Workspace ONE Access – Securing everything with 2FA

So far we have been adding more and more applications into the portal, but in this post, we will focus on adding security, specifically two-factor authentication (2FA).

VMware has its own solution called VMware Verify, which is part of every edition of Workspace ONE and also of Horizon Advanced and higher, so let’s focus on that today. Of course, you can use any other 2FA solution over RADIUS.

Just a short clarification on naming and how this 2FA works. VMware Verify is a software 2FA token: an app for your Android or iOS mobile device that can do push approval, one-time token generation or SMS. This solution is actually not developed by VMware; it’s a branded version of a popular authentication service called Authy (if you open both apps on your mobile, you will see that they are quite similar).

A couple of things to mention here. VMware Verify is a cloud service and, to be even more clear, it is not a VMware-hosted cloud service. When you set up a new device, you need to fill in a phone number and an email address, and those two things live outside of VMware.

If you have Workspace ONE Access deployed on-prem, you will still be able to use Verify. During the activation, you will be prompted to enter an Authy API key. You can get this key by contacting your VMware rep. This is not the case when using SaaS Access, as the Authy integration is already done there for all customers.

You can also use any third-party solution that talks RADIUS, but let’s focus on that in a different post.

If you plan to use VMware Verify to secure your Horizon environment, which is totally doable, keep in mind that you should switch your Horizon Connection server to “Workspace ONE only mode”. In other words, all incoming authentication requests must go through Workspace ONE Access. Otherwise, people will be able to bypass your policies by connecting directly to the connection server.

First step

As a first step, you must install the VMware Verify app on the mobile device, either from Google Play or the Apple App Store. Launch the app and do the initial configuration. It will prompt you for a phone number and email address, and you should also set up a PIN.

You should end up with a screen, which looks like this:

Now you are ready to configure Workspace ONE Access.

Second step

Open your Workspace ONE Access admin console, go to Authentication Method and edit the VMware Verify line.

Simply enable Verify. Please note that if you are doing this on an on-prem installation, you will need a token/API key, which can be obtained from your VMware rep. Click Save.

Go to your built-in identity provider.

Enable VMware Verify as an authentication method.

Now you are ready to use Verify in access policies. Please note that the mobile application is configured the first time the user hits a resource protected by Verify, not sooner, so you really need some policy up and running. You can protect the whole portal, but you can also just create a new policy for a specific resource, and this is what we will do. Click on “Add Policy”.

Give it a name and select the desired resource. I will protect my Horizon desktop pool, but it can be anything. Click Next.

Now we need to add a policy rule.

It will be any range and any device. Then click on the little plus icon and add VMware Verify as a second factor.

If you take a look at users, you can see that there is no pairing so far between your AD user and Verify.

As I mentioned before, the user must hit the Verify access policy to finish the configuration. Go ahead and log in as a user.

Launch the protected resource.

Now the Verify access policy will kick in. You will be prompted for a phone number. This must match the number you entered in the Verify mobile app. It has nothing to do with the phone number you have in Active Directory.

The Verify app will be autoconfigured, and it should look like this:

Copy the code to the prompt.

If you take a look at your users, you can see the phone number linked to the AD user.

In user details, you can reset the binding, if needed.

Let’s focus on getting the MobileSSO technology for iOS and Android up and running in the next post.