VMware Workspace ONE™ UEM integrates with Pradeo Security Systems so that you can send unmanaged applications from Workspace ONE UEM to your app scanning service. App reputation services scan network data, including applications, for vulnerabilities and threats to prevent and block malicious attacks on enterprise networks.

Communications

Pradeo Security Systems audits and manages the security of enterprise-created mobile applications and public applications. The system uses a proprietary engine that analyzes the binary and byte code of enterprise and public apps. Pradeo integrates with Workspace ONE UEM using scheduled communications and REST APIs over HTTPS to transfer data.
  • Workspace ONE UEM calls Pradeo APIs on a schedule, using the Workspace ONE UEM Integration Service.
  • Workspace ONE UEM makes APIs available for Pradeo to call Workspace ONE UEM endpoints and this availability is why you enable the REST API. Pradeo does not call Workspace ONE UEM APIs.
  • Pradeo APIs use HTTPS, which uses Secure Sockets Layer (SSL) to provide communications security.
  • Workspace ONE UEM calls to Pradeo APIs are synchronous and responses are immediate.
  • Integration uses port 443 for communication.

Process Flow

The App Scan Integration system includes alternating actions between Workspace ONE UEM and Pradeo. Actions happen in a sequence so that the system reports accurate results and Workspace ONE UEM can act against threats identified by the system.
Table 1. Order of Actions

Workspace ONE UEM Pre-requisites

  • Configure an integration admin.
  • Enable REST APIs.
1. Workspace ONE UEM Actions
  1. Enable communication.
  2. Sync either automatically with the Scheduler or manually.

Result – Workspace ONE UEM sends applications to Pradeo.

2. Pradeo Actions
  1. Analyze applications.
  2. Identify offending Android and Apple iOS applications.

Result – Pradeo sends results to Workspace ONE UEM, identified as privacy, financial losses, and security.

3. Workspace ONE UEM Actions

  1. Creates blacklisted app groups, one for Android and one for Apple iOS.
  2. Configure compliance policies to act on devices with malicious applications.

Result – Workspace ONE UEM acts as per compliance policies on offending devices.

Workspace ONE UEM Troubleshooting Options

  • View Console Events for integration activity.
  • Deactivate blacklisted app groups.
  • Reset integration.

Supported Components

App scan integration works for the listed applications. It is available for SaaS and on-premises customers. It is available for Android and iOS unmanaged applications.

Considerations

Consider these points to prevent issues or to help solve them.
  • Blacklisted Apps Remain Blacklisted
    Once an application is blacklisted in the Workspace ONE UEM console using App Scan Integration, it remains blacklisted unless you take action.
    • Deactivate the blacklisted app group that includes the application.
    • Reset the integration.
    Consider how restrictive your Pradeo rules are before performing an app reputation scan and edit rules as necessary.
  • Customer Type Organization Group

    You must configure App Scan Integration using a Customer type organization group. Integration does not work using any other type of organization group.

  • Pradeo Rules

    Before enabling integration, ensure that your Pradeo rules are configured at the appropriate level to allow necessary applications and to block offending applications.

  • Android Application Control Profile and Blacklists

    The blacklisted app groups created by this integration are not available to use in the Android application control profile.

Custom Admin Role

To manage the integration, create a special admin user with restrictive roles. Special roles help to separate configurations and changes made for integration, so that they do not affect other areas of your Workspace ONE UEM deployment.

You want this custom admin role to access the Third-Party Integration page and to add or make edits to app groups. Give integration admins these abilities by adding a custom admin role with the listed categories, also known as permissions.

If you do not want to create an integration admin, ensure that the appointed admin user has the listed categories.
  • Apps & Books > Application Groups > Application Group Update Active Status (Edit)
  • Apps & Books > Application Groups > Application Group Add Item (Edit)
  • Apps & Books > Application Groups > Application Group Edit Item (Edit)
  • Apps & Books > Application Groups > Application Group View (Read)
  • Settings > Apps > Catalog > Third-Party App Scanning (Edit)
  • Settings > Apps > Catalog > App Scan (Read)

Enable REST API

This integration uses REST APIs, and APIs require authentication to integrate with Workspace ONE UEM. Enable the Workspace ONE UEM console to allow REST API authentication using Basic Authentication.

  • Go to Groups & Settings > All Settings > System > Advanced > API > REST API.
  • Complete entries on the tabs.
    Tab: Settings

    General: Select Enable API Access.

    This selection automatically generates the API Key for the organization group.

    Enter this key in Pradeo. Do not use an existing API key. Create a unique key for this integration.

    Authentication: Select Basic as the API authentication method.

Enable Integration

Add your Pradeo information to the Workspace ONE UEM console so that the two systems can share applications and scan results.

  1. Navigate to Groups & Settings > All Settings > Apps > App Scan > Third-Party Integration.
  2. Select to enable communication between Workspace ONE UEM and Pradeo.
  3. Select Pradeo for Choose App Scan Vendor and complete the settings.
    Setting: Description
    Pradeo User Name: Enter the username for your Pradeo environment so Workspace ONE UEM and Pradeo can communicate.
    Pradeo Password: Enter the password for your Pradeo environment.
    Pradeo REST API URL: Enter the URL for your Pradeo environment to direct Workspace ONE UEM to the service.
  4. Complete the following settings to display and configure the Application Group Creation area.
    Setting: Description
    Email Notification: Select this check box to display configuration settings for notifications.
    Send Email To: Enter email addresses to receive notifications about new app groups created by analysis. Use a comma to separate addresses.
    Message Template: Use Message Preview to see the email that the system sends upon the creation of new app groups using the Vendor Application Group Creation Notification template.

Results in App Groups

Use Workspace ONE UEM to identify those applications that failed an app scan. Workspace ONE UEM lists them in blacklisted app groups. The system prevents access to applications in blacklisted app groups for security. Deactivate a group if you know the applications are secure for use.

In Apps & Books > Applications > Application Settings > App Groups, use the Created By filter to sort the list by Pradeo.

Deactivate Blacklisted App Groups

If the system blacklisted an application that you need, deactivate Pradeo blacklisted app groups.
  1. Navigate to Apps & Books > Applications > Application Settings > App Groups.
  2. Locate the Blacklisted app group with the needed application.
  3. Select the drop-down icon from the actions menu and select Deactivate.
When you deactivate these blacklisted app groups, Workspace ONE UEM takes these actions.
  • Workspace ONE UEM does not display them in the list when you build your Compliance policy.
  • Workspace ONE UEM removes the deactivated group from all Compliance policies.

Configure Compliance

Build an application compliance policy that acts on devices with non-compliant applications. Select Application List on the Rules tab and select Contains Vendor Blacklisted App(s) for integration.

To configure the compliance engine to monitor for applications from your reputation scanning system, add the blacklisted app group to the list. If the engine detects blacklisted applications on devices assigned to the compliance rule, the engine acts as configured in the rule.

Results of Reconfiguring Integration

Reconfiguring Pradeo integration results in numerous actions.
  • Disables the Third Party App Scan Analysis.
  • Removes the App Scan Integration account information from the Workspace ONE UEM console.
  • Removes the blacklisted app groups from the Workspace ONE UEM console created from third-party vendor scans.
  • Removes compliance policies created using the blacklisted app groups.

Another way to fix application issues is to deactivate blacklisted app groups. This option might fix issues without removing configurations.

Monitor Integration With Console Events

Workspace ONE UEM lists events so that you can troubleshoot issues or find general information about systems configured in the console. Review console events in Monitor > Reports & Analytics > Events > Console Events. Events include the listed options.
  • App Scan Vendor Application Group Modified
  • Application Added To App Scan Vendor Application Group
  • Third Party Application Scanning Started
  • Error occurred while Third Party Application Scanning
  • Reset Perform for Third Party Application Scanning Vendor
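
As an added example (not VMware or Pradeo code), this Python script triages an export of console events for the integration events listed above, flagging scan errors, resets, and app group changes made by an account other than the integration admin. The CSV column names, the sample rows, and the svc-appscan and jdoe accounts are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Event names exactly as listed on this page.
STARTED = "Third Party Application Scanning Started"
ADDED = "Application Added To App Scan Vendor Application Group"
MODIFIED = "App Scan Vendor Application Group Modified"
ERROR = "Error occurred while Third Party Application Scanning"
RESET = "Reset Perform for Third Party Application Scanning Vendor"
INTEGRATION_EVENTS = {STARTED, ADDED, MODIFIED, ERROR, RESET}

# Constructed sample export. Column names and account names are assumptions.
SAMPLE_CSV = """timestamp,event,user
2024-05-01T02:00:00Z,Third Party Application Scanning Started,svc-appscan
2024-05-01T02:00:07Z,Application Added To App Scan Vendor Application Group,svc-appscan
2024-05-01T02:00:09Z,App Scan Vendor Application Group Modified,svc-appscan
2024-05-02T02:00:00Z,Third Party Application Scanning Started,svc-appscan
2024-05-02T02:00:03Z,Error occurred while Third Party Application Scanning,svc-appscan
2024-05-02T09:14:00Z,App Scan Vendor Application Group Modified,jdoe
2024-05-02T09:20:00Z,Reset Perform for Third Party Application Scanning Vendor,jdoe
2024-05-02T09:30:00Z,Unrelated Console Event,jdoe
"""

def triage(csv_text, integration_admin):
    """Return (per-event counts, findings) for App Scan Integration events."""
    counts, findings = Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event, user = row["event"].strip(), row["user"].strip()
        if event not in INTEGRATION_EVENTS:
            continue  # ignore console events unrelated to the integration
        counts[event] += 1
        if event == ERROR:
            findings.append((row["timestamp"], "scan-error", user))
        elif event == RESET:
            # Reconfiguring removes blacklisted app groups and their compliance policies.
            findings.append((row["timestamp"], "integration-reset", user))
        elif event == MODIFIED and user.lower() != integration_admin.lower():
            # Deactivating a group removes it from all compliance policies.
            findings.append((row["timestamp"], "group-modified-by-other-admin", user))
    return counts, findings

if __name__ == "__main__":
    counts, findings = triage(SAMPLE_CSV, "svc-appscan")
    for event, n in counts.items():
        print(f"{n:3d}  {event}")
    for ts, kind, user in findings:
        print(f"REVIEW {ts} {kind} by {user}")
```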