Create and deploy the Apple iOS device profile in Workspace ONE UEM to push the Identity Provider settings to the device. This profile contains the information necessary for the device to connect to the Workspace ONE Access Identity Provider and the certificate that the device uses to authenticate. Enable single sign-on to allow seamless access without requiring authentication into each app.


  • Mobile SSO for iOS is configured in Workspace ONE Access.
  • Mobile iOS authentication is configured in the Workspace ONE Access default access policy.
  • iOS Kerberos certificate authority file saved to a computer that can be accessed from the Workspace ONE UEM admin console.
  • Your Certificate Authority and Certificate Template are properly configured in Workspace ONE UEM.
  • List of URLs and application bundle IDs that use Mobile SSO for iOS authentication on iOS devices.


  1. In the Workspace ONE UEM console, navigate to Devices > Profiles & Resources > Profiles.
  2. Select Add > Add Profile and select Apple iOS.
  3. Enter the name as iOSKerberos and configure the General settings.
  4. In the left navigation pane, select Credentials > Configure to configure the credential.
    | Option | Description |
    |---|---|
    | Credential Source | Select Defined Certificate Authority from the drop-down menu. |
    | Certificate Authority | Select the certificate authority from the list in the drop-down menu. |
    | Certificate Template | Select the request template that references the certificate authority from the drop-down menu. This is the certificate template created in Adding the Certificate Template in Workspace ONE UEM. |
  5. Click + in the lower right corner of the page again and create a second credential.
  6. In the Credential Source drop-down menu, select Upload.
  7. Enter a credential name.
  8. Click Upload to upload the KDC server root certificate that was downloaded from the Identity & Access Management > Manage > Identity Providers > Built-in Identity Provider page.
  9. In the left navigation pane, select Single Sign-On and click Configure.
  10. Enter the connection information.
    | Option | Description |
    |---|---|
    | Account Name | Enter Kerberos. |
    | Kerberos Principal Name | Click + and select {EnrollmentUser}. |
    | Realm | For tenant deployments in the cloud, enter the Identity Manager realm name for your tenant. The text in this parameter must be capitalized. For example, VMWAREIDENTITY.COM. For on premises deployments, enter the realm name you used when you initialized KDC in the Workspace ONE Access appliance. For example, EXAMPLE.COM |
    | Renewal Certificate | Select Certificate #1 from the drop-down menu. This is the Active Directory CA cert that was configured first under credentials. |
    | URL Prefixes | Enter the URL prefixes that must match to use this account for Kerberos authentication over HTTP. For tenant deployments in the cloud, enter the Workspace ONE Access server URL as https://<tenant>.vmwareidentity.<region>. For on premises deployments, enter the Workspace ONE Access server URL as |
    | Applications | Enter the list of application identities that are allowed to use this sign-on. To perform single sign-on using iOS built-in Safari browser, enter the first application bundle ID as Continue to enter application bundle IDs. The applications listed must support SAML authentication. |
  11. Click Save & Publish.
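
A check of the settings entered in steps 4 through 10, as an added example that is not part of the original page or of Workspace ONE tooling: it parses an unsigned XML .mobileconfig and inspects Apple's `com.apple.sso` payload. The sample profile, its UUIDs, hostname and bundle ID are constructed placeholders, the credential payload types are an assumption about how the profile is delivered, and rejecting non-https prefixes is a policy choice of this example.

```python
import plistlib

# Constructed sample profile; UUIDs, hostname, user and bundle ID are placeholders.
SAMPLE = {
    "PayloadType": "Configuration",
    "PayloadContent": [
        # Assumption: the CA-issued credential arrives as a PKCS#12 payload.
        {"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": "CERT-1-PLACEHOLDER"},
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "KDC-ROOT-PLACEHOLDER"},
        {"PayloadType": "com.apple.sso", "Name": "Kerberos",
         "Kerberos": {
             "PrincipalName": "jdoe",  # what {EnrollmentUser} might resolve to
             "Realm": "EXAMPLE.COM",
             "PayloadCertificateUUID": "CERT-1-PLACEHOLDER",
             "URLPrefixMatches": ["https://access.example.com/"],
             "AppIdentifierMatches": ["com.example.app"],
         }},
    ],
}

def check_sso_profile(profile_bytes):
    """Return a list of problems found in the Kerberos SSO payloads of a profile."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    # PayloadUUIDs of every certificate/credential payload in the same profile.
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType", "").startswith("com.apple.security.")}
    sso = [p for p in payloads if p.get("PayloadType") == "com.apple.sso"]
    if not sso:
        return ["no com.apple.sso payload"]
    problems = []
    for p in sso:
        krb = p.get("Kerberos", {})
        realm = krb.get("Realm", "")
        if not realm or realm != realm.upper():
            problems.append(f"realm {realm!r} must be set and capitalized")
        cert = krb.get("PayloadCertificateUUID")
        if not cert or cert not in cert_uuids:
            problems.append("renewal certificate is not a credential in this profile")
        for url in krb.get("URLPrefixMatches") or [""]:
            if not url.startswith("https://"):
                problems.append(f"URL prefix {url!r} is not an https:// URL")
        if not krb.get("AppIdentifierMatches"):
            problems.append("no application bundle IDs listed")
    return problems

if __name__ == "__main__":
    print(check_sso_profile(plistlib.dumps(SAMPLE)) or "profile looks consistent")
```

A signed profile must have its CMS signature removed before `plistlib` can read it.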

What to do next

Assign the device profile to a smart group. Smart groups are customizable groups that determine which platforms, devices, and users receive an assigned application, book, compliance policy, device profile, or provision. See Assign a Workspace ONE UEM Device Profile to Smart Groups.