Mobile threat detection and response is an area of ever-growing importance, as the world finds itself accessing sensitive resources on devices everywhere. Application, identity, or device management only offer so much protection against the assortment of threats users face.
Digital workspace products like VMware Workspace ONE and Zimperium's zIPS complement each other, and offer compensating controls specifically for mobile threats. These capabilities allow your organization to detect threats that you might otherwise not have the ability to detect, let alone to mitigate.
Zimperium focuses on being best-in-breed in mobile threat detection (MTD), and it shows. In 2019, Zimperium was the first MTD product to be FedRAMP authorized, partnered with VMware to join the Trust Network, and selected by Google to join the App Defense Alliance.
To make these controls possible, you need to integrate the Zimperium console (zConsole) with Workspace ONE UEM. In this blog post, I'll go through all the requirements for integration. Requirements like...
- Obtaining an API Key for integration
- Setting up MDM integration with zConsole and Workspace ONE UEM
- Testing integration
- Mood-lifting background picture
Grand Hyatt Kauai, not included in Workspace ONE. But a great place to treat your team, hint, hint...
How to Integrate the zConsole with Workspace ONE UEM
- Open the Workspace ONE UEM console and go to Groups & Settings > All Settings.
- In the Settings window, go to System > Advanced > API > REST API.
- In the General tab, click Add.
Note: Ensure Enable API Access is set to enabled. This is required.
- Name the service, for example, zConsole. Ensure the Account Type is set to Admin. Copy the API Key to your clipboard or Notepad. You will use this in the zConsole.
The API key shown here is an example only.
- Log in to your Zimperium zConsole.
- In the left navigation pane, locate Manage.
- Click Manage.
- In the top of the Manage window, click the Integrations tab.
- Click Add MDM.
In this example, an existing environment is seen integrated already. Currently, you can have multiple environments associated with a single Zimperium SaaS VPC tenant or on-premise environment.
- Depending on your console version, select AirWatch by VMware, or Workspace ONE. Once selected, click Next.
- Enter the following information:
- URL: This is the URL for your Workspace ONE UEM API Endpoint.
Note: This needs a DNS A record, publicly resolvable, with 443 inbound/outbound TCP/UDP traffic allowed. You can create this public DNS A record in whatever service manages your public-facing DNS, such as AWS Route 53, Cloudflare DNS, GCP Cloud DNS, Azure DNS.
In this example, I have a DNS A record created for the URL: https://ws1.<mycompany.com>.
The proper firewall and IP routing table configuration are required to support inbound and outbound communication.
- Username: A Basic user, or LDAP user in Workspace ONE UEM.
Note: The account must have permissions to make API calls for the smart groups, users, devices, and applications for the organization group(s) being managed. This example uses a directory account of vmware\ws1.
- MDM Name: There is no incorrect value for this field. It is strictly to label the MDM environment in zConsole. Name it something appropriate, such as Hawaii Retirement Provider, or: Molokai Bank - Workspace ONE UEM - 1903 – Prod.
- Background Sync: Ensure that this box is checked.
- Mask Imported User Information: Check if you prefer the data to be anonymized. There are other unique identifiers that are not anonymized, and additional ways to limit data returned for other scenarios (such as GDPR compliance). In my lab environment, I leave this unchecked.
- API Key: This is the API Key that you copied onto your clipboard or Notepad in an earlier step. Paste it here.
- In the lower right corner, click Next.
- At the next window, select the smart groups from Workspace ONE UEM that you want to import into the zConsole.
Note: I suggest making and importing the following (5) smart groups in Workspace ONE UEM (I’ll say more about this in an upcoming post):
- Click Finish.
- This takes you back to the Integrations page. Verify your configuration by clicking the green Test MDM button.
- Verify that all the tests passed.
Note: During these tests, network traffic between the VPC and your Workspace ONE environment is expected. A series of API calls from the VPC will be made to verify access to Workspace ONE API endpoints.
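Before clicking Test MDM, it helps to confirm the same prerequisites from your own network: that the API endpoint's A record resolves, that TCP 443 is reachable with a valid certificate, and that the API key and service account are accepted. The script below is an added example, not code from the post or from either vendor; it assumes Workspace ONE UEM takes HTTP Basic auth plus the API key in an `aw-tenant-code` header and that `GET /API/system/info` is a cheap authenticated call.

```python
import base64, socket, ssl, urllib.error, urllib.request
# Assumptions (not from the post): Workspace ONE UEM takes HTTP Basic auth plus the
# API key in an 'aw-tenant-code' header, and GET /API/system/info is a cheap
# authenticated call. Adjust both if your tenant differs.

def build_headers(username: str, password: str, api_key: str) -> dict:
    """Headers an integration such as zConsole sends: Basic auth + tenant API key."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "aw-tenant-code": api_key,
            "Accept": "application/json"}

def check_dns_and_port(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Prerequisites from the post: a resolvable A record and TCP 443 reachable."""
    result = {"resolves": False, "tcp_open": False, "tls_ok": False}
    try:
        ip = socket.gethostbyname(host)
        result["resolves"] = True
    except socket.gaierror:
        return result
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            result["tcp_open"] = True
            # Validates the certificate chain, as zConsole's HTTPS client would.
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host):
                result["tls_ok"] = True
    except OSError:
        pass
    return result

def classify_status(status: int) -> str:
    """Map the HTTP status of the test call to the likely misconfiguration."""
    if status == 200:
        return "ok"
    if status == 401:
        return "rejected: check the Basic/LDAP account password and the API key"
    if status == 403:
        return "forbidden: account lacks API permissions or API access is disabled"
    return f"unexpected HTTP {status}"

def check_api(base_url: str, username: str, password: str, api_key: str) -> str:
    req = urllib.request.Request(f"{base_url.rstrip('/')}/API/system/info",
                                 headers=build_headers(username, password, api_key))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as e:
        return classify_status(e.code)
    except urllib.error.URLError as e:
        return f"network error: {e.reason}"
```

Run `check_dns_and_port("ws1.<mycompany.com>")` and then `check_api("https://ws1.<mycompany.com>", r"vmware\ws1", "<password>", "<API key>")` with your own values; a `401` or `403` result points at the credential or permission step above rather than at the network.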
After integration is complete, you will want to look at my blog post covering zIPS delivery and activation on Android devices.
Stay tuned for more posts covering Workspace ONE, Intelligence, Zimperium, Mobile Threats, and more.