VMware Workspace ONE™ UEM integrates with Appthority so that you can send unmanaged applications from Workspace ONE UEM to your app scanning service. App reputation services scan network data, including applications, for vulnerabilities and threats to prevent and block malicious attacks to enterprise networks.

Communications

Appthority integrates with Workspace ONE UEM using scheduled communications and REST APIs over HTTPS to transfer data. Communications include an extra layer of security with the use of the App Scanning Integration Service.

  • App Scanning Integration Service - This integration uses the app scanning integration service for security. Systems do not communicate with the enterprise's demilitarized zone (DMZ) unless the communication is secured with a signing certificate. You upload signing certificates from both Workspace ONE UEM and Appthority during the initial setup.
  • Directions of Communication - Communication, in the form of REST APIs, travels between components over HTTPS. Workspace ONE UEM uses port 443 for communication.
    • The Workspace ONE UEM console and the compliance engine send the following to the App Scanning Integration Service.
      • The Workspace ONE UEM compliance engine identifies blacklisted applications.
      • The Workspace ONE UEM console sends the applications reported by devices, including any identified blacklisted applications.
    • The App Scanning Integration Service posts applications reported by devices to the Appthority App Scanning Service.
    • The Appthority App Scanning Service posts blacklisted applications back to the App Scanning Integration Service.

Process Flow

The integration includes alternating actions between Workspace ONE UEM and Appthority. Actions happen in a sequence so that the system reports accurate results and Workspace ONE UEM can act against threats identified by the system.
  1. Set the prerequisites to enable the communication between Workspace ONE UEM and Appthority.
    • Admins configure an integration admin in the Workspace ONE UEM console.
    • Admins download the signing certificate from Appthority to upload to the Workspace ONE UEM console.
  2. Configure Workspace ONE UEM to send applications to Appthority.
    1. Admins enable communication and upload the Appthority signing certificate.
    2. Admins download the Workspace ONE UEM signing certificate and upload it to Appthority.
    3. Sync either automatically with the Scheduler or manually in the Workspace ONE UEM console.
  3. Appthority takes the listed actions and sends analysis results to Workspace ONE UEM.
    1. Appthority analyzes applications sent from Workspace ONE UEM.
    2. Appthority identifies suspicious Android and iOS applications and sends the analysis.
  4. Act on blacklisted applications with compliance policies in Workspace ONE UEM.
    1. Workspace ONE UEM creates blacklisted app groups from Appthority's results. It creates an app group for Android and a separate group for iOS.
    2. Admins configure compliance policies that act on the applications in the app groups.
  5. Manage the integration in Workspace ONE UEM with events, app groups, and refresh and reconfigure actions.
    • Admins view Console Events for integration activity.
    • Admins can deactivate blacklisted app groups.
    • Admins can refresh and reconfigure integration.

Supported Components

App scan integration works for the listed applications. It is available for SaaS and on-premises customers.
  • Android – Unmanaged applications
  • Apple iOS – Unmanaged applications

Considerations

Consider these points to prevent issues or to help solve them.
  • Blacklisted Status - Once an application is blacklisted in the Workspace ONE UEM console using app scan integration, it remains blacklisted unless you act.
    • Deactivate the blacklisted app group that includes the application.
    • Reconfigure the integration.

    Consider how restrictive your Appthority rules are before performing an app reputation scan and edit rules as necessary.

  • Customer Type Organization Group - You must configure app scan integration using a Customer type organization group. Integration does not work using any other type of organization group.
  • Appthority Rules - Before enabling integration, ensure that your Appthority rules are configured at the appropriate level to allow necessary applications and to block offending applications.
  • Android Application Control Profile and Blacklists - The blacklisted app groups created by this integration are not available to use in the Android application control profile.
  • Sync Times - The device type and privacy settings in Workspace ONE UEM can affect whether it sends applications to Appthority for analysis.
    • Challenge

      You can configure privacy settings for personal, unmanaged applications to display and collect data, to collect but not display data, or not to collect data.

      By default, Workspace ONE UEM displays and collects data for unmanaged applications on corporate devices (both dedicated and shared). However, it does not collect any data for unmanaged applications on employee-owned and unassigned devices.

      The compliance engine might act on an application on an employee-owned device because the same application was found on a corporate device and Appthority blacklisted it.

    • Solution

      You can deactivate the app group in Workspace ONE UEM that contains the application.

Custom Admin Role

To manage the integration, create a special admin user with restrictive roles. Special roles help to separate configurations and changes made for integration, so that they do not affect other areas of your Workspace ONE UEM deployment.

You want this custom admin role to access the Third-Party Integration page and to add or make edits to app groups. Give integration admins these abilities by adding a custom admin role with the listed categories, also known as permissions.

If you do not want to create an integration admin, ensure that the appointed admin user has the listed categories.
  • Apps & Books > Application Groups > Application Group Update Active Status (Edit)
  • Apps & Books > Application Groups > Application Group Add Item (Edit)
  • Apps & Books > Application Groups > Application Group Edit Item (Edit)
  • Apps & Books > Application Groups > Application Group View (Read)
  • Settings > Apps > Catalog > Third-Party App Scanning (Edit)
  • Settings > Apps > Catalog > App Scan (Read)

Enable Integration

Add your Appthority information to the Workspace ONE UEM console so that the two systems can share applications and scan results.

  1. Navigate to Groups & Settings > All Settings > Apps > App Scan > Third-Party Integration.
  2. Select to enable communication between Workspace ONE UEM and Appthority.
  3. Select Appthority for Choose App Scan Vendor and complete the settings.
    • Appthority User Name - Enter the username for your Appthority environment so Workspace ONE UEM and Appthority can communicate.
    • Appthority Password - Enter the password for your Appthority environment.
    • Appthority REST API URL - Enter the URL for your Appthority environment so that Workspace ONE UEM can reach the service through the app scanning service.
  4. Complete the following settings to display and configure the Application Group Creation area.
    • Email Notification - Select this check box to display configuration settings for notifications.
    • Send Email To - Enter email addresses to receive notifications about new app groups created by analysis. Use a comma to separate addresses.
    • Message Template - Use Message Preview to see the email that the system sends upon the creation of new app groups using the Vendor Application Group Creation Notification template.

Results in App Groups

Use Workspace ONE UEM to identify those applications that failed an app scan. Workspace ONE UEM lists them in blacklisted app groups. The system prevents access to applications in blacklisted app groups for security. Deactivate a group if you know the applications are secure for use.

In Apps & Books > Applications > Application Settings > App Groups, use the Created By filter to sort the list by Appthority.

Deactivate Blacklisted App Groups

If the system blacklisted an application that you need, deactivate Appthority blacklisted app groups.
  1. Navigate to Apps & Books > Applications > Application Settings > App Groups.
  2. Locate the Blacklisted app group with the needed application.
  3. Select the drop-down icon from the actions menu and select Deactivate.
When you deactivate these blacklisted app groups, Workspace ONE UEM takes these actions.
  • Workspace ONE UEM does not display them in the list when you build your Compliance policy.
  • Workspace ONE UEM removes the deactivated group from all Compliance policies.

Configure Compliance

Build an application compliance policy that acts on devices with non-compliant applications. Select Application List on the Rules tab and select Contains Vendor Blacklisted App(s) for integration.

To configure the compliance engine to monitor for applications from your reputation scanning system, add the blacklisted app group to the list. If the engine detects blacklisted applications on devices assigned to the compliance rule, the engine acts as configured in the rule.

Results of Reconfiguring Integration

Reconfiguring Appthority integration results in numerous actions.
  • Disables the Third-Party App Scan Analysis feature.
  • Removes the Appthority URL information from the Workspace ONE UEM console.
  • Removes the blacklisted app groups from the Workspace ONE UEM console created from the integration.
  • Removes compliance policies created using the blacklisted app groups.
  • Wipes all data from the app scanning integration service.

Another way to fix application issues is to deactivate blacklisted app groups. This option might fix the issue without removing the integration configuration.

Monitor Integration With Console Events

Workspace ONE UEM lists events so that you can troubleshoot issues or find general information about systems configured in the console. Review console events in Monitor > Reports & Analytics > Events > Console Events. Events include the listed options.
  • App Scan Vendor Application Group Modified
  • Application Added To App Scan Vendor Application Group
  • Third Party Application Scanning Started
  • Error occurred while Third Party Application Scanning
  • Reset Perform for Third Party Application Scanning Vendor