Introducing Workspace ONE
VMware is proud to announce Workspace ONE, the simple and secure enterprise platform that delivers and manages any app on any device by integrating identity, application, and enterprise mobility management. The introduction of Workspace ONE is the result of over two years of planning and well over a billion dollars in investment both organically and inorganically. This investment includes the market-leading enterprise mobility management (EMM) from VMware AirWatch, the recently introduced VMware Identity Manager and the new cloud management service in VMware Horizon Air. While these products have been and will continue to be developed and sold individually, there has been an even greater ongoing effort to both integrate common services and innovate by creating net-new functionality, packaging and purchasing flexibility.
Why Workspace ONE, and Why Now?
The concept of a digital workspace isn’t new. Most customers we speak to can imagine a new way of offering services to employees. They already question how much equipment they should need to buy for an employee and how to more efficiently on-board new employees. They already see the gaps in their security when lines of business contract with third-party SaaS providers and then lose accountability for access controls. It is clear that there are opportunities for a simple mobile app to transform a business process, and yet what remains unbelievable to most business-minded people is just how long it takes to roll out a new business application across an enterprise. The digital workspace is a logical reaction to external consumer-driven technology forces acting upon enterprises that bring both opportunities and threats. Let’s take a closer look at these forces.
Books could be written on the changes happening across the enterprise workforce. From digitizing field and remote employees to alternative workplaces, flexible work arrangements and globalization, the locations where people work increasingly put people and their devices outside the traditional physical network, where traditional security measures can no longer secure information.
What is also clear is that successful companies rely not just on the quality of their employees, but, more importantly, on engagement. More important than mere productivity, engagement is about harnessing the creative power of employees. Whether it be a retail store associate refining a display for a better customer experience based on real-time interaction or putting 3D component documentation in the hands of a mobile diesel mechanic in the middle of a remote oil field, the opportunities are endless. Of course, this also means that delivering and securing the apps and data for these digital employees is more problematic than ever.
Beyond these opportunities for engagement is also a demographic and cultural change in the workforce. The average time an employee spends with one company continues to drop. In many cases, workers prefer not to work for any one company, but rather stay “mobile,” working from project to project or season to season. These contingent or seasonal employees are in many cases no less important to the success of an organization. IT organizations are once again challenged to get employees empowered to be productive from the very first day.
It seems that only a few short years ago, many of us were convinced that the only “app” we would ever need in the near future was a browser. Increasingly new cloud-based services were developed that only needed a browser for access, and many internal applications were headed for HTML, as well., The rationale made sense: a ubiquitous network, plenty of flexibility, changes could be made quickly and no information needed to be cached on the device. This changed, however, with the rise of the mobile operating system (OS). The more we use mobile devices, the more pressure there is to have instant access to information. Caching data in apps improves performance, but then opens a security risk if the device is stolen or compromised. The most successful mobile apps have access to OS-specific APIs that give access to sensors (GPS location, accelerometers, cameras/scanners, biometric and other device services) that can be critical for enabling new business workflows. As a result, the device OS matters, and it is at least a three-platform world between Apple iOS/Mac, Google Android/Chrome and Microsoft Windows. A digital workspace strategy must support the security, delivery and lifecycle management of these new apps, as well as thousands of existing web and Windows apps across device platforms.
The last big force is devices. Just over the past year, we’ve seen some pretty amazing things happen among devices. Windows 10 emerged as a mobile operating system that can work across form factors. Apple released an iPad Pro with a keyboard, and Google announced that Chrome OS and Android will combine, effectively bringing Android and its Google Play Store to laptops. While form factor convergence is part of the story, these changes also reflect the success of the modern “mobile OS” where:
- User interface design between OS and device become one.
- The OS or device supplier updates the OS daily, when needed.
- New major OS versions are adopted on day one by a majority of devices.
- Management APIs are exposed for the configuration of devices.
- Device level services (sensors, security, trust) are exposed to applications.
These attributes of a mobile OS bring the opportunity to manage (or not manage) devices in a much different way than IT manages its tremendously complex fleets of laptops and desktops today.
In late 2014, VMware introduced Workspace Suite, a premium package of the AirWatch and Horizon product portfolios that allowed forward-thinking IT organizations to begin building digital workspaces of their own. Workspace ONE moves from a portfolio of products to a jointly engineered platform, where design teams and engineers defined use cases for digital workspaces and built new innovations to speed the deployment and adoption of digital workspaces. The all-new Workspace ONE is built as a cloud-first service, where continuous development is employed to bring new innovations to the cloud-based service on a weekly and monthly basis. It also supports on-premises deployments, with releases built 2-3 times a year from the same code base.
Let’s look at a few of the new Workspace ONE product innovations:
New Unified App Store
The concept of an app store or catalog is central to a digital workspace. Most employees are familiar with the idea of an app store, because they use it on their consumer devices. The concept is similar for the Workspace ONE enterprise app store, but there are a few important functions at play:
- A place (web page or app) for employees to search and find apps that they want to get access to. The catalog has a search function and a way to custom categorize apps to make
apps easy to find.
- An infrastructure for kicking off the request to entitlement workflow that would tie into existing IT service desk tools.
- A place to launch apps that they already have access to. Some of these apps may not even need to be requested, but are made available by default.
The Workspace ONE App Store aggregates entitlements to applications, regardless of where those entitlements are managed. This includes applications brokered through AirWatch from the Google, Microsoft or Apple app stores, remotely hosted Windows apps entitled through Horizon or Horizon Air, remote Citrix apps, internal web apps, packaged Windows apps and more.
Elements of the above functions have been previously available as part of Horizon, VMware Identity Manager and AirWatch, but not as a single user experience. The new Workspace One App Store was built from the ground up as a new service implemented as an API-pluggable infrastructure that aggregates app entitlements based on a common employee identity.
One Touch Mobile SSO
Workspace ONE contains the industry’s first one-touch single-sign on (SSO) for public mobile apps using the new, patent-pending Secure App Token system (SATS).
For many customers, SSO can be a confusing topic as the term can be used to describe many different experiences, all of which are supported through Workspace ONE:
Basic Active Directory Federation SSO: In the most basic use case, when an employee wants to access an app protected through Workspace ONE, the user may be prompted for their domain username and password. In this case, Workspace ONE is receiving the authentication request and authenticating the user against active directory. Even this basic form of SSO is critical, as it centralizes access policy, allows the password to be managed from one place and provides an immediate method of revoking access to an app without needing any administrative authority over the application itself.
SSO with Custom Policies: Workspace ONE can go another step further, building on simple SSO. With the Workspace ONE app installed on mobile devices or through a web browser on a laptop, a token timeout can be set for any level of policy. With these settings, a user may only need to re-authenticate once a day, once a week or longer. This provides an experience where the employee may not see a login at all for many apps throughout the day. With these controls, an enterprise may leverage stronger passwords or multi-factor authentication for initial authentication, knowing that it won’t be required too often, limiting friction with the end-user.
Device Trust Authentication: The next level of SSO is where the device itself becomes a factor of authentication to anchor an SSO experience. This is where Workspace ONE uniquely leverages its own Certificate Authority and, in the iOS case, a cloud-based Kerberos Key Distribution Service to enable a one-touch SSO experience. The app is only available to that device, and the user must still be able to unlock the device.
So What about Features Like Touch ID on iOS? Many people associate touch ID as a form of authentication for SSO, but it should be noted that touch ID only unlocks a device, taking the place of pin code entry, which is always a backup to touch ID. Workspace ONE supports pin-code entry or touch ID as another quick assurance that a device is still with its owner.
But That’s Only the Beginning: Workspace ONE is built on a powerful and extensible identity management framework designed with mobile platforms in mind. From Android to iOS and Windows 10, each OS vendor supports different techniques for establishing trust for device authentication. In the example policy set below, you can see how specific adapters are built to streamline authentication based on a variety of factors, like network range (many times internal or external, but could be Wi-Fi vs. wire, floor 5 vs. floor 6), device type, authentication method and how long to keep an authentication token active before requiring the user to re-authenticate.
Another powerful, industry-first feature is Workspace ONE ComplianceCheck conditional access. Most IDaaS (Identity as a Service) services can only leverage a few criteria for setting access policy, such as strength/type of authentication, network scope and session time. Workspace ONE can go one critical step further by implementing an API call between the AirWatch policy engine and Identity Manager to ensure that for those apps, where it is required, a device must prove compliance with security rules prior to authorizing access to an app. These policies can be leveraged regardless of the application type, as they are called at the time of authentication rather than a control inside the application itself. Controlling actions within an application using Application Management APIs is still available through the AirWatch SDK or by leveraging integrations from more than 50 ISVs who have joined the independent ACE (Application Configuration for Enterprise) consortium.
- OS / patch level, ensuring a device is patched beyond a known vulnerability or restricted to a particular OS;
- If the device is “managed,” so that it can be wiped of sensitive information;
- If the device has been jailbroken or rooted;
- If the device is within or outside a specific geography, something as simple as “a 10-mile radius of a hospital” or “deny if detected in a foreign country;” or
- If particular non-authorized apps are present, like an unmanaged Dropbox app that could lead to data loss.
This combination of user-based identity rules with fine-grained device policy rules permit the creation and enforcement of pragmatic policies that reduce the risk of unauthorized access and data loss, while granting users friction-free access to most apps and data on a daily basis.
Enterprise Integrations for Secure Email and Chat
The final area of innovation is around enterprise integrations in email, chat and content. While application delivery and access controls are at the heart of Workspace ONE, consumer simplicity and enterprise security require that information be available wherever it is needed and that action can be taken from anywhere.
VMware Workspace ONE includes email, calendar, content and chat that employees want to use, while invisible security measures protect the organization from data leakage by restricting how attachments and files can be edited and shared. Far from a “walled garden,” team chat, enterprise discussions, Q&A, content access and other social tools allow employees to work collaboratively in real time and can be integrated into the apps and tools they already use—moving from productivity to real employee engagement.
The image below is captured from the new inbox client recently acquired from Boxer. It includes popular consumer-style integrations, like Evernote and Sanebox.
However, not all communication is destined for email. Increasingly, group chat has become a powerful tool for integrating people and processes, particularly when those chat streams can be integrated and recorded within both integral and cloud-based enterprise systems of record. In the example here, an Atlassian Jira requirements repository is integrated with the Workspace ONE chat app, powered by the Socialcast messaging engine, permitting real-time visibility and communication across a team of developers. This same integration can be easily built for any internal web-application with WYSIWIG integration tools, and two-way integrations continue to be built with third-party SaaS services, such as GitHub and Jenkins, for DevOps teams across any industry.
Experience Workspace ONE
To get started on your digital workspace journey, reach out to your local VMware partner or sales representative, who will be able to set you up with a digital workspace demo experience that you can try on your own. You can also visit the solution web page at http://www.vmware.com/products/workspace-one/.