You add the AirWatch Provisioning app to the catalog in the Workspace ONE Access console and assign users to the app. When users are assigned to the app, they are provisioned in Workspace ONE UEM and can access the service.


Make sure that SAML authentication is enabled in the Workspace ONE UEM console in the Accounts > Administrators > Administrator Settings > Directory Services section.

An identity provider must be configured as the SAML provider before you configure the AirWatch Provisioning app. If you want to useWorkspace ONE Access as the SAML provider, follow the instructions in the Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications guide.


  1. Log in to the Workspace ONE Accessconsole.
  2. Select the Catalog > Web Apps tab.

    To add an app to the catalog, select the Catalog > Web Apps tab.
  3. Click New.
    The New SaaS Application wizard appears.
  4. Enter AirWatch Provisioning in the Search text box or click or browse from catalog, and select AirWatch Provisioning from the results.
  5. To proceed, click Next.
  6. On the Single Sign-On page, configure settings as required by your organization.
    Some settings are populated with default values relevant to the AirWatch Provisioning app. To learn more about a setting, click the information icon next to the setting.
    Note: For any setting not listed in the following table, accept the default value.
    Setting Description
    Authentication Type Populated with the SAML profile.
    Configuration Select Manual.
    Single Sign-On URL This field is not used for AirWatch provisioning, but cannot be empty. An empty field generates a validation error. You can leave the default address.
    Recipient URL This field is not used for AirWatch provisioning, but cannot be empty. An empty field generates a validation error. You can leave the default address.
  7. Click Next. Keep the default_access_policy_set.
  8. Click Save.
    The app is added to the catalog. Now you can enable provisioning.
  9. Select the AirWatch Provisioning app from the catalog list and click Edit > Configuration.
  10. Click Advanced Properties and scroll to Setup Provisioning.
  11. Click the radio button to change No to Yes.
  12. Select Provisioning and enter the following information.
    • AirWatch host. URL of your Workspace ONE UEM REST API (usually as
    • Admin user name
    • Admin password
      Note: Provide a Workspace ONE UEM admin account where the role is configured as Console administrator.
      Important: By default, the password of this administrator is changed every 30 days from the Workspace ONE UEM console. Make sure that you update the password in the AirWatch Provisioning app settings.
    • AirWatch API Key.
      Note: If you do not have an API key, in the UEM console, go to Groups & Settings > All Settings > System > Advanced > API > REST API. Click Override and select Add. Provide a service name and the account type of Admin. Copy the API key to enter on this page.
    • AirWatch Group ID. Enter your top-level OG group ID.
  13. Click Test Connection to validate connectivity. Click Next.
  14. In the User Provisioning page, verify that the attributes with which to provision users in Workspace ONE UEM are listed. Attribute names with an asterisk are required for provisioning. Click Next.
    If you are using JIT, make sure that the SAML assertion includes the User Name attribute. Also make sure that the keys in the SAML assertion match the attribute names exactly, including the case.
  15. In the Group Provisioning page, add the groups that you want to provision in Workspace ONE UEM. These user groups are automatically created in Workspace ONE UEM.
  16. Click Next and on the Summary page, click Save.