VMworld 2018 - Day 3


(Note: You can replay recorded sessions here)

Deep Dive Into What's New with Workspace ONE Unified Endpoint Management

Console changed, mobile UI changed. Using Clarity UI.

Workspace ONE UEM is the new name for the console. The AirWatch name is not as prominent.

Windows 10

Windows 10 is a full OS and more complicated to manage than Android or iOS.
Wizard to choose security baselines to lock down computers
Dell Factory Provisioning with Workspace ONE & apps already done. No charge.
Policy Builder for Custom Settings Profiles. Makes building the XML much easier

ServiceNow integration

Airlift moves SCCM info to Workspace ONE UEM

Apple Platforms

iOS & macOS

Remote view for iOS. View, not control.

DEP Skip Screens. DEP is the Device Enrollment Program; AirWatch can skip some of Apple's setup screens during DEP enrollment.

Moving away from Product Provisioning for macOS devices.

Incorporated the free Munki tool for package deployment.


Android Enterprise is the new preferred method for MDM APIs.

New Android mode: COPE - Corporate Owned Personally Enabled

QR Code Generator to enroll Android devices into Workspace ONE

Samsung Knox container supported and integrated into the same console

Android Enterprise Multi-User Mode. Maybe a shared hospital device.

Console defaults to Android Enterprise. Opt-out available for Android Legacy management. This is needed for devices that are locked down with no access to the Play Store.

VMware Tunnel, Content Gateway, Unified Access Gateway

Content Gateway is now an integrated product in the UAG (Unified Access Gateway)
Identity Bridging with UAG. Identity Groups. SSO to an AD back-end without typing a username and password: it uses the Kerberos built into Windows. A certificate is on the device; the user authenticates with biometrics, and the certificate is used to obtain a token.

Secure Productivity Apps

Office 365 Graph APIs for DLP. Control where apps can save and copy/paste/cut.

AirWatch Agent is moving to Workspace ONE Intelligent Hub. Adds more intelligence.

Workspace ONE Apps

Apps have new icons
New Send app is built to work with O365
Notebook works with Outlook Notes and Tasks
Web for Intranet access
Tunnel for per-app VPN
Content shared files
Verify for MFA
People for Contacts including org chart
PIV-D replaces access cards for authentication

Workspace ONE SDK

Analytics via Apteligent. Designed for app analytics. Where are the pain points in apps and user flows?
Dedicated module for privacy. Framework for privacy rules. 
Tech Preview: Mobile Flows & Content. Content SDK allows Content features within custom apps.

Boxer Enhancements

Alert if sending outside the company
View calendar availability of recipients
Turn on notifications for VIPs only
Redesigned user interface. Attachments are at the top now. 


Like Evernote. 


Built to work with O365. Can open and share O365 files with Boxer and Content.

Mobile Flows

Extend Enterprise App Workflows
Built-in connectors and custom connectors

Workspace ONE Intelligence Vision

OS Patch Management

Trust Network Partners use the AirWatch APIs to send information

techzone.vmware.com for technical resources and tutorials

Great Power, Great Responsibility - Least Privilege Security with AppDefense

More money is spent on security, but losses are increasing
Was at RSA when a nation-state broke in and sold token seeds
Did not have enough layered controls. Too much emphasis on the external layer.
A user was phished with a zero-day attack. RSA was the only target for this attack.
No controls once the Infiltration phase was breached.
Attackers are getting better at using known "good apps" and open ports rather than inserting bad apps into the network.
Stop chasing bad and start ensuring good.
Reduce the attackable surface

What you do for endpoints (top of the pyramid) is different from what you should be doing for your servers.
System Integrity, App, Exploit, and Data in Motion are the tiers AppDefense is focused on.
Least privilege
Focus more on hygiene than on reducing threats

With great power comes great responsibility
Create a policy based on learning
The blocking is the easy part. The learning is the hard part.
Inventory of vCenter and containers supported. Bare metal coming.
Capture and analyze. Detect and Respond.
Can we use existing authoritative sources of information to classify inventory? Existing automation tools can be helpful for this. Run through analysis engine to match against known good software. 
Don't expect users to write manual triggers, just to approve what was learned. 
You cannot trust a security agent that may have been compromised. The hypervisor cannot be compromised from the VM

Capture the behavior of a "good" application

Machine learning for adaptive whitelisting. Helpful when known good applications auto-update causing them to look different. 
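To make the "learn, then approve" idea concrete, here is an added illustration (not AppDefense code, and not from the presenter) of a minimal behaviour manifest: a learning window of constructed events from a hypothetical web-tier VM is turned into an allowed-behaviour list per process, and later events are classified against it. The binary version is recorded separately from the learned behaviour, so an auto-updated application whose behaviour is unchanged is routed to "review" rather than alerted on, which is the auto-update problem the last note above describes. All VM names, paths, versions and ports are constructed sample values.

```python
"""Learn a per-process network behaviour baseline from known-good events and
flag deviations (added illustration; not AppDefense's own logic)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    vm: str
    process: str      # executable path reported by the agent
    version: str      # binary version reported by the agent
    dst_port: int
    direction: str    # "in" or "out"


# Constructed sample events captured during the learning window
# (hypothetical web-tier VM "web01"; none of these are real telemetry).
LEARNING_EVENTS = [
    Event("web01", "/usr/sbin/nginx", "1.14.0", 443, "in"),
    Event("web01", "/usr/sbin/nginx", "1.14.0", 80, "in"),
    Event("web01", "/usr/sbin/nginx", "1.14.0", 8080, "out"),   # to app tier
    Event("web01", "/usr/bin/python3", "3.6.8", 5432, "out"),   # to database
]


def learn_manifest(events):
    """Build the allowed-behaviour manifest keyed by process path.

    Versions are kept apart from behaviour so that a new version with the
    same (direction, port) profile does not invalidate the learned rules.
    """
    manifest = defaultdict(lambda: {"versions": set(), "behaviour": set()})
    for e in events:
        entry = manifest[e.process]
        entry["versions"].add(e.version)
        entry["behaviour"].add((e.direction, e.dst_port))
    return dict(manifest)


def classify(manifest, event):
    """Return (verdict, reason) for one observed event.

    allow  - process and behaviour both match what was learned
    review - behaviour matches but the binary version changed (auto-update);
             an operator approves it instead of writing a rule by hand
    alert  - unknown process, or learned process doing something new
    """
    entry = manifest.get(event.process)
    if entry is None:
        return "alert", f"unknown process {event.process}"
    if (event.direction, event.dst_port) not in entry["behaviour"]:
        return "alert", (f"{event.process} {event.direction}:{event.dst_port} "
                         "is not in the learned behaviour")
    if event.version not in entry["versions"]:
        return "review", (f"{event.process} updated to {event.version}; "
                          "behaviour unchanged")
    return "allow", "matches learned manifest"


if __name__ == "__main__":
    manifest = learn_manifest(LEARNING_EVENTS)
    for ev in [
        Event("web01", "/usr/sbin/nginx", "1.14.0", 443, "in"),
        Event("web01", "/usr/sbin/nginx", "1.16.1", 443, "in"),      # auto-updated
        Event("web01", "/usr/sbin/nginx", "1.14.0", 9999, "out"),    # new behaviour
        Event("web01", "/tmp/unexpected-binary", "0.1", 9999, "out"),
    ]:
        print(classify(manifest, ev))
```

The "review" verdict is where the note about not expecting users to write triggers applies: the operator only confirms that the new version is expected, and the behaviour rules themselves carry over unchanged.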

Advanced extensibility use case: vRealize Automation and Ansible Tower

Extending vRealize using SovLabs modules
Delta Air Lines example. 800 applications, 55+ mission critical. New VM turnaround took from 3 days to 6 months. 

Non-production goal: VM in 30 minutes. Solution: Ansible + SovLabs + VMware. 

vRealize Automation 7.5

New UI - Clarity UI
Ansible is the top config management tool and vRA 7.5 adds more Ansible integration
Requests can be tied to business groups
Can rename a deployment in the UI
SovLabs owns the integration with Ansible. Requires a SovLabs license.

Two ways to consume Ansible: the dedicated Tower module plug-in, or the standalone Tower plug-in.
If you are N-2 versions of vRA behind, VMware engineering will help you get up to date.

VMware Cloud on AWS with NSX: Use Cases, Design, and Implementation

AWS is just another vSphere site
Networking is AWS VPC networking

Use Cases:

1) DC expansion to the cloud

2) On demand capacity

Extend Layer 2 networking to VMC-AWS

3) Migration to the cloud

Data Center evacuation without changing the applications

4) D/R

Using Site Recovery Manager

Architecture & NSX-T SDDC

Key Components:

  • Management pool
  • Management gateway
  • Compute Pool

AWS login gives access to existing AWS resources

Route tables are built between

NSX-T is in preview mode
Components are within one VM rather than separate VMs
Connected to a Tier-0 router

All traffic can go over direct connect with NSX-T

NSX-T Differences From NSX-V

GUI changes in NSX-T for ease of use

Distributed Firewall (DFW) is a paid add-on to NSX-T. Service Insertion and Load Balancer are coming.

NSX-T Deep Dive

(This section was presented very quickly; you might want to watch the replay)

Moved everything into the console
More than two DNS servers
Auditor and Admin roles built in
Multiple DNS zones

Role-Based Access Control
DFW: rules apply between VMs on the same segment as well as across separate segments, which is what enables micro-segmentation.

Edge FW

Allow traffic through the MGW FW
Security groups in edge FW

Groups based on...
IP Address
VM Instance
VM Name
Security Tag
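As an added illustration of how the group types listed above feed a distributed firewall, the following is a small rule evaluator (my own example, not NSX-T code) over a constructed three-VM inventory. Groups are defined by IP range, VM name prefix, or security tag; rules are evaluated first-match with a default drop, so a flow between two VMs on the same segment is still blocked unless a rule allows it, which is the micro-segmentation point in the DFW note. All addresses, names, tags and segments are constructed.

```python
"""First-match distributed-firewall evaluation with IP / VM-name / tag groups
(added illustration; not NSX-T's own implementation)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class VM:
    name: str
    ip: str
    segment: str
    tags: set = field(default_factory=set)


# Group = (kind, value); kind is "ip" (CIDR), "vm_name" (prefix) or "tag".
Group = Tuple[str, str]
ANY: Group = ("ip", "0.0.0.0/0")


def in_group(vm: VM, group: Group) -> bool:
    """Membership test for the three group types from the session notes."""
    kind, value = group
    if kind == "ip":
        return ip_address(vm.ip) in ip_network(value)
    if kind == "vm_name":
        return vm.name.startswith(value)
    if kind == "tag":
        return value in vm.tags
    raise ValueError(f"unknown group kind {kind!r}")


@dataclass
class Rule:
    name: str
    src: Group
    dst: Group
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "drop"


def evaluate(rules, src: VM, dst: VM, dst_port: int, default="drop"):
    """Return (action, rule_name) for the first matching rule, else default.

    Segment is deliberately not consulted: the DFW sits at each VM's vNIC,
    so same-segment traffic is subject to exactly the same rules.
    """
    for r in rules:
        if (in_group(src, r.src) and in_group(dst, r.dst)
                and (r.dst_port is None or r.dst_port == dst_port)):
            return r.action, r.name
    return default, "default"


# Constructed inventory: web and app share a segment, db is on another.
WEB = VM("web01", "10.0.1.10", "seg-front", {"web"})
APP = VM("app01", "10.0.1.20", "seg-front", {"app"})
DB = VM("db01", "10.0.2.30", "seg-data", {"db"})

RULES = [
    Rule("web-to-app", ("tag", "web"), ("tag", "app"), 8080, "allow"),
    Rule("app-to-db", ("vm_name", "app"), ("tag", "db"), 5432, "allow"),
    Rule("mgmt-ssh", ("ip", "10.0.9.0/24"), ANY, 22, "allow"),
]

if __name__ == "__main__":
    print(evaluate(RULES, WEB, APP, 8080))   # allowed by web-to-app
    print(evaluate(RULES, WEB, APP, 22))     # same segment, but no rule: drop
    print(evaluate(RULES, APP, DB, 5432))    # allowed across segments
    print(evaluate(RULES, WEB, DB, 5432))    # web may not reach the database
```

Rule order matters in a first-match model, so a broad allow placed early would shadow later drops; keeping the allows narrow (tag to tag, single port) and relying on the default drop is the least-privilege shape.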

IPSEC VPN enhancements

Can do port mirroring to Wireshark

Advanced NSX Services in VMware Cloud on AWS

Can you manage private cloud and public cloud using the same tools and skills today? Probably not. VMC-AWS fixes that.

Typical cloud use cases

Overview of NSX-T Advanced Services
Connectivity, security, visibility

Direct connect
DPDK supported for faster packets

Micro-segmentation in the public cloud with DFW and policies

Flow and packet level visibility

Use Case 1: Application Migration
Network and security focused assessment of applications

DFW, log intelligence

Transit VPC can be used to house security appliances to control traffic. Not required but security folks might like this. Reduces bandwidth. 

Perimeter VPC is another option for all application access

Use Case 2: Data Center Extension
Customer example with strict security model including controlling traffic coming back from the cloud.

Use Case 3: D/R
App failure. Understand the latency
Site failure. 

Example for hard-coded IP addresses (Extend Layer 2)

Example for full site failure

I hope you have enjoyed this post from Day 3. I value and welcome your feedback.