Configure a Relay Server Cloud Connector for product provisioning by selecting an FTP, Explicit FTPS, Implicit FTPS (Pull only), SFTP file server, or HTTPS (pull only) protocol and integrating it with Workspace ONE UEM.

Client-server applications such as Workspace ONE UEM use the transport layer security (TLS) cryptographic protocol to communicate across a network. Three transfer protocols support TLS: the file transfer protocol (FTP), the file transfer protocol over SSL (FTPS), and the SSH file transfer protocol (SFTP).

These file transfer protocols secure data only while it is in transit between the client and the server. Because of this limitation, use OS-level disk encryption. There are several operating system-specific tools available (for example, BitLocker for Windows, GnuPG for Linux).

Workspace ONE UEM supports the creation of a Relay Server Cloud Connection (RSCC) as an alternative to the traditional push or pull methods to Configure a Relay Server.

An RSCC is a hybrid solution that pulls content (products only) from a content service endpoint and distributes that content (products only) to your relay servers. This design can bring performance improvements over a traditional pull relay server. This Relay Server workflow includes only RSCC options.


  • You need an FTP, Explicit FTPS, Implicit FTPS in Pull configuration (Android only), SFTP, or HTTPS (Pull only) file server.
    • Implicit FTPS relay servers are only supported in a pull configuration and can only be used with Android devices.
    • Pull service bandwidth needs and minimum hardware requirements are negligible when compared to pushing products to devices. Such needs are entirely dependent upon 1) the number of products you are pushing, 2) how often you push them, and 3) the size of the products in MBs.
    • When assessing hardware and bandwidth needs for FTP servers, consider the following general guidelines and adjust their specifications as your needs change.
    • General FTP Server Guidelines: 2 GHz x86 or x64 processor and 4 GB RAM.
  • You must create an FTP user with a home directory. This user must have read/write/delete permissions for both the directory and the files used in the relay server. This FTP user must have a user name and password for authentication.
  • Workspace ONE UEM supports SFTP servers; however, the supported staging clients, Stage Now (Android) and Rapid Deployment, do not support SFTP servers for use with barcode staging.
  • If selecting an HTTPS protocol (pull configuration only), you must configure the HTTPS endpoint using the web server configuration tool of choice (for example, IIS). The root directory you select in the web server configuration must be the same as the Pull Local Directory of the relay server.
  • FTP and FTPS servers must be compliant with RFC 959 and RFC 2228 set by the Internet Engineering Task Force.


  1. Navigate to Groups & Settings > All Settings > Admin > Product Provisioning and set the Relay Server Cloud Connector option to Enabled.

  2. Navigate to Devices > Provisioning > Relay Servers > List View and select the Add button, followed by Add Relay Server.
  3. Complete all applicable settings in the tabs that are displayed.

    Table 1. General Tab
    Setting | Description
    Name | Enter a name for the relay server.
    Description | Enter a description for the relay server.
    Relay Server Type | Select Cloud Relay as the relay server method. Cloud Relay: Designed for SaaS deployments, the Relay Server Cloud Connector (RSCC) pulls content (products only) from a content service endpoint and distributes that content (products only) to your relay servers.
    Log Level | Select the level of detail you want the log to capture as your relay server operates. Select Error to log only when things go wrong, or Debug to capture all available detail.
    Restrict Content Delivery Window | Enabling this option limits content delivery to a specific time window. Provide a Start Time and End Time to restrict the delivery of content. The start time and end time of the restriction window are based on Coordinated Universal Time (UTC), which the system obtains by converting the console server time into Greenwich Mean Time (GMT). Set the system time on the console server accurately to ensure that your content is delivered on time.

    Table 2. Assignment Tab
    Setting | Description
    Managed By | Select the organization group that manages the relay server.

    Table 3. Pull Connection Tab
    Setting | Description
    Pull Local Directory | Enter the local directory path for the server. The directory you enter here must be the same as the root directory you select when configuring an HTTPS endpoint on the web server. For example, if you have configured an HTTPS endpoint and selected c:\rootfolder as your root directory in IIS, then you must use c:\rootfolder for your Pull Local Directory.
    Pull Discovery Text | Enter the IP addresses or the MAC addresses of the server. Separate each address with commas. IP addresses use periods as normal, but MAC addresses do not use any punctuation in this form.
    Pull Frequency | Enter the frequency, in minutes, at which the pull server checks with the Workspace ONE UEM console for changes in the product.
    Max Push Connections | Modify this value to throttle the maximum number of simultaneous connections used to push content to Relay Servers. The default value is 50.
    Report Status Batch Size | As content distributes to target Relay Servers, Cloud Relay reports the transfer status of each Relay Server to the Workspace ONE Cloud. Modify this value to throttle the number of Relay Server statuses to include in each batch. The default value is 100 statuses per batch.
  4. Select Save.
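
The Pull Discovery Text format described in Table 3 (comma-separated, IP addresses with periods, MAC addresses without punctuation) is easy to get wrong when addresses are copied from `ipconfig` or `ip link` output. The following Python helper is an added example, not part of Workspace ONE UEM: its function names are hypothetical, the sample addresses are constructed, and it assumes IPv4 only because the page describes IP addresses as using periods.

```python
import ipaddress
import re

# MAC address in common notations: 005056ABCDEF, 00:50:56:AB:CD:EF,
# 00-50-56-AB-CD-EF, or 0050.56ab.cdef (the separator must be consistent).
_MAC = re.compile(
    r"[0-9A-Fa-f]{2}([:-]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}"
    r"|[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}"
)


def normalize_entry(raw: str) -> str:
    """Return one address in the form the Pull Discovery Text field expects."""
    value = raw.strip()
    # IP addresses keep their periods.
    try:
        return str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        pass
    # MAC addresses are entered with all punctuation removed.
    if _MAC.fullmatch(value):
        return re.sub(r"[:.\-]", "", value)
    raise ValueError(f"not an IPv4 or MAC address: {raw!r}")


def build_pull_discovery_text(addresses) -> str:
    """Normalize, de-duplicate (case-insensitively) and comma-join addresses."""
    seen, entries = set(), []
    for raw in addresses:
        entry = normalize_entry(raw)
        if entry.lower() not in seen:
            seen.add(entry.lower())
            entries.append(entry)
    return ",".join(entries)


if __name__ == "__main__":
    # Constructed sample input, as it might be copied from OS tooling.
    sample = ["10.0.0.5", "00-50-56-AB-CD-EF", "0050.56ab.cdef", " 10.0.0.6 "]
    print(build_pull_discovery_text(sample))
```

Entries that are neither a valid IPv4 address nor a recognizable MAC address (for example a host name or an out-of-range octet) raise `ValueError` instead of being passed through to the console.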