Early next year (2018), VMware AirWatch will begin enforcing SSL pinning in its mobile applications. Although SSL pinning to Device Services is optional and may be disabled by customers with On-Premise or Dedicated SaaS environments, certain communications between VMware AirWatch mobile applications and VMware AirWatch cloud services will always be pinned for enhanced security.
Connectivity to the global Autodiscovery endpoint in AirWatch SaaS and to the locally configured Trust Service for On-Premise closed network deployments will always be pinned. These relationships are coded into the mobile application binaries and cannot be disabled. This ensures that a root of trust can be established and mitigates the threat of attackers using a Man-in-the-Middle (MITM) attack to tamper with VMware AirWatch mobile applications. Such tampering at this phase of the pinning process would erode the security properties of all subsequent communication.
As a result, network appliances used to inspect SSL/TLS traffic cannot inspect communication between your mobile devices and these services. These connections occur initially at enrollment, but may occur again if a device is unable to establish a trusted connection to the Device Services endpoint.
Alert: Customer action required
Customers that employ an SSL/TLS inspection appliance for outbound traffic, or that use closed network deployments, will need to make certain that pinned connections to AirWatch services remain possible. To do this, customers should observe the following additional requirements so that no interruption in connectivity occurs:
- Permit outbound network access from all devices during and after enrollment to the https://discovery.awmdm.com endpoint (or install a Trust Service and permit access from all devices to the Trust Service)
- Create SSL/TLS inspection appliance bypass exceptions for all device traffic going to either https://discovery.awmdm.com or the Trust Service, depending on your deployment type
Additionally, SaaS customers will need to implement the following requirements (Note: Dedicated SaaS and On-Premise customers that accept the security risk and disable pinning to the Device Services server need not enforce the requirements listed below):
- Permit outbound network access from all devices during and after enrollment to the Device Services endpoint for your environment.
- Create SSL/TLS inspection appliance bypass exceptions for all device traffic going to the Device Services endpoint.
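To confirm that the bypass exceptions above are actually in effect, the following added check (example code, not VMware's) computes the SPKI pin of the certificate a host on your network actually receives from discovery.awmdm.com and compares it with a pin you recorded on a known-direct path. An inspection appliance in the path substitutes its own certificate, so the pins differ, which is exactly what makes the pinned mobile application fail. The expected pin in the script is a placeholder; record the real value yourself, and the `der_tlv` helper exists only to build a constructed test certificate.

```python
"""Added check: does a pinned AirWatch endpoint reach us directly? An inspection
appliance re-signs the leaf certificate, so its SPKI pin differs from the pin
recorded on a known-direct path. Standard library only."""
import base64, hashlib, socket, ssl

def read_tlv(der: bytes, pos: int = 0):
    """Decode one DER element at pos; return (tag, value, end_offset)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element (used only to build a constructed test certificate)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def pin_of_spki(spki_der: bytes) -> str:
    """Base64(SHA-256(SubjectPublicKeyInfo)): the common public-key pin format."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def spki_pin(cert_der: bytes) -> str:
    """Walk Certificate -> tbsCertificate and pin its SubjectPublicKeyInfo."""
    _, cert_body, _ = read_tlv(cert_der)        # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body)             # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(tbs)
    pos = end if tag == 0xA0 else 0             # skip optional [0] version
    for _ in range(5):                          # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)              # subjectPublicKeyInfo
    return pin_of_spki(tbs[pos:end])

def fetch_leaf_pin(host: str, port: int = 443) -> str:
    """Return the pin of the leaf certificate actually presented on this path.
    Chain verification is off on purpose: an appliance CA may be trusted by
    this machine, and the point is to see which certificate arrives."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return spki_pin(tls.getpeercert(binary_form=True))

if __name__ == "__main__":
    # Placeholder: record the real pin from a device on a known-direct path.
    EXPECTED = {"discovery.awmdm.com": {"<pin recorded on a direct path>"}}
    for host, good in EXPECTED.items():
        pin = fetch_leaf_pin(host)
        verdict = "OK, direct" if pin in good else "MISMATCH: inspection bypass likely missing"
        print(f"{host}: {pin} {verdict}")
```

Run it from the network segment your devices use, and add your Device Services hostname to EXPECTED if you keep pinning to Device Services enabled.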
To learn more about SSL Pinning within AirWatch, please review this KB article.
The VMware Workspace ONE Team