EUC Usability & Security in the Enterprise 2023/24, Day 4: 3. Workspace ONE Mobile Threat Defense

3. Workspace ONE Mobile Threat Defense

VMware Workspace ONE Mobile Threat Defense (MTD) is our latest UEM-integrated advanced mobile endpoint security solution for Android, iOS, and Chrome. Powered by Lookout, Mobile Threat Defense helps organizations detect and respond to mobile threats and increases attention to mobile security best practices and standards. In this lab you will integrate Workspace ONE UEM with the Mobile Threat Defense.

Part 1: Activate Workspace One Mobile Threat Defense (Lookout) Account

Part 2: Install Intelligent Hub Onto Your Device

Part 3: Setup Workspace ONE UEM

Part 4: MTD & UEM integration

Part 5: Enrollment and Test

Part 6: Configure Phishing & Content Protection (PCP)

Part 7: Protect your Organization from Unapproved Applications

Part 1: Activate Workspace One Mobile Threat Defense (Lookout) Account
  1. In your email, find an invitation from [email protected]
  1. Click the Set my password link
    • Configure and Confirm your new password
    • Click Back to sign in.


  1. Launch https://mtp.lookout.com/a/ to sign into your VMware Workspace One Mobile Threat Defense admin console.

Part 2: Install Intelligent Hub Onto Your Device
  1. Launch the Android Studio and, if necessary, start your Device.
  1. Maximize your Android Emulator device by clicking the Undock icon.
  1. Launch Chrome
    • Accept prompts and configure Chrome
    • Browse to https://getwsone.com
  1. Click the Google Play link
    • Click Sign-in
    • Accept all prompts to configure Chrome on the device
    • Click Install to install the Intelligent Hub app on the device
    • Click Open to launch Intelligent Hub
  1. Once you are able to view the field to add the Email address or server, the VMware Workspace ONE UEM Intelligent Hub app has been installed successfully
    • Close the Intelligent Hub app
  1. Launch the Chrome Browser
    • In the upper right corner, click the white arrow (red circle) and choose Update Chrome.
    • Click Update.

Once Chrome has successfully been updated, you may continue with the next section.

Part 3: Setup Workspace ONE UEM

You need to configure the appropriate API access role and account in order for the Mobile Threat Defense environment to communicate with Workspace ONE UEM. You will then setup a smart group and tags to be leveraged as part of the integration.

  1. Open Chrome on the ControlCenter in your pod. Open the Workspace ONE UEM admin console (https://dw-livefire.awmdm.com) and navigate to ACCOUNTS > Administrators > Roles and click ADD ROLE
  1. Give the Role a name: MTD_API_Admin_{Your Initials}
    • Description: Used for MTD
    • Find the Category > API > REST
      • Configure the following:
        • Admins - Read
        • Apps - Read
        • Devices - Read
        • Groups - Read
        • Users - Read
  1. Then navigate to Device Management > Bulk Management
    • Click Read and Edit
  1. Scroll down and navigate to Settings > Tags
    • Click on Read and Edit
    • Click SAVE
  1. In the Workspace ONE UEM admin console, navigate to ACCOUNTS > Administrators > List View and Click ADD > Add Admin > Basic
  1. Fill in the following and click NEXT:
    • Username: MTD_Admin_{Your Initials}
    • Password: VMware1!
    • Confirm Password: VMware1!
    • First: MTD
    • Last Name: Admin
    • Email Address: [email protected]


  1. In Add Admin select your Organization Group (Should be your e-mail address) and the MTD_API_Admin_{Your Initials} Role you created earlier. Click NEXT.
  1. In the Details pane, leave the default settings and click NEXT
  1. In the Settings pane, click the None radio button next to Message type and click CERTIFICATES.
    • Type VMware1! for the Certificate Password and click SAVE.
    • If you receive a Warning message that an administrator has access to an Organization Group ... click Continue.
  1. Click on the three vertical dots and Edit your MTD_Admin account.
  1. Click NEXT until you get to Settings.  Type VMware1! in the Certificate Password field and click EXPORT CLIENT CERTIFICATE. This should begin the download of the certificate p12 format. (We will use this later in the lab) Click SAVE to store the admin account.
    • If you receive a Warning message that an administrator has access to an Organization Group ... click Continue.
  1. Navigate in the Workspace ONE Admin console to Groups & Settings > All Settings
  1. Now navigate to System > Advanced > API > REST API > Select Override > Click on + ADD
  1. Name WS1_MTD_{Your Initials} for the service.  Account type:  Admin. Copy the API Key to a notepad. Click Save at the bottom of the window.

NOTE: We will use this API key later in the integration with the Mobile Threat Defense Console.

  1. Close the settings page and navigate to Groups & Settings > Groups > Assignment Groups > Click + ADD SMART GROUP
  1. Name the Smart Group: MTD_Group_{Your Initials}, then ensure that your Organization Group (your e-mail address) is selected and click SAVE in the bottom right of the window.
  1. Click on your newly created Smart Group: MTD_Group_{Your Initials}
  1. Click Devices or Users
    • In the warning message box, click OK
    • In the Users field, type or select Craig and click ADD
    • Click Save
  1. Navigate in the Workspace ONE Admin console to Groups & Settings > All Settings
  1. In the left navigation menu click on Device & Users > Advanced > Tags in the navigation. Click + CREATE TAG
  1. Name the first tag MTD - Activated and click SAVE. Repeat the process for the following tags:
  • MTD - Deactivated
  • MTD - Disconnected
  • MTD - Pending
  • MTD - Unreachable
  • MTD - Threats Present
  • MTD - Secured
  • MTD - Low Risk
  • MTD - Moderate Risk
  • MTD - High Risk

*Ensure you have all 10 tags added in the Workspace ONE UEM Admin console.

  1. Navigate back to Groups & Settings > Groups > Assignment Groups > Click + Add Smart Group
    • Ensure that the Criteria tab is selected
    • In the Name field, type High Risk Devices
    • Expand Tags, click in the available field, select MTD-High Risk - {Your Org Name}, and click Add
    • Click Save
  1. Navigate to Resources > Native
    • Select the Public tab
    • Click Add Application
  1. In the Platform field drop down box, select Android
    • In the Source field, select Import From Play
    • Click Next
  1. Put a check in the box next to the following applications:
    • Adobe Acrobat Reader: Edit PDF
    • Microsoft Excel: Spreadsheets
    • Salesforce
    • Tunnel - Workspace ONE
    • Click IMPORT
  1. Next to Adobe Acrobat Reader, click Assign
  1. Input the following in the appropriate fields:
    • Name: Adobe Acrobat Reader
    • Assignment Groups: MTD_Group_{Your Initials} <-- this is your Smart Group
    • App Delivery: Auto
    • Auto-Update Priority: (Leave Default)
    • Click Create
  1. Click the Exclusions tab
    • Select High Risk Devices {Your Org}
    • Click Save
    • Click Publish
  1. Return to Resources  > Native > Public
    • Click Add Application and repeat the above steps for Microsoft Excel, Salesforce, and Tunnel - Workspace ONE
  1. Ensure that the Install Status for all three apps reads View.

Part 4: MTD & UEM Integration

Now that we have done the prerequisites for the Workspace ONE UEM settings, we will now make the necessary preparations on the Mobile Threat Defense console in order to complete the integration.

  1. Open a new tab in your browser on Control Center and navigate to https://mtp.lookout.com/a/
    • Authenticate using the credentials that you received via email (in your email, find an invitation from [email protected]).
  1. In the Mobile Threat Defense console navigate to Devices.
    • Select Device Policy Groups
  1. In upper right corner, click Create Group.
    • In the Name field type Developers and in the Description field type Group for Developers
    • Click Create Group


  1. In the Mobile Threat Defense console, navigate to Integrations.
  1. On the Integrations page, click Workspace ONE to set up a new connector.
  1. Fill in the following values:
    • Label: WS1-Integration-{initials}
    • Workspace ONE URL : https://as1605.awmdm.com/
    • API Token: Paste the token that was captured above. (This is the API Token that you created in UEM previously, Step 12)
    • Authentication: Certificate Authentication (default)
    • Below Certificate (required), Choose File... : Upload your MTD_Admin user certificate you downloaded above. (Step 5)
    • Passphrase: VMware1! 
  1. In the upper-right corner, select Connector Settings then click CREATE INTEGRATION.
  1. Scroll down and find Automatically drive Lookout for Work enrollment on Workspace ONE managed devices and set it to ON.
    1. Select MTD_Group_{Your Initials} from the drop down of the smart groups.
    2. Set sync newly enrolled devices and unenrolled devices from UEM every 5 minutes (default).
    3. Automatically push activation emails to Workspace ONE managed devices > Ensure that it is set to OFF.
    4. Delete device on unenrollment > Ensure that it is set to ON
    5. Treat devices which are removed from the enrollment smart group as unenrolled from Workspace ONE > Ensure that it is set to OFF
  1. Scroll down and Enable "Synchronize device status to Workspace ONE"
    • Match the State Sync to the Tags created in Workspace ONE UEM as shown above.
  1. Set an e-mail address kim@corpXXX.euc-livefire where XXX is your assigned domain identifier for error handling and then click SAVE CHANGES at the top of the page.

Part 5: Enrollment & Test

Now that we have successfully integrated the Mobile Threat Defense Console with Workspace ONE UEM, and enabled Phishing & Content Protection, let's proceed to get the Intelligent Hub to communicate with the Mobile Threat Defense Console.

  1. In the Mobile Threat Defense Console, navigate to System > Manage Enrollment > Enroll with code
  1. Click the device group enrollment code link
  1. Select the Developers Enrollment Code
    • Copy this code to a notepad
  1. Return to your WorkspaceOne UEM Admin console (https://dw-livefire.awmdm.com/)
  1. Navigate in the Workspace ONE Admin console to Groups & Settings > All Settings
    • In the Settings page, navigate to Apps > Settings and Policies > Settings, paste the JSON below (with the enrollment code from the MTD console in place of the placeholder) into Custom Settings, and click SAVE
{
   "mtdSettings": {
      "isEnabled": true,
      "enrollmentCode": "ENROLLMENT CODE GOES HERE"
   }
}
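The Custom Settings field is free-form JSON, so the usual failures are a typo that breaks the JSON, or the placeholder string being pasted unchanged (which leaves Tunnel reporting Not Configured later in the lab). The helper below is an added example, not VMware code or part of the lab: it merges the mtdSettings block into whatever Custom Settings JSON already exists (so unrelated keys survive) and checks a pasted value before you click SAVE. The sample values are constructed.

```python
import json

# The literal placeholder from the lab text; it must never reach the device.
PLACEHOLDER = "ENROLLMENT CODE GOES HERE"


def build_hub_custom_settings(enrollment_code, existing_custom_settings=None):
    """Return the Custom Settings JSON string that enables MTD in Intelligent Hub.

    The mtdSettings block is merged into any existing Custom Settings object so
    other keys are preserved. Raises ValueError if the enrollment code is
    missing or is still the placeholder.
    """
    if not isinstance(enrollment_code, str):
        raise ValueError("enrollment code must be a string")
    code = enrollment_code.strip()
    if not code or code == PLACEHOLDER:
        raise ValueError(
            "enrollment code not set; copy it from the MTD console under "
            "System > Manage Enrollment > Enroll with code")
    settings = {}
    if existing_custom_settings:
        settings = json.loads(existing_custom_settings)
        if not isinstance(settings, dict):
            raise ValueError("existing Custom Settings must be a JSON object")
    settings["mtdSettings"] = {"isEnabled": True, "enrollmentCode": code}
    return json.dumps(settings, indent=3)


def check_hub_custom_settings(custom_settings):
    """Return a list of problems found in a Custom Settings string.

    An empty list means the mtdSettings block is present, enabled and carries
    a real-looking enrollment code.
    """
    try:
        settings = json.loads(custom_settings)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    mtd = settings.get("mtdSettings") if isinstance(settings, dict) else None
    if not isinstance(mtd, dict):
        return ["mtdSettings block missing"]
    problems = []
    if mtd.get("isEnabled") is not True:
        problems.append("mtdSettings.isEnabled is not true")
    code = mtd.get("enrollmentCode")
    if not isinstance(code, str) or not code.strip():
        problems.append("enrollmentCode is missing")
    elif code == PLACEHOLDER:
        problems.append("enrollmentCode is still the placeholder")
    return problems


if __name__ == "__main__":
    # Constructed sample: an existing Custom Settings value with an unrelated key.
    existing = '{"someOtherSetting": 1}'
    merged = build_hub_custom_settings("ABC123", existing)  # "ABC123" is a made-up code
    print(merged)
    print(check_hub_custom_settings(merged))
```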

Configure the Intelligent Hub and Tunnel on your Android device. The minimum requirements are: Intelligent Hub 23.03.0.49 or later, Tunnel 23.01.0 Build 13, and either iOS 13 or later (PCP in Beta) or Android 9 or later.

  1. Return to your Android emulator and, if necessary, swipe up to view the Intelligent Hub app.
  1. Click Intelligent Hub app.
  1. In the Email address or server field, type craig@corpXXX.euc-livefire.com (where XXX is your assigned domain identifier) for the URL and click Next.
    • You will then be redirected to Azure.
    • Re-enter your email craig@corpXXX.euc-livefire.com with a password of VMware1!
    • Click Yes to stay signed in.
  1. Complete the enrollment process by approving the requested permissions.
    • Click Support
  1. In My Devices, note the device status of All Good.
    • Click the Android device
  1. Note the device status.
    • Device status may include: No risk, Enrolled, Compliant and Connectivity Normal
    • Click Mobile Threat Defense
      • Note that the device reads safe (but is it "safe"? You may see something different in the Mobile Threat Defense Admin Console shortly, Step 13)
    • Click the back arrow
    • Again, click the back arrow
  1. Click Apps
    • Note that applications that are available on the device.
  1. Return to the MTD Admin Console https://mtp.lookout.com/a/ and navigate to Devices. Initially it will report the device as Pending. Once it has successfully assessed the device it will report its Status.
  1. In this case the device is not reporting any issues; however, if we navigate to Vulnerabilities, we can observe that the Android device has 673 vulnerabilities
    • Click the Severity Ratio Percentage bar. We can see that 57 are Critical.

**Your details may vary

  1. Return to the Android emulator, click Work and launch the Chrome browser (You may have to click ESC a few times on your keyboard)
  1. If necessary, complete the Chrome setup process.
  1. In the URL field, type http://okay.ac and press Enter
    • Note how there is no protection against users accessing known bad phishing sites
  1. In the URL field, type http://newid.com and press Enter
    • Note how there is no protection against known criminal activity sites

Try connecting to the following sites, as well:

  • www.instagram.com
  • www.facebook.com

Part 6: MTD Phishing & Content Protection (PCP)

Workspace ONE Mobile Threat Defense Phishing and Content Protection is unique in that it is built directly into Workspace ONE Tunnel and works seamlessly with other Tunnel capabilities. This addresses conflicts that organizations may encounter with multiple VPN configurations (one for filtering and one for VPN) on a single device. In this lab we will configure PCP to protect against web and content threats.

  1. In the Mobile Threat Defense console navigate to Protections.
    • In the Manage settings for, click the drop down and select Developers.
  1. Select the Phishing and Content Protection tab
    • Remove the check next to Inherit from parent group
    • Set the Enable Phishing and Content Protection to ON
    • If necessary, put a check in the box next to enable Secure DNS
    • Set Make Phishing and Content Protection mandatory to ON
    • Click Save Changes
    • Click Save

Make Phishing and Content Protection mandatory is optional. If it is enabled, PCP is activated automatically on the device, and if PCP fails to activate, a PCP disabled threat is generated in the Mobile Threat Defense console and on the device.

If it is not set to mandatory, the device receives a notification that PCP is available to be activated, and the end user must set it up on the device.

  1. Scroll up, and ensure that the Phishing and Content Protection tab is selected
    • Click Configure Content Policies

Modify the following FOUR (4) Web and Content Policies and change the Risk Level to Low and Response to Block and Alert Device:

  • Web and Content Malicious Content
  • Web and Content Unauthorized Content
  • Web and Content Phishing Content
  • Web and Content Denylisted Content

  1. Put a check in the box next to Policy Type to select all of the Web and Content Policies
    • Click Enable
    • Click Save Changes
      • Click Save Changes
  1. Click the Gear icon next to Web and Content Unauthorized Content
    • Deselect Inherit from Parent Policy
    • Navigate to Personal Content and put a check in the box next to Social networking
    • Click Save Changes
  1. Return to the Android emulator, click Work and launch the Intelligent Hub app
    • Click your enrolled device
    • Click Safe Browsing ON
    • Click OK to acknowledge the Safe Browsing notification, if prompted.
  1. Return to the Work profile tab and select Tunnel
  1. Complete the setup process by approving the requested permissions.

If you see that the VMware Tunnel reads "Not Configured, Contact your IT admin":

  1. Ensure that you have enabled Phishing and Content Protection in the Workspace One MTD admin console https://mtp.lookout.com/a/.
  2. Ensure that you configured the proper Enrollment Code in Part 5, Step 5.
  1. Ensure that Safe Browsing has been successfully enabled and reads ON.
  1. In your Work profile, launch Chrome
  2. In the URL field, type http://okay.ac and press Enter
    • Note how users are protected against accessing known bad phishing sites

It can take quite a while for the settings to be updated.

  1. In the URL field, type http://newid.com and press Enter
    • Note how users are protected against accessing known bad fraud sites

Try connecting to the following sites, as well:

  • www.instagram.com
  • www.facebook.com
  • www.twitter.com
  • phishing.lookoutsafebrowsingtest.com

  1. Return to the Intelligent Hub app
    • If necessary, click Support
    • Click Your Android Device
    • Next to Safe Browsing ON, click the arrow
      • Note that there are several sites that have now been flagged.
    • Click the arrow next to Unauthorized Content.
    • Note each entry
  1. Return to your MTD admin console https://mtp.lookout.com/a/
    • In the left pane, click Issues
      • Note the list of issues that have been found in the last 30 days.

Part 7: Protect your Organization from Unapproved Applications

We can configure Workspace One UEM Smart Groups, in conjunction with Workspace One Mobile Threat Defense, to ensure that published resources are only available to those devices that are not tagged as High Risk.

  1. Return to Mobile Threat Defense admin console https://mtp.lookout.com/a/
    • In the left pane, select Protections
    • In the Manage Settings for field, ensure that Developers is selected.
    • Select the Policies tab
    • Find and select Device: Sideloaded App
      • Set the Risk level to High
      • Ensure that the Response is set to Block and alert device
    • Click the Gear Next to the High Risk level field
    • Deselect Inherit from parent policy
      • Note how apps sideloaded with Android Debug Bridge (adb) installers will be blocked
    • Click Save changes
      • Click Save changes
  1. In Teams, click on the Files Tab
    • Open the VMware Mobile Threat Defense Files > Side-loading Test Files folder
    • Download HelloWorld.apk

WINDOWS or MAC

  • Click the Terminal tab located at the bottom of your window.
  • Navigate to %your download location%\platform-tools
  • Run the following command from the terminal:

platform-tools % ./adb shell pm list users

Note the Work Profile ID (typically 10 or 11)

platform-tools % ./adb install --user {Work Profile ID number} HelloWorld.apk
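What the MTD "Device: Sideloaded App" policy reacts to is an app whose installer is not an approved store; an adb install leaves no installer at all. The script below is an added example (not VMware, Lookout or lab code) that shows the same check from the defender's side: it parses the output of the two adb commands above (pm list users, and pm list packages -i --user N -3, which prints each third-party package with its installer) and reports work-profile packages that did not come from Google Play. It assumes the work profile's user name contains "Work", as the emulator prints it; the sample output is constructed, not captured from a device.

```python
import re

# Installer package names treated as approved sources. Anything else, including
# "null" (no recorded installer, which is what `adb install` leaves), counts as
# sideloaded for this check. Assumption: Google Play is the only approved store.
APPROVED_INSTALLERS = {"com.android.vending"}

# `pm list users` prints lines like: UserInfo{10:Work profile:1030} running
USERINFO_RE = re.compile(r"UserInfo\{(\d+):([^:}]*):[0-9a-fA-F]+\}")
# `pm list packages -i` prints lines like: package:com.foo  installer=com.android.vending
PACKAGE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def work_profile_ids(pm_list_users_output):
    """Return the user ids of work profiles found in `adb shell pm list users` output."""
    ids = []
    for user_id, name in USERINFO_RE.findall(pm_list_users_output):
        if "work" in name.lower():
            ids.append(int(user_id))
    return ids


def sideloaded_packages(pm_list_packages_output):
    """Return (package, installer) pairs whose installer is not an approved store.

    Input is the output of `adb shell pm list packages -i --user <id> -3`.
    """
    found = []
    for line in pm_list_packages_output.splitlines():
        m = PACKAGE_RE.match(line.strip())
        if not m:
            continue  # skip headers or blank lines
        package, installer = m.groups()
        if installer not in APPROVED_INSTALLERS:
            found.append((package, installer))
    return found


# Constructed sample output in the emulator's format; the HelloWorld package
# name is made up to stand in for the lab's sideloaded test APK.
SAMPLE_USERS = """Users:
\tUserInfo{0:Owner:c13} running
\tUserInfo{10:Work profile:1030} running
"""
SAMPLE_PACKAGES = """package:com.adobe.reader  installer=com.android.vending
package:com.example.helloworld  installer=null
package:com.salesforce.chatter  installer=com.android.vending
"""

if __name__ == "__main__":
    for uid in work_profile_ids(SAMPLE_USERS):
        print(f"work profile user id: {uid}")
    for pkg, src in sideloaded_packages(SAMPLE_PACKAGES):
        print(f"sideloaded: {pkg} (installer={src})")
```

On a live emulator, feed the script the real command output (for example via subprocess.check_output(["adb", "shell", "pm", "list", "users"])) instead of the constructed samples.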


  1. Click the Work tab
    • Note that the Hello World app has been sideloaded successfully
  1. Note that the Adobe Acrobat Reader, Microsoft Excel, and Salesforce apps no longer appear in the Work profile. (It may take a moment for this to occur)
  1. On the Android device, return to the Intelligent Hub app and click Support in the lower left corner.
    • In the Your device is at risk section, click the arrow to view more information
  1. This sideloaded application has been tagged as High Risk
  1. Return to the Workspace ONE UEM admin console (https://dw-livefire.awmdm.com) and navigate to Devices > List View
    • Click Craig Android
    • Note the HIGH RISK tag that has now been assigned
  1. Return to the MTD Admin Console https://mtp.lookout.com/a/
    • Navigate to Devices.
      • Click High Risk
    • Click Hello World on the High Risk device
  1. Click the Allow sideloaded app command button
    • Note the Signature Hash
      • Click Allow sideloading
        • Click Ok
  1. Click Configure Policy
    • Note that sideloading for the Hello World app has been allowed
      • Click Cancel
  1. Return to your Android emulator
    • Delete the Hello World app from both Personal and Work tabs
    • Click OK
  1. After uninstalling the Hello World app from both the Personal and Work tabs, your published apps will reappear. (It may take up to 2 hours for all apps to reappear)

This completes the Workspace ONE Mobile Threat Defense lab.

Part 8: Workspace One Trust Network Integration

Workspace ONE Trust Network integrates threat data from security solutions including endpoint detection and response (EDR) solutions, mobile threat defense (MTD) solutions, and cloud access security brokers (CASB). This integration provides Workspace ONE Intelligence users with insights into the risks to devices and users in their environment. See how to register your specific Trust Network system with Intelligence.

