3. Workspace ONE Mobile Threat Defense

VMware Workspace ONE Mobile Threat Defense (MTD) is the UEM-integrated mobile endpoint security solution for Android, iOS, and Chrome OS. Powered by Lookout, Mobile Threat Defense helps organizations detect and respond to mobile threats and reinforces mobile security best practices and standards. In this lab you will integrate Workspace ONE UEM with Mobile Threat Defense.

Part 1: Activate Workspace One Mobile Threat Defense (Lookout) Account

Part 2: Install Intelligent Hub Onto Your Device

Part 3: Setup Workspace ONE UEM

Part 4: MTD & UEM integration

Part 5: Enrollment and Test

Part 6: Configure Phishing & Content Protection (PCP)

Part 7: Protect your Organization from Unapproved Applications

Part 8: Workspace One Trust Network Integration

Part 1: Activate Workspace One Mobile Threat Defense (Lookout) Account
  1. In your email, find an invitation from [email protected]
  2. Click the Set my password link
    • Configure and confirm your new password
    • Click Back to sign in.
  3. Launch https://mtp.lookout.com/a/ to sign into your VMware Workspace One Mobile Threat Defense admin console.
Part 2: Install Intelligent Hub Onto Your Device
  1. Launch Android Studio and, if necessary, start your device.
  2. Maximize your Android Emulator device by clicking the Undock icon.
  3. Launch Chrome
    • Accept prompts and configure Chrome
    • Browse to https://getwsone.com
  4. Click the Google Play link
    • Click Sign-in
    • Accept all prompts to configure Chrome on the device
    • Click Install to install the Intelligent Hub app on the device
    • Click Open to launch Intelligent Hub
  5. Once you can see the Email address or server field, the VMware Workspace ONE UEM Intelligent Hub app has been installed successfully
    • Close the Intelligent Hub app
  6. Launch the Chrome browser
    • In the upper right corner, click the white arrow and choose Update Chrome.
    • Click Update.

Once Chrome has successfully been updated, you may continue with the next section.

Part 3: Setup Workspace ONE UEM

You need to configure an API access role and account so that the Mobile Threat Defense environment can communicate with Workspace ONE UEM. You will then set up a smart group and tags that the integration uses.

  1. Open Chrome on the ControlCenter in your pod. Open the Workspace ONE UEM admin console (https://dw-livefire.awmdm.com) and navigate to ACCOUNTS > Administrators > Roles and click ADD ROLE
  2. Give the Role a name: MTD_API_Admin_{Your Initials}
    • Description: Used for MTD
    • Find the Category > API > REST
      • Configure the following:
        • Admins - Read
        • Apps - Read
        • Devices - Read
        • Groups - Read
        • Users - Read
  3. Then navigate to Device Management > Bulk Management
    • Click Read and Edit
  4. Scroll down and navigate to Settings > Tags
    • Click Read and Edit
    • Click SAVE

NOTE: Keep this role as narrow as shown. The connector only needs read access plus the ability to tag devices in bulk, which is what the state sync configured in Part 4 uses to mark devices with their MTD status.

  5. In the Workspace ONE UEM admin console, navigate to ACCOUNTS > Administrators > List View and click ADD > Add Admin > Basic
  6. Fill in the following and click NEXT:
    • Username: MTD_Admin_{Your Initials}
    • Password: VMware1!
    • Confirm Password: VMware1!
    • First Name: MTD
    • Last Name: Admin
    • Email Address: [email protected]
  7. In Add Admin select your Organization Group (should be your e-mail address) and the MTD_API_Admin_{Your Initials} Role you created earlier. Click NEXT.
  8. In the Details pane, leave the default settings and click NEXT
  9. In the Settings pane, click the None radio button next to Message type and click CERTIFICATES.
    • Type VMware1! for the Certificate Password and click SAVE.
    • If you receive a Warning message that an administrator has access to an Organization Group ... click Continue.
  10. Click the three vertical dots and Edit your MTD_Admin account.
  11. Click NEXT until you get to Settings. Type VMware1! in the Certificate Password field and click EXPORT CLIENT CERTIFICATE. This starts the download of the client certificate in .p12 format (you will upload it to the Mobile Threat Defense console in Part 4). Click SAVE to store the admin account.
    • If you receive a Warning message that an administrator has access to an Organization Group ... click Continue.
  12. Navigate in the Workspace ONE Admin console to Groups & Settings > All Settings
  13. Now navigate to System > Advanced > API > REST API > Select Override > Click + ADD
  14. Name the service WS1_MTD_{Your Initials}. Account type: Admin. Copy the API Key to a notepad. Click Save at the bottom of the window.

NOTE: We will use this API key later in the integration with the Mobile Threat Defense Console. Treat the API key and the exported .p12 as credentials: together with the MTD_Admin account they grant API access to your tenant.

  15. Close the settings page and navigate to Groups & Settings > Groups > Assignment Groups > Click + ADD SMART GROUP
  16. Name the Smart Group MTD_Group_{Your Initials}, ensure that your Organization Group (your e-mail address) is selected and click SAVE in the bottom right of the window.
  17. Click your newly created Smart Group: MTD_Group_{Your Initials}
  18. Click Devices or Users
    • In the warning message box, click OK
    • In the Users field, type or select Craig and click ADD
    • Click Save
  19. Navigate in the Workspace ONE Admin console to Groups & Settings > All Settings
  20. In the left navigation menu click Devices & Users > Advanced > Tags. Click + CREATE TAG
  21. Name the first tag MTD - Activated and click SAVE. Repeat the process for the following tags:
  • MTD - Deactivated
  • MTD - Disconnected
  • MTD - Pending
  • MTD - Unreachable
  • MTD - Threats Present
  • MTD - Secured
  • MTD - Low Risk
  • MTD - Moderate Risk
  • MTD - High Risk

*Ensure you have all 10 tags added in the Workspace ONE UEM Admin console. The state sync in Part 4 maps each MTD state to one of these tags by name, so spell them exactly as shown.

  22. Navigate back to Groups & Settings > Groups > Assignment Groups > Click + ADD SMART GROUP
    • Ensure that the Criteria tab is selected
    • In the Name field, type High Risk Devices
    • Expand Tags, click in the available field, select MTD - High Risk - {Your Org Name}, and click Add
    • Click Save
  23. Navigate to Resources > Native
    • Select the Public tab
    • Click Add Application
  24. In the Platform drop-down, select Android
    • In the Source field, select Import From Play
    • Click Next
  25. Put a check in the box next to the following applications:
    • Adobe Acrobat Reader: Edit PDF
    • Microsoft Excel: Spreadsheets
    • Salesforce
    • Tunnel - Workspace ONE
    • Click IMPORT
  26. Next to Adobe Acrobat Reader click Assign
  27. Input the following in the appropriate fields:
    • Name: Adobe Acrobat Reader
    • Assignment Groups: MTD_Group_{Your Initials} <-- this is your Smart Group
    • App Delivery: Auto
    • Auto-Update Priority: (leave default)
    • Click Create
  28. Click the Exclusions tab
    • Select High Risk Devices {Your Org}
    • Click Save
    • Click Publish
  29. Return to Resources > Native > Public
    • Click Add Application and repeat the above steps for Microsoft Excel and Salesforce.
    • Click Add Application and repeat the above steps for Tunnel - Workspace ONE. However, DO NOT add Tunnel to the Exclusions.

DO NOT add Tunnel - Workspace ONE to Exclusions! Phishing & Content Protection (Part 6) runs inside Tunnel, so a high-risk device that lost Tunnel would also lose its web protection.

  30. Ensure that the Install Status for all three apps reads View.
Part 4: MTD & UEM Integration

Now that the Workspace ONE UEM prerequisites are done, we will make the necessary preparations in the Mobile Threat Defense console to complete the integration.

  1. Open a new tab in your browser on Control Center and navigate to https://mtp.lookout.com/a/
    • Authenticate using the credentials that you received via email (in your email, find an invitation from [email protected]).
  2. In the Mobile Threat Defense console navigate to Devices.
    • Select Device Policy Groups
  3. In the upper right corner, click Create Group.
    • In the Name field type Developers and in the Description field type Group for Developers
    • Click Create Group
  4. In the Mobile Threat Defense console, navigate to Integrations.
  5. On the Integrations page click WorkspaceONE; this lets us set up a new connector.
  6. Fill in the following values:
    • Label: WS1-Integration-{initials}
    • Workspace ONE URL: https://as1605.awmdm.com/
    • API Token: Paste the REST API key (WS1_MTD_{Your Initials}) that you copied to notepad in Part 3.
    • Authentication: Certificate Authentication (default)
    • Below Certificate (required), Choose File...: upload the MTD_Admin client certificate (.p12) you exported in Part 3.
    • Passphrase: VMware1!
  7. In the upper-right corner, select Connector Settings then click CREATE INTEGRATION.
  8. Scroll down and find Automatically drive Lookout for Work enrollment on Workspace ONE managed devices and set it to ON.
    1. Select MTD_Group_{Your Initials} from the smart group drop-down.
    2. Leave Sync newly enrolled devices and unenrolled devices from UEM at every 5 minutes (default).
    3. Automatically push activation emails to Workspace ONE managed devices: ensure that it is set to OFF.
    4. Delete device on unenrollment: ensure that it is set to ON
    5. Treat devices which are removed from the enrollment smart group as unenrolled from Workspace ONE: ensure that it is set to OFF
  9. Scroll down and enable Synchronize device status to Workspace ONE
    • Match each state in State Sync to the corresponding tag created in Workspace ONE UEM in Part 3 (for example, Activated to MTD - Activated and High Risk to MTD - High Risk).
  10. Set an e-mail address kim@euc-livefire for error handling and then click SAVE CHANGES at the top of the page.
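Before handing the API key and client certificate to the Lookout connector, it is worth confirming from the UEM side that the key, the admin account and all ten MTD tags are in place: if a tag is missing or spelled differently, the state sync you just configured maps that state to nothing and no error is raised. The Python script below is an added example for that pre-flight check; it is not part of the lab and not VMware's or Lookout's code. It assumes the documented UEM REST convention of sending the tenant API key in the aw-tenant-code header with an authenticated admin (Basic auth with the MTD_Admin account here, whereas the connector uses the .p12), the endpoints GET /api/system/info and GET /api/mdm/tags/search?organizationgroupid=..., and a tag-search response of the form {"Tags": [{"TagName": ...}]}. The environment variable names and the sample response embedded in the script are constructed for the example.

```python
"""Pre-flight check of the Workspace ONE UEM prerequisites for the MTD connector.

Added example, not part of the lab. The endpoints, the response shape and the
environment variable names are assumptions; aw-tenant-code + admin credentials
is the documented way every UEM REST call is authenticated.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# The ten tags the lab creates in Part 3; State Sync in Part 4 maps onto these names.
MTD_TAGS = (
    "MTD - Activated", "MTD - Deactivated", "MTD - Disconnected",
    "MTD - Pending", "MTD - Unreachable", "MTD - Threats Present",
    "MTD - Secured", "MTD - Low Risk", "MTD - Moderate Risk", "MTD - High Risk",
)

# Constructed sample of a tag-search response: one tag missing, one spelled wrongly.
SAMPLE_TAG_SEARCH = {
    "Tags": [{"TagName": n} for n in (
        "MTD - Activated", "MTD - Deactivated", "MTD - Disconnected", "MTD - Unreachable",
        "MTD - Threats Present", "MTD - Secured", "MTD - Low Risk", "MTD - Moderate Risk",
        "MTD-High Risk",
    )]
}


def uem_headers(api_key, username, password):
    """Headers UEM requires on every REST call: tenant API key plus admin credentials."""
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"aw-tenant-code": api_key, "Authorization": f"Basic {basic}", "Accept": "application/json"}


def _norm(name):
    # "MTD-High Risk" and "MTD - High Risk" are the same tag to a human but not to
    # State Sync, so compare a normalised form and report the exact spelling.
    return " ".join(name.replace("-", " - ").split()).lower()


def missing_mtd_tags(tag_search_response):
    """MTD tags that do not exist at all (not even under a variant spelling)."""
    present = {_norm(t.get("TagName", "")) for t in tag_search_response.get("Tags", [])}
    return [tag for tag in MTD_TAGS if _norm(tag) not in present]


def misspelled_mtd_tags(tag_search_response):
    """(existing name, required name) pairs: tags that exist but must be renamed."""
    wanted = {_norm(tag): tag for tag in MTD_TAGS}
    found = []
    for t in tag_search_response.get("Tags", []):
        name = t.get("TagName", "")
        if name not in MTD_TAGS and _norm(name) in wanted:
            found.append((name, wanted[_norm(name)]))
    return found


def report(tag_search_response):
    """Actions needed before enabling State Sync; an empty list means the tags are ready."""
    actions = [f"rename tag {wrong!r} -> {right!r}" for wrong, right in misspelled_mtd_tags(tag_search_response)]
    actions += [f"create tag {tag!r}" for tag in missing_mtd_tags(tag_search_response)]
    return actions


def _get(base_url, path, headers, params=None):
    url = base_url.rstrip("/") + path + ("?" + urllib.parse.urlencode(params) if params else "")
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as resp:
        return json.load(resp)


def main():
    if "UEM_URL" not in os.environ:   # offline: exercise the check against the constructed sample
        print("UEM_URL not set; checking the constructed sample response instead")
        tags = SAMPLE_TAG_SEARCH
    else:
        # Credentials come from the environment so the API key never lands in the script.
        hdrs = uem_headers(os.environ["UEM_API_KEY"], os.environ["UEM_USER"], os.environ["UEM_PASSWORD"])
        base = os.environ["UEM_URL"]          # the API host (e.g. https://as1605.awmdm.com), not the console
        info = _get(base, "/api/system/info", hdrs)   # 401/403 here means key, account or role is wrong
        print("UEM product version:", info.get("ProductVersion", "unknown"))
        tags = _get(base, "/api/mdm/tags/search", hdrs, {"organizationgroupid": os.environ["UEM_OG_ID"]})
    actions = report(tags)
    for line in actions:
        print(line)
    return 1 if actions else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with UEM_URL, UEM_OG_ID, UEM_API_KEY, UEM_USER and UEM_PASSWORD set; with no UEM_URL it evaluates the built-in sample, which reports one tag to rename and one to create. A failing call to /api/system/info is the quickest way to find out that the role from Part 3 is missing the REST permissions before the Lookout console reports a less specific connector error.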
Part 5: Enrollment & Test

Now that we have integrated the Mobile Threat Defense console with Workspace ONE UEM, let's get the Intelligent Hub to communicate with the Mobile Threat Defense console.

  1. In the Mobile Threat Defense Console, navigate to System > Manage Enrollment > Enroll with code
  2. Click the device group enrollment code link
  3. Select the Developers Enrollment Code
    • Copy this code to a notepad
  4. Return to your Workspace ONE UEM admin console (https://dw-livefire.awmdm.com/)
  5. Navigate in the Workspace ONE Admin console to Groups & Settings > All Settings
    • In the Settings page navigate to Apps > Settings and Policies > Settings, paste the JSON below into Custom Settings with the enrollment code from the MTD console filled in, and click SAVE
{
  "mtdSettings": {
    "isEnabled": true,
    "enrollmentCode": "ENROLLMENT CODE GOES HERE"
  }
}

Configure the Intelligent Hub and Tunnel on your Android device. The minimum requirements are Intelligent Hub 23.03.0.49 and Tunnel 23.01.0 Build 13, on iOS 13 or later (PCP in Beta on iOS) or Android 9 or later.

  6. Return to your Android emulator and, if necessary, swipe up to view the Intelligent Hub app.
  7. Click the Intelligent Hub app.
  8. In the Email address or server field, type https://ds1605.awmdm.com and click Next.
    • Enter your Group ID and click Next
    • Click the dropdown arrow next to Select Your Domain, select euc-livefire.com, check Remember this setting and click Next
    • In the following fields, type the following and click Sign in:
      • Username: Craig
      • Password: VMware1!
  9. Complete the enrollment process by approving the requested permissions.
    • Click Support
  10. In My Devices, note the device status of All Good.
    • Click the Android device
  11. Note the device status.
    • Device status may include: No risk, Enrolled, Compliant and Connectivity Normal
    • Click Mobile Threat Defense
      • Note that the device reads Safe (but is it safe? You may see something different in the Mobile Threat Defense admin console shortly)
      • Note that Safe Browsing is turned off. We will enable this feature shortly.
    • Click the back arrow
    • Again, click the back arrow
  12. Click Apps
    • Note the applications that are available on the device.
  13. Return to the MTD Admin Console https://mtp.lookout.com/a/ and navigate to Devices. Initially it may report the device as Pending. Once it has successfully assessed the device it will report its Status.
  14. In this case the device is not reporting any issues; however, if we navigate to Vulnerabilities, we can observe that the Android device has 673 known vulnerabilities
    • Click the Severity Ratio percentage bar. We can see that 57 are Critical

*Your details may vary

  15. Return to the Android emulator, click the Work profile and launch the Chrome browser (you may have to press ESC a few times on your keyboard)
  16. If necessary, complete the Chrome setup process.
  17. In the URL field, type http://okay.ac and press Enter
    • Note that there is no protection yet against users accessing known phishing sites
  18. In the URL field, type http://newid.com and press Enter
    • Note that there is no protection yet against known criminal activity sites

Try connecting to the following sites, as well:

  • www.instagram.com
  • www.facebook.com
Part 6: MTD Phishing & Content Protection (PCP)

Workspace ONE Mobile Threat Defense Phishing and Content Protection is unique in that it is built directly into Workspace ONE Tunnel and works seamlessly with other Tunnel capabilities. This avoids the conflict organizations otherwise hit with multiple VPN configurations on a single device, one for filtering and one for VPN. In this lab we will configure PCP to protect users from web and content threats.

  1. In the Mobile Threat Defense console navigate to Protections.
    • In Manage settings for, click the drop-down and select Developers.
  2. Select the Phishing and Content Protection tab
    • Remove the check next to Inherit from parent group
    • Set Enable Phishing and Content Protection to ON
    • If necessary, put a check in the box next to Enable Secure DNS
    • Set Make Phishing and Content Protection mandatory to ON
    • Click Save Changes
    • Click Save

Make Phishing and Content Protection mandatory is optional. If it is enabled, PCP is activated automatically on the device, and a PCP disabled threat is generated in the Mobile Threat Defense console and on the device if PCP fails to activate.

If it is not set to mandatory, the device receives a notification that PCP is available to be activated, and the end user has to set it up on the device.

  3. Scroll up, and ensure that the Phishing and Content Protection tab is selected
    • Click Configure Content Policies

Modify the following FOUR (4) Web and Content policies, changing the Risk Level to Medium and the Response to Block and Alert Device:

  4. Select the four policies
    • Web and Content Malicious Content
    • Web and Content Unauthorized Content
    • Web and Content Phishing Content
    • Web and Content Denylisted Content
    • Put a check in the box next to Policy Type to select all of the Web and Content policies
      • Click Enable
    • Click Review and Save
      • Click Save Changes
  5. Click the Gear icon next to Web and Content Unauthorized Content
    • Deselect Inherit from Parent Policy
    • Navigate to Personal Content and put a check in the box next to Social networking and Streaming media and downloads
    • Click Save Changes
      • Click Save Changes
  6. Return to the Android emulator, click Work and launch the Intelligent Hub app
    • Click your enrolled device
    • Click Safe Browsing needs to be setup
    • Click Setup to set up Tunnel.
    • Click Open Tunnel
  7. Complete the setup process by approving the requested permissions.

If VMware Tunnel reads "Not Configured, Contact your IT admin":

  • Ensure that you have enabled Phishing and Content Protection in the Workspace One MTD admin console https://mtp.lookout.com/a/.
  • Ensure that you pasted the correct Enrollment Code into the Custom Settings JSON in Part 5.

  8. Ensure that Safe Browsing has been successfully enabled and reads ON.
  9. In your Work profile, launch Chrome
  10. In the URL field, type http://okay.ac and press Enter
    • Note how users are now protected against accessing known phishing sites

It can take quite a while for the settings to be updated.

  11. In the URL field, type http://newid.com and press Enter
    • Note how users are protected against accessing known fraud sites

Try connecting to the following sites, as well:

  • www.instagram.com
  • www.facebook.com
  • www.twitter.com (www.x.com)
  • phishing.lookoutsafebrowsingtest.com
  12. Return to the Intelligent Hub app
    • If necessary, click Support
    • Click Your Android Device
    • Next to Safe Browsing ON, click the arrow
      • Note that several sites have now been flagged.
    • Click the arrow next to Unauthorized Content.
    • Note each entry
  13. Return to your MTD admin console https://mtp.lookout.com/a/
    • In the left pane, click Issues
      • Note the list of issues found in the last 30 days.
Part 7: Protect your Organization from Unapproved Applications

We can configure Workspace One UEM Smart Groups, in conjunction with Workspace One Mobile Threat Defense, to ensure that published resources are only available to those devices that are not tagged as High Risk.

  1. Return to the Mobile Threat Defense admin console https://mtp.lookout.com/a/
    • In the left pane, select Protections
    • In the Manage settings for field, ensure that Developers is selected.
    • Select the Policies tab
    • Find and select Device: Sideloaded App
      • Set the Risk level to High
      • Ensure that the Response is set to Alert device
    • Click the Gear next to the High Risk level field
    • Deselect Inherit from parent policy
      • Note how apps sideloaded with Android Debug Bridge (adb) installers will be blocked
    • Ensure that Device: Sideloaded App is selected and click ENABLE
    • Click Review and save
      • Click Save changes
  2. In Teams, click the Files tab
    • Open the VMware Mobile Threat Defense Files > Side-loading Test Files folder
    • Download HelloWorld.apk

WINDOWS or MAC

  • Click the Terminal tab at the bottom of your window.
  • Navigate to %your download location%\platform-tools
  • Run the following command from the terminal to list the Android users on the device:

platform-tools % ./adb shell pm list users

Note the Work Profile ID (typically 10 or 11); it is the number at the start of the UserInfo{...} entry named Work profile. Then install the APK into that profile:

platform-tools % ./adb install --user {Work Profile ID number} HelloWorld.apk

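The two adb commands above are all it takes to bypass the managed Google Play channel on a device with USB debugging enabled, which is why the lab treats a sideloaded app as High Risk. The Python script below is an added example, not part of the lab, that wraps the same two commands: it parses the pm list users output to find the work profile (by the managed-profile flag bit, falling back to the profile name) and then builds the adb install --user command for it, refusing to install if no work profile exists. It assumes adb is on the PATH and relies only on the UserInfo{id:name:flags} format that pm prints; the sample output embedded in the script is constructed, and the script name in the usage line is hypothetical.

```python
"""Sideload an APK into the Android work profile via adb (the action MTD flags in Part 7).

Added example, not part of the lab. Assumes adb on the PATH and the
UserInfo{id:name:flags} lines that `pm list users` prints (flags in hex).
"""
import re
import subprocess
import sys

# Constructed sample of `adb shell pm list users` on a device enrolled with a work profile.
SAMPLE_PM_LIST_USERS = """Users:
\tUserInfo{0:Owner:c13} running
\tUserInfo{10:Work profile:1030} running
"""

FLAG_MANAGED_PROFILE = 0x20  # UserInfo flag bit set on a managed (work) profile
_USER_RE = re.compile(r"UserInfo\{(\d+):([^:}]*):([0-9a-fA-F]+)\}")


def parse_users(pm_output):
    """Return [(user_id, name, flags)] for every user in `pm list users` output."""
    return [(int(uid), name, int(flags, 16)) for uid, name, flags in _USER_RE.findall(pm_output)]


def work_profile_id(pm_output):
    """User id of the work profile, chosen by the managed-profile flag and, failing
    that, by the default profile name. None when the device has no work profile."""
    users = parse_users(pm_output)
    for uid, _name, flags in users:
        if flags & FLAG_MANAGED_PROFILE:
            return uid
    for uid, name, _flags in users:
        if name.strip().lower() == "work profile":
            return uid
    return None


def install_command(apk_path, user_id, adb="adb"):
    """The adb invocation that installs into one specific user, as the lab does,
    so the app shows up under the Work tab and the MTD policy evaluates it."""
    return [adb, "install", "--user", str(user_id), apk_path]


def main(argv):
    if len(argv) != 2:
        print("usage: sideload_work.py HelloWorld.apk", file=sys.stderr)
        return 2
    listing = subprocess.run(["adb", "shell", "pm", "list", "users"],
                             capture_output=True, text=True, check=True).stdout
    uid = work_profile_id(listing)
    if uid is None:
        print("no work profile found; enroll the device with Intelligent Hub first", file=sys.stderr)
        return 1
    cmd = install_command(argv[1], uid)
    print(" ".join(cmd))
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The flag check matters because the profile name is user-visible and can be changed, while the 0x20 bit is what Android itself uses to mark a managed profile; the name is only a fallback for listings where the flags are not informative.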
 

  3. Click the Work tab
    • Note that the Hello World app has been sideloaded successfully
  4. Note that the Adobe Acrobat Reader, Microsoft Excel, and Salesforce apps no longer appear in the Work profile. (It may take a moment for this to occur)
  5. On the Android device, return to the Intelligent Hub app and click Support in the lower left corner.
    • In the Your device is at risk section, click the arrow to view more information
  6. This sideloaded application has been tagged as High Risk
  7. Return to the Workspace ONE UEM admin console (https://dw-livefire.awmdm.com) and navigate to Devices > List View
    • Click Craig Android
    • Note the HIGH RISK tag that has now been assigned
  8. Return to the MTD Admin Console https://mtp.lookout.com/a/
    • Navigate to Devices.
      • Click High Risk
    • Click Hello World on the High Risk device
  9. Click the Allow sideloaded app command button
    • Note the Signature Hash
      • Click Allow sideloading
        • Click Ok
  10. Click Configure Policy
    • Note that sideloading for the Hello World app has been allowed
      • Click Cancel
  11. Return to your Android emulator
    • Delete the Hello World app from both Personal and Work tabs
    • Click OK
  12. After uninstalling the Hello World app from the Work profile, your published apps will reappear. (It can take up to 2 hours for all apps to reappear)
Part 8: Workspace One Trust Network Integration

Workspace ONE Trust Network integrates threat data from security solutions including endpoint detection and response (EDR) solutions, mobile threat defense (MTD) solutions, and cloud access security brokers (CASB). This integration provides Workspace ONE Intelligence users with insights into the risks to devices and users in their environment. See how to register your specific Trust Network system with Intelligence.

Workspace ONE Intelligence displays event data for analysis in the Threats Summary module on the Security Risk dashboard.

1.  Return to Mobile Threat Defense admin console https://mtp.lookout.com/a/

  • In the left pane, select Protections
  • Configure the following settings:
    • In the Manage settings for, click the drop down and select Developers
    • Put a check in the box next to USB Debugging.  Set the Risk Levels to High and Response to Alert Device
    • Click Enable
    • Click Review and Save.
    • Click Save Changes.

2. In the left pane, select Issues

  • Note the High Risk status (It may take up to 10 minutes for this to update)

3. In the left pane, select System > Application Keys

  • Label the key WS1_MTD_Intelligence and click Next.
  • Click Generate Key and click OK

4. Click Copy Application Key to Clipboard and click OK. Treat the Application Key as a secret: it is what authorizes Workspace ONE Intelligence to read your tenant's threat data.

5. Open Chrome on the ControlCenter in your pod. Open the Workspace ONE UEM admin console (https://dw-livefire.awmdm.com)

  • In the upper right corner, click the 9 squares and click Workspace ONE Intelligence.

6. Click Integrations

7. Ensure that Data Sources is selected.

8. Find Workspace ONE Mobile Threat Defense and click Set Up

9. Click the arrow next to Authorization Details and type the following in the available fields:

  • Base URL: https://api.lookout.com
  • Application Key: {Paste the Application Key that you copied in step 4}

10. Click Authorize

11. Return to the Workspace ONE Mobile Threat Defense tile and click View

  • Ensure that the Connection Status is Authorized
  • Ensure that the API Key is Valid

12. In Unresolved HIGH Threats, click the three dots (...) and select Automate.

13. Type MTD Unresolved HIGH Severity and click Done.

  • Click Add Step and click Action

14. In the left corner, click Workspace ONE Intelligence

  • Navigate to and select Send Email
  • Click ADD ACTION

15. In the available fields, type the following:

  • To: {Your Email Address}
    • Press Enter to add the email address as a custom value
  • Subject: MTD High Security Alert
  • Message: MTD High Security Alert triggered!
  • Click Test
  • In the Send Email window click Next
  • Click Test
    • Note the successful 201 Created message
  • Click Cancel

16. Toggle Enable Workflow to ON and click Save

  • Click Save & Enable

*Note the successfully created Workflow

17. Return to the Mobile Threat Defense admin console https://mtp.lookout.com/a/

  • In the left pane, select Protections
  • Configure the following settings:
    • In Manage settings for, click the drop-down and select Developers
    • Put a check in the box next to No Passcode. Set the Risk Level to High and Response to Alert Device
    • Click Enable
    • Click Review and Save.
    • Click Save Changes.

18. Return to Workspace ONE Intelligence (via the Workspace ONE UEM admin console, https://dw-livefire.awmdm.com)

  • In the Unresolved HIGH Threats tile, click View
  • Note the High Severity entries (It may take up to 10 minutes for this to appear)

19. In the upper left pane click Freestyle

  • Note the Last Run time

20. Open your email account to view the High Severity Alert message.

This completes the Workspace ONE Mobile Threat Defense lab.
