Tuesday, October 7, 2025

Reaching Higher Ground: Windows Modern Management Through Omnissa's Workspace ONE

Workspace ONE, formerly called AirWatch, has supported Windows modern management for over a decade. Its early support focused on the built-in MDM capabilities of Windows but then expanded over the years through agent-based enhancements. In parallel, more advanced cloud-based functionality was introduced as Workspace ONE evolved into the Omnissa platform. Reviewing this history of improvements provides valuable context for recent Omnissa announcements regarding AI, Vulnerability Defense and Next-gen Windows management.



Initial Workspace ONE (WS1) modern management capabilities focused on the OMA-DM client and Microsoft's Configuration Service Providers (CSPs), APIs developed for the purpose of modern management. Over the years, WS1 proprietary agent-based functionality was added to enhance configuration, management and reporting. Along with extending control over endpoints, some enhancements have lent themselves to advanced workflows through Freestyle Orchestrator. These workflows are driven from the cloud through Omnissa Intelligence and a modern back-end architecture now referred to as Modern SaaS. Arguably, Workspace ONE Windows modern management today is the culmination of over 15 years of development and support.



A brief review of this history goes a long way towards explaining the how, what and why behind recent AI and Next-gen Windows management announcements at Omnissa ONE 2025. Developments in WS1 modern management over the years are the building blocks for the Omnissa AI agentic service and its first use case, Workspace ONE Vulnerability Defense. So a review of Workspace ONE modern management milestones elucidates the future of an AI-driven workspace while also shedding light on the path forward for Next-gen Windows management.


Parlaying AirWatch Success Into Modern Management

A cloud-based service capable of managing Windows devices anywhere in the world is foundational to modern management. AirWatch had been perfecting this model for half a decade by the time Windows 10 was released. To support iOS and Android devices, AirWatch leveraged the cloud messaging services and APIs their respective manufacturers had purpose-built for mobile device management. Windows modern management would trace a similar path, with Microsoft offering up the Windows Notification Service (WNS) and Configuration Service Providers (CSPs) for Windows. Accordingly, Windows modern management was a natural pivot for AirWatch, a parlay of previous success with iOS and Android management.


Expertise in delivering this SaaS based model shows through best-in-class administration consoles and processes, features that may not shine brightly in a boardroom but mean the world to folks actually in the trenches. Fast and responsive APIs, smart groups for device targeting, and support for multi-tenancy immediately set Workspace ONE apart from other modern management solutions, as they still do today.  Most notably, there's 15 years of experience supporting large scale customers with a SaaS based solution that needs constant updating to keep up with the demands of new devices and new features.   Heck, this model is so mature Omnissa had to modernize the back end services to keep up with demands of scale and speed, leading to what's now called Modern SaaS.  This transition wasn't easy, but necessary for growth that now sets Workspace ONE further apart from its competitors. 


Agent-Based Enhancements To Modern Management

CSPs and the OMA-DM client used to implement them were the starting point for WS1 modern management, accounting for most of the built-in Windows profile payloads offered through the WS1 console today. They’re an obvious way to handle table stakes administration for mobile Windows devices, such as configuring Wi-Fi, firewalls, anti-virus, Windows updates, etc.



Though these CSP-based payloads are still widely used by customers today, over the last decade WS1 has expanded its modern management functionality through the Intelligent Hub agent or other tightly integrated Omnissa agents. Many of these features extend a WS1 admin's control over the system state of these devices. The Software Deployment Agent, SFDAgent (2018), has helped overcome limitations with CSP-based app deployments, and Baselines (2019) addressed CSP limitations for porting traditional AD GPOs to modern management. An Integration Mode for Dynamic Environment Manager (2022) has opened the door to radical control over the user and application profile settings, while the Freestyle Orchestrator Scripts (2022) feature has simplified the use of PowerShell for both system and profile configuration.



Other agent-based features have increased security and simplified support. BitLocker management (2017) dramatically simplified support of encryption, while Workspace ONE Tunnel for Windows Desktop (2021) enables Zero Trust architecture through a policy-controlled Per-App or Full Device VPN. Particularly helpful for support has been WS1 Assist for Windows 10 (2019), enabling admins to remotely view, control and reconfigure managed Windows devices in real time directly from the WS1 console.



In terms of monitoring and reporting, two major milestones are the release of Sensors (2019) and Workspace ONE Experience Management (2020). Upon their initial release, Sensors enabled customers to customize the collection of attributes from managed devices by running PowerShell scripts on the endpoint and uploading the results into Intelligence. While Sensors provided some awesome reporting extensibility, Workspace ONE Experience Management really took monitoring to the next level. In the past referred to as DEEM or, more generally, our DEX solution, Workspace ONE Experience Management focuses on KPIs that reflect the health of a Windows device and the applications it runs. This telemetry, along with employee surveys, is aggregated within the Intelligence data lake for analysis and rich reporting.



Most notably, the data collected from both Sensors and WS1 Experience Management can be used to trigger advanced Freestyle Orchestrator workflows from WS1 UEM or Intelligence.

Advanced Sequencing And Workflows

For advanced sequencing and workflows there are two flavors of Freestyle Orchestrator, one accessed directly within WS1 UEM and another configured within Omnissa Intelligence. Both provide an intuitive, low-code/no-code, drag-and-drop interface for developing complex orchestration. The main differences are the breadth of actions and the data set used to inform decision logic. Freestyle Orchestrator for UEM is squarely focused on the endpoint itself, providing complex app sequencing, device on-boarding and desired state management. Initial targeting is through smart groups, with actions fine-tuned based on applications, files, registry settings or Sensor attributes detected on the device. Accordingly, apps, profiles or scripts are delivered to the device using if-then-else logic.

Freestyle Orchestrator for Intelligence is triggered by a broader dataset from within the Intelligence data lake, including extensive WS1 UEM reporting, DEX and Sensors. The actions triggered are much broader in scope as well, including extensive automation across the WS1 UEM environment as well as 3rd party integrations with solutions like ServiceNow. Against the WS1 UEM environment there are some 30 different actions to choose from, including device tagging, app installs and organization group device migrations. For 3rd party solutions, actions are made available through Workflow Connectors that execute REST API calls according to a solution's API options.



The range of actions available through these Workflow Connectors is largely dependent on the richness of the REST APIs a 3rd party solution makes available. For example, ServiceNow offers a very rich and extensive set of APIs, so all sorts of actions and integrations are possible. In the demo below, Incident tickets are created in ServiceNow using a custom Workflow Connector. Since it's an Intelligence-based Freestyle Workflow, it could get triggered by any information within the Intelligence data lake, including experience management analytics. In this demo, automation is driven by a PowerShell-based Sensor that reports to Intelligence about the amount of free space on the endpoint device. When the device's storage falls below a specific threshold, calls are made to both ServiceNow and Teams, along with a call to WS1 that applies a TAG to the device.
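A Sensor of the kind this demo relies on, as an added example that is not taken from the demo or from Omnissa: a PowerShell script that reports free space on the system drive in whole GB. The function name, the GB unit, an Integer response type and the choice to fail the run instead of reporting 0 when collection breaks are all assumptions.

```powershell
# Added example (hypothetical names): Sensor body reporting free space on the
# system drive in whole GB. Assumes the Sensor is configured to return an integer.

function Get-SystemDriveFreeGB {
    param(
        [string]$Drive = $env:SystemDrive   # normally "C:"
    )

    # -ErrorAction Stop turns WMI/CIM failures into exceptions we can catch below.
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk `
                            -Filter "DeviceID='$Drive'" `
                            -ErrorAction Stop

    # A filter that matches nothing returns $null without raising an error.
    if ($null -eq $disk -or $null -eq $disk.FreeSpace) {
        throw "No free-space data returned for drive $Drive"
    }

    # FreeSpace is reported in bytes. Round down so the value never overstates
    # the headroom that a threshold rule will be compared against.
    return [int64][math]::Floor($disk.FreeSpace / 1GB)
}

try {
    # The single value written to the output stream is what the Sensor reports.
    Write-Output (Get-SystemDriveFreeGB)
}
catch {
    # Do not emit 0 or -1 on failure: a low-disk workflow keyed on
    # "free space below threshold" would treat that as a real reading and
    # open tickets or tag the device for a disk that was never measured.
    Write-Error $_.Exception.Message
    exit 1
}
```

Because the reported number feeds automation that opens tickets and tags devices, the failure path matters as much as the measurement: a sentinel value that happens to sit below the threshold would trigger the workflow on every device where collection fails.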


Arguably, Freestyle Orchestrator for UEM was developed to enable WS1 to compete with traditional PCLM solutions when it comes to endpoint provisioning or complex application packaging.  However, Freestyle Orchestrator for Intelligence takes things to the next level, enabling automation capabilities that move beyond traditional desktop management.  The capabilities of these two flavors of Freestyle Orchestrator can blend to collectively enable ruthless automation across managed devices and the 3rd party services used to support them.  These workflow capabilities are the building blocks for the AI driven autonomous workspace vision presented at the Omnissa ONE conference this September.  In this future Freestyle Orchestrator workflows could be automatically created and driven by Omnissa AI agentic services. 


AI Enhancements 

The imminent GA of the Omni AI assistant was a major announcement at Omnissa ONE this year. It's a generative AI offering that provides "natural-language interactions for your data, documentation, and scripting needs." First and foremost, Omni allows admins to explore Workspace ONE data using a natural language processor. You can ask it a question like, "How many Windows devices are currently enrolled," and in response get automatically generated reports and dashboards. You could even go on to manually target your Freestyle workflows based on these generated dashboards. In addition, Omni will offer advanced search capabilities and suggestions based on the Omnissa knowledge base. Finally, Omni can generate PowerShell scripts on behalf of the customer. These scripts can be used as Sensors for collecting data from endpoints or for pushing out system state changes through the Scripts capabilities of Freestyle Orchestrator. Here's a demonstration of the Omni AI assistant:


Omnissa AI agentic services, also announced at Omnissa ONE this year, will build off the generative AI capabilities of Omni to deliver agentic workflows using Freestyle Orchestrator. It's a major step towards the vision of an autonomous workspace that's "self-configuring, self-healing and self securing." This service will be made up of "prebuilt and customizable agents that stitch data, signals, and automations into end-to-end workflows." Its first planned use case as part of Workspace ONE Vulnerability Defense adds some useful color. When a vulnerability is detected through this new CrowdStrike integrated security solution, the Omni AI agentic service will automate remediation, creating and executing a Freestyle workflow and even phasing out the deployment through rings. Historically, workflows from Intelligence have been manually configured by admins and then triggered by Intelligence data or Experience Management analytics. Now, through the Omnissa AI agentic service, generative AI will drive Freestyle Orchestrator automation to complete complex tasks.



Considering the Omnissa AI innovations already in place and the stages of AI growth planned, it makes sense that Omnissa is beginning to nibble on this fourth stage of AI adoption. While Omnissa has been dipping its toe into AI since the initial release of Intelligence, more immediate examples have been Insights and the Guided Root Cause Analysis (RCA) features of Workspace ONE Experience Management. These solutions leveraged machine learning to detect anomalous trends and predict statistically significant root causes for some of these trends. With the release of Omni we're beginning the adoption of generative AI that will eventually drive our core Workspace ONE capabilities through AI agentic services.


Next-gen Windows Management

Another major announcement at Omnissa ONE was the planned release of Next-gen Windows management. This update will allow Workspace ONE to run side by side with MECM, as well as other modern management solutions such as Intune. Since an update made by Microsoft in 2019, WS1 hasn't been able to run side by side with SCCM/MECM. This update "introduced a new mode called co-existence which automatically disables SCCM functionality such as application distribution, compliance rules, software updates, and many other workloads for devices that are enrolled into MDM management solutions like Workspace ONE UEM." In a nutshell, Intune was allowed to run side by side with SCCM, a strategy called co-management, while other modern management solutions were locked out. Next-gen Windows management is poised to circumvent this challenge by shifting away from reliance on OMA-DM and CSPs.



As we've detailed throughout this article, agent-based improvements have laid the groundwork for a shift away from the OMA-DM client. Over the years more and more functionality has been introduced through the Hub agent and other tightly integrated Omnissa agents. While there’s not a lot of publicly available information about Next-gen Windows management, the known progress Omnissa has had with Windows Server management certainly offers some clues. Windows servers don't have modern management capabilities built into them like the desktop OS, so success with the Windows Server management beta release has progressed independent of OMA-DM and CSPs.


With the beta release for Windows Server, features like Experience Management, Intelligence and Assist have been supported. This aligns with the fact that these capabilities have been delivered through Intelligent Hub or other Omnissa agents. As far as support for profiles goes, Windows Server management for WS1 leans on a new feature called Windows Administrative Template (ADMX) Profiles, an alternative that leverages Intelligent Hub to apply ADMX settings more aligned with traditional AD GPO settings. It's hard not to speculate that Next-gen Windows management will follow a similar path. More information on how Next-gen Windows management will work should come out in November.


Reaching Higher Ground

The dust has yet to settle from these recent Omnissa ONE announcements and additional clarity should come out over the next months. In the meantime reviewing the history of Workspace ONE's modern management solution offers much food for thought. What Omnissa AI will do for Workspace ONE Vulnerability Defense tomorrow has everything to do with advancements in WS1 modern management made over the last decade.  Over time more and more WS1 proprietary functionality has been introduced to address deficits in the native modern management capabilities of the Windows OS.  AI will drive much of this functionality as WS1 customers shift to an autonomous workspace.  Further, this functionality looks to be foundational to Next-gen Windows management, though exact details are still forthcoming. 


Ten years ago, arguments for a shift to SaaS-based modern management focused on hardware savings and faster time to value. While these indeed are real advantages, the benefits don't stop there. Simply put, cloud adoption opens doors to processes and capabilities that just aren't practical or within reach for an on-premises model. In the case of Workspace ONE, Freestyle Orchestrator isn't even an option for on-premises deployments, and don't even think about AI. These are just two examples of what's possible today through the cloud-based Omnissa platform. SaaS synergies are paying off. We have reached higher ground, and the views are gorgeous.
