VMware Workspace ONE Achieves FedRAMP High Authorization
Overview
VMware Workspace ONE has now achieved FedRAMP High as a Joint Authorization Board (JAB) authorized service
VMware is excited to announce it has achieved FedRAMP High for the Workspace ONE cloud-based service with a JAB Provisional Authorization. Workspace ONE is a secure, cloud-based modern management and security suite for End-User Computing (EUC) that provides a digital workspace platform combining endpoint device deployment and management with secure Zero Trust Access (ZTA) capabilities for agencies and branches.
Consistently ranked as a leader by industry analysts, Workspace ONE delivers simple single sign-on (SSO) access to cloud, web, mobile-native, and Windows-based apps in one unified catalog within Workspace ONE Hub Services. Agencies can equip employees with a broad range of devices, including iOS, Android, Mac, Windows and ruggedized devices, to meet the needs or preferences of an agent or their mission, while enforcing fine-grained conditional access policies that take into account device compliance information delivered by VMware’s Unified Endpoint Management (UEM) technology. UEM also delivers advanced desktop management capabilities for Windows 10 and 11, macOS, Chrome OS and Linux beyond what is available through MDM APIs.
Workspace ONE is also currently in process for DoD Impact Level 5 approval from the Defense Information Systems Agency (DISA), which adds the security controls of the DoD Cloud Computing Security Requirements Guide (CC SRG).
For State, Local, and Educational (SLED) customers, VMware Workspace ONE with UEM, Access, Intelligent Hub, and Intelligence are StateRAMP Moderate authorized and in process for StateRAMP High; VMware Workspace ONE MTD is StateRAMP Moderate authorized through the Lookout, Inc. Joint Authorization Board (JAB) P-ATO.
FedRAMP Paths & JAB Provisional Authorization
There are two approaches to obtaining a FedRAMP Authorization: a provisional authorization through the Joint Authorization Board (JAB) or an authorization through an agency. The JAB is the primary governing body for FedRAMP and includes the Department of Defense (DoD), the Department of Homeland Security (DHS), and the General Services Administration (GSA). The JAB selects approximately 12 cloud products a year to work with for a JAB Provisional Authority to Operate (P-ATO). Additionally, the JAB is responsible for performing continuous monitoring for all JAB-authorized cloud products.
Solution at a Glance
VMware Workspace ONE® is a digital workspace platform that simply and securely delivers and manages any app on smartphones, tablets, laptops, and other devices by integrating access control, application management, and multi-platform endpoint management. Workspace ONE integrates FedRAMP High Authorized UEM (formerly VMware AirWatch®) with conditional access control technology to deliver secure, anywhere access to applications and data. With Workspace ONE, organizations can evolve siloed cloud and mobile investments, enabling all employees, devices, and things across the organization to accelerate their digital transformation journey with a platform-based approach. Key platform components of Workspace ONE are represented in Table 1.
| PLATFORM COMPONENTS | DESCRIPTION |
|---|---|
| Workspace ONE Unified Endpoint Management (UEM) | Provides admins access to Mobile Device Management (MDM), Mobile Application Management (MAM) and Mobile App Store/Catalog (MAS) features and services in order to enable user/device enrollment, enablement, and security/policy enforcement and compliance. |
| Workspace ONE Intelligent Hub | Employee-facing app that delivers: Unified App Catalog, People Search, Notifications, Self-Service Support, Branding, and a Custom Home Tab. Available as a native app on Windows, macOS, iOS, and Android, and as a web app (Intelligent Hub for Web). |
| Workspace ONE Access | Integrates with upstream identity providers and directories, including Active Directory, Azure Active Directory, LDAP, Okta, and Ping. Provides federated and mobile SSO, MFA, and conditional access control. |
| Workspace ONE Intelligence | Experience analytics, risk analytics, historical reports, dashboards, and integrations with third-party apps. |
| Workspace ONE Tunnel | Connects apps (VMware or third-party) to corporate intranet services with a per-app VPN client app. Requires server-side per-app VPN infrastructure, such as VMware Unified Access Gateway or VMware Secure Access. |
| Unified Access Gateway (UAG) | Security platform that provides edge services and access to defined resources that reside in the internal network. It acts as the security gateway for VMware Workspace ONE® and VMware Horizon® deployments, enabling secure remote access from an external network to a variety of internal resources. |
| Secure Email Gateway (SEG) | Provides access control to the work email server and encrypts data and attachments. |
Table 1: Workspace ONE FedRAMP environment core services
VMware Workspace ONE is a digital workspace platform that provides users with secure access to their applications, data, and devices from any location. This platform is made up of several different products, each with its own unique features and capabilities, as shown in the following logical service diagram:
Figure 1: Workspace ONE platform’s key components, features & capabilities
Solution Summary
The VMware Workspace ONE solution resides within the VMware Government Services (VGS) authorization boundary, which is designed to allow US government agencies and customers supporting the US government to migrate, manage, and operate more sensitive workloads in the cloud. The VGS authorization boundary provides Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) capabilities to deliver modern applications at the speed the US government demands and to operate across the data center, the edge, and the cloud.
Overall, VGS provides the following FedRAMP authorized services at the High baseline: VMware Cloud on AWS GovCloud (US) (VMC), Hybrid Cloud Extension (HCX), Carbon Black Cloud (CBC), Software Defined WAN (SD-WAN), Horizon Cloud Service (HCS), Aria Suite Cloud for US Public Sector, and as mentioned, Workspace ONE. More information on the VGS public sector roadmap can be found on the VMware Trust Center; below are key aspects of the VGS and subsequent SaaS offerings:
- Sold, operated and supported by VMware
- On-demand capacity and flexible consumption
- Full operational consistency with on-premises SDDC
- Fast and simple bi-directional workload migration
- FIPS 140-2 compliant cryptographic modules for encryption of Data-at-Rest and Data-in-Transit
- Hosted, operated and managed by VMware employees who are U.S. citizens, located on U.S. soil
- Direct access and integration with native AWS services
- IPv6 support for the Workspace ONE service
Architecture
This service is optimized to run on dedicated, elastic, bare-metal AWS infrastructure to protect highly sensitive government workloads with hardened security. AWS GovCloud provides the foundational FedRAMP IaaS components, so government infrastructure and operations teams can rely on those elements to scale capacity up or down quickly and confidently, and the Workspace ONE platform features and service gain access to native AWS services.
As an IT admin, you can rely on this FedRAMP Software-as-a-Service (SaaS) Workspace ONE offering to handle device enrollment, a customized app catalog, policy enforcement, compliance, and integration with email, social media, and more, securely and in a way that meets the compliance needs of the U.S. federal government and military.
In the following diagram, end users’ devices access a Workspace ONE UEM tenant in the FedRAMP cloud, which connects to the Active Directory domain controller through the AirWatch Cloud Connectors.
Figure 2: Workspace ONE platform’s logical architecture
VMware Workspace ONE UEM (powered by AirWatch) is responsible for device enrollment, a mobile application catalog, policy enforcement regarding device compliance, and integration with key enterprise services, such as email, content, and social media.
Workspace ONE Unified Endpoint Management (UEM) features include:
- Device management platform – Allows full life-cycle management of a wide variety of devices, including phones, tablets, Windows 10, and rugged and special-purpose devices.
- Application deployment capabilities – Provides automatic deployment or self-service application access for employees.
- User and device profile services – Ensures that configuration settings for users and devices:
  - Comply with enterprise security requirements
  - Simplify end-user access to applications
- Productivity tools – Includes an email client with secure email functionality, a content management tool for securely storing and managing content, and a web browser to ensure secure access to corporate information and tools.
Workspace ONE UEM can be implemented using an on-premises or a cloud-based (SaaS) model. Both models offer the same functionality.
Modern Management & Security for Federal Government
Government agencies at every level have had to reimagine how best to achieve mission outcomes, protect information, and improve employee engagement in the new distributed workplace. In response to this challenge, there has been a dramatic acceleration in the adoption of modern applications—such as software-as-a-service (SaaS) and native-mobile apps—coupled with the proliferation of mobile devices and platform options, many of which are connecting through unsecured networks.
IT departments are challenged more than ever to ensure that these devices meet compliance requirements, that applications are available to users and updated in a timely manner, and that applications and the data they contain or access are secure from unauthorized eyes. With many traditional tools unable to scale or adequately fulfill their requirements in this distributed, disconnected model, organizations must modernize how they deliver, manage, and secure access to government resources.
VMware Workspace ONE utilizes a FedRAMP High Authorized instance for key Workspace ONE technologies: VMware Workspace ONE Unified Endpoint Management and VMware Workspace ONE Access™. Workspace ONE is consistently ranked as a leader by industry analysts. It delivers best-in-class multiplatform endpoint management, application management, access control, and application and desktop virtualization that enable government agencies to be productive and secure on both Government-Furnished Equipment (GFE) and BYOD-Approved Devices (BYODAD).
It begins with user-simple, single sign-on (SSO) access to cloud, web, mobile-native, and Windows-based apps in one unified application catalog. Agencies can enable employees with a broad range of devices, including iOS, Android, Mac, Windows, and rugged devices, to meet the needs or preferences of a user or their mission. Powerful conditional access policies can combine device compliance information with user and location information from UEM to deliver the appropriate authentication challenges to keep information secure.
Workspace ONE automates traditional onboarding, laptop and mobile device configuration, and delivers real-time application lifecycle management that bridges legacy enterprise client-server apps to the mobile cloud era. Government agencies can easily deploy, configure, secure, manage, and support smartphones, tablets, laptops, and other devices across multiple mobile applications and operating systems. Workspace ONE includes industry-leading mobile device, email, application, content, and browser management solutions.
Whether enabling government-furnished equipment (GFE), including government-owned, personally enabled devices, or a bring-your-own-device (BYOD) program, agencies and branches can implement these solutions standalone, as a dual-persona containerized solution, or as a comprehensive solution based on device type, use case and user role in the organization. This integrated solution helps agencies reduce costs and increase efficiency while mitigating security risks and managing data loss prevention (DLP).
Workspace ONE includes Workspace ONE Access, which is FedRAMP High Authorized. Workspace ONE Access combines with Workspace ONE Intelligent Hub to provide a single unified application catalog, multifactor authentication, conditional access, and SSO to SaaS and web apps. Workspace ONE Intelligent Hub can also be utilized to provide actionable notifications to users, a people search directory, and access to support or intranet pages.
Workspace ONE Feature Matrix for FedRAMP
VMware Workspace ONE® is an intelligence-driven digital workspace platform that provides multi-platform endpoint management to deliver and manage any app on any device simply and securely. Workspace ONE Standard, Advanced, and Enterprise are available as either a cloud service or on-premises, and the FedRAMP solution provides the following features:
| UNIFIED ENDPOINT MANAGEMENT | |
|---|---|
| Mobile Device Management | Configure mobile device management (MDM) policies, settings and device configurations across phones, tablets and laptop devices that run iOS, Android, macOS, Windows 10, Chrome OS, Linux and others. |
| Basic Shared Device Management | Manage shared and kiosk configurations for mobile devices leveraging native MDM APIs, such as Android single/multi-app kiosk mode and iOS/iPadOS multiuser mode. |
| Android OEM Extensions | Support for OEMConfig—additional OEM-specific device management APIs on top of what’s natively available in Android Enterprise (e.g., Samsung Knox, Zebra Managed Configurations). |
| Advanced Frontline Worker & Special-Purpose Management | Manage advanced frontline worker mobile, rugged and peripheral (e.g., printers) devices. Includes support for advanced shared and kiosk configurations leveraging VMware Workspace ONE Launcher™; barcode-based enrollments, such as Zebra StageNow and Honeywell Enterprise Provisioner; relay servers; and additional legacy and special-purpose platform support, including Windows CE, Windows Mobile, QNX, Raspberry Pi, tvOS and others. |
| Wearable and Peripheral Management | Manage wearable devices and peripheral devices, such as augmented reality/virtual reality/mixed reality (AR/VR/MR) smart glasses and head-mounted displays (HMDs), printers or other accessories. |
| Modern Desktop Management | Deliver API-driven modern management of desktops (Windows 10, macOS, Chrome OS). Includes out-of-the-box device onboarding (OOBE, DEP); MDM and custom policy configuration scripting; cloud (Windows Update for Business) and on-premises (Windows Server Update Services/Software Update Services) management; unified app catalog experience; app management (store apps); enforcement of data loss prevention (DLP) and encryption (BitLocker, FileVault 2); native firewall and antivirus configuration; and asset and compliance reporting. |
| Advanced Desktop Management | Deliver advanced desktop management capabilities for Windows 10 and macOS beyond what is available through MDM APIs. Includes features such as Baselines for Group Policy Object (GPO) configuration, Win32 app lifecycle management and native physical-to-physical (P2P) app delivery, BitLocker lifecycle management, Sensors for compliance reporting, per-app VPN tunneling, Windows 10 Enterprise policies and others. |
| IT Compliance Automation Engine | Build compliance policies with automated remediation workflows, such as app allowlist/denylist, GPS and geofencing, OS version control, and compliance escalation. |
| Workspace ONE AirLift™ for Windows 10 | Automate the migration of traditionally high pain-point PC management tasks to Workspace ONE modern management for Windows 10 with this server-side connector to Microsoft System Center Configuration Manager (SCCM). Includes capabilities to build and deploy enrollment packages and migrate device collections, GPOs and apps to Workspace ONE. |
| Default App Storage Space | Utilize the default app storage space. Additional storage may be purchased in 25GB increments. |
| Workspace ONE Assist™ for Remote Management | Remotely support and troubleshoot task and knowledge worker devices, including desktop PCs, with a privacy-friendly advanced remote management and control tool. Supports Android, iOS, Windows Mobile, Windows 10 and macOS devices. |
| Telecom Management Tools | Track data, call and message consumption, and automate actions and compliance. |

| ACCESS MANAGEMENT | |
|---|---|
| Identity Broker | Integrate with third-party identity stores and providers, including Active Directory, Azure Active Directory, LDAP, Okta and Ping. |
| Federated Single Sign-On (SSO) | Federate Active Directory to third-party or internally developed apps using one of the federation standards. |
| Mobile SSO | Simplify and secure mobile-native applications with certificate-based mobile-native SSO. |
| Conditional Access Control | Utilize app access control policy to restrict access to apps based on user authentication strength, device platform, network ranges and app. *Functionality limitations for per-device licensing mode. |
| Identity Provider (IdP) | Serve as the identity database for user accounts. *Functionality limitations for per-device licensing mode. |
| Certificate (Cloud Deployment) | Allow for certificate-based authentication. |
| Mobile Email Management | Integrate with email infrastructure to provide access control for ActiveSync clients. Includes support for Office 365, G Suite and Exchange, and includes VMware’s NIAP-accredited Boxer email app. |

| INTELLIGENCE & AUTOMATION | |
|---|---|
| Custom Reports | Design custom reports with device, application and user data in Workspace ONE Intelligence™. |
| Custom Dashboards with Historical Data | Get complete visibility into your digital workspace with rich visualization at speed and scale when leveraging Workspace ONE Intelligence™. |
| App Analytics | Measure app adoption and engagement across apps built for employees when combined with Workspace ONE Intelligence™. |
| Automation Engine | Automate processes and take actions with predefined rules based on a rich set of parameters. Integrate with custom and third-party tools that support REST APIs across your environment, all when combined with Workspace ONE Intelligence™. |
| Digital Employee Experience Management | Combine with Workspace ONE Intelligence™ to track digital workspace metrics that affect employee experience through DEEM; proactively identify issues; perform root cause analysis; and quickly remediate across Windows 10, macOS, iOS and Android. Increase employee engagement and productivity. |
Table 2: Workspace ONE FedRAMP environment additional service capabilities
Additional Enablement & Security
Workspace ONE provides a consumption-like experience for applications and information delivered by government-secure clouds, public clouds, and private clouds. Once authenticated through the Workspace ONE Intelligent Hub app, employees can instantly access their personalized enterprise app catalog and subscribe to authorized mobile, SaaS, and web apps. Additionally, Workspace ONE can be used with other VMware on-premises solutions where FedRAMP instances are not available.
| CAPABILITY | DESCRIPTION |
|---|---|
| Deliver any app from the latest mobile cloud apps to legacy enterprise apps | An enterprise app catalog delivers simple SSO access to the right apps on any device, including: |
| Unified app catalog transforms agent onboarding | Simply downloading the Workspace ONE Intelligent Hub app on iOS or Android provides employees with a complete, self-service enterprise app catalog that can be easily customized and branded for your company. The Workspace ONE Intelligent Hub app provides agents and staff with native apps that can be installed. |
| Application SSO improves the user experience and application security | Workspace ONE integrates with an agency’s primary identity provider (IdP), such as Active Directory or LDAP, and with third-party identity providers, such as Okta or Entrust, to simplify access to all apps across your organization for all your users, with SSO to SaaS and web applications as well as virtualized desktops and applications.¹ |
| Password-free access leverages device trust and PIN/biometric timeout settings for authentication | Workspace ONE PIV-D Manager is a mobile application that integrates with various Commercial Off-the-Shelf (COTS) and government-deployed derived credential providers, such as Entrust and Purebred, for use with devices managed by Workspace ONE UEM. Derived credentials provide government agencies and contractors with a solution for replacing smart-card authentication on mobile devices to meet high security requirements in the government sector. |
| Enterprise Desktop Management for updates and critical patching | Deliver enterprise-level desktop management capabilities powered by Workspace ONE Intelligence™. Includes dashboards, reports, and automations within the Workspace ONE platform to support use cases such as OS updates and patch rollout, CVE- and sensor-based vulnerability remediation, and others. |
Table 3: Workspace ONE additional capabilities
Flexibility to use any device: BYOD or GFE
The architecture you deploy today must work with devices not yet invented. From wearables to 3D graphics workstations, keeping employees productive means their apps must be available when and where they are. The architecture must also provide the flexibility to react to unforeseen events, including sudden shifts in work styles and locations. Some devices may be agency-owned and require IT to configure and manage them through their lifecycle.
Many devices may be owned by the employees themselves, purchased as part of a defined BYOD-Approved Device(s) program, or as the result of an unforeseen event. Workspace ONE provides the flexibility to deliver any ownership model, enabling management of on- or off-network devices, supporting BYODAD programs with adaptive management, or providing secure access from new devices with strong authentication.
| CAPABILITY | DESCRIPTION |
|---|---|
| Adaptive management maximizes adoption for even the most privacy-sensitive orgs. | The Workspace ONE Intelligent Hub app enables adaptive management so agents can comfortably adopt BYOD-Approved Device(s) (BYODAD) programs throughout government by deciding what level of access and corresponding management they want to use. |
| Shrink-wrapped device provisioning leverages OS management interfaces to self-configure laptops and smart devices, such as phones and tablets, for immediate enterprise use within agencies and branches. | Self-service, shrink-wrapped device provisioning is achieved through Workspace ONE UEM, which leverages Enterprise Mobility Management (EMM) APIs from Apple iOS and OS X, Microsoft Windows 10/11, Google Android, and a wide variety of specialty platforms for ruggedized devices to provision, configure and secure apps on those devices or accessed by them. This also enables devices to receive patching through the OS vendor or an open connection to cellular providers for the fastest response to vulnerabilities, while leaving configuration and app management to IT. |
Table 4: Workspace ONE device deployment & management capabilities
Real-time app delivery and automation
Workspace ONE takes full advantage of new Windows capabilities and leverages industry-leading UEM technology to enable desktop administrators to automate application distribution and updates on the fly. Combined with award-winning VMware Horizon® virtualization technology¹, automating the application delivery process enables better security and compliance.
Workspace ONE eases the transition to Windows modern management with co-management capabilities for Microsoft System Center Configuration Manager (SCCM).
| CAPABILITY | DESCRIPTION |
|---|---|
| Remote configuration management enables employees to provision new, shrink-wrapped devices from anywhere | Workspace ONE UEM configuration eliminates the need for laptop imaging and provides a seamless, out-of-the-box experience for employees. Manage configurations based on dynamic smart groups, which consider device information and user attributes, and update automatically as those change. Automatically connect end users to corporate resources such as Wi-Fi and VPN, and enable secure connectivity to back-end systems with advanced options for certificate authentication and per-app VPN. |
| Windows software distribution automates software lifecycle (SDLC) management | Workspace ONE software distribution enables enterprises to automatically install, update, and remove software packages; provide scripting and file management tools; create an automated workflow for software, applications, files, scripts, and commands to install on laptops; and configure installation during enrollment or on demand. You can also set the package to install based on conditions, including network status or defined schedules, deploy software updates automatically, and notify the user when updates occur. |
| Virtual apps and desktops by Horizon deliver secure hosted desktops and apps | Horizon provides secure hosted virtual apps and desktops, enabling users to work on highly sensitive and confidential information without compromising corporate data. Users can access their virtual apps and desktops regardless of where they are or the device types they are using, providing them with the flexibility to be productive. |
| App analytics and automation | With Workspace ONE Intelligence enabled, admins can monitor app performance, app adoption, and user behavior across the organization. Workspace ONE provides IT with capabilities to quickly resolve app-related issues, reduce escalations, and improve user experience. Easily analyze and quantify how app performance affects app adoption, and quickly discover the most used apps to quantify ROI of app deployments. The intelligence-driven Workspace ONE comes with automation capabilities that help IT manage the entire digital workspace more efficiently by creating rules that take actions based on a rich set of parameters. Easily automate the deployment of applications, OS patches, and software updates, and create rules to quickly bring apps back to a stable state if they don’t perform as expected. |
| Asset tracking provides a single view of agency-managed devices, wherever they reside | Workspace ONE enables administrators to remotely monitor and manage all devices connected to your enterprise. It also aids and assists with enhanced compliance with new NIST 800-53 and FISMA guidelines for asset tracking. Because Workspace ONE is multitenant, you can manage devices across geographies, business units, or other segmentations in a single console, and then define, delegate, and manage with role-based access controls (RBAC). |
Table 5: Workspace ONE app delivery capabilities
Zero Trust security and endpoint compliance with conditional access
To protect the most sensitive information, Workspace ONE combines identity and device management to enforce access decisions based on a range of conditions from strength of authentication to network, location, and device compliance.
| CAPABILITY | DESCRIPTION |
|---|---|
| Securing the endpoints with integrated protection to enable endpoint security services (ESS) and Zero Trust policies | Workspace ONE Mobile Threat Defense™ provides security to your end users with integration from our trusted partner, Lookout. Embedded into the Workspace ONE Hub application, it lets administrators ensure that mobile-enabled platforms such as iOS / iPadOS / Android OS and ChromeOS are protected from device, network, application and phishing threats without having to install or enable another app on the user’s device, as the agent securing them is already within the Hub app. |
| Combines device management and access management for a Zero Trust approach to security including Conditional Access | Workspace ONE combines device trust information, based on the device security settings and software inventory (checking for rooted or jailbroken devices as well as allowlisted or denylisted applications), with user information, target application, location information, and authentication method to deliver conditional access control to applications and data. With the Workspace ONE conditional access feature, administrators can create access policies that go beyond the evaluation of user identity and valid credentials. Combining Workspace ONE UEM and Workspace ONE Access, administrators can evaluate the target resource being accessed, the source network from which the request originated, and the type and compliance status of the device. With these criteria, access policies can present a more sophisticated authentication challenge only when needed, or deny access when secure conditions are not met. |
| Identity broker | Integrate with third-party identity stores (e.g., identity as a service [IDaaS]) and providers, including Active Directory, LDAP, Okta, and Ping. |
| Federated SSO | Federate Active Directory to third-party or internally developed apps (e.g., Entrust) using one of the federation standards. |
Table 6: Workspace ONE Zero Trust & conditional access capabilities
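The conditional-access description in Table 6 lists the inputs an access decision draws on (device compliance from UEM, source network, target resource, authentication strength, location) and the three possible outcomes: allow, step up the authentication challenge, or deny. The following is an added illustration of that decision logic, not VMware product code; the policy fields, CIDR ranges, app names and thresholds are constructed for the example.

```python
"""Conditional-access decision logic modelled on the Table 6 description.
Added example, not VMware product code: every policy value is constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # grant only after a stronger authentication challenge
    DENY = "deny"


@dataclass
class Device:
    platform: str                       # "ios", "android", "windows", ...
    managed: bool                       # enrolled in UEM, so device trust exists
    compromised: bool                   # rooted / jailbroken as reported by UEM
    os_version: tuple[int, ...] = (0,)
    installed_apps: set[str] = field(default_factory=set)


@dataclass
class Request:
    user: str
    device: Device
    source_ip: str
    target_app: str
    auth_method: str                    # "password", "certificate" or "mfa"
    country: str


@dataclass
class Policy:
    trusted_networks: list[str]         # CIDR ranges treated as on-network
    denylisted_apps: set[str]
    min_os: dict[str, tuple[int, ...]]  # per-platform minimum OS version
    sensitive_apps: set[str]            # resources needing managed device + strong auth
    allowed_countries: set[str]
    strong_auth: frozenset[str] = frozenset({"certificate", "mfa"})

    def compliance_failures(self, d: Device) -> list[str]:
        """Device-side checks that UEM feeds into the access decision."""
        failures = []
        if d.compromised:
            failures.append("device is rooted/jailbroken")
        if d.installed_apps & self.denylisted_apps:
            failures.append("denylisted app installed")
        if d.os_version < self.min_os.get(d.platform, (0,)):
            failures.append("OS version below minimum")
        return failures

    def on_trusted_network(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.trusted_networks)

    def evaluate(self, r: Request) -> tuple[Decision, str]:
        """Hard denies are checked first; remaining conditions only raise the
        authentication bar rather than blocking outright."""
        if r.country not in self.allowed_countries:
            return Decision.DENY, f"location {r.country} not permitted"
        failures = self.compliance_failures(r.device)
        if failures:
            return Decision.DENY, "; ".join(failures)
        strong = r.auth_method in self.strong_auth
        if not r.device.managed:
            # No device trust: sensitive resources are off-limits and everything
            # else requires strong authentication regardless of network.
            if r.target_app in self.sensitive_apps:
                return Decision.DENY, "unmanaged device cannot reach sensitive app"
            if strong:
                return Decision.ALLOW, "unmanaged device with strong auth"
            return Decision.STEP_UP, "unmanaged device requires strong auth"
        if (r.target_app in self.sensitive_apps and not strong
                and not self.on_trusted_network(r.source_ip)):
            return Decision.STEP_UP, "sensitive app from external network"
        return Decision.ALLOW, "managed, compliant device"


# Constructed sample policy (placeholder values, not any agency's real settings).
POLICY = Policy(
    trusted_networks=["10.0.0.0/8", "192.168.0.0/16"],
    denylisted_apps={"com.example.screenrecorder"},
    min_os={"ios": (16, 0), "android": (13,)},
    sensitive_apps={"hr-portal", "case-management"},
    allowed_countries={"US"},
)


def decide(r: Request) -> Decision:
    """Convenience wrapper returning only the decision for the sample policy."""
    return POLICY.evaluate(r)[0]


if __name__ == "__main__":
    managed_ios = Device("ios", managed=True, compromised=False, os_version=(17, 1))
    external = Request("alice", managed_ios, "203.0.113.9",
                       "case-management", "password", "US")
    print(POLICY.evaluate(external))  # sensitive app, off-network, password -> step-up
```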
Secure productivity apps
Workspace ONE secure productivity apps include catalog, email, calendar, contacts, content, authentication access, and more. Designed for mobile users, Workspace ONE apps have a wealth of time-saving features employees want to use, and industry-leading, enterprise-grade security to protect sensitive agency data. Enable users with frictionless, secure access to the apps, tools, and content they require to get work done from anywhere.
CAPABILITY | DESCRIPTION |
Mobile App Management | Install, track inventory, configure and assign apps—such as internal, public, web and native apps—to users and devices, and including app wrapping for added security policies and management capabilities into an app that is already developed. |
Empower employees with an enhanced catalog and progressive value | Workspace ONE Intelligent Hub combines with Workspace ONE Access to provide a single destination where employees have unified onboarding, catalog, and an enhanced user experience to access Hub Services, such as People, Notifications, and Home. Core capabilities of the Workspace ONE platform are leveraged to deliver a secure, consistent, cross-platform experience. Hub Services include: Notifications – Provides IT-administered push and in-app notifications, and custom notifications. People – Enables users to quickly look up colleagues via an employee directory; includes organization chart with name, email, phone, and search. Home – Gives users access to agency resources by embedding an intranet or agency portal. |
Secure, NIAP-accredited E-Mail application designed to keep employees productive | Workspace ONE Boxer is an intuitive, NIAP-accredited, all-in-one email, calendar, and contacts app. It supports S/MIME encryption to increase the security of digital messages. Workspace ONE Boxer supports Exchange, Outlook, Google Workspace (formerly G Suite), Yahoo, Hotmail, iCloud, Office 365, IMAP, and POP3 mail accounts. |
Integrated calendar and contacts with email make it simple to manage | By integrating email, calendar, and contacts, employees no longer need to move out of the email app when checking their calendar, looking up a colleague, and more. |
Advanced email attachment security reduces data leakage | Secure email and attachments through the use of VMware’s Secure Email Gateway™, which enforces S/MIME encryption, wipe, and open-in controls to keep attachments secure. |
Content management app permits line of business to push and manage secure content on the device | The Workspace ONE Content application gives admins the power to distribute files directly to devices, users, groups, and more across a range of internal repositories and external cloud storage providers, ensuring the latest, most up-to-date information is at employees’ fingertips. |
SECURE APPS & DATA | |
Workspace ONE Smartfolio™ | Deliver personalized, managed content in a user-friendly format to employees via this secure, containerized mobile application, while meeting compliance and workflow requirements. |
Workspace ONE Cards™ | Enable employees to scan business cards and convert them quickly and securely to Exchange contacts via this secure, containerized mobile application. |
Workspace ONE Web | Give employees frictionless access to intranet sites and web apps via this secure, containerized mobile application. Includes the ability to lock devices into kiosk (single-app) mode. |
Workspace ONE Content | Enable employees to aggregate, view and mark up files across on-premises and cloud- based file repositories via this secure, containerized mobile application. Includes mobile content management, file editing and annotation while protecting from data loss with cut/copy/paste/open-in restrictions. |
Workspace ONE Send | Enable the secure passing, back and forth, of Microsoft Intune-protected Word, Excel or PowerPoint attachments between Office 365 apps and Workspace ONE productivity apps. |
Table 7: Workspace ONE productivity app capabilities
Integrated Trust Framework
VMware Workspace ONE uses FedRAMP High Authorized technologies, Workspace ONE UEM and Workspace ONE Access, to build a framework of trust for operating in today's perimeterless world. By delivering a better user experience without compromising security, Workspace ONE helps modernize government IT to meet the challenges of the 21st century.
With the addition of VMware Workspace ONE Intelligence to the Workspace ONE FedRAMP environment, government customers have two options for integration:
- An on-premises UEM deployment, using the Intelligence Connector to transfer data from the on-premises UEM to the hosted Intelligence tenant.
- A new or existing FedRAMP cloud-hosted UEM tenant, which integrates with Intelligence natively.
After deployment, customers can use the secure, cloud-hosted Intelligence service to gain insights, analytics, and automation for the digital workspace, including deep visibility into device, user, and app posture, enabling data-driven decisions across an agency's or branch's entire environment, as reflected in Figure 3.
Figure 3: Workspace ONE Intelligence Connector Examples
Building on the device and user management capabilities of Workspace ONE UEM, identity management via Access, and user/device app and experience management through Hub Services, Intelligence adds the following benefits.
Workspace ONE Intelligence Benefits
At its core, Workspace ONE Intelligence is designed to simplify user experience without compromising security. The intelligence service aggregates and correlates data from multiple sources to give complete visibility into the entire environment. It produces the insights and data that will allow you to make the right decisions for your Workspace ONE deployment. Intelligence has a built-in automation engine that can create rules to take automatic action on security issues as highlighted in Table 8.
CATEGORY | DESCRIPTION |
Digital Employee Experience Mgt. (DEEM) | *Mobile app analytics (Intelligence SDK), not including VMware Productivity Apps |
Reports & Dashboards | |
Security | |
Automation | |
Table 8: FedRAMP Phase I Feature Matrix
The complete Workspace ONE Intelligence Reference Architecture Guide (see Figure 1 for an architecture flow overview) provides a framework and guidance on architecture, design considerations, and deployment of the Workspace ONE suite and Horizon VDI solutions, and on integrating Workspace ONE Intelligence with them. Agencies and branches that want to evaluate the platform can request the System Security Plan for the VMware solution through the submission portal on the GSA FedRAMP Marketplace, as is available for every FedRAMP Authorized XaaS solution. Note: this information gives the agency's Authorizing Official (AO) the material needed to review the service and authorize its use.
Figure 4: Data Sources for Workspace ONE Intelligence
Zero Trust Architecture & Network Access (ZTA / ZTNA)
Organizations can also implement a Zero Trust approach to security, using machine learning to deliver continuous verification with risk analytics based on user behavior and device context. Agencies can enable a Zero Trust security framework with the inherent security capabilities of the intelligence-driven Workspace ONE platform and the Workspace ONE Trust Network, as shown in Figure 5. This ecosystem of integrated partner solutions is enhanced by what Intelligence provides. The integrated solution helps agencies empower the 'anywhere organization' and:
- Provides Digital Employee Experience Management, part of Workspace ONE Intelligence, a set of capabilities that help IT admins monitor the digital workspace KPIs affecting a user's experience, proactively discover issues, and remediate them quickly with automation.
- Aggregates, correlates, and analyzes data from multiple sources to deliver integrated insights, analytics, and automation for the digital workspace, surfacing risk from threats and feeding actions that enforce the ZTA model, as represented in Figure 5.
- Lets IT teams proactively improve digital employee experience, strengthen security, and optimize IT operations.
- Applies single sign-on (SSO) to SaaS, web, and virtualized desktops and applications.
Figure 5: Consolidated Threat View Example - Reported by Trust Network Solutions Over Time & CVE Metrics
Platform Privacy and Security
VMware is committed to supporting the government's security and privacy management and policies. Intelligence gives IT administrators control over data collection and storage configuration: each data source it aggregates can be opted in or out of, and the connection from any other Workspace ONE suite component can be deauthorized. The sources and the data they supply are:
- UEM – Device identifiers (UDID, IMEI, IP address, MAC address, serial number), first name, last name, email, managed apps list, telecom and network information, app usage data, and device security health.
- Access – User login details, including successful and failed attempts, and app launch data.
- Intelligence SDK – App crash details, monthly active users (MAU), daily active users (DAU), app launches, network details, and app usage details.
- Common Vulnerabilities and Exposures (CVEs) – Contains no PII; Workspace ONE simply ingests CVE data from public sources such as NIST.
- Multi-factor Authentication (MFA) – Workspace ONE Access supports chained two-factor authentication (2FA). The primary authentication method can be username and password or mobile SSO, combined with RADIUS, RSA Adaptive Authentication, or VMware Workspace ONE Verify as a secondary method for additional access-control assurance.
Additionally, customers control all personally identifiable information (PII) sent to the cloud, such as phone number, username, email, and private app information. Raw data is retained for 3 months and trend data for 12 months.
Lastly, VMware takes pride in the assurance of its cloud-hosted solutions providing industry-leading security. The system has undergone penetration testing by a team of VMware InfoSec professionals. Customer data collected from the Workspace ONE production environment is encrypted in transit using HTTPS (TLS 1.2 with AES-based cipher suites) when uploaded to Amazon Web Services (AWS), ensuring confidentiality during transfer.
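An agency AO will usually want to verify the transport claim above against the tenant endpoint rather than take it on trust. The following is an added example, not VMware code, that encodes the stated policy (TLS 1.2 or newer, AES-based cipher suite) as a hardened client context plus a post-handshake check; the hostname is an assumed placeholder supplied on the command line, and the handshake results used in the comments are constructed.

```python
"""Added example (not VMware code): check a TLS endpoint against the policy the
text states, i.e. TLS 1.2 or newer with an AES-based cipher suite.
Any hostname passed on the command line is an assumed placeholder."""
import socket
import ssl
import sys
from typing import Tuple

MIN_VERSION = ssl.TLSVersion.TLSv1_2
# OpenSSL cipher-list string for the TLS 1.2 suites we are willing to offer:
# forward-secret AES-GCM only; NULL, export-grade, RC4 and 3DES explicitly out.
AES_ONLY = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!EXPORT:!RC4:!3DES"
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def build_client_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and hostname,
    refuses anything below TLS 1.2, and offers only AES-GCM TLS 1.2 suites.
    Note: set_ciphers() does not govern TLS 1.3 suites, so a TLS 1.3 server
    may still pick TLS_CHACHA20_POLY1305_SHA256; handshake_meets_policy()
    below catches that after the handshake."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers(AES_ONLY)
    return ctx


def context_is_aes_only(ctx: ssl.SSLContext) -> bool:
    """True if every TLS 1.2 suite the context would offer is AES-based.
    TLS 1.3 entries are skipped because set_ciphers() cannot restrict them."""
    return all(
        "AES" in c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    )


def handshake_meets_policy(version: str, cipher: str) -> bool:
    """Evaluate a negotiated (protocol, cipher) pair, as returned by
    SSLSocket.version() and SSLSocket.cipher()[0], against the policy.
    Constructed examples: ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384") passes,
    ("TLSv1.1", "ECDHE-RSA-AES256-SHA") and
    ("TLSv1.2", "ECDHE-RSA-CHACHA20-POLY1305") fail."""
    return (
        version in ALLOWED_VERSIONS
        and "AES" in cipher
        and "NULL" not in cipher
    )


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Connect to host:port and return (protocol, cipher_name).
    ssl.SSLError is raised if the server cannot satisfy the context
    (e.g. it only speaks TLS 1.0/1.1 or offers no AES-GCM suite)."""
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _proto, _bits = tls.cipher()
            return tls.version(), cipher_name


if __name__ == "__main__":
    # Usage: python tls_check.py <tenant-hostname>   (hostname is an assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "tenant.example.invalid"
    ver, suite = probe(target)
    verdict = "OK" if handshake_meets_policy(ver, suite) else "FAIL"
    print(f"{target}: {ver} {suite} -> {verdict}")
```

Two design points matter here. First, a hardened client context is a negative test: if the server can only satisfy TLS 1.0/1.1 or a non-AES suite, the handshake fails outright, which is the evidence you want. Second, because `set_ciphers()` has no effect on TLS 1.3 suites, the check has to be repeated on the negotiated result, which is why `handshake_meets_policy()` exists separately from the context.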
Only customers can access their data, through a unique Workspace ONE login that also covers the Workspace ONE console interface. VMware will not access a customer's data without consent. Multiple levels of multi-factor authentication (MFA) access control lock down the system so that data is exposed only at the customer's request.
VMware Compliance
VMware takes great pride in participating and complying with regulatory programs worldwide and continues to expand our compliance programs to meet the requirements of the most demanding missions. More information on VMware compliance can be found in the VMware Cloud Trust Center.
VMware Workspace ONE FedRAMP Summary
VMware is committed to providing industry-leading public-sector solutions for endpoint management security, virtualization, cloud, and mobile, embracing not only commercial requirements and industry standards but also government certification and accreditation programs, and serving as a resource for Federal, State, and Local government needs.
VMware's Workspace ONE FedRAMP High Authorized solution, which includes Workspace ONE UEM, Intelligence, Intelligent Hub, and Access, provides a single unified device and user enablement platform. It onboards users and their devices and delivers an application catalog, multi-factor authentication, conditional access, and SSO to SaaS, web, and native apps. It can also deliver actionable notifications to users, a people search directory, and access to support or intranet pages, reducing downtime and maximizing users' time and efficiency.
Additional Resources
For more information on configuring or enabling Workspace ONE, Workspace ONE Intelligence and UEM, as well as Access, and Hub Services:
Workspace ONE Documentation
- VMware Workspace ONE UEM Release Notes
- VMware Workspace ONE Intelligence Release Notes
- VMware Workspace ONE Access Release Notes
Workspace ONE Government & Compliance Solutions
- Tech Zone: VMware Workspace ONE Security & Compliance Solutions
- Tech Zone: VMware Public Sector Solutions
- Tech Zone: VMware Horizon Cloud Service FedRAMP High / IL5
- Tech Zone: VMware Workspace ONE MTD FedRAMP Solution
Changelog
The following updates were made to this guide:
Date | Description of Changes |
2023/11/16 | |
2023/10/27 | |
About the Author
Andrew Osborn serves at VMware as a dedicated Staff Technical Marketing Architect for all things End-User Computing (EUC) compliance and regulatory. He has over 20 years of experience in the IT industry, including the last 10 years in the public sector, with roles spanning cybersecurity, networking, enterprise operations, mobility, and telco solutions across numerous technologies and architectures. Andrew received an MIS degree from the University of Oklahoma, holds ISC2 CISSP and GIAC GSLC certifications, and is based in San Antonio, TX. He will be contributing to VMware's Tech Zone to provide more tailored messaging for Federal, State, Local, and Education (SLED) solutions from VMware EUC.
Feedback
Your feedback is valuable.
To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.