VMware Workspace ONE Cloud-Based Reference Architecture

VMware Workspace ONE Solution Overview

VMware Workspace ONE® is a simple and secure enterprise platform that delivers and manages any app on any device. Workspace ONE integrates identity, application, and enterprise mobility management while also delivering feature-rich virtual desktops and applications. It is available either as a cloud service or for on-premises deployment. The platform is composed of several components—VMware Workspace ONE® UEM (powered by AirWatch), VMware Identity Manager™, VMware Horizon®, and the Workspace ONE productivity apps, which are supported on most common mobile platforms.

VMware Reference Architectures

VMware reference architectures are designed and validated by VMware to address common use cases, such as enterprise mobility management, enterprise desktop replacement, remote access, and disaster recovery.

This Workspace ONE cloud-based reference architecture presents high-level design and low-level configuration guidance for the key features and integration points of Workspace ONE. The result is a description of cohesive services that address typical business use cases.

VMware reference architectures offer customers:

  • Standardized, validated, repeatable components
  • Scalable designs that allow room for future growth
  • Validated and tested designs that minimize implementation and operational risks
  • Quick implementation and reduced costs

This reference architecture does not provide performance data or stress-testing metrics. However, it does provide a structure and guidance on architecting in repeatable blocks for scale. The principles followed include the use of high availability and load balancing to ensure that there are no single points of failure and to provide a production-ready design.


This reference architecture guide helps IT architects, consultants, and administrators involved in the early phases of planning, designing, and deploying Workspace ONE, mobile, and VMware Horizon® Cloud Service solutions.

You should have:

  • A solid understanding of the mobile device landscape
  • Deep experience regarding the capabilities and configuration of mobile operating systems
  • Familiarity with device-management concepts
  • Knowledge of identity solutions and standards, such as SAML authentication
  • Understanding of enterprise communication and collaboration solutions, including Microsoft Office 365, Exchange, and SharePoint
  • A solid understanding of desktop and application virtualization
  • Familiarity with virtual desktops
  • A solid understanding of firewall policy and load-balancing configurations
  • A good working knowledge of networking and infrastructure, covering topics such as Active Directory, DNS, and DHCP

Workspace ONE Features

Workspace ONE features provide enterprise-class security without sacrificing convenience and choice for end users:

  • Real-time app delivery and automation – Taking advantage of new capabilities in Windows, Workspace ONE allows desktop administrators to automate application distribution and updates. This automation, combined with virtualization technology, helps ensure application access as well as improve security and compliance. Provision, deliver, update, and retire applications in real time.
  • Self-service access to cloud, mobile, and Windows apps – After end users are authenticated through either the Workspace ONE app or the Workspace ONE Intelligent Hub app, they can instantly access mobile, cloud, and Windows applications with one-touch mobile SSO.
  • Choice of any device, employee or corporate owned – Administrators can facilitate adoption of bring-your-own-device (BYOD) programs by putting choice in the hands of end users. Give users the level of convenience, access, security, and management that makes sense for their work style.
  • Device enrollment – The enrollment process allows a device to be managed in a Workspace ONE UEM environment so that device profiles and applications can be distributed and content can be delivered or removed. Enrollment also allows extensive reporting based on the device’s check-in to the Workspace ONE UEM service.
  • Adaptive management – For some applications, end users can log in to Workspace ONE and access the applications without first enrolling their device. For other applications, device enrollment is required, and the Workspace ONE app can prompt the user to initiate enrollment.

    Administrators can enable flexible application access policies, allowing some applications to be used prior to enrollment in device management, while requiring full enrollment for apps that need higher levels of security.
  • Conditional access – Both VMware Identity Manager and Workspace ONE UEM have mechanisms to evaluate compliance. When users register their devices with Workspace ONE, data samples from the device are sent to the Workspace ONE UEM cloud service on a scheduled basis to evaluate compliance. This regular evaluation ensures that the device meets the compliance rules set by the administrator in the Workspace ONE UEM Console. If the device goes out of compliance, corresponding actions configured in the Workspace ONE UEM Console are taken.

    VMware Identity Manager includes an access policy option that administrators can configure to check the Workspace ONE UEM server for device compliance status when users sign in. The compliance check ensures that users are blocked from signing in to an application or using SSO to the VMware Identity Manager portal if the device is out of compliance. When the device is compliant again, the ability to sign in is restored.

    Actions can be enforced based on the network that users are on, the platform they are using, or the applications being accessed. In addition to checking Workspace ONE UEM for device compliance, VMware Identity Manager can evaluate compliance based on network range of the device, type of device, operating system of the device, and credentials.
  • Unified application catalog – The VMware Identity Manager and Workspace ONE UEM application catalogs are combined and presented on either the Workspace ONE app’s Catalog tab or the VMware Workspace ONE® Intelligent Hub app, depending on which is being used.
  • Secure productivity apps: VMware Workspace ONE® Boxer, Web, Content, Notebook, People, Verify, and PIV-D Manager – End users can use the included mail, calendar, contacts, browser, content, organization, and authentication capabilities, while policy-based security measures protect the organization from data leakage by restricting the ways in which attachments and files are edited and shared.
  • Mobile SSO – One-touch SSO technology is available for all supported platforms. The implementation on each OS is based on features provided by the underlying OS. For iOS, one-touch SSO uses technology known as the key distribution center (KDC). For Android, the authentication method is called mobile SSO for Android. And for Windows 10, it is called cloud certificate.
  • Secure browsing – Using VMware Workspace ONE® Web instead of a native browser or third-party browser ensures that access to sensitive web content is secure and manageable.
  • Data loss prevention (DLP) – This feature forces documents or URLs to open only in approved applications to prevent accidental or purposeful distribution of sensitive information.
  • Resource types – Workspace ONE supports a variety of applications exposed through the VMware Identity Manager and Workspace ONE UEM catalogs, including SaaS-based SAML apps, VMware Horizon apps and desktops, VMware ThinApp® packaged apps delivered through VMware Identity Manager, and native mobile applications delivered through Workspace ONE UEM.

Workspace ONE Platform Integration

VMware Identity Manager provides the solution’s identity-related components. These components include authentication using username and password, two-factor authentication, certificate, Kerberos, mobile SSO, and inbound SAML from third-party VMware Identity Manager systems. VMware Identity Manager also provides SSO to entitled web apps and Windows apps and desktops delivered through either VMware Horizon or Citrix.

Figure: Workspace ONE Logical Architecture Overview

VMware Workspace ONE UEM delivers the enterprise mobility management portion of the solution. Workspace ONE UEM allows device enrollment and uses profiles to enforce configuration settings and management of users’ devices. It also enables a mobile application catalog to publish public and internally developed applications to end users.

Administrators can also develop compliance policies to alert themselves to compromised devices or wipe a device that is running unapproved applications. Workspace ONE UEM integrates with enterprise directories, such as Active Directory, for authentication and user management. To facilitate mobile productivity, Workspace ONE UEM can integrate with email systems and content repositories.

The Workspace ONE native app and the Workspace ONE Intelligent Hub app are available for iOS, Android, and Windows 10. Both apps consolidate the Workspace ONE UEM and VMware Identity Manager catalogs into a single catalog to bring native mobile, SaaS-based and on-premises web applications, and virtual apps and desktops to users in a simple manner. Through SSO technology, Workspace ONE makes it easy for users to access the applications they need.

VMware Workspace ONE Intelligence

VMware Workspace ONE® Intelligence is a service that gives organizations visualization tools and automation to help them make data-driven decisions for operating their Workspace ONE environment.

By aggregating, analyzing, and correlating device, application, and user data, Workspace ONE Intelligence provides extensive ways to filter and reveal key performance indicators (KPIs) at speed and scale across the entire digital workspace environment. After information of interest has been surfaced by Workspace ONE Intelligence, IT administrators can:

  • Use the built-in decision engine to create rules that take actions based on an extensive set of parameters.
  • Create policies that take automated remediation actions based on context.

With Workspace ONE Intelligence, organizations can easily manage complexity and security without compromising a great user experience.

Figure: Workspace ONE Intelligence Overview

Horizon Cloud Service on Microsoft Azure Platform

Horizon Cloud Service on Microsoft Azure provides customers with the ability to pair their existing Microsoft Azure infrastructure with the Horizon Cloud Service to deliver feature-rich virtual desktops and applications.

Horizon Cloud uses a purpose-built cloud platform that is scalable across multiple deployment options, including fully managed infrastructure from VMware and public cloud infrastructure from Microsoft Azure. The service supports a cloud-scale architecture that makes it easy to deliver virtualized Windows desktops and applications to any device, anytime.

Figure: Horizon Cloud Service on Microsoft Azure Overview

Reference Architecture Design Methodology

To ensure a successful Workspace ONE deployment, it is important to follow proper design methodology. To start, you need to understand the business requirements, reasons, and objectives for undertaking the project. From there, you can identify the needs of the users and organize these needs into use cases with understood requirements. You can then align and map those use cases to a set of integrated services provided by Workspace ONE.

Figure: Reference Architecture Design Methodology

A Workspace ONE design uses a number of components to provide the services that address the identified use cases. Before you can assemble and integrate these components to form a service, you must first design and build the components in a modular and scalable manner to allow for change and growth. You also must consider integration into the existing environment. Then you can bring the parts together to deliver the integrated services to satisfy the use cases, business requirements, and the user experience.

As with any design process, the steps are cyclical, and any previous decision should be revisited to make sure a subsequent one has not impacted it.