Workspace ONE UEM Architecture
This chapter is one of a series that make up the Omnissa Workspace ONE and Horizon Reference Architecture, a framework that provides guidance on the architecture, design considerations, and deployment of Omnissa Workspace ONE and Omnissa Horizon solutions. This chapter provides information about architecting Omnissa Workspace ONE Unified Endpoint Management (UEM).
Introduction
Omnissa Workspace ONE UEM (powered by AirWatch) is responsible for device enrollment, a mobile application catalog, policy enforcement regarding device compliance, and integration with key enterprise services, such as email, content, and social media.
Workspace ONE Unified Endpoint Management (UEM) features include:
- Device management platform – Allows full life-cycle management of a wide variety of devices, including phones, tablets, Windows 10, and rugged and special-purpose devices.
- Application deployment capabilities – Provides automatic deployment or self-service application access for employees.
- User and device profile services – Ensures that configuration settings for users and devices:
- Comply with enterprise security requirements
- Simplify end-user access to applications
- Productivity tools – Includes an email client with secure email functionality, a content management tool for securely storing and managing content, and a web browser to ensure secure access to corporate information and tools.
Deployment Options
Workspace ONE UEM can be implemented using a cloud-based (SaaS) or an on-premises model.
- Cloud-based (SaaS) – With a cloud-based implementation, Workspace ONE UEM is delivered as a service (SaaS). Cloud-based deployments of Workspace ONE UEM are the preferred option for new instances. This simplifies the architecture, deployment, and maintenance. As maintenance of the cloud service is handled by Omnissa, this simplifies operational tasks, and allows us to update the cloud service on a more frequent cadence basis.
- On-Premises – An on-premises deployment requires the installation of many different servers with different roles and functions. These also need to be maintained and upgraded, as OS and Workspace ONE UEM updates are released. If disaster recovery (DR) is required, a second instance would need to be deployed in a second site.
Note: New on-premises deployments of Workspace ONE UEM are by exception only and require the engagement of Professional Services. This document does not include details or guidance of the on-premises architecture.
Table 1: Deployment Strategy
| Decision | A cloud-based Workspace ONE UEM deployment was carried out. |
| Justification | A cloud-based deployment of Workspace ONE UEM aligns with most customer requirements and how they would typically deploy Workspace ONE UEM. |
Cloud-based (SaaS) Architecture
With a cloud-based implementation, Workspace ONE UEM is delivered as a service (SaaS).
To synchronize Workspace ONE with internal resources such as Active Directory or a Certificate Authority, you use a separate cloud connector, which can be implemented using an Omnissa AirWatch Cloud Connector. The separate connector can run within the internal network in an outbound-only connection mode, meaning the connector receives no incoming connections from the DMZ.
The simple implementation usually consists of:
- An Omnissa Workspace ONE UEM tenant
- Omnissa AirWatch Cloud Connectors
Figure 1: Cloud-Based Workspace ONE UEM Logical Architecture
The main components of Workspace ONE UEM are described in the following table.
Table 2: Workspace ONE UEM Components
| Description | |
| Workspace ONE UEM Console | Administration console for configuring policies within Workspace ONE UEM, to monitor and manage devices and the environment. This service is hosted in the cloud and is managed for you as a part of the SaaS offering. |
| Workspace ONE UEM Device Services | Services that communicate with managed devices. Workspace ONE UEM relies on this component for:
This service is hosted in the cloud and is managed for you as a part of the SaaS offering. |
| API endpoint | Collection of RESTful APIs, provided by Workspace ONE UEM, that allows external programs to use the core product functionality by integrating the APIs with existing IT infrastructures and third-party applications. Workspace ONE APIs are also used by various Workspace ONE UEM services, such as Secure Email Gateway for interactions and data gathering. This service is hosted in the cloud and is managed for you as a part of the SaaS offering. |
| AirWatch Cloud Connector | Component that performs directory sync and authentication using an on-premises resource such as Active Directory or a trusted Certificate Authority. This service is hosted in your internal network in outbound-only mode and can be configured for automatic updates. |
| AirWatch Cloud Messaging service (AWCM) | Service used in conjunction with the AirWatch Cloud Connector to provide secure communication to your backend systems. AirWatch Cloud Connector also uses AWCM to communicate with the Workspace ONE UEM Console. AWCM also streamlines the delivery of messages and commands from the Workspace ONE UEM Console by eliminating the need for end users to access the public Internet or utilize consumer accounts, such as Google IDs. It serves as a comprehensive substitute for Google Cloud Messaging (GCM) for Android devices and is the only option for providing mobile device management (MDM) capabilities for Windows rugged devices. Also, Windows desktop devices that use the Workspace ONE Intelligent Hub use AWCM for real-time notifications. This service is hosted in the cloud and is managed for you as a part of the SaaS offering. |
| Workspace ONE Tunnel | The Workspace ONE Tunnel provides a secure and effective method for individual applications to access corporate resources hosted in the internal network. The Workspace ONE Tunnel uses a unique X.509 certificate (delivered to enrolled devices by Workspace ONE) to authenticate and encrypt traffic from applications to the tunnel. Workspace ONE Tunnel has two components – Proxy and Per-App VPN. The Proxy component is responsible for securing traffic from endpoint devices to internal resources through the Workspace ONE Web app and through enterprise apps that leverage the Workspace ONE SDK. The Per-App Tunnel component enables application-level tunneling (as opposed to full device-level tunneling) for managed applications on iOS, macOS, Android, and Windows devices. |
Table 3: Implementation Strategy for Cloud-Based Workspace ONE UEM
| Decision | A cloud-based deployment of Workspace ONE UEM and the components required were architected for 50,000 devices, which allows for additional growth over time without a redesign. |
| Justification | This strategy provides validation of design and implementation of a cloud-based instance of Workspace ONE UEM. |
AirWatch Cloud Connector
Even when utilizing cloud solutions, such as Workspace ONE UEM, you might want to use some in-house components and resources, for example, email relay, directory services (LDAP/ AD), Certificate Authority, and PowerShell Integration with Exchange. These resources are usually secured by strict firewall rules in order to avoid any unintended or malicious access. Even though these components are not exposed to public networks, they offer great benefits when integrated with cloud solutions such as Workspace ONE.
The Omnissa AirWatch Cloud Connector (ACC) allows seamless integration of on-premises resources with the Workspace ONE UEM deployment, whether it be cloud-based or on-premises. This allows organizations to leverage the benefits of Workspace ONE UEM, running in any configuration, together with those of their existing LDAP, Certificate Authority, email relay, PowerShell Integration with Exchange, and other internal systems.
The AirWatch Cloud Connector runs in the internal network, acting as a proxy that securely transmits requests from Workspace ONE UEM to the organization’s enterprise infrastructure components. The ACC always works in an outbound-only mode, which protects it from targeted inbound attacks and allows it to work with existing firewall rules and configurations.
Workspace ONE UEM and the ACC communicate by means of AirWatch Cloud Messaging (AWCM). This communication is secured through certificate-based authentication, with the certificates generated from a trusted Workspace ONE UEM Certificate Authority.
The ACC integrates with the following internal components:
- Email relay (SMTP)
- Directory services (LDAP/AD)
- Exchange 2010 (PowerShell)
- Syslog (event log data)
The ACC also allows the following PKI integration add-ons:
- Microsoft Certificate Services (PKI)
- Simple Certificate Enrollment Protocol (SCEP PKI)
- Third-party certificate services (on-premises only)
- OpenTrust CMS Mobile
- Entrust PKI
- Symantec MPKI
There is no need to go through AirWatch Cloud Connector for cloud certificate services. You use the ACC only when the PKI is on-premises, not in the cloud (SaaS).
Table 4: Deployment Strategy for the AirWatch Cloud Connector
| Decision | The AirWatch Cloud Connector was deployed. |
| Justification | The ACC provides integration of Workspace ONE UEM with Active Directory. |
Scalability
You can configure multiple instances of ACC by installing them on additional dedicated servers using the same installer. The traffic is automatically load-balanced by the AWCM component and does not require a separate load balancer.
Multiple ACC instances can receive traffic (that is, use a live-live configuration) as long as the instances are in the same organization group and connect to the same AWCM server for high availability. Traffic is routed by AWCM using an LRU (least recently used) algorithm, which examines all available connections to decide which ACC node to use for routing the next request.
For recommendations on the number of ACC instances required, and for hardware requirements, see AirWatch Cloud Connector System Requirements On Premises and SaaS. Note that the documentation shows only the number of connectors required for each sizing scenario to cope with the load demand. It does not include additional servers in those numbers to account for redundancy.
Table 5: Strategy for Scaling the ACC Deployment
| Decision | Three instances of AirWatch Cloud Connector were deployed in the internal network. These instances were installed on Windows Server VMs. |
| Justification | Two ACC instances are required based on load, and a third is added for redundancy. |
AirWatch Cloud Connector Installation
Refer to the latest AirWatch Cloud Connector documentation for full details on the AirWatch Cloud Connector Installation Process.
Integration with Omnissa Access
Integrating Workspace ONE UEM and Omnissa Access into your Workspace ONE environment provides several benefits. Workspace ONE uses Access for authentication, SaaS, and Horizon application access. Workspace ONE uses Workspace ONE UEM for device enrollment and management.
The integration process between the two solutions is detailed in Workspace ONE UEM Integration with Workspace ONE Access.
Also see the Workspace ONE UEM and Workspace ONE Access Integration section in Platform Integration for more detail.
Resource Types
An Omnissa Workspace ONE implementation can include the following types of application resources.
Native Mobile Apps
Native mobile apps from the Apple App Store, Google Play, and the Microsoft Windows Store have brought about new ways of easily accessing tools and information to make users more productive. A challenge has been making the available apps easy to find, install, and control. Workspace ONE UEM has long provided a platform for distribution, management, and security for these apps. Apps can be published from the app stores themselves, or internally developed apps can be uploaded to the Workspace ONE UEM service for distribution to end users.
Figure 2: Native Mobile Apps
Unified App Catalog
When Workspace ONE UEM and Access are integrated so that apps from both platforms can be enabled for end users, the option to use the unified catalog in Access is enabled. This catalog pulls entitlements from both platforms and displays them appropriately in the Workspace ONE native app on a mobile device. The Workspace ONE client determines which apps to display on which platform. For example, iOS apps appear only on devices running iOS, and Android apps appear only on Android devices.
Figure 3: Unified Catalog in Access
Conditional Access
With the Workspace ONE conditional access feature, administrators can create access policies that go beyond the evaluation of user identity and valid credentials. Combining Workspace ONE UEM and Access, administrators can evaluate the target resource being accessed, the source network from which the request originated, and the type and compliance status of the device. With these criteria, access policies can provide a more sophisticated authentication challenge only when needed or deny access when secure conditions are not met.
Using the Workspace ONE UEM Console to Create Access Policies
Configuration of compliance starts in the Workspace ONE UEM Console. Compliance policies are created by determining:
- A criterion to check, such as a jail-broken or rooted device
- An action to take, such as an email to an administrator or a device wipe
- An escalation to further actions if the device is not returned to compliance within a set time
- An assignment to devices or users
Examples of rules are listed in the following table.
Table 6: Examples of Access Policy Rules
| Compliance Criterion | Policy Description |
| Application list | A device is out of compliance with the policy for one or more of the following reasons:
|
| Last compromised scan | A device complies with this policy if the device was last scanned for compliance within the timeframe defined in the policy. |
| Passcode | A device complies with this policy if a passcode is set in the device by the user. A corresponding rule provides information on the passcode and encryption status of the device. |
| Device roaming | A device is out of compliance with this policy if the device is roaming. |
Refer to Compliance Policy Rules and Actions for the complete list.
Using the Workspace ONE UEM REST API to Extend Device Compliance Parameters
With the Workspace ONE UEM REST API, the definition of a device’s compliance status can be extended beyond what is available within the Workspace ONE UEM Console by leveraging an integration with one or more partners from the extensive list of Mobile Security Alliance (MSA) partners.
To use the device posture from Workspace ONE UEM with Access, you must enable the Device Compliance option when configuring the Workspace ONE UEM–Access integration. The Compliance Check function must also be enabled.
Figure 4: Enable Compliance Check
After you enable the compliance check through Workspace ONE UEM, you can add a rule that defines what kind of compliance parameters are checked and what kind of authentication methods are used.
Figure 5: Device Compliance Policy
The device’s unique device identifier (UDID) must also be captured in Workspace ONE UEM and used in the compliance configuration. This feature works with mobile SSO for iOS, mobile SSO for Android, and certificate cloud deployment authentication methods.
Note: Before you use the Device Compliance authentication method, you must use a method that obtains the device UDID. Evaluating device compliance before obtaining the UDID does not result in a positive validation of the device’s status.
Multi-factor Authentication
Omnissa Access supports chained, two-factor authentication. The primary authentication methods can be username and password or mobile SSO. You can combine these authentication methods with RADIUS, RSA Adaptive Authentication, and Workspace ONE Intelligent Hub Verify as secondary authentication methods to achieve additional security for access control.
BYOD and Mobile Application Management - MAM
Bring your own device (BYOD) refers to employees using personal devices to access corporate resources that contain potentially sensitive information. Personal devices could include smartphones, personal computers, or tablets.
Mobile Application Management (MAM) is the ability for administrators to secure and enable IT control of enterprise apps on a mobile device, such as by requiring full device management to access an app, or restricting copy-paste functionality within an app.
Workspace ONE supports a variety of device and application management approaches based on the ownership of the device and the level of security required by an organization. Corporate-owned devices, or devices used within a regulated industry, will likely require a greater level of management than employee-owned devices. However, employees will expect more privacy and fewer restrictions on the devices they own.
Each mobile platform has slightly different terminology to describe management methods, but here are the high-level options:
- Full mobile device management (MDM) – Requires the user to enroll the device into management to access any work applications. Enrollment involves downloading a management, or MDM, profile to the device. This method provides the most device control for the administrator, including full policies and restrictions, attestation and compliance, conditional access, and device remediation. Usually, this management method is used for corporate-owned devices; however, some organizations require this level of management for BYOD as well.
- OS partitioned – Management options that are made possible through device manufacturers. This includes iOS User Enrollment and Android Enterprise Work Profile. This configuration separates work apps and data from personal apps and data. See the Managing Android Devices Operational Tutorial for more details on these mobile platforms. Partitioning the OS is a common management option for both BYOD and corporate-owned devices because it provides a user-friendly method to distinguish between personal and work apps.
- Registered mode – If configured in the Workspace ONE UEM console, users are able to log in to the Workspace ONE Intelligent Hub app and access applications without full, device-level management (MDM profile). This management method provides the most privacy for the user and is a common option for BYOD. For instructions on enabling access to Intelligent Hub without full device management, see Enable Intelligent Hub Without Requiring Full Management.
- Containerized apps – Across any of the above-mentioned device management options, Workspace ONE provides secure apps that can be accessed by the user regardless of whether a device is fully managed or uses registered mode. Containerized apps include Workspace ONE productivity apps (Intelligent Hub, Boxer, Content, and so on) and apps that include the Workspace ONE SDK. Using containerized apps on a device in registered mode is the most common configuration to achieve BYOD MAM. Review this Mobile Application Management learning path to learn more about the Workspace ONE productivity apps.
Figure 6: Workspace ONE Device Management Options Along the Continuum
Enabling Adaptive Management for iOS
The Workspace ONE UEM administrator can allow users to log in to Workspace ONE Intelligent Hub without requiring full device management. In other words, the user can access the catalog of corporate applications without installing the iOS MDM profile on their device. This option is called registered mode: the user’s device is registered but not fully managed.
However, if an iOS user attempts to access a restricted corporate application in the catalog that requires MDM enrollment, the user is prompted to install the iOS MDM profile. This is referred to as adaptive management.
Adaptive management can be enabled on an application-by-application basis within the Workspace ONE UEM Console. Within an application profile, an administrator can choose to require device-level management prior to allowing use of a specific app, as shown in the following screenshot.
Figure 7: Mobile Application Deployment in the Workspace ONE UEM Console
When adaptive management is required for an app, the app has an indicator in the catalog, so the end user understands that the app has specific requirements.
Adaptive management is only supported on iOS. The Android platform no longer supports this functionality. The new standard for app deployment with Android is through Android Enterprise, as described in Managing Android Applications using Workspace ONE UEM.
Mobile Single Sign-On
One of the hallmark features of the Workspace ONE experience is mobile SSO technology, which provides the ability to sign in to the app once and gain access to all entitled applications, including SaaS apps. This core capability can help address security concerns and password-cracking attempts and vastly simplifies the end-user experience for a mobile user. A number of methods enable this capability on both Workspace ONE Access and Workspace ONE UEM. SAML becomes a bridge to the apps, but each native mobile platform requires different technologies to enable SSO.
Configuration of mobile SSO for iOS and Android devices can be found in the Workspace ONE UEM Integration with Workspace ONE Access guide.
Mobile SSO for iOS
Kerberos-based SSO is the recommended SSO experience on managed iOS devices. Workspace ONE Access offers a built-in Kerberos adapter, which can handle iOS authentication without the need for device communication to your internal Active Directory servers. In addition, Workspace ONE UEM can distribute identity certificates to devices using a built-in Workspace ONE UEM Certificate Authority, eliminating the requirement to maintain an on-premises CA.
Alternatively, enterprises can use an internal key distribution center (KDC) for SSO authentication, but this typically requires the provisioning of an on-demand VPN. Either option can be configured in the Standard Deployment model, but the built-in KDC must be used in the Simplified Deployment model that is referenced in Implementing Mobile Single Sign-On Authentication for Workspace ONE UEM-Managed iOS Devices.
Mobile SSO for Android
Workspace ONE offers universal Android mobile SSO, which allows users to sign in to enterprise apps securely without a password. Android mobile SSO technology requires device enrollment and the use of Workspace ONE Tunnel to authenticate users against SaaS applications.
Refer to Implementing Mobile Single Sign-On Authentication for Workspace ONE UEM Managed Android Devices.
Windows 10/11 and macOS SSO
Certificate-based SSO is the recommended experience for managed Windows and Mac desktops and laptops. An Active Directory Certificate Services or other CA is required to distribute certificates. Workspace ONE UEM can integrate with an on-premises CA through AirWatch Cloud Connector or an on-demand VPN.
For guidance on Workspace ONE UEM integration with a Certificate Authority, see Certificate Authority Integrations.
Email Integration
Workspace ONE offers a great number of choices when it comes to devices and email clients. Although this flexibility offers many choices of email clients, it also potentially exposes the enterprise to data leakage due to a lack of control after email messages reach the device.
Another challenge is that many organizations are moving to cloud-based email services, such as Microsoft Office 365 and G Suite (formerly Google Apps for Work). These services provide fewer email control options than the on-premises models that an enterprise might be accustomed to.
This section looks at the email connectivity models and the pros and cons of each.
Secure Email Gateway Proxy Model
The Omnissa Workspace ONE UEM Secure Email Gateway proxy server is a separate server installed in-line with your existing email server to proxy all email traffic going to mobile devices. Based on the settings you define in the Workspace ONE UEM Console, the Workspace ONE UEM Secure Email Gateway proxy server allows or blocks email for every mobile device it manages, and it relays traffic only from approved devices. With some additional configuration, no devices are allowed to communicate directly with the corporate email server.
Figure 8: Workspace ONE UEM Secure Email Gateway Architecture
Workspace ONE UEM Secure Email Gateway runs as a service on Omnissa Unified Access Gateway. For architecture and sizing considerations, see Unified Access Gateway Architecture.
Direct PowerShell Model
In this model, Workspace ONE UEM adopts a PowerShell administrator role and issues commands to the Exchange ActiveSync infrastructure to permit or deny email access based on the policies defined in the Workspace ONE UEM Console. PowerShell deployments do not require a separate email proxy server, and the installation process is simpler. In the case of an on-premises Exchange server, AirWatch Cloud Connector (ACC) can be leveraged to prevent inbound traffic flow.
Figure 9: Microsoft Office 365 Email Architecture
Supported Email Infrastructure and Models
Use the following table to compare these models and the mail infrastructures they support.
Table 7: Supported Email Deployment Models
| Deployment Model | Configuration Mode | Mail Infrastructure |
| Proxy model | Workspace ONE UEM Secure Email Gateway (proxy) |
|
| Direct model | PowerShell model |
|
| Direct model | Google model |
|
Microsoft Office 365 requires additional configuration for the Workspace ONE UEM Secure Email Gateway proxy model. It is recommended to use the direct model of integration with cloud-based email servers unless encryption of attachments is required.
The following table summarizes the pros and cons of the deployment features of Workspace ONE UEM Secure Email Gateway and PowerShell to help you choose which deployment is most appropriate.
Table 8: Workspace ONE UEM Secure Email Gateway and PowerShell Feature Comparison
| Model | Pros | Cons |
| Workspace ONE UEM Secure Email Gateway |
|
|
| PowerShell | No additional on-premises servers required for email management |
|
Key Design Considerations
The Workspace ONE UEM Secure Email Gateway is recommended for all on-premises email infrastructures with deployments of more than 100,000 devices. For smaller deployments or cloud-based email, PowerShell is another option.
For more information on design considerations for mobile email management, see What is Workspace ONE UEM Mobile Email Management Solution?.
Table 9: Email Deployment Model for this Reference Architecture
| Decision | The PowerShell model was used with Workspace ONE Boxer. |
| Justification | This design includes Microsoft Office 365 email. Although this decision limits employee choice of mail client and removes native email access in the Mobile Productivity service, it provides the best protection available against data leakage. |
Next Steps
- Configure Microsoft Office 365 email through PowerShell.
- Configure Workspace ONE Boxer as an email client for deployment as part of device enrollment.
Conditional Access Configured for Microsoft Office 365 Basic Authentication
By default, Microsoft Office 365 basic authentication is vulnerable because credentials are entered in the app itself rather than being submitted to an identity provider (IdP) in a browser, as with modern authentication. However, with Workspace ONE, you can easily enhance the security and control over Microsoft Office 365 with an active flow.
You can now control access to Office 365 active flows based on the following access policies in Omnissa Access:
- Network range
- Device OS type
- Group membership
- Email protocol
- Client name
Figure 10: Microsoft Office 365 Active Flow Conditional Access Policies
Content Integration
Mobile content management (MCM) can be critical to device deployment, ensuring that content is safely stored in enterprise repositories and available to end users when and where they need it with the appropriate security controls. The MCM features in Workspace ONE UEM provide users with the content they need while also providing the enterprise with the security control it requires.
Content Management Overview
- Workspace ONE UEM managed content repository – Workspace ONE UEM administrators with the appropriate permissions can upload content to the repository and have complete control over the files that are stored in it.
The synchronization process involves two components:
- Content Gateway – This on-premises node provides secure access to content repositories or internal file shares. You can deploy it as a service on a Unified Access Gateway virtual appliance. This gateway supports both cascade mode (formally known as relay-endpoint) and basic (formally known as endpoint-only) deployment models.
- Corporate file server – This preexisting repository can reside within an organization’s internal network or on a cloud service. Depending on an organization’s structure, the Workspace ONE UEM administrator might not have administrative permissions for the corporate file server.
- Omnissa Workspace ONE Content – After this app is deployed to end-user devices, users can access content that conforms to the configured set of parameters.
Figure 11: Mobile Content Management with Workspace ONE UEM
You can integrate Workspace ONE Content with a large number of corporate file services, including Box, Google Drive, network shares, various Microsoft services, and most websites that support Web Distributed Authoring and Versioning (WebDAV). It is beyond the scope of this document to list all of them.
For full design considerations for mobile content management, see Introduction to Mobile Content Management.
Content Gateway
Content Gateway provides a secure and effective method for end users to access internal repositories. Users are granted access only to their approved files and folders based on the access control lists defined in the internal repository through Workspace ONE Content. To prevent security vulnerabilities, Content Gateway servers support only Server Message Block (SMB) v2.0 and SMBv3.0. SMBv2.0 is the default. Content Gateway offers basic and cascade mode (formally known as relay-endpoint) architecture models for deployment.
Content Gateway can be deployed as a service within Unified Access Gateway. For guidance on deployment and configuration of Content Gateway service, see Content Gateway on Unified Access Gateway.
For step-by-step instructions, see Configuring Content Gateway Edge Services on Unified Access Gateway.
Scalability
Unified Access Gateway can be used to provide edge and gateway services for Content Gateway, Secure Email Gateway, and Workspace ONE Tunnel functionality. For architecture and sizing guidance, see Unified Access Gateway Architecture.
Data Protection in Workspace ONE Content
Workspace ONE Content provides considerable control over the types of activities that a user can perform with documents that have been synced to a mobile device. Applications must be developed using Workspace ONE SDK features or must be wrapped to use these restrictions. The following table lists the data loss prevention features that can be controlled.
Table 22: Data Loss Prevention Features
| Feature Name | Description |
| Enable Copy and Paste | Allows an application to copy and paste on devices |
| Enable Printing | Allows an application to print from devices |
| Enable Camera | Allows applications to access the device camera |
| Enable Composing Email | Allows an application to use the native email client to send email |
| Enable Data Backup | Allows wrapped applications to sync data with a storage service such as iCloud |
| Enable Location Services | Allows wrapped applications to receive the latitude and longitude of the device |
| Enable Bluetooth | Allows applications to access Bluetooth functionality on devices |
| Enable Screenshot | Allows applications to access screenshot functionality on devices |
| Enable Watermark | Displays text in a watermark in documents in the Workspace ONE Content |
| Limit Documents to Open Only in Approved Apps | Controls the applications used to open resources on devices |
| Allowed Applications List | Lists the applications that are allowed to open documents |
Content Key Design Considerations
Because this environment is configured with Microsoft Office 365, SharePoint-based document repositories are configured as part of the Workspace ONE Content implementation. Data loss prevention (DLP) controls are used in the Mobile Productivity service and Mobile Application Workspace profiles to protect corporate information.
Table 10: Implementation Strategy for Providing Content Gateway Services
| Decision | Unified Access Gateway was used to provide Content Gateway services. |
| Justification | Unified Access Gateway was chosen as the standard edge gateway appliance for Workspace ONE services, including Horizon and content resources. |
Workspace ONE Tunnel
Omnissa Workspace ONE Tunnel leverages unique certificates deployed from Workspace ONE UEM to authenticate and encrypt traffic from the mobile device to resources on the internal network. It consists of following two components:
- Proxy – This component secures the traffic between the mobile device and the backend resources through the Workspace ONE Web application. To leverage the proxy component with an internally developed app, you must embed the Workspace ONE SDK in the app.
The proxy component, when deployed, supports SSL offloading.
- Per-App Tunnel – This component allows certain applications on your device to communicate with your backend resources. This restricts access to unwanted applications, unlike the device-level VPN. The Per-App Tunnel supports TCP, UDP and HTTP(S) traffic and works for both public and internally developed apps. It requires the Workspace ONE Tunnel application to be installed and managed by Workspace ONE UEM.
Note: The Per-App Tunnel does not support SSL offloading.
Workspace ONE Tunnel Service Deployment
The Workspace ONE Tunnel service can be deployed as a service within Unified Access Gateway.
For guidance on deployment and configuration of the Workspace ONE Tunnel service, see Workspace ONE Tunnel on Unified Access Gateway. For step-by-step instructions, see Deploying with Unified Access Gateway (UAG).
Tunnel Architecture
The Per-App Tunnel component is recommended because it provides most of the functionality with easier installation and maintenance. It leverages native APIs offered by Apple, Google, and Windows to provide a seamless end-user experience and does not require additional configuration as the Proxy model does.
The Workspace ONE Tunnel service can reside in:
- DMZ (single-tier, basic mode)
- DMZ and internal network (multi-tier, cascade mode)
Both configurations support load balancing and high availability.
Figure 12: Workspace ONE Tunnel and Content Deployment Modes
For guidance on Deployment modes, see Workspace ONE Tunnel on Unified Access Gateway.
Tunnel Scalability
Unified Access Gateway can be used to provide edge and gateway services for Content Gateway and Workspace ONE Tunnel functionality. For architecture and sizing guidance, see Unified Access Gateway Architecture.
Tunnel Installation
For installation prerequisites, see System Requirements in Deploying with Unified Access Gateway (UAG).
After the installation is complete, configure the Workspace ONE Tunnel by following the instructions in UEM Console Configurations.
Table 11: Strategy for Providing Tunnel Services
| Decision | Omnissa Unified Access Gateway was used to provide tunnel services. |
| Justification | Unified Access Gateway was chosen as the standard edge gateway appliance for Workspace ONE services, including Horizon and content resources. |
Data Loss Prevention
Applications built using the Omnissa Workspace ONE SDK or wrapped by the Workspace ONE UEM App Wrapping engine can integrate with the SDK settings in the Workspace ONE UEM Console to apply policies, control security and user behavior, and retrieve data for specific mobile applications without changing the application itself. The application can also take advantage of controls designed to make accidental, or even purposeful, distribution of sensitive information more difficult. DLP settings include the ability to prevent copy and paste, prevent printing, prevent the camera or screenshot features, or require adding a watermark to content when viewed on a device. You can configure these features at a platform level with iOS- or Android-specific profiles applied to all devices, or you can associate a specific application for which additional control is required.
Workspace ONE UEM applications, including Workspace ONE Boxer and Workspace ONE Content, are built to the Workspace ONE SDK, conform to the Workspace ONE platform, and can natively take advantage of these capabilities. Other applications can be wrapped to include such functionality, but typically are not enabled for it out of the box.
Figure 13: Workspace ONE UEM Data Loss Prevention Settings
Another set of policies can restrict actions a user can take with email. For managed email clients such as Workspace ONE Boxer, restrictions can be set to govern copy and paste, prevent attachments from being accessed, or force all hyperlinks in email to use a secure browser, such as Workspace ONE Web.
Figure 14: Workspace ONE Boxer Content Restriction Settings
Summary and Additional Resources
Now that you have come to the end of this design chapter on Omnissa Horizon Cloud Service – next-gen, you can return to the reference architecture landing page and use the tabs, search, or scroll to select further chapter in one of the following sections:
- Overview chapters provide understanding of business drivers, use cases, and service definitions.
- Architecture chapters give design guidance on the Omnissa products you are interested in including in your deployment, including Workspace ONE UEM, Access, Intelligence, Workspace ONE Assist, Horizon Cloud Service, Horizon 8, App Volumes, Dynamic Environment Manager, and Unified Access Gateway.
- Integration chapters cover the integration of products, components, and services you need to create the environment capable of delivering the services that you want to deliver to your users.
- Configuration chapters provide reference for specific tasks as you deploy your environment, such as installation, deployment, and configuration processes for Omnissa Workspace ONE, Horizon Cloud Service, Horizon 8, App Volumes, Dynamic Environment Management, and more.
Additional Resources
For more information about Workspace ONE UEM, you can explore the following resources:
Changelog
The following updates were made to this guide:
| Date | Description of Changes |
| 2024-10-07 |
|
| 2024-05-17 |
|
| 2023-01-09 |
|
| 2023-07-19 |
|
| 2020-07-01 |
|
Author and Contributors
This chapter was written by:
- Graeme Gordon, Senior Staff Architect, Omnissa.
- Andreano Lanusse, Staff Architect, Omnissa.
- Christina Minihan, Senior Architect, Omnissa.
Feedback
Your feedback is valuable. To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com.
Associated Content
From the action bar MORE button.