• Workspace ONE


  • Document


  • Overview


  • Technical Overview


  • Design

How Does Workspace ONE Work?

As you learned in our “What is VMware Workspace ONE?” article: Workspace ONE is a digital workspace platform that delivers and manages any app on any device by integrating access control, application management and multi-platform endpoint management. In this article, we’ll discuss how it works, including the various components in the architecture and how it all fits together. 

IT can deploy VMware Workspace ONE in a variety of deployment models, including on-premises, in the cloud, and hybrid with different components deployed on-premises and in the cloud. 

Workspace ONE Architecture 

Since the purpose of Workspace ONE is to manage secure application delivery to your end-users, it’s critical that you connect Workspace ONE to an existing directory infrastructure. You can configure Workspace ONE to use Active Directory or other LDAP-based directory, for user synchronization, authentication, and application access. 

For the sake of simplicity, we’re going to focus this article on a basic cloud deployment of Workspace ONE. The larger your environment, the more complex the requirements get, so we can’t walk through every detail here. This article is intended just to give you the info you need to understand how some of the elements would fit into your environment at a high level. We can split the architecture into infrastructure and end-user components. 

Infrastructure components 

  • VMware Identity Manager provides single sign-on (SSO) to an application store for software-as-a-service (SaaS)-based Horizon 7, Citrix, VMware ThinApp®, and web applications, as well as for Horizon 7 virtual desktops. It also provides a set of networking and authentication policies to control application access. For example, in the below, we can create detailed rules specifying specific authentication rules based on network range, what device the request is coming from, and the Active Directory group.


  • VMware Workspace ONE UEM provides a comprehensive enterprise mobility platform that delivers simplified access to enterprise applications, secures corporate data, and enables mobile productivity. In the diagram above, it works with public application stores, to handle the provisioning of native mobile applications to mobile devices. It also provides compliance-checking tools to ensure that remote access devices meet corporate security standards. For Office 365, and our integration with  the Office 365 Graph API we can manage the DLP settings across the suite of Office applications to ensure security.


For Windows 10 and other devices, we can apply device profiles. Here you see that I can configure security settings that will keep devices secure (encryption, Windows Updates, etc), but also some features that will really improve the experience for end users (configuring Wi-Fi and VPN for example). 

  • AirWatch Cloud Connector (ACC) – Runs in the internal network, acting as a proxy that securely transmits requests from Workspace ONE UEM to the organization’s critical back-end enterprise infrastructure components. Organizations can leverage the benefits of Workspace ONE® UEM, running in any configuration, together with those of their existing LDAP, certificate authority, email, and other internal systems.
  • VMware Identity Manager Connector – Performs directory sync and authentication between an on-premises Active Directory and the VMware Identity Manager service.


End-User Components

The primary end-user component is the Workspace ONE application. Access the application catalog can be done from either the browser or a native mobile application. End-users can install the Workspace ONE native application through the public application store on Android, iOS, and Windows 10. Once installed, end-users will login with their Active Directory credentials and see the applications that IT has enabled access to. 

Applications with a star near the download button will require enrolling in management, which means that we will use the device APIs to handle endpoint management and ensure compliance. For applications that contain sensitive data, enrolling in management is the way to go, since it provides greater security including encryption, data protection, compliance, and removing enterprise applications when a device gets unenrolled.

End-users also get the benefit of mobile single sign-on, or as some call it, password-less authentication. For iOS, a Kerberos certificate is passed down to the end-user device. For users who are successfully signed in to their domain, access to their Workspace ONE apps portal without additional credential prompts. It’s really a win-win for IT and end-users. 

Learn More

To learn more, I encourage you to take a look at the following assets:

Filter Tags

  • Workspace ONE
  • Overview
  • Technical Overview
  • Document
  • Design