Workspace ONE is a simple and secure enterprise platform that delivers and manages any app on any device. It is available either as a cloud service or for on-premises deployment. The platform is composed of several components—Workspace ONE UEM, Workspace ONE Access, VMware Horizon, and the Workspace ONE productivity apps, which are supported on most common mobile platforms.
Although Workspace ONE Access and Workspace ONE UEM are the core components in a Workspace ONE deployment, we can deploy a variety of other components, depending on our business use cases. For example, we can use Unified Access Gateway to provide the Workspace ONE Tunnel or VPN-based access to on-premises resources.
Cloud-Based Logical Architecture
Here is the Workspace ONE cloud-based reference architecture. With a cloud-based architecture, Workspace ONE is consumed as a service requiring little or no infrastructure on-premises.
VMware Workspace ONE UEM SaaS Tenant: Cloud-hosted instance of the Workspace ONE UEM service. Workspace ONE UEM acts as the mobile device management (MDM), mobile content management (MCM), and mobile application management (MAM) platform.
Workspace ONE Access SaaS Tenant: Cloud-hosted instance of Workspace ONE Access. Workspace ONE Access acts as an identity provider by syncing with Active Directory to provide SSO across SAML-based applications and VMware ThinApp packaged apps. It is also responsible for enforcing the authentication policy based on networks, applications, or platforms.
On-Premises Logical Architecture
The Workspace ONE on-premises logical architecture is displayed. With an on-premises deployment of Workspace ONE, both Workspace ONE UEM and Workspace ONE Access are deployed in our data centers.
Workspace ONE Access Appliances: Act as an identity provider by syncing with Active Directory to provide SSO across SAML-based applications and VMware ThinApp packaged apps. Workspace ONE Access is also responsible for enforcing authentication policy based on networks, applications, or platforms.
Workspace ONE UEM Device Services: Workspace ONE UEM consists of several core components, which can be installed on a single server. Workspace ONE UEM acts as the MDM, MCM, and MAM platform.
A number of optional components in a Workspace ONE deployment are common to both a cloud-based and an on-premises deployment.
AirWatch Cloud Connector (ACC): Runs in the internal network, acting as a proxy that securely transmits requests from Workspace ONE UEM to the organization’s critical back-end enterprise infrastructure components. Organizations can leverage the benefits of Workspace ONE UEM MDM, running in any configuration, together with those of their existing LDAP, certificate authority, email, and other internal systems.
Workspace ONE Access Connector: Performs directory sync and authentication between an on-premises Active Directory and the Workspace ONE Access service.
Workspace ONE Native Mobile App: OS-specific versions of the native app are available for iOS, Android, and Windows 10. The Workspace ONE app presents a unified application catalog across Workspace ONE Access resources and native mobile apps, allows users to easily find and install enterprise apps, and provides an SSO experience across resource types.
Secure Email Gateway: Workspace ONE UEM supports integration with email services, such as Microsoft Exchange, GroupWise, IBM Notes (formerly Lotus Notes), and G Suite (formerly Google Apps for Work). The three options for integrating email are:
- VMware Secure Email Gateway: Requires a server to be configured in the data center.
- PowerShell Integration: Communicates directly with Exchange ActiveSync on Exchange 2010 or later or Microsoft Office 365.
- G Suite Integration: Integrates directly with the Google Cloud services and does not need additional servers.
Content Integration: The Workspace ONE UEM MCM solution helps organizations address the challenge of securely deploying content to a wide variety of devices using a few key actions. An administrator can leverage the Workspace ONE UEM Console to create, sync, or enable a file repository. After configuration, this content deploys to end-user devices with Workspace ONE Content. Access to content can be either read-only or read-write.
VMware Unified Access Gateway: Virtual appliance that provides secure edge services and allows external access to internal resources. Unified Access Gateway provides:
- Workspace ONE UEM Per-App Tunnels and the Tunnel Proxy to allow mobile applications secure access to internal services
- Access from Workspace ONE Content to internal file shares or SharePoint repositories by running the Content Gateway service
- Reverse proxying of Web servers
- SSO access to on-premises legacy Web applications by identity bridging from SAML or certificates to Kerberos
- Secure external access to Horizon 7 desktops and applications
I hope it has been useful to you. In the next blog we will see Workspace ONE UEM Deployment. See you next time!