Workspace ONE is a digital workspace platform that simply and securely delivers and manages any app on any device by integrating access control, application management and multi-platform endpoint management. Workspace ONE is built on the VMware AirWatch UEM technology and integrates with VMware Horizon's virtual application delivery on a common identity framework.
With Windows 10's new capabilities, Workspace ONE enables desktop administrators to automate application distribution and updates on the fly. Combined with award-winning Horizon virtualization technology, automating the application delivery process enables better security and compliance.
Follow the steps below to experience Workspace ONE on a Windows 10 device.
- Section 1: Register your Windows 10 Device
- Install Workspace ONE
- Register Workspace ONE
- Enroll your device
- Section 2: Guided Work Experiences
- Native Apps
- Horizon Apps
- Citrix Apps
- SaaS Apps
- Section 3: Understanding Security Features
- Data Loss Prevention
- Conditional Access
- Policies and Profiles
- Section 4: Enterprise Wipe
- Login to the Workspace ONE Console
- Issue an Enterprise Wipe to your Device
Before You Begin
In order to complete a Windows Desktop walkthrough, you'll need the following:
- A valid VMware TestDrive account.
- Enabled VMware AirWatch service in the TestDrive Portal.
- Device: Windows 10 Enterprise, at least version 1607. Windows 10 Enterprise 1703 ISO is available here (TestDrive Office 365 account required).
- Maintain either a VM snapshot, or System Restore point on physical device, for a fast roll back.
- Network access from your device and TCP ports 80 and 443 enabled on your local network.
Section 1: Register your Windows 10 Device
Open the Microsoft Store and install Workspace ONE.
Next, register Workspace ONE in your TestDrive tenant using your enrollment email address.
What's my enrollment email address?
You can verify your TestDrive enrollment email address in the TestDrive portal by following the steps below:
- Login to portal.vmtestdrive.com with your username and password
- In the "Empower Digital Workspace" area, expand the VMware AirWatch section.
- Here you will find your enrollment email address.
When Workspace ONE opens, enter your enrollment email in the field.
Authenticate with your TestDrive credentials.
To complete Workspace ONE registration, select your enrollment OG: Enterprise - EMM Demo
...then enter Workspace ONE.
Once in Workspace ONE, note the Bookmarks and Catalog areas. With bookmarks you can set up quick access to the most used VDI, RDSH apps, ThinApps, and SaaS apps.
Not all apps will be accessible at this time. Some apps, as determined by Workspace ONE polices, require certificates and multi-factor authentication. To have access to all of your assigned apps, you'll need to enroll your device to receive workspace services.
Launch a SaaS app, like the Salesforce SaaS app. You'll be denied access, as Salesforce requires a certificate for access.
Click enroll your device into AirWatch.
Download, install and launch the AirWatch Agent.
Enter your enrollment email as shown.
Proceed through enrollment, choosing your enrollment Organization Group (OG) when prompted: Enterprise - EMM Demo.
Authenticate using SAML provided by Workspace ONE's identity manager. Input your TestDrive user credentials.
After successful authentication, click next to complete enrollment.
Section 2: Guided Work Experiences
VMware Workspace ONE is the enterprise platform that enables organizations to deliver a digital workspace that empowers users to securely bring the technology of their choice—devices and apps—without sacrificing productivity or security at a cost the business needs. Workspace ONE's unified app catalog transforms employee on-boarding. Simply downloading the Workspace ONE app on the PC (or any platform) provides employees with a complete, self-service enterprise app catalog that can be easily customized and branded for your organization. Single Sign-On (SSO) federates the most complex on-premises Active Directory topologies and support for multi-factor authentication, like RSA.
Workspace ONE simplifies Windows 10 modern management with co-management capabilities for Microsoft System Center Configuration Management (SCCM). With native Win32 app distribution, Workspace ONE does it over the air, no longer requiring devices to be tied to an organization's network.
Several Win32 apps are setup and will be delivered by Workspace ONE's software distribution over CDN. From Workspace ONE's catalog, choose the Win32 category to view your assigned Win32 apps.
Choose an app, like 7-Zip (for size), and install it. Workspace ONE will now manage a silent installation of the Win32 app.
The Office 365 Pro Plus suite is available in Workspace ONE. If you wish to show Office 365 Pro Plus, please be advised that it's a 2 GB file. Given its size, not to mention PC and network performance variables, installation will not be timely.
Note the automatic installation of the Win32 VMware Horizon Client. After enrollment, Workspace ONE provided access to the full Horizon Client without any user interaction required.
Next, let's see a Horizon app in action. Choose a VDI, like the NVDIA GRID desktop for your region (APAC, AMER, or EMEA) and allow the Horizon Client to open it. Additionally, you can show bookmarking the desktop for quick access from Bookmarks.
Next, let's launch an RDSH app, Visio, with Workspace ONE. Choose the Visio app for your region.
Once you find the Visio horizon app for your region click to launch the app. It will open into either the native Horizon app if you have it downloaded or your browser if you do not have the Horizon Client installed.
Let's go back and see the now-accessible Salesforce SaaS app. Since the device is enrolled—and is not in violation of any administratively configured compliance polices—Salesforce access is allowed. Launch the Salesforce SaaS app.
Accept the Windows certificate prompt. The user certificate is also provided by Workspace ONE.
Next, in Workspace ONE, launch the Office 365 web app.
Workspace ONE will provide unfettered entry into Office 365!
Now let's hit an internal website. Internet Explorer is setup by Workspace ONE in per app VPN mode to use the VMware Tunnel to access and internal form. Install and then launch the VMware Tunnel app from Workspace ONE.
In Workspace ONE, find the HR Form web app.
If your default browser is not already set to Edge, at the prompt, choose Internet Explorer. If your default browser is set to Edge, use it to open the HR form. It will fail. But then, copy the link and paste it in IE. Accept the Tunnel certificate provided by Workspace ONE. After accepting, the connection should succeed.
The VMware Tunnel app's UI displays the Tunnel's current status. Enterprise Server will not show connectivity until the enabled per app VPN app—Internet Explorer—connects.
Section 3: Understanding Security Features
Industry estimates state up to 75% of corporate data loss is committed unintentionally. As the convergence of work and personal data on the same device accelerates, the risk of accidental data loss also increases through services that your organization does not and cannot control through traditional desktop management methods.
Step in Workspace ONE data protection. Data protection works by whitelisting enterprise applications to give them permission to access enterprise data from protected cloud resources and networks. If end users move data to non-enterprise applications, actions and alerts can be triggered based on selected enforcement policies. The data protection profile encrypts enterprise data and restricts access to approved devices.
Go back to the Office 365 portal, previously launched by workspace ONE, and launch Excel.
Note the protected site badge in the address bar.
Next open the SharePoint document, CommittedSales.xlsx. Open Other Workbooks > Site - VMware EUC - vmtsetdrive.com > Sales Workspace > Documents > CommittedSales.
Copy sensitive content form the spreadsheet.
Open browser tab to a personal mail account, like Gmail, and attempt to paste the protected content. Workspace ONE's data protection polices won't allow it.
Open Wordpad. Attempt to paste the clipboard.
In Excel, save the document to your desktop. Note how the file can only be saved as a "Work" document type for the protected domain.
Go to your desktop and show the protected document badged with the briefcase icon indicating the document is protected.
Next, let's see Workspace ONE manage conditional access. In this case, we'll see how a site becomes inaccessible when you attempt to access the site from an untrusted network.
Open Workspace ONE and launch the Patient Records site.
Your access will be denied.
Now we'll review Workspace ONE polices and profiles.
Restrictions that might have been set via Group Policy Objects (GPOs) are available for configuration in a restrictions profile with its various possible payloads. Configuration Service Providers (CSPs) are made available to be configured to emulate many of the options available through GPO.
The Workspace ONE applied restrictions profile contains restrictions for Windows Updates, internet sharing, region settings, bluetooth, and more.
On the device, search for region settings. Workspace ONE policy should prevent changing them. Along with a red notification, settings will be grayed out.
Next, let's check Windows Updates. From Search, enter "updates," and find the Windows Updates system setting. Show both the configuration and restriction on the Windows Updates screen.
Click the link "view configured update policies" to review Workspace ONE's configured policies.
Section 4: Enterprise Wipe
An enterprise wipe removes all data and access provided by Workspace ONE. An enterprise wipe may be either manually performed by an admin, if allowed, by a user, or may be configured to be triggered via compliance policy.
Log in to Workspace ONE console. Find your device and issue an enterprise wipe command.
After the device picks up the enterprise wipe command, MDM communication will be broken and the device will deprovision.
Discuss the removal of the organization's data. Show native mail has been removed. Or, better yet, show removal of the certificates from the MMC console certificates snap-in for a security-minded audience.
For Additional Support