Today, VMware introduced updates to VMware Workspace ONE, the digital workspace solution that combines enterprise mobility management (EMM) and identity management to transform the delivery of IT services. The primary goal is to not just allow employees to work anywhere from any device, but also remove the friction of using new mobile apps “in the mobile moment,” while providing a pragmatic, risk-based security posture. The new updates releasing this month concentrate specifically on helping our customers begin their journey toward the digital workspace, with a strong focus on employee adoption and eliminating the complexity of adopting unified endpoint management.
You Don’t Need a BYOD Strategy
The bring-your-own-device (BYOD) movement is in a strained state in 2016. A vast majority of companies would claim to have adopted BYOD programs and policies, but when you dig deeper, you find that these programs are a loose collection of policies and technologies, perhaps covering email access and remote access with “best efforts” support.
This is no fault of IT, however; it reflects the state of an industry in which technology solutions have been concentrated in silos. Networking vendors concentrated on VPN and filters for traffic coming through the DMZ. Enterprise mobility concentrated on device management and mobile email. And identity vendors concentrated on single sign-on (SSO) and, more recently, SaaS apps. Even the most forward-thinking IT organizations that have implemented multiple technologies as part of a coordinated strategy struggle with gaps in policy enforcement, platform coverage and usability.
The answer to this isn’t just to simply integrate and package up these siloed technologies, but to move toward an architecture that unifies application delivery, identity, access, and policy management for all employees and all of their devices, both BYOD and corporate-owned and operated devices. Instead of BYOD requiring a separate strategy, it becomes the basis for all services.
Moving Across the Spectrum of Management from One Platform: The Identity-Defined Workspace
Workspace ONE is designed around the concepts of identity management and self-service. Employees are either pre-entitled or may request access to services. Those services are delivered in a contextual experience. This means that it isn’t simply about any app on any device with a common policy, but instead, provides the ability to make risk-based decisions on what apps employees should be able to access based on the device they happen to be using at the time, and a whole host of conditions from location to device posture.
The diagram below helps simplify this concept:
Starting from the left, on a completely unmanaged device with nothing more than a browser, many web-based internal and SaaS apps may be accessed with an SSO experience, including Windows apps through VMware Horizon or Citrix XenApp. The user experience is simplified with a common web-based catalog. All the employee needs to remember is their domain password.
This model isn’t just an option; it is available to every employee, and there will likely always be a use case for employees to access at least some set of their applications this way.
All New Managed Workspace Deployment Option Removes Barriers to Employee Adoption
Moving to the right in the model above is a new deployment option that is designed for delivering IT services to employees on their personally owned devices. The struggle with BYOD—particularly with mobile operating systems, including iOS, Android and now Windows 10—is that native applications need to be installed for real productivity. These apps access data and, left on their own, allow for cut, copy, paste and open-in features across any other app on the device. And of course, if the app itself stores data offline, there would be no way to wipe or restrict access if the device were lost or stolen or if the employee were terminated.
Two Imperfect Solutions for BYOD: MDM or MAM
To combat the potential for data loss through these gaping holes, the EMM industry has had only two choices: either manage the device or leverage traditional mobile app management (MAM) techniques. These techniques rely either on the app being written against a specific MAM SDK or on the app being “wrapped” with code specific to a management vendor.
Traditional MAM has proven an unrealistic approach, as it cannot guarantee compatibility with the rising numbers of third-party apps.
Workspace ONE, powered by AirWatch, has worked across the industry to combat the app management compatibility challenges through the AppConfig community. But even with AppConfig, the assumption has been that a device must first be enrolled. This leads back to the first solution: manage the device. But device management is often rejected due to potential privacy concerns and the friction that enrollment can cause between employees and IT.
[Related: What Is AppConfig?]
A New Middle Ground: The Managed Workspace
Building on the identity-defined workspace, a managed workspace leverages the privacy protections inherent in iOS, Android and Windows 10 to allow the native OS to enforce application policy—without exposing privacy-sensitive information to IT. More importantly, Workspace ONE transforms the employee experience for BYO devices. Beginning with simple access to an enterprise app store and launcher through the Workspace ONE app, if an employee then wants access to an application requiring greater protection, they can simply “accept” Workspace Services activation.
By accepting activation, Workspace ONE can push a certificate to the device to anchor one-touch authentication, enforce PIN-strength policy, allow IT to wipe only a protected app and enforce cut, copy, paste and “open-in” controls. Through this model, IT cannot view apps on the device, access any user storage or activate GPS. Employees can be assured that their privacy is protected, and there is an immediate benefit of access, so that “management” is no longer the conversation.
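The spectrum described above (browser-only SSO on an unmanaged device, the managed workspace once Workspace Services is accepted, and full enrollment for corporate-owned devices) is a tiered, posture-driven access decision. The following is an added illustration written for this post, not Workspace ONE code: the tiers, posture fields, app catalog and the “step-up” verdict that invites the employee to accept activation are all constructed assumptions modelling the text, not product APIs.

```python
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):
    UNMANAGED = 0          # browser only: SSO with the domain password
    MANAGED_WORKSPACE = 1  # employee accepted Workspace Services: cert + PIN policy
    UEM = 2                # corporate-owned, fully enrolled and operated by IT

@dataclass
class DevicePosture:  # constructed sample posture attributes, not a product schema
    enrolled: bool = False
    has_workspace_cert: bool = False
    pin_policy_enforced: bool = False
    compromised: bool = False      # e.g. jailbroken/rooted, as reported by an agent
    trusted_location: bool = True

@dataclass
class App:
    name: str
    min_tier: Tier
    needs_trusted_location: bool = False

def tier_for(p: DevicePosture) -> Tier:
    if p.enrolled:
        return Tier.UEM
    if p.has_workspace_cert and p.pin_policy_enforced:
        return Tier.MANAGED_WORKSPACE
    return Tier.UNMANAGED

def decide(app: App, p: DevicePosture):
    # Returns (verdict, reason); verdict is 'allow', 'deny' or 'step-up'.
    if p.compromised:
        return "deny", "device posture reported as compromised"
    if app.needs_trusted_location and not p.trusted_location:
        return "deny", "location outside trusted set"
    tier = tier_for(p)
    if tier >= app.min_tier:
        return "allow", f"{tier.name} satisfies {app.min_tier.name}"
    if app.min_tier == Tier.MANAGED_WORKSPACE and tier == Tier.UNMANAGED:
        # The middle ground: offer activation instead of refusing or demanding enrollment.
        return "step-up", "accept Workspace Services activation to continue"
    return "deny", f"{app.name} requires {app.min_tier.name}; device is {tier.name}"

CATALOG = [  # constructed sample catalog
    App("webmail-saas", Tier.UNMANAGED),
    App("native-crm", Tier.MANAGED_WORKSPACE),
    App("finance-vdi", Tier.UEM, needs_trusted_location=True),
]

def evaluate_catalog(p: DevicePosture):
    return {a.name: decide(a, p)[0] for a in CATALOG}
```

A compromised device is denied at every tier, and a location condition is checked independently of management state, which is the “whole host of conditions” the post refers to.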
VMware Verify™: Simplifying Strong Authentication Across Any Device
To improve usability in even the most unmanaged use cases, VMware will introduce the VMware Verify two-factor authentication service this month. Verify is an application that can be downloaded and installed on an employee’s personally owned smartphone.
When an employee attempts to access the Workspace ONE catalog, launcher or any application requiring strong authentication, the Verify App sends a notification to the smartphone asking the employee to verify that they are indeed attempting to access the app. Once the employee swipes “accept,” the application will launch automatically. This simple two-factor authentication can be used across the enterprise, removing the need for more complex solutions that always require manual entry of one-time passcodes.
Gateway to Unified Endpoint Management (UEM) with Windows 10
Of course in any enterprise, not every device is going to be owned and managed by the employee. IT will continue to own and operate laptops, smartphones and tablets for a variety of use cases. Many of these devices will migrate to Windows 10 over the coming years and with it an opportunity to embrace a new modern management model.
Windows 10 represents a complete shift in thinking about PC management, as it has embraced the principles of enterprise mobility management, where security, configuration and application lifecycle management are exposed through APIs. Instead of imaging the machine and managing OS patches with domain-joined tools, IT permits the OS vendor to patch and opens up new channels for application push and pull delivery through the Windows Business Store, now supported by Workspace ONE.
Unified endpoint management is a journey toward leveraging a common platform to manage across all of these device types. With Workspace ONE, all of the architecture, skills and processes developed through supporting the identity-defined or unmanaged workspace to the managed workspace are directly applied to unified endpoint management whenever the device needs to be deployed and operated by IT.