This article, How to Remediate Vulnerable Software with Workspace ONE UEM and Flexera SVM, was originally posted at the VMware Digital Workspace Tech Zone Blog.
Enterprises have a large fleet of software applications that they make available to their employees for productivity, security, or to support their job functions. No matter the size of your company, you typically have tens, if not hundreds or thousands, of applications.
Thousands of these apps have vulnerabilities that are actively exploited every day. Those are the issues that you, as an IT administrator, are aware of and can, with considerable effort, keep track of. However, users also download and install software on their devices, knowingly or unknowingly, and the exposure created by that unmanaged software is far harder to quantify. This makes a vulnerability management strategy, and a solution to implement it, critical for every company.
Flexera is one of the leading vendors in the vulnerability management space. Flexera’s Software Vulnerability Manager (SVM) provides a curated list of patches for thousands of apps along with their vulnerability scores. But patching every vulnerable application in the catalog is not a practical solution. What makes Flexera SVM unique is its ability to help companies prioritize, from that vast list, the patches that impact their devices the most. Its coverage extends not only to the apps a company manages and deploys to users for business needs (managed applications), but also to the apps users have installed themselves (unmanaged), giving you the 360-degree coverage required.
VMware Workspace ONE® UEM can distribute Windows 10 software to devices while providing all the capabilities companies need to manage the entire lifecycle, from initial deployment to updates to retirement, along with the appropriate policies – even for companies with complex organizational structures and distributed IT teams. By integrating Workspace ONE UEM with Flexera SVM, we build the bridge to remediate vulnerable software automatically, with a button click. With this integration, customers no longer need to supply any of the metadata required to manage these patches in Workspace ONE UEM.
Now, let us look more closely at how the integration works. Setting up SVM and publishing patches through Workspace ONE can be completed in three simple steps.
Prerequisites for the integration
- Workspace ONE UEM 2101 or later
- On-premise Flexera SVM version – 188.8.131.52 or SVM 2021 R1
- Patch Daemon – 5.0.381 or later
- Windows 10 devices enrolled in UEM with Flexera SVM agent running
Step 1: Configure the Patch Daemon with your Workspace ONE UEM credentials
Patch Daemon is the medium through which patches from the Flexera SVM catalog are published to your Workspace ONE UEM environment. Download the latest version of Patch Daemon before getting started.
- Install Patch Daemon on an admin machine.
- Launch the daemon and open the Workspace ONE tab.
- Enter the details of your desired Workspace ONE UEM instance along with the authentication option (basic authentication or certificate).
- Also provide the REST API key for the tenant hierarchy where you would like to publish the patches. Based on the admin credentials and API key, the list of Workspace ONE UEM Organization Groups (OGs) is populated. Select the desired OG.
- Test connection to ensure the connectivity has been established.
- Validate the SVM tab to ensure the desired logging level is selected.
Now you are ready to start publishing desired patches to Workspace ONE!
Step 2: Identify vulnerabilities that you would like to patch and publish via Patch Daemon
In Flexera, review the high-criticality patches in the SPS section. These are populated based on the vulnerabilities that your device fleet is susceptible to. After you identify the vulnerability you would like to patch, right-click and select the option to create a package. While creating the package, you have the options to:
- Edit the contents of the package to add or edit the execution flow.
- View the applicability rules by which devices will be targeted.
- Select ‘Patch Daemon’ as the publishing medium.
Click ‘Publish.’ Monitor the publish status on the ‘patch deployment status’ page and confirm the Workspace ONE environment details.
Step 3: View, validate and assign in Workspace ONE UEM
When the publish status moves to ‘Success’ on SVM, open your Workspace ONE instance and navigate to the managed ‘apps’ list view. The published app should be visible in your UEM console with the appropriate criticality and the source shown as ‘Flexera SVM.’ The application in Workspace ONE is created with the applicability rules from SVM converted into install contingencies and the applicable detection criteria. Validate this app metadata and proceed to add assignments to your end-user devices for delivery.
The patch can be assigned to a test or pilot group before fully rolling out to all impacted devices. Even if the app is assigned to all devices, it will only be installed on devices that meet the applicability rules, thereby narrowing the scope of the rollout.
Repeat steps 2 and 3 for all vulnerabilities that you want to remediate for your devices.
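To make the targeting behaviour from Step 3 concrete, here is a small Python model, added here and not code from the blog post, VMware or Flexera, of how an applicability rule (product present and installed version older than the patched one) narrows an assignment to the devices that actually need it, how a pilot group is carved out before full rollout, and how patches are ordered by criticality and impact. The device inventory, patch entries and criticality scale (higher = more critical) are constructed for the example.

```python
import re
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    # Compare versions as numeric tuples: "10.10.0" > "10.9.0".
    # A plain string comparison gets this wrong, which silently widens or shrinks rollout scope.
    return tuple(int(x) for x in re.findall(r"\d+", v))

@dataclass
class Patch:
    name: str
    product: str
    fixed_version: str   # version the package installs
    criticality: int     # constructed scale for this example, 5 = most critical

@dataclass
class Device:
    device_id: str
    installed: dict      # product name -> installed version string (constructed inventory)

def is_applicable(patch: Patch, device: Device) -> bool:
    # Applicability rule: product is present AND installed version is older than the fix.
    current = device.installed.get(patch.product)
    return current is not None and parse_version(current) < parse_version(patch.fixed_version)

def plan_rollout(patches, devices, pilot_ids):
    # For each patch, split the applicable devices into the pilot ring and the remaining fleet.
    plan = {}
    for p in patches:
        targets = [d.device_id for d in devices if is_applicable(p, d)]
        plan[p.name] = {
            "criticality": p.criticality,
            "pilot": [t for t in targets if t in pilot_ids],
            "full": [t for t in targets if t not in pilot_ids],
        }
    return plan

def prioritize(plan):
    # Highest criticality first, then the patch that touches the most devices.
    return sorted(plan, key=lambda n: (-plan[n]["criticality"],
                                      -(len(plan[n]["pilot"]) + len(plan[n]["full"]))))

# Constructed sample data (not real fleet data).
DEVICES = [
    Device("WIN-001", {"Google Chrome": "88.0.4324.96", "7-Zip": "19.00"}),
    Device("WIN-002", {"Google Chrome": "89.0.4389.72"}),
    Device("WIN-003", {"Google Chrome": "88.0.4324.150", "7-Zip": "21.02"}),
    Device("WIN-004", {"7-Zip": "9.20"}),
]
PATCHES = [Patch("Chrome 89 update", "Google Chrome", "89.0.4389.72", 4),
           Patch("7-Zip 21.02 update", "7-Zip", "21.02", 5)]
PILOT = {"WIN-001"}
```

Calling `plan_rollout(PATCHES, DEVICES, PILOT)` shows that WIN-002 is excluded from the Chrome patch because it is already at the fixed version, and WIN-004, which has no Chrome installed, is only in scope for 7-Zip.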
Automate patch publishing
The selection and publishing of patches can be further automated by subscribing to them in Flexera SVM. This means applications like Google Chrome are always kept at the latest available version.
For more details on the integration, talk to your Flexera SVM or Workspace ONE representative.
Check the following resources for more information.
- VMware Docs: Flexera Software Vulnerability Manager Integration
- Flexera Blogs: VMware and Flexera team-up to address critical need
- Flexera Announces Software Vulnerability Management for VMware Workspace ONE UEM
- Deploying Traditional Win32 Applications to Windows 10 Devices: Workspace ONE Operational Tutorial