Integrating Cisco Security Connector: Workspace ONE Operational Tutorial

VMware Workspace ONE 9.3 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you configure the Cisco Security Connector for use with VMware Workspace ONE® UEM—you deliver an iOS app from the public App Store (or through the Apple Volume Purchase Program) and you also deliver two profile payloads.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. 

Both current and new administrators can benefit from using this tutorial. Familiarity with networking and storage in a virtual environment is assumed, including Active Directory, Windows Updates, and directory services. 

Knowledge of additional technologies such as VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Integrating Cisco Security Connector with Workspace ONE

Introduction

In June of 2017, Apple and Cisco announced a security partnership focused on network traffic and content security on mobile iOS devices. Recently, Apple and Cisco announced the availability of the Cisco Security Connector. This application can be managed and configured using VMware Workspace ONE UEM (unified endpoint management), formerly VMware AirWatch.

What is Cisco Security Connector?

Cisco Umbrella + Cisco Clarity (techzone cisco, cisco itunes, cisco security connector itunes)

Cisco Security Connector is a single iOS application leveraging two extensions (Cisco Clarity and Cisco Umbrella). Cisco Clarity (the component for Cisco AMP) provides visibility into mobile apps and their trajectory. Cisco Umbrella provides DNS enforcement and encryption regardless of port or protocol.  Using built-in iOS network hooks, Cisco Security Connector can provide granular network security and content filtering without the need for changes to end-user behavior, Virtual Private Networks, SSL decryption, or proxying.  

For Cisco customers, the Cisco Security Connector can be configured over-the-air on eligible supervised iOS devices. Configuration involves two steps: delivering an iOS app from the public App Store (or through the Apple Volume Purchase Program) and delivering two profile payloads.

Cisco Security Connector requires iOS device supervision (either via Apple Configurator 2, Apple School Manager, or the Device Enrollment Program).  For more detail about Supervision, see Get started with a supervised iPhone, iPad, or iPod touch.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

Check whether you have the following components installed and configured.

  1. Workspace ONE UEM tenant 9.3 or later with admin credentials
  2. iOS 11.3 or later
  3. Administrator credentials for Cisco AMP for Endpoints Dashboard (https://console.amp.cisco.com).
  4. Credentials for Cisco Umbrella (https://login.umbrella.com).

Deploying the Cisco Security Connector Application

The Cisco Security Connector can be deployed from the iTunes App Store as a Public or Purchased Application. This exercise helps you to deploy Cisco Security Connector as a Public application.

1. Add Native Public Application

(techzone cisco, cisco itunes, cisco security connector itunes)

In the Workspace ONE UEM console:

  1. Select Apps & Books.
  2. Select Native.
  3. Select Public.
  4. Select Add Application.

2. Search iOS Applications

(techzone cisco, cisco itunes, cisco security connector itunes)

Search for the Cisco Security Connector application:

  1. Select Apple iOS.
  2. Enter Cisco Security Connector.
  3. Click Next.

3. Select Appropriate iOS Application

(techzone cisco, cisco itunes, cisco security connector itunes)

Select the appropriate application:

  1. Ensure the Cisco Security Connector (com.cisco.ciscosecurity.app) is returned.
  2. Select the appropriate country.
  3. Click Select.

Note: Ensure you select the appropriate country so that the user's device receives the app from the appropriate country's App Store.

4. Save and Assign

(techzone cisco, cisco itunes, cisco security connector itunes)

Click Save & Assign.

5. Add Assignment

(techzone cisco, cisco itunes, cisco security connector itunes)

Click Add Assignment.

6. Add Assignment Group(s) and Policies

(techzone cisco, cisco itunes, cisco security connector itunes)

Continue configuring the application assignment and policies:

  1. Click in the Select Assignment Groups search box and select the assignment group to receive the application.
  2. Select Auto.
  3. Select Enabled  for Managed Access.
  4. Select Enabled for Make App MDM Managed if User Installed.
  5. Click Add to publish the application to your devices.

7. Save & Publish

  1. Ensure your assignment has been added.
  2. Click Save & Publish.

8. Publish

Click Publish.

Important: Publishing the application as Automatic immediately schedules it for delivery to applicable devices.  

Creating a Cisco AMP Extension Profile

To configure the Cisco Security Connector, download a profile from Cisco AMP for Endpoints. Then, add the file as a profile in the Workspace ONE UEM Console. This provides Cisco Security Connector the ability to audit and correlate traffic flow (URLs and ports) from iOS applications.

1. Log In to Cisco AMP for Endpoints

Navigate to the Cisco AMP for Endpoints Dashboard (https://console.amp.cisco.com) and log in.

  1. Enter the email address for your AMP for Endpoints administrator account.
  2. Enter the password for the AMP administrator.
  3. Click Log In.

2. Create a Management Group

2.2. Open Management Group Settings

Click Create Group.

2.3. Name and Save Group

  1. Name the group iOS Clarity.
  2. Click Save.

4. Upload MobileConfig File to Workspace ONE UEM

  1. In the Workspace ONE UEM console, select Devices.
  2. Expand Profiles & Resources.
  3. Select Profiles.
  4. Select Add.
  5. Select Upload Profile.

5. Upload File

Click Upload.

6. Choose File

Click Choose File.

7. Open MobileConfig File

  1. Select the iOS_Clarify_amp_ios.mobileconfig file.
  2. Click Open.

8. Save MobileConfig File

Click Save.

9. Continue File Upload

Click Continue.

10. Assign Profile

  1. Change Assignment Type to Auto.
  2. Change Allow Removal to Never.
  3. Select the Assignment Group(s) for this profile.
  4. Click Save & Publish.

11. Publish Profile

Click Publish.

Creating a Cisco Umbrella Profile

Cisco Umbrella provides secure DNS proxying for domain name resolution on iOS devices. By applying the Umbrella profile to a device with Cisco Security Connector, the device bypasses any auto-configured DNS servers and all external DNS requests are sent (encrypted) to Cisco Umbrella. This allows network administrators to track web requests and block specific URLs or categories.

1. Log In to Cisco Umbrella

  1. In your web browser, navigate to https://login.umbrella.com and enter your user name.
  2. Enter your password.
  3. Click Sign In.

2. Download the Root Certificate

2.2. Download Root Certificate

Click Download Certificate.

3. Download and Copy the AirWatch Config File's XML

3.2. Download AirWatch Config

  1. Click Download.
  2. Select AirWatch Config to download the mobileconfig XML file.

3.3. Open XML file

  1. Find the downloaded XML file and Control+click it (or right-click if you have a two-button mouse).
  2. Click Open.
  3. Validate the file opens in TextEdit or another text editor that allows you to view the XML.

3.4. Copy XML Between the Comments

  1. Select the text beginning with the first </dict> after the line starting !-- AirWatch - copy...
  2. End the text selection with the last </dict> immediately preceeding the line stating <!-- AirWatch - end copy -->

Important: Your selected text should be significantly longer than shown in the screenshot. This screenshot has been truncated for illustration.

4. Create a Workspace ONE UEM Profile

In the Workspace ONE UEM Console:

  1. Select Devices.
  2. Expand Profiles & Resources.
  3. Select Profiles.
  4. Select Add.
  5. Select Add Profile.

5. Select a Platform

Select Apple iOS.

6. Complete General Profile Information

  1. Enter a name for the profile.
  2. Enter a description for the profile.
  3. Set the assignment type to Auto.
  4. Select whether users are allowed to remove the profile from managed devices.  
  5. Select one or more assignment groups to receive the profile.

7. Open the Credentials Payload

  1. Scroll down the payload list.
  2. Select Credentials.
  3. Click Configure.

8. Configure the Credentials Profile

8.1. Upload a Certificate

Click Upload.

8.2. Choose File

Click Choose File.

8.3. Select the Umbrella Root Certificate File

Double-click the Cisco_Umbrella_Root_CA.cer file.

8.4. Save the Root Certificate File

Click Save.

8.5. Validate Upload

Validate the Credential Name has been pre-filled and the certificate details (Issuance Names and Validity Dates) are correct.

9. Configure Custom Settings XML Payload

9.1. Open the Custom Settings Payload

  1. Scroll down the payload list.
  2. Select Custom Settings.
  3. Click Configure.

9.2. Paste Copied XML

Paste the section you copied from the MobileconfigAirWatch.xml file (from the Umbrella Console) into the Custom Settings text box.

10. Publish the Profile

Click Publish.

Verifying Cisco Security Connector Installed

After you have completed the first three exercises, you are ready to begin testing the Cisco Security Connector on iOS devices. The following checklist helps you to verify that the components were configured correctly in Workspace ONE UEM.

1. Validate Cisco Security App

Validate the Cisco Security app has been installed on the device. You may have to swipe left or right as it may be shown on a different screen of the springboard.

2. Validate Cisco Security App Status

  1. Within the Cisco Security App, click Status.
  2. Ensure the status for Endpoint Visibility and Roaming Security show Protected with a green shield with check mark.
  3. If Roaming Security and/or Endpoint Visibility show a red shield with an X there may be an issue with your configurations. You may need to engage Cisco support.

Summary and Additional Resources

Conclusion

This operational tutorial provided the steps to configure the Cisco Security Connector for use with Workspace ONE UEM. These procedures included delivering an iOS app from the public App Store (or through the Apple Volume Purchase Program) and delivering two profile payloads.

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

For more information on Managing Windows 10 Devices with Workspace ONE, see the Understanding Windows 10 Management Activity Path

The content in this section helps you establish a basic understanding of Windows 10 management in the following categories:

Managing Windows 10 can be complicated. Let us demystify it, and make you a hero!

 

About the Author

This tutorial was written by:

  • Robert Terakedis, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware


Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Filter Tags

Workspace ONE Workspace ONE UEM Document Operational Tutorial Advanced iOS Deploy Secure Remote Access