Updated on April 6th, 2022 – Please be aware that some of this information may not be accurate anymore
A lot of businesses are getting more and more interested in a Unified Endpoint Management solution like Workspace ONE UEM. While EMM is well understood by everyone, UEM is far from that status. During meetings with customers about Workspace ONE there are often concerns about “cloud” and the data which is being sent to the cloud.
Since this information about data privacy, data security or data collection regarding Workspace ONE is not easy to gather, I decided to make this information available here.
This topic is very important, because more businesses are open now to talk about cloud and hybrid solutions like Workspace ONE where the management backend is managed by VMware and only a few components need to be installed on-premises in your own data center:
With the release of Workspace ONE UEM 1904 VMware started to publish “SaaS only releases“. Before this announcement an on-premises customer would get the on-prem installers three to four weeks after a new SaaS release had been made available. That’s why it’s clear that a lot more customers are having the same questions and requests when it comes to a cloud-based solution.
Of course, as we strive to bring you more cloud services at a faster pace, we will continue to add value with innovations in both our On-Premises and cloud offerings.
As a result, we are making a change to how we deliver Workspace ONE UEM beginning with Workspace ONE UEM Console 1904, which will be a SaaS-only release.
Which data are collected from users and devices? Who has access to this data?
- By default, the solution only collects information necessary to manage the device, such as the device status, compliance information, OS, etc.; the solution may collect (if configured by the administrator), or users may input, data considered to be sensitive
- The solution collects a limited set of personal data, which includes user first and last name, username, email address, and phone number for user activation and management. These fields can be encrypted at rest in the solution database (AES 256). Customers may collect additional data points from the following matrix (as configured by the customer administrator): https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/UEM_Managing_Devices/GUID-AWT-DATA-COLLECT-MATRIX.html
- VMware manages access to the SaaS environment while customers manage administrative and end-user access through the solution console
- Access to the SaaS environment is technically enforced according to role, the principle of least privileges and separation of duties
- Customers manage access entitlements for administrative and end users
- VMware defines customer data related to the solution and/or hosted service in the VMware Data Processing Addendum
- Data Sub-Processors can be found here
Is it possible to prevent data collection of specific information?
VMware covers this topic in their Workspace ONE Privacy Disclosure: https://www.vmware.com/help/privacy/uem-privacy-disclosure.html
- Customer administrators use granular controls to configure what data is collected from users and what collected data is viewable by admins within the Workspace ONE console. Use granular role-based access controls to restrict the depth of device management information and features available to each administrative console user.
- For Workspace ONE UEM configure Collect and Display, Collect Do Not Display, and Do Not Collect settings for user data:
- GPS Data
- Carrier/Country Code
- Roaming Status
- Cellular Data Usage
- Call Usage
- SMS Usage
- Device Phone Number
- Personal Application
- Unmanaged Profiles
- Public IP Address
- Customer administrators can choose whether or not to display the following user information:
- First Name
- Last Name
- Phone Number
- Email Accounts
How is data secured in the VMware hosted cloud?
Workspace ONE UEM has achieved the Service Organization Control (SOC) 2 Type 2 and ISO 27001, ISO 27017, and ISO 27018 certifications.
VMware can provide copies of the SOC 2 Type 2 report under an NDA; please contact your VMware account representative to request this report. Refer to the VMware Cloud Trust Center for the ISO certificate and to see the latest list of industry certifications.
VMware uses encryption for data in transit over the public Internet and at rest. For a comprehensive overview of the SaaS application, request the Workspace ONE UEM Cloud Security Overview from your VMware Representative.
I hope this short article helps everyone to get the information they require for a Workspace ONE UEM SaaS project. I shared the same information with several customers from different businesses and so far all legal departments accepted the statements and moved forward with their project with Workspace ONE UEM. 🙂
We do not store AD/LDAP passwords in our database
What about the AD/LDAP bind password and the same for a Certificate Authority service account?
According to my knowledge for such accounts the password is stored and encrypted in the database since it is part of the service configuration.
Is anything different between the on-premises and SaaS versions?
Do you mean what the difference is if the whole WS1 UEM is installed on-premises? If yes, then this is different. You would have all the backend servers (e.g. DB server, UEM console, device services server etc.). Then it also depends on whether you are going to use WS1 Intelligence, which is only available in the cloud as a SaaS application – and the WS1 Intelligence Connector, which is installed on-premises.
In this case you would have the local WS1 UEM infrastructure sending data via the WS1 Intelligence Connector to the Intelligence service hosted in the cloud. Does that help?