SecureAuth

Workspace ONE UEM is flexible with PKI integration by being able to request certificates from either internal or external certificate authorities (CA). Integrate with SecureAuth services to issue certificates for your Workspace ONE UEM MDM solution.

In order for Workspace ONE UEM to communicate with SecureAuth for certificate distribution, you must have a SecureAuth instance configured and ready to issue certificates.

You can then configure Workspace ONE UEM to communicate with SecureAuth using basic authentication. Once communication is successfully established, you can define how to deploy certificates to devices. Below are some of the examples of how SecureAuth and Workspace ONE UEM can be deployed.

Workspace ONE UEM with SecureAuth Installed On-Premises
1. Device enrolls with Workspace ONE UEM.
2. Workspace ONE UEM requests a certificate from the SecureAuth endpoint (optionally thorugh the AirWatch Cloud Connector).
3. The SecureAuth endpoint delivers the certificate to Workspace ONE UEM (optionally thorugh the AirWatch Cloud Connector).
4. Workspace ONE UEM delivers the certificate to the device as part of an EAS, VPN, or Wi-Fi profile.
  Note: If your SecureAuth endpoint is public-facing, then it must be protected by a public SSL certificate. If you are using the AirWatch Cloud Connector, configure it to trust the root certificate installed on your SecureAuth appliance.
Workspace ONE UEM SaaS and SecureAuth SaaS
1. Device enrolls with Workspace ONE UEM.
2. Workspace ONE UEM requests a certificate from the SecureAuth endpoint.
3. The SecureAuth endpoint delivers the certificate to Workspace ONE UEM.
4. Workspace ONE UEM delivers the certificate to the device as part of an EAS, VPN, or Wi-Fi profile.
Workspace ONE UEM and SecureAuth Both Installed On-Premises
1. Device enrolls with Workspace ONE UEM.
2. Workspace ONE UEM requests a certificate from the SecureAuth endpoint (optionally thorugh the AirWatch Cloud Connector).
3. The SecureAuth endpoint delivers the certificate to Workspace ONE UEM (optionally thorugh the AirWatch Cloud Connector).
4. Workspace ONE UEM delivers the certificate to the device as part of an EAS, VPN, or Wi-Fi profile.
  Note: If your SecureAuth endpoint is public-facing, then it must be protected by a public SSL certificate. If you are using the AirWatch Cloud Connector, configure it to trust the root certificate installed on your SecureAuth appliance.

Prerequisites

A SecureAuth instance that is configured for certificate deployment.
Workspace ONE UEM console version 9.6 or later.
If your SecureAuth appliance is public-facing, it must be protected with a Public SSL Certificate. If you are using VMware AirWatch Cloud Connector for enterprise integration, then AirWatch Cloud Connector needs to be configured to trust the root certificate installed on your SecureAuth appliance.

Procedure

Generate a SecureAuth MPKI RA certificate.

Configure the CA and the request template in the Workspace ONE UEM console.

Configure the CA.

Navigate to Devices > Certificates > Certificate Authorities > Certificate Authorities tab.

Click Add and complete the menu items.

Option	Description
Authority Type	SecureAuth
Server URL	Enter `https://<SecureAuth_FQDN>/SecureAuthX/webservice/certificateissuerws.svc`, where `<SecureAuth_FQDN>` is the URL of your SecureAuth instance and the “X” in “SecureAuthX” is the realm instance number that is configured for certificates. This is the web endpoint that Workspace ONE UEM will use to submit requests and issue certificates.
Company GUID	Enter the value that you can find in the SecureAuth portal. Look in the License Info section.
User name	Enter name for your SecureAuth instance. Look in the FBA WebService section of the SecureAuth portal.
Password	Enter value for your SecureAuth instance. Look in the FBA WebService section of the SecureAuth portal.

Click Save.
Click Test Connection when complete to verify the test is successful. An error message appears indicating the problem if the connection fails.

Configure the request template.

Navigate to Devices > Certificates > Certificate Authorities.
Select the Request Templates tab.

Click Add and complete the menu items.

Option	Description
Certificate Authority	SecureAuth
Subject Name	The identity bound to the certificate.
Key Pair Generation Location	Select either Workspace ONE UEM or SecureAuth. This is where the key pair is generated – either on the SecureAuth side or on the Workspace ONE UEM side. SecureAuth - Generates the certificate and the private key and returns it back to Workspace ONE UEM with its root certificate. The root certificate and user certificate are combined into a single certificate and sent to the device to install. Workspace ONE UEM - Configure the Certificate Validity Period, which is the length of time the certificate is valid for in days. You can use the value 365. Also, configure the Private Key Length, which is how secure you want the keys. Use 2048 as the key length.
Private Key Type	Select if the certificate is used for signing and encryption operations or both.
Automatic Certificate Renewal	Select the this checkbox if Workspace ONE UEM is going to automatically request the certificate to be renewed by SecureAuth when it expires. If you select this option, enter the number of days prior to expiration before Workspace ONE UEM automatically requests SecureAuth to reissue the certificate in the Auto Renewal Period (days) field. This requires the certificate profile on SecureAuth to have the Duplicated Certificates setting enabled.
Enable Certificate Revocation	Select the this checkbox if you want Workspace ONE UEM to be able to revoke certificates.

Click Save.

Configure Workspace ONE UEM profiles (payloads) for either PKI or SCEP.
If in Retrieving Certificate from SecureAuth certificate authority, you chose PKI then you only need to configure a Credentials profile. Once either of these profiles are created, you can create additional payloads that the SecureAuth certificate can use, such as Exchange ActiveSync (EAS), VPN, or Wi-Fi services.
1. Navigate to Devices > Profiles > List View.
2. Click Add.
3. Select the applicable platform for the device type.
4. Specify all General profile parameters.
5. Select Credentials from the payload options and select Configure.
6. Select Defined Certificate Authority from the Credential Source drop-down menu.
7. Select the external SecureAuth CA you created previously from the Certificate Authority drop-down menu.
8. Select the certificate template for SecureAuth you created previously from the Certificate Template drop-down menu.
  Saving and Publishing the profile would deploy a certificate to the device. However, if you plan on using the certificate on the device for Wi-Fi, VPN, or email purposes, then you should also configure the respective payload in the same profile to leverage the certificate being deployed.
(Optional) If you are using AirWatch Cloud Connector and the SecureAuth appliance is not public-facing, configure AirWatch Cloud Connector to trust the SecureAuth appliance.
1. Open MMC by searching for it using Windows Search and launching the mmc.exe file.
2. Navigate to File > Add/Remove Snap-in.
  The Add or Remove Snap-ins screen displays.
3. Select the Certificates snap-in in the left pane and select Add.
4. Select Computer account as Snap in source. Select Next.
5. Select Local computer. Select Finish.
6. Select OK.
7. Expand the newly added Certificates tree.
8. Expand the Trusted Root Certification Authorities folder.
9. Right-click the Certificates folder here and select All Tasks > Import.
10. Proceed through the Certificate Import Wizard. As prompted, browse and select the file of the root certificate used to generate the SecureAuth SSL certificate. Select Next.
11. Select Place all certs in the following store. Select Next.
12. Click Finish.

What to do next

Review some tips and troubleshooting steps for the integration.

Verify ability to perform certificate authentication without Workspace ONE UEM.
Remove Workspace ONE UEM from the configuration and manually configure a device to connect to your network server using certificate authentication. This should work outside of Workspace ONE UEM and until this works properly, Workspace ONE UEM will not be able to configure a device to connect with a certificate.
Verify ability to perform certificate authentication with Workspace ONE UEM.
You can confirm that the certificate is usable by pushing a profile to the device and testing whether or not the device is able to connect and sync to the configured EAS, VPN, or Wi-Fi access-point. If the device is not connecting and shows a message that the certificate cannot be authenticated or the account cannot connect then there is a problem in the configuration. Below are some helpful troubleshooting checks.
If SSL TLS errors are received while creating a template.
- This error can occur when you attempt two tasks.
  - Create a Workspace ONE UEM certificate template byselecting the Retrieve Profiles button or
  - Retrieve a certificate from the Workspace ONE UEM console from the SecureAuth certificate authority.
- The troubleshooting technique that usually resolves this problem is adding the required server certificate chain in the console servers trusted root key store.
If the Workspace ONE UEM Certificate Profile fails to install on the device.
- Inform Workspace ONE UEM Professional Services of the error and request they:
  - Turn On Verbose Mode to capture additional data.
  - Retrieve web console log.
- Workspace ONE UEM analyzes the log and works with customer to resolve the problem.
If the certificate is not populated in the View XML option of the profile.
- Confirm that lookup values configured on the SecureAuth certificate profile match the look up values in the Workspace ONE UEM console’s Request Template.
- Confirm that lookup values in Workspace ONE UEM Request Template are actually populated in the user information being pulled from AD.
- Confirm you are pointing to the right profile in SecureAuth.