VMware 5V0-61.22 Exam Dumps & Practice Test Questions
To provide administrators with single sign-on (SSO) access to both the Workspace ONE UEM console and the Self-Service Portal, which third-party solution must be used?
A. SAML-based Identity Provider
B. Active Directory
C. LDAP-based Directory
D. DHCP
Correct Answer: A
Explanation:
When designing an enterprise-level access management solution for Workspace ONE UEM, Single Sign-On (SSO) is a crucial component that improves user experience and streamlines access to multiple services. SSO allows administrators to authenticate once and access various systems—like the Workspace ONE UEM Console and the Self-Service Portal—without having to log in separately to each system.
To achieve this, a SAML-based Identity Provider (IdP) is essential. SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties—specifically, between an identity provider and a service provider. In this architecture, the Identity Provider authenticates users and then sends SAML assertions to the Workspace ONE services to confirm identity.
Popular SAML IdPs include Microsoft Entra ID (formerly Azure AD), Okta, and ADFS. These solutions validate the user’s identity through corporate credentials and securely pass a token to Workspace ONE, enabling seamless access. This process also enables conditional access policies and integration with multifactor authentication tools for enhanced security.
Let’s break down why the other options are incorrect:
Active Directory (B) is a directory service that stores user credentials and permissions but does not support SSO directly unless it’s integrated with a SAML IdP.
LDAP-based Directory (C) is similar to AD in that it provides authentication services, but it lacks native SSO capabilities using SAML.
DHCP (D) is a network protocol that handles IP address assignment and has no relevance to user identity or authentication.
Therefore, to deliver a cohesive and secure SSO experience across multiple Workspace ONE portals, the deployment of a SAML-compliant Identity Provider is mandatory.
When setting up SEG V2 on Unified Access Gateway (UAG), how should an administrator correctly install the SSL certificate required for secure communication?
A. Use the Import-Certificate command in the UAG console
B. Upload the certificate to Workspace ONE UEM or provide it locally when finalizing the SEG Edge service
C. Use a terminal command to add the certificate to macOS keychain
D. Upload the certificate to Workspace ONE UEM or include it during SEG Edge service configuration on UAG
Correct Answer: D
Explanation:
In Workspace ONE, the Secure Email Gateway (SEG) is used to enable secure, policy-based access to corporate email services such as Exchange. When deploying SEG V2 on a Unified Access Gateway (UAG), securing the communication channel via SSL/TLS is critical to prevent data leakage and ensure encrypted communication.
The appropriate way to add an SSL certificate is either to upload it in advance to the Workspace ONE UEM console for centralized deployment or to upload it directly during the SEG Edge service configuration within the UAG Admin UI. These are the methods VMware supports and recommends.
This dual-path approach (UEM or UAG interface) provides flexibility. For example:
In large environments, administrators might manage certificates centrally via Workspace ONE UEM, which simplifies automation and standardization.
In smaller setups or during quick testing, administrators may prefer to upload the SSL certificate manually during the SEG Edge setup on the UAG itself.
Let’s consider the incorrect options:
Option A shows a PowerShell command intended for Windows environments. UAG is a Linux-based appliance and does not support Windows commands.
Option C is a macOS-specific command (sudo security ...) and is completely unrelated to UAG or Workspace ONE.
Option B is partially valid but imprecisely worded; it says “when confirming” instead of “when configuring,” which inaccurately describes the SEG Edge setup process.
Hence, Option D provides the most accurate and supported method of deploying SSL certificates for SEG V2 on UAG.
Which two factors are most critical to address during the initial design phase of a Workspace ONE implementation? (Select two.)
A. Installing all required components
B. Creating a test environment
C. Involving key stakeholders
D. Identifying business goals
E. Setting up system integrations
Correct Answers: C and D
Explanation:
The success of any Workspace ONE deployment hinges on a strategic design phase that aligns technical configurations with the organization’s operational goals. Two essential tasks during this stage are engaging stakeholders and defining business drivers.
Involving stakeholders (C):
Designing an enterprise mobility solution impacts numerous departments, including IT, security, compliance, HR, and end-users. Each stakeholder group brings unique concerns:
IT cares about integration and support.
HR may focus on onboarding and provisioning.
Legal and compliance want to ensure that data handling follows regulations.
Engaging them early allows the solution to be tailored to real-world needs and ensures organizational buy-in, reducing friction during implementation and adoption.
Defining business drivers (D):
Every technical project should serve a broader purpose. Identifying why Workspace ONE is being implemented sets the stage for all technical decisions. Whether it's to support remote work, enhance data protection, implement BYOD policies, or streamline device onboarding, these drivers help define feature requirements, scalability needs, compliance rules, and even the deployment model (on-premises vs. cloud).
The other options are important but belong to later phases:
Installing components (A) is part of implementation.
A test environment (B) is essential for validation and QA but is not a strategic design consideration.
Configuring integrations (E) also follows design; it's an execution task.
In summary, involving stakeholders and defining business objectives lay the foundation for a successful Workspace ONE deployment and ensure that the technology aligns with organizational needs.
When users sign in to VMware Workspace ONE Access using Kerberos authentication and are then able to open Horizon apps without having to re-enter their credentials, which VMware technology enables this seamless access experience?
A. Certificate (Cloud Deployment)
B. Password Caching
C. True SSO
D. Identity Bridging
Correct Answer: C
Explanation:
The ability for users to seamlessly access VMware Horizon applications after authenticating through Workspace ONE Access using Kerberos relies heavily on the True SSO (Single Sign-On) technology provided by VMware. True SSO is essential when initial user authentication is passwordless, such as when Kerberos is used. Although Kerberos enables secure authentication at the first step, accessing Horizon apps typically requires credentials to be passed again to Active Directory. This is where True SSO bridges the gap.
True SSO works by generating short-lived, session-specific certificates that serve as authentication tokens. When a user successfully authenticates with Workspace ONE Access using Kerberos, True SSO automatically issues a certificate on their behalf, which is then used to log the user into their Horizon apps and desktops — all without the user needing to provide a password again. This ensures both security and user convenience, especially in environments where a passwordless user experience is desired.
Let’s consider why the other options are not appropriate:
A. Certificate (Cloud Deployment): While certificate-based authentication plays a role in identity validation, it alone does not handle the complex translation required between Workspace ONE Access and Horizon authentication contexts. Without True SSO, certificate authentication would not support passwordless SSO to Horizon.
B. Password Caching: This refers to storing user credentials temporarily for reuse, which introduces security risks and is largely deprecated in modern secure environments. VMware's True SSO replaces this method with a more secure, certificate-based approach.
D. Identity Bridging: Although the term is used in identity federation and integration contexts, it is not a VMware-specific solution for enabling SSO between Workspace ONE and Horizon. VMware’s True SSO is the exact feature purpose-built for this.
In summary, True SSO is vital for allowing users who authenticate with Kerberos (a non-password mechanism) to then access Horizon resources without entering a password. It creates a secure and seamless bridge between identity systems, enhancing both security posture and user experience.
To set up OpenID Connect (OIDC) in Workspace ONE Access so users can authenticate via external identity providers, which core protocol is used as the foundation for OIDC?
A. LDAP
B. FTP
C. IMAP
D. OAuth2
Correct Answer: D
Explanation:
OpenID Connect (OIDC) is an identity layer developed on top of the OAuth 2.0 protocol, making OAuth2 the foundational technology that enables OIDC to operate effectively. When an administrator wants to integrate third-party identity providers into VMware Workspace ONE Access, OIDC is used to provide authentication capabilities. However, the underlying protocol that facilitates token exchange, authorization flows, and secure identity assertions is OAuth 2.0.
OAuth 2.0 was originally developed as a secure authorization framework to allow applications to access user data without requiring password sharing. OIDC builds on this by adding a standardized layer that includes ID tokens, user info endpoints, and other components necessary for authentication and single sign-on (SSO). This makes it ideal for modern federated identity management systems, especially when integrating with social logins (e.g., Google, Facebook) or enterprise identity providers.
Let’s review the incorrect options:
A. LDAP (Lightweight Directory Access Protocol): LDAP is used for querying and maintaining directory information, such as user accounts, in enterprise environments. While Workspace ONE Access can connect to LDAP directories for user synchronization, it is not the protocol behind OIDC.
B. FTP (File Transfer Protocol): FTP is a legacy protocol designed for transferring files over networks. It has no relevance to authentication or authorization systems like OIDC or OAuth2.
C. IMAP (Internet Message Access Protocol): IMAP is used for retrieving emails from a mail server. Like FTP, it is unrelated to authentication protocols and does not play a role in identity federation or SSO.
In essence, OAuth2 is the engine that powers the OIDC framework. By adopting OAuth2’s token-based security model, OIDC can securely validate user identities and share that information with applications like Workspace ONE Access, enabling a seamless and secure SSO experience for users across different platforms.
A. Device root
B. Tunnel client
C. APNs
D. KDC
Correct Answer: D
Explanation:
When implementing Mobile Single Sign-On (SSO) for iOS in Workspace ONE UEM, the solution relies on Kerberos-based authentication to enable seamless, password-less access to enterprise resources. The foundational component that makes this possible is the KDC (Key Distribution Center) certificate.
The KDC certificate (Answer D) enables secure communication between the Workspace ONE Access service, which acts as a Kerberos proxy, and the iOS device. This setup allows iOS devices to request Kerberos tickets without needing to connect directly to an on-premises Active Directory. When a user attempts to access a resource, the device uses this ticket for authentication, facilitating transparent SSO access.
The certificate is typically issued by an internal Certificate Authority (CA) and needs to be uploaded to Workspace ONE Access and properly configured within the Mobile SSO profile. Without this certificate, the iOS device cannot trust the KDC proxy service or validate the issued tickets, breaking the SSO flow.
Here’s why the other options are incorrect:
Device root certificate (A): Although root certificates are essential for establishing trust between the device and backend systems, they don’t directly support the Kerberos-based authentication flow required by Mobile SSO.
Tunnel client certificate (B): Used for VPN and per-app tunneling scenarios, these certificates establish secure tunnels for app traffic but are unrelated to SSO mechanisms.
APNs certificate (C): This Apple Push Notification Service certificate is required for managing and communicating with Apple devices, such as pushing commands or profiles, but it plays no role in the Kerberos or SSO authentication flows.
Thus, the KDC certificate is the one and only correct choice when configuring iOS Mobile SSO.
If the Kerberos Authentication service on a Workspace ONE Access Connector is running on port 8443 and the server’s hostname is connector.local, what is the correct health check URL format?
A. https://connector.local:8443/eks/health
B. http://connector.local/eks/health
C. https://connector.local/eks/health
D. http://connector.local:8443/eks/health
Correct Answer: A
Explanation:
To monitor the Kerberos Authentication service—often referred to as Enterprise Kerberos Service (EKS)—on a Workspace ONE Access Connector, VMware provides a health check URL that confirms the availability and operational status of this service.
If the service is bound to port 8443, and the server hostname is connector.local, then the proper health check endpoint becomes:
https://connector.local:8443/eks/health — which matches Option A.
This endpoint must:
Use HTTPS, as the service is designed to operate over secure channels.
Include the custom port (8443) explicitly since 8443 is not the default HTTPS port (443).
Append the path /eks/health, which is the defined health check route for the Kerberos service.
Why the other options are incorrect:
Options B and D: These use HTTP, which is insecure and incompatible with most enterprise deployments of Workspace ONE Access, especially those running sensitive authentication services.
Option C: Though it uses HTTPS, it omits the port. If the service is running on a custom port (8443), this omission leads to failed connection attempts unless the port is specified.
Correct health monitoring is vital in high-availability environments, and the correct health check endpoint helps ensure proper service orchestration and alerts.
A. Workspace ONE Access serves as the service provider
B. Users are synchronized in advance from Active Directory
C. Workspace ONE Access Connector is mandatory for JIT to function
D. JIT provisioned users can be deleted individually
Correct Answer: D
Explanation:
Just-in-Time (JIT) Provisioning in VMware Workspace ONE Access is a dynamic method for creating user accounts at the moment they first authenticate via a federated identity provider (IdP). Instead of relying on prior synchronization from an external directory (e.g., AD or LDAP), user accounts are provisioned on-demand when the user successfully logs in through a SAML or OIDC assertion.
The defining behavior here is that JIT provisioned users can be individually deleted (Answer D). These users are treated like any other user in the Workspace ONE Access database once created. This means administrators can view, update, assign entitlements to, or delete these accounts as needed.
Let's address why the other choices are incorrect:
A: While Workspace ONE Access can act as a service provider in SAML-based integrations, this statement is general and not specific to JIT provisioning.
B: JIT users are not pre-synced. This option contradicts the core premise of JIT, which eliminates the need for directory synchronization.
C: The Workspace ONE Access Connector is not required for JIT. Many JIT scenarios use third-party cloud IdPs (like Okta or Entra ID), which interact with Workspace ONE directly using federation protocols, bypassing the Connector.
In summary, JIT offers a flexible, on-demand provisioning model and is especially beneficial in modern hybrid or multi-cloud identity scenarios.
What is the main function of the VMware Workspace ONE Trust Network when used within the Workspace ONE Intelligence platform?
A. Delivering VPN profiles to devices
B. Supporting integration of multiple directory domains across trusted networks
C. Combining threat intelligence from security platforms like EDR tools
D. Distributing apps to end users
Correct Answer: C
Explanation:
The VMware Workspace ONE Trust Network is a core component of the broader Workspace ONE Intelligence ecosystem, and its primary role is to aggregate and correlate threat intelligence data from various security platforms. This includes modern Endpoint Detection and Response (EDR) solutions, mobile threat defense platforms, and cloud security vendors. By pulling in this threat data and combining it with the real-time context of devices and users managed in Workspace ONE, the Trust Network helps create a unified and intelligent security posture for the enterprise.
The Trust Network does not operate in isolation. It acts as a connector that integrates threat signals from third-party security solutions such as Carbon Black, Zimperium, Lookout, and CrowdStrike, among others. These security tools feed telemetry into Workspace ONE Intelligence, which then correlates the data with UEM-managed device states. This provides security teams with insights into which devices might be compromised, what user actions triggered threats, and what steps should be automated in response.
This kind of integration supports automated remediation actions, such as device quarantine, blocking application access, or requiring user re-authentication. It empowers zero-trust frameworks by ensuring that access decisions are made not just based on identity but on contextual security posture.
Now let’s evaluate why the other options are not suitable:
A. Delivering VPN profiles to devices: This task is a basic MDM (Mobile Device Management) function handled by Workspace ONE UEM, not the Trust Network.
B. Supporting multi-domain directory services: While Workspace ONE Access handles directory integration across multiple domains, the Trust Network is not related to directory services or identity federation.
D. Distributing applications to end users: App delivery is again a UEM function, not tied to the Trust Network's security integration responsibilities.
To summarize, option C is correct because the Trust Network’s foundational goal is to integrate and operationalize security insights from third-party tools, transforming Workspace ONE into a centralized and proactive security management hub.
What is a prerequisite for enabling Digital Employee Experience Management (DEEM) in VMware Workspace ONE?
A. Devices must be marked as employee-owned
B. DEEM must be enabled in Workspace ONE Access
C. Productivity apps must be integrated with Workspace ONE SDK
D. Devices must be managed by Workspace ONE UEM, specifically Windows or macOS
Correct Answer: D
Explanation:
Digital Employee Experience Management (DEEM) is a key feature in VMware Workspace ONE that enables organizations to gain insights into end-user device performance and usage patterns. It focuses on monitoring endpoint health, application performance, system responsiveness, and user interactions to measure and improve digital experiences.
To enable DEEM and begin collecting telemetry, the most critical requirement is that the devices must be enrolled and managed in Workspace ONE UEM, and they must be running Windows 10/11 or macOS. This is because DEEM depends on system-level telemetry that can only be accessed through a managed endpoint with the Intelligent Hub installed.
Once a device is properly enrolled and DEEM is configured in the admin console, Workspace ONE begins collecting data related to system performance (e.g., boot time, CPU usage, application crashes, network latency). These insights help IT teams proactively identify and resolve issues affecting user productivity, such as slow logon times or failing apps.
Let’s review why the other choices are incorrect:
A. Device ownership type: DEEM is not restricted by whether the device is employee-owned or corporate-owned. Ownership type might affect certain security or compliance policies, but it does not impact DEEM telemetry collection.
B. Workspace ONE Access: This is primarily an identity and access management platform, responsible for SSO and directory integration. DEEM does not require any configuration within Workspace ONE Access.
C. Productivity app SDK integration: While integrating apps with the Workspace ONE SDK is important for app-level management (e.g., DLP, authentication), it is not necessary for DEEM. DEEM focuses on device-level experience metrics, not application-specific SDK features.
In summary, to activate DEEM functionality, organizations must ensure that Windows and macOS devices are fully managed within Workspace ONE UEM. Only then can meaningful telemetry be gathered to enhance digital employee experience.