we will use Workspace ONE Access Connector, and the Directory Sync Service, it works very well together with UEM implementation, Workspace ONE Access synchronize users using a read-only connection to the Active Directory

Steps:

1. We will add the Connector, and download the config file:

· From the Workspace ONE Access Console, click Identity & Access Management.

· In the top right, Click Setup.

· Click New

· In the top right, click Add

Download the Installer.

Click Next

· Put the password and download the configuration file.

2. We will download Workspace ONE Access (formerly Identity Manager) Connector 21.08.0.0nand set it up at your windows server machine:

From the windows server machine:

· From the Workspace ONE Access Console, click Identity & Access Management.

· In the top right, Click Setup.

· Click New.

· Click GO TO MYVMWARE.COM.

· Click DOWNLOAD NOW, to download it.

· Once it is downloaded into your Windows Server Machine, please right-click on it, then click Run it as administrator then install it.

· Once the installation is complete, it will show under Identity & Access Management.

The VMware Workspace One Access Connector service installed successfully.

The Workspace ONE Access (formerly Identity Manager) Connector has been downloaded and set up successfully.

3. We will bind Active Directory to authenticate and authorize your users to access it:

· From Workspace ONE Access console, click Identity & Access Management.

· Click Add Directory, then click Add Active Directory.

· Type your Directory Name, which is your Domain FQDN (Fully Qualified Domain Name), then select the Sync Connector (the FQDN one which we installed), then select Directory Search Attribute to be sAMAccountName.

· At the bottom part, just put your bind user details (the bind user who has permission to query users and groups for the required domains), and the password as below, then click Save & Next.

· After a couple of seconds, Workspace One Access will get the Domain (or domains if you have more than one configured into your environment), click Next until you Click Sync Directory.

We have successfully Synced Active Directory in the Workspace ONE Access console.

Security incident and event management (SIEM) refer to the process of recording, monitoring, correlating, and analyzing the security events in an IT environment in real-time. No matter the size of a business, SIEM tools can have significant benefits for everything from compliance reporting to stopping attacks. Any managed services provider (MSP) can benefit from having SIEM software in its portfolio.

SIEM tools combine security information management (SIM) and security event management (SEM) functionalities. They use log data flows from different areas of an organization to create a real-time picture of potential threats to the IT environment, enabling your cybersecurity to be proactive rather than reactive. By relying on data from a variety of hosts in an IT environment, SIEM tools can provide you with a broad understanding of what is happening at every level of a business.

The SIEM process is one of the most critical branches of cybersecurity. By collecting, naturalizing, and correlating log data from an organization, SIEM tools help you reduce security breaches with proactive security.

Integration Advantages:

Data Aggregation and Visibility: Visibility into your entire IT environment is one of the biggest benefits of SIEM. This visibility goes hand in hand with the way that logs are normalized and correlated in a SIEM tool.

That’s why the SIEM capabilities that relate to data aggregation and normalization are so beneficial. Not only does a SIEM tool collect and store the data from the security tools in your IT environment in a centralized location, but it also normalizes them into a uniform format so you can easily compare the data. The tool also analyzes and correlates this data, finding connections that can help you detect security incidents quickly.

Incident Detection: Many of the hosts on your system that log security breaches don’t include built-in incident detection capabilities. That means they can observe events and produce log entries, but can’t analyze them for potentially suspicious activity. However, because SIEM tools correlate and analyze the log data that’s produced across hosts, they’re able to detect the incidents that might otherwise be missed—either because the relevant logs were not analyzed or because they were too widely separated between hosts to be detected.

There is a huge difference between detecting an attack as it’s occurring versus detecting it long after it has already succeeded. By detecting incidents that might otherwise go unnoticed until much later, the SIEM workflow can limit the scale of damage that might result from the threat.

Improved Efficiency: SIEM tools can significantly improve your efficiency when it comes to understanding and handling events in your IT environment. With SIEM tools, you can view the security log data from the many different hosts in your system from a single interface. This expedites the incident handling process in several ways. First, the ability to easily see log data from the hosts in your environment allows your IT team to quickly identify an attack’s route through your business. Second, the centralized data lets you easily identify the hosts that were affected by an attack.

Working more efficiently, especially when it comes to ongoing security incidents, is a huge asset for MSPs to be able to provide for their customers. By responding quickly to perceived events, SIEM tools can help you reduce the financial impact of a breach—as well as the amount of damage that occurs in the first place.

Simplified Compliance Reporting: Practically every business, no matter the size or the industry, has at least some regulations that it needs to comply with. Ensuring that you’re abiding by those regulations and that you can prove your compliance can be a difficult and time-consuming task. Luckily, thanks to the collection, normalization, and organization of log data, SIEM tools can help simplify the compliance reporting process. In fact, the benefits of SIEM tools as centralized logging solutions for compliance reporting are so significant that some businesses deploy SIEMs primarily to streamline their compliance reporting.

SIEM tools can save businesses both time and money by simplifying compliance reporting to make sure MSP customers are not in violation of any regulations. Without accurate reporting to prove compliance, businesses may face hefty fines and loss of accreditation. With SIEM tools, MSPs can easily generate reports that provide details on their customers’ compliance with the relevant regulatory protocols.

Policy Violation Notifications: A SIEM system in place will assure that any policy violation activity is reported quickly so that immediate countermeasures can be deployed. SIEM systems come with an automated alerting mechanism that makes this process easy. You can use the SIEM altering tool to get emails and dashboard notifications. This helps in preventing chronic violations and taking strict action against users for regular violations as we already integrated Workspace ONE UEM and Workspace ONE Access with the Directory Service, please review it from the basic guide: Deploy Workspace One 101 – For Beginners.

Forensic Analysis of Major Security Breaches: SIEM systems are designed for identifying patterns in cyber-attacks to prevent the IT assets of an organization. From compliance management to real-time monitoring, its ultimate goal is to enhance the security practices of your organization. With advanced tools and a rich set of features, you need expertise for integrating SIEM into your existing infrastructure. Vendors offering SIEM as a service can analyze your business activities and integrate cost-efficient SIEM solutions for your corporate security.

Configure Syslog:

· Click Monitor.

· Click Reports & Analytics.

· Click Events.

· Click Syslog.

· Set the Syslog Integration to Enabled.

· In General Tab, enter the following data:

o Hostname which is your SIEM URL.

o Protocol: Select the required protocol from available options (UDP, TCP, or Secure TCP) to send the data. We support TLS v1.0, TLS v 1.1, and TLS v1.3.

o Port: Enter the port number to communicate with the SIEM tool in the Port text box.

o Syslog Facility: select the facility level for the feature from the Syslog Facility menu. The Syslog protocol defines the Syslog facility.

o Message Tag: Enter a descriptive tag to identify events from the Workspace ONE UEM console in the Message Tag text box. For example, “AirWatch”.

o Message Content: Enter the data to include in the transmission in the Message Content text box. This is how the message data gets formatted when sent using Syslog to your SIEM tool. Use lookup values to set the content. For secure TCP, Newline (CRLF) formatting using Enter, \n, \r does not work and gets automatically converted to tab, \t for secure TCP.

· Click Save and use the Test Connection button to ensure successful communication between the Workspace ONE UEM console and the SIEM tool.

Configure the Scheduler Syslog Task:

You can configure the Scheduler Syslog Task for on-premises deployments. This task sets the intervals at which the AirWatch Console sends requests to the SIEM tool for data.

· From Workspace ONE UEM console, go to GROUPS & SETTINGS.

· Click All settings.

· Click Admin.

· Click Schedule.

· Click Edit for Syslog task.

· Define the interval at which the Console sends data to the options configured in the Syslog feature in the Recurrence Type setting.

· Define Range setting.

· Click Save.

You have successfully configured the Scheduler Syslog Task.

The Single CA model uses only one Certificate Authority. All certificate requests will be processed by that CA. The Single CA model works well in smaller organizations, but larger organizations generally benefit from using a different model.

Having a Single CA makes it easy to administer. There is only one system you have to worry about. The Single CA model can also be very secure. You have to secure only one system. You also have more control over what certificate requests are processed.

The Single CA model does have its disadvantages. First, it doesn’t scale very well. All requests have to go to a single system. This system can become busy processing requests. Having a Single CA also represents a possible single point of failure. If that one system fails, certificate transactions cannot be processed.

Certification authority CA – Digital signature

The CA will ‘stamp’ the certificate with a signature. This signature binds all the other fields (listed above) into the certificate. The certificate identifies the CA via a digital signature but also by the name of the certificate. Certificates are issued by a CA which, by design, is a trusted party that vouches for the identity of those to whom it issues certificates. In order to prevent fake certificates, the CA’s public key must be trustworthy. The CA can publicize its public key or provide a certificate from a higher level CA which attests to the validity of its public key.

Workspace ONE UEM offers several deployment options for Microsoft certificate authorities:

· Workspace ONE UEM to the CA- This model uses the DCOM protocol. Workspace ONE UEM communicates directly with the Microsoft CA or through the AirWatch Cloud Connector to the CA.

Specifies the Distributed Component Object Model (DCOM) Remote Protocol, which exposes application objects via remote procedure calls (RPCs) and consists of a set of extensions layered on the Microsoft Remote Procedure Call Extensions.

· Mobile Devices to the CA – This model uses the NDES (a Microsoft proprietary version of SCEP) or SCEP protocol. Workspace ONE UEM only delegates certificate transactions between the device and the Microsoft CA.

The Network Device Enrollment Service (NDES) allows software on routers and other network devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP).

· Workspace ONE UEM SCEP Proxy – This model uses the NDES or SCEP protocol. Workspace ONE UEM is the proxy that sends certificate transactions between the device and the CA endpoint. The NDES/SCEP endpoint is not exposed to the Internet.

Creating a New Certificate Authority in Workspace ONE UEM:

· In the Workspace ONE UEM Administration Console, go to Devices.

· Click Certificates.

· Click Certificate Authorities.

· Click Add.

· Provide a Name and Description.

· Provide the hostname to reach your certificate server.

· Enter your CA Authority Name (Note: This is the name that appears in your Certification Authority).

· Enter your username of the service account and password.

· Click Test Connection.

· Click Save.

You have successfully created a New Certificate Authority in Workspace ONE UEM.

After installing the Workspace ONE Assist server and all its components, configure the UEM console to communicate with the Workspace ONE Assist server.

· From Workspace ONE UEM console, go to GROUPS & SETTINGS.

· Click All settings.

· Click System.

· Click Advanced.

· Click Site URLs.

· Click Workspace ONE Assist.

· Put your Console Connection Name which is the Workspace ONE Assist server fully qualified domain name (FQDN) plus “/t10”.

· Put your Device Connection Name which is the Workspace ONE Assist server fully qualified domain name (FQDN).

· Click Save.

Workspace ONE Assist is ready now to remote any enrolled device through your portal.

The Security Policies page lets you configure options that affect Workspace ONE UEM apps, Workspace ONE SDK-built apps, and wrapped apps.

Security Policies profiles offer security controls for SDK-built apps. Control security with authentication methods, tunneling app traffic, and restricting access to features with data loss prevention.

· From the Workspace ONE UEM Console, Go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Profiles.

· Click Add Profile.

· Click SDK Profile.

· iOS and Android both need to be added for iOS Enterprise Apps and Android Enterprise Apps.

· Under Restrictions configure Enable Data Loss Prevention.

· Click Save.

Why do you need VMware Tunnel, we explain it before, please click here.

· From the Workspace ONE UEM Console, Go to Groups & Settings.

· Click All Settings.

· Click System.

· Click Enterprise Integration.

· Click VMware Tunnel.

· Click Download Installer.

· Select Workspace ONE Tunnel.

· Specify your server platform with the latest app version and your Workspace ONE Version.

· Setup the Workspace ONE Tunnel on your server.

· Click Save.

· From the Workspace ONE UEM Console, Go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Security Policies.

· Verify that AirWatch App Tunnel is Enabled.

· Select VMware Tunnel: Proxy for App Tunnel Mode.

· Click Save.

Add Configured VMware Tunnel to iOS/Android SDK Profiles:

· From the Workspace ONE UEM Console, Go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Profiles.

· Select the Profile we created before for iOS/Android.

· Click Proxy.

· Select Enable App Tunnel.

· Select VMware Tunnel Proxy for App Tunnel Mode.

· Click Save.

Modifying or Configuring Authentication Type That Is Used with Uploaded Enterprise Apps:

· From the Workspace ONE UEM Console, Go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Security Policies.

· Modify Authentication Type for Enterprise Apps (You can Disable it, set Passcode, or enable Username and Password for recurring authentication with apps deployed through VMWare Workspace ONE (AirWatch) )

· Click Save.

· In the Workspace ONE UEM Administration Console, go to Devices.

· Click Certificates.

· Click Certificate Authorities.

· Click Add.

· Provide a Name for the Template.

· Select your Certificate Authority which you just created.

· Enter your Issuing Template in the following format: certificatetemplate:[ADCS-TEMPLATE]. In my lab, my issuing template would be “certificatetemplate:WS1Cert”.

· Select the Subject Name. Remember, the subject name is what the browser will present to the user. In Workspace ONE Access, we don’t have to use the subject to match the correct user.

· Select the correct private key length (per your CA settings).

· Select both Signing and Encryption.

· Under SAN, add the following:

Email Address -> {EmailAddress}

User Principal Name -> {UserPrincipalName}

DNS Name -> UDID={DeviceUid}

· Select Automatic Certificate Renewal.

· Select Name Certificate Revocation.

· Click Save.

You have successfully created a new certificate template in Workspace ONE UEM.

Workspace ONE Assist includes the following components:

Workspace ONE Assist Core Services: Services responsible for coordinating communication and providing service discovery for all other Workspace ONE Assist services. All database communication is handled through these services.

Workspace ONE Assist Portal Services: Services that host the Workspace ONE Assist administration portal that manages remote device sessions and registration.

Workspace ONE Assist Application Services: Services responsible for communicating with devices available for remote management which already been enrolled before, please check devices enrollment from the basic guide: Deploy Workspace One 101 – For Beginners.

Workspace ONE Assist Connection Proctor: Proctor for managing device connections to the Workspace ONE Assist server. Simultaneously handles multiple requests for remote management sessions.

Database: Microsoft SQL Server database that stores the Workspace ONE Assist system and tenant configuration, operations, and logging, such as the accrual of historical data showing when a device was enrolled in remote management.

Install Workspace ONE Assist to an On-Premises Environment:

1. we will Generate the Workspace ONE Assist T10 API Certificate:

Download the installer package, Workspace ONE Assist installer from VMware Workspace ONE Assist 5.3 Installer (You must generate the T10 API root and intermediate certificates used during an on-premises installation).

Note: The certificate generator is called RemoteManagementCertificateGenerator_9_2. This installer must be run on a machine with the same locale settings as the database server to ensure that the same date format is set in the SQL script. You must run this certificate generator as an administrator.

Run the Remote Management Certificate Generator which is included in the installer package.

 From Workspace ONE UEM console, go to GROUPS & SETTINGS.

 Click All Settings.

 Click System.

Click Advanced.

 Click Site URLs.

Go to Workspace ONE section, then copy the string in the Remote Management CN text box.

Set the connection type to be Remote Management.

Set the deployment to be On-Premises.

Put the Remote Management CN which we copied before at the Certificate Common Name.

Click Generate Certificates.

Set a password for the certificate, we will use it later.

Go to the folder that contains the certificate, Copy the p7b file to c:\temp\certs folder on the Workspace ONE Assist Server.

The certificate has been generated successfully.

2. Install Site SSL Certificate, Assist On-Premises Only:

SSL certificates provide secure, encrypted communications between a website and an Internet browser. The SSL certificate secures HTTPS binding for the management website for port 443 and allows a secure connection. This secure connection is between the admin and Web services. Also, the SSL certificate secures the connection to the Connection Proctor on port 8443 (or port 443 when the Connection Proctor (CP) Service runs on a separate server). You must provide the SSL certificate is a wildcard or SAN certificate.

Run the Microsoft Management Console (MMC).

Click file then click Add/Remove Snap-in.

 Click Certificates, then click Add.

Click Computer Account, then click Next.

Click Local Computer, then click Finish.

 Click Ok.

 Click Certificates (Local Computer), then click Personal.

 Click Certificates.

 In the Action menu of the MMC application, click All Tasks.

 Click Import.

 Click Next to begin the Wizard.

 Click Browse to locate the SSL certificate in the PFX file format which we generated before, then give it a name.

 Click Open to import it.

 Enter the Certificate password.

 Add checkmarks to the two boxes labeled Mark this key as exportable and Include all extended properties.

 Click Next.

 Select Place all certificates in the following store and set the Certificate store to ‘Personal’.

 Click Next.

 Confirm all the presented information is correct, then click Finish.

Your SSL certificate has been installed successfully.

We are installing Workspace ONE Assist for the first time, so you do not need to bind the SSL certificate to a website or renew the site thumbprint.

3. Standard (Basic) Installation of Workspace ONE Assist:

Download Workspace ONE Assist installer from https://my.workspaceone.com, then save it to the Workspace ONE Assist server.

 Right-click the installer file and select Run as administrator.

 Click Next.

 Choose any directory to install Workspace ONE Assist on it.

 Click Standard Installation (Basic) and then select Next.

 Click Connect to existing SQL Server, then enter all required data for it.

 Enter your Tenant FQDN (we explained it before, please click here).

 In the SSL Certificate text box, select the folder button, then select the SSL certificate which we generated before.

 click OK.

 Uncheck Apply Default Settings.

 Select the folder icon to attach the T10 certificate.

 Browse for the T10 certificate which we downloaded before.

 Click Open.

 Click Save.

 Click Next.

 Click Install.

 Click Next after the installation is finished.

 Leave the Execute Resource pack check box selected, then click Finish.

You have successfully installed the Workspace ONE Assist.

After you set up a directory in the Workspace ONE Access service, you can view and modify the directory configuration and sync settings, you can trigger manual sync or wait for the next scheduled sync run for the changes to take effect.

1. Syncing a Directory manually in Workspace ONE Access:

When you want to sync updates from your active directory to your Workspace ONE Access directory immediately, you can start the sync process manually.

· Click Identity & Access Management, then click Manage.

· Click Directories.

· Click the directory you want to sync

· Click Sync, and select Sync with Safeguards, or Sync without Safeguards to sync it manually.

The sync safeguard thresholds that are set limit the number of changes that can be made to users and groups when the directory syncs.

· From the sync setting, you can click Safeguards, then Set the percentage of changes to trigger the sync to fail then click Save.

You have successfully Synced a Directory manually in Workspace ONE Access

2. Setting up a Directory Sync Schedule in Workspace ONE Access:

You can set up a sync schedule so that users and groups are synced automatically from your Active Directory or LDAP directory to the Workspace ONE Access service at regular intervals.

· Click Identity & Access Management, then click Manage.

· Click Directories.

· Click the directory you want to sync.

· Click Sync Settings.

· In the Sync Frequency tab, set the sync frequency to run the sync, then click Save.

You have successfully Setup a Directory Sync Schedule in Workspace ONE Access.