VMware Workspace ONE Frequently Asked Questions (FAQs)


The VMware Workspace ONE Frequently Asked Questions (FAQs) document provides answers to some of the most popular Workspace ONE FAQs. We will continue to grow this list of FAQs so check back regularly for updates.

VMware Workspace ONE® is a digital workspace platform that delivers any app on any device. Its main components are Workspace ONE® Unified Endpoint Management (UEM) powered by AirWatch and VMware Workspace ONE® Access (formerly known as VMware Identity Manager). Workspace ONE also integrates with VMware Horizon® to provide virtual desktops and apps.

If you are new to Workspace ONE or if you want an overview of the features, components, and architecture of Workspace ONE, see What is Workspace ONE?.


This Workspace ONE FAQs document is intended for existing or prospective Workspace ONE IT administrators.

Access Management

Does Workspace ONE UEM support multi-factor authentication (MFA)?

Yes, you can use the built-in multi-factor authentication (MFA) for Workspace ONE UEM by enabling Verify (Intelligent Hub) on the Workspace ONE Access admin console. Verify (Intelligent Hub) is an MFA authentication method integrated with the Workspace ONE Intelligent Hub app. You must integrate Workspace ONE Access and Workspace ONE UEM with Hub services to use Verify (Intelligent Hub). Configure two-factor authentication in the Workspace ONE Access policy rules to require users to sign in using password authentication first and then the Verify (Intelligent Hub) passcode.

Workspace ONE also integrates with multi-factor authentication providers to deliver a range of mobile MFA features including push notification, TOTP code, and SMS. The solution supports multi-factor authentication through Okta Verify, Duo, PingID, RADIUS, RSA SecurID and RSA SecurID Access, and certificate-based authentication.

For more details, see:

What is Workspace ONE Access conditional access?

Workspace ONE Access conditional access policies allow you to control access to corporate apps and resources based on designated criteria such as:

  • Organization group inherited from AD.
  • Dynamic user groups maintained within the admin console.
  • Device ownership (corporate-owned versus personal device).
  • Device usage (mobile versus desktop).
  • Network / IP range.

Some authentication methods that you can specify are:

  • Device compliance.
  • Risk score.
  • Mobile SSO.

For more details, watch VMware Workspace ONE Access: Conditional Access Policies – Feature Walk-through.



Device Management

How does Workspace ONE UEM group devices and users for management and assignments?

Workspace ONE UEM uses several different types of groups to manage users, devices, apps, content, and more. You can optimize your unified endpoint management (UEM) strategy by using a combination of organization groups, smart groups, and user groups to streamline assignments and management.

Each of these groups can be easily managed in the Workspace ONE UEM console as assignment groups, such as:

  •   Organization groups
  •   Smart groups
  •   User groups

For more information, watch the following videos:

What is a Workspace ONE UEM organization group?

Organization groups are similar to organizational units in Active Directory and are typically based on the internal corporate structure; geographical location, business unit, and department.

With organization groups, you can:

  • Build groups for entities within your organization (for example, Company, Headquarters, Subsidiaries, Management, Salaried, Hourly, Sales, and so on).
  • Customize hierarchies with parent and child levels (for example, 'Salaried' and 'Hourly' as children under 'Management'). You can block or allow inheritance settings.
  • Integrate with multiple internal infrastructures at the tier level.
  • Delegate role-based access and management based on a multi-tenant structure
  • Manage device profiles, apps, policies, and products based on preconfigured network IP address ranges.
What is a Workspace ONE UEM smart group?

Smart groups determine which platform, devices, and users receive profiles, compliance policies, applications, books, baselines, sensors, scripts, and so on. Smart groups offer more flexibility than organization groups. You specify criteria for a smart group and if a device (or user group) matches those criteria, they are added to the group.

You can:

  • Deliver content and settings to user groups, individual users/devices, device platform, OS, model, device tags, and so on.
  • Set profiles and compliance policies to include or exclude specific smart groups.
  • View and edit the profiles and policies assigned to and excluding individual smart groups.
What is a Workspace ONE UEM user group?

User groups provide additional criteria to assign resources to devices based on user access rights and job roles. With user groups, you can:

  • Align end users with LDAP/AD associations, streamlining user and device management.
  • Assign profiles, applications, content, and compliance policies to groups of users according to existing groups and distribution lists.
  • Automatically update assignments based on directory user group changes or require administrator approval.
  • Set role-based access control to only allow approved administrators to change policy and resource assignments for certain user groups.
  • Assign multiple groups simultaneously – even of differing types – to profiles, public apps, and compliance policies.
What is the Workspace ONE UEM compliance engine?

The Workspace ONE UEM compliance engine is an automated tool that continuously monitors devices and performs escalating actions to prevent noncompliance.

The compliance engine allows you to:

  • Enforce compliance policies and set up automated actions for non-compliant activity.
  • Create rules for passcode, application compliance, data usage, voice usage, SMS usage, compromised status, encryption status, profile expiration, last compromised scan, Terms of Use acceptance, model, OS version, security patch version, roaming status, and SIM card change.
  • View rules and actions available by platform for simple setup and administration.
  • Set severity levels to perform escalated actions based on user response time frame.
  • Notify IT and end users of noncompliance automatically using customizable notifications:
    • Via SMS, email or push notifications (end users)
    • Via email (administrators)
  • Automatically block access to corporate resources, wipe corporate profiles or devices.
  • Reinstall assigned profiles and apps without user interaction when the device is compliant again.
  • Optionally perform actions on a device without marking it as non-compliant.
Can Workspace ONE UEM enforce an approved software version on the device before granting user access?

Yes, you can set restrictions to require approved OS versions, applications, and so on, to enable device access to corporate data. Use device profiles and compliance policies to enforce required or prohibited operating systems and applications.

You can perform automatic compliance actions from the Workspace ONE UEM admin console such as sending notifications, enterprise wipe, profile installation/removal, and managed application removal.

To add or update commonly used third-party applications for Windows 10 devices, use the new VMware Enterprise App Repository.

Can Workspace ONE UEM perform a remote device wipe?

Yes, from the Workspace ONE UEM admin console, you can perform a remote wipe on-demand or based on compliance policies. Administrators can include a note for users when performing a device wipe.

There are two main options; additional options are available depending on the platform:

  • Enterprise Wipe removes all corporate connections, applications, and content. The Workspace ONE Intelligent Hub remains on the device for easy re-enrollment. The device is unavailable to view on the console.
  • Full Device Wipe performs a “factory reset” to remove all device data (available only on demand). The Workspace ONE Intelligent Hub is no longer on the device. The device is unavailable to view on the console.

For more information, watch Episode 16: Wiping Windows 10 Devices - you have options!.


Enterprise Integration

What is Workspace ONE UEM enterprise integration?

Many of your existing enterprise components can be integrated into a Workspace ONE deployment. For example, securely integrate with AD/LDAP, certificate authorities, email infrastructures, and other enterprise systems both in a cloud and on-premises deployment model.

The following components can be configured from the Workspace ONE UEM admin console:

  • Directory Services – Integrate with AD/LDAP for authentication and group membership, helping to ensure that users receive appropriate profiles and access to apps and content.
  • Certificates and PKI – Integrate with Microsoft CA, CA, or SCEP certificate services providers such as MSCEP and VeriSign.
  • Email Infrastructure – Manage and monitor mobile email through tight integration to your corporate email infrastructure.
  • Proxy – Microsoft Exchange 2010/2013/2016/2019, IBM Domino with Lotus Notes, Novell GroupWise (with EAS), Google Apps for Work Beehive and other EAS.
  • PowerShell – Exchange 2010/2013/2016/2019, Office 365/BPOS.
  • Google – Google Apps for Business.
  • UEM Edge Services on VMware Unified Access Gateway™  to enable secure remote access from an external network to a variety of internal resources. Unified Access Gateway supports the following Workspace ONE UEM use cases:
      • Per-App Tunneling of native and web apps on mobile and desktop platforms to secure access to internal resources through the VMware Tunnel service.
      • Secure on-premises email infrastructure that grants access only to authorized devices, users, and email applications based on managed policies. This capability leverages the Secure Email Gateway service integrated with Workspace ONE UEM.
      • Access from VMware Workspace ONE® Content to internal file shares or SharePoint repositories by running the Content Gateway service.
      • Reverse proxying of web applications.
      • Identity bridging for authentication to on-premises legacy applications that use Kerberos or header-based authentication.

Other components that can be integrated:

  • Corporate Networks – Configure Wi-Fi and VPN network settings with automatic connections and centrally updated user credentials.
  • File Systems – Integrate with existing file systems, including SharePoint, Google Drive, OneDrive, file servers and network shares.
  • APIs – Integrate with existing IT infrastructures and third-party applications.
  • Security Information and Event Management (SIEM) – Integrate with SIEM solutions for enhanced logging of events occurring in the console.

For a full listing of our integration partners, see the VMware Marketplace.

Can I integrate Workspace ONE UEM REST APIs with existing infrastructures and third-party applications?

Yes. Workspace ONE UEM provides a collection of RESTful APIs (application programming interface) that allow external programs to use the core product functionality by integrating the APIs with existing IT infrastructures and third-party applications.

Using the simplified REST style of software architecture, Workspace ONE UEM REST APIs support a multitude of functionalities, including organization group, console administration, mobile application, mobile device, email, enrollment user, profile, smart group, and user group management.

Workspace ONE UEM REST APIs allow external systems to create, update, delete and modify entitlements for users through a system for cross-domain identity management (SCIM) API.

Available web services include user enrollment, device registration, device groups, organization group management, smart group management, user information, device data, search functions, custom attributes, remote device commands and bulk actions, device and system events and notifications, application groups, content management, VPP management, product provisioning, tags, and other systems management and operation information.

For more information, see:

Does Workspace ONE UEM integrate with directory services (AD/LDAP)?

Yes, Workspace ONE UEM integrates with your existing directory service (for example, Active Directory and Lotus Domino) and allows you to authenticate to Workspace ONE UEM using your existing credentials. Use the built-in wizard to quickly and easily configure integration.

By integrating Workspace ONE UEM with your directory services, you can:

  • Manage user groups according to current user organization and permissions.
  • Assign profiles, applications, compliance policies, and content based on a user’s role and group membership.
  • Ensure that a user receives the right access and restrictions for all relevant groups (if the user belongs to multiple groups).
  • Detect any changes within the system with ongoing directory synchronization and automatically perform necessary updates across all devices for affected users.
  • Automatically enterprise wipe devices when users are removed from user groups.
  • Require administrative approval or admin PIN before any changes occur.

For more details, see Active Directory Integration in the Platform Integration chapter of the Reference Architecture.


Reporting and Analytics

Does Workspace ONE include built-in reporting features?

Yes, Workspace ONE includes robust reporting features that empower administrators to centrally monitor device fleets using the following:

  • Built-in Workspace ONE UEM reports. (For custom reports, Workspace ONE Intelligence is required.)
  • Workspace ONE Intelligence reports.
  • Workspace ONE Intelligence interactive dashboards. With Workspace ONE Intelligence, you can customize reports and analyze trends using data from the complete Workspace ONE environment.
  • Workspace ONE Access User Engagement Dashboard.
What are Workspace ONE UEM reports?

Workspace ONE UEM reports allow you to:

  • Run live reports directly from the web console using the built-in reporting engine.
  • Customize fields on standard reporting templates across various categories including, applications, device content, device inventory, profiles, telecom, and user management.
  • Create subscriptions to send custom-generated reports to specific recipients at scheduled intervals.
  • Create bookmarks to save popular reports and easily regenerate them.

For more details, see Workspace ONE UEM reports.

What are Workspace ONE Intelligence reports?

Workspace ONE Intelligence aggregates and correlates data from Workspace ONE UEM, Workspace ONE Access, Workspace ONE Intelligence SDK, and Trust Network Solutions. Reports powered by Workspace ONE Intelligence provide access to critical business intelligence data and are different from the reports created in the Workspace ONE UEM console.

Workspace ONE Intelligence reports allow you to:

  • Analyze trends across device, application, and user business intelligence (BI) data and build reports for a complete view of your entire digital workspace environment.
  • Use the Custom Reports wizard to create a customized report using a starter template or a new report from scratch.
  • Create or schedule reports to provide detailed historical data about the entire environment and device fleet; gather an initial snapshot of your deployment and continue to capture ongoing changes.
  • View live previews of reports to see results before running the entire report. Run reports in seconds, with options to view or export in CSV format.
  • Easily share reports with the rest of the organization as links to avoid encountering file size limitations when sending via email.

For more details, see Getting Started with Workspace ONE Intelligence Reports and Dashboards: VMware Workspace ONE Operational Tutorial.

What are Workspace ONE Intelligence Dashboards?

With Workspace ONE Intelligence Dashboards, you can:

  • Configure the Monitor pane to display the most important business drivers/events.
  • View deployment information in real time on interactive dashboards which are available in graphical or tabular view.
  • Navigate to a list view and filter to show a specific group of devices, enrollment, compliance, profiles, applications, content, telecom, email, and certificate summaries on one central screen.
  • Take action, such as sending a message, on individual devices or groups of devices.
  • View data in a variety of formats, including graphs, portlets, and grids.
  • Export dashboard information to spreadsheet format (CSV file).

For more details, see Getting Started with Workspace ONE Intelligence Reports and Dashboards: VMware Workspace ONE Operational Tutorial.

What is the Workspace ONE Access User Engagement Dashboard?

The Workspace ONE Access console provides user and device analytics on the User Engagement Dashboard which allows you to:

  • Monitor device-level usage analytics on a per-user and per-app basis.
  • Specify audit events and generate reports for a configurable time period.
  • Audit events and include time, date, and identity of administrative changes to permissions and app access.
What is the Workspace ONE UEM event log?

Events are records of administrative and device actions that the Workspace ONE UEM console stores in logs. Integrate with Syslog to send log and event data and export event log data to CSV or XLSX files.

Workspace ONE UEM allows you to:

  • Configure which console and device events (for example, administration, configuration, interaction, session management) to send to syslog.
  • Integrate with security information and event management (SIEM) solutions for enhanced logging of events occurring in the console.
  • View events, filter by event type, category and module, and export events.
  • Configure event logging settings based on severity levels, with the ability to send specific levels to external systems via syslog integration.
  • Generate reports to track data over set time periods.


User Administration

How does Workspace ONE UEM manage role-based user administration for tiered roles?

Built-in and custom roles define the device groups that an IT administrator can access and manage, and restrict the depth of device management information and features available to each console user. For example, grant limited access within the console to help desk administrators and grant a greater range of permissions to the IT manager.

If the existing default roles are not suitable for your organization, use custom roles that allow you to customize as many unique roles as required. Choose from over 1,000 unique security permissions to define custom roles. You can set permissions to view (read-only), write, or update the system.

You have the flexibility to authenticate console users with basic, directory services, or SAML credentials and configure Workspace ONE to enable/disable SAML authentication for administrators according to organization group membership.

Users can have multiple assigned roles and you can auto-assign roles to individual console users or groups with AD/LDAP integration.

For more information, watch Episode 5: UEM Console Basics – Part 1: Organization Groups and RBAC.

How does Workspace ONE Access manage role-based user administration?

Workspace ONE Access has three predefined roles for role-based access control:

  • The super administrator role can access and manage all features and functions in the Workspace ONE Access services.
  • The read-only administrator role can view the details in the Workspace ONE Access console pages, including the dashboard and the reports, but cannot make changes. All administrator roles are automatically assigned the read-only role.
  • The directory administrator role can manage users, groups, and directories. The directory administrator can manage directory integration for both enterprise directories and local directories within your organization. The directory administrator can also manage local users and groups.

You cannot modify or delete the predefined roles but you can create custom administrator roles that give limited permissions to specific services in the Workspace ONE Access console.

For more information, watch VMware Workspace ONE Access: Role-Based Access Control – Feature Walk-through.

How does Workspace ONE Intelligence manage role-based user administration?

Role-based access control (RBAC) has predefined roles that you can assign to admins for access to the resources they use. Assign a single role or combine roles for those admins who require permissions to your entire environment.

Workspace ONE Intelligence can get user data from Workspace ONE UEM. RBAC supports adding admins from Workspace ONE UEM from both the basic users and the directory-based users.

  • Basic users are individual accounts that are not managed through an identity service. They require no enterprise infrastructure. These credentials exist only in Workspace ONE UEM and have no federated security.
  • Directory-based users are managed in an identity service and are pulled into Workspace ONE UEM. These users access resources with their directory credentials and any changes made to their accounts sync with Workspace ONE UEM.


Platform Support

What devices and platforms does Workspace ONE UEM support?

For an up-to-date list of devices and platforms supported by Workspace ONE UEM, see Supported Devices, OS, and Agents, Product Provisioning.


Technical Support

What are the available support offerings for Workspace ONE?

The Customer Support Welcome Center contains everything from self-service resources to information on filing and managing support requests.

Some self-service resources include:

  • VMware Docs – A complete library of official product documentation.
  • VMware Knowledge Base – View announcements, receive proactive updates on software releases, marketplace news and search, vote, comment, or create new ideas for products in our feature request portal.
  • VMware Community – Online forums with access to digital workspace community experts.
  • Digital Workspace Tech Zone – Everything you need for your digital workspace journey in the form of articles, documents, videos, and more.

Global Support Services provides varying levels of support that are appropriate for your program, with 24/7/365 coverage for severity 1 incidents and unlimited online support requests for all support levels.

Basic Production Premiere
  • Core 10/5 support.
  • Unlimited support requests via online, chat, and phone.
  • Core 10/5 support.
  • Faster severity 1 response target.
  • Higher number of designated customer contacts.
  • Unlimited support requests via online, chat, and phone.
  • Additional weekend support hours for severity 2 issues.
  • Highest number of designated customer contacts.
  • Designated Support Account Manager and support reviews.
  • Direct access to level 2 resources.
  • Available onsite support service days.

You can also use the My Company portal within My Workspace ONE to manage contact information for each team to designate available customer roles, levels of access at each role, and modify or add any team members to your account.


Summary and Additional Resources


This document provided answers to the most popular Workspace ONE FAQs.

Additional Resources

For more information about Workspace ONE, explore the Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you increase your understanding of Workspace ONE, including articles, videos, and labs.

You can also see the VMware Workspace ONE and VMware Horizon Reference Architecture, which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon.

About the Authors and Contributors

This document was created by:

  • Gina Daly, Technical Marketing Manager, End-User Computing, VMware.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Filter Tags

Workspace ONE Workspace ONE Access Workspace ONE Intelligence Workspace ONE UEM Document Deployment Considerations Overview