Overview and Reference VMware Workspace ONE

Post on 04-Aug-2020

Overview and Reference

VMware, Inc. 2

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

Copyright © 2019 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com

Contents

1 Introduction to the VMware Workspace ONE Overview and Reference Guide

2 Workspace ONE Installation

Workspace ONE Installation Content

3 App Access and Management

App Access and Management Content

4 Mobile SSO for App Access and Management

Mobile SSO Content

5 Unified Endpoint Management

Unified Endpoint Management Content

6 Conditional Access

Conditional Access Content

7 Identity Providers for Conditional Access

Identity Provider Content

8 Enterprise Productivity

Enterprise Productivity Content

1 Introduction to the VMware Workspace ONE Overview and Reference Guide

Review a high-level explanation of Workspace ONE with descriptions of its integrated systems and the use cases it currently supports.

VMware Workspace™ ONE™ deploys and manages resources to a single digital workspace on iOS, Android, macOS, and Windows 10 devices. Services are built on the integration of VMware Workspace ONE™ UEM (Unified Endpoint Management), VMware Identity Manager™, and VMware Horizon®.

Scope of This Documentation

The Workspace ONE platform offers many capabilities. However, this depth has led to the creation of content not only on technical documentation sites, but also on technical marketing sites, and on internal and external professional support sites.

This overview and reference documentation is an effort to consolidate content and to capture the knowledge sourced in the field. It lists the documentation available to install the platform and to configure capabilities. It also offers resources found on technical marketing sites and professional support sites.

Workspace ONE Component Description

Workspace ONE is a set of integrated systems that includes Workspace ONE UEM (unified end-point management), VMware Identity Manager, and VMware Horizon.

• VMware Identity Manager services provide the identity-related components, including authentication for users who use single sign-on to access their resources. You create a set of policies that relate to networking and authentication to control access to these resources.

• Workspace ONE UEM services, formerly AirWatch, provide device enrollment, application distribution, and compliance checking tools to ensure that remote access devices meet corporate security standards. Users from enrolled devices can log in to their enabled applications securely without entering multiple passwords.

• VMware Horizon services provide remote desktops and applications in the data center, and deliver these desktops and applications to employees as managed services. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from home. Administrators gain centralized control, efficiency, and security by having desktop data in the data center.

Supported Use Cases

Workspace ONE offers solutions for the listed use cases.

• App Access and Management - Simplifies app access and management with a unified app catalog, deployment of virtual resources, and mobile SSO.

• Unified Endpoint Management - Unifies endpoint management by managing all devices, including modern management of Windows 10, regardless of ownership mode, while still maintaining employee privacy.

• Identity Integration - Enables identity integration, offering conditional access through various methods including certificate-based authentication, VMware Tunnel, identity provider integration, VMware Identity Manager, and access and compliance policies.

• Enterprise Productivity - Enables enterprise productivity by integrating with native email, offering productivity apps like Workspace ONE Boxer, Workspace ONE Web, and Workspace ONE Content, and offering SDKs, all built on the Workspace ONE framework.

About VMware Content Sites

Note: This documentation links to content outside of https://docs.vmware.com/. Content from some sites is sourced from the field and is not fully vetted by research and development. Content might be aged or out of date relative to the latest released products and solutions.

• VMware Docs - https://docs.vmware.com/

• VMware Code - https://code.vmware.com

• VMware Digital Workspace Tech Zone - https://techzone.vmware.com/

• VMware EUC Blog - https://blogs.vmware.com/euc/

• VMware Technology Network - https://communities.vmware.com/welcome

• VMware TestDrive - https://portal.vmtestdrive.com/

2 Workspace ONE Installation

Workspace ONE is built on the endpoint and identity management infrastructures of Workspace ONE UEM and VMware Identity Manager. It can also integrate with VMware Horizon to offer robust features for the digital workspace.

To install and configure Workspace ONE, use an instance of VMware Identity Manager and Workspace ONE UEM. Configure and deploy policies in these two systems to the Workspace ONE app on devices.

If you already use virtual desktops and apps, integrate VMware Horizon 7 with VMware Identity Manager to leverage these virtual resources.

Components for Installation

The Workspace ONE platform uses connectors to integrate components. These systems communicate through the connectors, and this enables admins to send policies and configurations through their respective consoles to the Workspace ONE app on devices.

• VMware Identity Manager - Offers user directories, access policies, web apps, and authentication methods, to control user access to resources.

• Workspace ONE UEM - Uses device, app, content, and email management to control the endpoint access to resources.

• VMware Horizon - Runs remote desktops and applications in the data center, and delivers these virtual desktops and applications to employees as a managed service.

• A Connector

  • VMware Identity Manager Connector - Provides directory integration, user authentication, and integration with resources such as Horizon 7 for on-premises deployments.

  • Cloud Connector - Provides organizations with the ability to integrate Workspace ONE UEM with their back-end enterprise systems.

Workspace ONE Installation Content

Find technical documentation, technical notes, and technical marketing resources for installing Workspace ONE components.

Table 2‑1. Introductory Content

Component: Workspace ONE Introduction
Documentation:
• Introduction to Workspace ONE
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-D398B4CD-0443-479E-B5F4-6DD8621FAF55.html
• Workspace ONE Resources on VMware Digital Workspace Tech Zone
  https://techzone.vmware.com/resource/workspace-one
• Workspace ONE tract on TestDrive by VMware
  https://portal.vmtestdrive.com/products/empower-digital-workspace

Component: Architecture
Documentation:
• Workspace ONE Architecture Overview
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-826D5409-98C6-4A37-B4A9-B3DFD244AAE8.html
• VMware Workspace ONE Cloud-Based Reference Architecture
  https://techzone.vmware.com/resource/vmware-workspace-one-reference-architecture-saas-deployments
• VMware Workspace ONE and VMware Horizon 7 Enterprise Edition On-premises Reference Architecture
  https://techzone.vmware.com/resource/vmware-workspace-one-and-vmware-horizon-7-enterprise-edition-premises-reference

Component: Requirements for Workspace ONE
Documentation:
• Workspace ONE Deployment Requirements
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-529C4EA5-091F-43B7-84B2-3B5C579B8155.html

Table 2‑2. Installation for On-Premises

Component: VMware Identity Manager Installer, Linux
Documentation:
• About Installing and Configuring VMware Identity Manager for Linux
  https://docs.vmware.com/en/VMware-Identity-Manager/3.3/vidm-install/GUID-96E2F98A-5B90-4F81-A302-8264E6362494.html

Component: VMware Identity Manager Installer, Windows
Documentation:
• Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows)
  https://docs.vmware.com/en/VMware-Identity-Manager/services/identitymanager-connector-win/GUID-06085CBA-AF2C-41B6-B2E3-DA65212BAABF.html

Component: Cloud Connector
Documentation:
• VMware AirWatch Cloud Connector Guide
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/AirWatch_Cloud_Connector/GUID-AWT-ACC-INTRODUCTION.html

Component: Workspace ONE UEM Installation and Architecture
Documentation:
• Workspace ONE UEM Installation
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1811/VMware-Workspace-ONE-UEM-Installation/GUID-AWT-INSTALL-INTRO.html

Component: VMware Horizon 7
Documentation:
• Horizon 7 Installation
  https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-installation/GUID-37D39B4F-5870-4188-8B11-B6C41AE9133C.html

Table 2‑3. Integrations

Components: Workspace ONE UEM and VMware Identity Manager
Documentation:
• Integrating Workspace ONE UEM With VMware Identity Manager
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-F072888F-FC6F-4A6B-9574-2CAAE7E96A85.html

Components: Horizon 7 and VMware Identity Manager
Documentation:
• Providing Access to View, Horizon 6, or Horizon 7 Desktop and Application Pools
  https://docs.vmware.com/en/VMware-Identity-Manager/services/com.vmware.wsair-resource/GUID-5ED7E551-76CE-4B0F-9D30-EEE53C39BD67.html
• Using SAML Authentication
  https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-administration/GUID-B08D6C13-8AA0-4B2C-A70F-C221ADFFF1D2.html

Components: VMware Identity Manager and Horizon Cloud Service
Documentation:
• Integrate a Horizon Cloud Node with a VMware Identity Manager Environment
  https://docs.vmware.com/en/VMware-Horizon-Cloud-Service/services/hzncloudmsazure.admin15/GUID-6F252F50-0304-47EF-A207-5D36FDF40FAC.html
• Providing Access to VMware Horizon Cloud Service Desktops and Applications
  https://docs.vmware.com/en/VMware-Identity-Manager/services/com.vmware.wsair-resource/GUID-361DF7AB-D944-4E87-8F6E-7F0425D23ACD.html

Components: VMware Identity Manager and Citrix
Documentation:
• Overview of Citrix-Published Resources Integration
  https://docs.vmware.com/en/VMware-Identity-Manager/3.3/com.vmware.wsp-resource/GUID-F51D18A8-0F8E-4580-86C2-9A2C639E866F.html
• Troubleshooting Citrix-Published Resources Configuration in VMware Identity Manager
  https://docs.vmware.com/en/VMware-Identity-Manager/service/TroubleshootingVIDM_Citrix_Configuration.pdf

3 App Access and Management

Workspace ONE enables app access and management through the deployment of web and virtual apps with a unified app catalog, management of devices with direct enrollment and virtual desktops, and one-touch access to these resources through mobile SSO for Android and iOS.

Direct Enrollment

Direct enrollment requires devices to enroll with Workspace ONE UEM before they can access app resources in Workspace ONE. This requirement enrolls devices as managed access, and there are benefits to this process.

• Offers a convenient way for users to enroll with Workspace ONE with less setup on devices.

• Makes resources immediately accessible to managed devices.

Note: If you do not assign managed access to devices, they are enrolled in Workspace ONE UEM as unmanaged. Unmanaged devices have access to resources configured as open access.

Virtual Desktops

Virtual desktops enable users from any trusted connection to access managed virtual apps located in the data center. Create desktop pools that include thousands of virtual desktops with Horizon 7 and deploy them on virtual machines and physical machines. Use a master image to generate a pool of virtual desktops. Users access app resources in the data center from these virtual pools.

Unified App Catalog

One of the roles of the Workspace ONE app is to be a unified app catalog. Deploy it to iOS, Android (legacy and Enterprise), macOS, and Windows 10 devices. Configure apps in Workspace ONE UEM as open or managed access.

• Managed Access - Device users access resources by granting admins permissions on their devices (installs a management profile on the device).

• Open Access - Device users access resources without granting admins permissions on their devices. The app is available to devices no matter their managed status.

The VMware Workspace ONE® Intelligent Hub app offers a single destination where users can securely access, discover, connect with, and act on your corporate resources, teams, and workflow. The Intelligent Hub app is installed on iOS and Android devices to enroll mobile devices and manage their access to their resources.

Native Apps

Deploy native apps through the unified app catalog from Workspace ONE UEM. Native apps include internally developed apps, free and paid public apps, and purchased apps from Apple's Volume Purchase Program (VPP). Most native apps can deploy as managed or open access to meet device ownership models.

Self Service Access to Non-Native Apps

Users can select virtual and web (or SaaS) apps through the catalog depending on their needs. If the app is available, they do not have to requisition it. These types of non-native apps depend on an Internet connection and are not restricted by platform.

Workspace ONE supports several platform agnostic app types such as virtual apps, Citrix apps, and web apps.

• Virtual Apps - Virtual apps can reside in a data center and you access them from virtual desktops. Virtual apps are advantageous because they are persistent. If a device fails, the app data still exists in the data center.

  If you have existing VMware Horizon and Citrix virtual apps, deploy them to non-virtual devices by integrating these resources with virtual apps collections in VMware Identity Manager. Then deploy them to devices through the Workspace ONE catalog.

• SaaS/Web Apps - Web or SaaS apps live in the cloud and users access them by URL. Upload web apps through VMware Identity Manager and SaaS apps through Workspace ONE UEM.

App Access and Management Content

Find technical documentation for configuring app access and management resources.

Table 3‑1. Access Through Devices

Component: Workspace ONE UEM Direct Enrollment
Documentation:
• Direct Enrollment Using Workspace ONE App
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-47B41EEB-B421-44CD-85D6-FDD2B74574F5.html
• User Experience When Directly Enrolling into Workspace ONE UEM with Workspace ONE
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-DB397BFF-3919-4857-9E2B-B74F7A305A6E.html

Component: Virtual Desktops
Documentation:
• Setting Up Virtual Desktops in Horizon 7
  https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-virtual-desktops/GUID-69AACA49-CF5E-4B55-99BF-BFE4DFBDE7CE.html
• Setting Up Horizon 7 for Linux Desktops
  https://docs.vmware.com/en/VMware-Horizon-7/7.7/linux-desktops-setup/GUID-E6825232-3188-4507-B757-0CF743047282.html

Table 3‑2. Apps and Apps Management

Component: Workspace ONE Intelligent Hub
Documentation:
• About Workspace ONE Intelligent Hub Guide
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WorkspaceONEHub/GUID-47202E3E-0A71-44B3-8A04-782CA0514DB3.html

Component: Unified App Catalog
Documentation:
• Migrate VMware AirWatch Catalog to Workspace ONE Catalog
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Application_Management/GUID-AWT-APPCAT-MIGRATINGAPPCAT-TO-WS1CAT.html
• Deploying the VMware Workspace ONE Mobile Application
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-F93D7310-BE36-4B37-AA1F-54759E240B7C.html

Component: Open Access and Managed Access of Apps
Documentation:
• Workspace ONE UEM Applications and the Workspace ONE Managed Access Feature
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Application_Management/GUID-AWT-WS1-MANAGEORNOT-REASONS.html

Component: Native Apps - Public, Internal, and Purchased
Documentation:
• Add Public Applications from an App Store
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Application_Management/GUID-AWT-CONFIG-PUBLIC-APPS-WS1.html
• Deploy Internal Applications as a Local File
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Application_Management/GUID-AWT-CONFIG-INTERNAL-APPS-LOCAL.html
• Apple Business Manager - Volume Purchase Program (VPP)
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/AppleBusinessManager/GUID-AWT-KS-MAM-PURCHASEDAPPS.html

Component: Web Apps, SaaS Apps
Documentation:
• Providing Access to Web Applications
  https://docs.vmware.com/en/VMware-Identity-Manager/services/com.vmware.wsair-resource/GUID-57B66680-A118-47DD-B3A3-81EAD6D6CAA7.html
• SaaS Applications in Workspace ONE UEM
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Application_Management/GUID-AWT-SAAS-CONCEPT.html

Component: Virtual Apps
Documentation:
• Using Virtual Apps Collections for Desktop Integrations
  https://docs.vmware.com/en/VMware-Identity-Manager/services/com.vmware.wsair-resource/GUID-577D4812-0206-4DFC-B510-24C3D304AD6D.html

4 Mobile SSO for App Access and Management

Mobile SSO works with apps that are accessed from the cloud. To enable one touch access, use Security Assertion Markup Language (SAML) to authenticate a user between the identity provider and the service provider in the cloud. As long as the device accessing the app has a live Workspace ONE app connection, the user does not need to authenticate to use the app.

Workspace ONE offers mobile SSO for iOS and Android resources.

• iOS - Uses a key distribution center (KDC) without the use of a connector or a third-party system. Kerberos authentication provides users, who are successfully signed in to their domain, access to their Workspace ONE apps portal without additional credential prompts.

• Android - Uses certificate authentication and the VMware Tunnel mobile app. The VMware Tunnel client is configured to access the VMware Identity Manager service for authentication. The tunnel client uses the client certificate to establish a mutually authenticated SSL session and the VMware Identity Manager service retrieves the client certificate for authentication.

Mobile SSO Content

Find technical documentation for configuring mobile SSO.

Table 4‑1. Single Sign On

Component: Mobile SSO for iOS
Documentation:
• Implementation Overview to Configure Mobile SSO for iOS
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-696F1F4F-22C9-4004-98E0-1EE5072FCF0C.html

Component: Mobile SSO for Android
Documentation:
• Implementing Mobile Single Sign-On Authentication for Workspace ONE UEM Managed Android Devices
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1_android_sso_config/GUID-1E5128A5-1394-4A50-8098-947780E38166.html

5 Unified Endpoint Management

Workspace ONE enables you to manage endpoints while still providing privacy by controlling the collection of data. It also enables the transition from the legacy management of Windows resources to the modern management of Windows 10.

Device Management and Privacy

Manage Android, iOS, macOS, and Windows Desktop devices from a single location in the Workspace ONE UEM console. Perform functions on a particular set of devices using many different screens in the console. The console offers various management screens including the Hub, device dashboards, device list views, and device detail views.

Offer end-user privacy while also managing corporate-owned resources with privacy settings in Workspace ONE UEM. Privacy settings provide granular control over what data is collected from users and what collected data is viewable by admins.

Modern Management for Windows 10

Modern Windows management for Windows 10 updates the deployment, control, and management of Windows Desktop devices. In the traditional management of Windows resources, admins need multiple tools to deploy and manage resources. However, with modern management, admins can work from one location in Workspace ONE.

Modern methods for Windows management update these processes.

• Enrollment - Select from several ways to enroll Windows 10 devices when you integrate your Active Directory (AD) system. Workspace ONE UEM supports enrollment through Azure AD, Out of Box, and Office 365 Apps.

  Workspace ONE supports the auto-enrollment of specific Windows Desktop devices purchased from Dell. Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.

• Provisioning - Use device profiles to provision and configure Windows Desktop devices to meet business needs. Some useful profiles are listed.

  • Encryption - Secures data on devices by working with the native BitLocker encryption policy.

  • Wi-Fi - Connects devices to hidden, encrypted, or password-protected networks.

  • VPN - Provide remote and secure access to internal networks.

• App Distribution - Distribute Win32 apps with the software distribution or the peer distribution features. These features enable the distribution of large apps along with their complex installation requirements from the Workspace ONE UEM console.

  Software distribution offers management of the app lifecycle that includes add, configure, deploy, track, update and version, and delete from the console.

  Peer distribution offers the same management capabilities but reduces the traffic on communication channels and the time to download and install.

• Patches and Updates - Use the Windows Updates profile to ensure that Windows 10 devices remain up to date.

Unified Endpoint Management Content

Find technical documentation and technical marketing content about unified endpoint management.

Table 5‑1. Device Management and Privacy

Component: Device Management, General
Documentation:
• Introduction to Mobile Device Management
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/MDM/GUID-AWT-INTROMDM.html
• Device Enrollment
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/MDM/GUID-AWT-DEVICEENROLLMENTOVERVIEW.html

Component: Privacy Settings for Devices
Documentation:
• Privacy and Data Collection
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/MDM/GUID-AWT-PRIVACYDATACOLLECTION.html
• Privacy Policies for Data Collection in VMware Productivity Applications
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/SDK_MAM/GUID-AWT-SDK-CSTMSTTGS-CRSHRPRTUSGEANLTCS-CNCPT.html

Table 5‑2. Modern Management of Windows 10

Component: Enrollment
Documentation:
• Enrollment Through Azure AD Integration
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Windows_Desktop_Device_Management/GUID-AWT-ENROLL-CLOUD.html
• Enabling the Out of Box Experience for Workspace ONE on Dell Windows 10 Devices
  https://docs.vmware.com/en/VMware-Identity-Manager/3.3/idm-administrator/GUID-00694A55-D710-4878-B59A-5BF94AFF5BDF.html

Component: Provisioning
Documentation:
• Configure a Wi-Fi Profile (Windows Desktop)
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Windows_Desktop_Device_Management/GUID-AWT-PROFILE-WIFICONFIGWD.html
• VPN Profile (Windows Desktop)
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Windows_Desktop_Device_Management/GUID-AWT-PROFILE-VPNOVERVIEWWD.html
• Encryption Profile (Windows Desktop)
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Windows_Desktop_Device_Management/GUID-AWT-PROFILE-ENCRYPTOVERVIEWWD.html

Component: App Distribution
Documentation:
• Peer Distribution for Win32 Applications
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Application_Management/GUID-AWT-P2P-DIST-OPT.html
• Distribution of Win32 Applications
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Application_Management/GUID-AWT-WIN32-SOFDIST-DSCRPTN.html

Component: Patches and Updates
Documentation:
• Configure a Windows Updates Profile (Windows Desktop)
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Windows_Desktop_Device_Management/GUID-AWT-PROFILE-WAU-CONFIGWD.html

Component: Windows 10 Management in Workspace ONE UEM
Documentation:
• Experience Workspace ONE on Windows 10
  https://kb.vmtestdrive.com/hc/en-us/articles/360001152734-Experience-Workspace-ONE-on-Windows-10
• Operational Tutorial for VMware Workspace ONE: Moving Windows 10 to Modern Management
  https://techzone.vmware.com/operational-tutorial-vmware-workspace-one-uem-moving-windows-10-modern-management

6 Conditional Access

Workspace ONE offers many conditional access options. Use VMware Identity Manager as your identity provider (IDP) or use a third-party identity provider to offer the level of authentication that is best for the device, user, and app.

Use more than one method for extra control. For example, you can set access policies at the app level, set compliance policies at the device level, and use VMware Tunnel to secure the connection between the app and the device.

Access Policies and Compliance Policies

Access policies for web (SaaS) apps include rules that specify criteria to meet for access. Criteria include network ranges, device types, authentication methods, and session lengths. Configure these policies in VMware Identity Manager or in Workspace ONE UEM.

The compliance engine in Workspace ONE UEM secures apps and devices and can prevent compromised resources from accessing your network.

VMware Tunnel

The VMware Tunnel provides a secure method for individual apps to access corporate resources. It authenticates and encrypts traffic from individual apps on compliant devices to the back-end system they are trying to reach.

Note: For this method to work, devices must be managed by Workspace ONE UEM.

Certificate Based Authentication (CBA)

Certificate based authentication (CBA) requires a certificate from the user to establish trust and allow access to apps. To use this option, ensure that the app supports CBA for the desired platform. Workspace ONE UEM supports numerous certificate authorities, as does VMware Identity Manager.

Conditional Access Content

Find technical documentation for configuring conditional access.

Table 6‑1. Policies

Component: Access Policies
Documentation:
• Use Access Policies with SaaS Applications
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Application_Management/GUID-AWT-ACCESS-POLICY-CONCEPT.html
• Managing Access Policies
  https://docs.vmware.com/en/VMware-Identity-Manager/services/IDM_service_administration_cloud/GUID-92481E64-0CFF-43DD-9C0B-458BC3322A6A.html
• Configure Workspace ONE Access Policies in Horizon Administrator
  https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-administration/GUID-8A0749AB-42C2-4B3E-920A-21C80A2CB269.html
• Considerations for Workspace ONE Mode
  https://docs.vmware.com/en/VMware-Horizon-7/7.7/horizon-cloud-pod-architecture/GUID-848E758D-297B-4FD0-B0DE-489501039786.html

Component: Compliance Policies
Documentation:
• Enabling Compliance Checking for Workspace ONE UEM Managed Devices
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-EF834B6D-C3EC-48BA-B38D-1574F7E4B773.html
• Compliance Policies
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/MDM/GUID-AWT-COMPLIANCEPOLICIESOVERVIEW.html
• Email Access Control Enforcement
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/WS1_MEM_Guide/GUID-AWT-EMAILPOLICIES.html
• Compliance for Mobile Application Management
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Application_Management/GUID-AWT-MAM-COMPLIANCE.html
• Compromised Device Detection with Health Attestation
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Windows_Desktop_Device_Management/GUID-AWT-HEALTHATTESTATION.html

Table 6‑2. VMware Tunnel

Component: VMware Tunnel
Documentation:
• VMware Tunnel on Linux
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Tunnel_Linux/GUID-AWT-TUNNEL-INTRODUCTION.html
• VMware Tunnel on Windows
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Tunnel_Windows/GUID-AWT-TUNNELQUICKSTART.html


Table 6‑3. Certificate Based Authentication (CBA)

Component Documentation

CBA Support in VMware Identity Manager

• Configuring a Certificate or Smart Card Adapter for Use with VMware Identity Manager

https://docs.vmware.com/en/VMware-Identity-Manager/services/IDM_service_administration_cloud/GUID-5E0247E4-BA40-4266-8888-F748D8E2B728.html

CBA Support in Workspace ONE UEM

• Certificate Integration Resources

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1811/VMware-Workspace-ONE-UEM-Mobile-Device-Management-Documentation/GUID-AWT-CERTIFICATEINTEGRATIONRESOURCES.html


7 Identity Providers for Conditional Access

Use VMware Identity Manager or integrate with third-party identity providers to configure conditional access for your Workspace ONE deployment.

VMware Identity Manager as the Identity Provider (IDP)

VMware Identity Manager can act as the identity provider service using your existing Active Directory infrastructure.

Third-Party Identity Providers

If you already use an identity provider, integrate it with VMware Identity Manager or Workspace ONE UEM and use it to secure access to resources in Workspace ONE.

You can integrate several IDPs with Workspace ONE, including but not limited to the following.

• Active Directory Federation Service (ADFS)

• Azure AD Identity Services

• Okta

• OneLogin

• PingFederate

Identity Provider Content

Find technical documentation and technical notes for integrating third-party identity providers.

Note: This topic references content from https://communities.vmware.com/blogs/identityville. The content on this site is sourced from the field and not from research and development. It might be aged or out of date compared with the latest released products and solutions.


Table 7‑1. Identity Provider (General)

Component Documentation

Third-Party Identity Providers

• Configuring a Third-Party Identity Provider Instance to Authenticate Users

https://docs.vmware.com/en/VMware-Identity-Manager/services/IDM_service_administration_cloud/GUID-C04AED8C-0D84-4DA6-A6DA-8DCBC8341E6E.html

• Providing Access to Third-Party Managed Applications in Workspace ONE

https://docs.vmware.com/en/VMware-Identity-Manager/services/com.vmware.wsair-resource/GUID-EE0BCFF6-1B37-42CF-A881-DFC1EF24E9DA.html

• VMware Workspace ONE Integration with Third Party Identity Providers

https://communities.vmware.com/blogs/identityville/2017/01/03/vmware-workspace-one-integration-with-third-party-identity-providers

• EUC CST Tech Notes - Setting Up a 3rd Party IdP in VMware Identity Manager

https://communities.vmware.com/docs/DOC-34295

Table 7‑2. Identity Providers (Specific)

Component Documentation

VMware Identity Manager as the Identity Provider

• Configuring User Authentication in VMware Identity Manager

https://docs.vmware.com/en/VMware-Identity-Manager/services/IDM_service_administration_cloud/GUID-04224060-D467-4DE0-BB08-B21E0AA9817D.html

• VMware Identity Manager REST API documentation

For OAuth2 and Open ID Connect (OIDC) for Mobile Apps

https://code.vmware.com/apis/57/idm

Active Directory Federation Service (ADFS)

• VMware Identity Manager and AD FS Integration – VMware Identity Manger as claims provider for mobile authentication

https://communities.vmware.com/blogs/identityville/2017/04/20/vmware-identity-manager-and-ad-fs-30-integration-vmware-identity-manger-as-claims-provider-for-mobile-authentication

Azure AD Identity Services (Workspace ONE UEM)

• Configure Azure AD Identity Services Integration

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Windows_Desktop_Device_Management/GUID-AWT-ENROLL-CONFIGAADSERVICES.html

Okta

• Integrating VMware Workspace ONE with Okta

https://docs.vmware.com/en/VMware-Workspace-ONE/services/workspaceone_okta_integration/GUID-3CA49953-A8F6-491D-90DF-63588EFC3292.html


OneLogin

• OneLogin as Federated Identity Provider for VMware Identity Manager

https://communities.vmware.com/blogs/identityville/2016/12/16/onelogin-as-federated-identity-provider-for-vmware-identity-manager

PingFederate

• PingFederate as Identity Provider for VMware Identity Manager

https://communities.vmware.com/blogs/identityville/2016/12/22/pingfederate-as-identity-provider-for-vmware-identity-manager


8 Enterprise Productivity

Workspace ONE has several solutions to enable business productivity that are built on the Workspace ONE framework. Workspace ONE can secure email content, manage Internet browsing, help deploy and secure content, and offer a software development kit (SDK) to customize internal applications.

Secure Email

Workspace ONE can help secure data in Outlook and Office 365 with data loss prevention (restrictions) policies in the Workspace ONE UEM console.

Workspace ONE can also enable legacy authentication for Office 365 email clients that use Exchange ActiveSync. Many organizations choose this path because Exchange ActiveSync clients do not download the user’s entire mailbox, reducing the risk of data loss.

Productivity Apps

VMware offers several apps for enterprise productivity to deploy through Workspace ONE.

• Workspace ONE Boxer - This app provides access to enterprise email, calendar, and contacts across corporate-owned devices and bring-your-own devices (BYOD). Workspace ONE Boxer uses SSL certificates to transmit data and uses AES 256-bit encryption for data and attachments.

• Workspace ONE Web - This app is an alternative to native browsers. It enables admins to control and secure Internet browsing behaviors. Workspace ONE Web uses AES 256-bit encryption for streaming, browsing settings, and downloaded files.

• Workspace ONE Content - This app enables users to access managed resources deployed to their device. Workspace ONE Content uses SSL certificates to transmit data, AES 256-bit encryption for content deployed in the app, and it uses NSFileProtectionComplete for iOS.

SDK for Android and iOS

Use the Workspace ONE SDK for Android and iOS to customize internal applications, and add unified endpoint management features built on the Workspace ONE framework.


Enterprise Productivity Content

Find technical documentation for enabling enterprise productivity.

Table 8‑1. Profiles and Policies

Component Documentation

Data Loss Prevention (Restrictions in Workspace ONE UEM)

• Configure Data Loss Prevention for the Default SDK Profile

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/SDK_MAM/GUID-AWT-DLP-CONFIGURE.html

• Restrictions Profile (Android)

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Android_Platform/GUID-AWT-AFWPROFILE-RESTRICTIONS-CONCEPT.html

• Device Restriction Profiles for iOS

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/iOS_Platform/GUID-AWT-IOS-PROFILE-RESTRICTIONS-CONCEPT.html

• Configure a Restrictions Profile (macOS)

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/macOS_Platform/GUID-AWT-MACPROFILERESTRICTIONS.html

• Configure a Restrictions Payload (Windows Desktop)

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Windows_Desktop_Device_Management/GUID-AWT-PROFILE-RESTRICTIONSCONFIGWD.html

Client Access Policies

• VMware Identity Manager Integration with Office 365

https://www.vmware.com/pdf/vidm-office365-saml.pdf

• Add Office 365 Applications with a Client Access Policy

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/Application_Management/GUID-AWT-SAAS-O365-CLIENTACCESSPLCY.html


Table 8‑2. Productivity Apps

Component Documentation

VMware Workspace ONE Web

• Introduction to the VMware Workspace ONE Web

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1811/VMware-Workspace-One-Web/GUID-AWT-AWB-INTRODUCTION.html

VMware Workspace ONE Content

• VMware Workspace ONE Content

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1902/MCM/GUID-AWT-OVERV-CL.html

VMware Boxer

• Introduction to VMware Boxer

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/VMware-Workspace-One-Boxer/GUID-AWT-BOXER-INTRODUCTION.html

• Architectural Overview for mobile flows

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/WS1-Mobile-Flows/GUID-AWT-MF-CG-ARCHITECTURE.html

Table 8‑3. VMware Workspace ONE SDK

Component Documentation

VMware Workspace ONE SDK for Android

• VMware Workspace ONE SDK for Android

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/SDK_Android/GUID-AWT-CHKS-GET-STARTED.html

VMware Workspace ONE for iOS (Swift)

• VMware Workspace ONE SDK for iOS (Swift)

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/SDK_iOSSwift/GUID-AWT-KS-SDK-IOSSWIFT-OVERVIEW.html

VMware Workspace ONE for iOS (Objective-C)

• VMware Workspace ONE SDK for iOS (Objective-C)

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/SDK_iOSObjC/GUID-AWT-SDKIOS-INTRODUCTION.html

Workspace ONE Dev Center

• Workspace ONE Dev Center

https://code.vmware.com/web/workspace-one
