The SSL Pinning settings page is where you can add domains of Workspace ONE UEM Device Services and auxiliary components, which can help prevent man-in-the-middle (MITM) attacks by enabling an additional layer of trust between the listed hosts and devices.
The certificates and domains you add here serve as a trusted form of validation that functions in addition to the standard certificate check a device performs against a Workspace ONE UEM component server. When devices establish sessions with your Workspace ONE UEM component servers, they also check the certificate against this stored certificate to guard against MITM attacks.
When you first navigate to this page, the Device Services site URL displays. However, no certificate data is present until you upload a certificate.
|On/Off||Enable or disable pinning using this switch. If you turn pinning from on to off, it terminates all pinning at the current organization group and all the child organization groups underneath it.|
|Upload (under Device Services)||Select this button in the Device Services section of the page to add the Hostname and upload the certificate used for validation. If you have load-balanced Device Services servers, you also need to upload the certificates for each server. You will not see this button if you already have a device services certificate populated.|
After uploading your Device Services certificate, you need to select Sync to initiate pinning. After, the sync status changes to a green color to indicate pinning was successful and the page should display your synced pin list.
|Add Host (under auxiliary)||
Select to add auxiliary components other than Device Services that you also want to enable pinning for. On the Add Pinned Host dialog, enter the following:
|Upload (under auxiliary)||Select to upload the certificate used for validation for each of your auxiliary components.|