Back to Documentation
VMware

VMware Workspace ONE Deployment

Unified endpoint management and automated security compliance

Workspace ONE Integration Overview

Unified Endpoint Management

VMware Workspace ONE provides comprehensive endpoint management capabilities for deploying TYCHON Quantum Readiness across Windows, macOS, iOS, and Android devices with centralized compliance monitoring and automated security workflows.

📱 Multi-Platform

Deploy across Windows, macOS, iOS, and Android endpoints

âš¡ Automated Compliance

Continuous crypto security monitoring and policy enforcement

🔒 Zero Trust

Integration with Workspace ONE Access and Carbon Black

Use Cases

  • • BYOD Security: Scan personal devices for crypto compliance
  • • Mobile Certificates: Monitor certificate stores on iOS/Android
  • • Remote Workforce: Crypto security for distributed teams
  • • Compliance Automation: Automated policy enforcement and reporting
  • • Application Wrapping: Deploy TYCHON as managed application
  • • Conditional Access: Crypto-based device access policies

Application Deployment

1. Create Internal Application

Package TYCHON Quantum Readiness as internal application for enterprise distribution

Windows MSI Package Configuration

# Application Definition in Workspace ONE UEM Console
Application Name: TYCHON Quantum Readiness
Application Type: Internal
Platform: Windows Desktop
Category: Security Tools

# Installation Command
msiexec /i "certscanner-1.0.43.msi" /quiet /norestart INSTALLDIR="C:\Program Files\TYCHON" 

# Uninstall Command  
msiexec /x {PRODUCT-GUID} /quiet /norestart

# Detection Method
Registry Key: HKLM\SOFTWARE\TYCHON\Quantum Crypto Manager
Value Name: Version
Value Data: 1.0.43

macOS PKG Package Configuration

# macOS Application Configuration
Application Name: TYCHON Quantum Readiness
Application Type: Internal
Platform: macOS
Bundle ID: com.tychon.certscanner

# Installation Command
installer -pkg "certscanner-1.0.43.pkg" -target /

# Detection Method
File Path: /usr/local/bin/certscanner
File Detection: Exists

# Pre-Installation Script
#!/bin/bash
# Create TYCHON directory structure
mkdir -p /usr/local/bin
mkdir -p /var/log/tychon
chmod 755 /usr/local/bin
chmod 755 /var/log/tychon

2. Smart Groups and Assignment

Use smart groups to target specific device types and roles for scanner deployment

Security Team Devices

  • Criteria: Device Model contains "Security" OR User Group = "Security Team"
  • Applications: Full TYCHON suite with all scanning modes
  • Compliance: Daily scanning required
  • Configuration: Network + filesystem + memory scanning

Standard Corporate Devices

  • Criteria: Platform = "Windows" AND Enrollment Type = "Corporate"
  • Applications: TYCHON with filesystem scanning only
  • Compliance: Weekly scanning
  • Configuration: Local mode, certificate inventory

Compliance Policies

Custom Compliance Policies

Create custom compliance rules based on TYCHON scan results

Certificate Compliance Policy

# Workspace ONE Compliance Policy JSON
{
  "policy_name": "TYCHON Certificate Compliance",
  "description": "Ensure devices have valid certificates and secure crypto configuration",
  "platforms": ["Windows", "macOS", "Android", "iOS"],
  "rules": [
    {
      "rule_name": "Certificate Inventory Required",
      "condition": "file_exists",
      "path": "/var/log/tychon/latest-scan.json",
      "action": "require_scan"
    },
    {
      "rule_name": "No Expired Certificates",
      "condition": "custom_script",
      "script": "check_certificate_expiration.sh",
      "action": "block_if_expired"
    },
    {
      "rule_name": "Weak Cipher Detection",
      "condition": "custom_script", 
      "script": "check_weak_ciphers.sh",
      "action": "remediate_if_weak"
    }
  ],
  "enforcement": {
    "grace_period": "24_hours",
    "notification": true,
    "block_non_compliant": true
  }
}

Custom Compliance Scripts

Windows macOS 
# check_certificate_expiration.ps1
$scanFile = "C:\ProgramData\TYCHON\logs\latest-scan.json"
$complianceResult = @{
    compliant = $false
    message = ""
}

if (Test-Path $scanFile) {
    $scanData = Get-Content $scanFile | ConvertFrom-Json
    $expiredCerts = 0
    $expiringCerts = 0
    $thirtyDaysOut = (Get-Date).AddDays(30)
    
    foreach ($host in $scanData.hosts) {
        foreach ($cert in $host.certificates) {
            $expiryDate = [datetime]$cert.not_after
            if ($expiryDate -lt (Get-Date)) {
                $expiredCerts++
            } elseif ($expiryDate -lt $thirtyDaysOut) {
                $expiringCerts++
            }
        }
    }
    
    if ($expiredCerts -eq 0 -and $expiringCerts -lt 5) {
        $complianceResult.compliant = $true
        $complianceResult.message = "Certificate compliance: OK"
    } else {
        $complianceResult.message = "Found $expiredCerts expired and $expiringCerts expiring certificates"
    }
} else {
    $complianceResult.message = "TYCHON scan not found - please run certificate scan"
}

# Return compliance status to Workspace ONE
$complianceResult | ConvertTo-Json | Out-Host
#!/bin/bash
# check_certificate_expiration.sh
SCAN_FILE="/var/log/tychon/latest-scan.json"
COMPLIANCE_RESULT=""

if [[ -f "$SCAN_FILE" ]]; then
    # Parse scan results with jq
    EXPIRED_COUNT=$(jq -r '[.hosts[].certificates[] | select(.not_after | fromdateiso8601 < now)] | length' "$SCAN_FILE")
    EXPIRING_COUNT=$(jq -r '[.hosts[].certificates[] | select(.not_after | fromdateiso8601 < (now + 2592000))] | length' "$SCAN_FILE")
    
    if [[ "$EXPIRED_COUNT" -eq 0 ]] && [[ "$EXPIRING_COUNT" -lt 5 ]]; then
        COMPLIANCE_RESULT='{"compliant": true, "message": "Certificate compliance: OK"}'
    else
        COMPLIANCE_RESULT="{\"compliant\": false, \"message\": \"Found $EXPIRED_COUNT expired and $EXPIRING_COUNT expiring certificates\"}"
    fi
else
    COMPLIANCE_RESULT='{"compliant": false, "message": "TYCHON scan not found - please run certificate scan"}'
fi

# Return compliance status to Workspace ONE
echo "$COMPLIANCE_RESULT"

Automation & Workflows

Intelligent Hub Integration

Use Workspace ONE Intelligent Hub for automated scanning workflows and user self-service

Hub Services Configuration

# Hub Services Catalog Entry
{
  "service_name": "TYCHON Certificate Scan",
  "description": "Run crypto security scan on your device",
  "category": "Security",
  "icon": "security-shield",
  "platforms": ["Windows", "macOS"],
  "execution": {
    "type": "application",
    "command": "certscanner.exe",
    "arguments": "-mode local -scanfilesystem -outputformat tychon",
    "run_as": "user",
    "background": true
  },
  "approval_required": false,
  "self_service": true,
  "notification": {
    "on_completion": true,
    "message": "Certificate scan completed successfully"
  }
}

Automated Scanning Workflows

Windows macOS 
# Workspace ONE sensor script for automated scanning
# Deploy as Product Provisioning → Files/Actions → Add Action

$scannerPath = "C:\Program Files\TYCHON\certscanner.exe"
$outputDir = "C:\ProgramData\TYCHON\logs"
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = "$outputDir\ws1-scan-$timestamp.json"

# Ensure output directory exists
if (!(Test-Path $outputDir)) {
    New-Item -ItemType Directory -Path $outputDir -Force
}

# Run TYCHON scan
& $scannerPath -mode local -scanfilesystem -scanmemory `
  -outputformat tychon -output $outputFile `
  -tags "workspace-one,automated,compliance"

# Upload results to Workspace ONE Analytics
$hubUrl = "https://as###.awmdm.com"
$apiKey = $env:WS1_API_KEY
$orgGroupId = $env:WS1_ORG_GROUP

# Create custom event for Workspace ONE Analytics
$eventData = @{
    EventId = [guid]::NewGuid().ToString()
    DeviceId = (Get-WmiObject -Class Win32_ComputerSystemProduct).UUID
    Timestamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    EventType = "TYCHON_SCAN_COMPLETED"
    ScanFile = $outputFile
    ComplianceStatus = "COMPLIANT"
} | ConvertTo-Json

# Send to Workspace ONE Intelligence
Invoke-RestMethod -Uri "$hubUrl/api/mdm/analytics/event" `
  -Method POST -Headers @{
    "aw-tenant-code" = $apiKey
    "Content-Type" = "application/json"
  } -Body $eventData
#!/bin/bash
# Workspace ONE sensor script for macOS automated scanning
# Deploy via Custom Attributes → Add Attribute

SCANNER_PATH="/usr/local/bin/certscanner"
OUTPUT_DIR="/var/log/tychon"
TIMESTAMP=$(date +"%Y%m%d_%H%M%S")
OUTPUT_FILE="$OUTPUT_DIR/ws1-scan-$TIMESTAMP.json"

# Ensure output directory exists
mkdir -p "$OUTPUT_DIR"

# Run TYCHON scan
"$SCANNER_PATH" -mode local -scanfilesystem \
  -outputformat tychon -output "$OUTPUT_FILE" \
  -tags "workspace-one,automated,compliance"

# Upload results to Workspace ONE Analytics
HUB_URL="https://as###.awmdm.com"
API_KEY="$WS1_API_KEY" 
ORG_GROUP="$WS1_ORG_GROUP"

# Get device UUID for reporting
DEVICE_UUID=$(system_profiler SPHardwareDataType | awk '/Hardware UUID:/ { print $3 }')

# Create event data
EVENT_DATA=$(cat << EOF
{
  "EventId": "$(uuidgen)",
  "DeviceId": "$DEVICE_UUID",
  "Timestamp": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
  "EventType": "TYCHON_SCAN_COMPLETED",
  "ScanFile": "$OUTPUT_FILE",
  "ComplianceStatus": "COMPLIANT"
}
EOF
)

# Send to Workspace ONE Intelligence
curl -X POST "$HUB_URL/api/mdm/analytics/event" \
  -H "aw-tenant-code: $API_KEY" \
  -H "Content-Type: application/json" \
  -d "$EVENT_DATA"

3. Product Provisioning

Configure automated deployment and configuration management

Deployment Profile Configuration

# Product Provisioning Profile
{
  "profile_name": "TYCHON Security Scanner Deployment",
  "assignment_groups": ["Security Team", "IT Operations", "Compliance"],
  "deployment_schedule": {
    "type": "automatic",
    "maintenance_window": "02:00-04:00",
    "retry_attempts": 3
  },
  "configuration": {
    "install_behavior": "required",
    "removal_policy": "admin_only",
    "update_policy": "automatic"
  },
  "dependencies": [
    {
      "name": "Microsoft Visual C++ Redistributable",
      "version": "latest"
    }
  ],
  "post_install_actions": [
    {
      "type": "run_script",
      "script": "configure-tychon-scheduler.ps1",
      "timeout": "300"
    }
  ]
}

Workspace ONE Intelligence

Custom Dashboards

Create dashboards for crypto asset visibility and compliance monitoring

Certificate Compliance Dashboard

-- Workspace ONE Intelligence Query: Certificate Inventory
SELECT 
    d.DeviceFriendlyName,
    d.Platform,
    d.LastSeen,
    ca.EventType,
    JSON_EXTRACT(ca.EventData, '$.certificate_count') as cert_count,
    JSON_EXTRACT(ca.EventData, '$.expired_certificates') as expired_count,
    JSON_EXTRACT(ca.EventData, '$.compliance_status') as compliance_status
FROM Device d
LEFT JOIN CustomAnalytics ca ON d.DeviceId = ca.DeviceId
WHERE 
    ca.EventType = 'TYCHON_SCAN_COMPLETED'
    AND ca.Timestamp >= DATEADD(day, -7, GETDATE())
ORDER BY d.LastSeen DESC

Security Risk Dashboard

-- Risk Assessment Query
SELECT 
    d.DeviceFriendlyName,
    d.UserName,
    d.Platform,
    JSON_EXTRACT(ca.EventData, '$.weak_ciphers') as weak_cipher_count,
    JSON_EXTRACT(ca.EventData, '$.pqc_vulnerable') as pqc_vulnerable_count,
    CASE 
        WHEN JSON_EXTRACT(ca.EventData, '$.weak_ciphers') > 5 THEN 'HIGH_RISK'
        WHEN JSON_EXTRACT(ca.EventData, '$.weak_ciphers') > 0 THEN 'MEDIUM_RISK'
        ELSE 'LOW_RISK'
    END as risk_level
FROM Device d
LEFT JOIN CustomAnalytics ca ON d.DeviceId = ca.DeviceId  
WHERE 
    ca.EventType = 'TYCHON_SCAN_COMPLETED'
    AND ca.Timestamp >= DATEADD(day, -1, GETDATE())
ORDER BY weak_cipher_count DESC

API Integration

Workspace ONE REST API

Programmatic management of TYCHON deployment and compliance monitoring

Device Query and Scan Triggering

#!/usr/bin/env python3
# Workspace ONE API integration for TYCHON management

import requests
import json
import base64
from datetime import datetime, timedelta

class WorkspaceOneAPI:
    def __init__(self, base_url, api_key, username, password, tenant_code):
        self.base_url = base_url
        self.api_key = api_key
        self.tenant_code = tenant_code
        self.auth = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {
            "Authorization": f"Basic {self.auth}",
            "aw-tenant-code": tenant_code,
            "Accept": "application/json",
            "Content-Type": "application/json"
        }

    def get_non_compliant_devices(self):
        """Get devices that need TYCHON scanning"""
        url = f"{self.base_url}/api/mdm/devices/compliance"
        params = {
            "compliancestatus": "NonCompliant",
            "searchby": "DeviceFriendlyName", 
            "search": "TYCHON"
        }
        
        response = requests.get(url, headers=self.headers, params=params)
        return response.json()

    def trigger_tychon_scan(self, device_id):
        """Trigger TYCHON scan on specific device"""
        url = f"{self.base_url}/api/mdm/devices/{device_id}/commands"
        
        command = {
            "Command": "InstallApplication",
            "ApplicationId": "tychon-scanner",
            "CommandXml": '''
                
                    RequestType
                    InstallApplication
                    ApplicationId
                    tychon-scanner
                    ManagementFlags
                    1
                
            '''
        }
        
        response = requests.post(url, headers=self.headers, data=json.dumps(command))
        return response.json()

    def bulk_scan_non_compliant(self):
        """Trigger scans on all non-compliant devices"""
        devices = self.get_non_compliant_devices()
        results = []
        
        for device in devices.get('Devices', []):
            result = self.trigger_tychon_scan(device['Id']['Value'])
            results.append({
                'device_name': device['DeviceFriendlyName'],
                'device_id': device['Id']['Value'],
                'command_uuid': result.get('CommandUuid')
            })
            
        return results

# Usage example
if __name__ == "__main__":
    api = WorkspaceOneAPI(
        base_url="https://as###.awmdm.com",
        api_key="your-api-key",
        username="admin@company.com", 
        password="your-password",
        tenant_code="your-tenant-code"
    )
    
    # Trigger scans on non-compliant devices
    results = api.bulk_scan_non_compliant()
    print(f"Triggered TYCHON scans on {len(results)} devices")

Carbon Black Cloud Integration

Integrate TYCHON results with VMware Carbon Black for advanced threat hunting

Custom Detection Rules

# Carbon Black Custom Detection Rule
title: "TYCHON Weak Cipher Detection"
description: "Alert when TYCHON detects weak cipher suites"
severity: 6

detection:
  selection:
    event_type: "childproc"
    process_name: "certscanner*.exe"
    cmdline_contains:
      - "-outputformat"
      - "-cipherscan"
  
  condition: selection

false_positives:
  - "Administrative scanning activities"
  - "Scheduled compliance scans"

fields:
  - "device_name"
  - "device_os" 
  - "process_cmdline"
  - "process_username"

tags:
  - "tychon"
  - "crypto_compliance"
  - "certificate_management"

Best Practices

Device Management

  • • Smart Groups: Target deployment based on device role and security clearance
  • • Staged Rollouts: Deploy to pilot groups before enterprise-wide deployment
  • • Compliance Monitoring: Regular compliance policy evaluation and remediation
  • • Self-Service: Allow users to run ad-hoc security scans via Hub
  • • Offline Support: Cache scan results for devices without connectivity

Security Integration

  • • Zero Trust: Integrate with Workspace ONE Access for conditional access
  • • Threat Intelligence: Combine TYCHON results with Carbon Black telemetry
  • • Identity Management: Role-based scanner permissions and access control
  • • Incident Response: Automated remediation workflows for crypto violations
  • • Audit Trails: Complete logging of all scanner deployments and executions

Enterprise Scale

  • • Global Deployment: Multi-site deployment with regional scanning policies
  • • Bandwidth Management: Schedule scans during maintenance windows
  • • Resource Optimization: Device resource limits and scan prioritization
  • • Reporting: Executive dashboards with crypto compliance metrics
  • • Integration: Connect with ITSM tools for automated ticket creation

Mobile Device Support

  • • iOS Certificates: Monitor certificate stores and VPN profiles
  • • Android Security: Scan installed certificates and crypto libraries
  • • BYOD Compliance: Crypto security for personal devices
  • • MDM Integration: Leverage device management for scanner deployment
  • • App Wrapping: Deploy TYCHON as wrapped managed application

Step-by-Step Deployment

1

Package TYCHON Application

Create MSI/PKG packages for Workspace ONE distribution

# Create Windows MSI package
# Use Advanced Installer or similar tool to create MSI
# Include certscanner.exe, configuration files, and install scripts
2

Upload to Workspace ONE

Add application to Workspace ONE UEM console

# Navigate to Apps & Books → Applications → Native → Internal
# Upload MSI/PKG package and configure metadata
# Set installation and detection rules
3

Create Smart Groups

Define target device groups for deployment

# Groups & Settings → Groups → Assignment Groups → Add Group
# Create groups: "Security Team", "Compliance Officers", "IT Operations"
# Define criteria: Platform, User Group, Device Model, etc.
4

Configure Compliance Policies

Set up compliance rules based on TYCHON scan results

# Device → Compliance Policies → Add Policy
# Configure certificate compliance rules and remediation actions
# Set enforcement periods and notification preferences
5

Deploy and Monitor

Deploy application and monitor compliance across device fleet

# Apps & Books → Applications → Assign to smart groups
# Monitor deployment status in Reports & Analytics
# Review compliance dashboards in Workspace ONE Intelligence
6

Optimize and Scale

Fine-tune deployment and scaling for enterprise needs

# Configure automated workflows in Workspace ONE Intelligence
# Set up integration with ITSM tools for automated remediation
# Scale deployment policies across multiple organization groups