VMware Workspace ONE™ UEM integrates with Palo Alto Networks WildFire so that you can send hashes of unmanaged applications from Workspace ONE UEM to the WildFire app scanning service. App reputation services scan network data, including applications, for vulnerabilities and threats so that malicious applications can be blocked before they are used against enterprise networks.
Communications
- Workspace ONE UEM sends application hashes on a schedule. The hashes are collected by the Workspace ONE Intelligent Hub for Android on devices and forwarded through the Workspace ONE UEM Integration Service.
- WildFire responds with one of three verdicts: malware, grayware, or benign.
- Workspace ONE UEM creates two blacklisted app groups, one populated from malware verdicts and one from grayware verdicts. It records benign verdicts and does not resend hashes for applications already found benign.
- Workspace ONE UEM calls to WildFire are synchronous, and responses are immediate.
- The integration communicates over port 443 (HTTPS).
Process Flow
| Stage | Result |
| --- | --- |
| Workspace ONE UEM prerequisites | Configure an integration admin. |
| 1. Workspace ONE UEM actions | Workspace ONE UEM sends application hashes to WildFire. |
| 2. WildFire actions | WildFire sends verdicts to Workspace ONE UEM. |
| 3. Workspace ONE UEM actions | Workspace ONE UEM acts on offending devices according to its compliance policies. |
| Workspace ONE UEM troubleshooting options | |
Supported Components
App scan integration is available to both SaaS and on-premises customers, but it applies only to unmanaged Android applications.
This integration requires the Workspace ONE Intelligent Hub for Android v5.3 or later. Older Workspace ONE Intelligent Hub versions do not support it.
Considerations
- Blacklisted Apps Remain Blacklisted
Once an application is blacklisted in the Workspace ONE UEM console through App Scan Integration, it stays blacklisted until you take one of these actions:
- Deactivate the blacklisted app group that contains the application.
- Reset the integration.
- Application Hashes, Application Versions, and Application Package Names
WildFire evaluates application hashes, but Workspace ONE UEM app groups are keyed on the application package ID. Because analysis and enforcement use different identifiers, an application version can be blacklisted in Workspace ONE UEM while WildFire rates a newer version of the same application benign. The newer version stays blacklisted in Workspace ONE UEM because its package ID has not changed.
- Customer Type Organization Group
You must configure App Scan Integration using a Customer type organization group. Integration does not work using any other type of organization group.
- Android Application Control Profile and Blacklists
The blacklisted app groups created by this integration are not available to use in the Android application control profile.
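The following is an added example, not VMware or Palo Alto Networks code, that models the verdict flow from the Communications section and the hash-versus-package-ID caveat above: hashes are sent per scheduled cycle, benign hashes are cached and never resent, unresolved hashes are retried, and group membership is keyed on the Android package name, which is exactly why a later benign build of a blacklisted package stays blacklisted. The XML element names of a WildFire get/verdict response and the numeric codes 0 (benign), 1 (malware) and 2 (grayware) are assumptions taken from the public WildFire API reference; the hashes, package names and responses are constructed.

```python
"""Model of the WildFire <-> Workspace ONE UEM verdict flow (added illustration)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Assumed mapping of WildFire numeric verdict codes to the three verdicts the
# page describes; any other code (pending, error, unknown) is "unresolved".
VERDICT_CODES = {0: "benign", 1: "malware", 2: "grayware"}


def parse_verdict(xml_text: str) -> tuple[str, str]:
    """Extract (sha256, verdict) from a get/verdict response body.

    The element names are an assumption about the public API's XML layout.
    """
    root = ET.fromstring(xml_text)
    info = root.find("get-verdict-info")
    if info is None:
        raise ValueError("no get-verdict-info element in response")
    sha256 = (info.findtext("sha256") or "").strip().lower()
    code = int((info.findtext("verdict") or "-101").strip())
    return sha256, VERDICT_CODES.get(code, "unresolved")


@dataclass
class AppScanState:
    """Console-side bookkeeping: verdict per hash, blacklist per package name."""
    verdicts: dict[str, str] = field(default_factory=dict)
    groups: dict[str, set[str]] = field(
        default_factory=lambda: {"malware": set(), "grayware": set()})

    def hashes_to_send(self, inventory: list[tuple[str, str]]) -> list[str]:
        """Hashes from the device inventory that still need a verdict.

        Benign hashes are recorded and never resent; unresolved hashes are
        absent from `verdicts`, so they are retried on the next schedule.
        """
        return sorted({h for _, h in inventory if h not in self.verdicts})

    def apply_verdict(self, package_name: str, sha256: str, verdict: str) -> None:
        if verdict == "unresolved":
            return
        self.verdicts[sha256] = verdict
        if verdict in self.groups:
            # Membership is by package name, not hash: this is what keeps a
            # later benign build of the same package blacklisted.
            self.groups[verdict].add(package_name)

    def is_blacklisted(self, package_name: str) -> bool:
        return any(package_name in members for members in self.groups.values())


def verdict_response(sha256: str, code: int) -> str:
    """Build a constructed response body in the assumed WildFire XML shape."""
    return ("<wildfire><get-verdict-info>"
            f"<sha256>{sha256}</sha256><verdict>{code}</verdict>"
            "</get-verdict-info></wildfire>")


def run_cycle(state: AppScanState, inventory: list[tuple[str, str]],
              responses: dict[str, str]) -> None:
    """One scheduled cycle: send unknown hashes, apply the verdicts that return."""
    by_hash = {h: pkg for pkg, h in inventory}
    for h in state.hashes_to_send(inventory):
        if h in responses:
            sha, verdict = parse_verdict(responses[h])
            state.apply_verdict(by_hash[sha], sha, verdict)


def demo() -> dict:
    """Walk through the package-ID caveat with constructed hashes."""
    state = AppScanState()
    build1 = "a1" * 32   # constructed sha256 of com.example.flashlight v1.0
    build2 = "b2" * 32   # constructed sha256 of a later, clean v1.1
    other = "c3" * 32    # constructed sha256 of an unrelated benign app
    # Cycle 1: v1.0 is on devices and WildFire calls it malware.
    inv1 = [("com.example.flashlight", build1), ("com.example.weather", other)]
    run_cycle(state, inv1, {build1: verdict_response(build1, 1),
                            other: verdict_response(other, 0)})
    after_cycle1 = state.is_blacklisted("com.example.flashlight")
    # Cycle 2: devices updated to v1.1, which WildFire rates benign.
    inv2 = [("com.example.flashlight", build2), ("com.example.weather", other)]
    sent2 = state.hashes_to_send(inv2)   # only build2; `other` is cached benign
    run_cycle(state, inv2, {build2: verdict_response(build2, 0)})
    return {
        "blacklisted_after_cycle1": after_cycle1,
        "sent_in_cycle2": sent2,
        "v1_1_verdict": state.verdicts[build2],
        "still_blacklisted": state.is_blacklisted("com.example.flashlight"),
    }


if __name__ == "__main__":
    print(demo())
```

The `still_blacklisted` result stays true even though `v1_1_verdict` is benign; in the console the only remedies are the two listed above, deactivating the group or resetting the integration.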
Custom Admin Role
To manage the integration, create a dedicated admin user with a restrictive role. A dedicated role keeps the configuration and changes made for the integration separate, so that they do not affect other areas of your Workspace ONE UEM deployment.
This custom admin role needs access to the Third-Party Integration page and permission to add and edit app groups. Grant integration admins these abilities by creating a custom admin role with those categories, also known as permissions, and no more.
Enable Integration
Add your Palo Alto Networks WildFire information to the Workspace ONE UEM console so that the two systems can share applications and scan results.
- Navigate to .
- Select to enable communication between Workspace ONE UEM and WildFire.
- Select Palo Alto Networks WildFire for Choose App Scan Vendor and complete the settings.
| Setting | Description |
| --- | --- |
| WildFire API Key | Enter the API key for your WildFire system so that Workspace ONE UEM can send application hashes directly to WildFire. |
Results in App Groups
Use Workspace ONE UEM to identify the applications that failed an app scan. Workspace ONE UEM lists them in blacklisted app groups and blocks access to the applications in those groups. Deactivate a group only if you know its applications are safe to use.
Use the Created By filter to show only the app groups created by Palo Alto Networks WildFire.
Deactivate Blacklisted App Groups
- Navigate to .
- Locate the blacklisted app group that contains the application.
- Select the drop-down icon in the actions menu and select Deactivate.
After a group is deactivated:
- Workspace ONE UEM no longer displays it in the list when you build a compliance policy.
- Workspace ONE UEM removes the deactivated group from all compliance policies.
Configure Compliance
Build an application compliance policy that acts on devices with non-compliant applications. On the Rules tab, select Application List and then select Contains Vendor Blacklisted App(s) for the integration.
To have the compliance engine monitor for applications flagged by your reputation scanning system, add the blacklisted app group to the rule. If the engine detects a blacklisted application on a device assigned to the rule, it acts as configured in that rule.
Results of Resetting Integration
Resetting the integration:
- Disables Third Party App Scan Analysis.
- Removes the App Scan Integration account information from the Workspace ONE UEM console.
- Removes the blacklisted app groups that third-party vendor scans created in the Workspace ONE UEM console.
- Removes compliance policies created using those blacklisted app groups.
Deactivating blacklisted app groups is a less disruptive way to resolve application issues, because it can fix them without removing the configuration.
Reset the integration on the Third Party Integration page.
Monitor Integration With Console Events
- App Scan Vendor Application Group Modified
- Application Added To App Scan Vendor Application Group
- Third Party Application Scanning Started
- Error occurred while Third Party Application Scanning
- Reset Perform for Third Party Application Scanning Vendor
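The following is an added example, not VMware code, showing how a security operations team might triage an export of the console events listed above. It raises an alert for a scan error, a critical alert for an integration reset (which, per the section above, also deletes the vendor-created app groups and their compliance policies), and a suspicious-activity alert when a vendor app group is modified by any account other than the dedicated integration admin that the Custom Admin Role section recommends. The CSV column layout, the admin user name `wildfire-integration` and the sample rows are constructed assumptions for the example.

```python
"""Triage of Workspace ONE UEM console events for the WildFire integration (added illustration)."""
import csv
from io import StringIO

# Event names exactly as listed on the page.
SCAN_STARTED = "Third Party Application Scanning Started"
SCAN_ERROR = "Error occurred while Third Party Application Scanning"
RESET = "Reset Perform for Third Party Application Scanning Vendor"
GROUP_MODIFIED = "App Scan Vendor Application Group Modified"
APP_ADDED = "Application Added To App Scan Vendor Application Group"

INTEGRATION_ADMIN = "wildfire-integration"  # assumed dedicated admin account

# Constructed sample export; the column names are an assumption.
SAMPLE_EXPORT = """Time,Event,User,Details
2024-03-01T02:00:00Z,Third Party Application Scanning Started,system,
2024-03-01T02:00:05Z,Application Added To App Scan Vendor Application Group,wildfire-integration,com.example.flashlight -> Malware
2024-03-01T09:12:44Z,App Scan Vendor Application Group Modified,jdoe,Grayware group deactivated
2024-03-02T02:00:00Z,Third Party Application Scanning Started,system,
2024-03-02T02:00:07Z,Error occurred while Third Party Application Scanning,system,WildFire API key rejected
2024-03-02T15:30:00Z,Reset Perform for Third Party Application Scanning Vendor,jdoe,
"""


def triage_events(export_text: str,
                  integration_admin: str = INTEGRATION_ADMIN) -> list[dict]:
    """Return one alert per event that needs human attention, in export order."""
    alerts = []
    for row in csv.DictReader(StringIO(export_text)):
        event, user, when = row["Event"], row["User"], row["Time"]
        if event == RESET:
            # Reset removes vendor app groups and the compliance policies
            # built on them, so enforcement silently stops.
            alerts.append({"severity": "critical", "time": when, "user": user,
                           "reason": "integration reset: vendor app groups and "
                                     "their compliance policies are removed"})
        elif event == SCAN_ERROR:
            alerts.append({"severity": "warning", "time": when, "user": user,
                           "reason": f"scan failed: {row['Details'] or 'no detail'}"})
        elif event in (GROUP_MODIFIED, APP_ADDED) and user != integration_admin:
            # Only the dedicated integration admin should touch these groups.
            alerts.append({"severity": "suspicious", "time": when, "user": user,
                           "reason": "vendor app group changed by a non-integration "
                                     f"account: {row['Details'] or event}"})
    return alerts


def scan_health(export_text: str) -> dict:
    """Count scheduled scan starts against scan errors for a quick health figure."""
    started = errors = 0
    for row in csv.DictReader(StringIO(export_text)):
        if row["Event"] == SCAN_STARTED:
            started += 1
        elif row["Event"] == SCAN_ERROR:
            errors += 1
    return {"started": started, "errors": errors}


if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EXPORT):
        print(alert["severity"], alert["time"], alert["user"], alert["reason"])
    print(scan_health(SAMPLE_EXPORT))
```

Wire `triage_events` to whatever export or API feed your SIEM already pulls from the console; the point is that a reset event and out-of-role edits to the vendor groups deserve a page, not just a log line.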