Mobile-First with Samsung DeX and VMware Horizon
Currently, most people must work from home because of COVID-19. When the global lockdown started, companies were challenged to provide continuity of business with:
- Remote PC access (physical access to computers with VMware Horizon or Citrix)
- Remote access via VPN
- Published desktops and apps hosted on-premises
- Published desktops and apps hosted in the Cloud (e.g. Azure or AWS)
- Shipping of new laptops
- Shipping of new thin clients (don’t forget the Raspberry Pi 4)
- Shipping of new mobile devices like smartphones and tablets
The options look clear but the execution of these actions wasn’t that easy. Nobody was prepared for a pandemic and its consequences: shipping problems and delays for servers, PCs and mobile devices. On the other hand, some companies already had the necessary infrastructure but not enough licenses for their virtual desktop infrastructure (VDI) or unified endpoint management (UEM) platform.
In Switzerland we are lucky to have modern and stable internet connections where 1 Gigabit over fiber is not the exception anymore. I don’t know how VMware’s internal IT was challenged at the beginning of this crisis but I could always access my applications and data from my laptop with Workspace ONE (I don’t need Horizon for work).
After a few weeks I was asking myself if employers know all their options to enable their employees for remote working. For sure, the biggest increases are related to digital workspace products. That’s why people on Twitter and LinkedIn are shouting out that it’s “the year of VDI”.
As long as not every virtual desktop or remote desktop session host is equipped with a vGPU, or until GPUs are affordable for everyone and become a commodity, we cannot, in my opinion, talk about the year of VDI. But that’s another topic.
When I heard that PC and smartphone shipments are delayed for weeks, I looked for alternatives which don’t rely on shipping of new devices:
- I assume the employee has a private PC or laptop at home
- I assume the employee possesses at least one smartphone or tablet
- I assume the employee has a stable internet connection at home
- I assume the employee has 4G/5G reception
To access a virtual desktop brokered via VMware Horizon you only need a PC or laptop with an HTML5-capable browser. The installation of the Horizon Agent is not mandatory but would give you a much richer user experience.
Working directly on a smartphone or tablet only makes sense, and is only fun, when:
- You don’t have to access a virtual desktop or virtual app on a tiny display
- You can use mobile apps
- You can use SaaS apps
- You can connect your phone or tablet to an external display – ideally with a keyboard and mouse
I have an iPad Pro at home but decided to test a mobile-first approach with a Samsung S20+, because it is more common that employers provide a smartphone instead of a tablet. I am not aware of any mobile-only company that solely works with smartphones or tablets. But I think it’s important to understand how a mobile-first or mobile-only approach affects the user experience and if it’s possible to replace PCs, laptops or thin clients.
Why is this thought interesting and important? The employee experience (EX) is the number one priority for a digital workspace and with today’s UEM platforms you can manage almost every formfactor and operating system (iOS, Android, macOS, Windows 10, Linux).
What if we can provide the same user experience and reduce costs with a mobile-first strategy coupled with Horizon for VDI use cases? Don’t ignore that there’s an ongoing shift towards 5G and it’s becoming more and more accessible.
The most famous telco provider in Switzerland is “Swisscom”, which already offers pretty wide 5G (up to 1Gbit/s) and 5G+ (up to 2Gbit/s) coverage.
My vision here is that every employee is only equipped with a smartphone which they can use in the office and at home to securely connect to the corporate network to access internal apps or data and SaaS applications.
Here is what I would like to test:
- Can the Samsung S20+ replace my Dell laptop?
- How can I connect peripherals like an external display, keyboard, mouse, headset, webcam, printer etc.?
- Which internal and external (mobile/SaaS) applications can be used with a good user experience?
- Which applications should better be accessed via a virtual desktop or published app delivered with Horizon?
- How is the user experience with Samsung DeX?
- Which 3rd party applications are supported with Samsung DeX?
- Can Samsung DeX transform a Samsung smartphone into a Windows thin client?
- How is my daily work affected?
- How do Samsung DeX and VMware Horizon work together?
Preparation of my Mobile-First Workplace
The first thing I did, after I installed all necessary Android updates, was to enroll my S20+ in VMware’s Workspace ONE.
I enrolled my phone as a dedicated corporate device and could access my company’s applications within the next five minutes. The following applications are the most important ones for my daily work at VMware:
- Microsoft Outlook / VMware Boxer
- Microsoft PowerPoint
- Microsoft Word
- Microsoft Excel
- Microsoft Teams
- Salesforce (SaaS version)
- Different web links (Confluence, Jira, intranet, technical marketing website etc.)
My phone is enrolled, remote access to the corporate network can be established and all the necessary mobile applications are installed. Internal web links and SaaS applications can be accessed through the secure per-app VPN tunnel (micro VPN tunnel) and the Workspace ONE application catalog (image above) with SSO (Single Sign-On).
So, how do I transform this smartphone into PC-mode?
I believe Samsung first included the “Desktop eXperience” (DeX) feature on Galaxy S8 smartphones and the original version even required the use of a DeX docking station. For a few months now, DeX can also be launched via a direct cable connected to an external display, Windows or Mac client. This means that no multiport adapter and no HDMI cable is needed if your display has a USB-C port.
Samsung DeX is not hardware — it’s a software platform that extends your smartphone or tablet into a desktop computing experience.
To use DeX desktop on Windows or macOS you’ll need the downloadable app, but this is not something I’m going to explore further.
Lucky me, my Dell display at home has a lot of regular USB ports and one USB-C port. This allowed me to connect the S20+ smartphone with the USB-C cable and connect peripherals like my headset (or speakers), keyboard and mouse. Another option, if you have a Bluetooth keyboard and mouse, would be to connect them directly to the S20. The only thing I didn’t do yet, because it has no priority, is to connect my network printer to the phone.
In the image above you can see the DeX desktop with some applications shortcuts I created.
The configuration of my keyboard and headset as the primary audio device was also very simple. So far, I am very impressed!
All you need to get started using DeX are a display, an HDMI adapter and peripherals. The HDMI adapter is only needed if you haven’t got an integrated USB-C port in your monitor. And not every monitor has a lot of USB ports. That’s why Samsung offers three different adapters:
The DeX cable is a simple 1.4m long HDMI-USB-C cable which you plug into your monitor.
The compact HDMI adapter allows you to connect your phone to an HDMI cable on your monitor. As no additional ports are available with the DeX cable and HDMI adapter, you’ll need to use Bluetooth peripherals.
The third option is a multiport adapter that gives you a USB 3.0 port, a GigE port for a wired internet connection and a USB-C port to connect the phone’s charging cable (beside the HDMI port).
If you have no mouse, then you could use your phone as a touchpad. A notification on your phone will show you this option.
Samsung Core Applications & 3rd party apps
In Samsung’s “Beginner’s Guide to Samsung DeX” you’ll find the following information about supported mobile apps:
All of Samsung’s core applications are optimized for DeX, meaning you can resize and maximize the apps. You can also use right-click functionality and keyboard shortcuts. There are dozens of third-party apps that are fully optimized for DeX, including the Microsoft Office suite, Adobe Acrobat Reader, Photoshop Lightroom, Photoshop Sketch, Gmail, Chrome, BlueJeans, GoToMeeting and all the leading VDI clients, to name just a few. For those that aren’t optimized for DeX, read on for the next tip.
Here’s the next tip about the DeX Labs activation:
DeX Labs offers access to “experimental” features that aren’t officially supported. Two current features include allowing DeX to force apps to resize and auto-open the last used app. To activate, click the DeX logo on the bottom right of your screen, open DeX Labs and toggle the features on. Now, when you open an app that is not DeX optimized, you’ll be given the opportunity to force resizing. This will allow you to view it in a larger window or even in fully maximized view.
Samsung and VMware have had a partnership for a while now and because of that the VMware Horizon Client and some other VMware apps are on the list of supported 3rd party apps.
I tested Zoom already and it worked perfectly. First tests of Boxer and Slack also looked promising. The only apps which are not on the list of “apps in DeX mode” are:
- MS Teams
- Slack (seems to work)
When I try to open MS Teams in DeX mode, nothing happens, and I see on the smartphone that the app is immediately crashing. DeX Labs, which attempts to resize apps that aren’t officially supported by Samsung DeX, didn’t make any difference.
Mobile Apps vs. Desktop Apps
Since MS Teams is not working in DeX mode, I’m going to check if DeX Labs helps. Otherwise I have to mirror my phone’s screen to use MS Teams or start this on a virtual desktop provided with Horizon.
Launching VMware Horizon desktops when working within DeX gives you both. You’re now working on a virtual desktop with full desktop apps. You’re viewing content on a full-sized monitor, and using the keyboard and mouse to get work done. And it’s all powered by your Galaxy smartphone. That is the digital workplace, powered by mobile.
Accessing a virtual desktop is very easy. You just need to download the Horizon Client from the Workspace ONE catalog (Intelligent Hub) or install the available one from the Google Play Store.
For my tests I’m going to use the VMware TestDrive environment again, as I did for my testing with the Raspberry Pi 4. In the Horizon Client for Android User Guide you will find more information about using the Horizon Client with Samsung DeX:
If the Android device supports Samsung DeX, you can use Horizon Client in DeX desktop mode.
When the device is in DeX desktop mode, Horizon Client treats the device as a thin client and Thin Client mode is enabled. For more information, see Using Horizon Client on a Thin Client.
The following features are supported when you use Horizon Client in Horizon DeX desktop mode.
- You can configure Horizon Client to start automatically when you switch to DeX desktop mode. See Enable the DeX Mode Auto Launch Feature.
- Remote desktop and published application sessions continue to run after you enter or exit DeX
- If Horizon Client is maximized, remote desktops enter full-screen mode after you switch to DeX
- To switch the language input method in a remote desktop, you can use the language switch key on a Samsung physical keyboard.
- You can connect to multiple remote desktops and published applications at the same time. Smart card authentication is not supported for multiple sessions
Use Cases for DeX and VDI
Let’s give you a few examples of classic use cases.
When we think about hospitals and healthcare in general, data security and mobility are very important topics. Mobility can help to improve productivity, and almost every healthcare customer uses VDI for security and mobility purposes, e.g. shift workers and doctors need (VDI desktop) session roaming.
My experience shows that doctors often have a phone, tablet and a desktop/laptop.
Instead of having:
- a computer in the office
- a computer or thin client in the examination room
- and a tablet for patient data (electronic health record) or medical images
you could do it all with one device and have the same user experience everywhere and in any case. I will cover the support of various authentication methods (smart card, biometric) later.
Please find here the VMware Horizon 7 Deployment Guide for Healthcare.
The finance vertical also has different pillars and specific use cases. With banking or wealth management customers you probably have to talk more about thin clients and VDI. And with insurance companies, which have a lot of road warriors, you need to consider scenarios where the agents/consultants are working in the car or directly at their customer.
For road warriors you could also propose a Samsung tablet and/or a mounted display and a dedicated keyboard which acts like a standalone computer.
Public sector customers have requirements that combine those of the healthcare and finance industries. Obviously, security is one of the most important topics. Data leakage prevention, encryption, data locality (argument for VDI) etc. are just a few of the requirements. Multi-factor authentication with smart cards is also very common.
Security with Samsung DeX and Horizon
In this section I want to summarize what Samsung and VMware are offering for a secure mobile-first or mobile-only workplace. Samsung provides security with their phone and additional security features (Knox) for personal and enterprise use.
VMware refers to its intrinsic security strategy with a Zero Trust security approach.
Samsung DeX and Samsung Knox
Using DeX also brings security benefits. Samsung smartphones and tablets are protected by advanced biometric security and Samsung Knox, a defense-grade security platform that’s designed from the chip up to protect devices from the minute they’re powered on — so you can be sure your information is safe.
Workspace ONE Unified Endpoint Management (UEM)
For device management and compliance (OS updates, security patches etc.) of Android-based phones we use Workspace ONE UEM before allowing any access.
With Workspace ONE Access you can grant access to your applications based on a combination of conditions (which is also known as the conditional access engine). The policy framework for conditional access consists of:
- User (employee, contractor, customer)
- Device (iOS, Android, Win10, macOS, BYOD, corp device, unmanaged)
- Application (web, mobile, virtual, low or high security, internal, external)
- Location (network range, 3G/4G/5G, geo)
For secure remote access to the corporate network, Workspace ONE offers an application tunnel and proxy. The app tunnel is established with Workspace ONE Tunnel, and the Unified Access Gateway (UAG) offers edge services so that you can securely access your on-prem Horizon virtual app or desktop.
With Workspace ONE Intelligence you’ll get automated remediation and orchestration. Based on different conditions or triggers you can define actions or workflows like ticketing or notifications. You could also automate the blocking of a VPN access if a phone or tablet doesn’t meet the required patch level.
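The conditional access conditions (user, device, application, location) and the patch-level remediation described above can be modelled in a few lines. This is an added sketch, not Workspace ONE code or its API: every name, the network range and the minimum patch date are hypothetical values constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed policy values for illustration; not taken from any real tenant.
CORP_RANGES = [ip_network("10.20.0.0/16")]   # "Location": trusted network range
MIN_PATCH = date(2020, 4, 1)                 # oldest accepted Android patch level
ENTITLED_USERS = {"employee", "contractor"}  # "User": who may sign in at all


@dataclass(frozen=True)
class AccessRequest:
    user_type: str                 # employee, contractor, customer
    managed: bool                  # "Device": enrolled in UEM?
    patch_level: Optional[date]    # None when the device is unmanaged/unknown
    app_security: str              # "Application": "low" or "high"
    source_ip: str


def on_corp_network(ip: str) -> bool:
    return any(ip_address(ip) in net for net in CORP_RANGES)


def evaluate(req: AccessRequest):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    reasons = []
    if req.user_type not in ENTITLED_USERS:
        reasons.append("user type not entitled")
    if req.app_security == "high" and not req.managed:
        reasons.append("high-security app requires a managed device")
    if req.managed and (req.patch_level is None or req.patch_level < MIN_PATCH):
        reasons.append("patch level below required minimum")
    if reasons:
        return "deny", reasons
    # Every hard condition passed; location decides whether to ask for more proof.
    if req.app_security == "high" and not on_corp_network(req.source_ip):
        return "step_up", ["high-security app from outside the corporate range"]
    return "allow", []


def remediation_actions(inventory: dict) -> list:
    """Automation step: for each device whose patch level is too old,
    emit the 'block tunnel' and 'notify user' actions described above."""
    return [
        {"device": name, "actions": ["block_tunnel", "notify_user"]}
        for name, patch in sorted(inventory.items())
        if patch < MIN_PATCH
    ]


if __name__ == "__main__":
    current = AccessRequest("employee", True, date(2020, 5, 1), "high", "203.0.113.7")
    print(evaluate(current))
    print(remediation_actions({"s20-plus-01": date(2020, 5, 1),
                               "s8-legacy-02": date(2019, 11, 1)}))
```

Collecting all deny reasons instead of stopping at the first one gives the help desk and the user a complete picture of what has to be fixed before access is restored.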
If you want to go one step further you could leverage the Workspace ONE Trust Network which combines the insights from Workspace ONE with verified security partners (current partners are Carbon Black, Zscaler, Lookout, Netskope, Wandera and Zimperium) by APIs to deliver predictive and automated security for your mobile clients or the digital workspace in general.
You can also add VMware NSX to enhance security with micro-segmentation and secure east-west traffic for applications and desktops in the data center and the cloud.
Workspace ONE Intelligent Hub is the portal for users to access their different applications and provides the same user experience on any device. The look and feel in your browser are the same as on your Samsung phone or tablet. In DeX mode I opened the Intelligent Hub app (left) and accessed the portal in Chrome as well (right).
Customers know the smart cards as plastic cards which have a digital certificate embedded which allows them to authenticate themselves to their desktops and applications. Some larger enterprises use the same plastic card or badge to access buildings or to digitally sign documents.
To get access to the digital certificate on the card, you would traditionally insert the card in an internal or externally connected smart card reader and then enter your PIN. For mobile workers and a mobile-centric platform this way of working doesn’t offer the best user experience.
And beside that physical smart cards are also considered old-fashioned, right?
Because of these reasons VMware introduced support for derived credentials a couple of years ago for Horizon Clients for Android, iOS and Windows. This eliminated the need for physical smart cards and smart card readers. All you need is the PIV-D Manager mobile app which comes with Workspace ONE:
VMware PIV-D Manager is a mobile application that integrates with various Derived Credential solution providers enabling the use of Derived Credentials with Workspace ONE UEM. The available vendors currently supported with the PIV-D Manager app are DISA Purebred, Entrust IdentityGuard, Intercede MyID, XTec, and Workspace ONE UEM.
What if your mobile workers have problems with their phones or tablets? Workspace ONE Assist is the last piece to complete the puzzle and it enables you to access and troubleshoot devices remotely in real time from the Workspace ONE console.
Here are the current supported features separated by platform:
In April 2020 VMware announced the expansion of their remote support solution offerings with VMware RemoteHelp.
The difference between RemoteHelp and Workspace ONE Assist is that you don’t need Workspace ONE UEM with RemoteHelp. You can look at RemoteHelp like Bomgar or TeamViewer, but with the addition that support engineers can launch remote support sessions of Android (and iOS) devices directly from their CRM platform. RemoteHelp is sold as a standalone product and has its own console and end-user mobile application.
You would use RemoteHelp where customers are using DeX with Horizon but are not managing the device with Workspace ONE.
Samsung Galaxy S20+ as Thin Client
I mentioned already once or twice that I wrote articles about the Raspberry Pi 4 (RPi) and how it performs as a thin client for VMware Horizon. From a price perspective you cannot compare an S20+ and an RPi, because a smartphone has so many more features and is used for much more than connecting to a virtual desktop or web browsing. But let us have a look at the specs of both devices:
| Specifications | Samsung S20+ | Raspberry Pi 4 B/4GB |
| --- | --- | --- |
| Formfactor | Smartphone | Small Single-Board Computer |
| Dimensions & Weight | 161.9 x 73.7 x 7.8mm | 88 x 58 x 19.5mm, 46g (board only) |
| Operating System(s) | Android 10 | Raspbian, Stratodesk NoTouch OS, Ubuntu (MATE, Core, Server), Win 10 IoT Core |
| Processor (CPU) | 64-bit 8-Core 2.70 GHz | 4-Core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz |
| Memory (RAM) | 8GB | 4GB |
| Network & Connectivity | 5G, 1 GigE (with adapter) | |
| Display Connectivity | USB-C, HDMI (with adapter) | |
| Power Connectivity | USB-C | |
The specifications of the Galaxy S20+ suggest that we should get the same user experience as with a Raspberry Pi 4 Model B with 4GB RAM.
Horizon Test Environment
I’m going to use the same vGPU enabled Windows 10 from VMware TestDrive in the EMEA region. The Win10 desktop is equipped with four vCPUs from a Xeon Gold 6140 CPU, 8GB RAM and a Nvidia Tesla V100 GPU (V100-2Q profile).
As you can see in the screenshot above in Remote Desktop Analyzer I’m connected with the Blast protocol and that the active encoder is NVIDIA NvEnc H264. This tells us that the non-CPU encoding (H.264) on the virtual desktop and the H.264 decoding on the Samsung smartphone are supported and working.
I have tested a YouTube HD trailer and graphic intensive applications as usual. All my uploaded videos have been compressed to a more web-friendly format and size.
Here is the link for the Avengers 4 Endgame Trailer.
2) Nvidia Faceworks
3) eDrawings Racecar Animation
4) Nvidia “A New Dawn”
Can a Samsung Galaxy S20+ replace my laptop?
A Samsung smartphone (or tablet) can definitely replace a fat client like a PC or laptop. The videos above are clearly showing that accessing and working with a virtual desktop is no problem at all and that the user experience is very good.
Working in DeX mode was a little strange at the beginning, but I think I and people in general could get used to it over time.
The 3rd party apps which are not working in DeX mode need to be accessed from a virtual desktop delivered with VMware Horizon or directly on the phone. You can switch to screen mirroring quickly and go back to DeX mode after. That’s just how it is.
When I joined VMware two years ago, I chose the Galaxy S8 as my corporate device and a Dell Precision laptop. For my role as a pre-sales solution architect who has to work a lot offline while travelling, a laptop is probably a better fit. Otherwise, at home or in the office, I could easily work with my S8 or S20+ only.
And as companies are giving you a phone and laptop as well, the price for a S20+ is very acceptable if you can replace at least one device like a PC or thin client.
Mobile computing is already transforming productivity across many industries. I believe that Samsung’s key features and VMware’s digital workspace offering make it possible to provide a secure mobile-first workplace.