Windows 10 Compliance Workspace One UEM + Workspace ONE Access
Part 1: Workspace One UEM Compliance Rules
WorkspaceOne allows administrators to check the device posture in addition to the credentials provided for authentication. This ensure's that not only the provided credentials are valid, but also the device being used to access corporate resources is deemed secure and compliant. WorkspaceOne UEM has a robust compliance engine that allows administrator to set a standard for security on devices.
First you will be configuring a standard for compliance on Windows 10 using WorkspaceOne UEM
Second, you will be configuring Workspace ONE Access Access Policies to check the device compliance during the authentication process.
Third, you will bring this to life by authenticating to O365 using Workspace ONE Access certificate adapter in conjunction with device compliance.
1. Let's begin with configuring our UEM compliance rules for Windows 10.
(Note: that the same procedure can be used for Android and iOS, but in our scenario we will be dealing with Windows 10)
- Open the Workspace One UEM console on cn-livefire.awmdm.com and authenticate using your unique credentials. Navigate to Devices > Compliance Policies > List View and click + ADD
2. Select Windows from the "Select a platform to start:" window and select Windows Desktop from the next page as this one relates to Windows10 specifically.
- Select NEXT at the bottom of the page. We have now set our rule we will now select an action.
3. In the Actions tab validate the check box next to "Mark as Not Compliant" is selected.
- This will ensure that if our device does not follow the rules set in the previous page it will be flagged as not compliant. Now notice the drop down for the actions you can take. You could go as harsh as performing an enterprise wipe, or as subtle as notifying the user via a push notification.
- In the left dropdown leave Notify as the default and change Send Email to User to "Send Push Notification to Device" from the the action dropdown.
- Select + Add Escalation and leave as default. Notice you the user will be e-mailed after 1 day of the rule still being broken. Click NEXT at the bottom of the page
4. In the Add Compliance Policy page notice all the rules your can set in the left hand drop down. These are all the parameters an admin can set to determine whether a device is compliant with the organizations security rules. For this particular lab we will be dealing with the Firewall Status. Configure the following:-
- In the 2nd drop down, this should automatically change to Is
- in the 3rd dropdown change Good to "Poor".
5. Under the Assignment tab next Smart Groups select your unique Organization Group marked with the world symbol.
6. Under the Summary Tab change the default Name Firewall Status to - Windows 10 - Firewall and click FINISH & ACTIVATE at the bottom of the page.
7. On your Controlcenter desktop, open the Remote Desktop folder.
- Select and RDP to the W10Client01 with username Administrator and password VMware1!
- On the windows 10 desktop select Start > Run
- In the Run window type WF.msc
- In the Windows Defender for Firewall for Advanced Security select the Domain, Private and Public Profile and change the Firewall state from ON (recommended) to OFF, Select OK to close the Windows Defender Firewall window
8. Note! The Compliance Engine will now run (runs every 5 minutes by default) a check against the devices assigned to the Compliance Rule and report back to the Admin whether there are any device that have not passed the test. Since the Firewall is disabled on the Windows 10 Device we should get a flag stating it's non-compliant. This might take a while, so move on to the next section of the lab.
- Go back to your Workspace ONE UEM console, select Devices > Details View
- Notice now there is 1 COMPLIANCE VIOLATION and the Firewall Status is red
Part 2: Workspace ONE Access Access Policy Device Compliance
- Let's enable Device Compliance from AirWatch then enable Authentication Method in the Built-In Identity Providers .
- Navigate to your unique Workspace ONE Access tenant and authenticate as System Admin
- Navigate to Identity & Access Management Tab > Setup > AirWatch
- Scroll down to Compliance Check, select the Enable radio button and select Save
2. Open Identity & Access Management tab and select Identity Providers. On the page Identity Providers window select Built-in
3. Scroll down to Authentication Methods and enable the Device Compliance (with AirWatch) checkbox and scroll down and select Save at the bottom of the page.
- Now Navigate and select Policies in the Identity & Access Management tab
- Next to the SSO policy select the radio button and select EDIT
- In the Edit Policy window select Configuration
- Select ALL RANGES next to the policy that applies to "Windows 10"
- In this policy you will see that Certificate (Cloud Deployment) is the primary authentication method that is being used. We will now add device compliance, as an additional Access requirement, to allow user access. Select the + next to Certificate (Cloud Deployment)
- Next to If the preceding method fails or is not applicable, then CHANGE Password (cloud deployment) to Select fallback method....
- You will now have an "and" clause. In the dropdown select Device Compliance (AirWatch) .
- Select SAVE at the bottom of the page.
- Select NEXT on the following page and SAVE again on the Summary of the Edit Policy page.
Part 3: Windows 10 Compliance in Action
1. Windows 10 Compliance in Action
- We will now test for Compliance as an authentication method.
- Navigate to the Desktop of the ControlCenter2 and open the Remote Desktop folder and launch an RDP session using the W10client01.RDP client.
- Open Chrome within the W10 machine that was enrolled. Now type in Office.com . Select the sign-in to your account ICON on the right-hand side of the page.
- On the Sign In window type your custom user eg [email protected], select Next
- You will get a pop up from Chrome that will request you to select the appropriate certificate to use for authentication.
- On the Select a certificate window select OK
- At this point Workspace ONE Access will check the validity of the certificate, but also send an API compliance query to Workspace ONE UEM to ensure the device is compliant (This is using the UDID that is present to vIDM in the certificate)
- You will notice an Access Denied message. We can also see this in the Event audits in Workspace ONE Access.
- In your Workspace ONE Access tenant. Navigate to Dashboard > Reports > Audit Events and select Show
- Look for an event that is LOGIN failed with your custom user,
- To the right select View Details. Scroll down until you find the area "failuremessage" and read what it says.
3. Windows 10 Compliance in Action continued...
- Use your RDP connection and go back and enable the Windows Firewall on the Windows 10 machine.
- Select Start > RUN and type wf.msc
- Right click Windows Defender Firewall with Advanced Security on Local Computer and select Properties
- Re-enable the Domain, Private and Public Profiles by selecting the dropdown next Firewall state and change Off to On (recommended)
- Select OK to close the Windows Defender Firewall with Advanced Settings on Local Computer
- Navigate back to your Workspace ONE UEM Console
- Select Devices > List View > and select your Windows 10 device
- It take about 5 minutes for your Status to change in Workspace ONE UEM. Keep refreshing your screen
- If WNS status: Disconnected shows then try rebooting your Windows 10 machine.
- If this does not work Select Query > Security and Query > Health Attestation
- You should now see the device listed as compliant and the Firewall status as green in the WorkspaceOne UEM console.
- Revert back to your Windows 10 virtual machine
- Open a browser and type Office.com
- On the right of the page select the Sign into your accounts ICON
- On the Sign in type your custom user email address eg. [email protected] select Next
- On the Select a certificate window select OK
- On the Stay signed In? window select NO
- Notice the Single Sign-On using the Certificate + the Compliance Check against UEM worked successfully and you now have access to the application
- If you go to Workspace ONE Access , select the Dashboard > Reports > Audit Events
- Select Show ,
- notice the EVENT is LAUNCH and your User , the OBJECT is Office365 with Provisioning,
- Select View Details
- Notice Audit Events are reporting a successful login using Certificate (Cloud Deployment) and Device Compliance (with AirWatch).
- Select Show ,
This completes the Windows 10 Compliance with Workspace ONE Access and Workspace ONE UEM Lab. This is a single example of the many options for compliance that could be used not restricted to Windows 10, but also other platforms