Configure your Workspace ONE UEM deployment to accept SSL certificate pinning.

SSL configuration is only required if you are unable to leverage the AWCM Trust Service. If you are in an on-premises environment leveraging the AWCM Trust Service, proceed to Upload SSL Device Services Certificate.


  • Configure the Workspace ONE Hub with SSL pinning support.
    Note: iOS devices enrolled using Web enrollment and DEP enrollment do not support certificate pinning during the enrollment process.
  • Gather a list of certificates that devices may encounter when connecting to Device Services (DS). Necessary certificates may include a Load Balancer certificate.
  • Configure an On-Premises Trust Service (TS) or a network exception. On-Premises customers should install an on-premises instance of the Trust Service.
  • If you have a closed-network deployment, set up a network exception to the Cloud Trust Service, which is hosted on the Auto-Discovery domain (


  1. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > Admin > Cloud Services > Workspace ONE ID. Select Workspace ONE ID for Auto Discovery Mode and use your Workspace ONE ID to generate the HMAC Token.
    When the token generates, verify that the appropriate firewall rules are configured.
    Table 1. HMAC Token Firewall Configuration
    Source Port Destination
    Workspace ONE UEM console TCP 443 (TLS)
    Device Services TCP 443 (TLS) TCP 443 (TLS) Device Services
    Devices TCP 443 (TLS) (or on-premises Trust Service)
  2. Install the Trust Service software on an on-premise server. This can be on a stand-alone server, or on a server with other Workspace ONE applications, such as Device Services.
  3. Provision a certificate for the Trust Service that is signed by the Workspace ONE UEM signing service.
    1. Create a Certificate Signing Request (CSR) for the server where you are installing the Trust Service in a normal manner.
      • The CSR should have an email address designated to it, with a domain that matches the domain of the MyWorkspaceONE ID requesting the certificate from MyWorkspaceONE.
      • The CSR cannot have multiple DNS names in the Subject Alternative Name.
    2. Generate a signed certificate in myWorkspaceONE by navigating to My Company > Certificate Signing Portal > Sign a Certificate and paste and Submit the signing request content from the CSR file you created in the first step.
    3. Download the newly-signed certificate .cer file.
  4. Bind the certificate downloaded from myWorkspaceONE to all servers with the Trust Service application.
    In an environment leveraging a load balancer or a reverse proxy, the certificate may need to be bound to those components as well to ensure a device can establish a secure connection.
    Note: If the Trust Service is installed on an existing server (such as a Device Services server), this certificate should be bound to a unique port on that server. Trust Service cannot use the same port as another server application.
  5. In the Workspace ONE UEM console, navigate to Groups & Settings > All Settings > System > Security > Trust Service. Insert the Trust Service URL (specifying the port if necessary, such as https://<host>:<port>/TrustService) and select Save.
  6. Verify that you can hit the service (https://<host>:<port>/TrustService/sslpinning/settings?URL=<host>).

What to do next

Upload the Device Services Certificate you have configured to the Workspace ONE UEM console using Upload SSL Device Services Certificate.