The SSL Pinning settings page is where you can add domains of AirWatch Device Services and auxiliary components, which can help prevent man-in-the-middle (MITM) attacks by enabling an additional layer of trust between the listed hosts and devices. The certificates and domains you add here serve as a trusted form of validation that functions in addition to the standard certificate check a device performs against an AirWatch component server. When devices establish sessions with your AirWatch component servers, they also check the certificate against this stored certificate to guard against MITM attacks.

When you first navigate to this page, the Device Services site URL displays. However, no certificate data is present until you upload a certificate.

Important:

The SSL pinning feature is only functional if it is used in conjunction with an AirWatch application that supports certificate pinning.

Setting Description

On/Off

Enable or disable pinning using this switch. Turning pinning from on to off terminates all pinning at the current organization group and all the child organization groups underneath it.

Upload (under Device Services)

Select this button in the Device Services section of the page to add the Hostname and upload the certificate used for validation. If you have load-balanced Device Services servers, you also need to upload the certificates for each server. This button is not shown if a Device Services certificate is already populated.

Sync

After uploading your Device Services certificate, you need to select Sync to initiate pinning. Afterward, the sync status turns green to indicate pinning was successful, and the page should display your synced pin list.

Add Host (under auxiliary)

Select to add auxiliary components other than Device Services that you also want to enable pinning for. On the Add Pinned Host dialog, enter the following:

  • Host – Enter the fully qualified domain name of the host.
  • Required – Select to require the certificate pin to be pinned at all child organization groups and prevent it from being disabled or modified by child organization group administrators.

Upload (under auxiliary)

Select to upload the certificate used for validation for each of your auxiliary components.
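
The check described at the top of this page, where a device compares the server's certificate against a stored certificate in addition to the standard certificate check, can be sketched as follows. This is an added example, not AirWatch code: the PinStore class, the SHA-256 fingerprint comparison, the hostnames and the certificate bytes are all assumptions made for illustration.

```python
import hashlib
import hmac

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()

def normalize(host: str) -> str:
    """Hostnames are case-insensitive; drop a trailing root dot."""
    return host.strip().lower().rstrip(".")

class PinStore:
    """Hypothetical synced pin list: hostname -> set of pinned fingerprints."""
    def __init__(self):
        self._pins = {}

    def add(self, host: str, der_cert: bytes) -> None:
        # One host may carry several pins, e.g. one per load-balanced server.
        self._pins.setdefault(normalize(host), set()).add(fingerprint(der_cert))

    def check(self, host: str, der_cert: bytes, chain_ok: bool):
        """Return (accepted, reason). chain_ok is the outcome of the standard
        certificate check; the pin is an extra test, never a replacement."""
        if not chain_ok:
            return False, "standard validation failed"
        pins = self._pins.get(normalize(host))
        if pins is None:
            return True, "host not pinned"
        presented = fingerprint(der_cert)
        matched = False
        for pin in pins:  # visit every pin; each comparison is constant-time
            matched |= hmac.compare_digest(pin, presented)
        return (True, "pin matched") if matched else (False, "pin mismatch")

# Constructed stand-ins for DER certificates (not real certificates). In a real
# client the bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
DS_NODE_A = b"constructed-cert-ds-node-a"
DS_NODE_B = b"constructed-cert-ds-node-b"
INTERCEPTOR = b"constructed-cert-from-another-trusted-ca"

def demo():
    store = PinStore()
    store.add("ds.example.com", DS_NODE_A)  # first load-balanced server
    store.add("ds.example.com", DS_NODE_B)  # second load-balanced server
    return [
        store.check("DS.example.com.", DS_NODE_B, True),     # pinned server
        store.check("ds.example.com", INTERCEPTOR, True),    # valid chain, wrong cert
        store.check("ds.example.com", DS_NODE_A, False),     # standard check failed
        store.check("other.example.com", INTERCEPTOR, True), # host has no pins
    ]
```

The second case is the one pinning exists for: the presented certificate passes the standard check but is not one of the stored certificates, so the session is refused.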