These testing and troubleshooting techniques are for SaaS, rather than on-premises deployments.
Verify Ability to Perform Certificate Authentication without Workspace ONE UEM
Remove Workspace ONE UEM from the configuration and manually configure a device to connect to your network server using certificate authentication. This should work outside of Workspace ONE UEM and until this works properly, Workspace ONE UEM will not be able to configure a device to connect with a certificate.
Verify Ability to Perform Certificate Authentication with Workspace ONE UEM
You can confirm that the certificate is usable by pushing a profile to the device and testing whether or not the device is able to connect and sync to the configured EAS, VPN, or Wi-Fi access-point. If the device is not connecting and shows a message that the certificate cannot be authenticated or the account cannot connect then there is a problem in the configuration. Below are some helpful troubleshooting checks.
If SSL TLS errors are received while creating a template
This error can occur when you attempt to...
- Create a Workspace ONE UEM certificate template by selecting the Retrieve Profiles button,
- Retrieve a certificate from the Workspace ONE UEM console from the GlobalSign certificate authority.
The troubleshooting technique that usually resolves this problem is to...
- Add the required server certificate chain in the console servers trusted root key store.
If the Workspace ONE UEM Certificate Profile fails to install on the device
- Inform Workspace ONE UEM Professional Services of the error and request they:
- Turn On Verbose Mode to capture additional data,
- Retrieve the web console log.
- Workspace ONE UEM analyzes the log and works with customer to resolve the problem.
If the certificate is not populated in the View XML option of the profile
- Confirm that lookup values configured on the GlobalSign certificate profile match the look up values in the Workspace ONE UEM console Request Template.
- Confirm that lookup values in Workspace ONE UEM Request Template are actually populated in the user information being pulled from AD.
- Confirm you are pointing to the right profile in GlobalSign.