Integrating Cisco Security Connector: VMware Workspace ONE Operational Tutorial

VMware Workspace ONE 9.3 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you configure the Cisco Security Connector for use with VMware Workspace ONE® UEM: you deliver an iOS app from the public App Store (or through the Apple Volume Purchase Program) and you deliver two profile payloads, one for Cisco AMP (Clarity) and one for Cisco Umbrella.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. Familiarity with networking and storage in a virtual environment is assumed, as is familiarity with Active Directory, identity management, and directory services. Knowledge of additional technologies such as VMware Identity Manager™ and VMware Workspace ONE® UEM is also helpful.

Integrating Cisco Security Connector with Workspace ONE

Introduction

In June of 2017, Apple and Cisco announced a security partnership focused on network traffic and content security on mobile iOS devices. Recently, Apple and Cisco announced the availability of the Cisco Security Connector. This application can be managed and configured using VMware Workspace ONE UEM (unified endpoint management), formerly VMware AirWatch.

What is Cisco Security Connector?

Cisco Umbrella + Cisco Clarity

Cisco Security Connector is a single iOS application that carries two network extensions, Cisco Clarity and Cisco Umbrella. Cisco Clarity (the component for Cisco AMP for Endpoints) provides visibility into the apps on the device and the network connections they make. Cisco Umbrella provides DNS-layer enforcement: the device's DNS queries are sent, encrypted, to Umbrella, where policy is applied. Because both components plug into the network extension hooks that iOS provides, Cisco Security Connector can deliver this visibility and filtering without changes to end-user behavior, a VPN, SSL/TLS decryption, or a proxy. The flip side is that enforcement happens at the DNS layer: Umbrella sees and blocks domain names, not URL paths or page content.

For Cisco customers, the Cisco Security Connector can be configured over-the-air on eligible supervised iOS devices. Configuration involves two steps: delivering an iOS app from the public App Store (or through the Apple Volume Purchase Program) and delivering two profile payloads.

Cisco Security Connector requires iOS device supervision (via Apple Configurator 2, Apple School Manager, or the Device Enrollment Program). Unsupervised devices cannot receive the app's network extension payloads. For more detail about supervision, see Get started with a supervised iPhone, iPad, or iPod touch.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured.

  1. Workspace ONE UEM tenant 9.3 or later with admin credentials
  2. Supervised devices running iOS 11.3 or later
  3. Administrator credentials for Cisco AMP for Endpoints Dashboard (https://console.amp.cisco.com).
  4. Credentials for Cisco Umbrella (https://login.umbrella.com).

Deploying the Cisco Security Connector Application

The Cisco Security Connector can be deployed from the Apple App Store as a Public or Purchased (VPP) application. This exercise deploys Cisco Security Connector as a Public application.

1. Add Native Public Application

In the Workspace ONE UEM console:

  1. Select Apps & Books.
  2. Select Native.
  3. Select Public.
  4. Select Add Application.

2. Search iOS Applications

Search for the Cisco Security Connector application:

  1. Select Apple iOS.
  2. Enter Cisco Security Connector.
  3. Click Next.

3. Select Appropriate iOS Application

Select the appropriate application:

  1. Ensure the Cisco Security Connector (com.cisco.ciscosecurity.app) is returned.
  2. Select the appropriate country.
  3. Click Select.

Note: Ensure you select the appropriate country so that the user's device receives the app from the appropriate country's App Store.

4. Save and Assign

Click Save & Assign.

5. Add Assignment

Click Add Assignment.

6. Add Assignment Group(s) and Policies

Continue configuring the application assignment and policies:

  1. Click in the Select Assignment Groups search box and select the assignment group to receive the application.
  2. Select Auto.
  3. Select Enabled for Managed Access.
  4. Select Enabled for Make App MDM Managed if User Installed.
  5. Click Add to publish the application to your devices.

7. Save & Publish

  1. Ensure your assignment has been added.
  2. Click Save & Publish.

8. Publish

Click Publish.

Important: Publishing the application with the Auto assignment type immediately schedules it for delivery to every device in the selected assignment groups.

 

Creating a Cisco AMP Extension Profile

To configure the Cisco Security Connector, download a profile from Cisco AMP for Endpoints. Then, add the file as a profile in the Workspace ONE UEM Console. This provides Cisco Security Connector the ability to audit and correlate traffic flow (URLs and ports) from iOS applications.

1. Log In to Cisco AMP for Endpoints

Navigate to the Cisco AMP for Endpoints Dashboard (https://console.amp.cisco.com) and log in.

  1. Enter the email address for your AMP for Endpoints administrator account.
  2. Enter the password for the AMP administrator.
  3. Click Log In.

2. Create a Management Group

2.1. Open Management Group Settings

Click Create Group.

2.2. Name and Save Group

  1. Name the group iOS Clarity.
  2. Click Save.

3. Download the MobileConfig File

Download the iOS profile for the iOS Clarity group from the AMP for Endpoints console. The remaining steps use the downloaded file, iOS_Clarify_amp_ios.mobileconfig.

4. Upload MobileConfig File to Workspace ONE UEM

  1. In the Workspace ONE UEM console, select Devices.
  2. Expand Profiles & Resources.
  3. Select Profiles.
  4. Select Add.
  5. Select Upload Profile.

5. Upload File

Click Upload.

6. Choose File

Click Choose File.

7. Open MobileConfig File

  1. Select the iOS_Clarify_amp_ios.mobileconfig file.
  2. Click Open.

8. Save MobileConfig File

Click Save.

9. Continue File Upload

Click Continue.

10. Assign Profile

  1. Change Assignment Type to Auto.
  2. Change Allow Removal to Never.
  3. Select the Assignment Group(s) for this profile.
  4. Click Save & Publish.

11. Publish Profile

Click Publish.

Creating a Cisco Umbrella Profile

Cisco Umbrella provides a secure DNS proxy for domain-name resolution on iOS devices. When the Umbrella profile is applied to a device running Cisco Security Connector, the device stops using the DNS servers handed out by whatever network it joins; all external DNS queries are sent, encrypted, to Cisco Umbrella instead. This lets network administrators see which domains devices resolve and block specific domains or content categories. Because the control point is DNS, a block prevents a domain from resolving; it does not inspect URL paths or page content.

1. Log In to Cisco Umbrella

  1. In your web browser, navigate to https://login.umbrella.com and enter your user name.
  2. Enter your password.
  3. Click Sign In.

2. Download the Root Certificate

2.1. Download Root Certificate

Click Download Certificate.

This root CA is what lets the device trust the block page Umbrella serves for HTTPS domains without certificate warnings. As with any root certificate pushed by MDM, take it only from the Umbrella console download and confirm its details when you upload it in step 8.5.

3. Download and Copy the AirWatch Config File's XML

3.1. Download AirWatch Config

  1. Click Download.
  2. Select AirWatch Config to download the mobileconfig XML file.

3.2. Open XML File

  1. Find the downloaded XML file and Control+click it (or right-click if you have a two-button mouse).
  2. Click Open.
  3. Confirm that the file opens in TextEdit or another text editor that lets you view the XML.

3.3. Copy XML Between the Comments

  1. Start the selection at the first <dict> after the comment line beginning <!-- AirWatch - copy ...
  2. End the selection at the last </dict> immediately preceding the comment line <!-- AirWatch - end copy -->.

Important: The selection is long, since it contains the whole Umbrella payload configuration. Copy everything between the two comment lines, and check that the copied text begins with <dict> and ends with </dict>; the Custom Settings payload only accepts well-formed payload dictionaries, and a truncated copy fails on the device rather than in the console.

4. Create a Workspace ONE UEM Profile

In the Workspace ONE UEM Console:

  1. Select Devices.
  2. Expand Profiles & Resources.
  3. Select Profiles.
  4. Select Add.
  5. Select Add Profile.

5. Select a Platform

Select Apple iOS.

6. Complete General Profile Information

  1. Enter a name for the profile.
  2. Enter a description for the profile.
  3. Set the assignment type to Auto.
  4. Select whether users are allowed to remove the profile from managed devices. Never keeps DNS enforcement in place once the profile is installed, matching the setting used for the Cisco AMP profile.
  5. Select one or more assignment groups to receive the profile.

7. Open the Credentials Payload

  1. Scroll down the payload list.
  2. Select Credentials.
  3. Click Configure.

8. Configure the Credentials Profile

8.1. Upload a Certificate

Click Upload.

8.2. Choose File

Click Choose File.

8.3. Select the Umbrella Root Certificate File

Double-click the Cisco_Umbrella_Root_CA.cer file.

8.4. Save the Root Certificate File

Click Save.

8.5. Validate Upload

Validate that the Credential Name has been pre-filled and that the certificate details (issuer and subject names, validity dates) match the certificate you downloaded from the Umbrella console.

9. Configure Custom Settings XML Payload

9.1. Open the Custom Settings Payload

  1. Scroll down the payload list.
  2. Select Custom Settings.
  3. Click Configure.

9.2. Paste Copied XML

Paste the section you copied from the MobileconfigAirWatch.xml file (from the Umbrella Console) into the Custom Settings text box.
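Both profile steps in this tutorial depend on a file the admin copies by hand: the iOS_Clarify_amp_ios.mobileconfig uploaded in step 7 of the AMP exercise, and the XML fragment cut out of the Umbrella AirWatch Config file in step 3.3 above and pasted here. The script below is an added example for this tutorial, not code from VMware, Cisco, or the Workspace ONE console. It extracts the fragment between the AirWatch comment markers the tutorial describes, trims it to the first <dict> and last </dict>, confirms the result parses as payload dictionaries, and lists the payload types inside a downloaded .mobileconfig. It assumes the Umbrella payload is an Apple DNS proxy payload (com.apple.dnsProxy.managed) bound to the app bundle ID com.cisco.ciscosecurity.app named earlier in the tutorial; the two sample files embedded in it are constructed, with made-up identifiers, UUIDs and organization values.

```python
"""Pre-flight checks for the Cisco Security Connector profiles.

Added example; not VMware, Cisco, or Workspace ONE code. Assumes the Umbrella
"AirWatch Config" file marks the payloads with "<!-- AirWatch - copy ... -->"
and "<!-- AirWatch - end copy -->", and that the Umbrella payload is a
com.apple.dnsProxy.managed payload. Sample files below are constructed.
"""
import plistlib
import re
import uuid

APP_BUNDLE_ID = "com.cisco.ciscosecurity.app"   # bundle ID named in the tutorial
DNS_PROXY_TYPE = "com.apple.dnsProxy.managed"   # Apple payload type (assumption)
START_MARKER = re.compile(r"<!--\s*AirWatch - copy[^>]*-->")
END_MARKER = re.compile(r"<!--\s*AirWatch - end copy\s*-->")
REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def extract_airwatch_fragment(text):
    """Text between the AirWatch markers, trimmed to first <dict> .. last </dict>."""
    start, end = START_MARKER.search(text), END_MARKER.search(text)
    if not start or not end or end.start() < start.end():
        raise ValueError("AirWatch copy markers missing or out of order")
    span = text[start.end():end.start()]
    first, last = span.find("<dict>"), span.rfind("</dict>")
    if first == -1 or last == -1:
        raise ValueError("no <dict> ... </dict> between the markers")
    return span[first:last + len("</dict>")].strip()


def parse_payloads(fragment):
    """Parse one or more payload <dict>s by wrapping them in a plist array."""
    wrapped = ('<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><array>'
               + fragment + "</array></plist>")
    return plistlib.loads(wrapped.encode("utf-8"))


def fragment_is_complete(fragment):
    """True when the copied text parses as a list of payload dictionaries."""
    try:
        return all(isinstance(p, dict) for p in parse_payloads(fragment))
    except Exception:  # expat error for truncated XML, plistlib error otherwise
        return False


def check_payloads(payloads):
    """Return findings; an empty list means the payloads look sane."""
    findings, seen = [], set()
    for i, p in enumerate(payloads):
        findings += [f"payload {i}: missing {k}" for k in REQUIRED_KEYS if k not in p]
        if "PayloadUUID" in p:
            try:
                uuid.UUID(str(p["PayloadUUID"]))
            except ValueError:
                findings.append(f"payload {i}: PayloadUUID is not a UUID")
            if p["PayloadUUID"] in seen:
                findings.append(f"payload {i}: duplicate PayloadUUID")
            seen.add(p["PayloadUUID"])
        if p.get("PayloadType") == DNS_PROXY_TYPE and p.get("AppBundleIdentifier") != APP_BUNDLE_ID:
            findings.append(f"payload {i}: DNS proxy is not bound to {APP_BUNDLE_ID}")
    if not any(p.get("PayloadType") == DNS_PROXY_TYPE for p in payloads):
        findings.append("no DNS proxy payload: Umbrella enforcement would not be configured")
    return findings


def inspect_mobileconfig(data):
    """PayloadType of each payload in a .mobileconfig. CMS-signed profiles are
    DER (first byte 0x30), not XML, and are rejected rather than misread."""
    if data[:1] == b"\x30":
        raise ValueError("profile is CMS-signed; inspect the signature separately")
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("top-level PayloadType is not Configuration")
    return [p.get("PayloadType") for p in profile.get("PayloadContent", [])]


# Constructed stand-in for the Umbrella "AirWatch Config" download.
SAMPLE_UMBRELLA_FILE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key>
  <array>
<!-- AirWatch - copy from here -->
    <dict>
      <key>PayloadType</key><string>com.apple.dnsProxy.managed</string>
      <key>PayloadIdentifier</key><string>com.example.umbrella.dnsproxy</string>
      <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>AppBundleIdentifier</key><string>com.cisco.ciscosecurity.app</string>
      <key>ProviderConfiguration</key>
      <dict><key>organizationId</key><string>0000000</string></dict>
    </dict>
<!-- AirWatch - end copy -->
  </array>
  <key>PayloadType</key><string>Configuration</string>
</dict></plist>
"""

# Constructed stand-in for the .mobileconfig downloaded from the AMP console.
SAMPLE_AMP_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadIdentifier": "com.example.amp.clarity",
    "PayloadUUID": "22222222-3333-4444-5555-666666666666", "PayloadVersion": 1,
    "PayloadContent": [{
        "PayloadType": "com.apple.webcontent-filter",  # constructed payload type
        "PayloadIdentifier": "com.example.amp.clarity.filter",
        "PayloadUUID": "33333333-4444-5555-6666-777777777777", "PayloadVersion": 1,
    }],
})

if __name__ == "__main__":
    fragment = extract_airwatch_fragment(SAMPLE_UMBRELLA_FILE)
    print("Umbrella fragment complete:", fragment_is_complete(fragment))
    print("Umbrella findings:", check_payloads(parse_payloads(fragment)))
    print("AMP profile payloads:", inspect_mobileconfig(SAMPLE_AMP_PROFILE))
```

Run it against the real downloads by reading the Umbrella XML into extract_airwatch_fragment and the AMP .mobileconfig bytes into inspect_mobileconfig; a non-empty findings list or a False from fragment_is_complete means the copy should be redone before it is pasted into Custom Settings, since the console does not validate the fragment for you.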

10. Publish the Profile

Click Publish.

Verifying Cisco Security Connector Installed

After you have completed the first three exercises, you are ready to begin testing the Cisco Security Connector on iOS devices. The following checklist helps you to verify that the components were configured correctly in Workspace ONE UEM.

1. Validate Cisco Security App

Validate that the Cisco Security app has been installed on the device. You may have to swipe left or right, as it may be on a different page of the home screen.

2. Validate Cisco Security App Status

  1. Within the Cisco Security app, tap Status.
  2. Ensure that Endpoint Visibility (the Cisco AMP/Clarity profile) and Roaming Security (the Cisco Umbrella profile) both show Protected with a green shield and check mark.
  3. If Roaming Security and/or Endpoint Visibility show a red shield with an X, the corresponding profile is not in effect. Confirm that the device is supervised and that the profile is installed and assigned to the device before engaging Cisco support.

Summary and Additional Resources

Conclusion

This operational tutorial provided the steps to configure the Cisco Security Connector for use with Workspace ONE UEM. These procedures included delivering an iOS app from the public App Store (or through the Apple Volume Purchase Program) and delivering two profile payloads.

Terminology Used in This Tutorial

The following terms are used in this tutorial:

application store A user interface (UI) framework that provides access to a self-service catalog, public examples of which include the Apple App Store, the Google Play Store, and the Microsoft Store.
auto-enrollment Auto-enrollment simplifies the enrollment process by automatically enrolling registered devices following the Out-of-Box-Experience.
catalog A user interface (UI) that displays a personalized set of virtual desktops and applications to users and administrators. These resources are available to be launched upon selection.
cloud A set of securely accessed, network-based services and applications. A cloud can also host data storage. Clouds can be private or public, as well as hybrid, which is both private and public.
device enrollment The process of installing the mobile device management agent on an authorized device. This allows access to VMware products with application stores, such as VMware Identity Manager.
identity provider (IdP) A mechanism used in a single-sign-on (SSO) framework to automatically give a user access to a resource based on their authentication to a different resource.
mobile device management (MDM) agent Software installed on an authorized device to monitor, manage, and secure end-user access to enterprise resources.
one-touch login A mechanism that provides single sign-on (SSO) from an authorized device to enterprise resources.
service provider (SP) A host that offers resources, tools, and applications to users and devices.
virtual desktop The user interface of a virtual machine that is made available to an end user.
virtual machine A software-based computer, running an operating system or application environment, that is located in the data center and backed by the resources of a physical computer.

For more information, see the VMware Glossary.

Additional Resources

About the Author

This tutorial was written by:

  • Robert Terakedis, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

 

Feedback

The purpose of this tutorial is to assist you. Your feedback is valuable. To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.