VMware Verify (Intelligent Hub)
In this lab we will set up MFA using VMware's own Intelligent Hub. This authentication method does not require a phone number (GSM) to be registered; instead it uses the already deployed Intelligent Hub as a "soft token" during the authentication process.
- Workspace ONE Access integrated with Workspace ONE UEM
- Hub Services activated with Notifications enabled.
- Workspace ONE Intelligent Hub app 20.05 or later installed on user devices.
- iOS or Android (physical or emulator) Device enrolled
- (Optional) Require device-level passcodes for managed devices and app-level passcode for registered devices.
NOTE: This authentication method is designed to be used in conjunction with another form of authentication, and should not be used as a standalone authentication method.
NOTE: Please ensure you have a mobile device enrolled from the introduction labs from day 1. Currently VMware Verify (Intelligent Hub) is only supported on iOS & Android and does not support getting prompts on Windows devices.
- On your Workspace ONE Access administrator console
- Login using your custom admin account.
- Select the Identity & Access Management tab
- To the right of the page select Manage
- Select Authentication Methods
- Next to Verify (Intelligent Hub) select the pencil icon
- On the pop-up Verify (Intelligent Hub) window
- Select the box next to Enable Verify (Intelligent Hub)
- Select the box next to Enhanced Verification on Managed Devices
- Select Save at the bottom right
- In Workspace ONE Access console
- Navigate to Identity Providers
- Select the Built-in Identity provider.
- In the Built-in Identity provider window
- Scroll down to the Authentication methods area
- Select the box next to Verify (Intelligent Hub)
- Select Save at the bottom of the page.
- In the Workspace ONE Access admin console
- Navigate to Identity & Access Management.
- Select Manage
- On the left-hand side, click Policies
- Click EDIT DEFAULT POLICY on the Policies page.
- In the Edit Policy window
- In the left hand navigation, select Configuration
- Select ALL RANGES next to Device Type > Web Browser.
3. In the Edit Policy Rule page click the + next to the first form of authentication.
This could be Certificate (cloud deployment) or it could be Password (cloud deployment). *This could depend on previous labs or use-cases. The important concept is that we are using the "and" function in authentication rather than "or".*
4. You should now get a new authentication method drop down next to "and"
a. Select Verify (Intelligent Hub)
b. Once you have confirmed that you either have Certificate (cloud deployment) and Verify (Intelligent Hub) or you have Password (cloud deployment) and Verify (Intelligent Hub) you can click SAVE at the bottom right
NOTE: Ensure you still have password (local directory) as the fallback authentication method so that you can get back into the administrator console.
5. Click NEXT on the Edit Policy page
6. Click SAVE on the Summary page
1. Navigate to your on-premise lab environment and click into the Remote Desktops folder on the Desktop of the ControlCenter virtual machine.
a. Double Click the W10Client01.RDP to connect to the Windows 10 Client.
2. Click Connect when the Remote Desktop Connection window pops up.
3. On the desktop of W10Client01, click Google Chrome.
4. Type in the Workspace ONE Access URL for your tenant and press Enter.
a. If you have configured Certificate (cloud deployment) as your first authentication method, you will be prompted to select a certificate; click OK. (If you did the extra material in the previous lab you will not be prompted.)
b. OR if you have configured Password (cloud deployment) as your first authentication method, select your domain and enter your username and password.
5. If you have multiple devices configured for this user you will be asked to select your device. Confirm the device and click Continue.
NOTE: If you only have a single device configured you will not be prompted to select a device. This device becomes the default/preferred device and will be remembered for future authentication requests. (See part 5 to reset)
6. The browser will now give you 60 seconds to respond to the request on your mobile device. If notifications are enabled for the Intelligent Hub you will see the notification on the lock screen; otherwise navigate to the Intelligent Hub and click Approve on the Sign-in Request.
Note: The screen shots are for both iOS and Android above depending on which platform you are using.
7. You will then be prompted for the device passcode (or Touch-ID/Face-ID) used to unlock the device if you have one.
8. Once approved, you will be authenticated in the web browser to your Intelligent Hub.
9. In the Intelligent Hub on the mobile device click on For You. Here you can view the current Notifications. Then click in the top right corner on History. Here you will see the Authentication requests that have been made.
Troubleshooting / Reporting step:
Let's look at what events are created as a result of the authentication.
1. Navigate back to the Workspace ONE Access administration console and click on the down arrow next to Dashboard and select Reports.
2. Select Audit Events from the Reports drop-down and click Show.
3. Click View Details on the most current event labeled LOGIN (Certificate (cloud deployment), Verify (Intelligent Hub))
4. In the details view of the event, you should see that the Authentication Method is hubmfa and that "success" : "true".
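The same check can be run across many login records at once. The Python below is an added example, not part of the original lab or any VMware tooling: it reviews constructed LOGIN records and flags any that did not chain hubmfa with a first factor. The field names `type`, `user` and `authMethods` are assumptions; only the `hubmfa` value and `"success" : "true"` come from the event details shown in this lab.

```python
import json

HUB_MFA = "hubmfa"  # Authentication Method value shown in the lab's event details

# Constructed sample records. "type", "user" and "authMethods" are assumed field
# names, not the Workspace ONE Access export schema; adapt them to your export.
SAMPLE_EVENTS = json.loads("""[
  {"type": "LOGIN",  "user": "user1", "authMethods": ["certificate", "hubmfa"], "success": "true"},
  {"type": "LOGIN",  "user": "user2", "authMethods": ["password"],              "success": "true"},
  {"type": "LOGIN",  "user": "user1", "authMethods": ["password", "hubmfa"],    "success": "false"},
  {"type": "LOGIN",  "user": "user3", "authMethods": ["hubmfa"],                "success": "true"},
  {"type": "LOGOUT", "user": "user1", "authMethods": [],                        "success": "true"}
]""")


def classify_login(event):
    """Return a finding for one LOGIN record, or None for other event types."""
    if event.get("type") != "LOGIN":
        return None
    methods = [m.lower() for m in event.get("authMethods", [])]
    # The lab shows success as the string "true"; accept a JSON boolean as well.
    succeeded = str(event.get("success", "")).lower() == "true"
    if not succeeded:
        return "failed-with-hubmfa" if HUB_MFA in methods else "failed"
    if HUB_MFA not in methods:
        return "no-hubmfa"          # fallback rule used, or a policy gap
    if len(set(methods)) < 2:
        return "hubmfa-standalone"  # lab NOTE: not meant to be used on its own
    return "ok"


def review(events):
    """Map each finding to the users it applies to, skipping non-LOGIN events."""
    report = {}
    for ev in events:
        finding = classify_login(ev)
        if finding is not None:
            report.setdefault(finding, []).append(ev.get("user", "?"))
    return report


if __name__ == "__main__":
    for finding, users in review(SAMPLE_EVENTS).items():
        print(f"{finding}: {', '.join(users)}")
```

A `no-hubmfa` result is expected for logins that went through the password (local directory) fallback rule; anything else in that bucket means the "and" chain in the policy rule was not applied.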
In a previous version of this lab you would have used an API string to reset the preferred device setting for Verify (Intelligent Hub). As of April 2021, Access has a GUI-based reset action that lets an administrator reset an end user's previously selected device for MFA.
- In the Workspace ONE Access admin console navigate to Users & Groups
- In the Users tab click on the user Debio, Mark
- In the user view click on Two-Factor Authentication
- You will now find the Reset option under the title Intelligent Hub Verify. Don't click Reset for this lab, as we will continue to use this device as the preferred device for Hub MFA.
This concludes the VMware Verify - Intelligent Hub lab.
Authored by: Simeon Frank