Steps to Enable a Remote Workforce with Workspace ONE – Part 1
Co-authored with Andreano Lanusse and Josue Negron. Read Steps to Enable a Remote Workforce with Workspace ONE – Part 2 here.
Given current events, many organizations are working around the clock to enable their remote workforce. This reality has caught many organizations by surprise. This blog provides guidance on how VMware can quickly help organizations enable their remote workforce with VMware Workspace ONE.
The VMware Workspace ONE platform combines powerful integration across digital workspace solutions. These key solutions enable the remote workforce without compromising security, and provide an incredible user experience. Workspace ONE is organized into four core solutions:
• Workspace ONE UEM – Provides Unified Endpoint Management across Windows, Mac, iOS and Android devices, protecting corporate applications and data.
• Workspace ONE Access – Enables the unified application catalog. This secures application access in a single place, and provides single sign-on. Additionally, it streamlines communication with all users through Hub Services.
• VMware Horizon – Allows access to remote applications and desktops, keeping all data in the datacenter.
• Carbon Black Cloud – Combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay. This cloud-native endpoint protection platform (EPP) uses a single lightweight agent and an easy-to-use console.
Step 1 – Accessing Workspace ONE in the Cloud
The immediate question is, “How do I get this solution up and running?” Organizations may have limited hardware and capacity, and most, if not all, employees must be remote. For quick access and scalability, VMware can quickly provision a full Workspace ONE Cloud environment as SaaS.
Both Workspace ONE UEM and Workspace ONE Access are hosted as SaaS, and VMware manages the infrastructure. This allows your IT team to focus on managing devices, applications, and security policies.
Additionally, organizations can use Horizon Cloud Service to manage their cloud-hosted virtual desktops and applications. For more information, visit Maintaining Business Continuity in Challenging Times – Part-1.
Step 2 – User Directory Integration and Access to Corporate Resources
To synchronize Active Directory users and groups with Workspace ONE, you must integrate the two services by installing Workspace ONE connectors on-premises. This integration unlocks secure access to applications, and conditional access. It also brings a unified catalog to the end user so they can access all applications from a single place, across all devices.
Access to corporate data hosted on-premises is another essential need as part of working remotely. Employees might need access to files, e-mails and applications that reside on the internal network. In this case, IT must enable external access for employees without compromising security.
Workspace ONE provides a security gateway appliance (Unified Access Gateway) that is deployed in the DMZ and enables secure access to those resources while ensuring every access is authenticated and comes from a device managed by the organization. A single Unified Access Gateway appliance can handle multiple use cases and thousands of users.
The Unified Application Catalog is part of Workspace ONE Intelligent Hub. It provides the seamless integration that enables employees to access their corporate applications. Additionally, support for single sign-on and multi-factor authentication (MFA) enhances security.
Step 3 – Defining Access Policies and Deploying Apps to the Remote Workforce
Workspace ONE can deliver and manage native and web applications that are integrated with security policies on the device. Additionally, Workspace ONE can enable access to remote desktops and applications that run in the data center.
Before deploying apps or defining policies for the remote workforce, you must first consider employee roles and device ownership types. Then you can plan what applications to deploy, and how to make those apps available to end users.
Users with corporate-owned devices are easy to transition into the remote workforce. On corporate-owned devices, the Workspace ONE UEM administrator has granular control of the physical device. Therefore, admins can apply security policies that secure end users' access to web and native applications.
On the other hand, UEM admins have limited control over the physical device in the BYOD scenario. In this scenario, you must strike a balance between applications on the physical device and remote desktops (VDI) and applications. With Workspace ONE, the two options can work together seamlessly, achieving the balance between employee access and IT security.
Step 4 – Onboarding Devices for the Remote Workforce
Depending on your industry or current situation, employees may or may not have a dedicated corporate device. First, you want to consider which device platforms or form factors your remote workforce requires.
Users who already work from home or own a corporate device are easy to transition. These enrolled devices reap the benefits of device management:
• Access to any app from any device
• Send real-time notifications to all employees on all their devices
• Over-the-air device configurations, policies and corporate baselines
• Visibility into your entire device fleet using custom dashboards and reporting
• Secure all endpoints with a minimum standards baseline, deploying security solutions and policies and real-time compliance checks with remediation actions
In contrast, users without a corporate device, or those who have never worked from home, require a bit more effort. For these workers, communicating tips for working remotely is the best place to start. Then, you can enable them to onboard a device of their choice (BYOD), and send them an onboarding link.
To help with this process, we have a campaign-in-a-box that includes pre-made, customizable templates, best practices and ideas to launch your own integrated campaign and start driving adoption with the Workspace ONE platform immediately.
Keep in mind there are more streamlined onboarding methods. For example:
However, these methods require some prerequisites or additional configurations.
Step 5 – Monitor Employee Experience & Provide Continuous Support
After you configure everything and begin to onboard new users and their devices, your mind might turn to support. If your support team has multiple members who are specialized, you can use admin roles (custom or pre-built). These roles ensure each admin only sees and has access to what is important to them.
End users also have the ability to self-service many of their technical needs. For example, end users can:
• Retrieve their BitLocker recovery key
• Locate a lost device
• Wipe or lock down a lost or stolen device
For users who need a higher level of assistance, consider Workspace ONE Assist. The help desk can remotely view, control, whiteboard, record, view processes, and grab logs from devices.
Admin roles, the self-service portal, and Workspace ONE Assist provide reactive support for users. However, you can also proactively support users using Workspace ONE Intelligence and supported third-party integrations. With these automated solutions, you can:
• Create custom dashboards, reports and robust automated actions
• Keep devices secure and up to date with CVE ingestion and automatic patching of devices.
• Proactively send end-users replacement laptop batteries to replace degraded batteries that cannot hold a charge.
• Leverage Sensors (custom attributes) to key your automated actions based on any values obtained from your managed devices.
Learn More About Enabling a Remote Workforce
This blog covers the high-level steps required for your remote workforce to securely work from anywhere. To learn more about this topic, check out our page on Tech Zone: Enabling Business Continuity with VMware Digital Workspace.