Integrate with VMware Workspace ONE UEM

Prerequisites

• Reverse proxy enabled for the cloud service you want to protect
• VMware Workspace ONE UEM  instance, which has already been integrated with an Enterprise Certificate Authority
• Skyhigh Cloud Connector virtual machine ready for MDM integration
• Cloud service deployment (Office 365 for example) with a valid user account
• SSO integrated with the cloud service
• SSO configured to use the Skyhigh CASB reverse proxy 

Step 1: Create a Certificate Authority in VMware Workspace ONE UEM

1. Using the instructions found in Configure Active Directory Certificate Authority in VMware Workspace ONE, create a CA to connect to the Cloud Connector.
2. Make sure to choose the following:

• Protocol. Choose ADCS. Use VMware Workspace ONE UEM Cloud Connector (VCC) to connect to the Windows Enterprise Certificate Authority.
• Server Hostname. Enter the FWDN on the server in AWS, co-located with ACC. This must be resolvable to VCC and point to the CA.
• Authority Name. Enter the name of the CA server as shown in the Windows Certificate Authority manager (hostname with the domain prefixed and CA appended).
• Authentication. Choose Service Account using a standard AD user account.

Step 2: Add a Certificate Request Template in VMware Workspace ONE UEM

It is important the request have a subject alternate name (SAN) that includes the DeviceUid. When a device registers with VMware Workspace ONE UEM, the AW agent detects the device UID. This is then included in the certificate request from AW to the CA server. The UID is then included in the provided certificate and this is what Skyhigh CASB needs to see to validate the device certificate.

1. Using the instructions found in Add Certificate Template in VMware Workspace ONE UEM, create a Certificate Template.
2. Make sure to choose the following:

• Subject Name. Set to CN={EmailAddress}
• SAN type. Choose DNS Name and {DeviceUid}

Step 3: Add Device Profiles in VMware Workspace ONE UEM

Device profiles are created for each device type to be managed by VMware Workspace ONE UEM. Each profile is configured to use the CA server as it's source for credentials.

Instructions are found here: 

• Apple iOS 
• Android

Step 4: Configure Skyhigh CASB

1. Choose Access Control > Device Management.

2. Under the Establish Domain tab, enter or verify that the Original domain is set to the device.

3. Under the Customize Portal tab, enable the feature. This feature enables the device UID check. Choose Device Management portal colors.

3. Download the VMware Workspace ONE UEM CA file. This is the public certificate of the CA server that signs the mobile device certificates.

4. Under the Device Certificates tab, upload the CA certificate and set the Populate Device ID from the certificate for the following device types to All.

Step 5: Enable Cloud Access Policies

Cloud Access Control Policies are used to provide the correct behavior for managed and unmanaged devices by creating policies that require an unmanaged device to register before accessing a page, for example. Certificates are OS-agnostic, version-independent, and can be easily revoked or cycled, offering you a great deal of control and flexibility in cloud access management.

Policies are built on conditions (rules) and actions. Conditions are used with IS or IS NOT arguments to define the specific situation when a policy should be enacted. Actions then determine what happens when a policy is enacted.

You need a cloud access policy configured to check for the certificate. For example, you could create a Cloud Access policy that does the following:

• If:
  • 'Service' is 'Microsoft Office 365 and OneDrive'
  • AND
  • 'Device Type' is 'Native Apps'
• Then: 
  • Check cert: Redirect Managed, Block Unmanaged.

Another example:

• If:
  • Service is Microsoft Office 365 and OneDrive
• Then: 
  • Check cert: Redirect Managed, Proxy Unmanaged

For more information, see Cloud Access Policies.