Introduction to Workspace ONE Express and Express+

With the release of Workspace ONE UEM 1907, AirWatch Express was renamed to Workspace ONE Express, and a few months later VMware announced Workspace ONE Express+, which is the result of a partnership with Dell.

Workspace ONE Express (WS1 Express) is a SaaS-only solution that is well suited to startups and the small and mid-market in general. It is a simple mobile device management (MDM) solution designed to get your mobile devices up and running quickly without requiring extensive knowledge or an on-premises infrastructure.

The main features are the configuration of WiFi, apps, e-mail and security – basic MDM. WS1 Express requires a minimum of 10 devices and can be used for up to 500 devices, whereas the regular Workspace ONE UEM editions require at least 25 devices/users and have an unlimited licensing scale.

So, which edition is the right one for you? It depends on your types of mobile devices, use cases and requirements.

If you are a small company for example with 50 iOS and Android devices and would like to configure the native e-mail client, WiFi access, deploy some apps and set a passcode, then the Workspace ONE Express is the edition you are looking for.

If you are a company with around 250 users and would like to manage your macOS and Windows 10 clients, then we have to take a closer look at what your requirements are.

IMPORTANT: WS1 Express has some policies for macOS, but Windows 10 can only be managed with Workspace ONE Express+!

This means that you have to go for the Workspace ONE UEM Standard edition if you need an acceptable feature set for these operating systems.

What is the big difference between Workspace ONE Express and Workspace ONE UEM Standard?

As mentioned above, the biggest difference is the limited feature set of WS1 Express and the fact that you cannot configure payloads directly, but have to use the “blueprint setup”.

[Figure: WS1 Express – Blueprints – Create]

Upon the initial login, a step-by-step wizard will help and guide you through the process of configuring WS1 and your devices.

[Figure: WS1 Express – Getting Started – Setup]

During the creation of a blueprint you can select the policies for each operating system, and you quickly realize that Workspace ONE Express really only offers basic MDM capabilities.

[Figure: WS1 Express – Blueprints – Policies]

Apple DEP and Android Zero-Touch Enrollment are fully supported with the Express edition.

Can you start with Express and upgrade later to Standard or Advanced? Yes, you can! This is the great thing about Workspace ONE. If your company is small and would like to start small, then choose Express. If your company, the number of employees and your requirements grow, upgrade to a regular Workspace ONE UEM edition like Standard or Advanced. This is the most recent Workspace ONE Edition Comparison Guide covering Express, Express+ and Standard:

Workspace ONE Standard for macOS and Windows 10 Management

I doubt that a customer would start with Express if they have macOS and Windows clients. Even smaller companies probably have 80% of the same requirements when it comes to macOS and Windows 10 modern management.

But which features and configurations does VMware support with Workspace ONE Standard for Windows 10 management? Please find here an unofficial listing of the supported features:

OS Lifecycle

  • OOBE and Factory Provisioning (Device Onboarding)
  • Co-Management with SCCM and Workspace ONE AirLift
  • MDM profiles (passcode, WiFi, restrictions etc.)
  • OS Updates via WSUS or Windows Updates for Business

App Lifecycle

Security

  • Device Restrictions
  • Remote and Enterprise Wipe
  • GPS Tracking
  • DLP (Windows Information Protection, AppLocker)
  • AV and Firewall (Windows Defender, 3rd party AV deployment, Windows Firewall)
  • Conditional Access Management
  • Enforce BitLocker Encryption

[Figure: WS1 MDM capabilities for Windows 10]

That is a lot you can do already with our Standard edition, right? What are the reasons that you would need the next higher Workspace ONE Advanced edition? Most probably if you need one or more features like:

  • Application Delivery and Application Lifecycle (win32 – MSI, EXE, MST, MSP, PS1, BAT, ZIP)
  • Peer-to-Peer Distribution (WS1 uses the Windows BranchCache feature!)
  • Advanced BitLocker Encryption Management (key rotation, maintenance windows etc.)
  • Per-App VPN Tunneling with VMware Tunnel

What are the capabilities when it comes to macOS management? Here too, VMware’s approach is modern, imageless management over the air from the same management console. New devices can be enrolled with DEP and the Bootstrap Enrollment method, while existing users and devices have the choice of a web-based or staged enrollment.

[Figure: WS1 MDM capabilities for macOS]

Please find here an unofficial listing of the supported features and configurations for macOS payloads that are included in Workspace ONE Standard.

Via MDM interface

  • Passcode
  • Network
  • VPN
  • Certificates
  • SCEP
  • Dock
  • Restrictions
  • Parental Controls
  • Directory Binding
  • Security & Privacy
  • Disk Encryption
  • Login Items
  • Login Window
  • Time Machine
  • Finder
  • Printing
  • Content Filter
  • Device & Enterprise Wipe
  • Token Enrollment
  • User Management (unlock user account, logout current user, delete user)

Via our Intelligent Hub (Agent)

  • Enforce Encryption
  • Firewall
  • Firmware Password
  • VMware Fusion
  • Microsoft Outlook
  • Notifications
  • Custom Attributes

How can I deliver 3rd party apps like MS Office, Adobe Creative Suite etc.? VMware uses the open-source “Munki” framework for that.

Workspace ONE Assist (formerly known as Advanced Remote Management)

There is also an add-on called Workspace ONE Assist which enables you to remotely access and troubleshoot a device.

At the time of writing, WS1 Assist only supports iOS, Android, Windows Mobile and Windows 10 devices, but support for macOS is expected by the end of this year (2019).

Via the WS1 Admin Console, WS1 Assist lets you capture images and videos of the remote device; you can view and export audit logs of the sessions and even manage files and folders on a remote Windows 10 device, for example.

Final Words

If you would like to get a TestDrive access for Workspace ONE Express or Workspace ONE UEM, don’t hesitate to contact your partner or VMware account executive.

If you are a partner and would like to sell Workspace ONE, VMware has an MSP (Managed Service Provider) model for you! In this case, contact your VCPP representative.

I hope that you found valuable information here to better decide which Workspace ONE edition is the right one for you! 🙂

Workspace ONE UEM – Data Security, Data Privacy and Data Collection

Updated on April 6th, 2022 – Please be aware that some of this information may no longer be accurate.

More and more businesses are getting interested in a Unified Endpoint Management solution like Workspace ONE UEM. While EMM is well understood by everyone, UEM is far from that status. During meetings with customers about Workspace ONE, there are often concerns about “cloud” and the data that is being sent to the cloud.

Since information about data privacy, data security and data collection regarding Workspace ONE is not easy to gather, I decided to make it available here.

This topic is very important, because more businesses are now open to talk about cloud and hybrid solutions like Workspace ONE, where the management backend is managed by VMware and only a few components need to be installed on-premises in your own data center:

[Figure: Workspace ONE UEM SaaS Architecture]

With the release of Workspace ONE UEM 1904, VMware started to publish “SaaS only releases”. Before this announcement, an on-premises customer would get the on-prem installers three to four weeks after a new SaaS release had been made available. That’s why it’s clear that many more customers are having the same questions and requests when it comes to a cloud-based solution.

Of course, as we strive to bring you more cloud services at a faster pace, we will continue to add value with innovations in both our On-Premises and cloud offerings.

As a result, we are making a change to how we deliver Workspace ONE UEM beginning with Workspace ONE UEM Console 1904, which will be a SaaS-only release.

Which data is collected from users and devices? Who has access to this data?

  • By default, the solution only collects information necessary to manage the device, such as the device status, compliance information, OS, etc.; the solution may collect (if configured by the administrator), or users may input, data considered to be sensitive
  • The solution collects limited personal data, which includes user first and last name, username, email address, and phone number for user activation and management. These fields can be encrypted at rest in the solution database (AES-256). Customers may collect additional data points from the following matrix (as configured by the customer administrator): https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/UEM_Managing_Devices/GUID-AWT-DATA-COLLECT-MATRIX.html
  • VMware manages access to the SaaS environment while customers manage administrative and end-user access through the solution console
    • Access to the SaaS environment is technically enforced according to role, the principle of least privilege and separation of duties
    • Customers manage access entitlements for administrative and end users
  • VMware defines customer data related to the solution and/or hosted service in the VMware Data Processing Addendum
  • Data Sub-Processors can be found here

Is it possible to prevent data collection of specific information?

VMware covers this topic in their Workspace ONE Privacy Disclosure: https://www.vmware.com/help/privacy/uem-privacy-disclosure.html

  • Customer administrators use granular controls to configure what data is collected from users and what collected data is viewable by admins within the Workspace ONE console. Use granular role-based access controls to restrict the depth of device management information and features available to each administrative console user.
  • For Workspace ONE UEM, configure Collect and Display, Collect Do Not Display, and Do Not Collect settings for the following user data:
    • GPS Data
    • Carrier/Country Code
    • Roaming Status
    • Cellular Data Usage
    • Call Usage
    • SMS Usage
    • Device Phone Number
    • Personal Application
    • Unmanaged Profiles
    • Public IP Address
  • Customer administrators can choose whether or not to display the following user information (https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/UEM_Managing_Devices/GUID-AWT-CONFIGUREPRIVACYSETTINGS.html):
    • First Name
    • Last Name
    • Phone Number
    • Email Accounts
    • Username

How is data secured in the VMware hosted cloud?

Workspace ONE UEM has achieved the Service Organization Control (SOC) 2 Type 2 and ISO 27001, ISO 27017, and ISO 27018 certifications.

VMware can provide copies of the SOC 2 Type 2 report under an NDA; please contact your VMware account representative to request this report. Refer to the VMware Cloud Trust Center for the ISO certificate and the latest list of industry certifications.

VMware uses encryption for data in transit over the public Internet and at rest. For a comprehensive overview of the SaaS application, request the Workspace ONE UEM Cloud Security Overview from your VMware Representative.

I hope this short article helps everyone get the information they require for a Workspace ONE UEM SaaS project. I shared the same information with several customers from different businesses, and so far all legal departments have accepted the statements and moved forward with their Workspace ONE UEM project. 🙂