What Is Workspace ONE?

Workspace ONE ® is a digital platform that delivers and manages any app on any device by integrating access control, application management, and unified endpoint management. The platform allows IT to deliver a digital workspace that includes the devices and apps of the business's choice, without sacrificing the security and control that IT professionals need.

Take a look at this introductory demo to see how Workspace ONE can help you.

What are the Key Features?

This section summarizes the features and capabilities of Workspace ONE, and outlines a few examples and use cases of when you would use each one.

Consumer-simple app authentication

With Workspace ONE, end-users can get password-less single sign-on to a catalog that provides them access to virtually any app. This includes mobile apps, web apps, cloud apps, and Windows apps. Once signed in, end-users can self-service select the applications they need to be productive with no IT intervention. As an IT professional, you control the back-end workflow to provide an excellent user experience that doesn’t sacrifice security.

Mobile SSO in Workspace ONE (Workspace 1) provides a password-less, single sign-on (SSO) experience.

Provide easy access to all the apps your end users need to do their job - either through the Workspace ONE Intelligent Hub or with the browser-based catalog.

Transform employee onboarding by enabling self-service access to the apps your end-users need.

One-touch single sign-on means your end-users don’t have to remember a bunch of credentials or type in the same password every time they access an app. Workspace ONE uses certificates to establish trust, providing a passwordless, single sign-on (SSO) experience.

Unified Endpoint Management options

Workspace ONE doesn’t dictate which platforms to deploy in your environment. Our goal is to support any device - even devices that have not yet been invented. From desktop OS’s to mobile OS’s, even wearables, and 3D graphics workstations, we support it. Beyond that, we also know that while some devices are corporate-owned and require IT management throughout their lifecycle, many will be owned by the employees themselves. Workspace ONE puts the choice in employees’ hands for the level of convenience, access, security, and management that makes sense for their work style.

Desktop OS's, mobile OS's, smartphones, you name it, we support it. That means you don’t have to worry about the next big mobile device that comes out. We will support it.
Bring-your-own, Choose-your-own, Corporate Owned, Locked Down, and so on…there are so many device management types. Workspace ONE supports them all in a single platform.
The Workspace ONE Intelligent Hub makes logging in on a BYO device super simple for end users. From the hub, they can seamlessly launch apps. However, if they try to access an app with confidential data, they are prompted to elevate management on their device.

Conditional Access

To protect the most sensitive information, Workspace ONE enforces access decisions based on device compliance and identity context. Using our powerful policy engine, you can mix and match inputs to make dynamic decisions on the level of access end-users receive.

Conditional access grants the right permissions to the right end users while keeping corporate data secure.

Apply conditional access policies on a per-application basis to enforce authentication strength and restrict access by network scope, location, and device compliance.

Provide a range of advanced device restrictions and policies such as data loss prevention and restricting access to corporate resources from rooted or jailbroken devices, allowlist and denylist for apps, open-in app restrictions, cut/copy/paste restrictions, geofencing, and network configuration.

Get real-time visibility with application, device and console events that provide detailed information for system monitoring, and view logs in the console or export pre-defined reports.

Automated app management

Workspace ONE allows IT professionals to automate application distribution and updates on the fly. Whether you’re deploying Windows apps or mobile apps, we automate the application delivery process to allow better security and compliance. With Workspace ONE you can deploy Windows apps to Windows devices in your organization or up-to-date apps to mobile devices, from a single platform that keeps you covered every step of the way.

Eliminate the need for laptop imaging with Workspace ONE’s simplified device management and provisioning. Our dynamic smart groups, which use device information and user attributes, ensure devices always have necessary configurations such as Wi-Fi and VPN.
Automatically install, update, and remove software packages. Create an automated workflow for software, applications, files, scripts, and commands to install on laptops. Configure installation based on a variety of IT-defined conditions.
Secure hosted virtual apps and desktops enabling users to work on highly sensitive and confidential information without compromising security with Horizon. Users can access their virtual apps and desktops from the Workspace ONE Intelligent Hub app, enabling the flexibility to be productive wherever they are.

What is the Architecture?

IT can deploy Workspace ONE in a variety of deployment models, including on-premises, in the cloud, and hybrid with different components deployed on-premises and in the cloud.

Since the purpose of Workspace ONE is to manage secure application delivery to your end-users, you must connect Workspace ONE to an existing directory infrastructure. You can configure Workspace ONE to use Active Directory or other LDAP-based directories, for user synchronization, authentication, and application access.

For the sake of simplicity, we’re going to focus this article on a basic cloud deployment of Workspace ONE. The larger your environment, the more complex the requirements get, so we can’t walk through every detail here. This article is intended just to give you the info you need to understand how some of the elements would fit into your environment at a high level. We can split the architecture into infrastructure and end-user components.

Workspace ONE architecture diagram combines WS1 UEM, workspace one access, and workspace one intelligence

Workspace ONE Components

Workspace ONE Access provides SSO to an application store for software-as-a-service (SaaS)-based Horizon, Citrix, ThinApp®, and web applications, as well as for Horizon virtual desktops. It also provides a set of networking and authentication policies to control application access. For example, in the following screenshot, we can create detailed rules specifying specific authentication rules based on network range, what device the request is coming from, and the Active Directory group.
Workspace ONE UEM (formerly known as AirWatch) provides a unified endpoint management platform that delivers simplified access to enterprise resources, secures corporate data, and enables productivity on any device anywhere in the world. UEM also integrates with public application stores to handle the provisioning of native mobile applications to mobile devices. Workspace ONE UEM provides compliance-checking tools to ensure that remote access devices meet corporate security standards. For Office 365, and our integration with the Office 365 Graph API we can manage the DLP settings across the suite of Office applications to ensure security.
Workspace ONE® Intelligence™ is a cloud-only service, hosted on Amazon Web Services (AWS), designed to simplify user experience without compromising security. The Intelligence service aggregates and correlates data from multiple sources to give complete visibility into the entire environment. It produces the insights and data that will allow you to make the right decisions for your Workspace ONE deployment. Workspace ONE Intelligence has a built-in automation engine that can create rules to take automatic action on security issues.
Unified Access Gateway is a software appliance that provides secure edge services and access to defined resources that reside in the internal network. This allows authorized, external users to access internally located resources in a secure manner.

Workspace ONE Intelligent Hub

Workspace ONE Intelligent Hub app or myworkspaceone.

https://getwsone.com . Once installed, end-users will log in with their Active Directory credentials and see the applications that IT has allowed access to. From a single app, end users can view favorite apps, new apps, recommended apps, and categories all within the Intelligent Hub catalog.

Some applications are marked with Requires Workspace ONE Tunnel. Tunnel sets up a VPN connection and connects corporate apps to corporate resources. For applications that contain sensitive data, enrolling in management is the way to go, since it provides greater security including encryption, data protection, compliance, and removing enterprise applications when a device gets unenrolled.

End-users also get the benefit of mobile SSO, or as some call it, password-less authentication. For iOS, a Kerberos certificate is passed down to the end-user device. Users who are successfully signed into their domain can access their Intelligent Hub catalog apps without additional credential prompts. It’s a win-win for IT and end-users.

Top 5 things you should know

Now that you’ve established a solid foundation of what Workspace ONE can do for you, hear directly from the product experts about the top 5 things you should know about Workspace ONE. This tech talk will help you understand how key product features in Workspace ONE will work for you.

Learn more

Check out the Workspace ONE Frequently Asked Questions (FAQs) which provides answers to some of the most common questions.

Learn more about other projects

If you are interested in other projects, see the following introductions:

What Is Workspace ONE?
Why So Many Workspace ONEs and How are they Different?
What Is Workspace ONE UEM?
What Is Horizon?
What is Dynamic Environment Manager?
What Is Digital Employee Experience (DEX)?