Each Workspace ONE UEM component has a section below with a short summary of their role within the Workspace ONE UEM architecture.
Workspace ONE UEM Console
Administrators use the Workspace ONE UEM Console through a Web browser to secure, configure, monitor, and manage their corporate device fleet.
Device Services are the components of Workspace ONE UEM that actively communicate with devices. Workspace ONE UEM relies on this component for processing:
Delivering device commands and receiving device data.
Device Services also hosts the Self-Service Portal, which device users access (through a Web browser) to monitor and manage their devices in Workspace ONE UEM.
AirWatch Cloud Messaging (AWCM)
VMware AirWatch Cloud Messaging (AWCM) provides secure communication to your back-end systems in conjunction with the VMware AirWatch Cloud Connector (ACC). The ACC uses AWCM to securely communicate with the Workspace ONE UEM console.
AWCM also streamlines the delivery of messages and commands from the UEM console to devices by eliminating the need for end users to access the public Internet or use consumer accounts, such as Google IDs. AWCM serves as a comprehensive substitute Firebase Cloud Messaging (FCM) for Android devices and is the only option for providing Mobile Device Management (MDM) capabilities for Windows Rugged devices.
AWCM simplifies device management by offering the following benefits:
Secure communication to your back-end infrastructure through the VMware AirWatch Cloud Connector.
Real-time communication with Workspace ONE UEM Windows Intelligent Hub.
Removing the need for third-party IDs.
Workspace ONE UEM console commands delivered directly to Android and Windows Rugged devices.
Remote commands such as device wipe and device lock delivered to macOS devices.
Increased functionality of internal Wi-fi only devices using push notifications in certain circumstances.
Additional information about AWCM requirements, setup, and installation can be found in the VMware AWCM Guide, available on docs.vmware.com.
API (Application Program Interface)
The AirWatch API component comprises REST (Representational State Transfer) and SOAP (Simple Object Access Protocol) APIs. These APIs are used for developers creating their own applications that want to start Workspace ONE UEM functionality and use the information stored in their Workspace ONE UEM environment.
By default, the AirWatch API is installed on both CN and DS application servers. It is configured to point to the CN by default.
When developing any new applications, VMware recommends the use of Version 2 of the REST API, both for ease of use and for optimal support long term.
Workspace ONE UEM stores all device and environment data in a Microsoft SQL Server database. Due to the amount of data flowing in and out of the Workspace ONE UEM database, proper sizing of the database server is crucial to a successful deployment.
For more information on system configurations, see the VMware AirWatch Installation Guide, available on docs.vmware.com, or contact Workspace ONE Support.
VMware Workspace ONE Access
VMware Workspace ONE Access extends your infrastructure to provide a seamless single sign-on (SSO) experience to web, mobile, software-as-a-service (SaaS), and legacy applications.
VMware Workspace ONE Access provides:
Conditional access controls
Single Sign-On functionality
For more information on configuring VMware Workspace ONE Access, see the VMware Workspace ONE Access guide, available on docs.vmware.com.
VMware AirWatch Cloud Connector
VMware AirWatch Cloud Connector provides organizations the ability to integrate Workspace ONE UEM and Workspace ONE Access with their back-end enterprise systems. VMware AirWatch Cloud Connector runs in the internal network in outbound connection mode to transmit secure requests from Workspace ONE UEM and Workspace ONE Access to critical enterprise infrastructure components. This allows organizations to harness the benefits of Workspace ONE UEM Mobile Device Management (MDM) and Workspace ONE Access and their existing LDAP, certificate authority, email, and other internal systems, all without inbound port 443 opened.
VMware AirWatch Cloud Connector integrates with the following internal components:
Email Relay (SMTP)
Directory Services (LDAP / AD)
Microsoft Certificate Services (PKI)
Simple Certificate Enrollment Protocol (SCEP PKI)
Email Management Exchange 2010 (PowerShell)
Third-party Certificate Services (on-premises only)
Lotus Domino Web Service (HTTPS)
Syslog (Event log data)
Additional information about VMware AirWatch Cloud Connector requirements, setup, and installation can be found in the AirWatch Cloud Connector documentation.
Workspace ONE Access
The Workspace ONE Access connector is an on-premises component of Workspace ONE Access that provides directory integration, user authentication, and integration with resources such as Horizon 7. The connector is deployed in outbound connection mode and, for most use cases, does not require inbound port 443 to be opened. It communicates with the Workspace ONE Access service through a Websocket-based communication channel.
Workspace ONE Access Connector supports optional services such as:
RSA Secure ID and Adaptive Auth
Additional information about Workspace ONE Access Connector requirements, setup, and installation can be found in the Workspace ONE Access Connector documentation.
VMware AirWatch AirWatch Secure Email Gateway (V2)
Enterprises using certain types of email servers, such as Exchange 2010 or Lotus Traveler, can use the Secure Email Gateway (SEG) server to take advantage of these advanced email management capabilities. The SEG acts as a proxy, handling all Exchange Active Sync traffic between devices and an existing ActiveSync endpoint.
Workspace ONE UEM offers advanced email management capabilities:
Detection and Remediation of rogue devices connecting to email.
Advanced controls of Mobile Mail access.
Advanced access control for administrators.
Integration with the Workspace ONE UEM compliance engine.
Enhanced traffic visibility through interactive email dashboards.
Certificate integration for advanced protection.
Email attachment control and hyperlink transform.
Enterprises using Exchange 2010+, Office 365 BPOS, or Google Apps for Work do not necessarily require the Secure Email Gateway server. For these email infrastructures, a different deployment model can be used that does not require a proxy server, such as Microsoft PowerShell Integration or Google password management techniques.
Email attachment control functionality requires the use of the Secure Email Gateway proxy server regardless of the email server type.
Additional information about SEG requirements, setup, and installation can be found in the VMware AirWatch SEG Administration Guide, available on docs.vmware.com.
Beginning with the 1907 release, SEG Classic is no longer available on new deployments. Beginning with Unified Access Gateway 3.6 the SEGv2 image is included in the UAG appliance.
VMware Tunnel and Unified Access Gateway (Tunnel)
The VMware Tunnel provides a secure and effective method for individual applications to access corporate sites and resources. When your employees access internal content from their mobile devices, the VMware Tunnel acts as a secure relay between the device and enterprise system. The VMware Tunnel can authenticate and encrypt traffic from individual applications on compliant devices to the back-end site or resources they are trying to reach.
Use the VMware Tunnel to access:
Internal websites and Web applications using the VMware Browser.
Internal resources through app tunneling for iOS 9 and higher devices using the VMware Tunnel.
Additional information about VMware Tunnel requirements, setup, configuration, and installation can be found in the VMware Tunnel Guide, available on docs.vmware.com.
AirWatch Content Gateway and Unified Access Gateway (Content Gateway)
The Content Gateway, together with VMware Workspace ONE Content, lets your end users securely access content from an internal repository. This means that your users can remotely access their documentation, financial documents, board books, and more directly from content repositories or internal file shares. As files are added or updated within your existing content repository, the changes are immediately reflected in the Workspace ONE Content, and users are granted access to their approved files and folders based on the existing access control lists defined in your internal repository. Using the Content Gateway with Workspace ONE Content allows you to provide access to your corporate content without sacrificing security.
Additional information about AirWatch Content Gateway requirements, setup, configuration, and installation can be found in the VMware AirWatch Content Gateway documentation, available on docs.vmware.com.
AirWatch Email Notification Service (Classic and V2)
The Email Notification Service (ENS) adds push notification support to Exchange on iOS and Android devices.
On iOS, this means the VMware Boxer email app can get notifications using either Apple’s background app refresh or Apple Push Notification Service (APNs) technologies. Background app refresh is used by default, however iOS attempts to balance the needs of all apps and the system itself. This means that each app might provide notifications at irregular periods using this method. To provide notifications quickly and consistently, Apple also provides APNs. This allows a remote server to send notifications to the user for that application, however Exchange does not natively support this.
ENS V2 supports notification services on managed Android devices to allow quick and consistent notifications about new items in your end users' email inboxes.
You can download the most up-to-date versions of the VMware AirWatch Email Notification Service Installation Guides, which includes configuration and installation, from docs.vmware.com.
Workspace ONE Intelligence
Workspace ONE Intelligence gives you insights into your digital workspace. It enables enterprise mobility management (EMM) planning and offers automation. The Reports feature provides faster, easier access to critical business intelligence data than normal Workspace ONE UEM reports. All these components help to optimize resources, to strengthen security and compliance, and to increase user experience across your entire environment.
You can download the most up-to-date version of the Workspace ONE Intelligence Guide, which includes configuration and installation, from docs.vmware.com.
Workspace ONE UEM offers a peer distribution system to deploy Win32 applications to enterprise networks. Peer distribution can reduce the time to download large applications to multiple devices in deployments that use a branch office structure.
For more information, see the Workspace ONE UEM Mobile Application Management (MAM) Guide, which includes configuration and installation, from docs.vmware.com.
As deployments begin to scale over 1,000 devices, it is recommended that all environments have a caching solution in place. Caching solutions aid in reducing load on the database server that comes from the sheer volume of calls that must be made to the database. After caching is configured, the Workspace ONE UEM components reach out to the caching solution in attempts to obtain the DB information they require. If the information that is needed does not reside on the cache server, the component will reach out to the DB and then store the value on the cache server for future use.
For more information on configuring Memcached, see the Memcached Integration guide, available on docs.vmware.com. If the Memcached setting is not available, reach out to VMware support for assistance.
VMware Workspace ONE AirLift is a server-side connector that simplifies and speeds the customers journey to modern management. Workspace ONE AirLift bridges administrative frameworks between Microsoft System Center Configuration Manager (ConfigMgr) and Workspace ONE UEM.
This bridge allows the customer to focus on moving co-management workloads and applications to the appropriate platform without redefining device and group memberships. Workspace ONE AirLift provides seamless adoption of co-management benefits and eases the transition on a collection by collection basis addressed toward particular use cases.
For more information on configuring Airlift, see the Airlift Integration guide, available on docs.vmware.com. If the Memcached setting is not available, contact VMware support for assistance.
Dell Factory Provisioning
In partnership with Dell Configuration Services, Workspace ONE UEM supports creating provisioning packages to install applications and configurations on your Dell Windows 10 devices before they leave the factory.
Dell Provisioning for VMware Workspace ONE requires on-premises customers to install the Dell Provisioning for VMware Workspace ONE service onto a standalone application server. To set up and configure Factory Provisioning, see the Workspace ONE UEM Windows Desktop Guide, available at docs.vmware.com.
To use Dell Provisioning for VMware Workspace ONE, you must participate in Dell Configuration Services. For more information, see https://www.dell.com/en-us/work/learn/system-configuration.