Top 10 Use Cases for Workspace ONE Intelligence for your Mobile Device Fleet (Part 2)

Targoon Siripanichpong
11 min read · May 24, 2022


Welcome back to another round of me going on and on about Workspace ONE Intelligence! This post continues my previous one. Recap: I am covering the top 10 use cases for Workspace ONE Intelligence, focusing on how the solution can improve your overall mobile device deployment. In the previous post, we discussed four use cases focused on IT operations and quality-of-life improvements. Today, we will discuss another four, focused on security enhancement.

As a reminder, this is just one of many resources available to you around Workspace ONE Intelligence. There are many other blog posts and articles covering different aspects of the solution, including this excellent YouTube playlist. Please go check it out!

For now, let’s look into the security side of Workspace ONE Intelligence. Today I pick the top four security enhancement use cases for Workspace ONE Intelligence: three of them are available out of the box and you can take advantage of them right now, while the fourth requires a third-party integration with your Mobile Threat Defense (MTD) solution of choice.

Let’s get going, shall we?

Quick Links to Use Cases

5. Compliance Policy Engine (on steroids)

6. Vulnerability Management & Remediation

7. Risk Analytics for Mobile Devices

8. Integration with Mobile Threat Defense solutions (via Workspace ONE Trust Network)

5. Compliance Policy Engine (on steroids)

I am sure 99.9% of you reading this are familiar with the Compliance Policy Engine in Workspace ONE UEM. After all, it is the forefather of Workspace ONE Intelligence Automation. The Compliance Policy Engine in UEM has served us well. However, what we can achieve with Workspace ONE Intelligence Automation lifts the compliance standard to the next level.

The main limitation of Workspace ONE UEM’s Compliance Policy Engine, as you may already know, is its pure focus on the device management side. For Android and iOS devices, you have just over a dozen rules you can enforce (some of them rarely used) and only a few remediation actions: sending user notifications, blocking resources (profiles and apps), installing additional restrictions and, as a last resort, enterprise wiping the device.

In a lot of cases, that is sufficient. With Workspace ONE Intelligence Automation, though, there is a lot more we can do, and far more flexibility than the legacy Compliance Engine offers. First of all, the world is your oyster: virtually any data point collected from the devices can be used in your ruleset, including advanced attributes such as the device risk score, sensor data (for desktop use cases), or any data from third-party platforms.

Second, apart from having the full Workspace ONE UEM API library available as remediation actions, Workspace ONE Intelligence integrates with other solutions through built-in and custom connectors. We can send user notifications, remove apps and profiles, install additional restrictions, or wipe the devices, just like the legacy Compliance Engine. We can also create an incident in ServiceNow, send group messages in Slack, move devices to a different organization group to quarantine them, and even tag the devices to trigger another workflow.

With that said, here are some compliance rule examples you may want to consider adding to your environment. (A fair warning: some of these also appear in the other use cases. I will go deeper into them as we get there, so you may see some items pop up again as you read through this post.)

  • Devices with Compromised Status
  • Devices without passcode and restriction policies
  • Devices with an out-of-date OS, or potential targets for a zero-day exploit (we will dive deeper into this in the next use case)
  • Devices with a high risk score (calculated by Intelligence Risk Analytics; more on this later in this post)
  • Devices without the security-related apps your organization requires, e.g., Lookout, BETTER Mobile, Check Point, Intelligent Hub (yes, Intelligent Hub is a security-related app), and more
  • Devices with high threat levels reported through Workspace ONE Trust Network (also covered later in this post)

In addition to the custom workflows you can create yourself, there are also a few pre-built workflow templates you can explore. Here are the templates currently available under Device Compliance.

Available Workspace ONE Intelligence Automation workflow templates for Device Compliance

Here is one example of a workflow from a pre-configured template available in Workspace ONE Intelligence. It creates a ServiceNow incident flagging enrolled devices reported as compromised, so the helpdesk team can reach out to the end users to resolve the issue.

Automation workflow to create ServiceNow incident for compromised devices

Here is another example of a compliance policy you can build as a custom workflow. In this case, we check whether iOS devices have Workspace ONE Intelligent Hub installed. (Intelligent Hub is used for compromised-status detection and, if enabled, Mobile Threat Defense, so a device without it is a blind spot.) If a device does not have Intelligent Hub installed for any reason, we re-push the application to it.

Automation workflow to re-install Intelligent Hub application if devices do not have the app installed.
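To make the "compliance engine on steroids" idea concrete, here is a small added example of the kind of ruleset described in this use case, written as a stand-alone script. It is not Workspace ONE Intelligence code: the device records, attribute names, app names and action names are all constructed for illustration. In the product, each rule would be an Automation workflow condition and each action a UEM API call or connector step (ServiceNow, Slack, and so on). The one design point worth copying is the action ranking: when several rules fire on the same device, only the harshest action is taken, so a device is not quarantined and then also nagged about its missing passcode.

```python
"""Added example (not Workspace ONE Intelligence code): a toy evaluator for
the kind of compliance ruleset listed above. Device records, attribute names,
app names and action names are constructed for illustration."""
from dataclasses import dataclass

# Assumed display names used for the app-inventory checks (constructed).
HUB_APP = "Workspace ONE Intelligent Hub"
APPROVED_MTD_APPS = {"Lookout for Work", "Check Point Harmony Mobile"}


@dataclass
class Device:
    udid: str
    compromised: bool = False            # jailbreak/root detection reported by Hub
    passcode_present: bool = True
    restrictions_profile: bool = True
    installed_apps: frozenset = frozenset()
    risk_score: str = "Low"              # Risk Analytics buckets devices as Low/Medium/High


# Harsher actions rank higher; when several rules fire, only the harshest action runs.
ACTION_RANK = {
    "notify_user": 1,
    "reinstall_hub": 2,
    "open_servicenow_incident": 3,
    "tag_high_risk_and_quarantine": 4,
}

# (rule name, predicate, action). Order does not matter; the ranking decides.
RULES = [
    ("compromised device", lambda d: d.compromised, "open_servicenow_incident"),
    ("passcode or restrictions policy missing",
     lambda d: not (d.passcode_present and d.restrictions_profile), "notify_user"),
    ("Intelligent Hub not installed", lambda d: HUB_APP not in d.installed_apps, "reinstall_hub"),
    ("no approved MTD app installed",
     lambda d: not (d.installed_apps & APPROVED_MTD_APPS), "notify_user"),
    ("high risk score", lambda d: d.risk_score == "High", "tag_high_risk_and_quarantine"),
]


def evaluate(device, rules=RULES):
    """Return every rule a device violates and the single action to take for it."""
    violations = [(name, action) for name, pred, action in rules if pred(device)]
    if not violations:
        return {"udid": device.udid, "violations": [], "action": None}
    action = max((a for _, a in violations), key=ACTION_RANK.__getitem__)
    return {"udid": device.udid, "violations": [n for n, _ in violations], "action": action}


def evaluate_fleet(devices, rules=RULES):
    return [evaluate(d, rules) for d in devices]


# Constructed inventory: one clean device and one device per failure mode.
FLEET = [
    Device("ios-001", installed_apps=frozenset({HUB_APP, "Lookout for Work"})),
    Device("ios-002", compromised=True, installed_apps=frozenset({HUB_APP, "Lookout for Work"})),
    Device("ios-003", passcode_present=False, installed_apps=frozenset({"Lookout for Work"})),
    Device("ios-004", risk_score="High", installed_apps=frozenset({HUB_APP, "Lookout for Work"})),
]

if __name__ == "__main__":
    for result in evaluate_fleet(FLEET):
        print(result)
```

Note that `ios-003` violates two rules (no passcode, no Hub) and gets only the Hub re-push; the passcode nag is still recorded in `violations`, so a dashboard built on the same data loses nothing.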

6. Vulnerability Management & Remediation

Zero-day vulnerabilities have, unfortunately, become more and more prevalent. Like it or not, we have become far too familiar with dropping everything and spending hours, if not days, all hands on deck, fending off new exploits.

Recognizing this challenge, VMware gives us a way to lift much of that weight through its out-of-the-box Vulnerability Management solution. This solution is built on top of Workspace ONE Intelligence, using its core Reports, Dashboards, and Automations to help you proactively manage potential vulnerabilities in your environment. It does this by combining published vulnerability data (CVE identifiers and CVSS scores) with device data from Workspace ONE UEM, such as the installed OS version, to evaluate which devices are exposed.

As of this writing, the Vulnerability Management solution within Intelligence supports the Windows and iOS platforms. (macOS is coming later this year.) While it does not cover every device platform yet, it is still a very powerful tool. Since this post focuses on mobile devices, I will focus on iOS.

There are three parts to this solution: SLA definition, vulnerability monitoring, and vulnerability remediation.

Service-Level Agreements (SLAs), in this context, define how fast we need to remediate vulnerabilities of each severity level. The solution lets you define your SLAs in line with your security policy: for each CVSS score range, you set the percentage of devices that must be patched and the timeframe for doing so, as seen in the screenshot below. These thresholds drive the security health visualization of your patching progress.

SLA definition found under Solutions > Vulnerability Management > Settings

The second part is vulnerability monitoring. Built-in dashboards let us identify available updates and vulnerable devices and observe patch install status trends, so we can step up our remediation effort when it is not going to meet the SLA target. This is what the dashboard for iOS devices looks like.

Built-in Vulnerability Management dashboard for iOS

Lastly, we have vulnerability remediation, done through Workspace ONE Intelligence Automation workflows. Based on the CVSS score, we can create a workflow that acts as a compliance policy engine: remove resources, install restrictions, notify users, or push the latest OS update when we detect that a device is vulnerable (e.g., it has an open CVE with a CVSS score over a defined threshold). Because the condition keys on the CVSS score rather than on a specific CVE, newly published vulnerabilities above the threshold are picked up automatically, and you can automate the OS update without manually editing the workflow each time.

Here is an example of how we can schedule the latest OS update on iOS devices that are vulnerable to CVEs with CVSS scores higher than 9.8.

Example of an automation workflow targeting devices susceptible to high CVSS score
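The three parts above (SLA bands, monitoring, and the CVSS-threshold remediation rule) fit together in a few lines of logic, so here is an added example that models them over a constructed device inventory and a constructed CVE list. It is not Workspace ONE Intelligence code, and it is not how the product matches devices to CVEs internally. The CVE identifiers (`EXAMPLE-CVE-A` and friends), scores, fixing versions, publish dates and SLA numbers are placeholders, not real advisories; the version-comparison rule (a device is exposed when its iOS version is below the first fixed version) is an assumption that holds for OS-level iOS CVEs. The CVSS threshold is a parameter; the screenshot above uses 9.8, the default here is 9.0.

```python
"""Added example, not Workspace ONE Intelligence code: a small model of SLA
bands, vulnerability monitoring and the CVSS-threshold remediation rule. All
CVE identifiers, scores, versions, dates and SLA numbers are constructed."""
from datetime import date

AS_OF = date(2022, 4, 5)  # the "today" used for SLA deadlines in this example


def parse_version(v):
    """'15.4.1' -> (15, 4, 1); tuples compare correctly, strings would not ('15.10' < '15.4')."""
    return tuple(int(p) for p in v.split("."))


# Constructed CVE feed: placeholder id, CVSS base score, first iOS version that fixes it, publish date.
CVES = [
    {"id": "EXAMPLE-CVE-A", "cvss": 9.8, "fixed_in": "15.4.1", "published": date(2022, 3, 31)},
    {"id": "EXAMPLE-CVE-B", "cvss": 7.8, "fixed_in": "15.4", "published": date(2022, 3, 14)},
    {"id": "EXAMPLE-CVE-C", "cvss": 5.5, "fixed_in": "15.2", "published": date(2021, 12, 13)},
]

# Constructed SLA bands: CVSS range -> percentage of devices that must be patched, and within how many days.
SLA_BANDS = [
    {"name": "critical", "min": 9.0, "max": 10.0, "target_pct": 95, "days": 7},
    {"name": "high", "min": 7.0, "max": 8.9, "target_pct": 90, "days": 14},
    {"name": "medium", "min": 4.0, "max": 6.9, "target_pct": 70, "days": 30},
]

# Constructed inventory. OS update commands only work on supervised iOS devices.
DEVICES = [
    {"udid": "dev-1", "os_version": "15.4.1", "supervised": True},
    {"udid": "dev-2", "os_version": "15.3.1", "supervised": True},
    {"udid": "dev-3", "os_version": "15.1", "supervised": False},
    {"udid": "dev-4", "os_version": "15.4", "supervised": True},
]


def open_cves(device, cves=CVES):
    """CVEs still unpatched on a device: its OS version is below the fixing version."""
    v = parse_version(device["os_version"])
    return [c for c in cves if v < parse_version(c["fixed_in"])]


def band_for(cvss, bands=SLA_BANDS):
    return next((b for b in bands if b["min"] <= cvss <= b["max"]), None)


def remediation_action(device, threshold=9.0):
    """Workflow condition keyed on CVSS, not on a CVE id, so new CVEs above the
    threshold are caught without editing the rule. Unsupervised devices cannot
    be force-updated, so they only get a notification."""
    worst = max((c["cvss"] for c in open_cves(device)), default=0.0)
    if worst < threshold:
        return None
    return "schedule_os_update" if device["supervised"] else "notify_user"


def sla_status(cves=CVES, devices=DEVICES, today=AS_OF):
    """Per CVE: patched percentage and whether its SLA is met, breached, or still in the window."""
    report = {}
    for c in cves:
        band = band_for(c["cvss"])
        fixed = parse_version(c["fixed_in"])
        patched = sum(1 for d in devices if parse_version(d["os_version"]) >= fixed)
        pct = 100.0 * patched / len(devices)
        overdue = (today - c["published"]).days > band["days"]
        state = "met" if pct >= band["target_pct"] else ("breached" if overdue else "in_window")
        report[c["id"]] = {"band": band["name"], "patched_pct": pct, "state": state}
    return report


if __name__ == "__main__":
    for d in DEVICES:
        print(d["udid"], [c["id"] for c in open_cves(d)], remediation_action(d))
    for cve_id, row in sla_status().items():
        print(cve_id, row)
```

Run as-is, `dev-2` and `dev-4` get an OS update scheduled for the critical placeholder CVE, `dev-3` only gets a notification because it is unsupervised, and the SLA report shows the critical CVE still inside its seven-day window while the high one is already breached.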

7. Risk Analytics for Mobile Devices

Another built-in, out-of-the-box security solution in Workspace ONE Intelligence is Risk Analytics. Like Vulnerability Management, it is built on top of Workspace ONE Intelligence: it draws on data from Workspace ONE UEM (and, optionally, Workspace ONE Access) and derives additional insight from it. From the UEM data, Workspace ONE Intelligence identifies potentially anomalous and high-risk behaviors on devices, allowing you to proactively mitigate threats to your environment.

Multiple behaviors feed into the risk score. For example, it looks at users’ application download behavior and checks whether they install obscure or questionable applications. This VMware documentation gives a good description of the Risk Scoring concept, including the risk indicators by platform and ownership type and how the score is calculated.

To visualize your overall device risk scoring, a built-in dashboard is available under Intelligence Dashboard > Security Risk Dashboard > Devices tab, as seen below. It shows historical data on devices with a high risk score, broken down by risk indicator. (Note that one device can have more than one high-risk indicator, so the per-indicator counts can add up to more than the number of high-risk devices.)

Built-in Risk Analytics historical dashboard, aggregated by Risk Indicator

I also built my own custom Risk Analytics dashboard for mobile devices. You can download the JSON template here if you would like to import it as your own.

Custom Risk Analytics dashboard, built by me!

Now that we can see which devices and users are high-risk, the next step is to act on them. We do that through… you guessed it… Workspace ONE Intelligence Automation. I alluded to this in the first security use case: we can use an Automation workflow to build a compliance policy on the risk score data. Here are a few ideas you can explore for devices with a high risk score:

  • Send the security team and/or the user a notification through Slack, Teams, or email, prompting corrective action
  • Open a ServiceNow incident so the helpdesk team reaches out to the end user to mitigate the issue
  • Tag devices in Workspace ONE UEM as High Risk, triggering further workflows in UEM or Intelligence, e.g., moving them to a quarantine OG, installing a background image marking the device as high risk, etc.
  • Schedule an OS update (supervised iOS devices only) if the risk indicator is Laggard Update

Example of an automation workflow targeting devices with high risk score

In addition to the actions you can perform through Intelligence Automation, if you integrate Workspace ONE Access, the risk score can also drive user access through Workspace ONE Access’s conditional access policies. The risk score becomes another policy criterion: devices and/or users with a higher risk can be required to complete an additional layer of authentication, or simply be denied access to your sensitive resources.

The video below dives into more detail on how Risk Analytics works, including the Workspace ONE Access integration and how to use the risk score in a conditional access policy flow.

To summarize, Risk Analytics is a low-effort, high-reward out-of-the-box solution that adds value to your security setup without any additional integration. (The Workspace ONE Access integration is optional.) The risk scores are already calculated for you; you can fully leverage the solution through the built-in risk scoring dashboard for visibility, along with the compliance actions you define for high-risk devices.

8. Integration with Mobile Threat Defense solutions (via Workspace ONE Trust Network)

Before we dive into this use case, let’s get to know more about Workspace ONE Trust Network!

Workspace ONE Trust Network integrates threat data from different security solutions, including Endpoint Detection and Response (EDR), Mobile Threat Defense (MTD), and Cloud Access Security Broker (CASB) products. Trust Network feeds Workspace ONE Intelligence with threat information and insights into risks across your device fleet. With that threat information, we can build dashboards and automation workflows to visualize and act on those threats.

Since this post focuses on mobile devices, we are going to look at MTD solutions specifically. For your desktop fleet, I recommend this TechZone article on integrating VMware’s own EDR solution, Carbon Black, with Workspace ONE Intelligence.

On the MTD side, VMware partners with multiple vendors, including BETTER Mobile, Check Point, Lookout, Pradeo, Wandera, and Zimperium. We won’t go into how to integrate each platform here; the Workspace ONE Trust Network documentation covers how to configure each integration.

In addition, VMware recently released a more streamlined integration with Lookout for Work called Workspace ONE Mobile Threat Defense. It embeds Lookout’s threat detection capability inside Workspace ONE Intelligent Hub, giving a much smoother end-user experience since there is no separate app for the user to install and activate. It is available today, and I plan to cover it further in the future. For now, here are a few screenshots of how MTD appears inside the Intelligent Hub application.

(Left): Overview threat information displayed in Intelligent Hub; (Middle): Detailed information on the detected threats; (Right): A different example of threat information displayed in Intelligent Hub

Regardless of which MTD solution you pick, the idea is the same: use a built-in dashboard, or create your own, to visualize the threats. The built-in dashboard lives under Intelligence Dashboard > Security Risk Dashboard > Threats tab.

Built-in Security Threat historical dashboard, aggregated from different Trust Network partners

You can also create an automation workflow to address high-risk devices, as in the previous use cases. In the workflow, we take the MTD threat data and filter it by Threat Status and Threat Severity. In the example below, based on Lookout threat information, we enterprise wipe devices with an unresolved high-severity threat. Filtering on status matters as much as filtering on severity: a high-severity threat that Lookout has already marked resolved should not trigger a wipe.

Example of an automation workflow using threat data from Lookout

Of course, you can choose other actions as you see fit, based on your security requirements. If a threat is not high severity, other actions can be taken, such as notifying the security team through email or Slack, or creating a ServiceNow incident, as shown below.

Example of another automation workflow using threat data from Lookout. Instead of enterprise wiping the devices, we send notifications and create ServiceNow incidents instead.
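The two workflows above differ only in the severity they match, and a device can carry several threat records at once, so here is an added example that makes the decision per device rather than per record. It is not Workspace ONE or Lookout code: the record shape, the threat names, and the `Unresolved`/`Resolved` status values are constructed to resemble the Threat Status and Threat Severity fields the post filters on, and the policy table is the post's two workflows written down. The point it demonstrates is the aggregation: only unresolved threats count, the worst unresolved one decides, and a device whose high-severity threat is already resolved is not wiped.

```python
"""Added example (not Workspace ONE or Lookout code): choosing an automation
action per device from its Trust Network threat records. Record shape, threat
names, status values and the policy table are constructed."""
from collections import defaultdict

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed policy matching the workflows above: wipe on an unresolved
# high-severity threat, otherwise alert the security team and open a ticket.
POLICY = {
    "High": ["enterprise_wipe"],
    "Medium": ["email_security_team", "open_servicenow_incident"],
    "Low": ["post_to_slack_channel"],
}

# Constructed threat records; names are illustrative, not Lookout's catalogue.
THREATS = [
    {"udid": "ios-101", "vendor": "Lookout", "name": "Sideloaded app", "severity": "High",
     "status": "Resolved", "detected_at": "2022-05-01T09:12:00Z"},
    {"udid": "ios-101", "vendor": "Lookout", "name": "Unsecured Wi-Fi", "severity": "Low",
     "status": "Unresolved", "detected_at": "2022-05-03T17:40:00Z"},
    {"udid": "ios-102", "vendor": "Lookout", "name": "Root access detected", "severity": "High",
     "status": "Unresolved", "detected_at": "2022-05-02T08:05:00Z"},
    {"udid": "ios-102", "vendor": "Lookout", "name": "Out-of-date OS", "severity": "Medium",
     "status": "Unresolved", "detected_at": "2022-04-20T12:00:00Z"},
    {"udid": "ios-103", "vendor": "Lookout", "name": "Out-of-date OS", "severity": "Medium",
     "status": "Unresolved", "detected_at": "2022-04-28T12:00:00Z"},
    {"udid": "ios-104", "vendor": "Lookout", "name": "Malicious app", "severity": "High",
     "status": "Resolved", "detected_at": "2022-04-11T12:00:00Z"},
]


def group_by_device(threats):
    by_udid = defaultdict(list)
    for t in threats:
        by_udid[t["udid"]].append(t)
    return by_udid


def worst_open_threat(device_threats):
    """Highest-severity unresolved threat (newest wins a tie); None if everything is resolved."""
    open_threats = [t for t in device_threats if t["status"] == "Unresolved"]
    if not open_threats:
        return None
    # ISO-8601 timestamps in the same format sort correctly as strings.
    return max(open_threats, key=lambda t: (SEVERITY_RANK[t["severity"]], t["detected_at"]))


def decide(udid, device_threats, policy=POLICY):
    worst = worst_open_threat(device_threats)
    open_count = sum(1 for t in device_threats if t["status"] == "Unresolved")
    if worst is None:
        return {"udid": udid, "open_threats": 0, "actions": [], "reason": "no unresolved threats"}
    return {
        "udid": udid,
        "open_threats": open_count,
        "actions": list(policy[worst["severity"]]),
        "reason": f'{worst["vendor"]}: {worst["name"]} ({worst["severity"]}, unresolved)',
    }


def decide_fleet(threats=THREATS, policy=POLICY):
    return {udid: decide(udid, ts, policy) for udid, ts in group_by_device(threats).items()}


if __name__ == "__main__":
    for udid, decision in sorted(decide_fleet().items()):
        print(udid, decision["actions"], decision["reason"])
```

`ios-101` has a resolved high-severity record and an open low one, so it gets a Slack post, not a wipe; `ios-102` is wiped for the open root detection even though its second record is only medium; `ios-104` has nothing open and gets no action at all.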

That wraps up part 2 of my top 10 Workspace ONE Intelligence use cases. To recap, we have seen four use cases that help elevate the security posture of your mobile device fleet. Three of them are low-hanging fruit you can use right away. The fourth requires an additional integration, but once it is in place it gives you a great tool in your security toolbox for mitigating threats in your environment.

In part 3, we will cover two more use cases focusing on end-user experience improvement, bringing us to the 10 use cases originally promised. Please stay tuned!


Targoon Siripanichpong

Sr. Customer Success Manager for VMware — focusing on End-User Computing. A dog dad.