JMP

Security Update: 8 Advances in End-User Computing from VMware

Employees across enterprise organizations in today’s mobile-cloud world expect simple user experiences to help them be productive. IT often runs into challenges supporting these expectations while keeping their environments secure.

Our team has focused on empowering organizations with an enterprise-secure approach and consumer-simple experience through a digital workspace. Employees can securely access any app, on any device in their own digital workspace provided by VMware Workspace ONE, powered by VMware AirWatch unified endpoint management technology.

Over the course of 2017, we’ve introduced many security capabilities across the Workspace ONE platform, which includes advancements in VMware Horizon 7 and VMware Horizon Cloud. Let’s take a closer look at those security capabilities, as well as existing security integrations and security features that elevate Workspace ONE to the digital workspace platform that organizations can trust.

1. Derived Credentials

Earlier this year, we announced our derived credentials solution as part of Workspace ONE. This was huge news for organizations mandated by certain directives, such as FIPS 201, that require use of smart cards, Personal Identity Verification (PIV) cards or Common Access Cards (CAC) for access to physical, logical and network resources.

Smart cards, PIV and CAC worked great on desktops and laptops, but the experience on mobile devices was poor and costly because special hardware was needed to read the cards. To help with this issue, the National Institute of Standards and Technology (NIST) updated FIPS 201 in 2013 and the following year released SP 800-157, with guidelines on how to generate and use alternative tokens, which it refers to as derived PIV credentials, also commonly called derived credentials or PIV-D. This enabled a better experience, implementation and deployment on mobile devices accessing physical, logical and network resources.

We released our derived credentials app, called VMware PIV-D Manager, that enables the use of derived credentials with native apps and profiles, VMware apps and third-party AirWatch SDK-enabled apps. PIV-D Manager even integrates with other derived credentials solution providers such as Entrust and Intercede.

2. Boxer S/MIME

VMware Boxer, one of our Workspace ONE productivity apps, is an integrated mobile email, calendar and contacts app that helps increase productivity by giving end users a great user experience. Security was a big focus on our Boxer app this year.

We started by enabling S/MIME support for sending and receiving signed and/or encrypted mail. S/MIME is a standard for public key encryption and signing of MIME (Multipurpose Internet Mail Extensions) data that allows for secure email exchange. Organizations have the option of signing an email for authenticity and/or encrypting email messages for an added layer of security.

3. Boxer Classification Markings

In various regulated industries, such as the public sector, healthcare and financial services, sensitive emails often need to be specifically marked or classified when they are sent and received. For email, the classification is typically appended to the subject line, or to the top or bottom of the message body. For example, an email message might be marked “unclassified” or “secret” depending on its content.

Earlier this year, we announced support for classification markings in the Boxer app, which integrates with the built-in Microsoft Exchange transport rules. This capability also integrates with TITUS, Boldon James and janusNET.

4. Boxer Information Rights Management

In addition to S/MIME and classification marking support, we added full support for information rights management (IRM). IRM is a form of data loss prevention (DLP), which can specify access permissions to email messages, including the ability to restrict copy-paste, restrict email forwarding, enforce email message content expiration and more. As you can tell, we put a lot of emphasis on email security through our Boxer app!

5. AirWatch & NSX Integration

AirWatch and NSX integration was introduced over a year ago, and the amount of customer interest in it hasn’t slowed down since. When apps on mobile devices have access to communicate to any resource in the data center, this represents a challenge for IT as the attack surface within the data center can be large.

The AirWatch and NSX integration aims to solve this problem by limiting each mobile app to only communicate to the server that it needs to talk to, using the tunneling capability in AirWatch and the micro-segmentation capability in NSX. Combining these two technologies vastly reduces the access footprint from the mobile device and the attack surface in the data center.

Organizations, like Vallejo Sanitation and Flood Control District, can raise their security posture from the mobile device to the data center using the AirWatch and NSX integration. This type of integration can also help organizations along their journey towards General Data Protection Regulation (GDPR) compliance, as data in transit is protected with AES 256-bit encryption.

VMworld 2017 Panel Discussion:

“Data Privacy, the GDPR & the Globalization of Compliance”

Add GRC3109PU via VMworld U.S. schedule builder.

Add GRC3109PE via VMworld Europe schedule builder.

6. Horizon & NSX Integration

We know that apps on mobile devices and data center resources can be tunneled and micro-segmented for an extra layer of security. We can take that same concept and apply it towards desktop virtualization.

Integrating Horizon and NSX, customers can effectively secure east-west traffic within the data center, preventing malware from spreading across the data center if a virtual desktop is compromised, because each desktop is effectively isolated from other desktops. IT can quickly and easily administer networking and security policy that dynamically follows end users’ virtual desktops and apps across infrastructure, devices and locations. This extra level of security takes desktop virtualization to a whole new level!

VMworld 2017 Breakout Session:

“Securing Your Horizon Virtualized Apps & Desktop Investments with NSX”

Add SIE2034BU via VMworld U.S. schedule builder.

Add SIE2034BE via VMworld Europe schedule builder.

7. Just-in-Time Management Platform (JMP)

We introduced JMP earlier this year, our next-generation desktop and application delivery platform, which enables just-in-time desktops and apps. Imagine a virtual desktop that is created when a user logs in and destroyed when that user logs out. IT can set up a pool of virtual desktops that fits this model, including pools that can access the internet and pools that cannot, effectively creating separation between pools for higher security. Virtual desktops in each pool only get created when a user logs into that specific pool.

With the JMP platform extending across Horizon 7 and Horizon Cloud, IT has the ability to inject apps and user environment settings into the desktop the moment a user logs in. Having pristine desktops created at every login and destroyed at every logoff eliminates malware that the user may have accidentally installed during the session.

8. Smart Policies

Smart Policies are available in Horizon 7 and Horizon Cloud for IT to provide end users with a truly contextual user experience. For example, policies dynamically change depending on the device used or the location services are being accessed from.

True single sign-on (SSO) enables end-to-end authentication from Workspace ONE to Horizon virtual desktops and apps, for a secure and simple user experience. Users aren’t prompted for multiple logins once they’ve authenticated into the Workspace ONE portal. Client policies such as enabling or disabling clipboard redirection, USB, printing and more can be set by IT using Smart Policies. Horizon is certified to meet FIPS 140-2 and Common Criteria requirements as a result of the secure policies powered by Smart Policies.

For organizations looking for even more advanced security capabilities across Workspace ONE, look no further than Workspace ONE integrations with our ecosystem of mobile security leaders in the VMware Mobile Security Alliance. Workspace ONE integrates with technologies from our Mobile Threat Defense partners, Cloud Access Security Brokers partners and more to further enable comprehensive cybersecurity across mobile devices, apps, networks and cloud services.

Learn more about our end-user computing (EUC) security initiatives at VMworld U.S. and VMworld Europe. If you’re not attending VMworld, you still have time to register!

To learn more about the security capabilities in Workspace ONE, visit vmware.com/workspaceone.

The post Security Update: 8 Advances in End-User Computing from VMware appeared first on VMware End-User Computing Blog.


JMP Is Here! See It Live at VMworld

Earlier this year, we introduced our Just-in-Time Management Platform (JMP, which we pronounce “jump”) to blow apart the desktop status quo. It’s evolved into something truly special that will change the way you provision desktops.

Tuesday, 5 p.m., at VMworld U.S. is your first chance to see this game-changing technology. There’ll be beer, cake references and the unstoppable Harry Labana (@harrylabana), vice president of management services and strategy for VMware End-User Computing (EUC).

VMworld 2017 Breakout Session:

“Modernize Management with JMP Technologies in VMware Horizon & Take a Look at Where We Are Headed”

Add ADV1608BU via VMworld U.S. schedule builder.

Too Complex. Too Slow. Too Many Breakpoints.

Most of you use a static desktop provisioning model that makes it difficult for you to:

  • Deliver workspaces quickly and efficiently to all users and endpoints.
  • Be agile to end-user requests.
  • Keep up with OS updates and patches (especially with Windows 10).
  • Manage application and OS dependencies.
  • Respond when something goes wrong.

Just-in-Time Delivery

JMP is our answer to those problems. If I were in marketing, I’d sell it to you as “Simple. Fast. Bulletproof.” But I’m not; I’m a product guy. So, instead I’ll tell you that I recognize that you’re currently working too hard, fighting with yesterday’s provisioning tools and struggling with infrastructure that’s beyond its sell-by date. And I want to help.

In a JMP-managed world, you define the desktop workspace that your users want, but leave the building of it to our automation engine. JMP offers a single integrated console that leverages VMware Instant Clone Technology, VMware App Volumes and VMware User Environment Manager to deliver tailored workspaces built from a common gold image.

User-Centric Automation

You identify your users (individuals and groups), tag their desired attributes (policies, apps, infrastructure, etc.) and press go. The JMP engine then automates the creation of bespoke desktops that exactly meet your users’ needs. On the device they want.

It’s as simple as it gets.

It gives you more time, flexibility and, oddly, control.

Too Complex. Too Slow. Too Many Breakpoints. Solved.

Going back to how we started this blog, JMP’s dynamic engine makes it easy for you to:

  • Deliver workspaces quickly and efficiently to all users and endpoints.
  • Be agile to end-user requests.
  • Keep up with OS updates and patches.
  • Manage application and OS dependencies.
  • Respond when something goes wrong.

Moving from a static to an automated management model gives you numerous benefits. Not least amongst them is the fact that you only consume resources when your users call upon them. No more pre-provisioning. No more downtime for patching. Just-in-time delivery across your entire desktop estate.

Cloud Ready

With JMP automating the actual desktop building, simply changing the target environment for your users can move someone from an on-premises environment to a hybrid or cloud-based one. You now have a solution that leverages the infrastructure you’ve built to deliver the desktops your CTO told you to prepare for.

See for Yourself

We like to say that we’re making managing virtual desktop infrastructure (VDI) a piece of cake. Everyone likes cake, right? Join Harry and me at VMworld, and get a sneak peek at the future of JMP; we’ll give you beer and maybe even cake. Possibly even a copy of Fusion 10. You should be there.


Delivering a Seamless Digital Workspace Experience with Horizon Cloud

VMware Workspace ONE integrates with VMware Horizon Cloud to provide a simple and secure enterprise platform that allows end users to access their applications, data and services from any device, anywhere. Both platforms were built to integrate with each other, which provides a single user interface (UI) through the Workspace ONE enterprise catalog, to deliver applications to end users.

Explore Workspace ONE further in a Hands-on Lab.

About Workspace ONE

Workspace ONE combines identity, real-time application delivery and mobility management to provide a digital workspace to your end users. This digital workspace delivers Software-as-a-Service (SaaS) applications, public native mobile applications—and when integrated with Horizon Cloud, virtual applications and desktops—all from a single, unified application store.

About Horizon Cloud

Horizon Cloud enables the delivery of cloud-hosted or on-premises virtual desktops and applications. With Horizon Cloud, you can leverage a cloud-based management plane, and even cloud-based infrastructure, instead of deploying the entire infrastructure traditionally needed to support VDI desktops and RDS applications. Your IT organization can focus on delivering applications and desktops, instead of spending time maintaining the infrastructure.

Benefits of Integration

The integration of Workspace ONE and Horizon Cloud provides a number of benefits:

Single Sign-On

One of the primary advantages that Workspace ONE and Horizon Cloud provide is secure single sign-on (SSO) to both desktops and applications. This provides simplicity and ease of access while maintaining security. Users can use either the Workspace ONE web-based portal from any HTML5 web browser or the Workspace ONE mobile application. And when used with an iOS-based device, users can use Touch ID for SSO.

Two-Factor Authentication

Workspace ONE provides multiple multi-factor authentication methods, such as RSA, RADIUS, certificate, Kerberos and VMware Verify, to protect your environment beyond a basic user ID and password. Workspace ONE also provides two-factor authentication (2FA) for Horizon Cloud to secure your digital workspace.

In addition, you can use step-up authentication, which requires additional multi-factor authentication, beyond the initial authentication into Workspace ONE, when a user accesses a desktop or application. This increases security by requiring two-factor authentication to access a specific desktop or application, even if you don’t require it to access Workspace ONE itself.

Three Integration Options

Both Horizon Cloud and Workspace ONE have a cloud hosted option and an on-premises option. You can integrate the Horizon Cloud options with the Workspace ONE options in the following configurations:

Figure 2: Possible Integration Configuration Options

Although the two types of deployment have unique architecture requirements, both require an on-premises component. The on-premises component can be a virtual appliance or a Windows server, based on the type of deployment. For more information on the different deployments and their architecture, see VMware Workspace ONE Documentation.

Integration 1: Horizon Cloud with Hosted Infrastructure and Workspace ONE Cloud

Horizon Cloud with Hosted Infrastructure supports only Workspace ONE Cloud.

Figure 3: Integration 1: Horizon Cloud with Hosted Infrastructure and Workspace ONE Cloud

Figure 4 illustrates the integration option for Horizon Cloud with Hosted Infrastructure and Workspace ONE Cloud. The VMware Identity Manager Connector (a) is deployed on-premises in your data center. It integrates with your Active Directory and synchronizes the resources between Horizon Cloud and Workspace ONE, along with desktop and application entitlements. This synchronization between the VMware Identity Manager Connector and Horizon Cloud occurs over the VPN or Direct Connect (b), which connects your data center to your Horizon Cloud tenant (c). The VMware Identity Manager Connector then synchronizes the resources and entitlements to the VMware Identity Manager (IDM) Cloud service (d).

Figure 4: Integration 1: Horizon Cloud with Hosted Infrastructure and Workspace ONE Cloud

Integration 2: Horizon Cloud On Premises and Workspace ONE On Premises

Horizon Cloud with On-Premises Infrastructure supports both the on-premises and cloud versions of Workspace ONE.

Figure 5: Integration 2: Horizon Cloud On-Premises and on-premises version of Workspace ONE

You can use Horizon Cloud with On-Premises Infrastructure to run desktops and applications in your data center using hyper-converged infrastructure (HCI) appliances, but with a cloud-based control plane.

Figure 6 illustrates the integration option for Horizon Cloud with On-Premises Infrastructure and the on-premises version of Workspace ONE. VMware Identity Manager (a) is deployed as a virtual appliance in your data center. It provides integration with your Active Directory (b) and also performs the synchronization of the resources between Horizon Cloud and Workspace ONE (c), along with desktop entitlements.

Figure 6: Integration 2: Horizon Cloud On-Premises and on-premises version of Workspace ONE

Integration 3: Horizon Cloud On Premises and Workspace ONE Cloud

Horizon Cloud with On-Premises Infrastructure supports both the on-premises version of Workspace ONE and Workspace ONE Cloud.

Figure 7: Integration 3: Horizon Cloud On Premises and Workspace ONE Cloud

For Workspace ONE Cloud, the VMware Identity Manager Connector (a) is deployed on-premises in your data center (b). It provides integration with your Active Directory and also performs the synchronization (c) of the resources between Horizon Cloud and Workspace ONE, along with desktop entitlements. The VMware Identity Manager Connector then synchronizes the resources and entitlements to the IDM Cloud service (d).

Figure 8: Integration 3: Horizon Cloud On Premises and Workspace ONE Cloud

Tips on How to Integrate

To integrate Horizon Cloud with Workspace ONE, you deploy VMware Identity Manager or VMware Identity Manager Connector on-premises with one of the Horizon Cloud Service options described earlier. Before starting the integration, ensure that VMware Identity Manager or VMware Identity Manager Connector is configured and integrated with your enterprise directory.

For more information, see the VMware Horizon Cloud Service Documentation or VMware Workspace ONE Documentation.

Enable Horizon Cloud Desktops and Applications in VMware Identity Manager

With a Horizon Cloud and Workspace ONE integration, you can use the VMware Identity Manager Administration Console, a component of Workspace ONE, to enable desktops and applications.

  1. Log in to the VMware Identity Manager Administration Console.
  2. In the Catalog tab, select Manage Desktops and Applications > Horizon Cloud.
  3. Select Enable Horizon Cloud Deployments and Applications.
  4. Enter the following information for your environment:
  5. Click Save.
  6. Click Sync now to sync Desktop and App entitlements from the Horizon Cloud environment.

Configure SAML Authentication

You should configure SAML authentication between Horizon Cloud and VMware Identity Manager, the identity provider, to establish trust between the two. To establish that trust, you first create a Federation Artifact for Horizon Cloud, then set up custom user ID mapping, and finally configure SAML authentication.

Create Federation Artifact for Horizon Cloud

To enable trust between Horizon Cloud and VMware Identity Manager, you create the Federation Artifact in the VMware Identity Manager Administration Console and add a SAML authentication in the Horizon Cloud Administration Console.

  1. In the VMware Identity Manager Administration Console, click the arrow on the Catalog tab and select Settings.
  2. In the left pane, select Horizon Cloud.
  3. Enter the following information for your Horizon Cloud environment:
  4. Click the Accept Certificate link next to the Tenant Appliance URLs.
  5. Click Save.

After creating a federation artifact, set the custom User ID mapping.

Custom User ID Mapping

You can use custom User ID Mapping to customize the user ID that is sent in the SAML response when users launch Horizon Cloud desktops and applications. This lets you resolve SSO launch failures caused by a mismatch of the user ID attribute between VMware Identity Manager and Horizon Cloud.

  1. In the VMware Identity Manager Administration Console, click the arrow on the Catalog tab and select Settings.
  2. Click Horizon Cloud on the left.
  3. In the Horizon Cloud page, specify the name ID format to use.
  4. Click Save.
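The user ID mismatch described above is easiest to diagnose by looking at the actual NameID the identity provider puts in the assertion and comparing it with the format the service provider is configured to expect. The following script is an added example, not VMware code: it parses a constructed, signature-free IdP metadata document and a constructed SAML response with the Python standard library only, and reports the kinds of mismatch (format not advertised, format differs, value does not match the user record) that produce a launch failure after a successful portal login. The hostnames, user name and expected values are sample data.

```python
"""Compare the NameID in a SAML assertion with what the service provider expects.

Added example (not VMware code). Uses only the standard library and constructed
sample XML; real responses are signed and must be signature-checked before the
NameID is trusted, which this diagnostic deliberately leaves out.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# SAML 2.0 default when the Format attribute is absent from <NameID>.
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: the NameID formats an IdP advertises in its idp.xml.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idm.example.test/SAAS/API/1.0/GET/metadata/idp.xml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample: a stripped-down SAML response (Signature element omitted).
SAML_RESPONSE = """<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.test</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""


def idp_nameid_formats(metadata_xml):
    """Return the NameID formats the IdP advertises in its metadata, in order."""
    root = ET.fromstring(metadata_xml)
    nodes = root.findall(".//md:IDPSSODescriptor/md:NameIDFormat", NS)
    return [n.text.strip() for n in nodes if n.text]


def assertion_nameid(response_xml):
    """Return (format, value) of the first assertion's Subject NameID."""
    root = ET.fromstring(response_xml)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not node.text:
        raise ValueError("assertion carries no Subject NameID")
    return node.get("Format", UNSPECIFIED), node.text.strip()


def check_user_id_mapping(metadata_xml, response_xml, expected_format, expected_user):
    """Describe whether the assertion's NameID will map cleanly at the service provider.

    expected_format: the name ID format chosen in the custom User ID Mapping.
    expected_user:   the identifier the service provider holds for this user.
    """
    advertised = idp_nameid_formats(metadata_xml)
    fmt, value = assertion_nameid(response_xml)
    problems = []
    if expected_format not in advertised:
        problems.append("IdP metadata does not advertise expected format %s" % expected_format)
    if fmt != expected_format:
        problems.append("assertion NameID format %s differs from expected %s" % (fmt, expected_format))
    if value != expected_user:
        problems.append("NameID value %r does not match user record %r" % (value, expected_user))
    return {"format": fmt, "value": value, "problems": problems, "ok": not problems}


if __name__ == "__main__":
    for fmt, user in [(EMAIL, "jdoe@example.test"), (EMAIL, "EXAMPLE\\jdoe")]:
        result = check_user_id_mapping(IDP_METADATA, SAML_RESPONSE, fmt, user)
        print("OK" if result["ok"] else "MISMATCH", result["problems"])
```

The second case in the usage block is the classic symptom: the IdP sends an email-style NameID while the service provider expects a down-level domain account name, so the portal login succeeds but the desktop launch fails. Switching the name ID format in the mapping, or the attribute the IdP sources it from, until the check reports no problems is the same decision the console procedure above asks you to make.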

After setting the custom User ID mapping, configure the SAML authentication.

Configure SAML Authentication in Horizon Cloud

To configure SAML authentication in Horizon Cloud:

  1. In the VMware Identity Manager Administration Console, click the arrow on the Catalog tab and select Settings.
  2. In the left pane, click SAML Metadata.
  3. Click the Identity Provider (IdP) metadata link.
  4. Make a note of the URL in the browser’s address bar, such as https://VMwareIdentityManagerFQDN/SAAS/API/1.0/GET/metadata/idp.xml
  5. Log in to the Horizon Cloud Tenant.
  6. Navigate to Settings > General Settings > Edit.
  7. In the VMware Identity Manager section, enter the following required information:
  8. Click Save.

Enforce User Authentication through Workspace ONE Portal

You can set Horizon Cloud to enforce end user authentication through the Workspace ONE portal, requiring SAML-based authentication.

Figure 13: Enforcing User Authentication

  1. In the Administration Console, navigate to Settings > General Settings, and click Edit.
  2. In the User Account Configuration section, make selections according to your organization’s needs.
    • Force Remote Users to vIDM – When set to Yes, users who try to access their desktops from locations outside your corporate network must log in to the Workspace ONE portal and launch desktops and applications from that portal.
    • Force Internal Users to vIDM – When set to Yes, users who try to access their desktops from locations within your corporate network must log in to the Workspace ONE portal and launch desktops and applications from that portal.
  3. Click Save to confirm the configuration to the system.

After you verify that user authentication is enforced, your users can launch desktops and applications securely from Workspace ONE.

Launch a Desktop or Application using Horizon Client or Supported Browser

Your end users can use either the Horizon Client or any supported HTML 5 browser to launch desktops and applications.

  1. In the Workspace ONE portal, click Bookmarks.
  2. Double-click the desktop or application to launch.

To Wrap This Up

Step-by-step documentation on how to integrate Horizon Cloud with VMware Identity Manager can be found in the VMware Horizon Cloud Service Documentation and VMware Workspace ONE Documentation. If you want to try configuring the integration yourself but do not have a Horizon Cloud or Workspace ONE environment yet, you are in luck. At VMworld, we are releasing a Hands-on Lab for Horizon Cloud, which contains an entire module that walks you through the configuration of the integration. Make sure to check out HOL-1856-ADV-1 in the Hands-on Labs at VMworld in Las Vegas!


Best Practices for Published Applications and Desktops in VMware Horizon Apps and VMware Horizon 7

The best practices guide for published applications and desktops in Horizon 7 and Horizon Apps is now available!

This guide is intended for anyone installing or administering published applications or published desktops in Horizon 7 or Horizon Apps. Readers should already be familiar with basic installation and administration procedures, such as those described in Publishing Applications with VMware Horizon 7.

When deploying a Horizon 7 or Horizon Apps RDSH-based published application and desktop solution, administrators will want to consider a number of best practices. Areas of consideration include VMware ESXi host sizing, RDSH image configuration and optimization, Horizon 7 configuration and policies, antivirus solutions, provisioning, and recurring maintenance.

Administrators will also want to consider integrating VMware JMP technologies, which include VMware Instant Clone Technology, VMware App Volumes, and VMware User Environment Manager. With our latest release of VMware Horizon 7, just-in-time delivery of virtual desktops is extended to include published applications delivered from RDSH servers, bringing increased speed, scale, and simplicity.

Be sure to download and read Best Practices for Published Applications and Desktops in VMware Horizon Apps and VMware Horizon 7.

To comment on this paper, contact VMware End-User-Computing Technical Marketing at euc_tech_content_.


Horizon Cloud Service with Hosted Infrastructure – July 2017 Technical Updates

There are several technical updates to the VMware Horizon Cloud Service with Hosted Infrastructure this quarter. The updates for this release focus on expanding capabilities from the initial release in February. VMware will