Workspace One UEM setup
Integrate UEM Console with VMware Identity Manager
This guide assumes the UEM Console integration with VMware Identity Manager has been completed.
Configure and deploy certificate through Workspace One UEM
Integrate UEM with your CA and certificate template, and make sure the template meets the guidelines below.
Steps:
Subject Name
- CN={DeviceUid}
Add SAN Type:
- Email Address : {EmailAddress}
- User Principal Name: {UserPrincipalName}
VMware Identity Manager setup
Configure “Certificate (Cloud Deployment)” as Authentication Method
Configure Certificate auth as the authentication method.
Steps:
In the VMware Identity Manager Console:
- Identity & Access Management > Authentication Methods > Certificate (Cloud Deployment).
- Enable Certificate Adapter.
- Upload the root and intermediate CA certificates; they must match the CA integration configured in Workspace One UEM.
- Set User Identifier Search Order: email | upn | subject.
- Tip: To find out which identifier to use, set the identifier search to each option individually, test authentication, and view what VMware Identity Manager pulls from the certificate in the Audit Report in the vIDM Console, under Dashboards > Reports.
- I recommend unchecking all the other boxes for troubleshooting purposes.
Enable Built-in Identity Provider to use Certificate (Cloud Deployment)
Steps:
In the VMware Identity Manager Console:
- Identity & Access Management > Identity Providers
- Open the “Built-In” provider.
- Enable “Certificate (Cloud Deployment)” as one of the authentication methods.
Set Policy Rule for Android to use Certificate & Device Compliance as authentication
Configure authentication policy for Android to Certificate (Cloud Deployment) & Device Compliance.
Steps:
In the VMware Identity Manager Console:
- Identity & Access Management > Policies > Create a New Policy.
- Set the policy to apply to the relevant application you are testing.
- Configure a Policy Rule for Android and set it to authenticate using:
- Certificate (Cloud Deployment), and
- Device Compliance (with AirWatch).
Troubleshooting
Validate correct certificate is on the device
Validate correct certificate is on the device.
The Subject Name of the certificate should be CN={DeviceUid}.
The SAN should match the Email or UPN in VMware Identity Manager, and should match the User Identifier Search Order set in the Authentication Method setup.
- Tip: iOS devices show the certificate's full SAN attributes. You can enroll an iOS device, receive the certificate from UEM, and validate that the SAN values are correct.
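If you have exported the device certificate, the following added example (not part of this guide, and not VMware or Workspace One UEM code) checks it offline: it reads the subject CN and the email and UPN SAN values, then reports which entry of a User Identifier Search Order (email | upn | subject) would be the first to find a value, which is what the Audit Report should show. It requires the cryptography package, uses Microsoft's well-known UPN otherName OID, and builds a constructed self-signed sample certificate in place of one issued through the UEM template.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft User Principal Name otherName

def decode_upn(der: bytes) -> str:
    """UPN otherName values are DER UTF8Strings: tag 0x0C, short-form length, content."""
    if len(der) < 2 or der[0] != 0x0C or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("UPN otherName is not a short-form DER UTF8String")
    return der[2:].decode("utf-8")

def certificate_identifiers(cert: x509.Certificate) -> dict:
    """Collect the values the adapter can match on: subject CN, SAN emails, SAN UPNs."""
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    ids = {"subject": [cn[0].value] if cn else [], "email": [], "upn": []}
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return ids  # no SAN at all: only the 'subject' search order entry can work
    ids["email"] = san.get_values_for_type(x509.RFC822Name)
    ids["upn"] = [decode_upn(o.value) for o in san.get_values_for_type(x509.OtherName)
                  if o.type_id == UPN_OID]
    return ids

def resolve_user(cert, search_order=("email", "upn", "subject")):
    """First identifier present in search order; compare with what the Audit Report shows."""
    ids = certificate_identifiers(cert)
    for key in search_order:
        if ids[key]:
            return key, ids[key][0]
    return None, None  # nothing usable: expect a failed LOGIN in Audit Events

def make_sample_cert(device_uid, email=None, upn=None):
    """Constructed self-signed stand-in for a certificate issued through the UEM template."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_uid)])  # CN={DeviceUid}
    san = [x509.RFC822Name(email)] if email else []
    if upn:
        raw = upn.encode("utf-8")
        san.append(x509.OtherName(UPN_OID, bytes([0x0C, len(raw)]) + raw))
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if san:
        builder = builder.add_extension(x509.SubjectAlternativeName(san), critical=False)
    return builder.sign(key, hashes.SHA256())
```

For a real device certificate, load it with x509.load_pem_x509_certificate and pass it to resolve_user with the search order you configured in the Authentication Method.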
Ensure correct Policy Rule is being activated
Check that other Policy Rules, including the default Policy, are not interfering with the authentication process.
You can edit the error messages that are shown.
For troubleshooting purposes, remove all other authentication methods from the policy so that you are only testing Certificate auth.
Set correct User Identifier Search Order (email | upn | subject)
To find out which identifier to use, set the identifier search to each option individually, test authentication, and view what VMware Identity Manager pulls from the certificate in the Audit Report in the vIDM Console, under Dashboards > Reports.
Review Audit Events
In VMware Identity Manager, under Dashboard > Reports > Audit Events > Show, you can view the recent authentication attempts. Look through the events for entries similar to:
- LOGIN_ERROR failed
- LOGIN (Certificate (Cloud Deployment))
- LOGIN (Certificate (Cloud Deployment), Device Compliance (with AirWatch))
- LOGIN failed
The details of each event show whether VMware Identity Manager was able to pull the user from the certificate, whether the correct policy rule was used, and whether the login failed or succeeded.