Workspace ONE Unified Endpoint Management

VMware Workspace ONE now includes Baselines to enhance its FedRAMP SaaS UEM

This article was originally published at the VMware Digital Workspace Tech Zone Blog. 


We are excited to announce that Workspace ONE UEM now has an additional FedRAMP-enabled tool for keeping agencies’ Windows desktop devices secure. Workspace ONE Baselines curates industry-recommended settings into one configuration to simplify securing devices. 

With the addition of Baselines into the Workspace ONE FedRAMP environment, government customers can now leverage this secure, cloud-hosted environment while keeping their devices configured to best practices. Workspace ONE now handles this typically time-consuming process by delivering industry- and government-recommended settings in configurations called “baselines.”

These baselines significantly reduce the time it takes to set up and configure Windows devices. The baselines allow an agency admin to manage the thousands of group policy objects for Windows today, while providing enhanced integrated insights for complete visibility into an agency’s digital workspace. Admins can gain deep insights into device, user, and app postures that enable data-driven decisions across an agency’s or branch’s entire environment. 

Workspace ONE Baselines ensures policy compliance and enforcement 

Workspace ONE UEM allows admins to push configurations and group policies to managed devices. The configured policies are enforced locally, whether using MDM profiles or Workspace ONE Baselines. MDM profiles are enforced by the OMA-DM client, while baselines are enforced by the Intelligent Hub. 

Workspace ONE Baselines allows admins to keep all their devices secure with those settings and configurations. It uses a cloud-based micro-service that handles the policy catalog of settings to apply on devices. Baselines are based on GPOs and function in similar ways.

Overview of Workspace ONE Baselines components 

Here are the four components of Workspace ONE Baselines and how they work. 

1. Cloud-based micro-service 

Baselines uses a cloud-based micro-service that handles the policy catalog. For on-premises customers, Baselines ensures that the environment can communicate with the micro-service. 

2. Baselines compliance status 

An admin can ensure that devices are under their control by following the status within the “Baseline Compliance Status” view. Once devices are enrolled in Workspace ONE UEM and have the Workspace ONE Intelligent Hub installed on them, an admin can view the status from the Baselines Detail page. There are three types of compliance categories. Compliance status can be: compliant, intermediate, non-compliant, or not available.

Types of baselines by setting descriptions 

  • CIS Windows 10 Benchmarks: This baseline applies the configuration settings proposed by CIS Benchmarks. Select the OS version and benchmark level to apply. 
  • Windows 10 Security Baseline: This baseline applies the configuration settings proposed by Microsoft. Select the OS version and benchmark level to apply. 
  • Custom Baseline: Upload a ZIP file with a GPO backup. You must create this baseline outside of Workspace ONE UEM. The backup must be less than 5 MB with at least one GPO folder.

3. Workspace ONE Baselines compliance engine 

The compliance engine is an automated tool by Workspace ONE UEM that ensures all devices abide by agency policies. These policies can include basic security settings, such as requiring a passcode or having a minimum device lock period, and can be used to configure the “Health Attestation for Windows Desktop Compliance Policies.” An agency admin can also decide to set and enforce certain precautions. These precautions go beyond setting password strength: they include denylisting certain apps and requiring device check-in intervals to ensure that devices are safe and in contact with Workspace ONE UEM.

4. Workspace ONE platform integration 

Workspace ONE is built on VMware’s Workspace ONE UEM technology that provides for the standard aspects of mobile device management (MDM) and mobile app management (MAM), including Unified Application Catalog. Workspace ONE integrates with virtual desktop application delivery via VMware Horizon on a common identity framework with Workspace ONE Assist to complete a full End-User Computing (EUC) suite that can leverage Baselines as a key feature of enrollment, onboarding, and compliance: 

FedRAMP Workspace ONE = UEM + Hub Services + Intelligence + Access + MTD + Horizon

Each of the components, along with the baselines feature, brings an integrated and secure Zero Trust Architecture solution that is partnered under a cooperative research and development agreement with the National Cybersecurity Center of Excellence. This VMware Anywhere Workspace solution is able to empower a government’s hybrid or remote workforce with secure and frictionless experiences by: 

  • Delivering unique integrations enabling tailored experiences and higher productivity for frontline, hybrid, and remote users, across heterogeneous environments, including physical and virtual devices and multiple operating systems. 
  • Enabling Zero Trust Network Access (ZTNA) with remote support for any device (BYO, third-party, or VMware-managed) in a true hybrid workforce and providing a Security Operations Center (SOC) / Information & Technology support team the tools and telemetry for Indicator of Compromise (IoC) on mobile. 
  • Facilitating flexible deployment options to obtain immediate value for prioritized use cases, allowing flexible scaling to harness the full potential of an integrated platform. 
  • Optimizing security and experience through an integrated approach that combines market-leading technologies essential for hybrid work. This integrated approach provides connected visibility and context, ensuring broader security coverage. 
