Advanced Endpoint Security with Workspace ONE Mobile Threat Defense

Mobile platforms and their operating systems have proliferated in both the public and private sectors, to the point that the Windows OS has taken a back seat to them in numbers. In turn, attackers are targeting these mobile platforms to take advantage of potential vulnerabilities.

Deeply integrated with Workspace ONE, Workspace ONE Mobile Threat Defense, powered by Lookout's advanced mobile endpoint security technology, greatly enhances mobile device security by protecting against threats like phishing, root and jailbreak, malicious applications, malware, and many more device-, application-, and network-originated threats.

Mobile Threat Defense (MTD) deeply integrates with the Workspace ONE platform including Workspace ONE UEM (UEM) and Workspace ONE Intelligence (Intelligence), making Mobile Threat Defense best-of-breed for deployment and management.

This guide outlines Workspace ONE Mobile Threat Defense demo flows available in TestDrive.

Before You Begin

Before you begin you need:

  • A VMware TestDrive account. See this guide for more information.
  • TestDrive's ready-to-use (RTU) Workspace ONE UEM activity.
  • An Android or iOS device.

Enroll Device

Talking Points

  • By enrolling into Workspace ONE UEM, due to tight integration between Mobile Threat Defense and Workspace ONE, your device becomes fully managed in both Workspace ONE UEM and Workspace ONE Mobile Threat Defense.
  • Mobile Threat Defense support is baked into the Workspace ONE Intelligent Hub app. No additional app is required*. Even Hub-registered mode supports Mobile Threat Defense (more details).
  • Mobile Threat Defense is supported on iOS, Android, and Chrome OS.

Enroll your device in TestDrive's Workspace ONE UEM environment. For device enrollment details, see the appropriate header below:

Android Enrollment

Download the Intelligent Hub from Google Play.

Enroll using your TestDrive enrollment email address and TestDrive credentials.

Enrollment OG: Enterprise - BYOD Demo

iOS Enrollment

Download the Intelligent Hub from the App Store.

Enroll using your TestDrive enrollment email address and TestDrive credentials.

Enrollment OG: Enterprise - Corporate Owned Demo

After enrollment, through deep integration between Mobile Threat Defense and Intelligence Hub Services, the Mobile Threat Defense device status will be instantly reflected on your device.

On your device, go to the Intelligent Hub > Self-Service area. Self-Service is where you can view device status and perform certain functions for all of your enrolled or registered devices.

In Self-Service > My Devices, your enrolled or registered devices will be listed with an overall status.

If you have multiple devices listed, choose the device labeled "current" to view its device details, where Mobile Threat Defense status is displayed.

Drill into the Mobile Threat Defense section for more details.

Since the device is safe, UEM provisions the device with all assigned apps and profiles. In turn, the device will be permitted to access corporate resources through its UEM-managed VPN connection(s).

Next, log in to TestDrive's Workspace ONE User Portal.

Launch the Workspace ONE UEM console. Click the star to save Workspace ONE UEM console to your favorites.

When logged in to Workspace ONE UEM, first verify you're using your Device Administrator and World Wide Enterprises admin role.

Go to Devices > List View.

To rapidly find your device in UEM, filter the list by your username.

Initially, after enrollment, Mobile Threat Defense's device state may take up to five (5) minutes to sync with Workspace ONE UEM; the tags will show up soon afterwards.

Your UEM device record should show MTD has (1) been activated and (2) determined the device to be secure. Accordingly, the device has been tagged with "MTD - Secured" and "MTD - Activated" tags.

Devices that are determined to be secure by MTD will be fully provisioned with device profiles and apps by UEM. Devices that are not secure are classified as high, medium, or low risk, and Workspace ONE will perform the triage measures configured for that risk level.

Drill into your device record. Inside the record you find the device details.

Make note of your UEM device ID. The UEM device ID is found in the URL of your device record.

From either the Intelligent Hub (device) or the User Portal (desktop browser), find and launch the Workspace ONE Mobile Threat Defense web app.  Again, click the star to save the app in favorites.

Workspace ONE Access provides SSO into the Mobile Threat Defense console where you will have read only access.

Go to Devices.

Find your device by filtering the device list by the UEM device ID you made note of earlier.

Due to potential privacy issues in the TestDrive demo environment, the user's email address is not passed from UEM to MTD. In a production environment, email privacy would typically not be configured as it is in TestDrive and you could look up a device by friendly name or email address.

Device status will be listed as either High Risk, Medium Risk, Low Risk, or Secured. This status is passed to UEM through UEM's MTD tagging configuration and, again, deep integration between MTD and UEM.

This Android demo device is identified as secure, just as it is in UEM and the Hub.

Drill into the device to see its details. Note any issues listed for your device. In the case of this demo device, one low risk issue—the passcode not being present during enrollment—was detected and quickly resolved when the passcode was set.  

Scroll through device details.

Next, we'll trigger an MTD detection, which will initiate device remediations.

Mobile Threat Defense in Action

Talking Points

  • Workspace ONE UEM's device remediation measures are configurable, so that administrators can mirror an organization's security policies. For example, an app or profile can be temporarily removed until the device is brought back into compliance.
  • Custom remediation policies can include the ability to block access to containerized apps, even on unmanaged devices, based on Mobile Threat Defense risk level.

Mobile Threat Defense, Workspace ONE UEM, and Workspace ONE Intelligence together provide a myriad of methods to remediate device threats. The measures taken herein are just a sampling.

Below, platform-specific demos are outlined. Each device platform has pre-configured threat triggers so that you can see MTD in action. Triggering time may vary depending on backend system synchronizations, device state, device and network performance, etc.

Android Demo

Mobile Threat Defense actions on Android are triggered using a pre-configured, benign riskware app, Test your antivirus.

Android device state, post-enrollment, is reviewed in the first few steps. 

Go to the Hub > Self-Service area.  As previously noted, presuming you have a device that is secure, the device's Mobile Threat Defense status will be safe.  

Also, in Workspace ONE UEM the device should have secured status.

However, if you're enrolling an already-compromised device, Mobile Threat Defense will detect it and UEM will tag it accordingly.

Launch the Mobile Threat Defense console.

Go to Devices. Find your device by filtering for your UEM device ID. 

Note the device is reporting as secured with no issues.

Next, either in the Intelligent Hub (device) or in the Workspace ONE User Portal (browser), install the Test your antivirus app.

Test your antivirus is a benign app that was built with a suspect SDK. 

Soon after Test your antivirus installs, Mobile Threat Defense will detect the riskware. The Intelligent Hub will receive the threat detected notification.

In the Mobile Threat Defense console, you should see your device reporting a medium risk.

Drill into the device record to see its complete Mobile Threat Defense posture details.

In the UEM console, the device will be properly tagged.

Simultaneously, Workspace ONE UEM will automatically remediate the device. To protect sensitive corporate data, Workspace ONE UEM will remove several apps.

Again, Workspace ONE UEM's remediation measures are configurable and should mirror an organization's security policies. An admin can remove all managed apps and profiles if that's what's required.  

Manually remove the threat app. 

Workspace ONE UEM will quickly re-provision the apps. 

Back in the MTD console, you'll see the device issue is now resolved.

iOS Demo

Mobile Threat Defense actions for iOS are triggered using a setup for a Man-in-the-Middle (MitM) attack. The MitM attack is made possible by a fake VPN connection.

Post-enrollment iOS device state is reviewed in the first few steps.

Go to the Hub > Self-Service area.  As previously noted, presuming you have a device that is secure, the device's Mobile Threat Defense status will be safe.  

Also, in both UEM and the MTD consoles, the device will list as secured and be appropriately tagged.

The iOS demo simulates a Man-in-the-Middle Attack (MitM). An iOS configuration profile needs to be installed to set up the VPN.  Don't worry, the MitM setup does not actually do anything. It's a dummy setup. 

Go to the Hub > Self-Service. Find your current device.  On the right, in the device details area, go to profiles.

Install the "MitM Proxy Install" profile.

On the device, launch MitMProxyInstall and allow the download of the configuration profile.

Go to iOS settings > Profile Download and complete the configuration profile's installation. Accept all prompts.

After the iOS configuration profile installation is completed, the profile will show up as Free In-App Purchases. 

The profile creates a generic IPsec "VPN" connection. This is the fake MitM setup.

In settings, in the left pane, go to VPN. Turn on the VPN.

Next, open the Hub and look at its risk status. The MitM attack is detected. You'll also receive a push notification in the Hub.

In the Hub, drill into Mobile Threat Defense status for threat details.

Also, check the Mobile Threat Defense console for administration details.

If you're using a Wi-Fi only device:

On Wi-Fi only devices, the fake VPN hinders communications with the required MTD and UEM management endpoints. To enable communications, you will need to:

  1. Toggle the VPN on and off.
  2. Go to the Hub > Self Service ... sync device.
  3. Turn the VPN back on.

On devices with Wi-Fi and cellular, MTD will look for a back channel (cellular) and use it to communicate with MTD and UEM management endpoints, rather than communicating over the Wi-Fi.

Mobile Threat Defense and Workspace ONE UEM will remove the apps from the device.

Depending on your device type, if it has both Wi-Fi and cellular, remediation states will vary.

Also—if you have Office 365 enabled on your TestDrive account—you can launch Boxer and see the email notifications sent by Mobile Threat Defense.

Also, most importantly, to protect sensitive corporate data, Workspace ONE UEM has quickly taken action and removed the following apps:

  • Salesforce
  • Dropbox
  • Workspace ONE Web
  • Workspace ONE Content
  • VMware Boxer
  • WSO App Analytics

On the device, in Settings > General > VPN & Device Management, remove the Free In-App Purchases VPN profile.

After the threat has been removed, the device will be detected as secure, the Hub will reflect the secured state, and Workspace ONE UEM will quickly reinstall all of the apps.

Coming Soon - Phishing and Content Protection

Phishing and content protection are soon to come.  

Mobile Threat Defense & Workspace ONE Integration

Talking Points

  • Workspace ONE integration simplifies mobile threat management: 
    • Automatically syncs UEM's mobile devices into Mobile Threat Defense
    • When MTD classifies devices as safe or low/medium/high risk, those devices are tagged in UEM so appropriate UEM policies can be automatically applied, such as removing corporate resources on a high-risk device.

Launch the Mobile Threat Defense console from Workspace ONE. Workspace ONE Access provides SSO into the MTD console. Your TestDrive account has read-only access to view the MTD console; however, the integrations are not viewable.  

Launch the MTD console and review it.  

Below is the Integrations > Enrollment Management section as configured in TestDrive.

Below is a view of part of the Integrations > State Sync settings as configured in TestDrive.

More Info

Mobile Threat Defense on TechZone! 

Check out the MTD Tech Zone page for more information including demo videos.

