Business Continuity with VMware Workspace ONE

Providing Business Continuity with VMware Workspace ONE

Disruptions can take many forms, many scopes, and can impact organizations of any size, in any location. Unplanned events such as natural disasters, severe weather, illness, and travel restrictions make it nearly impossible to continue "business as usual." Every organization must develop a business continuity plan to ensure its operations can continue, no matter what the disruption. Business continuity can be achieved and remote workers supported with the VMware Workspace ONE® platform and the solutions it includes, such as VMware Workspace ONE® UEM, VMware Workspace ONE® Access, and VMware Carbon Black Cloud™, as well as with VMware Horizon®, and VMware Horizon® Cloud Service™.


This guide is intended for security architects, engineers, and administrators who are interested in a VMware Workspace ONE infrastructure. This guide is intended for those who want to familiarize themselves with the Workspace ONE platform, are in the process of implementing Workspace ONE for the first time, or have an existing Workspace ONE implementation that they want to expand. Not all sections of this guide are necessarily applicable to your particular deployment, but are clearly marked so you can find what you need to get started.

It is assumed that you have some familiarity with Windows data center technologies such as Active Directory, as well as with virtualization technology, cloud computing, network routing, and firewall security architecture.

Purpose of This Guide

This guide covers how business continuity challenges are changing with a remote-first requirement. This guide provides technical details on how VMware Workspace ONE can help meet these challenges and support remote workers.

Organizations may have a variety of starting states, from being new to Unified Endpoint Management (UEM) or already using Workspace ONE UEM and Workspace ONE Access. Regardless of the starting state of your organization, the following four steps should be considered:

  1. Reflect - Health check and solidify any existing environment.
  2. Expand - Understand the options available for new environments or expansion of existing ones.
  3. Deploy – Get deployment considerations for Workspace ONE, including guidance on best practices.
  4. Enhance and Evolve - Understand how to enhance and evolve the solution to add more security, improve user experience, and drive digital transformation.

Business Continuity Journey

Figure 1: Business Continuity Journey

Current Challenges to Business Continuity

Many business continuity plans have traditionally focused on data center elements when it comes to planning IT systems. These include ensuring data is replicated from primary to secondary data centers in case of a disaster and making key systems redundant and able to failover to run in alternate locations. A secondary consideration was ensuring users could access those systems during a period of disruption. However, this consideration was often based on the assumption that the users could work from another office location.

Times and challenges have changed and the assumption that users can access an office location no longer holds true. The focus is now on how to provide both continuity for the user, as well as business continuity for the IT systems. When planning for user access, a remote-first approach must now be taken.

While building a business and a user continuity plan, a critical element is to provide continued access to IT systems and corporate resources, to ensure that users remain productive no matter where they are or what device they are using. This has to be done while maintaining proper security and control over users’ access to corporate applications, data, and resources.

How can organizations plan, maintain, and support users that are no longer necessarily based in the office? While initially this requirement is driven by recent events when users cannot get to an office location, you should consider beyond these immediate needs. When evaluating business continuity options, you should strive for solutions that can be used as part of the user’s everyday system. In that way, this can be seen as more than just something to be used during an outage or disruptive event.

When the solution is based on a remote-first approach, you have the ability to offer options to work from home, either full-time or part-time. Many organizations are also exploring this for other reasons, such as to reduce daily travel to the office as part of a green initiative, or to allow more flexible work schedules.

The challenge facing IT is: How do we give users secure access to the applications used in their daily work, from devices and over networks that are not managed by our organization?

Meeting the Challenge

These challenges can be met with the VMware Workspace ONE platform, which combines powerful integration across digital workspace solutions, including access management, unified endpoint management (UEM), analytics, desktop and application virtualization and endpoint security. These are key solutions that enable remote work without compromising security and provides incredible user experience. The Workspace ONE platform includes four core solutions:

  • Workspace ONE UEM – Enables Unified Endpoint Management across Windows, Mac, iOS, and Android devices, protecting corporate applications and data
  • Workspace ONE Access – Enables a unified application catalog, providing a single place to secure access to all applications and single sign-on, in addition to streamlining communication with all users through Hub Services
  • VMware Horizon – Enables access to remote applications and desktops, keeping all data in the datacenter
  • Carbon Black Cloud – Provides a cloud-native endpoint protection platform (EPP) that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console

This guide provides an overview of three of these solutions: Workspace ONE UEM, Workspace ONE Access, and Carbon Black. For VMware Horizon, see Business Continuity with VMware Horizon.

Benefits of Using the Workspace ONE Platform

The Workspace ONE platform helps organizations quickly react to situations, such as a global pandemic, providing the tools users need to adapt to unexpected changes in the workplace. By combining the ability to manage, secure, and deliver any app on any device, Workspace ONE enables all kinds of workforces to work from anywhere, instantly, while maintaining a consistent user experience.

With Workspace ONE, end-users have a unified catalog that provides access to virtually any corporate application. This includes mobile apps, SaaS, internal, virtual and Windows apps. Once signed-in, end-users can self-service select the applications they need to be productive with no IT intervention, reducing helpdesk calls for end users to get access to applications and services.

  • Workspace ONE provides easy access to all the apps end users need to do their job either through a catalog available through a browser or the Intelligent Hub native application.
  • Transform employee onboarding by enabling self-service access to the apps and resources end-users need.
  • One-touch single sign-on means end-users don't have to remember multiple credentials, or type in the same password every time they access an app. Through the use of certificates, Workspace ONE provides a secure and easy way that results in a password-less single-sign on experience.

Starting States

Your organization may be new to VMware Workspace ONE, or may have already deployed some components. Your organization may be using Workspace ONE for only a subset of your devices, and now wants to address an increase in demand to meet business continuity needs or to support a remote-first culture.

Many organizations either rapidly adopted Workspace ONE or expanded their usage to cope with the sudden increase in demand during recent times. If this is true of your organization, your environment should be revisited to ensure that your organization is realizing all the benefits of Workspace ONE, that security has been implemented properly, and that the deployment is designed to scale and support the entire workforce.

After the health of any existing deployments is verified, there are various options that your organization should consider when looking to expand capabilities of a mobile or remote workforce and provide a robust digital workspace for all employees. The following sections detail this journey to a fully digital workspace from four different starting states: No Workspace ONE deployment, an existing deployment with no additional components, an existing deployment with some additional components, and an existing deployment with all components.

Workspace ONE Starting States and Deployment Journey

Figure 2: Workspace ONE Starting States and Deployment Journey

New to VMware Workspace ONE

If you are new to the Workspace ONE platform, there are a variety of ways you can explore it, test it, and conduct trial runs, to help you determine the best solution for your organization.

Understanding Benefits

VMware Workspace ONE is an intelligence-driven digital workspace platform that easily and securely delivers and manages any app on any device by integrating access control, application management, and multi-platform endpoint management. It is available as an annual cloud subscription or a perpetual on-premises license. Workspace ONE combines unified endpoint management technology (formerly VMware AirWatch®) with virtual application delivery (VMware Horizon) on a shared access management framework. With Workspace ONE, organizations can now evolve siloed cloud and mobile investments, enabling all employees, devices, and applications across the organization to accelerate their digital transformation journey with a platform-based approach.

Workspace ONE enables you to drastically improve experiences and tasks that were previously costly, time-consuming, and resource intensive. With Workspace ONE, your IT organizations can:

  • Onboard a new employee with all apps and devices in under an hour without tickets and help-desk calls
  • Set and enforce access and data policies across all apps, devices, and locations in one place
  • Complete business processes from a mobile device, similar to consumer experiences
  • Provision a new corporate laptop out of the box, anywhere in the world from the cloud, within minutes
  • Get insights and automation capabilities across your entire digital workspace environment

Considering Deployment Options

If you are new to the Workspace ONE platform, you can consider your deployment options, explore using Hands-On Labs, deploy a proof of concept, or conduct a pilot:

  • Choose a Software-as-a-Service (SaaS) hosted and managed Workspace ONE instance. Note: Some components require deployment within your network or on-premises datacenter to integrate the platform with internal systems.
  • Deploy Workspace ONE components in your on-premises datacenter as an alternative to SaaS-hosted.
  • Purchase a solution leveraging Workspace ONE technologies from a partner within the VMware Partner network, including mobile device carriers, desktop/laptop hardware vendors, and more, or leverage the expertise of VMware Professional Services.

See the Workspace ONE Reference Architecture for more detailed descriptions of these deployment options.

Exploring Hands-on Labs and TestDrive

For those completely new to Workspace ONE, there are a couple of options to experience the solution before setting it up in your environment.

VMware Hands-On Labs provides an on-demand hands-on experience for some of the Horizon product line. You can access the current HOL catalog, and search for "UEM" or "Workspace ONE" to see what is available. Signing up for an account is free.

VMware TestDrive is also available for additional use-case based, hands-on interactions. TestDrive provides a pre-configured, optimized environment with comprehensive step-by-step videos, walkthroughs, and guides for a quick learning experience. It is available to VMware partners and anyone with an invitation code. Contact your VMware EUC sales team to get an invitation code. You can access TestDrive here.

Conducting a Proof of Concept

It is a common practice to stand up an initial proof of concept to get hands-on experience with Workspace ONE technologies. A proof of concept includes testing specific use cases (such as employee-owned, corporate-owned, and rugged or kiosk devices), and how the solution works in your environment. The Quick-Start tutorial for Workspace ONE can be found on TechZone at QuickStart Tutorial Series for Cloud-Based VMware Workspace ONE. After concluding a proof of concept, but before running a pilot, revisit the deployment type decision (on-premises versus dedicated or shared SaaS) and verify that it meets your business needs. Work with your VMware EUC Sales Team if concerned about the deployment type selected.

Running a Pilot

The next logical step in testing whether a Workspace ONE solution is suitable for your everyday production or business continuity needs, is to deploy a pilot with one or more user groups to test the full functionality that your users require. A pilot typically includes testing the full range of device management and user experience capabilities. This is typically done with users who are willing to participate in initial testing and provide objective, detailed feedback.

Pilots are often done with VMware Partners or VMware Professional Services to leverage their expertise in having conducted previous pilots. Contact your VMware EUC Sales Team for help in finding a partner or Professional Services resource.

Next Steps

After a successful pilot, organizations typically begin to bring more devices under management with Workspace ONE. In the past, handheld mobile devices (from Apple, Google, Zebra, and more) were typically the first targets for management. Current desktop operating systems (Windows 10, macOS, and Chrome OS) support modern management via Workspace ONE. As such, you have the flexibility to onboard your end-user computing platforms to Workspace ONE management in a method that fits your business.

Some suggested next steps would include the following:

  • Identify opportunities or projects involving new device purchases, such as kiosk projects or device refresh. Plan to have these devices implemented with Workspace ONE as the management platform. By making Workspace ONE the standard for new devices, you can avoid migrations or on-site configuration changes later.
  • Identify small device groupings, or non-critical devices, to migrate with little or no business impact. Ask for feedback and use these smaller migrations to iterate improvements for onboarding or migration processes.
  • Consider whether users should force-migrate immediately or migrate at their next device refresh interval.
  • If currently managing devices with another MDM vendor, consider using a partner tool (such as Exodus or EBF Onboarder) to migrate mobile devices to Workspace ONE.
  • Consider Workspace ONE Access if an improved user-experience for employees (via catalog, single sign-on, and more) is a focus for the business.

This guide provides more options to consider as you are looking at Workspace ONE to provide business continuity and remote-first capabilities for your organization, and it is worth reading further. For more detail on design, architecture, sizing, external access, and other essential topics, see the Workspace ONE and Horizon Reference Architecture.

Existing Workspace ONE MDM Only

If you currently leverage only Workspace ONE UEM, this is the time to conduct a health check of your current state, consider expansion and deployment options, and start enhancements.

Conducting a Health Check

Before expanding an existing Workspace ONE UEM solution, the first step is to ensure that your organization is taking full advantage of current Workspace ONE capabilities and following best practices.

VMware provides a Health Check program to help. The program includes a technical review of system health, as well as a functional review of the usage of the VMware solution. The service applies to both on-premises and cloud deployment models, and is conducted remotely via teleconference by the VMware Professional Service team. VMware recommends to schedule health checks annually to optimize usage and proactively detect vulnerabilities in a rapidly evolving digital workspace ecosystem.

For more information on VMware's professional services offering, contact your EUC Sales representative.

Considering Expansion Options

Workspace ONE UEM has several deployment options that you can use to expand an existing Workspace ONE deployment to support additional remote workers:

Integrating Workspace ONE UEM with Workspace ONE Access

VMware Workspace ONE Access (formerly called VMware Identity Manager) is a key component of the VMware Workspace ONE platform. Among the capabilities of Workspace ONE Access are:

  • Simple application access for end users – Provides access to different types of applications, including internal web applications, SaaS-based web applications (such as Salesforce, Dropbox, Concur, and more), native mobile apps, native Windows and macOS apps, VMware ThinApp® packaged applications, VMware Horizon-based applications and desktops, and Citrix-based applications and desktops, all through a unified application catalog.
  • Self-service app store – Allows end users to search for and select entitled applications in a simple way, while providing enterprise security and compliance controls to ensure that the right users have access to the right applications. Users can customize the Favorites tab for fast, easy access to frequently used applications, and place the apps in a preferred order. IT can optionally push entries onto the Favorites tab using automated application entitlements.
  • Enterprise single sign-on (SSO) – Simplifies business mobility with an included Identity Provider (IdP) or integration with existing on-premises identity providers so that you can aggregate SaaS, native mobile, macOS, and Windows 10 apps into a single catalog. Users have a single sign-on experience regardless of whether they log in to an internal, external, or virtual-based application.
  • Conditional access – Includes a comprehensive policy engine that allows you, as the administrator, to set different access policies based on the risk profile of the application. You can use criteria such as network range, user group, application type, method of authentication, or device operating system to determine if the user should have access or not.
  • Productivity tools – Enables the Hub Services suite of productivity tools such as People Search, Notifications, Mobile Flow, Assistant, and more.
  • Enterprise identity management with adaptive access – Establishes trust between users, devices, and applications for a seamless user experience and powerful conditional access controls that leverage Workspace ONE UEM device enrollment and SSO adapters.
  • Workspace ONE native mobile apps – Includes native apps for iOS, Android, macOS, and Windows 10 to simplify finding, installing enterprise apps, and providing an SSO experience across resource types.
  • VMware Horizon / Citrix – Workspace ONE Access can also be integrated with VMware Horizon, VMware Horizon Cloud Service, and Citrix published applications and desktops. The Workspace ONE Access handles authentication and provides SSO services to applications and desktops.

See Workspace ONE and Horizon Reference Architecture for more detail on the various deployment options for Workspace ONE Access.

In addition, Workspace ONE Access has the ability to validate the compliance status of the device in Workspace ONE UEM. Failure to meet the compliance standards blocks a user from signing into an application or accessing applications in the catalog until the device becomes compliant. By integrating Workspace ONE Access and VMware Workspace ONE Intelligence, you can add user behavior and risk scoring into the access decision. For more information on Workspace ONE Intelligence, see the Existing Workspace ONE UEM and Access starting state.

Migrating from Third-Party Windows 10 and macOS Management

Workspace ONE combines complete cloud-based, modern management with intelligent automation to empower users, harden security, and simplify IT. Workspace ONE also co-exists with your Windows 10 traditional client management tools across any workload and features automation to speed transition to full modern management.

VMware Workspace ONE AirLift is a server-side connector that simplifies and speeds your journey to Windows 10 modern management. Workspace ONE AirLift bridges administrative frameworks between Microsoft Endpoint Configuration Manager (ConfigMgr), Active Directory, and Workspace ONE UEM. Some of the key features and benefits include:

  • Provides dashboards to monitor automated enrollment progress and modern management activity
  • Enables mapping between ConfigMgr device collections and Workspace ONE UEM smart groups
  • Facilitates application rationalization and migration from ConfigMgr to Workspace ONE
  • Facilitates Windows 10 Group Policy rationalization and migration from Active Directory to Workspace ONE UEM

For more information, see Modernizing Windows 10 Management: VMware Workspace ONE Operational Tutorial.

In migrating macOS management, you must consider the current management tool and macOS version. Not all macOS management tools manage the OS in the same way. Some manage macOS using custom agents, while others leverage the MDM protocol (or a combination of both). Additionally, as macOS continues to mature, the capabilities of the MDM protocol change, along with underlying requirements for successful onboarding. As such, use the following questions to guide your in-house professional services- or partner-engaged migration:

  • What version of macOS requires migration to Workspace ONE?
  • Should the Workspace ONE enrollment be automated, user-approved, or automated via Apple Business Manager or Apple School Manager?
  • Are currently deployed devices MDM-enrolled? If so, are they enrolled via Apple Business Manager (or Apple School Manager) automated enrollment?
  • If devices were MDM-enrolled via Apple Business Manager, was the automated enrollment profile set to prevent profile removal? If so, does the current management tool (and the migration tool) support API-driven profile removal?

For more information regarding macOS migration, see the following resources:


Enabling Modern Management for Windows 10 and macOS

VMware enables IT to leverage cloud-first modern management capabilities to ensure all employees, including decentralized workers, remain productive without disruption. Modern management is critical in supporting remote and distributed workforces as it leverages a cloud-based native framework unlike traditional PC lifecycle management solutions. Modern management allows IT to fully manage and configure devices over-the-air compared to legacy PC lifecycle management solutions which require line of sight to the domain. Workspace ONE offers cloud-based infrastructure for deploying policies, apps, updates, and enabling real-time communication, all over-the-air. Moving to modern management reduces the total cost of ownership per device per year by two-thirds when compared to traditional management solutions which require high IT-touch for deployment and configurations of devices. (For more information, see Forrester Total Economic Impact (TEI) report and Dell Provisioning for Workspace ONE.) By leveraging new technologies in Windows 10 and macOS, as well as strong hardware OEM partnerships, Workspace ONE enables modern management across five main areas:

  • Device onboarding – Simplified end-user onboarding with Windows 10 Out-of-Box Experience (OOBE) and Windows Autopilot for Windows 10. Drop ship Windows 10 devices to end users with Factory Provisioning or automate enrollment via command-line. For macOS, streamline deployment using Apple Business Manager or Apple School Manager. See the Onboarding Options for macOS and Onboarding Options for Windows 10 Operational Tutorials for more details.
  • Configuration management – Apply MDM-based policies to Windows and macOS endpoints and apply specific configuration settings over-the-air from the management console. Workspace ONE also supports scripting capabilities for both platforms. In addition to the standard MDM policies, you can leverage industry-standard policy baselines to deploy cloud-based policies (GPOs) to Windows devices.
  • OS Update management – Leverage the Windows and Apple update sources and choose when and how updates are applied to devices over-the-air. Updates can be scheduled, forced, or allow the end user to choose the best time for installation within a configured grace period set by IT. Windows Updates can also leverage Delivery Optimization to decrease the potential impacts on the corporate network.
  • Software distribution – Deliver applications from different sources to users via the Workspace ONE catalog. For both Windows 10 and macOS, applications are optionally delivered from a global CDN. With Windows 10, you can optionally leverage P2P capabilities in Windows 10. You can deliver EXE, MSI, or scripted install (ZIP) applications to Windows and third-party DMG and PKG installers to macOS. In addition, Workspace ONE integrates with Apple Business Manager, Apple School Manager, or the Microsoft Store for Business to deliver volume-licensed app store apps to devices.
  • Client health and security – Enable IT to enforce and manage the full lifecycle of BitLocker and FileVault encryption and set security policies on the endpoint. You will also have access to setting policies related to Windows Information Protection (WIP), Windows Hello for Windows, and various security, privacy, firewall, and firmware passwords for macOS, along with other OS security features for both platforms.

Your organization will have to determine the appropriate aspects of modern management that can be implemented in order to enable cloud-based modern management with intelligent automation to empower users, harden security, and simplify IT. To help with this process, see Developing a Modern Management Adoption Process for Windows 10.

For more technical details on getting started with modern management, see the Understanding Windows 10 Management and Understanding macOS Management activity paths on Tech Zone.

VMware offers professional services for deploying Workspace ONE and Jump Starting into Windows 10 with Workspace ONE. For more information on VMware's professional services offering, contact your EUC Sales representative.

Existing Workspace ONE UEM and Access

If you currently leverage Workspace ONE UEM and Workspace ONE Access, you are ready to conduct a health check, consider expansion and deployment options, and start enhancements.

Depending on your industry or current situation, your employees may or may not have a dedicated corporate device. First, you want to consider which device platforms or form factors each working group requires to be productive on their first days of working remotely. Your highly mobile users (those who already work from home or own a corporate device) will likely not require anything else, other than an added management layer to reap some of the benefits of device management.

Unifying the user experience across different device types and operating systems, simplifies the user experience, leading to improved productivity and satisfaction. Workspace ONE Access provides identity-related components, including authentication using username and password, two-factor authentication, certificate, Kerberos, mobile SSO, and inbound SAML from third-party Workspace ONE Access systems. Workspace ONE Access also provides SSO to entitled web apps, Windows apps, and desktops delivered through either VMware Horizon or Citrix.

Conducting a Health Check

Before expanding with VMware solutions, the first step is to ensure your organization is taking full advantage of current Workspace ONE capabilities and following best practices.

VMware provides a Health Check program to help. The program includes a technical review of system health, as well as a functional review of the usage of the VMware solution. The service applies to both on-premises and cloud deployment models and is conducted remotely via teleconference by the VMware Professional Service team. VMware recommends that you schedule health checks annually to optimize usage and proactively detect vulnerabilities in a rapidly evolving digital workspace ecosystem.

For more information on VMware's professional services offering, contact your EUC Sales representative.

Federating Authentication with Workspace ONE Access

Workspace ONE Access Federated Authentication

Figure 3: Workspace ONE Access Federated Authentication

If, like so many others, your enterprise IT environment has evolved through merger and acquisition (M&A) activity or business unit expansion, it likely includes a mix of new and legacy identity stores from a host of providers. While not uncommon, it is cumbersome for a company to be using Active Directory Federation Services, Azure Active Directory, Okta, Ping, and Active Directory across disparate locations.

Workspace ONE Access acts as an identity broker and can integrate with your existing third-party identity solutions. Take this time to federate Workspace ONE Access with your existing solutions to provide a seamless SSO experience to your end-users.

For more information regarding Federated Authentication with Workspace ONE Access, refer to the Integrate module in Mastering Workspace ONE Access, which includes:

Enabling Single Sign-On into All Apps (SaaS, Native, Virtual)

Employees want seamless access to all their information and apps without administrative hassles. Yet protecting corporate data in a perimeter-less environment is not only challenging, but costly when you must deploy and manage a variety of disconnected solutions.

The Workspace ONE Intelligent Hub user interface works similarly on phones, tablets, desktops, and browsers. The Catalog page in Workspace ONE Intelligent Hub displays resources that have been pushed to Workspace ONE. Users can tap or click to search, add, bookmark, and update applications. They can right-click on an app to remove it from the Bookmarked page and go to the Catalog page to add entitled resources.

To create seamless access to all corporate information and applications, we recommend these steps:

Workspace ONE Access Provides Policy-Based Conditional Access into Applications

Figure 4: Workspace ONE Access Provides Policy-Based Conditional Access into Applications

Activating Intelligent Hub Services

Workspace ONE Hub Services offers a unified catalog, actionable notifications, a virtual assistance chatbot, and a people directory for a full digital workspace experience. Employees install the Workspace ONE Intelligent Hub app on their devices or use their web browser for a single destination to access, discover, and connect with a company's corporate resources, teams, and workflows. Consider deploying the full suite of Hub Services to create a complete digital workspace and elegant employee experience:

  • Enable People Service for the Intelligent Hub App - When Hub Services is fully integrated with Workspace ONE Access, you can enable access to the People service to let users search for their colleagues and view user details and organization charts directly from the Intelligent Hub app.
  • Using Hub Notifications Service - Through Workspace ONE Intelligent Hub notifications, organizations can generate and serve actionable, real-time notifications across employees or to select employee groups. This flexible, cloud-hosted service sends notifications to users in both the Intelligent Hub portal in a browser and through the Intelligent Hub app on their mobile device.
  • Enable Workspace ONE Mobile Flows Notification in Hub Services - The Workspace ONE mobile flows service processes the notification workflow from other business apps such as Salesforce and delivers them to apps that integrate with Workspace ONE mobile flows. You must enable mobile flows in the Hub console to display notifications from mobile flows-configured business systems within Intelligent Hub.
  • Empower User Self-Service Features - In the Hub Services console Help & Support page, you can customize the type of self-service support features that are available in the Workspace ONE Intelligent Hub web browser view. You can add helpful links to the Support tab to empower and educate users about how to perform basic device management tasks, investigate issues, and fix problems. These links can reduce the number of help-desk tickets and support issues.

Workspace ONE Intelligent Hub

Figure 5: Workspace ONE Intelligent Hub

Considering Expansion Options

Workspace ONE UEM has several deployment options that can be used to expand an existing Workspace ONE deployment to support additional remote workers:

Considering VMware Unified Access Gateway

VMware Unified Access Gateway

Figure 6: VMware Unified Access Gateway

VMware Unified Access Gateway is a security platform that provides edge services and access to defined resources that reside in the internal network. It acts as the security gateway for VMware Workspace ONE and VMware Horizon deployments, enabling secure remote access from an external network to a variety of internal resources. Unified Access Gateway supports multiple use cases.

For more technical details on getting started with Unified Access Gateway, see the Mastering Unified Access Gateway Product Activity Path on Tech Zone. Select the Edge Services tab to jump to resources to walk you through configuring various Edge Services in Unified Access Gateway.

Considering Workspace ONE Intelligence

VMware Unified Access Gateway

Figure 7: Workspace ONE Intelligence Overview

VMware Workspace ONE Intelligence is a cloud service built for the VMware Workspace ONE platform that provides deep insights, analytics, and automation for the entire digital workspace. Together, these capabilities enhance digital user experience and strengthen security across the entire digital workspace environment.

  • Insights - By aggregating, correlating, and analyzing data from multiple internal and external sources, Workspace ONE Intelligence delivers out-of-the-box as well as advanced custom dashboards and reports to help organizations visualize the state of the digital workspace. It provides insights into the security posture, impact of new security threats, in context risk analytics, device and OS compliance, and the state digital employee experience.
  • Analytics - Workspace ONE Intelligence delivers a rich set of device and mobile app analytics. Built for the Workspace ONE Platform, Workspace ONE Intelligence aggregates data from Workspace ONE Access and Workspace ONE Unified Endpoint Management, enabling unique correlations and analytics for the digital workspace. With the Workspace ONE Intelligence SDK that collects mobile app analytics, your organization can track app performance and engagement. By leveraging machine learning techniques, Workspace ONE Intelligence takes the management of the digital workspace to the next level.
  • Automation and Orchestration - After the information has been surfaced by Workspace ONE Intelligence, you can leverage the built-in automation and orchestration engine to orchestrate workflows and automate actions based on pre-defined policies and a rich set of parameters. Automation can extend to third-party tools such as ServiceNow for ticketing and Slack for communications, and other tools that support REST API.

Existing Workspace ONE, Access, Intelligence, and Unified Access Gateway

If your organization is currently leveraging the Workspace ONE platform, along with the core components listed below, you are well on the way to achieving business continuity. Now is the time to conduct a health check, verify that your organization is taking full advantage of current capabilities and following best practices, and consider additional expansion and deployment options.

There is still room to enhance and evolve the use of VMware solutions as business continuity scenarios continue to add new requirements, pushing organizations to enable and efficiently manage a remote workforce.

  • Workspace ONE UEM
  • Workspace ONE Access
  • Workspace ONE Intelligence
  • VMware Unified Access Gateway

Conducting a Health Check

Before expanding, the first step is to ensure that your organization is taking full advantage of current Workspace ONE capabilities and following best practices.

VMware provides a Health Check program to help. The program includes a technical review of system health, as well as a functional review of the usage of the VMware solution. The service applies to both on-premises and cloud deployment models, and is conducted remotely via teleconference by the VMware Professional Service team. VMware recommends to schedule health checks annually to optimize usage and proactively detect vulnerabilities in a rapidly evolving digital workspace ecosystem.

For more information on VMware's professional services offering, contact your EUC Sales representative.

Deployment Considerations

Whether expanding an existing environment or planning for a new deployment, you should review and evaluate the deployment considerations covered in the VMware Workspace ONE and VMware Horizon Reference Architecture. This resource is available on Tech Zone to help you get started planning your next step into the digital workspace. It is a key tool that provides a framework and guidance for architecting Workspace ONE and Horizon environments, whether using cloud-based deployments or installing on-premises deployments. Design guidance is given for each product—with a corresponding component design chapter devoted to each product—followed by chapters that provide best practices for integrating the components into a complete platform.

Enhance and Evolve Toward Better Business Continuity

After the core Workspace ONE components have been deployed, an organization can enhance the security of a remote workforce and evolve the remote worker experience by considering the Workspace ONE solutions or integrating with other VMware or third-party offerings in the following sections.

Workspace ONE Assist

VMware Workspace ONE® Assist allows VMware Workspace ONE UEM administrators to remotely access and troubleshoot devices in real time while respecting end-user privacy. It provides cross platform support, including Windows 10, macOS, iOS, and Android.

Remote Access to Android Device with Workspace ONE Assist

Figure 8: Remote Access to Android Device with Workspace ONE Assist

The ability to remotely troubleshoot devices allows IT to quickly resolve issues impacting end user experience and productivity. To learn more about the features of Workspace ONE Assist, see VMware Workspace ONE Assist - Feature Walk-through. For comprehensive deployment details, consult the VMware Workspace ONE Assist section of the Reference Architecture.

Workspace ONE Trust Network

With the removal of local office boundaries and security as the top priority, endpoint and data protection is a major concern. VMware Workspace ONE® Trust Network allows verified security partner solutions to integrate with Workspace ONE Intelligence to deliver predictive and automated security in the digital workspace. Workspace ONE Trust Network is rapidly expanding, see below a list of released integrations and receptivity categories:

  • VMware Carbon Black (Endpoint Protection Platform)
  • Lookout for Work (Mobile Threat Defense)
  • Netskope (Cloud Access Security Broker)
  • Wandera (Mobile Threat Defense)
  • Zimperium (Mobile Threat Defense)

Integrating Workspace ONE Trust Network with Workspace ONE Intelligence provides insight into threats detected by each of the Trust Network components configured in the environment. With this information, you can get insights through predefined dashboards, customize as you need, and create automations based on threat events. The automation capability allows the immediate initiation of remediation actions, bring the InfoSec teams up to speed with key information about the threat and device under attack, enabled communication across teams integrating with third-party collaboration tools and more.

Consolidated Threat View Reported by Trust Network Solutions Over Time in Workspace ONE Intelligence

Figure 9: Consolidated Threat View Reported by Trust Network Solutions Over Time in Workspace ONE Intelligence

To learn more about Workspace ONE Trust Network integration, see Workspace ONE Intelligence and Trust Network Integration.

VMware Carbon Black

VMware Carbon Black Cloud is a cloud-native endpoint protection platform (EPP) that detects and analyses threat activities in real time from Windows and macOS endpoints, it combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single lightweight agent and an easy-to-use console.

Integrating VMware Carbon Black creates a new level of endpoint protection, and Workspace ONE Intelligence glues it all together with automation capabilities that can act on threat insights. The integration of Workspace ONE UEM, Workspace ONE® Intelligence™, and Carbon Black Cloud enables powerful security orchestration to achieve rapid remediation, minimize risks associated with attacks, and help simplify security by removing silos.

Security orchestration flow integrating Workspace ONE UEM, Intelligence and VMware Carbon Black.

Figure 10: Security orchestration flow integrating Workspace ONE UEM, Intelligence and VMware Carbon Black.

To see a complete security orchestration scenario with Workspace ONE UEM, Intelligence and Carbon Black in action, watch the Workspace ONE Intelligence and VMware Carbon Black: Automating Device Quarantine video.

To learn more how to integrate Workspace ONE Intelligence and VMware Carbon Black, see Integrating Workspace ONE Intelligence and VMware Carbon Black: VMware Workspace ONE Operational Tutorial.

Summary and Additional Resources

Workspace ONE inherently provides the tools necessary to support a variety of working styles - remote, mobile, deskless, or in corporate offices - while meeting any level of security requirements and providing an excellent employee experience. The Workspace ONE platform provides the foundation for maintaining continuous user access to critical business systems and maintaining employee communications during major disruptions, regardless of employee location or device. Workspace ONE is, therefore, an essential component of a business continuity plan.

Whether you were new to the Workspace ONE platform and its component solutions, or were an experienced user, this guide provided a start to exploring ways to meet the challenges of today’s events, as well as to be better prepared for business continuity and disaster recovery in the future. We started by reflecting on the current state of your deployment, and conducted a health check to solidify your existing enterprise. Next, we explored a variety of deployment and expansion options available for both new environments and existing ones. Then, we covered the deployment considerations to be aware of, including best practices guidance. And we ended by discussing how to enhance and transform your deployment to add security, support remote workers, improve user experience, drive digital transformation, and achieve your business continuity goals.

Additional Resources

For learn information about how you can use VMware products to meet business continuity goals, you can explore the following resources:

Change Log

The following updates were made to this guide:


Description of Changes


  • Initial version

Authors and Contributors

This guide was written by:


The purpose of this guide is to assist you, and your feedback about this is valuable. To comment on this paper, contact VMware End-User-Computing Technical Marketing at





Filter Tags

Workspace ONE Carbon Black Cloud Unified Access Gateway Workspace ONE Access Workspace ONE Intelligence Workspace ONE UEM Document Technical Overview Overview Design Deploy Manage Optimize Business Continuity Identity / Access Management Secure Remote Access