Using VMware Workspace ONE with Delinea to Strengthen Endpoint Privilege Control

Learn how Workspace ONE UEM and Delinea can control endpoint privilege, reduce standing local admin rights, connect PAM access to device compliance, and improve audit and incident response evidence.

A note on VMware Workspace ONE and Omnissa

Many security and IT teams still search for “VMware Workspace ONE” because that is the name they know from previous deployments, contracts and internal documentation.

Current official product information now sits under Omnissa. Broadcom’s knowledge base states that the End User Computing division transitioned from VMware-hosted systems to Omnissa-hosted systems in May 2024, with support cases moving to the Omnissa website from May 6, 2024. (Support Portal)

For this article, we use “VMware Workspace ONE” where it helps recognition, and “Workspace ONE UEM” when referring to the current Omnissa product documentation.


Endpoint security needs stronger privilege control

Endpoint security programmes often mature through device management first.

Managed devices give security teams a strong starting point: enrolment, policy enforcement, application distribution, compliance rules and access decisions based on device posture.

That is a solid base. It also leaves one of the most sensitive areas exposed if it is handled separately: privileged access on the endpoint.

Local admin rights, privileged application use, emergency access, service credentials and remote admin sessions can create risk even on managed devices. Even when the device is compliant and the user is legitimate, the requested action may still carry more privilege than the task requires. This is where Workspace ONE UEM and Delinea work well together.

Workspace ONE UEM gives IT and security teams control over device enrolment, configuration, application deployment, compliance and access conditions. Omnissa describes Workspace ONE UEM as a cloud-native unified endpoint management platform for desktops, mobile, rugged, server and specialty devices across Windows, macOS, iOS, Android, Linux and ChromeOS from a single console. (Omnissa)

Delinea adds the privileged access layer. Privilege Manager gives endpoint least privilege and application control for Windows and macOS, including removal of local administrative rights, discovery of local admin privileges and policy-based actions such as blocking, elevation, monitoring, allow-listing, quarantine, sandbox and isolation. (docs.delinea.com)

The practical value comes from joining the operating model:

  1. Workspace ONE decides which devices are managed, compliant and allowed to receive security controls.
  2. Delinea decides which privileged actions are allowed, denied, elevated, recorded or sent for approval.
  3. Identity policy decides which users can reach PAM systems and under which conditions.
  4. Audit evidence shows who accessed what, from which device, and what they did.


Why endpoint privilege deserves board-level attention

Endpoint privilege is a direct route from user activity to system compromise.

A user with local admin rights can install tools, change security settings, disable controls, access sensitive files or create persistence. An attacker who compromises that user can inherit those rights. A contractor with broad admin access can create the same exposure, even when the work is legitimate.

Delinea’s documentation states that privileged local admin or root accounts can give access to the entire endpoint and can potentially be used to access other computers, domain resources and critical servers unless a least privilege model is implemented. (docs.delinea.com)

That point matters for CISOs and IAM leaders because endpoint privilege sits across several control domains:

  1. Identity governance: who should have access.
  2. Access management: how access is granted.
  3. Privileged access management: what privileged users can do.
  4. Device management: which devices are trusted enough for admin work.
  5. Audit and compliance: what evidence exists after the action.

Treating these areas as separate programmes creates gaps. A strong endpoint privilege model connects them.


What Workspace ONE UEM should control

Workspace ONE UEM should own the device management layer.

That means enrolment, ownership, baseline configuration, application delivery, patch posture, compliance state and remediation actions. Omnissa’s product documentation describes Workspace ONE UEM controls for conditional access, compliance policies, device posture checks, per-app VPN and automated patch management. (Omnissa)

For a Workspace ONE and Delinea model, Workspace ONE should answer these questions:

  1. Is this device enrolled?
  2. Is it assigned to the correct user or group?
  3. Does it meet the required compliance rules?
  4. Does it have the correct security agents installed?
  5. Has the Delinea agent been deployed and verified?
  6. Is the device allowed to access internal systems or privileged workflows?
  7. What remediation should happen if the device becomes non-compliant?

This gives security teams a controlled starting point. Delinea agents and privileged workflows should run from known, managed, compliant devices wherever possible.

Workspace ONE UEM also supports the deployment and management of Windows applications. Omnissa’s Windows application deployment guidance covers the use of Workspace ONE UEM to deploy MSI, EXE and ZIP packages to Windows devices. (Tech Zone)

That matters because Delinea agent rollout should be treated as a managed software deployment, with assignment, status tracking and exception handling.

For macOS, Workspace ONE can also support the MDM-based preparation needed before Delinea agent deployment. Delinea’s macOS guidance states that configuration profiles should be deployed before the agent deployment when using MDM. (docs.delinea.com)


What Delinea should control

Delinea should own the privileged action layer.

Privilege Manager is designed for endpoint least privilege and application control on Windows and macOS. Its two major components are Local Security and Application Control. (docs.delinea.com)

This gives security and IT teams a way to remove standing local admin rights while still allowing legitimate work to continue.

Delinea Privilege Manager can:

  1. Discover local administrator privileges.
  2. Control local group membership.
  3. Rotate credentials on privileged local accounts.
  4. Elevate approved applications.
  5. Block or sandbox risky applications.
  6. Require justification or approval for specific actions.
  7. Monitor endpoint activity linked to privilege use.

Delinea’s product information also references local admin rights removal, local user account management, local group membership management, automated local account password rotation, just-in-time access and MFA on application elevation with Entra ID integration. (Delinea)

Secret Server extends this into privileged credential management. It supports SAML SSO with configured identity providers, including Okta, OneLogin, Azure ADFS and Microsoft ADFS. (docs.delinea.com) It also exposes REST API documentation for bearer token authentication, token authentication and Windows integrated authentication. (docs.delinea.com)

For higher-risk administration, Secret Server can also add session evidence. Delinea describes session recording as a feature that captures second-by-second screenshots during recorded sessions and compiles them into a video for audit and security review. (docs.delinea.com)


A practical integration model

The accurate way to describe this combination is as an operating integration: the two products are joined through identity policy, managed deployment, conditional access and shared logs, not through a native connector, unless a specific implementation has one in place.

The model can use:

  1. Workspace ONE UEM for device enrolment, compliance and agent deployment.
  2. Delinea Privilege Manager for endpoint least privilege and application control.
  3. Delinea Secret Server for credential vaulting, approvals and session recording.
  4. SAML and identity policy for PAM access.
  5. Conditional access for device compliance and access decisions.
  6. APIs and logs for automation, reporting and evidence.

Workspace ONE UEM can integrate with Microsoft Entra ID as a device compliance partner, allowing endpoint compliance and management status to be used in Microsoft access decisions. (docs.omnissa.com)

Workspace ONE Access can also add Device Compliance checks that query Workspace ONE UEM when users sign in from devices. (docs.omnissa.com)

In practical terms, this means PAM access can be tied to device posture through the identity layer. A privileged user should access Delinea from an enrolled and compliant device. A non-compliant device should trigger remediation or reduced access.


Step 1: define privileged endpoint groups

Start with the people and devices that carry the highest risk.

Do not begin with a generic “admin users” group. That hides important differences between roles.

Define groups such as:

  1. Service desk users who need approved elevation for support tools.
  2. Infrastructure administrators who access servers, directories and cloud consoles.
  3. Security operations users who run investigation tools.
  4. Developers who need limited elevation for local build tools.
  5. Third-party support users who need time-bound access.
  6. Executives and sensitive users who need stricter endpoint controls.
  7. Shared workstations and kiosk devices that should have no standing local admin access.

For each group, define:

  1. Which devices they can use.
  2. Which applications need elevation.
  3. Which applications must be blocked.
  4. Which actions need justification.
  5. Which actions need approval.
  6. Which sessions need recording.
  7. Which exceptions expire automatically.

This is where IAM and endpoint teams need to work from the same policy language. Device groups, identity groups and privilege policies should tell the same story.


Step 2: deploy Delinea agents through Workspace ONE UEM

The Delinea agent is the technical control point on the endpoint. Delinea states that agents are required on endpoint machines to carry out policies created in Privilege Manager. (docs.delinea.com)

Workspace ONE UEM should manage that deployment.

For Windows endpoints:

  1. Package the Delinea agent according to the supported installer format.
  2. Assign it to the correct Workspace ONE Smart Groups.
  3. Track install success and failure.
  4. Create remediation actions for missing or unhealthy agents.
  5. Report deployment status before enforcing stricter privilege rules.

For macOS endpoints, sequencing matters.

Delinea’s unattended macOS installation documentation states that MDM deployment requires the following order: deploy the required configuration profiles, run the pre-install script with the TMS URL and install code, then deploy the unmodified agent installer package. (docs.delinea.com)

This detail should be planned carefully. A failed macOS preparation stage can create policy gaps or support tickets during rollout.


Step 3: protect install codes and agent trust

Install codes should be governed as security assets.

Delinea states that the server needs either an install code or agent trust certificate to accept communication from an agent. The agent uses the install code to prove that the installation is authorised; after installation, the install code is deleted and the agent certificate is used for communication. (docs.delinea.com)

Practical controls:

  1. Use separate install codes for different rollout waves.
  2. Avoid using one install code across every business unit.
  3. Revoke install codes after the rollout window where appropriate.
  4. Monitor failed agent registrations.
  5. Reissue codes only through controlled change.
  6. Document which install code was used for which deployment group.

This creates a cleaner evidence trail and reduces the chance that unmanaged endpoints can register as trusted agents.


Step 4: remove standing local admin rights

This is where endpoint security gains become tangible.

Standing local admin rights create unnecessary exposure. Remove them where the business process allows it, then replace them with controlled elevation.

Delinea Privilege Manager supports local security controls that discover endpoint accounts, control local group membership and enforce password rotation on those accounts. Its Application Control capability can automatically elevate applications that require admin rights, allow approved applications and block malicious applications. (docs.delinea.com)

A practical rollout should use 3 stages:

  1. Discover: identify users, devices, local admin accounts, applications requiring elevation and recurring support tasks.
  2. Model: define which applications and workflows need elevation by role, device group and business function.
  3. Enforce: remove local admin rights, apply elevation policies and monitor exceptions.

Do this gradually. Start with IT-controlled groups, then move into broader business users, developers and third parties.


Step 5: control privileged applications

Privilege control works best when it is specific.

A policy that says “allow admin tools” is too broad. A useful policy names the tools, the users, the device groups, the conditions and the logging requirements.

Examples of privileged applications and actions to review:

  1. PowerShell and Terminal.
  2. Registry Editor.
  3. Package managers.
  4. Remote desktop tools.
  5. Database clients.
  6. Cloud command-line tools.
  7. Browser access to admin consoles.
  8. VPN clients.
  9. Security investigation tools.
  10. Installers and updaters.
  11. Developer build tools.

Delinea can apply policy actions such as elevation, blocking, monitoring, allowing, quarantine, sandbox and isolation. (docs.delinea.com) The policy design should define which actions are automatic and which require approval.

For example:

  1. Allow approved service desk tools for service desk users on compliant devices.
  2. Require justification for PowerShell elevation.
  3. Require approval for admin tools on contractor devices.
  4. Block unknown remote access tools.
  5. Sandbox untrusted installers.
  6. Record privileged sessions to sensitive systems.

This keeps admin work moving while reducing unnecessary privilege.
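The six example rules above, written out as a first-match policy evaluator so the "name the tool, the user, the device group and the condition" point is concrete. This is an added illustration, not Delinea's policy format or the project's own code; the request fields, the category tags, the Smart Group names and the service desk allow list are all constructed assumptions.

```python
"""Policy evaluator for the Step 5 example rules (added illustration).
Field names, categories and group names are assumptions, not Delinea's schema."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    JUSTIFY = "require justification"
    APPROVE = "require approval"
    BLOCK = "block"
    SANDBOX = "sandbox"
    DENY = "deny"            # default: no standing privilege, no matching rule


@dataclass(frozen=True)
class Request:
    user_group: str          # identity group, e.g. "service_desk", "contractor"
    application: str         # tool name as the endpoint agent reports it
    category: str            # constructed tag: "support", "shell", "remote_access", "installer", "admin"
    device_compliant: bool   # compliance state reported by Workspace ONE UEM
    device_group: str        # Workspace ONE Smart Group, e.g. "corp_laptops", "contractor_devices"
    app_trusted: bool        # True when the binary is allow-listed or signed by a trusted publisher
    sensitive_target: bool = False   # the session reaches a system whose sessions must be recorded


@dataclass(frozen=True)
class Decision:
    action: Action
    rule: str
    record_session: bool


SERVICE_DESK_TOOLS = {"RemoteSupportTool.exe", "PrinterAdmin.exe"}   # constructed allow list


def evaluate(req: Request) -> Decision:
    """First matching rule wins; anything unmatched is denied (no standing admin).
    Rules are ordered so that blocking and sandboxing outrank approval paths."""
    record = req.sensitive_target   # rule 6: record privileged sessions to sensitive systems
    # Device posture gate: a non-compliant device never receives automatic elevation
    # (Step 6: non-compliant devices get remediation or reduced access).
    if not req.device_compliant:
        return Decision(Action.DENY, "non-compliant device", record)
    if req.category == "remote_access" and not req.app_trusted:       # rule 4
        return Decision(Action.BLOCK, "block unknown remote access tools", record)
    if req.category == "installer" and not req.app_trusted:           # rule 5
        return Decision(Action.SANDBOX, "sandbox untrusted installers", record)
    if req.device_group == "contractor_devices":                      # rule 3
        return Decision(Action.APPROVE, "approval for admin tools on contractor devices", record)
    if req.category == "shell":                                       # rule 2 (PowerShell, Terminal)
        return Decision(Action.JUSTIFY, "justification for shell elevation", record)
    if req.user_group == "service_desk" and req.application in SERVICE_DESK_TOOLS:   # rule 1
        return Decision(Action.ALLOW, "approved service desk tools on compliant devices", record)
    return Decision(Action.DENY, "no matching rule", record)
```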


Step 6: connect PAM access to device compliance

A privileged user should not be evaluated only as a user.

The device matters.

Workspace ONE UEM can provide device state, compliance status and management context. Omnissa describes conditional access and compliance policies that define access controls based on device state, user role and risk signals, with remediation actions for non-compliant endpoints. (Omnissa)

Delinea Secret Server can use SAML SSO with a configured identity provider. (docs.delinea.com) This allows identity policy to become the decision point for PAM access.

A practical access model could include:

  1. Privileged users authenticate through the enterprise IdP.
  2. MFA is required for Delinea access.
  3. Access to Secret Server depends on compliant device status.
  4. Non-compliant devices lose access to privileged vault workflows.
  5. Third-party users access privileged systems through controlled sessions.
  6. High-risk roles get stronger session monitoring and shorter access windows.

This model gives security leaders a cleaner answer to a common audit question: who accessed privileged systems, from which device, under which conditions?


Step 7: vault credentials and record privileged sessions

Endpoint privilege control should extend to the systems administrators access from their endpoints.

Delinea Secret Server provides privileged session management through a proxy model that can route access to servers through the Secret Server vault. (Delinea) Delinea also describes session recording as an audit trail from secret checkout through activity on the system and logout. (Delinea)

Use this for:

  1. Domain controllers.
  2. Privileged servers.
  3. Network devices.
  4. Regulated systems.
  5. Sensitive databases.
  6. Shared administrator accounts.
  7. Break-glass access.
  8. Third-party support sessions.

The objective: privileged access should leave usable evidence.

That evidence should show:

  1. User identity.
  2. Device used.
  3. Secret checked out.
  4. Time of access.
  5. Target system.
  6. Session activity.
  7. Approval record.
  8. Reason for access.
  9. Closure or credential rotation after use.


Step 8: build the audit and incident response view

Workspace ONE and Delinea each produce useful evidence. The security value increases when that evidence can be reviewed together.

Workspace ONE can show:

  1. Device enrolment status.
  2. Compliance status.
  3. Application deployment state.
  4. Patch and configuration status.
  5. Remediation actions.
  6. Device ownership and assignment.

Delinea can show:

  1. Local admin discovery.
  2. Local group membership changes.
  3. Elevation requests.
  4. Application control decisions.
  5. Secret checkout history.
  6. Session recordings.
  7. Keystroke logging where configured and legally approved.
  8. Approval and justification records.

Bring these records into the SIEM, GRC process or audit evidence pack. Use them for security investigations, compliance reviews and access recertification.

This matters because audit confidence and security reality can drift apart. The State of Pentesting Report 2025 found that 81% of surveyed organisations were confident their security posture met regulatory requirements, while pentesting data still showed unresolved and exploitable vulnerabilities across environments.

Endpoint privilege evidence helps close that gap.
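A worked example of reviewing the two evidence sets together: Workspace ONE device records are joined to Delinea privilege events, privileged activity from unknown or non-compliant devices is surfaced as a finding, and the first KPI from the list later in this article (percentage of privileged users working only from enrolled, compliant devices) is computed from the same data. This is an added illustration with constructed records; the field names are assumptions, not the export schema of either product.

```python
"""Correlate Workspace ONE device evidence with Delinea privilege evidence.
Added illustration; record layouts are assumptions, data is constructed."""
from dataclasses import dataclass

# Constructed Workspace ONE UEM device inventory (enrolment and compliance state)
WS1_DEVICES = [
    {"device_id": "WS1-0001", "user": "alice", "enrolled": True, "compliant": True},
    {"device_id": "WS1-0002", "user": "bob",   "enrolled": True, "compliant": False},
    {"device_id": "WS1-0003", "user": "carol", "enrolled": True, "compliant": True},
]

# Constructed Delinea events: Privilege Manager elevations and Secret Server checkouts
DELINEA_EVENTS = [
    {"ts": "2025-06-01T08:02:11Z", "user": "alice", "device_id": "WS1-0001",
     "kind": "elevation", "detail": "PrinterAdmin.exe", "decision": "allowed"},
    {"ts": "2025-06-01T08:15:40Z", "user": "bob", "device_id": "WS1-0002",
     "kind": "secret_checkout", "detail": "DC01 local admin", "decision": "allowed"},
    {"ts": "2025-06-01T09:01:05Z", "user": "dave", "device_id": "UNKNOWN-77",
     "kind": "elevation", "detail": "powershell.exe", "decision": "allowed"},
    {"ts": "2025-06-01T09:30:00Z", "user": "carol", "device_id": "WS1-0003",
     "kind": "elevation", "detail": "unknownrat.exe", "decision": "blocked"},
]


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    device_id: str
    reason: str


def correlate(devices, events):
    """Findings for privileged activity that succeeded from a device Workspace ONE
    does not know or does not consider compliant. Blocked events need no finding:
    the control already worked, and they stay in the Delinea record for review."""
    by_id = {d["device_id"]: d for d in devices}
    findings = []
    for ev in events:
        if ev["decision"] != "allowed":
            continue
        dev = by_id.get(ev["device_id"])
        if dev is None or not dev["enrolled"]:
            findings.append(Finding(ev["ts"], ev["user"], ev["device_id"],
                                    f"{ev['kind']} from device not enrolled in Workspace ONE"))
        elif not dev["compliant"]:
            findings.append(Finding(ev["ts"], ev["user"], ev["device_id"],
                                    f"{ev['kind']} while device non-compliant"))
    return findings


def compliant_privileged_user_pct(devices, events):
    """KPI: percentage of privileged users whose activity came only from enrolled,
    compliant devices. A single event from a bad device marks the user as failing."""
    by_id = {d["device_id"]: d for d in devices}
    users = {}
    for ev in events:
        dev = by_id.get(ev["device_id"])
        ok = dev is not None and dev["enrolled"] and dev["compliant"]
        users[ev["user"]] = users.get(ev["user"], True) and ok
    if not users:
        return 0.0
    return 100.0 * sum(users.values()) / len(users)
```

In a real review the two inputs would be exports or API pulls from Workspace ONE UEM and Delinea, joined on whatever device identifier both sides carry consistently.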


Common implementation mistakes

Several issues weaken Workspace ONE and Delinea programmes.

Treating deployment as the programme

Installing the agent is only the first step. The security gain comes from policy design, removal of standing admin rights, approval workflows and evidence review.

Keeping temporary local admin access for too long

Temporary access often becomes permanent. Use expiry dates, justification and review cycles.

Using broad privilege policies

Policies should reflect real roles. Helpdesk, infrastructure admins, developers and contractors need different rules.

Missing macOS deployment sequencing

Delinea’s macOS MDM deployment requires configuration profiles before the pre-install script and agent installer package. (docs.delinea.com)

Leaving PAM access open from unmanaged devices

Privileged systems should be accessed from known, compliant devices wherever possible.

Separating endpoint and PAM evidence

A session recording without device context gives an incomplete view. A compliant device without privileged activity context gives the same problem from the other side.

Allowing exceptions without expiry

Every exception should have an owner, reason, review date and expiry condition.


Suggested rollout plan

Phase 1: assess

Map the current state before enforcing changes.

  1. Identify users with local admin rights.
  2. List privileged applications.
  3. Review unmanaged and non-compliant devices.
  4. Check Workspace ONE enrolment coverage.
  5. Identify endpoints missing required security agents.
  6. Review privileged credentials stored outside the vault.
  7. Document third-party support workflows.

Phase 2: pilot

Start with a controlled user group.

Good pilot candidates:

  1. Internal IT.
  2. Service desk.
  3. Security operations.
  4. A small developer group.
  5. A limited third-party support group.

Pilot goals:

  1. Deploy Delinea agents through Workspace ONE.
  2. Validate agent health.
  3. Remove local admin rights from pilot devices.
  4. Apply application elevation rules.
  5. Test user justification and approval.
  6. Validate Secret Server SSO and MFA.
  7. Record a defined set of privileged sessions.
  8. Review logs with the security team.

Phase 3: expand

Move from pilot to phased rollout.

Prioritise:

  1. High-risk users.
  2. Admin workstations.
  3. Contractors.
  4. Shared devices.
  5. Endpoints accessing regulated systems.
  6. Devices with repeated elevation requests.
  7. Devices with old local admin patterns.

Use the rollout data to refine policies. Too many denied requests may show a missing business workflow. Too many auto-approved requests may show excessive privilege.

Phase 4: govern

Turn the implementation into a repeatable control.

Monthly review should include:

  1. New local admin accounts.
  2. Privileged application trends.
  3. Denied elevation attempts.
  4. Contractor access records.
  5. Session recording review.
  6. Non-compliant privileged endpoints.
  7. Exceptions near expiry.
  8. Dormant privileged accounts.
  9. Changes to Workspace ONE compliance rules.
  10. Changes to Delinea policies.


KPIs for CISOs and IAM leaders

Use metrics that show control, coverage and risk reduction.

Recommended KPIs:

  1. Percentage of privileged users using enrolled and compliant devices.
  2. Percentage of admin endpoints with Delinea agent installed.
  3. Number of endpoints with standing local admin rights.
  4. Number of local admin accounts removed.
  5. Number of elevation requests by user group.
  6. Percentage of elevation requests approved, denied and auto-approved.
  7. Number of privileged applications blocked or sandboxed.
  8. Number of privileged sessions recorded.
  9. Number of unmanaged devices blocked from PAM access.
  10. Mean time to revoke privileged access after device non-compliance.
  11. Number of privileged credentials vaulted.
  12. Number of expired exceptions removed.
  13. Number of audit findings linked to endpoint privilege.

These metrics give leadership a clear view of progress. They also give IAM and endpoint teams a shared operating language.


Our perspective

Workspace ONE and Delinea can give organisations a practical model for endpoint privilege control when the implementation is treated as a governance programme.

Workspace ONE UEM manages the endpoint estate. Delinea controls privileged actions, local admin rights, credentials and session evidence. The identity layer connects users, devices and access conditions.

For CISOs, CTOs and IAM leaders, this creates a stronger answer to 3 questions:

  1. Which devices can be used for privileged work?
  2. Which privileged actions are allowed on those devices?
  3. What evidence proves the control worked?

Endpoint security improves when privilege becomes specific, time-bound, monitored and tied to device posture. Workspace ONE and Delinea give security teams the tools t