BYOD light: Passwordless Secure Browsing
While there are multiple options for BYOD Devices to be managed like Work Profile on Android or User Enrollment on iOS, I want to show an alternative here that does not require a MDM Profile on the Device. So let us have a look on iOS Hub Registered Mode for Users that do not know their Password or do not even have Passwords. I used a iOS Device and Token based Enrollment with Hub Services Enabled and the VMware Tunnel with VMware Web App.
the following Pre-Reqs need to be met to have BYOD Light Devices Enrolled and having them protected on Browsing and also having:
- Existing Workspace ONE UEM with Hub Services
- VMware Tunnel (optional VMware SASE & Cloud Web Security)
- optional Workspace ONE Access CBA Authentication inc. CA for SSO (highly recommended)
This is how I build it up, it works , still you can change some components, if you do not have SASE for example you still can use
Enabling Hub Registered Mode:
This step is optional , I used it to show it does not require MDM Management of the device. Any as some Companies do not want to have MDM on BYOD , this is a good fit.
I used a separate OG ,and enabled then the Settings “Devices & Users” / “General” the Management Mode on Registered Devices like Shown here.
Enable Token Based Enrollment
This step is optional , I used it to show it does not require a Password to enroll the device.
In a passwordless world UEM can be used with Token based for Enrolling devices, if you have a SAML Provider this can be also archived there, but for simplification I used the UEM enbedded Tokens. This also works for Hub Registered Devices. So in the Enrolment Setting I enabled “Require Registration Token” and used the Single Token. This step is optional , I used it to show it does not require MDM Management of the device. In a passwordless world UEM can be used with Token based for Enrolling devices, if you have a SAML Provider this can be also archived there, but for simplification I used the UEM enbedded Tokens. This also works for Hub Registered Devices. So in the Enrolment Setting I enabled “Require Registration Token” and used the Single Token.
WS1 Web App Settings
I used the following SDK Settings to add the Certificate for WS1 Access and also do SSO for the SDK Apps :
- Single-Sign-On : Enabled
- Integrated Auth: Enabled
- Use Certificate: Enabled (Specify CA & Template)
You any optionally set the Authentication type to Passcode to have the user entering a Passcode to access the Apps.
in the “AirWatch App Tunnel” Part you can enable the Tunnel and set the device traffic rules. this would apply then.
Enrolling a Device with the QR-Code
to send a Token as Admin you select the User and click to Add Device
in the New Window you can enter the Mail Adress for the user. I used the personal mail adress, assuming the user has no access to corporate mails , this is a good option to start onboarding a device. Once clicked to “Save” that Mail is send out with a QR-Code.
Now the user has to download the VMware Workspace ONE Intelligent Hub (iOS or Android) from the Public AppStore / Goolge Play. , I used iOS here. I used the Option to scan the QR-Code for Enrollment. Once registered we are ready to install the Apps.
As the QR-Code has the Token in it , I do not need to type in a Password if “Single Factor” is selected. Keep in mind that the QR-Code with the Enrollment token can only be used once and expires after the set timeframe (default: 24 hours)
Once finished the device is enrolled & I can download the Boxer (Mail, Contacts Calender) , Content (Networkshare, OneDrive etc) , Web (Browser) and 3rd Party Application that can use the SDK to get Certificates and Tunnel Connection.
For setting up Web I highly recommend having a look on my Blog for WS1 Web and SASE
once there just download the App:
Once downloaded just open the App, SDK Settings get applied directly in the background , Certificates get requested and all is setup inc. VMware Tunnel SDK.
If you now use Workspace ONE Access you can do SSO to all you Web Application, internal via the Tunnel and External Applications. As we have a Certificate we do not need a Passwort to login here.
So let us have a look on how fast we can enroll a device an access a webpage without password on a BYOD Device.