How are the credentials or authentication tokens handled?

Although the client shares the credentials or tokens with the ENS2 environment upon registration, the credentials or tokens are not saved on the Workspace ONE UEM servers. The Exchange server sends the encrypted authentication information to the Workspace ONE UEM as part of a notification when a new email is available. From that notification (Exchange to the ENS2), the credentials are decrypted and used to make any requests necessary to the Exchange server. The credentials are discarded after performing the necessary requests.

If credentials are not saved, what data does the ENS is save? How secure is the ENS?

• Workspace ONE stores a list of devices and a list of public private key-pairs used to decrypt the credentials when the notifications are sent from the Exchange. The database is saved on a Virtual Private Cloud (private subnet) secured using firewall. There is no direct access from the Internet to this subnet. All access is controlled using VPC and firewall rules and only web servers with a single account have access to the database.
• Workspace ONE saves the log files to help debug issues and monitor the system. The log does not contain any private information (PI) of the customers and access is secured using the account permissions.

Where is the ENS hosted? Are there instances configured to serve each region based on data sovereignty laws?

The ENS is hosted in multiple regions. We have various environments spanning the US, Europe, and Asia regions that permit us to abide by data sovereignty rules.

What data is transmitted through the ENS server without being saved? How is it secured?

• User credentials that are encrypted with the RSA encryption.
• Email subject and sender (sent using HTTPS).
• Future functionality: The functionality to control what data (if any) is sent or fetched for the notification. You can also control the data from an email that is used in the notification payload.
• All communication is made through HTTPS.

What is the dependency of ENS on cloud services?

• AWS Simple Notification Service (SNS) is used for managing push notification in the AWS Cloud deployment.
• Cloud Notification Service (CNS) is mandatory for passing notifications to Apple/Android devices for on-premises deployments.
• AWS Relational Database Service (RDS) is used for the data persistence.

When sending requests to the Exchange which user agent does the ENS2 use?

The ENS2 uses the MailNotificationService/v2 (ExchangeServicesClient/15.00.0913.015) user agent. The value '15.00.0913.015' changes as new libraries from Microsoft are released and are updated for using ENS2.

What email folders does ENS2 monitor for incoming messages and actions?

ENS2 only monitors a user’s Inbox folder.

How does the ENS server authenticate a device before subscribing (Boxer application) to the notifications?

Each ENS tenant is issued an access token, the device provides the token to access the ENS APIs. In addition, the user credentials are required to create a subscription for a user.

How is the ENS server discovered on the device? Which application is used?

The Boxer application is configured with an ENS endpoint provided by the Workspace ONE console. The Boxer application manages the ENS subscriptions.

How does the application authenticate the ENS server?

The Boxer application uses certificate pinning to validate the ENS endpoint.

How are the public-private keys generated and managed on the ENS server? One key at the time of installation or one key (or key-pair) per mailbox or user ID?

The public or private key-pairs are generated in advance and stored in the ENS database. Each device is assigned a unique key-pair when the device registers with the ENS service.

How many pairs of public-private keys are used for moving credentials from the device?

There is one key-pair for each user that is used to encrypt all sensitive data transmitted from the client.

How are the keys and secrets managed on the ENS server?

Public or private key-pairs, hashed email ID, device ID, partial certificate, APNS token, EWS URL, and subscription ID manage the keys and secrets on the ENS server.

When a device initiates a connection to the ENS server what measures are taken on the client side and the ENS server to prevent against a man-in-the-middle attack?

The device uses TLS pinning to ensure that the device is connected to a valid ENS endpoint.

What security measures are used in the notification subscription flow to ensure that a user credentials cannot be intercepted in transmission?

In the older version of the ENS, the device provides the EWS endpoint used for subscriptions or the Autodiscover dynamically provides the EWS endpoint. In the latest version of the ENS, a set of EWS endpoints and their associated certificate fingerprints is associated with each API token, and the ENS server connects to the pre-configured endpoints validated by their fingerprints.

What data is stored by the ENS locally?

Each ENS server is stateless, apart from the API key which is refreshed every one hour.

What data is stored by the ENS on the SQL server?

The ENS stores the public or private key-pairs, hashed email ID, device ID, partial certificate, APNS token, EWS URL, and subscription ID on the SQL server.

How does the ENS handle connections to the SQL server?

The ENS stores the encrypted connection string in the web.config file which is decrypted and used to open a connection with the database.

How are credentials to the SQL server managed and secured by the ENS server?

Credentials are present in the configuration file and are encrypted with the RsaProtectedConfigurationProvider.

How does the connection pooling and failover work with redundant SQL servers?

The ENS fully supports SQL Always ON.

In a deployment scenario where the redundant servers are across different data centers, how is the data replicated across the data centers?

The ENS does not provide any explicit support for multiple data centers.

Does VMware have any guidelines for hardening the ENS server?

The standard server hardening procedures only apply. The only requirement is that the server must be accessible through HTTPS.

Does VMware have any guidelines for hardening the SQL Server (that accepts the connections from the DMZ hosted on the ENS server?

The standard server hardening procedures only apply. The only requirement is that the ENS server can connect to the SQL server endpoint.

Does the ENS server work if the connection from the device is bridged at a reverse-proxy or load-balancer? The connection terminates on the proxy and a spate connection transmits the payload.

The only requirement is that the device can communicate with the ENS endpoint over plain HTTPS. Long-running connections or other special behavior is not required, so a standard proxy might not cause problems.

How are the service account credentials managed on the ENS server?

The ENS2 does not use any service account.

How are the APNS certificates provisioned and handled on the ENS server?

The ENS servers do not directly require APNS certificates. The ENS notifications are routed through the CNS, and the communication between the ENS and CNS are authenticated through the mutual TLS. The CNS certificate is provisioned from the Workspace ONE console and stored in the web.config file on the ENS.

How does the ENS construct the webhook URL?

Whenever the ENS receives the request, extract the requesturi from the ENS and then use the requesturi as the webhook URL. When a request is made to the registerdevicev2 endpoint, the ENS gets the credentials which are in the encrypted format and the same encrypted data is used and added in the webhook URL query parameters. For the credentials, use the user name and password in the basic authentication, use the Oauthaccesstoken in the OAuth, and use the CBA data in CBA.

How are the user credentials encrypted and encoded for the webhook URL?

Encrypt the user credentials with the asymmetric cryptographic algorithm, that is, RSA with Public-Key Cryptography Standards 1 (PKCS 1) padding using the BouncyCastle crypto library. After encrypting the credentials, encode the credentials using, the HttpUtility.UrlEncode.

What encryption methods and tools are used to encrypt the user credentials for the webhook URL?

Use the RSA encryption with the PKCS 1 padding algorithm. For more information on PKCS 1, see the bcgit/bc-csharp.

If two users share the same password credentials, then the encrypted password in webhook URL will have the same value?

Since RSA encryption is used, different encrypted payload is obtained even though two inputs or passwords are the same.

Can local caching storage be used for password storage? After using the plaintext password (credential) to fetch the email how is the password purged?

The ENS does not store any caching in the local storage after decrypting the credentials. The ENS synchronizes with the Exchange and the object holding the password is disposed.

How does the flow work when the ENS server decrypts the user credentials (password) to plaintext to fetch the email?

The ENS decrypts the credentials (that are part of the callback URL on which the ENS receives notifications from the Exchange) using the private key of the user and synchronizes with the Exchange to get the email information.

Does the ENS server need a service account for the Exchange server? If yes, what are the required access privileges?

The ENS is explicitly designed to operate with no service accounts.

How does the ENS authenticate with the EWS or the Exchange? How are the credentials managed?

The device initiates all the EWS subscriptions using the user credentials stored on the device. The device encrypts the user credentials with a unique public or private key-pair and calls the subscription endpoint. The ENS service decrypts the credentials and uses the credentials to create the EWS subscription.

The credentials are not stored in memory.

How does the device resubscription to notification function, after a user has changed the password on the Exchange?

When the ENS endpoint notices that a subscription has failed, the ENS sends a silent push notification to the device to inform that the subscription must be recreated. In addition, the device can call a status endpoint on the ENS service to determine if a subscription is active. This permits the device to determine if the device must resubscribe to the ENS at the application start time.

How does the ENS protect against device spoofing to ensure only devices enrolled on the WorkSpace ONE UEM are allowed?

If a strict device compliance is required, the ENS configuration must use a SEG to communicate with the EWS, instead of connecting to the EWS directly. The ENS server includes the device IDs in all calls to the SEG. The SEG validates if the device IDs are compliant before allowing the subscriptions to be created.

Does the ENS check periodically if a device is compromised before sending push notifications to that device?

When the ENS is configured to communicate with the EWS through the SEG, the SEG prevents the ENS service from retrieving notifications for the compromised devices.

How is the Boxer application configured for registering with the ENS for email notifications?

The configuration for using the ENS is provided to the Boxer application through the same channel as all other Boxer configurations.

Assuming there is a URI in the Boxer configuration for making the initial connection to the ENS,provide a sample URI.

An ENS endpoint URL is similar to https://ens.getboxer.com/api/ens. To find a list of available cloud ENS endpoints, see the ENS Endpoints and IP Allowlist section in the Configure Email Notification Service for Cloud Deployment topic.

How is the webhook URL constructed with the user credentials encrypted encoding inline?

Example of a sample webhook URL: http://10.89.240.187/mailnotificationservice/api/ens/pushnotificationlistener?id=4&f=Plaw5DIs0czKmhmWowIJnj%2bFsjDPNt0Eplgg5EaBqgiVsrAmli%2bIXLy9ik8JIUklQsELIefjp7z8jBgSA2nxa4p7Hwxze6jUiT39%2bjaAea8df7rMUN3xjAtJPTb60ifXHULlH%2bjLPIRMeN92zNJGAU50Cj%2fp2fpq. Here, the id is the userinfoid pertaining to a single user and the parameter f is the filler key containing the encrypted information.

How is the payload of push notification constructed with any enrichment and/or trimming of data pulled from the Exchange by the ENS?

What are the crypto libraries and binaries used by the ENS?

The ENS uses the BouncyCastle.crypto library. For more information about the BouncyCastle.crypto library, see the Bouncy Castle page.

Are the credentials stored in the memory of the ENS servers. If yes, for how long are the credentials stored and what are the mitigating controls to prevent an unauthorized person from accessing this data?

When the ENS receives push notifications from the Exchange with encrypted credentials, the ENS decrypts the credentials in memory and sends a web request to the Exchange server with the credentials to retrieve the subject and summary of the new email. The ENS then sends push notifications through the SNS and discards the credentials from the memory. This process takes less than a minute. Nobody has access to the credentials data as the data is not stored anywhere.

Credentials are discarded after performing the necessary requests. Provide more information on the discarding process?

The ENS runs on the .net which provides garbage collection for unused objects in the memory. The ENS depends on this process to clean up the memory.

Can a third-party SIEM tools be integrated with the ENS? Does VMware support any form of internal monitoring and maintenance of access logs to the ENS to identify suspicious or malicious events?

Currently, the ENS does not have a solution to feed data into the SIEM solution. You can contact your support or account team with your requirements.

Describe the monitoring access level the ENS2 has on the Inbox folder. Is ENS able to view the email details (sender, subject and email body) contained in Inbox folders?

The ENS can only access the sender, subject, and the preview fields. The ENS does not synchronize or fetch the entire Inbox folder. The ENS only fetches one email data at a time and discards after constructing a notification.

Are copies of emails stored on the ENS server or does the ENS server act as a middle-man to pass email details and notifications to the mobile device through the AWS SNS?

Email data is not stored in the ENS server.

Can the OAuth token used to get the mail information (sender, recipients, subject, if mail attachment) be used for the Exchange notification scope only (and to get only this information)? Or does the OAuth token have the permission to read or write emails (and see all content of an email)?

The ENS relies on the EWS.AccessAsUser.All permission to gain access to email information using the OAuth token. Microsoft does not provide granular permissions for the EWS access. The EWS.AccessAsUser.All is the only permission you can provide to gain access to the EWS. The ENS fetches the required information about a new message (sender, recipient, subject, and so on) when the Exchange notifies the ENS through a push notification. The ENS then sends this information to the APNS or FCM and discards the information. The ENS never reads any other information or stores the information on the ENS server.

Both the Boxer application and the ENS share application registration on the Azure AD and the Boxer application uses these permissions.