Bringing MFA into the Intelligent Hub

January 15, 2021
 
This blog post was originally published at Steve The Identity Guy’s blog.
 


If you’ve not already configured Multi-Factor Authentication (MFA) for your users – seriously, what are you waiting for? There are dozens of different MFA solutions on the market today with varying capabilities including push notifications along with support for biometric verification. So why am I so excited for MFA in the Intelligent Hub?

  • No registration required for managed devices
  • No additional applications are required for managed devices
  • No phone numbers are required
  • No barcodes to scan
  • MFA will be performed on a managed and *compliant* device!

In this blog, I’m going to go through the Good and the Bad of Intelligent Hub Verify. I’m hopeful some of these negatives will be addressed in an upcoming release.

Getting Started

  1. Log into the Workspace ONE Access Admin Console.
  2. Go to Identity & Access Management > Authentication Methods.
  3. Click Configure for Verify (Intelligent Hub).
    Note: This is different from VMware Verify.
  4. Enable the Authentication Method. I also recommend enabling Enhanced Verification to require biometric verification.
    Verify (Intelligent Hub)
  5. Click Save.
  6. Go to Identity Providers.
  7. Click your Built-In Provider.
    Note: This is the built-in provider that you are using for all your authentication methods such as Mobile SSO. This could be Built-In or a custom one that you created when setting up Workspace ONE Access.
  8. Under Authentication Methods, make sure that Verify (Intelligent Hub) is enabled.
    Note: Both versions of Verify can be enabled at the same time. However, it is not required.
    Authentication Methods
  9. Click Save.

Once you’ve enabled Verify (Intelligent Hub), all you need to do is add it to your policies and users can start using it right away. Policy Management is a little frustrating but we’ll get to that a little later in the blog.

When a policy requires MFA, the user will receive an MFA prompt on their device.

Sign-In Request

If you’ve enabled Enhanced Verification, they will also get a biometrics prompt:

Touch ID for Hub

So what happens if you have multiple devices? The first time you are required to do MFA, you will be prompted to select the device you want to use for MFA.

Using Friendly Names

Workspace ONE Access will use the Friendly name to populate your device list. The format of the friendly name is defined in Workspace ONE UEM. You can see this in Groups & Settings > Devices & Users > General > Friendly Name. If you need to update this, the friendly names will be updated on the next device sync in UEM.

Friendly Name

Once you’ve selected a device, all notifications will be sent to that device. Please see Resetting a Preferred Hub MFA Device for instructions on how to reset this for a user.

Policy Management

Setting up your policies to use Verify (Intelligent Hub) might be a little confusing at first depending on how your existing policies are structured. I will break this section into two parts:

  • Application Policies
  • Default Access Policy

It’s always good practice when defining access policies not to use the default access policy for any applications you’ve configured. The Default Access Policy should only be used for Enrollment and the Workspace ONE Portal. All other applications should be configured with a separate policy.

Application Policies

Setting up MFA for an Application Policy is pretty straightforward. In the policy management interface, you will need to define a primary authentication method (such as Certificate, Mobile SSO or Password Cloud) and use Verify (Intelligent Hub) as the secondary method.

First, by application policy I’m referring to adding a new policy and assigning it to specific applications. In this example, I’ve created a Policy called “MFA” and I’ve assigned an application to this policy.

Add Policy

If you click Add Policy, you can assign a Name and it can be applied to your existing applications:

Edit Policy

On the Configuration tab, you can define your OS specific policies:

Add Policy Rule

Default Access Policy

Setting up MFA on the Default Policy can be a little frustrating. Currently, Verify (Intelligent Hub) is only available on the “Web Browser” type in the default policy. You will need to make sure your Web Browser Policy is defined below your Device Enrollment Policy.

Edit Policy

In the Web Browser Policy, you can define Verify (Intelligent Hub) with your OS Specific primary authentication method:

Edit Policy Rule

This is obviously not a great admin experience, especially if you have defined OS-specific policies in your Default Access Policy. I’m hopeful that VMware will allow you to configure Verify (Intelligent Hub) on OS-specific policies in a future release.

Resetting a Preferred Hub MFA Device

Unfortunately, VMware has not provided a reset capability yet in the Hub or the Workspace ONE Access Portal to allow the user to switch their preferred Verify (Intelligent Hub) MFA Device. So, for now, we’ll have to use Postman. Please see my blog on using Postman with Workspace ONE Access:

  1. Perform a GET on a user to obtain their Internal ID. See Get User Details in the above-mentioned blog.
  2. Open a new tab in Postman.
  3. Add the Authorization Header.
  4. Change the request method to PATCH.
  5. For the URL, enter:
    https://<TENANTURL>/SAAS/jersey/manager/api/scim/Users/{ID}
    Replace the Tenant URL with your URL.
    Replace the ID with the ID from the previous step in this section.
    e.g., https://dsas.vmwareidentity.com/SAAS/jersey/manager/api/scim/Users/884b7e7d-6a7b-4985-b113-56235826e8a6
  6. Select Body.
  7. Enter the JSON in the raw text that we’ll post to Workspace ONE.
  8. Select JSON (application/json) as the Content-Type.
  9. Add the following in the body.
    {
      "schemas": [
        "urn:scim:schemas:core:1.0",
        "urn:scim:schemas:extension:workspace:tenant:sva:1.0",
        "urn:scim:schemas:extension:workspace:1.0",
        "urn:scim:schemas:extension:enterprise:1.0",
        "urn:scim:schemas:extension:workspace:mfa:1.0"
      ],
      "urn:scim:schemas:extension:workspace:mfa:1.0": {
        "hubMfaPreferredUDID": ""
      }
    }
  10. Click Send.
  11. You should receive a 204 No Content response.
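
The same reset can be scripted once you are doing it for more than a handful of users. The following is an added example, not code from the original post or from VMware: the function names are hypothetical, the Authorization header value is whatever you obtained by following the Postman blog referenced above, and the UUID check assumes internal IDs always look like the one in the example URL.

```python
import json
import re
import urllib.request
import uuid

MFA_SCHEMA = "urn:scim:schemas:extension:workspace:mfa:1.0"
SCHEMAS = [
    "urn:scim:schemas:core:1.0",
    "urn:scim:schemas:extension:workspace:tenant:sva:1.0",
    "urn:scim:schemas:extension:workspace:1.0",
    "urn:scim:schemas:extension:enterprise:1.0",
    MFA_SCHEMA,
]
# Bare hostname only: no scheme, path, port or credentials.
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def build_reset_request(tenant_host, user_id, authorization):
    """Build the PATCH that clears hubMfaPreferredUDID for one user."""
    if not HOST_RE.match(tenant_host):
        raise ValueError("tenant_host must be a bare hostname")
    # Assumption: the internal ID from the GET step is a UUID. Anything else
    # is rejected so the value cannot change the URL path being patched.
    user_id = str(uuid.UUID(user_id))
    url = f"https://{tenant_host}/SAAS/jersey/manager/api/scim/Users/{user_id}"
    body = {"schemas": SCHEMAS, MFA_SCHEMA: {"hubMfaPreferredUDID": ""}}
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": authorization,
            "Content-Type": "application/json",
        },
    )


def reset_preferred_device(tenant_host, user_id, authorization,
                           opener=urllib.request.urlopen):
    """Send the request; True only on the 204 No Content the steps expect."""
    req = build_reset_request(tenant_host, user_id, authorization)
    # urlopen raises HTTPError on 4xx/5xx, so a failed reset is never silent.
    with opener(req, timeout=30) as resp:
        return resp.status == 204
```

Resetting a user's preferred MFA device is a sensitive admin action, so run this with a narrowly scoped credential and record who was reset and when.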


Steven 'The Identity Guy' D'Sa


Hi, I’m Steven. I have more than 20 years of IT experience, including 14 years focused specifically on Identity and Access Management. I’ve spent most of my career as an Oracle Identity and Access Management Consultant, including four years as an Identity Management Architect for BlackBerry. I currently work as part of the Principal Technologies team at VMware responsible for Workspace ONE Access and the technical integrations with our Identity & Access partners.