As a Workspace ONE UEM console admin, you can add the hosts of Workspace ONE UEM Device Services and of auxiliary components on the SSL Pinning settings page. Pinning the certificates of these hosts helps prevent man-in-the-middle (MITM) attacks by adding a layer of trust between the listed hosts and your devices: a device accepts a connection to a listed host only if the certificate it is presented matches the one you pinned.

The certificates and domains you add here act as an additional check, performed on top of the standard certificate validation a device performs against a Workspace ONE UEM component server. Standard validation accepts any certificate that chains to a certificate authority the device trusts. When a device establishes a session with one of your Workspace ONE UEM component servers, it also compares the presented certificate against the stored certificate, so a certificate for the host issued by some other trusted CA, which is what an intercepting proxy presents, is rejected and the MITM attempt fails.

When you first navigate to this page, the Device Services site URL is displayed, but no certificate data is present until you upload a certificate.

Important: The SSL pinning feature is only functional if it is used in conjunction with a Workspace ONE UEM application that supports certificate pinning.

What can you do with the SSL Pinning settings page?

The path to the settings page on the UEM console is Groups & Settings > All Settings > System > Security > SSL Pinning.

With the SSL Pinning settings page, you can:

  • Activate or deactivate the SSL Pinning for the organization group.
  • On-premises Only: Upload the Device Services certificate used for validation.
  • Add auxiliary components.
The settings on the page are:

  • On/Off – Turn pinning on or off for the organization group. Turning pinning from on to off terminates all pinning at the current organization group and at all the child organization groups underneath it.
  • Upload (under Device Services) – Select this button in the Device Services section of the page to add the hostname and upload the certificate used for validation. If your Device Services servers are load balanced, upload the certificate of every server; otherwise a device that reaches a node whose certificate is not in the pin list rejects the connection as a pin mismatch. This button is not shown once a Device Services certificate is already populated.

    After uploading your Device Services certificate, select Sync to initiate pinning. When the sync completes, the sync status turns green to indicate that pinning succeeded and the page displays the synced pin list. Keep the list current: because devices compare the presented certificate against the stored one, a renewed Device Services certificate fails the check until the new certificate is uploaded and synced.

  • Add Host (under auxiliary) – Select to add auxiliary components other than Device Services that you also want to pin. In the Add Pinned Host dialog, enter the following:
      • Host – Enter the fully qualified domain name of the host.
      • Required – Select to require the certificate pin at all child organization groups and to prevent child organization group administrators from deactivating or modifying it.
  • Upload (under auxiliary) – Select to upload the certificate used for validation for each of your auxiliary components.
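To make the device-side check and the settings above concrete, here is an added Python example (not code from this page or from Workspace ONE UEM) that models the pin list and the check a pinning-aware app would run after standard chain validation: pins are stored as SHA-256 fingerprints of the uploaded certificate's DER bytes, a host with load-balanced Device Services carries one fingerprint per server, pinning turned off at an organization group is off at every child group, and a child group cannot override a host its parent marked Required. The hostnames, the OrgGroup and PinnedHost names, and the byte strings standing in for certificates are constructed for this example. How Workspace ONE UEM actually encodes a pin, and how a Required pin behaves when a child group turns pinning off, are not described on the page and are not modeled.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of a certificate's DER bytes, used here as the stored pin.

    Assumption: the page only says the device compares the presented certificate
    with the stored one; hashing the DER is a common way to store such a pin.
    """
    return hashlib.sha256(der_cert).hexdigest()


@dataclass
class PinnedHost:
    host: str                 # fully qualified domain name of the pinned host
    fingerprints: Set[str]    # one entry per server behind a load balancer
    required: bool = False    # child OG admins cannot deactivate or modify it


@dataclass
class OrgGroup:
    name: str
    parent: Optional["OrgGroup"] = None
    pinning_on: bool = True                                   # the On/Off switch
    pins: Dict[str, PinnedHost] = field(default_factory=dict)  # host -> pin

    def pinning_effective(self) -> bool:
        """Turning pinning off at an OG also terminates it at every child OG."""
        og = self
        while og is not None:
            if not og.pinning_on:
                return False
            og = og.parent
        return True

    def effective_pins(self) -> Dict[str, PinnedHost]:
        """Pins inherited root-first; a child's own entry overrides an inherited
        one unless an ancestor marked that host Required."""
        lineage = []
        og = self
        while og is not None:
            lineage.append(og)
            og = og.parent
        merged: Dict[str, PinnedHost] = {}
        for og in reversed(lineage):
            for host, pin in og.pins.items():
                inherited = merged.get(host)
                if inherited is not None and inherited.required:
                    continue
                merged[host] = pin
        return merged

    def set_pin(self, pin: PinnedHost) -> bool:
        """Add or replace a pin at this OG; refused when an ancestor's Required
        pin for the same host exists."""
        inherited = self.parent.effective_pins().get(pin.host) if self.parent else None
        if inherited is not None and inherited.required:
            return False
        self.pins[pin.host] = pin
        return True


def verify_pinned_host(og: OrgGroup, host: str, presented_der: bytes) -> Tuple[bool, str]:
    """The pin check, run after (never instead of) standard chain validation."""
    if not og.pinning_effective():
        return True, "pinning off at this OG or an ancestor: standard validation only"
    pin = og.effective_pins().get(host)
    if pin is None:
        return True, "host not in the pin list: standard validation only"
    if cert_fingerprint(presented_der) in pin.fingerprints:
        return True, "pin matched"
    return False, "pin mismatch: certificate passed the CA check but is not pinned; refuse"


# Constructed stand-ins for DER certificates (not real certificates); a real
# caller passes the DER bytes of the leaf certificate from the TLS handshake.
DS_NODE1 = b"constructed DER: ds.example.com, load-balanced node 1"
DS_NODE2 = b"constructed DER: ds.example.com, load-balanced node 2"
MITM_CERT = b"constructed DER: intercepting proxy, chains to a trusted CA"


def build_example() -> Tuple[OrgGroup, OrgGroup]:
    """Global OG pins both Device Services nodes as Required; Child OG inherits."""
    root = OrgGroup("Global")
    root.set_pin(PinnedHost("ds.example.com",
                            {cert_fingerprint(DS_NODE1), cert_fingerprint(DS_NODE2)},
                            required=True))
    return root, OrgGroup("Child", parent=root)


if __name__ == "__main__":
    root, child = build_example()
    print(verify_pinned_host(child, "ds.example.com", DS_NODE2))   # matched
    print(verify_pinned_host(child, "ds.example.com", MITM_CERT))  # refused
    print(child.set_pin(PinnedHost("ds.example.com", {cert_fingerprint(MITM_CERT)})))  # False
    root.pinning_on = False
    print(verify_pinned_host(child, "ds.example.com", MITM_CERT))  # pinning off
```

Note what the last line shows: once pinning is off at the parent group, the intercepting certificate is no longer rejected by the pin check and the device falls back to standard validation alone, which is exactly the situation the On/Off switch description warns about.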