
AUGUST 2022

CONFIDENTIAL

Workspace ONE Cloud Services


Security Overview
Workspace ONE Cloud Services Security Whitepaper

Table of Contents
Document Scoping .... 5
  Shared Responsibilities .... 5
  Compliance Reports .... 5
  Data Center Locations .... 5
Software Development Lifecycle .... 5
  SDLC Best Practices .... 6
  Security Engineering Processes .... 7
  Open-Source Software .... 8
VMware Information Security Program .... 8
  VMware's Information Security Management System .... 9
Asset Management .... 9
Data Classification and Handling .... 10
Physical Security .... 10
  Data Center Security .... 10
  VMware Offices .... 11
Human Resources and Personnel Security .... 11
  Employee Background Screening .... 11
  Confidentiality Agreements .... 11
  Employee Training .... 11
  Employee Termination .... 12
Business Continuity .... 12
Risk Management .... 12
  Vendor Risk Management .... 13
  Sub-processors .... 13
Change Management .... 13
Configuration Management .... 13
  System Hardening .... 14
  Time Synchronization .... 14
Vulnerability and Patch Management .... 14
  System Monitoring .... 14
  Patch Management .... 14
  Vulnerability Scanning .... 14
  Penetration Testing .... 15
    VMware and Third-Party Testing .... 15
    Customer Penetration Testing .... 16

TECHNICAL WHITEPAPER | 2
CONFIDENTIAL
Workspace ONE Cloud Services Security Whitepaper

  VMware Security Response Center (VSRC) .... 16
    Security Advisories .... 16
    Customer Security Contact .... 16
Cloud Environment Monitoring .... 16
  Intrusion Detection & Prevention .... 16
  Antivirus & Antimalware .... 17
  Log Management .... 17
    Infrastructure Logs .... 17
    Application Event Logs .... 17
Incident Management & Response .... 18
  VMware Security Operations Center (SOC) .... 18
  Incident Reporting .... 18
  Breach Notification .... 18
Identity and Access Management .... 19
  Customer Access to Production Environment .... 19
  VMware Access to Production Environments .... 19
  VMware Access to Customer Networks .... 19
Session Controls .... 19
  VMware Production Environment Sessions .... 19
  Workspace ONE UEM Management Console .... 19
  Workspace ONE Access Management Console .... 20
  Workspace ONE Hub Services .... 20
  Workspace ONE Intelligence Administrative Panel .... 20
Cloud Security Architecture .... 21
  Workspace ONE UEM .... 21
    Disaster Recovery .... 21
    Workspace ONE UEM Cloud Control Plane Architecture .... 22
    Workspace ONE UEM Classic Architecture .... 23
  Workspace ONE Access .... 24
    Disaster Recovery .... 24
    Workspace ONE Access Architecture .... 25
  Workspace ONE Intelligence .... 26
    Disaster Recovery .... 26
    Workspace ONE Intelligence Architecture .... 27
Workspace ONE Data Handling .... 28
  Data Collection .... 28
    Workspace ONE UEM .... 28
    Workspace ONE Access & Hub Services .... 29


    Workspace ONE Intelligence .... 29
  Data Segmentation .... 29
    Workspace ONE UEM .... 29
    Workspace ONE Access and Workspace ONE Intelligence Shared Environments .... 29
  Data Encryption .... 30
    Encryption In-Transit .... 30
    Encryption At-Rest .... 30
    Key Management .... 31
    Certificate Management .... 32
  Backup Retention & Data Destruction .... 33
    Retention .... 33
    Destruction .... 33
Privacy and Compliance .... 33
  Data Sovereignty and Service Sub-Processors .... 33
  Privacy and the EU General Data Protection Regulation (GDPR) .... 33
    Binding Corporate Rules .... 34
    Data Protection Requests .... 34
Audit Reports and Trust Assurance .... 35
  ISO Certifications .... 35
  PCI-DSS Certification .... 35
  SOC 2 Type 2 Audit Reports .... 35
  Cloud Security Alliance (CSA) Cloud Alliance Initiative Questionnaire (CAIQ) .... 35
Standard Hosting Agreements and Service Resources .... 35
  VMware Cloud Services Guide .... 35
  Service Level Agreement .... 35
  Terms of Service .... 35
Release Management and Maintenance .... 35
  Release Schedules .... 35
  Scheduled Maintenance .... 36
  Routine Maintenance .... 36
  Emergency Maintenance .... 36
Customer Support Services .... 36
  Support Packages .... 37
VMware U.S. Export/Re-Export Laws and Regulations .... 37
  Export Restrictions .... 37
Appendix - Microservices .... 38
  Email Notification Service (ENS) .... 38


Document Scoping
This document provides a general overview of the security controls implemented in VMware Workspace
ONE® commercial cloud offerings [1] and includes information on the following services:
• Workspace ONE Unified Endpoint Management (UEM)
• Workspace ONE Access & Hub Services
• Workspace ONE Intelligence
The intent is to give readers an understanding of how Workspace ONE cloud services approach security, of
the key mechanisms and processes that VMware uses to manage information security, and of the shared
responsibilities for providing security in a modern cloud computing environment.
This document assumes at least intermediate knowledge of Workspace ONE cloud services and focuses on
the policies, processes, and controls supporting the cloud-delivered services. Federal Risk and Authorization
Management Program (FedRAMP), on-premises, and third-party offerings are not in scope for this document.

Shared Responsibilities
The end-to-end security of the Workspace ONE cloud-delivered service offerings is shared between VMware
and our customers. VMware provides security for the aspects of the Workspace ONE service offerings over
which we have sole physical, logical, and administrative-level control. Customers are responsible for the
aspects of the service offerings over which they have administrative-level access or control. The primary areas
of responsibility between VMware and customers are outlined in the VMware Cloud Services Guide, available
for download from the VMware ONE Contract Center.
VMware leverages co-located data center facilities and IaaS providers to support the Workspace ONE service
offerings. These providers maintain physical and environmental security controls for the cloud-delivered
service. For more information, see Data Center Locations below.

Compliance Reports
Workspace ONE cloud services have achieved the Service Organization Control (SOC) 2 Type 2 and ISO
27001, ISO 27017, and ISO 27018 certifications. Additionally, Workspace ONE Access and Workspace ONE
Intelligence have achieved PCI-DSS certification. VMware can provide copies of the SOC 2 Type 2 report
under an NDA; please contact your VMware account representative to request these reports.
Refer to the VMware Cloud Trust Center to download the ISO certificate, PCI Attestation of Compliance
(AOC), and to see the latest list of industry certifications. Please note that, although some Workspace ONE
services are PCI-DSS certified, these services do not store, process, or transmit cardholder data.

Data Center Locations
Workspace ONE service offerings are available in the US, Canada, the European Economic Area (EEA), and
Asia-Pacific (APAC) regions. Please refer to the Workspace ONE Sub-processors Lists available on the VMware
ONE Contract Center for a comprehensive list of primary and disaster recovery locations. Data center partner
hosting facilities' physical addresses are confidential, and on-site visits are prohibited. U.S.-based Workspace
ONE UEM deployments are located either in co-located data centers or in AWS / VMware Cloud on AWS
(VMC on AWS), depending on deployment size. [2]

[1] Information on the Workspace ONE Assist add-on cloud service is provided in a separate cloud security
whitepaper.
[2] U.S.-based deployments of over 250,000 devices are located in co-located data centers.

Software Development Lifecycle


VMware's Security Development Lifecycle (SDL) program is designed to identify and mitigate security risk
during the development phase of VMware software products. The development of VMware's SDL has been
heavily influenced by industry best practices and organizations such as SAFECode (the Software Assurance
Forum for Excellence in Code) and BSIMM (Building Security in Maturity Model).
The VMware Security Evangelism team works to actively cultivate relationships in the security community.
VMware has been an active participant in the broader software industry security community and became an
early BSIMM member in 2009; we have completed several BSIMM reviews of our SDL, and the findings are
incorporated into our SDL to drive continuous improvement. VMware is a member of SAFECode, an
organization driving security and integrity in software products and solutions. VMware also works closely with
industry organizations, security analysts, and researchers to stay current on the industry threat landscape and
security best practices. The VMware SDL is continuously assessed for its effectiveness at identifying risk, and
new techniques are added to SDL activities as they are developed and mature.

SDLC Best Practices
We follow a defined Software Development Lifecycle (SDLC) which incorporates security into each phase (i.e.,
requirements, design, implementation, verification) of development. VMware's programs and practices focus
on:
• Building secure software
• Protecting the intellectual property related to software products
• Managing software security supply chain risks
• Managing technology and partner ecosystem risks
• Delivering secure product support
Our SDLC is based on industry-recognized best practices and standards, including PCI-DSS common coding
vulnerabilities, OWASP, OSSTMM, SANS/CWE, and SCRUM methodologies. Code undergoes rigorous review
by our Engineering and Development Security teams. For threat modeling, we consider both attacker-centric
categorizations (STRIDE) and a defense-centric perspective (ASF). Additionally, VMware cloud services undergo
multiple tests prior to release, including static and dynamic code reviews, penetration tests, fuzz and unit
testing, and attack surface reviews.
In alignment with PCI-DSS requirements, VMware encourages continuous employee training through annual
training in up-to-date secure coding techniques, including how to avoid common coding vulnerabilities.
VMware also subsidizes certification attempts (e.g., CISSP, CCSP), relevant conference passes, training classes,
and subscriptions to leading online training platforms for enhancing technical and business acumen.
Additionally, employees can participate in job rotation programs designed to reignite and broaden their
work experience. Please refer to the VMware Product Security Whitepaper for additional information.


Figure 1: VMware Security Development Cycle

Security Engineering Processes
The VMware Security Engineering, Communications & Response (vSECR) team develops Product Security
Requirements (PSR) to establish a security baseline for our products. These requirements are intended to
guide teams through all stages of the SDL, from product inception through development and product testing
to release. They also serve as a tool for senior management to benchmark product security against market
expectations. VMware SDL activities include:
• Security Training – vSECR works with R&D Education to create and maintain training programs about
product security. Managers, developers, and quality engineers can make use of these courses early in the
lifecycle of their product.
• Security Planning – Good security starts with early planning, at the genesis of the SDL process. The SDL
planning template forms the basis of the Security Review activity. VMware builds milestones and security
reviews into the product schedule so that security is continuously evaluated.
• Serviceability and Response Planning – vSECR works with product teams to help build security into their
products' servicing model, which includes planning for:
  • Secure patching
  • Open-source and third-party software licensing
  • End-of-life support
  • Security and management contacts for security response
• Product Security Requirements (PSR) Assessment – This activity examines how a product adheres to
VMware PSR, which includes standards for:
  • Authentication
  • Authorization
  • Encryption
  • Certificates
  • Network security
  • Virtualization
  • Accountability
  • Software packaging and delivery

• Threat Modeling – This activity identifies security flaws and incorrect design assumptions present in the
security architecture of a product.
• Open Source and Third-Party Software Validation (OSS/TP) – This activity validates that known
vulnerabilities in OSS/TP software are fixed before that software is included in a product release.
• Static Code Analysis – This activity uses automated tools to detect defects and security flaws in code.
• Vulnerability Scanning – This activity uses automated tools to detect security vulnerabilities in running
systems.
• Penetration Testing – This activity uses internal and external security teams to try to compromise
systems in isolated environments.
• Security Review – This activity examines the output and completion of all the other activities.

Open-Source Software
VMware uses some third-party and/or open-source code in our solution offerings, and we perform open-
source and third-party (OSS/TP) software validation to safeguard against known vulnerabilities before such
components are included in a VMware product release. Please refer to the publicly available Open-Source
Disclosure page for additional information on OSS/TP components.

VMware Information Security Program
Maintaining hosted services and securing data confidentiality, integrity, and availability requires a wide array of
tools and processes that must all be expertly designed to comply with laws and regulations while balancing
customer satisfaction, business needs, product development, and shareholder expectations. VMware balances
these needs with a set of controls and management processes designed to both mitigate risk and enhance
our product and service offerings. Overarching principles include:
• Risk – Managing risk by understanding the threat landscape, building a solid platform, and involving all
decision makers when calculating risk.
• Controls – Establishing a balance of effectiveness and efficiency by implementing the appropriate controls
for the associated risk.
• Security – Providing preventative and protective capabilities to ensure a secure service.
The VMware Information Security Program leverages guidance from industry best practices and regulatory
standards, including NIST SP 800-53, PCI-DSS, and ISO 27001. We maintain a written Information Security
Program and Policies to protect customer data hosted in our systems, and we perform annual reviews and
audits of our program to help ensure the integrity of our hosted offerings.
VMware has an Information Security Governance Committee (ISGC) that is chaired by members of senior
management and includes representatives from our Information Security, IT Operations, HR, Marketing,
Facilities, and Legal teams. Our CISO is ultimately responsible for our Information Security program.


Figure 2: Comprehensive Security Framework

VMware's Information Security Management System
VMware has implemented various information security policies and procedures that are in line with its overall
corporate objectives, which demonstrate a commitment to a formal Information Security Management System
(ISMS) and fulfil VMware's obligations to its customers regarding information confidentiality, integrity, and
availability. Our ISMS includes, but is not limited to, the following considerations and objectives:
• The threats, vulnerabilities, and likelihood of occurrence identified by risk assessments relative to the
overall business strategy and objectives.
• The legal, statutory, regulatory, and contractual requirements with which VMware and relevant applicable
partners, contractors, and service providers must comply.
• The principles, objectives, and business requirements for handling, processing, storing, and archiving
data, developed by VMware to support its business operations.
VMware personnel are obligated to comply with VMware ISMS data protection requirements in their
respective roles, processes, projects, and programs. Failure to adhere to these policies and procedures may
result in disciplinary action, including possible termination, and civil and/or criminal liability.

Asset Management
VMware maintains an asset management program as part of our ISMS to categorize both physical and logical
assets. The Asset Management policy is reviewed at least annually, and all changes are approved by our
Information Security Governance Committee.
Data Center Operations teams maintain an inventory of all production assets, including, but not limited to,
software license information, software version numbers, component owners, machine names, and network
addresses. Inventory specifications may include device type, model, serial number, and physical location. The
asset inventory is regularly reviewed in accordance with PCI-DSS requirements.


Data Classification and Handling
Data classification is one of the foundational elements of the VMware ISMS. As such, VMware has a
comprehensive data classification policy and data handling and protection standards for all electronic and
paper media. Data controls and protections are implemented according to the data’s classification.
Our data classification policy provides a matrix of controls arranged by the data lifecycle, from creation of the
data to its destruction, and covers all forms of media while in use, in transit, or archived. The policy focuses on
data classification sources, status, risks, and categories associated with the normal data lifecycle. Assets are
classified in terms of their value, legal requirements, sensitivity, and criticality to VMware and to our
customers. Customer-owned information is classified as “Restricted”, which is the most stringent data
classification at VMware. Data classification and handling policies are audited at least annually by independent
third-party auditors.

Physical Security
VMware’s physical security policy governs security for our offices, data centers, support centers, and other
global business locations to safeguard information systems and staff.
Key elements of this policy include controls around: physical security perimeters, physical entry controls,
physical access, securing offices, rooms and facilities, visitors to facilities, records, preventing the misuse of
facilities, protecting against external and environmental threats, working in secure areas, access to restricted
areas, delivery and loading areas, equipment siting and protection, supporting utilities, equipment
maintenance, removal of assets, security of equipment and assets off-premises, secure disposal or reuse of
equipment, unattended user equipment and clear desk and clear screen.
VMware leverages co-located data center facilities in the U.S. and IaaS providers (in the U.S. and globally) to
support the Workspace ONE service offerings. These providers maintain physical and environmental security
controls for the cloud-delivered services.

Data Center Security
Workspace ONE co-location and cloud-hosting partners are at least Tier III, have undergone SOC 2 Type 2
audits, and have achieved at least ISO 27001 and PCI-DSS certifications. Physical addresses for Workspace
ONE hosting locations are confidential and on-site visits are forbidden.
While each facility is unique, our data center providers are required to follow the same minimum requirements
for redundancy and physical access control, including:
• Ingress and egress points are secured with devices that require individuals to provide multi-factor
authentication before granting entry or exit through a minimum combination of badge access, biometrics,
and mantraps.
• Physical access is controlled at building ingress points by 24x7 on-site professional security staff using
surveillance, detection systems, and other electronic means.
• Door alarming devices are configured to detect instances where an individual exits or enters a data layer
without providing multi-factor authentication.
• Physical access points to data centers are recorded by Closed Circuit Television Camera (CCTV).
Recordings are retained according to legal and compliance requirements.
• Environmental control systems are equipped minimally with N+1 power, cooling, and fire suppression
measures to ensure continuous operations.
• Data center partners are required to maintain certifications that are minimally in alignment with ISO 27001
and PCI-DSS standards.


VMware Offices
All VMware offices deploy physical and environmental security measures to safeguard VMware facilities, staff,
and assets. VMware uses a combination of building design, environmental controls, security systems, and
designated security personnel, together with corresponding procedures and physical and environmental
controls, to restrict access to information services and information assets. Controls include, but are not limited
to:
• Implementing entry controls to secure VMware facilities.
• Maintaining and monitoring an audit trail of all access to the site through badge and visitor logs.
• Requiring visitors to sign in with the date and time of entry and departure, and supervising visits.
• Performing regular access right reviews to secure areas and updating or revoking these rights as
necessary.
• Revoking all access rights to VMware facilities and restricted areas immediately and deactivating access
codes known by the staff upon staff termination.

Human Resources and Personnel Security
Human Resource considerations include processes for background screening, employment agreements,
training, and employee termination.

Employee Background Screening
Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors,
and involved third parties are subject to background verification. VMware conducts criminal background
checks, commensurate with the employee position and level of access to the service.

Confidentiality Agreements
VMware employees and alternative workforce (AWF) are required to sign confidentiality agreements.
Additionally, upon hire, personnel are required to read and accept the Acceptable Use Policy and the VMware
Business Conduct Guidelines. Personnel who violate VMware standards or protocols are subject to
appropriate disciplinary action.

Employee Training
In alignment with the ISO 27001 standard, all VMware personnel are required to complete annual business
conduct and security awareness training. Personnel with access to cloud production environments receive
additional training as they assume job roles and responsibilities. VMware periodically validates that
employees understand and follow the established policies through compliance audits.
VMware uses an enterprise Learning Management System (LMS) to deliver required onboarding and annual
security awareness training. The LMS records successful completion and reports are reviewed during ISMS
review meetings. This training must be completed before authorizing access to production systems.
Awareness training topics include, but are not limited to:
• Secure system configuration
• User account management policies
• Environmental control implementation and operation procedures
• Incident Response plans and procedures
• Disaster Recovery plans and procedures
• Physical Security controls


Employee Termination
VMware terminates access privileges to systems when an employee leaves the company. An employee who
changes roles within the organization will have access privileges modified according to their new position.
Terminated employees are required to return assets.

Business Continuity
VMware’s business continuity program implements appropriate security controls to protect its employees and
assets against natural or man-made disasters. As part of the program, a runbook system automates policy
review, and policy updates are made available to appropriate individuals. Additionally, these policies and
procedures include defined roles and responsibilities supported by regular workforce training. VMware
determines the impact of any disruption to the organization by identifying dependencies, critical products,
and services.
Starting in March 2020, VMware executed our business continuity plan in response to the global COVID-19
pandemic. Our teams are distributed around the globe, giving us strong geographic resilience in terms of
our ability to provide continuity of service for our customers. While our offices are open at present, we are
following international best practice guidelines and have seamlessly transitioned our global teams to a “work
from anywhere” policy that allows them to work from their homes, utilizing our own industry-leading
technology and best-in-class collaboration tools.
VMware Global Support Services continues to operate 24x7 and, given the current environment, has put
extra measures in place to help ensure continued smooth operations. Our Professional Services organization,
including our Consulting, Technical Account Management, and Education Services, is also fully operational; all
team members are fully equipped to efficiently and effectively work from home. We have also added capacity
to our worldwide consulting centers and collaborated with our Product teams to offer rapidly deployable
solutions to expand infrastructure capacity as well as enable secure remote productivity for our customers’
employees. The VMware Crisis Management Team, comprised of leaders from across the company, meets
regularly and stays up to date with evolving global changes and developments in relation to ongoing world
events.
Our business continuity plans are reviewed annually to determine which business processes are most critical
and what resources – people, equipment, records, computer systems, and office facilities – are required for
operation. All documented plans follow an annual standard maintenance, assessment, and testing schedule.
Workspace ONE operations teams also maintain service-specific business continuity plans to address the
unique needs of each cloud application.

Risk Management
In alignment with the ISO 27001 and PCI-DSS standards, VMware maintains a Risk Management program to
mitigate and manage risk companywide. We perform risk assessments at least annually to ensure that
appropriate controls are implemented to reduce the risk related to the confidentiality, integrity, and
availability of sensitive information.
VMware cloud management has a strategic business plan to mitigate and manage risks that requires
management to identify risks within its areas of responsibility and to implement appropriate measures
designed to address those risks. VMware cloud management re-evaluates the strategic business plan at least
two times per year.


VMware’s Risk Management Program includes:
• Identifying and characterizing threats.
• Assessing the vulnerability of critical assets to specific threats.
• Determining the risk (i.e., the expected likelihood and consequences of specific types of attacks on
specific assets).
• Identifying ways to reduce those risks.
• Prioritizing risk reduction measures based on a strategy.

Vendor Risk Management
VMware has a comprehensive vendor procurement and risk management program to choose providers that
meet identified security baseline requirements. Supplier agreements require that providers comply with
applicable laws, security, and privacy obligations.
VMware has a formal process to document and to track non-conformance as a part of our ISMS. To assure
reasonable information security across our information supply chain, VMware reviews compliance
documentation for service sub-processors at least annually to help ensure appropriate controls are in place to
reduce risks to the confidentiality, integrity, and availability of sensitive information.

Sub-processors
VMware leverages sub-processors to provide certain services on our behalf. Refer to the Workspace ONE
lists available on the VMware ONE Contract Center for a list of sub-processors used globally. VMware is
responsible for any acts, errors, or omissions of our sub-processors that cause us to breach any of our
obligations. VMware enters into an agreement with each sub-processor that obligates the sub-processor to
process the Personal Data in a manner substantially similar to the standards set forth in the VMware Cloud
Services Exhibit, and at a minimum, at the level of data protection required by applicable Data Protection
Laws. Please refer to the VMware Data Processing Addendum for additional information.
To receive updates to service sub-processors, customers can go to the Cloud Services Preference Center
and enable notifications for updates to this sub-processor list.

Change Management
VMware maintains a detailed Change Management policy that defines controlled changes to production
environments. Changes are processed through a formal program that includes approval, testing,
implementation, and rollback plans.
Third-party and internal audits of these processes are performed at least annually under the VMware ISMS
program and are essential to the VMware continuous improvement programs.

Configuration Management
VMware maintains a detailed Configuration Management policy based on industry best practices to harden
the cloud environment; revisions and exceptions to the Configuration Management policy are processed
through the Change Management policy to help ensure the confidentiality, integrity, and availability of our
hosted offering.
Baseline configuration standards include, but are not limited to:
• Disabling unnecessary ports, services, protocols, and physical connections.
• Reviewing server builds for gaps prior to image configuration.
• Hardening server configurations.


Baseline configurations are documented for all software and hardware (where applicable – i.e., U.S.-based
co-located data centers) installed in the production environment. Baseline configurations include the following
information about system components:
• Standard software packages installed on servers and network components.
• Current version numbers and patch information on operating systems and applications.
• Logical placement of all components within the system architecture.

System Hardening
VMware disables unnecessary ports, protocols, and services as part of baseline hardening standards. We
follow industry best practices in applying secure configurations to managed servers.
For Workspace ONE UEM servers that use Windows operating systems, the team hardens server
configurations using GPO policies (i.e., account policies, user rights, security options, event log settings, app
restrictions). Workspace ONE UEM, Workspace ONE Access, and Workspace ONE Intelligence Linux-based
servers use Amazon Linux AMI for system hardening. The Amazon Linux AMI includes default security
configurations such as remote access limited to SSH key pairs, remote root login disabled, a reduced set of
non-critical packages installed, and automatic security-related updates.
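The baseline and hardening standards above (unnecessary ports and services disabled, a documented set of
packages and their placement) are only useful if they are checked against what a host actually runs. The
following is an added example, not code from the whitepaper or from VMware, of such a check: it parses the
listening-socket output of `ss -Hltn` as captured on a Linux host, compares it with an allowlist for the host's
role, and reports every listener the baseline does not permit or that is exposed more widely than allowed. The
sample `ss` output and the "web" role baseline are constructed for this example.

```python
# Constructed sample of `ss -Hltn` output (header suppressed, TCP listeners,
# numeric addresses). Not captured from any real host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
LISTEN 0      128             [::]:8080         [::]:*
LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
"""

# Assumed baseline per host role: port -> where it may listen.
# "any" = may be reachable from the network, "loopback" = local only.
BASELINE = {
    "web": {22: "any", 443: "any", 5432: "loopback"},
}

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output):
    """Return [(host, port)] for each LISTEN line of `ss -Hltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        local = fields[3]                      # e.g. 0.0.0.0:22 or [::]:8080
        host, _, port = local.rpartition(":")  # IPv6 literals contain ':'
        listeners.append((host, int(port)))
    return listeners


def baseline_deviations(ss_output, role):
    """Compare observed listeners with the baseline for `role`.

    Returns [(port, host, reason)] for every listener that is not in the
    baseline or that binds more widely than the baseline allows."""
    allowed = BASELINE[role]
    deviations = []
    for host, port in parse_listeners(ss_output):
        scope = allowed.get(port)
        if scope is None:
            deviations.append((port, host, "port not in baseline"))
        elif scope == "loopback" and host not in LOOPBACK:
            deviations.append((port, host, "must bind to loopback only"))
    return deviations


if __name__ == "__main__":
    for port, host, reason in baseline_deviations(SAMPLE_SS_OUTPUT, "web"):
        print(f"{host}:{port}  {reason}")
```

On the constructed sample the check flags the telnet listener on 23 and the unexpected service on 8080, while
the database on 5432 passes because it is bound to loopback as the baseline requires. Feeding the function real
`ss -Hltn` output from a fleet, one role map per server class, turns the written baseline into a repeatable audit.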

Time Synchronization
All cloud service components are time synchronized with a common centralized time source per ISO 27001
and PCI-DSS requirements.

Vulnerability and Patch Management
VMware employs a rigorous Vulnerability Management program as part of the VMware ISMS. Risk analysis and
acceptance activities are performed on vulnerabilities to confirm the vulnerability and to determine the
appropriate means of addressing the vulnerability.

System Monitoring
VMware Cloud Operations is staffed 7x24x365 and the team deploys several commercial and custom
purpose-built tools to monitor the performance and availability of all hosted solution components.
Components include the underlying infrastructure servers, storage, networks, portals, services, and
information systems used in the delivery of Workspace ONE services.

Patch Management
VMware maintains the systems it uses to deliver Workspace ONE services, including the application of
patches deemed critical for the target systems. Our policy is to patch or upgrade network, utility, and security
equipment after analyzing the severity and impact of potential vulnerabilities. Critical vulnerabilities are
addressed in a timely manner, and changes are made using industry best practices. Testing is conducted by
the QE department to ensure compatibility with the production environment. If required, rollback procedures
are conducted by the QE team.
For Workspace ONE Intelligence, base images receive patches and reboots as part of the bootstrap process.
Containers are generated on a weekly basis with all patches included. As instances are terminated, new
instances are deployed; no instance lives more than seven days.

Vulnerability Scanning
Vulnerability scans are performed at least monthly on internal and external systems. In alignment with
PCI-DSS, system and application owners are required to address critical and high vulnerabilities with a plan of
corrective action after vulnerability discovery. Rescans are used to verify remediation of high-risk
vulnerabilities. Other vulnerabilities are addressed with a plan of corrective action within a reasonable period.


Please note that VMware does not provide the results of vulnerability scans to customers. We do not feel
these isolated pieces of information are of use to our customers in protecting their security objectives. Results
are not in context, often generate a large volume of false positives, and do not accurately represent the
current security posture of a product or service.

Penetration Testing
VMware and Third-Party Testing
In alignment with PCI-DSS, VMware performs extensive internal and external penetration tests on Workspace
ONE services using both third-party vendors and the VMware Red Team at least annually. The penetration
tests are generally divided into three phases that focus on identifying high-impact vulnerabilities that
could lead to exploitation, theft of data, and/or overall privilege escalation. Tests follow a method intended to
simulate real-world attack scenarios and threats that could critically impact data privacy, integrity, and
overall business reputation. VMware does not provide results of our pen testing activities for Workspace ONE
services; however, executive summaries of our pen tests and third-party attestation letters are available by
request. Further evidence of our annual penetration tests can be found in our SOC 2 Type 2 audit reports.
Please note that VMware’s policy mandates that all penetration test findings with Common Vulnerability
Scoring System (CVSS) rankings must be remediated within defined SLA timelines. This means that if any
issues were found during testing, they must be resolved within the timelines shown below. We believe this is
an important step towards reducing VMware’s exposure to risk from vulnerabilities and protecting the
availability of our infrastructure.
Pen Test Scoring and Remediation Timelines
The VMware Red Team uses the industry standard CVSS 3 Scoring system, which takes the base score of the
vulnerability and applies environmental and other considerations unique to VMware to arrive at a true risk
score appropriate for our environment. This score determines remediation timelines as shown below.
Severity Level | CVSS Definition | Remediation Timeline
Catastrophic (CVSS score 9 - 10) | Findings of this level can be used to gain control of the host, network or application, which can lead to potential leakage of highly sensitive information; exploitation would result in a catastrophic monetary loss, data loss or negative public image. The attack can be done by someone with no service credentials. | 72 hours
Critical (CVSS score 7 - 8.9) | Findings of this level of risk are serious deficiencies that can result in potential misuse of the host or network by intruders. Exploitation would result in monetary loss, sensitive data loss, or moderate negative public image. Attacks can be performed by someone with and/or without service credentials. | 14 days
Serious (CVSS score 4 - 6.9) | Findings of this level indicate that exploitation of the vulnerability would only cause minimal damage or information leaks. This category may contain issues that are more difficult to exploit. | 30 days
Minor (CVSS score 0.1 - 3.9) | Findings in this category may not present an actual threat at the moment but could become more dangerous if used in conjunction with other security issues. | 60 days
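A remediation SLA is only enforceable if each finding's deadline is computed from its score and the open
findings are tracked against it. The following is an added example, not code from the whitepaper or from
VMware, that encodes the severity bands and timelines of the table above, derives the due date of a finding
from its CVSS 3 score and discovery time, and lists the findings that have passed their deadline without being
remediated. The finding identifiers, scores and dates are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Severity bands and remediation timelines as listed in the
# "Pen Test Scoring and Remediation Timelines" table above.
SEVERITY_BANDS = (
    # label, low, high, remediation window
    ("Catastrophic", 9.0, 10.0, timedelta(hours=72)),
    ("Critical",     7.0,  8.9, timedelta(days=14)),
    ("Serious",      4.0,  6.9, timedelta(days=30)),
    ("Minor",        0.1,  3.9, timedelta(days=60)),
)


def classify(score):
    """Map a CVSS 3 score (0.1 to 10.0) to (severity label, remediation window)."""
    if not 0.1 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)  # CVSS scores carry one decimal place
    for label, low, high, window in SEVERITY_BANDS:
        if low <= score <= high:
            return label, window
    raise ValueError(f"no severity band for score {score}")


def remediation_status(finding, now):
    """Return (severity, due_at, state) for one finding.

    finding: dict with 'score' (float), 'found_at' (aware datetime) and
             optionally 'remediated_at' (aware datetime).
    state:   'remediated', 'remediated late', 'open' or 'overdue'.
    """
    severity, window = classify(finding["score"])
    due_at = finding["found_at"] + window
    fixed_at = finding.get("remediated_at")
    if fixed_at is not None:
        state = "remediated" if fixed_at <= due_at else "remediated late"
    elif now > due_at:
        state = "overdue"
    else:
        state = "open"
    return severity, due_at, state


def sla_breaches(findings, now):
    """Ids of findings that are past their deadline and still open,
    in the order they were reported."""
    return [f["id"] for f in findings
            if remediation_status(f, now)[2] == "overdue"]


# Constructed sample findings (ids, scores and dates are placeholders).
UTC = timezone.utc
SAMPLE_FINDINGS = [
    {"id": "PT-0001", "score": 9.8, "found_at": datetime(2022, 8, 1, 9, 0, tzinfo=UTC)},
    {"id": "PT-0002", "score": 7.0, "found_at": datetime(2022, 8, 1, 9, 0, tzinfo=UTC),
     "remediated_at": datetime(2022, 8, 10, 12, 0, tzinfo=UTC)},
    {"id": "PT-0003", "score": 5.5, "found_at": datetime(2022, 8, 1, 9, 0, tzinfo=UTC)},
    {"id": "PT-0004", "score": 3.1, "found_at": datetime(2022, 5, 1, 9, 0, tzinfo=UTC)},
]
DEMO_NOW = datetime(2022, 8, 5, 0, 0, tzinfo=UTC)  # constructed "current time"


def demo_breaches():
    """Overdue findings in the constructed sample as of DEMO_NOW."""
    return sla_breaches(SAMPLE_FINDINGS, DEMO_NOW)


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        sev, due, state = remediation_status(f, DEMO_NOW)
        print(f"{f['id']}: {sev:<12} due {due:%Y-%m-%d %H:%M} -> {state}")
    print("SLA breaches:", demo_breaches())
```

Note that the table's bands are stated to one decimal place, so the score is rounded before the lookup; a
score such as 8.95 would otherwise fall between "Critical" and "Catastrophic". The Minor finding from May in
the sample shows why the tracker matters: a 60-day window is generous, but a low-severity item is the kind
that silently ages past its deadline.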


Customer Penetration Testing
Customer-initiated penetration testing in the cloud-hosted production environment is explicitly forbidden in
the VMware Cloud Services Exhibit.
For Workspace ONE UEM only: With prior approval and under certain circumstances, customers can perform
penetration tests in a simulated environment. All results must be made available to VMware for analysis and
remediation (if necessary). Please reach out to your VMware representative for more information.

VMware Security Response Center (VSRC)
The VMware Security Response Center (VSRC) leads the analysis and remediation of software security issues
in VMware products. VSRC works with customers and the security research community to achieve our goals
of addressing these issues and providing customers with actionable security information in a timely manner.
VSRC proactively monitors the security landscape and receives direct reports concerning security issues in
VMware products. After validating a report, VSRC works with VMware Research and Development to develop
a solution and schedule releases that address the issue. Meanwhile, VSRC keeps the reporter informed on
progress. Upon remediating the issue, VSRC releases a VMware Security Advisory.
Security Advisories
VMware Security Advisories document remediation for security vulnerabilities that are reported in VMware
products. Optionally, sign up to receive new and updated advisories via e-mail.
Customer Security Contact
VMware encourages users who become aware of a security vulnerability in our products or services to
contact VMware with details of the vulnerability.
Please partner with your Technical Account Manager, Professional Services, or Sales representative to open a
support request on VMware Customer Connect, or you may file a support request directly to notify the
appropriate support channels.
When raising a support request, please provide as much detail as possible, including CVE identifiers, VMware
product version and build number, and any details regarding which vulnerability scanner was used, etc. as
applicable.
Note: VMware does not permit direct vulnerability scans of VMware-hosted production environments.
We encourage use of encrypted email. Our public PGP key is found at kb.vmware.com/kb/1055.

Cloud Environment Monitoring
VMware Cloud Operations is staffed 7x24x365 and deploys several commercial and custom purpose-built
tools to monitor the performance and availability of all hosted solution components. Components include the
underlying infrastructure servers, storage, networks, portals, services, and information systems used in the
delivery of Workspace ONE services.

Intrusion Detection & Prevention
VMware deploys several mechanisms to detect intrusions and help protect against distributed denial of
service (DDoS) attacks. These mechanisms range from real-time IDS technologies and internal logs and tools
to external intelligence (OSINT) data sources. VMware monitors for security events involving the underlying
infrastructure servers, storage, networks, information systems, and upstream providers used in service
delivery. As part of VMware’s SDLC, Workspace ONE applications are also assessed against the OWASP Top
Ten to identify and remediate potential application code errors that could lead to unauthorized access and
DDoS. In alignment with PCI-DSS, Workspace ONE services use file integrity monitoring to detect malicious
behavior or changes in system files or libraries. In addition, Workspace ONE Intelligence uses the Amazon Web
Application Firewall (WAF), which provides application layer protection against common web exploits.

Antivirus & Antimalware
VMware implements industry best practices for both administrative and technical controls to prevent, detect,
and respond to viruses and malware, including ransomware. As part of our annual security training programs,
VMware operates a quarterly Phishing Prevention Program to help train our employees to recognize threats.
Social engineering topics (e.g., tailgating, badge access, and vishing) are also covered in our annual security
training. Additionally, VMware hosts annual Security & Resilience Fairs for our employees to educate them on
keeping VMware information systems secure and resilient. As our employees moved to a remote work model
during the global pandemic, VMware created a Working from Home security guide that covers topics such as
mobile device security, securing home Wi-Fi, phone/email scams, and securing homes for natural disasters.
In alignment with PCI-DSS, VMware has deployed and centrally manages Carbon Black antivirus and endpoint
protection on all employee workstations, which is configured to scan for updates to antivirus definitions and
update clients continuously. Additionally, the software performs on-demand virus scans of any attachments or
content introduced into the workstation. System settings prohibit end users from disabling endpoint
protection software. All corporate-owned and personal devices are also enrolled in a VMware-managed
instance of Workspace ONE UEM. Please note that employees are prohibited from accessing Workspace ONE
production environments using personal devices.
Our cloud services also implement strong technical controls, including encrypted backups, network
segmentation, firewalls, and access control lists (ACLs), to mitigate, contain, and remediate potential
attacks. For systems commonly susceptible to malicious attack, such as Windows OS, VMware deploys
enterprise-grade antivirus software. Antivirus software is automatically updated with logging enabled; files are
scanned on access. Workspace ONE Access and Workspace ONE Intelligence production systems are
Linux-based and are hardened using Amazon AMIs.

Log Management
Infrastructure Logs
Workspace ONE services leverage a robust centralized SIEM infrastructure. Critical systems and privileged
access to Workspace ONE infrastructure, firewall and IDS logs, and DNS queries are logged and monitored.
Auditable events are in alignment with PCI-DSS requirements and include user identification, type of event,
date and time, success or failure indication, and origination of event. Access to the audit trail is protected, and
logs are stored separately and securely. Note: VMware does not provide SaaS infrastructure logs to
customers. Please see Application Event Logs for customer-accessible logging options.
VMware System Security logs and events are centrally aggregated and monitored in real-time 7x24x365 by
the VMware Security Operations Center (SOC). Logs forwarded to the VMware SOC are retained at least one
year, in alignment with PCI-DSS requirements, with up to five years of archive storage.
Application Event Logs
Customers can access application-level logs within Workspace ONE UEM and Workspace ONE Access that
record administrator and end user device events. Workspace ONE UEM event logs include:
• Device events show the commands sent from the console to devices, device responses, and device user
actions.
• Console events show actions taken from the Workspace ONE UEM console including login sessions, failed
login attempts, admin actions, system settings changes, and user preferences.
The audit events report in the Workspace ONE Access service lists the events related to a user, including:
• The type of action within a specific date, with criteria such as user, type, action, object, and date range.


These logs can be exported as CSV for storage offline to meet regulatory or business requirements.
Workspace ONE UEM event logs can also be integrated with a customer’s existing SIEM solution using syslog.
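Because the console events described above (login sessions, failed login attempts, settings changes) carry the
PCI-DSS fields listed under Infrastructure Logs (user, event type, date and time, result, origin), a customer can
run simple detections over an exported copy before or instead of a full SIEM integration. The following is an
added example, not code from the whitepaper or from VMware, that parses a constructed CSV export, flags
an origin address that produced a burst of failed console logins across several accounts, and lists settings
changes made outside the expected working hours. The column names, thresholds, user names and addresses
are constructed for this example and are not the product's real export schema.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export in the spirit of the console event log described
# above. Column names are assumptions for this example, not the product's
# real export schema; addresses are from documentation ranges.
SAMPLE_CSV = """\
timestamp,user,event_type,result,origin
2022-08-01T09:00:01Z,alice,ConsoleLogin,Success,203.0.113.10
2022-08-01T09:05:12Z,bob,ConsoleLogin,Failure,198.51.100.7
2022-08-01T09:05:20Z,bob,ConsoleLogin,Failure,198.51.100.7
2022-08-01T09:05:31Z,carol,ConsoleLogin,Failure,198.51.100.7
2022-08-01T09:05:44Z,dave,ConsoleLogin,Failure,198.51.100.7
2022-08-01T09:05:59Z,erin,ConsoleLogin,Failure,198.51.100.7
2022-08-01T09:20:00Z,alice,SystemSettingsChange,Success,203.0.113.10
2022-08-01T22:30:00Z,mallory,SystemSettingsChange,Success,198.51.100.7
"""

FAIL_THRESHOLD = 5                  # failed logins from one origin ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this sliding window
CHANGE_HOURS = range(8, 18)         # UTC hours in which settings changes are expected


def parse_events(csv_text):
    """Parse the export into dicts, adding a parsed 'ts' (naive UTC datetime),
    sorted by time so the sliding window below sees events in order."""
    events = list(csv.DictReader(io.StringIO(csv_text)))
    for e in events:
        e["ts"] = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events):
    """Detect origins with >= FAIL_THRESHOLD failed console logins inside
    FAIL_WINDOW. Returns {origin: {"first": datetime, "count": int,
    "users": [...]}}. Many distinct users from one origin is the shape of a
    password-spraying attempt rather than one forgotten password."""
    recent = defaultdict(deque)  # origin -> (ts, user) pairs inside the window
    alerts = {}
    for e in events:
        if e["event_type"] != "ConsoleLogin" or e["result"] != "Failure":
            continue
        origin, ts = e["origin"], e["ts"]
        window = recent[origin]
        window.append((ts, e["user"]))
        while ts - window[0][0] > FAIL_WINDOW:
            window.popleft()
        if len(window) >= FAIL_THRESHOLD and origin not in alerts:
            alerts[origin] = {"first": window[0][0], "count": len(window),
                              "users": sorted({u for _, u in window})}
    return alerts


def out_of_hours_changes(events):
    """List (user, timestamp) for settings changes made outside CHANGE_HOURS,
    a cheap signal to reconcile against the change-management record."""
    return [(e["user"], e["ts"]) for e in events
            if e["event_type"] == "SystemSettingsChange"
            and e["ts"].hour not in CHANGE_HOURS]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for origin, info in failed_login_bursts(evs).items():
        print(f"burst from {origin}: {info['count']} failures from "
              f"{info['first']:%H:%M:%S}, users {', '.join(info['users'])}")
    for user, ts in out_of_hours_changes(evs):
        print(f"out-of-hours settings change by {user} at {ts:%Y-%m-%d %H:%M}")
```

The same two functions work unchanged on events received over the syslog integration mentioned above once
they are normalised to the same five fields; the export is just the simplest way to get at the data.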

Incident Management & Response
The VMware Incident Response program, plans, and procedures are developed in alignment with the ISO
27001 and PCI-DSS standards. VMware maintains contacts with industry bodies, risk and compliance
organizations, local authorities, and regulatory bodies. Points of contact are regularly updated to ensure direct
compliance liaisons have been established and prepared for a forensic investigation requiring rapid
engagement with law enforcement. Under the VMware ISMS program, the incident response plan is tested at
least once annually, regardless of whether a security incident has occurred.

Figure 3: Incident Response Cycle

VMware Security Operations Center (SOC)
The VMware SOC is staffed and monitors alerts on security anomalies 7x24x365. The SOC leverages multiple
log capture and security monitoring technologies and intrusion detection tools to look for unauthorized access
attempts, monitor for incoming threats, and detect activity from malicious insiders.

Incident Reporting
All staff are responsible for reporting information security events as quickly as possible. At a minimum, these
scenarios include:
• Ineffective security controls or access violations.
• Breach of information integrity, confidentiality, or availability expectations.
• Human errors.
• Non-compliances with policies or guidelines.
• Breach of physical security arrangements.
• Uncontrolled system changes.
• Malfunction of software or hardware.

Breach Notification
In the case of a confirmed data breach, VMware shall without undue delay notify affected customers of the
breach in accordance with applicable laws, regulations, or governmental requests.


Identity and Access Management
Customer Access to Production Environment
As Workspace ONE services are SaaS-based offerings, customer administrators do not directly manage
access to the production environment, but rather, access Workspace ONE services through web-based
consoles. Granular role-based access controls (RBAC) restrict the depth of device management information
and features available to each Workspace ONE console user. All Workspace ONE administrator changes are
retained for review within the console event log. Customer administrators also manage access and
entitlements for end user devices.

VMware Access to Production Environments
Access privileges are enforced using role-based access control, separation of duties, and the principle of least
privilege. Production environment access is secured through a combination of VPN, IP address allow-listing, or
jump servers using MFA and Active Directory credentials. In accordance with ISO 27001 and PCI-DSS, access
is restricted to authorized members of applicable teams, and system sessions are set to an idle timeout of 15
minutes. Logs are in place to review support staff access to all systems and environments. Quarterly User
Access Reviews are conducted to review privileged access and to remove or deactivate accounts with 90 days
of inactivity.

VMware Access to Customer Networks
Workspace ONE services integrate with customer resources using optional customer-managed on-premises
connectors. Workspace ONE services, therefore, do not require direct access to internal customer networks,
and VMware support personnel do not have access to customer internal networks. For more information on
the optional on-premises components, please see the Common Components section of the Workspace ONE
Reference Architecture.

Session Controls
VMware Production Environment Sessions
Workspace ONE SaaS production environment administrative sessions are set to time out after 15 minutes of
inactivity.

Workspace ONE UEM Management Console


The cloud-hosted Workspace ONE UEM console has a session timeout maximum of 60 minutes for customer
administrators based on the load balancer persistence settings. Workspace ONE administrators can also
configure an authentication timeout for end-user applications using the Workspace ONE Software
Development Kit (SDK).
Workspace ONE UEM console sessions include the following security controls:
• HTTP sessions are secured using state and session tokens created and validated by the server.
• Session control tokens are present on every HTTP transaction.
• Authenticated sessions do not tie identity and authentication to anti-CSRF tokens.


Workspace ONE Access Management Console


Customer administrators set Workspace ONE SSO session and per app re-authentication policies to force
users to authenticate again after a configurable length of time.
The Workspace ONE Access Administrative Console and Workspace ONE app catalog include the following
security controls:
• HTTP sessions are secured using state and session tokens created and validated by the server.
• The solution uses HSTS headers.
• Session control tokens are present on every HTTP transaction.
• XSRF-TOKEN cookie is used to help prevent CSRF attacks.
The Workspace ONE mobile app for end users leverages OAuth tokens, which are stored encrypted within the
app using the standard device-level encryption supported by each mobile operating system. All mobile
Workspace ONE apps require a device-level or app-level passcode entered by the end user to access the app.
Expiry of these tokens is controlled by the server: the administrator chooses how long the session is valid
and how frequently it needs to be renewed. These tokens cannot be removed from the device and used
elsewhere.

Workspace ONE Hub Services


Workspace ONE Hub Services is configured from the Workspace ONE Access and Workspace ONE UEM
administrator consoles. Workspace ONE Access management console security is outlined above.

Workspace ONE Intelligence Administrative Panel


Generally, customers enable the Workspace ONE Intelligence administrative panel through the Workspace ONE
UEM console or through the Workspace ONE Intelligence console via the Workspace ONE Cloud Admin Hub
on cloud.vmware.com.
Workspace ONE Intelligence administrative panel sessions include the following controls:
• JSON Web Tokens use certificates for authentication.
• Access tokens expire.
• Certificate downgrade is not possible.
• CSRF tokens and security headers are configured to mitigate XSS.


Cloud Security Architecture


Workspace ONE cloud services leverage robust perimeter defenses, including access control mechanisms,
perimeter firewalls, malware controls, auditing mechanisms, network controls, disablement of unnecessary
services, and maintenance of defined configuration settings.
On-premises components are required to support certain solution features. VMware does not have, nor does it
require, access to customer internal networks. Customers manage on-premises connectors for the solution.
Documentation on connectors is available on VMware Tech Zone.

Workspace ONE UEM


Unless specified, policies, procedures and controls as outlined in the Workspace ONE Cloud Service Specific
Controls section are applicable to both the next generation Workspace ONE UEM Control Plane and
Workspace ONE UEM Classic architectures. As of the publishing of this whitepaper, the Workspace ONE UEM
Control Plane architecture is available in our Shared SaaS environments. The Control Plane architecture will be
rolled out to our Managed Hosting environments throughout 2022.
Disaster Recovery
Workspace ONE UEM is supported by defined enterprise resiliency programs which include business
continuity and disaster recovery mechanisms. The Workspace ONE UEM cloud infrastructure is designed for
high availability and resiliency. Redundancy helps ensure that customers will typically not notice a
disruption during a component or system failure inside a VMC on AWS Availability Zone (AZ) or primary co-
located data center.
• In VMC on AWS locations, VMware uses stretched cluster SDDC for high availability in an active-active
configuration: SDDC hosts are evenly split between two AZs within an AWS Region with an additional
witness host in a third AZ to automatically protect against host failures or failures within the region.
• In the unlikely event that a primary data center fails in a co-located data center, a manual process is
implemented to switch the primary database to the secondary database at the backup data center.
Device and console front-end connectivity is migrated to the backup data center. Settings are manually
updated on the Global Load Balancer to promote the failover DNS entry from secondary to primary; this
process changes IP address references to the backup data center.
DR plans are rigorously tested against various disaster scenarios and include tabletop and service restoration
exercises. Additional DR strategies include:
• Daily backups are stored for 30 days.
• Monthly backups are retained for 60 days.
• Backups are encrypted in-transit and backups are encrypted at-rest (AES 256), and support staff regularly
review backup processes to help ensure data integrity.

Recovery Time Objective
• RTO – 72 hours
Recovery Point Objective
• RPO – 24 hours


Workspace ONE UEM Cloud Control Plane Architecture


Workspace ONE UEM has a multi-tiered architecture: Front-facing WEB/APP servers are isolated in a
restricted Demilitarized Zone (DMZ) behind L7 traffic management/SSL acceleration appliances that proxy all
connections to the WEB/APP layer. Workspace ONE UEM also contains an orchestration layer called the
Control Plane that uses containerized services for performance and high availability.
The UEM Control Plane ecosystem contains an application workloads cluster, core services cluster and a
management cluster that spans across the web/app, state, and management services tiers. The core services
cluster includes Kafka (for messaging), Postgres database, logging, and telemetry. The boundaries of the
Control Plane are completely internal, and it communicates only to the Workspace ONE UEM instance. The
Photon-based Linux Control Plane is scanned as a part of the deployment pipeline. The Workspace ONE UEM
Control Plane also uses HashiCorp Vault for secrets lifecycle management. Secrets are used for encrypted
communication between the Control Plane services.

Figure 4: Workspace ONE UEM Control Plane Architecture


Workspace ONE UEM Classic Architecture


Workspace ONE UEM Classic is a three-tiered architecture. The front-facing WEB/APP servers
are isolated in a restricted Demilitarized Zone (DMZ) behind L7 traffic management/SSL acceleration
appliances that proxy all connections to the WEB/APP layer.

Figure 5: Workspace ONE UEM Classic Architecture


Workspace ONE Access


Disaster Recovery
Workspace ONE Access is supported by defined enterprise resiliency programs which include business
continuity and disaster recovery mechanisms. The Workspace ONE Access service employs a highly
redundant design with multiple best-in-class redundancy technologies combined with data replication
strategies. The infrastructure is designed to ensure that customers will typically not notice a disruption during
a component or system failure inside a primary data center.
DR plans are rigorously tested against various disaster scenarios and include tabletop and service restoration
exercises. DR strategies include, but are not limited to:
• The use of multiple Amazon Web Services (AWS) Availability Zones and auto-scaling for capacity
adjustments.
• Daily database snapshots and datastore backups to support service RPO and RTO.
• Database snapshots are stored for 14 days.
• Backups are encrypted in-transit and backups are encrypted at-rest (AES 256), and support staff regularly
review backup processes to help ensure data integrity.
• Disaster recovery plans are tested and reviewed annually.

Recovery Time Objective


• RTO – 4 hours
Recovery Point Objective
• RPO – 4 hours


Workspace ONE Access Architecture


Workspace ONE Access is a three-tiered architecture application hosted in a blue-green deployment in
multiple Availability Zones (AZs) in AWS Regions globally. The front facing WEB/APP Servers are isolated in a
restricted Demilitarized Zone (DMZ) behind L7 traffic management/SSL acceleration appliances that proxy all
connections to the WEB/APP layer. Workspace ONE Access uses a micro-segmentation approach for the
cloud network, and each instance or server belongs to a function-specific security group.

Figure 6: Workspace ONE Access Production Environment Architecture

AWS CloudFront Content Delivery Network (CDN) is used for delivery of some of the VMware Workspace
ONE Access service content (static JavaScript, CSS, and images) for the admin console and end-user
experience (login screen, Catalog, etc.) on HTTPS 443. On-premises connectors and third-party Identity
Providers do not require any access to AWS CloudFront CDN. The CDN does not store customer PII.


Workspace ONE Intelligence


Disaster Recovery
Workspace ONE Intelligence is supported by defined enterprise resiliency programs which include business
continuity and disaster recovery mechanisms. The Workspace ONE Intelligence service leverages multiple
availability zones in each deployment region, and databases are configured with daily point-in-time backups
going back 30 days for resiliency. Additionally, Workspace ONE Intelligence infrastructure deployment is
automated and can be quickly orchestrated as required. The infrastructure is designed to ensure that
customers will typically not notice a disruption during a component or system failure inside a primary site.
DR plans are rigorously tested against various disaster scenarios, including AWS disasters within the region or
affecting the whole region, as well as tabletop exercises. DR strategies include, but are not limited to:
• The use of multiple AWS Availability Zones.
• Daily point-in-time backups are stored for 30 days. System audit log data is retained for 90 days.
• Backups are encrypted in-transit and at-rest, and support staff review backup processes to help ensure
data integrity.
• Disaster recovery plans are tested and reviewed annually.

Recovery Time Objective


• 4 hours
Recovery Point Objective
• 4 hours


Workspace ONE Intelligence Architecture


Workspace ONE Intelligence is a multi-tiered application composed of microservices built on
the Spring framework. All containerized services in the Workspace ONE Intelligence application run in
multiple Availability Zones to help minimize downtime and automate scaling. Workspace ONE Intelligence
further limits downtime risk through a blue-green deployment architecture and a continuous integration,
continuous deployment (CI/CD) pipeline. Services in the state tier are deployed with failover in multiple
Availability Zones.
External traffic is routed through web application firewalls (WAF) and external load balancers; all internal
microservices are deployed behind internal load balancers in private subnets. Daily snapshots are taken and
replicated in region.

Figure 7: Workspace ONE Intelligence Production Environment Architecture


For Workspace ONE UEM SaaS customers, VMware hosts the ETL server (in the Workspace ONE UEM cloud
environment). The hosted ETL server transmits data from your Workspace ONE UEM cloud deployment to the
Workspace ONE Intelligence cloud environment. On-premises Workspace ONE UEM customers must install an
ETL server to connect their on-premises Workspace ONE UEM deployment to the Workspace ONE
Intelligence cloud environment.
Customers can optionally leverage the Workspace ONE Trust Network to aggregate threat intelligence from
existing security tools, including VMware Carbon Black and Lookout, through secure API connections. For more
information, refer to the VMware Solutions Exchange and to the service documentation on connectors, which is
available on VMware Tech Zone.

Workspace ONE Data Handling


Data Collection
Workspace ONE UEM
Workspace ONE UEM collects limited personal data used for user activation and management. Customers can
enable AES-256 encryption at rest of these fields via the Workspace ONE UEM Administrative Console: User
first, last name, username, email address, and phone number. Note: Workspace ONE UEM does not store user
credentials derived from customer AD integration.
VMware publishes a Workspace ONE UEM Privacy Disclosure to inform customers who purchase the software
to perform unified endpoint management and those individuals whose devices are being managed by the
software regarding the types of information collected by the software about users and their devices.
Limiting Data Collection
Customers can also configure privacy settings to enable or disable the collection and display of user and
device information in the Workspace ONE UEM console according to device ownership type.

Privacy control types include:
• Collect and Display
• Collect - Do Not Display
• Do Not Collect

These controls apply to the following fields:
• GPS Data
• Carrier/Country Code
• Roaming Status
• Cellular Usage Data
• Call Usage
• SMS Usage
• Device Phone Number
• Personal Applications
• Unmanaged Profiles
• Public IP Address


Workspace ONE Access & Hub Services


Workspace ONE Access combines the User’s identity with factors such as device and network information to
make intelligence driven, conditional access decisions for applications delivered by Workspace ONE. Access
acts as a broker to other identity stores and providers (such as Active Directory (AD), Active Directory
Federation Services (ADFS), Azure AD, Okta and Ping Identity) that Customers may already be using to
enable authentication across on-premises, SaaS, web and native applications without the need to rearchitect
the identity environment. Workspace ONE Access and Hub Services collect data such as authentication, user
data, and logging data. For a complete list, please see the Workspace ONE Privacy Disclosure.
Workspace ONE Intelligence
Workspace ONE Intelligence consumes data from various sources as configured by customer administrators
from Workspace ONE UEM, Workspace ONE Access, Workspace ONE Intelligence SDK, and/or the VMware
Trust Network. Data is aggregated from multiple sources to provide actionable security insights across
devices and users. Please refer to Supported Data Categories by Integration for a complete list of data
collection points on VMware Docs.
For additional information regarding data collection and use, please refer to the documents referenced in the
Standard Hosting Agreements and Service Resources section of this whitepaper.

Data Segmentation
Customer data is segmented in all Workspace ONE services. The data segmentation mechanism varies by
service and is detailed by service below.
Workspace ONE UEM
Workspace ONE UEM is available in both Shared and Managed Hosting environments. Workspace ONE
Access and Workspace ONE Intelligence are available in Shared Hosting environments only.
Workspace ONE UEM Shared Environment
Shared virtual machines are assigned to the Shared SaaS environment to host the Workspace ONE UEM
application. Data is isolated at the application layer using unique identifiers. The database resides on a shared
SQL cluster with shared infrastructure that contains data for multiple customers. Customers in the shared
environment can only access data from their tenant.
(Applicable to Control Plane Architecture deployments.) Shared environments use shared Control Plane
services such as Consul, Nomad, and Vault for security service communication, orchestration and scheduling,
secrets management, and enforcing access control lists. The Postgres database cluster used by the Control
Plane also resides on a shared infrastructure that contains data for multiple customers. Customers can only
access data from their tenant.
Workspace ONE UEM Managed Hosting
Workspace ONE Managed Hosting Service provides a single-tenant instance of the logical service; multiple
instances of the hosting service may leverage shared hardware infrastructure. There is no guarantee of, or
design for, dedicated physical servers.
• Dedicated VMs are assigned to the Managed Hosting environment to host the Workspace ONE UEM
application.
• SQL and (coming soon) Control Plane Postgres databases containing customer data are isolated and not
shared; please note that the databases do reside on shared SQL and Postgres clusters. For the Control
Plane, managed services customers will also receive dedicated Kafka topics (i.e., groups that hold
messages and events).
Workspace ONE Access and Workspace ONE Intelligence Shared Environments


Customer data is segmented at the application level using unique customer identifiers. Customers cannot
access data from another customer’s tenant.
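Application-layer segmentation by unique customer identifier, as described for the shared UEM, Access and Intelligence environments above, in the form of an added example that is not Workspace ONE code. Every row in the shared table carries a tenant identifier, the tenant for a request is taken from the authenticated session rather than from any request parameter, and all reads go through one repository primitive that applies the tenant predicate first, so a lookup of another tenant's record is indistinguishable from a missing record. The table rows, tenant ids and the parameterized SQL shape are constructed for the example.

```javascript
// Added example (not VMware code): tenant-scoped access to a shared datastore.
const DEVICES = [                                  // constructed shared table with rows from two tenants
  { tenantId: 'tenant-A', deviceId: 'd-1001', user: 'alice@a.example' },
  { tenantId: 'tenant-A', deviceId: 'd-1002', user: 'bob@a.example' },
  { tenantId: 'tenant-B', deviceId: 'd-2001', user: 'carol@b.example' },
];

// The tenant id comes from the authenticated session only; it is never read from the
// request body, path or query string. `session` is whatever the auth layer produced.
function contextFromSession(session) {
  if (!session || typeof session.tenantId !== 'string' || session.tenantId === '') {
    throw new Error('unauthenticated');
  }
  return Object.freeze({ tenantId: session.tenantId, user: session.user });
}

class TenantScopedRepository {
  constructor(rows) { this.rows = rows; }

  // The only query primitive: the tenant predicate is applied first and cannot be omitted.
  _scoped(ctx) {
    if (!ctx || typeof ctx.tenantId !== 'string' || ctx.tenantId === '') {
      throw new Error('request context carries no tenant');
    }
    return this.rows.filter((r) => r.tenantId === ctx.tenantId);
  }

  listDevices(ctx) { return this._scoped(ctx).map((r) => r.deviceId); }

  // A lookup by id that belongs to another tenant returns null, same as an unknown id.
  findDevice(ctx, deviceId) {
    return this._scoped(ctx).find((r) => r.deviceId === deviceId) || null;
  }

  // Same rule expressed as parameterized SQL for a shared SQL/Postgres cluster: the tenant
  // predicate is always present and always the first bound parameter (assumed schema).
  static sqlFor(ctx, extraWhere = '', extraParams = []) {
    if (!ctx || !ctx.tenantId) throw new Error('request context carries no tenant');
    const where = ['tenant_id = $1'].concat(extraWhere ? [extraWhere] : []).join(' AND ');
    return {
      text: `SELECT device_id, user_name FROM devices WHERE ${where}`,
      params: [ctx.tenantId, ...extraParams],
    };
  }
}
```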

Data Encryption
Each service within the Workspace ONE platform leverages encryption to help protect data both in transit and
at rest. Workspace ONE UEM, Workspace ONE Access, and Workspace ONE Intelligence collect varying data
points intended to achieve different outcomes in the delivery of the service. Due to these differences in
functionality, the specific encryption approach varies to align with the intended function of each service.
Encryption In-Transit
Workspace ONE UEM
All traffic traversing public networks and any sensitive interactions between Workspace ONE nodes
(Workspace ONE and its integration components) and the device agents are done using message-level
encryption. These message-level interactions are encrypted with 2048-bit RSA asymmetric keys using digital
certificates. In alignment with PCI-DSS, Workspace ONE UEM SaaS environments support TLS 1.2+. Note:
Managed hosting customers can restrict the TLS protocols communicating with their environment (e.g.,
customers can allowlist only TLS 1.2).
• Note: REST API calls take place over HTTPS with a certificate signed by a publicly trusted CA.
• Customers can also enable LDAPS to encrypt the directory services connection to on-premises solution
components such as the AirWatch Cloud Connector. The AirWatch Cloud Connector leverages HTTPS
communication to the cloud. Please refer to the Workspace ONE Reference Architecture for additional
information on on-premises solution components.
Workspace ONE Access
Communications for Workspace ONE Access are encrypted in transit via HTTPS (TLS) over public networks. In
alignment with PCI-DSS, Workspace ONE Access SaaS environments only support TLS 1.2+.
Each customer tenant is assigned a unique private/public key pair. The keys are randomly generated at the time
of tenant creation. Private keys are encrypted at rest with AES-256.
Workspace ONE Intelligence
Communications for Workspace ONE Intelligence are encrypted in transit via HTTPS (TLS) over public
networks. In alignment with PCI-DSS, Workspace ONE Intelligence SaaS environments only support TLS 1.2+.
Encryption At-Rest
Workspace ONE UEM
All user data stored within Workspace ONE UEM is encrypted at rest using hardware-based array-level
encryption and/or volume-level encryption, with a minimum of AES-256 symmetric encryption.
Additional data-level encryption is implemented for customer content and sensitive fields as described in the
Data Security – Data Collection section of this document. All locally defined passwords, certificate private
keys, client cookie data, tokens, and the AD Bind Account are stored within the database and are protected with
the 256-bit AES symmetric encryption algorithm. Stored credentials use PBKDF2 with a salt of at least 256 bits
and a sufficiently large number of iterations.
Note: Workspace ONE UEM does not store user credentials derived from customer AD integration.
Workspace ONE Access & Hub Services
Locally defined Workspace ONE Access passwords are secured with AES-256 and PBKDF2 and a randomly
generated salt. The service does not store user credentials derived from customer AD integration. The AD
Bind Account is stored in the Workspace ONE Access database and is encrypted (AES-256). Data considered
sensitive by the application is encrypted (AES-256) with a per-tenant key that is generated by Workspace
ONE Access. Amazon S3 instances used for Workspace ONE Access and Workspace ONE Hub Services are
encrypted. Encryption is applied at the database level for Workspace ONE Hub Services.
Workspace ONE Intelligence
Workspace ONE Intelligence is a cloud service that provides deep insights, analytics, and automation for the
entire digital workspace. As such, Workspace ONE Intelligence was built as a cloud-native service and uses a
combination of AWS-managed and VMware-managed KMS keys for all encryption at rest across the solution
datastores. Data is encrypted at rest using AES-256 with GCM.
Key Management
Please note that Workspace ONE services do not currently support a bring your own key (BYOK) model. To
help ensure the security and integrity of the cryptography used in the cloud-hosted environments, only
authorized VMware support personnel have access to encryption keys, and keys are managed in line with PCI-
DSS. Customers can manage their own encryption keys for on-premises hosted resources, such as
establishing and managing the X.509 certificates for on-premises integration connectors (such as AirWatch
Cloud Connector).


Workspace ONE UEM


Data in Workspace ONE UEM is encrypted at rest with a VMware data encryption key (DEK) that is stored in
the database. The Workspace ONE UEM database is encrypted at rest with array- or volume-level encryption.
Access to the DEK requires direct root privileges to the Workspace ONE UEM database where the DEK is
stored. Those permissions are only granted to a small subset of senior VMware Database Administrators with
documented business need. All interactive root access to the Workspace ONE UEM database and DEK is
logged and audited. Workspace ONE UEM server keys are stored in an enterprise grade key management
tool.
Workspace ONE Access
Workspace ONE Access uses AWS Key Management Service (KMS) to manage encryption keys. Sensitive
customer data is encrypted with a per-tenant key and stored encrypted using a separate master key. The
master key encrypts all per-tenant keys and is stored encrypted. The key used to encrypt the master key and
database snapshots is an AWS KMS key generated and stored by KMS. The private key does not leave KMS, and
we do not use a customer-supplied key that would allow us to hold a copy of the private key outside of KMS. We
double-encrypt the master key using the KMS in an alternate AWS region so that, if the primary region is down,
we can restore the service in the alternate region.
Workspace ONE Intelligence
Workspace ONE Intelligence uses AWS KMS to manage encryption keys. Sensitive customer data is
encrypted with per-region keys and stored encrypted in the database. The keys used to encrypt database
snapshots are also AWS KMS keys generated and stored by KMS. The private keys do not leave KMS, and we
do not use customer-supplied keys that would allow us to hold a copy of the private key outside of KMS.
Certificate Management
Workspace ONE UEM
Customer certificates uploaded via the Workspace ONE UEM console are encrypted before upload and are
password protected in the PKCS12 format. The passwords are additionally encrypted at-rest using AES-256
encryption utilizing the application encryption key. These certificates can include:
• Registration Authority (RA) Certificates
• TLS Mutual Authentication Certificates (for connecting to a customer's on-premises enterprise CA)
• Gateway SSL Certificates
For certificates issued via integration with a customer’s on-premises Enterprise CA (including S/MIME),
VMware will collect the certificate from the Enterprise CA and securely forward it to the device. The certificate
may be stored in volatile cache memory for up to 4 hours but is never stored or written to non-volatile
storage.
For S/MIME certificates uploaded via the Self-Service Portal (SSP), the certificates are automatically purged
after 48 hours, and the customer can configure that retention period down to as low as 60 minutes via the
SSP.
Workspace ONE Access
Workspace ONE Access uses SAML signing certificates to help ensure that messages are coming from the
expected identity and service providers. The SAML certificate is used to sign SAML requests, responses, and
assertions from the service to relying applications, such as WebEx or Google Apps. A self-signed certificate is
automatically created in the Workspace ONE Access service for SAML signing. These SAML certificates are
encrypted using tenant-specific keys that are encrypted using Amazon KMS.


Backup Retention & Data Destruction


Retention
Workspace ONE UEM
Daily backups are stored for 30 days, and monthly backups are stored for 60 days.³
Workspace ONE Access
Daily backups are stored for 14 days, and monthly backups are stored for 60 days.
Workspace ONE Intelligence
Workspace ONE Intelligence stores data to offer historical analysis. The system stores raw data for three
months and stores trend data for 12 months. Examples of raw data can include battery information and
operating system versions. Some trend data examples include application installs and application adoption,
device category data, enrollment, and OS versions over time.
Destruction
Logical Destruction
Tenants and associated data are deleted upon request within 90 days of the deletion request.
Physical Destruction
VMware adheres to DOD Mandate 5220-22M, where applicable (U.S.-based co-located data centers only).
Please note that VMware partners with IaaS and managed service providers to support Workspace ONE
cloud-delivered environments globally; these providers manage physical media destruction processes
according to ISO 27001 and PCI-DSS requirements.

Privacy and Compliance


Data Sovereignty and Service Sub-Processors
All Workspace ONE customer production data is replicated to disaster recovery locations in region. For data
processing locations please refer to the Workspace ONE UEM and Workspace ONE Access sub-processors
lists available on the VMware ONE Contract Center. VMware affiliates may also process Content. As set forth
in the VMware Data Processing Addendum, VMware has adequate data transfer mechanisms in place with
each sub-processor. Please refer to the VMware Data Processing Addendum and service sub-processor lists
for additional information.
VMware creates microservices in discrete cloud environments to extend the core platform functionality.
Processing locations for product functionality delivered via microservices are also outlined in the service sub-
processor lists. For more information, please refer to the Microservices Appendix.

Privacy and the EU General Data Protection Regulation (GDPR)


Workspace ONE customers are responsible for using and configuring the service in a manner that enables the
customer to comply with applicable Data Protection Laws, including the GDPR, as a data controller or as a
data processor with respect to Personal Data. VMware complies with applicable data processor obligations.
For additional information regarding customer and VMware responsibilities please refer to the VMware Data
Processing Addendum and Workspace ONE Privacy Disclosure.
Workspace ONE customer administrators can configure how some of the data is managed, collected, and stored
across managed devices. For example, device phone numbers can be collected for corporate-owned iOS
devices, but not for employee-owned Android devices. Privacy controls can be set up with role-based access,
restricting customer IT staff who do not have the appropriate privileges from modifying policies that do not
adhere to company policy.

³ Exception: Workspace ONE UEM web console administrator login history, which is purged, by default, every 730 days (unless the
customer configures an Admin Terms of Use (TOU) prompt for users) to support customers’ security and auditing purposes. If the TOU
prompt is configured, the admin login history is not automatically purged, so that a timestamp and admin record corresponding to the
TOU acceptance are retained.
VMware has no direct relationship with the Users whose data it processes in connection with providing the
Software and any related services. A User who seeks access, or who seeks to correct, amend, or delete
inaccurate data should direct their query to the Customer. If the Customer requests VMware to modify or
remove the data, we will respond to the Customer’s request in accordance with our agreement with the
applicable Customer or as may otherwise be required by applicable law.
At any time, an appropriately provisioned Workspace ONE administrator can take the following actions to
help comply with applicable data protection laws:
• Access, upload, update or remove data directly from the console at any time.
• Require Terms of Use (TOU) acceptance prior to end users accessing the service during enrollment. Users
must accept the TOU before proceeding with enrollment, installing apps, or accessing the console. The
console allows administrators to customize fully and assign a unique TOU to each organization group and
child organization group. TOU acceptance can be reviewed in the administrative console or within the end-
user VMware Intelligent Hub at any time.
• Export solution data, including user reports, at any time via CSV as well as PDF and XLS formats.

Binding Corporate Rules


Coincident with the EU General Data Protection Regulation (GDPR), VMware has completed the EU approval
process for its global Binding Corporate Rules (BCR) as a data processor: This significant regulatory approval
allows VMware to use this transfer mechanism to protect the personal data of our customers when acting as
their data processor. The BCRs apply to our customer data processing relationships. VMware is listed as a
company for which the EU BCR cooperation procedure is closed. VMware also publishes BCR frequently
asked questions (FAQs) for customer and partner review.
Data Protection Requests
If VMware receives any requests from individuals or applicable data protection authorities relating to the
processing of Personal Data within Workspace ONE services, including requests from individuals seeking to
exercise their rights under Data Protection Law, VMware will promptly redirect the request to the customer.
VMware will not respond to such communication directly without the customer's prior authorization, unless
legally compelled to do so. If VMware is required to respond to such a request, VMware will promptly notify
the customer and provide a copy of the request, unless legally prohibited from doing so.
VMware will reasonably cooperate with customers to respond to any requests from individuals or applicable
data protection authorities relating to the processing of personal data to the extent that customer is unable to
access the relevant personal data in their use of the service. Please refer to the VMware Data Processing
Addendum for definitions and standard hosting terms.


Audit Reports and Trust Assurance


ISO Certifications
Workspace ONE services have achieved ISO 27001, ISO 27017, and ISO 27018 certification. Refer to the
VMware Trust Center to view our certificate.

PCI-DSS Certification
Workspace ONE Access and Workspace ONE Intelligence have achieved PCI-DSS certification. The PCI-DSS
Attestation of Compliance (AOC) can be downloaded from VMware Trust Center. Please note that, although
these Workspace ONE services are PCI-DSS certified, they do not store, process, or transmit cardholder data.

SOC 2 Type 2 Audit Reports


Workspace ONE cloud-delivered environments have undergone SOC 2 Type 2 audits; SOC 2 Type 2 reports
are available under an NDA with VMware.

Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ)


VMware has completed and published a CAIQ response to provide transparency into the technologies and
processes VMware implements to manage risk for its cloud-delivered environments.

Standard Hosting Agreements and Service Resources


VMware Cloud Services Guide
Please refer to the Workspace ONE and Workspace ONE Access Service sections available in the VMware
Cloud Services Guide for an overview of the hosted service, including roles and responsibilities shared
between VMware and the customer.

Service Level Agreement


Workspace ONE services will maintain a monthly availability measurement of 99.9% as defined in the
Workspace ONE service SLAs available on the VMware ONE Contract Center.

Terms of Service
The VMware Cloud Services Exhibit and the Cloud Services Guide govern VMware cloud delivered services in
addition to the VMware Data Processing Addendum.

Release Management and Maintenance


Workspace ONE services carry the 99.9% monthly availability SLA referenced under Service Level Agreement
above. As part of the cloud offering, VMware manages and updates the Workspace ONE SaaS applications and
scoped hosting systems on behalf of our customers.

Release Schedules
VMware communicates feature releases and service announcements through VMware Docs, VMware Blogs,
My Workspace ONE, and by email. Features ship on a frequent release cadence, and we aim to provide
same-day support for new major operating system releases and their APIs:
• Workspace ONE shared cloud environments receive updates automatically.
• Customers on the Workspace ONE UEM Managed Hosting Service schedule upgrades to their own
environment through an update scheduling tool.


Scheduled Maintenance
VMware schedules pre-defined maintenance windows to limit the potential impact on environment
availability. These standing windows are scheduled annually and published on the My Workspace ONE support
portal and in a publicly available KB article.

Routine Maintenance
Occasionally, it is necessary for VMware to perform maintenance that has the potential to impact the
availability of customer environments outside of scheduled maintenance windows, and VMware reserves the
right to do so. A minimum of five days’ advance notice is given for routine maintenance.

Emergency Maintenance
Emergency maintenance is defined as potentially impactful maintenance activity that must be executed
quickly due to an immediate, material threat to the security, performance, or availability of the Service
Offerings. Every attempt will be made to provide as much advance notice as possible, but notice depends on
the severity and critical nature of the emergency maintenance.

Customer Support Services


VMware’s Global Customer Support Services teams operate in a follow-the-sun model from locations in the
US, Costa Rica, Ireland, the UK, India, Japan, Australia, and Singapore, with local support in China. Each
center is staffed with engineers who have expertise in mobility and experience supporting real-world mobile
environments. Support is available in seventeen languages, and may be provided from other offices as the
support team expands to meet customer requirements.

Figure 8: Global Support Locations


Support Packages
VMware provides multiple support options designed to fit specific customer requirements. The following
support packages are available for Workspace ONE UEM:
• SaaS Basic Support – Weekday global support for SaaS products, 12x5 (SaaS Severity 1 issues 24x7)
• SaaS Production Support – Focused, 24-hour support for SaaS products, (SaaS Severity 1 issues 24x7)
• Success 360 – Priority access to Senior Engineers, Account Management, and advanced Skyline features,
24x7

For the most up-to-date support offerings, please refer to the VMware Customer Support Offerings page.
Existing support customers can leverage the My Workspace ONE support portal. Please visit the Cloud
Service Support Policies page for additional information.

VMware U.S. Export/Re-Export Laws and Regulations


VMware, Inc. is committed to complying with all applicable U.S. export/re-export laws and regulations. We
observe applicable restrictions on the export and re-export of our products, services, or technical data.
If you are exporting or re-exporting VMware products, services, or technical data, U.S. export control applies
to you, and you are required to ascertain your compliance obligations. Please contact the VMware Trade
Compliance Legal Team with any questions regarding export compliance for our products, services, or
technical data at export@vmware.com.
Additional information on VMware’s Export Control Policies can be found on vmware.com:
• VMware Product Export Control Classification List
• VMware Bundle Product Export Control Classification List

Export Restrictions
The U.S. Departments of Commerce, Treasury, and State administer and maintain exclusion lists. VMware
does not ship products to any entity or individual, whether in the U.S. or abroad, specified on these lists:
• U.S. Department of Commerce Denied Persons List
• U.S. Department of Commerce Entity List
• U.S. Department of Commerce Unverified List
• U.S. Department of Treasury Specially Designated Nationals List
• U.S. Department of State Debarred List
• U.S. Department of State Nonproliferation Sanctions


Appendix - Microservices
Workspace ONE extends core platform functionality through optional microservices which communicate with
the Workspace ONE UEM application via secure APIs over HTTPS/TLS. Microservices environments are also
governed by VMware information security policies outlined throughout this whitepaper.

Email Notification Service (ENS)


Overview
ENS is an optional feature that adds notification support for Exchange server email integration on end user
devices through Exchange Web Services (EWS) subscriptions. Please refer to the ENS Administrative Guide
on VMware Docs for additional information regarding service features, functionality, and configuration
requirements.
Service Architecture
ENS is a multi-tier application deployed in AWS Regions globally; current locations are the US, Germany, the
UK, and Japan.
ENS uses a highly available distributed DNS service as well as automated capacity and load balancing services
to support service reliability. Database instances are hosted in private subnets to which only the other ENS
subnets have access. Database backups are taken daily; API tokens and other non-transient customer
configuration data are backed up multiple times daily. In the event of a data failure, the application is
architected to self-heal through client re-subscription with ENS.
Application Data Management
Data Collection
The service stores a list of device details (see below) and public/private key pairs, which are used to decrypt
credentials when notifications are sent from Exchange. ENS does not store any emails or email content.
ENS databases store the following information:
• ENS assigned public/private keypairs
• Hashed email ID
• Device ID
• Certificate data
• APNS token
• Exchange Web Services (EWS) URL
• Subscription ID
Only partial certificate data is stored in the ENS database due to callback URL length limitations. Full
certificates are reconstructed from the partial certificate data stored in the ENS database and from the
certificate information provided in the callback URL.
ENS and EWS Subscription Credentials
ENS uses individual user accounts for authentication and for subscribing to push notifications with Exchange;
ENS does not require an Exchange server service account. End user devices store and manage the EWS
subscription user credentials.
Upon registration with ENS, each device is assigned a unique public/private keypair used to securely
communicate credentials to ENS. Encrypted credentials and the UserID are passed to ENS through callback URL
parameters. ENS decrypts the credentials contained in the webhook parameters using the corresponding private
key and then syncs with Exchange to retrieve email header details. The ENS endpoint discards the credentials
once the call to the EWS endpoint has been made.
• EWS subscription credentials are not stored within the hosted ENS environment.


• For enhanced security, ENS also supports Certificate Based Authentication (CBA) and OAuth on EWS.
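The credential hand-off described above, as an added example written for this page and not ENS's own code: a simulated ENS that issues a per-device RSA keypair at registration, a device that encrypts its EWS credential under that public key and places only the ciphertext in the callback URL, and an ENS handler that decrypts with the device's private key, passes the plaintext to a stand-in for the EWS subscription call, and zeroes it before returning. The whitepaper names no algorithm, endpoint or parameter names; RSA-OAEP with SHA-256, the deviceId/userId/creds query parameters, the ens.example.invalid URL and the oaepLabel value are all assumptions made here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// oaepLabel (assumed value) binds ciphertexts to this use of the key.
var oaepLabel = []byte("ens-ews-credential")

// ensService is the simulated ENS. It keeps only each device's keypair;
// there is deliberately no place to store EWS credentials.
type ensService struct{ keys map[string]*rsa.PrivateKey }

func newENS() *ensService { return &ensService{keys: map[string]*rsa.PrivateKey{}} }

// Register mints a unique keypair for the device and hands back the public half.
func (e *ensService) Register(deviceID string) (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	e.keys[deviceID] = priv
	return &priv.PublicKey, nil
}

// BuildCallbackURL is the device side. Only ciphertext enters the query string.
// The parameter names deviceId/userId/creds are assumptions, not ENS's real ones.
func BuildCallbackURL(base, deviceID, userID, ewsCred string, pub *rsa.PublicKey) (string, error) {
	// RSA-OAEP carries at most k - 2*hLen - 2 bytes (190 for RSA-2048/SHA-256).
	if limit := pub.Size() - 2*sha256.Size - 2; len(ewsCred) > limit {
		return "", fmt.Errorf("credential of %d bytes exceeds OAEP limit of %d", len(ewsCred), limit)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(ewsCred), oaepLabel)
	if err != nil {
		return "", err
	}
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("deviceId", deviceID)
	q.Set("userId", userID)
	q.Set("creds", base64.RawURLEncoding.EncodeToString(ct))
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// HandleCallback is the ENS side: find the device's private key, decrypt, hand the
// plaintext to ews (a stand-in for the EWS call that must not retain cred), then zero it.
func (e *ensService) HandleCallback(rawURL string, ews func(userID string, cred []byte) error) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	q := u.Query()
	priv, ok := e.keys[q.Get("deviceId")]
	if !ok {
		return errors.New("callback from unregistered device")
	}
	ct, err := base64.RawURLEncoding.DecodeString(q.Get("creds"))
	if err != nil {
		return err
	}
	// A ciphertext made under another device's key fails OAEP verification here.
	cred, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, oaepLabel)
	if err != nil {
		return fmt.Errorf("credential decrypt failed: %w", err)
	}
	defer func() {
		for i := range cred {
			cred[i] = 0
		}
	}()
	return ews(q.Get("userId"), cred)
}

func main() {
	ens := newENS()
	pub, err := ens.Register("dev-1")
	if err != nil {
		panic(err)
	}
	// Constructed sample credential for the demonstration.
	cb, err := BuildCallbackURL("https://ens.example.invalid/callback", "dev-1", "alice", "alice:Pa55w0rd!", pub)
	if err != nil {
		panic(err)
	}
	fmt.Println("callback carries ciphertext only:", cb)
	err = ens.HandleCallback(cb, func(userID string, cred []byte) error {
		fmt.Printf("EWS subscribe as %s with a %d-byte credential, then discard\n", userID, len(cred))
		return nil
	})
	if err != nil {
		panic(err)
	}
}
```

Two checks a practitioner would want are built in: an oversize credential is refused rather than truncated, and a ciphertext redirected at another device's key fails OAEP verification instead of decrypting to garbage. Because the ciphertext travels in a query string it can still land in proxy and web server logs; that is tolerable only because it is ciphertext bound to a key that ENS alone holds, and it is one reason the plaintext is never written down on the ENS side.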
Segmentation
ENS segments customer data at the application layer using unique identifiers.
Data in Transmission
Data transmitted to and from ENS is encrypted in transit over the public Internet via HTTPS/TLS. Exchange
credentials are transmitted to the service in an encrypted payload which ENS decrypts in order to retrieve
email details from Exchange.

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 vmware.com Copyright © 2022 VMware, Inc.
All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents
listed at vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. and its subsidiaries in the United States and other jurisdictions.
All other marks and names mentioned herein may be trademarks of their respective companies.
