Configure Banyan to leverage VMware Workspace ONE UEM for Device Identity using pre-installed device certs and for Enhanced TrustScoring via API integrations
This article covers how to integrate with Workspace ONE UEM for Device Identity using pre-installed certificates and for Enhanced TrustScoring via APIs. For detailed instructions on how to distribute the Banyan Desktop App to your entire fleet of managed devices go to our article on distributing the Desktop App.
Workspace ONE UEM configures and manages endpoints (desktop and mobile) in your enterprise. Banyan integrates with your organization’s Workspace ONE UEM account to ensure only approved managed devices can access Banyan-secured services.
There are two main parts to configuring the Workspace ONE UEM-Banyan integration. Part-A enables API access to gather data for Enhanced TrustScoring. Part-B enables Device Identity using pre-installed device certs. You may do either or both of these steps.
A. Enable Workspace ONE UEM API access so Banyan can gather device information from Workspace ONE UEM.
B. Trust Device Certificates issued by your Enterprise Certificate Authority so Banyan can utilize device certificates on your Workspace ONE UEM-managed devices.
With these configurations in place you can use Workspace ONE UEM to deploy device certs that will be trusted by Banyan, and to configure Enhanced TrustScoring.
Workspace ONE UEM API access is used by Banyan to gather device information.
If you are using Workspace ONE UEM to distribute the Banyan Desktop App, you need to set a few additional parameters in the
mdm-config.json file so Banyan’s TrustScoring engine can correlate data from devices running the Banyan Desktop App with the data in Workspace ONE UEM:
trueto inform Banyan that the device is managed by a Device Manager; for use in Device TrustScoring.
airwatchto inform Banyan that the device is managed by Workspace ONE UEM; for use in Device TrustScoring.
mdm_vendor_udidto the device’s specific Workspace ONE UEM UDID to associate the device with its Workspace ONE UEM compliance factors; for use in Device TrustScoring. You can check a device’s Workspace ONE UEM UDID by logging into your Workspace ONE UEM Console, locating a specific device, and reviewing the Device Details summary.
See the note on TrustScoring Integration for more information on how Banyan’s TrustScoring engine uses device detail information from Workspace One UEM.
Your organization may already use Workspace ONE UEM to deploy device certificates on all managed devices using an Enterprise Certificate Authority, such as Symantec. Banyan can seamlessly integrate with certificates issued by those CAs and deployed via Workspace ONE UEM.
Cert Fields in TrustProvider Settings
Now, you have successfully enabled Workspace ONE UEM API access and configured Banyan TrustProvider. Banyan now can leverage Workspace ONE UEM to establish trust with your directory of devices.
When entering the Workspace ONE UEM credentials in the Banyan Command Center, you are given the option to select a Fail Mode when Workspace ONE UEM is offline:
Banyan uses the Workspace ONE UEM Devices API (
/api/mdm/devices?searchby=Serialnumber&id=%s) to query device data to use in its TrustScoring engine, and looks for the Compliance attribute associated with a given device.
If the Compliance attribute for a device is
Non-Compliant, the device’s TrustScore is dropped to 0.
If the Compliance attribute for a device is a value other than
Non-Compliant (such as
Pending Compliance Check,
Unknown, etc), the device’s TrustScore is impacted based on whether the Banyan App is installed or not:
Scenario 1. Banyan App is installed, and its
mdm-config.json is set for Banyan’s TrustScoring engine to correlate data using the Workspace ONE UEM API, as in Setup A-5 above. If the Banyan App is installed and the Compliance attribute for a device is a value other than
Non-Compliant, the device’s TrustScore is not impacted.
In this scenario, Banyan also utilizes smart caching rules to account for connectivity issues with the API. If the Workspace ONE UEM Devices API returns a
50x error, Banyan’s TrustScoring engine will look in its internal Device Database for the last compliance status recorded, and use that in the device’s TrustScore computation.
Scenario 2. Banyan App is not installed; instead, the device can be identified by the certificate issued by an Enterprise CA, as in Setup B above. If the Banyan App is not installed and the Compliance attribute for a device is a value other than
Non-Compliant, the device’s TrustScore is directly set to the maximum value, 100.