Workspace ONE UEM offers flexible PKI integration: it can request certificates from either internal or external certificate authorities (CA). Integrate with Symantec MPKI services to issue certificates for your Workspace ONE UEM MDM solution.

In order for Workspace ONE UEM to communicate with Symantec as a Registration Authority (RA), you must first establish an account with Symantec. After your Symantec account is active, you can generate an RA certificate and store it on the RA server.

Workspace ONE UEM can then be configured to use the certificate to communicate with the Symantec MPKI CA. Once communication is successfully established, you can define which certificate Workspace ONE UEM will deploy to the device.

Prerequisites

  • Symantec version 8.0 or later
  • A Symantec MPKI account
  • Workspace ONE UEM version 9.5 or later
  • When using the PKI protocol, verify the Symantec certificate profile(s) under Primary certificate options.

    Ensure Enrollment Method is set to PKI Web Services and Authentication method is set to 3rd party application. This gives Workspace ONE UEM the ability to deploy certificate profiles through APIs.

  • When using the SCEP protocol, verify that the Symantec certificate profile(s) under Primary certificate options have Authentication method set to Enrollment Code. This gives the SCEP server the ability to deploy certificate profiles through APIs.

Procedure

  1. In the Symantec PKI portal, generate a Registration Authority (RA) certificate. After Symantec creates the certificate, store it on the RA server, which can be any server you choose.
    1. Generate a new RSA key pair and a certificate signing request (CSR).

      Command: openssl req -new -newkey rsa:2048 -nodes -out AirWatch.csr -keyout AirWatch.key -subj "/C=US/ST=Georgia/L=Atlanta/O=R&D/OU=R&D/CN=AirWatch"

      The subject must be quoted so that the shell does not interpret the & in R&D.

    2. Log in to the Symantec PKI portal.
    3. Click Tasks (gear icon), then click Get a RA Certificate.
    4. Paste the CSR into the field, submit it, and download the new certificate.
    5. Convert the certificate from .p7b format to .pem.

      Command: openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

    6. Create a PKCS#12 (.pfx) file containing the private key and the .pem certificate. The export password you choose here is the one you enter later as the Certificate Password in Workspace ONE UEM.

      Command: openssl pkcs12 -export -out certificate.pfx -inkey AirWatch.key -in certificate.pem

  2. Configure the CA and the request template in Workspace ONE UEM.
    1. Configure the CA.
      1. Navigate to Devices > Certificates > Certificate Authorities > Certificate Authorities tab.
      2. Click Add and complete the menu items.
        Authority Type: Symantec.
        Server URL: Enter https://pki-ws.symauth.com/pki-ws. This gives Workspace ONE UEM sufficient access to request and issue certificates. The URL is the same for all customers.
        Protocol: Select either the PKI or the SCEP radio button.
        SCEP Endpoint URL (SCEP protocol only): Enter the URL of the SCEP endpoint in the data entry field that appears. This gives your SCEP server sufficient access to request and issue certificates.
        Certificate: Click Upload and select the RA certificate (PFX file) you generated earlier.
      3. Enter the password Symantec provided previously in the Certificate Password field.

        The password you need in this step was set when you completed the CSR process and exported the certificate.

      4. Select Save.
      5. Click Test Connection to verify that the connection succeeds. If the connection fails, an error message describes the problem.
    2. Configure the request template.
      Define which certificate deploys to devices by setting up a certificate template in Workspace ONE UEM.
      1. Navigate to Devices > Certificates > Certificate Authorities.
      2. Select the Request Templates tab.
      3. Click Add and complete the menu items.
        Certificate Authority: Select the Symantec CA you created.
        Profile Name: Select the Symantec profile OID.
        Automatic Certificate Renewal: Select this checkbox if Workspace ONE UEM should automatically ask Symantec to renew the certificate when it expires. If you select this option, enter the number of days before expiration at which Workspace ONE UEM requests reissue in the Auto Renewal Period (days) field. This requires the certificate profile on Symantec to have Duplicate Certificates enabled.
        Enable Certificate Revocation: Select this checkbox if Workspace ONE UEM should automatically revoke the certificate when the device is unenrolled, the applicable profile is removed, or the device is deleted from Workspace ONE UEM. If you do not select this checkbox, deleting a profile or a device removes the SCEP certificate from the device, but the certificate is not revoked at the CA.
        Key Type: Configured in the Symantec PKI Manager, not in Workspace ONE UEM. This indicates whether the public-private key pair is generated by Workspace ONE UEM or by Symantec. Workspace ONE UEM loads this setting from Symantec based on the selected OID and uses it to determine the type of certificate request to send. No configuration in Workspace ONE UEM is needed.
        Mandatory Fields: Enter lookup values that populate the corresponding fields in the Symantec profile. These fields vary with the Symantec profile you choose, since the information each profile requires may differ.
      4. Click Save.
  3. Configure Workspace ONE UEM profiles (payloads) for either PKI or SCEP.

    If you chose PKI when configuring the CA, you only need to configure a Credentials payload; if you chose SCEP, you only need to configure a SCEP payload. Once either of these is created, you can add further payloads that use the Symantec certificate, such as Exchange ActiveSync (EAS), VPN, or Wi-Fi.

    1. Navigate to Devices > Profiles > List View.
    2. Click Add.
    3. Select the applicable platform for the device type.
    4. Specify the General profile parameters.
    5. For PKI: select Credentials from the payload options and select Configure.
    6. Select Defined Certificate Authority from the Credential Source drop-down menu.
    7. Select the external Symantec CA you created previously (Configure the CA) from the Certificate Authority drop-down menu.
    8. Select the Symantec certificate template you created previously (Configure the request template) from the Certificate Template drop-down menu.
    9. For SCEP: select SCEP from the payload area on the left instead of configuring Credentials.
    10. Select Defined Certificate Authority from the Credential Source drop-down menu.
    11. Select the external Symantec CA you created for SCEP (Configure the CA) from the Certificate Authority drop-down menu.
    12. Select the Symantec certificate template you created for SCEP (Configure the request template) from the Certificate Template drop-down menu.

      At this point, saving and publishing the profile deploys a certificate to the device. However, if you plan to use the certificate on the device for Wi-Fi, VPN, or email, also configure the respective payload in the same profile so that it uses the certificate being deployed.
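The RA certificate steps of step 1 above (key pair and CSR, .p7b to .pem conversion, PKCS#12 export), as an added shell example that is not part of the Workspace ONE UEM documentation: it assumes openssl is on the PATH and, because the Symantec portal cannot be reached offline, substitutes a locally self-signed certificate for the one the portal would return, then adds the key-to-certificate match check worth running before the PFX is uploaded to the console.

```shell
#!/bin/sh
# Added example, not from the Workspace ONE UEM documentation: runs the RA
# certificate steps (key pair + CSR, .p7b -> .pem, PKCS#12 export) end-to-end
# in a temporary directory. The Symantec portal is unreachable offline, so the
# certificate it would return is a STAND-IN: the CSR is self-signed locally and
# wrapped in PKCS#7 so the documented .p7b conversion runs unchanged.
set -eu

WORK=$(mktemp -d)
PFX_PASS='constructed-example-password'   # stands in for the export password

# Step 1.1: new RSA-2048 key and CSR with the subject from the documentation.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -out "$WORK/AirWatch.csr" \
    -keyout "$WORK/AirWatch.key" \
    -subj "/C=US/ST=Georgia/L=Atlanta/O=R&D/OU=R&D/CN=AirWatch" 2>/dev/null
}

# Stand-in for steps 1.2-1.4 (Get a RA Certificate): sign the CSR locally and
# deliver it as a PKCS#7 bundle, the format the portal download uses.
simulate_portal_p7b() {
  openssl x509 -req -in "$WORK/AirWatch.csr" -signkey "$WORK/AirWatch.key" \
    -days 365 -out "$WORK/issued.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/issued.pem" -out "$WORK/certificate.p7b"
}

# Steps 1.5 and 1.6 as documented: .p7b -> .pem, then PKCS#12 with the key.
convert_and_bundle() {
  openssl pkcs7 -print_certs -in "$WORK/certificate.p7b" -out "$WORK/certificate.pem"
  openssl pkcs12 -export -out "$WORK/certificate.pfx" -inkey "$WORK/AirWatch.key" \
    -in "$WORK/certificate.pem" -passout "pass:$PFX_PASS"
}

# Pre-upload check: the private key given (default: AirWatch.key) must belong to
# the certificate inside the PFX. Compares SHA-256 of both DER public keys and
# prints "match" (exit 0) or "MISMATCH" (exit 1).
verify_pfx_key_matches_cert() {
  key_file=${1:-$WORK/AirWatch.key}
  cert_pub=$(openssl pkcs12 -in "$WORK/certificate.pfx" -nokeys -passin "pass:$PFX_PASS" \
    | openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key_file" -pubout -outform DER | openssl dgst -sha256)
  if [ "$cert_pub" = "$key_pub" ]; then echo match; return 0; fi
  echo MISMATCH; return 1
}

run_all() {
  make_key_and_csr && simulate_portal_p7b && convert_and_bundle && verify_pfx_key_matches_cert
}
```

Call run_all to exercise the whole flow; on a real RA server, replace simulate_portal_p7b with the .p7b downloaded from the portal and keep the remaining steps as they are.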

What to do next

Review some tips and troubleshooting steps for the integration.
  • Verify the ability to perform certificate authentication without Workspace ONE UEM.

    Remove Workspace ONE UEM from the configuration and manually configure a device to connect to your network server using certificate authentication. This should work outside Workspace ONE UEM; until it does, Workspace ONE UEM will not be able to configure a device to connect with a certificate.

  • Verify the ability to perform certificate authentication with Workspace ONE UEM.

    Confirm that the certificate is usable by pushing a profile to the device and testing whether the device can connect and sync to the configured EAS, VPN, or Wi-Fi access point. If the device does not connect and reports that the certificate cannot be authenticated or the account cannot connect, there is a problem in the configuration. The following checks help narrow it down.

  • If SSL/TLS errors are received while creating a template.
    • This error can occur when you attempt either of two tasks:
      • Create a Workspace ONE UEM certificate template by selecting the Retrieve Profiles button, or
      • Retrieve a certificate from the Workspace ONE UEM console from the SecureAuth certificate authority.
    • The fix that usually resolves this problem is adding the required server certificate chain to the console server's trusted root key store.
  • If the Workspace ONE UEM certificate profile fails to install on the device.
    • Inform Workspace ONE UEM Professional Services of the error and request that they:
      • Turn on Verbose Mode to capture additional data.
      • Retrieve the web console log.
    • Workspace ONE UEM analyzes the log and works with the customer to resolve the problem.
  • If the certificate is not populated in the View XML option of the profile.
    • Confirm that the lookup values configured on the Symantec certificate profile match the lookup values in the Workspace ONE UEM console's request template.
    • Confirm that the lookup values in the Workspace ONE UEM request template are actually populated in the user information being pulled from AD.
    • Confirm that you are pointing to the right profile in Symantec.