Workspace ONE UEM can request certificates from either internal or external certificate authorities (CAs). This page describes integrating with the Symantec Managed PKI (MPKI) service so that it issues the certificates your Workspace ONE UEM MDM deployment pushes to devices.
For Workspace ONE UEM to talk to Symantec as a Registration Authority (RA), you first need an active Symantec account. You then generate an RA certificate and store it on the RA server, and configure Workspace ONE UEM to authenticate to the Symantec MPKI CA with that certificate. Once the two communicate successfully, you define which certificate Workspace ONE UEM deploys to the device.
Generate the RA private key and a certificate signing request (CSR). The -nodes flag writes the private key to disk unencrypted, so run this on the RA server itself and restrict access to AirWatch.key. The subject DN of the RA certificate is given as the argument to -subj:
openssl req -new -newkey rsa:2048 -nodes -out AirWatch.csr -keyout AirWatch.key -subj
Submit AirWatch.csr to Symantec. The issued RA certificate is downloaded as a PKCS#7 bundle (.p7b); convert it to PEM:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
Combine the RA private key and certificate into a PKCS#12 (PFX) file. You are prompted for an export password, which you need again when you upload the PFX in the Workspace ONE UEM console:
openssl pkcs12 -export -out certificate.pfx -inkey AirWatch.key -in certificate.pem
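The three openssl steps above, run end to end as an added example (this is not VMware's or Symantec's code). Because the real Symantec MPKI CA cannot be reached offline, a throwaway local CA created in the script stands in for it and returns the RA certificate as a .p7b bundle, exactly the input the page's second command expects. File names, the subject DNs, and the export password are assumptions for the demo. The last function is the check worth doing before uploading: the PFX must open with the export password and the certificate inside it must match the RA private key.

```shell
#!/bin/sh
# Added example: build and verify the RA PFX. Not VMware/Symantec code.
# Assumes openssl is on PATH; all names below are made up for the demo.
set -eu

# mktemp -d creates the directory mode 0700, which matters because -nodes
# leaves AirWatch.key unencrypted on disk.
WORK="${WORK:-$(mktemp -d)}"

# Step 1 (page command 1): RA private key + CSR. The -subj value is the
# RA certificate's subject DN; the one here is a placeholder.
make_ra_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/AirWatch.key" -out "$WORK/AirWatch.csr" \
        -subj "/CN=AirWatch RA/O=Example Corp" 2>/dev/null
}

# Stand-in for Symantec: a local CA signs the CSR and hands back a
# PKCS#7 (.p7b) bundle containing the RA certificate and the CA chain.
sign_with_fake_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/fakeca.key" -out "$WORK/fakeca.pem" \
        -subj "/CN=Fake Symantec CA (demo)" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$WORK/AirWatch.csr" \
        -CA "$WORK/fakeca.pem" -CAkey "$WORK/fakeca.key" -CAcreateserial \
        -out "$WORK/AirWatch.crt" 2>/dev/null
    openssl crl2pkcs7 -nocrl -certfile "$WORK/AirWatch.crt" \
        -certfile "$WORK/fakeca.pem" -out "$WORK/certificate.p7b"
}

# Steps 2 and 3 (page commands 2 and 3): p7b -> pem, then key + pem -> pfx.
# $1 is the export password; it is what you type into the UEM console later.
build_pfx() {
    openssl pkcs7 -print_certs -in "$WORK/certificate.p7b" \
        -out "$WORK/certificate.pem"
    openssl pkcs12 -export -out "$WORK/certificate.pfx" \
        -inkey "$WORK/AirWatch.key" -in "$WORK/certificate.pem" \
        -passout "pass:$1"
}

# Pre-upload check: the PFX opens with the password, and the public key of
# the certificate it carries equals the public key of the RA private key.
verify_pfx() {
    pfx_pub=$(openssl pkcs12 -in "$WORK/certificate.pfx" -passin "pass:$1" \
        -clcerts -nokeys 2>/dev/null | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/AirWatch.key" -pubout)
    [ -n "$pfx_pub" ] && [ "$pfx_pub" = "$key_pub" ]
}

# Stand-alone run of the whole procedure.
make_ra_csr
sign_with_fake_ca
build_pfx "demo-export-password"
verify_pfx "demo-export-password" && echo "RA bundle OK: $WORK/certificate.pfx"
```

Once the PFX is uploaded, delete the working directory: the unencrypted AirWatch.key is the credential that lets anyone request certificates from your Symantec account as your RA. If the upload of a PFX produced by OpenSSL 3.x is rejected, re-export it with the `-legacy` option of `openssl pkcs12`, since the 3.x default encryption is not readable by some older Windows stacks.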
Configure CA and request template in Workspace ONE UEM.
The URL is the same for all customers.
| Setting | Description |
|---|---|
| Protocol | Select either the PKI or SCEP radio button. |
| SCEP Endpoint URL (SCEP protocol) | Enter the URL of the SCEP endpoint in the field that appears. Workspace ONE UEM submits its SCEP certificate requests to this endpoint. |
| Certificate | Select Upload and choose the RA certificate (the PFX file) you generated earlier. |
| Setting | Description |
|---|---|
| Certificate Authority | Select the Symantec CA you created. |
| Profile Name | Select the Symantec profile OID. |
| Automatic Certificate Renewal | Select this checkbox if Workspace ONE UEM should automatically ask Symantec to reissue the certificate before it expires. If you select it, enter in the Auto Renewal Period (days) field how many days before expiration Workspace ONE UEM sends the reissue request. The certificate profile in Symantec must have Duplicate Certificates enabled for this to work. |
| Enable Certificate Revocation | Select this checkbox if Workspace ONE UEM should automatically revoke the certificate at the CA when the device is unenrolled, the applicable profile is removed, or the device is deleted from Workspace ONE UEM. If you leave it unselected, deleting a profile or device removes the SCEP certificate from the device but does not revoke it at the CA, so it stays valid until it expires. |
| Key Type | Configured in Symantec PKI Manager, not in Workspace ONE UEM. It indicates whether the public-private key pair is generated by Workspace ONE UEM or by Symantec. Workspace ONE UEM reads this setting from Symantec for the selected OID and uses it to decide which type of certificate request to send; nothing needs to be configured on the Workspace ONE UEM side. |
| Mandatory Fields | Enter lookup values for the fields the Symantec profile requires. These fields vary with the Symantec profile you choose, since each profile can require different information. |
Configure Workspace ONE UEM profiles (payloads) for either PKI or SCEP. If you chose PKI when configuring the CA, you only need a Credentials payload; if you chose SCEP, you only need a SCEP payload. Once one of these is created, you can add further payloads that use the Symantec certificate, such as Exchange ActiveSync (EAS), VPN, or Wi-Fi.
At this point, saving and publishing the profile deploys a certificate to the device. If the device is to use that certificate for Wi-Fi, VPN, or email, also configure the corresponding payload in the same profile and point it at the certificate being deployed.
Review some tips and troubleshooting steps for the integration.
Verify certificate authentication without Workspace ONE UEM.
Take Workspace ONE UEM out of the picture and manually configure a device to connect to your network service using certificate authentication. This must work on its own first: until it does, Workspace ONE UEM cannot configure a device to connect with a certificate either, and any failure you see will be in the CA, server, or trust configuration rather than in Workspace ONE UEM.
Verify certificate authentication with Workspace ONE UEM.
Confirm that the certificate is usable by pushing a profile to the device and testing whether the device can connect and sync to the configured EAS server, VPN, or Wi-Fi access point. If the device does not connect and reports that the certificate cannot be authenticated or the account cannot connect, there is a problem in the configuration. The following checks help narrow it down.
If SSL/TLS errors are received while creating a template.
If the Workspace ONE UEM certificate profile fails to install on the device.