Remediate the Pixel 4 and Galaxy S10 biometric security flaws with Workspace ONE

I am pretty sure you’ve already heard about the issues with the Samsung Galaxy S10 fingerprint sensor and Google Pixel 4 Face Unlock. Both companies have acknowledged the issues and committed to releasing patches “soon” (Samsung is said to be testing fixes in certain countries already). What can you do in the meantime? With Workspace ONE and Android Enterprise it is easy!


Oracle Java licensing in Workspace ONE

Multiple components of Workspace ONE are built using the Java platform. I’ve received several questions from customers this week regarding the nearing EOL of Oracle Java and the related licensing changes. I hope this post will be useful to others having this issue.


Hidden TCPdump and ETHtool on VMware UAG

VMware UAG (Unified Access Gateway) is a cool little security appliance, deployable on vSphere, AWS, Azure, etc., that hosts a lot of Workspace ONE edge services: Horizon Proxy, Web Reverse Proxy, Tunnel VPN Gateway, Content Gateway and (since 3.6) the Secure Email Gateway. The challenge is that the thing was built to be headless and super-secure, which means it is almost bare inside. And this is not helpful when troubleshooting.

While watching a VMworld 2019 session (links at the bottom) I found out that there is actually a hidden tcpdump and ethtool installer, which was first made for our own support services, but is now generally available to everyone.

All you need to do is run the /etc/vmware/gss-support/install.sh command from the UAG CLI. Of course, it is highly advisable to remove the tools via /etc/vmware/gss-support/uninstall.sh once the troubleshooting is done!

ADV1798BU – Unified Access Gateway Securing Virtual Desktop and App Access

In case you need a refresher on TCPdump and ETHtool:

With TCPdump I usually prefer capturing everything into a PCAP file and then loading it into Wireshark for analysis. Now we only need NetCat to be able to stream it conveniently to a remote host.

That is it for today – enjoy, and let me know if it was helpful!

The shortest longest Android 10 review post


I’ve been planning and preparing and researching for my Android 10 Overview post for a while now, and then I found this monster of a review from Ron Amadeo on Ars Technica (instant subscribe!)

https://arstechnica.com/gadgets/2019/09/android-10-the-ars-technica-review/

Basically, I have very little to add. The review is huge, though, and will take a while. If you want to focus, read these enterprise-relevant sections:

And then the official Android Enterprise changelog from Google, which had still not been added to the TOC on the release notes page 🙂

Once we get those new features supported in Workspace ONE (and I get an extra Android 10 device) I’ll post something more detailed.

On Apple, Security by Obscurity and WS1 Trust Network.

In the last several weeks a number of bugs were found in Apple’s iOS, macOS and protocols. This coincided with a partner workshop last Friday, where the decisive argument was “Have you ever heard of an Antivirus for an iPhone”.

Apple is well known for refusing to publish any details behind the inner workings of its solutions, locking down everything that may be locked down and suing all those who try to work around those limitations.

Despite all that, flaws are being found, iOS was jailbroken again (because Apple unpatched a fix they implemented in 12.3) and malware on the App Store is just as common as everywhere else.

Security Researchers about Apple’s Security Through Obscurity

Workspace ONE Notifications in Intelligent Hub – a real-life use case

A few weeks ago, like many others, we were hit by an O365 Exchange outage. What does an admin usually do when something is down? Send an email! But what do you do when email is also down? Ring/Text everyone? Blast it in Teams/Skype/Slack/etc? Pigeons?

This is what happened in our case with Workspace ONE Notifications API for Intelligent Hub.

VMware Workspace ONE Intelligent Hub notifications communicating O365 outage

Important enrollment switches for Samsung KNOX with Android Enterprise (VMware Workspace ONE UEM)

Workspace ONE has a ton of features built specifically for Samsung: KNOX OEM Extensions (modern and legacy), KNOX Service Plugin support (OEMconfig), E-FOTA, KNOX Mobile Enrollment, Legacy containers, etc. There are a few switches controlling the end result. Today I want to discuss a few that pop up in my practice every few months: License Key and Enable Containers, and how they make (or break) your Android Enterprise Samsung deployment.
