Platform Integration

This chapter is one of a series that make up the VMware Workspace ONE and VMware Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of Workspace ONE and Horizon solutions. This chapter provides information about integrating the separate products into a platform.

Introduction

After the various VMware Workspace ONE® and VMware Horizon® products and components have been designed and deployed, some one-time integration tasks must be completed to realize the full power of the Workspace ONE platform.

  • Integrate VMware Workspace ONE® UEM with VMware Workspace ONE® Access™, VMware Workspace ONE® Intelligence, and VMware Workspace ONE® Assist.
  • Also integrate Workspace ONE Intelligence with Workspace ONE Access and VMware Workspace ONE® Trust Network.
  • Integrate VMware Horizon with Workspace ONE Access.

Workspace ONE UEM and Workspace ONE Access Integration

Workspace ONE Access (formerly called VMware Identity Manager) and Workspace ONE UEM (powered by AirWatch) are built to provide tight integration between identity and device management. This integration has been simplified in recent versions to ensure that configuration is relatively straightforward. For information about the latest release, see Integrating Workspace ONE UEM With Workspace ONE Access.

Although Workspace ONE Access and Workspace ONE UEM are the core components in a Workspace ONE deployment, you can also deploy a variety of other components, depending on your business use cases. As the following figure shows, you can use VMware Unified Access Gateway for access to an on-premises Exchange server through VMware Workspace ONE® UEM Secure Email Gateway (SEG) or Per-App Tunnel through VMware Tunnel edge service to access internal resources. Refer to the various sections in the VMware Workspace ONE UEM Documentation for descriptions of the full range of components that apply to a deployment.

Figure 1: Sample Workspace ONE Architecture

Many other enterprise components can be integrated into a Workspace ONE deployment. These components include technologies such as a Certificate Authority, Active Directory, file services, email systems, SharePoint servers, external access servers, and reverse proxies. We assume that any of these enterprise systems that your deployment requires are already in place and functional.

To successfully integrate Workspace ONE UEM with Workspace ONE Access, you can use the Workspace ONE Getting Started wizards. The Identity and Access Management wizard walks you through setting up the AirWatch Cloud Connector to allow the components of Workspace ONE, Workspace ONE UEM, and Workspace ONE Access to communicate with your Active Directory. Documentation for this process is available in the Guide to Deploying VMware Workspace ONE with Workspace ONE Access.

AirWatch Cloud Connector and Directory Integration Configuration Wizard

You can use the Workspace ONE wizards to set up the AirWatch Cloud Connector, Active Directory integration, and Workspace ONE Access integration.

Figure 2: Identity and Access Management Wizard

The first step in the wizard is to connect the Workspace ONE UEM instance to the Workspace ONE Access tenant.

Figure 3: Connect to Workspace ONE Access

After you enter the fully qualified domain name (FQDN) and supply authentication credentials for the Workspace ONE Access tenant, the connection can be made.

  • The Workspace ONE UEM console servers must be able to reach the Workspace ONE Access tenant through port 443.
  • The Workspace ONE Access tenant must be able to reach the Workspace ONE UEM API service through port 443.

After the connection is made, the first step in the Identity and Access Management wizard is marked as complete.

Figure 4: Identity and Access Management Wizard – Connection to Workspace ONE Access Completed

The next step in the Identity and Access Management wizard is to install the AirWatch Cloud Connector and connect Workspace ONE UEM to Active Directory.

Figure 5: AirWatch Cloud Connector and Workspace ONE Access Connector

The AirWatch Cloud Connector provides the ability to integrate Workspace ONE UEM with an organization’s backend enterprise systems. It is enabled in the Workspace ONE UEM Console and is downloaded to a Windows Server in the enterprise to enable communication between Active Directory and the Workspace ONE service.

Figure 6: Download the AirWatch Cloud Connector

The wizard prompts you to set up a password before downloading the AirWatch Cloud Connector installer. Use this password while running the installer.

Previous versions of Workspace ONE UEM provided access to the AirWatch Cloud Connector by using the Enterprise Systems Connector installer, a bundled installer of the AirWatch Cloud Connector and Workspace ONE Access. With current versions of Workspace ONE UEM, the Workspace ONE Access connector is downloaded as a separate installer.

Active Directory Integration

The next step, after setting up the AirWatch Cloud Connector, is to enter your Active Directory details and bind authentication information to integrate AD with Workspace ONE UEM. Because the connections are made from the AirWatch Cloud Connector, ensure that the network path is open and that the server IP addresses and host names can be resolved from the connector.

Note: Ensure that the Active Directory domain name you enter in the wizard matches the name used in Workspace ONE Access. Otherwise, administrators will not be able to access some features and configurations of Workspace ONE Access from the Workspace ONE UEM Console.

Figure 7: Connect to Active Directory

The Workspace ONE Access Connector provides connectivity to synchronize Workspace ONE Access with your user directory, such as Active Directory. The Workspace ONE Access Connector also provides user authentication and integration with Horizon Cloud, along with the following capabilities:

  • Many authentication methods for external users, including password, RSA Adaptive Authentication, RSA SecurID, and RADIUS
  • Kerberos authentication for internal users
  • Access to VMware Horizon Cloud Service resources
  • Access to VMware Horizon resources
  • Access to Citrix-published resources

To set up the Workspace ONE Access Connector along with directory integration, see Installing and Configuring VMware Identity Manager Connector 19.03.0.0 (Windows) and Directory Integration with VMware Workspace ONE Access.

Catalog Population

The unified Workspace ONE app catalog contains many types of applications. SaaS-based SAML apps and Horizon apps and desktops are delivered through the Workspace ONE Access catalog, and native mobile apps are delivered through the Workspace ONE UEM catalog.

Table 1: Configuration Considerations for Populating the Workspace ONE Access Catalog

Resource

Configuration Considerations

SaaS apps

To add a new SaaS application, go to the Catalog tab, select Web Apps from the drop-down list, and select New.

Applications can be defined manually, or a predefined application template can be customized. See Setting Up Resources in Workspace ONE Access (Cloud) or Setting Up Resources in Workspace ONE Access (On Premises).

You can manually create SaaS apps that do not have a template in the cloud catalog by using the appropriate parameters.

Assign the appropriate users or groups to the applications being published, and choose whether the entitlement is user-activated or automatic.

VMware Horizon® or Horizon Cloud

To include Horizon or Horizon Cloud resources in the catalog, entitlements are synced from the Horizon environment to Workspace ONE Access.

Horizon and Horizon Cloud pods are added into the Workspace ONE Access catalog.

For more information, see Setting Up Resources in Workspace ONE Access (Cloud) or Setting Up Resources in Workspace ONE Access (On Premises).

The launch of a Horizon desktop or application from Workspace ONE Access does not alter the traffic path of the Horizon session. External access to Horizon environments still requires Unified Access Gateway appliances.

Native mobile apps

In the Workspace ONE UEM Console, you use the Apps and Books node to assign apps from the public app stores to their respective device platforms. Apps are defined by platform (iOS, Android, Windows, and more) and are located in the app store for that platform.

The apps are then assigned to Smart Groups as appropriate.

Application configuration key values are provided to point the Workspace ONE app to the appropriate Workspace ONE Access tenant.

Recommended apps to deploy include the Workspace ONE mobile app and popular Workspace ONE apps such as VMware Workspace ONE® Boxer, VMware Workspace ONE® Content, and VMware Workspace ONE® Browser.

Device Profile Configuration and Single Sign-On

Device profiles provide key settings that are applied to devices as part of enrollment in Workspace ONE UEM. The settings include payloads, such as credentials, passcode requirements, and other parameters used to configure and secure devices. Different payloads are configured in different services, as described in this document, but SSO is a common requirement across all devices and use cases.

Table 2: Configuration Considerations for Device Profiles in Workspace ONE UEM

Device Profiles

Configuration Considerations

iOS SSO

The iOS platform uses the mobile SSO authentication adapter. The authentication adapter is enabled in Workspace ONE Access and is added to an access policy.
A profile is deployed that provides the appropriate certificate payloads to support trust between the user, the iOS device, Workspace ONE UEM, and Workspace ONE Access. For more information, see Implementing Mobile Single Sign-in Authentication for Workspace ONE UEM-Managed iOS Devices.

Use the Mobile SSO Getting Started wizard to enable mobile SSO in your environment. The Mobile SSO wizard creates an SSO profile that uses a certificate issued by the AirWatch Certificate Authority.

Android SSO

Android uses the mobile SSO authentication adapter. It is enabled in Workspace ONE Access and is added to an access policy. A profile is deployed to support SSO. For more information, see Implementing Mobile Single Sign-On Authentication for Workspace ONE UEM Managed Android Devices.

Use the Mobile SSO Getting Started wizard to enable mobile SSO in your environment. The Mobile SSO wizard creates the necessary VMware Tunnel device profile, publishes the VMware Tunnel application, and creates the required network rules.

Windows 10 SSO

Windows 10 SSO uses certificate authentication. A certificate is generated from the AirWatch CA through a SCEP (Simple Certificate Enrollment Protocol) profile.
When a device profile is deployed, the appropriate certificates are generated for the user and are installed on the user’s device.

The certificate (cloud deployment) authentication adapter is enabled to use Windows 10 SSO. For more information, see Configuring a Certificate for Use with Workspace ONE Access.

The user is prompted to select a certificate at Workspace ONE app launch.

For device-compliance checking to function, part of the certificate request template for Workspace ONE UEM must include a SAN type of DNS name with a value of UDID={DeviceUid}.

The Workspace ONE Access directory synchronizes user account information from Active Directory and uses it for entitling applications to users through the Workspace ONE app or browser page. For SSO and True SSO to work when integrating Workspace ONE Access with VMware Horizon, several configuration points must be addressed.

Table 3: Configuration Considerations for Features in Workspace ONE Access

Component

Configuration Considerations

Workspace ONE Access catalog

This catalog is the launch point for applications through the Workspace ONE portal. Applications in the following categories are expected to be configured:

  • SaaS apps
  • Horizon and Horizon Cloud desktop assignments
  • Horizon and Horizon Cloud RDSH-published apps

True SSO

True SSO support is configured in Workspace ONE Access to ensure simple end-user access to desktops and apps without multiple login prompts and without requiring AD credentials.

Workspace ONE Access Connectors

Workspace ONE Access Connectors are placed in the internal network to ensure that users external to the organization can access the resources that have been configured in the Workspace ONE catalog.

SaaS-based web apps

SaaS-based applications that use SAML as an authentication method can be accessed through Workspace ONE Access. Configuration of applications is done through the templates in the cloud application catalog.

See Setting Up Resources in Workspace ONE Access (Cloud) or Setting Up Resources in Workspace ONE Access (On Premises).

Horizon desktop assignments

In the Workspace ONE Access administration console, create one or more virtual apps collections for the Horizon pods or Horizon Cloud tenants.

See Setting Up Resources in Workspace ONE Access (Cloud) or Setting Up Resources in Workspace ONE Access (On Premises).

Configure SAML authentication between Workspace ONE Access and the Horizon pods or Horizon Cloud tenants.

Horizon published applications

RDSH-published applications and their entitlements populate the Workspace ONE Access catalog when Horizon pods or Horizon Cloud tenants are configured as described for virtual desktop assignments.

Active Directory Kerberos authentication

To provide SSO to the Workspace ONE Access catalog, the appropriate authentication methods must be enabled.

  • The default authentication method is password, which prompts for the user’s Active Directory user ID and password.
  • If Kerberos is enabled as the default authentication method, the user’s Windows credentials are passed to Workspace ONE Access when the user opens the catalog.

Kerberos authentication must be enabled under the Connectors section in the administration console. For more information, see Implementing Kerberos for Desktops with Integrated Windows Authentication.

Access policies

Access policies are configured to establish how users will authenticate to an operating system, network, or application.

Use the Identity and Access Management tab to manage policies and edit the default access policy, as described in Managing Access Policies.

You can use different policies for different network ranges so that, for example, AD Kerberos is used for internal connections, but other authentication methods are used for external connections.

Workspace ONE UEM and Workspace ONE Intelligence Integration

VMware Workspace ONE® Intelligence offers insights into your digital workspace. It offers enterprise mobility management (EMM) planning and automation. Together, these capabilities help to optimize resources, strengthen security and compliance, and enrich the user experience across your environment.

Workspace ONE UEM is the minimum and main required integration point for Workspace ONE Intelligence. When Workspace ONE UEM is hosted on-premises, it requires the installation of the Workspace ONE Intelligence Connector service on the internal network.

Note: For those using cloud-based Workspace ONE UEM, there is no need to install the Workspace ONE Intelligence Connector service because it is already enabled by default.

The Workspace ONE Intelligence Connector service collects data related to devices, apps, and OS updates from your Workspace ONE UEM database and pushes this data to the cloud-based report service.

Figure 8: Integration of Workspace ONE UEM with Workspace ONE Intelligence Cloud Service

The integration consists of high-level steps:

  1. Define the region where the Intelligence Connector service will sync the data. This information will be required during the installation process.
  2. Ensure you have allowlisted the applicable URLs so that the connector installation process can communicate with the correct cloud-based reports service.
    For the list of URLs, see Trust Cloud Services Destinations for On-Premises.

If you use a proxy server and want to use it with the Workspace ONE Intelligence Connector, make sure you have allowlisted specific destinations. If you do not allowlist these destinations, the installation can fail.

  3. Ensure you have met the hardware, software, and network requirements outlined in Workspace ONE Intelligence Requirements.
  4. Run the Workspace ONE Intelligence Connector installer, which might ask for the Workspace ONE UEM Installation Token that can be generated through https://my.workspaceone.com.

For more information, see Install the Workspace ONE Intelligence Connector Service for On-Premises.

After you successfully install the Intelligence Connector service and opt in to Workspace ONE Intelligence through the Workspace ONE UEM Console, the Intelligence Connector service performs the first import of all devices, apps, and OS update data. Subsequent synchronizations are based on samples taken from the devices, sensors, apps, and OS updates.

For more information regarding Intelligence Connector support for high availability and disaster recovery, see High Availability and Disaster Recovery Support with the Workspace ONE Intelligence Connector.

Workspace ONE Access and Workspace ONE Intelligence Integration

Workspace ONE Access can be integrated with Workspace ONE Intelligence to provide insights on user logins and application launches. The integration requires a cloud-based Workspace ONE Access tenant and a licensed tenant of Workspace ONE Intelligence.

Figure 9: Integration of Workspace ONE Intelligence Cloud Service with Workspace ONE Access

Because the integration is performed between two cloud services, there is no need to perform any on-premises configuration.

The integration consists of two high-level steps:

  1. Log in to Workspace ONE Access as an administrator.
  2. Register the Workspace ONE Access tenant in the Workspace ONE Intelligence Console, as outlined in Register Workspace ONE Access.

Important: Ensure your Workspace ONE Access and Workspace ONE Intelligence tenants are in the same region. A Workspace ONE Access tenant can be registered with Workspace ONE Intelligence only if both are in the same region. See the Workspace ONE SaaS Environments Mapped to Workspace ONE Intelligence Regions for mapping information.

Figure 10: Workspace ONE Intelligence Successfully Integrated with Workspace ONE Access

After integration is complete, Workspace ONE Intelligence collects user and event data about Workspace ONE logins and app loads for all the apps contained in the Workspace ONE catalog. Events are synced every second or when 50,000 events have accumulated, whichever comes first.

The integration also enables the Risk Adapter in Workspace ONE Access for risk-based conditional access. For a complete list of data collected by the integration, see Workspace ONE UEM Data Definitions.

For step-by-step instructions on how to integrate Workspace ONE Access with Workspace ONE Intelligence, and an overview of how to create dashboards, watch VMware Workspace ONE Intelligence: VMware Identity Manager Integration - Feature Walk-through.

Workspace ONE Intelligence and Trust Network Integration

VMware Workspace ONE® Trust Network includes several security solutions that can be integrated with Workspace ONE Intelligence. This integration can provide a consolidated view of all threats reported by the various security solutions, and the intelligence component helps automate remediation actions. The integration requires a licensed cloud-based Workspace ONE Trust Network partner solution tenant and a Workspace ONE Intelligence tenant.

Figure 11: Integration flow of Workspace ONE Intelligence Cloud Service with Workspace ONE Trust Network

Because the integration is performed between two cloud services, there is no need to perform any on-premises configuration. You must, however, deploy and configure an agent provided by the security solution. Otherwise, threats cannot be reported to the Workspace ONE Trust Network, and Workspace ONE Intelligence will not receive any data.

The integration consists of the following high-level steps:

  1. Obtain the URL and API keys required by the Workspace ONE Trust Network partner solution.
  2. Register the respective Workspace ONE Trust Network solution in the Workspace ONE Intelligence Console, under Settings > Integration.
  3. Deploy the Trust Network agent on all managed devices.

Note: You can leverage Workspace ONE UEM to deploy and configure the Workspace ONE Trust Network solution agent across all of your managed devices.

To learn how to set up each of the current partner solutions that can be part of the Workspace ONE Trust Network integration with Workspace ONE Intelligence, see the partner-solution topics in the VMware Workspace ONE Intelligence guide.

Figure 12: Workspace ONE Intelligence Successfully Integrated with Carbon Black, Lookout and Netskope

After integration is complete, Workspace ONE Intelligence checks every 30 seconds for new threats reported by the Workspace ONE Trust Network solutions configured in your environment. Any new events that are identified are stored in a Workspace ONE Intelligence database, so that any automation whose criteria match the incoming threat events is executed immediately.

Workspace ONE UEM and Workspace ONE Assist Integration

Workspace ONE Assist can be integrated with Workspace ONE UEM to provide your administrators with single sign-on into the VMware Workspace ONE® Assist Portal server. With this integration, administrators can seamlessly launch remote management sessions for your eligible devices from the Workspace ONE UEM console.

The integration with Workspace ONE UEM consists of a simple site URL configuration in the Workspace ONE UEM console, as detailed in the section that follows. Your devices will also require the Workspace ONE Assist application to be installed, which can be distributed to your managed devices using Workspace ONE UEM.

Workspace ONE UEM Configuration

The integration with Workspace ONE Assist consists of two high-level steps:

  1. Log in to the Workspace ONE UEM console with an admin account that has global organization group access.
  2. Navigate to the Site URLs settings under System > Advanced, and configure the Workspace ONE Assist fields.

Figure 13: Workspace ONE Assist Configuration in the Workspace ONE UEM Console

See Configure the Workspace ONE UEM Console for detailed steps.

Configure End-User Devices

Once Workspace ONE UEM has been configured, you must install the platform-specific Workspace ONE Assist agents on your devices before they can be remotely managed. 

This process consists of the following high-level steps:

  1. Locate the Workspace ONE Assist app for your desired supported platform or platforms.
  2. Publish the Workspace ONE Assist app to your managed devices. For an example, see How Do You Enable Remote Control with Samsung Knox Service Plugin.
  3. Determine if your platform or device requires additional supporting apps or configurations for remote management sessions. For an example, see How Do You Enable Remote View For iOS Devices.

For full details, see Configure End-User Devices.

Start a Remote Management Session

Once the necessary Workspace ONE UEM and end-user device configurations have been made, your administrators can begin a remote management session by connecting to your managed devices through the Workspace ONE UEM console.

The process of starting this remote management session consists of the following high-level steps:

  1. Log in to the Workspace ONE UEM console.
  2. Navigate to the managed device you intend to start a remote management session with, and click Remote Management under MORE ACTIONS.

Figure 14: Start a Workspace ONE Assist Remote Management Session

See Start an Assist Session for more details.

Workspace ONE UEM Screen Capture Restriction Profiles

Workspace ONE UEM Restriction Profiles have a setting named Allow Screen Capture, which, if disabled, prevents devices from taking screen captures. Be aware that if you create a Restriction Profile that disallows screen capture, and you push that profile to a device, the profile will prevent Workspace ONE Assist from remotely viewing or controlling the device.

If you use a Restriction Profile that disables screen capturing, it is recommended to unassign this profile from any device that would utilize Workspace ONE Assist for remote screen-sharing sessions.


Horizon and Workspace ONE Access Integration

Horizon can be integrated into Workspace ONE through Workspace ONE Access. You can set up SSO for Horizon apps and desktops, ensure security with multi-factor authentication, and control conditional access.

The Horizon Enterprise Edition license includes the on-premises version of Workspace ONE Access, which supports access to Horizon apps and desktops only.

Figure 15: Integration of Horizon and On-Premises Workspace ONE Access

Horizon can be used with other license types and deployment models of Workspace ONE Access (such as cloud-based) if, in addition to Horizon apps and desktops, access to other app types such as SaaS apps or mobile apps is also required.

Figure 16: Integration of Horizon with Cloud-Based Workspace ONE Access

Integrating Horizon with an instance of Workspace ONE Access consists of three high-level steps:

  1. Complete the prerequisite steps outlined in the next section. These steps include deploying Workspace ONE Access Connectors and configuring Active Directory synchronization.
  2. Configure SAML authentication in your Horizon environment, as described in Configure SAML Authentication in Horizon.
  3. Create one or more virtual apps collections, as described in Virtual Apps Collection Creation for Horizon Integration.

Prerequisites for Horizon Integration

Perform the following prerequisite tasks:

Prepare the Workspace ONE Access environment by following the instructions in Using Virtual Apps Collections for Desktop Integrations and Providing Access to Horizon 7 or Horizon 6 Desktop and Application Pools.

Ensure time synchronization is set so that Workspace ONE Access, Workspace ONE Access Connectors, and Horizon Connection Servers have the same time.

SAML Authentication Configuration for Horizon Integration

Before you create a virtual apps collection for Horizon in the Workspace ONE Access console, first add Workspace ONE Access as a SAML 2.0 authenticator to the Horizon Connection Servers. Repeat this process for each additional pod.

  1. Open the Horizon console, and navigate to Settings > Servers > Connection Servers.
  2. Select one of the Connection Servers and click Edit.
  3. On the Authentication tab, change Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) to either Allowed or Required.
  4. Select Manage SAML Authenticators to add a new SAML Authenticator, and click Add.
  5. Enter a label to identify the authenticator.
    1. In the Metadata URL field, change <YOUR SAML AUTHENTICATOR NAME> to the FQDN of Workspace ONE Access. Leave the other text as it is.
    2. Leave Enabled for Connection Server selected and click OK.
  6. Although the SAML 2.0 authenticator is defined once per pod, you must enable the authenticator individually on each Connection Server that is to use SAML authentication.
    1. Use the Horizon Console to edit the configuration of each Connection Server.
    2. Select the Authentication tab and change Delegation of authentication to VMware Horizon (SAML 2.0 Authenticator) to either Allowed or Required, matching what was selected on the first Connection Server.
    3. Select Manage SAML Authenticators, select the SAML authenticator just defined, and click Edit.
    4. Select Enabled for Connection Server and click OK.

For more information, see Configure SAML Authentication in Horizon.

Virtual Apps Collection Creation for Horizon Integration

You integrate Horizon desktops and applications into Workspace ONE Access by using virtual apps collections. See Providing Access to Horizon 7 or Horizon 6 Desktop and Application Pools.

  1. Log in to the Workspace ONE Access administrative console.
  2. From the Catalog drop-down menu, select Virtual Apps Collection.

If this is the first time the configuration has been run, a screen appears that provides information about virtual apps collections. Click GET STARTED.

  3. If the configuration has been run before, a screen appears that lists any configured virtual apps collections. Click NEW to add a new virtual apps collection.
  4. Select Horizon as the source type to create a Horizon virtual apps collection for your Horizon pods and Cloud Pod Architecture federation. This collection will host desktop or application capacity.

A virtual apps collection can contain one or more Horizon pods. The collection defines the configuration information about your Horizon environment, Workspace ONE Access Connectors, and settings to sync resources and entitlements to Workspace ONE Access.

  5. Name the new Horizon collection and select the connectors.
    1. Give the virtual apps collection a unique name.
    2. Select the Workspace ONE Access Connectors that will perform synchronization. Reorder the connectors if required, and click NEXT.
  6. To add the Horizon pods, click ADD A POD.
  7. Enter details for the first Horizon pod, specifying one of the Horizon Connection Servers, credentials, and whether smart card authentication or True SSO is set up in the pod, and once complete, click ADD.
  8. For each additional Horizon pod in your environment, click ADD A POD and repeat the process.
  9. Configure Horizon Cloud Pod Architecture.
    1. Select the check box to indicate if Cloud Pod Architecture is enabled and then click ADD A FEDERATION.
    2. Specify a unique federation name.
    3. Complete the Client Access FQDN field. This is usually the load balancer namespace for the Horizon environment.
    4. Select and add the Horizon pods that are part of this federation.
    5. Click ADD.
  10. Complete the additional configuration for the new collection.
    1. Set up a sync frequency schedule.
    2. Set Sync Duplicate Apps to No.
    3. Choose an activation policy. In most cases, leave this as the default of User-Activated, which allows the user to self-serve any Horizon resources they are entitled to from the Workspace ONE Access catalog.
    4. Choose which default client should be used for a Horizon session by selecting an item from the Default Launch Client list.
    5. Click NEXT to review the Summary page.
  11. After you review the Summary page, click BACK if you need to make changes, or click SAVE & CONFIGURE NETWORK RANGE. The information you entered is validated and saved.

The collection is added, and the Network Ranges page appears.

Note: The default configuration for network settings in Workspace ONE Access specifies a single All Ranges scope. Also consider adding additional network ranges and tailoring the client access FQDN as necessary.

  12. Change the client access FQDN for the All Ranges scope so that it points to the namespace for the load balancer.
    1. Click the ALL RANGES button on the Network Ranges page.
    2. Change the Client Access FQDN entries as needed. Any Horizon pods added will, by default, use the FQDN of the Horizon Connection Server used for adding the pod. Be sure to change the FQDN to the load balancer common namespace for the Connection Servers. Click SAVE.
  13. If necessary, configure different client access FQDNs for specific network ranges. For example, perhaps different FQDNs should be used for internal and external connections.
    1. Click CREATE NETWORK RANGE.
    2. Fill in the Name, IP Ranges, and change the Client Access FQDN entries. In the example below, a new range has been defined for internal IP ranges with the associated client access FQDNs. Click SAVE.
  14. After you add a virtual apps collection, you might want to force a synchronization of any entitlements, rather than waiting for the sync schedule to run. From the list of Virtual Apps Collections, select the collection and click the SYNC button.

See Configuring Horizon Pods and Pod Federations in Workspace ONE Access for more information.
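The network-range step above determines which client access FQDN the Horizon Client is told to connect to: an internal user should land on the internal load-balanced name, everyone else on the external name, and no range should still carry the name of a single Connection Server. The following Python model is an added example, not VMware's code or the product's actual selection algorithm; it assumes that the most specific matching range wins and that All Ranges is the fallback, and the range names, CIDRs and host names are constructed.

```python
"""Model of how Workspace ONE Access network ranges decide which client access
FQDN a Horizon Client is handed. Added illustration, not VMware code."""
import ipaddress
from dataclasses import dataclass


@dataclass
class NetworkRange:
    name: str
    cidrs: list                 # empty list models the built-in All Ranges scope
    client_access_fqdn: dict    # pod name -> FQDN the Horizon Client connects to


def resolve_client_fqdn(ranges, client_ip, pod):
    """Return the FQDN for pod that a client at client_ip should receive.

    Assumption of this model: the most specific matching range wins and the
    All Ranges scope is the fallback when no specific range matches.
    """
    addr = ipaddress.ip_address(client_ip)
    all_ranges = next(r for r in ranges if not r.cidrs)
    best, best_len = None, -1
    for rng in ranges:
        for cidr in rng.cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net and net.prefixlen > best_len:
                best, best_len = rng, net.prefixlen
    if best is None:
        best = all_ranges
    # A range that defines no FQDN for this pod inherits the All Ranges value.
    return best.client_access_fqdn.get(pod) or all_ranges.client_access_fqdn[pod]


def find_fqdns_pointing_at_single_servers(ranges, connection_servers):
    """Flag client access FQDNs still set to an individual Connection Server.

    A pod defaults to the FQDN of the Connection Server used to add it; such
    an entry bypasses the load balancer and should be changed to the common
    namespace for the Connection Servers.
    """
    servers = {s.lower() for s in connection_servers}
    return [
        (rng.name, pod, fqdn)
        for rng in ranges
        for pod, fqdn in rng.client_access_fqdn.items()
        if fqdn.lower() in servers
    ]


# Constructed sample configuration: one load-balanced pair of Connection
# Servers, an external name for All Ranges and an internal name for the LAN.
SAMPLE_CONNECTION_SERVERS = ["cs01.corp.example.com", "cs02.corp.example.com"]
SAMPLE_RANGES = [
    NetworkRange("ALL RANGES", [],
                 {"pod1": "horizon.example.com", "pod2": "horizon.example.com"}),
    NetworkRange("Internal", ["10.0.0.0/8", "192.168.0.0/16"],
                 {"pod1": "horizon-int.corp.example.com",
                  # pod2 was never changed from the server it was added with
                  "pod2": "cs01.corp.example.com"}),
]


if __name__ == "__main__":
    print(resolve_client_fqdn(SAMPLE_RANGES, "10.20.30.40", "pod1"))   # internal name
    print(resolve_client_fqdn(SAMPLE_RANGES, "203.0.113.5", "pod1"))   # All Ranges name
    print(find_fqdns_pointing_at_single_servers(SAMPLE_RANGES, SAMPLE_CONNECTION_SERVERS))
```

Running the audit function against an export of your ranges after adding a pod is a quick way to catch the default single-server FQDN before users start receiving it.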

Communication Flow When Launching a Horizon Resource from Workspace ONE Access

After Horizon has been integrated with Workspace ONE Access, a user can select a Horizon resource, such as a desktop or a published application, from the Workspace ONE browser page or mobile app.

Internal Client

The following figure depicts the flow of communication that takes place when an internal user selects and launches an entitled Horizon desktop or application. Although this illustrates the use of an on-premises deployment of Workspace ONE Access, the traffic flow is similar if a cloud-based tenant of Workspace ONE Access is used.

Figure 17: Internal Launch of a Horizon Resource from Workspace ONE

  1. After the user is authenticated to Workspace ONE Access, either in a browser or using the Workspace ONE app, the user selects and launches a Horizon resource.
  2. Workspace ONE Access generates a SAML assertion and an artifact that contains the vmware-view URL. It returns this SAML artifact to the browser on the client device (vmware-view://URL SAMLArt=<saml-artifact>).
  3. The default URL handler for vmware-view types (normally the VMware Horizon® Client) is launched using the URL that was returned in the artifact (XML-API request do-submit-authentication <saml-artifact>).
  4. The Horizon Connection Server performs a SAML Artifact Resolve operation against Workspace ONE Access (<saml-artifact>).
  5. Workspace ONE Access validates the artifact and returns a SAML Assertion to the Horizon Connection Server (<saml-assertion>).
  6. The Horizon Connection Server returns successful authentication (XML-API OK response submit-authentication).
  7. The remote protocol client launches the session with the parameters returned.

External Client

The following figure depicts the flow of communication that takes place when an external user selects and launches an entitled Horizon desktop or application. Although this illustrates the use of an on-premises deployment of Workspace ONE Access, the traffic flow is similar if a cloud-based tenant of Workspace ONE Access is used.

Figure 18: External Launch of a Horizon Resource from Workspace ONE

  1. After the user is authenticated to Workspace ONE Access, either in a browser or using the Workspace ONE app, the user selects and launches a Horizon resource.
  2. Workspace ONE Access generates a SAML assertion and a SAML artifact that contains the vmware-view URL. It returns this URL to the browser on the client device (vmware-view://URL SAMLArt=<saml-artifact>).
  3. The default URL handler for vmware-view types (normally the VMware Horizon Client) is launched using the URL that was returned in the artifact (XML-API request do-submit-authentication <saml-artifact>).
  4. Unified Access Gateway proxies the authentication to the Horizon Connection Server.
  5. The Horizon Connection Server performs a SAML resolve against Workspace ONE Access (<saml-artifact>).
  6. Workspace ONE Access validates the artifact and returns an assertion to the Horizon Connection Server (<saml-assertion>).
  7. The Horizon Connection Server returns successful authentication (XML-API OK response submit-authentication).
  8. Unified Access Gateway returns the successful authentication to the client.
  9. The remote protocol client launches the session with the parameters returned.
  10. Unified Access Gateway proxies the protocol session to the Horizon Agent.

Horizon Cloud and Workspace ONE Access Integration

Horizon Cloud can be integrated into Workspace ONE through Workspace ONE Access. You can set up SSO for Horizon Cloud apps and desktops, ensure security with multi-factor authentication, and control conditional access.

The Horizon Cloud license includes the cloud-hosted version of Workspace ONE Access, which supports access to Horizon Cloud apps and desktops only. Horizon Cloud can be used with other license types and deployment models of Workspace ONE Access (such as on-premises) if access to other apps, such as Horizon apps and desktops, SaaS apps, or mobile apps, is also required.

Figure 19: Integration of Horizon Cloud and Workspace ONE Access

With VMware Horizon® Cloud Service on Microsoft Azure, you can specify creation of a cloud-based Workspace ONE Access tenant during the pod deployment process. The Workspace ONE Access tenant is associated with your Horizon Cloud customer record. Pods that already exist for the same Horizon Cloud customer record can then be integrated with that tenant.

Integrating Horizon Cloud Service with a cloud-hosted Workspace ONE Access tenant consists of three high-level steps:

  1. Complete the prerequisite steps outlined in the next section. These steps include deploying Workspace ONE Access Connectors and configuring Active Directory synchronization.
  2. Create one or more virtual apps collections, as described in Virtual Apps Collection Creation for Horizon Cloud Integration.
  3. Configure SAML authentication in your Horizon Cloud tenant, as described in SAML Authentication Configuration for Horizon Cloud Integration.

Prerequisites for Horizon Cloud Integration

Perform the following prerequisite tasks:

  • Prepare the Workspace ONE Access environment by following the instructions in Providing Access to VMware Horizon Cloud Service Desktops and Applications.
  • Verify that Workspace ONE Access is joined to the same Active Directory domain structure as the Horizon Cloud pod.
  • Ensure that time synchronization is set so that Workspace ONE Access and the Horizon Cloud pod have the same time.

Virtual Apps Collection Creation for Horizon Cloud Integration

You integrate Horizon Cloud desktops and applications into Workspace ONE Access by using virtual apps collections. See Providing Access to VMware Horizon Cloud Service Desktops and Applications and Integrate a Horizon Cloud Pod in Microsoft Azure with Workspace ONE Access.

  1. Log in to the Workspace ONE Access administrative console.
  2. From the Catalog drop-down menu, select Virtual Apps Collection.

If this is the first time the configuration has been run, a screen appears that provides information about virtual apps collections. Click GET STARTED.

  3. If the configuration has been run before, a screen appears that lists any configured virtual apps collections. Click NEW.

  4. Select Horizon Cloud as the source type to create a Horizon Cloud virtual apps collection for the Horizon Cloud environments that will host desktop or application capacity.

A virtual apps collection can contain one or more Horizon Cloud tenants. The collection defines configuration information about your Horizon Cloud tenants, Workspace ONE Access Connectors, and settings to sync resources and entitlements to Workspace ONE Access.

  5. Name the new Horizon Cloud collection and select the connectors.
    1. Give the virtual apps collection a unique name.
    2. Select the Workspace ONE Access Connectors that will perform synchronization. Reorder the connectors if required, and click NEXT.

  6. Add the Horizon Cloud tenants.
    1. Click ADD A TENANT.

  7. Enter details for the Horizon Cloud tenant:
    • Host – FQDN that corresponds to the Tenant Appliance IP Address
    • Credentials – Horizon Cloud tenant administrator account
    • Domains to Sync
    • Assertion Consumer Service URL – URL that typically contains the Horizon Cloud tenant's floating IP address or hostname, or the Unified Access Gateway URL
    • True SSO – Indicates whether True SSO is set up in the pod
  Once complete, click ADD.

  8. For each additional Horizon Cloud tenant in your environment, click ADD A TENANT and repeat the process.

  9. Complete the Configuration page for the new collection.
    1. Set up a sync frequency schedule.
    2. Set Sync Duplicate Apps to No.
    3. Choose an activation policy. In most cases, leave this as the default of User-Activated, which allows the user to self-serve any Horizon resources they are entitled to from the Workspace ONE Access catalog.
    4. Choose which default client should be used for a Horizon session by selecting an item from the Default Launch Client list.
    5. Click NEXT to review the Summary page.

  10. After you review the Summary page, click BACK if you need to make changes, or click SAVE. The information you entered is validated and saved.

  11. After you add a virtual apps collection, you might want to force a synchronization of any entitlements, rather than waiting for the sync schedule to run. From the list of Virtual Apps Collections, select the collection and click the SYNC button.

For more information on configuring virtual apps collections, see Using Virtual Apps Collections for Desktop Integrations.

SAML Authentication Configuration for Horizon Cloud Integration

After you create a virtual apps collection for the Horizon Cloud tenant in the Workspace ONE Access console, you configure SAML authentication in the Horizon Cloud tenant.

You can create a new Identity Management entry for each pod in your Horizon Cloud tenant.

  1. Log in to the Horizon Cloud Administrative Console.
  2. From Settings, select Identity Management and click New.

The New Identity Manager window appears.

Figure 20: Define Workspace ONE Access instance in Horizon Cloud console

The VMware Workspace ONE Access Metadata URL that you specify must be in a format similar to the following:

https://<FQDN of Workspace ONE Access>/SAAS/API/1.0/GET/metadata/idp.xml

For more information, see Configure SAML Authentication in the Horizon Cloud Tenant.

Communication Flow When Launching a Horizon Cloud Resource from Workspace ONE Access

After Horizon Cloud has been integrated with Workspace ONE Access, a user can select a Horizon resource, such as a desktop or a published application, from the Workspace ONE browser page or mobile app.

The following figure depicts the flow of communication that takes place when a user selects and launches an entitled Horizon desktop or application.

Figure 21: Traffic Flow on Launch of a Horizon Cloud Resource from Workspace ONE

  1. After the user is authenticated to Workspace ONE Access, either in a browser or using the Workspace ONE app, the user selects and launches a Horizon resource.
  2. Workspace ONE Access generates a SAML assertion and an artifact that contains the vmware-view URL. It returns this URL to the browser on the client device (vmware-view://URL SAMLArt=<saml-artifact>).
  3. The default URL handler for vmware-view types (normally the VMware Horizon Client) is launched using the URL that was returned in the artifact (XML-API request do-submit-authentication <saml-artifact>).
  4. If in-line, VMware Unified Access Gateway (UAG) proxies the authentication to the Horizon Cloud pod.
  5. The Horizon Cloud pod performs a SAML resolve against Workspace ONE Access (<saml-artifact>).
  6. Workspace ONE Access validates the artifact and returns an assertion to the Horizon Cloud pod (<saml-assertion>).
  7. The Horizon Cloud pod returns successful authentication (XML-API OK response submit-authentication).
  8. If in-line, Unified Access Gateway returns the successful authentication to the Horizon Client.
  9. The remote protocol client launches the session with the parameters returned.
  10. If in-line, Unified Access Gateway proxies the protocol session to the Horizon Agent in the virtual desktop or RDSH server (if the resource is a published application or desktop).
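Steps 2 through 7 of this flow, like the corresponding steps of the internal and external Horizon launch flows earlier in this chapter, are a SAML artifact binding: the browser and Horizon Client only ever carry an opaque artifact in the vmware-view URL, and the Connection Server or Horizon Cloud pod redeems it directly against Workspace ONE Access, so the assertion itself never passes through the client. The following Python model is an added example, not VMware code; the exact vmware-view URL shape, the single-use and 60-second validity rules, the audience check and the host names are assumptions made for illustration, and the Unified Access Gateway proxy steps, which are transparent to this exchange, are omitted.

```python
"""Model of the SAML artifact exchange used when Workspace ONE Access launches
a Horizon resource. Added illustration; not VMware code."""
import secrets
import time
from urllib.parse import parse_qs, urlparse


class IdentityProvider:
    """Workspace ONE Access role: mints assertions, hands the client only an
    artifact, and resolves that artifact exactly once for the intended pod."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self._ttl = ttl_seconds          # assumed validity window
        self._clock = clock
        self._pending = {}               # artifact -> assertion awaiting resolution

    def launch(self, user, pod_host, resource):
        now = self._clock()
        assertion = {
            "subject": user,
            "audience": pod_host,        # only this pod may consume it (assumed rule)
            "resource": resource,
            "not_on_or_after": now + self._ttl,
        }
        artifact = secrets.token_urlsafe(20)   # unguessable, opaque to the client
        self._pending[artifact] = assertion
        # Assumed URL shape; the chapter shows it as vmware-view://URL SAMLArt=<artifact>
        return f"vmware-view://{pod_host}/{resource}?SAMLArt={artifact}"

    def resolve(self, artifact, requesting_pod):
        """SAML ArtifactResolve: pop (single use), then check audience and expiry."""
        assertion = self._pending.pop(artifact, None)
        if assertion is None:
            return None                  # unknown or already redeemed
        if assertion["audience"] != requesting_pod:
            return None                  # resolve from a pod the artifact was not issued for
        if self._clock() >= assertion["not_on_or_after"]:
            return None                  # stale launch
        return assertion


class HorizonPod:
    """Connection Server / Horizon Cloud pod role: the XML-API
    do-submit-authentication handler that resolves the artifact server-side."""

    def __init__(self, host, idp):
        self.host = host
        self._idp = idp

    def submit_authentication(self, artifact):
        assertion = self._idp.resolve(artifact, self.host)
        if assertion is None:
            return {"result": "error", "reason": "artifact not resolvable"}
        return {"result": "ok", "user": assertion["subject"],
                "resource": assertion["resource"]}


def parse_launch_url(url):
    """Horizon Client role: pull pod host, resource and artifact out of the URL."""
    parts = urlparse(url)
    if parts.scheme != "vmware-view":
        raise ValueError("not a vmware-view URL")
    query = parse_qs(parts.query)
    return parts.hostname, parts.path.lstrip("/"), query["SAMLArt"][0]


class FakeClock:
    """Controllable clock so the expiry case can be shown deterministically."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    idp = IdentityProvider(ttl_seconds=60, clock=clock)
    pod = HorizonPod("horizon.example.com", idp)          # constructed host name
    results = {}

    # Normal launch: the client receives only the artifact, the pod resolves it.
    url = idp.launch("alice", pod.host, "Win10-Desktop")
    _, _, artifact = parse_launch_url(url)
    results["launch"] = pod.submit_authentication(artifact)["result"]

    # Re-submitting the same artifact (a copied launch URL) fails: single use.
    results["replay"] = pod.submit_authentication(artifact)["result"]

    # An artifact redeemed after the validity window fails.
    _, _, late = parse_launch_url(idp.launch("alice", pod.host, "Win10-Desktop"))
    clock.now += 120
    results["expired"] = pod.submit_authentication(late)["result"]

    # An artifact issued for one pod cannot be resolved by another.
    other = HorizonPod("other-pod.example.com", idp)     # constructed host name
    _, _, wrong = parse_launch_url(idp.launch("alice", pod.host, "Win10-Desktop"))
    results["wrong_pod"] = other.submit_authentication(wrong)["result"]
    return results


if __name__ == "__main__":
    print(demo())
```

The three failing cases in demo() are the events worth alerting on from the Workspace ONE Access and Connection Server logs: repeated or late artifact resolutions usually mean a stale bookmark or clock skew between the components, while a resolve request from an unexpected pod points at a misconfigured client access FQDN.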

What's Next?

Now that you have come to the end of this chapter, you can return to the landing page and search or scroll to select your next chapter in one of the following sections:

  • Overview chapters provide understanding of business drivers, use cases, and service definitions.
  • Architecture chapters explore the products you are interested in including in your platform, including Workspace ONE UEM, Workspace ONE Access, Workspace ONE Assist, Workspace ONE Intelligence, Horizon, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
  • Integration chapters cover the integration of components and services you need to create the platform capable of delivering what you want.
  • Configuration chapters provide reference for specific tasks as you build your platform, such as installation, deployment, and configuration processes for Horizon, App Volumes, Dynamic Environment Manager, and more.
