The Endpoint Compliance Checks feature on Unified Access Gateway provides an extra layer of security for accessing Horizon desktops in addition to the other user authentication services that are available on Unified Access Gateway.

You can use the Endpoint Compliance Checks feature to ensure compliance to various policies such as an antivirus policy or encryption policy on endpoints. Endpoint compliance is checked when a user attempts to start a remote desktop or application from the listed entitlements.

Endpoint compliance policy is defined on a service running in cloud or on-premises. Unified Access Gateway can be used with endpoint compliance check providers such as Workspace ONE Intelligence (risk analysis feature) and OPSWAT.

Endpoint Compliance Checks are advanced settings, which can be configured on the Endpoint Compliance Check Provider Settings page.


Endpoint compliance check is performed by either the OPSWAT MetaAccess persistent agent or the OPSWAT MetaAccess on-demand agent on the Horizon Client. The OPSWAT agents communicate the compliance status to an OPSWAT instance running either in cloud or on-premises. You can configure the Unified Access Gateway for hosting the on-demand agent. This configuration allows Horizon Client to download the on-demand agent from Unified Access Gateway when necessary.

Workspace ONE Intelligence (Risk Analytics)

Workspace ONE Intelligence has a risk analytics feature that assesses user and device risk by identifying practices that affect security and calculating a risk score for every device and user in an organization. Unified Access Gateway communicates with Workspace ONE Intelligence through connection settings to obtain the device risk score information from Workspace ONE Intelligence. The risk score information helps in determining whether an endpoint device can be allowed to access a remote desktop or application based on the risk score of the endpoint device. If the endpoint device has a high risk score, then as an administrator you can configure Unified Access Gateway to deny access to such a device.

In addition to the compliance check, Unified Access Gateway sends the risk score data obtained from Workspace ONE Intelligence to the Dynamic Environment Manager for further analysis.

For more information about risk scores, see the Requirements to Access Dashboards and User Risk Dashboard section in the Workspace ONE Intelligence Dashboards, Automation, and Reports documentation at VMware Docs.