The two main components of Workspace ONE UEM are the Device Services server and the Console server. In the standard deployment model, these components are installed on separate servers, and only the Device Services component requires an external DNS record, while the Console component can remain only internally available.
An externally registered DNS record is a friendly name that refers to the IP to tell external devices how to connect to Workspace ONE UEM (the Device Services server). This externally available URL must be set up with a trusted SSL certificate trusted by all device types. For Apple, you can see a list of root certificates natively trusted by iOS On the Apple Support webpage. For other OEMs, check with the OEM to see which third-party certificate authorities are natively trusted. You can also typically retrieve this information from the device by looking for the Trusted Root CAs under Settings.
A wildcard or individual website certificate is required.
Ensure that these steps are performed on both the Workspace ONE UEM console and Device Services servers.
Obtain SSL certificates for each of your external DNS entries. A list of root certificates natively trusted by iOS can be found here: http://support.apple.com/kb/HT5012
- On the Workspace ONE UEM console and Device Services Servers, open MMC:
- Start > Run
- Select OK
- In MMC, navigate to File > Add/Remove Snap-in …
- Select Certificates from the list of add-ins and select Add.
- Choose Computer account and select Next.
Keep Local computer selected and select Finish and OK.
- Expand the Certificates folder and right-click Personal.
- Select All Tasks and choose Import.
- In the Certificate Import Wizard, select Next and perform the following steps:
Click Browse and navigate to the Cert folder, which was staged earlier, and change the file type drop-down to All Files.
If the drop-down is not changed to All Files, the certificate cannot be selected for import.
Select the appropriate certificate and select Open.
In a standard, multi-server installation, this certificate is the external third-party certificate for the DS server and for the Console it can be a self-signed or internally issued certificate.
This certificate must be a PFX file.
- Click Next, and complete the following settings:
- Password: Your certificate password
Enable Mark this key as Exportable
(This setting is optional and allows you to export the certificate from this server to use it on another server.)
- Enable Include all extended properties
- Click Next and select Finish.
- Select OK to close the “The import was successful” pop-up.
- Expand the Personal folder to show the Certificates folder.
- Drag the Root CA Certificate into the Trusted Root Certification Authorities folder. Navigate to Trusted Root Certification Authorities > Certificates and verify that the move was successful.
- Navigate back to Personal > Certificates, and drag the Intermediate CA Certificate into the Intermediate Certification Authorities folder. Navigate to Intermediate Certification Authorities > Certificates and verify that the move was successful.
- To close MMC, select File > Exit . Select No to save changes.
- Open Server Manager, select Roles and expand: Web Server (IIS) > Information Services (IIS) Manager.
- In the right pane, under Connections, select the server.
Under the IIS section, double-click on Server Certificates and verify that the certificate is located in the certificate list. An example is shown.
Once uploaded on your server you can use it to add a 443 binding to the Default website in IIS. Your SSL certificate appears in the drop-down menu of available certificates.
Under Connections, expand Sites and select Default Website.
- Under Actions, to the far right side, under Edit Site, select Bindings and select Add…
- Configure the following settings:
- Type: https
- SSL certificate: Your certificate
Click OK and select to Close.
The IP address and Port are not altered. Do not populate the Hostname with an IP or DNS entry, since it affects the functionality of the SSL binding. A slight delay occurs when the certificate is bound to the website.
- Click OK and select to Close.
- Under Actions/Browse Website, verify Browse *.443 (https) is an available option.
Also verify that you have a private key that corresponds to your certificate.
Verify that the certificate contains the common name in the subject.
Verify that your DNS name is listed in the Subject Alternative Name.
Validate that you can connect to the server over HTTPS (https://[yourUEMDomain].com). At this point, the IIS splash page displays.
If SSL is used for UEM console access, ensure that FQDN is enabled.