Workspace ONE: Unifying the IT experience at WWT
After a proof of concept with several leading end-user device management technologies, WWT selected VMware’s Workspace ONE for end-point device management.
One of the key challenges our users faced was managing software in a consistent and intuitive manner on their end-point devices. To support all device types in our environment, WWT managed seven different catalogs, each allowing users to install software that was disparate and sometimes duplicated across these catalogs. Not all applications were available in every catalog, which created a confusing user experience when trying to access applications in our environment.
With more than 50 sites across the globe and a traveling user base, users dealt with high latency and slow speeds when downloading files and applications from our on-premise servers. Additionally, some application catalogs were only accessible if a user was connected to the WWT network, which required users to join a Virtual Private Network (VPN) to install the applications they needed. Most of our users do not require a VPN connection to do their daily work, so this was an additional inconvenience.
Information Technology (IT) challenges
In addition to end-user challenges, our IT department has to provide updates and support to numerous operating systems and platforms, while supporting an increasingly mobile user base. In order to support these different systems, IT used multiple management tools. Each tool required a specific skillset and IT resources to properly maintain.
Another challenge was that WWT’s ever-increasing global presence limited the effectiveness of traditional on-premise solutions. The issues driven by some of our legacy management tools required additional software distribution points and servers, resulting in increasing overhead, upkeep and cost.
Vendor comparison/competitive analysis
The resulting user experience was simplified and uniform, regardless of supported device type or operating system, which eliminated the need to train users on multiple tools. IT administrators received the same benefit: they could manage all devices from a single platform, eliminating the need for specific expertise in numerous tools, which oftentimes resulted in siloed and/or tribal knowledge and decreased scalability.
A differentiating feature of Workspace ONE was the ability to co-manage Windows devices on SCCM and Workspace ONE. This allowed us to phase out features of SCCM as we migrated to Workspace ONE management, rather than planning for a major company-wide cut-over. Additionally, the option to implement Workspace ONE in VMware's web-hosted SaaS environment eliminated the need to maintain multiple servers across the globe. This addressed the challenge our remote and traveling users faced with latency and slow download speeds.
After an extensive evaluation, Workspace ONE best met both end user and IT requirements, as well as additional nice-to-have features.
We implemented Workspace ONE in VMware’s SaaS environment to support employees across the globe, while reducing the cost and overhead of on-premise distribution points in various regions.
Workspace ONE was deployed in phases, allowing WWT to add business value continually and quickly and begin seeing a return on our investment. Our phases included WWT-managed mobile phones, all Windows 10 devices and finally WWT warehouse scanners. To conclude the scope of our enrollments, macOS enrollment is currently progressing without issue.
User experience visualized
With the rollout of VMware’s Workspace ONE, end users can request licensing and/or access local, web and virtual applications from one intuitive catalog regardless of which supported device they are using. The below images show the before and after state of our environment consisting of various management tools which were consolidated into the Workspace ONE catalog: SCCM, JAMF, ServiceNow, SharePoint, Android Play and the Apple Application Store.
Prior to Workspace ONE
After Workspace ONE (unified experience on multiple devices)
IT administrator experience visualized
IT administrators were provided a scalable and vastly improved management experience once Workspace ONE was implemented. All applications, profiles, configurations and updates could now be deployed from a single console versus various tools (SCCM Manager, JAMF Pro Console and XenMobile Management Tool), and user permissions could now be more rigorously monitored and controlled.
Additionally, limited access could be granted to specific users and teams to view consolidated information about our WWT managed devices (troubleshooting support, security compliance checks, reports/analytics, etc.), without posing the risk of granting full administrative privileges to those users/teams in our production environment.
On-premise service connections
WWT uses an on-premise Active Directory Domain Services (AD DS) solution to manage and store information about our domains, users and devices. With the deployment of Workspace ONE, we’ve leveraged the VMware Enterprise Systems Connector to integrate our on-premise AD DS environment with the Workspace ONE Cloud environment. This gives users the ability to access Workspace ONE resources using the existing credentials they use to access their devices and internal services. Two connection servers were configured to provide redundancy and reduce downtime during routine maintenance.
Workspace ONE architecture
An added benefit of Workspace ONE is the ability to increase device security by using compliance profiles created in Workspace ONE. These profiles can be customized to an organization’s specifications to check the compliance status of any enrolled device.
Within the Workspace ONE console, a compliance check can be run for company-specific encryption status, firewall status, and Operating System version. If a machine is found to be non-compliant, rules can be automated (based on the severity of the non-compliant rule) to complete a corresponding corrective action, such as emailing a user or restricting access to specific internal resources. Another security benefit is the ability to enterprise wipe a compromised, lost or stolen device from the centralized console.
A new feature implemented by WWT was Security Baselines for Windows Devices, which enabled any Group Policy Object to be uploaded and converted to a Microsoft Policy configuration service provider profile via Workspace ONE. The benefit of this was eliminating the need for a device to connect to our on-premise GPO Server to receive configurations. If you don’t have a Group Policy to convert, Workspace ONE offers templates such as CIS recommended settings.
Security Baselines for Windows Devices
Reporting and automation
Through Workspace ONE Intelligence, we provide customized scheduled reporting and custom dashboards to better track our environment in the areas of OS Updates, Application Usage and Security Vulnerabilities. These scheduled reports provide holistic information on application installation counts (for Software Asset Management), OS update status (ensuring latest security patches and feature updates) and device activity (proactively remediating security vulnerabilities before an exploit can occur).
By utilizing APIs between Workspace ONE and ServiceNow, we now have access to real-time, automated data, vastly improving consistency in asset tracking overall. As mentioned previously, specific reports can also be automatically shared in view-only mode with specific users/teams without the need to provide them with full administrative privileges, thus minimizing risk.
Example dashboard used to show the most used applications across various devices.
With the implementation of Workspace ONE, WWT has positioned itself for the future of device management. Paired with tools such as Microsoft’s Autopilot, Apple’s Device Enrollment Program and Samsung Knox, we are focusing on offering a seamless out-of-box experience to our employees, with all devices being automatically configured and set up for use by Workspace ONE controls and shipped directly to a given facility or individual user. This will drastically reduce IT hours spent on imaging and device set-up, while allowing a user to get up and running on their first day without additional IT assistance or a long wait-time for manual device set-up.