(Note from Jack: We’ve updated this this article to keep it current. So rest assured that as of 2019, this is still the definitive explanation of VMware Workspace ONE.)
A while back, Jack and I were on the phone with our publisher talking about the things we were going to focus on for the foreseeable future. This was just after VMworld, so one of the things on the top of our minds was VMware Workspace ONE. When she asked us to explain exactly what it was, we had trouble coming up with something concise. What came out sounded more like "Well it does this…and it does that…oh, and it does that…plus it also does this other thing," and so on.
Since then, Jack and I spent some quality time at VMware's Atlanta office talking to the AirWatch team specifically about Workspace ONE, and one of our goals was to finally be able to articulate what Workspace ONE is. At long last, I think we've got it:
VMware Workspace ONE combines a catalog of apps and services with a layer of identity and, if needed, a layer of device management.
The "if needed" part is interesting, because while I may focus on endpoint management, Workspace ONE still has value simply as a workspace platform that uses VMware Identity Manager to facilitate logins to various services. It's effectively middleware that lets you set up connections between identity, storage, and application services. If you already use another IDaaS, you can use that instead of VMware's platform. In fact, that's the point: one platform tying it all together.
Still, the endpoint management element of this is the most exciting to me, and there is a lot of information to share that will have to wait for future articles, but it's worth spending a little time with it now.
Windows 10 modern management
It's becoming clear that Microsoft is putting the bulk of its endpoint management efforts behind modern management, which we've written about recently with the introduction to co-management that we got at Ignite in September 2017. (See Jack’s article on how SCCM/MDM co-management works and my article on what it means for AirWatch and MobileIron.) VMware is, at least for the time being, ahead of Microsoft in many respects, including the messaging they're communicating to the public.
While I am a fan modern management, I have had some unresolved issues with migrating there from a traditionally managed environment. The issues revolve around domain-based resources like printing, file shares, group policies, and software distribution (both apps and updates). For the most part, VMware has an answer for each of these:
- Machines managed with Workspace ONE can be joined to a domain (even as part of the out-of-box experience, or OOBE, with a new machine), so those machines can still access domain-based resources.
- For companies that have moved to an EFSS platform and no longer have file shares in the classic sense, but still rely on print servers, Windows Server 2016 includes a cloud printing feature that's tied to Azure AD. There are third-party vendors that can address this, too.
- Group policies are supported and applied as native local policies on the endpoints, meaning things like custom GPOs and GP Preferences are supported.
- Software distribution for both application packages and Windows Update, which is normally taken care of with things like SCCM and WSUS, can now be done with VMware's peer-to-peer software distribution technology, which they have because of their partnership with Adaptiva. In addition to the peer-to-peer architecture, VMware also has a cloud-based Content Delivery Network (CDN) that they use to add more flexibility to software deployments. (This is worthy of an article all by itself.)
While addressing these, VMware has also put a lot of work into the on-boarding process for new machines. They've partnered with Dell to include the AirWatch agent on new machines, meaning the OOBE will automatically connect you to your company's management system (this is an AirWatch feature, but it's also part of Workspace ONE). You can build custom provisioning packages that remove bloatware, install applications, and so on, before the user sees a desktop. If your machine needs to be domain-joined, it can also configure and connect to a VPN before beginning the domain-joining process.
(Update from Jack: More recently, we saw VMware get into the co-management space (managing desktops with SCCM and MDM at the same time) with the AirLift; and we appreciated learning about Dell provisioning for Workspace ONE.)
On the Mac side, VMware intends to add in all the same features as they have for Windows, at least as far as the management UI goes. Understandably, there are differences behind the scenes, both in terms of how macOS works and how people are used to managing Macs. VMware appears to still be learning, but they're listening to customers and adding integration with Munki, Puppet, and Chef, as needed.
Overall, the Workspace ONE platform supports MDM, scripting, DEP, bootstrap package deployment, asset and compliance tracking, OS update management, PKI integrations, and centralized policies.
While it may not yet be a JAMF replacement, that is certainly the goal. JAMF, known for years as the go-to management platform that also supports imaging, is facing challenges due to changes in macOS that all but remove the ability to image an OS, so MDM-based solutions like AirWatch and Workspace ONE, which handle onboarding and provisioning in a modern way using DEP and bootstrap package deployment, are clearly the management strategy of the future. JAMF is heading this direction, too, but the playing field is more level now than ever before.
What else does Workspace ONE do?
Again, there is more detail to get into here that is best left to other articles, but the idea is that VMware is trying to use modern management to get your users up and running as fast as possible with no image maintenance and as little software installation time as possible. While software is being installed, Workspace ONE can even provide users with alternative ways to access the apps until they're ready to go locally, for example, connecting users to OWA while Outlook is installing, or to other apps via Horizon until they're installed locally.
During our VMworld 2017 wrap-up podcast, Jack and I went a little "fanboy" on the entire concept, and after these meetings with VMware, they did nothing to change our minds. This is cool stuff, and you should pay attention to everything happening with modern management so that you're ready when the time is right. For now, I'm simply happy that we have a more concise definition of what VMware Workspace ONE is.
More Workspace ONE resources (2019 update)
Jack here again! What has been added to Workspace ONE since we first published this article? Without a doubt, the most important development is Workspace ONE Intelligence, which was announced at VMworld 2017 and became available in March 2018.
“Intelligence” is essentially the marketing name for the the policy engine behind Workspace ONE. With all the information coming in from endpoints and other sources, Intelligence provides modern ways to store, access, and analyze the data, and use it to create automated management and remediation policies. To go along with this, VMware has a partner integration program called Workspace ONE Trust Network.
In late 2018, VMware rolled out the Workspace ONE Intelligent Hub. This is the latest version of the Android and iOS clients, and combines features of the Workspace ONE app and the old AirWatch agent app into a single unified app. It also includes some Workspace ONE Mobile Flows capabilities.