Workspace ONE Assist Architecture

Introduction

VMware Workspace ONE UEM (powered by AirWatch) is responsible for device enrollment, a mobile application catalog, policy enforcement regarding device compliance, and integration with key enterprise services, such as email, content, and social media.

VMware Workspace ONE® Assist allows VMware Workspace ONE® UEM administrators to remotely access and troubleshoot devices in real time while respecting end-user privacy.

Workspace ONE Assist features include:

  • Screen sharing capabilities – Allows remote devices to screen share and relinquish device controls to an administrator for guided support. Can also capture images and video remotely.
  • File system capabilities – Exposes the device’s file system and allows for folders or files to be edited, deleted, or added remotely.
  • Run commands – Automate issue resolution and common tasks by remotely sending commands to the device.

Workspace ONE Assist can be implemented using either an on-premises or a cloud-based (SaaS) model. Both models offer the same functionality.

Note: Workspace ONE Assist features and capabilities are platform dependent. See Capabilities by Platform for a comprehensive list.

To avoid repeating information, the overview of the product, its architecture, and the common components is given in the cloud-based architecture section that follows. The on-premises architecture section then builds on that information for deployments where you prefer to run Workspace ONE Assist on-premises.

Cloud-Based Architecture

With a cloud-based implementation, the Workspace ONE Assist software is delivered using a software-as-a-service (SaaS) model. The integration between your Workspace ONE UEM SaaS tenant and your Workspace ONE Assist SaaS deployment is configured for you.

If you are integrating Workspace ONE Assist SaaS with an on-premises Workspace ONE UEM tenant, see Integrate Deployment Model, On-Prem UEM with SaaS Assist.

For additional Workspace ONE Assist SaaS details, such as regional fully qualified domain names (FQDN) and IP addresses for allowlisting, see SaaS Configurations, Network and Security Requirements.

Figure 1: Cloud-Based Workspace ONE Assist Logical Architecture

Components

Workspace ONE Assist includes the following components:

Table 1: Workspace ONE Assist Components

  • Workspace ONE Assist Core Services – Services responsible for coordinating communication and providing service discovery for all other Workspace ONE Assist services. All database communication is handled through these services.
  • Workspace ONE Assist Portal Services – Services that host the Workspace ONE Assist administration portal that manages remote device sessions and registration.
  • Workspace ONE Assist Application Services – Services responsible for communicating with devices available for remote management.
  • Workspace ONE Assist Connection Proctor – Proctor for managing device connections to the Workspace ONE Assist server. Simultaneously handles multiple requests for remote management sessions.

For additional details on these components, see Workspace ONE Assist Components.

The Workspace ONE UEM SaaS and AirWatch Cloud Connector components are shown in the figure only because they illustrate the typical Workspace ONE SaaS deployment model. For more information on those components, see Workspace ONE UEM Architecture.

On-Premises Architecture

Workspace ONE Assist is composed of separate services that can be installed on a single- or multiple-server architecture to meet security and load requirements. Service endpoints can be spread across different network security zones, with Portal and Connection Proctor components located in a DMZ to allow external, inbound access to the Application, Core, and Database services located in a protected, internal network. See Deployments Across Public and Private Security Zones.

The network and security requirements for single- and multiple-server architecture differ and should be considered before deployment. See Network and Security Requirements. See On-Premises Configurations, Network and Security Requirements for a list of port and firewall rule requirements for both single- and multiple-server architectures.

The single-server architecture is also referred to as an all-in-one server, meaning the Core, Application, Portal, and Connection Proctor components are installed on a single server.

In addition to the components already described for the cloud-based architecture, an on-premises deployment requires the following additional component.

Table 2: Additional On-Premises Workspace ONE Assist Components

  • Database – Microsoft SQL Server database that stores the Workspace ONE Assist system and tenant configuration, operations, and logging, such as the accrual of historical data showing when a device was enrolled in remote management. The Workspace ONE Assist system is composed of eight databases; see Workspace ONE Assist Components for additional details on the eight databases. All Workspace ONE Assist Core Service servers, Connection Proctor servers, and remote management registration details persist and reside in this database. You may use the same Microsoft SQL Server that supports your Workspace ONE UEM deployment for your Workspace ONE Assist deployment.

Figure 2: On-Premises Workspace ONE Assist Logical Architecture

Table 3: On-Premises Simple Workspace ONE Assist Architecture

Decision: An on-premises deployment of Workspace ONE Assist and the components required were architected, scaled, and deployed to support 50,000 devices and up to 50 concurrent remote management sessions with an active/passive setup.

Justification: This provides validation of design and implementation of an on-premises instance of Workspace ONE Assist.

Database

All Workspace ONE Assist system, tenant, and data configurations required for remote management operation and device registration are stored across eight databases on the SQL Server. For more details about how data is partitioned across these eight databases, see Workspace ONE Assist Components. The Workspace ONE Assist Core Services provide communication to the database for the Portal, Application, and Connection Proctor services.

In this reference architecture, Microsoft SQL Server 2016 was used along with its cluster offering Always On availability groups, which is supported with Workspace ONE Assist. This allows the deployment of two all-in-one Workspace ONE Assist servers in an active/passive pair that points to the same database and is protected by an availability group. An availability group listener is the connection target for both instances.

Windows Server Failover Clustering (WSFC) can also be used to improve local database availability and redundancy. In a WSFC cluster, two Windows servers are clustered together to run one instance of SQL Server, which is called a SQL Server failover cluster instance (FCI). Failover of the SQL Server services between these two Windows servers is automatic.

Workspace ONE Assist runs on an external SQL database and can be installed alongside your existing SQL database for Workspace ONE UEM. Licensed users can use a Microsoft SQL Server 2012, SQL Server 2014, or SQL Server 2016 database server to set up a high-availability database environment.

The Workspace ONE Assist installer will automatically create the necessary server roles, users, user mappings, and databases. You must have a server administrator account (or equivalent) for these elements to be created. See Database Settings Created Automatically During Installation.

Although Workspace ONE Assist supports using a local SQL Express database, it is not recommended for production and redundancy. For guidance on hardware sizing for Microsoft SQL Servers, see Hardware Scaling Requirements.

Table 4: Implementation Strategy for the On-Premises Workspace ONE Assist Database

Decision: An external Microsoft SQL database with Always-On availability groups was implemented for this design.

Justification: An external SQL database is recommended for production and allows for scale and redundancy.

Load Balancing

To remove a single point of failure, you can deploy more than one instance of a Workspace ONE Assist all-in-one server behind an external load balancer. This provides redundancy across the multiple all-in-one Workspace ONE Assist instances by routing traffic to the currently active service.

To ensure that the load balancer itself does not become a point of failure, most load balancers allow for setup of multiple nodes in a high-availability (HA) or active/passive configuration.

SSL/TLS passthrough is required for all Workspace ONE Assist server configurations on the load balancers. SSL/TLS offloading is not supported for Workspace ONE Assist components. To address persistence, you must configure the load balancer to use IP or SSL/TLS session persistence.

For more information on load balancing, see Integrate a Load Balancer to Your Deployment.

Scalability and Availability

Workspace ONE Assist components can be deployed in a single- or multiple-server architecture to support load and concurrency requirements. Single-server architectures can meet production high-availability requirements by deploying multiple all-in-one servers in an active/passive configuration behind a load balancer.

For more information on scaling a single- or multiple-server architecture, see Hardware Scaling Requirements.

Table 5: Implementation Strategy for the Workspace ONE Assist Services

Decision: Two Workspace ONE Assist all-in-one servers were deployed in the DMZ behind an external load balancer.

Justification: One all-in-one server can support 50,000 devices and 50 concurrent remote management sessions. The second all-in-one server is deployed in an active/passive configuration for redundancy.

Figure 3: On-Premises Workspace ONE Assist Architecture

This figure shows an environment suitable for up to 50,000 devices and 50 concurrent remote management sessions.

The Workspace ONE Assist all-in-one servers are located in the DMZ because the Connection Proctor and Portal components must be accessible from devices.

The Workspace ONE UEM administration console servers reside in the internal network with a load balancer in front of them. Administrators can access Workspace ONE Assist Portal services for remote management sessions from the Workspace ONE UEM administration console.

For this reference architecture, split DNS was used; that is, the same FQDN was used both internally and externally for user access to the Workspace ONE Assist active/passive server. Split DNS is not a strict requirement for a Workspace ONE Assist on-premises design, but it does improve the user experience.

See the Registering Failover for an active/passive Workspace ONE Assist section in Workspace ONE Assist Configuration for more detail.

Multi-site Design

The Workspace ONE Assist all-in-one servers are responsible for providing device registration and administering remote management sessions. These servers should be deployed to be highly available within a site and deployed in a secondary data center for failover and redundancy. A robust back-up policy for application servers and database servers can minimize the steps required for restoring a Workspace ONE Assist environment in another location.

You can configure disaster recovery (DR) for your Workspace ONE Assist solution using whatever procedures and methods meet your DR policies. Workspace ONE Assist has no dependency on your DR configuration, but we strongly recommend that you develop failover procedures for DR scenarios. Workspace ONE Assist components can be deployed to accommodate most of the typical disaster recovery scenarios.

Workspace ONE Assist consists of the following core components, which need to be designed for redundancy:

  • Workspace ONE Assist Core Services
  • Workspace ONE Assist Portal Services
  • Workspace ONE Assist Application Services
  • Workspace ONE Assist Connection Proctors
  • SQL database server

Table 6: Site Resilience Strategy for Workspace ONE Assist

Decision: A second site was set up with Workspace ONE Assist.

Justification: This strategy provides disaster recovery and site resilience for the on-premises implementation of Workspace ONE Assist.

Multi-site All-in-One Assist Servers

To provide site resilience, each site requires its own group of Workspace ONE Assist all-in-one servers deployed in an active/passive pair to allow the site to operate independently. One site runs as an active deployment, while the other has a passive deployment.

The Workspace ONE Assist all-in-one servers are hosted in the DMZ in each site. Each site has a local load balancer that directs traffic to the currently active Workspace ONE Assist all-in-one server in your active/passive pair. For more information, see the Registering Failover for an active/passive Workspace ONE Assist section in Workspace ONE Assist Configuration.

A global load balancer is used in front of each site’s load balancer.

Table 7: Strategy for Multi-site Deployment of the Workspace ONE Assist All-in-One Active/Passive Pairs

Decision: A second active/passive pair of Workspace ONE Assist all-in-one servers was installed in a second data center. The number and function of the servers were the same as sized for the primary site.

Justification: This strategy provides full disaster recovery capacity for all the Workspace ONE Assist services.

Multi-site Database

Workspace ONE Assist supports Microsoft SQL Server 2012 (and later) and its cluster offering Always On availability groups. This allows the deployment of multiple instances of the Workspace ONE Assist all-in-one servers to point to the same database so that remote management device registration and system configuration details are highly available in the case of component failure or maintenance.

It is recommended to deploy the Workspace ONE Assist databases on the same Workspace ONE UEM SQL Server machine. Due to this shared dependency, see the multi-site database detail in the Multi-site Design section for Workspace ONE UEM Architecture.

Table 8: Strategy for Multi-site Deployment of the On-Premises Database

Decision: A Microsoft SQL Server Always-On database was used.

Justification: This strategy provides replication of the database from the primary site to the recovery site and allows for recovery of the database functionality.

Failover to a Second Site

A Workspace ONE Assist multi-site design allows administrators to maintain constant availability of the different Workspace ONE Assist services in case a disaster renders the original active site unavailable. The following diagram shows a sample multi-site architecture.

Figure 4: On-Premises Multi-Site Workspace ONE Assist Architecture

To achieve failover to a secondary site, manual intervention might be required for two main layers of the solution:

  • Database – Depending on the configuration of the SQL Server Always On availability group, inter-site failover of the database can be automatic. If necessary, steps should be taken to manually control which site has the active SQL node.
  • All-in-one servers – The global load balancer controls which site the traffic is directed to. During normal operation, the global load balancer directs traffic to the local load balancer in front of the Workspace ONE Assist all-in-one servers in Site 1. In a failover scenario, the global load balancer should be either manually or automatically changed to direct traffic to the equivalent local load balancer in Site 2.
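The two layers above can fail over independently (the availability group automatically, the global load balancer possibly by hand), so a runbook should check that they agree before declaring the failover complete. The following consistency check is an added example written for this section; it is not part of the reference architecture or of the Workspace ONE Assist product. The site states, the names "Site 1" and "Site 2", and the replica roles are constructed inputs, and the check assumes the design's intent that the active SQL node and the site receiving device traffic should be the same site.

```python
"""Runbook consistency check for a two-site Workspace ONE Assist design (constructed example).

Layer 1: SQL Server Always On availability group; the PRIMARY replica may move automatically.
Layer 2: global load balancer (GLB) target site; this may require a manual change.
The check reports the actions an operator still has to take so that both layers agree.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SiteState:
    name: str
    assist_active_healthy: bool   # active all-in-one server behind the local LB responds
    assist_passive_healthy: bool  # passive all-in-one server is available for local failover
    sql_replica_role: str         # "PRIMARY", "SECONDARY" or "UNREACHABLE" (hypothetical labels)


def failover_checklist(sites: Dict[str, SiteState], glb_target: str) -> List[str]:
    """Return the remaining manual actions; an empty list means both layers are aligned."""
    actions: List[str] = []

    # Layer 1: exactly one site must hold the PRIMARY replica before traffic is directed anywhere.
    primaries = [s for s in sites.values() if s.sql_replica_role == "PRIMARY"]
    if len(primaries) != 1:
        actions.append("DATABASE: no single PRIMARY replica visible; fail over the availability "
                       "group manually before changing the global load balancer")
        return actions
    db_site = primaries[0].name

    # Local active/passive pair in the site the GLB currently targets.
    target = sites[glb_target]
    if not target.assist_active_healthy and target.assist_passive_healthy:
        actions.append(f"LOCAL: active all-in-one server in {glb_target} is down; confirm the local "
                       f"load balancer is serving the registered passive server")
    site_usable = target.assist_active_healthy or target.assist_passive_healthy

    # Layer 2: the GLB must point at a site that still has a working all-in-one server.
    if not site_usable:
        alternatives = [n for n, s in sites.items()
                        if n != glb_target and (s.assist_active_healthy or s.assist_passive_healthy)]
        if alternatives:
            actions.append(f"GLB: no healthy all-in-one server in {glb_target}; redirect the global "
                           f"load balancer to {alternatives[0]}")
        else:
            actions.append("GLB: no site has a healthy all-in-one server; restore a pair first")

    # Split condition: database moved (automatic) but traffic did not (manual).
    if db_site != glb_target:
        actions.append(f"SPLIT: PRIMARY replica is in {db_site} while the global load balancer "
                       f"directs traffic to {glb_target}; the all-in-one servers are reaching the "
                       f"listener across sites, so decide which site should hold the active SQL "
                       f"node and align the two layers")
    return actions


if __name__ == "__main__":
    # Constructed scenario: the availability group failed over to Site 2 on its own,
    # but the global load balancer still sends devices to Site 1.
    sites = {
        "Site 1": SiteState("Site 1", assist_active_healthy=True, assist_passive_healthy=True,
                            sql_replica_role="SECONDARY"),
        "Site 2": SiteState("Site 2", assist_active_healthy=True, assist_passive_healthy=True,
                            sql_replica_role="PRIMARY"),
    }
    for line in failover_checklist(sites, glb_target="Site 1"):
        print(line)
```

The check reads the replica roles and server health from whatever monitoring the environment already has; the point is that a database-only or load-balancer-only view can each look healthy while the combination is inconsistent.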

Prerequisites for Network Configuration

This section details the prerequisites for the Workspace ONE Assist network configuration. Verify that the following requirements are met:

  • A static IP address and a DNS A record are used for each Workspace ONE Assist all-in-one server.
  • Inbound firewall ports 443 and 8443 are open so that external devices can connect to the active Workspace ONE Assist Portal service and Connection Proctor service, respectively, through the load balancer.
    Note: 443 and 8443 are the default ports but can be customized if required.
  • The external load balancer must direct traffic to the active Workspace ONE Assist all-in-one server using SSL/TLS passthrough.
  • The external load balancer must support IP or SSL/TLS persistence for traffic directed to the active Workspace ONE Assist all-in-one server.

For a comprehensive list of requirements, see Network and Security Requirements.
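The prerequisites above, together with the passthrough and persistence requirements in the Load Balancing section, can be verified before devices are pointed at the environment. The following preflight script is an added example written for this document; it is not part of the reference architecture or of the Workspace ONE Assist product. It resolves the FQDN and compares the result with the expected static IP of the load balancer, checks TCP reachability of the Portal (443) and Connection Proctor (8443) ports through the load balancer, and confirms TLS passthrough by comparing the leaf certificate presented through the load balancer with the one each all-in-one server presents directly (a load balancer that offloads TLS presents its own certificate instead). The FQDN, IP addresses and port numbers used in the `__main__` section are constructed placeholders, and the network functions are parameters so the logic can be exercised with fakes.

```python
"""Preflight checks for Workspace ONE Assist all-in-one servers behind a load balancer.

Added example; hosts, addresses and fingerprints are constructed placeholders.
"""
import hashlib
import socket
import ssl
from dataclasses import dataclass, field
from typing import List

PORTAL_PORT = 443     # default Portal service port (customizable per the design document)
PROCTOR_PORT = 8443   # default Connection Proctor port (customizable per the design document)


def resolve_a_records(fqdn: str) -> List[str]:
    """Live DNS lookup: sorted IPv4 addresses the FQDN resolves to."""
    infos = socket.getaddrinfo(fqdn, None, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_leaf_fingerprint(host: str, port: int, sni: str, timeout: float = 5.0) -> str:
    """SHA-256 fingerprint of the leaf certificate presented at host:port.

    Chain verification is deliberately off: this probe only records which certificate
    is presented so that two endpoints can be compared. It is not a trust decision.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


@dataclass
class Target:
    fqdn: str                 # published FQDN (split DNS: same name internally and externally)
    vip: str                  # static IP of the load balancer virtual server for the FQDN
    servers: List[str]        # IPs of the all-in-one servers in the active/passive pair
    ports: List[int] = field(default_factory=lambda: [PORTAL_PORT, PROCTOR_PORT])


def run_preflight(target: Target, resolve=resolve_a_records, reachable=tcp_reachable,
                  fingerprint=tls_leaf_fingerprint) -> List[str]:
    """Return findings; an empty list means every checked prerequisite holds."""
    findings: List[str] = []

    # Prerequisite: DNS A record for the FQDN points at the static load balancer address.
    addrs = resolve(target.fqdn)
    if addrs != [target.vip]:
        findings.append(f"DNS: {target.fqdn} resolves to {addrs}, expected A record {target.vip}")

    for port in target.ports:
        # Prerequisite: inbound 443 and 8443 are open through the load balancer.
        if not reachable(target.vip, port):
            findings.append(f"PORT: {target.vip}:{port} is not reachable through the load balancer")
            continue
        via_lb = fingerprint(target.vip, port, target.fqdn)

        # Prerequisite: TLS passthrough. The certificate seen through the load balancer must be
        # the certificate the all-in-one server itself serves; offloading would show the LB's cert.
        for server in target.servers:
            if not reachable(server, port):
                findings.append(f"PORT: all-in-one server {server}:{port} is not reachable")
                continue
            direct = fingerprint(server, port, target.fqdn)
            if direct != via_lb:
                findings.append(f"TLS: port {port}: certificate via load balancer ({via_lb[:16]}...) "
                                f"differs from {server} ({direct[:16]}...); the load balancer "
                                f"appears to offload TLS, but passthrough is required")
    return findings


if __name__ == "__main__":
    # Constructed placeholders: replace with the real FQDN, VIP and server addresses.
    target = Target(fqdn="assist.example.com", vip="203.0.113.10",
                    servers=["10.0.1.11", "10.0.1.12"])
    for finding in run_preflight(target):
        print(finding)
```

Session persistence (IP or SSL/TLS) cannot be confirmed from a single probe and must be checked in the load balancer's virtual server configuration; the certificate comparison does, however, catch the common misconfiguration of TLS offloading at the load balancer, which Workspace ONE Assist does not support.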

Installation and Initial Configuration

Workspace ONE Assist is delivered as a single installer and deploys the Core, Application, Portal, Connection Proctor, and Database services. For information on installing Workspace ONE Assist, see Install Workspace ONE Assist. For the all-in-one server installation, see Standard (Basic) Installation of Workspace ONE Assist.

At a high level, installation and configuration involve the following tasks:

  1. Generate the Workspace ONE Assist Certificates using the RemoteManagementCertificateGenerator utility included in the installer. See Generate the Workspace ONE Assist Certificates.
  2. Run the Workspace ONE Assist installer:
    1. Select the Standard – Basic (that is, “all-in-one”) configuration.
    2. Configure the database details.
    3. Configure the Application service details.
    4. Configure the Portal and Connection Proctor service bindings.
    5. When the installer finishes, leave the Run Resource Pack option enabled. If you complete the installer without automatically running the included resource pack, see Import Device Profiles with Resource Pack Utility.

For full details, see Standard (Basic) Installation of Workspace ONE Assist. For troubleshooting articles, see Troubleshooting Workspace ONE Assist.

Integration with Workspace ONE UEM

Integrating Workspace ONE UEM and Workspace ONE Assist allows your administrators to launch Remote Management sessions for eligible devices directly from the Workspace ONE UEM administration console.

The integration process between the two solutions is detailed in Configure the Workspace ONE UEM Console.

See the Workspace ONE UEM and Workspace ONE Assist Integration section in Platform Integration for full integration details.

Integration with Horizon Cloud Control Plane Service

An integration between Workspace ONE Assist and the Horizon Cloud Control Plane Service allows your administrators to launch Remote Management sessions for eligible devices directly from the Horizon Universal console via the Help Desk card. With Workspace ONE Assist for Horizon, support staff can quickly launch support sessions and remotely view and control virtual desktops directly from the Horizon Universal console.

The integration is primarily a cloud-based component of the Horizon Control Plane Service and enables any supported desktop type to be remotely controlled by Workspace ONE Access. You must implement the Assist for Horizon application on the relevant golden (base) image or the template virtual machine.

You can find more details on this integration in the Horizon Control Plane Services Architecture document of the Reference Architecture in the Help Desk section.

Remote Management Client Tools

The Workspace ONE Assist client provides support tools to facilitate troubleshooting and remotely controlling end-user devices. These client tools provide effective troubleshooting options such as remote screen sharing and control, remote file system management, remotely issuing commands to the device, inspecting running tasks, and more.

Note: Not all client tools are available on all OS platforms. See Capabilities by Platform.

You can also assign tool-specific role permissions to your administrators from the Workspace ONE UEM console for granular control over which administrators can interact with specific Workspace ONE Assist client tools. See Assign Role Permissions for Workspace ONE Assist Client Tools for more details.

End-user privacy is an important aspect when allowing your administrators to remotely access, view, and control managed devices. See Privacy Notices and End-User Prompts for more information on the end-user experience.

Share Screen Tool

The Share Screen tool allows your administrator to view and control the end-user device remotely. The administrator can capture images or video while the Share Screen session is active. A virtual keyboard is available to the administrator, and the physical device buttons can be used by interacting with the device shell presented in the Share Screen view.

End users can pause the Share Screen session at any time if needed for privacy concerns. An active Share Screen session is made visible to the end user by highlighting their screen with a blue outline and showing the Assist icon, which indicates whether the session is active or paused.

Figure 5: Administrator View of Device Using Share Screen Tool

See Share Screen, Assist Client Tool for more details.

Important: When using Restriction Profiles in Workspace ONE UEM, be aware that disabling Allow Screen Capture will prevent Workspace ONE Assist from remotely viewing or controlling any device with this profile. See Restriction Profile Configurations for more detail.

See Troubleshooting Workspace ONE Assist for more troubleshooting articles.

Manage Files Tool

The Manage Files tool exposes the device’s file system to the administrator and allows administrators to upload, download, rename, delete, move, cut, copy, and paste files and folders.

Figure 6: Manage Files Tool Showing the File System on an End User’s Device

See Manage Files, Assist Client Tool for more details.

Remote Commands Tools

Administrators can leverage the Remote Shell client tool for Windows 10 and the Command-Line Interface client tool for Android devices to send commands remotely. The Remote Shell client tool for Windows 10 connects to a PowerShell interface, while the Command-Line client tool for Android connects to a command-line interface.

Figure 7: Example of Retrieving Device Configuration Information Using the Remote Shell Client Tool for Android

See Remote Shell Assist Client Tool for Windows 10 and Command-Line Interface, Android for additional details.

Workspace ONE Assist Client Tools

Additional Workspace ONE Assist client tools are available for your administrators based on your device platform. See Client Tools for a comprehensive list.

Getting Started

Workspace ONE Assist is available as an add-on to any Workspace ONE environment. On-premises deployments require the Workspace ONE Advanced Deployment Add-On. The shared SaaS version is available to all customers, including those with on-premises and dedicated SaaS environments. For additional information, reach out to your VMware sales representative.

Workspace ONE Assist is automatically provisioned and available for trial in Workspace ONE UEM Shared SaaS Free Trial and UAT environments. Workspace ONE Assist is not available for trial in Workspace ONE UEM On-Premises environments. If you wish to try Workspace ONE Assist in an on-premises deployment, request a new Workspace ONE UEM Shared SaaS Free Trial or UAT environment.

Workspace ONE UEM Shared SaaS Free Trial environments are available on the Try Workspace ONE page.

For more information, see the Workspace ONE Assist product documentation.

What’s Next?

Now that you have come to the end of this chapter, you can return to the landing page and search or scroll to select your next chapter in one of the following sections:

  • Overview chapters provide understanding of business drivers, use cases, and service definitions.
  • Architecture chapters explore the products you are interested in including in your platform, including Workspace ONE UEM, Workspace ONE Access, Workspace ONE Assist, Workspace ONE Intelligence, Horizon, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
  • Integration chapters cover the integration of components and services you need to create the platform capable of delivering what you want.
  • Configuration chapters provide reference for specific tasks as you build your platform, such as installation, deployment, and configuration processes for Horizon, App Volumes, Dynamic Environment Management, and more.
