VMware Workspace ONE Overview and Documentation Reference Guide

Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

Copyright © 2018 VMware, Inc. All rights reserved. This product is protected by copyright and intellectual property laws in the United States and other countries as well as by international treaties. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware Workspace ONE Overview and Documentation Reference Guide | v.2018.09 | September 2018

Workspace ONE Overview and Reference Guide · Title: Workspace ONE Overview and Reference Guide Author: Workspace ONE UEM Created Date: 9/20/2018 10:16:32 AM


Table of Contents

Chapter 1: Introduction to the VMware Workspace ONE Overview and Reference Guide
  Scope of This Documentation
  Workspace ONE Component Description
  Supported Use Cases
  About VMware Content Sites

Chapter 2: Workspace ONE Installation
  Components for Installation
  Workspace ONE Installation Content

Chapter 3: App Access and Management
  Direct Enrollment
  Virtual Desktops
  Unified App Catalog
  Native Apps
  Self Service Access to Non-Native Apps
  App Access and Management Content

Chapter 4: Mobile SSO for App Access and Management
  Mobile SSO Content

Chapter 5: Unified Endpoint Management
  Device Management and Privacy
  Modern Management for Windows 10
  Unified Endpoint Management Content

Chapter 6: Conditional Access
  Access Policies and Compliance Policies
  VMware Tunnel
  Certificate Based Authentication (CBA)
  Conditional Access Content


Chapter 7: Identity Providers for Conditional Access
  VMware Identity Manager as the Identity Provider (IDP)
  Third-Party Identity Providers
  Identity Provider Content

Chapter 8: Enterprise Productivity
  Secure Email
  Productivity Apps
  SDK for Android and iOS
  Enterprise Productivity Content


Chapter 1: Introduction to the VMware Workspace ONE Overview and Reference Guide

VMware Workspace™ ONE™ deploys and manages resources to a single digital workspace on iOS, Android, macOS, and Windows 10 devices. Services are built on the integration of VMware Workspace ONE™ UEM (Unified Endpoint Management), VMware Identity Manager™, and VMware Horizon®.

Review a high-level explanation of Workspace ONE with descriptions of its integrated systems and the use cases it currently supports.

Scope of This Documentation

The Workspace ONE platform offers many capabilities. However, this depth has led to content being created not only on technical documentation sites, but also on technical marketing sites and on internal and external professional support sites.

This overview and reference guide is an effort to consolidate documentation and to capture the knowledge sourced in the field. It lists the documentation available to install the platform and to configure capabilities. It also offers resources found on technical marketing sites and professional support sites.

Workspace ONE Component Description

Workspace ONE is a set of integrated systems that includes Workspace ONE UEM (unified end-point management), VMware Identity Manager, and VMware Horizon.

• VMware Identity Manager services provide the identity-related components, including authentication for users who use single sign-on to access their resources. You create a set of policies that relate to networking and authentication to control access to these resources.

• Workspace ONE UEM services, formerly AirWatch, provide device enrollment, application distribution, and compliance checking tools to ensure that remote access devices meet corporate security standards. Users from enrolled devices can log in to their enabled applications securely without entering multiple passwords.


• VMware Horizon services provide remote desktops and applications in the data center, and deliver these desktops and applications to employees as managed services. End users gain a familiar, personalized environment that they can access from any number of devices anywhere throughout the enterprise or from home. Administrators gain centralized control, efficiency, and security by having desktop data in the data center.

Supported Use Cases

Workspace ONE offers solutions for the listed use cases.

• App Access and Management
• Unified Endpoint Management
• Identity Integration
• Enterprise Productivity

About VMware Content Sites

This documentation cites content from the listed resources. Some sites require registration.


Note: This documentation links to content outside of https://docs.vmware.com/. Content from some sites is sourced from the field and is not fully vetted by research and development. Content might be aged or out of date compared with the latest released products and solutions.

• VMware Docs - https://docs.vmware.com/
• VMware Code - https://code.vmware.com
• VMware Digital Workspace Tech Zone - https://techzone.vmware.com/
• VMware EUC Blog - https://blogs.vmware.com/euc/
• VMware Technology Network - https://communities.vmware.com/welcome
• VMware TestDrive - https://portal.vmtestdrive.com/


Chapter 2: Workspace ONE Installation

Workspace ONE is built on the endpoint and identity management infrastructures of Workspace ONE UEM and VMware Identity Manager. It can also integrate with VMware Horizon to offer robust features for the digital workspace.

To install and configure Workspace ONE, use an instance of VMware Identity Manager and Workspace ONE UEM. Configure and deploy policies in these two systems to the Workspace ONE app on devices.

If you already use virtual desktops and apps, integrate VMware Horizon 7 with VMware Identity Manager to leverage these virtual resources.

Components for Installation

The Workspace ONE platform uses connectors to integrate components. These systems communicate through the connectors, and this enables admins to send policies and configurations through their respective consoles to the Workspace ONE app on devices.

• VMware Identity Manager - Offers user directories, access policies, web apps, and authentication methods, to control user access to resources.

• Workspace ONE UEM - Uses device, app, content, and email management to control the endpoint access to resources.

• VMware Horizon - Runs remote desktops and applications in the data center, and delivers these virtual desktops and applications to employees as a managed service.

• VMware AirWatch Cloud Connector - This component is the unified connector for the Workspace ONE platform. It has two components: AirWatch Cloud Connector (ACC) and the VMware Identity Manager Connector.


Workspace ONE Installation Content

Find technical documentation, technical notes, and technical marketing resources for installing Workspace ONE components.

Introductory Content

Component: Workspace ONE Introduction
• Introduction to Workspace ONE
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-D398B4CD-0443-479E-B5F4-6DD8621FAF55.html
• Workspace ONE resources on VMware Digital Workspace Tech Zone
  https://techzone.vmware.com/resource/workspace-one
• Workspace ONE tract on TestDrive by VMware
  https://portal.vmtestdrive.com/products/empower-digital-workspace

Component: Architecture
• Workspace ONE Architecture Overview
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-826D5409-98C6-4A37-B4A9-B3DFD244AAE8.html
• VMware Workspace ONE Reference Architecture for SaaS Deployments
  https://techzone.vmware.com/resource/vmware-workspace-one-reference-architecture-saas-deployments
• VMware Workspace ONE and VMware Horizon 7 Enterprise Edition On-Premises Reference Architecture
  https://techzone.vmware.com/resource/vmware-workspace-one-and-vmware-horizon-7-enterprise-edition-premises-reference

Component: Requirements for Workspace ONE
• Requirements
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-529C4EA5-091F-43B7-84B2-3B5C579B8155.html

Installation Components for On-Premises

VMware Identity Manager


Component: VMware Identity Manager Installer, Linux
• About Installing and Configuring VMware Identity Manager for Linux
  https://docs.vmware.com/en/VMware-Identity-Manager/3.3/vidm-install/GUID-96E2F98A-5B90-4F81-A302-8264E6362494.html

Component: VMware Identity Manager Installer, Windows
• About Installing and Configuring VMware Identity Manager for Windows
  https://docs.vmware.com/en/VMware-Identity-Manager/3.3/vidm_windows_install/GUID-11C3F077-16D2-4D31-AD3C-2732F031F779.html

Workspace ONE UEM

Component: Workspace ONE UEM Installation and Architecture
• Workspace ONE UEM Installation
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Install_Intro.html

VMware Horizon

Component: VMware Horizon 7
• Horizon 7 Installation
  https://docs.vmware.com/en/VMware-Horizon-7/7.6/horizon-installation/GUID-37D39B4F-5870-4188-8B11-B6C41AE9133C.html

Auxiliary Components

Component: VMware Enterprise Systems Connector
• VMware Enterprise Systems Connector Installation and Configuration
  https://docs.vmware.com/en/VMware-Identity-Manager/3.2/com.vmware.aw-enterpriseSystemsConn/GUID-2D63FE8B-0C73-49CC-B237-EA951CFD719B.html

Integrations

Component: Workspace ONE UEM and VMware Identity Manager
• Integrating Workspace ONE UEM With VMware Identity Manager
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-F072888F-FC6F-4A6B-9574-2CAAE7E96A85.html

Component: VMware Horizon with VMware Identity Manager
• Providing Access to View, Horizon 6, or Horizon 7 Desktop and Application Pools
  https://docs.vmware.com/en/VMware-Identity-Manager/services/com.vmware.wsair-resource/GUID-5ED7E551-76CE-4B0F-9D30-EEE53C39BD67.html
• Using SAML Authentication
  https://docs.vmware.com/en/VMware-Horizon-7/7.6/horizon-administration/GUID-B08D6C13-8AA0-4B2C-A70F-C221ADFFF1D2.html


Component: VMware Identity Manager and Horizon Cloud Service
• Integrate a Horizon Cloud Node with a VMware Identity Manager Environment
  https://docs.vmware.com/en/VMware-Horizon-Cloud-Service/services/hzncloudmsazure.admin15/GUID-6F252F50-0304-47EF-A207-5D36FDF40FAC.html
• Providing Access to VMware Horizon Cloud Service Desktops and Applications
  https://docs.vmware.com/en/VMware-Identity-Manager/services/com.vmware.wsair-resource/GUID-361DF7AB-D944-4E87-8F6E-7F0425D23ACD.html

Component: VMware Identity Manager and Citrix
• Providing Access to Citrix-Published Resources
  https://docs.vmware.com/en/VMware-Identity-Manager/services/com.vmware.wsair-resource/GUID-66F24F8D-72BE-43EA-A81C-B041AD631E4A.html
• Troubleshooting Citrix-Published Resources Configuration in VMware Identity Manager
  https://docs.vmware.com/en/VMware-Identity-Manager/service/TroubleshootingVIDM_Citrix_Configuration.pdf

Getting Started Wizard

Component: Workspace ONE Getting Started Wizard
• Using the Workspace ONE Getting Started Wizard
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/ws1_quickconguration/GUID-667C3147-EC4E-4396-A50D-71E248903063.html


Chapter 3: App Access and Management

Workspace ONE enables app access and management through the deployment of web and virtual apps with a unified app catalog, management of devices with direct enrollment and virtual desktops, and one-touch access to these resources through mobile SSO for Android and iOS.

Direct Enrollment

Direct enrollment requires devices to enroll with Workspace ONE UEM before they can access app resources in Workspace ONE. This requirement enrolls devices as managed access, and the process has the following benefits.

• Offers a convenient way for users to enroll with Workspace ONE with less setup on devices.
• Makes resources immediately accessible to managed devices.

Note: If you do not assign managed access to devices, they are enrolled in Workspace ONE UEM as unmanaged. Unmanaged devices have access to resources configured as open access.

Virtual Desktops

Virtual desktops enable users from any trusted connection to access managed virtual apps located in the data center. Create desktop pools that include thousands of virtual desktops with Horizon 7 and deploy them on virtual machines and physical machines. Use a master image to generate a pool of virtual desktops. Users access app resources in the data center from these virtual pools.

Unified App Catalog

One of the roles of the Workspace ONE app is to be a unified app catalog. Deploy it to iOS, Android (legacy and Enterprise), macOS, and Windows 10 devices. Configure apps in Workspace ONE UEM as open or managed access.

• Managed Access - Device users access resources by granting admins permissions on their devices (installs a management profile on the device).


• Open Access - Device users access resources without granting admins permissions on their devices. The app is available to devices no matter their managed status.

Native Apps

Deploy native apps through the unified app catalog from Workspace ONE UEM. Native apps include internally developed apps, free and paid public apps, and purchased apps from Apple's Volume Purchase Program (VPP). Most native apps can deploy as managed or open access to meet device ownership models.

Self Service Access to Non-Native Apps

Users can select virtual and web (or SaaS) apps through the catalog depending on their needs. If the app is available, they do not have to requisition it. These types of non-native apps depend on an Internet connection and are not restricted by platform.

Workspace ONE supports several platform agnostic app types such as virtual apps, Citrix apps, and web apps.

• Virtual Apps - Virtual apps can reside in a data center and you access them from virtual desktops. Virtual apps are advantageous because they are persistent. If a device fails, the app data still exists in the data center.

  If you have existing VMware Horizon and Citrix virtual apps, deploy them to non-virtual devices by integrating these resources with virtual apps collections in VMware Identity Manager. Then deploy them to devices through the Workspace ONE catalog.

• SaaS/Web Apps - Web or SaaS apps live in the cloud and users access them by URL. Upload web apps through VMware Identity Manager and SaaS apps through Workspace ONE UEM.


App Access and Management Content

Find technical documentation for configuring app access and management resources.

Access Through Devices

Component: Workspace ONE UEM Direct Enrollment
• Direct Enrollment in AirWatch Using Workspace ONE
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-47B41EEB-B421-44CD-85D6-FDD2B74574F5.html
• Workspace ONE Direct Enrollment
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-WorkspaceONE_DirectEnrollment.html

Component: Virtual Desktops
• Setting Up Virtual Desktops in Horizon 7
  https://docs.vmware.com/en/VMware-Horizon-7/7.6/horizon-virtual-desktops/GUID-69AACA49-CF5E-4B55-99BF-BFE4DFBDE7CE.html
• Setting Up Horizon 7 for Linux Desktops
  https://docs.vmware.com/en/VMware-Horizon-7/7.6/linux-desktops-setup/GUID-E6825232-3188-4507-B757-0CF743047282.html

Apps

Component: Unified App Catalog
• Migrating VMware AirWatch Catalog to Workspace ONE Catalog
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-AppCat_MigratingAppCat_to_WS1Cat.html
• Enable Workspace ONE Catalog for Workspace ONE
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-05AF662D-F0A1-4475-A3DE-91C5CD9992B2.html
• Using the Workspace ONE Catalog
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-7FB9D8F2-7C39-448C-8C39-07B7D5C0B4E3.html

Component: Open Access and Managed Access of Apps
• Workspace ONE UEM Applications and the Workspace ONE Managed Access Feature
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-WS1_ManageOrNot_Reasons.html


Component: Native Apps - Public, Internal, and Purchased
• Add Public Applications from an App Store
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Config_Public_Apps_WS1.html
• Add and Deploy Internal Applications as a Local File
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Config_Internal_Apps_Local.html
• Supported Content for Purchased Applications
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-VPP_Supported.html

Component: Web Apps, SaaS Apps
• Providing Access to Web Applications
  https://docs.vmware.com/en/VMware-Identity-Manager/services/com.vmware.wsair-resource/GUID-57B66680-A118-47DD-B3A3-81EAD6D6CAA7.html
• SaaS Applications in Workspace ONE UEM
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-SaaS_Concept.html

Component: Virtual Apps
• Using Virtual Apps Collections for Desktop Integrations
  https://docs.vmware.com/en/VMware-Identity-Manager/services/com.vmware.wsair-resource/GUID-577D4812-0206-4DFC-B510-24C3D304AD6D.html


Chapter 4: Mobile SSO for App Access and Management

Mobile SSO works with apps that are accessed from the cloud. To enable one touch access, use Security Assertion Markup Language (SAML) to authenticate a user between the identity provider and the service provider in the cloud. As long as the device accessing the app has a live Workspace ONE app connection, the user does not need to authenticate to use the app.

Workspace ONE offers mobile SSO for iOS and Android resources.

• iOS - Uses a key distribution center (KDC) without the use of a connector or a third-party system. Kerberos authentication provides users, who are successfully signed in to their domain, access to their Workspace ONE apps portal without additional credential prompts.

• Android - Uses certificate authentication and the VMware Tunnel mobile app. The VMware Tunnel client is configured to access the VMware Identity Manager service for authentication. The tunnel client uses the client certificate to establish a mutually authenticated SSL session and the VMware Identity Manager service retrieves the client certificate for authentication.


Mobile SSO Content

Find technical documentation for configuring mobile SSO.

Component: Mobile SSO Wizard in Workspace ONE UEM
• Configuring Mobile Single Sign-On
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/ws1_quickconguration/GUID-1506363B-02BA-470A-ACE3-56FB75B5C53A.html

Component: Mobile SSO for iOS
• Implementing Mobile Single Sign-in Authentication for Workspace ONE UEM-Managed iOS Devices
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-3EC86F69-6F6E-4C48-A5D9-F319562B6B9C.html

Component: Mobile SSO for Android
• Implementing Mobile Single Sign-On Authentication for Workspace ONE UEM Managed Android Devices
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1_android_sso_config/GUID-1E5128A5-1394-4A50-8098-947780E38166.html


Chapter 5: Unified Endpoint Management

Workspace ONE enables you to manage endpoints while still providing privacy by controlling the collection of data. It also enables the transition from the legacy management of Windows resources to the modern management of Windows 10.

Device Management and Privacy

Manage Android, iOS, macOS, and Windows Desktop devices from a single location in the Workspace ONE UEM console. Perform functions on a particular set of devices using many different screens in the console. The console offers various management screens including the Hub, device dashboards, device list views, and device detail views.

Offer end-user privacy while also managing corporate-owned resources with privacy settings in Workspace ONE UEM. Privacy settings provide granular control over what data is collected from users and what collected data is viewable by admins.

Modern Management for Windows 10

Modern Windows management for Windows 10 updates the deployment, control, and management of Windows Desktop devices. In the traditional management of Windows resources, admins need multiple tools to deploy and manage resources. However, with modern management, admins can work from one location in Workspace ONE.

Modern methods for Windows management update these processes.

• Enrollment - Select from several ways to enroll Windows 10 devices when you integrate your Active Directory (AD) system. Workspace ONE UEM supports enrollment through Azure AD, Out of Box, and Office 365 Apps.

  Workspace ONE supports the auto-enrollment of specific Windows Desktop devices purchased from Dell. Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.

• Provisioning - Use device profiles to provision and configure Windows Desktop devices to meet business needs. Some useful profiles are listed.


  ◦ Encryption - Secures data on devices by working with the native BitLocker encryption policy.
  ◦ Wi-Fi - Connects devices to hidden, encrypted, or password-protected networks.
  ◦ VPN - Provides remote and secure access to internal networks.

• App Distribution - Distribute Win32 apps with the software distribution or the peer distribution features. These features enable the distribution of large apps along with their complex installation requirements from the Workspace ONE UEM console.

  Software distribution offers management of the app lifecycle that includes add, configure, deploy, track, update and version, and delete from the console.

  Peer distribution offers the same management capabilities but reduces the traffic on communication channels and the time to download and install.

• Patches and Updates - Use the Windows Updates profile to ensure that Windows 10 devices remain up to date.


Unified Endpoint Management Content

Find technical documentation and technical marketing content about unified endpoint management.

Device Management and Privacy

Component: Device Management, General
• Managing Devices
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-ManagingDevicesOverview.html

Component: Device Management, By Platform
• Device Management (By Platform)
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Advanced_Dev_Mgmt_Overview.html

Component: Privacy Settings for Devices
• Configure Privacy Settings
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-ConfigurePrivacySettings.html

Modern Management of Windows 10

Component: Windows 10 Management in Workspace ONE UEM
• Reviewer's Guide for Windows 10 Unified Endpoint Management in AirWatch
  https://techzone.vmware.com/resource/reviewers-guide-windows-10-unified-endpoint-management-airwatch
• Experience Workspace ONE on Windows 10
  https://kb.vmtestdrive.com/hc/en-us/articles/360001152734-Experience-Workspace-ONE-on-Windows-10
• Operational Tutorial for VMware Workspace ONE: Moving Windows 10 to Modern Management
  https://techzone.vmware.com/operational-tutorial-vmware-workspace-one-uem-moving-windows-10-modern-management

Component: Enrollment
• Enrollment Through Azure AD Integration
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Enroll_Cloud.html
• Enabling the Out of Box Experience for Workspace ONE on Dell Windows 10 Devices
  https://docs.vmware.com/en/VMware-Workspace-ONE/services/aw-vidm-ws1integration-/GUID-00695A55-D710-4878-B59A-5BF95AFF5BDF.html


Component: Provisioning
• Configure a Wi-Fi Profile (Windows Desktop)
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Profile_WiFiConfigWD.html
• VPN Profile (Windows Desktop)
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Profile_VPNOverviewWD.html
• Encryption Profile (Windows Desktop)
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Profile_EncryptOverviewWD.html

Component: App Distribution
• Peer Distribution for Win32 Applications
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-P2P_Dist_Opt.html
• Distribution of Win32 Applications
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Win32_SofDist_Dscrptn.html

Component: Patches and Updates
• Configure a Windows Updates Profile (Windows Desktop)
  https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Profile_WAU_ConfigWD.html


Chapter 6: Conditional Access

Workspace ONE offers many conditional access options. Use VMware Identity Manager as your identity provider (IDP) or use a third-party identity provider to offer the level of authentication that is best for the device, user, and app.

Use more than one method for extra control. For example, you can set access policies at the app level, set compliance policies at the device level, and use VMware Tunnel to secure the connection between the app and the device.

Access Policies and Compliance Policies

Access policies for web (SaaS) apps include rules that specify criteria to meet for access. Criteria include network ranges, device types, authentication methods, and session lengths. Configure these policies in VMware Identity Manager or in Workspace ONE UEM.

The compliance engine in Workspace ONE UEM secures apps and devices and can prevent compromised resources from accessing your network.

VMware Tunnel

The VMware Tunnel provides a secure method for individual apps to access corporate resources. It authenticates and encrypts traffic from individual apps on compliant devices to the back-end system they are trying to reach.

Note: For this method to work, devices must be managed by Workspace ONE UEM.

Certificate Based Authentication (CBA)

Certificate based authentication (CBA) requires a certificate from the user to establish trust and allow access to apps. To use this option, ensure that the app supports CBA for the desired platform. Workspace ONE UEM supports numerous certificate authorities as does VMware Identity Manager.

Conditional Access Content

Find technical documentation for configuring conditional access.

Component Documentation

Policies

Access Policies

• Use Access Policies with SaaS Applications

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Access_Policy_Concept.html

• Managing Access Policies

https://docs.vmware.com/en/VMware-Identity-Manager/services/idm-administrator_aw/GUID-92481E64-0CFF-43DD-9C0B-458BC3322A6A.html

• Configure Workspace ONE Access Policies in Horizon Administrator

https://docs.vmware.com/en/VMware-Horizon-7/7.6/horizon-administration/GUID-8A0749AB-42C2-4B3E-920A-21C80A2CB269.html

• Considerations for Workspace ONE Mode

https://docs.vmware.com/en/VMware-Horizon-7/7.6/horizon-cloud-pod-architecture/GUID-848E758D-297B-4FD0-B0DE-489501039786.html

Compliance Policies

• Enabling Compliance Checking for Workspace ONE UEM Managed Devices

https://docs.vmware.com/en/VMware-Workspace-ONE/services/WS1-IDM-deploymentguide/GUID-EF834B6D-C3EC-48BA-B38D-1574F7E4B773.html

• Compliance Policies

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-CompliancePoliciesOverview.html

• Email Compliance Policies

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Email-Policies.html

• Compliance for Mobile Application Management

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-MAM_Compliance.html

• Configure the Health Attestation for Windows Desktop Compliance Policies

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Compliance_HealthAttest.html

VMware Tunnel

VMware Tunnel

Introduction to VMware Tunnel

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Tunnel_Introduction.html

Certificate Based Authentication (CBA)

CBA Support in Workspace ONE UEM

Supported Certificate Authorities

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Cert-Management-Splash.html

CBA Support in VMware Identity Manager

Configuring a Certificate or Smart Card Adapter for Use with VMware Identity Manager

https://docs.vmware.com/en/VMware-Identity-Manager/services/idm-administrator_aw/GUID-5E0247E4-BA40-4266-8888-F748D8E2B728.html

Chapter 7: Identity Providers for Conditional Access

Use VMware Identity Manager or integrate with third-party identity providers to configure conditional access for your Workspace ONE deployment.

VMware Identity Manager as the Identity Provider (IDP)

VMware Identity Manager can act as the identity provider service using your existing Active Directory infrastructure.

Third-Party Identity Providers

If you already use an identity provider, integrate it with VMware Identity Manager or Workspace ONE UEM and use it to secure access to resources in Workspace ONE.

You can integrate several IDPs with Workspace ONE, including but not limited to the following.

• Active Directory Federation Service (ADFS)

• Azure AD Identity Services

• Okta

• OneLogin

• PingFederate

Identity Provider Content

Find technical documentation and technical notes for integrating third-party identity providers.

Note: This topic references content from https://communities.vmware.com/blogs/identityville. The content on this site is sourced from the field and not from research and development. It might be aged or out-of-date from the latest released products and solutions.

Component Documentation

Identity Providers (General)

Third-Party Identity Providers

• Configuring a Third-Party Identity Provider Instance to Authenticate Users

https://docs.vmware.com/en/VMware-Identity-Manager/services/idm-administrator_aw/GUID-C04AED8C-0D84-4DA6-A6DA-8DCBC8341E6E.html

• Providing Access to Third-Party Managed Applications in Workspace ONE

https://docs.vmware.com/en/VMware-Identity-Manager/services/com.vmware.wsair-resource/GUID-EE0BCFF6-1B37-42CF-A881-DFC1EF24E9DA.html

• VMware Workspace ONE Integration with Third Party Identity Providers

https://communities.vmware.com/blogs/identityville/2017/01/03/vmware-workspace-one-integration-with-third-party-identity-providers

• EUC CST Tech Notes - Setting Up a 3rd Party IdP in VMware Identity Manager

https://communities.vmware.com/docs/DOC-34295

Identity Provider (Native to Workspace ONE)

VMware Identity Manager as the Identity Provider

• Configuring User Authentication in VMware Identity Manager

https://docs.vmware.com/en/VMware-Identity-Manager/services/idm-administrator_aw/GUID-04224060-D467-4DE0-BB08-B21E0AA9817D.html

• VMware Identity Manager REST API documentation

For OAuth2 and Open ID Connect (OIDC) for Mobile Apps

https://code.vmware.com/apis/57/idm

Identity Providers (Specific)

Active Directory Federation Service (ADFS)

VMware Identity Manager and AD FS Integration – VMware Identity Manager as claims provider for mobile authentication

https://communities.vmware.com/blogs/identityville/2017/04/20/vmware-identity-manager-and-ad-fs-30-integration-vmware-identity-manger-as-claims-provider-for-mobile-authentication

Azure AD Identity Services (Workspace ONE UEM)

Configure Azure AD Identity Services Integration

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Enroll_ConfigAADServices.html

Okta

Integrating VMware Workspace ONE with Okta

https://docs.vmware.com/en/VMware-Workspace-ONE/services/workspaceone_okta_integration/GUID-3CA49953-A8F6-491D-90DF-63588EFC3292.html

OneLogin

OneLogin as Federated Identity Provider for VMware Identity Manager

https://communities.vmware.com/blogs/identityville/2016/12/16/onelogin-as-federated-identity-provider-for-vmware-identity-manager

PingFederate

PingFederate as Identity Provider for VMware Identity Manager

https://communities.vmware.com/blogs/identityville/2016/12/22/pingfederate-as-identity-provider-for-vmware-identity-manager

Chapter 8: Enterprise Productivity

Workspace ONE has several solutions to enable business productivity that are built on the Workspace ONE framework. Workspace ONE can secure email content, manage Internet browsing, help deploy and secure content, and offer a software development kit (SDK) to customize internal applications.

Secure Email

Workspace ONE can help secure data in Outlook and Office 365 with data loss prevention (restrictions) policies in the Workspace ONE UEM console.

Workspace ONE can also enable legacy authentication for Office 365 email clients that use Exchange ActiveSync. Many organizations choose this path because Exchange ActiveSync clients do not download the user’s entire mailbox, reducing the risk of data loss.

Productivity Apps

VMware offers several apps for enterprise productivity to deploy through Workspace ONE.

• VMware Boxer - This app provides access to enterprise email, calendar, and contacts across corporate-owned devices and bring-your-own devices (BYOD). Boxer uses SSL certificates to transmit data and uses AES 256-bit encryption for data and attachments.

• VMware Browser - This app is an alternative to native browsers. It enables admins to control and secure Internet browsing behaviors. Browser uses AES 256-bit encryption for streaming, browsing settings, and downloaded files.

• VMware Content Locker - This app enables users to access managed resources deployed to their device. Content Locker uses SSL certificates to transmit data, AES 256-bit encryption for content deployed in the app, and it uses NSFileProtectionComplete for iOS.

SDK for Android and iOS

Use the Workspace ONE SDK for Android and iOS to customize internal applications, and add unified endpoint management features built on the Workspace ONE framework.

Enterprise Productivity Content

Find technical documentation for enabling enterprise productivity.

Component Documentation

Profiles and Policies

Data Loss Prevention

(Restrictions in Workspace ONE UEM)

• Configure Data Loss Prevention for the Default SDK Profile

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-DLP_Configure.html

• Enforce Restrictions (Android)

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-AFWProfile_Restrictions.html

• Restrictions Profile Overview (Android (Legacy))

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-restrictions_reference.html

• Device Restriction Profiles for iOS

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-iOS_Profile_Restrictions_Concept.html

• Configure a Restrictions Profile (macOS)

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-MacProfileRestrictions.html

• Configure a Restrictions Payload (Windows Desktop)

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Profile_RestrictionsConfigWD.html

Client Access Policies

• VMware Identity Manager Integration with Office 365

https://www.vmware.com/pdf/vidm-office365-saml.pdf

• Add Office 365 Applications with a Client Access Policy

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-SaaS_O365_ClientAccessPlcy.html

Productivity Apps

VMware Boxer

• Introduction to VMware Boxer

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-Boxer_Introduction.html

• Introduction to Mobile Flows

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-MF_intro_OLH.html

VMware Browser

Introduction to the VMware Browser

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-AWB_Introduction.html

VMware Content Locker

VMware Content Locker

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-OverV_CL.html

SDK

Workspace ONE Dev Center

Workspace ONE Dev Center

https://code.vmware.com/web/workspace-one

AirWatch SDK for Android

AirWatch SDK for Android

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-SDK_Android.html

AirWatch SDK for iOS (Swift)

AirWatch SDK for iOS (Swift)

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.7/vmware-airwatch-guides-97/GUID-AW97-SDK_iOS_Swift.html

AirWatch SDK for iOS (Objective-C)

VMware AirWatch iOS SDK Technical Implementation Guide

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/vmware_airwatch_ios_sdk_technical_implementation_guide.pdf
