Workspace ONE UEM integrates with PKI flexibly: it can request certificates from either internal or external certificate authorities (CAs). Integrate it with GlobalSign PKI services to issue certificates for your Workspace ONE UEM MDM deployment.

For Workspace ONE UEM to communicate with GlobalSign for certificate distribution, you must have a GlobalSign instance configured and ready to issue certificates. You then configure Workspace ONE UEM to authenticate to GlobalSign with basic authentication (a service account username and password sent over TLS). Once communication is established, you define how certificates are deployed to devices. The following sequence shows how GlobalSign and Workspace ONE UEM work together.
  1. The device enrolls with Workspace ONE UEM.
  2. Workspace ONE UEM requests a certificate from the GlobalSign endpoint.
  3. The GlobalSign endpoint delivers the certificate to Workspace ONE UEM.
  4. Workspace ONE UEM delivers the certificate to the device as part of an EAS, VPN, or Wi-Fi profile.

Prerequisites

  • A GlobalSign instance that is configured for certificate deployment.
  • Workspace ONE UEM console version 9.5 or later.
  • A service account with authentication permissions.

Procedure

  1. Generate the GlobalSign certificate.
  2. Configure the GlobalSign certificate authority in Workspace ONE UEM console.
    1. Navigate to Devices > Certificates > Certificate Authorities.
    2. Click Add.
    3. Select GlobalSign from the Authority Type drop-down menu.
    4. Enter a unique name and description that identifies the GlobalSign certificate authority in the Certificate Authority and Description fields.
    5. In the Server URL field enter the URL of your GlobalSign instance.

This is the web endpoint that Workspace ONE UEM uses to submit certificate requests and retrieve issued certificates. Use an https:// URL: the service account credentials are sent with basic authentication on every request, so the connection must be protected by TLS.

    6. In the Username and Password fields, enter the credentials of the service account with authentication permissions listed under Prerequisites above.
    7. Click Save.
    8. Click Test Connection to verify that the console can reach GlobalSign and authenticate with these credentials. If the connection fails, an error message describes the problem.
    9. Click Save.
  3. Set up the request template for GlobalSign in Workspace ONE UEM console.
    1. Navigate to Devices > Certificates > Certificate Authorities.
    2. Select the Request Templates tab, select Add, and complete the following fields.
      Certificate Authority: Select GlobalSign.
      Profile ID: Enter the GlobalSign profile ID bound to the certificate.
      Product Code: Enter the code for the certificate and the license.
      Validity Period: Enter how long the certificate is valid.
      SAN Type: Select Add to include one or more Subject Alternative Names (SANs) in the template.

      A SAN is used for additional unique certificate identification. In most cases, it must match the certificate profile on GlobalSign. Use the drop-down menu to select the SAN Type and enter the subject alternative name in the corresponding data entry field.

      Each field supports lookup values. Email Address, User Principal Name, and DNS Name are supported by GlobalSign templates by default.

      Automatic Certificate Renewal: Select the checkbox if Workspace ONE UEM should automatically ask GlobalSign to renew the certificate before it expires.

      If you select this option, enter the number of days before expiration at which Workspace ONE UEM requests GlobalSign to reissue the certificate in the Auto Renewal Period (days) field. This requires the Duplicated Certificates setting to be enabled on the GlobalSign certificate profile.

      Enable Certificate Revocation: Select the checkbox if you want Workspace ONE UEM to be able to revoke certificates issued through this template.
    3. Select Save.
  4. Configure a Workspace ONE UEM Credentials profile (payloads) to deploy to devices.
    This profile binds the GlobalSign certificate authority configured in the console to the devices that receive the Credentials payload.
    1. Navigate to Devices > Profiles > List View.
    2. Click Add.
    3. Select the applicable platform for the device type.
    4. Specify General profile parameters.
    5. Select Credentials from the payload options and select Configure.
    6. Select Defined Certificate Authority from the Credential Source drop-down menu.
    7. Select the external GlobalSign CA you created from the Certificate Authority drop-down menu.
    8. Select the request template for GlobalSign you created from the Certificate Template drop-down menu.
      Saving and publishing the profile deploys a certificate to the device. If you plan to use the certificate on the device for Wi-Fi, VPN, or email, also configure the respective payload in the same profile so that it references the certificate being deployed.

What to do next

Review some tips and troubleshooting steps for the integration.
  • Verify ability to perform certificate authentication without Workspace ONE UEM.

    Remove Workspace ONE UEM from the configuration and manually configure a device to connect to your network server using certificate authentication. This must work outside of Workspace ONE UEM; until it does, Workspace ONE UEM cannot configure a device to connect with a certificate either.

  • Verify ability to perform certificate authentication with Workspace ONE UEM.

    You can confirm that the certificate is usable by pushing a profile to the device and testing whether the device is able to connect and sync to the configured EAS, VPN, or Wi-Fi access point. If the device does not connect and shows a message that the certificate cannot be authenticated or the account cannot connect, there is a problem in the configuration. The following checks help narrow it down.

  • If SSL/TLS errors are received while creating a template.
    • This error can occur during two tasks:
      • creating a Workspace ONE UEM certificate template by selecting the Retrieve Profiles button, or
      • retrieving a certificate from the Workspace ONE UEM console from the GlobalSign certificate authority.
    • The usual cause is that the console server does not trust the certificate chain presented by the GlobalSign endpoint. Adding the required server certificate chain (the root CA, and any intermediate CA certificates) to the console server's trusted certificate stores usually resolves the problem.
  • If the Workspace ONE UEM Certificate Profile fails to install on the device.
    • Inform Workspace ONE UEM Professional Services of the error and request they:
      • Turn On Verbose Mode to capture additional data.
      • Retrieve web console log.
    • Workspace ONE UEM analyzes the log and works with the customer to resolve the problem.
  • If the certificate is not populated in the View XML option of the profile.
    • Confirm that the lookup values configured on the GlobalSign certificate profile match the lookup values in the Workspace ONE UEM console's Request Template.
    • Confirm that the attributes behind the lookup values in the Workspace ONE UEM Request Template (for example, email address and user principal name) are actually populated in the user information being pulled from AD.
    • Confirm that the Profile ID in the Request Template points to the right profile in GlobalSign.
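
The following PowerShell script is an added example, not part of this page and not VMware or GlobalSign tooling. It packages the checks from the list above to run on the Workspace ONE UEM console server: whether that server trusts the TLS chain presented at the Server URL (exporting the CA certificates for review and import if it does not), whether the AD attributes behind the Email Address and User Principal Name lookup values are populated for given enrollment users, and which SANs an issued certificate actually carries so they can be compared with the request template. The endpoint URL, user names and certificate path are placeholders; the RSAT ActiveDirectory module is assumed for the AD check; and the always-true validation callback in the chain check is for diagnosis only.

```powershell
# Added example, not from VMware or GlobalSign documentation. Run on the Workspace ONE UEM
# console server. $ServerUrl, the user names and the certificate path below are placeholders.

function Test-CaEndpointTrust {
    # Does this server trust the TLS chain the GlobalSign endpoint presents?
    # If not, export the CA certificates so they can be verified and imported.
    param([Parameter(Mandatory)][string]$ServerUrl, [string]$ExportDir = "$env:TEMP\ca-chain")
    $uri = [Uri]$ServerUrl
    if ($uri.Scheme -ne 'https') { throw 'Server URL must be https: basic-auth credentials are sent with every request.' }
    $port = if ($uri.Port -gt 0) { $uri.Port } else { 443 }
    $presented    = New-Object 'System.Collections.Generic.List[System.Security.Cryptography.X509Certificates.X509Certificate2]'
    $policyErrors = New-Object 'System.Collections.Generic.List[string]'
    # Diagnostic-only callback: records the presented chain and any policy errors but lets the
    # handshake complete. Never use a callback that returns $true in code that talks to the CA for real.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        foreach ($e in $chain.ChainElements) { $presented.Add($e.Certificate) }
        if ($errors -ne [System.Net.Security.SslPolicyErrors]::None) { $policyErrors.Add("$errors") }
        return $true
    }.GetNewClosure())
    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($uri.Host)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
    # Rebuild the chain against this server's certificate stores plus the intermediates the endpoint sent.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust question only; revocation is a separate check
    foreach ($c in $presented) { if ($c.Thumbprint -ne $leaf.Thumbprint) { [void]$chain.ChainPolicy.ExtraStore.Add($c) } }
    $trusted = $chain.Build($leaf) -and ($policyErrors.Count -eq 0)
    Write-Host "Endpoint $($uri.Host):$port presents '$($leaf.Subject)', expires $($leaf.NotAfter); trusted here: $trusted"
    if (-not $trusted) {
        foreach ($s in $chain.ChainStatus) { Write-Host "  $($s.Status): $($s.StatusInformation.Trim())" }
        New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null
        foreach ($e in $chain.ChainElements) {
            $c = $e.Certificate
            if ($c.Thumbprint -eq $leaf.Thumbprint) { continue }          # never import the leaf
            $kind = if ($c.Subject -eq $c.Issuer) { 'root' } else { 'intermediate' }
            $path = Join-Path $ExportDir "$kind-$($c.Thumbprint).cer"
            Export-Certificate -Cert $c -FilePath $path -Type CERT | Out-Null
            Write-Host "  exported $path"
        }
        Write-Host '  Verify the exported files against the fingerprints GlobalSign publishes, then import:'
        Write-Host '  Import-Certificate -FilePath <root-*.cer> -CertStoreLocation Cert:\LocalMachine\Root'
        Write-Host '  Import-Certificate -FilePath <intermediate-*.cer> -CertStoreLocation Cert:\LocalMachine\CA'
        Write-Host '  If the endpoint did not send its root, obtain the root certificate from GlobalSign directly.'
    }
    return $trusted
}

function Test-LookupValueAttributes {
    # The Email Address and User Principal Name lookup values are filled from the enrollment
    # user's directory record; a blank attribute produces an empty SAN in the request.
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    Import-Module ActiveDirectory
    foreach ($name in $SamAccountName) {
        $u = Get-ADUser -Filter "sAMAccountName -eq '$name'" -Properties mail, userPrincipalName
        [pscustomobject]@{
            User  = $name
            Found = [bool]$u
            Email = $u.mail
            UPN   = $u.UserPrincipalName
            Ready = [bool]$u -and -not [string]::IsNullOrWhiteSpace($u.mail) -and -not [string]::IsNullOrWhiteSpace($u.UserPrincipalName)
        }
    }
}

function Get-CertificateSan {
    # List the SANs in an issued certificate (exported .cer) to compare with the request template.
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if (-not $ext) { return @() }
    # On Windows, Format($true) renders one entry per line, e.g. "RFC822 Name=user@example.com".
    @(($ext.Format($true) -split "`r?`n") | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Usage (placeholder values):
Test-CaEndpointTrust -ServerUrl 'https://globalsign.example.com/'
Test-LookupValueAttributes -SamAccountName 'jdoe', 'asmith' | Format-Table -AutoSize
Get-CertificateSan -Path 'C:\temp\issued-device-cert.cer'
```

Run it from an elevated PowerShell session on the console server so that Import-Certificate can write to the Local Machine stores afterwards. Only the root CA belongs in Cert:\LocalMachine\Root; put intermediates in Cert:\LocalMachine\CA, and check the exported root against a fingerprint obtained from GlobalSign out of band before trusting it, since the script deliberately accepts whatever the endpoint presents in order to capture the chain.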