Introduction to Workspace ONE #1

Busra Mert
Aug 12, 2020


All users must understand the differences between endpoint and identity management. You must understand how to secure the endpoint and the infrastructure. Understanding all major components and the architecture of the product enables you to troubleshoot your own deployment.

Workspace ONE Overview

Workspace ONE includes areas for endpoint and identity management. Together, unified endpoint management (UEM) and identity and access management make up a unified Workspace ONE console.

  • WS1 Console enables you to view and manage every aspect of your WS1 UEM deployment. With this Web-based resource, you can quickly add new devices and users, manage profiles and configure system settings.
  • WS1 Access (formerly Identity Manager) manages users and groups and sets up authentication and access policies.

Workspace ONE is built upon two main components:

  • Workspace ONE UEM
  • Workspace ONE Access

Workspace ONE UEM includes:

1. Enterprise System Connector (ESC)
2. Secure Email Gateway (SEG)
3. Unified Access Gateway (UAG)
4. AirWatch Cloud Messaging (AWCM)
5. AirWatch Device Services Server (DS)
6. Email Notification Service (ENS)

Workspace ONE Access includes:

1. Identity Services
2. Secure Conditional Access
3. Web and Virtual Application
4. Horizon Integration

Workspace ONE Architecture Overview

Workspace ONE includes several components of which Workspace ONE Access and Workspace ONE UEM are key. Workspace ONE core infrastructure also includes the ESC, VMware Horizon apps and desktops, and the Active Directory (AD).

Workspace ONE Access provides the end-user portal, user directory integration, access policies, the unified app catalog, authentication, and Horizon integration. Workspace ONE UEM provides device profiles, email integration, content integration, data loss prevention, corporate directory integration, and the mobile app catalog.


Workspace ONE and Single Sign-On

Workspace ONE uses One-Touch Mobile Single Sign-On to provide end-users seamless access to applications. Mobile SSO technology allows the user to sign in once and then have access to other entitled applications. SSO is a core capability and can help address security concerns and password cracking.

To enhance security, Workspace ONE enables Data Loss Prevention (DLP) and multifactor authentication (MFA) technology to ensure that enterprise information is protected on mobile platforms.

While there is a broad range of configuration options available, the Workspace ONE Access component provides built-in authentication adapters that restrict access to managed, compliant devices:

  • Mobile SSO for iOS: Kerberos-based adapter for iOS devices.
  • Mobile SSO for Android: Special implementation of certificate authorization for Android.
  • Certificate (Cloud Deployment): Certificate authentication service aimed at web browsers and desktop devices.
  • Password: Allows for authentication of directory passwords with a single connector when Workspace ONE is deployed together with both components of Enterprise Systems Connector.
  • Password (AirWatch Connector): Allows for authentication of directory passwords with a single connector when Workspace ONE is deployed together using only AirWatch Cloud Connector.
  • Device Compliance (with Workspace ONE UEM): Measures the health of managed devices, resulting in a pass or fail based on criteria defined by VMware AirWatch. Compliance can be chained with any other built-in adapter except password.

Workspace ONE Integrated Infrastructure

Workspace ONE integrates with the following infrastructure services:

i. Workspace ONE
ii. SharePoint Server
iii. Active Directory
iv. Email Systems
v. Certificate Services
vi. Edge Services (such as load balancing and firewalls)
vii. Reverse Proxy
viii. File Server
ix. DNS
x. External Access Server

Workspace ONE Unified Endpoint Management

Workspace ONE Unified Endpoint Management (UEM) provides a unified and user-centric approach to manage and secure any endpoint from a single platform.

With UEM, you can set policies and access based on an individual user and allow those policies to apply to any type of device that user may currently be accessing or accesses in the future.

Workspace ONE UEM allows you to manage any endpoint, whether it is corporate or employee owned.

  • PC Management: Windows 10, Mac, Chromebooks, browser w/BYOD
  • Wearables and Things: Peripherals, smart glasses, printers
  • Secure Mobile Devices: BYO, highly regulated industries
  • Line of Business Devices: Task worker, rugged and shared devices, and kiosks

Workspace ONE provides real-time device insights for admins to manage the full device lifecycle. Regardless of the platform that you want to manage, you can access the same information and functions.

Workspace ONE multitenancy provides management capability across all internal subgroupings, whether by geographies, business units, divisions, or other segmentations, in one single console. The multitenant architecture brings the corporate hierarchy together while enabling each of those groups to manage their own deployment within the platform.

With role-based access controls, you can also define administrators and delegate management of your entire mobile deployment to local IT teams. Role-based access lets you choose permissions to define custom roles and assign multiple roles to a particular administrator. Role-based access functionality allows automatic assignment of roles to individual users or groups through LDAP integration, as well as automatic syncing of any changes, all from a single console.

Identity and Access Management

Identity and access management is a single point of management for all user system access. With identity and access management:

  • You can add users and grant access based on group membership.
  • Workspace ONE Access is the single component for all user access to all systems.
  • Users are removed from access to all systems in a similar streamlined fashion.

Identity and access management provides monitoring capability to identify which applications people are actually using.

For example, a company may have 1,000 software licenses. Using a solution like VMware Workspace ONE Access, you can collect metrics on software usage, improving license utilization and potentially reducing costs by identifying software that is underused relative to the licenses paid for or not used at all.

To manage user access the Workspace ONE Access component provides:

  • Federated user identity: It enables electronic identities and attributes from one domain to be accepted and used to access resources in other domains. For example, federation to Office 365 allows Workspace ONE Access to authenticate login requests to the Office 365 service.
  • Certificate authentication: You configure the certificate authentication method in the Workspace ONE Identity Manager console and then select the authentication method to use in the built-in identity provider. One benefit is that end users no longer have to enter a username and password when accessing certain resources.
  • A unified app catalog on any endpoint: The unified catalog contains applications published to Workspace ONE. Supported application types include intranet, SaaS, native mobile, internally developed mobile, legacy and modern Windows, Horizon 7, VMware Horizon Cloud Service, Citrix published, and ThinApp packages. The application store also contains virtualized desktops.
  • Conditional access: With Workspace ONE Access, you can enforce conditional access based on network range, platform, and application-specific criteria for authentication.
  • Mobile SSO: Mobile SSO is available for Android, iOS, and Windows 10 devices.
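As an added illustration (not code from this post or from VMware), the model below ties the built-in authentication adapters listed earlier to the conditional-access criteria in this section: ordered rules keyed on network range and platform, each carrying an adapter chain, with the stated constraint that Device Compliance cannot be chained with a password adapter enforced when a rule is built. The rule shape, platform names, and IP ranges are assumptions, not the product's real policy schema.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Built-in adapters named in the post. Device Compliance may be chained with
# any other adapter except the two password adapters.
ADAPTERS = {"Mobile SSO for iOS", "Mobile SSO for Android", "Certificate (Cloud Deployment)",
            "Password", "Password (AirWatch Connector)", "Device Compliance"}
PASSWORD_ADAPTERS = {"Password", "Password (AirWatch Connector)"}


def validate_chain(methods):
    """Reject adapter chains the post says are not permitted; return the chain unchanged."""
    unknown = [m for m in methods if m not in ADAPTERS]
    if unknown:
        raise ValueError(f"unknown adapter(s): {unknown}")
    if "Device Compliance" in methods and PASSWORD_ADAPTERS & set(methods):
        raise ValueError("Device Compliance cannot be chained with a password adapter")
    return list(methods)


@dataclass
class Rule:
    networks: list   # CIDR strings the client IP must fall in ("0.0.0.0/0" = any)
    platforms: set   # client platforms the rule applies to ({"ALL"} = any)
    methods: list    # ordered adapter chain; every adapter must succeed

    def __post_init__(self):
        self.methods = validate_chain(self.methods)

    def matches(self, ip, platform):
        in_range = any(ip_address(ip) in ip_network(n) for n in self.networks)
        return in_range and ("ALL" in self.platforms or platform in self.platforms)


def evaluate(rules, ip, platform, compliant, satisfied):
    """First matching rule wins (ordered policy); no matching rule means deny.
    `satisfied` holds adapters the client already passed; Device Compliance is
    taken from the UEM compliance verdict instead. Returns (decision, reason)."""
    for rule in rules:
        if not rule.matches(ip, platform):
            continue
        for m in rule.methods:
            ok = compliant if m == "Device Compliance" else m in satisfied
            if not ok:
                return "DENY", m
        return "ALLOW", None
    return "DENY", "no matching rule"


# Constructed sample policy (hypothetical, not from a real tenant).
POLICY = [
    Rule(["10.0.0.0/8"], {"iOS"}, ["Mobile SSO for iOS"]),
    Rule(["0.0.0.0/0"], {"iOS"}, ["Mobile SSO for iOS", "Device Compliance"]),
    Rule(["0.0.0.0/0"], {"Windows 10", "macOS"}, ["Certificate (Cloud Deployment)"]),
]
```

Note that the internal-range rule is listed first, so an iOS device on the corporate network passes without a compliance check while the same device from outside must also be compliant; rule order is part of the policy.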
