Some large on-premises deployments of Workspace ONE UEM require additional configuration. Learn more about the various advanced Workspace ONE UEM configurations, and the additional considerations that must be made for a successful implementation.

High Frequency Certificate Generation with CICO

In a CICO environment, certificates last hours instead of weeks or months, leading to a significant number of certificates being generated and revoked. Not only does this increase the load on the Workspace ONE UEM platform but also on the back-end Certificate Authority infrastructure.

Configure your Workspace ONE UEM deployment to control CA proliferation in three ways:

  1. Use the built-in CA (SCEP). If you select a different CA, vetting the back-end CA infrastructure becomes key to the success of this configuration.

  2. Increase the feature flag value for stored private key generation. The impact of this configuration is an increase of memory use equivalent to 100MB per 100,000 certificates. VMware recommends setting this value to the number of certificates you might expect to generate in one day. To update this value, contact VMware Support.

  3. Lower the validity period and the renewal period of the certificates. VMware recommends that validity and renewal values consider business-specific requirements such as maximum shift length. Recommended values are somewhere between 12 and 24 hours. This prevents the CRL from expanding indefinitely.

Public IP Address Forwarding

on-premises customers using Load Balancers for Devices Services must also configure the load balancers to set the XFF header with Client's Source IP. In the Load Balancer Configuration for your Directory Services Server, set Insert-X-Forwarded-For to Enable.

Figure 1. Public IP Address Forwarding
Set Insert-X-Forwarded-For to Enable

Unsupported CIS Benchmarks

Industry standards and best practices include the incorporation of CIS Benchmarks into your network infrastructure. However, some platforms and applications might not fully integrate with select controls. The Workspace ONE UEM Architecture as described in this guide, has been validated for almost all CIS Benchmarks. The below table, Unsupported CIS Benchmarks, outlines the CIS Benchmarks not supported with the Workspace ONE UEM platform. These CIS Benchmarks cannot be enabled on any device with VMware software installed.

Note:

Enabling any of the below unsupported CIS Benchmarks can result in loss of functionality and interruption of service.

Table 1. Unsupported CIS Benchmarks

Section

Recommendation

Title

Description

Level 1 - IIS 10

1

1.1

Ensure that web content is on non-system partition

Web resources published through IIS are mapped, via Virtual Directories, to physical locations on disk. It is recommended to map all Virtual Directories to a non-system disk volume.

2

2.3

Ensure 'forms authentication' require SSL

Forms-basedauthentication can pass credentials across the network in clear text. It is therefore imperative that the traffic between client and server be encrypted using SSL, especially in cases where the site is publicly accessible. It is recommended that communications with any portion of a site using Form Authentication is encrypted using SSL. **Note** Due to identified security vulnerabilities, SSL is no longer considered to provide adequate protection for sensitive information.

2

2.5

Ensure 'cookie protection mode' is configured for forms authentication

The cookie protection mode defines the protection Forms authentication cookies will be given within a configured application. The four cookie prtectionmodes that can be defined are: Encryption and validation - Specifies that the application use both data validation and encryption to help protect the cookie; this option uses the configured data validation algorithm (based on the machine key) and triple-DES (3DES) for encryption, if application and if the key is long enough (48 bytes or more) - None - Specifies that both encryption and validation is not performed on the cookie; cookies used in this manner might be subject to plain text attacks - Validation - Specifies that a validation scheme varifies that the contents of an encrypted cookie have not been changed in transit it is recommended that cookie protection mode always encrypt and validate Forms Authentication cookies.

4

4.7

Ensure Unlisted File Extensions are not allowed

The 'FileExtensions' Request Filter allows administrators to define specific extensions their web server(s) allow and disallow. The property 'allowUnlisted' covers all other file extensions not explicitly allowed or denied. Often times, extensions such as '.config', '.bat', '.exe', to name a few, should never be served. The 'AllowExtensions' and 'DenyExtensions' options are the UrlScan equivalents. It is recommended that all extensions be unallowed at the most global level possible, with only those necessary being allowed.

Level 2 - IIS 10

4

4.4

Ensure non-ASCII characters in URLs are not allowed.

This feature is used to allow or rejct all requests to IIS that contain non-ASCII characters. When using this feature, Request Filtering will deny the request if high-bit characters are present in the URL. The UrlScanequivalent is 'AllowHighBitCharacters'. It is recommended that requests containing non-ASCII characters be rejected, where possible.

For more information on CIS Benchmarks, see http://www.cisecurity.org.