Integrate Workspace ONE Mobile Threat Defense With Workspace ONE UEM

Take the following steps to fully prepare your Workspace ONE Mobile Threat Defense and Workspace ONE UEM environments to work together to protect your mobile endpoints.

Step 1 Create Organization Group

As a best practice, you can create an organization group (OG) from which you manage all the devices that you intend to protect with Mobile Threat Defense. Create a child OG under an existing OG and assign this and any relevant child OG to the Smart Group that you configure in the UEM integration in the MTD console.

  1. Log in to the Workspace ONE UEM console using your administrator account.
  2. Move to the OG under which you want to create a new child OG dedicated to managing devices you intend to protect with Mobile Threat Defense.

    This might be an existing customer type OG, for example, “Salesforce” under which you might create a child OG called “MTD” making the OG hierarchy look like this: Global/Salesforce/MTD.

    You might prefer to apply MTD protection from a higher position in the OG hierarchy, for example, Global/MTD.

    Either way, when you create a child OG, you always start from an existing OG. Move to this OG by clicking the OG selector button toward the top of any Workspace ONE UEM screen.

  3. Navigate to Groups & Settings > Groups > Organization Groups > Details and select the Add Child Organization Group button.

    This screenshot shows the Add Child Organization Group screen in the OG details menu item, allowing you to make a new child OG in the OG you are currently in.

    Complete the following settings.

    Setting Description
    Name Enter a name for the child organization group (OG) to be displayed. Use alphanumeric characters only; do not use special characters.
    Group ID This required OG identifier is used by end users during device login and during the enrollment of group devices to the appropriate OG.

    Ensure that users sharing devices receive the Group ID as it might be required for the device to log in depending on your Shared Device configuration.

    If you are not in an on-premises environment, the Group ID identifies your organization group across the entire shared SaaS environment. For this reason, all Group IDs must be uniquely named.
    Type Select “Customer”.
    Country Select the country where the OG is based.
    Locale Select the language classification for the selected country.
    Customer Industry Select from the list of Customer Industries.
    Time Zone Select the time zone for the OG’s location.
  4. Select Save. This is the OG that manages devices you intend to protect with Mobile Threat Defense.

  5. (Optional) You can create multiple OGs and assign different levels of MTD protection to each OG based on the specific policy group / enrollment code you get from the Mobile Threat Defense Console. You can then promote or demote the appropriate level of MTD protection simply by moving devices from one OG to another.

    If you intend to create multiple levels of MTD protection and assign them to multiple OGs, you must create your OGs with the following hierarchy.

    This screenshot shows a sample OG hierarchy for the purpose of configuring multiple policy groups for multiple OGs.

    You can have as many child OGs as you want (and you can name them whatever you want) but they all must have the same parent OG.

    Later, in substep 12 of Step 6 Set Up Workspace ONE Mobile Threat Defense Console, you will be presented with the option to create multiple policy groups. You get a unique enrollment code for each policy group. Each organization group is assigned a unique enrollment code which effectively applies individual group policies to specific OGs.

Step 2 Create an API Role and Assign it to an Admin

  1. Log in to the Workspace ONE UEM console using your administrator account.
  2. Ensure that you are in the organization group (OG) you created in Step 1 Create Organization Group. If not, then move to this OG.
  3. Navigate to Accounts > Administrators > Roles.
  4. Select the Add Role button. The Create Role page displays.
  5. Enter the role name MTD_API_Admin and a description.
  6. Under the Categories column to the left, expand API and select REST. Enable the Read check box for each of the following permissions.

    • Admins
    • Apps
    • Devices
    • Groups
    • Users

    This screenshot shows the Create Role screen with all the REST API permissions selected for the Mobile Threat Defense admin role.

  7. Under the Categories column to the left, expand Device Management and select Bulk Management. Enable the Edit check box for the Bulk Management permission.

    This screenshot shows the Create Role screen with the bulk management permission selected for the Mobile Threat Defense admin role.

  8. Under the Categories column to the left, scroll down and expand Settings, then select Tags and enable the Edit check box for the Tags permission.

    This screenshot shows the Create Role screen with the tags permission selected for the Mobile Threat Defense admin role.

  9. Select the Save button to save the role. These permissions (Read on the listed REST API categories plus Edit on Bulk Management and Tags) are all the MTD connector requires; do not grant this role broader rights.

  10. Navigate to Accounts > Administrators > List View.
  11. Select the Add button and select Add Admin. The Add/Edit Admin page displays.
  12. On the Basic tab, enter the Username and values for all other required (*) fields for this Mobile Threat Defense admin.
  13. Switch to the Roles tab and select the Select Role text box. In the drop-down menu that displays, scroll down to the role you created earlier, MTD_API_Admin, and select it.
  14. In the Select Organization Group field, select the name of the organization group you created in the previous step.
  15. Select Save to assign the role to the admin.

Step 3 Create an API Key

  1. Log in to the Workspace ONE UEM console using your administrator account.
  2. Ensure that you are in the organization group (OG) you created in Step 1 Create Organization Group. If not, then move to this OG.
  3. Navigate to Groups & Settings > All Settings > System > Advanced > API > REST API. The REST API configuration page displays.
  4. For the Enable API Access option, select Enabled.
  5. Select the Add button. A blank key entry displays at the bottom of the listing. Add the Service Name WS1-MTD with an Account Type of Admin. This generates an API key which is used to configure the Workspace ONE Mobile Threat Defense console.
  6. Select the generated key from the API Key text box for WS1-MTD.
  7. Copy the key to clipboard with Ctrl-C (on Windows) or Command-C (on macOS).

    NOTE: This key is pasted into the API Token field in the Set Up Workspace ONE Mobile Threat Defense Console step, later in this workflow. Treat it as a credential: combined with the API admin's username and password it grants that admin's REST API rights, so store it in a secrets manager rather than in a document or message.

  8. Select Save.

Step 4 Create the Tags

The Workspace ONE UEM feature, Device Tags, is used extensively in Mobile Threat Defense. Take the following steps to create your device tags.

  1. Ensure that you are in the organization group (OG) you created in Step 1 Create Organization Group. If not, then move to this OG.
  2. Navigate to Groups & Settings > All Settings > Devices & Users > Advanced > Tags.
  3. Select Create Tag. The Create Tag dialog displays.
  4. In the Name text box, enter the Tag Name from the table.

    Tag Name Description
    MTD - Activated Activated devices
    MTD - Deactivated Deactivated devices
    MTD - Disconnected Devices that have lost connectivity with Mobile Threat Defense
    MTD - Pending Devices that have not activated Mobile Threat Defense yet
    MTD - Unreachable Devices that are unreachable by Mobile Threat Defense
    MTD - Threats Present Compromised devices
    MTD - Secured Secured devices
    MTD - Low Risk Low risk devices
    MTD - Medium Risk Medium risk devices
    MTD - High Risk High risk devices
  5. Select Save.

  6. Repeat Steps 3-5 to create each tag from the table.

You can also make customized tags based on specific threats such as “Denylisted App”, “PCP Disabled”, and any other customized tag you want. When you reach Step 6 Set Up Workspace ONE Mobile Threat Defense Console, you can assign these customized tags to their own Risk Classification in the State Sync section of the MTD Console.
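Creating the ten tags by hand is error-prone, and a misspelled tag name silently breaks the State Sync mapping in Step 6. The following script, added here as an example and not code from Omnissa/VMware or the Lookout console, creates the Step 4 tags through the Workspace ONE UEM REST API using the role from Step 2 and the key from Step 3. It assumes the UEM endpoint POST /API/mdm/tags/addtag with a body of TagName, TagType (1 = general) and LocationGroupId, which is the numeric ID of the OG from Step 1; confirm both against your tenant's API reference at https://<UEM host>/api/help before running it. Connection details are read from environment variables (names chosen here) so no secret is written into the script, and the HTTP result is translated into the Step 2/3 misconfiguration it most often indicates.

```python
"""Create the Step 4 Mobile Threat Defense tags in Workspace ONE UEM over its REST API.

Added example, not Omnissa/VMware code. Credentials come from the environment so
nothing secret is written into the script.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.request

# Tag names exactly as the Step 4 table lists them; the MTD console's State Sync
# section is mapped onto these names in Step 6.
MTD_TAGS = [
    "MTD - Activated",
    "MTD - Deactivated",
    "MTD - Disconnected",
    "MTD - Pending",
    "MTD - Unreachable",
    "MTD - Threats Present",
    "MTD - Secured",
    "MTD - Low Risk",
    "MTD - Medium Risk",
    "MTD - High Risk",
]

# ASSUMPTION: endpoint and body shape are taken from the UEM REST API reference as
# remembered; verify them on your tenant's https://<UEM host>/api/help page.
ADD_TAG_PATH = "/API/mdm/tags/addtag"
TAG_TYPE_GENERAL = 1


def auth_headers(api_key, username, password):
    """UEM REST calls carry the Step 3 API key in the aw-tenant-code header and the
    Step 2 API admin's credentials as HTTP Basic authentication."""
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {
        "aw-tenant-code": api_key,
        "Authorization": f"Basic {basic}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def build_add_tag_requests(base_url, og_id, tag_names=MTD_TAGS):
    """Return (url, json_body) pairs, one per tag, scoped to the OG from Step 1."""
    base = base_url.rstrip("/")
    return [
        (base + ADD_TAG_PATH,
         {"TagAvatar": "", "TagName": name, "TagType": TAG_TYPE_GENERAL,
          "LocationGroupId": int(og_id)})
        for name in tag_names
    ]


def explain_status(status):
    """Translate the HTTP result into the Step 2/3 misconfiguration it usually means."""
    return {
        200: "created",
        201: "created",
        400: "rejected: tag already exists in this OG, or LocationGroupId is wrong",
        401: "unauthorized: API key (aw-tenant-code) or admin credentials rejected",
        403: "forbidden: the admin's role lacks Settings > Tags > Edit in this OG",
    }.get(status, f"unexpected HTTP {status}")


def create_tags(base_url, og_id, headers, tag_names=MTD_TAGS,
                opener=urllib.request.urlopen):
    """POST each tag; `opener` is injectable so the logic can be exercised offline."""
    outcome = {}
    for url, body in build_add_tag_requests(base_url, og_id, tag_names):
        req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                     headers=headers, method="POST")
        try:
            with opener(req, timeout=30) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        outcome[body["TagName"]] = explain_status(status)
    return outcome


if __name__ == "__main__":
    try:
        env = {k: os.environ[k] for k in ("UEM_URL", "UEM_API_KEY", "UEM_ADMIN_USER",
                                          "UEM_ADMIN_PASSWORD", "UEM_OG_ID")}
    except KeyError as missing:
        sys.exit(f"set {missing} in the environment first")
    hdrs = auth_headers(env["UEM_API_KEY"], env["UEM_ADMIN_USER"], env["UEM_ADMIN_PASSWORD"])
    for tag, result in create_tags(env["UEM_URL"], env["UEM_OG_ID"], hdrs).items():
        print(f"{tag}: {result}")
```

A 403 on every tag is the quickest confirmation that the MTD_API_Admin role was created or assigned in the wrong OG, since tag creation is the only Edit right the role carries under Settings.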

Step 5 Create Smart Group

When you create a smart group, whatever organization group (OG) you are in at the time you create it becomes the home OG of that smart group. So if you want to include the maximum number of devices in your smart group, you must first move to the OG you made in Step 1 Create Organization Group.

  1. In the Workspace ONE UEM console, move to the organization group (OG) that manages all the devices you want to protect with Mobile Threat Defense. This is the OG you created in Step 1 Create Organization Group. (Optional) If you are configuring multiple OGs with differing levels of MTD protection, then ensure that you are in the parent OG.
    • Move OGs by clicking the OG selector button in Workspace ONE UEM. Do not create a smart group from the Global OG.
  2. Navigate to Groups & Settings > Groups > Assignment Groups.
  3. Select the Add Smart Group button. The Create New Smart Group screen displays.
  4. In the Name text box, enter a name for the smart group, such as Devices in Customer OG.
  5. Select which devices belong in the smart group by taking one or both of the following steps.
    1. In the Organization Group section, the name of the OG you moved to in step 1 displays. Enable this check box to include all devices in this OG in the smart group. All devices in this OG are protected with MTD provided you apply the MTD Custom Settings referenced in substep 19 of the next step, Step 6 Set Up Workspace ONE Mobile Threat Defense Console.
    2. Optionally, in addition to the OG you selected, select the User Group section and Add user groups. This action includes all the devices in these user groups in the Mobile Threat Defense smart group.
  6. You can include or exclude devices by filling out the Additions and Exclusions sections. For more information, see Create a Smart Group
  7. Select Save.

Step 6 Set Up Workspace ONE Mobile Threat Defense Console

  1. Log in to the Mobile Threat Defense console.

    Navigate to https://vmware.lookout.com (SSO enabled) or https://vmware.lookout.com/a (bypassing SSO). An MTD tenant is provisioned at the time of MTD purchase and your designated contact person is created as an admin. You can select Forgot Password on the login page to reset your password. Once you are logged into the MTD console, you can create additional administrators by navigating to System > Manage Admins > Add Admin.

  2. In the left panel, select Integrations.

  3. Under Choose a product to set up, select the Workspace ONE button.
  4. Under Connector Settings, complete the following options.

    Setting Description
    Label for this MDM connection This optional entry identifies and differentiates between all your integrations.
    Workspace ONE URL Enter your Workspace ONE server URL, for example, https://asXXXX.awmdm.com
    API Token Paste the API Key you copied in the Create an API Key step. Ctrl-V (for Windows) and Command-V (for macOS).
    Authentication Certificate Authentication (Recommended): Upload a Workspace ONE UEM certificate and select a passphrase.

    Basic Authentication: Enter the username and password of the admin to which you assigned the MTD_API_Admin role in Step 2 Create an API Role and Assign it to an Admin. If you select Basic Authentication, you must update the connector configuration each time that admin's password expires.
    The alternative to this limitation is to set the API admin password to never expire. Weigh this against your password policy: a non-expiring password on an account with API rights is a long-lived credential, which is one reason certificate authentication is recommended.
    Configure this setting in Workspace ONE UEM by navigating to Accounts > Administrators > List View, finding the admin in the listing, selecting the Edit (pencil) icon, and, on the Basic tab of the Add/Edit Admin screen, setting the Require password change at next login option to Disabled.
  5. Select Create Integration in the top-right corner. A banner notification displays indicating a successful integration and additional sections display.

  6. Scroll down to the Enrollment Management section and complete the following options.

    Setting Description
    Automatically drive Lookout for Work enrollment on Workspace ONE managed devices Set to ON.
    Use the following Workspace ONE smart groups to identify devices that should be enrolled in Lookout for Work: Select the smart group you created in step 5. In this workflow example, that smart group name is Devices in Customer OG but you must select the smart group you created.
    How often should Lookout check for new devices? Set to 5 to sync newly enrolled devices and unenrolled devices from UEM every 5 minutes.
    Automatically send activation emails to Workspace ONE managed devices Set to OFF. For an MDM integration, you should drive enrollment through your MDM, not via Mobile Threat Defense Console invitation emails.
    Delete device on unenrollment Set to ON to delete devices in Mobile Threat Defense when they are unenrolled from Workspace ONE UEM.
  7. Scroll down to the State Sync section and enable the option Synchronize device status to Workspace ONE.

    This screenshot shows the State Sync section of the MTD Console where you can configure all the risks and their corresponding UEM tags.

  8. Select and assign the tags you created in Step 4 per the following table. If you opt not to synchronize a specific device state to Workspace ONE, then leave the corresponding toggle off/null.

    Option Value
    Device Status:
    Devices that have not activated Mobile Threat Defense yet MTD - Pending
    Devices with Mobile Threat Defense activated MTD - Activated
    Devices with Mobile Threat Defense deactivated MTD - Deactivated
    Connection Status:
    Devices that are unreachable by MTD MTD - Unreachable
    Devices that have lost connectivity with MTD MTD - Disconnected
    Risk Status:
    Devices with any issues present MTD - Threats Present
    Devices with low risk issues present MTD - Low Risk
    Devices with medium risk issues present MTD - Medium Risk
    Devices with high risk issues present MTD - High Risk
    Devices with no issues present MTD - Secured
    Risk Classification: (optional) Add your customized Risk Classifications, assign each to a custom tag you created in Step 4, and enable or disable them as you prefer. The following Risk Classifications are EXAMPLES, not requirements; they demonstrate that any device tag can be given any label you want.
    Classification Tag
    Denylisted App MTD - Denylisted App
    Phishing and Content Protection Disabled MTD - PCP Disabled
  9. Scroll down to the Error Management section and enter an email address to which errors are reported.

  10. Scroll up and select Save Changes in the top-right corner. You can review connector settings from the Integrations at any time.
  11. (Workspace ONE UEM on-premises environments only) The Lookout cloud calls your Workspace ONE UEM REST API from a fixed set of source IP addresses. If firewall or proxy rules in front of the UEM API endpoint restrict which sources may connect, you must allowlist the following Lookout addresses; otherwise the service calls from the Lookout cloud to your Workspace ONE UEM server are blocked and the integration does not work.

    • 52.11.153.147
    • 52.11.153.253
    • 54.153.102.83
    • 54.153.102.84

    In the event IP addresses must be updated, Lookout provides 6 weeks advance notice to all system admins of the MTD console, giving you time to update your allowlist and avoid any interruption or inconsistency of service. Lookout makes every attempt to limit IP address updates to only once per year.

  12. (Optional) Configure multiple policy groups for the purpose of applying them to multiple OGs. You can configure multiple organization groups in UEM, assigning each its own unique policy group. This means you can promote or demote a level of MTD protection simply by moving devices from one OG to another. Take the following substeps to create multiple policy groups in the MTD Console.

    a. In the Mobile Threat Defense Console, navigate to Devices > Device Policy Groups. You can see the Default Group in the listing. This is the policy group that comes with each new integration.

    b. To create a new policy group, select the Create Group button to the right. The Create a new group screen displays.

    c. Enter the Name and Description of the new group.

    d. Select the Create Group button. The Device Policy Groups list view displays featuring your new group in the listing.

    e. Hover your pointer over the new group and select the View Protections link, which takes you to the Protections panel. When you create a new group, all enabled protections are inherited from the Default Group.

    f. You can customize Policies; change the risk levels, change the response, disable selected policies, enable others, and so forth.

    g. You can even customize the Alert device messages received by device end users when their device is placed in harm’s way.

    h. You can customize Phishing and Content Protection; change deployment types, change mandate levels, add domains, change allowlists and denylists.

    i. You can customize On-Device Threat Protection; change remediation, change blocked domains, and so forth.

    j. Select the Save changes button for each round of customizations.

    k. For each Policy Group you want to create, repeat steps b. through j.

  13. (Optional) Configure custom messages per policy or accept the default custom message. You can configure a custom notification message that appears to your device end users if their device comes under attack. You can configure this custom message for selected policies or you can accept the default custom message.

    a. Navigate to the Protections main menu item and then the Policies tab.

    b. Select the Default custom message link to review the existing default message and to make changes per your preferences. This verbatim message displays to users for each policy violation that is set to inherit the default parent message.

    c. If you do not want to use the same message, you can create a customized message tailored for each policy. Do this by selecting the message button next to the Alert device response for the policy you want to target, clearing the check from the Inherit parent custom message checkbox, then drafting your own policy-specific message.

    This partial screenshot shows the policy listing of the MTD Console and how you can customize the alert message users receive when their device is attacked.

    d. If you prefer, you can also use the default parent custom message. Opt for this by enabling the Inherit parent custom message checkbox.

    This screenshot shows the customize messaging panel, where you can either customize your own policy-specific message or inherit the parent custom message.

    e. Select Save when you are finished with your messaging customizations. Note that custom message settings might take up to 24 hours after saving before they start displaying on the device.

    f. This custom message is presented to the user in the threat’s details page in the Intelligent Hub app whenever the specified policy is violated.

    This screenshot shows the custom Alert device message that the end user sees when their device is protected from an attack.

  14. While still logged into the Mobile Threat Defense console, navigate to Devices > Device Policy Groups, then select and copy the enrollment code (Ctrl-C in Windows, Command-C in macOS). Each policy group in the listing has its own unique enrollment code.

  15. Log into Workspace ONE UEM.
  16. Move to the OG that holds the devices you want to protect with Workspace ONE Mobile Threat Defense. This is the OG you created in Step 1 Create Organization Group. (Optional) If you created multiple OGs, move to the next OG that is not yet configured with an MTD policy group.
  17. Navigate to Groups & Settings > All Settings > Apps > Settings and Policies > Settings.
  18. Enable Override if settings are unavailable.
  19. In Custom Settings, insert the following code, replacing ENROLLMENT CODE GOES HERE with the enrollment code you copied in step 14.

    {
       "mtdSettings": {
          "isEnabled": true,
          "enrollmentCode": "ENROLLMENT CODE GOES HERE"
       }
    }

    For example:

    {
       "mtdSettings": {
          "isEnabled": true,
          "enrollmentCode": "RHDOWG"
       }
    }
    
  20. Select the Save button.

  21. (Optional) If you plan to configure multiple organization groups with their own unique policy group, repeat steps 14 through 20 for each OG, making sure to select the enrollment code that corresponds to the policy group you want to apply to it.
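The Custom Settings box accepts whatever you paste, so a leftover placeholder, a quoted "true" or a stray trailing comma only shows up later as devices that never activate. The script below is an added example, not code from the product or this page: it builds the mtdSettings JSON for one enrollment code, checks a pasted value for those mistakes, and, for the multi-OG layout described in steps 12 and 21, maps each OG to its policy group while refusing to reuse one enrollment code for two groups. The OG paths, policy group names and the second enrollment code in the usage are constructed for illustration; only RHDOWG comes from the page's example.

```python
"""Build and sanity-check the mtdSettings Custom Settings JSON for one or more OGs.

Added example, not Omnissa/VMware or Lookout code.
"""
import json

PLACEHOLDER = "ENROLLMENT CODE GOES HERE"


def build_mtd_custom_settings(enrollment_code, enabled=True):
    """Return the JSON text to paste into Apps > Settings and Policies > Settings > Custom Settings."""
    code = enrollment_code.strip()
    if not code or code == PLACEHOLDER:
        raise ValueError("enrollment code missing: copy it from Devices > Device Policy Groups")
    return json.dumps({"mtdSettings": {"isEnabled": bool(enabled), "enrollmentCode": code}},
                      indent=3)


def check_mtd_custom_settings(text):
    """Return a list of problems found in a Custom Settings value (empty list = looks good)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    mtd = doc.get("mtdSettings") if isinstance(doc, dict) else None
    if not isinstance(mtd, dict):
        return ["top-level object must contain an mtdSettings object"]
    problems = []
    if not isinstance(mtd.get("isEnabled"), bool):
        problems.append("isEnabled must be the JSON boolean true or false, not a quoted string")
    code = mtd.get("enrollmentCode")
    if not isinstance(code, str) or not code.strip():
        problems.append("enrollmentCode missing")
    elif code == PLACEHOLDER:
        problems.append("enrollmentCode still holds the placeholder text")
    elif code != code.strip():
        problems.append("enrollmentCode has leading or trailing whitespace")
    return problems


def plan_og_assignments(og_to_policy_group, policy_group_codes):
    """Map each OG to the Custom Settings for its policy group.

    Every policy group has its own enrollment code, so two groups sharing a code
    means the wrong code was copied; that is rejected rather than silently applied.
    """
    seen = {}
    for group, code in policy_group_codes.items():
        if code in seen:
            raise ValueError(f"policy groups {seen[code]!r} and {group!r} share enrollment code {code!r}")
        seen[code] = group
    plan = {}
    for og, group in og_to_policy_group.items():
        if group not in policy_group_codes:
            raise KeyError(f"OG {og!r} references unknown policy group {group!r}")
        plan[og] = build_mtd_custom_settings(policy_group_codes[group])
    return plan


if __name__ == "__main__":
    # Constructed layout: two child OGs under one parent, each on its own policy group.
    # "RHDOWG" is the page's example code; "QWERTY" is a made-up second code.
    layout = {"Global/MTD/Standard": "Default Group", "Global/MTD/Strict": "Strict"}
    codes = {"Default Group": "RHDOWG", "Strict": "QWERTY"}
    for og, settings in plan_og_assignments(layout, codes).items():
        print(f"--- paste into Custom Settings of OG {og} ---")
        print(settings)
        print("problems:", check_mtd_custom_settings(settings) or "none")
```

Run the checker against the exact text you pasted into the console; it reports the first structural error (invalid JSON or no mtdSettings object) on its own, and otherwise lists every field-level problem at once.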

Step 7 Deploy the Workspace ONE Intelligent Hub App

Follow this step only if you have devices that lack the Workspace ONE Intelligent Hub app.

  1. For all devices you intend to protect with Workspace ONE Mobile Threat Defense, whether you want the Phishing and Content Protection option or not, direct your end users to the following website using their device.

    https://getwsone.com/

  2. Direct end users to download and install this app. When the end user selects the above link from their device, the resulting website checks to see what kind of device it is. The website then supplies the correct installer for that device. For a mobile device like iOS or Android, the app installation process is no different than any other app installation process.

Next Steps

If you want to implement the optional phishing and content protections, then proceed to Step 8 Phishing and Content Protection.

Otherwise, the integration is complete.

Step 8 Configure Phishing and Content Protections in the MTD Console (Optional)

Phishing is the method of choice for cybercriminals to infect and infiltrate computers and end user devices. Corporate device users are especially vulnerable since they are heavily targeted. Phishing is the ultimate social engineering attack, giving a hacker the ability to go after hundreds or even thousands of devices all at once.

The Phishing and Content Protection (PCP) option from Workspace ONE Mobile Threat Defense provides an additional layer of valuable protection for supported devices.

  • Support for MDM Managed devices of the iOS and Android platforms.
  • Support for Hub Registered Android devices.

Regarding devices with per-app or full device VPN with Workspace ONE Tunnel and the Tunnel Service on Unified Access Gateway, the following limitations apply.

  • Supports only per-app Tunnel on iOS MDM Managed devices.
  • Supports per-app and full device Tunnel on Android MDM Managed and Hub Registered devices.

PREREQUISITES

Phishing and Content Protection requires new versions of Workspace ONE Intelligent Hub and Workspace ONE Tunnel.

  • For the devices you intend to protect with PCP, direct your device end users to visit https://getwsone.com/ on their devices.
  • Direct end users to download and install the newest version of Workspace ONE Intelligent Hub.

Instructions for installing the Workspace ONE Tunnel app on devices are included in Step 8a and Step 8b that follow.

  1. While logged in to the Mobile Threat Defense Console, navigate to the Protections menu.
  2. Ensure that you have selected the group that you want in Manage settings for: and that this group contains the devices for which you want Phishing and Content Protection to be enabled.
  3. Select the Phishing and Content Protection tab and apply the following settings.

    This screenshot shows the recommended settings for use with phishing and content protection in the Protections menu of the MTD console

  4. Activate the Enable Phishing and Content Protection slider.

  5. Ensure that the Secure DNS option is checked.
  6. Determine whether to make PCP mandatory.
    • You can optionally Make Phishing and Content Protection mandatory, and if you do, PCP is activated automatically on the device and a PCP disabled threat is generated in the Mobile Threat Defense console and on the device if PCP fails to activate.
    • However, if not set to mandatory, the device receives a notification that PCP is available to be activated and requires end user set up on the device.
  7. Scroll further down on the Phishing and Content Protection tab to reveal more sections.

    This screenshot shows the three sections under the main PCP config screen, DNS Corporate, Allowlist, and Denylist.

    • Secure DNS Corporate Domain Skip List - Enter the corporate or internal domains that you do not want resolved by the MTD DNS resolver. For domains on the skip list, the Device Traffic Rules configured in UEM apply instead. Any domain not on the skip list is routed through the MTD DNS resolver and therefore undergoes PCP checks. Add all your corporate domains here.
    • Allowlisted - Add a list of content that you are certain does not represent a threat.
    • Denylisted - Add a list of content that you want to make sure never is accessible to your device end users.
  8. Select the Policies tab.

    This screenshot shows the policies list for the Protections menu item.

  9. Scroll all the way to the bottom to view the Disabled Policies section. Policies in this section are disabled; all policies listed above it are enabled.

    To enable disabled policies, add a check mark in each one's check box, scroll back to the top of the listing, then select the Enable button.

    This screenshot shows the Enable button for the Policies listing.

    Similarly, to disable enabled policies, add a check mark in each one's check box, scroll back to the top, then select the Disable button.

  10. Configure content policies by specifying the Risk Level and Response for each unwanted content type in the policies listing. Define categories of content you would like to include in your content policy e.g., adult content, criminal content, etc.

  11. After enabling policies and defining content categories, you must confirm these actions by selecting the Save Changes button located at the bottom-right of the policy listing.

Step 8a Configure iOS Devices

On iOS devices, Phishing and Content Protection is delivered by configuring a custom DNS provider using the provided custom profile configuration in Workspace ONE UEM. Take the following steps to configure the iOS devices with PCP protection.

  1. In Workspace ONE UEM, move to the organization group (OG) that directly manages or is a parent of OGs that manage the iOS devices you intend to protect with PCP.

    This screenshot shows the Public tab of the Resources, Add Native apps in UEM

  2. Navigate to Resources > Apps > Native and select the Public tab.

  3. Select the Add Application button. The Add Application screen displays.

    This screenshot shows the Add Application screen, prepopulated with the iOS platform and Tunnel search parameters.

  4. For Platform, select Apple iOS and enable the Search App Store option.

  5. For Name, enter “Workspace ONE Tunnel”
  6. Select the Next button. The Search results display.
  7. Click the +Select button next to the correct result, making sure the version is at least 23.05. The Add Application screen displays again.
  8. Select the Save & Assign button. The Tunnel - Workspace ONE - Assignment screen displays.

    This screenshot shows the Distribution tab of the App Assignment screen.

  9. In the Distribution tab, enter a Name, Description, and for Assignment Groups, select the name of the smart group you are using to deliver Mobile Threat Defense to devices.

  10. For App Delivery Method, select the Auto radio button.

    This screenshot shows the Restrictions tab of the App Assignment screen.

  11. Move to the Restrictions tab and enable the following options.

    • Managed Access
    • Remove on Unenroll
    • Make App MDM Managed if User installed
  12. Select Create
  13. Select Save or Save & Publish. iOS device end users receive a prompt to install Workspace ONE Tunnel, which you should direct them to accept.
  14. Navigate to Resources > Profiles & Baselines > Profiles and select Add > Add Profile > iOS > Device Profile.
  15. In the left panel, scroll all the way down and select the Custom Settings payload. Select the Configure button to edit the payload and enter the following XML code in the custom settings text box. AppBundleIdentifier must be the Workspace ONE Tunnel bundle ID shown, PayloadUUID must be a valid UUID that is unique among the payloads in the profile, and the sample follows the convention of ending PayloadIdentifier with that same UUID.

    This screenshot shows the Custom Settings text box with the correct XML code needed to use the PCP option in Mobile Threat Defense

    <dict>
        <key>AppBundleIdentifier</key>
        <string>com.vmware.ios-tunnel</string>
        <key>PayloadDisplayName</key>
        <string>DNS-Proxy</string>
        <key>PayloadType</key>
        <string>com.apple.dnsProxy.managed</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>PayloadIdentifier</key>
        <string>com.apple.dnsProxy.managed.41CB9A8F-3324-4F97-8C4A-7746E835045F</string>
        <key>PayloadUUID</key>
        <string>41CB9A8F-3324-4F97-8C4A-7746E835045F</string>
    </dict>
    
  16. In the left panel, scroll all the way up, select the General payload, and apply the following settings.

    Setting Recommended Entry
    Name iOS-MTD-PCP
    Deployment Managed
    Assignment Type Auto
    Managed By The entry here should be pre-populated with the OG you moved to in step 1.
    Smart Groups Select the name of the smart group that contains all the iOS devices in this OG.

    This screenshot shows the general payload screen of the iOS profile for PCP enablement of the MTD device profile.

    Complete other fields per your preferences or leave as default.

  17. Select the Save and Publish button.
  18. Direct your iOS device end users to launch the Workspace ONE Intelligent Hub app. Once activated, they receive a notification on the iOS device from Hub that reads “Safe Browsing is activated.”
  19. In the Intelligent Hub app, navigate to the Support tab and select Device Details where a short card notice reports that PCP is activated.
  20. If you have configured PCP to be not mandatory, then the Safe Browsing toggle must be enabled on the device by the end user.
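The DNS proxy payload in step 15 is a plist fragment typed by hand, and a malformed fragment or a reused PayloadUUID fails only after the profile reaches the device. The following script is an added example, not code from the page or the product: it generates the com.apple.dnsProxy.managed payload for the Workspace ONE Tunnel bundle ID with a fresh UUID, renders just the <dict> fragment that UEM's Custom Settings box expects (UEM wraps it in the outer plist), and checks a pasted fragment for the things that break it: XML that does not parse, the wrong PayloadType or AppBundleIdentifier, and a PayloadUUID that is not a UUID. The check that PayloadIdentifier ends with the PayloadUUID is the page's own naming convention, not an Apple requirement, and is flagged as such.

```python
"""Generate and check the iOS DNS proxy Custom Settings payload for MTD PCP.

Added example, not Omnissa/VMware code.
"""
import plistlib
import uuid

DNS_PROXY_PAYLOAD_TYPE = "com.apple.dnsProxy.managed"
TUNNEL_BUNDLE_ID = "com.vmware.ios-tunnel"  # Workspace ONE Tunnel, as given on the page
PLIST_HEAD = '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">'
PLIST_TAIL = "</plist>"


def build_dns_proxy_payload(bundle_id=TUNNEL_BUNDLE_ID, payload_uuid=None,
                            display_name="DNS-Proxy"):
    """Return the payload dict; a new UUID is generated unless one is supplied."""
    payload_uuid = (payload_uuid or str(uuid.uuid4())).upper()
    return {
        "AppBundleIdentifier": bundle_id,
        "PayloadDisplayName": display_name,
        "PayloadType": DNS_PROXY_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        # Page convention: identifier is the payload type suffixed with the UUID.
        "PayloadIdentifier": f"{DNS_PROXY_PAYLOAD_TYPE}.{payload_uuid}",
        "PayloadUUID": payload_uuid,
    }


def render_custom_settings(payload):
    """plistlib emits a whole document; UEM's Custom Settings box wants only the <dict>."""
    doc = plistlib.dumps(payload, sort_keys=False).decode()
    start = doc.index("<dict>")
    end = doc.rindex("</dict>") + len("</dict>")
    return doc[start:end]


def check_custom_settings(fragment):
    """Return a list of problems with a pasted DNS proxy fragment (empty list = OK)."""
    wrapped = (PLIST_HEAD + fragment + PLIST_TAIL).encode()
    try:
        d = plistlib.loads(wrapped)
    except Exception as exc:  # expat errors, InvalidFileException, ...
        return [f"not valid plist XML: {exc}"]
    if not isinstance(d, dict):
        return ["fragment must be a single <dict>"]
    problems = []
    if d.get("PayloadType") != DNS_PROXY_PAYLOAD_TYPE:
        problems.append(f"PayloadType must be {DNS_PROXY_PAYLOAD_TYPE}")
    if d.get("AppBundleIdentifier") != TUNNEL_BUNDLE_ID:
        problems.append(f"AppBundleIdentifier must be {TUNNEL_BUNDLE_ID}")
    if d.get("PayloadVersion") != 1:
        problems.append("PayloadVersion must be the integer 1")
    payload_uuid = d.get("PayloadUUID", "")
    try:
        uuid.UUID(str(payload_uuid))
    except ValueError:
        problems.append("PayloadUUID is not a valid UUID")
    if not str(d.get("PayloadIdentifier", "")).endswith(str(payload_uuid)):
        problems.append("PayloadIdentifier does not end with PayloadUUID")
    return problems


if __name__ == "__main__":
    fragment = render_custom_settings(build_dns_proxy_payload())
    print(fragment)
    print("problems:", check_custom_settings(fragment) or "none")
```

Generate one fragment per profile rather than copying the sample's UUID into several profiles, so each profile's payload keeps a distinct PayloadUUID.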

While VPN Tunnel functionality is not a required step to integrate Mobile Threat Defense with Workspace ONE UEM, if you have the desire to activate this functionality and a valid VPN Tunnel license, you can make it work with MTD. To configure this functionality, see the following topics, in order.

Step 8b Configure Android Devices

The Workspace ONE Intelligent Hub with PCP functionality should already be installed on Android devices per the Prerequisites. Older versions of Intelligent Hub do not support Phishing and Content Protection, so if you have not already done so, follow Step 7 Deploy the Workspace ONE Intelligent Hub App.

Workspace ONE Tunnel must be present in the Work Container, on devices with both Personal and Work Profile, in order for PCP to be activated. If there is a need to assign Tunnel as an internal app, you can also upload the Tunnel APK file in Workspace ONE UEM and assign the application to all targeted Android devices. The Tunnel app is pushed to the device after it is enrolled in Workspace ONE UEM.

  1. In Workspace ONE UEM, move to the organization group (OG) that directly manages or is a parent of OGs that manage the Android devices you intend to protect with PCP.

    This screenshot shows the Public tab of the Resources, Add Native apps in UEM

  2. Navigate to Resources > Apps > Native and select the Public tab.

  3. Select the Add Application button. The Add Application screen displays.

    This screenshot shows the Add Application screen.

  4. For Platform, select Android.

  5. Open a new tab in your browser and visit the Google Play store (https://play.google.com/).
  6. Initiate a search by selecting the magnifying glass at the top-right corner of the Google Play Store. Use “Workspace ONE Tunnel” as the search parameter.
  7. Select the app from the search results so that the URL looks similar to this: https://play.google.com/store/apps/details?id=com.airwatch.tunnel. This is the URL you can use for the Add Application screen.
  8. For Enter URL, enter the URL of the Google Play Store page for the app in the previous step.
  9. Select the Next button. An expanded version of the Add Application screen displays.
  10. For the required text box Name, enter “Workspace ONE Tunnel”.
  11. Select the Save & Assign button. The Workspace ONE Tunnel- Assignment screen displays.

    This screenshot shows the Distribution tab of the App Assignment screen.

  12. In the Distribution tab, enter a Name, Description, and for Assignment Groups, select the name of the smart group you are using to deliver Mobile Threat Defense to devices.

  13. For App Delivery Method, select the Auto radio button.
  14. For Auto Update Priority, hover your mouse cursor over the info badge to the far right of the screen to determine which option you want.

    This screenshot shows the Restrictions tab of the App Assignment screen.

  15. Move to the Restrictions tab and based on the EMM Managed Access description you see in the blue box, you must determine whether you want to enable Managed Access.

  16. Select Create
  17. Select Save or Save & Publish. Android device end users receive a prompt to install Workspace ONE Tunnel, which you should direct them to accept.
  18. Direct your Android device end users to launch the Workspace ONE Intelligent Hub app. Once activated, they receive a notification on the Android device from Hub that reads “Safe Browsing is activated.”
  19. In the Intelligent Hub app, navigate to the Support tab and select Device Details where a short card notice reports that PCP is activated.
  20. If you have configured PCP to be not mandatory, then the Safe Browsing toggle must be enabled on the device by the end user.

While VPN Tunnel functionality is not a required step to integrate Mobile Threat Defense with Workspace ONE UEM, if you have the desire to activate this functionality and a valid VPN Tunnel license, you can make it work with MTD. To configure this functionality, see the following topics, in order.

You can also configure Mobile Single Sign-On (SSO) with Workspace ONE Tunnel. For detailed documentation and instructions, see Implementing Mobile Single Sign-On Authentication for Workspace ONE UEM Managed Android Devices
