To ensure security, obtain an SSL certificate issued by a trusted Certificate Authority (CA). If you still want to use a self-signed SSL certificate, you must establish trust between your Assist agent and the self-signed SSL certificate.

Note: For Android (Legacy) devices, self-signed certificates are only supported on Android 6.0 and earlier. The root and intermediate certificates/public key pair must be installed on the mobile devices you intend to remote into.

To establish trust for the self-signed SSL certificate, you must perform the following tasks:
  1. Generate the hash key from the RM console.
  2. Update the self-signed certificate key value in the RM console.
  3. Publish the SSL configuration to the devices from the Workspace ONE UEM console.

Generate hash key from the RM console

To support the self-signed SSL certificate, two key-value parameters must be passed to the Assist agent. To do this, you must generate the hash key using the self-signed SSL root and intermediate certificate.

  1. Open your browser and log into the AdminWebPortal using your credentials.
  2. Click ADMIN from the top menu and then select Client Configuration.
  3. From the Client Configuration drop-down menu, select EMM AppConfig Assistant.
  4. For the Base64 ssl certificate public key, click Choose file and browse to the location where the Root.crt file is stored.
    1. Select the Root.crt file and click Open.
    2. Click Generate Hash on the RM console.
  5. Click Choose file again and browse to the location where the Intermediate.crt file is stored.
    1. Select the Intermediate.crt file and click Open.
    2. Click Generate Hash on the RM console.
  6. Click Choose file again and browse to the location where the End User Certificate (com.crt) is stored.
    1. Select the End User Certificate file and click Open.
    2. Click Generate Hash on the RM console.
  7. Copy the generated hash key. This key is used as the input for the application configuration that is pushed from the Workspace ONE UEM console to the device while enrolling the device to the Assist server.

Update the Self-Signed certificate value in the RM console

After you generate the hash key, you must update the key value to True for the self-signed certificate in the RM console. This update enables trust in the self-signed certificate.
  1. For the Trust self signed certificate, click the Edit icon.
  2. Change the key value from False to True and then click the Update icon.

Publish the SSL configuration from the Workspace ONE UEM console

To ensure the devices have the root and intermediate certificates, you must publish the SSL configuration to the devices from the Workspace ONE UEM console.
  1. Open the browser and log into the Workspace ONE UEM console.
  2. Navigate to Devices > Profiles & Resources > Profiles and select Add.
  3. Select Add Profile and then select Android.
  4. Configure the General settings. Enter the name and the groups to which the profile must be pushed.
  5. Select the Custom Settings payload and then select Configure.
  6. Enter the SSL configuration details in the custom settings field. The hash key that you generated previously from the RM console must be added as a parameter value to the configuration details.

    <characteristic type="com.airwatch.android.androidwork.app:com.airwatch.rm.agent" uuid="c5f7a5a7-7fe5-4053-b736-f0023717e1eb" target="1">
      <parm name="device.security.ssl.b64pubkeys" value="{ENTER SSL HASH HERE}" type="string" />
      <parm name="device.security.ssl.pinselfsignedcert" value="true" type="boolean" />
    </characteristic>

  7. Select Select & Publish. The configuration details are pushed to all the devices enrolled to the Organization Group (OG).
Note:
  • The same configuration can also be done through the Profiles tab listed under Staging & Provisioning.
  • After the configuration is pushed to the device, check the troubleshooting logs for successful initiation of remote management.

    If remote management is not initiated, re-save the agent settings, or uninstall and reinstall the Assist agent, and then check the troubleshooting logs again.

  • This configuration works only with Intelligent Hub 19.03 or later. The parsing error seen in earlier versions of the Hub has been fixed in version 19.03.
  • The app configuration is currently supported for Android Enterprise enrolled devices.
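
The custom settings XML from step 6 can be checked before you publish it. The following is an added example, not part of the original documentation or the product: a small Python linter that builds the payload with the hash key safely escaped and flags the usual mistakes, such as a placeholder that was never replaced. The function names are hypothetical, and treating whitespace around the hash key as a copy-paste error is an assumption.

```python
import xml.etree.ElementTree as ET

# Values copied from the custom settings XML on this page.
CHARACTERISTIC_TYPE = "com.airwatch.android.androidwork.app:com.airwatch.rm.agent"
CHARACTERISTIC_UUID = "c5f7a5a7-7fe5-4053-b736-f0023717e1eb"
PLACEHOLDER = "{ENTER SSL HASH HERE}"
KEY_PARM = "device.security.ssl.b64pubkeys"
PIN_PARM = "device.security.ssl.pinselfsignedcert"
EXPECTED_TYPES = {KEY_PARM: "string", PIN_PARM: "boolean"}


def build_payload(hash_key):
    """Return the custom settings XML with hash_key inserted and XML-escaped."""
    root = ET.Element("characteristic", type=CHARACTERISTIC_TYPE,
                      uuid=CHARACTERISTIC_UUID, target="1")
    ET.SubElement(root, "parm", name=KEY_PARM, value=hash_key, type="string")
    ET.SubElement(root, "parm", name=PIN_PARM, value="true", type="boolean")
    return ET.tostring(root, encoding="unicode")


def lint_payload(xml_text):
    """Return a list of problems found in a custom settings payload."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "characteristic" or root.get("type") != CHARACTERISTIC_TYPE:
        problems.append("characteristic type does not target the Assist agent")
    parms = {p.get("name"): p for p in root.findall("parm")}
    for name, ptype in EXPECTED_TYPES.items():
        parm = parms.get(name)
        if parm is None:
            problems.append(f"missing parm {name}")
        elif parm.get("type") != ptype:
            problems.append(f"{name} should have type={ptype}")
    key = parms.get(KEY_PARM)
    if key is not None:
        value = key.get("value") or ""
        if not value or PLACEHOLDER in value:
            problems.append("hash key is empty or still the placeholder")
        # Assumption: surrounding whitespace comes from copy-paste, not the key.
        elif value != value.strip():
            problems.append("hash key has leading or trailing whitespace")
    pin = parms.get(PIN_PARM)
    if pin is not None and pin.get("value") != "true":
        problems.append("pinselfsignedcert is not set to true")
    return problems
```

An empty list from `lint_payload` means the payload is well formed and carries both parameters; it does not confirm that the hash key matches the certificates uploaded to the RM console.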