Workspace ONE UEM can request certificates from several certificate authorities, one of which is Entrust IdentityGuard. To use Entrust IdentityGuard as a certificate authority, use a supported version of the Workspace ONE UEM console, have access to an Entrust IdentityGuard instance, and set up Entrust IdentityGuard for mobile enrollment.

You can use Entrust IdentityGuard as a third-party certificate authority for Workspace ONE UEM in a SaaS environment. Communication flows between Workspace ONE UEM, Entrust, and mobile devices.

A diagram of the communication flow between Workspace ONE UEM and Entrust.

Prerequisites

  • Open port 19443 from the Workspace ONE UEM console to your Entrust server.
    Note: SaaS deployments can contact VMware Support Services to check that 19443 is open.
  • If you use the AirWatch Cloud Connector, go to its advanced settings and disable Entrust PKI.
  • Use a supported Entrust API version, V8 or V9.
  • Use Workspace ONE UEM console version 9.5 or later.
  • VMware AirWatch Cloud Connector is required if the Entrust IdentityGuard instance is installed behind a firewall.
  • An Entrust IdentityGuard instance needs to be available.
  • Configure Entrust IdentityGuard for mobile enrollment.

Procedure

  1. Set up Entrust IdentityGuard for mobile enrollment with Workspace ONE UEM. This task creates an Entrust Managed certificate authority (CA) and issues the instance of Entrust with a digital ID.
    Perform this task with help from your Entrust IdentityGuard representative. If you are using Entrust Managed Services PKI, your representative gives you several values you need for configuring Entrust as a CA in Workspace ONE UEM console.
    • URL to enter as the Server URL of the CA.
    • Credentials for the Server URL.
    • A digital ID configuration to enter while completing the certificate template.
    1. Configure an Entrust Managed CA in Entrust IdentityGuard.
      Adding a Managed CA allows Entrust IdentityGuard to communicate with your Security Manager CA.
    2. Configure a Digital ID Configuration in Entrust IdentityGuard.
      A Digital ID Configuration is a template that Entrust IdentityGuard uses to issue digital IDs.
    3. Configure the Entrust IdentityGuard digital ID policies.
    4. Mirror the password rules set in Security Manager and Entrust IdentityGuard.
      If the password rules do not match, errors can occur when issuing digital IDs.
    5. Add an Entrust IdentityGuard administrator that your Workspace ONE UEM MDM uses to issue digital IDs.
  2. Configure Entrust IdentityGuard as a certificate authority (CA) in the Workspace ONE UEM console.
    Configuration sets communication between the systems using values from your Entrust IdentityGuard managed certificate authority.
    1. Navigate to Devices > Certificates > Certificate Authorities and in the System Settings page that displays, select the Certificate Authorities tab.
    2. Select the Add button.
      The Certificate Authority – Add / Edit page displays.
    3. Enter in the Name field a unique name that identifies the Entrust certificate authority.
    4. Select the Authority Type drop-down and select Entrust.
    5. For Protocol, select either the PKI or SCEP radio button.
    6. Enter in the Server URL field the URL of the Administration Services MDM Web Service or the Entrust IdentityGuard Administration Service.
      If you are using Entrust Managed Services PKI, your Entrust IdentityGuard representative gave you this URL when you configured Entrust for mobile enrollment.
      An example of the URL is https://mobile.example.com:19443/mdmws/services/AdminServiceV8.
    7. In the Username and Password settings, enter the user name and password of the Administration Services or Entrust IdentityGuard administrator you created while configuring Entrust.
      If you are using Entrust Managed Services PKI, this username and corresponding password should have been provided to you by an Entrust representative.
    8. When complete, select the Test Connection button and verify that the test is successful.

      If the connection fails, an error displays. The usual causes are a certificate not being installed on the Workspace ONE UEM server, or an incorrect Server URL. In the example error, the Server URL was not correct.

      Error message for an incorrect server URL.

    9. Select Save.
  3. Define which certificate Workspace ONE UEM console deploys to devices by setting up a certificate template for Entrust IdentityGuard.
    1. On the Certificate Authorities system settings page (Groups & Settings > Configurations > Certificate Authorities), select the Request Templates tab.
    2. Select the Add button to add a new Certificate Template.
      The Certificate Template Add/Edit window displays.
    3. Select the Certificate Authority drop-down and select the Entrust CA you configured earlier.
    4. Enter in the Name and Description fields the name you want to give the Entrust certificate template.
    5. For Managed CA, select the name of the Entrust CA.
    6. Click on the Profile Name drop-down and select the name of the Digital ID Configuration that you created while configuring Entrust.
      If you are using Entrust Managed Services PKI, this Digital ID Configuration should have been provided to you by an Entrust representative.
    7. Configure Subject Alternative Name (SAN) attributes as required.
      These are used for additional unique identification of the device and need to match the Digital ID configuration.
    8. To have Workspace ONE UEM automatically ask Entrust to reissue the certificate when it expires, select the Automatic Certificate Renewal check box and make sure the assignment type is set to Auto. In the Auto Renewal Period (days) field, set the number of days before expiration at which Workspace ONE UEM automatically requests Entrust to reissue the certificate.
    9. If certificates must be revoked, either manually or when they are removed from the device, select Enable Certificate Revocation.
    10. Complete the Mandatory Fields that are used to form the common name of the distinguished name within the certificate.
      These fields can change depending on which Entrust profile you choose since the information within the profile may be different.

      The fields you see on the left side correspond to the data source fields you declared on the Entrust side. The values on the right are the Workspace ONE UEM variables. Enter Lookup Values in each of the fields that complement those fields in the Entrust profile. Make sure the lookup values you use match those used in the Digital ID configuration.

      If you are using Entrust Managed Services PKI, this information should have been provided to you by an Entrust representative.

    11. Click Save.
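The two failure causes named at the Test Connection step (wrong Server URL, or a certificate the Workspace ONE UEM server does not trust) and the port 19443 prerequisite can be checked from a shell before touching the console. The following script is an added example and is not part of the VMware documentation or of Workspace ONE UEM. It assumes the Server URL has the documented shape https://host:19443/mdmws/services/AdminServiceV8 (and that V9 uses the same path with a different version number, an assumption); the host names in the checks are constructed. check_server_url validates the URL offline, and probe_tls opens a TCP connection and completes a verified TLS handshake against the local trust store, which is the same chain check that fails when the Entrust server's issuing CA is not installed on the machine running the check.

```python
"""Pre-flight checks for the Entrust IdentityGuard Server URL before
pressing Test Connection in the Workspace ONE UEM console.

Added example, not VMware or Entrust code. Assumes the documented URL
shape https://<host>:19443/mdmws/services/AdminServiceV<8|9>; the host
names used in the checks below are constructed for illustration.
"""
import re
import socket
import ssl
import sys
from urllib.parse import urlparse

ENTRUST_PORT = 19443                    # port the prerequisites say to open
SUPPORTED_API_VERSIONS = ("8", "9")     # Entrust API versions the page lists
# Path pattern taken from the documented example URL (assumption: V9 uses the same form).
_PATH_RE = re.compile(r"^/mdmws/services/AdminServiceV(\d+)$")


def check_server_url(url: str) -> list[str]:
    """Return a list of problems with the Server URL; an empty list means it looks right."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"scheme is {parsed.scheme!r}, expected 'https'")
    if not parsed.hostname:
        problems.append("no host name in URL")
    # urlparse returns None when no explicit port is given; https then implies 443.
    port = parsed.port or (443 if parsed.scheme == "https" else None)
    if port != ENTRUST_PORT:
        problems.append(f"port is {port}, expected {ENTRUST_PORT}")
    match = _PATH_RE.match(parsed.path)
    if not match:
        problems.append(f"path {parsed.path!r} is not /mdmws/services/AdminServiceV<n>")
    elif match.group(1) not in SUPPORTED_API_VERSIONS:
        problems.append(f"API version V{match.group(1)} is not supported (V8 or V9)")
    return problems


def probe_tls(host: str, port: int = ENTRUST_PORT, timeout: float = 5.0) -> dict:
    """Open a TCP connection, then complete a TLS handshake with full chain
    verification against this machine's trust store. Returns a report dict
    instead of raising so a caller can print every finding at once."""
    report = {"tcp": False, "tls": False, "error": None, "subject": None}
    ctx = ssl.create_default_context()  # verifies chain and host name by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            report["tcp"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report["tls"] = True
                # getpeercert()["subject"] is a tuple of RDNs, each a tuple of (name, value) pairs
                report["subject"] = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
    except ssl.SSLCertVerificationError as exc:
        # TCP worked but the chain does not validate: the issuing CA is not trusted here.
        report["error"] = f"certificate verification failed: {exc.reason}"
    except (OSError, ssl.SSLError) as exc:
        # Covers refused connections, timeouts (port 19443 not open) and protocol errors.
        report["error"] = str(exc)
    return report


if __name__ == "__main__":
    # Usage: python entrust_precheck.py https://mobile.example.com:19443/mdmws/services/AdminServiceV8
    url = sys.argv[1] if len(sys.argv) > 1 else "https://mobile.example.com:19443/mdmws/services/AdminServiceV8"
    for problem in check_server_url(url):
        print("URL problem:", problem)
    parsed = urlparse(url)
    if parsed.hostname:
        print(probe_tls(parsed.hostname, parsed.port or ENTRUST_PORT))
```

Run it on the Workspace ONE UEM console server (or the AirWatch Cloud Connector host when Entrust sits behind a firewall), since that is the machine whose trust store and outbound firewall rules matter; a "certificate verification failed" result from there points at the missing-certificate cause, while a refused or timed-out connection points at port 19443 not being open.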

What to do next

To fix a (40) error that occurs in your integration of Entrust IdentityGuard and Workspace ONE UEM, delete old profiles and update the values of two parameters.

If you see the error (40) Error AirWatch.CloudConnector.CertificateService.CertificateService.TestConnection, take the following steps to fix it.
  • Clean up stale profiles.
  • Increase MaxReceivedMessageSize to 2147483647.
  • Increase MaxBufferSize to 2147483647.
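The two size parameters are applied most safely with a script rather than by hand-editing. The following is an added example and is not VMware code: it assumes MaxReceivedMessageSize and MaxBufferSize are the WCF binding attributes maxReceivedMessageSize and maxBufferSize on the binding elements of a .config file, and that you supply the path to that file (the page does not name it). The sample config embedded in the script is constructed. The value 2147483647 is the 32-bit signed integer maximum, which is why it is the ceiling the page gives.

```python
"""Raise the WCF message-size limits named in the (40) TestConnection fix.

Added example, not VMware code. Assumes the two parameters are the
maxReceivedMessageSize and maxBufferSize attributes on <binding> elements
of a WCF-style .config file; the config file path is supplied by the caller
and the SAMPLE_CONFIG below is constructed for illustration.
"""
import sys
import xml.etree.ElementTree as ET

INT32_MAX = 2147483647                                   # value the page says to set
SIZE_ATTRS = ("maxReceivedMessageSize", "maxBufferSize")  # WCF binding attributes (assumption)

# Constructed sample; the binding names are illustrative, not names from any product.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="EntrustBinding" maxReceivedMessageSize="65536" maxBufferSize="65536" />
        <binding name="OtherBinding" maxReceivedMessageSize="65536" />
      </basicHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>
"""


def raise_message_limits(config_xml: str, limit: int = INT32_MAX) -> tuple[str, int]:
    """Set maxReceivedMessageSize and maxBufferSize on every <binding> to `limit`.

    Both attributes are set even when one is absent, because WCF's default
    buffered transfer mode requires the two values to be equal. Values already
    at or above the limit are left alone, so running this twice changes nothing.
    Returns the rewritten XML and the number of attributes changed."""
    root = ET.fromstring(config_xml)
    changed = 0
    for binding in root.iter("binding"):
        for attr in SIZE_ATTRS:
            current = int(binding.get(attr, "0"))  # missing attribute counts as unset
            if current < limit:
                binding.set(attr, str(limit))
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def update_config_file(path: str) -> int:
    """Rewrite the config file in place, keeping a .bak copy of the original.
    Returns the number of attributes changed (0 means the file was not touched)."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_xml, changed = raise_message_limits(original)
    if changed:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_xml)
    return changed


if __name__ == "__main__":
    # Usage: python raise_wcf_limits.py <path-to-.config>   (no argument: dry run on the sample)
    if len(sys.argv) > 1:
        print(f"changed {update_config_file(sys.argv[1])} attribute(s) in {sys.argv[1]}")
    else:
        xml_out, count = raise_message_limits(SAMPLE_CONFIG)
        print(f"changed {count} attribute(s) in the constructed sample:\n{xml_out}")
```

Restart the service that reads the config after the change, and keep the .bak copy until Test Connection succeeds; if the error persists, the stale profiles step is the remaining cause the page names.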