VMware Workspace ONE Cloud-Based Reference Architecture

Service Definitions

From our business requirements, we outlined several typical use cases and their requirements. Taking the business requirements and combining them with one or more use cases enables the definition of a service.

The service, for a use case, defines the unique requirements and identifies the technology or feature combinations that satisfy those unique requirements. After the service has been defined, you can define the service quality to be associated with that service. Service quality takes into consideration the performance, availability, security, and management and monitoring requirements to meet SLAs.

The detail required to build out the products and components comes later, after the services are defined and the required components are understood.

Do not treat the list of services as exclusive or prescriptive; each environment is different. Adapt the services to your particular use cases. In some cases, that might mean adding components, while in others it might be possible to remove some that are not required.

You could also combine multiple services together to address more complex use cases. For example, you could combine a VMware Workspace ONE® service with a VMware Horizon® Cloud Service and a recovery service.

Figure: Example of Combining Multiple Services for a Complex Use Case

Workspace ONE Use Case Services

A use case service identifies the features required for a specific type of user. For example, a mobile task worker might use a mobile device for a single task through a single application. The Workspace ONE use case service for this worker could be called the mobile device management service. This service uses only a few of the core Workspace ONE components,  as described in the following table.


Table: Core Components of Workspace ONE



VMware Workspace ONE® UEM

Enterprise mobility management

VMware Identity Manager

Identity platform

VMware Workspace ONE® Intelligence

Integrated insights, app analytics, and automation

Workspace ONE app

End-user access to apps

VMware Horizon

Virtual desktops and Remote Desktop Services (RDS) published applications delivered either through Horizon Cloud or VMware Horizon® 7

VMware Workspace ONE® Boxer

Secure email clients

VMware Workspace ONE® Browser

Secure web browser

VMware Workspace ONE® Content

Mobile content repository

VMware Workspace ONE® Tunnel

Secure and effective method for individual applications to access corporate resources

VMware AirWatch Cloud Connector

Directory sync with enterprise directories

VMware Identity Manager Connector

Directory sync with enterprise directories

Sync to Horizon resources

VMware Unified Access Gateway

Gateway that provides secure edge services

VMware Workspace ONE® Secure Email Gateway

Email proxy service

Enterprise Mobility Management Service

Overview: Many organizations have deployed mobile devices and have lightweight management capabilities, like simple email deployment and device policies, such as a PIN requirement, device timeouts, and device wiping. But they lack a comprehensive and complete management practice to enable a consumer-simple, enterprise-secure model for devices.

Use case: Mobile Task-Based Workers

Table: Unique Requirements of Mobile Task Workers

Unique Requirements


Provide device management beyond simple policies

  • Workspace ONE native app
  • VMware Identity Manager authentication
  • AirWatch Cloud Connector

Enable adaptive management capabilities

  • Workspace ONE native app
  • Adaptive management
  • Workspace services device enrollment


The following figure shows a high-level blueprint of a Workspace ONE Standard deployment and the available components.


Figure: Enterprise Mobility Management Service Blueprint

Enterprise Productivity Service

Overview: Organizations with a more evolved device management strategy are often pushed by end users to enable more advanced mobility capabilities in their environment. Requested capabilities include single sign-on (SSO) and multi-factor authentication, and access to productivity tools. However, from an enterprise perspective, providing this much access to corporate information means instituting a greater degree of control, such as blocking native email clients in favor of managed email, requiring syncing content with approved repositories, and managing which apps can be used to open files.

Use cases: Mobile Knowledge Workers, Contractors

Table: Unique Requirements of Mobile Knowledge Workers and Contractors

Unique Requirements


Multi-factor authentication

  • VMware Workspace ONE® Verify


  • VMware Identity Manager and Workspace ONE UEM

Managed email

  • Workspace ONE Boxer

Enterprise content synchronization

  • Workspace ONE Content

Secure browsing

  • VMware Workspace ONE® Web

VPN per application

  • Workspace ONE Tunnel


The following figure shows a high-level blueprint of a Workspace ONE Advanced deployment and the available components.

Figure: Enterprise Productivity Service Blueprint

Enterprise Application Workspace Service

Overview: Recognizing that some applications are not available as a native app on a mobile platform and that some security requirements dictate on-premises application access, virtualized applications and desktops become a core part of a mobility strategy. Building on the mobile productivity service, and adding access to VMware Horizon–based resources, enables this scenario.

Many current VMware Horizon users benefit from adding the Workspace ONE catalog capabilities as a single, secure point of access for their virtual desktops and applications.

Use cases: Contractors, Mobile Knowledge Workers

Table: Unique Requirements of Contractors and Mobile Knowledge Workers

Unique Requirements


Access to virtual apps and desktops

  • Horizon Cloud or Horizon 7
  • VMware Identity Manager Connector


The following figure shows a high-level blueprint of a Workspace ONE Enterprise Edition deployment and the available components.

Figure: Enterprise Application Workspace Service Blueprint

Horizon Cloud Service on Microsoft Azure Use Case Services

These services address a wide range of user needs. For example, a published application service can be created for static task workers, who require only a few Windows applications. In contrast, a secure desktop service could be created for users who need a larger number of applications that are better suited to a Windows desktop–based offering.

The following core components are used across the various use cases.

Table: Core Components of Horizon Cloud Service on Microsoft Azure



Horizon Cloud Service on Microsoft Azure

Virtual desktops and RDSH-published applications

VMware User Environment Manager

User profile, IT settings, and configuration for environment and applications

Microsoft Azure

Infrastructure platform

Published Application Service

Overview: Windows applications are delivered as published applications provided by farms of RDSH servers. These applications are optionally available in the catalog and through the Workspace ONE app or web application. User Environment Manager applies profile settings and folder redirection.

Use case: Static Task Worker

Table: Unique Requirements of Static Task Workers

Unique Requirements


Small number of Windows applications

  • Horizon Cloud on Microsoft Azure RDSH-published applications (a good fit for a small number of applications)

(Optional) location-aware printing

  • ThinPrint
  • User Environment Manager


Figure: Published Application Service Blueprint

GPU-Accelerated Application Service

Overview: Similar to the published application service, but this service uses hardware-accelerated rendering with NVIDIA GRID graphics cards available through Microsoft Azure. The Windows applications are delivered as published applications provided by farms of RDSH servers.  

Use case: Multimedia Designer/Engineer

Table: Unique Requirements of Multimedia Designers

Unique Requirements


GPU-accelerated rendering


Hardware H.264 encoding

  • Blast Extreme


Figure: GPU-Accelerated Application Service Blueprint

Secure Desktop Service

Overview: This service uses a standard Windows 10 desktop that is cloned from a master VM image. User Environment Manager applies the user’s Windows environment settings, application settings, and folder redirection. Desktop and application entitlements are optionally made available through the VMware Identity Manager catalog.

Use cases: Mobile Knowledge Worker, Contractors

Table: Unique Requirements of Mobile Knowledge Workers and Contractors

Unique Requirements


Large number of core and departmental applications

  • Horizon virtual desktop running Windows 10 (a good fit for larger numbers of applications)

Access from mobile locations

  • Unified Access Gateway, Blast Extreme

Two-factor authentication when remote

  • Unified Access Gateway, True SSO

Video content and Flash playback

  • URL content redirection, HTML5 redirection, Flash redirection
  • Access to USB devices
  • Restricted access to clipboard, USB, and so on (for example, for contractors)
  • User Environment Manager, Horizon Smart Policies, application blocking


Figure: Secure Desktop Service Blueprint

Recovery Services

To ensure availability, recoverability, and business continuity, the design of the services also needs to consider disaster recovery. We can define recovery services and map them to the previously defined use-case services.

Recovery services can be designed to operate in either an active/active or an active/passive mode and should be viewed from the users’ perspective.

  • In active/passive mode, loss of an active data center instance requires that the passive instance of the service be promoted to active status for the user.
  • In active/active mode, the loss of a data center instance does not impact service availability for the user because the remaining instance or instances continue to operate independently and can offer the end service to the user.

Horizon Cloud on Microsoft Azure Active/Passive Recovery Service 

Requirement: The use case service is run from a specific Azure region. An equivalent service can be provided from a second Azure region.

Overview: The core Windows desktop or RDSH server is a clone of a master VM image. User Environment Manager applies the profile, IT settings, user configuration, and folder redirection.

Table: Active/Passive Recovery Service Requirements



Windows desktop or RDSH server available in both sites 

Horizon desktop pools or RDSH server farms are created in both data centers.

Native applications 

Applications are installed natively in the base Windows OS.

IT settings 

User Environment Manager IT configuration is replicated to ensure availability in the event that the primary Azure region becomes unavailable.

User data and configuration 

User Environment Manager user data is replicated to ensure availability in the event that the primary Azure region becomes unavailable.

At a high level, this service consists of a Windows environment delivered by either a desktop or an RDSH server, with equivalent resources created at both data centers. User profile and user data files are made available at both locations and are also recovered in the event of a site outage.

Figure: Active/Passive Recovery Service Blueprint 

User Environment Manager provides profile management by capturing user settings for the operating system, applications, and user personalization. The captured settings are stored on file shares that need to be replicated to ensure site redundancy.

Although profile data can be made available to both regions, there is a failover process in the event of the loss of Region 1 that can impact the RTO and RPO.

Operational decisions can be made in these scenarios as to whether the service in Region 2 should be made available with reduced functionality (for example, available with the Windows base, the applications, and the IT configuration but without the user-specific settings).