VMware Workspace ONE Assist, together with Workspace ONE UEM powered by AirWatch, enables you to remotely access and troubleshoot devices in real time. Workspace ONE Assist is privacy-friendly. End users can accept, pause, and end a remote session at any time for privacy reasons.

The Workspace ONE Assist client also has additional support tools and device information available. The combination of remote control and information allows you to troubleshoot any issues on devices quickly and accurately.

Workspace ONE Assist is already configured for Workspace ONE UEM SaaS customers who have purchased the upgrade.

Workspace ONE Assist requires devices to have the Workspace ONE Intelligent Hub and the Remote Management client installed.

Workspace ONE Assist Components

Workspace ONE Assist uses multiple components to facilitate the communication between admins and end-user devices. The core components are as follows.

Database

The database handles system and tenant configuration, operations, and logging such as the accrual of historical device enrollment data. The Workspace ONE Assist system is composed of eight databases.

  • ApAdmin – Maintains all the system configurations, tenant (customer) configuration, management information, system administration data, and server instrumentation data. There is only one ApAdmin database for all tenants.
  • APOps (2) – Maintains data required for the operations of the system such as device enrollment, Access Control List’s (ACL), groups, users, zones, and so on. You have one template APOps database and one for the tenant with the GUID.
  • APReports (2) – Contains historical data of device enrollment, session, audit, report views, and so on. You have one template APReports database and one for the tenant with a GUID.
  • APJournal (2) – Contains aggregated information on the tenant necessary to construct various reports. You have one template APJournal database and one for the tenant with a GUID.
  • APPublic – Contains pre-enrollment information on devices and multiple database jobs. There is only one APPublic database for all tenants.
Core Services

The Core Services component provides service discovery and auxiliary services for the Workspace ONE Assist solution through Web services and Windows services. These services include the following.

  • Management Entity (ME) – Windows service that provides an in-memory datastore for admin and management Web service, which provides the operational end point to the system.
  • Service Coordinator (SVC) – This Windows service is responsible for coordinating communication between various elements within the system. It provides the communication to the database and is responsible for the discovery of all other Remote Management Tool services. All Workspace ONE Assist Tool services register with this service. Service coordinator service is installed on an Application (App) Server.
  • Data Tier Proxy (DTP) – This Windows service works with the Service Coordinator. It serves as the gateway for all services to reach the Service Coordinator service to communicate with Remote Management Tool databases. Data Tier Proxy service is installed on the App Server.
  • Data Access Proxy (DAP) – This Web service is responsible for a proper communication of all Web services. It serves a similar purpose as the Data Tier Proxy service and is installed on the App server.

Portal Services

The Portal Services component handles the administrative and management services for Workspace ONE Assist. The Management Website is installed as part of the portal services component and consists of the following.

  • AetherPal Tool Controller Service (ACS) – Acts as a gateway service that maintains a consistent socket connection between the RS web console and the Connection Proctor.
  • Management Web Site (ADM/ANC) – IIS Service that hosts the RS web console for managing and remoting into devices. Anchor service responsible for mobile device registration. Also, it contains the System Admin Service (SAS) admin web portal for accessing and administering the tool and defining tenant and service configuration.
    • T10 Interface – The T10 Interface is part of the Management website and it defines an integration portal between Workspace ONE UEM and the Workspace ONE Assist server.
      • The T10 interface uses Representational State Transfer (REST) communication with a JavaScript Object Notation (JSON) payload. The T10 interface provides Workspace ONE UEM with the ability to make a mobile device eligibility call.
      • The T10 interface can also start a remote support session using the Workspace ONE Assist tool and delete the device from the Workspace ONE Assist system.

Application Services

Messaging Entity (MSG) – a core Windows service that provides the means for the Workspace ONE Assist tool to send out SMS messages to the device by way of API or direct communication. This communication is accomplished with a messaging gateway, such as Google Cloud Messaging (GCM), or any proprietary SMSC aggregator.

The remaining application services are installed by default but are not used by Workspace ONE Assist directly. As such, these services can be disabled if you prefer.

  • ZVC Services (ZVC) – Windows service used for GuideMe feature. ZVC Service helps with versioning and authoring management. Workspace ONE Assist does not require this auxiliary service. After installation, these services can be disabled in Windows services.
  • KB Service (KB) – Windows service used for GuideMe feature. This service help process content for delivery and publishing. This is an auxiliary service that is not required by the Workspace ONE Assist application for most use cases. Once installed, these services can be disabled in Windows services.

Connection Proctor

The Connection Proctor component uses the Windows Connection Proctor service to manage device connections to the Workspace ONE Assist server. The component also simultaneously handles multiple requests for sessions.

Supported Deployment Models

Workspace ONE Intelligent Hub and the platform-specific Workspace ONE Assist app must be installed on all devices. These two installs work together with Workspace ONE UEM to make it easy to use the console as the starting point for each support session.

Whether your Workspace ONE UEM deployment is part of an on-premises, dedicated SaaS, or shared SaaS environment, several Workspace ONE Assist deployment models are supported.

Note: Regarding iOS devices and organization groups (OGs), iOS can only be enabled or disabled for an entire customer. iOS cannot be enabled/disabled for specific OGs.
Table 1. Single Customer
Workspace ONE UEM Workspace ONE Assist
On-Premises On-Premises
On-Premises (Multi-Environment) Shared SaaS*
Shared SaaS Shared SaaS
Dedicated SaaS Shared SaaS

* In this scenario, multiple instances of Workspace ONE UEM (each for a single customer) communicate to a single Shared SaaS build of Workspace ONE Assist. See Integrate Deployment Model, On-Prem UEM With SaaS Assist.

Table 2. Multi-Tenant Partner**
Workspace ONE UEM Workspace ONE Assist
On-Premises Shared SaaS
Shared SaaS Shared SaaS
Dedicated SaaS Shared SaaS

** In this scenario, multiple organization groups within Workspace ONE UEM (on-premises or SaaS) communicate to a single Shared SaaS build of Workspace ONE Assist.

Typical On-premises Deployment

Most administrators deploy the Workspace ONE Assist server in an enterprise network to facilitate the communication between the various components. The typical deployment scenarios are summarized in this section. For simplicity, deployment with High Availability or multiple nodes with Active or Passive configuration details is not provided here.

Standard (Single Server) Deployment

This sample diagram is a typical deployment without the use of a load balancer.

1. Queue Remote Control Command. 6. Request Session URL.
2. Queuing Command to Connect to Server. 7. Admin Joins Session.
3. Confirm Command. 8. Device Joins Session.
4. Create Session. 9. Send Commands/Get Frames.
5. Send Session URL.

Medium-sized Depolyment

This diagram represents typical medium sized deployment where two servers are utilized. One server has Core, Application, and Portal services (CAP). Second server is the CP server. You can have more than one CP server. For more information, see Load Balancer.

Workspace ONE Assist CAP Servers contain Core Services, Application Services, and Portal Services.

1. Queue Remote Control Command. 6. Request Session URL.
2. Queuing Command to Connect to Server. 7. Admin Joins Session.
3. Confirm Command. 8. Device Joins Session.
4. Create Session. 9. Send Commands/Get Frames.
5. Send Session URL.

Load Balancer

A load balancer improves the workload distribution across multiple server resources and is valuable in high capacity, high availability environments. Consider a load balancer in your Workspace ONE Assist environment if your configuration features a separate CAP server and connection proctor server.

Integrate a Load Balanced to Your Deployment

SSL passthrough is required for all server configurations on the load balancer. To address persistence, you must configure the load balancer to use IP or SSL session persistence.

When you initially run the installer which creates the config.installer file, you are presented with the Database Credentials screen.

  1. For multi-node solutions, you must enter the database server instance name or the database server instance IP address.
  2. Run the database installation by itself even if you are installing other services on the same server.
  3. The Workspace ONE Assist server requires a host record that points to the internal IP address of the VIP (also known as Virtual IP) for the load balanced pool.
  4. Ensure that each [FQDN] record in the [ApAdmin].[dbo].[Server] table in the database points to the internal IP address of the VIP (also known as Virtual IP) for the load balanced pool.

    Ensure that you delete the Default Website from IIS once the server is running. See Domain Name Service and also Troubleshooting, Modify Database Record for Multi-Node Configuration.