Create and deploy the Apple iOS device profile in AirWatch to push the Identity Provider settings to the device. This profile contains the information necessary for the device to connect to the VMware Identity Provider and the certificate that the device used to authenticate. Enable single sign-on to allow seamless access without requiring authentication into each app.


  • Mobile SSO for iOS is configured in VMware Identity Manager.

  • iOS Kerberos certificate authority file saved to a computer that can be accessed from the AirWatch admin console.

  • Your Certificate Authority and Certificate Template is properly configured in AirWatch.

  • List of URLs and application bundle IDs that use Mobile SSO for iOS authentication on iOS devices.


  1. In the AirWatch admin console, navigate to Devices >Profiles & Resources > Profiles .
  2. Select Add > Add Profileand select Apple iOS.
  3. Enter the name as iOSKerberos and configure the General settings.
  4. In the left navigation pane, select Credentials > Configure to configure the credential.



    Credential Source

    Select Defined Certificate Authority from the drop-down menu.

    Certificate Authority

    Select the certificate authority from the list in the drop-down menu.

    Certificate Template

    Select the request template that references the certificate authority from the drop-down menu. This is the certificate template created in Adding the Certificate Template in AirWatch.

  5. Click + in the lower right corner of the page again and create a second credential.
  6. In the Credential Source drop-down menu, select Upload.
  7. Enter a credential name.
  8. Click Upload to upload the KDC server root certificate that is downloaded from the Identity & Access Management > Manage > Identity Providers > Built-in Identity provider page.
  9. In the left navigation pane, select Single Sign-On and click Configure.
  10. Enter the connection information.



    Account Name

    Enter Kerberos.

    Kerberos Principal Name

    Click + and select {EnrollmentUser}.


    Enter the realm name you used when you initialized KDC in the VMware Identity Manager appliance. For example, EXAMPLE.COM

    Renewal Certificate

    Select Certificate #1 from the drop-down menu. This is the Active Directory CA cert that was configured first under credentials.

    URL Prefixes

    Enter the URL prefixes that must match to use this account for Kerberos authentication over HTTP.

    Enter the VMware Identity Manager server URL as


    Enter the list of application identities that are allowed to use this sign-on. To perform single sign-on using iOS built-in Safari browser, enter the first application bundle ID as Continue to enter application bundle IDs. The applications listed must support SAML authentication

  11. Click Save & Publish.


When the iOS profile is successfully pushed to users's devices, users can sign in to VMware Identity Manager using the Mobile SSO for iOS authentication method without entering their credentials.

What to do next

Create another profile to configure any other desired features, for example, Web Clips to create icons for Web Apps that you push from AirWatch to iOS device home pages or the app catalog.