In Workspace ONE Access, the External Access Token authentication method is unique to the Workspace ONE UEM integration and is required for both single sign-on (SSO) and triggering the out-of-box experience (OOBE) in Workspace ONE on Windows 10 devices.


When using External Access Token authentication, the AirWatch Cloud Connector component must be deployed and configured.

  • External Access Token Authentication enabled on the AirWatch page in the Identity & Access Management tab.
  • AirWatch Provisioning Service for Windows 10 devices configured.

The configuration of External Access Token is read-only and is based on the Workspace ONE UEM (AirWatch) configuration in Workspace ONE Access. The exception is the token lifetime field.


  1. In the Workspace ONE Access console Identity & Access Management tab, select Authentication Methods.
  2. In the AirWatch External Access Token Configure column, click the pencil icon.
  3. Review the configuration.
    Option: Description
    • Enable AirWatch External Access Token: This check box is enabled on the AirWatch page.
    • AirWatch Admin Console URL: Pre-populated with the AirWatch URL.
    • AirWatch API Key: Pre-populated with the AirWatch Admin API key.
    • Certificate Used for Authentication: Pre-populated with the AirWatch Cloud Connector certificate.
    • Password for Certificate: Pre-populated with the password for the AirWatch Cloud Connector certificate.
    • AirWatch External Access Token Lifetime in Seconds: The access token is used to validate the authentication with Workspace ONE Access. Access tokens have a limited lifetime. The time configured is the maximum time that the access token is valid. The token lifetime is editable and defaults to 600 seconds, which is 10 minutes. If the access token expires, users are prompted to authenticate again in the Workspace ONE application.

  4. Click Save.

What to do next

Associate the AirWatch External Access Token authentication method in the built-in identity provider. See Configure a Built-in Identity Provider in Workspace ONE Access.

After the AirWatch External Access Token is associated with the built-in identity provider, create an access policy rule to use this authentication method. See Create Access Policy in Workspace ONE Access for Workspace ONE Out-of-Box Experience Process.