VMware Workspace ONE™ UEM integrates with FireEye Mobile Security (FireEye MTP) so that you can send unmanaged applications from Workspace ONE UEM to your app scanning service. App reputation services scan network data, including applications, for vulnerabilities and threats, and use the results to block malicious applications before they can be used to attack enterprise networks.
Communications
- Workspace ONE UEM exposes REST API endpoints that FireEye MTP calls. This is why you must enable the REST API in the Workspace ONE UEM console.
- FireEye MTP calls these APIs over HTTPS, so the connection is protected by TLS (the successor to Secure Sockets Layer, SSL).
- Calls from FireEye MTP to the Workspace ONE UEM APIs are synchronous; the response is returned immediately.
Process Flow
After the Workspace ONE UEM prerequisites are in place, the integration runs in three steps:
1. FireEye MTP actions. Result: Workspace ONE UEM sends applications to FireEye MTP.
2. FireEye MTP actions. Result: FireEye MTP sends scan results to Workspace ONE UEM.
3. Workspace ONE UEM actions. Result: Workspace ONE UEM acts on offending devices according to your compliance policies.
Supported Components
- Android – Unmanaged applications
- Apple iOS – Unmanaged applications
Considerations
- You must configure App Scan Integration using a Customer type organization group. Integration does not work with any other type of organization group.
- Before enabling integration, ensure that your FireEye MTP policies are configured at the appropriate level to allow necessary applications and to block offending applications.
Custom Admin Role
To manage the integration, create a dedicated admin account with a restrictive role. A dedicated role keeps the configuration and changes made for the integration separate from other areas of your Workspace ONE UEM deployment, and limits what an attacker can do if the integration's credentials are ever exposed.
This custom admin role needs access to the Third-Party Integration page and the ability to add and edit app groups. Give integration admins these abilities by creating a custom admin role with those categories, also known as permissions, and nothing more.
Enable REST API
App scan integration uses REST APIs, and those APIs require authentication. Configure the Workspace ONE UEM console to accept REST API authentication using Basic Authentication. Because Basic Authentication sends the admin user name and password with every request, the API must be reachable only over HTTPS, and the credentials should belong to the dedicated integration admin described above.
- Go to .
- Complete entries on the tabs.
General tab: Select Enable API Access. This selection automatically generates the API Key for the organization group. Enter this key into the FireEye MTP Management Portal. Do not reuse an existing API key; create a unique key for this integration so that it can be revoked without affecting other integrations.
Authentication tab: Select Basic as the API authentication method.
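As an added illustration (not code from this page, from VMware or from FireEye), the following Python builds the kind of authenticated request FireEye MTP presents to the Workspace ONE UEM REST API once Basic authentication and API access are enabled, and shows why the HTTPS requirement matters: the Basic header is only base64, so the decoding function recovers the admin password from any captured header. The `aw-tenant-code` header is the Workspace ONE UEM REST API header that carries the API key; the host name, credentials and the `/API/system/info` path are constructed sample values (the path is used only as an illustrative endpoint), and the script assembles the request without sending it.

```python
import base64
from urllib.parse import urlparse

# Workspace ONE UEM REST API header that carries the organization group's API key.
TENANT_HEADER = "aw-tenant-code"


def validate_base_url(base_url: str) -> str:
    """Return the API base URL without a trailing slash, refusing anything
    that is not HTTPS.

    Basic authentication is only base64 encoding, so the admin password
    travels in the clear unless the transport is TLS. Fail closed instead of
    silently falling back to plain HTTP.
    """
    parts = urlparse(base_url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS API base URL: {base_url!r}")
    if not parts.netloc:
        raise ValueError(f"API base URL has no host: {base_url!r}")
    return base_url.rstrip("/")


def build_uem_headers(username: str, password: str, api_key: str) -> dict:
    """Build the headers an integration such as FireEye MTP sends to
    Workspace ONE UEM: Basic credentials plus the integration's API key."""
    if not api_key:
        raise ValueError("an API key generated for this integration is required")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {
        "Authorization": f"Basic {token}",
        TENANT_HEADER: api_key,
        "Accept": "application/json",
    }


def decode_basic_credentials(authorization_header: str) -> tuple:
    """Recover the user name and password from a Basic Authorization header.

    This is exactly what a network observer can do if the header ever crosses
    an unencrypted link, which is why HTTPS is mandatory for the integration.
    """
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token).decode("utf-8")
    user, _, pwd = raw.partition(":")
    return user, pwd


def build_request(base_url: str, path: str, username: str, password: str, api_key: str) -> tuple:
    """Assemble (method, url, headers) for one GET call without sending it."""
    url = validate_base_url(base_url) + path
    return "GET", url, build_uem_headers(username, password, api_key)


if __name__ == "__main__":
    # Constructed sample values; not real hosts, credentials or keys.
    method, url, headers = build_request(
        "https://uem.example.com", "/API/system/info",
        "fireeye-integration", "S3cret!", "abcdef0123456789")
    print(method, url)
    for name, value in headers.items():
        print(f"  {name}: {value}")
    print("recovered from header:", decode_basic_credentials(headers["Authorization"]))
```

Point the script at a plain `http://` base URL and `validate_base_url` raises instead of building the request; that is the behaviour you want from any client holding the integration admin's credentials.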
Create Placeholder App Groups
Create app groups so that Workspace ONE UEM can display FireEye MTP scan results. Make one app group for Android and another for Apple iOS, but give both groups the same name. Enter this single name in the FireEye MTP Management Portal for integration.
- Ensure that you are in the correct organization group.
- Navigate to .
- Select Add Group.
- Configure the following settings on the List tab.
  Type: Select Blacklist from the menu.
  Platform: Select Apple or Android from the menu.
  Name: Enter a descriptive name for the placeholder group. Use the same name for both the Apple iOS and Android app groups.
- Select Add Application and enter a placeholder application name and application ID.
  Application Name: Enter any name, because this setting is a placeholder. For example, enter TestApp.
  Application ID: Enter any string of characters, because this setting is a placeholder. Choose a string that cannot match a real bundle identifier or package name; the group is a blacklist, so a collision would flag every device that has the real application installed.
Results in App Groups
Use Workspace ONE UEM to identify the applications that failed an app scan. Workspace ONE UEM lists them in blacklisted app groups and prevents access to the applications in those groups. Deactivate a group only when you have verified that its applications are safe to use.
In , use the Created By filter to sort the list by FireEye.
When you deactivate a group:
- Workspace ONE UEM does not display it in the list when you build your compliance policy.
- Workspace ONE UEM removes the deactivated group from all compliance policies.
Deactivate Blacklisted App Groups
- Navigate to .
- Locate the Blacklisted app group with the needed application.
- Select the drop-down icon in the actions menu and select Deactivate.
Configure Compliance
Build an application compliance policy that acts on devices with non-compliant applications. Go to . Select Add, and then select Application List on the Rules tab. Choose Contains Vendor Blacklisted App(s) for integration.
To configure the compliance engine to monitor for applications reported by your reputation scanning system, add the blacklisted app group to the list. If the engine detects blacklisted applications on devices assigned to the compliance rule, it acts as configured in the rule.