Business Drivers, Use Cases and Service Definitions

This chapter is one of a series that make up the VMware Workspace ONE and VMware Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of Workspace ONE and Horizon solutions. This chapter provides information about sample business drivers, typical use cases, and service definitions.

Addressing Business Requirements

An end-user-computing (EUC) solution based on VMware Workspace ONE, VMware Horizon, and VMware Horizon Cloud Service on Microsoft Azure can address a wide-ranging set of business requirements and use cases. In this reference architecture, the solution targets the most common requirements and use cases seen in customer deployments to date.

A technology solution should directly address the critical business requirements that justify the time and expense of putting a new set of capabilities in place. Each and every design choice should center on a specific business requirement. Business requirements could be driven by the end user or by the team deploying EUC services.

The following are examples of common key business drivers that the Workspace ONE solution can address.

Mobile Access

Requirement definition: Provide greater business mobility by providing mobile access to modern and legacy applications on laptops, tablets, and smartphones.

Workspace ONE and Horizon solution: Workspace ONE provides a straightforward, enterprise-secure method of accessing all types of applications that end users need from a wide variety of platforms.

  • It is the first solution that brings together identity, device and application management, a unified application catalog, and mobile productivity.
  • VMware Horizon Client technology supports all mobile and laptop devices as well as common operating systems.
  • VMware Unified Access Gateway virtual appliances provide secure external access to internal resources without the need for a VPN.

Fast Provisioning and Access

Requirement definition: Allow fast provisioning of and secure access to line-of-business applications for internal users and third-party suppliers, while reducing physical device management overhead.

Workspace ONE and Horizon solution: Workspace ONE can support a wide range of device access scenarios, simplifying the onboarding of end-user devices.

  • Adaptive management allows a user to download an app from a public app store and access some published applications. If a user needs to access more privileged apps or corporate data, they are prompted to enroll their device from within the app itself rather than through an agent, such as the VMware Workspace ONE Intelligent Hub app.
  • Horizon can provision hundreds of desktops in minutes using Instant Clone Technology. Horizon provides the ability to entitle groups or users to pools of desktops quickly and efficiently. Applications are delivered on a per-user basis using VMware App Volumes.
  • Horizon Cloud Service on Microsoft Azure delivers feature-rich virtual desktops and applications using a purpose-built cloud platform. This makes it easy to deliver virtualized Windows desktops and applications to any device, anytime. IT can save time getting up and running with an easy deployment process, simplified management, and a flexible subscription model.
  • Unified Access Gateway appliances provide a secure and simple mechanism for external users to access virtual desktops or published applications customized using VMware Dynamic Environment Manager.

Reduced Application Management Effort

Requirement definition: Reduce application management overhead and reduce application provisioning time.

Workspace ONE and Horizon solution: Workspace ONE provides end users with a single application catalog for native mobile, SaaS, and virtualized applications and improves application management.

  • Workspace ONE provides a consolidated view of all applications hosted across different services with a consistent user experience across all platforms.
  • With Horizon and Horizon Cloud Service on Microsoft Azure, Windows-based applications are delivered centrally, either through virtual desktops or as RDSH-published applications. These can be centrally managed, allowing for access control, fast updates, and version control.
  • VMware Workspace ONE Intelligence gives IT administrators insights into app deployments and app engagement. Analysis of user behavior, combined with automation capabilities, allows for quick resolution of issues, reduced escalations, and increased employee productivity.
  • App Volumes provides a simple solution to managing and deploying applications. Applications can be deployed “once” to a single central file and accessed by thousands of desktops. This simplifies application maintenance, deployment, and upgrades.
  • VMware ThinApp provides additional features to isolate or make Windows applications portable across platforms.

Centralized and Secure Data and Devices

Requirement definition: Centralize management and security of corporate data and devices to meet compliance standards.

Workspace ONE and Horizon solution: All components are designed with security as a top priority.

  • VMware Workspace ONE UEM (powered by AirWatch) provides aggregation of content repositories, including SharePoint, network file shares, and cloud services. Files from these repositories can be synced to the VMware Workspace ONE Content app for viewing and secure editing.
  • Workspace ONE UEM policies can also be established to prevent distribution of corporate files, control where files can be opened and by which apps, and prevent such functions as copying and pasting into other apps, or printing.
  • Horizon is a virtual desktop solution where user data, applications, and desktop activity do not leave the data center. Additional Horizon and Dynamic Environment Manager policies restrict and control user access to data.
  • VMware NSX provides network-based services such as security and network virtualization, and can enforce least-privilege network trust and VM isolation using micro-segmentation and identity-based firewalling for the Horizon management, RDSH, and desktop environments.
  • Horizon Cloud Service on Microsoft Azure is the platform for delivering virtual desktops or published applications where user data, applications, and desktop activity do not leave the data center. Additional Horizon Cloud and VMware Dynamic Environment Manager policies restrict and control user access to data.
  • Workspace ONE Intelligence detects and remediates security vulnerabilities at scale. It can quickly identify out-of-compliance devices and automate access control policies based on user behavior.

Comprehensive and Flexible Platform for Corporate-Owned or BYOD Strategies

Requirement definition: Allow users to access applications, especially the Microsoft Office 365 suite, and corporate data from their own devices.

Workspace ONE and Horizon solution: Workspace ONE can meet the device-management challenges introduced by the flexibility demands of BYOD.

  • Workspace ONE and features like adaptive management simplify end-user enrollment and empower application access in a secure fashion to drive user adoption.
  • With Horizon and Horizon Cloud Service on Microsoft Azure, moving to a virtual desktop and published application solution removes the need to manage client devices, applications, or images. A thin client, zero client, or employee-owned device can be used in conjunction with Horizon Client. IT now has the luxury of managing single images of virtual desktops in the data center.
  • Get insights into device and application usage over time with Workspace ONE Intelligence to enable optimizing resource allocation and license renewals. The built-in automation capabilities can tag devices that have been inactive for specific periods of time or notify users when their devices need to be replaced.

Reduced Support Calls and Improved Time to Resolution

Requirement definition: Simplify and secure access to applications to speed up root-cause analysis and resolution of user issues.

Workspace ONE and Horizon solution: Workspace ONE provides single-sign-on (SSO) capabilities to a wide range of platforms and applications. With SSO in place, password resets are no longer necessary.

  • Workspace ONE Access provides a self-service single point of access to all applications and, in conjunction with True SSO, provides a platform for SSO. Users no longer need to remember passwords or request applications through support calls.
  • Both Workspace ONE UEM and Workspace ONE Access include dashboards and analytics that help administrators understand the profile of application access and device deployment in the enterprise. With greater knowledge of which applications users are accessing, administrators can more quickly identify licensing issues or potential malicious activity against enterprise applications.
  • Workspace ONE Intelligence ensures that end users get the best mobile application experience by keeping an eye on app performance, app engagement, and user behavior. With detailed insights around devices, networks, operating systems, geolocation, connectivity state, and current app version, LOB owners can optimize their apps for their unique audience and ensure an optimal user experience.
  • Horizon Enterprise Edition includes the Horizon Help Desk Tool, which gives insights into users’ sessions and aids in troubleshooting and maintenance operations.

Multi-site Deployment Business Drivers 

There are many ways and reasons to implement a multi-site solution, especially when deploying components on-premises. The most typical setup and requirement is for a two-data-center strategy. The aim is to provide disaster recovery, with the lowest possible recovery time objective (RTO) and recovery point objective (RPO); that is, to keep the business running with the shortest possible time to recovery and with the minimum amount of disruption.

The overall business driver for disaster recovery is straightforward:

  • Keep the business operating during an extended or catastrophic technology outage.
  • Provide continuity of service.
  • Allow staff to carry out their day-to-day responsibilities.

With services, applications, and data delivered by Workspace ONE and Horizon, that means providing continuity of service and mitigating component failure, all the way up to a complete data center outage.

With respect to business continuity and disaster recovery, this reference architecture addresses the following common key business drivers: 

  • Cope with differing levels and types of outages and failures.
  • Develop predictable steps to recover functionality in the event of failures.
  • Provide essential services and access to applications and data delivered by Workspace ONE and Horizon during outages.
  • Minimize interruptions during outages.
  • Provide the same or similar user experience during outages.
  • Provide mobile secure access.

The following table describes the strategy used for responding to each of these business drivers. In this table, the terms active/passive and active/active are used.

  • Active/passive recovery mode – Requires that the passive instance of the service be promoted to active status in the event of a service outage.
  • Active/active recovery mode – Means that the service is available from multiple data centers without manual intervention.

Table 1: Meeting Business Requirements with Multi-site Deployments

Business driver: Provide essential services and access to applications and data delivered by Workspace ONE and Horizon during outages. Minimize interruptions during outages.

Comments: The highest possible service level is delivered, and downtime is minimized, when all intra-site components are deployed in pairs and all services are made highly available. These services must be capable of being delivered from multiple sites, either in an active/active or active/passive manner.

Business driver: Provide a familiar user experience during outages.

Comments: To maintain personalized environments for end users, replicate the parts that a user considers persistent (profile, user configuration, applications, and more). Reconstruct the desktop in the second data center using those parts. Workspace ONE Access provides a common entry point to all types of applications, regardless of which data center is actively being used.

Business driver: Cope with differing levels and types of outages and failures.

Comments: This reference architecture details a design for multi-site deployments to cope with catastrophic failures all the way up to a site outage. The design ensures that there is no single point of failure within a site.

Business driver: Develop predictable steps to recover functionality in the event of failures.

Comments: The services are constructed from several components and designed in a modular fashion. A proper design methodology, as followed in this reference architecture, allows each component to be designed for availability, redundancy, and predictability. With an effective design in place, you can systematically plan and document the whole end-user service and the recovery steps or processes for each component of the service.

Business driver: Provide mobile secure access.

Comments: Desktop mobility is a core capability in the Horizon platform. As end users move from device to device and across locations, the solution reconnects end users to the virtual desktop instances that they are already logged in to, even when they access the enterprise from a remote location through the firewall. VMware Unified Access Gateway virtual appliances provide secure external access without the need for a VPN.

Use Cases

Use cases drive the design for any EUC solution and dictate which technologies are deployed to meet user requirements. Use cases can be thought of as common user scenarios. For example, a finance or marketing user might be considered a “normal office worker” use case.

Designing an environment includes building out the functional definitions for the use cases and their requirements. We define typical use cases that are also adaptable to cover most scenarios. We also define services to deliver the requirements of those use cases.

Workspace ONE Use Cases

This reference architecture includes the following common Workspace ONE use cases.

Table 2: Workspace ONE Common Use Cases

Use case: Mobile Task-Based Worker

Description: Users who typically use a mobile device for a single task through a single application.

  • Mobile device is highly managed and used for only a small number of tasks, such as inventory control, product delivery, or retail applications.
  • Communications tools, such as email, might be restricted to only sending and receiving email with internal parties.
  • Device is typically locked down from accessing unnecessary applications. Access to public app stores is restricted or removed entirely.
  • Device location tracking, full device wipe, and other features are typically used.

Use case: Mobile Knowledge Worker

Description: Many roles fit this profile, such as a hospital clinician or an employee in finance, marketing, HR, health benefits, approvals, or travel.

  • These workers use their own personal device (BYOD), a corporate device they personally manage, or a managed corporate device with low restrictions.
  • Users are typically allowed to access email, including personal email, along with public app stores for personal apps.
  • Device is likely subject to information controls over corporate data, such as data loss prevention (DLP) controls, managed email, managed content, and secure browsing.
  • Users need access to SaaS-based applications for HR, finance, health benefits, approvals, and travel, as well as native applications where those applications are available.
  • Device is a great candidate for SSO because the need to access many diverse applications and passwords becomes an issue for users and the helpdesk.
  • Privacy is typically a concern that might prevent device enrollment, so adaptive management and clear communication regarding the data gathered and reported to the Workspace ONE UEM service is important to encourage adoption.

Use case: Contractor

Description: Contractors might require access to specific line-of-business applications, typically from a remote or mobile location.

  • Users likely need access to an organization’s systems for performing specific functions and applications, but access might be for a finite time period or to a subset of resources and applications.
  • When the contractor is no longer affiliated with the organization, all access to systems must be terminated immediately and completely, and all corporate information must be removed from the device.
  • Users typically need access to published applications or VDI-based desktops, and might use multiple devices not under company control to do so. Devices include mobile devices as well as browser-based devices.

Horizon Use Cases

This reference architecture includes the following Horizon or Horizon Cloud Service on Microsoft Azure use cases.

Table 3: VMware Horizon Use Cases

Use case: Static Task Worker

Description: These workers are typically fixed to a specific location with no remote access requirement. Some examples include call center workers, administration workers, and retail users.

A static task worker:

  • Uses a small number of Microsoft Windows applications.
  • Does not install their own applications and does not require SaaS application access.
  • Might require location-aware printing.

Use case: Mobile Knowledge Worker

Description: This worker could be a hospital clinician, a company employee, or someone in a finance or marketing role. This is a catch-all corporate use case.

A mobile knowledge worker:

  • Mainly uses applications from a corporate location but might access applications from mobile locations.
  • Uses a large number of core and departmental applications but does not install their own applications. Requires SaaS application access.
  • Requires access to USB devices.
  • Might require location-aware printing.
  • Might require two-factor authentication when accessing applications remotely.

Use case: Software Developer / IT (Power User)

Description: Power users require administrator privileges to install applications. The operating system could be either Windows or a Linux OS, with many applications, some of which could require extensive CPU and memory resources.

A power user:

  • Mainly uses applications from a corporate location but might access applications from mobile locations.
  • Uses a large number of core and departmental applications and installs their own applications. Requires SaaS application access.
  • Requires the ability to view video and Flash content.
  • Requires two-factor authentication when accessing applications remotely.

Use case: Multimedia Designer / Engineer

Description: These users might require GPU-accelerated applications, which have intensive CPU or memory workloads, or both. Examples are CAD/CAM designers, architects, video editors and reviewers, graphic artists, and game designers.

A multimedia designer:

  • Has a GPU requirement with API support for DirectX 10+, video playback, and Flash content.
  • Mainly uses applications from a corporate location but might access applications from mobile locations.
  • Might require two-factor authentication when accessing applications remotely.

Use case: Contractor

Description: External contractors usually require access to specific line-of-business applications, typically from a remote or mobile location.

A contractor:

  • Mainly uses applications from a corporate location but might access applications from mobile locations.
  • Uses a subset of core and departmental applications based on the project they are working on. Might require SaaS application access.
  • Has restricted access to the clipboard, USB devices, and so on.
  • Requires two-factor authentication when accessing applications remotely.

Recovery Use Case Requirements 

When disaster recovery is being considered, the main emphasis falls on the availability and recoverability requirements of the differing types of users. For each of the previously defined use cases and their requirements, we can define the recovery requirements.

When using the cloud-based versions of services, such as Workspace ONE UEM, Workspace ONE Access, and Workspace ONE Intelligence, availability is delivered as part of the overall service SLA.

With solutions that have components deployed on-premises, the availability of both the platform that delivers the service to the user and the data they expect to use must be considered. For VMware Horizon–based services, the availability portion of the solution might have dependencies on applications, personalization, and user data to deliver a full experience to the user in a recovery site. Consider carefully what type of experience will be offered in a recovery scenario and how that matches the business and user requirements.

This reference architecture discusses two common disaster recovery classifications: active/passive and active/active. When choosing between these recovery classifications, which are described in the following table, be sure to view the scenario from the user’s perspective.

Table 4: Disaster Recovery Classifications

Use case and recoverability objective: Active/Passive (RTO = Medium, RPO = Medium)

Description:

  • Users normally work in a single office location.
  • Service consumed is pinned to a single data center.
  • Failover of the service to the second data center ensures business continuity.

Use case and recoverability objective: Active/Active (RTO = Low, RPO = Low)

Description:

  • Users require the lowest possible recovery time for the service (for example, health worker).
  • Mobile users might roam from continent to continent.
  • Users need to get served from the nearest geographical data center per continent.
  • Service consumed is available in both primary and secondary data centers without manual intervention.
  • Timely data replication between data centers is extremely important.

With a VMware Horizon–based service, the recovery service should aim to offer an equivalent experience to the user. Usually the service at the secondary site is constructed from the same or similar parts and components as the primary site service. Consideration must be given to data replication and the speed and frequency at which data from the primary site can be replicated to the recovery site. This can influence which type of recovery service is offered, how quickly a recovery service can become available to users, and how complete that recovery service might be.

The RTO (recovery time objective) is defined as the time it takes to recover a given service. RPO (recovery point objective) is the maximum period in which data might be lost. Low targets are defined as 30- to 60-second estimates. Medium targets are estimated at 45–60 minutes. These targets depend on the environment and the components included in the recovery service.

 

Service Definitions

From our business requirements, we outlined several typical use cases and their requirements. Taking the business requirements and combining them with one or more use cases enables the definition of a service.

The service, for a use case, defines the unique requirements and identifies the technology or feature combinations that satisfy those unique requirements. After the service has been defined, you can define the service quality to be associated with that service. Service quality takes into consideration the performance, availability, security, and management and monitoring requirements to meet SLAs.

The detail required to build out the products and components comes later, after the services are defined and the required components are understood.

Do not treat the list of services as exclusive or prescriptive; each environment is different. Adapt the services to your particular use cases. In some cases, that might mean adding components, while in others it might be possible to remove some that are not required.

You could also combine multiple services together to address more complex use cases. For example, you could combine a VMware Workspace ONE service with a VMware Horizon or VMware Horizon® Cloud Service and a recovery service.

Figure 1: Example of Combining Multiple Services for a Complex Use Case

Workspace ONE Use Case Services

A use case service identifies the features required for a specific type of user. For example, a mobile task worker might use a mobile device for a single task through a single application. The Workspace ONE use case service for this worker could be called the mobile device management service. This service uses only a few of the core Workspace ONE components, as described in the following table.

Table 1: Core Components of Workspace ONE

Component – Function

  • VMware Workspace ONE® UEM – Enterprise mobility management
  • Workspace ONE Access – Identity platform
  • VMware Workspace ONE® Intelligence – Integrated insights, app analytics, and automation
  • Workspace ONE app – End-user access to apps
  • VMware Horizon – Virtual desktops and Remote Desktop Services (RDS) published applications delivered either through Horizon or Horizon Cloud
  • VMware Workspace ONE® Boxer – Secure email client
  • VMware Workspace ONE® Web – Secure web browser
  • VMware Workspace ONE® Content – Mobile content repository
  • VMware Workspace ONE® Tunnel – Secure and effective method for individual applications to access corporate resources
  • VMware AirWatch Cloud Connector – Directory sync with enterprise directories
  • Workspace ONE Access Connector – Directory sync with enterprise directories; sync to Horizon resources
  • VMware Unified Access Gateway – Gateway that provides secure edge services
  • VMware Workspace ONE® Secure Email Gateway – Email proxy service

Enterprise Mobility Management Service

Overview: Many organizations have deployed mobile devices and have lightweight management capabilities, like simple email deployment and device policies, such as a PIN requirement, device timeouts, and device wiping. But they lack a comprehensive and complete management practice to enable a consumer-simple, enterprise-secure model for devices.

Use case: Mobile Task-Based Workers

Table 2: Unique Requirements of Mobile Task Workers

Unique Requirement – Components

  • Provide device management beyond simple policies – Workspace ONE native app; Workspace ONE Access authentication; AirWatch Cloud Connector
  • Enable adaptive management capabilities – Workspace ONE native app; Adaptive management; Workspace services device enrollment

Blueprint

The following figure shows a high-level blueprint of a Workspace ONE Standard deployment and the available components.

Figure 2: Enterprise Mobility Management Service Blueprint

Enterprise Productivity Service

Overview: Organizations with a more evolved device management strategy are often pushed by end users to enable more advanced mobility capabilities in their environment. Requested capabilities include single sign-on (SSO), multi-factor authentication, and access to productivity tools. However, from an enterprise perspective, providing this much access to corporate information means instituting a greater degree of control, such as blocking native email clients in favor of managed email, requiring that content be synced only with approved repositories, and managing which apps can be used to open files.

Use cases: Mobile Knowledge Workers, Contractors

Table 3: Unique Requirements of Mobile Knowledge Workers and Contractors

Unique Requirement – Components

  • Multi-factor authentication – VMware Workspace ONE® Verify
  • SSO – Workspace ONE Access and Workspace ONE UEM
  • Managed email – Workspace ONE Boxer
  • Enterprise content synchronization – Workspace ONE Content
  • Secure browsing – VMware Workspace ONE® Web
  • VPN per application – Workspace ONE Tunnel

Blueprint

The following figure shows a high-level blueprint of a Workspace ONE Advanced deployment and the available components.

Figure 3: Enterprise Productivity Service Blueprint

Enterprise Application Workspace Service

Overview: Recognizing that some applications are not available as a native app on a mobile platform and that some security requirements dictate on-premises application access, virtualized applications and desktops become a core part of a mobility strategy. Building on the mobile productivity service, and adding access to VMware Horizon–based resources, enables this scenario.

Many current VMware Horizon users benefit from adding the Workspace ONE catalog capabilities as a single, secure point of access for their virtual desktops and applications.

Use cases: Contractors, Mobile Knowledge Workers

Table 4: Unique Requirements of Contractors and Mobile Knowledge Workers

Unique Requirement – Components

  • Access to virtual apps and desktops – Horizon or Horizon Cloud; Workspace ONE Access Connector

Blueprint

The following figure shows a high-level blueprint of a Workspace ONE Enterprise Edition deployment and the available components.

Figure 4: Enterprise Application Workspace Service Blueprint

Horizon Use Case Services

Horizon use case services address a wide range of user needs. For example, a Published Application service can be created for static task workers, who require only a few Windows applications. In contrast, a GPU-Accelerated Desktop service can be created for multimedia designers who require graphics drivers that use hardware acceleration.

The following components are used across the various use cases.

Table 5: Core Components of Horizon

Component – Function

  • Horizon – Virtual desktops and RDSH-published applications
  • VMware App Volumes – Application deployment
  • Dynamic Environment Manager – User profile, IT settings, and configuration for environment and applications
  • VMware vRealize® Operations for Horizon® – Management and monitoring
  • VMware vSphere® – Infrastructure platform
  • VMware vSAN – Storage platform
  • VMware NSX® – Networking and security platform

Horizon Published Application Service

Overview: Windows applications are delivered as published applications provided by farms of RDSH servers. The RDSH servers are created using instant clones to provide space and operational efficiency. Applications are delivered through App Volumes. Individual or conflicting applications are packaged with VMware ThinApp® and are available through the Workspace ONE Access catalog. Dynamic Environment Manager applies profile settings and folder redirection.

Use case: Static Task Worker

Table 6: Unique Requirements of Static Task Workers

Unique Requirement – Components

  • Small number of Windows applications – Horizon RDSH-published applications (a good fit for a small number of applications); App Volumes packages
  • Requires location-aware printing – ThinPrint; Dynamic Environment Manager

Table 7: Service Qualities of the Horizon Published Application Service

  • Performance – Basic
  • Availability – Medium
  • Security – Basic (no external access)
  • Management and Monitoring – Basic

Blueprint

Figure 5: Horizon Published Application Service Blueprint

Horizon GPU-Accelerated Application Service

Overview: Similar to the Horizon Published Application service, but with more CPU and memory, and using hardware-accelerated rendering with NVIDIA GRID graphics cards (vGPU) installed in the vSphere servers.

Use case: Occasional Graphic Application Users

Table 8: Unique Requirements of Occasional Graphic Application Users

Unique Requirement – Components

  • GPU accelerated – NVIDIA vGPU-powered
  • Small number of Windows applications – Horizon RDSH-published applications (a good fit for a small number of applications); App Volumes packages
  • Hardware H.264 encoding – Blast Extreme

Table 9: Service Qualities of the Horizon GPU-Accelerated Application Service

  • Performance – Basic
  • Availability – Medium
  • Security – Medium
  • Management and Monitoring – Medium

Blueprint

Figure 6: Horizon GPU-Accelerated Application Service Blueprint

Horizon Desktop Service

Overview: The core Windows 10 desktop is an instant clone, which is kept to a plain Windows OS, allowing it to address a wide variety of users.

The majority of applications are delivered through App Volumes, with core and different departmental versions. Individual or conflicting applications are packaged with ThinApp and are available through the Workspace ONE Access catalog.

Dynamic Environment Manager applies profile settings and folder redirection.

Use cases: Mobile Knowledge Worker, Contractors

Table 10: Unique Requirements of Mobile Knowledge Workers and Contractors

| Unique Requirements | Components |
|---|---|
| Large number of core and departmental applications | Horizon instant-clone virtual desktop (a good fit for larger numbers of applications); App Volumes packages for core applications and departmental applications |
| Require access from mobile locations | Unified Access Gateway, Blast Extreme |
| Two-factor authentication when remote | Unified Access Gateway, True SSO |
| Video content and Flash playback | URL content redirection, Flash redirection |
| Access to USB devices; restricted access to clipboard, USB, and so on (for example, for contractors) | Dynamic Environment Manager, Smart Policies, application blocking |

Table 11: Service Qualities of the Horizon Desktop Service

| Performance | Availability | Security | Management and Monitoring |
|---|---|---|---|
| Medium | High | Medium high (contractors) | Medium |

Blueprint

Figure 7: Horizon Desktop Service Blueprint

Horizon Desktop with User-Installed Applications Service

Overview: Similar to the construct of the Horizon Desktop service, with the addition of an App Volumes writable volume. Writable volumes allow users to install their own applications and have them persist across sessions.

Use case: Software Developer / IT (Power User)

Table 12: Unique Requirements of Software Developers and Power Users

| Unique Requirements | Components |
|---|---|
| Windows, with extensive CPU and memory | Horizon instant-clone virtual desktop |
| User-installed applications | App Volumes writable volume |

Table 13: Service Qualities of the Horizon Desktop with User-Installed Applications Service

| Performance | Availability | Security | Management and Monitoring |
|---|---|---|---|
| Medium | High | High | Medium |

Blueprint

Figure 8: Horizon Desktop with User-Installed Applications Service Blueprint

Horizon GPU-Accelerated Desktop Service

Overview: Similar to the Horizon Desktop Service or the Horizon Desktop with User-Installed Applications service but has more CPU and memory, and can use hardware-accelerated rendering with NVIDIA GRID graphics cards installed in the vSphere servers (vGPU).

Use case: Multimedia Designer

Table 14: Unique Requirements of Multimedia Designers

| Unique Requirements | Components |
|---|---|
| GPU accelerated | NVIDIA vGPU-powered |
| User-installed applications | App Volumes writable volume |
| Hardware H.264 encoding | Blast Extreme |

Table 15: Service Qualities of the Horizon GPU-Accelerated Desktop Service

| Performance | Availability | Security | Management and Monitoring |
|---|---|---|---|
| High | High | Medium | High |

Blueprint

Figure 9: Horizon GPU-Accelerated Desktop Service Blueprint

Horizon Linux Desktop Service

Overview: The core desktop is an instant clone of Linux. Applications can be pre-installed into the golden image VM.

Use case: Linux User

Table 16: Unique Requirements of Linux Users

| Unique Requirements | Components |
|---|---|
| Linux, with extensive CPU and memory | Horizon for Linux instant clone |

Table 17: Service Qualities of the Linux Desktop Service

| Performance | Availability | Security | Management and Monitoring |
|---|---|---|---|
| Medium | Medium | Medium | Basic |

Blueprint

Figure 10: Linux Desktop Service Blueprint

Horizon Cloud Service on Microsoft Azure Use Case Services

These services address a wide range of user needs. For example, a published application service can be created for static task workers, who require only a few Windows applications. In contrast, a secure desktop service could be created for users who need a larger number of applications that are better suited to a Windows desktop–based offering.

The following core components are used across the various use cases.

Table 18: Core Components of VMware Horizon® Cloud Service on Microsoft Azure

| Component | Function |
|---|---|
| Horizon Cloud Service on Microsoft Azure | Virtual desktops and RDSH-published applications |
| VMware Dynamic Environment Manager | User profile, IT settings, and configuration for environment and applications |
| Microsoft Azure | Infrastructure platform |

Horizon Cloud Published Application Service

Overview: Windows applications are delivered as published applications provided by farms of RDSH servers. These applications are optionally available in the catalog and through the Workspace ONE app or web application. Dynamic Environment Manager applies profile settings and folder redirection.

Use case: Static Task Worker

Table 19: Unique Requirements of Static Task Workers

| Unique Requirements | Components |
|---|---|
| Small number of Windows applications | Horizon Cloud on Microsoft Azure RDSH-published applications (a good fit for a small number of applications) |
| (Optional) location-aware printing | ThinPrint; Dynamic Environment Manager |

Blueprint

Figure 11: Horizon Cloud Published Application Service Blueprint

Horizon Cloud GPU-Accelerated Application Service

Overview: Similar to the Horizon Cloud Published Application service, but this service uses hardware-accelerated rendering with NVIDIA GRID graphics cards available through Microsoft Azure. The Windows applications are delivered as published applications provided by farms of RDSH servers.  

Use case: Multimedia Designer/Engineer

Table 20: Unique Requirements of Multimedia Designers

| Unique Requirements | Components |
|---|---|
| GPU-accelerated rendering | NVIDIA-backed GPU RDSH VM |
| Hardware H.264 encoding | Blast Extreme |

Blueprint

Figure 12: Horizon Cloud GPU-Accelerated Application Service Blueprint

Horizon Cloud Desktop Service

Overview: This service uses a standard Windows 10 desktop that is cloned from a golden image VM. Dynamic Environment Manager applies the user’s Windows environment settings, application settings, and folder redirection. Desktop and application entitlements are optionally made available through the Workspace ONE Access catalog.

Use cases: Mobile Knowledge Worker, Contractors

Table 21: Unique Requirements of Mobile Knowledge Workers and Contractors

| Unique Requirements | Components |
|---|---|
| Large number of core and departmental applications | Horizon virtual desktop running Windows 10 (a good fit for larger numbers of applications) |
| Access from mobile locations | Unified Access Gateway, Blast Extreme |
| Two-factor authentication when remote | Unified Access Gateway, True SSO |
| Video content and Flash playback | URL content redirection, HTML5 redirection, Flash redirection |
| Access to USB devices; restricted access to clipboard, USB, and so on (for example, for contractors) | Dynamic Environment Manager, Horizon Smart Policies, application blocking |

Blueprint

Figure 13: Horizon Cloud Desktop Service Blueprint

Recovery Services 

To ensure availability, recoverability, and business continuity, the design of the services also needs to consider disaster recovery. We can define recovery services and map them to the previously defined use-case services.

Recovery services can be designed to operate in either an active/active or an active/passive mode and should be viewed from the users’ perspective.

In active/passive mode, loss of an active data center instance requires that the passive instance of the service be promoted to active status for the user.

In active/active mode, the loss of a data center instance does not impact service availability for the user because the remaining instance or instances continue to operate independently and can offer the end service to the user.

In the use cases, a user belongs to a home site and can have an alternative site available to them. Where user pinning is required, an active/passive approach results in a named user having a primary site they always connect to or get redirected to during normal operations.

Also, a number of components are optional to a service, depending on what is required. Blueprints for multi-site Workspace ONE Access, App Volumes, and Dynamic Environment Manager data are detailed after the main active/passive and active/active recovery services.

Workspace ONE UEM Recovery Service - On-Premises

Workspace ONE UEM can be consumed as a cloud-based service or deployed on-premises. When deployed on-premises, it is important to provide resilience and failover capability both within and between sites to ensure business continuity. Workspace ONE UEM can be architected in an active/passive manner, with a failover process recovering the service in the standby site.

Figure 14: VMware Workspace ONE UEM Recovery Blueprint

Workspace ONE Access Recovery Service - On-Premises

Workspace ONE Access can also be consumed as a cloud-based service or deployed on-premises. When deployed on-premises, it is important to provide resilience and failover capability both within and between sites to ensure business continuity. Workspace ONE Access can be architected in an active/passive manner, with a failover process recovering the service in the standby site.

Figure 15: Workspace ONE Access Recovery Blueprint

Horizon Active-Passive Recovery Service 

Requirement: The use case service is run from a specific data center but can be failed over to a second data center in the event of an outage.

Overview: The core Windows desktop is an instant clone or linked clone, which is preferably kept to a vanilla Windows OS, allowing it to address a wide variety of users. The core could also be a desktop or session provided from an RDSH farm of linked clones or instant clones.

Although applications can be installed in the golden image OS, the preferred method is to have applications delivered through App Volumes, with core and department-specific applications included in various packages. Individual or conflicting applications are packaged with VMware ThinApp and are available through the Workspace ONE Access catalog.

If the use case requires the ability for users to install applications themselves, App Volumes writable volumes can be assigned.

Dynamic Environment Manager applies the profile, IT settings, user configuration, and folder redirection.

The following table details the recovery requirements and the corresponding Horizon component that addresses each requirement.

Table 22: Active/Passive Recovery Service Requirements

| Requirement | Comments |
|---|---|
| Windows desktop or RDSH available in both sites | Horizon pools or farms are created in both data centers. Golden image VM can be replicated to ease creation. Cloud Pod Architecture (CPA) is used for user entitlement and to control consumption. |
| Native applications | Applications are installed natively in the base Windows OS. No replication is required because native applications exist in both data center pools. |
| Attached applications (optional) | Applications contained in App Volumes packages are replicated. |
| User-installed applications (optional) | App Volumes writable volumes. RTO = 60–90 minutes; RPO = 1–2 hours (array dependent). |
| IT settings | Dynamic Environment Manager IT configuration is replicated to another data center. RTO = 30–60 seconds; RPO = approximately 5 minutes. |
| User data and configuration | Dynamic Environment Manager user data is replicated to another data center. RTO = 30–60 seconds; RPO = approximately 2 hours. |
| SaaS applications | Workspace ONE Access is used as a single-sign-on workspace and is present in both locations to ensure continuity of access. |
| Mobile access | Unified Access Gateway, Blast Extreme |

At a high level, this service consists of a Windows environment delivered by either an instant- or linked-clone desktop or RDSH server, with identical pools created at both data centers. With this service, applications can be natively installed in the OS, provided by App Volumes packages, or some combination of the two. User profile and user data files are made available at both locations and are also recovered in the event of a site outage.

Blueprint

Figure 16: Horizon Active/Passive Recovery Service Blueprint

Horizon Active-Active Recovery Service 

Requirement: This use case service is available from multiple data centers without manual intervention.

Overview: Windows applications are delivered as natively installed applications in the Windows OS, and there is little to no reliance on the Windows profile in case of a disaster. Dynamic Environment Manager provides company-wide settings during a disaster. Optionally, applications can be delivered through App Volumes packages, with core and department-specific applications included in various packages.

This service generally requires the lowest possible RTO, and the focus is to present the user with a desktop closest to his or her geographical location. For example, when traveling in Europe, the user gets a desktop from a European data center; when traveling in the Americas, the same user gets a desktop from a data center in the Americas.

The following table details the recovery requirements and the corresponding Horizon component that addresses each requirement.

Table 23: Active/Active Recovery Service Requirements

| Requirements | Products, Solutions, and Settings |
|---|---|
| Lowest possible RTO during a disaster | No reliance on services that cannot be immediately failed over. |
| Windows desktop or RDSH server available in both sites | Horizon desktop and application pools are created in both data centers. Golden image VM can be replicated to ease creation. Cloud Pod Architecture (CPA) is used to ease user entitlement and consumption. |
| Native applications | Applications are installed natively in the base Windows OS. No replication is required because native applications exist in both data center pools. |
| Attached applications (optional) | Applications contained in App Volumes packages are replicated using App Volumes storage groups. |
| IT settings | Dynamic Environment Manager IT configuration is replicated to another data center. The following RTO and RPO targets apply during a data center outage when a recovery process is required: RTO = 30–60 seconds; RPO = 30–60 seconds. |
| User data and configuration (optional) | Dynamic Environment Manager user data is replicated to another data center. The following RTO and RPO targets apply during a data center outage when a recovery process is required: RTO = 30–60 seconds; RPO = approximately 2 hours. |
| Mobile access | Unified Access Gateway, Blast Extreme |

At a high level, this service consists of a Windows environment delivered by a desktop or an RDSH server available at both data centers. With this service, applications can be natively installed in the OS, attached using App Volumes packages, or some combination of the two. If required, the user profile and user data files can be made available at both locations and can also be recovered in the event of a site outage.

Figure 17: Horizon Active/Active Recovery Service Blueprint

App Volumes Active-Passive Recovery Service

Although applications can be installed in the base OS, they can alternatively be delivered by App Volumes packages. A package is used to attach applications to either the Horizon desktop or the RDSH server that provides Horizon published applications.

Applications are attached either to the desktop, at user login, or to the RDSH server as it boots. Because packages are read-only to users and are infrequently changed by IT, packages can be replicated to the second, and subsequent, locations and are available for assignment and mounting in those locations as well.

App Volumes writable volumes are, by contrast, used for content such as user-installed applications, and are written to by the end user. Writable volumes must be replicated and made available at the second site. Due to the nature of the content, writable volumes can have their content updated frequently by users. These updates can affect the RPO and RTO achievable for the overall service. Operational decisions can be made as to whether to activate the service in Site 2 with or without the writable volumes to potentially reduce the RTO.
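To make the operational decision above concrete, the following Python is an added illustration (not code from the reference architecture) that models the Table 22 figures and shows how leaving writable volumes, and optionally Dynamic Environment Manager user data, behind in Site 2 changes the overall RTO and RPO. The component list, the use of the worst end of each stated range, the max-of-components rule, and the zero values for components with no stated objective are all assumptions of this model.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Component:
    """One element of the active/passive service with its stated objectives."""
    name: str
    rto_seconds: int          # recovery time objective, worst end of the stated range
    rpo_seconds: int          # recovery point objective, worst end of the stated range
    deferrable: bool = False  # service may be activated without it (reduced functionality)


# Figures taken from Table 22, worst end of each range. Components for which
# the table states no RTO/RPO are modelled as 0 (assumption: they already
# exist in the standby site). Writable volumes and DEM user data are marked
# deferrable to reflect the operational choices described in the text.
ACTIVE_PASSIVE_SERVICE = (
    Component("Windows desktop or RDSH (pools in both sites)", 0, 0),
    Component("Native applications", 0, 0),
    Component("App Volumes packages (replicated)", 0, 0),
    Component("App Volumes writable volumes", 90 * 60, 2 * 3600, deferrable=True),
    Component("DEM IT settings", 60, 5 * 60),
    Component("DEM user data", 60, 2 * 3600, deferrable=True),
)


def service_objectives(components, defer=frozenset()):
    """Return (rto_seconds, rpo_seconds) for the service as a whole.

    Assumption: components are recovered in parallel, so the service is usable
    only once its slowest included component is back (max RTO), and the data
    loss a user can notice is bounded by the worst included RPO (max RPO).
    Components named in `defer` are left behind; only deferrable ones may be.
    """
    by_name = {c.name: c for c in components}
    unknown = set(defer) - set(by_name)
    if unknown:
        raise ValueError(f"unknown component(s): {sorted(unknown)}")
    required = [n for n in defer if not by_name[n].deferrable]
    if required:
        raise ValueError(f"cannot defer required component(s): {sorted(required)}")
    included = [c for c in components if c.name not in defer]
    return (max(c.rto_seconds for c in included),
            max(c.rpo_seconds for c in included))


def failover_options(components):
    """Enumerate the activation choices an operator has in Site 2: the full
    service, and each combination of deferrable components left behind."""
    deferrable = [c.name for c in components if c.deferrable]
    options = {}
    for k in range(len(deferrable) + 1):
        for combo in combinations(deferrable, k):
            label = "full service" if not combo else "without " + " and ".join(combo)
            options[label] = service_objectives(components, frozenset(combo))
    return options


if __name__ == "__main__":
    for label, (rto, rpo) in failover_options(ACTIVE_PASSIVE_SERVICE).items():
        print(f"{label:60s} RTO {rto:>5d} s   RPO {rpo:>5d} s")
```

Running it shows that deferring writable volumes alone brings the RTO from 90 minutes down to 60 seconds, but the RPO stays at about 2 hours until DEM user data is also deferred, which is the trade-off behind the "reduced functionality" decision.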

Figure 18: App Volumes Active/Passive Recovery Blueprint

App Volumes Active-Active Recovery Service

As can be seen in the active/passive App Volumes blueprint, App Volumes packages can be replicated from one site to another and made available, actively, in both because packages require read-only permissions for the user. The complication comes with writable volumes because these require both read and write permissions for the user. If a service does not include writable volumes, the App Volumes portion of the service can be made active/active.

Figure 19: App Volumes Active/Active Recovery Blueprint

Dynamic Environment Manager Profile Data Recovery Service

Dynamic Environment Manager provides profile management by capturing user settings for the operating system, applications, and user personalization. The captured settings are stored on file shares that need to be replicated to ensure site redundancy.

Although profile data can be made available to both data centers, there is a failover process in the event of the loss of Site 1 that can impact the RTO and RPO.

Operational decisions can be made in these scenarios as to whether the service in Site 2 would be made available with reduced functionality (for example, available with the Windows base, the applications, and the IT configuration but without the user-specific settings).

Figure 20: Dynamic Environment Manager Profile Recovery Blueprint

Horizon Cloud on Microsoft Azure Active-Passive Recovery Service 

Requirement: The use case service is run from a specific Azure region. An equivalent service can be provided from a second Azure region.

Overview: The core Windows desktop or RDSH server is a clone of a golden image VM. Dynamic Environment Manager applies the profile, IT settings, user configuration, and folder redirection.

Table 24: Active/Passive Recovery Service Requirements

| Requirement | Comments |
|---|---|
| Windows desktop or RDSH server available in both sites | Horizon desktop pools or RDSH server farms are created in both data centers. |
| Native applications | Applications are installed natively in the base Windows OS. |
| IT settings | Dynamic Environment Manager IT configuration is replicated to ensure availability in the event that the primary Azure region becomes unavailable. |
| User data and configuration | Dynamic Environment Manager user data is replicated to ensure availability in the event that the primary Azure region becomes unavailable. |

At a high level, this service consists of a Windows environment delivered by either a desktop or an RDSH server, with equivalent resources created at both data centers. User profile and user data files are made available at both locations and are also recovered in the event of a site outage.

Figure 21: Horizon Cloud Active/Passive Recovery Service Blueprint

Dynamic Environment Manager provides profile management by capturing user settings for the operating system, applications, and user personalization. The captured settings are stored on file shares that need to be replicated to ensure site redundancy.

Although profile data can be made available to both regions, there is a failover process in the event of the loss of Region 1 that can impact the RTO and RPO.

Operational decisions can be made in these scenarios as to whether the service in Region 2 should be made available with reduced functionality (for example, available with the Windows base, the applications, and the IT configuration but without the user-specific settings).

What's Next?

Now that you have come to the end of this chapter, you can return to the landing page and search or scroll to select your next chapter in one of the following sections:

  • Overview chapters provide understanding of business drivers, use cases, and service definitions.
  • Architecture chapters explore the products you are interested in including in your platform, including Workspace ONE UEM, Workspace ONE Access, Workspace ONE Assist, Workspace ONE Intelligence, Horizon, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
  • Integration chapters cover the integration of components and services you need to create the platform capable of delivering what you want.
  • Configuration chapters provide reference for specific tasks as you build your platform, such as installation, deployment, and configuration processes for Horizon, App Volumes, Dynamic Environment Manager, and more.
