On-premises customers must install a Secure Channel Certificate to establish security between the AWCM and the following components: Workspace ONE UEM console, Device Services, API, and the Self-Service Portal.

This step is applicable to on-premises deployments. If you have not already installed a Secure Channel Certificate, then follow the steps below to do so, which walk you through installing a Secure Channel Certificate on a local AWCM server.
Important: Perform the following steps on the server running AWCM. If your AWCM server does not have access to the console server, then you can download the installer file from another server (for example, the console server) and copy it to the AWCM server. If the download fails on the server running AWCM, then contact Workspace ONE Support for potential workarounds.


  1. Navigate to Groups & Settings > All Settings > System > Advanced > Secure Channel Certificate.
  2. Select Download AWCM Secure Channel Installer within the AirWatch Cloud Messaging section to begin the installation of the Secure Channel Certificate install script.
    The Secure Channel Installer for Linux is only used for the Cloud Notification Service. AWCM is only supported on Windows servers.
  3. Copy the Secure Channel Certificate install script to your local AWCM server and right-click to Run as Administrator to execute and install.
  4. Enter or select Browse to find the Truststore path and select OK.
  5. Select OK when a Message dialog box appears informing you that the Certificate was added to keystore.
  6. Proceed with the steps for Establishing Communications with AWCM.
  7. Proceed with the installation steps for VMware AirWatch Cloud Connector, available at docs.vmware.com.

What to do next

If you make any changes to the Secure Channel Certificate in the AWCM keystore after you have downloaded and installed VMware Tunnel or VMware AirWatch Cloud Connector, then you will need to uninstall, delete all folders, re-download and re-install it.