A while back, Jack and I were on the phone with our publisher talking about the things we were going to focus on for the foreseeable future. This was just after VMworld, so one of the things on the top of our minds was VMware Workspace ONE. When she asked us to explain exactly what it was, we had trouble coming up with something concise. What came out sounded more like "Well it does this…and it does that…oh, and it does that…plus it also does this other thing," and so on.
Last week, Jack and I spent some quality time at VMware's Atlanta office talking to the AirWatch team specifically about Workspace ONE, and one of our goals was to finally be able to articulate what Workspace ONE is. At long last, I think we've got it:
VMware Workspace ONE combines a catalog of apps and services with a layer of identity and, if needed, a layer of device management.
The "if needed" part is interesting, because while I may focus on endpoint management, Workspace ONE still has value simply as a workspace platform that uses VMware Identity Manager to facilitate logins to various services. It's effectively middleware that lets you set up connections between identity, storage, and application services. If you already use another IDaaS, you can use that instead of VMware's platform. In fact, that's the point: one platform tying it all together.
Still, the endpoint management element of this is the most exciting to me, and there is a lot of information to share that will have to wait for future articles, but it's worth spending a little time with it now.
It's becoming clear that Microsoft is putting the bulk of its endpoint management efforts behind modern management, which we've written about recently with the introduction to Co-Management that we got at Ignite this past September (my article, Jack's article). VMware is, at least for the time being, ahead of Microsoft in many respects, including the messaging they're communicating to the public.
While I am a fan modern management, I have had some unresolved issues with migrating there from a traditionally-managed environment. The issues revolve around domain-based resources like printing, file shares, group policies, and software distribution (both apps and updates). For the most part, VMware has an answer for each of these.
- Machines managed with Workspace ONE can be joined to a domain (even as part of the out-of-box experience, or OOBE, with a new machine), so those machines can still access domain-based resources.
- For companies that have moved to an EFSS platform and no longer have file shares in the classic sense, but still rely on print servers, Windows Server 2016 includes a cloud printing feature that's tied to Azure AD. There are third-party vendors that can address this, too.
- Group policies are supported and applied as native local policies on the endpoints, meaning things like custom GPOs and GP Preferences are supported.
- Software distribution for both application packages and Windows Update, which is normally taken care of with things like SCCM and WSUS, can now be done with VMware's peer-to-peer software distribution technology, which they have because of their partnership with Adaptiva. In addition to the peer-to-peer architecture, VMware also has a cloud-based Content Delivery Network (CDN) that they use to add more flexibility to software deployments. (This is worthy of an article all by itself.)
While addressing these, VMware has also put a lot of work into the on-boarding process for new machines. They've partnered with Dell to include the AirWatch agent on new machines, meaning the OOBE will automatically connect you to your company's management system (this is an AirWatch feature, but it's also part of Workspace ONE). You can build custom provisioning packages that remove bloatware, install applications, and so on, before the user sees a desktop. If your machine needs to be domain-joined, it can also configure and connect to a VPN before beginning the domain-joining process.
On the Mac side, VMware intends to add in all the same features as they have for Windows, at least as far as the management UI goes. Understandably, there are differences behind the scenes, both in terms of how OS X works and how people are used to managing Macs. VMware appears to still be learning, but they're listening to customers and adding integration with Munki, Puppet, and Chef as needed.
Overall, the Workspace ONE platform supports MDM, scripting, DEP, bootstrap package deployment, asset and compliance tracking, OS update management, PKI integrations, and centralized policies.
While it may not yet be a JAMF replacement, that is certainly the goal. JAMF, known for years as the go-to management platform that also supports imaging, is facing challenges due to changes in OS X that all but remove the ability to image an OS, so MDM-based solutions like AirWatch and Workspace ONE, which handle on-boarding and provisioning in a modern way using DEP and bootstrap package deployment, are clearly the management strategy of the future. JAMF is heading this direction, too, but the playing field is more level now than ever before.
So much more!
Again, there is more detail to get into here that is best left to other articles, but the idea is that VMware is trying to use modern management to get your users up and running as fast as possible with no image maintenance and as little software installation time as possible. While software is being installed, Workspace ONE can even provide users with alternative ways to access the apps until they're ready to go locally, for example, connecting users to OWA while Outlook is installing, or to other apps via Horizon/Frame until they're installed locally.
In future articles, we'll cover other features like OS build management, patch management, application support, device inventory, security, how this applies to desktop virtualization, and more. Plus Jack will cover what we learned about Android and iOS management. (They geeked out on this. I followed along for a while, but I'm going to stay in my lane and let Jack explain). For now, I'm simply happy that we have a more concise definition of what VMware Workspace ONE is. During our VMworld 2017 wrap-up podcast, Jack and I went a little "fanboy" on the entire concept, and after these meetings with VMware, they did nothing to change our minds. This is cool stuff, and you should pay attention to everything happening with modern management so that you're ready when the time is right.