These testing and troubleshooting techniques are for SaaS, rather than on-premises deployments.

Verify Ability to Perform Certificate Authentication without AirWatch

Remove AirWatch from the configuration and manually configure a device to connect to your network server using certificate authentication. This should work outside of AirWatch and until this works properly, AirWatch will not be able to configure a device to connect with a certificate.

Verify Ability to Perform Certificate Authentication with AirWatch

You can confirm that the certificate is usable by pushing a profile to the device and testing whether or not the device is able to connect and sync to the configured EAS, VPN, or Wi-Fi access-point. If the device is not connecting and shows a message that the certificate cannot be authenticated or the account cannot connect then there is a problem in the configuration. Below are some helpful troubleshooting checks.

If SSL TLS errors are received while creating a template

This error can occur when you attempt to...

  • Create an AirWatch certificate template by selecting the Retrieve Profiles button,
  • Retrieve a certificate from the AirWatch console from the GlobalSign certificate authority.

The troubleshooting technique that usually resolves this problem is to...

  • Add the required server certificate chain in the console servers trusted root key store.

If the AirWatch Certificate Profile fails to install on the device

  • Inform AirWatch Professional Services of the error and request they...
    • Turn On Verbose Mode to capture additional data,
    • Retrieve web console log.
  • AirWatch analyzes the log and works with customer to resolve the problem.

If the certificate is not populated in the View XML option of the profile

  • Confirm that lookup values configured on the GlobalSign certificate profile match the look up values in the AirWatch console’s Request Template.
  • Confirm that lookup values in AirWatch Request Template are actually populated in the user information being pulled from AD.
  • Confirm you are pointing to the right profile in GlobalSign.