Workspace ONE UEM - Device Identity & Enhanced TrustScoring
Configure Banyan to leverage VMware Workspace ONE UEM for Device Identity using pre-installed device certs and for Enhanced TrustScoring via API integrations
This article covers how to integrate with Workspace ONE UEM for Device Identity using pre-installed certificates and for Enhanced TrustScoring via APIs. For detailed instructions on how to distribute the Banyan Desktop App to your entire fleet of managed devices go to our article on distributing the Desktop App.
Workspace ONE UEM configures and manages endpoints (desktop and mobile) in your enterprise. Banyan integrates with your organization’s Workspace ONE UEM account to ensure only approved managed devices can access Banyan-secured services.
There are two main parts to configuring the Workspace ONE UEM-Banyan integration. Part-A enables API access to gather data for Enhanced TrustScoring. Part-B enables Device Identity using pre-installed device certs. You may do either or both of these steps.
A. Enable Workspace ONE UEM API access so Banyan can gather device information from Workspace ONE UEM.
B. Trust Device Certificates issued by your Enterprise Certificate Authority so Banyan can utilize device certificates on your Workspace ONE UEM-managed devices.
With these configurations in place you can use Workspace ONE UEM to deploy device certs that will be trusted by Banyan, and to configure Enhanced TrustScoring.
A. Enable Workspace ONE UEM API Access
Workspace ONE UEM API access is used by Banyan to gather device information.
A1. In the Workspace ONE UEM Console, create a Role for the Banyan API
- Navigate to Accounts > Administrators > Roles
- Create a new Role
- Grant access to the device APIs: REST - Devices - REST APIs for device management
A2. In the Workspace ONE UEM Console, create an Admin account
- Navigate to Accounts > Administrators > List View
- Click the Add button and choose Add Admin
- Add this Admin to the Role you created previously in step A1
- In the API tab, ensure Basic Auth is selected
A3. In the Workspace ONE UEM Console, create an API key
- Navigate to Groups & Settings > All Settings > System > Advanced > API > REST API
- Click Add to generate a new API key (also known as a Workspace ONE UEM Tenant Code)
A4. In the Banyan Command Center, save the Workspace ONE UEM credentials
- Navigate to Settings > TrustProvider Settings > Device Manager
- Set Device Manager Name to Workspace ONE UEM
- Enter the API Host URL, Workspace ONE UEM Username and Password, and API Key
- Select a Fail Mode according to your business needs (see MDM Fail Open/Closed below for more information)
- Click Update API Config to save the Workspace ONE UEM credentials
A5. Specify MDM parameters in the Desktop App
If you are using Workspace ONE UEM to distribute the Banyan Desktop App, you need to set a few additional parameters in the mdm-config.json file so Banyan's TrustScoring engine can correlate data from devices running the Banyan Desktop App with the data in Workspace ONE UEM:
- Set the value to true to inform Banyan that the device is managed by a Device Manager; for use in Device TrustScoring.
- Set the value to airwatch to inform Banyan that the device is managed by Workspace ONE UEM; for use in Device TrustScoring.
- Set mdm_vendor_udid to the device's specific Workspace ONE UEM UDID to associate the device with its Workspace ONE UEM compliance factors; for use in Device TrustScoring. You can check a device's Workspace ONE UEM UDID by logging into your Workspace ONE UEM Console, locating the specific device, and reviewing the Device Details summary.
See the note on TrustScoring Integration below for more information on how Banyan's TrustScoring engine uses device detail information from Workspace ONE UEM.
B. Trust Device Certificates issued by your Enterprise Certificate Authority
Your organization may already use Workspace ONE UEM to deploy device certificates on all managed devices using an Enterprise Certificate Authority, such as Symantec. Banyan can seamlessly integrate with certificates issued by those CAs and deployed via Workspace ONE UEM.
B1. Gather the full certificate chain of the Root CA used to sign device certificates
B2. In the Workspace ONE UEM Console, get the format used for the CN field
B3. In the Banyan Command Center, update the Device Certificate Configuration
- Enter the Cert - Root CA and Cert - Common Name
- Click Update Device Cert
Cert Fields in TrustProvider Settings
You have now enabled Workspace ONE UEM API access and configured the Banyan TrustProvider. Banyan can now leverage Workspace ONE UEM to establish trust with your directory of devices.
MDM Fail Open/Closed
When entering the Workspace ONE UEM credentials in the Banyan Command Center, you are given the option to select a Fail Mode when Workspace ONE UEM is offline:
- If set to FAIL CLOSED, Banyan redirects the end-user to an HTML error page.
- If set to FAIL OPEN, Banyan issues the end-user a user-claims-only token. The end-user can access any Service where the Policy doesn’t mandate a trusted device or TrustScore requirements.
TrustScoring Integration
Banyan uses the Workspace ONE UEM Devices API (/api/mdm/devices?searchby=Serialnumber&id=%s) to query device data for use in its TrustScoring engine, and looks for the Compliance attribute associated with a given device.
If the Compliance attribute for a device is Non-Compliant, the device's TrustScore is dropped to 0.
If the Compliance attribute for a device is a value other than Non-Compliant (such as Pending Compliance Check, Unknown, etc.), the device's TrustScore is impacted based on whether the Banyan App is installed or not:
Scenario 1. The Banyan App is installed, and its mdm-config.json is set for Banyan's TrustScoring engine to correlate data using the Workspace ONE UEM API, as in Setup A5 above. If the Banyan App is installed and the Compliance attribute for a device is a value other than Non-Compliant, the device's TrustScore is not impacted. In this scenario, Banyan also uses smart caching rules to account for connectivity issues with the API: if the Workspace ONE UEM Devices API returns a 50x error, Banyan's TrustScoring engine looks in its internal Device Database for the last compliance status recorded, and uses that in the device's TrustScore computation.
Scenario 2. The Banyan App is not installed; instead, the device is identified by the certificate issued by an Enterprise CA, as in Setup B above. If the Banyan App is not installed and the Compliance attribute for a device is a value other than Non-Compliant, the device's TrustScore is directly set to the maximum value, 100.
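The following Python model is an added example, not Banyan's or VMware's code. It ties together the credentials gathered in steps A2 to A4 (Basic Auth admin plus API key) into the Devices API lookup quoted above, and then applies the TrustScore rules from this note to sample lookup results: Non-Compliant drops the score to 0, a 50x error falls back to the last cached status, an App-installed device keeps its existing score, and a certificate-only device is set to 100. The aw-tenant-code header name, the DeviceLookup type, the base_score input, and all host, credential and serial values are assumptions or constructed samples; the article only names the API key and the query path.

```python
"""Model of the Workspace ONE UEM integration rules described in this article.

Added example, not Banyan's or VMware's code. It builds the Devices API lookup
from the credentials gathered in steps A2-A4 and applies the TrustScore rules
from the TrustScoring Integration note: Non-Compliant -> 0, 50x error -> last
cached status, App installed -> score unchanged, cert-only device -> 100.
"""
from __future__ import annotations

import base64
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote

# Devices API path quoted in the article; %s is the device serial number.
DEVICES_API_PATH = "/api/mdm/devices?searchby=Serialnumber&id=%s"
NON_COMPLIANT = "Non-Compliant"
MAX_TRUSTSCORE = 100


def devices_api_request(api_host: str, username: str, password: str,
                        api_key: str, serial: str) -> tuple[str, dict[str, str]]:
    """Return (url, headers) for the Workspace ONE UEM Devices API lookup.

    username/password are the Basic Auth admin from step A2; api_key is the
    REST API key (tenant code) from step A3. The 'aw-tenant-code' header name
    is the Workspace ONE UEM REST convention and is an assumption here, since
    the article only names the key itself.
    """
    url = api_host.rstrip("/") + DEVICES_API_PATH % quote(serial, safe="")
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "aw-tenant-code": api_key,
        "Accept": "application/json",
    }
    return url, headers


@dataclass
class DeviceLookup:
    """Outcome of one Devices API call (a constructed type for this example)."""
    http_status: int
    compliance: Optional[str]  # value of the device's Compliance attribute


def effective_compliance(lookup: DeviceLookup,
                         cached_status: Optional[str]) -> Optional[str]:
    """Smart-caching rule: on a 50x error use the last status recorded in the
    internal Device Database instead of the (absent) API value."""
    if 500 <= lookup.http_status <= 599:
        return cached_status
    return lookup.compliance


def trustscore(base_score: int, lookup: DeviceLookup, app_installed: bool,
               cached_status: Optional[str] = None) -> int:
    """Apply the TrustScore rules to one device.

    base_score is the score the engine computed from its other factors; it is
    an input here because the article does not describe how it is derived.
    """
    status = effective_compliance(lookup, cached_status)
    if status == NON_COMPLIANT:
        return 0
    # Any other value (Compliant, Pending Compliance Check, Unknown, or no
    # cached value at all, which this model treats like Unknown) does not
    # penalise the device.
    if app_installed:
        return base_score          # Scenario 1: score not impacted
    return MAX_TRUSTSCORE          # Scenario 2: cert-identified device


def offline_outcome(fail_mode: str) -> str:
    """Fail Mode behaviour when Workspace ONE UEM itself is offline."""
    if fail_mode == "FAIL CLOSED":
        return "html_error_page"
    if fail_mode == "FAIL OPEN":
        return "user_claims_only_token"
    raise ValueError(f"unknown fail mode: {fail_mode!r}")


if __name__ == "__main__":
    # Constructed sample values, not a real tenant, admin or device.
    url, headers = devices_api_request("https://uem.example.com", "banyan-api",
                                       "example-password", "EXAMPLE_TENANT_CODE",
                                       "C02ABC123XYZ")
    print(url, headers["aw-tenant-code"])
    print(trustscore(85, DeviceLookup(200, "Compliant"), app_installed=True))
    print(trustscore(85, DeviceLookup(503, None), app_installed=True,
                     cached_status="Non-Compliant"))
```

Keeping the compliance lookup, the caching fallback and the score rule as separate functions makes each of the four outcomes in this note testable on its own, which is also how you would verify a tenant's Fail Mode and compliance mapping before rolling the integration out to the whole fleet.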
Last modified: Mar 16, 2021