The Workspace ONE™ UEM software suite is composed of multiple components that work in conjunction to provide a complete mobile device solution. These sections outline each component, and give a short summary of their role to aid in the understanding of the Workspace ONE UEM architecture.

Workspace ONE UEM Console

Administrators use the Workspace ONE UEM Console through a Web browser to secure, configure, monitor, and manage their corporate device fleet. The Admin Console also typically contains the AirWatch API, which allows external applications to interact with the MDM solution; this API provides layered security to restrict access both on an application and user level.

Device Services

Device Services are the components of Workspace ONE UEM that actively communicate with devices. Workspace ONE UEM relies on this component for processing:

  • Device enrollment.
  • Application provisioning.
  • Delivering device commands and receiving device data.
  • Hosting the AirWatch Self-Service Portal, which device users can access (through a Web browser) to monitor and manage their devices in Workspace ONE UEM.

AirWatch Cloud Messaging (AWCM)

AirWatch Cloud Messaging (AWCM) is used in conjunction with the VMware Enterprise Systems Connector to provide secure communication to your back-end systems. VMware Enterprise Systems Connector uses AWCM to communicate with the Workspace ONE UEM console.

AWCM also streamlines the delivery of messages and commands from the UEM console by eliminating the need for end users to access the public Internet or utilize consumer accounts, such as Google IDs. It serves as a comprehensive substitute for Google Cloud Messaging (GCM) for Android devices and is the only option for providing Mobile Device Management (MDM) capabilities for Windows Rugged devices.

It is typically installed on the Device Services server for deployments up to 50,000 devices.

AWCM simplifies device management by offering the following benefits:

  • Enabling secure communication to your back-end infrastructure through the VMware Enterprise Systems Connector.
  • Enabling Workspace ONE UEM Windows Protection Agent real-time communication.
  • Removing the need for third party IDs.
  • Delivering Workspace ONE UEM console commands directly to Android and Windows Rugged devices.
  • Enabling the ability for remote control and file management on Android Samsung Approved for Enterprise (SAFE) and Windows Rugged devices.
  • Enabling the ability to send remote commands such as device wipe and device lock to macOS and Windows 7 devices.
  • Increasing the functionality of internal Wi-Fi only devices by enabling push notification in certain circumstances.

Additional information about AWCM requirements, setup and installation can be found in the VMware AirWatch AWCM Guide, available on


The AirWatch API component comprises REST (Representational State Transfer) and SOAP (Simple Object Access Protocol) APIs. These APIs are used for developers creating their own applications that wish to invoke Workspace ONE UEM functionality and utilize the information stored in their Workspace ONE UEM environment.

When developing any new applications, Workspace ONE UEM recommends the use of Version 2 of the REST API, both for ease of use and for optimal support long-term.

SQL Database

VMware AirWatch stores all device and environment data in a Microsoft SQL Server database. Due to the amount of data flowing in and out of the Workspace ONE UEM database, proper sizing of the database server is crucial to a successful deployment.

For more information on system configurations, see the VMware AirWatch Installation Guide, available on, or contact Workspace ONE Support.

VMware Identity Manager Service

Workspace ONE UEM relies on the VMware Identity Manager Service to handle the Workspace ONE functionality including app catalog, conditional access, and Single Sign-On.

The VMware Identity Manager Service provides:

  • Application provisioning
  • Self-service catalog
  • Conditional access controls
  • Single Sign-On functionality

For more information on configuring the VMware Identity Manager service, see the VMware Identity Manager Administration Guide, available here:

VMware Enterprise Systems Connector

VMware Enterprise Systems Connector provides organizations the ability to integrate Workspace ONE UEM and VMware Identity Manager with their back-end enterprise systems. VMware Enterprise Systems Connector runs in the internal network, acting as a proxy that securely transmits requests from Workspace ONE UEM and VMware Identity Manager to critical enterprise infrastructure components. This allows organizations to harness the benefits of AirWatch Mobile Device Management (MDM) and VMware Identity management, together with those of their existing LDAP, certificate authority, email, and other internal systems.

VMware Enterprise Systems Connector integrates with the following internal components:

  • Email Relay (SMTP)
  • Directory Services (LDAP / AD)
  • Microsoft Certificate Services (PKI)
  • Simple Certificate Enrollment Protocol (SCEP PKI)
  • Email Management Exchange 2010 (PowerShell)
  • BlackBerry Enterprise Server (BES)
  • Third-party Certificate Services (On-premises only)
  • Lotus Domino Web Service (HTTPS)
  • Syslog (Event log data)
  • Horizon
  • RSA

Additional information about VMware Enterprise Systems Connector requirements, setup, and installation can be found in the VMware Enterprise Systems Connector Guide, available at

AirWatch Secure Email Gateway (Classic and V2)

Enterprises using certain types of email servers, such as Exchange 2010 or Lotus Traveler, can use the AirWatch Secure Email Gateway (SEG) server to take advantage of these advanced email management capabilities. The SEG acts as a proxy, handling all Exchange Active Sync traffic between devices and an existing ActiveSync endpoint.

Workspace ONE UEM offers advanced email management capabilities:

  • Detection and Remediation of rogue devices connecting to email.
  • Advanced controls of Mobile Mail access.
  • Advanced access control for administrators.
  • Integration with the Workspace ONE UEM compliance engine.
  • Enhanced traffic visibility through interactive email dashboards.
  • Certificate integration for advanced protection.
  • Email attachment control and hyperlink transform.

Enterprises using Exchange 2010+, Office 365 BPOS, or Google Apps for Work do not necessarily require the Secure Email Gateway server. For these email infrastructures, a different deployment model can be used that does not require a proxy server, such as Microsoft PowerShell Integration or Google password management techniques.

Email attachment control functionality requires the use of the Secure Email Gateway proxy server regardless of the email server type.

Additional information about SEG requirements, setup, and installation can be found in the VMware AirWatch SEG Administration Guide, available on

VMware Tunnel and Unified Access Gateway (Tunnel)

The VMware Tunnel provides a secure and effective method for individual applications to access corporate sites and resources. When your employees access internal content from their mobile devices, the VMware Tunnel acts as a secure relay between the device and enterprise system. The VMware Tunnel can authenticate and encrypt traffic from individual applications on compliant devices to the back-end site or resources they are trying to reach.

Use the VMware Tunnel to access:

  • Internal websites and Web applications using the VMware Browser.
  • Internal resources through app tunneling for iOS 8 and higher devices using the VMware Tunnel.

Additional information about VMware Tunnel requirements, setup, configuration, and installation can be found in the VMware Tunnel Guide, available on

AirWatch Content Gateway and Unified Access Gateway (Content Gateway)

The Content Gateway, together with VMware Content Locker, lets your end users securely access content from an internal repository. This means that your users can remotely access their documentation, financial documents, board books, and more directly from content repositories or internal file shares. As files are added or updated within your existing content repository, the changes will immediately be reflected in VMware Content Locker, and users will only be granted access to their approved files and folders based on the existing access control lists defined in your internal repository. Using the Content Gateway with VMware Content Locker allows you to provide unmatched levels of access to your corporate content without sacrificing security.

Additional information about AirWatch Content Gateway requirements, setup, configuration, and installation can be found in the VMware AirWatch Content Gateway Admin and Install guides,available on

AirWatch Email Notification Service (Classic and V2)

The Email Notification Service (ENS) adds Apple Push Notification support to Exchange. On iOS, this means the VMware Boxer and VMware Workspace ONE UEM Inbox email apps can get notifications utilizing either Apple’s background app refresh or Apple Push Notification Service (APNs) technologies. Background app refresh is used by default, however iOS attempts to balance the needs of all apps and the system itself. This means that each app may provide notifications at irregular periods using this method. To provide notifications quickly and consistently, Apple also provides APNs. This allows a remote server to send notifications to the user for that application, however Exchange does not natively support this. ENS adds APNs support to your deployment to allow quick and consistent notifications about new items in your end users' email inboxes.

You can download the most up-to-date versions of the VMware AirWatch Email Notification Service Installation Guides, which includes configuration and installation, from

Workspace ONE Intelligence

Workspace ONE Intelligence gives you insights into your digital workspace. It enables enterprise mobility management (EMM) planning and offers automation. All these components help to optimize resources, to strengthen security and compliance, and to increase user experience across your entire environment.

You can download the most up-to-date version of the Workspace ONE Intelligence Guide, which includes configuration and installation, from


Workspace ONE UEM offers a peer distribution system to deploy Win32 applications to enterprise networks. Peer distribution can reduce the time to download large applications to multiple devices in deployments that use a branch office structure.

For more information, see the VMware AirWatch Mobile Application Management (MAM) Guide, which includes configuration and installation, from


As deployments begin to scale over 5,000 devices, it is recommended that all environments have a caching solution in place. Caching solutions aid in reducing load on the database server that comes from the sheer volume of calls that need to be made to the database. Once caching is configured, the Workspace ONE UEM components will first reach out to the caching solution in attempts to obtain the DB information they require. If the information that is needed does not reside on the cache server, the component will reach out to the DB and subsequently store the value on the cache server for future use.

For more information on configuring Memcached please see the Memcached Integration with AirWatch guide, available on If the Memcached setting is not available, please reach out to VMware support for assistance.