2016-07-14



Last month, VMware announced some great new innovations in Workspace ONE. This blog provides more details on how Workspace ONE helps IT roll out bring-your-own-device (BYOD) programs, secure enterprise data and protect employee privacy.



With simplified onboarding, a unified app catalog and true mobile single sign-on (SSO), Workspace ONE provides a consistent user experience across any device (phones, tablets, laptops and desktops) and any app (native, cloud, SaaS, web and hybrid).

Evolution of the Enterprise Security Perimeter

Network: In the legacy desktop era, enterprises managed the security perimeter at the edge of the network because corporate data stayed behind the firewalls.

Device: With laptops and mobile devices, users left the building with data on those devices, so the security perimeter shifted to the device.

Apps: When employees started bringing personal devices to work, the BYOD revolution caused the perimeter to shift to apps.

Content: As employees started sharing files and data with customers and business partners, the control point shifted to the file or the piece of data itself.

Identity: And now, as users are walking through the front doors with many devices demanding consumer-simple experiences, the most common denominator is the user’s identity.

Our identity-defined workspace, Workspace ONE, provides a multi-tiered security model that can provide security across one or all of these layers to support corporate-owned and BYOD use cases.



Stand-Alone MAM vs. OS MAM

Today, a lot of our customers use VMware AirWatch mobile device management (MDM) on corporate-owned devices and mobile app management (MAM) on employee-owned devices (BYOD). There are two types of MAM: stand-alone MAM and operating system (OS) MAM. With Workspace ONE powered by AirWatch, companies can use stand-alone MAM and/or OS MAM.

Stand-alone MAM is the use of a proprietary container to secure and protect business apps and data. Business and personal data are separated using app containers, and data loss prevention (DLP) features are built into the app. It requires that the app is built with the AirWatch Software Development Kit (SDK) or App Wrapping technology.

OS MAM is the use of native OS frameworks to manage just the apps and data on the device using a workspace profile. The OS layer separates business and personal data on the device. With iOS Managed Apps framework and Android for Work framework, IT can ensure that the business data can only flow between enterprise-approved apps to prevent data leakage.

As Apple and Google have started integrating security and DLP features in the iOS and Android platforms, respectively, more enterprises are taking advantage of the OS MAM features to provide access to a large ecosystem of independent software vendor (ISV) apps. One of the major advantages of using OS MAM is that enterprises can securely enable all the native apps in the public app stores, as opposed to a limited set of apps available with stand-alone MAM via proprietary containers.


Boost BYOD Adoption with Adaptive Management Technology

Ultimately, Workspace ONE helps you turbocharge BYOD adoption with a simpler user onboarding experience, intelligent access, privacy guard and adoption kit.

Our new adaptive management technology in Workspace ONE allows companies to seamlessly take advantage of both stand-alone MAM and OS MAM. IT administrators can roll out web apps that do not contain any sensitive information, as well as containerized apps (built with stand-alone MAM) without requiring a profile on the device.

Using the centralized console, IT admins can define access rules to ensure that apps containing sensitive data are locked and require a workspace profile. The rules for determining locked apps can be based on the security and sensitivity of app data and the posture of the device. When a user tries to open a locked app, adaptive management technology dynamically adds a workspace profile based on access rules. The workspace profile takes advantage of a special OS permission model without managing the device. For instance, IT can use OS MAM to wipe business apps and data off the device, but IT does not have permission to wipe personal apps or pictures. IT cannot see the user’s personal apps on the device.

Our Privacy First initiative helps educate end users and provides them with privacy controls via an app. IT can roll out the Privacy app to the user’s device so the user can dynamically see the policies applied on their device. Our microsite, What Is AirWatch?, is built to help educate users on the privacy built into our platform. Adaptive management technology combined with our Privacy First Program addresses the privacy concerns that made users uncomfortable with BYOD programs.


Users can start using a set of mobile apps for employee productivity. The choice to enroll in a profile is presented at the time the user wants to be productive, so the conversation shifts from “management” to “business value.” IT controls the access rules engine. In most cases, apps with built-in security (e.g. VMware Boxer, AirWatch Browser or AirWatch Content Locker) or non-sensitive data at rest (e.g. WebEx) are activated for all users.

To help you drive internal awareness, education and adoption of your BYOD program, we introduced the new BYOD Adoption Campaign Kit. The turnkey campaign-in-a-box includes templates, best practices and guides for BYOD planning, communication, education, promotion and support. The new adaptive management technology, AirWatch Privacy First, conditional access and BYOD Adoption Kit can help you turbocharge BYOD adoption with Workspace ONE.


Workspace ONE Apps Suite: Productivity for Users, Security for IT

The Workspace ONE apps suite provides a seamless and integrated app experience, giving users instant access to corporate email, calendar, contacts, files, browser, social and chat. With built-in security, these apps can help boost employee productivity, while upholding security and compliance standards.

Enterprises can use Office 365 Exchange, SharePoint and OneDrive for Business on premises or in the cloud, with Active Directory (AD) in the cloud, on premises or federated using ADFS. For mobile content management (MCM), Content Locker supports over 30 enterprise content management (ECM) repositories, including SharePoint, OneDrive for Business, Box, Documentum, File Shares, Open Text, Google Drive, etc. Policy controls in the AirWatch admin console allow IT to enable or disable specific repositories.

These apps encourage engaging business workflows during mobile micro-moments. For instance, some industry statistics show that an average user takes out their phone approximately 150 times a day and each instance lasts less than 90 seconds. The Workspace ONE suite of productivity apps is designed to make the user more productive during these micro-moments. Users can quickly unlock the apps using Apple Touch ID support.

In another micro-moment, you may want to edit an Excel spreadsheet on an iPad. This file may reside in SharePoint, the network drive, Box, OneDrive for Business, Documentum or another repository. You can easily open the file from the Excel app itself, and edits are directly saved back in the repository of record. As shown in the enclosed video, the content extensions framework supported by Content Locker makes it easier for users to share files within approved business apps.


The iOS Boxer app is now available in stand-alone MAM mode with Workspace ONE. The containerized app has built-in security and DLP controls. IT organizations can now take advantage of certificate-based authentication to allow seamless setup of users’ mailboxes. Boxer offers over 30 advanced features, including combined mailbox, inline editing, quick replies and send availability. Watch the video to see how Boxer can make users more productive during mobile micro-moments.


AirWatch Browser added a modern bookmarks screen to help users quickly navigate to the right resources. The browser enables IT administrators to push bookmarks and allows users to add their own bookmarks. Users now have fast access to internal and external web resources without requiring a VPN connection. AirWatch Browser also added support for client-side public key infrastructure (PKI) certificates, as well as secure/multipurpose internet mail extensions (S/MIME) certificates, for authenticating to internal sites and web apps. For kiosk devices, Browser can now support multiple websites locked in kiosk mode.

AirWatch Browser provides a modern user experience for tabbed browsing and bookmarks.

The latest Content Locker release further enhances DLP with malware scanning. Most enterprises have network security tools to prevent users from downloading malicious files on their desktops and laptops. With support for Internet Content Adaptation Protocol (ICAP), Content Locker now integrates with your existing proxy server. This enables content filtering, malware detection and virus detection to safeguard enterprise data when downloading files on mobile devices or uploading files to enterprise repositories. By seamlessly integrating with your existing infrastructure, Content Locker enhances mobile security without requiring additional hardware or software for customers.

Some of the popular ICAP-compliant solutions include:

RSA DLP

Symantec DLP

McAfee DLP Prevent

Websense TRITON AP-DATA

The Workspace ONE apps suite provides the most comprehensive cross-platform support in the industry. Email, calendar, contacts, browsing and content capabilities are available across iOS, Android and Windows. The apps work on Windows smartphones, as well as tablets, providing a consistent user experience for all the apps across Windows 10 devices. Each app is optimized for the form factor, so users get a custom experience on phones and tablets.

Multi-Factor Authentication


Last but not least, we launched the new VMware Verify app for multi-factor authentication. Users can now use their mobile device for two-factor authentication. When logging into corporate applications from any device, users get a push notification on smartphones and tablets (or SMS on older phones). By simply approving the access request, the identity provider immediately grants the requested access to the corporate app. VMware Verify is part of the Workspace ONE Standard, Advanced and Enterprise suites.


IT can also set conditional access policies with Workspace ONE. For instance, my corporate apps can just ask for my AD credentials when I’m trying to access an app from work. But the same app can require two-factor authentication if I’m connected to an airport or a cafe Wi-Fi access point. The intelligent access rules can be based on the user, device, app or location. With VMware NSX integration, Workspace ONE can also provide conditional access through microsegmented networks.
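The two kinds of access rule described above (locked apps that trigger a workspace profile, and step-up to two-factor authentication away from the corporate network) can be modeled as one decision function. This is an added illustration, not VMware code or the Workspace ONE API; every field name, rule value and sample request is hypothetical, and treating a non-compliant device like a locked app is an assumption.

```python
from dataclasses import dataclass

# Added illustration: a hypothetical model of the rules described in the post.
# Field names, rule values and sample data are assumptions, not the
# Workspace ONE API or console schema.

@dataclass(frozen=True)
class Request:
    user_group: str
    app: str
    network: str                 # e.g. "corporate", "cafe-wifi"
    device_compliant: bool       # device posture
    has_workspace_profile: bool  # OS MAM profile already on the device

# Apps the admin marked as locked (sensitive data, no built-in container).
LOCKED_APPS = {"crm"}            # constructed sample

# Ordered rules, first match wins; "*" matches any value.
# (user_group, app, network, authentication methods required)
AUTH_RULES = [
    ("*", "*", "corporate", ["ad_password"]),
]
# No rule matched (unknown or untrusted network): fail closed to the
# strongest requirement instead of the weakest.
DEFAULT_AUTH = ["ad_password", "second_factor"]

def required_auth(req):
    """Return the authentication methods for the first matching rule."""
    for group, app, network, methods in AUTH_RULES:
        if (group in ("*", req.user_group) and app in ("*", req.app)
                and network in ("*", req.network)):
            return list(methods)
    return list(DEFAULT_AUTH)

def decide(req):
    """Return the ordered steps a user must complete before the app opens."""
    steps = []
    # Assumption: poor device posture is handled like a locked app.
    needs_profile = req.app in LOCKED_APPS or not req.device_compliant
    if needs_profile and not req.has_workspace_profile:
        steps.append("install_workspace_profile")
    steps.extend(required_auth(req))
    return steps
```

Because the default applies whenever no rule matches, a network label the admin never anticipated gets two-factor authentication rather than password-only access.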


Illustrated is the intelligent access policy framework.

Our product teams have been hard at work this quarter. The integration of enterprise mobility management (EMM) with identity and access management (IAM) and virtual desktop infrastructure (VDI) technology has opened new doors of innovation with Workspace ONE. We are delighted to bring these new updates to our customers and end users, and look forward to your feedback. Workspace ONE features—simplified onboarding to any app on any device, one-touch SSO, conditional access and adaptive management—are truly unique in the industry.

Watch Sanjay Poonen, our general manager of End-User Computing and corporate officer, demonstrate Workspace ONE. The unified solution brings together VDI, MDM/EMM and identity management to provide a lower total cost of ownership (TCO) solution with advanced innovation, productivity benefits for end users and security benefits for IT.
