Workspace ONE Tunnel Security and Compliance Update
Introducing TLS 1.3 and Application Integrity Checking for Workspace ONE Tunnel
Security is top of mind for CISOs and IT professionals, and Workspace ONE Tunnel has just released two features that help improve your security posture:
- TLS 1.3 – Enables TLS 1.3 (RFC 8446) for the Workspace ONE Tunnel Desktop Client, bringing the tunnel in line with the current TLS standard.
- Application Integrity Checking – Verifies the code-signing identity of the application vendor so that traffic from rogue or tampered binaries is not tunneled.
- Technical Requirements:
- Windows 10+
- Workspace ONE Tunnel Desktop Client 24.05
- Workspace ONE UEM 2402
Why is TLS 1.3 Important?
Cybercriminals are skilled at infiltrating networks, and IETF (Internet Engineering Task Force) TLS 1.3 is the current version of the protocol that protects traffic in transit. TLS 1.3 improves on TLS 1.2 by removing legacy cryptography (static RSA key exchange, non-AEAD cipher suites such as CBC modes, RC4, and SHA-1 handshake signatures) and by completing the handshake in one round trip instead of two. Adoption has also been accelerated by United States federal guidance: NIST SP 800-52 Rev. 2 requires government servers to support TLS 1.3 by January 1, 2024.
The Tunnel Service on Unified Access Gateway (UAG) has supported TLS 1.3 since 2309 and needs no additional configuration to negotiate TLS 1.3 between the Tunnel client and server. Because TLS 1.3 changes the handshake and not the certificate format, existing RSA or ECDSA certificates keep working: there is no need to acquire a new certificate or modify the existing one. Updating the appliance and the Tunnel client is all that is required.
This Application is Authentic…Isn’t It?
Application sources aren't always secure or genuine. Malicious third parties may host applications that look authentic and trustworthy but are in fact rogue sites run by bad actors. For example, an Adobe Acrobat download may appear genuine and raise no immediate concern; on closer inspection, the site may be hosted in a risky country, or the installer may carry a valid code-signing certificate issued to a look-alike name rather than to the real vendor.
To combat this, Workspace ONE introduces Application Integrity Checking on endpoints to validate that Windows applications are genuine and were actually provided by the vendor. Rather than assuming an application is authentic, the client verifies its code signature against the signer identity the administrator configured.
Desktop and laptop computers running Windows are at the greatest risk from rogue applications, so Application Integrity Checking is focused on non-mobile devices: it validates the signer certificate of each managed application that an admin has configured for tunneling. On mobile devices, the Apple App Store and Google Play™ Store already ensure the integrity of app downloads.
Configuring Application Integrity Check
UEM administrators can enable the Application Integrity Check in three steps:
- Obtain the app's signer certificate subject name from the Windows application using PowerShell. See the following example:
- In the Workspace ONE UEM console, go to Security / Tunnel / Applications:
  - Add or edit the Windows application.
  - Under Signing Information, enter the signer certificate subject name for the application.
  - Save the app.
- Enable Application Integrity Check in the Windows Tunnel profile (the setting is under the VPN profile for Tunnel). Save and publish the profile; the check only takes effect once the new profile is installed on the device.
When the Tunnel client receives a connection request from an application, it checks that the application's signing information matches what was configured in the console. If the check fails, the client blocks the communication.
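The following PowerShell is an added example for the first step above; it is not code from the article or from the Workspace ONE Tunnel product. Get-SignerSubject reads the Authenticode signer of a binary and returns the subject DN to paste into Signing Information, refusing to report a subject from a signature that does not validate. Test-SignerSubject is a stand-in for the comparison the Tunnel client performs: the client's exact matching rules are not documented on this page, so a case-insensitive match on the full subject DN is an assumption made for illustration. The file paths in the usage comments are examples only.

```powershell
# Added example, not part of Workspace ONE Tunnel or this article.

function Get-SignerSubject {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature validates the signer chain and, for Windows inbox
    # binaries, resolves catalog signatures (SignatureType = Catalog).
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Never copy a subject name from a NotSigned / HashMismatch / UnknownError
    # signature: a tampered or self-signed binary can carry any name it likes.
    if ($sig.Status -ne 'Valid') {
        throw "Signature status for '$Path' is '$($sig.Status)': $($sig.StatusMessage)"
    }

    $cert = $sig.SignerCertificate
    [PSCustomObject]@{
        Path          = $Path
        Subject       = $cert.Subject        # value for the Signing Information field
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint     # keep for your own records
        NotAfter      = $cert.NotAfter
        SignatureType = $sig.SignatureType
    }
}

function Test-SignerSubject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSubject
    )

    try {
        $info = Get-SignerSubject -Path $Path
    }
    catch {
        # An unsigned or tampered binary fails closed, as the Tunnel client does.
        Write-Warning $_
        return $false
    }

    # Assumption for illustration: compare the whole distinguished name, not only
    # the CN= component, so a rogue certificate issued to a look-alike CN under a
    # different O= or C= does not match.
    return $info.Subject.Equals($ExpectedSubject,
        [System.StringComparison]::OrdinalIgnoreCase)
}

# Usage (example paths; point these at the application you are tunnelling):
# Get-SignerSubject -Path 'C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe'
# Test-SignerSubject -Path 'C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe' `
#     -ExpectedSubject (Get-SignerSubject -Path 'C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe').Subject
```

Record the full subject DN exactly as returned rather than a shortened vendor name, and note the issuer and thumbprint alongside it: a subject name on its own does not distinguish certificates issued by different CAs, so the recorded thumbprint lets you confirm later which certificate the console entry was taken from, and tells you when a vendor's certificate rotation will require updating the entry.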
Summary
Workspace ONE Tunnel brings important updates for security and compliance. TLS 1.3 improves on TLS 1.2 by dropping legacy cryptography and shortening the handshake to a single round trip, which makes connections faster, cuts latency, and improves the overall user experience while keeping the tunnel aligned with current standards. The new Application Integrity Check ensures that only applications signed by the vendor identity configured in the console can communicate with internal resources through the tunnel.
To learn more about Workspace ONE Tunnel, check out the following articles: