
VMware AirWatch Security: Year in Review

By John Britton

Explore the 2016 AirWatch security certifications, product releases and integrations for industry-leading data security and endpoint protection.

The market has voted. Over the past year, per IDC, VMware AirWatch experienced year-over-year growth in excess of 80%. Much of this growth came because of VMware’s intense focus on enterprise data security.

Here are eight reasons why 2016 was a fantastic year for data security and endpoint protection in the AirWatch Unified Endpoint Management (UEM) solution and across VMware’s broad end-user computing (EUC) portfolio:

1. The industry’s leading certificate-based authentication and access control.

2. An integrated network security and micro-segmentation platform, only available with VMware.

3. Cryptographic modules implemented securely across the largest number of platforms.

4. Industry-leading visibility into all managed and unmanaged devices in the enterprise.

5. The most flexible integration, allowing today’s and tomorrow’s leading security vendors to provide actionable analytics for securing and protecting all devices.

6. Recognition by the U.S. federal government to securely operate both on-premises and in SaaS environments.

7. Certifications on all components of the technology stack, from the data center to the end user.

8. An industry-leading privacy initiative that ensures regulatory compliance anywhere across the globe.

The AirWatch security and development teams were extremely busy over the last twelve months. In addition to bringing together a UEM solution with more depth and breadth than anyone in the market, we also focused heavily on our security posture. Throughout 2016, AirWatch dedicated tremendous resources to ensure our solutions are certified to run in the most highly regulated industries and governmental agencies.

  • DISA STIG: In partnership with the Defense Information Systems Agency (DISA), AirWatch released a Security Technical Implementation Guide (STIG) for the AirWatch Mobile Device Management (MDM) Architecture and the AirWatch MDM agent for version 9.X. Our formal announcement can be found here.

  • FedRAMP: AirWatch has been granted an Authority to Operate (ATO) by the Federal Risk and Authorization Management Program (FedRAMP) at the Moderate impact level.

  • FIPS 140-2: To reinforce our FIPS 140-2 encryption, AirWatch recently earned an attestation from the Booz Allen Hamilton CMVP Certified Laboratory on the AirWatch source code for the MDM Architecture, the iOS SDK, the Android SDK and the Windows Software Development Kits (SDKs). These SDKs are used across the AirWatch Boxer, Browser and Content Locker applications for encryption operations. Download the signed attestation letter.

  • NIAP Common Criteria: AirWatch is now in the “In Evaluation” stage for the MDM and MDM Agent Protection Profile version 2.0 for iOS. We expect to become a NIAP-validated vendor and achieve a Commercial Solutions for Classified (CSfC) listing in early 2017. AirWatch is currently undergoing the NIAP Common Criteria validation process for its VMware Boxer email application, as well as for the Application Protection Profiles covering mobile application management (MAM), VMware Identity Manager, Android, Windows 10 and iOS.

  • Criminal Justice Information Services: VMware enlisted audit partner Coalfire Systems to evaluate how VMware products and solutions support the requirements of the CJIS Security Policy, and to document those capabilities in a set of reference architecture documents. The AirWatch enterprise mobility management (EMM) platform aligns with NIST 800-53 revision 4 controls and supports Criminal Justice Information Services (CJIS) Security Policy version 5.5 requirements.

  • NIST SP 800-157 (Derived Credentials): AirWatch provides direct integration with various Certificate Authority (CA) vendors to generate and/or deliver a Derived Credential securely to the mobile device and/or mobile application. In addition, AirWatch is integrating with the top-tier commercial off-the-shelf (COTS) Derived Credentials solutions, such as Entrust IdentityGuard, Intercede MyID and XTec AuthentX. AirWatch also integrates with the DoD Purebred Derived Credentials solution.

  • NIST SP 800-163 (App Vetting): 800-163 defines the processes that ensure mobile applications used in the public sector are free from design vulnerabilities and that vulnerabilities cannot be inserted into an application over its lifecycle. Once an application is deployed, AirWatch is able to revoke access to it if it no longer meets the agency’s security requirements. Through the VMware Mobile Security Alliance (MSA), multiple AirWatch partners provide real-time application vetting and reputation scoring analysis, helping agencies comply with NIST SP 800-163.

Pen Tests

Penetration tests are an important checkpoint and validation step in the lifecycle of building a secure software solution. Within AirWatch, we regularly perform penetration tests to ensure our code is secure, and we maintain a program that allows customers to perform their own tests. Most customers either perform these tests internally or hire third-party testers to evaluate the security of the AirWatch products. Between internal and external engagements, AirWatch reviewed hundreds of penetration tests over the past year. From these tests, AirWatch learned several important details about the product, and these findings have been used to improve it in several ways.

Any issues raised in penetration tests are used to improve the security of the product. They also help AirWatch better educate enterprise IT about security best practices and improve how we discuss AirWatch as a secure product, both internally and externally.

The AirWatch security team welcomes the external evaluation of the product and will continue to work with those who want to make the product more secure for everyone.

Modernizing & Securing Your Users’ Workspaces

One of the challenges facing today’s information worker is choosing the right tool for the task at hand. Traditionally, IT provided the Microsoft Office suite of productivity tools to the information worker. With the consumerization of device platforms, users now have many choices in the hardware they want to use in the enterprise. To further complicate the issue, the rise of application stores (Google Play, the Apple App Store and the Microsoft Store, along with many others) empowers end users to pick and choose their own productivity apps.

With the introduction of VMware Workspace ONE in February, enterprise customers can feel more secure about choosing VMware to manage all their devices and applications. Workspace ONE is a unified access control platform that delivers and manages access and DLP policies for any app on any device—mobile, desktops, laptops, rugged and Internet of Things. Workspace ONE addresses several of the biggest security issues that challenge today’s enterprises, including:

  • Identity and access management.

  • Any device anywhere.

  • Simple, self-service onboarding of new employees and devices.

Learn More: What Is Workspace ONE?

Identity & SSO Management

Identifying the end user was once an easy task. The user was assigned a desk and a computer, and IT could walk by and visually confirm that the correct user was accessing corporate data. In today’s distributed bring-your-own (BYO) environment, information workers can connect to the enterprise from anywhere at any time. To solve this problem, IT must be able to accurately identify the end user.

Workspace ONE is identity management for the mobile-cloud era. VMware delivers on consumer-simple expectations like one-touch access to nearly any app, from any device, optimized with AirWatch conditional access. IT can empower employees to be productive quickly and securely with a self-service app catalog, while giving IT a central place to manage user provisioning and access policies with enterprise-class directory integration, identity federation and user analytics.

Learn More: The Digital Workspace Journey & the Identity-Defined Workspace

Endpoint Compliance

Understanding the state of the enterprise has proven to be difficult and time consuming. IT has struggled to learn, in a timely manner, which devices are connecting to the network and what the intent and purpose of those devices are.

VMware TrustPoint delivers a broad set of capabilities to track, contain and remediate threats and vulnerabilities across every endpoint with unparalleled speed and scalability. Quickly remediate at scale by killing processes, capturing files, alerting users, applying updates or imaging endpoints in minutes. TrustPoint empowers security and IT teams with 15-second visibility and control to secure every endpoint across large global networks. Combining VMware’s Windows 10 imaging capabilities and Tanium’s leading-edge security platform, TrustPoint provides complete endpoint visibility and control with next-generation threat detection and remediation.

Learn More: VMware Unveils New Endpoint Security Solution VMware TrustPoint

Securing Access to Corporate Network Apps & Services

With the rise of mobile, the enterprise has seen the number of connected devices more than double. This is a challenge for IT, because they have no way of knowing whether a device attempting to connect to the network is a security threat. From a traditional MDM perspective, little thought was ever given to the possibility that a malicious actor could gain control of a mobile device and dive deep into the enterprise back office. At Black Hat USA 2016, it was demonstrated how a malicious actor could take over a secure connection on a mobile device to gain access to a back-office server.

Restricting network access to the back office is a problem that VMware NSX solves. NSX and AirWatch have been integrated to allow IT to segment traffic. The AirWatch and NSX integration extends security beyond your digital workspace: it protects corporate IP and data accessed from mobile apps and devices against mobile cybersecurity threats by reducing the footprint of the mobile workflow from the mobile device into the data center. By integrating identity and EMM with intelligent networking and micro-segmentation, this integration from VMware allows organizations to:

  • Deliver enhanced network security for mobile workflows;

  • Accelerate digital workspace deployments;

  • Define mobile policies for network access;

  • Reduce mobile access footprint and attack surface; and

  • Accelerate mobile app delivery, testing and automation.

Mobile cybersecurity threats are mitigated by providing organizations with an extensible solution that seamlessly integrates NSX with the AirWatch compliance engine.

Customers who have deployed AirWatch + NSX are more confident than ever that, if there were ever an attack on the AirWatch Tunnel, back-office systems would not be compromised, because there is no lateral movement from AirWatch servers to other highly sensitive data. A customer example of NSX + AirWatch can be seen here.

Learn More: Explore Next Generation Mobile Security with VMware NSX + AirWatch

Multifactor Authentication & Hardware-Based Security

One of the challenges facing IT today is the storage and protection of credentials. Saving the end user’s certificates, tokens or even passwords in a secure environment on the phone should always be the primary choice. AirWatch stores end-user credentials in the most secure way possible. On iOS devices, the Apple Secure Enclave (page 7 here) stores these credentials.

AirWatch can enable the use of multifactor authentication to access enterprise data. IT can require information workers to use the hardware-based biometric readers available on today’s mobile devices. In addition, VMware Verify can be used as an out-of-band authentication method to ensure that data is only accessed after the end user passes multiple layers of defense.

Learn More: Introducing VMware Verify Two-Factor Authentication

Expanding Threat Detection with MSA Partners

MSA partners continually find and expose the malicious side of mobile computing. Since Connect Atlanta in 2015, our MSA partners have done a phenomenal job of finding and properly disclosing issues to make mobile computing safer for everyone. We discussed a few examples here on the AirWatch Blog, including:

Only AirWatch brings together the strongest mobile threat defense partners in a way that enables the enterprise to secure its data.



Security is great for gaining control and protecting enterprise data. In today’s global workplace, the enterprise must also recognize and separate the personal side of the employee’s device from the corporate side. Since 2015, AirWatch has led the way with its award-winning Privacy First Initiative, and in 2016 it continued with three major additions to the initiative. More information on those can be found in this blog: 3 Things You Need to Know about AirWatch & End-User Privacy.


VMware is dedicated to continuing our vision and industry leadership for endpoint, data, application and network security in 2017. We are committed to providing the most secure solutions in the industry to help your business or agency protect your users, data and intellectual property.

To learn more about these innovations and how you can partner with VMware to secure your business from top to bottom, please visit

John Britton

John Britton is the former director of product marketing for security at VMware End-User Computing (EUC).
