I remember a time like 4 or 5 years ago, when I was in a meeting with Symantec, they asked “what would it take for me to buy Skycure?” I said, “embed it into the AirWatch Agent.” Because that’s the only real way to deliver an MTD in our privacy-conscious enterprise.
Security through Obscurity is the Only Security for Me
A few points to make here:
- In many industries, you aren’t going to get away with pushing “security apps” to their phones
- Security is really only effective if it’s running behind the scenes completely silent
Fast forward to 2022, we’re here to discuss a new and exciting product: Workspace ONE UEM Mobile Threat Defense (MTD) powered by Lookout. As I learned recently, they weren’t the first to do it, but in a two-dog race they are ahead here. Microsoft and VMware are the majority of the UEM landscape today and everyone else is a niche player, like MobileIron, who has become a specialist in the government space.
We’re going to discuss the architecture behind WS1 UEM MTD, check out the Lookout portal, set things up in both UEM and Lookout, the client configurations, and what that user experience looks like. There’s a ton to unpack so let’s get things going.
Workspace ONE UEM MTD Architecture
The idea is not super complicated. The design behind WS1 UEM MTD borrows from their old Veracode/Appthority integration from the early AirWatch days. So fundamentally:
- You create tags in Workspace ONE that map to something in Lookout
- Lookout identifies behaviors, such as cloud access, forked processes, etc.
- Lookout uses the WS1 API to add devices to tags
- You get creative and use those tags to create smart groups to pull away access or take actions based on those tags
- **NOW** you use Intelligence to do smart things with the Lookout Integration
You can see from the graphic below, Lookout will basically synchronize devices and tag status with WS1, Lookout synchronizes telemetry data/threat status, and incident response powered by our friend Workspace ONE Intelligence happens with beautiful synergy.

Honestly, it eats me up a little bit on the inside that I am endorsing a platform based mostly on TAGS. I REALLY REALLY HATE TAGS. I’m the same person that asked Wandera if they were still in 1995 because they were basing their platform on Tags. Nevertheless, when in Rome:

A Short Demo of the Workspace ONE UEM MTD Console
The “WS1 UEM MTD Platform” is essentially Lookout for Work and that’s perfectly fine with me. I cover nicely in the demo the different capabilities that you can find within. One of the things that I love about the console is that it is fairly simple, respects privacy, and provides plenty of filtering capabilities:
Setting up Workspace ONE UEM for Mobile Threat Defense
Of course, we need to move onto first setting up WS1 UEM. Let’s check out the demo and then I will spell out a few things for everyone:
When you set up the API account, these are the categories:
- Admins (Read)
- Apps (Read)
- Devices (Read)
- Groups (Read)
- Users (Read)
- Bulk Management (Edit)
- Tags (Edit)
Also for the full list of tags see below:
Tag Name | Description |
---|---|
MTD – Activated | Activated devices |
MTD – Deactivated | Deactivated devices |
MTD – Disconnected | Devices that have lost connectivity with Mobile Threat Defense |
MTD – Pending | Devices that have not activated Mobile Threat Defense yet |
MTD – Unreachable | Devices that are unreachable by Mobile Threat Defense |
MTD – Threats Present | Compromised devices |
MTD – Secured | Secured devices |
MTD – Low Risk | Low risk devices |
MTD – Medium Risk | Medium risk devices |
MTD – High Risk | High risk devices |
Once that is done, it’s time for us to move onto the other side of the world.
Setting up the Workspace ONE UEM MTD Portal
Once we finish WS1 UEM, we can move onto setting up Lookout, aka the MTD Portal. The portal was easier to set up than I thought it would be. Check the video for setting stuff up, which is relatively simple:
If you don’t want to stare at the video, you can use this table so you get the mappings right:
Option | Value |
---|---|
Device Status: | |
Devices that have not activated Mobile Threat Defense yet | MTD – Pending |
Devices with Mobile Threat Defense activated | MTD – Activated |
Devices with Mobile Threat Defense deactivated | MTD – Deactivated |
Connection Status: | |
Devices that are unreachable by MTD | MTD – Unreachable |
Devices that have lost connectivity with MTD | MTD – Disconnected |
Risk Status: | |
Devices with any issues present | MTD – Threats Present |
Devices with low risk issues present | MTD – Low Risk |
Devices with medium risk issues present | MTD – Moderate Risk |
Devices with high risk issues present | MTD – High Risk |
Devices with no issues present | MTD – Secured |
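To make the tag mapping above concrete, here is an added example (my own illustration, not Lookout’s or VMware’s code) that turns a device’s Lookout state into the set of WS1 UEM tags from the two tables and works out which tags need adding or removing. The tag names are the ones from the tables; the rules that risk tags are only set once MTD is activated, and that a device with issues carries “Threats Present” plus one tag for its highest-severity issue, are assumptions. Pushing the changes through the WS1 UEM REST API is left out.

```python
"""Map a device's Lookout state to Workspace ONE UEM tags and compute the tag changes.

Added example, not Lookout's or VMware's code. Tag names come from the tables on the
page; the rules below (risk tags only once activated, "Threats Present" plus one tag for
the highest-severity issue) are assumptions about how the integration applies them.
"""
from dataclasses import dataclass, field

DASH = "\u2013"  # en dash, as in the "MTD – ..." tag names created in WS1 UEM

TAG_PENDING = f"MTD {DASH} Pending"
TAG_ACTIVATED = f"MTD {DASH} Activated"
TAG_DEACTIVATED = f"MTD {DASH} Deactivated"
TAG_UNREACHABLE = f"MTD {DASH} Unreachable"
TAG_DISCONNECTED = f"MTD {DASH} Disconnected"
TAG_THREATS = f"MTD {DASH} Threats Present"
TAG_SECURED = f"MTD {DASH} Secured"
SEVERITY_TAG = {
    "low": f"MTD {DASH} Low Risk",
    "medium": f"MTD {DASH} Moderate Risk",
    "high": f"MTD {DASH} High Risk",
}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
ACTIVATION_TAG = {"pending": TAG_PENDING, "activated": TAG_ACTIVATED, "deactivated": TAG_DEACTIVATED}

# Every tag this integration owns; any other tag on the device is left alone.
MTD_TAGS = {TAG_PENDING, TAG_ACTIVATED, TAG_DEACTIVATED, TAG_UNREACHABLE,
            TAG_DISCONNECTED, TAG_THREATS, TAG_SECURED, *SEVERITY_TAG.values()}


@dataclass
class LookoutDevice:
    udid: str
    activation: str                 # "pending" | "activated" | "deactivated"
    connection: str = "connected"   # "connected" | "disconnected" | "unreachable"
    issue_severities: list = field(default_factory=list)   # e.g. ["low", "high"]


def desired_tags(dev: LookoutDevice) -> set:
    """Tags the device should carry, following the portal mapping table."""
    tags = {ACTIVATION_TAG[dev.activation]}
    if dev.connection == "disconnected":
        tags.add(TAG_DISCONNECTED)
    elif dev.connection == "unreachable":
        tags.add(TAG_UNREACHABLE)
    elif dev.connection != "connected":
        raise ValueError(f"unknown connection state {dev.connection!r}")
    if dev.activation == "activated":   # assumption: risk is only reported once MTD is active
        if dev.issue_severities:
            tags.add(TAG_THREATS)
            worst = max(dev.issue_severities, key=SEVERITY_RANK.__getitem__)
            tags.add(SEVERITY_TAG[worst])
        else:
            tags.add(TAG_SECURED)
    return tags


def tag_delta(current_tags, desired):
    """Return (to_add, to_remove), touching only MTD-owned tags so that a device's
    other tags (e.g. a departmental "Finance" tag) survive the sync."""
    current_mtd = set(current_tags) & MTD_TAGS
    return sorted(desired - current_mtd), sorted(current_mtd - desired)


def sync_plan(devices, current_tags_by_udid):
    """One (udid, add, remove) entry per device that actually needs a change."""
    plan = []
    for dev in devices:
        current = current_tags_by_udid.get(dev.udid, set())
        add, remove = tag_delta(current, desired_tags(dev))
        if add or remove:
            plan.append((dev.udid, add, remove))
    return plan


if __name__ == "__main__":
    # Constructed sample: device A just picked up a high-severity finding.
    inventory = {"A": {TAG_ACTIVATED, TAG_SECURED, "Finance"}, "B": {TAG_PENDING}}
    devices = [LookoutDevice("A", "activated", "connected", ["low", "high"]),
               LookoutDevice("B", "pending")]
    for udid, add, remove in sync_plan(devices, inventory):
        print(udid, "add:", add, "remove:", remove)
```

The delta is restricted to the MTD-owned tag set on purpose: a sync that blindly replaces a device’s whole tag list would wipe out tags other teams use for their own smart groups.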
You also saw in the video how you can force the Hub to do Lookout-esque goodness without needing to deploy a separate app. The custom code for that can be seen below:
```json
{
  "mtdSettings": {
    "isEnabled": true,
    "enrollmentCode": "ENROLLMENT CODE GOES HERE"
  }
}
```
Your configuration/setup is now complete. The final decision that you have to make is whether you want to hide it blissfully inside of the Intelligent Hub or deploy Lookout for Work. Read on for more!
The Crossroads of Mobile Security
We are now stuck at a crossroads. In the previous video you saw how to set up the Intelligent Hub to handle your MTD sexiness.
This lovely table that I borrowed from the VMware documentation, will show you what you get from the two deployment models:
Threat Protection | Capability | Intelligent Hub | Lookout for Work |
---|---|---|---|
ACCESS_CONTROL_VIOLATION | Access Control Violation due to a possible device compromise | X | X |
ACTIVE_MITM | Allows a malicious actor to intercept data sent between two parties | X | X |
ADWARE | Serves intrusive ads or sends excessive PII to ad networks | X | X |
APP_DROPPER | Downloads malicious apps to the device | X | X |
BACKDOOR | Opens up protected components to an attacker | X | X |
BOT | Enables remote access and control of the device | X | X |
CHARGEWARE | Misleadingly charges the device user | X | X |
CLICK_FRAUD | Defrauds ad networks by faking clicks or downloads | X | X |
DATA_LEAK | Leaks PII or other sensitive data off the device | X | X |
DENYLISTED_APP | App denylisted as it violates policies or is unsafe | X | X |
DENYLISTED_CONTENT | The device encountered denylisted content either through user activity in apps or browsers or through background app activity | . | X |
DEVELOPER_MODE_ENABLED | Device has developer mode enabled | X | X |
EXPLOIT | Leverages OS flaws to gain escalated device privileges | X | X |
MALICIOUS_CONTENT | The device encountered malicious content either through user activity (in apps or browsers) or through background app activity | . | X |
NO_DEVICE_LOCK | Device does not have a lock screen or passcode enabled | X | X |
NON_APP_STORE_SIGNER | There is a trusted signing identity on the device that may be used to install and execute 3rd party apps not from the iOS App Store | X | X |
OFFENSIVE_CONTENT | The device encountered offensive content either through user activity (in apps or browsers) or through background app activity | . | X |
OUT_OF_DATE_ASPL | Device has an out-of-date Android security patch level | X | X |
OUT_OF_DATE_OS | Device has an out-of-date OS version | X | X |
PCP_DISABLED | The phishing and content protection feature has been disabled on the device | . | X |
PHISHING_CONTENT | The device encountered phishing content either through user activity (in apps or browsers) or through background app activity | . | X |
RISKWARE | Engages in risky behavior | X | X |
ROGUE_WIFI | A wireless access point that imitates a known Wi-Fi to intercept and modify users’ private data by executing Man-in-the-Middle attacks | X | X |
ROOT_ENABLER | Enables root access to the device | X | X |
ROOT_JAILBREAK | Device has been rooted or jailbroken | X | X |
SPAM | Uses device to send spam email or SMS | X | X |
SPYWARE | Engages in broad-based data collection | X | X |
SURVEILLANCEWARE | Engages in targeted data collection | X | X |
TOLL_FRAUD | Fraudulently charges user through premium SMS or carrier fees | X | X |
TROJAN | Performs malicious activities that are not disclosed | X | X |
UNENCRYPTED | Device does not have storage encryption enabled | X | X |
UNKNOWN_SOURCES_ENABLED | Device can install applications from unofficial app stores (supported on Android 4.1-7.1) | X | X |
USB_DEBUGGING_ENABLED | Device has USB debugging enabled | X | X |
VIRUS | A test application used to prove detection efficacy | X | X |
VPN_NOT_ENABLED | The permission for the local VPN used for phishing and content protection and on-device threat protection was not accepted on the device | X | X |
VULNERABILITY | App has an exploitable vulnerability | X | X |
WORM | Replicates malicious code from one device to another | X | X |
UPDATE!! I found upon some additional testing that the native Intelligent Hub does perform some application inspection. It took much longer to bring the app inventory in than I had accounted for, but the end results were nifty.
You can see an example of the apps it is seeing:

When you drill into the application, you learn quite a bit like the fact that Meta uses certain cloud services:

You can also check out the network activity for the application:

You can even see how they’re violating your policies:

Essentially, using the Lookout app provides you with content inspection and phishing protection. That is a huge deal in our new Ransomware world. Eventually, you just need to decide what meets your company’s requirements. Let’s move onto how to deploy the Lookout for Work apps for iOS and Android.
Deploying Lookout for Work on iOS
The one thing I thought I should show is the app config keys to make life easier on deployment:
Configuration Key | Value Type | Configuration Value | Platform |
---|---|---|---|
DEVICE_UDID | String | {DeviceUid} (iOS) {DeviceUuid} (Android) | iOS, Android |
MDM | String | AIRWATCH | iOS, Android |
EMAIL | String | {EmailAddress} | iOS, Android |
GLOBAL_ENROLLMENT_CODE | String | You saw where to get this earlier! | iOS, Android |
HSM Key value | Boolean | False | Android |
Deploying Lookout for Work on Android
User Enrollment Experience for the Lookout Application
After all of these lovely demos, I wanted to showcase the user enrollment experience. It’s a nice little experience overall, but I think I still prefer this experience being fully inside the Intelligent Hub.
Tag-Powered Smart Groups Remove Capabilities, Securing the Edge
So, let’s take a minute to discuss the spirit of security with compliance. The reason we use tags is because they are extendable to smart groups like below:

We create these smart groups for our various concerning MTD classifications. Once we have done that, we can start unraveling the magic. The prime example is Workspace ONE Tunnel. Once we create our smart groups, we use exclusions with those smart groups to take ACTION!

Inevitably, we should see these sorts of situations like most things in IT design. Capture the spirit of the “thing” in layman’s terms and then solve it with a technology thinggie. Yeah I know, super technical. Conceptually, this powers the zero trust story by truly extending the spirit of your IT security vision powered by Lookout Policy and Tagging in Workspace ONE.
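As an added illustration of the exclusion pattern just described (my own example, not VMware or Lookout code), the script below models a Tunnel assignment whose include group is “All iOS” and whose exclusion is a smart group keyed on the risky MTD tags, then evaluates a constructed device inventory. The smart group criteria, the device records and the include/exclude semantics are assumptions made for the illustration; WS1 UEM evaluates the real groups server-side. The `require_activated` option goes beyond the page’s setup and shows a fail-closed variant where only devices Lookout has already tagged as activated qualify at all.

```python
"""Evaluate which devices keep a Workspace ONE Tunnel assignment when risk-tagged
smart groups are used as exclusions.

Added example, not VMware or Lookout code. Criteria, devices and semantics are
constructed for illustration only.
"""
from dataclasses import dataclass, field

DASH = "\u2013"  # en dash, matching the "MTD – ..." tag names created earlier
TAG_ACTIVATED = f"MTD {DASH} Activated"
TAG_SECURED = f"MTD {DASH} Secured"
RISKY_TAGS = {
    f"MTD {DASH} Threats Present",
    f"MTD {DASH} High Risk",
    f"MTD {DASH} Disconnected",
    f"MTD {DASH} Unreachable",
}


@dataclass
class Device:
    udid: str
    platform: str
    tags: set = field(default_factory=set)


@dataclass
class SmartGroup:
    name: str
    platforms: set = field(default_factory=set)  # empty means any platform
    any_tags: set = field(default_factory=set)   # empty means no tag criterion

    def contains(self, dev: Device) -> bool:
        platform_ok = not self.platforms or dev.platform in self.platforms
        tags_ok = not self.any_tags or bool(dev.tags & self.any_tags)
        return platform_ok and tags_ok


@dataclass
class Assignment:
    name: str
    include: list
    exclude: list

    def applies_to(self, dev: Device) -> bool:
        # An exclusion always wins over an inclusion.
        included = any(g.contains(dev) for g in self.include)
        excluded = any(g.contains(dev) for g in self.exclude)
        return included and not excluded


def tunnel_assignment(require_activated: bool = False) -> Assignment:
    """Tunnel for all iOS devices, minus anything in the risky smart group."""
    if require_activated:
        # Fail closed: a device with no MTD tags at all never qualifies.
        include = [SmartGroup("MTD Activated iOS", platforms={"iOS"}, any_tags={TAG_ACTIVATED})]
    else:
        include = [SmartGroup("All iOS", platforms={"iOS"})]
    return Assignment("Workspace ONE Tunnel", include, [SmartGroup("MTD Risky", any_tags=RISKY_TAGS)])


def demo_inventory():
    """Constructed devices, not real data."""
    return [
        Device("ios-clean", "iOS", {TAG_ACTIVATED, TAG_SECURED}),
        Device("ios-compromised", "iOS",
               {TAG_ACTIVATED, f"MTD {DASH} Threats Present", f"MTD {DASH} High Risk"}),
        Device("ios-untagged", "iOS", set()),      # MTD never activated, no tags yet
        Device("android", "Android", {TAG_ACTIVATED}),
    ]


def evaluate(assignment: Assignment, devices) -> dict:
    return {d.udid: assignment.applies_to(d) for d in devices}


def remediate(dev: Device, cleared_tags) -> Device:
    """Simulate Lookout clearing the risk tags after the threat is resolved."""
    dev.tags = (dev.tags - set(cleared_tags)) | {TAG_SECURED}
    return dev


if __name__ == "__main__":
    devices = demo_inventory()
    print("exclusion only:  ", evaluate(tunnel_assignment(), devices))
    print("fail closed:     ", evaluate(tunnel_assignment(require_activated=True), devices))
    remediate(devices[1], RISKY_TAGS)
    print("after remediation:", evaluate(tunnel_assignment(), devices))
```

The interesting row is the untagged iOS device: with exclusions alone it keeps Tunnel, because a device that never activated MTD carries none of the risky tags. If that is not what you want, key the include group on the Activated tag as well.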
Leveraging Workspace ONE Intelligence to Extend Lookout Capabilities
Building the integration is super simple. You just go into System > Application Keys in your WS1 UEM MTD console and then input the base URL of https://api.lookout.com and that application key and you’re ready to go!

You can see after integrating Lookout, you do have a few automations you can build easily:

Inevitably, you will be able to use that Lookout data to build automations like this one that Andreano covered in his video:

Known Issues with MTD
This area will be updated as new things are found. One item that I have uncovered so far I thought was particularly interesting.
I’ve run into a bug with the Lookout for Work application where it essentially eats VPN profiles when doing the safe browsing setup. It’s something that I am still investigating at this point. I can clearly see what it’s doing in the logs:
2022/06/15 10:48:39:773 Initialized Safe Browsing config with private IP mode enabled.
2022/06/15 10:48:39:787 Safe Browsing Controller: Refreshing status.
2022/06/15 10:48:39:789 Safe Browsing App state is `Running`
2022/06/15 10:48:39:789 Checking if VPN should be started or stopped...
2022/06/15 10:48:39:878 #lko#{"request-size":171,"trace-id":"network-request","channel":"","service-name":"pcp_dns_session"}
2022/06/15 10:48:40:117 Successfully loaded resource1.
2022/06/15 10:48:40:154 Successfully loaded resource2.
2022/06/15 10:48:40:193 Vpn status changed: NotInstalled
2022/06/15 10:48:40:195 Recorded VPN installation.
2022/06/15 10:48:40:198 ⚠️ VPN permission state changed, send new telemetry for state Not Granted
2022/06/15 10:48:40:205 Refresh telemetry bundler timer with 5.0 seconds
2022/06/15 10:48:40:206 Safe Browsing App state is `NotInstalled`
2022/06/15 10:48:40:206 Safe Browsing feature notified of state change.
2022/06/15 10:48:40:206 Safe Browsing feature refresh scheduled.
2022/06/15 10:48:40:206 VPN config changed: NSConcreteNotification 0x2825e2920 {name = com.apple.networkextension.app-configuration-changed; object = {
localizedDescription = Safe Browsing
enabled = YES
protocolConfiguration = {
serverAddress = <5-char-str>
disconnectOnSleep = NO
includeAllNetworks = NO
excludeLocalNetworks = YES
enforceRoutes = NO
}
onDemandEnabled = NO
}}
2022/06/15 10:48:40:206 Loading VPN configuration from preferences.
2022/06/15 10:48:40:208 Successfully uninstalled the safe browsing vpn
2022/06/15 10:48:40:208 Stopped listening for status changes on NEVPNConnection: <NETunnelProviderSession: 0x2806216d0>
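If you want to confirm you are hitting the same behaviour from a device’s logs rather than eyeballing them, here is an added example (my own script, not Lookout code) that parses Lookout for Work log lines in the format quoted above, skips the multi-line NSConcreteNotification dump, and flags the sequence where the VPN permission is reported as not granted and the Safe Browsing VPN is uninstalled right after the status flips to NotInstalled. The sample lines are taken from the log excerpt above (trimmed); the timestamp format and the five-second window are assumptions.

```python
"""Parse Lookout for Work log lines and flag the Safe Browsing VPN removal sequence.

Added example, not Lookout code. SAMPLE_LOG reproduces lines from the excerpt on the
page (trimmed); the timestamp format and the correlation window are assumptions.
"""
import re
from datetime import datetime

# "YYYY/MM/DD HH:MM:SS:mmm message" -- continuation lines of a dump have no timestamp.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}):(\d{3}) (.*)$")
STATE_RE = re.compile(r"Safe Browsing App state is `([^`]+)`")
PERMISSION_RE = re.compile(r"VPN permission state changed, send new telemetry for state (.+)$")

SAMPLE_LOG = """2022/06/15 10:48:39:773 Initialized Safe Browsing config with private IP mode enabled.
2022/06/15 10:48:39:787 Safe Browsing Controller: Refreshing status.
2022/06/15 10:48:39:789 Safe Browsing App state is `Running`
2022/06/15 10:48:39:789 Checking if VPN should be started or stopped...
2022/06/15 10:48:40:193 Vpn status changed: NotInstalled
2022/06/15 10:48:40:195 Recorded VPN installation.
2022/06/15 10:48:40:198 \u26a0\ufe0f VPN permission state changed, send new telemetry for state Not Granted
2022/06/15 10:48:40:206 Safe Browsing App state is `NotInstalled`
2022/06/15 10:48:40:206 VPN config changed: NSConcreteNotification 0x2825e2920 {name = com.apple.networkextension.app-configuration-changed; object = {
    localizedDescription = Safe Browsing
    enabled = YES
}}
2022/06/15 10:48:40:206 Loading VPN configuration from preferences.
2022/06/15 10:48:40:208 Successfully uninstalled the safe browsing vpn
"""


def parse(text):
    """Return a list of (timestamp, message) for every timestamped line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # part of a multi-line dump, not a log record
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        ts = ts.replace(microsecond=int(m.group(2)) * 1000)
        events.append((ts, m.group(3)))
    return events


def app_states(events):
    """Sequence of Safe Browsing app states in the order they were logged."""
    return [STATE_RE.search(msg).group(1) for _, msg in events if STATE_RE.search(msg)]


def vpn_permission_state(events):
    """Last VPN permission state the app reported, or None if never logged."""
    state = None
    for _, msg in events:
        m = PERMISSION_RE.search(msg)
        if m:
            state = m.group(1).strip()
    return state


def find_vpn_removal(events, window_seconds=5.0):
    """Return (status_change_ts, uninstall_ts, seconds_between) when the VPN is
    uninstalled within window_seconds of 'Vpn status changed: NotInstalled'."""
    last_not_installed = None
    for ts, msg in events:
        if msg.startswith("Vpn status changed: NotInstalled"):
            last_not_installed = ts
        elif "Successfully uninstalled the safe browsing vpn" in msg and last_not_installed:
            delta = (ts - last_not_installed).total_seconds()
            if delta <= window_seconds:
                return (last_not_installed, ts, delta)
    return None


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("app states:", app_states(evs))
    print("VPN permission:", vpn_permission_state(evs))
    hit = find_vpn_removal(evs)
    if hit:
        print(f"Safe Browsing VPN removed {hit[2]:.3f}s after status went NotInstalled at {hit[0]}")
```

Run against a full device log, a non-empty result from `find_vpn_removal` together with a `Not Granted` permission state is the signature to look for when a pushed VPN profile goes missing after the safe browsing setup.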
Check out a video to see the behavior in case you run into it:
Closing Thoughts
Well, here we are at the end of this somewhat lengthy article. Now, we can cover my thoughts on WS1 UEM MTD. As you saw at the beginning, this is something I’ve been waiting for a very long time. I’ve always believed that MTD would only be possible if you layer it into your MDM agent. People are so concerned today about every single thing you put on their device now.
On the other hand, I’m not sure that the Lookout for Work application is ready to work with an MDM fully given some of my experiences. I totally get why you wouldn’t want to miss out on the phishing and content analysis/protection that Lookout is offering, but there are a few kinks to be ironed out. I was sort of surprised that Lookout is powerful enough that it can remove profiles pushed by an MDM but that’s okay.
One thing that I thought quite a bit about is that they need to extend this stuff to the compliance engine. It’s a great capability but you need to be able to mark devices as non-compliant/compromised that are in a risky state. It’s highly inconsistent from that perspective. Personally, I think that instead of using tags that you should be straight marking devices as non-compliant, which would be much more consistent. By doing that, you would be able to fully integrate this with Workspace ONE Access to deliver something more comprehensive. Sure, you can argue that you can use smart groups to remove certificate/profiles, but that is a bit of lipstick on a pig.
Pingback: MTD Faceoff: WS1 UEM MTD vs. Microsoft Defender for Endpoint - Mobile Jon's Blog
Pingback: Service – Week 24-2022 VMware Enduser Computing Updates – Julius Lienemann
MobileIron has Zimperium baked in to their agent for 1-2yrs. McAfee also uses Zimperium in their MTD product, but I do not believe McAfee has MAM/MDM capabilities.
Nice article, and agree, tags seem hacky, but it is what it is. Bringing this MTD into the VMware environment, I expected a bit more seamless startup as it is a bit more premium subscription, but I’m sure it will come naturally into something like the getting started wizard or similar to what other tools have done in UEM with simply putting in a subscription key or not sure, as it looks like it could be all scripted. Also just announced, is defender for Microsoft, would be a neat thing to see the comparison on startup configuration and administration of platforms.
I have an article on setting up defender for iOS. There’s a nice idea. I might do that for next week comparing the two platforms. Sadly defender requires an app still
Any plans from VMware’s side to integrate the phishing part?
I’m guessing it’s an API gap at this juncture from Lookout. I’m sure they have specific features you can achieve without their app