VMware Workspace ONE Cloud-Based Reference Architecture

Component Design: Workspace ONE UEM Architecture

VMware Workspace ONE® UEM (powered by AirWatch) is responsible for device enrollment, a mobile application catalog, policy enforcement regarding device compliance, and integration with key enterprise services, such as email, content, and social media.

Workspace ONE UEM features include:

  • Device management platform – Allows full life-cycle management of a wide variety of devices, including phones, tablets, Windows 10, and rugged and special-purpose devices.
  • Application deployment capabilities – Provides automatic deployment or self-service application access for employees.
  • User and device profile services – Ensures that configuration settings for users and devices:
    • Comply with enterprise security requirements
    • Simplify end-user access to applications
  • Productivity tools – Includes an email client with secure email functionality, a content management tool for securely storing and managing content, and a web browser to ensure secure access to corporate information and tools.

Workspace ONE UEM can be implemented using an on-premises or a cloud-based (SaaS) model.

Design decision: Although either an on-premises or a cloud-based implementation could deliver the required capabilities, in this reference architecture, a cloud-based Workspace ONE UEM design is used.

Design Overview

With a cloud-based implementation of Workspace ONE UEM, the service is delivered as a software as a service (SaaS). To synchronize Workspace ONE with internal resources such as Active Directory or a Certificate Authority, you use a separate cloud connector, which can be implemented using an AirWatch Cloud Connector. The separate connector can run within the internal network in an outbound-only connection mode, meaning the connector receives no incoming connections from the DMZ.

The simple implementation usually consists of:

  • A Workspace ONE UEM tenant
  • VMware AirWatch Cloud Connector

Figure: Sample Workspace ONE UEM Logical Architecture

The main components of Workspace ONE UEM are described in the following table.

Table: VMware Workspace ONE UEM Components



Workspace ONE UEM Console

Administration console for configuring policies within Workspace ONE UEM, to monitor and manage devices and the environment.

This service is hosted in the cloud and managed for you as a part of the SaaS offering.

AirWatch device services

Services that communicate with managed devices. Workspace ONE UEM relies on this component for:

  • Device enrollment
  • Application provisioning
  • Delivering device commands and receiving device data
  • Hosting the Workspace ONE UEM self-service portal

This service is hosted in the cloud and managed for you as a part of the SaaS offering.

API endpoint

Collection of RESTful APIs, provided by Workspace ONE UEM, that allows external programs to use the core product functionality by integrating the APIs with existing IT infrastructures and third-party applications.

VMware Workspace ONE® APIs are also used by various Workspace ONE UEM services such as Secure Email Gateway for interactions and data gathering.

This service is hosted in the cloud and managed for you as a part of the SaaS offering.

VMware AirWatch Cloud Connector

Component that performs directory sync and authentication using an on-premises resource such as Active Directory or a trusted Certificate Authority.

This service is hosted in your internal network in outbound-only mode and can be configured for automatic upgrades.

AirWatch Cloud Messaging service (AWCM)

Service used in conjunction with the AirWatch Cloud Connector to provide secure communication to your backend systems. AirWatch Cloud Connector also uses AWCM  to communicate with the Workspace ONE UEM Console.

AWCM also streamlines the delivery of messages and commands from the Workspace ONE UEM Console by eliminating the need for end users to access the public Internet or utilize consumer accounts, such as Google IDs. It serves as a comprehensive substitute for Google Cloud Messaging (GCM) for Android devices  and is the only option for providing mobile device management (MDM) capabilities for Windows rugged devices. Also, the VMware Workspace ONE® Intelligent Hub utilizes AWCM to communicate with Windows 10.

This service is hosted in the cloud and managed for you as a part of the SaaS offering.

VMware Workspace ONE® Tunnel

The Workspace ONE Tunnel provides a secure and effective method for individual applications to access corporate resources hosted in the internal network. The Workspace ONE Tunnel uses a unique X.509 certificate (delivered to enrolled devices by Workspace ONE) to authenticate and encrypt traffic from applications to the tunnel.


Workspace ONE Tunnel has two components – Proxy and Per-App VPN. The proxy component is responsible for securing traffic from endpoint devices to internal resources through the VMware Workspace ONE® Web app and through enterprise apps that leverage the Workspace ONE SDK. The per-app tunnel component enables application-level tunneling (as opposed to full device-level tunneling) for managed applications on iOS, macOS, Android, and Windows devices.

AirWatch Cloud Connector

Even when utilizing cloud solutions, such as Workspace ONE UEM, you might want to use some in-house components and resources, for example, email relay, directory services (LDAP/ AD), Certificate Authority, and PowerShell Integration with Exchange. These resources are usually secured by strict firewall rules in order to avoid any unintended or malicious access. Even though these components are not exposed to public networks, they offer great benefits when integrated with cloud solutions such as Workspace ONE.

The AirWatch Cloud Connector allows seamless integration of on-premises resources with the Workspace ONE UEM cloud deployment. This allows organizations to leverage the benefits of Workspace ONE Unified Endpoint Management (UEM), running in any configuration, together with those of their existing LDAP, Certificate Authority, email relay, PowerShell Integration with Exchange, and other internal systems.

The AirWatch Cloud Connector (ACC) runs in the internal network, acting as a proxy that securely transmits requests from Workspace ONE UEM to the organization’s enterprise infrastructure components. The ACC always works in an outbound-only mode, which protects it and allows it to work with existing firewall rules and configurations.

Workspace ONE UEM and the ACC communicate by means of AirWatch Cloud Messaging (AWCM). This communication is secured through certificate-based authentication, with the certificates generated from a trusted AirWatch Certificate Authority.

The ACC integrates with the following internal components:

  • Email relay (SMTP)
  • Directory services (LDAP/AD)
  • Email Management Exchange 2010 (PowerShell)
  • BlackBerry Enterprise Server (BES)
  • Lotus Domino Web Service (HTTPS)
  • Syslog (event log data)

The ACC also allows the following PKI integration add-ons:

  • Microsoft Certificate Services (PKI)
  • Simple Certificate Enrollment Protocol (SCEP PKI)
  • Third-party certificate services (on-premises only)


You can configure multiple instances of ACC by installing them on additional dedicated servers using the same installer. The traffic is automatically load-balanced by the AWCM component and does not require a separate load balancer.

Multiple ACC instances can receive traffic (that is, use a live-live configuration) as long as the instances are in the same organization group and connect to the same AWCM server for high availability. Traffic is routed by AWCM and depends on the current load.

See On-Premises Architecture Hardware Assumptions in the ARCHITECTURE section of the VMware Workspace ONE UEM Online Help for recommendations on the number of ACC instances required and for hardware requirements. Note that the documentation shows only the number of connectors required for each sizing scenario to cope with the load demand. It does not include additional servers in those numbers to account for redundancy.

Design decision: Three instances of VMware AirWatch Cloud Connector are deployed. Two are required based on load and a third is added for redundancy.

AirWatch Cloud Connector Installation

Refer to the latest VMware Workspace ONE UEM documentation for full details on the VMware AirWatch Cloud Connector Installation Process.

Integration with VMware Identity Manager

Integrating Workspace ONE UEM and VMware Identity Manager into Workspace ONE provides several benefits. Workspace ONE uses VMware Identity Manager for authentication, SaaS, and VMware Horizon application access. Workspace ONE uses Workspace ONE UEM for device enrollment and management.

The integration process between the two solutions is detailed in Integrating Workspace ONE UEM With VMware Identity Manager in the Guide to Deploying VMware Workspace ONE with VMware Identity Manager.

Also see the Platform Integration section of this guide for more detail.

Resource Types

A Workspace ONE implementation can include many types of application resources used in the enterprise.

Native Mobile Apps

Native mobile apps from the Apple App Store, Google Play, and the Microsoft Windows Store have brought about new ways of easily accessing tools and information to make users more productive. A challenge has been making the available apps easy to find, install, and control. Workspace ONE UEM has long provided a platform for distribution, management, and security for these apps. Apps can be published from the app stores themselves or, for internally developed apps, they can be uploaded to the Workspace ONE UEM service for distribution to end users.

Figure: VMware Native Mobile Apps

Unified App Catalog

When Workspace ONE UEM and VMware Identity Manager are integrated so that apps from both platforms can be enabled for end users, the option to use the unified catalog in VMware Identity Manager is enabled. This catalog pulls entitlements from both platforms and displays them appropriately in the Workspace ONE native app on a mobile device. The Workspace ONE client determines which apps to display on which platform. For example, iOS apps appear only on devices running iOS, and Android apps appear only on Android devices. 

Figure: Unified Catalog in VMware Identity Manager

Conditional Access

With the Workspace ONE conditional access feature, administrators can create access policies that go beyond the evaluation of user identity and valid credentials. Combining Workspace ONE UEM and VMware Identity Manager, administrators can evaluate the target resource being accessed, the source network from which the request originated, and the type and compliance status of the device. With these criteria, access policies can provide a more sophisticated authentication challenge only when needed or deny access when secure conditions are not met.

Using the Workspace ONE UEM Console to Create Access Policies

Configuration of compliance starts in the Workspace ONE UEM Console. Compliance policies are created by determining:

  1. A criterion to check, such as a jail-broken or rooted device
  2. An action to take, such as an email to an administrator or a device wipe
  3. An escalation to further actions if the device is not returned to compliance within a set time
  4. An assignment to devices or users

Examples of rules are listed in the following table.

Table: Examples of Access Policy Rules

Compliance Criterion

Policy Description

Application list

A device is out of compliance with the policy for one or more of the following reasons:

  • Blacklisted apps are installed on the device.
  • Non-whitelisted apps are installed on the device.
  • Required apps are not installed.
  • The version of the installed app is different from the one defined in the policy.

Last compromised scan

A device complies with this policy if the device was last scanned for compliance within the timeframe defined in the policy.


A device complies with this policy if a passcode is set in the device by the user. A corresponding rule provides information on the passcode and encryption status of the device.

Device roaming

A device is out of compliance with this policy if the device is roaming.

Refer the section Compliance Policy Rules Descriptions in the  VMware Workspace ONE UEM Online Help for the complete list. Because not all the options apply to all the platforms, also see Compliance Policy Riles by Platform in the  VMware Workspace ONE UEM Online Help.

Using the VMware AirWatch REST API to Extend Device Compliance Parameters

With the VMware AirWatch REST API, the definition of a device’s compliance status can be extended beyond what is available within the Workspace ONE UEM Console by leveraging an integration with one or more partners from the extensive list of VMware Mobile Security Alliance (MSA) partners. For more information, see Mitigate Mobile Threats with Best-of-Breed Security Solutions.

To use the device posture from Workspace ONE UEM with VMware Identity Manager, you must enable the Device Compliance option when configuring the Workspace ONE UEM –VMware Identity Manager integration. The Compliance Check function must also be enabled.

Figure: Enable Compliance Check

After you enable the compliance check through Workspace ONE UEM, you can add a rule that defines what kind of compliance parameters are checked and what kind of authentication methods are used.

Figure: Device Compliance Policy

The device’s unique device identifier (UDID) must also be captured in Workspace ONE UEM and used in compliance configuration. This feature works with mobile SSO for iOS, mobile SSO for Android, and certificate cloud deployment authentication methods.

Note: Before you use the Device Compliance authentication method, you must use a method that obtains the device UDID. Evaluating device compliance before obtaining the UDID does not result in a positive validation of the device’s status.

Multi-factor Authentication

VMware Identity Manager supports chained, two-factor authentication. The primary authentication methods can be username and password or mobile SSO. You can combine these authentication methods with RADIUS, RSA Adaptive Authentication, and VMware Workspace ONE® Verify as secondary authentication methods to achieve additional security for access control.

Standalone MAM and Adaptive Management

Workspace ONE supports a variety of device and application management approaches. Standalone mobile application management (MAM) allows a user to download the Workspace ONE app from public app stores and immediately take advantage of entitled apps and corporate-published native mobile apps. The benefits of this approach include:

  • IT can distribute corporate-approved public mobile apps to unmanaged devices through the Workspace ONE app catalog.
  • With the Workspace ONE app installed, users can use SSO to access other VMware apps, including Workspace ONE Web and VMware Workspace ONE® Content, or any custom app built using the Workspace ONE SDK.
  • When an unmanaged device is out of compliance (for example, jail-broken), the system quickly takes action to protect company data. When a violation is detected, all company data is removed from the Workspace ONE app, Workspace ONE productivity apps (for example, Workspace ONE Content), and any custom app built using the Workspace ONE SDK.

Triggering the Enrollment Process from the Workspace ONE App

For applications that require a higher level of security assurance, users can enroll their device in Workspace ONE UEM directly from the Workspace ONE app, instead of downloading the Workspace ONE Intelligent Hub. All entitled apps are listed in the catalog. Apps that require enrollment are marked with a star icon. When the user tries to download an app with a­ star icon, the enrollment process is triggered. For example, users can download a conferencing app, such as WebEx, without enrollment. But they are prompted to enroll when they try to download, for example, Salesforce1, from the catalog.

Figure: Adaptive Management

Enabling Adaptive Management for iOS 

Adaptive management is enabled on an application-by-application basis within the Workspace ONE UEM Console. Within an application profile, an administrator can choose to require management of a device prior to allowing use of that app.

This feature is only supported for Apple iOS and is now deprecated for Android. The new standard for app deployment with Android is through Android Enterprise, as described in the VMware AirWatch Android Platform Guide.

Figure: Workspace ONE Application Deployment for Adaptive Management

Mobile Single Sign-On

One of the hallmark features of the Workspace ONE experience is mobile SSO technology, which provides the ability to sign in to the app once and gain access to all entitled applications, including SaaS apps. This core capability can help address security concerns and password-cracking attempts and vastly simplifies the end-user experience for a mobile user. A number of methods enable this capability on both VMware Identity Manager and Workspace ONE UEM. SAML becomes a bridge to the apps, but each native mobile platform requires different technologies to enable SSO.

Configuration of mobile SSO for iOS and Android devices can be found in the Guide to Deploying VMware Workspace ONE with VMware Identity Manager.

Mobile SSO for iOS

Kerberos-based SSO is the recommended SSO experience on managed iOS devices. VMware Identity Manager offers a built-in Kerberos adapter, which can handle iOS authentication without the need for device communication to your internal Active Directory servers. In addition, Workspace ONE UEM can distribute identity certificates to devices using a built-in AirWatch Certificate Authority, eliminating the requirement to maintain an on-premises CA.

Alternatively, enterprises can use an internal key distribution center (KDC) for SSO authentication, but this typically requires the provisioning of an on-demand VPN. Either option can be configured in the Standard Deployment model, but the built-in KDC must be used in the Simplified Deployment model that is referenced in the Guide to Deploying VMware Workspace ONE with VMware Identity Manager.

Mobile SSO for Android

Workspace ONE offers universal Android mobile SSO, which allows users to sign in to enterprise apps securely without a password. Android mobile SSO technology requires device enrollment and the use of Workspace ONE Tunnel to authenticate users against SaaS applications.

Refer to Android Mobile Single Sign-On to VMware Workspace ONE.

Windows 10 and Mac SSO

Certificate-based SSO is the recommended experience for managed Windows desktops and laptops and the Mac. An Active Directory Certificate Services or other CA is required to distribute certificates. Workspace ONE UEM can integrate with an on-premises CA through AirWatch Cloud Connector or an on-demand VPN.

Refer to Certificate Management in the INTEGRATIONS section of the VMware Workspace ONE UEM Online Help.

Email Integration

Workspace ONE offers a great number of choices when it comes to devices and email clients. Although this flexibility allows the choice of an email client, it also potentially exposes the enterprise to data leakage due to a lack of control after email messages reach the device.

Another challenge is that many organizations are moving to cloud-based email services, such as Microsoft Office 365 and G Suite (formerly Google Apps for Work). These services provide fewer email control options than the on-premises models that an enterprise might be accustomed to. 

This section looks at the email connectivity models and the pros and cons of each.

VMware Workspace ONE UEM Secure Email Gateway Proxy Model

The VMware Workspace ONE® UEM Secure Email Gateway proxy server is a separate server installed in-line with your existing email server to proxy all email traffic going to mobile devices. Based on the settings you define in the Workspace ONE UEM Console, the Workspace ONE UEM Secure Email Gateway proxy server allows or blocks email for every mobile device it manages, and it relays traffic only from approved devices. With some additional configuration, no devices are allowed to communicate directly with the corporate email server.

Figure:  Workspace ONE UEM Secure Email Gateway Architectures

Direct PowerShell Model

In this model, Workspace ONE UEM adopts a PowerShell administrator role and issues commands to the Exchange ActiveSync infrastructure to permit or deny email access based on the policies defined in the Workspace ONE UEM Console. PowerShell deployments do not require a separate email proxy server, and the installation process is simpler. In case of an on-premises Exchange, AirWatch Cloud Connector (ACC) can be leveraged to prevent inbound traffic flow.


Figure: Microsoft Office 365 Email Architecture

Supported Email Infrastructure and Models

Use the following table to compare these models and the mail infrastructures they support.

Table: Supported Email Deployment Models

Deployment Model

Configuration Mode

Mail Infrastructure

Proxy model

Workspace ONE UEM Secure Email Gateway (proxy)

Microsoft Exchange 2010, 2013, and 2016

IBM Domino with Lotus Notes

Novel GroupWise (with EAS)

G Suite

Office 365 (For attachment encryption)

Direct model

PowerShell model

Microsoft Exchange 2010, 2013, and 2016

Microsoft Office 365

Direct model

Google model

G Suite

Microsoft Office 365 requires additional configuration for the Workspace ONE UEM Secure Email Gateway proxy model. Workspace ONE UEM recommends the direct model of integration with cloud-based email servers unless attachment encryption is required.

The following table summarizes the pros and cons of the deployment features of Workspace ONE UEM Secure Email Gateway and PowerShell to help you choose which deployment is most appropriate.

Table: Workspace ONE UEM Secure Email Gateway and PowerShell Feature Comparison




Workspace ONE UEM Secure Email Gateway

  • Real-time compliance
  • Attachment encryption
  • Hyperlink transformation
  • Additional servers needed
  • Office 365 must be federated with Workspace ONE to prevent users from directly connecting to Office 365


No additional on-premises servers required for email management


  • No real-time compliance sync
  • Not recommended for deployments larger than 100,000 devices
  • VMware Workspace ONE® Boxer required to containerize attachments and hyperlinks in Workspace ONE Content and Workspace ONE Web

Key Design Considerations

VMware recommends using Workspace ONE UEM Secure Email Gateway for all on-premises email infrastructures with deployments of more than 100,000 devices. For smaller deployments or cloud-based email, PowerShell is another option.

For more information on design considerations for mobile email management, see the most recent VMware AirWatch Mobile Email Management Guide.

Design decision: Because this design includes Microsoft Office 365 email, the PowerShell model is used with Workspace ONE Boxer. Although this decision limits employee choice of mail client and removes native email access in the Mobile Productivity service, it provides the best protection available against data leakage.

Next Steps

  • Configure Microsoft Office 365 email through PowerShell.
  • Configure Workspace ONE Boxer as an email client for deployment as part of device enrollment.

Conditional Access Configured for Microsoft Office 365 Basic Authentication

By default, Microsoft Office 365 basic authentication is vulnerable because credentials are entered in the app itself rather than being submitted to an identity provider (IdP) in a browser, as with modern authentication. However, with Workspace ONE, you can easily enhance the security and control over Microsoft Office 365 with an active flow.

You can now control access to Office 365 active flows based on the following access policies in VMware Identity Manager:

  • Network range
  • Device OS type
  • Group membership
  • Email protocol
  • Client name

Figure: Microsoft Office 365 Active Flow Conditional Access Policies

Content Integration

Mobile content management (MCM) can be critical to device deployment, ensuring that content is safely stored in enterprise repositories and available to end users when and where they need it with the appropriate security controls. The MCM features in Workspace ONE UEM provide users with the content they need while also providing the enterprise with the security control it requires.

Content Management Overview

  1. Workspace ONE UEM managed content repository – Workspace ONE UEM administrators with the appropriate permissions can upload content to the repository and have complete control over the files that are stored in it.  
  2. The synchronization process involves two components:
  • VMware Content Gateway – This on-premises node provides secure access to content repositories or internal file shares. You can deploy it as a service on a VMware Unified Access Gateway virtual appliance. It supports both R cascade mode (formally known as relay-endpoint) and endpoint-only deployment models.
  • Corporate file server – This preexisting repository can reside within an organization’s internal network or on a cloud service. Depending on an organization’s structure, the Workspace ONE UEM administrator might not have administrative permissions for the corporate file server.
  1. VMware Workspace ONE Content – After this app is deployed to end-user devices, users can access content that conforms to the configured set of parameters.
  2. Personal content repository – End users have complete control over the files stored here. End users can add files on their devices from any supported web browser through the self-service portal in Workspace ONE Content, and from their personal computer through Workspace ONE Content Sync.

Figure: Mobile Content Management with Workspace ONE UEM

You can integrate Workspace ONE Content with a large number of corporate file services, including Box, Google Drive, network shares, various Microsoft services, and most websites that support Web Distributed Authoring and Versioning (WebDAV). It is beyond the scope of this document to list all of them.

For full design considerations for mobile content management, see the most recent VMware AirWatch Mobile Content Management Guide.

Content Gateway

VMware Content Gateway provides a secure and effective method for end users to access internal repositories. Users are granted access only to their approved files and folders based on the access control lists defined in the internal repository through VMware Workspace ONE Content. To prevent security vulnerabilities, Content Gateway servers support only Server Message Block (SMB) v2.0 and SMBv3.0. SMBv2.0 is the default. Content Gateway offers basic and cascade mode (formally known as relay-endpoint) architecture models for deployment.

Content Gateway can be deployed as a service within VMware Unified Access Gateway 3.3.2 and later. For more information, see Content Gateway on Unified Access Gateway in Deploying and Configurating VMware Unified Access Gateway.

For step-by-step instructions, see Configuring Content Gateway Edge Services on Unified Access Gateway.


Unified Access Gateway can be used to provide edge and gateway services for VMware Content Gateway and Workspace ONE Tunnel functionality. For architecture and sizing guidance see the Component Design - Unified Access Gateway Architecture section of this guide.

Data Protection in Workspace ONE Content

Workspace ONE Content provides considerable control over the types of activities that a user can perform with documents that have been synced to a mobile device. Applications must be developed using Workspace ONE SDK features or must be wrapped to use these restrictions. The following table lists the data loss prevention features that can be controlled.

Table: Data Loss Prevention Features

Feature Name


Enable Copy and Paste

Allows an application to copy and paste on devices

Enable Printing

Allows an application to print from devices

Enable Camera

Allows applications to access the device camera

Enable Composing Email

Allows an application to use the native email client to send email

Enable Data Backup

Allows wrapped applications to sync data with a storage service such as iCloud

Enable Location Services

Allows wrapped applications to receive the latitude and longitude of the device

Enable Bluetooth

Allows applications to access Bluetooth functionality on devices

Enable Screenshot

Allows applications to access screenshot functionality on devices

Enable Watermark

Displays text in a watermark in documents in the Workspace ONE Content

Limit Documents to Open Only in Approved Apps

Controls the applications used to open resources on devices

Allowed Applications List

Lists the applications that are allowed to open documents

Key Design Considerations

Because this environment is configured with Microsoft Office 365, SharePoint-based document repositories are configured as part of the Workspace ONE Content implementation. DLP controls are used in the Mobile Productivity service and Mobile Application Workspace profiles to protect corporate information.

Design decision: For this reference architecture, Unified Access Gateway is used to provide Content Gateway services. Unified Access Gateway is chosen as the standard edge gateway appliance for Workspace ONE services, including VMware Horizon and content resources.

Workspace ONE Tunnel

Workspace ONE Tunnel leverages unique certificates deployed from Workspace ONE UEM to authenticate and encrypt traffic from the mobile device to resources on the internal network. It consists of following two components:

  1. Proxy – This component secures the traffic between the mobile device and the backend resources through the Workspace ONE Web application. To leverage the proxy component with an internally developed app, you must embed the Workspace ONE SDK in the app.

The proxy component, when deployed, supports SSL offloading.

  1. Per-App Tunnel – This component allows certain applications on your device to communicate with your backend resources. This restricts access to unwanted applications, unlike the device-level VPN. The Per-App Tunnel supports both TCP and HTTP(S) traffic and works for both public and internally developed apps. It requires the Workspace ONE Tunnel application to be installed and managed by Workspace ONE UEM.

Note: The Per-App Tunnel does not support SSL offloading.

Tunnel Gateway Service Deployment

The Workspace ONE Tunnel gateway service can be deployed as a standalone Windows or Linux service, or as a service within VMware Unified Access Gateway 3.3.2 and later (preferred method). The standalone Windows installer only supports the Proxy module. However, the Linux-based Workspace ONE Tunnel installer and Unified Access Gateway support both the Proxy and the Per-App Tunnel modules.

For more information, see Deploying VMware Tunnel on Unified Access Gateway in Deploying and Configurating VMware Unified Access Gateway.

For step-by-step instructions, see Configuring VMware Tunnel Edge Services on Unified Access Gateway.


The Per-App Tunnel component is recommended because it provides most of the functionality with easier installation and maintenance. It leverages native APIs offered by Apple, Google, and Windows to provide a seamless end-user experience and does not require additional configuration as the Proxy model does.

The Workspace ONE Tunnel gateway service can reside in:

  • DMZ (single-tier, basic mode)
  • DMZ and internal network (multi-tier, cascade mode)

Both configurations support load balancing and high availability.

Figure: Workspace ONE Tunnel and Content Deployment Modes

See VMware Tunnel Deployment Model in the ARCHITECTURE section of the VMware Workspace ONE UEM Online Help.


Unified Access Gateway can be used to provide edge and gateway services for VMware Content Gateway and Workspace ONE Tunnel functionality. For architecture and sizing guidance, see the Component Design - Unified Access Gateway Architecture section of this guide.


For installation prerequisites, refer to System Requirements for Deploying VMware Tunnel with Unified Access Gateway in the ARCHITECTURE section of the VMware Workspace ONE UEM Online Help.

After the installation is complete, configure the Workspace ONE Tunnel by following the instructions in VMware Tunnel Core Configuration in the ARCHITECTURE section of the VMware Workspace ONE UEM Online Help.

Design decision: For this reference architecture, Unified Access Gateway was used to provide tunnel services.

Data Loss Prevention

Applications built using the Workspace ONE SDK can take advantage of app wrapping, which applies policies to a mobile app without changing the application itself. The application can also take advantage of controls designed to make accidental, or even purposeful, distribution of sensitive information more difficult. DLP settings include the ability to disable copy and paste, prevent printing, disable the camera or screenshot features, or require adding a watermark to content when viewed on a device. You can configure these features at a platform level with iOS- or Android-specific profiles applied to all devices, or you can associate a specific application for which additional control is required.

Workspace ONE UEM applications, including Workspace ONE Boxer and Workspace ONE Content, are built to the Workspace ONE SDK, conform to the Workspace ONE platform, and can natively take advantage of these capabilities. Other applications can be wrapped to include such functionality, but typically are not enabled for it out of the box.

Figure: Workspace ONE UEM Data Loss Prevention Settings

Another set of policies can restrict actions a user can take with email. For managed email clients such as Workspace ONE Boxer, restrictions can be set to govern copy and paste, prevent attachments from being accessed, or force all hyperlinks in email to use a secure browser, such as Workspace ONE Web.

Figure: Workspace ONE Boxer Content Restriction Settings