Bringing Workspace ONE Mobile Threat Defense to the next Level with integrated Safe Browsing (aka. Phishing & Content Protection)
More and more Phishing attacks happen out side of corporate mail, So to prevent them a Phishing and Content Protection is a good option. As VMware is offering a Add-On for the UEM Installations , let us have a look on the latest and greatest that went GA in June.
Due to some operation system platform limitations you only can have Phishing & Content Protection (PCP) or a VPN if you go with the Lookout for Work App. But now with the integration of Hub and Tunnel App it brings this to a new level. So Mobile SSO, VPN and Phishing & Content Protection on the same Device without any issues. This really brings the Deployment to a totally new Level.
Pre-Reqs:
This Blog assumes a Customer that is already enabled with MTD and also has die the Hub MTD activation via the SDK Settings. If you have not done it yet, it is just adding 2 lines of config to the UEM Console , but I will not do into detail here as there are some TechZone articles already there that cover it in details.
To enable this features there are some pre-reqs required listed here:
- Hub Version iOS 23.05 or Android 23.05 or higher
- Tunnel Version: iOS 23.01.1 or Android 23.01 or higher
- Active VMware Mobile Threat Defense tenant.
Configuration for in the MTD Console
Note: Assumption here is you have already MTD activated with VMware via the SDK Settings and just want to add PCP.
Go to the “Protections” and click to the “Phishing and Content Protection” for you Device Group.
Once there make sure you enable the Phishing and Content Protection and then Select “Secure DNS” only. If you want to enforce it enable the “Mandatory” Setting, so the user does not have the choice to enable / disable it.
If you use VPN and you access internal Domains, make sure you add the Tunnel URLs to the “Skip List” for the Domains that are not public reachable.
once done “Save” the settings and click to “Configure content policies”
Here the policies and the Risk Level can be set. Also ensure the “Block & Alert” is set, as otherwise the Phishing pages will not be blocked.
To provide a better overview I created a Video , so it is easier to follow the above steps:
With all that, we have the MTD Console Config done and can done the configurations for iOS and Android next.
Configuration for Android
For Android the Configurations are really simple. Make sure you have the latest and supported Hub Version and Tunnel Version installed and the Custom Settings to activate MTD are set in the UEM console. once done you can test everything out.
If you go on the Device now the Tunnel App the SDK gets enabled and it fetches the Secure Browsing :
In Android Intelligent Hub you can see that Safe Browsing in the Support Tab is also enabled and you can get some details as User as well.
Configuration for iOS
For iOS we need to create a Profile for the DNS if there is no VMware Tunnel Profile set. If you use a VMware Tunnel VPN Profile , just ignore this custom Profile. Therefore create a new Device Profile for iOS and add the Custom XML shown here:
<dict>
<key>AppBundleIdentifier</key>
<string>com.vmware.ios-tunnel</string>
<key>PayloadDisplayName</key>
<string>DNS-Proxy</string>
<key>PayloadType</key>
<string>com.apple.dnsProxy.managed</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadIdentifier</key>
<string>com.apple.dnsProxy.managed.41CB9A8F-3324-4F97-8C4A-7746E835045F</string>
<key>PayloadUUID</key>
<string>41CB9A8F-3324-4F97-8C4A-7746E835045F</string>
</dict>Once added it should look like this, so make sure the Profile is assigned to the Fleet of iOS Devices with the Assignment Type set to “Auto”.
For iOS there is just this little profile extra, which makes the Configurations are really simple. Make sure you have the latest and supported Hub Version and Tunnel Version installed and the Custom Settings to activate MTD are set in the UEM console. Once done you can test everything out.
If you open now Tunnel it will activate the SDK and look similar to this:
Within the VMware Workspace ONE Intelligent Hub you will see the Secure Browsing is “ON” and if there are detected URLs you will see them and can have a deeper look as User as well. Also the Admin gets this URLs listed in the MTD Console.
To create a better overview I created a Video with the UEM Console Settings used:
Admin Experience :
Reporting can be used in Mobile Threat Defence Console as well and we see the URL that was blocked and all the classification of the Content:
This data can also be used with Workspace ONE Intelligence to build Automations or Dashboards to get a better view of the whole fleet and trends.
Device Demo
In this section of the Blog I want to show the device experience of MTD with PCP enabled. Here a demo of iOS :
also here the Android Device Demo :
Conclusion
Now we have successful deployed Mobile Threat Defense incl. Safe Browsing (aka. Phishing and Content Protection) for Workspace ONE UEM managed devices on iOS & Android. Tested it on iOS and Android and see all the Events in the MTD Console / in Intelligence. This brings the Security on the Device to the next Level, while keeping things as simple as possible for the User and the Administrators.
Note: This Blog was published at the GA of the feature , while the Demos and Videos have been recorded at the Beta Phase in Early 2023.
vExpert, blogger and VMware champion. Worked 10 years as a VMware & Microsoft consultant for a partner before joining VMware in 2017.