Experience Workspace ONE on Windows Desktop

Updated on

Workspace ONE is a digital workspace platform that simply and securely delivers and manages any app on any device by integrating access control, application management and multi-platform endpoint management.  Workspace ONE is built on Workspace ONE UEM and VMware Horizon's virtual application delivery, tied together by a common identity framework provided by Workspace ONE Access.

With Windows 10's new capabilities, Workspace ONE enables desktop administrators to automate application distribution and updates on the fly.  Combined with award-winning Horizon virtualization technology, automating the application delivery process enables better security and compliance. 

Follow the steps below to experience Workspace ONE on a Windows 10 device.


Before You Begin

In order to complete a Windows Desktop walkthrough, you'll need the following:

  • A valid VMware TestDrive account. 
  • Enabled Workspace ONE UEM service in the TestDrive Portal.
  • Recommended Device: Updated Windows 10 Enterprise physical or VM.
    Windows 10 Enterprise evaluation ISO is available via download from Microsoft
    • Maintain either a VM snapshot, or System Restore point on physical device, for a fast roll back.
  • Workspace ONE UEM administrator role: Device Administrator at World Wide Enterprises 
  • Network access from your device and TCP ports 80 and 443 enabled on your local network.

Section 1: Enroll your Windows 10 Device 

  • On your device, go to getwsone.com.  Download and install the Intelligent Hub
  • Enroll using your enrollment email address and TestDrive credentials. 

Your TestDrive email address follows the below format:


If you're unsure what your TestDrive email address is, you can verify this in the TestDrive portal by following the steps below:

  1. Login to testdrive.vmware.com with your username and password
  2. Click on the dropdown next to Workspace ONE in the Ready to Use Experiences section to view your credentials
  3. Here you will find your TestDrive email address

When the Hub launches, enter your enrollment email.

Authenticate with your TestDrive credentials. 

Select the enrollment OG: Enterprise - Corporate Owned Demo.

Accept all prompts.  Your device will finish enrolling.

In Intelligent Hub, note the Apps, People, For You, and customizable site (TD KB) areas. In Apps, review both the Categories, making note of all apps: Windows, virtual, and web.  Note the ability to mark apps as favorites for quick access. 

Launch a SaaS app, like the Dropbox app.  You'll be provided access into Dropbox with the need to recall and enter a Dropbox password.

Section 2: Guided Work Experiences

VMware Workspace ONE is the enterprise platform that enables organizations to deliver a digital workspace that empowers users to securely bring the technology of their choice—devices and apps—without sacrificing productivity or security at a cost the business needs. Workspace ONE's unified app catalog transforms employee on-boarding.  Simply downloading the Workspace ONE app on the PC (or any platform) provides employees with a complete, self-service enterprise app catalog that can be easily customized and branded for your organization. Single Sign-On (SSO) federates the most complex on-premises Active Directory topologies and support for multi-factor authentication, like RSA.

Workspace ONE simplifies Windows 10 modern management with co-management capabilities for Microsoft System Center Configuration Management (SCCM).  With native Win32 app distribution, Workspace ONE does it over the air, no longer requiring devices to be tied to an organization's network.

Several Windows Apps apps are set up and will be delivered by Workspace ONE's software distribution over CDN.  From Workspace ONE's catalog, choose the Windows Apps category to view your assigned apps.

Choose an app, like 7-Zip (for size), and install it. Workspace ONE will now manage a silent installation of the Windows App.  

The Office 365 Pro Plus suite is available in Workspace ONE.  If you wish to show Office 365 Pro Plus, please be advised that it's a 2 GB file.  Given its size, not to mention PC and network performance variables, installation will not be timely.  

Note the automatic installation of the Windows Apps: Horizon Client, Workspace ONE Assist, Carbon Black, and more.  After enrollment, Workspace ONE installed cess to the all of these desktop apps  without any user interaction required.

Next, let's see a Horizon app in action.  Choose a VDI, like the NVDIA GRID desktop for your region (APAC, AMER, or EMEA) and allow the Horizon Client to open it. 

Additionally, you can show bookmarking the desktop for quick access from Favorites.

Next, launch the Visio RDSH app from the Hub. Choose the Visio app for your region.

Once you find the Visio horizon app for your region click to launch the app. It will open into either the native Horizon app if you have it downloaded or your browser if you do not have the Horizon Client installed.

Next, in the Hub, launch the Office 365 Portal web app

Workspace ONE will provide unfettered entry into Office 365!

Section 3: Understanding Security Features

Workspace ONE UEM Data Protection for Windows 10 is currently degraded in TestDrive as certain features, such as protected data copy/paste and protected document saving, aren't able to function due to new licensing requirements. Rest assured, the issue is environmental and is NOT present in production implementations of Workspace ONE UEM with Windows 10 Enterprise and Office 365 applications. 

Industry estimates state up to 75% of corporate data loss is committed unintentionally.  As the convergence of work and personal data on the same device accelerates, the risk of accidental data loss also increases through services that your organization does not and cannot control through traditional desktop management methods.

Step in Workspace ONE data protection. Data protection works by whitelisting enterprise  applications to give them permission to access enterprise data from protected cloud resources and networks.  If end users move data to non-enterprise applications, actions and alerts can be triggered based on selected enforcement policies. The data protection profile encrypts enterprise data and restricts access to approved devices.

Go back to the Office 365 portal, previously launched by workspace ONE, and launch Excel.  

Note the protected site badge in the address bar.

Next open the SharePoint document, CommittedSales.xlsx.  Open Other Workbooks > Site - VMware EUC - vmtsetdrive.com > Sales Workspace > Documents > CommittedSales.  

Copy sensitive content form the spreadsheet.

Open browser tab to a personal mail account, like Gmail, and attempt to paste the protected content.  Workspace ONE's data protection polices won't allow it. 

Open Wordpad.  Attempt to paste the clipboard. 

In Excel, save the document to your desktop.  Note how the file can only be saved as a "Work" document type for the protected domain. 

Go to your desktop and show the protected document badged with the briefcase icon indicating the document is protected.

Next, let's see Workspace ONE manage conditional access.  In this case, we'll see how a site becomes inaccessible when you attempt to access the site from an untrusted network.

In the Hub, launch the Patient Records web site. 

Due to Workspace ONE Access security policies, your access is denied.

Next, we'll review Workspace ONE polices and profiles

Restrictions that might have been set via Group Policy Objects (GPOs) are available for configuration in a restrictions profile with its various possible payloads.  Configuration Service Providers (CSPs) are made available to be configured to emulate many of the options available through GPO.  

The Workspace ONE applied restrictions profile contains restrictions for Windows Updates, internet sharing, region settings, bluetooth, and more. 

On the device, search for region settings.  Workspace ONE policy should prevent changing them. Along with a red notification, settings will be grayed out.

Next, let's check Windows Updates. From Search, enter "updates," and find the Windows Updates system setting.  Show both the configuration and restriction on the Windows Updates screen. 

Click the link "view configured update policies" to review Workspace ONE's configured policies.

Section 4: Enterprise Wipe

An enterprise wipe removes all data and access provided by Workspace ONE.  An enterprise wipe may be either manually performed by an admin, if allowed, by a user, or may be configured to be triggered via compliance policy.

Log in to Workspace ONE console.  Find your device and issue an enterprise wipe command.

After the device picks up the enterprise wipe command, MDM communication will be broken and the device will deprovision.  

Discuss the removal of the organization's data.  Show native mail has been removed.  Or, better yet, show removal of the certificates from the MMC console certificates snap-in for a security-minded audience.

Previous Article Windows Desktops and Workspace ONE
Next Article Workspace ONE Intelligence Overview