Select Page
Introduction to Workspace ONE Express and Express+

Introduction to Workspace ONE Express and Express+

With the release of Workspace ONE UEM 1907 AirWatch Express has been renamed to Workspace ONE Express and a few months later we announced Workspace ONE Express+ which is the result of a partnership with Dell.

Workspace ONE Express (WS1 Express) is a SaaS-only solution which is perfectly made for startups and the small- and mid-market in general. It is a simple mobile device management (MDM) solution designed to get your mobile devices up and running quickly without requiring extensive knowledge or an on-premises infrastructure.

The main features are the configuration of WiFi, apps, e-mail and security – basic MDM. WS1 Express requires a minimum of 10 devices and can be used for up to 500 devices, whereas the regular Workspace ONE UEM editions require at least 25 devices/users and have an unlimited licensing scale.

So, which edition is the right one for you? It depends on your types of mobile devices, use cases and requirements.

If you are a small company for example with 50 iOS and Android devices and would like to configure the native e-mail client, WiFi access, deploy some apps and set a passcode, then the Workspace ONE Express is the edition you are looking for.

If you are a company with around 250 users and would like to manage your macOS and Windows 10 clients, then we have to take a closer look what your requirements are.

IMPORTANT: WS1 Express has some policies for macOS, but Windows 10 can only be managed with Workspace ONE Express+ !

This means that you have to go for the Workspace ONE UEM Standard edition, if you need an acceptable feature set for these operating systems.

What is the big difference between Workspace ONE Express and Workspace ONE UEM Standard?

As just mentioned before, the biggest difference is the limited feature set of WS1 Express and that you cannot configure payloads, but have to use the “blueprint setup”.

WS1Express-Blueprints_Create

Upon the initial login, a step-by-step wizard will help and guide you through the process of configuring WS1 and your devices.

WS1Express-Getting Started _Setup

During the creation of a blueprint you can select the policies for each operating system and you quickly realize that Workspace ONE Express is really offers basic MDM capabilities.

WS1Express-Blueprints_Policies

Apple DEP and Android Zero-Touch Enrollment are fully supported with the Express edition.

Can you start with Express and upgrade later to Standard or Advanced? Yes, you can! This is the great thing about Workspace ONE. If your company is small and would like to start small, then choose Express. If your company, the employee number and your requirements grow, upgrade to a regular Workspace ONE UEM Edition like Standard or Advanced. That’s the most recent Workspace ONE Edition Comparison Guide about Express, Express+ and Standard:

Workspace ONE Standard for macOS and Windows 10 Management

I doubt that a customer would start with Express if they have macOS and Windows clients. Even smaller companies have probably 80% of the same requirements when it comes to macOS and Windows 10 modern management.

But which features and configurations do we support with Workspace ONE Standard for Windows 10 management? Please find here an unofficial listing of the supported features:

OS Lifecycle

  • OOBE and Factory Provisioning (Device Onboarding)
  • Co-Management with SCCM and Workspace ONE AirLift
  • MDM profiles (passcode, WiFi, restrictions etc.)
  • OS Updates via WSUS or Windows Updates for Business

App Lifecycle

Security

  • Device Restrictions
  • Remote and Enterprise Wipe
  • GPS Tracking
  • DLP (Windows Information Protection, AppLocker)
  • AV and Firewall (Windows Defender, 3rd party AV deployment, Windows Firewall)
  • Conditional Access Management
  • Enforce BitLocker Encryption

WS1_MDM_capabilities

That is a lot you can do already with our Standard edition, right? What are the reasons that you would need the next higher Workspace ONE Advanced edition? Most probably if you need one or more features like:

  • Application Delivery and Application Lifecycle (win32 – MSI, EXE, MST, MSP, PS1, BAT, ZIP)
  • Peer-to-Peer Distribution (WS1 uses Windows BranchCache feature!)
  • Advanced BitLocker Encryption Management (key rotation, maintenance windows etc.)
  • Per-App VPN Tunneling with VMware Tunnel

What are our capabilities when it comes to macOS management? Well, also here our approach is to have a modern imageless management over the air from the same management console. We support new devices with DEP and Bootstrap Enrollment, but give existing users and devices the choice of a web-based or staged enrollment.

WS1_MDM_macOS

Please find here an unofficial listing of the supported features and configuration for macOS payloads which are included in Workspace ONE Standard.

Via MDM interface

  • Passcode
  • Network
  • VPN
  • Certificates
  • SCEP
  • Dock
  • Restrictions
  • Parental Controls
  • Directory Binding
  • Security & Privacy
  • Disk Encryption
  • Login Items
  • Login Window
  • Time Machine
  • Finder
  • Printing
  • Content Filter
  • Device & Enterprise Wipe
  • Token Enrollment
  • User Management (unlock user account, logout current user, delete user)

Via our Intelligent Hub (Agent)

  • Enforce Encryption
  • Firewall
  • Firmware Password
  • VMware Fusion
  • Microsoft Outlook
  • Notifications
  • Custom Attributes

How can I deliver 3rd party apps like MS Office, Adobe Creative Suite etc.? We use the open source “Munki” framework for that.

Workspace ONE Assist (formerly known as Advanced Remote Management)

We also have an add-on called Workspace ONE Assist which enables you to remotely access and troubleshoot a device. 

At the moment of writing WS1 Assist only supports iOS, Android, Windows Mobile and Windows 10 devices, but the support for macOS is coming until the end of this year (2019). 

Via the WS1 Admin Console WS1 Assist let’s you to capture images and videos of the remote device and you can view and export audit logs of the sessions and even manage files and folders on the Windows 10 remote device for example.

Final Words

If you would like to get a TestDrive access for Workspace ONE Express or Workspace ONE UEM, don’t hesitate to contact your partner or VMware account executive.

If you are a partner and would like to sell Workspace ONE, we also have a MSP (Managed Service Provider) model for you! In this case contact your VCPP representative.

And I hope that you found valuable information here to better decide which Workspace ONE edition is the right one for you! 🙂

Raspberry Pi 4 – The Ultimate Thin Client?

Everyone is talking about the new Raspberry Pi 4 and ask themselves if it’s the new ultimate and cheap thin client. So far, I haven’t seen any customer here in Switzerland using a Pi with VMware Horizon. And to be honest, I have no hands-on experience with Raspberry Pis yet and want to know if someone in pre-sales like me easily could order, install, configure and use it as a thin client. My questions were:

  • How much would it cost me in CHF to have a nice thin client?
  • What kind of operating system (OS) is or needs to be installed?
  • Is this OS supported for the VMware Horizon Client?
  • If not, do I need to get something like the Stratodesk NoTouch OS?
  • If yes, how easy is it to install the Horizon Client for Linux?
  • How would the user experience be for a normal office worker?
  • Is it possible to use graphics and play YouTube videos?

First, let’s check what I ordered on pi-shop.ch:

  • Raspberry Pi 4 Model B/4GB – CHF 62.90
  • KKSB Raspberry Pi 4 Case – CHF 22.90
  • 32GB MicroSD Card (Class10) – CHF 16.90
  • Micro-HDMI to Standard HDMI (A/M) 1m cable – CHF 10.90
  • Power: Official Power Supply 15W – CHF 19.40
  • Keyboard/Mouse: Already available in my home lab

Total cost in CHF: 133.00

Raspberry Pi 4 Model B Specs

I ordered the Raspberry Pi 4 Model B/4GB with the following hardware specifications:

  • CPU – Broadcom BCM2711, quad-core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz
  • RAM – 4GB LPDDR4
  • WLAN – 2.4 GHz and 5.0 GHz IEEE 802.11b/g/n/ac wireless
  • Gigabit Ethernet
  • USB – 2x USB 3.0, 2x USB 2.0
  • Video – 2 × micro HDMI ports (up to 4Kp60 supported)
  • Multimedia – H.265 (4Kp60 decode), H.264 (1080p60 decode, 1080p30 encode)

With this powerful hardware I expect no problems and would assume that even playing videos and using graphics is not an issue. But let’s figure that out later.

Horizon Client for Linux

The support for the Raspberry Pi came with Horizon Client 4.6 for Linux:

Horizon Client for Linux now supports the Raspberry Pi 3 Model B devices that are installed with ThinLinx Operating System (TLXOS) or Stratodesk NoTouch Operating System. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

And the current Horizon Client 5.1 still only mentions the support for Raspberry Pi 3 with the same supported feature set:

Horizon Client for Linux 5.1 is supported on Raspberry Pi 3 Model B devices that are installed with ThinLinx Operating System (TLXOS) or Stratodesk NoTouch Operating System. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

Hm, nothing has changed so far. During the time of writing this article I’ll try to figure out if the official support for a Pi 4 is coming soon and why ThinLinX is the only supported OS so far. Because I saw on Twitter and on the Forbes website that people are waiting for Ubuntu MATE for their Raspis

And I found a tweet from August 6, 2019, from the ThinLinX account with the following information:

ThinLinX has just released TLXOS 4.7.0 for the Raspberry Pi 4 with dual screen support. The same image runs on the entire Raspberry Pi range from the RPi2 onward TLXOS 4.7.0 supports VMware Horizon Blast, Citrix HDX, RDP/RemoteFX, Digital Signage and IoT

Raspberry Pi and Horizon Client 4.6 for Linux

The next question came up – are there already any people around who tested the ThinLinX OS with a Raspberry Pi 3/4?

Probably a few people tried it already, but only one guy from UK so far blogged about this combination on his blog vMustard.

He wrote a guide about how to install TLXOS and the TMS management software, the configuration of TLXOS and how the Horizon Client for Linux needs to be installed. For sure his information helps me to get started.

Horizon Test Environment

I’m going to use VMware’s TestDrive to access a vGPU enabled Windows 10 desktop from the EMEA region. Such a Windows 10 1709 desktop is equipped with a Xeon Gold 6140 CPU and a Nvidia Tesla V100 card. I tried to get a card from Nvidia to perform the tests in my home lab, but they already gave away all the cards they had. So, the test in my home lab has to wait for a few weeks or months. 🙂 

Workspace ONE UEM and TLXOS

And when I finally have installed TLXOS and can connect to a Horizon desktop, would it be possible to install Intelligent Hub and enroll the device in my Workspace ONE UEM sandbox environment? Is this also possible and supported?

Checking our VMware Docs and the Workspace ONE UEM product documentation the following information can be found:

The flexibility of the Linux operating system makes it a preferred platform for a wide range of uses, including notebooks, Raspberry Pi devices, and other IoT-capable devices. With Workspace ONE UEM, you can build on the flexibility and ubiquity of Linux devices and integrate them with your other mobile platforms in a central location for mobile device management.

Hm, would my new thin client be supported or not? The only requirements mentioned, are:

  • You can enroll devices running any version and any configuration of Linux running on either x86_64 or ARM7 architecture into Workspace ONE UEM
  • You can enroll Linux devices in any Workspace ONE UEM version from 1903 onward
  • You must deploy the Workspace ONE Intelligent Hub for Linux v1.0

As you can see above the new Raspberry Pi 4 is based on ARM8. I asked our product management if the RPi4 and TLXOS is supported and received the following answer:

As for WS1 UEM support for Linux, we do support ARM and won’t have a problem running on a Pi4, but we are still early stages for the product

As the Linux management capabilities with Workspace ONE UEM are very limited, I’m going to wait another four to six months to perform some tests. But TLXOS is anyway coming with its on management software. And customers would probably prefer another Linux Distribution like Ubuntu MATE.

Raspberry Pi 4 Setup

There is no special manual needed to set up a Raspberry Pi. Just unbox and install it in a case, if you ordered one. Here are some general instructions: https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up

Install ThinLinX OS on the Raspberry Pi 4

Download the most recent installer for ThinLinX OS (TLXOS) for a Raspberry Pi: http://thinlinx.com/download/

1_TLXOS_RaspberryPi4_SDcard_Installer

Insert your microSD card into your PC and launch the “TLXOS Raspberry Pi SD Card Installer” (in my case tlxos_rpi-4.7.0.exe” and press “Yes” if you are prepared to write the image to the SD card.

3_TLXOS 4.7.0 for Raspberry Pi (v2 and v3)

After the image extraction a “Win32 Disk Imager” window will appear. Make sure the to choose the correct drive letter for the SD card (in my case “G”). Click “Write”

4_Win32_Disk_Imager

If everything went fine you should get a notification that the write was successful.

5_TLXOS-Complete

Now put the SD card into the Pi, connect the USB-C power cable, mirco-HDMI cable, keyboard and mouse.

And then let’s see if the Pi can boot from the SD card.

5_TLXOS-Complete

It seems that the TLXOS just booted up fine and that we have “30 Day Free Trial” included.

8_TLXOS_30d_FreeTrial

A few minutes later TLXOS was writing something to the disk and did a reboot. The Chromium browser appears. This means we don’t need to install the TMS for our tests, except you would like to test the management of a TLXOS device.

I couldn’t find any menu on TLXOS, so I closed the browser and got access to a menu where I apparently can configure stuff.

10_Chromium_closed_menu_appears

Install Horizon Client for Linux on TLXOS

After I clicked on “Configure” before I browsed through the tabs (Application) and found the option to configure the Horizon Client. It seems that the client is included now in TLXOS which was not the case in the past. Nice! 

11_TLXOS_Configure_VMwareBlast

Note:

When a TLXOS device boots, if configured correctly it will automatically connect to a Remote
Server using the specified connection Mode. Up to 16 different connection Modes can be
configured

I just entered the “Server” before and clicked on “Save Settings” which opened the Horizon Client automatically where I just have to enter my username and password (because I didn’t configure “Auto Login” before).

Voila, my vGPU powered Windows 10 desktop from VMware TestDrive appeared.

As first step I opened the VMware Horizon Performance Tracker and the Remote Desktop Analyzer (RD Analyzer) which both confirmed that the active encoder is “NVIDIA NvEnc H264“. This means that the non-CPU encoding (H.264) on the server and the H.264 decoding on TLXOS with the Horizon Client (with Blast) should work fine.

To confirm this, I logged out from the desktop and checked the Horizon Client settings. Yes, H.264 decoding was allowed (default).

15_TLXOS_HorizonClient_H264_allowed

After disallowing the H.264 decoding I could see the difference in the Horizon Performance Tracker.

The active encoder changed to “adaptive”. Let’s allow H.264 again for my tests!

Testing

 

1) User Experience with YouTube

As a first test the user experience with the Raspberry Pi 4 as a thin client and to check how the H.264 decoding performs I decided to watch this trailer:

AVENGERS 4 ENDGAME: 8 Minute Trailers (4K ULTRA HD) NEW 2019: https://www.youtube.com/watch?v=FVFPRstvlvk

I had to compress the video to be able to upload and embed it here. Important to see is that I was watching the 4K trailer in full screen mode and the video and audio were not choppy, but smooth I would say! I had around 21 to 23 fps. But that’s very impressive, isn’t it?

For the next few tests I’m going to use what TestDrive offers me:

2) TestDrive – Nvidia Faceworks

3) TestDrive – eDrawings Racecar Animation

4) TestDrive – Nvidia “A New Dawn”

5) TestDrive – Google Earth

6) FishGL

Conclusion

Well, what are the important criteria which a thin client needs to fullfil? Is it

  • (Very) small form factor
  • Management software – easy to manage
  • Secure (Patching/Updating, Two Factor Authentication, Smartcard Authentication)
  • Longevity – future proof
  • Enough ports for peripherals (e.g. Dualview Support)
  • Low price
  • Low power consumption

It always depends on the use cases, right? If Unified Communications is important to you or your customer, then you need to go with the Stratodesk’s NoTouch OS or have to buy another device and use a different OS. But if you are looking for a good and cheap device like the Raspberry Pi 4, then multimedia, (ultra) HD video streaming and office applications use cases are no problem.

My opinion? There are a lot of use cases for these small devices. Not only in end-user computing, but it’s easy for me to say that the Raspi has a bright future!

With the current TLXOS and the supported Horizon Client features so far I wouldn’t call this setup “enterprise ready” because the installation of TLXOS needs to be done manually except you can get it pre-installed on a SD card? Most customers rely on Unified Communications today and are using Skype for Business and other collaboration tools which is not possible yet according to the Horizon Client release notes. But as soon as the Horizon Client (for Linux) in TLXOS gets more features, the Raspberry Pi is going to take some pieces of the cake and the current thin client market has to live in fear. 😀

The biggest plus of a Raspberry Pi as a thin client is definitely the very small form factor combined with the available ports and the cheap money (TLXOS license not included). You can connect two high resolution monitors, a network cable, keyboard, mouse and a headset without any problem. If you buy the Pi in bulk as customer then I claim that the price is very, very hard to beat. And if a Pi has a hardware defect then plug the SD card into another Pi and your user can work again within a few minutes. If VESA mount is mandatory for you then buy a VESA case. By the way, this is my KKSB case:

What is missing in the end? Some Horizon Client features and the manual initial OS deployment method maybe. I imagine that IT teams of smaller and medium-sized companies could be very interested in a solution like this, because a Raspberry Pi 4 as a thin client already ROCKS!

    Workspace ONE UEM – Data Security, Data Privacy and Data Collection

    A lot of businesses are getting more and more interested in a Unified Endpoint Management solution like Workspace ONE UEM. While EMM is pretty clear to everyone, UEM is far away from this status. During the meetings with customers about Workspace ONE we often hear concerns about “cloud” and the data which is being sent to the cloud.

    Since this information about data privacy, data security or data collection regarding Workspace ONE is not easy to gather, I decided to make this information available here.

    This topic is very important, because more businesses are open now to talk about cloud and hybrid solutions like Workspace ONE where the management backend is managed by VMware and only a few components need to be installed on-premises in your own data center:

    Workspace ONE UEM SaaS Architecture

    With the release of Workspace ONE UEM 1904 VMware started to publish “SaaS only releases“. Before this announcement an on-premises customer would get the on-prem installers three to four weeks after a new SaaS release has been made available. That’s why it’s clear that a lot more customers are having the same questions and requests when it comes to a cloud-based solution.

    Of course, as we strive to bring you more cloud services at a faster pace, we will continue to add value with innovations in both our On-Premises and cloud offerings.

    As a result, we are making a change to how we deliver Workspace ONE UEM beginning with Workspace ONE UEM Console 1904, which will be SaaS only release.

    Which data are collected from users and devices? Who has access to this data?

    • By default, the solution only collects information necessary to manage the device, such as the device status, compliance information, OS, etc.; our solution may collect (if configured by administrator) or users may input data considered to be sensitive
    • The solution collects a limited personal data which includes user first and last name, username, email address, and phone number for user activation and management. These fields can be encrypted at rest in the solution database (AES 256). Customers may collect additional data points in the following matrix (as configured by the customer administrator): https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1904/UEM_Managing_Devices/GUID-AWT-DATA-COLLECT-MATRIX.html
      • VMware automatically collects certain information when you use or access Online Properties (“VMware websites, online advertisements or marketing emails “) or mobile apps. This information does not necessarily reveal your identity directly but may include information about the specific device you are using, such as the hardware model, operating system version, web-browser software (such as Firefox, Safari, or Internet Explorer) and your Internet Protocol (IP) address/MAC address/device identifier. We also automatically collect and store certain information in server logs such as: statistics on your activities on the Online Properties or mobile apps; information about how you came to and used the Online Property or mobile app; your IP address; device type and unique device identification numbers, device event information (such as crashes, system activity and hardware settings, browser type, browser language, the date and time of your request and referral URL), broad geographic location (e.g. country or city-level location) and other technical data collected through cookies, pixel tags and other similar technologies that uniquely identify your browser. Please refer to the VMware Privacy Notice for additional information.
    • VMware manages access to the SaaS environment while customers manage administrative and end-user access through the solution console
      • Access to the SaaS environment is technically enforced according to role, the principle of least privileges and separation of duties
      • Customers manage access entitlements for administrative and end users
    • VMware defines customer data related to the solution and/or hosted service in the VMware Data Processing Addendum
    • Data Sub-Processors can be found here

    Is it possible to prevent data collection of specific information?

    • Customer administrators use granular controls to configure what data is collected from users and what collected data is viewable by admins within the Workspace ONE console. Use granular role-based access controls to restrict the depth of device management information and features available to each administrative console user.
    • For Workspace ONE UEM configure Collect and Display, Collect Do Not Display, and Do Not Collect settings for user data:
      • GPS Data
      • Carrier/Country Code
      • Roaming Status
      • Cellular Data Usage
      • Call Usage
      • SMS Usage
      • Device Phone Number
      • Personal Application
      • Unmanaged Profiles
      • Public IP Address
    • Customer administrators can choose whether to display or to do not display the following user information:
      https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1904/UEM_Managing_Devices/GUID-AWT-CONFIGUREPRIVACYSETTINGS.html
      • First Name
      • Last Name
      • Phone Number
      • Email Accounts
      • Username

     Is the data in the cloud encrypted?

    • Yes – Certificate private keys, client cookie data and tokens are encrypted in the solution database with a derived AES 256-bit symmetric encryption with an IV.
      • Customers can enable encryption at rest for user first name, last name, email and phone number
      • We do not store AD/LDAP passwords in our database
    • VMware Content Locker, VMware Boxer and VMware AirWatch App Wrapping solutions use AES 256-bit encryption to secure data on mobile devices
    • Data between the web console (management console and Self Service Portal) and device is encrypted using HTTPS and is not decrypted at any point along the path
      • VMware leverages a 2048-bit key in the SaaS environment
      • An application server controls communication between the web console and the database to limit the potential for malicious actions through SQL injection or invalid input: No direct calls are made to the database
    • All sensitive interactions between AirWatch nodes (AirWatch hosting servers and the VMware Enterprise Systems Connector), between VMware AirWatch Agent and the AirWatch solution are accomplished using message level encryption. For these message level interactions, the AirWatch Cloud uses 2048-bit RSA asymmetric key encryption using digital certificates.
    • We encrypt AD/LDAP credentials on the device via AES 256-bit and store them in the device keychain (internal memory)

    I hope this short article helps everyone to get the information they require for a Workspace ONE UEM SaaS project. I shared the same information with several customers from different businesses and so far all legal departments accepted the statements and moved forward with their project with Workspace ONE UEM. 🙂

    VMware Mirage – Alternatives

    As some of you know Mirage was (and still is) a revolutionary technology at the time Wanova released it in 2011 and in 2012 Mirage became part of VMware.

    VMware Mirage is used by customers for their desktop image management and for backup and recovery requirements.

    VMware Mirage provides next-generation desktop image management for physical desktops and POS devices across distributed environments. Automate backup and recovery and simplify Windows migrations.

    Mirage is and was the solution for certain use cases and solved common desktop challenges. Therefore not all customers are happy that Mirage reaches end of support (EOS) on June 30, 2019. 🙁

    But why is VMware Mirage being removed from support?

    Well, the answer is very simple. Today, the market is heading in two directions – it’s all about the applications and end-user devices (called the Digital Workspace). That’s why customers should move or are somehow forced to move to a Unified Endpoint Management solution which is considered to be “the” Windows desktop management solution of the future. The future of Windows is apparently cloud based and Mirage has not been designed or architected for this.

    What are the alternatives?

    VMware has no successor or product which can replace all of the features and functions Mirage provided, but Workspace ONE is the official alternative solution when it comes to Windows desktop management.

    There are really a lot of use cases and reasons why customers in the past decided to choose Mirage:

    • Reduce Management Complexity (e.g. single management console)
    • Desktop Backup and Recovery (automated and continuous system or user data backup)
    • Image Management (image layering)
    • Patch Management
    • Security & Compliance (auditing and encrypted connections)
    • Simple Desktop OS Migrations (e.g. Windows 7 to Windows 10 migrations)

    VMware Mirage really simplified desktop management and provides a layered approach when it comes to OS and applications rollouts. Customers also had the use case where the physical desktop not always was connected to the corporate network and this is a common challenge IT department were facing.

    The desktop images are stored in your own data center with secure encrypted access from all endpoints. You can also customize access rights to data and apps.  Even auditing capabilities are available for compliance requirements.
    And the best and most loved feature was the possibility for a full system backup and recovery!

    IT people love Mirage because it was so simple to restore any damaged and lost device to the most recent state (snapshot).

    For branch offices where no IT was onsite Mirage was also the perfect fit. An administrator just can distribute updates or Windows images to all remote laptops and PCs without any user interaction – maybe a reboot was now and then required. But that’s all!

    In case of bandwidth problems you could also take advantage of the Branch Reflector technology which ensured that one endpoint downloads images update and then distribute it locally to other computers (peers), which saved relieved the WAN connection drastically.

    Can WorkspaceONE UEM replace Mirage?

    From a technical perspective my opinion is definitely NO. WorkspaceONE has not the complete feature set compared to Mirage when it is about Windows 10 desktop management, but both are almost congruent I have to say.

    I agree that WorkspaceONE (WS1) is the logical step or way to “replace” Mirage, but this you have to know:

    • WS1 cannot manage desktop images for OS deployments. Nowadays, it is expected that a desktop is delivered pre-staged with a Windows 10 OS from the vendor or that your IT department is doing the staging for example with WDS/MDT.
    • WS1 has no backup and recovery function. If you use Dell Factory Provisioning then you can go back to a “restore point” where all of your pre-installed and manually installed applications get restored after a device wipe let’s say for example. But if the local hard disk has a failure and this restore partition is gone, then you have to get your device or hard disk replaced. Without Dell Factory Provisioning this means that IT has, again, still to deploy the desktop image with WDS/MDT.

    For some special use cases it is even necessary to implement VMware Horizon, User Environment Manager, OneDrive for Business etc, but even then WS1 is a good complement since it can also be used for persistent virtual desktops!

    As you can see a transition from Mirage to WS1 is not so easy and the few but most important differences are the reasons why customers and IT admins are not so amused about the EOS announcement of VMware Mirage.

    VCP-DW 2018 Exam Experience

    On the 30th November 2018 I passed my VCAP7-DTM Design exam and now I would like to share my VCP-DW 2018 (2V0-761) exam experience with you guys.

    I’m happy to share that I also passed this exam today and I thought it might be helpful, even a new VCP-DW 2019 exam will be released on 28th February 2019, to share my exam experience since it’s still a pretty new certification and not that much information can be found in the vCommunity.

    How did I prepare myself? To be honest, I almost had no hands-on experience and therefore I had to get the most out of the available VMware Workspace ONE documentation. I already had basic knowledge for my daily work as a solution architect, but it was obvious that this is not enough to pass. The most of my basic knowledge I gained from the VMware Workspace ONE: Deploy and Manage [V9.x] course which was really helpful in this case.

    If you check the exam prep guide you can see that you have to study tons of PDFs and parts of the online documentation. 

    Didn’t check all the links and documents in the exam prep guide but I can recommend to read these additional docs:

    In my opinion you’ll get a very good understanding of Workspace ONE (UEM and IDM) if you read all the documents above. In additional to the papers I recommend to get some hands-on experience with the Workspace ONE UEM and IDM console.

    As VMware employee I have access to VMware TestDrive where I have a dedicated Workspace ONE UEM sandbox environment. I enrolled an Android, iOS and two Windows 10 devices and configured a few profiles (payloads). I also deployed the Identity Manager Connector in my homelab to sync my Active Directory accounts with my Identity Manager instance which enables also the synchronization of my future Horizon resources like applications and desktops.

    I think that I spent around two weeks for preparation including the classroom training at the AirWatch Training Facility Milton Keynes, UK.

    The exam (version 2018) itself consists of 65 multiple choice and drag & drop questions and I had 135 minutes time to answer all questions. If you are prepared and know your stuff then I doubt that you will need more than one hour, but this could change with the new VCP-DW 2019. 🙂

    I’m just happy that I have a second VCP exam in my pocket and now I have to think about the next certification. My scope as solution architect will change a little. In the future I’m also covering SDDC (software defined data center) topics like vSphere, vSAN, NSX, VMware Cloud Foundation, Cloud Assembly and VMC on AWS. That’s why I’m thinking to earn the VCP-DCV 2019 or the TOGAF certification.

    Unified Endpoint Management – The Modern EMM

    I was touring through Switzerland and had the honor to speak at five events for a “Mobility, Workspace & Licensing” roadshow for SMB customers up to 250 employees. Before I started my presentation I have always asked the audience three questions:

    • Who knows what MDM or EMM (Mobile Device Management or Enterprise Mobility Management) is?
    • Have you ever heard of Unified Endpoint Management (UEM)?
    • Does the name Airwatch or Workspace ONE ring any bells?

    This is my thing to know which people are sitting in front of me and how deep I should or can go from a technical perspective. And I was shocked and really surprised how many people have raised their hands – only between 1 and 5 persons in average. And the event room was filled with 50 to 60 persons! I don’t know how popular EMM and UEM are in other countries, but I think this is a “Swiss thing” when you work with smaller companies. We need to make people aware that UEM is coming! 🙂

    That’s why I decided to write an article about Enterprise Mobility Management and how it transformed or evolved to the term Unified Endpoint Management.

    The basic idea of Mobile Device Management was to have an asset management solution which provides an overview of the smartphones (at the beginning iPhones were very popular) in a company. Enterprises were interested for example to disable Siri and ensure that corporate mobile phone devices were staying within policy guidelines. In addition, if you could lock and wipe the devices, you were all set.

    However, business needs and requirements changed and suddenly employees wanted or even demanded access to applications and content. Here we are talking about features like mail client configuration, WiFi certificate configuration,  content and mobile application management (MAM) and topics like containerization and identity management also became important – security in general. So, MDM and MAM were part now of Enterprise Mobility Management.

    Vendors like VMware, Citrix, MobileIron and so on wanted to go further and offer the same management and configuration possibilities for operating systems like Windows or Mac OS. If I recall correctly this must have been between 2013 and 2017.

    One of the biggest topics and challenges for this time were the creation of so called IT silos. There are many reasons how IT silos were built, but in the device management area it’s easy to give an example. Let’s say that you are working for an enterprise with 3’000 employees and you have to manage devices and operating systems like:

    • PCs & Laptops (Windows OS)
    • MacBooks or Mac OS in general
    • Android & iOS devices
    • Virtual apps & desktops (Windows OS)

    A typical scenario – your IT is deploying Windows OS mit SCCM (Configuration Manager), Mac OS devices are not managed, IT is using JAMF or does manual work, EMM solution for iOS and Android and for the VDI or server based computing (Terminal Server) environment the responsible IT team is using different deployment and management tools. This is an example how silos got build and nowadays they prevent IT from moving at the speed of business. VMware’s UEM solution to break up those silos is called Workspace ONE UEM.

    The EMM or mobility market is moving into two directions:

     

    Today, it’s all about the digital workspace – access ANY application, from ANY cloud, from ANY device and ANYTIME.

    People need app access to mobile apps, internal apps, SaaS apps and Win32 (legacy) apps. On the other hand we want to use any device, no matter if it’s a regular fat client, the laptop at home, wearables or a rugged or IoT device. If you combine “App Access” and “UEM” then you will get a new direction called “Digital Workspace”. Again, this means that Digital Workspace is just another name for the combined EUC (end-user computing) platform.

    UEM is a term which has been introduced by Gartner as a replacement for the client management tool (CMT) and Enterprise Mobility Management.

    Gartner defines Unified Endpoint Management as a new class of tools which function as an unified management interface – a single pane of glass. UEM should give enterprises the possibility to manage and configure iOS, Android, Mac OS and Windows 10 devices with a single unified console. With this information I would call UEM as the modern EMM.

    Modern Management – Windows 10

    Why is Windows 10 suddenly a topic when we talk about UEM? Well, Microsoft has put a lot efforts in their Windows 10 operating system and are providing more and more APIs that allow a richer feature set for the modern management approach – the same experience and approach we already have with mobile device management. Microsoft is seeking  to simplify Windows 10 management and I have to say that they made a fantastic job so far!

    Modern Management, if it’s with VMware Workspace ONE UEM or with a competitor’s product, is nothing else than going away from the network-based deployment to a cloud-based deployment.

    Traditional means staging with SCCM for example, apply group policies, deploy software packages and perform Windows Updates on a domain-joined PC.

    Modern means that we have the same out-of-the-box experience (OOBE) with our Windows 10 devices compared to an iPhone as an example. We want to unbox the device, perform a basic configuration and start consuming. By consuming I mean install all the apps I want wherever I am at the moment. If it’s a less secure network at home, at friends, on a beach, train or at the airport.

    Modern also means that I receive my policies (GPOs) and basic configuration (WiFi, E-Mail, Bitlocker etc.) over-the-air across any network. And my device doesn’t need to be domain-joined (but it can). Windows Updates can also be configured and deployed directly from Microsoft or still with WSUS.

    Mix Physical and Virtual Desktops with Modern Management

    VMware’s vision and my understanding of modern management means that we can and should be able to manage any persistent desktop even if it’s a virtual machine. During my presentation I told the audience that they could have Windows 10 VMs in their on-premises data center, on AWS, Azure or even on a MacBook.

    This use case has NOT been tested by VMware yet, but what do you think if we can manage the recently announced Windows Virtual Desktops (WVD) which are only available through Microsoft Azure? I hope to give you more information about this as soon as I have spoken to the product management.

    But you see where this is going. Modern management offers us new possibilities for certain use cases and we can even easier on-board contractors or seasonal workers if no separate VDI/RDSH based solution is available.

    And let’s assume that in 2018/2019 all new ordered hardware are pre-staged with a Windows 10 version we ask for. For a virtual persistent desktop this is most certainly not the case, but think again about the Windows 10 offerings from Azure where Windows 10 is also “pre-staged”.

    Do we need UEM and Modern Management? Are we prepared for it?

    Well, if we go by the definition of UEM then we already use Unified Endpoint Management since EMM is a part of, but just without the Windows 10 client management part. A survey in Switzerland has shown that only 50% of the companies are dealing with this topic. And to be clear: an adoption or implementation of UEM takes several years. Gartner predicts that companies have to start working with UEM within the next three to five years.

    What preparation is needed to move to the new modern cloud-based management approach? There are different options depending on your current situation.

    If you are running on Windows 7 and use Configuration Manager (SCCM) for the deployment, you could use Workspace ONE’s Airlift technology to build a co-management setup. But then you need to migrate first from Windows 7 to Windows 10 and use SCCM to deploy our Intelligent Hub (formerly known as Airwatch Agent). Then your good to go and could profit from a transition phase until all clients have been migrated. And in the end you can get rid of SCCM completely.

    If you use another tool or manually install Windows 10, then you just need to install Intelligent Hub, enroll the device and your prepared.

    But we can leverage other features and technologies like AutoPilot or Dell Factory Provisioning for Workspace ONE which are not part of this article.

    Which UEM Solution for your Digital Workspace?

    If you are responsible for modernizing client and device management in your company, then keep the following advice in mind. Check your requirements and define a mobility or a general IT strategy for your company. Then look out for the vendors and solutions which meet your requirements and vision. Ignore who is on the top right of the Gartner Magic Quadrant or the vendor who claims to have “the ONE” digital workspace solution. In the end you, your customers and colleagues must be happy! 🙂 

    In the future I will provide more information about Unified Endpoint Management and Modern Management. We are in the early market phase when it comes to UEM and I’m curious what’s coming within the next one or two years.

    The terms “Intelligence” and “Analytics” have not been covered yet and they are very interesting because it’s about new features and technology based on artificial intelligence and machine learning. E.g. with VMware’s Workspace ONE Intelligence you have new options for “insights” and “automation”. You have data, can collect it and run it through a rules engine (automation). But this is something for another time.