The Australian Cyber Security Centre (ACSC) Essential Eight Maturity Model provides a set of recommended cyber principles for organisations of any type or size. VMware has extensive experience with the Essential Eight Maturity Model and supports customers in Australia who are required to comply with the Essential Eight.
The Essential 8 (E8) is divided across three primary objectives. To prevent attacks, limit attack impact, and ensure data availability.
This purpose of this article is to detail how organisations can implement the E8 maturity model specific to endpoint devices (primarily Windows 10 and macOS) using Workspace ONE UEM and the reporting and automation features of Intelligence. Specific hardening recommendations will also be detailed for mobile devices which is also detailed by the ACSC (see Other Recommendations at the end of this article).
Before implementing the recommendations in this article, I’d recommend you review the whitepaper VMware and the Essential Eight published on VMware Techzone. This paper explains how a number of complimentary VMware solutions can be deployed to address the Essential Eight. It covers the broader set of services from technologies from VMware such as VMware NSX, Carbon Black, vSphere, Aria Automation Config, Cloud Disaster Recovery and of course Workspace ONE.
As detailed in the whitepaper, Workspace ONE UEM can primarily assist customers address six of the eight mitigation strategies from the E8 recommendations.
That being said, Workspace ONE UEM can assist to compliment other solutions and enable operating system controls for Application Control category as you’ll see outlined below.
This article also details other VMware End User Computing services which compliment Workspace ONE to address the tenants of the Essential Eight, namely:
- Workspace ONE Access
- Dynamic Environment Manager (DEM)
- Workspace ONE Intelligence
- VMware Horizon
Prevent Cyber Attacks
This section includes four key areas which organisation can follow to assist them with preventing cyber attacks being initiated from endpoint devices by leveraging VMware technologies, primarily using Workspace ONE UEM.
1. Application Control
Carbon Black App Control
VMware recommend Carbon Black for advanced application controls. App Control tracks (at the time of writing) files of interest (executables, libraries, scripts, and installers) on endpoints. Whitelisting is achieved via a flexible trust model (not a traditional hash list that is difficult to maintain). In High Enforcement (default deny), no new unapproved files may execute unless they meet the rules defined in the security policy.
App Control has an expansive set of features and functionality matured over its 18yrs of development and maintenance.
App Control features/capabilities include:
- Broad OS/Platform support (Windows (2003/XP – Current), MacOS, Linux (CentOS/RHEL 6 – 8))
- Control of scripts and script interpreters
- Cloud file reputation (billions of known good and bad files)
- RESTful API (Network connectors including sandboxes and custom file analysis solutions)
- Broad file approval mechanism (Hash, Publisher (Certificates), User, Directory, Memory, Registry, Reputation, File Content (YARA), and Custom Rules). Custom Rule logic includes paths, files, wildcards/patterns, tags (YARA) and can be filtered by users, groups, computers, and process arguments. Expert Rules (a type of Custom rule) provide access to low level filesystem operations e.g., DLL loads etc.
App Control exceeds the Essential Eight criteria for Maturity Level 3. Built-in functionality negates the need for many of the recommended Microsoft block rules to prevent application whitelisting bypasses and can also be configured to implement the Microsoft block rules if required.
App Control can be implemented on desktops, laptops, VDI, point of sale, and servers. It works side-by-side with the Carbon Black Cloud sensor.
Implement application control using Windows Defender Application Control
If you’re using Windows Defender, you can use Workspace ONE UEM Baselines and configure these settings. ACSC recommends the following two settings be applied.
| Group Policy Setting | Recommended Option |
|---|---|
| Computer Configuration\Policies\Administrative Templates\System\Device Guard | |
| Deploy Windows Defender Application Control | EnabledCode Integrity Policy file path: <organisation defined> |
| Turn On Virtualization Based Security | EnabledVirtualization Based Protection of Code Integrity: Enabled with UEFI lock |
To configure these two settings via Workspace ONE UEM, select Resources – Baselines. Select New – Use Template and click Next. Create a new baseline description as follows:
Click Next. Select Windows Security Baseline and click Next
click Add Policy – Click Next. Now search for the two policies detailed above. For example.
Implement application control using Microsoft AppLocker
If Microsoft AppLocker (the predecessor of WDAC) is used for application control, a Windows 10/11 modern management profile for AppLocker can be applied. To do this, create a Windows profile and select Application Control. The following article details how to create the configuration file which you’ll upload to this profile.
Apps and Process Restrictions for macOS
macOS Intelligent Hub uses Apple’s Endpoint Security System Extension framework to monitor system events to help administrators block specific software from running on a managed device. While security tools should still be used for malware, viruses, or other malicious software, this functionality helps with basic restrictions such as games, CLI tools, messaging apps, or even OS update installers.
Currently there is no UI available for configuration in the Workspace ONE UEM console. To create the restriction policies you can use custom settings XML.
Jon Towels (aka Mobile Jon) has created a great video which details how to configure this. The VMware documentation is available here which details how to set this up plus create the custom settings XML.
Implementing application control within Linux environments
The ability to deploy applications to Linux managed devices with Workspace ONE UEM is currently in beta. When this feature is generally available (GA), customers could then deploy the File Access Policy daemon (fapolicyd) which is recommended by the ACSC for Linux application controls.
2. Patch Applications
As advised by the ACSC, applying patches to applications and operating systems is critical to ensuring the security of systems. Focusing on patching applications, Workspace ONE UEM is renowned for its ability to quickly deploy and update applications across a wide variety of operating systems.
Application Inventory
Workspace ONE Intelligence allows admins to quickly determine which applications are installed across all device types. This can be viewed by clicking on Workspace – Unified Endpoint Management – Apps. Then click on Mobile Apps or Desktop Apps
If we click on Desktop Apps as an example a range of application information including versions are available.
Another effective new dashboard is available by enabling one of the (many) new dashboards available via the Intelligence Marketplace. You can do this by selecting Marketplace – Templates – Dashboards. Then select Device App Adoption. Then select either Add or Add or Add & Go to Workspace as shown.
The Dashboard allows the administrator to view an inventory of internal, public or purchased apps by operating system and then click down into these summary graphs for more specific information.
Deploying and Updating Applications
Workspace ONE UEM is renowned for its ability to deploy and update large numbers of applications across hundreds of thousands of devices in real time. One of VMware’s customers has over a million Android devices managed by Workspace ONE UEM.
Workspace ONE UEM provides a range of details on the application status as shown below. This allows the administrator to quickly update applications and monitor the deployment progress in real time.
The administrator can select the Details tab and see the installation status for each device.
This includes information on whether the application leveraged any Peer Distribution capabilities which uses the native Windows BranchCache services.
Application versions can be easily updated as shown:
Workspace ONE Freestyle can then be used to automate the removal of applications after a period of time. For example, an application that hasn’t be used for 2 months. The following article Workspace One Application Management for Win10 – How Rollback and Uninstall Works by Brooks Peppin details the lifecycle of Windows application management using Workspace ONE.
Enterprise App Repository (EAR) for 3rd party applications
Workspace ONE also offers the Enterprise App Repository (EAR) for Windows. This repository includes hundreds of commonly used, prepackaged, and preconfigured apps that IT can instantly deploy.
You can find the EAR by selecting Resources – Apps – Internal – Add – From Enterprise App Repository
Furthermore, the apps in the repository are kept up to date and pretested across the last three OS builds, ensuring a guaranteed installation.
The EAR includes a number of popular 3rd party applications such as Adobe Reader, Java, Chrome, Firefox.
For more information on the EAR and how you can update applications, see this blog article.
3. Configure Microsoft Office Macro Security
As the ACSC advises, Microsoft Office applications can execute macros to automate routine tasks. Unfortunately, macros can contain malicious code resulting in unauthorised access to sensitive information as part of a targeted cyber intrusion.
The ACSC outlines that the security benefit is Very High and the Business Impact / Implementation Difficulty is Low to disable Macros for all users who do not have a demonstrated business value as shown in this table:
| Approach | Security Benefit | Business Impact | Implementation Difficulty |
|---|---|---|---|
| Macros are disabled for users that do not have a demonstrated business requirement | Very high | Low | Low |
| Only macros from trusted locations are enabled | High | High | Medium |
| Only macros digitally signed by trusted publishers are enabled | High | Medium | High |
| Users decide which macros to enable on a case-by-case basis | Low | Low | Low |
| All macros are enabled | None | None | Low |
Microsoft blocking Office Macros by default
Well the good news is that as of February 2023, all Office macros from the internet will be blocked by default in Office. See this article for further details. The article details the versions of Office and when this change became available in each update channel.
Note: The change doesn’t affect Office on a Mac, Office on Android or iOS devices, or Office on the web.
Blocking Office Macros with Workspace ONE UEM
To disable Office Macros using Workspace ONE UEM, first download the Microsoft 365 ADMX template from here. I downloaded these files to a test Windows 10 workstation. Run the executable and copy the files and subdirectories to C:\Windows\PolicyDefinitions directory.
Run mmc.exe and then add Local Computer Policy. You can then browse to each of the Office 365 settings which are applicable to your version of Office deployed. For example, for my lab this is:
The Trust Center policies, for the various applications with Office are located within these Group Policy folders:
| Application | Policy location |
|---|---|
| Access | Microsoft Access 2016\Application Settings\Security\Trust Center |
| Excel | Microsoft Excel 2016\Excel Options\Security\Trust Center |
| Powerpt | Microsoft PowerPoint 2016\PowerPoint Options\Security\Trust Center |
| Visio | Microsoft Visio 2016\Visio Options\Security\Trust Center |
| Word | Microsoft Word 2016\Word Options\Security\Trust Center |
When I had applied this setting, I could open regedit.exe and see that the setting was applied to HKCU\Software\policies\Microsoft\office\16.0\excel\security with a registry key of blockcontentexecutionfrominternet REG_DWORD value of 1.
Next download the LGPO.EXE utility from the Microsoft Security Compliance Toolkit here. Run the following command:
LGPO.EXE /B C:\TEMP
Where C:\TEMP is a nominated backup directory for the GPO. I then ZIP’ed the entire directory output and called it DisableOfficeMacroGPO.ZIP
From the Workspace ONE UEM admin console, you need to deploy the LGPO.EXE application to all Windows 10 workstations where you are going to deploy this GPO. Grischa Erast (VMware Staff Customer Success Specialist Engineer) details how to perform these steps here, by using product provisioning.
Next, select Resources – Profiles & Baselines – Baselines. Select New – Use Template
Click Next
Enter an appropriate name such as:
Select Custom Baseline and upload the ZIP’ed GPO from the previous step (in my case DisableOfficeMacroGPO.ZIP)
Click Next and Save and Assign. Choose the appropriate Smart Group and click Publish. Then you can monitor it’s deployment as shown:
Note: Your Windows 10 devices may need to be restarted for some polices to be applied.
Once the baseline was deployed to my test Windows 10 devices, I was able to verify the GPO was applied by reviewing the registry (as per above) and also testing Excel opening a spreadsheet with an embedded Macro. As you can see, this is disabled as shown.
Other Office Hardening Settings
The ACSC details a number of registry entries which can be implemented using Group Policy preferences to further harden Microsoft Excel and Microsoft Word. See this article for more details under these recommended priorities and categories:
High Priorities
- Flash Content
- Loading external content
- Object Linking and Embedding packages
Medium Priorities
- ActiveX
- Add-ins
- Extension Hardening
- File Type Blocking
- Office File Validation
- Running external programs
- Protected View
- Trusted documents
Low Priorities
- Hidden markup
- Reporting information
4. User Application Hardening
The ACSC outlines that “user application hardening protects an organisation from a range of threats including malicious websites, advertisements running malicious scripts and exploitation of vulnerabilities in unsupported software. These attacks often take legitimate application functionality and use it for malicious purposes. User application hardening makes it harder for cybercriminals to exploit vulnerabilities or at-risk functionality in your organisation’s applications”.
The ACSC focuses on web browser hardening and recommends other applications should be hardened in accordance with the application’s vendor guidance. I’ve detailed a number of places to download the respective web browser ADMX files and settings which should be applied based on the ACSC article:
| Web Browser | Setting | Recommend configuration |
| Microsoft Edge (ADMX download here) | Block ads on sites with intrusive ads | Enabled |
| Blocks external extensions from being installed | Enabled | |
| Blocks external extensions from being installed | Enabled | |
| Configure Microsoft Defender SmartScreen | Enabled | |
| Configure Microsoft Defender SmartScreen to block potentially unwanted apps | Enabled | |
| Prevent bypassing Microsoft Defender SmartScreen prompts for sites | Enabled | |
| Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads | Enabled | |
| Google Chrome (ADMX download here) | Ads setting for sites with intrusive ads | Toggled ON |
| Blocks external extensions from being installed | Enabled | |
| Safe Browsing Protection level | Enabled | |
| Safe Browsing is active in the standard mode | Enabled | |
| Allow download restrictions. Ensure it is toggled on in the middle pane and then set Block malicious downloads | Enabled |
Limit Attack Impact
This section includes three key areas which organisation can follow to limit the impact of cyber attacks which have been initiated from endpoint devices.
5. Restricting administrative privileges
The ACSC advises that “restricting administrative privileges is one of the most effective mitigation strategies in ensuring the security of system.
Users with administrative privileges for operating systems and applications are able to make significant changes to their configuration and operation, bypass critical security settings and access sensitive information.
Adversaries often use malicious code (also known as malware) to exploit security vulnerabilities in workstations and servers. Restricting administrative privileges makes it more difficult for an adversary’s malicious code to elevate its privileges, spread to other hosts, hide its existence, persist after reboot, obtain sensitive information or resist removal efforts.
An environment where administrative privileges are restricted is more stable, predictable, and easier to administer and support, as fewer users can make significant changes to their operating environment, either intentionally or unintentionally”
Dynamic Environment Manager (DEM) Privilege Elevation
Dynamic Environment Manager or DEM is primarily used for Horizon for configuring and deploying end-user desktop setting. DEM can also be used with Workspace ONE UEM, especially for some powerful device configuration capabilities, one of which is to Privilege Elevation.
With privilege elevation, a user can start certain pre-configured applications (which the VMware Dynamic Environment Manager agent runs elevated on the local desktop) as if the user is a member of the administrators group.
The following blog article by Roderik de Block (VMware Senior Technical Account Manager) details how to complete the three tasks to integrate DEM with Workspace ONE UEM:
- Install the VMware Dynamic Management Console
- Create Configuration Files
- Deploy the DEM agent to your endpoints and deliver the config with a UEM device profile
Once you’ve verified DEM is successfully deploying a configuration file, login to the DEM Management Console (app).
Privilege elevation is deactivated by default. You must activate it manually, configure conditions to control the elevated applications, and define an elevation message.
- Next click Create.
- Enter a name for the setting definition.
- Select the privilege-elevation type from the Type drop-down under Privilege Elevation Settings.
– Click Add in the Elevate section and select the folders or applications to add to the list.
– (Optional) If you are elevating an application, select whether to elevate child processes as well. - Click Save
Within the DEM console, save the settings as a .DEMConfig file. On the Workspace ONE UEM console, browse to Resources – Profiles & Baselines – Profiles. Select Add – Add Profile. Select Windows – Windows Desktop – Device Profile.
Name the Profile, such as Elevate Privilege and assign this to an appropriate smart group. Browse to Dynamic Environment Manager and upload the .DEMConfig file from the previous step.
Once the DEM settings file has been appropriately deployed, the user can attempt to access applications with the privilege feature enabled. For example:
Granting Users temporary local admin rights
Another popular option with a number of VMware customers is to give the user temporary (local) admin rights to their machine. This might be requested by the user via a Helpdesk ticket, upon which the Workspace ONE UEM administrator grants the user local admin rights for a period of time.
Windows temporary admin rights
Two of my colleagues Aron Aperauch (VMware, Staff Solutions Engineer) and Xiaoyu Zhang (VMware Solution Engineer, Commercial) created two powerShell scripts (+ presentation with video) detailing how the scripts can be deployed and activated via product provisioning to remotely grant and remove the user local admin rights.
macOS temporary admin rights
To achieve this capability with macOS, see this excellent article written by Adam Matthews (now Senior Solution Engineer at Okta)
VMware Horizon
VMware Horizon can be deployed so that administrators can connect to different (VDI hosted) privileged Windows 10/11 workstations (as recommended by the ACSC in this article). These workstations can be further hardened and have only critical administrator applications installed.
6. Patch operating systems
Applying patches to operating systems is critical to ensuring the security of systems and as such, forms part of the Essential 8. As advised by the ACSC, to mitigate advanced cyber threats, devices should be patched as follows:
- internet-facing services: within two weeks, or within 48 hours if an exploit exists
- workstations, servers, network devices and other network-connected devices: within two weeks, or within 48 hours if an exploit exists.
Windows 10/11 Patching
Workspace ONE UEM provides comprehensive management capabilities of Windows devices to ensure they are being patched within two weeks.
With Workspace ONE UEM 23.02 release, we’ve added new Windows Updates Profile features along with a Windows Updates (Legacy) Profile page. The new capability are as follows:
- New features to the Windows Updates Profile now offer the ability to have use case driven setting selections that are fully supported on Windows 10 20H2 and above. The enhancements include:
- Windows Updates Profile page: Explains the new supported settings and configuration.
- Windows Updates (Legacy) Profile Page: It is for Windows Desktop devices using Windows 10, 1909 or previous. A button to migrate can be found here.
- A Migration Button: Provides easy profile migration by automatically updating your old settings to the new supported ones.
- Pause & Rollback Buttons: After migration if you find issues with some drivers or third-party software you can now Pause and/or Rollback both feature and quality updates to resolve any issues.
The following provide an example of some of the new profile settings:
Note: The new Windows Updates profile is used instead of Windows Updates (Legacy)
Information on OS Update information for Windows is available via Intelligence. Select United Endpoint Management – OS Updates. Select the Windows desktop dashboard as shown:
When you click on View Dashboard, a range of information on Windows versions as well as update events is then shown as follows:
If you click on the Patches tab, the status of patch deployments are shown:
CVE scores
Within the Workspace ONE Intelligence console, if you click on Workspace Security – Vulnerability Management – within the Windows Vulnerabilities dashboard click on View Dashboard
If you scroll down the window, you can get a range of very useful information such as the vulnerabilities based on their Common Vulnerabilities and Exposures Score (or CVE). A CVE score is often used for prioritizing the security of vulnerabilities.
The CVE glossary is a project dedicated to tracking and cataloging vulnerabilities in consumer software and hardware. It is maintained by the MITRE Corporation with funding from the US Division of Homeland Security
If you expand a particular CVE (this example taken from a lab) you can see that 10 devices are impacted and they have a critical score of 9.8)
macOS Patching
Workspace ONE UEM provides a comprehensive management solution for macOS devices. The following two Techzone articles detail how this can be achieved:
- Using Intelligent Hub hubcli to Manage macOS Updates
- Managing Updates with the macOS Updater Utility: Workspace ONE Operational Tutorial
Information on OS Update information for macOS is available via Intelligence. Select United Endpoint Management – OS Updates. Select the Apple macOS dashboard as shown:
When you click on View Dashboard, a range of information on macOS versions as well as update events is then shown as follows:
iOS Updates
Workspace ONE UEM includes functionality to manage operating system updates on managed, supervised iOS devices. The OS update management feature provides administrators a view of all available updates and allows for granular assignment of those updates across an organization’s devices.
This capability is available by selecting Resource – Device Updates
The following article Managing iOS Updates: Workspace ONE Operational Tutorial provides more details on this capability.
CVE Scores
As per VMware’s blog article VMware Workspace ONE’s Support of CVE Remediation on the 29th April 2023, Workspace ONE Intelligence’s support for CVE scores has been expanded to include iOS. This information is available by clicking on Workspace – Workspace Security – Vulnerability Management – iOS Vulnerabilities. Click on View Dashboard.
A range of valuable iOS vulnerability information is shown as follows:
Android Updates
To manage Android updates, see this excellent article written by Patrick Zoeller (VMware, Staff Customer Success Specialist Engineer)
7. Multi-factor authentication
The ACSC advises that multi-factor authentication (or MFA for short) is one of the most effective controls an organisation can implement from gaining access to a device or network. This is because it makes it significantly more difficult for an adversary to steal credentials and therefore negate malicious activities or data exfiltration.
Workspace ONE Access (formerly VMware Identity Manager) combines the user’s identity with factors such as device and network information to make conditional access decisions for applications delivered by Workspace ONE. Workspace ONE Access can also acts as a broker to other identity stores and providers including Active Directory (AD), Active Directory Federation Services (ADFS), Entra ID (Azure AD), Okta and Ping Identity. Some useful integration articles are details as follows:
- Setting up Workspace ONE Single Sign-on (SSO) and Conditional Access. This is really the foundational element of setting up Access with UEM so that you can have certificate based authentication (no passwords). From which you could then enable MFA for some applications.
- Integrating Workspace ONE Access with Azure AD
- Workspace ONE – Okta Integration – Part 1 of 4 articles by Steve DSa
- Setting up Single Sign-On (SSO) to Workspace ONE UEM Self Service Portal (SSP) and Admin Console including MFA
Integrated Hub MFA
Customers can leverage the built in MFA capabilities of the Intelligent hub as shown below:
To set this up, check out Steve D’Sa’s excellent article Bringing MFA into the Intelligent Hub. I then created a new access policy called MFA and included the Workspace ONE UEM Consoleapplication and a policy for Web Browser device type:
When you then click on the pace ONE UEM Console application you’ll see a message that you need to approve the login on your mobile device as shown:
3rd party MFA solutions
To setup 3rd party MFA solutions such as RSA SecureID, again you can’t go past Steve DSa’ excellent blog article Enabling Risk-Based Identity Assurance: VMware Workspace ONE + RSA SecurID Access
As outlined above, if you’ve integrated identity providers such as Entra ID (Azure AD) or Okta with Workspace ONE, you can then leverage their native MFA solutions as part of their authentication (AuthN) and authorization (AuthZ) services.
Risk Scoring (Workspace ONE Intelligence Risk Analytics)
Use Workspace ONE Intelligence to view data collected for and identifying risk with scores. This Workspace ONE Intelligence Risk Analytics feature tracks user and device actions and behaviors and then calculates the potential risk.
It shows this potential with risk levels and other metadata so you can quickly measure the vulnerability of your Workspace ONE UEM deployment. You can also view login risk scores from Workspace ONE Access and these scores ingest information from a user’s login location and can report if the user is showing anomalous, risky behavior.
A video providing an overview of this capability is available here. A more detailed document outlining the various risk indicators which are assessed is detailed here.
The benefits of this capability is that for the Unknown state (as per the diagram below) Workspace ONE Access can automatically prompt the user for a second factor of authentication.
Data Availability
8. Regular Backups
As advised in the “VMware and the Essential Eight” paper, VMware does not offer standard backup software for backup and restoration of software, data, and configuration settings from any system. VMware’s software-defined data centre (SDDC) platforms provide a backup API that is used by many third-party vendors to provide hypervisor-level backup capabilities. VMware has “restore proofed” solutions for vSphere environments such as VCDR and Ransomware Recovery.
Other Recommendations
In this section, I detail a range of other security features to consider as part of your overall security policies for your organisation.
Useful ACSC guidelines
The Australia Cyber Security Centre (ACSC) has a range of detailed guidelines in the use and protection of various devices:
- Mobile Device Management – which includes recommended mobile devices, configuration settings such as enabling storage and communication encryption, disabling bluetooth, prevent personnel from installing or uninstalling non-approved applications once provisioned, configure device settings, use a VPN when accessing the internet etc.
- Hardening Microsoft Windows 21H1 OS – This publication provides recommendations on hardening workstations using Enterprise and Education editions of Microsoft Windows 10 version 21H1
Mobile Threat Defense (MTD)
Workspace ONE Mobile Threat Defense is a capability built into the Intelligent Hub application. As the name suggests, it provides advanced protection against threats to mobile devices on Android, iOS, and Chrome OS. The following is a good demonstration video highlighting it’s capabilities:
My colleague Mathieu Beaugrand (VMware, Senior Solution Engineer) has presented two webinars detailing how to setup and use the MTD service. See the following session for more information:
- Tech Tuesday – Workspace ONE Mobile Threat Defense (6th September 2022)
- Tech Tuesday – Workspace ONE MTD in details (7th Marcy 2023)
Recommended Profiles
There are a range of recommended profiles that an organisation should review and implement to secure their end user devices. I’ve listed a number of these below including links to other useful articles where possible.
Mobile Passcodes
A passcode is numeric or alpha-numeric code that you enter on your mobile device (e.g. iPad, iPhone, or Andriod device) that protects your data. Usually a fallback capability if face or fingerprint recognition is also enabled.
Recommendation: Enable and set minimum complexity to meet your security requirements
Further information: Techzone video
Bitlocker
BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in cipher block chaining or XTS mode with a 128-bit or 256-bit key
Recommendation: Enable
Further information: Techzone article
FileVault
FileVault is a disk encryption program in Mac OS X 10.3 (2003) and later. It performs on-the-fly encryption with volumes on Mac computers.
Recommendation: Enable
Further information: VMware docs article
Launcher
For Android rugged devices, Workspace ONE Launcher then automatically takes over as the device home screen and applies admin-defined device and application policies. Typically used for kiosk and frontline workers who need to access a specific set of applications as part of their duties
Recommendation: Enable
Further information: Techzone video (Launcher redesign)
Block Applications
Workspace ONE can be enabled to block specific applications on the device.
Recommendation: Enable for selected industries / business requirement
Further information:
Workspace ONE Hub Notifications Service
The Hub Notifications service is a cloud-hosted service designed to generate and serve real-time notifications to your employees. In Hub Services, you can create custom informational and actionable notifications to send to selected groups in your organization.
This capability allows organisations to send trusted communication alerts to their staff and contractors, instead of text messages which can be intercepted and sent by scammers impersonating your organisation or other services.
You also have the out-of-box capability to send weekly new app notification to all employees, if you choose to turn it on.
Users do not need to be in the Workspace ONE Intelligent Hub app to receive notifications. They can respond directly on the notification that is being viewed. When users are logged in to Workspace ONE Intelligent Hub, they can view their notifications from the For You tab.
The following 3 minute video shows how the administrator can create these notifications from the Hub Services Console.
Integration of WS1 with Entra ID (Azure AD) for Device Compliance
From late 2020, Workspace ONE has been able to provide device posture information to Azure Active Directory (AD) so it can be used as part Entra ID’s powerful Conditional Access capabilities. This allows Entra ID administrators a view of device compliance for iOS, Android, Windows and macOS for devices managed by Workspace ONE UEM.
For my lab you can see the device compliance for Mac, iPad and Windows 10 laptop.
To set this up, please see this article I also published on my blog.
Workspace ONE Intelligence Trust Network
Workspace ONE Trust Network integrates threat data from security solutions including endpoint detection and response (EDR) solutions, mobile threat defense (MTD) solutions, and cloud access security brokers (CASB). This integration provides Workspace ONE Intelligence users with insights into the risks to devices and users in their environment.
The Intelligence Freestyle Canvas can then be used to create an automation from these security solutions. For example, create a trigger rule to Enterprise Wipe the device if a Security severity of High was detected.
Summary
As detailed above, Workspace ONE UEM and Intelligence provides a comprehensive set of services so that an organisation of any size and variety of device types/operating systems, can address the key cyber principles of the Essential 8.
If you have any feedback on this article, please don’t hesitate to contact me via LinkedIn or my contact page.
Updates
3 May 2023 – Included Intelligence iOS Vulnerability CVE dashboards.
Many Miles Away 