SAAM1150BU Enabling Simple, Secure Access to Your Horizon and Citrix Virtual Desktops and Apps with Workspace ONE VMworld 2017 Content: Not for publication Greg Armanini & Matt Coppinger #VMWORLD #ADV1591BU
Disclaimer: This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Agenda
1. Why Workspace ONE?
2. Workspace ONE Overview
3. Horizon and Citrix in Workspace ONE
4. Workspace ONE Mode Demo
Modern Workforce Consumerization is driving DIGITAL TRANSFORMATION
- Apps Anywhere
- Mobile Workflows
- Emerging Delivery Models
2016 VMware Inc. All rights reserved. Confidential Not for Distribution
Workspace Adapts With The Speed Of Life
- WORK
- PUBLIC
- PERSONAL
Consumerization Drives Vertical Integration
- iOS / MAC: iTunes, Apple ID, App Store, iWork, iCloud
- ANDROID / CHROME: Gmail Account, Google Play, G Suite, Google Drive
- WINDOWS: Microsoft ID, AD/Azure AD, Office 365, Windows Store, Update Service
And Creates Silos within IT
- Teams: Mobile Team, Desktop Team, LOB
- iOS / MAC: iTunes, Apple ID, App Store, iWork, iCloud
- ANDROID / CHROME: Gmail Account, Google Play, G Suite, Google Drive
- WINDOWS: Microsoft ID, AD/Azure AD, Office 365, Windows Store, Update Service
- SaaS APPS: Salesforce 1, Concur, Workday, Slack, Dropbox, Docusign
A Platform Approach Breaks Silos and Delivers a Digital Workspace
- Teams: Mobile Team, Desktop Team, LOB, End-User Services Team
- iOS / MAC: iTunes, Apple ID, App Store, iWork, iCloud
- ANDROID / CHROME: Gmail Account, Google Play, G Suite, Google Drive
- WINDOWS: Microsoft ID, AD/Azure AD, Office 365, Windows Store, Update Service, SCCM
- SaaS APPS: Salesforce 1, Concur, Workday, Slack, Dropbox, Docusign
- Connected Things (Rugged / IoT)
- Identity and Access Management: Unified Catalog, Single-Sign On, Authentication, Access Policy
- Digital Workspace Platform
VMware Workspace ONE Empowers the Digital Workspace your business needs
- You can't transform business without a great user experience
- You don't need to compromise security to get there
One Platform For All Use Cases
- Identity and Access Management: Unified Catalog, Single-Sign On, Authentication, Access Policy
- AirWatch Unified Endpoint Management (UEM)
- Management
- End-User Services Team
- iOS / MAC, ANDROID / CHROME, WINDOWS, SaaS APPS
- Virtualize Context
- Connected Things (Rugged / IoT)
- Open Ecosystem: App Config Community, Authentication and Identity Providers, Mobile Security Alliance
Typical Virtual Workspace Journey
- Components: Citrix XA, Identity Manager, Horizon 7 Desktops, External Identity, Web Apps, Horizon 7 Apps, Horizon Cloud, AirWatch, Native Apps, Patch Management
- Stages: Gen1 virtual workspace (single pane of glass), Gen2 (unified catalog), Digital workspace (physical)
Typical Virtual Workspace Journey (with product editions)
- Components: Citrix XA, Identity Manager, Horizon 7 Desktops, External Identity, Web Apps, Horizon 7 Apps, Horizon Cloud, AirWatch, Native Apps, Patch Management
- Stages: Gen1 virtual workspace (single pane of glass), Gen2 (unified catalog), Digital workspace (physical)
- Product labels: Horizon 7 Adv & Ent, Horizon Cloud; Horizon; Workspace ONE Enterprise
Workspace ONE Benefits
- Only way to federate authentication for Horizon 7, Horizon Cloud, Citrix, Native and Web apps
- Path to reduce the Windows password dependency for improved security and usability
- Unified self-service and enterprise catalog
- Consistent, consumerized user experience
Digital Workspace
- Services: Access Services, Security Services, EMM FABRIC, Unified End Point Management Services, Business Intelligence
- Users and devices: Remote Employees, BYO Users, LOB Devices, Contracted Employees, Kiosk Devices, Wearables, IoT Devices
Web Virtual Native
Kiosk / Launcher Today BOOKMARKS App Catalog Enterprise Portal
App Access Through Workspace ONE
Unified Workspace with entitled apps (Workspace ONE):
- Native mobile apps
- Web apps
- On-prem apps
- In-house mobile apps
- Public mobile apps
- OR Virtual apps
Integrating Existing Identity Solutions
- It is not uncommon to see an existing Identity Management solution for web apps
- Identity Management solutions support 3rd party Identity Provider (IdP) federation
- Customers are not forced to throw out existing investment for a second identity provider
Diagram (app type and its identity provider):
- Legacy Web App(s): 3rd party IdP
- New Web Apps: VMware IDM
- Native Mobile Apps: VMware IDM
- Remote Apps (Horizon / Citrix): VMware IDM
Diagram labels: User Identity Policies Security Policy Access Control Plane Device Posture Provisioning Configuration CASB / Apps Ent. Systems Network Endpoints
Desktop Integrations In Workspace ONE
- Horizon 7: On-prem enterprise apps and desktops
- Horizon Cloud Hosted: Enterprise class apps and desktops in the cloud
- Horizon Cloud On-Premises: Enterprise class apps and desktops, simplified deployment
- Workspace ONE App Express: Fast provisioned, web based Windows apps for non-domain users (NEW!)
- ThinApp: Packaged apps can be used offline
- Citrix XenApp / XenDesktop: Bring legacy apps forward into digital workspace
Workspace ONE VMware Identity Manager SaaS Offering
Diagram labels: Citrix XenApp, On-premises ThinApp and Web Apps, Web Applications, Native Mobile
VMware Identity Manager On-Premises Offering
Diagram labels: Citrix XenApp, On-premises ThinApp and Web Apps, Horizon Cloud, Web Applications, Native Mobile
Citrix Integration
Identity Manager and Citrix Integration Overview
- Leverages existing Citrix investment
- Citrix XenApp and XenDesktop entitlements sync to Workspace ONE
- Launch via Citrix Receiver with ICA file
- External access proxies through Netscaler
Supports:
- XenApp 5.0, 6.0, 6.5, 7.x
- XenDesktop 7.x
- IDM Hosted
- IDM on-premises 2.4+
- Storefront SDK or Web Interface
- Receiver
Desktop
Workspace ONE Citrix Entitlement And Directory Sync
Diagram (steps numbered 1 to 3). Components: Workspace ONE, Citrix Receiver, vidm DB, VIDM Service, WebSocket, Connector, Integration Broker, PowerShell, Store Front, XML Server, Controller, Citrix Configuration, Citrix Components, Session Hosts
Workspace ONE Citrix Resource Launch (ICA)
Diagram (steps numbered 1 to 7). Components: Workspace ONE, Citrix Receiver, VIDM Service, Connector, Integration Broker, Store Front, XML Server, Controller, Citrix Configuration, Citrix Components, Session Hosts
Flow labels: Launch Citrix Resource; Launch request to Connector / IB; Authenticate and request ICA File; ICA File
Workspace ONE Citrix External Resource Launch (ICA)
Diagram (steps numbered 1 to 8). Components: Workspace ONE, Citrix Receiver, VIDM Service, Netscaler, Connector, Integration Broker, Store Front, XML Server, STA Server, Controller, Citrix Configuration, Citrix Components, Session Hosts
Flow labels: Launch Citrix Resource; Launch request to Connector / IB; Authenticate via STA and request ICA File; ICA File
IDM Connector and Integration Broker - Basic
Diagram: IDM Service, Connector, Integration Broker
- Connector: Configure IB for both sync and launch
- Integration Broker: Dedicated server for IB (& Connector); Citrix sync and launch
IDM Connector and Integration Broker - Advanced
- HA Connector pair, outbound doesn't require LB
- Separate sync and launch tasks in configuration
- Scale out sync brokers linearly behind load balancer
- Dedicated Windows servers per IB
Diagram: Identity Manager Service; Connector 1 and Connector 2 (10.142.29.10, 10.142.29.11); LB; two Sync Integration Brokers; two Launch Integration Brokers; LB; Citrix
Simplifying Integrations With Resource Profiles (New!)
EXISTING (diagram: Identity Manager Service; Connector 1 and Connector 2, each with its own Config UI)
- Service redirects to Connectors
- Citrix, Horizon integrations configured per Connector
- Settings are manually copied between
- Hard management & troubleshooting
NEW (diagram: Identity Manager Service with Config UI (All); Connector 1, Connector 2)
- Service hosts configuration UI
- Configuration UI is centralized
- Connectors become workers
- More fine grained control of resource sync is possible
Desktop Resource Profiles
Horizon
Simple Access to Apps & Desktops
- Access to Horizon 7 and Horizon Cloud desktops from Workspace ONE / Identity Manager
- Full support for Horizon 7.x
- Virtual Desktops
- Published Applications
- Horizon Cloud Pod Architecture
- Single Sign On & True SSO
- Support for Horizon Air / Cloud
- Horizon Cloud Hosted with Workspace ONE
- Support multiple tenants in Workspace ONE / Identity Manager
- SSO to virtual desktops and published apps
- Horizon Cloud On-premises with Identity Manager
Horizon Deployment Options
Horizon Cloud with Hosted Infrastructure
- OPEX model of utility based pricing
- Scalability on demand
- Minimal internal expertise required
- Remote locations where building data center capacity is impossible
Horizon Cloud with On-premises Infrastructure
- Hybrid OPEX/CAPEX model
- Management infrastructure in the cloud
- On-premises virtual desktops & apps on hyper-converged infrastructure
- Minimal internal expertise required and easily scalable
On Premises (Horizon 7)
- CAPEX Model
- Greater flexibility in desktop options
- Scalable to customer requirements
- Feature rich management
Diagram labels: ACTIVE DIRECTORY, MOBILE USERS, USER APP DATA, CLOUD PROVIDER, SECURE VPN, CUSTOMER IT ENVIRONMENT, REMOTE USERS, CORP USER DEVICES, VIRTUAL DESKTOPS & APPS ON HYPER-CONVERGED INFRASTRUCTURE, CLOUD PROVIDER CONTROL PLANE, ACCESS POINTS, LOAD BALANCERS, CONNECTION BROKERS, MANAGEMENT SERVERS, SAN STORAGE, COMPUTE SERVERS RUNNING VIRTUAL DESKTOPS
Horizon 7 Integration
Hosted Desktops
Diagram components: Horizon 7.x Desktops, Horizon Agent, Connection Server (Enable Authentication), VMware Identity Manager, Horizon Clients
Flow labels: Request / Session Start; Get Resources, Entitlements
Hosted Applications
Diagram components: RDS Farm, Horizon Agent, Connection Server, VMware Identity Manager, Horizon Clients
Flow labels: Request / Session Start; Get Resources, Entitlements
Horizon True SSO
- No need to enter AD credentials or SmartCard
- Users authenticate to VMware Identity Manager using a variety of credential options
- Once authenticated, users select Horizon desktop or hosted (published) application
- Uses SAML to connect the Identity Provider's (IdP) authentication with user's UPN for access to AD credentials
- True SSO generates unique, short-lived certificate to manage Windows logon process
Integrating Horizon Cloud
Setting up access to Horizon Cloud with Workspace ONE
Horizon Cloud Hosted Desktops & Apps Integration
- Requires On-Premises IDM Connector
- Requires IDM Connector be joined to Active Directory Domain
- Horizon Cloud On-Premises
- Support of Desktops and Apps with latest Horizon Client (v4)
- Integrated using sync between Identity Manager & Horizon Cloud
- Enable Horizon Cloud Desktops and Applications in IDM administration console
- Create Horizon Cloud Federation Artifact in IDM
- Configure SAML Authentication in Horizon Cloud
- From IDM initiate Sync with Horizon Cloud
- Desktops and Hosted applications are part of the same sync
Horizon 7 Integrated With Workspace ONE
Workspace ONE access policies enforced through the Horizon Client
1. Horizon Client, Horizon app or file association redirects through WS ONE browser
2. WS ONE can host app UI and enforce per app access policy
3. User passes through to Horizon resource when authenticated
Workspace ONE Configuration in Horizon 7.2
1. Require external authentication (IDM)
2. Enables redirection to WS1 hostname
3. Force access policy compliance
Access Policy Control in Identity Manager
Accelerate your Knowledge of Workspace ONE
Date | Title | Session # | Speaker
Tuesday, 11:00am | Transformation of the Digital Workspace | SAAM3157SU | Tony Kueh
Tuesday, 12:30pm | Introduction to Access Management in Workspace ONE | SAAM2288BU | Josue Fontanez, Prab Kalra
Tuesday, 3:30pm | Enable Simple, Secure Access to your Horizon and Citrix Virtual Desktops and Apps with Workspace ONE | SAAM1150BU | Greg Armanini, Matt Coppinger
Tuesday, 5:00pm | Securing Access and Protecting Information in Office 365 with Workspace ONE | SAAM2291BU | Camilo Lotero, Adarsh Kedari
Wednesday, 9:30am | Delivering Virtual Desktops and Apps via the Digital Workspace with Workspace ONE and VMware Horizon | ADV1591BU | Matt Coppinger, Peter Bjork
Wednesday, 2:00pm | Deployment Deep Dive: Best Practices and Troubleshooting of Workspace ONE | SAAM2197BU | Kevin Sheehan, Adarsh Kedari
Wednesday, 3:30pm | Secure and Seamless Access to all of your Applications with Conditional Access and Mobile SSO in Workspace ONE | SAAM2204BU | Vikas Jain, Prab Kalra
Thursday, 10:30am | VMware on VMware: Winning a Single Sign-On Solution with VMware Workspace ONE | SAAM1321BU | Robert Coggins, Josue Fontanez
Thursday, 1:30pm | Simplify Management and Security of your Mobile Apps with Workspace ONE | SAAM2294BU | Vikas Jain, Vinay Jain
Also join us for Quick Talks, Expert Discussions, and Hands-on-Labs!!!
Questions!