Custom login URL for cloud WorkspaceONE Portal nice and easy

With WorkspaceONE deployed, many users begin their day at the main page of the WS1 Portal, which, if you are using the cloud version, is usually hosted at a URL like <yourname>.vmwareidentity.eu (or .com etc. for other regions). Many don’t like this and want something like login.mycorp.com instead. Here’s a short note on how to make it, and how to make it right!

How to make it …wrong!

Our first thought would be: “Not a problem – I’ll just have a DNS CNAME (alias)!”

login.mycorp.com –> mycorp.vmwareidentity.eu

This will not work. The client traffic WILL be sent to the IP address of the cloud portal, but the host name in every HTTP header (and in the TLS handshake) will still be login.mycorp.com, and this is not what WS1 expects: the portal presents a certificate for its own vmwareidentity.eu name, not yours. At the minimum you will see this:

A very obvious case of the certificate name mismatch.

How to make it …right!

What we need instead is a proper web redirect (HTTP 301 Moved Permanently) that basically tells the browser “go to mycorp.vmwareidentity.eu instead”, so that the browser makes a fresh request with all the necessary HTTP header changes.

One way to do it is to deploy a web server hosting the login.mycorp.com URL and responding with the HTTP 301 Code. But this is complicated and we need a web server. Is there an easier way?

Maybe. Many cloud DNS hosting providers offer a WR or Web Redirect type of record. Basically, this is exactly the above web server, but they host it for you, and you manage it as just another DNS record type. Here’s how it looks in my CloudDNS console (they did not pay me for this post, but they are the only sensible free DNS provider I could find).

Example of a WR or Web Redirect record.

Now if we go to our short login URL we will see a proper login screen and the following network trace in the browser (here I use Chrome Developer Tools). I believe this is pretty self-explanatory. Note that we also don’t need to touch any SSL certs, cookies or anything else. It. Just. Works.

Permanent 301 redirection for VIDM login URL in browser’s network trace.
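The redirect described above, as an added example (not code from the post or from VMware): a minimal Python redirector that answers every request for the vanity name with 301 and a Location on the portal host, plus a probe that fetches it without following the redirect, so you can see exactly what the browser’s network trace shows. The portal host name comes from the post; the request path and the local port are constructed for the demo.

```python
import http.server
import threading
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

PORTAL_HOST = "mycorp.vmwareidentity.eu"  # the real cloud portal name from the post


def build_location(path: str, portal_host: str = PORTAL_HOST) -> str:
    """Map path+query onto the portal host over https (Host, SNI and cert then match)."""
    parts = urlsplit(path)
    return urlunsplit(("https", portal_host, parts.path or "/", parts.query, ""))


class RedirectHandler(http.server.BaseHTTPRequestHandler):
    """Answer every request with 301 Moved Permanently. A bare CNAME cannot do
    this: the browser keeps using login.mycorp.com and the portal's
    certificate does not match that name."""

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", build_location(self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe_redirect(port: int, path: str) -> tuple:
    """Fetch once WITHOUT following redirects; return (status, Location),
    i.e. what the first line of the browser's network trace shows."""
    class NoFollow(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # tells urllib not to chase the 3xx
    try:
        resp = urllib.request.build_opener(NoFollow).open(f"http://127.0.0.1:{port}{path}")
        return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # urllib raises an unfollowed 3xx as an error
        return err.code, err.headers.get("Location")


def run_demo(path: str = "/login?next=apps") -> tuple:
    """Start the redirector on an ephemeral local port, probe it, shut it down (demo path/port are constructed)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe_redirect(srv.server_address[1], path)
    finally:
        srv.shutdown()
        srv.server_close()
```

A hosted Web Redirect record does the same job as this handler; the probe is useful for checking that whichever you use keeps the path and query and sends the browser to https, not http.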

Summary

Now you know two ways to make the life of your users easier by providing them with a short login URL for their WorkspaceONE portal. One of those ways actually works! 🙂

What is your opinion, do you use shortened names in general or this is just a fad and waste of time? Write below!


Modern mobile security: people or devices? (with Dilbert)

I really like this slide from the IDC presentation for Google’s Enterprise Partner Summit 2019 (available in public access here).

A slide from IDC: The Evolution of Android in the Enterprise (c) IDC

Note that the technical threats begin at position number 7! But the top 6 are dominated by the threats based on the user behaviour (and the lack of proper tools/policies that allow such behaviour)!

Why does that happen? What can be done? Read on to learn more and see some Dilbert!


Android Q Enterprise Features for EMM Admin

This is a brief analysis on the upcoming Android Enterprise Features in Android Q. Read the full notes here. Google has a habit of silently updating those documents, so I expect to update this post once subsequent iterations of Beta are released. The below is my sole opinion, and I welcome hearing yours. NB: it starts slow, the really great stuff is towards the 2nd half 🙂


Device Compliance with Identity Manager – the less obvious implementation details

Everyone likes the idea of Device Compliance checks. It allows us to differentiate between company-issued, BYOD-enrolled, private and totally foreign devices, assess their security posture and execute access decisions based on this vital data, expanding our Conditional Access options. It is also extremely easy to use, just like that (VIDM Admin Console):

Device Compliance can be easily added to any authentication method …yes

Right?

Wrong! Try it yourself and see if it works. In this post we will discuss some of the less obvious, but perfectly logical restrictions that Device Compliance imposes on your selection of authentication methods.


Sideloading iOS apps: the good, the bad, the ugly collection

This brief post is a collection of links on the matter of sideloading iOS apps, the consequences and how to prevent it. Mostly via BrianMadden.com.

If you are interested in the subject or have your own experiences, feel free to share them!

[iOS vs Android] OS and Application Updates

I frequently get this question from customers and partners: “How can I control Application and OS Updates in iOS and Android?” So I’ll drop a note here.

Update management includes:

  • Configuring the behaviour of OS upgrades (major), patches, public apps (via App/Play Store, VPP) and private apps (via App/Play Store or directly via EMM)
  • Scheduling updates to happen (or NOT happen) at specific times. For example, do not update between 8AM and 6PM, when the user is working.
  • Manually pushing or rolling back an update to a single device or group of devices (troubleshooting, 0day immediate security patch etc)
  • Controlling the visibility of update to the user, or blocking an update to specific devices altogether (known compatibility issue with business/mission-critical apps)
  • Version control: i.e. upgrade to version X, not just to the latest version available. A very common case with public app stores.
  • Pre-release support: alpha/beta users, multiple adoption rings.
  • Controlling the update delivery so that updates only happen on Wi-Fi, or on Cellular.
  • Granular control of all of the above per device group/type, per user group/name/type, per app etc.
  • Controlling user ability to influence any of the above (allow costly cellular updates, defer/deny critical updates, update manually to an unsupported OS version etc)

Suddenly, things are not that simple, are they? Long story short, the winner is BY FAR the …Windows 10! 🙂 Watch the video on managing Win10 Updates with UEM here (tech and WorkspaceONE implementation and design/philosophy – much recommended). Now, let’s go back to iOS and Android and see what we have got there.

NB: This info may become out of date when new OS capabilities are released. If you notice anything outdated, leave a comment and I’ll update the post.


Google Play Managed iFrame in Workspace ONE UEM (AirWatch) – App Collections

In two previous posts dedicated to the Managed Google Play iFrame we have covered Private Apps and Web Apps. The last feature of the iFrame interface is called Collections and allows you to organize the Work Play Store app layout, as well as shoot yourself in the foot a few times…
