Zero Trust 1 | Device Management and Secure Access to Organization Resources

Süleyman Bayır
10 min read · Jun 9, 2021

The "new normal" of remote working has been part of our lives for more than a year, and it has created many new problems for us as IT employees. During this period we have had to provide a comfortable and safe working environment for our employees.

The transition to remote working has made the technology we use more important than ever, especially our computers. Employees used to access company resources securely by connecting to the office network; during remote work they may try to access company resources from any device, anywhere in the world. This confronts us with a few questions that need answering.

  • Can we control the devices that access organizational resources?
  • How can we install security patches on devices?
  • Can we fix problems on the devices remotely?
  • Do employees have difficulty accessing resources?
  • Can we ensure the security of the data on the devices in cases such as theft or loss?

Many more questions could be added to this list, and it is not possible to answer them all in a single article. Therefore, in this article I will address one of the most important questions above: controlling the devices that access the organization's resources.

Why should I control the devices that access resources?

This question has become more important during the remote working period, because employees can try to access organizational data from any device, even from computers in internet cafes that have no security measures at all. We can implement and manage many security measures on company-owned devices, but we cannot intervene on devices that are not under our management.

At Trendyol, we searched for a solution to this problem and decided to adopt a zero trust strategy. In the zero trust model, access to organizational resources is not granted until the user and the device being used have been verified. In this way, cloud-based or on-prem resources such as Google applications, Slack and Zoom can be accessed only from company-owned devices.

We decided to implement this with VMware Workspace ONE as part of zero trust at Trendyol. In the Workspace ONE setup, employees can log in easily without entering a password, using single sign-on (SSO). At the same time, with the conditional access and device compliance capabilities, we can check whether the device making the request belongs to the company. Access from non-company devices is blocked, while company-owned devices get in easily via SSO.

In the rest of the article, I will talk about single sign-on, conditional access technology, and the SSO configuration we made with Workspace ONE.

What is The Conditional Access and Device Compliance?

Conditional access is a Workspace ONE Access service that lets users log in only if certain conditions are met. Device compliance, on the other hand, is an authentication method that checks whether the device is enrolled in Workspace ONE UEM (MDM); it allows access to organizational resources only from MDM-managed devices. Users can access organization resources with SSO only from devices enrolled in MDM; on unenrolled devices SSO will not work and access is blocked.

Our VMware Workspace ONE Architecture

VMware Workspace ONE products are available both cloud-based and on-premises. At Trendyol we run the Workspace ONE products on-premises.

First, to make the SSO configuration easier to follow, let me introduce the Workspace ONE UEM, Workspace ONE Access and Workspace ONE Tunnel applications that make up our setup and work in integration with each other, because we will need all three for the SSO configuration.

Workspace ONE Unified Endpoint Management (UEM)

VMware Workspace ONE UEM is an endpoint management solution capable of mobile device management (MDM), mobile application management and mobile content management. With Workspace ONE UEM you can manage Windows, macOS, Android and iOS devices, and manage applications for each of these platforms from a single console.

Workspace ONE Access

Workspace ONE Access supports SAML 2.0. This lets users sign in to web-based and local applications quickly and securely with multi-factor authentication, conditional access and single sign-on.

Workspace ONE Tunnel

The Tunnel application allows users to securely access organizational resources without a VPN. Tunnel, working with Workspace ONE UEM, grants per-application access: the applications and URLs to be reached are defined in Workspace ONE UEM, and users reach the organization's resources without a VPN connection through the Tunnel application installed on their devices. In addition, the Tunnel must be configured for SSO to work on Android devices; I will give more detail in the Android SSO configuration section.

You can see the Workspace ONE on-premises architecture we designed at Trendyol in the figure above. We built a secure structure by placing the three main applications, Workspace ONE UEM, Workspace ONE Access and Workspace ONE Tunnel, in the DMZ, a completely isolated network segment. With this architecture, the IT team can manage user devices as long as they are connected to the internet. Workspace ONE UEM, the MDM application, synchronizes user information from Active Directory via the AirWatch Cloud Connector (ACC), while Workspace ONE Access checks user information and device enrollment status via UEM.

Configuring Workspace ONE Single Sign-on (SSO)

Workspace ONE Access supports authentication methods such as Password, SSO and Device Compliance. As mentioned in the conditional access description above, the device compliance method cannot be used on its own or together with password authentication; for device compliance to work, SSO must be configured for each platform (Android, iOS, Windows and macOS).

Setting up Android SSO

Unlike the other platforms, SSO configuration on Android devices requires the Workspace ONE Tunnel application, because applications that use SSO on Android reach Workspace ONE Access by proxying through the Tunnel. The Tunnel therefore needs to be configured and working in your environment. You may be wondering how VMware Tunnel works; I will explain the Tunnel application in detail in my next article. Here I will continue with the SSO configuration we made for Google applications as an example.

Android SSO configuration steps:

1. In the Android SSO configuration, we first enable the cert proxy service on the Access servers. After enabling the service, the cert proxy service must be restarted.

2. We export the Tunnel certificate from the Tunnel Configuration page in UEM. We will use this certificate later when enabling the Android SSO service.

3. We enable the Identity & Access Management > Authentication Methods > Mobile SSO (for Android) method in the Workspace ONE Access administration console. Here we upload the Tunnel certificate we exported in the previous step.

4. Then we activate the Mobile SSO (for Android) authentication method on the Identity & Access Management > Identity Providers > Built-in page.

5. For the Tunnel application to be able to proxy, it must be installed on user devices with custom settings. I can say this is the most important point in the Android SSO configuration: in an on-premises setup, if the Tunnel application is not installed with this custom setting, SSO will not work.

The setting in my example was modified for Google apps.

Custom Settings: {"PackageID":"com.google.android.gms","Domains":"Access URL","Action":"Proxy","Proxy":"AccessURL:5262","DefaultActionForSettings":"Proxy"}

After the Tunnel application is pushed with this setting, Google Play Services appears in the Applications list of the Tunnel application on the device.

6. Finally, we add the applications that will proxy device traffic as rules on the Tunnel Configuration page in UEM. With this rule we send the proxy server information to the applications that will work through the proxy.

We have completed the SSO configuration for Android devices.
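The Tunnel custom settings in step 5 are the point where Android SSO most often breaks, usually because the JSON was pasted with curly quotes or the Proxy host does not match the Domains value. The helper below is an added example (not VMware's code or Trendyol's configuration): it builds the settings object in the shape shown above for an assumed Access hostname and validates a pasted payload against the same shape. It treats Domains as a single hostname and assumes port 5262 is the cert proxy port, as in the article's example.

```python
import json

# Port of the Workspace ONE Access cert proxy service that the Tunnel app forwards
# Google Play Services traffic to; the value comes from the article's example.
CERT_PROXY_PORT = 5262
REQUIRED_KEYS = ("PackageID", "Domains", "Action", "Proxy", "DefaultActionForSettings")


def build_tunnel_custom_settings(access_host, package_id="com.google.android.gms"):
    """Return the custom-settings object in the shape shown in the article.

    access_host is the bare hostname of the Workspace ONE Access server
    (assumed example: "access.example.com"); a URL or host:port is rejected
    so that the Proxy value never ends up as "https://host:5262".
    """
    if "://" in access_host or "/" in access_host or ":" in access_host:
        raise ValueError("pass the bare Access hostname, not a URL or host:port")
    return {
        "PackageID": package_id,
        "Domains": access_host,
        "Action": "Proxy",
        "Proxy": "%s:%d" % (access_host, CERT_PROXY_PORT),
        "DefaultActionForSettings": "Proxy",
    }


def validate_tunnel_custom_settings(text):
    """Parse a custom-settings JSON string and return a list of problems.

    An empty list means the payload is consistent. Curly quotes are normalised
    first because copy/paste from a document is the most common reason the
    JSON fails to load at all.
    """
    for curly, straight in (("\u201c", '"'), ("\u201d", '"'), ("\u2018", "'"), ("\u2019", "'")):
        text = text.replace(curly, straight)
    try:
        settings = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]

    problems = ["missing key " + key for key in REQUIRED_KEYS if key not in settings]
    if problems:
        return problems
    if settings["Action"] != "Proxy" or settings["DefaultActionForSettings"] != "Proxy":
        problems.append("Action and DefaultActionForSettings must both be Proxy for SSO")
    host, sep, port = settings["Proxy"].rpartition(":")
    if not sep or not port.isdigit():
        problems.append("Proxy must be host:port")
    else:
        if int(port) != CERT_PROXY_PORT:
            problems.append("Proxy port %s is not the cert proxy port %d" % (port, CERT_PROXY_PORT))
        if host.lower() != str(settings["Domains"]).lower():
            problems.append("Proxy host does not match Domains; traffic would be proxied to the wrong server")
    if not settings["PackageID"]:
        problems.append("PackageID is empty; no app would be proxied")
    return problems


if __name__ == "__main__":
    built = build_tunnel_custom_settings("access.example.com")   # assumed hostname
    print(json.dumps(built))
    print(validate_tunnel_custom_settings(json.dumps(built)))    # prints []
```

Run the validator on the exact text you are about to paste into the UEM custom settings field; an empty list is the only acceptable result before pushing the app to devices.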

Setting up iOS SSO

For iOS device authentication, Workspace ONE Access uses an identity provider built in to the Workspace ONE Access service to provide mobile SSO authentication. This authentication method for iOS devices uses a Key Distribution Center (KDC). Kerberos authentication gives users who have successfully signed in to their domain access to their Workspace ONE apps portal without additional credential prompts.

Now let's move on to the iOS SSO configuration:

1. First, the KDC service is installed on the Workspace ONE Access server with the following command. The realm name given in the command must be in uppercase letters. After the installation completes, you must restart the horizon and KDC services.

/etc/init.d/vmware-kdc init --realm IDM.EXAMPLE.COM --subdomain idm.example.com

service horizon-workspace restart

service vmware-kdc restart

2. Workspace ONE Access must be reachable from the public internet on the Kerberos port for Kerberos authentication to work. Define the necessary access rules for the Access server, then create the public DNS records as follows.

kdc.example.com. 1800 IN A 1.2.3.4

kdc.example.com. 1800 IN AAAA ::ffff:1.2.3.4

_kerberos._tcp.idm.EXAMPLE.COM IN SRV 10 0 88 kdc.example.com.

_kerberos._udp.idm.EXAMPLE.COM IN SRV 10 0 88 kdc.example.com.

3. Next we enable the KDC service. To do so, we import the certificate we exported on the Groups and Settings > All Settings > System > Enterprise Integration > Workspace ONE Access > Configuration page in UEM. When you enable the KDC service in Workspace ONE Access, the realm name will be populated automatically.

4. We enable Mobile SSO (for iOS) on the Identity & Access Management > Manage > Identity Providers > Built-In > Authentication Methods page in Workspace ONE Access and export the KDC certificate found there. We will use this certificate in the profile that we will push to iOS devices.

5. Finally, we send the Kerberos server information and the KDC certificate exported in the previous step to iOS devices with a profile created in UEM. The profile is created as follows:

  • In the Credentials tab, add the KDC certificate we exported.
  • In the SCEP tab, choose AirWatch Certificate Authority as the credential source.
  • In the Single Sign-On tab, enter the realm name (IDM.EXAMPLE.COM) chosen when installing the KDC service and add the bundle IDs of the applications that will use SSO. The Safari bundle ID must be added because iOS devices use Safari as the default browser; if it is not added, SSO will not work in the Google applications.

We have completed the iOS SSO configuration. You should now be able to sign in to Workspace ONE (via the app) or Safari on your iOS device, and SSO with mobile applications will also work.
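Step 2 of the iOS procedure is easy to get subtly wrong: a missing UDP record, a wrong port, or a lowercase realm passed to vmware-kdc init will all leave iOS devices unable to locate the KDC. The following is an added example (not part of the article or of VMware's tooling) that parses zone-file lines in the form shown above and checks them against what a Kerberos client expects: SRV records for both _kerberos._tcp.<REALM> and _kerberos._udp.<REALM> (RFC 4120), port 88, and a fully qualified target that actually has an address record. The sample records are constructed from the article's example values.

```python
KERBEROS_PORT = 88

# Constructed sample in the zone-file form the article shows (not real records).
SAMPLE_RECORDS = """
kdc.example.com. 1800 IN A 1.2.3.4
kdc.example.com. 1800 IN AAAA ::ffff:1.2.3.4
_kerberos._tcp.idm.EXAMPLE.COM IN SRV 10 0 88 kdc.example.com.
_kerberos._udp.idm.EXAMPLE.COM IN SRV 10 0 88 kdc.example.com.
"""


def parse_records(text):
    """Parse simplified zone lines "owner [ttl] IN type rdata..." into dicts.

    Owner names are lower-cased and stripped of the trailing dot because DNS
    names are case-insensitive; rdata is kept as the raw field list.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) > 1 and fields[1].isdigit():   # TTL is optional
            del fields[1]
        if len(fields) < 4 or fields[1] != "IN":
            raise ValueError("unparseable record: " + line)
        records.append({"owner": fields[0].rstrip(".").lower(),
                        "type": fields[2].upper(),
                        "rdata": fields[3:]})
    return records


def check_kdc_records(text, realm):
    """Return a list of problems with the records published for the KDC.

    realm is the value given to "vmware-kdc init --realm". Kerberos clients look
    up _kerberos._tcp.<REALM> and _kerberos._udp.<REALM>, so both SRV records
    must exist, point at port 88, and name a host that has an A/AAAA record.
    """
    problems = []
    if realm != realm.upper():
        problems.append("realm %s must be uppercase" % realm)
    records = parse_records(text)
    hosts_with_addresses = {r["owner"] for r in records if r["type"] in ("A", "AAAA")}
    for proto in ("_tcp", "_udp"):
        owner = "_kerberos.%s.%s" % (proto, realm.lower())
        srvs = [r for r in records if r["type"] == "SRV" and r["owner"] == owner]
        if not srvs:
            problems.append("no SRV record for " + owner)
            continue
        for r in srvs:
            if len(r["rdata"]) != 4:
                problems.append("%s has malformed SRV data" % owner)
                continue
            _priority, _weight, port, target = r["rdata"]
            if not port.isdigit() or int(port) != KERBEROS_PORT:
                problems.append("%s points to port %s, not %d" % (owner, port, KERBEROS_PORT))
            if not target.endswith("."):
                problems.append("%s target %s is not fully qualified (missing trailing dot)" % (owner, target))
            if target.rstrip(".").lower() not in hosts_with_addresses:
                problems.append("%s target %s has no A/AAAA record" % (owner, target))
    return problems


if __name__ == "__main__":
    print(check_kdc_records(SAMPLE_RECORDS, "IDM.EXAMPLE.COM"))   # prints []
```

Feed it the records as you intend to publish them (or as dumped from your public zone) together with the realm you passed to vmware-kdc init; anything other than an empty list should be fixed before enabling Mobile SSO for iOS.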

Setting up Windows and Mac Operating Systems SSO

We use a common SSO configuration for the Windows and macOS platforms, called "Certificate (Cloud Deployment)". This method is the simplest configuration compared to Android and iOS. We need a Certificate Authority (CA server) for cloud deployment because we will push user certificates to user devices using a template created on the CA server.

Let's start the certificate cloud deployment configuration steps:

1. First, we create a new template by cloning the User certificate template on the CA server. In the Subject Name tab, select the "Supply in the request" option, and in the Security tab give Full Control to the UEM bind service account (the bind user between MDM and AD defined during the UEM installation).

2. We export the CA server's root certificate. We will use this certificate in the next step.

3. In the Workspace ONE Access console, enable Identity & Access Management > Authentication Methods > Certificate (Cloud Deployment). Here we import the root certificate exported from the CA server.

4. In Workspace ONE UEM, we create a certificate request template so that certificates can be issued to users:

  • Certificate Authority: choose the CA server.
  • Issuing Template: certificatetemplate:<name of the template created on the CA server>
  • Subject Name: CN={EnrollmentUser}@example.com. The domain suffix "@example.com" is added so that certificates are delivered to macOS devices in the correct format.

5. Finally, we create a profile for the Windows and macOS platforms and push the certificates to the users.

We have completed the SSO configuration for Windows and macOS. Users can now access organization services with SSO from their Windows and macOS devices.

We have now completed the SSO configurations for every platform. It is time to set the conditional access policy I mentioned at the beginning of the article. We will create a conditional access policy in Workspace ONE Access; with this policy we achieve our goal of allowing access to organizational resources only from company-owned devices.

When creating the policy, we need to create separate rules for each platform. As an example, I will explain only the rule I created for Android.

As you can see in the figure above, we chose SSO and Device Compliance as the authentication methods for Android devices.

That's it! With Device Compliance we check whether the device is enrolled in MDM. If the device is not enrolled, the user's access request is denied before proceeding to the SSO step; otherwise the user can log in to the application with SSO.
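To make the evaluation order concrete, here is an added example that models the policy described above (it is illustrative code, not Workspace ONE Access logic or Trendyol's actual rule set). Each platform gets a rule whose authentication chain is evaluated left to right, so an unenrolled device is denied at the Device Compliance step before SSO is ever attempted; a platform without a rule is denied rather than falling through. A second helper encodes the constraint stated earlier in the article, that Device Compliance cannot stand alone or be paired with Password. Method names and the request fields are assumptions for the illustration.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    platform: str              # "android", "ios", "windows" or "macos"
    enrolled_in_uem: bool      # does Workspace ONE UEM know this device?
    sso_credential_ok: bool    # platform SSO credential present and valid
    password_ok: bool = False  # only relevant to rules that use Password


@dataclass
class PolicyRule:
    platform: str
    auth_chain: list           # ordered method names, evaluated left to right


# Each method returns (passed, reason). "device_compliance" consults the UEM
# enrollment state; "sso" stands in for Mobile SSO (Android/iOS) and
# Certificate (Cloud Deployment) on Windows/macOS. Names are assumed here.
METHODS = {
    "device_compliance": lambda r: (
        r.enrolled_in_uem,
        "device is enrolled in UEM" if r.enrolled_in_uem else "device is not enrolled in UEM"),
    "sso": lambda r: (
        r.sso_credential_ok,
        "SSO credential accepted" if r.sso_credential_ok else "SSO credential missing or invalid"),
    "password": lambda r: (
        r.password_ok,
        "password accepted" if r.password_ok else "password rejected"),
}

# Hypothetical rule set in the spirit of the article: one rule per platform,
# compliance first, then the platform's SSO method.
DEFAULT_RULES = [PolicyRule(p, ["device_compliance", "sso"])
                 for p in ("android", "ios", "windows", "macos")]


def validate_rule(rule):
    """Reject chains the article says cannot work: device compliance alone,
    or device compliance combined with password instead of SSO."""
    problems = []
    if "device_compliance" in rule.auth_chain:
        if "password" in rule.auth_chain:
            problems.append("device_compliance cannot be combined with password")
        if "sso" not in rule.auth_chain:
            problems.append("device_compliance must be combined with an SSO method")
    unknown = [m for m in rule.auth_chain if m not in METHODS]
    if unknown:
        problems.append("unknown methods: " + ", ".join(unknown))
    return problems


def evaluate(rules, request):
    """Return (allowed, trail) for a request.

    Methods run in chain order and the request is denied at the first failure,
    so an unenrolled device is refused before SSO is even attempted. A platform
    with no matching rule is denied rather than falling through.
    """
    rule = next((r for r in rules if r.platform == request.platform), None)
    if rule is None:
        return False, ["no rule for platform %s; denied by default" % request.platform]
    trail = []
    for method in rule.auth_chain:
        passed, reason = METHODS[method](request)
        trail.append("%s: %s" % (method, reason))
        if not passed:
            return False, trail
    return True, trail


if __name__ == "__main__":
    # Constructed requests: an unenrolled Android device and an enrolled one.
    print(evaluate(DEFAULT_RULES, AccessRequest("android", False, True)))
    print(evaluate(DEFAULT_RULES, AccessRequest("android", True, True)))
```

The trail returned by evaluate is the kind of record worth keeping in logs: a denial that stops at the compliance step tells you a non-company device tried to reach a resource, which is exactly the event the policy exists to surface.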
