VMware's Digital Workspace Walkthrough

In this walkthrough, we’re going to review each of the features of VMware’s End User Computing products within the TestDrive environments.


We've broken this walkthrough down into 3 sections: Workspace ONE and Horizon, Workspace ONE and Workspace ONE UEM (formerly VMware AirWatch), and NSX. We've listed these 3 sections below and topics covered in each section.

Preparing for the Walkthrough

For this walkthrough we recommend having your devices already enrolled and configured prior to beginning. You'll need the below devices with the listed configurations. 

NOTE: We suggest using two iOS devices to show adaptive management. This is because it can take a few minutes for the KDC certificate and apps to install after you have installed the digital workspace profile. To ensure a better user experience use two different devices (once which is unmanaged and one which is managed)

MacOS - Unmanaged

  • Navigate to vmtestdrive.vidmpreview.com in your browser and log in with your TestDrive username and password
  • Ensure you have the VMware Horizon client installed. Download the client here if you don't have it installed already.
  • The NSX portion of the demo will be performed using a video. This is because we can't have users changing the network rules within NSX during other users demos giving an unreliable experience. Download the video here for use during the demo.

iOS - Unmanaged

  • Ensure you have downloaded Workspace ONE, logged in with your TestDrive email address, username and password. Login Instructions can be found in the iOS - BYOD walkthrough.
  • Ensure you have downloaded VMware Boxer, VMware Horizon, VMware Content Locker, and VMware Browser from Workspace ONE. Ensure you have launched each app so you won't need to wait for the app to configure the first time during your demo.

iOS - Managed

  • Ensure your device is enrolled using your TestDrive email address, username, and password. Enrollment instructions can be found here.
  • Ensure you have downloaded the VMware productivity apps from the app catalog, the Microsoft applications (Word, PowerPoint, Excel), and any other desired native apps.

Windows 10

  • We suggest using a Windows 10 VM for this walkthrough running on your MacOS machine. Enroll the Windows 10 device into the Corporate demo.
  • Please note some of the profiles are listed as on demand (such as the app restrictions profile). You'll need to install these to your device via the Workspace ONE UEM console prior to starting your demo.

Note on Customizing your Walkthrough

While this guide provides a general outline for a full EUC walkthrough, we recommend customizing your walkthrough based on the products you or your customers are interested in. Please add/remove from this walkthrough script as you see fit. 

Note on Screen Sharing

We recommend running this walkthrough on a MacOS machine. You'll need to have a MacOS machine with a Windows 10 virtual desktop and 2 iPads (one managed and one unmanaged) connected through USB. With this configuration, you can share your MacOS machine's screen via Skype for Business or WebEx to your customers.

To view full instructions for sharing your device r each platform check out our Demo Screen Sharing Guide.



Section 1: Workspace ONE and Horizon

Start on your unmanaged MacOS machine.

Navigate to  portal.vmtestdrive.com in your browser and log in with your TestDrive credentials.

VMware Workspace ONE combines Identity and Enterprise Mobility Management to empower end users with an intuitive and secure way to access all the apps and data employees need to work whenever, wherever and from whichever device they choose. Workspace ONE provides a consistent user experience across all devices, corporate owned or BYOD including Mac OS X, iOS, Android, and Windows 10. 

First, we’ll take a look at an unmanaged OS X machine. Here the employee is accessing Workspace ONE through a web browser. Upon logging in the user is brought to the Workspace ONE bookmarks tab, which is configured with web and virtual applications that have been selected by the user. Clicking on any of the apps will single sign the user into their identity so the user no longer needs to remember multiple sets of credentials or websites to access the corporate resources they need.


Move over to the catalog tab.

Employees can easily customize their digital workspace by browsing the fully-searchable app catalog. The Workspace ONE app catalog aggregates all the applications your employee needs including cloud, mobile, and windows apps so they have one central place for their corporate resources.

Clicking to add a virtual or web app adds the app to the employee's personalized workspace and will be accessible on any of their devices. Similarly, deleting an app will remove it from their personalized workspace while remaining available to be re-added from the catalog.


Move back to the bookmarks tab and launch into BlueJeans.

Now lets see the experience when launching into apps from Workspace ONE. We’ll click on BlueJeans which is a video conferencing app. Workspace ONE uses SAML-based authentication to single sign the user into their identity for a seamless experience.


Navigate back to Workspace ONE bookmark tab in the web browser. Click AMER-Win10AE to launch into a Windows 10 desktop via native Horizon client.

Launching virtual apps provides the same one click experience allowing the user to access the resources they need without remembering configuration information or websites. Users can access their virtual apps and desktops regardless of where they are or the device types that they are using; allowing them the flexibility to be productive wherever they are.

Here you can see we just launched into a virtual Windows 10 desktop from our OS X machine, which has been delivered through VMware Horizon. With Horizon administrators can improve VDI deployment and management by reducing the number of images that need to be maintained. Additionally, Horizon allows admins to deliver a consistent user experience across devices and locations while keeping corporate data secure and compliant.


Right-click on the start button, choose Programs and Features to display the current list of installed programs.

On this particular desktop the Administrator has used VMware App Volumes to deliver user applications. Normally, organizations will set these apps to install upon launching, however to demonstrate the power of App Volumes we have set these to be triggered by the user. 

Click the Start button, All apps, and App Volumes – ATTACH LOTS OF APPS!

Refresh the app list to see the number of apps has increased.

You can see by just clicking install we have gone from 30 to 79 apps in a matter of seconds.  App Volumes makes it easy to deliver, update, manage and monitor applications and users across virtual desktop and published application environments.

Next, open the Printers & Scanners menu. Observe the number of printers. Next, open 123Design from the app list on the desktop. 

Additionally, with VMware’s User Environment Manager we’re able to store user applications and particular windows settings in a file share to be delivered to non-persistent desktops. This creates a dedicated PC experience on your non-persistent floating Horizon desktops, lowering infrastructure costs and improving login times.

Note the list of printers has increased from launching 123Design.

For example, any drive or printers which are mapped to this desktop, will be available again on another desktop regardless of which in the pool the user gets to.

Return to Workspace ONE bookmarks tab in Chrome. Launch into Workday to show conditional access blocking your unmanaged MacOS machine.

Now that we’ve covered how easy it is to launch into all the apps employees need to use, let’s talk about security. With Workspace ONE’s conditional access policies administrators can block users from accessing certain apps based on strength of authentication, network, location and device compliance. For example, here our admin has decided to block access to Workday which contains sensitive company data on unmanaged devices.

When the user launches the app they are blocked and informed they must install the digital workspace profile to access the app.


Section 2: Workspace ONE and Workspace ONE UEM

Next, switch over to your unmanaged iOS device.

Intuitive user onboarding is paramount for any organization with BYOD devices or even organizations with corporate owned devices who also want to provide device choice to their employees. Employees don't want to have to download an Agent, enter environment information and enroll their devices to access their corporate resources.

Now with Workspace ONE and Workspace ONE UEM, you no longer have to ask your users to enroll their devices. Instead the employees can simply download the Workspace ONE app from the app store, login and start using it to launch entitled apps. This can be done from iOS, Android or Windows 10 devices.

Open Workspace ONE.

If we launch into Workspace ONE you’ll see the user is presented with the same experience as we saw on the mac. The user can single sign into any of the virtual or web applications with one click from the Workspace ONE bookmarks tab. 

Open the AMER-Win10AE desktop to show picking up the same session as we showed from our Mac.

If we click to launch into the Windows 10 desktop we’re picking up the same session we just showed from the Mac OS X machine. Employees can get up from their desks, leave their laptop behind and go out into the field without leaving their current session.

Close Horizon and navigate back to the Workspace ONE catalog.

If we return to Workspace ONE and navigate to the catalog you’ll now notice native iOS apps are available alongside the web and virtual apps we saw previously. When downloaded, Workspace ONE allows the user to single sign on into these apps extending the single sign-on experience across app types.

Close out of Workspace ONE and ensure you have the productivity apps downloaded.

While on the go your employees demand a best in class user experience, which is why VMware created productivity apps which are engaging and intuitive with a consumer-simple experience and enterprise-grade security. These apps allow employees to work collaboratively in real time and can be integrated into the apps and tools they already use.

Launch into Boxer. Features which can be highlighted: customizable swipe gestures, quick replies, calendar availability, content repository integrations, one touch dialing (ensure you have emailed yourself a WebEx invite), 

Vmware Boxer is A faster, smarter, secure email app that supports your Exchange, Office 365, Outlook, Gmail, Yahoo and iCloud email systems. Let's walk through a few of the features designed to make your employees more productive. First, our inbox is crowded with a few emails from facilities. We can easily select these emails and perform bulk actions such as sending them to the archive folder with a few taps. Users can configure these swipe gestures to actions of their choice so the user can customize Boxer to perform in the way that is most effective for them. 

Next, we have an email from our manager asking us to update a customer proposal. With Quick replies, I'm able to respond in just two clicks. Sending calendar availability from Boxer is as easy as clicking the open times on your calendar so you don’t have to exit an email to check your calendar. Here a customer is asking when I'm able to meet to discuss the proposal. I'll review my calendar and the open times are populated directly into the message. Additionally, When sending files,  users  have the option to attach from VMware Content Locker, Box, Dropbox, OneDrive for Business and more at the administrator's discretion.

Close out of Boxer and launch into Content Locker. Features which can be shown: sync content repositories by signing in with your TestDrive user credentials to the file shares (vmwdemo/testdriveusername), in the Workspace ONE UEM content section we have staged content as well as a restricted doc and unrestricted doc (top of the list).

Next, lets consider content management. VMware Content Locker Simplifies access to all corporate content across multiple content repositories and devices while enforcing data loss prevention settings configured by the admin. Content locker supports over 30 content repositories including OneDrive, Google drive, box, dropbox and more. Administrators can set granular controls blocking content from opening into certain applications, watermarking, and restricting copy paste just to name a few.

Close out of Content Locker and open VMware Browser. Features to show: whitelisting/blacklisting sites, navigating to internal sites, copy/paste restrictions.

Enable users with an intuitive browsing experience across intranet, internet and web apps on VMware Browser. Featuring a native user experience and single sign on (SSO), VMware Browser provides instant access to corporate sites without requiring a VPN connection. Administrators can configure Vmware Browser with data loss prevention controls such as blacklisting or whitelisting web pages, cut/copy/paste restrictions, enable/disable cookies and more.

Close out of VMware Browser. Navigate back to Workspace ONE and attempt to download an app which requires OS level management (denoted by a star). Click install on the locked app.

Now that we have reviewed the unmanaged onboarding and features of Workspace ONE, lets see what happens when an employee wants to download an app which contains sensitive corporate data that the admin does not want available on unmanaged devices. If we navigate back to the app catalog and attempt to download Salesforce, you'll see a star noting the device must install the digital workspace profiles before access will be granted. The onboarding process for installing the digital workspace profile is contained completely within Workspace ONE.  This empowers users to decide if and when they want to install the workspace services profile to their device based on the applications they want to access.

Click "your privacy" to open the privacy information.

Review the privacy info and select "Done" when ready to move on.

The user is shown exactly which information can and cannot be collected before proceeding so the user can trust their privacy will not be sacrificed.

Click "Enable Workspace Services" to continue with the installation of the stared app.

Clicking  proceed  from within Workspace ONE directs the user to install the digital workspace services profile. Now, all apps which previously were locked for unmanaged devices are available. At this time certificates, user profiles, and apps are being pushed down to the device to enhance the user experience and upgrade security.

Next, you'll be routed to install the Workspace Services Profile. At this point, it is best to switch to your managed device so you do not need to wait for the 1 -2 minutes for the certificates and apps to install.

Switch over to your managed iOS device which already has all the apps downloaded.

Open Salesforce. If this is the first time you are launching the app (we recommend deleting the app and reinstalling prior to your demo) you will see the user must accept the EULA. This is showing the seamless experience when the employee launches the app for the first time.

If we launch into Salesforce, you’ll see it now can be accessed with one touch using our unique secure app token system, app configuration, and Workspace ONE.

Next, close out of Salesforce and open one of the Microsoft apps. We have opened Excel. Click "Sign In" to continue.

Next, enter your TestDrive Office 365 email address and select next. This will be in the format {TestDriveUsername}@vmtestdrive.com.

Your account will be authenticated against VIDM.

Now you'll be signed into the service.

Additionally, you’ll see the user can single sign-on into office apps now that the device meets the compliance requirements.

In the event that the device is lost or stolen, administrators can issue remote commands including enterprise wiping the device to remove all corporate data.

Switch to the Windows 10 VM which is running on your MacOS machine.

Another critical consideration in the industry today is the deployment of Windows 10 machines. Traditional imaging and client management solutions have proven to be expensive, labor intensive on IT and frustrating for your employees. VMware Workspace ONE powered by Workspace ONE UEM modernizes how you approach management security of Windows 10 devices. By taking a modern cloud-first approach Workspace ONE UEM ensures company required security policies, GPOs, user profiles and settings and OS patches are pushed instantly to devices on or off the domain and across any network.

Navigate to the start menu > settings > accounts > access work or school. Note the device is enrolled and managed by Workspace ONE UEM.

You’ll see this device is fully enrolled in Workspace ONE UEM and we’ve pushed down a few policies such as requiring a passcode, pushing down corporate wallpaper including company branding, removing bloatware, setting up corporate VPN and wifi networks, configuring BitLocker encryption, mapping company printers and even the new windows as a service policies to keep the device up to date with the latest security patches.

Launch into the Workspace ONE app. Show the bookmarks tab and the catalog which now contains Windows applications as well.

Once on-boarded, employees can access the same Workspace ONE bookmarks tab and catalog for self-service and single sign-on access to recommended SaaS, remote UWP, and Win32 software. For your larger windows apps, Workspace ONE UEM enables cloud and peer distribution and sharing a faster more reliable and scalable software deployment while also reducing your bandwidth and infrastructure needs.

Launch into IE 6 from the Workspace ONE bookmarks.

Accessing a legacy Windows app such as IE 6 is as easy as clicking to launch from Workspace ONE, giving employees access to critical systems only available through legacy browsers. Remote apps look and feel just like using any other windows app including features like copy/paste and the ability to access local drives and files.

Navigate to the Windows store on the device. Navigate to Netflix.

Besides delivering the right apps to the right users Workspace ONE UEM ensures unapproved apps are blocked from download and prevented from execution so the OS is constantly protected against modern cyber security threats. You can see here the user is blocked from installing Netflix by a corporate policy.

Navigate to Outlook.

Requirements such as Microsoft Outlook are automatically pushed and silently installed without any user interaction. Email or exchange profiles are already setup for the user on the first launch of the app. 

Setting up data protection policies in Workspace ONE UEM prevents accidental leak of company IP into unapproved public websites or any personal apps that exist on the device. You can see Outlook  is marked  a managed application in the top right. If the employee saves any content from a work managed app you’ll notice the documents will be badged with a work icon.

Save a document from outlook onto the desktop. Note that the doc now contains the badged work icon.

The document saved from our corporate email now contains this work icon.


Section 3: NSX

For this section, we'll be playing a video. Due to the nature of NSX we can't have this demo live as the networking rules changes would impact others demos. Download the video here:  https://videos.vmtestdrive.com/cards/ad854f33-a766-428b-a3f8-49ca078a77da

VMware NSX delivers a completely new operational model for networking that forms the foundation of the Software-Defined Data Center. Because NSX builds networks in software, data center operators can achieve levels of agility, security, and economics that were previously unreachable with physical networks. Now, we’re going to show you a quick demo of Workspace ONE UEM and NSX working together. We’ll first take a look at the NSX admin console and NSX Service Composer.

You’ll see here we have 4 different servers configured which we have setup firewall rules to allow certain protocols to access. In a moment we’ll switch over to our iOS device which has been managed by Workspace ONE UEM. Through Workspace ONE UEM we have pushed down an application which reads data from all 4 of the servers we have configured in NSX. 

Switching over to a different view we can see the Service Composer. We have grouped together our server objects and the VMware Tunnel VPN so that we can apply rules based on group.

Now switching over to our iPad, you’ll see our app which has been configured to read data from the 4 servers we have setup within NSX. This app is actually configured to launch an VMware Tunnel or Workspace ONE UEM per app VPN. You’ll see the device can successfully read data from all 4 servers.

If I switch over and take a look at the VMware Tunnel app on the device, you’ll see the VMware Tunnel service is running and I’m actually VPN’ed back into my corporate infrastructure. NSX is controlling where I can go from here. At the moment I can see all the data in the app, but now I’m going to switch back to the NSX console and make some changes.

In the NSX console, I’ll navigate to the security policies and the HTTP rule and remove a few of the servers applying the information to the app. This could be an example of confidential data that we don’t want this user to see.

Next, we’ll move back to the application on the device and do a refresh. Now the first two graphs are displayed but the rest come back with an access denied message, showing NSX has dynamically reconfigured the network preventing access to those servers.

If I go back to the firewall rule, now for HTTPS I’m only seeing requests going through for servers 2 and 3 in this scenario.

Next, we’ll go back and re-enable the rule so you can see it working again in real time. I’ll go to the rule select apply policy and add back in Servers 1 and 4.

Now refresh the app again, and we’ll have access to all the graphs again. And as easy as that we’ve shown how easy it is to integrate NSX with Workspace ONE UEM to extend your security policies out to your managed mobile devices.

Now you're done! Wrap up and ask for any questions. As always, you can add or remove from this script as desired.

Walkthrough Summary

For Additional Support

Review Our Knowledge Base

Have more questions? Submit a request

Article is closed for comments.