Enable single sign-on for corporate apps to allow seamless access without requiring users to authenticate to each app. Push this profile to authenticate end users through Kerberos authentication instead of storing passwords on devices. For more information on single sign-on settings, refer to the VMware Workspace ONE UEM Mobile Application Management Guide.


  1. Navigate to Resources > Profiles & Baselines > Profiles > Add and select Apple iOS.
  2. Configure the profile's General settings.
  3. Select the Single Sign On payload.
  4. Enter Connection Info:
    | Setting | Description |
    |---|---|
    | Account Name | Enter the name that appears on the device. |
    | Kerberos Principal Name | Enter the Kerberos principal name. |
    | Realm | Enter the Kerberos domain realm. This parameter must be fully capitalized. |
    | Renewal Certificate | On iOS 8+ devices, select the certificate used to reauthenticate the user automatically without any need for user interaction when the user's single sign-on session expires. Configure a renewal certificate (for example: .pfx) using a credentials or SCEP payload. |
  5. Enter the URL Prefixes that must be matched to use this account for Kerberos authentication over HTTP. For example: http://sharepoint.acme.com/. If left empty, the account is eligible to match all HTTP and HTTPS URLs.
  6. Enter the Application Bundle ID or select one from the drop-down menu. The bundle ID appears in this drop-down menu after the application has been uploaded to the UEM console. For example: com.air-watch.secure.browser. The applications specified must support Kerberos authentication.
  7. Select Save & Publish.
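
A check for the settings entered in steps 4 to 6, as an added example that is not part of the original guide or VMware's tooling: it lints a configuration profile before it is published. The key names are those of Apple's `com.apple.sso` payload; that the console fields map onto them is an assumption, and the sample profile is constructed for illustration.

```python
import plistlib

# Constructed sample profile (not exported from a real console). Key names follow
# Apple's com.apple.sso payload; mapping console fields to them is an assumption.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.sso</string>
    <key>Name</key><string>Corp SSO</string>
    <key>Kerberos</key><dict>
      <key>PrincipalName</key><string>jdoe</string>
      <key>Realm</key><string>acme.com</string>
      <key>URLPrefixMatches</key><array>
        <string>http://sharepoint.acme.com/</string>
      </array>
      <key>AppIdentifierMatches</key><array>
        <string>com.air-watch.secure.browser</string>
      </array>
    </dict>
  </dict></array>
</dict></plist>"""


def lint_sso_profile(profile_bytes):
    """Return a list of findings for every com.apple.sso payload in the profile."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.sso":
            continue
        krb = payload.get("Kerberos", {})
        realm = krb.get("Realm", "")
        if not realm or realm != realm.upper():  # realm must be fully capitalized
            findings.append(f"realm-not-uppercase: {realm!r}")
        prefixes = krb.get("URLPrefixMatches", [])
        if not prefixes:  # an empty list makes the account eligible for every URL
            findings.append("url-prefixes-empty: account matches all HTTP and HTTPS URLs")
        for url in prefixes:
            if not url.startswith(("http://", "https://")):
                findings.append(f"url-prefix-bad-scheme: {url!r}")
            elif url.startswith("http://"):
                findings.append(f"url-prefix-cleartext-http: {url!r}")
        if not krb.get("AppIdentifierMatches"):
            findings.append("bundle-ids-empty: no Application Bundle ID listed")
        if "PayloadCertificateUUID" not in krb:
            findings.append("no-renewal-certificate: session expiry needs user interaction")
    return findings
```

Calling `lint_sso_profile(SAMPLE_PROFILE)` on the constructed sample reports the lowercase realm, the `http://` prefix, and the missing renewal certificate.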


In the example of a Web browser, when end users navigate to a Web site specified in the payload, they are prompted to enter the password of their domain account. Afterward, they do not have to enter credentials again to access any of the Web sites specified in the payload.

  • To use Kerberos authentication, devices must be connected to the corporate network (using either corporate Wi-Fi or VPN).
  • The DNS server must have a record of the Kerberos services (KDC server).
  • Both the application on the mobile device and the Web site must support Kerberos/Negotiate authentication.