Posts

How to remove sensitive data from code and access Workspace ONE API's more securely (part 1)

Image
Organizations that use custom built tools to access API's can approach this in a variety of ways. It is not uncommon to find tools developed with sensitive data contained within the source code itself. PowerShell scripts are a great example of where we can find sensitive data leaking. These scripts come with the best of intentions, but can accidentally contain the keys to the kingdom. We’ll look at how I use a config.ini file to access a funny environment we’ll call https://Kauai.ryanpringnitz.com, but b efore we proceed, cue the mood boosting visuals... Storing sensitive data in code makes it difficult to commit code to a source version control system Bitbucket, GitHub, TFS, etc), as it would be insecure. It can even be against company policy to store sensitive data this way. By storing the sensitive information in a config.ini file; you can more easily present the code in a screen sharing session (maybe in a sprint demo), or commit your code to remote a repository.  Ex...

Using Product Provisioning in Workspace ONE to deliver intents to Android devices and perform tasks like activating Zimperium zIPS

Image
Friday the 13th, 2020 has come and gone, and what a week it was. Everyday we should be thankful, but this week I am especially thankful; thankful for health, thankful for my colleagues, team-mates, teachers, friends and mentors I get to work with and learn from everyday - even remotely.  It is a honor to be able to collaborate on projects that push the envelope, and work with people who selflessly share their time and knowledge.  Weeks like this remind me to appreciate the small things, encourages me to be more generous, and look for more ways to help others. I am thankful for everyone who does their part to make the world we all have come to appreciate, a better place. We might not have everything we want, but we can keep working toward our goals. Join me in being thankful, and looking for more ways to help where you can. The labor force is shifting in unprecedented ways this week, with class-A office space traded for makeshift offices - or makeshift medical facilities. W...

Force Android applications like Google Chrome to update in a zero-day/bug-fix/new-feature scenario with Workspace ONE

Image
There is a real and immediate need for every organization to be able to quickly react to zero-day vulnerabilities or new application releases with features requiring immediate and precise cut-overs. The threat landscape is wider than ever, while the frequency of new application builds in a world of CI/CD pipelines decreases from days to hours; and everything supporting the business has exacting requirements that need to be met.  Workspace ONE and the EUC product line-up is really well equipped to handle any digital workspace use case on any major platform. When you offer all that with API's to manage identity, access management and secure edge services; you have API's for everything to provide secure remote access to resources.  What has been interesting to watch over the years is the utility, broad-appeal, varied-price points and proven capabilities of the Android OS. As the OS has matured from the era of Jelly Bean, KitKat and Lollipop; the number of use cases supported ...

Submitting HTTP Requests to REST API endpoints in Workspace ONE UEM to retrieve devices

Image
Usage and adoption of REST API's continues to increase, as the need to integrate services over the web is greater than it has ever been. One of the most frequently used API endpoints in Workspace ONE UEM is  /API/mdm/devices. This API endpoint accepts a variety of parameters that help filter your result set to only include what is necessary, and reduce the payload size returned in the HTTP response. We will take a look at a quick example of how to perform this HTTP Request with Powershell and invoke-restmethod. Below is a simple Powershell script I was able to create for this example. Make sure to include base64 encoded credentials in a folder (c:\creds\b64.txt in the example), and to update the $apiKey object with an API key. When reviewing the results from the object with $getDevices.Devices, the following is stored in the variable: This API really gives you quite a bit to work with, and VMware is really good about offering developers an assortment of APIs to report ...

Zimperium Delivery and Activation on Android Enterprise with Workspace ONE UEM Product Provisioning

Image
A use case I am involved in required remotely delivering Zimperium zIPS, a mobile threat detection and response security product, to Android Enterprise devices with Workspace ONE UEM. Zimperium is an incredible mobile security product, which I will discuss more in upcoming blog posts. The way Workspace ONE and Zimperium compliment each other is ideal for securing devices running (Android and iOS supported). First we need to deliver zIPS; and this will cover the delivery and activation of zIPS on an Android Work Managed device with Workspace ONE UEM Product Provisioning. For zIPS to secure a device, report threats back to Zimperium's zConsole and eventually Workspace ONE Intelligence; zIPS requires activation on each device. It sounds daunting, especially because it isn't just delivering an apk file and managed configuration. If you have a fleet of 15,000 or 150,000 devices; you wouldn't want to visit each point-of-sale kiosk, in-flight entertainment system, medical devic...