In this comprehensive TestDrive walkthrough, you'll see how to demonstrate the modern Windows desktop managed by VMware Workspace ONE.
The corporate-liable device use case utilizes the most Windows 10 management functionality. Therefore, the standard, functionality rich demo is available when you enroll into the Enterprise - Corporate Owned Demo OG. Enrolling into BYOD is also supported and is intended to show a Windows 10 PC being under very light management without restrictions.
Contents
- Introduction
- Before You Begin
- Enrollment
- Workspace ONE UEM Console Overview
- VMware Workspace ONE Intelligent Hub
- Software Distribution over CDN for Windows Apps
- Remote Access with VMware SASE
- Product provisioning
- Data Protection (Windows Information Protection)
- Restrictions: AppLocker and System Restrictions
- Windows Updates
- Personalization
- Compliance: BitLocker and Health Attestation
- Provide Remote Support with Workspace ONE Assist
- Enterprise wipe
Introduction
In a traditional Windows environment, devices were managed through GPOs and complex systems management tools such as SCCM. With Workspace ONE UEM and Windows 10/Windows 11, configuration changes can be delivered in real-time, over-the-air, anywhere—not just when a system is on the corporate network.
Workspace ONE UEM brings industry leading, lightweight modern management coupled with the capabilities of traditional client management functions into a comprehensive Windows desktop management solution.
Workspace ONE UEM:
- Provides advanced endpoint protection and security features like ensuring device compliance, protecting enterprise data and apps, setting BitLocker encryption, managing device password, controlling Windows Firewall and AntiVirus, setting device restrictions, and collecting location information.
- With VMware Workspace ONE delivers a unified catalog experience to not only empower users to have all apps (desktop, virtual, web, and native) in one collection, but more importantly, provide secure and streamlined access to these apps.
Before You Begin
In order to complete a Windows 10/Windows 11 walkthrough, you'll need the following:
- An active VMware TestDrive account. Click here for more info.
- Ready-to-use (RTU) Workspace ONE UEM service enabled in the VMware TestDrive portal.
- Recommended Device: Fully updated Windows 10/Windows 11 Enterprise physical or VM.
- Windows 10/Windows 11 Enterprise evaluation ISO is available via speedy download from Microsoft.
- Workspace ONE UEM administrator role: Device Administrator at World Wide Enterprises
- For the console-side discussion, be sure you already have the console open with the necessary console views already loaded in your browser's tabs.
- If performing the data protection demo (WIP), you need to install 64-bit Office 365 Pro Plus from the Office 365 portal first. (Use a VM snapshot with it installed. A live Office 365 Pro Plus install can take a while hours, even over CDN.)
- Network access from your device and TCP port 443 enabled on your local network.
Begin with the below enrollment section, then proceed down the guide.
Enrollment
Talking Points
- Workspace ONE UEM supports several admin friendly and user friendly enrollment methods including the recommended Workspace ONE Intelligent Hub initiated enrollment, as well as auto-enrollment (OOBE) and native enrollment.
- With Workspace ONE Intelligent Hub, searching for the enrollment area in Windows settings, entering a server name (if there's no WADS, which is administrative overhead in itself), and waiting for the agent to install post-enrollment are all things of the past.
Hub-initiated enrollment is currently the recommended Windows enrollment method. To begin enrollment, on your Windows machine, go to https://getwsone.com.
Download and run the Workspace ONE Intelligent Hub app. (If prompted, install the Microsoft Visual C++ libraries.)
After installation completes you will be guided through enrollment. When the Hub UI opens, chose email enrollment, then enter your Workspace ONE UEM enrollment email address in the following format:
<username>@vmtestdrive.comWorkspace ONE UEM makes enrollment simple by automatically discovering the user's email address and directing the device's enrollment into the correct environment. The user doesn't need to know any technical details!
Proceed through enrollment, choosing Enterprise - Corporate Owned Demo. This flow contains the greatest functionality showcase and is, therefore, the standard. In addition to basic management, it contains Windows Information Protection (WIP), registry editing via scripts deployed by product provisioning, an automatically deployed Horizon Client via software distribution over CDN, system restrictions, App Locker, BitLocker, and administrator-managed Windows Updates. As mentioned in the introduction, this document entails the corporate-owned device demo.
Enterprise - BYOD Demo is also available to demonstrate the BYOD use case. Being sensitive to a user's privacy where restrictions of any type would be considered intrusive on a personal device, not much change takes place on the device in the BYOD demo. BYOD is provided as a contrast to the Enterprise - BYOD Demo flow.
Authenticate using SAML provided by Workspace ONE Access. Input your TestDrive credentials as listed below:
Username: <TestDrive username>
Password: <TestDrive password>
Immediately after SAML authentication, Workspace ONE UEM provisioning processes begin. Click next to complete enrollment.
Enrollment is complete when you see the following:
Next, check your device in the Workspace ONE UEM console and note that enrollment is complete.
Enrollment Tips
To sync Workspace ONE profiles and device samples, run mdmagent.exe.
To sync products (e.g., the registry edit scripts), manually sync the AirWatch Protection Agent/Unified Agent via a right-click as shown below.
The user cert is needed for an optimal Windows 10 & 11 demo. Workspace ONE Access authentication policies utilize the user cert for initial access into the Workspace ONE app itself as well as for several Workspace ONE managed apps. In situations where the user cert is not installed, Workspace ONE app authentication policies are set to fall back to username and password authentication.
The user cert is is set up by an automatically deployed Workspace ONE UEM profile. To verify the user cert's installation status:
- In the console, check your device's profiles view for the installed user cert profile, WWE - Windows - User Cert.
- On the machine, open MMC, add certificates for user context, and look in the personal store. Verify if your user cert has been installed by Workspace ONE UEM.
Continue in the Workspace ONE UEM console.
Talking Points
- An enrolled device will receive a set of automatically delivered profiles. Those profiles represent a baseline configuration how the PC should be set up, and additional profiles can be applied to meet specific requirements.
- Profiles are the settings, when combined with compliance policies, that help enforce organizational security policies.
- Passcode, Wi-Fi, certificate issuance, app whitelist/blacklist, and device restrictions are just a few profile types that may be created for Windows 10/Windows 11.
Go to Resource > Profiles & Baselines > Profiles.
In "Search List," enter "WWE - Windows -" to quickly filter your view to only list Windows 10/Windows 11 profiles.
Click through individual profiles to see review its payload.
Use the configured optional device profiles as needed.
Switch to your browser tab containing the device list. Find your device by filtering by your username. Drill into your device details and discuss profiles, apps, content and other features your audience would find important.
On the profiles tab, note the installed statuses and the assignment types, automatic vs optional, from this view. Again, use optional profiles to aid your discussion.
Go to More > Troubleshooting.
Discuss how Workspace ONE UEM enables the administrator to see real-time event logs—just as one would with SCCM—right in the Workspace ONE UEM console. Both events and command statuses can be readily accessed in real time!
Talking Points
- VMware Workspace ONE is the enterprise platform that enables organizations to deliver a digital workspace that empowers users to securely bring the technology of their choice—devices and apps—without sacrificing productivity or security at a cost the business needs.
- Unified app catalog transforms employee on-boarding. Simply downloading the Workspace ONE app on the PC (or any platform) provides employees with a complete, self-service enterprise app catalog that can be easily customized and branded for your organization.
- Delivers any application from the latest mobile cloud apps to legacy enterprise apps. Simple, one-stop access to all apps: native, web, virtual, VDI, and RDS apps!
- Internal web apps through a secured browser
- SaaS apps with SAML-based SSO and provisioning framework
- Native public mobile apps through brokerage of public app stores
- Modern Windows apps through the Windows Business Store
- Legacy Windows apps through Win32 package delivery
- Single Sign-On (SSO) that federates the most complex on-premises Active Directory topologies and support for multi-factor authentication, like RSA.
After enrollment, the Workspace ONE Intelligent Hub will automatically launch, preconfigured with the Workspace ONE Access tenant. It will complete setting up your workspace.
With Workspace ONE managed authentication, the user's access into the Workspace ONE Intelligent Hub is seamless and graceful. Manual user authentication is not required, but can be configured as a fallback method.
Proceed into the Intelligent Hub. Discuss the core Hub areas: Apps, People Search, For You, and the custom site.
In Apps, review both the Categories, making note of all apps: Windows, virtual, and web. Note the ability to mark apps as favorites for quick access.
Go over the rapid and seamless access Workspace ONE provides for virtual apps: VDI, RDSH, and Thin Apps. Choose a VDI, like the NVDIA GRID desktop for your region, and allow Horizon to open it. You can also show bookmarking.
Also review the support of legacy Windows apps, like Internet Explorer 6. Many organizations still need to support legacy web apps and Workspace ONE makes it available in a snap.
Launch the IE6_Thinapp.
Users can have seamless access to a critical web app only available thru a legacy browser.
Talking Points
- No longer do PCs need to be tied to local area network (LAN) computer management systems for native Windows app management. Both Windows 10/Windows 11 desktops and Windows 10/Windows 11 mobile devices can now have Windows apps managed over-the-air (OTA) by Workspace ONE UEM.
- Workspace ONE UEM provides a variety of different application distribution options to meet the variety of installation scenarios found in an enterprise. The application deployment framework supports MSI, EXE and ZIP based deployments, public apps from the Windows Store, as well as, complex script-based applications through product provisioning.
- Content Delivery Network (CDN) integration globally extends your organization's app deployment for fast and secure app delivery.
Windows's native VMware Horizon Client, Carbon Black Cloud Sensor, Workspace ONE Tunnel, Chrome Browser, and Zoom are configured to automatically deploy. These apps are delivered by Workspace ONE UEM's software distribution over CDN.
Workspace ONE UEM's Windows app distribution and management is doing the same thing that traditional LAN-based tools, like SCCM, have done with native apps—but Workspace ONE UEM is doing it over the air. Devices no longer have to be tied to the organization's LAN.
Several additional native Windows apps are set up for software distribution. From the Hub, select Windows Apps to filter out all Windows apps, both Windows desktop and UWP apps:
Choose one of the Windows desktop apps and push it to the device. 7-Zip is a good manual install app due to its small size.
You need a 64-bit Office 365 installation to demonstrate the upcoming WIP section. You may use either the provided Office 365 install or one on your machine, but it must be a 64-bit Office 365 install to work with the WIP profile.
The provided Office 365 Pro Plus ZIP is a 2 GB download/install. Needless to say, given PC and network performance, installation can take a while. Unless you are required to show the Office installation live, have your machine set up with Office 365 Pro Plus 64-bit before the demo.
Apps delivered via software delivery are set up through the familiar AW workflow. Though with Windows desktop apps, comprehensive deployment, install, dependency, detection, and uninstall settings are available to suit various complex app deployment needs.
In the console, you can not only use the troubleshooting tab to view the status of the apps' installation command but also show that the app is being delivered from the globally-reaching CDN.
Talking Points
- Users are always connected to enterprise apps, anywhere. Customizable per-client app policies can be fine-tuned and additional authentication is available.
- Users have a 'no-touch' remote access experience. Setup and configuration are 100% managed by Workspace ONE UEM.
- IT organizations can take a least-privilege approach to enterprise access, ensuring only defined apps and domains have access to the internal network.
- Zero Trust goals can be reached by combining explicit definitions for managed applications and integration with the Workspace ONE compliance engine.
Reference Enabling Secure and Optimized Access for Remote Workers with SASE for Anywhere Workspace.
VMware Secure Access is delivered through our VMware SASE PoP network across 100+ global locations, operated by VMware and 120+ service provider partners, with VMware Workspace ONE on over 40 million devices.
Talking Points
- Product provisioning allows you to create products containing profiles, applications, and files/actions (depending on the platform). These products follow a set of rules, schedules, and dependencies as guidelines for ensuring your devices remain up to date with the content they need.
- Products allow for complete customization through scripting, rule sets, schedules, and dependencies for ensuring your devices remain configured and up to date.
- Product Provisioning can be used for advanced, script-based app deployments.
In the TestDrive Windows setup, product provisioning pushes registry edits for internet security internet trusted zones. The product, consisting of a BAT and REG file, is pushed to and executed from C:\Temp\AW\.
To view the product's results, go to IE's Internet Options > Security > and view Local Intranet's sites. The site https://testdrive.vidmpreview.com was configured by Workspace ONE UEM product provisioning.
TestDrive's Office 365 service provides licensing for online apps when it's enabled on your TestDrive account—not Office desktop apps. Workspace ONE UEM Data Protection for Windows 10/Windows 11 is enabled in TestDrive, however, for it to work on the Office desktop apps those are required to be licensed. (VMware employees click here.).
Talking Points
- Issue at hand: Industry estimates state up to 75% of corporate data loss is committed unintentionally. WIP was built to address this issue.
- As the convergence of work and personal data on the same device accelerates, the risk of accidental data loss also increases through services that your organization does not and cannot control through traditional desktop management methods.
- Windows Information Protection (WIP) works by whitelisting enterprise applications to give them permission to access enterprise data from protected cloud resources and networks.
- If end users move data to non-enterprise applications, actions and alerts can be triggered based on selected enforcement policies.
- The data protection profile encrypts enterprise data and restricts access to approved devices. Encryption is managed thru a certificate in the data protection profile.
WIP Profile Summary
The TestDrive WIP profile has the following enterprise resources protected. Use them as you see fit.
Native apps:
- Microsoft Office 365 Pro Plus 64-bit
- Dropbox
Browsers:
- Internet Explorer (32-bit & 64-bit)
- Edge
Websites:
- TestDrive Office 365 Email
- TestDrive Office 365 SharePoint
- TestDrive Office 365 OneDrive
- Dropbox.com
On the device, open Excel. Sign in with your Office 365 email address. While badges no longer appear either in or on the apps, WIP functionality is present.
<testdriveUsername>@vmtestdrive.comE.g., [email protected]
Certificate authentication via Workspace ONE Access should authenticate you. Accept the prompts.
Open the SharePoint document, CommittedSales.xlsx. Open Other Workbooks > Sites - VMware EUC - vmtsetdrive.com > Sales Workspace > Documents > CommittedSales.
Copy sensitive content from the spreadsheet.
Open browser tab to a personal mail account, like Gmail, and attempt to paste the protected content. Workspace ONE UEM-managed WIP won't allow it.
Open Wordpad. Attempt to paste the clipboard.
Notepad, on the other hand, is a protected app and content is permitted.
In Excel, save the document to your desktop. Note how the file can only be saved as a "Work" document type for the protected domain.
Alternative WIP profiles can be configured for different user groups, where, for instance, an executive group would be granted the ability to save as either work or personal.
Go to your desktop and show the protected document badged with the briefcase icon indicating the document is protected.
Open either Edge or Internet Explorer. Go to mail.office365.com and enter your Office 365 email address.
Use the Workspace ONE UEM-managed certificate when prompted. Workspace ONE Access will sign you into your Office 365 mailbox.
Open an email with an attachment. Download the attachment to your desktop. Note the ability to only save it as a protected work document. Not only is the file under WIP policy, the organization's Office 365 site is too. All of the organization's Office 365 site content is protected and any organizational site can be protected just the same.
You can also open the Outlook native app, after a couple, quick wizard setup steps, and show that Outlook too is under the same WIP policy. WIP protects both the organization's web and native mail!
No matter what enterprise resource a document comes from, since it's protected, it's encrypted and can only be opened by other protected apps.
Additional WIP Talking Points
- Enforcement polices within the data protection profile allow the admin to set limits on what the user can do with protected data. The most common and recommended enforcement polices are:
- Encrypt and Block Data (This is the configuration.)
- Encrypt data and allow user to move data to non-protected applications with an audit trail of any data transfer. The user is warned that their actions will be audited.
Talking Points
- For the corporate dedicated device, a restriction profile may be configured to prevent access to functions such as changing date/time, modifying VPN, changing user account settings, enabling Bluetooth, using Cortana, disabling VPN over cellular, unenrolling, and many other functions that may be seen as an either increased security risk, an increase in cost, or lessened productivity.
- Windows User Account Control (UAC) settings can be managed thru a Restrictions profile. While this setting is an excellent safe guard to malicious app installations, in some organizations it creates a lot of unnecessary help desk calls.
- Workspace ONE UEM configures the native Windows AppLocker which prevents installation of undesirable apps by name, version, or publisher. Conversely, apps may be whitelisted by name, version, or publisher to only allow those apps.
- Corporate branding can be extended to the desktop.
- Native security features such as Windows Firewall Updates and Windows Insider builds can be managed.
- With the combination of WIP, App Locker, and restrictions profiles, a device can be fully managed and secured on the corporate network just as was done with the complex legacy tools.
AppLocker
From the Workspace ONE UEM console, in your device's details, push the WWE - Windows - Block Netflix AppLocker profile.
After the profile installs, which should be very quickly, go to the Microsoft Store and attempt to install Netflix. The Workspace ONE UEM-managed AppLocker profile will block the installation of Netflix.
In addition to UWP apps being able to be blocked, Windows executable, Windows installer, publisher, and script rules may also be configured with an AppLocker profile.
System Restrictions
Talking Points
- In the restrictions profile with its various possible payloads, a significant number of restrictions that might have been set via Group Policy Objects (GPOs) in the past are available to be configured.
- Configuration Service Providers (CSPs) are made available to be configured to emulate many of the options available through GPO.
The WWE - Windows - Restrictions Corp profile automatically deploys. Open it to review its payload. This profile contains restrictions for internet sharing, region settings, bluetooth, and Windows Updates (Check the profile's description for the payloads currently configured.).
On the device, search for region settings. Workspace ONE UEM-managed policy should prevent changing them. Along with a red notification, settings will be grayed out.
From Search, enter "updates," to find the Windows Updates system setting. Show both the configuration and restriction on the Windows Updates screen.
Click the link "view configured update policies" to review the Workspace ONE UEM-configured policies.
Talking Points
- Windows updates in the enterprise can take weeks or even months to be installed on an organizations entire fleet of PCs due to on-local-network requirements to reach distribution servers. Workspace ONE UEM and Windows 10/Windows 11 UEM use the simplicity of the cloud and Microsoft Update Service to deliver updates regardless of device location.
- Updates delivered through Microsoft Update can be controlled by Workspace ONE UEM. Options such as which “branch” to be on, as well as the ability to defer both quality updates and features allows granular control over when PCs get updates.
- Workspace ONE UEM allows the ability to set Active Hours for when updates should be applied to prevent users from canceling reboots, or allowing prevent reboot situations, or to schedule distribution when electricity is cheaper.
- Administrative approvals can target different groups of updates to the right groups of users or PCs, to make sure that PCs are healthy and secure.
- WSUS servers can also augment Workspace ONE UEM and be used for PCs that are always available on the corporate network.
In the UEM console, open Devices > Profiles & Resources > Profiles and search for "update." Select WWE - Windows - Updates Corp policy, open, and choose the Windows Updates payload.
Talking Points
- Personalization for Windows 10/Windows 11 provides over-the-air (OTA) customization of users' desktop environments without GPOs or custom scripts.
- The desktop wallpaper, lock screen image, and access to various Start Menu functions can all be customized OTA.
A configured personalization profile sets both the desktop wallpaper and the lock screen image. Signing off/on (or just reboot to apply all updates) is required to see all of the changes.
After an enterprise wipe, the wallpaper and lock screen will revert to the Windows default.
If performing an OOBE demo, because out-of-box Windows isn't updated, depending on the version of Windows, Windows most likely will need to fully update before the profile is can install.
Talking Points
- The Workspace ONE UEM compliance engine can automatically monitor, notify, and take action on devices that not meet rules set up in compliance management.
- A Windows 10/Windows 11 compliance policy is capable of taking action on critical security items such as device last seen, encryption state, firewall status, automatic updates, OS version, passcode, and Windows Health Attestation.
- Workspace ONE UEM can manage Windows BitLocker Encryption on both physical and virtual machines. A recovery key created during encryption is stored in the Workspace ONE UEM Console and in the Self-Service Portal.
- For Windows Health Attestation, Workspace ONE UEM pulls the necessary information from the device hardware and not the OS, compromised devices are detected even when the OS kernel is compromised.
BitLocker
Talking Points
- A Workspace ONE UEM profile encrypts the Windows 10/Windows 11 desktop device via native BitLocker encryption. After disk encryption, the BitLocker encryption key is made available in the Workspace ONE UEM console. If a device is lost and then recovered, with the BitLocker key readily available to the security team in the Workspace ONE UEM console, potentially lost data can be recovered easily.
- As of Workspace ONE UEM 9.1, BitLocker can also be managed with a password on devices without TPM. BitLocker managed by a password, instead of TPM, enables disk encryption on devices without TPM, like VMs running in older versions of Fusion or Workstation.
To demo BitLocker, from the console, push the WWE - Windows - BitLocker-Pcode profile.
Accept any prompts on the device...then, reboot. After reboot, the Intelligent Hub will prompt to set the BitLocker password.
...and then drive encryption will complete in the background.
Review the PC's BitLocker status in the console...
...and view the recovery key.
Health Attestation
In order to show Health Attestation, you must be using Workstation 14, Fusion 10.1, or a physical PC with the TPM enabled and Safe Boot enabled. In Workstation or Fusion, first encrypt the VM, then add a new device (Trusted Platform Module) and ensure that you have enabled UEFI and Secure Boot in Options > Advanced.
Talking Points
- It's a fact that some vulnerabilities compromise PCs prior to loading Windows, antivirus, and antimalware protections. Health attestation is able take measurements for things like Secure Boot, code integrity, BitLocker and boot manager and compare them against baselines stored in Workspace ONE UEM. If a device is compromised, it can be addressed via the compliance engine.
- If a device falls out of compliance, notifications can alert admins, managers, and the user. As well, customizable device actions can occur using the Workspace ONE UEM compliance engine.
The device sends the Health Attestation report to the Workspace ONE UEM console for enterprise health checks and potential compliance rule triggering.
We can see here that Secure Boot is enabled, preventing a rootkit from compromising this PC prior to Windows booting up, and that BitLocker is seen as enabled at boot. Other security technologies that operate at boot are reported, and compliance policies can be defined to inform administrators that a PC has potentially be compromised.
Talking Points
- Remotely control and troubleshoot far-flung Windows 10/Windows 11 devices just as if you were sitting in front of them.
- Workspace ONE Assist is already configured for SaaS customers who have purchased the upgrade.
Workspace ONE Assist is best-of-breed remote control for support of Windows devices (and other supported platforms).
To experience Workspace ONE Assist on Windows, all you need to do is be enrolled. Look for the Remote Assist function on the support menu. Allow time for the device to fully enroll before trying the Remote Assist feature.
Click Share Screen. The session will begin to launch...
When the session initiates, you'll be prompted with a support PIN.
Enter the the support PIN on the device. Accept the Terms and Share Screen.
The successful session should look like this:
Next, to remote control the device, request access from the toolbar:
After the user grants control access, the admin is free to explore the device.
Assist performs many other valuable administrative functions.
Record the support session as a WEBM file for later viewing and sharing.
Also, a keyboard is available for incompatible keyboard setups between admin and user machine.
To run another Workspace ONE Assist function, chose the desired function from the home menu.
The user must approve the new Assist function to run on the device.
Below display capture, file manager, and remote shell are each shown in the admin experience.
Discuss the need for both manual and automated enterprise wiping of a device. Workspace ONE UEM's customizable compliance polices can issue automatic wipes when a device falls out of compliance. Unlike a device wipe which wipes the entire device back to a factory state, an enterprise wipe will only remove the organization's data. With an enterprise wipe, any user data on the device—as in the BYO use case—cannot and will not be touched.
From the console, issue an enterprise wipe on your device. Show the device's notification of the wipe.
Discuss the removal of the organization's data. Show native mail has been removed. Or, better yet, show removal of the certificates from the MMC console certificates snap-in for a security-minded audience.