What is Workspace ONE Unified Endpoint Management (UEM)? 

Launched two years ago, Workspace ONE is built on VMware AirWatch and extends its management capability beyond mobile devices (iOS, Android, Windows Phone) to desktop (Windows 10, macOS, ChromeOS). 

In addition, this digital workspace supports any application (e.g., internal web apps, SaaS apps, native public mobile apps, internally developed mobile apps, modern Windows apps, legacy Windows apps, virtualized desktops) from a unified app catalog. The unified app catalog is called the Intelligent Hub (formerly AirWatch Agent) and is what is presented on the end-user’s device.

Why Workspace ONE and VMware Identity Manager (VIDM)? 

There are many mobile apps that are available publicly (e.g., via the Apple or Google stores), connect to the cloud, and currently sit behind your organization’s Single Sign-On (SSO) provider. These are productivity apps such as Box, Slack, Salesforce, and of course the Office apps (Outlook, Word, OneDrive, etc.), to name but a few. Although Mobile Device Management/Enterprise Mobility Management (MDM/EMM) providers have been able to use their app catalog to distribute these publicly available apps (as well as in-house apps) and enforce security controls on them, the devices must first be managed. Even with this management framework in place, an app on a non-managed BYOD device that only asks for the employee’s SSO credentials could still reach the company’s corporate data.

VIDM lets the application itself determine whether security controls are required and whether device posture must be checked before the user is allowed to access the application on the device. VIDM can act as a standalone federated identity provider (IdP). It can also integrate with existing IdP and SSO solutions as a federated IdP or as a service provider (SP).

Organizations that federate a third-party IdP or SP, instead of using VIDM as their IdP, typically do so because they already have a third-party IdP or SP in place as the authentication authority for their applications. Users are already familiar with that SSO, so they do not need to remember additional IDs and passwords when gaining the benefits of Workspace ONE UEM/VIDM.

With a third-party IdP or SP federated, mobile users are directed to Workspace ONE to authenticate; policies then map data from the returned SAML assertion into an outgoing SAML assertion for the SaaS application.

This is achieved without altering the SSO that employees are currently used to. Moreover, the current SSO experience can be improved by leveraging the Mobile SSO certificate from Workspace ONE UEM. Workspace ONE acts as a Certificate Authority, and VIDM acts as a Key Distribution Center (KDC). 
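The federation step described above, reduced to its attribute-mapping core, as an added illustration that is not VMware code and not the product’s own implementation: an inbound SAML assertion returned by the third-party IdP is parsed, its issuer, audience and validity window are checked, and only the attributes named in a mapping policy are copied into a new assertion issued to the SaaS application. The issuer and audience URLs, the attribute names and the mapping table are all constructed placeholders; XML signature verification of the inbound assertion and signing of the outgoing one are performed by the real IdP and are only noted in comments here.

```python
"""Illustrative SAML attribute mapping for a federated IdP chain (constructed example)."""
from __future__ import annotations

import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ET.register_namespace("saml", SAML_NS)


def tag(name: str) -> str:
    """Namespace-qualify a SAML element name for ElementTree."""
    return f"{{{SAML_NS}}}{name}"


# Constructed inbound assertion as a third-party IdP might return it.
# Hypothetical URLs; the ds:Signature element is deliberately omitted.
INBOUND_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_in-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jdoe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://ws1.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeId"><saml:AttributeValue>E-4471</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>sales</saml:AttributeValue><saml:AttributeValue>vpn-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Mapping policy (constructed): outgoing attribute name -> inbound attribute name.
# Attributes not listed (employeeId above) are never forwarded to the SaaS app.
SAAS_MAPPING = {"User.Email": "mail", "User.DisplayName": "displayName", "User.Groups": "memberOf"}

DEMO_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)  # inside the window above


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str) -> dict:
    """Pull issuer, subject, conditions and attributes out of a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != tag("Assertion"):
        raise ValueError("not a SAML 2.0 Assertion")
    cond = root.find(tag("Conditions"))
    attrs = {a.get("Name"): [v.text or "" for v in a.findall(tag("AttributeValue"))]
             for a in root.iter(tag("Attribute"))}
    return {
        "issuer": root.findtext(tag("Issuer")),
        "name_id": root.findtext(f"{tag('Subject')}/{tag('NameID')}"),
        "audience": cond.findtext(f"{tag('AudienceRestriction')}/{tag('Audience')}"),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "attributes": attrs,
    }


def validate(a: dict, expected_issuer: str, expected_audience: str, now: datetime) -> None:
    """Checks this example can show; the real IdP must also verify the XML signature first."""
    if a["issuer"] != expected_issuer:
        raise ValueError(f"unexpected issuer {a['issuer']!r}")
    if a["audience"] != expected_audience:
        raise ValueError("assertion was not issued for this service provider")
    if not (a["not_before"] <= now < a["not_on_or_after"]):
        raise ValueError("assertion outside its validity window")


def map_attributes(a: dict, mapping: dict[str, str]) -> dict[str, list[str]]:
    """Allow-list projection: only mapped attributes survive, under their outgoing names."""
    return {out: list(a["attributes"][src]) for out, src in mapping.items() if src in a["attributes"]}


def build_outgoing_assertion(a: dict, mapping: dict[str, str], issuer: str, audience: str,
                             now: datetime, lifetime: timedelta = timedelta(minutes=5)) -> str:
    """Issue a fresh assertion for the SaaS app (unsigned here; the real IdP signs it)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    root = ET.Element(tag("Assertion"), ID=f"_{uuid.uuid4().hex}", Version="2.0",
                      IssueInstant=now.strftime(fmt))
    ET.SubElement(root, tag("Issuer")).text = issuer
    ET.SubElement(ET.SubElement(root, tag("Subject")), tag("NameID"), Format=EMAIL_FORMAT).text = a["name_id"]
    cond = ET.SubElement(root, tag("Conditions"), NotBefore=now.strftime(fmt),
                         NotOnOrAfter=(now + lifetime).strftime(fmt))
    ET.SubElement(ET.SubElement(cond, tag("AudienceRestriction")), tag("Audience")).text = audience
    stmt = ET.SubElement(root, tag("AttributeStatement"))
    for name, values in map_attributes(a, mapping).items():
        attr = ET.SubElement(stmt, tag("Attribute"), Name=name)
        for value in values:
            ET.SubElement(attr, tag("AttributeValue")).text = value
    return ET.tostring(root, encoding="unicode")


def federate(inbound_xml: str, now: datetime) -> str:
    """Full hop: validate the IdP's assertion, then mint one for the SaaS app."""
    a = parse_assertion(inbound_xml)
    validate(a, "https://idp.example.com", "https://ws1.example.com", now)
    return build_outgoing_assertion(a, SAAS_MAPPING, "https://ws1.example.com", "https://saas.example.com", now)


if __name__ == "__main__":
    print(federate(INBOUND_ASSERTION, DEMO_NOW))
```

The allow-list shape of `map_attributes` is the point worth copying: the SaaS application receives exactly the attributes the policy names and nothing else the upstream IdP happened to include, and `validate` refuses assertions that were issued for a different audience or have expired, so a token captured for one service cannot be replayed into the chain.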

Summary of Benefits of Workspace ONE UEM

There are some very interesting new capabilities of VIDM, which is part of the Workspace ONE platform, that enable companies to streamline how apps are offered while striking an important balance between end-user experience and security. 

  1. Self Service – By leveraging the unified app catalog available via VMware’s Intelligent Hub, any application can be accessed by the end-user irrespective of the device they are connecting from. Being able to access all of your apps from a unified app catalog is in itself a big benefit, but VIDM additionally lets users authenticate to these apps easily. For example, it can be as easy as One-Touch Mobile SSO, which is certificate-based and does not require the user to enter a password, and this experience can be consistent on any device, from browser to native mobile app. The Hub app, the gateway to all of your applications, can be set up for SSO authentication. Accessing the Hub app catalog does not require mobile device management (MDM), so a device management profile does not need to be installed on the device. Instead, the applications distributed within the Hub app catalog determine whether device management is required (see “Adaptive Authentication” below).

  2. Adaptive Authentication – Instead of the old model of requiring MDM before the user can even access the apps in the company app catalog, the app itself determines the MDM requirement, which is a better balance of end-user experience and security. For example, when the user initiates the download of an application that holds restricted or confidential corporate data (e.g., email, collaboration or file storage), whether from the Hub app catalog or from the public app store (e.g., the Apple App Store), the user will first be required to enroll her/his device in Workspace ONE. Restricting such apps to managed devices ensures that basic device security controls such as jailbreak detection, minimum OS version, and iOS application policies for sharing data from company apps to personal apps are enforced. Other applications (e.g., expenses or travel) may not require this level of security and can be accessed on an unmanaged device while still benefiting from SSO.

  3. Flexibility – Part of the flexibility this platform offers is conditional access decided at the app level (as discussed above). Another part is that the administrator can chain policies together per application. For example, an app-level policy can enforce different authentication strengths (One-Touch Mobile SSO or multi-factor authentication) depending on whether the device is on-network and managed. For an app requiring a high level of security, such as Outlook, which contains sensitive corporate data, the device would have to be managed by Workspace ONE and MFA would be required (i.e., the Mobile SSO certificate plus a username/password prompt). If the device is not managed, access to Outlook would be denied. If the user is instead accessing an app with a lower security posture, such as an app for managing company travel, the device does not need to be managed and a single factor of authentication via SSO would suffice.

How to use Workspace ONE to securely manage Microsoft Office 365

Companies can provide the best end-user experience while securing corporate Office data by leveraging the best of the Workspace ONE platform and Microsoft’s platform while ensuring that an employee’s personal Office data remains unaffected. 

  • Identity and Device Posture: Leverage VIDM to integrate with your third-party IdP so that the Office apps determine the security controls required upon authentication (e.g., OS version, managed, jailbroken, inactive, blacklisted apps), regardless of where the user downloads and installs the app from (e.g., Apple App Store versus Hub app catalog).

  • Identity and User Authentication: Leverage VIDM to determine the authentication strength (certificate versus MFA) and the network scope (where the user is attempting to authenticate from) for employees authenticating to Office apps. For example, for employees authenticating to Office apps on managed devices, the authentication experience can be simplified by pushing the Mobile SSO certificate to those devices. The certificate can replace passwords required by the third-party IdP when the employee authenticates to the Office app. If MFA is a requirement, then the first factor would be the Mobile SSO certificate (from VIDM), and the second factor would be via the third-party IdP (in-app swipe or SMS). 

  • Application Policies: Leverage both Intune App Protection Policies and Workspace ONE app-level policies to ensure that employees can use all company apps, Office and non-Office apps alike, together (e.g., opening an email attachment in Outlook and sharing it with other users in Box or Slack) while preventing corporate data loss.
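The policy chain described under “Adaptive Authentication” and “Flexibility” above, and again in the Office 365 bullets on device posture and authentication strength, as an added worked example that is not VMware code and not the product’s policy engine: the app’s sensitivity decides whether enrollment is required, the device’s posture is checked against the controls the text lists (minimum OS, jailbreak, inactivity, blacklisted apps), and network location selects certificate-only Mobile SSO or certificate plus a second factor from the IdP. The app names, OS floors, inactivity threshold, blacklisted bundle id and factor labels are constructed placeholders.

```python
"""Illustrative app-level conditional access evaluation (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass

# Placeholder policy data; a real deployment reads these from the console.
APP_SENSITIVITY = {"Outlook": "high", "OneDrive": "high", "Box": "high",
                   "Travel": "low", "Expenses": "low"}
MIN_OS_VERSION = {"iOS": (16, 0), "Android": (13, 0)}
BLACKLISTED_APPS = frozenset({"com.example.screen-recorder"})  # placeholder bundle id
MAX_DAYS_WITHOUT_CHECKIN = 14


@dataclass(frozen=True)
class DevicePosture:
    managed: bool
    os_name: str
    os_version: tuple[int, ...]
    jailbroken: bool = False
    days_since_checkin: int = 0
    installed_apps: frozenset[str] = frozenset()


@dataclass(frozen=True)
class AccessRequest:
    app: str
    on_corporate_network: bool
    device: DevicePosture


@dataclass(frozen=True)
class Decision:
    allowed: bool
    factors: tuple[str, ...] = ()
    reason: str = ""


def posture_violations(d: DevicePosture) -> list[str]:
    """Posture checks that only an enrolled device can report reliably."""
    problems = []
    if d.jailbroken:
        problems.append("jailbroken")
    if d.os_version < MIN_OS_VERSION.get(d.os_name, (0,)):
        problems.append("os_below_minimum")
    if d.days_since_checkin > MAX_DAYS_WITHOUT_CHECKIN:
        problems.append("inactive")
    if d.installed_apps & BLACKLISTED_APPS:
        problems.append("blacklisted_app")
    return problems


def evaluate(req: AccessRequest) -> Decision:
    """Chain: app sensitivity -> enrollment requirement -> posture -> auth strength."""
    sensitivity = APP_SENSITIVITY.get(req.app, "high")  # unknown apps fail closed
    d = req.device

    if sensitivity == "low":
        # Never forces enrollment; a clean managed device still gets the
        # passwordless certificate experience, anything else falls back to SSO password.
        cert_ok = d.managed and not posture_violations(d)
        return Decision(True, ("mobile_sso_certificate" if cert_ok else "password_sso",), "low sensitivity")

    if not d.managed:
        return Decision(False, reason="device must be enrolled in Workspace ONE")
    violations = posture_violations(d)
    if violations:
        return Decision(False, reason="posture: " + ", ".join(violations))
    if req.on_corporate_network:
        return Decision(True, ("mobile_sso_certificate",), "managed, on-network")
    return Decision(True, ("mobile_sso_certificate", "idp_second_factor"), "managed, off-network")


if __name__ == "__main__":
    clean = DevicePosture(managed=True, os_name="iOS", os_version=(17, 1))
    byod = DevicePosture(managed=False, os_name="iOS", os_version=(17, 1))
    for req in (AccessRequest("Outlook", True, clean), AccessRequest("Outlook", False, clean),
                AccessRequest("Outlook", True, byod), AccessRequest("Travel", False, byod)):
        print(req.app, "managed" if req.device.managed else "BYOD", evaluate(req))
```

Two design choices carry the security weight: an app missing from the sensitivity table is treated as high sensitivity rather than low, so a forgotten entry cannot silently downgrade a control, and posture failures on a managed device deny access outright instead of falling back to a weaker factor, which mirrors the text’s statement that Outlook is denied rather than merely challenged when the device does not meet the bar.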

For more detailed information on implementation, see Using Workspace ONE with Office 365.