Workspace ONE Makes History with One of the First Embedded MTDs

Workspace ONE Makes History with One of the First Embedded MTDs

Security, WS1 Intelligence
One of the First Embedded MTDs

I remember a time like 4 or 5 years ago, when I was in a meeting with Symantec, they asked “what would it take for me to buy Skycure?” I said, “embed it into the AirWatch Agent.” Because that’s the only real way to deliver a MTD in our privacy-conscious enterprise.

Security through Obscurity is the Only Security for Me

A few points to make here:

  1. In many industries, you aren’t going to get away with pushing “security apps” to their phones
  2. Security is really only effective if it’s running behind the scenes completely silent

Fasting forward to 2022, we’re here to discuss a new and exciting product: Workspace ONE UEM Mobile Threat Defense (MTD) powered by Lookout. As I learned recently, they werent the first to do it, but in a two dog race they are ahead here. Microsoft and VMware are the majority of the UEM landscape today and everyone else is a niche player like Mobileiron who has become a specialist in the government space.

We’re going to discuss the architecture behind WS1 UEM MTD, check out the Lookout portal, set things up in both UEM and Lookout, the client configurations, and what that user experience looks like. There’s a ton to unpack so let’s get things going.

Workspace ONE UEM MTD Architecture

The idea is not super complicated. The design behind WS1 UEM MTD borrows from their old Veracode/Appthority integration from the early AirWatch days. So fundamentally:

  1. You create tags in Workspace ONE that map to something in Lookout
  2. Lookout identifies behaviors, such as cloud access, forked processes, etc.
  3. Lookout uses the WS1 API to add devices to tags
  4. You get creative and use those tags to create smart groups to pull away access or take actions based on those tags
  5. **NOW** you use Intelligence to do smart things with the Lookout Integration

You can see from the graphic below, Lookout will basically synchronize devices and tag status with WS1, Lookout synchronizes telemetry data/threat status, and incident response powered by our friend Workspace ONE Intelligence happens with beautiful synergy.

Honestly, it eats me up a little bit on the inside that I am endorsing a platform based mostly on TAGS. I REALLY REALLY HATE TAGS. I’m the same person that asked Wandera if they were still in 1995 because they were basing their platform on Tags. Nevertheless, when in Rome:

A Short Demo of the Workspace ONE UEM MTD Console

The “WS1 UEM MTD Platform” is essentially Lookout for Work and that’s perfectly fine with me. I cover nicely in the demo the different capabilities that you can find within. One of the things that I love about the console is that it is fairly simple, respects privacy, and provides plenty of filtering capabilities:

Setting up Workspace ONE UEM for Mobile Threat Defense

Of course, we need to move onto first setting up WS1 UEM. Let’s check out the demo and then I will spell out a few things for everyone:

When you setup the API account, these are the categories:

  • Admins (Read)
  • Apps (Read)
  • Devices (Read)
  • Groups (Read)
  • Users (Read)
  • Bulk Management (Edit)
  • Tags (Edit)

Also for the full list of tags see below:

Tag NameDescription
MTD – ActivatedActivated devices
MTD – DeactivatedDeactivated devices
MTD – DisconnectedDevices that have lost connectivity with Mobile Threat Defense
MTD – PendingDevices that have not activated Mobile Threat Defense yet
MTD – UnreachableDevices that are unreachable by Mobile Threat Defense
MTD – Threats PresentCompromised devices
MTD – SecuredSecured devices
MTD – Low RiskLow risk devices
MTD – Medium RiskMedium risk devices
MTD – High RiskHigh risk devices

Once that is done, it’s time for us to move onto the other side of the world.

Setting up the Workspace ONE UEM MTD Portal

Once we finish WS1 UEM, we can move onto setting up Lookout aka the MTD Portal. The portal was easier to setup than I thought it would be. Check the video for setting stuff up, which is relatively simple:

If you don’t want to stare at the video, you can use this table so you get the mappings right:

Device Status:
Devices that have not activated Mobile Threat Defense yetMTD – Pending
Devices with Mobile Threat Defense activatedMTD – Activated
Devices with Mobile Threat Defense deactivatedMTD – Deactivated
Connection Status:
Devices that are unreachable by MTDMTD – Unreachable
Devices that have lost connectivity with MTDMTD – Disconnected
Risk Status:
Devices with any issues presentMTD – Threats Present
Devices with low risk issues presentMTD – Low Risk
Devices with medium risk issues presentMTD – Moderate Risk
Devices with high risk issues presentMTD – High Risk
Devices with no issues presentMTD – Secured

You also saw in the video how you can force the Hub to do Lookout-esque goodness without needing to deploy a separate app. The custom code for that can be seen below:

         "isEnabled":true, "enrollmentCode":"ENROLLMENT CODE GOES HERE"

Your configuration/setup is now complete. The final decision that you have to make is whether we want to hide it blissfully inside of the Intelligent Hub or deploy Lookout for Work.. Read on for more!

The Crossroads of Mobile Security

We are now stuck at a crossroads. In the previous video you saw how to setup the Intelligent Hub to handle your MTD sexiness.

This lovely table that I borrowed from the VMware documentation, will show you what you get from the two deployment models:

Threat ProtectionCapabilityIntelligent HubLookout for Work
ACCESS_CONTROL_VIOLATIONAccess Control Violation due to a possible device compromiseXX
ACTIVE_MITMAllows a malicious actor to intercept data sent between two partiesXX
ADWAREServes intrusive ads or sends excessive PII to ad networksXX
APP_DROPPERDownloads malicious apps to the deviceXX
BACKDOOROpens up protected components to an attackerXX
BOTEnables remote access and control of the deviceXX
CHARGEWAREMisleadingly charges the device userXX
CLICK_FRAUDDefrauds ad networks by faking clicks or downloadsXX
DATA_LEAKLeaks PII or other sensitive data off the deviceXX
DENYLISTED_APPApp denylisted as it violates policies or is unsafeXX
DENYLISTED_CONTENTThe device encountered denylisted content either through user activity in apps or browsers or through background app activity.X
DEVELOPER_MODE_ENABLEDDevice has developer mode enabledXX
EXPLOITLeverages OS flaws to gain escalated device privilegesXX
MALICIOUS_CONTENTThe device encountered malicious content either through user activity (in apps or browsers) or through background app activity.X
NO_DEVICE_LOCKDevice does not have a lock screen or passcode enabledXX
NON_APP_STORE_SIGNERThere is a trusted signing identity on the device that may be used to install and execute 3rd party apps not from the iOS App StoreXX
OFFENSIVE_CONTENTThe device encountered offensive content either through user activity (in apps or browsers) or through background app activity.X
OUT_OF_DATE_ASPLDevice has an out-of-date Android security patch levelXX
OUT_OF_DATE_OSDevice has an out-of-date OS versionXX
PCP_DISABLEDThe phishing and content protection feature has been disabled on the device.X
PHISHING_CONTENTThe device encountered phishing content either through user activity (in apps or browsers) or through background app activity.X
RISKWAREEngages in risky behaviorXX
ROGUE_WIFIA wireless access point that imitates a known Wi-Fi to intercept and modify users private data by executing Man-in-the-Middle attacksXX
ROOT_ENABLEREnables root access to the deviceXX
ROOT_JAILBREAKDevice has been rooted or jailbrokenXX
SPAMUses device to send spam email or SMSXX
SPYWAREEngages in broad-based data collectionXX
SURVEILLANCEWAREEngages in targeted data collectionXX
TOLL_FRAUDFraudulently charges user through premium SMS or carrier feesXX
TROJANPerforms malicious activities that are not disclosedXX
UNENCRYPTEDDevice does not have storage encryption enabledXX
UNKNOWN_SOURCES_ENABLEDDevice can install applications from unofficial app stores (supported on Android 4.1-7.1)XX
USB_DEBUGGING_ENABLEDDevice has USB debugging enabledXX
VIRUSA test application used to prove detection efficacyXX
VPN_NOT_ENABLEDThe permission for the local VPN used for phishing and content protection and on-device threat protection was not accepted on the deviceXX
VULNERABILITYApp has an exploitable vulnerabilityXX
WORMReplicates malicious code from one device to anotherXX

UPDATE!! I found upon some additional testing that the native Intelligent Hub does perform some application inspection. It took much longer to bring the app inventory in than I had accounted for, but the end results were nifty.

You can see an example of the apps it is seeing:

When you drill into the application, you learn quite a bit like the fact that Meta uses certain cloud services:

You can also check out the network activity for the application:

You can even see how they’re violating your policies:

Essentially, using the Lookout app provides you with content inspection and phishing protection. That is a huge deal in our new Ransomware world. Eventually, you just need to decide what meets your company’s requirements. Let’s move onto how to deploy the Lookout for Work apps for iOS and Android

Deploying Lookout for Work on iOS

The one thing I thought I should show is the app config keys to make life easier on deployment:

Configuration KeyValue TypeConfiguration ValuePlatform
DEVICE_UDIDString{DeviceUid} (iOS) {DeviceUuid} (Android)iOS, Android
EMAILString{EmailAddress}iOS, Android
GLOBAL_ENROLLMENT_CODEStringYou saw where to get this earlier!iOS, Android
HSM Key valueBooleanFalseAndroid

Deploying Lookout for Work on Android

User Enrollment Experience for the Lookout Application

After all of these lovely demos, I wanted to showcase the user enrollment experience. It’s a nice little experience overall, but I think I still prefer this experience being fully inside the Intelligent Hub.

Tag Powered-Smart Groups Remove Capabilities Securing the Edge

So, let’s take a minute to discuss the spirit of security with compliance. The reason we use tags is because they are extendable to smart groups like below:

We create these smart groups for our various concerning MTD classifications. Once we have done that, we can start unraveling the magic. The prime example is Workspace ONE Tunnel. Once we create our smart groups, we use exclusions with those smart groups to take ACTION!

Inevitably, we should see these sorts of situations like most things in IT design. Capture the spirit of the “thing” in layman’s terms and then solve it with a technology thinggie. Yeah I know, super technical. Conceptually, this powers the zero trust story by truly extended the spirit of your IT security vision powered by Lookout Policy and Tagging in Workspace ONE.

Leveraging Workspace ONE Intelligence to Extend Lookout Capabilities

Building the integration is super simple. You just go into System > Application Keys in your WS1 UEM MTD console and then input the base URL of and that application key and you’re ready to go!

You can see after integrating Lookout, you do have a few automations you can build easily:

Inevitably, you will be able to use that Lookout data to build automations like this one that Andreano covered in his video:

Known Issues with MTD

This area will be updated as new things are found. One item that I have uncovered so far I thought was particularly interesting.

I’ve run into a bug with the Lookout for Work application where it essentially eats VPN profiles when doing the safe browsing setup. It’s something that I am still investigating at this point. I can clearly see what it’s doing in the logs:

022/06/15 10:48:39:773 Initialized Safe Browsing config with private IP mode enabled.
2022/06/15 10:48:39:787 Safe Browsing Controller: Refreshing status.
2022/06/15 10:48:39:789 Safe Browsing App state is `Running`
2022/06/15 10:48:39:789 Checking if VPN should be started or stopped...
2022/06/15 10:48:39:878 #lko#{"request-size":171,"trace-id":"network-request","channel":"","service-name":"pcp_dns_session"}
2022/06/15 10:48:40:117 Successfully loaded resource1.
2022/06/15 10:48:40:154 Successfully loaded resource2.
2022/06/15 10:48:40:193 Vpn status changed: NotInstalled
2022/06/15 10:48:40:195 Recorded VPN installation.
2022/06/15 10:48:40:198 ?? VPN permission state changed, send new telemetry for state Not Granted
2022/06/15 10:48:40:205 Refresh telemetry bundler timer with 5.0 seconds
2022/06/15 10:48:40:206 Safe Browsing App state is `NotInstalled`
2022/06/15 10:48:40:206 Safe Browsing feature notified of state change.
2022/06/15 10:48:40:206 Safe Browsing feature refresh scheduled.
2022/06/15 10:48:40:206 VPN config changed: NSConcreteNotification 0x2825e2920 {name =; object = {
localizedDescription = Safe Browsing
enabled = YES
protocolConfiguration = {
serverAddress = <5-char-str>
disconnectOnSleep = NO
includeAllNetworks = NO
excludeLocalNetworks = YES
enforceRoutes = NO
onDemandEnabled = NO
2022/06/15 10:48:40:206 Loading VPN configuration from preferences.
2022/06/15 10:48:40:208 Successfully uninstalled the safe browsing vpn
2022/06/15 10:48:40:208 Stopped listening for status changes on NEVPNConnection: <NETunnelProviderSession: 0x2806216d0>

Check out a video to see the behavior in case you run into it:

Closing Thoughts

Well, here we are at the end of this something lengthy article. Now, we can cover my thoughts on WS1 UEM MTD. As you saw at the beginning, this is something I’ve been waiting for a very long time. I’ve always believed that MTD would only be possible if you layer it into your MDM agent. People are so concerned today about every single thing you put on their device now.

On the other hand, I’m not sure that the Lookout for Work application is ready to work with a MDM fully given some of my experiences. I totally get why you wouldn’t want to miss out on the phishing and content analysis/protection that Lookout is offering, but there are a few kinks to be ironed out. I was sort of surprised that Lookout is powerful enough that it can remove profiles pushed by a MDM but that’s okay.

One thing that I thought quite a bit about is that they need to extend this stuff to the compliance engine. It’s a great capability but you need to be able to mark devices as non-compliant/compromised that are in a risky state. It’s highly inconsistent from that perspective. Personally, I think that instead of using tags that you should be straight marking devices as non-compliant, which would be much more consistent. By doing that, you would be able to fully integrate this with Workspace ONE Access to deliver something more comprehensive. Sure, you can argue that you can use smart groups to remove certificate/profiles, but that is a bit of lipstick on a pig.



Social Media

Get The Latest Updates

Subscribe To Our Weekly Newsletter

No spam, notifications only about the latest posts and updates.