Workspace ONE Mobile Threat Defense

Aug 25, 2022 | Mobile Threat Defense, Security, WorkspaceONE UEM

It has been a while since I wrote about end-user computing (EUC) or anywhere workspace related topics, but I was waiting for a solution like this when I joined VMware back in 2018 as a EUC Solution Architect focusing on Horizon and Workspace ONE. Before I left for vacation in mid-June, VMware announced the general availability of Workspace ONE Mobile Threat Defense (MTD), which brings mobile security integrated directly into Workspace ONE Intelligent Hub.

Workspace ONE (WS1) is VMware’s digital workspace platform that enables companies to simply and securely deliver and manage any app on any device. It integrates access control, application management and multi-platform endpoint management and is available on-premises deployment or as a cloud service (SaaS).

Part of WS1 is Workspace ONE UEM (Unified Endpoint Management), which gives customers the capabilities to manage the full lifecycle of any endpoint – mobile (iOS, Android), desktop (Windows 10/11, macOS, Chrome OS, Linux), rugged devices and even IoT devices – in one single solution and management console.

While Workspace ONE can enable a full zero trust architecture and provides different components that make a digital workspace more secure, there was no integrated solution available for mobile devices.

Before this announcement back in June 2022, Workspace ONE customers had to use Workspace ONE Intelligence with Workspace ONE Trust Network that integrates threat data from 3rd party vendors that provide EDR (endpoint detection and response) solutions, mobile threat defense capabilities, or cloud access security brokers (CASB). WS1 Intelligence provides users and admins insights into the risks of devices and users.

Workspace ONE Intelligence provides visibility by aggregating data from multiple sources with the goal in mind to better understand the security posture of a user’s device and employee experience. In the case of mobile security, by using Workspace ONE Trust Network, admins can integrate and aggregate threat data from external sources like Zimperium Mobile Threat Defense, Netskope or Lookout Mobile Endpoint Security.

Mobile Endpoint Security

The next step in the evolution is a WS1 UEM-integrated mobile protection powered by Lookout. Finally, customers can provide mobile specific protection and not only identity or network-based security mechanisms.

What started with an API integrated approach with Workspace ONE Trust Network has become one solution by integrating Lookout’s SDK (Software Development Kit) into Workspace ONE’s Intelligent Hub. Customers do not have to install or activate a separate app.

Workspace ONE Mobile Threat Defense Key Features

WS1 MTD addresses the dangers of phishing and web content, threat, vulnerabilities, and behaviors unique to mobile (Android, iOS, Chrome OS):

Application-based threats including mobile malware, app vulnerabilities, and risky application behaviors and configurations
Web and content vulnerabilities exposed through phishing via email, SMS, and messaging apps. This includes malicious URLs; malicious web pages, videos, and photos; and web and content behaviors and configurations
Zero-day threats and device vulnerabilities including jailbreak and root access detection. Device risk including OS version and update adoption.
Machine-in-the-middle attacks (MITM) and risky behaviors such as SSL certificate stripping; forcing weaker algorithm negotiation; anomalous application network connection activity; and vulnerabilities associated with rogue Wi-Fi

Integrated with Workspace ONE Intelligence, customers get these additional capabilities:

Aggregate view of events across users and device types
Interconnect endpoint, app, and identity analytics; CVE data; and threat data
Automate remediation of devices back to secure and compliant state
Flag users and devices for investigation and follow up
Notify users of issues that require self remediation

Lookout has developed the Mobile Risk Matrix to help organizations understand the components and vectors that make up the spectrum of mobile risk:

Mobile Risk Matrix

How does it work?

This video provides a short and good explanation:

Product Components and Requirements

There are different components required to use Workspace ONE Mobile Threat Defense:

WS1 MDT is available for Workspace ONE UEM on-premises, SaaS or managed hosting customers
Workspace ONE Intelligent Hub 2204 or later
Lookout for Work Mobile App is optional
- Only required for phishing and content protection, Android dual enrollment, and Chrome OS support
Workspace ONE Intelligence is optional
- Required for customers that want to see threat data and use Intelligence’s automation engine

How to get Workspace ONE Mobile Threat Defense?

Workspace ONE Mobile Threat Defense is available with all Workspace ONE editions that deliver mobile management and UEM. This add-on SKU per device can be subscribed with these editions:

Workspace ONE Mobile Essentials
Workspace ONE UEM Essentials
Workspace ONE Standard
Workspace ONE Advanced
Workspace ONE Enterprise
Anywhere Workspace Enterprise

The Workspace ONE editions comparison datasheet can be found here.

Why VMware and Lookout?

Looking at the 2022 Gartner® Magic Quadrant™ for Unified Endpoint Management (UEM) Tools one can see that VMware scored highest in 4 out of 4 use cases in the 2022 Gartner® Critical Capabilities for UEM Tools.

Lookout has a huge install base with more than 200 million devices and was first in the industry to provide an enterprise mobile security product. Lookout’s demonstrated track of record of continuous innovation creates value for customers and a competitive advantage (they hold more than 175 patents!):

The Company also continued to enhance its market-leading Mobile Threat Defense solution – Lookout Mobile Endpoint Security – with the release of two new innovative features: Mobile Endpoint Detection and Response (mEDR) and Protective DNS for iOS and Android platforms. Mobile EDR is used to detect and investigate threats on mobile endpoints through real-time continuous monitoring and endpoint data analytics. Protective DNS encrypts DNS queries and implements safeguards to prevent users from accessing domains associated with phishing, malware, botnets, and other high-risk categories before a connection to the endpoint can be established.

Want a Test Drive?

If you want to test Workspace ONE Mobile Threat Defense, have a look at this TestDrive knowledge base article.

Build a Digital Manufacturing Platform with the VMware Edge Compute Stack

Mar 22, 2022 | Edge Computing, ESXi, Horizon, Networking, NSX, Observability, Tanzu, Unified Endpoint Management, VMware Cloud, VMware Cloud Foundation, vSAN, vSphere, WorkspaceONE UEM

VMware revealed their edge computing vision at VMworld 2021. In VMware’s view the multi-cloud extends from the public clouds to private clouds to edge. Edge is about bringing apps and services closer to where they are needed, especially in sectors like retail, transportation, energy and manufacturing.

In verticals like manufacturing the edge was always important. It’s about producing things than you can sell. If you cannot produce, you lose time and money. Reliability, stability and factory uptime are not new requirements. But why is edge becoming so important now?

Without looking at any analyst report and only providing experience from the field, it is clear why. Almost all of the large enterprises are migrating workloads from their global (central) data centers to the public cloud. At the same time, customers are looking at new innovations and technologies to connect their machines, processes, people and data in a much more efficient way.

Which requirement did all my customers have in common? They didn’t want to move their dozens or hundreds of edge infrastructures to the public cloud, because the factories should work independently and autonomously in case of a WAN outage for example. Additionally, some VMware technologies were already deployed at the edge.

VMware Edge Compute Stack

This is why VMware introduced the so-called “Edge Compute Stack” (ECS) in October 2021, which is provides a unified platform to run VMs alongside containerized applications at the far edge (aka enterprise edge). ECS is a purpose-built stack that is available in three different editions (information based on initial availability from VMworld 2021):

VMware Edge Comput Stack Editions

As you can see, each VMware Edge Compute Stack edition has the vSphere Enterprise+ (hypervisor) included, software-defined storage with vSAN is optional, but Tanzu for running containers is always included.

While ECS is great, the purpose of this article is about highlighting different solutions and technologies that help you to build the foundation for a digital manufacturing platform.

IT/OT Convergence

You most probably have a mix of home-grown and COTS (commercial off-the-shelf) software, that need to be deployed in your edge locations (e.g., factories, markets, shops etc.). In manufacturing, OT (operational technology) vendors have just started the adoption of container technologies due to unique technology requirements and the business model that relies on proprietary systems.

The OT world is typically very hardware-centric and uses proprietary architectures. These systems and architectures, which were put into production 15-20 years ago, are still functional. It just worked.

While these methods and architectures have been very good, the manufacturing industry realized that this static and inflexible approach resulted in a technology debt, that didn’t allow any innovation for a long period of time.

Manufacturing companies are moving to a cloud-native architecture that should provide more flexibility and vendor interoperability with the same focus in mind: To provide a reliable, scalable and flexible infrastructure.

This is when VMware becomes relevant again with their (edge) compute stack. VMware vSphere allows you to run VMs and containers on the same platform. This is true for IT and OT workloads, that’s IT partial IT/OT covergence.

You may ask yourself how you then would design the network. I’ll answer this topic in a minute.

Kubernetes Operations

IT platform teams, who design and manage the edge have to expand their (VMware) platform capabilities that allow them to deploy and host containers. Like I said before, this is why Tanzu is included in all the VMware Edge Compute Stack editions. Kubernetes is the new Infrastructure-as-a-Service (IaaS) and so it makes only sense that the container deployment and management capability is included.

How do you provide centralized or regional Kubernetes management and operations if you don’t have a global (regional) data center anymore?

With a hybrid approach, by using Tanzu for Kubernetes Operations (TKO), a set of SaaS services that allow you to run, manage, connect and secure your container infrastructure across clouds and edge locations.

IT/OT Security

Now you have the right platform to run your IT and OT workloads on the same hypervisor or compute platform. You also have a SaaS-based control plane to deploy and manage your Kubernetes clusters.

As soon as you are dealing with a very dynamic environment where containers exist, you are having discussions about software-defined networking or virtualized networks. Apart from that, every organization and manufacturer are transforming their network and security at the edge and talk about network segmentation (and cybersecurity!).

Traditionally, you’ll find the Purdue Model implemented, a concept model for industrial control systems (ICS) that breaks the network in two zones:

Information Technology (IT)
Operational Technology (OT)

The Purdue Model of Computer Integrated Manufacturing

Source: https://www.automationworld.com/factory/iiot/article/21132891/is-the-purdue-model-still-relevant

In these IT and OT zones you’ll find subzones that describe different layers and the ICS components. As you can see as well, each level is secured by a dedicated physical firewall appliance. From this drawing one could say that the IT and OT world converge in the DMZ layer, because of the bidirectional traffic flow.

VMware is one of the pioneers when it comes to network segmentation that helps you driving IT/OT convergence. This is made possible by using network virtualization. As soon as you are using the VMware hypervisor and its integrated virtual switch, you are already using a virtualized network.

To bring IT and OT closer together and to provide a virtualized network design based on the Purdue Model including a zero-trust network architecture, you would start looking at VMware NSX to implement that.

In case you are looking for a software-defined load balancer or application delivery controller, have a look at NSX Advanced Load Balancer (formerly known as Avi).

PLC Virtualization

In level 2 of the Purdue Model, which hosts the systems for supervising, monitoring and controlling the physical process, you will find components like human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) software.

In level 3, manufacturing execution systems (MES) can be found.

Nowadays, most companies already run their HMIs, SCADAs and MES software in virtual machines on the VMware vSphere hypervisor.

The next big thing is the virtualization of PLCs (programmable logic controller), which is an industrial computer that controls manufacturing processes, such as machines, assembly lines and robotic devices. Traditional PLC implementations in hardware are costly and lack scalability.

That is why the company SDA was looking for a less hardware-centric but more software-centric approach and developed the SDA vPLC that is able to meet sub 10ms performance.

This vPLC solution is based on a hybrid architecture between a cloud system and the industrial workload at the edge, which has been tested on VMware’s Edge Compute Stack.

Monitoring & Troubleshooting

One area, which we haven’t highlighted yet, is the monitoring and troubleshooting of virtual machines (VMs). The majority of your workloads are still VM-based. How do you monitor these workloads and applications, deal with resource and capacity planning/management, and troubleshoot, if you don’t have a central data center anymore?

With the same approach as before – just with a cloud-based service. Most organizations rely on vRealize Operations (vROps) and vRealize Log Insight (vRLI) for their IT operations and platform teams gain visibility in all the main and edge data centers.

You can still use vROps and vRLI (on-premises) in your factories, but VMware recommends using the vRealize Cloud Universal (vRCU) SaaS management suite, that gives you the flexibility to deploy your vRealize products on-premises or as SaaS. In an edge use case the SaaS-based control plane just makes sense.

In addition to vRealize Operations Cloud you can make use of the vRealize True Visibility Suite (TVS), that extends your vRealize Operations platform with management packs and connectors to monitor different compute, storage, network, application and database vendors and solutions.

Factory VDI

Some of your factories may need virtual apps or desktops and for edge use cases there are different possible architectures available. Where a factory has a few hundred of concurrent users, a dedicated standalone VDI/RDSH deployment might make sense. What if you have hundreds of smaller factories and don’t want to maintain a complete VDI/RDSH infrastructure?

VMware is currently working on a new architecture for VMware Horizon (aka VMware Horizon Next-Generation) and their goal is to provide a single, unified platform across on-premises and cloud environments. They also plan to do that by introducing a pod-less architecture that moves key components to the VMware-hosted Horizon (Cloud) Control Plane.

This architecture is perfectly made for edge use cases and with this approach customers can reduce costs, expect increased scalability, improve troubleshooting and provide a seamless experience for any edge or cloud location.

VMware Horizon Next-Generation

Management for Enterprise Wearables

If your innovation and tech team are exploring new possibilities with wearable technologies like augmented reality (AR), mixed reality (MR) and virtual reality (VR) head-mounted displays (HMDs), then VMware Workspace ONE Unified Endpoint Management (UEM) can help you to securely manage these devices!

Workspace ONE UEM is very strong when it comes to the modern management of Windows Desktop and macOS operating systems, and device management (Android/iOS).

Conclusion

As you can see, VMware has a lot to offer for the enterprise edge. Organizations that are multi-cloud and keep their edge locations on-premises, have a lot of new technologies and possibilities nowadays.

VMware’s strengths are unfolded as soon as you combine different solutions. And these solutions help you to work on your priorities and requirements to build the right foundation for a digital manufacturing platform.

Introduction to Workspace ONE Express and Express+

Oct 18, 2019 | emm, Workspace ONE, WorkspaceONE UEM

With the release of Workspace ONE UEM 1907 AirWatch Express has been renamed to Workspace ONE Express and a few months later VMware announced Workspace ONE Express+ which is the result of a partnership with Dell.

Workspace ONE Express (WS1 Express) is a SaaS-only solution which is perfectly made for startups and the small- and mid-market in general. It is a simple mobile device management (MDM) solution designed to get your mobile devices up and running quickly without requiring extensive knowledge or an on-premises infrastructure.

The main features are the configuration of WiFi, apps, e-mail and security – basic MDM. WS1 Express requires a minimum of 10 devices and can be used for up to 500 devices, whereas the regular Workspace ONE UEM editions require at least 25 devices/users and have an unlimited licensing scale.

So, which edition is the right one for you? It depends on your types of mobile devices, use cases and requirements.

If you are a small company for example with 50 iOS and Android devices and would like to configure the native e-mail client, WiFi access, deploy some apps and set a passcode, then the Workspace ONE Express is the edition you are looking for.

If you are a company with around 250 users and would like to manage your macOS and Windows 10 clients, then we have to take a closer look what your requirements are.

IMPORTANT: WS1 Express has some policies for macOS, but Windows 10 can only be managed with Workspace ONE Express+ !

This means that you have to go for the Workspace ONE UEM Standard edition, if you need an acceptable feature set for these operating systems.

What is the big difference between Workspace ONE Express and Workspace ONE UEM Standard?

As just mentioned before, the biggest difference is the limited feature set of WS1 Express and that you cannot configure payloads, but have to use the “blueprint setup”.

WS1Express-Blueprints_Create

Upon the initial login, a step-by-step wizard will help and guide you through the process of configuring WS1 and your devices.

WS1Express-Getting Started _Setup

During the creation of a blueprint you can select the policies for each operating system and you quickly realize that Workspace ONE Express is really offers basic MDM capabilities.

WS1Express-Blueprints_Policies

Apple DEP and Android Zero-Touch Enrollment are fully supported with the Express edition.

Can you start with Express and upgrade later to Standard or Advanced? Yes, you can! This is the great thing about Workspace ONE. If your company is small and would like to start small, then choose Express. If your company, the employee number and your requirements grow, upgrade to a regular Workspace ONE UEM Edition like Standard or Advanced. That’s the most recent Workspace ONE Edition Comparison Guide about Express, Express+ and Standard:

Workspace ONE Standard for macOS and Windows 10 Management

I doubt that a customer would start with Express if they have macOS and Windows clients. Even smaller companies have probably 80% of the same requirements when it comes to macOS and Windows 10 modern management.

But which features and configurations does VMware support with Workspace ONE Standard for Windows 10 management? Please find here an unofficial listing of the supported features:

OS Lifecycle

OOBE and Factory Provisioning (Device Onboarding)
Co-Management with SCCM and Workspace ONE AirLift
MDM profiles (passcode, WiFi, restrictions etc.)
OS Updates via WSUS or Windows Updates for Business

App Lifecycle

Enterprise Application Store with Workspace ONE Intelligent Hub
Store Apps (Business and Public App Store) and MS Office 365 via CSP

Security

Device Restrictions
Remote and Enterprise Wipe
GPS Tracking
DLP (Windows Information Protection, AppLocker)
AV and Firewall (Windows Defender, 3rd party AV deployment, Windows Firewall)
Conditional Access Management
Enforce BitLocker Encryption

WS1_MDM_capabilities

That is a lot you can do already with our Standard edition, right? What are the reasons that you would need the next higher Workspace ONE Advanced edition? Most probably if you need one or more features like:

Application Delivery and Application Lifecycle (win32 – MSI, EXE, MST, MSP, PS1, BAT, ZIP)
Peer-to-Peer Distribution (WS1 uses Windows BranchCache feature!)
Advanced BitLocker Encryption Management (key rotation, maintenance windows etc.)
Per-App VPN Tunneling with VMware Tunnel

What are the capabilities when it comes to macOS management? Well, also here, VMware’s approach is to have a modern imageless management over the air from the same management console. New devices can be enrolled with DEP and the Bootstrap Enrollment method, but existing users and devices have the choice of a web-based or staged enrollment.

WS1_MDM_macOS

Please find here an unofficial listing of the supported features and configuration for macOS payloads which are included in Workspace ONE Standard.

Via MDM interface

Passcode
Network
VPN
Certificates
SCEP
Dock
Restrictions
Parental Controls
Directory Binding
Security & Privacy
Disk Encryption
Login Items
Login Window
Time Machine
Finder
Printing
Content Filter
Device & Enterprise Wipe
Token Enrollment
User Management (unlock user account, logout current user, delete user)

Via our Intelligent Hub (Agent)

Enforce Encryption
Firewall
Firmware Password
VMware Fusion
Microsoft Outlook
Notifications
Custom Attributes

How can I deliver 3rd party apps like MS Office, Adobe Creative Suite etc.? VMware use the open source “Munki” framework for that.

Workspace ONE Assist (formerly known as Advanced Remote Management)

There is also an add-on called Workspace ONE Assist which enables you to remotely access and troubleshoot a device.

At the moment of writing WS1 Assist only supports iOS, Android, Windows Mobile and Windows 10 devices, but the support for macOS is coming until the end of this year (2019).

Via the WS1 Admin Console WS1 Assist let’s you to capture images and videos of the remote device and you can view and export audit logs of the sessions and even manage files and folders on the Windows 10 remote device for example.

Final Words

If you would like to get a TestDrive access for Workspace ONE Express or Workspace ONE UEM, don’t hesitate to contact your partner or VMware account executive.

If you are a partner and would like to sell Workspace ONE, VMware has a MSP (Managed Service Provider) model for you! In this case contact your VCPP representative.

And I hope that you found valuable information here to better decide which Workspace ONE edition is the right one for you! 🙂

Raspberry Pi 4 – The Ultimate Thin Client?

Aug 15, 2019 | homelab, Horizon, Raspberry Pi, Thin Client, WorkspaceONE UEM

Everyone is talking about the new Raspberry Pi 4 and ask themselves if it’s the new ultimate and cheap thin client. So far, I haven’t seen any customer here in Switzerland using a Pi with VMware Horizon. And to be honest, I have no hands-on experience with Raspberry Pis yet and want to know if someone in pre-sales like me easily could order, install, configure and use it as a thin client. My questions were:

How much would it cost me in CHF to have a nice thin client?
What kind of operating system (OS) is or needs to be installed?
Is this OS supported for the VMware Horizon Client?
If not, do I need to get something like the Stratodesk NoTouch OS?
If yes, how easy is it to install the Horizon Client for Linux?
How would the user experience be for a normal office worker?
Is it possible to use graphics and play YouTube videos?

First, let’s check what I ordered on pi-shop.ch:

Raspberry Pi 4 Model B/4GB – CHF 62.90
KKSB Raspberry Pi 4 Case – CHF 22.90
32GB MicroSD Card (Class10) – CHF 16.90
Micro-HDMI to Standard HDMI (A/M) 1m cable – CHF 10.90
Power: Official Power Supply 15W – CHF 19.40
Keyboard/Mouse: Already available in my home lab

Total cost in CHF: 133.00

Raspberry Pi 4 Model B Specs

I ordered the Raspberry Pi 4 Model B/4GB with the following hardware specifications:

CPU – Broadcom BCM2711, quad-core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz
RAM – 4GB LPDDR4
WLAN – 2.4 GHz and 5.0 GHz IEEE 802.11b/g/n/ac wireless
Gigabit Ethernet
USB – 2x USB 3.0, 2x USB 2.0
Video – 2 × micro HDMI ports (up to 4Kp60 supported)
Multimedia – H.265 (4Kp60 decode), H.264 (1080p60 decode, 1080p30 encode)

With this powerful hardware I expect no problems and would assume that even playing videos and using graphics is not an issue. But let’s figure that out later.

Horizon Client for Linux

The support for the Raspberry Pi came with Horizon Client 4.6 for Linux:

Horizon Client for Linux now supports the Raspberry Pi 3 Model B devices that are installed with ThinLinx Operating System (TLXOS) or Stratodesk NoTouch Operating System. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

And the current Horizon Client 5.1 still only mentions the support for Raspberry Pi 3 with the same supported feature set:

Horizon Client for Linux 5.1 is supported on Raspberry Pi 3 Model B devices that are installed with ThinLinx Operating System (TLXOS) or Stratodesk NoTouch Operating System. The supported Horizon Client features include Blast Extreme, USB redirection, and H.264 decoding.

Hm, nothing has changed so far. During the time of writing this article I’ll try to figure out if the official support for a Pi 4 is coming soon and why ThinLinX is the only supported OS so far. Because I saw on Twitter and on the Forbes website that people are waiting for Ubuntu MATE for their Raspis.

And I found a tweet from August 6, 2019, from the ThinLinX account with the following information:

ThinLinX has just released TLXOS 4.7.0 for the Raspberry Pi 4 with dual screen support. The same image runs on the entire Raspberry Pi range from the RPi2 onward TLXOS 4.7.0 supports VMware Horizon Blast, Citrix HDX, RDP/RemoteFX, Digital Signage and IoT

Raspberry Pi and Horizon Client 4.6 for Linux

The next question came up – are there already any people around who tested the ThinLinX OS with a Raspberry Pi 3/4?

Probably a few people tried it already, but only one guy from UK so far blogged about this combination on his blog vMustard.

He wrote a guide about how to install TLXOS and the TMS management software, the configuration of TLXOS and how the Horizon Client for Linux needs to be installed. For sure his information helps me to get started.

Horizon Test Environment

I’m going to use VMware’s TestDrive to access a vGPU enabled Windows 10 desktop from the EMEA region. Such a Windows 10 1709 desktop is equipped with a Xeon Gold 6140 CPU and a Nvidia Tesla V100 card. I tried to get a card from Nvidia to perform the tests in my home lab, but they already gave away all the cards they had. So, the test in my home lab has to wait for a few weeks or months. 🙂

Workspace ONE UEM and TLXOS

And when I finally have installed TLXOS and can connect to a Horizon desktop, would it be possible to install Intelligent Hub and enroll the device in my Workspace ONE UEM sandbox environment? Is this also possible and supported?

Checking our VMware Docs and the Workspace ONE UEM product documentation the following information can be found:

The flexibility of the Linux operating system makes it a preferred platform for a wide range of uses, including notebooks, Raspberry Pi devices, and other IoT-capable devices. With Workspace ONE UEM, you can build on the flexibility and ubiquity of Linux devices and integrate them with your other mobile platforms in a central location for mobile device management.

Hm, would my new thin client be supported or not? The only requirements mentioned, are:

You can enroll devices running any version and any configuration of Linux running on either x86_64 or ARM7 architecture into Workspace ONE UEM
You can enroll Linux devices in any Workspace ONE UEM version from 1903 onward
You must deploy the Workspace ONE Intelligent Hub for Linux v1.0

As you can see above the new Raspberry Pi 4 is based on ARM8. I asked our product management if the RPi4 and TLXOS is supported and received the following answer:

As for WS1 UEM support for Linux, we do support ARM and won’t have a problem running on a Pi4, but we are still early stages for the product

As the Linux management capabilities with Workspace ONE UEM are very limited, I’m going to wait another four to six months to perform some tests. But TLXOS is anyway coming with its on management software. And customers would probably prefer another Linux Distribution like Ubuntu MATE.

Raspberry Pi 4 Setup

There is no special manual needed to set up a Raspberry Pi. Just unbox and install it in a case, if you ordered one. Here are some general instructions: https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up

Install ThinLinX OS on the Raspberry Pi 4

Download the most recent installer for ThinLinX OS (TLXOS) for a Raspberry Pi: http://thinlinx.com/download/

1_TLXOS_RaspberryPi4_SDcard_Installer

Insert your microSD card into your PC and launch the “TLXOS Raspberry Pi SD Card Installer” (in my case tlxos_rpi-4.7.0.exe” and press “Yes” if you are prepared to write the image to the SD card.

3_TLXOS 4.7.0 for Raspberry Pi (v2 and v3)

After the image extraction a “Win32 Disk Imager” window will appear. Make sure the to choose the correct drive letter for the SD card (in my case “G”). Click “Write”

4_Win32_Disk_Imager

If everything went fine you should get a notification that the write was successful.

5_TLXOS-Complete

Now put the SD card into the Pi, connect the USB-C power cable, micro-HDMI cable, keyboard and mouse.

And then let’s see if the Pi can boot from the SD card.

5_TLXOS-Complete

It seems that the TLXOS just booted up fine and that we have “30 Day Free Trial” included.

8_TLXOS_30d_FreeTrial

A few minutes later TLXOS was writing something to the disk and did a reboot. The Chromium browser appears. This means we don’t need to install the TMS for our tests, except you would like to test the management of a TLXOS device.

I couldn’t find any menu on TLXOS, so I closed the browser and got access to a menu where I apparently can configure stuff.

10_Chromium_closed_menu_appears

Install Horizon Client for Linux on TLXOS

After I clicked on “Configure” before I browsed through the tabs (Application) and found the option to configure the Horizon Client. It seems that the client is included now in TLXOS which was not the case in the past. Nice!

11_TLXOS_Configure_VMwareBlast

Note:

When a TLXOS device boots, if configured correctly it will automatically connect to a Remote
Server using the specified connection Mode. Up to 16 different connection Modes can be
configured

I just entered the “Server” before and clicked on “Save Settings” which opened the Horizon Client automatically where I just have to enter my username and password (because I didn’t configure “Auto Login” before).

Voila, my vGPU powered Windows 10 desktop from VMware TestDrive appeared.

As first step I opened the VMware Horizon Performance Tracker and the Remote Desktop Analyzer (RD Analyzer) which both confirmed that the active encoder is “NVIDIA NvEnc H264“. This means that the non-CPU encoding (H.264) on the server and the H.264 decoding on TLXOS with the Horizon Client (with Blast) should work fine.

To confirm this, I logged out from the desktop and checked the Horizon Client settings. Yes, H.264 decoding was allowed (default).

15_TLXOS_HorizonClient_H264_allowed

After disallowing the H.264 decoding I could see the difference in the Horizon Performance Tracker.

The active encoder changed to “adaptive”. Let’s allow H.264 again for my tests!

Testing

1) User Experience with YouTube

As a first test the user experience with the Raspberry Pi 4 as a thin client and to check how the H.264 decoding performs I decided to watch this trailer:

AVENGERS 4 ENDGAME: 8 Minute Trailers (4K ULTRA HD) NEW 2019: https://www.youtube.com/watch?v=FVFPRstvlvk

I had to compress the video to be able to upload and embed it here. Important to see is that I was watching the 4K trailer in full screen mode and the video and audio were not choppy, but smooth I would say! I had around 21 to 23 fps. But that’s very impressive, isn’t it?

For the next few tests I’m going to use what TestDrive offers me:

2) TestDrive – Nvidia Faceworks

3) TestDrive – eDrawings Racecar Animation

4) TestDrive – Nvidia “A New Dawn”

5) TestDrive – Google Earth

6) FishGL

Conclusion

Well, what are the important criteria which a thin client needs to fullfil? Is it

(Very) small form factor
Management software – easy to manage
Secure (Patching/Updating, Two Factor Authentication, Smartcard Authentication)
Longevity – future proof
Enough ports for peripherals (e.g. Dualview Support)
Low price
Low power consumption

It always depends on the use cases, right? If Unified Communications is important to you or your customer, then you need to go with the Stratodesk’s NoTouch OS or have to buy another device and use a different OS. But if you are looking for a good and cheap device like the Raspberry Pi 4, then multimedia, (ultra) HD video streaming and office applications use cases are no problem.

My opinion? There are a lot of use cases for these small devices. Not only in end-user computing, but it’s easy for me to say that the Raspi has a bright future!

With the current TLXOS and the supported Horizon Client features so far I wouldn’t call this setup “enterprise ready” because the installation of TLXOS needs to be done manually except you can get it pre-installed on a SD card? Most customers rely on Unified Communications today and are using Skype for Business and other collaboration tools which is not possible yet according to the Horizon Client release notes. But as soon as the Horizon Client (for Linux) in TLXOS gets more features, the Raspberry Pi is going to take some pieces of the cake and the current thin client market has to live in fear. 😀

The biggest plus of a Raspberry Pi as a thin client is definitely the very small form factor combined with the available ports and the cheap money (TLXOS license not included). You can connect two high resolution monitors, a network cable, keyboard, mouse and a headset without any problem. If you buy the Pi in bulk as customer then I claim that the price is very, very hard to beat. And if a Pi has a hardware defect then plug the SD card into another Pi and your user can work again within a few minutes. If VESA mount is mandatory for you then buy a VESA case. By the way, this is my KKSB case:

What is missing in the end? Some Horizon Client features and the manual initial OS deployment method maybe. I imagine that IT teams of smaller and medium-sized companies could be very interested in a solution like this, because a Raspberry Pi 4 as a thin client already ROCKS!

Workspace ONE UEM – Data Security, Data Privacy and Data Collection

May 22, 2019 | AWS, emm, Workspace ONE, WorkspaceONE UEM

Updated on April 6th, 2022 – Please be aware that some of this information may no be accurate anymore

A lot of businesses are getting more and more interested in a Unified Endpoint Management solution like Workspace ONE UEM. While EMM is pretty clear to everyone, UEM is far away from this status. During the meetings with customers about Workspace ONE there are often concerns about “cloud” and the data which is being sent to the cloud.

Since this information about data privacy, data security or data collection regarding Workspace ONE is not easy to gather, I decided to make this information available here.

This topic is very important, because more businesses are open now to talk about cloud and hybrid solutions like Workspace ONE where the management backend is managed by VMware and only a few components need to be installed on-premises in your own data center:

Workspace ONE UEM SaaS Architecture

With the release of Workspace ONE UEM 1904 VMware started to publish “SaaS only releases“. Before this announcement an on-premises customer would get the on-prem installers three to four weeks after a new SaaS release has been made available. That’s why it’s clear that a lot more customers are having the same questions and requests when it comes to a cloud-based solution.

Of course, as we strive to bring you more cloud services at a faster pace, we will continue to add value with innovations in both our On-Premises and cloud offerings.

As a result, we are making a change to how we deliver Workspace ONE UEM beginning with Workspace ONE UEM Console 1904, which will be SaaS only release.

Which data are collected from users and devices? Who has access to this data?

By default, the solution only collects information necessary to manage the device, such as the device status, compliance information, OS, etc.; our solution may collect (if configured by administrator) or users may input data considered to be sensitive
The solution collects a limited personal data which includes user first and last name, username, email address, and phone number for user activation and management. These fields can be encrypted at rest in the solution database (AES 256). Customers may collect additional data points in the following matrix (as configured by the customer administrator): https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/UEM_Managing_Devices/GUID-AWT-DATA-COLLECT-MATRIX.html
VMware manages access to the SaaS environment while customers manage administrative and end-user access through the solution console
- Access to the SaaS environment is technically enforced according to role, the principle of least privileges and separation of duties
- Customers manage access entitlements for administrative and end users
VMware defines customer data related to the solution and/or hosted service in the VMware Data Processing Addendum
Data Sub-Processors can be found here

Is it possible to prevent data collection of specific information?

VMware covers this topic in their Workspace ONE Privacy Disclosure: https://www.vmware.com/help/privacy/uem-privacy-disclosure.html

Customer administrators use granular controls to configure what data is collected from users and what collected data is viewable by admins within the Workspace ONE console. Use granular role-based access controls to restrict the depth of device management information and features available to each administrative console user.
For Workspace ONE UEM configure Collect and Display, Collect Do Not Display, and Do Not Collect settings for user data:
- GPS Data
- Carrier/Country Code
- Roaming Status
- Cellular Data Usage
- Call Usage
- SMS Usage
- Device Phone Number
- Personal Application
- Unmanaged Profiles
- Public IP Address
Customer administrators can choose whether to display or to do not display the following user information:
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/UEM_Managing_Devices/GUID-AWT-CONFIGUREPRIVACYSETTINGS.html
- First Name
- Last Name
- Phone Number
- Email Accounts
- Username

How is data secured in the VMware hosted cloud?

Workspace ONE UEM has achieved the Service Organization Control (SOC) 2 Type 2 and ISO 27001, ISO 27017, and ISO 27018 certifications.

VMware can provide copies of the SOC 2 Type 2 report under an NDA; please contact your VMware account representative to request this report. Refer to the VMware Cloud Trust Center ISO certificate and to see the latest list of industry certifications.

VMware uses encryption for data in transit over the public Internet and at rest. For a comprehensive overview of the SaaS application, request the Workspace ONE UEM Cloud Security Overview from your VMware Representative.

I hope this short article helps everyone to get the information they require for a Workspace ONE UEM SaaS project. I shared the same information with several customers from different businesses and so far all legal departments accepted the statements and moved forward with their project with Workspace ONE UEM. 🙂

VMware Mirage – Alternatives

Jan 12, 2019 | Horizon, mirage, Unified Endpoint Management, WorkspaceONE UEM

As some of you know Mirage was (and still is) a revolutionary technology at the time Wanova released it in 2011 and in 2012 Mirage became part of VMware.

VMware Mirage is used by customers for their desktop image management and for backup and recovery requirements.

VMware Mirage provides next-generation desktop image management for physical desktops and POS devices across distributed environments. Automate backup and recovery and simplify Windows migrations.

Mirage is and was the solution for certain use cases and solved common desktop challenges. Therefore not all customers are happy that Mirage reaches end of support (EOS) on June 30, 2019. 🙁

But why is VMware Mirage being removed from support?

Well, the answer is very simple. Today, the market is heading in two directions – it’s all about the applications and end-user devices (called the Digital Workspace). That’s why customers should move or are somehow forced to move to a Unified Endpoint Management solution which is considered to be “the” Windows desktop management solution of the future. The future of Windows is apparently cloud based and Mirage has not been designed or architected for this.

What are the alternatives?

VMware has no successor or product which can replace all of the features and functions Mirage provided, but Workspace ONE is the official alternative solution when it comes to Windows desktop management.

There are really a lot of use cases and reasons why customers in the past decided to choose Mirage:

Reduce Management Complexity (e.g. single management console)
Desktop Backup and Recovery (automated and continuous system or user data backup)
Image Management (image layering)
Patch Management
Security & Compliance (auditing and encrypted connections)
Simple Desktop OS Migrations (e.g. Windows 7 to Windows 10 migrations)

VMware Mirage really simplified desktop management and provides a layered approach when it comes to OS and applications rollouts. Customers also had the use case where the physical desktop not always was connected to the corporate network and this is a common challenge IT department were facing.

The desktop images are stored in your own data center with secure encrypted access from all endpoints. You can also customize access rights to data and apps. Even auditing capabilities are available for compliance requirements.
And the best and most loved feature was the possibility for a full system backup and recovery!

IT people love Mirage because it was so simple to restore any damaged and lost device to the most recent state (snapshot).

For branch offices where no IT was onsite Mirage was also the perfect fit. An administrator just can distribute updates or Windows images to all remote laptops and PCs without any user interaction – maybe a reboot was now and then required. But that’s all!

In case of bandwidth problems you could also take advantage of the Branch Reflector technology which ensured that one endpoint downloads images update and then distribute it locally to other computers (peers), which saved relieved the WAN connection drastically.

Can WorkspaceONE UEM replace Mirage?

From a technical perspective my opinion is definitely NO. WorkspaceONE has not the complete feature set compared to Mirage when it is about Windows 10 desktop management, but both are almost congruent I have to say.

I agree that WorkspaceONE (WS1) is the logical step or way to “replace” Mirage, but this you have to know:

WS1 cannot manage desktop images for OS deployments. Nowadays, it is expected that a desktop is delivered pre-staged with a Windows 10 OS from the vendor or that your IT department is doing the staging for example with WDS/MDT.
WS1 has no backup and recovery function. If you use Dell Factory Provisioning then you can go back to a “restore point” where all of your pre-installed and manually installed applications get restored after a device wipe let’s say for example. But if the local hard disk has a failure and this restore partition is gone, then you have to get your device or hard disk replaced. Without Dell Factory Provisioning this means that IT has, again, still to deploy the desktop image with WDS/MDT.

For some special use cases it is even necessary to implement VMware Horizon, User Environment Manager, OneDrive for Business etc, but even then WS1 is a good complement since it can also be used for persistent virtual desktops!

As you can see a transition from Mirage to WS1 is not so easy and the few but most important differences are the reasons why customers and IT admins are not so amused about the EOS announcement of VMware Mirage.