Digital Workspace Mobile Threat Detection & Response with Workspace ONE & Zimperium - Integrating zConsole

Mobile threat detection and response is an area of ever-growing importance, as the world finds themselves accessing sensitive resources on devices everywhere. Application, identity or device management only offers so many protections to the assortment of threats users are faced with. 

 Digital Workspace products like Workspace ONE and Zimperium's zIPS compliment each other, and offer an additional level of compensating controls, specifically for mobile threats. These capabilities allow your organization to detect threats you might not have had visibility of, let alone the ability to mitigate.

Zimperium focuses on being best-in-breed in MTD, and it shows. In 2019; Zimperium would be the first MTD to be FedRAMP authorized, partner with the VMware to join the Trust Network, and selected by Google to join the App Defense Alliance. 

 To make this integration possible, you must first, thank your CISO, and then integrate Zimperium's zConsole with Workspace ONE UEM. In this post, we'll go through all the requirements. Requirements like...

  • Mood lifting console background picture
  • Obtaining an API Key for integration
  • Setting up MDM Integration with zConsole and Workspace ONE UEM
  • Testing Integration

Grand Hyatt Kauai, not included in Workspace ONE. But, a great place to treat your team and hold a meeting. Hint, hint...
  1. Open the Workspace ONE UEM console and go to;
    Groups & Settings -> All Settings 
  2. Open the Workspace ONE UEM console and go to;
    System -> Advanced -> API -> REST API
  3. In the 'General' tab, click 'Add'
    Note:     Ensure 'Enable API Access' is set to enabled. This is required.
  4. Name the Service, in this example 'zConsole' is used. Ensure the 'Account Type' is set to 'Admin'. Copy the API Key to your clipboard. We will reuse this in the zConsole.
    5. This API key is just for example


  5. Login to your Zimperium zConsole
  6. In the left navigation pane, locate 'Manage'
  7. Click 'Manage'
  8. In the page that opens, at the top, locate 'Integrations' and click it

  9. Click 'Add MDM'
    10. In this example, an existing environment is seen integrated already. Currently, you can have multiple environments associated with a single Zimperium SaaS VPC tenant or on-premise environment


  10. Select 'airwatch by VMware', depending on your console version, it may say Workspace ONE. Once selected, click 'Next'
  11. Add the following information;

    URL: This is the URL your Workspace ONE UEM API Endpoint is accessible at.
    Note: This needs a DNS A record, publicly resolvable, with 443 inbound/outbound TCP/UDP traffic allowed. This public DNS A record could be created in whatever manages your public facing DNS. Examples: AWS Route 53, Cloudflare DNS, GCP Cloud DNS, Azure DNS.
    In this example, I have a DNS A Record created in Azure DNS for the URL: https://ws1.ryanpringnitz.com
    The appropriate network security group, route table and associated configuration is inplace to support this.

    Username: A Basic user, or LDAP user in Workspace ONE UEM.
    Note: The account must have permissions to make API calls for the smart groups, users, devices, and applications for the organization group(s) being managed. This example uses a directory account of ryanpringnitz\ws1

    MDM Name: Name it something appropriate, like 'Hawaii Retirement Provider', or
    Molokai Bank - Workspace ONE UEM - 1903 - Prod
    There is no incorrect value for this field. This is strictly to label the MDM environment in zConsole

    Background Sync: Ensure this box is checked


    Mask Imported User Information:     Check if you prefer the data to be anonymized. There are other unique identifiers that are not anonymized, and additional ways to limit data returned for other scenarios (e.g. GDPR compliance). I leave this unchecked in my lab environment.

    API Key: This is the API Key you copied in to your notepad. Paste it here.

  12. In the lower right corner, click 'Next'
  13. At the next page, select smart groups from Workspace ONE UEM that you want to import in to the Zimperium Mobile Threat Detection & Response console.
    Note: I suggest making and importing the following (5) smart groups in Workspace ONE UEM; Risk-Critical, Risk-Elevated, Risk-Low, App - Zimperium - Pilot, and App - Zimperium - GA
    More on this in an upcoming post covering... 
  14. Click 'Finish'
  15. This will take you back to the 'Integrations' page. Proceed to verify your configuration by clicking the green button 'Test MDM'

  16. Verify all the tests passed.
    Note: During these tests, network traffic between the VPC and your Workspace ONE environment is expected. A series of API calls from the VPC will be made to verify access to Workspace ONE API endpoints. 


Once integration is complete, you will want to look at my blog post covering zIPS delivery and activation on Android devices. Stay tuned for more posts covering Workspace ONE, Intelligence, Zimperium, Mobile Threats, and more.

 Mahalo,
Ryan Pringnitz



Location: 1571 Poipu Rd, Koloa, HI 96756, USA

Comments

Post a Comment

Popular posts from this blog

Delivering Managed Configurations (key/value pairs) to Android applications with Workspace ONE UEM profiles

Image
Applications often have secrets that should not be hardcoded in the source code. This poses a challenge for developers, as ProGuard can change classes and method names, it won't help with secrets. Examples of secrets that can be removed from application source code include an API key or a OAuth refresh token. Another capability is for the MDM to dynamically deliver values to the application, such as the current logged in user, device serial number, or organization group. Google has made it more challenging to access non-resettable device identifiers like the serial number in recent years, and this remains a viable solution to provide non-resettable device identifiers (and other values) to applications running on the device. So how do we do it? Workspace ONE UEM can deliver profiles to devices. Profiles can configure a number of settings, in addition to delivering key/value pairs to your applications.  Google refers to these key/value pairs as Managed Configurations, aka application
Read more

How to use Square's OkHttp Java library to access Workspace ONE UEM API's

Image
Digital workspace solutions often require consuming other services. When doing so, you may work with things like; REST API endpoints, Webhooks, gRPC, GraphQL - the list goes on. You can interact with these in a number of ways, but one way I've come to appreciate is with Java. It has been especially helpful when I've wanted to work with libraries like Appium, Selenium, OKHttp, or the Workspace ONE UEM SDK in a workflow. With that, I thought it would be helpful to share how to work with Workspace ONE UEM API's using Java. In this blog post, we will cover; Basics of JetBrain's IntelliJ IDE, touching on Apache Maven Using  Square's OkHttp   library  to call Workspace ONE UEM API's Why Java? Java is used by many and supported by most (Docker, Kubernetes, static code analysis tools, cloud service providers, Android, Windows, macOS, Tanzu Application Service, etc). Many languages compile to j ava
Read more

How to use Powershell with the Workspace ONE UEM API to search for users

Image
Using API's has been infinitely helpful in integrating Workspace ONE UEM with other enterprise services and applications. A question was asked recently about forming the correct HTTP header using Powershell, and returning the users in the users. Below is an example Powershell script I was able to create for this example. Make sure to include base64 encoded credentials in a folder (c:\creds\b64.txt in the example), and to update the $apiKey variable with an API key. #Workspace ONE UEM Environment Address / Authentication  $addy   =   "https://ws1.molokaibank.com" $b64   =   Get-Content   -Path   "c:\creds\b64.txt" $apiKey   =   "apikey" $b64EncodedAuth   =   " $b64 " # Header $content   =   "application/json"   $authHeader   =   "Basic "   +   $b64EncodedAuth $header   =  @{ "Authorization"   =   $authHeader ;  "aw-tenant-code"   =   $apiKey ;  "Accept"   =   $content ; 
Read more