How does Workspace One work (Architecture)?

Workspace One architecture is based on virtualization, treating every hardware component as an independent unit with a guest OS. These hardware components are called virtual machines, which are software representations of a computer. The hypervisor is a thin layer of abstraction drawn over hardware components to isolate and decouple them from the host.


VMware provides an Enterprise Mobility Management (EMM) system with Unified Endpoint Management (UEM) that integrates all endpoints and applications into a single cloud-based security system. The IT team can deploy and remotely control applications, whether existing enterprise applications, new applications from the app store, or SaaS-based solutions. A high level of security is maintained with Identity Management. Application and device activity is continuously monitored, multi-level authentication techniques are used, and data is encrypted. Powerful collaboration tools for mail, the company social platform, and calendar further enhance the user experience. Workspace One can run on any device and operating system. Mass upgrades and patch deployment to all devices are another advantage of Workspace One.


Workspace One UEM architecture

Unified Endpoint Management connects all endpoint devices and virtual systems to a single cloud platform that offers high-security features, application deployment and control, and powerful collaboration tools. Workspace One solutions can be deployed either on-premises or in the cloud as a SaaS service. A separate connector, the AirWatch Cloud Connector, runs in the internal network and uses outbound connections from the DMZ to sync with active resources.

Workspace One UEM architecture components

  • UEM console: A central console for managing all endpoint devices and deploying and controlling all applications as an administrator.
  • Device services: A service for communication with all endpoint devices to send commands, receive feedback and data, registration with cloud, application deployment, and control.
  • API endpoint: Workspace One allows integration of third-party applications and enterprise applications with its core product. Device services also use API endpoints.
  • Cloud connector: The cloud connector accesses and syncs with the enterprise's active resources over outbound connections from the DMZ, and runs on internal networks only.
  • Cloud messaging service: The backend systems are secured, and cloud messaging apps establish communication to the UEM console with cloud connector services. Users are further prevented from accessing the public internet and user accounts.
  • VMware tunnel: The virtual VMware tunnel secures and encrypts communication and data transfer between user applications and the internal corporate network. A proxy component is responsible for access to corporate resources, and a per-app VPN is responsible for application-level tunneling.


Workspace One Access architecture

Workspace One Access, or Identity Manager, is primarily concerned with application deployment and management. It provides single sign-on to a catalog of all applications, including SaaS-based, app store, and enterprise applications across different operating systems, with multi-factor authentication and access control for user devices. The main components are:

Access Tenant: Runs the access service and cloud-enabled technology.

Access Connector: Accesses active corporate directories and internal networks.


Workspace One Intelligence Architecture

Workspace One Intelligence architecture overcomes the challenges of traditional MDM systems, in which all devices have to be manually configured and controlled. It uses machine learning and artificial intelligence to collect data, process it, and generate output reports and actions accordingly.

Workspace One Intelligence Architecture Features

  • Endpoints Intelligence: Endpoint devices are continuously monitored for any suspicious activity. In case of any threat, data can be wiped out, or the device can be locked.
  • Common Vulnerabilities and Exposures: The cloud-based technology is continuously updated with information on the latest threats and malware. This saves the time of updating every device, and results are seen in real time.
  • Identity analytics: Workspace One uses Identity Management to determine access, multi-step authentication, and one-touch sign-in. Device GPS and user activity are monitored as well.
  • App analytics: Applications are continuously monitored. Third-party applications are prevented from running malware and accessing internal corporate networks and data.


Workspace One Intelligence architecture components

  • Intelligence collector: A pool of data is collected from endpoint devices, running applications, and the overall behavior of the user device, and is then communicated to the cloud service.
  • Cloud service: The data received from the collector service is assembled into data points in a format of choice. Reports are also scheduled and generated.
  • Consoles: The Workspace One UEM and Intelligence consoles are leveraged.
  • Data sources: The Access, Intelligence, UEM architectures, Trust network, and Common Vulnerability and Exposure points serve as data collection sources.

What is Workspace One Assist Architecture?

Workspace One Assist supports UEM administration by letting administrators remotely access and control user devices while maintaining user privacy and security.

Functions of Workspace One Assist architecture

  • Sharing screens between user and administrator, capturing images and videos, and handing over control for guidance and troubleshooting.
  • Accessing the device's file directory and adding, modifying, or deleting files.
  • Running commands remotely on the user device.

Components of Workspace One assist architecture

  • Assist Core service: Handles database communications and discovery capabilities for other assist architecture functions.
  • Assist portal services: Provides an administration console to control and register user endpoint devices.
  • Assist application services: Manages applications and device functions remotely.
  • Assist connection proctor: Manages endpoint connections to the server and handles multiple remote assistance requests as well.

What is Unified Access Gateway architecture?

Unified Access Gateway architecture is concerned with establishing a secure connection between external networks and internal corporate networks, providing users access to corporate server data and functions.

Features of Unified Access Gateway architecture

  • Pre-tunneling every application on a user device before granting access to the corporate network.
  • Communication methods like email and company social platforms are secured and accessed by only authorized applications and devices. The security policy can be modified and deployed as the admin sees fit.
  • Sharing points and internal files run through a portal of Content Gateway Services.
  • Running a reverse proxy for the web and applications on endpoint devices.
  • Authentication to enterprise applications through Kerberos or header-based authentication.
  • Secure virtual desktops and systems.


  • Barry Allen

    A Full Stack Developer with 10+ years of experience in different domains, including SAP, Blockchain, AI and Web Development.

