Remediate the Pixel4 and Galaxy S10 biometric security flaws with Workspace ONE

I am pretty sure you’ve heard already about the issues with the Samsung Galaxy S10 fingerprint sensor and Google Pixel 4 Face Unlock. Both companies have acknowledged the issues and committed to releasing patches “soon” (Samsung is said to be testing fixes in certain countries already). What can you do in the meantime? With Workspace ONE and Android Enterprise it is easy!

(more…)

Hidden TCPdump and ETHtool on VMware UAG

VMware UAG (Unified Access Gateway) is a cool little security appliance, deployable on vSphere, AWS, Azure etc., that hosts a lot of Workspace ONE edge services: Horizon Proxy, Web Reverse Proxy, Tunnel VPN Gateway, Content Gateway and (since 3.6) the Secure Email Gateway. The challenge is that the thing was built to be headless and super-secure, which means it is almost bare inside. And this is not helpful when troubleshooting.

While watching a VMworld 2019 Session (links at the bottom) I’ve found out that there is actually a hidden tcpdump and ethtool installer, which was first made for our own support services, but is generally available for everyone now.

All you need to do is invoke the /etc/vmware/gss-support/install.sh command from the UAG CLI. Of course, it is highly advisable to remove the tools via /etc/vmware/gss-support/uninstall.sh once the troubleshooting is done!

ADV1798BU – Unified Access Gateway Securing Virtual Desktop and App Access

In case you need a refresher on TCPdump and ETHtool:

With TCPdump I usually prefer capturing everything into a PCAP file and then loading it in Wireshark for analysis. We only need NetCat to be able to stream it conveniently to a remote host.

That is it for today – enjoy, and let me know if it was helpful!

Workspace ONE Notifications in Intelligent Hub – a real-life use case

A few weeks ago, like many others, we were hit by an O365 Exchange outage. What does an admin usually do when something is down? Send an email! But what do you do when email is also down? Ring/text everyone? Blast it in Teams/Skype/Slack/etc.? Pigeons?

This is what happened in our case with Workspace ONE Notifications API for Intelligent Hub.

VMware Workspace ONE Intelligent Hub notifications communicating O365 outage
(more…)

Is Mobile in your comfort zone?

A colleague of mine shared this post on LinkedIn, about his recent mobile work experience. Conceptually, nothing in that post was really new – we could do the same 10+ years ago. So why, then, are we still hearing “I’ll get this info to you when I get to the office” or similar replies?

My guess is that it’s not just about you being able to do it, but also, how you feel about it. How many times have you thought “Yeah, I *could* do this now, but it’s so darn tedious. Better wait until I get to the office/home/hotel” ?

Truth is, most people don’t want to leave their comfort zone. But what happens to the investment in mobility tech if it doesn’t extend that comfort zone into the mobile environment? What if I can read my emails on the phone, but acting on most of them requires getting to the laptop, starting VPN, signing into apps several times and being generally stationary for a while?

Dilbert by Scott Adams: https://dilbert.com/strip/2014-05-26

There are of course mobile apps and services with a great user experience, and there are platform UX guidelines for Android, iOS, Windows etc. But I guess having one great app won’t help.

Thus, I think, it’s not just about mobility per se, but rather a seamless and comfortable user experience across most apps and devices. Would you agree? You can invest in MDM, IAM, SSO, MTD and other TLAs all you want, but if they don’t extend the user’s comfort zone, the best you will get is security, compliance and mildly annoyed users who still think that work can wait.

If you do agree with the above, you may want to check out the short videos below. They are part of a larger playlist dedicated to employee experience. Even though they are cheery marketing videos, they show the actual user experience and workflows.

If you want less cheery and more technical info, check out this article on Intelligent Hub Services APIs and Mobile Flows at BrianMadden.com.

And if you are visiting VMworld 2019, you may be interested in this session:

What’s New: Revolutionize Employee Productivity with Mobile Flows and Intelligent Hub [DEE2301BU]

If you don’t agree with the above (even after viewing the videos below) – could you please write why? Happy viewing!

Workspace ONE Mobile Flows
Get your Employees Productive from Day 1

Custom login URL for cloud WorkspaceONE Portal nice and easy

With WorkspaceONE deployed, many users begin their day at the main page of the WS1 Portal. If you are using the cloud version, it is usually hosted at a URL like <yourname>.vmwareidentity.eu (or .com etc. for other regions). Many don’t like this and want something like login.mycorp.com instead. Here’s a short note on how to make it, and make it right!

How to make it …wrong!

Our first thought would be: “Not a problem – I’ll just have a DNS CNAME (alias)!”

login.mycorp.com –> mycorp.vmwareidentity.eu

This will not work. The client traffic WILL be sent to the IP address of the cloud portal, but the hostname the browser puts in the HTTP Host header (and presents for the TLS handshake) will still be login.mycorp.com. And this is not what WS1 expects. At the minimum you will see this:

A very obvious case of the certificate name mismatch.

How to make it …right!

What we need instead is a proper web redirect (HTTP 301 Moved Permanently) that basically tells the browser “go to mycorp.vmwareidentity.eu instead”, so that the browser re-issues the request with all the necessary HTTP header changes.

One way to do it is to deploy a web server that hosts the login.mycorp.com name and responds with an HTTP 301 code. But this is complicated, and we need a web server for it. Is there an easier way?
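To show what that web server actually has to do, here is an added example (not from the post): a minimal 301 redirector that sends every request for login.mycorp.com to mycorp.vmwareidentity.eu, keeping the path and query string. The hostnames are the ones used in the post; the target host is fixed in code, so it cannot be abused as an open redirect.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

SHORT_HOST = "login.mycorp.com"           # vanity name users type (from the post)
PORTAL_HOST = "mycorp.vmwareidentity.eu"  # real cloud portal hostname (from the post)

def redirect_target(request_path, portal_host=PORTAL_HOST):
    """Absolute HTTPS URL on the portal, keeping path and query string so
    deep links survive the redirect instead of landing on the portal root."""
    parts = urlsplit(request_path)
    return urlunsplit(("https", portal_host, parts.path or "/", parts.query, ""))

class RedirectHandler(BaseHTTPRequestHandler):
    """Answer every request with 301 Moved Permanently plus a Location header.
    The browser then re-issues the request to mycorp.vmwareidentity.eu with a
    matching Host header, so the portal's certificate and cookies just work."""

    def _redirect(self):
        self.send_response(301)
        self.send_header("Location", redirect_target(self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_HEAD = _redirect

    def log_message(self, *args):  # silence per-request logging
        pass

def serve_in_background(port=0):
    """Start the redirector on a daemon thread; port 0 picks a free local port."""
    server = HTTPServer(("127.0.0.1", port), RedirectHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(server, path):
    """Act like a browser hitting the short URL; return (status, Location)."""
    conn = HTTPConnection("127.0.0.1", server.server_port, timeout=5)
    conn.request("GET", path, headers={"Host": SHORT_HOST})
    resp = conn.getresponse()
    location = resp.getheader("Location", "")
    conn.close()
    return resp.status, location

if __name__ == "__main__":
    srv = serve_in_background()
    print(probe(srv, "/catalog?tab=apps"))
    srv.shutdown()
```

In production the redirector itself must serve HTTPS with a certificate for login.mycorp.com, otherwise users typing the short name get the same certificate mismatch the CNAME approach produces.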

Maybe. Many cloud DNS hosters offer a WR or Web Redirect type of record. Basically, this is exactly the web server above, but they host it for you, and you manage it as just another DNS record type. Here’s how it looks in my CloudDNS console (they did not pay me for this post, but they are the only sensible free DNS provider I could find).

Example of a WR or Web Redirect record. Click to enlarge.

Now if we go to our short login URL we will see a proper login screen and the following network trace in the browser (here I use Chrome Developer Tools). I believe this is pretty self-explanatory. Note that we also don’t need to touch any SSL certs, cookies or anything else. It. Just. Works.

Permanent 301 redirection for VIDM login URL in browser’s network trace.

Summary

Now you know two ways to make the life of your users easier by providing them with a short login URL for their WorkspaceONE portal. One of those ways actually works! 🙂

What is your opinion: do you use shortened names in general, or is this just a fad and a waste of time? Write below!

Google Play Managed iFrame in Workspace ONE UEM (AirWatch) – Web Apps

In the previous post I covered adding Private apps via the Google Play Managed iFrame for Android Enterprise. This time let’s deal with the Web Apps (links, web clips).

(more…)

Apple iOS Update Management with WorkspaceONE UEM (AirWatch)

This practical entry briefly outlines how to force or defer OS updates for Apple iOS devices (iPhones, iPads). There are two completely opposite use cases for this:

  • Critical 0-day vulnerability – must force push the OS update to patch the devices
  • Business critical apps not tested with the latest iOS update – must delay/disallow the update before testing. This is the better known challenge for Apple device managers, since typically the user is allowed to update manually.
(more…)