Profiles allow you to modify behavior of enrolled devices. Device profiles, combined with compliance policies, help you to enforce corporate rules and procedures.
Create Workspace ONE UEM device profiles based on criteria such as users, groups, platforms, and OS, and assign profiles to smart groups.
Data Loss Prevention
You can prevent data leakage in a number of ways. Examples of data leakage include saving work documents to public storage, such as Dropbox, or receiving work emails in an unmanaged email client. You can encrypt email attachments and restrict how the files are edited and shared. You can require using corporate-approved applications instead of native applications. For secure browsing, you can enable access to intranet sites to ensure that the sites are opened only in approved browsers. However, these precautions might be insufficient for your security needs.
Configure Workspace ONE to use an existing directory infrastructure, such as Active Directory or other LDAP-based directory, for user synchronization, authentication, and application access.
Workspace ONE also enables you to automatically install, update, and remove software packages - simplifying software distribution. Use Workspace ONE to configure packages that install based on conditions (such as network status or defined schedules), deploy software updates automatically, and notify users when updates occur.
Getting Started Wizard
The Getting Started Wizard serves as a checklist that walks through key configurations in the Workspace ONE UEM Console, step by step. The wizard is divided into four modules: Workspace ONE, Device, Content, and Application. Each module contains steps to accomplish specific end goals. As some modules share steps, the wizard tracks progress across all four modules to ensure the same step never has to be completed twice.
About Application Management
Workspace ONE provides users access to cloud, mobile, and Windows applications using a unified application catalog. The application catalog contains applications published to VMware Identity Manager and Workspace ONE UEM. Supported application types include internal web, SaaS, native mobile, internally developed mobile, legacy and modern Windows, VMware Horizon® 7, VMware Horizon Cloud Service™, Citrix published, and VMware ThinApp®. The catalog also supports virtualized desktops.
Native Workspace ONE Catalog
Users install the Workspace ONE application on a mobile device and, using corporate credentials, get SSO access to corporate, cloud, and mobile applications. The Workspace ONE application uses native OS capabilities to protect application access, such as biometric fingerprint readers on Android, Touch ID on iOS, and Windows Hello on Windows 10.
Mobile SSO with Workspace ONE, establishes trust between the user, device, application, and enterprise, enabling one-touch login to mobile applications. To protect more sensitive applications, you can enable biometric or other multifactor authentication methods. Mobile SSO is available for Android, iOS, and Windows 10 devices.
Workspace ONE, integrated with the mobile application VMware Verify™, provides strong, multifactor authentication that simplifies access across devices. When a user attempts to access the Workspace ONE application store, or any application requiring strong authentication, VMware Verify sends a notification to the user’s mobile phone.
Conditional Access with Device Compliance
Workspace ONE allows you to configure network, platform, and application-specific criteria for authentication. A device must prove compliance with security rules prior to authorizing access to an application. Compliance rules protect against rooted or jailbroken devices, and you can use them to whitelist and blacklist applications.
With adaptive management, users are not required to enroll their device into Workspace ONE UEM to access applications that require only a basic level of security. Instead, users download the Workspace ONE mobile application from the appropriate app store, and log in with their corporate credentials. From here, they can access their authorized applications. However, to access applications that require a higher level of security, you can require users to enroll their devices.
Based on the device profile assigned, the Catalog displays all entitled applications, including mobile applications, SaaS applications, and Horizon 7-based virtual applications and desktops. Applications that require enrollment are indicated with a lock icon. When the user tries to download an application with a lock icon, the enrollment process is triggered. For example, users can download a conferencing application, such as WebEx, without enrollment. But they are prompted to enroll when they try to download an enterprise application, such as Salesforce.
A Workspace ONE implementation can interoperate with other identity providers, like Ping, Okta, and Microsoft Azure, through integration with VMware Identity Manager and still present a common catalog interface for all applications.
For more information, see the VMware Workspace ONE Documentation.
Components and Architecture
This section provides a description of each component of Workspace ONE, as well as an overview of the architecture so you can see how the components relate to each other.
Workspace ONE services are built on the integration of VMware Workspace ONE UEM, VMware Identity Manager, and VMware Horizon.
You can deploy Workspace ONE in many different configurations including:
- On-premises deployments of VMware Identity Manager and Workspace ONE UEM
- Cloud-based deployments of VMware Identity Manager and Workspace ONE UEM
- Hybrid deployments with different components available either on-premises or in the cloud
This guide describes how to build a proof-of-concept for a cloud-based deployment of VMware Identity Manager and Workspace ONE UEM.
Workspace ONE consists of a number of key components that work together to provide the product's capabilities.
|VMware Workspace ONE® UEM
||Enterprise mobility management|
|VMware Identity Manager™
|VMware Workspace ONE® Intelligence™
||Integrated insights, app analytics, and automation
|Workspace ONE app
||End-user access to apps
||Virtual desktops and Remote Desktop Services (RDS) published applications delivered either through Horizon Cloud or VMware Horizon® 7
|VMware Workspace ONE® Boxer
||Secure email client|
|VMware Workspace ONE® Browser
||Secure web browser|
|VMware Workspace ONE® Content
||Mobile content repository
|VMware Workspace ONE® Tunnel
||Secure method for individual applications to access corporate resources
|VMware AirWatch Cloud Connector
||Directory sync with enterprise directories
|VMware Identity Manager Connector
Directory sync with enterprise directories
Sync to Horizon resources
|VMware Unified Access Gateway™
||Gateway that provides secure edge services
|VMware Workspace ONE® Secure Email Gateway
||Email proxy server|
|Certificate Authority Integration||Lifecycle management of provisioned certificates|
|VMware Email Notification Service||Email notifications for VMware Boxer on iOS|
The previous components work together to provide the functionality of Workspace ONE. A basic Workspace ONE configuration consists of VMware Identity Manager and Workspace ONE UEM (formerly VMware AirWatch). VMware Enterprise Systems Connector securely transmits requests from Workspace ONE UEM to the back-end infrastructure. Administrators define user groups, policy settings, and device configurations. Users access Workspace ONE and their applications based on the defined settings and configurations.
Figure: Major Components of a Workspace ONE Deployment with Network Ports
Workspace ONE UEM leverages the existing enterprise network infrastructure to provide its own high availability, redundancy, and scalability for the applications and desktops that it provides to end users. Local load balancing is incorporated on the front end of the SaaS environment. Core network security infrastructure includes redundant Ethernet switches, LAN segregation, firewalls, intrusion detection, and monitoring.
Redundant, high-volume firewalls are located between the Internet and the VMware AirWatch environment. An intrusion detection system (IDS) monitors all internal network traffic, logs suspicious activity, and issues alerts when suspicious network activity is detected.
Workspace ONE UEM takes a multilayered approach to data center security. Primary data centers are maintained with onsite backups for quick recovery and replicated offsite backups for disaster recovery.
Production systems are hosted at two primary data centers, with cross replication of nightly backups to support performance, growth, and security challenges.
Workspace ONE UEM implements security by
- Isolating all Workspace ONE UEM web servers using a demilitarized zone (DMZ)
- Using antivirus clients to protect all servers
- Providing spam filtering and spam reporting for email
Administrators control Workspace ONE UEM from an HTML5 web-based management console. Workspace ONE UEM encrypts all data transmitted between the web console and mobile devices.
Cloud-based Workspace ONE components are automatically upgraded and patched, ensuring that your environment meets the latest security standards.