Workspace ONE UEM - Device Identity & Enhanced TrustScoring

Configure Banyan to leverage VMware Workspace ONE UEM for Device Identity using pre-installed device certs and for Enhanced TrustScoring via API integrations

Updated on Feb 18, 2022

This article describes features that are only available in the Banyan Enterprise edition.

Overview
Setup
- A. Enable Workspace ONE UEM API Access
- B. Trust Device Certificates issued by your Enterprise Certificate Authority
Additional Notes
- MDM Fail Open/Closed
- TrustScoring Integration

This article covers how to integrate with Workspace ONE UEM for Device Identity using pre-installed certificates and for Enhanced TrustScoring via APIs. For detailed instructions on how to distribute the Banyan Desktop App to your entire fleet of managed devices go to our article on distributing the Desktop App.

Overview

Workspace ONE UEM configures and manages endpoints (desktop and mobile) in your enterprise. Banyan integrates with your organization’s Workspace ONE UEM account to ensure only approved managed devices can access Banyan-secured services.

There are two main parts to configuring the Workspace ONE UEM-Banyan integration. Part-A enables API access to gather data for Enhanced TrustScoring. Part-B enables Device Identity using pre-installed device certs. You may do either or both of these steps.

A. Enable Workspace ONE UEM API access so Banyan can gather device information from Workspace ONE UEM.
B. Trust Device Certificates issued by your Enterprise Certificate Authority so Banyan can utilize device certificates on your Workspace ONE UEM-managed devices.

With these configurations in place you can use Workspace ONE UEM to deploy device certs that will be trusted by Banyan, and to configure Enhanced TrustScoring.

Setup

A. Enable Workspace ONE UEM API Access

Workspace ONE UEM API access is used by Banyan to gather device information.

A1. In the Workspace ONE UEM Console, create a Role for the Banyan API

Navigate to Accounts > Administrators > Roles
Create a new Role
Grant access to the device APIs: REST - Devices - REST APIs for device management

A2. In the Workspace ONE UEM Console, create an Admin account

Navigate to Accounts > Administrators > List View
Click the Add button and choose Add Admin
Add this Admin to the Role you created previously in step A1
In the API tab, ensure Basic Auth is selected

A3. In the Workspace ONE UEM Console, create an API key

Navigate to Groups & Settings > All Settings > System > Advanced > API > REST API
Click Add to generate a new API key (also known as an Workspace ONE UEM Tenant Code)

A4. In the Banyan Command Center, save the Workspace ONE UEM credentials

Navigate to Settings > TrustProvider Settings > Device Manager
Set Device Manager Name to Workspace ONE UEM
Enter the API Host URL, Workspace ONE UEM Username and Password, and API Key
Select a Fail Mode according to your business needs* (see MDM Fail Open/Closed for more information)
Click Update API Config to save the Workspace ONE UEM credentials

A5. Specify MDM parameters in the Desktop App `mdm-config.json` file

If you are using Workspace ONE UEM to distribute the Banyan Desktop App, you need to set a few additional parameters in the mdm-config.json file so Banyan’s TrustScoring engine can correlate data from devices running the Banyan Desktop App with the data in Workspace ONE UEM:

Set mdm_present to true to inform Banyan that the device is managed by a Device Manager; for use in Device TrustScoring.

Note: if the mdm_present value is set to true, you must set the mdm_vendor_udid parameter as well.

Set mdm_vendor_name to airwatch to inform Banyan that the device is managed by Workspace ONE UEM; for use in Device TrustScoring.
Set mdm_vendor_udid to the device’s specific Workspace ONE UEM UDID to associate the device with its Workspace ONE UEM compliance factors; for use in Device TrustScoring. You can check a device’s Workspace ONE UEM UDID by logging into your Workspace ONE UEM Console, locating a specific device, and reviewing the Device Details summary.

See the note on TrustScoring Integration for more information on how Banyan’s TrustScoring engine uses device detail information from Workspace One UEM.

B. Trust Device Certificates issued by your Enterprise Certificate Authority

Your organization may already use Workspace ONE UEM to deploy device certificates on all managed devices using an Enterprise Certificate Authority, such as Symantec. Banyan can seamlessly integrate with certificates issued by those CAs and deployed via Workspace ONE UEM.

B1. Gather the full certificate chain of the Root CA used to sign device certificates

B2. In the Workspace ONE UEM Console, get the format used for the CN field

B3. In the Banyan Command Center, update the Device Certificate Configuration

Enter the Cert - Root CA and Cert - Common Name
Click Update Device Cert

Cert Fields in TrustProvider Settings

Now, you have successfully enabled Workspace ONE UEM API access and configured Banyan TrustProvider. Banyan now can leverage Workspace ONE UEM to establish trust with your directory of devices.

Additional Notes

MDM Fail Open/Closed

When entering the Workspace ONE UEM credentials in the Banyan Command Center, you are given the option to select a Fail Mode when Workspace ONE UEM is offline:

If set to FAIL CLOSED, Banyan redirects the end-user to an HTML error page.
If set to FAIL OPEN, Banyan issues the end-user a user-claims-only token. The end-user can access any Service where the Policy doesn’t mandate a trusted device or TrustScore requirements.

TrustScoring Integration

Banyan uses the Workspace ONE UEM Devices API (/api/mdm/devices?searchby=Serialnumber&id=%s) to query device data to use in its TrustScoring engine, and looks for the Compliance attribute associated with a given device.

If the Compliance attribute for a device is Non-Compliant, the device’s TrustScore is dropped to 0.

If the Compliance attribute for a device is a value other than Non-Compliant (such as Compliant, Pending Compliance Check, Not Available, Unknown, etc), the device’s TrustScore is impacted based on whether the Banyan App is installed or not:

Scenario 1. Banyan App is installed, and its mdm-config.json is set for Banyan’s TrustScoring engine to correlate data using the Workspace ONE UEM API, as in Setup A-5 above. If the Banyan App is installed and the Compliance attribute for a device is a value other than Non-Compliant, the device’s TrustScore is not impacted. In this scenario, Banyan also utilizes smart caching rules to account for connectivity issues with the API. If the Workspace ONE UEM Devices API returns a 50x error, Banyan’s TrustScoring engine will look in its internal Device Database for the last compliance status recorded, and use that in the device’s TrustScore computation.
Scenario 2. Banyan App is not installed; instead, the device can be identified by the certificate issued by an Enterprise CA, as in Setup B above. If the Banyan App is not installed and the Compliance attribute for a device is a value other than Non-Compliant, the device’s TrustScore is directly set to the maximum value, 100.