Experience Workspace ONE on Windows 10

Workspace ONE is a digital workspace platform that simply and securely delivers and manages any app on any device by integrating access control, application management and multi-platform endpoint management.  Workspace ONE is built on the Workspace ONE UEM technology and integrates with VMware Horizon's virtual application delivery on a common identity framework. 

With Windows 10's new capabilities, Workspace ONE enables desktop administrators to automate application distribution and updates on the fly.  Combined with award-winning Horizon virtualization technology, automating the application delivery process enables better security and compliance. 

Follow the steps below to experience Workspace ONE on a Windows 10 device.

Overview


Before You Begin


In order to complete a Windows Desktop walkthrough, you'll need the following:

  • A valid VMware TestDrive account. 
  • Enabled Workspace ONE UEM service in the TestDrive Portal.
  • Device: Windows 10 Enterprise, at least version 1607. Windows 10 Enterprise 1703 ISO is available here (TestDrive account with Office 365 integration required).
    • Maintain either a VM snapshot, or System Restore point on physical device, for a fast roll back.
  • Network access from your device and TCP ports 80 and 443 enabled on your local network.

Section 1: Register your Windows 10 Device 

Open the Microsoft Store and install Workspace ONE.

Next, register Workspace ONE in your TestDrive tenant using your enrollment email address. 

What's my TestDrive email address?

Your TestDrive email address follows the below format:

[TestDriveUsername]@vmtestdrive.com

If you're unsure what your TestDrive email address is, you can verify this in the TestDrive portal by following the steps below:

  1. Login to portal.vmtestdrive.com with your username and password
  2. Click on the dropdown next to Workspace ONE in the Ready to Use Experiences section to view your credentials
  3. Here you will find your TestDrive email address

Screen_Shot_2018-08-17_at_12.00.59_PM.png

When Workspace ONE opens, enter your enrollment email in the field. 

mceclip3.png

Authenticate with your TestDrive credentials. 

To complete Workspace ONE registration, select your enrollment OG: 

Enterprise - EMM Demo (Corporate Owned)

...then enter Workspace ONE.

Once in Workspace ONE, note the Bookmarks and Catalog areas.  With bookmarks you can set up quick access to the most used VDI, RDSH apps, ThinApps, and SaaS apps.

Not all apps will be accessible at this time.  Some apps, as determined by Workspace ONE polices, require certificates and multi-factor authentication.  To have access to all of your assigned apps, you'll need to enroll your device to receive workspace services.  

Launch a SaaS app, like the Salesforce SaaS app.  You'll be denied access, as Salesforce requires a certificate for access. 

Click enroll your device into AirWatch.

Download, install and launch the AirWatch Agent. 

Enter your enrollment email as shown:

WindowsEnrollEmail.png

Proceed through enrollment, choosing your enrollment Organization Group (OG) when prompted: Enterprise - EMM Demo (Corporate Owned)

Authenticate using SAML provided by Workspace ONE's identity manager.  Input your TestDrive user credentials.

After successful authentication, click next to complete enrollment. 

Section 2: Guided Work Experiences

VMware Workspace ONE is the enterprise platform that enables organizations to deliver a digital workspace that empowers users to securely bring the technology of their choice—devices and apps—without sacrificing productivity or security at a cost the business needs. Workspace ONE's unified app catalog transforms employee on-boarding.  Simply downloading the Workspace ONE app on the PC (or any platform) provides employees with a complete, self-service enterprise app catalog that can be easily customized and branded for your organization. Single Sign-On (SSO) federates the most complex on-premises Active Directory topologies and support for multi-factor authentication, like RSA.

Workspace ONE simplifies Windows 10 modern management with co-management capabilities for Microsoft System Center Configuration Management (SCCM).  With native Win32 app distribution, Workspace ONE does it over the air, no longer requiring devices to be tied to an organization's network.

Several Win32 apps are setup and will be delivered by Workspace ONE's software distribution over CDN.  From Workspace ONE's catalog, choose the Win32 category to view your assigned Win32 apps.

Choose an app, like 7-Zip (for size), and install it. Workspace ONE will now manage a silent installation of the Win32 app.  

The Office 365 Pro Plus suite is available in Workspace ONE.  If you wish to show Office 365 Pro Plus, please be advised that it's a 2 GB file.  Given its size, not to mention PC and network performance variables, installation will not be timely.  

Note the automatic installation of the Win32 VMware Horizon Client. After enrollment, Workspace ONE provided access to the full Horizon Client without any user interaction required.

 

Next, let's see a Horizon app in action.  Choose a VDI, like the NVDIA GRID desktop for your region (APAC, AMER, or EMEA) and allow the Horizon Client to open it.  Additionally, you can show bookmarking the desktop for quick access from Bookmarks.

Next, let's launch an RDSH app, Visio, with Workspace ONE.  Choose the Visio app for your region.

Once you find the Visio horizon app for your region click to launch the app. It will open into either the native Horizon app if you have it downloaded or your browser if you do not have the Horizon Client installed.

Let's go back and see the now-accessible Salesforce SaaS app. Since the device is enrolled—and is not in violation of any administratively configured compliance polices—Salesforce access is allowed.  Launch the Salesforce SaaS app.

Accept the Windows certificate prompt. The user certificate is also provided by Workspace ONE.

Next, in Workspace ONE, launch the Office 365 web app

Workspace ONE will provide unfettered entry into Office 365!

Now let's hit an internal website.  Chrome is setup in Workspace ONE UEM in per app VPN mode, using the VMware Tunnel to access an internal form.  Install and then launch the VMware Tunnel app from Workspace ONE (VMware Tunnel is currently installed manually from the Store.).

In Workspace ONE, find the HR Form web app. 

Launch the website using IE or Edge.  The connection will fail, demonstrating there's no device-wide VPN. 

Next, copy the internal URL, launch Chrome and input the URL.  Show the successful connection to the internal site. 

The VMware Tunnel app's UI is designed to simply display Tunnel status. Enterprise server will not show connectivity until the enabled per-app VPN app (Chrome) connects.

Section 3: Understanding Security Features

Workspace ONE UEM Data Protection for Windows 10 is currently under investigation in TestDrive as certain features, such as protected data copy/paste and protected document saving, are not functioning as expected. Rest assured, the issue is environmental and is NOT present in production implementations of Workspace ONE UEM with Windows 10 Enterprise and Office 365 applications. We’re working to restore the functionality.

Industry estimates state up to 75% of corporate data loss is committed unintentionally.  As the convergence of work and personal data on the same device accelerates, the risk of accidental data loss also increases through services that your organization does not and cannot control through traditional desktop management methods.

Step in Workspace ONE data protection. Data protection works by whitelisting enterprise  applications to give them permission to access enterprise data from protected cloud resources and networks.  If end users move data to non-enterprise applications, actions and alerts can be triggered based on selected enforcement policies. The data protection profile encrypts enterprise data and restricts access to approved devices.

Go back to the Office 365 portal, previously launched by workspace ONE, and launch Excel.  

Note the protected site badge in the address bar.

Next open the SharePoint document, CommittedSales.xlsx.  Open Other Workbooks > Site - VMware EUC - vmtsetdrive.com > Sales Workspace > Documents > CommittedSales.  

Copy sensitive content form the spreadsheet.

Open browser tab to a personal mail account, like Gmail, and attempt to paste the protected content.  Workspace ONE's data protection polices won't allow it. 

Open Wordpad.  Attempt to paste the clipboard. 

In Excel, save the document to your desktop.  Note how the file can only be saved as a "Work" document type for the protected domain. 

Go to your desktop and show the protected document badged with the briefcase icon indicating the document is protected.

Next, let's see Workspace ONE manage conditional access.  In this case, we'll see how a site becomes inaccessible when you attempt to access the site from an untrusted network.

Open Workspace ONE and launch the Patient Records site. 

 

W10-PatientRecordsLaunch.jpg

Your access will be denied.

Now we'll review Workspace ONE polices and profiles

Restrictions that might have been set via Group Policy Objects (GPOs) are available for configuration in a restrictions profile with its various possible payloads.  Configuration Service Providers (CSPs) are made available to be configured to emulate many of the options available through GPO.  

The Workspace ONE applied restrictions profile contains restrictions for Windows Updates, internet sharing, region settings, bluetooth, and more. 

On the device, search for region settings.  Workspace ONE policy should prevent changing them. Along with a red notification, settings will be grayed out.

Next, let's check Windows Updates. From Search, enter "updates," and find the Windows Updates system setting.  Show both the configuration and restriction on the Windows Updates screen. 

Click the link "view configured update policies" to review Workspace ONE's configured policies.

Section 4: Enterprise Wipe

An enterprise wipe removes all data and access provided by Workspace ONE.  An enterprise wipe may be either manually performed by an admin, if allowed, by a user, or may be configured to be triggered via compliance policy.

Log in to Workspace ONE console.  Find your device and issue an enterprise wipe command.

After the device picks up the enterprise wipe command, MDM communication will be broken and the device will deprovision.  

Discuss the removal of the organization's data.  Show native mail has been removed.  Or, better yet, show removal of the certificates from the MMC console certificates snap-in for a security-minded audience.

For Additional Support


Review Our Knowledge Base

Submit a Ticket

 

Have more questions? Submit a request

Article is closed for comments.