Workspace ONE Assist Architecture
This chapter is one of a series that make up the , a framework that provides guidance on the architecture, design considerations, and deployment of Workspace ONE and Horizon solutions. This chapter provides information about architecting VMware Workspace ONE Assist.
VMware Workspace ONE UEM (powered by AirWatch) is responsible for device enrollment, a mobile application catalog, policy enforcement regarding device compliance, and integration with key enterprise services, such as email, content, and social media.
VMware Workspace ONE® Assist allows VMware Workspace ONE® UEM administrators to remotely access and troubleshoot devices in real time while respecting end-user privacy.
Workspace ONE Assist features include:
- Screen sharing capabilities – Allows remote devices to screen share and relinquish device controls to an administrator for guided support. Can also capture images and video remotely.
- File system capabilities – Exposes the device’s file system and allows for folders or files to be edited, deleted, or added remotely.
- Run commands – Automate issue resolution and common tasks by remotely sending commands to the device.
Workspace ONE Assist can be implemented using either an on-premises or a cloud-based (SaaS) model. Both models offer the same functionality.
To avoid repetition of information, an overview of the product, its architecture, and the common components are described in the cloud-based architecture section, which follows. The on-premises architecture section then adds to this information if your preference is to build on-premises.
With a cloud-based implementation, the Workspace ONE Assist software is delivered using a software-as-a-service (SaaS) model. The integration between your Workspace ONE UEM SaaS tenant and your Workspace ONE Assist SaaS deployment is configured for you.
Figure 1: Cloud-Based Workspace ONE Assist Logical Architecture
Workspace ONE Assist includes the following components:
Table 1: Workspace ONE Assist Components
| Component | Description |
| --- | --- |
| Workspace ONE Assist Core Services | Services responsible for coordinating communication and providing service discovery for all other Workspace ONE Assist services. All database communication is handled through these services. |
| Workspace ONE Assist Portal Services | Services that host the Workspace ONE Assist administration portal that manages remote device sessions and registration. |
| Workspace ONE Assist Application Services | Services responsible for communicating with devices available for remote management. |
| Workspace ONE Assist Connection Proctor | Proctor for managing device connections to the Workspace ONE Assist server. Simultaneously handles multiple requests for remote management sessions. |
The Workspace ONE UEM SaaS and AirWatch Cloud Connector components are shown in the figure only because they illustrate the typical Workspace ONE SaaS deployment model. For more information on those components, see .
Workspace ONE Assist is composed of separate services that can be installed on a single- or multiple-server architecture to meet security and load requirements. Service endpoints can be spread across different network security zones, with Portal and Connection Proctor components located in a DMZ to allow external, inbound access to the Application, Core, and Database services located in a protected, internal network. See the On-Premises Deployments Across Public and Private Security Zones section of .
The network and security requirements for single- and multiple-server architecture differ and should be considered before deployment. See the On-Prem Config sections of for a list of port and firewall rule requirements for both single- and multiple-server architectures.
The single-server architecture is also referred to as an all-in-one server, meaning the Core, Application, Portal, and Connection Proctor components are installed on a single server.
In addition to the components already described for this cloud-based architecture, there are additional components required for an on-premises deployment.
Table 2: Additional On-Premises Workspace ONE Assist Components
| Component | Description |
| --- | --- |
| Database | Microsoft SQL Server database that stores the Workspace ONE Assist system and tenant configuration, operations, and logging, such as the accrual of historical data showing when a device was enrolled in remote management. All Workspace ONE Assist Core Service servers, Connection Proctor servers, and remote management registration details persist and reside in this database. You may use the same Microsoft SQL Server that supports your Workspace ONE UEM deployment for your Workspace ONE Assist deployment. |
Figure 2: On-Premises Workspace ONE Assist Logical Architecture
Table 3: On-Premises Simple Workspace ONE Assist Architecture
| Decision | Justification |
| --- | --- |
| An on-premises deployment of Workspace ONE Assist and the components required were architected, scaled, and deployed to support 50,000 devices and up to 50 concurrent remote management sessions with an active/passive setup. | This provides validation of design and implementation of an on-premises instance of Workspace ONE Assist. |
All Workspace ONE Assist system, tenant, and data configurations required for remote management operation and device registration are stored across eight databases on the SQL Server. For more details about how data is partitioned across these eight databases, see . The Workspace ONE Assist Core Services provide communication to the database for the Portal, Application, and Connection Proctor services.
In this reference architecture, Microsoft SQL Server 2016 was used along with its cluster offering Always On availability groups, which is supported with Workspace ONE Assist. This allows the deployment of two all-in-one Workspace ONE Assist servers in an active/passive pair that points to the same database and is protected by an availability group. An availability group listener is the connection target for both instances.
Windows Server Failover Clustering (WSFC) can also be used to improve local database availability and redundancy. In a WSFC cluster, two Windows servers are clustered together to run one instance of SQL Server, which is called a SQL Server failover cluster instance (FCI). Failover of the SQL Server services between these two Windows servers is automatic.
Workspace ONE Assist runs on an external SQL database and can be installed alongside your existing SQL database for Workspace ONE UEM. Licensed users can use a Microsoft SQL Server 2012, SQL Server 2014, or SQL Server 2016 database server to set up a high-availability database environment.
The Workspace ONE Assist installer will automatically create the necessary server roles, users, user mappings, and databases. You must have a server administrator account (or equivalent) for these elements to be created. See .
Table 4: Implementation Strategy for the On-Premises Workspace ONE Assist Database
| Decision | Justification |
| --- | --- |
| An external Microsoft SQL database with Always On availability groups was implemented for this design. | An external SQL database is recommended for production and allows for scale and redundancy. |
To remove a single point of failure, you can deploy more than one instance of a Workspace ONE Assist all-in-one server behind an external load balancer. This provides redundancy across the multiple all-in-one Workspace ONE Assist instances by routing traffic to the currently active service.
To ensure that the load balancer itself does not become a point of failure, most load balancers allow for setup of multiple nodes in a high-availability (HA) or active/passive configuration.
SSL/TLS passthrough is required for all Workspace ONE Assist server configurations on the load balancers. SSL/TLS offloading is not supported for Workspace ONE Assist components. To address persistence, you must configure the load balancer to use IP or SSL/TLS session persistence.
Scalability and Availability
Workspace ONE Assist components can be deployed in a single- or multiple-server architecture to support load and concurrency requirements. Single-server architectures can meet production high-availability requirements by deploying multiple all-in-one servers in an active/passive configuration behind a load balancer.
Table 5: Implementation Strategy for the Workspace ONE Assist Services
| Decision | Justification |
| --- | --- |
| Two instances of the Workspace ONE Assist all-in-one server were deployed in the DMZ behind an external load balancer. | One all-in-one server can support 50,000 devices and 50 concurrent remote management sessions. An additional all-in-one server is deployed in an active/passive configuration for redundancy. |
Figure 3: On-Premises Workspace ONE Assist Architecture
This figure shows an environment suitable for up to 50,000 devices and 50 concurrent remote management sessions.
The Workspace ONE Assist all-in-one servers are located in the DMZ because the Connection Proctor and Portal components must be accessible from devices.
The Workspace ONE UEM administration console servers reside in the internal network with a load balancer in front of them. Administrators can access Workspace ONE Assist Portal services for remote management sessions from the Workspace ONE UEM administration console.
For this reference architecture, split DNS was used; that is, the same FQDN was used both internally and externally for user access to the Workspace ONE Assist active/passive server. Split DNS is not a strict requirement for a Workspace ONE Assist on-premises design, but it does improve the user experience.
The Workspace ONE Assist all-in-one servers are responsible for providing device registration and administering remote management sessions. These servers should be deployed to be highly available within a site and deployed in a secondary data center for failover and redundancy. A robust back-up policy for application servers and database servers can minimize the steps required for restoring a Workspace ONE Assist environment in another location.
You can configure disaster recovery (DR) for your Workspace ONE Assist solution using whatever procedures and methods meet your DR policies. Workspace ONE Assist has no dependency on your DR configuration, but we strongly recommend that you develop failover procedures for DR scenarios. Workspace ONE Assist components can be deployed to accommodate most of the typical disaster recovery scenarios.
Workspace ONE Assist consists of the following core components, which need to be designed for redundancy:
- Workspace ONE Assist Core Services
- Workspace ONE Assist Portal Services
- Workspace ONE Assist Application Services
- Workspace ONE Assist Connection Proctors
- SQL database server
Table 6: Site Resilience Strategy for Workspace ONE Assist
| Decision | Justification |
| --- | --- |
| A second site was set up with Workspace ONE Assist. | This strategy provides disaster recovery and site resilience for the on-premises implementation of Workspace ONE Assist. |
To provide site resilience, each site requires its own group of Workspace ONE Assist all-in-one servers deployed in an active/passive pair to allow the site to operate independently. One site runs as an active deployment, while the other has a passive deployment.
The Workspace ONE Assist all-in-one servers are hosted in the DMZ in each site. Each site has a local load balancer that directs traffic to the currently active Workspace ONE Assist all-in-one server in your active/passive pair. For more information, see the Registering Failover for an active/passive Workspace ONE Assist section in .
A global load balancer is used in front of each site’s load balancer.
Table 7: Strategy for Multi-site Deployment of the Workspace ONE Assist All-in-One active/passive Pairs
| Decision | Justification |
| --- | --- |
| A second active/passive pair of Workspace ONE Assist all-in-one servers was installed in a second data center. The number and function of the servers were the same as sized for the primary site. | This strategy provides full disaster recovery capacity for all the Workspace ONE Assist services. |
Workspace ONE Assist supports Microsoft SQL Server 2012 (and later) and its cluster offering Always On availability groups. This allows the deployment of multiple instances of the Workspace ONE Assist all-in-one servers to point to the same database so that remote management device registration and system configuration details are highly available in the case of component failure or maintenance.
It is recommended to deploy the Workspace ONE Assist databases on the same Workspace ONE UEM SQL Server machine. Due to this shared dependency, see the multi-site database detail in the Multi-site Design section for .
Table 8: Strategy for Multi-site Deployment of the On-Premises Database
| Decision | Justification |
| --- | --- |
| A Microsoft SQL Server Always On database was used. | This strategy provides replication of the database from the primary site to the recovery site and allows for recovery of the database functionality. |
A Workspace ONE Assist multi-site design allows administrators to maintain constant availability of the different Workspace ONE Assist services in case a disaster renders the original active site unavailable. The following diagram shows a sample multi-site architecture.
Figure 4: On-Premises Multi-Site Workspace ONE Assist Architecture
To achieve failover to a secondary site, manual intervention might be required for two main layers of the solution:
- Database – Depending on the configuration of the SQL Server Always On availability group, inter-site failover of the database can be automatic. If necessary, steps should be taken to manually control which site has the active SQL node.
- All-in-one servers – The global load balancer controls which site the traffic is directed to. During normal operation, the global load balancer directs traffic to the local load balancer in front of the Workspace ONE Assist all-in-one servers in Site 1. In a failover scenario, the global load balancer should be either manually or automatically changed to direct traffic to the equivalent local load balancer in Site 2.
Prerequisites for Network Configuration
This section details the prerequisites for the Workspace ONE Assist network configuration. Verify that the following requirements are met:
- A static IP address and a DNS A record are used for each Workspace ONE Assist all-in-one server.
- Inbound firewall ports 443 and 8443 are open so that external devices can connect to the active Workspace ONE Assist Portal service and Connection Proctor service, respectively, through the load balancer.
  Note: 443 and 8443 are the default ports but can be customized if required.
- The external load balancer must direct traffic to the active Workspace ONE Assist all-in-one server using SSL/TLS passthrough.
- The external load balancer must support IP or SSL/TLS persistence for traffic directed to the active Workspace ONE Assist all-in-one server.
For a comprehensive list of requirements, see .
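The load balancer requirements above (SSL/TLS passthrough, default ports 443 and 8443, an active node behind a single FQDN) can be checked from the outside. The script below is an added example, not VMware's or the product's own code: it resolves the load balancer FQDN, opens TLS sessions to the Portal and Connection Proctor ports both through the load balancer and directly to each all-in-one server, and compares the leaf certificates presented. A certificate seen through the load balancer that no server serves itself means the load balancer is terminating TLS, which is the unsupported offloading case. The FQDN and server hostnames are placeholders.

```python
import hashlib
import socket
import ssl

# Default ports named in the prerequisites; both can be customized in the installer.
ASSIST_PORTS = {"portal": 443, "connection_proctor": 8443}


def resolve_a_records(fqdn: str) -> list[str]:
    """Return the IPv4 addresses behind the DNS A record(s) for fqdn."""
    return sorted(set(socket.gethostbyname_ex(fqdn)[2]))


def leaf_cert_fingerprint(host: str, port: int, timeout: float = 5.0) -> str:
    """Open a TLS session to host:port and return the SHA-256 fingerprint of the
    leaf certificate the far end presents. Validation is disabled on purpose:
    we only want to learn WHICH certificate is served, not whether it chains."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def classify_passthrough(lb_fingerprint: str, server_fingerprints: dict[str, str]) -> dict:
    """Compare the certificate seen through the load balancer with the ones the
    all-in-one servers present directly.
    - Matches none of them: the load balancer terminates TLS (offloading), which
      Workspace ONE Assist does not support.
    - Matches exactly one: passthrough is in place and that server is the
      currently active node of the active/passive pair.
    - Matches several (servers sharing one certificate behind a single FQDN):
      passthrough is confirmed, but the active node cannot be told apart this way."""
    matches = sorted(name for name, fp in server_fingerprints.items() if fp == lb_fingerprint)
    return {
        "passthrough": bool(matches),
        "active_server": matches[0] if len(matches) == 1 else None,
        "candidates": matches,
    }


def check_assist_front_door(lb_fqdn: str, servers: list[str]) -> dict:
    """Run the checks for each Assist service port and return a report.
    A closed firewall port, DNS failure or timeout is recorded per port."""
    report = {"fqdn": lb_fqdn, "a_records": resolve_a_records(lb_fqdn), "ports": {}}
    for service, port in ASSIST_PORTS.items():
        try:
            lb_fp = leaf_cert_fingerprint(lb_fqdn, port)
            server_fps = {s: leaf_cert_fingerprint(s, port) for s in servers}
        except OSError as exc:
            report["ports"][port] = {"service": service, "error": str(exc)}
            continue
        report["ports"][port] = {"service": service, **classify_passthrough(lb_fp, server_fps)}
    return report


if __name__ == "__main__":
    # Placeholder names; replace with your load balancer FQDN and server hostnames.
    print(check_assist_front_door("assist.example.com",
                                  ["assist01.example.com", "assist02.example.com"]))
```

Run it from a network position that can reach both the load balancer and the servers directly; an `error` entry for a port points at the firewall rule for that service.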
Installation and Initial Configuration
Workspace ONE Assist is delivered as a single installer and deploys the Core, Application, Portal, Connection Proctor, and Database services. For information on installing Workspace ONE Assist, see . For the all-in-one server installation, see .
At a high level, installation and configuration involve the following tasks:
- Generate the Workspace ONE Assist Certificates using the RemoteManagementCertificateGenerator utility included in the installer. See .
- Run the Workspace ONE Assist installer:
  - Select the Standard – Basic (that is, “all-in-one”) configuration.
  - Configure the database details.
  - Configure the Application service details.
  - Configure the Portal and Connection Proctor service bindings.
- When the installer finishes, leave the Run Resource Pack option enabled. If you complete the installer without automatically running the included resource pack, see .
Integration with Workspace ONE UEM
Integrating Workspace ONE UEM and Workspace ONE Assist allows your administrators to launch Remote Management sessions for eligible devices directly from the Workspace ONE UEM administration console.
Integration with Horizon Cloud Control Plane Service
An integration between Workspace ONE Assist and the Horizon Cloud Control Plane Service allows your administrators to launch Remote Management sessions for eligible devices directly from the Horizon Universal console via the Help Desk card. With Workspace ONE Assist for Horizon, support staff can quickly launch support sessions and remotely view and control virtual desktops directly from the Horizon Universal console.
The integration is primarily a cloud-based component of the Horizon Control Plane Service and enables any supported desktop type to be remotely controlled by Workspace ONE Access. You must implement the Assist for Horizon application on the relevant golden (base) image or the template virtual machine.
Remote Management Client Tools
The Workspace ONE Assist client provides support tools to facilitate troubleshooting and remotely controlling end-user devices. These client tools provide effective troubleshooting options such as remote screen sharing and control, remote file system management, remotely issuing commands to the device, inspecting running tasks, and more.
You can also assign tool-specific role permissions to your administrators from the Workspace ONE UEM console for granular control over which administrators can interact with specific Workspace ONE Assist client tools. See the Assign Role Permissions for Workspace ONE Assist Client Tools section of for more details.
Share Screen Tool
The Share Screen tool allows your administrator to view and control the end-user device remotely. The administrator can capture images or video while the Share Screen session is active. There is a virtual keyboard available for the administrator, or you can use the physical device buttons by interacting with the device shell presented in the Share Screen view.
End users can pause the Share Screen session at any time if they have privacy concerns. An active Share Screen session is made obvious to the end user: the screen is highlighted with a blue outline, and the Assist icon indicates whether the session is active or paused.
Figure 5: Administrator View of Device Using Share Screen Tool
Important: When using Restriction Profiles in Workspace ONE UEM, be aware that disabling Allow Screen Capture will prevent Workspace ONE Assist from remotely viewing or controlling any device with this profile. See for more detail.
Manage Files Tool
The Manage Files tool exposes the device’s file system to the administrator and allows administrators to upload, download, rename, delete, move, cut, copy, and paste files and folders.
Figure 6: Manage Files Tool Showing the File System on an End User’s Device
Remote Commands Tools
Administrators can leverage the Remote Shell client tool for Windows 10 and the Command-Line Interface client tool for Android devices to send commands remotely. The Remote Shell client tool for Windows 10 connects to a PowerShell interface, while the Command-Line client tool for Android connects to a command-line interface.
Figure 7: Example of Retrieving Device Configuration Information Using the Remote Shell Client Tool for Android
Workspace ONE Assist Client Tools
Additional Workspace ONE Assist client tools are available for your administrators based on your device platform. See Client Tools for a comprehensive list.
Workspace ONE Assist is available as an add-on to any Workspace ONE environment. On-premises deployments require the Workspace ONE Advanced Deployment Add-On. The shared SaaS version is available to all customers, including those with on-premises and dedicated SaaS environments. For additional information, reach out to your VMware sales representative.
Workspace ONE Assist is automatically provisioned and available for trial in Workspace ONE UEM Shared SaaS Free Trial and UAT environments. Workspace ONE Assist is not available for trial in Workspace ONE UEM On-Premises environments. If you wish to try Workspace ONE Assist in an on-premises deployment, request a new Workspace ONE UEM Shared SaaS Free Trial or UAT environment.
Summary and Additional Resources
Now that you have come to the end of this design chapter on Workspace ONE Assist, you can return to the and use the tabs, search, or scroll to select your next chapter in one of the following sections:
- Overview chapters provide understanding of business drivers, use cases, and service definitions.
- Architecture chapters give design guidance on the products you are interested in including in your platform, including Workspace ONE UEM, Workspace ONE Access, Workspace ONE Assist, Workspace ONE Intelligence, Horizon Cloud Service, Horizon, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
- Integration chapters cover the integration of products, components, and services you need to create the platform capable of delivering the services that you want to deliver to your users.
- Configuration chapters provide reference for specific tasks as you build your platform, such as installation, deployment, and configuration processes for Workspace ONE, Horizon Cloud Service, Horizon, App Volumes, Dynamic Environment Manager, and more.
Author and Contributors
- Justin Sheets, VMware alumni
Your feedback is valuable.
To comment on this paper, contact VMware End-User-Computing Technical Marketing at firstname.lastname@example.org.