As a frequent mentor in the mobility/UEM world, I often get asked “how do I get to where you are?” or “how do I become better?” I suppose this introduces the whole nature vs. nurture concept in a way. My personal belief is that with the right “friends” you can be more effective. We are going to talk about 5 tools that make a major difference in your effectiveness as an UEM engineer or architect.

These tools cannot transform you overnight, but knowing when to use them can enhance and simplify your troubleshooting and understanding of the technologies you support daily. The 5 tools we cannot live without are:

  • Wireshark
  • Fiddler
  • Postman
  • OpenSSL
  • PowerShell

Some of you will be surprised that I am not covering vendor-specific tools like xCode, Apple Configurator, Android Studio, etc. I had considered this, but I think it’s better to focus on products that will help you work through more technical issues. Truthfully, capturing logs on Android/iOS devices will more commonly just be passed onto vendors and doesn’t give you true value.

Vendor tools like the one above are crucial, but we will leave those to be discussed at a later time. We will cover each of these products and show how invaluable they can be. Let’s start building our toolbox to make us IT ninjas!

baby ninja GIF

Wiresharknado: The UEM Lifeline

Many people are intimidated by Wireshark. It can be a fairly daunting product. We need to be aware of a few things when we talk about Wireshark. The biggest key is that you cannot decrypt anything encrypted anymore. We used to be able to and then Eliptic Curve was introduced. These protocols/ciphers are a great advancement, but they also make SSL decryption near impossible with packet captures.

We have a few areas where Wireshark can be invaluable as UEM engineers and architects. The places where Wireshark are useful are:

  • LDAP (for troubleshooting LDAP auth or user group creation)
  • WiFi using EAP-TLS troubleshooting
  • Kerberos
  • Exchange Backend Troubleshooting

We can look at some of these examples to show how it flows and why it’s effective. I will show a few of them for context.

LDAP Packet Flows in Wireshark

When we debug LDAP, the key is to turn off SSL for debugging. By doing so, I can capture the traffic and filter to it easily in Wireshark with tcp.port==389

Let’s discuss the flow. The first part is the Kerberos exchange between your LDAP client and your DC. You will see a Ticket Request for LDAP and the subsequent response. The packets will look nearly identical with an example as seen below:

Authentication is important to mention because when you have authentication issues with LDAP you will look at things here. You will find a strong list of Kerberos error codes here. From there, you will move onto the LDAP bind. You can see the overall flow for LDAP here.

MS-ADOD]: Example 10: Obtain a List of User Accounts Using LDAP | Microsoft  Docs

The Bind is relatively basic, which you will see below is your authentication and negotiation of your DC. It’s a request and response using the well-known GSS-SPNEGO mechanism. A good list of errors can be found here

From here, we see the end result with a query and result of your LDAP query. It’s very useful because you can see your exact results and whether things look good or bad. Sometimes this is useful when your LDAP searches aren’t returning what you expect.

Troubleshooting WiFi using EAP-TLS with Wireshark

One other really challenging thing to troubleshoot using Wireshark is WiFi on mobile devices. This is another item that Wireshark can help with. Let’s use this capture as a nice example:

You can see from the packet capture that the Cisco Access Point (AP) and the Apple device are trying to negotiate the EAP transaction and failing. We find some really useful information in the packet captures, such as the AP sending the request:

You can also see in the response where it sends back the identity of the user trying to authenticate:

In this example, you can see after that negotiation we see a straight EAP failure. In this circumstance, it was caused by the DHCP scope not being configured correctly at the core switch level, but it’s just a nice example of how Wireshark can give you information that is useful when collaborating with other teams. Additionally, you can speak more authoritatively when you have powerful information available.

Fiddlering your way to UEM Excellence

Fiddler is an intriguing tool. Let’s talk a bit about Fiddler. Fiddler is a product that can intercept your HTTP session and provide some really strong contextual information on HTTP-based issues. Areas that you may use Fiddler are:

  • Investigating issues with websites not working
  • API request issues
  • HTTP failures
  • Investigating slowness

Setting up the HTTPs Decryption

Turning on/setting up decryption is super simple now. You will just go to Tools > Options and enable “Decrypt HTTPs traffic” You will receive a prompt to install the Fiddler root certificates and you’re good to go! The big key is to disable this after you’re done because many apps won’t work when you intercept SSL.

How Fiddler Helps You

One of the nice things with Fiddler is how it shows you the headers in a usable format. You can see below it gives you good insight into the HTTP request and response headers:

Additionally, you can look at statistics to determine areas where performance is a hot mess:

The text view within Fiddler will also show you the SSL characteristics of the HTTP requests:

One other thing I’d like to show is how I was able to decode the content of the data being sent to a data collector in Office 365:

Simply, Fiddler let’s you collect and decode encrypted data that you may not be able to get with Wireshark or in a browser. This is invaluable when debugging issues with a REST API, proxy, or firewall issues. Fiddler is a tool that no Web Developer should ever be without and can save you. One last amazing example is that you can pull identifiers that vendors might need to debug an issue on their end:

Fiddler is incredibly powerful so remember the TOP rule of Fiddler. Do NOT run it on a server unless you want to break it. It should be used carefully because it can be a double-edged sword.

Postman Party

I have covered Postman a bit in the past, such as my article about working with the AirWatch REST API here. I won’t go too deep on Postman here since it was covered in the past. You will see in my previous article that you are able to easily connect to API endpoints and test commands. It’s fairly straight forward:

Workspace One UEM API – List all devices – EUCSE Blog

The overall challenge with Postman is getting the basics down e.g. authentication and testing out basic connectivity. Once you figure things out, you can potentially build apps or run scripts against the API like I did with the Workspace ONE API. Postman is valuable because sometimes you may need to run a “one-off” command like clearing cache or deleting an orphaned item that is only invoked via API.

I deliberately don’t spend too much time on this because I’ve written about it before and a basic blog article doesn’t do it justice. If you are trying to make something work via REST API, I suggest reaching out to me because it’s complicated. Remember to leverage your vendor REST API documentation aka Swagger to see what is exposed via APIs.

OpenSSL is UEM’s Best Friend

Do I love OpenSSL? Do I? What do you think?

joey lawrence GIF

I think one of my biggest frustrations is how weak people are at OpenSSL. I am a huge proponent of OpenSSL and the things that you can do with it. We’re going to run down a few cool things you can do via OpenSSL.

Creating CSRs and Building PFX Certificates

When I see people using IIS to create CSRs, a small piece of me dies on the inside. You should NEVER ever do this. There is a nice little one line command you should always use below. I’ll give you a link to my sancert.conf which is solid.

openssl req -new -out san.csr -newkey rsa:2048 -nodes -sha256 -keyout san.key -config sancert.conf

Once you get that certificate back, you can do a bit of magic to build your PFX certificate, which is super simple. The huge value here is this builds a complete chain, which will not happen otherwise.

openssl pkcs12 -export -out test.pfx -inkey test.key -in test.cer -certfile cert-chain.pem

Now, we can use OpenSSL to see if a website is working properly. Simply, by using openssl s_client -connect with the URL and port, you can see how it works:

We can go a bit deeper now and see if weak ciphers are supported on that website. The code for that is this:

openssl s_client -connect cn420.awmdm.com:443 -cipher EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5 -no_tls1

You should see the following if your website is setup correctly:

Another neat command that I will show you is exporting root certificate from a website to a file via OpenSSL:

The last command that I wanted to mention is Verify. You can use OpenSSL Verify to validate if you built your root chain properly. The commands are below:

Feel free to find other OpenSSL commands here, but I would say these are the commands that I use most frequently.

Powershell: The Lifeblood of Windows Engineering

It’s very depressing how few people can use Powershell outside of Google. This is an acquired talent that takes time and effort. I will cover a few nice ways that we can use Powershell to do great things.

The first example that I will use is building a collection of users via Powershell to use in other places. We will build a Powershell variable that contains all of the user accounts in my test environment with a few of their attributes. We will highlight the full code at the end:

Once we have that collection, we can print a single attribute easily for fun:

This teaches us that we can leverage collections like this to gracefully update attributes. One example is a great script that I recommend as an Office 365 architect:

$BadUsers = Get-ADUser -Filter * -properties * | where -FilterScript {$_.mail -ne $_.userprincipalname} (This collects people who don't have email and UPN matching)
$BadUsers | foreach {Set-ADUser -Identity $_.samaccountname -userprincipalname $_.mail} (Makes every bad user's mail match their UPN) 

This is an example of how powerful Powershell can be. Most products have a Powershell component from Azure to Office 365 to VMware’s entire suite of products. My MobileJon Repo on Github will give you some excellent examples of how you can user Powershell in magnificient ways. Let me close this out with a few of the solutions I’ve built via Powershell in recent years:

  • Workspace ONE UEM API Tool
  • Connection Monitoring and Writing events to Event Viewer
  • Automating Initial Windows Updates for Dell Provisioning via Zero Touch
  • Configuring Windows Defender
  • Updating Records for Active Directory
  • A multitude of fixes and efforts for Office 365 e.g. fixing permissions or purging broken sites

Some Final Thoughts

As someone widely recognized as one of the true experts for Workspace ONE, evangelism means everything to me. I write articles like this to help equip each of you with the tools to be more effective experts within your organizations. I implore everyone who needs help or feels like they have gaps in their own knowledge to reach out to me.

In the near future, I’m going to be hosting webinars that are invite only as brown bag luncheons where we cover a topic that you may not have expertise in, such as SSL, security, networking fundamentals, etc. We can only grow together and I learn every day. Everyone brings a different perspective and the valuation of that perspective is crucial to our growth.

%d bloggers like this: