UEM Authority (https://guides.uemauthority.com)

Integrate Workspace ONE Access with On-Premises Active Directory
https://guides.uemauthority.com/knowledge-base/integrate-workspace-one-access-with-on-premises-active-directory/
Thu, 13 Jan 2022

Integrating with directory services eliminates the need to create basic user accounts in your organization. Such integration can also help simplify the enrolment process for end-users by applying the information they already know. Ongoing LDAP synchronization detects any changes within the system. This synchronization performs necessary updates across all devices for affected users.

We will use the Workspace ONE Access Connector and the Directory Sync Service, which work very well together with a UEM implementation. Workspace ONE Access synchronizes users over a read-only connection to Active Directory.

Steps:

  1. We will add the Connector, and download the config file:

· From the Workspace ONE Access Console, click Identity & Access Management.

· In the top right, click Setup.

· Click New.

· In the top right, click Add

Download the Installer.

Click Next

· Enter the password and download the configuration file.

2. We will download Workspace ONE Access (formerly Identity Manager) Connector 21.08.0.0 and set it up on your Windows Server machine:

From the Windows Server machine:


· From the Workspace ONE Access Console, click Identity & Access Management.

· In the top right, click Setup.

· Click New.

· Click GO TO MYVMWARE.COM.

· Click DOWNLOAD NOW to download it.

· Once it is downloaded to your Windows Server machine, right-click it, click Run as administrator, then install it.

· Once the installation is complete, it will show under Identity & Access Management.

The VMware Workspace One Access Connector service installed successfully.


The Workspace ONE Access (formerly Identity Manager) Connector has been downloaded and set up successfully.

3. We will bind Active Directory to authenticate and authorize your users to access it:


· From Workspace ONE Access console, click Identity & Access Management.

· Click Add Directory, then click Add Active Directory.

· Type your Directory Name, which is your domain FQDN (Fully Qualified Domain Name), then select the Sync Connector (the FQDN of the connector we installed), then set Directory Search Attribute to sAMAccountName.

· In the bottom section, enter your bind user details (the bind user who has permission to query users and groups for the required domains) and the password, then click Save & Next.

· After a couple of seconds, Workspace ONE Access retrieves the domain (or domains, if you have more than one configured in your environment). Click Next until you reach Sync Directory, then click it.


We have successfully Synced Active Directory in the Workspace ONE Access console.

Integrate Workspace ONE with SIEM solutions
https://guides.uemauthority.com/knowledge-base/integration-workspace-one-with-siem-solutions/
Thu, 13 Jan 2022

Security incident and event management (SIEM) refers to the process of recording, monitoring, correlating, and analyzing the security events in an IT environment in real time. No matter the size of a business, SIEM tools can have significant benefits for everything from compliance reporting to stopping attacks. Any managed services provider (MSP) can benefit from having SIEM software in its portfolio.

SIEM tools combine security information management (SIM) and security event management (SEM) functionalities. They use log data flows from different areas of an organization to create a real-time picture of potential threats to the IT environment, enabling your cybersecurity to be proactive rather than reactive. By relying on data from a variety of hosts in an IT environment, SIEM tools can provide you with a broad understanding of what is happening at every level of a business.

The SIEM process is one of the most critical branches of cybersecurity. By collecting, normalizing, and correlating log data from an organization, SIEM tools help you reduce security breaches with proactive security.

Integration Advantages:

Data Aggregation and Visibility: Visibility into your entire IT environment is one of the biggest benefits of SIEM. This visibility goes hand in hand with the way that logs are normalized and correlated in a SIEM tool.

That’s why the SIEM capabilities that relate to data aggregation and normalization are so beneficial. Not only does a SIEM tool collect and store the data from the security tools in your IT environment in a centralized location, but it also normalizes them into a uniform format so you can easily compare the data. The tool also analyzes and correlates this data, finding connections that can help you detect security incidents quickly.

Incident Detection: Many of the hosts on your system that log security breaches don’t include built-in incident detection capabilities. That means they can observe events and produce log entries, but can’t analyze them for potentially suspicious activity. However, because SIEM tools correlate and analyze the log data that’s produced across hosts, they’re able to detect the incidents that might otherwise be missed—either because the relevant logs were not analyzed or because they were too widely separated between hosts to be detected.

There is a huge difference between detecting an attack as it’s occurring versus detecting it long after it has already succeeded. By detecting incidents that might otherwise go unnoticed until much later, the SIEM workflow can limit the scale of damage that might result from the threat.

Improved Efficiency: SIEM tools can significantly improve your efficiency when it comes to understanding and handling events in your IT environment. With SIEM tools, you can view the security log data from the many different hosts in your system from a single interface. This expedites the incident handling process in several ways. First, the ability to easily see log data from the hosts in your environment allows your IT team to quickly identify an attack’s route through your business. Second, the centralized data lets you easily identify the hosts that were affected by an attack.

Working more efficiently, especially when it comes to ongoing security incidents, is a huge asset for MSPs to be able to provide for their customers. By responding quickly to perceived events, SIEM tools can help you reduce the financial impact of a breach—as well as the amount of damage that occurs in the first place.

Simplified Compliance Reporting: Practically every business, no matter the size or the industry, has at least some regulations that it needs to comply with. Ensuring that you’re abiding by those regulations and that you can prove your compliance can be a difficult and time-consuming task. Luckily, thanks to the collection, normalization, and organization of log data, SIEM tools can help simplify the compliance reporting process. In fact, the benefits of SIEM tools as centralized logging solutions for compliance reporting are so significant that some businesses deploy SIEMs primarily to streamline their compliance reporting.

SIEM tools can save businesses both time and money by simplifying compliance reporting to make sure MSP customers are not in violation of any regulations. Without accurate reporting to prove compliance, businesses may face hefty fines and loss of accreditation. With SIEM tools, MSPs can easily generate reports that provide details on their customers’ compliance with the relevant regulatory protocols.

Policy Violation Notifications: A SIEM system ensures that any policy violation activity is reported quickly so that immediate countermeasures can be deployed. SIEM systems come with an automated alerting mechanism that makes this process easy. You can use the SIEM alerting tool to get emails and dashboard notifications. This helps in preventing chronic violations and taking strict action against users for regular violations. We have already integrated Workspace ONE UEM and Workspace ONE Access with the Directory Service; to review that, see the basic guide: Deploy Workspace One 101 – For Beginners.

Forensic Analysis of Major Security Breaches: SIEM systems are designed for identifying patterns in cyber-attacks to protect the IT assets of an organization. From compliance management to real-time monitoring, their ultimate goal is to enhance the security practices of your organization. With advanced tools and a rich set of features, you need expertise for integrating SIEM into your existing infrastructure. Vendors offering SIEM as a service can analyze your business activities and integrate cost-efficient SIEM solutions for your corporate security.

Configure Syslog:

· Click Monitor.

· Click Reports & Analytics.

· Click Events.

· Click Syslog.

· Set the Syslog Integration to Enabled.

· In the General tab, enter the following data:

o Hostname: Your SIEM URL.

o Protocol: Select the required protocol from the available options (UDP, TCP, or Secure TCP) to send the data. We support TLS v1.0, TLS v1.1, and TLS v1.3. UDP and TCP send events in clear text; Secure TCP wraps them in TLS.

o Port: Enter the port number to communicate with the SIEM tool in the Port text box.

o Syslog Facility: Select the facility level for the feature from the Syslog Facility menu. The Syslog protocol defines the Syslog facility.

o Message Tag: Enter a descriptive tag to identify events from the Workspace ONE UEM console in the Message Tag text box. For example, “AirWatch”.

o Message Content: Enter the data to include in the transmission in the Message Content text box. This is how the message data gets formatted when sent using Syslog to your SIEM tool. Use lookup values to set the content. For Secure TCP, newline (CRLF) formatting using Enter, \n, or \r does not work; it is automatically converted to a tab (\t).

· Click Save and use the Test Connection button to ensure successful communication between the Workspace ONE UEM console and the SIEM tool.

Configure the Scheduler Syslog Task:

You can configure the Scheduler Syslog Task for on-premises deployments. This task sets the intervals at which the AirWatch Console sends requests to the SIEM tool for data.

· From Workspace ONE UEM console, go to GROUPS & SETTINGS.

· Click All settings.

· Click Admin.

· Click Schedule.

· Click Edit for the Syslog task.

· In the Recurrence Type setting, define the interval at which the Console sends data to the options configured in the Syslog feature.

· Define the Range setting.

· Click Save.

You have successfully configured the Scheduler Syslog Task.

Integrate Workspace One with Google
https://guides.uemauthority.com/knowledge-base/integration-with-google/
Thu, 13 Jan 2022

We will register Workspace ONE UEM with Google using Google Account credentials.

Note: This step is required if you want to enroll Android devices.

Prerequisite:

You need a regular Google Account, or a G Suite account with administrative rights (use a corporate Google Account, not a personal one).

· From Workspace ONE UEM console, click GROUPS & SETTINGS, then click All Settings.

· Click Devices & Users, click Android, then click Android EMM registration, then click REGISTER WITH GOOGLE.

Note: If you are already signed in with your Google credentials, you are directed to the Google “Get Started” page.

· If you are not already signed in, select Sign In, enter your Google credentials, and then select Get Started.

· Enter your Organization Name, then press Next One. Fill in all required fields, click To Confirm, then click Complete Registration.

· You are redirected to the Workspace ONE Console. Click TEST CONNECTION to check that everything is configured successfully, then click Save.

You have successfully integrated your Workspace ONE UEM with Google.

Enroll an Android Work Managed device using a unique identifier (afw#hub):

Prerequisites:

  • Android device running version 5.0 or later.
  • Factory reset device.
  • Retrieve the Group ID from Workspace ONE UEM Console as we mentioned before.

1. Begin Enrollment:

· Start your phone after the factory reset is done, then click on the arrow.

· Accept the privacy policy, then click Next.

· Connect to Wi-Fi, then click Next.

· Enter afw#hub into the Email or phone text box to download the Workspace ONE Intelligent Hub.


· Install the Agent.

· Click Accept & Continue.

2. Configuring Workspace ONE UEM server details:

· Enter the Workspace ONE UEM server URL, then click Next.

· Enter your Group ID, then click Next.

· Enter your Active Directory credentials, then click Next.

· Click I UNDERSTAND.

· Click I AGREE, then it will set up your device.

3. Confirm Device Enrollment:

· After the device has completed enrollment, you can see the user account details. Tap This Device to view the device status.

You have successfully enrolled your Android Work Managed (Company Owned) device using a unique identifier.

Integrate Workspace One with Apple APNS
https://guides.uemauthority.com/knowledge-base/integration-with-apple/
Thu, 13 Jan 2022

We need to configure the Apple Push Notification service (APNs) in the Workspace ONE UEM console. We will then create a valid APNs certificate and download it from the Apple Push Certificate Portal (this requires an Apple ID), then upload it to the Workspace ONE UEM console to complete the certificate generation and integrate with Apple.

Note: Apple Push Notification service (APNs) is the messaging protocol created by Apple to manage mobile devices.

Note: This step is required if you want to enroll iOS or macOS devices.

Prerequisite:

Corporate Apple ID account: To create an Apple ID for business, a company owner enrolls the business in the Apple Business Manager program. To sign up for Apple Business Manager, provide information such as your organization’s name, D-U-N-S Number, phone number, and website.

Configure Apple Push Notification Service (APNs):

· From Workspace ONE UEM console, click GROUPS & SETTINGS, then click All Settings.


· Click Devices & Users, then click Apple, then click APNs for MDM, then click Generate new certificate. (This is a certificate for the Apple Push Notification service; any management tool that wants to manage macOS or iOS needs to route all of its management traffic through Apple's systems.)

· Click MDM_APNsRequest.plist, which downloads a plist file that we will need later, then click go to Apple. (This downloads the certificate request.)

Apple Push Notification service (APNs) is the messaging protocol created by Apple to manage mobile devices. To manage iOS devices, Workspace ONE UEM requires a valid APNs certificate, so we will create it:

Download the Certificate:

· Sign in with your corporate Apple ID (do not use a personal Apple ID).

· Click Create Certificate.

· Click I have read and agree to these terms and conditions, then click Accept.

· Click Browse, choose the MDM_APNsRequest.plist file we downloaded before, then click Upload.

· Click Download.

We have successfully downloaded the certificate.

We will complete the certificate generation and upload the certificate to the Workspace ONE UEM console:

· Go back to the Workspace ONE UEM console and press Next.

· Click Upload.

· Click Choose File, then choose the certificate we just downloaded, then click Save.

· Enter the Apple ID you used before to generate the Apple certificate, then press Save.

· Click TEST CONNECTION to check that everything is configured successfully.

You have successfully integrated your Workspace ONE UEM with Apple.

Enroll an iOS device with the Workspace ONE Intelligent Hub:

· Navigate to getwsone.com from the Safari browser. Workspace ONE UEM automatically prompts the end-user to go to the App Store and download the Workspace ONE Intelligent Hub application. Follow the download prompts. An Apple ID is required to download the Workspace ONE Intelligent Hub from the iTunes store.

· Select the Workspace ONE Intelligent Hub application and then select either one of the following authentication methods:

· Email Address – Select auto-discovery, which we configured before.

· Server Details – Select to enroll using the server URL.

· QR Code – Select and use the device to scan the QR code received through email or the Support tab.

· Enter your AD credentials, which include a Username and Password.

· Select Next after reviewing privacy collection information.

· Once redirected to Safari WebView, you are prompted to download the MDM profile. The following message is displayed: This website is trying to download a configuration file. Do you want to allow this?

· Tap Allow and when the download is complete, tap Close.

· Select Allow downloading the MDM profile.

· Install the MDM profile. Accept any prompts for trust.

· Once the MDM profile is installed, navigate back to Hub.

· Select Done to complete enrollment. A success message is displayed. The enrollment into Workspace ONE UEM is now complete.

You have successfully enrolled an iOS device with the Workspace ONE Intelligent Hub.

Enable Device-Based Targeted Logging
https://guides.uemauthority.com/knowledge-base/enable-device-based-targeted-logging/
Thu, 13 Jan 2022

Device-based targeted logging is ideal for logging exercises on a small number of devices.

· From the Workspace ONE UEM Console, go to Devices.

· Click List View.

· Select the device you want to target.

· From the Device details screen, click More.

· Click Targeted Logging.

· Click Create New Log.

· Select the time frame you desire and select Start.

· After the time is finished, go to Groups & Settings.

· Click All Settings.

· Click Admin.

· Click Diagnostics.

· Click Logging.

· Click Targeted Logging File Path.

· Navigate to the configured file path and open the log.

Enable Settings-Based Targeted Logging:

Settings-based targeted logging is ideal for logging exercises on a large number of devices.

· From the Workspace ONE UEM Console, go to Groups & Settings.

· Click All Settings.

· Click Admin.

· Click Diagnostics.

· Click Logging.

· Select Enabled for the Targeted Logging setting and provide a comma-separated list of Device IDs.

· Once log gathering has concluded, reset Targeted Logging to Disabled.

Certification authority CA – Digital signature
https://guides.uemauthority.com/knowledge-base/certification-authority-ca-digital-signature/
Thu, 13 Jan 2022

Single CA Model

The Single CA model uses only one Certificate Authority. All certificate requests will be processed by that CA. The Single CA model works well in smaller organizations, but larger organizations generally benefit from using a different model.

Having a Single CA makes it easy to administer. There is only one system you have to worry about. The Single CA model can also be very secure. You have to secure only one system. You also have more control over what certificate requests are processed.

The Single CA model does have its disadvantages. First, it doesn’t scale very well. All requests have to go to a single system. This system can become busy processing requests. Having a Single CA also represents a possible single point of failure. If that one system fails, certificate transactions cannot be processed.

Certification authority CA – Digital signature

The CA will ‘stamp’ the certificate with a signature. This signature binds all the other fields (listed above) into the certificate. The certificate identifies the CA via a digital signature but also by the name of the certificate. Certificates are issued by a CA which, by design, is a trusted party that vouches for the identity of those to whom it issues certificates. In order to prevent fake certificates, the CA’s public key must be trustworthy. The CA can publicize its public key or provide a certificate from a higher level CA which attests to the validity of its public key.

Workspace ONE UEM offers several deployment options for Microsoft certificate authorities:

· Workspace ONE UEM to the CA – This model uses the DCOM protocol. Workspace ONE UEM communicates directly with the Microsoft CA or through the AirWatch Cloud Connector to the CA.

The Distributed Component Object Model (DCOM) Remote Protocol exposes application objects via remote procedure calls (RPCs) and consists of a set of extensions layered on the Microsoft Remote Procedure Call Extensions.

· Mobile Devices to the CA – This model uses the NDES (a Microsoft proprietary version of SCEP) or SCEP protocol. Workspace ONE UEM only delegates certificate transactions between the device and the Microsoft CA.

The Network Device Enrollment Service (NDES) allows software on routers and other network devices running without domain credentials to obtain certificates based on the Simple Certificate Enrollment Protocol (SCEP).

· Workspace ONE UEM SCEP Proxy – This model uses the NDES or SCEP protocol. Workspace ONE UEM is the proxy that sends certificate transactions between the device and the CA endpoint. The NDES/SCEP endpoint is not exposed to the Internet.

Creating a New Certificate Authority in Workspace ONE UEM:

· In the Workspace ONE UEM Administration Console, go to Devices.

· Click Certificates.

· Click Certificate Authorities.

· Click Add.

· Provide a Name and Description.

· Provide the hostname to reach your certificate server.

· Enter your CA Authority Name (Note: This is the name that appears in your Certification Authority).

· Enter the username and password of the service account.

· Click Test Connection.

· Click Save.

You have successfully created a New Certificate Authority in Workspace ONE UEM.

Configure Workspace ONE for Secure Enterprise Apps
https://guides.uemauthority.com/knowledge-base/configure-workspace-one-for-secure-enterprise-apps/
Thu, 13 Jan 2022

The Security Policies page lets you configure options that affect Workspace ONE UEM apps, Workspace ONE SDK-built apps, and wrapped apps.

Security Policies profiles offer security controls for SDK-built apps. Control security with authentication methods, tunneling app traffic, and restricting access to features with data loss prevention.

· From the Workspace ONE UEM Console, go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Profiles.

· Click Add Profile.

· Click SDK Profile.

· iOS and Android both need to be added for iOS Enterprise Apps and Android Enterprise Apps.

· Under Restrictions, configure Enable Data Loss Prevention.

· Click Save.

Configuring VMware Workspace ONE (AirWatch) Tunnel
https://guides.uemauthority.com/knowledge-base/configuring-vmware-workspace-one-airwatch-tunnel/
Thu, 13 Jan 2022

Why do you need VMware Tunnel? We explained it before; please click here.

· From the Workspace ONE UEM Console, go to Groups & Settings.

· Click All Settings.

· Click System.

· Click Enterprise Integration.

· Click VMware Tunnel.

· Click Download Installer.

· Select Workspace ONE Tunnel.

· Specify your server platform with the latest app version and your Workspace ONE Version.

· Set up the Workspace ONE Tunnel on your server.

· Click Save.

· From the Workspace ONE UEM Console, go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Security Policies.

· Verify that AirWatch App Tunnel is Enabled.

· Select VMware Tunnel: Proxy for App Tunnel Mode.

· Click Save.

Add Configured VMware Tunnel to iOS/Android SDK Profiles:

· From the Workspace ONE UEM Console, go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Profiles.

· Select the Profile we created before for iOS/Android.

· Click Proxy.

· Select Enable App Tunnel.

· Select VMware Tunnel Proxy for App Tunnel Mode.

· Click Save.

Modifying or Configuring Authentication Type That Is Used with Uploaded Enterprise Apps:

· From the Workspace ONE UEM Console, go to Groups & Settings.

· Click All Settings.

· Click Apps.

· Click Settings and Policies.

· Click Security Policies.

· Modify Authentication Type for Enterprise Apps. (You can disable it, set Passcode, or enable Username and Password for recurring authentication with apps deployed through VMware Workspace ONE (AirWatch).)

· Click Save.

Creating a New Certificate Template in Workspace ONE UEM
https://guides.uemauthority.com/knowledge-base/creating-a-new-certificate-template-in-workspace-one-uem/
Thu, 13 Jan 2022

· In the Workspace ONE UEM Administration Console, go to Devices.

· Click Certificates.

· Click Certificate Authorities.

· Click Add.

· Provide a Name for the Template.

· Select the Certificate Authority you just created.

· Enter your Issuing Template in the following format: certificatetemplate:[ADCS-TEMPLATE]. In my lab, my issuing template would be “certificatetemplate:WS1Cert”.

· Select the Subject Name. Remember, the subject name is what the browser will present to the user. In Workspace ONE Access, we don’t have to use the subject to match the correct user.

· Select the correct private key length (per your CA settings).

· Select both Signing and Encryption.

· Under SAN, add the following:

Email Address -> {EmailAddress}

User Principal Name -> {UserPrincipalName}

DNS Name -> UDID={DeviceUid}

· Select Automatic Certificate Renewal.

· Select Name Certificate Revocation.

· Click Save.

You have successfully created a new certificate template in Workspace ONE UEM.
