September 06, 2024

Securing Workspace ONE UEM Windows Devices via Baselines and Profiles

Are your Workspace ONE Windows policies configured for optimal security?

Workspace ONE Unified Endpoint Management (UEM) enables administrators to manage and secure endpoints via policies that determine what users and devices can and can’t do from a functional and security perspective.  Let’s delve into the policies that can be applied to Workspace ONE Windows devices, as well as some guidelines to assist you with optimization.

Policies

While the actual configuration of Windows Profiles and Baselines is fairly straightforward, understanding what to configure where and when can sometimes be complex.   When should a Baseline be configured?  When is a Profile appropriate?


Figure 1: Configuration of Profiles and Baselines.

What about settings that can be configured within both a Profile and a Baseline?  Windows Firewall settings, for example, are available in both, so an administrator has to decide which policy type owns them.

In addition, some environments still require Active Directory GPOs, which adds a third source of policy on top of Baselines and Profiles and makes the resulting device behavior harder to predict.

Multiple policies may overlap and create an unexpected and/or inconsistent user experience.  For example, if an administrator wishes to disable Bluetooth on all Windows devices in a call center, the setting can be configured in a Baseline, in a Profile, and in a GPO, and any two of those can conflict with each other. 

Workspace ONE Windows Policies Simplified

Determining the best approach to Workspace ONE Windows modern management should be addressed in conjunction with your CISO and/or Security team.  Let’s run through the three types of policies in recommended order.

Baselines

Baselines should be the primary policy type due to the built-in industry templates, Workspace ONE Intelligent Hub enforcement, and security compliance reporting. 

Two predefined Baseline templates are available to align with security standards: Windows Security Baseline and CIS Windows Benchmarks.   The settings each template exposes differ and depend on the template and level selected. 

  • Windows Security Baseline represents Microsoft’s recommended settings.
  • CIS Benchmarks provides more stringent controls in line with the Center for Internet Security (CIS) recommendations.  Two levels are available: 
    • Level 1 addresses basic security requirements and should cause minimal, if any, functional impact.
    • Level 2 provides more stringent security settings that may result in reduced functionality.  Significant testing should be undertaken to ensure the desired security results align with user/device functionality requirements.  

Omnissa recommends adopting one of these security templates as the primary policy that encompasses most settings.  In most cases, additional settings are necessary, and this is where a supplemental Baseline and one or more Profiles are appropriate. 

For example, the Windows Security Baseline and CIS Benchmarks do not include settings related to USB peripherals.  A Create Your Own Baseline, which provides options from the Windows 10/11 policy catalog, would be the appropriate policy type to manage USB connections.

Your CISO and/or Security team will appreciate the compliance reporting that is available for Baselines.  Reports showing device status are readily available to aid with governance, risk, and compliance.


Figure 2: Baseline security compliance status.

Profiles

Secondarily, Profiles should be used for additional configurations.  Profiles are built from Payloads, which are groups of related settings such as Windows Updates and BitLocker Encryption.  Omnissa recommends only one Payload per Profile, so multiple Profiles are typically appropriate.


Figure 3: Payload settings in the left pane of a Profile.

Where a setting is available within both Baselines and Profiles, Omnissa recommends implementing the Baseline setting.  Whichever is chosen, the same setting should never be configured within multiple policy types: the device receives the value from whichever policy applied last, which creates confusion and seemingly intermittent issues, and troubleshooting time is greatly increased. 

For example, the firewall setting discussed previously should only be configured as a Baseline setting.  By configuring it in only one policy type, the resulting device behavior will be as expected and there is no other policy that can overwrite it.

Active Directory GPOs

Omnissa recommends not integrating Active Directory GPOs with Workspace ONE Baselines and Profiles.  A third type of policy complicates managing and securing Windows devices.

For example, a new Workspace ONE administrator may not know about existing Active Directory GPOs that control Windows Hello and may spend seemingly endless hours troubleshooting authentication issues when configuring the Windows Hello payload within a Windows Profile.  It is much easier if Windows devices are controlled entirely within Workspace ONE.

However, for some environments, Active Directory GPOs are non-negotiable, and it is thus imperative for the Workspace ONE administrator to know exactly which settings those GPOs deliver (for example, by reviewing a Resultant Set of Policy report on a representative device) and to avoid configuring the same settings again in a Baseline or Profile. 
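The Bluetooth and Windows Hello scenarios above both come down to the same question: which policy sources have written a given setting on this device?  The script below is an added example, not code from this post or from Workspace ONE UEM.  It is read-only and reports, for a small illustrative catalog of settings, every registry location where each has been written, flagging a conflict when more than one source has.  It assumes that Policy CSP values delivered through MDM (Baselines and Profiles) land under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>, that classic GPO values land under HKLM:\SOFTWARE\Policies, and that the MDM registry location shown for Windows Hello for Business is correct; verify those paths on your own build.  It also reads the Windows Policy CSP setting ControlPolicyConflict/MDMWinsOverGP, which is not covered by this post but decides which side wins when MDM and GPO both set a supported policy.

```powershell
# Added example, not code from the Omnissa post or from Workspace ONE UEM.
# Reports every registry location where a cataloged Windows setting has been
# written, so an administrator can see whether a Baseline/Profile (MDM) and an
# AD GPO both touch the same setting before chasing "intermittent" behaviour.
# Assumptions, to verify on your own build:
#  - Policy CSP values delivered by MDM land under
#    HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>
#  - Classic GPO values land under HKLM:\SOFTWARE\Policies\...
#  - The MDM path for Windows Hello for Business below is an assumed location.
# Run in an elevated PowerShell on the device; nothing is changed.

$PolicyManager = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device'

# Catalog: setting -> { source -> registry path (wildcards allowed) + value name }.
# Illustrative entries only; extend it with the settings you actually deploy.
$Catalog = [ordered]@{
    'Bluetooth (Connectivity/AllowBluetooth)' = @{
        'MDM (Baseline/Profile)' = @{ Path = "$PolicyManager\Connectivity"; Name = 'AllowBluetooth' }
    }
    'Windows Firewall, domain profile on/off' = @{
        'AD GPO' = @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'; Name = 'EnableFirewall' }
    }
    'Windows Hello for Business enabled' = @{
        'AD GPO'                 = @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'; Name = 'Enabled' }
        'MDM (assumed location)' = @{ Path = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\*\Device\Policies'; Name = 'UsePassportForWork' }
    }
}

function Get-RegistryValues {
    # Returns one object per key matching $Path that carries the value $Name.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return @() }
    Get-Item -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $v = $_.GetValue($Name, $null)
        if ($null -ne $v) {
            [pscustomobject]@{ Key = $_.Name; Name = $Name; Value = $v }
        }
    }
}

function Get-PolicySourceReport {
    # For each cataloged setting, list the sources that have written it and
    # flag Conflict when more than one distinct source has.
    param([System.Collections.IDictionary]$Catalog)
    foreach ($setting in $Catalog.Keys) {
        $hits = @()
        foreach ($source in $Catalog[$setting].Keys) {
            $loc = $Catalog[$setting][$source]
            foreach ($hit in @(Get-RegistryValues -Path $loc.Path -Name $loc.Name)) {
                $hits += [pscustomobject]@{ Source = $source; Key = $hit.Key; Name = $hit.Name; Value = $hit.Value }
            }
        }
        [pscustomobject]@{
            Setting  = $setting
            Sources  = $hits
            Conflict = (@($hits | Select-Object -ExpandProperty Source -Unique).Count -gt 1)
        }
    }
}

function Get-MdmWinsOverGp {
    # Policy CSP ControlPolicyConflict/MDMWinsOverGP: 1 means the MDM value wins
    # for the policies that support it; unset or 0 means the GPO value wins.
    $v = @(Get-RegistryValues -Path "$PolicyManager\ControlPolicyConflict" -Name 'MDMWinsOverGP')
    if ($v.Count -gt 0) { [int]$v[0].Value } else { 0 }
}

$report  = Get-PolicySourceReport -Catalog $Catalog
$mdmWins = Get-MdmWinsOverGp

foreach ($r in $report) {
    $state = if ($r.Sources.Count -eq 0) { 'not set by any cataloged source' }
             elseif ($r.Conflict)        { 'CONFLICT: set by more than one source' }
             else                        { "set by $($r.Sources[0].Source)" }
    Write-Host "$($r.Setting): $state"
    $r.Sources | ForEach-Object { Write-Host ("    {0,-24} {1}\{2} = {3}" -f $_.Source, $_.Key, $_.Name, $_.Value) }
}
$winner = if ($mdmWins -eq 1) { 'MDM value wins on conflict' } else { 'GPO value wins on conflict (the default)' }
Write-Host ("MDMWinsOverGP = {0} ({1})" -f $mdmWins, $winner)

# Effective firewall state as the device actually runs it, for comparison with
# whichever source wrote the setting.
Get-NetFirewallProfile -Name Domain | Select-Object Name, Enabled
```

The value of the report is the Conflict flag: a setting that appears under both a PolicyManager key and a HKLM:\SOFTWARE\Policies key is exactly the situation the post warns about, and the MDMWinsOverGP line tells you which value the device will honor until the duplicate is removed from one side.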

For More Details

Ensuring that Windows devices are properly managed and controlled is an essential part of endpoint security.  While Workspace ONE Baselines are the recommended primary policy type, Profiles and even Active Directory GPOs may affect your Windows devices. 

Want to know more?  Please see the Configuring Windows Baselines and Profiles Technical Walkthrough on Omnissa Tech Zone for a deep dive into Workspace ONE policies.
