
Upgrade the Workspace ONE Access Connector to 22.09

After the update of Workspace ONE Access went fine (you can check the post here), now it’s time to upgrade the existing VMware Workspace ONE Access connector installation to version 22.09 to get the latest features, security updates, and resolved issues.

The Supported Upgrade Paths are:
– 22.05
– 20.10.x
– 20.01.x

In this guide and my Lab I am performing an upgrade from Version 21.08. to the latest 22.09. one!

First, download the Workspace ONE Access Connector software from the VMware Customer Connect portal and copy the file to the server where the connector is currently installed.

Start the Workspace ONE Access Connector installer.

You will receive a notification that an older version of the Workspace ONE Access Connector is already installed and that an upgrade will be performed. Just click OK here.

The installer backs up the old version. This can take some time, so be patient here.

Accept the License Agreement and press the Next button.

Depending on your use cases, you can decide which services you want to install. In my example I am hosting all services on this Connector Server. Just press Next to continue!

Important Considerations about the es-config.json file!
If you are upgrading from version 21.08.x or 22.05, and you generated an es-config.json configuration file after the Workspace ONE Access 21.08 release or September 2021 Cloud release, you do not need to generate a new es-config.json file.

To generate a new file, in the Workspace ONE Access console, go to Integrations > Connectors, click New, and create a new file on the Download Configuration File page of the wizard.

Just browse to the file location, paste the password and press the Next button.

Here you can decide if you execute the Default or Custom upgrade, in my example I’ll keep it simple and select the Default one.

As I have the Kerberos Service already installed and also selected it during the upgrade, I need to paste the password for this service account here.

A quick Summary and then we are ready to install the upgrade.

Installer starts..

…and is installing one service after the other. This can take some minutes, so just relax and drink a cup of coffee. 🙂

If everything has worked, we should receive the following message. Just press Finish here and restart the Connector Server.

Checking the Windows Services, everything looks good: all of my installed services are up and running.

Now it’s time to log in to the Workspace ONE Access Console and check the Connector there!
And here too all services are healthy and running! 🙂

As a last test I’ve also checked the login with an Active Directory User and everything worked fine, so from my point of view the update was successful!!


Let’s upgrade to Workspace ONE Access 22.09

Here we go Workspace ONE Access is GA!
There are many new features and improvements that can be read here..

In this Blog I would like to cover the Online Upgrade from Workspace ONE Access to

Although we perform an online update, the following additional steps are required!
Log in to the VMware Customer Connect portal and navigate to the VMware Workspace ONE Access (VIDM) Download page.

Navigate to the update-fix.tgz section and download the file to your local client.

All important steps and a short guide can be found under the Read More section

Let’s check the appliance Version via the command line and you see that my appliance is running on version

Then let’s start with the update 🙂
First we need to upload the update-fix.tgz to your Workspace ONE Access Appliance!
This can be easily done with a tool like WinSCP 🙂

After we’ve uploaded the file, we need to extract it.
This can be done on the Appliance itself via the following command and should look like this.

If this was successful, we now need to replace the file configureupdate.hzn under /usr/local/horizon/update/configureupdate.hzn.
The command for this task is the following one:

The last step before the Update can start is to update the permission as below:

Check if an Online Update is available:

If yes you can start the Online Update:

It will take some minutes and you should see the following progress screen:

After a few minutes and if the update went fine you should see the following output and then you can just reboot the Workspace ONE Access appliance:

When the Workspace ONE Access appliance is up and running again we should see the following screen:

In addition to this we can check the version again via the command line 🙂

If we now log in via the Web Console

we then see the Redesigned Workspace ONE Access Navigation

So happy updating and enjoy the new features and enhancements!

Workspace ONE Intelligent Hub for Linux

The latest VMware Workspace ONE Intelligent Hub for Linux 22.06 brings some cool and interesting features like:

  • Web Enrollment
  • Application Sampling
  • Disk Encryption Detection
  • Additional Sensor Triggers
  • Remove Additional Dependencies on Puppet

The Minimum Requirements are:
– Workspace ONE UEM 2206 running in a Shared SaaS environment, or
– A Dedicated SaaS environment running Workspace ONE UEM 2206 of WS1 UEM that is enabled with the new Control Plane
Please note: Workspace ONE UEM for Linux is not currently available for on-premise installations.

In this Blog I would like to focus on the Web Enrollment feature on an Ubuntu 22.04.01 and what the steps look like.

Start the Browser and type in your Group ID

As I have Workspace ONE Access as the source of Authentication configured I will be redirected and need to paste my credentials. (Username and password)

Type in your username
Type here your password

Here you need to select your Linux Agent Install Package and press Next afterwards.
As you see on the screen a pre-selected installation package is ready based on your Linux OS.

When the download is successfully completed, it is mandatory to close the browser.

Now open a Terminal Window and start the installation process of the Workspace ONE Intelligent Hub.

Type here your sudo password!

Here you need to press ‘Y’ to install additional package (puppet-agent)

Here you see that puppet was successfully installed and the Workspace ONE Intelligent Hub enrollment completed successfully 🙂

Switching to the Workspace ONE UEM Console we see the newly enrolled Linux Device

Checking the Device Summary we can see that my Linux Device has the Disk Encryption Detection enabled and configured.

Really interesting and useful features and improvements from my point of view. I am curious how the Linux journey continues.

Workspace ONE Access goes Time-based One-Time Password (TOTP)

Workspace ONE Access Cloud now supports a new authentication method ‘Authenticator App’ to enhance its native MFA capabilities.
This MFA is ideal for users with unmanaged devices, can be used offline, and requires no collection of personal identifying information (PII).
Users can leverage any authenticator app of their choice–such as Google Authenticator, Microsoft Authenticator, Okta Verify, Authy, 1Password–that follows the time-based one-time passcode (TOTP) standards as defined in RFC 6238 on their own device.
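
As an added example (not code from the original post or from VMware), the following Python shows how an RFC 6238 code is derived and how a server-side verifier can tolerate clock skew, reject a replayed code and stop accepting attempts after repeated failures. The 30-second step, six digits, the `TotpVerifier` class and its `max_failures` limit are assumptions for illustration, not documented Workspace ONE Access settings.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length most authenticator apps display

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, now: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(key, int(now) // STEP, digits)

class TotpVerifier:
    """Per-user verifier state (hypothetical class, not a Workspace ONE API)."""

    def __init__(self, key: bytes, window: int = 1, max_failures: int = 3):
        self.key = key
        self.window = window              # time steps of clock skew tolerated each way
        self.max_failures = max_failures  # assumed analogue of a retry limit
        self.failures = 0
        self.last_counter = -1            # highest time step already consumed

    def verify(self, submitted: str, now: float) -> bool:
        if self.failures >= self.max_failures:
            return False                  # locked until an administrator resets
        current = int(now) // STEP
        matched = None
        for counter in range(max(0, current - self.window), current + self.window + 1):
            expected = hotp(self.key, counter).encode()
            # Constant-time comparison; skip steps that were already used (replay).
            if hmac.compare_digest(expected, submitted.encode()) and counter > self.last_counter:
                matched = counter
        if matched is None:
            self.failures += 1
            return False
        self.last_counter = matched
        self.failures = 0
        return True

# Constructed sample input: the published RFC 6238 SHA-1 test key, not a real secret.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(RFC_KEY)
    code = totp(RFC_KEY, 59)
    # First use succeeds; the same code one second later is rejected as a replay.
    print(code, v.verify(code, 59), v.verify(code, 60))
```

Because the shared secret and the clock are the only inputs, the code can be generated offline on the user's device, which is the property the paragraph above relies on.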

Now let’s have a look on the Workspace ONE Access Console and how to set this up.
Another great Release is the Redesigned Workspace ONE Access Navigation 🙂

With a new toggle at the header in the console we can switch to the redesigned console and also switch back for easy comparison.

Setting up the new Authenticator App feature is quite easy. We just need to navigate to Integrations, then Authentication Methods, and then we see the new Authenticator App method on the right side.

Just click on it, and press Configure on the next screen

Here we just need to enable the Authenticator Adapter Authentication and set the options like Number of re-tries and a custom text for registration based on our needs.

If this is done, we need to enable this new auth method in the Identity Provider section, this can be found also within the Integrations section, then just click on the Identity Providers menu and open up the Identity Provider where you want to enable this feature.

In my example we need to enable the Authenticator App auth methods in the System Identity Provider.

Then just press Save to submit the settings and make this auth method available.

In the next part we need to adjust the Access Policy based on our needs and of course the Use-Case we want to adapt.
The policies menu is now located in the Resources section, after navigating to it just press the Policies button to get started.

In my first example I am adjusting the default_access_policy and want to use the new Authenticator app authentication Method as an additional auth factor.

For sure we can also create a dedicated Policy and configure the new Authenticator App there.

In this example we have a new Policy called TOTP, and this applies to the Workspace ONE UEM application.

And within the Policy Rule we can then assign e.g. the new Authenticator App auth method.

Within the Accounts, User and then Two-Factor Authentication section we can see that the user already registered an Auth App.

This new authentication method is great and an additional option to implement interesting and additional Use-Cases. Check also the latest Release Notes here!

Check out my LinkedIn Post and watch how it is looking like and enjoy testing and implementing! 🙂

VMware Tunnel for Standalone enrollment

VMware has released new versions of the Tunnel application for Windows and macOS.
The VMware Workspace ONE Tunnel 3.0 for Windows and VMware Workspace ONE Tunnel 22.05 for macOS now support Standalone Enrollment without Workspace ONE Intelligent Hub or any device management.

The Minimum Requirements are:

  • macOS version 11 or later
  • Windows 10 or later
  • Workspace ONE UEM Console 2203 or later

Now let’s walk through what the configuration and the enrollment on the client side look like.

We must allow enrollment for Boxer / Content / Web at the specific OG. This can be done by navigating to Groups and Settings –> All Settings –> Content –> Applications –> Workspace ONE Content App. Here we need to select Disabled for the ‘Block Enrollment via Content, Boxer, and Web’ setting.

Then we need to create a new Tunnel profile within the Workspace ONE console.
Here we navigate to: Groups and Settings –> All Settings –> System –> Enterprise Integration –> VMware Tunnel.
On the right side we will find a new section where we can configure the NEW Tunnel Profiles.

Just press Create here to start creating a new Profile.

Select the Platform you want to create a profile for (Windows or macOS)

Give a Connection Name, select an existing Device Traffic Rule you want to use for this profile and for your Use Case, and then press Save.

A Tunnel Profile for Windows could look like this 🙂

Depending on how many Profiles and which Platform we are using, the overview could look like this, and we can also edit them afterwards.

Now let’s have a look at what the installation on a Windows device looks like.
Launch the VMware Workspace ONE Tunnel 3.0 after downloading it from the Workspace ONE Resources Portal.

After the application was successfully installed, restart your device, open up the Tunnel App and press the Next button to start the enrollment.

Press the I agree button here.

Here we need to type in our Workspace ONE UEM Enrollment URL

Then we need to fill in the right Group ID.

If WORKSPACE ONE UEM is our Source of Authentication we need to fill in our Username and Password here.

But if WORKSPACE ONE ACCESS is your Source of Authentication, you will be redirected and then need to type in your username and password in this way.

After a successful authentication the Configuration is downloaded.

And if everything worked fine and was configured the right way, we should see the following screen with a successful enrollment. 🙂

This is what the device looks like within the Workspace ONE UEM console.

More information can be found in this KB-Article and as always happy testing and implementing your Use-Cases.
And here you also find a short video of what a basic enrollment looks like! 🙂

VMware SASE – VMware Secure Access

In this blog I would like to provide step-by-step instructions for setting up a basic VMware Secure Access tunnel.
With Secure Access we ensure all users have secure access to cloud and data center hosted applications through a global network of service nodes with VMware SD-WAN and Workspace ONE.

Now I would like to guide you through the process of configuring and setting up Secure Access. We will first start with the configuration on the Workspace ONE UEM Console.

We need to navigate to Groups & Settings > Configurations, then scroll down to Tunnel.
 Here we need to enter a Hostname in the format where XXX is assigned by you. For example, “”.
The domain suffix must be “” and system will validate that the hostname is unique since it is a DNS name. 

We need to remember this hostname as it will be entered in the VMware Secure Access Provisioning process in the next section. 
Enter Port number 443 to use for the tunnel traffic and Click Save then.

We now need to switch to the Cloud Orchestrator, where we can access the new UI directly.

Once logged in, from the SD-WAN drop-down menu we need to select Secure Access.

From the Secure Access screen, select New Service. 

Now we need to configure the Workspace ONE UEM details

DNS NAME: This is the “Hostname” of the Tunnel Server that is created for the UEM Tunnel. Enter the hostname (for example, “myecorp”).
The domain name is a VMware hosted domain (
Workspace ONE UEM API URL: You can find this one in the Workspace ONE UEM console.
In my example it is!

Workspace ONE UEM ORG Group ID: Here we need to enter the Group ID. We can see it when we mouse over the name of our “Organization Group” at the top left of the Workspace ONE UEM page.

Workspace ONE UEM Credentials: Enter the admin username and password you use to access the UEM console. We can create a separate admin user with the “Console Administrator” role for this use.

If we have entered all values we need to select Check and an API call will be made to the Workspace ONE server to validate the details entered. 

Any validation errors will be shown on the screen. If there are errors, we need to make any necessary changes, then select Check again.
Once the validation is successful, we need to select the Next button. 

In the next screen we need to enter the Enterprise and Network Settings.

Enterprise DNS server: Select Google or OpenDNS from the drop-down menu.
Enterprise SD-WAN segment: Use the Default “Global Segment” (only one secure access service/ tunnel service can be configured per segment).
Enterprise IP Ranges: We need to enter a range that is unique across the entire enterprise using this service.
Subnet Bits: Number of bits used for subnetting the supernet.

If this was done successfully we need to select the PoP locations.

As we also want to use Cloud Web Security with this tunnel, we choose the Cloud Web Security Policy created in my previous blog.

The final step is to enter a Name (can be a name of your choice), Description and Tags, and then we need to click Finish.

Now the Secure Access service will be deployed!
This may take a few minutes as the Tunnel server is brought online and connectivity is established to the SASE POPs. The deployment status will show “In Progress”.

We can Refresh the screen to check the status and once the Tunnel server is established, the deployment status should show “Completed”

And the selected POPs are online and available.

In the next blog we will take a look at the other required settings (Profile, Application) on the Workspace ONE UEM side.

VMware SASE – VMware Cloud Web Security

In this blog I would like to cover Cloud Web Security (CWS), a service of VMware SASE (Secure Access Service Edge) that protects users and infrastructure when these users access web applications.
CWS is a cloud hosted service delivered using a global network of SASE PoPs (Points-of-Presence) closer to the user.

Now I would like to guide you through the process of creating and configuring a VMware Cloud Web Security.
We can create Security policies on the New UI of the VMware SD-WAN Orchestrator, that provides centralized, enterprise-wide installation, configuration, and real time monitoring, in addition to orchestrating the data flow through the cloud network.

We can access the new UI via this option here.

Once logged in to the New UI, from the SD-WAN drop-down menu we need to select Cloud Web Security.

On the CWS page within the Configure Section we can start creating the new Security Policy.

We can name the policy as we like and it can be created then.

This one should appear then on the Security Policies overview.

After we’ve opened the new Security Policy the first menu section covers the SSL Inspection.
When using Cloud Web Security, the SSL Inspection feature ensures that all traffic is SSL decrypted and then inspected by default.

Some traffic can be disrupted by having a “man in the middle” in its path, which is how SSL Inspection works. To ensure Cloud Web Security does not break these kinds of traffic, we can configure exceptions to this default SSL Inspection rule, which would allow the traffic to bypass SSL Inspection.
This page contains lists of domains for which configuring a bypass rule is recommended to ensure SSL Inspection does not break traffic to these domains.

In the following screenshots we can see how to configure SSL inspection, based on a Domain.

In the last step we can Review our BYPASS-RULE and finish the configuration, and the new SSL Inspection should then be in place.

Within the last part of our Security Policy configuration, we will focus on the URL Filtering, the first line of defense for users accessing the Internet.
With the URL Filtering we can block known security threats and restrict access to Websites based on company policies. 

By pressing the ADD RULE button we will start creating the new URL Filtering Rule.
In this example we are selecting the Website Categories selection.

This configuration should apply to all users and groups and the Categories that we will choose in our example is Social Network.

For sure we can select multiple Categories here, but we will go forward with this one.
In the Action section we can configure how we will deal with the URL Filtering part, here in our example we will choose BLOCK as Action.

In the last step, we just need to label the Rule Name and press the Finish button

If the newly created Security Policy is visible in our overview, we first need to publish it before it can be used in the next configuration steps and consumed by the users with their devices.

Press Yes to publish it finally.

Here we can see that it was successfully published and we are ready for the next steps.

In the next Blog I will cover the process how to configure Secure Access and interconnect this one with Workspace ONE UEM and attach the Security Policy to this configuration.
So stay tuned 🙂

VMware Anywhere Workspace Blog series

Part of my job at VMware as an EUC Senior Solution Engineer is supporting our customers and partners on their Digital Workspace Journey to a Modern Workplace.
And as I so often say to my colleagues, we are driving the #AnywhereWorkspaceTruck 🙂

In the past years I gained a lot of experience and also took part in several Digital Workspace projects all around the globe.
Working with the customers and presenting and implementing the following products helped customers on the Digital Workspace Journey.

Workspace ONE Unified Endpoint Management (UEM) is one of the main members of the Workspace ONE family—it’s the software that manages device lifecycle and secures corporate data on devices.
Workspace ONE Access is another key member of the Workspace ONE family—the software that provides authentication, SaaS, Horizon application access, facilitates device enrollment and management, and more.
VMware Horizon allows IT departments to run virtual desktops and applications on-premises or cloud and remotely deliver these desktops and applications.

The results were satisfied customers, partners etc. as they got an amazing solution to fulfil their needs in several areas.

But wait… didn’t I say something about Anywhere Workspace…and now I am writing something about Digital Workspace??!!
Yes of course you are absolutely right 🙂
In the past and especially in the last 2 years a lot has happened and changed, especially the way we work today and in the future.

So for this reason I decided to start writing a Blog series about the Anywhere Workspace, the Logical Architecture and some nice Demos around it.

Unified Access Gateway Log Level Settings

One of the new and very useful features in the latest VMware Unified Access Gateway 2111.x release is the option to configure log level modes such as DEBUG and TRACE for individual components instead of globally for all components.

You can configure it via the Admin-Interface within the Support section and then Log Level Settings.

In the Log Level Settings you can specify the log level for the available components.

A possible configuration could therefore look like this 🙂

Hopefully we will also get the option to configure these log level settings for the other Edge Services like Tunnel, Content and Secure Email Gateway.