Omnissa Workspace ONE Unified Endpoint Management Integration with Horizon

Overview

Horizon delivers top-tier virtual desktops and applications to users, and Workspace ONE UEM provides best-in-class device security and management.  The two technologies can be integrated to provide the optimal “Better Together” solution. 

This document goes beyond the marketing message and dives deep into the technical aspects of integrating Horizon and Workspace ONE UEM such that every physical or virtual Windows endpoint in your environment is secured and managed seamlessly.

Why add Workspace ONE UEM to a Horizon deployment?

Within most organizations, the processes defined below are largely performed manually and are time consuming.  Omnissa’s “Better Together” approach ideally minimizes or eliminates many manual processes via complementary technologies and automation. 

Figure 1: Complementary technologies eliminate manual and time-consuming processes

Horizon excels at provisioning and brokering access to virtual desktops and apps, while Workspace ONE UEM fills the operational gaps that Horizon alone does not address:

  • Consistent patching and configuration management across all Windows devices--physical, virtual desktop, and server--including persistent VDI that drifts from its golden image over time
  • Compliance enforcement on both the physical client endpoint and the virtual desktop, creating a closed-loop security posture
  • Unified application lifecycle management, Workspace ONE UEM can deploy, update, and retire apps on VDI alongside physical devices
  • Single-pane telemetry through Omnissa Intelligence, correlating physical endpoint health, Horizon session metrics, and Digital Employee Experience (DEX) scores
  • Conditional access via Omnissa Access, gates Horizon desktop launch and compliance status of the connecting endpoint
  • Remote support through Workspace ONE Assist, directly from the Horizon console or Workspace ONE console for enrolled VDI desktops

Integration architecture

The integration of Horizon and Workspace ONE UEM connects four primary Omnissa components:

Component

Role

Deployment

Workspace ONE UEM

Enrolls and manages Windows desktops and servers. Pushes security baselines, profiles, apps, and scripts. Collects telemetry via the built-in Intelligence agent.

SaaS. AirWatch Cloud Connector for on-prem AD/LDAP integration.

Omnissa Access

Identity broker and SSO provider. Hosts the unified app catalog including Horizon resources. Enforces conditional access policies that check device compliance before granting Horizon sessions.

SaaS or on-premises. Access Connector installed on-prem for AD sync and Horizon integration.

Horizon 8 / Horizon Cloud

Provisions and brokers virtual desktops and published apps. Connection Servers (Horizon 8) or the cloud control plane (Horizon Cloud) handle session brokering and pool management.

On-premises (Horizon 8) or cloud-hosted (Horizon Cloud on Azure, AWS, etc.)

Unified Access Gateway (UAG)

Unified Access Gateway (UAG) in the DMZ. Proxies Horizon Blast sessions for external clients. Also hosts Tunnel and Content Gateway services (on separate UAG instances from Horizon).

On-premises virtual appliance in DMZ.

Figure 2: Architectural components

This guide assumes that each of these components have been deployed and fully functional.  Horizon and Workspace ONE UEM will be covered in detail within this guide.  For overall component integration, please see the Omnissa Tech Zone article Component Integration.

For more information about UAG, please see the Omnissa Tech Zone article Deploying Unified Access Gateway.  For more information about Access, please see the Omnissa Tech Zone article Omnissa Access Architecture.  Additionally, information about Access integration, including authentication and True SSO, is available within the following reference materials:

End-to-End Session Flow

When all components are integrated, users launch Horizon workloads more securely and with administrative touch points.  In addition, telemetry from both the physical endpoint and the virtual resource feed into Omnissa Intelligence to provide a complete end-to-end view so that actions can be taken if needed.

The diagram below depicts the architecture and process steps associated with provisioning and launching a Workspace ONE managed Horizon workload:

Figure 3: Provisioning and launching a Horizon workload

For more information about Horizon architecture and authentication, including Access, SAML assertion and TrueSSO, please see the Omnissa Tech Zone article Horizon Architecture.

Purpose-built technical integration points

Although it has long been possible to integrate Horizon workloads with Workspace ONE UEM, many steps were previously manual and time consuming.  To simplify the integration of Horizon and Workspace ONE UEM, Omnissa has developed several new technical capabilities:

  •           Intelligent Hub and Horizon agent enhancements, including new command line parameters that enable streamlined application and policy assignment based on the end-user logon
  •           Automated enrollment to Workspace ONE UEM integrates Workspace ONE UEM management directly from the Horizon console
  •           Auto-update of gold images provides one-click image updates that reduce admin overhead and human error

Each of these technical capabilities will be discussed as part of the respective integration processes.

Integrating Horizon and Workspace ONE UEM

The new integration capabilities enable more streamlined deployment of Horizon workloads.  Many Horizon environments are based on a multitude of customizations that are complex and difficult to manage.  By rethinking the backend processes and integrating Workspace ONE UEM, consistency and administrative efficiency increase. 

Figure 4: Horizon/Workspace ONE integration enables automation of several steps

A key benefit of Horizon and Workspace ONE integration is that the tasks bordered in yellow represent steps that are automated. 

This document focuses on each of the processes shown above.  The Workspace ONE UEM configurations represent the largest initial lift; however, once these configurations are complete, the remaining steps are streamlined and largely automated.

Pre-configuration of Workspace ONE UEM settings

The main step is to pre-configure several settings within Workspace ONE UEM prior to initiating any Horizon processes.  These settings include:

  • Segregating setup by means of an Organization Group, Smart Group(s) and Tag(s) to isolate and identify Horizon workloads
  • Designating a Staging User for initiating enrollment
  • Configuring enrollment settings to ensure that only the necessary user prompts are presented
  • Creating resources such as security and management policies, as well as applications
  • Automating customizations that streamline initial workload deployment processes based on conditional actions including if/then/else

Organization Group

While not required, Omnissa strongly recommends creating a new Child Organization Group (OG) solely for Horizon resources.  This creates a distinct entity for security, management, and configurations, which allows VDI-specific policies, including Windows Update cadence, baselines, app assignments, to be managed separately from physical endpoint policies.

Figure 5: OU structure

Depending on your environment, creation of only one child OG may be needed, whereas large or complex deployments may be better suited for multiple child OGs. 

When creating a Child OU, designate a unique name and Group ID as shown below:

Figure 6: Go to Groups & Settings > Groups > OG Details > Add Child OG to create a new Child OG

Note that subsequent configurations should be performed under the context of this newly created Child OG.  Ensure that you are in the correct OG based on the OG designation in the admin account dropdown as shown below.

Figure 7: OG context is visible from the account dropdown

Tags

Tags provide a way to filter and differentiate workloads, including distinguishing Horizon resources from physical PCs in Intelligence reports and dashboards.

Omnissa recommends creating one or more tags that can be assigned to devices, which can then be used to granularly select the desired group of devices.  For more information about tags, please see Omnissa Docs.

Figure 8: Go to Groups & Settings > Devices & Users > Advanced > Tags to create Tags to be used for filtering

Smart Group(s)

Smart Groups are dynamic filters based on criteria such as platform, OS version, ownership type, tags, and user group membership and are required for assignment of resources.  Omnissa recommends setting up multiple granular Smart Groups to provide the utmost flexibility.  For example, rather than setting up a single Smart Group covering all Horizon VDI Windows desktop devices, segregation by Operating System version, Feature Update, and model enables administrators to easily select the most appropriate devices for Baseline template policies.

The following example incorporates Windows 11 25H2 desktops hosted on VMware.

Figure 9: Go to Groups & Settings > Groups > Assignment Groups to create Smart Group(s) to be used when assigning resources

Staging Account

A Staging Account is used by Workspace ONE to initiate the Horizon auto-enrollment feature.  By temporarily enrolling the device via the Staging Account, the Horizon workload is provisioned but enrollment is deterred until initial user logon.  When the user first logs in via Horizon, Intelligent Hub then automatically reassigns the device to the logged-on user seamlessly and without any action required from the user or the administrator.

While a Staging Account is included with the top-level OG, one is not automatically provided for a Child OG and thus needs to be created.

A Staging Account can be a Basic or Directory account.  Basic implies that it is an account solely within Workspace ONE UEM, whereas a Directory account is aligned with an Active Directory account.  If an Active Directory account is used, it should be a Service Account to ensure that it is secured and not readily deleted.

Figure 10: Go to Accounts > Users > Users > Add > Add User to add a new Staging Account

Staging functionality must be explicitly enabled within the account, and the recommended settings are as shown below:

Figure 11: Within the new account, go to the Advanced tab and ensure that Enable Device Staging is enabled

Enrollment settings

By default, the first-time Intelligent Hub login experience includes several pop-ups, such as the "Getting Started" guide and the analytics data collection prompt. In a non-persistent desktop pool, these notifications reappear every time a user logs in to a new session and likely unnecessary. Disabling these prompts will streamline the login process and provide a better user experience, particularly for non-persistent environments.

The “Getting Started” function, knows as the Post-Enrollment Onboarding Experience, is likely unwanted and can be disabled as shown below:

Figure 12: Go to Groups & Settings > Settings > Devices & Users > General > Enrollment > Optional Prompt > select Override > Windows and disable Enable Post-Enrollment Onboarding Experience

Collecting analytics is enabled by default and can be disabled as shown below.

Figure 13: Go to Groups & Settings > Settings > Devices & Users > Microsoft > Windows > Intelligent Hub Settings > select Override > Privacy and disable Collect Analytics

Many organizations require user acceptance of a Terms of Use legal banner at logon.  This can be configured as follows:

Figure 14: Go to Groups & Settings > Settings > Devices & Users > General > Enrollment > Terms of Use > select Override > Set Require Enrollment Terms of Use Acceptance to Enabled > Add New Enrollment Terms of Use

Administrators should review the numerous other enrollment-related settings can be configured within Groups & Settings > Settings > Devices & Users > General > Enrollment. 

Policies

Workspace ONE UEM offers three policy types for Windows devices:

Policy Type

Description

Baselines

Template-based security baselines (Microsoft Security Baseline or CIS Benchmarks) with GUI-driven configuration, compliance reporting, and drift detection. Recommended as the primary policy layer.

Windows Profiles (CSP)

Settings delivered via Microsoft Configuration Service Providers and Intelligent Hub. Supplements baselines for specific configurations.

Windows ADMX Profiles

This new profile type provides settings that can be applied to Windows Desktop and Windows Server devices.  Note that Horizon-specific policies are available for configuration.

Figure 15: Types of policies that can be applied to Horizon Windows workloads

Workspace ONE Baselines offer industry-standard preconfigured Windows Security and CIS Windows Benchmarks for consistent hardening.  Most enterprises adhere to one of these two security standards, thus simplifying maximum security.  In addition, compliance can be readily tracked. Omnissa recommends testing in a pilot pool first because some settings (e.g., screen lock timeout) may conflict with Horizon session management.

Profiles supplement Baselines and can be applied to users or devices.  Two types of Profiles are offered, i.e., Windows Profiles and Windows ADMX Profiles.  A multitude of settings are available, including common application and Horizon-specific settings.

Figure 16: Go to Resources > Profiles & Baselines to configure policies

While it is technically possible to apply policies via Active Directory GPOs, Omnissa recommends utilizing the inherent Workspace ONE UEM Baselines and Profile options for security and management to provide over-the-air application of policy settings. 

A key consideration of policy application is ensuring that policy settings are not duplicated by multiple policy engines.  For example, if Windows Update restart is configured within a Workspace ONE policy, a conflict will arise if that setting is set with an Active Directory GPO or another policy engine.  As a result, an inconsistent user experience may occur initially and/or when policies are reapplied.

For detailed information about Workspace ONE policies, please see the Omnissa Tech Zone article Configuring Workspace ONE Windows Baselines and Profiles.

Please note: Especially for non-persistent environments, certain computer-level policies must still be delivered via Active Directory GPOs. Critical infrastructure paths, such as Omnissa DEM configuration and user shares, need to be processed at machine startup before a user logs in.  Because Workspace ONE UEM staging profiles do not apply early enough to catch this initial boot phase, traditional GPOs ensure these foundational settings are always present.

Key policies that impact Horizon workloads

Workspace ONE Profiles can be applied to Windows Desktop and/or Windows Server workloads and inherently provide several configuration options that are particularly valuable for Horizon workloads, including:

  • Keep Managed Resource settings, which controls whether apps deployed via Workspace ONE UEM persist even if the gold image is temporarily enrolled for maintenance, thus preventing redownloading apps to every desktop after image updates
  • Horizon-specific settings including Blast, URL redirection, agent, and client configuration
  • Common application settings including Chrome, Adobe Acrobat, Microsoft 365, and Zoom
  • Windows Updates including deployment times, restarts, and reminders

Keep Managed Resources

Within this Profile payload, there are four specific settings that determine whether resources are retained or discarded after unenrollment.  Because creating a new gold image causes unenrollment, these four settings are especially important for Horizon workloads, and in general, Omnissa recommends retaining all four resources:

  • Applications
  • Profiles
  • Baselines
  • Workspace ONE Intelligent Hub

Note that the Managed Resources payload is configured separately for Windows Desktop and Windows Server, and the default behavior for the two operating systems differs.

Figure 17: Go to Resources > Profiles & Baselines > Profiles > Add > Add Profiles > Windows > Desktop/Server > Device Profiles > Managed Resources to configure whether applications, profiles, baselines, and/or Intelligent Hub survive unenrollment

Horizon-specific settings

Administrators can centralize Horizon settings within the Workspace ONE policy engine to ensure that the right workloads receive the right settings.  For example, if extensive logging is needed for a Horizon workload in a UAT environment but not for all other pools, this can be easily configured.

Figure 18: Go to Resources > Profiles & Baselines > Profiles > Add > Add Profile > Windows ADMX > User/Device to configure Horizon-specific settings

Manage applications

Common applications such as Google Chrome, Adobe Acrobat, Microsoft 365, and others can be directly managed via Workspace ONE policies.

Figure 19: Similarly, common application-specific settings can be designated

Windows Update and vulnerabilities/emergency patches

There are numerous ways to configure Windows Updates, including Active Directory GPOs.  To streamline updates and retain consistency with physical Workspace ONE-managed devices, Omnissa recommends centralizing configuration.  For a deeper understanding of Windows Updates processes and functionality, please see the Omnissa Tech Zone article entitled Managing Updates for Windows Devices.

Windows Update is a Profile option that can be configured via either a Windows Profile or a Windows ADMX Profile.  The Windows ADMX Profile payload enables a more robust configuration of Windows Updates and is recommended. 

Figure 20: Windows Update is likewise a Profile that can be configured

In addition, two new vulnerability-related features help maximize security:

  • Granular Patch Management, which can be used to apply an emergency or zero-day remediations to Horizon desktop and server workloads without forcing users to log off

Figure 21: Granular Patch Management enables administrators to identify critical patches, including zero-day vulnerabilities, without user logoff

  • Vulnerability Defense is new functionality that not only identify operating system and application vulnerabilities but also provide full remediation

Figure 22: Vulnerability Defense workflow including vulnerability identification and remediation

Applications

Users require a variety of applications on Horizon workloads, but what is the best way to make those applications available with minimum administrative overhead and maximum flexibility?

Omnissa offers several ways to package and deploy applications, and it is strongly recommended that all application processes should be fully tested.   For deep technical insights, please see the Omnissa Tech Zone article Deploying Workspace ONE UEM Applications to Windows Devices.

Because many app packages are large, it is often advantageous to retain those packages on gold images that are unenrolled.  Please revisit the previous discussion related to the Managed Resources settings.

App packaging

Omnissa offers three key options for packaging Windows apps:

Figure 23: Omnissa application packaging options

App File creation is a manual process that requires uploading an MSI, EXE, or self-packaged ZIP file and configuring various settings.  Enterprise App Repository (EAR) houses approximately 9,600 applications and automates App File creation based on only two clicks.  In addition, EAR enables automatic application notifications and/or updates.

App Volumes is an Omnissa tool that enables packaging applications as a standard MSI or VHD and configuring various lifecycle settings.  Where custom application packages are necessary, App Volumes and/or App File ZIP files are most used. 

App deployment

Once applications are packaged, the next step is to determine the best way to deploy them. 

Figure 24: Omnissa application deployment options

While Assignment Groups provide a mechanism for blanketing the app deployment to one or more Smart Groups, the new Phased Deployment option enables administrators to deploy sequentially based on manual or automatic progression.  For example, if a new version of an application has been packaged and configured over the weekend, deployment can be automated based on a wait time such that the installation doesn’t happen on Monday morning.

Freestyle Orchestrator provides a blank canvas that can be created to consist of multiple steps, including if/then/else statements.  This functionality is quite useful for gold images.  For example, a sensor can be incorporated into a Freestyle Orchestrator workflow that checks for a specific version of a dependency app.  If dependency app version A exists, then install app version B, but if dependency app version X exists, then install app version Y, and if neither dependency app exists, then continue to a distinct workflow.  Freestyle Orchestrator will be discussed at length in a subsequent section.

Custom MSI packages created via App Volumes can be deployed not only via App Volumes but also via App Files and Freestyle Orchestrator.  Not only does this simplify the packaging process for custom apps, but it also enables delivery methods that target both persistent and non-persistent virtual Windows endpoints.

Figure 25: App lifecycle management using Workspace ONE UEM and App Volumes

Customizing and automating workflows

There are two key tools for customizing and automating workflows:

  • Freestyle Orchestrator
  • Dynamic Environment Manager

As you will note, there is some functional overlap between these two Omnissa tools, and one or both can support your requirements. 

Figure 26: Workspace ONE and Dynamic Environment Manager comparison

Some capabilities can be delivered via both Workspace ONE UEM and DEM, but others should be leveraged based on identifiable use cases, as described below.

Freestyle Orchestrator

Freestyle Orchestrator can be used not only to deploy applications, but it is also a powerful tool for automating multiple aspects of Horizon workloads. 

Because Freestyle Orchestrator incorporates if/then/else statements and numerous actions, it can effectively streamline Horizon gold images.  As a result, fewer gold images are necessary.

Of course, the operating system, i.e., Windows Desktop or Windows Server, must be installed on the gold image, and Freestyle Orchestrator can effectively handle the gold image from there.

After a gold image is temporarily enrolled into Workspace ONE via the Staging Account, numerous actions can then be incorporated into a one-time workflow.   For example, certificates can be installed, a sensor can determine that Feature Update 25H2 on a Windows 11 image and align subsequent steps, install the CrowdStrike Windows Sensor, and more.  Thus, rather than an unmanageable number of gold images, one or several base images can have numerous components appended. 

Figure 27: Onboarding actions that can be enabled via Freestyle Orchestrator

For Horizon workloads, these actions are particularly well suited for the new Onboarding phase, which is a run-once post-enrollment initial workflow.  If individual step(s) fail, Freestyle Orchestrator can be configured to halt or proceed, such as to take an alternate action.  However, the Onboarding workflow cannot be initiated to run again without restarting the entire process.

Alternatively, Freestyle Orchestrator workflows can be configured to run during the Auto Deploy phase.  Auto Deploy workflows can be run as necessary.

Figure 28: Horizon gold image Freestyle Orchestrator Onboarding workflow

In the example above, several actions are configured within the Onboarding workflow.

Dynamic Environment Manager (DEM)

Dynamic Environment Manager (DEM) remains a valuable tool within Horizon environments and continues to be supported and developed.  In addition to Horizon settings and policies, DEM provides functionality for initial configuration and use of ‘DEM Conditions and Condition Sets' that contain if/then/else conditional actions.

In particular, Conditional Access, DirectFlex, and Triggered Task provide unique functionality as described below:

Figure 29: DEM customization features: Conditions, DirectFlex, and Triggered Tasks

For more information about DEM, please see the Omnissa Tech Zone article entitled What Is Dynamic Environment Manager.

Summary of Workspace ONE configurations

In summary, integration of Horizon and Workspace ONE UEM depends on the following Workspace ONE UEM steps and configurations.  When complete, the bulk of the integration effort is done:

Figure 30: Horizon and Workspace ONE UEM integration steps

Omnissa recommends fully testing all configurations to ensure the desired end user experience and administrative management. 

Next comes the easy part.  Now that these configurations are complete, the following steps are necessary:

  • Administrator creates gold image
  • Administrator creates Horizon pool
  • User authenticates and logs into Horizon
  • Device is auto-enrolled into Workspace ONE UEM (no touch point)
  • If/then/else Onboarding workflows, including apps, policies, and settings, applied to Horizon workload based on user (no touch point)

With the exception of creating the gold image and Horizon pool, all subsequent steps are automated.  Once complete, the Horizon workload is fully functional for the specific user and ready to be accessed.

Gold image

The next step is to create a gold image. 

Traditionally, software packages and other components are included in the gold image; however, consider that each embedded package may ultimately cause image sprawl due to the number of unique gold images that may be necessary.  Instead, all resources could be customized based on user and/or device requirements, as shown in the blue triangle.

Figure 31: Gold image

A key benefit of Horizon and Workspace ONE UEM integration is the ability to customize the policies, applications, and settings that apply to each respective Horizon workload.  Thus, Omnissa recommends relying on the fewest vanilla gold images as possible and supplementing these gold images with customized resources assigned via automation by Workspace ONE.

As an example, sales engineers access Horizon virtual desktops from home/remote offices, as well as hotels and other venues when traveling, and field engineers access virtual desktops from customer sites to perform data analysis and validate compliance on water samples.  Although the apps, policies, and settings applied for the two scenarios differ, the same base gold image can apply to both groups, thus eliminating the need for two separate gold images.  Using the same gold image, the different apps, policies, and settings can be customized based on if/then/else conditions. 

Required contents of the gold image include:

  • The respective Windows RDSH Server or Windows 10/11 desktop operating system
  • Workspace ONE Intelligent Hub (AirwatchAgent.msi)
  • Command line parameters: DEFERENROLLMENT=Y and PROVISIONHUB=Y

Technically, nothing else is required on the gold image.

Once the gold image is sealed, a Horizon pool is configured and deployed as shown below:

Figure 32: Gold image process

Command line parameters explained

When enrolling a Horizon workload into Workspace ONE, six data fields are required:

  • Server address of Workspace ONE instance
  • Group ID
  • Username
  • Password
  • DEFERENROLLMENT, which is used to embed Intelligent Hub in the gold image and enable caching of enrollment details when there is no interactive Windows session
  • PROVISIONHUB, which enables Intelligent Hub to survive Sysprep

The first four parameters are integrated as part of the Horizon pool configuration and will be discussed in the subsequent section.

Enabling both DEFERENROLLMENT and PROVISIONHUB are necessary and ensure that the Intelligent Hub installation supports enrollment caching and survives Sysprep.

As a result of embedding the following command line into the gold image, Intelligent Hub would be successfully installed and prepared for enrollment:

Msiexec.exe /i "C:\AirwatchAgent.msi" /q DEFERENROLLMENT=Y PROVISIONHUB=Y

This example presumes that the AirwatchAgent.msi is installed on the C: drive and should be revised as appropriate.

Horizon pool

Whether the Horizon environment is based on Horizon 8 or Horizon Cloud, configuration of the Horizon pool is basically the same. 

Figure 33: Horizon 8 and Horizon Cloud enrollment and user access processes

Several fields are queried that will be used as part of the subsequent auto-enrollment step.  Shown below is the integration point for Horizon Cloud:

Figure 34: Configure Horizon Cloud Pool with Workspace ONE UEM integration

As shown above, when adding a new Horizon pool, the Workspace ONE UEM tab provides the auto-enrollment option.  When enabled, Workspace ONE UEM integration is simplified based on administrative designation of the following fields:

Parameter

Details

Server URL

  • Workspace ONE UEM service
  • For SaaS environments, this is the URL that is used for Workspace ONE administration; note that the “cn” prefix must be changed to “ds”

Organization Group ID

  • The new child OG that was created for Horizon workloads

Staging username

  • The staging user that was created under the child OG

Staging password

  • The staging user password that was assigned to the staging user account

Figure 35: Embedding Workspace ONE UEM parameters into Horizon pool configuration

Based on the instructions provided earlier in this guide, each of these fields should be known. An added benefit of this configuration is that the staging account password is not exposed. 

Auto-enrollment as part of pool creation as shown above is applicable to the following Horizon versions:

  • Horizon Cloud: Persistent and non-persistent
  • v2603+: Persistent and non-persistent
  • v2512: Persistent only

For Horizon version 2503 and earlier, it is necessary to configure a Windows scheduled task and then remove that task after completion to prevent credential exposure.  Below is an example:

schtasks /create /tn "DeferredEnrollment" /tr "cmd /c C:\PROGRA~2\Airwatch\AgentUI\AWProcessCommands.exe ENROLL --SERVER=ds<1234>.awmdm.com --og=HorizonDesktops --USERNAME=staginghorizon --PASSWORD=<YourPassword> --ASSIGNTOLOGGEDINUSER & schtasks /delete /tn DeferredEnrollment /f" /sc onstart /ru SYSTEM /rl HIGHEST /f

Once a gold image and pool have been created, Intelligent Hub and Horizon agents seamlessly work together to enroll virtual devices and subsequently assign applications, policies, and other settings as required for each user.

Within the Horizon console, integrated pools are easily identifiable by the UEM Managed label that appears under the pool name.

Figure 36: Workspace ONE UEM integrated pools show UEM Managed label

Figure 37: Intelligent Hub and Horizon Agent enable enrollment

Automated processes: user logon, auto-enrollment, and applying apps, policies, and settings

The rest is easy! 

After the Horizon pool has been created, the remaining steps occur automatically and require zero administrative intervention.

Figure 38: Remaining processes are automatically executed

Whether assigning dedicated 1:1 or 1:many dedicated pools or persistent or non-persistent workloads, integration of Horizon and Workspace ONE UEM results in fewer administrative processes.  Further, the elimination of embedded installers, scripts, and entering credentials provides a more secure and reliable process.

Day 2 maintenance and telemetry

Once Horizon workloads are fully functional, several post-implementation capabilities are typically necessary.

  • Gold image updates
  • Remote support for Horizon workloads via Assist
  • Telemetry, which can be tackled via Intelligence and Digital Employee Experience (DEX)

Please note that Intelligence is Omnissa’s foundational data and automation platform, while DEX (Digital Employee Experience) is the specific set of experience-focused tools, dashboards, and scoring metrics built on top of it.  For a deeper understanding, please see Omnissa Tech Zone, as this section only addresses Horizon and Workspace ONE UEM integration aspects.

Automate gold image updates

Non-persistent desktops often rely heavily on frequent updates to the gold image, and up until now, many Horizon customers depended on third-party tools or manual practices to update and patch gold images. 

The Horizon console now provides the ability to update gold images with just one click.  Workspace ONE UEM will automate and streamline the entire lifecycle of gold image management.  As discussed in previous sections, Workspace ONE UEM can be used to build out the gold image and then deploy Horizon workloads, including automated enrollment and resources.  

Figure 39: Fully automated gold image update process

Here’s where it gets particularly interesting.  Very soon, administrators will then be able to unenroll the Intelligent Hub but leave all the resources on the image and refresh the pool. As a result, when Horizon workloads are created from that gold image, all the necessary resources and profiles will already exist.  Note that this functionality will be coming to Horizon Cloud shortly, with Horizon 8 to follow.

Figure 40: New Auto-Update functionality within Horizon console enables one-click gold image updates

Remote support via Workspace ONE Assist

Workspace ONE Assist integrates with both Workspace ONE UEM and Horizon in their respective consoles:

  • From the Workspace ONE UEM console: select an enrolled Horizon VDI desktop and launch a remote control, file manager, or command line session.
  • From the Horizon console: the Help Desk card can launch Assist sessions directly for eligible desktops directly, without switching to the Workspace ONE UEM console.

Assist must be installed on the gold image (or deployed as a Workspace ONE app post-enrollment) for the Horizon desktop to support remote sessions.  For more information about Workspace ONE Assist, please see the Omnissa Tech Zone article Workspace ONE Assist.

Telemetry

Omnissa Intelligence and DEX gather metrics from both Horizon and Workspace ONE and thus is the ideal tool for monitoring, reporting, and actions.

Tags, as explained previously, are useful for identifying devices and can be  used in filters of a Freestyle Workflow. Additionally, tags can be applied to devices in the action step of a Workflow. Note that tags must be first created in Workspace ONE UEM but then may be used in Omnissa Intelligence.

 Using Intelligence to automate device cleanup

Workspace ONE UEM can provide immediate remediation to non-persistent desktops when updating the gold image and refreshing desktops is not an option. When non-persistent desktops are deleted, an orphaned device record remains in Workspace ONE UEM. Keeping non-persistent desktops in their own OG makes it easy to automate the cleanup of these orphaned records.

Configure a Freestyle workflow within Omnissa Intelligence to automatically clean up orphaned device records on a schedule that meets your needs.

The following example performs a weekly deletion of device records in the Horizon_VDI_Floating OG that have not been active for seven days.

Figure 42: Workspace ONE Intelligence workflow example

Digital Employee Experience (DEX) telemetry

Omnissa DEX telemetry captures a plethora of data points from both Workspace ONE UEM and Horizon to provide a full and unique view of environmental health.  Below is a list of key items but not an exhaustive list.

Figure 43: Key DEX telemetry data points

As an example, the following built-in dashboard presents basic environmental health data for administrators.

Figure 44: DEX dashboard example

Not only can the widget data be exported, but it can be automated into a Freestyle workflow.  As a result, numerous if/then/else options are plentiful.  For example, if average logon time and agents in error status are excessive, an alert could be generated or additional virtual machine resources could be automatically provisioned.

A multitude of actions can be automated, including:

Figure 45: DEX actions

Summary and additional resources

Horizon and Workspace ONE UEM are Better Together and provide strategic value for enterprises.  With a few straightforward configurations, these two technologies enable a unified approach to physical and virtual endpoints.

Figure 46: Unified approach to device management for virtual desktops and apps

Additional resources

For more information about Workspace ONE integration, please explore the following TechZone articles:

Change log

The following updates were made to this guide:

Date

Description of Changes

2026/06

Rewrite of Horizon / Workspace ONE Integration materials

About the author and contributors

Jo Harder, Principal Product Specialist, Omnissa

Josh Spencer, Senior Product Manager, Omnissa

Mike Erb, Adoption Product Manager, Omnissa

Sujay Gopalan, Product Specialist, Omnissa

Cy Whitfield, Senior Product Specialist, Omnissa

Will Uhlig, Solution Architect, Omnissa

Feedback

Your feedback is valuable.

To comment on this paper, contact End-User-Computing at tech_content_feedback@omnissa.com.

Filter Tags

Horizon Workspace ONE Horizon Workspace ONE UEM Document Operational Tutorial Intermediate Deploy