VMware Workspace ONE™ UEM integrates with FireEye Mobile Security so that you can send unmanaged applications from Workspace ONE UEM to your app scanning service. App reputation services scan network data, including applications, for vulnerabilities and threats to prevent and block malicious attacks to enterprise networks.

Communications

The integration includes these communication interactions.
  • Workspace ONE UEM exposes REST APIs that FireEye MTP calls to reach Workspace ONE UEM endpoints; this is why you must enable the REST API.
  • FireEye MTP APIs use HTTPS, which uses Secure Socket Layer (SSL) to provide communications security.
  • FireEye MTP calls to Workspace ONE UEM APIs are synchronous and responses are immediate.

Process Flow

The App Scan Integration system includes alternating actions between Workspace ONE UEM and FireEye MTP. Actions happen in a sequence so that the system reports accurate results and Workspace ONE UEM can act against threats identified by the system.
Workspace ONE UEM Pre-requisites
  • Configure an integration admin.
  • Enable REST APIs.
  • To receive scan results, create two app groups, one Android and the other Apple iOS, with the same name.
1. FireEye MTP Actions
  1. Enable communication.

    See FireEye MTP documentation for details on configuring integration in the FireEye MTP Management Portal.

Result – Workspace ONE UEM sends applications to FireEye MTP.

2. FireEye MTP Actions
  1. Analyze applications.
  2. Identify offending Android and Apple iOS applications.

Result – FireEye MTP sends results to Workspace ONE UEM.

3. Workspace ONE UEM Actions

  1. Displays blacklisted applications in the pre-configured app groups.
  2. Configure compliance policies to act on devices with malicious applications.

Result – Workspace ONE UEM acts on offending devices according to the compliance policies.

Supported Components

App scan integration works for the listed applications. It is available for SaaS and on-premises customers.
  • Android – Unmanaged applications
  • Apple iOS – Unmanaged applications

Considerations

Consider these points to prevent issues or to help solve them.
  • You must configure App Scan Integration using a Customer type organization group. Integration does not work using any other type of organization group.

  • Before enabling integration, ensure that your FireEye MTP policies are configured at the appropriate level to allow necessary applications and to block offending applications.

Custom Admin Role

To manage the integration, create a special admin user with restrictive roles. Special roles help to separate configurations and changes made for integration, so that they do not affect other areas of your Workspace ONE UEM deployment.

You want this custom admin role to access the Third-Party Integration page and to add or make edits to app groups. Give integration admins these abilities by adding a custom admin role with the listed categories, also known as permissions.

If you do not want to create an integration admin, ensure that the appointed admin user has the listed categories.
  • Apps & Books > Application Groups > Application Group Update Active Status (Edit)
  • Apps & Books > Application Groups > Application Group Add Item (Edit)
  • Apps & Books > Application Groups > Application Group Edit Item (Edit)
  • Apps & Books > Application Groups > Application Group View (Read)

Enable REST API

App scan integration uses REST APIs, and APIs require authentication to integrate with Workspace ONE UEM. Enable the Workspace ONE UEM console to allow REST API authentication using Basic Authentication.

  • Go to Groups & Settings > All Settings > System > Advanced > API > REST API.
  • Complete entries on the tabs.
    General tab: Select Enable API Access.

    This selection automatically generates the API Key for the organization group.

    Enter this key in the FireEye MTP Management Portal. Do not reuse an existing API key; create a unique key for this integration.

    Authentication tab: Select Basic as the API authentication method.

Create Placeholder App Groups

Create app groups so that Workspace ONE UEM can display FireEye MTP scan results. Make an app group for Android and another for Apple iOS but name the two app groups the same. Enter this single name in the FireEye MTP Management Portal for integration.

You need at least one application in each group to create the placeholder. However, you can use a made-up application and application ID to create the placeholder app groups.
  1. Ensure that you are in the correct organization group.
  2. Navigate to Apps & Books > Applications > Application Settings > App Groups.
  3. Select Add Group.
  4. Configure the following settings on the List tab.
    Type: Select Blacklist from the menu.
    Platform: Select Apple or Android from the menu.
    Name: Enter a descriptive name for the placeholder group. Use the same name for both the Apple iOS and Android app groups.
  5. Select Add Application and enter a made-up application name and application ID.
    Application Name: Enter any name because this setting is a placeholder. For example, enter TestApp.
    Application ID: Enter any string of characters because this setting is a placeholder.

Settings on the Assignment tab are optional.

Results in App Groups

Use Workspace ONE UEM to identify those applications that failed an app scan. Workspace ONE UEM lists them in blacklisted app groups. The system prevents access to applications in blacklisted app groups for security. Deactivate a group if you know the applications are secure for use.

In Apps & Books > Applications > Application Settings > App Groups, use the Created By filter to show only the app groups created by FireEye.

If the system blacklisted an application that you need, deactivate FireEye blacklisted app groups in Workspace ONE UEM. Deactivation is the only way to revert the blacklisted status without reconfiguring integration.

Deactivate Blacklisted App Groups

If the system blacklisted an application that you need, deactivate FireEye MTP blacklisted app groups.
  1. Navigate to Apps & Books > Applications > Application Settings > App Groups.
  2. Locate the Blacklisted app group with the needed application.
  3. Select the drop-down icon from the actions menu and select Deactivate.
When you deactivate these blacklisted app groups, Workspace ONE UEM takes these actions.
  • Workspace ONE UEM does not display them in the list when you build your Compliance policy.
  • Workspace ONE UEM removes the deactivated group from all Compliance policies.

Configure Compliance

Build an application compliance policy that acts on devices with non-compliant applications. Navigate to Devices > Compliance Policies > List View. Select Add, and then select Application List on the Rules tab. Choose Contains Vendor Blacklisted App(s) for integration.

To configure the compliance engine to monitor for applications from your reputation scanning system, add the blacklisted app group to the list. If the engine detects blacklisted applications on devices assigned to the compliance rule, the engine acts as configured in the rule.
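The following is an added model of the behaviour described in the Results in App Groups, Deactivate Blacklisted App Groups and Configure Compliance sections; it is illustration code written for this page, not Workspace ONE UEM or FireEye MTP code. It assumes the simplified rule that a Contains Vendor Blacklisted App(s) check evaluates only active Blacklist groups created by the vendor for the device's platform, and that the two same-named placeholder groups are told apart by platform; the group names and app IDs are constructed sample values.

```python
from dataclasses import dataclass, field

# Illustrative model of app groups and vendor-blacklist compliance evaluation
# as documented on this page (assumption: not the product's own logic).
BLACKLIST = "Blacklist"


@dataclass
class AppGroup:
    name: str            # the Android and Apple placeholder groups share one name
    platform: str        # "Android" or "Apple"
    group_type: str      # e.g. "Blacklist"
    created_by: str      # "FireEye" for groups populated by scan results
    app_ids: set = field(default_factory=set)
    active: bool = True  # deactivating a group removes it from compliance


def deactivate(groups, name, platform):
    """Deactivate one group by (name, platform); the platform is required
    because the iOS and Android placeholder groups carry the same name."""
    for g in groups:
        if g.name == name and g.platform == platform:
            g.active = False
            return True
    return False


def vendor_blacklisted_groups(groups, platform, vendor="FireEye"):
    """Groups a 'Contains Vendor Blacklisted App(s)' rule would consider:
    active Blacklist groups for this platform that the vendor created."""
    return [g for g in groups
            if g.active and g.group_type == BLACKLIST
            and g.platform == platform and g.created_by == vendor]


def offending_apps(groups, platform, installed_app_ids):
    """Installed app IDs that appear in any evaluated blacklist group."""
    hits = set()
    for g in vendor_blacklisted_groups(groups, platform):
        hits |= g.app_ids & set(installed_app_ids)
    return sorted(hits)


def is_compliant(groups, platform, installed_app_ids):
    return not offending_apps(groups, platform, installed_app_ids)


# Constructed sample data: scan results filled both same-named placeholder
# groups; an admin-created blacklist exists but is not a vendor group.
SAMPLE_GROUPS = [
    AppGroup("FireEye-ScanResults", "Android", BLACKLIST, "FireEye",
             {"com.example.badapp", "com.example.spyware"}),
    AppGroup("FireEye-ScanResults", "Apple", BLACKLIST, "FireEye",
             {"com.example.badapp.ios"}),
    AppGroup("Admin-Blocked", "Android", BLACKLIST, "Admin",
             {"com.example.adminblocked"}),
]
```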