To allow iOS devices to connect to the Workspace ONE Access Identity Provider, first configure the single sign-on profile for iOS devices then assign the profile to a smart group. This profile contains the information necessary for the device to connect to the identity provider and the certificate that the device used to authenticate.

Prerequisites

  • Mobile SSO for iOS is configured in Workspace ONE Access.
  • Mobile iOS authentication configured in the Workspace ONE Access default access policy.
  • iOS Kerberos certificate authority file saved to a computer that can be accessed from the Workspace ONE UEM admin console.
  • Your Certificate Authority and Certificate Template is properly configured in Workspace ONE UEM.
  • List of URLs and application bundle IDs that use Mobile SSO for iOS authentication on iOS devices.

Procedure

  1. In the Workspace ONE UEM console, navigate to Devices >Profiles & Resources > Profiles .
  2. Select Add > Add Profile and select Apple iOS.
  3. Enter the name as iOSKerberos and configure the General settings.
  4. In the left navigation pane, select Credentials > Configure to configure the credential.
    Option Description
    Credential Source Select Defined Certificate Authority from the drop-down menu.
    Certificate Authority Select the certificate authority from the list in the drop-down menu.
    Certificate Template Select the request template that references the certificate authority from the drop-down menu. This is the certificate template created in Adding the Certificate Template in Workspace ONE UEM.
  5. Click + in the lower right corner of the page again and create a second credential.
  6. In the Credential Source drop-down menu, select Upload.
  7. Enter a credential name.
  8. Click Upload to upload the KDC server root certificate that is downloaded from the Integrations > Identity Providers > Built-in IDP page.
  9. In the left navigation pane, select Single Sign-On and click Configure.
  10. Enter the connection information.
    Option Description
    Account Name Enter Kerberos.
    Kerberos Principal Name Click + and select {EnrollmentUser}.

    If your Active Directory includes employee user names that are configured with the same value for FirstName and LastName, create a custom attribute in the Workspace ONE UEM console Lookup Fields page. See Create Custom Lookup Value for iOS Mobile SSO Kerberos Principal Name.

    Realm

    For tenant deployments in the cloud, enter the Workspace ONE Access realm name for your tenant. Make sure that you enter the realm name in the same case as the realm name for your tenant.

    Note: Kerberos realm names are case sensitive. The recommend format is to create realm names in all upper case. Realm names that differ in the case are not equivalent. For example, WORKSPACEONEACCESS.COM is not the same realm name as workspaceoneaccess.com.

    For on premises deployments, enter the realm name you used when you initialized KDC in the Workspace ONE Access appliance. For example, EXAMPLE.COM

    Renewal Certificate Select Certificate #1 from the drop-down menu. This is the Active Directory CA cert that was configured first under credentials.
    URL Prefixes Enter the URL prefixes that must match to use this account for Kerberos authentication over HTTP.

    For tenant deployments in the cloud, enter the Workspace ONE Access server URL as https://<tenant>.workspaceoneaccess.<region>.

    For on premises deployments, enter the Workspace ONE Access server URL as https://myco.example.com.

    Application Bundle ID Enter the list of application identities that are allowed to use this sign-on. To perform single sign-on using iOS built-in Safari browser, enter the first application bundle ID as com.apple.mobilesafari. Continue to enter application bundle IDs. The applications listed must support SAML authentication.
  11. Click Save & Publish.

What to do next

Assign the device profile to a smart group. Smart groups are customizable groups that determine which platforms, devices, and users receive an assigned application, book, compliance policy, device profile, or provision. See Assign a Workspace ONE UEM Device Profile to Smart Groups.