Workspace ONE UEM delivers the enterprise mobility management portion of the solution, allows device enrollment, and uses profiles to enforce configuration settings and management of users’ devices. It also enables a mobile application catalog to publish public and internally developed applications to end users.

Design Approach

The Workspace ONE UEM reference architecture illustrates how to architect and deliver a modern digital workspace that meets key business requirements and common use cases for the increasingly mobile workplace. Any technology solution is deployed by first defining the business drivers and identifying the use cases that need to be addressed. Each use case entails a set of requirements that must be fulfilled to satisfy both the use case and the business drivers.

Once the requirements are understood, the solutions can be defined, and blueprints outlined for the services to be delivered. This step allows us to identify and understand the products, components, and parts that need to be designed, built, and integrated.

This modular, repeatable design approach combines components and services to customize the end-user experience without requiring specific configurations for individual users. The resultant environment and services can be easily adapted to address changes in the business and use case requirements.

Cloud-Based Logical Architecture

With a cloud-based implementation, the Workspace ONE UEM software is delivered as a service. To synchronize Workspace ONE with internal resources such as Active Directory or a Certificate Authority, we use a separate cloud connector, which can be implemented using an AirWatch Cloud Connector. The separate connector can run within the internal network in an outbound-only connection mode, meaning the connector receives no incoming connections from the DMZ.

The simple implementation usually consists of:

  • A Workspace ONE UEM tenant
  • AirWatch Cloud Connector

On-Premise Logical Architecture

Workspace ONE UEM is composed of separate services that can be installed on a single server or spread across multiple servers to meet security and load requirements. Service endpoints can be placed in different security zones, with those that require external, inbound access located in a DMZ and the administrative console located in a protected, internal network, as shown in the on-premises architecture figure.

Syncing with internal resources such as Active Directory or a Certificate Authority can be achieved directly from the core components (Device Services and Admin Console) or through an AirWatch Cloud Connector. The separate connector can run within the LAN in outbound-only connection mode, meaning the connector receives no incoming connections from the DMZ. The implementation is separated into three main components:

  • Workspace ONE UEM Admin Console
  • Workspace ONE UEM Device Services
  • AirWatch Cloud Connector

The additional on-premises Workspace ONE UEM components are:

  • Database: Microsoft SQL Server database that stores Workspace ONE UEM device and environment data. All relevant application configuration data, such as profiles and compliance policies, persists in this database. Consequently, the majority of the application’s backend workload is processed here.
  • Memcached Server: A distributed data caching application that reduces the workload on the Workspace ONE UEM database. This server is intended for deployments of more than 5,000 devices.

Workspace ONE UEM Components

Workspace ONE UEM Console: Administration console used to configure policies within Workspace ONE UEM and to monitor and manage devices and the environment. This can be installed on-prem or in SaaS depending on the deployment method.

Workspace ONE UEM Device Services: Services that communicate with managed devices. Workspace ONE UEM relies on this component for:

  • Device enrollment
  • Application provisioning
  • Delivering device commands and receiving device data
  • Hosting the Workspace ONE UEM self-service catalog

This can be installed on-prem or in SaaS depending on the deployment method.

API Endpoint: Collection of RESTful APIs, provided by Workspace ONE UEM, that allows external programs to use the core product functionality by integrating Workspace ONE UEM with existing IT infrastructure and third-party applications.

Workspace ONE APIs are also used by various Workspace ONE UEM services, such as Secure Email Gateway for interactions and data gathering.
This can be installed on-prem or in SaaS depending on the deployment method.

AirWatch Cloud Connector: Component that performs directory sync and authentication against an on-premises resource such as Active Directory or a trusted Certificate Authority. This can be installed on-prem or in SaaS depending on the deployment method.

AirWatch Cloud Messaging Service (AWCM): Service used in conjunction with the AirWatch Cloud Connector to provide secure communication to backend systems. AirWatch Cloud Connector:

  • Uses AWCM to communicate with the Workspace ONE UEM Console.
  • Streamlines the delivery of messages and commands from the Workspace ONE UEM Console by eliminating the need for end users to access the public Internet or utilize consumer accounts, such as Google IDs.
  • Serves as a comprehensive substitute for Google Cloud Messaging (GCM) for Android devices and is the only option for providing MDM capabilities for Windows rugged devices. Also, Windows desktop devices that use the Workspace ONE Intelligent Hub use AWCM for real-time notifications.

This service is hosted in the cloud and is managed for you as part of the SaaS offering.

VMware Tunnel: VMware Tunnel™ provides a secure and effective method for individual applications to access corporate resources hosted in the internal network. The VMware Tunnel uses a unique X.509 certificate (delivered to enrolled devices by Workspace ONE) to authenticate and encrypt traffic from applications to the tunnel.

VMware Tunnel has two components: Proxy and Per-App VPN.

  • Proxy Component: Responsible for securing traffic from endpoint devices to internal resources through the Workspace ONE Web app and through enterprise apps that leverage the Workspace ONE SDK.
  • Per-App Tunnel Component: Enables application-level tunneling (as opposed to full device-level tunneling) for managed applications on iOS, macOS, Android, and Windows devices.

You can find information about TestDrive in the following links:

  • Register for TestDrive
  • Workspace ONE UEM Demo Walkthroughs
  • Activating Workspace ONE UEM Trial in the VMware TestDrive Demo Portal
  • Logging into the Workspace ONE UEM Console
  • Logging into and using the Workspace ONE UEM Management Console
  • Using Your Workspace ONE UEM Sandbox

Closing Note
I hope this has been useful to you. See you next time!
